...

Properties (each listed with its Type, the authn property it defaults to, and its Function)

idp.attribute.resolver.LDAP.ldapURL
    Type: URL
    Default (authn property): idp.authn.LDAP.ldapURL
    Function: Connection URL for the LDAP directory

idp.attribute.resolver.LDAP.baseDN
    Type: String
    Default (authn property): idp.authn.LDAP.baseDN
    Function: Base DN to search against

idp.attribute.resolver.LDAP.bindDN
    Type: String
    Default (authn property): idp.authn.LDAP.bindDN
    Function: DN to bind as before performing the search

idp.attribute.resolver.LDAP.bindDNCredential
    Type: String
    Default (authn property): idp.authn.LDAP.bindDNCredential
    Function: Password to bind with before performing the search

idp.attribute.resolver.LDAP.useStartTLS
    Type: Boolean
    Default (authn property): idp.authn.LDAP.useStartTLS (defaults true)
    Function: Whether StartTLS should be used immediately after connecting to the LDAP directory

idp.attribute.resolver.LDAP.trustCertificates
    Type: Resource
    Default (authn property): idp.authn.LDAP.trustCertificates
    Function: A resource to load trust anchors from, usually a local file in %{idp.home}/credentials

idp.attribute.resolver.LDAP.connectTimeout
    Type: Integer
    Default (authn property): idp.authn.LDAP.connectTimeout (defaults PT3S)
    Function: Connection timeout in milliseconds

idp.attribute.resolver.LDAP.responseTimeout (since 3.3)
    Type: Duration
    Default (authn property): idp.authn.LDAP.responseTimeout (defaults PT3S)
    Function: Time to wait for a response

...

Attributes (each listed with whether it is Required, its Type, its Default where one exists, and a Description)

Commonly Used Attributes

ldapURL
    Required: yes
    Type: Space-delimited list of URLs
    Description: URL(s) to the LDAP server. Each listed URL is tried according to the connectionStrategy.

baseDN
    Required: yes
    Type: String
    Description: Base DN from which the LDAP search will be executed.

principal
    Required: yes
    Type: String
    Description: User name (service DN) that the connector will use to bind to the LDAP directory

principalCredential
    Required: yes
    Type: String
    Description: Password used to authenticate as the principal (service DN)

lowercaseAttributeNames
    Required: no
    Type: Boolean
    Default: false
    Description: Whether all attribute IDs from the LDAP should be lower-cased. This can be important since Shibboleth attribute IDs are case-sensitive while LDAP attribute IDs are not

trustFile (since 3.3)
    Required: no
    Type: String (filename)
    Description: Path to a file containing the X.509 trust information to use when connecting to the directory over LDAPS or startTLS. Replaces the deprecated use of <StartTLSTrustCredential>

Other Attributes

connectionStrategy
    Required: no
    Type: One of ROUND_ROBIN, DEFAULT, RANDOM, ACTIVE_PASSIVE
    Default: ACTIVE_PASSIVE
    Description: If multiple URLs were provided as the ldapURL, this describes how each URL will be processed.
      • DEFAULT - Indicates that the default JNDI provider behavior will be used
      • ACTIVE_PASSIVE (default value) - Indicates that the first LDAP URL will be used for every request unless it fails, and then the next LDAP URL will be used.
      • ROUND_ROBIN - Indicates that for each new connection the next LDAP URL in the list (circling back to the start of the list when the end is reached) will be used
      • RANDOM - Indicates that for each new connection a random LDAP URL will be selected

authenticationType
    Required: no
    Type: One of DIGEST_MD5, CRAM_MD5, GSSAPI
    Description: A SASL mechanism to be used for the Bind operation

searchScope
    Required: no
    Type: One of SUBTREE, ONELEVEL, OBJECT
    Default: SUBTREE
    Description: The scope of the search.
      • SUBTREE: The entire LDAP directory subtree below the search baseDN will be searched.
      • ONELEVEL: Only the immediate children of the LDAP object corresponding to the search baseDN will be searched.
      • OBJECT: Only the LDAP object itself is searched.

derefAliases (since 3.4.5)
    Required: no
    Type: One of NEVER, SEARCHING, FINDING, ALWAYS
    Default: NEVER
    Description: How aliases should be dereferenced. See the Oracle JNDI docs for more details on these options.

useStartTLS
    Required: no
    Type: Boolean
    Default: false
    Description: Whether to use startTLS when connecting to the LDAP directory

searchTimeLimit
    Required: no
    Type: number of milliseconds
    Default: 3000
    Description: Length of time in milliseconds that a search operation should execute; a value of 0 means execute indefinitely; when the time limit is reached the result will contain any entries returned up to that point

maxResultSize
    Required: no
    Type: Integer
    Default: 1
    Description: Maximum number of entries to include in the search result; a value of 0 means include all entries

noResultIsError
    Required: no
    Type: Boolean
    Default: false
    Description: Whether an empty result set is an error

multipleResultsIsError
    Required: no
    Type: Boolean
    Default: false
    Description: Whether a result set with more than one result is an error

templateEngine
    Required: no
    Type: Bean ID
    Description: The ID of a Spring bean defining an org.apache.velocity.app.VelocityEngine

mappingStrategyRef
    Required: no
    Type: Bean ID
    Description: The ID of a Spring bean defining a MappingStrategy<org.ldaptive.SearchResult>

executableSearchBuilderRef (since 3.4)
    Required: no
    Type: Bean ID
    Description: The ID of a Spring bean defining an ExecutableSearchBuilder<ExecutableSearchFilter>

validatorRef (since 3.2)
    Required: no
    Type: Bean ID
    Description: Bean ID of a Validator to control what constitutes an initialization failure (set this to "shibboleth.NonFailFastValidator" to bypass the connection attempt at config load time)

connectTimeout
    Required: no
    Type: Integer
    Default: 3000 (PT3S from 3.3)
    Description: Connection timeout in milliseconds

responseTimeout (since 3.3)
    Required: no
    Type: Duration
    Default: PT3S
    Description: Time to wait for a response

authCert (since 3.4)
    Required: no
    Type: String (filename)
    Description: Path to the file containing the X.509 certificate to provide when connecting to the directory over LDAPS or startTLS

authKey (since 3.4)
    Required: no
    Type: String (filename)
    Description: Path to the file containing the X.509 key to provide when connecting to the directory over LDAPS or startTLS

authKeyPassword (since 3.4)
    Required: no
    Type: String
    Description: Password to use on the authKey file

Deprecated Attributes

poolInitialSize
    Description: Use the <ConnectionPool> element

poolMaxIdleSize
    Description: Use the <ConnectionPool> element

...

Child Elements (each listed with its Cardinality and a Description)

<FilterTemplate>
    Cardinality: 0 or 1
    Description: The template of the search filter to be sent to the LDAP directory server

<ReturnAttributes>
    Cardinality: 0 or 1
    Description: A list of attributes to be returned from the LDAP directory server; this may help the server respond more quickly

<BinaryAttributes> (since 3.4.5)
    Cardinality: 0 or 1
    Description: A list of attributes whose values contain binary data and must be base64 encoded; the format is a space-delimited list of attribute names

<LDAPProperty>
    Cardinality: 0 or more
    Description: Custom LDAP configuration properties

<StartTLSTrustCredential>
    Cardinality: 0 or 1
    Description: X.509 trust information to use when connecting to the directory over LDAPS or startTLS. DEPRECATED in favor of the trustFile attribute

<StartTLSAuthenticationCredential>
    Cardinality: 0 or 1
    Description: X.509 client authentication information to provide when connecting to the directory over LDAPS or startTLS. DEPRECATED in favor of the authCert, authKey and authKeyPassword attributes

<ConnectionPool>
    Cardinality: 0 or 1
    Description: Describes how the LDAP connection may be pooled

<Column>
    Cardinality: 0 or more
    Description: Allows for remapping of LDAP attributes into alternately named IdPAttributes within the resolver

<ResultCache>
    Cardinality: 0 or 1
    Description: The definition of how results should be cached

<ResultCacheBean>
    Description: The definition of how results should be cached as an externally defined com.google.common.cache.Cache<String,Map<String,IdPAttribute>>, the Spring bean ID of which is supplied as the content of the element
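A data connector that wires the properties from the first table to the attributes and child elements documented above, as an added example and not the project's own configuration. The connector id, the search filter, the returned attribute names and the <ConnectionPool> attributes and their idp.pool.LDAP.* properties are assumptions; note that the useStartTLS attribute defaults to false while the idp.authn.LDAP.useStartTLS property defaults to true, so the explicit fallback below keeps the connection protected even if the property is left unset.

```xml
<!-- attribute-resolver.xml fragment (added example); the idp.attribute.resolver.LDAP.*
     values are read from properties and fall back to the idp.authn.LDAP.* settings. -->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
    trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
    connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
    responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
    connectionStrategy="ACTIVE_PASSIVE"
    searchScope="SUBTREE"
    maxResultSize="1"
    noResultIsError="true"
    multipleResultsIsError="true"
    lowercaseAttributeNames="true">

    <!-- Velocity template; $resolutionContext.principal is the authenticated user name.
         The uid-based filter is an assumption for this example. -->
    <FilterTemplate>
        <![CDATA[
            (uid=$resolutionContext.principal)
        ]]>
    </FilterTemplate>

    <!-- Request only the attributes the resolver needs (assumed names);
         this limits the data pulled from the directory and speeds up the server. -->
    <ReturnAttributes>uid mail displayName eduPersonAffiliation</ReturnAttributes>

    <!-- Pool attributes and property names are assumptions, not taken from this page. -->
    <ConnectionPool
        minPoolSize="%{idp.pool.LDAP.minSize:3}"
        maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
        blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
        validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
        validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
        expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
        failFastInitialize="%{idp.pool.LDAP.failFastInitialize:true}" />
</DataConnector>
```

With maxResultSize="1" together with multipleResultsIsError="true", an ambiguous filter match (two directory entries for one principal) is surfaced as a resolution failure instead of silently releasing the first entry's attributes.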

Externally (Spring) Defined Content

...

In practice, the data connector may be supplied with Spring-defined beans of the following types: