
...

  • lowercaseAttributeNames - boolean flag that lower-cases every attribute ID returned from the LDAP. This matters because Shibboleth attribute IDs are case-sensitive while LDAP attribute IDs are not. Default value: false
Code Block: Base LDAP Data Connector Definition
<resolver:DataConnector xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        id="UNIQUE_ID"
                        ldapURL="LDAP_URL"
                        baseDN="BASE_DN"
                        principal="PRINCIPAL_NAME"
                        principalCredential="PRINCIPAL_CREDENTIAL"
                        lowercaseAttributeNames="true">

     <!-- Remaining configuration from the next steps go here -->

</resolver:DataConnector>

...

Dependencies are expressed with the <resolver:Dependency> element, whose ref attribute holds the unique ID of the attribute definition or data connector that this connector depends on.

Code Block: Basic LDAP Data Connector Definition with Dependencies
<resolver:DataConnector xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        id="UNIQUE_ID"
                        ldapURL="LDAP_URL"
                        baseDN="BASE_DN"
                        principal="PRINCIPAL_NAME"
                        principalCredential="PRINCIPAL_CREDENTIAL">

    <resolver:Dependency ref="DEFINITION_ID_1" />
    <resolver:Dependency ref="DEFINITION_ID_2" />
    <resolver:Dependency ref="CONNECTOR_ID_3" />
    <resolver:Dependency ref="CONNECTOR_ID_4" />

    <!-- Remaining configuration from the next steps go here -->

</resolver:DataConnector>

...

In addition to the filter template, you may also explicitly indicate which attributes may be returned from a search. Use the <ReturnAttributes> element and provide a space-separated list of the attribute names to return as its content. This is optional but may help the LDAP server respond more quickly.

Code Block: Basic LDAP Data Connector Definition with Search Parameters
<resolver:DataConnector xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        id="UNIQUE_ID"
                        ldapURL="LDAP_URL"
                        baseDN="BASE_DN"
                        principal="PRINCIPAL_NAME"
                        principalCredential="PRINCIPAL_CREDENTIAL">


    <resolver:Dependency ref="DEFINITION_ID_1" />
    <resolver:Dependency ref="DEFINITION_ID_2" />
    <resolver:Dependency ref="CONNECTOR_ID_3" />
    <resolver:Dependency ref="CONNECTOR_ID_4" />

    <FilterTemplate>
        <![CDATA[
            (uid=${requestContext.principalName})
        ]]>
    </FilterTemplate>

    <ReturnAttributes>ATTRIBUTE_1 ATTRIBUTE_2 ATTRIBUTE_3</ReturnAttributes>

     <!-- Remaining configuration from the next steps go here -->

</resolver:DataConnector>

...

If you import the server certificate itself, you will have to track changes to the LDAP server's certificate and update your DataConnector configuration each time that certificate changes. If you import the CA certificate instead, it is usually longer lived, and the same CA certificate can establish trust in multiple servers for redundancy or fail-over (e.g., "Multiple LDAP Replicas" on this page, below).

Code Block: Basic LDAP Data Connector Definition employing startTLS
<resolver:DataConnector xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        id="UNIQUE_ID"
                        ldapURL="LDAP_URL"
                        baseDN="BASE_DN"
                        principal="PRINCIPAL_NAME"
                        principalCredential="PRINCIPAL_CREDENTIAL"
                        useStartTLS="true">

    <resolver:Dependency ref="DEFINITION_ID_1" />
    <resolver:Dependency ref="DEFINITION_ID_2" />
    <resolver:Dependency ref="CONNECTOR_ID_3" />
    <resolver:Dependency ref="CONNECTOR_ID_4" />

    <FilterTemplate>
        <![CDATA[
            (uid=${requestContext.principalName})
        ]]>
    </FilterTemplate>

    <StartTLSTrustCredential xsi:type="security:X509Inline" xmlns:security="urn:mace:shibboleth:2.0:security" id="LDAPtoIdPCredential">
        <security:Certificate>
        <!-- PEM-encoded certificate goes here -->
        </security:Certificate>
    </StartTLSTrustCredential>
</resolver:DataConnector>

...

  • connectionStrategy - The strategy the data connector uses to decide which LDAP URL, from a list, is used when a connection needs to be made. If you are pooling connections, note that this choice is made only when a new connection is opened. Acceptable values are:
    • DEFAULT - The default JNDI provider behavior is used.
    • ACTIVE_PASSIVE (default value) - The first LDAP URL is used for every request until it fails; the next LDAP URL is then used.
    • ROUND_ROBIN - Each new connection uses the next LDAP URL in the list, circling back to the start of the list when the end is reached.
    • RANDOM - Each new connection uses a randomly selected LDAP URL.
Code Block: LDAP Data Connector Definition with Connection Strategy
<resolver:DataConnector xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        id="UNIQUE_ID"
                        ldapURL="LDAP_URL"
                        baseDN="BASE_DN"
                        principal="PRINCIPAL_NAME"
                        principalCredential="PRINCIPAL_CREDENTIAL"
                        connectionStrategy="RANDOM">

    <resolver:Dependency ref="DEFINITION_ID_1" />
    <resolver:Dependency ref="DEFINITION_ID_2" />
    <resolver:Dependency ref="CONNECTOR_ID_3" />
    <resolver:Dependency ref="CONNECTOR_ID_4" />

    <!-- Remaining configuration from the next steps go here -->

</resolver:DataConnector>
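To make the three selection rules concrete, here is an added Python model of how a new connection picks its URL under each connectionStrategy; it is an illustration, not Shibboleth's own code, and it assumes ldapURL holds a space-separated list of replica URLs (the example.org hostnames are constructed). DEFAULT is provider-defined and is not modelled.

```python
import random
from itertools import cycle

class LdapUrlSelector:
    """Model of the connectionStrategy values described above. A URL is chosen
    only when a new connection is opened; pooled connections keep the URL they
    were opened with. DEFAULT is left to the JNDI provider and is not modelled."""

    def __init__(self, strategy, urls, rng=None):
        if strategy not in ("ACTIVE_PASSIVE", "ROUND_ROBIN", "RANDOM"):
            raise ValueError(f"unsupported connectionStrategy: {strategy}")
        if not urls:
            raise ValueError("at least one LDAP URL is required")
        self.strategy = strategy
        self.urls = list(urls)
        self.failed = set()                 # URLs seen to fail (ACTIVE_PASSIVE)
        self._ring = cycle(self.urls)       # ROUND_ROBIN cursor
        self._rng = rng if rng is not None else random.Random()

    def mark_failed(self, url):
        """Record that opening a connection to url failed."""
        self.failed.add(url)

    def next_url(self):
        """URL to use for the next new connection."""
        if self.strategy == "ACTIVE_PASSIVE":
            # Stay on the first URL until it fails, then fall through to the next.
            for url in self.urls:
                if url not in self.failed:
                    return url
            raise ConnectionError("every LDAP URL has failed")
        if self.strategy == "ROUND_ROBIN":
            return next(self._ring)
        return self._rng.choice(self.urls)

# Constructed sample: three replicas, assuming ldapURL holds a space-separated list.
SAMPLE_LDAP_URL = ("ldap://ldap1.example.org "
                   "ldap://ldap2.example.org ldap://ldap3.example.org")

def simulate(strategy, opens, fail_first_after=None, seed=0):
    """Open `opens` connections, marking the first URL failed after
    `fail_first_after` of them; returns the URLs chosen, in order."""
    sel = LdapUrlSelector(strategy, SAMPLE_LDAP_URL.split(), random.Random(seed))
    chosen = []
    for i in range(opens):
        if i == fail_first_after:
            sel.mark_failed(sel.urls[0])
        chosen.append(sel.next_url())
    return chosen
```

With pooling enabled, the model's selection runs only when the pool opens a connection, so a failed replica stays in use by already-pooled connections until validation or expiration removes them.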

...

  • minPoolSize: The minimum number of connections to keep available. Default value is 0.
  • maxPoolSize: The maximum number of connections to keep available. Default value is 3.
  • blockWhenEmpty: Whether to wait for an available connection when the entire pool is in use. Default is true. If set to false, the number of connections can grow beyond maxPoolSize.
  • blockWaitTime: Length of time to wait, given in XML duration notation, on the pool if blockWhenEmpty is true and the pool is empty. Default value is to wait indefinitely.
  • validatePeriodically: Whether each LDAP connection should be periodically checked. Default value is false.
  • validateTimerPeriod: Interval, given in XML duration notation, between pool validation runs. Used in conjunction with expirationTime to remove connections from the pool. The pool will not be pruned below the minimum size. Default value is 30 minutes.
  • validateDN: LDAP DN to use for connection validation. Used in conjunction with validateFilter to perform a compare.
  • validateFilter: LDAP filter for connection validation. Used in conjunction with validateDN to perform a compare. Default value is objectClass=*.
  • expirationTime: Amount of time, given in XML duration notation, after which a connection should be considered stale and ready for removal.
Code Block: Basic LDAP Data Connector Definition employing connection pooling
<resolver:DataConnector xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        id="UNIQUE_ID"
                        ldapURL="LDAP_URL"
                        baseDN="BASE_DN"
                        principal="PRINCIPAL_NAME"
                        principalCredential="PRINCIPAL_CREDENTIAL">

    <resolver:Dependency ref="DEFINITION_ID_1" />
    <resolver:Dependency ref="DEFINITION_ID_2" />
    <resolver:Dependency ref="CONNECTOR_ID_3" />
    <resolver:Dependency ref="CONNECTOR_ID_4" />

    <ConnectionPool minPoolSize="3"
                    maxPoolSize="8"
                    blockWhenEmpty="true"
                    blockWaitTime="PT5S"
                    validatePeriodically="true"
                    validateTimerPeriod="PT30M"
                    validateDN="ou=people,dc=vt,dc=edu"
                    validateFilter="(ou=people)"
                    expirationTime="PT10M"/>

</resolver:DataConnector>
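The interaction of maxPoolSize and blockWhenEmpty is easier to see in a small model. The following Python is an added illustration, not the connector's pool implementation; it ignores timing (blockWaitTime, validation, expiration) and reports a checkout that would block as None.

```python
class ConnectionPool:
    """Toy model of the ConnectionPool settings above (defaults as documented).
    Timing, validation and expiration are not modelled; a blocked checkout
    is reported as None instead of waiting up to blockWaitTime."""

    def __init__(self, min_pool_size=0, max_pool_size=3, block_when_empty=True):
        self.max_pool_size = max_pool_size
        self.block_when_empty = block_when_empty
        self.idle = []          # connections available for checkout
        self.active = 0         # connections currently handed out
        self.opened = 0         # connections ever opened to the LDAP server
        # minPoolSize connections are opened up front and kept available.
        for _ in range(min_pool_size):
            self.idle.append(self._open())

    def _open(self):
        self.opened += 1
        return f"conn-{self.opened}"

    def checkout(self):
        """Return a connection, or None when the caller would have to wait."""
        if self.idle:
            self.active += 1
            return self.idle.pop()
        if self.active < self.max_pool_size:
            self.active += 1
            return self._open()
        if self.block_when_empty:
            return None                     # wait for a checkin (blockWaitTime)
        self.active += 1                    # blockWhenEmpty=false: exceed maxPoolSize
        return self._open()

    def checkin(self, conn):
        self.active -= 1
        self.idle.append(conn)

def burst(block_when_empty, concurrent_requests, max_pool_size=3):
    """Simulate resolutions arriving at once, none finishing in between.
    Returns (served, waiting, connections_opened)."""
    pool = ConnectionPool(max_pool_size=max_pool_size, block_when_empty=block_when_empty)
    served = waiting = 0
    for _ in range(concurrent_requests):
        if pool.checkout() is None:
            waiting += 1
        else:
            served += 1
    return served, waiting, pool.opened
```

A burst of five resolutions against the default pool leaves two waiting with blockWhenEmpty="true", whereas blockWhenEmpty="false" opens five connections, so maxPoolSize no longer bounds the load placed on the LDAP server.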

...

  • elementTimeToLive - amount of time, in XML duration notation, that a result will be cached (Default value: 4 hours)
  • maximumCachedElements - maximum number of results that will be cached at any one time; if this is exceeded, the oldest entries are discarded first. (Default value: 500)
Code Block: LDAP Data Connector Definition with Query Result Caching
<resolver:DataConnector xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        id="UNIQUE_ID"
                        ldapURL="LDAP_URL"
                        baseDN="BASE_DN"
                        principal="PRINCIPAL_NAME"
                        principalCredential="PRINCIPAL_CREDENTIAL"
                        connectionStrategy="RANDOM">

    <resolver:Dependency ref="DEFINITION_ID_1" />
    <resolver:Dependency ref="DEFINITION_ID_2" />
    <resolver:Dependency ref="CONNECTOR_ID_3" />
    <resolver:Dependency ref="CONNECTOR_ID_4" />

    <!-- Remaining configuration from the next steps go here -->

    <ResultCache elementTimeToLive="PT1H" />

</resolver:DataConnector>

...

The LDAP provider used with Shibboleth also supports a number of properties, which are described in its own documentation; each is passed through with an <LDAPProperty> element.

Code Block: Basic LDAP Data Connector Definition with Other Connection Parameters
<resolver:DataConnector xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        id="UNIQUE_ID"
                        ldapURL="LDAP_URL"
                        baseDN="BASE_DN"
                        principal="PRINCIPAL_NAME"
                        principalCredential="PRINCIPAL_CREDENTIAL">

    <resolver:Dependency ref="DEFINITION_ID_1" />
    <resolver:Dependency ref="DEFINITION_ID_2" />
    <resolver:Dependency ref="CONNECTOR_ID_3" />
    <resolver:Dependency ref="CONNECTOR_ID_4" />

    <FilterTemplate>
        <![CDATA[
            (uid=${requestContext.principalName})
        ]]>
    </FilterTemplate>

    <ReturnAttributes>ATTRIBUTE_1 ATTRIBUTE_2 ATTRIBUTE_3</ReturnAttributes>

    <LDAPProperty name="PROPERTY_NAME_1" value="VALUE"/>
    <LDAPProperty name="PROPERTY_NAME_2" value="VALUE"/>

</resolver:DataConnector>