The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.


Configuring a LDAP Data Connector

The LDAP connector allows you to pull attributes from data stores that can be accessed through a Java JNDI interface (which covers most LDAP version 3 compliant servers). This connector pools connections in order to enhance performance. See the advanced configuration section for how to disable pooling.

Data Connector Basics

All data connectors are configured in the IdP's resolver.xml configuration file.

Each connector is defined with an XML element that requires an id attribute. This attribute is used to reference the connector from other connectors and attribute definitions. To make future maintenance easier, we encourage you to use a meaningful name for the id attribute.

Configuring the Connector

  1. Create a JNDIDirectoryDataConnector with its id attribute.
  2. Create a Search element, as a child of JNDIDirectoryDataConnector, with an attribute, filter, whose value is the LDAP search filter to use. The macro %PRINCIPAL% may be used to insert the current principal's name into the search filter.
  3. Optionally, a Controls element may be added as a child of the Search element with the attributes searchScope="SUBTREE_SCOPE" and returningObjects="false" to scope a particular search filter.
  4. Create Property elements, children of the JNDIDirectoryDataConnector element, with name and value attributes containing the following values as appropriate:

      | Name Attribute | Value Attribute | Usage |
      | --- | --- | --- |
      | java.naming.factory.initial | com.sun.jndi.ldap.LdapCtxFactory | The factory used to produce LDAP connections |
      | java.naming.provider.url | ldap://ldap.example.edu/dc=example,dc=edu (example) | The URL of the LDAP server to connect to |
      | java.naming.referral | ignore, follow, throw | Whether to ignore, follow, or throw an exception when an LDAP referral is received |
      | java.naming.security.principal | cn=admin,dc=example,dc=edu (example) | The DN of the user to bind to the directory |
      | java.naming.security.credentials | examplepw | The password for the user binding to the directory |
      | java.naming.security.protocol | ssl | To connect to the LDAP server over SSL |
      | com.sun.jndi.ldap.connect.pool | true or false | Whether to pool connections or not. This option is specific to the Sun LDAP connection factory. |
      | com.sun.jndi.ldap.connect.pool.initsize | | Number of connections to create when the pool is created. This option is specific to the Sun LDAP connection factory. |
      | com.sun.jndi.ldap.connect.pool.prefsize | | Number of connections that should be kept around in the pool. This option is specific to the Sun LDAP connection factory. |
      | com.sun.jndi.ldap.connect.pool.authentication | none simple | The methods used to authenticate users. This option is specific to the Sun LDAP connection factory. |
      | com.sun.jndi.ldap.connect.pool.protocol | plain ssl | The protocols available to communicate with the server. This option is specific to the Sun LDAP connection factory. |

A more exhaustive list of these properties can be found on the Sun JNDI site.

Active Directory users

Active Directory has a number of deployment configurations that may prevent LDAP referrals from working properly. If you are using Active Directory as your LDAP directory, it is strongly suggested that you set the java.naming.referral property to ignore.

Example Configuration

This example demonstrates a basic configuration without pooling or SSL.

<JNDIDirectoryDataConnector id="directory">
	 <Search filter="cn=%PRINCIPAL%">
		  <Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
	 </Search>
	 <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
	 <Property name="java.naming.provider.url" value="ldap://ldap.example.edu/dc=example,dc=edu" />
	 <Property name="java.naming.security.principal" value="cn=admin,dc=example,dc=edu" />
	 <Property name="java.naming.security.credentials" value="examplepw" />
</JNDIDirectoryDataConnector>

This example demonstrates a configuration that uses LDAP over SSL to communicate with the directory. This assumes that the LDAP server's certificate has been imported into the JVM's trust store.

<JNDIDirectoryDataConnector id="directorySecure">
	 <Search filter="cn=%PRINCIPAL%">
		  <Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
	 </Search>
	 <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
	 <Property name="java.naming.provider.url" value="ldap://ldap.example.edu:636/dc=example,dc=edu" />
	 <Property name="java.naming.security.protocol" value="ssl" />
	 <Property name="java.naming.security.principal" value="cn=admin,dc=example,dc=edu" />
	 <Property name="java.naming.security.credentials" value="examplepw" />
</JNDIDirectoryDataConnector>

This example demonstrates a configuration that pools LDAP connections.

<JNDIDirectoryDataConnector id="directoryPooled">
	 <Search filter="cn=%PRINCIPAL%">
		  <Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
	 </Search>
	 <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
	 <Property name="java.naming.provider.url" value="ldap://ldap.example.edu/dc=example,dc=edu" />
	 <Property name="com.sun.jndi.ldap.connect.pool" value="true" />
	 <Property name="com.sun.jndi.ldap.connect.pool.initsize" value="5" />
	 <Property name="com.sun.jndi.ldap.connect.pool.prefsize" value="5" />
	 <Property name="com.sun.jndi.ldap.connect.pool.authentication" value="none simple DIGEST-MD5" />
	 <Property name="com.sun.jndi.ldap.connect.pool.protocol" value="plain ssl" />
</JNDIDirectoryDataConnector>
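The three examples above differ only in their Property elements, and the choice between them has a security consequence: the first binds with a password over plain ldap://. The following added example (not part of the Shibboleth 1.x distribution or this page) parses a JNDIDirectoryDataConnector element into the same name/value property map the connector hands to JNDI and reports the settings a deployer should review before going live; the sample XML is constructed from the page's first example, and the ldaps:// URL scheme check is an assumption about how SSL may also be enabled.

```python
"""Lint a Shibboleth 1.x JNDIDirectoryDataConnector definition (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: the page's first example, which binds with a password
# over plain ldap:// and therefore sends the bind credentials in the clear.
SAMPLE = """<JNDIDirectoryDataConnector id="directory">
  <Search filter="cn=%PRINCIPAL%">
    <Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
  </Search>
  <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
  <Property name="java.naming.provider.url" value="ldap://ldap.example.edu/dc=example,dc=edu" />
  <Property name="java.naming.security.principal" value="cn=admin,dc=example,dc=edu" />
  <Property name="java.naming.security.credentials" value="examplepw" />
</JNDIDirectoryDataConnector>"""


def load_connector(xml_text):
    """Return (id, search filter or None, {property name: value}) for one connector."""
    root = ET.fromstring(xml_text)
    search = root.find("Search")
    props = {p.get("name"): p.get("value") for p in root.findall("Property")}
    return root.get("id"), (None if search is None else search.get("filter")), props


def lint_connector(xml_text):
    """Return findings a deployer should review; an empty list means no issues."""
    cid, flt, props = load_connector(xml_text)
    findings = []
    url = props.get("java.naming.provider.url", "")
    # SSL is on if the JNDI protocol property says so or (assumed) the URL uses ldaps://.
    uses_ssl = props.get("java.naming.security.protocol") == "ssl" or url.startswith("ldaps://")
    if "java.naming.security.credentials" in props and not uses_ssl:
        findings.append("bind password sent without SSL; set java.naming.security.protocol=ssl")
    if "java.naming.factory.initial" not in props:
        findings.append("missing java.naming.factory.initial")
    if flt is None:
        findings.append("no Search element with a filter attribute")
    elif "%PRINCIPAL%" not in flt:
        findings.append("filter never uses %PRINCIPAL%, so every user resolves the same entry")
    if props.get("java.naming.referral") == "follow":
        findings.append("referrals are followed; the page recommends ignore for Active Directory")
    pool_tuning = [k for k in props if k.startswith("com.sun.jndi.ldap.connect.pool.")]
    if pool_tuning and props.get("com.sun.jndi.ldap.connect.pool") != "true":
        findings.append("pool tuning properties set but com.sun.jndi.ldap.connect.pool is not true")
    return [f"{cid}: {f}" for f in findings]


if __name__ == "__main__":
    for line in lint_connector(SAMPLE) or ["no findings"]:
        print(line)
```

Running it against the page's second (SSL) example yields no findings, and against the first example it reports the clear-text bind.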
