{"type":"doc","content":[{"type":"paragraph","content":[{"text":"Current File(s):","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text"},{"text":"conf/authn/password-authn-config.xml","type":"text","marks":[{"type":"em"}]},{"text":", ","type":"text"},{"text":"conf/ldap.properties, conf/authn/ldap-authn-config.xml ","type":"text","marks":[{"type":"em"}]},{"text":"(V4.0)","type":"text"},{"text":", conf/authn/authn.properties","type":"text","marks":[{"type":"em"}]},{"text":" (V4.1+)","type":"text"},{"type":"hardBreak"},{"text":"Format:","type":"text","marks":[{"type":"strong"}]},{"text":" Native Spring","type":"text"}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{"maxLevel":{"value":"2"}},"macroMetadata":{"macroId":{"value":"5bc449e0-05f7-4727-9a3e-f27bfc29f3c7"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"faad6cc2-fddf-477e-8b59-565cdf717e69"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Overview","type":"text"}]},{"type":"paragraph","content":[{"text":"The LDAPCredentialValidator for the ","type":"text"},{"text":"password authentication","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631611"}}]},{"text":" login flow uses native LDAP libraries for password-based authentication instead of using a JAAS module. The primary advantages are slightly better performance and more control over the process, such as the ability to extract detailed account status information from the directory during a login. One disadvantage is that JAAS configurations may be reloaded each time they're used, while the native configuration is static.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"General Configuration","type":"text"}]},{"type":"expand","attrs":{"title":"V4.0"},"content":[{"type":"paragraph","content":[{"text":"Configuring LDAP as a back-end relies on beans defined via an import in ","type":"text"},{"text":"authn/password-authn-config.xml","type":"text","marks":[{"type":"em"}]},{"text":":","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Import in authn/password-authn-config.xml","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"","type":"text"}]},{"type":"paragraph","content":[{"text":"The properties in ","type":"text"},{"text":"ldap.properties","type":"text","marks":[{"type":"em"}]},{"text":" do most of the work out of the box. Adding additional beans may be needed in very advanced cases where a higher degree of control is required.","type":"text"}]},{"type":"paragraph","content":[{"text":"These beans also act as global defaults that can be overridden on specific instances of beans inheriting from ","type":"text"},{"text":"shibboleth.LDAPValidator","type":"text","marks":[{"type":"strong"}]},{"text":" defined in ","type":"text"},{"text":"authn/password-authn-config.xml","type":"text","marks":[{"type":"em"}]},{"text":" in the ","type":"text"},{"text":"shibboleth.authn.Password.Validators","type":"text","marks":[{"type":"strong"}]},{"text":" bean.","type":"text"}]},{"type":"paragraph","content":[{"text":"In the simple case of LDAP used alone:","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Defining use of LDAP in password-authn-config.xml","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"If desired, it's possible to directly configure the various settings within the validator bean instead of or in addition to relying on the defaults.","type":"text"}]},{"type":"paragraph","content":[{"text":"As an example, you could chain together multiple LDAP servers (rather than hoping the client library will do it for you) like this:","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Chaining LDAP validators","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\n\n\t\n \t\n\t\t\t\n\t\t\n\t\n\t\n \t\n\t\t\t\n\t\t\n\t\n","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Note Regarding Upgrades","type":"text"}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"ldap-authn-config.xml","type":"text","marks":[{"type":"em"}]},{"text":" file has changed dramatically since V3 and is now very short, relying primarily on a special bean with a hidden parent definition taking a large set of properties that will generally auto-configure the proper objects.","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"heading","attrs":{"level":3},"content":[{"text":"Updating the the newer ldap-authn-config.xml","type":"text"}]},{"type":"paragraph","content":[{"text":"While the older, longer file should work in ","type":"text"},{"text":"mos","type":"text","marks":[{"type":"em"}]},{"text":"t cases, it is a good idea to look at updating to the new file from the distribution.","type":"text"}]},{"type":"paragraph","content":[{"text":"Having said that, copying the new file in will break initially unless you also explicitly define the bean called ","type":"text"},{"text":"shibboleth.authn.Password.Validators","type":"text","marks":[{"type":"strong"}]},{"text":" (shown above), which is present by default in ","type":"text"},{"text":"password-authn-config.xml","type":"text","marks":[{"type":"em"}]},{"text":" in new installs. For LDAP alone, the example above generally suffices.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"One issue that does come up with the older file: the defaults around pooling validation in V3 were expressed numerically in seconds, and these numbers are interpreted in V4 as milliseconds. The proper syntax is really XML Duration syntax (PT5M == 5 minutes) and not numerically, but out of the box using the old file with V4 and not setting some of the pooling properties will result in dramatically frequent pool validation on the order of every half second. The logs will be very noisy so it's quite obvious.","type":"text"}]},{"type":"paragraph","content":[{"text":"To correct this, either update to the V4 file (and define the new bean noted above), or change the property defaults in the old file, or actually set the properties themselves rather than leaving them commented.","type":"text"}]}]},{"type":"expand","attrs":{"title":"V4.1+"},"content":[{"type":"paragraph","content":[{"text":"Configuring LDAP as a back-end relies on beans internally that are configured using ","type":"text"},{"text":"ldap.properties","type":"text","marks":[{"type":"em"}]},{"text":" (defined separately from other properties because they are sometimes shared for ","type":"text"},{"text":"LDAPConnector","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631572"}}]},{"text":" configuration). Older releases included an ","type":"text"},{"text":"authn/ldap-authn-config.xml","type":"text","marks":[{"type":"em"}]},{"text":" file; this remains supported but is no longer required or provided.","type":"text"}]},{"type":"paragraph","content":[{"text":"The properties in ","type":"text"},{"text":"ldap.properties","type":"text","marks":[{"type":"em"}]},{"text":" do most of the work out of the box. Adding additional beans may be needed in very advanced cases where a higher degree of control is required, and you are welcome to place them within ","type":"text"},{"text":"authn/password-authn-config.xml","type":"text","marks":[{"type":"em"}]},{"text":".","type":"text"}]},{"type":"paragraph","content":[{"text":"The properties act as global defaults that can be overridden on specific instances of beans inheriting from ","type":"text"},{"text":"shibboleth.LDAPValidator","type":"text","marks":[{"type":"strong"}]},{"text":" defined in ","type":"text"},{"text":"authn/password-authn-config.xml","type":"text","marks":[{"type":"em"}]},{"text":" in the ","type":"text"},{"text":"shibboleth.authn.Password.Validators","type":"text","marks":[{"type":"strong"}]},{"text":" bean.","type":"text"}]},{"type":"paragraph","content":[{"text":"In the simple case of LDAP used alone:","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Defining use of LDAP in password-authn-config.xml","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"It's possible to directly configure the various settings within the validator bean instead of or in addition to relying on the defaults. Typically this involves injecting a bean based on ","type":"text"},{"text":"shibboleth.LDAPAuthenticationFactory","type":"text","marks":[{"type":"strong"}]},{"text":" into the validator bean’s ","type":"text"},{"text":"authenticator","type":"text","marks":[{"type":"code"}]},{"text":" property. This is a large factory class of type ","type":"text"},{"text":"net.shibboleth.idp.authn.config.LDAPAuthenticationFactoryBean","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.authn.config.LDAPAuthenticationFactoryBean"}}]},{"text":" that includes most common LDAP settings.","type":"text"}]},{"type":"paragraph","content":[{"text":"As an example, you could chain together multiple LDAP servers (rather than hoping the client library will do it for you) like this:","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Chaining LDAP validators","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\n\n\t\n \t\n\t\t\t\n\t\t\n\t\n\t\n \t\n\t\t\t\n\t\t\n\t\n","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Note Regarding Upgrades","type":"text"}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"ldap-authn-config.xml","type":"text","marks":[{"type":"em"}]},{"text":" file from V3 has been removed, with the associated objects declared internally and using a large set of properties that will generally auto-configure the proper objects.","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"heading","attrs":{"level":3},"content":[{"text":"Updating from the older ldap-authn-config.xml","type":"text"}]},{"type":"paragraph","content":[{"text":"While the older, longer file should work in ","type":"text"},{"text":"mos","type":"text","marks":[{"type":"em"}]},{"text":"t cases, it is a good idea to consider removing the file from the distribution.","type":"text"}]},{"type":"paragraph","content":[{"text":"Having said that, removing the file will break initially unless you also explicitly define the bean called ","type":"text"},{"text":"shibboleth.authn.Password.Validators","type":"text","marks":[{"type":"strong"}]},{"text":" (shown above), which is present by default in ","type":"text"},{"text":"password-authn-config.xml","type":"text","marks":[{"type":"em"}]},{"text":" in new installs. For LDAP alone, the example above generally suffices.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"One issue that does come up with the older file: the defaults around pooling validation in V3 were expressed numerically in seconds, and these numbers are interpreted in V4 as milliseconds. The proper syntax is really XML Duration syntax (PT5M == 5 minutes) and not numerically, but out of the box using the old file with V4 and not setting some of the pooling properties will result in dramatically frequent pool validation on the order of every half second. The logs will be very noisy so it's quite obvious.","type":"text"}]},{"type":"paragraph","content":[{"text":"To correct this, either remove the old file (and define the new bean noted above), or change the property defaults in the old file, or actually set the properties themselves rather than leaving them commented.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"The following sections describe how to configure a single instance of an LDAP CredentialValidator using the beans and properties that were available in V3 and are used by default in V4.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Authenticator Configuration","type":"text"}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"idp.authn.LDAP.authenticator","type":"text","marks":[{"type":"strong"}]},{"text":" property controls the workflow for how authentication occurs against the LDAP directory for most “simple” cases by automatically configuring a number of underlying objects based on a set of built-in “authenticator types” supported by the ldaptive library.","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"d2d3f83a-d801-427c-abc1-66094fbce77b"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[235.0]},"content":[{"type":"paragraph","content":[{"text":"anonSearchAuthenticator","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[975.0]},"content":[{"type":"paragraph","content":[{"text":"Performs an anonymous search for the user's DN","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[235.0]},"content":[{"type":"paragraph","content":[{"text":"bindSearchAuthenticator","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[975.0]},"content":[{"type":"paragraph","content":[{"text":"Binds with a configured DN as a service account, then searches for the user's DN","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[235.0]},"content":[{"type":"paragraph","content":[{"text":"directAuthenticator","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[975.0]},"content":[{"type":"paragraph","content":[{"text":"User DNs are of a known format. i.e. CN=user_name,ou=accounts,dc=domain,dc=edu. No DN search is performed.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[235.0]},"content":[{"type":"paragraph","content":[{"text":"adAuthenticator","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[975.0]},"content":[{"type":"paragraph","content":[{"text":"Configuration that leverages the AD specific @domain.com format. No DN search is performed since AD supports binding directly with that user name.","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"text":"Depending on the choice above, various other properties must be set (see the reference section below).","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Connection Configuration","type":"text"}]},{"type":"paragraph","content":[{"text":"Use the following properties to configure basic connection information for the LDAP directory:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.ldapURL","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.useStartTLS","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.connectTimeout","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"paragraph","content":[{"text":"A connection pool is used, and there are several properties used to configure pool behavior (see the reference below).","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"SSL Configuration","type":"text"}]},{"type":"paragraph","content":[{"text":"If StartTLS or SSL are used, a source of trust anchors must be configured to control certificate validation, using the ","type":"text"},{"text":"idp.authn.LDAP.sslConfig","type":"text","marks":[{"type":"strong"}]},{"text":" property:","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"68efe218-8c45-4478-8922-b5a74a15caf8"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[153.0]},"content":[{"type":"paragraph","content":[{"text":"certificateTrust","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[1057.0]},"content":[{"type":"paragraph","content":[{"text":"Uses the ","type":"text"},{"text":"idp.authn.LDAP.trustCertificates","type":"text","marks":[{"type":"strong"}]},{"text":" property to load a resource containing the trust anchors (such as a file of PEM-format certificates)","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[153.0]},"content":[{"type":"paragraph","content":[{"text":"keyStoreTrust","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[1057.0]},"content":[{"type":"paragraph","content":[{"text":"Uses the ","type":"text"},{"text":"idp.authn.LDAP.trustStore","type":"text","marks":[{"type":"strong"}]},{"text":" property to load a keystore containing the trust anchors","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[153.0]},"content":[{"type":"paragraph","content":[{"text":"jvmTrust","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[1057.0]},"content":[{"type":"paragraph","content":[{"text":"Uses the default JVM trust anchors (the JVM-wide \"cacerts\" file)","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[153.0]},"content":[{"type":"paragraph","content":[{"text":"disabled ","type":"text"},{"text":"4.3","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[1057.0]},"content":[{"type":"paragraph","content":[{"text":"Does not allow SSL or startTLS connections.","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"text":"We have tentative plans to deprecate the “jvmTrust” option, which has already been removed from the attribute resolution side of the software, as it is bad practice and has been a source of serious security flaws.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Reference","type":"text"}]},{"type":"expand","attrs":{"title":"Properties"},"content":[{"type":"paragraph","content":[{"text":"A number of properties are found in ","type":"text"},{"text":"ldap.properties","type":"text","marks":[{"type":"em"}]},{"text":" to configure LDAP authentication global defaults. Most of the time, this is sufficient to deal with most configurations without having to delve into modifying any beans, unless you're trying to chain together separately configured back-ends.","type":"text"}]},{"type":"paragraph","content":[{"text":"Note that the big \"override everything\" hook tends to be the ","type":"text"},{"text":"idp.authn.LDAP.authenticator","type":"text","marks":[{"type":"strong"}]},{"text":" property, as most of the other properties auto-configure specific aspects of one of the built-in Authenticator beans.","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"dac043b8-c60c-42e9-ad3e-1f9949454e92"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"Property","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Type","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"Default","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Function","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.authenticator","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Enumeration","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"anonSearchAuthenticator","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Controls the workflow for how authentication occurs against the LDAP, one of: anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.ldapURL","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"LDAP URI","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Connection URI for LDAP directory.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.useStartTLS","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"true","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Whether StartTLS should be used after connecting with LDAP alone.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.useSSL","type":"text","marks":[{"type":"strike"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text","marks":[{"type":"strike"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text","marks":[{"type":"strike"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"DEPRECATED. To use LDAPS, specify ldaps:// in the idp.authn.LDAP.ldapURL property.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.connectTimeout","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Duration","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"PT3S","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Time to wait for the TCP connection to occur.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.responseTimeout","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Duration","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"PT3S","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Time to wait for an LDAP response message. (Applies to every request.)","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.connectionStrategy","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Enumeration","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"ACTIVE_PASSIVE","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Connection strategy to use when multiple URLs are supplied, one of ACTIVE_PASSIVE, ROUND_ROBIN, RANDOM","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.sslConfig","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Enumeration","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"certificateTrust","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"How to establish trust in the server's TLS certificate, one of: jvmTrust, certificateTrust, or keyStoreTrust","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.trustCertificates","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Resource path","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"A resource to load trust anchors from, usually a local file in %{idp.home}/credentials","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.trustStore","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Resource path","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"A resource to load a Java keystore containing trust anchors, usually a local file in %{idp.home}/credentials","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.returnAttributes","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Comma-sep'd Strings","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"List of attributes to request during authentication","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.baseDN","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"String","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Base DN to search against, used by anonSearchAuthenticator, bindSearchAuthenticator","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.subtreeSearch","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Whether to search recursively, used by anonSearchAuthenticator, bindSearchAuthenticator","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.userFilter","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"String","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"LDAP search filter, used by anonSearchAuthenticator, bindSearchAuthenticator","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.bindDN","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"String","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"DN to bind with during search, used by bindSearchAuthenticator","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.bindDNCredential","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"String","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Password to bind with during search, used by bindSearchAuthenticator, usually set via ","type":"text"},{"text":"%{idp.home}/credentials/secrets.properties","type":"text","marks":[{"type":"em"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.dnFormat","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"String","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"A formatting string to generate the user DNs to authenticate, used by directAuthenticator, adAuthenticator","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.resolveEntryOnFailure","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Whether the user's LDAP entry should be returned in the authentication response even when the user bind fails.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.resolveEntryWithBindDN","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Whether the user's LDAP entry should be resolved with the bindDN credentials rather than as the authenticated user.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.usePasswordPolicy","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Whether to use the ","type":"text"},{"text":"Password Policy Control","type":"text","marks":[{"type":"link","attrs":{"href":"https://tools.ietf.org/html/draft-behera-ldap-password-policy-10"}}]},{"text":".","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.usePasswordExpiration","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Whether to use the ","type":"text"},{"text":"Password Expired Control","type":"text","marks":[{"type":"link","attrs":{"href":"https://tools.ietf.org/html/draft-vchu-ldap-pwd-policy-00"}}]},{"text":".","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.activeDirectory","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"If you are using Active Directory, this switch will attempt to use the account states defined by AD. Note that this flag is unnecessary if you are using the 'adAuthenticator'. It is meant to be specified with one of the other authenticator types.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.freeIPADirectory","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"If you are using the FreeIPA LDAP, this switch will attempt to use the account states defined by that product.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.eDirectory","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"If you are using the EDirectory LDAP, this switch will attempt to use the account states defined by that product.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.disablePooling","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Whether connection pools should be used for LDAP connections used for authentication.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.pool.LDAP.minSize","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Integer","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"3","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Minimum LDAP connection pool size","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.pool.LDAP.maxSize","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Integer","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"10","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Maximum LDAP connection pool size","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.pool.LDAP.validateOnCheckout","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Whether to validate connections when checking them out of the pool","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.pool.LDAP.validatePeriodically","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"true","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Whether to validate connections in the background","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.pool.LDAP.validatePeriod","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Duration","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"PT5M","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Duration between validation, if ","type":"text"},{"text":"idp.pool.LDAP.validatePeriodically","type":"text","marks":[{"type":"strong"}]},{"text":" is true","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.pool.LDAP.validateDN","type":"text"},{"text":" 4.0.1","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"String","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"DN to search with the validateFilter, default is the rootDSE","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.pool.LDAP.validateFilter","type":"text"},{"text":" 4.0.1","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"String","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"(objectClass=*)","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Search filter to execute in order to validate a pooled connection","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.pool.LDAP.prunePeriod","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Duration","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"PT5M","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Duration between looking for idle connections to reduce the pool back to its minimum size","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.pool.LDAP.idleTime","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Duration","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"PT10M","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Duration connections must be idle to be eligible for pruning","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.pool.LDAP.blockWaitTime","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Duration","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"PT3S","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Duration to wait for a free connection in the pool","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[261.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.bindPoolPassivator","type":"text"},{"text":" 4.0.1","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Enumeration","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"none","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[417.0]},"content":[{"type":"paragraph","content":[{"text":"Controls how connections in the bind pool are passivated. Connections in the bind pool may be in an authenticated state that will not allow validation searches to succeed. This property controls how bind connections are placed back into the pool. If your directory requires searches to be performed by the ","type":"text"},{"text":"idp.authn.LDAP.bindDN","type":"text","marks":[{"type":"strong"}]},{"text":" or anonymously, this property controls that behavior. one of: none, bind, anonymousBind.","type":"text"}]}]}]}]}]},{"type":"expand","attrs":{"title":"Beans"},"content":[{"type":"paragraph","content":[{"text":"Properties can be used to configure all of the built-in beans used for this feature, so the only bean of relevance is below.","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"22a9db4a-e0b9-494e-b85a-57b08513391c"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[304.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[252.0]},"content":[{"type":"paragraph","content":[{"text":"Type","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[614.0]},"content":[{"type":"paragraph","content":[{"text":"Function","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[304.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.LDAPAuthenticationFactory","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[252.0]},"content":[{"type":"paragraph","content":[{"text":"LDAPAuthenticationFactoryBean","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.authn.config.LDAPAuthenticationFactoryBean"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[614.0]},"content":[{"type":"paragraph","content":[{"text":"Factory bean parent for defining new instances of the ","type":"text"},{"text":"org.ldaptive.auth.Authenticator","type":"text","marks":[{"type":"link","attrs":{"href":"http://ldaptive.org/v1/javadocs/org/ldaptive/Authenticator,html"}}]},{"text":" class if required","type":"text"}]}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Advanced Features","type":"text"}]},{"type":"paragraph","content":[{"text":"Note that for some advanced use cases, it may be necessary to dig deeply into the Ldaptive ","type":"text"},{"text":"documentation","type":"text","marks":[{"type":"link","attrs":{"href":"http://www.ldaptive.org/v1/"}}]},{"text":" and wire up custom objects using, or based on beans in the older V3 version of ","type":"text"},{"text":"authn/ldap-authn-config.xml,","type":"text","marks":[{"type":"em"}]},{"text":" ultimately installing an instance of org.ldaptive.auth.Authenticator into the \"authenticator\" property of a particular LDAPCredentialValidator bean. Most of the flexibility comes from all the various types of objects that can be injected into instances of the Authenticator class.","type":"text"}]},{"type":"expand","attrs":{"title":"Attribute Retrieval"},"content":[{"type":"paragraph","content":[{"text":"LDAP attributes are returned as part of the authentication process and exposed in the ","type":"text"},{"text":"LDAPResponseContext.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#222222"}}]}]},{"type":"table","attrs":{"layout":"default","localId":"493f566f-e25e-4c8f-8665-a6e15945a2f7"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[286.0]},"content":[{"type":"paragraph","content":[{"text":"Property","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"Sample","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[687.0]},"content":[{"type":"paragraph","content":[{"text":"Result","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":4,"colwidth":[286.0]},"content":[{"type":"paragraph"},{"type":"paragraph"},{"type":"paragraph","content":[{"text":"idp.authn.LDAP.returnAttributes","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"uid,","type":"text"}]},{"type":"paragraph","content":[{"text":"eduPersonAffiliation","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[687.0]},"content":[{"type":"paragraph","content":[{"text":"Returns the uid and","type":"text"}]},{"type":"paragraph","content":[{"text":"eduPersonAffiliation attributes.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"*","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[687.0]},"content":[{"type":"paragraph","content":[{"text":"Returns all user attributes on the entry.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"*,+","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[687.0]},"content":[{"type":"paragraph","content":[{"text":"Returns all user and operational attributes on the entry.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"1.1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[687.0]},"content":[{"type":"paragraph","content":[{"text":"No attribute returned. No search performed.","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"text":"By default, attributes will be searched for using the same connection the user authenticated on. Therefore the user must have read on any attributes for those to be returned.","type":"text"}]},{"type":"paragraph","content":[{"text":"If you need access to attributes that user does not have read access to, then you must configure a connection pool that is authorized to read that data. The following configuration demonstrates how to add a new connection pool for that purpose.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Spring Configuration","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\n...\n \n\n\n\n\n\n\n\n \n \n \n \n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"Add the ","type":"text"},{"text":"idp.authn.LDAP.entryResolver.bindDN","type":"text","marks":[{"type":"strong"}]},{"text":" and ","type":"text"},{"text":"idp.authn.LDAP.entryResolver.bindDNCredential","type":"text","marks":[{"type":"strong"}]},{"text":" properties to ","type":"text"},{"text":"conf/ldap.properties","type":"text","marks":[{"type":"em"}]},{"text":" and ","type":"text"},{"text":"credentials/secrets.properties","type":"text","marks":[{"type":"em"}]},{"text":" respectively. Then set ","type":"text"},{"text":"idp.authn.LDAP.authenticator","type":"text","marks":[{"type":"strong"}]},{"text":" to anonSearchAuthenticator. to complete the configuration.","type":"text"}]},{"type":"paragraph","content":[{"text":"Note: if you're using the bindSearchAuthenticator and those credentials can be reused for entry resolution, then this configuration can be shortened by wiring the bindPooledConnectionFactory to the entry resolver.","type":"text"}]}]},{"type":"expand","attrs":{"title":"DN Resolution"},"content":[{"type":"heading","attrs":{"level":3},"content":[{"text":"Single Directory with Multiple Branches","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Extensible Matching","type":"text"}]},{"type":"paragraph","content":[{"text":"If your directory supports extensible matching, this is the easiest way to find users that are distributed over multiple branches.","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"3bfdf6c2-8e22-4665-b9fa-aa0bdef44121"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[267.0]},"content":[{"type":"paragraph","content":[{"text":"Property","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[388.0]},"content":[{"type":"paragraph","content":[{"text":"Value","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[546.0]},"content":[{"type":"paragraph","content":[{"text":"Result","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[267.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.userFilter","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[388.0]},"content":[{"type":"paragraph","content":[{"text":"(&(|(ou:dn:=people)(ou:dn:=guests))(uid={user}))","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[546.0]},"content":[{"type":"paragraph","content":[{"text":"Returns the entry that matches uid on either the people or guests branch.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[267.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.baseDN","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[388.0]},"content":[{"type":"paragraph","content":[{"text":"dc=example,dc=org","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[546.0]},"content":[{"type":"paragraph","content":[{"text":"The branch containing both ou=people and ou=guests.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[267.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.LDAP.subtreeSearch","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[388.0]},"content":[{"type":"paragraph","content":[{"text":"true","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[546.0]},"content":[{"type":"paragraph","content":[{"text":"Enable subtree searching on the dc=example,dc=org branch.","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Aggregate DN Resolver","type":"text"}]},{"type":"paragraph","content":[{"text":"This authenticator combines the results of multiple DN resolvers.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Spring Configuration","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\n\n\n\n\n\n \n \n \n\n\n \n \n \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n \n \n\n\n \n \n\n\n\n\n\n\n\n \n \n\n\n \n\n\n\n \n \n\n\n\n\n\n\n\n \n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"Add the ","type":"text"},{"text":"idp.authn.LDAP.baseDN[12]","type":"text","marks":[{"type":"strong"}]},{"text":" and ","type":"text"},{"text":"idp.authn.LDAP.userFilter[12]","type":"text","marks":[{"type":"strong"}]},{"text":" properties to ","type":"text"},{"text":"conf/ldap.properties.","type":"text","marks":[{"type":"em"}]},{"text":" The key values used in dnResolvers and authHandlers can be anything, but must tie a single DN resolver to a single auth handler. By default an error will occur if more than (1) DN is resolved.","type":"text"}]},{"type":"paragraph","content":[{"text":"In addition to these beans, the ","type":"text"},{"text":"aggregateAuthenticator","type":"text","marks":[{"type":"strong"}]},{"text":" bean (in the example above) must be injected into the LDAP credential validator in password-authn-config.xml:","type":"text"}]},{"type":"codeBlock","content":[{"text":"\n \n \n","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Multiple Directories","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Aggregate DN Resolver","type":"text"}]},{"type":"paragraph","content":[{"text":"This authenticator combines the results of multiple DN resolvers that connect to multiple directories.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Spring Configuration","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n \n\n\n \n\n\n\n \n \n\n\n \n \n\n","type":"text"}]},{"type":"paragraph","content":[{"text":"Complete example with DN resolvers and authentication handlers for bindSearch","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\n\n\n\n\n \n \n\n\n\n\n\n\n\n\n\n \n \n \n\n\n\n\n\n\n\n\n \n \n \n\n\n\n\n\n \n \n\n\n\n\n\n\n\n\n\n\n\n\n\n","type":"text"}]},{"type":"paragraph","content":[{"text":"DN resolvers are invoked asynchronously, so all resolvers will be used for each authentication request.","type":"text"}]}]},{"type":"expand","attrs":{"title":"Account State"},"content":[{"type":"paragraph","content":[{"text":"The ldaptive LDAP library has the ability to extract detailed account status information from the directory during authentication. According to the ","type":"text"},{"text":"Ldaptive documentation","type":"text","marks":[{"type":"link","attrs":{"href":"http://www.ldaptive.org/docs/guide/authentication/accountstate"}}]},{"text":", no standard for exposing account state data has been universally adopted by LDAP vendors, but the library uses a handler which encapsulates account state information. This state contains Warning and Error types that are common to the most popular policy implementations.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Password Policy Control","type":"text"}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"Password Policy for LDAP Directories","type":"text","marks":[{"type":"link","attrs":{"href":"https://tools.ietf.org/html/draft-behera-ldap-password-policy-10"}}]},{"text":" (draft) standard is implemented by several LDAP directories, including ","type":"text"},{"text":"OpenLDAP","type":"text","marks":[{"type":"link","attrs":{"href":"http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies"}}]},{"text":" and ","type":"text"},{"text":"Oracle DSEE","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.oracle.com/cd/E29127_01/doc.111170/e28972/ds-password-policy.htm"}}]},{"text":". The Password Policy Control is used during an LDAP bind operation to request information about the user's account state.","type":"text"}]},{"type":"paragraph","content":[{"text":"To enable the Password Policy Control handlers in ldaptive, add the following to ","type":"text"},{"text":"conf/ldap.properties","type":"text","marks":[{"type":"em"}]},{"text":":","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"conf/ldap.properties","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"# Use password policy control\nidp.authn.LDAP.usePasswordPolicy = true","type":"text"}]},{"type":"paragraph","content":[{"text":"The user will be informed on the login page if there are any Password Policy warnings or errors (messages can be customized in ","type":"text"},{"text":"messages/messages.properties","type":"text","marks":[{"type":"em"}]},{"text":").","type":"text"}]},{"type":"paragraph","content":[{"text":"Password expiration warnings have been confirmed to work with Oracle DSEE. Please notify us or edit this page if you test successfully with other directory products.","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Locked Accounts","type":"text"}]},{"type":"paragraph","content":[{"text":"To inform the user of a locked account, some configuration is needed to detect the error code returned by the LDAP bind request.","type":"text"}]},{"type":"paragraph","content":[{"text":"In ","type":"text"},{"text":"authn/password-authn-config.xml","type":"text","marks":[{"type":"em"}]},{"text":", add an entry to the message clasification rules defined by ","type":"text"},{"text":"shibboleth.authn.Password.ClassifiedMessageMap","type":"text","marks":[{"type":"strong"}]}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"password-authn-config.xml","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n ACCOUNT_LOCKED\n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"This maps the error code to a AccountLocked event. It will run the empty user flow ","type":"text"},{"text":"authn/conditions/account-locked","type":"text","marks":[{"type":"em"}]},{"text":" and then pass control back to the form. With this configuration, the user gets the message \"Your account is locked\".","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Debug information","type":"text"}]},{"type":"paragraph","content":[{"text":"Details of the AuthenticationResponse received, including the password policy controls, can be viewed using the TRACE log level in the logger of name \"net.shibboleth.idp\" (edit ","type":"text"},{"text":"logback.xml","type":"text","marks":[{"type":"em"}]},{"text":").","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Active Directory Configuration","type":"text"}]},{"type":"paragraph","content":[{"text":"The system comes with definitions to configure Active Directory authentication response handlers against a single directory.","type":"text"}]},{"type":"paragraph","content":[{"text":"Active Directory does not fully support extensible match rules (","type":"text"},{"text":"https://msdn.microsoft.com/en-us/library/cc223241.aspx","type":"text","marks":[{"type":"link","attrs":{"href":"https://msdn.microsoft.com/en-us/library/cc223241.aspx"}}]},{"text":").","type":"text"}]},{"type":"paragraph","content":[{"text":"Active Directory (by default) does not support anonymous queries (","type":"text"},{"text":"https://technet.microsoft.com/en-us/library/Cc755809%28v=WS.10%29.aspx","type":"text","marks":[{"type":"link","attrs":{"href":"https://technet.microsoft.com/en-us/library/Cc755809%28v=WS.10%29.aspx"}}]},{"text":").","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Using an entry resolver to generate password expiration warnings","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Spring Configuration","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\n \n \n\n \n\n\n\n\n\n\n \n \n \n \n \n \n \n \n \n \n\n \n\n\n\n\n\n\n\n \n \n \n \n \n","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Example for two Active Directories with two DN Resolvers for each","type":"text"}]},{"type":"paragraph","content":[{"text":"This example uses directed BaseDN's with LDAP filters, and binds the queries.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Spring Configuration","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n \n \n \n\n \n \n\n \n \n \n \n\n \n \n\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n \n \n\n \n \n\n \n \n \n \n \n \n \n \n \n \n \n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n \n \n \n \n \n\n \n \n \n \n ","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Add missing Active Directory account state errors","type":"text"}]},{"type":"paragraph","content":[{"text":"If adAuthenticator is the authenticator set in the ","type":"text"},{"text":"idp.authn.LDAP.authenticator","type":"text","marks":[{"type":"strong"}]},{"text":" property, Short Description values are contained in the response. If bindSearchAuthenticator is the authenticator set in the ","type":"text"},{"text":"idp.authn.LDAP.authenticator","type":"text","marks":[{"type":"strong"}]},{"text":" property, HEX values are contained in the response. It is possible to use either or both as outlined in the following example. (","type":"text"},{"text":"http://ldapwiki.willeke.com/wiki/Common%20Active%20Directory%20Bind%20Errors","type":"text","marks":[{"type":"link","attrs":{"href":"http://ldapwiki.willeke.com/wiki/Common%20Active%20Directory%20Bind%20Errors"}}]},{"text":" )","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"password-authn-config.xml","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":" ...\n \n \n ACCOUNT_DISABLED\n 533\n \n \n \n \n ACCOUNT_EXPIRED\n \n \n \n \n ACCOUNT_LOCKED_OUT\n 775\n \n \n \n \n PASSWORD_EXPIRED\n PASSWORD_MUST_CHANGE\n 532\n \n \n ...","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"messages/messages.properties","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"text":"...\nAccountDisabled = account-disabled\nAccountExpired = account-expired\nAccountLocked = account-locked\nChangePassword = change-password\n\naccount-disabled.message = Your account is disabled.\naccount-expired.message = Your account has expired.\naccount-locked.message = Your account is locked.\nchange-password.message = You must change your password before authenticating here.\n...","type":"text"}]}]},{"type":"paragraph"}],"version":1}

Browser not supported