The LDAPCredentialValidator for the password authentication login flow uses native LDAP libraries for password-based authentication instead of using a JAAS module. The primary advantages are slightly better performance and more control over the process, such as the ability to extract detailed account status information from the directory during a login. One disadvantage is that JAAS configurations may be reloaded each time they're used, while the native configuration is static.
The following sections describe how to configure a single instance of an LDAP CredentialValidator using the beans and properties that were available in V3 and are used by default in V4.
The idp.authn.LDAP.authenticator property controls the workflow for how authentication occurs against the LDAP directory. The available choices are:
- Performs an anonymous search for the user's DN, then binds as the user.
- Binds with a configured DN as a service account, then searches for the user's DN.
- User DNs are of a known format (e.g. CN=user_name,ou=accounts,dc=domain,dc=edu), so no DN search is performed.
- Uses the Active Directory-specific user@domain.com format. No DN search is performed, since AD supports binding directly with that user name.
Depending on the choice above, various other properties must be set (see the reference section below).
Use the following properties to configure basic connection information for the LDAP directory:
A connection pool is used, and there are several properties used to configure pool behavior (see the reference below).
If StartTLS or SSL is used, a source of trust anchors must be configured to control certificate validation, using the idp.authn.LDAP.sslConfig property. The available choices are:
- Uses the idp.authn.LDAP.trustCertificates property to load a resource containing the trust anchors (such as a file of PEM-format certificates)
- Uses the idp.authn.LDAP.trustStore property to load a keystore containing the trust anchors
- Uses the default JVM trust anchors (the JVM-wide "cacerts" file)
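The choices above depend on each other: each authenticator needs its own search or bind properties, and each sslConfig value other than the JVM default needs a trust-anchor property. The following checker, added here as an example and not taken from the IdP documentation or code, reads a conf/ldap.properties fragment and reports the dependencies that are unmet, including the case where passwords would be bound over an unencrypted connection. The authenticator and sslConfig values and the property names the page does not quote (ldapURL, useStartTLS, baseDN, userFilter, bindDN, bindDNCredential, dnFormat) are assumed to match the IdP's conf/ldap.properties; the sample fragment is constructed.

```python
# Added example, not IdP code: checks the dependencies between the ldap.properties choices this
# page describes. Names not quoted on the page (ldapURL, useStartTLS, baseDN, userFilter, bindDN,
# bindDNCredential, dnFormat) are assumed to match conf/ldap.properties; the sample is constructed.
P = "idp.authn.LDAP."
REQUIRED = {  # authenticator choice -> properties that choice needs
    "anonSearchAuthenticator": ("baseDN", "userFilter"),
    "bindSearchAuthenticator": ("baseDN", "userFilter", "bindDN", "bindDNCredential"),
    "directAuthenticator": ("dnFormat",),
    "adAuthenticator": ("dnFormat",),
}
TRUST = {"certificateTrust": "trustCertificates", "keyStoreTrust": "trustStore", "jvmTrust": None}

def parse_properties(text):
    props = {}  # minimal Java .properties reader: key = value, '#'/'!' comments, no continuations
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")):
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props
def check_ldap_properties(props):
    findings = []  # empty list means the choices and their dependencies line up
    auth = props.get(P + "authenticator")
    if auth not in REQUIRED:
        findings.append(f"unknown or missing {P}authenticator: {auth!r}")
    for key in REQUIRED.get(auth, ()):
        if not props.get(P + key):
            findings.append(f"{auth} requires {P}{key}")
    tls = props.get(P + "useStartTLS", "").lower() == "true"  # unset is treated as off here
    if not (props.get(P + "ldapURL", "").startswith("ldaps://") or tls):
        findings.append("password binds would be cleartext: use ldaps:// or useStartTLS = true")
    else:
        ssl = props.get(P + "sslConfig")
        if ssl not in TRUST:
            findings.append(f"unknown or missing {P}sslConfig: {ssl!r}")
        elif TRUST[ssl] and not props.get(P + TRUST[ssl]):
            findings.append(f"sslConfig={ssl} requires {P}{TRUST[ssl]}")
    return findings

GOOD = """idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://ldap.example.org:389
idp.authn.LDAP.useStartTLS = true
idp.authn.LDAP.sslConfig = certificateTrust
idp.authn.LDAP.trustCertificates = /opt/shibboleth-idp/credentials/ldap-server.crt
idp.authn.LDAP.baseDN = ou=accounts,dc=example,dc=org
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,ou=service,dc=example,dc=org
idp.authn.LDAP.bindDNCredential = example-only-secret"""
BAD = "\n".join(ln for ln in GOOD.splitlines() if "useStartTLS" not in ln and "bindDNCredential" not in ln)
```

Running check_ldap_properties(parse_properties(BAD)) reports the missing service-account credential and the cleartext bind, while the GOOD fragment yields no findings.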
Note that for some advanced use cases, it may be necessary to dig deeply into the Ldaptive documentation and wire up custom objects, using or based on the beans in the older V3 version of authn/ldap-authn-config.xml. The end result is an instance of org.ldaptive.auth.Authenticator installed into the "authenticator" property of a particular LDAPCredentialValidator bean; for a single validator this can be done by setting the idp.authn.LDAP.authenticator property in conf/ldap.properties to that bean's name. Most of the flexibility comes from the various types of objects that can be injected into instances of the Authenticator class.