The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.
JNDIDataConnector
Configuring a LDAP Data Connector
The LDAP connector allows you to pull attributes from data stores that can be accessed through a Java JNDI interface (which covers most LDAPv3-compliant servers). This connector pools connections in order to enhance performance. See the advanced configuration section in order to disable this.
Configuring the Connector
Create a JNDIDirectoryDataConnector with its id attribute and optional attributes:
useStartTls - true if startTLS should be used, defaults to false
mergeMultipleResults - true if a query that returns multiple results should have the attributes (and values) from each result merged into a single result, defaults to false
noResultIsError - true if an LDAP query that does not return a result is an error, defaults to true
Create a Search element, as a child of JNDIDirectoryDataConnector, with an attribute, filter, whose value is the LDAP search filter to use. The macro %PRINCIPAL% may be used to insert the current principal's name into the search filter.
Optionally, a Controls element with any of the following attributes:
Optionally, create Property elements, children of the JNDIDirectoryDataConnector element, with attributes name and value containing the following values as appropriate.
A more exhaustive list of these properties can be found on the Sun JNDI site.
Active Directory users
Active Directory has a number of deployment configurations that may prevent LDAP referrals from working properly. If you are using LDAP directories, it is strongly suggested that you set the java.naming.referral property to ignore.
Example Configuration
This example demonstrates a basic configuration without pooling or SSL.
<JNDIDirectoryDataConnector id="directory">
    <Search filter="cn=%PRINCIPAL%">
        <Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
    </Search>
    <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
    <Property name="java.naming.provider.url" value="ldap://ldap.example.edu/dc=example,dc=edu" />
    <Property name="java.naming.security.principal" value="cn=admin,dc=example,dc=edu" />
    <Property name="java.naming.security.credentials" value="examplepw" />
</JNDIDirectoryDataConnector>
This example demonstrates a configuration that uses LDAP over SSL to communicate with the directory. This assumes that the LDAP server's certificate has been imported into the JVM's trust store.
<JNDIDirectoryDataConnector id="directorySecure">
    <Search filter="cn=%PRINCIPAL%">
        <Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
    </Search>
    <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
    <Property name="java.naming.provider.url" value="ldap://ldap.example.edu:636/dc=example,dc=edu" />
    <Property name="java.naming.security.protocol" value="ssl" />
    <Property name="java.naming.security.principal" value="cn=admin,dc=example,dc=edu" />
    <Property name="java.naming.security.credentials" value="examplepw" />
</JNDIDirectoryDataConnector>
This example demonstrates a configuration that pools LDAP connections.
<JNDIDirectoryDataConnector id="directoryPooled">
    <Search filter="cn=%PRINCIPAL%">
        <Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
    </Search>
    <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
    <Property name="java.naming.provider.url" value="ldap://ldap.example.edu/dc=example,dc=edu" />
    <Property name="com.sun.jndi.ldap.connect.pool" value="true" />
    <Property name="com.sun.jndi.ldap.connect.pool.initsize" value="5" />
    <Property name="com.sun.jndi.ldap.connect.pool.prefsize" value="5" />
    <Property name="com.sun.jndi.ldap.connect.pool.authentication" value="none simple DIGEST-MD5" />
    <Property name="com.sun.jndi.ldap.connect.pool.protocol" value="plain ssl" />
</JNDIDirectoryDataConnector>
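What these configurations amount to in plain JNDI terms, as an added Java example that is not code from the Shibboleth project: the Property elements become the environment Hashtable handed to InitialDirContext, the Controls element maps to a SearchControls object (SUBTREE_SCOPE, returningObjects=false), and the %PRINCIPAL% macro is expanded into the Search element's filter. The example escapes the principal name per RFC 4515 before substituting it, because a name containing characters such as `*`, `(` or `)` would otherwise change the meaning of the filter; whether the V1 connector itself escaped the macro is not stated on this page. The handling of noResultIsError and mergeMultipleResults follows the attribute descriptions above and is this example's reading of them. Host name, bind DN, password and pool sizes are the placeholder values from the examples above; in Sun's LDAP provider the com.sun.jndi.ldap.connect.pool.* sizing and protocol keys are JVM system properties rather than environment entries, which is why the example sets them with System.setProperty.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Added example (not Shibboleth code): the JNDI calls behind a JNDIDirectoryDataConnector.
// Server name, bind DN, password and pool sizes are the placeholders from the page's examples.
public class JndiConnectorExample {

    // Escape a value per RFC 4515 so it cannot alter the structure of the search filter.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Expand the %PRINCIPAL% macro of the Search element's filter attribute.
    static String expandFilter(String filterTemplate, String principal) {
        return filterTemplate.replace("%PRINCIPAL%", escapeFilterValue(principal));
    }

    // The Property elements of the "directorySecure" example, plus the AD referral advice.
    static Hashtable<String, String> environment() {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://ldap.example.edu:636/dc=example,dc=edu");
        env.put(Context.SECURITY_PROTOCOL, "ssl");                 // java.naming.security.protocol
        env.put(Context.SECURITY_PRINCIPAL, "cn=admin,dc=example,dc=edu");
        env.put(Context.SECURITY_CREDENTIALS, "examplepw");        // placeholder password
        env.put(Context.REFERRAL, "ignore");                       // java.naming.referral
        env.put("com.sun.jndi.ldap.connect.pool", "true");         // enable the provider's pool
        return env;
    }

    // Run the search with the page's Controls and apply the connector's
    // noResultIsError / mergeMultipleResults semantics as described above.
    static Attributes resolve(DirContext ctx, String filterTemplate, String principal,
                              boolean noResultIsError, boolean mergeMultipleResults)
            throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);    // searchScope="SUBTREE_SCOPE"
        controls.setReturningObjFlag(false);                       // returningObjects="false"
        String filter = expandFilter(filterTemplate, principal);

        NamingEnumeration<SearchResult> results = ctx.search("", filter, controls);
        Attributes merged = new BasicAttributes(true);            // attribute IDs are case-insensitive
        int count = 0;
        while (results.hasMore()) {
            SearchResult result = results.next();
            count++;
            if (count > 1 && !mergeMultipleResults) {
                throw new NamingException("filter " + filter + " matched more than one entry");
            }
            // Merge attributes (and their values) of every result into one attribute set.
            NamingEnumeration<? extends Attribute> attrs = result.getAttributes().getAll();
            while (attrs.hasMore()) {
                Attribute attr = attrs.next();
                Attribute target = merged.get(attr.getID());
                if (target == null) {
                    merged.put(attr);
                } else {
                    NamingEnumeration<?> values = attr.getAll();
                    while (values.hasMore()) target.add(values.next());
                }
            }
        }
        if (count == 0 && noResultIsError) {
            throw new NamingException("no entry matched filter " + filter);
        }
        return merged;
    }

    public static void main(String[] args) throws NamingException {
        // Pool sizing keys from the "directoryPooled" example are system properties in Sun's provider.
        System.setProperty("com.sun.jndi.ldap.connect.pool.initsize", "5");
        System.setProperty("com.sun.jndi.ldap.connect.pool.prefsize", "5");
        System.setProperty("com.sun.jndi.ldap.connect.pool.authentication", "none simple DIGEST-MD5");
        System.setProperty("com.sun.jndi.ldap.connect.pool.protocol", "plain ssl");

        // A principal name carrying filter metacharacters stays a literal value after escaping:
        // prints cn=jdoe\2a\29\28objectClass=\2a
        System.out.println(expandFilter("cn=%PRINCIPAL%", "jdoe*)(objectClass=*"));

        DirContext ctx = new InitialDirContext(environment());
        try {
            System.out.println(resolve(ctx, "cn=%PRINCIPAL%", "jdoe", true, false));
        } finally {
            ctx.close();
        }
    }
}
```

The escaping step is the part worth keeping in mind when choosing a filter: with the page's `cn=%PRINCIPAL%` the principal name is placed directly inside an assertion value, so anything the identity provider accepts as a principal name reaches the directory as filter text unless it is escaped first.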