Below are details of configuring deployment descriptor properties, secure communication, and active reconfiguration.
Deployment descriptor properties
To configure the LDAP RA, you declare the following properties in its deployment descriptor:
Name | Type | Default | Description | Active reconfig?
---|---|---|---|---
User | String | | LDAP user to use for each connection | No
Password | String | | LDAP password to use for each connection | No
Host | String | | LDAP server group information to use for the connections | No
ConnectionTimeout | Integer | 5000 | how long, in milliseconds, the RA should wait when trying to establish a TCP connection with a remote peer | Yes
QueryTimeout | Long | 2000 | timeout, in milliseconds, for a specific query (any further results sent by the server won’t be processed for the query) | Yes
TimeLimit | Integer | 0 | maximum time, in seconds, that the server should spend processing a specific query | Yes
SearchMinConnections | Integer | 10 | how few TCP connections the RA will hold open in the search connection pool (assuming the LDAP servers are reachable) | Yes
SearchMaxConnections | Integer | 20 | how many TCP connections the RA will hold open in the search connection pool | Yes
BindMinConnections | Integer | 0 | how few TCP connections the RA will hold open in the bind connection pool (assuming the LDAP servers are reachable) | Yes
BindMaxConnections | Integer | 0 | how many TCP connections the RA will hold open in the bind connection pool | Yes
MaxQueueSize | Integer | (SearchMaxConnections + BindMaxConnections) * 3 | how many queued queries will wait for a thread pool thread before they execute | No
MaxQueueTime | Integer | 5000 | how long, in milliseconds, a query will wait in the queue before it executes | Yes
PollInterval | Integer | 5000 | time, in milliseconds, between polls on a new connection in the search connection pool to an LDAP server | Yes
PollCount | Integer | 2 | how many successful polls before sending regular search queries to the LDAP server | Yes
PollDN | String | null | LDAP DN to use for poll queries | Yes
PollSearchFilter | String | (objectclass=*) | the LDAP search filter to use for poll queries (see | Yes
PollSearchScope | String | base | LDAP search scope; must be one of | Yes
PollSuccessResultCodes | String | null | comma-separated list of result codes that should not be treated as poll failures | Yes
SearchIdleTimeout | Integer | 0 | how long, in milliseconds, to wait before closing idle connections in the search connection pool | Yes
MaxSearchesPerConnection | Integer | 0 | how many search queries a specific TCP connection in the search connection pool can have before it closes | Yes
BindMaxConnectionAge | Integer | 0 | how long, in milliseconds, a specific TCP connection can stay open in the bind connection pool before it is automatically closed | Yes
AbandonOnTimeout | Boolean | false | whether the RA should send an abandon request to any search query for which no result is received in the query timeout period, specified by | Yes
MaxMessageSize | Integer | 20971520 | maximum allowed message size, in bytes, for messages read from the server | Yes
ReceiveBufferSize | Integer | 0 | socket receive buffer size requested when establishing a connection to the server | Yes
SendBufferSize | Integer | 0 | socket send buffer size requested when establishing a connection to the server | Yes
UseSchema | Boolean | false | whether to try to use schema information when reading data from the server | Yes
AllowUnauthenticatedBind | Boolean | false | whether to allow sending bind queries with a non-empty DN and empty password (that is, the unauthenticated authentication mechanism of the simple Bind method) | Yes
Configuring secure communication (SSL/TLS or StartTLS)
The resource adaptor supports the use of SSL/TLS and StartTLS for secure communication.
TLS should be used to create connections that are always secure; it will generally use a different port from that used for plain LDAP communication, typically port 636. StartTLS establishes an insecure connection and later adds security using the StartTLS extended operation; it communicates over the same port used for insecure LDAP communication, typically port 389.
The following LDAP RA configuration properties configure secure connections:
Name | Type | Default | Description | Active reconfig?
---|---|---|---|---
TransportSecurity | String | None | enable/disable secure transport connection | No
CertificateKeyStore | String | | path to JKS key store file to load certificate key from | No
CertificateKeyStorePassword | String | | password for certificate key store | No
TrustKeyStore | String | | path to JKS key store for trust certificates | No
TrustKeyStorePassword | String | | password for trust key store | No
CipherSuites | String | | comma-separated list of TLS cipher suites to be enabled for use when establishing TLS handshake | No
SSLSessionTimeout | Integer | 0 | time, in seconds, after which TLS session should be invalidated and new session will be established (cipher keys change) | No
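As an added example (not code from the LDAP RA or its vendor), the following Python reviews a property map built from the names, defaults and semantics in the two tables above and flags what a security reviewer would: plain-text transport, unauthenticated binds, weak cipher suites and an inconsistent pool size. The sample maps are constructed, and "TLS"/"StartTLS" as TransportSecurity values are assumptions, since the page does not list the accepted values.

```python
# Added example (not part of the LDAP RA): a static review of the property map a
# deployment descriptor would carry, using the names, defaults and semantics from
# the two tables above. The sample maps at the bottom are constructed.
WEAK_SUITE_MARKERS = ("_NULL_", "_anon_", "_EXPORT", "_RC4_", "_DES_", "_3DES_", "_MD5")
POOL_DEFAULTS = {"SearchMinConnections": 10, "SearchMaxConnections": 20,
                 "BindMinConnections": 0, "BindMaxConnections": 0}

def effective_max_queue_size(props):
    """MaxQueueSize defaults to (SearchMaxConnections + BindMaxConnections) * 3."""
    if "MaxQueueSize" in props:
        return int(props["MaxQueueSize"])
    search_max = int(props.get("SearchMaxConnections", POOL_DEFAULTS["SearchMaxConnections"]))
    bind_max = int(props.get("BindMaxConnections", POOL_DEFAULTS["BindMaxConnections"]))
    return (search_max + bind_max) * 3

def review_ldap_ra_config(props):
    """Return review findings for a property map; values are strings as in the descriptor."""
    findings = []
    transport = props.get("TransportSecurity", "None")
    if transport == "None":
        findings.append("TransportSecurity is None: bind credentials and query data travel in clear text")
    elif not props.get("TrustKeyStore"):
        # Assumption: a trust store is expected whenever transport security is enabled.
        findings.append("TransportSecurity is %s but no TrustKeyStore is configured" % transport)
    if props.get("AllowUnauthenticatedBind", "false").lower() == "true":
        findings.append("AllowUnauthenticatedBind is true: a non-empty DN with an empty "
                        "password is sent as an unauthenticated simple bind")
    for suite in props.get("CipherSuites", "").split(","):
        suite = suite.strip()
        if suite and any(marker in suite for marker in WEAK_SUITE_MARKERS):
            findings.append("weak cipher suite enabled: " + suite)
    for pool in ("Search", "Bind"):
        lo = int(props.get(pool + "MinConnections", POOL_DEFAULTS[pool + "MinConnections"]))
        hi = int(props.get(pool + "MaxConnections", POOL_DEFAULTS[pool + "MaxConnections"]))
        if lo > hi:
            findings.append("%sMinConnections (%d) exceeds %sMaxConnections (%d)" % (pool, lo, pool, hi))
    return findings

# Constructed sample: plain LDAP, unauthenticated binds allowed, oversized minimum pool.
WEAK_CONFIG = {"Host": "ldap-group-placeholder", "User": "cn=ra,dc=example,dc=com",
               "Password": "placeholder", "AllowUnauthenticatedBind": "true",
               "SearchMinConnections": "30"}
# Constructed sample: TLS with a trust store and modern suites ("TLS" as the
# TransportSecurity value is an assumption; the page does not list accepted values).
HARDENED_CONFIG = {"TransportSecurity": "TLS", "TrustKeyStore": "/path/to/truststore.jks",
                   "TrustKeyStorePassword": "placeholder",
                   "CipherSuites": "TLS_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                   "BindMaxConnections": "5"}
```

Running review_ldap_ra_config(WEAK_CONFIG) yields three findings, while HARDENED_CONFIG yields none and an effective MaxQueueSize of 75.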
Key stores
For information about creating a key store, please see the Java Virtual Machine vendor documentation: Oracle keytool documentation and Oracle general information about TLS support in the JSSE Reference Guide.
Active reconfiguration
The resource adaptor supports active reconfiguration. This means that (most) configuration properties can be updated without deactivating and re-activating the resource adaptor entity. If a property cannot be updated at runtime, then an alarm is raised indicating that the entity must be deactivated and re-activated. The table above indicates which properties allow active reconfiguration.