LDAP Resource Adaptor 3.1.0 :: LDAP Resource Adaptor Guide :: Configuring the LDAP Resource Adaptor

Below are details of configuring deployment descriptor properties, secure communication, and active reconfiguration.

Resource adaptor configuration properties

The LDAP resource adaptor has the following configuration properties:

Name Type Default Description Active reconfig?

Name	Type	Default	Description	Active reconfig?
User	String		LDAP user to use for each connection	No
Password	String		LDAP password to use for each connection	No
Host	String		LDAP server groups information to use for the connections	No
ConnectionTimeout	Integer	5000	how long, in milliseconds, the resource adaptor should wait when trying to establish a TCP connection with a remote peer `0` = there should be no connection timeout	Yes
QueryTimeout	Long	2000	timeout, in milliseconds, for a specific query (any further results sent by the server won’t be processed for the query) `0` = there should be no timeout	Yes
SearchTimeLimit	Integer	0	maximum time, in seconds, that the server should spend processing a specific search query `0` = there should be no limit	Yes
MinConnections	Integer	10	how few TCP connections the resource adaptor will hold open in the connection pool (assuming the LDAP servers are reachable); connections from this pool will be used for all query types except bind queries	Yes
MaxConnections	Integer	20	how many TCP connections the resource adaptor will hold open in the connection pool	Yes
BindMinConnections	Integer	0	how few TCP connections the resource adaptor will hold open in the bind connection pool (assuming the LDAP servers are reachable); connections from this pool will be used for bind queries exclusively (for the LDAP bind queries feature)	Yes
BindMaxConnections	Integer	0	how many TCP connections the resource adaptor will hold open in the bind connection pool `0` = no connections in the bind pool (the LDAP bind queries feature is disabled in the resource adaptor)	Yes
MaxQueueSize	Integer	(MaxConnections +BindMaxConnections) *3	how many queued queries will wait for a thread pool thread before they execute (active reconfiguration of `MaxConnections` and `BindMaxConnections` won’t affect value of `MaxQueueSize` if default was used until resource adaptor reactivation)	No
MaxQueueTime	Integer	5000	how long, in milliseconds, a query will wait in the queue before it executes	Yes
PollInterval	Integer	5000	time, in milliseconds, between polls on a new connection in the connection pool to an LDAP server (for the graceful connection establishment feature)	Yes
PollCount	Integer	2	how many successful polls before sending regular queries to the LDAP server (for the graceful connection establishment feature)	Yes
PollDN	String	null	LDAP DN to use for poll queries (for the graceful connection establishment feature)	Yes
PollSearchFilter	String	(objectclass=*)	the LDAP search filter to use for poll queries (see `PollDN`)	Yes
PollSearchScope	String	base	LDAP search scope; must be one of `base`, `one`, `sub`, or `subordinate_subtree` — for a base object, one-level, subtree, or any subordinate entries (excluding base DN) search	Yes
PollSuccessResultCodes	String	null	comma-separated list of result codes that should not be treated as poll failures (for the graceful connection establishment feature)	Yes
IdleTimeout	Integer	0	how long, in milliseconds, to wait before closing idle connections in the connection pool `0` = do not close based on idle time	Yes
MaxQueriesPerConnection	Integer	0	how many queries a specific TCP connection in the connection pool can have before it closes `0` = do not close based on number of queries	Yes
BindMaxConnectionAge	Integer	0	how long, in milliseconds, a specific TCP connection can stay open in the bind connection pool before it is automatically closed (triggered by the periodic health checks, with frequency specified by `BindHealthCheckInterval`, or whenever connection is released to the bind pool, specified by `BindCheckConnectionAgeOnRelease`); `0` = do not close based on connection age	Yes
AbandonOnTimeout	Boolean	false	whether the resource adaptor should send an abandon request to any query for which no result is received in the query timeout period, specified by `QueryTimeout` (this does not affect the query timeout behaviour); this is applicable to all query types except bind queries	Yes
MaxMessageSize	Integer	20971520	maximum allowed message size, in bytes, for messages read from the server; for example, `20971520` = 20MB `0` = no limit should be enforced	Yes
ReceiveBufferSize	Integer	0	socket receive buffer size requested when establishing a connection to the server `0` = automatically determine by the JVM based on the underlying system settings	Yes
SendBufferSize	Integer	0	socket send buffer size requested when establishing a connection to the server `0` = automatically determine by the JVM based on the underlying system settings	Yes
UseSchema	Boolean	false	whether connections should try to retrieve schema information from the server, which may be used to select the appropriate matching rules when comparing attribute values for the attributes included in a search result entry (after reconfiguration will apply only to newly created connections)	Yes
AllowUnauthenticatedBind	Boolean	false	whether to allow sending bind queries with a non-empty DN and empty password (that is, the unauthenticated authentication mechanism of the simple Bind method)	Yes
BindHealthCheckInterval	Integer	60000	time, in milliseconds, between periodic health checks against the connections available in the bind pool (determine whether connections are valid and suitable for use)	Yes
BindCheckConnectionAgeOnRelease	Boolean	true	whether to check the age of a connection against the configured maximum connection age, specified by `BindMaxConnectionAge`, whenever it is released to the bind pool	Yes

User

String

LDAP user to use for each connection

Password

String

LDAP password to use for each connection

Host

String

LDAP server groups information to use for the connections

ConnectionTimeout

Integer

how long, in milliseconds, the resource adaptor should wait when trying to establish a TCP connection with a remote peer
0 = there should be no connection timeout

Yes

QueryTimeout

Long

timeout, in milliseconds, for a specific query (any further results sent by the server won’t be processed for the query)
0 = there should be no timeout

Yes

SearchTimeLimit

Integer

maximum time, in seconds, that the server should spend processing a specific search query
0 = there should be no limit

Yes

MinConnections

Integer

how few TCP connections the resource adaptor will hold open in the connection pool (assuming the LDAP servers are reachable);
connections from this pool will be used for all query types except bind queries

Yes

MaxConnections

Integer

how many TCP connections the resource adaptor will hold open in the connection pool

Yes

BindMinConnections

Integer

how few TCP connections the resource adaptor will hold open in the bind connection pool (assuming the LDAP servers are reachable);
connections from this pool will be used for bind queries exclusively
(for the LDAP bind queries feature)

Yes

BindMaxConnections

Integer

how many TCP connections the resource adaptor will hold open in the bind connection pool
0 = no connections in the bind pool (the LDAP bind queries feature is disabled in the resource adaptor)

Yes

MaxQueueSize

Integer

(MaxConnections +BindMaxConnections) *3

how many queued queries will wait for a thread pool thread before they execute
(active reconfiguration of MaxConnections and BindMaxConnections won’t affect value of MaxQueueSize if default was used until resource adaptor reactivation)

MaxQueueTime

Integer

how long, in milliseconds, a query will wait in the queue before it executes

Yes

PollInterval

Integer

time, in milliseconds, between polls on a new connection in the connection pool to an LDAP server
(for the graceful connection establishment feature)

Yes

PollCount

Integer

how many successful polls before sending regular queries to the LDAP server
(for the graceful connection establishment feature)

Yes

PollDN

String

null

LDAP DN to use for poll queries
(for the graceful connection establishment feature)

Yes

PollSearchFilter

String

(objectclass=*)

the LDAP search filter to use for poll queries (see PollDN)

Yes

PollSearchScope

String

base

LDAP search scope; must be one of base, one, sub, or subordinate_subtree — for a base object, one-level, subtree, or any subordinate entries (excluding base DN) search

Yes

PollSuccessResultCodes

String

null

comma-separated list of result codes that should not be treated as poll failures
(for the graceful connection establishment feature)

Yes

IdleTimeout

Integer

how long, in milliseconds, to wait before closing idle connections in the connection pool
0 = do not close based on idle time

Yes

MaxQueriesPerConnection

Integer

how many queries a specific TCP connection in the connection pool can have before it closes
0 = do not close based on number of queries

Yes

BindMaxConnectionAge

Integer

how long, in milliseconds, a specific TCP connection can stay open in the bind connection pool before it is automatically closed
(triggered by the periodic health checks, with frequency specified by BindHealthCheckInterval, or whenever connection is released to the bind pool, specified by BindCheckConnectionAgeOnRelease);
0 = do not close based on connection age

Yes

AbandonOnTimeout

Boolean

false

whether the resource adaptor should send an abandon request to any query for which no result is received in the query timeout period, specified by QueryTimeout (this does not affect the query timeout behaviour);
this is applicable to all query types except bind queries

Yes

MaxMessageSize

Integer

20971520

maximum allowed message size, in bytes, for messages read from the server;
for example, 20971520 = 20MB
0 = no limit should be enforced

Yes

ReceiveBufferSize

Integer

socket receive buffer size requested when establishing a connection to the server
0 = automatically determine by the JVM based on the underlying system settings

Yes

SendBufferSize

Integer

socket send buffer size requested when establishing a connection to the server
0 = automatically determine by the JVM based on the underlying system settings

Yes

UseSchema

Boolean

false

whether connections should try to retrieve schema information from the server, which may be used to select the appropriate matching rules when comparing attribute values for the attributes included in a search result entry
(after reconfiguration will apply only to newly created connections)

Yes

AllowUnauthenticatedBind

Boolean

false

whether to allow sending bind queries with a non-empty DN and empty password (that is, the unauthenticated authentication mechanism of the simple Bind method)

Yes

BindHealthCheckInterval

Integer

time, in milliseconds, between periodic health checks against the connections available in the bind pool (determine whether connections are valid and suitable for use)

Yes

BindCheckConnectionAgeOnRelease

Boolean

true

whether to check the age of a connection against the configured maximum connection age, specified by BindMaxConnectionAge, whenever it is released to the bind pool

Yes

Configuring secure communication (SSL/TLS or StartTLS)

The resource adaptor supports the use of SSL/TLS and StartTLS for secure communication. TLS should be used to create connections that are always secure (and will generally use a different port from that used for LDAP communication, typically port 636). StartTLS establishes insecure connection and later adds security using the StartTLS extended operation (and will communicate over the same port used for insecure LDAP communication, typically port 389).

The following LDAP resource adaptor configuration properties configure secure connection:

Name Type Default Description Active reconfig?

TransportSecurity

String

None

enable/disable secure transport connection

Supported values are:

None — insecure connection (LDAP)
StartTLS — secure connection established using the StartTLS extended operation
TLS — secure connection (LDAPS).

CertificateKeyStore

String

path to JKS key store file to load certificate key from

May contain system properties in Ant style, for example ${rhino.dir.home} to refer to the Rhino home directory.
By default, the resource adaptors have permission to read files from ${rhino.dir.home}/keystores.

CertificateKeyStorePassword

String

password for certificate key store

TrustKeyStore

String

path to JKS key store for trust certificates

The special value <<TRUST ALL>> may be used to bypass trust checks.
If no value is specified (the default), then the JVM default trust manager is used.
May contain system properties in Ant style, for example ${rhino.dir.home} to refer to the Rhino home directory.
By default, the resource adaptors have permission to read files from ${rhino.dir.home}/keystores.

TrustKeyStorePassword

String

password for trust key store

CipherSuites

String

comma-separated list of TLS cipher suites to be enabled for use when establishing TLS handshake

May be any values supported by the virtual machine vendor.
If empty, uses the default cipher suites.

SSLSessionTimeout

Integer

time, in seconds, after which TLS session should be invalidated and new session will be established (cipher keys change)
0 = sessions do not time out

Key stores

For information about creating a key store, please see the Java Virtual Machine vendor documentation: Oracle keytool documentation and Oracle general information about TLS support in the JSSE Reference Guide.

Active reconfiguration

The resource adaptor supports active reconfiguration. This means that (most) configuration properties can be updated without deactivating and re-activating the resource adaptor entity. If a property cannot be updated at runtime, then an alarm is raised indicating that the entity must be deactivated and re-activated. The table above indicates which properties allow active reconfiguration.

Previous page Next page