Identity Provider / IDP-1357

java11 NPE with ldap configuration (Thread local SslConfig has not been set), works fine in 1.8.0_191-b12


    Details

    • Operating System:
      Linux
    • Java Version:
      Other
    • Servlet Container:
      Jetty 9.3

      Description

      LDAP connectivity works with Oracle jdk1.8.0_191 but fails when the execution environment's Java is changed to openjdk11+28 for the exact same configuration.

      It's as if the loading / configuration setup behaviour changes subtly.

      Configurations I've tested:

      • Good: IdP-3.3.3, openjdk9.0.4, ldaptive-1.0.11 – no errors, LDAP connections work, IdP works
      • Good: IdP-3.3.3, openjdk9.0.4, ldaptive-1.2.3 – no errors, LDAP connections work, IdP works
      • Not Good: IdP-3.4.0, openjdk9.0.4, ldaptive-1.0.11 – ERROR state, LDAP connections fail due to SslConfig NPE per stacktrace
      • Not Good: IdP-3.4.0, openjdk9.0.4, ldaptive-1.0.13 – ERROR state, LDAP connections fail due to SslConfig NPE per stacktrace
      • Good: IdP-3.4.0, jdk1.8.0_191, ldaptive-1.0.11 – no errors, LDAP connections work, IdP works ok
      • Not Good: IdP-3.4.0, openjdk11+28, ldaptive-1.0.11 – ERROR state, LDAP connections fail due to SslConfig NPE per stacktrace

      Stacktrace: stack traces from IdP v3.4.1 with logback.xml set to TRACE for org.ldaptive, in a sandbox using our build tool environment but with v3.4.1 as the IdP, connecting over TLS to the LDAP instance.

      2018-11-02 11:14:45,957 - INFO [net.shibboleth.ext.spring.context.FilesystemGenericApplicationContext:583] - Refreshing shibboleth.AttributeResolverService: startup date [Fri Nov 02 11:14:45 EDT 2018]; parent: Root WebApplicationContext
      2018-11-02 11:14:46,441 - TRACE [org.ldaptive.ssl.SslConfig:131] - setting credentialConfig: org.ldaptive.ssl.CredentialConfigFactory$2@628bd77e
      2018-11-02 11:14:46,457 - TRACE [org.ldaptive.BindConnectionInitializer:83] - setting bindDn: cn=shibboleth,ou=apps,dc=example,dc=com
      2018-11-02 11:14:46,457 - TRACE [org.ldaptive.BindConnectionInitializer:106] - setting bindCredential: <suppressed>
      2018-11-02 11:14:46,458 - TRACE [org.ldaptive.ConnectionConfig:85] - setting ldapUrl: ldaps://ldap.example.com
      2018-11-02 11:14:46,458 - TRACE [org.ldaptive.ConnectionConfig:110] - setting connectTimeout: 3000
      2018-11-02 11:14:46,458 - TRACE [org.ldaptive.ConnectionConfig:162] - setting responseTimeout: 3000
      2018-11-02 11:14:46,458 - TRACE [org.ldaptive.ConnectionConfig:213] - setting sslConfig: [org.ldaptive.ssl.SslConfig@727861082::credentialConfig=org.ldaptive.ssl.CredentialConfigFactory$2@628bd77e, trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null]
      2018-11-02 11:14:46,459 - TRACE [org.ldaptive.ConnectionConfig:285] - setting connectionInitializer: [org.ldaptive.BindConnectionInitializer@1234219829::bindDn=cn=shibboleth,ou=apps,dc=example,dc=com, bindSaslConfig=null, bindControls=null]
      2018-11-02 11:14:46,464 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:70] - setting operationExceptionResultCodes: [PROTOCOL_ERROR, SERVER_DOWN]
      2018-11-02 11:14:46,465 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:144] - setting controlProcessor: org.ldaptive.provider.ControlProcessor@6b86826a
      2018-11-02 11:14:46,465 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:70] - setting operationExceptionResultCodes: [PROTOCOL_ERROR, SERVER_DOWN]
      2018-11-02 11:14:46,465 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:144] - setting controlProcessor: org.ldaptive.provider.ControlProcessor@4b9fa2f
      2018-11-02 11:14:46,465 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:70] - setting operationExceptionResultCodes: [PROTOCOL_ERROR, SERVER_DOWN]
      2018-11-02 11:14:46,466 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:144] - setting controlProcessor: org.ldaptive.provider.ControlProcessor@32caae19
      2018-11-02 11:14:46,478 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:120] - setting connectionStrategy: org.ldaptive.provider.ConnectionStrategies$ActivePassiveConnectionStrategy@3be46d9c
      2018-11-02 11:14:46,478 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:96] - setting properties: {}
      2018-11-02 11:14:46,535 - TRACE [org.ldaptive.ssl.SslConfig:131] - setting credentialConfig: org.ldaptive.ssl.CredentialConfigFactory$2@49f2646
      2018-11-02 11:14:46,536 - TRACE [org.ldaptive.BindConnectionInitializer:83] - setting bindDn: cn=shibboleth,ou=apps,dc=example,dc=com
      2018-11-02 11:14:46,536 - TRACE [org.ldaptive.BindConnectionInitializer:106] - setting bindCredential: <suppressed>
      2018-11-02 11:14:46,536 - TRACE [org.ldaptive.ConnectionConfig:85] - setting ldapUrl: ldaps://ldap.example.com
      2018-11-02 11:14:46,536 - TRACE [org.ldaptive.ConnectionConfig:110] - setting connectTimeout: 3000
      2018-11-02 11:14:46,536 - TRACE [org.ldaptive.ConnectionConfig:162] - setting responseTimeout: 3000
      2018-11-02 11:14:46,537 - TRACE [org.ldaptive.ConnectionConfig:213] - setting sslConfig: [org.ldaptive.ssl.SslConfig@2080672560::credentialConfig=org.ldaptive.ssl.CredentialConfigFactory$2@49f2646, trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null]
      2018-11-02 11:14:46,537 - TRACE [org.ldaptive.ConnectionConfig:285] - setting connectionInitializer: [org.ldaptive.BindConnectionInitializer@815593047::bindDn=cn=shibboleth,ou=apps,dc=example,dc=com, bindSaslConfig=null, bindControls=null]
      2018-11-02 11:14:46,542 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:70] - setting operationExceptionResultCodes: [PROTOCOL_ERROR, SERVER_DOWN]
      2018-11-02 11:14:46,542 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:144] - setting controlProcessor: org.ldaptive.provider.ControlProcessor@11170228
      2018-11-02 11:14:46,543 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:70] - setting operationExceptionResultCodes: [PROTOCOL_ERROR, SERVER_DOWN]
      2018-11-02 11:14:46,543 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:144] - setting controlProcessor: org.ldaptive.provider.ControlProcessor@46ee7013
      2018-11-02 11:14:46,543 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:70] - setting operationExceptionResultCodes: [PROTOCOL_ERROR, SERVER_DOWN]
      2018-11-02 11:14:46,544 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:144] - setting controlProcessor: org.ldaptive.provider.ControlProcessor@69d58731
      2018-11-02 11:14:46,544 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:120] - setting connectionStrategy: org.ldaptive.provider.ConnectionStrategies$ActivePassiveConnectionStrategy@3be46d9c
      2018-11-02 11:14:46,544 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:96] - setting properties: {}
      2018-11-02 11:14:46,558 - TRACE [org.ldaptive.ssl.SslConfig:131] - setting credentialConfig: org.ldaptive.ssl.CredentialConfigFactory$2@49f2646
      2018-11-02 11:14:46,558 - TRACE [org.ldaptive.ssl.SslConfig:155] - setting trustManagers: null
      2018-11-02 11:14:46,558 - TRACE [org.ldaptive.ssl.SslConfig:179] - setting hostnameVerifier: null
      2018-11-02 11:14:46,558 - TRACE [org.ldaptive.ssl.SslConfig:203] - setting hostnameVerifierConfig: null
      2018-11-02 11:14:46,559 - TRACE [org.ldaptive.ssl.SslConfig:227] - setting enabledCipherSuites: null
      2018-11-02 11:14:46,559 - TRACE [org.ldaptive.ssl.SslConfig:251] - setting enabledProtocols: null
      2018-11-02 11:14:46,559 - TRACE [org.ldaptive.ssl.SslConfig:276] - setting handshakeCompletedListeners: null
      2018-11-02 11:14:46,565 - TRACE [org.ldaptive.ssl.SslConfig:203] - setting hostnameVerifierConfig: [org.ldaptive.ssl.HostnameVerifierConfig@1958731110::certificateHostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@6fc7e828, hostnames=[ldap.example.com]]
      2018-11-02 11:14:46,575 - TRACE [org.ldaptive.ssl.ThreadLocalTLSSocketFactory:48] - Using SSLContextInitializer=[org.ldaptive.ssl.X509SSLContextInitializer@1098139353::trustManagers=null, hostnameVerifierConfig=[org.ldaptive.ssl.HostnameVerifierConfig@1958731110::certificateHostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@6fc7e828, hostnames=[ldap.example.com]], trustCerts=[Ljava.security.cert.X509Certificate;@34070bd2, authenticationCert=null]
      2018-11-02 11:14:46,582 - TRACE [org.ldaptive.ssl.X509SSLContextInitializer:123] - Initialize SSLContext with keyManagers=null and trustManagers=[[org.ldaptive.ssl.AggregateTrustManager@1445947009::trustManagers=[sun.security.ssl.X509TrustManagerImpl@6f6f65a4, [org.ldaptive.ssl.HostnameVerifyingTrustManager@160479339::hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@6fc7e828, hostnames=[ldap.example.com]]], trustStrategy=ALL]]
      2018-11-02 11:14:46,626 - TRACE [org.ldaptive.provider.jndi.JndiConnectionFactory:92] - [[ldapUrl=ldaps://ldap.example.com, count=0]] Attempting connection to ldaps://ldap.example.com for strategy org.ldaptive.provider.ConnectionStrategies$ActivePassiveConnectionStrategy@3be46d9c
      2018-11-02 11:14:46,645 - TRACE [org.ldaptive.ssl.ThreadLocalTLSSocketFactory:48] - Using SSLContextInitializer=[org.ldaptive.ssl.X509SSLContextInitializer@220666452::trustManagers=null, hostnameVerifierConfig=[org.ldaptive.ssl.HostnameVerifierConfig@1958731110::certificateHostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@6fc7e828, hostnames=[ldap.example.com]], trustCerts=[Ljava.security.cert.X509Certificate;@34070bd2, authenticationCert=null]
      2018-11-02 11:14:46,646 - TRACE [org.ldaptive.ssl.X509SSLContextInitializer:123] - Initialize SSLContext with keyManagers=null and trustManagers=[[org.ldaptive.ssl.AggregateTrustManager@1878583108::trustManagers=[sun.security.ssl.X509TrustManagerImpl@409395b9, [org.ldaptive.ssl.HostnameVerifyingTrustManager@1407721609::hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@6fc7e828, hostnames=[ldap.example.com]]], trustStrategy=ALL]]
      2018-11-02 11:14:46,704 - DEBUG [org.ldaptive.ssl.AggregateTrustManager:151] - checkServerTrusted for sun.security.ssl.X509TrustManagerImpl@409395b9 succeeded
      2018-11-02 11:14:46,707 - DEBUG [org.ldaptive.ssl.DefaultHostnameVerifier:112] - verifying hostname=ldap.example.com against cert=O=Example Institution, CN=ldap.example.com
      2018-11-02 11:14:46,708 - DEBUG [org.ldaptive.ssl.DefaultHostnameVerifier:183] - verifyDNS using subjectAltNames=[]
      2018-11-02 11:14:46,735 - DEBUG [org.ldaptive.ssl.DefaultHostnameVerifier:197] - verifyDNS using CN=[ldap.example.com]
      2018-11-02 11:14:46,735 - TRACE [org.ldaptive.ssl.DefaultHostnameVerifier:286] - matching for hostname=ldap.example.com, certName=ldap.example.com, isWildcard=false
      2018-11-02 11:14:46,735 - TRACE [org.ldaptive.ssl.DefaultHostnameVerifier:304] - match=true for ldap.example.com == ldap.example.com
      2018-11-02 11:14:46,736 - DEBUG [org.ldaptive.ssl.DefaultHostnameVerifier:201] - verifyDNS found hostname match: ldap.example.com
      2018-11-02 11:14:46,736 - DEBUG [org.ldaptive.ssl.HostnameVerifyingTrustManager:93] - checkCertificateTrusted for org.ldaptive.ssl.DefaultHostnameVerifier@6fc7e828 succeeded against O=Example Institution, CN=ldap.example.com
      2018-11-02 11:14:46,736 - DEBUG [org.ldaptive.ssl.AggregateTrustManager:151] - checkServerTrusted for [org.ldaptive.ssl.HostnameVerifyingTrustManager@1407721609::hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@6fc7e828, hostnames=[ldap.example.com]] succeeded
      2018-11-02 11:14:46,737 - DEBUG [org.ldaptive.ssl.AggregateTrustManager:179] - invoking getAcceptedIssuers for sun.security.ssl.X509TrustManagerImpl@409395b9
      2018-11-02 11:14:46,737 - DEBUG [org.ldaptive.ssl.AggregateTrustManager:179] - invoking getAcceptedIssuers for [org.ldaptive.ssl.HostnameVerifyingTrustManager@1407721609::hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@6fc7e828, hostnames=[ldap.example.com]]
      2018-11-02 11:14:46,790 - DEBUG [org.ldaptive.BindOperation:138] - execute request=[org.ldaptive.BindRequest@608392736::bindDn=cn=shibboleth,ou=apps,dc=example,dc=com, saslConfig=null, controls=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@79702169::config=[org.ldaptive.ConnectionConfig@1234328865::ldapUrl=ldaps://ldap.example.com, connectTimeout=3000, responseTimeout=3000, sslConfig=[org.ldaptive.ssl.SslConfig@2080672560::credentialConfig=org.ldaptive.ssl.CredentialConfigFactory$2@49f2646, trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@815593047::bindDn=cn=shibboleth,ou=apps,dc=example,dc=com, bindSaslConfig=null, bindControls=null]], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@1535729270::metadata=[ldapUrl=ldaps://ldap.example.com, count=1], environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory, com.sun.jndi.ldap.connect.timeout=3000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ldap.read.timeout=3000}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@1948456514::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=org.ldaptive.provider.ConnectionStrategies$ActivePassiveConnectionStrategy@3be46d9c, controlProcessor=org.ldaptive.provider.ControlProcessor@69d58731, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@4a6facb0]
      2018-11-02 11:14:46,823 - ERROR [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.ConnectionFactoryValidator:156] - Connection factory validation failed
      org.ldaptive.OperationException: javax.naming.CommunicationException: ldap.example.com:636 [Root exception is java.lang.NullPointerException: Thread local SslConfig has not been set]
              at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:67)
      Caused by: javax.naming.CommunicationException: ldap.example.com:636
              at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:215)
      Caused by: java.lang.NullPointerException: Thread local SslConfig has not been set
              at org.ldaptive.ssl.ThreadLocalTLSSocketFactory.getDefault(ThreadLocalTLSSocketFactory.java:70)
      2018-11-02 11:14:46,827 - ERROR [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.LDAPDataConnector:151] - Data Connector 'myLDAP': Invalid connector configuration
      net.shibboleth.idp.attribute.resolver.dc.ValidationException: [org.ldaptive.OperationException@1842537555::resultCode=PROTOCOL_ERROR, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.CommunicationException: ldap.example.com:636 [Root exception is java.lang.NullPointerException: Thread local SslConfig has not been set], providerException=javax.naming.CommunicationException: ldap.example.com:636 [Root exception is java.lang.NullPointerException: Thread local SslConfig has not been set]]
              at net.shibboleth.idp.attribute.resolver.dc.ldap.impl.ConnectionFactoryValidator.validate(ConnectionFactoryValidator.java:158)
      Caused by: org.ldaptive.OperationException: javax.naming.CommunicationException: ldap.example.com:636 [Root exception is java.lang.NullPointerException: Thread local SslConfig has not been set]
              at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:67)
      Caused by: javax.naming.CommunicationException: ldap.example.com:636
              at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:215)
      Caused by: java.lang.NullPointerException: Thread local SslConfig has not been set
              at org.ldaptive.ssl.ThreadLocalTLSSocketFactory.getDefault(ThreadLocalTLSSocketFactory.java:70)
      2018-11-02 11:14:46,829 - WARN [net.shibboleth.ext.spring.context.FilesystemGenericApplicationContext:551] - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'myLDAP': Invocation of init method failed; nested exception is net.shibboleth.utilities.java.support.component.ComponentInitializationException: Data Connector 'myLDAP': Invalid connector configuration
      2018-11-02 11:14:46,845 - ERROR [net.shibboleth.utilities.java.support.service.AbstractReloadableService:182] - Service 'shibboleth.AttributeResolverService': Initial load failed
      net.shibboleth.utilities.java.support.service.ServiceException: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'myLDAP': Invocation of init method failed; nested exception is net.shibboleth.utilities.java.support.component.ComponentInitializationException: Data Connector 'myLDAP': Invalid connector configuration
              at net.shibboleth.ext.spring.service.ReloadableSpringService.doReload(ReloadableSpringService.java:377)
      Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'myLDAP': Invocation of init method failed; nested exception is net.shibboleth.utilities.java.support.component.ComponentInitializationException: Data Connector 'myLDAP': Invalid connector configuration
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1631)
      Caused by: net.shibboleth.utilities.java.support.component.ComponentInitializationException: Data Connector 'myLDAP': Invalid connector configuration
              at net.shibboleth.idp.attribute.resolver.dc.ldap.impl.LDAPDataConnector.doInitialize(LDAPDataConnector.java:152)
      Caused by: net.shibboleth.idp.attribute.resolver.dc.ValidationException: [org.ldaptive.OperationException@1842537555::resultCode=PROTOCOL_ERROR, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.CommunicationException: ldap.example.com:636 [Root exception is java.lang.NullPointerException: Thread local SslConfig has not been set], providerException=javax.naming.CommunicationException: ldap.example.com:636 [Root exception is java.lang.NullPointerException: Thread local SslConfig has not been set]]
              at net.shibboleth.idp.attribute.resolver.dc.ldap.impl.ConnectionFactoryValidator.validate(ConnectionFactoryValidator.java:158)
      Caused by: org.ldaptive.OperationException: javax.naming.CommunicationException: ldap.example.com:636 [Root exception is java.lang.NullPointerException: Thread local SslConfig has not been set]
              at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:67)
      Caused by: javax.naming.CommunicationException: ldap.example.com:636
              at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:215)
      Caused by: java.lang.NullPointerException: Thread local SslConfig has not been set
              at org.ldaptive.ssl.ThreadLocalTLSSocketFactory.getDefault(ThreadLocalTLSSocketFactory.java:70)
      2018-11-02 11:14:46,846 - INFO [net.shibboleth.utilities.java.support.service.AbstractReloadableService:184] - Service 'shibboleth.AttributeResolverService': Continuing to poll configuration


      ldap.properties file:

      # LDAP authentication configuration, see authn/ldap-authn-config.xml
      # Note, this doesn't apply to the use of JAAS
      
      
      ## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
      idp.authn.LDAP.authenticator=bindSearchAuthenticator
      
      
      ## Connection properties ##
      idp.authn.LDAP.ldapURL=ldaps://ldap.example.com
      idp.authn.LDAP.useStartTLS=false
      idp.authn.LDAP.useSSL=true
      # Time in milliseconds that connects will block
      #idp.authn.LDAP.connectTimeout                  = PT3S
      # Time in milliseconds to wait for responses
      #idp.authn.LDAP.responseTimeout                 = PT3S
      
      
      ## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
      idp.authn.LDAP.sslConfig=certificateTrust
      ## If using certificateTrust above, set to the trusted certificate's path
      idp.authn.LDAP.trustCertificates=%{idp.home}/ssl/ldap-server.crt
      ## If using keyStoreTrust above, set to the truststore path
      idp.authn.LDAP.trustStore=%{idp.home}/credentials/ldap-server.truststore
      
      
      ## Return attributes during authentication
      idp.authn.LDAP.returnAttributes=cn
      
      
      ## DN resolution properties ##
      
      
      # Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
      # for AD: CN=Users,DC=example,DC=org
      idp.authn.LDAP.baseDN=ou=people,dc=example,dc=com
      idp.authn.LDAP.subtreeSearch=true
      idp.authn.LDAP.userFilter=(uid={user})
      # bind search configuration
      # for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
      idp.authn.LDAP.bindDN=cn=shibboleth,ou=apps,dc=example,dc=com
      idp.authn.LDAP.bindDNCredential=readonly
      
      
      # Format DN resolution, used by directAuthenticator, adAuthenticator
      # for AD use idp.authn.LDAP.dnFormat=%s@domain.com
      idp.authn.LDAP.dnFormat=uid=%s,ou=people,dc=example,dc=com
      
      
      # LDAP attribute configuration, see attribute-resolver.xml
      # Note, this likely won't apply to the use of legacy V2 resolver configurations
      idp.attribute.resolver.LDAP.ldapURL=%{idp.authn.LDAP.ldapURL}
      idp.attribute.resolver.LDAP.connectTimeout=%{idp.authn.LDAP.connectTimeout:PT3S}
      idp.attribute.resolver.LDAP.responseTimeout=%{idp.authn.LDAP.responseTimeout:PT3S}
      idp.attribute.resolver.LDAP.baseDN=%{idp.authn.LDAP.baseDN:undefined}
      idp.attribute.resolver.LDAP.bindDN=%{idp.authn.LDAP.bindDN:undefined}
      idp.attribute.resolver.LDAP.bindDNCredential=%{idp.authn.LDAP.bindDNCredential:undefined}
      idp.attribute.resolver.LDAP.useStartTLS=%{idp.authn.LDAP.useStartTLS:true}
      idp.attribute.resolver.LDAP.trustCertificates=%{idp.authn.LDAP.trustCertificates:undefined}
      idp.attribute.resolver.LDAP.searchFilter=(uid=$resolutionContext.principal)
      
      
      # LDAP pool configuration, used for both authn and DN resolution
      #idp.pool.LDAP.minSize                          = 3
      #idp.pool.LDAP.maxSize                          = 10
      #idp.pool.LDAP.validateOnCheckout               = false
      #idp.pool.LDAP.validatePeriodically             = true
      #idp.pool.LDAP.validatePeriod                   = PT5M
      #idp.pool.LDAP.prunePeriod                      = PT5M
      #idp.pool.LDAP.idleTime                         = PT10M
      #idp.pool.LDAP.blockWaitTime                    = PT3S
      #idp.pool.LDAP.failFastInitialize               = false
      

      attribute-resolver.xml DataConnector (v3.4.0 syntax)

      <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
          ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
          baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
          principal="%{idp.attribute.resolver.LDAP.bindDN}"
          principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
          useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
          connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
          trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
          responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
          <FilterTemplate>
              <![CDATA[
                  %{idp.attribute.resolver.LDAP.searchFilter}
              ]]>
          </FilterTemplate>
          <ConnectionPool
              minPoolSize="%{idp.pool.LDAP.minSize:3}"
              maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
              blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
              validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
              validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
              expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
              failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
      </DataConnector>
      
      
      
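The root exception in the trace is thrown by org.ldaptive.ssl.ThreadLocalTLSSocketFactory.getDefault(): the JNDI provider, configured with java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory (visible in the environment map of the BindOperation log line), asked the factory for its default instance on a thread that had no SslConfig in the thread-local. The following is an added illustration of that pattern, not ldaptive or Shibboleth code. JNDI locates the socket factory by class name and invokes its static, no-argument getDefault(), so per-connection TLS settings can only reach the factory through a ThreadLocal that the caller sets immediately before the connection is created. The model below shows the factory succeeding when getDefault() runs on the thread that set the value and failing with the same kind of NullPointerException when the socket is created on any other thread. The class and method names (TlsSettings, ThreadLocalSocketFactory, openConnection) are placeholders chosen for this example.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

// Added example, not ldaptive or Shibboleth code. Models a socket factory that
// JNDI instantiates through a static no-arg getDefault(), which forces the
// per-connection TLS settings to travel via a ThreadLocal. All names here are
// placeholders for the illustration.
public class ThreadLocalFactoryDemo {

    /** Stand-in for the per-connection SslConfig (trust anchors, hostname verifier, ...). */
    static final class TlsSettings {
        final String trustAnchor;
        TlsSettings(String trustAnchor) { this.trustAnchor = trustAnchor; }
    }

    /** Stand-in for a ThreadLocalTLSSocketFactory-style class. */
    static final class ThreadLocalSocketFactory {
        private static final ThreadLocal<TlsSettings> SETTINGS = new ThreadLocal<>();

        static void setSettings(TlsSettings s) { SETTINGS.set(s); }
        static void removeSettings() { SETTINGS.remove(); }

        /** Called reflectively by the provider: static and argument-less, so the
         *  thread-local is the only channel through which configuration arrives. */
        static ThreadLocalSocketFactory getDefault() {
            TlsSettings s = SETTINGS.get();
            if (s == null) {
                throw new NullPointerException("Thread local TlsSettings has not been set");
            }
            return new ThreadLocalSocketFactory(s);
        }

        final TlsSettings settings;
        private ThreadLocalSocketFactory(TlsSettings s) { this.settings = s; }
    }

    /** Stand-in for the provider code that creates the TLS socket. */
    static String openConnection() {
        return "connected using trust anchor "
                + ThreadLocalSocketFactory.getDefault().settings.trustAnchor;
    }

    /** Working pattern: set the thread-local, connect on this thread, always clear it. */
    static String connectOnCallingThread() {
        ThreadLocalSocketFactory.setSettings(new TlsSettings("ldap-server.crt"));
        try {
            return openConnection();
        } finally {
            // Clear in finally so a pooled thread never reuses another caller's settings.
            ThreadLocalSocketFactory.removeSettings();
        }
    }

    /** Failure pattern: the settings are set here, but the socket is created on another thread. */
    static String connectOnOtherThread() throws InterruptedException, ExecutionException {
        ThreadLocalSocketFactory.setSettings(new TlsSettings("ldap-server.crt"));
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            Callable<String> task = ThreadLocalFactoryDemo::openConnection;
            Future<String> result = pool.submit(task);
            return result.get(); // ExecutionException wrapping the NullPointerException
        } finally {
            pool.shutdown();
            ThreadLocalSocketFactory.removeSettings();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(connectOnCallingThread());
        try {
            System.out.println(connectOnOtherThread());
        } catch (ExecutionException e) {
            System.out.println("failed: " + e.getCause());
        }
    }
}
```

Run with `javac ThreadLocalFactoryDemo.java && java ThreadLocalFactoryDemo`: the first call prints the connected line, the second prints the wrapped NullPointerException. When diagnosing a trace like the one above, the question to settle is therefore which thread invoked getDefault() and whether the code that set the thread-local ran on that same thread; the finally-block cleanup in connectOnCallingThread is also the habit that prevents a stale SslConfig from leaking between requests on a pooled thread.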
              People

              • Assignee:
                dfisher@vt.edu Daniel W Fisher
                Reporter:
                cphillips@canarie.ca Chris Phillips