> For the complete documentation index, see [llms.txt](https://docs.fortifiedid.se/ldapclient/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.fortifiedid.se/ldapclient/readme.md). # LdapClient ## Introduction The LdapClient module manages connections and access to LDAP directory services. Each module (instance) manages a single connection to a single directory (a destination) with the possibility to add more identical directories for fail over. To configure connections to multiple servers, use multiple modules. To increase throughput, increase the number of module instances. The module provides a service on the internal event bus with a JSON based protocol and a java library for simplified use. This module is used for all internal LDAP access, including the bundled LDAP valves. ## Configuration {% hint style="info" %} **Module name:** `LdapClient | LDAPClient` {% endhint %} {% tabs %} {% tab title="Properties" %}
NameDescriptionDefaultMandatory
nameDestination name. Unique identifier for a specific configuration/connection/service. This value must be unique for all ldapclient configurations."default"false
instancesNumber of instances to deploy.1false
connectionLDAP connection configurationfalse
{% endtab %} {% tab title="Example" %} ```json { "name": "LdapClient", "instances": 1, "config": { "name" : "default", "connection" : { "host" : "127.0.0.1", "port" : 389, "bind_dn" : "cn=Directory Manager", "bind_password" : "password", "use_ssl" : false } } } ``` {% endtab %} {% endtabs %} ### Connection {% tabs %} {% tab title="Properties" %}
NameDescriptionDefaultMandatory
hostHostname or Ip-address to LDAP directory service. (Mandatory unless hosts is used)true
portListen port of LDAP directory service. (Mandatory unless hosts is used)true
hostsList of LDAP directory service hosts:ports. If more than one is specified, fail-over is enabled. When this property is used, host and port properties are optional.false
bind_dnDN of user/account used to connect to LDAP service.false
bind_passwordPassword of user/account used to connect to LDAP service.false
connect_timeout_msSpecifies the maximum length of time in milliseconds that a connection attempt should be allowed to continue before giving up. A value of zero indicates that there should be no connect timeout.10000false
response_timeout_msSpecifies the maximum length of time in milliseconds that an operation should be allowed to block while waiting for a response from the server. A value of zero indicates that there should be no timeout.2000false
abandon_on_timeoutSpecifies whether the LDAP client should attempt to abandon any request for which no response is received in the maximum response timeout period.truefalse
follow_referralsSpecifies whether associated connections should attempt to follow any referrals that they encounter, using the referral connector for the associated connection.falsefalse
use_keep_aliveSpecifies whether to use the SO_KEEPALIVE option for the underlying sockets used by associated connections.falsefalse
use_lingerSpecifies whether to use the SO_LINGER option for the underlying sockets used by associated connections.falsefalse
linger_timeout_secsSO_LINGER timeout in seconds.30false
use_schemaSpecifies whether to try to use schema information when reading data from the server (e.g., to select the appropriate matching rules for the attributes included in a search result entry).falsefalse
use_sslSpecifies if SSL/TLS should be used or not.truefalse
ssl_trust_allTurns on/off trust validation for SSL/TLS connections.falsefalse
ssl_truststore_pathPath to custom SSL truststore. If not specified, the default Java truststore will be used.false
ssl_truststore_passwordCustom truststore passwordfalse
ssl_truststore_validate_timeTurns on/off peer certificate validity check.truefalse
is_active_directoryTurns on/off Active Directory specific paginated search results.truefalse
{% endtab %} {% tab title="Example" %} ```json "connection" : { "host" : "127.0.0.1", "port" : 389, "hosts" : "fail-over-host-01:389,fail-over-host-02:1389", "bind_dn" : "cn=Directory Manager", "bind_password" : "password", "connect_timeout_ms": 500, "response_timeout_ms": 200, "use_ssl" : true, "ssl_truststore_path": "config/ssl/trust.jks", "ssl_truststore_password": "secret" } } ``` {% endtab %} {% endtabs %} #### Host configuration examples Basic with no fail-over ```json "connection" : { "host" : "ldap-host", "port" : 389 } ``` Enable failover by using `hosts` and adding more hosts ```json "connection" : { "hosts" : "ldap-host:389,other-ldap:389" } ``` ## Audit The LdapClient can record an audit trail for write operations (add, modify, delete). Audit logging is disabled by default and must be explicitly enabled per operation type. When audit is enabled, the caller is expected to supply an `AuditContext` containing the subject (the authenticated user performing the operation) and a correlation ID. The LDAP valves automatically construct this context from the session and the pipe trace ID. {% hint style="info" %} Audit events are published fire-and-forget on the internal event bus. If no audit module is running, events are silently dropped — no errors are returned to the caller. {% endhint %} ### Configuration The `audit` block is placed at the top level of the module config, alongside `connection`. {% tabs %} {% tab title="Properties" %}
NameDescriptionDefaultMandatory
audit.createRecord an audit event when an LDAP entry is added.falsefalse
audit.updateRecord an audit event when an LDAP entry is modified.falsefalse
audit.deleteRecord an audit event when an LDAP entry is deleted.falsefalse
{% endtab %} {% tab title="Example" %} ```json { "name": "LdapClient", "config": { "name": "default", "connection": { "host": "127.0.0.1", "port": 389, "bind_dn": "cn=Directory Manager", "bind_password": "password" }, "audit": { "create": true, "update": true, "delete": true } } } ``` {% endtab %} {% endtabs %} ## Events Any write operation will generate an event. ### Creating an object * LDAP\_001 - Object created * traceId, if present * object, the dn * attrNames, list of attribute names * attrCounts, attribute count * LDAP\_002 - Object creation failed * traceId, if present * object, the dn * resultCode from ldap if any ### Deleting an object * LDAP\_003 - LDAP object deleted * traceId, if present * object, the dn * LDAP\_004 - LDAP object deletion failed * traceId, if present * object, the dn ### Updating an object * LDAP\_007 - LDAP object updated * traceId, if present * object, the dn * attrNames, list of attribute names * attrCounts, attribute co * LDAP\_008 - LDAP update failed * traceId, if present * object, the dn ### Moving an object LDAP\_005 - LDAP object moved * traceId, if present * object, the dn * new\_location LDAP\_006 - LDAP failed object move * traceId, if present * object, the dn --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.fortifiedid.se/ldapclient/readme.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.