LdapClient

Module for outbound LDAP v3 access

Introduction

The LdapClient module manages connections and access to LDAP directory services.

Each module (instance) manages a single connection to a single directory (a destination) with the possibility to add more identical directories for fail over. To configure connections to multiple servers, use multiple modules. To increase throughput, increase the number of module instances.

The module provides a service on the internal event bus with a JSON-based protocol, and a Java library for simplified use.

This module is used for all internal LDAP access, including the bundled LDAP valves.

Configuration

Module name: LdapClient or LDAPClient

Properties are listed with their default value in parentheses where one is documented.

name (default "default")
   Destination name. Unique identifier for a specific configuration/connection/service. This value must be unique across all LdapClient configurations.

instances (default 1)
   Number of instances to deploy.

connection
   Connection settings, see Connection below.

Properties are listed with their default value in parentheses where one is documented.

host
   Hostname or IP address of the LDAP directory service. Mandatory unless hosts is used.

port
   Listen port of the LDAP directory service. Mandatory unless hosts is used.

hosts
   List of LDAP directory service host:port pairs. If more than one is specified, fail-over is enabled. When this property is used, host and port are optional.

bind_dn
   DN of the user/account used to connect to the LDAP service.

bind_password
   Password of the user/account used to connect to the LDAP service.

connect_timeout_ms (default 10000)
   Maximum time in milliseconds that a connection attempt may continue before giving up. A value of zero means no connect timeout.

response_timeout_ms (default 2000)
   Maximum time in milliseconds that an operation may block while waiting for a response from the server. A value of zero means no timeout.

abandon_on_timeout (default true)
   Whether the LDAP client should attempt to abandon any request for which no response is received within the response timeout period.

follow_referrals (default false)
   Whether associated connections should attempt to follow any referrals they encounter, using the referral connector for the associated connection.

use_keep_alive (default false)
   Whether to use the SO_KEEPALIVE option for the underlying sockets used by associated connections.

use_linger (default false)
   Whether to use the SO_LINGER option for the underlying sockets used by associated connections.

linger_timeout_secs (default 30)
   SO_LINGER timeout in seconds.

use_schema (default true)
   Whether to try to use schema information when reading data from the server (e.g. to select the appropriate matching rules for the attributes included in a search result entry).

use_ssl (default true)
   Whether SSL/TLS is used.

ssl_trust_all (default false)
   Turns trust validation for SSL/TLS connections on or off.

ssl_truststore_path
   Path to a custom SSL truststore. If not specified, the default Java truststore is used.

ssl_truststore_password
   Password of the custom truststore.

ssl_truststore_validate_time (default true)
   Turns the peer certificate validity check on or off.

Host configuration examples

Basic with no fail-over

"connection" : {
   "host" : "ldap-host",
   "port" : 389
}

Fail-over enabled by listing more than one host in hosts

"connection" : {
   "hosts" : "ldap-host:389,other-ldap:389"
}
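As an added example (not part of this documentation or of the product), a small Python check that reads a connection block the way the table above describes it: hosts takes precedence over host/port, omitted properties fall back to the documented defaults, and settings a reviewer would question (TLS off, trust validation off, zero timeouts, a single target) are reported. Property names and defaults are taken from the table; the finding texts and the acceptance of a JSON array for hosts are assumptions.

```python
# Documented defaults for the connection block (taken from the table above).
DEFAULTS = {
    "connect_timeout_ms": 10000,
    "response_timeout_ms": 2000,
    "abandon_on_timeout": True,
    "use_ssl": True,
    "ssl_trust_all": False,
    "ssl_truststore_validate_time": True,
}


def parse_hosts(conn):
    """Return the list of (host, port) targets: "hosts" wins, else host + port."""
    if "hosts" in conn:
        raw = conn["hosts"]
        # The page shows a comma-separated string; a JSON array is accepted too (assumption).
        items = raw.split(",") if isinstance(raw, str) else list(raw)
        targets = []
        for item in items:
            host, sep, port = item.strip().rpartition(":")
            if not sep or not host or not port.isdigit():
                raise ValueError(f"malformed hosts entry: {item!r}")
            targets.append((host, int(port)))
        return targets
    if "host" in conn and "port" in conn:
        return [(conn["host"], int(conn["port"]))]
    raise ValueError("either hosts or both host and port must be set")


def check_connection(conn):
    """Return one finding per risky setting, after applying the documented defaults."""
    eff = {**DEFAULTS, **conn}
    findings = []
    if not eff["use_ssl"]:
        findings.append("use_ssl: false, bind credentials and directory data go in clear text")
    elif eff["ssl_trust_all"]:
        findings.append("ssl_trust_all: true, the directory's certificate is never validated")
    elif not eff["ssl_truststore_validate_time"]:
        findings.append("ssl_truststore_validate_time: false, certificate validity period is ignored")
    if eff["connect_timeout_ms"] == 0 or eff["response_timeout_ms"] == 0:
        findings.append("timeouts: a zero value waits forever on a stalled directory")
    if not eff["abandon_on_timeout"]:
        findings.append("abandon_on_timeout: false, timed-out requests stay open on the server")
    if len(parse_hosts(conn)) < 2:
        findings.append("hosts: only one target configured, so no fail-over")
    return findings
```

Run check_connection on the parsed "connection" object of a module configuration; an empty list means nothing to flag.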
