# LDAP authentication (and possibly attribute resolver) configuration # Note, this doesn't apply to the use of JAAS authentication via LDAP ## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator idp.authn.LDAP.authenticator = bindSearchAuthenticator ## Connection properties ## idp.authn.LDAP.ldapURL.1 = ldap://ldap_1.exemplo.local:389 idp.authn.LDAP.useStartTLS.1 = false idp.authn.LDAP.ldapURL.2 = ldap://ldap_2.exemplo.local:389 idp.authn.LDAP.useStartTLS.2 = false idp.authn.LDAP.ldapURL.3 = ldap://AD_3.exemplo.local:389 idp.authn.LDAP.useStartTLS.3 = false # Time in milliseconds that connects will block idp.authn.LDAP.connectTimeout = PT3S # Time in milliseconds to wait for responses idp.authn.LDAP.responseTimeout = PT3S # Connection strategy to use when multiple URLs are supplied, either ACTIVE_PASSIVE, ROUND_ROBIN, RANDOM #idp.authn.LDAP.connectionStrategy = ACTIVE_PASSIVE ## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust idp.authn.LDAP.sslConfig = certificateTrust ## If using certificateTrust above, set to the trusted certificate's path idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt ## If using keyStoreTrust above, set to the truststore path #idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore ## Return attributes during authentication idp.authn.LDAP.returnAttributes.1 = uid idp.authn.LDAP.returnAttributes.2 = uid idp.authn.LDAP.returnAttributes.3 = sAMAccountName ## DN resolution properties ## # Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator # for AD: CN=Users,DC=example,DC=org idp.authn.LDAP.baseDN.1 = ou=people_1,dc=homolog,dc=rnp idp.authn.LDAP.subtreeSearch.1 = true idp.authn.LDAP.userFilter.1 = (uid={user}) idp.authn.LDAP.baseDN.2 = ou=people_2,dc=homolog,dc=rnp idp.authn.LDAP.subtreeSearch.2 = true idp.authn.LDAP.userFilter.2 = (uid={user}) idp.authn.LDAP.baseDN.3 = ou=people_3,dc=homolog,dc=rnp idp.authn.LDAP.subtreeSearch.3 = true idp.authn.LDAP.userFilter.3 = (sAMAccountName={user}) # bind search configuration # for AD: idp.authn.LDAP.bindDN=adminuser@domain.com idp.authn.LDAP.bindDN.1 = uid=leitor-shib,ou=Admins,dc=homolog,dc=rnp idp.authn.LDAP.bindDN.2 = cn=leitor-shib,dc=homolog,dc=rnp idp.authn.LDAP.bindDN.3 = app.shibboleth@homolog.rnp # Format DN resolution, used by directAuthenticator, adAuthenticator # for AD use idp.authn.LDAP.dnFormat=%s@domain.com idp.authn.LDAP.dnFormat.1 = mail=%s,ou=people_1,dc=homolog,dc=rnp idp.authn.LDAP.dnFormat.2 = mail=%s,ou=people_2,dc=homolog,dc=rnp idp.authn.LDAP.dnFormat.3 = %s@homolog.rnp # pool passivator, either none, bind or anonymousBind #idp.authn.LDAP.bindPoolPassivator = none # LDAP attribute configuration, see attribute-resolver.xml # Note, this likely won't apply to the use of legacy V2 resolver configurations idp.attribute.resolver.LDAP.ldapURL.1 = %{idp.authn.LDAP.ldapURL.1} idp.attribute.resolver.LDAP.connectTimeout.1 = %{idp.authn.LDAP.connectTimeout:PT3S} idp.attribute.resolver.LDAP.responseTimeout.1 = %{idp.authn.LDAP.responseTimeout:PT3S} idp.attribute.resolver.LDAP.connectionStrategy.1 = %{idp.authn.LDAP.connectionStrategy:ACTIVE_PASSIVE} idp.attribute.resolver.LDAP.baseDN.1 = %{idp.authn.LDAP.baseDN.1:undefined} idp.attribute.resolver.LDAP.bindDN.1 = %{idp.authn.LDAP.bindDN.1:undefined} idp.attribute.resolver.LDAP.useStartTLS.1 = %{idp.authn.LDAP.useStartTLS.1:true} idp.attribute.resolver.LDAP.trustCertificates.1 = %{idp.authn.LDAP.trustCertificates:undefined} idp.attribute.resolver.LDAP.searchFilter.1 = (uid=$resolutionContext.principal) idp.attribute.resolver.LDAP.ldapURL.2 = %{idp.authn.LDAP.ldapURL.2} idp.attribute.resolver.LDAP.connectTimeout.2 = %{idp.authn.LDAP.connectTimeout:PT3S} idp.attribute.resolver.LDAP.responseTimeout.2 = %{idp.authn.LDAP.responseTimeout:PT3S} idp.attribute.resolver.LDAP.connectionStrategy.2 = %{idp.authn.LDAP.connectionStrategy:ACTIVE_PASSIVE} idp.attribute.resolver.LDAP.baseDN.2 = %{idp.authn.LDAP.baseDN.2:undefined} idp.attribute.resolver.LDAP.bindDN.2 = %{idp.authn.LDAP.bindDN.2:undefined} idp.attribute.resolver.LDAP.useStartTLS.2 = %{idp.authn.LDAP.useStartTLS.2:true} idp.attribute.resolver.LDAP.trustCertificates.2 = %{idp.authn.LDAP.trustCertificates:undefined} idp.attribute.resolver.LDAP.searchFilter.2 = (uid=$resolutionContext.principal) idp.attribute.resolver.LDAP.ldapURL.3 = %{idp.authn.LDAP.ldapURL.3} idp.attribute.resolver.LDAP.connectTimeout.3 = %{idp.authn.LDAP.connectTimeout:PT3S} idp.attribute.resolver.LDAP.responseTimeout.3 = %{idp.authn.LDAP.responseTimeout:PT3S} idp.attribute.resolver.LDAP.connectionStrategy.3 = %{idp.authn.LDAP.connectionStrategy:ACTIVE_PASSIVE} idp.attribute.resolver.LDAP.baseDN.3 = %{idp.authn.LDAP.baseDN.3:undefined} idp.attribute.resolver.LDAP.bindDN.3 = %{idp.authn.LDAP.bindDN.3:undefined} idp.attribute.resolver.LDAP.useStartTLS.3 = %{idp.authn.LDAP.useStartTLS.3:true} idp.attribute.resolver.LDAP.trustCertificates.3 = %{idp.authn.LDAP.trustCertificates:undefined} idp.attribute.resolver.LDAP.searchFilter.3 = (sAMAccountName=$resolutionContext.principal) # LDAP pool configuration, used for both authn and DN resolution #idp.pool.LDAP.minSize = 3 #idp.pool.LDAP.maxSize = 10 #idp.pool.LDAP.validateOnCheckout = false #idp.pool.LDAP.validatePeriodically = true #idp.pool.LDAP.validatePeriod = PT5M #idp.pool.LDAP.validateDN = #idp.pool.LDAP.validateFilter = (objectClass=*) #idp.pool.LDAP.prunePeriod = PT5M #idp.pool.LDAP.idleTime = PT10M #idp.pool.LDAP.blockWaitTime = PT3S