...
Parameter | Default value | Description |
---|---|---|
initialContextFactory | "org.apache.directory.server.core.jndi.CoreContextFactory" | The JNDI initial context factory to use. |
securityAuthentication | "simple" | The authentication mechanism to use for establishing a JNDI context. |
securityPrincipal | "uid=admin,ou=system" | The principal to use for establishing a JNDI context. |
securityCredentials | "secret" | The credentials to use for establishing a JNDI context. |
serviceName | No default. | The friendly name of this service. |
servicePid | No default. | The PID for this service. A PID is a unique identifier for an instance of a service. PIDs are used by OSGi's Config Admin service to dynamically inject configuration into a service when the service is started. |
bufferSize | No default. | The MINA buffer size for this service. |
catalogBaseDn | No default. | The single location where catalog entries are stored. A catalog entry is a mapping of a realm (or zone for DNS) to a search base DN. If this property is not set the store will expect a single search base DN to be set. Catalog support is highly experimental and is only tested in the OSGi build of ApacheDS using the Config Admin service. |
Warning |
---|
It would be good to have more insight about catalogs. |
LDAP-Specific Configuration Parameters
Note |
---|
We have made a lot of modifications in this part. Some of them are really going in the right direction; some others need to be tuned. |
Here is the latest version of the LDAP configuration:
```xml
<bean id="ldapConfiguration" class="org.apache.directory.server.ldap.LdapConfiguration">
  <!-- The port to run the LDAP protocol on. -->
  <property name="ipPort" value="10389" />
  <!-- Whether to allow anonymous access. -->
  <property name="allowAnonymousAccess" value="false" />
  <!-- The list of supported authentication mechanisms. -->
  <property name="supportedMechanisms">
    <list>
      <value>SIMPLE</value>
      <value>CRAM-MD5</value>
      <value>DIGEST-MD5</value>
      <!--<value>GSSAPI</value>-->
    </list>
  </property>
  <!-- The FQDN of this SASL host, validated during SASL negotiation. -->
  <property name="saslHost" value="ldap.example.com" />
  <!-- The Kerberos principal name for this LDAP service, used by GSSAPI. -->
  <property name="saslPrincipal" value="ldap/ldap.example.com@EXAMPLE.COM" />
  <!-- The desired quality-of-protection, used by DIGEST-MD5 and GSSAPI. -->
  <property name="saslQop">
    <list>
      <value>auth</value>
      <value>auth-int</value>
      <value>auth-conf</value>
    </list>
  </property>
  <!-- The realms serviced by this SASL host, used by DIGEST-MD5 and GSSAPI. -->
  <property name="saslRealms">
    <list>
      <value>example.com</value>
      <value>apache.org</value>
    </list>
  </property>
  <!-- The base DN containing users that can be SASL authenticated. -->
  <property name="searchBaseDn" value="ou=users,dc=example,dc=com" />
  <!-- SSL CONFIG CAN GO HERE -->
  <!-- limits searches by non-admin users to a max time of 15000 -->
  <!-- milliseconds and has a default value of 10000 -->
  <property name="maxTimeLimit" value="15000" />
  <!-- limits searches to max size of 1000 entries: default value is 100 -->
  <property name="maxSizeLimit" value="1000" />
  <!-- the collection of extended operation handlers to install -->
  <property name="extendedOperationHandlers">
    <list>
      <!--<bean class="org.apache.directory.server.ldap.support.starttls.StartTlsHandler"/>-->
      <bean class="org.apache.directory.server.ldap.support.extended.GracefulShutdownHandler"/>
      <bean class="org.apache.directory.server.ldap.support.extended.LaunchDiagnosticUiHandler"/>
    </list>
  </property>
</bean>
```
Parameter | Default value | Description | Comments |
---|---|---|---|
ipPort | 10389 | The IP port used by the LDAP server | We are using a port above 1024 to allow non-root users to launch the server |
allowAnonymousAccess | false | Whether to allow anonymous access | Was true in the previous version. |
supportedMechanisms | SIMPLE, CRAM-MD5, DIGEST-MD5 | The supported authentication mechanisms. | The GSSAPI mechanism has been temporarily disabled |
Note |
---|
We have to figure out whether we should reactivate this GSSAPI configuration or not. Not a simple matter right now. If SASL is to be moved to another configuration, then maybe it should be activated as a default value. TO BE DISCUSSED... |
Parameter | Default value | Description | Comments |
---|---|---|---|
allowAnonymousAccess | true | Whether to allow anonymous access. | |
maxSizeLimit | 100 | The maximum number of entries a search may return. | |
maxTimeLimit | 10000 | The maximum time a search may take, in milliseconds. | |
enableLdaps | false | Whether LDAPS is enabled. | |
ldapsCertificateFile | server-work/certificates/server.cert | The path to the certificate file. | |
ldapsCertificatePassword | changeit | The certificate password. | |
extendedOperationHandlers | No default. | The extended operation handlers. | |
supportedMechanisms | SIMPLE, CRAM-MD5, DIGEST-MD5, GSSAPI | The supported authentication mechanisms. | |
saslHost | ldap.example.com | The name of this host, validated during SASL negotiation. | The host name must be selected with great caution |
saslPrincipal | ldap/ldap.example.com@EXAMPLE.COM | The service principal, used by GSSAPI. | |
saslQop | auth, auth-int, auth-conf | The quality of protection (QoP), used by DIGEST-MD5 and GSSAPI. | |
saslRealms | example.com | The list of realms serviced by this host. | |
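As an added example (not ApacheDS code), a small Python audit that parses an ldapConfiguration bean like the one above and flags the settings these tables describe as risky: anonymous access, the default certificate password, SIMPLE binds without LDAPS, a saslQop list that never offers auth-conf, and a privileged port. The bean XML it reads is a constructed sample, and the severity labels are the example's own.

```python
"""Audit an ApacheDS ldapConfiguration bean for weak settings (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: the page's bean with a few settings deliberately weakened
# (anonymous access on, default certificate password, LDAPS off, QoP auth only).
SAMPLE_XML = """<beans>
<bean id="ldapConfiguration" class="org.apache.directory.server.ldap.LdapConfiguration">
  <property name="ipPort" value="10389" />
  <property name="allowAnonymousAccess" value="true" />
  <property name="supportedMechanisms">
    <list><value>SIMPLE</value><value>DIGEST-MD5</value></list>
  </property>
  <property name="saslQop"><list><value>auth</value></list></property>
  <property name="enableLdaps" value="false" />
  <property name="ldapsCertificatePassword" value="changeit" />
</bean>
</beans>"""


def load_properties(xml_text, bean_id="ldapConfiguration"):
    """Return {property name: value or list of <value> texts} for one bean."""
    bean = ET.fromstring(xml_text).find(f".//bean[@id='{bean_id}']")
    if bean is None:
        raise ValueError(f"bean {bean_id!r} not found")
    props = {}
    for p in bean.findall("property"):
        if "value" in p.attrib:
            props[p.get("name")] = p.get("value")
        else:  # <list> of <value> elements, as used for mechanisms, QoP, realms
            props[p.get("name")] = [v.text for v in p.findall("list/value")]
    return props


def audit(props):
    """Return (severity, message) findings; absent keys take the tables' defaults."""
    findings = []
    if props.get("allowAnonymousAccess", "false").lower() == "true":
        findings.append(("high", "allowAnonymousAccess=true: unauthenticated clients may read the DIT"))
    if props.get("ldapsCertificatePassword", "changeit") == "changeit":
        findings.append(("high", "ldapsCertificatePassword is the default 'changeit'"))
    ldaps_on = props.get("enableLdaps", "false").lower() == "true"
    if "SIMPLE" in props.get("supportedMechanisms", []) and not ldaps_on:
        findings.append(("medium", "SIMPLE bind without LDAPS: passwords cross the network in clear"))
    qop = props.get("saslQop", [])
    if qop and "auth-conf" not in qop:
        findings.append(("medium", "saslQop offers no auth-conf: SASL sessions get no confidentiality layer"))
    if int(props.get("ipPort", "10389")) < 1024:
        findings.append(("low", "ipPort below 1024: the server must be started as root to bind it"))
    return findings
```

Run it against a real server.xml by replacing SAMPLE_XML with the file's contents; a clean configuration returns an empty list.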
Kerberos-Specific Configuration Parameters
...