Work in progress

This site is in the process of being reviewed and updated.

LDAP protocol configuration is currently being revamped in the SASL branch, as part of making SASL configurable.

Before

Previously, LDAP protocol configuration lived in the MutableServerStartupConfiguration bean, alongside the core and partition configuration.

  <bean id="configuration" class="org.apache.directory.server.configuration.MutableServerStartupConfiguration">
    <property name="ldapPort" value="389" />
    <property name="allowAnonymousAccess" value="false" />

    <!-- limits searches by non-admin users to a max time of 15000          -->
    <!-- milliseconds and has a default value of 10000                      -->
    <property name="maxTimeLimit" value="15000" />

    <!-- limits searches to max size of 1000 entries: default value is 100  -->
    <property name="maxSizeLimit" value="1000" />

    <property name="extendedOperationHandlers">
      <list>
        <bean class="org.apache.directory.server.ldap.support.starttls.StartTlsHandler"/>
        <bean class="org.apache.directory.server.ldap.support.extended.GracefulShutdownHandler"/>
        <bean class="org.apache.directory.server.ldap.support.extended.LaunchDiagnosticUiHandler"/>
      </list>
    </property>
  </bean>

After

Along with the addition of numerous SASL configuration parameters, all LDAP protocol configuration has moved to a separate LdapConfiguration bean.

  <bean id="ldapConfiguration" class="org.apache.directory.server.ldap.LdapConfiguration">
    <!-- The port to run the LDAP protocol on.                              -->
    <property name="ipPort" value="389" />
    <!-- Whether to allow anonymous access.                                 -->
    <property name="allowAnonymousAccess" value="true" />
    
    <!-- BEGIN NEW SASL CONFIG -->
    
    <!-- The list of supported authentication mechanisms.                   -->
    <property name="supportedMechanisms">
      <list>
        <value>SIMPLE</value>
        <value>CRAM-MD5</value>
        <value>DIGEST-MD5</value>
        <value>GSSAPI</value>
      </list>
    </property>
    
    <!-- The FQDN of this SASL host, validated during SASL negotiation.     -->
    <property name="saslHost" value="ldap.example.com" />
    
    <!-- The Kerberos principal name for this LDAP service, used by GSSAPI. -->
    <property name="saslPrincipal" value="ldap/ldap.example.com@EXAMPLE.COM" />
    
    <!-- The desired quality-of-protection, used by DIGEST-MD5 and GSSAPI.  -->
    <property name="saslQop">
      <list>
        <value>auth</value>
        <value>auth-int</value>
        <value>auth-conf</value>
      </list>
    </property>
    
    <!-- The realms serviced by this SASL host, used by DIGEST-MD5 and GSSAPI. -->
    <property name="saslRealms">
      <list>
        <value>example.com</value>
        <value>apache.org</value>
      </list>
    </property>
    
    <!-- The base DN containing users that can be SASL authenticated.       -->
    <property name="searchBaseDn" value="ou=users,dc=example,dc=com" />
    
    <!-- END NEW SASL CONFIG -->
    
    <!-- SSL CONFIG CAN GO HERE                                             -->
    
    <!-- limits searches by non-admin users to a max time of 15000          -->
    <!-- milliseconds and has a default value of 10000                      -->
    <property name="maxTimeLimit" value="15000" />
    <!-- limits searches to max size of 1000 entries: default value is 100  -->
    <property name="maxSizeLimit" value="1000" />
    <!-- the collection of extended operation handlers to install           -->
    <property name="extendedOperationHandlers">
      <list>
        <bean class="org.apache.directory.server.ldap.support.starttls.StartTlsHandler"/>
        <bean class="org.apache.directory.server.ldap.support.extended.GracefulShutdownHandler"/>
        <bean class="org.apache.directory.server.ldap.support.extended.LaunchDiagnosticUiHandler"/>
      </list>
    </property>
  </bean>

The LdapConfiguration bean is subordinate to the MutableServerStartupConfiguration, which references it by bean id:

  <bean id="configuration" class="org.apache.directory.server.configuration.MutableServerStartupConfiguration">
    ...
    <property name="ldapConfiguration" ref="ldapConfiguration" />
    ...
  </bean>

Common Service Configuration Parameters

| Parameter | Default value | Description |
|---|---|---|
| enabled | true | Whether this service is enabled. |
| ipPort | 389 | The IP port for this service. |
| ipAddress | No default. | The IP address for this service. |
| searchBaseDn | "ou=users,dc=example,dc=com" | The single location where users are stored. If this property is not set, the store will search the system partition configuration for catalog entries. Catalog support is highly experimental and is only tested in the OSGi build of ApacheDS using the Config Admin service. |
| initialContextFactory | "org.apache.directory.server.core.jndi.CoreContextFactory" | The JNDI initial context factory to use. |
| securityAuthentication | "simple" | The authentication mechanism to use for establishing a JNDI context. |
| securityPrincipal | "uid=admin,ou=system" | The principal to use for establishing a JNDI context. |
| securityCredentials | "secret" | The credentials to use for establishing a JNDI context. |
| serviceName | Apache LDAP Service | The friendly name of this service. |
| servicePid | org.apache.directory.server.ldap | The PID for this service. A PID is a unique identifier for an instance of a service. PIDs are used by OSGi's Config Admin service to dynamically inject configuration into a service when the service is started. |
| catalogBaseDn | No default. | The single location where catalog entries are stored. A catalog entry is a mapping of a realm (or zone for DNS) to a search base DN. If this property is not set, the store will expect a single search base DN to be set. Catalog support is highly experimental and is only tested in the OSGi build of ApacheDS using the Config Admin service. |

LDAP-Specific Configuration Parameters

| Parameter | Default value | Description |
|---|---|---|
| allowAnonymousAccess | true | Whether to allow anonymous access. |
| maxSizeLimit | 100 | The maximum size limit. |
| maxTimeLimit | 10000 | The maximum time limit. |
| enableLdaps | false | Whether LDAPS is enabled. |
| ldapsCertificateFile | server-work/certificates/server.cert | The path to the certificate file. |
| ldapsCertificatePassword | changeit | The certificate password. |
| extendedOperationHandlers | No default. | The extended operation handlers. |
| supportedMechanisms | SIMPLE, CRAM-MD5, DIGEST-MD5, GSSAPI | The supported authentication mechanisms. |
| saslHost | ldap.example.com | The name of this host, validated during SASL negotiation. |
| saslPrincipal | ldap/ldap.example.com@EXAMPLE.COM | The service principal, used by GSSAPI. |
| saslQop | auth, auth-int, auth-conf | The quality of protection (QoP), used by DIGEST-MD5 and GSSAPI. |
| saslRealms | example.com | The list of realms serviced by this host. |
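As an added example (not ApacheDS project code), the following Python script reads an LdapConfiguration bean in the Spring XML form shown above, fills absent properties with the defaults from the two parameter tables, and flags the settings a reviewer would check first: anonymous access left at its default of true, SIMPLE bind offered with neither LDAPS nor the StartTlsHandler, DIGEST-MD5 or GSSAPI listed without auth-conf, saslHost, saslRealms or saslPrincipal. The sample bean is constructed for the demonstration; the finding texts and the assumption that an absent extendedOperationHandlers list means no handlers are mine.

```python
import xml.etree.ElementTree as ET

LDAP_CONF = "org.apache.directory.server.ldap.LdapConfiguration"
STARTTLS = "org.apache.directory.server.ldap.support.starttls.StartTlsHandler"

# Defaults from the parameter tables on this page; a property absent from the
# bean takes its default. extendedOperationHandlers has "No default", which
# this script (an assumption) treats as "no handlers installed".
DEFAULTS = {"allowAnonymousAccess": "true", "enableLdaps": "false",
            "supportedMechanisms": ["SIMPLE", "CRAM-MD5", "DIGEST-MD5", "GSSAPI"],
            "saslQop": ["auth", "auth-int", "auth-conf"], "extendedOperationHandlers": []}

# Constructed sample bean (not from the page): anonymous access on, StartTlsHandler
# dropped, QoP reduced to "auth" only, GSSAPI offered without host/realm/principal.
SAMPLE_XML = """<beans>
  <bean id="ldapConfiguration" class="%s">
    <property name="ipPort" value="389" />
    <property name="allowAnonymousAccess" value="true" />
    <property name="supportedMechanisms">
      <list><value>SIMPLE</value><value>DIGEST-MD5</value><value>GSSAPI</value></list>
    </property>
    <property name="saslQop"><list><value>auth</value></list></property>
    <property name="extendedOperationHandlers"><list>
      <bean class="org.apache.directory.server.ldap.support.extended.GracefulShutdownHandler"/>
    </list></property>
  </bean>
</beans>""" % LDAP_CONF

def load_ldap_properties(xml_text):
    """Flatten the LdapConfiguration bean into {property name: string or list}."""
    bean = ET.fromstring(xml_text).find(".//bean[@class='%s']" % LDAP_CONF)
    props = {}
    for p in bean.findall("property"):
        if p.get("value") is not None:
            props[p.get("name")] = p.get("value")
        else:  # a <list> of <value> text and/or nested <bean class="..."/> handlers
            props[p.get("name")] = ([v.text.strip() for v in p.findall("list/value")]
                                    + [b.get("class") for b in p.findall("list/bean")])
    return props

def audit(props):
    """Return one finding string per weak or inconsistent setting (empty if none)."""
    def get(key):
        return props.get(key, DEFAULTS.get(key))
    mechs, qop, findings = get("supportedMechanisms"), get("saslQop"), []
    if get("allowAnonymousAccess") == "true":
        findings.append("allowAnonymousAccess=true (the documented default)")
    if "SIMPLE" in mechs and get("enableLdaps") == "false" and STARTTLS not in get("extendedOperationHandlers"):
        findings.append("SIMPLE bind offered without LDAPS or StartTlsHandler: cleartext passwords")
    if "DIGEST-MD5" in mechs or "GSSAPI" in mechs:
        if "auth-conf" not in qop:
            findings.append("saslQop lacks auth-conf: SASL layer cannot provide confidentiality")
        findings += ["%s unset but DIGEST-MD5/GSSAPI enabled" % k
                     for k in ("saslHost", "saslRealms") if not props.get(k)]
    if "GSSAPI" in mechs and not props.get("saslPrincipal"):
        findings.append("saslPrincipal unset but GSSAPI enabled")
    return findings

def audit_sample():
    return audit(load_ldap_properties(SAMPLE_XML))
```

Running `audit_sample()` against the constructed bean yields six findings; a bean with anonymous access off, only GSSAPI with auth-conf, and saslHost, saslRealms and saslPrincipal set yields none.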

More Information

For help with more advanced configurations, check out our Interoperability Guide.