<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy"
default-lazy-init="true">
<!-- Shibboleth IdP LDAP authentication wiring. Every %{name:default} token is a property placeholder whose
value after the colon is the default used when the property is unset. Beans are lazy (default-lazy-init="true"),
so pool and authenticator beans that nothing references should not be instantiated. -->
<!-- Selects the active authenticator; defaults to the anonymous-search flow. The target must be one of the
authenticator beans defined below: anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator or adAuthenticator. -->
<alias name="%{idp.authn.LDAP.authenticator:anonSearchAuthenticator}" alias="shibboleth.authn.LDAP.authenticator" />
<!-- Comma-delimited list of attributes to request from the user's LDAP entry. The default "1.1" is the LDAP
convention (RFC 4511) for requesting no attributes at all. -->
<bean id="shibboleth.authn.LDAP.returnAttributes" parent="shibboleth.CommaDelimStringArray">
<constructor-arg type="java.lang.String" value="%{idp.authn.LDAP.returnAttributes:1.1}" />
</bean>
<!-- Maps the generic username/password validation action name onto the LDAP implementation. -->
<alias name="ValidateUsernamePasswordAgainstLDAP" alias="ValidateUsernamePassword" />
<!-- Connection Configuration -->
<!-- Abstract parent shared by every connection config below. StartTLS is enabled by default and LDAPS (useSSL)
disabled; TLS trust material comes from whichever SslConfig the sslConfig alias points at.
NOTE(review): authHandler performs an LDAP bind with the user's credential over these connections, so keep
either StartTLS or LDAPS enabled; disabling both would expose that bind on the wire. -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true" p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
p:useSSL="%{idp.authn.LDAP.useSSL:false}"
p:connectTimeoutDuration="%{idp.authn.LDAP.connectTimeout:PT3S}"
p:responseTimeoutDuration="%{idp.authn.LDAP.responseTimeout:PT3S}"
p:sslConfig-ref="sslConfig" />
<!-- TLS trust selection (idp.authn.LDAP.sslConfig): certificateTrust (default) trusts the certificate resource
named by idp.authn.LDAP.trustCertificates; keyStoreTrust trusts the keystore named by idp.authn.LDAP.trustStore;
jvmTrust sets no credentialConfig and so presumably falls back to the JVM's default trust store. -->
<alias name="%{idp.authn.LDAP.sslConfig:certificateTrust}" alias="sslConfig" />
<bean id="jvmTrust" class="org.ldaptive.ssl.SslConfig" />
<bean id="certificateTrust" class="org.ldaptive.ssl.SslConfig">
<property name="credentialConfig">
<bean parent="shibboleth.X509ResourceCredentialConfig" p:trustCertificates="%{idp.authn.LDAP.trustCertificates:undefined}" />
</property>
</bean>
<bean id="keyStoreTrust" class="org.ldaptive.ssl.SslConfig">
<property name="credentialConfig">
<bean parent="shibboleth.KeystoreResourceCredentialConfig" p:truststore="%{idp.authn.LDAP.trustStore:undefined}" />
</property>
</bean>
<!-- Authentication handler -->
<!-- Performs the user bind on connections drawn from bind-pool. Referenced by every authenticator below,
so the bind pool is shared regardless of which DN resolution strategy is active. -->
<bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler" p:connectionFactory-ref="bindPooledConnectionFactory" />
<bean id="bindPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory" p:connectionPool-ref="bindConnectionPool" />
<bean id="bindConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"
p:connectionFactory-ref="bindConnectionFactory" p:name="bind-pool" />
<bean id="bindConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="bindConnectionConfig" />
<bean id="bindConnectionConfig" parent="connectionConfig" />
<!-- Format DN resolution -->
<!-- Builds the user DN from the idp.authn.LDAP.dnFormat template; used by directAuthenticator and adAuthenticator
in place of a search-based resolver. -->
<bean id="formatDnResolver" class="org.ldaptive.auth.FormatDnResolver" p:format="%{idp.authn.LDAP.dnFormat:undefined}" />
<!-- Pool Configuration -->
<!-- Abstract parent for the three BlockingConnectionPools (bind, anonymous search, bind search). Sizing, validation
and pruning are governed by idp.pool.LDAP.* properties. With the defaults (validateOnCheckout=false,
validatePeriodically=true) searchValidator runs on the validatePeriod schedule rather than on every checkout. -->
<bean id="connectionPool" class="org.ldaptive.pool.BlockingConnectionPool" abstract="true"
p:blockWaitTimeDuration="%{idp.pool.LDAP.blockWaitTime:PT3S}"
p:poolConfig-ref="poolConfig"
p:pruneStrategy-ref="pruneStrategy"
p:validator-ref="searchValidator"
p:failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
<bean id="poolConfig" class="org.ldaptive.pool.PoolConfig"
p:minPoolSize="%{idp.pool.LDAP.minSize:3}"
p:maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
p:validateOnCheckOut="%{idp.pool.LDAP.validateOnCheckout:false}"
p:validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
p:validatePeriodDuration="%{idp.pool.LDAP.validatePeriod:PT5M}" />
<bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
p:prunePeriodDuration="%{idp.pool.LDAP.prunePeriod:PT5M}"
p:idleTimeDuration="%{idp.pool.LDAP.idleTime:PT10M}" />
<bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />
<!-- Anonymous Search Configuration -->
<!-- Resolves the user DN by searching under idp.authn.LDAP.baseDN with the idp.authn.LDAP.userFilter template
(both trimmed via SpEL), then binds through authHandler. The search pool's connectionConfig sets no
connectionInitializer, so the search itself presumably runs without a bind; contrast bindSearchConnectionConfig below. -->
<bean name="anonSearchAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
<constructor-arg index="0" ref="anonSearchDnResolver" />
<constructor-arg index="1" ref="authHandler" />
</bean>
<bean id="anonSearchDnResolver" class="net.shibboleth.idp.authn.PooledTemplateSearchDnResolver"
p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}"
p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}"
p:connectionFactory-ref="anonSearchPooledConnectionFactory" >
<constructor-arg index="0" ref="shibboleth.VelocityEngine" />
<constructor-arg index="1" value="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}" />
</bean>
<bean id="anonSearchPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory"
p:connectionPool-ref="anonSearchConnectionPool" />
<bean id="anonSearchConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"
p:connectionFactory-ref="anonSearchConnectionFactory" p:name="search-pool" />
<bean id="anonSearchConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="anonSearchConnectionConfig" />
<bean id="anonSearchConnectionConfig" parent="connectionConfig" />
<!-- Bind Search Configuration -->
<!-- Same search flow as above, except that search connections are initialised with a bind as idp.authn.LDAP.bindDN
using idp.authn.LDAP.bindDNCredential (see bindConnectionInitializer). NOTE(review): that credential arrives through
a property placeholder, so whatever file supplies it must be access-restricted. This pool reuses the name
"search-pool" already used by anonSearchConnectionPool; a distinct name would keep the two apart wherever the
pool name is surfaced, should both ever be active. -->
<bean name="bindSearchAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
<constructor-arg index="0" ref="bindSearchDnResolver" />
<constructor-arg index="1" ref="authHandler" />
</bean>
<bean id="bindSearchDnResolver" class="net.shibboleth.idp.authn.PooledTemplateSearchDnResolver"
p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}"
p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}"
p:connectionFactory-ref="bindSearchPooledConnectionFactory" >
<constructor-arg index="0" ref="shibboleth.VelocityEngine" />
<constructor-arg index="1" value="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}" />
</bean>
<bean id="bindSearchPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory"
p:connectionPool-ref="bindSearchConnectionPool" />
<bean id="bindSearchConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"
p:connectionFactory-ref="bindSearchConnectionFactory" p:name="search-pool" />
<bean id="bindSearchConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="bindSearchConnectionConfig" />
<bean id="bindSearchConnectionConfig" parent="connectionConfig" p:connectionInitializer-ref="bindConnectionInitializer" />
<!-- Service account used to open search connections; only the bind-search flow references it. -->
<bean id="bindConnectionInitializer" class="org.ldaptive.BindConnectionInitializer"
p:bindDn="#{'%{idp.authn.LDAP.bindDN:undefined}'.trim()}">
<property name="bindCredential">
<bean class="org.ldaptive.Credential">
<constructor-arg value="%{idp.authn.LDAP.bindDNCredential:undefined}" />
</bean>
</property>
</bean>
<!-- Direct Search Configuration -->
<!-- Obtains the user DN from formatDnResolver (no search-based resolver) and binds through authHandler. -->
<bean name="directAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
<constructor-arg index="0" ref="formatDnResolver" />
<constructor-arg index="1" ref="authHandler" />
</bean>
<!-- Want to use ppolicy? Configure support by adding <bean id="authenticationResponseHandler" class="org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler"
/> add p:authenticationResponseHandlers-ref="authenticationResponseHandler" to the authenticator <bean id="authenticationControl"
class="org.ldaptive.control.PasswordPolicyControl" /> add p:authenticationControls-ref="authenticationControl" to the authHandler -->
<!-- Active Directory Configuration -->
<!-- Same resolution as directAuthenticator, plus the Active Directory response handler, which presumably
interprets AD-specific bind failure details (expired or locked accounts and the like). -->
<bean id="adAuthenticator" class="org.ldaptive.auth.Authenticator" p:authenticationResponseHandlers-ref="authenticationResponseHandler"
p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
<constructor-arg index="0" ref="formatDnResolver" />
<constructor-arg index="1" ref="authHandler" />
</bean>
<!-- Referenced only by adAuthenticator. -->
<bean id="authenticationResponseHandler" class="org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler" />
</beans>