Setting advanced LDAP options
PingFederate lets you customize the default settings of both the search pool and the bind pool for each LDAP datastore.
About this task
PingFederate maintains a search pool and a bind pool for each LDAP datastore for optimal performance. The search pool is for LDAP directory searches. The bind pool is for LDAP bind authentication purposes. Use the Advanced LDAP Options window to change default pool settings. These settings are applicable to both the search pool and the bind pool.
When you configure PingFederate to locate the directory server from a DNS SRV record, you can fine-tune the TTL value and the SRV record prefixes.
On the LDAP Binary Attributes tab, you can also specify attributes whose values PingFederate must handle as binary data for use in attribute contract fulfillment. Binary attributes are typically used for certificates and images.
You cannot use binary data in an assertion. You must apply and handle encoding on a per-connection basis. When binary attributes are selected for attribute mapping, the administrative console prompts you to select an encoding type for each binary attribute.
Steps
-
On the Data Store window’s LDAP Configuration tab, click Advanced.
Result:
The Advanced LDAP Options window opens.
-
Optional: To view or restore the default values, click the Apply Defaults button on the Advanced LDAP Options tab.
The default values are conservative and are based on the server thread pool settings configured in the <pf_install>/pingfederate/etc/jetty-runtime.xml file. If you change the thread pool settings, update these values as described in the following step.
-
Configure the advanced settings. For more information about each field, see the following table.
Retry Failed Operations
  PingFederate initiates a single retry if a request fails and it appears the connection might have become invalid. The connection is discarded, and PingFederate establishes a new one for the retry. If failover is enabled, the standard failover logic applies when creating the new connection.
  Only operations that do not modify entries (BIND, SEARCH, and COMPARE) are eligible for retry.
  This check box is not selected by default.
Test Connection on Borrow
  Indicates whether to validate connections before they are borrowed from the pool.
  This check box is not selected by default.
Test Connection on Return
  Indicates whether to validate connections before they are returned to the pool.
  This check box is not selected by default.
Create New Connection If Necessary
  Indicates whether PingFederate can create temporary connections when the Maximum Connections threshold is reached. Temporary connections are managed automatically.
  If disabled, subsequent requests that rely on this LDAP datastore instance might fail once the Maximum Connections value is reached.
  This check box is selected by default.
Verify LDAPS Hostname
  Indicates whether to verify that the host name of the directory server matches the subject common name (CN) or one of the subject alternative names (SANs) in the server certificate.
  Verify the LDAPS host name for all LDAPS connections. Without this check, any certificate that chains to a trusted CA is accepted regardless of which host it was issued for.
  This check box is selected by default.
Minimum Connections (Required)
  The smallest number of connections that can remain in each pool. A minimum value of 1 creates two connections, one in the search pool and one in the bind pool. The default value is 10.
  For optimal performance, set this value to 50% of the maxThreads value in the Jetty server configuration. For more information, see Configuring connection pools to datastores.
  PingFederate does not establish the connection pool for a datastore until it receives a request that requires one or more attributes from that datastore.
Maximum Connections (Required)
  The largest number of active connections that can remain in each pool, not including the temporary connections that are managed automatically when the Create New Connection If Necessary check box is selected. The value must be greater than or equal to the Minimum Connections value.
  For optimal performance, set this value to 75% to 100% of the maxThreads value in the Jetty server configuration. For more information, see Configuring connection pools to datastores.
  The default value is 100.
Maximum Wait (Milli) (Required)
  The maximum number of milliseconds the pool waits for an available connection when trying to obtain one from the pool. A value of -1 causes the pool not to wait at all and either to create a new connection or to produce an error when no connections are available.
  The default value is -1.
Time Between Eviction (Milli) (Required)
  The number of milliseconds between periodic background health checks against the available connections in this pool. A value of -1 disables the evictor.
  The default value is 60000.
Read Timeout (Milli) (Required)
  The maximum number of milliseconds a connection waits for a response before producing an error. A value of -1 causes the connection to wait indefinitely.
  The default value is 3000.
Connection Timeout (Milli) (Required)
  The maximum number of milliseconds a connection attempt can continue before returning an error. A value of -1 causes the pool to wait indefinitely.
  The default value is 3000.
DNS TTL (Milli) (Required)
  The amount of time in milliseconds that a previously obtained DNS SRV record remains valid. When this threshold is reached, PingFederate queries DNS for a new SRV record to locate the directory server.
  The default value is 60000.
LDAP DNS SRV Record Prefix (Required)
  The prefix that PingFederate uses in its DNS queries for SRV records to locate an LDAP-capable directory server.
  The default value is _ldap._tcp.
LDAPS DNS SRV Record Prefix (Required)
  The prefix that PingFederate uses in its DNS queries for SRV records to locate an LDAPS-capable directory server.
  The default value is _ldaps._tcp.
-
Optional: To specify LDAP binary attributes:
-
Click Next on the Advanced LDAP Options tab.
-
On the LDAP Binary Attributes tab, add, edit, or remove binary attributes.
-
Click Save.
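The following is an added example, not PingFederate code, that models two of the settings in the table above so you can see what they do: how a directory server is located from a DNS SRV record (prefix plus domain, RFC 2782 priority and weight ordering, and a cache bounded by a TTL in milliseconds, the role of DNS TTL (Milli)), and what the Verify LDAPS Hostname check compares (the host name against the certificate's DNS SANs or subject CN, as the table describes). The SRV records, certificate, and clock are constructed inline so the script runs offline; the class and function names, and the domain example.com, are assumptions of this example.

```python
"""Added example (not PingFederate code): SRV-based directory lookup with a TTL
cache, and LDAPS host-name verification against the server certificate."""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def srv_query_name(prefix, domain):
    """'_ldaps._tcp' + 'example.com' -> '_ldaps._tcp.example.com'."""
    return f"{prefix.strip('.')}.{domain.strip('.')}"


def order_srv_targets(records, rng):
    """RFC 2782 selection order: lowest priority first; within a priority, a
    weighted random pick. rng.randint(0, total) supplies the draw."""
    by_priority = {}
    for r in records:
        by_priority.setdefault(r.priority, []).append(r)
    ordered = []
    for prio in sorted(by_priority):
        # RFC 2782: weight-0 entries go first so they are picked only on a draw of 0.
        pool = sorted(by_priority[prio], key=lambda r: r.weight != 0)
        while pool:
            draw = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for r in pool:
                running += r.weight
                if running >= draw:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


class SrvCache:
    """Reuse an SRV answer for ttl_ms, then re-query (the DNS TTL (Milli) behaviour)."""

    def __init__(self, resolver, ttl_ms, clock=time.monotonic):
        self._resolver = resolver      # callable(name) -> list of SrvRecord
        self._ttl = ttl_ms / 1000.0
        self._clock = clock
        self._cache = {}               # name -> (expires_at, records)

    def lookup(self, name):
        now = self._clock()
        hit = self._cache.get(name)
        if hit and now < hit[0]:
            return hit[1]
        records = self._resolver(name)
        self._cache[name] = (now + self._ttl, records)
        return records


def _dns_name_matches(pattern, hostname):
    """Case-insensitive exact match, or a single leftmost wildcard label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return False


def ldaps_hostname_ok(cert, hostname):
    """cert is in ssl.getpeercert() dict form. As the table states, the host name may
    match a DNS SAN or the subject CN (RFC 6125 verifiers ignore the CN when SANs exist)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    names += [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(n, hostname) for n in names)


# Constructed sample data, not real infrastructure.
SAMPLE_SRV = {
    "_ldaps._tcp.example.com": [
        SrvRecord(priority=0, weight=100, port=636, target="ldap1.example.com"),
        SrvRecord(priority=0, weight=0, port=636, target="ldap2.example.com"),
        SrvRecord(priority=10, weight=50, port=636, target="ldap-dr.example.com"),
    ]
}
SAMPLE_CERT = {
    "subject": ((("commonName", "directory.example.com"),),),
    "subjectAltName": (("DNS", "ldap1.example.com"), ("DNS", "ldap2.example.com")),
}


class MaxDraw:
    """Deterministic stand-in for random: the heaviest target always wins."""
    def randint(self, a, b):
        return b


class MinDraw:
    """Deterministic stand-in for random: always draws 0."""
    def randint(self, a, b):
        return a


def pick_and_verify(domain, prefix="_ldaps._tcp", cert=SAMPLE_CERT, rng=MaxDraw(), cache=None):
    """Resolve SRV for the domain, take the first target in selection order, and
    verify the certificate against that target name, not the domain you queried."""
    cache = cache or SrvCache(lambda n: SAMPLE_SRV.get(n, []), ttl_ms=60000)
    candidates = order_srv_targets(cache.lookup(srv_query_name(prefix, domain)), rng)
    if not candidates:
        return None
    host, port = candidates[0].target, candidates[0].port
    return host, port, ldaps_hostname_ok(cert, host)


if __name__ == "__main__":
    print(pick_and_verify("example.com"))
```

The point to take from `pick_and_verify` is the one that bites in SRV deployments: the certificate is checked against the host name the SRV record resolved to, so every target a record can return must carry its own name in a SAN (or the CN), or the Verify LDAPS Hostname check fails intermittently depending on which server was chosen.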