PingFederate Server

Setting advanced LDAP options

PingFederate lets you customize the default settings of both the search pool and the bind pool for each LDAP datastore.

About this task

PingFederate maintains a search pool and a bind pool for each LDAP datastore for optimal performance. The search pool is for LDAP directory searches. The bind pool is for LDAP bind authentication purposes. Use the Advanced LDAP Options page to change default pool settings. These settings are applicable to both the search pool and the bind pool.

When configuring PingFederate to locate the directory server based on DNS SRV record, you can fine-tune the TTL value and the SRV record prefixes.

On the LDAP Binary Attributes tab, you can also specify attributes whose values PingFederate must handle as binary data for use in attribute contract fulfillment. Binary attributes are typically used for certificates and images.

You cannot use binary data in an assertion. You must apply and handle encoding on a per-connection basis. When binary attributes are selected for attribute mapping, the administrative console prompts you to select an encoding type for each binary attribute.
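The DNS SRV discovery described above (a record prefix such as `_ldaps._tcp` prepended to the domain, and a TTL after which the record is fetched again) can be modelled in a few lines. The following is an added example written for this page, not PingFederate code: the resolver, the sample zone data and the `SrvCache` class are constructed here, the default values are the ones listed in the Advanced LDAP Options table on this page, and the ranking of equal-priority records is a deterministic simplification of the weighted random choice that RFC 2782 specifies.

```python
"""Model of SRV-based directory discovery with a TTL cache (added example, not PingFederate code)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Defaults as listed in the Advanced LDAP Options table.
LDAP_SRV_PREFIX = "_ldap._tcp"
LDAPS_SRV_PREFIX = "_ldaps._tcp"
DEFAULT_DNS_TTL_MS = 60000


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def srv_query_name(prefix: str, domain: str) -> str:
    """Build the owner name queried for SRV records, e.g. _ldaps._tcp.example.com."""
    return f"{prefix.rstrip('.')}.{domain.strip('.')}"


def order_targets(records: List[SrvRecord]) -> List[SrvRecord]:
    """Rank candidates: lowest priority first, then highest weight.

    RFC 2782 picks randomly among equal-priority records in proportion to their
    weight; this deterministic ordering is a simplification so results are reproducible.
    """
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


Resolver = Callable[[str], List[SrvRecord]]


class SrvCache:
    """Caches SRV answers for ttl_ms milliseconds, then asks DNS again (the DNS TTL setting)."""

    def __init__(self, resolver: Resolver, ttl_ms: int = DEFAULT_DNS_TTL_MS,
                 clock_ms: Callable[[], int] = lambda: int(time.monotonic() * 1000)) -> None:
        self._resolver = resolver
        self._ttl_ms = ttl_ms
        self._clock_ms = clock_ms          # injectable so the TTL can be tested without sleeping
        self._entries: Dict[str, Tuple[int, List[SrvRecord]]] = {}

    def lookup(self, prefix: str, domain: str) -> List[SrvRecord]:
        name = srv_query_name(prefix, domain)
        now = self._clock_ms()
        cached = self._entries.get(name)
        if cached is not None and now - cached[0] < self._ttl_ms:
            return cached[1]                # still within the TTL: no DNS traffic
        records = order_targets(self._resolver(name))
        self._entries[name] = (now, records)
        return records

    def pick(self, prefix: str, domain: str) -> Optional[SrvRecord]:
        """Return the best-ranked directory server, or None if the zone has no SRV record."""
        records = self.lookup(prefix, domain)
        return records[0] if records else None


# Constructed sample zone data (not real DNS): three LDAPS servers for example.com.
SAMPLE_ZONE = {
    "_ldaps._tcp.example.com": [
        SrvRecord(priority=10, weight=20, port=636, target="dc2.example.com"),
        SrvRecord(priority=0, weight=100, port=636, target="dc1.example.com"),
        SrvRecord(priority=0, weight=50, port=636, target="dc3.example.com"),
    ],
}


class CountingResolver:
    """Stand-in for a DNS client that counts how many queries it actually answered."""

    def __init__(self, zone: Dict[str, List[SrvRecord]]) -> None:
        self.zone = zone
        self.queries = 0

    def __call__(self, name: str) -> List[SrvRecord]:
        self.queries += 1
        return list(self.zone.get(name, []))


def demo(ttl_ms: int = DEFAULT_DNS_TTL_MS) -> Tuple[str, int, int]:
    """Two lookups inside the TTL reach DNS once; a third after expiry reaches it again.

    Returns (chosen target, queries after two lookups, queries after the third).
    """
    clock = {"now": 0}
    resolver = CountingResolver(SAMPLE_ZONE)
    cache = SrvCache(resolver, ttl_ms=ttl_ms, clock_ms=lambda: clock["now"])
    first = cache.pick(LDAPS_SRV_PREFIX, "example.com")
    clock["now"] = ttl_ms - 1
    cache.pick(LDAPS_SRV_PREFIX, "example.com")
    after_two = resolver.queries
    clock["now"] = ttl_ms
    cache.pick(LDAPS_SRV_PREFIX, "example.com")
    return first.target, after_two, resolver.queries


if __name__ == "__main__":
    print(demo())   # ('dc1.example.com', 1, 2)
```

Lowering the DNS TTL makes PingFederate notice a changed SRV record sooner at the cost of more DNS queries; the clock injection in the model is what lets that trade-off be exercised without waiting a real minute.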

Steps

  1. On the Data Store page’s LDAP Configuration tab, click Advanced.

    Result:

    The Advanced LDAP Options window opens.

    PingFederate’s Advanced LDAP Options window
  2. Optional: To view or restore default values, click Apply Defaults on the Advanced LDAP Options tab.

    The default values are conservative and are based on the server thread pool settings configured in the <pf_install>/pingfederate/etc/run.properties file. If you change the thread pool settings, update these values as outlined in the following step.

  3. Configure the advanced settings. For more information about each field, see the following table.

    Field Description

    Retry Failed Operations

    PingFederate initiates a single retry if a request fails and it appears the connection might have become invalid. The connection is discarded, and PingFederate establishes a new one for the retry. The standard failover logic applies when creating the new connection if failover is enabled.

    In PingFederate, only operations that do not modify entries (BIND, SEARCH, and COMPARE) are eligible for retry.

    This checkbox is not selected by default.

    Test Connection on Borrow

    Indicates whether to validate objects before they are borrowed from the pool.

    This checkbox is not selected by default.

    Test Connection on Return

    Indicates whether to validate objects before they return to the pool.

    This checkbox is not selected by default.

    Create New Connection If Necessary

    Indicates whether you can create temporary connections when the Maximum Connections threshold is reached. Temporary connections are managed automatically.

    If disabled, when the Maximum Connections value is reached, subsequent requests relying on this LDAP datastore instance might fail.

    This checkbox is selected by default.

    Verify LDAPS Hostname

    Indicates whether to verify that the host name of the directory server matches the subject (CN) or one of the subject alternative names (SANs) from the certificate.

    Verify the LDAPS host name for all LDAPS connections.

    This checkbox is selected by default.

    Minimum Connections

    (Required)

    The smallest number of connections that can remain in each pool. A minimum value of 1 creates two connections, one connection in the search pool and one connection in the bind pool. The default value is 10.

    For optimal performance, the value for this setting should equal 50% of the maxThreads value in the Jetty server configuration. Learn more in Configuring connection pools to datastores.

    PingFederate does not establish the connection pool for the given datastore until it receives a request that requires one or more attributes from that datastore.

    Maximum Connections

    (Required)

    The largest number of active connections that can remain in each pool (not including the temporary connections that are managed automatically when the Create New Connection If Necessary checkbox is selected). The value must exceed or equal the Minimum Connections value.

    For optimal performance, the value for this setting should equal 75% to 100% of the maxThreads value in the Jetty server configuration. Learn more in Configuring connection pools to datastores.

    The default value is 100.

    Maximum Wait (Milli)

    (Required)

    The maximum number of milliseconds the pool waits for an available connection when trying to obtain a connection from the pool. A value of -1 causes the pool not to wait at all and to either create a new connection or produce an error (when no connections are available).

    The default value is -1.

    Time Between Eviction (Milli)

    (Required)

    The number of milliseconds between periodic background health checks against the available connections in this pool. A value of -1 disables the evictor.

    The default value is 60000.

    Read Timeout (Milli)

    (Required)

    The maximum number of milliseconds a connection waits for a response to return before producing an error. A value of -1 causes the connection to wait indefinitely.

    The default value is 3000.

    Connection Timeout (Milli)

    (Required)

    The maximum number of milliseconds that a connection attempt can continue before returning an error. A value of -1 causes the pool to wait indefinitely.

    The default value is 3000.

    DNS TTL (Milli)

    (Required)

    The amount of time in milliseconds that a previously obtained DNS SRV record remains valid. When this threshold is reached, PingFederate contacts the DNS for a new SRV record to locate the directory server.

    The default value is 60000.

    LDAP DNS SRV Record prefix

    (Required)

    The prefix that PingFederate uses in its DNS queries for SRV records to locate an LDAP-capable directory server.

    The default value is _ldap._tcp.

    LDAPS DNS SRV Record prefix

    (Required)

    The prefix that PingFederate uses in its DNS queries for SRV records to locate an LDAPS-capable directory server.

    The default value is _ldaps._tcp.

  4. Optional: To specify LDAP binary attributes:

    1. Click Next on the Advanced LDAP Options tab.

    2. On the LDAP Binary Attributes tab, add, edit, or remove binary attributes.

  5. Click Save.
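The pool fields in the table above (Minimum Connections, Maximum Connections, Maximum Wait, Create New Connection If Necessary, Test Connection on Borrow and on Return, and the evictor) interact in ways that are easier to see in a small model. The following is an added example written for this page, not PingFederate code: the `LdapPool` class, the `Connection` stand-in for a socket, and the demo functions are constructed here; the defaults in `PoolSettings` are the ones the table lists. Maximum Wait is modelled only for its default of -1 (fail immediately), since the single-threaded model has nothing that could return a connection while a caller waits.

```python
"""Model of PingFederate-style LDAP pool settings (added example, not PingFederate code)."""
import itertools
from dataclasses import dataclass
from typing import List, Optional, Tuple


class PoolExhausted(Exception):
    """Raised when no connection can be obtained under the pool's limits."""


@dataclass
class Connection:
    conn_id: int
    healthy: bool = True       # set False to simulate a socket the directory has dropped
    temporary: bool = False    # created beyond Maximum Connections; closed when returned
    closed: bool = False


@dataclass
class PoolSettings:
    # Defaults as listed in the Advanced LDAP Options table.
    minimum_connections: int = 10
    maximum_connections: int = 100
    max_wait_ms: int = -1
    create_new_connection_if_necessary: bool = True
    test_connection_on_borrow: bool = False
    test_connection_on_return: bool = False


class LdapPool:
    """One pool; PingFederate keeps a search pool and a bind pool per datastore with these settings."""

    def __init__(self, settings: PoolSettings) -> None:
        if settings.maximum_connections < settings.minimum_connections:
            raise ValueError("Maximum Connections must be >= Minimum Connections")
        self.settings = settings
        self._ids = itertools.count(1)
        self.idle: List[Connection] = [self._open() for _ in range(settings.minimum_connections)]
        self.active: List[Connection] = []

    def _open(self, temporary: bool = False) -> Connection:
        return Connection(next(self._ids), temporary=temporary)

    @staticmethod
    def _validate(conn: Connection) -> bool:
        return conn.healthy and not conn.closed

    def borrow(self) -> Connection:
        while self.idle:
            conn = self.idle.pop(0)
            if self.settings.test_connection_on_borrow and not self._validate(conn):
                conn.closed = True      # Test Connection on Borrow: discard the stale socket
                continue
            self.active.append(conn)
            return conn
        if len(self.active) < self.settings.maximum_connections:
            conn = self._open()
            self.active.append(conn)
            return conn
        if self.settings.create_new_connection_if_necessary:
            conn = self._open(temporary=True)   # managed automatically, not counted against the max
            self.active.append(conn)
            return conn
        # Maximum Connections reached and no temporary connections allowed: with the default
        # Maximum Wait of -1 the request fails immediately instead of waiting.
        raise PoolExhausted(f"maximum connections ({self.settings.maximum_connections}) reached")

    def give_back(self, conn: Connection) -> None:
        self.active.remove(conn)
        if conn.temporary or (self.settings.test_connection_on_return and not self._validate(conn)):
            conn.closed = True          # temporaries are closed; failed return checks are discarded
            return
        self.idle.append(conn)

    def evict(self) -> int:
        """Background health check (Time Between Eviction): drop bad idle sockets, refill to the minimum."""
        before = len(self.idle)
        self.idle = [c for c in self.idle if self._validate(c)]
        dropped = before - len(self.idle)
        while len(self.idle) < self.settings.minimum_connections:
            self.idle.append(self._open())
        return dropped


def exhaustion_demo(create_new: bool) -> Optional[bool]:
    """Borrow one past Maximum Connections. Returns True if a temporary connection was handed out
    and closed on return, or None if the pool raised PoolExhausted."""
    pool = LdapPool(PoolSettings(minimum_connections=2, maximum_connections=3,
                                 create_new_connection_if_necessary=create_new))
    held = [pool.borrow() for _ in range(3)]
    try:
        extra = pool.borrow()
    except PoolExhausted:
        return None
    pool.give_back(extra)
    return extra.temporary and extra.closed and len(held) == 3


def borrow_validation_demo(test_on_borrow: bool) -> Tuple[bool, int]:
    """Return (healthy, id) of the first borrowed connection when idle socket 1 has gone bad."""
    pool = LdapPool(PoolSettings(minimum_connections=2, maximum_connections=4,
                                 test_connection_on_borrow=test_on_borrow))
    pool.idle[0].healthy = False
    conn = pool.borrow()
    return conn.healthy, conn.conn_id


if __name__ == "__main__":
    print(exhaustion_demo(False), exhaustion_demo(True))        # None True
    print(borrow_validation_demo(False), borrow_validation_demo(True))   # (False, 1) (True, 2)
```

The two demos show the operational trade-offs behind the checkboxes: without Create New Connection If Necessary, load beyond Maximum Connections surfaces as failed requests rather than extra sockets, and without Test Connection on Borrow a connection the directory has already dropped is handed to the caller and only fails at request time (which is what Retry Failed Operations then papers over).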
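The Verify LDAPS Hostname field in the table above is the one setting on this page with a direct trust consequence: with it cleared, any server presenting a certificate that chains to a trusted CA is accepted regardless of whose name is in it. The check itself is small; the following is an added example written for this page, not PingFederate code, that implements the rule the table describes (host name matches the subject CN or one of the SAN dNSName entries) over a certificate dictionary in the shape Python's `ssl.getpeercert()` returns. The sample certificate is constructed; the wildcard handling (only a whole leftmost `*` label, matching exactly one label) is an assumption about reasonable behaviour, and the CN fallback follows this page rather than RFC 6125, which ignores the CN once SAN dNSNames are present.

```python
"""Model of the Verify LDAPS Hostname check (added example, not PingFederate code)."""
from typing import Any, Dict, List, Tuple


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a host name, case-insensitively.

    A '*' is honoured only as the entire leftmost label and matches exactly one label,
    so '*.corp.example.com' matches 'dc1.corp.example.com' but not 'a.dc1.corp.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    parts = hostname.split(".", 1)
    return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]


def certificate_names(cert: Dict[str, Any]) -> Tuple[List[str], List[str]]:
    """Extract (subject commonName values, SAN dNSName values) from a getpeercert()-style dict."""
    cns = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return cns, sans


def verify_ldaps_hostname(cert: Dict[str, Any], hostname: str) -> bool:
    """True if hostname matches the subject CN or any SAN dNSName, as the page's field describes."""
    cns, sans = certificate_names(cert)
    return any(_name_matches(name, hostname) for name in sans + cns)


def connection_decision(cert: Dict[str, Any], hostname: str, verify_hostname: bool) -> str:
    """What the checkbox changes: with verification off, the name check is skipped entirely."""
    if verify_hostname and not verify_ldaps_hostname(cert, hostname):
        return "reject: certificate name mismatch"
    return "connect"


# Constructed sample certificate (not a real one): one CN plus two SAN dNSNames.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "legacy-ldap.example.com"),)),
    "subjectAltName": (("DNS", "ldap.example.com"),
                       ("DNS", "*.corp.example.com"),
                       ("IP Address", "192.0.2.10")),
}


if __name__ == "__main__":
    for host in ("ldap.example.com", "dc1.corp.example.com", "other.example.com"):
        print(host, connection_decision(SAMPLE_CERT, host, verify_hostname=True),
              connection_decision(SAMPLE_CERT, host, verify_hostname=False))
```

Run against the sample certificate, `other.example.com` is rejected only when verification is on; that difference is the whole reason to keep the checkbox selected for every LDAPS datastore.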