PingFederate maintains a search pool and a bind pool for each LDAP datastore for optimal performance. The search pool is meant for LDAP directory searches. The bind pool is meant for LDAP bind authentication purposes. Use the Advanced LDAP Options screen to change default pool settings. These settings are applicable to both the search pool and the bind pool.

When configuring PingFederate to locate the directory server based on DNS SRV record, you can fine-tune the TTL value and the SRV record prefixes.
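How the SRV record prefix and the DNS TTL setting described on this page fit together, as an added example in Python (not PingFederate code): the locator builds the query name from the prefix and the domain, caches the answer for the configured number of milliseconds, re-queries once the TTL is reached, and orders the returned targets by priority and weight as RFC 2782 prescribes. The resolver and clock are injected so the example runs offline; the records in SAMPLE_ANSWER and the host names in them are constructed for illustration.

```python
"""Locating a directory server from DNS SRV records with a TTL-bounded cache.

Added example, not PingFederate code. Models the behaviour this page
describes: query "<prefix><domain>" for SRV records, keep the answer for
"DNS TTL (Milli)" milliseconds, and query again when that time is reached.
"""
from __future__ import annotations

import random
from dataclasses import dataclass
from typing import Callable

LDAP_PREFIX = "_ldap._tcp."    # page default for LDAP
LDAPS_PREFIX = "_ldaps._tcp."  # page default for LDAPS


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed answer (not real hosts): two replicas sharing priority 10,
# a disaster-recovery replica that is only used when those are unavailable.
SAMPLE_ANSWER = {
    "_ldaps._tcp.corp.example": [
        SrvRecord(10, 30, 636, "dc1.corp.example"),
        SrvRecord(10, 70, 636, "dc2.corp.example"),
        SrvRecord(20, 100, 636, "dc-dr.corp.example"),
    ],
}


def order_targets(records, rng: random.Random) -> list[SrvRecord]:
    """Order SRV records per RFC 2782: lowest priority first; within one
    priority, a weighted random draw, so weight 70 is tried first about
    70% of the time and weight 30 about 30% of the time."""
    ordered = []
    for priority in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == priority]
        while group:
            total = sum(r.weight for r in group)
            pick = rng.uniform(0, total) if total else 0
            running = 0
            chosen = group[-1]
            for r in group:
                running += r.weight
                if running >= pick:
                    chosen = r
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


class SrvLocator:
    def __init__(self, domain: str, *, ttl_ms: int = 60000, ldaps: bool = True,
                 resolve: Callable[[str], list[SrvRecord]],
                 clock: Callable[[], int], rng: random.Random | None = None):
        self.name = (LDAPS_PREFIX if ldaps else LDAP_PREFIX) + domain
        self.ttl_ms = ttl_ms
        self._resolve = resolve
        self._clock = clock          # returns milliseconds
        self._rng = rng or random.Random()
        self._cached: list[SrvRecord] | None = None
        self._expires_at = 0
        self.lookups = 0             # how many times DNS was actually asked

    def targets(self) -> list[tuple[str, int]]:
        """Return (host, port) pairs in the order they should be tried,
        asking DNS only when no answer is cached or the TTL has elapsed."""
        now = self._clock()
        if self._cached is None or now >= self._expires_at:
            answer = self._resolve(self.name)
            if not answer:
                raise LookupError(f"no SRV records for {self.name}")
            self.lookups += 1
            self._cached = order_targets(answer, self._rng)
            self._expires_at = now + self.ttl_ms
        return [(r.target, r.port) for r in self._cached]


class FakeClock:
    """Millisecond clock the example advances by hand instead of sleeping."""
    def __init__(self) -> None:
        self.now_ms = 0

    def __call__(self) -> int:
        return self.now_ms


def demo(ttl_ms: int = 60000) -> tuple[list[tuple[str, int]], int]:
    """Three lookups: at t=0, just before the TTL, and exactly at the TTL.
    Returns the first ordering and the number of DNS queries made (2)."""
    clock = FakeClock()
    locator = SrvLocator("corp.example", ttl_ms=ttl_ms,
                         resolve=lambda name: SAMPLE_ANSWER.get(name, []),
                         clock=clock, rng=random.Random(1))
    first = locator.targets()
    clock.now_ms += ttl_ms - 1
    locator.targets()        # still within the TTL: served from cache
    clock.now_ms += 1
    locator.targets()        # TTL reached: DNS is queried again
    return first, locator.lookups
```

The priority-20 host always comes last, whichever of the two priority-10 replicas the weighted draw puts first. A lookup that returns no records raises rather than silently falling back, which is the behaviour you want when a misconfigured prefix (for example _ldap._tcp. against a domain that only publishes _ldaps._tcp.) would otherwise go unnoticed.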

  1. On the Advanced LDAP Options screen, click Apply Defaults to view or restore default values.
    Tip:

    The default values are conservative relative to the server thread pool settings configured in the <pf_install>/pingfederate/etc/jetty-runtime.xml file. If you change the thread pool settings, we recommend updating these values as outlined in the next step.

  2. Configure advanced settings.
    For more information about each field, refer to the following table.
    Field Description

    Test Connection on Borrow

    Indicates whether a connection is validated before it is borrowed from the pool. Validation costs an extra directory operation per borrow, but it prevents a request from being handed a connection that the directory server or an intermediate firewall has already closed.

    This check box is not selected by default.

    Test Connection on Return

    Indicates whether a connection is validated before it is returned to the pool.

    This check box is not selected by default.

    Create New Connection If Necessary

    Indicates whether temporary connections can be created when the Maximum Connections threshold is reached. Temporary connections are managed automatically.
    Note:

    If this option is disabled, requests that rely on this LDAP datastore instance may fail once the Maximum Connections value is reached.

    This check box is selected by default.

    Verify LDAPS Hostname

    Indicates whether PingFederate verifies that the hostname of the directory server matches the subject common name (CN) or one of the subject alternative names (SANs) in the certificate the server presents.
    Important:

    We recommend verifying the LDAPS hostname for all LDAPS connections. Without this check, any certificate issued by a trusted CA is accepted regardless of which host it was issued for, so an attacker on the network path could present a valid certificate for a different name and impersonate the directory server.

    This check box is selected by default.

    Minimum Connections

    (Required)

    The smallest number of connections that can remain in each pool. A minimum value of 1 creates two connections: one connection in the search pool and one connection in the bind pool.
    Note:

    For optimal performance, the value for this setting should be equal to 50% of the maxThreads value in the Jetty server configuration (see Configuring connection pools to datastores).

    Note that PingFederate does not establish the connection pool for the given datastore until it receives a request that requires one or more attributes from that datastore.

    The default value is 10.

    Maximum Connections

    (Required)

    The largest number of active connections that can remain in each pool (not including the temporary connections that are managed automatically when the Create New Connection If Necessary check box is selected). The value must be greater than or equal to the Minimum Connections value.
    Note:

    For optimal performance, the value for this setting should be equal to 75% to 100% of the maxThreads value in the Jetty server configuration (see Configuring connection pools to datastores).

    The default value is 100.

    Maximum Wait (Milli)

    (Required)

    The maximum number of milliseconds the pool waits for a connection to become available when trying to obtain a connection from the pool. A value of -1 causes the pool not to wait at all: it either creates a temporary connection (when Create New Connection If Necessary is selected) or produces an error when no connection is available.

    The default value is -1.

    Time Between Eviction (Milli)

    (Required)

    The number of milliseconds between periodic background health checks against the available connections in this pool. A value of -1 disables the evictor.

    The default value is 60000.

    Read Timeout (Milli)

    (Required)

    The maximum number of milliseconds a connection waits for a response to be returned before producing an error. A value of -1 causes the connection to wait indefinitely; a directory server that stops responding can then hold pooled connections, and the request threads using them, for an unbounded time, so keep a finite value in production.

    The default value is 3000.

    Connection Timeout (Milli)

    (Required)

    The maximum number of milliseconds that a connection attempt is allowed to continue before returning an error. A value of -1 causes the connection attempt to wait indefinitely.

    The default value is 3000.

    DNS TTL (Milli)

    (Required)

    The amount of time in milliseconds that a previously obtained DNS SRV record remains valid. When this threshold is reached, PingFederate contacts the DNS for a new SRV record to locate the directory server.

    The default value is 60000.

    LDAP DNS SRV Record prefix

    (Required)

    The prefix that PingFederate uses in its DNS queries for SRV records to locate an LDAP-capable directory server.

    The default value is _ldap._tcp.

    LDAPS DNS SRV Record prefix

    (Required)

    The prefix that PingFederate uses in its DNS queries for SRV records to locate an LDAPS-capable directory server.

    The default value is _ldaps._tcp.

  3. Optional: Click Next to specify LDAP binary attributes in the LDAP Binary Attributes screen.
  4. Click Save to keep your configuration.
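The check that the Verify LDAPS Hostname option performs, as an added example in Python that is not PingFederate code: the server hostname must match a dNSName subject alternative name (SAN) or, only when the certificate carries no dNSName SANs, the subject common name (CN), and an IP address must match an IP SAN. It assumes certificates are represented as the dictionary Python's ssl.SSLSocket.getpeercert() returns; every certificate below is constructed for illustration, including OTHER_HOST_CERT, which stands for the valid-but-wrong certificate an on-path attacker would present when the check is disabled.

```python
"""Hostname verification for an LDAPS server certificate.

Added example, not PingFederate code. Implements the matching rule behind
the "Verify LDAPS Hostname" option (RFC 6125 style): dNSName SANs first,
CN only as a fallback when no dNSName SAN exists, IP literals against IP
SANs, and a wildcard only as the entire leftmost label.
"""
from __future__ import annotations

import ipaddress


def _labels_match(pattern: str, hostname: str) -> bool:
    """Match one certificate name against the hostname, case-insensitively.
    "*.example.com" matches exactly one label and never the bare domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False  # only a bare leftmost wildcard label is accepted
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False  # one label only; "*.com"-style wildcards rejected
    return p_labels[1:] == h_labels[1:]


def _cert_names(cert: dict) -> tuple[list[str], list[str], list[str]]:
    """Split a getpeercert() dict into (dNSName SANs, IP SANs, CNs)."""
    dns_names, ip_names = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns_names.append(value)
        elif kind == "IP Address":
            ip_names.append(value)
    cns = [value for rdn in cert.get("subject", ())
           for key, value in rdn if key == "commonName"]
    return dns_names, ip_names, cns


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for this hostname or IP literal."""
    dns_names, ip_names, cns = _cert_names(cert)
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals must match an IP SAN exactly; the CN is not consulted.
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:
        # When dNSName SANs are present the CN is ignored entirely.
        return any(_labels_match(name, hostname) for name in dns_names)
    return any(_labels_match(cn, hostname) for cn in cns)


# Constructed certificates in getpeercert() form (not real certificates).
SAN_CERT = {
    "subject": ((("commonName", "unrelated-cn.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"),
                       ("DNS", "ldap2.example.com"),
                       ("IP Address", "10.0.0.5")),
}
CN_ONLY_CERT = {  # legacy certificate with no SAN extension
    "subject": ((("organizationName", "Example"),),
                (("commonName", "ldap.corp.example"),)),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
OTHER_HOST_CERT = {  # CA-issued and valid, but for a different host
    "subject": ((("commonName", "attacker.example.net"),),),
    "subjectAltName": (("DNS", "attacker.example.net"),),
}


def verify_ldaps_peer(cert: dict, hostname: str, verify_hostname: bool = True) -> bool:
    """Mirror the option: with verification off, any (otherwise valid)
    certificate is accepted; with it on, the name must match."""
    return True if not verify_hostname else hostname_matches(cert, hostname)
```

The last function makes the Important note above concrete: verify_ldaps_peer(OTHER_HOST_CERT, "ldap.example.com", verify_hostname=False) returns True, so chain validation alone does not stop an attacker who holds any trusted certificate; with verification on, the same call returns False.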