Setting advanced LDAP options - PingFederate - 10.3

PingFederate Server


PingFederate enables you to customize the default settings of both the search pool and the bind pool for each LDAP datastore.

PingFederate maintains a search pool and a bind pool for each LDAP datastore for optimal performance. The search pool is for LDAP directory searches. The bind pool is for LDAP bind authentication purposes. Use the Advanced LDAP Options window to change default pool settings. These settings are applicable to both the search pool and the bind pool.

When configuring PingFederate to locate the directory server based on DNS SRV record, you can fine-tune the TTL value and the SRV record prefixes.

  1. In the Advanced LDAP Options window, click Apply Defaults to view or restore default values.
    Tip:

    The default values are conservative based on the server thread pool settings configured in the <pf_install>/pingfederate/etc/jetty-runtime.xml file. If any changes are made to thread pooling, update the settings as outlined in the following step.

  2. Configure advanced settings. For more information about each field, see the following table.
    Field / Description

    Test Connection on Borrow

    Indicates whether to validate objects before they are borrowed from the pool.

    This check box is not selected by default.

    Test Connection on Return

    Indicates whether to validate objects before they return to the pool.

    This check box is not selected by default.

    Create New Connection If Necessary

    Indicates whether the pool can create temporary connections when the Maximum Connections threshold is reached. Temporary connections are managed automatically.
    Note:

    If disabled, when the Maximum Connections value is reached, subsequent requests relying on this LDAP datastore instance might fail.

    This check box is selected by default.

    Verify LDAPS Hostname

    Indicates whether to verify that the host name of the directory server matches the subject (CN) or one of the subject alternative names (SANs) from the certificate.
    Important:

    Verify the LDAPS host name for all LDAPS connections.

    This check box is selected by default.

    Minimum Connections

    (Required)

    The smallest number of connections that can remain in each pool. A minimum value of 1 creates two connections, one connection in the search pool and one connection in the bind pool. The default value is 10.
    Note:

    For optimal performance, the value for this setting should equal 50% of the maxThreads value in the Jetty server configuration. For more information, see Configuring connection pools to datastores.

    Note:

    PingFederate does not establish the connection pool for the given datastore until it receives a request that requires one or more attributes from that datastore.

    Maximum Connections

    (Required)

    The largest number of active connections that can remain in each pool (not including the temporary connections that are managed automatically when the Create New Connection If Necessary check box is selected). The value must exceed or equal the Minimum Connections value.
    Note:

    For optimal performance, the value for this setting should equal 75% to 100% of the maxThreads value in the Jetty server configuration. For more information, see Configuring connection pools to datastores.

    The default value is 100.

    Maximum Wait (Milli)

    (Required)

    The maximum number of milliseconds the pool waits for an available connection when trying to obtain a connection from the pool. A value of -1 causes the pool not to wait at all and to either create a new connection or produce an error (when no connections are available).

    The default value is -1.

    Time Between Eviction (Milli)

    (Required)

    The number of milliseconds between periodic background health checks against the available connections in this pool. A value of -1 disables the evictor.

    The default value is 60000.

    Read Timeout (Milli)

    (Required)

    The maximum number of milliseconds a connection waits for a response to return before producing an error. A value of -1 causes the connection to wait indefinitely.

    The default value is 3000.

    Connection Timeout (Milli)

    (Required)

    The maximum number of milliseconds that a connection attempt can continue before returning an error. A value of -1 causes the pool to wait indefinitely.

    The default value is 3000.

    DNS TTL (Milli)

    (Required)

    The amount of time in milliseconds that a previously obtained DNS SRV record remains valid. When this threshold is reached, PingFederate queries DNS for a new SRV record to locate the directory server.

    The default value is 60000.

    LDAP DNS SRV Record prefix

    (Required)

    The prefix that PingFederate uses in its DNS queries for SRV records to locate an LDAP-capable directory server.

    The default value is _ldap._tcp.

    LDAPS DNS SRV Record prefix

    (Required)

    The prefix that PingFederate uses in its DNS queries for SRV records to locate an LDAPS-capable directory server.

    The default value is _ldaps._tcp.

  3. Optional: Click Next to specify LDAP binary attributes on the LDAP Binary Attributes tab.
  4. Click Save.
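The following is an added illustration, not PingFederate code: a small Python model of the borrow-and-return rules the table above describes for a search or bind pool, so the interaction of Minimum Connections, Maximum Connections, Maximum Wait, Create New Connection If Necessary and Test Connection on Borrow can be exercised. The `Conn.healthy` flag and the `LdapPool`/`PoolExhausted` names are constructed for the example; a real pool would run an LDAP health probe instead.

```python
"""Model of the pool settings documented above (added example, not PingFederate
code). Conn.healthy is a constructed stand-in for an LDAP health probe."""
import threading
from collections import deque, namedtuple

class PoolExhausted(Exception):
    """Maximum Connections reached and no temporary connection allowed."""

Conn = namedtuple("Conn", "cid temporary healthy", defaults=(False, True))

class LdapPool:
    def __init__(self, min_conns=10, max_conns=100, max_wait_ms=-1,
                 create_if_necessary=True, test_on_borrow=False):
        if max_conns < min_conns:
            raise ValueError("Maximum Connections must be >= Minimum Connections")
        self.max_conns, self.max_wait_ms = max_conns, max_wait_ms
        self.create_if_necessary, self.test_on_borrow = create_if_necessary, test_on_borrow
        self.cond, self.active, self.created = threading.Condition(), 0, 0
        self.idle = deque(self._new() for _ in range(min_conns))  # Minimum Connections

    def _new(self, temporary=False):
        self.created += 1
        return Conn(self.created, temporary)

    def borrow(self):
        with self.cond:
            while True:
                while self.idle:
                    c = self.idle.popleft()
                    if self.test_on_borrow and not c.healthy:
                        continue  # Test Connection on Borrow failed: drop it
                    self.active += 1
                    return c
                if self.active < self.max_conns:
                    self.active += 1
                    return self._new()
                if self.create_if_necessary:  # temporary, not counted against the maximum
                    return self._new(temporary=True)
                if self.max_wait_ms < 0:  # Maximum Wait of -1: do not wait at all
                    raise PoolExhausted("Maximum Connections reached")
                if not self.cond.wait(self.max_wait_ms / 1000):
                    raise PoolExhausted("no connection within Maximum Wait")

    def give_back(self, c):
        with self.cond:
            if c.temporary:
                return  # temporary connections are closed, never pooled
            self.active -= 1
            self.idle.append(c)
            self.cond.notify()
```

With Create New Connection If Necessary disabled and Maximum Wait at -1, the fourth borrow from a pool of three raises `PoolExhausted`, which is the failure the Note under that field warns about.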