Server connection properties (AAC)

To access a data source outside of the appliance, define the properties of the server. The Server Connection properties table describes the properties on the LDAP Server Connections panel for the Advanced Access Control and Federation module activation levels.

| Property | Applies to | Description |
|---|---|---|
| Name | All | Name for the server connection. Ensure the name is unique. Select this name when defining the policy information point. The server connection name must begin with an alphabetic character. Do not use control characters, leading or trailing blanks, or any of the following special characters anywhere in the name: ~ ! @ # $ % ^ & * ( ) + \| ` = \ ; " ' < > ? , [ ] { } / |
| Description | All | Describes the server connection. Optional. |
| Type | All | Shows the server connection type. (Read only) |
| JNDI ID | Oracle, DB2, PostgreSQL | JNDI ID the server uses. Ensure the ID is unique. Use only alphanumeric characters: a-z, A-Z, 0-9. |
| Server name | Oracle, DB2, PostgreSQL, SMTP | Name or IP address of the server. |
| Port | Oracle, DB2, PostgreSQL, LDAP, SMTP | Port number on which the connection to the server is made. |
| URL | Web Service | URL at which the connection to the server is made. |
| User name | Oracle, DB2, PostgreSQL, SMTP, Web Service | User name that has the correct permissions to access the resources. |
| Password | Oracle, DB2, PostgreSQL, SMTP, Web Service | Password to access the server. |
| SSL | All | Whether SSL is used for connecting to the server. Select True or False. Default is True. |
| Driver type | Oracle | Driver type. Select Thin or OCI. Default is Thin. |
| Service name | Oracle | Name of the service. |
| Database name | DB2, PostgreSQL | Name of the database. |
| Host name | LDAP | Host name or IP address of the LDAP server. |
| Bind DN | LDAP | LDAP distinguished name (DN) used when binding, or signing on, to the LDAP server. If this value is set to "anonymous", the appliance uses an anonymous bind to the LDAP directory server. Typically the bind-dn has significant privileges so that it can be used to modify LDAP registry entries, such as creating users and resetting passwords via pdadmin or the Registry Direct Java API. An anonymous LDAP connection typically has very limited access: at most search and view of entries, and possibly no access at all. If anonymous access has sufficient privileges, it might be usable for the WebSEAL level of access on users and groups. This access includes the permission for a user to change password if "bind-auth-and-pwdchg = yes" is set ("ldap.bind-auth-and-pwdchg = true" for the Registry Direct Java API). |
| Bind Password | LDAP | Password for the LDAP bind DN. If the bind DN (bind-dn) is set to anonymous, you can use any non-empty string as the value of the bind password (bind-pwd). |
| Administration hostname | Cloud Identity | Administration hostname of the Cloud Identity subscription. |
| Client ID | Cloud Identity | Client ID of an API Client on Cloud Identity. |
| Client Secret | Cloud Identity | Client secret of an API Client on Cloud Identity. |
| SSL Truststore | LDAP, Web Service, Cloud Identity | Truststore that verifies the server's credentials. |
| SSL Mutual Authentication Key | LDAP, Web Service, Cloud Identity | Label of the client certificate to be presented when connecting to the server. The certificate is selected from the SSL Truststore. This field is required only if mutual SSL authentication is required by the server. |

For information on SSL configuration, see Configure SSL connections.

The properties in the following table are connection manager properties. The defaults that are listed are the current known defaults. All tuning properties are optional.

| Property | Applies to | Description |
|---|---|---|
| Aged timeout (seconds) | Oracle, DB2, PostgreSQL | Time, in seconds, before a physical connection is discarded by pool maintenance. Specify -1 to disable this timeout. The default is -1. |
| Connection timeout (seconds) | Oracle, DB2, PostgreSQL, SMTP, LDAP | Time, in seconds, after which a connection attempt times out. For Oracle, DB2, PostgreSQL, and SMTP, specify -1 to disable this timeout; the default is 30 seconds. For LDAP, specify only integers of 1 or greater; the default is 120 seconds. |
| Max Idle Time (seconds) | Oracle, DB2, PostgreSQL | Maximum time, in seconds, after which an unused or idle connection is discarded during pool maintenance. Specify -1 to disable this timeout. The default is 1800 seconds. |
| Max Idle Time (seconds) | LDAP | Time, in seconds, after which an established connection is discarded as idle. Set this to a value lower than the connection idle timeout on the LDAP server. Applies only when performing Attribute Mapping from an LDAP server. |
| Reap time (seconds) | Oracle, DB2, PostgreSQL | Time, in seconds, between runs of the pool maintenance thread. Specify -1 to disable pool maintenance. The default is 180 seconds. |
| Max pool size | Oracle, DB2, PostgreSQL | Maximum number of physical connections for a pool. Specify 0 for unlimited. The default is 50. |
| Max pool size | LDAP | Maximum number of connections that are pooled. Applies only when performing Attribute Mapping from an LDAP server. |
| Min pool size | Oracle, DB2, PostgreSQL | Minimum number of physical connections to maintain in a pool. The aged timeout can override the minimum. |
| Purge policy | Oracle, DB2, PostgreSQL | Which connections to delete when a stale connection is detected in the pool. Options: Entire pool (default): all connections in the pool are marked stale and are closed when no longer in use. Failing connection only: only the connection that was found to be bad is closed. Validate all connections: all connections are tested and the ones found to be bad are closed. |
| Max connections per thread | Oracle, DB2, PostgreSQL | Limit of open connections on each thread. |
| Cache connections per thread | Oracle, DB2, PostgreSQL | Number of cached connections for each thread. |
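Before importing a batch of connection definitions, it is worth checking them against the constraints in the two tables above (Name and JNDI ID character rules, the LDAP connection timeout range, the anonymous-bind password rule, the SSL flag, and the purge policy options). The following checker is an added example, not code from the appliance or its documentation; the dictionary keys and the sample definitions are assumptions constructed for illustration.

```python
import re

# Characters the appliance rejects anywhere in a server connection Name
# (the list from the Name row of the properties table above).
FORBIDDEN_NAME_CHARS = set('~!@#$%^&*()+|`=\\;"\'<>?,[]{}/')
# Purge policy options from the connection manager table above.
PURGE_POLICIES = {"Entire pool", "Failing connection only", "Validate all connections"}


def check_name(name):
    """Return the Name-rule violations for a server connection name."""
    problems = []
    if not name or not name[0].isalpha():
        problems.append("name must begin with an alphabetic character")
    if name != name.strip():
        problems.append("name must not have leading or trailing blanks")
    if any(ord(c) < 32 or ord(c) == 127 for c in name):
        problems.append("name must not contain control characters")
    bad = sorted(FORBIDDEN_NAME_CHARS & set(name))
    if bad:
        problems.append("name contains forbidden characters: " + "".join(bad))
    return problems


def check_connection(conn):
    """Return findings for one connection definition (a dict of property values; assumed keys)."""
    problems = check_name(conn.get("name", ""))
    ctype = conn.get("type")
    if ctype in ("Oracle", "DB2", "PostgreSQL"):
        if not re.fullmatch(r"[A-Za-z0-9]+", conn.get("jndi_id", "")):
            problems.append("JNDI ID must be non-empty and alphanumeric")
    if ctype == "LDAP":
        timeout = conn.get("connection_timeout", 120)
        if not isinstance(timeout, int) or timeout < 1:
            problems.append("LDAP connection timeout must be an integer of 1 or greater")
        if conn.get("bind_dn") == "anonymous" and not conn.get("bind_pwd"):
            problems.append("anonymous bind still needs a non-empty bind password")
    if conn.get("ssl", True) is False:
        problems.append("SSL is disabled; credentials would cross the network in clear text")
    policy = conn.get("purge_policy")
    if policy is not None and policy not in PURGE_POLICIES:
        problems.append("unknown purge policy: " + policy)
    return problems


# Constructed sample definitions (not from any real deployment) to exercise the checks.
SAMPLE_OK = {"name": "hrDirectory", "type": "LDAP", "bind_dn": "cn=svc,o=example",
             "bind_pwd": "secret", "ssl": True, "connection_timeout": 120}
SAMPLE_BAD = {"name": " 1st-db", "type": "DB2", "jndi_id": "jdbc/hr", "ssl": False,
              "purge_policy": "Nuke"}
```

Run `check_connection` over each definition and refuse the import if any list comes back non-empty.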
