LDAPIdentityStoreImpl provides support for LDAP as an identity persistence store (IdentityStore). At this stage the implementation is somewhat limited:
Role management (IdentityObjectRelationshipName) is not supported
Only "text" attribute type can be mapped
Only "PASSWORD" <credential-type> can be mapped
<identity-object-type><options>
idAttributeName - attribute name under which the IdentityObject name is stored. Required.
passwordAttributeName - attribute name under which the IdentityObject password is stored. Optional.
ctxDNs - DN that will be used as the context for IdentityObject searches. More than one value can be specified.
allowCreateEntry - true/false - specifies whether new IdentityObject entries can be created. Default is false.
createEntryAttributeValues - defines a set of LDAP attributes that will be set when an IdentityObject entry is created. Values are in "name=value" format. This makes it possible to satisfy LDAP schema requirements.
parentMembershipAttributeName - LDAP attribute that defines the children of an IdentityObject. It will be used to retrieve relationships from the IdentityObject entry. This option is required if the IdentityObjectType can be part of a relationship.
isParentMembershipAttributeDN - defines whether the values of the attribute named in parentMembershipAttributeName are fully qualified LDAP DNs.
allowEmptyMemberships - defines whether an IdentityObject entry may have no members. Some LDAP schemas do not allow this.
parentMembershipAttributePlaceholder - if the LDAP schema doesn't allow empty memberships, this value will be used as a placeholder. The IdentityObject specified here won't be recognized as a member and will be ignored.
childMembershipAttributeName - LDAP attribute that defines the parents of an IdentityObject. It will be used to retrieve relationships from the IdentityObject entry. A good example of such an attribute in an LDAP schema is 'memberOf'.
childMembershipAttributeDN - defines whether the values of the attribute named in childMembershipAttributeName are fully qualified LDAP DNs.
childMembershipAttributeVirtual - specifies whether the attribute named in 'childMembershipAttributeName' is a real attribute that can be updated, or a virtual one whose value is managed by the directory and must not be updated.
entrySearchFilter - LDAP filter used to search for an IdentityObject. {0} will be substituted with the IdentityObject name. An example filter looks like this: "(uid={0})". This substitution behavior comes from the standard DirContext.search(Name, String, Object[], SearchControls) method.
entrySearchScope - defines the search scope. Values can be "subtree" and "object".
enclosePasswordWith - if specified, the password will be surrounded with the given characters before an update.
passwordEncoding - if specified, the password will be encoded with this encoding before an update. For example, Microsoft Active Directory requires the password to be enclosed in '"' and encoded using 'UTF-16LE' for an update.
passwordUpdateAttributeValues - list of attributes that should be changed during password update
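What the entrySearchFilter "{0}" substitution and the enclosePasswordWith / passwordEncoding steps above amount to, as an added Python example (not PicketLink's own code; the function names are this example's own). The escaping mirrors what JNDI's DirContext.search applies to filter arguments, which is why a name containing filter metacharacters is matched literally rather than changing the filter.

```python
# Added example (not PicketLink code): what two of the options above amount to
# at the byte level. Function names are this example's own.

# RFC 4515 escaping of a filter argument. JNDI's DirContext.search(Name, String,
# Object[], SearchControls), which backs the entrySearchFilter "{0}" substitution,
# escapes filter arguments this way, so an IdentityObject name containing
# filter metacharacters is matched literally instead of altering the filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape one filter argument per RFC 4515."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_entry_search_filter(template: str, identity_name: str) -> str:
    """Substitute the IdentityObject name for {0} in an entrySearchFilter template."""
    return template.replace("{0}", escape_filter_value(identity_name))


def encode_password_for_update(password: str, enclose_with: str = "",
                               encoding: str = "UTF-8") -> bytes:
    """Apply enclosePasswordWith, then passwordEncoding, before an LDAP modify.

    With enclose_with='"' and encoding='UTF-16LE' this yields the byte form
    Active Directory expects for a password update, as noted above.
    """
    return f"{enclose_with}{password}{enclose_with}".encode(encoding)


if __name__ == "__main__":
    # Constructed sample inputs, not values from any real directory.
    print(build_entry_search_filter("(uid={0})", "jdoe"))
    print(build_entry_search_filter("(uid={0})", "j*doe"))
    print(encode_password_for_update("Secret1!", '"', "UTF-16LE"))
```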
<identity-store><options>
providerURL - LDAP connection URL. For example "ldap://localhost:389"
adminDN - LDAP entry used to connect to the server.
adminPassword - password related to adminDN
searchTimeLimit - time limit for LDAP search operations in milliseconds. Default value is 10000.
customJNDIConnectionParameters - list of additional 'key=value' parameters that will be used to create the JNDI context. Can be useful for passing additional JNDI options.
customSystemProperties - list of 'key=value' properties that will be set using the System.setProperty() method. This can be used to configure LDAP JNDI connection pooling, which is set per JVM.
externalJNDIContext - name that will be used to perform a JNDI lookup to obtain the JNDI connection context.
sortExtensionSupported - if set to "false", disables the use of the sort extension that triggers sorting on the LDAP server side.
pagedResultsExtensionSupported - if set to "true", enables paged search. Searches that exceed the size defined by the "pagedResultsExtensionSize" option will be split into several smaller ones.
pagedResultsExtensionSize - defines page size for "pagedResultsExtensionSupported" option.
createMissingContexts - if set to "true" LDAP store will try to create missing LDAP contexts defined in the configuration.
<identity-store>
  <id>Sample LDAP Store</id>
  <class>org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl</class>
  <external-config/>
  <supported-relationship-types>
    <relationship-type>JBOSS_IDENTITY_MEMBERSHIP</relationship-type>
  </supported-relationship-types>
  <supported-identity-object-types>
    <identity-object-type>
      <name>IDENTITY</name>
      <relationships/>
      <credentials>
        <credential-type>PASSWORD</credential-type>
      </credentials>
      <attributes>
        <attribute>
          <name>phone</name>
          <mapping>telephoneNumber</mapping>
          <type>text</type>
          <isRequired>false</isRequired>
          <isMultivalued>false</isMultivalued>
          <isReadOnly>false</isReadOnly>
        </attribute>
        <attribute>
          <name>description</name>
          <mapping>description</mapping>
          <type>text</type>
          <isRequired>false</isRequired>
          <isMultivalued>false</isMultivalued>
          <isReadOnly>false</isReadOnly>
        </attribute>
        <attribute>
          <name>carLicense</name>
          <mapping>carLicense</mapping>
          <type>text</type>
          <isRequired>false</isRequired>
          <isMultivalued>false</isMultivalued>
          <isReadOnly>false</isReadOnly>
        </attribute>
      </attributes>
      <options>
        <option>
          <name>idAttributeName</name>
          <value>uid</value>
        </option>
        <option>
          <name>passwordAttributeName</name>
          <value>password</value>
        </option>
        <option>
          <name>ctxDNs</name>
          <value>ou=People,o=test,dc=example,dc=com</value>
        </option>
        <option>
          <name>allowCreateEntry</name>
          <value>true</value>
        </option>
        <option>
          <name>createEntryAttributeValues</name>
          <value>objectClass=top</value>
          <value>objectClass=inetOrgPerson</value>
          <value>sn= </value>
          <value>cn= </value>
        </option>
      </options>
    </identity-object-type>
    <identity-object-type>
      <name>ORGANIZATION</name>
      <relationships>
        <relationship>
          <relationship-type-ref>JBOSS_IDENTITY_MEMBERSHIP</relationship-type-ref>
          <identity-object-type-ref>IDENTITY</identity-object-type-ref>
        </relationship>
        <relationship>
          <relationship-type-ref>JBOSS_IDENTITY_MEMBERSHIP</relationship-type-ref>
          <identity-object-type-ref>ORGANIZATION</identity-object-type-ref>
        </relationship>
        <relationship>
          <relationship-type-ref>JBOSS_IDENTITY_MEMBERSHIP</relationship-type-ref>
          <identity-object-type-ref>GROUP</identity-object-type-ref>
        </relationship>
      </relationships>
      <credentials/>
      <attributes/>
      <options>
        <option>
          <name>idAttributeName</name>
          <value>cn</value>
        </option>
        <option>
          <name>ctxDNs</name>
          <value>ou=Organizations,o=test,dc=example,dc=com</value>
        </option>
        <option>
          <name>allowCreateEntry</name>
          <value>true</value>
        </option>
        <option>
          <name>membershipAttributeName</name>
          <value>member</value>
        </option>
        <option>
          <name>isMembershipAttributeDN</name>
          <value>true</value>
        </option>
        <option>
          <name>allowEmptyMemberships</name>
          <value>true</value>
        </option>
        <option>
          <name>createEntryAttributeValues</name>
          <value>objectClass=top</value>
          <value>objectClass=groupOfNames</value>
        </option>
      </options>
    </identity-object-type>
  </supported-identity-object-types>
  <options>
    <option>
      <name>providerURL</name>
      <value>ldap://localhost:10389</value>
    </option>
    <option>
      <name>adminDN</name>
      <value>cn=Directory Manager</value>
    </option>
    <option>
      <name>adminPassword</name>
      <value>password</value>
    </option>
    <option>
      <name>searchTimeLimit</name>
      <value>10000</value>
    </option>
  </options>
</identity-store>