LDAP Url failover Issue with UnboundID / V4

Etienne Dysli Metref etienne.dysli-metref at switch.ch
Mon Nov 9 18:05:11 UTC 2020


On 09/11/2020 18.50, Etienne Dysli Metref wrote:
>> Does IdP expose ldaptive / unboundID connection strategy / failoverset
>> settings for authn?
> 
> AFAIK v3 doesn't. We're currently running with only one LDAP URL, until
> I can hack enough Spring beans together to change the connection
> strategy to active-passive for password authentication.

Here are my changes to conf/authn/ldap-authn-config.xml

+    <!-- Set the ConnectionStrategy of the UnboundID LDAP provider to
+         ACTIVE_PASSIVE, otherwise it uses the DEFAULT strategy whose
+         behaviour isn't defined with multiple URLs. This only affects
+         LDAP connections for password authentication, for the LDAP
+         DataConnector, the IdP already sets ACTIVE_PASSIVE as
+         ConnectionStrategy.
+
+         The UnboundID provider must be configured as the default one via
+         `idp.ldaptive.provider =
org.ldaptive.provider.unboundid.UnboundIDProvider`
+         in `ldap.properties`.
+
+         Every bean of class `org.ldaptive.DefaultConnectionFactory`
+         below must have its `provider` property set to reference the
+         `unboundIDProvider` bean for this to take effect. -->
+    <bean id="unboundIDProvider"
class="org.ldaptive.provider.unboundid.UnboundIDProvider">
+      <property name="providerConfig">
+        <bean
class="org.ldaptive.provider.unboundid.UnboundIDProviderConfig">
+          <property name="connectionStrategy">
+            <bean
class="org.ldaptive.provider.ConnectionStrategies.ActivePassiveConnectionStrategy"/>
+          </property>
+        </bean>
+      </property>
+    </bean>
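
Review bot: several lines of this hunk have lost their leading `+` to mail-client wrapping, for example `class="org.ldaptive.provider.unboundid.UnboundIDProvider">` and the two similar `class=` continuation lines below it, plus the wrapped `org.ldaptive.provider.unboundid.UnboundIDProvider\`` inside the comment, so the snippet will not apply with `patch` as pasted; re-send it as an attachment or with wrapping disabled, or rejoin each wrapped fragment with the line above it. The comment also states that this bean only takes effect when `idp.ldaptive.provider` is set in `ldap.properties`, but nothing in the hunk checks or reports that, so it would help to say how an operator can confirm the provider actually in use (for example from the IdP's startup log) rather than discovering on the first outage that the DEFAULT strategy is still active.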

-    <bean id="bindConnectionFactory"
class="org.ldaptive.DefaultConnectionFactory"
p:connectionConfig-ref="bindConnectionConfig" />
+    <bean id="bindConnectionFactory"
class="org.ldaptive.DefaultConnectionFactory"
p:connectionConfig-ref="bindConnectionConfig"
p:provider-ref="unboundIDProvider"/>

-    <bean id="anonSearchConnectionFactory"
class="org.ldaptive.DefaultConnectionFactory"
p:connectionConfig-ref="anonSearchConnectionConfig" />
+    <bean id="anonSearchConnectionFactory"
class="org.ldaptive.DefaultConnectionFactory"
p:connectionConfig-ref="anonSearchConnectionConfig"
p:provider-ref="unboundIDProvider"/>

-    <bean id="bindSearchConnectionFactory"
class="org.ldaptive.DefaultConnectionFactory"
p:connectionConfig-ref="bindSearchConnectionConfig" />
+    <bean id="bindSearchConnectionFactory"
class="org.ldaptive.DefaultConnectionFactory"
p:connectionConfig-ref="bindSearchConnectionConfig"
p:provider-ref="unboundIDProvider"/>
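
Review bot: each of the three `DefaultConnectionFactory` beans now carries `p:provider-ref="unboundIDProvider"`, which makes the provider explicit per factory, while the comment in the first hunk also requires `idp.ldaptive.provider = org.ldaptive.provider.unboundid.UnboundIDProvider` in `ldap.properties`; state which of the two is actually needed (or that both are), otherwise an operator who applies only one may end up on the DEFAULT strategy with no error. Since the comment says every `DefaultConnectionFactory` bean below must reference the provider, a quick post-edit check is worth documenting alongside the change, e.g. grep the file for `org.ldaptive.DefaultConnectionFactory` and confirm each match has a `p:provider-ref`, so a factory not shown in this excerpt, or one added later, does not silently fall back to the default strategy.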

I haven't thoroughly tested this yet, so be careful; also, this is only
valid for IdP version 3.4.7.


