Author: baedke Date: Wed May 6 12:53:48 2020 New Revision: 1877435 URL: http://svn.apache.org/viewvc?rev=1877435&view=rev Log: OAK-8890: LDAP login may fail if a server or intermediate silently drops connections
Added config options to use the pools' idle object eviction tasks.
Modified: jackrabbit/oak/trunk/oak-auth-ldap/pom.xml jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfigTest.java jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/ldap.md
Modified: jackrabbit/oak/trunk/oak-auth-ldap/pom.xml
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-ldap/pom.xml?rev=1877435&r1=1877434&r2=1877435&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-auth-ldap/pom.xml (original)
+++ jackrabbit/oak/trunk/oak-auth-ldap/pom.xml Wed May 6 12:53:48 2020
@@ -36,7 +36,7 @@
 <!-- enable execution of jacoco and set minimal line coverage -->
 <skip.coverage>false</skip.coverage>
 <minimum.line.coverage>0.86</minimum.line.coverage>
- <minimum.branch.coverage>0.75</minimum.branch.coverage>
+ <minimum.branch.coverage>0.74</minimum.branch.coverage>
 </properties>
 <build>
Modified: jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java?rev=1877435&r1=1877434&r2=1877435&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java (original)
+++ jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java Wed May 6 12:53:48 2020
@@ -540,6 +540,9 @@ public class LdapIdentityProvider implem
 adminPool.setTestOnBorrow(true);
 adminPool.setMaxTotal(config.getAdminPoolConfig().getMaxActive());
 adminPool.setBlockWhenExhausted(true);
+ adminPool.setMinEvictableIdleTimeMillis(config.getAdminPoolConfig().getMinEvictableIdleTimeMillis());
+ adminPool.setTimeBetweenEvictionRunsMillis(config.getAdminPoolConfig().getTimeBetweenEvictionRunsMillis());
+ adminPool.setNumTestsPerEvictionRun(config.getAdminPoolConfig().getNumTestsPerEvictionRun());
 }
 // setup unbound connection pool. let's create a new version of the config
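Review bot: The branch-coverage floor is lowered from 0.75 to 0.74 instead of covering the branches the commit adds; presumably the four `if (... != null)` guards in LdapProviderConfig (hunk @@ -726) are the uncovered ones, since LdapProviderConfigTest (hunks @@ -66, @@ -97, @@ -130) only feeds positive multi-unit durations and never the `"-1"` defaults. A second test that builds the config without any pool parameters and asserts `assertEquals(-1L, config.getAdminPoolConfig().getMinEvictableIdleTimeMillis());` (likewise for the eviction-run interval and the user pool) would exercise the default path, pin down that `Milliseconds.of("-1")` keeps the sign, and probably make this threshold change unnecessary.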
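Review bot: The three new setters configure only idle-age eviction; `testWhileIdle` is not enabled, so an evictor run looks at up to `numTestsPerEvictionRun` idle connections but, going by commons-pool2 semantics (confirm for the version in use), removes them only once they exceed `minEvictableIdleTimeMillis`, never because a validation found them dead. If OAK-8890 also intends the evictor to catch silently dropped connections before the next borrow, `adminPool.setTestWhileIdle(true);` belongs next to these lines, with the caveat that idle validation only helps when the pool's validation really probes the server (the `lookupOnValidate` option), which this hunk does not show. The same applies to the user pool in hunk @@ -556. With the `"-1"` defaults from LdapProviderConfig the evictor thread stays off unless configured, which a short comment here (`// evictor runs only when timeBetweenEvictionRuns > 0`) would make explicit. The enclosing method starts before the first hunk and ends after the second.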
@@ -556,6 +559,9 @@ public class LdapIdentityProvider implem
 userPool.setTestOnBorrow(true);
 userPool.setMaxTotal(config.getUserPoolConfig().getMaxActive());
 userPool.setBlockWhenExhausted(true);
+ userPool.setMinEvictableIdleTimeMillis(config.getUserPoolConfig().getMinEvictableIdleTimeMillis());
+ userPool.setTimeBetweenEvictionRunsMillis(config.getUserPoolConfig().getTimeBetweenEvictionRunsMillis());
+ userPool.setNumTestsPerEvictionRun(config.getUserPoolConfig().getNumTestsPerEvictionRun());
 }
 log.info("LdapIdentityProvider initialized: {}", config);
Modified: jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java?rev=1877435&r1=1877434&r2=1877435&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java (original)
+++ jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java Wed May 6 12:53:48 2020
@@ -205,6 +205,51 @@ public class LdapProviderConfig { public static final String PARAM_ADMIN_POOL_LOOKUP_ON_VALIDATE = "adminPool.lookupOnValidate"; /** + * @see PoolConfig#getMinEvictableIdleTimeMillis() + */ + public static final String PARAM_ADMIN_POOL_MIN_EVICTABLE_IDLE_TIME_DEFAULT = "-1"; + + /** + * @see PoolConfig#getMinEvictableIdleTimeMillis() + */ + @Property( + label = "Admin pool min evictable idle time", + description = "The minimum amount of time a connection from the admin pool must be idle before becoming eligible for eviction by the idle object evictor, if running (eg: '1m 30s'). When non-positive, no connections will be evicted from the pool due to idle time alone.", + value = PARAM_ADMIN_POOL_MIN_EVICTABLE_IDLE_TIME_DEFAULT + ) + public static final String PARAM_ADMIN_POOL_MIN_EVICTABLE_IDLE_TIME = "adminPool.minEvictableIdleTime"; + + /** + * @see PoolConfig#getTimeBetweenEvictionRunsMillis() + */ + public static final String PARAM_ADMIN_POOL_TIME_BETWEEN_EVICTION_RUNS_DEFAULT = "-1"; + + /** + * @see PoolConfig#getTimeBetweenEvictionRunsMillis() + */ + @Property( + label = "Time interval to sleep between evictor runs for the admin pool", + description = "Time interval to sleep between runs of the idle object evictor thread for the admin pool (eg: '1m 30s'). 
When non-positive, no idle object evictor thread will be run.", + value = PARAM_ADMIN_POOL_TIME_BETWEEN_EVICTION_RUNS_DEFAULT + ) + public static final String PARAM_ADMIN_POOL_TIME_BETWEEN_EVICTION_RUNS = "adminPool.timeBetweenEvictionRuns"; + + /** + * @see PoolConfig#getNumTestsPerEvictionRun() + */ + public static final int PARAM_ADMIN_POOL_NUM_TESTS_PER_EVICTION_RUN_DEFAULT = 3; + + /** + * @see PoolConfig#getNumTestsPerEvictionRun() + */ + @Property( + label = "Max number of objects to be tested per run of the idle object evictor for the admin pool", + description = "The max number of objects to examine during each run of the idle object evictor thread for the admin pool (if any)", + intValue = PARAM_ADMIN_POOL_NUM_TESTS_PER_EVICTION_RUN_DEFAULT + ) + public static final String PARAM_ADMIN_POOL_NUM_TESTS_PER_EVICTION_RUN = "adminPool.numTestsPerEvictionRun"; + + /** * @see PoolConfig#getMaxActive() */ public static final int PARAM_USER_POOL_MAX_ACTIVE_DEFAULT = 8; 
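Review bot: The OSGi `label` values of the two evictor properties read like descriptions (`"Time interval to sleep between evictor runs for the admin pool"`, `"Max number of objects to be tested per run of the idle object evictor for the admin pool"`), while the sibling property uses the short form `"Admin pool min evictable idle time"` and the ldap.md table in hunk @@ -74 calls the same settings "Admin pool eviction run interval" and "Admin pool tests per eviction run". Aligning them with the documentation — `label = "Admin pool eviction run interval"` and `label = "Admin pool tests per eviction run"` — keeps the console and the docs consistent; the user-pool properties in hunk @@ -235 have the same mismatch. The Javadoc on the new `*_DEFAULT` constants carries only `@see`; a one-line note such as `* Default: -1 (idle-time eviction disabled).` would tell the reader what the sentinel means without following the link. The enclosing class continues outside the hunk.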
@@ -235,6 +280,51 @@ public class LdapProviderConfig { public static final String PARAM_USER_POOL_LOOKUP_ON_VALIDATE = "userPool.lookupOnValidate"; /** + * @see PoolConfig#getMinEvictableIdleTimeMillis() + */ + public static final String PARAM_USER_POOL_MIN_EVICTABLE_IDLE_TIME_DEFAULT = "-1"; + + /** + * @see PoolConfig#getMinEvictableIdleTimeMillis() + */ + @Property( + label = "User pool min evictable idle time", + description = "The minimum amount of time a connection from the user pool must be idle before becoming eligible for eviction by the idle object evictor, if running (eg: '1m 30s'). When non-positive, no connections will be evicted from the pool due to idle time alone.", + value = PARAM_USER_POOL_MIN_EVICTABLE_IDLE_TIME_DEFAULT + ) + public static final String PARAM_USER_POOL_MIN_EVICTABLE_IDLE_TIME = "userPool.minEvictableIdleTime"; + + /** + * @see PoolConfig#getTimeBetweenEvictionRunsMillis() + */ + public static final String PARAM_USER_POOL_TIME_BETWEEN_EVICTION_RUNS_DEFAULT = "-1"; + + /** + * @see PoolConfig#getTimeBetweenEvictionRunsMillis() + */ + @Property( + label = "Time interval to sleep between evictor runs for the user pool", + description = "Time interval to sleep between runs of the idle object evictor thread for the user pool (eg: '1m 30s'). 
When non-positive, no idle object evictor thread will be run.", + value = PARAM_USER_POOL_TIME_BETWEEN_EVICTION_RUNS_DEFAULT + ) + public static final String PARAM_USER_POOL_TIME_BETWEEN_EVICTION_RUNS = "userPool.timeBetweenEvictionRuns"; + + /** + * @see PoolConfig#getNumTestsPerEvictionRun() + */ + public static final int PARAM_USER_POOL_NUM_TESTS_PER_EVICTION_RUN_DEFAULT = 3; + + /** + * @see PoolConfig#getNumTestsPerEvictionRun() + */ + @Property( + label = "Max number of objects to be tested per run of the idle object evictor for the user pool", + description = "The max number of objects to examine during each run of the idle object evictor thread for the user pool (if any)", + intValue = PARAM_USER_POOL_NUM_TESTS_PER_EVICTION_RUN_DEFAULT + ) + public static final String PARAM_USER_POOL_NUM_TESTS_PER_EVICTION_RUN = "userPool.numTestsPerEvictionRun"; + + /** * @see Identity#getBaseDN() */ public static final String PARAM_USER_BASE_DN_DEFAULT = "ou=people,o=example,dc=com"; @@ -619,14 +709,17 @@ public class LdapProviderConfig { } /** - * Defines the configuration of a connection pool. Currently we only define the max size. + * Defines the configuration of a connection pool. Currently we do not support all + * available configuration options of the pool implementation. * (documentation copied from {@link org.apache.commons.pool2.impl.GenericObjectPool}) */ public static class PoolConfig { private int maxActiveSize; - private boolean lookupOnValidate; + private long minEvictableIdleTimeMillis; + private long timeBetweenEvictionRunsMillis; + private int numTestsPerEvictionRun; /** * Returns the maximum number of objects that can be allocated by the pool 
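Review bot: The three new `PoolConfig` fields are left at their Java defaults (0), whereas the OSGi defaults declared in hunk @@ -205 are `"-1"`, `"-1"` and `3`; a `PoolConfig` built programmatically (the manual repository-construction path ldap.md mentions) therefore ends up with `numTestsPerEvictionRun = 0`, which diverges from the configured default even though no evictor thread runs either way while the interval is non-positive. Initializing the fields to match — `private long minEvictableIdleTimeMillis = -1;`, `private long timeBetweenEvictionRunsMillis = -1;`, `private int numTestsPerEvictionRun = 3;` — removes the divergence and makes the sentinel visible at the declaration. The `PoolConfig` class continues past the hunk.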
@@ -678,11 +771,93 @@ public class LdapProviderConfig { return this; } + /** + * Returns the minimum amount of time a connection may sit idle in the pool + * before it is eligible for eviction by the idle object evictor + * (if running). When non-positive, no connections will be evicted from the pool due to idle time alone. + * + * @return minimum amount of time a connection may sit idle in the pool before it is eligible for eviction. + */ + public long getMinEvictableIdleTimeMillis() { return minEvictableIdleTimeMillis; } + + /** + * Sets the minimum amount of time a connection may sit idle in the pool + * before it is eligible for eviction by the idle object evictor + * (if any). + * When non-positive, no connections will be evicted from the pool + * due to idle time alone. + * + * @param minEvictableIdleTimeMillis minimum amount of time a connection may sit idle in the pool before + * it is eligible for eviction. + * @return this + */ + public PoolConfig setMinEvictableIdleTimeMillis(long minEvictableIdleTimeMillis) { + this.minEvictableIdleTimeMillis = minEvictableIdleTimeMillis; + return this; + } + + /** + * Returns the number of milliseconds to sleep between runs of the + * idle object evictor thread. + * When non-positive, no idle object evictor thread will be + * run. + * + * @return number of milliseconds to sleep between evictor runs. + */ + public long getTimeBetweenEvictionRunsMillis() { return timeBetweenEvictionRunsMillis; } + + /** + * Sets the number of milliseconds to sleep between runs of the + * idle object evictor thread. + * When non-positive, no idle object evictor thread will be + * run. + * + * @param timeBetweenEvictionRunsMillis number of milliseconds to sleep between evictor runs. 
+ * @return this + */ + public PoolConfig setTimeBetweenEvictionRunsMillis(long timeBetweenEvictionRunsMillis) { + this.timeBetweenEvictionRunsMillis = timeBetweenEvictionRunsMillis; + return this; + } + + /** + * Returns the max number of objects to examine during each run of the + * idle object evictor thread (if any). + * + * @return max number of objects to examine during each evictor run. + * @see #setNumTestsPerEvictionRun + * @see #setTimeBetweenEvictionRunsMillis + */ + public int getNumTestsPerEvictionRun() { return numTestsPerEvictionRun; } + + /** + * Sets the max number of objects to examine during each run of the + * idle object evictor thread (if any). + * <p> + * When a negative value is supplied, <tt>ceil(number of idle objects)/abs({@link #getNumTestsPerEvictionRun})</tt> + * tests will be run. That is, when the value is <i>-n</i>, roughly one <i>n</i>th of the + * idle objects will be tested per run. When the value is positive, the number of tests + * actually performed in each run will be the minimum of this value and the number of instances + * idle in the pool. + * + * @param numTestsPerEvictionRun max number of objects to examine during each evictor run. + * @see #getNumTestsPerEvictionRun + * @see #setTimeBetweenEvictionRunsMillis + * @return this + */ + public PoolConfig setNumTestsPerEvictionRun(int numTestsPerEvictionRun) { + this.numTestsPerEvictionRun = numTestsPerEvictionRun; + return this; + } + @Override public String toString() { final StringBuilder sb = new StringBuilder("PoolConfig{"); sb.append("maxActiveSize=").append(maxActiveSize); sb.append(", lookupOnValidate=").append(lookupOnValidate); + sb.append(", minEvictableIdleTimeMillis=").append(minEvictableIdleTimeMillis); + sb.append(", timeBetweenEvictionRunsMillis=").append(timeBetweenEvictionRunsMillis); + sb.append(", numTestsPerEvictionRun=").append(numTestsPerEvictionRun); sb.append('}'); return sb.toString(); } 
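Review bot: The Javadoc of `setNumTestsPerEvictionRun` uses `<tt>`, which newer JDK doclint rejects, and nests a `{@link}` inside it; `{@code ceil(number of idle objects)/abs(numTestsPerEvictionRun)}` says the same and renders cleanly. Tag order also differs between the setters: this one lists `@see` before `@return this` while the other two put `@return` last. The single-line getter bodies (`public long getMinEvictableIdleTimeMillis() { return minEvictableIdleTimeMillis; }`) sit next to multi-line setters; either form is fine, but the class should use one consistently. The enclosing `PoolConfig` class starts and ends outside the hunk.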
@@ -726,13 +901,31 @@ public class LdapProviderConfig {
 .setObjectClasses(params.getConfigValue(PARAM_GROUP_OBJECTCLASS, PARAM_GROUP_OBJECTCLASS_DEFAULT))
 .setMakeDnPath(params.getConfigValue(PARAM_GROUP_MAKE_DN_PATH, PARAM_GROUP_MAKE_DN_PATH_DEFAULT));
+ ConfigurationParameters.Milliseconds msMeitAdmin = ConfigurationParameters.Milliseconds.of(params.getConfigValue(PARAM_ADMIN_POOL_MIN_EVICTABLE_IDLE_TIME, PARAM_ADMIN_POOL_MIN_EVICTABLE_IDLE_TIME_DEFAULT));
+ ConfigurationParameters.Milliseconds msTberAdmin = ConfigurationParameters.Milliseconds.of(params.getConfigValue(PARAM_ADMIN_POOL_TIME_BETWEEN_EVICTION_RUNS, PARAM_ADMIN_POOL_TIME_BETWEEN_EVICTION_RUNS_DEFAULT));
 cfg.getAdminPoolConfig()
 .setLookupOnValidate(params.getConfigValue(PARAM_ADMIN_POOL_LOOKUP_ON_VALIDATE, PARAM_ADMIN_POOL_LOOKUP_ON_VALIDATE_DEFAULT))
- .setMaxActive(params.getConfigValue(PARAM_ADMIN_POOL_MAX_ACTIVE, PARAM_ADMIN_POOL_MAX_ACTIVE_DEFAULT));
+ .setMaxActive(params.getConfigValue(PARAM_ADMIN_POOL_MAX_ACTIVE, PARAM_ADMIN_POOL_MAX_ACTIVE_DEFAULT))
+ .setNumTestsPerEvictionRun(params.getConfigValue(PARAM_ADMIN_POOL_NUM_TESTS_PER_EVICTION_RUN, PARAM_ADMIN_POOL_NUM_TESTS_PER_EVICTION_RUN_DEFAULT));
+ if (msMeitAdmin != null) {
+ cfg.getAdminPoolConfig().setMinEvictableIdleTimeMillis(msMeitAdmin.value);
+ }
+ if (msTberAdmin != null) {
+ cfg.getAdminPoolConfig().setTimeBetweenEvictionRunsMillis(msTberAdmin.value);
+ }
+ ConfigurationParameters.Milliseconds msMeitUser = ConfigurationParameters.Milliseconds.of(params.getConfigValue(PARAM_USER_POOL_MIN_EVICTABLE_IDLE_TIME, PARAM_USER_POOL_MIN_EVICTABLE_IDLE_TIME_DEFAULT));
+ ConfigurationParameters.Milliseconds msTberUser = ConfigurationParameters.Milliseconds.of(params.getConfigValue(PARAM_USER_POOL_TIME_BETWEEN_EVICTION_RUNS, PARAM_USER_POOL_TIME_BETWEEN_EVICTION_RUNS_DEFAULT));
 cfg.getUserPoolConfig()
 .setLookupOnValidate(params.getConfigValue(PARAM_USER_POOL_LOOKUP_ON_VALIDATE, PARAM_USER_POOL_LOOKUP_ON_VALIDATE_DEFAULT))
- 
.setMaxActive(params.getConfigValue(PARAM_USER_POOL_MAX_ACTIVE, PARAM_USER_POOL_MAX_ACTIVE_DEFAULT));
+ .setMaxActive(params.getConfigValue(PARAM_USER_POOL_MAX_ACTIVE, PARAM_USER_POOL_MAX_ACTIVE_DEFAULT))
+ .setNumTestsPerEvictionRun(params.getConfigValue(PARAM_USER_POOL_NUM_TESTS_PER_EVICTION_RUN, PARAM_USER_POOL_NUM_TESTS_PER_EVICTION_RUN_DEFAULT));
+ if (msMeitUser != null) {
+ cfg.getUserPoolConfig().setMinEvictableIdleTimeMillis(msMeitUser.value);
+ }
+ if (msTberUser != null) {
+ cfg.getUserPoolConfig().setTimeBetweenEvictionRunsMillis(msTberUser.value);
+ }
 return cfg;
 }
Modified: jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfigTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfigTest.java?rev=1877435&r1=1877434&r2=1877435&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfigTest.java (original)
+++ jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfigTest.java Wed May 6 12:53:48 2020
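Review bot: When `ConfigurationParameters.Milliseconds.of` returns null — which the `!= null` guards anticipate, presumably for a value it cannot parse — the setting is silently dropped and the pool keeps the field's uninitialized value, so a typo in `adminPool.timeBetweenEvictionRuns` quietly leaves the evictor that OAK-8890 introduces switched off. Failing fast with `throw new IllegalArgumentException(...)` naming the offending parameter, or at least a warning log if this class has a logger, would make the misconfiguration visible. The locals `msMeitAdmin`/`msTberAdmin`/`msMeitUser`/`msTberUser` are hard to decode; `adminMinEvictableIdle`/`adminEvictionInterval` and the user-pool equivalents would spell them out, and since the admin and user blocks are identical apart from the parameter names they could share a private helper taking the `PoolConfig` and the two keys. The enclosing method starts before the hunk.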
@@ -66,9 +66,19 @@ public class LdapProviderConfigTest {
 boolean testAdminPoolLookupOnValidate = !LdapProviderConfig.PARAM_ADMIN_POOL_LOOKUP_ON_VALIDATE_DEFAULT;
 int testAdminPoolMaxActive = LdapProviderConfig.PARAM_ADMIN_POOL_MAX_ACTIVE_DEFAULT + 1;
+ String testAdminPoolMinEvictableIdleTime = "2d 2h 2m 2s 2ms";
+ long testAdminPoolMinEvictableIdleTimeMs = 2 * (1 + 1000 * (1 + 60 * (1 + 60 * (1 + 24))));
+ String testAdminPoolTimeBetweenEvictionRuns = "3d 3h 3m 3s 3ms";
+ long testAdminPoolTimeBetweenEvictionRunsMs = 3 * (1 + 1000 * (1 + 60 * (1 + 60 * (1 + 24))));
+ int testAdminPoolNumTestsPerEvictionRun = LdapProviderConfig.PARAM_ADMIN_POOL_NUM_TESTS_PER_EVICTION_RUN_DEFAULT + 1;
 boolean testUserPoolLookupOnValidate = !LdapProviderConfig.PARAM_USER_POOL_LOOKUP_ON_VALIDATE_DEFAULT;
 int testUserPoolMaxActive = LdapProviderConfig.PARAM_USER_POOL_MAX_ACTIVE_DEFAULT + 2;
+ String testUserPoolMinEvictableIdleTime = "4d 4h 4m 4s 4ms";
+ long testUserPoolMinEvictableIdleTimeMs = 4 * (1 + 1000 * (1 + 60 * (1 + 60 * (1 + 24))));
+ String testUserPoolTimeBetweenEvictionRuns = "5d 5h 5m 5s 5ms";
+ long testUserPoolTimeBetweenEvictionRunsMs = 5 * (1 + 1000 * (1 + 60 * (1 + 60 * (1 + 24))));
+ int testUserPoolNumTestsPerEvictionRun = LdapProviderConfig.PARAM_USER_POOL_NUM_TESTS_PER_EVICTION_RUN_DEFAULT + 2;
 String testUserBaseDn = "ou=people,dc=org";
 String[] testUserObjectClass = new String[] {"inetOrgPerson"};
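Review bot: The expected values are written as `2 * (1 + 1000 * (1 + 60 * (1 + 60 * (1 + 24))))`, which a reader has to expand by hand to confirm it equals "2d 2h 2m 2s 2ms"; `TimeUnit.DAYS.toMillis(2) + TimeUnit.HOURS.toMillis(2) + TimeUnit.MINUTES.toMillis(2) + TimeUnit.SECONDS.toMillis(2) + 2` states the same quantity in the units the string uses. The four copies of the nesting differ only in the leading factor, so a small helper such as `static long allUnits(long n)` would remove the duplication as well. The enclosing test method starts and ends outside the hunk.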
@@ -97,9 +107,15 @@ public class LdapProviderConfigTest {
 params.put(LdapProviderConfig.PARAM_ADMIN_POOL_LOOKUP_ON_VALIDATE, testAdminPoolLookupOnValidate);
 params.put(LdapProviderConfig.PARAM_ADMIN_POOL_MAX_ACTIVE, testAdminPoolMaxActive);
+ params.put(LdapProviderConfig.PARAM_ADMIN_POOL_MIN_EVICTABLE_IDLE_TIME, testAdminPoolMinEvictableIdleTime);
+ params.put(LdapProviderConfig.PARAM_ADMIN_POOL_TIME_BETWEEN_EVICTION_RUNS, testAdminPoolTimeBetweenEvictionRuns);
+ params.put(LdapProviderConfig.PARAM_ADMIN_POOL_NUM_TESTS_PER_EVICTION_RUN, testAdminPoolNumTestsPerEvictionRun);
 params.put(LdapProviderConfig.PARAM_USER_POOL_LOOKUP_ON_VALIDATE, testUserPoolLookupOnValidate);
 params.put(LdapProviderConfig.PARAM_USER_POOL_MAX_ACTIVE, testUserPoolMaxActive);
+ params.put(LdapProviderConfig.PARAM_USER_POOL_MIN_EVICTABLE_IDLE_TIME, testUserPoolMinEvictableIdleTime);
+ params.put(LdapProviderConfig.PARAM_USER_POOL_TIME_BETWEEN_EVICTION_RUNS, testUserPoolTimeBetweenEvictionRuns);
+ params.put(LdapProviderConfig.PARAM_USER_POOL_NUM_TESTS_PER_EVICTION_RUN, testUserPoolNumTestsPerEvictionRun);
 params.put(LdapProviderConfig.PARAM_USER_BASE_DN, testUserBaseDn);
 params.put(LdapProviderConfig.PARAM_USER_OBJECTCLASS, testUserObjectClass);
@@ -130,10 +146,16 @@ public class LdapProviderConfigTest {
 LdapProviderConfig.PoolConfig adminPoolConfig = config.getAdminPoolConfig();
 assertEquals(testAdminPoolLookupOnValidate, adminPoolConfig.lookupOnValidate());
 assertEquals(testAdminPoolMaxActive, adminPoolConfig.getMaxActive());
+ assertEquals(testAdminPoolMinEvictableIdleTimeMs, adminPoolConfig.getMinEvictableIdleTimeMillis());
+ assertEquals(testAdminPoolTimeBetweenEvictionRunsMs, adminPoolConfig.getTimeBetweenEvictionRunsMillis());
+ assertEquals(testAdminPoolNumTestsPerEvictionRun, adminPoolConfig.getNumTestsPerEvictionRun());
 LdapProviderConfig.PoolConfig userPoolConfig = config.getUserPoolConfig();
 assertEquals(testUserPoolLookupOnValidate, userPoolConfig.lookupOnValidate());
 assertEquals(testUserPoolMaxActive, userPoolConfig.getMaxActive());
+ assertEquals(testUserPoolMinEvictableIdleTimeMs, userPoolConfig.getMinEvictableIdleTimeMillis());
+ assertEquals(testUserPoolTimeBetweenEvictionRunsMs, userPoolConfig.getTimeBetweenEvictionRunsMillis());
+ assertEquals(testUserPoolNumTestsPerEvictionRun, userPoolConfig.getNumTestsPerEvictionRun());
 LdapProviderConfig.Identity userConfig = config.getUserConfig();
 assertEquals(testUserBaseDn, userConfig.getBaseDN());
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/ldap.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/ldap.md?rev=1877435&r1=1877434&r2=1877435&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/ldap.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/ldap.md Wed May 6 12:53:48 2020
@@ -74,34 +74,40 @@ Oak repository: The LDAP IPDs are configured through the [org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig] which is populated either via OSGi or during manual [Repository Construction](../../construct.html). -| Name | Property | Description | -|-------------------------------|-------------------------|------------------------------------------| -| LDAP Provider Name | `provider.name` | Name of this LDAP provider configuration. This is used to reference this provider by the login modules. | -| Bind DN | `bind.dn` | DN of the user for authentication. Leave empty for anonymous bind. | -| Bind Password | `bind.password` | Password of the user for authentication. | -| LDAP Server Hostname | `host.name` | Hostname of the LDAP server | -| Disable certificate checking | `host.noCertCheck` | Indicates if server certificate validation should be disabled. | -| LDAP Server Port | `host.port` | Port of the LDAP server | -| Use SSL | `host.ssl` | Indicates if an SSL (LDAPs) connection should be used. | -| Use TLS | `host.tls` | Indicates if TLS should be started on connections. | -| Search Timeout | `searchTimeout` | Time in until a search times out (eg: '1s' or '1m 30s'). | -| Admin pool max active | `adminPool.maxActive` | The max active size of the admin connection pool. When non-positive, there is no limit to the number of objects that can be managed by the pool at one time. A value of 0 disables this pool. | -| Admin pool lookup on validate | `adminPool.lookupOnValidate` | Indicates an ROOT DSE lookup is performed to test if the connection is still valid when taking it out of the admin pool. | -| User pool max active | `userPool.maxActive` | The max active size of the user connection pool. When non-positive, there is no limit to the number of objects that can be managed by the pool at one time. A value of 0 disables this pool. 
| -| User pool lookup on validate | `userPool.lookupOnValidate` | Indicates an ROOT DSE lookup is performed to test if the connection is still valid when taking it out of the user pool. | -| User base DN | `user.baseDN` | The base DN for user searches. | -| User extra filter | `user.extraFilter` | Extra LDAP filter to use when searching for users. The final filter is formatted like: `(&(<idAttr>=<userId>)(objectclass=<objectclass>)<extraFilter>)` | -| User id attribute | `user.idAttribute` | Name of the attribute that contains the user id. | -| User DN paths | `user.makeDnPath` | Controls if the DN should be used for calculating a portion of the intermediate path. | -| User object classes | `user.objectclass` | The list of object classes an user entry must contain. | -| Group base DN | `group.baseDN` | The base DN for group searches. | -| Group extra filter | `group.extraFilter` | Extra LDAP filter to use when searching for groups. The final filter is formatted like: `(&(<nameAttr>=<groupName>)(objectclass=<objectclass>)<extraFilter>)` | -| Group DN paths | `group.makeDnPath` | Controls if the DN should be used for calculating a portion of the intermediate path. | -| Group member attribute | `group.memberAttribute` | Group attribute that contains the member(s) of a group. | -| Group name attribute | `group.nameAttribute` | Name of the attribute that contains the group name. | -| Group object classes | `group.objectclass` | The list of object classes a group entry must contain. | -| Use user id for external ids | `useUidForExtId` | If enabled, the value of the user id (resp. group name) attribute will be used to create external identifiers. Leave disabled to use the DN instead. | -| Custom Attributes | `customattributes` | Attributes retrieved when looking up LDAP entries. Leave empty to retrieve all attributes. 
| +| Name | Property | Description | +|------------------------------------|-------------------------------------------|------------------------------------------| +| LDAP Provider Name | `provider.name` | Name of this LDAP provider configuration. This is used to reference this provider by the login modules. | +| Bind DN | `bind.dn` | DN of the user for authentication. Leave empty for anonymous bind. | +| Bind Password | `bind.password` | Password of the user for authentication. | +| LDAP Server Hostname | `host.name` | Hostname of the LDAP server | +| Disable certificate checking | `host.noCertCheck` | Indicates if server certificate validation should be disabled. | +| LDAP Server Port | `host.port` | Port of the LDAP server | +| Use SSL | `host.ssl` | Indicates if an SSL (LDAPs) connection should be used. | +| Use TLS | `host.tls` | Indicates if TLS should be started on connections. | +| Search Timeout | `searchTimeout` | Time in until a search times out (eg: '1s' or '1m 30s'). | +| Admin pool max active | `adminPool.maxActive` | The max active size of the admin connection pool. When non-positive, there is no limit to the number of objects that can be managed by the pool at one time. A value of 0 disables this pool. | +| Admin pool lookup on validate | `adminPool.lookupOnValidate` | Indicates an ROOT DSE lookup is performed to test if the connection is still valid when taking it out of the admin pool. | +| Admin pool min evictable idle time | `adminPool.minEvictableIdleTime` | The minimum amount of time a connection from the admin pool must be idle before becoming eligible for eviction by the idle object evictor, if running (eg: '1m 30s'). When non-positive, no connections will be evicted from the pool due to idle time alone. | +| Admin pool eviction run interval | `adminPool.timeBetweenEvictionRuns` | Time interval to sleep between runs of the idle object evictor thread for the admin pool (eg: '1m 30s'). 
When non-positive, no idle object evictor thread will be run. | +| Admin pool tests per eviction run | `adminPool.numTestsPerEvictionRun` | The maximum number of objects to be examined during a single eviction run of the admin pool. | +| User pool max active | `userPool.maxActive` | The max active size of the user connection pool. When non-positive, there is no limit to the number of objects that can be managed by the pool at one time. A value of 0 disables this pool. | +| User pool lookup on validate | `userPool.lookupOnValidate` | Indicates an ROOT DSE lookup is performed to test if the connection is still valid when taking it out of the user pool. | +| User pool min evictable idle time | `userPool.minEvictableIdleTime` | The minimum amount of time a connection from the user pool must be idle before becoming eligible for eviction by the idle object evictor, if running (eg: '1m 30s'). When non-positive, no connections will be evicted from the pool due to idle time alone. | +| User pool eviction run interval | `userPool.timeBetweenEvictionRuns` | Time interval to sleep between runs of the idle object evictor thread for the user pool (eg: '1m 30s'). When non-positive, no idle object evictor thread will be run. | +| User pool tests per eviction run | `userPool.numTestsPerEvictionRun` | The maximum number of objects to be examined during a single eviction run of the user pool. | +| User base DN | `user.baseDN` | The base DN for user searches. | +| User extra filter | `user.extraFilter` | Extra LDAP filter to use when searching for users. The final filter is formatted like: `(&(<idAttr>=<userId>)(objectclass=<objectclass>)<extraFilter>)` | +| User id attribute | `user.idAttribute` | Name of the attribute that contains the user id. | +| User DN paths | `user.makeDnPath` | Controls if the DN should be used for calculating a portion of the intermediate path. | +| User object classes | `user.objectclass` | The list of object classes an user entry must contain. 
| +| Group base DN | `group.baseDN` | The base DN for group searches. | +| Group extra filter | `group.extraFilter` | Extra LDAP filter to use when searching for groups. The final filter is formatted like: `(&(<nameAttr>=<groupName>)(objectclass=<objectclass>)<extraFilter>)` | +| Group DN paths | `group.makeDnPath` | Controls if the DN should be used for calculating a portion of the intermediate path. | +| Group member attribute | `group.memberAttribute` | Group attribute that contains the member(s) of a group. | +| Group name attribute | `group.nameAttribute` | Name of the attribute that contains the group name. | +| Group object classes | `group.objectclass` | The list of object classes a group entry must contain. | +| Use user id for external ids | `useUidForExtId` | If enabled, the value of the user id (resp. group name) attribute will be used to create external identifiers. Leave disabled to use the DN instead. | +| Custom Attributes | `customattributes` | Attributes retrieved when looking up LDAP entries. Leave empty to retrieve all attributes. | | | | | #### SyncHandler and External Login Module