LDAP/LDAPS Servers Page

The LDAP/LDAPS Servers page of the configuration editor allows you to edit all LDAP specific settings.

It contains the following sections: LDAP/LDAPS Servers, Limits, SSL/Start TLS Keystore, SSL Advanced Settings, Supported Authentication Mechanisms, SASL Settings and Advanced.

Here's what the LDAP/LDAPS Servers page looks like:

LDAP/LDAPS Servers

This section allows you to enable/disable the LDAP and LDAPS protocols. For each protocol you can specify:

  • Port: the TCP port the server should listen on
  • Address: the IP address the server should bind to (the default 0.0.0.0 binds to all network interfaces)
  • NbThreads: the number of threads used to serve requests
  • Backlog Size: the number of requests queued when all threads are busy

Limits

This section allows you to specify the Limits of the server.

Max. Time Limit lets you choose the maximum time a request may take (in milliseconds).

Max. Size Limit lets you choose the maximum number of entries that should be returned.

Max. PDU Size lets you choose the maximum PDU size (in bytes).

SSL/Start TLS Keystore

This section allows you to specify the keystore that contains the private key used for SSL and Start TLS sessions.

Keystore lets you select the path to the keystore file.

Password lets you enter the password of the keystore file.

SSL Advanced Settings

This section allows you to specify advanced settings for SSL and Start TLS.

Check the Require Client Auth checkbox to require client authentication.

Check the Request Client Auth checkbox to request client authentication.

Ciphers Suite lets you select which cipher suites are allowed.

Enabled Protocols lets you select which protocols are enabled (default: TLSv1, TLSv1.1, TLSv1.2).

Supported Authentication Mechanisms

This section allows you to specify the supported authentication mechanisms. You can choose between the following mechanisms:

  • SIMPLE
  • GSSAPI (SASL)
  • CRAM-MD5 (SASL)
  • DIGEST-MD5 (SASL)
  • NTLM (SASL), including the provider
  • GSS-SPNEGO (SASL), including the provider

SASL Settings

This section allows you to specify the SASL settings.

The SASL Host field represents the name of the host.

The SASL Principal field represents the service principal name that the server-side of the LDAP protocol provider will use to "accept" a GSSAPI context initiated by the LDAP client. The SASL principal MUST follow the name-form "ldap/[fqdn]@[realm]".

The Search Base DN field represents the Distinguished Name where a subtree-scoped DIT search will be performed. This is BOTH where the LDAP service principal must reside, as well as where user principals must reside.

The SASL Realms field allows you to specify the SASL realms.

Use the Add..., Edit... and Delete buttons to set your SASL Realms.

Advanced

This section allows you to specify other advanced settings of the server.

Check the Enable TLS checkbox to enable the Start TLS extended operation.

Check the Enable server-side password hashing checkbox to instruct the server to hash modified user passwords on the server side. When checked this also allows you to select the hashing method to use.

The Replication pinger sleep field defines how often the replication consumer pings the replication producer (in seconds).

The Disk synchronization delay field defines how often data is synchronized to disk (in milliseconds).
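The settings above (LDAP/LDAPS listeners, Enable TLS, Enabled Protocols, Require/Request Client Auth, the supported SASL mechanisms, the SASL Principal name-form and server-side password hashing) are the ones that decide whether binds and passwords are protected. The following review helper is an added example, not part of this documentation or of the ApacheDS project: it takes the page's fields as a plain Python dict with constructed key names (the real ApacheDS configuration format is not reproduced) and reports the weak choices a reviewer would flag, with a weak and a hardened sample configuration side by side.

```python
import re
from dataclasses import dataclass

# TLS versions that are deprecated today (RFC 8996 deprecates TLS 1.0 and 1.1);
# note that the page lists TLSv1 and TLSv1.1 among the defaults.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# SASL mechanisms built on MD5 (DIGEST-MD5 was moved to Historic by RFC 6331).
MD5_MECHANISMS = {"CRAM-MD5", "DIGEST-MD5"}

# The page requires the SASL principal to follow "ldap/[fqdn]@[realm]".
SASL_PRINCIPAL_RE = re.compile(
    r"^ldap/[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?@[A-Za-z0-9.-]+$"
)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    setting: str   # field name as shown in the configuration editor
    message: str


def _reachable_from_network(address: str) -> bool:
    """True unless the listener is bound to a loopback address."""
    return not (address.startswith("127.") or address == "::1")


def review_ldap_config(cfg: dict) -> list[Finding]:
    """Return hardening findings for a config dict (constructed key names, see lead-in)."""
    findings: list[Finding] = []
    ldap = cfg.get("ldap", {})
    ldaps = cfg.get("ldaps", {})
    mechanisms = set(cfg.get("mechanisms", []))

    # Plain LDAP reachable from the network with Start TLS off: SIMPLE binds cross the wire in cleartext.
    if ldap.get("enabled") and _reachable_from_network(ldap.get("address", "0.0.0.0")) and not cfg.get("enable_tls"):
        findings.append(Finding("high", "LDAP / Enable TLS",
                                "plain LDAP is reachable from the network and Start TLS is disabled; "
                                "SIMPLE binds are sent in cleartext"))

    # Without LDAPS or Start TLS no client has any way to protect its bind.
    if not ldaps.get("enabled") and not cfg.get("enable_tls"):
        findings.append(Finding("high", "LDAPS / Enable TLS",
                                "neither LDAPS nor Start TLS is available"))

    for proto in sorted(set(cfg.get("enabled_protocols", [])) & WEAK_PROTOCOLS):
        findings.append(Finding("medium", "Enabled Protocols",
                                f"{proto} is enabled; offer only TLSv1.2 or later"))

    # "Request" only asks for a certificate; clients that present none still connect.
    if cfg.get("request_client_auth") and not cfg.get("require_client_auth"):
        findings.append(Finding("info", "Request Client Auth",
                                "client certificates are requested but not required"))

    for mech in sorted(mechanisms & MD5_MECHANISMS):
        findings.append(Finding("medium", "Supported Authentication Mechanisms",
                                f"{mech} is MD5-based and needs password-equivalent material on the server; "
                                "prefer GSSAPI or SIMPLE over TLS"))

    # GSSAPI context acceptance depends on the ldap/[fqdn]@[realm] name-form.
    if "GSSAPI" in mechanisms:
        principal = cfg.get("sasl_principal", "")
        if not SASL_PRINCIPAL_RE.match(principal):
            findings.append(Finding("high", "SASL Principal",
                                    f"{principal!r} does not follow ldap/[fqdn]@[realm]"))

    if not cfg.get("server_side_password_hashing"):
        findings.append(Finding("high", "Enable server-side password hashing",
                                "passwords that clients send in clear are stored in clear"))
    return findings


# Constructed sample configurations (not real ApacheDS files).
WEAK_CONFIG = {
    "ldap": {"enabled": True, "port": 10389, "address": "0.0.0.0"},
    "ldaps": {"enabled": False, "port": 10636, "address": "0.0.0.0"},
    "enable_tls": False,
    "enabled_protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
    "request_client_auth": True,
    "require_client_auth": False,
    "mechanisms": ["SIMPLE", "GSSAPI", "CRAM-MD5", "DIGEST-MD5"],
    "sasl_principal": "ldap/ldap.example.com",   # realm missing
    "server_side_password_hashing": False,
}

HARDENED_CONFIG = {
    "ldap": {"enabled": True, "port": 10389, "address": "127.0.0.1"},
    "ldaps": {"enabled": True, "port": 10636, "address": "0.0.0.0"},
    "enable_tls": True,
    "enabled_protocols": ["TLSv1.2", "TLSv1.3"],
    "request_client_auth": False,
    "require_client_auth": False,
    "mechanisms": ["SIMPLE", "GSSAPI"],
    "sasl_principal": "ldap/ldap.example.com@EXAMPLE.COM",
    "server_side_password_hashing": True,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(review_ldap_config(cfg))} finding(s)")
        for f in review_ldap_config(cfg):
            print(f"[{f.severity}] {f.setting}: {f.message}")
```

The weak sample trips every check on the page's settings; the hardened one keeps plain LDAP on loopback only, serves LDAPS and Start TLS with TLSv1.2+, drops the MD5 mechanisms, gives the SASL principal its realm and hashes passwords server side, so it produces no findings.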