LDAP connection (ldapConnection)

This section describe the LDAP connection settings.

Let’s look at a sample:

      <username>cn=Directory Manager</username>

First, to be able to reference the connection in the service, it’s mandatory to give it a unique name element so that it can be referenced later in services (here ldap-dst-conn).

  • url: mandatory, this field shall contain a valid LDAP URL

  • username: optional, this element shall contain the string that is used to identify against the directory, most of the time it is a LDAP Distinguished Name, but it may be a simple SASL username (like DOMAIN\username for Active Directory)

  • password: optional, this is the clear text value that is used to connect to the directory

  • authentication: mandatory, one of the NONE, SIMPLE, SASL, DIGEST-MD5, GSSAPI value. SIMPLE is the value to use if you plan to authenticate through a simple username and password without any further security consideration

  • referral: mandatory, one of the following values: IGNORE, THROUGH, THROW or ERROR. Most of the time you should either IGNORE them, go THROUGH or handle them as an ERROR


By default, when referral is set to IGNORE, JNDI adds ManageDsaIT control, preventing attribute computation. This can be unhandy, especially when synchronizing dynamic groups. If you set referral to THROW, the ManageDsaIT is not sent any more.

  • derefAliases: mandatory, one of the following values: NEVER, SEARCH, FIND or ALWAYS. Most of the time, use NEVER

  • version: mandatory, either VERSION_2 or VERSION_3. Prefer VERSION_3 as LDAPv2 is deprecated

  • pageSize: mandatory, specify either -1 or the page size to use. The page size is implemented either through the corresponding control or through Virtual List View depending on the directory capabilities which are discovered at run time (VLV preferred)

  • factory: mandatory, only the Sun factory is supported now and you should use the corresponding value com.sun.jndi.ldap.LdapCtxFactory

  • tlsActivated: mandatory, enable or disable startTLS operation (either true or false). See SSL/TLS configuration for more information


For complete SSL/TLS configuration, please look at the following page: SSL and TLS activation

  • saslMutualAuthentication: optional, set to true for SASL mutual authentication (default: false)

  • sortedBy: optional, attribute name on which results will be sorted (server side sorting)

  • binaryAttributes: optional, list of attribute names to be fetched as binary

  • recursiveDelete: optional, set to true to allow recursive delete in the clean phase (default: false)

  • relaxRules: optional, set to true to use relax control (default: false)

  • saslQopType: optional, see Kerberos (GSSAPI)