9.51.2 LDAP Agent Configuration

You open the LDAP agent configuration dialog from a workflow configuration: you can right-click the agent icon and select Configuration..., or double-click the agent icon.

The LDAP agent configuration has three tabs: Connections, Advanced and Security.

Connections Tab


LDAP agent configuration - Connections tab

The routing logic that you can select in the Connections tab applies to creating new connections. A connection pool is created towards the server nodes listed in the agent configuration. When the pool receives a new request and all of the already established connections are busy, then a new connection is established following the selected routing logic. You can choose between Round Robin and Failover.

SettingDescription
RoundRobinIf you choose Round Robin routing logic, the next server node from the list specified in the agent configuration is used to establish the connection. This is the default logic.
FailoverIf you choose Failover routing logic, the primary server node is used to establish all the connections until the pool realizes that the server node is down. When it fails a second server is used, then the third, etc.
HostEnter the host name or IP address for the LDAP server node.
PortEnter the port number for the LDAP server node.

Note!

If you use external references, you must provide hosts and ports in coma separated syntax: <host1>:<port1>,<host2>:<port2>.

Advanced Tab


LDAP agent configuration - Advanced tab

SettingDescription
Max ConnectionsEnter the maximum number of concurrent connections permitted towards the LDAP servers. The default value is 2.
Max Connection Age (ms)Enter the maximum amount of time in milliseconds that an LDAP connection can exist before closing it. The default value is 60000 milliseconds.
Max Connection Wait Time (ms)

Enter the maximum amount of time in milliseconds that you want the agent to wait for a connection to become available from the pool. The default value is 1000 milliseconds.

If the maximum amount of time set is exceeded, an exception is thrown which is written to the pico log. No attempt is made to retry the operation.

Connection Timeout (ms)

Enter the connection timeout in milliseconds before assuming that the initial attempt to connect to the LDAP server is unsuccessful. The default value is 100 milliseconds.

If the amount of time set is exceeded, an exception is thrown which is written to the pico log.

Pending Answers LimitEnter the maximum number of operations that can be active per connection. When this limit is reached, the connection stops accepting new requests and waits for all of the answers to arrive and it is checked by the pool. The default value is 1000.
Pool Check Interval (ms)Enter the time interval, in milliseconds, that you want to wait before checking the pool state after it has been marked as invalid. Invalid means no idle connections are available and all connections that are currently in use are invalid, or the pending answers limit has been exceeded for all of the connections. The default value is 2000 milliseconds.
Number of RetriesEnter the maximum number of retries permitted for an unsuccessful operation. The default value is 0. To enable retries you must select a value of 1 or more.
Retry Interval (ms)

Enter the time interval, in milliseconds, that you want to wait before retrying an unsuccessful operation. The default and maximum value is 1000 milliseconds.

If the server is overloaded, the delay interval doubles for each retry until the maximum value of 1000 milliseconds is reached.

Max Throughput (Ops/sec)

Enter the maximum number of operations per second sent to be sent to the LDAP server. If you enter the value of 0, the number of operations per second is unlimited.

Operation Timeout (ms)

Enter the maximum amount of time in milliseconds permitted after sending a request to the LDAP server without receiving a response, before the request times out. The default value is 5000 milliseconds.

If the maximum amount of time set is exceeded, an exception is thrown which is written to the pico log. If you have entered a value for the Number of Retries option, the operation request will be sent again. Otherwise, the operation request will be ignored.

Enable Request ID

If you want to be able to abandon an operation, you must select this check box. An identifier embedded in an LdapRequestIDUDR is sent by the agent, for every operation request, except abandon.

For further information on LDAP Agent UDRs, see 9.51.3 LDAP Agent UDRs.

Security Tab


LDAP agent configuration - Security tab

SettingDescription

Security Principal

You can enter a security principal to use to bind to the LDAP server.

If this field and the Security Credentials field are not populated, the LDAP server is connected to without authentication.

Security Credentials

You can enter the security credentials for the specified security principal.

If this field and the Security Principal field are not populated, the LDAP server is connected to without authentication.

Enable TLS

Select this check box if you want to enable TLS security. If you select this check box, the Keystore and Keystore Password fields are available.

If you enable this check box and leave the Keystore and/or Keystore Password fields empty, a TLS connection is created without a certificate.

Keystore

Enter the full path to the keystore file that you want to use. The keystore file must be in .jks format. This field is optional.

If you leave this field empty, a TLS connection is created without a certificate.

Keystore Password

Enter the password for the selected keystore file. This field is optional.

If you leave this field empty, a TLS connection is created without a certificate.

The following command can be used to create a keystore with the Java keytool program:

$ keytool -keystore clientkeystore -genkey -alias client

Keytool prompts for required information such as identity details and password. Note that the keystore password must be the same as the key password.