Introduction

Deprecated. LDAP configurations are now per client, not server-wide.

LDAP (Lightweight Directory Access Protocol) is a vendor-independent protocol for maintaining and accessing a distributed directory service. For OA4MP for OAuth 2.0, there is an optional claim source that talks to an LDAP server and lets you populate the user information response with data from LDAP. It may be enabled or disabled in the configuration file. If the LDAP service is not available, this is not treated as a serious error but is merely logged. If this component is not configured, it is ignored. Note that this claim source runs on every call made to the server, before any other claim sources configured for clients are invoked. This permits initially populating the claims with whatever the server deems standard information.

Note that this tag has a single attribute, enabled, and the rest of the arguments are separate child elements. The reason is simple: attributes do not allow arbitrary text (such as a password). They are still listed in the table below, since that is a convenient tabular format.

| Name | Required | Default | Description |
|---|---|---|---|
| address | Y | | The fully qualified address of the LDAP server. |
| port | N | 636 | The port of the LDAP service. |
| password | Y | | The password for the LDAP server. |
| principal | Y | | The DN of the principal used to authenticate the caller to the service. The format of the principal depends on the authentication scheme. If this property is unspecified, the behavior is determined by the service provider. |
| searchBase | Y | | The DN that is the starting point of the search. |
| searchAttributes | N | | A list of attributes to be returned. This limits the size of the result; omitting it returns all applicable attributes from the server. It consists of a set of `<attribute>` elements, each of which may contain special characters if needed. You may also specify the name under which the result is returned using the returnedAs attribute. See the example below. |

An example

    <service name="myconfig">
    <ldap enabled="true">
         <address>ldap.bigstate.edu</address>
         <port>636</port>
         <password><![CDATA[asd8"%5*96<<]]></password>
         <principal><![CDATA[uid=admin_bob,ou=system,o=MESS,dc=foo,dc=baz,dc=org]]></principal>
         <searchBase><![CDATA[o=MESS,dc=foo,dc=baz,dc=org]]></searchBase>
         <searchAttributes>
                <attribute>eduPersonOrcid</attribute>
                <attribute returnedAs="isMemberOf">memberOf</attribute>
         </searchAttributes>
         <ssl debug="false"
              useJavaTrustStore="true">
              <trustStore>
                  <path>/opt/oa2/etc/cacerts</path>
                  <password><![CDATA[sdj8956HJf^&$#h]]></password>
                  <type>PKCS12</type>
              </trustStore>
         </ssl>
    </ldap>
    </service>

In this case the server is at the stated address and port. The (security) principal's DN used for authentication is specified as well. The search base is the DN at which the search starts. Two attributes are returned by the search, "eduPersonOrcid" and "memberOf" (these are the names under which they are stored in LDAP). In the JSON, however, they are returned as "eduPersonOrcid" (unchanged) and "isMemberOf" (rather than "memberOf"). Here a specific truststore is required for SSL to operate, and its full path and password are given. The truststore is in PKCS12 format.
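The following is an added example, not code from OA4MP itself, that shows in Python what the configuration above describes: it parses the `<ldap>` element (required elements, the port default of 636, the `searchAttributes`/`returnedAs` mapping), renames LDAP attributes to claim names, and treats an unreachable LDAP service as a logged, non-fatal condition. The sample configuration, the directory entries and the `search_fn` callables are constructed for the demonstration; OA4MP's own Java implementation is not reproduced here.

```python
# Added example (not OA4MP code): parse an OA4MP-style <ldap> configuration
# block and map one LDAP entry onto userinfo claims as the page describes.
import logging
import xml.etree.ElementTree as ET

LOG = logging.getLogger("ldap-claims")

# Constructed sample configuration; <port> is omitted on purpose to show the default.
SAMPLE_CONFIG = """<service name="myconfig">
<ldap enabled="true">
  <address>ldap.bigstate.edu</address>
  <password><![CDATA[asd8"%5*96<<]]></password>
  <principal><![CDATA[uid=admin_bob,ou=system,o=MESS,dc=foo,dc=baz,dc=org]]></principal>
  <searchBase><![CDATA[o=MESS,dc=foo,dc=baz,dc=org]]></searchBase>
  <searchAttributes>
    <attribute>eduPersonOrcid</attribute>
    <attribute returnedAs="isMemberOf">memberOf</attribute>
  </searchAttributes>
</ldap>
</service>"""

REQUIRED = ("address", "password", "principal", "searchBase")


def parse_ldap_config(xml_text):
    """Return a dict for the <ldap> element, or None if it is absent or disabled."""
    root = ET.fromstring(xml_text)
    ldap = root.find("ldap")
    if ldap is None or ldap.get("enabled", "false").lower() != "true":
        return None  # an unconfigured or disabled component is simply ignored
    cfg = {}
    for name in REQUIRED:
        el = ldap.find(name)
        if el is None or not (el.text or "").strip():
            raise ValueError("missing required LDAP element <%s>" % name)
        cfg[name] = el.text.strip()  # CDATA content arrives as plain text
    port_el = ldap.find("port")
    cfg["port"] = int(port_el.text) if port_el is not None and port_el.text else 636
    # searchAttributes become (ldap_attribute, claim_name) pairs; an empty
    # list means "return every applicable attribute".
    attrs = []
    sa = ldap.find("searchAttributes")
    if sa is not None:
        for a in sa.findall("attribute"):
            ldap_name = (a.text or "").strip()
            attrs.append((ldap_name, a.get("returnedAs", ldap_name)))
    cfg["searchAttributes"] = attrs
    return cfg


def map_to_claims(cfg, entry):
    """Apply the returnedAs renaming to one LDAP entry (attribute -> values)."""
    if not cfg["searchAttributes"]:
        return dict(entry)
    # LDAP attribute names are case-insensitive; normalise for the lookup.
    lowered = {k.lower(): v for k, v in entry.items()}
    claims = {}
    for ldap_name, claim_name in cfg["searchAttributes"]:
        if ldap_name.lower() in lowered:
            claims[claim_name] = lowered[ldap_name.lower()]
    return claims


def populate_claims(cfg, search_fn, uid):
    """Look the user up via search_fn; an unavailable service is logged, not fatal."""
    try:
        entry = search_fn(cfg, uid)
    except ConnectionError as e:
        LOG.warning("LDAP lookup for %s failed, continuing without LDAP claims: %s", uid, e)
        return {}
    return map_to_claims(cfg, entry)


# Constructed stand-in for a directory, keyed by uid (hypothetical values).
FAKE_DIRECTORY = {
    "bob": {
        "eduPersonOrcid": ["0000-0002-1825-0097"],
        "memberOf": ["cn=staff,ou=groups,o=MESS,dc=foo,dc=baz,dc=org"],
        "mail": ["bob@example.org"],
    }
}


def fake_search(cfg, uid):
    """Stand-in for a real LDAP search under cfg['searchBase']."""
    return FAKE_DIRECTORY.get(uid, {})


def unreachable_search(cfg, uid):
    """Stand-in for an LDAP server that is down."""
    raise ConnectionError("connection refused: %s:%d" % (cfg["address"], cfg["port"]))


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    cfg = parse_ldap_config(SAMPLE_CONFIG)
    print(populate_claims(cfg, fake_search, "bob"))
    print(populate_claims(cfg, unreachable_search, "bob"))
```

The parser reads the bind password straight out of the configuration file, exactly as the real service must, so the file's permissions are what protect that credential. Note also that `mail` is dropped from the claims because it is not listed in `searchAttributes`, which is the size-limiting effect the table describes.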