<?xml version="1.0" encoding="utf-8"?>
|
<!--
|
! CDDL HEADER START
|
!
|
! The contents of this file are subject to the terms of the
|
! Common Development and Distribution License, Version 1.0 only
|
! (the "License"). You may not use this file except in compliance
|
! with the License.
|
!
|
! You can obtain a copy of the license at
|
! trunk/opends/resource/legal-notices/OpenDS.LICENSE
|
! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
|
! See the License for the specific language governing permissions
|
! and limitations under the License.
|
!
|
! When distributing Covered Code, include this CDDL HEADER in each
|
! file and include the License file at
|
! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
|
! add the following below this CDDL HEADER, with the fields enclosed
|
! by brackets "[]" replaced with your own identifying information:
|
! Portions Copyright [yyyy] [name of copyright owner]
|
!
|
! CDDL HEADER END
|
!
|
!
|
! Copyright 2007-2008 Sun Microsystems, Inc.
|
! -->
|
<adm:managed-object name="ldap-connection-handler"
|
plural-name="ldap-connection-handlers"
|
package="org.opends.server.admin.std" extends="connection-handler"
|
xmlns:adm="http://www.opends.org/admin"
|
xmlns:ldap="http://www.opends.org/admin-ldap">
|
<adm:synopsis>
|
The
|
<adm:user-friendly-name />
|
is used to interact with clients using LDAP.
|
</adm:synopsis>
|
<adm:description>
|
It provides full support for LDAPv3 and limited
|
support for LDAPv2.
|
</adm:description>
|
<adm:constraint>
|
<adm:synopsis>
|
A Key Manager Provider must be specified when this
|
<adm:user-friendly-name />
|
is enabled and it is configured to use SSL or StartTLS.
|
</adm:synopsis>
|
<adm:condition>
|
<adm:implies>
|
<adm:contains property="enabled" value="true" />
|
<adm:implies>
|
<adm:or>
|
<adm:contains property="use-ssl" value="true" />
|
<adm:contains property="allow-start-tls" value="true" />
|
</adm:or>
|
<adm:is-present property="key-manager-provider" />
|
</adm:implies>
|
</adm:implies>
|
</adm:condition>
|
</adm:constraint>
|
<adm:constraint>
|
<adm:synopsis>
|
A Trust Manager Provider must be specified when this
|
<adm:user-friendly-name />
|
is enabled and it is configured to use SSL or StartTLS.
|
</adm:synopsis>
|
<adm:condition>
|
<adm:implies>
|
<adm:contains property="enabled" value="true" />
|
<adm:implies>
|
<adm:or>
|
<adm:contains property="use-ssl" value="true" />
|
<adm:contains property="allow-start-tls" value="true" />
|
</adm:or>
|
<adm:is-present property="trust-manager-provider" />
|
</adm:implies>
|
</adm:implies>
|
</adm:condition>
|
</adm:constraint>
|
<adm:constraint>
|
<adm:synopsis>
|
A
|
<adm:user-friendly-name />
|
cannot be configured to support SSL and StartTLS at the same time.
|
Either SSL or StartTLS must be disabled in order for this
|
<adm:user-friendly-name />
|
to be used.
|
</adm:synopsis>
|
<adm:condition>
|
<adm:implies>
|
<adm:contains property="enabled" value="true" />
|
<adm:not>
|
<adm:and>
|
<adm:contains property="use-ssl" value="true" />
|
<adm:contains property="allow-start-tls" value="true" />
|
</adm:and>
|
</adm:not>
|
</adm:implies>
|
</adm:condition>
|
</adm:constraint>
|
<adm:profile name="ldap">
|
<ldap:object-class>
|
<ldap:name>ds-cfg-ldap-connection-handler</ldap:name>
|
<ldap:superior>ds-cfg-connection-handler</ldap:superior>
|
</ldap:object-class>
|
</adm:profile>
|
<adm:property-override name="java-class" advanced="true">
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>
|
org.opends.server.protocols.ldap.LDAPConnectionHandler
|
</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
</adm:property-override>
|
<adm:property-reference name="listen-port" />
|
<adm:property-reference name="use-ssl" />
|
<adm:property-reference name="ssl-cert-nickname" />
|
<adm:property name="key-manager-provider">
|
<adm:synopsis>
|
Specifies the name of the key manager that should be used with
|
this
|
<adm:user-friendly-name />
|
.
|
</adm:synopsis>
|
<adm:requires-admin-action>
|
<adm:none>
|
<adm:synopsis>
|
Changes to this property take effect immediately, but
|
only for subsequent attempts to access the key manager
|
provider for associated client connections.
|
</adm:synopsis>
|
</adm:none>
|
</adm:requires-admin-action>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:aggregation relation-name="key-manager-provider"
|
parent-path="/">
|
<adm:constraint>
|
<adm:synopsis>
|
The referenced key manager provider must be enabled when
|
the
|
<adm:user-friendly-name />
|
is enabled and configured to use SSL or StartTLS.
|
</adm:synopsis>
|
<adm:target-needs-enabling-condition>
|
<adm:and>
|
<adm:contains property="enabled" value="true" />
|
<adm:or>
|
<adm:contains property="use-ssl" value="true" />
|
<adm:contains property="allow-start-tls" value="true" />
|
</adm:or>
|
</adm:and>
|
</adm:target-needs-enabling-condition>
|
<adm:target-is-enabled-condition>
|
<adm:contains property="enabled" value="true" />
|
</adm:target-is-enabled-condition>
|
</adm:constraint>
|
</adm:aggregation>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-key-manager-provider</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="trust-manager-provider">
|
<adm:synopsis>
|
Specifies the name of the trust manager that should be used with
|
the
|
<adm:user-friendly-name />
|
.
|
</adm:synopsis>
|
<adm:requires-admin-action>
|
<adm:none>
|
<adm:synopsis>
|
Changes to this property take effect immediately, but
|
only for subsequent attempts to access the trust manager
|
provider for associated client connections.
|
</adm:synopsis>
|
</adm:none>
|
</adm:requires-admin-action>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:aggregation relation-name="trust-manager-provider"
|
parent-path="/">
|
<adm:constraint>
|
<adm:synopsis>
|
The referenced trust manager provider must be enabled when
|
the
|
<adm:user-friendly-name />
|
is enabled and configured to use SSL or StartTLS.
|
</adm:synopsis>
|
<adm:target-needs-enabling-condition>
|
<adm:and>
|
<adm:contains property="enabled" value="true" />
|
<adm:or>
|
<adm:contains property="use-ssl" value="true" />
|
<adm:contains property="allow-start-tls" value="true" />
|
</adm:or>
|
</adm:and>
|
</adm:target-needs-enabling-condition>
|
<adm:target-is-enabled-condition>
|
<adm:contains property="enabled" value="true" />
|
</adm:target-is-enabled-condition>
|
</adm:constraint>
|
</adm:aggregation>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-trust-manager-provider</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="listen-address" multi-valued="true">
|
<adm:synopsis>
|
Specifies the address or set of addresses on which this
|
<adm:user-friendly-name />
|
should listen for connections from LDAP clients.
|
</adm:synopsis>
|
<adm:description>
|
Multiple addresses may be provided as separate values for this
|
attribute. If no values are provided, then the
|
<adm:user-friendly-name />
|
listens on all interfaces.
|
</adm:description>
|
<adm:requires-admin-action>
|
<adm:component-restart />
|
</adm:requires-admin-action>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0.0.0.0</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:ip-address />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-listen-address</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="allow-ldap-v2">
|
<adm:synopsis>
|
Indicates whether connections from LDAPv2 clients are allowed.
|
</adm:synopsis>
|
<adm:description>
|
If LDAPv2 clients are allowed, then only a minimal degree of
|
special support are provided for them to ensure that
|
LDAPv3-specific protocol elements (for example, Configuration Guide 25
|
controls, extended response messages, intermediate response
|
messages, referrals) are not sent to an LDAPv2 client.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>true</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-allow-ldap-v2</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="keep-stats">
|
<adm:synopsis>
|
Indicates whether the
|
<adm:user-friendly-name />
|
should keep statistics.
|
</adm:synopsis>
|
<adm:description>
|
If enabled, the
|
<adm:user-friendly-name />
|
maintains statistics about the number and types of operations
|
requested over LDAP and the amount of data sent and received.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>true</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-keep-stats</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="use-tcp-keep-alive" advanced="true">
|
<adm:synopsis>
|
Indicates whether the
|
<adm:user-friendly-name />
|
should use TCP keep-alive.
|
</adm:synopsis>
|
<adm:description>
|
If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP
|
keepalive messages should periodically be sent to the client to
|
verify that the associated connection is still valid. This may
|
also help prevent cases in which intermediate network hardware
|
could silently drop an otherwise idle client connection, provided
|
that the keepalive interval configured in the underlying operating
|
system is smaller than the timeout enforced by the network
|
hardware.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>true</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-use-tcp-keep-alive</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="use-tcp-no-delay" advanced="true">
|
<adm:synopsis>
|
Indicates whether the
|
<adm:user-friendly-name />
|
should use TCP no-delay.
|
</adm:synopsis>
|
<adm:description>
|
If enabled, the TCP_NODELAY socket option is used to ensure
|
that response messages to the client are sent immediately rather
|
than potentially waiting to determine whether additional response
|
messages can be sent in the same packet. In most cases, using the
|
TCP_NODELAY socket option provides better performance and
|
lower response times, but disabling it may help for some cases in
|
which the server sends a large number of entries to a client
|
in response to a search request.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>true</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-use-tcp-no-delay</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="allow-tcp-reuse-address" advanced="true">
|
<adm:synopsis>
|
Indicates whether the
|
<adm:user-friendly-name />
|
should reuse socket descriptors.
|
</adm:synopsis>
|
<adm:description>
|
If enabled, the SO_REUSEADDR socket option is used on the
|
server listen socket to potentially allow the reuse of socket
|
descriptors for clients in a TIME_WAIT state. This may help the
|
server avoid temporarily running out of socket descriptors in
|
cases in which a very large number of short-lived connections have
|
been established from the same client system.
|
</adm:description>
|
<adm:requires-admin-action>
|
<adm:component-restart />
|
</adm:requires-admin-action>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>true</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-allow-tcp-reuse-address</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="send-rejection-notice" advanced="true">
|
<adm:synopsis>
|
Indicates whether the
|
<adm:user-friendly-name />
|
should send a notice of disconnection extended response message to
|
the client if a new connection is rejected for some reason.
|
</adm:synopsis>
|
<adm:description>
|
The extended response message may provide an explanation
|
indicating the reason that the connection was rejected.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>true</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-send-rejection-notice</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="max-request-size" advanced="true">
|
<adm:synopsis>
|
Specifies the size in bytes of the largest LDAP request message that will
|
be allowed by this LDAP Connection handler.
|
</adm:synopsis>
|
<adm:description>
|
This property is analogous to the maxBERSize configuration
|
attribute of the Sun Java System Directory Server. This can help
|
prevent denial-of-service attacks by clients that indicate they
|
send extremely large requests to the server causing it to
|
attempt to allocate large amounts of memory.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>5 megabytes</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:size upper-limit="2147483647b"></adm:size>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-max-request-size</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="num-request-handlers" advanced="true">
|
<adm:synopsis>
|
Specifies the number of request handlers that are used to read
|
requests from clients.
|
</adm:synopsis>
|
<adm:description>
|
The
|
<adm:user-friendly-name />
|
uses one thread to accept new connections from clients, but uses
|
one or more additional threads to read requests from existing
|
client connections. This ensures that new requests are
|
read efficiently and that the connection handler itself does not
|
become a bottleneck when the server is under heavy load from many
|
clients at the same time.
|
</adm:description>
|
<adm:requires-admin-action>
|
<adm:component-restart />
|
</adm:requires-admin-action>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>2</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:integer lower-limit="1" />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-num-request-handlers</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="allow-start-tls">
|
<adm:synopsis>
|
Indicates whether clients are allowed to use StartTLS.
|
</adm:synopsis>
|
<adm:description>
|
If enabled, the
|
<adm:user-friendly-name />
|
allows clients to use the StartTLS extended operation to
|
initiate secure communication over an otherwise insecure channel.
|
Note that this is only allowed if the
|
<adm:user-friendly-name />
|
is not configured to use SSL, and if the server is configured with
|
a valid key manager provider and a valid trust manager provider.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-allow-start-tls</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="ssl-client-auth-policy">
|
<adm:synopsis>
|
Specifies the policy that the
|
<adm:user-friendly-name />
|
should use regarding client SSL certificates.
|
</adm:synopsis>
|
<adm:description>
|
This is only applicable if clients are allowed to use SSL.
|
</adm:description>
|
<adm:requires-admin-action>
|
<adm:component-restart />
|
</adm:requires-admin-action>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>optional</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:enumeration>
|
<adm:value name="disabled">
|
<adm:synopsis>
|
Clients are not required to provide their own
|
certificates when performing SSL negotiation.
|
</adm:synopsis>
|
</adm:value>
|
<adm:value name="optional">
|
<adm:synopsis>
|
Clients are requested to provide their own certificates
|
when performing SSL negotiation, but still accept the
|
connection even if the client does not provide a
|
certificate.
|
</adm:synopsis>
|
</adm:value>
|
<adm:value name="required">
|
<adm:synopsis>
|
Clients are required to provide their own certificates
|
when performing SSL negotiation and are refused access
|
if the do not provide a certificate.
|
</adm:synopsis>
|
</adm:value>
|
</adm:enumeration>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-ssl-client-auth-policy</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="accept-backlog" advanced="true">
|
<adm:synopsis>
|
Specifies the maximum number of pending connection attempts that
|
are allowed to queue up in the accept backlog before the
|
server starts rejecting new connection attempts.
|
</adm:synopsis>
|
<adm:description>
|
This is primarily an issue for cases in which a large number of
|
connections are established to the server in a very short period
|
of time (for example, a benchmark utility that creates a large number of
|
client threads that each have their own connection to the server)
|
and the connection handler is unable to keep up with the rate at
|
which the new connections are established.
|
</adm:description>
|
<adm:requires-admin-action>
|
<adm:component-restart />
|
</adm:requires-admin-action>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>128</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:integer lower-limit="1">
|
<adm:unit-synopsis>connections</adm:unit-synopsis>
|
</adm:integer>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-accept-backlog</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="ssl-protocol" multi-valued="true">
|
<adm:synopsis>
|
Specifies the names of the SSL protocols that are allowed for
|
use in SSL or StartTLS communication.
|
</adm:synopsis>
|
<adm:requires-admin-action>
|
<adm:none>
|
<adm:synopsis>
|
Changes to this property take effect immediately but only
|
impact new SSL/TLS-based sessions created after the
|
change.
|
</adm:synopsis>
|
</adm:none>
|
</adm:requires-admin-action>
|
<adm:default-behavior>
|
<adm:alias>
|
<adm:synopsis>
|
Uses the default set of SSL protocols provided by the server's
|
JVM.
|
</adm:synopsis>
|
</adm:alias>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-ssl-protocol</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="ssl-cipher-suite" multi-valued="true">
|
<adm:synopsis>
|
Specifies the names of the SSL cipher suites that are allowed
|
for use in SSL or StartTLS communication.
|
</adm:synopsis>
|
<adm:requires-admin-action>
|
<adm:none>
|
<adm:synopsis>
|
Changes to this property take effect immediately but will
|
only impact new SSL/TLS-based sessions created after the
|
change.
|
</adm:synopsis>
|
</adm:none>
|
</adm:requires-admin-action>
|
<adm:default-behavior>
|
<adm:alias>
|
<adm:synopsis>
|
Uses the default set of SSL cipher suites provided by the
|
server's JVM.
|
</adm:synopsis>
|
</adm:alias>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-ssl-cipher-suite</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="max-blocked-write-time-limit" advanced="true">
|
<adm:synopsis>
|
Specifies the maximum length of time that attempts to write data
|
to LDAP clients should be allowed to block.
|
</adm:synopsis>
|
<adm:description>
|
If an attempt to write data to a client takes longer than this
|
length of time, then the client connection is terminated.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>2 minutes</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration base-unit="ms" lower-limit="0" />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-max-blocked-write-time-limit</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
</adm:managed-object>
|
