| ldap-server-type | enumeration | optional | generic | |
| connection-timeout | int32 | optional | 30 | Idle timeout in seconds for connections in the connection pool (zero value indicates infinite timeout) |
| validate-connections | boolean | optional | true | Validate connections before fetching them from the connection pool |
| time-between-eviction-runs | int32 | optional | -1 | How often, in seconds, idle connections are checked for eviction. If set to -1, eviction will not occur. This is preferred because it increases throughput by avoiding contention between object usage and idleness checking. |
| detect-user-must-reset-password | boolean | optional | false | When the server type is Active Directory, a SimpleBind operation can return LDAP_INVALID_CREDENTIALS even though the credentials were accepted, if the account has the UserMustResetPassword flag set. When this setting is enabled, the diagnostic message string is used to detect whether the failure was caused by this flag, in which case authentication is considered acceptable. The resulting SubjectAttributes of the authentication attempt will then contain a _userMustResetPassword attribute that indicates this state. This setting can only be enabled when the server type is Active Directory, and defaults to false. |
| detect-user-password-expired | boolean | optional | false | Enable Active Directory-specific password expiration handling. If set, and the server type is Active Directory, authentication will be considered acceptable even if the password has expired. The resulting SubjectAttributes of the authentication attempt will contain a _userMustResetPassword attribute to indicate this. This setting defaults to false. |
| hostname | host | required | | The hostname or IP address of the LDAP Directory Server |
| port | uint16 | optional | | The port of the LDAP Directory Server. Defaults to 389, or to 636 when ldaps is enabled. |
| ldaps | boolean | optional | false | Indicates whether the server communicates over LDAPS |
| client-id | string | optional | | The client id used to bind to the LDAP Directory Server. When not set, an anonymous bind is performed. |
| client-secret | string | optional | | The client secret used to authenticate the client id. |
| default-root | string | required | | The default search root DN that searches are based on, e.g. ou=People,dc=example,dc=com |
| search-scope | enumeration | optional | sub | The search scope, relative to the default root. Default is to search the sub-tree. |
| initial-connections | uint8 | optional | 5 | Initial number of connections to hold in the connection pool |
| max-connections | uint8 | optional | 10 | Maximum number of connections to hold in the connection pool |
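
The Active Directory behaviour behind `detect-user-must-reset-password` and `detect-user-password-expired` can be sketched as follows. This is an added example, not the product's own code: the function names, the `active-directory` server-type string, the attribute value `True` and the sample diagnostic messages are assumptions constructed for illustration.

```python
import re

# Active Directory appends a hexadecimal Windows error sub-code to the
# diagnostic message of a failed bind: "... error, data 773, v1db1".
_AD_DATA = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

INVALID_CREDENTIALS = 49        # LDAP resultCode invalidCredentials
PASSWORD_EXPIRED = 0x532        # password has expired
PASSWORD_MUST_CHANGE = 0x773    # user must reset password

# Constructed diagnostic messages (DSID and trailer values are made up).
_PREFIX = "80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, "
SAMPLES = {
    "bad_password": _PREFIX + "data 52e, v1db1",
    "expired": _PREFIX + "data 532, v1db1",
    "must_reset": _PREFIX + "data 773, v1db1",
}


def ad_sub_code(diagnostic_message):
    """Return the AD sub-code as an int, or None if the message has none."""
    match = _AD_DATA.search(diagnostic_message or "")
    return int(match.group(1), 16) if match else None


def evaluate_bind(result_code, diagnostic_message, *, server_type="generic",
                  detect_must_reset=False, detect_expired=False):
    """Hypothetical decision function: returns (accepted, subject_attributes)."""
    if result_code == 0:
        return True, {}
    # Both settings only apply to invalidCredentials from Active Directory.
    if result_code != INVALID_CREDENTIALS or server_type != "active-directory":
        return False, {}
    code = ad_sub_code(diagnostic_message)
    if (code == PASSWORD_MUST_CHANGE and detect_must_reset) or \
            (code == PASSWORD_EXPIRED and detect_expired):
        # Attribute name is from the table above; its value is an assumption.
        return True, {"_userMustResetPassword": True}
    return False, {}


if __name__ == "__main__":
    for name, message in SAMPLES.items():
        print(name, evaluate_bind(49, message, server_type="active-directory",
                                  detect_must_reset=True, detect_expired=True))
```

A login accepted this way is only as safe as the consumer of `_userMustResetPassword`: whatever receives the subject attributes should send the user to a password change rather than grant a normal session.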