debug—boolean debugging flag. If true, enable debugging. This is used only for testing or debugging. Normally, it should be set to false, or omitted.

initialContextFactory—(mandatory) must always be set to com.sun.jndi.ldap.LdapCtxFactory.

connectionURL—(mandatory) specify the location of the directory server using an ldap URL, ldap://Host:Port. You can optionally qualify this URL, by adding a forward slash, /, followed by the DN of a particular node in the directory tree. For example, ldap://ldapserver:10389/ou=system.

authentication—(mandatory)specifies the authentication method used when binding to the LDAP server. Can take either of the values, simple (username and password) or none (anonymous).

	Note
	Simple Authentication and Security Layer (SASL) authentication is currently not supported.

connectionUsername—(optional)the DN of the user that opens the connection to the directory server. For example, uid=admin,ou=system.

Directory servers generally require clients to present username/password credentials in order to open a connection.

connectionPassword—(optional)the password that matches the DN from connectionUsername. In the directory server, in the DIT, the password is normally stored as a userPassword attribute in the corresponding directory entry.

connectionProtocol—(mandatory)currently, the only supported value is a blank string. In future, this option will allow you to select the Secure Socket Layer (SSL) for the connection to the directory server.

	Note
	This option must be set explicitly to an empty string, because it has no default value.

userBase—(mandatory)selects a particular subtree of the DIT to search for user entries. The subtree is specified by a DN, which specifes the base node of the subtree. For example, by setting this option to ou=User,ou=ActiveMQ,ou=system, the search for user entries is restricted to the subtree beneath the ou=User,ou=ActiveMQ,ou=system node.

userSearchMatching—(mandatory)specifies an LDAP search filter, which is applied to the subtree selected by userBase. Before passing to the LDAP search operation, the string value you provide here is subjected to string substitution, as implemented by the java.text.MessageFormat class. Essentially, this means that the special string, {0}, is substituted by the username, as extracted from the incoming client credentials.

After substitution, the string is interpreted as an LDAP search filter, where the LDAP search filter syntax is defined by the IETF standard, RFC 2254. A short introduction to the search filter syntax is available from Oracle's JNDI tutorial, Search Filters.

For example, if this option is set to (uid={0}) and the received username is jdoe, the search filter becomes (uid=jdoe) after string substitution. If the resulting search filter is applied to the subtree selected by the user base, ou=User,ou=ActiveMQ,ou=system, it would match the entry, uid=jdoe,ou=User,ou=ActiveMQ,ou=system (and possibly more deeply nested entries, depending on the specified search depth—see the userSearchSubtree option).

userSearchSubtree—(optional)specify the search depth for user entries, relative to the node specified by userBase. This option can take boolean values, as follows:

userRoleName—(optional)specifies the name of the multi-valued attribute of the user entry that contains a list of role names for the user (where the role names are interpreted as group names by the broker's authorization plug-in). If you omit this option, no role names are extracted from the user entry.

roleBase—if you want to store role data directly in the directory server, you can use a combination of role options (roleBase, roleSearchMatching, roleSearchSubtree, and roleName) as an alternative to (or in addition to) specifying the userRoleName option.

This option selects a particular subtree of the DIT to search for role/group entries. The subtree is specified by a DN, which specifes the base node of the subtree. For example, by setting this option to ou=Group,ou=ActiveMQ,ou=system, the search for role/group entries is restricted to the subtree beneath the ou=Group,ou=ActiveMQ,ou=system node.

roleName—(optional)specifies the attribute type of the role entry that contains the name of the role/group. If you omit this option, the role search feature is effectively disabled.

roleSearchMatching—(mandatory)specifies an LDAP search filter, which is applied to the subtree selected by roleBase. This works in a similar manner to the userSearchMatching option, except that it supports two substitution strings, as follows:

For example, if this option is set to (member=uid={1}) and the received username is jdoe, the search filter becomes (member=uid=jdoe) after string substitution (assuming ApacheDS search filter syntax). If the resulting search filter is applied to the subtree selected by the role base, ou=Group,ou=ActiveMQ,ou=system, it matches all role entries that have a member attribute equal to uid=jdoe (the value of a member attribute is a DN).

	Note
	This option must always be set, even if role searching is disabled, because it has no default value.

	Tip
	If you use OpenLDAP, the syntax of the search filter is (member:=uid=jdoe).

roleSearchSubtree—(optional)specify the search depth for role entries, relative to the node specified by roleBase. This option can take boolean values, as follows: