> http://www.ja-sig.org/wiki/display/CASUM/LDAP

The documentation is wrong, then. You should _never_ use any kind of pooling for LDAP connections used for authentication. See "When Not to Use Pooling" at the bottom of http://java.sun.com/products/jndi/tutorial/ldap/connect/pool.html for an authoritative reference. I will update the CASUM page with some notes from this thread in the coming week.

> One of the features we're looking for is the ability to failover to another
> ldap server.

Our group has a great deal of LDAP experience, and Java/JNDI LDAP experience in particular. Daniel, our group leader, said that using the failover capability in JNDI is not suitable for a high availability setup. JNDI will try every server listed in the Context.PROVIDER_URL property, which is set by the urls property in LdapContextSource, in a round-robin fashion with a wholly unsuitable connection timeout by default. If you _must_ use this capability, you should definitely set the "com.sun.jndi.ldap.connect.timeout" environment property to no more than 5s. (The above reference discusses this environment property in further detail.)

Again, we feel this strategy is not suitable for HA; instead we recommend using some sort of load balancing strategy that obfuscates the many LDAP providers behind a single virtual name and which is responsible for health checking and removing unavailable members from the pool. This strategy has worked remarkably well for our enterprise LDAP directory.

> Is the pooled attribute you mentioned earlier (JNDI pooling)
> the same as the one above?

Yes. From the 3.0 spring-ldap AbstractContextSource class:

    if (pooled) {
        baseEnv.put(SUN_LDAP_POOLING_FLAG, "true");
        log.debug("Using LDAP pooling.");
    }

where SUN_LDAP_POOLING_FLAG = "com.sun.jndi.ldap.connect.pool".

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
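The two settings the message argues for (no JNDI connection pooling on authentication binds, and an explicit "com.sun.jndi.ldap.connect.timeout" of at most 5 s when several servers are listed in Context.PROVIDER_URL) look like this in plain JNDI. This is an added example, not code from the thread, from CAS or from Spring LDAP: the class name UnpooledLdapBindAuthenticator, the provider URL and the 5000 ms values are assumptions, and the read-timeout property "com.sun.jndi.ldap.read.timeout" is a further Sun/Oracle provider setting that the thread does not mention.

```java
import java.util.Hashtable;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/**
 * Hypothetical bind authenticator: one unpooled, short-timeout JNDI
 * connection per authentication attempt. Illustrative code only; it is
 * not CAS or Spring LDAP code.
 */
public final class UnpooledLdapBindAuthenticator {

    // Provider properties named in the thread (Sun/Oracle LDAP provider).
    private static final String SUN_LDAP_POOLING_FLAG = "com.sun.jndi.ldap.connect.pool";
    private static final String SUN_LDAP_CONNECT_TIMEOUT = "com.sun.jndi.ldap.connect.timeout";
    // Not discussed in the thread: bounds how long a bind may wait on a server
    // that accepted the TCP connection but never answers.
    private static final String SUN_LDAP_READ_TIMEOUT = "com.sun.jndi.ldap.read.timeout";

    // Placeholder; in practice the single virtual name of a load balancer,
    // or a space-separated list of ldap:// URLs if JNDI failover must be used.
    private final String providerUrl;

    public UnpooledLdapBindAuthenticator(String providerUrl) {
        this.providerUrl = providerUrl;
    }

    /**
     * Returns true only if the directory accepts a simple bind as userDn
     * with the supplied password.
     */
    public boolean authenticate(String userDn, char[] password) {
        // A DN with an empty password is an "unauthenticated" bind (RFC 4513
        // section 5.1.2), which many servers accept; never count it as success.
        if (userDn == null || userDn.isEmpty() || password == null || password.length == 0) {
            return false;
        }

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password); // char[] is accepted for simple auth

        // Pooling off for authentication binds, as the thread recommends.
        // Only the literal "true" enables pooling; "false" keeps it disabled.
        env.put(SUN_LDAP_POOLING_FLAG, "false");
        // 5 s ceiling per server; without it a connect to a dead member waits
        // for the platform TCP timeout before JNDI moves to the next URL.
        env.put(SUN_LDAP_CONNECT_TIMEOUT, "5000");
        env.put(SUN_LDAP_READ_TIMEOUT, "5000");

        LdapContext ctx = null;
        try {
            // Constructing the context performs the bind; success means valid credentials.
            ctx = new InitialLdapContext(env, null);
            return true;
        } catch (AuthenticationException e) {
            // Wrong DN or password: an ordinary authentication failure.
            return false;
        } catch (NamingException e) {
            // Unreachable server, timeout, referral trouble: an outage, not a bad password.
            // Surface it so callers (and monitoring) can tell the two apart.
            throw new IllegalStateException("LDAP bind to " + providerUrl + " failed", e);
        } finally {
            if (ctx != null) {
                try {
                    ctx.close(); // one connection per attempt, released immediately
                } catch (NamingException ignored) {
                    // nothing useful to do on close failure
                }
            }
        }
    }
}
```

Each call opens its own connection and closes it in the finally block, so no bound connection outlives the request it authenticated. Keeping AuthenticationException separate from other NamingExceptions matters operationally: a directory outage with a 5 s timeout should show up as errors in the logs, not as a burst of "invalid password" events.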
