Thanks for the reply, Marvin.
There was another recent thread I noticed regarding AD and LDAP auth (I'm
still playing catch up). The subject was "CAS and Active directory". One
of the posters there attached a sample deployerConfigContext where they
specified multiple servers but not the pooled option. Would the ldap
library still attempt the other servers in a round-robin fashion?
As far as the timeouts go, I saw that on the wiki and set that as well. I
set it to 4 seconds for testing, but was going to try to lower it and see
where/if it fails. I think it would be good to look into some sort of load
balancer for LDAP, but I'm not sure if that's something we can do anytime
soon. Below is the entire bean I have (without the pooling of course).
<bean id="contextSource"
      class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="urls">
        <list>
            <value>ldap://server1/</value>
            <value>ldap://server2/</value>
        </list>
    </property>
    <property name="userDn" value="[email protected]"/>
    <property name="password" value="testing"/>
    <property name="baseEnvironmentProperties">
        <map>
            <entry>
                <key>
                    <value>java.naming.security.authentication</value>
                </key>
                <value>simple</value>
            </entry>
            <entry>
                <key>
                    <value>com.sun.jndi.ldap.connect.timeout</value>
                </key>
                <value>4000</value>
            </entry>
            <entry>
                <key>
                    <value>com.sun.jndi.ldap.read.timeout</value>
                </key>
                <value>4000</value>
            </entry>
        </map>
    </property>
</bean>
Something else I should probably mention. I found I got errors when using
the full DN for the user. When I used the AD style [email protected], the
errors went away. I saw that on one of the spring forums. I'm curious if
it had to do with having some spaces in some of our OU names. Although the
search base having a space seems to work fine. I've noticed other ldap apps
we have can use either the DN or the [email protected] syntax.
Pat
On Fri, Oct 9, 2009 at 11:09 AM, Marvin Addison <[email protected]>wrote:
> > http://www.ja-sig.org/wiki/display/CASUM/LDAP
>
> The documentation is wrong, then. You should _never_ use any kind of
> pooling for LDAP connections used for authentication. See "When Not
> to Use Pooling" at the bottom of
> http://java.sun.com/products/jndi/tutorial/ldap/connect/pool.html for
> an authoritative reference. I will update the CASUM page with some
> notes from this thread in the coming week.
>
> > One of the features we're looking for is the ability to failover to
> another
> > ldap server.
>
> Our group has a great deal of LDAP experience, and Java/JNDI LDAP
> experience in particular. Daniel, our group leader, said that using
> the failover capability in JNDI is not suitable for a high
> availability setup. JNDI will try every server listed in the
> Context.PROVIDER_URL property, which is set by the urls property in
> LdapContextSource, in a round-robin fashion with a wholly unsuitable
> connection timeout by default. If you _must_ use this capability, you
> should definitely set the "com.sun.jndi.ldap.connect.timeout"
> environment property to no more than 5s. (Above reference discusses
> this environment property in further detail.) Again, we feel this
> strategy is not suitable for HA; instead we recommend using some sort
> of load balancing strategy that obfuscates the many LDAP providers
> behind a single virtual name and which is responsible for health
> checking and removing unavailable members from the pool. This
> strategy has worked remarkably well for our enterprise LDAP directory.
>
> > Is the pooled attribute you mentioned earlier (JNDI pooling)
> > the same as the one above?
>
> Yes. From the 3.0 spring-ldap AbstractContextSource class:
>
> if (pooled) {
>     baseEnv.put(SUN_LDAP_POOLING_FLAG, "true");
>     log.debug("Using LDAP pooling.");
> }
>
> where SUN_LDAP_POOLING_FLAG = "com.sun.jndi.ldap.connect.pool".
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
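Pulling the two messages together (Pat's contextSource bean and Marvin's notes on Context.PROVIDER_URL, the pooling flag and the connect timeout), here is an added Java example that is not code from either poster, nor from CAS or Spring LDAP. It builds the plain-JNDI environment equivalent to the bean above, refuses to bind if someone has switched the pooling flag on, and separates a bad-credential result from a communication failure (which is what you get when every listed server fails to answer within the timeout). The class name JndiFailoverBind, the method names and the server/principal values are my own placeholders; the property keys are the real JNDI ones quoted in the thread.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Added example (hypothetical class): JNDI equivalent of the LdapContextSource bean. */
public class JndiFailoverBind {

    // Keys named in the thread; these are the real JNDI/Sun provider property names.
    static final String CONNECT_TIMEOUT = "com.sun.jndi.ldap.connect.timeout";
    static final String READ_TIMEOUT = "com.sun.jndi.ldap.read.timeout";
    static final String POOLING_FLAG = "com.sun.jndi.ldap.connect.pool";

    /**
     * Builds the environment that LdapContextSource would build from the bean:
     * the "urls" list becomes a space-separated Context.PROVIDER_URL, which JNDI
     * walks round-robin until a server accepts the connection within timeoutMs.
     */
    static Hashtable<String, Object> buildEnvironment(String[] urls, String principal,
                                                      String credentials, int timeoutMs) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, String.join(" ", urls));
        env.put(Context.SECURITY_AUTHENTICATION, "simple");   // java.naming.security.authentication
        env.put(Context.SECURITY_PRINCIPAL, principal);       // DN or AD-style user@domain, as in the bean
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        // Both timeouts are milliseconds; the thread recommends no more than 5s for connect.
        env.put(CONNECT_TIMEOUT, Integer.toString(timeoutMs));
        env.put(READ_TIMEOUT, Integer.toString(timeoutMs));
        // POOLING_FLAG is deliberately absent: pooled connections are not for authentication.
        return env;
    }

    /** True unless com.sun.jndi.ldap.connect.pool has been set to "true" (the pooled="true" case). */
    static boolean isSafeForAuthentication(Hashtable<String, Object> env) {
        Object flag = env.get(POOLING_FLAG);
        return flag == null || !"true".equalsIgnoreCase(flag.toString());
    }

    /**
     * Performs one simple bind. Returns true on success, false when the directory
     * rejects the credentials, and lets a CommunicationException (no server reachable
     * within the timeout) propagate so the caller can treat it as an outage, not a
     * failed login.
     */
    static boolean bind(Hashtable<String, Object> env) throws NamingException {
        if (!isSafeForAuthentication(env)) {
            throw new IllegalStateException("refusing to authenticate over a pooled LDAP connection");
        }
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);   // the bind happens here
            return true;
        } catch (AuthenticationException bad) {
            return false;
        } finally {
            if (ctx != null) {
                ctx.close();   // each authentication gets its own short-lived connection
            }
        }
    }

    public static void main(String[] args) {
        // Placeholder servers and principal, mirroring the bean in the thread.
        String[] servers = {"ldap://server1/", "ldap://server2/"};
        Hashtable<String, Object> env =
                buildEnvironment(servers, "user@example.test", "testing", 4000);
        try {
            System.out.println(bind(env) ? "bind ok" : "invalid credentials");
        } catch (CommunicationException down) {
            System.out.println("no LDAP server answered within the timeout: " + down.getMessage());
        } catch (NamingException other) {
            System.out.println("directory error: " + other.getMessage());
        }
    }
}
```

The guard in bind() is the programmatic form of leaving pooled off in the bean: if a later configuration change sets the Sun pooling flag, authentication fails closed instead of silently reusing connections. The CommunicationException branch is the one a load balancer with health checking, as Marvin recommends, is meant to make rare.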