JavaRanch » Java Forums » Products » Tomcat
Getting timeout exception while connecting to ldap from tomcat

suman vadde
Greenhorn

Joined: Mar 07, 2013
Posts: 4
Hi Friends,

My application uses the LDAP for authentication.
Below are my configuration details.
I'm using search scope as SearchControls.SUBTREE_SCOPE in my java class.

I'm using tomcat 6.0.14

Any help is highly appreciated.

Tomcat's server.xml:

<Resource name="myapp"
          auth="Container"
          type="com.sun.jndi.ldap.LdapCtx"
          factory="com.test.MyLdapFactory"
          java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
          com.sun.jndi.ldap.connect.pool="false"
          java.naming.provider.url="ldap://com.test.net:389"
          java.naming.security.authentication="simple"
          java.naming.security.principal="myuser"
          java.naming.security.credentials="mypassword"
          ldap.base="ou=users,ou=java team,ou=development,ou=software unit,DC=SOU,DC=example,DC=com"
          ldap.filter="samaccountname"
          />

NOTE: Sometimes it gets a timeout exception. After restarting Tomcat it connects fine. Please help me on this.


Thanks,

Suman


Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16145
Welcome to the Ranch, Suman! Could you please not double-space your postings? Newer monitors don't offer the vertical display space that older ones did and it's hard to read.

Your critical keyword in this matter is LDAP base. That Base MUST be the lowest-common denominator directory for all searches. Don't worry about overhead. Your search patterns will restrict the actual searching to only the areas of interest.

You need 2 separate search patterns, which means that the master search pattern is a logical "or" relationship between the two. This is basic LDAP searching and actually quite common. For details on complex LDAP searches, visit our JNDI/LDAP forum, where the experts hang out.


Customer surveys are for companies who didn't pay proper attention to begin with.
suman vadde
Greenhorn

Joined: Mar 07, 2013
Posts: 4
Thanks Tim. Yeah, I can change the ldap base to the common denominator. But if I change the ldap base to the common root level, all the users will be able to access the application. Due to security reasons we don't want all the users to search the entire ldap. Is there any way to restrict the user? I can do the same by searching two sub domains through java code. But is there any such feature available through tomcat? However, this is somehow manageable, but we are facing a timeout exception once a month. At that moment, no user can login. After restarting tomcat, all users will be able to login. I couldn't find any issue with my configurations. So it seems this is because of network congestion; is there any way to prevent this in tomcat 6.0.14?


Thanks a lot for your support Tim.

Regards,
Suman
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16145

Don't confuse the security for the appserver with the security for app users.

Just because the appserver can see all levels doesn't mean that application code can, since the application code doesn't see that particular JNDI client at all. If the app wants JNDI, it has to make its own connections.

If you are concerned about someone misusing the appserver credentials, then LDAP servers typically do support a fine enough security granularity to prevent that. And in any event, any shop following even rudimentary security standards isn't going to allow just anybody to see the server config files. That includes developers, since Realms are plug-replaceable and they can use a MemoryRealm and the tomcat-users.xml file for testing.
suman vadde
Greenhorn

Joined: Mar 07, 2013
Posts: 4
Thanks Tim. Any help on resolving the timeout error? I see this once or twice a month.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16145

I believe that you can set the timeout interval as a JVM environment parameter ("-D" option), but you'll have to look up the docs on the JNDI provider being used.

You can declare this value in JAVA_OPTS in the Tomcat setenv.sh/setenv.bat file.
 
Don't get me started about those stupid light bulbs.
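As an added example (not code from this thread or from the poster's application): a plain JNDI lookup that passes the Sun LDAP provider's connect and read timeouts as context environment properties, so a hung directory connection fails with an exception instead of blocking every login until Tomcat is restarted, and that searches the two team subtrees in turn from the base DN given in the thread, which is the "or" of the two search areas without opening the base to the whole directory. The second base DN, the timeout values and the class name are assumptions; the same property names can go on the Resource element if the custom factory copies its attributes into the environment it builds.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class LdapTimeoutLookup {
    // Subtrees to search: the first is from the thread, the second is a placeholder for the other team
    private static final String[] BASES = {
        "ou=users,ou=java team,ou=development,ou=software unit,DC=SOU,DC=example,DC=com",
        "ou=users,ou=OTHER-TEAM-PLACEHOLDER,ou=development,ou=software unit,DC=SOU,DC=example,DC=com"
    };

    // RFC 4515 escaping of the user-supplied value; backslash first so the others are not double-escaped
    static String escapeFilterValue(String s) {
        return s.replace("\\", "\\5c").replace("*", "\\2a")
                .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00");
    }

    static DirContext connect(String url, String principal, String credentials) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        // Fail fast instead of hanging: TCP connect and per-operation read timeouts, in milliseconds (assumed values)
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "10000");
        return new InitialDirContext(env);
    }

    // Returns the DN of the matching account or null; trying each base in turn is the "or" of the two subtrees
    static String findUser(DirContext ctx, String samAccountName) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        String filter = "(sAMAccountName=" + escapeFilterValue(samAccountName) + ")";
        for (String base : BASES) {
            NamingEnumeration<SearchResult> results = ctx.search(base, filter, sc);
            try {
                if (results.hasMore()) {
                    return results.next().getNameInNamespace();
                }
            } finally {
                results.close();
            }
        }
        return null;
    }
}
```

Call connect("ldap://com.test.net:389", "myuser", "mypassword") and then findUser(ctx, name); a directory that stops answering now surfaces as a NamingException after the read timeout rather than a thread stuck forever.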