Welcome to the Ranch, Suman! Could you please not double-space your postings? Newer monitors don't offer the vertical display space that older ones did and it's hard to read.
Your critical keyword in this matter is LDAP base. That base MUST be the lowest common denominator directory for all searches. Don't worry about overhead. Your search patterns will restrict the actual searching to only the areas of interest.
You need 2 separate search patterns, which means that the master search pattern is a logical "or" relationship between the two. This is basic LDAP searching and actually quite common. For details on complex LDAP searches, visit our JNDI/LDAP forum, where the experts hang out.
An IDE is no substitute for an Intelligent Developer.
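To make the "one base, two patterns joined by OR" advice concrete, here is an added example (not code from the thread or from Tomcat) that builds such a combined filter in the style of a JNDIRealm userSearch. It assumes a hypothetical directory where the two departments sit under one common base and each user entry carries an ou attribute; the login name substituted for {0} is escaped per RFC 4515 so that it can only ever be matched as a value, never change the shape of the filter.

```python
from typing import Sequence

# Added example, not from the thread or from Tomcat: combine the two
# per-subtree search patterns into a single OR filter searched from the
# common base, escaping the {0} value so a login name is matched literally.

# RFC 4515 escapes for characters that have meaning inside a filter.
_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_search(patterns: Sequence[str], username: str) -> str:
    """Return one filter that is the logical OR of the given patterns.

    Each pattern is written JNDIRealm-style with {0} standing for the login
    name. One pattern is returned as-is; several are wrapped in (|...) so the
    directory is searched once, from the common base, for all of them.
    """
    if not patterns:
        raise ValueError("at least one search pattern is required")
    uid = escape_filter_value(username)
    filled = [p.replace("{0}", uid) for p in patterns]
    if len(filled) == 1:
        return filled[0]
    return "(|" + "".join(filled) + ")"


# Hypothetical layout: two departments under one common base, and user
# entries that carry an ou attribute naming the department (assumption).
COMMON_BASE = "dc=example,dc=com"
PATTERNS = [
    "(&(ou=sales)(uid={0}))",
    "(&(ou=engineering)(uid={0}))",
]

if __name__ == "__main__":
    print("base:  ", COMMON_BASE)
    print("filter:", build_user_search(PATTERNS, "jdoe"))
    # A name containing filter metacharacters is escaped, not interpreted.
    print("filter:", build_user_search(PATTERNS, "j*doe"))
```

Only entries matched by one of the two patterns are ever returned, so widening the base to the common root does not by itself widen who can authenticate.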
Thanks Tim. Yeah, I can change the LDAP base to the common denominator. But if I change the LDAP base to the common root level, all the users will be able to access the application. Due to security reasons we don't want all the users to search the entire LDAP. Is there any way to restrict the users? I can do the same by searching two sub domains through Java code. But is there any such feature available through Tomcat? However, this is somehow manageable, but we are facing a timeout exception once a month. At that moment, no user can log in. After restarting Tomcat, all users are able to log in. I couldn't find any issue with my configuration. So it seems this is because of network congestion. Is there any way to prevent this in Tomcat 6.0.14?
Don't confuse the security for the appserver with the security for app users.
Just because the appserver can see all levels doesn't mean that application code can, since the application code doesn't see that particular JNDI client at all. If the app wants JNDI, it has to make its own connections.
If you are concerned about someone misusing the appserver credentials, then LDAP servers typically do support a fine enough security granularity to prevent that. And in any event, any shop following even rudimentary security standards isn't going to allow just anybody to see the server config files. That includes developers, since Realms are plug-replaceable and they can use a MemoryRealm and the tomcat-users.xml file for testing.
Thanks Tim. Any help on resolving the timeout error? I see this once a month or twice a month.