
Getting timeout exception while connecting to ldap from tomcat

 
suman vadde
Greenhorn
Posts: 4
Hi Friends,

My application uses LDAP for authentication.
Below are my configuration details.
I'm using the search scope SearchControls.SUBTREE_SCOPE in my Java class.

I'm using Tomcat 6.0.14.

Any help is highly appreciated.

Tomcat's server.xml:

<Resource name="myapp"
    auth="Container"
    type="com.sun.jndi.ldap.LdapCtx"
    factory="com.test.MyLdapFactory"
    java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
    com.sun.jndi.ldap.connect.pool="false"
    java.naming.provider.url="ldap://com.test.net:389"
    java.naming.security.authentication="simple"
    java.naming.security.principal="myuser"
    java.naming.security.credentials="mypassword"
    ldap.base="ou=users,ou=java team,ou=development,ou=software unit,DC=SOU,DC=example,DC=com"
    ldap.filter="samaccountname"
/>

NOTE: Sometimes it gets a timeout exception. After restarting Tomcat it connects fine. Please help me on this.


Thanks,

Suman


 
Tim Holloway
Saloon Keeper
Posts: 18014
Welcome to the Ranch, Suman! Could you please not double-space your postings? Newer monitors don't offer the vertical display space that older ones did and it's hard to read.

Your critical keyword in this matter is LDAP base. That base MUST be the lowest common denominator directory for all searches. Don't worry about overhead. Your search patterns will restrict the actual searching to only the areas of interest.

You need 2 separate search patterns, which means that the master search pattern is a logical "or" relationship between the two. This is basic LDAP searching and actually quite common. For details on complex LDAP searches, visit our JNDI/LDAP forum, where the experts hang out.
 
suman vadde
Greenhorn
Posts: 4
Thanks Tim. Yeah, I can change the LDAP base to the common denominator. But if I change the LDAP base to the common root level, all the users will be able to access the application. Due to security reasons we don't want all the users to search the entire LDAP. Is there any way to restrict the users? I can do the same by searching two sub-domains through Java code. But is there any such feature available through Tomcat? However, this is somehow manageable, but we are facing a timeout exception once a month. At that moment, no user can log in. After restarting Tomcat, all users will be able to log in. I couldn't find any issue with my configurations. So it seems this is because of network congestion; is there any way to prevent this in Tomcat 6.0.14?

Thanks a lot for your support Tim.

Regards,
Suman
 
Tim Holloway
Saloon Keeper
Posts: 18014
Don't confuse the security for the appserver with the security for app users.

Just because the appserver can see all levels doesn't mean that application code can, since the application code doesn't see that particular JNDI client at all. If the app wants JNDI, it has to make its own connections.

If you are concerned about someone misusing the appserver credentials, then LDAP servers typically do support a fine enough security granularity to prevent that. And in any event, any shop following even rudimentary security standards isn't going to allow just anybody to see the server config files. That includes developers, since Realms are plug-replaceable and they can use a MemoryRealm and the tomcat-users.xml file for testing.
 
suman vadde
Greenhorn
Posts: 4
Thanks Tim. Any help on resolving the timeout error? I see this once or twice a month.
 
Tim Holloway
Saloon Keeper
Posts: 18014
I believe that you can set the timeout interval as a JVM environment parameter ("-D" option), but you'll have to look up the docs on the JNDI provider being used.

You can declare this value in JAVA_OPTS in the Tomcat setenv.sh/setenv.bat file.
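The following is an added example, not code from the original thread or from the poster's com.test.MyLdapFactory. It pulls together the two points raised above: searching only the permitted subtrees (here done the way Suman describes, one search per base DN from the application's own JNDI context, rather than a single root-level base) and giving the Sun/Oracle JNDI LDAP provider explicit connect and read timeouts so a stalled connection fails fast instead of hanging until Tomcat is restarted. The timeouts are set as JNDI environment properties (com.sun.jndi.ldap.connect.timeout and com.sun.jndi.ldap.read.timeout, in milliseconds), which the provider reads from the environment table; the second base DN, the timeout values and the class name are assumptions for illustration, and the login value is escaped per RFC 4515 so a user-supplied name cannot change the filter's structure.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Hypothetical helper; not the poster's com.test.MyLdapFactory. */
public class ScopedLdapLookup {

    // Values copied from the server.xml in the first post.
    private static final String PROVIDER_URL = "ldap://com.test.net:389";
    private static final String BIND_DN = "myuser";
    private static final String BIND_PASSWORD = "mypassword";
    private static final String FILTER_ATTRIBUTE = "samaccountname";

    // The subtrees the application may match users in. Only the first DN is
    // from the original post; the second is a constructed example.
    private static final String[] SEARCH_BASES = {
        "ou=users,ou=java team,ou=development,ou=software unit,DC=SOU,DC=example,DC=com",
        "ou=users,ou=qa team,ou=development,ou=software unit,DC=SOU,DC=example,DC=com"
    };

    /** JNDI environment with explicit connect/read timeouts (assumed values). */
    static Hashtable<String, String> environment() {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PASSWORD);
        // Provider-specific properties, in milliseconds. Without them a
        // half-open TCP connection can block a search indefinitely.
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "10000");
        env.put("com.sun.jndi.ldap.connect.pool", "false");
        return env;
    }

    /** RFC 4515 escaping so a login name cannot alter the filter structure. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Search each permitted subtree in turn and return the matching DNs.
     * Scoping by base DN keeps accounts outside these OUs from ever matching,
     * whatever the bind account itself is allowed to read.
     */
    static List<String> findUser(String login) throws NamingException {
        String filter = "(" + FILTER_ATTRIBUTE + "=" + escapeFilterValue(login) + ")";
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[0]); // DNs only
        controls.setTimeLimit(10000);                    // server-side limit, ms

        List<String> matches = new ArrayList<String>();
        DirContext ctx = new InitialDirContext(environment());
        try {
            for (String base : SEARCH_BASES) {
                NamingEnumeration<SearchResult> results = ctx.search(base, filter, controls);
                try {
                    while (results.hasMore()) {
                        matches.add(results.next().getNameInNamespace());
                    }
                } finally {
                    results.close();
                }
            }
        } finally {
            ctx.close(); // never keep a context open across a timeout
        }
        return matches;
    }

    public static void main(String[] args) throws NamingException {
        String login = args.length > 0 ? args[0] : "jdoe"; // constructed sample login
        for (String dn : findUser(login)) {
            System.out.println(dn);
        }
    }
}
```

Because the context is created per lookup and closed in a finally block, a timeout surfaces as a NamingException for that one request rather than poisoning a long-lived connection, which is the failure mode the once-a-month restart was working around.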
 