views:

2508

answers:

4

I need to put an LDAP contextSource into my JEE container's JNDI tree so it can be used by applications inside the container.

I'm using Spring-LDAP to perform queries against ORACLE OVD. For development, I simply set up the contextSource in the Spring xml configuration file. For production, however, I need to be able to use a JNDI lookup to grab the connection/context from the container (as suggested here: http://forum.springframework.org/showthread.php?t=35122&highlight=jndi). I'm not allowed to have access to the URL/username/pwd for the production OVD instance, so that seems to rule out putting it in a jndi.properties file.

Ideally, I'd like to have a pool of connections (just like JDBC), as my application may have many LDAP queries executing at the same time. Grabbing the object from a JNDI lookup and injecting it into my SimpleLdapTemplate seems pretty straightforward, but I'm at a loss as to how to get the connection/context/pool into the JNDI tree. Would I need to construct it and package it into a RAR? If so, what are some options for letting the operations team specify the URL/username/pwd in a way that they are not accessible to the developers?

The specific container I'm using is OAS/OC4J, though I welcome strategies that have worked on other containers as well.

A: 

Any chance you can set up a dev version of LDAP and use that? Then you can use a jndi.properties file, which would be environment specific, but agnostic to your system.

Edit: the difference here is that when you build your app, your admin can deploy it to the production system, thereby protecting the precious ldap password as it only exists in the properties file on the production box.

Spencer K
A: 

A bit convoluted, but perhaps your sysadmin could store the username/password in your database, either encrypted, or on a table with limited access rights?

Something like (pseudo-beans)

<!-- Reads the LDAP username/password from a restricted database table at startup -->
<bean id="ldapCredentialsProvider"
    class="com.acme.YourCredentialsProvider"
    init-method="readCredentials">
    <property name="dataSource" ref="yourDataSource"/>
</bean>

<!-- Expose the looked-up values as beans so the contextSource can reference them -->
<bean id="username"
    factory-bean="ldapCredentialsProvider"
    factory-method="getUsername"/>

<bean id="password"
    factory-bean="ldapCredentialsProvider"
    factory-method="getPassword"/>

Edit:

And in dev, your ldapCredentialProvider bean could be a simple properties-file-based implementation?

toolkit
+2  A: 

Specifically in reference to the actual pooling of LDAP connections, if you are using the built-in JNDI LDAP provider, the connections are pooled already using semantics similar to JDBC data sources, where separate pools are maintained for different LDAP URLs and security properties.

When creating a JNDI DirContext, configure the property com.sun.jndi.ldap.connect.pool to be true and pooling will be enabled.

There is more information on LDAP pooling here.

Details on configuring LDAP pooling are here.

Nicholas
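As an added illustration of the pooling described in this answer (not code from the original thread): a DirContext created with `com.sun.jndi.ldap.connect.pool=true`, with pool limits set as JVM system properties, and the bind credentials taken from container-level properties whose names (`ldap.url`, `ldap.principal`, `ldap.credentials`) are hypothetical and would be set by the operations team rather than appear in any developer-visible file.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public final class PooledLdapExample {

    static {
        // Pool sizing and idle timeout are JVM-wide system properties, not per-context entries.
        System.setProperty("com.sun.jndi.ldap.connect.pool.maxsize", "20");
        System.setProperty("com.sun.jndi.ldap.connect.pool.prefsize", "5");
        System.setProperty("com.sun.jndi.ldap.connect.pool.timeout", "300000"); // idle ms before close
    }

    /** JNDI environment for one pool: connections are keyed by URL plus these security settings. */
    static Hashtable<String, String> environment(String url, String principal, String credentials) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);                 // expected to be an ldaps:// URL
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        env.put("com.sun.jndi.ldap.connect.pool", "true");  // enables pooling for this environment
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "10000");
        return env;
    }

    /** Counts entries matching a uid; the filter argument form keeps user input out of the filter syntax. */
    static int countByUid(Hashtable<String, String> env, String base, String uid) throws NamingException {
        DirContext ctx = new InitialDirContext(env);       // borrows a connection from the pool
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]);
            NamingEnumeration<SearchResult> results = ctx.search(base, "(uid={0})", new Object[] {uid}, sc);
            int n = 0;
            while (results.hasMore()) { results.next(); n++; }
            return n;
        } finally {
            ctx.close();                                   // returns the connection to the pool
        }
    }

    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = environment(System.getProperty("ldap.url"),
            System.getProperty("ldap.principal"), System.getProperty("ldap.credentials"));
        System.out.println(countByUid(env, "ou=people,dc=example,dc=com", args.length > 0 ? args[0] : "jdoe"));
    }
}
```

Every InitialDirContext built from an identical environment shares the same pool, so the same URL and bind identity must be used consistently for pooling to take effect.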
A: 

With JBoss, you can federate external JNDI contexts into the JBoss server JNDI namespace. All you have to do is describe the LDAP access in an MBean configuration file. You can also enable caching.

We're using this solution to access an Active Directory server.

http://www.jboss.org/community/docs/DOC-9726