Configuring LDAP authentication

You can allow Derby to authenticate users against an existing LDAP directory service within your enterprise. LDAP (lightweight directory access protocol) provides an open directory access protocol running over TCP/IP. An LDAP directory service can quickly authenticate a user's name and password.

The runtime library provided with the Java Development Kit (JDK) includes libraries that allow you to access an LDAP directory service. See the API documentation for the javax.naming.ldap package at http://docs.oracle.com/javase/8/docs/api/, the LDAP section of the JNDI tutorial at http://docs.oracle.com/javase/tutorial/jndi/ldap/, and the LDAP section of the JNDI specification at http://docs.oracle.com/javase/1.5.0/docs/guide/jndi/spec/jndi/jndi.5.html#pgfId=999241.

To use an LDAP directory service, set derby.authentication.provider to LDAP and specify appropriate permissions in your security policy file (see Configuring Java security.

This section describes how to authenticate users with the OpenDS LDAP server.

• Booting an LDAP server
  To begin, launch the OpenDS QuickSetup JNLP (Java Web Start) installer, then follow the installation steps to set up your directory server.
• Setting up Derby to use your LDAP directory service
  When specifying LDAP as your authentication service, you must specify what LDAP server to use.
• Guest access to search for DNs
  In an LDAP system, users are hierarchically organized in the directory as a set of entries. An entry is a set of name-attribute pairs identified by a unique name, called a DN (distinguished name).
• LDAP performance issues
  For performance reasons, the LDAP directory server should be in the same LAN as Derby. Derby does not cache the user's credential information locally and thus must connect to the directory server every time a user connects.
• LDAP restrictions
  Derby does not support LDAP groups.
• JNDI-specific properties for external directory services
  Derby allows you to set a few advanced JNDI properties, which you can set in any of the supported ways of setting Derby properties. Typically you would set these at the same level (database or system) for which you configured the external authentication service.