Setting up Derby to use your LDAP directory service

When specifying LDAP as your authentication service, you must specify what LDAP server to use.

To connect to the OpenDS LDAP server, add the following lines to your Derby configuration file, derby.properties. You may also want to store these properties in your database and lock them down by setting the derby.database.propertiesOnly property (see Configuring coarse-grained user authorization for an example of how to lock down database properties):

derby.connection.requireAuthentication=true
derby.authentication.server=ldap://127.0.0.1:1389
derby.authentication.provider=LDAP
derby.authentication.ldap.searchAuthPW=YOUR_SELECTED_PASSWORD
derby.authentication.ldap.searchAuthDN=cn=Directory Manager
derby.authentication.ldap.searchBase=dc=example,dc=com
derby.authentication.ldap.searchFilter=objectClass=person

Finally, start ij in the directory where you created your derby.properties (this ensures that embedded Derby will come up with the authentication settings listed above). Run the following commands:

java org.apache.derby.tools.ij
ij version 10.11
ij> connect 'jdbc:derby:testdb;create=true;user=tquist;password=tquist';

Verify that authentication works by trying to connect again, this time with bad credentials:

java org.apache.derby.tools.ij
ij version 10.11
ij> connect 'jdbc:derby:testdb;create=true;user=tquist;password=badpassword';
ERROR 08004: Connection authentication failure occurred. Reason: Invalid authentication...

When you set the property derby.authentication.server, you can specify the LDAP server using just the server name, the server name and its port number separated by a colon, or a full LDAP URL as in the example above. If you do not provide a full URL, Derby uses unencrypted LDAP by default. To use SSL-encrypted LDAP, specify a URL that starts with ldaps://. For details on the derby.authentication.server and derby.authentication.provider properties, see the Derby Reference Manual.
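As an added example (not part of Derby or its documentation), the following script reads a derby.properties file, interprets derby.authentication.server in the three forms described above, and reports the settings a reviewer would flag: an unencrypted ldap:// server, a clear-text searchAuthPW in the file, and a search account that is the directory root. SAMPLE is the configuration from this page, embedded as constructed input.

```python
"""Audit the LDAP settings in a derby.properties file (added example; not
Derby code). The keys are those listed above; SAMPLE is constructed."""
from urllib.parse import urlsplit

SAMPLE = """\
derby.connection.requireAuthentication=true
derby.authentication.server=ldap://127.0.0.1:1389
derby.authentication.provider=LDAP
derby.authentication.ldap.searchAuthPW=YOUR_SELECTED_PASSWORD
derby.authentication.ldap.searchAuthDN=cn=Directory Manager
derby.authentication.ldap.searchBase=dc=example,dc=com
derby.authentication.ldap.searchFilter=objectClass=person
"""

def parse_properties(text):
    """Read key=value lines ('#' and '!' start comments). Only the first '='
    splits, so a DN value such as cn=Directory Manager survives intact."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_server(spec):
    """Interpret derby.authentication.server in its three accepted forms:
    'host', 'host:port', or a full ldap:// or ldaps:// URL. Returns
    (scheme, host, port); port is None when the provider default applies."""
    if "://" in spec:
        url = urlsplit(spec)
        return url.scheme.lower(), url.hostname, url.port
    host, _, port = spec.partition(":")
    return "ldap", host, (int(port) if port else None)

def audit(props):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    if props.get("derby.connection.requireAuthentication", "").lower() != "true":
        findings.append("requireAuthentication is not true: credentials are never checked")
    if props.get("derby.authentication.provider", "").upper() != "LDAP":
        findings.append("provider is not LDAP")
    server = props.get("derby.authentication.server", "")
    if not server:
        findings.append("derby.authentication.server is not set")
    elif parse_server(server)[0] != "ldaps":
        findings.append("server %s: bind DN, password and user credentials travel unencrypted; use an ldaps:// URL" % server)
    if "derby.authentication.ldap.searchAuthPW" in props:
        findings.append("searchAuthPW is in clear text in derby.properties; store it in the database and set derby.database.propertiesOnly")
    if props.get("derby.authentication.ldap.searchAuthDN", "").lower() == "cn=directory manager":
        findings.append("searchAuthDN is the OpenDS root account; a read-only account scoped to searchBase is enough for the search")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE)):
        print("-", finding)
```

Run against the page's own configuration it reports three findings; pointing derby.authentication.server at an ldaps:// URL removes the first.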

Note: If you run Java DB under a Java security manager, your policy file will need to grant Derby the privilege to connect to the LDAP server. To see how to do this, consult the policy file shown in Sample customized Java security policy file. Specifically, you will need to grant java.net.SocketPermission to derby.jar, so that the Derby code is allowed to contact the LDAP server to perform the authentication.
Related concepts
Booting an LDAP server
Guest access to search for DNs
LDAP performance issues
LDAP restrictions
JNDI-specific properties for external directory services