> Can someone give me a pointer on where to look? I need to use LDAP or
> other method to separate the password from the J2EE app server. We
> can't lock our app server down as well as I would like, so I don't want
> any passwords compromised.
> I know this is a common practice, and I've read about it before, but for
> the life of me I can't find anything.

I see no problem with it at all. Just query your LDAP server via JNDI (most
likely you will need separate provider, available from Sun), obtain password
there and use DataSource.getConnection(String, String) method instead of
DataSource.getConnection() which uses user name and password stored in
configuration. You will still need to specify something correct there, but
that means that you only create a guest user with no permissions in your
database. It will be able to connect to the database (and, if I'm not
mistaken, query RDB$ tables), but that's all.

Roman