I have a sandbox application that I once had working using a DAO authentication provider. I'm trying to get it working using an ldap-authentication-provider. We use Lotus Domino servers in our environment and we have LDAP running on them. Within our Domino environment, we have several directories set up, and any LDAP connection request scans all of the directories for a match. Now, some of the users that will authenticate are registered users in the organization, so their LDAP entries have an organization. In another directory, though, users are all basically generic users; we use that directory for clients who log in to our website. So I'm just curious what the best practice is for configuration.

This is what my security-config.xml file looks like.

Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans"
	xmlns:context="http://www.springframework.org/schema/context"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:p="http://www.springframework.org/schema/p"
	xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">
	
	<http auto-config="true">
		<intercept-url pattern="/css/**" filters="none" />
		<intercept-url pattern="/**" access="ROLE_ADMINISTRATORS" />
	</http>
	
	<!-- Will probably need to provide a manager dn and password for authentication -->
	<ldap-server url="ldap://ldap.acme.com" port="389" />
	
	
	<authentication-manager alias="authenticationManager">
		<!-- <authentication-provider ref="daoAuthenticationProvider" /> -->
		<ldap-authentication-provider user-search-filter="cn={0}" user-search-base="o=FOO" />
		<ldap-authentication-provider user-search-filter="cn={0}" user-search-base="o=BAR" />
		<ldap-authentication-provider user-dn-pattern="cn={0}" />
	</authentication-manager>
	
	<beans:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"
			p:userDetailsService-ref="wntUserDetailsService"
			p:passwordEncoder-ref="wntPasswordEncoder" />	
	
</beans:beans>
I've got 2 ldap-authentication-providers set up with search filters and have set a different base for each of them. The third one just uses a DN pattern. The idea is that everybody logs in with their email address. Is this the best practice for doing it?

thanks.
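
An added example, not part of the original post: a variant of the posted fragment that matches the stated goal of logging in by email address, binds with a manager DN as the comment in the post anticipates, and uses LDAPS so that bind passwords do not cross the network unencrypted on port 389. The `mail` attribute, the `ldap.properties` file with its two property names, and an SSL listener on port 636 of the Domino servers are assumptions.

```xml
<!-- Added example (not from the original post); goes inside <beans:beans>. -->

<!-- Assumption: ldap.properties on the classpath defines ldap.manager.dn
     and ldap.manager.password, keeping the credentials out of this file. -->
<context:property-placeholder location="classpath:ldap.properties" />

<!-- ldaps:// instead of plain ldap:// on 389: the provider authenticates
     with a simple bind, which sends the user's password unencrypted when
     the connection is plain LDAP.
     Assumption: the Domino LDAP task has an SSL port enabled on 636. -->
<ldap-server url="ldaps://ldap.acme.com:636"
	manager-dn="${ldap.manager.dn}"
	manager-password="${ldap.manager.password}" />

<authentication-manager alias="authenticationManager">
	<!-- Providers are tried in the order listed until one authenticates.
	     Each one searches its base for the entry whose mail attribute
	     (assumed attribute name) equals the submitted login, then binds
	     as the DN it found using the submitted password. -->
	<ldap-authentication-provider user-search-filter="(mail={0})" user-search-base="o=FOO" />
	<ldap-authentication-provider user-search-filter="(mail={0})" user-search-base="o=BAR" />
	<!-- Generic client accounts: a user-dn-pattern only works when the
	     login is part of the DN, so an email login needs a search here too.
	     With no user-search-base the search starts at the server root. -->
	<ldap-authentication-provider user-search-filter="(mail={0})" />
</authentication-manager>
```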