tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Matt Warren <mwar...@hnw.com>
Subject Re: JNDI Realm and Active Directory root search
Date Wed, 01 Nov 2006 17:24:08 GMT
With that lead, I figured out what was going on.

Two issues:
- referrals="follow" is required if you search from the top of an ldap tree
instead of a specific OU. That property is not documented in Tomcat docs as
it might be: 
http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#JNDIRealm

Without it, you'll get a

javax.naming.PartialResultException: Unprocessed Continuation Reference(s);
remaining name 'dc=company,dc=com'

- The referral URL returned by AD is not why one might expect.

If your Tomcat server is NOT using DNS provided by the AD server you will
likely run into a problem.

When searching LDAP from the root,  you will get a referral reply from AD
that has a server DNS name of JUST the domain name (ie company.com). NOT the
initial server name you used in your connectionURL. If your DNS or your
local hosts files does not resolve that root domain name to an AD server, it
will throw a 

javax.naming.PartialResultException [Root exception is
javax.naming.CommunicationException: company.com:389
[Root exception is java.net.UnknownHostException: company.com]]

I've tried to update this integration guide. Hopefully "The Google" will
help others in the future:

http://www.jspwiki.org/wiki/ActiveDirectoryIntegration


> http://www.mail-archive.com/cas@tp.its.yale.edu/msg00797.html
> 
> In this case I suggest adjusting the local hosts file to fool DNS
> (c:\windows\system32\drivers\etc\hosts). Find out the wrong DNS name in
> the referral and point that name to your real AD.
> 
> -- Velpi
> 
>> I'm trying to get a JNDI Realm working as one might expect with Active
>> Directory.
>> 
>> Tomcat 5.5.20
>> Java 1.5.06
>> Windows 2000 Server
>> 
>> The basic issue is that searching from a domain root "dc=company,dc=com" and
>> using userSubtree="true" results in:
>> 
>> Oct 31, 2006 3:18:20 PM org.apache.catalina.realm.JNDIRealm authenticate
>> SEVERE: Exception performing authentication
>> javax.naming.PartialResultException: Unprocessed Continuation Reference(s);
>> remaining name 'dc=company,dc=com'
>> 
>> If I use a more specific search base of "ou=Employees,dc=company,dc=com" and
>> then the userSubtree is irrelevant, it works fine.
>> 
>> Problem is our AD structure demands that users be in two different OU's and
>> thus the search must be done from the root. I understand that AD does not
>> handle referrals as expected and that could be contributing.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message