From: "Zsolt Koppany"
To: "'Tomcat Users List'"
Subject: RE: JNDI Realm and Active Directory root search
Date: Thu, 2 Nov 2006 12:21:16 +0100

Matt, what do you mean by 'referrals="follow"'? Is that a JNDI configuration option?
Zsolt

> -----Original Message-----
> From: Matt Warren [mailto:mwarren@hnw.com]
> Sent: Wednesday, November 01, 2006 6:24 PM
> To: Tomcat Users List
> Subject: Re: JNDI Realm and Active Directory root search
>
> With that lead, I figured out what was going on.
>
> Two issues:
>
> - referrals="follow" is required if you search from the top of an LDAP tree
> instead of a specific OU. That property is not documented in the Tomcat docs
> as it might be:
> http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#JNDIRealm
>
> Without it, you'll get a
>
> javax.naming.PartialResultException: Unprocessed Continuation Reference(s);
> remaining name 'dc=company,dc=com'
>
> - The referral URL returned by AD is not what one might expect.
>
> If your Tomcat server is NOT using DNS provided by the AD server you will
> likely run into a problem.
>
> When searching LDAP from the root, you will get a referral reply from AD
> that has a server DNS name of JUST the domain name (i.e. company.com), NOT
> the initial server name you used in your connectionURL. If your DNS or your
> local hosts file does not resolve that root domain name to an AD server, it
> will throw a
>
> javax.naming.PartialResultException [Root exception is
> javax.naming.CommunicationException: company.com:389
> [Root exception is java.net.UnknownHostException: company.com]]
>
> I've tried to update this integration guide. Hopefully "The Google" will
> help others in the future:
>
> http://www.jspwiki.org/wiki/ActiveDirectoryIntegration
>
> > http://www.mail-archive.com/cas@tp.its.yale.edu/msg00797.html
> >
> > In this case I suggest adjusting the local hosts file to fool DNS
> > (c:\windows\system32\drivers\etc\hosts). Find out the wrong DNS name in
> > the referral and point that name to your real AD.
> >
> > -- Velpi
> >
> >> I'm trying to get a JNDI Realm working as one might expect with Active
> >> Directory.
> >>
> >> Tomcat 5.5.20
> >> Java 1.5.06
> >> Windows 2000 Server
> >>
> >> The basic issue is that searching from a domain root "dc=company,dc=com" and
> >> using userSubtree="true" results in:
> >>
> >> Oct 31, 2006 3:18:20 PM org.apache.catalina.realm.JNDIRealm authenticate
> >> SEVERE: Exception performing authentication
> >> javax.naming.PartialResultException: Unprocessed Continuation Reference(s);
> >> remaining name 'dc=company,dc=com'
> >>
> >> If I use a more specific search base of "ou=Employees,dc=company,dc=com",
> >> then the userSubtree is irrelevant and it works fine.
> >>
> >> Problem is our AD structure demands that users be in two different OUs and
> >> thus the search must be done from the root. I understand that AD does not
> >> handle referrals as expected and that could be contributing.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
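A server.xml JNDIRealm fragment illustrating the two points in Matt's reply, added here as an example and not taken from the thread or from the Tomcat documentation: the first Realm searches from the domain root without referrals="follow" and fails as the thread describes; the second adds the attribute. The host name dc1.company.com, the bind account DN and the password are placeholders.

```xml
<!-- Before: userBase is the domain root and userSubtree="true", but no
     referrals attribute. AD answers the root search with a continuation
     reference the realm does not chase, so authentication fails with
     javax.naming.PartialResultException: Unprocessed Continuation Reference(s) -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://dc1.company.com:389"
       connectionName="cn=tomcat-bind,ou=Service Accounts,dc=company,dc=com"
       connectionPassword="PLACEHOLDER-BIND-PASSWORD"
       userBase="dc=company,dc=com"
       userSubtree="true"
       userSearch="(sAMAccountName={0})"
       roleBase="dc=company,dc=com"
       roleSubtree="true"
       roleName="cn"
       roleSearch="(member={0})"/>

<!-- After: referrals="follow" is passed through to the JNDI environment as
     javax.naming.Context.REFERRAL, so the realm chases the reference. AD names
     the referral target by the bare domain (company.com, not dc1.company.com),
     so that name must resolve to a domain controller from the Tomcat host,
     either through AD-provided DNS or a hosts-file entry; otherwise the error
     becomes java.net.UnknownHostException: company.com as shown in the thread. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://dc1.company.com:389"
       connectionName="cn=tomcat-bind,ou=Service Accounts,dc=company,dc=com"
       connectionPassword="PLACEHOLDER-BIND-PASSWORD"
       referrals="follow"
       userBase="dc=company,dc=com"
       userSubtree="true"
       userSearch="(sAMAccountName={0})"
       roleBase="dc=company,dc=com"
       roleSubtree="true"
       roleName="cn"
       roleSearch="(member={0})"/>
```

The bind account only needs read access to the user and group objects the realm searches. Because referrals="follow" makes the JVM open a connection to whatever host the referral names, pin that name to a known domain controller (hosts file or trusted DNS) rather than leaving it to an arbitrary resolver.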