With that lead, I figured out what was going on. Two issues:

- referrals="follow" is required if you search from the top of an LDAP tree
  instead of a specific OU. That property is not documented in Tomcat docs as
  it might be:
  http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#JNDIRealm

  Without it, you'll get a javax.naming.PartialResultException: Unprocessed
  Continuation Reference(s); remaining name 'dc=company,dc=com'

- The referral URL returned by AD is not what one might expect. If your
  Tomcat server is NOT using DNS provided by the AD server you will likely run
  into a problem. When searching LDAP from the root, you will get a referral
  reply from AD that has a server DNS name of JUST the domain name
  (i.e. company.com), NOT the initial server name you used in your
  connectionURL. If your DNS or your local hosts file does not resolve that
  root domain name to an AD server, it will throw a
  javax.naming.PartialResultException [Root exception is
  javax.naming.CommunicationException: company.com:389 [Root exception is
  java.net.UnknownHostException: company.com]]

I've tried to update this integration guide. Hopefully "The Google" will help
others in the future:
http://www.jspwiki.org/wiki/ActiveDirectoryIntegration

> http://www.mail-archive.com/cas@tp.its.yale.edu/msg00797.html
>
> In this case I suggest adjusting the local hosts file to fool DNS
> (c:\windows\system32\drivers\etc\hosts). Find out the wrong DNS name in
> the referral and point that name to your real AD.
>
> -- Velpi
>
>> I'm trying to get a JNDI Realm working as one might expect with Active
>> Directory.
>>
>> Tomcat 5.5.20
>> Java 1.5.06
>> Windows 2000 Server
>>
>> The basic issue is that searching from a domain root "dc=company,dc=com" and
>> using userSubtree="true" results in:
>>
>> Oct 31, 2006 3:18:20 PM org.apache.catalina.realm.JNDIRealm authenticate
>> SEVERE: Exception performing authentication
>> javax.naming.PartialResultException: Unprocessed Continuation Reference(s);
>> remaining name 'dc=company,dc=com'
>>
>> If I use a more specific search base of "ou=Employees,dc=company,dc=com" and
>> then the userSubtree is irrelevant, it works fine.
>>
>> Problem is our AD structure demands that users be in two different OU's and
>> thus the search must be done from the root.
>> I understand that AD does not
>> handle referrals as expected and that could be contributing.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
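As an added illustration, not taken from this thread or from the Tomcat docs, here are the two JNDIRealm configurations side by side: the one that fails when the search base is the domain root, and the one with referrals="follow" that the poster found necessary. The host name, bind account, password and OU names are placeholders.

```xml
<!-- Added example, not from the thread. ad-server.company.com, the bind
     account and PLACEHOLDER are assumptions. Context: a Tomcat 5.5
     server.xml <Realm> inside <Engine> or <Host>. -->

<!-- 1. Fails: search base is the domain root and referrals is left at its
        default. AD answers the subtree search with a continuation reference
        for "dc=company,dc=com", and JNDIRealm surfaces it as
        javax.naming.PartialResultException. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ad-server.company.com:389"
       connectionName="cn=tomcat-bind,ou=Service Accounts,dc=company,dc=com"
       connectionPassword="PLACEHOLDER"
       userBase="dc=company,dc=com"
       userSubtree="true"
       userSearch="(sAMAccountName={0})"
       roleBase="dc=company,dc=com"
       roleSubtree="true"
       roleName="cn"
       roleSearch="(member={0})" />

<!-- 2. Works: identical search, plus referrals="follow". The referral that AD
        returns names only the bare domain (company.com), so the Tomcat host
        must resolve that name to a domain controller, via DNS or the hosts
        file; otherwise the same PartialResultException is thrown, now with a
        java.net.UnknownHostException for company.com as its root cause. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ad-server.company.com:389"
       connectionName="cn=tomcat-bind,ou=Service Accounts,dc=company,dc=com"
       connectionPassword="PLACEHOLDER"
       referrals="follow"
       userBase="dc=company,dc=com"
       userSubtree="true"
       userSearch="(sAMAccountName={0})"
       roleBase="dc=company,dc=com"
       roleSubtree="true"
       roleName="cn"
       roleSearch="(member={0})" />
```

Because referrals="follow" makes Tomcat connect to whatever host the directory names, make sure company.com resolves to your own domain controllers, whether through DNS or through the hosts-file workaround Velpi suggests above.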