Matt, what do you mean by 'referrals="follow"'? Is that a JNDI configuration option?

Zsolt

> -----Original Message-----
> From: Matt Warren [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, November 01, 2006 6:24 PM
> To: Tomcat Users List
> Subject: Re: JNDI Realm and Active Directory root search
>
> With that lead, I figured out what was going on.
>
> Two issues:
>
> - referrals="follow" is required if you search from the top of an LDAP tree
>   instead of a specific OU. That property is not documented in the Tomcat docs
>   as it might be:
>   http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#JNDIRealm
>
>   Without it, you'll get a
>
>   javax.naming.PartialResultException: Unprocessed Continuation Reference(s);
>   remaining name 'dc=company,dc=com'
>
> - The referral URL returned by AD is not what one might expect.
>
>   If your Tomcat server is NOT using DNS provided by the AD server you will
>   likely run into a problem.
>
>   When searching LDAP from the root, you will get a referral reply from AD
>   that has a server DNS name of JUST the domain name (i.e. company.com), NOT
>   the initial server name you used in your connectionURL. If your DNS or your
>   local hosts file does not resolve that root domain name to an AD server, it
>   will throw a
>
>   javax.naming.PartialResultException [Root exception is
>   javax.naming.CommunicationException: company.com:389
>   [Root exception is java.net.UnknownHostException: company.com]]
>
> I've tried to update this integration guide. Hopefully "The Google" will
> help others in the future:
>
> http://www.jspwiki.org/wiki/ActiveDirectoryIntegration
>
> > http://www.mail-archive.com/cas@tp.its.yale.edu/msg00797.html
> >
> > In this case I suggest adjusting the local hosts file to fool DNS
> > (c:\windows\system32\drivers\etc\hosts). Find out the wrong DNS name in
> > the referral and point that name to your real AD.
> >
> > -- Velpi
> >
> >> I'm trying to get a JNDI Realm working as one might expect with Active
> >> Directory.
> >>
> >> Tomcat 5.5.20
> >> Java 1.5.06
> >> Windows 2000 Server
> >>
> >> The basic issue is that searching from a domain root "dc=company,dc=com"
> >> and using userSubtree="true" results in:
> >>
> >> Oct 31, 2006 3:18:20 PM org.apache.catalina.realm.JNDIRealm authenticate
> >> SEVERE: Exception performing authentication
> >> javax.naming.PartialResultException: Unprocessed Continuation Reference(s);
> >> remaining name 'dc=company,dc=com'
> >>
> >> If I use a more specific search base of "ou=Employees,dc=company,dc=com"
> >> then the userSubtree is irrelevant, and it works fine.
> >>
> >> Problem is our AD structure demands that users be in two different OUs and
> >> thus the search must be done from the root. I understand that AD does not
> >> handle referrals as expected and that could be contributing.
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
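A server.xml Realm fragment put together here to illustrate the two fixes Matt describes in the quoted message (the failing root search beside the one with referrals="follow"); it is an added example, not configuration from the thread. The host name ad01.company.com, the bind account, the password value and the userSearch filter are placeholders and assumptions.

```xml
<!-- Added illustration, not taken from the thread. Placeholders and assumptions:
     ad01.company.com, the bind account DN, its password and the userSearch filter.
     Use a bind account with read-only, least-privilege rights for the realm. -->

<!-- Failing form: search base at the domain root with userSubtree, but no
     referral handling. Against AD this produces
       javax.naming.PartialResultException: Unprocessed Continuation Reference(s);
       remaining name 'dc=company,dc=com' -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ad01.company.com:389"
       connectionName="cn=tomcat-bind,ou=Service Accounts,dc=company,dc=com"
       connectionPassword="PLACEHOLDER"
       userBase="dc=company,dc=com"
       userSubtree="true"
       userSearch="(sAMAccountName={0})"/>

<!-- Working form: referrals="follow" makes the realm chase the continuation
     references AD returns when the search starts at the domain root, so users
     living in different OUs are all found from one search base. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ad01.company.com:389"
       connectionName="cn=tomcat-bind,ou=Service Accounts,dc=company,dc=com"
       connectionPassword="PLACEHOLDER"
       referrals="follow"
       userBase="dc=company,dc=com"
       userSubtree="true"
       userSearch="(sAMAccountName={0})"/>

<!-- The referral names only the bare domain (company.com), not the host in
     connectionURL, so the Tomcat machine must resolve company.com to a domain
     controller. If it does not use AD's DNS, the workaround from the thread is a
     hosts entry (Windows: c:\windows\system32\drivers\etc\hosts), e.g. with a
     constructed address:
       10.0.0.5   company.com
     Otherwise the realm fails with
       javax.naming.CommunicationException: company.com:389
       [Root exception is java.net.UnknownHostException: company.com] -->
```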