Posted to users@tomcat.apache.org by Velpi <ve...@industria.be> on 2006/11/01 11:44:27 UTC

Re: JNDI Realm and Active Directory root search

> I'm trying to get a JNDI Realm working as one might expect with Active
> Directory.
> 
> Tomcat 5.5.20
> Java 1.5.06
> Windows 2000 Server
> 
> The basic issue is that searching from a domain root "dc=company,dc=com" and
> using userSubtree="true" results in:
> 
> Oct 31, 2006 3:18:20 PM org.apache.catalina.realm.JNDIRealm authenticate
> SEVERE: Exception performing authentication
> javax.naming.PartialResultException: Unprocessed Continuation Reference(s);
> remaining name 'dc=company,dc=com'
> 
> If I use a more specific search base of "ou=Employees,dc=company,dc=com" and
> then the userSubtree is irrelevant, it works fine.
> 
> Problem is our AD structure demands that users be in two different OU's and
> thus the search must be done from the root. I understand that AD does not
> handle referrals as expected and that could be contributing.

http://www.mail-archive.com/cas@tp.its.yale.edu/msg00797.html

In this case I suggest adjusting the local hosts file to fool DNS 
(c:\windows\system32\drivers\etc\hosts). Find out the wrong DNS name in 
the referral and point that name to your real AD.

-- Velpi

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: JNDI Realm and Active Directory root search

Posted by Velpi <ve...@industria.be>.
> When searching LDAP from the root,  you will get a referral reply from AD
> that has a server DNS name of JUST the domain name (ie company.com). NOT the
> initial server name you used in your connectionURL.

One small remark:
"company.com" in your post is what you chose as root object for your AD 
when you installed it. I guess this is one of the reasons why MS tells 
you to give the machine an FQDN *before* upgrading it to a domain 
controller. I've already seen a few variations from people that do not 
use their AD for DNS (e.g. company.local, etc.).

Good job ;).


Have you tried setting referrals="ignore"? I would think this would mean 
"don't bother about referrals", but in my last attempt that didn't solve 
things. What's the result in your case?


-- Velpi



RE: JNDI Realm and Active Directory root search

Posted by Zsolt Koppany <zk...@intland.com>.
Matt,

What do you mean by 'referrals="follow"'? Is that a JNDI configuration
option?

Zsolt 
> -----Original Message-----
> From: Matt Warren [mailto:mwarren@hnw.com]
> Sent: Wednesday, November 01, 2006 6:24 PM
> To: Tomcat Users List
> Subject: Re: JNDI Realm and Active Directory root search
> 
> With that lead, I figured out what was going on.
> 
> Two issues:
> - referrals="follow" is required if you search from the top of an LDAP tree
> instead of a specific OU. That property is not documented in Tomcat docs as
> it might be:
> http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#JNDIRealm
> 
> Without it, you'll get a
> 
> javax.naming.PartialResultException: Unprocessed Continuation Reference(s);
> remaining name 'dc=company,dc=com'
> 
> - The referral URL returned by AD is not what one might expect.
> 
> If your Tomcat server is NOT using DNS provided by the AD server you will
> likely run into a problem.
> 
> When searching LDAP from the root, you will get a referral reply from AD
> that has a server DNS name of JUST the domain name (i.e. company.com), NOT the
> initial server name you used in your connectionURL. If your DNS or your
> local hosts file does not resolve that root domain name to an AD server, it
> will throw a
> 
> javax.naming.PartialResultException [Root exception is
> javax.naming.CommunicationException: company.com:389
> [Root exception is java.net.UnknownHostException: company.com]]
> 
> I've tried to update this integration guide. Hopefully "The Google" will
> help others in the future:
> 
> http://www.jspwiki.org/wiki/ActiveDirectoryIntegration
> 
> 
> > http://www.mail-archive.com/cas@tp.its.yale.edu/msg00797.html
> >
> > In this case I suggest adjusting the local hosts file to fool DNS
> > (c:\windows\system32\drivers\etc\hosts). Find out the wrong DNS name in
> > the referral and point that name to your real AD.
> >
> > -- Velpi
> >
> >> I'm trying to get a JNDI Realm working as one might expect with Active
> >> Directory.
> >>
> >> Tomcat 5.5.20
> >> Java 1.5.06
> >> Windows 2000 Server
> >>
> >> The basic issue is that searching from a domain root "dc=company,dc=com" and
> >> using userSubtree="true" results in:
> >>
> >> Oct 31, 2006 3:18:20 PM org.apache.catalina.realm.JNDIRealm authenticate
> >> SEVERE: Exception performing authentication
> >> javax.naming.PartialResultException: Unprocessed Continuation Reference(s);
> >> remaining name 'dc=company,dc=com'
> >>
> >> If I use a more specific search base of "ou=Employees,dc=company,dc=com" and
> >> then the userSubtree is irrelevant, it works fine.
> >>
> >> Problem is our AD structure demands that users be in two different OU's and
> >> thus the search must be done from the root. I understand that AD does not
> >> handle referrals as expected and that could be contributing.
> 
> 




Re: JNDI Realm and Active Directory root search

Posted by Matt Warren <mw...@hnw.com>.
With that lead, I figured out what was going on.

Two issues:
- referrals="follow" is required if you search from the top of an LDAP tree
instead of a specific OU. That property is not documented in Tomcat docs as
it might be:
http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#JNDIRealm

Without it, you'll get a

javax.naming.PartialResultException: Unprocessed Continuation Reference(s);
remaining name 'dc=company,dc=com'

- The referral URL returned by AD is not what one might expect.

If your Tomcat server is NOT using DNS provided by the AD server you will
likely run into a problem.

When searching LDAP from the root, you will get a referral reply from AD
that has a server DNS name of JUST the domain name (i.e. company.com), NOT the
initial server name you used in your connectionURL. If your DNS or your
local hosts file does not resolve that root domain name to an AD server, it
will throw a

javax.naming.PartialResultException [Root exception is
javax.naming.CommunicationException: company.com:389
[Root exception is java.net.UnknownHostException: company.com]]

I've tried to update this integration guide. Hopefully "The Google" will
help others in the future:

http://www.jspwiki.org/wiki/ActiveDirectoryIntegration


> http://www.mail-archive.com/cas@tp.its.yale.edu/msg00797.html
> 
> In this case I suggest adjusting the local hosts file to fool DNS
> (c:\windows\system32\drivers\etc\hosts). Find out the wrong DNS name in
> the referral and point that name to your real AD.
> 
> -- Velpi
> 
>> I'm trying to get a JNDI Realm working as one might expect with Active
>> Directory.
>> 
>> Tomcat 5.5.20
>> Java 1.5.06
>> Windows 2000 Server
>> 
>> The basic issue is that searching from a domain root "dc=company,dc=com" and
>> using userSubtree="true" results in:
>> 
>> Oct 31, 2006 3:18:20 PM org.apache.catalina.realm.JNDIRealm authenticate
>> SEVERE: Exception performing authentication
>> javax.naming.PartialResultException: Unprocessed Continuation Reference(s);
>> remaining name 'dc=company,dc=com'
>> 
>> If I use a more specific search base of "ou=Employees,dc=company,dc=com" and
>> then the userSubtree is irrelevant, it works fine.
>> 
>> Problem is our AD structure demands that users be in two different OU's and
>> thus the search must be done from the root. I understand that AD does not
>> handle referrals as expected and that could be contributing.
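The two failure modes Matt describes, and Velpi's earlier question about why referrals="ignore" does not help, can be reproduced outside Tomcat with plain JNDI. The following is an added example written for this thread; it is not Tomcat's JNDIRealm code and not code posted by any of the participants. It assumes a reachable domain controller and uses placeholder values for the connection URL, bind DN, base DN, filter and the AD_BIND_PASSWORD environment variable. Tomcat's referrals attribute maps to the JNDI property Context.REFERRAL (java.naming.referral), which answers Zsolt's question; the search and the exception chain mirror what the realm does. One point worth keeping in mind when following referrals: the bind credentials are presented again to whatever host the referral names, so the DNS or hosts-file mapping for that bare domain name must point at a genuine domain controller and nothing else.

```java
// Added example (not Tomcat's code, not from the thread's authors): a stand-alone
// JNDI search from the AD root that reproduces what JNDIRealm does, so the two
// failure modes discussed in the thread can be told apart. URL, bind DN, base DN,
// filter and the AD_BIND_PASSWORD variable are placeholders.
import java.net.UnknownHostException;
import java.util.Hashtable;

import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class AdRootSearchCheck {

    /**
     * Build the JNDI environment the way the realm's connectionURL, connectionName,
     * connectionPassword and referrals attributes would. referrals="follow" in
     * server.xml ends up as Context.REFERRAL ("java.naming.referral"): it is a
     * JNDI client option, not something the directory decides.
     */
    static Hashtable<String, String> buildEnv(String url, String bindDn,
                                              String bindPassword, String referrals) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        env.put(Context.REFERRAL, referrals); // "follow", "ignore" or "throw"
        return env;
    }

    /** Subtree search from base, as userSubtree="true" does; returns the number of entries found. */
    static int countEntries(Hashtable<String, String> env, String base, String filter)
            throws NamingException {
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[] { "distinguishedName" });
            NamingEnumeration<SearchResult> results = ctx.search(base, filter, controls);
            int count = 0;
            // A search rooted at dc=company,dc=com makes AD return continuation
            // references alongside the entries. With referrals="ignore" they are
            // not chased but still surface from the enumeration as a
            // PartialResultException, which is why "ignore" alone does not cure
            // the SEVERE log line. With "follow" each reference is chased, and the
            // bare-domain-name host in the referral is what must then resolve.
            while (results.hasMore()) {
                results.next();
                count++;
            }
            return count;
        } finally {
            ctx.close();
        }
    }

    /** Map the exception chain JNDI produces onto the two causes identified in the thread. */
    static String diagnose(NamingException e) {
        // NamingException.getCause() returns the root cause, so walk to the innermost one.
        Throwable root = e;
        while (root.getCause() != null) {
            root = root.getCause();
        }
        if (root instanceof UnknownHostException) {
            // e.g. PartialResultException -> CommunicationException: company.com:389
            //      -> UnknownHostException: company.com
            return "referral host '" + root.getMessage() + "' does not resolve here; "
                    + "DNS (or the hosts file) must map it to a domain controller";
        }
        for (Throwable t = e; t != null; t = t.getCause()) {
            if (t instanceof CommunicationException) {
                return "could not connect to the referred server: " + t.getMessage();
            }
        }
        if (e instanceof PartialResultException) {
            return "unprocessed continuation reference: the base is above the user OUs, "
                    + "so the realm needs referrals=\"follow\"";
        }
        return "other naming failure: " + e;
    }

    public static void main(String[] args) {
        // Placeholder values; replace with your own directory's.
        String url = "ldap://dc1.company.com:389";
        String bindDn = "cn=tomcat-svc,ou=Service Accounts,dc=company,dc=com";
        String password = System.getenv("AD_BIND_PASSWORD");
        String base = "dc=company,dc=com";
        String filter = "(&(objectClass=user)(sAMAccountName=jdoe))";

        for (String mode : new String[] { "ignore", "follow" }) {
            try {
                int n = countEntries(buildEnv(url, bindDn, password, mode), base, filter);
                System.out.println("referrals=" + mode + ": " + n + " entries found");
            } catch (NamingException e) {
                System.out.println("referrals=" + mode + ": " + diagnose(e));
            }
        }
    }
}
```

Run with the placeholders replaced and the bind password in AD_BIND_PASSWORD: the "ignore" pass reports the continuation-reference diagnosis, and the "follow" pass either finds the user or names the referral host that the machine running Tomcat cannot resolve, which is the host the hosts-file entry discussed earlier must cover.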

