Bug #34
Ignore continuation referrals sent by AD even when ignoring referrals
| Status: | Closed | Start: | 18/02/2009 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assigned to: | Jonathan Clarke | % Done: | 100% |
| Category: | Core | | |
| Target version: | 1.1.0 | | |
| Problem in version: | | | |
Description
When performing an LDAP search on the base DN which is the root naming context of an AD server (at least on 2003), search responses come accompanied with a referral. This is some AD-specific setup. LSC currently raises an exception in such a case.
With JNDI configured to "ignore" referrals, a PartialResultException is thrown. Catching it is pointless, since we then don't have the search response anywhere.
With JNDI configured to "follow" referrals, every search result makes JNDI perform at least one other search, although an entry has already been returned as a search result. This has a HUGE performance hit. Plus, many AD domains are badly configured, and the referral cannot always be followed (DNS resolution problems).
This seems to be a common problem. It is described here: https://mail.internet2.edu/wws/arc/shibboleth-users/2008-06/msg00044.html. Solving it is important to use AD fully. A quick workaround is to base searches on a sub-container in AD (for example ou=a,dc=ad,dc=lan).
To work around this, it seems the best solution is to set referral handling to "throw", and catch referrals then skip them, as described here: http://java.sun.com/products/jndi/tutorial/ldap/referral/throw.html.
Associated revisions
In getEntry, ignore exceptions if we found the entry we want. Fixes #34
History
Updated by Jonathan Clarke over 1 year ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
Bug fixed, we now ignore exceptions if we can get one entry (which is what we're looking for).
See http://java.sun.com/j2se/1.4.2/docs/api/javax/naming/NamingEnumeration.html
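
The approach described in this ticket, shown as an added example (not LSC's own code): entries are read from the `NamingEnumeration` first, and a referral-related exception raised by `hasMore()` is tolerated only when at least one entry was already received, so an empty or failed search is never silently hidden. The names `drain` and `fakeAdResponse` are hypothetical, and the AD response is a constructed stand-in so the example runs without a directory server.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

public class ReferralTolerantRead {

    /** Drain a search; tolerate a trailing referral only if an entry was already read. */
    static List<SearchResult> drain(NamingEnumeration<SearchResult> results) throws NamingException {
        List<SearchResult> entries = new ArrayList<>();
        try {
            while (results.hasMore()) {      // hasMore() is where JNDI surfaces referrals
                entries.add(results.next());
            }
        } catch (PartialResultException | ReferralException e) {
            if (entries.isEmpty()) {
                throw e;                     // nothing usable came back: do not hide the failure
            }
            // Entries already received are valid; the continuation reference is skipped.
        } finally {
            results.close();
        }
        return entries;
    }

    /** Constructed stand-in for an AD response: the given entries, then a continuation referral. */
    static NamingEnumeration<SearchResult> fakeAdResponse(String... dns) {
        Iterator<String> it = Arrays.asList(dns).iterator();
        return new NamingEnumeration<SearchResult>() {
            public boolean hasMore() throws NamingException {
                if (it.hasNext()) return true;
                throw new PartialResultException("Unprocessed Continuation Reference(s)");
            }
            public SearchResult next() {
                return new SearchResult(it.next(), null, new BasicAttributes(true));
            }
            public boolean hasMoreElements() { return it.hasNext(); }
            public SearchResult nextElement() { return next(); }
            public void close() { }
        };
    }

    public static void main(String[] args) throws NamingException {
        System.out.println(drain(fakeAdResponse("cn=jdoe,ou=a,dc=ad,dc=lan")).size() + " entry kept");
        try {
            drain(fakeAdResponse());         // referral with no entry: must propagate
        } catch (PartialResultException e) {
            System.out.println("no entry, exception propagated: " + e.getMessage());
        }
    }
}
```

This covers the case in the ticket where the referral follows the returned entry; a referral thrown between entries in "throw" mode would end the read early here.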