David, Yeah, if the app servers are just searching for a CN that might be anywhere in the forest, searching the GC is the better strategy.
I'm curious as to why the app was choking on the referral... -g -----Original Message----- From: Fugleberg, David A [mailto:david.fugleberg@;nwa.com] Sent: Tuesday, October 22, 2002 3:59 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] LDAP referral during subtree search Thanks Gil - I knew you would know <g> Am I correct in assuming that it's an all-around better practice to point those app servers at the GC (port 3268) anyhow ? Right now, the only issue is that the app server seems to choke on the referral, but in the future if I should add a domain to the forest, I imagine I'd want to go to the GC anyhow so I wouldn't need to be concerned about which domain the user was in. I should point out that we use a unique ID for user CNs, so there's no issue of duplicate RDNs to be concerned with... Dave -----Original Message----- From: Gil Kirkpatrick [mailto:gilk@;netpro.com] Sent: Tuesday, October 22, 2002 5:46 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] LDAP referral during subtree search David, Not quite correct... >From a logical perspective, your tree has a root NC (DC=XYZ,DC=com) and >that NC contains a subordinate config NC (CN=Configuration,DC=XYZ,DC=com), which itself contains a subordinate schema NC (CN=Schema,CN=Configuration,DC=XYZ,DC=com). When you search the root domain, and you don't use the LDAP_SERVER_DOMAIN_SCOPE_OID (1.2.840.113556.1.4.1339) control, AD generates referrals to the subordinate NCs that were included in the scope of your search so that you can chase the referrals appropriately *even though there is a replica of that NC on the DC you are searching*. In your case, you get the referral to the only NC subordinate to the root: CN=Configuration. The GC is effectively a separate NC that includes the entire scope of the forest, so there are no subordinate referrals to be had. -gil -----Original Message----- From: Fugleberg, David A [mailto:david.fugleberg@;nwa.com] Sent: Tuesday, October 22, 2002 3:27 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] LDAP referral during subtree search I noticed something while doing LDAP searches against AD that I'd like to understand. Take the example of a single-domain forest called xyz.com. User objects are stored in various OUs, and the OUs exist directly under the domain (OU=orgunit1,DC=xyz,DC=com, OU=orgunit2,DC=xyz,DC=com, etc.) Let's say you want to look for a user object with CN=joeuser, and it might be anywhere in the OU structure. You try two different methods: 1. Bind to a Domain Controller on port 389. Issue a subtree search with a base DN of DC=xyz,DC=com and a filter of (&(cn=joeuser)(objectclass=user)). 2. Bind to a Global Catalog server on port 3268. Issue a subtree search with a base DN of DC=xyz,DC=com and a filter of (&(cn=joeuser)(objectclass=user)). If you do option 1, joeuser is found, and his full DN is returned. The DC also returns an LDAP referral to ldap://xyz.com/CN=Configuration,Dc=xyz,DC=com. If you do option 2, you still get the DN you wanted but no referral is returned. I'm thinking that this is because in option 1, the DC doesn't know whether a user with CN=joeuser exists in some other domain so it refers you to the configuration container which should know about other partitions. The GC, on the other hand, has full knowledge of the forest so does not need to return a referral. Am I on the right track here ? Is there more to it than that ? The reason I care is that we have some Java application servers that currently authenticate against our single-domain AD forest via LDAP. At first, all the relevant users were in the Users container, and the app server was configured like option 1 (using port 389 on a DC) with the search base at the CN=users level. That worked fine. Now we have users in other OUs not under the Users container, and they obviously are never found. The app server seems to choke when I make the search base DC=xyz,DC=com, but if I use Option 2 (against the GC on 3268) it's happy. The only difference I see is the absence of that referral. I think the right thing to do is go ahead and point them at the GC anyhow, but I just wondered if I'm understanding this correctly. Comments ? Dave List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
