> The exception is logged: > javax.naming.PartialResultException: Unprocessed Continuation Reference(s); > remaining name 'DC=mydomain,DC=mycompany,DC=com'
By default, the Sun JNDI provider sends the LDAPv3 ManageDsaIT control to AD, but this control is not supported since AD is not LDAPv3 compliant. The behavior of AD is to send a referral for the actual entry, which is not expected by the JNDI provider and it throws a PartialResultException when it sees the referral. You have a few options to avoid this: - Query the global catalog which apparently does not contain referrals - Set the Context.REFERRAL property to follow to cause the JNDI provider to do client-side referral following (see http://java.sun.com/products/jndi/tutorial/ldap/referral/jndi.html for more info) - Configure a number of authentication handlers, each pointing to a different search base above the root (apparently only the root contains referrals; we have no docs to support this, only experience) - Set the ignorePartialResultException of the LDAP auth handler to true; see http://www.ja-sig.org/wiki/display/CASUM/LDAP for an example The last option is the easiest and usually sufficient, but it's important to note you _may_ miss results since the ordering of results before referrals is not guaranteed. M -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
