> But I'm running into an error because of AD referrals when we don't get the user from
> CN=Users, using the baseDN instead. Every LDAP search ends in a partial results
> exception. To avoid that, I tried to use an LdapTemplate instead of a
> ContextSource, setting ignorePartialResultException to true, but even if
> the exception is thrown, attributes aren't being set for the user.

Using LdapTemplate with ignorePartialResultException=true is the best solution available with existing components. However, it is not an ideal solution in some cases. The JNDI environment variable java.naming.referral, when set to "ignore", does not enforce any particular ordering of referrals; it may be that you have referrals interlaced with meaningful results very early in your result set and it's ignoring the referral prematurely such that subsequent meaningful results are lost.

In general, the best solution on AD is to use java.naming.referral="throw", which forces the JNDI provider to reorder normal results before referrals and throw ReferralException on the first referral that follows normal results. (See http://code.google.com/p/vt-middleware/wiki/vtldapAD for more information.) Sadly, neither Spring LDAP nor PersonDirectory supports this usage.

I would recommend some testing to determine if my hypothesis about the appearance of referrals early in the result set is correct. If you can verify this and provide evidence here, it would provide some needed support for the "throw" use case in the Spring LDAP and PersonDirectory projects. I would be happy to open and steward issues in those projects on your behalf with that data. We simply don't have an AD use case for this, which is why I haven't pursued it sooner.

M
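
The "throw" handling described in the reply above, as an added plain-JNDI example that is not part of the original message and is not Spring LDAP or PersonDirectory code. The class name, method name and all connection parameters are hypothetical placeholders; the entry count it logs is the kind of evidence the reply asks for.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.ReferralException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class AdReferralThrowSearch {
    // url, bindDn, password, baseDn and filter are supplied by the caller (placeholders).
    public static List<SearchResult> search(String url, String bindDn, String password,
            String baseDn, String filter, Object[] filterArgs) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(Context.REFERRAL, "throw"); // java.naming.referral

        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);

        List<SearchResult> results = new ArrayList<>();
        DirContext ctx = new InitialDirContext(env);
        NamingEnumeration<SearchResult> entries = null;
        try {
            // filterArgs fill {0}, {1}, ... in the filter and are escaped by JNDI,
            // so user input is never concatenated into the filter string.
            entries = ctx.search(baseDn, filter, filterArgs, controls);
            while (entries.hasMore()) {
                results.add(entries.next());
            }
        } catch (ReferralException e) {
            // Keep the entries already read and do not follow the referral.
            System.err.println("Referral after " + results.size()
                    + " entries, not followed: " + e.getReferralInfo());
        } finally {
            if (entries != null) {
                entries.close();
            }
            ctx.close();
        }
        return results;
    }
}
```

A call such as `search(url, bindDn, password, "dc=example,dc=org", "(sAMAccountName={0})", new Object[] { username })` (constructed values) returns the entries read before the first referral.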
