> In fact, I did try the authentication to Active Directory 2003, but I
> didn't have to configure any ignorePartialResultException in my
> deployerConfigContext.xml

The PartialResultException is caused by an error that *most* AD setups have.
When you install an AD it is important that the DNS name of the machine
is right. However it seems that people don't use a publicly available
FQDN for that. AD uses LDAP referrals in its directory. A referral is
like a redirect that a *client* should follow if it chooses so. It can
point to another directory (in the forest), but in AD it usually points
to another node in its own directory. Unfortunately the referrals are
created with the current hostname as DNS name for the 'redirect'.
An LDAP client tries to follow the referral. But since the DNS name does
not match in a lot of ADs, it won't be able to connect to the
directory. This causes a "PartialResultException" in Java.
(Note that this is one of the reasons why changing a domain name is
really hard for ADs.)
There are several options to solve this problem:
*) make the wrong DNS name point to the right directory (can be done in
Ldap client's local hosts file, but that doesn't feel very clean, does it?)
*) don't try to follow the referrals
*) ignore the partial result exception
Not trying to follow the referrals can be done by setting an environment
variable. Even if this option would work, it is not the best choice
since there may be some referrals that we really need to follow to get
all data.
ignorePartialResultException tries to use the third approach, as its
clear name explains. So we let the Ldap client follow all referrals,
throw an error when there is one and catch that specific error properly
(=ignore it and continue, else the search would result in a fail).
LdapTemplate handles this very nicely using this code snippet:
---------------------------------
} catch (PartialResultException e) {
    // Workaround for AD servers not handling referrals correctly.
    if (ignorePartialResultException) {
        log.debug("PartialResultException encountered and ignored", e);
    } else {
        throw getExceptionTranslator().translate(e);
    }
} catch (NamingException e) {
---------------------------------
So now we can all enjoy searching ADs smoothly by using the
LdapTemplate and configuring one special setting :).
-- Velpi
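
The third option from the message above, written against plain JNDI as an added example (not code from the post, from LdapTemplate or from CAS). The class name, the `drain` helper and the fake enumeration with its two entries and exception message are constructed for illustration, so it runs without a directory server.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

public class PartialResultDemo {
    // Reads every entry name from a search enumeration. With ignorePartial=true a
    // PartialResultException ends the loop but keeps the entries already read.
    static List<String> drain(NamingEnumeration<SearchResult> results, boolean ignorePartial)
            throws NamingException {
        List<String> names = new ArrayList<>();
        try {
            while (results.hasMore()) {
                names.add(results.next().getName());
            }
        } catch (PartialResultException e) {
            if (!ignorePartial) throw e;
            // Log instead of swallowing silently: the list may be incomplete.
            System.err.println("partial result ignored after " + names.size()
                    + " entries: " + e.getMessage());
        } finally {
            results.close();
        }
        return names;
    }

    // Constructed stand-in for an AD search: two entries, then a referral that cannot be followed.
    static NamingEnumeration<SearchResult> fakeAdSearch() {
        Iterator<String> it = List.of("CN=alice", "CN=bob").iterator();
        return new NamingEnumeration<SearchResult>() {
            public boolean hasMore() throws NamingException {
                if (it.hasNext()) return true;
                throw new PartialResultException("constructed: referral host not resolvable");
            }
            public SearchResult next() { return new SearchResult(it.next(), null, new BasicAttributes()); }
            public boolean hasMoreElements() { return it.hasNext(); }
            public SearchResult nextElement() { return next(); }
            public void close() {}
        };
    }

    public static void main(String[] args) throws NamingException {
        System.out.println(drain(fakeAdSearch(), true));   // both entries survive
        try {
            drain(fakeAdSearch(), false);                   // same search, flag off
        } catch (PartialResultException e) {
            System.out.println("search failed: " + e.getMessage());
        }
    }
}
```

With the flag on, the caller gets the entries read before the referral failed; with it off, the same search fails outright and returns nothing.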