[
https://jira.nuxeo.org/browse/NXP-4685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=69797#action_69797
]
Robert Browning commented on NXP-4685:
--------------------------------------
When attempting to use the inbuilt implementation of SRV lookup, it was failing
to do so and therefore reverting to localhost. Whether any actual DNS lookup
was performed is unknown, as we didn't perform any snooping to determine if the
requests were being made, but it throws the following error when I test on an
unmodified server.
Caused by: org.nuxeo.ecm.core.api.WrappedException: Exception:
javax.naming.NameNotFoundException. message: [LDAP: error code 32 - 0000208D:
NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=ad,DC=pvt'
]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3066)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1826)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1749)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1766)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:394)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:376)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
    at org.nuxeo.ecm.directory.ldap.LDAPSession.getLdapEntry(LDAPSession.java:270)
    at org.nuxeo.ecm.directory.ldap.LDAPSession.getLdapEntry(LDAPSession.java:243)
    at org.nuxeo.ecm.directory.ldap.LDAPSession.authenticate(LDAPSession.java:823)
That aside, the main reason for this specific implementation, as you have
mentioned, was to enable us to resolve the Active Directory GC servers from DNS
instead of the AD Domain Controllers. The distributed nature of our AD is such
that some of the references returned from the AD controllers may not be present
due to link failure, and this was causing the authentication to block awaiting
a response from an unavailable server.
It is unfortunate, however, that the Sun implementation in the ServiceLocator
class does not allow overriding of the DNS service record identifier.
> LDAP implementation should support retrieval of LDAP servers through DNS SRV
> records
> ------------------------------------------------------------------------------------
>
> Key: NXP-4685
> URL: https://jira.nuxeo.org/browse/NXP-4685
> Project: Nuxeo Enterprise Platform
> Issue Type: New Feature
> Components: Directory
> Reporter: Robert Browning
> Attachments: nuxeo-platform-directory-ldap-commit.patch
>
>
> To enable dynamic lookup of LDAP server URLs the LDAPServerDescriptor and
> associated classes should be able to handle URLs of the format
> 'ldap:///dc=nuxeo,dc=org' where the hostport part of the URI is empty.
> This should query the dns server for the service record _ldap._tcp.nuxeo.org
> to retrieve a list of servers providing the ldap service for the specified
> domain.
> The service identifier should be modifiable to allow flexible use of other
> ldap services registered under different service records, for example use of
> the Global Cache as provided by Microsoft Active Directory which uses the
> _gc._tcp prefix.
> The resultant DNS queries should be cached (with expiry) to prevent the need
> for repeated DNS querying and parsing whilst allowing changes to the network
> structure to have minimal effect on the operation of the server.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.nuxeo.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
ECM-tickets mailing list
[email protected]
http://lists.nuxeo.com/mailman/listinfo/ecm-tickets
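As an added illustration of the lookup the quoted issue describes (example code written here, not Nuxeo's code and not the attached patch): deriving the SRV query name from an ldap:/// URL whose hostport part is empty, with a configurable service prefix so `_gc._tcp` can replace `_ldap._tcp`, ordering answers by SRV priority and weight, and caching each result with an expiry so a network change is picked up after the TTL. The resolver is injected and `SAMPLE_ZONE` is a constructed answer set, not real DNS data.

```python
import time
from dataclasses import dataclass
from urllib.parse import unquote, urlparse

@dataclass(frozen=True)
class SrvRecord:            # one DNS SRV answer (RFC 2782 fields)
    priority: int
    weight: int
    port: int
    target: str

def srv_name_for_ldap_url(url, service="_ldap._tcp"):
    """'ldap:///dc=nuxeo,dc=org' -> '_ldap._tcp.nuxeo.org': the DNS domain comes
    from the dc= components of the base DN; the service prefix is configurable."""
    parsed = urlparse(url)
    if parsed.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    if parsed.netloc:
        raise ValueError("hostport is set; SRV lookup only applies to ldap:///")
    dn = unquote(parsed.path.lstrip("/"))
    labels = [rdn.split("=", 1)[1].strip() for rdn in dn.split(",")
              if rdn.strip().lower().startswith("dc=")]
    if not labels:
        raise ValueError("base DN has no dc= components: %r" % dn)
    return "%s.%s" % (service, ".".join(labels))

def order_srv(records):
    # Lowest priority first; within a priority prefer higher weight. A full
    # resolver picks among equal priorities randomly in proportion to weight.
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))

class SrvCache:
    def __init__(self, resolver, ttl, clock=time.monotonic):
        self._resolver, self._ttl, self._clock = resolver, ttl, clock
        self._entries = {}      # SRV name -> (expiry time, ordered records)
        self.lookups = 0        # number of real resolver calls made
    def servers(self, url, service="_ldap._tcp"):
        name = srv_name_for_ldap_url(url, service)
        now = self._clock()
        entry = self._entries.get(name)
        if entry is None or entry[0] <= now:     # miss or expired: re-query
            self.lookups += 1
            entry = (now + self._ttl, order_srv(self._resolver(name)))
            self._entries[name] = entry
        scheme = urlparse(url).scheme
        return ["%s://%s:%d" % (scheme, r.target, r.port) for r in entry[1]]

# Constructed sample answers standing in for the DNS zone (not real data).
SAMPLE_ZONE = {
    "_ldap._tcp.nuxeo.org": [SrvRecord(10, 50, 389, "dc2.nuxeo.org"),
                             SrvRecord(0, 100, 389, "dc1.nuxeo.org")],
    "_gc._tcp.nuxeo.org": [SrvRecord(0, 100, 3268, "gc1.nuxeo.org")],
}
```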