
  • Interesting Active Directory / Spring LDAP issue

    Hi,

    I am having a small problem with a customer's Active Directory server and was hoping someone has seen a similar error or can provide some guidance into where I can start digging!

    I am performing a search on an Active Directory server using Spring LDAP; here are the general details of the search:

    Base DN: dc=xxxx,dc=mycompany,dc=com
    Filter = (&(cn=Group Policy Creator Owners)(objectCategory=Group))
    Mapper:


    Code:
    public class DnContextMapper implements ContextMapper
    {
        // Return only the DN of each search result.
        public Object mapFromContext(Object ctx)
        {
            DirContextAdapter context = (DirContextAdapter) ctx;
            return context.getDn();
        }
    }
    When the search is being performed by LDAPTemplate:

    specifically:


    Code:
    NamingEnumeration results = null;
    try {
        processor.preProcess(ctx);
        results = se.executeSearch(ctx);

        while (results.hasMore()) {
            NameClassPair result = (NameClassPair) results.next();
            handler.handleNameClassPair(result);
        }
        processor.postProcess(ctx);
    } catch (NameNotFoundException e) {
    ...
    The 'NamingEnumeration' appears to have just one result (looking at the entries Vector within the Enumeration), which is what I would expect, but when results.hasMore() is called a second result is found.

    The First result is great:
    "CN=Group Policy Creator Owners,OU=Groups,OU=Austin\, TX,DC=xxxx,DC=mycompany,DC=com"
    But the second result is:
    "ldap://adserver.xxx.mycompanyt.com:389/CN=Group%20Policy%20Creator%20Owners,OU=Groups,OU= Austin,DC=adserver,DC=xxx,DC=mycompany,DC=com"

    So when the DistinguishedName DNParser tries to parse the DN, an exception is thrown since this DN really is not a valid DN; it is a valid LDAP URL, however.

    So my general questions are:

    Has anyone come across something like this before, and does anyone have a general idea on how I should try and configure, or search with, LDAPTemplate to try and stop this from occurring?

    Cheers,
    Justin
    - at the moment I am trying to get a little bit more information from our customer regarding their AD setup

  • #2
    Just some more ramblings about what I think this issue is

    So I think this all comes down to node referrals.

    I dropped in my own DirObjectFactory just to see what was being returned and what was trying to be created by Spring LDAP.

    So the first object looks fantastic, it has a nice DN, i.e. the Name being passed into getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable environment, Attributes attrs) is:
    CN=Group Policy Creator Owners,OU=Groups,OU=Austin\, TX,DC=xxxx,DC=mycompany,DC=com
    Looking at the environment HashTable the java.naming.provider.url is ldap://10.1.3.8:389

    And the distinguished name in the Attributes parameter is:
    distinguishedName: CN=Group Policy Creator Owners,OU=Groups,OU=Austin\, TX,DC=xxxx,DC=mycompany,DC=com
    Awesome!

    The second object though has the following information:

    The Name being passed into getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable environment, Attributes attrs) is:
    "ldap://codemotel.xxxx.mycompany.com:389/CN=Group%20Policy%20Creator%20Owners,OU=Groups,OU= Austin,DC=codemotel,DC=xxxx,DC=mycompany,DC=com"
    Looking at the environment HashTable the java.naming.provider.url is java.naming.provider.url=ldap://codemotel.xxxx.mycompany.com/DC=codemotel,DC=xxxx,DC=mycompany,DC=com

    This is rather interesting as it suggests that we have gone to another node (correct?), and we are not in Kansas anymore (although we are still in Austin).

    And the distinguished name in the Attributes parameter is:
    distinguishedName: CN=Group Policy Creator Owners,OU=Groups,OU=Austin,DC=codemotel,DC=xxxx,DC =mycompany,DC=com
    A quick point here is that the rdn on distinguishedname is:
    "ldap://codemotel.xxxx.mycompany.com:389/CN=Group%20Policy%20Creator%20Owners,OU=Groups,OU= Austin,DC=codemotel,DC=xxxx,DC=mycompany,DC=com"
    while on the first one it was:
    CN=Group Policy Creator Owners,OU=Groups,OU=Austin\, TX,DC=xxxx,DC=mycompany,DC=com
    So I guess we have a few questions here. It looks like we are heading off to another LDAP server from the first one and returning an Object that has a different DN. So is the returned DN from this second 'node' (I am not sure what to call it) a valid DN? According to Spring LDAP, that would be no; as I mentioned above though, it is a valid LDAP URL.

    So should Spring LDAP be handling this second object a little more nicely?

    Justin
    - beginning to think that Active Directory is going to become my worst nightmare!
    - Also, if one of the Spring LDAP lads wants to contact me directly about replicating this issue please let me know, I may be able to give you guys access to the AD server(s) in question.

    • #3
      This link seems to contain information that might be useful in tracking this problem down. What type is the first Object parameter coming into getObjectInstance()?
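
The two kinds of result name discussed in this thread, handled in one place (an added example, not code from the posts or from Spring LDAP): a plain DN is parsed as-is, while an `ldap://` URL is split into the server it names and the percent-decoded DN, so the caller can see which host actually supplied the entry. The class and method names, the `example.com` hosts and the sample names are hypothetical and constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class ReferralNameDemo {

    /** A search-result name split into its DN and, for URL names, the server named in the URL. */
    static final class ResolvedName {
        final LdapName dn;
        final String host;   // null when the name was a plain DN
        ResolvedName(LdapName dn, String host) { this.dn = dn; this.host = host; }
    }

    /** Accepts either a plain DN or an ldap:// / ldaps:// URL like the second result in the thread. */
    static ResolvedName resolve(String name) throws InvalidNameException {
        String lower = name.toLowerCase(Locale.ROOT);
        if (!lower.startsWith("ldap://") && !lower.startsWith("ldaps://")) {
            return new ResolvedName(new LdapName(name), null);
        }
        try {
            URI url = new URI(name);
            String path = url.getPath();   // getPath() undoes the %20-style escaping
            String dn = (path == null || path.isEmpty()) ? "" : path.substring(1); // drop leading '/'
            return new ResolvedName(new LdapName(dn), url.getHost());
        } catch (URISyntaxException e) {
            InvalidNameException ine = new InvalidNameException("Not a DN or LDAP URL: " + name);
            ine.setRootCause(e);
            throw ine;
        }
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample names modelled on the two results in the thread.
        String[] samples = {
            "CN=Group Policy Creator Owners,OU=Groups,OU=Austin\\, TX,DC=corp,DC=example,DC=com",
            "ldap://child.corp.example.com:389/CN=Group%20Policy%20Creator%20Owners,OU=Groups,"
                + "OU=Austin,DC=child,DC=corp,DC=example,DC=com"
        };
        String configuredHost = "dc1.corp.example.com"; // hypothetical: the server the application was pointed at
        for (String s : samples) {
            ResolvedName r = resolve(s);
            boolean otherServer = r.host != null && !r.host.equalsIgnoreCase(configuredHost);
            System.out.println(r.dn + (otherServer ? "  [returned via " + r.host + "]" : ""));
        }
    }
}
```

In JNDI, `NameClassPair.isRelative()` returns false for names that come back as URLs, which gives a cheap way to decide when this handling is needed.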
