Thread: Exception on LDAP search on WIN AD 2003

  1. #1
    Join Date
    Oct 2007
    Posts
    4

    Exception on LDAP search on WIN AD 2003

    Hello,

    I am a real beginner with Spring and Spring LDAP, but we have a big problem doing a search on MS AD 2003.

    The AD uses only references and if we do a search on it, we get a DataRetrievalFailureException!

    Here is the LDAP config:

    Code:
    <bean id="contextSource" class="org.springframework.ldap.support.LdapContextSource">
        <property name="url" value="ldap://ldap.company.com:389" />
        <property name="base" value="dc=company,dc=com" />
        <property name="userName" value="cn=ServiceUser" />
        <property name="password" value="secret" />
        <property name="baseEnvironmentProperties">
            <map>
                <entry key="java.naming.referral" value="follow" />
                <entry key="java.naming.security.authentication" value="simple" />
            </map>
        </property>
    </bean>

    <bean id="ldapTemplate" class="org.springframework.ldap.LdapTemplate">
        <constructor-arg ref="contextSource" />
    </bean>

    Code snippet:

    Code:
    ldapTemplate.setIgnorePartialResultException(true);
    String filter = "(&(objectclass=person)(!(company=_*))(objectclass=computer))(mail="+email+"))";
    return ldapTemplate.search("dc=company,dc=com", filter, new EngineerAttributesMapper());

    With the following "ldapsearch" I get the correct result.

    Code:
    ldapsearch -h ldap.company.com -p 389 -x -D "cn=ServiceUser"  -b dc=company,dc=com -w secret "(&(objectclass=person)(!(company=_*))(!(objectclass=computer))(mail=mail@company.com))"

    Here is the exception:

    Code:
    org.springframework.dao.DataRetrievalFailureException: Unable to communicate with LDAP server; nested exception is javax.naming.CommunicationException: Request: 2 cancelled; remaining name ''dc=company,dc=com"
    Caused by: javax.naming.CommunicationException: Request: 2 cancelled; remaining name ''dc=company,dc=com"
    at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:60)
    at com.sun.jndi.ldap.Connection.readReply(Connection.java:405)
    at com.sun.jndi.ldap.LdapClient.getSearchReply(LdapClient.java:611)
    at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:534)
    at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1944)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1806)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1731)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
    at org.springframework.ldap.LdapTemplate$4.executeSearch(LdapTemplate.java:227)
    at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:268)
    at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:231)

    Could the use of the references be the problem?

    We get back a great many attributes, including some "binary" ones like certificates; could this be a possible problem?

    Does anyone have an idea? We have to solve the problem very quickly.

    Thanks a lot.

    Regards
    Last edited by Guny01; Oct 2nd, 2007 at 01:59 AM.

  2. #2
    Join Date
    Mar 2005
    Location
    Landskrona, Sweden
    Posts
    505

    It is quite possible that referrals are causing the problem. There have been reports of problems with referrals and AD, not only with Spring LDAP but with Java LDAP in general. Just to check if this is the problem, remove the base environment properties from your ContextSource setup and try setting the 'ignorePartialResultException' property of LdapTemplate to true. If the referrals were causing your problem that should get you going (note that this will actually ignore any referrals, so this might not actually be what you want).
    Mattias Arthursson
    Jayway AB (www.jayway.se)
    Spring-LDAP project member

  3. #3
    Join Date
    Oct 2007
    Posts
    4

    Hello,

    that is not what we want, because we have all entries as "referrals", so we have to "follow" them.

    Any other ideas?

    Thanks

  4. #4
    Join Date
    Mar 2005
    Location
    Landskrona, Sweden
    Posts
    505

    Ouch, then I think you'll probably be in trouble. As I said, there are known problems with Java LDAP and AD referrals, so this might mean that you'll have to follow the referrals manually. That can't be done out of the box using Spring LDAP, so I'm afraid you might be on your own here.
    Mattias Arthursson
    Jayway AB (www.jayway.se)
    Spring-LDAP project member

  5. #5
    Join Date
    Oct 2007
    Posts
    4

    Thank you for the information....

    but is the error message typical for a referral problem or could it be any other problem?

    Code:
    org.springframework.dao.DataRetrievalFailureException: Unable to communicate with LDAP server; nested exception is javax.naming.CommunicationException: Request: 2 cancelled; remaining name ''dc=company,dc=com"
    Caused by: javax.naming.CommunicationException: Request: 2 cancelled; remaining name ''dc=company,dc=com"
    at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:60)
    at com.sun.jndi.ldap.Connection.readReply(Connection.java:405)
    at com.sun.jndi.ldap.LdapClient.getSearchReply(LdapClient.java:611)
    at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:534)

    Thanks

  6. #6
    Join Date
    Mar 2005
    Location
    Landskrona, Sweden
    Posts
    505

    It might very well be unrelated; I don't recognize the error. Some googling on the root exception gave a couple of pointers, but nothing specific. I'd be happy to know if you find anything out.

    Sorry for not being able to help you out on this.
    Mattias Arthursson
    Jayway AB (www.jayway.se)
    Spring-LDAP project member

  7. #7
    Join Date
    Oct 2007
    Posts
    4

    Hello,

    thank you for trying to help.

    I solved my problem.

    There was a wrong bracket in the search filter.

    I changed:

    Code:
    String filter = "(&(objectclass=person)(!(company=_*))(objectclass=computer))(mail="+email+"))";

    to:

    Code:
    String filter = "(&(objectclass=person)(!(company=_*))(objectclass=computer) (mail="+email+"))";

    The error came because MS Active Directory is not able to give back an understandable error code. It seems to stop with an undefined error.

    Now my search works completely fine with Spring LDAP.
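
Added example, not part of the original thread and not Spring LDAP code: a plain-JDK check that catches the misplaced bracket from post #1 before the filter is sent to the directory, and that escapes the concatenated `email` value per RFC 4515 so the value itself cannot change the filter's structure. The class and method names are hypothetical, the sample addresses are constructed, and the "working" filter is the one from the ldapsearch command in the first post.

```java
// Added illustration; class and method names are hypothetical, not Spring LDAP API.
public class LdapFilterCheck {

    /** Escape a value for use inside an LDAP search filter (RFC 4515). */
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Returns -1 when the string is exactly one parenthesised filter,
     * otherwise the index of the first character that breaks the structure.
     */
    static int firstParenError(String filter) {
        if (filter.isEmpty() || filter.charAt(0) != '(') return 0;
        int depth = 0;
        for (int i = 0; i < filter.length(); i++) {
            if (i > 0 && depth == 0) return i;      // text after the top-level filter closed
            char c = filter.charAt(i);
            if (c == '(') depth++;
            else if (c == ')') depth--;
        }
        return depth == 0 ? -1 : filter.length();   // a '(' was never closed
    }

    public static void main(String[] args) {
        // Constructed sample values: a plain address and one containing filter metacharacters.
        String[] emails = { "mail@company.com", "j.doe(test)*@company.com" };
        for (String email : emails) {
            String value = escapeFilterValue(email);
            // Filter as first posted in the thread (stray ')' after objectclass=computer).
            String posted = "(&(objectclass=person)(!(company=_*))(objectclass=computer))(mail=" + value + "))";
            // Filter from the ldapsearch command in the first post.
            String working = "(&(objectclass=person)(!(company=_*))(!(objectclass=computer))(mail=" + value + "))";
            System.out.println(value + " posted=" + firstParenError(posted)
                    + " working=" + firstParenError(working));
        }
    }
}
```

Running the check on the filter string before calling `ldapTemplate.search` turns the opaque `CommunicationException` into a local error that points at the offending position.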

  8. #8
    Join Date
    Mar 2005
    Location
    Landskrona, Sweden
    Posts
    505

    Excellent, good to hear it worked out.
    Mattias Arthursson
    Jayway AB (www.jayway.se)
    Spring-LDAP project member
