I'm using the UnboundID LDAP Java SDK to connect a Groovy/Grails application to Active Directory. Here are the connection options that I'm using:

  LDAPConnectionOptions options = new LDAPConnectionOptions()
  options.connectTimeoutMillis = 60000 // 1 minute
  options.followReferrals = true
  options.referralHopLimit = 10
  options.responseTimeoutMillis = 60000 // 1 minute
  options.useSynchronousMode = true

However, I still keep getting LDAPSearchExceptions with result code 10, which means that the server sent a referral. Changing the referralHopLimit to a higher number doesn't help, so clearly the library isn't following the referrals.

So far I seem to only get this issue when using the LDAPConnection.getEntry method to load a specific entry specified by a DN. I haven't yet received it when performing a search. So I'm wondering if maybe the getEntry method isn't supposed to follow referrals and, if that's the case, what's the best approach for manually following referrals or changing its behavior?

Harry Muscle

1 Answer

The getEntry method uses search behind the scenes, so if search works, then getEntry should also work. I just ran a quick test and it works for me. Using the latest LDAP SDK release (2.3.6) and the following code, I get the expected entry after following the referral. If I comment out the "opts.setFollowReferrals(true)" line, then I get a referral exception:

import com.unboundid.ldap.listener.*;
import com.unboundid.ldap.sdk.*;

public class ReferralTest
{
  public static void main(final String... args)
         throws Exception
  {
    // Two in-memory servers with the same base DN: ds1 holds the real
    // entry, ds2 holds a referral entry that points at ds1.
    final InMemoryDirectoryServerConfig cfg =
         new InMemoryDirectoryServerConfig("dc=example,dc=com");
    final InMemoryDirectoryServer ds1 = new InMemoryDirectoryServer(cfg);
    final InMemoryDirectoryServer ds2 = new InMemoryDirectoryServer(cfg);

    ds1.startListening();
    ds2.startListening();

    // Referral following is off by default; enable it on the client options.
    final LDAPConnectionOptions opts = new LDAPConnectionOptions();
    opts.setFollowReferrals(true);

    final LDAPConnection conn1 = ds1.getConnection(opts);
    final LDAPConnection conn2 = ds2.getConnection(opts);

    conn1.add(
         "dn: dc=example,dc=com",
         "objectClass: top",
         "objectClass: domain",
         "dc: example");
    conn1.add(
         "dn: ou=Referral Entry,dc=example,dc=com",
         "objectClass: top",
         "objectClass: organizationalUnit",
         "ou: Referral Entry",
         "description: This is a referral entry");

    conn2.add(
         "dn: dc=example,dc=com",
         "objectClass: top",
         "objectClass: domain",
         "dc: example");
    // The "ref" attribute names the URL the client is redirected to.
    conn2.add(
         "dn: ou=Referral Entry,dc=example,dc=com",
         "objectClass: top",
         "objectClass: referral",
         "objectClass: extensibleObject",
         "ou: Referral Entry",
         "ref: ldap://127.0.0.1:" + ds1.getListenPort() +
              "/ou=Referral Entry,dc=example,dc=com");

    // getEntry against ds2 returns a referral, which the SDK follows to ds1.
    final Entry e = conn2.getEntry("ou=Referral Entry,dc=example,dc=com");
    System.out.println(e.toLDIFString());

    conn1.close();
    conn2.close();

    ds1.shutDown(true);
    ds2.shutDown(true);
  }
}
Neil Wilson
  • Thanks. I'm gonna try your example tomorrow and report back. However, I have a feeling such a sterile example will work, even though similar code when connecting to our Active Directory instance is failing to follow referrals. I also wanted to ask, do you think using a connection pool would change anything (I'm using a connection pool to connect to Active Directory)? – Harry Muscle Jun 10 '14 at 01:35
  • Whether or not a connection is part of a connection pool should not have any impact on the treatment of referrals. And as long as a referral is properly formed, then it shouldn't matter what type of directory server sent it to the client. – Neil Wilson Jun 10 '14 at 19:59
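
The question also asks how to follow referrals by hand. The block below is an added example, not code from the question, the answer or the UnboundID SDK itself: it catches the result-code-10 LDAPSearchException that getEntry raises, parses each referral URL with LDAPURL, opens a new connection to the referred host with the original connection's options, re-binds with the original credentials via BindRequest.getRebindRequest (the same mechanism the SDK's built-in following uses), and retries getEntry there, up to a hop limit. The check a practitioner should add is the host allow-list: a referral is a server-supplied redirect, and a client that follows it connects to whatever host the URL names and sends its bind credentials there, so restrict the targets to the directory servers you actually trust, and keep those on LDAPS. The class and method names are assumptions made for this example; the demo in main uses the same two-in-memory-server layout as the answer.

```java
import java.util.Arrays;
import java.util.List;
import com.unboundid.ldap.listener.InMemoryDirectoryServer;
import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
import com.unboundid.ldap.sdk.*;
// Added example, not code from the original post: follows the referral that
// getEntry raises by hand, connecting only to hosts on an allow-list.
public class ManualReferralFollower {
  private final List<String> allowedHosts; // hosts we are willing to re-bind to
  private final int hopLimit;
  public ManualReferralFollower(final List<String> allowedHosts, final int hopLimit) {
    this.allowedHosts = allowedHosts;
    this.hopLimit = hopLimit;
  }
  public Entry getEntry(final LDAPConnection conn, final String dn) throws LDAPException {
    return getEntry(conn, dn, 0);
  }
  private Entry getEntry(final LDAPConnection conn, final String dn, final int hop)
          throws LDAPException {
    try {
      return conn.getEntry(dn);
    } catch (final LDAPSearchException e) {
      // Only result code 10 (referral) is handled here; anything else is a real failure.
      if (!ResultCode.REFERRAL.equals(e.getResultCode())) throw e;
      if (hop >= hopLimit) {
        throw new LDAPException(ResultCode.REFERRAL_LIMIT_EXCEEDED,
            "Gave up after " + hop + " referral hops while fetching " + dn, e);
      }
      LDAPException last = e;
      for (final String url : e.getReferralURLs()) {
        final LDAPURL ldapURL = new LDAPURL(url);
        // Security check: following a referral means opening a connection to
        // whatever host it names and re-sending our bind credentials there.
        if (!allowedHosts.contains(ldapURL.getHost())) {
          last = new LDAPException(ResultCode.REFERRAL,
              "Refusing referral to untrusted host " + ldapURL.getHost(), e);
          continue;
        }
        // Same options as the original connection (timeouts, TLS settings),
        // re-bound with the original credentials, as the SDK's own following does.
        final LDAPConnection next = new LDAPConnection(
            conn.getConnectionOptions(), ldapURL.getHost(), ldapURL.getPort());
        try {
          final BindRequest bind = conn.getLastBindRequest();
          if (bind != null) {
            final BindRequest rebind =
                bind.getRebindRequest(ldapURL.getHost(), ldapURL.getPort());
            if (rebind == null) {
              throw new LDAPException(ResultCode.LOCAL_ERROR,
                  "Original bind cannot be replayed against " + ldapURL.getHost());
            }
            next.bind(rebind);
          }
          // The referral URL may name a different DN on the target server.
          final String targetDN =
              ldapURL.baseDNProvided() ? ldapURL.getBaseDN().toString() : dn;
          return getEntry(next, targetDN, hop + 1);
        } catch (final LDAPException e2) {
          last = e2; // remember the failure and try the next referral URL, if any
        } finally {
          next.close();
        }
      }
      throw last;
    }
  }

  // Demo with two in-memory servers laid out like the answer: ds1 holds the
  // real entry, ds2 holds a referral entry pointing at ds1 (constructed data).
  public static void main(final String... args) throws Exception {
    final InMemoryDirectoryServerConfig cfg =
        new InMemoryDirectoryServerConfig("dc=example,dc=com");
    final InMemoryDirectoryServer ds1 = new InMemoryDirectoryServer(cfg);
    final InMemoryDirectoryServer ds2 = new InMemoryDirectoryServer(cfg);
    ds1.startListening(); ds2.startListening();
    for (final InMemoryDirectoryServer ds : new InMemoryDirectoryServer[] {ds1, ds2}) {
      ds.add("dn: dc=example,dc=com", "objectClass: top", "objectClass: domain", "dc: example");
    }
    ds1.add("dn: ou=Referral Entry,dc=example,dc=com", "objectClass: top",
        "objectClass: organizationalUnit", "ou: Referral Entry");
    ds2.add("dn: ou=Referral Entry,dc=example,dc=com", "objectClass: top",
        "objectClass: referral", "objectClass: extensibleObject", "ou: Referral Entry",
        "ref: ldap://127.0.0.1:" + ds1.getListenPort() + "/ou=Referral Entry,dc=example,dc=com");

    // Default options leave followReferrals false, so a plain conn.getEntry on
    // ds2 would throw LDAPSearchException with result code 10.
    final LDAPConnection conn = ds2.getConnection();
    try {
      final Entry e = new ManualReferralFollower(Arrays.asList("127.0.0.1"), 5)
          .getEntry(conn, "ou=Referral Entry,dc=example,dc=com");
      System.out.println(e.toLDIFString());
    } finally {
      conn.close();
      ds1.shutDown(true); ds2.shutDown(true);
    }
  }
}
```

From Groovy the call is the same (`new ManualReferralFollower(['dc1.corp.example'], 10).getEntry(conn, dn)`), and a connection checked out of an LDAPConnectionPool can be passed in unchanged, since the referral is followed on a fresh connection rather than on the pooled one. Parsing the URL with LDAPURL and logging its host, port and base DN is also the quickest way to see exactly what a server put in the referral, which is the first thing to check when the built-in following appears not to work.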