OpenLDAP
Viewing Incoming/6675
From: adolfo@ingenia.es
Subject: ConnectException UnknownHostException using subdomain URL when searching
Date: Thu, 14 Oct 2010 10:54:36 +0000
From: adolfo@ingenia.es
To: openldap-its@OpenLDAP.org
Subject: ConnectException UnknownHostException using subdomain URL when searching
Full_Name: Adolfo Cortés
Version: openldap-2.3.43-12.el5
OS: CentOS release 5.2
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (62.15.226.90)


I try to connect to an Active Directory from a Java application using JNDI
/ OpenLDAP openldap-2.3.43-12.el5 on CentOS release 5.2.

When I do a search I get a CommunicationException:
Error : javax.naming.CommunicationException: xxxxxxxx.es:636 [Root exception is
java.net.UnknownHostException: xxxxxxxx.es]]

xxxxxxxx.es:636 is reachable, and other operations over LDAP, such as creating a
user, go fine.

I see that the problem is related to the DNS configuration:
the Active Directory server DNS name is aaaaa.bbbbb.xxxxxxxx.es, but the search
base is only xxxxxxxx.es.

When I do the search I get the exception because it takes xxxxxxxx.es instead of
ssss.xxxxxxxx.es to perform the operation.

I tried to solve it by adding xxxxxxxx.es to the hosts file with the same IP as
aaaaa.bbbbb.xxxxxxxx.es, so the bypass works and the connection goes, but now I
have a new problem: when I execute the search it connects but returns a
Referral Limit Exception. I'm thinking there are jumps or confusion between
aaaaa.bbbbb.xxxxxxxx.es and xxxxxxxx.es because of the hosts bypass I did.

So my workaround doesn't work, and I need to know how to solve the connection
problem when using a subdomain DNS name with the domain in the search base.

Connection parameters: everything goes right; the interesting part is the URL.
Using the non-secure LDAP protocol I also get the same error.

[url: ldaps://aaaaa.bbbbb.xxxxxxxx.es]
java.naming.security.authentication:simple
Usuario mypassword@bbbbb.xxxxxxxx.es]
Password[getLDAPropertiesSSL]:mypassword]
keystore[getLDAPropertiesSSL]:/opt/java/jre/lib/security/jssecacerts
trustStore[getLDAPropertiesSSL]:/opt/java/jre/lib/security/jssecacerts
Especificacion uso SSL[getLDAPPropertiesSSL]java.naming.security.protocol ssl

Search details: note that the base DC is xxxxxxxx.es.

[base: OU=YYY,DC=xxxxxxxx,DC=es]
[searchFilter: (&(objectClass=group)(cn={0}))]
[filterArgs: new String[] {Usuarios}]
[searchControls: SUBTREE_SCOPE, Atributes null, returningobjflag true]

This hosts file doesn't produce the Communication ERROR:
aaaaa.bbbbb.xxxxxxxx.es  ccc.ccc.ccc.ccc
xxxxxxxx.es              ccc.ccc.ccc.ccc

With this hosts file I get the Communication ERROR:
aaaaa.bbbbb.xxxxxxxx.es  ccc.ccc.ccc.ccc

If I try this search directly on the AD server console, it works and gives me
the results.

Thanks in advance,
Adolfo
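Added illustration, not code from the report, from OpenLDAP or from Oracle: the reporter's search expressed as a JNDI call that refuses to chase referrals, on the assumption that the UnknownHostException comes from JNDI following an AD referral whose host is the bare domain name. Host names, credentials and the base DN are placeholders matching the masked values above.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class AdGroupSearch {
    // Placeholder values standing in for the masked ones in the report.
    static final String URL  = "ldaps://aaaaa.bbbbb.xxxxxxxx.es:636";
    static final String USER = "user@bbbbb.xxxxxxxx.es";
    static final String PASS = "mypassword";
    static final String BASE = "OU=YYY,DC=xxxxxxxx,DC=es";

    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, USER);
        env.put(Context.SECURITY_CREDENTIALS, PASS);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        // Do not chase referrals: AD may answer a subtree search with referrals
        // whose host is the bare domain name (xxxxxxxx.es), which only
        // AD-integrated DNS resolves; chasing it elsewhere gives UnknownHostException.
        env.put(Context.REFERRAL, "ignore");
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"cn", "member"});
        DirContext ctx = new InitialDirContext(env);
        try {
            NamingEnumeration<SearchResult> results = ctx.search(
                BASE, "(&(objectClass=group)(cn={0}))", new Object[] {"Usuarios"}, sc);
            try {
                while (results.hasMore()) {
                    System.out.println(results.next().getNameInNamespace());
                }
            } catch (PartialResultException e) {
                // With REFERRAL=ignore JNDI raises this once the real entries
                // have been delivered, to signal the referrals it skipped.
            }
        } finally {
            ctx.close();
        }
    }
}
```

Setting the referral policy to "follow" instead reproduces the original behaviour, which is a quick way to confirm whether a referral is the source of the failure.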
Followup 1

Date: Thu, 14 Oct 2010 09:17:18 -0700
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: adolfo@ingenia.es, openldap-its@openldap.org
Subject: Re: (ITS#6675) ConnectException UnknownHostException using subdomain URL when searching
--On Thursday, October 14, 2010 10:54 AM +0000 adolfo@ingenia.es wrote:

> Full_Name: Adolfo Cortés
> Version: openldap-2.3.43-12.el5
> OS: CentOS release 5.2
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (62.15.226.90)

I see nothing in this report that has to do with OpenLDAP. I.e., you do
not show any problems with ldapsearch or any other utility provided by the
OpenLDAP Foundation. All of your information is about Java/JNDI, none of
which uses the OpenLDAP code base. I advise you to contact Oracle if you
have questions/issues with JNDI.

I would note that there are far superior Java APIs for connecting to LDAP
than JNDI, and that Active Directory, while LDAP "like", is not truly LDAP,
and has many unique quirks.

--Quanah



--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration