> In fact, I did try the authentication to Active Directory 2003, but I
> didn't have to configure any ignorePartialResultException in my
> deployerConfigContext.xml

The PartialResultException is caused by an error that *most* AD setups have. When you install an AD it is important that the DNS name of the machine is right. However it seems that people don't use a publicly available FQDN for that.

AD uses LDAP referrals in its directory. A referral is like a redirect that a *client* should follow if it chooses so. It can point to another directory (in the forest), but in AD it usually points to another node in its own directory. Unfortunately the referrals are created with the current hostname as DNS name for the 'redirect'.

An LDAP client tries to follow the referral. But since the DNS name does not match in a lot of AD's, it won't be able to connect to the directory. This causes a "PartialResultException" in Java. (Note that this is one of the reasons why changing a domain name is really hard for AD's.)

There are several options to solve this problem:

*) make the wrong DNS name point to the right directory (can be done in Ldap client's local hosts file, but that doesn't feel very clean, does it?)
*) don't try to follow the referrals
*) ignore the partial result exception

Not trying to follow the referrals can be done by setting an environment variable. Even if this option would work, it is not the best choice since there may be some referrals that we really need to follow to get all data.

ignorePartialResultException tries to use the third approach, as its clear name explains. So we let the Ldap client follow all referrals, throw an error when there is one and catch that specific error properly (=ignore it and continue, else the search would result in a fail).

LdapTemplate handles this very nicely using this code snippet:

---------------------------------
    } catch (PartialResultException e) {
        // Workaround for AD servers not handling referrals correctly.
        if (ignorePartialResultException) {
            log.debug("PartialResultException encountered and ignored", e);
        } else {
            throw getExceptionTranslator().translate(e);
        }
    } catch (NamingException e) {
---------------------------------

So now we can all enjoy searching AD's smoothly by using the LdapTemplate and configuring one special setting :).

-- 
Velpi

_______________________________________________
Yale CAS mailing list
cas@tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas