Re: LDAP Connection Error
one minute with 28.000 users -is the when you do a propfind on all users? Also what realm are you using - I have been looking at the Krb5LoginModule as described by Stefan Fromm. I was just wondering what experiences people has with integrating with an AD. /jacob - Original Message - From: James Mason [EMAIL PROTECTED] To: Slide Users Mailing List slide-user@jakarta.apache.org Sent: Saturday, March 12, 2005 7:20 AM Subject: RE: LDAP Connection Error Just to elaborate (you've all probably figured this out by now), the JNDIPrincipalStore actually *searches* your LDAP server for users/groups. The configuration settings you give describe the search parameters. The deciding factor on performance is how many results are returned by the search. If you have a lot of users/groups Slide will take a long time to start. It takes about a minute for me with 28,000 user accounts. -James On Mon, 2005-02-28 at 09:48 +, Miguel Figueiredo wrote: Hello Jacob, The JNDIStore does not look for anything here. The configuration u give to her, tells her 'what is what, and where is it' ... Hmmm, with others words, the configuration tells the LDAP/Active Directory server what kind of objects she is looking for, and where she expects to be found. When you start configuring it, you will get more insightful regarding this statement. When the JNDIStore asks something to the server, it asks by means of a bind request, and the server shall have the responsibility to find objects, in the configured places, that match the bind request. 'Modus Operandis' of the LDAP or Active Directory is exactly the same regarding the bind operation, the difference comes in the schemas they offer: standard schemas with LDAP, proprietary but standard-based schema on Active Directory (M$ strikes again :P ). Also, as you correctly stated, most companies split users and groups in several OUs. I'm glad to report that the JNDIStore is generic enough to adapt it's configuration to any deployment choices (at least we did not found any trouble in its configuration until now). Hope this helps, Miguel Figueiredo -Original Message- From: Jacob Lund [mailto:[EMAIL PROTECTED] Sent: segunda-feira, 28 de Fevereiro de 2005 8:46 To: Slide Users Mailing List Subject: Re: LDAP Connection Error Well - you mentioned exactly what I have been wondering about! Most companies split users and groups in several OUs (Organizational units). Can the JNDIStore search through the AD and fetch all users and groups, also how will that affect the performance? I have an AD with several OU ready for testing, but I have not had the time to look into this deeper yet! /jacob - Original Message - From: John Gilbert [EMAIL PROTECTED] To: Slide Users Mailing List slide-user@jakarta.apache.org; Slide Users Mailing List slide-user@jakarta.apache.org Sent: Friday, February 25, 2005 4:14 PM Subject: RE: LDAP Connection Error There isn't much to say. I just follow the instructions I found in the comment block of the source code and the postings to the user group. There was nothing too special for AD. Here is a link to a posting by James Mason. http://cvs.apache.org/viewcvs.cgi/jakarta-slide/src/conf/webapp/JNDI-Domain. xml?rev=1.2view=auto I did have to play with the jndi.attributes.groupmemberset and jndi.search.filter settings settings. Just use any old ldap browser to browse the schema. One thing I have found is that AD admins seem to like spreading their groups and people around in the tree, instead of having a single people root and a single groups root. I don't think the JNDIPrincipalStore handles this case, but I didn't have time to test it thoroughly. It might have to do with the jndi.search.scope setting. Also having the passwords in cleartext has been a battle. From: Jacob Lund [mailto:[EMAIL PROTECTED] Sent: Fri 2/25/2005 5:53 AM To: Slide Users Mailing List Subject: Re: LDAP Connection Error Hi John! I would like to create a Wiki on how to integrate slide with an AD! Would you mind sharing your configuration of the JNDIPrincipalStore, realm and other experiences on this integration? Thanks /Jacob - Original Message - From: John Gilbert [EMAIL PROTECTED] To: Slide Users Mailing List slide-user@jakarta.apache.org Sent: Thursday, February 24, 2005 4:33 PM Subject: LDAP Connection Error I am using the JNDIPrincipalStore to connect to Active Directory to retrieve Users and Roles. Everything works fine for a while. Then it eventually gets a connection error and I have to restart the Slide war. I have several other applications connecting to the same Active Directory instance and they are not experiencing any problems or may be they are handling the error and reconnecting automatically. Has anyone had this problem? Is the JNDIPrincipalStore supposed to gracefully reconnect? There is nothing for this in the code. Is this handled by the framework? Thanks John
RE: LDAP Connection Error
Just to elaborate (you've all probably figured this out by now), the JNDIPrincipalStore actually *searches* your LDAP server for users/groups. The configuration settings you give describe the search parameters. The deciding factor on performance is how many results are returned by the search. If you have a lot of users/groups Slide will take a long time to start. It takes about a minute for me with 28,000 user accounts. -James On Mon, 2005-02-28 at 09:48 +, Miguel Figueiredo wrote: Hello Jacob, The JNDIStore does not look for anything here. The configuration u give to her, tells her 'what is what, and where is it' ... Hmmm, with others words, the configuration tells the LDAP/Active Directory server what kind of objects she is looking for, and where she expects to be found. When you start configuring it, you will get more insightful regarding this statement. When the JNDIStore asks something to the server, it asks by means of a bind request, and the server shall have the responsibility to find objects, in the configured places, that match the bind request. 'Modus Operandis' of the LDAP or Active Directory is exactly the same regarding the bind operation, the difference comes in the schemas they offer: standard schemas with LDAP, proprietary but standard-based schema on Active Directory (M$ strikes again :P ). Also, as you correctly stated, most companies split users and groups in several OUs. I'm glad to report that the JNDIStore is generic enough to adapt it's configuration to any deployment choices (at least we did not found any trouble in its configuration until now). Hope this helps, Miguel Figueiredo -Original Message- From: Jacob Lund [mailto:[EMAIL PROTECTED] Sent: segunda-feira, 28 de Fevereiro de 2005 8:46 To: Slide Users Mailing List Subject: Re: LDAP Connection Error Well - you mentioned exactly what I have been wondering about! Most companies split users and groups in several OUs (Organizational units). Can the JNDIStore search through the AD and fetch all users and groups, also how will that affect the performance? I have an AD with several OU ready for testing, but I have not had the time to look into this deeper yet! /jacob - Original Message - From: John Gilbert [EMAIL PROTECTED] To: Slide Users Mailing List slide-user@jakarta.apache.org; Slide Users Mailing List slide-user@jakarta.apache.org Sent: Friday, February 25, 2005 4:14 PM Subject: RE: LDAP Connection Error There isn't much to say. I just follow the instructions I found in the comment block of the source code and the postings to the user group. There was nothing too special for AD. Here is a link to a posting by James Mason. http://cvs.apache.org/viewcvs.cgi/jakarta-slide/src/conf/webapp/JNDI-Domain. xml?rev=1.2view=auto I did have to play with the jndi.attributes.groupmemberset and jndi.search.filter settings settings. Just use any old ldap browser to browse the schema. One thing I have found is that AD admins seem to like spreading their groups and people around in the tree, instead of having a single people root and a single groups root. I don't think the JNDIPrincipalStore handles this case, but I didn't have time to test it thoroughly. It might have to do with the jndi.search.scope setting. Also having the passwords in cleartext has been a battle. From: Jacob Lund [mailto:[EMAIL PROTECTED] Sent: Fri 2/25/2005 5:53 AM To: Slide Users Mailing List Subject: Re: LDAP Connection Error Hi John! I would like to create a Wiki on how to integrate slide with an AD! Would you mind sharing your configuration of the JNDIPrincipalStore, realm and other experiences on this integration? Thanks /Jacob - Original Message - From: John Gilbert [EMAIL PROTECTED] To: Slide Users Mailing List slide-user@jakarta.apache.org Sent: Thursday, February 24, 2005 4:33 PM Subject: LDAP Connection Error I am using the JNDIPrincipalStore to connect to Active Directory to retrieve Users and Roles. Everything works fine for a while. Then it eventually gets a connection error and I have to restart the Slide war. I have several other applications connecting to the same Active Directory instance and they are not experiencing any problems or may be they are handling the error and reconnecting automatically. Has anyone had this problem? Is the JNDIPrincipalStore supposed to gracefully reconnect? There is nothing for this in the code. Is this handled by the framework? Thanks John - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED
Re: LDAP Connection Error
Well - you mentioned exactly what I have been wondering about! Most companies split users and groups in several OUs (Organizational units). Can the JNDIStore search through the AD and fetch all users and groups, also how will that affect the performance? I have an AD with several OU ready for testing, but I have not had the time to look into this deeper yet! /jacob - Original Message - From: John Gilbert [EMAIL PROTECTED] To: Slide Users Mailing List slide-user@jakarta.apache.org; Slide Users Mailing List slide-user@jakarta.apache.org Sent: Friday, February 25, 2005 4:14 PM Subject: RE: LDAP Connection Error There isn't much to say. I just follow the instructions I found in the comment block of the source code and the postings to the user group. There was nothing too special for AD. Here is a link to a posting by James Mason. http://cvs.apache.org/viewcvs.cgi/jakarta-slide/src/conf/webapp/JNDI-Domain.xml?rev=1.2view=auto I did have to play with the jndi.attributes.groupmemberset and jndi.search.filter settings settings. Just use any old ldap browser to browse the schema. One thing I have found is that AD admins seem to like spreading their groups and people around in the tree, instead of having a single people root and a single groups root. I don't think the JNDIPrincipalStore handles this case, but I didn't have time to test it thoroughly. It might have to do with the jndi.search.scope setting. Also having the passwords in cleartext has been a battle. From: Jacob Lund [mailto:[EMAIL PROTECTED] Sent: Fri 2/25/2005 5:53 AM To: Slide Users Mailing List Subject: Re: LDAP Connection Error Hi John! I would like to create a Wiki on how to integrate slide with an AD! Would you mind sharing your configuration of the JNDIPrincipalStore, realm and other experiences on this integration? Thanks /Jacob - Original Message - From: John Gilbert [EMAIL PROTECTED] To: Slide Users Mailing List slide-user@jakarta.apache.org Sent: Thursday, February 24, 2005 4:33 PM Subject: LDAP Connection Error I am using the JNDIPrincipalStore to connect to Active Directory to retrieve Users and Roles. Everything works fine for a while. Then it eventually gets a connection error and I have to restart the Slide war. I have several other applications connecting to the same Active Directory instance and they are not experiencing any problems or may be they are handling the error and reconnecting automatically. Has anyone had this problem? Is the JNDIPrincipalStore supposed to gracefully reconnect? There is nothing for this in the code. Is this handled by the framework? Thanks John - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: LDAP Connection Error
Hello Jacob, The JNDIStore does not look for anything here. The configuration u give to her, tells her 'what is what, and where is it' ... Hmmm, with others words, the configuration tells the LDAP/Active Directory server what kind of objects she is looking for, and where she expects to be found. When you start configuring it, you will get more insightful regarding this statement. When the JNDIStore asks something to the server, it asks by means of a bind request, and the server shall have the responsibility to find objects, in the configured places, that match the bind request. 'Modus Operandis' of the LDAP or Active Directory is exactly the same regarding the bind operation, the difference comes in the schemas they offer: standard schemas with LDAP, proprietary but standard-based schema on Active Directory (M$ strikes again :P ). Also, as you correctly stated, most companies split users and groups in several OUs. I'm glad to report that the JNDIStore is generic enough to adapt it's configuration to any deployment choices (at least we did not found any trouble in its configuration until now). Hope this helps, Miguel Figueiredo -Original Message- From: Jacob Lund [mailto:[EMAIL PROTECTED] Sent: segunda-feira, 28 de Fevereiro de 2005 8:46 To: Slide Users Mailing List Subject: Re: LDAP Connection Error Well - you mentioned exactly what I have been wondering about! Most companies split users and groups in several OUs (Organizational units). Can the JNDIStore search through the AD and fetch all users and groups, also how will that affect the performance? I have an AD with several OU ready for testing, but I have not had the time to look into this deeper yet! /jacob - Original Message - From: John Gilbert [EMAIL PROTECTED] To: Slide Users Mailing List slide-user@jakarta.apache.org; Slide Users Mailing List slide-user@jakarta.apache.org Sent: Friday, February 25, 2005 4:14 PM Subject: RE: LDAP Connection Error There isn't much to say. I just follow the instructions I found in the comment block of the source code and the postings to the user group. There was nothing too special for AD. Here is a link to a posting by James Mason. http://cvs.apache.org/viewcvs.cgi/jakarta-slide/src/conf/webapp/JNDI-Domain. xml?rev=1.2view=auto I did have to play with the jndi.attributes.groupmemberset and jndi.search.filter settings settings. Just use any old ldap browser to browse the schema. One thing I have found is that AD admins seem to like spreading their groups and people around in the tree, instead of having a single people root and a single groups root. I don't think the JNDIPrincipalStore handles this case, but I didn't have time to test it thoroughly. It might have to do with the jndi.search.scope setting. Also having the passwords in cleartext has been a battle. From: Jacob Lund [mailto:[EMAIL PROTECTED] Sent: Fri 2/25/2005 5:53 AM To: Slide Users Mailing List Subject: Re: LDAP Connection Error Hi John! I would like to create a Wiki on how to integrate slide with an AD! Would you mind sharing your configuration of the JNDIPrincipalStore, realm and other experiences on this integration? Thanks /Jacob - Original Message - From: John Gilbert [EMAIL PROTECTED] To: Slide Users Mailing List slide-user@jakarta.apache.org Sent: Thursday, February 24, 2005 4:33 PM Subject: LDAP Connection Error I am using the JNDIPrincipalStore to connect to Active Directory to retrieve Users and Roles. Everything works fine for a while. Then it eventually gets a connection error and I have to restart the Slide war. I have several other applications connecting to the same Active Directory instance and they are not experiencing any problems or may be they are handling the error and reconnecting automatically. Has anyone had this problem? Is the JNDIPrincipalStore supposed to gracefully reconnect? There is nothing for this in the code. Is this handled by the framework? Thanks John - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: LDAP Connection Error
Hi John! I would like to create a Wiki on how to integrate slide with an AD! Would you mind sharing your configuration of the JNDIPrincipalStore, realm and other experiences on this integration? Thanks /Jacob - Original Message - From: John Gilbert [EMAIL PROTECTED] To: Slide Users Mailing List slide-user@jakarta.apache.org Sent: Thursday, February 24, 2005 4:33 PM Subject: LDAP Connection Error I am using the JNDIPrincipalStore to connect to Active Directory to retrieve Users and Roles. Everything works fine for a while. Then it eventually gets a connection error and I have to restart the Slide war. I have several other applications connecting to the same Active Directory instance and they are not experiencing any problems or may be they are handling the error and reconnecting automatically. Has anyone had this problem? Is the JNDIPrincipalStore supposed to gracefully reconnect? There is nothing for this in the code. Is this handled by the framework? Thanks John - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: LDAP Connection Error
There isn't much to say. I just follow the instructions I found in the comment block of the source code and the postings to the user group. There was nothing too special for AD. Here is a link to a posting by James Mason. http://cvs.apache.org/viewcvs.cgi/jakarta-slide/src/conf/webapp/JNDI-Domain.xml?rev=1.2view=auto I did have to play with the jndi.attributes.groupmemberset and jndi.search.filter settings settings. Just use any old ldap browser to browse the schema. One thing I have found is that AD admins seem to like spreading their groups and people around in the tree, instead of having a single people root and a single groups root. I don't think the JNDIPrincipalStore handles this case, but I didn't have time to test it thoroughly. It might have to do with the jndi.search.scope setting. Also having the passwords in cleartext has been a battle. From: Jacob Lund [mailto:[EMAIL PROTECTED] Sent: Fri 2/25/2005 5:53 AM To: Slide Users Mailing List Subject: Re: LDAP Connection Error Hi John! I would like to create a Wiki on how to integrate slide with an AD! Would you mind sharing your configuration of the JNDIPrincipalStore, realm and other experiences on this integration? Thanks /Jacob - Original Message - From: John Gilbert [EMAIL PROTECTED] To: Slide Users Mailing List slide-user@jakarta.apache.org Sent: Thursday, February 24, 2005 4:33 PM Subject: LDAP Connection Error I am using the JNDIPrincipalStore to connect to Active Directory to retrieve Users and Roles. Everything works fine for a while. Then it eventually gets a connection error and I have to restart the Slide war. I have several other applications connecting to the same Active Directory instance and they are not experiencing any problems or may be they are handling the error and reconnecting automatically. Has anyone had this problem? Is the JNDIPrincipalStore supposed to gracefully reconnect? There is nothing for this in the code. Is this handled by the framework? Thanks John - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: LDAP Connection Error
John, What version of Slide are you using? From 2.1beta2 on the JNDIPrincipalStore should be able to handle broken connections gracefully. -James On Thu, 2005-02-24 at 10:33 -0500, John Gilbert wrote: I am using the JNDIPrincipalStore to connect to Active Directory to retrieve Users and Roles. Everything works fine for a while. Then it eventually gets a connection error and I have to restart the Slide war. I have several other applications connecting to the same Active Directory instance and they are not experiencing any problems or may be they are handling the error and reconnecting automatically. Has anyone had this problem? Is the JNDIPrincipalStore supposed to gracefully reconnect? There is nothing for this in the code. Is this handled by the framework? Thanks John - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: LDAP Connection Error
Thanks James. We are still on beta1. I can just build the beta2 version of JNDIPrincipalStore or do we need to upgrade verything? -Original Message- From: James Mason [mailto:[EMAIL PROTECTED] Sent: Thursday, February 24, 2005 11:36 AM To: Slide Users Mailing List Subject: Re: LDAP Connection Error John, What version of Slide are you using? From 2.1beta2 on the JNDIPrincipalStore should be able to handle broken connections gracefully. -James On Thu, 2005-02-24 at 10:33 -0500, John Gilbert wrote: I am using the JNDIPrincipalStore to connect to Active Directory to retrieve Users and Roles. Everything works fine for a while. Then it eventually gets a connection error and I have to restart the Slide war. I have several other applications connecting to the same Active Directory instance and they are not experiencing any problems or may be they are handling the error and reconnecting automatically. Has anyone had this problem? Is the JNDIPrincipalStore supposed to gracefully reconnect? There is nothing for this in the code. Is this handled by the framework? Thanks John - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
