Re: JNDI realm Global Catalog question

Tue, 28 Apr 2015 08:20:09 -0700 


Am 28. April 2015 17:11:55 MESZ, schrieb Christopher Schultz 
<ch...@christopherschultz.net>:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA256
>
>Neil,
>
>On 4/28/15 9:48 AM, Lazarow, Neil wrote:
>> I have multiple domain controllers, all of which are set to
>> function as global catalog servers.
>> 
>> Is it possible to put multiple alternateURL entires into your
>> JNDIRealm confiugration (see example below)?
>> 
>> Tomcat Version:  6.0.33 on Red Hat Enterprise Linux 5
>> 
>> ------------------ <Realm
>> className="org.apache.catalina.realm.JNDIRealm" adCompat="true" 
>> connectionURL="ldaps://ldap1.my.domainname.com:3269" 
>> alternateURL="ldaps://ldap2.my.domainname.com:3269" 
>> alternateURL="ldaps://ldap3.my.domainname.com:3269" 
>> connectionName="u...@my.domain.com" connectionPassword="password" 
>> referrals="follow" userBase="CN=Users,dc=my,dc=domainname,dc=com" 
>> userSearch="(sAMAccountName={0})" userSubtree="true" 
>> userRoleName="memberOf" 
>> roleBase="CN=Users,dc=my,dc=domainname,dc=com" roleName="CN" 
>> roleSearch="(member={0})" roleNested="true" />
>
>I don't think this is currently supported, but it would be a nice
>enhancement. Could you make a request in Bugzilla?
>http://bz.apache.org/
>
>In the meantime, you might be able to get away with a configuration
>like this:
>
><Realm className="org.apache.catalina.realm.CombinedRealm">
>  <Realm className="org.apache.catalina.realm.JNDIRealm"
>         connectionURL="ldaps://server-1"
>         ... />
>  <Realm className="org.apache.catalina.realm.JNDIRealm"
>         connectionURL="ldaps://server-2"
>         ... />
>  <Realm className="org.apache.catalina.realm.JNDIRealm"
>         connectionURL="ldaps://server-3"
>         ... />
></Realm>
>

You could even try to set connectionURL to all servers at once separated by 
space. I believe jndi supports this. That would be something like

connectionURL="ldaps://one ldaps://two ldaps://three"

I haven't tested it, though.

Regards
Felix

>The timeouts you'll experience to fail-over from one server to the
>other might not be acceptable for you, though.
>
>- -chris
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v2
>Comment: GPGTools - http://gpgtools.org
>
>iQIcBAEBCAAGBQJVP6M7AAoJEBzwKT+lPKRY1H8P/3wVz99mL4m0imxfUjAm/9XQ
>2fYdeigii7hzDw0tvJKLZ5jh+wMz2xoqI47CD1b0P/Nl+zQHK7AqwT0GbMidZMN5
>+bEHLS66zKfVF+tWoIq1RlvPi78vI1Hzp9dvmlxzp/NOJs8Fm2zeAbPiDkXB48d5
>vqA38m/ZBRQemA0DhsxPmnjvavGvX+ifZ9mpfZryLyQYxTEQqm4Ay2Gu+LkkFilb
>s/iRxZEJzvIJKxXpr9MyMBwv8DXHwG9EhhDWrZ+cmbvP18jruSRZyPdwQsf1N8vu
>jPX+dd5eo9ffDJKT6GjkzNMWLh0S6srZO6HMWMI4YCb2F/z/nB07GcsEd0PDnWl9
>JFuEVNhL07fdlJ31rzZ+OksDGae7+r0Jnur2DIOfAMWRKMmQWrQWXAoYm1uck5ra
>lvFaQEhlRpV8GAUUmYkf3LPvQGjG+yEINNhJu9OXSX4+pyxvF1Oa0wUbWRFa0aoH
>FIfh22ApBsk5KEhPFTVFFQCIoh/yKGS4YDhNlm48606h7SERclz5m50Cicv03vFv
>glIdrrXVL4Idbkrl7jON11CB9oZjK0//ODT4bjF7E3kSyN1DM5uBFxzpiaVIIKiO
>tzeXubcZ/DYf1Qtt+t0yO66jjkr0uei1i2uPHQgS7kJq41jSmqfg2tewWrDkiRSe
>l7hQL8S+t9zWdYmiUdG+
>=3lwQ
>-----END PGP SIGNATURE-----
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>For additional commands, e-mail: users-h...@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to