-----Original Message-----
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
Sent: Tuesday, April 28, 2015 10:18 AM
To: Tomcat Users List
Subject: Re: JNDI realm Global Catalog question



On 28 April 2015 17:11:55 CEST, Christopher Schultz 
<ch...@christopherschultz.net> wrote:
>
>Neil,
>
>On 4/28/15 9:48 AM, Lazarow, Neil wrote:
>> I have multiple domain controllers, all of which are set to function
>> as global catalog servers.
>>
>> Is it possible to put multiple alternateURL entries into your
>> JNDIRealm configuration (see example below)?
>>
>> Tomcat Version:  6.0.33 on Red Hat Enterprise Linux 5
>>
>> ------------------
>> <Realm className="org.apache.catalina.realm.JNDIRealm"
>>        adCompat="true"
>>        connectionURL="ldaps://ldap1.my.domainname.com:3269"
>>        alternateURL="ldaps://ldap2.my.domainname.com:3269"
>>        alternateURL="ldaps://ldap3.my.domainname.com:3269"
>>        connectionName="u...@my.domain.com"
>>        connectionPassword="password"
>>        referrals="follow"
>>        userBase="CN=Users,dc=my,dc=domainname,dc=com"
>>        userSearch="(sAMAccountName={0})"
>>        userSubtree="true"
>>        userRoleName="memberOf"
>>        roleBase="CN=Users,dc=my,dc=domainname,dc=com"
>>        roleName="CN"
>>        roleSearch="(member={0})"
>>        roleNested="true" />
>
>I don't think this is currently supported, but it would be a nice
>enhancement. Could you make a request in Bugzilla?
>http://bz.apache.org/
>
>In the meantime, you might be able to get away with a configuration
>like this:
>
><Realm className="org.apache.catalina.realm.CombinedRealm">
>  <Realm className="org.apache.catalina.realm.JNDIRealm"
>         connectionURL="ldaps://server-1"
>         ... />
>  <Realm className="org.apache.catalina.realm.JNDIRealm"
>         connectionURL="ldaps://server-2"
>         ... />
>  <Realm className="org.apache.catalina.realm.JNDIRealm"
>         connectionURL="ldaps://server-3"
>         ... />
></Realm>
>

You could even try setting connectionURL to all servers at once, separated by 
spaces. I believe JNDI supports this. That would be something like

connectionURL="ldaps://one ldaps://two ldaps://three"

I haven't tested it, though.

Regards
Felix

>The timeouts you'll experience to fail-over from one server to the
>other might not be acceptable for you, though.
>
>- -chris

Felix,

  Tomcat appears to accept the list of connectionURL entries separated by 
spaces.

Neil
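
As an added illustration (not configuration from this thread or from the Tomcat project), here are the two fail-over shapes discussed above side by side as they would appear in server.xml. Host names, the service account, base DNs and the connectionTimeout value are placeholders. Note that the original form with two alternateURL attributes on one element cannot work regardless of Tomcat support: XML requires attribute names within a start tag to be unique, so the parser rejects the file before the realm is ever built.

```xml
<!-- Option 1: fail-over at the JNDI provider.
     JNDIRealm passes connectionURL straight through as java.naming.provider.url,
     and the JDK's LDAP provider accepts a space-separated list there, trying
     each URL in order until one accepts the connection. 3269 is the Global
     Catalog TLS port, so every entry stays on ldaps://. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       adCompat="true"
       connectionURL="ldaps://ldap1.my.domainname.com:3269 ldaps://ldap2.my.domainname.com:3269 ldaps://ldap3.my.domainname.com:3269"
       connectionName="svc-tomcat@my.domainname.com"
       connectionPassword="CHANGE-ME"
       connectionTimeout="3000"
       userBase="CN=Users,dc=my,dc=domainname,dc=com"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       userRoleName="memberOf"
       roleBase="CN=Users,dc=my,dc=domainname,dc=com"
       roleName="CN"
       roleSearch="(member={0})"
       roleNested="true" />

<!-- Option 2: fail-over at the realm.
     CombinedRealm consults each nested realm in order until one authenticates
     the user. If ldap1 is down, the first JNDIRealm gives up after its connect
     timeout and CombinedRealm moves on to ldap2. Every nested realm carries a
     full copy of the search settings, so keep them identical. -->
<Realm className="org.apache.catalina.realm.CombinedRealm">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         adCompat="true"
         connectionURL="ldaps://ldap1.my.domainname.com:3269"
         connectionName="svc-tomcat@my.domainname.com"
         connectionPassword="CHANGE-ME"
         connectionTimeout="3000"
         userBase="CN=Users,dc=my,dc=domainname,dc=com"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         userRoleName="memberOf"
         roleBase="CN=Users,dc=my,dc=domainname,dc=com"
         roleName="CN"
         roleSearch="(member={0})"
         roleNested="true" />
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         adCompat="true"
         connectionURL="ldaps://ldap2.my.domainname.com:3269"
         connectionName="svc-tomcat@my.domainname.com"
         connectionPassword="CHANGE-ME"
         connectionTimeout="3000"
         userBase="CN=Users,dc=my,dc=domainname,dc=com"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         userRoleName="memberOf"
         roleBase="CN=Users,dc=my,dc=domainname,dc=com"
         roleName="CN"
         roleSearch="(member={0})"
         roleNested="true" />
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         adCompat="true"
         connectionURL="ldaps://ldap3.my.domainname.com:3269"
         connectionName="svc-tomcat@my.domainname.com"
         connectionPassword="CHANGE-ME"
         connectionTimeout="3000"
         userBase="CN=Users,dc=my,dc=domainname,dc=com"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         userRoleName="memberOf"
         roleBase="CN=Users,dc=my,dc=domainname,dc=com"
         roleName="CN"
         roleSearch="(member={0})"
         roleNested="true" />
</Realm>
```

Three points worth checking before copying either form. First, the connectionTimeout attribute is what bounds the stall Chris mentions while a dead server is tried; confirm that your Tomcat release's JNDIRealm documentation lists it before relying on it, since the example assumes it. Second, referrals="follow" from the original post is deliberately left out: the Global Catalog already holds the forest-wide partial attribute set, so a GC search normally needs no referrals, and following one lets the directory pick the URL (possibly a plain ldap:// one) for the follow-up query. Third, connectionPassword is stored in clear text in server.xml, so the file's permissions should be limited to the Tomcat service account, and the bind account needs read access to the user and group containers only.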
