-----Original Message----- From: Felix Schumacher [mailto:felix.schumac...@internetallee.de] Sent: Tuesday, April 28, 2015 10:18 AM To: Tomcat Users List Subject: Re: JNDI realm Global Catalog question
Am 28. April 2015 17:11:55 MESZ, schrieb Christopher Schultz <ch...@christopherschultz.net>: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA256 > >Neil, > >On 4/28/15 9:48 AM, Lazarow, Neil wrote: >> I have multiple domain controllers, all of which are set to function >> as global catalog servers. >> >> Is it possible to put multiple alternateURL entires into your >> JNDIRealm confiugration (see example below)? >> >> Tomcat Version: 6.0.33 on Red Hat Enterprise Linux 5 >> >> ------------------ <Realm >> className="org.apache.catalina.realm.JNDIRealm" adCompat="true" >> connectionURL="ldaps://ldap1.my.domainname.com:3269" >> alternateURL="ldaps://ldap2.my.domainname.com:3269" >> alternateURL="ldaps://ldap3.my.domainname.com:3269" >> connectionName="u...@my.domain.com" connectionPassword="password" >> referrals="follow" userBase="CN=Users,dc=my,dc=domainname,dc=com" >> userSearch="(sAMAccountName={0})" userSubtree="true" >> userRoleName="memberOf" >> roleBase="CN=Users,dc=my,dc=domainname,dc=com" roleName="CN" >> roleSearch="(member={0})" roleNested="true" /> > >I don't think this is currently supported, but it would be a nice >enhancement. Could you make a request in Bugzilla? >http://bz.apache.org/ > >In the meantime, you might be able to get away with a configuration >like this: > ><Realm className="org.apache.catalina.realm.CombinedRealm"> > <Realm className="org.apache.catalina.realm.JNDIRealm" > connectionURL="ldaps://server-1" > ... /> > <Realm className="org.apache.catalina.realm.JNDIRealm" > connectionURL="ldaps://server-2" > ... /> > <Realm className="org.apache.catalina.realm.JNDIRealm" > connectionURL="ldaps://server-3" > ... /> ></Realm> > You could even try to set connectionURL to all servers at once separated by space. I believe jndi supports this. That would be something like connectionURL="ldaps://one ldaps://two ldaps://three" I haven't tested it, though. Regards Felix >The timeouts you'll experience to fail-over from one server to the >other might not be acceptable for you, though. > >- -chris >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v2 >Comment: GPGTools - http://gpgtools.org Felix, Tomcat appears to accept the list of connectionURL entries separated by spaces. Neil Confidentiality: This transmission, including any attachments, is solely for the use of the intended recipient(s). This transmission may contain information that is confidential or otherwise protected from disclosure. The use or disclosure of the information contained in this transmission, including any attachments, for any purpose other than that intended by its transmittal is strictly prohibited. Unauthorized interception of this email is a violation of federal criminal law. If you are not an intended recipient of this transmission, please immediately destroy all copies received and notify the sender.