Thanks (as always) Chuck! I tested out the URL approach and it works. I’m also connecting to port 3268 instead of 389 per this:
https://stackoverflow.com/questions/16412236/how-to-resolve-javax-naming-partialresultexception.

That’s solved everything for now and it looks like including the search base in the URL is a somewhat standard way to go. I’m still gonna investigate some more code-centric ways of handling it - seems less brittle. JNDIAdaptor does not expose the search base attribute. It does expose the connection dictionary - so I’m guessing you could read it and add a key/value pair for the search base, which I think would update the wrapped DirContext.

Tim

> On Jul 24, 2017, at 11:56 AM, Chuck Hill <ch...@gevityinc.com> wrote:
>
> Hi Tim,
>
> Take a look at the JNDIAdaptor class. There are connection dictionary parameters in there, one of those might be what you want. Or can you specify that on the connection URL?
>
> Chuck
>
>
> From: Tim Worman <li...@thetimmy.com>
> Date: Monday, July 24, 2017 at 11:43 AM
> To: Chuck Hill <ch...@gevityinc.com>
> Cc: WebObjects Development <webobjects-dev@lists.apple.com>
> Subject: Re: Active Directory, JNDI, EOModel
>
> Using Wireshark, below is what I’m seeing for the two queries. The biggest difference right off the bat is that the WO/EOModel search seems to search ROOT as the base DN whereas the Apache DirectoryStudio is using “DC=adinstance,DC=ucla,DC=edu” as the base. The WO/EOModel search also appears to have additional objectClass ‘AND’ filters.
>
> Looks like my first guess was somewhat likely - I need to find a way to get a handle on the query and feed a base DN to my fetch in WO.
>
> It looks like this might be a way to set that:
> JNDIPlugin - base
>
> But I’m wondering if there is a way to set it once at the launch of an app and not have to set it again.
>
> --------------------------------------------
>
> From WebObjects:
> Lightweight Directory Access Protocol
> LDAPMessage searchRequest(2) "<ROOT>" wholeSubtree
> messageID: 2
> protocolOp: searchRequest (3)
> searchRequest
> baseObject:
> scope: wholeSubtree (2)
> derefAliases: derefAlways (3)
> sizeLimit: 0
> timeLimit: 3601
> typesOnly: False
> Filter: (objectClass=user)
> filter: and (0)
> and: (objectClass=user)
> and: 1 item
> Filter: (objectClass=user)
> attributes: 0 items
> [Response In: 8]
> controls: 1 item
> Control
> controlType: 2.16.840.1.113730.3.4.2 (Manage DSA IT LDAPv3 control)
>
> From Apache Directory Studio:
> Lightweight Directory Access Protocol
> LDAPMessage searchRequest(14) “DC=adinstance,DC=ucla,DC=edu" wholeSubtree
> messageID: 14
> protocolOp: searchRequest (3)
> searchRequest
> baseObject: DC=adinstance,DC=ucla,DC=edu
> scope: wholeSubtree (2)
> derefAliases: derefAlways (3)
> sizeLimit: 1000
> timeLimit: 0
> typesOnly: False
> Filter: (objectClass=user)
> filter: equalityMatch (3)
> equalityMatch
> attributeDesc: objectClass
> assertionValue: user
> attributes: 2 items
> AttributeDescription: cn
> AttributeDescription: objectClass
> [Response In: 2]
>
>
>
> On Jul 21, 2017, at 12:58 PM, Chuck Hill <ch...@gevityinc.com> wrote:
>
> Try going through a proxy like Charles. Comparing what is sent from WO and from Directory Studio might highlight what is wrong. I am sure that I did this many years ago, but the details escape me. Microsoft’s standard is just a little…different.
>
> Chuck
>
> On 2017-07-21, 12:56 PM, "Webobjects-dev on behalf of Tim Worman" <webobjects-dev-bounces+chill=gevityinc....@lists.apple.com on behalf of li...@thetimmy.com> wrote:
>
> Yeah, I’m not using the model for authentication to AD, I’m intending to use simply to return EO's from AD. I’m encountering the error below when I simply try:
>
> ADUser.fetchAllADUsers(pageEditingContext());
>
> The WARN log seems to indicate that I can’t search objectClass “user.” But it is modeled and was reverse engineered. I’m unsure why that would be considering I haven’t had that issue before with other ldap services.
>
> Tim
>
>
> On Jul 21, 2017, at 12:50 PM, Theodore Petrosky <tedp...@yahoo.com> wrote:
>
> did you see this:
>
> https://www.slideshare.net/wocommunity/third-party-auth-in-webobjects
>
> I was looking to see if there was a video to go along with the slides but didn’t find one.
>
>
>
> On Jul 21, 2017, at 3:10 PM, Tim Worman <li...@thetimmy.com> wrote:
>
> Has anyone used the JNDI plugin to model Active Directory? I’ve used it with a lot of success with other ldap directories but I’m running into a problem with a pretty simple model (which I’m sure has to do with AD’s implementation).
>
> I reverse engineered our AD (Server 2016) instance with no problem - and only included Person and User in my model. However, when I try to do a simple fetch of all User (or Person) I get sth like:
>
> Jul 21 11:11:23 GSEISNetTestApplication[54777] DEBUG NSLog - Waiting for requests...
> Jul 21 11:11:24 GSEISNetTestApplication[54777] WARN er.extensions.eof.ERXModelGroup - Clearing previous class descriptions
> Jul 21 11:11:24 GSEISNetTestApplication[54777] DEBUG NSLog - Context factory cache is already clear
> Jul 21 11:11:24 GSEISNetTestApplication[54777] DEBUG NSLog - Connecting: {plugInClassName = "com.webobjects.jndiadaptor.LDAPPlugIn"; timeout = "3600"; scope = "Subtree"; username = "CN="Application Server",OU="Service Accounts",OU=ETU,DC=gseisnet,DC=ucla,DC=edu"; authenticationMethod = "Simple"; password = "<omitted from log>"; serverUrl = "ldap://gseisnet.ucla.edu:389"; initialContextFactory = "com.sun.jndi.ldap.LdapCtxFactory"; }
> Jul 21 11:11:24 GSEISNetTestApplication[54777] DEBUG NSLog - Creating plug-in com.webobjects.jndiadaptor.LDAPPlugIn for JNDIAdaptor@1084219182
> Jul 21 11:11:24 GSEISNetTestApplication[54777] WARN NSLog - Cannot search (&(objectClass=user))
> [2017-7-21 11:11:24 PDT] <WorkerThread0> javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310021B, problem 2001 (NO_OBJECT), data 0, best match of:
> ''
> ]; remaining name ''
>
> When I use Directory Studio to perform what appears to be the same search, filtering on objectClass user, I get the results I would expect. I’m using the same bind credentials in both as well. One guess I have is the search base, which I have set to the base DN in Directory Studio. Is there a way to get a handle on the JNDI adaptor and set the search base globally in case it isn’t right?
>
> Any other ideas? I know I’m probably off the reservation here.
>
> Tim
> UCLA GSE&IS
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Webobjects-dev mailing list (Webobjects-dev@lists.apple.com)
> Help/Unsubscribe/Update your Subscription:
> https://lists.apple.com/mailman/options/webobjects-dev/tedpet5%40yahoo.com
>
> This email sent to tedp...@yahoo.com
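
Added example, not part of the original thread and not WebObjects or JNDIAdaptor code: a plain-JNDI program showing the fix described in the top message, where the search base is carried in the provider URL so that a search on the empty name starts there instead of at the root. The host name, base DN and the LDAP_BIND_DN / LDAP_BIND_PW environment variables are placeholders, and it needs a reachable Active Directory to produce results.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class AdSearchBase {
    // Placeholders (assumptions, not values from the thread).
    static final String HOST = "dc.example.org";
    static final String BASE_DN = "DC=example,DC=org";

    static DirContext connect(String url) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        // Simple bind sends the password in clear over ldap://; ldaps:// (636/3269) encrypts it.
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, System.getenv().getOrDefault("LDAP_BIND_DN", ""));
        env.put(Context.SECURITY_CREDENTIALS, System.getenv().getOrDefault("LDAP_BIND_PW", ""));
        return new InitialDirContext(env);
    }

    // Counts entries matching (objectClass=user) below whatever DN the URL names.
    static int countUsers(String url) throws NamingException {
        DirContext ctx = connect(url);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"cn"});
            // The name "" is relative to the DN in the provider URL. With no DN there,
            // the base is the root and AD answers error code 32 (NO_OBJECT).
            NamingEnumeration<SearchResult> results = ctx.search("", "(objectClass=user)", sc);
            int n = 0;
            try {
                while (results.hasMore()) { results.next(); n++; }
            } catch (PartialResultException | SizeLimitExceededException e) {
                // Unfollowed referrals (typical on 389) or the server size limit: keep the count so far.
            }
            return n;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) {
        String[] urls = {
            "ldap://" + HOST + ":389",                 // no base DN, as in the failing request
            "ldap://" + HOST + ":3268/" + BASE_DN,     // base DN in the URL, Global Catalog port
        };
        for (String url : urls) {
            try { System.out.println(url + " -> " + countUsers(url) + " entries"); }
            catch (NamingException e) { System.out.println(url + " -> " + e); }
        }
    }
}
```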