From: Jon M. <jo...@te...> - 2006-07-27 19:39:21
Following on from previous posts.... Michael and I have been having nasty problems with LDAP. The authenticator discussed earlier on the list was deployed last Friday and the log is showing randomly occurring exceptions ever since. A connection, bind and search are carried out O.K. but almost randomly the next() method called on the search results throws an exception which indicates an internal error on the LDAP server but provides a message suggesting that a bind is required. Although nearly random there are some searches for particular users that always fail. I wrote a little application based on the authenticator which carries out the same operations in a loop. Although unable to reproduce the same exception, other exceptions were thrown randomly. The nature of the exceptions strongly suggests programming errors in the Novell/OpenLDAP API (which perhaps only occur when connecting to Active Directory). I say this because the exceptions are not thrown in the main program thread but within LDAP API worker threads and refer to illegal access to semaphores. It looks like a fundamental problem handshaking within the LDAP protocol.

Anyway, the point of all this explanation is that it leads me to the conclusion that a switch to JNDI and to the Sun LDAP provider is essential. I think JNDI is far more likely to be well debugged against many different LDAP servers and more importantly if anyone has problems with the Sun provider in connection with their own little used LDAP server they may be able to plug in a specific provider for it. Any thoughts on this?

Jon

P.S. we can't be 100% certain that there isn't a problem at the Active Directory end of the LDAP but another web service at Leeds, based on uPortal is successfully authenticating to it via JNDI.
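The connect, bind, search, iterate and rebind sequence the post describes, written against JNDI and the Sun LDAP provider as an added example (this is not the authenticator from the list and not a diagnosis of the exceptions above); the URL, service account DN and base DN are hypothetical placeholders. It includes the checks a deployment wants: filter arguments instead of string concatenation, refusal of empty passwords (which a simple bind treats as anonymous), and handling of the PartialResultException that Active Directory referrals raise at the end of an enumeration.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class JndiAuthenticator {
    // Hypothetical directory, service account and search base: substitute your own.
    private static final String URL = "ldaps://ad.example.org:636";
    private static final String SERVICE_DN = "CN=svc-auth,OU=Service,DC=example,DC=org";
    private static final String BASE_DN = "DC=example,DC=org";
    private static DirContext connect(String principal, String credentials) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        env.put(Context.REFERRAL, "ignore"); // AD hands out referrals for some subtrees; keep them out of the loop
        return new InitialDirContext(env);
    }
    // True only if username resolves to exactly one entry and a bind as that entry succeeds.
    public static boolean authenticate(String username, String password, String servicePassword) {
        // An empty password turns a simple bind into an anonymous bind (RFC 4513), which would "succeed".
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) return false;
        DirContext ctx = null;
        try {
            ctx = connect(SERVICE_DN, servicePassword);
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[] {"distinguishedName"});
            // {0} is escaped by the provider, so user input cannot change the filter's structure.
            NamingEnumeration<SearchResult> results = ctx.search(BASE_DN,
                "(&(objectClass=user)(sAMAccountName={0}))", new Object[] {username}, controls);
            String userDn = null;
            try {
                while (results.hasMore()) {
                    if (userDn != null) return false; // ambiguous match: refuse rather than guess
                    userDn = results.next().getNameInNamespace();
                }
            } catch (PartialResultException e) { /* end of results after ignored referrals, not a failure */ }
            if (userDn == null) return false;
            connect(userDn, password).close(); // second bind, as the user, is what proves the password
            return true;
        } catch (AuthenticationException e) {
            return false; // bad user password (or bad service password) reads as a failed login
        } catch (NamingException e) { throw new IllegalStateException("Directory error during authentication", e); }
        finally {
            if (ctx != null) try { ctx.close(); } catch (NamingException ignored) { }
        }
    }
}
```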