4

We have a user that our corporate portal cannot fetch the groups for from AD.

On the portal logs we see this error:

javax.naming.PartialResultException: Unprocessed Continuation Reference(s) remaining name ''

I've Googled for the error and the best symptoms that seem to describe this case and how to resolve it are here: http://www-01.ibm.com/support/docview.wss?uid=swg21232921

Assuming we don't want to change the configuration just because of one user but to amend the data of this specific user, can someone please explain to me how I can recognize this when examining the user's record in the AD? Is this something to do with his group assignments, and if yes, what should I look for?

ROMANIA_engineer
Joly

4 Answers

7

I just ran into this.

I got around it by setting your InitialDirContext environment to have the Context.REFERRAL key set to "follow".

According to the Javadocs, that key can be "follow", "ignore", or "throw". The default is determined by the provider you use, which is probably "throw".

mj1531
5

Check out this link for a bit more data on what your API is telling you: http://www.jspwiki.org/wiki/ActiveDirectoryIntegration

I'm not an expert on this API but can explain at least what I think is going on based upon that doc & knowledge of what AD is doing. :)

AD returns what are called "referrals" when you do searches that have naming contexts outside of this local server/search but in the logical scope of your request. This is per RFC request. Think of a referral as a hint to you, the app, that there might be more data out there; that is, the AD server is saying "here are the results I have for you but, you should know, there is someone else that might have more... go here to find out." Referrals aren't an "error"; they are a hint to the app.

It seems that your LDAP API is throwing an exception when encountering them. Per the docs I referenced above, it looks like you can either swallow them or chase the referral to find out if there is more data.

StackzOfZtuff
Eric Fleischman
  • Thanks, a bit clearer now. I guess my next question is how can I figure out which referrals exist for this specific user that don't work and remove them? – Joly Aug 31 '12 at 22:52
  • If you tell me the namespace configuration of your forest and what sort of search base you are using I can probably help. It is typically because there is a namespace that is a "child" of the one you are searching, and that you're using a subtree search. (ex: you are searching dc=domain,dc=com and there is also a dc=child,dc=domain,dc=com out there). Oh, and you don't want to remove them. You want to change your search query/api config. Removing them probably would destroy stuff in your forest. :) – Eric Fleischman Aug 31 '12 at 22:55
  • Where can I get the namespace of the forest from? The search base is: DC=comp1,DC=ad,DC=comp,DC=com – Joly Aug 31 '12 at 23:09
  • Also might help to give the entire error: javax.naming.PartialResultException: Unprocessed Continuation Reference(s) ); remaining name ''. Notice the remaining name '', does that give you a hint? – Joly Aug 31 '12 at 23:30
  • If you look in cn=partitions,cn=configuration,dc= you'll see crossrefs for each namespace. That'll help... look for children of the search base. Another option is to take a network sniff of the search and see what exact referrals you're getting back. BTW, feel free to email me if we've hit the point of diminishing marginal return on general advice and want to get very specific in your config. – Eric Fleischman Aug 31 '12 at 23:36
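As an added example (not part of the original thread or any poster's code): a Java check using the JDK's `javax.naming.ldap.LdapName` that takes the search base from the question plus a list of crossRef `nCName` values and reports which naming contexts sit below that base, which is what the comments above suggest looking for. The `nCName` values, the `lab` child domain and the class name are constructed for illustration.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import java.util.ArrayList;
import java.util.List;

public class SubordinateContexts {

    // Naming contexts strictly below 'base'. LdapName indexes RDNs from the
    // right, so startsWith() is a DN-suffix test; RDN comparison ignores case.
    static List<LdapName> below(LdapName base, List<LdapName> contexts) {
        List<LdapName> out = new ArrayList<>();
        for (LdapName nc : contexts) {
            if (nc.size() > base.size() && nc.startsWith(base)) {
                out.add(nc);
            }
        }
        return out;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Search base quoted in the question.
        LdapName base = new LdapName("DC=comp1,DC=ad,DC=comp,DC=com");

        // Constructed nCName values (hypothetical forest layout), written the
        // way they might be copied out of the crossRef objects.
        String[] nCNames = {
            "DC=comp1,DC=ad,DC=comp,DC=com",                          // the base itself
            "dc=DomainDnsZones, dc=comp1, dc=ad, dc=comp, dc=com",    // partition under the base
            "DC=lab,DC=comp1,DC=ad,DC=comp,DC=com",                   // hypothetical child domain
            "DC=DomainDnsZones,DC=lab,DC=comp1,DC=ad,DC=comp,DC=com", // nested under the child
            "CN=Configuration,DC=ad,DC=comp,DC=com",                  // outside the base
            "DC=comp2,DC=ad,DC=comp,DC=com"                           // sibling of the base
        };
        List<LdapName> contexts = new ArrayList<>();
        for (String s : nCNames) {
            contexts.add(new LdapName(s));
        }

        List<LdapName> subordinate = below(base, contexts);
        for (LdapName nc : subordinate) {
            // "direct" = no other subordinate context lies between base and nc.
            boolean direct = true;
            for (LdapName other : subordinate) {
                if (nc.size() > other.size() && nc.startsWith(other)) direct = false;
            }
            System.out.println((direct ? "direct  " : "nested  ") + nc);
        }
    }
}
```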
1

Add this to the env properties:

 env.put(Context.REFERRAL,"follow");
Asanka Sampath
    While this piece of code may provide a solution to the question, it's better to add context as to why/how it works. This can help future users learn and eventually apply that knowledge to their own code. You are also likely to have positive feedback/upvotes from users, when the code is explained. – Amit Verma Feb 24 '21 at 07:40
0

Also, one of the issues that I found was an incorrect search query string in ldapContext. The incorrect query, formed due to the wrong format of a parameter, throws:

javax.naming.PartialResultException: Unprocessed Continuation Reference(s) remaining name '' 

But if we add the parameter Context.REFERRAL="follow", then it does not throw an exception, but neither does it return a result.

The parameter to ldap query string should also match the that is being accepted by LDAP else it will throw the same error.

Nazik
Bharat