Configuring multiple RTC's OUs
2 answers
You don't need to. You simple choose the top common node as the base. For example, if you have two OUs such as "ou=dept1,dc=company,dc=com" and "ou=dept2,dc=company,dc=com", then you choose "dc=company,dc=com" as the base. When configuring LDAP in either WAS or Tomcat, you can specify whether to search the entire subtree (default is yes I believe).
Thanks Donald,
When I set the common root for both trees it generates a warning on the web interface code() and authentication fails for all users.
This is the output of catalina log:
FINE: Authenticating username 'testuser'
Jun 25, 2014 4:32:22 PM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
Throwable occurred: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: das.com.ve:389 [Root exception is java.net.SocketTimeoutException: connect timed out]]
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:236)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:183)
at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1461)
at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1291)
at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1247)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1188)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1046)
at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:295)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:450)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:309)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:906)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:929)
at java.lang.Thread.run(Thread.java:761)
When I set the common root for both trees it generates a warning on the web interface code() and authentication fails for all users.
This is the output of catalina log:
curiously das.com.ve is not my LDAP server, my LDAP server is dasc1.das.com.ve:389
FINE: Authenticating username 'testuser'
Jun 25, 2014 4:32:22 PM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
Throwable occurred: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: das.com.ve:389 [Root exception is java.net.SocketTimeoutException: connect timed out]]
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:236)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:183)
at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1461)
at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1291)
at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1247)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1188)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1046)
at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:295)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:450)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:309)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:906)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:929)
at java.lang.Thread.run(Thread.java:761)
Comments
It could be that your LDAP server is part of an Active Directory Forest and the common root actually starts from a central server (such as das.comve). It becomes a bit complicated now. You may have to talk to your network administrator to understand the network topology in order to come up with a solution. Consult your network administrator whether Global Catalog will work for you or not.