How to disable LDAP referrals

Article ID: 49041


Products

CA Directory CA Identity Manager CA Identity Governance CA Identity Portal CA Risk Analytics CA Secure Cloud SaaS - Arcot A-OK (WebFort) CLOUDMINDER ADVANCED AUTHENTICATION CA Secure Cloud SaaS - Advanced Authentication CA Secure Cloud SaaS - Identity Management CA Secure Cloud SaaS - Single Sign On CA Security Command Center CA Data Protection (DataMinder) CA User Activity Reporting

Issue/Introduction

An LDAP referral tells a client that the LDAP server it is talking to does not hold the requested object and where to look instead. Disabling referral following is not recommended. If it is needed, however, the directory XML file of the Identity Manager directory object can be configured to stop Identity Manager from following referrals.

Environment

Release:
Component: IDMGR

Resolution

An LDAP referral is a domain controller's way of indicating to a client application that it does not have a copy of a requested object (more precisely, that it does not hold the section of the directory tree where that object would be, if it exists at all) and of giving the client a location that is more likely to hold the object. The client uses that location as the basis for a DNS lookup of a domain controller. Ideally a referral always points at a domain controller that holds the object, but the referred-to domain controller can itself return another referral; in practice it usually does not take long to establish that the object does not exist and to report that to the client. Active Directory returns referrals in accordance with RFC 2251 (since obsoleted by RFC 4511).

Referral following is enabled by default in Identity Manager. The effective setting is visible in the application server log when an environment starts: refType = follow and java.naming.referral=follow in the lines below.

WARN [ims.tmt.EnvironmentService] * Starting environment: IHG APAC       
DEBUG [ims.llsdk.directory.jndi] Attemtping to set group types from linked data 
DEBUG [ims.llsdk.directory.jndi] Attempting to set self-subscribing behavior from linked data
DEBUG [ims.llsdk.directory.jndi] Attempting to determine vendor type
DEBUG [ims.llsdk.directory.jndi] BaseDN: DC=Apac,DC=Corp,DC=Local
DEBUG [ims.llsdk.directory.jndi] protocol: ldap
DEBUG [ims.llsdk.directory.jndi] url: ldap://<SERVER>:636
DEBUG [ims.llsdk.directory.jndi] UserDN: CN=GlobalSiteMinder,OU=ServiceAccounts,OU=Directory Access Security Control,DC=Corp,DC=Local
DEBUG [ims.llsdk.directory.jndi] refType = follow
DEBUG [ims.llsdk.directory.jndi] aliasType: searching
DEBUG [ims.llsdk.directory.jndi] extraProp: [com.sun.jndk.ldap.connect.pool]=[true]
DEBUG [ims.llsdk.directory.jndi] extraProp: [java.naming.security.authentication]=[simple]
DEBUG [ims.llsdk.directory.jndi] extraProp: [java.naming.security.protocol]=[ssl]
DEBUG [ims.llsdk.directory.jndi] extraProp: [java.naming.referral]=[follow]

There are still cases where disabling referrals is the practical choice. One is a domain in which not every domain controller accepts LDAPS. For a subtree search rooted at the domain, Active Directory returns a referral to "domaindnszones.<domainname>" even when the search does not need it. When Identity Manager follows that referral it reconnects over SSL to whichever domain controller the name currently resolves to, and the connection fails if that particular domain controller has no LDAPS listener.

To disable referral following for the Identity Manager directory object, add an extra property dictionary to the directory XML; this section should appear right after the Managed Objects declarations in the file. The value ignore tells the JDK LDAP provider not to chase referrals (the other accepted values for java.naming.referral are follow and throw):

<PropertyDict name="LDA_CONNECTION_SETTINGS">
<Property name="java.naming.referral">ignore</Property>
</PropertyDict>

Caveat: with ignore, a subtree search that receives continuation references from Active Directory still returns the entries held by the domain controller it is connected to, but the JDK provider reports the unprocessed references as a javax.naming.PartialResultException at the end of the result enumeration. Test the change against the affected environment before deploying it.
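As an added illustration (not code from this article or from the Identity Manager product), the following small JNDI program runs the same kind of subtree search Identity Manager performs, with the referral mode taken from the command line, so that the three values of java.naming.referral can be compared against a real domain controller. The URL, base DN, service account and password are placeholders; the class and the ReferralProbe name are this example's own.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.ReferralException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Probe how the JDK LDAP provider handles Active Directory referrals under each
 * java.naming.referral setting. All arguments below are placeholders:
 *   java ReferralProbe ldaps://dc1.corp.local:636 DC=Corp,DC=Local \
 *        "CN=svc-im,OU=ServiceAccounts,DC=Corp,DC=Local" 'password' follow|ignore|throw
 */
public class ReferralProbe {

    static Hashtable<String, String> env(String url, String userDn, String password, String mode) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Same property Identity Manager sets from its directory XML: follow (default), ignore or throw.
        env.put(Context.REFERRAL, mode);
        if (url.startsWith("ldaps://")) {
            // Mirrors java.naming.security.protocol=ssl from the Identity Manager log. Referral URLs
            // returned by AD carry no port, so a followed referral reuses this setting and port 636
            // against whatever host the referral's DNS name resolves to.
            env.put(Context.SECURITY_PROTOCOL, "ssl");
        }
        return env;
    }

    public static void main(String[] args) throws NamingException {
        String url = args[0], baseDn = args[1], userDn = args[2], password = args[3], mode = args[4];
        SearchControls sc = new SearchControls();
        // Subtree searches rooted at the domain are what trigger the DomainDnsZones referral.
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"distinguishedName"});

        DirContext ctx = new InitialDirContext(env(url, userDn, password, mode));
        int entries = 0;
        try {
            NamingEnumeration<SearchResult> results =
                ctx.search(baseDn, "(objectClass=organizationalUnit)", sc);
            // hasMore() (unlike hasMoreElements()) surfaces referral-related exceptions.
            while (results.hasMore()) {
                results.next();
                entries++;
            }
            System.out.println("mode=" + mode + ": " + entries + " entries, no referral problems");
        } catch (PartialResultException e) {
            // mode=ignore: the entries held by the connected DC were delivered; the unprocessed
            // continuation references (e.g. DomainDnsZones) are reported once, at the end.
            System.out.println("mode=" + mode + ": " + entries + " entries, then PartialResultException: "
                + e.getMessage());
        } catch (ReferralException e) {
            // mode=throw: shows exactly where AD is sending the client, e.g.
            // ldap://DomainDnsZones.corp.local/DC=DomainDnsZones,DC=Corp,DC=Local
            System.out.println("mode=" + mode + ": " + entries + " entries, then referral to "
                + e.getReferralInfo());
        } catch (NamingException e) {
            // mode=follow against a referred-to DC without LDAPS typically ends here
            // with a javax.naming.CommunicationException.
            System.out.println("mode=" + mode + ": failed after " + entries + " entries: " + e);
        } finally {
            ctx.close();
        }
    }
}
```

Run it once with follow from a host that can reach every domain controller and once with ignore. If ignore prints the entries followed by PartialResultException, the search itself succeeded and only the continuation references were dropped, which is the outcome the directory XML change above produces. With throw, the printed URL shows which DNS name, and therefore which domain controllers, a followed referral would contact; that is the name to check for an LDAPS listener before deciding to leave referrals enabled.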