Version 7

    Problem:

    LDAP synchronizations take a very long time and/or never complete. Authentication attempts take more than 30 seconds and occasionally time out.


    Type of Problem:

    Environmental misconfiguration.


    Cause:

    Active Directory responds to some LDAP requests with referrals to a specific domain name. If the SBS server cannot resolve that domain name in DNS, its request will time out while trying to chase the referral.


    Diagnosing this issue:

    You will typically see errors similar to the following in the logs:


    25 Feb 2010 15:26:36,316 [http-127.0.0.1-9001-5] [EC557654CE6DB8F8C705A7469B5E2F46.node0:kliu] ERROR action.PageViewInterceptor - Exception encountered -
    org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: sample.host.com:389 [Root exception is java.net.ConnectException: Connection refused]]
        at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:203)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:315)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:361)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:215)
        at com.jivesoftware.base.ldap.LdapSearchManager.findUserByName(LdapSearchManager.java:431)
        at com.jivesoftware.community.action.UserSearch.execute(UserSearch.java:193)

    [TRUNCATED]

        at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:574)
        at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1527)
        at java.lang.Thread.run(Thread.java:619)

    Caused by: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: sample.host.com:389 [Root exception is java.net.ConnectException: Connection refused]]
        at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:224)
        at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(LdapNamingEnumeration.java:362)
        at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:208)
        at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(LdapNamingEnumeration.java:362)
        at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:208)
        at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:171)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:295)
        ... 154 more

    Caused by: javax.naming.CommunicationException: sample.host.com:389 [Root exception is java.net.ConnectException: Connection refused]
        at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:74)
        at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:132)
        at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(LdapNamingEnumeration.java:339)
        at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:208)
        ... 160 more

    Caused by: java.net.ConnectException: Connection refused
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
        at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195)
        at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
        at java.net.Socket.connect(Socket.java:525)
        at java.net.Socket.connect(Socket.java:475)
        at java.net.Socket.<init>(Socket.java:372)
        at java.net.Socket.<init>(Socket.java:186)
        at com.sun.jndi.ldap.Connection.createSocket(Connection.java:349)
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:184)
        at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:118)
        at com.sun.jndi.ldap.LdapClientFactory.createPooledConnection(LdapClientFactory.java:46)
        at com.sun.jndi.ldap.pool.Connections.getOrCreateConnection(Connections.java:185)
        at com.sun.jndi.ldap.pool.Connections.get(Connections.java:126)
        at com.sun.jndi.ldap.pool.Pool.getPooledConnection(Pool.java:129)
        at com.sun.jndi.ldap.LdapPoolManager.getLdapClient(LdapPoolManager.java:310)
        at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1572)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2652)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:134)
        at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(ldapURLContextFactory.java:35)
        at javax.naming.spi.NamingManager.getURLObject(NamingManager.java:584)
        at javax.naming.spi.NamingManager.processURL(NamingManager.java:364)
        at javax.naming.spi.NamingManager.processURLAddrs(NamingManager.java:344)
        at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:316)
        at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:93)
        ... 163 more


    Solution:

    Ensure that the hostname (sample.host.com in this example) is resolvable from every node in the SBS cluster. If necessary, add an entry to /etc/hosts on each node mapping this hostname directly to the IP address of the domain controller you connect to for AD.
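    A small diagnostic for this situation, added here as an example and not part of the original article or of SBS itself: it pulls the referral target host:port out of the CommunicationException line, splits a referral URL the same way, and reports whether that host resolves (and optionally connects) from the node it runs on. SAMPLE_LOG is a constructed line modelled on the trace above; the resolver and connector are injectable so the check can be exercised offline.

```python
import re
import socket
from urllib.parse import urlsplit

# Constructed sample log line; JNDI names the referral target as host:port after the exception class.
SAMPLE_LOG = (
    "Caused by: javax.naming.CommunicationException: sample.host.com:389 "
    "[Root exception is java.net.ConnectException: Connection refused]\n"
)
_COMM_EXC = re.compile(r"javax\.naming\.CommunicationException:\s*([^\s\[\]:]+):(\d+)")

def referral_targets_from_log(text):
    """Unique (host, port) pairs named in CommunicationException lines, in order seen."""
    targets = []
    for host, port in _COMM_EXC.findall(text):
        if (host, int(port)) not in targets:
            targets.append((host, int(port)))
    return targets

def referral_target_from_url(url):
    """Split a referral URL (ldap://host[:port]/DN) into (host, port); defaults are 389/636."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("not an LDAP URL: %r" % url)
    return parts.hostname, parts.port or (636 if parts.scheme == "ldaps" else 389)

def check_target(host, port, resolve=socket.gethostbyname, connect=None):
    """Does the host resolve on this node and, if a connector is given, accept TCP on port?"""
    # resolve/connect are injectable so the check can be exercised offline (assumption of this example).
    result = {"host": host, "port": port, "resolves": False, "ip": None, "connects": None}
    try:
        result["ip"] = resolve(host)
    except OSError:  # socket.gaierror is an OSError: NXDOMAIN, no resolver reachable, etc.
        return result
    result["resolves"] = True
    if connect is not None:
        result["connects"] = connect(result["ip"], port)
    return result

def tcp_connect(ip, port, timeout=3.0):
    """Default connector: True if a TCP handshake to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    # Run on every SBS node; a target that does not resolve is the one to pin in /etc/hosts.
    for host, port in referral_targets_from_log(SAMPLE_LOG):
        print(check_target(host, port, connect=tcp_connect))
```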


    Another, equally valid solution is to connect to the Active Directory Global Catalog instead (port 3268 for plaintext or 3269 for SSL). The Global Catalog holds a partial, read-only replica of every domain in the forest, so forest-wide searches against it are answered directly rather than with referrals to other domain controllers; the trade-off is that only attributes replicated to the Global Catalog are returned, so check that the attributes SBS synchronizes are in that set.


    Also, check that ldap.followReferrals = true is set in your SBS system properties.


    Extra Credit:

    Here are a few resources with more information about referrals in Active Directory: