LDAP lookups on branch office servers


  • LDAP lookups on branch office servers

    Hello.

    We are having an ongoing problem with a particular app that we are using. The app uses Tomcat and is authenticating users with AD. The config files point to a primary and an alternate AD server, both located locally.

    The problem is that when a user tries to authenticate, the app server is querying our branch office servers as well. Our branch office servers are Domain Controllers for our domain as well, but since they are on slow links, the authentication usually times out before the user is authenticated.

    Is there a way in AD or anywhere to make this app server only query the servers that we want?

    Thanks for the help.

  • #2
    Re: LDAP lookups on branch office servers

    Hi,

    What OS is your AD running on? What's the application called, what version of Tomcat are you using, and can you post your server.xml?
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR



    • #3
      Re: LDAP lookups on branch office servers

      Hey L4ndy,

      Our domain is running 2003 R2.

      The application is a local app that is built inside our company. The version of Tomcat is 6.0.18.

      The appname.xml file contains something similar to the following:

      connectionURL="ldap://xx.xx.xx.xx:389"
      alternateURL="ldap://xx.xx.xx.xx:389"
      connectionName="cn=adminaccount,cn=Users,dc=ourdomain,dc=com"
      connectionPassword="adminpassword"
      userBase="dc=ourdomain,dc=com"
      userSearch="sAMAccountName={0}"
      userSubtree="true"
      referrals="follow"

      Thanks for the help.



      • #4
        Re: LDAP lookups on branch office servers

        A few more details:

        At our home office we have 3 domain controllers running AD in 2003 native mode:

        localdc1
        localdc2
        localdc3

        We have two remote offices over WAN links that are also running DCs for the same domain as our home office:

        remotedc1
        remotedc2

        Locally, at our home office, the application that I am asking for help with is running behind a Cisco content switch for load balancing. It is in a different VLAN than the rest of the network. It uses the 3 local DCs for authentication. Or, it is supposed to.

        Within AD Sites & Services, we have placed all of our home office DCs into the default_first_site site, and we have created sites for the two remote offices and placed their DCs in there. We have created subnets and connectors for all of the sites and matched them up accordingly.

        The problem is that when local users access this app that is running behind the content switch at our home office, I can look at the traffic on the content switch and see that it is sending the LDAP request to all 5 of our DCs. Most times, the right DC answers, but on a bad day, the answer tries to come from one of the remote servers.

        I am not a programmer, but I would think that the configuration that I posted earlier should direct the LDAP queries to the two servers listed and ignore the others.

        Even if that isn't the case, the subnet of the servers behind the content switch is within the default_first_site container along with our local subnet that the DCs are a part of. Shouldn't that tell those servers to only use the local DCs for lookups?

        The only other thing that I have tried is changing the DNS settings for LDAP/389. I changed the priority for the two remote DCs from 0 to 1 in hopes that our app would prefer the local servers. This made no difference.

        Thanks for the help. Sorry for the length. I am open to any suggestions.



        • #5
          Re: LDAP lookups on branch office servers

          Originally posted by 81reaper
          The appname.xml file contains similar to the following:

          connectionURL="ldap://xx.xx.xx.xx:389"
          Hi,

          I think you need to focus on the Tomcat configuration rather than on DNS.
          You should have an entry similar to the one above in the server.xml file.
          AFAIK, LDAP is a client-server protocol, and if configured properly, any client using Tomcat should use LDAP to query the specified DC.

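To make the relationship between the attributes posted in #3 and the traffic seen on the content switch in #4 concrete, here is an added example of the same JNDIRealm written out as the Realm element it becomes inside a Tomcat 6 Context (or Engine/Host). It is not the poster's appname.xml and not a sample from the Tomcat project. The first Realm reproduces the posted settings; the second and third are the two usual ways of confining the realm to the home-office DCs. The hostnames localdc1/localdc2, the domain ourdomain.com and the OU name "Staff" are assumptions for illustration.

```xml
<!-- Added example, not the poster's configuration. Hostnames, domain and the
     "Staff" OU are placeholders. Place the Realm inside <Context> in
     conf/Catalina/localhost/appname.xml (or inside <Engine>/<Host> in server.xml). -->

<!-- 1. As posted: userBase is the domain naming context, userSubtree makes the
     search scope "subtree", and referrals="follow". A DC answering such a
     search on port 389 returns continuation references for the partitions it
     does not return inline (the DomainDnsZones/ForestDnsZones application
     partitions and any child domains). Their hostnames, e.g.
     DomainDnsZones.ourdomain.com, resolve in DNS to every DC holding that
     partition, so the JNDI LDAP provider follows each reference on a new
     connection to whichever address DNS hands back, remote DCs included. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://xx.xx.xx.xx:389"
       alternateURL="ldap://xx.xx.xx.xx:389"
       connectionName="cn=adminaccount,cn=Users,dc=ourdomain,dc=com"
       connectionPassword="adminpassword"
       userBase="dc=ourdomain,dc=com"
       userSearch="sAMAccountName={0}"
       userSubtree="true"
       referrals="follow"/>

<!-- 2. Confined to the home-office DCs: explicit hosts (alternateURL is only
     tried when connectionURL cannot be reached), no referral chasing, and a
     search base below the partition heads so the DC has no reason to emit a
     continuation reference at all. The filter is written in the parenthesized
     form the Tomcat JNDIRealm documentation uses. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://localdc1.ourdomain.com:389"
       alternateURL="ldap://localdc2.ourdomain.com:389"
       connectionName="cn=adminaccount,cn=Users,dc=ourdomain,dc=com"
       connectionPassword="adminpassword"
       userBase="ou=Staff,dc=ourdomain,dc=com"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       referrals="ignore"/>

<!-- 3. If the search base must stay at the domain root, query the Global
     Catalog (port 3268) on the same two DCs instead. A GC search does not
     return the continuation references above. The GC holds only a partial
     attribute set, which is enough for a sAMAccountName lookup and a bind;
     check any role attributes you need are replicated to the GC. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://localdc1.ourdomain.com:3268"
       alternateURL="ldap://localdc2.ourdomain.com:3268"
       connectionName="cn=adminaccount,cn=Users,dc=ourdomain,dc=com"
       connectionPassword="adminpassword"
       userBase="dc=ourdomain,dc=com"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       referrals="ignore"/>
```

Two practical notes on this. JNDIRealm connects to the literal host in connectionURL (falling back to alternateURL) and does not consult the _ldap._tcp SRV records, so the SRV priority change described in #4 cannot influence it; site membership in AD Sites & Services only steers Windows clients that use the DC locator, not an LDAP client with a hard-coded server. And the account named in connectionName only needs read access to the user objects it searches for; since connectionPassword sits in clear text in the context file, use a dedicated low-privilege bind account rather than a domain administrator.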