GlassFish Security Realm, Active Directory and Referral

Question

I've setup up a Security Realm in Glassfish to authenticate against an Active Directory server. The configuration of the realm is as follows:

Class Name: com.sun.enterprise.security.auth.realm.ldap.LDAPRealm
JAAS context:  ldapRealm
Directory: ldap://172.16.76.10:389/
Base DN:  dc=smallbusiness,dc=local
search-filter: (&(objectClass=user)(sAMAccountName=%s))
group-search-filter: (&(objectClass=group)(member=%d))
search-bind-dn: cN=Administrator,CN=Users,dc=smallbusiness,dc=local
search-bind-password: abcd1234!

The realm is functional and I can log-in, but when ever I log in I get the following error in the log:

SEC1106: Error during LDAP search with filter [(&(objectClass=group)(member=CN=Administrator,CN=Users,dc=smallbusiness,dc=local))].
SEC1000: Caught exception.
    javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'dc=smallbusiness,dc=local'
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
        ....
        ....
ldaplm.searcherror

While searching for a solution I found that it was recommended to add java.naming.referral=follow to the properties of the realm. However, after I add this it takes 20 minutes for GlassFish to authenticate against Active Directory. I suspect it is a DNS problem on the Active Directory server. The Active Directory server is a vanilla Windows Server 2003 setup in a Virtual Machine.

Any help/recommendation is highly appreciated!

Answer 1

Hopefully, you've resolved this, but just in case:

1. I used 'objectCategory' in place of 'objectClass' as I read the former are indexed, hence faster.

2. I had to add this property:

   property name="assign-groups" value="Domain Users"

where "Domain Users" is the group in AD that all of our users are placed into. This must match the value in sun-web.xml for security-role-mapping.

Later, I was able to create a specific group for this application and make the appropriate changes.