I'm trying to get all the users from my LDAP server, doing the search from the base. This is my code:
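
    import static org.springframework.ldap.query.LdapQueryBuilder.query;

    import java.util.List;
    import org.springframework.ldap.core.LdapTemplate;
    import org.springframework.ldap.core.support.LdapContextSource;
    import org.springframework.ldap.query.LdapQuery;

    // Builds the template bound to the directory root dc=test,dc=com.
    public LdapTemplate ldapTemplate() {
        LdapContextSource ctxSrc = new LdapContextSource();
        ctxSrc.setUrl("ldap://127.0.0.1:389/");
        ctxSrc.setBase("dc=test,dc=com");
        ctxSrc.setUserDn("admin");
        ctxSrc.setPassword("password");
        ctxSrc.afterPropertiesSet();
        LdapTemplate lt = new LdapTemplate(ctxSrc);
        return lt;
    }

    private LdapTemplate ldapTemplate = ldapTemplate();

    // Searches from the context source base (empty relative base) for all user objects.
    public List<User> getAllUsers() {
        LdapQuery query = query().base("").where("objectclass").is("user");
        return ldapTemplate.search(query, new UserAttributesMapper());
    }
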
This is the error:
10:07:09.406 [main] DEBUG o.s.l.c.s.AbstractContextSource - AuthenticationSource not set - using default implementation
10:07:09.413 [main] DEBUG o.s.l.c.s.AbstractContextSource - Not using LDAP pooling
10:07:09.416 [main] DEBUG o.s.l.c.s.AbstractContextSource - Trying provider Urls: ldap://127.0.0.1:389/dc=test,dc=com
10:07:09.548 [main] DEBUG o.s.l.c.s.AbstractContextSource - Got Ldap context on server 'ldap://127.0.0.1:389/dc=test,dc=com'
Exception in thread "main" org.springframework.ldap.PartialResultException: Unprocessed Continuation Reference(s); nested exception is javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name '/'
at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:216)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:385)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:309)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:616)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:586)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:1651)
at ldap.example.UserRepositoryImpl.getAllUsers(UserRepositoryImpl.java:81)
at ldap.example.test.LdapApp.main(LdapApp.java:23)
Caused by: javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name '/'
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2914)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.getNextBatch(AbstractLdapNamingEnumeration.java:148)
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:217)
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMore(AbstractLdapNamingEnumeration.java:189)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:365)
... 6 more
BUILD FAILED (total time: 1 second)
When I filter by ou it works, but I need to filter from the root.
You wrote in a comment on the question that changing the port helps.
But changing the port doesn't solve this problem.
Port 3268 points to a special place in Active Directory: the Global Catalog. There is a set of all objects there, but each of them has only a small subset of attributes (for example distinguishedName, cn, sAMAccountName...).
So it works as long as you don't need more specific attributes.
Problem analysis
The exception occurs because AD, as the result of your query, returns referral objects:
[Active Directory] (...) generate referrals in response to queries that request data about objects that exist in the forest, but not contained on the directory server handling the request. These are called internal cross references, because they refer to domains, schema, and configuration containers within the forest.
And if referral chasing is disabled:
If referral chasing is not enabled and a subtree search is performed, the search will return all objects within the specified domain that meet the search criteria. The search will also return referrals to any subordinate domains that are direct descendants of the directory server domain. The client must resolve the referrals by binding to the path specified by the referral and submitting another query.
You can enable referral chasing, but it has a cost: it slows down the application. You can read about this here. And I think it is not necessary in most cases.
Solution 1:
Sometimes a sufficient solution is to assign a more specific baseDN (the ctxSrc.setBase() method in your question). Maybe all your users are inside an inner path, e.g. "ou=user,dc=department,dc=test,dc=com".
Read more in this answer.
Solution 2:
In Spring LdapTemplate you can also ignore this exception with the method setIgnorePartialResultException():

    ldapTemplate.setIgnorePartialResultException(true);

Read more in this answer.
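
Both solutions from the answer above, combined in one class, as an added example that is not part of the original question or answer. The class name `UserDirectory`, the method `getAllUserNames` and the constructor parameters are assumptions made for illustration; the Spring LDAP calls are the ones from the question plus `setIgnorePartialResultException`.

```java
import static org.springframework.ldap.query.LdapQueryBuilder.query;

import java.util.List;
import javax.naming.directory.Attribute;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.query.LdapQuery;
import org.springframework.ldap.query.SearchScope;

// Hypothetical wrapper class (not from the original post).
public class UserDirectory {
    private final LdapTemplate ldapTemplate;

    // baseDn: Solution 1, pass the narrowest subtree that holds the users,
    // e.g. "ou=user,dc=department,dc=test,dc=com" instead of "dc=test,dc=com".
    // bindDn / bindPassword: supplied by the caller instead of hard-coded.
    public UserDirectory(String baseDn, String bindDn, String bindPassword) {
        LdapContextSource ctxSrc = new LdapContextSource();
        ctxSrc.setUrl("ldap://127.0.0.1:389/");
        ctxSrc.setBase(baseDn);
        ctxSrc.setUserDn(bindDn);
        ctxSrc.setPassword(bindPassword);
        ctxSrc.afterPropertiesSet();

        ldapTemplate = new LdapTemplate(ctxSrc);
        // Solution 2: referrals returned by AD are not chased, and the
        // PartialResultException they trigger is swallowed instead of thrown.
        ldapTemplate.setIgnorePartialResultException(true);
    }

    // Returns the sAMAccountName of every user object under baseDn.
    public List<String> getAllUserNames() {
        LdapQuery query = query()
                .attributes("sAMAccountName")      // request only what is needed
                .searchScope(SearchScope.SUBTREE)  // whole subtree below baseDn
                .where("objectclass").is("user");

        AttributesMapper<String> mapper = attrs -> {
            Attribute name = attrs.get("sAMAccountName");
            return name == null ? null : (String) name.get();
        };
        return ldapTemplate.search(query, mapper);
    }
}
```

With the exception ignored, the result contains only the objects held in the domain of the server that answered; users in subordinate domains that AD pointed to via referrals are absent from the list without any error.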