Spring's LdapTemplate search: PartialResultException: Unprocessed Continuation Reference(s); remaining name '/'

Question

I add users through LDAP for a certain application, made with spring.

While this works for most of the cases, in some cases, it does not work...

The retrieve the users I use:

public class LdapUserServiceImpl implements ILdapUserService {

    @Override
    public List<LdapUserVO> getUserNamesByQuery(String query) {
        return ldapTemplate.search(
            query().countLimit(15)
                    .where("objectClass").is("user")
                    .and("sAMAccountName").isPresent()
                    .and(query()
                            .where("sAMAccountName").like("*" + query + "*")
                            .or("sAMAccountName").is(query)
                            .or("displayName").like("*" + query + "*")
                            .or("displayName").is(query))
            ,
            new AttributesMapper<LdapUserVO>() {
                public LdapUserVO mapFromAttributes(Attributes attrs) throws NamingException {
                    LdapUserVO ldapUser = new LdapUserVO();
                    Attribute attr = attrs.get(ldapUserSearch);
                    if (attr != null && attr.get() != null) {
                        ldapUser.setUserName(attr.get().toString());
                    }
                    attr = attrs.get("displayName");
                    if (attr != null && attr.get() != null) {
                        ldapUser.setDisplayName(attr.get().toString());
                    }
                    return ldapUser;
                }
            });
    }
}

So this works in most of the cases, but sometimes I get the following error:

unprocessed continuation reference(s); remaining name "/"

I've searched a lot about this, and I explicitly set

DefaultSpringSecurityContextSource ctxSrc = new DefaultSpringSecurityContextSource(ldapUrl);
ctxSrc.setReferral("follow");

Some more info:

• Search-query "admin_a" works, but "admin_ah" does not
• Spring version is 4.2.5.RELEASE
• Spring ldap-core version is 2.0.2.RELEASE

I think it strange that the remaining name is the root directory... Does someone has any ideas how to fix this, or even where to start looking?

Thanks in advance!

Answer 1

This may be related with the Active Directory being unable to handle referrals automatically. Please take a look at the LdapTemplate javadoc.

If this is the case, set the ignorePartialResultException property to true in your ldapTemplate configuration.

Answer 2

The reason for this error in my case was that the structure of the new AD had changed (userPrincipleName was now the emailaddress instead of login). Because of this the authentication to the AD worked fine, but no entry could be found that matched the filter, and as such didn't return any result. So the PartialResultException was only an indication, not the reason. the reason is the lack of any result in the method searchForSingleEntryInternal of the SpringSecurityLdapTemplate class. In my case, I had to make sure I used the correct userPrincipleName and configure the correct domain and baseDN in my ActiveDirectoryLdapAuthenticationProvider.