This discussion is archived
7 Replies Latest reply: Apr 7, 2011 9:06 AM by 853690

search in AD domain - subdomain setup returns inconsistent results. Please help

812817 Newbie
Hi everyone,

I am facing a very peculiar and confusing problem when I perform an LDAP search in an Active Directory environment with a main domain and its subdomain.

DETAILS:
=======
domain: ohm-ad.novell.com
subdomain: subdomain.ohm-ad.novell.com
There are only 2 computers in the domain - the domain DC and the subdomain DC.
Binding using userPrincipalName on port 389
search base is dc=ohm-ad,dc=novell,dc=com
I have set the Context.REFERRAL to "follow" to follow the referrals automatically.
I have set the search scope to SUBTREE_SCOPE so that the child domains are also searched.
My search filter is (objectClass=computer) because I want all the computers in the domain and the subdomain.
PROBLEM:
=======
The problem is that the same search() call returns different results at different instances.

At one instance, I get both the domain DC computer and the subdomain DC computer in the search result as expected.
At another instance, I get only the domain DC computer in the search result which is unexpected.

Why am I getting inconsistent search results even though the same client code is executed every time?

Also, if I bind to the global catalog port 3268 instead of 389 in the client code, I consistently get both the domain DC computer and the subdomain DC computer in the search result. Also, if I perform the same search using the Microsoft-provided AD search tool called "ldp" with the same search parameters on port 389, I consistently get both the domain DC computer and the subdomain DC computer in the search result.

I am very confused and stuck up. Please help urgently. Any kind of help would be appreciated.

Regards,
Sanjay

CODE SNIPPET:
===========
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.logging.Level;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsResponse;

// DCQueryResults, ExceptionHandler, logger, makeSearchDomainBaseName,
// makeServerName and isSubTreeEntry are defined elsewhere in the project.
private static DCQueryResults getServersInternal(String domainController, int portDC,
        String certLocation, String certPass, String domainName, String loginName,
        String password, boolean walkThrough, boolean isSSL, boolean isTest) {

    DCQueryResults results = new DCQueryResults();
    ArrayList<String> svrList = new ArrayList<String>();
    Hashtable<String, String> envDC = new Hashtable<String, String>();
    LdapContext ctxDC = null;
    // StartTLS is declared here but never negotiated in this method, so tls stays null
    // and the close() in the finally block is never reached.
    StartTlsResponse tls = null;

    try {
        /* use the AD "userPrincipalName" attribute, i.e. loginName@domainName, for the LDAP bind
         * so that the user object can be located in any container in the AD tree */
        String adminName = loginName + "@" + domainName;
        String adminPassword = password;
        String urlDC = "ldap://" + domainController + ":" + portDC;

        if (isSSL) {
            System.setProperty("javax.net.ssl.trustStore", certLocation);
            System.setProperty("javax.net.ssl.trustStorePassword", certPass);
            // specify use of ssl
            envDC.put(Context.SECURITY_PROTOCOL, "ssl");
        }
        envDC.put(Context.SECURITY_AUTHENTICATION, "simple");
        envDC.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");

        // set security credentials; note: simple authentication sends the password
        // in cleartext unless isSSL is set
        envDC.put(Context.SECURITY_PRINCIPAL, adminName);
        envDC.put(Context.SECURITY_CREDENTIALS, adminPassword);
        envDC.put(Context.PROVIDER_URL, urlDC);

        // We need to chase referrals when retrieving attributes from the DC
        // as the object may be in a different domain
        envDC.put(Context.REFERRAL, "follow");

        ctxDC = new InitialLdapContext(envDC, null);

        // Create the search controls
        SearchControls searchCtls = new SearchControls();
        if (isTest) {
            searchCtls.setCountLimit(1); // for a connectivity test one entry is sufficient
        }

        // Specify the attributes to return
        String[] returnedAtts = {"dNSHostName", "cn", "networkAddress"};
        searchCtls.setReturningAttributes(returnedAtts);
        searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

        // specify the LDAP search filter
        String searchFilter = "(objectClass=computer)";

        // Specify the base for the search
        String searchBase = makeSearchDomainBaseName(domainName);

        // initialize counter to total the results
        int totalResults = 0;

        NamingEnumeration<SearchResult> answer = ctxDC.search(searchBase, searchFilter, searchCtls);

        // Loop through the search results. hasMore() is used instead of hasMoreElements():
        // hasMoreElements() returns false when a NamingException occurs (for example when the
        // referral to the subdomain cannot be followed), which silently truncates the result
        // to the entries received so far; hasMore() throws, so the failure is logged below.
        while (answer.hasMore()) {
            SearchResult sr = answer.next();
            totalResults++;

            // Now retrieve attributes from the DC. This is a second round trip per entry; for an
            // entry reached through a referral the DN lies in the other domain, so this lookup
            // through the original context has to chase the referral again.
            Attributes DCattrs = ctxDC.getAttributes(sr.getNameInNamespace());

            try {
                logger.log(Level.FINEST, "   DNS-Name :" + " Common-Name :" + DCattrs.get("cn").get() + " Network-Name : ");
                //logger.log(Level.FINEST, "   DNS-Name :" + DCattrs.get("name").get());
            } catch (NullPointerException e) {
                logger.log(Level.SEVERE, "Problem listing attributes from Domain Controller: " + e);
                throw e;
            }

            if (!walkThrough) {
                if (!isSubTreeEntry(makeServerName(sr.getNameInNamespace()), domainName))
                    svrList.add(makeServerName(sr.getNameInNamespace()));
            } else {
                svrList.add(makeServerName(sr.getNameInNamespace()));
            }
        }

        logger.log(Level.FINEST, "Total results: " + totalResults);

    } catch (Exception e) {
        logger.log(Level.SEVERE, "Problem searching DomainController directory: " + e.toString());
        ExceptionHandler.handle(logger, e);
        svrList = null;
        results.setIsException(true);
        results.setExcMsg(e.toString());
    } finally {
        try {
            if (ctxDC != null)
                ctxDC.close();
            if (isSSL && tls != null)
                tls.close();
        } catch (Exception e) {
            // Don't need to do anything other than logging.
            logger.log(Level.SEVERE, "Problem closing the DomainController context references: " + e.toString());
            ExceptionHandler.handle(logger, e);
        }
    }
    results.setSvrList(svrList);

    return results;
}
               
Edited by: 809814 on Nov 11, 2010 2:52 AM

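An added example, not the poster's code, showing the same cross-domain computer search with Context.REFERRAL set to "throw" instead of "follow": every referral AD returns for the subdomain is surfaced as a ReferralException, so a failure to reach the subdomain DC cannot be swallowed, and the bind credentials are only re-sent to a referral target whose host lies inside the expected forest DNS suffix. It assumes a reachable DC (the providerUrl can also be the global catalog, e.g. ldap://dc:3268) and the class and method names are my own; getReferralInfo() is the referral URL string for the JNDI LDAP provider.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.InitialLdapContext;

public class ReferralAwareComputerSearch {
    // True only when the referral URL (ldap://host[:port]/DN) names a host inside the expected forest.
    static boolean trustedReferral(Object referralInfo, String forestDnsSuffix) {
        String host = String.valueOf(referralInfo).replaceFirst("^ldaps?://", "").split("[/:]")[0];
        return host.equalsIgnoreCase(forestDnsSuffix) || host.toLowerCase().endsWith("." + forestDnsSuffix.toLowerCase());
    }

    public static void listComputers(String providerUrl, String upn, String password,
                                     String searchBase, String forestDnsSuffix) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, upn);        // userPrincipalName bind, as in the post
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(Context.REFERRAL, "throw");              // surface each referral instead of chasing it blindly
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        ctls.setReturningAttributes(new String[] {"dNSHostName", "cn"});
        DirContext ctx = new InitialLdapContext(env, null);
        String base = searchBase;                        // a referral context is already rooted at the referred DN
        try {
            while (true) {
                try {
                    NamingEnumeration<SearchResult> answer = ctx.search(base, "(objectClass=computer)", ctls);
                    while (answer.hasMore()) {           // hasMore() throws on failure; hasMoreElements() would hide it
                        SearchResult sr = answer.next(); // requested attributes arrive with the entry: no extra lookup
                        System.out.println(sr.getNameInNamespace() + " " + sr.getAttributes().get("dNSHostName"));
                    }
                    break;                               // enumeration ended with no pending referral
                } catch (ReferralException re) {
                    boolean follow;
                    do {                                 // walk the referral list, discarding foreign targets
                        follow = trustedReferral(re.getReferralInfo(), forestDnsSuffix);
                    } while (!follow && re.skipReferral());
                    if (!follow) break;
                    ctx = (DirContext) re.getReferralContext();  // binds to the referred DC with the same credentials
                    base = "";
                }
            }
        } finally {
            ctx.close();
        }
    }
}
```

Run with listComputers("ldap://<dc-host>:389", "user@ohm-ad.novell.com", "<password>", "dc=ohm-ad,dc=novell,dc=com", "ohm-ad.novell.com"); if the subdomain referral cannot be followed, the NamingException now reaches the caller instead of producing a shorter result list.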
