I'm having the following problem with LDAP authentication:
2006.01.06 12:13:30 Connect Socket[addr=/10.2.43.219,port=1094,localport=5222]
2006.01.06 12:13:31 Trying to find a user's DN based on their username. cn: cgephart, Base DN: o=mc…
2006.01.06 12:13:31 Creating a DirContext in LdapManager.getContext()…
2006.01.06 12:13:31 Created hashtable with context values, attempting to create context…
2006.01.06 12:13:31 … context created successfully, returning.
2006.01.06 12:13:31 Starting LDAP search…
2006.01.06 12:13:31 … search finished
2006.01.06 12:13:31 Search for userDN based on username 'cgephart' found multiple responses, throwing exception.
2006.01.06 12:13:31 Exception thrown when searching for userDN based on username 'cgephart'
org.jivesoftware.messenger.user.UserNotFoundException: LDAP username lookup for cgephart matched multiple entries.
…
Presumably it's matching "multiple entries" because there is an alias entry in LDAP pointing to his account entry. So the search returns two results, one for the alias entry and one for the account entry.
Changing the filter has not helped. It appears Java is doing an LDAP query with the "dereference aliases" option set to "always", so the filter is applied to the alias object after it's been dereferenced to the account object. Packet sniffing has shown the LDAP server responding with two copies of the same LDAP entry.
The Java “dereference aliases” behavior is described here:
http://java.sun.com/products/jndi/tutorial/ldap/misc/aliases.html
I have tried to add the following to my /opt/jive_messenger/bin/messenger.vmoptions file:
-Djava.naming.ldap.derefAliases=never
but it doesn't seem to make a difference.
Any other ideas?
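As an added illustration (not code from the post or from Jive Messenger), the block below shows the two things a username-to-DN lookup can do about this situation: set the JNDI "java.naming.ldap.derefAliases" property to "never" in the environment Hashtable handed to InitialDirContext, which is how the linked JNDI tutorial configures alias handling, and collapse the returned results to distinct DNs before deciding that a username is ambiguous, so two wire copies of the same entry do not count as two users while two genuinely different entries still do. The provider URL, bind DN, password, base DN and the sample SearchResult objects in main() are constructed placeholders; only main(), which touches no server, runs offline.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapUserDnLookup {

    /** Builds the JNDI environment. derefAliases is a per-context environment property. */
    static Hashtable<String, String> buildEnvironment(String providerUrl, String bindDn, String bindPassword) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        // Evaluate alias entries as themselves during the search instead of
        // dereferencing them, so an alias is not returned as a second copy of
        // the account entry it points to.
        env.put("java.naming.ldap.derefAliases", "never");
        return env;
    }

    /** Collapses search results to their distinct DNs, preserving first-seen order. */
    static List<String> distinctDns(List<SearchResult> results) {
        Set<String> dns = new LinkedHashSet<>();
        for (SearchResult r : results) {
            dns.add(r.getNameInNamespace());
        }
        return new ArrayList<>(dns);
    }

    /** Resolves one username to exactly one DN and refuses ambiguity rather than guessing. */
    static String lookupUserDn(Hashtable<String, String> env, String baseDn, String username)
            throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[0]); // the DN is all we need
        // The username is passed as a filter argument so JNDI escapes it,
        // rather than being concatenated into the filter string.
        String filter = "(cn={0})";
        DirContext ctx = new InitialDirContext(env);
        try {
            NamingEnumeration<SearchResult> answer =
                    ctx.search(baseDn, filter, new Object[] { username }, controls);
            List<SearchResult> results = new ArrayList<>();
            while (answer.hasMore()) {
                results.add(answer.next());
            }
            List<String> dns = distinctDns(results);
            if (dns.isEmpty()) {
                throw new NamingException("no entry for username " + username);
            }
            if (dns.size() > 1) {
                throw new NamingException("username " + username + " matched "
                        + dns.size() + " distinct entries: " + dns);
            }
            return dns.get(0);
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) {
        // Constructed results standing in for the two copies of one entry seen on the wire.
        SearchResult first = new SearchResult("cn=cgephart,ou=people", null, new BasicAttributes());
        first.setNameInNamespace("cn=cgephart,ou=people,o=example"); // placeholder base DN
        SearchResult second = new SearchResult("cn=cgephart,ou=people", null, new BasicAttributes());
        second.setNameInNamespace("cn=cgephart,ou=people,o=example");
        List<SearchResult> results = new ArrayList<>();
        results.add(first);
        results.add(second);
        System.out.println("distinct DNs among two copies of one entry: " + distinctDns(results));

        // A second, different entry with the same cn is still a real ambiguity.
        SearchResult other = new SearchResult("cn=cgephart,ou=contractors", null, new BasicAttributes());
        other.setNameInNamespace("cn=cgephart,ou=contractors,o=example");
        results.add(other);
        System.out.println("distinct DNs with a genuine duplicate: " + distinctDns(results));
    }
}
```

Comparing DNs rather than counting raw results is the defensive choice here: it tolerates a server that echoes the same entry twice without weakening the check against two different accounts that share a cn, which is the case the original "multiple entries" exception exists to catch.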