--On Friday, May 15, 2015 3:51 PM -0500 Tim Mooney <Tim.Mooney@ndsu.edu> wrote:
In regard to: RE: debugging, Quanah Gibson-Mount said (at 11:13am on May...:
--On Wednesday, May 13, 2015 6:24 PM +0000 Craig White <CWhite@skytouchtechnology.com> wrote:
The above log line clearly indicates the client issued a search using a base of cn=accesslog. This would be a bug in the java code.
----
Thanks - that was valuable. Despite all configuration to JNDI which says where to search, the application is choosing to search 'cn=accesslog' - that was what we needed to know.
Using JNDI for LDAP is a very, very bad idea.
On this, I'll take your word and Howard's second as "gospel".
For my own edification and possibly the benefit of the archives, though, can you go into the reasons *why* it's a bad idea? I'm not a Java developer but I have some down the hall from me, so I would like to be able to back up "it's a very, very bad idea" with more than just "because Quanah and Howard say so". That's enough for me, but not for some.
Our Java developers are apparently using something called "ldaptive" from Virginia Tech, which defaults to using JNDI but can actually sit on top of the Unbound ID SDK or possibly others.
Years of experience of using JNDI and dealing with its multitude of bugs and the fact the LDAP portion of JNDI is generally unmaintained. The developers who worked on it left Sun/Oracle and went and created UnboundID, but did it from scratch and were able to fix the many deficiencies in JNDI's ldap bits.
see also: http://www.sfu.ca/~hillman/zimbra-hied-admins/msg00458.html
for a bug that's *years* old and remains unfixed.
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration