The wording on this issue seems to suggest we want to add a third option to the "Follow Referral" setting, but I don't think this is necessary.

All you want to do is make the current "Don't follow" option not throw an error if there are referrals to possibly follow.
This option should quietly ignore the referrals.

Note that this significantly reduces the amount of work required because no UI changes are needed.

If you hit into PartialResultExceptions after upgrading to Confluence 3.5.x, please refer to this kb article: http://confluence.atlassian.com/display/CONFKB/PartialResultException+After+Upgrading+to+Confluence+3.5

A small change could solve this as David Yu commented. If crowd observed the -Djava.naming.referral=ignore then instead of throwing an error in the logs and stopping, crowd would continue its work with the results it has.

Hi Aaron,

There's three options that I can think of for this:

1. Disable referrals. If you use the AD Global Catalog, then you probably won't need to use referrals. The Global Catalog is Read-Only though.
2. Connect using an account that has browse permission on all DCs, meaning the referral can be followed and no error is thrown.
3. Change the security on the referral objects so that the account Crowd is using to connect to AD cannot see them. Then Crowd won't attempt to follow the referral and throw an exception.

Cheers,
Dave O'Flynn.

David, can you tell me if there is a way to implement that workaround in a crowd install?

I get the same problem with AD and Crowd 2.0.4.
Are there some risks on permissions? We have just started evaluating CROWD and this may be a showstopper.
Gilles

I did some further tests on this problem against AD + 1.6 and some google searching.

If we uncheck Use Node Referrals, it seems Crowd still errors out on PartialResultExceptions. I also had a customer test this out with AD.

Also worth noting is the following in the JavaDocs from Spring LdapTemplate:

Note for Active Directory (AD) users: AD servers are apparently unable to handle referrals automatically, which causes a PartialResultException to be thrown whenever a referral is encountered in a search. To avoid this, set the ignorePartialResultException property to true. There is currently no way of manually handling these referrals in the form of ReferralException, i.e. either you get the exception (and your results are lost) or all referrals are ignored (if the server is unable to handle them properly. Neither is there any simple way to get notified that a PartialResultException has been ignored (other than in the log).

Setting -Djava.naming.referral=ignore seems to have no effect, similar to other experiences with other users. But some googling on how to ignore referrals in Spring LDAP lead to this suggestion ( ldapTemplate.setIgnorePartialResultException(true) ) which does appear to work! No more PartialResultExceptions with this enabled.

May be worth investigating further and do some network monitoring to ensure it's really not following referrals.

It appears this issue may be limited to AD only, and from all the support issues linked, they were all AD.