How to disable LDAP referrals ?

Discussion created by Sagi_Gabay Employee on Dec 26, 2012
Latest reply on Dec 26, 2012 by Chris_Hackett

LDAP referrals are an indication to a client that the LDAP server does not have a copy of the requested object. It is not recommended to disable them. However, if in need then you can configure the Directory xml file to disable the LDAP referrals.

An LDAP referral is a domain controller's way of indicating to a client appliatino that it does not have a copy of a requested object (or, more precisely that it does not hold the section of the directory tree where that object would be, if in fact it exists) and giving the client a location that is more likely to hold the object, which the client uses as the basis for a DNS search for a domain controller. Ideally, referrals always reference a domain controller that indeed holds the object. However, it is possible for the referred-to-domain controller to generate yet another referral, although it usually does not take long to discover that the object does not exist and to inform the client. Active Directory returns referrals in accordance with RFC 2251.

When referrals are active (by default) in Identity Manager then you can see an indication in the app server log file such as:

WARN [ims.tmt.EnvironmentService] * Starting environment: IHG APAC
DEBUG [] Attemtping to set group types from linked data
DEBUG [] Attempting to set self-subscribing behavior from linked data
DEBUG [] Attempting to determine vendor type
DEBUG [] BaseDN: DC=Apac,DC=Corp,DC=Local
DEBUG [] protocol: ldap
DEBUG [] url: ldap://<SERVER>:636
DEBUG [] UserDN: CN=GlobalSiteMinder,OU=ServiceAccounts,OU=Directory Access Security Control,DC=Corp,DC=Local
DEBUG [] refType = follow
DEBUG [] aliasType: searching
DEBUG [] extraProp: [com.sun.jndk.ldap.connect.pool]=[true]
DEBUG [] extraProp: []=[simple]
DEBUG [] extraProp: []=[ssl]
DEBUG [] extraProp: [java.naming.referral]=[follow]
There still could be reasons to disable the LDAP referrals. One of them could be if not all of the domain controllers are SSL enabled. AD automatically sends a referral to "domaindnszones.<domainname>" even when it isn't necessary, and then often the LDAP connection fails because the particular domain controller that this name resolves to may not have SSL enabled.

To disable LDAP referrals for Identity Manager directory object you need to add an extra property in the directory xml to override as follows (this section should appear right after Managed Objects declarations in the file):

<Property name="java.naming.referral">&</Property>

This information is also available as tech doc 583802 on CA's support web site:


Sagi Gabay,
CA Technologies.