Question

I have a service that connects to Active Directory via Spring-LDAP. When a call is made to create a new user and then a separate call is made to search for that user immediately after, the search fails sometimes with a no-object-found error.

This appears to be related to replication since the same search works only a few moments later. Note, these are two separate requests and as such cannot be guaranteed to use the same physical connection from the pool.

What are my options to solve this? Is AD not smart enough to query other servers if it can't find a local copy of an object?


Solution

LDAP clients should never add or modify an entry and then read the added or modified entry back immediately because of the eventual consistency model of replication (and who knows what Active Directory does). The correct procedure is to add the post read request control to the add or modify request. For details see LDAP: Programming Practices.
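The post-read control described above, as an added example that is not the poster's or Spring-LDAP's own code: it uses the UnboundID LDAP SDK instead of Spring-LDAP, because that SDK exposes request and response controls directly. The host, bind DN and entry DN are placeholders, and the code first checks the root DSE for the control's OID, since a directory that does not advertise it (as may be the case with Active Directory) will not return the post-read entry, in which case the same-DC strategy in the other answer is the fallback.

```java
import com.unboundid.ldap.sdk.AddRequest;
import com.unboundid.ldap.sdk.Attribute;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPResult;
import com.unboundid.ldap.sdk.ReadOnlyEntry;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.RootDSE;
import com.unboundid.ldap.sdk.controls.PostReadRequestControl;
import com.unboundid.ldap.sdk.controls.PostReadResponseControl;

public class AddWithPostRead {

    // Adds the entry and returns the server's own copy of it from the same
    // operation, so no second search (possibly against another DC) is needed.
    public static ReadOnlyEntry addAndReadBack(LDAPConnection conn, String dn,
                                               Attribute... attrs) throws LDAPException {
        // RFC 4527 post-read control OID: 1.3.6.1.1.13.2. Refuse to proceed
        // if the server does not list it in supportedControl.
        RootDSE rootDSE = conn.getRootDSE();
        if (rootDSE == null
                || !rootDSE.supportsControl(PostReadRequestControl.POST_READ_REQUEST_OID)) {
            throw new LDAPException(ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
                    "Server does not advertise the post-read control");
        }

        AddRequest add = new AddRequest(dn, attrs);
        // Ask for these attributes of the entry as it exists right after the add.
        add.addControl(new PostReadRequestControl("cn", "objectGUID", "whenCreated"));

        LDAPResult result = conn.add(add);
        PostReadResponseControl resp = PostReadResponseControl.get(result);
        if (resp == null) {
            throw new LDAPException(ResultCode.CONTROL_NOT_FOUND,
                    "Add succeeded but no post-read response control was returned");
        }
        return resp.getEntry();
    }

    public static void main(String[] args) throws LDAPException {
        // Placeholder host and credentials (hypothetical values).
        try (LDAPConnection conn = new LDAPConnection("dc01.example.test", 389,
                "CN=svc-provision,OU=Service,DC=example,DC=test", "REPLACE_ME")) {
            ReadOnlyEntry created = addAndReadBack(conn,
                    "CN=jdoe,OU=Users,DC=example,DC=test",
                    new Attribute("objectClass", "top", "person", "organizationalPerson", "user"),
                    new Attribute("cn", "jdoe"),
                    new Attribute("sAMAccountName", "jdoe"));
            System.out.println("Created: " + created.getDN()
                    + " at " + created.getAttributeValue("whenCreated"));
        }
    }
}
```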

Other tips

As was commented on above, replication latency is problematic for apps that assume write-then-read consistency sorts of guarantees. Typically folks deal with this in one of a few ways:

0) Increase the speed of replication. This is "tunable" by you. While it can't ever get to 0, you can make it order-seconds.

1) Change the app to do a write on a deterministic DC and then do the read from the same place. You will get write-then-read consistency on the same DC, it is x-DC reads that are problematic.

2) Change the app to not do this at all. :)

Obviously you can use a combo of strategies as well...

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow