
RE: back-ldap problem with Win2000 Active Directory



I replied to the wrong email before. Just to clarify, the patch I checked in is
only to address the issue of mapping the error codes that back-ldap sends.

The other problem in this thread has to do with how the referral processing code
handles referral URLs. I've looked thru libldap and note that the V2 referral
processing code doesn't do complete processing of URLs. (Note comment on line
841 of libldap/request.c...)

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of Howard Chu
> Sent: Monday, October 23, 2000 4:41 AM
> To: Kurt D. Zeilenga; Bertrand Croq
> Cc: openldap-bugs@OpenLDAP.org
> Subject: RE: back-ldap problem with Win2000 Active Directory
>
>
> I didn't find this in the ITS database, but anyway, I've checked in a fix, see
> the attached email. Please try it out and let me know if there are any problems
> with this patch.
>
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>
> > -----Original Message-----
> > From: owner-openldap-bugs@OpenLDAP.org
> > [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of Kurt D. Zeilenga
> > Sent: Thursday, October 19, 2000 3:40 PM
> > To: Bertrand Croq
> > Cc: openldap-bugs@OpenLDAP.org
> > Subject: Re: back-ldap problem with Win2000 Active Directory
> >
> >
> > At 06:50 PM 10/19/00 +0200, Bertrand Croq wrote:
> > >Hi,
> > >  we are currently using slapd with back-ldap to connect to an Active
> > >Directory LDAP server:
> > >
> > > client <--> slapd
> > >               ^
> > >               |
> > >               v
> > >           back-ldap <--> Active Directory
> > >
> > >  When doing some simple searches (ldapsearch -s one "uid=toto"),
> > >back-ldap crashes with the following message:
> > >
> > >slapd: result.c:518: send_search_result: Assertion `!(((0x51) <= (( err
> > >))) && ((( err )) <= (0x61)))' failed.
> >
> > Likely same issue as ITS#831  <http://www.openldap.org/its/?findid=831>
> >
> > >  After some debug, it appears that AD sends some non-standard messages;
> > >in response to the search request, back-ldap gets the following message
> > >(captured with Ethereal):
> > >
> > >Search Result:
> > > Result code: 0x09
> > > Matched DN: (null)
> > > Error message: Referral:
> > >ldap://thehost.com/CN=Configuration,DC=thehost,DC=com??base
> > >
> > >  The result code of 9 is not valid (it is written to be reserved in
> > >RFC2251) but OpenLDAP seems to understand that it is a referral.
> >
> > That's an LDAPv2+ referral (which is not documented by any RFC).
> >
> > >The problem is that the URL of the referral is not well parsed; in response
> > >to this search result, back-ldap sends another search request to the AD:
> > >
> > >Search Request:
> > > Base DN: CN=Configuration,DC=thehost,DC=com??base
> > > Scope: Single
> > > ...
> > >
> > >  There shouldn't be "??base" in the base DN and the scope should be
> > >"base".
> >
> > I don't recall LDAPv2+ supporting scope specifiers.  "??base" likely
> > would confuse most LDAPv2+ implementations.  But we likely allow
> > such.  We have another ITS to address a related issue for LDAPv3
> > referrals (ITS#818).
> >
> > >Then AD replies with another result code 9 search result but
> > >with a referral to "thehost.com??base" which leads to the slapd crash.
> >
> > Just "thehost.com??base" or "ldap://thehost.com??base".
> > Both are, of course, invalid... but we shouldn't crash on
> > either.
> >
> > But I note that the above crash is likely not related to
> > referral handling, but unknown authentication method issues.
> >
> > I suggest you apply the patch noted in the above ITS and
> > retry.  If you again crash, provide a stack trace back.
> >
> > Also, in regards to referral handling issues, can you repeat
> > the errors using just ldapsearch -C and AD?  I'd rather eliminate
> > slapd from this issue if possible.
> >
>
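The URL-splitting problem discussed in this thread, as an added illustration that is not OpenLDAP's own code: `split_dn_naively` is a hypothetical stand-in for the symptom (everything after the third slash treated as the base DN, which is how "??base" ends up in the search request), while `parse_ldap_url` splits the URL on the RFC 2255 layout `ldap://host[:port]/dn?attrs?scope?filter?exts` and rejects the two malformed referrals Kurt lists instead of chasing them.

```python
from urllib.parse import unquote

# RFC 2255 scope keywords; an empty scope field means "base".
SCOPES = {"": "base", "base": "base", "one": "one", "sub": "sub"}


def split_dn_naively(url):
    """Hypothetical buggy behaviour: take everything after 'scheme://host/' as the DN."""
    return url.split("/", 3)[-1]


def parse_ldap_url(url):
    """Split an LDAP URL into its components; raise ValueError on malformed input."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("missing or unsupported scheme: %r" % url)
    hostport, _, tail = rest.partition("/")
    if "?" in hostport:
        # e.g. "ldap://thehost.com??base": the '/' separating host and DN is missing
        raise ValueError("'?' in host part, DN separator missing: %r" % url)
    host, _, port = hostport.partition(":")
    fields = tail.split("?", 4) if tail else [""]
    fields += [""] * (5 - len(fields))          # pad to dn, attrs, scope, filter, exts
    dn, attrs, scope, filt, exts = fields
    if scope.lower() not in SCOPES:
        raise ValueError("bad scope %r in %r" % (scope, url))
    return {
        "scheme": scheme.lower(),
        "host": host,
        "port": int(port) if port else (636 if scheme.lower() == "ldaps" else 389),
        "dn": unquote(dn),
        "attrs": [a for a in attrs.split(",") if a],
        "scope": SCOPES[scope.lower()],
        "filter": unquote(filt) if filt else "(objectClass=*)",
        "extensions": [e for e in exts.split(",") if e],
    }


def is_valid_ldap_url(url):
    """True if parse_ldap_url accepts the URL, False if it raises ValueError."""
    try:
        parse_ldap_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Referral URL constructed from the Ethereal capture quoted in the thread.
    ref = "ldap://thehost.com/CN=Configuration,DC=thehost,DC=com??base"
    print("naive DN:", split_dn_naively(ref))
    print("parsed  :", parse_ldap_url(ref))
    for bad in ("thehost.com??base", "ldap://thehost.com??base"):
        print(bad, "->", "accepted" if is_valid_ldap_url(bad) else "rejected")
```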