[Date Prev][Date Next]
Re: back-ldap problem with Win2000 Active Directory
"Kurt D. Zeilenga" wrote:
> At 06:50 PM 10/19/00 +0200, Bertrand Croq wrote:
> > we are currently using slapd with back-ldap to connect to an Active
> >Directory LDAP server:
> > client <--> sldap
> > ^
> > |
> > v
> > back-ldap <--> Active Directory
> > When doing some simple searches (ldapsearch -s one "uid=toto"),
> >back-ldap crashes with the following message:
> >slapd: result.c:518: send_search_result: Assertion `!(((0x51) <= (( err
> >))) && ((( err )) <= (0x61)))' failed.
> Likely same issue as ITS#831 <http://www.openldap.org/its/?findid=831>
> > After some debug, it appears that AD sends some non-standard messages;
> >in response to the search request, back-ldap gets the following message
> >(captured with Ethereal):
> >Search Result:
> > Result code: 0x09
> > Matched DN: (null)
> > Error message: Referral:
> > The result code of 9 is not valid (it is written to be reserved in
> >RFC2251) but OpenLDAP seems to understand that it is a referal.
> That's an LDAPv2+ referral (which is not documented by any RFC).
> >The problem is that the URL of the referal is not well parsed; in response
> >to this search result, back-ldap sends another search request to the AD:
> >Search Request:
> > Base DN: CN=Configuration,DC=thehost,DC=com??base
> > Scope: Single
> > ...
> > There shouldn't be "??base" in the base DN and the scope should be
> I don't recall LDAPv2+ support scope specifiers. "??base" likely
> would confuse most LDAPv2+ implementations. But we likely allow
> such. We have another ITS to address a related issue for LDAPv3
> referrals (ITS#818).
> >Then AD replies with another result code 9 search result but
> >with a referal to "thehost.com??base" which leads to the slapd crash.
> Just "thehost.com??base" or "ldap://thehost.com??base".
> Both are, of course, in valid... but we shouldn't crash on
The complete referal is
I will try the fix in ITS#831 but I don't think this is a bind problem:
I have added the following printf in back-ldap/search.c (in the
ldap_back_search() function) :
sres = ldap_result2error(lc->ld, res, 1);
fprintf(stderr, "error value: \"%s\"\n", ldap_err2string(sres));
ldap_get_option(lc->ld, LDAP_OPT_ERROR_STRING, &err);
ldap_get_option(lc->ld, LDAP_OPT_MATCHED_DN, &match);
rc = 0;
and the output of slapd is:
error value: "Can't contact LDAP server"
slapd: result.c:518: send_search_result: Assertion `!(((0x51) <= (( err
))) && ((( err )) <= (0x61)))' failed.
> But I note that the above crash is likely not related to
> referral handling, but unknown authentication method issues.
> I suggest you apply the patch noted in the above ITS and
> retry. If you again crash, provide a stack trace back.
> Also, in regards to referral handing issues, can you repeat
> the errors using just ldapsearch -C and AD? I rather eliminate
> slapd from this issue if possible.
I don't know what the -C option does, but I have tried to contact the AD
directly with "ldapsearch -h thehost -b 'dc=thehost,dc=com'" and here
are the results: I get some values (everything is correct), and it
# search reference
# search result
result: 0 Success
# numResponses: 11
# numEntries: 9
# numReferences: 1
With Ethereal, I can see that the first message from the client is a
bind, the second is a search request and the third is an unbind; it
looks like the referal is not followed.
Bertrand Croq - VIRTUAL NET (http://www.virtual-net.fr)
80, avenue des Buttes de Coesmes - 35700 RENNES
tel: +33 2 23 21 06 30 - fax: +33 2 99 38 16 85