
Re: back-ldap problem with Win2000 Active Directory



"Kurt D. Zeilenga" wrote:
> 
> At 06:50 PM 10/19/00 +0200, Bertrand Croq wrote:
> >Hi,
> >  we are currently using slapd with back-ldap to connect to an Active
> >Directory LDAP server:
> >
> > client <--> slapd
> >               ^
> >               |
> >               v
> >           back-ldap <--> Active Directory
> >
> >  When doing some simple searches (ldapsearch -s one "uid=toto"),
> >back-ldap crashes with the following message:
> >
> >slapd: result.c:518: send_search_result: Assertion `!(((0x51) <= (( err
> >))) && ((( err )) <= (0x61)))' failed.
> 
> Likely same issue as ITS#831  <http://www.openldap.org/its/?findid=831>
> 
> >  After some debug, it appears that AD sends some non-standard messages;
> >in response to the search request, back-ldap gets the following message
> >(captured with Ethereal):
> >
> >Search Result:
> > Result code: 0x09
> > Matched DN: (null)
> > Error message: Referral:
> >ldap://thehost.com/CN=Configuration,DC=thehost,DC=com??base
> >
> >  The result code of 9 is not valid (it is written to be reserved in
> >RFC2251) but OpenLDAP seems to understand that it is a referral.
> 
> That's an LDAPv2+ referral (which is not documented by any RFC).
> 
> >The problem is that the URL of the referral is not well parsed; in response
> >to this search result, back-ldap sends another search request to the AD:
> >
> >Search Request:
> > Base DN: CN=Configuration,DC=thehost,DC=com??base
> > Scope: Single
> > ...
> >
> >  There shouldn't be "??base" in the base DN and the scope should be
> >"base".
> 
> I don't recall LDAPv2+ support scope specifiers.  "??base" likely
> would confuse most LDAPv2+ implementations.  But we likely allow
> such.  We have another ITS to address a related issue for LDAPv3
> referrals (ITS#818).
> 
> >Then AD replies with another result code 9 search result but
> >with a referral to "thehost.com??base" which leads to the slapd crash.
> 
> Just "thehost.com??base" or "ldap://thehost.com??base".
> Both are, of course, invalid... but we shouldn't crash on
> either.

The complete referral is
"ldap://thehost.com??base/CN=Configuration,DC=thehost,DC=com%3F%3Fbase"

I will try the fix in ITS#831 but I don't think this is a bind problem:
I have added the following printf in back-ldap/search.c (in the
ldap_back_search() function):

...
  sres = ldap_result2error(lc->ld, res, 1);

  fprintf(stderr, "error value: \"%s\"\n", ldap_err2string(sres));

  ldap_get_option(lc->ld, LDAP_OPT_ERROR_STRING, &err);
  ldap_get_option(lc->ld, LDAP_OPT_MATCHED_DN, &match);
  rc = 0;
...

and the output of slapd is:

error value: "Can't contact LDAP server"
slapd: result.c:518: send_search_result: Assertion `!(((0x51) <= (( err
))) && ((( err )) <= (0x61)))' failed.
Aborted

> But I note that the above crash is likely not related to
> referral handling, but unknown authentication method issues.
> 
> I suggest you apply the patch noted in the above ITS and
> retry.  If you again crash, provide a stack trace back.
> 
> Also, in regards to referral handing issues, can you repeat
> the errors using just ldapsearch -C and AD?  I rather eliminate
> slapd from this issue if possible.

I don't know what the -C option does, but I have tried to contact the AD
directly with "ldapsearch -h thehost -b 'dc=thehost,dc=com'" and here
are the results: I get some values (everything is correct), and it
finished with:

# search reference
ref: ldap://thehost.com/CN=Configuration,DC=thehost,DC=com??base

# search result
search: 2
result: 0 Success

# numResponses: 11
# numEntries: 9
# numReferences: 1

  With Ethereal, I can see that the first message from the client is a
bind, the second is a search request and the third is an unbind; it
looks like the referral is not followed.
-- 
Bertrand Croq - VIRTUAL NET (http://www.virtual-net.fr)
80, avenue des Buttes de Coesmes - 35700 RENNES
tel: +33 2 23 21 06 30 - fax: +33 2 99 38 16 85
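The mis-parse discussed in this thread (a base DN of "CN=Configuration,DC=thehost,DC=com??base" instead of a DN of "CN=Configuration,DC=thehost,DC=com" with scope "base") is what happens when everything after the host is taken as the DN rather than split on "?" as RFC 2255 requires. The following is an added, stand-alone C example, not OpenLDAP or back-ldap code, that parses an LDAP URL into its hostport, dn, attributes, scope, filter and extensions, percent-decodes the DN, and rejects a "?" inside the hostport, which is why the two "thehost.com??base" forms quoted above are reported as malformed rather than acted on. The structure name, function names and the buffer sizes are this example's own choices.

```c
/* RFC 2255 LDAP URL parsing applied to the referrals quoted in this thread.
 * Constructed example; not OpenLDAP code.
 *   ldap://hostport/dn?attributes?scope?filter?extensions
 * Everything after hostport is optional, but it MUST be introduced by "/",
 * so a "?" inside hostport makes the URL malformed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char host[256];
    int  port;         /* 389 when omitted */
    char dn[512];      /* percent-decoded */
    char attrs[256];
    char scope[8];     /* "base", "one" or "sub"; "base" when omitted */
    char filter[256];
    char exts[256];
} ldap_url_t;

/* Percent-decode len bytes of src into dst (capacity n); -1 on bad escape or overflow. */
static int pct_decode(const char *src, size_t len, char *dst, size_t n)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        if (o + 1 >= n)
            return -1;
        if (src[i] == '%') {
            if (i + 2 >= len || !isxdigit((unsigned char)src[i + 1]) ||
                !isxdigit((unsigned char)src[i + 2]))
                return -1;
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            dst[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else {
            dst[o++] = src[i];
        }
    }
    dst[o] = '\0';
    return 0;
}

/* Parse url into out. Returns 0 on success, -1 if the URL is malformed. */
int ldap_url_parse(const char *url, ldap_url_t *out)
{
    memset(out, 0, sizeof *out);
    out->port = 389;
    strcpy(out->scope, "base");
    if (strncmp(url, "ldap://", 7) != 0)
        return -1;
    const char *p = url + 7;

    /* hostport ends at the first "/" (or end of string) and may not contain "?" */
    const char *slash = strchr(p, '/');
    const char *hend = slash ? slash : p + strlen(p);
    if (hend == p || memchr(p, '?', (size_t)(hend - p)))
        return -1;
    const char *colon = memchr(p, ':', (size_t)(hend - p));
    size_t hlen = (size_t)((colon ? colon : hend) - p);
    if (hlen >= sizeof out->host)
        return -1;
    memcpy(out->host, p, hlen);
    out->host[hlen] = '\0';
    if (colon) {
        char *end;
        long port = strtol(colon + 1, &end, 10);
        if (end != hend || port <= 0 || port > 65535)
            return -1;
        out->port = (int)port;
    }
    if (!slash)
        return 0;               /* "ldap://host" alone: empty DN, base scope */

    /* dn?attrs?scope?filter?exts are "?"-separated; an empty field keeps its default */
    p = slash + 1;
    char  *field[5] = { out->dn, out->attrs, out->scope, out->filter, out->exts };
    size_t cap[5]   = { sizeof out->dn, sizeof out->attrs, sizeof out->scope,
                        sizeof out->filter, sizeof out->exts };
    for (int i = 0; i < 5 && *p; i++) {
        const char *q = strchr(p, '?');
        const char *e = q ? q : p + strlen(p);
        if (e > p && pct_decode(p, (size_t)(e - p), field[i], cap[i]) != 0)
            return -1;
        p = q ? q + 1 : e;
    }
    if (*p)                     /* more than five "?"-separated fields */
        return -1;
    if (strcmp(out->scope, "base") && strcmp(out->scope, "one") && strcmp(out->scope, "sub"))
        return -1;              /* unknown scope keyword */
    return 0;
}

/* Convenience check: does url parse with exactly this host, dn and scope? */
int url_parses_as(const char *url, const char *host, const char *dn, const char *scope)
{
    ldap_url_t u;
    return ldap_url_parse(url, &u) == 0 && strcmp(u.host, host) == 0 &&
           strcmp(u.dn, dn) == 0 && strcmp(u.scope, scope) == 0;
}

int main(void)
{
    /* The three referral strings quoted in the thread. */
    const char *urls[] = {
        "ldap://thehost.com/CN=Configuration,DC=thehost,DC=com??base",
        "ldap://thehost.com??base",
        "ldap://thehost.com??base/CN=Configuration,DC=thehost,DC=com%3F%3Fbase",
    };
    for (size_t i = 0; i < sizeof urls / sizeof *urls; i++) {
        ldap_url_t u;
        if (ldap_url_parse(urls[i], &u) == 0)
            printf("%s\n  host=%s port=%d dn=\"%s\" scope=%s\n",
                   urls[i], u.host, u.port, u.dn, u.scope);
        else
            printf("%s\n  malformed (rejected)\n", urls[i]);
    }
    return 0;
}
```

Only the first of the three quoted referrals is well-formed; it yields the DN "CN=Configuration,DC=thehost,DC=com" with scope "base", which is what the chased search should have used. Rejecting the other two up front is the defensive alternative to the crash described above: a referral the client cannot parse should produce an error result, not a second search against a garbage base DN.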