[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: back-ldap problem with Win2000 Active Directory



I didn't find this in the ITS database, but anyway, I've checked in a fix,
see
the attached email. Please try it out and let me know if there are any
problems
with this patch.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of Kurt D. Zeilenga
> Sent: Thursday, October 19, 2000 3:40 PM
> To: Bertrand Croq
> Cc: openldap-bugs@OpenLDAP.org
> Subject: Re: back-ldap problem with Win2000 Active Directory
>
>
> At 06:50 PM 10/19/00 +0200, Bertrand Croq wrote:
> >Hi,
> >  we are currently using slapd with back-ldap to connect to an Active
> >Directory LDAP server:
> >
> > client <--> sldap
> >               ^
> >               |
> >               v
> >           back-ldap <--> Active Directory
> >
> >  When doing some simple searches (ldapsearch -s one "uid=toto"),
> >back-ldap crashes with the following message:
> >
> >slapd: result.c:518: send_search_result: Assertion `!(((0x51) <= (( err
> >))) && ((( err )) <= (0x61)))' failed.
>
> Likely same issue as ITS#831  <http://www.openldap.org/its/?findid=831>
>
> >  After some debug, it appears that AD sends some non-standard messages;
> >in response to the search request, back-ldap gets the following message
> >(captured with Ethereal):
> >
> >Search Result:
> > Result code: 0x09
> > Matched DN: (null)
> > Error message: Referral:
> >ldap://thehost.com/CN=Configuration,DC=thehost,DC=com??base
> >
> >  The result code of 9 is not valid (it is written to be reserved in
> >RFC2251) but OpenLDAP seems to understand that it is a referal.
>
> That's an LDAPv2+ referral (which is not documented by any RFC).
>
> >The problem is that the URL of the referal is not well parsed;
> in response
> >to this search result, back-ldap sends another search request to the AD:
> >
> >Search Request:
> > Base DN: CN=Configuration,DC=thehost,DC=com??base
> > Scope: Single
> > ...
> >
> >  There shouldn't be "??base" in the base DN and the scope should be
> >"base".
>
> I don't recall LDAPv2+ support scope specifiers.  "??base" likely
> would confuse most LDAPv2+ implementations.  But we likely allow
> such.  We have another ITS to address a related issue for LDAPv3
> referrals (ITS#818).
>
> >Then AD replies with another result code 9 search result but
> >with a referal to "thehost.com??base" which leads to the slapd crash.
>
> Just "thehost.com??base" or "ldap://thehost.com??base";.
> Both are, of course, in valid... but we shouldn't crash on
> either.
>
> But I note that the above crash is likely not related to
> referral handling, but unknown authentication method issues.
>
> I suggest you apply the patch noted in the above ITS and
> retry.  If you again crash, provide a stack trace back.
>
> Also, in regards to referral handing issues, can you repeat
> the errors using just ldapsearch -C and AD?  I rather eliminate
> slapd from this issue if possible.
>
--- Begin Message ---
Update of /repo/OpenLDAP/pkg/ldap/servers/slapd/back-ldap

Modified Files:
	back-ldap.h  1.4 -> 1.5
	bind.c  1.11 -> 1.12
	search.c  1.18 -> 1.19

Log Message:
Fix: remap API error codes into protocol error codes before sending
back to client.


CVS Web URLs:
  http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/back-ldap/

http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/back-ldap/back-ldap.h
    http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/back-ldap/bind.c

http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/back-ldap/search.c

Changes are generally available on cvs.openldap.org (and CVSweb)
within 30 minutes of being committed.

--- End Message ---