RE: back-ldap problem with Win2000 Active Directory
I didn't find this in the ITS database, but anyway, I've checked in a fix; see
the attached email. Please try it out and let me know if there are any problems
with this patch.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of Kurt D. Zeilenga
> Sent: Thursday, October 19, 2000 3:40 PM
> To: Bertrand Croq
> Cc: openldap-bugs@OpenLDAP.org
> Subject: Re: back-ldap problem with Win2000 Active Directory
> At 06:50 PM 10/19/00 +0200, Bertrand Croq wrote:
> > we are currently using slapd with back-ldap to connect to an Active
> >Directory LDAP server:
> >     client <--> slapd
> >                   ^
> >                   |
> >                   v
> >               back-ldap <--> Active Directory
> > When doing some simple searches (ldapsearch -s one "uid=toto"),
> >back-ldap crashes with the following message:
> >slapd: result.c:518: send_search_result: Assertion `!(((0x51) <= (( err
> >))) && ((( err )) <= (0x61)))' failed.
> Likely same issue as ITS#831 <http://www.openldap.org/its/?findid=831>
> > After some debug, it appears that AD sends some non-standard messages;
> >in response to the search request, back-ldap gets the following message
> >(captured with Ethereal):
> >Search Result:
> > Result code: 0x09
> > Matched DN: (null)
> > Error message: Referral:
> > The result code of 9 is not valid (it is written to be reserved in
> >RFC2251) but OpenLDAP seems to understand that it is a referral.
> That's an LDAPv2+ referral (which is not documented by any RFC).
> >The problem is that the URL of the referral is not well parsed; in response
> >to this search result, back-ldap sends another search request to the AD:
> >Search Request:
> > Base DN: CN=Configuration,DC=thehost,DC=com??base
> > Scope: Single
> > ...
> > There shouldn't be "??base" in the base DN and the scope should be
> I don't recall LDAPv2+ support scope specifiers. "??base" likely
> would confuse most LDAPv2+ implementations. But we likely allow
> such. We have another ITS to address a related issue for LDAPv3
> referrals (ITS#818).
> >Then AD replies with another result code 9 search result but
> >with a referral to "thehost.com??base" which leads to the slapd crash.
> Just "thehost.com??base" or "ldap://thehost.com??base".
> Both are, of course, invalid... but we shouldn't crash on
> But I note that the above crash is likely not related to
> referral handling, but unknown authentication method issues.
> I suggest you apply the patch noted in the above ITS and
> retry. If you again crash, provide a stack trace back.
> Also, in regards to referral handling issues, can you repeat
> the errors using just ldapsearch -C and AD? I'd rather eliminate
> slapd from this issue if possible.
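The parsing problem in the report above is that a referral URL of the form ldap://host/dn??scope was cut at the wrong place, so "??base" ended up inside the base DN of the follow-up search instead of being read as a scope field. The following C block is an added example, not code from OpenLDAP or from the fix under discussion: it splits an LDAP URL into the components RFC 2255 defines (hostport, dn, attrs, scope, filter, with %XX decoding) and rejects the two malformed shapes named in the thread, a bare "thehost.com??base" (no scheme) and "ldap://thehost.com??base" (no '/' before the DN). The type and function names are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Scope values as written in the scope field of an LDAP URL (RFC 2255 sec. 3). */
enum { SCOPE_BASE = 0, SCOPE_ONE = 1, SCOPE_SUB = 2 };

/* ldap://[host[:port]][/dn[?attrs[?scope[?filter]]]]  (RFC 2255) */
typedef struct {
    char host[256]; int port;
    char dn[512];   char attrs[256];
    int  scope;     char filter[256];
} ldap_url_t;

/* Case-insensitive comparison of s[0..n) against a literal. */
static int eq_nocase(const char *s, size_t n, const char *lit)
{
    if (strlen(lit) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)lit[i])) return 0;
    return 1;
}

/* Copy [start,end) into dst, decoding %XX escapes (RFC 2255 sec. 5).
 * Returns 0, or -1 if the field does not fit or an escape is malformed. */
static int copy_field(char *dst, size_t cap, const char *start, const char *end)
{
    size_t n = 0;
    for (const char *p = start; p < end; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            if (end - p < 3 || !isxdigit((unsigned char)p[1]) || !isxdigit((unsigned char)p[2]))
                return -1;
            char hex[3] = { p[1], p[2], '\0' };
            c = (int)strtol(hex, NULL, 16);
            p += 2;
        }
        if (n + 1 >= cap) return -1;
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return 0;
}

/* Parse an LDAP URL into its components. Returns 0 on success and -1 for
 * anything that is not a well-formed ldap:// URL; on -1 the caller must
 * not chase the referral at all. */
int ldap_url_parse_simple(const char *url, ldap_url_t *out)
{
    const char *p, *q, *start[4], *end[4];
    int nfields = 0;

    memset(out, 0, sizeof *out);
    out->port  = 389;
    out->scope = SCOPE_BASE;                 /* RFC 2255: default scope is base */

    /* "thehost.com??base" carries no scheme: reject it rather than guess */
    if (strlen(url) < 7 || !eq_nocase(url, 7, "ldap://")) return -1;
    p = url + 7;

    /* hostport ends at the first '/' or at the end of the URL; a '?' inside
     * it ("ldap://thehost.com??base") means the '/' before the DN is missing */
    q = strchr(p, '/');
    if (q == NULL) q = p + strlen(p);
    if (memchr(p, '?', (size_t)(q - p)) != NULL) return -1;
    {
        const char *colon = memchr(p, ':', (size_t)(q - p));
        if (copy_field(out->host, sizeof out->host, p, colon ? colon : q) != 0) return -1;
        if (colon != NULL) {
            char *endp;
            long port = strtol(colon + 1, &endp, 10);
            if (endp != q || port < 1 || port > 65535) return -1;
            out->port = (int)port;
        }
    }
    if (*q == '\0') return 0;                /* no DN part: root DSE */
    p = q + 1;

    /* split the rest on '?' into at most dn, attrs, scope, filter;
     * a fifth field (extensions) is left unparsed in this example */
    while (nfields < 4) {
        q = strchr(p, '?');
        start[nfields] = p;
        end[nfields++] = q ? q : p + strlen(p);
        if (q == NULL) break;
        p = q + 1;
    }
    if (copy_field(out->dn, sizeof out->dn, start[0], end[0]) != 0) return -1;
    if (nfields > 1 && copy_field(out->attrs, sizeof out->attrs, start[1], end[1]) != 0) return -1;
    if (nfields > 2) {
        size_t n = (size_t)(end[2] - start[2]);
        if (n == 0 || eq_nocase(start[2], n, "base")) out->scope = SCOPE_BASE;
        else if (eq_nocase(start[2], n, "one"))       out->scope = SCOPE_ONE;
        else if (eq_nocase(start[2], n, "sub"))       out->scope = SCOPE_SUB;
        else return -1;                              /* unknown scope word */
    }
    if (nfields > 3 && copy_field(out->filter, sizeof out->filter, start[3], end[3]) != 0) return -1;
    return 0;
}

int main(void)
{
    /* constructed sample: the referral shape AD returned in the report above */
    ldap_url_t u;
    if (ldap_url_parse_simple("ldap://thehost.com/CN=Configuration,DC=thehost,DC=com??base", &u) == 0)
        printf("host=%s port=%d dn=\"%s\" scope=%d\n", u.host, u.port, u.dn, u.scope);
    printf("bare \"thehost.com??base\" -> %d\n", ldap_url_parse_simple("thehost.com??base", &u));
    return 0;
}
```

A proxy that chases referrals should issue the follow-up search only from a parse that succeeded: base DN from the dn field, scope from the scope field, and an unknown scope word or a missing scheme treated as "do not chase", never folded into the DN.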
--- Begin Message ---
Update of /repo/OpenLDAP/pkg/ldap/servers/slapd/back-ldap
back-ldap.h 1.4 -> 1.5
bind.c 1.11 -> 1.12
search.c 1.18 -> 1.19
Fix: remap API error codes into protocol error codes before sending
back to client.
CVS Web URLs:
Changes are generally available on cvs.openldap.org (and CVSweb)
within 30 minutes of being committed.
--- End Message ---
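The assertion quoted in the report, !(0x51 <= err && err <= 0x61), is slapd refusing to put a libldap API error code (the range OpenLDAP's ldap.h reserves for client-library conditions such as LDAP_SERVER_DOWN or LDAP_AUTH_UNKNOWN) into an LDAPResult, and the commit above fixes back-ldap by remapping those codes before sending. The C block below is an added example of that remapping and is not the code committed; the result-code values are the ones in OpenLDAP's ldap.h, but the particular API-to-protocol pairings and the function names are this example's own choice.

```c
#include <stdio.h>

/* Protocol result codes (RFC 2251 sec. 4.1.10; values as in OpenLDAP ldap.h). */
enum {
    LDAP_SUCCESS                   = 0x00,
    LDAP_PROTOCOL_ERROR            = 0x02,
    LDAP_AUTH_METHOD_NOT_SUPPORTED = 0x07,
    LDAP_PARTIAL_RESULTS           = 0x09, /* LDAPv2+ referral, not in RFC 2251 */
    LDAP_REFERRAL                  = 0x0a,
    LDAP_NO_SUCH_OBJECT            = 0x20,
    LDAP_UNAVAILABLE               = 0x34,
    LDAP_UNWILLING_TO_PERFORM      = 0x35,
    LDAP_LOOP_DETECT               = 0x36,
    LDAP_OTHER                     = 0x50
};

/* Client-library ("API") codes: ldap.h reserves 0x51..0x61 for conditions
 * libldap detects locally. None of them is a valid wire value, which is
 * exactly what the failed assertion in result.c enforces. */
enum {
    LDAP_SERVER_DOWN             = 0x51,
    LDAP_LOCAL_ERROR             = 0x52,
    LDAP_ENCODING_ERROR          = 0x53,
    LDAP_DECODING_ERROR          = 0x54,
    LDAP_TIMEOUT                 = 0x55,
    LDAP_AUTH_UNKNOWN            = 0x56,
    LDAP_FILTER_ERROR            = 0x57,
    LDAP_USER_CANCELLED          = 0x58,
    LDAP_PARAM_ERROR             = 0x59,
    LDAP_NO_MEMORY               = 0x5a,
    LDAP_CONNECT_ERROR           = 0x5b,
    LDAP_NOT_SUPPORTED           = 0x5c,
    LDAP_CONTROL_NOT_FOUND       = 0x5d,
    LDAP_NO_RESULTS_RETURNED     = 0x5e,
    LDAP_MORE_RESULTS_TO_RETURN  = 0x5f,
    LDAP_CLIENT_LOOP             = 0x60,
    LDAP_REFERRAL_LIMIT_EXCEEDED = 0x61
};

/* The range test the assertion performs, as a plain predicate. */
int is_api_error(int rc) { return rc >= 0x51 && rc <= 0x61; }

/* Before the fix the proxy passed the upstream code straight to
 * send_search_result(), which aborts on an API code. Modelled here as a
 * check that returns 0 instead of aborting. */
int result_code_is_sendable(int rc) { return !is_api_error(rc); }

/* Map a libldap API code to the protocol code the proxy sends its own
 * client. Protocol codes (including the LDAPv2+ value 9) pass through.
 * The pairings are this example's choice (hypothetical), not the table in
 * the committed fix. */
int map_api2result(int rc)
{
    switch (rc) {
    case LDAP_SERVER_DOWN:
    case LDAP_CONNECT_ERROR:
    case LDAP_TIMEOUT:
        return LDAP_UNAVAILABLE;
    case LDAP_AUTH_UNKNOWN:                  /* the "unknown auth method" case */
        return LDAP_AUTH_METHOD_NOT_SUPPORTED;
    case LDAP_ENCODING_ERROR:
    case LDAP_DECODING_ERROR:
    case LDAP_PARAM_ERROR:
    case LDAP_CONTROL_NOT_FOUND:
        return LDAP_PROTOCOL_ERROR;
    case LDAP_NOT_SUPPORTED:
        return LDAP_UNWILLING_TO_PERFORM;
    case LDAP_NO_RESULTS_RETURNED:
        return LDAP_NO_SUCH_OBJECT;
    case LDAP_CLIENT_LOOP:
    case LDAP_REFERRAL_LIMIT_EXCEEDED:
        return LDAP_LOOP_DETECT;
    default:
        /* remaining API codes (local error, no memory, ...) have no wire
         * equivalent: report "other" rather than leak a library-internal number */
        return is_api_error(rc) ? LDAP_OTHER : rc;
    }
}

int main(void)
{
    int rc = LDAP_AUTH_UNKNOWN;              /* constructed: what back-ldap got from libldap */
    printf("upstream rc=0x%02x sendable=%d -> mapped=0x%02x\n",
           rc, result_code_is_sendable(rc), map_api2result(rc));
    return 0;
}
```

The property worth keeping in a regression test is the one the assertion states: whatever the upstream library returns, the code that reaches the wire must never be in 0x51..0x61. A proxy that forgets this turns any upstream oddity, here an authentication method the library did not recognise, into an abort of the whole server.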