[Date Prev][Date Next]
Re: back-ldap problem with Win2000 Active Directory
"Kurt D. Zeilenga" wrote:
> >As active directory doesn't handle search requests for
> >"dc=thehost,dc=com??base", it sends another referral to point to what it
> >thinks is the good server: "thehost.com??base".
> And how does it know this is the correct server name? dc=foo,dc=bar
> doesn't imply that the host foo.bar operates an LDAP server
> holding the "dc=foo,dc=bar". The server should locate the LDAP
> server holding "dc=foo,dc=bar" using DNS. In the above case,
> DNS should have returned an error, which should then resulted
> in an error being returned by AD. An LDAP server should only
> redirect clients based upon knowledge it holds directly or
> indirectly (eg. DNS).
> Anyways, here OpenLDAP should fail to parse the URL and not
> attempt to chase it.
Here again, I agree that the problem is because of Active Directory.
> >So, I agree that Active
> >Directory shouldn't send a referral with such a server address, but it
> >happens because slapd sends a wrong DN, which happens because Active
> >Directory sends the referral in a strange way (I don't know if it is a
> >wrong way)... The problem is that we can't change Active Directory
> You can be reporting bugs to Microsoft.
I can't be sure, but if I report a bug to Microsoft and if they agree
this is a bug, I think it will take weeks to get a fix...
> > so we
> >have to handle such referrals :-(
> I agree we should make some changes to improve our handling...
> But note that this won't fix all the clients out there which
> use SDKs with historical behavior. This is why you need to
> work with your server vendor to affect change.
We have done some test with the submited code and it appears to work
exactly as we expected it to; we modified the request.c so that OpenLDAP
can handle LDAP3 url in LDAP2+ referral messages. This is what we need
but from what I understand from your mails (sorry, I am french so I
could misunderstand something), it is not really the way you would like
it to be done.
So, I'll follow what you say; I'll submit a bug to Microsoft and see
- if the referrals are corrected, OpenLDAP should work with AD without
- if the referrals are not corrected, then we would submit our
intermediary solution as told in
Bertrand Croq - VIRTUAL NET (http://www.virtual-net.fr)
80, avenue des Buttes de Coesmes - 35700 RENNES
tel: +33 2 23 21 06 30 - fax: +33 2 99 38 16 85