
Re: back-ldap problem with Win2000 Active Directory



"Kurt D. Zeilenga" wrote:
> >As active directory doesn't handle search requests for
> >"dc=thehost,dc=com??base", it sends another referral to point to what it
> >thinks is the good server: "thehost.com??base".
> 
> And how does it know this is the correct server name?  dc=foo,dc=bar
> doesn't imply that the host foo.bar operates an LDAP server
> holding the "dc=foo,dc=bar".  The server should locate the LDAP
> server holding "dc=foo,dc=bar" using DNS.  In the above case,
> DNS should have returned an error, which should then have resulted
> in an error being returned by AD.  An LDAP server should only
> redirect clients based upon knowledge it holds directly or
> indirectly (e.g. DNS).
> 
> Anyways, here OpenLDAP should fail to parse the URL and not
> attempt to chase it.

  Here again, I agree that the problem is because of Active Directory.

> >So, I agree that Active
> >Directory shouldn't send a referral with such a server address, but it
> >happens because slapd sends a wrong DN, which happens because Active
> >Directory sends the referral in a strange way (I don't know if it is a
> >wrong way)... The problem is that we can't change Active Directory
> 
> You can be reporting bugs to Microsoft.

  I can't be sure, but if I report a bug to Microsoft and if they agree
this is a bug, I think it will take weeks to get a fix...

> > so we
> >have to handle such referrals :-(
> 
> I agree we should make some changes to improve our handling...
> 
> But note that this won't fix all the clients out there which
> use SDKs with historical behavior.  This is why you need to
> work with your server vendor to effect change.

  We have done some tests with the submitted code and it appears to work
exactly as we expected it to; we modified request.c so that OpenLDAP
can handle LDAP3 URLs in LDAP2+ referral messages. This is what we need,
but from what I understand from your mails (sorry, I am French so I
could misunderstand something), it is not really the way you would like
it to be done.
  So, I'll follow what you say; I'll submit a bug to Microsoft and see
what happens:
- if the referrals are corrected, OpenLDAP should work with AD without
modifications.
- if the referrals are not corrected, then we would submit our
intermediary solution as told in
<http://www.openldap.org/devel/contributing.html>.

Thanks
-- 
Bertrand Croq - VIRTUAL NET (http://www.virtual-net.fr)
80, avenue des Buttes de Coesmes - 35700 RENNES
tel: +33 2 23 21 06 30 - fax: +33 2 99 38 16 85
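The "fail to parse the URL and not attempt to chase it" behaviour discussed in this thread, as an added example that is not code from the thread or from OpenLDAP: a strict RFC 2255-style LDAP URL check that accepts a well-formed referral such as `ldap://thehost.com/dc=thehost,dc=com??base` and rejects bare forms like `thehost.com??base`. The sample referrals are constructed, and the rule that a followable referral must name a host is an assumption.

```python
import re
from urllib.parse import unquote

# Scheme, host[:port], then the optional "/dn?attrs?scope?filter?extensions".
_LDAP_URL = re.compile(r"^(ldaps?)://([^/?#]*)(?:/([^#]*))?$", re.IGNORECASE)
_SCOPES = {"": "base", "base": "base", "one": "one", "sub": "sub"}


def parse_ldap_url(url: str) -> dict:
    """Parse an LDAP URL into its parts; raise ValueError if it is malformed."""
    m = _LDAP_URL.match(url)
    if not m:
        # No ldap:// or ldaps:// scheme: "thehost.com??base" lands here.
        raise ValueError(f"not an LDAP URL: {url!r}")
    scheme, hostport, rest = m.groups()
    scheme = scheme.lower()
    fields = (rest or "").split("?")
    if len(fields) > 5:
        raise ValueError(f"too many '?' fields in {url!r}")
    fields += [""] * (5 - len(fields))
    dn, attrs, scope, filt, exts = (unquote(f) for f in fields)
    if scope.lower() not in _SCOPES:
        raise ValueError(f"bad scope {scope!r} in {url!r}")
    host, _, port = hostport.partition(":")
    if not host:  # assumption: a referral the client follows must name a host
        raise ValueError(f"referral without a host: {url!r}")
    port = int(port) if port else (636 if scheme == "ldaps" else 389)
    if not 0 < port < 65536:
        raise ValueError(f"bad port in {url!r}")
    return {
        "scheme": scheme, "host": host, "port": port, "dn": dn,
        "attrs": [a for a in attrs.split(",") if a],
        "scope": _SCOPES[scope.lower()],
        "filter": filt or "(objectClass=*)", "extensions": exts,
    }


def referral_target(ref: str):
    """Return the parsed target if the referral may be chased, else None."""
    try:
        return parse_ldap_url(ref)
    except ValueError:
        return None


# Constructed sample referrals modelled on the thread.
SAMPLE_REFERRALS = [
    "ldap://thehost.com/dc=thehost,dc=com??base",  # well-formed: chase
    "thehost.com??base",                           # no scheme: reject
    "dc=thehost,dc=com??base",                     # bare DN: reject
]
```

Calling `referral_target` on each entry of `SAMPLE_REFERRALS` returns a parsed target only for the first one.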