(ITS#9089) OpenLDAP sends searchResDone success too early



Full_Name: Marc Pape
Version: 2.4.48
OS: Debian 9 Kernel 4.9
URL: https://qnap.testlab-lpz.de/share.cgi?ssid=0NbcOIY
Submission from: (NULL) (80.153.108.120)


Hello dear OpenLDAP-Team, 
we have a problem with the OpenLDAP Server which we operate as LDAP Proxy.
In our deployment the OpenLDAP Proxy is for synchronization and authentication
between a Cisco Callmanager 12.5 and two Microsoft ActiveDirectories in Version
2008R2.
The Cisco Callmanager can only handle one directory, but in some customer
deployments there are two different directories.

For that scenario we installed a Debian 9 server with OpenLDAP 2.4.48.
The synchronization and authentication work so far, until one directory has more
than 50 users.

The Cisco Callmanager uses a SearchControlValue with size 50. When synchronizing
the Callmanager against one Microsoft AD directly, the Microsoft server will send
responses with 50 users and, at the end after all responses, an unbindRequest. In
our lab deployment we tested the Cisco Callmanager against a Microsoft AD with
over 2000 end users successfully.
With the OpenLDAP server between the Cisco Callmanager and the
Microsoft AD, the OpenLDAP sends the unbindRequest directly after the first
response with the first 50 users. All other requests and over 1950 users don't
synchronize to the Cisco Callmanager.


Is there a possible solution to send that unbindRequest after all responses and
all users from the Microsoft AD were sent to the Callmanager in those 50-user
steps / responses?

I've provided the configuration file of the OpenLDAP server and a pcap file from
a synchronization run in the upload below.
The pcap file shows the following IPs and servers:
10.34.100.2 Cisco Callmanager
10.34.100.110 Debian 9 with OpenLDAP as LDAP Proxy
10.34.100.16 Microsoft AD #1
10.34.100.17 Microsoft AD #2

Kind regards
Marc Pape
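
Added example, not part of the original report: a small decoder for checking, in a capture like the one described, whether a searchResDone still announces further pages. It assumes the "SearchControlValue with size 50" is the RFC 2696 simple paged results control (OID 1.2.840.113556.1.4.319), where an empty cookie in the response tells the client the result set is complete; the function names and all byte strings are constructed for illustration.

```python
# Added example: BER-decode an RFC 2696 paged-results control value,
#   realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }
# All byte strings are constructed samples, not taken from the reporter's pcap.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def decode_paged_control(value):
    """Return (size, cookie) from a paged-results controlValue."""
    tag, seq, end = read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected exactly one SEQUENCE")
    tag, size_raw, pos = read_tlv(seq, 0)
    if tag != 0x02 or not size_raw:
        raise ValueError("expected INTEGER size")
    tag, cookie, pos = read_tlv(seq, pos)
    if tag != 0x04 or pos != len(seq):
        raise ValueError("expected OCTET STRING cookie and nothing after it")
    return int.from_bytes(size_raw, "big", signed=True), cookie

def page_state(value):
    """Classify the control returned alongside a searchResDone."""
    _, cookie = decode_paged_control(value)
    return "more pages" if cookie else "last page"

# Constructed samples
REQUEST_FIRST = bytes.fromhex("30050201320400")          # size=50, empty cookie
DONE_MORE = bytes.fromhex("30090201000404deadbeef")      # non-empty cookie
DONE_LAST = bytes.fromhex("30050201000400")              # empty cookie

if __name__ == "__main__":
    for name, v in [("request", REQUEST_FIRST), ("done#1", DONE_MORE), ("done#n", DONE_LAST)]:
        print(name, decode_paged_control(v), page_state(v))
```

Running the same check on the control bytes of the first searchResDone on each side of the proxy shows whether the cookie sent by the directory reaches the client unchanged.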