
Searching in an Active Directory on Win2003
I observed some problems after our back-office group upgraded their domain controller
from Win2k to 2003 Server:

I ran some Apaches (1.3 and 2.0) with different LDAP modules for integrating an
Active Directory login on parts of the content.

This is no longer possible after the upgrade of the Active Directory to 2003, and I
can even simulate the behavior of the Apache modules with a single ldapsearch command
including the -C option to chase references.

If I submit a subtree search on the Active Directory using a dedicated bind user,
the response always includes 3 strange references (ldap://ForestDNSZones.<domain>, ldap://<domain>
and a third one I don't remember at the moment). But Win2003 no longer allows an
anonymous bind on the URIs returned in the references. So, if ldapsearch tries to
connect to one of them in chase mode, the search will fail with an "operations error"
that complains about anonymous access.

I know that this is not the right place for asking configuration tips for the
Active Directory on 2003 Server, and I am not responsible for that stuff anyway.

But perhaps others see similar problems in their OpenLDAP environments (both Apache
modules use OpenLDAP's libraries). It drills down to:
Chasing references will not reuse the bind user but rebinds anonymously, which is
no longer allowed in the standard configuration of Active Directory on 2003 Server.

Is this perhaps a well-documented behavior of the LDAP protocol? Or just OpenLDAP's
understanding of rebinding to references in the first level results? Of course I would
like the first option to hold true, since this would lead to a reconfiguration request
for Active Directory (which should then no longer return non-public references or
re-establish anonymous bind to any of them).

I appreciate any suggestions in this context.

Holger Paschke
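Added example, not part of the post above: a small Python parser for ldapsearch's LDIF output that separates the returned entries from the search references, so an admin can see which servers a referral-chasing client (ldapsearch -C, or an Apache module built on libldap) would have to bind to again, instead of letting the client rebind anonymously. The sample output is constructed; example.com is a placeholder domain and the third referral is assumed to be the Configuration partition.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample of ldapsearch LDIF output for a subtree search of an AD domain
# (placeholder domain example.com; the three "ref:" lines are assumed partitions).
SAMPLE_OUTPUT = """\
dn: CN=John Doe,CN=Users,DC=example,DC=com
sAMAccountName: jdoe
memberOf: CN=Web Users,CN=Users,DC=example,
 DC=com

# search reference
ref: ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com

# search reference
ref: ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com

# search reference
ref: ldap://example.com/CN=Configuration,DC=example,DC=com
"""


def parse_ldapsearch(text):
    """Return (entries, referrals): entries as {attr: [values]} dicts, referrals as
    the raw LDAP URLs of "ref:" lines. LDIF continuation lines (leading space) are joined."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # fold a wrapped value onto its line
        else:
            lines.append(raw)
    entries, refs, current = [], [], None
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = None
        elif not line.startswith("#"):        # skip ldapsearch comment lines
            name, _, value = line.partition(":")
            if name == "ref":
                refs.append(value.strip())    # search reference, not an entry
            elif name == "dn":
                current = {"dn": [value.strip()]}
            elif current is not None:
                current.setdefault(name, []).append(value.strip())
    return entries, refs


def referral_targets(text):
    """Servers a chasing client must bind to again: each referral URL mapped to
    (host, base DN) as laid out in RFC 4516."""
    _, refs = parse_ldapsearch(text)
    return {u: (urlsplit(u).hostname, unquote(urlsplit(u).path[1:])) for u in refs}
```

Run against real ldapsearch output (without -C, so nothing is chased), the host list shows exactly which servers would need either a rebind with the dedicated bind user or anonymous access before chasing could work again.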