Re: trouble getting entry from ldap server using ldap_search_ext_s



Erich Titl wrote:
Hi everybody

I am trying to fix an authentication plugin for openvpn using the
openldap library. I am new to the library, so I may lack some understanding.

Here is the situation
The openldap version is 2.3.27

If I try to find a user with a base dn of

"ou=mnd999,dc=asp,dc=ruf,dc=ch"

which is the correct base dn for this user, the operation works correctly.

If I just use "dc=asp,dc=ruf,dc=ch"

the operation times out. I am using subtree search and I can see on a
packet dump on the line that there is a reply from the ldap server.

The difference between the replies is that in the case of the correct DN
just a search entry and a search result message is returned, whereas in
the case of the incomplete DN a search entry, a number of search result
references and a search result are returned. In both cases, the search
result yields success.

The code calls

        if ((err = ldap_search_ext_s(ldapConn, [base cString], LDAP_SCOPE_SUBTREE,
                                     [filter cString], attrArray, 0, NULL, NULL,
                                     &timeout, 5000, &res)) != LDAP_SUCCESS) {
                [TRLog error: "LDAP search failed: %d: %s", err, ldap_err2string(err)];
                goto finish;
        }

This call times out and returns -5.

I can provide tcpdump files if needed.
Sounds like you're getting search references that the LDAP library tries to chase (anonymously, which is the default), and during that something times out. Since this seems not to be what you need, because the entry you're looking for is present and you don't need to chase any referral, you should tell the library not to chase them and simply return the entry you're looking for.

To do that, you need to set LDAP_OPT_REFERRALS to LDAP_OPT_OFF using the ldap_set_option(3) call (don't get tricked by the trailing (3): such a man page never existed, as far as I know ;). Example code may be found in the ldapsearch code (actually, in clients/tools/common.c) and in the proxy backends of slapd in servers/slapd/back-ldap/bind.c.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
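The reply's advice put into code, as an added example that is neither the thread's nor the OpenVPN plugin's code. It is plain libldap C, written so it can be dropped into an Objective-C (.m) plugin source like the one quoted above. The URI, bind DN, password and username are assumed placeholders; the base DN is the wider one from the question. Beyond the reply's point (LDAP_OPT_REFERRALS off), it bounds the connect time with LDAP_OPT_NETWORK_TIMEOUT, caps the size limit at 2 so an ambiguous filter is refused instead of silently picking one entry, and, assuming the plugin builds its filter from the OpenVPN username, escapes that value before splicing it into the filter.

```objc
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>
#include <ldap.h>

/* Escape a value per RFC 4515 before splicing it into a filter, so a username
 * such as "*)(uid=*" cannot change what the filter matches.  Caller frees. */
static char *escape_filter_value(const char *in)
{
    char *out = malloc(strlen(in) * 3 + 1), *p = out;
    if (out == NULL) return NULL;
    for (; *in != '\0'; in++) {
        if (strchr("*()\\", *in) != NULL)
            p += sprintf(p, "\\%02x", (unsigned char)*in);
        else
            *p++ = *in;
    }
    *p = '\0';
    return out;
}

/* Connect and bind as the plugin's search account (bind DN and password assumed). */
static LDAP *connect_and_bind(const char *uri, const char *bind_dn, const char *bind_pw)
{
    LDAP *ld = NULL;
    int version = LDAP_VERSION3, err;
    struct timeval net_timeout = { 5, 0 };            /* bounds the TCP connect too */
    struct berval cred = { strlen(bind_pw), (char *)bind_pw };
    if ((err = ldap_initialize(&ld, uri)) != LDAP_SUCCESS) {
        fprintf(stderr, "ldap_initialize: %s\n", ldap_err2string(err));
        return NULL;
    }
    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
    ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &net_timeout);
    /* The fix from the reply: do not chase search references.  Chasing is on by
     * default, is done with an anonymous bind to whichever host the server names,
     * and every slow or unreachable referral is charged to the search timeout. */
    ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
    err = ldap_sasl_bind_s(ld, bind_dn, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL);
    if (err != LDAP_SUCCESS) {
        fprintf(stderr, "bind as %s: %s\n", bind_dn, ldap_err2string(err));
        ldap_unbind_ext_s(ld, NULL, NULL);
        return NULL;
    }
    return ld;
}

/* Subtree search for exactly one user.  Returns an LDAP result code; on
 * LDAP_SUCCESS *dn_out holds the entry DN (release with ldap_memfree). */
static int find_user(LDAP *ld, const char *base, const char *filter, char **dn_out)
{
    char *attrs[] = { LDAP_NO_ATTRS, NULL };         /* "1.1": the DN only */
    struct timeval timeout = { 10, 0 };
    LDAPMessage *res = NULL;
    int err, nentries;
    *dn_out = NULL;
    /* sizelimit 2: one hit is the user, a second means the filter is ambiguous */
    err = ldap_search_ext_s(ld, base, LDAP_SCOPE_SUBTREE, filter, attrs, 0,
                            NULL, NULL, &timeout, 2, &res);
    if (err != LDAP_SUCCESS && err != LDAP_SIZELIMIT_EXCEEDED) {
        if (res != NULL) ldap_msgfree(res);
        return err;              /* LDAP_TIMEOUT is the -5 from the question */
    }
    nentries = ldap_count_entries(ld, res);
    if (ldap_count_references(ld, res) > 0)
        fprintf(stderr, "note: search references returned, not followed\n");
    if (nentries != 1 || err == LDAP_SIZELIMIT_EXCEEDED) {
        ldap_msgfree(res);
        /* no hit: unknown user; several hits: refuse rather than pick one */
        return nentries == 0 ? LDAP_NO_SUCH_OBJECT : LDAP_SIZELIMIT_EXCEEDED;
    }
    *dn_out = ldap_get_dn(ld, ldap_first_entry(ld, res));
    ldap_msgfree(res);
    return *dn_out != NULL ? LDAP_SUCCESS : LDAP_LOCAL_ERROR;
}

int main(void)
{
    /* Assumed URI, bind account, password and username; base DN from the thread. */
    const char *uri = "ldap://ldap.example.com", *base = "dc=asp,dc=ruf,dc=ch";
    const char *bind_dn = "cn=openvpn,ou=services,dc=asp,dc=ruf,dc=ch";
    const char *bind_pw = "replace-me", *username = "jdoe";
    char filter[256], *escaped, *dn = NULL;
    LDAP *ld;
    int err;
    if ((escaped = escape_filter_value(username)) == NULL) return 1;
    snprintf(filter, sizeof filter, "(&(objectClass=person)(uid=%s))", escaped);
    free(escaped);
    if ((ld = connect_and_bind(uri, bind_dn, bind_pw)) == NULL) return 1;
    if ((err = find_user(ld, base, filter, &dn)) == LDAP_SUCCESS) {
        printf("found %s\n", dn);
        ldap_memfree(dn);
    } else
        fprintf(stderr, "lookup failed: %d: %s\n", err, ldap_err2string(err));
    ldap_unbind_ext_s(ld, NULL, NULL);
    return err == LDAP_SUCCESS ? 0 : 1;
}
```

Build against the OpenLDAP client libraries with -lldap -llber. Note that ldapsearch itself leaves referrals unfollowed unless given -C, which is why the same search typed on the command line can succeed immediately while the plugin's call, with chasing left at its default, waits on the referenced servers.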