
Re: trouble getting entry from ldap server using ldap_search_ext_s



And if you want to change references/referrals, I suggest
you consider the async interface so you can better manage
security contexts.  -- Kurt

At 05:01 PM 10/8/2006, Pierangelo Masarati wrote:
>Erich Titl wrote:
>>Hi everybody
>>
>>I am trying to fix an authentication plugin for openvpn using the
>>openldap library. I am new to the library, so I may lack some understanding.
>>
>>Here is the situation
>>The openldap version is 2.3.27
>>
>>If I try to find a user with a base dn of
>>
>>"ou=mnd999,dc=asp,dc=ruf,dc=ch"
>>
>>which is the correct base dn for this user, the operation works correctly.
>>
>>If I just use "dc=asp,dc=ruf,dc=ch"
>>
>>the operation times out. I am using subtree search and I can see on a
>>packet dump on the line that there is a reply from the ldap server.
>>
>>The difference between the replies is that in the case of the correct DN
>>just a search entry and a search result message is returned, whereas in
>>the case of the incomplete DN a search entry, a number of search result
>>references and a search result are returned. In both cases, the search
>>result yields success.
>>
>>The code calls
>>
>>        if ((err = ldap_search_ext_s(ldapConn, [base cString],
>>LDAP_SCOPE_SUBTREE, [filter cString], attrArray, 0, NULL, NULL,
>>&timeout, 5000, &res)) != LDAP_SUCCESS) {
>>                [TRLog error: "LDAP search failed: %d: %s", err,
>>ldap_err2string(err)];
>>                goto finish;
>>        }
>>
>>This call times out and returns -5.
>>
>>I can provide tcpdump files if needed.
>>  
>Sounds like you're getting search references that the LDAP library tries to chase (anonymously, which is the default) and during that something times out.  Since this seems not to be what you need, because the entry you're looking for is present, and you don't need to chase any referral, you should tell the library not to chase them, and simply return the entry you're looking for.  To do that, you need to set LDAP_OPT_REFERRALS to LDAP_OPT_OFF using the ldap_set_option(3) call (don't get tricked by the trailing (3): such man page never existed, as far as I know ;).  Example code may be found in ldapsearch code (actually, in clients/tools/common.c) and in the proxy backends of slapd in servers/slapd/back-ldap/bind.c.
>
>p.
>
>
>
>Ing. Pierangelo Masarati
>OpenLDAP Core Team
>
>SysNet s.n.c.
>Via Dossi, 8 - 27100 Pavia - ITALIA
>http://www.sys-net.it
>------------------------------------------
>Office:   +39.02.23998309
>Mobile:   +39.333.4963172
>Email:    pierangelo.masarati@sys-net.it
>------------------------------------------