Re: back-ldap problem with Win2000 Active Directory
At 06:50 PM 10/19/00 +0200, Bertrand Croq wrote:
>Hi,
> we are currently using slapd with back-ldap to connect to an Active
>Directory LDAP server:
>
> client <--> slapd
> ^
> |
> v
> back-ldap <--> Active Directory
>
> When doing some simple searches (ldapsearch -s one "uid=toto"),
>back-ldap crashes with the following message:
>
>slapd: result.c:518: send_search_result: Assertion `!(((0x51) <= (( err
>))) && ((( err )) <= (0x61)))' failed.
Likely same issue as ITS#831 <http://www.openldap.org/its/?findid=831>
> After some debug, it appears that AD sends some non-standard messages;
>in response to the search request, back-ldap gets the following message
>(captured with Ethereal):
>
>Search Result:
> Result code: 0x09
> Matched DN: (null)
> Error message: Referral:
>ldap://thehost.com/CN=Configuration,DC=thehost,DC=com??base
>
> The result code of 9 is not valid (it is written to be reserved in
>RFC2251) but OpenLDAP seems to understand that it is a referral.
That's an LDAPv2+ referral (which is not documented by any RFC).
>The problem is that the URL of the referral is not well parsed; in response
>to this search result, back-ldap sends another search request to the AD:
>
>Search Request:
> Base DN: CN=Configuration,DC=thehost,DC=com??base
> Scope: Single
> ...
>
> There shouldn't be "??base" in the base DN and the scope should be
>"base".
I don't recall LDAPv2+ supporting scope specifiers. "??base" likely
would confuse most LDAPv2+ implementations. But we likely allow
such. We have another ITS to address a related issue for LDAPv3
referrals (ITS#818).
>Then AD replies with another result code 9 search result but
>with a referral to "thehost.com??base" which leads to the slapd crash.
Just "thehost.com??base" or "ldap://thehost.com??base"?
Both are, of course, invalid... but we shouldn't crash on
either.
But I note that the above crash is likely not related to
referral handling, but unknown authentication method issues.
I suggest you apply the patch noted in the above ITS and
retry. If you again crash, provide a stack trace back.
Also, in regards to referral handling issues, can you repeat
the errors using just ldapsearch -C and AD? I'd rather eliminate
slapd from this issue if possible.
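
The following is an added example, not part of the original message and not OpenLDAP code: a minimal referral-URL parser that splits the base DN from the scope field, so "??base" never ends up in the base DN, and that returns an error for the malformed forms discussed above instead of asserting. The names `parse_referral`, `struct ref_url` and `SCOPE_*` are hypothetical; scheme matching is case-sensitive and %-decoding is omitted.

```c
#include <stdio.h>
#include <string.h>

enum { SCOPE_DEFAULT = -1, SCOPE_BASE = 0, SCOPE_ONE = 1, SCOPE_SUB = 2 };
struct ref_url { char host[128]; char dn[256]; int scope; };

/* Parse ldap://host[:port]/dn[?attrs[?scope[?filter]]].
 * Returns 0 on success, -1 on malformed input; never asserts or aborts.
 * out->scope is SCOPE_DEFAULT when the URL carries no scope field. */
int parse_referral(const char *url, struct ref_url *out)
{
    static const char scheme[] = "ldap://";
    const char *p;
    size_t n;
    if (url == NULL || out == NULL) return -1;
    memset(out, 0, sizeof *out);               /* keeps host/dn NUL-terminated */
    out->scope = SCOPE_DEFAULT;
    if (strncmp(url, scheme, sizeof scheme - 1) != 0) return -1; /* no scheme */
    p = url + sizeof scheme - 1;
    n = strcspn(p, "/?");                      /* host[:port] */
    if (n >= sizeof out->host) return -1;
    memcpy(out->host, p, n);
    p += n;
    if (*p == '\0') return 0;                  /* host only */
    if (*p != '/') return -1;                  /* '?' fields without a "/dn" part */
    p++;
    n = strcspn(p, "?");                       /* base DN stops at the first '?' */
    if (n >= sizeof out->dn) return -1;
    memcpy(out->dn, p, n);
    p += n;
    if (*p == '\0') return 0;
    p += 1 + strcspn(p + 1, "?");              /* skip the attribute list */
    if (*p == '\0') return 0;
    p++;
    n = strcspn(p, "?");                       /* scope field */
    if (n == 0) return 0;                      /* empty: keep the default */
    if (n == 4 && strncmp(p, "base", 4) == 0) out->scope = SCOPE_BASE;
    else if (n == 3 && strncmp(p, "one", 3) == 0) out->scope = SCOPE_ONE;
    else if (n == 3 && strncmp(p, "sub", 3) == 0) out->scope = SCOPE_SUB;
    else return -1;                            /* unknown scope keyword */
    return 0;
}

int main(void)
{
    struct ref_url r;
    int rc = parse_referral("ldap://thehost.com/CN=Configuration,DC=thehost,DC=com??base", &r);
    printf("rc=%d host=%s dn=%s scope=%d\n", rc, r.host, r.dn, r.scope);
    return rc != 0;
}
```

A caller chasing the referral would use `dn` and `scope` for the follow-up search and return an error result to the client when the parser returns -1.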