Re: Works with ldapsearch, but can't get it to work with ldap_search_ext_s()
On 08/03/2014, at 18:31, Howard Chu <hyc@symas.com> wrote:
> Werner - Google wrote:
>
>> Hi,
>> After doing some more research and lots of tcpdumping, I got some more
>> info, but still don't know how to solve my problem.
>>
>> As I mentioned, I'm doing the search against an Active Directory service. I
>> do the search with the code shown above, and with the tcpdumps it seems to
>> show that when I do it with ldap_search_ext_s(), I get, after the found item, a
>> list of referrals, like:
>>
>> ldap://ForestDnsZones.example.dc/DC=ForestDnsZones,DC=example,DC=dc
>> ldap://DomainDnsZones.example.dc/DC=DomainDnsZones,DC=example,DC=dc
>> ldap://example.dc/CN=Configuration,DC=example,DC=dc
>>
>> and ldap_search_ext_s() tries to follow those referrals. On this attempt it
>> tries the bind without the credentials, and then I get rejected by the server
>> or sometimes I'm even unable to reach the mentioned server.
>>
>> I've tried adding to my test code,
>>
>> int referals = LDAP_OPT_OFF;
>> /* before the init */
>> ldap_set_option( NULL, LDAP_OPT_REFERRALS, &referals);
>>
>> As it seems to have no effect, I still get my test code trying to 'follow' the
>> referrals; I also tried putting it as:
>>
>> /* after the ldap_init , using the returned LDAP* */
>> ldap_set_option( ld, LDAP_OPT_REFERRALS, &referals);
>>
>> but still no effect.
>
> Sounds like you're not using OpenLDAP's libldap. What version of LDAP library are you actually using?
>
I'm sorry, I forgot to include the information.
I'm running it on Ubuntu 13.10 with OpenLDAP version:
$ slapd -V
@(#) $OpenLDAP: slapd (Ubuntu) (Oct 8 2013 20:51:43) $
buildd@akateko:/build/buildd/openldap-2.4.31/debian/build/servers/slapd
$ ldapsearch -VV
ldapsearch: @(#) $OpenLDAP: ldapsearch (Ubuntu) (Oct 8 2013 20:50:56) $
buildd@akateko:/build/buildd/openldap-2.4.31/debian/build/clients/tools
(LDAP library: OpenLDAP 20431)
I've also tried/tested on Mac OS X Mountain Lion, OpenLDAP version:
dap $ldapsearch -VV
ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.28 (Jul 4 2013 21:48:28) $
root@b1026.apple.com:/private/var/tmp/OpenLDAP/OpenLDAP-208.5~1/clients/tools
(LDAP library: OpenLDAP 20428)
Both give the same result (at least as far as I can see/follow).
Am I understanding it wrong that after setting LDAP_OPT_REFERRALS to OFF, ldap_search_ext_s() should NOT try to follow the referrals?
thx
>> And doing the same tcpdumping and running ldapsearch -d ... , it appears that
>> ldapsearch, using the same search parameters as my test code, does NOT try to
>> follow the referrals, even getting them back from the server the same as my
>> test code.
>>
>> As additional info, the wireshark summary of the search return packet is
>> something like:
>> No. Time Source Destination Protocol Length Info
>> 97 4.810369000 9.9.9.9 5.5.5.5 LDAP 405
>> searchResEntry(2) "CN=Alonso.Vega,OU=Users,OU=Country,DC=example,DC=dc" |
>> searchResDone(2) Unknown result(9) (Referral:
>> ldap://ForestDnsZones.example.dc/DC=ForestDnsZones,DC=example,DC=dc
>> ldap://DomainDnsZones.example.dc/DC=DomainDnsZones,DC=example,DC=dc
>> ldap://example.dc/CN=Configuration,DC=example,DC=dc) [1 result]
>>
>>
>>
>>
>> Any suggestion/help is very much appreciated on how I could avoid that the search
>> tries to follow the referrals?
>
> Copy the code that the ldapsearch tool uses. You're using obsolete APIs in your code.
I'm looking into the code of mod_ldap (from the proftpd software) to use the asynchronous methodology, but found it will be a little more challenging for my little C and OpenLDAP knowledge.
But if I don't find a way of keeping the synchronous functions (mostly search_ext_s()) from trying to follow the referrals, I'll have to try rewriting the code.
>
>> thx
>> -werner
>>
>>
>
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
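
Added example, not code from this thread or from OpenLDAP: a self-contained model of why the two `&referals` calls quoted above leave referral chasing on. It assumes, from OpenLDAP's ldap.h and options.c, that `LDAP_OPT_OFF` is a null pointer and that `ldap_set_option()` compares the `invalue` pointer for `LDAP_OPT_REFERRALS` against it rather than reading an int through it; every `model_*` name and the three function names are hypothetical.

```c
#include <stdio.h>

/* Self-contained model, no libldap needed; every model_* name is hypothetical.
 * As in OpenLDAP's ldap.h, OFF is a null pointer (ON is a non-null marker),
 * so the pointer passed as invalue is itself the setting. */
#define MODEL_OPT_OFF ((void *)0)

struct model_opts { int chase_referrals; };
static struct model_opts model_global = { 1 };   /* chasing is on by default */

/* A new handle starts as a copy of the global defaults. */
static struct model_opts model_init(void) { return model_global; }

/* ld == NULL targets the global defaults. invalue is compared, never read. */
static void model_set_referrals(struct model_opts *ld, const void *invalue)
{
    struct model_opts *o = ld ? ld : &model_global;
    o->chase_referrals = (invalue != MODEL_OPT_OFF);
}

/* First attempt in the post: &referals on the global defaults, before init. */
int attempt_global_address(void)
{
    int referals = 0;                       /* LDAP_OPT_OFF stored in an int */
    model_set_referrals(NULL, &referals);   /* non-null pointer: chasing stays on */
    return model_init().chase_referrals;
}

/* Second attempt: &referals on the handle returned by init. */
int attempt_handle_address(void)
{
    int referals = 0;
    struct model_opts ld = model_init();
    model_set_referrals(&ld, &referals);    /* same mistake, same result */
    return ld.chase_referrals;
}

/* Passing the OFF constant itself as invalue clears the flag. */
int handle_constant(void)
{
    struct model_opts ld = model_init();
    model_set_referrals(&ld, MODEL_OPT_OFF);
    return ld.chase_referrals;
}

int main(void)
{
    printf("%d %d %d\n", attempt_global_address(), attempt_handle_address(), handle_constant());
    return 0;
}
```

With the real library the corresponding call is `ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF)`, which is the form the ldapsearch tool uses.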