
I have an application where I use SASL (Kerberos) to bind to LDAP. In this case the ldap_search_s function returns an operations error when I use the root as the base DN. For example, if base_dn="DC=AD" and the filter is (cn=administrator), ldap_search_s returns 1. ldap_search_s works as expected when I use the same filter with base_dn = "OU=OMD,DC=AD" (it also works with any other sub-entry in the tree used as the base DN). I don't see the same issue when I use the ldap_simple_bind_s function to bind to the server. Could you please help me understand what I am doing wrong here?

  • What exact error do you receive? – Michael-O Sep 22 '15 at 18:34
  • The return value is 1, so the corresponding error message is "Operations error occurred", which doesn't give enough information on what exactly is wrong there. I did some more testing and here is what I have found. Search succeeds when I use the root as the base DN (DC=AD as the base DN) and LDAP_SCOPE_BASE as the scope parameter. It fails when I use LDAP_SCOPE_ONELEVEL or LDAP_SCOPE_SUBTREE. However, searching in sub-entries works just fine. – Grigor Aleksanyan Sep 22 '15 at 18:39
  • Did you inspect your traffic with Wireshark? You might find logical errors in your approach. Did the SASL interactive bind complete correctly? – Michael-O Sep 22 '15 at 19:16
  • Re the Wireshark, no, I don't use this tool. Actually I am testing on the same host; client and server are on the same host now. I think that the bind has finished successfully because after the third call to ldap_sasl_bind_s I got SUCCESS and the last LDAP error message is not LDAP_SASL_BIND_IN_PROGRESS. One more thing: as there are a number of expressions for which ldap_search_s works correctly, doesn't this mean that the bind finished correctly? – Grigor Aleksanyan Sep 22 '15 at 19:26
  • You should try `ldap_search_ext_s`. This works with a valid `LDAP` to perform a search. I would still highly recommend using Wireshark. – Michael-O Sep 22 '15 at 20:20
  • I have just tested with ldap_search_ext_s; the same issue is observed with it. Re the Wireshark, could you please clarify a bit what I should observe with that tool? – Grigor Aleksanyan Sep 22 '15 at 20:36
  • The proper bind and your search request. You'll see the concrete answer from the server. – Michael-O Sep 22 '15 at 20:41
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/90365/discussion-between-grigor-aleksanyan-and-michael-o). – Grigor Aleksanyan Sep 22 '15 at 20:47

1 Answer


Here is a condensed answer based on our lengthy chat:

Your bind implementation seems sound, though some subtree searches fail. Use Wireshark to see what is really happening. It is highly likely that instead of a proper answer you receive a referral result. The API is probably set to follow it and tries to do so. Since you performed a manual and not an interactive bind, the subsequent internal bind is incomplete and the resolution fails. You can either disable referral chasing and process the stuff manually, or change the connected port to 3268 and use the global catalog. That will give you a complete, read-only view of the forest. No referrals anymore.

Michael-O