Hi, Matthieu,

Just a quick note that I'm closing in on this issue. From a review of the code that is servicing this request, I believe the issue is that there is a cascade of checks that we do and in the case where you do not provide LDAP_DIRSYNC_OBJECT_SECURITY, we fail a preliminary safety check with LDAP_INSUFFICIENT_RIGHTS (0x32/50d). If we pass that check, we then get to the code that is specific to 3.1.1.3.4.1.3 LDAP_SERVER_DIRSYNC_OID text "If the base of the search is not the root of an NC, the server will return the error unwillingToPerform".

I have a Windows-to-Windows environment set up and a test program that I am in the process of using to confirm this hypothesis.

Bryan

-----Original Message-----
From: Matthieu Patou [mailto:[email protected]]
Sent: Monday, January 31, 2011 1:43 PM
To: Interoperability Documentation Help; [email protected]; [email protected]
Subject: server behavior with dirsync control when the search base is not a root of a nc

Dear doc team,

I have some questions related to the behavior of w2k8r2 vs what is described in the documentation.

MS-ADTS.pdf at paragraph "3.1.1.3.4.1.3 LDAP_SERVER_DIRSYNC_OID" says:

"If the base of the search is not the root of an NC, the server will return the error unwillingToPerform ([RFC2251] section 4.1.10). If the search scope is not subtree scope, the server will treat the search as if subtree scope was specified."

If I do a search with ldbsearch with LDAP_DIRSYNC_OBJECT_SECURITY not set like this on the base "CN=Users,DC=w2k8r2,DC=home,dc=matws,dc=net":

mat@ares:/usr/local/src/samba4/source4$ ./bin/ldbsearch --controls="dirsync:1:0:1000" -H ldap://172.16.100.25 -U administrator%totoTATA123 '(samaccountname=simple)' -b "CN=Users,DC=w2k8r2,DC=home,dc=matws,dc=net"

I get

search error - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002105: LdapErr: DSID-0C0908C0, comment: Error processing control, data 0, v1db0> <>

I suppose I should have unwilling_to_perform

If I set the LDAP_DIRSYNC_OBJECT_SECURITY flag with the same user and the same base:

mat@ares:/usr/local/src/samba4/source4$ ./bin/ldbsearch --controls="dirsync:1:1:1000" -H ldap://172.16.100.25 -U administrator%totoTATA123 '(samaccountname=simple)' -b "CN=Users,DC=w2k8r2,DC=home,dc=matws,dc=net"

Then I correctly get the "unwilling_to_perform" error.

search error - LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <000020F7: LdapErr: DSID-0C0908F3, comment: Error processing control, data 0, v1db0> <>

Can you explain if I missed something in the doc or if the doc is not accurate?

Regards
Matthieu.

--
Matthieu Patou
Samba Team http://samba.org
Private repo http://git.samba.org/?p=mat/samba.git;a=summary

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
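
An added example, not part of either message and not Samba or Microsoft code: a Python parser for the server diagnostic strings in the two ldbsearch errors quoted above, useful when triaging which check in the cascade rejected a DirSync request. It goes slightly beyond the thread by mapping the leading hex field to its Win32 error name from winerror.h, which the messages do not spell out; the function, table and sample-list names are hypothetical.

```python
import re

# Win32 directory-service error names (winerror.h) for the two codes that
# appear in the thread. This mapping is added here, not stated in the messages.
WIN32_DS_ERRORS = {
    0x2105: "ERROR_DS_DRA_ACCESS_DENIED",  # 8453
    0x20F7: "ERROR_DS_DRA_BAD_DN",         # 8439
}

# Shape of the error line ldbsearch prints when AD returns a diagnostic message.
DIAG_RE = re.compile(
    r"LDAP error (?P<ldap_code>\d+) (?P<ldap_name>\w+) - "
    r"<(?P<win32>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]{8}), "
    r"comment: (?P<comment>[^,]*), data (?P<data>[0-9A-Fa-f]+), (?P<ver>\w+)>"
)

def parse_ldap_diag(line):
    """Return the fields of an AD LdapErr diagnostic, or None if absent."""
    m = DIAG_RE.search(line)
    if m is None:
        return None
    win32 = int(m.group("win32"), 16)
    return {
        "ldap_code": int(m.group("ldap_code")),
        "ldap_name": m.group("ldap_name"),
        "win32_code": win32,
        "win32_name": WIN32_DS_ERRORS.get(win32, "UNKNOWN"),
        "dsid": m.group("dsid").upper(),      # identifies the server code site
        "comment": m.group("comment").strip(),
        "data": int(m.group("data"), 16),
    }

# The two error lines quoted in the thread, plus one constructed line that
# carries no server diagnostic (the parser must return None for it).
SAMPLES = [
    "search error - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002105: LdapErr: DSID-0C0908C0, comment: Error processing control, data 0, v1db0> <>",
    "search error - LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <000020F7: LdapErr: DSID-0C0908F3, comment: Error processing control, data 0, v1db0> <>",
    "search error - LDAP error 32 LDAP_NO_SUCH_OBJECT - <> <>",  # constructed
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_ldap_diag(sample))
```

The two requests in the thread differ only in the flags field of the control and are rejected at different DSIDs with different Win32 codes.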
