Hi,
I have done more Active Directory tests with the latest API trunk. There are
two things you should know:
1. LDAP over SSL with AD fails when getting big things (such as the AD
schema). It ends up in an endless loop. It is obviously a Mina bug and I
have sent the patch to the mina dev mailing list. However, it might be a good
idea to coordinate with the mina project and switch the API to the fixed
mina version. I believe that this bug may appear in any LDAPS connection
and it is really nasty to diagnose (endless loop, no relevant error, no
log message).
2. Active Directory supports insane DN formats such as
<GUID=ae36bced-d6dd-cb41-a7e9-ef4f9bd59f0d>. Yes, this passes as a DN.
Yes, really like that, including the angle brackets. However
unbelievable it might be, this kind of DN is in fact required to get
some attributes (e.g. msds-memberOfTransitive) as these only appear in
scope=base searches. And this seems to be the only efficient way to
get a scope=base search when all you know is the object GUID. Of course, the
API complained about the format and failed to process it. So I have
committed a patch that tolerates these insane formats when relaxed mode
is set.
--
Radovan Semancik
Software Architect
evolveum.com
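An added example (not code from the mail above or from the Apache Directory API project) showing the two behaviours point 2 describes: a strict DN check that rejects AD's <GUID=...> form, a relaxed one that tolerates it, and the conversion from a raw objectGUID value to the string AD expects in that form. Function names are hypothetical, the RFC 4514 check is deliberately simplified, and acceptance of the hyphen-less hex spelling of the GUID is an assumption.

```python
import re
import uuid

# Simplified RFC 4514 shape, e.g. "CN=Alice,DC=example,DC=com"
# (no escaped commas or multi-valued RDNs; enough for the demonstration).
RFC4514_RE = re.compile(r'^\s*[A-Za-z][\w-]*=[^,]+(?:,\s*[A-Za-z][\w-]*=[^,]+)*\s*$')

# AD's "bind by GUID" DN form: <GUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx>.
# Assumption: the 32 hex digits without dashes are accepted as well.
GUID_DN_RE = re.compile(
    r'^<GUID=([0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12})>$',
    re.IGNORECASE,
)


def parse_dn(dn: str, relaxed: bool = False) -> dict:
    """Classify a DN. Strict mode accepts only the RFC 4514 shape; relaxed
    mode additionally tolerates AD's <GUID=...> form, as the patched API does."""
    m = GUID_DN_RE.match(dn)
    if m:
        if not relaxed:
            raise ValueError(f"non-standard DN rejected in strict mode: {dn}")
        return {"kind": "guid", "guid": str(uuid.UUID(m.group(1)))}
    if RFC4514_RE.match(dn):
        return {"kind": "rfc4514", "dn": dn.strip()}
    raise ValueError(f"malformed DN: {dn}")


def is_accepted(dn: str, relaxed: bool = False) -> bool:
    """True if parse_dn() accepts the DN under the given mode."""
    try:
        parse_dn(dn, relaxed)
        return True
    except ValueError:
        return False


def guid_dn_from_object_guid(object_guid: bytes) -> str:
    """Build the <GUID=...> DN from a raw 16-byte objectGUID attribute value.
    AD stores objectGUID in Microsoft's mixed-endian layout, so the bytes must be
    read with bytes_le; reading them as a network-order UUID yields a wrong DN."""
    if len(object_guid) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return f"<GUID={uuid.UUID(bytes_le=object_guid)}>"


def transitive_membership_search(object_guid: bytes) -> dict:
    """Parameters of the scope=base search that makes msDS-memberOfTransitive
    visible when only the object's GUID is known."""
    return {"base": guid_dn_from_object_guid(object_guid), "scope": "base",
            "filter": "(objectClass=*)", "attributes": ["msDS-memberOfTransitive"]}
```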