And if you want to change references/referrals, I suggest
you consider the async interface so you can better manage
security contexts. -- Kurt
At 05:01 PM 10/8/2006, Pierangelo Masarati wrote:
>Erich Titl wrote:
>>Hi everybody
>>
>>I am trying to fix an authentication plugin for openvpn using the
>>openldap library. I am new to the library, so I may lack some understanding.
>>
>>Here is the situation
>>The openldap version is 2.3.27
>>
>>If I try to find a user with a base dn of
>>
>>"ou=mnd999,dc=asp,dc=ruf,dc=ch"
>>
>>which is the correct base dn for this user, the operation works correctly.
>>
>>If I just use "dc=asp,dc=ruf,dc=ch"
>>
>>the operation times out. I am using subtree search and I can see on a
>>packet dump on the line that there is a reply from the ldap server.
>>
>>The difference between the replies is that in the case of the correct DN
>>just a search entry and a search result message is returned, whereas in
>>the case of the incomplete DN a search entry, a number of search result
>>references and a search result are returned. In both cases, the search
>>result yields success.
>>
>>The code calls
>>
>>    if ((err = ldap_search_ext_s(ldapConn, [base cString],
>>            LDAP_SCOPE_SUBTREE, [filter cString], attrArray, 0, NULL, NULL,
>>            &timeout, 5000, &res)) != LDAP_SUCCESS) {
>>        [TRLog error: "LDAP search failed: %d: %s", err, ldap_err2string(err)];
>>        goto finish;
>>    }
>>
>>This call times out and returns -5.
>>
>>I can provide tcpdump files if needed.
>>
>Sounds like you're getting search references that the LDAP library tries to
>chase (anonymously, which is the default) and during that something times out.
>Since this seems not to be what you need, because the entry you're looking
>for is present, and you don't need to chase any referral, you should tell the
>library not to chase them, and simply return the entry you're looking for. To
>do that, you need to set LDAP_OPT_REFERRALS to LDAP_OPT_OFF using the
>ldap_set_option(3) call (don't get tricked by the trailing (3): such a man page
>never existed, as far as I know ;). Example code may be found in ldapsearch
>code (actually, in clients/tools/common.c) and in the proxy backends of slapd
>in servers/slapd/back-ldap/bind.c.
>
>p.
>
>
>
>Ing. Pierangelo Masarati
>OpenLDAP Core Team
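
The packet dump described in the thread showed search result references in the reply to the broader base DN. As an added example (not code from the thread or from OpenLDAP), the following C code classifies the LDAPMessage PDUs of a reply by protocolOp tag, so a capture can confirm whether references are present before setting LDAP_OPT_REFERRALS to LDAP_OPT_OFF. The function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

struct ldap_counts { int entries, references, done; };

/* Read a BER definite length at buf[*pos]; -1 if truncated or unsupported. */
static int ber_len(const unsigned char *buf, size_t len, size_t *pos, size_t *out) {
    if (*pos >= len) return -1;
    unsigned char b = buf[(*pos)++];
    if (b < 0x80) { *out = b; return 0; }
    size_t n = b & 0x7f;
    if (n == 0 || n > 4 || n > len - *pos) return -1;
    for (*out = 0; n > 0; n--) *out = (*out << 8) | buf[(*pos)++];
    return 0;
}

/* Walk consecutive LDAPMessage PDUs and count each search-response type. */
int classify_search_reply(const unsigned char *buf, size_t len, struct ldap_counts *c) {
    size_t pos = 0, mlen, idlen;
    c->entries = c->references = c->done = 0;
    while (pos < len) {
        if (buf[pos++] != 0x30 || ber_len(buf, len, &pos, &mlen) || mlen > len - pos)
            return -1;                     /* not a complete LDAPMessage SEQUENCE */
        size_t end = pos + mlen;
        if (pos >= end || buf[pos++] != 0x02 || ber_len(buf, end, &pos, &idlen)
            || idlen >= end - pos)
            return -1;                     /* messageID INTEGER missing or truncated */
        switch (buf[pos + idlen]) {        /* protocolOp tag follows the messageID */
        case 0x64: c->entries++;    break; /* SearchResultEntry     [APPLICATION 4]  */
        case 0x73: c->references++; break; /* SearchResultReference [APPLICATION 19] */
        case 0x65: c->done++;       break; /* SearchResultDone      [APPLICATION 5]  */
        }
        pos = end;
    }
    return 0;
}

/* Constructed reply: one entry, two references, then done with resultCode 0. */
static const unsigned char SAMPLE_REPLY[] = {
    0x30,0x0d,0x02,0x01,0x02,0x64,0x08,0x04,0x04,'c','n','=','a',0x30,0x00,
    0x30,0x10,0x02,0x01,0x02,0x73,0x0b,0x04,0x09,'l','d','a','p',':','/','/','h','/',
    0x30,0x10,0x02,0x01,0x02,0x73,0x0b,0x04,0x09,'l','d','a','p',':','/','/','i','/',
    0x30,0x0c,0x02,0x01,0x02,0x65,0x07,0x0a,0x01,0x00,0x04,0x00,0x04,0x00,
};

int main(void) {
    struct ldap_counts c;
    int rc = classify_search_reply(SAMPLE_REPLY, sizeof SAMPLE_REPLY, &c);
    printf("rc=%d entries=%d references=%d done=%d\n", rc, c.entries, c.references, c.done);
    return rc != 0;
}
```

A non-zero reference count with a successful SearchResultDone matches the situation in the thread: the server answered, and any delay comes from the client library following the references.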