Just pinging the mailing list again.

I'm hoping someone has some advice or guidance on this.

Thanks,
 - Jeremiah

---------- Forwarded message ----------
From: Jeremiah Martell <inlovewithgod@gmail.com>
Date: Thu, May 27, 2010 at 3:42 PM
Subject: ldap search hangs forever
To: openldap-technical@openldap.org


I'm using openldap-2.4.18 as a client to bind and asynchronously search an active directory server.

I have a domain, example.com, that has two domain controllers: one.example.com, and two.example.com.

The ip of one.example.com is 12.34.56.1
The ip of two.example.com is 12.34.56.2

The reverse mapping of 12.34.56.1 is one.example.com
The reverse mapping of 12.34.56.2 doesn't exist

-----

/ nslookup one.example.com
Server:    12.34.56.99
Address 1: 12.34.56.99 dns1.example.com

Name:      one.example.com
Address 1: 12.34.56.1 one.example.com



/ nslookup two.example.com
Server:    12.34.56.99
Address 1: 12.34.56.99 dns1.example.com

Name:      two.example.com
Address 1: 12.34.56.2



/ nslookup example.com
Server:    12.34.56.99
Address 1: 12.34.56.99 dns1.example.com

Name:      example.com
Address 1: 12.34.56.2
Address 2: 12.34.56.1 one.example.com



/ nslookup 12.34.56.2
Server:    12.34.56.99
Address 1: 12.34.56.99 dns1.example.com

Name:      12.34.56.2
Address 1: 12.34.56.2



/ nslookup 12.34.56.1
Server:    12.34.56.99
Address 1: 12.34.56.99 dns1.example.com

Name:      12.34.56.1
Address 1: 12.34.56.1 one.example.com

/

-----

I have given openldap a "rebind proc" to use when chasing the referrals.

I do a sasl gssapi bind to one.example.com, which succeeds.

I do a search, which returns three referrals:
  DomainDnsZones.example.com
  ForestDnsZones.example.com
  example.com

openldap looks up these three names and gets 12.34.56.2, which doesn't reverse map to anything.

Then I get error messages for each referral:

May 27 16:26:18 xyz: GSSAPI Error:  Miscellaneous failure (see text) (Server (krbtgt/23.56.2@EXAMPLE.COM) unknown)
May 27 16:26:18 xyz: GSSAPI Error:  Miscellaneous failure (see text) (Server (krbtgt/23.56.2@EXAMPLE.COM) unknown)
May 27 16:26:18 xyz: GSSAPI Error:  Miscellaneous failure (see text) (Server (krbtgt/23.56.2@EXAMPLE.COM) unknown)

Then openldap hangs forever; I never get a LDAP_RES_SEARCH_RESULT.

-----

If I modify my DNS server to return 12.34.56.1 first instead of 12.34.56.2, then everything works perfectly.
If I don't chase referrals, then everything works perfectly minus chasing referrals of course.
If I use "normal" binding instead of sasl gssapi, then everything works perfectly.
If I use openldap's syncronous search instead of asyncronously polling with ldap_result, then the call times out and returns.

I half-expected openldap to not be able to bind to the referrals, but still fail quickly and return.
I don't understand why the ldap search never finishes. (I never get a LDAP_RES_SEARCH_RESULT)
I did get a LDAP_RES_SEARCH_REFERENCE and a LDAP_NO_RESULTS_RETURNED, but those dont signify the search has finished, right?

I've attached the ldap debugging. You'll see at the end the repeated calls to ldap_result with timeouts of 10 seconds.
I don't know how to read them exactly, but the status seems to be "RequestCompleted" ?

-----

17:20:50.530 ldap_result ld 0x10097060 msgid 5
17:20:50.530 wait4msg ld 0x10097060 msgid 5 (timeout 10000000 usec)
17:20:50.530 wait4msg continue ld 0x10097060 msgid 5 all 2
17:20:50.530 ** ld 0x10097060 Connections:
17:20:50.530 * host: one.example.com  port: 389  (default)
17:20:50.530   refcnt: 1  status: Connected
17:20:50.530   last used: Wed May 26 17:19:59 2010

17:20:50.530
17:20:50.530 ** ld 0x10097060 Outstanding Requests:
17:20:50.530  * msgid 5,  origid 5, status RequestCompleted
17:20:50.530    outstanding referrals 0, parent count 0
17:20:50.530   ld 0x10097060 request count 1 (abandoned 0)
17:20:50.530 ** ld 0x10097060 Response Queue:
17:20:50.530    Empty
17:20:50.530   ld 0x10097060 response count 0
17:20:50.530 ldap_chkResponseList ld 0x10097060 msgid 5 all 2
17:20:50.530 ldap_chkResponseList returns ld 0x10097060 NULL
17:20:50.530 ldap_int_select

-----

I got the latest 2.4.22 release and grabbed the majority of the changes, but the hang remains.

You can see the full debugging information in the attached txt file.

I'm asking if the forever hang could be a bug in openldap, or perhaps I'm doing something wrong?

Thanks,
 - Jeremiah