I'm using openldap-2.4.18 as a client to bind and asynchronously search an active directory server.
I have a domain, example.com, that has two domain controllers: one.example.com, and two.example.com.
The ip of one.example.com is 12.34.56.1 The ip of two.example.com is 12.34.56.2
The reverse mapping of 12.34.56.1 is one.example.com The reverse mapping of 12.34.56.2 doesn't exist
-----
/ nslookup one.example.com Server: 12.34.56.99 Address 1: 12.34.56.99 dns1.example.com
Name: one.example.com Address 1: 12.34.56.1 one.example.com
/ nslookup two.example.com Server: 12.34.56.99 Address 1: 12.34.56.99 dns1.example.com
Name: two.example.com Address 1: 12.34.56.2
/ nslookup example.com Server: 12.34.56.99 Address 1: 12.34.56.99 dns1.example.com
Name: example.com Address 1: 12.34.56.2 Address 2: 12.34.56.1 one.example.com
/ nslookup 12.34.56.2 Server: 12.34.56.99 Address 1: 12.34.56.99 dns1.example.com
Name: 12.34.56.2 Address 1: 12.34.56.2
/ nslookup 12.34.56.1 Server: 12.34.56.99 Address 1: 12.34.56.99 dns1.example.com
Name: 12.34.56.1 Address 1: 12.34.56.1 one.example.com
/
-----
I have given openldap a "rebind proc" to use when chasing the referrals.
I do a sasl gssapi bind to one.example.com, which succeeds.
I do a search, which returns three referrals: DomainDnsZones.example.com ForestDnsZones.example.com example.com
openldap looks up these three names and gets 12.34.56.2, which doesn't reverse map to anything.
Then I get error messages for each referral:
May 27 16:26:18 xyz: GSSAPI Error: Miscellaneous failure (see text) (Server (krbtgt/23.56.2@EXAMPLE.COM) unknown) May 27 16:26:18 xyz: GSSAPI Error: Miscellaneous failure (see text) (Server (krbtgt/23.56.2@EXAMPLE.COM) unknown) May 27 16:26:18 xyz: GSSAPI Error: Miscellaneous failure (see text) (Server (krbtgt/23.56.2@EXAMPLE.COM) unknown)
Then openldap hangs forever; I never get a LDAP_RES_SEARCH_RESULT.
-----
If I modify my DNS server to return 12.34.56.1 first instead of 12.34.56.2, then everything works perfectly. If I don't chase referrals, then everything works perfectly minus chasing referrals of course. If I use "normal" binding instead of sasl gssapi, then everything works perfectly. If I use openldap's syncronous search instead of asyncronously polling with ldap_result, then the call times out and returns.
I half-expected openldap to not be able to bind to the referrals, but still fail quickly and return. I don't understand why the ldap search never finishes. (I never get a LDAP_RES_SEARCH_RESULT) I did get a LDAP_RES_SEARCH_REFERENCE and a LDAP_NO_RESULTS_RETURNED, but those dont signify the search has finished, right?
I've attached the ldap debugging. You'll see at the end the repeated calls to ldap_result with timeouts of 10 seconds. I don't know how to read them exactly, but the status seems to be "RequestCompleted" ?
-----
17:20:50.530 ldap_result ld 0x10097060 msgid 5 17:20:50.530 wait4msg ld 0x10097060 msgid 5 (timeout 10000000 usec) 17:20:50.530 wait4msg continue ld 0x10097060 msgid 5 all 2 17:20:50.530 ** ld 0x10097060 Connections: 17:20:50.530 * host: one.example.com port: 389 (default) 17:20:50.530 refcnt: 1 status: Connected 17:20:50.530 last used: Wed May 26 17:19:59 2010
17:20:50.530 17:20:50.530 ** ld 0x10097060 Outstanding Requests: 17:20:50.530 * msgid 5, origid 5, status RequestCompleted 17:20:50.530 outstanding referrals 0, parent count 0 17:20:50.530 ld 0x10097060 request count 1 (abandoned 0) 17:20:50.530 ** ld 0x10097060 Response Queue: 17:20:50.530 Empty 17:20:50.530 ld 0x10097060 response count 0 17:20:50.530 ldap_chkResponseList ld 0x10097060 msgid 5 all 2 17:20:50.530 ldap_chkResponseList returns ld 0x10097060 NULL 17:20:50.530 ldap_int_select
-----
I got the latest 2.4.22 release and grabbed the majority of the changes, but the hang remains.
You can see the full debugging information in the attached txt file.
I'm asking if the forever hang could be a bug in openldap, or perhaps I'm doing something wrong?
Thanks, - Jeremiah
openldap-technical@openldap.org
-
Jeremiah Martell