Please excuse replying to my own post, and the top-posting... I think
I've cracked it and this may help someone else out.

Oli wrote:
>
> What I have worked out today is it is to do with the search base: I
> have many OUs in my AD, and if I set it to EXACTLY the right search base
> ('OU=Users,OU=Horsham Group,DC=willsandco,DC=com') then I get one result
> back and all is well with the world - on BOTH old and new versions.
>
> If I set the searchbase to 'DC=willsandco,DC=com', authldap fails
> outright on new one and becomes intermittent on the old.
>
> Doing each search using ldapsearch gives me a small clue: I can use
> either base and get a response, BUT the wider search base tells me there
> were actually 5 responses:

This was the clue - the AD server is giving us referrals which need
chasing. After much putting of debug code in courier-authlib and
general hacking around, I found the options being passed were all the
same as for ldapsearch, but the way it works is a little different.

I started setting various LDAP_ options for debugging, restarting failed
connections etc, and also printing out the error responses from
ldap_search_ext_s (useless - just tells me 'Operations Error').

Then I stumbled across this in the manual page:

"The LDAP libraries with the LDAP_OPT_REFERRALS option set to
LDAP_OPT_ON (default value) automatically follow referrals using an
anonymous bind. Application developers are encouraged to either
implement consistent referral chasing features, or explicitly disable
referral chasing by setting that option to LDAP_OPT_OFF."

As soon as I set the option for not implicitly chasing referrals, I get
the correct result.

So basically, I need to allow anonymous binds to my AD, or for
Courier-authlib to not implicitly chase referrals, or for it to
explicitly chase but rebind properly to each URL.

If I get a chance, I'll try to patch in an option for turning off
implicit referral chasing from the config file.

Hope this is useful to someone :-)

Cheers,
-Oli
--
Oli Comber
Systems Developer
3aIT Limited - Official Corporate Sponsor of the British Bobsleigh Team
4-10 Barttelot Rd Horsham West Sussex RH12 1DQ
M: +44 (0)77255 82405 T: +44 (0)870 881 5097 F: +44 (0)870 116 0793
3aIT Limited is a company registered in England and Wales.
CoReg: 3866698 VATReg: 771388600
Visit www.3aIT.co.uk for Design, Systems, Support
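
An added example, not part of the original post or of Courier-authlib: a small parser that separates real entries from search references in ldapsearch output, so you can see which hosts a client with LDAP_OPT_REFERRALS left on would contact with an anonymous bind. The sample output, the example.com domain and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed, abridged ldapsearch output for a domain-root search base on a
# hypothetical AD domain example.com (not output from the original post).
SAMPLE = """\
# base <DC=example,DC=com> with scope subtree
# jdoe, Users, Horsham Group, example.com
dn: CN=jdoe,OU=Users,OU=Horsham Group,DC=example,DC=com
mail: jdoe@example.com

# search reference
ref: ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com

# search reference
ref: ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com

# search reference
ref: ldap://example.com/CN=Configuration,DC=exa
 mple,DC=com

# numResponses: 5
"""

def unfold(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def summarize(text):
    """Return (entry DNs, referral targets) found in ldapsearch output."""
    entries, referrals = [], []
    for line in unfold(text):
        if line.startswith("dn: "):
            entries.append(line[4:])
        elif line.startswith("ref: "):
            url = urlsplit(line[5:].strip())
            referrals.append((url.hostname, unquote(url.path.lstrip("/"))))
    return entries, referrals

def chase_targets(text):
    """Hosts a client that follows referrals automatically would contact."""
    return sorted({host for host, _ in summarize(text)[1]})

if __name__ == "__main__":
    entries, referrals = summarize(SAMPLE)
    print(len(entries), "entry,", len(referrals), "referrals ->", chase_targets(SAMPLE))
```

In the constructed sample, one entry plus three search references plus the final search result add up to the five responses that ldapsearch reports.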