Open iinuwa opened 3 years ago
Workaround:
Add the following line:
REFERRALS off
to one of the OpenLDAP config files:
system file /usr/local/etc/openldap/ldap.conf,
user files $HOME/ldaprc, $HOME/.ldaprc, ./ldaprc
Thanks for logging this @iinuwa and thanks @prcdpr for providing a workaround. Ideally we would want the library itself to handle this as opposed to having to tamper with a setting of openldap, so it would be great to be able to fix this, especially since it is pretty common to perform searches at the root of the directory. At the bare minimum, I think we should at least throw a comprehensive error when you hit this issue so it is easier to understand from the consumer side when the issue is that you are searching at the root of the directory, since debugging and getting to the root cause is very complex.
Here is another option or possibility to updating the ldap.conf file.
Add this to your code:
SearchOptionsControl soc = new SearchOptionsControl(System.DirectoryServices.Protocols.SearchOption.DomainScope);
request.Controls.Add(soc);
I got it from here: https://stackoverflow.com/questions/10336553/system-directoryservices-protocols-paged-get-all-users-code-suddenly-stopped-get
Thanks for the reply. I think your workaround is addressing a different issue. If you don't need referrals, then you can disable it with LdapConnection.SessionOptions.ReferralChasing = ReferralChasingOptions.None.
However, if you do need to follow referrals, it currently can't work on Linux if your directory requires authentication due to this API mismatch between S.DS.P and OpenLDAP.
@iinuwa A note to your last comment:
@prcdpr Just a note: I found that updating the system file, /usr/local/etc/openldap/ldap.conf, with [REFERRALS off] did not work for me running .Net on an Alpine Linux container; I had to put the [REFERRALS off] in the file /etc/ldap/ldap.conf to get it to work...
I had the same error you communicated in the 1st post to this issue. I am running .Net on an Alpine Linux container and from what I understand, communicated through this GitHub issue, this option, [ReferralChasing = ReferralChasingOptions.None], does not work on Linux.
Interesting, we use this in production, but I may have modified some code locally to make it work. I'll try to remember to check tomorrow.
I think in either case that is a separate problem from this one that deserves its own issue so it doesn't get lost in this one (which is about modifying referral callbacks, not requesting referrals not to be sent, nor disabling referral chasing).
The System.DirectoryServices.Protocols API for setting referral callbacks aligns with how the Windows LDAP library works, but . This prevents consumers from using LDAP referrals on Linux. See below for more analysis:
Originally posted by @makrattaur in https://github.com/dotnet/runtime/issues/44826#issuecomment-777963933
Hi, I am also running into this issue and I am able to reproduce with ldapsearch. I am using Microsoft Active Directory as the LDAP server (which has the behaviour described).
I have changed the query so it returns one match and one property only so the ldapsearch output is shorter.
On any other DN other than the base DN, the result looks like this:
But on the root DN, the result looks like this:
The difference between the two is that referrals are returned. They can also be seen in the first comment in this issue after the line `Response.Error Message: Referral:` in the exception details; ForestDnsZones and DomainDnsZones are usually Active Directory specific. By default, ldapsearch does not follow referrals; the option `-C` enables referral following:
So I can get the operation error using ldapsearch. (The option is in fact obsolete, see here, it's not documented.)
Trying to understand what is happening, I turned on debug logging for ldapsearch (`-d 1`), indicated a SASL mechanism so it's easier to see in the debug log (`-Y GSSAPI`), redirected the debug log to stdout and filtered the output with `grep -B 10 -A 5 ldap_pvt_connect`. I get the following output:
OpenLDAP seems to follow referrals unauthenticated by default and Active Directory seems to accept the anonymous bind done in this case but gives an error on the first request done on the connection (the errors are further in the output but mixed together).
Callbacks are set with `LdapConnection.SessionOptions.ReferralCallback` and this property contains three delegates which match the ones in the structure `LDAP_REFERRAL_CALLBACK` (see here), and the structure is passed to `ldap_set_option` with `LDAP_OPT_REFERRAL_CALLBACK` to set them on a LDAP connection object. But OpenLDAP does not support this structure and option; it only has one callback, which is set with `ldap_set_rebind_proc` and is for rebinds only. There are no multiple callbacks, so setting the property causes a LDAP exception when checking the error code of `ldap_set_option`.
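As an added example (not code from this issue or from dotnet/runtime), here is a root-of-directory search that keeps referral handling out of the native library, which is the situation the analysis above describes: chasing is turned off, so the partition referrals (ForestDnsZones, DomainDnsZones) come back in `SearchResponse.References` instead of triggering OpenLDAP's unauthenticated follow-up bind, and the caller can follow them with its own authenticated connection. The host, port, credential, `AuthType.Negotiate` and the `SearchRoot` helper name are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Net;

static class RootSearch
{
    // Hypothetical helper: searches the naming context root and returns the
    // matching DNs together with any referral URIs the server handed back.
    public static (List<string> Dns, List<Uri> Referrals) SearchRoot(
        string host, string rootDn, NetworkCredential credential, string filter)
    {
        // Assumed connection parameters; adjust for the target directory.
        var identifier = new LdapDirectoryIdentifier(host, 389);
        using var connection = new LdapConnection(identifier, credential, AuthType.Negotiate);
        connection.SessionOptions.ProtocolVersion = 3;

        // Do not let the native library chase referrals. On Linux (OpenLDAP) the
        // chase is anonymous and the first request on that connection fails with
        // an operations error; ReferralCallback is not supported there either.
        connection.SessionOptions.ReferralChasing = ReferralChasingOptions.None;
        connection.Bind();

        // Ask only for distinguishedName to keep the response small.
        var request = new SearchRequest(rootDn, filter, SearchScope.Subtree, "distinguishedName");
        var response = (SearchResponse)connection.SendRequest(request);

        var dns = new List<string>();
        foreach (SearchResultEntry entry in response.Entries)
        {
            dns.Add(entry.DistinguishedName);
        }

        // With chasing disabled, referrals arrive as SearchResultReference objects
        // rather than as an exception; each carries one or more LDAP URIs.
        var referrals = new List<Uri>();
        foreach (SearchResultReference reference in response.References)
        {
            referrals.AddRange(reference.Reference);
        }

        return (dns, referrals);
    }
}
```

Whether to open a second, authenticated connection to each referral URI is then an application decision, rather than something done silently and anonymously by the library.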