Avoid DNS lookup when chasing LDAP referrals

  • Question

  • Hi all,

    I'm using the Windows LDAP API (Windows 2003 server machine) to perform LDAP queries on LDAP directories (AD, Sun One, etc.).
    My server does not have access to a DNS server, and so far I've managed for everything to work using local resolution (in the etc\hosts file).

    However, I'm now trying to enable LDAP referrals support, and am facing some issues, as I simply cannot seem to prevent the API from performing DNS lookups whenever a referral is returned from the server.

    My currently working (though non-referral-chasing) code looks like this:

    01 LDAP* ld = ldap_sslinit(...);                // host/port arguments elided in the original
    02 if (ld == NULL) return 1;                    // no session handle, nothing else can work
    03 LDAPMessage* res = NULL;                     // receives the search result
    04 ULONG version = LDAP_VERSION3;
    05 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
    06 struct l_timeval lTimeout = { 30, 0 };       // search timeout: 30 seconds (assumed value)
    07 ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
    08 string stQuery = "(objectClass=*)";          // filter was not shown in the original; assumed
    09 ldap_bind_s(ld,"cn=administrator,cn=users,dc=mydc,dc=com",
    10                      "MyPassword",LDAP_AUTH_SIMPLE);
    11
    12 string stSearchBaseContext="DC=mydc,DC=com";
    13
    14 ULONG ulRc = ldap_search_st(ld, (PCHAR)(stSearchBaseContext.c_str()),
    15                            LDAP_SCOPE_SUBTREE,
    16                            (PCHAR)(stQuery.c_str()), NULL, 0, &lTimeout, &res);
    17
    18 ULONG ulEntries = ldap_count_entries(ld, res);
    19
    20 printf("Number of entries: %lu.\n", ulEntries);  // ULONG needs %lu, not %d

    First, I changed my base context to something in a subdomain, e.g. changed line 12:

    string stSearchBaseContext="DC=childdc,DC=mydc,DC=com";

    Then, as expected, my ldap_search_st returned LDAP_REFERRAL (0x0a).

    So, next I turned on referrals chasing by altering line 7:

    ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON);

    Now, my ldap_search_st simply hangs until the timeout expires, and then returns the 0x01 error code, which is LDAP_OPERATIONS_ERROR, which means something went terribly wrong.

    So I used the Wireshark sniffer to see what was going on, and found out my client machine tries to access the DNS:

    Standard query SRV _ldap._tcp.Default-First-Site-Name._sites.childdc.infradc.com

    From there on out, whatever I tried, I couldn't get it to not access the DNS in order to query the SRV record.
    I tried adding the following two lines, to no avail:

    ldap_set_option(ld, LDAP_OPT_AREC_EXCLUSIVE, LDAP_OPT_ON);
    ldap_set_option(ld, LDAP_OPT_GETDSNAME_FLAGS, DS_IS_DNS_NAME);

    I also tried tinkering with my etc\hosts file, which also had absolutely no effect.

    It's important to note that I've added the hostname in my etc\hosts file, and ping childdc.infradc.com works perfectly (while nslookup fails, obviously).

    Am I missing something? Is it possible to prevent the Windows LDAP API from looking up DNS during referrals chase?

    Any help / documentation references would be greatly appreciated.

    Thanks,
     G.

    • Moved by Nancy Shao Tuesday, November 24, 2009 9:10 AM not a VC question (From: Visual C++ General)
    Thursday, November 19, 2009 1:26 PM
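One way around the library's SRV lookup, added here as an example and not taken from the thread or from the Windows LDAP API itself: leave LDAP_OPT_REFERRALS off (so ldap_search_st returns LDAP_REFERRAL, as observed above), pull the referral URLs out of the result with ldap_parse_result, and parse them in the client so the host name can be resolved through etc\hosts and opened with a fresh ldap_sslinit. A referral sends the client, credentials and all, to whatever host the server names, so the example also checks the host against the DNS suffixes the client has pinned locally before it is followed. The parser below is portable C; the wldap32 calls are assumed to sit around it.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
/* Pieces of an LDAP referral URL, RFC 4516 form ldap://host[:port]/dn[?...].
   Added example, not from the post: the client pulls the host out itself so it
   can resolve it through etc\hosts rather than rely on the library's SRV lookup. */
struct ldap_ref { char host[256]; int port; int ssl; char base_dn[512]; };
/* Returns 1 and fills *out, or 0 if the URL is not a well-formed referral. */
int parse_ldap_referral(const char *url, struct ldap_ref *out)
{
    const char *p, *slash, *q;
    char *colon;
    size_t len;
    memset(out, 0, sizeof *out);
    if (!strncmp(url, "ldap://", 7))       { p = url + 7; out->port = 389; }
    else if (!strncmp(url, "ldaps://", 8)) { p = url + 8; out->port = 636; out->ssl = 1; }
    else return 0;
    slash = strchr(p, '/');
    len = slash ? (size_t)(slash - p) : strlen(p);
    if (len == 0 || len >= sizeof out->host) return 0;
    memcpy(out->host, p, len); out->host[len] = '\0';
    if ((colon = strchr(out->host, ':')) != NULL) {   /* explicit port given */
        long port = strtol(colon + 1, NULL, 10);
        if (port <= 0 || port > 65535) return 0;
        out->port = (int)port; *colon = '\0';
    }
    if (!slash) return 1;                 /* no DN: caller keeps its own base */
    p = slash + 1;
    q = strchr(p, '?');                   /* attrs?scope?filter follow the DN */
    len = q ? (size_t)(q - p) : strlen(p);
    if (len >= sizeof out->base_dn) return 0;
    memcpy(out->base_dn, p, len); out->base_dn[len] = '\0';
    return 1;
}

/* Case-insensitive check that host ends in ".<suffix>" for one of the pinned
   DNS suffixes, so only referrals into locally resolvable domains are followed. */
int referral_host_allowed(const char *host, const char *const *suffixes, size_t n)
{
    size_t i, k, hl = strlen(host);
    for (i = 0; i < n; i++) {
        size_t sl = strlen(suffixes[i]);
        if (hl <= sl || host[hl - sl - 1] != '.') continue;
        for (k = 0; k < sl; k++)
            if (tolower((unsigned char)host[hl - sl + k]) !=
                tolower((unsigned char)suffixes[i][k])) break;
        if (k == sl) return 1;
    }
    return 0;
}
```

With the host and base DN in hand, the client re-runs the same search against a session opened for out->host on out->port, which is where the hosts-file entry takes effect.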
