Philip,
This does not work with 4.63
Here is a trace with the following command line on Solaris with Exim
compiled against Solaris Lib LDAP
(I am using Solaris 9 with a recent recommended patch list as of August
2006).
# ./bin/exim -d+all -C configure.exim.list -bt r.bannocks@??? 2>ldap.stderr
r.bannocks@??? cannot be resolved at this time:
condition check lookup defer
The output of stderr is attached below. You will see that it returns
return codes 94 and 115, which a grep of /usr/include/ldap.c gives:
# grep '94' /usr/include/ldap.h
#define LDAP_NO_RESULTS_RETURNED 0x5e /* 94 - LDAPv3 */
# grep '115' /usr/include/ldap.h
#define LDAP_RES_SEARCH_REFERENCE 0x73 /* 115 */
And a search for LDAP_RES_SEARCH_REFERENCE and LDAP_RES_SEARCH_REFERENCE
gives
# grep LDAP_RES_SEARCH_REFERENCE /usr/include/ldap.h
#define LDAP_RES_SEARCH_REFERENCE 0x73 /* 115 */
# grep LDAP_RES_SEARCH_RESULT /usr/include/ldap.h
#define LDAP_RES_SEARCH_RESULT 0x65 /* 101 */
The problem seems to be in src/lookups/ldap.c
Here the case of having a LDAP lib which deals with references
(lines 804 to 819) is caught in one place:
/* A return code that isn't -1 doesn't necessarily mean there were no problems
with the search. The message must be an LDAP_RES_SEARCH_RESULT or
LDAP_RES_SEARCH_REFERENCE or else it's something we can't handle. Some versions
of LDAP do not define LDAP_RES_SEARCH_REFERENCE (LDAP v1 is one, it seems). So
we don't provide that functionality when we can't. :-) */
if (rc != LDAP_RES_SEARCH_RESULT
#ifdef LDAP_RES_SEARCH_REFERENCE
    && rc != LDAP_RES_SEARCH_REFERENCE
#endif
   )
  {
  *errmsg = string_sprintf("ldap_result returned unexpected code %d", rc);
  goto RETURN_ERROR;
  }
But at no point later in the code is the reference dealt with and we
end up parsing the (null) results and then getting blown out at (lines
867-891):
if (rc != LDAP_SUCCESS && rc != LDAP_SIZELIMIT_EXCEEDED)
  {
  *errmsg = string_sprintf("LDAP search failed - error %d: %s%s%s%s%s",
    rc,
    (error1 != NULL)? error1 : US"",
    (error2 != NULL && error2[0] != 0)? US"/" : US"",
    (error2 != NULL)? error2 : US"",
    (matched != NULL && matched[0] != 0)? US"/" : US"",
    (matched != NULL)? matched : US"");

#if defined LDAP_NAME_ERROR
  if (LDAP_NAME_ERROR(rc))
#elif defined NAME_ERROR    /* OPENLDAP1 calls it this */
  if (NAME_ERROR(rc))
#else
  if (rc == LDAP_NO_SUCH_OBJECT)
#endif
    {
    DEBUG(D_lookup) debug_printf("lookup failure forced\n");
    error_yield = FAIL;
    }
  goto RETURN_ERROR;
  }
> -----Original Message-----
> From: Philip Hazel [mailto:ph10@hermes.cam.ac.uk]
> Sent: 05 December 2006 09:39
> To: Robert Bannocks
> Cc: Christian Kuehn; exim-users@???
> Subject: Re: [exim] Compiling and using exim with LDAP on
> Solaris with Solarios LDAP libraries
>
> On Mon, 4 Dec 2006, Robert Bannocks wrote:
>
> > The problem turned out to be that Exim cannot handle references coming
> > back from the AD ldap servers.
>
> Which release of Exim? The headers in your message suggest that you are
> using 4.22.
>
> > I hope fixing this is down on the TO-do list for exim.
>
> The ChangeLog for 4.50 contains this entry:
>
> 54. The LDAP lookup was not handling a return of
> LDAP_RES_SEARCH_REFERENCE. A patch that reportedly fixes this has
> been added. I am not expert enough to create a test for it. This is
> what the patch creator wrote:
>
> "I found a little strange behaviour of ldap code when working with
> Windows 2003 AD Domain, where users was placed in more than one
> Organization Units. When I tried to give exim partial DN, the exit
> code of ldap_search was unknown to exim because of
> LDAP_RES_SEARCH_REFERENCE. But simultaneously result of request
> was absolutely normal ldap result, so I produce this patch..."
>
> Later: it seems that not all versions of LDAP support
> LDAP_RES_SEARCH_REFERENCE, so I have modified the code to exclude
> the patch when that macro is not defined.
>
> If you are in fact using 4.50 or later, then it would seem that this
> patch is not working.
>
> General Note to The List: Please try to get into the habit of stating
> which Exim version you are using. It does make it easier to respond.
>
> --
> Philip Hazel University of Cambridge Computing Service
> Get the Exim 4 book: http://www.uit.co.uk/exim-book
>
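
A small model of the message-type handling discussed in this thread, added here as an illustration; it is not code from Exim or from the Solaris LDAP library. It shows a search response being walked so that LDAP_RES_SEARCH_REFERENCE messages are skipped and the result code is read only from the final LDAP_RES_SEARCH_RESULT. The struct names, walk_search() and the sample data are hypothetical and constructed; 0x64 for LDAP_RES_SEARCH_ENTRY is the standard value and is not quoted in the message.

```c
#include <stdio.h>
#include <stddef.h>

/* Message types returned by ldap_result(); 0x65 and 0x73 are the values
   grepped from ldap.h above, 0x64 is the standard LDAP_RES_SEARCH_ENTRY. */
enum { RES_SEARCH_ENTRY = 0x64, RES_SEARCH_RESULT = 0x65,
       RES_SEARCH_REFERENCE = 0x73 };
/* Result codes, a separate number space from the message types. */
enum { RC_SUCCESS = 0, RC_NO_RESULTS_RETURNED = 0x5e };

/* Hypothetical stand-in for one message of a search response. */
struct msg { int type; int result_code; };
struct outcome { int entries, referrals, rc; };

/* Count entries, skip referrals, and take the result code only from the
   terminating SEARCH_RESULT. Returns 0 when that message was seen, -1 on an
   unknown message type or when the messages ran out first. */
int walk_search(const struct msg *m, size_t n, struct outcome *out)
{
  size_t i;
  out->entries = out->referrals = 0;
  out->rc = RC_NO_RESULTS_RETURNED;   /* model's default: no result seen yet */
  for (i = 0; i < n; i++)
    switch (m[i].type)
      {
      case RES_SEARCH_ENTRY:     out->entries++;   break;
      case RES_SEARCH_REFERENCE: out->referrals++; break;
      case RES_SEARCH_RESULT:    out->rc = m[i].result_code; return 0;
      default:                   return -1;
      }
  return -1;
}

/* Constructed sample: one entry, two referrals, then the final result. */
static const struct msg SAMPLE[] = {
  { RES_SEARCH_REFERENCE, 0 }, { RES_SEARCH_ENTRY, 0 },
  { RES_SEARCH_REFERENCE, 0 }, { RES_SEARCH_RESULT, RC_SUCCESS } };
static struct outcome OUT;

int main(void)
{
  int ok = walk_search(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0], &OUT);
  printf("ok=%d entries=%d referrals=%d rc=%d\n",
         ok, OUT.entries, OUT.referrals, OUT.rc);
  return ok == 0 ? 0 : 1;
}
```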