ldap_search_s fails when I use root as a base_dn and member:1.2.840.113556.1.4.1941:=... as a filter after binding to ldap_server using SASL (Kerberos)

  • Question

  • Hi all,

    I have implemented a handshaking process to bind to ldap_server using SASL authentication with Kerberos credentials. After binding, I try to get all groups for the authenticated user using the (member:1.2.840.113556.1.4.1941:=...) syntax as a filter and specifying the root DN (in the example "DC=AD") as the distinguished name of the entry at which to start the search. In this case ldap_search_s fails! If I use something like "OU=OMD3,DC=AD" as the distinguished name of the entry at which to start the search, ldap_search_s works as expected.
    So it seems that the problem occurs only if I use the root as the base DN for the search. I don't observe the same problem with an LDAP session handle bound using the ldap_simple_bind_s() function.
    Could you please help me figure out what is wrong here? I use the Active Directory shipped with Windows Server 2008.

    Thank you,
    -Grigor
    • Moved by Shu 2017 Wednesday, September 23, 2015 8:57 AM from VC++ forum
    Monday, September 21, 2015 9:27 AM

All replies

  • > In this case ldap_search_s fails!

    Could you tell us the return value of the ldap_search_s function when it fails? Check the return values list:

    https://msdn.microsoft.com/en-us/library/aa367014%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396

    This return value should help you narrow down this issue.

    Tuesday, September 22, 2015 5:22 AM
  • Hi Shu Hu,

    Thank you very much for your response!

    The return value is 1, so the corresponding error message is "Operations error occurred", which doesn't give enough information on what exactly is wrong there. I did some testing related to this question and here is what I have found.

    Actually ldap_search_s fails with the same error code with any filter (not only when I use the member:1.2.840.113556.1.4.1941:=... syntax as a filter) when I use the root (DC=AD) as the base DN (second argument of ldap_search_s) and LDAP_SCOPE_SUBTREE or LDAP_SCOPE_ONELEVEL as the scope parameter. It succeeds when I use the root (DC=AD) as the base DN and LDAP_SCOPE_BASE as the scope parameter.

    If I use any sub-entry of the tree (in the example "OU=OMD2,DC=AD") as the base DN with LDAP_SCOPE_ONELEVEL or even with LDAP_SCOPE_SUBTREE as the scope, it works without any issues. This is really a mystery for me; what is wrong here?

    I am testing my application on Windows Server 2008 (64-bit).

    Thank you,

    -Grigor

    • Edited by aleksgrig Tuesday, September 22, 2015 6:20 PM
    Tuesday, September 22, 2015 6:02 PM
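The following is an added example, not code from the thread or from either poster. It reproduces the search the question describes (Kerberos SASL bind, then a transitive group-membership search with the LDAP_MATCHING_RULE_IN_CHAIN filter) using System.DirectoryServices.Protocols, which on Windows is a managed wrapper over the same wldap32 functions (ldap_bind_s, ldap_search_s) the question is about. It does two things a practitioner would want when chasing the "operations error" above: it escapes the user DN before placing it in the filter (RFC 4515), and on failure it prints the numeric result code together with the server's diagnostic string, which is the information the reply asks for. It also lets you toggle referral chasing: a subtree search rooted at the domain naming context returns referrals to child application partitions (DomainDnsZones, ForestDnsZones) while a search rooted at an OU does not, and wldap32 chases referrals by default, so comparing the two settings is a quick check of whether referral handling is what separates the failing root search from the working OU search. The server name, base DNs and user DN are assumptions for illustration.

```powershell
# Added example, not from the original thread. Server, base DN and user DN are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-LdapFilterEscapedValue {
    # RFC 4515 filter escaping: a DN embedded in a filter must have \ * ( ) and NUL escaped,
    # otherwise a user whose name contains parentheses or a backslash produces a bad filter.
    param([Parameter(Mandatory)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Get-TransitiveGroups {
    param(
        [Parameter(Mandatory)][string]$Server,   # assumed DC host name, e.g. 'dc1.ad'
        [Parameter(Mandatory)][string]$BaseDn,   # 'DC=AD' (fails for the poster) or 'OU=OMD2,DC=AD' (works)
        [Parameter(Mandatory)][string]$UserDn,   # DN of the bound user, assumed
        [System.DirectoryServices.Protocols.SearchScope]$Scope = 'Subtree',
        [switch]$ChaseReferrals
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    # Kerberos here is the SASL (GSSAPI) bind the question describes, not a simple bind.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Kerberos
    $conn.SessionOptions.ProtocolVersion = 3
    # wldap32 chases referrals by default (LDAP_OPT_REFERRALS). A subtree search at the
    # domain NC root yields referrals to DomainDnsZones/ForestDnsZones; an OU search does not.
    $chase = if ($ChaseReferrals) { 'All' } else { 'None' }
    $conn.SessionOptions.ReferralChasing = $chase
    $conn.Bind()

    # LDAP_MATCHING_RULE_IN_CHAIN: groups whose member chain (transitively) contains the user.
    $filter = "(member:1.2.840.113556.1.4.1941:=$(Get-LdapFilterEscapedValue $UserDn))"
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $BaseDn, $filter, $Scope, [string[]]@('distinguishedName'))
    try {
        $resp = $conn.SendRequest($req)
        foreach ($e in $resp.Entries) { $e.DistinguishedName }
        if ($resp.References.Count -gt 0) {
            # Continuation references are returned, not chased, when ReferralChasing is None.
            Write-Warning ("Search returned {0} referral(s); first: {1}" -f
                $resp.References.Count, $resp.References[0].Reference[0])
        }
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # The numeric result code (1 = OperationsError in the poster's case) plus the server's
        # diagnostic text, which wldap32 exposes via ldap_get_option(LDAP_OPT_SERVER_ERROR).
        $r = $_.Exception.Response
        Write-Error ("LDAP search failed: ResultCode={0} ({1}); ErrorMessage='{2}'; MatchedDN='{3}'" -f
            [int]$r.ResultCode, $r.ResultCode, $r.ErrorMessage, $r.MatchedDN)
    } finally {
        $conn.Dispose()
    }
}

# Run the poster's three cases side by side (names are assumptions):
# Get-TransitiveGroups -Server 'dc1.ad' -BaseDn 'DC=AD'          -UserDn 'CN=Grigor,OU=OMD3,DC=AD' -Scope Subtree
# Get-TransitiveGroups -Server 'dc1.ad' -BaseDn 'DC=AD'          -UserDn 'CN=Grigor,OU=OMD3,DC=AD' -Scope Base
# Get-TransitiveGroups -Server 'dc1.ad' -BaseDn 'OU=OMD3,DC=AD'  -UserDn 'CN=Grigor,OU=OMD3,DC=AD' -Scope Subtree
# Add -ChaseReferrals to the first call to compare behaviour with wldap32's default referral handling.
```

If the root subtree search succeeds with `-ChaseReferrals` omitted and fails with it present, the difference between the two sessions is in how referrals to the child partitions are followed after the SASL bind rather than in the filter or the base DN itself; in the native API the equivalent experiment is `ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF)` before calling ldap_search_s. The transitive filter is expensive on large directories, so keep the attribute list narrow, as the example does, and add a `(objectClass=group)` conjunct if you need to exclude non-group objects that carry a member attribute.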
  • I may not be familiar with LDAP issues; this issue is better discussed in the Application Security for Windows Desktop forum since it is not much related to C++.

    People in the Application Security for Windows Desktop forum should be more familiar with a security issue such as LDAP.

    Wednesday, September 23, 2015 8:56 AM