Powerful Directory Management Tool

[steveg]

Hi,
We're testing LDAP administrator with Novell's eDirectory version 8.8 and are getting protocol errors on quite a number of operations:

- deletes
- exports
- searches with "ManageDsaIt" enabled in the Server menu

It seems to be related to the ManageDsaIt control which is set on all of the above operations. All worked fine with eDir 8.7.3, and the problem cannot be reproduced when the same request is made with the perl Net::LDAP module.

I've logged the problem with Novell but wondered if anyone had come across it before. It makes LDAP administrator next to useless with eDirectory 8.8.

Regards
Steve

[Support]

Novell has published an article explaining the problem.

[Support]

We've just become aware that a fix is available from Microsoft support.

[steveg]

I tried installing that hotfix and the problem still exists, I'm still getting protocol errors.

Novell provided the following response:

There seems to be a problem in the control send by the ldapadministrator tool. MANAGEDSAIT control does not expect a control value, but looks like the ldapadministrator tool is sending the request with some control value. This is causing the protocol error. The code that checks this particular condition is added in eDir 8.8 and it is not available in eDir 8.7.3. Hence the tool does not show any issue with eDir 8.7.3.

For every delete and export operation, the tool is requesting a search/read with a managedsait control. The control is non-critical; however, the control value is not null. eDir LDAP server works fine if the control value is set to null. ldapsearch with -M options does this and it works fine.

The best solution would be to fix this in the ldapadministrator tool itself.

Is there anything you can do on the LDAP administrator side to prevent this problem?

[Support]

We are working on a build that would include a workaround for this issue. We expect it to be ready during a week. We'll post a link to the build with a workaround in this thread when the build is ready.

[Support]

A build with a workaround is now available. Note, we just commented out the ManageDsaIT control usage in the code, and the actual problem is behind LDAP Administrator. Further status of the bug is unclear. Either Microsoft or Novell should modify their code to truly eliminate the issue.

[jwilleke]

Problem still exist with LDAP Administrator 3.4

Is there a fix?

And it is not JUST with deletions, it also occurs with exports of data.

Any help would be appreciated.

[Support]

The issue is beyond LDAP Administrator software. MS LDAP API (wldap32.dll) sends a not completely valid LDAP Message and Novell engineers has decided to introduce a stricter parsing since version 8.8 SP1.

We've opened a support ticket at MS Support site and we are waiting for MS to comment or fix this issue. Until that we are not going to change our code which is absolutely correct.

While status of this issue is unknown we suggest you use a 3.3.1 "workaround" build (see link above) .

[jwilleke]

I guess I am confused.
Your program is sending an invalid request.

The fact that you choose to use wldap32.dll for your program is well, your choice.

To say your "code" is correct when it is sending an invalid request shows your program is at fault.

-jim

[Support]

Your program is sending an invalid request

LDAP Administrator neither assembles nor disassembles LDAPMessage envelopes that go between client and server. I just just prepares necessary parameters and executes ldap_search_ex API call as necessary. On-wire things are cooked inside wldap32.dll. For low-level details please read a post at google groups.

The fact that you choose to use wldap32.dll for your program is well, your choice.

Yes, that was our choice. There are not so many options though. WLDAP32 has its bugs, but other APIs (the list is really small BTW) have their own problems like bad performance, absence of multithreading support and no SASL authentication support on Windows.

Why you don't want to use the "workaround" build? There are not so many critical changes between 3.3.1 and 3.4 for those working with eDirectory.

[jwilleke]

FYI: The hotfix is fixes included in Windows XP Service Pack 2 and therefore it apparently is therefore not effective.
http://support.microsoft.com/kb/811113

I understand what you are saying about LDAP administrator, but I purchased a program to do things with. The program has issues, regardless of the fact that you wish to blame someone else.

I guess I will have to go to the older versions as suggested.

Any ideas on when MS will address the issue?

Thanks
-jim

[Support]

Code: Select all

FYI: The hotfix is fixes included in Windows XP Service Pack 2 and therefore it apparently is therefore not effective.
http://support.microsoft.com/kb/811113


Do you mean this issue? While the cause is very similar it's not a fix for the eDirectory case - it's a fix for another bug that we saw and reported (see item 4) a few years ago.

Code: Select all

Any ideas on when MS will address the issue?

As I said we've open a support ticket and I know that Novell folks had some conversation with MS support as well. By now we've been waiting for 4+ month. I guess next week we'll be trying to get the status update.

[jwilleke]

The fix you (and Novell) reference as a fix for, what appears to be, this issue:
[We've just become aware that a fix is available from Microsoft support.]

is http://support.microsoft.com/kb/841461/.

This is listed as being included in SP2 as referenced on this page:
http://support.microsoft.com/kb/811113/

-jim[/quote]