Agarwal, Sharad | 15 Oct 16:53

LDAP Error 32 v/s Empty Result Set

Hi All,

Is it standard behavior for an LDAP server to respond with (LDAP Error
32) when a query is run that has no match?

I tried a zero result query with the embedded LDAP Server (that comes
with WebLogic). This query does not return LDAP Error 32, it just
returns an empty result set.

Code snippet:
~~~~
        int ldapVersion   = LDAPConnection.LDAP_V3;
        int ldapPort      = 27001;
        String ldapHost   = "fesbosbgdd33v3";
        String loginDN    = "uid=vgnadmin,ou=people,ou=VgnLDAPRealm,dc=vgndomain";
        String password   = "password masked";
        String searchBase = "ou=groups,ou=VgnLDAPRealm,dc=vgndomain";
        String searchFilter =
            "(&(uniquemember=cn=Administrators,ou=groups,ou=VgnLDAPRealm,dc=vgndomain)(objectclass=groupOfUniqueNames))";
~~~~

Code output:
~~~~
searchResults.getCount() = 0
~~~~

The same kind of query against another LDAP interface (Oracle Virtual
Directory) returns LDAP Error 32. 

Terry Gardner | 15 Oct 17:00

Re: LDAP Error 32 v/s Empty Result Set

error code 32 means "no such object", not zero entries match a query.

On Oct 15, 2008, at 10:57 AM, Agarwal, Sharad wrote:

> Hi All,
>
> Is it standard behavior for an LDAP server to respond with (LDAP Error
> 32) when a query is run that has no match?
>
> I tried a zero result query with the embedded LDAP Server (that comes
> with WebLogic). This query does not return LDAP Error 32, it just
> returns an empty result set.
>
> Code snippet:
> ~~~~
>        int ldapVersion   = LDAPConnection.LDAP_V3;
>        int ldapPort      = 27001;
>        String ldapHost   = "fesbosbgdd33v3";
>        String loginDN    = "uid=vgnadmin,ou=people,ou=VgnLDAPRealm,dc=vgndomain";
>        String password   = "password masked";
>        String searchBase = "ou=groups,ou=VgnLDAPRealm,dc=vgndomain";
>        String searchFilter =
>            "(&(uniquemember=cn=Administrators,ou=groups,ou=VgnLDAPRealm,dc=vgndomain)(objectclass=groupOfUniqueNames))";
> ~~~~
>
> Code output:
> ~~~~

Agarwal, Sharad | 15 Oct 17:03

RE: LDAP Error 32 v/s Empty Result Set

Thank you Terry!

It would be fair to say that the server that returns (LDAP Error 32) for
this query is not behaving in a standards compliant way? 

I am not an LDAP expert, and I tried searching the web to find an
authoritative source that I could cite to the VDS team. Can you guide
me?

Thanks,
Sharad

-----Original Message-----
From: Terry.Gardner@...
[mailto:Terry.Gardner@...] 
Sent: Wednesday, October 15, 2008 11:00 AM
To: Agarwal, Sharad
Cc: ldap@...
Subject: Re: [ldap] LDAP Error 32 v/s Empty Result Set

error code 32 means "no such object", not zero entries match a query.

On Oct 15, 2008, at 10:57 AM, Agarwal, Sharad wrote:

> Hi All,
>
> Is it standard behavior for an LDAP server to respond with (LDAP Error
> 32) when a query is run that has no match?
>
> I tried a zero result query with the embedded LDAP Server (that comes

Terry Gardner | 15 Oct 17:14

RE: LDAP Error 32 v/s Empty Result Set

One example of 32 being returned would be if the BIND dn or search
base did not exist in an ldapsearch command. For example:

ldapsearch -h ldap.example.com -p 389 -D 'cn=directory manger' -w password -b ou=people,dc=example,dc=com '(uid=abc*)' dn

Assume in this case that "directory manger" is supposed to be
"directory manager" (the root dn). If "cn=directory manger" did not
exist, then an err=32 would be returned.

On Oct 15, 2008, at 11:03 AM, Agarwal, Sharad wrote:

> Thank you Terry!
>
> It would be fair to say that the server that returns (LDAP Error 32)
> for this query is not behaving in a standards compliant way?
>
> I am not an LDAP expert, and I tried searching the web to find an
> authoritative source that I could cite to the VDS team. Can you guide
> me?
>
> Thanks,
> Sharad
>
> -----Original Message-----
> From: Terry.Gardner@... [mailto:Terry.Gardner@...]
> Sent: Wednesday, October 15, 2008 11:00 AM
> To: Agarwal, Sharad
> Cc: ldap@...

Adam Tauno Williams | 15 Oct 17:04

Re: LDAP Error 32 v/s Empty Result Set

> Is it standard behavior for an LDAP server to respond with (LDAP Error
> 32) when a query is run that has no match?

I suppose, if the specified searchBase does not exist or potentially if
the simple bind fails (the latter isn't "correct" AFAIK, but I've seen
it in the wild).

> I tried a zero result query with the embedded LDAP Server (that comes
> with WebLogic). This query does not return LDAP Error 32, it just
> returns an empty result set.
> 
> Code snippet:
> ~~~~
>         int ldapVersion   = LDAPConnection.LDAP_V3;
>         int ldapPort      = 27001;
>         String ldapHost   = "fesbosbgdd33v3";
>         String loginDN    = "uid=vgnadmin,ou=people,ou=VgnLDAPRealm,dc=vgndomain";
>         String password   = "password masked";
>         String searchBase = "ou=groups,ou=VgnLDAPRealm,dc=vgndomain";
>         String searchFilter =
>             "(&(uniquemember=cn=Administrators,ou=groups,ou=VgnLDAPRealm,dc=vgndomain)(objectclass=groupOfUniqueNames))";
> ~~~~

-- 
          Consonance: an Open Source .NET OpenGroupware client.
 Contact:awilliam@...   http://freshmeat.net/projects/consonance/


Agarwal, Sharad | 15 Oct 17:10

Re: LDAP Error 32 v/s Empty Result Set

Thanks Adam.

My apologies, I should have been more clear on that front. Both the
searchBase and bind information is valid. The only thing out of order
(if we can call it that) is that the search is for something that does
not exist. Put another way, we are searching for an item that does not
exist in the searchBase.

If the standard behavior for an LDAP server is to NOT give an error, can
you please point me to an authoritative source that I could cite to the
LDAP administrators?

Thanks,
Sharad

-----Original Message-----
From: bounce-ldap-5778666@...
[mailto:bounce-ldap-5778666@...] On Behalf Of Adam
Tauno Williams
Sent: Wednesday, October 15, 2008 11:04 AM
To: ldap@...
Subject: [ldap] Re: LDAP Error 32 v/s Empty Result Set

> Is it standard behavior for an LDAP server to respond with (LDAP Error
> 32) when a query is run that has no match?

I suppose, if the specified searchBase does not exist or potentially if
the simple bind fails (the latter isn't "correct" AFAIK, but I've seen
it in the wild).


joe | 15 Oct 17:27

Re: LDAP Error 32 v/s Empty Result Set

Does a base level search with a filter of objectclass=* return the base
object or does it return an error? Alternately if you change your filter to
objectclass=* and leave the rest of the query the same does it work?

I could see this being a problem with your search base as well as the DN
specified for the uniqueMember match. Either of which not existing or you
not having access rights to see them.

   joe

 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 

-----Original Message-----
From: bounce-ldap-5210650@...
[mailto:bounce-ldap-5210650@...] On Behalf Of Agarwal,
Sharad
Sent: Wednesday, October 15, 2008 11:10 AM
To: adam@...; ldap@...
Subject: [ldap] Re: LDAP Error 32 v/s Empty Result Set

Thanks Adam.

My apologies, I should have been more clear on that front. Both the
searchBase and bind information is valid. The only thing out of order (if we
can call it that) is that the search is for something that does not exist.
Put another way, we are searching for an item that does not exist in the
searchBase.

Agarwal, Sharad | 15 Oct 18:16

Re: LDAP Error 32 v/s Empty Result Set

Hi Joe,

Thank you for elaborating on that. 

I think I was asking too generic a question. Here are two specific
queries to the Oracle Virtual Directory server, both using the same bind
information. One succeeds, the other fails. The only difference between
the two is that one is searching for (uid=vgnadmin) and the other for
(uid=foo).

Query:
~~~~
        String searchBase = "ou=People,dc=fmr,dc=com";
        String searchFilter = "(uid=vgnadmin)"; //WORKS
~~~~

Output:
~~~~
LDAPEntry: uid=vgnadmin,ou=People,dc=fmr,dc=com; LDAPAttributeSet:
LDAPAttribute: {type='cn', value='vgnadmin, VDS'}
~~~~

Query:
~~~~
        String searchBase = "ou=People,dc=fmr,dc=com";
        String searchFilter = "(uid=foo)"; //FAILS
~~~~

Output:
~~~~

joe | 15 Oct 18:18

Re: LDAP Error 32 v/s Empty Result Set

Good example. I would say the LDAP server was sending back a non-standard
response for that situation then. 

   joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 

-----Original Message-----
From: Agarwal, Sharad [mailto:Sharad.Agarwal@...] 
Sent: Wednesday, October 15, 2008 12:17 PM
To: joe; adam@...; ldap@...
Subject: RE: [ldap] Re: LDAP Error 32 v/s Empty Result Set

Hi Joe,

Thank you for elaborating on that. 

I think I was asking too generic a question. Here are two specific queries
to the Oracle Virtual Directory server, both using the same bind
information. One succeeds, the other fails. The only difference between the
two is that one is searching for (uid=vgnadmin) and the other for (uid=foo).

Query:
~~~~
        String searchBase = "ou=People,dc=fmr,dc=com";
        String searchFilter = "(uid=vgnadmin)"; //WORKS
~~~~

Output:

Agarwal, Sharad | 15 Oct 18:22

Re: LDAP Error 32 v/s Empty Result Set

Thanks Joe. Appreciate your patience.

Is there some kind of authoritative source I could cite when I have this
discussion with the LDAP administrators? They are just telling me that
the application should handle the error and that LDAP Error 32 is 'No
Such Object'. And since there is no (uid=foo) object, it is standards
compliant behavior for the server to return LDAP Error 32.

Thanks,
Sharad

-----Original Message-----
From: joe [mailto:joe@...] 
Sent: Wednesday, October 15, 2008 12:19 PM
To: Agarwal, Sharad; adam@...; ldap@...
Subject: RE: [ldap] Re: LDAP Error 32 v/s Empty Result Set

Good example. I would say the LDAP server was sending back a
non-standard
response for that situation then. 

   joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 

-----Original Message-----
From: Agarwal, Sharad [mailto:Sharad.Agarwal@...] 
Sent: Wednesday, October 15, 2008 12:17 PM

Paul Engle | 15 Oct 21:40

Re: LDAP Error 32 v/s Empty Result Set


Dieter beat me to the punch on citing RFC 4511 as the authoritative source for information. However, it
doesn't really give guidelines on what result code to return for this (or any) situation.

Appendix A of the same RFC also gives short descriptions of the result codes, breaking them down into
"Non-Error Result Codes" and "Result Codes". Code 32 falls into the latter. Since that group is not
"Non-Error", I would tend to interpret it to mean that those codes *are* errors.

Not finding what you were searching for is not, in my opinion, a protocol error. To return an error code for a
successful search operation doesn't seem right to me. Every LDAP directory I've worked with returns a
Success (0) for an empty search result.

  -paul

-- 
Paul D. Engle                       | Rice University
Sr. Systems Administrator, RHCE     | Information Technology - MS119
713-348-4702                        | PO Box 1892
pengle@...                     | Houston, TX 77251-1892

--On Wednesday, October 15, 2008 12:22 PM -0400 "Agarwal, Sharad"
<Sharad.Agarwal@...> wrote:

> Thanks Joe. Appreciate your patience.
>
> Is there some kind of authoritative source I could cite when I have this
> discussion with the LDAP administrators? They are just telling me that
> the application should handle the error and that LDAP Error 32 is 'No
> Such Object'. And since there is no (uid=foo) object, it is standards
> compliant behavior for the server to return LDAP Error 32.

Emmanuel Lecharny | 15 Oct 21:44

Re: LDAP Error 32 v/s Empty Result Set

Paul Engle wrote:
> Dieter beat me to the punch on citing RFC 4511 as the authoritative source for information. However, it
> doesn't really give guidelines on what result code to return for this (or any) situation.
>
> Appendix A of the same RFC also gives short descriptions of the result codes, breaking them down into
> "Non-Error Result Codes" and "Result Codes". Code 32 falls into the latter. Since that group is not
> "Non-Error", I would tend to interpret it to mean that those codes *are* errors.
>
> Not finding what you were searching for is not, in my opinion, a protocol error. To return an error code for a
> successful search operation doesn't seem right to me. Every LDAP directory I've worked with returns a
> Success (0) for an empty search result.
>   

http://www.watersprings.org/pub/id/draft-just-ldapv3-rescodes-02.txt

5.2.2.2.1 noSuchObject(32)

   Applicable operations: all except for Bind.

   This error should only be returned if the target object cannot be
   found. For example, in a search operation if the search base can not
   be located in the DSA the server should return noSuchObject. If,
   however, the search base is found but does not match the search
   filter, success, with no resultant objects, should be returned
   instead of noSuchObject.


Pierangelo Masarati | 16 Oct 09:03

Re: LDAP Error 32 v/s Empty Result Set


----- "Emmanuel Lecharny" <elecharny@...> wrote:

> http://www.watersprings.org/pub/id/draft-just-ldapv3-rescodes-02.txt

Internet Drafts are not authoritative sources of information.  They should never be cited except as
work-in-progress.  No one seems to be questioning that noSuchObject is a legitimate response code for
LDAP searches.  The point is whether noSuchObject is appropriate for a search whose searchBase exists.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@...
-----------------------------------

Emmanuel Lecharny | 16 Oct 10:19

Re: LDAP Error 32 v/s Empty Result Set

> ----- "Emmanuel Lecharny" <elecharny@...> wrote:
>
> > http://www.watersprings.org/pub/id/draft-just-ldapv3-rescodes-02.txt
>
> Internet Drafts are not authoritative sources of information.  They should never be cited except as
> work-in-progress.  No one seems to be questioning that noSuchObject is a legitimate response code for
> LDAP searches.

It seems that Agarwal's LDAP admins are questioning this simple fact :)

> The point is whether noSuchObject is appropriate for a search whose searchBase exists.

That's pretty clear it's not appropriate, RFC draft or not. However,
it's still better to expose the fact that this point is being
clarified in a RFC draft, for those who haven't read extensively
all the LDAP RFCs. Maybe the official drafts are not clear enough,
too.

> Ing. Pierangelo Masarati
> OpenLDAP Core Team
>
> SysNet s.r.l.
> via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> -----------------------------------
> Office:  +39 02 23998309
> Mobile:  +39 333 4963172
> Fax:     +39 0382 476497
> Email:   ando@...
> -----------------------------------

Kurt Zeilenga | 16 Oct 17:53

Re: LDAP Error 32 v/s Empty Result Set


On Oct 16, 2008, at 1:19 AM, Emmanuel Lecharny wrote:

>>
>> The point is whether noSuchObject is appropriate for a search whose  
>> searchBase exists.
>
> That's pretty clear it's not appropriate, RFC draft or not.

Actually, there are cases where it is appropriate.  For instance, when  
the user is not authorized to know if the searchBase exists.  But this  
case doesn't seem to apply here.

What should be clear is that by returning noSuchObject, the server is
reporting that the baseObject of the search does not exist.  This is
quite different than reporting there are no entries which match the
search criteria.

-- Kurt

> However,
> it's still better to expose the fact that this point is being
> clarified in a RFC draft, for those who haven't read extensively
> all the LDAP RFCs. Maybe the official drafts are not clear enough,
> too.
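
The distinction drawn in the message above, modelled as an added example (not code from any poster or from a real directory server): a toy in-memory DIT returns noSuchObject (32) plus a matchedDN only when the search base is missing, and success (0) with zero entries when the base exists but nothing matches. The DIT contents are constructed from DNs in the thread's queries; the function names, the comma-splitting DN handling and the equality/presence-only filter are assumptions of this sketch.

```python
from dataclasses import dataclass, field

SUCCESS, NO_SUCH_OBJECT = 0, 32   # the two LDAP result codes discussed in the thread

# Constructed sample DIT (not a real directory); DNs borrowed from the thread.
DIT = {
    "dc=fmr,dc=com": {"objectclass": ["domain"]},
    "ou=people,dc=fmr,dc=com": {"objectclass": ["organizationalUnit"], "ou": ["People"]},
    "uid=vgnadmin,ou=people,dc=fmr,dc=com": {
        "objectclass": ["inetOrgPerson"], "uid": ["vgnadmin"], "cn": ["vgnadmin, VDS"]},
}

@dataclass
class SearchResult:
    code: int
    matched_dn: str = ""
    entries: list = field(default_factory=list)

def norm(dn):
    # Assumption: no escaped commas in DNs, so splitting on "," is sufficient here.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parent(dn):
    return dn.partition(",")[2]

def closest_ancestor(dit, base):
    """matchedDN for noSuchObject: the last existing entry on the way to the base."""
    dn = parent(base)
    while dn and dn not in dit:
        dn = parent(dn)
    return dn

def in_scope(dn, base, scope):
    if scope == "base":
        return dn == base
    if dn == base:
        return scope == "sub"          # "one" excludes the base entry itself
    if not dn.endswith("," + base):
        return False
    return scope == "sub" or parent(dn) == base

def matches(entry, flt):
    # Hypothetical mini-filter: "(attr=value)" equality or "(attr=*)" presence only.
    attr, _, value = flt.strip("()").partition("=")
    values = entry.get(attr.lower(), [])
    if value == "*":
        return bool(values)
    return value.lower() in (v.lower() for v in values)

def search(dit, base, scope, flt):
    base = norm(base)
    if base not in dit:
        # The base object itself cannot be located: this is the only case for 32 here.
        return SearchResult(NO_SUCH_OBJECT, closest_ancestor(dit, base))
    hits = sorted(dn for dn, e in dit.items()
                  if in_scope(dn, base, scope) and matches(e, flt))
    # Base exists: an empty hit list is still a successful search.
    return SearchResult(SUCCESS, entries=hits)

def diagnose(dit, base, flt):
    """Client-side handling that keeps the two outcomes apart."""
    res = search(dit, base, "sub", flt)
    if res.code == NO_SUCH_OBJECT:
        return (f"base not found (resolved up to '{res.matched_dn}'): "
                "check base DN or access rights")
    if not res.entries:
        return "base exists, no entry matches the filter"
    return "found: " + "; ".join(res.entries)

if __name__ == "__main__":
    for base, flt in [("ou=People,dc=fmr,dc=com", "(uid=vgnadmin)"),
                      ("ou=People,dc=fmr,dc=com", "(uid=foo)"),
                      ("ou=groups,dc=fmr,dc=com", "(uid=foo)")]:
        print(base, flt, "->", diagnose(DIT, base, flt))
```

A base-scope search with `(objectclass=*)`, as suggested earlier in the thread, is the same probe `search(DIT, base, "base", "(objectclass=*)")` performs: it separates "base missing or not visible" from "filter matched nothing".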

Michael Ströder | 16 Oct 10:37

Re: LDAP Error 32 v/s Empty Result Set

Pierangelo Masarati wrote:
> ----- "Emmanuel Lecharny" <elecharny@...> wrote:
> 
>> http://www.watersprings.org/pub/id/draft-just-ldapv3-rescodes-02.txt
> 
> Internet Drafts are not authoritative sources of information.  They
> should never be cited except as work-in-progress.  No one seems to be
> questioning that noSuchObject is a legitimate response code for LDAP
> searches.  The point is whether noSuchObject is appropriate for a
> search whose searchBase exists.

I wonder why that's such a big issue at all. When implementing LDAP
client software one has to handle noSuchObject and an empty result set
anyway. In most cases the handling is mainly the same.

Ciao, Michael.

Pierangelo Masarati | 16 Oct 16:29

Re: LDAP Error 32 v/s Empty Result Set


----- "Michael Ströder" <michael@...> wrote:

> Pierangelo Masarati wrote:
> > ----- "Emmanuel Lecharny" <elecharny@...> wrote:
> > 
> >> http://www.watersprings.org/pub/id/draft-just-ldapv3-rescodes-02.txt
> > 
> > Internet Drafts are not authoritative sources of information.  They
> > should never be cited except as work-in-progress.  No one seems to be
> > questioning that noSuchObject is a legitimate response code for LDAP
> > searches.  The point is whether noSuchObject is appropriate for a
> > search whose searchBase exists.
> 
> I wonder why that's such a big issue at all. When implementing LDAP
> client software one has to handle noSuchObject and an empty result
> set anyway. In most cases the handling is mainly the same.

Let me disagree: from an implementation point of view, it depends on what a client is supposed to do.  If the
client's task is over after the search response is returned, I might agree.  But in any case, from a(n
informed) user's perspective, the two responses are not the same.  In case of "success", no entry matched
the search criteria, while in case of "noSuchObject" one search criterium, the searchBase, was
inappropriate.  I concur that this whole discussion is a little nonsense, as I believe the expected
behavior is so well explained in RFC 4511, which is the sole authoritative source of information for this
topic, that there is no point in discussing it any further.  Also, I believe many implementations 'round do
not conform yet to RFC 451*, as they might still conform to RFC 225* (like OpenLDAP 2.3 itself).  However, I

Paul Engle | 16 Oct 17:03

Re: LDAP Error 32 v/s Empty Result Set


--On Thursday, October 16, 2008 4:29 PM +0200 Pierangelo Masarati
<ando@...> wrote:

>
> ----- "Michael Ströder" <michael@...> wrote:
>
>> Pierangelo Masarati wrote:
>> > ----- "Emmanuel Lecharny" <elecharny@...> wrote:
>> >
>> >> http://www.watersprings.org/pub/id/draft-just-ldapv3-rescodes-02.txt
>> >
>> > Internet Drafts are not authoritative sources of information.  They
>> > should never be cited except as work-in-progress.  No one seems to be
>> > questioning that noSuchObject is a legitimate response code for LDAP
>> > searches.  The point is whether noSuchObject is appropriate for a
>> > search whose searchBase exists.
>>
>> I wonder why that's such a big issue at all. When implementing LDAP
>> client software one has to handle noSuchObject and an empty result
>> set anyway. In most cases the handling is mainly the same.
>
> Let me disagree: from an implementation point of view, it depends on what a client is supposed to do.  If the
> client's task is over after the search response is returned, I might agree.  But in any case, from a(n
> informed) user's perspective, the two responses are not the same.  In case of "success", no entry matched
> the search criteria, while in case of "noSuchObject" one search criterium, the searchBase, was inappropriate.

Michael Ströder | 17 Oct 13:55

Re: LDAP Error 32 v/s Empty Result Set

Pierangelo Masarati wrote:
> ----- "Michael Ströder" <michael@...> wrote:
> 
>> Pierangelo Masarati wrote:
>>> ----- "Emmanuel Lecharny" <elecharny@...> wrote:
>>>
>>>> http://www.watersprings.org/pub/id/draft-just-ldapv3-rescodes-02.txt
>>> Internet Drafts are not authoritative sources of information.  They
>>> should never be cited except as work-in-progress.  No one seems to be
>>> questioning that noSuchObject is a legitimate response code for LDAP
>>> searches.  The point is whether noSuchObject is appropriate for a
>>> search whose searchBase exists.
>> I wonder why that's such a big issue at all. When implementing LDAP
>> client software one has to handle noSuchObject and an empty result
>> set anyway. In most cases the handling is mainly the same.
> 
> Let me disagree: from an implementation point of view, it depends on
> what a client is supposed to do.  If the client's task is over after
> the search response is returned, I might agree.  But in any case,
> from a(n informed) user's perspective, the two responses are not the
> same.

That's why I wrote "In most cases the handling is mainly the same".
                       ^^^^                       ^^^^^^

Most LDAP clients are not nifty interactive clients which try to guide
the user what to do next. Most LDAP clients just log an error. While I'm
pretty eager with fine-grained error handling in web2ldap I find myself

Agarwal, Sharad | 17 Oct 16:03

Re: LDAP Error 32 v/s Empty Result Set

"Michael Ströder" <michael@...> wrote:
> So I'd be interested which LDAP clients the original poster is 
> working with and which problems he experienced.

WebLogic is the application in question. WebLogic allows us to define Authenticators (code that connects
to the LDAP server). Once an Authenticator is defined, WebLogic offers a UI where all users and groups can
be listed. 

The group listing fails because of some code in WebLogic that tries to find the description of a group. They
have a generic function getdescription() that is used for both users and groups. It ends up searching for
the group in the user base DN. And our LDAP returns an Error 32.

As far as I can tell, WebLogic should not be searching for the group in the user context. But it is doing that.
By the same token, the LDAP should not return LDAP Error 32. But it is doing that. And, together, the twain
are resulting in the user seeing a stack trace instead of the Group listing.

This puts me in a tough predicament. Both parties have a plausible argument. WebLogic complains that the
LDAP is not standards compliant. And LDAP complains that WebLogic should not search for groups in the user
DN. And if it does, it should handle/ignore the error.

All - I really appreciate the various pointers I have received from this wonderful community. 

Thank you,
Sharad

Emmanuel Lecharny | 17 Oct 16:33

Re: LDAP Error 32 v/s Empty Result Set

Agarwal, Sharad wrote:
> "Michael Ströder" <michael@...> wrote:
>   
>> So I'd be interested which LDAP clients the original poster is 
>> working with and which problems he experienced.
>>     
>
> WebLogic is the application in question. WebLogic allows us to define Authenticators (code that
> connects to the LDAP server). Once an Authenticator is defined, WebLogic offers a UI where all users and
> groups can be listed. 
>
> The group listing fails because of some code in WebLogic that tries to find the description of a group. They
> have a generic function getdescription() that is used for both users and groups. It ends up searching for
> the group in the user base DN. And our LDAP returns an Error 32.
>
> As far as I can tell, WebLogic should not be searching for the group in the user context. But it is doing that.
> By the same token, the LDAP should not return LDAP Error 32. But it is doing that. And, together, the twain
> are resulting in the user seeing a stack trace instead of the Group listing.
>   
Looking back to the request's base:

String searchBase = "ou=groups,ou=VgnLDAPRealm,dc=vgndomain";

if the ou=groups,ou=VgnLDAPRealm,dc=vgndomain branch does not exist in your LDAP DIT, then you will get a
NoSuchObject resultcode.

Your LDAP server is compliant if you get this result. 

> This puts me in a tough predicament. Both parties have a plausible argument. WebLogic complains that the
> LDAP is not standards compliant. And LDAP complains that WebLogic should not search for groups in the user

Agarwal, Sharad | 17 Oct 16:46

Re: LDAP Error 32 v/s Empty Result Set

Emmanuel Lecharny wrote:
> Now the funniest part : WebLogic and Oracle Virtual Directory (, 
> OctetString product) are _both_ Oracle products ;) Either Oracle or 
> Oracle is not compliant somewhere...

LOL. You are right, BEA was purchased by Oracle. They are indeed both
Oracle products.

What I am not sure is whether Oracle Virtual Directory sends the LDAP
Error 32 by default; or if it is the implementation of the product at
our organization. I suspect it is the latter.

Thanks,
Sharad

Michael Ströder | 17 Oct 16:50

Re: LDAP Error 32 v/s Empty Result Set

Agarwal, Sharad wrote:
> "Michael Ströder" <michael@...> wrote:
>> So I'd be interested which LDAP clients the original poster is 
>> working with and which problems he experienced.
> 
> WebLogic is the application in question. WebLogic allows us to define
> Authenticators (code that connects to the LDAP server). Once an
> Authenticator is defined, WebLogic offers a UI where all users and
> groups can be listed.
> 
> The group listing fails because of some code in WebLogic that tries
> to find the description of a group. They have a generic function
> getdescription() that is used for both users and groups. It ends up
> searching for the group in the user base DN. And our LDAP returns an
> Error 32.

In any case the LDAP client should also handle noSuchObject more
gracefully. Although more thorough analysis should be done I think in
this particular case noSuchObject could also be handled the same way
like no group entry found. And that's exactly what I meant with "In most
cases the handling is mainly the same".

Ciao, Michael.

Mark H. Wood | 20 Oct 15:26

Re: LDAP Error 32 v/s Empty Result Set

On Fri, Oct 17, 2008 at 10:03:27AM -0400, Agarwal, Sharad wrote:
> This puts me in a tough predicament. Both parties have a plausible argument. WebLogic complains that the
> LDAP is not standards compliant. And LDAP complains that WebLogic should not search for groups in the user
> DN. And if it does, it should handle/ignore the error.

WebLogic has a problem which is independent of the LDAP service's
behavior: it is searching the wrong context.  If this is not the
result of misconfiguration by the customer, then they should fix that.
I would simply refuse *any* arguments concerning the LDAP response to
an incorrect query until the query is corrected.  I would keep
pointing to the error in WebLogic until it is acknowledged.

-- 
Mark H. Wood, Lead System Programmer   mwood@...
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.

Hallvard B Furuseth | 20 Oct 16:09

Re: LDAP Error 32 v/s Empty Result Set

Mark H. Wood writes:
> WebLogic has a problem which is independent of the LDAP service's
> behavior: it is searching the wrong context.  If this is not the
> result of misconfiguration by the customer, then they should fix that.
> I would simply refuse *any* arguments concerning the LDAP response to
> an incorrect query until the query is corrected.  I would keep
> pointing to the error in WebLogic until it is acknowledged.

Sorry, no.  It's irritating but normal for LDAP clients to try several
searches until one succeeds, and to not offer a way to turn off searches
that the user knows will find nothing.  Furthermore "no such object" can
mean user misconfiguration - "you must point the group base DN at an
actual entry" while no search results is normal.  Assuming that group DN
is actually configured and necessary, of course.

I've lost track of this discussion a bit, but anyway: Possibly it would
help to point the group DN at the parent entry so that a search for the
"group" will find users too.  Depends on whether group searches use
subtree scope and filter for groups.

-- 
Hallvard

Dustin Puryear | 15 Oct 18:38

Re: LDAP Error 32 v/s Empty Result Set

Perhaps you should give some actual examples of the DIT and some queries
via ldapsearch. That may help. :)

--
Dustin Puryear
President and Sr. Consultant
Puryear Information Technology, LLC
225-706-8414 x112
http://www.puryear-it.com

Author, "Best Practices for Managing Linux and UNIX Servers"
  http://www.puryear-it.com/pubs/linux-unix-best-practices/

Agarwal, Sharad wrote:
> Thanks Adam.
> 
> My apologies, I should have been more clear on that front. Both the
> searchBase and bind information is valid. The only thing out of order
> (if we can call it that) is that the search is for something that does
> not exist. Put another way, we are searching for an item that does not
> exist in the searchBase.
> 
> If the standard behavior for an LDAP server is to NOT give an error, can
> you please point me to an authoritative source that I could cite to the
> LDAP administrators?
> 
> Thanks,
> Sharad
> 
> -----Original Message-----

Dieter Kluenter | 15 Oct 18:20

Re: LDAP Error 32 v/s Empty Result Set

"Agarwal, Sharad" <Sharad.Agarwal@...> writes:

> Thanks Adam.
>
> My apologies, I should have been more clear on that front. Both the
> searchBase and bind information is valid. The only thing out of order
> (if we can call it that) is that the search is for something that does
> not exist. Put another way, we are searching for an item that does not
> exist in the searchBase.
>
> If the standard behavior for an LDAP server is to NOT give an error, can
> you please point me to an authoritative source that I could cite to the
> LDAP administrators?

RFC-4511, section 4.1.9 Result Message

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E

