System.DirectoryServices.Protocols - Cannot use objectCategory filter on linux

[null-d3v]

Description

On linux, using a filter with objectCategory will result in the following:

System.DirectoryServices.Protocols.LdapException: The LDAP server returned an unknown error.
    at System.DirectoryServices.Protocols.LdapConnection.BeginSendRequest(DirectoryRequest request, TimeSpan requestTimeout, PartialResultProcessing partialMode, AsyncCallback callback, Object state)

Sample:

var searchRequest = new SearchRequest(
    "ou=Company,dc=company,dc=com",
    "(&(objectCategory=group)((|(objectGUID=\\D6\\F5\\F3\\0B\\04\\49\\D1\\4E\\B4\\9D\\C3\\D3\\87\\D9\\AD\\AC))))",
    SearchScope.Subtree,
    new[] { "cn", });
searchRequest.Controls.Add(
    new SearchOptionsControl(SearchOption.DomainScope));

var searchResults = (SearchResponse)await connection.SendRequestAsync(
    searchRequest, PartialResultProcessing.NoPartialResultSupport);

Configuration

• .NET 5.0.0-rc.2.20475.5
• aspnet:5.0-alpine docker image
• x86_64
• libldap 2.4
• Windows Server 2019 DC

[danmoseley]

It might be good if ToString() on LdapException included ErrorCode. Is it possible to dump ErrorCode off this exception?

[null-d3v]

Sure! In this case the error code I received was -7.

$"Exception: {ldapException.Message} | {ldapException.ErrorCode}"

Exception: The LDAP server returned an unknown error. | -7

[danmoseley]

I don't know anything about libldap, but I downloaded the sources and ldap.h contains

#define LDAP_SERVER_DOWN				(-1)
#define LDAP_LOCAL_ERROR				(-2)
#define LDAP_ENCODING_ERROR				(-3)
#define LDAP_DECODING_ERROR				(-4)
#define LDAP_TIMEOUT					(-5)
#define LDAP_AUTH_UNKNOWN				(-6)
#define LDAP_FILTER_ERROR				(-7)
#define LDAP_USER_CANCELLED				(-8)
#define LDAP_PARAM_ERROR				(-9)
#define LDAP_NO_MEMORY					(-10)
#define LDAP_CONNECT_ERROR				(-11)
#define LDAP_NOT_SUPPORTED				(-12)
#define LDAP_CONTROL_NOT_FOUND			(-13)
#define LDAP_NO_RESULTS_RETURNED		(-14)
#define LDAP_MORE_RESULTS_TO_RETURN		(-15)	/* Obsolete */
#define LDAP_CLIENT_LOOP				(-16)
#define LDAP_REFERRAL_LIMIT_EXCEEDED	(-17)
#define	LDAP_X_CONNECTING			(-18)

It would be good for LdapException to translate each of these codes to nice messages, rather than defaulting to The LDAP server returned an unknown error. Perhaps that's a change someone could offer separately.

Someone knowledgeable like @joperezr may have an idea what your issue is though.

[danmoseley]

Do you have the ability to try the same query on Windows, against the same server?

[joperezr]

agreed that testing if the same code works in Windows would be valuable in case that is possible. Also, have you tried performing the search without the Search Control to see if that makes any difference?

It would be good for LdapException to translate each of these codes to nice messages, rather than defaulting to The LDAP server returned an unknown error. Perhaps that's a change someone could offer separately.

Completely agree here, it should be straight forward to do this but I'm fine with treating it separately.

[null-d3v]

I can confirm that the query does return results on Windows. This is a conversion of a Windows service to docker/k8s.

Without the search control on linux, I am definitely able to get results. I can also do things like search with a distinguished name. Specifically though objectCategory searches will fail on linux but work on Windows.

Through working with changing the search request, I did find is another problem though that I will probably open another issue for. Response sizes above the maximum allowed size will always time out on linux, regardless of the time out setting on the connection. Additionally the maximum allowed size on linux is noticeably smaller than that on Windows.

[danmoseley]

Created #46021 to fix the codes