LDAP Query logs?

Thread starter: JasonMeyer

Do AD servers keep a log of LDAP queries? Can they? I am having an issue with
a CF web app that works from an internal dev server, but when I test it on a
live public webserver it fails. I just would like to see what the queries
look like that are coming to it. Thanks.


Jason
 
OK, I think I found something... I watched the LDAP packets and in the
searchresponse there is a correct response and
referral:ldap://anotherdc.server.inside.fw.org. The very next packet is a
DNS lookup for the server named in the referral. And the next packet after
that is a DNS lookup failure response from my public DNS server. So I guess
what does the referral ldap:// bit mean / what's it for?


Jason
 
Here is the bottom of the packet with the referral part. The first one is a
subdomain of the second one. Being a noob to LDAP, I am not very clear on the
purpose of referrals. Do they have to be there? I have made a temp work
around by editing the hosts file on my webserver and pointed both URLs to
the IPs that have been opened up for LDAP queries. Guess if that's the only
way to work, it's gonna stay that way.

Thanks for the help.

Jason

000002F0 00 00 00 C0 0A 01 09 04 00 04 84 00 00 00 B5 52 ...............R
00000300 65 66 65 72 72 61 6C 3A 0A 6C 64 61 70 3A 2F 2F eferral:.ldap://
00000310 73 74 75 64 65 6E 74 2E 61 64 2E 72 6F 73 65 76 student.ad.rosev
00000320 69 6C 6C 65 2E 6B 31 32 2E 6D 6E 2E 75 73 2F 44 ille.k12.mn.us/D
00000330 43 3D 73 74 75 64 65 6E 74 2C 44 43 3D 61 64 2C C=student,DC=ad,
00000340 44 43 3D 72 6F 73 65 76 69 6C 6C 65 2C 44 43 3D DC=roseville,DC=
00000350 6B 31 32 2C 44 43 3D 6D 6E 2C 44 43 3D 75 73 0A k12,DC=mn,DC=us.
00000360 6C 64 61 70 3A 2F 2F 61 64 2E 72 6F 73 65 76 69 ldap://ad.rosevi
00000370 6C 6C 65 2E 6B 31 32 2E 6D 6E 2E 75 73 2F 43 4E lle.k12.mn.us/CN
00000380 3D 43 6F 6E 66 69 67 75 72 61 74 69 6F 6E 2C 44 =Configuration,D
00000390 43 3D 61 64 2C 44 43 3D 72 6F 73 65 76 69 6C 6C C=ad,DC=rosevill
000003A0 65 2C 44 43 3D 6B 31 32 2C 44 43 3D 6D 6E 2C 44 e,DC=k12,DC=mn,D
000003B0 43 3D 75 73 C=us
 
A referral means it couldn't find what it needed in the directory you were
connected to and sent back a referral of someplace else to look. You would have
to verify specifically what it is looking for.

joe
 
Well, it was referring to a child domain. If I did a subtree search from the
root (parent domain), would it try to expand into subs (child domains)? How
would one block a query that starts at the root from going through the
child?

Right now I have made the queries a lot more specific, limiting them to
particular OUs in the parent domain. But it was kinda annoying to code
that way.

Jason
 
Well, think of it this way: your directory looks something like


DC=root,DC=com
CN=Builtin,DC=root,DC=com
CN=Computers,DC=root,DC=com
OU=Domain Controllers,DC=root,DC=com
CN=ForeignSecurityPrincipals,DC=root,DC=com
CN=Infrastructure,DC=root,DC=com
CN=LostAndFound,DC=root,DC=com
CN=NTDS Quotas,DC=root,DC=com
CN=Program Data,DC=root,DC=com
CN=System,DC=root,DC=com
CN=Users,DC=root,DC=com
DC=child,DC=root,DC=com
CN=Builtin,DC=child,DC=root,DC=com
CN=Computers,DC=child,DC=root,DC=com
OU=Domain Controllers,DC=child,DC=root,DC=com
CN=ForeignSecurityPrincipals,DC=child,DC=root,DC=com
CN=Infrastructure,DC=child,DC=root,DC=com
CN=LostAndFound,DC=child,DC=root,DC=com
CN=NTDS Quotas,DC=child,DC=root,DC=com
CN=Program Data,DC=child,DC=root,DC=com
CN=System,DC=child,DC=root,DC=com
CN=Users,DC=child,DC=root,DC=com


If you do a search from root, it is logical that it flows through the children
as well, as they are beneath the main root structure, i.e. subordinate.

If you switch to a GC search you should get away from the referrals, though, since
the GC maintains a subset of all attributes.

joe
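Added example (not code from the thread or from either poster): it parses the referral URLs an AD domain controller returns, in the "Referral:" text form visible in the packet dump above, and decides per referral whether a client that sits outside the firewall can follow it. The referral text and DNs are reconstructed from the dump; the set of reachable hosts and the policy function are hypothetical.

```python
"""Parse AD LDAP referrals and decide which ones a client may follow."""
from urllib.parse import urlsplit, unquote

# Constructed from the dump: the DC answered an LDAPv2-style client, so the
# referral URLs travel in the errorMessage field after a "Referral:" line.
REFERRAL_TEXT = (
    "Referral:\n"
    "ldap://student.ad.roseville.k12.mn.us/"
    "DC=student,DC=ad,DC=roseville,DC=k12,DC=mn,DC=us\n"
    "ldap://ad.roseville.k12.mn.us/"
    "CN=Configuration,DC=ad,DC=roseville,DC=k12,DC=mn,DC=us"
)


def parse_referrals(text):
    """Return (host, port, base_dn) for each ldap:// URL (RFC 4516 form)."""
    found = []
    for line in text.splitlines():
        if not line.lower().startswith("ldap://"):
            continue  # skip the "Referral:" header line
        url = urlsplit(line.strip())
        found.append((url.hostname, url.port or 389, unquote(url.path.lstrip("/"))))
    return found


def dn_parts(dn):
    """Split a DN into lowercased RDNs (escaped commas not handled; simplification)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def is_under(dn, base):
    """True if dn is base itself or lies beneath it (what a subtree search covers)."""
    d, b = dn_parts(dn), dn_parts(base)
    return len(d) >= len(b) and d[-len(b):] == b


def plan_referrals(text, search_base, reachable_hosts):
    """Per referral: 'chase', or record why it cannot / should not be followed."""
    reachable = {h.lower() for h in reachable_hosts}
    plan = []
    for host, _port, dn in parse_referrals(text):
        if not is_under(dn, search_base):
            plan.append((host, "skip-out-of-scope"))  # not part of what was asked for
        elif host not in reachable:
            plan.append((host, "skip-unreachable"))   # the poster's DNS-failure case
        else:
            plan.append((host, "chase"))
    return plan
```

With only the parent-domain DC reachable from the public web server, the child-domain referral is reported as unreachable rather than silently failing the whole search; switching to a Global Catalog search (port 3268), as joe suggests, avoids the referrals entirely.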
 