You cannot use the distinguishedName attribute to sort an LDAP query in Windows 2000 or in Windows Server 2003

Symptoms

When you try to use the distinguishedName attribute to sort the results of a Lightweight Directory Access Protocol (LDAP) query, you cannot successfully do so. However, when you perform this operation in Microsoft Windows 2000 Server, the specific symptoms are different from the symptoms that occur when you perform this operation in Microsoft Windows Server 2003. Windows 2000 Server returns no error, but it returns an unsorted result set. Windows Server 2003 returns an error code, but the result set is empty.

More Information

You can use a network trace to determine whether the sort operation is the cause of this issue. In the Detail pane of Network Monitor, you may see the requested sort operation, as indicated by the Sort Request Control lines in the following sample packet:



LDAP: ProtocolOp: SearchRequest (3)
LDAP: SASL Signature
LDAP: MessageID = 157 (0x9D)
LDAP: ProtocolOp = SearchRequest
LDAP: Base Object =DC=ticehurst,DC=com
LDAP: Scope = Whole Subtree
LDAP: Deref Aliases = Never Deref Aliases
LDAP: Size Limit = 0x00000BB8
LDAP: Time Limit = 0x00000002
LDAP: Attrs Only = 0 (0x0)
LDAP: Filter
LDAP: Filter Type = And
LDAP: Filter Type = Equality Match
LDAP: Attribute Type =objectCategory
LDAP: Attribute Value =OrganizationalUnit
LDAP: Filter Type = And
LDAP: Filter Type = Present
LDAP: Attribute Type =postalCode
LDAP: Attribute Description List
LDAP: Attribute Type =objectGUID
LDAP: Attribute Type =ou
LDAP: Attribute Type =postalCode
LDAP: Attribute Type =distinguishedName
LDAP: Controls
LDAP: Sort Request Control
LDAP: Criticality = 255 (0xFF)
LDAP: Sort Request Attribute Type =distinguishedName
LDAP: Sort Reverse Order = 0 (0x0)
LDAP: Domain Scope Control
LDAP: Criticality = 0 (0x0)
LDAP: Paged Control
LDAP: Criticality = 255 (0xFF)
LDAP: Page Size = 11 (0xB)
If you run this query against Windows 2000 Server, the query runs, and the server returns a result set. However, the results are not sorted on the distinguishedName attribute as requested.



When you run this same query against Windows Server 2003, an "Unavailable Critical Extension" error is returned. The following error-description text is part of the LDAP response packet that appears in Network Monitor:
LDAP: ProtocolOp: SearchResponse (simple) (5)
LDAP: SASL Signature
LDAP: MessageID = 25 (0x19)
LDAP: ProtocolOp = SearchResponse (simple)
LDAP: Result Code = Unavailable Critical Extension
LDAP: Error Message =0000217A: SvcErr: DSID-031401A2, problem 5010 (UNAVAIL_EXTENSION)
LDAP: Controls
LDAP: Sort Response Control
LDAP: Criticality = 0 (0x0)
LDAP: Sort Result Code = Inappropriate Matching
LDAP: Paged Control
LDAP: Criticality = 0 (0x0)
LDAP: Page Size = 0 (0x0)

Workaround

To sort on the distinguishedName attribute, perform the sort operation on the client side instead of on the server side, as in the following sample code:
Const adUseClient = 3
Const adCmdText = 1
Const adSecureAuthentication = 1
Const adLockReadOnly = 1

Dim szQuery, g_oCon, g_oCmd, g_oRS

szQuery = "<LDAP://billtivpc01.ticehurst.com>;" + _
"(&(objectCategory=group)(&(distinguishedName=*)));" + _
"objectGUID, ou, distinguishedName;subtree"

Set g_oCon = CreateObject("ADODB.Connection")
Set g_oRS = CreateObject("ADODB.Recordset")

g_oCon.Provider = "ADsDSOObject"
g_oCon.Properties("Encrypt Password") = True
g_oCon.Properties("ADSI Flag") = adSecureAuthentication
g_oCon.Open "Active Directory Provider"


'*** The following server-side sort does not return any results.
'Set g_oCmd = CreateObject("ADODB.Command")
'Set g_oCmd.ActiveConnection = g_oCon
'g_oCmd.Properties("Sort On") = "distinguishedname"
'g_oCmd.CommandType = adCmdText
'g_oCmd.CommandText = szQuery
'g_oRS.Open g_oCmd, , adUseClient, adLockReadOnly


'*** Instead, the following client-side sort succeeds.
g_oRS.CursorLocation = adUseClient
g_oRS.Sort = "distinguishedname"
g_oRS.Open szQuery, g_oCon, , , adCmdText


While Not g_oRS.EOF
    WScript.Echo g_oRS.Fields("distinguishedName").Value
    g_oRS.MoveNext
Wend

WScript.Quit
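
The same workaround at the protocol level, as an added example that is not part of the original article: it builds the RFC 2891 sort request control seen in the first trace, decodes the sort response control seen in the second, and falls back to a client-side sort for both the Windows 2000 Server and the Windows Server 2003 behavior. The `search` callable, its return shape, and the case-insensitive ordering are assumptions made for illustration.

```python
# Added example (not from the original article). RFC 2891 sort controls
# plus a client-side fallback covering both behaviours described above.
SORT_REQUEST_OID = "1.2.840.113556.1.4.473"
SORT_RESPONSE_OID = "1.2.840.113556.1.4.474"
UNAVAILABLE_CRITICAL_EXTENSION = 12  # LDAP result code
INAPPROPRIATE_MATCHING = 18          # RFC 2891 sortResult value

def _tlv(tag, body):
    if len(body) > 127:
        raise ValueError("long-form BER lengths are not handled here")
    return bytes([tag, len(body)]) + body

def encode_sort_keys(attr, reverse=False):
    """SortKeyList ::= SEQUENCE OF SEQUENCE {attributeType, [1] reverseOrder}."""
    key = _tlv(0x04, attr.encode("utf-8"))      # OCTET STRING attributeType
    if reverse:
        key += _tlv(0x81, b"\xff")              # [1] BOOLEAN TRUE
    return _tlv(0x30, _tlv(0x30, key))

def decode_sort_result(value):
    """SortResult ::= SEQUENCE {sortResult ENUMERATED, ...}; returns the code."""
    if len(value) < 5 or value[0] != 0x30 or value[2] != 0x0A:
        raise ValueError("not a SortResult value")
    n = value[3]
    if n == 0 or 4 + n > len(value):
        raise ValueError("truncated SortResult value")
    return int.from_bytes(value[4:4 + n], "big")

def search_sorted(search, attr):
    """search(controls) is a hypothetical callable wrapping an LDAP library.
    It returns (result_code, entries, response_controls): entries are dicts
    with one string per attribute, response_controls maps OID -> raw value."""
    request = [(SORT_REQUEST_OID, True, encode_sort_keys(attr))]  # critical
    code, entries, controls = search(request)
    sort_code = None
    if SORT_RESPONSE_OID in controls:
        sort_code = decode_sort_result(controls[SORT_RESPONSE_OID])
    if code == UNAVAILABLE_CRITICAL_EXTENSION:
        # Windows Server 2003 case: error, empty result set. Retry unsorted.
        code, entries, _ = search([])
    if code != 0:
        raise RuntimeError("LDAP search failed with result code %d" % code)
    key = lambda e: e[attr].lower()  # assumed ordering: case-insensitive
    keys = [key(e) for e in entries]
    if sort_code == 0 and keys == sorted(keys):
        return entries, "server", sort_code
    # Windows 2000 Server case: success but unsorted, so verify and sort here.
    return sorted(entries, key=key), "client", sort_code
```

The function returns the entries, whether the order came from the server or the client, and the decoded sort result code (`None` when the server sent no sort response control).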

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Properties

Article ID: 842637 - Last Review: Jan 4, 2008 - Revision: 1