LDAP search results and referrals

Last Updated: Jun 10, 2026

Search Request Responses

Search Result

The results of the search operation are returned as zero or more SearchResultEntry and/or SearchResultReference messages, followed by a single SearchResultDone message.

Each SearchResultEntry represents an entry found during the search. Each SearchResultReference represents an area not yet explored during the search.

Referral

The referral result code indicates that the contacted server is unable to run the operation, but that another server might be able to.

LDAP Search Result Reference

If the server was able to locate the entry referred to by the baseObject but could not search one or more non-local entries, the server may return one or more SearchResultReference messages, each containing a reference to another set of servers for continuing the operation.

If Avaya Aura® Device Services receives a SearchResultReference, it will attempt to resolve the returned LDAP URI, and launch a new query for each returned reference, with the same filter unless a new filter is included in the reference. Any new references will also be followed.

The following example shows a reference being returned when one domain is queried about another domain in the forest.

Source domain: dc=ottawa,dc=valley,dc=eh
Child domain: dc=upper,dc=ottawa,dc=valley,dc=eh

ldapsearch -v -H ldap://ottawa.valley.eh:389 -b "dc=ottawa,dc=valley,dc=eh" "samaccountname=a.upper" mail msrtcsip-primaryuseraddress telephonenumber
ldap_initialize( ldap://ottawa.valley.eh:389/??base )
filter: samaccountname=a.upper
requesting: mail 
# extended LDIF
#
# LDAPv3
# base <dc=ottawa,dc=valley,dc=eh> with scope subtree
# filter: samaccountname=a.upper
# requesting: mail
#

# search reference
ref: ldap://upper.ottawa.valley.eh/DC=upper,DC=ottawa,DC=valley,DC=eh

# search reference
ref: ldap://DomainDnsZones.ottawa.valley.eh/DC=DomainDnsZones,DC=ottawa,DC=val
 ley,DC=eh

# search result
search: 2
result: 0 Success

# numResponses: 3
# numReferences: 2

LDAP Reference with Active Directory

If you have Active Directory as your Enterprise source and it uses integrated DNS, the forest root will have a ForestDNSZones partition, while all domains with integrated DNS will have a DomainDNSZones partition. The forest root will also contain the Configuration partition.

This means any query to the Active Directory source will return references to all of these partitions.

The following is an example of querying the forest root.

ldapsearch -v -H ldap://west.bytown.city:389 -b "dc=west,dc=bytown,dc=city" "samaccountname=a.west" mail
ldap_initialize( ldap://west.bytown.city:389/??base )
filter: samaccountname=a.west
requesting: mail
# extended LDIF
#
# LDAPv3
# base <dc=west,dc=bytown,dc=city> with scope subtree
# filter: samaccountname=a.west
# requesting: mail
#

# Able West, West Users, west.bytown.city
dn: CN=Able West,OU=West Users,DC=west,DC=bytown,DC=city
mail: a.west@Bytown.City

# search reference
ref: ldap://DomainDnsZones.west.bytown.city/DC=DomainDnsZones,DC=west,DC=bytown,DC=city

# search reference
ref: ldap://ForestDnsZones.west.bytown.city/DC=ForestDnsZones,DC=west,DC=bytown,DC=city

# search reference
ref: ldap://west.bytown.city/CN=Configuration,DC=west,DC=bytown,DC=city

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

LDAP Referral

The referral result code indicates that the contacted server is unable to run the operation, and that one or more other servers might be able to. Reasons for this include:

  • The target entry of the request is not held locally, but the server has knowledge of its possible existence elsewhere.

  • The operation is restricted on this server, perhaps due to a read-only copy of an entry to be modified.

The following example shows a source returning a referral when a query is sent to a source that is not authoritative for the base context.

Source domain: dc=upper,dc=ottawa,dc=valley,dc=eh

Query sent with a base context of dc=ottawa,dc=valley,dc=eh:

ldapsearch -v -H ldap://upper.ottawa.valley.eh:389 -b "dc=ottawa,dc=valley,dc=eh" "samaccountname=a.ottawa" mail msrtcsip-primaryuseraddress telephonenumber
ldap_initialize( ldap://upper.ottawa.valley.eh:389/??base )
filter: samaccountname=a.ottawa
requesting: mail msrtcsip-primaryuseraddress telephonenumber
# extended LDIF
#
# LDAPv3
# base <dc=ottawa,dc=valley,dc=eh> with scope subtree
# filter: samaccountname=a.ottawa
# requesting: mail msrtcsip-primaryuseraddress telephonenumber
#

# search result
search: 2
result: 10 Referral
text: 0000202B: RefErr: DSID-03100781, data 0, 1 access points
        ref 1: 'ottawa.valley.eh'

ref: ldap://ottawa.valley.eh/dc=ottawa,dc=valley,dc=eh

# numResponses: 1

If Avaya Aura® Device Services receives a Referral, it attempts to resolve the returned LDAP URI and launches a new query for each returned referral, with the same filter unless the referral specifies otherwise.

Typically, the referred-to URI is equal to the base context in the query.
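
What following the references and referrals described above involves, as an added example that is not Avaya's code or part of the original page: it unfolds the LDIF output, extracts each ref URI, notes whether the URI carries its own filter, and marks whether the target stays inside a trusted DNS suffix and the queried base DN. The trusted-suffix and base-DN policy, the function names and the third reference in the sample are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample shaped like the ldapsearch output above; the last
# reference (its host and filter) is invented to exercise the checks.
SAMPLE = """\
# search reference
ref: ldap://DomainDnsZones.ottawa.valley.eh/DC=DomainDnsZones,DC=ottawa,DC=val
 ley,DC=eh

# search reference
ref: ldap://upper.ottawa.valley.eh/DC=upper,DC=ottawa,DC=valley,DC=eh

# search reference
ref: ldap://ldap.unrelated.example/DC=ottawa,DC=valley,DC=eh??sub?(objectClass=*)

# search result
search: 2
result: 0 Success
"""

def parse_search_output(text):
    """Return (result_code, [ref URIs]); LDIF folds long lines as newline + space."""
    refs, code = [], None
    for line in re.sub(r"\r?\n ", "", text).splitlines():
        if line.startswith("ref: "):
            refs.append(line[5:].strip())
        elif line.startswith("result: "):
            code = int(line.split()[1])
    return code, refs

def plan_followups(text, query_filter, base_dn, trusted_suffix):
    """Return (result_code, [(host, dn, filter to send, decision)])."""
    code, refs = parse_search_output(text)
    plan = []
    for uri in refs:
        u = urlsplit(uri)
        host = (u.hostname or "").lower()
        dn = unquote(u.path.lstrip("/")).lower()
        # LDAP URL query part is attrs?scope?filter; an empty filter keeps ours
        parts = u.query.split("?")
        new_filter = unquote(parts[2]) if len(parts) > 2 and parts[2] else query_filter
        ok_host = host == trusted_suffix or host.endswith("." + trusted_suffix)
        # Naive string comparison of DNs; a real check would normalise them
        ok_dn = dn == base_dn.lower() or dn.endswith("," + base_dn.lower())
        ok = u.scheme in ("ldap", "ldaps") and ok_host and ok_dn
        plan.append((host, dn, new_filter, "follow" if ok else "reject"))
    return code, plan
```

Each "follow" row is one more query against the Enterprise source, and a row whose filter differs from the original query is a reference that replaced the filter.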

Recommendations

Minimize the number of queries sent to the Enterprise source for any given transaction. This might improve Avaya Aura® Device Services performance, and also minimize the impact on the source.

Base Context

When choosing the base context DN, avoid referrals by choosing the highest granularity for which your enterprise source is authoritative.

Active Directory

The ForestDNSZones, DomainDNSZones, and Configuration partitions are not replicated to the global catalog. Therefore, search requests to the global catalog will not return references to these partitions. If possible, it is advisable to use the global catalog on Active Directory instead of the standard LDAP source.

Multiple Domains

If the Enterprise is built on Active Directory, it is advisable to use the global catalog instead of relying on referrals or references. This might minimize the number of queries. If you use alternate Enterprise sources, you might experience degradation if many or all queries require referral to another source.