You cannot use the distinguishedName attribute to sort an LDAP query in Windows 2000 or in Windows Server 2003 (842637)



The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows 2000 Server

SYMPTOMS

When you try to use the distinguishedName attribute to sort the results of a Lightweight Directory Access Protocol (LDAP) query, you cannot successfully do so. However, when you perform this operation in Microsoft Windows 2000 Server, the specific symptoms are different from the symptoms that occur when you perform this operation in Microsoft Windows Server 2003. Windows 2000 Server returns no error, but it returns an unsorted result set. Windows Server 2003 returns an error code, but the result set is empty.

MORE INFORMATION

You can use a network trace to determine whether the sort operation is the cause of this issue. In the Detail pane of Network Monitor, you may see the requested sort operation, shown as the Sort Request Control entry under LDAP: Controls in the following sample packet:
LDAP: ProtocolOp: SearchRequest (3)
    LDAP: SASL Signature
    LDAP: MessageID = 157 (0x9D)
    LDAP: ProtocolOp = SearchRequest
        LDAP: Base Object =DC=ticehurst,DC=com
        LDAP: Scope = Whole Subtree
        LDAP: Deref Aliases = Never Deref Aliases
        LDAP: Size Limit = 0x00000BB8
        LDAP: Time Limit = 0x00000002
        LDAP: Attrs Only = 0 (0x0)
        LDAP: Filter
            LDAP: Filter Type = And
                LDAP: Filter Type = Equality Match
                    LDAP: Attribute Type =objectCategory
                    LDAP: Attribute Value =OrganizationalUnit
                LDAP: Filter Type = And
                    LDAP: Filter Type = Present
                        LDAP: Attribute Type =postalCode
        LDAP: Attribute Description List
            LDAP: Attribute Type =objectGUID
            LDAP: Attribute Type =ou
            LDAP: Attribute Type =postalCode
            LDAP: Attribute Type =distinguishedName
        LDAP: Controls
            LDAP: Sort Request Control
                LDAP: Criticality = 255 (0xFF)
                LDAP: Sort Request Attribute Type =distinguishedName
                LDAP: Sort Reverse Order = 0 (0x0)
            LDAP: Domain Scope Control
                LDAP: Criticality = 0 (0x0)
            LDAP: Paged Control
                LDAP: Criticality = 255 (0xFF)
                LDAP: Page Size = 11 (0xB)
If you run this query against Windows 2000 Server, the query runs, and the server returns a result set. However, the results are not sorted on the distinguishedName attribute as requested.

When you run this same query against Windows Server 2003, an "Unavailable Critical Extension" error is returned. The following error-description text is part of the LDAP response packet that appears in Network Monitor:
LDAP: ProtocolOp: SearchResponse (simple) (5)
    LDAP: SASL Signature
    LDAP: MessageID = 25 (0x19)
    LDAP: ProtocolOp = SearchResponse (simple)
        LDAP: Result Code = Unavailable Critical Extension
        LDAP: Error Message =0000217A: SvcErr: DSID-031401A2, problem 5010 (UNAVAIL_EXTENSION)
        LDAP: Controls
            LDAP: Sort Response Control
                LDAP: Criticality = 0 (0x0)
                LDAP: Sort Result Code = Inappropriate Matching
            LDAP: Paged Control
                LDAP: Criticality = 0 (0x0)
                LDAP: Page Size = 0 (0x0)
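
The trace check described above can be automated. The following Python script is an added example, not part of the original article: it parses Network Monitor detail text and labels a captured search against the two symptoms. The function names and verdict labels are assumptions made for this example, and the sample packets are constructed by abridging the trace text shown above.

```python
import re

# Constructed samples, abridged from the Network Monitor detail text above.
REQUEST = """\
LDAP: ProtocolOp = SearchRequest
    LDAP: Controls
        LDAP: Sort Request Control
            LDAP: Criticality = 255 (0xFF)
            LDAP: Sort Request Attribute Type =distinguishedName
        LDAP: Paged Control
            LDAP: Page Size = 11 (0xB)
"""
RESPONSE = """\
LDAP: ProtocolOp = SearchResponse (simple)
    LDAP: Result Code = Unavailable Critical Extension
    LDAP: Controls
        LDAP: Sort Response Control
            LDAP: Sort Result Code = Inappropriate Matching
"""

def parse_packet(text):
    """Return (top-level fields, {control name: fields}) from detail-pane text."""
    fields, controls, current, ctl_indent = {}, {}, None, None
    for raw in filter(str.strip, text.splitlines()):
        indent = len(raw) - len(raw.lstrip())
        body = re.sub(r"^LDAP:\s*", "", raw.strip())
        if ctl_indent is not None and indent <= ctl_indent:
            ctl_indent = current = None              # left the Controls block
        key, sep, value = (p.strip() for p in body.partition("="))
        if body == "Controls":
            ctl_indent = indent
        elif ctl_indent is not None and not sep:
            current = controls.setdefault(body, {})  # a control name line
        elif sep:
            (fields if current is None else current)[key] = value
    return fields, controls

def diagnose(request, response=None):
    """Label a captured search against the two symptoms this article describes."""
    sort = parse_packet(request)[1].get("Sort Request Control", {})
    if sort.get("Sort Request Attribute Type", "").lower() != "distinguishedname":
        return "no-dn-sort"
    fields, ctl = parse_packet(response or "")
    sort_rc = ctl.get("Sort Response Control", {}).get("Sort Result Code")
    if (fields.get("Result Code") == "Unavailable Critical Extension"
            and sort_rc == "Inappropriate Matching"):
        return "dn-sort-rejected"    # the Windows Server 2003 symptom
    # No such error seen: Windows 2000 Server returns results, but unsorted.
    return "dn-sort-requested"

if __name__ == "__main__":
    print(diagnose(REQUEST, RESPONSE))
```

A "dn-sort-requested" verdict means the request asked for the server-side sort and no rejection was captured, so the order of the returned entries still has to be checked on the client.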

WORKAROUND

To sort on the distinguishedName attribute, perform the sort operation on the client side instead of on the server side, as in the following sample code:
Const adUseClient = 3
Const adCmdText = 1
Const adSecureAuthentication = 1
Const adLockReadOnly = 1
 
Dim szQuery, g_oCon, g_oCmd, g_oRS
 
szQuery = "<LDAP://billtivpc01.ticehurst.com>;" + _
     "(&(objectCategory=group)(&(distinguishedName=*)));" + _
     "objectGUID, ou, distinguishedName;subtree"
 
Set g_oCon = CreateObject("ADODB.Connection")
Set g_oRS = CreateObject("ADODB.Recordset")
 
g_oCon.Provider = "ADsDSOObject"
g_oCon.Properties("Encrypt Password") = True
g_oCon.Properties("ADSI Flag") = adSecureAuthentication
g_oCon.Open "Active Directory Provider"
 
 
'*** The following server-side sort does not return any results.
'Set g_oCmd = CreateObject("ADODB.Command")
'Set g_oCmd.ActiveConnection = g_oCon
'g_oCmd.Properties("Sort On") = "distinguishedname"
'g_oCmd.CommandType = adCmdText
'g_oCmd.CommandText = szQuery
'g_oRS.Open g_oCmd, , adUseClient, adLockReadOnly
 
 
'*** Instead, the following client-side sort succeeds.
g_oRS.CursorLocation = adUseClient
g_oRS.Sort = "distinguishedname"
g_oRS.Open szQuery, g_oCon, , , adCmdText
 
 
While Not g_oRS.EOF
    WScript.Echo g_oRS.Fields("distinguishedName").Value
    g_oRS.MoveNext
Wend
 
WScript.Quit

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Modification Type: Major
Last Reviewed: 6/25/2004
Keywords: kbprb KB842637 kbAudDeveloper