Referrals in LDAPv2 and LDAPv3

When using the LDAPv3 protocol, Active Directory returns referrals and continuation references in accord with [RFC2251] section 4.5.3. When using the LDAPv2 protocol, Active Directory also returns referrals and continuation references, although these are not part of the LDAPv2 protocol, as defined in [RFC1777].

When Active Directory generates a referral in the LDAPv2 protocol, it sets the resultCode field in the LDAPResult structure (defined in [RFC1777]) to the value 9. This is a value not defined in [RFC1777] or [RFC2251] but that, by convention, is used by LDAPv2 servers to indicate the presence of a referral in the response.

The contents of the referral are conveyed in the errorMessage field of the LDAPResult. This field consists of the string "Referral:", followed by a newline character, followed by one or more LDAPURLs (defined in [RFC2255]). Each LDAPURL is separated by a newline character. The meaning of these LDAPURLs is equivalent to that of an LDAPURL in an LDAPv3 referral; that is, they indicate a server or servers against which the operation can be retried.

Active Directory uses the same mechanism to return continuation references in LDAPv2. When a continuation reference is required, the DC will return a SearchResponse message (defined in [RFC1777]) in which the resultCode and errorMessage fields in the embedded LDAPResult are set as described previously for LDAPv2 referrals. As with the LDAPv2 referrals, the meaning of the LDAPURLs embedded in the errorMessage field is equivalent to their LDAPv3 equivalent; that is, they indicate another server or NC in which the search can be continued.