Re: (ITS#5768) [enhancement] add support for Dereference Control
On Thu, 2008-12-11 at 23:17 +0100, Pierangelo Masarati wrote:
> Andrew Bartlett wrote:
> > On Thu, 2008-10-23 at 00:15 +0200, Pierangelo Masarati wrote:
> >> A tentative implementation is in HEAD, please test. You need to:
> >
> > Thank you very much. I downloaded CVS HEAD and tested it out (finally -
> > the Samba4 side of the implementation took far longer than I expected).
> >
> >> - configure as --enable-deref
> >>
> >> - enable the "deref" overlay in slapd, with "overlay deref" (doesn't
> >> work as global overlay yet, sorry).
> >
> > This is something Samba4 will need, as many of our links are
> > cross-database. But fixing this for a single DB is a big help in any
> > case.
> >
> >> - run searches like
> >>
> >> $ ldapsearch -x -b dc=example,dc=com -E 'deref=member:entryUUID'
> >>
> >> you'll see results like
> >
> > When using Samba4's client, it seems to work, but it is as if it extends
> > the control to the full expected length, but not the data. Ie, attached
> > this is the control response I got back from the 'make testenv'
> > environment in Samba4. I've also attached the full LDAP request.
> >
> > The extra zeros also appear in the OpenLDAP logs (so it's not a Samba4
> > parsing bug).
>
> I've found the bug (erroneous manipulation of octet strings containing
> '\0' octets). The objectSid is octet string-valued. Should be fixed
> now; please test.
While I'm mostly at sea on ASN.1, I don't think OpenLDAP's
implementation matches your IETF draft (if not, an education on subtle
details of ASN.1 will be appreciated).
draft-masarati-ldap-deref-00
> 2.3. Control Response
>
>
> The control type is deref-oid (IANA assigned; see Section 6). The
> specification of the Dereference Control response is:
>
>     controlValue ::= SEQUENCE OF derefRes DerefRes
>
>     DerefRes ::= SEQUENCE {
>         derefAttr AttributeDescription,
>         derefVal LDAPDN,
>         attrVals [0] PartialAttributeList OPTIONAL }
>
>     PartialAttributeList ::= SEQUENCE OF
>         partialAttribute PartialAttribute
>
> PartialAttribute is defined in [RFC4511]; the definition is reported
> here for clarity:
>
>     PartialAttribute ::= SEQUENCE {
>         type AttributeDescription,
>         vals SET OF value AttributeValue }
>
The output of dumpasn1 on the control:
> 0 983: SEQUENCE {
> 4 168: SEQUENCE {
> 7 8: OCTET STRING 'memberOf'
> 17 56: OCTET STRING
> : 'cn=Enterprise Admins,cn=Users,dc=samba,dc=exampl'
> : 'e,dc=com'
> 75 98: [0] {
> 77 51: SEQUENCE {
Shouldn't there be another SEQUENCE { here?
> 79 9: OCTET STRING 'entryUUID'
> 90 38: SET {
> 92 36: OCTET STRING
> '24476f18-5c24-102d-9945-7320c1040f54'
> : }
> : }
> 130 43: SEQUENCE {
> 132 9: OCTET STRING 'objectSid'
> 143 30: SET {
> 145 28: OCTET STRING
> : 01 05 00 00 00 00 00 05 15 00 00 00 AB BE DB 7B
> : 16 72 AE E6 53 BE 65 6F 07 02 00 00
> : }
> : }
> : }
> : }
>
Thanks,
Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
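
The length arithmetic of the dump quoted in the message above, as an added example that is not part of the original message or of OpenLDAP's code: a strict definite-length BER reader for one DerefRes. It assumes `[0]` is IMPLICIT-tagged (the RFC 4511 module default; that the draft inherits it is an assumption here), and the function names and the constructed sample bytes are hypothetical, built to mirror the dump.

```python
# Added example. Assumption: [0] is IMPLICIT (RFC 4511 module default), so
# tag 0xA0 replaces the SEQUENCE OF tag instead of wrapping it.
def tlv(tag, content):  # encode one TLV, short or long definite length
    n = len(content)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = [tag, n] if n < 0x80 else [tag, 0x80 | len(size)] + list(size)
    return bytes(head) + content

def children(buf):
    """Split buf into (tag, value) TLVs; reject truncated or indefinite lengths."""
    out, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated header")
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length >= 0x80:
            n = length & 0x7F
            if n == 0 or pos + n > len(buf):
                raise ValueError("bad length octets")
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("length overruns buffer")
        out.append((tag, buf[pos:pos + length]))  # raw bytes, NULs preserved
        pos += length
    return out

def parse_deref_res(buf):
    """Return (derefAttr, derefVal, {type: [raw value bytes]})."""
    top = children(buf)
    if [t for t, _ in top] != [0x30]:
        raise ValueError("expected exactly one SEQUENCE")
    fields = children(top[0][1])
    if [t for t, _ in fields] not in ([4, 4], [4, 4, 0xA0]):
        raise ValueError("bad DerefRes layout")
    attrs = {}
    for ptag, pval in children(fields[2][1]) if len(fields) == 3 else []:
        parts = children(pval)
        if ptag != 0x30 or [t for t, _ in parts] != [4, 0x31]:
            raise ValueError("bad PartialAttribute (extra wrapper under [0]?)")
        attrs[parts[0][1].decode()] = [v for _, v in children(parts[1][1])]
    return fields[0][1].decode(), fields[1][1].decode(), attrs

# Constructed sample mirroring the quoted dump; SID bytes are from the page.
SID = bytes.fromhex("010500000000000515000000ABBEDB7B1672AEE653BE656F07020000")
def sample(explicit=False):
    pa = lambda name, val: tlv(0x30, tlv(4, name) + tlv(0x31, tlv(4, val)))
    attrs = pa(b"entryUUID", b"24476f18-5c24-102d-9945-7320c1040f54") + pa(b"objectSid", SID)
    dn = b"cn=Enterprise Admins,cn=Users,dc=samba,dc=example,dc=com"
    return tlv(0x30, tlv(4, b"memberOf") + tlv(4, dn)
               + tlv(0xA0, tlv(0x30, attrs) if explicit else attrs))
```

The implicit encoding comes to 171 octets (a 3-octet header plus the 168 shown at offset 4 in the dump), with the `[0]` content being exactly 53 + 45 = 98 octets. An explicitly tagged `[0]` would carry one more SEQUENCE header, two octets longer, and this reader rejects it.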