I realize this may well be off topic, but we are trying to augment a general directory management tool that we are actively developing (Ganymede, http://www.arlut.utexas.edu/gash2/) so that it can do management of users in an Active Directory server. We are using a Python program and the OpenLDAP client libraries to communicate with it, but we are having difficulty writing to the ntSecurityDescriptor attribute. We've written code to do the binary parsing, deconstruction, and reconstruction of the contents of the ntSecurityDescriptor, but when we send it to AD, it doesn't go, reporting a 'SERVER UNWILLING TO PERFORM, ERROR #53'.

I've found that ntSecurityDescriptor is specified using a syntax OID of 1.2.840.113556.1.4.907, which is specific to Microsoft. I suppose what my question comes down to is, do the OpenLDAP client libraries require knowledge of the specific syntax OID (such as above) in order to properly generate the ASN.1/BER encoding of the attribute? Or do the OpenLDAP client libraries not care about the syntax OID?

We're treating the attribute as a simple octet string, and we're able to read it fine, so I would imagine that reversing it and just sending the same octet string back should work, but in fact it does not. We get the same error even if we send back the exact same octet string we retrieve. Does this seem indicative of a syntax/encoding problem? Do the client libraries even care about syntax OIDs?

Thanks,

Jon

--
-------------------------------------------------------------------------------
Jonathan Abbey                                 jonabbey@arlut.utexas.edu
Applied Research Laboratories                  The University of Texas at Austin
GPG Key: 71767586 at keyserver pgp.mit.edu, http://www.ganymeta.org/workkey.gpg
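For readers unfamiliar with what the octet string in ntSecurityDescriptor actually contains, the following is an added example (not code from the post or from the Ganymede project) that parses the self-relative SECURITY_DESCRIPTOR layout the attribute carries: a 20-byte header with control flags and four offsets, followed by owner and group SIDs and the SACL/DACL. The 80-byte sample descriptor is constructed for the example (owner and group BUILTIN\Administrators, one DACL entry granting GENERIC_READ to Everyone), and the reader is assumed to have fetched the attribute as raw bytes, e.g. via python-ldap.

```python
import struct

# Control bits from the SECURITY_DESCRIPTOR header
SE_DACL_PRESENT = 0x0004
SE_SACL_PRESENT = 0x0010
SE_SELF_RELATIVE = 0x8000

# Constructed sample: header, owner SID, group SID, DACL with one ACE (80 bytes)
SAMPLE_SD = bytes.fromhex(
    "01 00 04 80  14000000 24000000 00000000 34000000"  # rev 1, ctl 0x8004, offsets
    "01 02 000000000005 20000000 20020000"              # owner S-1-5-32-544
    "01 02 000000000005 20000000 20020000"              # group S-1-5-32-544
    "02 00 1c00 0100 0000"                              # ACL rev 2, 28 bytes, 1 ACE
    "00 00 1400 00000080 01 01 000000000001 00000000"   # ALLOW GENERIC_READ to S-1-1-0
)


def parse_sid(buf, off):
    """Decode a binary SID at offset into its S-1-... string form."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 48-bit big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)   # little-endian RIDs
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)


def parse_acl(buf, off):
    """Decode an ACL header and its ACEs (type, flags, access mask, trustee SID)."""
    rev, _, size, count, _ = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        aces.append({"type": ace_type, "flags": ace_flags, "mask": mask,
                     "sid": parse_sid(buf, pos + 8)})
        pos += ace_size  # AceSize covers header, mask and the trustee SID
    return {"revision": rev, "size": size, "aces": aces}


def parse_security_descriptor(buf):
    """Parse a self-relative descriptor as returned in ntSecurityDescriptor."""
    rev, _, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative SECURITY_DESCRIPTOR")
    sd = {"control": control, "owner": None, "group": None, "sacl": None, "dacl": None}
    if o_owner:
        sd["owner"] = parse_sid(buf, o_owner)
    if o_group:
        sd["group"] = parse_sid(buf, o_group)
    if control & SE_SACL_PRESENT and o_sacl:  # a zero offset means the ACL is absent
        sd["sacl"] = parse_acl(buf, o_sacl)
    if control & SE_DACL_PRESENT and o_dacl:
        sd["dacl"] = parse_acl(buf, o_dacl)
    return sd
```

Note that an AD write of this attribute is normally scoped with the LDAP_SERVER_SD_FLAGS_OID control (1.2.840.113556.1.4.801) to the parts the bound account may change, typically the DACL alone; sending the whole descriptor back without that control asks the server to rewrite the owner and SACL as well, which it will commonly refuse.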