OpenLDAP

Viewing Development/5768

From: ando@sys-net.it
Subject: [enhancement] add support for Dereference Control
Date: Wed, 22 Oct 2008 20:18:19 GMT
From: ando@sys-net.it
To: openldap-its@OpenLDAP.org
Subject: [enhancement] add support for Dereference Control
Full_Name: Pierangelo Masarati
Version: HEAD
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (81.72.89.40)
Submitted by: ando


See <http://www.openldap.org/lists/openldap-devel/200810/msg00105.html>
and
<https://www.redhat.com/archives/fedora-directory-devel/2008-October/msg00003.html>
for discussion.

p.


Followup 1

Date: Thu, 23 Oct 2008 00:15:50 +0200
From: Pierangelo Masarati <ando@sys-net.it>
To: openldap-its@openldap.org
CC: Andrew Bartlett <abartlet@samba.org>
Subject: Re: (ITS#5768) [enhancement] add support for Dereference Control
A tentative implementation is in HEAD, please test.  You need to:

- configure as --enable-deref

- enable the "deref" overlay in slapd, with "overlay deref" (doesn't
work as global overlay yet, sorry).

- run searches like

$ ldapsearch -x -b dc=example,dc=com -E 'deref=member:entryUUID'

you'll see results like

# Alumni Assoc Staff, Groups, example.com
dn: cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com
control: 1.3.6.1.4.1.4203.666.5.16 false MIIDgjBdBAZtZW1iZXIEHGNuPU1hbmFnZXIsZ
  GM9ZXhhbXBsZSxkYz1jb22gNTAzBAllbnRyeVVVSUQxJgQkMjlkNTNiZjQtMzRhYi0xMDJkLThhNz
  MtYWI0MTM2OTEyOTExMIGFBAZtZW1iZXIERGNuPURvcm90aHkgU3RldmVucyxvdT1BbHVtbmkgQXN
  zb2NpYXRpb24sb3U9UGVvcGxlLGRjPWV4YW1wbGUsZGM9Y29toDUwMwQJZW50cnlVVUlEMSYEJDI5
  ZDNhNzQ0LTM0YWItMTAyZC04YTZjLWFiNDEzNjkxMjkxMTCBhQQGbWVtYmVyBERjbj1KYW1lcyBBI
  EpvbmVzIDEsb3U9QWx1bW5pIEFzc29jaWF0aW9uLG91PVBlb3BsZSxkYz1leGFtcGxlLGRjPWNvba
  A1MDMECWVudHJ5VVVJRDEmBCQyOWQ0MTM5Ni0zNGFiLTEwMmQtOGE2ZS1hYjQxMzY5MTI5MTEwfgQ
  GbWVtYmVyBD1jbj1KYW5lIERvZSxvdT1BbHVtbmkgQXNzb2NpYXRpb24sb3U9UGVvcGxlLGRjPWV4
  YW1wbGUsZGM9Y29toDUwMwQJZW50cnlVVUlEMSYEJDI5ZDQ4ZTQ4LTM0YWItMTAyZC04YTcwLWFiN
  DEzNjkxMjkxMTCBhAQGbWVtYmVyBENjbj1KZW5uaWZlciBTbWl0aCxvdT1BbHVtbmkgQXNzb2NpYX
  Rpb24sb3U9UGVvcGxlLGRjPWV4YW1wbGUsZGM9Y29toDUwMwQJZW50cnlVVUlEMSYEJDI5ZDRhNjR
  lLTM0YWItMTAyZC04YTcxLWFiNDEzNjkxMjkxMTCBgQQGbWVtYmVyBEBjbj1NYXJrIEVsbGlvdCxv
  dT1BbHVtbmkgQXNzb2NpYXRpb24sb3U9UGVvcGxlLGRjPWV4YW1wbGUsZGM9Y29toDUwMwQJZW50c
  nlVVUlEMSYEJDI5ZDU1NGY0LTM0YWItMTAyZC04YTc0LWFiNDEzNjkxMjkxMTCBhQQGbWVtYmVyBE
  Rjbj1VcnN1bGEgSGFtcHN0ZXIsb3U9QWx1bW5pIEFzc29jaWF0aW9uLG91PVBlb3BsZSxkYz1leGF
  tcGxlLGRjPWNvbaA1MDMECWVudHJ5VVVJRDEmBCQyOWQ1OGVkOC0zNGFiLTEwMmQtOGE3NS1hYjQx
  MzY5MTI5MTE=
# member: <entryUUID=29d53bf4-34ab-102d-8a73-ab4136912911>;cn=Manager,dc=example,dc=com
# member: <entryUUID=29d3a744-34ab-102d-8a6c-ab4136912911>;cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example,dc=com
# member: <entryUUID=29d41396-34ab-102d-8a6e-ab4136912911>;cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
# member: <entryUUID=29d48e48-34ab-102d-8a70-ab4136912911>;cn=Jane Doe,ou=Alumni Association,ou=People,dc=example,dc=com
# member: <entryUUID=29d4a64e-34ab-102d-8a71-ab4136912911>;cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com
# member: <entryUUID=29d554f4-34ab-102d-8a74-ab4136912911>;cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
# member: <entryUUID=29d58ed8-34ab-102d-8a75-ab4136912911>;cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
member: cn=Manager,dc=example,dc=com
member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example,dc=com
member: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
member: cn=Jane Doe,ou=Alumni Association,ou=People,dc=example,dc=com
member: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com
member: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
member: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
owner: cn=Manager,dc=example,dc=com
description: All Alumni Assoc Staff
cn: Alumni Assoc Staff
objectClass: groupOfNames


The related C API is in libraries/libldap/deref.c; as a guideline, you can look
at clients/tools/ldapsearch.c, which creates the control and parses the response
in order to print it in extended DN style.

The current specification is formalized in a comment in overlays/deref.c; I
intend to improve it and post it at
<http://www.openldap.org/faq/data/cache/1469.html>.

Please report through the ITS.

p.





Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------



Followup 2

Date: Fri, 24 Oct 2008 14:35:12 +0200
From: Pierangelo Masarati <ando@sys-net.it>
To: openldap-its@openldap.org
Subject: ITS#5768 - design considerations
ando@OpenLDAP.org wrote:

> Log Message:
> forgot access control...


Probably the current implementation is far from optimal, since it makes
use of over_entry_get_rw() and thus:

- requires applying ACLs within the overlay
- prevents other overlays from interoperating
- prevents the overlay from being instantiated as global

Probably, an internal search with scope "base" would be better.

p.





Followup 3

From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Fri, 24 Oct 2008 14:56:16 +0200
To: ando@sys-net.it
Cc: openldap-its@openldap.org
Subject: Re: (ITS#5768) [enhancement] add support for Dereference Control
ando@sys-net.it writes:
> The current specification is formalized in a comment in
> overlays/deref.c; I intend to improve it and post it at
> <http://www.openldap.org/faq/data/cache/1469.html>.

You've specified the syntax, but not the semantics.  I don't see
any mention there of what this control does, though I suppose the
examples help if one knows what a GUID and a SID are.

BTW, possibly "deref(erence)" is a confusing name for the control,
since it is apparently not related to aliases.

-- 
Hallvard



Followup 4

Date: Fri, 24 Oct 2008 06:14:32 -0700
From: Howard Chu <hyc@symas.com>
To: h.b.furuseth@usit.uio.no
CC: openldap-its@openldap.org
Subject: Re: (ITS#5768) [enhancement] add support for Dereference Control
h.b.furuseth@usit.uio.no wrote:
> ando@sys-net.it writes:
>> The current specification is formalized in a comment in
>> overlays/deref.c; I intend to improve it and post it at
>> <http://www.openldap.org/faq/data/cache/1469.html>.
>
> You've specified the syntax, but not the semantics.  I don't see
> any mention there of what this control does, though I suppose the
> examples help if one knows what a GUID and a SID are.

It doesn't matter what a GUID or SID is, aside from being attributes of an entry
that was referenced by a search response entry.

> BTW, possibly "deref(erence)" is a confusing name for the control,
> since it is apparently not related to aliases.

Oh please. Nor is it related to referrals or search references, and yet these 
are all references, and "dereference" applies to them equally.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 5

Date: Fri, 24 Oct 2008 15:32:28 +0200
From: Pierangelo Masarati <ando@sys-net.it>
To: h.b.furuseth@usit.uio.no
CC: openldap-its@openldap.org
Subject: Re: (ITS#5768) [enhancement] add support for Dereference Control
h.b.furuseth@usit.uio.no wrote:
> ando@sys-net.it writes:
>> The current specification is formalized in a comment in
>> overlays/deref.c; I intend to improve it and post it at
>> <http://www.openldap.org/faq/data/cache/1469.html>.
> 
> You've specified the syntax, but not the semantics.  I don't see
> any mention there of what this control does, though I suppose the
> examples help if one knows what a GUID and a SID are.

I will, in a more detailed document.

> BTW, possibly "deref(erence)" is a confusing name for the control,
> since it is apparently not related to aliases.

"Dereference" means take DN-valued attributes, look up the requested
attributes from their entry and present the whole thing (name + attrs)
as the control value.  So

ldapsearch -E deref=member:cn,sn

will return a control value consisting of sequences of member values
contained in the search, plus the corresponding values of cn and sn.

p.





Followup 6

From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Fri, 24 Oct 2008 15:43:31 +0200
To: Howard Chu <hyc@symas.com>
Cc: openldap-its@openldap.org
Subject: Re: (ITS#5768) [enhancement] add support for Dereference Control
Howard Chu writes:
>> BTW, possibly "deref(erence)" is a confusing name for the control,
>> since it is apparently not related to aliases.
> 
> Oh please. Nor is it related to referrals or search references, and yet
> these are all references, and "dereference" applies to them equally.

Actually the docs do use different names for that - "follow"/"chase"
referrals, or "chain" on the server side, vs. "deref"erence aliases.
So if this is a new operation, I figured it wouldn't hurt to look for
another word for whatever it is doing.  But sure, it's no big thing.
And in that regard it can already be a bit confusing that it's aliases
and not referrals & search references which are "deref"erenced.

-- 
Hallvard



Followup 7

Subject: Re: (ITS#5768) [enhancement] add support for Dereference Control
From: Andrew Bartlett <abartlet@samba.org>
To: Pierangelo Masarati <ando@sys-net.it>
Cc: openldap-its@openldap.org
Date: Tue, 11 Nov 2008 14:52:30 +1100
On Thu, 2008-10-23 at 00:15 +0200, Pierangelo Masarati wrote:
> A tentative implementation is in HEAD, please test.  You need to:

I just wanted to say thank you very much for doing this.  The Samba side
of things has taken far longer than I ever imagined, but I hope to look
at the OpenLDAP integration this or next week.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com





Followup 8

Date: Mon, 10 Nov 2008 20:18:08 -0800
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: abartlet@samba.org, openldap-its@openldap.org
Subject: Re: (ITS#5768) [enhancement] add support for Dereference Control
--On Tuesday, November 11, 2008 3:52 AM +0000 abartlet@samba.org wrote:

> On Thu, 2008-10-23 at 00:15 +0200, Pierangelo Masarati wrote:
>> A tentative implementation is in HEAD, please test.  You need to:
>
> I just wanted to say thank you very much for doing this.  The Samba side
> of things has taken far longer than I ever imagined, but I hope to look
> at the OpenLDAP integration this or next week.

It was added to RE24 today, for inclusion in 2.4.13, so getting feedback 
would be great.

--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration



Followup 9

Subject: Re: (ITS#5768) [enhancement] add support for Dereference Control
From: Andrew Bartlett <abartlet@samba.org>
To: Pierangelo Masarati <ando@sys-net.it>
Cc: openldap-its@openldap.org
Date: Thu, 11 Dec 2008 12:22:07 +1100
On Thu, 2008-10-23 at 00:15 +0200, Pierangelo Masarati wrote:
> A tentative implementation is in HEAD, please test.  You need to:

Thank you very much.  I downloaded CVS HEAD and tested it out (finally -
the Samba4 side of the implementation took far longer than I expected).

> - configure as --enable-deref
>
> - enable the "deref" overlay in slapd, with "overlay deref" (doesn't
> work as global overlay yet, sorry).

This is something Samba4 will need, as many of our links are
cross-database.  But fixing this for a single DB is a big help in any
case.

> - run searches like
>
> $ ldapsearch -x -b dc=example,dc=com -E 'deref=member:entryUUID'
>
> you'll see results like

When using Samba4's client, it seems to work, but it is as if it extends
the control to the full expected length, but not the data.  I.e., attached
this is the control response I got back from the 'make testenv'
environment in Samba4.  I've also attached the full LDAP request.

The extra zeros also appear in the OpenLDAP logs (so it's not a Samba4
parsing bug).

I can make the Samba4 tree that reproduces this available as a GIT
repository if you like.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

Content-Disposition: attachment; filename=control
Content-Disposition: attachment; filename=request


Followup 10

Subject: Re: (ITS#5768) [enhancement] add support for Dereference Control
From: Andrew Bartlett <abartlet@samba.org>
To: Pierangelo Masarati <ando@sys-net.it>
Cc: openldap-its@openldap.org
Date: Thu, 11 Dec 2008 15:42:20 +1100
On Thu, 2008-12-11 at 12:22 +1100, Andrew Bartlett wrote:
> On Thu, 2008-10-23 at 00:15 +0200, Pierangelo Masarati wrote:
> > A tentative implementation is in HEAD, please test.  You need to:
>
> Thank you very much.  I downloaded CVS HEAD and tested it out (finally -
> the Samba4 side of the implementation took far longer than I expected).
>
> > - configure as --enable-deref
> >
> > - enable the "deref" overlay in slapd, with "overlay deref" (doesn't
> > work as global overlay yet, sorry).
>
> This is something Samba4 will need, as many of our links are
> cross-database.  But fixing this for a single DB is a big help in any
> case.
>
> > - run searches like
> >
> > $ ldapsearch -x -b dc=example,dc=com -E 'deref=member:entryUUID'
> >
> > you'll see results like
>
> When using Samba4's client, it seems to work, but it is as if it extends
> the control to the full expected length, but not the data.  I.e., attached
> this is the control response I got back from the 'make testenv'
> environment in Samba4.  I've also attached the full LDAP request.
>
> The extra zeros also appear in the OpenLDAP logs (so it's not a Samba4
> parsing bug).
>
> I can make the Samba4 tree that reproduces this available as a GIT
> repository if you like.

To reproduce:

In a checkout from git://git.samba.org/abartlet/samba.git master run:
OPENLDAP_ROOT=/usr/local/ TEST_LDAP=yes make testenv

Then in the xterm that pops up, run:

bin/ldbsearch -H ldap://localdc1 cn=administrator --controls=extended_dn:1:1

This will not return the extended DN (compare with TEST_LDAP=no),
because it fails to parse the returned control in
libcli/ldap/ldap_controls.c (I suspect my parser also needs work)

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.




Followup 11

Date: Thu, 11 Dec 2008 23:17:44 +0100
From: Pierangelo Masarati <ando@sys-net.it>
To: Andrew Bartlett <abartlet@samba.org>
CC: openldap-its@openldap.org
Subject: Re: (ITS#5768) [enhancement] add support for Dereference Control
Andrew Bartlett wrote:
> On Thu, 2008-10-23 at 00:15 +0200, Pierangelo Masarati wrote:
>> A tentative implementation is in HEAD, please test.  You need to:
> 
> Thank you very much.  I downloaded CVS HEAD and tested it out (finally -
> the Samba4 side of the implementation took far longer than I expected).
> 
>> - configure as --enable-deref
>>
>> - enable the "deref" overlay in slapd, with "overlay deref" (doesn't
>> work as global overlay yet, sorry).
> 
> This is something Samba4 will need, as many of our links are
> cross-database.  But fixing this for a single DB is a big help in any
> case.
> 
>> - run searches like
>>
>> $ ldapsearch -x -b dc=example,dc=com -E 'deref=member:entryUUID'
>>
>> you'll see results like
> 
> When using Samba4's client, it seems to work, but it is as if it extends
> the control to the full expected length, but not the data.  Ie, attached
> this is the control response I got back from the 'make testenv'
> environment in Samba4.  I've also attached the full LDAP request.
> 
> The extra zeros also appear in the OpenLDAP logs (so it's not a Samba4
> parsing bug).

I've found the bug (erroneous manipulation of octet strings containing 
'\0' octets).  The objectSid is octet string-valued.  Should be fixed 
now; please test.

p.





Followup 12

Date: Thu, 11 Dec 2008 23:22:46 +0100
From: Pierangelo Masarati <ando@sys-net.it>
To: Andrew Bartlett <abartlet@samba.org>
CC: openldap-its@openldap.org
Subject: Re: (ITS#5768) [enhancement] add support for Dereference Control
Andrew Bartlett wrote:
> On Thu, 2008-10-23 at 00:15 +0200, Pierangelo Masarati wrote:
>> A tentative implementation is in HEAD, please test.  You need to:
> 
> Thank you very much.  I downloaded CVS HEAD and tested it out (finally -
> the Samba4 side of the implementation took far longer than I expected).
> 
>> - configure as --enable-deref
>>
>> - enable the "deref" overlay in slapd, with "overlay deref" (doesn't
>> work as global overlay yet, sorry).
> 
> This is something Samba4 will need, as many of our links are
> cross-database.  But fixing this for a single DB is a big help in any
> case.

Apparently this was fixed during the overlay's shakedown, as it seems to 
work as expected when only instantiated as global.  In fact, nothing was 
preventing it from working this way by design, it only didn't work at 
some point of its evolution.  Please test.

p.





Followup 13

Subject: Re: (ITS#5768) [enhancement] add support for Dereference Control
From: Andrew Bartlett <abartlet@samba.org>
To: Pierangelo Masarati <ando@sys-net.it>
Cc: openldap-its@openldap.org
Date: Fri, 12 Dec 2008 11:16:23 +1100
On Thu, 2008-12-11 at 23:17 +0100, Pierangelo Masarati wrote:
> Andrew Bartlett wrote:
> > On Thu, 2008-10-23 at 00:15 +0200, Pierangelo Masarati wrote:
> >> A tentative implementation is in HEAD, please test.  You need to:
> >
> > Thank you very much.  I downloaded CVS HEAD and tested it out (finally -
> > the Samba4 side of the implementation took far longer than I expected).
> >
> >> - configure as --enable-deref
> >>
> >> - enable the "deref" overlay in slapd, with "overlay deref" (doesn't
> >> work as global overlay yet, sorry).
> >
> > This is something Samba4 will need, as many of our links are
> > cross-database.  But fixing this for a single DB is a big help in any
> > case.
> >
> >> - run searches like
> >>
> >> $ ldapsearch -x -b dc=example,dc=com -E 'deref=member:entryUUID'
> >>
> >> you'll see results like
> >
> > When using Samba4's client, it seems to work, but it is as if it extends
> > the control to the full expected length, but not the data.  I.e., attached
> > this is the control response I got back from the 'make testenv'
> > environment in Samba4.  I've also attached the full LDAP request.
> >
> > The extra zeros also appear in the OpenLDAP logs (so it's not a Samba4
> > parsing bug).
>
> I've found the bug (erroneous manipulation of octet strings containing
> '\0' octets).  The objectSid is octet string-valued.  Should be fixed
> now; please test.

While I'm mostly at sea on ASN.1, I don't think OpenLDAP's
implementation matches your IETF draft (if not, an education on subtle
details of ASN.1 will be appreciated).

draft-masarati-ldap-deref-00


> 2.3.  Control Response
>
>
> The control type is deref-oid (IANA assigned; see Section 6). The
> specification of the Dereference Control response is:
>
> controlValue ::= SEQUENCE OF derefRes DerefRes
>
> DerefRes ::= SEQUENCE {
> derefAttr AttributeDescription,
> derefVal LDAPDN,
> attrVals [0] PartialAttributeList OPTIONAL }
>
> PartialAttributeList ::= SEQUENCE OF
> partialAttribute PartialAttribute
>
> PartialAttribute is defined in [RFC4511]; the definition is reported
> here for clarity:
>
> PartialAttribute ::= SEQUENCE {
> type AttributeDescription,
> vals SET OF value AttributeValue }
>

the output of dumpasn1 on the control:

>    0  983: SEQUENCE {
>    4  168:   SEQUENCE {
>    7    8:     OCTET STRING 'memberOf'
>   17   56:     OCTET STRING
>          :       'cn=Enterprise Admins,cn=Users,dc=samba,dc=exampl'
>          :       'e,dc=com'
>   75   98:     [0] {
>   77   51:       SEQUENCE {

Shouldn't there be another SEQUENCE { here?

>   79    9:         OCTET STRING 'entryUUID'
>   90   38:         SET {
>   92   36:           OCTET STRING
> '24476f18-5c24-102d-9945-7320c1040f54'
>          :           }
>          :         }
> 130   43:       SEQUENCE {
> 132    9:         OCTET STRING 'objectSid'
> 143   30:         SET {
> 145   28:           OCTET STRING
>          :             01 05 00 00 00 00 00 05 15 00 00 00 AB BE DB 7B
>          :             16 72 AE E6 53 BE 65 6F 07 02 00 00
>          :           }
>          :         }
>          :       }
>          :     }
>

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.




Followup 14

Subject: Re: (ITS#5768) [enhancement] add support for Dereference Control
From: Andrew Bartlett <abartlet@samba.org>
To: Pierangelo Masarati <ando@sys-net.it>
Cc: openldap-its@openldap.org
Date: Fri, 12 Dec 2008 14:23:37 +1100
On Thu, 2008-12-11 at 23:22 +0100, Pierangelo Masarati wrote:
> Andrew Bartlett wrote:
> > On Thu, 2008-10-23 at 00:15 +0200, Pierangelo Masarati wrote:
> >> A tentative implementation is in HEAD, please test.  You need to:
> >
> > Thank you very much.  I downloaded CVS HEAD and tested it out (finally -
> > the Samba4 side of the implementation took far longer than I expected).
> >
> >> - configure as --enable-deref
> >>
> >> - enable the "deref" overlay in slapd, with "overlay deref" (doesn't
> >> work as global overlay yet, sorry).
> >
> > This is something Samba4 will need, as many of our links are
> > cross-database.  But fixing this for a single DB is a big help in any
> > case.
>
> Apparently this was fixed during the overlay's shakedown, as it seems to
> work as expected when only instantiated as global.  In fact, nothing was
> preventing it from working this way by design, it only didn't work at
> some point of its evolution.  Please test.

Indeed, it works well as a global.  Thanks!

My only issue remaining is the clarification over the ASN.1 encoding of
the control.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.




Followup 15

Date: Fri, 12 Dec 2008 08:50:50 +0100
From: Pierangelo Masarati <ando@sys-net.it>
To: Andrew Bartlett <abartlet@samba.org>
CC: openldap-its@openldap.org
Subject: Re: (ITS#5768) [enhancement] add support for Dereference Control
Andrew Bartlett wrote:
> On Thu, 2008-12-11 at 23:17 +0100, Pierangelo Masarati wrote:
>> Andrew Bartlett wrote:
>>> On Thu, 2008-10-23 at 00:15 +0200, Pierangelo Masarati wrote:
>>>> A tentative implementation is in HEAD, please test.  You need to:
>>> Thank you very much.  I downloaded CVS HEAD and tested it out (finally -
>>> the Samba4 side of the implementation took far longer than I expected).
>>>
>>>> - configure as --enable-deref
>>>>
>>>> - enable the "deref" overlay in slapd, with "overlay deref" (doesn't
>>>> work as global overlay yet, sorry).
>>> This is something Samba4 will need, as many of our links are
>>> cross-database.  But fixing this for a single DB is a big help in any
>>> case.
>>>
>>>> - run searches like
>>>>
>>>> $ ldapsearch -x -b dc=example,dc=com -E 'deref=member:entryUUID'
>>>>
>>>> you'll see results like
>>> When using Samba4's client, it seems to work, but it is as if it extends
>>> the control to the full expected length, but not the data.  I.e., attached
>>> this is the control response I got back from the 'make testenv'
>>> environment in Samba4.  I've also attached the full LDAP request.
>>>
>>> The extra zeros also appear in the OpenLDAP logs (so it's not a Samba4
>>> parsing bug).
>> I've found the bug (erroneous manipulation of octet strings containing
>> '\0' octets).  The objectSid is octet string-valued.  Should be fixed
>> now; please test.
> 
> While I'm mostly at sea on ASN.1, I don't think the OpenLDAP's
> implementation matches your IETF draft (if not, an education on subtle
> details of ASN.1 will be appreciated)
> 
> draft-masarati-ldap-deref-00
> 
> 
>> 2.3.  Control Response
>>
>>
>> The control type is deref-oid (IANA assigned; see Section 6). The
>> specification of the Dereference Control response is:
>>
>> controlValue ::= SEQUENCE OF derefRes DerefRes
>>
>> DerefRes ::= SEQUENCE {
>> derefAttr AttributeDescription,
>> derefVal LDAPDN,
>> attrVals [0] PartialAttributeList OPTIONAL }
>>
>> PartialAttributeList ::= SEQUENCE OF
>> partialAttribute PartialAttribute
>>
>> PartialAttribute is defined in [RFC4511]; the definition is reported
>> here for clarity:
>>
>> PartialAttribute ::= SEQUENCE {
>> type AttributeDescription,
>> vals SET OF value AttributeValue }
>>
> 
> the output of dumpasn1 on the control:
> 
>>    0  983: SEQUENCE {
>>    4  168:   SEQUENCE {
>>    7    8:     OCTET STRING 'memberOf'
>>   17   56:     OCTET STRING
>>          :       'cn=Enterprise Admins,cn=Users,dc=samba,dc=exampl'
>>          :       'e,dc=com'
>>   75   98:     [0] {
>>   77   51:       SEQUENCE {
> 
> Shouldn't there be another SEQUENCE { here?

Well, that was my intention when I ber_printf("{{OOt{{O[W]}{O[W]}}}}"), 
which, AFAIK, means:
	"{"	SEQUENCE
	"{"	SEQUENCE
	"OO"	derefAttr, derefVal
	"t"	[0]
	"{"	SEQUENCE
	"{O[W]}"	SEQUENCE, type, SET OF vals

Am I missing anything?  Couldn't "[0] {" be a shortcut in dumpasn1 to 
indicate SEQUENCE OF and the presence of a context+constructed tag?

Looking at the raw data of an example, I see a sequence

240  126  060  063  004  011

which means:

240 context + constructed
126 (the length, 86 octets)
060 sequence
063 (the length, 51 octets)
004 octet string
011 (the length, 9 octets: "entryUUID")

I'm not an expert in ASN.1, but from what I infer by looking at LDAP 
specs and at OpenLDAP implementation, this is consistent with the way 
similar cases are dealt with (e.g. the "Controls" at the end of a 
request message).

p.

> 
>>   79    9:         OCTET STRING 'entryUUID'
>>   90   38:         SET {
>>   92   36:           OCTET STRING
>> '24476f18-5c24-102d-9945-7320c1040f54'
>>          :           }
>>          :         }
>> 130   43:       SEQUENCE {
>> 132    9:         OCTET STRING 'objectSid'
>> 143   30:         SET {
>> 145   28:           OCTET STRING
>>          :             01 05 00 00 00 00 00 05 15 00 00 00 AB BE DB 7B
>>          :             16 72 AE E6 53 BE 65 6F 07 02 00 00
>>          :           }
>>          :         }
>>          :       }
>>          :     }
>>
> 
> Thanks,
> 
> Andrew Bartlett
> 





Followup 16

Subject: Re: (ITS#5768) [enhancement] add support for Dereference Control
From: Andrew Bartlett <abartlet@samba.org>
To: Pierangelo Masarati <ando@sys-net.it>
Cc: openldap-its@openldap.org
Date: Tue, 06 Jan 2009 15:49:49 +1100
On Fri, 2008-12-12 at 14:23 +1100, Andrew Bartlett wrote:
> On Thu, 2008-12-11 at 23:22 +0100, Pierangelo Masarati wrote:
> > Andrew Bartlett wrote:
> > > On Thu, 2008-10-23 at 00:15 +0200, Pierangelo Masarati wrote:
> > >> A tentative implementation is in HEAD, please test.  You need to:
> > >
> > > Thank you very much.  I downloaded CVS HEAD and tested it out (finally -
> > > the Samba4 side of the implementation took far longer than I expected).
> > >
> > >> - configure as --enable-deref
> > >>
> > >> - enable the "deref" overlay in slapd, with "overlay deref" (doesn't
> > >> work as global overlay yet, sorry).
> > >
> > > This is something Samba4 will need, as many of our links are
> > > cross-database.  But fixing this for a single DB is a big help in any
> > > case.
> >
> > Apparently this was fixed during the overlay's shakedown, as it seems to
> > work as expected when only instantiated as global.  In fact, nothing was
> > preventing it from working this way by design, it only didn't work at
> > some point of its evolution.  Please test.
>
> Indeed, it works well as a global.  Thanks!
>
> My only issue remaining is the clarification over the ASN.1 encoding of
> the control.

While I'm still confused about the ASN.1, I've coded to match OpenLDAP's
current behaviour.

The deref overlay seems to be working well.  Many thanks!

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.




Followup 17

Date: Sat, 24 Jan 2009 15:55:20 +0100
From: Pierangelo Masarati <ando@sys-net.it>
To: Andrew Bartlett <abartlet@samba.org>
CC: openldap-its@openldap.org
Subject: Re: (ITS#5768) [enhancement] add support for Dereference Control
Andrew Bartlett wrote:

> While I'm still confused about the ASN.1, I've coded to match OpenLDAP's
> current behaviour.
> 
> The deref overlay seems to be working well.  Many thanks!

Cool.  I'd appreciate some definitive review of the correspondence of 
the implementation with respect to the draft (draft-masarati-ldap-deref 
in docs/draft, or from the IETF ID interface).  That's the best I could 
put in place so far.

p.




The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

© Copyright 2010, OpenLDAP Foundation, info@OpenLDAP.org