Re: (ITS#5768) [enhancement] add support for Dereference Control
Andrew Bartlett wrote:
> On Thu, 2008-12-11 at 23:17 +0100, Pierangelo Masarati wrote:
>> Andrew Bartlett wrote:
>>> On Thu, 2008-10-23 at 00:15 +0200, Pierangelo Masarati wrote:
>>>> A tentative implementation is in HEAD, please test. You need to:
>>> Thank you very much. I downloaded CVS HEAD and tested it out (finally -
>>> the Samba4 side of the implementation took far longer than I expected).
>>>
>>>> - configure as --enable-deref
>>>>
>>>> - enable the "deref" overlay in slapd, with "overlay deref" (doesn't
>>>> work as global overlay yet, sorry).
>>> This is something Samba4 will need, as many of our links are
>>> cross-database. But fixing this for a single DB is a big help in any
>>> case.
>>>
>>>> - run searches like
>>>>
>>>> $ ldapsearch -x -b dc=example,dc=com -E 'deref=member:entryUUID'
>>>>
>>>> you'll see results like
>>> When using Samba4's client, it seems to work, but it is as if it extends
>>> the control to the full expected length, but not the data. I.e., attached
>>> is the control response I got back from the 'make testenv'
>>> environment in Samba4. I've also attached the full LDAP request.
>>>
>>> The extra zeros also appear in the OpenLDAP logs (so it's not a Samba4
>>> parsing bug).
>> I've found the bug (erroneous manipulation of octet strings containing
>> '\0' octets). The objectSid is octet string-valued. Should be fixed
>> now; please test.
>
> While I'm mostly at sea on ASN.1, I don't think the OpenLDAP's
> implementation matches your IETF draft (if not, an education on subtle
> details of ASN.1 will be appreciated)
>
> draft-masarati-ldap-deref-00
>
>
>> 2.3. Control Response
>>
>>
>> The control type is deref-oid (IANA assigned; see Section 6). The
>> specification of the Dereference Control response is:
>>
>>     controlValue ::= SEQUENCE OF derefRes DerefRes
>>
>>     DerefRes ::= SEQUENCE {
>>         derefAttr       AttributeDescription,
>>         derefVal        LDAPDN,
>>         attrVals        [0] PartialAttributeList OPTIONAL }
>>
>>     PartialAttributeList ::= SEQUENCE OF
>>         partialAttribute PartialAttribute
>>
>> PartialAttribute is defined in [RFC4511]; the definition is reported
>> here for clarity:
>>
>>     PartialAttribute ::= SEQUENCE {
>>         type       AttributeDescription,
>>         vals       SET OF value AttributeValue }
>>
>
> the output of dumpasn1 on the control:
>
>> 0 983: SEQUENCE {
>> 4 168: SEQUENCE {
>> 7 8: OCTET STRING 'memberOf'
>> 17 56: OCTET STRING
>> : 'cn=Enterprise Admins,cn=Users,dc=samba,dc=exampl'
>> : 'e,dc=com'
>> 75 98: [0] {
>> 77 51: SEQUENCE {
>
> Shouldn't there be another SEQUENCE { here?
Well, that was my intention when I ber_printf("{{OOt{{O[W]}{O[W]}}}}"),
which, AFAIK, means:
    "{"        SEQUENCE
      "{"      SEQUENCE
        "OO"   derefAttr, derefVal
        "t"    [0]
        "{"    SEQUENCE
          "{O[W]}"  SEQUENCE, type, SET OF vals
Am I missing anything? Couldn't "[0] {" be a shortcut in dumpasn1 to
indicate SEQUENCE OF and the presence of a context+constructed tag?
Looking at the raw data of an example, I see a sequence
240 126 060 063 004 011
which means:
240 context + constructed
126 (the length, 86 octets)
060 sequence
063 (the length, 51 octets)
004 octet string
011 (the length, 9 octets: "entryUUID")
I'm not an expert in ASN.1, but from what I infer by looking at LDAP
specs and at OpenLDAP implementation, this is consistent with the way
similar cases are dealt with (e.g. the "Controls" at the end of a
request message).
p.
>
>> 79 9: OCTET STRING 'entryUUID'
>> 90 38: SET {
>> 92 36: OCTET STRING
>> '24476f18-5c24-102d-9945-7320c1040f54'
>> : }
>> : }
>> 130 43: SEQUENCE {
>> 132 9: OCTET STRING 'objectSid'
>> 143 30: SET {
>> 145 28: OCTET STRING
>> : 01 05 00 00 00 00 00 05 15 00 00 00 AB BE DB 7B
>> : 16 72 AE E6 53 BE 65 6F 07 02 00 00
>> : }
>> : }
>> : }
>> : }
>>
>
> Thanks,
>
> Andrew Bartlett
>
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
-----------------------------------
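The byte layout argued over above, as an added example that is not OpenLDAP or Samba code: a small BER encoder/decoder that builds one DerefRes from the draft's ASN.1 and walks it the way dumpasn1 does. It assumes IMPLICIT tagging as in RFC 4511, so the "[0]" of attrVals replaces the SEQUENCE OF tag rather than wrapping it, and it uses the attribute values quoted from the thread (entryUUID and the 28-octet objectSid containing 0x00 octets) as sample input.

```python
# Added example, not OpenLDAP code. LDAP uses IMPLICIT tagging (RFC 4511),
# so "attrVals [0]" replaces the SEQUENCE OF tag: on the wire, [0] is
# followed directly by the first PartialAttribute SEQUENCE, no extra SEQUENCE.
SEQUENCE, SET, OCTET_STRING, CTX0 = 0x30, 0x31, 0x04, 0xA0

def ber_len(n):
    """Definite length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content

def encode_deref_res(deref_attr, deref_val, attr_vals):
    """DerefRes ::= SEQUENCE { derefAttr, derefVal, attrVals [0] OPTIONAL }.
    attr_vals is a list of (type, [value bytes, ...]); every value is
    length-delimited, so embedded 0x00 octets (the objectSid case) survive."""
    body = tlv(OCTET_STRING, deref_attr.encode()) + tlv(OCTET_STRING, deref_val.encode())
    if attr_vals:
        body += tlv(CTX0, b"".join(            # [0] stands in for SEQUENCE OF
            tlv(SEQUENCE, tlv(OCTET_STRING, t.encode())
                + tlv(SET, b"".join(tlv(OCTET_STRING, v) for v in vals)))
            for t, vals in attr_vals))
    return tlv(SEQUENCE, body)

def decode(data, pos=0, end=None, depth=0, out=None):
    """Return [(depth, tag, length, value-or-None)], one row per TLV,
    descending into constructed elements (tag bit 0x20) like dumpasn1."""
    out = [] if out is None else out
    end = len(data) if end is None else end
    while pos < end:
        tag, length, pos = data[pos], data[pos + 1], pos + 2
        if length & 0x80:                                   # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        if tag & 0x20:
            out.append((depth, tag, length, None))
            decode(data, pos, pos + length, depth + 1, out)
        else:
            out.append((depth, tag, length, data[pos:pos + length]))
        pos += length
    return out

# Sample input constructed from the dumpasn1 output quoted in the thread.
SAMPLE_SID = bytes.fromhex("01 05 00 00 00 00 00 05 15 00 00 00 AB BE DB 7B"
                           "16 72 AE E6 53 BE 65 6F 07 02 00 00")

def sample_deref_res():
    return encode_deref_res(
        "memberOf", "cn=Enterprise Admins,cn=Users,dc=samba,dc=example,dc=com",
        [("entryUUID", [b"24476f18-5c24-102d-9945-7320c1040f54"]),
         ("objectSid", [SAMPLE_SID])])

if __name__ == "__main__":
    for depth, tag, length, val in decode(sample_deref_res()):
        print("  " * depth + f"tag 0x{tag:02X} len {length}" + ("" if val is None else f" {val!r}"))
```

Running it reproduces the quoted lengths (DerefRes 168, [0] 98, the two PartialAttribute SEQUENCEs 51 and 43) and shows the [0] element opening straight onto a SEQUENCE.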