Andrew Bartlett wrote:
On Thu, 2008-12-11 at 23:17 +0100, Pierangelo Masarati wrote:
Andrew Bartlett wrote:
On Thu, 2008-10-23 at 00:15 +0200, Pierangelo Masarati wrote:
A tentative implementation is in HEAD, please test. You need to:
Thank you very much. I downloaded CVS HEAD and tested it out (finally - the Samba4 side of the implementation took far longer than I expected).
- configure as --enable-deref
- enable the "deref" overlay in slapd, with "overlay deref" (doesn't work as global overlay yet, sorry).
This is something Samba4 will need, as many of our links are cross-database. But fixing this for a single DB is a big help in any case.
- run searches like
$ ldapsearch -x -b dc=example,dc=com -E 'deref=member:entryUUID'
you'll see results like
When using Samba4's client, it seems to work, but it is as if it extends the control to the full expected length, but not the data. I.e., attached is the control response I got back from the 'make testenv' environment in Samba4. I've also attached the full LDAP request.
The extra zeros also appear in the OpenLDAP logs (so it's not a Samba4 parsing bug).
I've found the bug (erroneous manipulation of octet strings containing '\0' octets). The objectSid is octet string-valued. Should be fixed now; please test.
While I'm mostly at sea on ASN.1, I don't think OpenLDAP's implementation matches your IETF draft (if not, an education on subtle details of ASN.1 will be appreciated).
draft-masarati-ldap-deref-00
2.3. Control Response
The control type is deref-oid (IANA assigned; see Section 6). The specification of the Dereference Control response is:
controlValue ::= SEQUENCE OF derefRes DerefRes

DerefRes ::= SEQUENCE {
    derefAttr       AttributeDescription,
    derefVal        LDAPDN,
    attrVals        [0] PartialAttributeList OPTIONAL }

PartialAttributeList ::= SEQUENCE OF
                     partialAttribute PartialAttribute
PartialAttribute is defined in [RFC4511]; the definition is reported here for clarity:
PartialAttribute ::= SEQUENCE {
    type       AttributeDescription,
    vals       SET OF value AttributeValue }
the output of dumpasn1 on the control:
   0 983: SEQUENCE {
   4 168:   SEQUENCE {
   7   8:     OCTET STRING 'memberOf'
  17  56:     OCTET STRING
         :       'cn=Enterprise Admins,cn=Users,dc=samba,dc=exampl'
         :       'e,dc=com'
  75  98:     [0] {
  77  51:       SEQUENCE {
Shouldn't there be another SEQUENCE { here?
Well, that was my intention when I ber_printf("{{OOt{{O[W]}{O[W]}}}}"), which, AFAIK, means:
"{"       SEQUENCE
"{"       SEQUENCE
"OO"      derefAttr, derefVal
"t"       [0]
"{"       SEQUENCE
"{O[W]}"  SEQUENCE, type, SET OF vals
Am I missing anything? Couldn't "[0] {" be a shortcut in dumpasn1 to indicate SEQUENCE OF and the presence of a context+constructed tag?
Looking at the raw data of an example, I see a sequence
240 126 060 063 004 011
which means:
240 context + constructed
126 (the length, 86 octets)
060 sequence
063 (the length, 51 octets)
004 octet string
011 (the length, 9 octets: "entryUUID")
I'm not an expert in ASN.1, but from what I infer by looking at LDAP specs and at OpenLDAP implementation, this is consistent with the way similar cases are dealt with (e.g. the "Controls" at the end of a request message).
p.
  79   9:         OCTET STRING 'entryUUID'
  90  38:         SET {
  92  36:           OCTET STRING '24476f18-5c24-102d-9945-7320c1040f54'
         :           }
         :         }
 130  43:       SEQUENCE {
 132   9:         OCTET STRING 'objectSid'
 143  30:         SET {
 145  28:           OCTET STRING
         :             01 05 00 00 00 00 00 05 15 00 00 00 AB BE DB 7B
         :             16 72 AE E6 53 BE 65 6F 07 02 00 00
         :           }
         :         }
         :       }
         :     }
Thanks,
Andrew Bartlett
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
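As an added example (not OpenLDAP's or Samba4's code), the DerefRes from the draft encoded in DER with the values shown in the dumpasn1 output above, once with the [0] tag IMPLICIT, which reproduces the octets on the wire in the thread (the RFC 4511 module is defined with IMPLICIT TAGS), and once EXPLICIT, where [0] wraps an extra SEQUENCE OF header; the decoder walks the result by length fields only, so an octet string with embedded zero bytes like objectSid round-trips intact. The function names (tlv, partial_attribute, deref_res, parse, attr_vals_style) are mine, and the sample values are constructed from the dump.

```python
# Added example, not OpenLDAP/Samba4 code: DER for DerefRes (draft-masarati-ldap-deref-00)
def tlv(tag: int, body: bytes) -> bytes:
    """DER TLV with one-byte tag and definite length (short or long form)."""
    n = len(body)
    if n < 0x80: return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def partial_attribute(attr_type: bytes, vals: list) -> bytes:
    """PartialAttribute ::= SEQUENCE { type OCTET STRING, vals SET OF OCTET STRING }."""
    return tlv(0x30, tlv(0x04, attr_type) + tlv(0x31, b"".join(tlv(0x04, v) for v in vals)))

def deref_res(deref_attr: bytes, deref_val: bytes, attr_vals: list, explicit=False) -> bytes:
    """DerefRes ::= SEQUENCE { derefAttr, derefVal, attrVals [0] PartialAttributeList }.
    IMPLICIT (the RFC 4511 module default): [0] replaces the SEQUENCE OF tag, so the
    PartialAttribute SEQUENCEs sit directly inside it. EXPLICIT adds a SEQUENCE header."""
    pal = b"".join(partial_attribute(t, v) for t, v in attr_vals)
    pal = tlv(0x30, pal) if explicit else pal
    return tlv(0x30, tlv(0x04, deref_attr) + tlv(0x04, deref_val) + tlv(0xA0, pal))

def parse(data: bytes) -> list:
    """Walk DER by length fields, never by NUL bytes: [(tag, bytes | [children]), ...]."""
    out, i = [], 0
    while i < len(data):
        if i + 1 >= len(data): raise ValueError("truncated TLV header")
        tag, n, i = data[i], data[i + 1], i + 2
        if tag == 0: raise ValueError("zero tag byte: trailing padding, not a DER TLV")
        if n & 0x80:  # long form: low bits give the number of length octets
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        body = data[i:i + n]
        if len(body) != n: raise ValueError("truncated TLV body")
        out.append((tag, parse(body) if tag & 0x20 else body))  # bit 6: constructed
        i += n
    return out

def attr_vals_style(encoded: bytes) -> tuple:
    """Return ('implicit' | 'explicit', {type: [values]}) for one encoded DerefRes."""
    (_, fields), = parse(encoded)
    ctx_tag, inner = fields[2]
    if ctx_tag != 0xA0: raise ValueError("attrVals must be tagged [0] (context, constructed)")
    # explicit tagging shows as a single child SEQUENCE whose children are all SEQUENCEs
    explicit = len(inner) == 1 and all(t == 0x30 for t, _ in inner[0][1])
    pattrs = inner[0][1] if explicit else inner
    vals = {t.decode(): [v for _, v in s] for _, ((_, t), (_, s)) in pattrs}
    return ("explicit" if explicit else "implicit"), vals

# Constructed sample: the entry shown in the thread's dumpasn1 output.
DN = b"cn=Enterprise Admins,cn=Users,dc=samba,dc=example,dc=com"
SID = bytes.fromhex("010500000000000515000000ABBEDB7B1672AEE653BE656F07020000")  # 28 bytes, has NULs
ATTRS = [(b"entryUUID", [b"24476f18-5c24-102d-9945-7320c1040f54"]), (b"objectSid", [SID])]
```

With the IMPLICIT form, deref_res(b"memberOf", DN, ATTRS) yields the 168-byte inner SEQUENCE from the dump, with the [0] element starting A0 62 30 33 04 09, i.e. the same tag/length pattern (240 126 060 063 004 011 in octal) read off the raw data above.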