On Thu, 2008-12-11 at 23:17 +0100, Pierangelo Masarati wrote:
> Andrew Bartlett wrote:
> > On Thu, 2008-10-23 at 00:15 +0200, Pierangelo Masarati wrote:
> > > A tentative implementation is in HEAD, please test. You need to:
> >
> > Thank you very much. I downloaded CVS HEAD and tested it out (finally;
> > the Samba4 side of the implementation took far longer than I expected).
> >
> > > - configure as --enable-deref
> > > - enable the "deref" overlay in slapd, with "overlay deref" (doesn't
> > >   work as global overlay yet, sorry).
> >
> > This is something Samba4 will need, as many of our links are
> > cross-database. But fixing this for a single DB is a big help in any case.
> >
> > > - run searches like
> > >
> > >   $ ldapsearch -x -b dc=example,dc=com -E 'deref=member:entryUUID'
> > >
> > >   you'll see results like
> >
> > When using Samba4's client, it seems to work, but it is as if it extends
> > the control to the full expected length, but not the data. I.e., attached
> > is the control response I got back from the 'make testenv' environment
> > in Samba4. I've also attached the full LDAP request. The extra zeros also
> > appear in the OpenLDAP logs (so it's not a Samba4 parsing bug).
>
> I've found the bug (erroneous manipulation of octet strings containing
> '\0' octets). The objectSid is octet string-valued. Should be fixed now;
> please test.
While I'm mostly at sea on ASN.1, I don't think OpenLDAP's implementation
matches your IETF draft (if not, an education on subtle details of ASN.1
will be appreciated).

draft-masarati-ldap-deref-00

2.3. Control Response

   The control type is deref-oid (IANA assigned; see Section 6). The
   specification of the Dereference Control response is:

      controlValue ::= SEQUENCE OF derefRes DerefRes

      DerefRes ::= SEQUENCE {
          derefAttr       AttributeDescription,
          derefVal        LDAPDN,
          attrVals        [0] PartialAttributeList OPTIONAL }

      PartialAttributeList ::= SEQUENCE OF
                         partialAttribute PartialAttribute

   PartialAttribute is defined in [RFC4511]; the definition is reported
   here for clarity:

      PartialAttribute ::= SEQUENCE {
          type       AttributeDescription,
          vals       SET OF value AttributeValue }

The output of dumpasn1 on the control:

   0 983: SEQUENCE {
   4 168:   SEQUENCE {
   7   8:     OCTET STRING 'memberOf'
  17  56:     OCTET STRING
         :       'cn=Enterprise Admins,cn=Users,dc=samba,dc=exampl'
         :       'e,dc=com'
  75  98:     [0] {
  77  51:       SEQUENCE {

Shouldn't there be another SEQUENCE { here?

  79   9:         OCTET STRING 'entryUUID'
  90  38:         SET {
  92  36:           OCTET STRING '24476f18-5c24-102d-9945-7320c1040f54'
         :           }
         :         }
 130  43:       SEQUENCE {
 132   9:         OCTET STRING 'objectSid'
 143  30:         SET {
 145  28:           OCTET STRING
         :             01 05 00 00 00 00 00 05 15 00 00 00 AB BE DB 7B
         :             16 72 AE E6 53 BE 65 6F 07 02 00 00
         :           }
         :         }
         :       }
         :     }

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
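As an added worked example (not code from OpenLDAP, Samba or the draft's author), the Python below encodes a DerefRes the way draft-masarati-ldap-deref-00 specifies it, with the SEQUENCE OF wrapper inside [0], and inspects a control value to tell that layout from the flat one seen in the dumpasn1 output above. The sample values are transcribed from that output; the tag constants and helper names are assumptions of this example, and objectSid is handled as length-prefixed bytes so its embedded NUL octets are preserved.

```python
# Added example (not OpenLDAP or Samba code): BER encoder and inspector for the
# deref control response as specified in draft-masarati-ldap-deref-00.
SEQUENCE, SET, OCTET_STRING, CONTEXT_0 = 0x30, 0x31, 0x04, 0xA0
def tlv(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, payload, offset after the TLV); definite lengths only."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

def partial_attribute(attr: str, vals: list) -> bytes:
    """PartialAttribute ::= SEQUENCE { type, vals SET OF AttributeValue }.
    Values are raw bytes carried by length, so NUL octets (objectSid) survive."""
    return tlv(SEQUENCE, tlv(OCTET_STRING, attr.encode())
               + tlv(SET, b"".join(tlv(OCTET_STRING, v) for v in vals)))

def deref_res(deref_attr: str, deref_val: str, attrs: dict) -> bytes:
    """DerefRes ::= SEQUENCE { derefAttr, derefVal, attrVals [0] OPTIONAL }.
    PartialAttributeList is SEQUENCE OF, so [0] wraps one extra SEQUENCE."""
    body = tlv(OCTET_STRING, deref_attr.encode()) + tlv(OCTET_STRING, deref_val.encode())
    if attrs:
        items = b"".join(partial_attribute(a, v) for a, v in attrs.items())
        body += tlv(CONTEXT_0, tlv(SEQUENCE, items))
    return tlv(SEQUENCE, body)

def attrvals_layout(res: bytes) -> str:
    """'draft' if [0] holds the SEQUENCE OF wrapper, 'flat' if PartialAttribute
    SEQUENCEs sit directly inside [0] (the dumpasn1 layout), else 'absent'."""
    _, body, _ = read_tlv(res)
    off = 0
    while off < len(body):
        tag, payload, off = read_tlv(body, off)
        if tag == CONTEXT_0:
            _, inner, _ = read_tlv(payload)
            # wrapper children are SEQUENCEs; a PartialAttribute opens with OCTET STRING
            return "draft" if read_tlv(inner)[0] == SEQUENCE else "flat"
    return "absent"
# Values transcribed from the dumpasn1 output above
OBJECT_SID = bytes.fromhex("010500000000000515000000abbedb7b1672aee653be656f07020000")
DN = "cn=Enterprise Admins,cn=Users,dc=samba,dc=example,dc=com"
ATTRS = {"entryUUID": [b"24476f18-5c24-102d-9945-7320c1040f54"], "objectSid": [OBJECT_SID]}
```

The per-element lengths (53 and 45 bytes for the two PartialAttributes, 98 for their concatenation) match the offsets in the dump, so the only difference between the two layouts is the extra 2-byte SEQUENCE header inside [0].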