comp.lang.ruby

using LDAP Controls in ruby-ldap

Jason Wold

11/4/2004 5:27:00 AM

This is a bit of a stretch since it is as much about LDAP as it is
ruby but I'll ask it here anyway. I'd like to use the "paged results"
control/extension to LDAP for getting result sets larger than the
server allows. Has anyone used this or have any further pointers?


The gory details:
------------------------
ruby-ldap seems to have part of what is needed but I can't seem to tie
it together and get it to work. There is a LDAP::Control.new method
which appears to let me create a control (although a peek at the
source reveals a bug in the initialize script that prevents "oid" from
being initialized so I hack around it by assigning it after). The
search_ext function appears to happily accept this control object, but
the behavior is not as expected. Part of the problem might be that I
have no freakin clue what the second argument ( :value ) to
LDAP::Control.new should look like. What I have there is just based
on looking at RFC2696 which defines the paged results control for
LDAP. The RFC says this is a BER encoded value but it looks like the
ldap-ruby code is doing that.

$ cat test.rb
#!/usr/bin/ruby

require 'ldap'
require 'pp'

control = LDAP::Control.new(nil, 'size=10', true)
control.oid="1.2.840.113556.1.4.319"

conn = LDAP::SSLConn.new('test-dc-02.xxxxx.com', 636, false)

conn.bind("test@xxxxxx.com", Password::get() )

conn.search_ext("ou=users,ou=test,dc=xxxxx,dc=com",
LDAP::LDAP_SCOPE_SUBTREE, "sn=*", ["sn"], false, serverctrls =
[control] ) { |r| pp r.attributes }

$ ./test.rb
Password:
./test.rb:16:in `search_ext': Critical extension is unavailable
(LDAP::ResultError)
from ./test.rb:16


5 Answers

Will Drewry

11/4/2004 5:21:00 PM

0

On Thu, 4 Nov 2004 14:26:33 +0900, Jason Wold <jason.wold@gmail.com> wrote:
> This is a bit of a stretch since it is as much about LDAP as it is
> ruby but I'll ask it here anyway. I'd like to use the "paged results"
> control/extension to LDAP for getting result sets larger than the
> server allows. Has anyone used this or have any further pointers?
>
> The gory details:
> ------------------------
> ruby-ldap seems to have part of what is needed but I can't seem to tie
> it together and get it to work. There is a LDAP::Control.new method
> which appears to let me create a control (although a peek at the
> source reveals a bug in the initialize script that prevents "oid" from
> being initialized so I hack around it by assigning it after). The
> search_ext function appears to happily accept this control object, but
> the behavior is not as expected. Part of the problem might be that I
> have no freakin clue what the second argument ( :value ) to
> LDAP::Control.new should look like. What I have there is just based
> on looking at RFC2696 which defines the paged results control for
> LDAP. The RFC says this is a BER encoded value but it looks like the
> ldap-ruby code is doing that.
>
> $ cat test.rb
> #!/usr/bin/ruby
>
> require 'ldap'
> require 'pp'
>
> control = LDAP::Control.new(nil, 'size=10', true)
> control.oid="1.2.840.113556.1.4.319"
>
> conn = LDAP::SSLConn.new('test-dc-02.xxxxx.com', 636, false)
>
> conn.bind("test@xxxxxx.com", Password::get() )
>
> conn.search_ext("ou=users,ou=test,dc=xxxxx,dc=com",
> LDAP::LDAP_SCOPE_SUBTREE, "sn=*", ["sn"], false, serverctrls =
> [control] ) { |r| pp r.attributes }
>
> $ ./test.rb
> Password:
> ./test.rb:16:in `search_ext': Critical extension is unavailable
> (LDAP::ResultError)
> from ./test.rb:16
>
>

This looks like the extension - not the value - isn't supported.

According to the OpenLDAP list, AD used to be the only server that
supported this - maybe not anymore?

http://www.openldap.org/lists/openldap-devel/200207/msg...

Anyway - I'd give it a go on an OpenLDAP 2.2 server if you have one
available and see what happens.

As to the value, it's unclear if the ruby lib will BER encode this for
you. Once I've moved my install up to 2.2, I'll be able to test a
little more.

Poking around misc.c didn't make things clearer for me either.


You could try something like this
a = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new('10'),
OpenSSL::ASN1::OctetString.new('')])

control.value = a.to_der

I get conversion errors, but my openssl could be newer.


good luck,
will

ref: http://www.faqs.org/rfcs/rf...


Jason Wold

11/4/2004 6:58:00 PM

0

Thanks for the tip. Both AD and OpenLDAP 2.2 support this, although
OpenLDAP only supports it when using specific backends (bdb yes, ldbm
no)

Cheers,
Jason



Jason Wold

11/6/2004 1:31:00 AM

0

On Fri, 5 Nov 2004 02:21:01 +0900, Will Drewry <drewry@gmail.com> wrote:
> On Thu, 4 Nov 2004 14:26:33 +0900, Jason Wold <jason.wold@gmail.com> wrote:
>
>
> You could try something like this
> a = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new('10'),
> OpenSSL::ASN1::OctetString.new('')])
>
> control.value = a.to_der
>

'10' needs to be just the integer 10, and then it works.
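
The control value discussed in this thread, as an added example that is not part of the original posts: it builds the RFC 2696 value (a SEQUENCE of an INTEGER page size and an OCTET STRING cookie) with Ruby's OpenSSL::ASN1 and decodes the value a server sends back. The helper names and the sample cookie are assumptions made for illustration; nothing here contacts a server or uses ruby-ldap.

```ruby
require 'openssl'

# OID of the paged results control (the same OID used in the post above).
PAGED_RESULTS_OID = '1.2.840.113556.1.4.319'

# Build the control value for a search request:
#   SEQUENCE { size INTEGER, cookie OCTET STRING }
# The cookie is empty on the first request and is echoed back from the
# server's previous response on every following request.
def paged_control_value(size, cookie = '')
  # Catch the '10'-versus-10 mistake up front instead of inside to_der.
  raise ArgumentError, "size must be an Integer, got #{size.class}" unless size.is_a?(Integer)
  raise ArgumentError, 'size must not be negative' if size.negative?

  OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::Integer.new(size),
    OpenSSL::ASN1::OctetString.new(cookie.b)
  ]).to_der
end

# Decode the value of the control a server returns with each page.
# Returns [size_estimate, cookie]; an empty cookie means no more pages.
def parse_paged_control_value(der)
  seq = OpenSSL::ASN1.decode(der)
  unless seq.is_a?(OpenSSL::ASN1::Sequence) && seq.value.length == 2
    raise ArgumentError, 'not a paged results control value'
  end
  size, cookie = seq.value
  unless size.is_a?(OpenSSL::ASN1::Integer) && cookie.is_a?(OpenSSL::ASN1::OctetString)
    raise ArgumentError, 'unexpected element types in control value'
  end
  [size.value.to_i, cookie.value]
end

# Constructed sample: a server response value carrying an opaque 4-byte cookie.
SAMPLE_RESPONSE = paged_control_value(0, "\x01\x02\x03\x04")

if __FILE__ == $PROGRAM_NAME
  puts "OID:                 #{PAGED_RESULTS_OID}"
  puts "first request value: #{paged_control_value(10).unpack1('H*')}"
  _estimate, cookie = parse_paged_control_value(SAMPLE_RESPONSE)
  puts "next request value:  #{paged_control_value(10, cookie).unpack1('H*')}"
end
```

The resulting string is what would be assigned to control.value; the cookie from each response goes into the next request until the server returns an empty one.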


SER

11/7/2004 2:58:00 AM

0

On Friday 05 November 2004 20:30, Jason Wold wrote:
> > You could try something like this
> > a = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new('10'),
> > OpenSSL::ASN1::OctetString.new('')])
> >
> > control.value = a.to_der
>
> '10' needs to be just the integer 10, and then it works.

I'd like to point out, for the record, that this is a perfect example of how
type checking in a language is a good thing.

Seriously, I'm not trying to restart that thread; I just want to draw the
attention of the anti-type-checking crowd to the OP.

--
### SER
### Deutsch|Esperanto|Francaise|Linux|XML|Java|Ruby|Aikido
### http://www.germane-softwar... jabber.com:ser ICQ:83578737
### GPG: http://www.germane-softwar.../Security/ser_public.gpg

Ara.T.Howard

11/7/2004 3:36:00 AM

0