DirSync Control - Incremental Values Encoding Issue

[ChadSikorra]

I wanted to make you aware of an issue with the incremental_values flag and the way it is encoded. With this library it gets encoded on the wire as an ASN.1 integer 0080000000. However, AD actually expects this flag to be sent encoded as the ASN.1 integer value 80000000. So literally the value specified in their docs byte for byte within the ASN.1 integer type. This could probably be worked around by simply using the negative integer value of the flag, which would then get encoded properly to the expected AD value.

Anyway, just wanted to raise this here as I just ran into this issue in my own LDAP library, and noticed it here as well after looking at how others were implementing the control in an attempt to see what mistake I was making in implementation.

The issue was actually spotted by @tuftedocelot in #329 it seems.

[cannatag]

thanks. will fix this in the next release of ldap3.

[cannatag]

Sorry, can't fix this because I have no access to an AD for checking it. Will try to set up a lab.

[ChadSikorra]

I can give you temporary access to a test AD instance if you like. Contact me at chad.sikorra@gmail.com for details if you want.

[oddmeow]

I'm running up against this problem, too. Providing -2147483648 as the flag value doesn't seem to do the trick.

If anyone has any workaround available they could share that would be brilliant. I've tried all kinds of stuff.

[cannatag]

Hi @ChadSikorra is your offer for a AD lab still valid?

[cannatag]

Hi, I've been able to test the dir_sync extend operation on ad AD server without any problem. Do you still have this issue?

[Vye]

@cannatag, I think I'm bumping into this problem as well. Can you reopen the issue?

To rule out any domain configuration issues I setup an equivalent dirsync script in powershell and it works with incremental=True + cookie.

ldap3 works with incremental_values=False, cookie=None but returns the following error for incremental_values=True w/ cookie.

  File "/Users/vye/.local/share/virtualenvs/adsync-OjzIhR6u/lib/python3.11/site-packages/ldap3/extend/microsoft/dirSync.py", line 93, in loop
    raise LDAPExtensionError('error %r in DirSync' % result)
ldap3.core.exceptions.LDAPExtensionError: error {'result': 12, 'description': 'unavailableCriticalExtension', 'message': '00000057: LdapErr: DSID-0C090AFF, comment: Error processing control, data 0, v3839\x00', 'dn': '', 'referrals': None, 'type': 'searchResDone'} in DirSync

Request controls between tests (all use same search criteria):

# Powershell incremental=False w/o cookie (working)
>> ControlName=DirSyncRequestControl
>> ControlType=1.2.840.113556.1.4.841
>> IsCritical=True
>> ServerSide=True
>> Flag=0
>> AttributeCount=2147483647
>> AttributeOption=ParentsFirst
>> ControlValue=30840000000c0202080002047fffffff0400

>> ControlName=ExtendedDNControl
>> ControlType=1.2.840.113556.1.4.529
>> IsCritical=False
>> ServerSide=True
>> Flag=0
>> ControlValue=308400000003020100

>> ControlName=ShowDeletedControl
>> ControlType=1.2.840.113556.1.4.417
>> IsCritical=False
>> ServerSide=True
>> Flag=0
>> ControlValue=


# Powershell incremental=True w/ cookie (working)
>> ControlName=DirSyncRequestControl
>> ControlType=1.2.840.113556.1.4.841
>> IsCritical=True
>> ServerSide=True
>> Flag=0
>> AttributeCount=2147483647
>> AttributeOption=ParentsFirst, IncrementalValues
>> ControlValue=<snipped long byte string, sensitive data here?>

>> ControlName=ExtendedDNControl
>> ControlType=1.2.840.113556.1.4.529
>> IsCritical=False
>> ServerSide=True
>> Flag=0
>> ControlValue=308400000003020100

>> ControlName=ShowDeletedControl
>> ControlType=1.2.840.113556.1.4.417
>> IsCritical=False
>> ServerSide=True
>> Flag=0
>> ControlValue=


# ldap3 incremental=False w/o cookie (working)
>> controls=Controls:
>>  Control:
>>   controlType=1.2.840.113556.1.4.841
>>   criticality=True
>>   controlValue=0x300c0202080002047fffffff0400
>>  Control:
>>   controlType=1.2.840.113556.1.4.529
>>   criticality=False
>>   controlValue=0x3003020101
>>  Control:
>>   controlType=1.2.840.113556.1.4.417
>>   criticality=False

# ldap3 incremental=True w/ cookie (not working)
>>  Control:
>>   controlType=1.2.840.113556.1.4.841
>>   criticality=True
>>   controlValue=<snipped long byte string, sensitive data here?>
>>  Control:
>>   controlType=1.2.840.113556.1.4.529
>>   criticality=False
>>   controlValue=0x3003020101
>>  Control:
>>   controlType=1.2.840.113556.1.4.417
>>   criticality=False

Python Environment

ldap3==2.9.1
pyasn1==0.4.8

AD Domains Tested:

• Windows 2019 in Windows2012R2 forest mode.
• Windows 2016 in Windows2016R2 forest mode.

Powershell Environment

• Client Windows 2016
• Powershell 5 using .NET 4.0.30319 DirectoryServices protocols.

[Vye]

Hi @cannatag,

I was able to reproduce this problem in a separate domain running 2012R2 forest mode as well.

In #329, you mentioned not having a windows environment to test in. I'm not an AD expert, but I'd be happy to help gather the information needed to fix this issue.

To my knowledge, ldap3 is the only DirSync-capable client that can run on Linux. I'm hoping to be able to use it!