-
Notifications
You must be signed in to change notification settings - Fork 265
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DirSync Control - Incremental Values Encoding Issue #642
Comments
thanks. will fix this in the next release of ldap3. |
Sorry, can't fix this because I have no access to an AD for checking it. Will try to set up a lab. |
I can give you temporary access to a test AD instance if you like. Contact me at chad.sikorra@gmail.com for details if you want. |
I'm running up against this problem, too. Providing -2147483648 as the flag value doesn't seem to do the trick. If anyone has any workaround available they could share that would be brilliant. I've tried all kinds of stuff. |
Hi @ChadSikorra is your offer for a AD lab still valid? |
Hi, I've been able to test the dir_sync extend operation on ad AD server without any problem. Do you still have this issue? |
@cannatag, I think I'm bumping into this problem as well. Can you reopen the issue? To rule out any domain configuration issues I setup an equivalent dirsync script in powershell and it works with incremental=True + cookie. ldap3 works with File "/Users/vye/.local/share/virtualenvs/adsync-OjzIhR6u/lib/python3.11/site-packages/ldap3/extend/microsoft/dirSync.py", line 93, in loop
raise LDAPExtensionError('error %r in DirSync' % result)
ldap3.core.exceptions.LDAPExtensionError: error {'result': 12, 'description': 'unavailableCriticalExtension', 'message': '00000057: LdapErr: DSID-0C090AFF, comment: Error processing control, data 0, v3839\x00', 'dn': '', 'referrals': None, 'type': 'searchResDone'} in DirSync Request controls between tests (all use same search criteria): # Powershell incremental=False w/o cookie (working)
>> ControlName=DirSyncRequestControl
>> ControlType=1.2.840.113556.1.4.841
>> IsCritical=True
>> ServerSide=True
>> Flag=0
>> AttributeCount=2147483647
>> AttributeOption=ParentsFirst
>> ControlValue=30840000000c0202080002047fffffff0400
>> ControlName=ExtendedDNControl
>> ControlType=1.2.840.113556.1.4.529
>> IsCritical=False
>> ServerSide=True
>> Flag=0
>> ControlValue=308400000003020100
>> ControlName=ShowDeletedControl
>> ControlType=1.2.840.113556.1.4.417
>> IsCritical=False
>> ServerSide=True
>> Flag=0
>> ControlValue=
# Powershell incremental=True w/ cookie (working)
>> ControlName=DirSyncRequestControl
>> ControlType=1.2.840.113556.1.4.841
>> IsCritical=True
>> ServerSide=True
>> Flag=0
>> AttributeCount=2147483647
>> AttributeOption=ParentsFirst, IncrementalValues
>> ControlValue=<snipped long byte string, sensitive data here?>
>> ControlName=ExtendedDNControl
>> ControlType=1.2.840.113556.1.4.529
>> IsCritical=False
>> ServerSide=True
>> Flag=0
>> ControlValue=308400000003020100
>> ControlName=ShowDeletedControl
>> ControlType=1.2.840.113556.1.4.417
>> IsCritical=False
>> ServerSide=True
>> Flag=0
>> ControlValue=
# ldap3 incremental=False w/o cookie (working)
>> controls=Controls:
>> Control:
>> controlType=1.2.840.113556.1.4.841
>> criticality=True
>> controlValue=0x300c0202080002047fffffff0400
>> Control:
>> controlType=1.2.840.113556.1.4.529
>> criticality=False
>> controlValue=0x3003020101
>> Control:
>> controlType=1.2.840.113556.1.4.417
>> criticality=False
# ldap3 incremental=True w/ cookie (not working)
>> Control:
>> controlType=1.2.840.113556.1.4.841
>> criticality=True
>> controlValue=<snipped long byte string, sensitive data here?>
>> Control:
>> controlType=1.2.840.113556.1.4.529
>> criticality=False
>> controlValue=0x3003020101
>> Control:
>> controlType=1.2.840.113556.1.4.417
>> criticality=False Python Environment
AD Domains Tested:
Powershell Environment
|
Hi @cannatag, I was able to reproduce this problem in a separate domain running 2012R2 forest mode as well. In #329, you mentioned not having a windows environment to test in. I'm not an AD expert, but I'd be happy to help gather the information needed to fix this issue. To my knowledge, ldap3 is the only DirSync-capable client that can run on Linux. I'm hoping to be able to use it! |
I wanted to make you aware of an issue with the incremental_values flag and the way it is encoded. With this library it gets encoded on the wire as an ASN.1 integer
0080000000
. However, AD actually expects this flag to be sent encoded as the ASN.1 integer value80000000
. So literally the value specified in their docs byte for byte within the ASN.1 integer type. This could probably be worked around by simply using the negative integer value of the flag, which would then get encoded properly to the expected AD value.Anyway, just wanted to raise this here as I just ran into this issue in my own LDAP library, and noticed it here as well after looking at how others were implementing the control in an attempt to see what mistake I was making in implementation.
The issue was actually spotted by @tuftedocelot in #329 it seems.
The text was updated successfully, but these errors were encountered: