Using control 1.3.6.1.4.1.4203.1.10.1 (Subentries) #59

Closed
ghenry opened this issue Dec 26, 2020 · 4 comments
ghenry commented Dec 26, 2020

Hi,

I've just seen 40c28e1 and was also trying to use 1.3.6.1.4.1.4203.1.10.1 (Subentries) against the latest OpenLDAP, but can't get it to work. Does it make a difference whether I pass in the control type or if there is a bundled control?

I'm using it like so:

        my $subentry_ctrl = Net::LDAP::Control->new(
            type     => '1.3.6.1.4.1.4203.1.10.1',
            value    => 'Subentries',
            critical => 1
        );

        my $deleted = $c->model('LDAPContacts')->delete(
            q{ou=Contacts,} . $user_dn,
            control => [ $subentry_ctrl ]
        );

        if ( $deleted->code ) {
            $c->error( qq{Failed to delete LDAP contact entries for: $user_dn}
                  . $deleted->error
                  . q{ Code: }
                  . $deleted->code );
            return 0;
        }

and I'm getting:

Dec 22 12:53:57 gabriel slapd[31511]: conn=1110022 op=2 SRCH attr=dn
Dec 22 12:53:57 gabriel slapd[31511]: conn=1110022 op=2 ENTRY dn="xxxx"
Dec 22 12:53:57 gabriel slapd[31511]: conn=1110022 op=2 SEARCH RESULT tag=101 err=0 qtime=0.000010 etime=0.001015 nentries=1 text=
Dec 22 12:53:57 gabriel slapd[31511]: conn=1110023 fd=435 ACCEPT from IP=xxx:51082 (IP=0.0.0.0:389)
Dec 22 12:53:57 gabriel slapd[31511]: conn=1110023 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Dec 22 12:53:57 gabriel slapd[31511]: conn=1110023 op=0 STARTTLS
Dec 22 12:53:57 gabriel slapd[31511]: conn=1110023 op=0 RESULT oid= err=0 qtime=0.000007 etime=0.000038 text=
Dec 22 12:53:57 gabriel slapd[31511]: conn=1110023 fd=435 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
Dec 22 12:53:57 gabriel slapd[31511]: conn=1110023 op=1 BIND dn="xxx" method=128
Dec 22 12:53:57 gabriel slapd[31511]: conn=1110023 op=1 BIND dn="xxx" mech=SIMPLE ssf=0
Dec 22 12:53:57 gabriel slapd[31511]: conn=1110023 op=1 RESULT tag=97 err=0 qtime=0.000017 etime=0.000116 text=
Dec 22 12:53:58 gabriel slapd[31511]: conn=1110023 op=2 RESULT tag=107 err=12 qtime=0.000014 etime=0.000274 text=critical extension is unavailable
Dec 22 12:53:58 gabriel slapd[31511]: conn=1110023 op=2 do_delete: get_ctrls failed

Any ideas? Using ldapdelete with -r works as the same user (so not my ACLs), but I note in the logs that it is doing a base search for subentries and deleting each one. What am I misunderstanding here?

Thanks,
Gavin.

ghenry commented Dec 26, 2020

I've checked and it is supported:

[Image: Screenshot from 2020-12-22 12-54-53]

marschap commented Dec 27, 2020

Hi,

in order for a control to work, both sides need to support it: the server and the client.
OpenLDAP as a server supports it, but unfortunately perl-ldap does not (at least not yet).

According to the RFC, the Subentries control has a special requirement for how the
value needs to be encoded:

> The subentries control is an LDAP Control whose controlType is
> 1.3.6.1.4.1.4203.1.10.1, criticality is TRUE or FALSE (hence absent),
> and controlValue contains a BER-encoded BOOLEAN indicating
> visibility. A controlValue containing the value TRUE indicates that
> subentries are visible and normal entries are not. A controlValue
> containing the value FALSE indicates that normal entries are visible
> and subentries are not.
>
> Note that TRUE visibility has the three octet encoding { 01 01 FF }
> and FALSE visibility has the three octet encoding { 01 01 00 }.

This special encoding requirement hindered me from implementing the Subentries control.
(and this is b.t.w. why your instantiation of the control does not work)

In addition, the RFC states:

> This control is not appropriate for non-Search operations.

Patches to get a working Subentries control are - of course - very welcome ;-)

Best
Peter
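
An added example, not part of the thread and not perl-ldap's own code: building the controlValue as the three-octet BER BOOLEAN the quoted RFC text describes, using the generic `Net::LDAP::Control` constructor, and attaching it to a search rather than a delete. The helper names (`subentries_control`, `decode_visibility`, `search_subentries`) are hypothetical, and `$ldap` is assumed to be a connected, bound `Net::LDAP` object.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP::Control;

# OID of the Subentries control, as given in the issue title.
use constant SUBENTRIES_OID => '1.3.6.1.4.1.4203.1.10.1';

# Hypothetical helper: the value is a BER BOOLEAN, i.e. tag 0x01, length 0x01,
# content 0xFF (TRUE: subentries visible) or 0x00 (FALSE: normal entries visible).
sub subentries_control {
    my ($visible, $critical) = @_;
    return Net::LDAP::Control->new(
        type     => SUBENTRIES_OID,
        critical => $critical ? 1 : 0,
        value    => pack('C3', 0x01, 0x01, $visible ? 0xFF : 0x00),
    );
}

# Hypothetical helper: strict decode of a controlValue.
# Returns 1 or 0, or undef when the octets are not one of the two RFC encodings.
sub decode_visibility {
    my ($octets) = @_;
    return unless defined $octets && length($octets) == 3;
    my ($tag, $len, $content) = unpack('C3', $octets);
    return unless $tag == 0x01 && $len == 0x01;
    return $content == 0xFF ? 1 : $content == 0x00 ? 0 : undef;
}

# Hypothetical helper: the control belongs on a Search request, not on delete().
# $ldap is assumed to be a connected, bound Net::LDAP object; not called here.
sub search_subentries {
    my ($ldap, $base) = @_;
    return $ldap->search(
        base    => $base,
        scope   => 'sub',
        filter  => '(objectClass=*)',
        control => [ subentries_control(1, 1) ],
    );
}

# Offline check: print both encodings, then test the value used in the issue.
for my $visible (1, 0) {
    my $ctrl = subentries_control($visible, 1);
    printf "visibility=%d type=%s value=%s\n",
        $visible, $ctrl->type, uc unpack('H*', $ctrl->value);
}
my $issue_value = 'Subentries';    # the string passed as value in the issue
printf "issue value is %s\n",
    defined(decode_visibility($issue_value)) ? 'a BER BOOLEAN' : 'not a BER BOOLEAN';
```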

ghenry commented Dec 27, 2020

Thanks Peter. Do you have any test code to play with or pointers? I'll clone this repo and have a read.

ghenry commented Dec 27, 2020

Reading the RFC - https://tools.ietf.org/html/rfc3672 I'm not sure if this control does what I think it does. It's not for deleting subtrees, but controlling searches and I see your comment now too. Let's just close this.

@ghenry ghenry closed this as completed Dec 27, 2020