Implementation of LDAPControls

Deepak Giridharagopal deepak at arlut.utexas.edu
Fri Feb 18 19:53:32 CET 2005


Hello, me again. :)

On Thu, 2005-02-17 at 16:30 -0600, Deepak Giridharagopal wrote:
> The project I'm working on is at a point where this feature is a
> necessity, so if implementation of this feature is at a standstill I'm
> willing to get the ball rolling again.

As a proof of concept, I've gone ahead and begun coding up support for
LDAP Controls. My goal for the test was to successfully do an
ldap_modify_ext operation on our Active Directory server, using AD's
Security Descriptor Modification control (http://tinyurl.com/5tlok).

It works great!

I've only so far implemented control support in:
set_option
ldap_search_ext
ldap_modify_ext

...but adding support for the other LDAP operations (I hope) should be
easy.

My approach has been to model the OpenLDAP LDAPControl struct as a
tuple:

(OID <string>, Criticality Flag <boolean>, Value <string/list of bytes>)

The "Value" field needs to be an ASN.1 encoded list of bytes. I've taken
the position that however the user actually encodes his Python data
structure into ASN.1 is (for the moment) not my concern. This way, the C
code remains simple. 

I figure that once we settle on a pure-python ASN.1 encoding module, we
can handle marshalling/unmarshalling an LDAPControl object's payload at
a higher level than the C code, perhaps in a utility module like
"modlist.py" ("control_builder.py"?).

That said, for the moment I've been using Pisces' ASN.1 encoding module.
It's a single Python file and trivial to use:

http://www.cnri.reston.va.us/software/pisces/manual/module-pisces.asn1.html

Here is the code I use to set a control:

#######################
import ldap
import asn1 # This is the Pisces module

# This is the OID for the MS security descriptor control I described
# above (LDAP_SERVER_SD_FLAGS_OID).
oid = "1.2.840.113556.1.4.801"
criticality = 1

# Here's where I actually construct the payload. The payload for this
# AD control needs to be an ASN.1 sequence with a single int inside.
# 0xf selects owner, group, DACL and SACL (SECURITY_INFORMATION bits).
payload = asn1.Sequence()
payload.append(0xf)

# Ta da, here is the control: (OID, criticality, encoded value)
control = ( oid, criticality, payload.encode() )

# Now do the operation. "conn" is an LDAPObject that has already been
# opened and bound to the AD server.
dn = "cn=foobar,cn=users,dc=activedirectory,dc=com"
modifications = [(ldap.MOD_REPLACE, "ntSecurityDescriptor", "blah")]
conn.modify_ext_s(dn, modifications, serverctrls=[control])
######################

Like I said, it works great!

The C code I've written looks very similar to the existing code in
LDAPObject.c that handles LDAPMod objects (I used the LDAPMod code as a
template for my stuff). If you guys want, I can start throwing patches
your way. 

Any thoughts on all of this?

Cheers!
deepak

--
Deepak Giridharagopal
Applied Research Laboratories
University of Texas at Austin
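The post leaves ASN.1 encoding of the control value to the caller and suggests a pure-Python module could do it later. The following is an added example, not code from the post or from python-ldap, showing what that encoding actually is for the Security Descriptor control: a DER SEQUENCE holding one INTEGER, built and parsed with a few lines of Python and wrapped in the (OID, criticality, value) tuple the post proposes. The helper names (der_integer, der_sequence, sd_flags_control, parse_sd_flags_payload) are hypothetical; the OID and the SECURITY_INFORMATION bit values are the ones referenced in the post and by Windows. Note the criticality flag: marking the control critical makes a server that does not understand it reject the operation instead of silently modifying the whole descriptor.

```python
# Added example (not from the original post or python-ldap): minimal DER
# encoder/decoder for the LDAP_SERVER_SD_FLAGS control payload and the
# control tuple layout described in the post. Helper names are hypothetical.

SD_FLAGS_OID = "1.2.840.113556.1.4.801"  # from the post

# SECURITY_INFORMATION bits the payload integer selects (Windows constants)
OWNER_SECURITY_INFORMATION = 0x1
GROUP_SECURITY_INFORMATION = 0x2
DACL_SECURITY_INFORMATION = 0x4
SACL_SECURITY_INFORMATION = 0x8


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """DER-encode a non-negative INTEGER (tag 0x02); pad with 0x00 if the
    high bit is set so the value is not read back as negative."""
    if value < 0:
        raise ValueError("only non-negative integers are handled here")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def der_sequence(*elements):
    """DER-encode a SEQUENCE (tag 0x30) of already-encoded elements."""
    body = b"".join(elements)
    return b"\x30" + _der_length(len(body)) + body


def sd_flags_control(flags, critical=True):
    """Build the (OID, criticality, value) tuple for the SD flags control.
    critical=True means a server that does not support the control fails the
    operation rather than ignoring the control."""
    payload = der_sequence(der_integer(flags))
    return (SD_FLAGS_OID, critical, payload)


def parse_sd_flags_payload(data):
    """Decode SEQUENCE { INTEGER } and return the flags; reject anything
    that is not exactly that shape (trailing bytes, extra elements)."""

    def read_tlv(buf, pos, expected_tag):
        if pos + 1 >= len(buf) or buf[pos] != expected_tag:
            raise ValueError("unexpected tag at offset %d" % pos)
        length = buf[pos + 1]
        if length & 0x80:
            nbytes = length & 0x7F
            if nbytes == 0 or pos + 2 + nbytes > len(buf):
                raise ValueError("bad long-form length")
            length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
            pos += 2 + nbytes
        else:
            pos += 2
        end = pos + length
        if end > len(buf):
            raise ValueError("truncated element")
        return buf[pos:end], end

    seq, end = read_tlv(data, 0, 0x30)
    if end != len(data):
        raise ValueError("trailing bytes after SEQUENCE")
    intbody, iend = read_tlv(seq, 0, 0x02)
    if iend != len(seq):
        raise ValueError("unexpected extra element in SEQUENCE")
    return int.from_bytes(intbody, "big", signed=True)


if __name__ == "__main__":
    # Same control as in the post: owner | group | DACL | SACL = 0xf.
    ctrl = sd_flags_control(OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION
                            | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION)
    print(ctrl, parse_sd_flags_payload(ctrl[2]))
    # ctrl would be passed as serverctrls=[ctrl] to modify_ext_s, as in the post.
```

The tuple returned by sd_flags_control is exactly what the post's code passes in serverctrls; the parser is there so you can check on the wire (or in a capture) that a control value really is the single-INTEGER SEQUENCE the server expects, rather than trusting whichever ASN.1 library produced it.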
