Re: Ldap API Custom Controls
Hi Chris,

I have applied the PR, with a bit of cleanup/modifications:

- First, the class name should be AdPolicyHints, not LdapServerPolicyHintsOid (the Oid is spurious, so is the LdapServer prefix, and I added the 'Ad' prefix, as for all the AD controls).
- I have added javadoc to the code, and a standard header (@author tag).
- The control has been moved to the o.a.d.api.ldap.extras.controls.ad_impl instead of o.a.d.api.ldap.extras.controls.policyHints_impl (same thing for the interface package o.a.d.api.ldap.extras.controls.ad.policyHints which has been moved to o.a.d.api.ldap.extras.controls.ad). The rationale is that every AD control goes under the o.a.d.api.ldap.extras.controls.ad package.

Otherwise, all is good. Thanks for the PR and happy Xmas !

On 04/12/2017 at 19:19, Chris Pike wrote:
> Emmanuel,
>
> We have created a pull request
>
> https://github.com/apache/directory-ldap-api/pull/1
>
> Let us know if anything needs changed.
>
> Thanks,
>
> ~Chris P.
>
> - Original Message -
> From: "Emmanuel Lécharny"
> To: "Chris Pike", "api", "elecharny"
> Sent: Tuesday, November 28, 2017 5:54:39 PM
> Subject: Re: Ldap API Custom Controls
>
> Hi Chris,
>
> do you need any more information to get the code pushed ?
>
> Many thanks !
>
> On 05/10/2017 at 21:18, Chris Pike wrote:
>> Emmanuel,
>>
>> We got this working. Is there a git repo for the directory api, or do we
>> have to use subversion to provide the code back?
>>
>> Thanks,
>>
>> ~Chris Pike
>>
>> - Original Message -
>> From: "Emmanuel Lecharny"
>> To: "api"
>> Sent: Monday, September 11, 2017 6:57:38 PM
>> Subject: Re: Ldap API Custom Controls
>>
>> The control value (3003020101) is a PDU which has the following meaning :
>>
>> 0x30 0x03 : SEQ length 3
>> 0x02 0x01 0x01 : INTEGER length 1 value 1
>>
>> So you have sent a correct Control, but the OID has changed :
>> 1.2.840.113556.1.4.20669 was for ancient versions of Windows Server (up to
>> Windows 2012) and the OID you are using is a new one
>> (1.2.840.113556.1.4.2239).
>>
>> I can only bet that the OID is not understood by the Windows machine you
>> are talking to.
>>
>> On Fri, Sep 8, 2017 at 4:11 PM, CRAIG BENNER wrote:
>>
>>> Thanks Shawn, I was going to ask that. But I got wireshark working.
>>> Below is the packet I'm assuming we want to see. In concept it looks
>>> correct, but I'm not sure what the controlValue is supposed to be on the
>>> wire.
>>>
>>> Frame 9: 295 bytes on wire (2360 bits), 295 bytes captured (2360 bits) on
>>> interface 0
>>> Ethernet II, Src: PcsCompu_f5:e8:94 (08:00:27:f5:e8:94), Dst:
>>> PcsCompu_4b:a3:17 (08:00:27:4b:a3:17)
>>> Internet Protocol Version 4, Src: 192.168.33.10, Dst: 192.168.33.11
>>>
>>> Transmission Control Protocol, Src Port: 44766, Dst Port: 389, Seq: 45,
>>> Ack: 46, Len: 229
>>> Lightweight Directory Access Protocol
>>> LDAPMessage modifyRequest(7) "cn=model_ouadmin,ou=PSU-OU-
>>> Admin-Accounts,ou=PSU-AD-OU-Administration,ou=PSU-AD-
>>> Administration,dc=develop,dc=local"
>>> messageID: 7
>>> protocolOp: modifyRequest (6)
>>> modifyRequest
>>> object: cn=model_ouadmin,ou=PSU-OU-
>>> Admin-Accounts,ou=PSU-AD-OU-Administration,ou=PSU-AD-
>>> Administration,dc=develop,dc=local
>>> modification: 1 item
>>> [Response In: 10]
>>> controls: 1 item
>>> Control
>>> controlType: 1.2.840.113556.1.4.2239 (ISO assigned OIDs,
>>> USA.113556.1.4.2239)
>>> criticality: True
>>> controlValue: 3003020101
>>>
>>> Thanks.
>>> Craig Benner
>>>
>>> - Original Message -
>>> From: "Shawn McKinney"
>>> To: "api"
>>> Sent: Friday, September 8, 2017 9:58:56 AM
>>> Subject: Re: Ldap API Custom Controls
>>>
>>>> On Sep 7, 2017, at 8:41 PM, CRAIG BENNER wrote:
>>>>
>>>> It will take some changes to get a wireshark capture, since Passwords
>>>> can only be managed over a secure connection. Hopefully tomorrow I can get
>>>> you the wireshark capture
>>>
>>> Wonder if it would be easier to just enable the API logger containing the
>>> BER request/response traces? That’s typically how I debug. Saves the
>>> trouble of setting up wireshark.
>>>
>>> class="org.apache.log4j.Logger"
>>> additivity="false">

--
Emmanuel Lecharny
Symas.com
directory.apache.org
Re: Ldap API Custom Controls
On 04/12/2017 at 19:19, Chris Pike wrote:
> Emmanuel,
>
> We have created a pull request
>
> https://github.com/apache/directory-ldap-api/pull/1
>
> Let us know if anything needs changed.

Thanks ! I'll have a look today.

--
Emmanuel Lecharny
Symas.com
directory.apache.org
Re: Ldap API Custom Controls
Emmanuel,

We have created a pull request

https://github.com/apache/directory-ldap-api/pull/1

Let us know if anything needs changed.

Thanks,

~Chris P.

- Original Message -
From: "Emmanuel Lécharny"
To: "Chris Pike", "api", "elecharny"
Sent: Tuesday, November 28, 2017 5:54:39 PM
Subject: Re: Ldap API Custom Controls

Hi Chris,

do you need any more information to get the code pushed ?

Many thanks !

On 05/10/2017 at 21:18, Chris Pike wrote:
> Emmanuel,
>
> We got this working. Is there a git repo for the directory api, or do we have
> to use subversion to provide the code back?
>
> Thanks,
>
> ~Chris Pike
>
> - Original Message -
> From: "Emmanuel Lecharny"
> To: "api"
> Sent: Monday, September 11, 2017 6:57:38 PM
> Subject: Re: Ldap API Custom Controls
>
> The control value (3003020101) is a PDU which has the following meaning :
>
> 0x30 0x03 : SEQ length 3
> 0x02 0x01 0x01 : INTEGER length 1 value 1
>
> So you have sent a correct Control, but the OID has changed :
> 1.2.840.113556.1.4.20669 was for ancient versions of Windows Server (up to
> Windows 2012) and the OID you are using is a new one
> (1.2.840.113556.1.4.2239).
>
> I can only bet that the OID is not understood by the Windows machine you
> are talking to.
>
> On Fri, Sep 8, 2017 at 4:11 PM, CRAIG BENNER wrote:
>
>> Thanks Shawn, I was going to ask that. But I got wireshark working.
>> Below is the packet I'm assuming we want to see. In concept it looks
>> correct, but I'm not sure what the controlValue is supposed to be on the
>> wire.
>>
>> Frame 9: 295 bytes on wire (2360 bits), 295 bytes captured (2360 bits) on
>> interface 0
>> Ethernet II, Src: PcsCompu_f5:e8:94 (08:00:27:f5:e8:94), Dst:
>> PcsCompu_4b:a3:17 (08:00:27:4b:a3:17)
>> Internet Protocol Version 4, Src: 192.168.33.10, Dst: 192.168.33.11
>>
>> Transmission Control Protocol, Src Port: 44766, Dst Port: 389, Seq: 45,
>> Ack: 46, Len: 229
>> Lightweight Directory Access Protocol
>> LDAPMessage modifyRequest(7) "cn=model_ouadmin,ou=PSU-OU-
>> Admin-Accounts,ou=PSU-AD-OU-Administration,ou=PSU-AD-
>> Administration,dc=develop,dc=local"
>> messageID: 7
>> protocolOp: modifyRequest (6)
>> modifyRequest
>> object: cn=model_ouadmin,ou=PSU-OU-
>> Admin-Accounts,ou=PSU-AD-OU-Administration,ou=PSU-AD-
>> Administration,dc=develop,dc=local
>> modification: 1 item
>> [Response In: 10]
>> controls: 1 item
>> Control
>> controlType: 1.2.840.113556.1.4.2239 (ISO assigned OIDs,
>> USA.113556.1.4.2239)
>> criticality: True
>> controlValue: 3003020101
>>
>> Thanks.
>> Craig Benner
>>
>> - Original Message -
>> From: "Shawn McKinney"
>> To: "api"
>> Sent: Friday, September 8, 2017 9:58:56 AM
>> Subject: Re: Ldap API Custom Controls
>>
>>> On Sep 7, 2017, at 8:41 PM, CRAIG BENNER wrote:
>>>
>>> It will take some changes to get a wireshark capture, since Passwords
>>> can only be managed over a secure connection. Hopefully tomorrow I can get
>>> you the wireshark capture
>>
>> Wonder if it would be easier to just enable the API logger containing the
>> BER request/response traces? That’s typically how I debug. Saves the
>> trouble of setting up wireshark.
>>
>> additivity="false">

--
Emmanuel Lecharny
Symas.com
directory.apache.org
Re: Ldap API Custom Controls
Hi Chris,

do you need any more information to get the code pushed ?

Many thanks !

On 05/10/2017 at 21:18, Chris Pike wrote:
> Emmanuel,
>
> We got this working. Is there a git repo for the directory api, or do we have
> to use subversion to provide the code back?
>
> Thanks,
>
> ~Chris Pike
>
> - Original Message -
> From: "Emmanuel Lecharny"
> To: "api"
> Sent: Monday, September 11, 2017 6:57:38 PM
> Subject: Re: Ldap API Custom Controls
>
> The control value (3003020101) is a PDU which has the following meaning :
>
> 0x30 0x03 : SEQ length 3
> 0x02 0x01 0x01 : INTEGER length 1 value 1
>
> So you have sent a correct Control, but the OID has changed :
> 1.2.840.113556.1.4.20669 was for ancient versions of Windows Server (up to
> Windows 2012) and the OID you are using is a new one
> (1.2.840.113556.1.4.2239).
>
> I can only bet that the OID is not understood by the Windows machine you
> are talking to.
>
> On Fri, Sep 8, 2017 at 4:11 PM, CRAIG BENNER wrote:
>
>> Thanks Shawn, I was going to ask that. But I got wireshark working.
>> Below is the packet I'm assuming we want to see. In concept it looks
>> correct, but I'm not sure what the controlValue is supposed to be on the
>> wire.
>>
>> Frame 9: 295 bytes on wire (2360 bits), 295 bytes captured (2360 bits) on
>> interface 0
>> Ethernet II, Src: PcsCompu_f5:e8:94 (08:00:27:f5:e8:94), Dst:
>> PcsCompu_4b:a3:17 (08:00:27:4b:a3:17)
>> Internet Protocol Version 4, Src: 192.168.33.10, Dst: 192.168.33.11
>>
>> Transmission Control Protocol, Src Port: 44766, Dst Port: 389, Seq: 45,
>> Ack: 46, Len: 229
>> Lightweight Directory Access Protocol
>> LDAPMessage modifyRequest(7) "cn=model_ouadmin,ou=PSU-OU-
>> Admin-Accounts,ou=PSU-AD-OU-Administration,ou=PSU-AD-
>> Administration,dc=develop,dc=local"
>> messageID: 7
>> protocolOp: modifyRequest (6)
>> modifyRequest
>> object: cn=model_ouadmin,ou=PSU-OU-
>> Admin-Accounts,ou=PSU-AD-OU-Administration,ou=PSU-AD-
>> Administration,dc=develop,dc=local
>> modification: 1 item
>> [Response In: 10]
>> controls: 1 item
>> Control
>> controlType: 1.2.840.113556.1.4.2239 (ISO assigned OIDs,
>> USA.113556.1.4.2239)
>> criticality: True
>> controlValue: 3003020101
>>
>> Thanks.
>> Craig Benner
>>
>> - Original Message -
>> From: "Shawn McKinney"
>> To: "api"
>> Sent: Friday, September 8, 2017 9:58:56 AM
>> Subject: Re: Ldap API Custom Controls
>>
>>> On Sep 7, 2017, at 8:41 PM, CRAIG BENNER wrote:
>>>
>>> It will take some changes to get a wireshark capture, since Passwords
>>> can only be managed over a secure connection. Hopefully tomorrow I can get
>>> you the wireshark capture
>>
>> Wonder if it would be easier to just enable the API logger containing the
>> BER request/response traces? That’s typically how I debug. Saves the
>> trouble of setting up wireshark.
>>
>> additivity="false">

--
Emmanuel Lecharny
Symas.com
directory.apache.org
Re: Ldap API Custom Controls
On 10/05/2017 10:08 PM, Emmanuel Lécharny wrote:
>
> On 05/10/2017 at 21:18, Chris Pike wrote:
>> Emmanuel,
>>
>> We got this working. Is there a git repo for the directory api, or do we
>> have to use subversion to provide the code back?
>
> The API is in GIT now !
>
> https://gitbox.apache.org/repos/asf?p=directory-ldap-api.git;a=summary
>
> You can also use Github :
>
> https://github.com/apache/directory-shared

Well, that's the old svn mirrored github repo. I think the new gitbox mirrored one is https://github.com/apache/directory-ldap-api

Once the other repos are migrated to git we need to request cleanup of the github repos...
Re: Ldap API Custom Controls
On 05/10/2017 at 21:18, Chris Pike wrote:
> Emmanuel,
>
> We got this working. Is there a git repo for the directory api, or do we have
> to use subversion to provide the code back?

The API is in GIT now !

https://gitbox.apache.org/repos/asf?p=directory-ldap-api.git;a=summary

You can also use Github :

https://github.com/apache/directory-shared

PRs are welcome !

Thanks !

--
Emmanuel Lecharny
Symas.com
directory.apache.org
Re: Ldap API Custom Controls
Emmanuel,

We got this working. Is there a git repo for the directory api, or do we have to use subversion to provide the code back?

Thanks,

~Chris Pike

- Original Message -
From: "Emmanuel Lecharny"
To: "api"
Sent: Monday, September 11, 2017 6:57:38 PM
Subject: Re: Ldap API Custom Controls

The control value (3003020101) is a PDU which has the following meaning :

0x30 0x03 : SEQ length 3
0x02 0x01 0x01 : INTEGER length 1 value 1

So you have sent a correct Control, but the OID has changed : 1.2.840.113556.1.4.20669 was for ancient versions of Windows Server (up to Windows 2012) and the OID you are using is a new one (1.2.840.113556.1.4.2239).

I can only bet that the OID is not understood by the Windows machine you are talking to.

On Fri, Sep 8, 2017 at 4:11 PM, CRAIG BENNER wrote:

> Thanks Shawn, I was going to ask that. But I got wireshark working.
> Below is the packet I'm assuming we want to see. In concept it looks
> correct, but I'm not sure what the controlValue is supposed to be on the
> wire.
>
> Frame 9: 295 bytes on wire (2360 bits), 295 bytes captured (2360 bits) on
> interface 0
> Ethernet II, Src: PcsCompu_f5:e8:94 (08:00:27:f5:e8:94), Dst:
> PcsCompu_4b:a3:17 (08:00:27:4b:a3:17)
> Internet Protocol Version 4, Src: 192.168.33.10, Dst: 192.168.33.11
>
> Transmission Control Protocol, Src Port: 44766, Dst Port: 389, Seq: 45,
> Ack: 46, Len: 229
> Lightweight Directory Access Protocol
> LDAPMessage modifyRequest(7) "cn=model_ouadmin,ou=PSU-OU-
> Admin-Accounts,ou=PSU-AD-OU-Administration,ou=PSU-AD-
> Administration,dc=develop,dc=local"
> messageID: 7
> protocolOp: modifyRequest (6)
> modifyRequest
> object: cn=model_ouadmin,ou=PSU-OU-
> Admin-Accounts,ou=PSU-AD-OU-Administration,ou=PSU-AD-
> Administration,dc=develop,dc=local
> modification: 1 item
> [Response In: 10]
> controls: 1 item
> Control
> controlType: 1.2.840.113556.1.4.2239 (ISO assigned OIDs,
> USA.113556.1.4.2239)
> criticality: True
> controlValue: 3003020101
>
> Thanks.
> Craig Benner
>
> - Original Message -
> From: "Shawn McKinney"
> To: "api"
> Sent: Friday, September 8, 2017 9:58:56 AM
> Subject: Re: Ldap API Custom Controls
>
>> On Sep 7, 2017, at 8:41 PM, CRAIG BENNER wrote:
>>
>> It will take some changes to get a wireshark capture, since Passwords
>> can only be managed over a secure connection. Hopefully tomorrow I can get
>> you the wireshark capture
>
> Wonder if it would be easier to just enable the API logger containing the
> BER request/response traces? That’s typically how I debug. Saves the
> trouble of setting up wireshark.
>
> additivity="false">

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: Ldap API Custom Controls
The control value (3003020101) is a PDU which has the following meaning :

0x30 0x03 : SEQ length 3
0x02 0x01 0x01 : INTEGER length 1 value 1

So you have sent a correct Control, but the OID has changed : 1.2.840.113556.1.4.20669 was for ancient versions of Windows Server (up to Windows 2012) and the OID you are using is a new one (1.2.840.113556.1.4.2239).

I can only bet that the OID is not understood by the Windows machine you are talking to.

On Fri, Sep 8, 2017 at 4:11 PM, CRAIG BENNER wrote:

> Thanks Shawn, I was going to ask that. But I got wireshark working.
> Below is the packet I'm assuming we want to see. In concept it looks
> correct, but I'm not sure what the controlValue is supposed to be on the
> wire.
>
> Frame 9: 295 bytes on wire (2360 bits), 295 bytes captured (2360 bits) on
> interface 0
> Ethernet II, Src: PcsCompu_f5:e8:94 (08:00:27:f5:e8:94), Dst:
> PcsCompu_4b:a3:17 (08:00:27:4b:a3:17)
> Internet Protocol Version 4, Src: 192.168.33.10, Dst: 192.168.33.11
>
> Transmission Control Protocol, Src Port: 44766, Dst Port: 389, Seq: 45,
> Ack: 46, Len: 229
> Lightweight Directory Access Protocol
> LDAPMessage modifyRequest(7) "cn=model_ouadmin,ou=PSU-OU-
> Admin-Accounts,ou=PSU-AD-OU-Administration,ou=PSU-AD-
> Administration,dc=develop,dc=local"
> messageID: 7
> protocolOp: modifyRequest (6)
> modifyRequest
> object: cn=model_ouadmin,ou=PSU-OU-
> Admin-Accounts,ou=PSU-AD-OU-Administration,ou=PSU-AD-
> Administration,dc=develop,dc=local
> modification: 1 item
> [Response In: 10]
> controls: 1 item
> Control
> controlType: 1.2.840.113556.1.4.2239 (ISO assigned OIDs,
> USA.113556.1.4.2239)
> criticality: True
> controlValue: 3003020101
>
> Thanks.
> Craig Benner
>
> - Original Message -
> From: "Shawn McKinney"
> To: "api"
> Sent: Friday, September 8, 2017 9:58:56 AM
> Subject: Re: Ldap API Custom Controls
>
>> On Sep 7, 2017, at 8:41 PM, CRAIG BENNER wrote:
>>
>> It will take some changes to get a wireshark capture, since Passwords
>> can only be managed over a secure connection. Hopefully tomorrow I can get
>> you the wireshark capture
>
> Wonder if it would be easier to just enable the API logger containing the
> BER request/response traces? That’s typically how I debug. Saves the
> trouble of setting up wireshark.
>
> additivity="false">

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: Ldap API Custom Controls
Hi,

According to my experience with AD this is very hard to diagnose. AD is using "unwilling to perform" as a generic error for almost anything. Sometimes there is an AD-specific error code in the error message and that is really worth checking out. Really. Try that. But apart from this there is no way how to diagnose that properly. There seems to be no reasonable logging facility on the AD server side. I'm looking for this for years and I have found nothing so far (Microsoft support is not able to help much, I've tried many times). The documentation is not very clear.

The best method so far that I have found is to find a tool that can already use this control. Then use packet sniffer and compare the data from the tool that works with the data produced by your code. I mean real byte-by-byte comparison. The differences will usually point you to the things that are wrong.

--
Radovan Semancik
Software Architect
evolveum.com

On 09/08/2017 04:11 PM, CRAIG BENNER wrote:
> Thanks Shawn, I was going to ask that. But I got wireshark working. Below is the packet I'm assuming we want to see. In concept it looks correct, but I'm not sure what the controlValue is supposed to be on the wire.
>
> Frame 9: 295 bytes on wire (2360 bits), 295 bytes captured (2360 bits) on interface 0
> Ethernet II, Src: PcsCompu_f5:e8:94 (08:00:27:f5:e8:94), Dst: PcsCompu_4b:a3:17 (08:00:27:4b:a3:17)
> Internet Protocol Version 4, Src: 192.168.33.10, Dst: 192.168.33.11
> Transmission Control Protocol, Src Port: 44766, Dst Port: 389, Seq: 45, Ack: 46, Len: 229
> Lightweight Directory Access Protocol
>     LDAPMessage modifyRequest(7) "cn=model_ouadmin,ou=PSU-OU-Admin-Accounts,ou=PSU-AD-OU-Administration,ou=PSU-AD-Administration,dc=develop,dc=local"
>         messageID: 7
>         protocolOp: modifyRequest (6)
>             modifyRequest
>                 object: cn=model_ouadmin,ou=PSU-OU-Admin-Accounts,ou=PSU-AD-OU-Administration,ou=PSU-AD-Administration,dc=develop,dc=local
>                 modification: 1 item
>         [Response In: 10]
>         controls: 1 item
>             Control
>                 controlType: 1.2.840.113556.1.4.2239 (ISO assigned OIDs, USA.113556.1.4.2239)
>                 criticality: True
>                 controlValue: 3003020101
>
> Thanks.
> Craig Benner
>
> - Original Message -
> From: "Shawn McKinney"
> To: "api"
> Sent: Friday, September 8, 2017 9:58:56 AM
> Subject: Re: Ldap API Custom Controls
>
>> On Sep 7, 2017, at 8:41 PM, CRAIG BENNER wrote:
>>
>> It will take some changes to get a wireshark capture, since Passwords can only be managed over a secure connection. Hopefully tomorrow I can get you the wireshark capture
>
> Wonder if it would be easier to just enable the API logger containing the BER request/response traces? That’s typically how I debug. Saves the trouble of setting up wireshark.
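
The decoding of the controlValue given in this thread, together with the byte-by-byte comparison suggested in the message above, as an added example that is not part of the original mails or of the Apache Directory API code. It is a small definite-length BER reader and writer for the SEQUENCE { INTEGER flags } layout described in the thread; all function names are illustrative.

```python
# Added example (not from the thread): decode, re-encode and compare the
# policy-hints controlValue. Function names are illustrative assumptions.

CAPTURED_CONTROL_VALUE = "3003020101"  # controlValue from the Wireshark capture in this thread

TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02


def read_tlv(buf, offset=0):
    """Read one BER TLV with a definite length; return (tag, value, next_offset)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[offset], buf[offset + 1]
    offset += 2
    if first < 0x80:                       # short form: the byte is the length
        length = first
    elif first == 0x80:                    # LDAP only uses the definite form
        raise ValueError("indefinite length is not allowed")
    else:                                  # long form: low 7 bits = number of length bytes
        count = first & 0x7F
        if offset + count > len(buf):
            raise ValueError("truncated length field")
        length = int.from_bytes(buf[offset:offset + count], "big")
        offset += count
    end = offset + length
    if end > len(buf):
        raise ValueError("value runs past the end of the buffer")
    return tag, buf[offset:end], end


def encode_length(length):
    """Encode a BER definite length (short form below 128, long form otherwise)."""
    if length < 0x80:
        return bytes([length])
    raw = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def decode_flags(value):
    """Decode SEQUENCE { INTEGER flags } and reject anything else."""
    tag, body, end = read_tlv(value)
    if tag != TAG_SEQUENCE:
        raise ValueError("expected SEQUENCE (0x30), got 0x%02x" % tag)
    if end != len(value):
        raise ValueError("trailing bytes after the SEQUENCE")
    tag, raw, end = read_tlv(body)
    if tag != TAG_INTEGER:
        raise ValueError("expected INTEGER (0x02), got 0x%02x" % tag)
    if end != len(body) or not raw:
        raise ValueError("malformed INTEGER inside the SEQUENCE")
    return int.from_bytes(raw, "big", signed=True)


def encode_flags(flags):
    """Encode a non-negative flags value as SEQUENCE { INTEGER flags }."""
    if flags < 0:
        raise ValueError("flags must be non-negative")
    content = flags.to_bytes(flags.bit_length() // 8 + 1, "big")  # keeps the sign bit clear
    integer = bytes([TAG_INTEGER]) + encode_length(len(content)) + content
    return bytes([TAG_SEQUENCE]) + encode_length(len(integer)) + integer


def hexbytes(data):
    return " ".join("0x%02x" % b for b in data)


def describe(value):
    """Render the value one TLV per line, in the notation used in the thread."""
    flags = decode_flags(value)            # validates the structure first
    _, body, _ = read_tlv(value)
    _, raw, _ = read_tlv(body)
    header = value[:len(value) - len(body)]
    return [
        "%s : SEQ length %d" % (hexbytes(header), len(body)),
        "%s : INTEGER length %d value %d" % (hexbytes(body), len(raw), flags),
    ]


def first_difference(expected, actual):
    """Offset of the first differing byte, or None when both are identical."""
    for index, (left, right) in enumerate(zip(expected, actual)):
        if left != right:
            return index
    if len(expected) != len(actual):
        return min(len(expected), len(actual))
    return None


if __name__ == "__main__":
    captured = bytes.fromhex(CAPTURED_CONTROL_VALUE)
    for line in describe(captured):
        print(line)
    print("first difference vs. encode_flags(1):",
          first_difference(encode_flags(1), captured))
```
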
Re: Ldap API Custom Controls
Thanks Shawn, I was going to ask that. But I got wireshark working. Below is the packet I'm assuming we want to see. In concept it looks correct, but I'm not sure what the controlValue is supposed to be on the wire.

Frame 9: 295 bytes on wire (2360 bits), 295 bytes captured (2360 bits) on interface 0
Ethernet II, Src: PcsCompu_f5:e8:94 (08:00:27:f5:e8:94), Dst: PcsCompu_4b:a3:17 (08:00:27:4b:a3:17)
Internet Protocol Version 4, Src: 192.168.33.10, Dst: 192.168.33.11
Transmission Control Protocol, Src Port: 44766, Dst Port: 389, Seq: 45, Ack: 46, Len: 229
Lightweight Directory Access Protocol
    LDAPMessage modifyRequest(7) "cn=model_ouadmin,ou=PSU-OU-Admin-Accounts,ou=PSU-AD-OU-Administration,ou=PSU-AD-Administration,dc=develop,dc=local"
        messageID: 7
        protocolOp: modifyRequest (6)
            modifyRequest
                object: cn=model_ouadmin,ou=PSU-OU-Admin-Accounts,ou=PSU-AD-OU-Administration,ou=PSU-AD-Administration,dc=develop,dc=local
                modification: 1 item
        [Response In: 10]
        controls: 1 item
            Control
                controlType: 1.2.840.113556.1.4.2239 (ISO assigned OIDs, USA.113556.1.4.2239)
                criticality: True
                controlValue: 3003020101

Thanks.
Craig Benner

- Original Message -
From: "Shawn McKinney"
To: "api"
Sent: Friday, September 8, 2017 9:58:56 AM
Subject: Re: Ldap API Custom Controls

> On Sep 7, 2017, at 8:41 PM, CRAIG BENNER wrote:
>
> It will take some changes to get a wireshark capture, since Passwords can
> only be managed over a secure connection. Hopefully tomorrow I can get you
> the wireshark capture

Wonder if it would be easier to just enable the API logger containing the BER request/response traces? That’s typically how I debug. Saves the trouble of setting up wireshark.
Re: Ldap API Custom Controls
> On Sep 7, 2017, at 8:41 PM, CRAIG BENNER wrote:
>
> It will take some changes to get a wireshark capture, since Passwords can
> only be managed over a secure connection. Hopefully tomorrow I can get you
> the wireshark capture

Wonder if it would be easier to just enable the API logger containing the BER request/response traces? That’s typically how I debug. Saves the trouble of setting up wireshark.
Re: Ldap API Custom Controls
I'm working with Chris. We've tried both coding approaches for setting the control

    //LdapServerPolicyHintsOid hints = new LdapServerPolicyHintsOidImpl();
    //hints.setFlags(1);
    //hints.setCritical(true);
    //modRequest.addControl(hints);

--or--

    LdapServerPolicyHintsOidDecorator decCtrl = new LdapServerPolicyHintsOidDecorator(getReadableLdapConnection().getCodecService());
    modRequest.addControl(decCtrl);

    ModifyResponse modResponse = getWriteableLdapConnection().modify(modRequest);

We are interacting with ActiveDirectory and we are using the ResetPassword logic (ModifyRequest Replace logic for uniCodePwd). We are trying to add honoring of the Password History data by adding the control for policy hints documented on the first email Chris sent.

It will take some changes to get a wireshark capture, since Passwords can only be managed over a secure connection. Hopefully tomorrow I can get you the wireshark capture

Thanks.
Craig Benner

- Original Message -
From: "Emmanuel Lécharny"
To: api@directory.apache.org
Sent: Thursday, September 7, 2017 4:51:49 PM
Subject: Re: Ldap API Custom Controls

On 07/09/2017 at 22:20, Chris Pike wrote:
> So I added the controls, but they don't seem to be working. We are getting an
> error code 53 (unwilling to perform) when we add the control to our request,
> so assuming there is something wrong with the control, but don't know enough
> about ldap or the library to know what. Any ideas on what to try or what
> might be wrong?

We need more info to be able to understand what's wrong :
- a capture of the messages being exchanged (wireshark)
- the server you use

> - Original Message -
> From: "Chris Pike"
> To: "api"
> Sent: Monday, September 4, 2017 6:50:37 PM
> Subject: Re: Ldap API Custom Controls
>
> Thanks for the suggestions and code examples. I'll work on adding this new
> control and let you know if I have any issues.
>
> ~Chris Pike
>
> - Original Message -
> From: "Emmanuel Lécharny"
> To: "api"
> Sent: Monday, September 4, 2017 3:46:49 AM
> Subject: Re: Ldap API Custom Controls
>
> On 04/09/2017 at 09:16, Radovan Semancik wrote:
>> On 09/04/2017 09:02 AM, Emmanuel Lécharny wrote:
>>> Actually, the tricky part is the grammar, which is a state engine
>>> description.
>> Oh, that is usually not that difficult either. Most of those "custom"
>> controls are very simple. Just a couple of fields. Complex data
>> structures seem to be very rare. If you start with existing control
>> that is somehow similar it is not difficult to implement a new control.
> FTR, the code I provided yesterday night in one of my previous mails took
> me around 30 mins, all included. For a more complex control, like
> syncrepl, that would have taken a bit more time, mainly because you want
> to add unit tests to cover the various cases.
>
> Now, I think that we should provide a bit of documentation about how to
> implement a control...

--
Emmanuel Lecharny
Symas.com
directory.apache.org
Re: Ldap API Custom Controls
On 07/09/2017 at 22:20, Chris Pike wrote:
> So I added the controls, but they don't seem to be working. We are getting an
> error code 53 (unwilling to perform) when we add the control to our request,
> so assuming there is something wrong with the control, but don't know enough
> about ldap or the library to know what. Any ideas on what to try or what
> might be wrong?

We need more info to be able to understand what's wrong :
- a capture of the messages being exchanged (wireshark)
- the server you use

> - Original Message -
> From: "Chris Pike"
> To: "api"
> Sent: Monday, September 4, 2017 6:50:37 PM
> Subject: Re: Ldap API Custom Controls
>
> Thanks for the suggestions and code examples. I'll work on adding this new
> control and let you know if I have any issues.
>
> ~Chris Pike
>
> - Original Message -
> From: "Emmanuel Lécharny"
> To: "api"
> Sent: Monday, September 4, 2017 3:46:49 AM
> Subject: Re: Ldap API Custom Controls
>
> On 04/09/2017 at 09:16, Radovan Semancik wrote:
>> On 09/04/2017 09:02 AM, Emmanuel Lécharny wrote:
>>> Actually, the tricky part is the grammar, which is a state engine
>>> description.
>> Oh, that is usually not that difficult either. Most of those "custom"
>> controls are very simple. Just a couple of fields. Complex data
>> structures seem to be very rare. If you start with existing control
>> that is somehow similar it is not difficult to implement a new control.
> FTR, the code I provided yesterday night in one of my previous mails took
> me around 30 mins, all included. For a more complex control, like
> syncrepl, that would have taken a bit more time, mainly because you want
> to add unit tests to cover the various cases.
>
> Now, I think that we should provide a bit of documentation about how to
> implement a control...

--
Emmanuel Lecharny
Symas.com
directory.apache.org
Re: Ldap API Custom Controls
Just to be clear, we get this error even if password is not a duplicate.

- Original Message -
From: "Chris Pike"
To: "api"
Sent: Thursday, September 7, 2017 4:20:58 PM
Subject: Re: Ldap API Custom Controls

So I added the controls, but they don't seem to be working. We are getting an error code 53 (unwilling to perform) when we add the control to our request, so assuming there is something wrong with the control, but don't know enough about ldap or the library to know what. Any ideas on what to try or what might be wrong?

- Original Message -
From: "Chris Pike"
To: "api"
Sent: Monday, September 4, 2017 6:50:37 PM
Subject: Re: Ldap API Custom Controls

Thanks for the suggestions and code examples. I'll work on adding this new control and let you know if I have any issues.

~Chris Pike

- Original Message -
From: "Emmanuel Lécharny"
To: "api"
Sent: Monday, September 4, 2017 3:46:49 AM
Subject: Re: Ldap API Custom Controls

On 04/09/2017 at 09:16, Radovan Semancik wrote:
> On 09/04/2017 09:02 AM, Emmanuel Lécharny wrote:
>> Actually, the tricky part is the grammar, which is a state engine
>> description.
>
> Oh, that is usually not that difficult either. Most of those "custom"
> controls are very simple. Just a couple of fields. Complex data
> structures seem to be very rare. If you start with existing control
> that is somehow similar it is not difficult to implement a new control.

FTR, the code I provided yesterday night in one of my previous mails took me around 30 mins, all included. For a more complex control, like syncrepl, that would have taken a bit more time, mainly because you want to add unit tests to cover the various cases.

Now, I think that we should provide a bit of documentation about how to implement a control...

--
Emmanuel Lecharny
Symas.com
directory.apache.org
Re: Ldap API Custom Controls
So I added the controls, but they don't seem to be working. We are getting an error code 53 (unwilling to perform) when we add the control to our request, so assuming there is something wrong with the control, but don't know enough about ldap or the library to know what. Any ideas on what to try or what might be wrong?

- Original Message -
From: "Chris Pike"
To: "api"
Sent: Monday, September 4, 2017 6:50:37 PM
Subject: Re: Ldap API Custom Controls

Thanks for the suggestions and code examples. I'll work on adding this new control and let you know if I have any issues.

~Chris Pike

- Original Message -
From: "Emmanuel Lécharny"
To: "api"
Sent: Monday, September 4, 2017 3:46:49 AM
Subject: Re: Ldap API Custom Controls

On 04/09/2017 at 09:16, Radovan Semancik wrote:
> On 09/04/2017 09:02 AM, Emmanuel Lécharny wrote:
>> Actually, the tricky part is the grammar, which is a state engine
>> description.
>
> Oh, that is usually not that difficult either. Most of those "custom"
> controls are very simple. Just a couple of fields. Complex data
> structures seem to be very rare. If you start with existing control
> that is somehow similar it is not difficult to implement a new control.

FTR, the code I provided yesterday night in one of my previous mails took me around 30 mins, all included. For a more complex control, like syncrepl, that would have taken a bit more time, mainly because you want to add unit tests to cover the various cases.

Now, I think that we should provide a bit of documentation about how to implement a control...

--
Emmanuel Lecharny
Symas.com
directory.apache.org
Re: Ldap API Custom Controls
Thanks for the suggestions and code examples. I'll work on adding this new control and let you know if I have any issues.

~Chris Pike

- Original Message -
From: "Emmanuel Lécharny"
To: "api"
Sent: Monday, September 4, 2017 3:46:49 AM
Subject: Re: Ldap API Custom Controls

On 04/09/2017 at 09:16, Radovan Semancik wrote:
> On 09/04/2017 09:02 AM, Emmanuel Lécharny wrote:
>> Actually, the tricky part is the grammar, which is a state engine
>> description.
>
> Oh, that is usually not that difficult either. Most of those "custom"
> controls are very simple. Just a couple of fields. Complex data
> structures seem to be very rare. If you start with existing control
> that is somehow similar it is not difficult to implement a new control.

FTR, the code I provided yesterday night in one of my previous mails took me around 30 mins, all included. For a more complex control, like syncrepl, that would have taken a bit more time, mainly because you want to add unit tests to cover the various cases.

Now, I think that we should provide a bit of documentation about how to implement a control...

--
Emmanuel Lecharny
Symas.com
directory.apache.org
Re: Ldap API Custom Controls
On 04/09/2017 at 09:16, Radovan Semancik wrote:
> On 09/04/2017 09:02 AM, Emmanuel Lécharny wrote:
>> Actually, the tricky part is the grammar, which is a state engine
>> description.
>
> Oh, that is usually not that difficult either. Most of those "custom"
> controls are very simple. Just a couple of fields. Complex data
> structures seem to be very rare. If you start with existing control
> that is somehow similar it is not difficult to implement a new control.

FTR, the code I provided yesterday night in one of my previous mails took me around 30 mins, all included. For a more complex control, like syncrepl, that would have taken a bit more time, mainly because you want to add unit tests to cover the various cases.

Now, I think that we should provide a bit of documentation about how to implement a control...

--
Emmanuel Lecharny
Symas.com
directory.apache.org
Re: Ldap API Custom Controls
On 09/04/2017 09:02 AM, Emmanuel Lécharny wrote:
> Actually, the tricky part is the grammar, which is a state engine
> description.

Oh, that is usually not that difficult either. Most of those "custom" controls are very simple. Just a couple of fields. Complex data structures seem to be very rare. If you start with existing control that is somehow similar it is not difficult to implement a new control.

--
Radovan Semancik
Software Architect
evolveum.com
Re: Ldap API Custom Controls
On 04/09/2017 at 08:49, Radovan Semancik wrote:
> Hi,
>
> I have implemented a couple of controls myself. Perhaps the best
> approach is to do it right in the Apache Directory API source code.
> And contribute it back, of course :-)
> Start from any existing control. E.g. you can have a look at my AD
> DirSync control
> (org.apache.directory.api.ldap.extras.controls.ad.AdDirSync). It is
> enough to have some basic idea how LDAP protocol works and how the API
> works. Most of the work is mostly copy&paste. There are 3-4 classes to
> create. It is not difficult to figure out.

Actually, the tricky part is the grammar, which is a state engine description.

--
Emmanuel Lecharny
Symas.com
directory.apache.org
Re: Ldap API Custom Controls
Hi,

I have implemented a couple of controls myself. Perhaps the best approach is to do it right in the Apache Directory API source code. And contribute it back, of course :-)

Start from any existing control. E.g. you can have a look at my AD DirSync control (org.apache.directory.api.ldap.extras.controls.ad.AdDirSync). It is enough to have some basic idea how LDAP protocol works and how the API works. Most of the work is mostly copy&paste. There are 3-4 classes to create. It is not difficult to figure out.

--
Radovan Semancik
Software Architect
evolveum.com

On 09/03/2017 08:57 PM, Chris Pike wrote:
> Trying to get Active Directory to honor password history when changing a password.
>
> https://blogs.technet.microsoft.com/fieldcoding/2013/01/09/resetting-passwords-honoring-password-history-or-whats-happening-under-the-hood-when-changing-resetting-passwords/
>
> - Original Message -
> From: Emmanuel Lecharny
> To: api@directory.apache.org
> Sent: Sun, 03 Sep 2017 14:38:26 -0400 (EDT)
> Subject: Re: Ldap API Custom Controls
>
> It's a bit tricky...
>
> What control do you want to implement? Do you have a description?
>
> On Sun, 3 Sept. 2017 at 15:58, Chris Pike wrote:
>
>> Hi,
>>
>> I am trying to add a custom control. I started by creating a class that
>> implements "org.apache.directory.api.ldap.model.message.Control" and
>> passing an instance into my request. This didn't seem to work, I'm guessing
>> because the value for the control is not passed.
>>
>> When looking at some of the other controls, I found a bunch of Decorator
>> and Factory classes in another package. Do I need to implement those types
>> of classes as well? If so, how do I register them? Is there a full example
>> of creating a custom control somewhere?
>>
>> Thanks for any help you can provide.
>>
>> ~Chris Pike
Re: Ldap API Custom Controls
nabled();

    private static Grammar instance = new LdapServerPolicyHintsOidGrammar();

    @SuppressWarnings("unchecked")
    private LdapServerPolicyHintsOidGrammar()
    {
        setName( LdapServerPolicyHintsOidGrammar.class.getName() );

        // One row per state, one column per possible tag byte
        super.transitions = new GrammarTransition[LdapServerPolicyHintsOidStates.END_STATE.ordinal()][256];

        // START_STATE --SEQUENCE--> LSPHO_SEQUENCE_STATE, no action
        super.transitions[LdapServerPolicyHintsOidStates.START_STATE.ordinal()][UniversalTag.SEQUENCE.getValue()] =
            new GrammarTransition(
                LdapServerPolicyHintsOidStates.START_STATE,
                LdapServerPolicyHintsOidStates.LSPHO_SEQUENCE_STATE,
                UniversalTag.SEQUENCE.getValue(),
                null );

        // LSPHO_SEQUENCE_STATE --INTEGER--> LSPHO_FLAGS_STATE, storing the Flags
        super.transitions[LdapServerPolicyHintsOidStates.LSPHO_SEQUENCE_STATE.ordinal()][UniversalTag.INTEGER.getValue()] =
            new GrammarTransition(
                LdapServerPolicyHintsOidStates.LSPHO_SEQUENCE_STATE,
                LdapServerPolicyHintsOidStates.LSPHO_FLAGS_STATE,
                UniversalTag.INTEGER.getValue(),
                new StoreFlags() );
    }

    /**
     * @return the singleton instance of the LdapServerPolicyHintsOidGrammar
     */
    public static Grammar getInstance()
    {
        return instance;
    }
}

- And the action used in the grammar to feed the Flags :

import org.apache.directory.api.asn1.actions.AbstractReadInteger;

/**
 * The action used to store the Flags value
 */
public class StoreFlags extends AbstractReadInteger<LdapServerPolicyHintsOidContainer>
{
    /**
     * Instantiates a new Flags action.
     */
    public StoreFlags()
    {
        super( "LdapServerPolicyHintsOid Flags" );
    }

    /**
     * {@inheritDoc}
     */
    @Override
    protected void setIntegerValue( int value, LdapServerPolicyHintsOidContainer lsphoContainer )
    {
        lsphoContainer.getDecorator().setFlags( value );
    }
}

That's all for the code, but you also need to declare the new control in the bundle or in the standalone API :

- in ExtrasBundleActivator :

    private void registerExtrasControls( LdapApiService codec )
    {
        ...
        ControlFactory ldapServerPolicyHintsOidFactory = new LdapServerPolicyHintsOidFactory( codec );
        codec.registerControl( ldapServerPolicyHintsOidFactory );
    }

and to deregister it :

    private void unregisterExtrasControls( LdapApiService codec )
    {
        ...
        codec.unregisterControl( LdapServerPolicyHintsOid.OID );
    }

- in CodecFactoryUtil :

    public static void loadStockControls( Map<String, ControlFactory<?>> controlFactories, LdapApiService apiService )
    {
        ...
        ControlFactory ldapServerPolicyHintsOidFactory = new LdapServerPolicyHintsOidFactory( apiService );
        controlFactories.put( ldapServerPolicyHintsOidFactory.getOid(), ldapServerPolicyHintsOidFactory );
        LOG.info( "Registered pre-bundled control factory: {}", ldapServerPolicyHintsOidFactory.getOid() );
    }

Ideally speaking, some unit tests would be good to have, but I leave you that as an exercise :-)

All this code is taken from the VLV request control, modified to fit your control. I think it should work pretty much pristine, typos put aside.

Just let me know if it's fine for you, then we can push it in the API.

>
> - Original Message -
> From: Emmanuel Lecharny
> To: api@directory.apache.org
> Sent: Sun, 03 Sep 2017 14:38:26 -0400 (EDT)
> Subject: Re: Ldap API Custom Controls
>
> It's a bit tricky...
>
> What control do you want to implement? Do you have a description?
>
> On Sun, 3 Sept. 2017 at 15:58, Chris Pike wrote:
>
>> Hi,
>>
>> I am trying to add a custom control. I started by creating a class that
>> implements "org.apache.directory.api.ldap.model.message.Control" and
>> passing an instance into my request. This didn't seem to work, I'm guessing
>> because the value for the control is not passed.
>>
>> When looking at some of the other controls, I found a bunch of Decorator
>> and Factory classes in another package. Do I need to implement those types
>> of classes as well? If so, how do I register them? Is there a full example
>> of creating a custom control somewhere?
>>
>> Thanks for any help you can provide.
>>
>> ~Chris Pike
>>

--
Emmanuel Lecharny
Symas.com
directory.apache.org
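As an added illustration (not part of the original message, and not the Apache Directory API's own decoder), the two transitions in the grammar above can be walked by hand over a control value of the form SEQUENCE { INTEGER flags }. The class name, state names and the strict length checks are assumptions of this sketch, and both sample byte arrays are constructed.

```java
public class FlagsValueDecoder {
    // Hypothetical state names mirroring START_STATE, LSPHO_SEQUENCE_STATE, LSPHO_FLAGS_STATE
    enum State { START, SEQUENCE, FLAGS }

    static final int TAG_SEQUENCE = 0x30; // universal, constructed SEQUENCE
    static final int TAG_INTEGER = 0x02;  // universal, primitive INTEGER

    /** Returns the flags, or throws if the bytes do not follow the two transitions exactly. */
    static int decodeFlags(byte[] pdu) {
        State state = State.START;
        int pos = 0;
        int flags = 0;

        while (state != State.FLAGS) {
            if (pdu.length - pos < 2) {
                throw new IllegalArgumentException("truncated TLV at offset " + pos);
            }
            int tag = pdu[pos++] & 0xFF;
            int length = pdu[pos++] & 0xFF;

            // Short-form length only; as a strictness assumption of this sketch, each
            // element must span exactly the bytes that are left (no trailing data).
            if ((length & 0x80) != 0 || length != pdu.length - pos) {
                throw new IllegalArgumentException("bad length at offset " + (pos - 1));
            }
            if (state == State.START && tag == TAG_SEQUENCE) {
                state = State.SEQUENCE;
            } else if (state == State.SEQUENCE && tag == TAG_INTEGER && length >= 1 && length <= 4) {
                flags = pdu[pos]; // first content byte carries the sign
                for (int i = 1; i < length; i++) {
                    flags = (flags << 8) | (pdu[pos + i] & 0xFF);
                }
                state = State.FLAGS;
            } else {
                throw new IllegalArgumentException("no transition from " + state + " on tag " + tag);
            }
        }
        return flags;
    }

    public static void main(String[] args) {
        byte[] sample = { 0x30, 0x03, 0x02, 0x01, 0x01 }; // constructed: SEQUENCE { INTEGER 1 }
        System.out.println("flags = " + decodeFlags(sample));
        try {
            // constructed: OCTET STRING tag where the grammar only allows INTEGER
            decodeFlags(new byte[] { 0x30, 0x03, 0x04, 0x01, 0x01 });
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```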
Re: Ldap API Custom Controls
Trying to get Active Directory to honor password history when changing a password.

https://blogs.technet.microsoft.com/fieldcoding/2013/01/09/resetting-passwords-honoring-password-history-or-whats-happening-under-the-hood-when-changing-resetting-passwords/

- Original Message -
From: Emmanuel Lecharny
To: api@directory.apache.org
Sent: Sun, 03 Sep 2017 14:38:26 -0400 (EDT)
Subject: Re: Ldap API Custom Controls

It's a bit tricky...

What control do you want to implement? Do you have a description?

On Sun, 3 Sept. 2017 at 15:58, Chris Pike wrote:

> Hi,
>
> I am trying to add a custom control. I started by creating a class that
> implements "org.apache.directory.api.ldap.model.message.Control" and
> passing an instance into my request. This didn't seem to work, I'm guessing
> because the value for the control is not passed.
>
> When looking at some of the other controls, I found a bunch of Decorator
> and Factory classes in another package. Do I need to implement those types
> of classes as well? If so, how do I register them? Is there a full example
> of creating a custom control somewhere?
>
> Thanks for any help you can provide.
>
> ~Chris Pike
>

--
Regards, Cordially,
Emmanuel Lécharny
www.iktek.com
Re: Ldap API Custom Controls
It's a bit tricky...

What control do you want to implement? Do you have a description?

On Sun, 3 Sept. 2017 at 15:58, Chris Pike wrote:

> Hi,
>
> I am trying to add a custom control. I started by creating a class that
> implements "org.apache.directory.api.ldap.model.message.Control" and
> passing an instance into my request. This didn't seem to work, I'm guessing
> because the value for the control is not passed.
>
> When looking at some of the other controls, I found a bunch of Decorator
> and Factory classes in another package. Do I need to implement those types
> of classes as well? If so, how do I register them? Is there a full example
> of creating a custom control somewhere?
>
> Thanks for any help you can provide.
>
> ~Chris Pike
>

--
Regards, Cordially,
Emmanuel Lécharny
www.iktek.com
Ldap API Custom Controls
Hi,

I am trying to add a custom control. I started by creating a class that implements "org.apache.directory.api.ldap.model.message.Control" and passing an instance into my request. This didn't seem to work, I'm guessing because the value for the control is not passed.

When looking at some of the other controls, I found a bunch of Decorator and Factory classes in another package. Do I need to implement those types of classes as well? If so, how do I register them? Is there a full example of creating a custom control somewhere?

Thanks for any help you can provide.

~Chris Pike