This is pretty old information.

Adds an empty BER-encoded value of an LDAPControl's ldctl_value#

"We've found an interoperability issue and would like to report it to Microsoft. The issue is similar to another issue we discovered and reported a couple of years ago. The problem is that the MS LDAP API (wldap32.dll) always adds an empty BER-encoded value for an LDAPControl's ldctl_value field, regardless of whether it's set or not. This makes it impossible to use some LDAP operations.

Recently, Novell released eDirectory 8.8 SP1, which introduced stricter parsing of the ManageDsaIT control than they had used before. Now, eDirectory 8.8 SP1 does not accept requests with the ManageDsaIT control attached, because it does not expect the control to have a value attached.

Below are extracts of several network traffic captures, which we made using WinShark, of a simple program sending a search request with the ManageDsaIT control attached.

0080   24 30 84 00 00 00 1e 04 17 32 2e 31 36 2e 38 34   $0.......2.16.84
0090   30 2e 31 2e 31 31 33 37 33 30 2e 33 2e 34 2e 32   0.1.113730.3.4.2
00a0   01 01 00 04 00

MS LDAP API - Windows Vista Pre-RC1 (build 5536):

0080   21 30 84 00 00 00 1b 04 17 32 2e 31 36 2e 38 34   !0.......2.16.84
0090   30 2e 31 2e 31 31 33 37 33 30 2e 33 2e 34 2e 32   0.1.113730.3.4.2
00a0   04 00                                             ..

OpenLDAP API:

0070   1b 30 19 04 17 32 2e 31 36 2e 38 34 30 2e 31 2e   .0...2.16.840.1.
0080   31 31 33 37 33 30 2e 33 2e 34 2e 32               113730.3.4.2

We've got here 1 or 2 differences in the way the controls are encoded in the MS LDAP API:
  1. 01 01 00 - It seems to be the LDAPControl's criticality flag. According to RFC 2251 (section 4.1.12) it's an optional part and by default is FALSE, so it's pretty reasonable for OpenLDAP not to include this part when criticality is set to FALSE and in this way reduce the size of the on-wire data. Vista's edition of the MS LDAP API also does not include this part when criticality is FALSE.
  2. 04 00 - This seems to be an empty OCTET STRING that the MS LDAP API attaches to any control, regardless of whether it's empty. It should not be attached when the LDAPControl's ldctl_value field is set to {NULL, 0}.

Some of our clients discovered a Microsoft hot-fix; however, they claim it does not help.
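
The following Python is an added example, not part of the quoted report and not code from Microsoft, Novell or OpenLDAP. It decodes the Control bytes from the three captures above, keeping an absent controlValue (`None`) distinct from an empty one (`b""`). `strict_accepts` is a hypothetical model of a strict receiver, not eDirectory's actual logic.

```python
OID = b"2.16.840.1.113730.3.4.2"            # ManageDsaIT, as it appears in the dumps

# Bytes copied from the three captures above, starting at the 0x30 SEQUENCE tag.
CAPTURES = {
    "first": bytes.fromhex("30 84 00 00 00 1e 04 17") + OID + bytes.fromhex("01 01 00 04 00"),
    "vista": bytes.fromhex("30 84 00 00 00 1b 04 17") + OID + bytes.fromhex("04 00"),
    "openldap": bytes.fromhex("30 19 04 17") + OID,
}

def read_tlv(buf, pos):
    """Read one definite-length BER TLV; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                        # long form, e.g. 84 00 00 00 1e
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length octets")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:                                   # short form, e.g. 19
        length = first
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_control(buf):
    """Decode one Control, keeping 'field absent' distinct from 'field empty'."""
    tag, body, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("Control must be a SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x04:
        raise ValueError("controlType must be an OCTET STRING")
    ctl = {"oid": oid.decode("ascii"), "criticality_sent": False, "critical": False, "value": None}
    if pos < len(body) and body[pos] == 0x01:   # optional criticality BOOLEAN
        _, v, pos = read_tlv(body, pos)
        ctl["criticality_sent"], ctl["critical"] = True, any(v)
    if pos < len(body) and body[pos] == 0x04:   # optional controlValue OCTET STRING
        _, ctl["value"], pos = read_tlv(body, pos)
    if pos != len(body):
        raise ValueError("unexpected trailing data in Control")
    return ctl

def strict_accepts(ctl):
    """Hypothetical strict receiver: ManageDsaIT must carry no controlValue at all."""
    return ctl["oid"] == OID.decode() and ctl["value"] is None
```

Only the OpenLDAP encoding decodes with `value` as `None`; both MS LDAP API captures decode to `b""`, which a receiver that treats a zero-length value as equivalent to an absent one would accept and this strict model rejects.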

« This page (revision-4) was last changed on 05-Jan-2017 12:24 by jim