What is the best option to remove object by objectGuid ? #149

Open
gredwhite opened this issue Jul 31, 2023 · 2 comments
Comments


gredwhite commented Jul 31, 2023

I want to use the immutable objectGuid identifier in my project, and I want to know how to remove an entry by objectGuid.

The most obvious option is to get the entry by objectGuid:

import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;

// objectGuidBytes is the 16-byte objectGUID value of the entry to find
SearchRequest searchRequest = new SearchRequest(
        searchBase,
        SearchScope.SUB,
        Filter.createEqualityFilter("objectGuid", objectGuidBytes)
);
SearchResultEntry entry = ldapConnectionPool.searchForEntry(searchRequest);

and then remove it using the existing API:

ldapConnectionPool.delete(entry.getDN());

But it requires 2 requests.

Is there a way to extend the library so it does this with a single LDAP request? Does the LDAP protocol support it?

Based on https://learn.microsoft.com/en-us/windows/win32/ad/using-objectguid-to-bind-to-an-object, I think that getting by objectGuid is supported at the protocol level.

Collaborator

dirmgr commented Jul 31, 2023

The LDAP protocol specification in RFC 4511 section 4.8 defines a delete request as:

DelRequest ::= [APPLICATION 10] LDAPDN

This means that the only standards-compliant way for LDAP clients to identify an entry to delete is by providing the DN of that entry, and providing something other than the DN would mean that it isn't a valid LDAP request.

Nevertheless, Microsoft doesn't seem especially concerned with adhering to the protocol specification. I know that they violate the spec at least for bind operations, so it's possible that they do as well for delete operations. I don't deal with Active Directory, so I can't say whether that is the case or not.

I will say that if you attempt a delete operation and specify the DN of the entry to delete as a string, the LDAP SDK doesn't try to verify whether the provided DN actually is a string. So if Active Directory does allow you to provide an objectGUID as an alternative to a DN, then the LDAP SDK wouldn't necessarily prevent you from doing that.

Author

gredwhite commented Aug 1, 2023

@dirmgr Thank you!

I tried to test (with an existing objectGuid):
1.

ldapConnectionPool.delete("0b3c17ce-8683-6043-96be-87f6d3211023")

==>

00002032: ldb_delete: invalid dn '(null)'

But it is not surprising, because objectGuid should be passed as a byte array.
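A worked version of the two-request approach from the question, added here as an example; it is not code from the issue or from the LDAP SDK project. It turns the textual GUID from the last comment into the 16-byte objectGUID value (the first three GUID fields are stored little-endian, so the text form cannot be used as the assertion value directly), searches for the matching entry, and deletes it by the DN returned. The class and method names are my own; the SDK calls are the UnboundID LDAP SDK ones used in the issue.

```java
import java.nio.ByteBuffer;
import java.util.UUID;

import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnectionPool;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;

// Hypothetical helper class written for this example.
public final class ObjectGuidDelete {

    // Converts "0b3c17ce-8683-6043-96be-87f6d3211023" (text form) into the
    // 16 bytes stored in objectGUID: Data1 (4 bytes), Data2 (2) and Data3 (2)
    // are little-endian in the stored value, Data4 (8 bytes) keeps its order.
    static byte[] guidToObjectGuidBytes(String guidText) {
        UUID uuid = UUID.fromString(guidText);
        byte[] be = ByteBuffer.allocate(16)
                .putLong(uuid.getMostSignificantBits())
                .putLong(uuid.getLeastSignificantBits())
                .array();
        byte[] stored = new byte[16];
        stored[0] = be[3]; stored[1] = be[2]; stored[2] = be[1]; stored[3] = be[0];
        stored[4] = be[5]; stored[5] = be[4];
        stored[6] = be[7]; stored[7] = be[6];
        System.arraycopy(be, 8, stored, 8, 8);
        return stored;
    }

    // Two LDAP operations, because an RFC 4511 DelRequest carries only an LDAPDN.
    // Returns the DN that was deleted, or null if no entry matched the GUID.
    static String deleteByObjectGuid(LDAPConnectionPool pool, String searchBase,
                                     String guidText) throws LDAPException {
        byte[] guidBytes = guidToObjectGuidBytes(guidText);
        // The SDK escapes the binary assertion value for the filter itself.
        SearchRequest searchRequest = new SearchRequest(
                searchBase,
                SearchScope.SUB,
                Filter.createEqualityFilter("objectGUID", guidBytes),
                SearchRequest.NO_ATTRIBUTES); // only the DN is needed
        // objectGUID is unique, so searchForEntry (which fails on >1 match) is safe.
        SearchResultEntry entry = pool.searchForEntry(searchRequest);
        if (entry == null) {
            return null;
        }
        pool.delete(entry.getDN());
        return entry.getDN();
    }
}
```

Between the search and the delete the entry can still be renamed or deleted by someone else, so treat an LDAPException from delete as a possible race rather than a bug.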
