How to best handle DN+String and DN+Binary in OL?

Howard Chu hyc at
Sun Jul 11 15:16:20 MDT 2010

Andrew Bartlett wrote:
> I'm back on my occasional task of trying to get the OpenLDAP backend to
> Samba4 going again, and was hoping to simply test out the fine work done
> on the vernum module.  (which I should have tested at the time it was
> developed).
> Anyway, Samba has moved on, and things have broken.  Part of the changes
> relate to these additional DN types (found in AD), of:
> #define DSDB_SYNTAX_BINARY_DN   "1.2.840.113556.1.4.903"
> #define DSDB_SYNTAX_STRING_DN   "1.2.840.113556.1.4.904"
> #define DSDB_SYNTAX_OR_NAME     "1.2.840.113556.1.4.1221"
> These are quite odd in their behaivour, but in short they are both a
> string or binary blob and a DN, all in one.  Only the DN portion is
> relevant for attribute matching rules.
> Currently, I map these to strings, but they are not strings - and need
> proper DN match rules, as I need to be able to use the 'deref' module on
> them (and to correctly handle the case sensitive/insensitive nature of
> DNs).
> What is the best way to get OpenLDAP to understand it needs to match on
> and follow references to the DN part of these values?

Good question. So far the only way to get DN semantics is by using 
distinguishedName syntax. In a few places we've also special-cased recognition 
of NameAndOptionalUID syntax, but that's not universal. I suppose, if you can 
shoehorn your extra blobs into the UID portion, you can use that syntax and we 
can figure out where else it needs to be accepted.
> (Additionally, even when just use deref with normal DNs, I'm not getting
> a the control response, but I need to get more info before I can pin the
> details down)
> Thanks,
> Andrew Bartlett

   -- Howard Chu
   CTO, Symas Corp. 
   Director, Highland Sun
   Chief Architect, OpenLDAP

More information about the samba-technical mailing list