pingidentity / ldapsdk

UnboundID LDAP SDK for Java

schema.getAttributeSyntaxes() is NULL in Windows AD #138

Closed edu-de closed 1 year ago

edu-de commented 1 year ago

Hi,

we are using com.unboundid.ldap.sdk.schema.Schema.getAttributeSyntaxes() for retrieving all attribute syntaxes. This works fine for an Apache Directory Studio LDAP server, but for a Windows AD server we only get NULL. This is very strange, as the same Windows AD server shows many attribute syntaxes when accessing it via "Apache Directory Studio" as shown in the screenshot.

What may be the problem?

Using LdapSDK 6.0.7

edu-de commented 1 year ago

It seems ldapsearch also returns empty results for Windows AD. Then I really don't understand where this information in the screenshot is fetched from, any idea?

dirmgr commented 1 year ago

I’m not really very familiar with Active Directory and its quirks, but the LDAP SDK is intended to work with standards-compliant LDAP servers. The search that it issues to retrieve the server schema uses the mechanism described in RFC 4512 section 4.4, and it appears that while Active Directory does respond to that search with some schema information, it doesn’t include the ldapSyntaxes attribute that is intended to hold the list of attribute syntaxes (as per section 4.2.5 of the same specification).

Also note that while it does return the attributeTypes attribute, which is intended to list the defined attribute types, the format of those definitions appears to violate the specification by surrounding the syntax OID in single quotes, which is not allowed as per RFC 4512 section 4.1.2. This is something that we’ve run into before, so the LDAP SDK will ignore the illegal quotes and parse the definition anyway, but it is another example of the nonstandard behavior that AD exhibits with regards to its schema handling.

I’m also not really very familiar with Apache Directory Studio, so I’m not sure how it’s getting the list of syntaxes, but it’s not using the standard mechanism described by the LDAP specification. It may be that there is some nonstandard, AD-specific way of retrieving the list of syntaxes, but I don’t know what that might be, and if there is one, then the LDAP SDK doesn’t support it.
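The two points above (a quoted SYNTAX OID that the SDK tolerates, and an absent ldapSyntaxes attribute) as an added example written for this thread; it is not part of the issue or of the LDAP SDK itself. The attribute definition, host name, bind DN and password are constructed placeholders, and the fallback of collecting syntax OIDs from the attributeTypes the server did return is my own workaround, not an SDK feature.

```java
import java.util.Set;
import java.util.TreeSet;

import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.schema.AttributeSyntaxDefinition;
import com.unboundid.ldap.sdk.schema.AttributeTypeDefinition;
import com.unboundid.ldap.sdk.schema.Schema;

public final class AdSyntaxFallback {

  // Constructed sample in the shape described above: the SYNTAX OID is wrapped
  // in single quotes, which RFC 4512 section 4.1.2 does not allow. The OID and
  // name are made up for this example.
  static final String AD_STYLE_ATTRIBUTE_TYPE =
      "( 1.2.840.113556.1.4.9999 NAME 'exampleAttr' SYNTAX '2.5.5.12' SINGLE-VALUE )";

  // Parses a definition with the SDK and returns the syntax OID it extracted.
  // Relies on the quote-tolerant parsing described in the comment above.
  static String parseSyntaxOid(String definition) throws LDAPException {
    return new AttributeTypeDefinition(definition).getSyntaxOID();
  }

  // Fallback when ldapSyntaxes is missing: the distinct syntax OIDs referenced
  // by the attributeTypes the server did return (my workaround, not SDK API).
  static Set<String> syntaxOidsInUse(Schema schema) {
    Set<String> oids = new TreeSet<>();
    for (AttributeTypeDefinition at : schema.getAttributeTypes()) {
      if (at.getSyntaxOID() != null) {
        oids.add(at.getSyntaxOID());
      }
    }
    return oids;
  }

  public static void main(String[] args) throws LDAPException {
    System.out.println("parsed syntax OID: " + parseSyntaxOid(AD_STYLE_ATTRIBUTE_TYPE));

    // Placeholder connection details; substitute your own.
    try (LDAPConnection conn = new LDAPConnection("ad.example.test", 389,
        "CN=reader,CN=Users,DC=example,DC=test", "changeit")) {
      Schema schema = Schema.getSchema(conn);
      if (schema == null) {
        System.out.println("server did not expose a subschema subentry");
        return;
      }
      Set<AttributeSyntaxDefinition> syntaxes = schema.getAttributeSyntaxes();
      if (syntaxes == null || syntaxes.isEmpty()) {
        System.out.println("no ldapSyntaxes advertised; OIDs in use: " + syntaxOidsInUse(schema));
      } else {
        System.out.println(syntaxes.size() + " syntaxes advertised");
      }
    }
  }
}
```

The null/empty guard is the part worth keeping in application code: treat a missing ldapSyntaxes attribute as "server did not advertise syntaxes" rather than as an error.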

edu-de commented 1 year ago

Hi dirmgr,

thanks for your reply and for confirming this. I will try to find out what quirks Apache Directory Studio uses for this and if I find something out I will update here, maybe this is also interesting for someone having the same issue.

Regards, Eduardo