dirmgr
commented
12 months ago The LDAP protocol specification in RFC 4511 section 4.8 defines a delete request as:
DelRequest ::= [APPLICATION 10] LDAPDN
This means that the only standards-compliant way for LDAP clients to identify an entry to delete is by providing the DN of that entry, and providing something other than the DN would mean that it isn't a valid LDAP request.
Nevertheless, Microsoft doesn't seem especially concerned with adhering to the protocol specification. I know that they violate the spec at least for bind operations, so it's possible that they do as well for delete operations. I don't deal with Active Directory, so I can't say whether that is the case or not.
I will say that if you attempt a delete operation and specify the DN of the entry to delete as a string, the LDAP SDK doesn't try to verify whether the provided DN actually is a string. So if Active Directory does allow you to provide an objectGUID as an alternative to a DN, then the LDAP SDK wouldn't necessarily prevent you from doing that.
gredwhite
I want to use immutable objectGuid identifier in my project and I want to know how to remove by
objectGuidThe most obvious option is get the entryby
objectGuidand then remove using existing API
ldapConnectionPool.delete(dn)But it requires 2 requests.
Is there way to extend library to make it using single ldap request ? Does LDAP protocol suppot it ?
Based on https://learn.microsoft.com/en-us/windows/win32/ad/using-objectguid-to-bind-to-an-object I think that get by
objectGuidis supported on protocol level