Merge pull request #33 from DavidJLee/master

New filter type to allow searching of binary data

Author: Rory O'Connell

Contributors.rdoc

@@ -19,3 +19,4 @@ Contributions since:
 * Derek Harmel (derekharmel)
 * Erik Hetzner (egh)
 * nowhereman
+* David J. Lee (DavidJLee)

lib/net/ber/core_ext/string.rb

@@ -16,6 +16,14 @@ def to_ber(code = 0x04)
     [code].pack('C') + raw_string.length.to_ber_length_encoding + raw_string
   end
 
+	##
+	# Converts a string to a BER string but does *not* encode to UTF-8 first.
+	# This is required for proper representation of binary data for Microsoft
+	# Active Directory
+	def to_ber_bin(code = 0x04)
+		[code].pack('C') + length.to_ber_length_encoding + self
+	end
+
   def raw_utf8_encoded
     if self.respond_to?(:encode)
       # Strings should be UTF-8 encoded according to LDAP.

lib/net/ldap.rb

@@ -308,6 +308,7 @@ class LdapError < StandardError; end
   DefaultPort = 389
   DefaultAuth = { :method => :anonymous }
   DefaultTreebase = "dc=com"
+	DefaultForceNoPage = false
 
   StartTlsOid = "1.3.6.1.4.1.1466.20037"
 
@@ -373,6 +374,8 @@ def self.result2string(code) #:nodoc:
   #   specifying the Hash {:method => :simple_tls}. There is a fairly large
   #   range of potential values that may be given for this parameter. See
   #   #encryption for details.
+  # * :force_no_page => Set to true to prevent paged results even if your
+  #   server says it supports them. This is a fix for MS Active Directory
   #
   # Instantiating a Net::LDAP object does <i>not</i> result in network
   # traffic to the LDAP server. It simply stores the connection and binding
@@ -383,6 +386,7 @@ def initialize(args = {})
     @verbose = false # Make this configurable with a switch on the class.
     @auth = args[:auth] || DefaultAuth
     @base = args[:base] || DefaultTreebase
+		@force_no_page = args[:force_no_page] || DefaultForceNoPage
     encryption args[:encryption] # may be nil
 
     if pr = @auth[:password] and pr.respond_to?(:call)
@@ -1108,6 +1112,10 @@ def search_subschema_entry
   # MUST refactor the root_dse call out.
   #++
   def paged_searches_supported?
+		# active directory returns that it supports paged results. However
+		# it returns binary data in the rfc2696_cookie which throws an
+		# encoding exception breaking searching.		
+		return false if @force_no_page
     @server_caps ||= search_root_dse
     @server_caps[:supportedcontrol].include?(Net::LDAP::LDAPControls::PAGED_RESULTS)
   end
@@ -1433,6 +1441,10 @@ def search(args = {})
         search_attributes.to_ber_sequence
       ].to_ber_appsequence(3)
 
+			# rfc2696_cookie sometimes contains binary data from Microsoft Active Directory
+			# this breaks when calling to_ber. (Can't force binary data to UTF-8)
+			# we have to disable paging (even though server supports it) to get around this...
+
       controls = []
       controls <<
         [
@@ -1582,7 +1594,7 @@ def add(args)
   #--
   # TODO: need to support a time limit, in case the server fails to respond.
   #++
-  def rename args
+  def rename(args)
     old_dn = args[:olddn] or raise "Unable to rename empty DN"
     new_rdn = args[:newrdn] or raise "Unable to rename to empty RDN"
     delete_attrs = args[:delete_attributes] ? true : false

lib/net/ldap/filter.rb

@@ -23,7 +23,7 @@
 class Net::LDAP::Filter
   ##
   # Known filter types.
-  FilterTypes = [ :ne, :eq, :ge, :le, :and, :or, :not, :ex ]
+  FilterTypes = [ :ne, :eq, :ge, :le, :and, :or, :not, :ex, :bineq ]
 
   def initialize(op, left, right) #:nodoc:
     unless FilterTypes.include?(op)
@@ -65,6 +65,23 @@ def eq(attribute, value)
       new(:eq, attribute, value)
     end
 
+		##
+		# Creates a Filter object indicating a binary comparison.
+		# this prevents the search data from being forced into a UTF-8 string.
+		#
+		# This is primarily used for Microsoft Active Directory to compare
+		# GUID values.
+		#
+		#    # for guid represented as hex charecters
+		#    guid = "6a31b4a12aa27a41aca9603f27dd5116"
+		#    guid_bin = [guid].pack("H*")
+		#    f = Net::LDAP::Filter.bineq("objectGUID", guid_bin)
+		#
+		# This filter does not perform any escaping.
+		def bineq(attribute, value)
+			new(:bineq, attribute, value)
+		end
+
     ##
     # Creates a Filter object indicating extensible comparison. This Filter
     # object is currently considered EXPERIMENTAL.
@@ -399,6 +416,8 @@ def to_raw_rfc2254
       "!(#{@left}=#{@right})"
     when :eq
       "#{@left}=#{@right}"
+		when :bineq
+			"#{@left}=#{@right}"
     when :ex
       "#{@left}:=#{@right}"
     when :ge
@@ -508,6 +527,9 @@ def to_ber
       else # equality
         [@left.to_s.to_ber, unescape(@right).to_ber].to_ber_contextspecific(3)
       end
+		when :bineq
+			# make sure data is not forced to UTF-8
+			[@left.to_s.to_ber, unescape(@right).to_ber_bin].to_ber_contextspecific(3)
     when :ex
       seq = []
 

spec/unit/ber/ber_spec.rb

@@ -84,6 +84,11 @@
       it "should properly encode strings encodable as UTF-8" do
         "teststring".encode("US-ASCII").to_ber.should == "\x04\nteststring"
       end
+			it "should properly encode binary data strings using to_ber_bin" do
+				# This is used for searching for GUIDs in Active Directory
+				["6a31b4a12aa27a41aca9603f27dd5116"].pack("H*").to_ber_bin.should == 
+					"\x04\x10" + "j1\xB4\xA1*\xA2zA\xAC\xA9`?'\xDDQ\x16"
+			end
       it "should fail on strings that can not be converted to UTF-8" do
         error = Encoding::UndefinedConversionError
         lambda {"\x81".to_ber }.should raise_exception(error)