If we use GetAttributeValue function in a search to retrieve an specific attribute, the attribute name is currently case sensitive in this API.

According to LDAP specifications attribute retrieval must be case insensitive. For exemple, the attribute givenName and givenname are the same attribute, therefore if a client ask for "givenname" and LDAP definitions is set to "givenName", the API must be case insensitive returning the attribute and its value to the client, if present of course.

This patch adds String() string methods to each of the following types:

• DN
• RelativeDN
• AttributeTypeAndValue

So that a *DN implements the fmt.Stringer interface. These methods also produce normalized strings: Attribute Type and Value are lowercased and joined with a "=" character while multiple attributes of a Relative DN are sorted lexicographically before being joined witha "+" character.

This allows one to use the string representation of a DN as a map key and ensure that two DNs which Equal() eachother would have the same String() value.

wrote get methods to struct AddRequest in add.go, as the struct variables are not global, and it would be easy if an add request wants to be compared with another one before populating it.

This PR makes filter writing much easier for humans, by allowing extra whitespace in the filter input.

As an example, rather than writing:

filter = "(&(mail=*)(|(objectClass=contact)(objectClass=group)(objectClass=inetOrgPerson)(objectClass=user)(objectClass=publicFolder))(!(msExchUserAccountControl:1.2.840.113556.1.4.803:=2))(|(userAccountControl:1.2.840.113556.1.4.803:=256)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(userAccountControl=*)))(!(&(msExchWhenMailboxCreated=*)(!(homeMDB=*)))))"

It is now possible to specify the same filter in this much more readable format:

    filter =  `
        (& (mail=*)
                (|  (objectClass=contact)
                    (objectClass=group)
                    (objectClass=inetOrgPerson)
                    (objectClass=user)
                    (objectClass=publicFolder)
                )
                (!  (msExchUserAccountControl:1.2.840.113556.1.4.803:=2))
                (|  (userAccountControl:1.2.840.113556.1.4.803:=256)
                    (userAccountControl:1.2.840.113556.1.4.803:=512)
                    (!(userAccountControl=*))
                )
                (!  (&  (msExchWhenMailboxCreated=*)
                        (!(homeMDB=*))
                    )
                )
            )
        `

When a member leaves office, how should I disable his account?

I want to disable it by pwdAccountLockedTime, only prompt when running:

LDAP Result Code 17 "Undefined Attribute Type": pwdAccountLockedTime: attribute type undefined

If the Ldap process is stopped or otherwise unresponsive, Bind and SimpleBind will block waiting for a response.

This commit adds BindWithTimeout and SimpleBindWithTimeout to give the developer control over the wait time. The Bind and SimpleBind will return an error after DefaultTimeout.

Is the following search filter possible with this library? Didn't seem like it worked, based on my limited testing with a hacked up example_test.go.

memberOf:CN=Some-App-Group,OU=Groups,DC=example,DC=com

Also, is it possible to search nested group membership, similar to the following?

memberOf:1.2.840.113556.1.4.1941:=CN=Some-App-Group,OU=Groups,DC=example,DC=com

Apologies if this is obvious in the code -- I'm not a Go developer but need to add this functionality to an app that uses this library.

I wrote a test program to check the password controls feature for my LDAP directory but it is failing when I am trying to run the code.

Some more info on this bug: This happens only when the authentication is successful and when I am expecting to get some info on the pasword policy.

The same setup works when I use python library. It gives proper info but with this library I always end up with a panic.

If someone who understands the issue can point me in the right direction that would be more than enough.

My code:

var ldapServer = "acmewapp.stage.acme.com"
var ldapPort = uint16(636)

l, err := ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", ldapServer, ldapPort), &tls.Config{InsecureSkipVerify: true})
//l, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", ldapServer, ldapPort))
if err != nil {
	fmt.Printf(err.Error())
	return
}
defer l.Close()

controls := []ldap.Control{}
controls = append(controls, ldap.NewControlBeheraPasswordPolicy())
bindRequest := ldap.NewSimpleBindRequest("cn=acmewapp,dc=stage,dc=acme,dc=com", "password!@#", controls)
r, err := l.SimpleBind(bindRequest)

ppolicyControl := ldap.FindControl(r.Controls, ldap.ControlTypeBeheraPasswordPolicy)
var ppolicy *ldap.ControlBeheraPasswordPolicy
if ppolicyControl != nil {
	ppolicy = ppolicyControl.(*ldap.ControlBeheraPasswordPolicy)
} else {
	fmt.Println("ppolicyControl response not available.\n")
}
if err != nil {
	fmt.Println("err simplebind request %s", err.Error())
	if ppolicy != nil && ppolicy.Error >= 0 {
		fmt.Println("ppolicy string %s", ppolicy.ErrorString)
	}
}

Error that I am seeing:

go run main.go
panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xb code=0x1 addr=0x0 pc=0x460e9d]

goroutine 1 [running]:
runtime.panic(0x5b11e0, 0x7dbee8)
	/usr/lib/go/src/pkg/runtime/panic.c:266 +0xb6
gopkg.in/ldap%2ev2.DecodeControl(0xc2100798c0, 0x0, 0x0)
	/opt/wapp/golang/src/gopkg.in/ldap.v2/control.go:339 +0x97d
gopkg.in/ldap%2ev2.(*Conn).SimpleBind(0xc21000f640, 0xc210051480, 0x0, 0x0, 0x0)
	/opt/wapp/golang/src/gopkg.in/ldap.v2/bind.go:88 +0x5ba
main.main()
	/opt/wapp/golang/testproj/main.go:26 +0x46b

goroutine 6 [runnable]:
net.runtime_pollWait(0x7fb34da06180, 0x72, 0x0)
	/usr/lib/go/src/pkg/runtime/netpoll.goc:116 +0x6a
net.(*pollDesc).Wait(0xc210047140, 0x72, 0x7fb34da050c0, 0xb)
	/usr/lib/go/src/pkg/net/fd_poll_runtime.go:81 +0x34
net.(*pollDesc).WaitRead(0xc210047140, 0xb, 0x7fb34da050c0)
	/usr/lib/go/src/pkg/net/fd_poll_runtime.go:86 +0x30
net.(*netFD).Read(0xc2100470e0, 0xc210070000, 0x800, 0x800, 0x0, ...)
	/usr/lib/go/src/pkg/net/fd_unix.go:204 +0x2a0
net.(*conn).Read(0xc210000078, 0xc210070000, 0x800, 0x800, 0x47cd81, ...)
	/usr/lib/go/src/pkg/net/net.go:122 +0xc5
crypto/tls.(*block).readFromUntil(0xc21001e840, 0x7fb34da06278, 0xc210000078, 0x5, 0xc210000078, ...)
	/usr/lib/go/src/pkg/crypto/tls/conn.go:459 +0xb6
crypto/tls.(*Conn).readRecord(0xc210052780, 0x17, 0x0, 0xc2100007e0)
	/usr/lib/go/src/pkg/crypto/tls/conn.go:539 +0x107
crypto/tls.(*Conn).Read(0xc210052780, 0xc2100007e0, 0x1, 0x1, 0x0, ...)
	/usr/lib/go/src/pkg/crypto/tls/conn.go:897 +0x135
io.ReadAtLeast(0x7fb34da06608, 0xc210052780, 0xc2100007e0, 0x1, 0x1, ...)
	/usr/lib/go/src/pkg/io/io.go:288 +0xf6
io.ReadFull(0x7fb34da06608, 0xc210052780, 0xc2100007e0, 0x1, 0x1, ...)
	/usr/lib/go/src/pkg/io/io.go:306 +0x71
gopkg.in/asn1-ber%2ev1.readByte(0x7fb34da06608, 0xc210052780, 0x41f558, 0x7f3780, 0xa)
	/opt/wapp/golang/src/gopkg.in/asn1-ber.v1/util.go:7 +0x78
gopkg.in/asn1-ber%2ev1.readIdentifier(0x7fb34da06608, 0xc210052780, 0x4669f7, 0x56cea0, 0x2, ...)
	/opt/wapp/golang/src/gopkg.in/asn1-ber.v1/identifier.go:15 +0x6c
gopkg.in/asn1-ber%2ev1.readHeader(0x7fb34da06608, 0xc210052780, 0x0, 0x0, 0xc21000f000, ...)
	/opt/wapp/golang/src/gopkg.in/asn1-ber.v1/header.go:9 +0x6d
gopkg.in/asn1-ber%2ev1.readPacket(0x7fb34da06608, 0xc210052780, 0x5a1820, 0x5d6a60, 0xc200000000, ...)
	/opt/wapp/golang/src/gopkg.in/asn1-ber.v1/ber.go:276 +0x42
gopkg.in/asn1-ber%2ev1.ReadPacket(0x7fb34da06608, 0xc210052780, 0xc210052780, 0x7fb34da06608, 0xc210052780)
	/opt/wapp/golang/src/gopkg.in/asn1-ber.v1/ber.go:199 +0x31
gopkg.in/ldap%2ev2.(*Conn).reader(0xc21000f640)
	/opt/wapp/golang/src/gopkg.in/ldap.v2/conn.go:442 +0x111
created by gopkg.in/ldap%2ev2.(*Conn).Start
	/opt/wapp/golang/src/gopkg.in/ldap.v2/conn.go:155 +0x2e

goroutine 5 [syscall]:
runtime.goexit()
	/usr/lib/go/src/pkg/runtime/proc.c:1394
exit status 2

Any info on this would be helpful.

Thanks.

    oleg@oleg-devel-linux-2# go build
    oleg@oleg-devel-linux-2# go test
    TestDial: starting...
    TestDial: finished...
    TestDialTLS: starting...
    TestDialTLS: finished...
    TestStartTLS: starting...
    TestStartTLS: finished...
    TestSearch: starting...
    TestSearch: (cn=cis-fac) -> num of entries = 0
    TestSearchStartTLS: starting...
    TestSearchStartTLS: (cn=cis-fac) -> num of entries = 0
    TestSearchStartTLS: upgrading with startTLS
    TestSearchStartTLS: (cn=cis-fac) -> num of entries = 0
    TestSearchWithPaging: starting...
    TestSearchWithPaging: (&(objectclass=rfc822mailgroup)(cn=*Computer*)) -> num of entries = 84
    TestMultiGoroutineSearch: starting...
    TestMultiGoroutineSearch(0): (cn=cis-fac) -> num of entries = 0
    TestMultiGoroutineSearch(1): (&(owner=*)(cn=cis-fac)) -> num of entries = 0
    TestMultiGoroutineSearch(2): (&(objectclass=rfc822mailgroup)(cn=*Computer*)) -> num of entries = 84
    TestMultiGoroutineSearch(3): (&(objectclass=rfc822mailgroup)(cn=*Mathematics*)) -> num of entries = 18
    TestMultiGoroutineSearch: starting...
    TestMultiGoroutineSearch(0): (cn=cis-fac) -> num of entries = 0
    TestMultiGoroutineSearch(1): (&(owner=*)(cn=cis-fac)) -> num of entries = 0
    TestMultiGoroutineSearch(2): (&(objectclass=rfc822mailgroup)(cn=*Computer*)) -> num of entries = 84
    TestMultiGoroutineSearch(3): (&(objectclass=rfc822mailgroup)(cn=*Mathematics*)) -> num of entries = 18
    TestMultiGoroutineSearch: starting...
    TestMultiGoroutineSearch: using StartTLS...
    TestMultiGoroutineSearch(0): (cn=cis-fac) -> num of entries = 0
    TestMultiGoroutineSearch(1): (&(owner=*)(cn=cis-fac)) -> num of entries = 0
    TestMultiGoroutineSearch(2): (&(objectclass=rfc822mailgroup)(cn=*Computer*)) -> num of entries = 84
    TestMultiGoroutineSearch(3): (&(objectclass=rfc822mailgroup)(cn=*Mathematics*)) -> num of entries = 18
    TestCompare: starting...
    TestCompare: -> num of entries = %!d(bool=true)
    PASS
    ok      src/github.com/BestianRU/ldap   10.615s

Hi! The problem appears when the search string contains Cyrillic (non-ascii) symbols.

Example for latin (ascii):

Search request: (|(displayName=Smith)(cn=Smith))

Debug from ldap library:

Attribute: (Universal, Primitive, Octet String) Len=11 "displayName"
Substrings Any: (Context, Primitive, 0x01) Len=5 "Smith"
Attribute: (Universal, Primitive, Octet String) Len=2 "cn"
Substrings Any: (Context, Primitive, 0x01) Len=5 "Smith"

Debug by my printf in file gopkg.in/ldap.v1/filter.go, function compileFilter, line number 193:

Filter:(|(displayName=*Smith*)(cn=*Smith*)) / filter[newPos]: * / newPos: 15
Filter:(|(displayName=*Smith*)(cn=*Smith*)) / filter[newPos]: S / newPos: 16
Filter:(|(displayName=*Smith*)(cn=*Smith*)) / filter[newPos]: m / newPos: 17
Filter:(|(displayName=*Smith*)(cn=*Smith*)) / filter[newPos]: i / newPos: 18
Filter:(|(displayName=*Smith*)(cn=*Smith*)) / filter[newPos]: t / newPos: 19
Filter:(|(displayName=*Smith*)(cn=*Smith*)) / filter[newPos]: h / newPos: 20
Filter:(|(displayName=*Smith*)(cn=*Smith*)) / filter[newPos]: * / newPos: 21

Debug from LDAP Server:

55fbcb6d ==>backsql_search(): base="ou=sl it,ou=aup,ou=tsg,ou=quadra,o=enterprise", filter="(|(displayName=smith)(cn=smith))", scope=2, deref=0, attrsonly=0, attributes to load: custom list

55fbcb72 Constructed query: SELECT DISTINCT ldap_entries.id,ldapx_persons.id,text('inetOrgPerson') AS objectClass,ldap_entries.dn AS dn FROM ldap_entries,ldapx_persons WHERE ldapx_persons.id=ldap_entries.keyval AND ldap_entries.oc_map_id=? AND lower(ldap_entries.dn) LIKE lower('%'||?) AND ldapx_persons.lang=0 AND ((lower(text(ldapx_persons.fullname)) LIKE '%SMITH%') OR (lower(text(ldapx_persons.surname||' '||ldapx_persons.name)) LIKE '%SMITH%'))

All Good!

Example for Cyrilic (non-ascii):

I'll put pictures to avoid problems with Cyrillic and non-printable symbols.

Search request:

Debug from ldap library:

Debug by my printf in file gopkg.in/ldap.v1/filter.go, function compileFilter, line number 193:

Debug From LDAP Server:

...

As an alternative to #47, I think it would be useful for long-running services if there was a feature for the LDAP connection to attempt to re-connect/bind on connection errors, similar to how database/sql maintains connections.

However, unlike database/sql and #47, I don't think that LDAP actually needs pooling, because one LDAP connection can handle multiple asynchronous requests.

Is it correct that ldap.ParseDN() considers string dc= as valid dn?

Reproduce it:

package main

import (
	"fmt"

	"github.com/go-ldap/ldap/v3"
)

func main() {
	dn, err := ldap.ParseDN("dc=")
	fmt.Printf("err == nil: %v\n", err == nil)
	fmt.Printf("dn: %v\n", dn)
}

Save it in file main.go and run go run main.go, output:

err == nil: true
dn: 

Hi, I have a non-leaf node in OpenLDAP directory. I want to delete the node. One approach is to delete all the children from the bottom most level in the tree and then finally delete the non-leaf node. Is there any other approach to solve this issue?

When I try to delete the non-leaf node, sends me the following exception:

LDAP Result Code 66 "Not Allowed On Non Leaf": subordinate objects must be deleted first

Hi, I am unsure whether the current implementation has any flag to enable or disable referral chasing while searching records in the LDAP server.

Please help me with this.

I have noticed that many people still have doubts about the specific usage of some methods when using go-ldap. In fact, I have encountered such confusion in the process of using this library. Therefore, I wrote a ldapctl tool to integrate go-ldap methods into the project in a practical way to help later users to quickly use go-ldap the library.

If possible, I hope this tool can be displayed here in go-ldap in a suitable way to help more people.

Therefore, I apply to incorporate ldapctl project into go-ldap organization. If you have any questions, please let me know at any time.

I'm struggling to find a spec related to how referrals should be BER encoded. Does anyone happen to know where to find such a spec?

I've got a user who's receiving the referral response with the following byte arrays (both are the same):

var (
	bytesHex = []byte{0x30, 0x24, 0x02, 0x01, 0x04, 0x78, 0x1f, 0x0a, 0x01, 0x0a, 0x04, 0x00, 0x04, 0x00, 0xa3, 0x16, 0x04, 0x14, 0x6c, 0x64, 0x61, 0x70, 0x3a, 0x2f, 0x2f, 0x6d, 0x65, 0x6c, 0x6c, 0x6f, 0x69, 0x2e, 0x65, 0x6f, 0x78, 0x2e, 0x61, 0x74}
	bytesDec = []byte{48, 36, 2, 1, 4, 120, 31, 10, 1, 10, 4, 0, 4, 0, 163, 22, 4, 20, 108, 100, 97, 112, 58, 47, 47, 109, 101, 108, 108, 111, 105, 46, 101, 111, 120, 46, 97, 116}
)

This is triggering an error in this code (which I wrote most of):

https://github.com/go-ldap/ldap/blob/master/v3/request.go#L74-L98

Specifically this line: https://github.com/go-ldap/ldap/blob/master/v3/request.go#L84

This is the method I'm using to decode it:

func main() {
	packet := ber.DecodePacket(bytesHex)

	printPacket("", packet)
}

func printPacket(level string, packet *ber.Packet) {
	switch level {
	case "":
		fmt.Printf("identifier: %+v\n", packet.Identifier)
		fmt.Printf("value: %+v\n", packet.Value)
		fmt.Printf("bvalue: %+v\n", packet.ByteValue)
		fmt.Printf("description: %+v\n\n", packet.Description)
		for i, child := range packet.Children {
			printPacket(fmt.Sprintf("%d", i), child)
		}
	default:
		fmt.Printf("identifier: %s: %+v\n", level, packet.Identifier)
		fmt.Printf("value: %s: %+v\n", level, packet.Value)
		fmt.Printf("bvalue: %s: %+v\n", level, packet.ByteValue)
		fmt.Printf("description: %s: %+v\n\n", level, packet.Description)
		for i, child := range packet.Children {
			printPacket(fmt.Sprintf("%s: %d", level, i), child)
		}
	}
}

This indicates to me that child BER in position 2 has tag 24 / 0x18 / Generalized Time, and child BER in position 4 in child BER in position 2 has tag 3 / 0x03 / Bit String, and child BER in position 1 in child BER in position 4 in child BER in position 2 has the tag 4 / 0x4 / Octet String. To me the issue is with the child BER in position 2, the generalized time seems completely inappropriate. However I'm not sure where to check this information.

See https://github.com/authelia/authelia/issues/4199

identifier: {ClassType:0 TagType:32 Tag:16}
value: <nil>
bvalue: []
description: 

identifier: 0: {ClassType:0 TagType:0 Tag:2}
value: 0: 4
bvalue: 0: [4]
description: 0: 

identifier: 1: {ClassType:64 TagType:32 Tag:24}
value: 1: <nil>
bvalue: 1: []
description: 1: 

identifier: 1: 0: {ClassType:0 TagType:0 Tag:10}
value: 1: 0: 10
bvalue: 1: 0: [10]
description: 1: 0: 

identifier: 1: 1: {ClassType:0 TagType:0 Tag:4}
value: 1: 1: 
bvalue: 1: 1: []
description: 1: 1: 

identifier: 1: 2: {ClassType:0 TagType:0 Tag:4}
value: 1: 2: 
bvalue: 1: 2: []
description: 1: 2: 

identifier: 1: 3: {ClassType:128 TagType:32 Tag:3}
value: 1: 3: <nil>
bvalue: 1: 3: []
description: 1: 3: 

identifier: 1: 3: 0: {ClassType:0 TagType:0 Tag:4}
value: 1: 3: 0: ldap://melloi.eox.at
bvalue: 1: 3: 0: [108 100 97 112 58 47 47 109 101 108 108 111 105 46 101 111 120 46 97 116]
description: 1: 3: 0: