Synchronization Support for OpenLDAP (RFC4533) #13

Open

rajashrigoli opened this issue Jan 29, 2019 · 5 comments

@rajashrigoli

To get the latest changes from LDAP we have used the DirSync class. When we call $dirSync->getChanges() it throws the exception below. Please help me to resolve this issue.

```
PHP Fatal error: Uncaught FreeDSx\Ldap\Exception\OperationException: critical extension is not recognized in /var/www/html/ldap/vendor/freedsx/ldap/src/FreeDSx/Ldap/Protocol/ClientProtocolHandler.php:227
Stack trace:
#0 /var/www/html/ldap/vendor/freedsx/ldap/src/FreeDSx/Ldap/Protocol/ClientProtocolHandler.php(188): FreeDSx\Ldap\Protocol\ClientProtocolHandler->handleResponse(Object(FreeDSx\Ldap\Protocol\LdapMessageRequest), Object(FreeDSx\Ldap\Protocol\LdapMessageResponse))
#1 /var/www/html/ldap/vendor/freedsx/ldap/src/FreeDSx/Ldap/LdapClient.php(237): FreeDSx\Ldap\Protocol\ClientProtocolHandler->send(Object(FreeDSx\Ldap\Operation\Request\SearchRequest), Object(FreeDSx\Ldap\Control\Ad\DirSyncRequestControl))
#2 /var/www/html/ldap/vendor/freedsx/ldap/src/FreeDSx/Ldap/Search/DirSync.php(149): FreeDSx\Ldap\LdapClient->send(Object(FreeDSx\Ldap\Operation\Request\SearchRequest), Object(FreeDSx\Ldap\Control\Ad\DirSyncRequestControl))
#3 /var/www/html/ldap/ldap-get-changes.php(55): FreeDSx\Ldap\Search\DirSync->getChanges()
#4 {main}
  thrown in /var/www/html/ldap/vendor/freedsx/ldap/src/FreeDSx/Ldap/Protocol/ClientProtocolHandler.php on line 227
```

@ChadSikorra
Contributor

ChadSikorra commented Jan 29, 2019

I would look over this, as all of the same rules apply:

https://docs.microsoft.com/en-us/windows/desktop/ad/polling-for-changes-using-the-dirsync-control

What does your code look like for how you are calling dirsync? Is it all with default parameters? Keep in mind that the account running the dirsync needs replication permissions (domain admins would by default). Also, the base DN of the search must be a root naming context. What AD version are you running against?

@rajashrigoli
Author

Hi ChadSikorra, thanks for the prompt response.

What does your code look like for how you are calling dirsync?
We are calling dirsync in the following manner:

```php
use FreeDSx\Ldap\Search\Filters;

// Presence filters on cn and sn; the '*' wildcards were lost in the
// original markdown rendering and are restored here.
$filter = Filters::and(
    Filters::raw('(cn=*)'),
    Filters::raw('(sn=*)')
    # Filters::equal('objectClass', 'user'),
    # Filters::startsWith('cn', 'R'),
    # Add a filter object based off a raw string filter...
    # Filters::raw('(telephoneNumber=*)')
);
$dirSync = $ldap->dirSync('dc=unixmen,dc=local', $filter);
```

Is it all with default parameters?
Yes, we are using cn & sn parameters.

What AD version are you running against?
We are using OpenLDAP (phpldapadmin). Please let me know if there are any settings to enable DirSync in OpenLDAP (phpldapadmin).

@ChadSikorra
Contributor

As noted in the docs, DirSync is very much an Active Directory specific control. There is no OpenLDAP equivalent that I'm aware of (perhaps when running Samba it would? Not sure). Though if there is, I'd be open to implementing it.

@rajashrigoli
Author

Hi ChadSikorra, thanks for the prompt response.

Could you implement this, so that DirSync can work with OpenLDAP also?

@ChadSikorra
Contributor

Unfortunately I cannot. Such a control needs to be server-side from OpenLDAP. When a client uses a sync control it fundamentally changes the behavior of how the server determines to send back results from a search.

Upon a little investigation I did find the following information:

I'd be interested in seeing how other LDAP implementations are actually implementing directory synchronization. I'd have to imagine it's not really standardized. It worries me when an RFC is written specifically with contributions from only one implementor (OpenLDAP in this case). There seems to be little consensus / collaboration around this kind of operation.

That said, I could implement a helper class around RFC 4533, though I will not have it ready in time for the next tagged version. Not sure of the time frame for implementation. I need to dig into the details of the control. Though it seems like that would allow doing a synchronization sort of operation from an OpenLDAP server.
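The failure in the opening post and the DirSync-versus-RFC 4533 distinction in the comment above both come down to one fact: a client that sends a control with criticality set must expect result code 12 (unavailableCriticalExtension) from any server that does not implement it, which FreeDSx surfaces as the "critical extension is not recognized" OperationException. The following script is an added example, not code from this issue or from the FreeDSx project. It reads the server's rootDSE and checks the advertised `supportedControl` values for the Active Directory DirSync OID (1.2.840.113556.1.4.841) and the RFC 4533 Sync Request OID (1.3.6.1.4.1.4203.1.9.1.1) before deciding whether to call `dirSync()` at all, and it treats a rejected critical control as an expected, logged condition rather than a fatal error. The host name, the bind DN, the `LDAP_SYNC_PASSWORD` environment variable and the constants are assumptions; the FreeDSx calls `read()`, `has()`, `get()`, `getValues()`, `Filters::present()` and the result code carried in `OperationException::getCode()` are used as the library documents them, but verify them against the FreeDSx version you install.

```php
<?php
// Added example (not FreeDSx project code): check what the server actually
// supports before sending an Active Directory-only control to it.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use FreeDSx\Ldap\Exception\OperationException;
use FreeDSx\Ldap\LdapClient;
use FreeDSx\Ldap\Search\Filters;

// Control OIDs from the respective specifications (assumed constant names).
const OID_AD_DIRSYNC   = '1.2.840.113556.1.4.841';   // LDAP_SERVER_DIRSYNC_OID (Active Directory)
const OID_SYNC_REQUEST = '1.3.6.1.4.1.4203.1.9.1.1'; // RFC 4533 Sync Request control (OpenLDAP syncprov)
const UNAVAILABLE_CRITICAL_EXTENSION = 12;           // LDAP resultCode returned for a rejected critical control

/**
 * Returns the control OIDs the server advertises in its rootDSE.
 * An empty DN reads the rootDSE; supportedControl is an operational attribute.
 */
function advertisedControls(LdapClient $ldap): array
{
    $rootDse = $ldap->read('', ['supportedControl']);
    if ($rootDse === null || !$rootDse->has('supportedControl')) {
        return [];
    }
    return $rootDse->get('supportedControl')->getValues();
}

/**
 * Maps the advertised controls to the change-tracking mechanism we can use:
 * 'dirsync' (AD), 'rfc4533' (OpenLDAP content sync) or 'none'.
 */
function syncMechanism(array $controls): string
{
    if (in_array(OID_AD_DIRSYNC, $controls, true)) {
        return 'dirsync';
    }
    if (in_array(OID_SYNC_REQUEST, $controls, true)) {
        return 'rfc4533';
    }
    return 'none';
}

// Hypothetical connection details; replace with your own.
$ldap = new LdapClient([
    'servers' => ['ldap.example.test'],
    'base_dn' => 'dc=unixmen,dc=local',
]);

// Bind as a dedicated, least-privilege account rather than a domain admin. On AD,
// DirSync needs the "Replicating Directory Changes" right on the naming context
// being polled and nothing beyond that.
$ldap->bind('cn=sync-reader,dc=unixmen,dc=local', getenv('LDAP_SYNC_PASSWORD') ?: '');

switch (syncMechanism(advertisedControls($ldap))) {
    case 'dirsync':
        // Equivalent to the raw '(cn=*)' / '(sn=*)' filters from the issue.
        $filter = Filters::and(Filters::present('cn'), Filters::present('sn'));
        try {
            // The base DN must be a root naming context, as noted in the thread.
            $dirSync = $ldap->dirSync('dc=unixmen,dc=local', $filter);
            foreach ($dirSync->getChanges() as $entry) {
                echo $entry->getDn(), PHP_EOL;
            }
        } catch (OperationException $e) {
            if ($e->getCode() === UNAVAILABLE_CRITICAL_EXTENSION) {
                // Advertised but still refused: usually a base DN that is not a naming
                // context, or a bound account without replication rights.
                fwrite(STDERR, 'DirSync refused by server: ' . $e->getMessage() . PHP_EOL);
            } else {
                throw $e;
            }
        }
        break;

    case 'rfc4533':
        // OpenLDAP with the syncprov overlay. FreeDSx has no helper for this control
        // at the time of this issue, so stop here instead of sending DirSync anyway.
        fwrite(STDERR, 'Server offers RFC 4533 content synchronization, not DirSync.' . PHP_EOL);
        break;

    default:
        fwrite(STDERR, 'Server advertises no synchronization control this client supports.' . PHP_EOL);
}
```

Reading `supportedControl` first costs one extra round trip but turns an opaque fatal error into a clear branch, and it keeps a misconfigured client from repeatedly sending a control the server will never honour. The `getCode()` check also lets a collector distinguish "control not supported" from transient failures when it decides whether to retry.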

@ChadSikorra ChadSikorra changed the title OperationException: critical extension is not recognized Synchronization Support for OpenLDAP (RFC4533) Mar 12, 2019
@ChadSikorra ChadSikorra added this to the 1.0.0 milestone Jan 29, 2022