When executing a rename operation against a Samba domain, an 'unwilling to perform' error is encountered stating that the RDN must be deleted.
The rename operation is executed with Python.
- Using the python-ldap library, rename_s is successful.
- Using the ldap3 library, modify_dn (the equivalent) is not successful.
The rename operation has been tested against:
- Microsoft Active Directory, Server 2012
- OpenLDAP 2.4
- Samba 4.2
- AWS Simple AD (Samba 4)
MS AD and OpenLDAP are successful with both libraries; Samba and AWS both fail.
I realize that this could be specific to the ldap3 library, but as it works against other directory services I wanted to ensure that there wasn't something special or different happening on the Samba side regarding handling of the 'delete old rdn' flag boolean value.
Please see the related bug for the ldap3 library here:
I have performed a packet capture and can confirm that the LDAP message packets include a True value for deleteolddn.
Updated the library issue with the relevant packet capture output from Wireshark sending a modifyDNRequest. python-ldap clearly transmits differently than ldap3.
Update from Giovanni on the issue:
In his words:
It seems that the CER encoding for BOOLEAN is requested by Samba (where the FF value means TRUE and the 00 value means False). LDAP protocol uses the BER encoding (where 00 means False and anything else means True). But LDAP specification states that only the FF value must be used for the True value of BOOLEAN. The encoding in ldap3 is made with the pyasn1 library...
Can you upload captures against Windows and Samba?
That will hopefully make it easier to understand and fix.
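
An added illustration of the BOOLEAN encoding point quoted from Giovanni above (not code from ldap3, python-ldap, pyasn1 or Samba, and not taken from the captures in this report): the sketch builds a ModifyDNRequest with deleteoldrdn TRUE sent either as 0xFF or as another non-zero octet, then decodes it with plain BER rules and with a hypothetical receiver that treats only 0xFF as TRUE. The DNs, the 0x01 octet and all function names are assumptions for illustration.

```python
# Added example with constructed data; models the behaviour described in the thread.
BOOLEAN, OCTET_STRING = 0x01, 0x04
MODIFY_DN_REQUEST = 0x6C  # [APPLICATION 12], constructed


def tlv(tag, value):
    """Encode one tag-length-value; short-form length only (value < 128 bytes)."""
    if len(value) >= 0x80:
        raise ValueError("long-form length not handled in this sketch")
    return bytes([tag, len(value)]) + value


def build_modify_dn(entry, newrdn, true_octet):
    """ModifyDNRequest with deleteoldrdn=TRUE encoded as the given content octet."""
    body = (tlv(OCTET_STRING, entry.encode())
            + tlv(OCTET_STRING, newrdn.encode())
            + tlv(BOOLEAN, bytes([true_octet])))
    return tlv(MODIFY_DN_REQUEST, body)


def read_tlvs(data):
    """Split bytes into (tag, value) pairs; rejects truncated or long-form TLVs."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] >= 0x80:
            raise ValueError("truncated or long-form TLV")
        tag, length = data[i], data[i + 1]
        if i + 2 + length > len(data):
            raise ValueError("value runs past end of buffer")
        out.append((tag, data[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def decode_delete_old_rdn(request, ff_only):
    """Return deleteoldrdn as the receiver would see it.

    ff_only=False: BER rule, any non-zero octet is TRUE.
    ff_only=True:  hypothetical receiver where only 0xFF is TRUE (assumption).
    """
    (tag, body), = read_tlvs(request)
    if tag != MODIFY_DN_REQUEST:
        raise ValueError("not a ModifyDNRequest")
    fields = read_tlvs(body)
    if len(fields) < 3 or fields[2][0] != BOOLEAN or len(fields[2][1]) != 1:
        raise ValueError("malformed deleteoldrdn")
    octet = fields[2][1][0]
    return octet == 0xFF if ff_only else octet != 0x00
```

With a non-0xFF TRUE octet the two decoders disagree: the BER reader sees deleteoldrdn=TRUE, while the 0xFF-only reader sees FALSE, which matches the "RDN must be deleted" symptom reported above.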