Bug 11453 - Renaming object fails with: Unwilling to perform, old RDN must be deleted
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.2.0
Hardware: All All
Importance: P5 major
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2015-08-17 18:18 UTC by Will
Modified: 2015-08-24 11:36 UTC
Description Will 2015-08-17 18:18:08 UTC
When executing a rename operation against a Samba domain, an 'unwilling to perform' error is encountered stating that the RDN must be deleted.

The rename operation is executed with Python.
- Using the python-ldap library, rename_s is successful.
- Using the ldap3 library, modify_dn (the equivalent) is not successful.

The rename operation has been tested against:
- Microsoft Active Directory, Server 2012
- OpenLDAP 2.4
- Samba 4.2
- AWS Simple AD (Samba 4)

MS AD and OpenLDAP are successful with both libraries; Samba and AWS both fail.

I realize that this could be specific to the ldap3 library, but as it works against other directory services I wanted to ensure that there wasn't something special or different happening on the Samba side regarding handling of the 'delete old rdn' flag boolean value.

Please see the related bug for the ldap3 library here:
Comment 1 Will 2015-08-18 17:47:40 UTC
I have performed a packet capture and can confirm that the LDAP message packets include a True value for deleteolddn.
Comment 2 Will 2015-08-18 20:36:55 UTC
Updated the library issue with the relevant packet capture output from Wireshark sending a modifyDNRequest. python-ldap clearly transmits differently than ldap3.

Comment 3 Will 2015-08-18 21:09:05 UTC
Update from Giovanni on the issue:

In his words:
It seems that the CER encoding for BOOLEAN is requested by Samba (where the FF value means TRUE and the 00 value means False). LDAP protocol uses the BER encoding (where 00 means False and anything else means True). But LDAP specification states that only the FF value must be used for the True value of BOOLEAN. The encoding in ldap3 is made with the pyasn1 library...
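
The BOOLEAN encoding difference described in Comment 3, as an added example that is not part of the bug thread and is not code from Samba, ldap3, python-ldap or pyasn1: it builds one ModifyDNRequest with the deleteoldrdn octet set to 0xFF and to 0x01, then reads the octet back under the plain BER rule and under the 0xFF-only rule. The DNs, message ID, function names and the 0x01 sample are constructed assumptions; the thread does not state which octet ldap3 actually sent.

```python
# Added example: minimal BER handling of an LDAP ModifyDNRequest (RFC 4511); all values constructed.
def tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def modify_dn_request(msg_id: int, entry: str, newrdn: str, bool_octet: int) -> bytes:
    """LDAPMessage { messageID, ModifyDNRequest [APPLICATION 12] (tag 0x6C) }."""
    op = tlv(0x6C, tlv(0x04, entry.encode()) + tlv(0x04, newrdn.encode())
             + tlv(0x01, bytes([bool_octet])))   # deleteoldrdn BOOLEAN
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at pos; reject bad lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n == 0x80:
        raise ValueError("indefinite length is not allowed in LDAP")
    if n & 0x80:                             # long form: next k octets hold the length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + n > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + n], pos + n

def delete_old_rdn_octet(message: bytes) -> int:
    """Return the raw content octet of deleteoldrdn from an LDAPMessage."""
    _, body, _ = read_tlv(message, 0)        # outer SEQUENCE
    _, _, pos = read_tlv(body, 0)            # messageID
    tag, op, _ = read_tlv(body, pos)         # protocolOp
    if tag != 0x6C:
        raise ValueError("not a ModifyDNRequest")
    _, _, pos = read_tlv(op, 0)              # entry
    _, _, pos = read_tlv(op, pos)            # newrdn
    tag, val, _ = read_tlv(op, pos)          # deleteoldrdn
    if tag != 0x01 or len(val) != 1:
        raise ValueError("malformed BOOLEAN")
    return val[0]

def interpret(message: bytes):
    """Return (TRUE under plain BER, TRUE under the RFC 4511 0xFF-only rule)."""
    octet = delete_old_rdn_octet(message)
    return octet != 0x00, octet == 0xFF
```

A receiver applying only the second rule reads a 0x01 octet as not TRUE, which is consistent with the "old RDN must be deleted" refusal reported above.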
Comment 4 Stefan Metzmacher 2015-08-24 11:36:08 UTC
Can you upload captures against Windows and Samba?

That makes it hopefully easier to understand and fix.