Working With Extended Operations

This chapter demonstrates how to use LDAP extended operations. For complete examples corresponding to the excerpts shown below, see ExtendedOperations.java, one of the OpenDJ LDAP SDK examples.

About LDAP Extended Operations

Extended operations allow additional operations to be defined for services not already available in the protocol.

Determining Supported Extended Operations

For OpenDJ, the extended operations supported are listed in the Administration Guide appendix, LDAP Extended Operations. You can access the list of OIDs for supported LDAP extended operations by reading the supportedExtension attribute of the root DSE.

$ ldapsearch \
 --baseDN "" \
 --searchScope base \
 --port 1389 \
 "(objectclass=*)" supportedExtension
dn:
supportedExtension: 1.3.6.1.1.8
supportedExtension: 1.3.6.1.4.1.26027.1.6.1
supportedExtension: 1.3.6.1.4.1.26027.1.6.2
supportedExtension: 1.3.6.1.4.1.26027.1.6.3
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.4.1.1466.20037

The following excerpt shows code to check for supported extended operations.

[jcp:org.forgerock.opendj.examples.ExtendedOperations:--- JCite check support ---]

Cancel Extended Operation

RFC 3909, LDAP Cancel Operation, defines an extended operation that lets you cancel an operation in progress and get an indication of the outcome.

The Cancel extended request uses the request ID of the operation you want to cancel, and therefore works with asynchronous searches and updates. Depending on the delay between your application sending the Cancel request and the directory server receiving the request, the server might have already finished processing the original request before it receives your Cancel request.

You can add a Cancel extended request, for example, to stop handling entries returned from a search if the directory server returns more entries than you want.

In the following example, the search result handler implementation is passed to a searchAsync() method on the connection. When the entry count reaches 10, the example requests that the directory server cancel the search. Notice that the extended request is also asynchronous, handled using promises to deal with both success and error conditions.

[jcp:org.forgerock.opendj.examples.SearchAsync:--- JCite decl1 ---]
[jcp:org.forgerock.opendj.examples.SearchAsync:--- JCite decl2 ---]
[jcp:org.forgerock.opendj.examples.SearchAsync:--- JCite search result handler ---]

OpenDJ directory server supports the cancel operation. If OpenDJ directory server manages to return all entries in Example.ldif before it receives the Cancel extended request, you can see the Cancel request fail because the request ID refers to the search, which is no longer in progress. Try adding a new base DN using OpenDJ control panel and adding the default 2000 generated entries to ensure more search results.

For example, if dc=example,dc=org contains 2000 generated entries, and the SearchAsync example is run with the arguments sub objectclass=* cn for scope, filter, and attributes respectively, then the example produces something like the following output:

Canceled: Processing on this operation was terminated as a result of receiving a cancel request (message ID 3)
# Search result entry: dc=example,dc=org
dn: dc=example,dc=org
# Search result entry: ou=People,dc=example,dc=org
dn: ou=People,dc=example,dc=org
# Search result entry: uid=user.0,ou=People,dc=example,dc=org
dn: uid=user.0,ou=People,dc=example,dc=org
cn: Aaccf Amar
...
Cancel request succeeded
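
How the Cancel extended request looks on the wire, as an added Python example that is not part of the OpenDJ SDK or its examples: it BER-encodes the RFC 3909 request and decodes it back, showing that the request value carries the message ID of the operation to cancel. The message IDs 3 and 2 in the sample are constructed values, and the function names are hypothetical.

```python
CANCEL_OID = "1.3.6.1.1.8"  # RFC 3909 Cancel, first supportedExtension value on this page

def tlv(tag, body):
    """BER tag-length-value using definite lengths (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def ber_int(value):
    """Minimal INTEGER encoding of a non-negative value such as a message ID."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def encode_cancel(message_id, cancel_id):
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { name, value } }."""
    value = tlv(0x30, ber_int(cancel_id))            # SEQUENCE { cancelID }
    ext = tlv(0x80, CANCEL_OID.encode()) + tlv(0x81, value)
    return tlv(0x30, ber_int(message_id) + tlv(0x77, ext))

def read_tlv(buf, pos, want):
    """Return (body, next_pos); reject wrong tags and truncated input."""
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError("expected tag 0x%02x at offset %d" % (want, pos))
    n, pos = buf[pos + 1], pos + 2
    if n >= 0x80:                                    # long form: n & 0x7f length octets
        k = n & 0x7F
        if k == 0 or pos + k > len(buf):
            raise ValueError("indefinite or truncated length")
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated value")
    return buf[pos:pos + n], pos + n

def decode_extended(msg):
    """Return (message_id, oid, cancel_id); cancel_id is None for other OIDs."""
    body, _ = read_tlv(msg, 0, 0x30)
    mid, pos = read_tlv(body, 0, 0x02)
    op, _ = read_tlv(body, pos, 0x77)                # not an ExtendedRequest -> ValueError
    name, pos = read_tlv(op, 0, 0x80)
    oid, cancel_id = name.decode("ascii"), None
    if oid == CANCEL_OID:
        value, _ = read_tlv(op, pos, 0x81)           # requestValue is mandatory here
        seq, _ = read_tlv(value, 0, 0x30)
        cancel_id = int.from_bytes(read_tlv(seq, 0, 0x02)[0], "big")
    return int.from_bytes(mid, "big"), oid, cancel_id

# Constructed sample: request with message ID 3 cancels the operation with ID 2.
SAMPLE = encode_cancel(3, 2)
```

Because the Cancel request names its target only by message ID, a decoder like this lets you pair each Cancel with the earlier operation on the same connection when reviewing captured LDAP traffic.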

Password Modify Extended Operation

RFC 3062, LDAP Password Modify Extended Operation, defines an extended operation for modifying user passwords that does not depend on the authentication identity, nor on the way passwords are stored.

[jcp:org.forgerock.opendj.examples.ExtendedOperations:--- JCite password modify ---]

OpenDJ directory server supports the password modify operation.

Changed password for u:scarter

Start TLS Extended Operation

Use Start TLS when setting up your connection to protect what your application sends to and receives from the directory server. For an example, read the section on Start TLS & SSL Authentication.

Who am I? Extended Operation

RFC 4532, LDAP "Who am I?" Operation, defines an extended operation that lets your application determine the current authorization ID.

[jcp:org.forgerock.opendj.examples.ExtendedOperations:--- JCite who am I ---]

OpenDJ directory server supports the "Who am I?" operation.

Authz ID: dn:uid=bjensen,ou=People,dc=example,dc=com