使用 .NET Core 5 和 Novell.Directory.Ldap.NETStandard 从 Domino LDAP 服务器获取 1000 多行

Question

I want to fetch all the users from a large location of our Domino LDAP, around ~2000 users altogether. Since .NET Core sadly doesn't have a platform independent LDAP library, I'm using Novell.Directory.Ldap.NETStandard with this POC:

var cn = new Novell.Directory.Ldap.LdapConnection();
cn.Connect("dc.internal", 389);
cn.Bind("user", "pw");
string filter = "location=MyLoc";
var result = cn.Search("", Novell.Directory.Ldap.LdapConnection.ScopeOne, filter, new string[] { Novell.Directory.Ldap.LdapConnection.AllUserAttrs }, typesOnly: false);            
int count = 0;
while (result.HasMore()) {
    var entry = result.Next();
    count++;
    Console.WriteLine(entry.Dn);
}

It prints me a lot of entries, but not all. When count = 1000 I got an Size Limit Exceeded exception. I guess this is because I need to use some kind of pagination, so not all entries woult be returned in a single request. There are different questions like this or this one . Both in Java, the .NET Core API seems somehow different.

Approach 1: Try to find out how LdapSearchRequest works in .NET Core

byte[] resumeCookie = null;
LdapMessageQueue queue = null;
var searchReq = new LdapSearchRequest("", LdapConnection.ScopeOne, filter, new string[] { LdapConnection.AllUserAttrs },
LdapSearchConstraints.DerefNever, maxResults: 3000, serverTimeLimit: 0, typesOnly: false, new LdapControl[] { new SimplePagedResultsControl(size: 100, resumeCookie) });            
var searchRequest = cn.SendRequest(searchReq, queue);

I'm trying to figure out how the Java examples can be used in .NET Core. This looks good, however I can't figure out how to fetch the LDAP entries. I only get an message id. By looking into the source it seems that I'm on the right way, but they're using MessageAgent which cannot be used outside since it's internal sealed . This is propably the reason why searching for LdapRearchRequest in the source code doesn't give many results.

Approach 2: Using SimplePagedResultsControlHandler

var opts = new SearchOptions("", LdapConnection.ScopeOne, filter, new string[] { LdapConnection.AllUserAttrs });
// For testing purpose: https://github.com/dsbenghe/Novell.Directory.Ldap.NETStandard/issues/163
cn.SearchConstraints.ReferralFollowing = false;
var pageControlHandler = new SimplePagedResultsControlHandler(cn);
var rows = pageControlHandler.SearchWithSimplePaging(opts, pageSize: 100);

This throws a Unavaliable Cricital Extension exception. First I thought that this is an issue of the .NET port, which may doesn't support all the features of the original Java library yet. It seems complete and according to further researches, it looks like to be an LDAP error code. So this must be something which has to be supported by the server, but is not supported by Domino.

Answer 1

I couldn't make at least one of those approachs work, but found another way: Cross platform support for the System.DirectoryServices.Protocols namespace was was added in .NET 5 . This was missing for a long time in .NET Core and I guess this is the main reason why libraries like Novell.Directory.Ldap.NETStandard were ported to .NET Core - in times of .NET Core 1.x this was the only way I found to authenticate against LDAP wich works on Linux too.

After having a deeper look into System.DirectoryServices.Protocols , it works well out of the box, even for ~2k users. My basic POC class looks like this:

public class DominoLdapManager {
    LdapConnection cn = null;
    public DominoLdapManager(string ldapHost, int ldapPort, string ldapBindUser, string ldapBindPassword) {
        var server = new LdapDirectoryIdentifier(ldapHost, ldapPort);
        var credentials = new NetworkCredential(ldapBindUser, ldapBindPassword);

        cn = new LdapConnection(server);
        cn.AuthType = AuthType.Basic;
        cn.Bind(credentials);
    }
    public IEnumerable<DominoUser> Search(string filter, string searchBase = "") {
        string[] attributes = { "cn", "mail", "companyname", "location" };
        var req = new SearchRequest(searchBase, filter, SearchScope.Subtree, attributes);
        var resp = (SearchResponse)cn.SendRequest(req);

        foreach (SearchResultEntry entry in resp.Entries) {
            var user = new DominoUser() {
                Name = GetStringAttribute(entry, "cn"),
                Mail = GetStringAttribute(entry, "mail"),
                Company = GetStringAttribute(entry, "companyname"),
                Location = GetStringAttribute(entry, "location")
            };
            yield return user;
        }
        yield break;
    }
    string GetStringAttribute(SearchResultEntry entry, string key) {
        if (!entry.Attributes.Contains(key)) {
            return string.Empty;
        }
        string[] rawVal = (string[])entry.Attributes[key].GetValues(typeof(string));
        return rawVal[0];
    }
}

Example usage:

var ldapManager = new DominoLdapManager("ldap.host", 389, "binduser", "pw");
var users = ldapManager.Search("objectClass=person");

But it's not solved with Novell.Directory.Ldap.NETStandard as the title said

This doesn't solve my problem with the Novell.Directory.Ldap.NETStandard library as the title suggested, yes. But since System.DirectoryServices.Protocols is a official .NET package maintained by Microsoft and the .NET foundation, this seems the better aproach for me. The foundation will take care to keep it maintained and compatible with further .NET releases. When I wrote the question, I was not aware of the fact that Linux support is added now.

Don't get me wrong, I don't want to say that third packages are bad by design - that would be completely wrong. However, when I have the choice between a official package and a third party one, I think it makes sense to prefer the official one. Except there would be a good reason against that - which is not the case here: The official package (which doesn't exist in the past) works better to solve this issue than the third party one.