deveo-ruby-ldapserver 0.5.2

data/lib/ldap/server/match.rb

@@ -0,0 +1,283 @@
+require 'ldap/server/syntax'
+require 'ldap/server/result'
+
+module LDAP
+class Server
+
+  # A class which holds LDAP MatchingRules. For now there is a global pool
+  # of MatchingRule objects (rather than each Schema object having
+  # its own pool)
+
+  class MatchingRule
+    attr_reader :oid, :names, :syntax, :desc, :obsolete
+
+    # Create a new MatchingRule object
+
+    def initialize(oid, names, syntax, desc=nil, obsolete=false, &blk)
+      @oid = oid
+      @names = names
+      @names = [@names] unless @names.is_a?(Array)
+      @desc = desc
+      @obsolete = obsolete
+      @syntax = LDAP::Server::Syntax.find(syntax)  # creates new obj if reqd
+      @def = nil
+      # initialization hook
+      self.instance_eval(&blk) if blk
+    end
+
+    def name
+      (@names && names[0]) || @oid
+    end
+
+    def to_s
+      (@names && names[0]) || @oid
+    end
+
+    def normalize(x)
+      x
+    end
+
+    # Create a new MatchingRule object, given its description string
+
+    def self.from_def(str, &blk)
+      m = LDAP::Server::Syntax::MatchingRuleDescription.match(str)
+      raise LDAP::ResultError::InvalidAttributeSyntax,
+        "Bad MatchingRuleDescription #{str.inspect}" unless m
+      new(m[1], m[2].scan(/'(.*?)'/).flatten, m[5], m[3], m[4], &blk)
+    end
+
+    def to_def
+      return @def if @def
+      ans = "( #{@oid} "
+      if names.nil? or @names.empty?
+        # nothing
+      elsif @names.size == 1
+        ans << "NAME '#{@names[0]}' "
+      else
+        ans << "NAME ( "
+        @names.each { |n| ans << "'#{n}' " }
+        ans << ") "
+      end
+      ans << "DESC '#@desc' " if @desc
+      ans << "OBSOLETE " if @obsolete
+      ans << "SYNTAX #@syntax " if @syntax
+      ans << ")"
+      @def = ans
+    end
+
+    @@rules = {}    # oid / name / alias => object
+
+    # Add a new matching rule
+
+    def self.add(*args, &blk)
+      s = new(*args, &blk)
+      @@rules[s.oid] = s
+      return if s.names.nil?
+      s.names.each do |n|
+        @@rules[n.downcase] = s
+      end
+    end
+
+    # Find a MatchingRule object given a name or oid, or return nil
+    # (? should we create one automatically, like Syntax)
+
+    def self.find(x)
+      return x if x.nil? or x.is_a?(LDAP::Server::MatchingRule)
+      @@rules[x.downcase]
+    end
+
+    # Return all known matching rules
+
+    def self.all_matching_rules
+      @@rules.values.uniq
+    end
+
+    # Now some things we can mixin to a MatchingRule when needed.
+    # Replace 'normalize' with a function which gives the canonical
+    # version of a value for comparison.
+
+    module Equality
+      def eq(vals, m)
+        return false if vals.nil?
+        m = normalize(m)
+        vals.each { |v| return true if normalize(v) == m }
+        return false
+      end
+    end
+
+    module Ordering
+      def ge(vals, m)
+        return false if vals.nil?
+        m = normalize(m)
+        vals.each { |v| return true if normalize(v) >= m }
+        return false
+      end
+
+      def le(vals, m)
+        return false if vals.nil?
+        m = normalize(m)
+        vals.each { |v| return true if normalize(v) <= m }
+        return false
+      end
+    end
+
+    module Substrings
+      def substrings(vals, *ss)
+        return false if vals.nil?
+
+        # convert the condition list into a regexp
+        re = []
+        re << "^#{Regexp.escape(normalize(ss[0]).to_s)}" if ss[0]
+        ss[1..-2].each { |s| re << Regexp.escape(normalize(s).to_s) }
+        re << "#{Regexp.escape(normalize(ss[-1]).to_s)}$" if ss[-1]
+        re = Regexp.new(re.join(".*"))
+
+        vals.each do |v|
+          v = normalize(v).to_s
+          return true if re.match(v)
+        end
+        return false
+      end
+    end # module Substrings
+
+    class DefaultMatchingClass
+      include MatchingRule::Equality
+      include MatchingRule::Ordering
+      include MatchingRule::Substrings
+      def normalize(x)
+        x
+      end
+    end
+
+    DefaultMatch = DefaultMatchingClass.new
+
+  end # class MatchingRule
+
+  #
+  # And now, here are some matching rules you can use (RFC2252 section 8)
+  #
+
+  class MatchingRule
+
+    add('2.5.13.0', 'objectIdentifierMatch', '1.3.6.1.4.1.1466.115.121.1.38') do
+      extend Equality
+    end
+    # FIXME: Filters should return undef if the OID is not in the schema
+    # (which means passing in the schema to every equality test)
+
+    add('2.5.13.1', 'distinguishedNameMatch', '1.3.6.1.4.1.1466.115.121.1.12') do
+      extend Equality
+    end
+    # FIXME: Distinguished Name matching is supposed to parse the DN into
+    # its parts and then apply the schema equality rules to each part
+    # (i.e. some parts may be case-sensitive, others case-insensitive)
+    # This is just one of the many nonsense design decisions in LDAP :-(
+
+    # How is a DirectoryString different to an IA5String or a PrintableString?
+
+    module StringTrim
+      def normalize(x); x.gsub(/^\s*|\s*$/, '').gsub(/\s+/,' '); end
+    end
+
+    module StringDowncase
+      def normalize(x); x.downcase.gsub(/^\s*|\s*$/, '').gsub(/\s+/,' '); end
+    end
+
+    add('2.5.13.2', 'caseIgnoreMatch', '1.3.6.1.4.1.1466.115.1') do
+      extend Equality
+      extend StringDowncase
+    end
+
+    module Integer
+      def normalize(x); x.to_i; end
+    end
+
+    add('2.5.13.8', 'numericStringMatch', '1.3.6.1.4.1.1466.115.121.1.36') do
+      extend Equality
+      extend Integer
+    end
+
+    # TODO: Add semantics for these (difficult since RFC2252 doesn't give
+    # them, so we presumably have to go through X.500)
+    add('2.5.13.11', 'caseIgnoreListMatch', '1.3.6.1.4.1.1466.115.121.1.41')
+    add('2.5.13.14', 'integerMatch', '1.3.6.1.4.1.1466.115.121.1.27') do
+      extend Equality
+      extend Integer
+    end
+    add('2.5.13.16', 'bitStringMatch', '1.3.6.1.4.1.1466.115.121.1.6')
+    add('2.5.13.20', 'telephoneNumberMatch', '1.3.6.1.4.1.1466.115.121.1.50') do
+      extend Equality
+      extend StringTrim
+    end
+    add('2.5.13.22', 'presentationAddressMatch', '1.3.6.1.4.1.1466.115.121.1.43')
+    add('2.5.13.23', 'uniqueMemberMatch', '1.3.6.1.4.1.1466.115.121.1.34')
+    add('2.5.13.24', 'protocolInformationMatch', '1.3.6.1.4.1.1466.115.121.1.42')
+    add('2.5.13.27', 'generalizedTimeMatch', '1.3.6.1.4.1.1466.115.121.1.24') { extend Equality }
+
+    # IA5 stuff. FIXME: What's the correct way to 'downcase' UTF8 strings?
+
+    module IA5Trim
+      def normalize(x); x.gsub(/^\s*|\s*$/u, '').gsub(/\s+/u,' '); end
+    end
+
+    module IA5Downcase
+      def normalize(x); x.downcase.gsub(/^\s*|\s*$/u, '').gsub(/\s+/u,' '); end
+    end
+
+    add('1.3.6.1.4.1.1466.109.114.1', 'caseExactIA5Match', '1.3.6.1.4.1.1466.115.121.1.26') do
+      extend Equality
+      extend IA5Trim
+    end
+
+    add('1.3.6.1.4.1.1466.109.114.2', 'caseIgnoreIA5Match', '1.3.6.1.4.1.1466.115.121.1.26') do
+      extend Equality
+      extend IA5Downcase
+    end
+
+    add('2.5.13.28', 'generalizedTimeOrderingMatch', '1.3.6.1.4.1.1466.115.121.1.24') { extend Ordering }
+    add('2.5.13.3', 'caseIgnoreOrderingMatch', '1.3.6.1.4.1.1466.115.121.1.15') do
+      extend Ordering
+      extend StringDowncase
+    end
+
+    add('2.5.13.4', 'caseIgnoreSubstringsMatch', '1.3.6.1.4.1.1466.115.121.1.58') do
+      extend Substrings
+      extend StringDowncase
+    end
+    add('2.5.13.21', 'telephoneNumberSubstringsMatch', '1.3.6.1.4.1.1466.115.121.1.58') do
+      extend Substrings
+    end
+    add('2.5.13.10', 'numericStringSubstringsMatch', '1.3.6.1.4.1.1466.115.121.1.58') do
+      extend Substrings
+    end
+
+    # from OpenLDAP
+    add('1.3.6.1.4.1.4203.1.2.1', 'caseExactIA5SubstringsMatch', '1.3.6.1.4.1.1466.115.121.1.26') do
+      extend Substrings
+      extend IA5Trim
+    end
+    add('1.3.6.1.4.1.1466.109.114.3', 'caseIgnoreIA5SubstringsMatch', '1.3.6.1.4.1.1466.115.121.1.26') do
+      extend Substrings
+      extend IA5Downcase
+    end
+    add('2.5.13.5', 'caseExactMatch', '1.3.6.1.4.1.1466.115.121.1.15') { extend Equality }
+    add('2.5.13.6', 'caseExactOrderingMatch', '1.3.6.1.4.1.1466.115.121.1.15') { extend Ordering }
+    add('2.5.13.7', 'caseExactSubstringsMatch', '1.3.6.1.4.1.1466.115.121.1.58') { extend Substrings }
+    add('2.5.13.9', 'numericStringOrderingMatch', '1.3.6.1.4.1.1466.115.121.1.36') { extend Ordering; extend Integer }
+    add('2.5.13.13', 'booleanMatch', '1.3.6.1.4.1.1466.115.121.1.7') do
+      extend Equality
+      def self.normalize(x)
+        return true if x == 'TRUE'
+        return false if x == 'FALSE'
+        x
+      end
+    end
+    add('2.5.13.15', 'integerOrderingMatch', '1.3.6.1.4.1.1466.115.121.1.27') { extend Ordering; extend Integer }
+    add('2.5.13.17', 'octetStringMatch', '1.3.6.1.4.1.1466.115.121.1.40') { extend Equality }
+    add('2.5.13.18', 'octetStringOrderingMatch', '1.3.6.1.4.1.1466.115.121.1.40') { extend Ordering }
+    add('2.5.13.19', 'octetStringSubstringsMatch', '1.3.6.1.4.1.1466.115.121.1.40') { extend Substrings }
+
+  end # class MatchingRule
+
+end # class Server
+end # module LDAP

data/lib/ldap/server/operation.rb

@@ -0,0 +1,492 @@
+require 'timeout'
+require 'ldap/server/result'
+require 'ldap/server/filter'
+
+module LDAP
+class Server
+
+  # Scope
+  BaseObject		= 0
+  SingleLevel		= 1
+  WholeSubtree		= 2
+
+  # DerefAliases
+  NeverDerefAliases	= 0
+  DerefInSearching	= 1
+  DerefFindingBaseObj	= 2
+  DerefAlways		= 3
+
+  # Object to handle a single LDAP request. Typically you would
+  # subclass this object and override methods 'simple_bind', 'search' etc.
+  # The do_xxx methods are internal, and handle the parsing of requests
+  # and the sending of responses.
+
+  class Operation
+
+    # An instance of this object is created by the Connection object
+    # for each operation which is requested by the client. If you subclass
+    # Operation, and you override initialize, make sure you call 'super'.
+
+    def initialize(connection, messageID)
+      @connection = connection
+      @respEnvelope = OpenSSL::ASN1::Sequence([
+        OpenSSL::ASN1::Integer(messageID),
+        # protocolOp,
+        # controls [0] OPTIONAL,
+      ])
+      @schema = @connection.opt[:schema]
+      @server = @connection.opt[:server]
+    end
+
+    def log msg, severity = Logger::INFO
+      @connection.log msg, severity
+    end
+
+    def debug msg
+      @connection.debug msg
+    end
+    
+    # Send an exception report to the log
+    
+    def log_exception msg
+      @connection.log_exception msg
+    end
+
+    ##################################################
+    ### Utility methods to send protocol responses ###
+    ##################################################
+
+    def send_LDAPMessage(protocolOp, opt={}) # :nodoc:
+      @respEnvelope.value[1] = protocolOp
+      if opt[:controls]
+        @respEnvelope.value[2] = OpenSSL::ASN1::Set(opt[:controls], 0, :IMPLICIT, APPLICATION)
+      else
+        @respEnvelope.value.delete_at(2)
+      end
+
+      if false # $debug
+        puts "Response:"
+        p @respEnvelope
+        p @respEnvelope.to_der.unpack("H*")
+      end
+
+      @connection.write(@respEnvelope.to_der)
+    end
+
+    def send_LDAPResult(tag, resultCode, opt={}) # :nodoc:
+      seq = [
+        OpenSSL::ASN1::Enumerated(resultCode),
+        OpenSSL::ASN1::OctetString(opt[:matchedDN] || ""),
+        OpenSSL::ASN1::OctetString(opt[:errorMessage] || ""),
+      ]
+      if opt[:referral]
+        rs = opt[:referral].collect { |r| OpenSSL::ASN1::OctetString(r) }
+        seq << OpenSSL::ASN1::Sequence(rs, 3, :IMPLICIT, :APPLICATION)
+      end
+      yield seq if block_given?   # opportunity to add more elements
+        
+      send_LDAPMessage(OpenSSL::ASN1::Sequence(seq, tag, :IMPLICIT, :APPLICATION), opt)
+    end
+
+    def send_BindResponse(resultCode, opt={})
+      send_LDAPResult(1, resultCode, opt) do |resp|
+        if opt[:serverSaslCreds]
+          resp << OpenSSL::ASN1::OctetString(opt[:serverSaslCreds], 7, :IMPLICIT, :APPLICATION)
+        end
+      end
+    end
+
+    # Send a found entry. Avs are {attr1=>val1, attr2=>[val2,val3]}
+    # If schema given, return operational attributes only if
+    # explicitly requested
+
+    def send_SearchResultEntry(dn, avs, opt={})
+      @rescount += 1
+      if @sizelimit
+        raise LDAP::ResultError::SizeLimitExceeded if @rescount > @sizelimit
+      end
+
+      if @schema
+        # normalize the attribute names
+        @attributes = @attributes.collect { |a| @schema.find_attrtype(a).to_s }
+      else
+        @attributes = @attributes.map(&:downcase)
+      end
+
+      sendall = @attributes == [] || @attributes.include?("*")
+      avseq = []
+
+      avs.each do |attr, vals|
+        if !@attributes.include?(@schema ? attr : attr.downcase)
+          next unless sendall
+          if @schema
+            a = @schema.find_attrtype(attr)
+            next unless a and (a.usage.nil? or a.usage == :userApplications)
+          end
+        end
+
+        if @typesOnly
+          vals = [] 
+        else
+          vals = [vals] unless vals.kind_of?(Array)
+          # FIXME: optionally do a value_to_s conversion here?
+          # FIXME: handle attribute;binary
+        end
+
+        avseq << OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::OctetString(attr),
+          OpenSSL::ASN1::Set(vals.collect { |v| OpenSSL::ASN1::OctetString(v.to_s) })
+        ])
+      end
+
+      send_LDAPMessage(OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::OctetString(dn),
+          OpenSSL::ASN1::Sequence(avseq),
+        ], 4, :IMPLICIT, :APPLICATION), opt)
+    end
+
+    def send_SearchResultReference(urls, opt={})
+      send_LDAPMessage(OpenSSL::ASN1::Sequence(
+          urls.collect { |url| OpenSSL::ASN1::OctetString(url) }
+        ),
+        opt
+      )
+    end
+
+    def send_SearchResultDone(resultCode, opt={})
+      send_LDAPResult(5, resultCode, opt)
+    end
+
+    def send_ModifyResponse(resultCode, opt={})
+      send_LDAPResult(7, resultCode, opt)
+    end
+
+    def send_AddResponse(resultCode, opt={})
+      send_LDAPResult(9, resultCode, opt)
+    end
+
+    def send_DelResponse(resultCode, opt={})
+      send_LDAPResult(11, resultCode, opt)
+    end
+
+    def send_ModifyDNResponse(resultCode, opt={})
+      send_LDAPResult(13, resultCode, opt)
+    end
+
+    def send_CompareResponse(resultCode, opt={})
+      send_LDAPResult(15, resultCode, opt)
+    end
+
+    def send_ExtendedResponse(resultCode, opt={})
+      send_LDAPResult(24, resultCode, opt) do |resp|
+        if opt[:responseName]
+          resp << OpenSSL::ASN1::OctetString(opt[:responseName], 10, :IMPLICIT, :APPLICATION)
+        end
+        if opt[:response]
+          resp << OpenSSL::ASN1::OctetString(opt[:response], 11, :IMPLICIT, :APPLICATION)
+        end
+      end
+    end
+
+    ##########################################
+    ### Methods to parse each request type ###
+    ##########################################
+
+    def do_bind(protocolOp, controls) # :nodoc:
+      version = protocolOp.value[0].value
+      dn = protocolOp.value[1].value
+      dn = nil if dn == ""
+      authentication = protocolOp.value[2]
+
+      case authentication.tag   # tag_class == :CONTEXT_SPECIFIC (check why)
+      when 0
+        simple_bind(version, dn, authentication.value)
+      when 3
+        mechanism = authentication.value[0].value
+        credentials = authentication.value[1].value
+        # sasl_bind(version, dn, mechanism, credentials)
+        # FIXME: needs to exchange further BindRequests
+        raise LDAP::ResultError::AuthMethodNotSupported
+      else
+        raise LDAP::ResultError::ProtocolError, "BindRequest bad AuthenticationChoice"
+      end
+      send_BindResponse(0)
+      return dn, version
+
+    rescue LDAP::ResultError => e
+      send_BindResponse(e.to_i, :errorMessage=>e.message)
+      return nil, version
+    end
+
+    # reformat ASN1 into {attr=>[vals], attr=>[vals]}
+    #
+    #     AttributeList ::= SEQUENCE OF SEQUENCE {
+    #            type    AttributeDescription,
+    #            vals    SET OF AttributeValue }
+
+    def attributelist(set) # :nodoc:
+      av = {}
+      set.value.each do |seq|
+        a = seq.value[0].value
+        if @schema
+          a = @schema.find_attrtype(a).to_s
+        end
+        v = seq.value[1].value.collect { |asn1| asn1.value  }
+        # Not clear from the spec whether the same attribute (with
+        # distinct values) can appear more than once in AttributeList
+        raise LDAP::ResultError::AttributeOrValueExists, a if av[a]
+        av[a] = v
+      end
+      return av
+    end
+
+    def do_search(protocolOp, controls) # :nodoc:
+      baseObject = protocolOp.value[0].value
+      scope = protocolOp.value[1].value
+      deref = protocolOp.value[2].value
+      client_sizelimit = protocolOp.value[3].value
+      client_timelimit = protocolOp.value[4].value
+      @typesOnly = protocolOp.value[5].value
+      filter = Filter::parse(protocolOp.value[6], @schema)
+      @attributes = protocolOp.value[7].value.collect {|x| x.value}
+
+      @rescount = 0
+      @sizelimit = server_sizelimit
+      @sizelimit = client_sizelimit if client_sizelimit > 0 and
+                   (@sizelimit.nil? or client_sizelimit < @sizelimit)
+
+      if baseObject.empty? and scope == BaseObject
+        send_SearchResultEntry("", @server.root_dse) if
+          @server.root_dse and LDAP::Server::Filter.run(filter, @server.root_dse)
+        send_SearchResultDone(0)
+        return
+      elsif @schema and baseObject == @schema.subschema_dn
+        send_SearchResultEntry(baseObject, @schema.subschema_subentry) if
+          @schema and @schema.subschema_subentry and
+          LDAP::Server::Filter.run(filter, @schema.subschema_subentry)
+        send_SearchResultDone(0)
+        return
+      end
+
+      t = server_timelimit || 10
+      t = client_timelimit if client_timelimit > 0 and client_timelimit < t
+
+      Timeout::timeout(t.to_i, LDAP::ResultError::TimeLimitExceeded) do
+        search(baseObject, scope, deref, filter)
+      end
+      send_SearchResultDone(0)
+
+    # Note that TimeLimitExceeded is a subclass of LDAP::ResultError
+    rescue LDAP::ResultError => e
+      send_SearchResultDone(e.to_i, :errorMessage=>e.message)
+
+    rescue Abandon
+      # send no response
+
+    # Since this Operation is running in its own thread, we have to
+    # catch all other exceptions. Otherwise, in the event of a programming
+    # error, this thread will silently terminate and the client will wait
+    # forever for a response.
+
+    rescue Exception => e
+      log_exception(e)
+      send_SearchResultDone(LDAP::ResultError::OperationsError.new.to_i, :errorMessage=>e.message)
+    end
+
+    def do_modify(protocolOp, controls) # :nodoc:
+      dn = protocolOp.value[0].value
+      modinfo = {}
+      protocolOp.value[1].value.each do |seq|
+        attr = seq.value[1].value[0].value
+        if @schema
+          attr = @schema.find_attrtype(attr).to_s
+        end
+        vals = seq.value[1].value[1].value.collect { |v| v.value }
+        case seq.value[0].value.to_i
+        when 0
+          modinfo[attr] = [:add] + vals
+        when 1
+          modinfo[attr] = [:delete] + vals
+        when 2
+          modinfo[attr] = [:replace] + vals
+        else
+          raise LDAP::ResultError::ProtocolError, "Bad modify operation #{seq.value[0].value}"
+        end
+      end
+
+      modify(dn, modinfo)
+      send_ModifyResponse(0)
+
+    rescue LDAP::ResultError => e
+      send_ModifyResponse(e.to_i, :errorMessage=>e.message)
+    rescue Abandon
+      # no response
+    rescue Exception => e
+      log_exception(e)
+      send_ModifyResponse(LDAP::ResultCode::OperationsError.new.to_i, :errorMessage=>e.message)
+    end
+
+    def do_add(protocolOp, controls) # :nodoc:
+      dn = protocolOp.value[0].value
+      av = attributelist(protocolOp.value[1])
+      add(dn, av)
+      send_AddResponse(0)
+
+    rescue LDAP::ResultError => e
+      send_AddResponse(e.to_i, :errorMessage=>e.message)
+    rescue Abandon
+      # no response
+    rescue Exception => e
+      log_exception(e)
+      send_AddResponse(LDAP::ResultCode::OperationsError.new.to_i, :errorMessage=>e.message)
+    end
+
+    def do_del(protocolOp, controls) # :nodoc:
+      dn = protocolOp.value
+      del(dn)
+      send_DelResponse(0)
+
+    rescue LDAP::ResultError => e
+      send_DelResponse(e.to_i, :errorMessage=>e.message)
+    rescue Abandon
+      # no response
+    rescue Exception => e
+      log_exception(e)
+      send_DelResponse(LDAP::ResultCode::OperationsError.new.to_i, :errorMessage=>e.message)
+    end
+
+    def do_modifydn(protocolOp, controls) # :nodoc:
+      entry = protocolOp.value[0].value
+      newrdn = protocolOp.value[1].value
+      deleteoldrdn = protocolOp.value[2].value
+      if protocolOp.value.size > 3 and protocolOp.value[3].tag == 0
+        newSuperior = protocolOp.value[3].value
+      end
+      modifydn(entry, newrdn, deleteoldrdn, newSuperior)
+      send_ModifyDNResponse(0)
+
+    rescue LDAP::ResultError => e
+      send_ModifyDNResponse(e.to_i, :errorMessage=>e.message)
+    rescue Abandon
+      # no response
+    rescue Exception => e
+      log_exception(e)
+      send_ModifyDNResponse(LDAP::ResultCode::OperationsError.new.to_i, :errorMessage=>e.message)
+    end
+
+    def do_compare(protocolOp, controls) # :nodoc:
+      entry = protocolOp.value[0].value
+      ava = protocolOp.value[1].value
+      attr = ava[0].value
+      if @schema
+        attr = @schema.find_attrtype(attr).to_s
+      end
+      val = ava[1].value
+      if compare(entry, attr, val)
+        send_CompareResponse(6)  # compareTrue
+      else
+        send_CompareResponse(5)  # compareFalse
+      end
+
+    rescue LDAP::ResultError => e
+      send_CompareResponse(e.to_i, :errorMessage=>e.message)
+    rescue Abandon
+      # no response
+    rescue Exception => e
+      log_exception(e)
+      send_CompareResponse(LDAP::ResultCode::OperationsError.new.to_i, :errorMessage=>e.message)
+    end
+
+    ############################################################
+    ### Methods to get parameters related to this connection ###
+    ############################################################
+
+    # Server-set maximum time limit. Override for more complex behaviour
+    # (e.g. limit depends on @connection.binddn). Nil uses hardcoded default.
+
+    def server_timelimit
+      @connection.opt[:timelimit]
+    end
+
+    # Server-set maximum size limit. Override for more complex behaviour
+    # (e.g. limit depends on @connection.binddn). Return nil for unlimited.
+
+    def server_sizelimit
+      @connection.opt[:sizelimit]
+    end
+
+    ######################################################
+    ### Methods to actually perform the work requested ###
+    ######################################################
+
+    # Handle a simple bind request; raise an exception if the bind is
+    # not acceptable, otherwise just return to accept the bind.
+    #
+    # Override this method in your own subclass.
+
+    def simple_bind(version, dn, password)
+      if version != 3
+        raise LDAP::ResultError::ProtocolError, "version 3 only"
+      end
+      if dn
+        raise LDAP::ResultError::InappropriateAuthentication, "This server only supports anonymous bind"
+      end
+    end
+
+    # Handle a search request; override this.
+    #
+    # Call send_SearchResultEntry for each result found. Raise an exception
+    # if there is a problem. timeLimit, sizeLimit and typesOnly are taken
+    # care of, but you need to perform all authorisation checks yourself,
+    # using @connection.binddn
+
+    def search(basedn, scope, deref, filter)
+      debug "search(#{basedn}, #{scope}, #{deref}, #{filter})"
+      raise LDAP::ResultError::UnwillingToPerform, "search not implemented"
+    end
+
+    # Handle a modify request; override this
+    #
+    # dn is the object to modify; modification is a hash of
+    #   attr => [:add, val, val...]       -- add operation
+    #   attr => [:replace, val, val...]   -- replace operation
+    #   attr => [:delete, val, val...]    -- delete these values
+    #   attr => [:delete]                 -- delete all values
+
+    def modify(dn, modification)
+      raise LDAP::ResultError::UnwillingToPerform, "modify not implemented"
+    end
+
+    # Handle an add request; override this
+    #
+    # Parameters are the dn of the entry to add, and a hash of
+    #   attr=>[val...]
+    # Raise an exception if there is a problem; it is up to you to check
+    # that the connection has sufficient authorisation using @connection.binddn
+
+    def add(dn, av)
+      raise LDAP::ResultError::UnwillingToPerform, "add not implemented"
+    end
+
+    # Handle a del request; override this
+
+    def del(dn)
+      raise LDAP::ResultError::UnwillingToPerform, "delete not implemented"
+    end
+
+    # Handle a modifydn request; override this
+
+    def modifydn(entry, newrdn, deleteoldrdn, newSuperior)
+      raise LDAP::ResultError::UnwillingToPerform, "modifydn not implemented"
+    end
+
+    # Handle a compare request; override this. Return true or false,
+    # or raise an exception for errors.
+
+    def compare(entry, attr, val)
+      raise LDAP::ResultError::UnwillingToPerform, "compare not implemented"
+    end
+
+  end # class Operation
+end # class Server
+end # module LDAP