jruby-ldap-fixes 0.0.3

data/lib/ldap/constants.rb

@@ -0,0 +1,126 @@
+module LDAP
+  LDAPS_PORT = 636
+  LDAP_ADMINLIMIT_EXCEEDED = 11
+  LDAP_ALIAS_DEREF_PROBLEM = 36
+  LDAP_ALIAS_PROBLEM = 33
+  LDAP_ALREADY_EXISTS = 68
+  LDAP_API_INFO_VERSION = 1
+  LDAP_API_VERSION = 3001
+  LDAP_AUTH_KRBV41 = 129
+  LDAP_AUTH_KRBV42 = 130
+  LDAP_AUTH_METHOD_NOT_SUPPORTED = 7
+  LDAP_AUTH_NONE = 0
+  LDAP_AUTH_SASL = 163
+  LDAP_AUTH_SIMPLE = 128
+  LDAP_AUTH_UNKNOWN = -6
+  LDAP_BUSY = 51
+  LDAP_COMPARE_FALSE = 5
+  LDAP_COMPARE_TRUE = 6
+  LDAP_CONFIDENTIALITY_REQUIRED = 13
+  LDAP_CONSTRAINT_VIOLATION = 19
+  LDAP_CONTROL_PAGEDRESULTS = "1.2.840.113556.1.4.319"
+  LDAP_DECODING_ERROR = -4
+  LDAP_DEREF_ALWAYS = 3
+  LDAP_DEREF_FINDING = 2
+  LDAP_DEREF_NEVER = 0
+  LDAP_DEREF_SEARCHING = 1
+  LDAP_ENCODING_ERROR = -3
+  LDAP_FILTER_ERROR = -7
+  LDAP_INAPPROPRIATE_AUTH = 48
+  LDAP_INAPPROPRIATE_MATCHING = 18
+  LDAP_INSUFFICIENT_ACCESS = 50
+  LDAP_INVALID_CREDENTIALS = 49
+  LDAP_INVALID_DN_SYNTAX = 34
+  LDAP_INVALID_SYNTAX = 21
+  LDAP_IS_LEAF = 35
+  LDAP_LOCAL_ERROR = -2
+  LDAP_LOOP_DETECT = 54
+  LDAP_MOD_ADD = 0
+  LDAP_MOD_BVALUES = 128
+  LDAP_MOD_DELETE = 1
+  LDAP_MOD_INCREMENT = 3
+  LDAP_MOD_OP = 7
+  LDAP_MOD_REPLACE = 2
+  LDAP_NAMING_VIOLATION = 64
+  LDAP_NOT_ALLOWED_ON_NONLEAF = 66
+  LDAP_NOT_ALLOWED_ON_RDN = 67
+  LDAP_NO_MEMORY = -10
+  LDAP_NO_OBJECT_CLASS_MODS = 69
+  LDAP_NO_SUCH_ATTRIBUTE = 16
+  LDAP_NO_SUCH_OBJECT = 32
+  LDAP_OBJECT_CLASS_VIOLATION = 65
+  LDAP_OPERATIONS_ERROR = 1
+  LDAP_OPT_API_FEATURE_INFO = 21
+  LDAP_OPT_API_INFO = 0
+  LDAP_OPT_CLIENT_CONTROLS = 19
+  LDAP_OPT_DEREF = 2
+  LDAP_OPT_DESC = 1
+  LDAP_OPT_HOST_NAME = 48
+  LDAP_OPT_OFF = 0
+  LDAP_OPT_ON = 3117220
+  LDAP_OPT_PROTOCOL_VERSION = 17
+  LDAP_OPT_REFERRALS = 8
+  LDAP_OPT_RESTART = 9
+  LDAP_OPT_SERVER_CONTROLS = 18
+  LDAP_OPT_SIZELIMIT = 3
+  LDAP_OPT_TIMELIMIT = 4
+  LDAP_OPT_X_SASL_AUTHCID = 24834
+  LDAP_OPT_X_SASL_AUTHZID = 24835
+  LDAP_OPT_X_SASL_MAXBUFSIZE = 24841
+  LDAP_OPT_X_SASL_MECH = 24832
+  LDAP_OPT_X_SASL_REALM = 24833
+  LDAP_OPT_X_SASL_SECPROPS = 24838
+  LDAP_OPT_X_SASL_SSF = 24836
+  LDAP_OPT_X_SASL_SSF_EXTERNAL = 24837
+  LDAP_OPT_X_SASL_SSF_MAX = 24840
+  LDAP_OPT_X_SASL_SSF_MIN = 24839
+  LDAP_OPT_X_TLS = 24576
+  LDAP_OPT_X_TLS_ALLOW = 3
+  LDAP_OPT_X_TLS_CACERTDIR = 24579
+  LDAP_OPT_X_TLS_CACERTFILE = 24578
+  LDAP_OPT_X_TLS_CERTFILE = 24580
+  LDAP_OPT_X_TLS_CIPHER_SUITE = 24584
+  LDAP_OPT_X_TLS_DEMAND = 2
+  LDAP_OPT_X_TLS_HARD = 1
+  LDAP_OPT_X_TLS_KEYFILE = 24581
+  LDAP_OPT_X_TLS_NEVER = 0
+  LDAP_OPT_X_TLS_RANDOM_FILE = 24585
+  LDAP_OPT_X_TLS_REQUIRE_CERT = 24582
+  LDAP_OPT_X_TLS_TRY = 4
+  LDAP_OTHER = 80
+  LDAP_PARAM_ERROR = -9
+  LDAP_PARTIAL_RESULTS = 9
+  LDAP_PORT = 389
+  LDAP_PROTOCOL_ERROR = 2
+  LDAP_REFERRAL = 10
+  LDAP_RESULTS_TOO_LARGE = 70
+  LDAP_SASL_BIND_IN_PROGRESS = 14
+  LDAP_SASL_SIMPLE = nil
+  LDAP_SCOPE_BASE = 0
+  LDAP_SCOPE_ONELEVEL = 1
+  LDAP_SCOPE_SUBTREE = 2
+  LDAP_SERVER_DOWN = -1
+  LDAP_SIZELIMIT_EXCEEDED = 4
+  LDAP_STRONG_AUTH_NOT_SUPPORTED = 7
+  LDAP_STRONG_AUTH_REQUIRED = 8
+  LDAP_SUCCESS = 0
+  LDAP_TIMELIMIT_EXCEEDED = 3
+  LDAP_TIMEOUT = -5
+  LDAP_TYPE_OR_VALUE_EXISTS = 20
+  LDAP_UNAVAILABLE = 52
+  LDAP_UNAVAILABLE_CRITICAL_EXTENSION = 12
+  LDAP_UNDEFINED_TYPE = 17
+  LDAP_UNWILLING_TO_PERFORM = 53
+  LDAP_USER_CANCELLED = -8
+  LDAP_VENDOR_NAME = "OpenLDAP"
+  LDAP_VENDOR_VERSION = 20335
+  LDAP_VERSION = 2
+  LDAP_VERSION1 = 1
+  LDAP_VERSION2 = 2
+  LDAP_VERSION3 = 3
+  LDAP_VERSION_MAX = 3
+  MAJOR_VERSION = 0
+  MINOR_VERSION = 9
+  PATCH_VERSION = 7
+  VERSION = "0.9.7"
+end

data/lib/ldap/control.rb

@@ -0,0 +1,48 @@
+# Manipulation of LDAP control data.
+#
+# $Id: control.rb,v 1.2 2005/02/28 05:02:25 ianmacd Exp $
+#
+# Copyright (C) 2004 Ian Macdonald <ian@caliban.org>
+#
+
+module LDAP
+  class Control
+
+    require 'openssl'
+
+    # Take +vals+, produce an Array of values in ASN.1 format and then
+    # convert the Array to DER.
+    #
+    def Control.encode( *vals )
+      encoded_vals = []
+     
+      vals.each do |val|
+        encoded_vals <<
+          case val
+          when Integer
+            OpenSSL::ASN1::Integer( val )
+          when String
+            OpenSSL::ASN1::OctetString.new( val )
+          else
+            # What other types may exist?
+          end
+      end
+   
+      OpenSSL::ASN1::Sequence.new( encoded_vals ).to_der
+    end
+
+
+    # Take an Array of ASN.1 data and return an Array of decoded values.
+    #
+    def decode
+      values = []
+
+      OpenSSL::ASN1::decode( self.value ).value.each do |val|
+	values << val.value
+      end
+
+      values
+    end
+
+  end
+end

data/lib/ldap/entry.rb

@@ -0,0 +1,64 @@
+
+module LDAP
+  class << self
+    def entry2hash(entry)
+      out = {}
+      out['dn'] = [entry.dn]
+      entry.get_attributes.each do |k|
+        out[k] = entry[k]
+      end
+      out
+    end
+  end
+  
+  class Entry
+    class << self
+      def create_from_search_result(search_result)
+        new(search_result.name_in_namespace, (search_result.attributes.get_all.inject({}){|hash, attr| 
+                                                hash[attr.getID()] = attr.getAll.to_a; hash}))
+      end
+    end
+
+    def initialize(dn, attributes)
+      @dn = dn
+      @attributes = attributes
+      @keys = @attributes.keys
+      @attributes = @keys.inject({}) do |hash, key|
+        if @attributes[key].any?{|v| !v.is_a?(String)}
+          @attributes[key] = @attributes[key].map do |val|
+            val.is_a?(String) ? val : String.from_java_bytes(val)
+          end
+        end
+        hash[key.downcase] = @attributes[key]
+        hash
+      end
+    end
+    
+    def get_attributes
+      @keys
+    end
+
+    alias attrs get_attributes
+
+    def get_dn
+      @dn
+    end
+
+    alias dn get_dn
+    
+    def get_values(attr)
+      @attributes[attr.downcase]
+    end
+    
+    alias vals get_values
+    alias [] get_values
+    
+    def inspect
+      super.split(' ').first + "\n#{(@keys.inject({}){|hash, name| hash[name] = @attributes[name.downcase];hash}.update('dn'=>[@dn])).inspect}>"
+    end
+    
+    def hash
+      @attributes.hash + @dn.hash
+    end
+  end
+end

data/lib/ldap/error.rb

@@ -0,0 +1,14 @@
+module LDAP
+  class Error < StandardError
+    attr_accessor :java_exception
+    def self.wrap(message, java_exception)
+      p java_exception if $DEBUG
+      exception = new(message)
+      exception.java_exception = java_exception
+      exception
+    end
+  end
+  class ResultError < Error; end
+  class InvalidDataError < Error; end
+  class InvalidEntryError < InvalidDataError; end
+end

data/lib/ldap/ldif.rb

@@ -0,0 +1,567 @@
+# Manipulation of LDIF data.
+#
+# $Id: ldif.rb,v 1.11 2005/03/03 01:32:07 ianmacd Exp $
+#
+# Copyright (C) 2005 Ian Macdonald <ian@caliban.org>
+#
+
+module LDAP
+
+  # Record objects are embodiments of LDAP operations. They possess a DN,
+  # a change type (*LDAP_MOD_ADD*, *LDAP_MOD_DELETE* or *LDAP_MOD_REPLACE*
+  # [any of which can be logically AND'ed with *LDAP_MOD_BVALUES*]), a hash of
+  # attributes and value arrays, a hash of modification operations (useful
+  # only when the change type is *LDAP_MOD_REPLACE*) and an array of
+  # LDAP controls.
+  #
+  # The Record class's primary use is as a transitional medium for LDIF
+  # operations parsed by the LDAP::LDIF module. You are unlikely to want to
+  # use it in application code.
+  #
+  class Record
+    attr_reader :dn, :change_type, :attrs, :mods, :controls
+
+    def initialize(dn, change_type, attrs, mods=nil, ctls=nil)
+      @dn = dn
+      @change_type = change_type
+      @attrs = attrs
+      @mods = mods
+      @controls = ctls
+    end
+
+
+    # Send the operation embodied in the Record object to the LDAP::Conn
+    # object specified in +conn+.
+    #
+    def send( conn )
+      if @change_type == :MODRDN
+	# TODO: How do we deal with 'newsuperior'?
+	# The LDAP API's ldap_modrdn2_s() function doesn't seem to use it.
+	return conn.modrdn( @dn, @attrs['newrdn'], @attrs['deleteoldrdn'] )
+      end
+
+      # Mask out the LDAP_MOD_BVALUES bit, as it's irrelevant here.
+      case @change_type & ~LDAP_MOD_BVALUES
+      when LDAP_MOD_ADD
+	@controls == [] ? conn.add( @dn, @attrs ) :
+			  conn.add_ext( @dn, @attrs, @controls, [] )
+      when LDAP_MOD_DELETE
+	@controls == [] ? conn.delete( @dn ) :
+			  conn.delete_ext( @dn, @controls, [] )
+      when LDAP_MOD_REPLACE
+	@controls == [] ? conn.modify( @dn, @mods ) :
+			  conn.modify_ext( @dn, @mods, @controls, [] )
+      end
+
+      self
+    end
+
+
+    # Remove common operational attributes from a Record object. This is
+    # useful if you have Record objects formed from LDIF data that contained
+    # operational attributes. Using LDAP::Record#send to send such an object
+    # to an LDAP server is likely to meet with an exception unless the data is
+    # first cleaned.
+    #
+    # In addition, attributes with duplicate values are pruned, as this can
+    # also result in an exception.
+    #
+    def clean
+
+      # TODO: These operational attributes are those commonly used by
+      # OpenLDAP 2.2. Others should probably be supported.
+      #
+      %w[ creatorsname createtimestamp modifiersname modifytimestamp
+          entrycsn entryuuid structuralobjectclass ].each do |attr|
+	@attrs.delete( attr )
+      end
+
+      # Clean out duplicate attribute values.
+      @attrs.each_key { |k| @attrs[k].uniq! }
+
+      self
+    end
+
+  end
+
+
+  # This module provides the ability to process LDIF entries and files.
+  #
+  module LDIF
+    LINE_LENGTH = 77
+
+    private
+
+    class Entry < String; end
+    class Mod < String; end
+    class LDIFError < LDAP::Error; end
+
+
+    # return *true* if +str+ contains a character with an ASCII value > 127 or
+    # a NUL, LF or CR. Otherwise, *false* is returned.
+    #
+    def LDIF.unsafe_char?( str )
+      # This could be written as a single regex, but this is faster.
+      str =~ /^[ :]/ || str =~ /[\x00-\x1f\x7f-\xff]/
+    end
+
+
+    # Perform Base64 decoding of +str+. If +concat+ is *true*, LF characters
+    # are stripped.
+    #
+    def LDIF.base64_encode( str, concat=false )
+      str = [ str ].pack( 'm' )
+      str.gsub!( /\n/, '' ) if concat
+      str
+    end
+
+
+    # Perform Base64 encoding of +str+.
+    #
+    def LDIF.base64_decode( str )
+      str.unpack( 'm*' )[0]
+    end
+
+
+    # Read a file from the URL +url+. At this time, the only type of URL
+    # supported is the +file://+ URL.
+    #
+    def LDIF.read_file( url )
+      unless url.sub!( %r(^file://), '' )
+        raise ArgumentError, "Bad external file reference: #{url}"
+      end
+  
+      # Slurp an external file.
+      # TODO: Support other URL types in the future.
+      File.open( url ).readlines( nil )[0]
+    end
+
+
+    # This converts an attribute and array of values to LDIF.
+    #
+    def LDIF.to_ldif( attr, vals )
+      ldif = ''
+
+      vals.each do |val|
+        sep = ':'
+        if unsafe_char?( val )
+          sep = '::'
+          val = base64_encode( val, true )
+        end
+      
+        firstline_len = LINE_LENGTH - ( "%s%s " % [ attr, sep ] ).length
+        ldif << "%s%s %s\n" % [ attr, sep, val.slice!( 0..firstline_len ) ]
+      
+        while val.length > 0
+          ldif << " %s\n" % val.slice!( 0..LINE_LENGTH - 1 )
+        end
+      end
+
+      ldif
+
+    end
+
+
+    public
+
+
+    # Parse the LDIF entry contained in +lines+ and return an LDAP::Record
+    # object. +lines+ should be an object that responds to each, such as a
+    # string or an array of lines, separated by \n characters.
+    #
+    def LDIF.parse_entry( lines )
+      header = true
+      comment = false
+      change_type = nil
+      sep = nil
+      attr = nil
+      bvalues = []
+      controls = nil
+      hash = {}
+      mods = {}
+      mod_type = nil
+      
+      lines.each do |line|
+	# Skip (continued) comments.
+	if line =~ /^#/ || ( comment && line[0..0] == ' ' )
+	  comment = true
+	  next
+	end
+
+	# Skip blank lines.
+	next if line =~ /^$/
+
+	# Reset mod type if this entry has more than one mod to make.
+	# A '-' continuation is only valid if we've already had a
+	# 'changetype: modify' line.
+	if line =~ /^-$/ && change_type == LDAP_MOD_REPLACE
+	  next
+	end
+
+	line.chomp!
+
+	# N.B. Attributes and values can be separated by one or two colons,
+	# or one colon and a '<'. Either of these is then followed by zero
+	# or one spaces.
+	if md = line.match( /^[^ ].*?((:[:<]?) ?)/ )
+
+	  # If previous value was Base64-encoded and is not continued,
+	  # we need to decode it now.
+	  if sep == '::'
+	    if mod_type
+	      mods[mod_type][attr][-1] =
+		base64_decode( mods[mod_type][attr][-1] )
+		bvalues << attr if unsafe_char?( mods[mod_type][attr][-1] )
+	    else
+	      hash[attr][-1] = base64_decode( hash[attr][-1] )
+	      bvalues << attr if unsafe_char?( hash[attr][-1] )
+	    end
+
+	  end
+
+	  # Found a attr/value line.
+	  attr, val = line.split( md[1], 2 )
+	  attr.downcase!
+
+	  # Attribute must be ldap-oid / (ALPHA *(attr-type-chars))
+	  if attr !~ /^(?:(?:\d+\.)*\d+|[[:alnum:]-]+)(?:;[[:alnum:]-]+)*$/
+	    raise LDIFError, "Invalid attribute: #{attr}"
+	  end
+
+	  if attr == 'dn'
+	    header = false
+	    change_type = nil
+	    controls = []
+	  end
+	  sep = md[2]
+
+	  val = read_file( val ) if sep == ':<'
+
+	  case attr
+	  when 'version'
+	    # Check the LDIF version.
+	    if header
+	      if val != '1'
+		raise LDIFError, "Unsupported LDIF version: #{val}"
+	      else
+		header = false
+		next
+	      end
+	    end
+
+	  when 'changetype'
+	    change_type = case val
+			    when 'add'	     then LDAP_MOD_ADD
+			    when 'delete'    then LDAP_MOD_DELETE
+			    when 'modify'    then LDAP_MOD_REPLACE
+			    when /^modr?dn$/ then :MODRDN
+			  end
+
+	    raise LDIFError, "Invalid change type: #{attr}" unless change_type
+
+	  when 'add', 'delete', 'replace'
+	    unless change_type == LDAP_MOD_REPLACE
+	      raise LDIFError, "Cannot #{attr} here."
+	    end
+
+	    mod_type = case attr
+		         when 'add'	then LDAP_MOD_ADD
+		         when 'delete'	then LDAP_MOD_DELETE
+		         when 'replace'	then LDAP_MOD_REPLACE
+		       end
+
+	    mods[mod_type] ||= {}
+	    mods[mod_type][val] ||= []
+
+	  when 'control'
+
+	    oid, criticality = val.split( / /, 2 )
+
+	    unless oid =~ /(?:\d+\.)*\d+/
+	      raise LDIFError, "Bad control OID: #{oid}" 
+	    end
+
+	    if criticality
+	      md = criticality.match( /(:[:<]?) ?/ )
+	      ctl_sep = md[1] if md
+	      criticality, value = criticality.split( /:[:<]? ?/, 2 )
+
+	      if criticality !~ /^(?:true|false)$/
+	        raise LDIFError, "Bad control criticality: #{criticality}"
+	      end
+
+	      # Convert 'true' or 'false'. to_boolean would be nice. :-)
+	      criticality = eval( criticality )
+	    end
+
+	    if value
+	      value = base64_decode( value ) if ctl_sep == '::'
+	      value = read_file( value ) if ctl_sep == ':<'
+	      value = Control.encode( value )
+	    end
+
+	    controls << Control.new( oid, value, criticality )
+	  else
+
+	    # Convert modrdn's deleteoldrdn from '1' to true, anything else
+	    # to false. Should probably raise an exception if not '0' or '1'.
+	    #
+	    if change_type == :MODRDN && attr == 'deleteoldrdn'
+	      val = val == '1' ? true : false
+	    end
+
+	    if change_type == LDAP_MOD_REPLACE
+	      mods[mod_type][attr] << val
+	    else
+	      hash[attr] ||= []
+	      hash[attr] << val
+	    end
+
+	    comment = false
+
+	    # Make a note of this attribute if value is binary.
+	    bvalues << attr if unsafe_char?( val )
+	  end
+
+	else
+
+	  # Check last line's separator: if not a binary value, the
+	  # continuation line must be indented. If a comment makes it this
+	  # far, that's also an error.
+	  #
+	  if sep == ':' && line[0..0] != ' ' || comment
+	    raise LDIFError, "Improperly continued line: #{line}"
+	  end
+
+	  # OK; this is a valid continuation line.
+
+	  # Append line except for initial space.
+	  line[0] = '' if line[0..0] == ' '
+
+	  if change_type == LDAP_MOD_REPLACE
+	    # Append to last value of current mod type.
+	    mods[mod_type][attr][-1] << line
+	  else
+	    # Append to last value.
+	    hash[attr][-1] << line
+	  end
+	end
+	
+      end
+
+      # If last value in LDIF entry was Base64-encoded, we need to decode
+      # it now.
+      if sep == '::'
+        if mod_type
+          mods[mod_type][attr][-1] =
+	    base64_decode( mods[mod_type][attr][-1] )
+	  bvalues << attr if unsafe_char?( mods[mod_type][attr][-1] )
+        else
+          hash[attr][-1] = base64_decode( hash[attr][-1] )
+	  bvalues << attr if unsafe_char?( hash[attr][-1] )
+        end
+      end
+
+      # Remove and remember DN.
+      dn = hash.delete( 'dn' )[0]
+
+      # This doesn't really matter, but let's be anal about it, because it's
+      # not an attribute and doesn't belong here.
+      bvalues.delete( 'dn' )
+
+      # If there's no change type, it's just plain LDIF data, so we'll treat
+      # it like an addition.
+      change_type ||= LDAP_MOD_ADD
+
+      case change_type
+      when LDAP_MOD_ADD
+
+	mods[LDAP_MOD_ADD] = []
+
+	hash.each do |attr,val|
+	  if bvalues.include?( attr )
+	    ct = LDAP_MOD_ADD | LDAP_MOD_BVALUES
+	  else
+	    ct = LDAP_MOD_ADD
+	  end
+
+	  mods[LDAP_MOD_ADD] << LDAP.mod( ct, attr, val )
+	end
+
+      when LDAP_MOD_DELETE
+
+	# Nothing to do.
+
+      when LDAP_MOD_REPLACE
+
+	raise LDIFError, "mods should not be empty" if mods == {}
+
+	new_mods = {}
+
+	mods.each do |mod_type,attrs|
+	  attrs.each_key do |attr|
+	    if bvalues.include?( attr )
+	      mt = mod_type | LDAP_MOD_BVALUES
+	    else
+	      mt = mod_type
+	    end
+
+	    new_mods[mt] ||= {}
+	    new_mods[mt][attr] = mods[mod_type][attr]
+	  end
+	end
+
+	mods = new_mods
+
+      when :MODRDN
+
+	# Nothing to do.
+
+      end
+
+      Record.new( dn, change_type, hash, mods, controls )
+    end
+
+
+    # Open and parse a file containing LDIF entries. +file+ should be a string
+    # containing the path to the file. If +sort+ is true, the resulting array
+    # of LDAP::Record objects will be sorted on DN length, which can be useful
+    # to avoid a later attempt to process an entry whose parent does not yet
+    # exist. This can easily happen if your LDIF file is unordered, which is
+    # likely if it was produced with a tool such as <em>slapcat(8)</em>.
+    #
+    # If a block is given, each LDAP::Record object will be yielded to the
+    # block and *nil* will be returned instead of the array. This is much less
+    # memory-intensive when parsing a large LDIF file.
+    #
+    def LDIF.parse_file( file, sort=false ) # :yield: record
+
+      File.open( file ) do |f|
+	entries = []
+	entry = false
+	header = true
+	version = false
+
+	while line = f.gets
+
+	  if line =~ /^dn:/
+	    header = false
+
+	    if entry && ! version
+	      if block_given?
+		yield parse_entry( entry )
+	      else
+	        entries << parse_entry( entry )
+	      end
+	    end
+
+	    if version
+	      entry << line
+	      version = false
+	    else
+	      entry = [ line ]
+	    end
+
+	    next
+	  end
+
+	  if header && line.downcase =~ /^version/
+	    entry = [ line ]
+	    version = true
+	    next
+	  end
+	
+	  entry << line
+	end
+
+	if block_given?
+	  yield parse_entry( entry )
+	  nil
+	else
+	  entries << parse_entry( entry )
+
+	  # Sort entries if sorting has been requested.
+	  entries.sort! { |x,y| x.dn.length <=> y.dn.length } if sort
+	  entries
+	end
+
+      end
+
+    end
+
+
+    # Given the DN, +dn+, convert a single LDAP::Mod or an array of
+    # LDAP::Mod objects, given in +mods+, to LDIF.
+    #
+    def LDIF.mods_to_ldif( dn, *mods )
+      ldif = "dn: %s\nchangetype: modify\n" % dn
+      plural = false
+
+      mods.flatten.each do |mod|
+        # TODO: Need to dynamically assemble this case statement to add
+        # OpenLDAP's increment change type, etc.
+        change_type = case mod.mod_op & ~LDAP_MOD_BVALUES
+			when LDAP_MOD_ADD     then 'add'
+			when LDAP_MOD_DELETE  then 'delete'
+			when LDAP_MOD_REPLACE then 'replace'
+		      end
+
+        ldif << "-\n" if plural
+        ldif << LDIF.to_ldif( change_type, mod.mod_type )
+        ldif << LDIF.to_ldif( mod.mod_type, mod.mod_vals )
+
+        plural = true
+      end
+
+      LDIF::Mod.new( ldif )
+    end
+
+  end
+
+
+  class Entry
+
+    # Convert an LDAP::Entry to LDIF.
+    #
+    def to_ldif
+      ldif = "dn: %s\n" % get_dn
+
+      get_attributes.each do |attr|
+	get_values( attr ).each do |val|
+	  ldif << LDIF.to_ldif( attr, [ val ] )
+	end
+      end
+
+      LDIF::Entry.new( ldif )
+    end
+
+    alias_method :to_s, :to_ldif
+  end
+
+  
+  class Mod
+
+    # Convert an LDAP::Mod with the DN given in +dn+ to LDIF.
+    #
+    def to_ldif( dn )
+      ldif = "dn: %s\n" % dn
+
+      # TODO: Need to dynamically assemble this case statement to add
+      # OpenLDAP's increment change type, etc.
+      case mod_op & ~LDAP_MOD_BVALUES
+      when LDAP_MOD_ADD
+	ldif << "changetype: add\n"
+      when LDAP_MOD_DELETE
+	ldif << "changetype: delete\n"
+      when LDAP_MOD_REPLACE
+	return LDIF.mods_to_ldif( dn, self )
+      end
+
+      ldif << LDIF.to_ldif( mod_type, mod_vals )
+      LDIF::Mod.new( ldif )
+    end
+
+    alias_method :to_s, :to_ldif
+  end
+
+end