ruby-ldap 0.9.11 → 0.9.12

data/conn.c

@@ -31,6 +31,7 @@ rb_ldap_conn_free (RB_LDAP_DATA * ldapdata)
     {
       ldap_unbind (ldapdata->ldap);
     };
+  xfree(ldapdata);
 };
 
 static void
@@ -167,6 +168,26 @@ rb_ldap_conn_s_open (int argc, VALUE argv[], VALUE klass)
   return conn;
 };
 
+/*
+ * call-seq:
+ * LDAP::Conn.open_uri(uri)  => LDAP::Conn
+ *
+ * Return a new LDAP::Conn connection to the server described with +uri+.
+ */
+VALUE
+rb_ldap_conn_s_open_uri (VALUE klass, VALUE uri)
+{
+  LDAP  *cldap = NULL;
+  int    rc;
+
+  rc = ldap_initialize (&cldap, StringValueCStr (uri));
+
+  if (rc || cldap == NULL)
+    rb_raise (rb_eLDAP_ResultError, "can't open an LDAP session");
+  
+  return rb_ldap_conn_new (klass, cldap);
+};
+
 /*
  * call-seq:
  * conn.start_tls  => nil
@@ -742,7 +763,7 @@ rb_ldap_conn_get_errno (VALUE self)
   GET_LDAP_DATA (self, ldapdata);
 
 #ifdef USE_NETSCAPE_SDK
-  cerr = ldap_get_lderrno (ldapdata->ldap, NULL, NULL);
+  int cerr = ldap_get_lderrno (ldapdata->ldap, NULL, NULL);
   err = INT2NUM (cerr);
 #else
 # ifdef USE_OPENLDAP1
@@ -1515,6 +1536,7 @@ rb_ldap_conn_modify_s (VALUE self, VALUE dn, VALUE attrs)
 
   ldapdata->err = ldap_modify_s (ldapdata->ldap, c_dn, c_attrs);
   Check_LDAP_Result (ldapdata->err);
+  free(c_attrs);
 
   return self;
 };
@@ -1777,6 +1799,7 @@ Init_ldap_conn ()
                              rb_ldap_conn_s_allocate, 0);
 #endif
   rb_define_singleton_method (rb_cLDAP_Conn, "open", rb_ldap_conn_s_open, -1);
+  rb_define_singleton_method (rb_cLDAP_Conn, "open_uri", rb_ldap_conn_s_open_uri, 1);
   rb_define_singleton_method (rb_cLDAP_Conn, "set_option",
 			      rb_ldap_conn_s_set_option, 2);
   rb_define_singleton_method (rb_cLDAP_Conn, "get_option",

data/entry.c

@@ -12,6 +12,7 @@ VALUE rb_cLDAP_Entry;
 void
 rb_ldap_entry_free (RB_LDAPENTRY_DATA * edata)
 {
+  xfree(edata);
   /* edata->msg is valid in a block given by each search operation */
   /* ldap_msgfree should be called after ldap_search */
 }
@@ -22,7 +23,7 @@ rb_ldap_entry_new (LDAP * ldap, LDAPMessage * msg)
   VALUE val;
   RB_LDAPENTRY_DATA *edata;
   val = Data_Make_Struct (rb_cLDAP_Entry, RB_LDAPENTRY_DATA,
-			  0, 0 /* rb_ldap_entry_free */ , edata);
+			  0, rb_ldap_entry_free, edata);
   edata->ldap = ldap;
   edata->msg = msg;
   return val;
@@ -112,7 +113,7 @@ rb_ldap_entry_get_attributes (VALUE self)
   RB_LDAPENTRY_DATA *edata;
   VALUE vals;
   char *attr;
-  BerElement *ber;
+  BerElement *ber = NULL;
 
   GET_LDAPENTRY_DATA (self, edata);
 
@@ -122,15 +123,14 @@ rb_ldap_entry_get_attributes (VALUE self)
        attr = ldap_next_attribute (edata->ldap, edata->msg, ber))
     {
       rb_ary_push (vals, rb_tainted_str_new2 (attr));
+      ldap_memfree(attr);
     }
 
-  /* this code may cause segv
-     #if !defined(USE_OPENLDAP1)
-     if( ber != NULL ){
-     ber_free(ber, 0);
-     }
-     #endif
-   */
+    #if !defined(USE_OPENLDAP1)
+    if( ber != NULL ){
+      ber_free(ber, 0);
+    }
+    #endif
 
   return vals;
 }

data/extconf.rb

@@ -1,4 +1,4 @@
-#!/usr/bin/env ruby-1.4
+#!/usr/bin/env ruby
 #
 # extconf.rb for ldap extension
 # $Id: extconf.rb,v 1.7 2006/04/18 23:49:56 ianmacd Exp $
@@ -10,13 +10,14 @@ $INTERACTIVE = false
 
 if( ARGV.include?("--help") )
   print <<EOF
-  --with-ldap-dir    specify the LDAP directory.
+  --with-ldap-dir     specify the LDAP directory.
   --with-ldap-include specify the directory containing ldap.h and lber.h.
-  --with-ldap-lib    specify the directory containing the LDAP libraries.
-  --with-netscape    build with Netscape SDK.
-  --with-openldap1   build with OpenLDAP 1.x.
-  --with-openldap2   build with OpenLDAP 2.x.
-  --with-wldap32     Active Directory Client API.
+  --with-ldap-lib     specify the directory containing the LDAP libraries.
+  --with-netscape     build with Netscape SDK.
+  --with-mozilla      build with Mozilla SDK (Enables certificate authentication).
+  --with-openldap1    build with OpenLDAP 1.x.
+  --with-openldap2    build with OpenLDAP 2.x.
+  --with-wldap32      Active Directory Client API.
 
 The following are library configuration options:
   --with-libcrypto=crypto,   --without-libcrypto
@@ -40,7 +41,9 @@ def find_files(dir = nil)
     search_dirs =
       ["/usr/local", "/usr", "/opt"] +
       Dir.glob("/usr/local/./*ldap*").collect{|d| d.gsub(/\/\.\//, "/")} +
-      Dir.glob("/usr/./*ldap*").collect{|d| d.gsub(/\/\.\//, "/")}
+      Dir.glob("/usr/./*ldap*").collect{|d| d.gsub(/\/\.\//, "/") +
+        Dir.glob("/usr/lib{64,}/mozldap/*ldap*") + ["/usr/include/mozldap"]
+    }
   end
   for d in search_dirs
     h = File.join(d,"include","ldap.h")
@@ -48,21 +51,21 @@ def find_files(dir = nil)
     if( File.exist?(h) )
       l = Dir.glob(l)[0]
       if( l )
-	if( $INTERACTIVE )
-	  print("--with-ldap-dir=#{d} [y/n]")
-	  ans = $stdin.gets
-	  ans.chop!
-	  if( ans == "y" )
-	    result = [d, File.basename(l).split(".")[0][3..-1], File.basename(h)]
-	    return result
-	    break
-	  end
-	else
-	  print("--with-ldap-dir=#{d}\n")
-	  result = [d, File.basename(l).split(".")[0][3..-1], File.basename(h)]
-	  return result
-	  break
-	end
+        if( $INTERACTIVE )
+          print("--with-ldap-dir=#{d} [y/n]")
+          ans = $stdin.gets
+          ans.chop!
+          if( ans == "y" )
+            result = [d, File.basename(l).split(".")[0][3..-1], File.basename(h)]
+            return result
+            break
+          end
+        else
+          print("--with-ldap-dir=#{d}\n")
+          result = [d, File.basename(l).split(".")[0][3..-1], File.basename(h)]
+          return result
+          break
+        end
       end
     end
   end
@@ -83,6 +86,9 @@ def ldap_with_config(arg, default = nil)
 end
 
 $use_netscape  = ldap_with_config("netscape")
+if ldap_with_config("mozilla")
+  $use_netscape  = '6'
+end
 $use_openldap1 = ldap_with_config("openldap1")
 $use_openldap2 = ldap_with_config("openldap2")
 $use_wldap32   = ldap_with_config("wldap32")
@@ -100,9 +106,17 @@ if( !($use_netscape || $use_openldap1 || $use_openldap2 || $use_wldap32) )
   when /^ssldap50+$/, /^ldap50+$/
     print("--with-netscape=5")
     $use_netscape = "5"
+  when /^ssldap60+$/, /^ldap60+$/
+    print("--with-netscape=6")
+    $use_netscape = "6"
   else
-    print("--with-openldap2\n")
-    $use_openldap2 = true
+    if RUBY_PLATFORM =~ /-(:?mingw32|mswin32)/
+      print("--with-wldap32\n")
+      $use_wldap32 = true
+    else
+      print("--with-openldap2\n")
+      $use_openldap2 = true
+    end
   end
 end
 if( $use_netscape == true )
@@ -127,6 +141,27 @@ if( $use_netscape )
     $libns      = ldap_with_config("libns", "nspr4,plc4,plds4").split(",")
     $liblber    = ldap_with_config("liblber", "lber50")
     $libssl     = ldap_with_config("libssl", "ssl3")
+  when /^6/
+    %x{pkg-config --exists 'mozldap >= 6.0 nspr >= 4.0'}
+
+    if $? == 0
+      puts 'Mozzilla LDAP libs will be used.'
+      $mozlibs = %x{pkg-config mozldap nspr --libs}.chomp
+      $mozincs = %x{pkg-config mozldap nspr --cflags}.chomp
+    else
+      puts 'pkg-config reported that no right mozilla LDAP libs were found'
+      puts 'we need mozldap >= 6.0 and nspr >= 4.0'
+      exit 1
+    end
+
+    $defs << "-DUSE_NETSCAPE_SDK -DUSE_SSL_CLIENTAUTH"
+    #$libnsl     = ldap_with_config("libnsl", "nsl")
+    #$libpthread = ldap_with_config("libpthread", "pthread")
+    $libresolv  = ldap_with_config("libresolv", "resolv")
+    $libldap    = ldap_with_config("libldap", "ldap60")
+    $libns      = ldap_with_config("libns", "nspr4,plc4,plds4").split(",")
+    $liblber    = ldap_with_config("liblber", "lber60")
+    $libssl     = ldap_with_config("libssl", "ssl3")
   end
 end
 
@@ -173,6 +208,10 @@ if( $use_wldap32 )
   have_header("winldap.h")
   have_header("winlber.h")
   have_header("sys/time.h")
+elsif $use_netscape =~ /^6/
+  # mozilla
+  pkg_config('mozldap')
+  pkg_config('nspr')
 else
   ldap_h = have_header("ldap.h")
   lber_h = have_header("lber.h")
@@ -187,6 +226,7 @@ else
   have_header("openssl/crypto.h") || have_header("crypto.h")
 end
 
+$LIBS << ' -pthread'
 for l in [$libcrypto, $libssl, $libnsl, $libpthread, $libresolv,
           $libns, $liblber, $libldap_r, $libldap].flatten
   if( l )
@@ -194,7 +234,7 @@ for l in [$libcrypto, $libssl, $libnsl, $libpthread, $libresolv,
   end
 end
 
-have_func("ldap_init")
+have_func("ldap_init", 'ldap.h')
 have_func("ldap_set_option")
 have_func("ldap_get_option")
 have_func("ldap_start_tls_s") if $use_openldap2
@@ -242,7 +282,7 @@ end
 $run_test += " #{$slapd} #{$schema_dir}"
 
 
-File.open("Makefile","a"){|f|
+File.open("Makefile","a") do |f|
   f.print <<EOF
 
 test::
@@ -263,6 +303,7 @@ doc:
 unit:
 \t(cd test; $(RUBY_INSTALL_NAME) tc_ldif.rb)
 
-.PHONY:	doc
+.PHONY: doc
 EOF
-}
+
+end

data/ldap.c

@@ -88,6 +88,65 @@ rb_ldap_dn2ufn (VALUE self, VALUE dn)
     }
 }
 
+VALUE
+rb_ldap_explode_dn (VALUE self, VALUE dn, VALUE notypes)
+{
+    char **c_arr, **p;
+    char *c_dn;
+    VALUE ary;
+
+    if (dn == Qnil) 
+    {
+        return Qnil;
+    }
+
+    c_dn = StringValueCStr (dn);
+    if ((c_arr = ldap_explode_dn (c_dn, RTEST (notypes) ? 1 : 0)))
+    {
+        ary = rb_ary_new ();
+        for (p = c_arr; *p != NULL; p++)
+        {
+            rb_ary_push (ary, rb_tainted_str_new2 (*p));
+        }
+        ldap_value_free (c_arr);
+
+        return ary;
+    } 
+    else 
+    {
+        return Qnil;
+    }
+}
+
+VALUE
+rb_ldap_explode_rdn (VALUE self, VALUE rdn, VALUE notypes)
+{
+    char **c_arr, **p;
+    char *c_dn;
+    VALUE ary;
+
+    if (rdn == Qnil) 
+    {
+        return Qnil;
+    }
+
+    c_dn = StringValueCStr (rdn);
+    if ((c_arr = ldap_explode_rdn (c_dn, RTEST (notypes) ? 1 : 0))) 
+    {
+        ary = rb_ary_new ();
+        for (p = c_arr; *p != NULL; p++) {
+            rb_ary_push (ary, rb_tainted_str_new2 (*p));
+        }
+        ldap_value_free (c_arr);
+
+        return ary;
+    } 
+    else 
+    {
+        return Qnil;
+    }
+}
+
 /*
  * call-seq:
  * LDAP.mod(mod_type, attr, vals)  => LDAP::Mod
@@ -165,6 +224,9 @@ extern void Init_ldap_entry ();
 extern void Init_ldap_conn ();
 extern void Init_ldap_sslconn ();
 extern void Init_ldap_saslconn ();
+#ifdef USE_SSL_CLIENTAUTH
+extern void Init_ldap_clientauth ();
+#endif
 extern void Init_ldap_mod ();
 extern void Init_ldap_misc ();
 
@@ -246,6 +308,8 @@ Init_ldap ()
 
 
   rb_define_module_function (rb_mLDAP, "err2string", rb_ldap_err2string, 1);
+  rb_define_module_function (rb_mLDAP, "explode_dn", rb_ldap_explode_dn, 2);
+  rb_define_module_function (rb_mLDAP, "explode_rdn", rb_ldap_explode_rdn, 2);
   rb_define_module_function (rb_mLDAP, "dn2ufn", rb_ldap_dn2ufn, 1);
   rb_define_module_function (rb_mLDAP, "mod", rb_ldap_mod_s_new, -1);
   rb_define_module_function (rb_mLDAP, "hash2mods", rb_ldap_hash2mods, 2);
@@ -571,6 +635,9 @@ Init_ldap ()
   Init_ldap_conn ();
   Init_ldap_sslconn ();
   Init_ldap_saslconn ();
+#ifdef USE_SSL_CLIENTAUTH
+  Init_ldap_clientauth();
+#endif
   Init_ldap_entry ();
   Init_ldap_mod ();
   Init_ldap_misc ();

data/lib/ldap/control.rb

@@ -17,7 +17,7 @@ module LDAP
     #
     def Control.encode( *vals )
       encoded_vals = []
-     
+
       vals.each do |val|
         encoded_vals <<
           case val
@@ -29,7 +29,7 @@ module LDAP
             # What other types may exist?
           end
       end
-   
+
       OpenSSL::ASN1::Sequence.new( encoded_vals ).to_der
     end
 
@@ -40,7 +40,7 @@ module LDAP
       values = []
 
       OpenSSL::ASN1::decode( self.value ).value.each do |val|
-	values << val.value
+        values << val.value
       end
 
       values

data/lib/ldap/ldif.rb

@@ -37,22 +37,22 @@ module LDAP
     #
     def send( conn )
       if @change_type == :MODRDN
-	# TODO: How do we deal with 'newsuperior'?
-	# The LDAP API's ldap_modrdn2_s() function doesn't seem to use it.
-	return conn.modrdn( @dn, @attrs['newrdn'], @attrs['deleteoldrdn'] )
+        # TODO: How do we deal with 'newsuperior'?
+        # The LDAP API's ldap_modrdn2_s() function doesn't seem to use it.
+        return conn.modrdn( @dn, @attrs['newrdn'], @attrs['deleteoldrdn'] )
       end
 
       # Mask out the LDAP_MOD_BVALUES bit, as it's irrelevant here.
       case @change_type & ~LDAP_MOD_BVALUES
       when LDAP_MOD_ADD
-	@controls == [] ? conn.add( @dn, @attrs ) :
-			  conn.add_ext( @dn, @attrs, @controls, [] )
+        @controls == [] ? conn.add( @dn, @attrs ) :
+        conn.add_ext( @dn, @attrs, @controls, [] )
       when LDAP_MOD_DELETE
-	@controls == [] ? conn.delete( @dn ) :
-			  conn.delete_ext( @dn, @controls, [] )
+        @controls == [] ? conn.delete( @dn ) :
+        conn.delete_ext( @dn, @controls, [] )
       when LDAP_MOD_REPLACE
-	@controls == [] ? conn.modify( @dn, @mods ) :
-			  conn.modify_ext( @dn, @mods, @controls, [] )
+        @controls == [] ? conn.modify( @dn, @mods ) :
+        conn.modify_ext( @dn, @mods, @controls, [] )
       end
 
       self
@@ -75,7 +75,7 @@ module LDAP
       #
       %w[ creatorsname createtimestamp modifiersname modifytimestamp
           entrycsn entryuuid structuralobjectclass ].each do |attr|
-	@attrs.delete( attr )
+        @attrs.delete( attr )
       end
 
       # Clean out duplicate attribute values.
@@ -132,7 +132,7 @@ module LDAP
       unless url.sub!( %r(^file://), '' )
         raise ArgumentError, "Bad external file reference: #{url}"
       end
-  
+
       # Slurp an external file.
       # TODO: Support other URL types in the future.
       File.open( url ).readlines( nil )[0]
@@ -150,10 +150,10 @@ module LDAP
           sep = '::'
           val = base64_encode( val, true )
         end
-      
+
         firstline_len = LINE_LENGTH - ( "%s%s " % [ attr, sep ] ).length
         ldif << "%s%s %s\n" % [ attr, sep, val.slice!( 0..firstline_len ) ]
-      
+
         while val.length > 0
           ldif << " %s\n" % val.slice!( 0..LINE_LENGTH - 1 )
         end
@@ -182,173 +182,172 @@ module LDAP
       hash = {}
       mods = {}
       mod_type = nil
-      
+
       lines.each do |line|
-	# Skip (continued) comments.
-	if line =~ /^#/ || ( comment && line[0..0] == ' ' )
-	  comment = true
-	  next
-	end
-
-	# Skip blank lines.
-	next if line =~ /^$/
-
-	# Reset mod type if this entry has more than one mod to make.
-	# A '-' continuation is only valid if we've already had a
-	# 'changetype: modify' line.
-	if line =~ /^-$/ && change_type == LDAP_MOD_REPLACE
-	  next
-	end
-
-	line.chomp!
-
-	# N.B. Attributes and values can be separated by one or two colons,
-	# or one colon and a '<'. Either of these is then followed by zero
-	# or one spaces.
-	if md = line.match( /^[^ ].*?((:[:<]?) ?)/ )
-
-	  # If previous value was Base64-encoded and is not continued,
-	  # we need to decode it now.
-	  if sep == '::'
-	    if mod_type
-	      mods[mod_type][attr][-1] =
-		base64_decode( mods[mod_type][attr][-1] )
-		bvalues << attr if unsafe_char?( mods[mod_type][attr][-1] )
-	    else
-	      hash[attr][-1] = base64_decode( hash[attr][-1] )
-	      bvalues << attr if unsafe_char?( hash[attr][-1] )
-	    end
-
-	  end
-
-	  # Found a attr/value line.
-	  attr, val = line.split( md[1], 2 )
-	  attr.downcase!
-
-	  # Attribute must be ldap-oid / (ALPHA *(attr-type-chars))
-	  if attr !~ /^(?:(?:\d+\.)*\d+|[[:alnum:]-]+)(?:;[[:alnum:]-]+)*$/
-	    raise LDIFError, "Invalid attribute: #{attr}"
-	  end
-
-	  if attr == 'dn'
-	    header = false
-	    change_type = nil
-	    controls = []
-	  end
-	  sep = md[2]
-
-	  val = read_file( val ) if sep == ':<'
-
-	  case attr
-	  when 'version'
-	    # Check the LDIF version.
-	    if header
-	      if val != '1'
-		raise LDIFError, "Unsupported LDIF version: #{val}"
-	      else
-		header = false
-		next
-	      end
-	    end
-
-	  when 'changetype'
-	    change_type = case val
-			    when 'add'	     then LDAP_MOD_ADD
-			    when 'delete'    then LDAP_MOD_DELETE
-			    when 'modify'    then LDAP_MOD_REPLACE
-			    when /^modr?dn$/ then :MODRDN
-			  end
-
-	    raise LDIFError, "Invalid change type: #{attr}" unless change_type
-
-	  when 'add', 'delete', 'replace'
-	    unless change_type == LDAP_MOD_REPLACE
-	      raise LDIFError, "Cannot #{attr} here."
-	    end
-
-	    mod_type = case attr
-		         when 'add'	then LDAP_MOD_ADD
-		         when 'delete'	then LDAP_MOD_DELETE
-		         when 'replace'	then LDAP_MOD_REPLACE
-		       end
-
-	    mods[mod_type] ||= {}
-	    mods[mod_type][val] ||= []
-
-	  when 'control'
-
-	    oid, criticality = val.split( / /, 2 )
-
-	    unless oid =~ /(?:\d+\.)*\d+/
-	      raise LDIFError, "Bad control OID: #{oid}" 
-	    end
-
-	    if criticality
-	      md = criticality.match( /(:[:<]?) ?/ )
-	      ctl_sep = md[1] if md
-	      criticality, value = criticality.split( /:[:<]? ?/, 2 )
-
-	      if criticality !~ /^(?:true|false)$/
-	        raise LDIFError, "Bad control criticality: #{criticality}"
-	      end
-
-	      # Convert 'true' or 'false'. to_boolean would be nice. :-)
-	      criticality = eval( criticality )
-	    end
-
-	    if value
-	      value = base64_decode( value ) if ctl_sep == '::'
-	      value = read_file( value ) if ctl_sep == ':<'
-	      value = Control.encode( value )
-	    end
-
-	    controls << Control.new( oid, value, criticality )
-	  else
-
-	    # Convert modrdn's deleteoldrdn from '1' to true, anything else
-	    # to false. Should probably raise an exception if not '0' or '1'.
-	    #
-	    if change_type == :MODRDN && attr == 'deleteoldrdn'
-	      val = val == '1' ? true : false
-	    end
-
-	    if change_type == LDAP_MOD_REPLACE
-	      mods[mod_type][attr] << val
-	    else
-	      hash[attr] ||= []
-	      hash[attr] << val
-	    end
-
-	    comment = false
-
-	    # Make a note of this attribute if value is binary.
-	    bvalues << attr if unsafe_char?( val )
-	  end
-
-	else
-
-	  # Check last line's separator: if not a binary value, the
-	  # continuation line must be indented. If a comment makes it this
-	  # far, that's also an error.
-	  #
-	  if sep == ':' && line[0..0] != ' ' || comment
-	    raise LDIFError, "Improperly continued line: #{line}"
-	  end
-
-	  # OK; this is a valid continuation line.
-
-	  # Append line except for initial space.
-	  line[0] = '' if line[0..0] == ' '
-
-	  if change_type == LDAP_MOD_REPLACE
-	    # Append to last value of current mod type.
-	    mods[mod_type][attr][-1] << line
-	  else
-	    # Append to last value.
-	    hash[attr][-1] << line
-	  end
-	end
-	
+        # Skip (continued) comments.
+        if line =~ /^#/ || ( comment && line[0..0] == ' ' )
+          comment = true
+          next
+        end
+
+        # Skip blank lines.
+        next if line =~ /^$/
+
+        # Reset mod type if this entry has more than one mod to make.
+        # A '-' continuation is only valid if we've already had a
+        # 'changetype: modify' line.
+        if line =~ /^-$/ && change_type == LDAP_MOD_REPLACE
+          next
+        end
+
+        line.chomp!
+
+        # N.B. Attributes and values can be separated by one or two colons,
+        # or one colon and a '<'. Either of these is then followed by zero
+        # or one spaces.
+        if md = line.match( /^[^ ].*?((:[:<]?) ?)/ )
+
+          # If previous value was Base64-encoded and is not continued,
+          # we need to decode it now.
+          if sep == '::'
+            if mod_type
+              mods[mod_type][attr][-1] =
+                base64_decode( mods[mod_type][attr][-1] )
+              bvalues << attr if unsafe_char?( mods[mod_type][attr][-1] )
+            else
+              hash[attr][-1] = base64_decode( hash[attr][-1] )
+              bvalues << attr if unsafe_char?( hash[attr][-1] )
+            end
+          end
+
+          # Found a attr/value line.
+          attr, val = line.split( md[1], 2 )
+          attr.downcase!
+
+          # Attribute must be ldap-oid / (ALPHA *(attr-type-chars))
+          if attr !~ /^(?:(?:\d+\.)*\d+|[[:alnum:]-]+)(?:;[[:alnum:]-]+)*$/
+            raise LDIFError, "Invalid attribute: #{attr}"
+          end
+
+          if attr == 'dn'
+            header = false
+            change_type = nil
+            controls = []
+          end
+          sep = md[2]
+
+          val = read_file( val ) if sep == ':<'
+
+          case attr
+          when 'version'
+            # Check the LDIF version.
+            if header
+              if val != '1'
+                raise LDIFError, "Unsupported LDIF version: #{val}"
+              else
+                header = false
+                next
+              end
+            end
+
+          when 'changetype'
+            change_type = case val
+              when 'add'       then LDAP_MOD_ADD
+              when 'delete'    then LDAP_MOD_DELETE
+              when 'modify'    then LDAP_MOD_REPLACE
+              when /^modr?dn$/ then :MODRDN
+            end
+
+            raise LDIFError, "Invalid change type: #{attr}" unless change_type
+
+          when 'add', 'delete', 'replace'
+            unless change_type == LDAP_MOD_REPLACE
+              raise LDIFError, "Cannot #{attr} here."
+            end
+
+            mod_type = case attr
+              when 'add'     then LDAP_MOD_ADD
+              when 'delete'  then LDAP_MOD_DELETE
+              when 'replace' then LDAP_MOD_REPLACE
+            end
+
+            # In this case val is actually an attribute and should be lowercased. 
+            mods[mod_type] ||= {}
+            mods[mod_type][val.downcase] ||= []
+
+          when 'control'
+            oid, criticality = val.split( / /, 2 )
+
+            unless oid =~ /(?:\d+\.)*\d+/
+              raise LDIFError, "Bad control OID: #{oid}" 
+            end
+
+            if criticality
+              md = criticality.match( /(:[:<]?) ?/ )
+              ctl_sep = md[1] if md
+              criticality, value = criticality.split( /:[:<]? ?/, 2 )
+
+              if criticality !~ /^(?:true|false)$/
+                raise LDIFError, "Bad control criticality: #{criticality}"
+              end
+
+              # Convert 'true' or 'false'. to_boolean would be nice. :-)
+              criticality = eval( criticality )
+            end
+
+            if value
+              value = base64_decode( value ) if ctl_sep == '::'
+              value = read_file( value ) if ctl_sep == ':<'
+              value = Control.encode( value )
+            end
+
+            controls << Control.new( oid, value, criticality )
+
+          else
+            # Convert modrdn's deleteoldrdn from '1' to true, anything else
+            # to false. Should probably raise an exception if not '0' or '1'.
+            #
+            if change_type == :MODRDN && attr == 'deleteoldrdn'
+              val = val == '1' ? true : false
+            end
+
+            if change_type == LDAP_MOD_REPLACE
+              mods[mod_type][attr] << val
+            else
+              hash[attr] ||= []
+              hash[attr] << val
+            end
+
+            comment = false
+
+            # Make a note of this attribute if value is binary.
+            bvalues << attr if unsafe_char?( val )
+
+          end
+
+        else
+          # Check last line's separator: if not a binary value, the
+          # continuation line must be indented. If a comment makes it this
+          # far, that's also an error.
+          #
+          if sep == ':' && line[0..0] != ' ' || comment
+            raise LDIFError, "Improperly continued line: #{line}"
+          end
+
+          # OK; this is a valid continuation line.
+
+          # Append line except for initial space.
+          line[0] = '' if line[0..0] == ' '
+
+          if change_type == LDAP_MOD_REPLACE
+            # Append to last value of current mod type.
+            mods[mod_type][attr][-1] << line
+          else
+            # Append to last value.
+            hash[attr][-1] << line
+          end
+        end
+
       end
 
       # If last value in LDIF entry was Base64-encoded, we need to decode
@@ -356,11 +355,11 @@ module LDAP
       if sep == '::'
         if mod_type
           mods[mod_type][attr][-1] =
-	    base64_decode( mods[mod_type][attr][-1] )
-	  bvalues << attr if unsafe_char?( mods[mod_type][attr][-1] )
+            base64_decode( mods[mod_type][attr][-1] )
+          bvalues << attr if unsafe_char?( mods[mod_type][attr][-1] )
         else
           hash[attr][-1] = base64_decode( hash[attr][-1] )
-	  bvalues << attr if unsafe_char?( hash[attr][-1] )
+          bvalues << attr if unsafe_char?( hash[attr][-1] )
         end
       end
 
@@ -377,47 +376,43 @@ module LDAP
 
       case change_type
       when LDAP_MOD_ADD
+        mods[LDAP_MOD_ADD] = []
 
-	mods[LDAP_MOD_ADD] = []
-
-	hash.each do |attr_local, val|
-	  if bvalues.include?( attr_local )
-	    ct = LDAP_MOD_ADD | LDAP_MOD_BVALUES
-	  else
-	    ct = LDAP_MOD_ADD
-	  end
+        hash.each do |attr_local, val|
+          if bvalues.include?( attr_local )
+            ct = LDAP_MOD_ADD | LDAP_MOD_BVALUES
+          else
+            ct = LDAP_MOD_ADD
+          end
 
-	  mods[LDAP_MOD_ADD] << LDAP.mod( ct, attr_local, val )
-	end
+          mods[LDAP_MOD_ADD] << LDAP.mod( ct, attr_local, val )
+        end
 
       when LDAP_MOD_DELETE
-
-	# Nothing to do.
+        # Nothing to do.
 
       when LDAP_MOD_REPLACE
+        raise LDIFError, "mods should not be empty" if mods == {}
 
-	raise LDIFError, "mods should not be empty" if mods == {}
+        new_mods = {}
 
-	new_mods = {}
+        mods.each do |mod_type_local,attrs|
+          attrs.each_key do |attr_local|
+            if bvalues.include?( attr_local )
+              mt = mod_type_local | LDAP_MOD_BVALUES
+            else
+              mt = mod_type_local
+            end
 
-	mods.each do |mod_type_local,attrs|
-	  attrs.each_key do |attr_local|
-	    if bvalues.include?( attr_local )
-	      mt = mod_type_local | LDAP_MOD_BVALUES
-	    else
-	      mt = mod_type_local
-	    end
-
-	    new_mods[mt] ||= {}
-	    new_mods[mt][attr_local] = mods[mod_type_local][attr_local]
-	  end
-	end
+            new_mods[mt] ||= {}
+            new_mods[mt][attr_local] = mods[mod_type_local][attr_local]
+          end
+        end
 
-	mods = new_mods
+        mods = new_mods
 
       when :MODRDN
-
-	# Nothing to do.
+        # Nothing to do.
 
       end
 
@@ -439,53 +434,53 @@ module LDAP
     def LDIF.parse_file( file, sort=false ) # :yield: record
 
       File.open( file ) do |f|
-	entries = []
-	entry = false
-	header = true
-	version = false
-
-	while line = f.gets
-
-	  if line =~ /^dn:/
-	    header = false
-
-	    if entry && ! version
-	      if block_given?
-		yield parse_entry( entry )
-	      else
-	        entries << parse_entry( entry )
-	      end
-	    end
-
-	    if version
-	      entry << line
-	      version = false
-	    else
-	      entry = [ line ]
-	    end
-
-	    next
-	  end
-
-	  if header && line.downcase =~ /^version/
-	    entry = [ line ]
-	    version = true
-	    next
-	  end
-	
-	  entry << line
-	end
-
-	if block_given?
-	  yield parse_entry( entry )
-	  nil
-	else
-	  entries << parse_entry( entry )
-
-	  # Sort entries if sorting has been requested.
-	  entries.sort! { |x,y| x.dn.length <=> y.dn.length } if sort
-	  entries
-	end
+        entries = []
+        entry = false
+        header = true
+        version = false
+
+        while line = f.gets
+
+          if line =~ /^dn:/
+            header = false
+
+            if entry && ! version
+              if block_given?
+                yield parse_entry( entry )
+              else
+                entries << parse_entry( entry )
+              end
+            end
+
+            if version
+              entry << line
+              version = false
+            else
+              entry = [ line ]
+            end
+
+            next
+          end
+
+          if header && line.downcase =~ /^version/
+            entry = [ line ]
+            version = true
+            next
+          end
+
+          entry << line
+        end
+
+        if block_given?
+          yield parse_entry( entry )
+          nil
+        else
+          entries << parse_entry( entry )
+
+          # Sort entries if sorting has been requested.
+          entries.sort! { |x,y| x.dn.length <=> y.dn.length } if sort
+          entries
+        end
 
       end
 
@@ -503,10 +498,10 @@ module LDAP
         # TODO: Need to dynamically assemble this case statement to add
         # OpenLDAP's increment change type, etc.
         change_type = case mod.mod_op & ~LDAP_MOD_BVALUES
-			when LDAP_MOD_ADD     then 'add'
-			when LDAP_MOD_DELETE  then 'delete'
-			when LDAP_MOD_REPLACE then 'replace'
-		      end
+          when LDAP_MOD_ADD     then 'add'
+          when LDAP_MOD_DELETE  then 'delete'
+          when LDAP_MOD_REPLACE then 'replace'
+        end
 
         ldif << "-\n" if plural
         ldif << LDIF.to_ldif( change_type, mod.mod_type )
@@ -529,9 +524,9 @@ module LDAP
       ldif = "dn: %s\n" % get_dn
 
       get_attributes.each do |attr|
-	get_values( attr ).each do |val|
-	  ldif << LDIF.to_ldif( attr, [ val ] )
-	end
+        get_values( attr ).each do |val|
+          ldif << LDIF.to_ldif( attr, [ val ] )
+        end
       end
 
       LDIF::Entry.new( ldif )
@@ -540,7 +535,7 @@ module LDAP
     alias_method :to_s, :to_ldif
   end
 
-  
+
   class Mod
 
     # Convert an LDAP::Mod with the DN given in +dn+ to LDIF.
@@ -552,11 +547,11 @@ module LDAP
       # OpenLDAP's increment change type, etc.
       case mod_op & ~LDAP_MOD_BVALUES
       when LDAP_MOD_ADD
-	ldif << "changetype: add\n"
+        ldif << "changetype: add\n"
       when LDAP_MOD_DELETE
-	ldif << "changetype: delete\n"
+        ldif << "changetype: delete\n"
       when LDAP_MOD_REPLACE
-	return LDIF.mods_to_ldif( dn, self )
+        return LDIF.mods_to_ldif( dn, self )
       end
 
       ldif << LDIF.to_ldif( mod_type, mod_vals )