Characters in DN

[Pierangelo Masarati <masarati@aero.polimi.it>]

I note from RFC 2253 that


>    If the UTF-8 string does not have any of the following characters
>    which need escaping, then that string can be used as the string
>    representation of the value.
>
>     o   a space or "#" character occurring at the beginning of the
>         string
>
>     o   a space character occurring at the end of the string
>
>     o   one of the characters ",", "+", """, "\", "<", ">" or ";"
>
>    Implementations MAY escape other characters.
>

but  OpenLDAP's dn parsing functions don't seem to consider anything
but dn and rdn separators (see for instance
servers/slapd/dn.c:dn_validate
and macro RDN_NEEDSESCAPE in servers/slapd/slap.h).
I guess it should read

#define RDN_NEEDSESCAPE(c)      ((c) == '\\' || (c) == '"' || (c) == '<'
|| (c) == '>')

as a consequence, if I add an entry of the form

dn: cn=\<Ando\>,dc=my,dc=org
...

and then an entry

dn: cn=<Ando>,dc=my,dc=org
...

they are treated like they're the same (correct) but only because
the escapes '\' of chars that do not need escape (according to
RDN_NEEDSESCAPE) are ignored when validating dns. I guess
the second example (cn=<Ando>,dc=my,dc=org) should rather
be treated as an error.

should I go on and fix it?

On another note, I made a change to rdn_attrs that eliminates
escapes from attribute values parsed out of a rdn to perform
attribute add[/delete] when changing a rdn, so that

dn: cn=whois\+\++uid=somethingelse

results in adding

cn=whois++
uid=somethingelse

to the entry. I didn't find anything about this on RFCs. Does anybody
have any comments before I commit the change?

Ando.

--
Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 | mailto:masarati@aero.polimi.it
via La Masa 34, 20156 Milano, Italy   | http://www.aero.polimi.it/~masarati