[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Error searching DNs with escaped special characters

To: <big_nikita@mtu-net.ru>
Subject: Re: Error searching DNs with escaped special characters
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Tue, 22 Jul 2003 15:08:02 +0200 (CEST)
Cc: <openldap-software@OpenLDAP.org>
Importance: Normal
In-reply-to: <200307221221.20578.big_nikita@mtu-net.ru>
References: <1081A20EF2D60C45823EB0E11429B839862FE1@mail2.invizeon.com> <200307181710.43409.big_nikita@mtu-net.ru> <62814.81.72.89.40.1058814460.squirrel@webmail.sys-net.it> <200307221221.20578.big_nikita@mtu-net.ru>

> On Monday 21 July 2003 23:07, Pierangelo Masarati wrote:
>> Actually, rethinking my previous post, the latter is correct:
>>
>>     dn: x509issuer=CN=test \5C\22sa\5C\22 sadf\,C=RU,O=ca
>>
>> while this is wrong:
>>
>>     dn: x509issuer=CN=test \22sa\22 sadf\,C=RU,O=ca
>>
>> Another perfectly legal form is:
>>
>>     dn: x509issuer=CN=test \\\"sa\\\" sadf\,C=RU,O=ca
>>
>> Let me elaborate on this (I couldn't wonder what yoo were
>> going to escape until Michael Stroeder directed me to the
>> schema definition of x509issuer :)
>>
>> Your DN holds, as RDN, an attribute whose syntax is
>> distinguishedName.  Then, the attribute value, in string
>> representation, is:
>>
>>     CN=test \"sa\" sadf,C=RU
>>
>> note that the double quotes are escaped because inside
>> a DN, while the comma isn't because it is separating
>> a RDN from its parent.
> Thank you for complete explanation
>
> But I am thinking that this behavior of slapd not right
> and does not correspond RFC2253.

Why?  If you have a legal RDN and you extract the value
of an associated AVA, you should get a legal value.
But if that AVA is DN-valued, the special chars must
still be escaped, otherwise the value of the AVA would
not be a legal DN.  As a consequence, the special chars
and the escape char, which is special, must be escaped
on turn.

>
>> When whis value is used inside another DN, all the special
>> chars it contains must be escaped further;
> ??? Why it MUST be escaped further???
> Where are this behavior described in RFC???

It is not described in RFC.  It's my deduction of RFC's
meaning, corroborated by the plain recursive application
of slapd's DN escaping when a DN-valued attributeis used
in the RDN.  If you have a better interpretation of the
RFC that goes beyond "I think it is not right", please
state it, and suggest corrections.

>
>> so its escape
>> value becomes:
>>
>>     CN=test \\\"sa\\\" sadf\,C=RU
>>
>> note that backslash itself needs be escaped; the same
>> applies to the quotes, as seen before.  The comma must
>> also be escaped because now it is part of a single value
>> in a RDN.  As a results you get
>>
>>     x509issuer=CN=test \\\"sa\\\" sadf\,C=RU,O=ca
>>
>>                \-----DN-valued attr--------/
>>     \-----------------RDN------------------/
>>
>> This is what slapd currently interprets as I expect.
>>
>> p.
>
> --
> Wbr
> Nikita

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

Follow-Ups:
- Re: Error searching DNs with escaped special characters
  - From: Nikita Bige <big_nikita@mtu-net.ru>

References:
- Error searching DNs with escaped special characters
  - From: "Ken Turley" <kturley@invizeon.com>
- Re: Error searching DNs with escaped special characters
  - From: Nikita Bige <big_nikita@mtu-net.ru>
- Re: Error searching DNs with escaped special characters
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: Error searching DNs with escaped special characters
  - From: Nikita Bige <big_nikita@mtu-net.ru>

Prev by Date: Re: TLS or plain?
Next by Date: Re: TLS or plain?
Index(es):
- Chronological
- Thread