Re: "Bad search filter"?

[Philip Guenther <guenther+ldapsoft@sendmail.com>]

On Fri, 23 Apr 2010, Luis Neves wrote:
> Can someone confirm this error please?
> 
> Try to make a ldapsearch agains any attribute on a ldap directory with 
> this filter please:
> 
> 'Cart\xC3\xA3o'
> 
> Iam geting "bad search filter' because of the '\x'. But I need this 
> search working to be able to query a X.509 Certificate field.

Indeed, that's not a valid value in an LDAP search filter.  You need to 
distinguish between the true value and *an* encoded value and make sure 
you're using the correct encoding for the protocol or format.  In this 
case,
	Cart\xC3\xA3o

is the value as encoded by openssl's x509 code for displaying DNs.  The 
true value consists of the UTF-8 representation of the letters 'C', 'a', 
'r', 't', 'a with tilde', and 'o'.  To include that in an LDAP search 
filter, you need to follow the rules in RFC 4515.  If you do that, you 
get:
	Cart\C3\A3o

That's an easy one, but other encodings have more baggage, like RFC 2047's 
encoding for email header fields, in which this would be:
	=?utf-8?q?Cart=C3=A3o?=

(If you consider the character to be the true value, independent of the 
charset used, then you might consider this:
	=?iso-8859-1?q?Cart=E3o?=
to be the same...)


Philip Guenther