
Re: Aliasing entries with reserved characters



Am 16.02.2011 01:27, schrieb MJ Hughes:
> On Wed, Feb 16, 2011 at 2:50 AM, Christian Manal <
> moenoel@informatik.uni-bremen.de> wrote:
> 
>> Am 15.02.2011 08:04, schrieb MJ Hughes:
>>> Hi,
>>>
>>>
>>> I'm an LDAP newbie who has inherited the maintenance of an LDAP system,
>> and
>>> am learning on the fly.  Until now I've been able to puzzle out all the
>>> issues I've faced, but finally my google fu has failed me, so I'm seeking
>>> more human assistance.
>>>
>>>
>>> My problem is with reserved characters, such as , (comma).  The system
>>> wasn't coping with RDNs that contained these characters, but this was
>> easy
>>> enough to fix by simply escaping these characters with a backslash.
>>>
>>>
>>> My problem now involves trying to alias entries that contain these
>> escaped
>>> characters - I am consistently getting "Invalid DN syntax".  This is what
>>> the code to add the alias looks like:
>>>
>>>
>>>
>>> $operationDN = "aliasedObjectName=" . $this->aliasSafe($aliasDN) . "," . $locDN;
>>>
>>> $aliasParameterArray = array(
>>>     "objectClass"       => "alias",
>>>     "aliasedObjectName" => $aliasDN
>>> );
>>>
>>> $result = ldap_add($this->LDAPcon, $operationDN, $aliasParameterArray);
>>>
>>>
>>>
>>> The aliasSafe() function converts "=" => "\3D" and "," => "\," (unless
>> the
>>> commas have already been escaped).
>>>
>>>
>>> This produces DNs that have the following (hypothetical) format:
>>>
>>>
>>>
>>> $aliasDN: cn=Tomorrow\, When The War Began,cn=books,dc=library,dc=com
>>>
>>>
>>> $operationDN: cn\3DTomorrow\, When The War
>>> Began\,cn\3Dbooks\,dc\3Dlibrary\,dc\3Dcom,cn=titles,cn=John
>>> Marsden,cn=authors,dc=library,dc=com
>>>
>>>
>>>
>>> I've tried every encoding of the comma (in the book name) that I can
>> think
>>> of (eg, a single backslash, a double backslash, a triple backslash, and
>> even
>>> '\2C') but everything I've tried so far has given me the "Invalid DN
>> syntax"
>>> error.  Could someone please help me with the syntax and encoding these
>> DNs
>>> should have?
>>>
>>>
>>> Thanks,
>>>
>>> MJ
>>>
>>
>>
>> Hi,
>>
>> have a look at RFC 1485 section 2.2:
>>
>>   <http://www.faqs.org/rfcs/rfc1485.html>
>>
>> Double quotes around the RDN will solve your problem.
>>
>>
>> Regards,
>> Christian Manal
>>
> 
> Hi again,
> 
> I was wondering if I could request further assistance with this problem.  I
> have tried double quotes around the RDN in various combinations but so far
> have continued to get the "Invalid DN syntax" error.
> 
> Part of the problem is that I'm not sure where the quotes should go in each
> of the DNs, and whether they need to be escaped.  I have tried all the
> combinations which seemed likely, such as:

Well, read the RFC I linked. There's an example in there:

   CN=L. Eagle, O="Sue, Grabbit and Runn", C=GB

Also, from your other email, I didn't find any mention that RFC 1485 is
deprecated and doing it like in the example works for me.


> $aliasDN: cn="Tomorrow\, When The War Began",cn=books,dc=library,dc=com
> $operationDN: "cn\3DTomorrow\, When The
> War Began\,cn\3Dbooks\,dc\3Dlibrary\,dc\3Dcom",cn=titles,cn=John
> Marsden,cn=authors,dc=library,dc=com
> 
> And
> 
> $aliasDN: cn="Tomorrow\, When The War Began",cn=books,dc=library,dc=com
> $operationDN: cn\3D\"Tomorrow\, When The
> War Began\"\,cn\3Dbooks\,dc\3Dlibrary\,dc\3Dcom,cn=titles,cn=John
> Marsden,cn=authors,dc=library,dc=com
> 
> Could someone please help me with where the quotes are supposed to go, and
> whether they should be escaped?

Is $operationDN what you actually throw at the LDAP server? You know
that you mustn't mask the equal signs that are actually part of the DN
syntax? You also mustn't escape the commas when you already use double
quotes. And it looks like you kinda maim the DN by adding $localDN to
it. Is this really what you want?

> cn="Tomorrow, When The War Began",cn=books,dc=library,dc=com,cn=titles,cn=John Marsden,cn=authors,dc=library,dc=com

Wouldn't this make more sense?

> cn="Tomorrow, When The War Began",cn=titles,cn=John Marsden,cn=authors,dc=library,dc=com


Another problem is probably your use of escaping and quotes. When you
put a string into double quotes and use a single backslash to escape the
comma ("cn=foo\, bar"), PHP (I assume it's PHP?) will interpret this as
an escape sequence of its own. That way the LDAP server doesn't get the
literal "\," but what the PHP interpreter makes of it. You either have to
use single quotes or escape the escape character, so PHP won't mess with it.

I.e. either

   'cn=Tomorrow\, When The War Began,cn=books,dc=library,dc=com'

or

   "cn=Tomorrow\\, When The War Began,cn=books,dc=library,dc=com"

or one of the double quote variants

   "cn=\"Tomorrow, When The War Began\",cn=books,dc=library,dc=com"

   'cn="Tomorrow, When The War Began",cn=books,dc=library,dc=com'


Regards,
Christian Manal
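As an added example for this thread (not code from either poster), the script below builds the DNs from the question in PHP with the escaping rules of RFC 4514 section 2.4, the current successor of RFC 1485/1779/2253, which uses the backslash form for DNs an application generates. It shows the two points that went wrong above: only attribute values are escaped, never the attribute type or the '=' and ',' that are DN syntax; and when the RDN value is itself a DN (the alias's aliasedObjectName RDN), that string is escaped one more time for the RDN, while the aliasedObjectName attribute value stays the plain target DN. The function names rdnValueEscape() and buildDn(), the sample DNs and the $conn handle are assumptions made for illustration.

```php
<?php
// Added example for this thread, not code from the original post. It shows
// the RFC 4514 (section 2.4) escaping rules for RDN values and builds the
// alias DN from the question without escaping the structural '=' and ','.
// rdnValueEscape(), buildDn() and the sample DNs are constructed for
// illustration; $conn stands for an ldap_connect() handle you already have.

/**
 * Escape a single attribute value for use inside an RDN (RFC 4514, 2.4).
 * Only the value is escaped: the attribute type and the '=' after it are
 * DN syntax and must be left alone (hex-escaping them as \3D is what
 * produced "Invalid DN syntax" in the question).
 */
function rdnValueEscape(string $value): string
{
    $out = '';
    $len = strlen($value);
    for ($i = 0; $i < $len; $i++) {
        $c = $value[$i];
        if ($c === "\0") {
            $out .= '\\00';            // NUL may only appear as a hex pair
        } elseif (strpos('\\,+"<>;=', $c) !== false) {
            $out .= '\\' . $c;         // '=' is optional to escape; done for safety
        } else {
            $out .= $c;                // UTF-8 bytes and inner spaces stay literal
        }
    }
    // A leading space or '#', and a trailing space, must also be escaped.
    if ($out !== '' && ($out[0] === ' ' || $out[0] === '#')) {
        $out = '\\' . $out;
    }
    if ($out !== '' && substr($out, -1) === ' ') {
        $out = substr($out, 0, -1) . '\\ ';
    }
    return $out;
}

/** Build a DN from [type, value] pairs, most specific RDN first. */
function buildDn(array $rdns): string
{
    $parts = [];
    foreach ($rdns as [$type, $value]) {
        $parts[] = $type . '=' . rdnValueEscape($value);
    }
    return implode(',', $parts);
}

// Constructed sample data matching the question.
$targetDn = buildDn([
    ['cn', 'Tomorrow, When The War Began'],
    ['cn', 'books'],
    ['dc', 'library'],
    ['dc', 'com'],
]);
// $targetDn is now: cn=Tomorrow\, When The War Began,cn=books,dc=library,dc=com

$aliasParentDn = buildDn([
    ['cn', 'titles'],
    ['cn', 'John Marsden'],
    ['cn', 'authors'],
    ['dc', 'library'],
    ['dc', 'com'],
]);

// The alias RDN's value is the whole target DN, so that string is escaped
// once more: its '=' become '\=', its ',' become '\,' and the existing '\,'
// becomes '\\\,'. The '=' after "aliasedObjectName" is DN syntax and stays.
$aliasDn = 'aliasedObjectName=' . rdnValueEscape($targetDn) . ',' . $aliasParentDn;

// The attribute VALUE is the plain target DN: no extra escaping layer here.
// Single-quoted PHP strings keep the backslashes literal, as the reply notes.
$entry = [
    'objectClass'       => 'alias',
    'aliasedObjectName' => $targetDn,
];

// Self-checks so the script can be run offline with `php` (zend.assertions
// enabled) before anything is sent to a server.
assert(rdnValueEscape('Tomorrow, When The War Began') === 'Tomorrow\, When The War Began');
assert(rdnValueEscape(' #leading and trailing ') === '\ #leading and trailing\ ');
assert(rdnValueEscape('a+b<c>d;e"f\\g') === 'a\+b\<c\>d\;e\"f\\\\g');
assert($aliasDn === 'aliasedObjectName=cn\=Tomorrow\\\\\, When The War Began\,cn\=books\,dc\=library\,dc\=com,'
    . 'cn=titles,cn=John Marsden,cn=authors,dc=library,dc=com');

// With a real connection (assumed handle, bind DN and password):
// $conn = ldap_connect('ldap://localhost'); ldap_bind($conn, $bindDn, $password);
// $ok = ldap_add($conn, $aliasDn, $entry);
echo $aliasDn, PHP_EOL;
```

PHP 5.6 and later also ship ldap_escape($value, '', LDAP_ESCAPE_DN), which covers the same punctuation; the hand-written version is used here so the rules are visible and so the double escaping of the nested DN is explicit. Whatever the escaping function, the attribute value handed to ldap_add() must be the unescaped target DN, and the string passed as the entry DN must never have its type names or the separators between RDNs escaped.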