
Re: Fw: Reserved characters for a LDAP URI



Dear McMeeking,

Thank you for pointing out the alternative for escaping the comma
character ',' in a LDAP DN string.

It seems that RFC 2253 requires that the comma character ',' inside
an RDN AttributeValue must be escaped as "\," rather than "\2C".
I think RFC 2253 does not allow the comma character ',' to be escaped
as "\2C".

From RFC 2253 Section 2.4:

   If the UTF-8 string does not have any of the following characters
   which need escaping, then that string can be used as the string
   representation of the value.

    o   a space or "#" character occurring at the beginning of the
        string

    o   a space character occurring at the end of the string

    o   one of the characters ",", "+", """, "\", "<", ">" or ";"

   Implementations MAY escape other characters.

   If a character to be escaped is one of the list shown above, then it
   is prefixed by a backslash ('\' ASCII 92).

   Otherwise the character to be escaped is replaced by a backslash and
   two hex digits, which form a single byte in the code of the
   character.

I believe that it means that the special characters listed above must be
"prefixed by a backslash", while other characters can be "replaced by a
backslash and two hex digits".

However, LDAPbis now seems to allow the comma character ',' to be
escaped as "\2C".

From Draft-ietf-ldapbis-dn-08 Section 2.4:

  ...... If that UTF-8 encoded UCS string does not have any
  of the following characters which need escaping, then that string can
  be used as the string representation of the value.

      - a space (" " U+00020) or number sign ("#" U+00023) occurring at
        the beginning of the string;

      - a space (" " U+00020) character occurring at the end of the
        string;

      - one of the characters """, "+", ",", ";", "<", ">",  or "\"
        (U+00022, U+0002B, U+0002C, U+0003B, U+0003C, U+0003E, or
        U+0005C respectively);

      - the null (U+00000) character.

  Other characters may be escaped.

  Each octet of the character to be escaped is replaced by a backslash
  and two hex digits, which form a single octet in the code of the
  character.  Alternatively, if and only if the character to be escaped
  is one of

      " ", """, "#", "+", ",", ";", "<", "=", ">", or "\"
      (U+00020, U+00022, U+00023, U+0002B, U+0002C, U+0003B,
       U+0003C, U+0003D, U+0003E, U+0005C respectively)

  it can be prefixed by a backslash ("\" U+00005C).

It seems that LDAPbis now prefers the comma character ',' to be escaped as
"\2C", but alternatively it can also be escaped as "\,".

Since RFC 2253 does not allow the comma character ',' to be escaped
as "\2C" but LDAPbis does, I believe that there will be some
backward-compatibility issue between RFC 2253 and LDAPbis.

Wen-Cheng Wang
Telecommunication Labs,
Chunghwa Telecom Co., Ltd.


----- Original Message -----
From: "John McMeeking" <jmcmeek@us.ibm.com>
To: "Michael Ströder" <michael@stroeder.com>
Cc: <ietf-ldapbis@OpenLDAP.org>; <ietf-pkix@imc.org>;
<owner-ietf-ldapbis@OpenLDAP.org>; "Wen-Cheng Wang" <wcwang@cht.com.tw>
Sent: Tuesday, December 24, 2002 1:52 AM
Subject: Re: Fw: Reserved characters for a LDAP URI


> I'd start with the proper string representation of the URL (from RFC2253),
> which states that the "," in the ou value should be escaped as "\2C"
>
> ou=PKI IWG,o=Chunghwa Telecom Co.\2C Ltd.,c=TW
>
> From there, convert the string form of the DN to a URL, replacing the space
> (%20) and \ (%5C) characters:
>
> ou=PKI%20IWG,o=Chunghwa%20Telecom%20Co.%5C2C%20Ltd.,c=TW
>
>
> John McMeeking
>
> Michael Ströder <michael@stroeder.com>
> Sent by: owner-ietf-ldapbis@OpenLDAP.org
> To: Wen-Cheng Wang <wcwang@cht.com.tw>
> cc: ietf-ldapbis@OpenLDAP.org, ietf-pkix@imc.org
> Subject: Re: Fw: Reserved characters for a LDAP URI
> 12/23/2002 04:48 AM
>
> Wen-Cheng Wang wrote:
> >
> > Taiwan side believes that the DN component in a LDAP URI should
> > be:
> >
> > ou=PKI%20IWG,o=Chunghwa%20Telecom%20Co.%5C,%20Ltd.,c=TW
> >
> > However, Japan side insists that it should be:
> >
> > ou=PKI%20IWG,o=Chunghwa%20Telecom%20Co.%5C%2C%20Ltd.,c=TW
>
> There is one more possibility. ;-)
>
> ou%3DPKI%20IWG%2Co%3DChunghwa%20Telecom%20Co.%5C%2C%20Ltd.%2Cc%3DTW
>
> I think in case of LDAP URLs all these variants are equivalent.
>
>  From RFC2255:
>
>     Note that any URL-illegal characters (e.g., spaces), URL special
>     characters (as defined in section 2.2 of RFC 1738) and the reserved
>     character '?' (ASCII 63) occurring inside a dn, filter, or other
>     element of an LDAP URL MUST be escaped using the % method described
>     in RFC 1738 [5]. If a comma character ',' occurs inside an extension
>     value, the character MUST also be escaped using the % method.
>
> As I understand this the ',' MUST be escaped in extensions but MAY be
> escaped in dn, filter, etc. as well.
>
> Ciao, Michael.
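Worked example, added to this archive page and not code posted by any participant in the thread: a Python script that escapes the organisation value discussed above in both the RFC 2253 backslash form and the ldapbis hex form, parses either form back (accepting "\," and "\2C" alike, which is what the backward-compatibility concern raised above calls for on the receiving side), and percent-encodes the resulting DN string for the dn element of an LDAP URL so that the URL variants quoted in the thread can be checked against each other. The function names, the naive decoder and the round-trip inputs are ours (hypothetical); the DN and URL strings are the ones from the messages above.

```python
"""DN value escaping (RFC 2253 backslash form vs. ldapbis/RFC 4514 hex form),
parsing of both forms, and percent-encoding for an LDAP URL (RFC 2255).

Added example for this thread; not code from any participant. Function names
are hypothetical; the DN and URL strings are those discussed in the thread.
"""
from urllib.parse import quote, unquote

SPECIAL = set(',+"\\<>;')          # RFC 2253 2.4 list; ldapbis adds NUL
HEX = set("0123456789abcdefABCDEF")


def escape_rdn_value(value: str, style: str = "backslash") -> str:
    """Escape an AttributeValue for the string form of a DN.
    style="backslash": RFC 2253 form, "\\" + character.
    style="hex":       ldapbis/RFC 4514 form, "\\XX" per UTF-8 octet.
    NUL has no backslash form and is always hex-escaped."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        needs = (ch in SPECIAL or ch == "\x00"
                 or (i == 0 and ch in " #") or (i == last and ch == " "))
        if not needs:
            out.append(ch)
        elif style == "backslash" and ch != "\x00":
            out.append("\\" + ch)
        else:
            out.append("".join("\\%02X" % b for b in ch.encode("utf-8")))
    return "".join(out)


def split_dn(dn: str) -> list:
    """Split a DN string into RDN strings at unescaped commas. Both "\\,"
    and "\\2C" count as escapes, so neither form adds a phantom RDN."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            pair = dn[i + 1:i + 3]
            width = 3 if len(pair) == 2 and set(pair) <= HEX else 2
            cur.append(dn[i:i + width]); i += width
        elif ch == ",":
            rdns.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    rdns.append("".join(cur))
    return rdns


def unescape_value(v: str) -> str:
    """Decode a value's escapes, accepting "\\X" and "\\XX" alike; runs of
    hex pairs are gathered and decoded as one UTF-8 byte sequence."""
    out, octets, i = [], bytearray(), 0

    def flush():
        if octets:
            out.append(octets.decode("utf-8")); octets.clear()

    while i < len(v):
        if v[i] == "\\":
            pair = v[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= HEX:
                octets.append(int(pair, 16)); i += 3; continue
            flush(); out.append(v[i + 1:i + 2]); i += 2; continue
        flush(); out.append(v[i]); i += 1
    flush()
    return "".join(out)


def naive_unescape(v: str) -> str:
    """Constructed failure mode: a decoder that knows only the backslash
    prefix form keeps whatever follows "\\", so "\\2C" becomes "2C"."""
    out, i = [], 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            out.append(v[i + 1]); i += 2
        else:
            out.append(v[i]); i += 1
    return "".join(out)


def dn_to_url_dn(dn: str, safe: str = ",=") -> str:
    """Percent-encode a DN string for the dn element of an LDAP URL. Space
    and "\\" are always encoded; unescaped "," and "=" may stay literal
    (safe=",=") or be encoded as well (safe="")."""
    return quote(dn, safe=safe)


def url_dn_to_values(url_dn: str) -> list:
    """Decode a URL dn element back to [(type, decoded value), ...]."""
    result = []
    for rdn in split_dn(unquote(url_dn)):
        typ, _, val = rdn.partition("=")
        result.append((typ, unescape_value(val)))
    return result


ORG = "Chunghwa Telecom Co., Ltd."            # the value under discussion
DN_2253 = "ou=PKI IWG,o=%s,c=TW" % escape_rdn_value(ORG, "backslash")
DN_4514 = "ou=PKI IWG,o=%s,c=TW" % escape_rdn_value(ORG, "hex")
THREAD_URL_DNS = [                            # the four spellings in the thread
    "ou=PKI%20IWG,o=Chunghwa%20Telecom%20Co.%5C,%20Ltd.,c=TW",
    "ou=PKI%20IWG,o=Chunghwa%20Telecom%20Co.%5C%2C%20Ltd.,c=TW",
    "ou%3DPKI%20IWG%2Co%3DChunghwa%20Telecom%20Co.%5C%2C%20Ltd.%2Cc%3DTW",
    "ou=PKI%20IWG,o=Chunghwa%20Telecom%20Co.%5C2C%20Ltd.,c=TW",
]

if __name__ == "__main__":
    print(DN_2253); print(DN_4514)
    for u in THREAD_URL_DNS:
        print(u, "->", url_dn_to_values(u))
    print("unescaped value splits into", len(split_dn("o=%s,c=TW" % ORG)), "RDNs")
    print("naive decode:", naive_unescape(split_dn(DN_4514)[1].partition("=")[2]))
```

Running the script prints both escaped DNs, decodes all four URL spellings to the same three (type, value) pairs, shows that leaving the comma in the value unescaped turns a two-RDN suffix into three RDNs (the injection the escaping rules exist to prevent), and shows what a receiver that knows only the backslash-prefix form makes of the "\2C" spelling.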