
Characters in DN

I note from RFC 2253 that

>    If the UTF-8 string does not have any of the following characters
>    which need escaping, then that string can be used as the string
>    representation of the value.
>     o   a space or "#" character occurring at the beginning of the
>         string
>     o   a space character occurring at the end of the string
>     o   one of the characters ",", "+", """, "\", "<", ">" or ";"
>    Implementations MAY escape other characters.

but OpenLDAP's dn parsing functions don't seem to consider anything
but dn and rdn separators (see for instance
and macro RDN_NEEDSESCAPE in servers/slapd/slap.h).
I guess it should read

#define RDN_NEEDSESCAPE(c)      ((c) == '\\' || (c) == '"' || (c) == '<' \
                                 || (c) == '>')

As a consequence, if I add an entry of the form

dn: cn=\<Ando\>,dc=my,dc=org

and then an entry

dn: cn=<Ando>,dc=my,dc=org

they are treated like they're the same (correct) but only because
the escapes '\' of chars that do not need escape (according to
RDN_NEEDSESCAPE) are ignored when validating dns. I guess
the second example (cn=<Ando>,dc=my,dc=org) should rather
be treated as an error.

Should I go on and fix it?

On another note, I made a change to rdn_attrs that eliminates
escapes from attribute values parsed out of a rdn to perform
attribute add[/delete] when changing a rdn, so that

dn: cn=whois\+\++uid=somethingelse

results in adding


to the entry. I didn't find anything about this in the RFCs. Does anybody
have any comments before I commit the change?


Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 | mailto:masarati@aero.polimi.it
via La Masa 34, 20156 Milano, Italy   | http://www.aero.polimi.it/~masarati
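
As an added example, not part of the original message or of OpenLDAP's code: a strict decoder for the unquoted string form of an RDN value that applies the three RFC 2253 rules quoted above, so that `<Ando>` is rejected while `\<Ando\>` and `whois\+\+` decode to their unescaped values. The name `rdn_value_unescape` is hypothetical, and the code assumes a backslash followed by a non-hex character stands for that character.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (isdigit(c)) return c - '0';
    return isxdigit(c) ? tolower(c) - 'a' + 10 : -1;
}

/* Hypothetical helper (not an OpenLDAP function): decode one RDN value.
 * Returns the decoded length, or -1 if a character that needs escaping
 * appears unescaped, an escape is malformed, or out is too small. */
long rdn_value_unescape(const char *in, char *out, size_t outlen)
{
    size_t i, n = 0, len = strlen(in);

    if (outlen == 0) return -1;
    for (i = 0; i < len; i++) {
        int c = (unsigned char)in[i], hi, lo;
        if (c == '\\') {
            if (++i >= len) return -1;           /* dangling backslash */
            c = (unsigned char)in[i];
            if ((hi = hexval(c)) >= 0) {         /* \XX hex pair */
                lo = (i + 1 < len) ? hexval((unsigned char)in[i + 1]) : -1;
                if (lo < 0) return -1;
                c = hi * 16 + lo;
                i++;
            }                                    /* otherwise \c is literal c */
        } else if (strchr(",+\"\\<>;", c) != NULL   /* RFC 2253 list */
                   || (i == 0 && (c == ' ' || c == '#'))
                   || (i == len - 1 && c == ' ')) {
            return -1;                           /* should have been escaped */
        }
        if (n + 1 >= outlen) return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (long)n;
}

int main(void)
{
    char buf[64];
    /* Constructed inputs: the two cn values from the message above. */
    printf("%ld\n", rdn_value_unescape("\\<Ando\\>", buf, sizeof buf));
    printf("%ld\n", rdn_value_unescape("<Ando>", buf, sizeof buf));
    return 0;
}
```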