[Date Prev][Date Next]
Re: Characters in DN
OK, I have now integrated my versions of the dn_validate and dn_normalize functions into current development branch code and have posted the new patch file to http://csrc.nist.gov/pki/testing/openLDAP_contrib.html. Feel free to check it out and, if you think it is appropriate, to commit the changes.
At 04:45 PM 7/10/01 +0200, Pierangelo Masarati wrote:
>"David A. Cooper" wrote:
> > This is something that I came across late last year. I also noticed that dn_validate/dn_normalize functions did not perform enough processing to always match two identical DNs. In addition to the example you cited, the functions also could not compare plain text with quoted text, text with escaped characters, or BER encoded text. For example, the following 4 DNs should all match:
> > cn=David Cooper
> > cn="David Cooper"
> > cn=David\20Cooper
> > cn=#130C446176696420436F6F706572
> > I wrote some code that could normalize all of these, but it has not yet been included into the main development branch of the code. What I have written is available for download at http://csrc.nist.gov/pki/testing/openLDAP_contrib.html, however, as it is several months old, the patch will probably not work against the current code base.
> > I will download the current code in the development branch of the CVS tree, integrate my code with it, and then post an updated patch file as soon as I can.
>Sure. I didn't really mean to criticize the code,
>since I haven't been working very much on dn
>syntax/normalization, and actually I didn't even
>have problems with the current implementation.
>Recently I happened to commit some changes
>to rdn parsing for dn renaming; that's how I got
>curious about the topic. I'd prefer that those who
>worked on the current implementation of
>dn_validate/normalize take care of it; however,
>I can do it if no one else has time to spare.
I agree that in most cases, the current dn_validate/dn_normalize functions should work fine. However, if there is no coordination between the user who places an entry into the database and the user who queries that entry, there is a chance that the two will specify the same DN in very different ways (both consistent with RFC 2253). The current code, in many cases will not always normalize the same DN to the same string. My code can properly handle a much wider range of strings.
>BTW, did you submit an ITS?
No, I just posted a message to the OpenLDAP Devel list describing the work that I had done and providing a pointer to the patch file. Would it be helpful for me to submit a report on ITS as well?