
Re: Escaping the special meaning of + in attribute value

At 10:49 AM 11/22/99 -0600, Nalla, Suneetha R (Suneetha) *CTR* wrote:
>We are using LDAP to store subscriber information such as vpimAddress,
>mailRecipient etc. Our vpimAddress and mailRecipient values start with +.

Use of naming values containing special characters
(+=,;"<>#, leading/trailing spaces, consecutive spaces, <CR>)
within DNs will cause you nothing but grief and should be avoided.

Users (clients) must escape any such uses.  The server
must also escape any such uses when returning the DN to clients.
The OpenLDAP server preserves the escaping provided by the client.

OpenLDAP does NOT decompose the DN to implement DN comparisons.
OpenLDAP uses simple string comparisons.  As such, two different
quotings of the same DN are not viewed by OpenLDAP as being the

>escape the special meaning of + in the dn, while adding the entries I am
>enclosing the mailRecipient value in quotes.

You must be sure to escape the quotes from shell interpretation if
using such DNs on the command line.

>For example to add a node with
>mailRecipient value +1231234345@ssb.com I give the dn as 
>	dn: mailRecipient="+1231234345@ssb.com",o=myorganization,c=US.

>According to the LDAP standard given in rfc1779 the server has to parse the
>dn string.

>and put the value for dn in the database as

No.  This is an invalid DN.  The server must store a valid DN,
such as what the client provided.

>But Openldap
>doesn't seem to do that, it puts the dn in the database with quotes around

Yes.  This is allowed behavior.

What OpenLDAP does incorrectly is DN comparisons.  That is, it doesn't

as naming the same entry.  Besides quoting, OpenLDAP does not
take into consideration the syntax of naming components when
applying comparisons.

>Is there a flag that I have to set in Openldap for it to parse
>the string and ignore the quotes or \.


>Did the message not reach anybody or there is no answer or is it a bug in
>OpenLDAP, any clues????????????

A little patience please.

>It doesn't even complain if I try to add it without the quotes.

OpenLDAP doesn't support multivalued RDNs.

>The problem I am having with this is some
>entries were added using quotes and some entries were added using \ so for
>doing my search I have to give the exact way I added the entry either using
>quotes or \ in order for me to get back the result otherwise it says

Yes.  As noted above, OpenLDAP does not correctly implement DN
comparisons.  It treats DNs as simple strings.

>If the standards were followed I won't have a problem using
>either of them because it doesn't put the quotes or \ in the dn in the

The standards do not state how the DN is to be put into the database.
They only state the protocol representation.

>Does somebody have a solution for this. Is there a flag to set to enable the
>string parsing, or is it a bug.

You can consider OpenLDAP handling of DN comparisons to be a bug
if you like.


Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>
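
The comparison problem described in this message, shown as an added example (not part of the original post and not OpenLDAP code): a client-side normalizer that decodes the RFC 1779 double-quote and backslash forms so both spellings of the same DN compare equal, and rejects the unescaped leading `+`. The function names are hypothetical; it assumes attribute types are case-insensitive, compares values exactly (no per-attribute matching rules), and does not handle hex-encoded values.

```python
def _tokens(dn):
    """Decode RFC 1779 quoting into (char, literal) pairs; literal chars never separate."""
    out, i, quoted = [], 0, False
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            if i + 1 == len(dn):
                raise ValueError("dangling backslash")
            out.append((dn[i + 1], True))  # \+ form: next char is literal
            i += 2
            continue
        if c == '"':
            quoted = not quoted  # "..." form: everything inside is literal
        else:
            out.append((c, quoted))
        i += 1
    if quoted:
        raise ValueError("unterminated quote")
    return out

def _split(tokens, seps):
    """Split only on separators that were neither quoted nor escaped."""
    parts = [[]]
    for ch, literal in tokens:
        if not literal and ch in seps:
            parts.append([])
        else:
            parts[-1].append((ch, literal))
    return parts

def _text(tokens):
    """Join chars, trimming unescaped leading/trailing spaces."""
    keep = [n for n, t in enumerate(tokens) if t != (" ", False)]
    return "".join(ch for ch, _ in tokens[keep[0]:keep[-1] + 1]) if keep else ""

def normalize_dn(dn):
    """Canonical form: tuple of RDNs, each a frozenset of (type, value)."""
    rdns = []
    for rdn in _split(_tokens(dn), ",;"):
        avas = [_split(ava, "=") for ava in _split(rdn, "+")]
        if any(len(kv) != 2 or not _text(kv[0]) or not _text(kv[1]) for kv in avas):
            raise ValueError("malformed RDN in %r" % dn)
        rdns.append(frozenset((_text(k).lower(), _text(v)) for k, v in avas))
    return tuple(rdns)

# Constructed samples built from the DN quoted in the message.
QUOTED = 'mailRecipient="+1231234345@ssb.com",o=myorganization,c=US'
ESCAPED = r"mailRecipient=\+1231234345@ssb.com,o=myorganization,c=US"
BARE = "mailRecipient=+1231234345@ssb.com,o=myorganization,c=US"
```

Applying `normalize_dn` to a DN before it is used as a lookup key or compared against an access-control entry makes the result independent of which quoting style the writer of the entry happened to use.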