Re: Error searching DNs with escaped special characters
> On Monday 21 July 2003 23:07, Pierangelo Masarati wrote:
>> Actually, rethinking my previous post, the latter is correct:
>> dn: x509issuer=CN=test \5C\22sa\5C\22 sadf\,C=RU,O=ca
>> while this is wrong:
>> dn: x509issuer=CN=test \22sa\22 sadf\,C=RU,O=ca
>> Another perfectly legal form is:
>> dn: x509issuer=CN=test \\\"sa\\\" sadf\,C=RU,O=ca
>> Let me elaborate on this (I couldn't wonder what you were
>> going to escape until Michael Stroeder directed me to the
>> schema definition of x509issuer :)
>> Your DN holds, as RDN, an attribute whose syntax is
>> distinguishedName. Then, the attribute value, in string
>> representation, is:
>> CN=test \"sa\" sadf,C=RU
>> note that the double quotes are escaped because inside
>> a DN, while the comma isn't because it is separating
>> a RDN from its parent.
> Thank you for the complete explanation.
> But I am thinking that this behavior of slapd is not right
> and does not correspond to RFC2253.
Why? If you have a legal RDN and you extract the value
of an associated AVA, you should get a legal value.
But if that AVA is DN-valued, the special chars must
still be escaped, otherwise the value of the AVA would
not be a legal DN. As a consequence, the special chars
and the escape char, which is special, must be escaped
>> When this value is used inside another DN, all the special
>> chars it contains must be escaped further;
> ??? Why MUST it be escaped further???
> Where is this behavior described in the RFC???
It is not described in RFC. It's my deduction of RFC's
meaning, corroborated by the plain recursive application
of slapd's DN escaping when a DN-valued attribute is used
in the RDN. If you have a better interpretation of the
RFC that goes beyond "I think it is not right", please
state it, and suggest corrections.
>> so its escape
>> value becomes:
>> CN=test \\\"sa\\\" sadf\,C=RU
>> note that backslash itself needs be escaped; the same
>> applies to the quotes, as seen before. The comma must
>> also be escaped because now it is part of a single value
>> in a RDN. As a result you get
>> x509issuer=CN=test \\\"sa\\\" sadf\,C=RU,O=ca
>> \-----DN-valued attr--------/
>> This is what slapd currently interprets as I expect.
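
The recursive escaping discussed in this thread, as an added example that is not part of the original post and is not slapd's code. It follows the post's reading of RFC 2253; the helper names (escape_value, unescape_value, split_rdns, rdn_value, nest) are hypothetical, and the DN strings are the ones quoted above.

```python
import re

SPECIAL = ',+"\\<>;'  # characters RFC 2253 escapes anywhere in a value

def escape_value(value):
    """Escape one attribute value for use inside an RDN."""
    out = "".join("\\" + c if c in SPECIAL else c for c in value)
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "          # trailing space
    if value.startswith(("#", " ")):
        out = "\\" + out                # leading '#' or space
    return out

def unescape_value(text):
    """Undo one level of escaping: backslash-hexpair or backslash-char."""
    out, i = bytearray(), 0
    while i < len(text):
        pair = text[i + 1:i + 3]
        if text[i] == "\\" and re.fullmatch("[0-9A-Fa-f]{2}", pair):
            out.append(int(pair, 16))   # \XX is one raw byte
            i += 3
        elif text[i] == "\\" and i + 1 < len(text):
            out += text[i + 1].encode("utf-8")
            i += 2
        else:
            out += text[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    return re.findall(r"(?:\\.|[^\\,])+", dn)

def rdn_value(dn, index=0):
    """Return the unescaped value of the RDN at position index."""
    return unescape_value(split_rdns(dn)[index].split("=", 1)[1])

def nest(attr, inner_dn, parent):
    """Use a DN string as the value of attr in an RDN under parent."""
    return attr + "=" + escape_value(inner_dn) + "," + parent

if __name__ == "__main__":
    inner = "CN=" + escape_value('test "sa" sadf') + ",C=RU"
    print(inner)
    print(nest("x509issuer", inner, "O=ca"))
    # The hex-escaped form and the form called wrong in the thread.
    for form in (r'x509issuer=CN=test \5C\22sa\5C\22 sadf\,C=RU,O=ca',
                 r'x509issuer=CN=test \22sa\22 sadf\,C=RU,O=ca'):
        print(rdn_value(form) == inner, rdn_value(form))
```

Software that compares or authorizes on a DN-valued attribute should unescape exactly one level per nesting level; decoding one level too many or too few yields a different issuer string.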