[Date Prev][Date Next]
RE: Error searching DNs with escaped special characters
- To: <firstname.lastname@example.org>
- Subject: RE: Error searching DNs with escaped special characters
- From: "Ken Turley" <email@example.com>
- Date: Tue, 22 Jul 2003 11:29:05 -0600
- Cc: <openldap-software@OpenLDAP.org>
- Content-class: urn:content-classes:message
- Thread-index: AcNPugU+ShkdfHE7Swy2HbdrOTmE2wAuDpPg
- Thread-topic: Error searching DNs with escaped special characters
Okay, after taking another look at slapd log (started as you suggested with -d -1), I've figured out the subtleties of how to construct my DNs in the back-sql ldap_entries table so that searches on escaped special characters work.
However, I have observed two inconsistencies in behavior. One may be desired, but the other might need to be addressed. (recall I'm using 2.1.16 with back-sql off of MS SQL Server 2000)
Special characters ",", "+", and "\" require that their ASCII hex code be inserted in the ldap_entries DN string following the escape character (\). Special characters """, "<", ">", ";" require the actual character. Furthermore, search results display in the same manner (regardless of client); that is, the first set of characters display with hex code, the second set with actual character. This seems a bit inconsistent in that it makes the underlying construction of the DN in the directory database less transparent --though maybe it's desired and/or necessary for interoperability -?
Note that both sets of characters (with one exception, see below) allow the search to be issued by escaping either the ASCII hex value or the actual character --good from the client standpoint.
(succeeds) ldapsearch -b "cn=CITY\2B COMMISSIONER,dc=ROLES,o=MYCO,c=US"
(succeeds) ldapsearch -b "cn=CITY\+ COMMISSIONER,dc=ROLES,o=MYCO,c=US"
An escaped backlash character, "\", can only be searched for by specifying the ASCII hex code when double quotes delimit the DN. If single quotes delimit the DN, then it can also be searched by specifying "\\". This may not seem like a big deal, except that it causes searches to fail in other LDAP clients, like the Jarek Gawor JAVA browser.
(succeeds) ldapsearch -b "cn=CITY\5C COMMISSIONER,dc=ROLES,o=MYCO,c=US"
(fails) ldapsearch -b "cn=CITY\\ COMMISSIONER,dc=ROLES,o=MYCO,c=US"
(succeeds) ldapsearch -b 'cn=CITY\\ COMMISSIONER,dc=ROLES,o=MYCO,c=US'
For what it's worth, I've appended a table summarizing the tests I performed.
Thanks as always,
spcl ldap_entries search search client wildcard
char DN contains: for: y/n for: y/n displays displays
---- ------------- ------ --- ------ --- -------- --------
, \2C \2C Y \, Y \2C \2C
, \, \2C N \, N - \2C
+ \2B \2B Y \+ Y \2B \2B
+ \+ \2B N \+ N - \2B
\ \5C \5C Y \\ N,Y (*) \5C \5C
\ \\ \5C N \\ N - \5C
> \3E \3E N \> N - \>
> \> \3E Y \> Y \> \>
< \3C \3C N \< N - \<
< \< \3C Y \< Y \< \<
; \3B \3B N \; N - \;
; \; \3B Y \; Y \; \;
" \22 \22 N \" N - \"
" \" (**) \22 Y \" Y \" \"
(*) - Failure here where others succeed if double quotes (") delimit the DN, but succeeds if single quotes (') delimit the DN
(**) - DN must be delimited on ldapsearch command line with single quote marks (') instead of double (").
> -----Original Message-----
> From: Pierangelo Masarati [mailto:firstname.lastname@example.org]
> Sent: Monday, July 21, 2003 12:58 PM
> To: Ken Turley
> Cc: openldap-software@OpenLDAP.org
> Subject: RE: Error searching DNs with escaped special characters
> > And is Nikita's problem related to the one I described with my post
> > originally under this subject heading on 7/17/2003? (text of posting
> > attached) Thanks, K. Turley.
> Actually, I don't see the problem; everything seems to work fine with
> respect to DN escaping chars, and significantly with \,
> escaping; maybe
> you're exploiting some problem with back-sql. You might want to look
> at how the DN is parsed by checking slapd's log (with -d -1) and, in
> case everything looks good, check how the client is parsing the DN.
> Pierangelo Masarati