
[JLDAP] Unable to search for X509 subject entry. Escape character "("


I'm currently stuck with a problem with an LDAP search which is driving me crazy.

Using Novell JLDAP Java classes (2004_09_15) I need to perform a query for an X509 certificate subject (stored on LDAP server through a custom schema).
The server is OpenLDAP 2.0.27, OS Suse Linux 9.0 and the certificate to search is Verisign's.
Unfortunately it looks like the problem is that Verisign uses plenty of "(", ")" characters in their DNs.
These characters need to be escaped for OpenLDAP (and per LDAP RFC I guess).
The standard OpenLDAP entry I have to search includes a binary certificate and a string with the X509 Subject (for searching).

1) Load new plain Verisign certificate (subject) on OpenLDAP via LDAP Browser editor tool.
1.1) Fail to load because of invalid chars.
2) Manually find and escape the chars. This is the failing entry:
O=VeriSign\, Inc., OU=VeriSign Trust Network, OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98, OU=Persona Not Validated, OU=Digital ID Class 1 - Microsoft, CN=L.T.T Lab. Telematica Territ./emailAddress=posta-certificata@certmail.ltt.it
2.1) The chars are the round parentheses "(" , ")".
Escaped with \28 and \29 while inserting. Browsing the server, it shows the correct chars.

3) Search with JLDAP using LDAPSearchResults with "searchFilter" set to plain X509 subject.
3.1) Got LocalLDAP exception complaining about unescaped chars.
3.2) Use LDAPDN.escapeRDN(). No luck. Later found out that that method does NOT escape parentheses (!). Javadocs.
3.3) Code a manual escape for parentheses, resulting in ( = "\28" and ) = "\29" in the query.
3.4) NO MATCH.

Here's the escaped query string (note escaped chars):
EMAIL=posta-certificata@certmail.ltt.it,CN=L.T.T Lab. Telematica Territ.,OU=Digital ID Class 1 - Microsoft,OU=Persona Not Validated,OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD\28c\2998,OU=VeriSign Trust Network,O=VeriSign, Inc.
^ ^

What can I do?
Is it a server problem?
Is it a broken JLDAP search?
Is it my escaping technique/string?

I've searched through the archives and found something similar with a suggestion for Python (which I don't know) and I GUESS I've done it right.

Please suggest a Java/OpenLDAP workaround if you can.
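
Added example, not part of the original post and not JLDAP's own code: search-filter escaping as defined in RFC 4515 is a separate layer from DN escaping, so a value placed in a filter has its parentheses, asterisks and any backslash it already contains escaped as two-digit hex. The class and method names and the attribute name `x509Subject` are assumptions, and the sample value is one RDN constructed from the subject quoted above, assumed to be stored as a plain string.

```java
public class LdapFilterEscape {

    // RFC 4515 section 3: inside a filter assertion value, NUL, '(', ')', '*'
    // and '\' are written as a backslash followed by exactly two hex digits.
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\0': out.append("\\00"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '*':  out.append("\\2a"); break;
                case '\\': out.append("\\5c"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Build an equality filter. The attribute name is fixed by the calling
    // code; only the variable value is escaped.
    static String equalityFilter(String attribute, String value) {
        return "(" + attribute + "=" + escapeFilterValue(value) + ")";
    }

    public static void main(String[] args) {
        // Constructed sample: one RDN from the subject in the post, written as
        // a string attribute would hold it, including the DN-level "\,".
        // In Java source the backslash itself has to be doubled.
        String stored =
            "OU=www.verisign.com/repository/RPA Incorp. by Ref.\\,LIAB.LTD(c)98";

        // "x509Subject" is a hypothetical attribute name for the custom schema.
        // The DN-level backslash is escaped a second time at the filter layer,
        // and the escape for ")" may be followed directly by the digits "98"
        // because a filter parser reads two hex digits after the backslash.
        System.out.println(equalityFilter("x509Subject", stored));

        // Once escaped, an asterisk in the value is matched literally instead
        // of acting as a substring wildcard.
        System.out.println(equalityFilter("x509Subject", "CN=*"));
    }
}
```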