[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP search filter validation

To: "Greg B" <ldapn00b@gmail.com>
Subject: Re: LDAP search filter validation
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Tue, 17 Oct 2006 09:50:32 +0200 (CEST)
Cc: openldap-software@openldap.org
Importance: Normal
In-reply-to: <2819a38c0610161841i55d8e33fpcea018e88941080e@mail.gmail.com>
References: <2819a38c0610161841i55d8e33fpcea018e88941080e@mail.gmail.com>
User-agent: SquirrelMail/1.4.3a-1

> hi,
>
> Does OpenLDAP provide any routines for validating whether a given
> string represents a valid LDAP search filter? This is for me to detect
> invalid configuration settings in my LDAP client, and report the
> problem to the end-user as early as possible. For example, I want to
> catch settings like LDAPFilter="(cn=foo)", since they don't conform to
> the RFC 2254. Also, a side question, is the use of brackets around the
> main filter definition compulsory? All of the LDAP tools I have at my
> disposal seem to allow just cn=foo type filters...

Well, the client library, with respect to filters, does syntax validation
but it cannot do any semantics validation (i.e. check if an attribute
syntax supports the matching rule that's being used, or if an attribute's
value complies with the syntax for that attribute).  A "smart" client
could do this by accessing the schema related to the search it's going to
perform, provided it implements the necessary checks for the syntaxes in
use, but OpenLDAP's clients don't do that (I guess no existing client
really does that).

Syntax checking is done while encoding the filter for transmission (if
encoding succeeds, the filter was fine); this is done by
ldap_pvt_put_filter(), which is part of the private API (as the ldap_pvt_*
indicates) so it's not exposed in the header ldap.h.  As part of the
private API, it requires access to data types otherwise opaque, so calling
it may not be easy.  You can follow two paths: learn from that function,
and code your own, or use that function by accessing the private API. 
Note that the latter option implies you're aware of the fact that the
interface may change without notice, so don't expect your code to build
seamlessly whenever you upgrade.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------

Follow-Ups:
- changing the base dn
  - From: "Douglas B. Jones" <douglas@gpc.edu>

References:
- LDAP search filter validation
  - From: "Greg B" <ldapn00b@gmail.com>

Prev by Date: Re: Non SASL authentication without -x option
Next by Date: FW: Problem in configuring SSL with openldap
Index(es):
- Chronological
- Thread