
Re: Aliasing entries with reserved characters



On 16.02.2011 09:43, Christian Manal wrote:
> On 16.02.2011 01:27, MJ Hughes wrote:
>> On Wed, Feb 16, 2011 at 2:50 AM, Christian Manal <
>> moenoel@informatik.uni-bremen.de> wrote:
>>
>>> On 15.02.2011 08:04, MJ Hughes wrote:
>>>> Hi,
>>>>
>>>>
>>>> I'm an LDAP newbie who has inherited the maintenance of an LDAP system,
>>> and
>>>> am learning on the fly.  Until now I've been able to puzzle out all the
>>>> issues I've faced, but finally my google fu has failed me, so I'm seeking
>>>> more human assistance.
>>>>
>>>>
>>>> My problem is with reserved characters, such as , (comma).  The system
>>>> wasn't coping with RDNs that contained these characters, but this was
>>> easy
>>>> enough to fix by simply escaping these characters with a backslash.
>>>>
>>>>
>>>> My problem now involves trying to alias entries that contain these
>>> escaped
>>>> characters - I am consistently getting "Invalid DN syntax".  This is what
>>>> the code to add the alias looks like:
>>>>
>>>>
>>>>
>>>> $operationDN = "aliasedObjectName=" . $this->aliasSafe($aliasDN) . "," .
>>>> $locDN;
>>>>
>>>> $aliasParameterArray = array(
>>>>
>>>> "objectClass" => "alias",
>>>>
>>>> "aliasedObjectName" => $aliasDN
>>>>
>>>> );
>>>>
>>>> $result = ldap_add($this->LDAPcon, $operationDN, $aliasParameterArray);
>>>>
>>>>
>>>>
>>>> The aliasSafe() function converts "=" => "\3D" and "," => "\," (unless
>>> the
>>>> commas have already been escaped).
>>>>
>>>>
>>>> This produces DNs that have the following (hypothetical) format:
>>>>
>>>>
>>>>
>>>> $aliasDN: cn=Tomorrow\, When The War Began,cn=books,dc=library,dc=com
>>>>
>>>>
>>>> $operationDN: cn\3DTomorrow\, When The War
>>>> Began\,cn\3Dbooks\,dc\3Dlibrary\,dc\3Dcom,cn=titles,cn=John
>>>> Marsden,cn=authors,dc=library,dc=com
>>>>
>>>>
>>>>
>>>> I've tried every encoding of the comma (in the book name) that I can
>>> think
>>>> of (eg, a single backslash, a double backslash, a triple backslash, and
>>> even
>>>> '\2C') but everything I've tried so far has given me the "Invalid DN
>>> syntax"
>>>> error.  Could someone please help me with the syntax and encoding these
>>> DNs
>>>> should have?
>>>>
>>>>
>>>> Thanks,
>>>>
>>>> MJ
>>>>
>>>
>>>
>>> Hi,
>>>
>>> have a look at RFC 1485 section 2.2:
>>>
>>>   <http://www.faqs.org/rfcs/rfc1485.html>
>>>
>>> Double quotes around the RDN will solve your problem.
>>>
>>>
>>> Regards,
>>> Christian Manal
>>>
>>
>> Hi again,
>>
>> I was wondering if I could request further assistance with this problem.  I
>> have tried double quotes around the RDN in various combinations but so far
>> have continued to get the "Invalid DN syntax" error.
>>
>> Part of the problem is that I'm not sure where the quotes should go in each
>> of the DNs, and whether they need to be escaped.  I have tried all the
>> combinations which seemed likely, such as:
> 
> Well, read the RFC I linked. There's an example in there:
> 
>    CN=L. Eagle, O="Sue, Grabbit and Runn", C=GB
> 
> Also, from your other email, I didn't find any mention that RFC 1485 is
> deprecated and doing it like in the example works for me.
> 
> 
>> $aliasDN: cn="Tomorrow\, When The War Began",cn=books,dc=library,dc=com
>> $operationDN: "cn\3DTomorrow\, When The
>> War Began\,cn\3Dbooks\,dc\3Dlibrary\,dc\3Dcom",cn=titles,cn=John
>> Marsden,cn=authors,dc=library,dc=com
>>
>> And
>>
>> $aliasDN: cn="Tomorrow\, When The War Began",cn=books,dc=library,dc=com
>> $operationDN: cn\3D\"Tomorrow\, When The
>> War Began\"\,cn\3Dbooks\,dc\3Dlibrary\,dc\3Dcom,cn=titles,cn=John
>> Marsden,cn=authors,dc=library,dc=com

Hmm... not my day today, it seems. I should read more carefully. Since
"aliasedObjectName=" was missing in $operationDN I kinda read that
wrong. So forget what I said below about $operationDN.

And as you were right that the RFC I dug up is deprecated, the real
problem is probably with the escaping/quoting done in your PHP(?) code,
so at least I wasn't a complete idiot ;-)


>> Could someone please help me with where the quotes are supposed to go, and
>> whether they should be escaped?
> 
> Is $operationDN what you actually throw at the LDAP server? You know
> that you mustn't mask the equal signs that are actually part of the DN
> syntax? You also mustn't escape the commas when you already use double
> quotes. And it looks like you kinda maim the DN by adding $localDN to
> it. Is this really what you want?
> 
>> cn="Tomorrow, When The War Began",cn=books,dc=library,dc=com,cn=titles,cn=John Marsden,cn=authors,dc=library,dc=com
> 
> Wouldn't this make more sense?
> 
>> cn="Tomorrow, When The War Began",cn=titles,cn=John Marsden,cn=authors,dc=library,dc=com
> 
> 
> Another problem is probably your use of escaping and quotes. When you
> put a string into double quotes and use a single backslash to escape the
> comma ("cn=foo\, bar"), PHP (I assume it's PHP?) will interpret this as
> an escape sequence of its own. That way the LDAP server doesn't get the
> literal "\," but what the PHP interpreter makes of it. You either have to
> use single quotes or escape the escape character, so PHP won't mess with it.
> 
> I.e. either
> 
>    'cn=Tomorrow\, When The War Began,cn=books,dc=library,dc=com'
> 
> or
> 
>    "cn=Tomorrow\\, When The War Began,cn=books,dc=library,dc=com"
> 
> or one of the double quote variants
> 
>    "cn=\"Tomorrow, When The War Began\",cn=books,dc=library,dc=com"
> 
>    'cn="Tomorrow, When The War Began",cn=books,dc=library,dc=com'
> 
> 
> Regards,
> Christian Manal
>
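An added example, not code from the thread, showing the escaping question underneath it: the target DN becomes the value of the alias entry's RDN, so the whole DN is escaped once more per RFC 4514 (every comma, and the backslash of an already escaped comma). The thread's aliasSafe() skips already escaped commas, so the server decodes the RDN value to a DN in which that backslash is gone; `naive_alias_safe()` and the helper names are reconstructions, and Python is used so the escaping is shown independently of PHP string quoting.

```python
# Added example, not code from the thread: RFC 4514 escaping for a DN used as
# the value of an RDN (aliasedObjectName=<target DN>,<parent DN>).
import re

_SPECIALS = set('"+,;<>\\')

def escape_dn_value(value):
    # Escape one attribute value per RFC 4514 2.4 ('=' may stay unescaped).
    out = []
    for i, ch in enumerate(value):
        if ch in _SPECIALS:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif (ch == '#' and i == 0) or (ch == ' ' and i in (0, len(value) - 1)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)

def unescape_dn_value(value):
    # Reverse of escape_dn_value; accepts both '\,' and the hex form '\2C'.
    out, i = [], 0
    while i < len(value):
        if value[i] != '\\':
            out.append(value[i])
            i += 1
        elif re.fullmatch(r'[0-9A-Fa-f]{2}', value[i + 1:i + 3]):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i + 1])
            i += 2
    return ''.join(out)

def build_alias_dn(target_dn, parent_dn):
    # The whole target DN is one RDN value: ',' -> '\,' and its own '\' -> '\\'.
    return 'aliasedObjectName=' + escape_dn_value(target_dn) + ',' + parent_dn

def naive_alias_safe(target_dn):
    # Reconstruction of the thread's aliasSafe(): '=' -> '\3D', unescaped ',' ->
    # '\,', and the backslash of an existing '\,' is left alone, so it is lost.
    return re.sub(r'(?<!\\),', r'\\,', target_dn.replace('=', '\\3D'))

def first_rdn_value(dn):
    # Decoded value of the first RDN (up to the first unescaped comma), i.e.
    # the target DN as the server will see it.
    m = re.match(r'[^=]+=((?:\\.|[^,\\])*)', dn)
    return unescape_dn_value(m.group(1))
```

In PHP the same single-value escaping is available as ldap_escape($value, '', LDAP_ESCAPE_DN), and the result should be built in a single-quoted string or passed straight to ldap_add() so the interpreter never sees the backslashes.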