[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: About RDN values starting with #

To: Howard Chu <hyc@symas.com>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: RE: About RDN values starting with #
From: "Pofelski, Lech" <lech.pofelski@hp.com>
Date: Thu, 30 Apr 2015 13:07:14 +0000
Accept-language: en-US
Content-language: en-US
In-reply-to: <553F718E.7020405@symas.com>
References: <B8FB3D76DDDF0C44A4A7B7A4E0C7D45A388B77EF@G9W0741.americas.hpqcorp.net> <553C76E3.8010609@symas.com> <B8FB3D76DDDF0C44A4A7B7A4E0C7D45A388B7BDA@G9W0741.americas.hpqcorp.net> <553F718E.7020405@symas.com>
Thread-index: AQHQf+F+hDGXs0Dm40KXk2lAf+inKZ1iNg0ggAAaSwCAAzwFQA==
Thread-topic: About RDN values starting with #

Hello Mr Chu,

Thanks for proposing us to submit a patch. We are starting to work on it.
There is still one point to clarify about two possible forms of RDNs with values starting with #.
The RFC4514 says:
"
If the AttributeType is of the dotted-decimal form, the 
AttributeValue is represented by an number sign ('#' U+0023) 
character followed by the hexadecimal encoding of each of the octets 
of the BER encoding of the X.500 AttributeValue
"

This statement explains clearly, without any ambiguity the case when the RDN is of form:

	<attribute type OID>=#<BER encoded value in form of hexstring>

However, the RDN syntax definition presented in the same RFC allows also the form:

	<attribute type NAME>=#<hexstring>

i.e. where the  AttributeType is NOT and OID. This form has the <hexstring> value which does not seem to be explicitly restricted by any constraint, i.e. it is not necessarily a BER.

In brief, there may be two interpretations of this part of the RFC:

*	A permissive one: 
o	In the form <attribute type NAME>=#<hexstring>  any <hexstring> is allowed (implicitly, by syntax and not constrained)
o	In the form <attribute type OID>=#<hexstring>   only BER <hexstring> is allowed (explicitly, including examples)

*	A restrictive one:
o	in both cases (attribute type NAME / OID)=#<hexstring> - only BER <hexstring> is allowed

Note that in any case we consider only the attribute types having the syntax of Octet String, so as we discussed earlier we don't expect any pitfall issue described in (https://www.openldap.org/its/index.cgi/Software%20Bugs?id=6570).

Between the two interpretations presented above our preferred choice is the permissive one, i.e. <attribute type NAME>=#<hex string>, with no constraint on the <hex string> value. Note that the restrictive interpretation seems to be more restrictive than the RFC itself.

Which interpretation would you recommend for our fix?

Thanks in advance,

Regards,

Lech POFELSKI

-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com] 
Sent: Tuesday, April 28, 2015 1:40 PM
To: Pofelski, Lech; openldap-technical@openldap.org
Subject: Re: About RDN values starting with #

Pofelski, Lech wrote:
> Hello Mr Chu,
>
> Thanks for the pointer. Now we understand why the RDNs like cn=#80 are
not supported in the current version of openldap.
>
> However, we have a very particular use case, specific to the telecom
network usage of LDAP (something similar to TerraCortex presentation in Paris at LDAPCon2013) that we must support: this is the case when the attribute type of the RDN has the syntax Octet String. For that use case, we can't see any other method than #<hexstring> to enable us to put the content of the Octet String attribute required by the application in the RDN, keeping DN size, and performance intact.
>
> In that specific case, far more restrictive than the general LDAP RFC
use case, the attribute used in RDN has a, per application, mandatory syntax of Octet String, and the BER encoding is restricted to Universal Class Tag "OctetString".

> For all to understand, one example of RDN that must be supported is
>
>          x.y.v.z=#0403466f6f
>
> i.e. x.y.v.z is the OID of an Octet String attribute and 0403466f6f is
the BER with the Octet String tag (04) (the case 2.5.4.3=#040180 (
cn=#80) will still be kept not supported).
>
> If we enable, under specific config flag control, the ability to
decode RDN similar to example given just above, in a modified openLDAP, we should not fall in the pitfall described in the openLDAP ITS 6570 (https://www.openldap.org/its/index.cgi/Software%20Bugs?id=6570).
>
> For the specific syntax OctetString, there is no normalization, nor
verification. Thus the risk to inject a bad DN values in this way is very, very limited, as any value, including empty content, #80, arbitrary content.. are already allowed.

Not quite. The # prefix means the following hex string must be a valid BER encoding of whatever value. Thus, while the octetString value may be arbitrary, including zero length, it must still have a valid BER tag and length.

> Moreover, it may be possible to allow also the other syntax, far more 
> user friendly
>
>          myoctstringattr=#466f6f ( no BER, just direct hexa, and short 
> name, not OID)
>
> Once again, the functionality is allowed ONLY for the syntax Octet String, i.e. cn=#80 STILL not allowed.
>
> This change could make openldap more LDAP v3 compliant.
>
>
> Does someone have any idea of a theoretical side effect of enabling such functionality ?

You're welcome to submit a patch enabling hex format for attributes of octetString syntax, but it cannot simply pass thru any hex string. The decoded hex string must still conform to BER.

Internally, we would expect the normalized form to be stored in binary, not hex. (UUIDs are also treated this way already.) But the text/hex form would be given back to clients.

Have to say, using octetString syntax for naming attributes is rather user-unfriendly. You should reconsider your app design.
>
> Regards,
>
> Lech POFELSKI
>
>
> -----Original Message-----
> From: Howard Chu [mailto:hyc@symas.com]
> Sent: Sunday, April 26, 2015 7:26 AM
> To: Pofelski, Lech; openldap-technical@openldap.org
> Subject: Re: About RDN values starting with #
>
> Pofelski, Lech wrote:
>> Hello openLDAP gurus,
>>
>> According to the RFC 4514, an RDN value may start with # and to be 
>> followed by a number of "hex pair" (pairs of hexadecimal values), 
>> representing octets of some binary value.
>>
>> There are two use cases involving such RDN syntax:
>>
>> *Case 1, where the RDN is of the form:
>>
>> <attribute OID (called also as attribute desc in dotted form)>=#<BER 
>> encoded attribute value in form of a sequence of hex pairs >
>>
>> *Case 2, where the RDN is of the form:
>>
>> <attribute name>=#<attribute value in form of a sequence of hex 
>> pairs>
>>
>> Case 1 is explicitly illustrated in the RFC 4514 by the example:
>>
>> 1.3.6.1.4.1.1466.0=#04024869
>>
>> Although Case 2 is not explicitly illustrated in the RFC4514, it is 
>> implicitly correct, as it is in the conformity with the RDN syntax 
>> provided by this RFC.
>
> It is explicitly rejected by OpenLDAP.
>
> https://www.openldap.org/its/index.cgi/Software%20Bugs?id=6570
>
>> *If this is a known limitation in openLDAP.
>>
>> *If there is already a plan to fix the problem. If not, I'd be glad 
>> to contribute to fixing it.
>

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: About RDN values starting with #
  - From: Howard Chu <hyc@symas.com>

References:
- About RDN values starting with #
  - From: "Pofelski, Lech" <lech.pofelski@hp.com>
- Re: About RDN values starting with #
  - From: Howard Chu <hyc@symas.com>
- RE: About RDN values starting with #
  - From: "Pofelski, Lech" <lech.pofelski@hp.com>
- Re: About RDN values starting with #
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: Significance of name forms.
Next by Date: Re: Significance of name forms.
Index(es):
- Chronological
- Thread