
Re: Special Character Handling in the LDAP DN and entry attributes



>> I am running into an issue handling special characters in LDAP. As RFC 2253
>> defines it, DN handling should escape the special characters such as ",",
>> "+", """, "\", "<", ">" or ";". The question here is whether the special
>> characters also need to be escaped in the entry attributes. More
>> specifically, the LDAP entry looks like this:
>> 	dn: cn=test\, user11, ou=Expired, o=Bungalo, domainComponent=Mission190, domainComponent=com
>> 	objectClass: top
>> 	objectClass: person
>> 	objectClass: organizationalPerson
>> 	objectClass: pkiUser
>> 	objectClass: entrustUser
>> 	cn: test, user11
>> 	certSubjectDn: cn=This\, is\, a\, test, ou=Expired, o=Bungalo, domainComponent=Mission190, domainComponent=com
>> 	mail: "rfc822Name=testuser11@mission180.com" "dNSName=testuser11.mission180.com" "iPAddress=1.1.1.4"
>>
>> certSubjectDn is a new attribute I populated in the LDAP schema to hold the
>> value of a certificate subject DN whose cn value is "This, is, a, test".
>> What's the correct way to save this certSubjectDn attribute in LDAP?
>> Should the special character (comma) be escaped or not? Notice that the cn
>> attribute above doesn't escape the comma; that's why I'm confused here.
>> Is there any RFC that regulates this? Thanks very much.

Chars that are special in a DN must be escaped in a DN; they must not be
escaped in the distinguished values of the naming attributes unless those
attributes require escaping as well.  As such, your example is correct:

dn: cn=test\, user11, ou=Expired, o=Bungalo, domainComponent=Mission190, domainComponent=com
cn: test, user11
certSubjectDn: cn=This\, is\, a\, test, ou=Expired, o=Bungalo, domainComponent=Mission190, domainComponent=com

(I removed irrelevant stuff)

However, current HEAD/RE22 code will return it as

dn: cn=test\2C user11,ou=Expired,o=Bungalo,domainComponent=Mission190,domainComponent=com
cn: test, user11
certSubjectDn: cn=This\2C is\2C a\2C test,ou=Expired,o=Bungalo,domainComponent=Mission190,domainComponent=com

i.e., \<hexpair> escaping is used, and no spaces appear between the RDN
separator ',' and the attribute type of the following AVA ("pretty" form).
I suggest you also read draft-ietf-ldapbis-dn, which amends RFC 2253.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
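The rule stated in the reply above (escape the special characters in the DN string, never in the attribute value itself, and expect the server to hand the DN back in the \XX "pretty" form) as an added worked example; this is not code from the thread or from OpenLDAP. The function names (escape_dn_value, parse_dn, pretty_dn) and the extra sample values are this example's own; the two DN strings it checks against each other are the ones quoted in the thread.

```python
"""Escaping rules for LDAP DNs (RFC 2253, now RFC 4514) with a small parser.

Added example for this thread, not code from the original mail or from
OpenLDAP.  Only the DN strings quoted in the thread are taken from it; the
helper names and the extra sample values below are this example's own.
"""

# Characters that must be escaped wherever they occur in a DN attribute
# value (RFC 4514 section 2.4).  A leading '#' or ' ' and a trailing ' '
# must be escaped too and are handled separately; NUL is always written
# as the hexpair \00.
DN_SPECIALS = set('",+;<>\\')
_HEX = set("0123456789abcdefABCDEF")


def _is_hexpair(s: str) -> bool:
    return len(s) == 2 and all(c in _HEX for c in s)


def escape_dn_value(value: str, hexpair: bool = False) -> str:
    """Escape one attribute value so it can be placed after 'type=' in a DN.

    hexpair=False gives the backslash form written in the LDIF ("test\\, user11");
    hexpair=True gives the \\XX form the server returns ("test\\2C user11").
    Both are legal input and a conforming parser reads them identically.
    """
    def esc(ch: str) -> str:
        if ch == "\x00" or hexpair:
            return "\\%02X" % ord(ch)
        return "\\" + ch

    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS or ch == "\x00":
            out.append(esc(ch))
        elif (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append(esc(ch))
        else:
            out.append(ch)
    return "".join(out)


def parse_dn(dn: str) -> list:
    """Split a DN string into [(attribute type, unescaped value), ...].

    Accepts both "\\," and "\\2C" escapes, decodes runs of hexpairs as UTF-8,
    and drops only the *unescaped* spaces around '=' and ',' so that the
    hand-written "cn=x, ou=y" and the server's "cn=x,ou=y" parse the same.
    Multi-valued RDNs joined with '+' are not handled here.
    """
    if dn == "":
        return []                      # the empty DN (root DSE) is valid
    rdns = []
    attr_type = None
    buf = []                           # list of (char, was_escaped)
    i, n = 0, len(dn)

    def flush_value() -> str:
        # unescaped leading/trailing spaces are separators, escaped ones are data
        while buf and buf[0] == (" ", False):
            buf.pop(0)
        while buf and buf[-1] == (" ", False):
            buf.pop()
        return "".join(c for c, _ in buf)

    while i < n:
        ch = dn[i]
        if ch == "\\":
            if i + 1 >= n:
                raise ValueError("dangling backslash at end of DN")
            nxt = dn[i + 1]
            if nxt in DN_SPECIALS or nxt in "# =":
                buf.append((nxt, True))    # backslash + literal special
                i += 2
            else:                          # one or more \XX hexpairs
                raw = bytearray()
                while i < n and dn[i] == "\\" and _is_hexpair(dn[i + 1:i + 3]):
                    raw.append(int(dn[i + 1:i + 3], 16))
                    i += 3
                if not raw:
                    raise ValueError("invalid escape sequence at offset %d" % i)
                buf.extend((c, True) for c in raw.decode("utf-8"))
        elif ch == "=" and attr_type is None:
            attr_type = "".join(c for c, _ in buf).strip()
            buf = []
            i += 1
        elif ch == ",":
            if attr_type is None:
                raise ValueError("RDN without '=' at offset %d" % i)
            rdns.append((attr_type, flush_value()))
            attr_type, buf = None, []
            i += 1
        else:
            buf.append((ch, False))
            i += 1
    if attr_type is None:
        raise ValueError("trailing RDN without '='")
    rdns.append((attr_type, flush_value()))
    return rdns


def pretty_dn(rdns) -> str:
    """Serialize in the "pretty" form the server returns: \\XX hexpairs,
    no space after the ',' separators."""
    return ",".join("%s=%s" % (t, escape_dn_value(v, hexpair=True)) for t, v in rdns)


if __name__ == "__main__":
    ldif_dn = ("cn=This\\, is\\, a\\, test, ou=Expired, o=Bungalo, "
               "domainComponent=Mission190, domainComponent=com")
    server_dn = ("cn=This\\2C is\\2C a\\2C test,ou=Expired,o=Bungalo,"
                 "domainComponent=Mission190,domainComponent=com")
    assert parse_dn(ldif_dn) == parse_dn(server_dn)
    assert pretty_dn(parse_dn(ldif_dn)) == server_dn
    print(parse_dn(ldif_dn)[0][1])  # This, is, a, test  (no escaping in the value)
```

The practical consequence for code that consumes directory data: the DN you wrote into the LDIF and the DN the server returns are different strings for the same name, so compare parsed RDN lists (or the pretty form) rather than raw strings. Conversely, when building a DN or a filter from an attribute value, go through an escaping routine such as escape_dn_value here, or your LDAP library's equivalent (python-ldap ships ldap.dn.escape_dn_chars and ldap.dn.str2dn), rather than string concatenation; unescaped commas, plus signs or parentheses from user input are exactly how LDAP injection happens.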