Re: Special Character Handling in the LDAP DN and entry attributes
>> I ran into an issue handling special characters in LDAP. As RFC2253
>> defines it, DN handling should escape the special characters ",", "+",
>> """, "\", "<", ">" or ";". The question here is: do the special
>> characters need to be escaped in the entry attributes? More specifically,
>> the LDAP entry looks like this:
>> dn: cn=test\, user11, ou=Expired, o=Bungalo, domainComponent=Mission190, domainComponent=com
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: pkiUser
>> objectClass: entrustUser
>> cn: test, user11
>> certSubjectDn: cn=This\, is\, a\, test, ou=Expired, o=Bungalo, domainComponent=Mission190, domainComponent=com
>> mail: "rfc822Name=testuser11@mission180.com" "dNSName=testuser11.mission180.com" "iPAddress=1.1.1.4"
>>
>> certSubjectDn is a new attribute I populated in the LDAP schema to hold
>> the value of a certificate subject DN whose cn value is "This, is, a,
>> test".
>> What's the correct way to save this certSubjectDn attribute in LDAP?
>> Should the special character (comma) be escaped or not? Notice that the
>> cn attribute above doesn't escape the comma, which is why I'm confused
>> here. Is there any RFC that regulates this? Thanks very much.
Chars that are special in a DN must be escaped in a DN; they must not be
escaped in the distinguished values of the naming attributes unless those
attributes require escaping as well. As such, your example is correct:
dn: cn=test\, user11, ou=Expired, o=Bungalo, domainComponent=Mission190, domainComponent=com
cn: test, user11
certSubjectDn: cn=This\, is\, a\, test, ou=Expired, o=Bungalo, domainComponent=Mission190, domainComponent=com
(I removed irrelevant stuff)
Only, current HEAD/RE22 code will return it as
dn: cn=test\2C user11,ou=Expired,o=Bungalo,domainComponent=Mission190,domainComponent=com
cn: test, user11
certSubjectDn: cn=This\2C is\2C a\2C test,ou=Expired,o=Bungalo,domainComponent=Mission190,domainComponent=com
i.e. \ + <hexpair> escaping is used, and no spaces between the RDN
separator ',' and the following AVA attribute type appear ("pretty"
form).
I suggest you also read draft-ietf-ldapbis-dn, which emendates RFC2253.
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
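Added worked example (not part of the message above, and not OpenLDAP code): a small RFC 2253 / RFC 4514-style DN string escaper and parser that makes the reply's distinction concrete. A value is escaped only where it sits inside a DN string (the dn: line, or an attribute such as certSubjectDn whose value is itself a DN); the same value stored as a plain attribute (cn:) is not. It also reproduces both the backslash-char form the poster wrote and the \XX "pretty" form the reply says HEAD/RE22 returns. Function names and the helper `entry_lines` are my own; the sample DN is the one from the original post.

```python
# Added example: RFC 4514 / RFC 2253 DN value escaping and DN string parsing.
# Not from the original message or from OpenLDAP; names are my own choice.

# Characters that must be escaped inside a DN attribute value; space and '#'
# are additionally special only at the start (both) or end (space) of a value.
SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str, hexpair: bool = False) -> str:
    """Escape one attribute value for embedding in a DN string.

    hexpair=False gives the backslash-char form (cn=test\\, user11);
    hexpair=True gives the \\XX form (cn=test\\2C user11) that the reply
    says the HEAD/RE22 code returns.
    """
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        needs = ch in SPECIAL
        if i == 0 and ch in " #":        # leading space or '#' must be escaped
            needs = True
        if i == last and ch == " ":      # so must a trailing space
            needs = True
        if ch == "\x00":                 # NUL is only representable as \00
            out.append("\\00")
        elif needs:
            out.append("\\%02X" % ord(ch) if hexpair else "\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def parse_dn(dn: str):
    """Split a DN string into RDNs, each a list of (type, value) pairs with
    the value unescaped. Accepts '\\,' and '\\2C' escapes, '+' for
    multi-valued RDNs, and RFC 2253-style spaces after ','. The '#hexstring'
    BER value form is not handled.
    """
    rdns, avas = [], []
    # keep: length of buf up to the last byte that is not unescaped trailing space
    key, buf, keep = None, bytearray(), 0
    i, n = 0, len(dn)

    def end_ava():
        nonlocal key, buf, keep
        if key is None:
            raise ValueError("AVA without '=' in %r" % dn)
        avas.append((key.strip(), bytes(buf[:keep]).decode("utf-8")))
        key, buf, keep = None, bytearray(), 0

    while i < n:
        ch = dn[i]
        if ch == "\\":
            nxt = dn[i + 1:i + 2]
            if not nxt:
                raise ValueError("dangling backslash in %r" % dn)
            if nxt in SPECIAL or nxt in " #=":
                buf += nxt.encode("utf-8")             # \<special>
                i += 2
            else:
                buf.append(int(dn[i + 1:i + 3], 16))   # \XX, possibly one byte of a UTF-8 sequence
                i += 3
            keep = len(buf)                             # escaped chars always belong to the value
        elif key is None and ch == "=":
            key, buf, keep = buf.decode("utf-8"), bytearray(), 0
            i += 1
        elif ch in ",+":
            end_ava()
            if ch == ",":
                rdns.append(avas)
                avas = []
            i += 1
        else:
            if ch == " " and not buf:                  # unescaped leading space is not part of the value
                i += 1
                continue
            buf += ch.encode("utf-8")
            if ch != " ":
                keep = len(buf)
            i += 1
    end_ava()
    rdns.append(avas)
    return rdns


def format_dn(rdns, hexpair: bool = False, pretty: bool = True) -> str:
    """Serialize parsed RDNs back to a string; pretty=True omits the space
    after ',' as the normalized ("pretty") form does."""
    sep = "," if pretty else ", "
    return sep.join(
        "+".join("%s=%s" % (t, escape_dn_value(v, hexpair)) for t, v in rdn)
        for rdn in rdns
    )


def entry_lines(cn_value: str, parent_dn: str) -> list:
    """Where escaping applies for an entry named by cn_value under parent_dn:
    escaped inside the dn: line, unescaped in the cn: attribute."""
    return ["dn: cn=%s,%s" % (escape_dn_value(cn_value), parent_dn),
            "cn: " + cn_value]


if __name__ == "__main__":
    posted = ("cn=test\\, user11, ou=Expired, o=Bungalo, "
              "domainComponent=Mission190, domainComponent=com")   # DN from the original post
    for line in entry_lines("test, user11", "ou=Expired,o=Bungalo,domainComponent=Mission190,domainComponent=com"):
        print(line)
    print(format_dn(parse_dn(posted), hexpair=True))   # the form the reply says HEAD/RE22 returns
```

Running it prints the poster's dn: and cn: lines followed by the \2C "pretty" rendering of the same DN; parsing the posted DN and the \2C form yields the identical unescaped cn value, which is the point: the escaping is a property of the DN string syntax, not of the value.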