
Re: [JLDAP] Unable to search for X509 subject entry.Escape character "("



What if you escape the "(" and ")"?
i.e. "(subject=\(1999\))"

Marc Boorshtein

--- Diego Pietralunga <diego@ltt.it> wrote:
> Hi,
> 
> I'm currently stuck with a problem with an LDAP
> search which is 
> driving me crazy.
> 
> Using Novell JLDAP Java classes (2004_09_15) I need
> to perform a query 
> for a X509 certificate subject (stored on LDAP
> server through a custom 
> schema).
> The server is OpenLDAP 2.0.27, os Suse Linux 9.0 and
> the certificate to 
> search is Verisign's.
> Unfortunately it looks like the problem is
> that Verisign uses 
> plenty of "(", ")" characters in their DNs.
> These characters need to be escaped for OpenLDAP 
> (and per LDAP rfc I 
> guess).
> The standard OpenLDAP entry I have to search
> includes a binary 
> certificate and a string with the X509 Subject (for
> searching)
> 
> Scenario:
> 1)Load new plain Verisign certificate (subject) on
> OpenLDAP via LDAP 
> Browser editor tool.
> 1.1) Fail to load because of invalid chars.
> 2)Manually find and escape the chars. 
> This is the failing entry:
> ----------------------------------------------------------------------
> O=VeriSign\, Inc., OU=VeriSign Trust Network, 
> OU=www.verisign.com/repository/RPA Incorp. by
> Ref.\,LIAB.LTD(c)98, 
> OU=Persona Not Validated, OU=Digital ID Class 1 -
> Microsoft, CN=L.T.T 
> Lab. Telematica
> Territ./emailAddress=posta-certificata@certmail.ltt.it
> ----------------------------------------------------------------------
> 2.1) The chars are the round parentheses "(", ")".
> Escaped with \28 and \29 while inserting. Browsing
> the server, it shows 
> the correct chars.
> 
> 3)Search with JLDAP using LDAPSearchResults with
> "searchFilter" set to 
> plain X509 subject.
> 3.1) Got LocalLDAP exception complaining about
> unescaped chars
> 3.2) Use LDAPDN.escapeRDN(). No luck. Later found out
> that that method 
> does NOT escape parentheses (!). Javadocs.
> 3.3) Code a manual escape for parentheses, resulting
> in ( = "\28" and ) 
> = "\29" into the query.
> 3.4) NO MATCH.
> 
> Here's the escaped query string (note escaped
> chars):
> ----------------------------------------------------------------------
> EMAIL=posta-certificata@certmail.ltt.it,CN=L.T.T
> Lab. Telematica 
> Territ.,OU=Digital ID Class 1 - Microsoft,OU=Persona
> Not 
> Validated,OU=www.verisign.com/repository/RPA Incorp.
> by 
> Ref.,LIAB.LTD\28c\2998,OU=VeriSign Trust
> Network,O=VeriSign, Inc.
>                             ^     ^
> ----------------------------------------------------------------------
> 
> What can I do?
> Is it a server problem?
> Is it a broken JLDAP search?
> Is it my escaping technique/string?
> 
> I've searched through the archives and found
> something similar with a 
> suggestion for Python (which I don't know) and I
> GUESS I've done right.
> 
> Please suggest a Java/OpenLDAP workaround if you
> can.
> 
> Thanks,
> 
> Diego
>
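
An added example, not part of the original thread and not JLDAP code: search-filter values are escaped under RFC 4515 (NUL, "(", ")", "*" and "\" become a backslash plus two hex digits), which is a different rule set from the DN escaping of RFC 4514 that leaves parentheses alone. The class and method names are hypothetical, the attribute name `subject` is taken from the reply above, and the sample values are constructed from the subject quoted in the message.

```java
import java.nio.charset.StandardCharsets;

public class SubjectFilter {

    // RFC 4515 escaping for an assertion value inside a search filter:
    // NUL, '(', ')', '*' and '\' become a backslash plus two hex digits.
    // Non-ASCII UTF-8 bytes are hex-escaped too, which the RFC permits.
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder();
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            boolean special = c == 0x00 || c == '(' || c == ')' || c == '*' || c == '\\';
            if (special || c >= 0x80) {
                out.append(String.format("\\%02x", c));
            } else {
                out.append((char) c);
            }
        }
        return out.toString();
    }

    // Builds an equality filter; the attribute name comes from trusted code,
    // only the value is treated as data.
    static String equalityFilter(String attribute, String value) {
        return "(" + attribute + "=" + escapeFilterValue(value) + ")";
    }

    public static void main(String[] args) {
        // Constructed sample: one RDN of the subject as stored in the directory,
        // including the DN-level "\," escape that is part of the stored string.
        String stored = "OU=www.verisign.com/repository/RPA Incorp. by Ref.\\,LIAB.LTD(c)98";
        System.out.println(equalityFilter("subject", stored));

        // Constructed sample: a literal '*' must not act as a substring wildcard.
        System.out.println(equalityFilter("subject", "CN=Class 1 * Test"));
    }
}
```

A backslash that is part of the stored string (such as the DN-level `\,`) is itself escaped as `\5c` in the filter, so the value the server compares is the stored string byte for byte.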