[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: About RDN values starting with #
Pofelski, Lech wrote:
Hello Mr Chu,
Thanks for the pointer. Now we understand why the RDNs like cn=#80 are
not supported in the current version of openldap.
However, we have a very particular use case, specific to the telecom
network usage of LDAP (something similar to TerraCortex presentation in
Paris at LDAPCon2013) that we must support: this is the case when the
attribute type of the RDN has the syntax Octet String. For that use
case, we can't see any other method than #<hexstring> to enable us to
put the content of the Octet String attribute required by the
application in the RDN, keeping DN size, and performance intact.
In that specific case, far more restrictive than the general LDAP
RFC
use case, the attribute used in RDN has a, per application, mandatory
syntax of Octet String, and the BER encoding is restricted to Universal
Class Tag "OctetString".
For all to understand, one example of RDN that must be supported is
x.y.v.z=#0403466f6f
i.e. x.y.v.z is the OID of an Octet String attribute and 0403466f6f
is
the BER with the Octet String tag (04) (the case 2.5.4.3=#040180 (
cn=#80) will still be kept not supported).
If we enable, under specific config flag control, the ability to
decode RDN similar to example given just above, in a modified openLDAP,
we should not fall in the pitfall described in the openLDAP ITS 6570
(https://www.openldap.org/its/index.cgi/Software%20Bugs?id=6570).
For the specific syntax OctetString, there is no normalization, nor
verification. Thus the risk to inject a bad DN values in this way is
very, very limited, as any value, including empty content, #80,
arbitrary content.. are already allowed.
Not quite. The # prefix means the following hex string must be a valid
BER encoding of whatever value. Thus, while the octetString value may be
arbitrary, including zero length, it must still have a valid BER tag and
length.
Moreover, it may be possible to allow also the other syntax, far more user friendly
myoctstringattr=#466f6f ( no BER, just direct hexa, and short name, not OID)
Once again, the functionality is allowed ONLY for the syntax Octet String, i.e. cn=#80 STILL not allowed.
This change could make openldap more LDAP v3 compliant.
Does someone have any idea of a theoretical side effect of enabling such functionality ?
You're welcome to submit a patch enabling hex format for attributes of
octetString syntax, but it cannot simply pass thru any hex string. The
decoded hex string must still conform to BER.
Internally, we would expect the normalized form to be stored in binary,
not hex. (UUIDs are also treated this way already.) But the text/hex
form would be given back to clients.
Have to say, using octetString syntax for naming attributes is rather
user-unfriendly. You should reconsider your app design.
Regards,
Lech POFELSKI
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Sunday, April 26, 2015 7:26 AM
To: Pofelski, Lech; openldap-technical@openldap.org
Subject: Re: About RDN values starting with #
Pofelski, Lech wrote:
Hello openLDAP gurus,
According to the RFC 4514, an RDN value may start with # and to be
followed by a number of "hex pair" (pairs of hexadecimal values),
representing octets of some binary value.
There are two use cases involving such RDN syntax:
*Case 1, where the RDN is of the form:
<attribute OID (called also as attribute desc in dotted form)>=#<BER
encoded attribute value in form of a sequence of hex pairs >
*Case 2, where the RDN is of the form:
<attribute name>=#<attribute value in form of a sequence of hex pairs>
Case 1 is explicitly illustrated in the RFC 4514 by the example:
1.3.6.1.4.1.1466.0=#04024869
Although Case 2 is not explicitly illustrated in the RFC4514, it is
implicitly correct, as it is in the conformity with the RDN syntax
provided by this RFC.
It is explicitly rejected by OpenLDAP.
https://www.openldap.org/its/index.cgi/Software%20Bugs?id=6570
*If this is a known limitation in openLDAP.
*If there is already a plan to fix the problem. If not, I'd be glad to
contribute to fixing it.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/