Some thoughts about the bug report (sorry for the borked first version of this mail):
1. There is already code in openldap that maps dn's to paths in the cn=config backend when it writes the config tree to the file system in /etc/ldap/slapd.d. Maybe that code or at least its escaping logic can be reused. 2. Wouldn't it be enough to use the database *number* to uniquely name the database backup? This would remove the whole problem. 3. In order to use the basedn as a file name that can be safely used in shell script, what about a whitelist approach that replaces or encodes any character that is not a (ascii) letter, number, dash or underscrore with something safe/sane? Seems a better way than the approach where only certain "bad" characters are replaced. Unicode is huge, and using a whitelist of known good characters seems a more defensive approach, especially when prefixed with the database number. So "o=|\/|y Über Company" would become something like "db2-yberCompany". Feedback appreciated.