DNs may be encoded. If we're going to return the value from one of the
RDNs in the DN then we must decode the DN first, otherwise the returned
value won't be what we're expecting. Specifically, the value getting
passed back through the RPC interface was not the value set because it
included escaping specific only to DNs. We want to treat the value as
the value set by the user; the fact it happens to live as part of a DN
is an irrelevant implementation detail which shouldn't be visible in the
values we exchange through the RPC mechanism.

This patch takes the DN as returned by an ldap search and creates a DN
object from it. The DN object allows us to robustly extract the value by
name. The DN object also assures the components in the DN have been
decoded back into normal unicode strings.

There are many other places where we need to properly handle DNs by
using a DN object; this is just one place, the minimum needed to get
commas working in privileges. I'd rather make very small incremental
changes in the DN handling rather than introducing too many changes in
this critical area of the code; let's be conservative at this juncture.
--
John Dennis <jden...@redhat.com>
>From a253c4a907e6f94b8b5193377d4009ddc94a2f20 Mon Sep 17 00:00:00 2001
From: John Dennis <jden...@redhat.com>
Date: Wed, 15 Jun 2011 15:43:26 -0400
Subject: [PATCH 27/27] get_primary_key_from_dn returns decoded value
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
---
ipalib/plugins/baseldap.py | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 7d45525..a832bea 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -33,6 +33,7 @@ from ipalib.cli import to_cli, from_cli
from ipalib import output
from ipalib.text import _
from ipalib.util import json_serialize
+from ipalib.dn import *
global_output_params = (
Str('member',
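Review bot: the wildcard import `from ipalib.dn import *` brings every public name of ipalib.dn into baseldap.py, while the only name the second hunk uses is `DN`. Suggest `from ipalib.dn import DN`, so a later addition to that module cannot silently shadow a name already used in this file and readers can see where `DN` comes from.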
@@ -318,7 +319,9 @@ class LDAPObject(Object):
return ''
except errors.NotFound:
pass
- return dn[len(self.primary_key.name) + 1:dn.find(',')]
+ # DN object assures we're returning a decoded (unescaped) value
+ dn = DN(dn)
+ return dn[self.primary_key.name]
def get_ancestor_primary_keys(self):
if self.parent_object:
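Review bot: the by-name lookup in `return dn[self.primary_key.name]` has no handling for a DN that contains no RDN with that attribute name. The slice it replaces always returned a string, and the only exception caught just above is `errors.NotFound`, so a failed lookup would propagate to the caller. Suggest catching it here or documenting it. `dn = DN(dn)` also rebinds the name the removed line sliced as a string to an object of another type; a separate local name would read more clearly. A regression test with a primary key value containing a comma would pin the behaviour this change exists for.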
--
1.7.4.4
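An added example, not part of the original message and not FreeIPA code: it contrasts the slice removed by the patch with a by-name lookup that decodes RFC 4514 escapes, on a constructed DN whose first RDN value contains a comma. The helper names and the sample DN are hypothetical stand-ins for the `ipalib.dn` DN class, and the example assumes no quoted-string or `#hex` values.

```python
import string

# Constructed sample: a privilege whose name contains a comma, escaped as in a DN.
SAMPLE_DN = 'cn=Read\\, Write Access,cn=privileges,cn=pbac,dc=example,dc=com'

def split_unescaped(text, sep):
    """Split on sep, skipping any separator that follows a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == '\\' and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep the escape pair for later decoding
            i += 2
        elif text[i] == sep:
            parts.append(''.join(buf))
            buf = []
            i += 1
        else:
            buf.append(text[i])
            i += 1
    parts.append(''.join(buf))
    return parts

def unescape_value(value):
    """Decode backslash + char, or backslash + two hex digits (one UTF-8 byte)."""
    out, i = bytearray(), 0
    while i < len(value):
        pair = value[i + 1:i + 3]
        if value[i] == '\\' and len(pair) == 2 and all(c in string.hexdigits for c in pair):
            out.append(int(pair, 16))
            i += 3
        elif value[i] == '\\' and i + 1 < len(value):
            out += value[i + 1].encode('utf-8')
            i += 2
        else:
            out += value[i].encode('utf-8')
            i += 1
    return out.decode('utf-8')

def primary_key_sliced(dn, attr):
    """The expression removed by the patch: cut at the first comma, escaped or not."""
    return dn[len(attr) + 1:dn.find(',')]

def primary_key_decoded(dn, attr):
    """Find the first attribute=value pair named attr and return its decoded value."""
    for rdn in split_unescaped(dn, ','):
        for ava in split_unescaped(rdn, '+'):   # multi-valued RDNs
            name, _, value = ava.partition('=')
            if name.strip().lower() == attr.lower():
                return unescape_value(value)
    raise KeyError(attr)
```

On the sample DN the slice stops at the escaped comma and leaks the backslash, while the decoded lookup returns the name as the user set it.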