https://bugs.openldap.org/show_bug.cgi?id=9817

          Issue ID: 9817
           Summary: rwm overlay : Issue with DN containing special
                    characters
           Product: OpenLDAP
           Version: unspecified
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Keywords: needs_review
          Severity: normal
          Priority: ---
         Component: overlays
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Hi,

I'm using rwm to select the database used for bind operations based on the
result of a rewriteMap request.

Sample configuration in global section:
    #Rewrite Map to request a remote server
    rwm-rewriteMap ldap checkEntry "ldap://10.1.2.3/ou=users,dc=paris,dc=local?dn?sub"; binddn="cn=myuser,ou=users,dc=paris,dc=local" credentials="XXX"
    # Backing up original DN
    rwm-rewriteRule     ".+" "${&binddn($0)}$0" ":"
    # Constructing LDAP filter for remote search. Combined with a rewrite map, the requested DN is returned if there is a match.
    rwm-rewriteRule     ".+" "(&(!(description=TEST))(distinguishedName=$0))" ":"
    # If filter matches, end of rewriting. Going to 'dc=paris,dc=local' database
    rwm-rewriteRule ".+" "${checkIfPasswordExpiredDN($0)}" ":@I"
    # Otherwise, restoring the original DN.
    rwm-rewriteRule ".+" "${*binddn}" ":"
    # And final DN massaging from "dc=paris,dc=local" to "dc=paris,dc=local2" database
    rwm-rewriteRule "(.+,)?ou=users,dc=paris,dc=local$" "$1ou=users,dc=paris,dc=local2" ":@"

Everything goes fine until I use a DN with special characters, like ',' or '['.
For example: 'cn=Pubellier\, Thierry (TEST),ou=users,dc=paris,dc=local'

In this case, the rwm-rewriteRule constructs an LDAP filter with incorrect
syntax, as special characters are not being escaped.

I have to use some ugly tricks to escape these characters, as shown below:
    #Rewrite Map to request a remote server
    rwm-rewriteMap ldap checkEntry "ldap://10.1.2.3/ou=users,dc=paris,dc=local?dn?sub"; binddn="cn=myuser,ou=users,dc=paris,dc=local" credentials="XXX"
    # Backing up original DN
    rwm-rewriteRule     ".+" "${&binddn($0)}$0" ":"
    # Rewriting for ','
    rwm-rewriteRule     "(.+).\2C(.+)" "$1\\,$2"
    # Adding a special '#' suffix (asserting it is in none of my DNs) for special characters, in order to escape them without looping forever
    rwm-rewriteRule     "(.*)([)*(\\])([^#].*|$)" "$1$2#$3"
    # Escaping of special characters with dedicated '#' suffix, avoiding infinite loops
    rwm-rewriteRule     "(.*)([)*(\\])#(.*)" "$1\\$2$3"
    # Constructing LDAP filter for remote search. Combined with a rewrite map, the requested DN is returned if there is a match.
    rwm-rewriteRule     ".+" "(&(!(description=TEST))(distinguishedName=$0))" ":"
    # If filter matches, end of rewriting. Going to 'dc=paris,dc=local' database
    rwm-rewriteRule ".+" "${checkIfPasswordExpiredDN($0)}" ":@I"
    # Otherwise, restoring the original DN.
    rwm-rewriteRule ".+" "${*binddn}" ":"
    # And final DN massaging from "dc=paris,dc=local" to "dc=paris,dc=local2" database
    rwm-rewriteRule "(.+,)?ou=users,dc=paris,dc=local$" "$1ou=users,dc=paris,dc=local2" ":@"

Could there be a way to integrate the LDAP escape mechanism when making a
variable assignment (like using a '#' character in place of the usual '&')?

Thanks in advance,

Best regards,

Thierry
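The failure the report describes is a DN being substituted verbatim into a search filter, where RFC 4515 requires '\', '*', '(', ')' and NUL in an assertion value to appear as \XX hex escapes. The following is an added example, not part of the issue and not slapo-rwm code: it escapes the DN quoted in the report (SAMPLE_DN), builds the same "(&(!(description=TEST))(distinguishedName=...))" filter with and without escaping, and runs a small recursive-descent checker (a subset of the RFC 4515 grammar, covering and/or/not and attr=value items) that rejects the unescaped form. All function names are this example's own.

```python
"""Escaping a DN for safe interpolation into an LDAP search filter (RFC 4515).

Added example, not part of the OpenLDAP issue or of slapo-rwm itself. It
reproduces the failure the report describes (a DN containing '\\', '(' or ')'
dropped raw into "(distinguishedName=...)") and shows the escaped form a
rewrite engine would need to produce. SAMPLE_DN is the DN quoted in the report.
"""
from __future__ import annotations

# DN from the report; in string form the comma is backslash-escaped (RFC 4514).
SAMPLE_DN = "cn=Pubellier\\, Thierry (TEST),ou=users,dc=paris,dc=local"

# RFC 4515 section 3: these must appear as \XX inside an assertion value.
_FILTER_SPECIALS = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
_HEX = set("0123456789abcdefABCDEF")


def escape_filter_value(value: str) -> str:
    """Return `value` encoded as an RFC 4515 assertion value.

    Specials are replaced by their \\XX form; control and non-ASCII characters
    are emitted as escaped UTF-8 bytes, which RFC 4515 always permits.
    """
    out: list[str] = []
    for ch in value:
        if ch in _FILTER_SPECIALS:
            out.append(_FILTER_SPECIALS[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_dn_filter(dn: str, escape: bool = True) -> str:
    """Build the filter the report's rewrite rule produces, with or without escaping."""
    value = escape_filter_value(dn) if escape else dn
    return f"(&(!(description=TEST))(distinguishedName={value}))"


def _parse(filt: str, i: int) -> int:
    """Check one filter starting at filt[i] and return the index just past its
    closing ')'. Handles and/or/not and simple attr=value items; raises
    ValueError where the grammar is violated."""
    n = len(filt)
    if i >= n or filt[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= n:
        raise ValueError("unexpected end of filter")
    if filt[i] in "&|":
        i += 1
        if i >= n or filt[i] != "(":
            raise ValueError("and/or needs at least one nested filter")
        while i < n and filt[i] == "(":
            i = _parse(filt, i)
    elif filt[i] == "!":
        i = _parse(filt, i + 1)
    else:
        start = i
        while i < n and filt[i] not in "=()":
            i += 1
        if i == start or i >= n or filt[i] != "=":
            raise ValueError(f"malformed attribute description at offset {start}")
        i += 1
        # Assertion value: raw '(' and ')' are forbidden, and a backslash must
        # introduce exactly two hex digits. This is what breaks when a DN such
        # as SAMPLE_DN is substituted without escaping.
        while i < n and filt[i] not in "()":
            if filt[i] == "\\":
                pair = filt[i + 1:i + 3]
                if len(pair) != 2 or not set(pair) <= _HEX:
                    raise ValueError(f"bad escape sequence at offset {i}")
                i += 3
            else:
                i += 1
    if i >= n or filt[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def filter_is_well_formed(filt: str) -> bool:
    """True if `filt` is a syntactically valid RFC 4515 filter (subset above)."""
    try:
        return _parse(filt, 0) == len(filt)
    except ValueError:
        return False


if __name__ == "__main__":
    for escape in (False, True):
        f = build_dn_filter(SAMPLE_DN, escape=escape)
        print(f"escape={escape}: {f}\n  well-formed: {filter_is_well_formed(f)}")
```

Running it prints the raw filter, which the checker rejects at the "\," sequence, and the escaped filter, in which the DN becomes "cn=Pubellier\5c, Thierry \28TEST\29,ou=users,dc=paris,dc=local". Note that RFC 4515 specifies the two-hex-digit form rather than a backslash placed before the character itself; the report's workaround rules emit the latter, and whether slapd's filter parser accepts that form is not something the report establishes.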
