Subject: Equal sign '=' must be treated as special character for JNDI Compare to work
Author: JNDI
In response to: 3 Ways to input filter in JDNI for special characters
Posted on: 02/15/2011 08:08:56 PM
[JNDI DOC]:
The LDAP "compare" operation allows a client to ask the server whether the named entry has an attribute/value pair. This allows the server to keep certain attribute/value pairs secret (i.e., not exposed for general "search" access) while still allowing the client limited use of them. Some servers might use this feature for passwords, for example, although it is insecure for the client to pass clear-text passwords in the "compare" operation itself.
To accomplish this in the JNDI, use suitably constrained arguments for the following methods:
search(Name name, String filter, SearchControls ctls)
First, the filter must be of the form "(name=value)". You cannot use wildcards. Second, the search scope must be SearchControls.OBJECT_SCOPE. Finally, you must request that no attributes be returned. If these criteria are not met, then these methods will use an LDAP "search" operation instead of an LDAP "compare" operation. See the Context Search Methods section for information on how to avoid a common error when constructing and using string filters.
Here's an example that causes an LDAP "compare" operation to be used.
// Value of the attribute
String filter = "(<name>=<value>)";
// Set up the search controls
SearchControls ctls = new SearchControls();
ctls.setReturningAttributes(new String[0]); // Return no attrs
ctls.setSearchScope(SearchControls.OBJECT_SCOPE); // Search object only
// Invoke search method that will use the LDAP "compare" operation
NamingEnumeration answer = ctx.search("<base_dn>", filter, ctls);
If the compare is successful, the resulting enumeration will contain a single item whose name is the empty name and which contains no attributes.
Notice that the <value> may contain characters ('*','(',')','\','NULL') which are special for filter based on RFC-2254. The equal sign '=' is not defined there, but it MUST treated as special char.
For example:
String filter = "(uniqueMember=CN\\3Dgroup,DC\\3Dexample,DC\\3Dcom)";
is going to trigger
"compare" operation.
The unescaped equal sign:
String filter = "(uniqueMember=CN=group,DC=example,DC=com)";
is going to trigger
"search" operation, which is wrong.
By the way:
String filter = "(attr_not_exist=CN\\3Dgroup,DC\\3Dexample,DC\\3Dcom)";
is going to trigger
"compare" operation which returns
javax.naming.directory.NoSuchAttributeException.
String filter = "(attr_not_exist=CN=group,DC=example,DC=com)";
is going to trigger
"search" operation which returns empty result set without any error.
>
> On 03/08/2010 08:17:11 PM
JNDI wrote:
The following is a sample of JNDI doing filter search.
public static void main(String[] args)
{
Hashtable env = new Hashtable(11);
env.put(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://myServer.mycompany.com:389");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "user");
env.put(Context.SECURITY_CREDENTIALS, "password");
DirContext ctx = null;
try {
ctx = new InitialDirContext(env);
SearchControls ctls = new SearchControls();
String base_dn = "dc=example,dc=com";
String filter = "(objectclass=*)";
NamingEnumeration enu = ctx.search(base_dn,filter,ctls);
while(enu.hasMore()){
SearchResult sr = (SearchResult)enu.next();
System.out.println("rdn='" +sr.getName()+"'");
}
}catch(NamingException e){
e.printStackTrace();
}finally{
try{
ctx.close();
}catch(Exception e){
}
}
}
For an user in directory server with surename (sn) being 'Leé', the actual format in the storage is:
The exactly matching filter to bring out the user can be written in three different ways:
1) Simlply type in the special character if your keyboard allows:
String filter = "(sn=Leé)";
2) Type in the unicode of the special character:
String filter = "(sn=Le\u00E9)";
3) Type in the UTF-8 string representation of the escaped special character as in the RFC 2254:
String filter = "(sn=Le\C3\A9)";
References:
