Topic: Special Characters both in DN and Filter

Author: eLDAP member (offline)
posts: 107
joined: 08/02/2006
from: Austin, TX

Special Characters both in DN and Filter
Those characters which are special in a DN must be escaped with a backslash '\'. Then a problem arises: what if the escaped DN is used in a filter, where the character '\' is considered a special char as well?
User Account
Let's take a look at an example. Here comes a person whose last name is "Smith" and first name is "J\oh=n" (yes, two extra characters '\' and '=' inside). The account for this person should be as follows:
dn: uid=Smith\, J\\oh\=n,cn=users,dc=example
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
givenName: J\oh=n
sn: Smith
uid: Smith, J\oh=n
In terms of the DN, the value of uid is "Smith, J\oh=n", which contains three special characters ',', '\', and '='. After being escaped, the DN of this account is "uid=Smith\, J\\oh\=n,cn=users,dc=example".
Group Account
The group to which the user belongs is:
dn: cn=special users,ou=groups,dc=example
objectclass: top
objectclass: groupofuniquenames
cn: special users
ou: groups
uniquemember: uid=Smith\, J\\oh\=n,cn=users,dc=example
uniquemember: uid=Joe Smith,cn=users,dc=example
How to find the user?
ldapsearch -h localhost -p 389 -b "cn=users,dc=example" -s sub "(uid=Smith, J\5coh=n)"
Here in the filter (uid: Smith, J\oh=n), ',' and '=' are normal chars and only '\' is special, and hence must be encoded as '\5c'.
The search should succeed and return the result:
dn: uid=Smith\, J\\oh\=n,cn=users,dc=example
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
givenName: J\oh=n
sn: Smith
uid: Smith, J\oh=n
How to bind with the user account?
ldapsearch -h localhost -p 389 -D "uid=Smith\, J\\oh\=n,cn=users,dc=example" -w secret -b "cn=users,dc=example" -s sub "(uid=Smith, John)"
Here, all three chars ',', '\' and '=' must be escaped with '\'.
How to check if the user belongs to a certain group?
ldapsearch -h localhost -p 389 -b "ou=groups,dc=example" -s sub "(uniquemember=uid=Smith\5c, J\5c\5coh\5c=n,cn=users,dc=example)"
Here, uniquemember is a DN-type attribute and the value is "uid=Smith\, J\\oh\=n,cn=users,dc=example". Now, when the DN serves as a filter value, all backslashes '\' must be encoded as '\5c', i.e. "(uniquemember=uid=Smith\5c, J\5c\5coh\5c=n,cn=users,dc=example)" -- no matter whether it is a real backslash (the one before 'oh') or an escaping backslash (the other three).
The command should succeed and return the result:
dn: cn=special users,ou=groups,dc=example
objectclass: top
objectclass: groupofuniquenames
cn: special users
ou: groups
uniquemember: uid=Smith\, J\\oh\=n,cn=users,dc=example
uniquemember: uid=Joe Smith,cn=users,dc=example
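The two escaping layers the thread walks through (RFC 4514 for values inside a DN, RFC 4515 for assertion values inside a filter), as an added example that is not part of the original posts. The function names are my own; the uid "Smith, J\oh=n" is the constructed value from the thread, and '=' is escaped in the DN because the posts do so (RFC 4514 permits escaping it but does not require it).

```python
"""Escape LDAP values twice, the way the thread describes:
RFC 4514 for an attribute value inside a DN, RFC 4515 for an
assertion value inside a search filter. When a DN is itself the
assertion value (uniquemember=...), both layers apply in turn."""

# Characters that must be escaped inside a DN value; '=' is optional
# per RFC 4514 but the thread escapes it, so we do too.
DN_SPECIAL = set('"+,;<>\\=')
# RFC 4515: only these need hex encoding inside a filter value.
FILTER_HEX = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use as an RDN value (RFC 4514, 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:            # leading '#' would mean a hex-encoded value
            out.append('\\#')
        elif ch == ' ' and i in (0, last):    # leading/trailing space is significant
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    return ''.join(FILTER_HEX.get(ch, ch) for ch in value)


def build_dn(rdn_attr: str, rdn_value: str, parent: str) -> str:
    return f"{rdn_attr}={escape_dn_value(rdn_value)},{parent}"


def user_filter(uid: str) -> str:
    """Filter on a plain attribute: ',' and '=' stay, only '\\' becomes \\5c."""
    return f"(uid={escape_filter_value(uid)})"


def member_filter(member_dn: str) -> str:
    """Filter on a DN-syntax attribute: the already DN-escaped string is the
    assertion value, so every backslash in it (real or escaping) becomes \\5c."""
    return f"(uniquemember={escape_filter_value(member_dn)})"


if __name__ == '__main__':
    uid = 'Smith, J\\oh=n'                     # constructed value from the thread
    dn = build_dn('uid', uid, 'cn=users,dc=example')
    print(dn)                 # uid=Smith\, J\\oh\=n,cn=users,dc=example
    print(user_filter(uid))   # (uid=Smith, J\5coh=n)
    print(member_filter(dn))  # (uniquemember=uid=Smith\5c, J\5c\5coh\5c=n,cn=users,dc=example)
```

Building the filter from the raw value rather than by hand is what prevents a value like "J\oh=n" from being read as filter syntax, which is the same mechanism that stops filter injection from user-supplied input.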