https://bugs.openldap.org/show_bug.cgi?id=9817
--- Comment #11 from Ondřej Kuzník ondra@mistotebe.net ---
On Thu, May 19, 2022 at 08:11:49PM +0000, openldap-its@openldap.org wrote:
> https://bugs.openldap.org/show_bug.cgi?id=9817
>
> --- Comment #10 from Thierry PUBELLIER thierry.pubellier@paris.fr ---
> Hi Ondřej,
>
> This could be a very good solution to my issue. Wish it could be added to OpenLDAP in a future release.
> I created a regression script. Please find it attached.
>
> Best regards,
> Thierry

Hi Thierry,
Haven't looked into adopting your script yet but I've now posted a draft MR here if you want to test it some: https://git.openldap.org/openldap/openldap/-/merge_requests/529
What it allows you to do is turn line 5 into something like:
    rwm-rewriteMap escape escapeThisDN escape2filter
    rwm-rewriteRule ".+" "${escapeThisDN($0)}" ":" # make value safe for embedding in a filter assertion
    rwm-rewriteRule ".+" "(&(!(description=TEST))(entryDN=$0))" ":" # construct LDAP filter based on the escaped DN
Or you can chain them if you're parsing a part of a DN (it should even be safe for intermediate values to contain embedded nul bytes so long as the last step escapes them):
    rwm-rewriteMap escape reencodeValue unescapeDN escape2filter # unescape value from DN and escape for use in a filter
    rwm-rewriteRule "^cn=([^,+]*)" "${reencodeValue($0)}" ":" # convert value for embedding in a filter assertion
    rwm-rewriteRule ".+" "(&(!(description=TEST))(cn=$0))" ":" # construct LDAP filter based on the escaped value of cn
Regards,
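
The chained unescapeDN / escape2filter step from the comment above, sketched in Python as an added example (not code from the merge request or from OpenLDAP). The function names mirror the map names, but the implementations are assumptions based on RFC 4514 and RFC 4515, and the sample DN is constructed.

```python
import re

FILTER_SPECIAL = {0x00, 0x28, 0x29, 0x2A, 0x5C}   # NUL ( ) * \  (RFC 4515)
DN_SPECIAL = b' "#+,;<=>\\'                       # RFC 4514 escapable characters
HEXPAIR = re.compile(rb"[0-9A-Fa-f]{2}")


def unescape_dn_value(text: str) -> bytes:
    """Decode one RFC 4514 attribute value string into raw octets."""
    raw, out, i = text.encode("utf-8"), bytearray(), 0
    while i < len(raw):
        if raw[i] != 0x5C:                          # ordinary octet
            out.append(raw[i])
            i += 1
        elif HEXPAIR.fullmatch(raw[i + 1:i + 3]):   # \XX hex pair, may be \00
            out.append(int(raw[i + 1:i + 3], 16))
            i += 3
        elif raw[i + 1:i + 2] and raw[i + 1] in DN_SPECIAL:
            out.append(raw[i + 1])                  # \, \+ \" and similar
            i += 2
        else:
            raise ValueError("invalid escape in DN value")
    return bytes(out)


def escape2filter(value: bytes) -> str:
    """Escape raw octets for use as an RFC 4515 assertion value."""
    return "".join(
        "\\%02x" % b if b in FILTER_SPECIAL or b >= 0x80 else chr(b)
        for b in value
    )


def cn_filter(dn: str) -> str:
    """Build the filter from the comment, using the value of a leading cn."""
    m = re.match(r"cn=([^,+]*)", dn)                # same pattern as the rule above
    if m is None:
        raise ValueError("DN does not start with cn=")
    value = escape2filter(unescape_dn_value(m.group(1)))
    return "(&(!(description=TEST))(cn=%s))" % value


if __name__ == "__main__":
    # Constructed sample DN: literal parentheses, an escaped '*' and an embedded NUL.
    print(cn_filter(r"cn=Ops (EU) \2a\00,ou=groups,dc=example,dc=com"))
```

The intermediate value holds a raw NUL and `*`; only the final escape step makes it safe inside the assertion. A cn value containing an escaped comma or plus is cut short by the `[^,+]*` pattern and is rejected here with ValueError.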