okuznik@symas.com wrote:

Full_Name: Ondrej Kuznik Version: master OS: URL: ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20170125-Deal-with-rDN-correctly.patch Submission from: (NULL) (151.228.185.198)

When an rdn under cn=config needs escaping, incorrect value gets passed to the attribute and, if the attribute is single-value, the entry is rejected by entry_naming_check().

Patch against master is attached.

Why are you running the normalizer in a for-loop:

+ for ( cnt = 0; rDN[cnt]; cnt++ ) {

but always setting value #0?

+ free( a->a_vals[0].bv_val ); + ber_dupbv( &a->a_vals[0], &ava->la_value );

If the RDN is actually a compound with multiple AVAs you need to concatenate them into a single value. Otherwise, if you don't intend to support compound RDNs, there's no point in using a for-loop. Just return an error if there's more than one AVA.