Hello list.
By setting up a Heimdal KDC with an LDAP backend, I found a strange issue: URI-encoding the '/' character seems to be mandatory with OpenLDAP 2.4 clients (at least 2.4.9) now:
[root@stalingrad rousse]# ldapsearch -H ldapi:///var/run/ldap/ldapi
DNS SRV: Could not turn DN="var/run/ldap/ldapi" into a domain
-> NOK
[root@stalingrad rousse]# ldapsearch -H 'ldapi://%2fvar%2frun%2fldap%2fldapi'
-> OK
Is this intentional?
Guillaume Rousse wrote:
> By setting up a Heimdal KDC with an LDAP backend, I found a strange issue: URI-encoding the '/' character seems to be mandatory with OpenLDAP 2.4 clients (at least 2.4.9) now:
Why do you consider this to be strange?
> [root@stalingrad rousse]# ldapsearch -H ldapi:///var/run/ldap/ldapi
> DNS SRV: Could not turn DN="var/run/ldap/ldapi" into a domain
> -> NOK
ldapi:/// translates to an empty host name (here path name) which triggers a DNS SRV lookup for _ldap._tcp.domain.
> [root@stalingrad rousse]# ldapsearch -H 'ldapi://%2fvar%2frun%2fldap%2fldapi'
> -> OK
> Is this intentional?
Yes, I think so. How else should an empty path/host name be detected?
Ciao, Michael.
Michael Ströder <michael@stroeder.com> writes:
> Guillaume Rousse wrote:
>> By setting up a Heimdal KDC with an LDAP backend, I found a strange issue: URI-encoding the '/' character seems to be mandatory with OpenLDAP 2.4 clients (at least 2.4.9) now:
> Why do you consider this to be strange?
>> [root@stalingrad rousse]# ldapsearch -H ldapi:///var/run/ldap/ldapi
>> DNS SRV: Could not turn DN="var/run/ldap/ldapi" into a domain
>> -> NOK
> ldapi:/// translates to an empty host name (here path name) which triggers a DNS SRV lookup for _ldap._tcp.domain.
No, ldapi connects to a named pipe. Slashes (/) are not part of ldapurl but are special characters according to RFC 2396 and have to be escaped by a percent character (%) and are presented by their hex value.
-Dieter
Guillaume Rousse writes:
> URI-encoding the '/' character seems to be mandatory with OpenLDAP 2.4 clients (at least 2.4.9) now:
> (...)
> [root@stalingrad rousse]# ldapsearch -H ldapi:///var/run/ldap/ldapi
> DNS SRV: Could not turn DN="var/run/ldap/ldapi" into a domain
> -> NOK
> [root@stalingrad rousse]# ldapsearch -H 'ldapi://%2fvar%2frun%2fldap%2fldapi'
> -> OK
> Is this intentional?
Yes. Early OpenLDAP had a number of URI parsing bugs, which are hopefully fixed now. This change is a consequence of ITS#4879: Where does the DN begin in ldapi:///foo/bar/cn=xy/z,dc=example,dc=com?
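An added example, not code from this thread or from OpenLDAP's libldap: a deliberately simplified LDAP URI splitter in Python that shows why the two URIs above parse so differently. The first unencoded '/' ends the authority, so `ldapi:///var/run/ldap/ldapi` yields an empty host and "var/run/ldap/ldapi" as the DN, while the percent-encoded form keeps the whole socket path in the host slot; the function names are assumptions.

```python
"""Minimal LDAP URI splitter illustrating why ldapi:// socket paths must be
percent-encoded.  Simplified teaching parser, not OpenLDAP's libldap code."""
from urllib.parse import quote, unquote


def parse_ldap_uri(uri):
    """Split an LDAP URI (RFC 4516 layout) into scheme, host, port and DN.

    For ldapi:// the 'host' slot carries the Unix socket path, so a literal
    '/' inside it is read as the start of the DN component instead.
    """
    scheme, sep, rest = uri.partition("://")
    if not sep or scheme not in ("ldap", "ldaps", "ldapi"):
        raise ValueError("not an LDAP URI: %r" % uri)
    # The first unencoded '/' ends the authority; everything after it is
    # dn[?attrs?scope?filter?extensions].
    authority, _, path = rest.partition("/")
    dn = unquote(path.split("?", 1)[0])
    port = None
    if scheme != "ldapi" and ":" in authority:
        authority, port_s = authority.rsplit(":", 1)
        port = int(port_s)
    return {"scheme": scheme, "host": unquote(authority), "port": port, "dn": dn}


def socket_path(uri):
    """Return the Unix socket path of an ldapi:// URI.

    Mirrors the failure seen in the thread: an empty authority means there is
    no socket to connect to, and the text after 'ldapi:///' has already been
    consumed as a DN.
    """
    parsed = parse_ldap_uri(uri)
    if parsed["scheme"] != "ldapi":
        raise ValueError("not an ldapi URI: %r" % uri)
    if not parsed["host"]:
        raise ValueError("empty socket path; %r was parsed as the DN" % parsed["dn"])
    return parsed["host"]


def ldapi_uri(path):
    """Build a correctly encoded ldapi:// URI; safe="" makes quote() encode '/'."""
    return "ldapi://" + quote(path, safe="")


if __name__ == "__main__":
    for uri in ("ldapi:///var/run/ldap/ldapi",          # the NOK form from the thread
                "ldapi://%2fvar%2frun%2fldap%2fldapi",   # the OK form from the thread
                ldapi_uri("/var/run/ldap/ldapi")):       # generated equivalent
        try:
            print(uri, "->", socket_path(uri))
        except ValueError as err:
            print(uri, "-> NOK:", err)
```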
openldap-software@openldap.org