I am using OpenLDAP client library 2.4.44 on CentOS 7.3, LDAP v3 setting. I am having an issue with LDAP bind when the DN has encoded representation of special characters like é (e acute). Actual DN is CN=mithun,OU=Groupes de Sécurité,DC=mytest,DC=net and when it is sent by the app (frontend) to our backend, it is coming as CN=mithun,OU=Groupes de S\u00e9curit\u00e9,DC=insaaadev,DC=net. Basically, é comes encoded as \u00e9 which is as per the encoding mentioned here https://www.fileformat.info/info/unicode/char/e9/index.htm
To further try out, I directly hardcoded the DN to CN=mithun,OU=Groupes de S\u00e9curit\u00e9,DC=mytest,DC=net and that worked fine. I want to understand why it fails when the DN in the same format comes from the frontend app. Appreciate your help, thanks.
radiatejava wrote:
> I am using OpenLDAP client library 2.4.44 on CentOS 7.3, LDAP v3 setting. I am having an issue with LDAP bind when the DN has encoded representation of special characters like é (e acute). Actual DN is CN=mithun,OU=Groupes de Sécurité,DC=mytest,DC=net and when it is sent by the app (frontend) to our backend, it is coming as CN=mithun,OU=Groupes de S\u00e9curit\u00e9,DC=insaaadev,DC=net. Basically, é comes encoded as \u00e9 which is as per the encoding mentioned here https://www.fileformat.info/info/unicode/char/e9/index.htm
That is not a valid encoding for LDAP. Read RFC4511.
> To further try out, I directly hardcoded the DN to CN=mithun,OU=Groupes de S\u00e9curit\u00e9,DC=mytest,DC=net and that worked fine. I want to understand why it fails when the DN in the same format comes from the frontend app. Appreciate your help, thanks.
On Sun, Jan 31, 2021 at 5:49 PM Howard Chu <hyc@symas.com> wrote:
> That is not a valid encoding for LDAP. Read RFC4511.
Thanks for responding but did not get you fully. RFC 4511 talks about BER and ASN.1 encodings but here my issue is with the actual value or the data. BER and ASN.1 encoding should be taken care of by the LDAP client library, right? For me it works fine when I hard code the DN to CN=mithun,OU=Groupes de S\u00e9curit\u00e9,DC=insaaadev,DC=net. It is just that when the same value is coming from frontend, it is not working.
If you do not mind, can you please tell me what should be the encoded value for CN=mithun,OU=Groupes de Sécurité,DC=mytest,DC=net ? Basically what is expected here for the ldap client?
Thanks
On 2/2/21 2:56 AM, radiatejava wrote:
> On Sun, Jan 31, 2021 at 5:49 PM Howard Chu <hyc@symas.com> wrote:
>> That is not a valid encoding for LDAP. Read RFC4511.
> Thanks for responding but did not get you fully. RFC 4511 talks about BER and ASN.1 encodings but here my issue is with the actual value or the data. BER and ASN.1 encoding should be taken care of by the LDAP client library, right?
Right.
> For me it works fine when I hard code the DN to CN=mithun,OU=Groupes de S\u00e9curit\u00e9,DC=insaaadev,DC=net.
Have a look at definition of valid LDAP string representations:
https://tools.ietf.org/html/rfc4514
> It is just that when the same value is coming from frontend, it is not working.
Fix your frontend. It seems to send a runtime-specific string representation which is not a valid DN string representation as per RFC 4514.
> If you do not mind, can you please tell me what should be the encoded value for CN=mithun,OU=Groupes de Sécurité,DC=mytest,DC=net ?
If you encode
CN=mithun,OU=Groupes de Sécurité,DC=mytest,DC=net
as valid UTF-8 everything should be just fine. At minimum you must properly escape some special chars when generating DN parts from arbitrary input values. Most LDAP libraries have decent functions for this.
Ciao, Michael.
On 1/31/21 9:55 PM, radiatejava wrote:
> I am using OpenLDAP client library 2.4.44 on CentOS 7.3, LDAP v3 setting. I am having an issue with LDAP bind when the DN has encoded representation of special characters like é (e acute). Actual DN is CN=mithun,OU=Groupes de Sécurité,DC=mytest,DC=net and when it is sent by the app (frontend) to our backend, it is coming as CN=mithun,OU=Groupes de S\u00e9curit\u00e9,DC=insaaadev,DC=net.
This looks like some application-side munging of the DN, like e.g. a Python string-representation of the Unicode character entities. Sending this string to any LDAP server out there will not work.
Python 3.8.6 (default, Nov 09 2020, 12:09:06)
>>> 'CN=mithun,OU=Groupes de S\u00e9curit\u00e9,DC=insaaadev,DC=net'
'CN=mithun,OU=Groupes de Sécurité,DC=insaaadev,DC=net'
Ciao, Michael.
openldap-technical@openldap.org
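
The two points made in the replies above, as an added example that is not part of the thread or of any OpenLDAP code: the backend receives six literal ASCII characters where é should be, and a DN string must be real UTF-8 with attribute values escaped per RFC 4514. The function names are hypothetical, and the cause assumed here (the frontend's string was escaped once too often) follows the last reply rather than anything the original poster confirmed.

```python
import re

_U_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")

def decode_u_escapes(text: str) -> str:
    """Replace literal backslash-u sequences (six ASCII characters each)
    with the character they name. Assumes the input was JSON/JS-escaped
    once too often; a DN that really contains a backslash followed by
    'u' and four hex digits would be altered by this."""
    decoded = _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    # Escapes above U+FFFF arrive as surrogate pairs; join them. A lone
    # surrogate raises UnicodeDecodeError here instead of reaching LDAP.
    return decoded.encode("utf-16", "surrogatepass").decode("utf-16")

def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in a DN string (RFC 4514)."""
    out = []
    for ch in value:
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)          # non-ASCII such as é stays as-is
    escaped = "".join(out)
    if escaped.startswith((" ", "#")):
        escaped = "\\" + escaped
    if len(value) > 1 and value.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped

def build_dn(rdns) -> str:
    """Join (attribute type, raw value) pairs into a DN string."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)

# Constructed input: the DN from the thread as the backend receives it,
# with each é replaced by the six characters \ u 0 0 e 9.
RECEIVED = "CN=mithun,OU=Groupes de S\\u00e9curit\\u00e9,DC=mytest,DC=net"

if __name__ == "__main__":
    dn = decode_u_escapes(RECEIVED)
    print(dn)
    print(dn.encode("utf-8"))       # bytes the LDAP client should be given
    print(build_dn([("CN", "Smith, John"), ("OU", "Groupes de Sécurité"),
                    ("DC", "mytest"), ("DC", "net")]))
```

Decoding on the backend is a stopgap; the replies above place the fix in the frontend, which should send the DN as UTF-8 in the first place.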