Hi
When feeding an LDAP URI to ldap_url_parse(), I understand some characters may need to be escaped in filters in order to get a literal:
    * => \2a
    ( => \28
    ) => \29
    \ => \5c
    / => \2f
Reading the man page, I understand %-encoding is not mandatory, but it is of course required for ?, and obviously for %.
    ? -> %3F
    % -> %25
Are there other characters that should be %-encoded?
On Thu, 20 Sep 2012, Emmanuel Dreyfus wrote:
When feeding an LDAP URI to ldap_url_parse(), I understand some characters may need to be escaped in filters in order to get a literal:
    * => \2a
    ( => \28
    ) => \29
    \ => \5c
    / => \2f
Reading the man page, I understand %-encoding is not mandatory, but it is of course required for ?, and obviously for %.
    ? -> %3F
    % -> %25
Are there other characters that should be %-encoded?
From RFC 4516, LDAP: Uniform Resource Locator, section 2.1:
An octet MUST be encoded using the percent-encoding mechanism described in section 2.1 of [RFC3986] in any of these situations:
The octet is not in the reserved set defined in section 2.2 of [RFC3986] or in the unreserved set defined in section 2.3 of [RFC3986].
It is the single Reserved character '?' and occurs inside a <dn>, <filter>, or other element of an LDAP URL. ...
From RFC 3986, URI Generic Syntax, section 2.2 and section 2.3:
    reserved    = gen-delims / sub-delims
    gen-delims  = ":" / "/" / "?" / "#" / "[" / "]" / "@"
    sub-delims  = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
    unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"
So, you have to percent-encode all non-graphical characters (0x00 through 0x20 and 0x7f through 0xff), as well as:
    " -> %22
    % -> %25
    < -> %3c
    > -> %3e
    ? -> %3f
    \ -> %5c
    ^ -> %5e
    ` -> %60
    { -> %7b
    | -> %7c
    } -> %7d
Philip Guenther
Philip Guenther guenther+ldaptech@sendmail.com wrote:
So, you have to percent-encode all non-graphical characters (0x00 through 0x20 and 0x7f through 0xff), as well as:
    " -> %22
    % -> %25
    < -> %3c
    > -> %3e
    ? -> %3f
    \ -> %5c
    ^ -> %5e
    ` -> %60
    { -> %7b
    | -> %7c
    } -> %7d
You include ? in the list, but in many examples I have seen, we have a ? unencoded in an LDAP URI. I understand ? needs special treatment when it is part of a dn, filter, or attribute name, and it must not be confused with the ? as URI part delimiter.
But in that situation, should we use \3f or %3f, or %5c3f?
On Fri, 21 Sep 2012, Emmanuel Dreyfus wrote:
Philip Guenther guenther+ldaptech@sendmail.com wrote:
So, you have to percent-encode all non-graphical characters (0x00 through 0x20 and 0x7f through 0xff), as well as:
    " -> %22
    % -> %25
    < -> %3c
    > -> %3e
    ? -> %3f
    \ -> %5c
    ^ -> %5e
    ` -> %60
    { -> %7b
    | -> %7c
    } -> %7d
You include ? in the list, but in many examples I have seen, we have a ? unencoded in an LDAP URI.
You asked what characters in an LDAP search filter have to be percent encoded when including that search filter in an LDAP URI. That's the question I answered above.
I cannot figure out what those "many example" have to do with your question or my answer. Perhaps citing one of those examples and explaining how you think there's a conflict would help.
Philip Guenther
Philip Guenther guenther+ldaptech@sendmail.com wrote:
You asked what characters in an LDAP search filter have to be percent encoded when including that search filter in an LDAP URI. That's the question I answered above.
Oh, right, there was some misunderstanding, I thought you were talking about escaping characters in the whole URI. If we only talk about the filter, then everything makes sense.
But I am still puzzled about whether I should use \3f or %3f, or %5c3f for a literal ?
On Fri, 21 Sep 2012, Emmanuel Dreyfus wrote:
Philip Guenther guenther+ldaptech@sendmail.com wrote:
You asked what characters in an LDAP search filter have to be percent encoded when including that search filter in an LDAP URI. That's the question I answered above.
Oh, right, there was some misunderstanding, I thought you were talking about escaping characters in the whole URI. If we only talk about the filter, then everything makes sense.
But I am still puzzled about whether I should use \3f or %3f, or %5c3f for a literal ?
If you have to ask that question, you're doing it wrong.
1) You start with a search filter encoded according to the rules in RFC 4515.
2) To encode *that string* inside the filter part of an LDAP URL, follow the rules in RFC 4516.
So: imagine your search filter is this:
    (cn=Bob ?)
which is the *exact same filter* as this:
    (cn=Bob \3f)
Those both follow the rules of RFC 4515, and have the *same meaning*.
To encode those in a URL, you have to percent-escape two of the characters in each. In this filter:
    (cn=Bob ?)
the space and the '?' must be encoded, so it would show up in a URL like this:
    ldap://ldap.example.com/???(cn=Bob%20%3f)
In this filter:
    (cn=Bob \3f)
*which has the same meaning as the previous one*, the space and the backslash must be encoded, so it would show up in a URL like this:
    ldap://ldap.example.com/???(cn=Bob%20%5c3f)
Philip Guenther
On Thu, Sep 20, 2012 at 10:21:12PM -0700, Philip Guenther wrote:
So: imagine your search filter is this: (cn=Bob ?) which is the *exact same filter* as this: (cn=Bob \3f)
(...)
ldap://ldap.example.com/???(cn=Bob%20%3f)
(...)
ldap://ldap.example.com/???(cn=Bob%20%5c3f)
Thanks, everything is clear now.
On Fri, Sep 21, 2012 at 07:42:53AM +0000, Emmanuel Dreyfus wrote:
On Thu, Sep 20, 2012 at 10:21:12PM -0700, Philip Guenther wrote:
So: imagine your search filter is this: (cn=Bob ?) which is the *exact same filter* as this: (cn=Bob \3f)
(...) Thanks, everything is clear now.
Not quite, I have one more concern: if * and \2a have the same meaning, how do I specify a literal * (that is, * not being a wildcard)?
On 9/21/12 2:18 PM, Emmanuel Dreyfus wrote:
On Fri, Sep 21, 2012 at 07:42:53AM +0000, Emmanuel Dreyfus wrote:
On Thu, Sep 20, 2012 at 10:21:12PM -0700, Philip Guenther wrote:
So: imagine your search filter is this: (cn=Bob ?) which is the *exact same filter* as this: (cn=Bob \3f)
(...) Thanks, everything is clear now.
Not quite, I have one more concern: if * and \2a have the same meaning, how do I specify a literal * (that is, * not being a wildcard)?
'*' is different from '?'. '*' has a meaning in a filter (as do '\', '(', ')' and NUL).
In a filter, (cn=Bob *) is different from (cn=Bob \2A). The former does a substring search, the second searches for any entry having "Bob *" as a cn.
On Fri, 21 Sep 2012, Emmanuel Dreyfus wrote:
On Fri, Sep 21, 2012 at 07:42:53AM +0000, Emmanuel Dreyfus wrote:
On Thu, Sep 20, 2012 at 10:21:12PM -0700, Philip Guenther wrote:
So: imagine your search filter is this: (cn=Bob ?) which is the *exact same filter* as this: (cn=Bob \3f)
(...) Thanks, everything is clear now.
Not quite, I have one more concern: if * and \2a have the same meaning, how do I specify a literal * (that is, * not being a wildcard)?
You need to read RFC 4515. It even has an *example* about matching literal '*' characters!
Philip Guenther
Philip Guenther guenther+ldaptech@sendmail.com wrote:
Not quite, I have one more concern: if * and \2a have the same meaning, how do I specify a literal * (that is, * not being a wildcard)?
You need to read RFC 4515. It even has an *example* about matching literal '*' characters!
This is what I initially understood: * and \2a do not have the same meaning. But the example does not tell everything: if I understand the whole thing correctly (escape + %-encoding), if I want to match a literal * I should use %5c2a.
Is that correct?
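The two-step procedure Philip describes above (RFC 4515 escaping of the filter first, then RFC 4516 percent-encoding of the filter inside the URL), together with the literal '*' case asked about in the last message, worked through as an added Python example. This is not code from the thread or from OpenLDAP's ldap_url_parse(); the host name is the thread's ldap.example.com and the URL keeps its empty dn, attributes and scope fields.

```python
# Added example: two-layer encoding of an LDAP search filter for an LDAP URL.
# Step 1 applies RFC 4515 escaping inside assertion values; step 2 applies the
# RFC 4516 / RFC 3986 percent-encoding to the finished filter string.
# Not code from the thread or from OpenLDAP.

# RFC 4515: these octets must be escaped inside an assertion value to be literal.
_RFC4515_ESCAPE = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}

# RFC 3986 section 2.2 / 2.3 character sets, as quoted in the thread.
_UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
_RESERVED = set(":/?#[]@!$&'()*+,;=")


def escape_filter_value(value: str) -> str:
    """Step 1: escape one assertion value so every character matches literally.

    Applied to untrusted input, this is also what stops a value such as
    '*)(uid=*' from adding its own filter components (LDAP filter injection).
    """
    return "".join(_RFC4515_ESCAPE.get(ch, ch) for ch in value)


def equality_filter(attr: str, value: str) -> str:
    """Build an RFC 4515 equality filter, e.g. (cn=Bob \\2a) for the value 'Bob *'."""
    return f"({attr}={escape_filter_value(value)})"


def percent_encode_filter(filt: str) -> str:
    """Step 2: percent-encode a filter string for the <filter> part of an LDAP URL.

    RFC 4516 keeps reserved and unreserved octets as-is, except '?', which
    delimits the URL fields and so is encoded although RFC 3986 reserves it.
    """
    out = []
    for byte in filt.encode("utf-8"):
        ch = chr(byte)
        if ch in _UNRESERVED or (ch in _RESERVED and ch != "?"):
            out.append(ch)
        else:
            out.append(f"%{byte:02x}")  # space -> %20, '\\' -> %5c, '%' -> %25
    return "".join(out)


def ldap_search_url(host: str, filt: str) -> str:
    """Same URL shape as the thread: empty dn, attributes and scope fields."""
    return f"ldap://{host}/???{percent_encode_filter(filt)}"


if __name__ == "__main__":
    print(percent_encode_filter("(cn=Bob ?)"))     # (cn=Bob%20%3f)
    print(percent_encode_filter(r"(cn=Bob \3f)"))  # (cn=Bob%20%5c3f)
    # A literal '*' passes through both layers: * -> \2a -> %5c2a
    print(ldap_search_url("ldap.example.com", equality_filter("cn", "Bob *")))
```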
I'm having trouble keeping my servers connected to our openLDAP server.
All through syslog I see messages like this:
Sep 26 14:06:01 hostname nslcd[930]: [2aeb87] connected to LDAP server ldaps://ldap.domain.com/
Sep 26 14:07:01 hostname nslcd[930]: [aae0a3] ldap_result() failed: Can't contact LDAP server
Sep 26 14:07:01 hostname nslcd[930]: [74310e] ldap_result() failed: Can't contact LDAP server
Sep 26 14:07:01 hostname nslcd[930]: [aae0a3] ldap_abandon() failed to abandon search: Other (e.g., implementation specific) error
Sep 26 14:07:01 hostname nslcd[930]: [b2a65f] ldap_result() failed: Can't contact LDAP server
Sep 26 14:07:01 hostname nslcd[930]: [b2a65f] ldap_abandon() failed to abandon search: Other (e.g., implementation specific) error
Sep 26 14:07:01 hostname nslcd[930]: [74310e] ldap_abandon() failed to abandon search: Other (e.g., implementation specific) error
Sep 26 14:07:01 hostname nslcd[930]: [73c9b8] ldap_result() failed: Can't contact LDAP server
Sep 26 14:07:01 hostname nslcd[930]: [73c9b8] ldap_abandon() failed to abandon search: Other (e.g., implementation specific) error
Sep 26 14:07:01 hostname nslcd[930]: [73c9b8] connected to LDAP server ldaps://ldap.domain.com/
I'm at the point where I want to start blaming the server, but this is happening on all the new servers I am bringing up (Ubuntu 10.04) and not on the older servers (8.04). Everything seems fine and we can sudo and su with our LDAP accounts, and then out of nowhere "so-and-so is not in the sudoers file". A simple "id user" re-establishes the connection and all is well again for a while.
Has anyone else run into this and finally, permanently made it work?
http://ubuntuforums.org/showthread.php?t=1633524
http://lists.arthurdejong.org/nss-pam-ldapd-users/2011/msg00082.html
My fix was to "apt-get source nslcd" on a Debian Squeeze box, then use those files to build a new deb on Ubuntu and shove the result in my repository. Presto, working nslcd on Ubuntu 10.04.
On Wed, Sep 26, 2012 at 04:46:30PM -0400, Adam Wolfe wrote:
I'm having trouble keeping my servers connected to our openLDAP server.
All through syslog I see messages like this:
Sep 26 14:06:01 hostname nslcd[930]: [2aeb87] connected to LDAP server ldaps://ldap.domain.com/
Sep 26 14:07:01 hostname nslcd[930]: [aae0a3] ldap_result() failed: Can't contact LDAP server
Sep 26 14:07:01 hostname nslcd[930]: [74310e] ldap_result() failed: Can't contact LDAP server
Sep 26 14:07:01 hostname nslcd[930]: [aae0a3] ldap_abandon() failed to abandon search: Other (e.g., implementation specific) error
Sep 26 14:07:01 hostname nslcd[930]: [b2a65f] ldap_result() failed: Can't contact LDAP server
Sep 26 14:07:01 hostname nslcd[930]: [b2a65f] ldap_abandon() failed to abandon search: Other (e.g., implementation specific) error
Sep 26 14:07:01 hostname nslcd[930]: [74310e] ldap_abandon() failed to abandon search: Other (e.g., implementation specific) error
Sep 26 14:07:01 hostname nslcd[930]: [73c9b8] ldap_result() failed: Can't contact LDAP server
Sep 26 14:07:01 hostname nslcd[930]: [73c9b8] ldap_abandon() failed to abandon search: Other (e.g., implementation specific) error
Sep 26 14:07:01 hostname nslcd[930]: [73c9b8] connected to LDAP server ldaps://ldap.domain.com/
I'm at the point where I want to start blaming the server, but this is happening on all the new servers I am bringing up (Ubuntu 10.04) and not on the older servers (8.04). Everything seems fine and we can sudo and su with our LDAP accounts, and then out of nowhere "so-and-so is not in the sudoers file". A simple "id user" re-establishes the connection and all is well again for a while.
Has anyone else run into this and finally, permanently made it work?
openldap-technical@openldap.org