12:45 a.m.
Hi
When feeding a LDAP URI to ldap_url_parse(), I understand some characters
may need to be escaped in filters in order to get a litteral:
* => \2a
( => \28
) => \29
\ => \5c
/ => \2f
Reading the man page, I understand %-encoding is not mandatory, but
it is of course required for ?, and obviously for %.
? -> %3F
% -> %25
Are there other characters that should be %-encoded?
--
Emmanuel Dreyfus
manu(a)netbsd.org
11:11 a.m.
On Thu, 20 Sep 2012, Emmanuel Dreyfus wrote:
When feeding a LDAP URI to ldap_url_parse(), I understand some
characters
may need to be escaped in filters in order to get a litteral:
* => \2a
( => \28
) => \29
\ => \5c
/ => \2f
Reading the man page, I understand %-encoding is not mandatory, but
it is of course required for ?, and obviously for %.
? -> %3F
% -> %25
Are there other characters that should be %-encoded?
From RFC 4516, LDAP: Uniform Resource Locator, section 2.1:
An octet MUST be encoded using the percent-encoding mechanism
described in section 2.1 of [RFC3986] in any of these situations:
The octet is not in the reserved set defined in section 2.2 of
[RFC3986] or in the unreserved set defined in section 2.3 of
[RFC3986].
It is the single Reserved character '?' and occurs inside a <dn>,
<filter>, or other element of an LDAP URL.
...
From RFC 3986, URI Generic Syntax, section 2.2 and section 2.3:
reserved = gen-delims / sub-delims
gen-delims = ":" / "/" / "?" / "#" /
"[" / "]" / "@"
sub-delims = "!" / "$" / "&" / "'"
/ "(" / ")"
/ "*" / "+" / "," / ";" /
"="
unreserved = ALPHA / DIGIT / "-" / "." / "_" /
"~"
So, you have to precent-encode all non-graphical characters (0x00 through
0x20 and 0x7f though 0xff), as well as:
" -> %22
% -> %25
< -> %3c
-> %3e
? -> %3f
\ -> %5c
^ -> %5e
` -> %60
{ -> %7b
| -> %7c
} -> %7d
Philip Guenther
9 p.m.
Philip Guenther <guenther+ldaptech(a)sendmail.com> wrote:
So, you have to precent-encode all non-graphical characters (0x00
through
0x20 and 0x7f though 0xff), as well as:
" -> %22
% -> %25
< -> %3c
> -> %3e
? -> %3f
\ -> %5c
^ -> %5e
` -> %60
{ -> %7b
| -> %7c
} -> %7d
You include ? in the list, but in many example I have seen, we have a ?
unencoded in a LDAP URI. I understand ? needs special treatment when it
is part of a dn, filter, attribute name, and it must not be confused
with the ? as URI part delimiter.
But in that situation, should we use \3f or %3f, or %5c3f?
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
9:32 p.m.
On Fri, 21 Sep 2012, Emmanuel Dreyfus wrote:
Philip Guenther <guenther+ldaptech(a)sendmail.com> wrote:
> So, you have to precent-encode all non-graphical characters (0x00 through
> 0x20 and 0x7f though 0xff), as well as:
> " -> %22
> % -> %25
> < -> %3c
> > -> %3e
> ? -> %3f
> \ -> %5c
> ^ -> %5e
> ` -> %60
> { -> %7b
> | -> %7c
> } -> %7d
You include ? in the list, but in many example I have seen, we have a ?
unencoded in a LDAP URI.
You asked what characters in an LDAP search filter have to be percent
encoded when including that search filter in an LDAP URI. That's the
question I answered above.
I cannot figure out what those "many example" have to do with your
question or my answer. Perhaps citing one of those examples and
explaining how you think there's a conflict would help.
Philip Guenther
9:54 p.m.
Philip Guenther <guenther+ldaptech(a)sendmail.com> wrote:
You asked what characters in an LDAP search filter have to be
percent
encoded when including that search filter in an LDAP URI. That's the
question I answered above.
Oh, right, there was some misunderstanding, I though you were taking
about escaping characters in the whole URI. If we only talk about the
filter, then everything makes sense.
But I am still puzzled about if I should use \3f or %3f, or %5c3f for a
litteral ?
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
10:21 p.m.
On Fri, 21 Sep 2012, Emmanuel Dreyfus wrote:
Philip Guenther <guenther+ldaptech(a)sendmail.com> wrote:
> You asked what characters in an LDAP search filter have to be percent
> encoded when including that search filter in an LDAP URI. That's the
> question I answered above.
Oh, right, there was some misunderstanding, I though you were taking
about escaping characters in the whole URI. If we only talk about the
filter, then everything makes sense.
But I am still puzzled about if I should use \3f or %3f, or %5c3f for a
litteral ?
If you have to ask that question, you're doing it wrong.
1) you start with a search filter encoded according to the rules in
RFC 4515.
2) To encode *that string* inside the filter part of an LDAP URL, follow
the rules in RFC 4516.
So: imagine your search filter is this:
(cn=Bob ?)
which is the *exact same filter* as this:
(cn=Bob \3f)
Those both follow the rules of RFC 4515, and have the *same meaning*.
To encode those in a URL, you have to percent-escape two of the characters
in each. In this filter:
(cn=Bob ?)
the space and the '?' must be encoded, so it would show up in a URL like
this:
ldap://ldap.example.com/???(cn=Bob%20%3f)
In this filter:
(cn=Bob \3f)
*which has the same meaning as the previous one*, the space and the
backslash must be encoded, so it would show up in a URL like this:
ldap://ldap.example.com/???(cn=Bob%20%5c3f)
Philip Guenther
12:42 a.m.
On Thu, Sep 20, 2012 at 10:21:12PM -0700, Philip Guenther wrote:
So: imagine your search filter is this:
(cn=Bob ?)
which is the *exact same filter* as this:
(cn=Bob \3f)
(...)
(...)
Thanks, everything is clear now.
--
Emmanuel Dreyfus
manu(a)netbsd.org
5:18 a.m.
On Fri, Sep 21, 2012 at 07:42:53AM +0000, Emmanuel Dreyfus wrote:
On Thu, Sep 20, 2012 at 10:21:12PM -0700, Philip Guenther wrote:
> So: imagine your search filter is this:
> (cn=Bob ?)
> which is the *exact same filter* as this:
> (cn=Bob \3f)
(...)
Thanks, everything is clear now.
Not quite, I have one more concern: if * and \2a have the same
meaning, how do I specify a litteral * (that is * not being a wildcard)?
--
Emmanuel Dreyfus
manu(a)netbsd.org
6:19 a.m.
Le 9/21/12 2:18 PM, Emmanuel Dreyfus a écrit :
On Fri, Sep 21, 2012 at 07:42:53AM +0000, Emmanuel Dreyfus wrote:
> On Thu, Sep 20, 2012 at 10:21:12PM -0700, Philip Guenther wrote:
>> So: imagine your search filter is this:
>> (cn=Bob ?)
>> which is the *exact same filter* as this:
>> (cn=Bob \3f)
> (...)
> Thanks, everything is clear now.
Not quite, I have one more concern: if * and \2a have the same
meaning, how do I specify a litteral * (that is * not being a wildcard)?
'*' is different from '?'. '*' has a meaning in a filter,
(as '\', '(',
')' and NUL)
In a filter, (cn=Bob *) is different from (cn=Bob \2A). The former does
a substring search, the second search for any entry having "Bob *" as a cn.
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
12:01 p.m.
On Fri, 21 Sep 2012, Emmanuel Dreyfus wrote:
On Fri, Sep 21, 2012 at 07:42:53AM +0000, Emmanuel Dreyfus wrote:
> On Thu, Sep 20, 2012 at 10:21:12PM -0700, Philip Guenther wrote:
> > So: imagine your search filter is this:
> > (cn=Bob ?)
> > which is the *exact same filter* as this:
> > (cn=Bob \3f)
> (...)
> Thanks, everything is clear now.
Not quite, I have one more concern: if * and \2a have the same meaning,
how do I specify a litteral * (that is * not being a wildcard)?
You need to read RFC 4515. It even has an *example* about matching
literal '*' characters!
Philip Guenther
6:31 p.m.
Philip Guenther <guenther+ldaptech(a)sendmail.com> wrote:
> Not quite, I have one more concern: if * and \2a have the same
meaning,
> how do I specify a litteral * (that is * not being a wildcard)?
You need to read RFC 4515. It even has an *example* about matching
literal '*' characters!
This is what I initially understood: * and \2a do not have the same
meaning. But the example does not tell everything: if I understand
correctly the whole thing (escape + %-encoding), If I want to match a
litteral * I should use %5c2a
Is that correct?
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
1:46 p.m.
New subject: nslcd and Ubuntu 10.04
I'm having trouble keeping my servers connected to our openLDAP server.
All through syslog I see messages like this:
/Sep 26 14:06:01 hostname nslcd[930]: [2aeb87] connected to LDAP server
ldaps://ldap.domain.com/
Sep 26 14:07:01 ///hostname/ nslcd[930]: [aae0a3] ldap_result() failed:
Can't contact LDAP server
Sep 26 14:07:01 ///hostname/ nslcd[930]: [74310e] ldap_result() failed:
Can't contact LDAP server
Sep 26 14:07:01 ///hostname/ nslcd[930]: [aae0a3] ldap_abandon() failed
to abandon search: Other (e.g., implementation specific) error
Sep 26 14:07:01 ///hostname/ nslcd[930]: [b2a65f] ldap_result() failed:
Can't contact LDAP server
Sep 26 14:07:01 ///hostname/ nslcd[930]: [b2a65f] ldap_abandon() failed
to abandon search: Other (e.g., implementation specific) error
Sep 26 14:07:01 ///hostname/ nslcd[930]: [74310e] ldap_abandon() failed
to abandon search: Other (e.g., implementation specific) error
Sep 26 14:07:01 ///hostname/ nslcd[930]: [73c9b8] ldap_result() failed:
Can't contact LDAP server
Sep 26 14:07:01 ///hostname/ nslcd[930]: [73c9b8] ldap_abandon() failed
to abandon search: Other (e.g., implementation specific) error
Sep 26 14:07:01 ///hostname/ nslcd[930]: [73c9b8] connected to LDAP
server ldaps://ldap.///domain/.com/
/
I'm at the point where I want to start blaming the server, but this is
happening on all the new servers I am bringing up (Ubuntu 10.04) and not
on the older servers (8.04).
Everything seems fine and we can sudo and su with our ldap accounts and
then out of no where "so-and-so is not in the sudoers file". A simple
"id user" re-establishes the connection and all is well again for a while.
Has anyone else ran into this and finally, permanently made it work?
2:11 p.m.
New subject: nslcd and Ubuntu 10.04
http://ubuntuforums.org/showthread.php?t=1633524
http://lists.arthurdejong.org/nss-pam-ldapd-users/2011/msg00082.html
My fix was to "apt-get source nslcd" on a Debian Squeeze box, then use those
files to build a new deb on Ubuntu and shove the result in my repository. Presto, working
nslcd on Ubuntu 10.04.
On Wed, Sep 26, 2012 at 04:46:30PM -0400, Adam Wolfe wrote:
I'm having trouble keeping my servers connected to our
openLDAP server.
All through syslog I see messages like this:
Sep 26 14:06:01 hostname nslcd[930]: [2aeb87] connected to LDAP server
[1]ldaps://ldap.domain.com/
Sep 26 14:07:01 hostname nslcd[930]: [aae0a3] ldap_result() failed: Can't
contact LDAP server
Sep 26 14:07:01 hostname nslcd[930]: [74310e] ldap_result() failed: Can't
contact LDAP server
Sep 26 14:07:01 hostname nslcd[930]: [aae0a3] ldap_abandon() failed to
abandon search: Other (e.g., implementation specific) error
Sep 26 14:07:01 hostname nslcd[930]: [b2a65f] ldap_result() failed: Can't
contact LDAP server
Sep 26 14:07:01 hostname nslcd[930]: [b2a65f] ldap_abandon() failed to
abandon search: Other (e.g., implementation specific) error
Sep 26 14:07:01 hostname nslcd[930]: [74310e] ldap_abandon() failed to
abandon search: Other (e.g., implementation specific) error
Sep 26 14:07:01 hostname nslcd[930]: [73c9b8] ldap_result() failed: Can't
contact LDAP server
Sep 26 14:07:01 hostname nslcd[930]: [73c9b8] ldap_abandon() failed to
abandon search: Other (e.g., implementation specific) error
Sep 26 14:07:01 hostname nslcd[930]: [73c9b8] connected to LDAP server
[2]ldaps://ldap.domain.com/
I'm at the point where I want to start blaming the server, but this is
happening on all the new servers I am bringing up (Ubuntu 10.04) and not
on the older servers (8.04).
Everything seems fine and we can sudo and su with our ldap accounts and
then out of no where "so-and-so is not in the sudoers file". A simple
"id
user" re-establishes the connection and all is well again for a while.
Has anyone else ran into this and finally, permanently made it work?
References
Visible links
1. file:///tmp/ldaps:/ldap.domain.com/
2. file:///tmp/ldaps:/ldap
4083
days inactive
4089
days old
openldap-technical@openldap.org
12 comments
6 participants
participants (6)
-
Adam Wolfe -
Christopher Wood -
Emmanuel Dreyfus -
Emmanuel Lécharny -
manu@netbsd.org
-
Philip Guenther