
grouper-dev - Re: [grouper-dev] handling quoted relative ldap dns ?

Subject: Grouper Developers Forum

  • From: Tom Zeller <>
  • To: "Scott D. Williams" <>
  • Cc:
  • Subject: Re: [grouper-dev] handling quoted relative ldap dns ?
  • Date: Thu, 12 Nov 2009 18:10:57 -0600

Right, thanks. Apparently this is at least a 9-year-old "feature"

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4307193

And that is how I resolved this issue before, by using
CompositeName.add(dn). However, as you know, vt-ldap accepts String
DNs only and not Names.

And, some directories (like Active Directory) will return the forward
slash escaped '\/' while others (OpenLDAP, ApacheDS, RedHat DS) don't
- at least as far as I can tell.

So, now, ldappc will try and escape any not-already escaped forward
slashes for stems, groups, and members whenever an ldap operation is
called, and will also un-escape any returned forward slashes for, ah,
consistency.

I spent too much time on this.

TomZ

On Wed, Nov 11, 2009 at 9:17 PM, Scott D. Williams
<>
wrote:
> Hi Tom,
>
> I recently discovered the black magic required to properly escape (jndi)
> forward slashes in a DN so that they may be used by JNDI/VT libs without
> throwing the InvalidNameException. I have verified this w/OpenLdap only, so
> far...
>
> String groupCn = "example/cn/with/slashes";
> String groupDn = "cn=" + groupCn + ",ou=groups,dc=edu";
> String memberDn = "uid=randomguy,ou=people,dc=edu";
>
> Attributes A = new BasicAttributes( "cn", groupCn );
> A.put("objectclass", "groupOfNames");
> A.put("member", memberDn );
>
> // escape dn only, not cn attribute itself
> groupDn = groupDn.replace("/", "\\/");
>
> VTLdapObject.create(groupDn, A);
>
>
> Hope this helps,
> Scott
>
> Tom Zeller wrote:
>>
>> Hi folks,
>>
>> Ldappc needs to construct a Name from a String dn, and I'm looking for
>> a better way to handle quoted relative names.
>>
>> For example, I've observed that Active Directory will return
>>
>>  "CN=Quoted/Name",DC=edu
>>
>> if a dn component contains the JNDI forward slash (/) character.
>>
>> An InvalidNameException is thrown if I construct a Name using LdapName:
>>
>>  Name name = new javax.naming.ldap.LdapName(dn).
>>
>>  javax.naming.InvalidNameException: Invalid name: "cn=Quoted/Name",DC=edu
>>   at javax.naming.ldap.Rfc2253Parser.parseAttrType(Rfc2253Parser.java:130)
>>   at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:83)
>>   at javax.naming.ldap.Rfc2253Parser.parseDn(Rfc2253Parser.java:45)
>>   at javax.naming.ldap.LdapName.parse(LdapName.java:772)
>>   at javax.naming.ldap.LdapName.<init>(LdapName.java:108)
>>
>> If I construct a Name via :
>>
>>  Name name = new javax.naming.CompositeName().add(dn)
>>
>> then the quotes are escaped and the resultant dn is
>>
>>  "\"CN=Quoted/Name\",DC=edu"
>>
>> which is incorrect.
>>
>> Previously, ldappc removed starting and ending quotes from a dn
>> component. I've written a search result handler suitable for vt-ldap
>> to reproduce this behavior which deployers can toggle.
>>
>> I'm surprised that I'm having to spend time figuring out ldap and jndi
>> metacharacters (well not that surprised), and I assume there's some
>> solution I'm just not familiar with.
>>
>> Thanks,
>> TomZ
>>
>
>
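An added example, not part of the original messages or of ldappc's code: one way to implement the behavior described in the reply above, escaping only forward slashes that are not already escaped and un-escaping returned ones, so that DNs from directories that return `\/` and directories that return `/` compare equal. The class name `JndiSlashEscaper`, its method names and the sample DNs are assumptions made for illustration.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;

public final class JndiSlashEscaper {

    /** Adds a backslash before every '/' that is not already escaped. */
    public static String escape(String dn) {
        StringBuilder out = new StringBuilder(dn.length() + 8);
        boolean escaped = false; // previous char was an unpaired backslash
        for (char c : dn.toCharArray()) {
            if (c == '/' && !escaped) {
                out.append('\\');
            }
            out.append(c);
            escaped = (c == '\\') && !escaped;
        }
        return out.toString();
    }

    /** Removes the backslash from every escaped '/', leaving other escapes alone. */
    public static String unescape(String dn) {
        StringBuilder out = new StringBuilder(dn.length());
        boolean escaped = false;
        for (char c : dn.toCharArray()) {
            if (c == '/' && escaped) {
                out.setLength(out.length() - 1); // drop the escaping backslash
            }
            out.append(c);
            escaped = (c == '\\') && !escaped;
        }
        return out.toString();
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample DNs: bare slashes, an already escaped slash (as the
        // thread reports for Active Directory), and an escaped backslash before a slash.
        String[] samples = {
            "cn=example/cn/with/slashes,ou=groups,dc=edu",
            "cn=Quoted\\/Name,dc=edu",
            "cn=trailing\\\\/slash,dc=edu",
        };
        for (String dn : samples) {
            String esc = escape(dn);
            if (!esc.equals(escape(esc))) throw new AssertionError("not idempotent: " + dn);
            if (!unescape(esc).equals(unescape(dn))) throw new AssertionError("round trip: " + dn);
            // JNDI splits String names on unescaped '/', so compare component counts.
            System.out.printf("%s -> %s (components: %d -> %d)%n",
                dn, esc, new CompositeName(dn).size(), new CompositeName(esc).size());
        }
    }
}
```

Tracking backslash parity is what separates this from a plain `replace("/", "\\/")`, which would double-escape a DN that a directory has already returned with `\/`.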


