[krbdev.mit.edu #7296] issues in handling special characters in KDC ldap plugin code
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Sat Nov 17 00:48:52 EST 2012
More work on this issue is required. Some notes from my work so far:
* Bug #1: krb5_ldap_put_principal() is not encoding the unparsed
principal name for use as a DN, so putting a principal with DN-special
characters tends to fail.
* Bug #2: krb5_ldap_name_to_policydn() uses ldap_filter_correct() to
quote special characters. But the special characters for a filter
expression are not the same as the special characters for a DN.
* The patch here corrects bug #1 and tries to correct bug #2 by adding
some of the special DN characters to ldap_filter_correct(). But it
doesn't get all of them.
* If ldap_filter_correct() is amended to quote all of the special
characters for DNs, iteration over policies and principals still
produces incorrect results. For instance, a policy named "<test*>",
encoded to "\\3ctest\\2a\\3e" by our code for use as a DN, comes back as
"\\3Ctest*\\3E" in iteration. The iteration code is using
ldap_get_values() to extract the cn of the policy entry. I have not yet
determined why the LDAP code represents the string that way or how best
to work around it (maybe using ldap_get_values_len?).
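
The distinction behind bug #2, as an added example that is not part of the original message or of the krb5 source: RFC 4515 (search filters) and RFC 4514 (DN attribute values) define different sets of characters that must be escaped, so one quoting routine cannot serve both contexts. The function names are hypothetical, and every escape is written as a backslash plus two hex digits, which both RFCs accept.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hex-escape each byte of `in` listed in `specials`; with dn_edges set, also
 * a leading ' ' or '#' and a trailing ' '. Caller frees; NULL on failure. */
static char *escape(const char *in, const char *specials, int dn_edges)
{
    static const char hex[] = "0123456789abcdef";
    size_t len = strlen(in), n = 0, i;
    char *out = malloc(3 * len + 1);    /* worst case: every byte escaped */
    if (out == NULL)
        return NULL;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        int edge = dn_edges && ((i == 0 && (c == ' ' || c == '#')) ||
                                (i == len - 1 && c == ' '));
        if (edge || strchr(specials, c) != NULL) {
            out[n++] = '\\';
            out[n++] = hex[c >> 4];
            out[n++] = hex[c & 0x0f];
        } else {
            out[n++] = (char)c;
        }
    }
    out[n] = '\0';
    return out;
}

/* RFC 4515 filter assertion value: '*', '(', ')' and '\' must be escaped. */
char *escape_filter_value(const char *in)
{
    return escape(in, "*()\\", 0);
}

/* RFC 4514 DN attribute value: '"', '+', ',', ';', '<', '>' and '\'. */
char *escape_dn_value(const char *in)
{
    return escape(in, "\"+,;<>\\", 1);
}

int main(void)
{
    char *f = escape_filter_value("<test*>"), *d = escape_dn_value("<test*>");
    if (f != NULL && d != NULL)
        printf("filter: %s\nDN:     %s\n", f, d);
    free(f);
    free(d);
    return 0;
}
```

For the policy name "<test*>" from the message, the filter form escapes only the asterisk and the DN form escapes only the angle brackets.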