[Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.

Pavel Zuna pzuna at redhat.com
Tue Mar 30 14:37:10 UTC 2010


On 03/30/2010 04:19 PM, Rich Megginson wrote:
> Pavel Zuna wrote:
>> On 03/26/2010 04:56 PM, Rob Crittenden wrote:
>>> Pavel Zuna wrote:
>>>> This patch effectively removes all LDAPv2 style quoted DNs and makes
>>>> sure we don't use them anymore.
>>>>
>>>> KDC doesn't seem to have any problems with LDAPv3 style DNs, but I
>>>> kept the option to disable DN normalization for now.
>>>>
>>>> I also had to add a new dollar variable for LDIF files:
>>>> $ESCAPED_SUFFIX. We need it to create entries that contain the DN of
>>>> another entry in their own, like the account activated/inactivated CoS
>>>> entries.
>>>>
>>>> what I tested:
>>>> - playing around with password policies and CoS entries using both
>>>> pwpolicy and pwpolicy2
>>>> - changing user passwords to see if the policies apply
>>>> - re-installing IPA to see if the activated/inactivated CoS entries
>>>> were OK
>>>> - user-lock/user-unlock
>>>>
>>>> The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on
>>>> it, but won't apply without. I didn't realize before committing and
>>>> couldn't get it back by re-basing, so...
>>>>
>>>> Pavel
>>>
>>> replication also uses v2-style escaping. This code looks ok for what it
>>> touches but it isn't complete.
>> Maybe I'm wrong, but it seems that the cn="SUFFIX",cn=mapping
>> tree,cn=config entry is created automatically by DS
> Yes.
>> and there's not much we can do about it.
> Right.
>> We could delete the entry and create a new one, but I suspect
>> replication won't like it.
> Right. Don't do that.
>
> There are still a number of places in the directory server where quotes
> are still used in DNs. We have not gone through and removed all of
> those. We won't get around to doing this for 389-ds-base 1.2.6, probably
> in some later release.
>
> However, you should still be able to search for the
> cn="SUFFIX",cn=mapping tree,cn=config entry using LDAPv3 style escapes -
> the escapes should match the quotes inside the server. Just make sure
> SUFFIX is the normalized DN (and that assumes the server is using the
> normalized DN too).
Ok cool. Thanks for the info.

I did an extended version of the patch that uses LDAPv3 DNs with replication. 
Attached, so you can take a look, but don't hurry with pushing it.

The replication code still uses legacy LDAP code from v1 that is going away soon 
anyway. I would push the patch in its original state and include the replication 
changes in my next patch in the "ldap2 for installer" series.

> /me grumbles at the fact that someone thought it was a good idea to use
> DNs as values within other DNs in non-DN syntax attributes . . .
>>
>>> rob
>>
>> Pavel

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Use-escapes-in-DNs-instead-of-quoting.patch
Type: application/mbox
Size: 14270 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20100330/794f9a6b/attachment.mbox>
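The conversion the patch performs, shown as a stand-alone added example (this is not code from the attached patch, from FreeIPA or from 389-ds): an LDAPv2-style quoted RDN such as cn="dc=example,dc=com" in the cn=mapping tree,cn=config entry is rewritten to the RFC 4514 escaped form cn=dc\=example\,dc\=com, and an LDIF template is rendered with both $SUFFIX and an $ESCAPED_SUFFIX variable, which mirrors the variable the patch introduces for entries whose DN embeds another entry's DN. The escaping is written out by hand so the example runs offline; python-ldap's ldap.dn.escape_dn_chars does the same job in production code. The LDIF template text and the example suffix are constructed here, and multi-valued RDNs (a+b=...) are not handled.

```python
r"""
RFC 4514 escaping for DN values, plus conversion of LDAPv2 quoted DNs
(cn="dc=example,dc=com",cn=mapping tree,cn=config) to the LDAPv3 escaped
form (cn=dc\=example\,dc\=com,cn=mapping tree,cn=config).
Added example for this thread; not code from FreeIPA or 389-ds.
"""
from string import Template

# RFC 4514 section 2.4 requires these to be escaped anywhere in a value.
# '=' only MAY be escaped; we do so because escaped DNs embedded as values
# are the whole point here and it keeps the result unambiguous to read.
_ALWAYS_ESCAPE = set('",+;<>\\=')
_HEX = set("0123456789abcdefABCDEF")


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a string DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")            # NUL must be hex-escaped
        elif ch in _ALWAYS_ESCAPE:
            out.append("\\" + ch)
        elif ch in " #" and i == 0:
            out.append("\\" + ch)         # leading space or '#'
        elif ch == " " and i == last:
            out.append("\\" + ch)         # trailing space
        else:
            out.append(ch)
    return "".join(out)


def unescape_v3_value(s: str) -> str:
    """Undo \X and \HH escapes so a value can be cleanly re-escaped."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            if i + 2 < len(s) and s[i + 1] in _HEX and s[i + 2] in _HEX:
                out.append(chr(int(s[i + 1:i + 3], 16)))
                i += 3
            else:
                out.append(s[i + 1])
                i += 2
            continue
        out.append(s[i])
        i += 1
    return "".join(out)


def split_v2_dn(dn: str) -> list:
    """Split a DN on commas that are neither inside LDAPv2 quotes nor
    backslash-escaped, so either style of embedded DN stays intact."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])        # keep the escape pair together
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def rdn_to_v3(rdn: str) -> str:
    """Strip LDAPv2 quotes from one RDN value, then RFC 4514-escape it."""
    attr, sep, raw = rdn.partition("=")
    if not sep:
        raise ValueError("malformed RDN: %r" % rdn)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        # Inside LDAPv2 quotes only \" and \\ are escapes.
        inner = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    else:
        inner = unescape_v3_value(raw)
    return "%s=%s" % (attr.strip(), escape_dn_value(inner))


def dn_to_v3(dn: str) -> str:
    """Rewrite a whole DN to the escaped form; idempotent on LDAPv3 input."""
    return ",".join(rdn_to_v3(r) for r in split_v2_dn(dn))


def render_ldif(template: str, suffix: str) -> str:
    """Substitute $SUFFIX and $ESCAPED_SUFFIX in an LDIF template."""
    return Template(template).substitute(
        SUFFIX=suffix, ESCAPED_SUFFIX=escape_dn_value(suffix))


if __name__ == "__main__":
    suffix = "dc=example,dc=com"                     # constructed example
    quoted = 'cn="%s",cn=mapping tree,cn=config' % suffix
    print(quoted, "->", dn_to_v3(quoted))
    # Constructed LDIF template, not one of FreeIPA's own files.
    print(render_ldif("dn: cn=$ESCAPED_SUFFIX,cn=mapping tree,cn=config\n"
                      "cn: $SUFFIX\n", suffix))
```

Rich's point that the escaped search must use the normalized suffix still applies: dn_to_v3 only changes the syntax of the string, it does not normalize case or attribute names, so pass it the same normalized DN the server uses.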
