[Freeipa-devel] about DNs
Pavel Zůna
pzuna at redhat.com
Mon Mar 22 10:30:40 UTC 2010
Hi,
I didn't want to quote the already over-quoted e-mail about DNs from
Rich, so I'm "starting a new thread". :)
Anyway, if I understand correctly, we should stop using quoted strings
in DNs and use escapes instead, so:
This: cn="dc=example,dc=com",dc=example,dc=com
Becomes this: cn=dc\=example\,dc\=com,dc=example,dc=com
ldap2 was designed to produce DNs like this, but we still use the old
LDAPv2 style in a lot of places, so we made it possible to disable DN
normalization and stopped escaping characters in quoted attribute
values. This introduced the recent problems with python-ldap functions
blowing up in our faces when a plugin author didn't check his DNs manually.
With your approval, I would like to make sure we switch to the new
LDAPv3 style DNs everywhere, because:
1) it's going to prevent future problems if strict DN syntax checking is
turned on (Rich was talking about this)
2) we'll be able to use ldap2 methods to build DNs everywhere,
preventing python-ldap calls from blowing up
3) we'll be able to remove the ability to disable DN normalization as it
won't be needed anymore, thus simplifying our LDAP API
When this is done, we should encourage plugin authors to use our
framework to build DNs instead of doing it manually, because it's
fail-safe and will work even if the location where the entries are
stored changes.
Example: building DNs for CoS entries of password policies:
group = 'some_group_name'
# the CoS templates live under the accounts container; taking the parent
# from api.env means this keeps working if the container location changes
container_costemplates = 'cn=cosTemplates,%s' % api.env.container_accounts
group_dn = api.Object.group.get_dn(group)
# group_dn contains '=' and ',', so make_dn_from_attr escapes it before
# using it as the value of the cn RDN
cos_dn = ldap2.make_dn_from_attr(
    'cn', group_dn, container_costemplates
)
Pavel
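The escaping described in the message, as an added stand-alone example (not FreeIPA's ldap2 code): `escape_dn_value`, `make_dn_from_attr` and `split_dn` are names chosen here, the rules follow RFC 4514 section 2.4 (escaping '=' is optional there but matches the LDAPv3 style above), and `split_dn` shows why the unescaped form is misparsed into extra RDNs.

```python
# Added example, not FreeIPA's ldap2: escape RDN values per RFC 4514,
# build a DN from attr/value/parent, and split a DN honouring escapes.

_SPECIAL = set(',+"\\<>;=')   # characters escaped anywhere in a value


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 s2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')             # NUL is hex-escaped
        elif ch in _SPECIAL:
            out.append('\\' + ch)          # e.g. ',' -> '\,'  '=' -> '\='
        elif ch in ' #' and i == 0:
            out.append('\\' + ch)          # leading space or '#'
        elif ch == ' ' and i == last:
            out.append('\\' + ch)          # trailing space
        else:
            out.append(ch)
    return ''.join(out)


def make_dn_from_attr(attr: str, value: str, parent_dn: str = '') -> str:
    """Prepend attr=value (value escaped) to parent_dn, LDAPv3 style."""
    rdn = '%s=%s' % (attr, escape_dn_value(value))
    return rdn if not parent_dn else '%s,%s' % (rdn, parent_dn)


def split_dn(dn: str) -> list:
    """Split a DN on unescaped commas; backslash escapes are kept verbatim."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            cur.append(dn[i:i + 2])        # escape pair belongs to the value
            i += 2
            continue
        if ch == ',':
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append(''.join(cur))
    return parts


if __name__ == '__main__':
    # constructed sample: a CoS template named after a group's DN
    group_dn = make_dn_from_attr('cn', 'some_group_name', 'dc=example,dc=com')
    print(make_dn_from_attr('cn', group_dn, 'cn=cosTemplates,dc=example,dc=com'))
```

Run stand-alone it prints the escaped CoS DN; the naive string `cn=dc=example,dc=com,dc=example,dc=com` splits into four RDNs, which is exactly the kind of DN python-ldap rejects.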