[Freeipa-devel] about DNs

Pavel Zůna pzuna at redhat.com
Mon Mar 22 10:30:40 UTC 2010


Hi,
I didn't want to quote the already over-quoted e-mail about DNs from 
Rich, so I'm "starting a new thread". :)

Anyway, if I understand correctly, we should stop using quoted strings 
in DNs and use escapes instead, so:

This: cn="dc=example,dc=com",dc=example,dc=com
Becomes this: cn=dc\=example\,dc\=com,dc=example,dc=com

ldap2 was designed to produce DNs like this, but we still use the old 
LDAPv2 style in a lot of places, so we made it possible to disable DN 
normalization and stopped escaping characters in quoted attribute 
values. This introduced the recent problems with python-ldap functions 
blowing up in our faces, when a plugin author didn't check his DNs manually.

With your approval, I would like to make sure we switch to the new 
LDAPv3 style DNs everywhere, because:
1) it's going to prevent future problems if strict DN syntax checking is 
turned on (Rich was talking about this)
2) we'll be able to use ldap2 methods to build DNs everywhere, 
preventing python-ldap calls from blowing up
3) we'll be able to remove the ability to disable DN normalization as it 
won't be needed anymore, thus simplifying our LDAP API

When this is done, we should encourage plugin authors to use our 
framework to build DNs instead of doing it manually, because it's 
fail-safe and will work even if the location where the entries are 
stored changes.


Example: building DNs for CoS entries of password policies:

group = 'some_group_name'
# container holding the CoS template entries
container_costemplates = 'cn=cosTemplates,%s' % api.env.container_accounts

# DN of the group entry, built by the framework
group_dn = api.Object.group.get_dn(group)

# the group DN becomes the cn value; make_dn_from_attr escapes it
cos_dn = ldap2.make_dn_from_attr(
    'cn', group_dn, container_costemplates
)


Pavel
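Added example (not part of the original post, and not ldap2 or FreeIPA code): a small, self-contained implementation of the LDAPv3-style escaping the mail proposes, to show why building DNs through an escaping helper matters. `make_dn` is a hypothetical stand-in for the `ldap2.make_dn_from_attr` call in the mail, `split_dn` shows what an LDAP server would see as separate RDNs, and the base DNs are constructed sample values. The escaping rules follow RFC 4514 section 2.4; `=` is additionally escaped, which the RFC does not require but which matches the `cn=dc\=example\,dc\=com,...` form in the mail. Without escaping, a value containing `,` or `=` silently adds RDNs and the DN points at a different location in the tree, which is the class of problem strict DN syntax checking is meant to catch.

```python
# Characters that must be escaped anywhere inside an attribute value.
# '=' is optional per RFC 4514 but harmless, and matches the mail's example.
_SPECIAL = set('\\,+"<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in an RDN (RFC 4514 section 2.4)."""
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')          # NUL is written as a hex pair
        else:
            out.append(ch)
    s = ''.join(out)
    # A leading '#' or space and a trailing space are significant and must be
    # escaped; for a single-space value one escape covers both positions.
    if value.startswith(('#', ' ')):
        s = '\\' + s
    if value.endswith(' ') and len(value) > 1:
        s = s[:-1] + '\\ '
    return s


def unescape_dn_value(escaped: str) -> str:
    """Reverse escape_dn_value. Simplified: hex pairs decode to a single
    code point, so multi-byte UTF-8 hex sequences are not reassembled."""
    out, i = [], 0
    while i < len(escaped):
        ch = escaped[i]
        if ch == '\\' and i + 1 < len(escaped):
            pair = escaped[i + 1:i + 3]
            if len(pair) == 2 and all(c in '0123456789abcdefABCDEF' for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
                continue
            out.append(escaped[i + 1])  # backslash followed by a literal char
            i += 2
            continue
        out.append(ch)
        i += 1
    return ''.join(out)


def make_dn(attr: str, value: str, base: str) -> str:
    """Build 'attr=<escaped value>,base'. Hypothetical analogue of the
    ldap2.make_dn_from_attr call quoted in the mail."""
    return '%s=%s,%s' % (attr, escape_dn_value(value), base)


def split_dn(dn: str) -> list:
    """Split a DN string into its RDNs on unescaped commas, the way an
    LDAPv3 parser would, so we can count how many RDNs a DN really has."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            cur.append(dn[i:i + 2])     # keep the escape pair intact
            i += 2
            continue
        if ch == ',':
            rdns.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append(''.join(cur))
    return rdns


if __name__ == '__main__':
    # Constructed sample DNs modelled on the CoS example in the mail.
    base = 'dc=example,dc=com'
    group_dn = 'cn=some_group_name,cn=groups,cn=accounts,' + base
    container_costemplates = 'cn=cosTemplates,cn=accounts,' + base

    safe = make_dn('cn', group_dn, container_costemplates)
    naive = 'cn=%s,%s' % (group_dn, container_costemplates)
    print('escaped DN  :', safe, '->', len(split_dn(safe)), 'RDNs')
    print('unescaped DN:', naive, '->', len(split_dn(naive)), 'RDNs')
    # The escaped DN has one RDN per intended component; the naive one has
    # the group's RDNs spliced in as extra components and names a different
    # entry entirely.
```

`escape_dn_value` and `unescape_dn_value` round-trip every value, including the leading `#`, leading or trailing space and NUL edge cases, which is the property a DN-building helper needs so that plugin code never has to hand-check its DNs.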



