[Freeipa-devel] [PATCH] Use escapes in DNs instead of quoting.

Rich Megginson rmeggins at redhat.com
Tue Mar 30 14:19:54 UTC 2010


Pavel Zuna wrote:
> On 03/26/2010 04:56 PM, Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> This patch effectively removes all LDAPv2 style quoted DNs and makes
>>> sure we don't use them anymore.
>>>
>>> KDC doesn't seem to have any problems with LDAPv3 style DNs, but I
>>> kept the option to disable DN normalization for now.
>>>
>>> I also had to add a new dollar variable for LDIF files:
>>> $ESCAPED_SUFFIX. We need it to create entries that contain the DN of
>>> another entry in their own, like the account activated/inactivated CoS
>>> entries.
>>>
>>> what I tested:
>>> - playing around with password policies and CoS entries using both
>>> pwpolicy and pwpolicy2
>>> - changing user passwords to see if the policies apply
>>> - re-installing IPA to see if the activated/inactivated CoS entries
>>> were OK
>>> - user-lock/user-unlock
>>>
>>> The patch depends on the pwpolicy2 plugin. Well, it doesn't depend on
>>> it, but won't apply without. I didn't realize before committing and
>>> couldn't get it back by re-basing, so...
>>>
>>> Pavel
>>
>> replication also uses v2-style escaping. This code looks ok for what it
>> touches but it isn't complete.
> Maybe I'm wrong, but it seems that the cn="SUFFIX",cn=mapping 
> tree,cn=config entry is created automatically by DS
Yes.
> and there's not much we can do about it.
Right.
> We could delete the entry and create a new one, but I suspect 
> replication won't like it.
Right.  Don't do that.

There are still a number of places in the directory server where quotes 
are still used in DNs.  We have not gone through and removed all of 
those.  We won't get around to doing this for 389-ds-base 1.2.6, 
probably in some later release.

However, you should still be able to search for the 
cn="SUFFIX",cn=mapping tree,cn=config entry using LDAPv3 style escapes - 
the escapes should match the quotes inside the server.  Just make sure 
SUFFIX is the normalized DN (and that assumes the server is using the 
normalized DN too).

/me grumbles at the fact that someone thought it was a good idea to use 
DNs as values within other DNs in non-DN syntax attributes . . .
>
>> rob
>
> Pavel
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
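The point made in this exchange is that an LDAPv2 quoted value such as `cn="SUFFIX",cn=mapping tree,cn=config` and its LDAPv3 escaped form `cn=SUFFIX-with-escapes,cn=mapping tree,cn=config` name the same entry only if the embedded suffix is normalized the same way on both sides. The following is an added example, not code from the thread, from FreeIPA or from 389-ds-base; it uses only the Python standard library and implements the RFC 4514 escaping rules for values inside a DN, a minimal normalizer (lowercases attribute types, strips whitespace around RDNs, converts a `"..."`-quoted value to escaped form), and a builder for the mapping-tree DN. Multi-valued RDNs (`+`) and syntax-dependent case folding of values are deliberately not handled; the function names are this example's own.

```python
"""Escape, normalize and compare DNs that carry another DN as a value.

Added illustration for the quoted-vs-escaped DN discussion; not part of
FreeIPA or 389-ds-base. Standard library only.
"""
import re

# RFC 4514 section 2.4: characters that must be escaped inside a DN value.
_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in an LDAPv3 DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')            # a leading '#' would mean a hex-encoded value
        elif ch == ' ' and i in (0, last):
            out.append('\\ ')            # leading/trailing spaces must be escaped
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def split_dn(dn: str) -> list:
    """Split a DN into RDN strings, honouring backslash escapes and the
    LDAPv2 double-quote convention (a comma inside quotes is not a separator)."""
    rdns, cur, i, in_quotes = [], [], 0, False
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ',' and not in_quotes:
            rdns.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append(''.join(cur))
    return rdns


def normalize_dn(dn: str) -> str:
    """Return a canonical LDAPv3 string: lower-cased attribute types, no
    whitespace around RDN separators, quoted values converted to escapes.
    Value case is left untouched (simplification; real servers fold it
    according to the attribute syntax)."""
    rdns = []
    for rdn in split_dn(dn):
        typ, val = rdn.split('=', 1)     # attribute types never contain '='
        typ = typ.strip().lower()
        val = re.sub(r'^\s+', '', val)
        val = re.sub(r'(?<!\\)\s+$', '', val)   # do not eat an escaped trailing space
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = escape_dn_value(val[1:-1])    # LDAPv2 quoted -> LDAPv3 escaped
        rdns.append(f'{typ}={val}')
    return ','.join(rdns)


def dn_equal(a: str, b: str) -> bool:
    """True when two DN spellings (quoted or escaped) name the same entry."""
    return normalize_dn(a) == normalize_dn(b)


def mapping_tree_dn(suffix: str) -> str:
    """Build cn=<suffix>,cn=mapping tree,cn=config with the suffix normalized
    first and then escaped, as the thread recommends for the search filter."""
    return 'cn=' + escape_dn_value(normalize_dn(suffix)) + ',cn=mapping tree,cn=config'


def child_dn(attr: str, value: str, parent: str) -> str:
    """Place a caller-supplied value under a parent without letting ',' or '='
    in the value alter the tree position of the resulting DN."""
    return f'{attr}={escape_dn_value(value)},{normalize_dn(parent)}'


if __name__ == '__main__':
    suffix = 'dc=example,dc=com'                          # constructed sample suffix
    quoted = f'cn="{suffix}",cn=mapping tree,cn=config'   # LDAPv2 style as stored by DS
    print(normalize_dn(quoted))
    print(mapping_tree_dn('DC=Example, dc=com'))
    print(dn_equal(quoted, mapping_tree_dn(suffix)))
    print(child_dn('uid', 'bob,ou=admins', 'ou=people,' + suffix))
```

Running the module prints the escaped mapping-tree DN, shows that the quoted and escaped spellings compare equal once normalized, and shows that a value containing `,` or `=` stays a single RDN value instead of silently moving the entry elsewhere in the tree.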