Univention Bugzilla – Bug 57028
blank RDN stored twice escaped with backslash
Last modified: 2024-02-06 17:26:55 CET
```console
# udm container/cn create --set name=" "
Object created: cn=\\ ,dc=phahn50,dc=qa
# univention-ldapsearch -LLLb "$ldap_base" '(cn= )' cn
dn: cn=\5C\20,dc=phahn50,dc=qa
cn:: IA==
cn:: XCA=
# echo "|$(base64 -d <<<IA==)|$(base64 -d <<<XCA=)|"
| |\ |
```

This is worse for DNS RRs where backslash-escaping is required to escape certain octets:

```console
# eval "$(ucr --shell dump)"
# p="zoneName=testing,cn=dns,$ldap_base"
# udm dns/forward_zone create --position "cn=dns,$ldap_base" --set zone=testing --set nameserver="$hostname.$domainname."
# udm dns/txt_record create --superordinate "$p" --set name=' ' --set txt="blank"
# univention-ldapsearch -LLLb "$p" '(tXTRecord=blank)' relativeDomainName
dn: relativeDomainName=\5C\20,zoneName=testing,cn=dns,dc=phahn50,dc=qa
relativeDomainName: IA==
relativeDomainName: XCA=
# dig @localhost -p 7777 testing. axfr | grep blank
\032.testing. 79200 IN TXT "blank"
\032.testing. 79200 IN TXT "blank"
```
Reported as https://github.com/python-ldap/python-ldap/issues/252
Fixed by https://github.com/python-ldap/python-ldap/pull/268
But UCS 5.0-6 still has unfixed

```console
# dpkg-query -W python3-ldap
python3-ldap:amd64 3.1.0-2A~5.0.0.202212160954
```
(In reply to Philipp Hahn from comment #1)
> Reported as https://github.com/python-ldap/python-ldap/issues/252
> Fixed by https://github.com/python-ldap/python-ldap/pull/268
> But UCS 5.0-6 still has unfixed

Applying this in 5.0-6 fixes the issue for `containers/cn`:

```console
# udm container/cn create --set name=" "
Object created: cn=\ ,dc=phahn50,dc=qa
# univention-ldapsearch -LLLb 'cn=\ ,dc=phahn50,dc=qa' cn
dn: cn=\20,dc=phahn50,dc=qa
cn:: IA==
```

But this only works for `cn`, not for `relativeDomainName`:

```console
# ldapsearch -LLLxo ldif-wrap=no -b cn=Subschema -s base -E mv='(attributeTypes=cn)(attributeTypes=relativeDomainName)(attributeTypes=name)' attributeTypes
…
attributeTypes: ( … NAME 'name' … EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX directoryString{32768} )
attributeTypes: ( … NAME ( 'cn' 'commonName' ) … SUP name )
attributeTypes: ( … NAME 'relativeDomainName' … EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX IA5String )
```

The reason is `servers/slapd/schema_init.c` of OpenLDAP:

- `caseIgnoreMatch` calls `UTF8StringNormalize` where "string of all spaces is treated as one space"; `cn=" "` is treated the same as `cn=" "`.
- `caseIgnoreIA5Match` calls `IA5StringNormalize`, which "Ignore[s] initial whitespace"; `rDN=" "` is treated as `rDN=""`, which is invalid.

1. We should fix python3-ldap in UCS 5.0-x
2. "IA5String" is too restricted to store any DNS label, which can be any 8-bit octet sequence up to length 63. Either we change the schema to use "Octet String 1.3.6.1.4.1.1466.115.121.1.40" or restrict UDM syntax dnsLabel to only allow a subset of IA5String.
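The following Python example is added here and is not part of the bug report, of UCS, or of python-ldap. It reproduces the two mechanisms the thread discusses with small stand-alone helpers: RFC 4514 RDN-value escaping (including how escaping a single space twice yields the `\5C\20` / `XCA=` value seen in the ldapsearch output above), and the different whitespace handling of `caseIgnoreMatch` versus `caseIgnoreIA5Match`. All function names are this example's own; `rule_by_rule_escape` is a constructed illustration of the class of mistake, not python-ldap's code, and the two `normalize_*` functions are approximations of the OpenLDAP behaviour quoted above, not its implementation.

```python
"""RFC 4514 RDN escaping vs. LDAP matching-rule normalisation (added example)."""
import base64
import re

# Characters RFC 4514 section 2.4 requires to be escaped anywhere in a value.
_SPECIAL = '"+,;<>\\'


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514 section 2.4).

    Each character is examined once, so a value that is a single space is
    escaped exactly once, even though it is both leading and trailing.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')                       # NUL must be hex-escaped
        elif ch in _SPECIAL:
            out.append('\\' + ch)
        elif (ch == ' ' and i in (0, last)) or (ch == '#' and i == 0):
            out.append('\\' + ch)                    # leading/trailing space, leading '#'
        else:
            out.append(ch)
    return ''.join(out)


def rule_by_rule_escape(value: str) -> str:
    """Constructed illustration (NOT python-ldap's code) of a double escape:
    the leading-space rule and the trailing-space rule are applied one after
    the other on the already-modified string, so a lone space is escaped twice
    and the client sends 'cn=\\\\ ' instead of 'cn=\\ '."""
    s = value.replace('\\', '\\\\')
    for ch in '"+,;<>':
        s = s.replace(ch, '\\' + ch)
    if s and s[0] in ' #':
        s = '\\' + s              # the space is now at index 1 ...
    if s and s[-1] == ' ':
        s = s[:-1] + '\\ '        # ... but still last, so it is escaped again
    return s


def unescape_rdn_value(escaped: str) -> bytes:
    """Decode an RFC 4514 value as a server would, accepting '\\c' and '\\XX'."""
    out = bytearray()
    i = 0
    while i < len(escaped):
        if escaped[i] != '\\':
            out += escaped[i].encode('utf-8')
            i += 1
        elif re.fullmatch(r'[0-9A-Fa-f]{2}', escaped[i + 1:i + 3]):
            out.append(int(escaped[i + 1:i + 3], 16))
            i += 3
        elif i + 1 < len(escaped):
            out += escaped[i + 1].encode('utf-8')
            i += 2
        else:
            raise ValueError('dangling backslash in DN value')
    return bytes(out)


def hex_escape(raw: bytes) -> str:
    """Render a raw value the way slapd prints non-printable RDN bytes (\\5C\\20)."""
    return ''.join('\\%02X' % b for b in raw)


def decode_ldif_base64(token: str) -> bytes:
    """Decode the value of an LDIF 'attr:: <base64>' line printed by ldapsearch."""
    return base64.b64decode(token)


def normalize_case_ignore(value: str) -> str:
    """Approximation of UTF8StringNormalize (caseIgnoreMatch, used by name/cn):
    case-fold, trim, collapse inner runs of spaces; an all-space value becomes a
    single space, so cn=" " remains a non-empty, valid RDN value."""
    folded = ' '.join(value.casefold().split())
    return ' ' if not folded and value.isspace() else folded


def normalize_case_ignore_ia5(value: str) -> str:
    """Approximation of IA5StringNormalize (caseIgnoreIA5Match, used by
    relativeDomainName): same trimming, but an all-space value becomes the
    empty string, which slapd rejects as an RDN value."""
    if not value.isascii():
        raise ValueError('IA5String accepts ASCII only')
    return ' '.join(value.lower().split())


def is_valid_rdn_value(normalized: str) -> bool:
    """An RDN attribute value must not normalise to the empty string."""
    return normalized != ''


if __name__ == '__main__':
    blank = ' '
    print('correct escape :', repr(escape_rdn_value(blank)))
    print('double escape  :', repr(rule_by_rule_escape(blank)))
    stored = unescape_rdn_value(rule_by_rule_escape(blank))
    print('stored bytes   :', stored, '==', decode_ldif_base64('XCA='), hex_escape(stored))
    print('caseIgnoreMatch valid:', is_valid_rdn_value(normalize_case_ignore(blank)))
    print('caseIgnoreIA5Match valid:', is_valid_rdn_value(normalize_case_ignore_ia5(blank)))
```

Feeding the double-escaped string through `unescape_rdn_value` yields the two bytes `0x5C 0x20`, which is exactly what `XCA=` decodes to and what slapd renders as `\5C\20`; a stored RDN value that itself still decodes cleanly as an escape sequence is therefore a useful audit signal for this class of bug. The last two lines show why the python-ldap fix alone does not help `relativeDomainName`: under IA5 normalisation the single-space value collapses to an empty, hence invalid, RDN.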