Bug 57028 - blank RDN stored twice escaped with backslash
Status: NEW
Product: UCS
Classification: Unclassified
Component: UDM (Generic)
UCS 5.0
Other Linux
Importance: P5 normal
Assigned To: UMC maintainers
Depends on:
Blocks: 50385
Reported: 2024-02-05 18:25 CET by Philipp Hahn
Modified: 2024-02-06 17:26 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.034
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
Description Philipp Hahn univentionstaff 2024-02-05 18:25:44 CET
```console
# udm container/cn create --set name=" "
Object created: cn=\\ ,dc=phahn50,dc=qa
# univention-ldapsearch -LLLb "$ldap_base" '(cn= )' cn
dn: cn=\5C\20,dc=phahn50,dc=qa
cn:: IA==
cn:: XCA=

# echo "|$(base64 -d <<<IA==)|$(base64 -d <<<XCA=)|"
| |\ |
```

This is worse for DNS RRs where backslash-escaping is required to escape certain octets:
```console
# eval "$(ucr --shell dump)"
# p="zoneName=testing,cn=dns,$ldap_base"
# udm dns/forward_zone create --position "cn=dns,$ldap_base" --set zone=testing --set nameserver="$hostname.$domainname."
# udm dns/txt_record create --superordinate "$p" --set name=' ' --set txt="blank"
# univention-ldapsearch -LLLb "$p" '(tXTRecord=blank)' relativeDomainName
dn: relativeDomainName=\5C\20,zoneName=testing,cn=dns,dc=phahn50,dc=qa
relativeDomainName: IA==
relativeDomainName: XCA=

# dig @localhost -p 7777 testing. axfr | grep blank
\032.testing.           79200   IN      TXT     "blank"
\032.testing.           79200   IN      TXT     "blank"
```
Comment 1 Philipp Hahn univentionstaff 2024-02-06 10:14:32 CET
Reported as https://github.com/python-ldap/python-ldap/issues/252
Fixed by https://github.com/python-ldap/python-ldap/pull/268
But UCS 5.0-6 still has it unfixed:
```console
# dpkg-query -W python3-ldap
python3-ldap:amd64      3.1.0-2A~5.0.0.202212160954
```
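The double escaping shown in the description and traced to python-ldap in comment 1, as an added example that is not part of this bug report and not python-ldap's own code: a small RFC 4514 RDN-value escaper in the rule order that reproduces the `cn=\\ ` result (the leading-space rule runs first and the trailing-space rule then inspects the already-modified string, which is my assumption of the cause), the corrected order, and a decoder showing what the server ends up storing. The `slapd_dn_form` rendering of the stored value as `\5C\20` / `\20` is an approximation of the ldapsearch output above, not slapd's normaliser.

```python
import string
SPECIALS = '\\,+"<>;='   # RFC 4514 section 2.4: characters needing a backslash

def _escape_specials(s: str) -> str:
    return ''.join('\\' + ch if ch in SPECIALS else ch for ch in s)

def escape_rdn_value_buggy(s: str) -> str:
    """Rule order that double-escapes a lone blank (constructed to match the report,
    not python-ldap's code): ' ' becomes '\\ ', then the trailing check runs again."""
    if not s:
        return s
    s = _escape_specials(s)
    if s[0] in ' #':
        s = '\\' + s
    if s[-1] == ' ':                 # inspects the already-escaped string: bug
        s = s[:-1] + '\\ '
    return s

def escape_rdn_value_fixed(s: str) -> str:
    """Same rules, but both edge checks look at the original value, and a
    trailing space is escaped separately only if it is not also the leading one."""
    if not s:
        return s
    out = _escape_specials(s)
    if s[0] in ' #':
        out = '\\' + out
    if len(s) > 1 and s[-1] == ' ':
        out = out[:-1] + '\\ '
    return out

def unescape_rdn_value(s: str) -> str:
    """Decode an RFC 4514 value ('\\X' -> X, '\\hh' -> byte 0xhh): what gets stored."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == '\\':
            pair = s[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(int(pair, 16)); i += 3
            else:
                out += s[i + 1].encode(); i += 2
        else:
            out += s[i].encode(); i += 1
    return out.decode()

def slapd_dn_form(value: str) -> str:
    """Approximate the DN rendering seen in the ldapsearch output above: special
    and space bytes shown as \\hh (an assumption, not slapd's normaliser)."""
    return ''.join('\\%02X' % b if chr(b) in SPECIALS + ' ' or not 0x20 < b < 0x7f
                   else chr(b) for b in value.encode())
```

Feeding `' '` through the buggy escaper yields the RDN string `\\ `, which the server decodes to a backslash followed by a space and renders as `\5C\20`; the fixed escaper yields `\ `, stored as a single space and rendered as `\20`.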
Comment 2 Philipp Hahn univentionstaff 2024-02-06 17:26:55 CET
(In reply to Philipp Hahn from comment #1)
> Reported as https://github.com/python-ldap/python-ldap/issues/252
> Fixed by https://github.com/python-ldap/python-ldap/pull/268
> But UCS 5.0-6 still has it unfixed:

Applying this in 5.0-6 fixes the issue for `container/cn`:
```console
# udm container/cn create --set name=" "
Object created: cn=\ ,dc=phahn50,dc=qa
# univention-ldapsearch -LLLb 'cn=\ ,dc=phahn50,dc=qa' cn
dn: cn=\20,dc=phahn50,dc=qa
cn:: IA==
```

But this only works for `cn` but not for `relativeDomainName`:
```console
# ldapsearch -LLLxo ldif-wrap=no -b cn=Subschema -s base -E mv='(attributeTypes=cn)(attributeTypes=relativeDomainName)(attributeTypes=name)' attributeTypes
…
attributeTypes: ( … NAME 'name' … EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX directoryString{32768} )
attributeTypes: ( … NAME ( 'cn' 'commonName' ) … SUP name )
attributeTypes: ( … NAME 'relativeDomainName' … EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX IA5String )
```

The reason is `servers/slapd/schema_init.c` of OpenLDAP:
- `caseIgnoreMatch` calls `UTF8StringNormalize` where "string of all spaces is treated as one space"; `cn="  "` is treated the same as `cn=" "`.
- `caseIgnoreIA5Match` calls `IA5StringNormalize`, which "Ignore[s] initial whitespace"; `rDN=" "` is treated as `rDN=""`, which is invalid.

1. We should fix python3-ldap in UCS 5.0-x
2. "IA5String" is too restricted to store any DNS label, which can be any 8-bit octet sequence up to length 63. Either we change the schema to use "Octet String" (1.3.6.1.4.1.1466.115.121.1.40) or restrict the UDM syntax dnsLabel to only allow a subset of IA5String.