Managing DNs in libads only in utf8

simo idra at
Tue Feb 27 19:04:25 GMT 2007

On Tue, 2007-02-27 at 10:40 -0800, Jeremy Allison wrote:

> > Why do we have the option at all ?
> So people who have "strange" needs can do them
> at will. But I don't want to refactor the code
> to cope with these things, unless we have enough
> users out there who *need* this. The world is
> moving to utf8, we don't want to make it easier
> not to.

I agree in principle, but I still think we should still fix related bugs
when possible.
Otherwise we should simply disregard any performance consideration when
charset != utf8 and just convert at the syscall boundary if utf8 is not
used. This would simplify the code a lot and avoid many problems with
bad conversions. If we don't care that much about non utf8 systems why
should we care about their performance?

If we have the courage to take this path (utf8 only matters) then I will
support that. Let's just be as coherent as possible.

I'd like to just note that afaik all *BSDs use "iso8859-1" as unix
charset by default so all these systems may easily suffer the bug I'd
like to fix.

> Here's the code.

Have you read what escape_ldap_string_alloc() does?
It is an escaping function for _filters_, not for DNs (and yes I am
planning on fixing this problem too in lookup_group_member()).

It does not escape ',' nor '=', and even if it did how do you escape a
component of an entire DN?

Given CN=joe,bad=user,CN=users,DC=blah how do you escape it?

The correct escaping should be:

But unless you make assumptions on attribute names, and you shouldn't,
you can't make code that can guess what has to be escaped and what not.
And even if you make assumptions the following will still defeat the
escaping function: "joe,cn=bad" is a valid CN attribute value.


Simo Sorce
Samba Team GPL Compliance Officer
email: idra at
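
The point made in the message above, that a value can only be escaped before it is joined into a DN and not afterwards, as an added example (not Samba code and not from the original post). The helpers escape_dn_value(), build_dn() and count_rdns() are hypothetical names, the escaping follows the backslash form of RFC 4514, and the RDN counter is a simplified parser:

```c
#include <stdio.h>
#include <string.h>

/* Escape ONE attribute value for use in a DN (RFC 4514 backslash form).
 * Hypothetical helper, not a Samba function. Returns 0, or -1 if out is too small. */
int escape_dn_value(const char *in, char *out, size_t outlen)
{
    size_t n = strlen(in), o = 0;
    if (outlen == 0) return -1;
    for (size_t i = 0; i < n; i++) {
        char c = in[i];
        int esc = strchr(",+\"\\<>;=", c) != NULL
               || (i == 0 && (c == ' ' || c == '#'))
               || (i == n - 1 && c == ' ');
        if (o + (esc ? 2 : 1) >= outlen) return -1; /* keep room for NUL */
        if (esc) out[o++] = '\\';
        out[o++] = c;
    }
    out[o] = '\0';
    return 0;
}

/* Assemble "<attr>=<escaped value>,<base>"; the value is escaped before joining. */
int build_dn(const char *attr, const char *value, const char *base, char *out, size_t outlen)
{
    char esc[256];
    if (escape_dn_value(value, esc, sizeof(esc)) != 0) return -1;
    int n = snprintf(out, outlen, "%s=%s,%s", attr, esc, base);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Count RDNs: an unescaped ',' separates components (simplified parser). */
int count_rdns(const char *dn)
{
    int count = 1;
    for (const char *p = dn; *p; p++) {
        if (*p == '\\' && p[1]) p++;      /* skip the escaped character */
        else if (*p == ',') count++;
    }
    return count;
}

int main(void)
{
    char dn[128]; /* constructed input: the CN value quoted in the message */
    if (build_dn("CN", "joe,cn=bad", "CN=users,DC=blah", dn, sizeof(dn)) == 0)
        printf("%s -> %d RDNs\n", dn, count_rdns(dn));
    printf("unescaped join -> %d RDNs\n", count_rdns("CN=joe,cn=bad,CN=users,DC=blah"));
    return 0;
}
```

Once the unescaped value has been joined, the resulting string parses as four RDNs and nothing in it marks which comma belonged to the value, which is why the escaping cannot be applied to a finished DN.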
