Managing DNs in libads only in utf8

simo idra at samba.org
Tue Feb 27 20:03:24 GMT 2007 

On Tue, 2007-02-27 at 11:50 -0800, Jeremy Allison wrote:
> On Tue, Feb 27, 2007 at 02:07:52PM -0500, simo wrote:
> > 
> > I think, and Volker seem to agree, we can make it safe to have utf8
> > strings for DNs in libads, please take a look at the next proposed patch
> > and let's talk about actual code and not ghosts ...
> 
> What are you trying to fix ? If someone has "unix charset != utf8"
> then they have to make sure everything that comes in will map
> to their charset. It's that simple.

We are talking of AD and an enterprise wide directory here, not
something joe samba admin can necessarily fix.

> How does your proposed patch fix that issue ?

Issue (this is the last time I explain it if you don't want to read
explanations I'll just give up):

A) A DN in AD is an UTF8 string by definition. A DN may contain UTF8
characters not representable in the chosen "unix charset".

B) our winbindd_ads.c has code to RETRIEVE a DN to be used later for
further queries, the DN is NOT built inside our code it is just fethed
and IDEALLY reused as is.

C) Winbindd_ads.c uses libads that BY DEFAULT translates DNs

So combine A,B and C and you will find that:

D) winbindd_ads.c corrupts DNs because to do a simple
fetch->store->reuse it really do a fetch->convert->store->convert->reuse

the double convert is utf8->unix charset and the unix charset->utf8

When a DN contains non convertible utf8 characters this double
conversion simply corrupts the DN

By keeping the DNs always in utf8 format we never convert them and never
corrupt the original DN.

>  I can't see that
> it's doing that, you're just moving the boundaries of the
> problem, the problem still exists.

The problem vanishes because you do not touch the DN at all, you use it
as it came off the wire and so it works independently of the charset
used.

> And our boundaries at
> the moment are in a good place, I *really* don't want to
> move them as it will confuse the code more than it improves
> it.

I think the boundaries are NOT in a good place in this case, they
actually corrupts perfectly sane strings used only internally. We can
keep strong boundaries using a struct to represent these utf8 strings
and not risk any confusion in the code.

> In short I think you're wasting your time here, and I'd
> rather you fix real rather than imagined bugs :-).

This is a real bug, reported by real people on a real bugzilla, please
try at least to understand which is the problem and say WONTFIX, calling
me mad is rather annoying.

/me getting really bitter today

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org

More information about the samba-technical mailing list