Announcement Announcement Module
Collapse
No announcement yet.
Failure to Bind on Valid DN Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Failure to Bind on Valid DN

    When I attempt to bind the following DN, I get an InvalidNameException:

    uid=testing\+abc.com, ou=internal, ou=people, dc=mycompany, dc=net
    JXplorer (the open source LDAP browser) is able to bind this DN just fine.
    phpAdmin throws up when it tries to read it, claiming it's an invalid DN.

    So now I have to ask...

    When you have a DN that contains a special character like the '+', how do you bind it?

    Your help greatly appreciated! And please, I know email address is a somewhat poor choice for UID, but it's all I've got to work with.

    Thanks,
    Dan

  • #2
    It does appear to be a valid DN. I'll need some more information - i.e. configuration setup, code snippet and the actual stack trace - in order to make a good guess.

    You might also try not escaping the value yourself, but rather let DistinguishedName do it for you, e.g.:
    Code:
    DistinguishedName dn = new DistinguishedName("ou=internal, ou=people, dc=mycompany, dc=net");
    dn.append("uid", person.getEmailAddress());
    ldapTemplate.bind(dn, null, attrs);
    That should properly escape the value for you.

    Comment


    • #3
      It's Broke Bad, Boss

      Hi, and thanks for the quick response.

      It's the DistinguishedName parser, and unfortunately, it's broken in both 1.1.2 and 1.2RC1. Here's a simple unit test showing that it cannot handle the + character, even when escaped. In fact, it seems to choke on the escape as well....

      Code:
          @Test
          public void testDNsOnly() {
              DistinguishedName base = new DistinguishedName("ou=people, dc=mycompany, dc=net");
              String[] names = new String[] { 
                  "[email protected]",
                  "test\\[email protected]",
                  "test\\\\[email protected]",
                  "test\\\\\\\\[email protected]"
              };
              
              boolean failed = false;
              for( String name : names ) {
                  try {
                      LOG.info("Attempting to create DN for " + name );
                      Name dn = base.addAll(new DistinguishedName(name));
                      LOG.info("Successfully created DN " + dn );
                  }
                  catch ( Throwable t ) {
                      LOG.warn("Parser failed unexpectedly on " + name + ": " + t );
                      failed = true;
                  }
              }                
              
              Assert.assertFalse(failed);
          }
      Results are as follows:
      Code:
      06-12-07 11:00:19,815 [main] INFO  com.eprize.caffeine.TestDistinguishedName  - Attempting to create DN for [email protected]
      06-12-07 11:00:19,825 [main] WARN  com.eprize.caffeine.TestDistinguishedName  - Parser failed unexpectedly on [email protected]: org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5.  Encountered: "+" (43), after : ""
      06-12-07 11:00:19,825 [main] INFO  com.eprize.caffeine.TestDistinguishedName  - Attempting to create DN for test\[email protected]
      06-12-07 11:00:19,825 [main] WARN  com.eprize.caffeine.TestDistinguishedName  - Parser failed unexpectedly on test\[email protected]: org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5.  Encountered: "\\" (92), after : ""
      06-12-07 11:00:19,825 [main] INFO  com.eprize.caffeine.TestDistinguishedName  - Attempting to create DN for test\\[email protected]
      06-12-07 11:00:19,825 [main] WARN  com.eprize.caffeine.TestDistinguishedName  - Parser failed unexpectedly on test\\[email protected]: org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5.  Encountered: "\\" (92), after : ""
      06-12-07 11:00:19,825 [main] INFO  com.eprize.caffeine.TestDistinguishedName  - Attempting to create DN for test\\\\[email protected]
      06-12-07 11:00:19,825 [main] WARN  com.eprize.caffeine.TestDistinguishedName  - Parser failed unexpectedly on test\\\\[email protected]: org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5.  Encountered: "\\" (92), after : ""

      Comment


      • #4
        Interestingly...

        The same test fails exactly the same way if I use either Sun's OR Novell's DN and RDN classes instead of DistinguishedName.

        I cannot find anywhere in the spec that would imply + or escaped backslash were invalid characters...

        Dan
        Last edited by dantelope; Jun 12th, 2007, 10:17 AM. Reason: Added Sun

        Comment


        • #5
          What substituting a hex equivalent?

          Can the hex (or unicode) string be plugged in? I don't do this often in Java, so I don't know the precise syntax.

          Comment


          • #6
            LDAP v3 Specification

            According to RFC 2253, Section 2.2:
            If the UTF-8 string does not have any of the following characters
            which need escaping, then that string can be used as the string
            representation of the value.

            o a space or "#" character occurring at the beginning of the
            string

            o a space character occurring at the end of the string

            o one of the characters ",", "+", """, "\", "<", ">" or ";"

            Implementations MAY escape other characters.

            If a character to be escaped is one of the list shown above, then it
            is prefixed by a backslash ('\' ASCII 92).

            Otherwise the character to be escaped is replaced by a backslash and
            two hex digits, which form a single byte in the code of the
            character.
            This does not seem to be the case for all 3 tested providers of implementations - Sun, Novell, and Spring.

            Methinks I need to add this as a very serious defect in JIRA...

            Comment


            • #7
              Originally posted by gregturn View Post
              Can the hex (or unicode) string be plugged in? I don't do this often in Java, so I don't know the precise syntax.
              Excellent idea, but unfortunately the implementations are choking on the escape character -- which means even the escaped hex methodology won't work.

              In additioin, at least according to the spec, the implementations are supposed to do the escaping, not the caller. It should be transparent to the caller.

              Dan

              Comment


              • #8
                More Information...

                I substituted JXplorer's DN and RDN class for the unit test and it passed. However, a subsequent attempt to bind with LdapTemplate failed with an InvalidNameException, so it appears I'm still searching for a workaround...

                Thanks,
                Dan

                Comment


                • #9
                  Well, the names you're trying to parse aren't distinguished names.
                  e.g.:
                  Code:
                  test\\[email protected]
                  is not a distinguished name - there is no attribute specifier.

                  However:
                  Code:
                  cn=test\\[email protected]
                  should be a distinguished name, but the DistinguishedName parser doesn't swallow that either, so we'll need to look into that a little bit further.

                  Comment


                  • #10
                    OK, gave it another try. The following two tests pass successfully:
                    Code:
                        public void testParseAtSign() {
                            DistinguishedName name = new DistinguishedName("cn=[email protected]");
                            assertNotNull(name);
                        }
                        
                        public void testParseAtSign2() {
                            DistinguishedName name = new DistinguishedName("cn=te\\[email protected]");
                            assertNotNull(name);
                        }
                    However, the following test fails:
                    Code:
                        public void testParseInvalidPlus(){
                            DistinguishedName name = new DistinguishedName("cn=[email protected]");
                            assertNotNull(name);        
                        }
                    This is to be expected, as the last one is not a valid DistinguishedName (an unescaped '+' sign indicates a multivalue RDN, as in:
                    Code:
                    cn=john doe+sn=doe, ou=people, dc=mycompany, dc=com
                    In this example, the leftmost RDN consists of two attributes, cn=john doe and sn=doe

                    Comment


                    • #11
                      Clarification: from my previous post I would like to argue that the DistinguishedName parser is indeed performing as expected.

                      Comment


                      • #12
                        Ahhhh... yes... right. *thumps himself in the head*. Thanks

                        Appreciate you taking the time to look into it!

                        Dan

                        Comment


                        • #13
                          hi,

                          i am having issue with LdapTemplate.search(). If the result list contains DNs with escaped backslashes, then exception occurs. Example CN=ABC\\Something causing problem. Does anyone having work around to elliminate? or at least expand my query filter to exclude those items?

                          many thanks,

                          exception :
                          Code:
                          failed org.springframework.ldap.UncategorizedLdapException: Operation failed; nested exception is javax.naming.NamingException: problem generating object using object factory 
                          Root exception is org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.support.TokenMgrError: Lexical error at line 1, column 18.  Encountered: "\\" (92), after : ""]; remaining name ''
                          Caused by: 
                          javax.naming.NamingException: problem generating object using object factory 
                          Root exception is org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.support.TokenMgrError: Lexical error at line 1, column 18.  Encountered: "\\" (92), after : ""]; remaining name ''
                                  at com.sun.jndi.ldap.LdapSearchEnumeration.createItem(LdapSearchEnumeration.java:111)
                                  at com.sun.jndi.ldap.LdapNamingEnumeration.nextAux(LdapNamingEnumeration.java:256)
                                  at com.sun.jndi.ldap.LdapNamingEnumeration.nextImpl(LdapNamingEnumeration.java:236)
                                  at com.sun.jndi.ldap.LdapNamingEnumeration.next(LdapNamingEnumeration.java:184)
                                  at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:271)
                                  at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:231)
                                  at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:561)
                                  at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:475)
                                  at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:423)

                          Comment


                          • #14
                            The following test case succeeds:
                            Code:
                            public void testEscapedBackslash() throws Exception {
                              DistinguishedName dn = new DistinguishedName("cn=ABC\\\\Something");
                              assertEquals("cn", dn.getLdapRdn(0).getKey());
                              assertEquals("ABC\\Something", dn.getLdapRdn(0).getValue());
                            }
                            We encountered a similar problem earlier, and that was quite thoroughly investigated here.
                            It seems like the DN supplied to Spring LDAP by the underlying code is invalid, and there's not much we can do about it.

                            You should be able to modify your filter to exclude these entries.:
                            Code:
                              Filter originalFilter = <your original filter>
                              AndFilter newFilter = new AndFilter();
                              newFilter.and(originalFilter);
                              newFilter.and(new WhitespaceWildcardsFilter("cn", "\\"));

                            Comment

                            Working...
                            X