Articles in Series "SAMBA4"

AD-Precreation using ktutil, kinit and adcli

Using computer object precreation you can enable machines to join an Active Directory domain with knowledge of just one dedicated one-time-password. Combined with delegation you can offload management of computer objects to an otherwise unprivileged AD user.

Lesen Sie mehr »

Comparing Distinguished LDAP Names

In a Bourne Shell script, a distinguished name (DN) for performing an LDAP-query is held in a variable:

dn="cn=Malmø,ou=County Capitals,dc=Sweden,dc=Europe"

For the purpose of demonstration, this example DN contains a non-ASCII character.

Let’s write a Bourne Shell function that escapes such special characters as requested by RFC 4514 using perl’s Net::LDAP::Util:

canonical_dn() {
    perl -s -MNet::LDAP::Util -e '
        print Net::LDAP::Util::canonical_dn($dn, mbcescape=>1)
    ' -- -dn="$1"
}

Let’s test the function:

echo "Unescaped DN: $dn"
echo "Escaped DN:   $(canonical_dn "$dn")"

The expected output is:

Unescaped DN: cn=Malmø,ou=County Capitals,dc=Sweden,dc=Europe
Escaped DN:   CN=Malm\c3\b8,OU=County Capitals,DC=Sweden,DC=Europe

With a normalized notation, DN values are more robust when sending them to external applications such as the OpenLDAP client tools (ldapsearch & Co.), and certain operations on DNs inside the shellscript itself become a bit more feasible.

But note: For various reasons, DNs can not be reliaby compared for equality, even if both are normalized using canonical_dn. For example, attributes can have a long and a short name, both are valid when denoting a DN, and the OID of an attribute can also be used when denoting a DN. The following DNs address identical entries:

  • cn=Malmø,ou=County Capitals,dc=Sweden,dc=Europe
  • commonName=Malmø,ou=County Capitals,dc=Sweden,dc=Europe
  • 2.5.4.3=Malmø,ou=County Capitals,dc=Sweden,dc=Europe

The information that all these notations of the same attribute commonName are identical is contained in the schema of the LDAP database that is being queried, and neither canonical_dn nor the shellscript can apply this information, this can only be done by an LDAP server.

This made me wonder if there is a canonical way of comparing two DN representations for identity using interaction with an LDAP directory access server. Apparently this is not so:

  • RFC 2251 lists „bind“, „search“, „modify“, „add“, „delete“ and „modify DN“ as supported message types.
  • RFC 2253 makes no mention of DN comparison.
  • I am not aware of an extended request for comparing DNs, at least not one that was widespread across implementations.  ldapwiki.com lists „cancel“, „password modify“, „StartTLS“ and „Who am I“ as known examples, ldap.com additionally lists „Start Transaction“ and „End Transaction“, calling them „standard extended operation types“.