Arran Cudbard-Bell wrote:
On 29 Jun 2015, at 05:01, Michael Ströder <michael@stroeder.com> wrote:
HI!
Testing git v3.1.x 36e1b02e926df5cd75d4d548694401535c607ca9 I noticed that something's wrong with LDAPI URLs containing a URL-encoded path.
This does not work:
server = 'ldapi://%2Ftmp%2Fopenldap-socket'
leads to:
rlm_ldap (ldap): Bind with uid=radiusd,ou=sys,dc=stroeder,dc=local to ldapi:///tmp/openldap-socket failed: Can't contact LDAP server
I'm not sure whether radiusd URL-decodes the path and passes "ldapi:///tmp/openldap-socket" to libldap or whether the decoding simply happens when writing the log line.
It should *not* do URL-decoding because parsing the LDAP URL "ldapi:///tmp/openldap-socket" in libldap won't work since the first "/" after the "hostport" part is the next separator to the DN portion.
It's actually ldap_url_parse doing more than what's claimed in the man page entry:
ldap_url_parse() breaks down an LDAP URL passed in url into its component pieces. If successful, zero is returned, an LDAP URL description is allocated, filled in, and ludpp is set to point to it. If an error occurs, a non-zero URL error code is returned.
In addition to breaking the components down, it also url unescapes them *sigh*.
Yes, it has to for using the URI components later. That's what module ldapurl in python-ldap also does. Unparsing the components to a valid LDAP URL is more.
So the solution is to re-escape the host portion. I'll push a fix in a bit.
Hmm, I'd prefer you to simply pass the configured original string to libldap and use result code of ldap_url_parse() just as proof that it's a valid LDAP URI. Ciao, Michael.