ldapi:// with path

Michael Ströder michael at stroeder.com
Mon Jun 29 15:48:16 CEST 2015


Arran Cudbard-Bell wrote:
> 
>> On 29 Jun 2015, at 05:01, Michael Ströder <michael at stroeder.com> wrote:
>>
>> HI!
>>
>> Testing git v3.1.x 36e1b02e926df5cd75d4d548694401535c607ca9 I noticed that
>> something's wrong with LDAPI URLs containing a URL-encoded path.
>>
>> This does not work:
>>
>> server = 'ldapi://%2Ftmp%2Fopenldap-socket'
>>
>> leads to:
>>
>> rlm_ldap (ldap): Bind with uid=radiusd,ou=sys,dc=stroeder,dc=local to
>> ldapi:///tmp/openldap-socket failed: Can't contact LDAP server
>>
>> I'm not sure whether radiusd URL-decodes the path and passes
>> "ldapi:///tmp/openldap-socket" to libldap or whether the decoding simply
>> happens when writing the log line.
>>
>> It should *not* do URL-decoding because parsing the LDAP URL
>> "ldapi:///tmp/openldap-socket" in libldap won't work since the first "/" after
>> the "hostport" part is the next separator to the DN portion.
> 
> It's actually ldap_url_parse doing more than what's claimed in the man page entry:
> 
>        ldap_url_parse()  breaks  down  an  LDAP URL passed in url into its component pieces.  If successful,
>        zero is returned, an LDAP URL description is allocated, filled in, and ludpp is set to point  to  it.
>        If an error occurs, a non-zero URL error code is returned.
> 
> In addition to breaking the components down, it also url unescapes them *sigh*.

Yes, it has to for using the URI components later.
That's what module ldapurl in python-ldap also does.
Unparsing the components to a valid LDAP URL is more.

> So the solution is to re-escape the host portion. I'll push a fix in a bit.

Hmm, I'd prefer you to simply pass the configured original string to libldap
and use result code of ldap_url_parse() just as proof that it's a valid LDAP URI.

Ciao, Michael.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4272 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20150629/245797c7/attachment.bin>


More information about the Freeradius-Users mailing list