ldapi:// with path

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Jun 29 16:59:44 CEST 2015


> On 29 Jun 2015, at 09:48, Michael Ströder <michael at stroeder.com> wrote:
> 
> Arran Cudbard-Bell wrote:
>> 
>>> On 29 Jun 2015, at 05:01, Michael Ströder <michael at stroeder.com> wrote:
>>> 
>>> HI!
>>> 
>>> Testing git v3.1.x 36e1b02e926df5cd75d4d548694401535c607ca9 I noticed that
>>> something's wrong with LDAPI URLs containing a URL-encoded path.
>>> 
>>> This does not work:
>>> 
>>> server = 'ldapi://%2Ftmp%2Fopenldap-socket'
>>> 
>>> leads to:
>>> 
>>> rlm_ldap (ldap): Bind with uid=radiusd,ou=sys,dc=stroeder,dc=local to
>>> ldapi:///tmp/openldap-socket failed: Can't contact LDAP server
>>> 
>>> I'm not sure whether radiusd URL-decodes the path and passes
>>> "ldapi:///tmp/openldap-socket" to libldap or whether the decoding simply
>>> happens when writing the log line.
>>> 
>>> It should *not* do URL-decoding because parsing the LDAP URL
>>> "ldapi:///tmp/openldap-socket" in libldap won't work since the first "/" after
>>> the "hostport" part is the next separator to the DN portion.
>> 
>> It's actually ldap_url_parse doing more than what's claimed in the man page entry:
>> 
>>       ldap_url_parse()  breaks  down  an  LDAP URL passed in url into its component pieces.  If successful,
>>       zero is returned, an LDAP URL description is allocated, filled in, and ludpp is set to point  to  it.
>>       If an error occurs, a non-zero URL error code is returned.
>> 
>> In addition to breaking the components down, it also url unescapes them *sigh*.
> 
> Yes, it has to for using the URI components later.

It's a public function for breaking a URL into components; it should do what its man page entry says it should do.

There's an internal version which accepts compatibility flags; if they need the components unescaped for internal use they could have used that. Breaking the URL into its components does not require unescaping. The component separators '/' and '?' are not escaped.

See here: https://tools.ietf.org/html/rfc2255#section-3

> That's what module ldapurl in python-ldap also does.
> Unparsing the components to a valid LDAP URL is more.

OK.

>> So the solution is to re-escape the host portion. I'll push a fix in a bit.
> 
> Hmm, I'd prefer you to simply pass the configured original string to libldap
> and use result code of ldap_url_parse() just as proof that it's a valid LDAP URI.

base_dn, filter, scope and attributes need stripping. We don't support specifying them via the URL.

I guess we could error out if any of those components were found.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
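The parsing argument made in this message, as an added example that is not code from the thread, from FreeRADIUS or from libldap: a small RFC 2255 splitter that breaks an LDAP URL into its components on the unescaped separators ('://', '/', '?') without percent-decoding anything, then a server-only reduction that strips or rejects the dn/attributes/scope/filter components rlm_ldap does not support, and a re-escape helper for the host portion. It also shows what goes wrong when the ldapi:// path is decoded before the split, as the log line in the report suggests: the socket path is swallowed by the hostport/DN separator. The function names, the `strict` parameter, the `safe` character set used when re-escaping and the ldap.example.com sample URL are assumptions of this example; the socket path is the one from the thread.

```python
from urllib.parse import quote, unquote

LDAP_SCHEMES = ("ldap", "ldaps", "ldapi")
COMPONENTS = ("dn", "attributes", "scope", "filter", "extensions")


def split_ldap_url(url):
    """Split an LDAP URL into its RFC 2255 pieces WITHOUT unescaping them.

    ldapurl = scheme "://" [hostport] ["/" [dn ["?" [attributes]
              ["?" [scope] ["?" [filter] ["?" extensions]]]]]]

    The separators are never percent-encoded in a valid URL, so splitting on
    them is safe before any decoding.  Components that are absent come back
    as None; an empty component (e.g. "ldap://host/") comes back as "".
    """
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in LDAP_SCHEMES:
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, slash, rest = rest.partition("/")
    parts = rest.split("?", len(COMPONENTS) - 1) if slash else []
    comps = dict(zip(COMPONENTS, parts))
    result = {"scheme": scheme.lower(), "hostport": hostport}
    result.update((name, comps.get(name)) for name in COMPONENTS)
    return result


def server_only(url, strict=True):
    """Reduce a URL to scheme://hostport, the only part rlm_ldap consumes.

    With strict=True (assumed default for this example) any dn, attributes,
    scope or filter component is rejected instead of silently dropped.
    """
    c = split_ldap_url(url)
    unsupported = [n for n in ("dn", "attributes", "scope", "filter") if c[n]]
    if strict and unsupported:
        raise ValueError("unsupported URL components: %s" % ", ".join(unsupported))
    return "%s://%s" % (c["scheme"], c["hostport"])


def reescape_hostport(decoded):
    """Re-escape a hostport that a parser has already percent-decoded.

    ':' is kept for host:port and '[' ']' for IPv6 literals (assumed safe set);
    everything else, including '/', is encoded so an ldapi socket path can no
    longer be mistaken for the hostport/DN separator.
    """
    return quote(decoded, safe=":[]")


def decode_hostport_like_libldap(url):
    """Model the behaviour complained about in the thread: decode the hostport
    and rebuild the URL, which turns ldapi://%2Ftmp%2Fx into ldapi:///tmp/x."""
    c = split_ldap_url(url)
    return "%s://%s" % (c["scheme"], unquote(c["hostport"]))


if __name__ == "__main__":
    socket_url = "ldapi://%2Ftmp%2Fopenldap-socket"  # from the thread
    good = split_ldap_url(socket_url)
    print("raw split      :", good["hostport"], "dn=", good["dn"])

    decoded = decode_hostport_like_libldap(socket_url)
    bad = split_ldap_url(decoded)
    print("decoded first  :", decoded, "-> hostport=%r dn=%r" % (bad["hostport"], bad["dn"]))

    print("re-escaped     :", reescape_hostport(unquote(good["hostport"])))

    # Constructed example of a URL carrying the components rlm_ldap does not accept.
    full = "ldap://ldap.example.com:389/dc=example,dc=com?uid?sub?(objectClass=person)"
    print("stripped       :", server_only(full, strict=False))
    try:
        server_only(full)
    except ValueError as err:
        print("strict mode    :", err)
```

Running the module shows the raw split keeping `%2Ftmp%2Fopenldap-socket` intact, while the decoded form `ldapi:///tmp/openldap-socket` splits into an empty hostport and a bogus DN of `tmp/openldap-socket`, which is exactly why libldap then reports that it can't contact the server.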
