Comments (1)
There are a couple "ah-ha!" moments I had when reviewing the RFCs and the code.
- The syntax for LDAP filters matching GUIDs is not really special. What makes creating the filter so non-intuitive is that GUIDs are stored as binary data. The string representations we commonly work with are not how the data is stored, and that is why trying to filter on the common string representation doesn't work.
- RFC 4515 explains how escaping in LDAP filters works. In particular, on page 4, the characters that are normally escaped. It further goes on to say:
Other octets that are part of the <normal> set may be escaped using this mechanism, for example, non-printing ASCII characters.
And later:
As indicated by the <valueencoding> rule, implementations MUST escape all octets greater than 0x7F that are not part of a valid UTF-8 encoding sequence when they generate a string representation of a search filter.
This tells us that binary values more or less need to be represented in the escaped format, which is what the Ping Identity article you referenced is describing. (More on the "more or less" later).
- The
pureldap.LDAPFilter_*
objects have bothstr()
representations andasTest()
methods. The former is used when transmitting the BER sequences to an LDAP server. The latter is used when displaying textual representations of the data (during debugging, for example).
A code example may get to the heart of the matter:
>>> import ldaptor
>>> import ldaptor.ldapfilter as lf
>>> guid_chars = "90395F191AB51B4A9E9686C66CB18D11"
>>> chars = [c for c in guid_chars]
>>> chars
['9', '0', '3', '9', '5', 'F', '1', '9', '1', 'A', 'B', '5', '1', 'B', '4', 'A', '9', 'E', '9', '6', '8', '6', 'C', '6', '6', 'C', 'B', '1', '8', 'D', '1', '1']
>>> firsts = chars[::2]
>>> seconds = chars[1::2]
>>> pairs = zip(firsts, seconds)
>>> escaped_guid_str_rep = ''.join([r"\{0}{1}".format(a, b) for a, b in pairs])
>>> print(escaped_guid_str_rep)
\90\39\5F\19\1A\B5\1B\4A\9E\96\86\C6\6C\B1\8D\11
>>> filter_str = "(guid={0})".format(escaped_guid_str_rep)
>>> print(filter_str)
(guid=\90\39\5F\19\1A\B5\1B\4A\9E\96\86\C6\6C\B1\8D\11)
>>> fo = lf.parseFilter(filter_str)
>>> str(fo)
'\xa3\x18\x04\x04guid\x04\x10\x909_\x19\x1a\xb5\x1bJ\x9e\x96\x86\xc6l\xb1\x8d\x11'
>>> fo.asText()
'(guid=\x909_\x19\x1a\xb5\x1bJ\x9e\x96\x86\xc6l\xb1\x8d\x11)'
>>> chr(0x39)
'9'
>>> chr(0x5F)
'_'
>>>
What we see here is that the filter string will be parsed and represented correctly both as bytes sent to the LDAP server and as text displayed during debugging. However, the textual representation used for debugging, while correct, seems a bit odd to us as human beings because it mixes escaped and non-escaped representations. All the bytes that must be escaped are, but the parts that may optionally be escaped in a representation are not.
This is actually a bit confusing to look at, but the sequences:
\90\39\5F\19\1A\B5\1B\4A\9E\96\86\C6\6C\B1\8D\11
and
\x909_\x19\x1a\xb5\x1bJ\x9e\x96\x86\xc6l\xb1\x8d\x11
are equivalent. One is just a lot more intuitive for a human being to parse.
Your proposed change would provide a way to customize the textual representation of filters, though I'd suggest that the naming ("custom escape functionality") is perhaps a bit misleading. "Custom LDAP filter textual representation" or "custom LDAP filter human-readable representation" both seem more accurate to me, though they are very wordy.
I wonder if it would be possible to push on the default case a bit. Do you think it might be possible to extend your idea so that the human-readable representation would automatically detect binary data in filters automatically represent all the octets with escape sequences? Maybe if say half of the characters in the filter assertion value were non-printable?
I'll have access to an AD instance tomorrow, so I should be able to test to make sure that filtering on GUIDs already works-- it is just the textual representations can be queer-looking for binary data.
from ldaptor.
Related Issues (20)
- failing checks on master still HOT 5
- BerOctetString Repr HOT 1
- TCP Connection not closed if non SSL ldaptor LDAPServer accessed via SSL HOT 1
- missing tag for 19.1.0 HOT 1
- Proxy unable to connect to Active Directory HOT 2
- enable PR builds for readthedocs HOT 7
- release 20.1.1 ? HOT 1
- Help: how to modify ldap filter within handleBeforeForwardRequest HOT 2
- Bug: ModifyOp in the Delta module cannot serialize from LDAP
- Add callback/hook when the client connection is closed
- Merger example - Connection lost
- `SearchByTreeWalkungMixin` ignores `sizeLimit`
- LdapServer: getRootDSE misses some required attributes HOT 1
- VLV support in ldaptor HOT 1
- Reload LDIF during serving HOT 1
- Testing with Twisted 22.4 results in infinite loop creating temporary config files
- Intended handling of UnknownBERTag?
- LDAP server with binary transfer attribute for userCertificate (RFC 4522/RFC 4523)
- Remove print usage in production code
- I can't connect to the server through sssd
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ldaptor.