John Dennis wrote:
DN's may be encoded. If we're going to return the value from one of the
RDN's in the DN then we must decode the DN first, otherwise the returned
value won't be what we're expecting. Specifically the value getting
passed back through the RPC interface was not the value set because it
included escaping specific only to DN's. We want to treat the value as
the value set by the user, the fact it happens to live as part of a DN
is an irrelevant implementation detail which shouldn't be visible in the
values we exchange through the RPC mechanism.
This patch takes the DN as returned by an ldap search and creates a DN
object from it. The DN object allows us to robustly extract the value by
name. The DN object also assures the components in the DN have been
decoded back into normal unicode strings.
There are many other places where we need to properly handle DN's by
using a DN object, this is just one place, the minimum needed to get
comma's working in privileges. I'd rather make very small incremental
changes in the DN handling rather than introducing too many changes in
this critical area of the code, let's be conservative at this juncture.
ack, pushed to master and ipa-2-0
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
