Escaping of binary characters

Mark Hammond mhammond at
Tue May 10 15:39:12 CEST 2005

> Mark Hammond wrote:
> > 	I'm using python-ldap in conjunction with Zope and the
> LDAPUserFolder
> > product to talk to a Windows Active Directory server.  One
> of the objects I
> > am trying to fetch via LDAP is objectGUID - a binary value.
> Can you please provide sample Python code so I can see what you really
> want to achieve? Are you searching entries by objectGUID
> assertion values?

I don't actually have neat sample code - I'm observing this inside Zope.
However, what happens is:

* We query for the attribute 'objectGUID'.  We get back a 16 byte string - a
raw binary representation of the 128-bit GUID.  This part works fine - we
get the binary value from LDAP correctly.

* Later, we call search_s with a filter string '(objectGUID={string})',
after calling escape_filter_chars with the exact value as previously
fetched.  The filter fails, but succeeds with my implementation of

> > It seems to me that the current implementation of
> > ldap.filters.escape_filter_chars is too conservative in choosing the
> > characters to escape.
> This implementation simply trys to preserve a human-readable
> form of the
> search filter as much as possible.

On closer inspection, my version is too aggressive.  Instead of:

 if c < '0' or c > 'z' or c in "\\*()":

it should read:

 if c < ' ' or c > '~' or c in "\\*()":

which includes some extra punctuation.  As far as I can tell, that will
leave all 'printable' characters alone and should leave things as readable
(even if slightly different than) the current implementation

> But actually nothing forces you to use python-ldap's helper function
> ldap.filter.escape_filter_chars(). You can simply use your own
> implementation in your code. You could even substitute python-ldap's
> implementation by initially overwriting it
> import ldap.filter
> ldap.filter.escape_filter_chars = my_funky_escape_filter_chars

Yes, you are correct in that nothing is forcing us to use your function - I
just thought you would like to know :)



More information about the python-ldap mailing list