20101209 getting at bad dn values - plembo/onemoretech GitHub Wiki

title: Getting at bad dn values
link: https://onemoretech.wordpress.com/2010/12/09/getting-at-bad-dn-values/
author: lembobro
description:
post_id: 104
created: 2010/12/09 12:55:34
created_gmt: 2010/12/09 12:55:34
comment_status: open
post_name: getting-at-bad-dn-values
status: publish
post_type: post

Getting at bad dn values

If you’re like me, and you don’t allow non-ASCII distinguished name values in your LDAP directory, this may be of help to you.

If you do allow such values, maybe not so much. Following is some code.

The goal here is to find all the distinguished names that contain something other than straight ASCII text. For example:

"dn: cn=plembo,cn=users,dc=example,dc=com"

as opposed to

"dn:: Y249QTAwMjkw77+977+ycywgZGM9YXJyb3csZGM9Y29t"

The latter are no fun at all to work with, and in the directory environments I manage only happen when someone messes up in setting a user name value (from which I’ve banned all non-ASCII characters).

Here’s the procedure:

1. Do an LDIF dump of the subject container using ldapsearch. I like to do a

ldapsearch -x -LLL -h hostname -D "cn=orcladmin" -W \
  -b "cn=users,dc=example,dc=com" -s sub "objectclass=*" dn >dns.ldif

2. Remove all blank lines

perl -pi -e 's/^\n$//g' dns.ldif

3. Extract every non-ASCII dn (these appear in the file as base64-encoded UTF-8, on lines starting with "dn:: ").

grep 'dn:: ' dns.ldif >baddns.ldif

To delete the entries in your baddns.ldif file, you could just do something like this:

perl -pi -e 's/\n$/\nchangetype: delete\n\n/' baddns.ldif

(the double linefeed will get you back the space needed between each entry)
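The same three steps carried out in Python, as an added example that is not from the original post: it unfolds LDIF continuation lines (which the grep misses when a long dn:: value wraps), decodes each base64 dn so you can see what actually went wrong, and builds the delete LDIF. It assumes a constructed sample dump in the shape of the step-1 output; note that LDIF also base64-encodes a dn for a leading space, ':' or '<', a trailing space, or control characters, so a dn:: line is not always a non-ASCII one.

```python
import base64


def _b64(dn):
    # Encode a dn the way ldapsearch does when it is not LDIF-safe.
    return base64.b64encode(dn.encode("utf-8")).decode("ascii")


# Constructed sample in the shape of the step-1 dump: a plain entry, a
# non-ASCII cn whose base64 value is folded onto a second line, and a cn
# with a trailing space (also base64-encoded, though it is pure ASCII).
_B64_UMLAUT = _b64("cn=müller,cn=users,dc=example,dc=com")
SAMPLE_LDIF = (
    "dn: cn=plembo,cn=users,dc=example,dc=com\n\n"
    f"dn:: {_B64_UMLAUT[:20]}\n {_B64_UMLAUT[20:]}\n\n"
    f"dn:: {_b64('cn=trailing ,cn=users,dc=example,dc=com')}\n\n"
)


def unfold_ldif(ldif_text):
    """Rejoin folded lines: a line starting with one space continues the
    previous one, so a long 'dn::' value is whole before it is inspected."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def classify_bad_dns(ldif_text):
    """Return [(b64, decoded_dn, reason)] for every 'dn::' in the dump.
    The decoded value is checked because LDIF base64-encodes a dn for
    unsafe ASCII (leading space/':'/'<', trailing space, NUL/CR/LF) too."""
    found = []
    for line in unfold_ldif(ldif_text):
        if not line.startswith("dn:: "):
            continue
        value = line[5:].strip()
        dn = base64.b64decode(value).decode("utf-8", errors="replace")
        reason = "non-ascii" if any(ord(c) > 127 for c in dn) else "ldif-unsafe-ascii"
        found.append((value, dn, reason))
    return found


def delete_ldif(bad):
    """Emit the 'changetype: delete' LDIF the perl one-liner builds,
    keeping each dn base64-encoded so ldapmodify accepts it unchanged."""
    return "".join(f"dn:: {b64}\nchangetype: delete\n\n" for b64, _, _ in bad)
```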

Copyright 2004-2019 Phil Lembo