> I've been trying to research how to correctly escape search filters, and I
> can't find any single reliable source that makes sense.
>
> I look at RFC 2253 (http://www.ietf.org/rfc/rfc2253.txt) section 2.4,
> and this IBM webpage (
> http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzahy/rzahyunderdn.htm
> ),
> and they both seem to suggest that you need to escape (for example) the
> '+' sign.
>
> But when I escape a search filter like this:
> (&(objectclass=person)(facsimileTelephoneNumber=+1234))
> to this:
> (&(objectclass=person)(facsimileTelephoneNumber=\+1234))
> it results in a bad filter.
>
> My hunch is that perhaps DNs, attribute names, and attribute values are
> all escaped differently.
>
> Is there a simple explanation online on how to escape search filters?

RFC2253 was about string representation of DN, not filters. RFC2254 was about search filters. They are both deprecated. See RFC4510 for a list of RFCs related to the current specification of LDAP.

In any case, '+' does not need any escaping in search filters. Escaping requires '\' + two-digit hex representation of escaped octet; in your case, '\2B'.

p.
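
Added example, not part of the original thread: a Python sketch contrasting the two escaping rules discussed above, using the current successors of the RFCs named in the reply (RFC 4515 for search filters, RFC 4514 for DN strings). The function names are hypothetical and the sample values are constructed; it shows why `\+1234` is rejected as a filter while `+1234` and `\2B1234` are accepted.

```python
import re

# Characters that must be escaped in a filter assertion value: NUL ( ) * \
FILTER_SPECIALS = "\x00()*\\"
# Characters that must be escaped in a DN attribute value (any position).
DN_SPECIALS = '"+,;<>\\'


def escape_filter_value(value: str) -> str:
    """Filter rule: special character -> backslash + two hex digits."""
    return "".join("\\%02x" % ord(c) if c in FILTER_SPECIALS else c
                   for c in value)


def unescape_filter_value(escaped: str) -> str:
    """Decode a filter value; a backslash must be followed by two hex digits."""
    data = escaped.encode("utf-8")
    if re.search(rb"\\(?![0-9A-Fa-f]{2})", data):
        raise ValueError("bad filter: backslash not followed by two hex digits")
    decoded = re.sub(rb"\\([0-9A-Fa-f]{2})",
                     lambda m: bytes([int(m.group(1), 16)]), data)
    return decoded.decode("utf-8")


def escape_dn_value(value: str) -> str:
    """DN rule: backslash-prefix specials, leading ' ' or '#', trailing ' '."""
    out = []
    last = len(value) - 1
    for i, c in enumerate(value):
        if c == "\x00":
            out.append("\\00")
        elif c in DN_SPECIALS or (i == 0 and c in " #") or (i == last and c == " "):
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def equality_filter(attr: str, value: str) -> str:
    """Build (attr=value) with the value escaped by the filter rule."""
    return "(%s=%s)" % (attr, escape_filter_value(value))


if __name__ == "__main__":
    print(equality_filter("facsimileTelephoneNumber", "+1234"))
    print(equality_filter("cn", "*)(uid=*"))   # constructed hostile input
    print(escape_dn_value("+1234"))            # DN rule differs: \+1234
```

Untrusted input placed in a filter should always pass through the filter rule, never the DN rule: the DN rule leaves `*`, `(` and `)` untouched, which are exactly the characters that change a filter's structure.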
