Closed Zerowalker closed 3 months ago
Ensuring that the bind DN is valid is entirely on the client. The protocol will transport whatever's supplied as an octet string, and the server should validate it and refuse the operation if it's malformed. There is the dn_escape() utility function which can be applied to RDN values when constructing the DN.
As for Discussions -- I don't mind seeing questions here, especially if they're explicitly tagged as such. There are not many, anyway. (I always close any usage/question issue when I judge that the conversation has run its course.)
Got it, thanks for the quick response! :)
As the title specifies, does one need to make sure the characters in the username (or/and password?) are valid? If I understand it correctly, not all characters can be used upon binding. It depends on the LDAP server, but the specification lists some that are always wrong: https://www.ietf.org/rfc/rfc2253.txt
As when using filters one needs to use ldap_escape to ensure it both works properly and can't be exploited. So was wondering if there is a similar approach when simple_bind is used?

Thanks!
PS: If possible perhaps Discussions can be opened to prevent questions appearing as "issues"?
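
The reply above says RDN values should be escaped when the bind DN is constructed. The following is an added example, not code from the thread or from the library: a stand-alone sketch of the RFC 2253 section 2.4 escaping rules, where `escape_rdn_value`, `bind_dn`, the `uid` attribute and the base DN are all assumptions made for illustration.

```rust
/// Escape one attribute value for use inside an RDN (RFC 2253, section 2.4).
/// Stand-alone sketch for illustration; not the library's dn_escape().
fn escape_rdn_value(value: &str) -> String {
    let last = value.chars().count().saturating_sub(1);
    let mut out = String::with_capacity(value.len() + 4);
    for (i, c) in value.chars().enumerate() {
        match c {
            // Characters that are always special inside a DN.
            ',' | '+' | '"' | '\\' | '<' | '>' | ';' => {
                out.push('\\');
                out.push(c);
            }
            // '#' is special only as the first character.
            '#' if i == 0 => out.push_str("\\#"),
            // A space is special only at the start or end of the value.
            ' ' if i == 0 || i == last => out.push_str("\\ "),
            // NUL is written as a backslash followed by a hex pair.
            '\0' => out.push_str("\\00"),
            _ => out.push(c),
        }
    }
    out
}

/// Build a bind DN from an untrusted login name and a fixed base.
/// The "uid" naming attribute is a hypothetical choice.
fn bind_dn(username: &str, base: &str) -> String {
    format!("uid={},{}", escape_rdn_value(username), base)
}

fn main() {
    let base = "ou=people,dc=example,dc=org"; // constructed sample base
    // Constructed inputs: a plain name, one containing a DN separator,
    // and values that hit the leading/trailing rules.
    for name in ["alice", "bob,ou=admins", "#1 user ", "a+b=\"c\""] {
        println!("{:<16} -> {}", name, bind_dn(name, base));
    }
}
```

With the separator escaped, a value such as `bob,ou=admins` stays a single RDN value instead of changing the structure of the DN sent in the bind request.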