Use escapes in DNs instead of quoting.

Based on initial patch from Pavel Zuna.

2 files changed, 7 insertions, 1 deletions

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index f535b7ba..61887dde 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -34,6 +34,7 @@ import service
 import installutils
 import certs
 import ldap
+from ldap.dn import escape_dn_chars
 from ipaserver import ipaldap
 from ipaserver.install import ldapupdate
 from ipaserver.install import httpinstance
@@ -209,7 +210,9 @@ class DsInstance(service.Service):
                              REALM=self.realm_name, USER=self.ds_user,
                              SERVER_ROOT=server_root, DOMAIN=self.domain,
                              TIME=int(time.time()), UIDSTART=self.uidstart,
-                             GIDSTART=self.gidstart, HOST=self.host_name)
+                             GIDSTART=self.gidstart, HOST=self.host_name,
+                             ESCAPED_SUFFIX= escape_dn_chars(self.suffix.lower()),
+                         )
 
     def __create_ds_user(self):
         user_exists = True
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index c0345918..dff94783 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -31,6 +31,7 @@ from ipapython import entity, ipautil
 from ipalib import util, uuid
 from ipalib import errors
 import ldap
+from ldap.dn import escape_dn_chars
 import logging
 import krbV
 import platform
@@ -76,6 +77,8 @@ class LDAPUpdate:
             self.sub_dict["DOMAIN"] = domain
         if not self.sub_dict.get("SUFFIX"):
             self.sub_dict["SUFFIX"] = suffix
+        if not self.sub_dict.get("ESCAPED_SUFFIX"):
+            self.sub_dict["ESCAPED_SUFFIX"] = escape_dn_chars(suffix)
         if not self.sub_dict.get("LIBARCH"):
             self.sub_dict["LIBARCH"] = libarch
         if not self.sub_dict.get("TIME"):