Preventing LDAP injection

Question

I am working on my first desktop app that queries LDAP. I'm working in C under unix and using opends, and I'm new to LDAP. After woking a while on that I noticed that the user could be able to alter the LDAP query by injecting malicious code.
I'd like to know which sanitizing techniques are known, not only for C/unix development but in more general terms, i.e., web development etc.
I thought that escaping equals and semicolons would be enough, but not sure.

Here is a little piece of code so I can make clearer the question:

 String ldapSearchQuery = "(cn=" + $userName + ")";
 System.out.println(ldapSearchQuery); 

Obviously I do need to sanitize $userName, as stated in this OWASP ARTICLE

Answer 1

OWASP is a good security guide that I use a lot, and has example code (in Java, but you should be able to translate): http://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java

Also, here's an Active Directory specific reference: http://www.rlmueller.net/CharactersEscaped.htm

Answer 2

You got your answer in the question comment, already. RFC 2254 has it.

Here's what I use in PHP. Something equivalent in your language should suffice.

/**
 * Sanitizes ldap search strings.
 * See rfc2254
 * @link http://www.faqs.org/rfcs/rfc2254.html
 * @since 1.5.1 and 1.4.5
 * @param string $string
 * @return string sanitized string
 * @author Squirrelmail Team
 */
function ldapspecialchars($string) {
    $sanitized=array('\\' => '\5c',
                     '*' => '\2a',
                     '(' => '\28',
                     ')' => '\29',
                     "\x00" => '\00');

    return str_replace(array_keys($sanitized),array_values($sanitized),$string);
}