rfc2253 says we need to escape " and leading and trailing space.

plugins/sudoers/cvtsudoers_ldif.c

@@ -326,6 +326,7 @@ print_cmndspec_ldif(FILE *fp, struct cmndspec *cs, struct cmndspec **nextp, stru
 
 /*
  * Convert user name to cn, avoiding duplicates and quoting as needed.
+ * See http://www.faqs.org/rfcs/rfc2253.html
  */
 static char *
 user_to_cn(const char *user)
@@ -363,19 +364,23 @@ user_to_cn(const char *user)
     for (src = user, dst = cn; *src != '\0'; src++) {
 	switch (*src) {
 	case ',':
-	case '\\':
-	case '#':
 	case '+':
+	case '"':
+	case '\\':
 	case '<':
 	case '>':
+	case '#':
 	case ';':
-	    *dst++ = '\\';
+	    *dst++ = '\\';	/* always escape */
-	    *dst++ = *src;
+	    break;
+	case ' ':
+	    if (src == user || src[1] == '\0')
+		*dst++ = '\\';	/* only escape at beginning or end of string */
 	    break;
 	default:
-	    *dst++ = *src;
 	    break;
 	}
+	*dst++ = *src;
     }
     *dst = '\0';
 

plugins/sudoers/regress/sudoers/test2.ldif.ok

@@ -45,10 +45,10 @@ sudoRunAsUser: root
 sudoCommand: ALL
 sudoOrder: 2
 
-dn: cn=foo",ou=SUDOers,dc=sudo,dc=ws
+dn: cn=foo\",ou=SUDOers,dc=sudo,dc=ws
 objectClass: top
 objectClass: sudoRole
-cn: foo"
+cn: foo\"
 sudoUser: foo"
 sudoHost: hostc
 sudoRunAsUser: root
@@ -65,10 +65,10 @@ sudoRunAsUser: root
 sudoCommand: ALL
 sudoOrder: 4
 
-dn: cn=foo:bar",ou=SUDOers,dc=sudo,dc=ws
+dn: cn=foo:bar\",ou=SUDOers,dc=sudo,dc=ws
 objectClass: top
 objectClass: sudoRole
-cn: foo:bar"
+cn: foo:bar\"
 sudoUser: foo:bar"
 sudoHost: hoste
 sudoRunAsUser: root
@@ -115,10 +115,10 @@ sudoRunAsUser: root
 sudoCommand: ALL
 sudoOrder: 9
 
-dn: cn=%:C/non"UNIX"0 c,ou=SUDOers,dc=sudo,dc=ws
+dn: cn=%:C/non\"UNIX\"0 c,ou=SUDOers,dc=sudo,dc=ws
 objectClass: top
 objectClass: sudoRole
-cn: %:C/non"UNIX"0 c
+cn: %:C/non\"UNIX\"0 c
 sudoUser: %:C/non"UNIX"0 c
 sudoHost: hoste
 sudoRunAsUser: root