Re: Implementing a matching rule for binary (ie: 1.3.6.1.4.1.1466.115.121.1.5)
On Feb 20, 2009, at 6:11 PM, Stef wrote:
> I'm working on using openldap to store certificate requests (ie: PKCS#10
> and SPKAC).
> I thought I'd use the binary syntax '1.3.6.1.4.1.1466.115.121.1.5' for
> my custom attribute.

Why? This syntax should be avoided. It was dropped with revised LDAP
specifications (RFC 4510) for good reason. Any uses of it will suffer
significant interoperability problems.

If all you want is to store certificate requests in the directory as
octet strings, matched by octet string matching, then use OCTET STRING
and octetStringMatch.

If what you want is matching based upon the request abstract value,
then you will need to define a new syntax whose LDAP string syntax is
the BER/DER encoding of the request (don't use ;binary) and then
implement an equality rule for that syntax.

> However there doesn't seem to be an equality
> matching rule for that syntax.

Equality mapping for the ASN.1 open data type? The underlying ASN.1
data type for the binary syntax is (depending on how you read the
obsoleted specification) an ANY.

> I could implement one, but would such a contribution be accepted by
> the openldap project?

It's not implemented for a reason.

> I've looked around online, but I can't seem to find an
> OID for such a matching rule declared anywhere.
> Am I barking up the wrong tree?

You are at least barking in the wrong direction.
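
The two options in the reply above (octet-string matching versus matching on the abstract value) behave differently once the same value arrives in two encodings. The following is an added example, not part of the original message and not OpenLDAP code; the function names and the sample bytes are constructed for illustration, and the "abstract value" rule here only canonicalizes BER lengths, a stand-in for a full equality rule.

```python
def read_tlv(buf, pos):
    """Parse one BER TLV at pos; return (tag, constructed, content, next_pos)."""
    start, first = pos, buf[pos]
    pos += 1
    if first & 0x1F == 0x1F:              # high-tag-number form: skip continuation octets
        while buf[pos] & 0x80:
            pos += 1
        pos += 1
    tag = buf[start:pos]
    length = buf[pos]
    pos += 1
    if length == 0x80:
        raise ValueError("indefinite length is not handled in this sketch")
    if length & 0x80:                     # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, bool(first & 0x20), buf[pos:pos + length], pos + length

def der_length(n):
    """Encode a length in the minimal definite form that DER requires."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def normalize(buf):
    """Re-encode every TLV length minimally, recursing into constructed values."""
    out, pos = bytearray(), 0
    while pos < len(buf):
        tag, constructed, content, pos = read_tlv(buf, pos)
        if constructed:
            content = normalize(content)
        out += tag + der_length(len(content)) + content
    return bytes(out)

def octet_string_match(a, b):
    """Byte-for-byte comparison, as octetStringMatch does."""
    return a == b

def abstract_value_match(a, b):
    """Hypothetical rule: compare after canonicalizing the encoding."""
    return normalize(a) == normalize(b)

# Constructed sample: SEQUENCE { INTEGER 0, UTF8String "stef" }
DER = bytes.fromhex("30090201000c0473746566")       # minimal lengths
BER = bytes.fromhex("30810a0201000c810473746566")   # same value, long-form lengths
```

With these inputs the byte-wise rule treats the two encodings as different entries while the value-based rule treats them as equal, which is why a store that relies on octetStringMatch needs requests written in one canonical (DER) form.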