
Re: ;binary again



At 09:08 AM 4/21/2005, Sassa wrote:
>I have seen a number of questions regarding transfer of binary attributes with ';binary' option. We are using X.509 Attribute Certificates. Our schema specifies
>
>1.3.6.1.4.1.1466.115.121.1.5 - Binary syntax

attributeCertificate would be a more appropriate syntax
for a value containing an X.509 attribute certificate.

>for attributeCertificateAttribute. slapadd fails to import LDIFs from the older openldap where ";binary" is present for all attributeCertificateAttributes - it complains that ";binary" option is not supported for this type. This is odd, and in my view does not conform to RFC2252 (see excerpt below).
>
>Is there a way to force openldap to accept ";binary" for specific attributes?

No.  slapd(8) accepts/requires use of ;binary on a per-syntax
basis.  The binary syntax defines an LDAP string encoding of
BER; use of ;binary is at best redundant and at worst
problematic.  The underlying ASN.1 data type for
the binary syntax can be viewed as a constrained OCTET
STRING, and implementations with this view will encode
an OCTET STRING for transfer when ;binary is selected
(instead of just transferring the contents of the
OCTET STRING).

You can certainly modify slapd to require ;binary for all
values of the binary syntax, but in doing so, you may
break other applications which assume values of their
attributes of the binary syntax are to be transferred
without ;binary.   See 'certificate' syntax for an
example.

However, I suggest you migrate to a modern specification
of attributeCertificateAttribute which, IIRC, uses the
attributeCertificate syntax (which doesn't require/expect
use of ;binary).

Kurt
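The two points in the reply above (what the "constrained OCTET STRING" view does to a value when ;binary is selected, and why an old LDIF tagged with ;binary needs rewriting before a newer slapd will import it) as an added, standalone Python example. This is not Kurt's or OpenLDAP's code. It assumes a minimal LDIF reader (attrval lines, base64 values, continuation folding; URL values are not handled), models the ;binary double-encoding as a BER OCTET STRING around the DER, uses a constructed SEQUENCE { INTEGER 1 } as a stand-in for a real attribute certificate, and by default only rewrites attributeCertificateAttribute, which is an assumption about which attributes your slapd rejects with ;binary.

```python
import base64
import re

# Constructed stand-in for a DER value: SEQUENCE { INTEGER 1 }. A real X.509
# attribute certificate is likewise an outer SEQUENCE (tag 0x30), the only
# property the checks below rely on.
FAKE_DER = bytes.fromhex("3003020101")


def ber_length(n):
    """BER definite-length octets (short or long form) for contents length n."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def read_tlv(buf):
    """Parse one definite-length BER TLV; return (tag, contents, rest)."""
    if len(buf) < 2:
        raise ValueError("truncated TLV")
    tag, first, pos = buf[0], buf[1], 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or len(buf) < pos + nbytes:
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if len(buf) < pos + length:
        raise ValueError("contents truncated")
    return tag, buf[pos:pos + length], buf[pos + length:]


def wrap_octet_string(der):
    """The extra layer an implementation taking the 'constrained OCTET STRING'
    view emits for ;binary: a BER OCTET STRING (tag 0x04) around the DER."""
    return b"\x04" + ber_length(len(der)) + der


def classify(value):
    """'der' if the value is exactly one SEQUENCE, 'wrapped' if it is exactly
    one OCTET STRING whose contents is such a SEQUENCE, else 'unknown'."""
    try:
        tag, contents, rest = read_tlv(value)
    except ValueError:
        return "unknown"
    if rest:
        return "unknown"
    if tag == 0x30:
        return "der"
    return "wrapped" if tag == 0x04 and classify(contents) == "der" else "unknown"


# LDIF attrval-spec: name, optional ;options, ':' (plain) or '::' (base64), value
LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.-]*)((?:;[A-Za-z0-9-]+)*):(:?)(.*)$")


def unfold(ldif_text):
    """Join LDIF continuation lines (leading single space) onto their line."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def strip_binary(ldif_text, attrs=("attributeCertificateAttribute",)):
    """Drop ;binary from the named attributes (assumption: only these need it
    removed) and peel an OCTET STRING wrapper off their values if present."""
    wanted = {a.lower() for a in attrs}
    out = []
    for line in unfold(ldif_text):
        m = LINE_RE.match(line)
        if not m or m.group(1).lower() not in wanted:
            out.append(line)
            continue
        name, opts, double_colon, val = m.groups()
        options = [o for o in opts.split(";") if o]
        if "binary" not in {o.lower() for o in options}:
            out.append(line)
            continue
        if not double_colon:
            raise ValueError(f"{name};binary must be base64 (::) in LDIF")
        raw = base64.b64decode(val.strip())
        if classify(raw) == "wrapped":
            _, raw, _ = read_tlv(raw)  # double-encoded: keep the contents only
        kept = "".join(";" + o for o in options if o.lower() != "binary")
        out.append(f"{name}{kept}:: {base64.b64encode(raw).decode('ascii')}")
    return "\n".join(out) + "\n"


# Constructed LDIF in the shape of an older export: ;binary, double-encoded,
# and folded across two lines.
_B64 = base64.b64encode(wrap_octet_string(FAKE_DER)).decode("ascii")
SAMPLE_LDIF = (
    "dn: cn=example,dc=example,dc=com\n"
    "objectClass: pmiUser\n"
    "attributeCertificateAttribute;binary:: " + _B64[:6] + "\n"
    " " + _B64[6:] + "\n"
)
```

Running `strip_binary` over an exported LDIF and handing the result to slapadd is the migration path; `classify` is the check worth keeping around, since it tells you whether an existing value is a bare certificate or was stored with the OCTET STRING layer the reply warns about, and the unwrap only fires in the latter case, so values that were already bare are merely relabelled.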