Re: Using Arbitrary X509 certificates for LDAPS authentication

[Howard Chu <hyc@symas.com>]

Michael Ströder wrote:
> Howard Chu wrote:
> > Stephen Cartwright wrote:
> > > I looked into this and I don't understand :( Would you please clarify
> > > why a DN such as "/C=CA/O=Grid/CN=host/somehost.somedomain.ca" is
> > > broken? You said "somehost.somedomain.ca" is not a valid RDN because
> > > it just has a value and not a type, however the RDN is not just
> > > "somehost.somedomain.ca" but "CN=host/somehost.somedomain.ca" which
> > > has a type of "CN" and a value of "host/somehost.somedomain.ca" does
> > > it not?
> >
> > That wasn't clear to me from the output you posted before. Since you
> > were posting a DN that uses '/' as its RDN separator, the software that
> > generated this log output should have escaped the '/' in the attribute
> > value if that was really the situation. E.g., it should have looked like
> > /CN=host%2Fsomehost.somedomain.ca.
>
> Using top-down-order and / as separator is the standard behaviour of OpenSSL.
> :-/

Right, there's nothing wrong with that, it's a well-established practice with 
a long history. But what's wrong is that when you use '/' as a separator, then 
you must escape it when it appears in a value.

> One can also display subject and issuer names in certs with
>
> openssl x509 -nameopt rfc2253

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/