
RE: ;binary



At 08:30 AM 2002-02-25, Christopher Oliva wrote:
>So what is the correct behavior of an ldapv3 server when a client does a wildcard search for "all attributes"?

I assume you mean when the client provides an empty attributes
list or an attribute list which contains "*".  That is, the
client has failed to request userCertificate using ;binary
as indicated in the specification [RFC 2252,RFC 2256].

>Is the server supposed to include the userCertificate or omit it? In this case the client did not specify the binary transfer mechanism. So I guess the server should omit the attribute.

The behavior is undefined as the client was expected to request
the userCertificate attribute using ;binary.

>My argument here is that the current ldapv3 RFCs do not really say one way or another what should happen.

It doesn't need to.  The specification requires the client to
request the userCertificate attribute using ;binary.  If the
client fails this mandate, then the behavior it gets is undefined.

>Since there is no obvious reason to omit the certificate, an implementation may elect to include it.

There are obvious reasons to omit it and, IIRC, there are
implementations which do exactly this.  I would consider
such implementations as being conformant.

>If you accept that a current implementation might behave this way, then wouldn't changing the specs break interoperability?

Clients are expected to request the userCertificate attribute
using ;binary.   Clients which fail to follow the specification
will not interoperate with all compliant servers.

I do see a need for a general (not userCertificate specific)
clarification.  I will offer a suggestion separately.

Kurt
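As an added illustration of the behaviour discussed in the reply above (this is not code from the mailing list, from any LDAP server, or from the RFCs), the following Python models a conservative server's handling of the SearchRequest attribute list: userCertificate is returned only when the client asks for it as userCertificate;binary, and is omitted on a wildcard or option-less request, which the reply counts as conformant. It also includes a client-side check that flags requests a client should not be sending. The attribute-description parsing (type plus ";"-separated options, matched case-insensitively) follows the RFC 2251 grammar; the set of binary-required types, the sample entry and the certificate bytes are constructed for the example.

```python
# Attribute types whose values must be transferred with the ;binary
# option.  The thread's example is userCertificate; extend this set for
# the rest of the RFC 2256 certificate family as your schema requires
# (assumption for this example, not taken from the thread).
BINARY_REQUIRED = {"usercertificate"}

# Constructed sample entry.  The certificate value is a placeholder
# DER prefix, not a real certificate.
SAMPLE_ENTRY = {
    "cn": ["Example Person"],
    "userCertificate": [b"\x30\x82\x01\x00"],
}


def parse_attribute_description(desc):
    """Split an LDAPv3 attribute description such as 'userCertificate;binary'
    into (type, options).  Types and options compare case-insensitively."""
    parts = desc.strip().split(";")
    attr_type = parts[0].lower()
    options = frozenset(p.lower() for p in parts[1:] if p)
    return attr_type, options


def _index_entry(entry):
    """Map lowercased attribute type -> (stored attribute name, values)."""
    return {name.lower(): (name, values) for name, values in entry.items()}


def server_returns(requested, entry):
    """Attributes a conservative server sends back for `entry`.

    `requested` is the attribute list of the SearchRequest: an empty
    list, or a list containing "*", asks for all user attributes.
    A binary-required attribute is returned only when it is named
    explicitly with the ;binary option; a wildcard or an option-less
    request leaves it out, since the client did not ask for it the way
    the specification requires.
    """
    by_type = _index_entry(entry)
    result = {}
    wildcard = not requested or any(r.strip() == "*" for r in requested)
    if wildcard:
        # "*" covers the ordinary user attributes only.
        for attr_type, (name, values) in by_type.items():
            if attr_type not in BINARY_REQUIRED:
                result[name] = list(values)
    for desc in requested:
        attr_type, options = parse_attribute_description(desc)
        if attr_type == "*" or attr_type not in by_type:
            continue
        name, values = by_type[attr_type]
        if attr_type in BINARY_REQUIRED:
            if "binary" in options:
                # Returned under the description the client used, with
                # the option attached, as RFC 2252/2256 require.
                result[name + ";binary"] = list(values)
            # else: omitted; the client did not request it with ;binary
        else:
            result[name] = list(values)
    return result


def check_client_request(requested):
    """Client-side check: return the requested descriptions of
    binary-required types that lack ;binary.  Such requests get
    undefined results, so a client should fix them before sending."""
    problems = []
    for desc in requested:
        attr_type, options = parse_attribute_description(desc)
        if attr_type in BINARY_REQUIRED and "binary" not in options:
            problems.append(desc)
    return problems


if __name__ == "__main__":
    for req in ([], ["*"], ["userCertificate"], ["userCertificate;binary"],
                ["*", "userCertificate;binary"]):
        print(req, "->", server_returns(req, SAMPLE_ENTRY))
    print("client problems:", check_client_request(["cn", "userCertificate"]))
```

Running the script shows the point of the thread directly: a wildcard search returns `cn` but no certificate, an option-less `userCertificate` request returns nothing, and only `userCertificate;binary` (in any letter case) gets the value back, so a client that wants certificates from every compliant server has to ask with `;binary`.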