Re: openldapaci versus userCertificate;binary

At 03:05 AM 8/5/2004, Harald Jung wrote:
>Hello,
>
>In the current releases I am not able to set an attribute list including 
>attributes like cACertificate;binary or userCertificate;binary, for example.
>Leaving the ;binary type out of the openldapaci attribute list has the 
>effect that the requested attribute names won't match.
>Otherwise the ';' hurts the openldapaci syntax and the whole aci definition 
>doesn't work.
>
>Is there a solution/fix to the problem which comes with this scenario?

A workaround might be to use 'userCertificate' instead of
'userCertificate;binary' in the ACI.  (The transfer encoding
should be irrelevant to the authorization decision.)  This
is a bigger issue with tagging (subtyping) options such as
;lang-....  For these, I suggest restrictions targeted on
'name' should apply to either all subtypes of 'name', or
minimally attribute description (v. attribute type) subtypes
of 'name' (e.g., to 'name;lang-en-us' but not 'cn').

>My idea for a workaround is to patch the source code so that the definition 
>userCertificate:binary in the aci attribute list will match against 
>userCertificate;binary.

I would rather have the openldapACI syntax be redesigned such that
goofy representations are not necessary.  openldapACI is
experimental, hence we should not be too married to the
current syntax.

Feel free to produce a patch that 'fixes' this somehow for
consideration.

Kurt
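An added illustration of the matching rule suggested in the reply above (this is not OpenLDAP code and does not reflect the openldapACI implementation): ';binary' is dropped from both sides before comparison, and an ACI entry naming 'name' also governs attribute-description subtypes such as 'name;lang-en-us', while plain 'cn' is left alone. Only the narrower "attribute description subtype" variant is shown; schema-level subtyping (cn under name) would need the schema. Function names and the sample attribute lists are constructed for the example.

```python
# Added example: ACI attribute-list matching that ignores the ';binary'
# transfer option and treats tagging options as description subtypes.
# Not OpenLDAP code; names below are illustrative.

TRANSFER_OPTIONS = {"binary"}  # transfer encodings: irrelevant to authorization


def parse_attr_desc(desc):
    """Split 'userCertificate;binary' into ('usercertificate', {'binary'}).
    Attribute types and options are case-insensitive, so normalise to lower."""
    parts = [p.strip().lower() for p in desc.split(";")]
    return parts[0], {o for o in parts[1:] if o}


def aci_attr_matches(aci_attr, requested_attr):
    """True if an ACI list entry naming aci_attr should govern requested_attr.

    - ';binary' is ignored on both sides (transfer encoding, not semantics);
    - every tagging option present in the ACI entry must also be present in
      the request, so 'name' covers 'name;lang-en-us', but 'name;lang-en-us'
      does not cover a request for plain 'name';
    - the base attribute type must be identical ('name' never covers 'cn').
    """
    aci_type, aci_opts = parse_attr_desc(aci_attr)
    req_type, req_opts = parse_attr_desc(requested_attr)
    if aci_type != req_type:
        return False
    return (aci_opts - TRANSFER_OPTIONS) <= (req_opts - TRANSFER_OPTIONS)


def naive_matches(aci_attr, requested_attr):
    """Exact-string comparison, the behaviour the original post complains
    about: 'userCertificate' in the ACI never matches 'userCertificate;binary'."""
    return aci_attr.strip().lower() == requested_attr.strip().lower()


def attrs_covered(aci_attr_list, requested_attrs, matcher=aci_attr_matches):
    """Return the requested attributes that some ACI list entry governs."""
    return [r for r in requested_attrs
            if any(matcher(a, r) for a in aci_attr_list)]


if __name__ == "__main__":
    aci_list = ["userCertificate", "name"]          # constructed ACI attribute list
    wanted = ["userCertificate;binary", "cn", "name;lang-en-us"]
    print("naive:   ", attrs_covered(aci_list, wanted, naive_matches))
    print("proposed:", attrs_covered(aci_list, wanted))
```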