Re: openldapaci versus userCertificate;binary
At 03:05 AM 8/5/2004, Harald Jung wrote:
>In the current releases I am not able to set an attribute list including
>attributes like cACertificate;binary or userCertificate;binary for example.
>Leaving the ;binary type away in the openldapaci attribute list has the
>effect that the requested attribute names won't match together.
>Otherwise the ';' hurts the openldapaci syntax and the whole aci definition
>Is there a solution/fix to the problem which comes with this scenario?
A workaround might be to use 'userCertificate' instead of
'userCertificate;binary' in the ACI. (The transfer encoding
should be irrelevant to the authorization decision.) This
is a bigger issue with tagging (subtyping) options such as
;lang-.... For these, I suggest restrictions targeted on
'name' should apply to either all subtypes of 'name', or
minimally attribute description (v. attribute type) subtypes
of 'name' (e.g., to 'name;lang-en-us' but not 'cn').
>My idea for a workaround is to patch the source code that the definition
>userCertificate:binary in the aci attribute list will match against
I'd rather have the openldapACI syntax be redesigned such that
goofy representations are not necessary. openldapACI is
experimental, hence we should not be too married to the
Feel free to produce a patch that 'fixes' this somehow for
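
Added example, not part of the original message and not OpenLDAP code: a sketch of the matching rule discussed in this thread, where the `;binary` transfer option is ignored for the authorization decision and an ACI entry for `name` covers attribute description subtypes such as `name;lang-en-us` but not attribute type subtypes such as `cn`. The function names are hypothetical, and options are compared by exact case-insensitive match (no language range matching).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Length of the next ';'-delimited token starting at s. */
static size_t tok_len(const char *s) { return strcspn(s, ";"); }

/* True if the option list of desc (everything after the type) contains opt. */
static bool has_option(const char *desc, const char *opt, size_t optlen)
{
    const char *p = desc + tok_len(desc);
    while (*p == ';') {
        p++;
        size_t n = tok_len(p);
        if (n == optlen && strncasecmp(p, opt, n) == 0)
            return true;
        p += n;
    }
    return false;
}

/* Hypothetical helper: does the ACI attribute `aci` cover the requested
 * attribute description `req`?  The attribute types must be equal
 * (case-insensitive), ";binary" is skipped on the ACI side and never
 * required on the request side, and every other option named in the ACI
 * must also be present in the request. */
bool aci_attr_covers(const char *aci, const char *req)
{
    size_t tl = tok_len(aci);
    if (tl != tok_len(req) || strncasecmp(aci, req, tl) != 0)
        return false;               /* different type, e.g. name vs cn */
    const char *p = aci + tl;
    while (*p == ';') {
        p++;
        size_t n = tok_len(p);
        bool is_binary = (n == 6 && strncasecmp(p, "binary", 6) == 0);
        if (!is_binary && !has_option(req, p, n))
            return false;           /* ACI is narrower than the request */
        p += n;
    }
    return true;
}

int main(void)
{
    printf("%d\n", aci_attr_covers("userCertificate", "userCertificate;binary"));
    printf("%d\n", aci_attr_covers("name", "cn"));
    return 0;
}
```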