Re: OpenLDAP 2.0.1, netscape and userSMIMEcertificate



At 07:15 PM 9/13/00 +0200, Karsten Künne wrote:
>The next problem

I missed this part...

>was to read back the certificate from the server with
>netscape. Netscape always asks for the attribute "userSMIMEcertificate;binary"

This is fine.  It's asking for the binary transfer of
the userSMIMEcertificate.

>which obviously doesn't exist because the attribute's name is
>"userSMIMEcertificate" and "binary" is just the encoding.

Don't confuse syntax with transfer means.  "x;binary" means
transfer the BER encoding of the value per the syntax.  For
x being INTEGER, this means to transfer as a BER encoded
INTEGER instead of a string representation of the INTEGER.
If x is an ASN.1 Certificate, then this means to transfer
the certificate using the BER encoded value instead of
the (defunct) string representation.  What's a bit confusing
in this case is that x is an ASN.1 Binary syntax and hence
its value is transferred BER encoded regardless of whether
";binary" is specified or not.  (I'm not sure why inetOrgPerson
says to use ";binary" here, but it does.  Hopefully no other
application is expecting to ask for some other attribute y
of binary syntax and expects "y" not "y;binary".  We'll see.)

Anyways, I digress.

>This time I
>would blame netscape for being wrong

Netscape, in this case, is doing what RFC 2798 says to do.

>but I had to find a solution.
>In order to make netscape happy I added a small hack to search.c
>which simply strips the ";binary" qualifier from the attribute name. This is
>the patch:

This isn't the right fix...  this should already be handled
in result.c.  I'll take a look at this.  Any proper fix for
this is not likely to make 2.0.2... sorry.

Kurt
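
The distinction drawn in the message above, as an added example that is not part of the original message and is not OpenLDAP's code: a request for "userSMIMEcertificate;binary" names the attribute type plus a transfer option, so a lookup compares the base type only while recording that ";binary" was asked for. The struct and function names are hypothetical; the option rules used (letters, digits and hyphen, compared case-insensitively) are those of LDAPv3 attribute descriptions.

```c
#include <ctype.h>
#include <string.h>

struct attr_desc {
    size_t type_len;  /* length of the base attribute type */
    int binary;       /* 1 if the ";binary" transfer option is present */
};

/* Case-insensitive comparison of the first n bytes of a and b. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Split "type[;option]*"; returns 0 on success, -1 if malformed. */
int parse_attr_desc(const char *desc, struct attr_desc *out)
{
    const char *p = strchr(desc, ';');
    out->type_len = p ? (size_t)(p - desc) : strlen(desc);
    out->binary = 0;
    if (out->type_len == 0)
        return -1;
    while (p) {
        const char *opt = p + 1;
        size_t len = strcspn(opt, ";");
        if (len == 0)
            return -1;                /* empty option, e.g. "x;" */
        for (size_t i = 0; i < len; i++)
            if (!isalnum((unsigned char)opt[i]) && opt[i] != '-')
                return -1;            /* character not allowed in an option */
        if (len == 6 && ieq(opt, "binary", 6))
            out->binary = 1;
        p = opt[len] ? opt + len : NULL;
    }
    return 0;
}

/* 1 if the requested description names stored_type (base type only). */
int attr_desc_matches(const char *requested, const char *stored_type)
{
    struct attr_desc d;
    return parse_attr_desc(requested, &d) == 0 &&
           strlen(stored_type) == d.type_len &&
           ieq(requested, stored_type, d.type_len);
}
```

A caller would keep the description exactly as requested for the response and use `binary` only to decide how the value is transferred.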