Re: SASL EXTERNAL with TLS Authentication
On Thursday 14 March 2002 16:13, Michael Ströder wrote:
| Karsten Künne wrote:
| > On Thursday 14 March 2002 12:40, Michael Ströder wrote:
| > | Karsten Künne wrote:
| > | > member: uid=/C=US/ST=New York/L=East Setauket/O=Renaissance
| > | > Technologies Corp.
| > | > /CN=Karsten Kuenne/Emailemail@example.com
| > |
| > | This violates the schema (besides other caveats with DIT etc.):
| > |
| > | attributetype ( 2.5.4.31 NAME 'member' SUP distinguishedName )
| > I know, but what do you do in 2.0.23 without saslregexp support? At least
| > OpenLDAP accepts it (and other invalid constructions for the member
| > attribute)
| It violates the schema and therefore will cause nothing but grief with
| e.g. other LDAP admin software.
I don't use much else besides ldapadd, ldapmodify and ldapdelete.
| The second thing is that this string representation (or at least the
| OpenSSL implementation) does not care about escaping special chars not to
| speak of string normalization for international chars. Basically it's a
| hack. That's why there is an explicit RFC2253 compliant string output of
| DNs in OpenSSL nowadays.
Yes, I agree, it's a hack.
| > which are also not really valid dn's like "member:
| > uid=kuenne+realm=RENTEC.COM"
| You mean uid=kuenne+realm=RENTEC.COM ? What's wrong with that?
It probably doesn't violate the syntax rules but it's an RDN, not a complete
DN. You won't find it in the tree. But it's necessary for SASL-GSSAPI (which
I mostly use, SASL-EXTERNAL was more of an experiment).
| Ciao, Michael.
"Things should be made as simple as possible, but not any simpler."
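The escaping problem raised above (OpenSSL's '/'-separated one-line subject versus an RFC 2253 string), as an added example that is not from this thread, OpenSSL or OpenLDAP: a Python converter that splits the one-line form, escapes the special characters RFC 2253 section 2.4 lists, and reverses the RDN order. The sample subject is constructed from the DN quoted in the thread, and the lookahead used to split on '/' is an assumed heuristic (a '/' inside a value is inherently ambiguous in the one-line format).

```python
"""Convert an OpenSSL one-line subject into an RFC 2253 string (added example)."""
import re

# Characters that RFC 2253 section 2.4 requires to be backslash-escaped
# anywhere inside an attribute value.
_SPECIAL = set(',+"\\<>;')


def escape_rfc2253(value):
    """Escape one attribute value per RFC 2253 section 2.4."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if (ch in _SPECIAL
                or (ch == '#' and i == 0)            # leading '#'
                or (ch == ' ' and i in (0, last))):  # leading/trailing space
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def parse_openssl_oneline(subject):
    """Split '/C=US/ST=New York/...' into (type, value) pairs.

    Heuristic (assumption): a '/' starts a new RDN only when it is followed
    by an attribute type and '='. The one-line format does not escape '/'
    inside values, so this cannot be made unambiguous in general.
    """
    if not subject.startswith('/'):
        raise ValueError("expected OpenSSL one-line subject starting with '/'")
    rdns = []
    for part in re.split(r'/(?=[A-Za-z][A-Za-z0-9.]*=)', subject[1:]):
        if '=' not in part:
            raise ValueError("unparsable RDN fragment: %r" % part)
        typ, _, val = part.partition('=')
        rdns.append((typ, val))
    return rdns


def to_rfc2253(subject):
    """RFC 2253 lists RDNs most-specific first, the reverse of OpenSSL order."""
    rdns = parse_openssl_oneline(subject)
    return ','.join('%s=%s' % (t, escape_rfc2253(v)) for t, v in reversed(rdns))


# Constructed sample, modelled on the DN quoted in the thread (email omitted).
SAMPLE = "/C=US/ST=New York/L=East Setauket/O=Renaissance Technologies Corp./CN=Karsten Kuenne"

if __name__ == "__main__":
    print(to_rfc2253(SAMPLE))
    print(to_rfc2253("/O=Foo/Bar, Ltd/CN=x"))  # comma gets escaped, '/' kept
```

The second sample shows why the one-line form is a poor key for authorization mapping: a comma inside a value must be escaped in the RFC 2253 string, and a slash inside a value can only be recovered by guessing.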