[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: About userSMIMECertificate&userPKCS12 attributes

ZhangPu wrote:
On Fri, 30 Jul 2004 10:44:17 +0200
Michael Stroder <michael@stroeder.com> wrote:

ZhangPu wrote:
> They have SYNTAX that it is "BINARY", so I assume maybe these two
> attributes are handled by a different processing to "jpegphoto" or
> "audio".

Yes. But this is only relevant for matching rules and syntax validation.

In search results you will get back the binary data.

The search results what I meant is not final results, they are the values which be gotten after ldap_search_st() be down.

You will get the binary data since there's no other presentation for transferring them on the wire.

> In addition, does Kurt will correct RFC2798 document to restrict
> transferred method of "userSMIMECertificate" and "userPKCS12" to "::"

It seems you're mixing the LDIF text file representation of directory data and what you get back as a result of LDAP search operation.


base64 and "::" is definitely LDIF-specific. There's no such thing in a LDAP search operation.

Because RFC2798 defined the transferring method of "userSMIMECertificate" and "userPKCS12" as ";binary", but OpenLDAP does not support it, I read some information from mailing list told me that kurt want to revise this RFC document.

This was another discussion on the ldap-bis (or ldap-ext?) mailing list.

Please re-read the thread on the mailing lists more carefully. Start to investigate what ;binary stands for. Furthermore try to understand the discussion and the proposals made therein. Use the mailing list's archive as I won't repeat this here.

Despite what RFC2798 says (it's just an informational document), userSMIMECertificate should not be transferred in ;binary mode
and should be revised (as discussed on the IETF LDAPext mailing

Simply request these attributes by their name without ;binary. This should work with almost every server. To be interoperable with all LDAP server implementations out there you should make it configurable in your LDAP client whether to append ;binary or not.

Ciao, Michael.