[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: About userSMIMECertificate&userPKCS12 attributes

To: ZhangPu <zhang@fjh.fujitsu.com>
Subject: Re: About userSMIMECertificate&userPKCS12 attributes
From: Michael Ströder <michael@stroeder.com>
Date: Fri, 30 Jul 2004 11:26:26 +0200
Cc: OpenLDAP-Software <openldap-software@OpenLDAP.org>
In-reply-to: <20040730175702.E8C4.ZHANG@fjh.fujitsu.com>
References: <20040730162601.E8C1.ZHANG@fjh.fujitsu.com> <410A0A61.5050707@stroeder.com> <20040730175702.E8C4.ZHANG@fjh.fujitsu.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040616

ZhangPu wrote:

On Fri, 30 Jul 2004 10:44:17 +0200
Michael Stroder <michael@stroeder.com> wrote:
ZhangPu wrote:
>
> They have SYNTAX that it is "BINARY", so I assume maybe these two
> attributes are handled by a different processing to "jpegphoto" or
> "audio".
Yes. But this is only relevant for matching rules and syntax validation.
In search results you will get back the binary data.
The search results what I meant is not final results, they are the values which be gotten after ldap_search_st() be down.

You will get the binary data since there's no other presentation for transferring them on the wire.

> In addition, does Kurt will correct RFC2798 document to restrict
> transferred method of "userSMIMECertificate" and "userPKCS12" to "::"
It seems you're mixing the LDIF text file representation of directory data and what you get back as a result of LDAP search operation.
No.

base64 and "::" is definitely LDIF-specific. There's no such thing in a LDAP search operation.

Because RFC2798 defined the transferring method of "userSMIMECertificate" and "userPKCS12" as ";binary", but OpenLDAP does not support it, I read some information from mailing list told me that kurt want to revise this RFC document.


This was another discussion on the ldap-bis (or ldap-ext?) mailing list.

Please re-read the thread on the mailing lists more carefully. Start to investigate what ;binary stands for. Furthermore try to understand the discussion and the proposals made therein. Use the mailing list's archive as I won't repeat this here.

Despite what RFC2798 says (it's just an informational document), userSMIMECertificate should not be transferred in ;binary mode and should be revised (as discussed on the IETF LDAPext mailing list).

Simply request these attributes by their name without ;binary. This should work with almost every server. To be interoperable with all LDAP server implementations out there you should make it configurable in your LDAP client whether to append ;binary or not.

Ciao, Michael.

References:
- About userSMIMECertificate&userPKCS12 attributes
  - From: ZhangPu <zhang@fjh.fujitsu.com>
- Re: About userSMIMECertificate&userPKCS12 attributes
  - From: Michael Ströder <michael@stroeder.com>
- Re: About userSMIMECertificate&userPKCS12 attributes
  - From: ZhangPu <zhang@fjh.fujitsu.com>

Prev by Date: Re: OpenLDAP/Heimdal integration questions (sorry if OT)
Next by Date: Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
Index(es):
- Chronological
- Thread