[Date Prev][Date Next]
Re: About userSMIMECertificate&userPKCS12 attributes
On Fri, 30 Jul 2004 10:44:17 +0200
Michael Stroder <firstname.lastname@example.org> wrote:
> They have SYNTAX that it is "BINARY", so I assume maybe these two
> attributes are handled by a different processing to "jpegphoto" or
Yes. But this is only relevant for matching rules and syntax validation.
In search results you will get back the binary data.
The search results what I meant is not final results, they are the values
which be gotten after ldap_search_st() be down.
You will get the binary data since there's no other presentation for
transferring them on the wire.
> In addition, does Kurt will correct RFC2798 document to restrict
> transferred method of "userSMIMECertificate" and "userPKCS12" to "::"
It seems you're mixing the LDIF text file representation of directory data
and what you get back as a result of LDAP search operation.
base64 and "::" is definitely LDIF-specific. There's no such thing in a LDAP
Because RFC2798 defined the transferring method of "userSMIMECertificate"
and "userPKCS12" as ";binary", but OpenLDAP does not support it, I read some
information from mailing list told me that kurt want to revise this RFC document.
This was another discussion on the ldap-bis (or ldap-ext?) mailing list.
Please re-read the thread on the mailing lists more carefully. Start to
investigate what ;binary stands for. Furthermore try to understand the
discussion and the proposals made therein. Use the mailing list's archive as
I won't repeat this here.
Despite what RFC2798 says (it's just an informational document),
userSMIMECertificate should not be transferred in ;binary mode
and should be revised (as discussed on the IETF LDAPext mailing
Simply request these attributes by their name without ;binary. This should
work with almost every server. To be interoperable with all LDAP server
implementations out there you should make it configurable in your LDAP
client whether to append ;binary or not.