
;binary again



I have seen a number of questions regarding the transfer of binary attributes with the ';binary' option. We are using X.509 Attribute Certificates. Our schema specifies

1.3.6.1.4.1.1466.115.121.1.5 - Binary syntax

for attributeCertificateAttribute. slapadd fails to import LDIFs from the older OpenLDAP where ";binary" is present for all attributeCertificateAttributes - it complains that the ";binary" option is not supported for this type. This is odd, and in my view does not conform to RFC2252 (see excerpt below).

Is there a way to force OpenLDAP to accept ";binary" for specific attributes? Otherwise this means that either we have to switch to the older OpenLDAP, or change our software; neither of the options looks good.


Regards,

Sassa

ps:
I am using the OpenLDAP that comes with Fedora Core 3:

@(#) $OpenLDAP: slapd 2.2.13 (Aug 19 2004 21:22:15) $

root@porky.build.redhat.com:/usr/src/build/440386-i386/BUILD/openldap-2.2.13/openldap-2.2.13/build-servers/servers/slapd


RFC2252 piece prescribing the use of binary transfer:

4.3.1  Binary Transfer of Values

   This encoding format is used if the binary encoding is requested by
   the client for an attribute, or if the attribute syntax name is
   "1.3.6.1.4.1.1466.115.121.1.5".  The contents of the LDAP
   AttributeValue or AssertionValue field is a BER-encoded instance of
   the attribute value or a matching rule assertion value ASN.1 data
   type as defined for use with X.500. (The first byte inside the OCTET
   STRING wrapper is a tag octet.  However, the OCTET STRING is still
   encoded in primitive form.)

   All servers MUST implement this form for both generating attribute
   values in search responses, and parsing attribute values in add,
   compare and modify requests, if the attribute type is recognized and
   the attribute syntax name is that of Binary.  Clients which request
   that all attributes be returned from entries MUST be prepared to
   receive values in binary (e.g. userCertificate;binary), and SHOULD
   NOT simply display binary or unrecognized values to users.
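The following is an added example, not part of the post above and not OpenLDAP code. It shows the LDIF-side workaround the poster is weighing against switching software: rewrite the old export so that `attributeCertificateAttribute;binary` is emitted as plain `attributeCertificateAttribute`, after checking that each value is a base64 (`::`) value whose octets look like the BER-encoded structure RFC 2252 4.3.1 describes (a tag octet first, then a length that covers exactly the rest). It assumes the newer slapadd accepts the attribute once the option is gone, which is what the "option is not supported" complaint suggests; the sample entry and its value (a minimal DER SEQUENCE, not a real attribute certificate) are constructed.

```python
import base64

# Constructed sample input (not a real slapcat export).  The value is a
# minimal DER SEQUENCE { INTEGER 1, INTEGER 2 }, not an attribute
# certificate, and it is folded across two lines as LDIF exporters do.
SAMPLE_DER = bytes.fromhex("3006020101020102")
_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_LDIF = (
    "dn: cn=example,dc=example,dc=com\n"
    "objectClass: top\n"
    "cn: example\n"
    "attributeCertificateAttribute;binary:: " + _B64[:6] + "\n " + _B64[6:] + "\n"
)


def unfold(text):
    """Join LDIF continuation lines (a leading single space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def ber_outer(data, expected_tag=0x30):
    """Check that `data` is one complete BER/DER element with the expected outer tag.

    RFC 2252 4.3.1: a ;binary value is a BER-encoded instance of the ASN.1 type,
    so the first octet is a tag and the declared length must cover exactly the
    remaining octets.  X.509 attribute certificates are a SEQUENCE (tag 0x30).
    Returns the content length, or raises ValueError.
    """
    if len(data) < 2:
        raise ValueError("value too short to hold a BER tag and length")
    if data[0] != expected_tag:
        raise ValueError("outer tag 0x%02x, expected 0x%02x" % (data[0], expected_tag))
    first = data[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    elif first == 0x80:                   # indefinite form: legal BER, never DER
        raise ValueError("indefinite-length encoding is not acceptable for a certificate")
    else:                                 # long form: low 7 bits give the number of length octets
        n = first & 0x7F
        if n > 4 or len(data) < 2 + n:
            raise ValueError("malformed long-form length")
        length, header = int.from_bytes(data[2:2 + n], "big"), 2 + n
    if header + length != len(data):
        raise ValueError("declared length %d does not match %d content octets"
                         % (length, len(data) - header))
    return length


def looks_like_ber(data, expected_tag=0x30):
    """Boolean form of ber_outer() for callers that only want accept/reject."""
    try:
        ber_outer(data, expected_tag)
        return True
    except ValueError:
        return False


def strip_binary_option(ldif_text, attrs=("attributeCertificateAttribute",)):
    """Rewrite `attr;binary` lines as `attr` for each attribute in `attrs`.

    Each rewritten value must be base64 ('::') and pass ber_outer(); ';binary'
    on attributes not listed in `attrs` is left alone.  Returns
    (new_text, rewritten) where `rewritten` is a list of (dn, attribute) pairs.
    """
    wanted = {a.lower() for a in attrs}
    out, rewritten, dn = [], [], None
    for line in unfold(ldif_text):
        name, sep, value = line.partition(":")
        if sep and name.lower() == "dn":
            dn = value.strip()
        base, _, option = name.partition(";")
        if sep and option.lower() == "binary" and base.lower() in wanted:
            if not value.startswith(":"):
                raise ValueError("%s: %s;binary must be a base64 ('::') value" % (dn, base))
            der = base64.b64decode(value[1:].strip(), validate=True)
            ber_outer(der)
            line = "%s:: %s" % (base, base64.b64encode(der).decode())
            rewritten.append((dn, base))
        out.append(line)
    return "\n".join(out) + "\n", rewritten


if __name__ == "__main__":
    text, changed = strip_binary_option(SAMPLE_LDIF)
    print(text)
    print("rewritten:", changed)
```

Run it over a slapcat export and feed the result to the new slapadd; anything that fails the BER check is reported with its DN rather than silently rewritten, so a value that is not actually BER (which would also be rejected by the server's Binary-syntax validation) is caught before import.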