[Date Prev][Date Next]
Re: ;binary again
Kurt D. Zeilenga wrote:
At 09:08 AM 4/21/2005, Sassa wrote:
I have seen a number of questions regarding transfer of binary attributes with ';binary' option. We are using X.509 Attribute Certificates. Our schema specifies
184.108.40.206.4.1.14220.127.116.11.5 - Binary syntax
attributeCertificate would be a more appropriate syntax
for a value containing an X.509 attribute certificate.
I am forced to use Binary syntax. When I try
as defined in "Internet X.509 Public Key Infrastructure LDAP Schema and
Syntaxes for PMIs" <draft-ietf-pkix-ldap-pmi-schema-00.txt>, slapadd
fails (no syntax found, apparently).
What OID does OpenLDAP understand for attributeCertificateAttribute?
for attributeCertificateAttribute. slapadd fails to import LDIFs from the older openldap where ";binary" is present for all attributeCertificateAttributes - it complains that ";binary" option is not supported for this type. This is odd, and in my view does not conform to RFC2252 (see excerpt below).
Is there a way to force openldap to accept ";binary" for specific attributes?
No. slapd(8) accepts/requires use of ;binary on a per syntax
basis. The binary syntax defines an LDAP string encoding of
BER, use of ;binary is at best redundant and at worse
problematic. The underlying ASN.1 data type for
the binary syntax can be viewed as a constrained OCTET
STRING, and implementations with this view will encode
an OCTET STRING for transfer when ;binary is selected
(instead of just transferring the contents of the
I can't accept this explanation, because the RFC (which I quoted in the
last email) gives an example where a userCertificate is returned with
I won't paste the quote again. See RFC2252, section 4.3.1 Binary
Transfer of Values.
You can certainly modify slapd to require ;binary for all
values of the binary syntax, but in doing so, you may
break other applications which assume values of their
attributes of the binary syntax are to be transferred
without ;binary. See 'certificate' syntax for an
I don't want slapd to _require_ ;binary. I want it to accept ;binary, if
present. I can't see where in the LDAPv3 specs the use of ";binary" is
forbidden for specific syntaxes.
However, I suggest you migrate to a modern specification
of attributeCertificateAttribute which, IIRC, uses the
attributeCertificate (which doesn't require/expect
use of ;binary).
:-) The specifications that we are using haven't changed, as to my mind,
and they do not actually mandate that ";binary" _should_ be used - this
is up to LDAP to understand/require the suffix or not. And, as I said,
the standard syntax for the attribute certificates is not understood (by
any OpenLDAP implementation we tried through several years).
Now, this is clearly very annoying that LDAP v2 allowed use of
";binary", but understood the values without the suffix. The early
openldap LDAP v3 implementations _required_ the attributes that are
transmitted in binary, to have the suffix. And now you are saying that
we _can't_ use the suffix at all. Where's the truth? :-)