[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ;binary again

Kurt D. Zeilenga wrote:

At 09:08 AM 4/21/2005, Sassa wrote:

I have seen a number of questions regarding transfer of binary attributes with ';binary' option. We are using X.509 Attribute Certificates. Our schema specifies - Binary syntax

attributeCertificate would be a more appropriate syntax for a value containing an X.509 attribute certificate.

I am forced to use Binary syntax. When I try


as defined in "Internet X.509 Public Key Infrastructure LDAP Schema and Syntaxes for PMIs" <draft-ietf-pkix-ldap-pmi-schema-00.txt>, slapadd fails (no syntax found, apparently).

What OID does OpenLDAP understand for attributeCertificateAttribute?

for attributeCertificateAttribute. slapadd fails to import LDIFs from the older openldap where ";binary" is present for all attributeCertificateAttributes - it complains that ";binary" option is not supported for this type. This is odd, and in my view does not conform to RFC2252 (see excerpt below).

Is there a way to force openldap to accept ";binary" for specific attributes?

No. slapd(8) accepts/requires use of ;binary on a per syntax basis. The binary syntax defines an LDAP string encoding of BER, use of ;binary is at best redundant and at worse problematic. The underlying ASN.1 data type for the binary syntax can be viewed as a constrained OCTET STRING, and implementations with this view will encode an OCTET STRING for transfer when ;binary is selected (instead of just transferring the contents of the OCTET STRING).

I can't accept this explanation, because the RFC (which I quoted in the last email) gives an example where a userCertificate is returned with ";binary" suffix.

I won't paste the quote again. See RFC2252, section 4.3.1 Binary Transfer of Values.

You can certainly modify slapd to require ;binary for all
values of the binary syntax, but in doing so, you may
break other applications which assume values of their
attributes of the binary syntax are to be transferred
without ;binary.   See 'certificate' syntax for an

I don't want slapd to _require_ ;binary. I want it to accept ;binary, if present. I can't see where in the LDAPv3 specs the use of ";binary" is forbidden for specific syntaxes.

However, I suggest you migrate to a modern specification
of attributeCertificateAttribute which, IIRC, uses the
attributeCertificate (which doesn't require/expect
use of ;binary).

:-) The specifications that we are using haven't changed, as to my mind, and they do not actually mandate that ";binary" _should_ be used - this is up to LDAP to understand/require the suffix or not. And, as I said, the standard syntax for the attribute certificates is not understood (by any OpenLDAP implementation we tried through several years).

Now, this is clearly very annoying that LDAP v2 allowed use of ";binary", but understood the values without the suffix. The early openldap LDAP v3 implementations _required_ the attributes that are transmitted in binary, to have the suffix. And now you are saying that we _can't_ use the suffix at all. Where's the truth? :-)