attribute length restrictions

It seems there is a mismatch between length restrictions for standard attribute types as specified in X.520v3 and LDAPv3:

X.520, section 5.2.2
commonName ATTRIBUTE	::=	{
	WITH SYNTAX		DirectoryString {ub-common-name}
	ID			id-at-commonName }

X.520, annex C
ub-name			INTEGER	::=	32768
ub-common-name	INTEGER	::=	64

(Note: In X520_4thEditionDraftv5 ub-name now also is 64.)

draft-ietf-ldapbis-user-schema-00, section 3.2.2
   ( NAME 'name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX{32768} )

draft-ietf-ldapbis-user-schema-00, section 3.2.38
   ( NAME 'cn' SUP name )

This would restrict commonName in X.500 to 64 characters, while it could hold up to 32768 characters in LDAP. Same for o and ou (and sn?). Has this deviation been made deliberately?

P.S.: Personally, I would like to use the larger limits because in Germany names for academic institutions easily exceed 64 characters. However, this would probably lead to problems in maintaining an identical data set on the FLDSA and standalone LDAP servers.

Norbert Klasen
DAASI International GmbH                 phone: +49 7071 2970336
Wilhelmstr. 106                          fax:   +49 7071 295114
72074 Tübingen                           email: norbert.klasen@daasi.de
Germany                                  web:   http://www.daasi.de
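
A check for the problem raised in the P.S., added here as an example and not part of the original message: it scans LDIF for cn, o and ou values that fit the LDAP {32768} bound but exceed the 64-character X.520 bound. The function names and sample entries are constructed, and the 64 limit for o and ou rests on the message's "Same for o and ou" rather than on a quoted definition.

```python
import base64

# cn=64 is ub-common-name as quoted from X.520 annex C; o and ou are set to 64
# on the message's statement that the same holds for them (assumption).
X520_UPPER_BOUNDS = {"cn": 64, "o": 64, "ou": 64}
LDAP_NAME_BOUND = 32768  # {32768} on 'name', which cn inherits via SUP name

def parse_ldif(text):
    """Parse a minimal LDIF subset: 'attr: v', 'attr:: base64', folded lines."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold, split entries
        entry = []
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):  # '::' marks a base64-encoded UTF-8 value
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            entry.append((attr.split(";")[0].lower(), value))  # drop options
        if entry:
            entries.append(entry)
    return entries

def over_x520_limit(entries):
    """Return (dn, attr, chars, limit) for values LDAP accepts but X.520 does not."""
    findings = []
    for entry in entries:
        dn = next((v for a, v in entry if a == "dn"), "<no dn>")
        for attr, value in entry:
            limit = X520_UPPER_BOUNDS.get(attr)
            # The bounds count characters, so measure the decoded string, not octets.
            if limit is not None and limit < len(value) <= LDAP_NAME_BOUND:
                findings.append((dn, attr, len(value), limit))
    return findings

def _b64(s):
    return base64.b64encode(s.encode("utf-8")).decode("ascii")

# Constructed sample data (fictional institution, not from the original message).
LONG_OU = ("Institut für Angewandte Informatik und Formale "
           "Beschreibungsverfahren der Beispiel-Universität Musterstadt")
SAMPLE_LDIF = ("dn: ou=iai,o=example\nou:: " + _b64(LONG_OU) + "\no: example\n\n"
               "dn: cn=umlauts,o=example\ncn:: " + _b64("ä" * 40) + "\n")  # 40 chars, 80 octets

if __name__ == "__main__":
    for dn, attr, chars, limit in over_x520_limit(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {attr} has {chars} characters, X.520 limit is {limit}")
```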