[Date Prev][Date Next] [Chronological] [Thread] [Top]

Attribute aliases

To: <openldap-devel@OpenLDAP.org>
Subject: Attribute aliases
From: "Paul Makepeace" <Paul.Makepeace@realprogrammers.com>
Date: Thu, 15 Apr 1999 03:04:19 -0500

I would like to investigate what's involved in enabling OpenLDAP to allow
attributes to have aliases, i.e. enable an attribute to have more than one
name.

The motivation is two-fold: first, if I understand it correctly, it's a
feature of LDAPv3, and second, more practically, it's a key feature in our
server functional requirements. The reason for this is to enable X.509
certificates to be stored in the directory and retrieved by clients who ask
by different attributes. For example, both userCertificate and
userCertificate;binary are requested by Eudora, Messenger, etc (I don't know
which asks for what; will do soon) when the user's certificate is needed.

Being able to store X.509 certificates (and retrieve them!) enables secure
email either through signing or encryption using S/MIME, all sorts of PKI
issues (RFC2527-8) and web authentication. This is a big deal for us at the
moment and the one major stumbling block with deploying OpenLDAP.

There seem to be a number of ways of fulfilling this requirement for
attribute aliasing (and thanks to Kurt for suggestions here). If, for
example, it just comes down to userCertificate v. userCertifcate;binary I
can do an internal, unreleased patch to ignore that or all subtypes while a
better solution is engineered. On the other end of the effort scale, the
full blown version is (I presume) to have OpenLDAP use Object Identifiers
(OIDs) rather than attribute names in the look up and provide some mechanism
for mapping multiple attribute names to OIDs. This, I suspect, is probably
quite a lot of work but clearly where OpenLDAP is headed anyway (fair to
say?).

I would be very grateful for any feedback folks might have including those
who've had exposure to CA/PKI/directory coupling. I would also be extremely
appreciative of hints on where to even start looking in the source, (e.g.
adding oid spec to the .conf parser, attribute resolution, etc).

Many thanks, Paul.

--
Paul.Makepeace@realprogrammers.com ;
Thus spake the Master Programmer:
  "Let the programmers be many and the managers few --
    then all will
      be productive." (http://misspiggy.gsfc.nasa.gov/tao.html)

Follow-Ups:
- Re: Attribute aliases
  - From: John Kristian <kristian@netscape.com>
- Re: Attribute aliases
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Charset translations: Request for comments
Next by Date: Re: Charset translations: Request for comments
Index(es):
- Chronological
- Thread