
Re: proxyAuthz value encoding

We have a proxyOld.c module that we bundle with Connexitor that handles part of the problem. It dynamically adds a new control handler that recognizes the obsolete OID and parses its values, then does the usual slap_sasl_authorized validation. I don't think supporting this obsolete spec in the mainline code is a good idea.

Pierangelo Masarati wrote:
Apparently, there are DSA implementations out there (SunONE) that require
the proxyAuthz control value to be BER encoded, as dictated in earlier
versions of draft-weltman-ldapv3-proxy.  Most of the story is clearly
described here
<http://www.codecomments.com/archive408-2005-4-460507.html>.

A (sanitized) berdump of the same request with Sun's and OpenLDAP's tools
follows; no need to mention that SunONE appears to only accept Sun's
encoding.

I have a precise customer's request that OpenLDAP's slapd be able to use
the proxyAuthz control with some version of SunONE that is affected by
this problem.  Would a configure option to back-ldap that allows using
that encoding in identity assertion be acceptable?  What about a similar
switch for OpenLDAP tools?

p.

# Sun
...
0080  72 31 03 04 01 46 a0 55  30 53 04 18 32 2e 31 36   r1...F?U 0S..2.16
0090  2e 38 34 30 2e 31 2e 31  31 33 37 33 30 2e 33 2e   .840.1.1 13730.3.
00a0  34 2e 31 38 01 01 ff 04  34 04 32 64 6e 3a 75 69   4.18..ÿ. 4.2dn:ui
00b0  64 3d 78 78 78 78 78 78  78 78 78 78 78 78 78 78   d=xxxxxx xxxxxxxx
00c0  78 78 78 78 78 78 78 78  78 78 78 78 78 78 78 78   xxxxxxxx xxxxxxxx
00d0  78 78 78 78 78 78 78 78  78 78 78 78 78            xxxxxxxx xxxxx

# OpenLDAP
...
0080  72 31 03 04 01 46 a0 53  30 51 04 18 32 2e 31 36   r1...F?S 0Q..2.16
0090  2e 38 34 30 2e 31 2e 31  31 33 37 33 30 2e 33 2e   .840.1.1 13730.3.
00a0  34 2e 31 38 01 01 ff 04  32 64 6e 3a 75 69 64 3d   4.18..ÿ. 2dn:uid=
00b0  78 78 78 78 78 78 78 78  78 78 78 78 78 78 78 78   xxxxxxxx xxxxxxxx
00c0  78 78 78 78 78 78 78 78  78 78 78 78 78 78 78 78   xxxxxxxx xxxxxxxx
00d0  78 78 78 78 78 78 78 78  78 78 78                  xxxxxxxx xxx

Ing. Pierangelo Masarati Responsabile Open Solution OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309 Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------

--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/
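The two berdumps above differ only in whether the authzId is wrapped in an extra OCTET STRING inside controlValue. The following is an added example, not code from either message or from OpenLDAP/slapd: it rebuilds the proxyAuthz Control in both encodings (so the bytes can be compared with the dumps) and classifies a received controlValue the way a tolerant server side would need to. The sample authzId is constructed to have the same shape and length as the sanitized one in the dumps.

```python
# Added example: proxyAuthz (2.16.840.1.113730.3.4.18) controlValue encodings.
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"

def ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def octet_string(data: bytes) -> bytes:
    return b"\x04" + ber_len(len(data)) + data

def proxy_authz_control(authzid: bytes, legacy_ber: bool = False) -> bytes:
    """Control ::= SEQUENCE { controlType, criticality TRUE, controlValue }.
    RFC 4370 puts the raw authzId in controlValue (the OpenLDAP dump);
    the obsolete draft-weltman form wraps it in one more OCTET STRING
    first (the Sun dump: 04 34 04 32 'dn:uid=...')."""
    value = octet_string(authzid) if legacy_ber else authzid
    body = (octet_string(PROXY_AUTHZ_OID.encode("ascii"))
            + b"\x01\x01\xff"                # criticality BOOLEAN TRUE
            + octet_string(value))
    return b"\x30" + ber_len(len(body)) + body

def read_ber_len(buf: bytes, pos: int) -> tuple[int, int]:
    """Return (length, offset after the length octets); raise on truncation."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0 or pos + 1 + count > len(buf):
        raise ValueError("bad BER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count

def classify_value(value: bytes) -> tuple[str, bytes]:
    """Return ('legacy-ber' | 'rfc4370', authzId) for a received controlValue.
    A real RFC 4370 authzId is empty or starts with 'dn:' / 'u:', never with
    0x04, so an OCTET STRING tag whose length covers the remainder exactly is
    the legacy wrapping; anything else is taken as the raw form."""
    if value[:1] == b"\x04":
        try:
            length, start = read_ber_len(value, 1)
        except (ValueError, IndexError):
            return "rfc4370", value
        if start + length == len(value):
            return "legacy-ber", value[start:]
    return "rfc4370", value

if __name__ == "__main__":
    authzid = b"dn:uid=" + b"x" * 43        # constructed; same length as the dumps
    for legacy in (False, True):
        print(("Sun" if legacy else "OpenLDAP"), proxy_authz_control(authzid, legacy).hex(" "))
```

Running it prints the Control SEQUENCE starting at `30 53` (Sun form) and `30 51` (OpenLDAP form), matching the dumps above from that point on.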