Re: LDIF, userCertificate; and missing "binary" option

Erwann ABALEA wrote:
> Hoping it's the right list to ask for it.
> I'm facing a "cross-recommendations" problem. Here it is.
> I'm downloading an LDIF containing some inetOrgPerson and
> cRLDistributionPoint entries, in order to have a replication site to
> develop on.
> Those entries have userCertificate or certificateRevocationList, but
> not stored with the "binary" option (only the "::" indicating it's
> Base64-encoded).
> When trying to import this file with ldapadd on my directory, it failed,
> telling me that those attributes need to be transferred with the binary
> option. Right. I'm searching RFCs 2252 and 2256 (and their replacement
> as well), and find that effectively, those attributes *MUST* be
> transferred as binary ones.
> I told the directory maintainer that the LDIF wasn't correct according
> to these RFCs, and he replied that it was correct regarding RFC2849,
> which is the only one defining the LDIF format.
> Finally, that's right. And this RFC doesn't say anything about
> certificates or binary option. And I can't find an obvious link between
> RFC2849 and RFC2252/2256.

RFC 2849 (LDIF) describes just a text representation format for entry
records or change records. RFC 2252-2256 described the LDAP protocol
level. BTW: Today RFC 4510 ff. are relevant for the protocol.

> I know I can just do a 'sed
> s/userCertificate::/userCertificate;binary::/' of the file,

If the producer of the data is not willing to fix it, then just do it.

Ciao, Michael.
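
An added example, not part of either poster's message: a Python filter that does the rewrite the sed one-liner aims at, but also covers mixed-case names, descriptions that already carry ";binary", the "<" URL form, and change-record lines such as "replace: certificateRevocationList". The function name, the attribute tuple and the sample LDIF are constructed for illustration.

```python
import re

# Attributes the thread names as needing the ";binary" transfer option.
BINARY_ATTRS = ("userCertificate", "certificateRevocationList")
OPTS = r"((?:;[A-Za-z0-9-]+)*)"  # zero or more ";option" suffixes

def add_binary_option(ldif_text, attrs=BINARY_ATTRS):
    """Add ';binary' to the named attribute descriptions; idempotent.
    Assumes attribute names are not folded across lines."""
    names = "|".join(re.escape(a) for a in attrs)
    # Value lines: "<attr>[;opts]:" then a plain, "::" base64 or ":<" URL value.
    value_re = re.compile(r"^(%s)%s(:.*)$" % (names, OPTS), re.I)
    # Change-record lines: "add: <attr>", "replace: <attr>", "delete: <attr>".
    change_re = re.compile(r"^(add|replace|delete):( *)(%s)%s *$" % (names, OPTS), re.I)

    def with_binary(name, options):
        present = [o.lower() for o in options.split(";") if o]
        return name + options + ("" if "binary" in present else ";binary")

    out = []
    for line in ldif_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        m = value_re.match(body)
        if m:
            body = with_binary(m.group(1), m.group(2)) + m.group(3)
        else:
            m = change_re.match(body)
            if m:
                body = m.group(1) + ":" + m.group(2) + with_binary(m.group(3), m.group(4))
        out.append(body + eol)  # continuation lines (leading space) pass through
    return "".join(out)

# Constructed sample input; the base64 strings are placeholders, not real DER.
SAMPLE = (
    "dn: cn=Test User,dc=example,dc=org\n"
    "objectClass: inetOrgPerson\n"
    "usercertificate:: MIIBconstructedAAAA\n"
    " BBBBnotARealCertificate==\n"
    "userCertificate;binary:: MIIBalreadyTagged==\n"
    "\n"
    "dn: cn=CRL1,dc=example,dc=org\n"
    "changetype: modify\n"
    "replace: certificateRevocationList\n"
    "certificateRevocationList:< file:///tmp/constructed.crl\n"
    "-\n"
)

if __name__ == "__main__":
    print(add_binary_option(SAMPLE), end="")
```
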