[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: SASL EXTERNAL

To: Howard Chu <hyc@highlandsun.com>
Subject: RE: SASL EXTERNAL
From: Norbert Klasen <norbert.klasen@daasi.de>
Date: Sun, 28 Apr 2002 20:41:07 +0200
Cc: openldap-devel@OpenLDAP.org
Content-disposition: inline
In-reply-to: <NMEFLNHODBAOPDKNNJALOEOECLAA.hyc@highlandsun.com>
References: <NMEFLNHODBAOPDKNNJALOEOECLAA.hyc@highlandsun.com>

--On Freitag, 26. April 2002 09:56 -0700 Howard Chu <hyc@highlandsun.com> wrote:

Please send me a copy of the full debug output, not just the TLS messages.
There should specifically be a call to ldap_dn2bv() with your
certificate's DN being logged in normalized LDAP format. Which version of
SASL library are you using?

TLS certificate verification: depth: 0, err: 0, subject:
/C=DE/ST=Baden-W\xFCrttemberg/L=T\xFCbingen/O=DAASI International
GmbH/CN=Norbert Klasen/Email=norbert.klasen@daasi.de, issuer:
/C=DE/O=DAASI
International GmbH/OU=DAASI CA/Email=ca@daasi.de

There are two issues with this certificate: - It includes an AVA with the pkcs emailAddress attribute, which is not defined in OpenLDAP's schema. This can be fixed easily. I suggest the following definition be added to core.schema: # RFC 2459 # -- Legacy attributes # #pkcs9email ATTRIBUTE ::= { # WITH SYNTAX PHGString, # ID emailAddress } # #PHGString ::= IA5String (SIZE(1..ub-emailaddress-length)) # #pkcs-9 OBJECT IDENTIFIER ::= # { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } # #emailAddress OBJECT IDENTIFIER ::= { pkcs-9 1 } # #ub-emailaddress-length INTEGER ::= 128

attributetype ( 1.2.840.113549.1.9.1
       NAME 'pkcs9email'
       DESC 'RFC2459: legacy attribute for email addresses in DNs'
       EQUALITY caseIgnoreIA5Match
       SUBSTR caseIgnoreIA5SubstringsMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

- Secondly it includes two AVAs tagged as TeletexString whose values contain Latin-1 characters. These surely fail the UTF8 validity check in LDAPDN_rewrite. It seems that all values are taken as being UTF8Strings. At least, the type field of ASN1_STRING *str in ldap_X509dn2bv is not being looked at.

--
Norbert Klasen, Dipl.-Inform.
DAASI International GmbH                 phone: +49 7071 29 70336
Wilhelmstr. 106                          fax:   +49 7071 29 5114
72074 Tübingen                           email: norbert.klasen@daasi.de
Germany                                  web:   http://www.daasi.de

Follow-Ups:
- RE: SASL EXTERNAL
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: Re: Follow-up: Re: Too many tokens?
Next by Date: RE: SASL EXTERNAL
Index(es):
- Chronological
- Thread