RE: attribute length restrictions
Norbert,

Norbert Klasen wrote:
> Hi,
> it seems there is a mismatch between length restrictions for standard
> attribute types as specified in X.520v3 and LDAPv3:
>
> X.520, section 5.2.2
> commonName ATTRIBUTE	::=	{
> 	SUBTYPE OF		name
> 	WITH SYNTAX		DirectoryString {ub-common-name}
> 	ID			id-at-commonName }
>
> X.520, annex C
> ub-name			INTEGER	::=	32768
> ub-common-name	INTEGER	::=	64
>
> (Note: In X520_4thEditionDraftv5 ub-name now also is 64.)
>
>
> draft-ietf-ldapbis-user-schema-00, section 3.2.2
>     ( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch
>       SUBSTR caseIgnoreSubstringsMatch
>       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
>
> draft-ietf-ldapbis-user-schema-00, section 3.2.38
>     ( 2.5.4.3 NAME 'cn' SUP name )
>
> This would restrict commonName in X.500 to 64 characters, while it could
> hold up to 32768 characters in LDAP. Same for o and ou (and sn?). Has this
> deviation been made deliberately?

The upper bounds given in X.520 Annex C are suggestions only, though that
fact isn't widely appreciated. An X.500 implementation is free to use
whatever upper bounds it likes, so the mechanism in LDAP for specifying a
minimum upper bound doesn't produce an actual specification conflict for
servers implementing both X.500 and LDAP. Such a server can, for example,
allow commonName attribute values to contain up to 32768 characters without
violating the X.500 standards.

Regards,
Steven
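The two attribute type descriptions quoted above can be checked mechanically. The following is an added example, not code from either poster: a small regex-based parser (a subset of the RFC 4512 description grammar, assumed sufficient for these two entries) that resolves the SUP chain so that 'cn' inherits the {32768} bound from 'name', then compares a value's length against that LDAP bound and against the X.520 suggested ub-common-name of 64.

```python
import re

# Attribute type descriptions as quoted in the thread (draft-ietf-ldapbis-user-schema-00).
SCHEMA_TEXT = """
( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
( 2.5.4.3 NAME 'cn' SUP name )
"""

# X.520 Annex C suggested upper bound for commonName (a suggestion, not a hard limit).
X520_UB_COMMON_NAME = 64

# Hypothetical minimal grammar: enough for the descriptions above, not full RFC 4512.
ATTR_RE = re.compile(r"\(\s*(?P<oid>[\d.]+)(?P<body>.*?)\)", re.S)
NAME_RE = re.compile(r"NAME\s+'([^']+)'")
SUP_RE = re.compile(r"\bSUP\s+(\S+)")
SYNTAX_RE = re.compile(r"SYNTAX\s+(?P<oid>[\d.]+)(?:\{(?P<ub>\d+)\})?")

def parse_schema(text):
    """Return {name: {'oid', 'sup', 'syntax', 'ub'}} for each attribute type description."""
    schema = {}
    for m in ATTR_RE.finditer(text):
        body = m.group("body")
        name = NAME_RE.search(body).group(1)
        sup = SUP_RE.search(body)
        syn = SYNTAX_RE.search(body)
        schema[name] = {
            "oid": m.group("oid"),
            "sup": sup.group(1) if sup else None,
            "syntax": syn.group("oid") if syn else None,
            "ub": int(syn.group("ub")) if syn and syn.group("ub") else None,
        }
    return schema

def effective_bound(schema, name):
    """Walk the SUP chain until a SYNTAX with a {len} bound is found; None if none declared."""
    seen = set()
    while name is not None and name not in seen:
        seen.add(name)
        entry = schema[name]
        if entry["ub"] is not None:
            return entry["ub"]
        name = entry["sup"]
    return None

def bounds_report(schema, name, value):
    """Does the value fit the LDAP bound, and does it fit the X.520 suggested bound?"""
    ldap_ub = effective_bound(schema, name)
    return {
        "ldap_ok": ldap_ub is None or len(value) <= ldap_ub,
        "x520_suggested_ok": len(value) <= X520_UB_COMMON_NAME,
    }
```

A server enforcing the LDAP bound accepts a 100-character cn that exceeds the X.520 suggestion, which is exactly the deviation the thread discusses; a value beyond 32768 characters should be rejected.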