Re: (ITS#4100) userCertificate vs. userCertificate;binary when deleting attribute
At 03:20 PM 11/3/2005, michael@stroeder.com wrote:
>Kurt D. Zeilenga wrote:
>> As the server certainly MUST return the attribute as
>> userCertificate;binary, no schema knowledge is actually
>> required to know ;binary must appear to delete it.
>
>This is not what my OpenLDAP RE23 installation is doing even when
>requesting userCertificate;binary.
>
>dn: cn=Michael [..]
>objectClass: inetOrgPerson
>[..]
>userCertificate:: MIIEWzCCA [..]
See the output of test021. Every userCertificate has ;binary on it.
>Hmm, this entry is very old but was reimported through slapd from a LDIF
>file which contains userCertificate. Every time I slapcat it the LDIF
>output contains userCertificate. No ;binary seen in LDAP results.
slapcat just reports what's there. However, slapadd input should
be pristine. If not, well, then it would be garbage in, garbage
out. slapadd, I would think, would catch a missing ;binary,
but, if not, that could be considered a bug in itself.
Anyways, modifying test021 to try to add a value of
userCertificate without ;binary (via LDAP) does yield the
expected error.
>Off-topic: Which ones?
certificate, certificate list, certificate pair, and
supported algorithm.
>But it still fails on userCertificate;binary with "no such attribute".
>Please re-read the ITS entry I filed.
Re-read my response. I couldn't duplicate that behavior
using test021.
However, if the server actually holds 'userCertificate'
garbage, it's likely that 'userCertificate;binary' won't
match it. The bug would be in allowing the garbage in,
not the failure to match it.
Kurt
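
An added example, not part of the original message or of OpenLDAP: a pre-import check for the "garbage in, garbage out" case above, which scans LDIF (entries and modify records) for attribute types of the four syntaxes named in the message that appear without ;binary. The attribute-type list is taken from RFC 4523; the function names and the sample LDIF are constructed for illustration.

```python
import re
# Attribute types with the certificate, certificate list, certificate pair and
# supported algorithm syntaxes (RFC 4523); each must carry the ;binary option.
BINARY_REQUIRED = {"usercertificate", "cacertificate", "certificaterevocationlist",
                   "authorityrevocationlist", "deltarevocationlist",
                   "crosscertificatepair", "supportedalgorithms"}
MOD_OPS = {"add", "delete", "replace"}  # change-record lines that name an attribute
LINE = re.compile(r"([A-Za-z0-9.;-]+):[:<]? *(.*)$")  # "attr: v", "attr:: b64", "attr:< url"

def unfold(text):
    """Return [line_number, logical_line] pairs with LDIF continuation lines joined."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.startswith(" ") and out:
            out[-1][1] += raw[1:]
        else:
            out.append([n, raw])
    return out

def missing_binary(ldif_text):
    """Return (line, dn, attribute description) for each use lacking ;binary."""
    findings, dn = [], None
    for n, line in unfold(ldif_text):
        m = LINE.match(line)
        if not m:  # blank lines, comments and "-" separators
            continue
        key, value = m.group(1), m.group(2)
        if key.lower() == "dn":
            dn = value
        # In a modify record the attribute description is the value of add/delete/replace.
        desc = value.strip() if key.lower() in MOD_OPS else key
        base, *options = desc.lower().split(";")
        if base in BINARY_REQUIRED and "binary" not in options:
            findings.append((n, dn, desc))
    return findings

# Constructed sample: a bare entry value, a correct entry, and a bare delete.
SAMPLE = """\
dn: cn=Example User,dc=example,dc=com
userCertificate:: MIIBconstructed
 continuation

dn: cn=Other User,dc=example,dc=com
userCertificate;binary:: MIIBconstructed

dn: cn=Example User,dc=example,dc=com
changetype: modify
delete: userCertificate
-
"""
```

Running `missing_binary()` over an LDIF file before handing it to slapadd flags the lines to fix; an empty list means every certificate-syntax attribute is named with ;binary.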