
Re: Certificate format in LDAP
At 01:02 PM 9/13/00 -0700, John Zhou wrote:
>Does anybody know in which format (binary or others) are the certificates
>stored in LDAP?

Depends on which version of LDAP.  In LDAPv2, each certificate
syntax, which is generally described by some ASN.1, had a textual
string representation.  However, due to certificate format
changes, the old textual string representations are useless.

LDAPv3 solved the problem associated with these syntaxes by
introducing the ";binary" option.  This option is used to
specify "binary transfer" of the value.  That is, a BER
encoded value is sent instead of the textual string.

OpenLDAP 1.2 implements LDAPv2, so it doesn't understand
";binary".  However, because of lax attribute checking,
"userCertificate;binary" is treated as a simple attribute type.
So, you can hack your schema to allow "userCertificate;binary"
instead of "userCertificate" and define "userCertificate;binary"
as 'bin'.  Or, you can stuff whatever you want in plain old
'userCertificate' (or both).  What you do here really depends
on what your clients expect.

OpenLDAP 2.0 implements LDAPv3, so it understands ";binary".
However, it only allows binary transfer of select syntaxes.
This includes various certificate syntaxes.  However, 2.0.1
and prior do not support ";binary" transfer of the 'binary'
syntax.  We view this as a bug, and it will be fixed in the next
release.  This primarily affects the S/MIME certificate attributes
defined by the inetOrgPerson technical specification (RFC 2798).
If you cannot wait, try OPENLDAP_REL_ENG_2 (available only
via anonymous CVS).

>Is there any email tool (Outlook or others) which can connect
>to an LDAP server and search for certificates and select the proper certificate
>to sign or encrypt the outgoing email? Any information will be highly
>appreciated.

That's a question likely more suitable for the general mailing list.
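An added example, not code from the post above or from the OpenLDAP project, of what the ";binary" transfer described in the reply actually carries: the certificate value goes over LDAPv3 as BER/DER octets rather than a textual string, and in LDIF the same octets are written base64 after "::". The DER blob in the code is constructed for illustration (it has the outer SEQUENCE-of-three shape of an X.509 Certificate but is not a real, verifiable certificate), and the `userCertificate` attribute name is the one from the post; everything else is an assumption of the example.

```python
"""Added example (not code from the post or from OpenLDAP): what a
";binary" transfer of userCertificate actually carries.

Over LDAPv3 the value is sent as BER/DER octets rather than a textual
string; in LDIF the same octets are written base64 after "::".  The DER
blob below is CONSTRUCTED for illustration only: it has the outer shape of
an X.509 Certificate (SEQUENCE of three elements) but is not a real,
verifiable certificate.
"""
import base64


def der_tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(len_bytes)]) + len_bytes
    return bytes([tag]) + length + value


# Constructed sample with the shape Certificate ::= SEQUENCE {
#   tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signatureValue BIT STRING }
SAMPLE_CERT_DER = der_tlv(0x30, b"".join([
    # tbsCertificate reduced to [0] EXPLICIT version INTEGER 2 (v3)
    der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))),
    # signatureAlgorithm: OID 1.2.840.113549.1.1.11 (sha256WithRSAEncryption), NULL params
    der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + der_tlv(0x05, b"")),
    # signatureValue: BIT STRING, 0 unused bits, four placeholder bytes
    der_tlv(0x03, b"\x00\xde\xad\xbe\xef"),
]))


def parse_tlv(data: bytes, offset: int = 0):
    """Parse one BER TLV at offset -> (tag, value, next_offset).
    Only definite lengths are accepted, which is all DER (hence X.509) allows."""
    if offset + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, first = data[offset], data[offset + 1]
    pos = offset + 2
    if first & 0x80:
        count = first & 0x7F
        if count == 0:
            raise ValueError("indefinite length is not DER")
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    else:
        length = first
    end = pos + length
    if end > len(data):
        raise ValueError("truncated TLV value")
    return tag, data[pos:end], end


def certificate_shape(der: bytes) -> dict:
    """Check the outer structure a userCertificate value must have and list
    the tags of the top-level SEQUENCE's children.  A textual string stuffed
    into the attribute, as an LDAPv2 client might do, is rejected here."""
    tag, body, end = parse_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("value is not a single top-level SEQUENCE")
    children, pos = [], 0
    while pos < len(body):
        child_tag, _, pos = parse_tlv(body, pos)
        children.append(child_tag)
    return {"top_tag": tag, "child_tags": children, "total_len": end}


def looks_like_der_certificate(der: bytes) -> bool:
    """True if der has the outer shape SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }."""
    try:
        return certificate_shape(der)["child_tags"] == [0x30, 0x30, 0x03]
    except ValueError:
        return False


def to_ldif_binary(attr: str, value: bytes) -> str:
    """Render '<attr>;binary:: <base64>' as LDIF, folded at 76 columns with
    continuation lines beginning with a single space (RFC 2849 folding)."""
    line = f"{attr};binary:: " + base64.b64encode(value).decode("ascii")
    folded, rest = [line[:76]], line[76:]
    while rest:
        folded.append(" " + rest[:75])
        rest = rest[75:]
    return "\n".join(folded)


def from_ldif_binary(text: str):
    """Unfold a base64 ('::') LDIF attribute and return (name, octets)."""
    unfolded = "".join(p[1:] if i else p for i, p in enumerate(text.split("\n")))
    name, _, b64 = unfolded.partition(":: ")
    return name, base64.b64decode(b64)


if __name__ == "__main__":
    ldif = to_ldif_binary("userCertificate", SAMPLE_CERT_DER)
    print(ldif)
    print(certificate_shape(from_ldif_binary(ldif)[1]))
```

The shape check is the defender's half of the post's "stuff whatever you want" remark: a server or client that accepts the attribute should at least confirm the octets are one well-formed DER SEQUENCE before handing them to a certificate parser, since a stray textual-string value from an LDAPv2 client will fail this check rather than being mis-parsed.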