Fix to UMich's ldapd....

Peter Whittaker (pww@entrust.com)
Wed, 28 Aug 1996 15:05:37 -0400

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Peter Whittaker: "Fix to UMich's ldapd...."
Previous message: bill.mann: "RE: LDAP Clients Using DNS to Find LDAP"

The UMich ldapd will not respect a setting of "unknown" for the syntax
of a userCertificate in oidtable.at. This note suggests a fix and
describes the problem in more detail.
>
>In the file servers/ldapd/syntax.c, change the line
>
> certif_init(); /* initialize certificate syntax handler */
>
>to
>
> if ( ldap_certif_syntax ) {
> /* If the syntax is anything other than "unknown", treat it as
> an RFC 1778 string encoding */
> certif_init(); /* initialize certificate syntax handler */
> }
>
>What this does:
>
>As distributed, the UMich code will run certif_init() regardless of the
>syntax associated with the userCertificate attribute in oidtable.at; this
>fix causes the UMich code to run certif_init() only if the syntax associated
>with userCertificate is something other than "unknown", i.e., Certificate.
>
>Why is this fix necessary?
>
>This fix is necessary in order to allow the UMich ldapd to handle
>userCertificate attributes whose syntax is not the "Certificate" syntax known
>to the ISODE libraries used by the UMich ldapd, i.e., it allows the UMich
>ldapd to handle version 3 certificates.
>
>A little more background:
>
>The ISODE libraries used by the UMich ldapd and by ISODE-based DSAs such as
>QUIPU understand "Certificate" syntax to mean the older Certificate syntax
>defined in X.500(1988). When retrieving such a certificate from the
>directory, the UMich ldapd will transform it from the ASN.1 encoding returned
>by the DSA to the string encoding defined in RFC 1778.
>
>If a user wishes to use newer (version 3) certificates, whose syntax is not
>understood by ISODE-based DSAs and for which there is no string encoding, the
>syntax associated with userCertificate in the oidtable.at file should be
>changed from "Certificate" to "unknown", and the user's application should
>use printable ASN.1 instead of a string encoding. Making this change to the
>oidtable.at allows an ISODE-based DSA to store these certificates.
>
>However, this change is not enough to allow the UMich ldapd to handle such
>certificates. This is because the existing UMich code causes certif_init(),
>which treats certificates as string encoded objects, to be run regardless of
>the syntax associted with userCertificate in oidtable.at. The fix above
>causes the UMich ldapd to respect the "unknown" setting and not run
>certif_init(). This is because a syntax of "unknown" in oidtable.at causes
>ldap_certif_syntax to be equal to 0 (zero), while any other syntax, including
>"Certificate", causes ldap_certif_syntax to be a non-zero value.
>
>pww
>
>Peter Whittaker [~~~~~~~~~~~~~~~~~~~~~~] X.500 Specialist
>pww@entrust.com [http://www.entrust.com] Nortel Secure Networks
>Ph: +1 613 765 2064 [ ] P.O. Box 3511, Station C
>FAX:+1 613 765 3520 [______________________] Ottawa, Canada, K1Y 4H7
>
>

Next message: Peter Whittaker: "Fix to UMich's ldapd...."
Previous message: bill.mann: "RE: LDAP Clients Using DNS to Find LDAP"