Andrew Findlay wrote:
On Fri, Feb 18, 2011 at 02:56:16PM -0800, Howard Chu wrote:
re: TLS Authentication Identity Format
Strictly speaking, the order of components is not changed at all. The sequence of RDNs in the DN is what it is; just that the convention for *displaying* it is ass-backwards in LDAP. I'm afraid the wording here will confuse people into thinking that the *semantics* of the DN are changed, when it's only a display issue.
Good point. Updated wording attached.
Thanks, applied with formatting tweaks.
Andrew
sasl-x509-dn-doc.patch
--- sasl.sdf.head 2011-02-18 23:03:07.000000000 +0000 +++ sasl.sdf 2011-02-22 14:30:25.947887979 +0000 @@ -1,4 +1,4 @@ -# $OpenLDAP: pkg/openldap-guide/admin/sasl.sdf,v 1.51 2011/02/18 23:03:07 hyc Exp $ +# $OpenLDAP: pkg/openldap-guide/admin/sasl.sdf,v 1.34.2.12 2011/01/04 23:49:40 kurt Exp $ # Copyright 1999-2011 The OpenLDAP Foundation, All Rights Reserved. # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
@@ -302,9 +302,9 @@
H4: TLS Authentication Identity Format
-This is usually the Subject DN from the client-side certificate. -The order of the components will be changed to follow LDAP conventions, -so a certificate issued to {{EX:C=gb, O=The Example Organisation, CN=A Person}} +This is the Subject DN from the client-side certificate. +Note that DNs are displayed differently by LDAP and by X.509, so +a certificate issued to {{EX:C=gb, O=The Example Organisation, CN=A Person}} will produce an authentication identity of:
cn=A Person,o=The Example Organisation,c=gb
-
hyc@symas.com