On Fri, Feb 18, 2011 at 02:56:16PM -0800, Howard Chu wrote: > re: TLS Authentication Identity Format > > Strictly speaking, the order of components is not changed at all. > The sequence of RDNs in the DN is what it is; just that the > convention for *displaying* it is ass-backwards in LDAP. I'm afraid > the wording here will confuse people into thinking that the > *semantics* of the DN are changed, when it's only a display issue. Good point. Updated wording attached.

Andrew sasl-x509-dn-doc.patch --- sasl.sdf.head 2011-02-18 23:03:07.000000000 +0000 +++ sasl.sdf 2011-02-22 14:30:25.947887979 +0000 @@ -1,4 +1,4 @@ -# $OpenLDAP: pkg/openldap-guide/admin/sasl.sdf,v 1.51 2011/02/18 23:03:07 hyc Exp $ +# $OpenLDAP: pkg/openldap-guide/admin/sasl.sdf,v 1.34.2.12 2011/01/04 23:49:40 kurt Exp $ # Copyright 1999-2011 The OpenLDAP Foundation, All Rights Reserved. # COPYING RESTRICTIONS APPLY, see COPYRIGHT. @@ -302,9 +302,9 @@ H4: TLS Authentication Identity Format -This is usually the Subject DN from the client-side certificate. -The order of the components will be changed to follow LDAP conventions, -so a certificate issued to {{EX:C=gb, O=The Example Organisation, CN=A Person}} +This is the Subject DN from the client-side certificate. +Note that DNs are displayed differently by LDAP and by X.509, so +a certificate issued to {{EX:C=gb, O=The Example Organisation, CN=A Person}} will produce an authentication identity of: > cn=A Person,o=The Example Organisation,c=gb