Andrew Findlay wrote:
On Fri, Feb 18, 2011 at 02:56:16PM -0800, Howard Chu wrote:
> re: TLS Authentication Identity Format
>
> Strictly speaking, the order of components is not changed at all.
> The sequence of RDNs in the DN is what it is; just that the
> convention for *displaying* it is ass-backwards in LDAP. I'm afraid
> the wording here will confuse people into thinking that the
> *semantics* of the DN are changed, when it's only a display issue.
Good point. Updated wording attached.
Thanks, applied with formatting tweaks.
Andrew
sasl-x509-dn-doc.patch
--- sasl.sdf.head 2011-02-18 23:03:07.000000000 +0000
+++ sasl.sdf 2011-02-22 14:30:25.947887979 +0000
@@ -1,4 +1,4 @@
-# $OpenLDAP: pkg/openldap-guide/admin/sasl.sdf,v 1.51 2011/02/18 23:03:07 hyc Exp $
+# $OpenLDAP: pkg/openldap-guide/admin/sasl.sdf,v 1.34.2.12 2011/01/04 23:49:40 kurt Exp
$
# Copyright 1999-2011 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
@@ -302,9 +302,9 @@
H4: TLS Authentication Identity Format
-This is usually the Subject DN from the client-side certificate.
-The order of the components will be changed to follow LDAP conventions,
-so a certificate issued to {{EX:C=gb, O=The Example Organisation, CN=A Person}}
+This is the Subject DN from the client-side certificate.
+Note that DNs are displayed differently by LDAP and by X.509, so
+a certificate issued to {{EX:C=gb, O=The Example Organisation, CN=A Person}}
will produce an authentication identity of:
> cn=A Person,o=The Example Organisation,c=gb
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/