On 6/20/21 2:03 PM, trantorvega@gmail.com wrote:
> I am writing here (hopefully it's the right list for the topic) to ask about IDN (Internationalized Domain Names) support in OpenLDAP and LDAP in general.
> I've been perusing IETF documents and all I could find was a couple of expired drafts, 18 and 20 years old, pertaining to the topic.
> https://datatracker.ietf.org/doc/draft-hall-ldap-idn/
> https://datatracker.ietf.org/doc/draft-zeilenga-ldap-idn/
> Does anyone have more information on the topic and maybe on why those drafts went nowhere?
Basically those attempts got stuck and in general LDAP work at the IETF does not happen anymore.
But this is a pretty broad topic affecting various use-cases. Which particular use-case(s) do you have in mind?
In my web2ldap I encode Unicode input values for domain names (dc, associatedDomain, domain part of mail, etc.) as IDNA and I decode the IDNA when displaying the values. Note that displaying Unicode strings is subject to homograph attacks.
E-mail addresses are more complicated because of UTF-8 in the local part, and thus you need a separate attribute. And well, you need MTAs to support SMTPUTF8, which is AFAIK currently only supported by postfix.
My own naive attempt for an LDAP attribute was:
https://datatracker.ietf.org/doc/html/draft-stroeder-mailboxrelatedobject#se...
For e-mail addresses there also has been more recent work for X.509 certs. Especially RFC 8398 defines matching rules:
https://datatracker.ietf.org/doc/html/rfc8398#section-5
All in all this is not just a matter of the LDAP schema.
Ciao, Michael.
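The approach described in the reply above (IDNA-encode Unicode domain values on input, decode for display, warn about homographs, and treat the local part of an e-mail address separately), as an added example that is not web2ldap's code or anything from the drafts linked. It uses only Python's stdlib `idna` codec, which implements IDNA2003 (nameprep + punycode); IDNA2008 handles a few characters differently (e.g. U+00DF sharp s). The mixed-script heuristic based on Unicode character names is an assumption made for illustration, not a full UTS #39 confusables check, and the attribute names mentioned in the comments are only the standard ones (dc, associatedDomain, mail); the separate UTF-8 mail attribute is left unnamed.

```python
"""IDNA round-trip for LDAP domain-valued attributes (dc, associatedDomain,
the domain part of mail) plus a simple homograph warning for display.

Added example, not web2ldap code.  Uses only the stdlib 'idna' codec
(IDNA2003: nameprep + punycode).  The mixed-script check below is an
assumed heuristic for this example, not a full UTS #39 confusables check.
"""
import unicodedata


def to_ldap_domain(unicode_domain: str) -> str:
    """Encode a Unicode domain name to its ASCII (A-label) form for storage
    in an IA5String attribute such as dc or associatedDomain."""
    # Lower-case first: the stdlib codec passes pure-ASCII labels through
    # untouched, so 'Example' would otherwise stay 'Example'.
    return unicode_domain.lower().encode("idna").decode("ascii")


def from_ldap_domain(ascii_domain: str) -> str:
    """Decode an A-label domain back to Unicode (U-label) for display."""
    return ascii_domain.encode("ascii").decode("idna")


def label_scripts(label: str) -> set:
    """Approximate the set of scripts used by the letters of one label by
    taking the first word of each letter's Unicode character name
    (LATIN, CYRILLIC, GREEK, CJK, ...).  Heuristic assumed for this example."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            name = unicodedata.name(ch, "")
            if name:
                scripts.add(name.split()[0])
    return scripts


def mixed_script_labels(unicode_domain: str) -> list:
    """Return the labels of a decoded domain that mix more than one script.
    A label such as 'p\u0430ypal' (Cyrillic \u0430 between Latin letters) is
    the classic homograph; showing only the U-label would hide it."""
    return [lbl for lbl in unicode_domain.split(".")
            if len(label_scripts(lbl)) > 1]


def display_domain(ascii_domain: str) -> str:
    """Render an A-label domain for a UI: the U-label, but keep the A-label
    visible alongside whenever a label looks like a homograph."""
    uni = from_ldap_domain(ascii_domain)
    if mixed_script_labels(uni):
        return f"{uni} [{ascii_domain}] (mixed-script label, possible homograph)"
    return uni


def split_mail(addr: str) -> dict:
    """Split an e-mail address: the domain part can be IDNA-encoded, the
    local part cannot.  A non-ASCII local part is only deliverable over
    SMTPUTF8 (RFC 6531) and needs a UTF-8-capable attribute rather than
    the IA5String 'mail' attribute."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    domain_ascii = to_ldap_domain(domain)
    needs_smtputf8 = not local.isascii()
    return {
        "local": local,
        "domain_ascii": domain_ascii,
        "smtputf8": needs_smtputf8,
        # Only a fully ASCII form may go into 'mail' (IA5String).
        "mail": None if needs_smtputf8 else f"{local}@{domain_ascii}",
    }


if __name__ == "__main__":
    # Constructed sample values; the second one contains Cyrillic U+0430.
    for d in ("bücher.example", "p\u0430ypal.example"):
        a = to_ldap_domain(d)
        print(f"{d!r} -> {a} -> {display_domain(a)}")
    print(split_mail("joe@bücher.example"))
    print(split_mail("jürgen@bücher.example"))
```

The point of `display_domain` is that the decoded form is only shown together with the stored A-label when a label mixes scripts, so an administrator looking at a `dc` or `associatedDomain` value still sees the `xn--` form that actually goes on the wire. `split_mail` shows why the local part needs its own attribute: it never gets IDNA-encoded, so an address with a non-ASCII local part has no ASCII form at all and cannot be stored in `mail`.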