Hi!
Unfortunately the RFC does not really give an example of using multiple AVAs in an RDN; it just states:
"This relative name, known as its Relative Distinguished Name (RDN) [X.501], is composed of an unordered set of one or more attribute value assertions (AVA) consisting of an attribute description with zero options and an attribute value. These AVAs are chosen to match attribute values (each a distinguished value) of the entry."
And the other question is how multiple AVAs will be ordered to allow an AuthRegexp to match them.
Kind regards, Ulrich Windl
-----Original Message-----
From: Ondřej Kuzník ondra@mistotebe.net
Sent: Tuesday, May 6, 2025 11:50 AM
To: Windl, Ulrich u.windl@ukr.de
Cc: openldap-technical@openldap.org
Subject: [EXT] Re: Re: Match certificate subject with escaped characters using olcAuthzRegexp
On Mon, May 05, 2025 at 07:42:01AM +0000, Windl, Ulrich wrote:
The idea was to provide an alternate DN, but maybe it does not work the way I thought.
I saw this example in https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/3c96b56d-d7a7-46f1-9883-7d031f9fa01e:
F=John Smith+F=David Jones, OU=Users,DC=Fabrikam,DC=com
Hi Ulrich, that example is contrary to RFC4512 section 2.2 around the end[0].
Actually if you read the link you provided, AD's own implementation is much stricter and doesn't support multivalued rDNs at all and the example you give is specifically listed as "disallowed"!
[0] https://www.rfc-editor.org/rfc/rfc4512#section-2.2
Regards,
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation
http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
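The two points in this exchange, that an RDN is an unordered set of AVAs (RFC 4512 section 2.3) and that the AVA order therefore has to be pinned down before a regular expression can match it, can be made concrete with a small parser. The block below is an added example written for this thread; it is not code from either poster and not OpenLDAP's own DN normalization, which is schema-aware and lives in slapd. It parses an RFC 4514 string DN (including `\,` and hex-pair `\2C` escapes), sorts the AVAs inside each RDN so a multi-valued RDN gets one canonical spelling, and then applies an anchored authz-regexp-style pattern to that canonical string. The sample DNs and the pattern are constructed for illustration.

```python
"""Parse and canonicalize RFC 4514 string DNs so multi-valued RDNs match a regex deterministically.

Added example for the thread above; a stand-in for server-side normalization, not OpenLDAP code.
"""
import re
import string

# RFC 4514 section 2.4: characters that need a backslash escape inside an attribute value.
SPECIAL = set(',+"\\<>;')


def parse_dn(dn):
    """Split a string DN into RDNs; each RDN is a list of (type, value) AVAs.

    Handles '\\c' escapes and '\\XX' hex-pair escapes. Escaped bytes are reassembled
    before decoding, so escaped multi-byte UTF-8 round-trips. Whitespace around the
    attribute type is dropped; whitespace inside a value is kept as written.
    """
    rdns, rdn = [], []
    buf = bytearray()
    attr_type = None
    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if c == '\\':
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(h in string.hexdigits for h in pair):
                buf.append(int(pair, 16))           # \2C -> ','
                i += 3
            elif i + 1 < n:
                buf.extend(dn[i + 1].encode('utf-8'))  # \, -> ','
                i += 2
            else:
                raise ValueError('dangling backslash')
            continue
        if c == '=' and attr_type is None:
            attr_type = buf.decode('utf-8').strip()
            buf = bytearray()
        elif c in '+,':
            if attr_type is None:
                raise ValueError('AVA without "="')
            rdn.append((attr_type, buf.decode('utf-8')))
            buf, attr_type = bytearray(), None
            if c == ',':                            # '+' continues the RDN, ',' closes it
                rdns.append(rdn)
                rdn = []
        else:
            buf.extend(c.encode('utf-8'))
        i += 1
    if attr_type is None:
        raise ValueError('AVA without "="')
    rdn.append((attr_type, buf.decode('utf-8')))
    rdns.append(rdn)
    return rdns


def escape_value(value):
    """Escape a value per RFC 4514 section 2.4 so it can be re-embedded in a string DN."""
    out = []
    last = len(value) - 1
    for i, c in enumerate(value):
        if c in SPECIAL or (i == 0 and c in ' #') or (i == last and c == ' '):
            out.append('\\' + c)
        elif c == '\x00':
            out.append('\\00')
        else:
            out.append(c)
    return ''.join(out)


def normalize_dn(dn):
    """Canonical string: types lower-cased, AVAs within each RDN sorted by (type, value).

    Because the RDN is an unordered set, the sort gives every spelling of the same set
    one canonical form; that is what an anchored regex should be written against.
    """
    parts = []
    for rdn in parse_dn(dn):
        avas = sorted((t.lower(), v) for t, v in rdn)
        parts.append('+'.join(f'{t}={escape_value(v)}' for t, v in avas))
    return ','.join(parts)


def match_authz(dn, pattern):
    """Apply an anchored, authz-regexp-style pattern to the canonical DN; return groups or None."""
    m = re.fullmatch(pattern, normalize_dn(dn))
    return m.groups() if m else None


if __name__ == '__main__':
    # Constructed sample: the same two-AVA RDN written in both orders.
    for dn in ('CN=John Smith+UID=js,OU=Users,DC=Fabrikam,DC=com',
               'UID=js+CN=John Smith, OU=Users,DC=Fabrikam,DC=com'):
        print(normalize_dn(dn))
    print(match_authz('UID=js+CN=John Smith,OU=Users,DC=Fabrikam,DC=com',
                      r'cn=([^,+]+)\+uid=([^,+]+),ou=Users,dc=Fabrikam,dc=com'))
```

Both orderings of the constructed RDN canonicalize to `cn=John Smith+uid=js,ou=Users,dc=Fabrikam,dc=com`, so a single anchored pattern written against the sorted form matches either. The practical lesson for an `olcAuthzRegexp` is that the pattern must be written against the form the server actually produces after normalization, and that an RDN value containing `,` or `+` arrives escaped, which the character classes in the pattern have to tolerate.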