Hello everyone.
I am writing here (hopefully it's the right list for the topic) to ask about IDN (Internationalized Domain Names) support in OpenLDAP and LDAP in general. I've been perusing IETF documents and all I could find was a couple of expired drafts, 18 and 20 years old, pertaining to the topic.
https://datatracker.ietf.org/doc/draft-hall-ldap-idn/ https://datatracker.ietf.org/doc/draft-zeilenga-ldap-idn/
Does anyone have more information on the topic and maybe on why those drafts went nowhere?
Thanks in advance, Fulvio Scapin
On 6/20/21 2:03 PM, trantorvega@gmail.com wrote:
> I am writing here (hopefully it's the right list for the topic) to ask about IDN (Internationalized Domain Names) support in OpenLDAP and LDAP in general.
> I've been perusing IETF documents and all I could find was a couple of expired drafts, 18 and 20 years old, pertaining to the topic.
> https://datatracker.ietf.org/doc/draft-hall-ldap-idn/ https://datatracker.ietf.org/doc/draft-zeilenga-ldap-idn/
> Does anyone have more information on the topic and maybe on why those drafts went nowhere?
Basically those attempts got stuck and in general LDAP work at the IETF does not happen anymore.
But this is a pretty broad topic affecting various use-cases. Which particular use-case(s) do you have in mind?
In my web2ldap I encode Unicode input values for domain names (dc, associatedDomain, domain part of mail, etc.) as IDNA and I decode the IDNA when displaying the values. Note that displaying Unicode strings is subject to homograph attacks.
E-mail addresses are more complicated because of UTF-8 in the local part, and thus you need a separate attribute. And well, you need MTAs to support SMTPUTF8, which is AFAIK currently only supported by postfix.
My own naive attempt for an LDAP attribute was:
https://datatracker.ietf.org/doc/html/draft-stroeder-mailboxrelatedobject#se...
For e-mail addresses there also has been more recent work for X.509 certs. Especially RFC 8398 defines matching rules:
https://datatracker.ietf.org/doc/html/rfc8398#section-5
All in all this is not just a matter of the LDAP schema.
Ciao, Michael.
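Michael's approach above (A-labels in the directory, U-labels for display, with homographs in mind), as an added Python example that is not code from web2ldap or from the thread. It uses Python's built-in idna codec (IDNA2003 nameprep plus Punycode), constructed sample domains, and a mixed-script check that is a heuristic of my own, not something the thread prescribes:

```python
import unicodedata

# Constructed sample values (not from the thread): a Unicode domain as a user
# would type it, and a look-alike whose third letter is CYRILLIC SMALL LETTER A.
UNICODE_DOMAIN = "Bücher.example"
MIXED_SCRIPT_DOMAIN = "ex\u0430mple.test"


def encode_for_ldap(domain: str) -> str:
    """Convert a Unicode domain to its ASCII (A-label) form for storage in
    dc / associatedDomain attributes. The 'idna' codec applies nameprep
    (case folding, NFKC) and Punycode, so the result is lower-case ASCII."""
    return domain.encode("idna").decode("ascii")


def decode_for_display(stored: str) -> str:
    """Turn the stored A-label form back into U-labels for display."""
    return stored.encode("ascii").decode("idna")


def label_scripts(label: str) -> set:
    """Scripts used by the letters of one label, taken from the first word of
    each character's Unicode name (LATIN, CYRILLIC, GREEK, ...). Digits,
    hyphens and other non-letters are ignored. Heuristic, assumed here."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def is_mixed_script(domain: str) -> bool:
    """True when any label mixes scripts: a cheap homograph signal."""
    return any(len(label_scripts(label)) > 1 for label in domain.split("."))


def display_value(stored: str) -> str:
    """Display policy: show the U-label form only when no label mixes scripts;
    otherwise keep the A-label so the look-alike stays visible to the user."""
    decoded = decode_for_display(stored)
    return stored if is_mixed_script(decoded) else decoded


if __name__ == "__main__":
    for value in (UNICODE_DOMAIN, MIXED_SCRIPT_DOMAIN):
        stored = encode_for_ldap(value)
        print(f"{value!r} -> stored {stored!r} -> shown {display_value(stored)!r}")
```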
Thanks Michael.
As it happens, I had also come across your draft submission for an EAI-compatible mail attribute along with those I mentioned originally. :D

At work I've been looking into EAI support for an e-mail solution which relies on OpenLDAP as its directory software. I've been quite dismayed at the lack of work in that direction on the LDAP front (and what appears to be lack of recent standardization work on LDAP in general).

On top of that, from what I've seen, there has been quite some work on UA topics in RFCs across several areas, all more or less suggesting or mandating NFC normalization, while LDAP ones, and OpenLDAP from what I can see in the code and empirical testing, go for NFKC normalization, something I think will be rather problematic for us going forward. Since there is effort going into Universal Acceptance (see https://uasg.tech) I imagined that more work would have gone into internationalization for LDAP as well, but reality appears to be different at present. As you said, it's not something just confined to schemas.

Btw, is there some kind of rationale available as to the direction of certain design choices, for instance for the normalization thing I've mentioned previously, as far as you know?
Thanks a lot for sharing.
Fulvio
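The NFC-versus-NFKC point Fulvio raises, as an added Python example that is not from the thread: a simplified stand-in for the RFC 4518 string-preparation key (case-fold, then normalize; RFC 4518 prescribes NFKC) run under both forms over constructed pairs, to show which values an NFKC-based LDAP matching rule collapses that an NFC-only application keeps distinct.

```python
import unicodedata


def matching_key(value: str, form: str) -> str:
    """Simplified LDAP string-prep key: case-fold (the Map step), then apply
    the given Unicode normalization form. RFC 4518 uses NFKC at this step;
    passing "NFC" shows what an NFC-based profile would do instead.
    Whitespace handling and the prohibit/bidi checks are left out."""
    return unicodedata.normalize(form, value.casefold())


def collides(a: str, b: str, form: str) -> bool:
    """True when two attribute values compare equal under the given form."""
    return matching_key(a, form) == matching_key(b, form)


# Constructed sample pairs (not from the thread).
SAMPLE_PAIRS = [
    ("\uff45\uff58\uff41\uff4d\uff50\uff4c\uff45", "example"),  # fullwidth vs ASCII
    ("\u2168", "IX"),        # ROMAN NUMERAL NINE vs the letters I X
    ("\u00e9", "e\u0301"),   # precomposed vs decomposed e-acute
]


def nfkc_only_collisions(pairs=SAMPLE_PAIRS) -> list:
    """Pairs that compare equal under NFKC but stay distinct under NFC:
    exactly the values an NFC-based application would keep apart while an
    RFC 4518 matching rule treats them as the same entry value."""
    return [(a, b) for a, b in pairs
            if collides(a, b, "NFKC") and not collides(a, b, "NFC")]


if __name__ == "__main__":
    for a, b in SAMPLE_PAIRS:
        print(f"{a!r} vs {b!r}: NFC={collides(a, b, 'NFC')} "
              f"NFKC={collides(a, b, 'NFKC')}")
```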
trantorvega@gmail.com wrote on 20.06.2021 at 14:03 in message
20210620120358.5262.46576@hypatia.openldap.org:
> Hello everyone.
> I am writing here (hopefully it's the right list for the topic) to ask about IDN (Internationalized Domain Names) support in OpenLDAP and LDAP in general.
I'd think it's not relevant for LDAP, because:
1) DNS originally was ASCII based with only a limited set of characters allowed, while LDAP allows UTF-8, a wider character set. So basically just use the name you like.
2) IDN support (AFAIK) just translates "special characters" to ASCII when querying the servers, and the ASCII response is translated back. Not needed for LDAP.
> I've been perusing IETF documents and all I could find was a couple of expired drafts, 18 and 20 years old, pertaining to the topic.
> https://datatracker.ietf.org/doc/draft-hall-ldap-idn/ https://datatracker.ietf.org/doc/draft-zeilenga-ldap-idn/
> Does anyone have more information on the topic and maybe on why those drafts went nowhere?
Maybe explain what you actually want to do?
Otherwise I'd suggest "RFC 3491: IDN Nameprep".
Regards, Ulrich
> Thanks in advance, Fulvio Scapin
On 6/28/21 10:58 AM, Ulrich Windl wrote:
> trantorvega@gmail.com wrote on 20.06.2021 at 14:03 in message
> 20210620120358.5262.46576@hypatia.openldap.org:
>> Hello everyone.
>> I am writing here (hopefully it's the right list for the topic) to ask about IDN (Internationalized Domain Names) support in OpenLDAP and LDAP in general.
> I'd think it's not relevant for LDAP, because:
> - DNS originally was ASCII based with only a limited set of characters allowed,
Strictly speaking: Nope.
See definition of RDATA:
https://datatracker.ietf.org/doc/html/rfc1035#section-4.1.3
Anyway use of DNS RRs is specific to application protocols. Thus broad statements like yours are always wrong.
> while LDAP allows UTF-8, a wider character set. So basically just use the name you like.
Also this general statement is wrong.
> - IDN support (AFAIK) just translates "special characters" to ASCII when querying the servers, and the ASCII response is translated back.
This is only applicable when resolving host names or MX RRs.
> Not needed for LDAP.
Are you actually overseeing what you're talking about? What's "needed for LDAP" depends on how certain LDAP clients (e.g. MTAs) make use of it. And that's why some people are writing specifications.
Ciao, Michael.
Michael Ströder michael@stroeder.com wrote on 29.06.2021 at 22:10 in message
89331497-64e9-9d57-d6aa-d931712ffb48@stroeder.com:
> On 6/28/21 10:58 AM, Ulrich Windl wrote:
>> trantorvega@gmail.com wrote on 20.06.2021 at 14:03 in message
>> 20210620120358.5262.46576@hypatia.openldap.org:
>>> Hello everyone.
>>> I am writing here (hopefully it's the right list for the topic) to ask about IDN (Internationalized Domain Names) support in OpenLDAP and LDAP in general.
>> I'd think it's not relevant for LDAP, because:
>> - DNS originally was ASCII based with only a limited set of characters allowed,
> Strictly speaking: Nope.
> See definition of RDATA:
> https://datatracker.ietf.org/doc/html/rfc1035#section-4.1.3
> Anyway use of DNS RRs is specific to application protocols. Thus broad statements like yours are always wrong.
I was thinking of host/domain names.
>> while LDAP allows UTF-8, a wider character set. So basically just use the name you like.
> Also this general statement is wrong.
>> - IDN support (AFAIK) just translates "special characters" to ASCII when querying the servers, and the ASCII response is translated back.
> This is only applicable when resolving host names or MX RRs.
>> Not needed for LDAP.
> Are you actually overseeing what you're talking about? What's "needed for LDAP" depends on how certain LDAP clients (e.g. MTAs) make use of it. And that's why some people are writing specifications.
You may be right that I didn't understand what the original author really wanted to do.
> Ciao, Michael.