Hello,
I have started a small project to build a mail server, and the authentication / user list is based on OpenLDAP.
I want to use international characters for the "secondary" email addresses, but OpenLDAP is complaining about it as invalid syntax. I use the otherMailbox field. I found a makeshift solution by storing the email address encoded in base64, but I therefore need to be sure any client will be able to read these base64-encoded email addresses. So far, Dovecot is fine; I am not sure yet about Postfix.
Is there any limitation in OpenLDAP that would prevent some fields from being stored in UTF-8 directly? I have noticed that the givenName and surname are automatically encoded in base64 when containing accents, so is it a standard practice?
Thanks for your advice.
https://github.com/progmaticltd/homebox
Kind regards, André
On 2018-03-21 16:42, Andre Rodier wrote:
I want to use international characters for the "secondary" email addresses, but OpenLDAP is complaining about it as invalid syntax.
That's because the attribute 'mail' is defined with IA5String syntax, which is more or less ASCII.
Is there any limitation in OpenLDAP that would prevent some fields from being stored in UTF-8 directly?
No. But the attribute type has to be declared with DirectoryString syntax.
That's why I proposed 'intlMailAddr' herein: https://tools.ietf.org/html/draft-stroeder-mailboxrelatedobject-07#section-2
Note that this attribute only makes sense in the case of a non-ASCII local part and for use with the SMTPUTF8 extension. I currently only know of one SMTPUTF8 implementation (Postfix 3.x).
If the mail address's domain part is non-ASCII you should store it in IDNA encoding (e.g. my web2ldap supports auto-converting the user's input).
I have noticed that the givenName and surname are automatically encoded in base64 when containing accents, so is it a standard practice?
The attribute values are *not* base64-encoded via LDAP. What you're seeing as output of ldapsearch is LDIF representation which has to be ASCII-clean (see RFC 2849).
Ciao, Michael.
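Michael's two points (the 'mail' attribute being IA5String, and base64 in ldapsearch output being only the RFC 2849 LDIF representation) can be checked with the short Python script below. It is an added example, not code from the thread or from the homebox project. It renders and parses LDIF attribute lines per RFC 2849, decides whether an address fits the IA5String 'mail' attribute or needs the DirectoryString 'intlMailAddr' from Michael's draft, and IDNA-encodes the domain part as he recommends. The attribute name 'mailboxRelatedObject' comes from the draft; the entry DN, the user data and the two addresses are constructed sample input; the function names are this example's own.

```python
import base64

# RFC 2849: a value can only be written as "attr: value" when it is a SAFE-STRING
# (ASCII only, no NUL/CR/LF, no leading SPACE, ':' or '<'). Anything else, which
# includes every non-ASCII UTF-8 value, is written base64-encoded as "attr:: ...".
# This is purely the LDIF / ldapsearch representation; slapd stores and sends
# the raw UTF-8 value, never the base64 text.
def needs_base64(value: str) -> bool:
    if value == "":
        return False
    if any(ord(ch) > 127 or ch in "\x00\r\n" for ch in value):
        return True
    if value[0] in " :<":
        return True
    # RFC 2849 also recommends base64 for values that end in SPACE
    return value.endswith(" ")


def ldif_line(attr: str, value: str) -> str:
    """Render one attribute/value pair the way ldapsearch -LLL prints it."""
    if needs_base64(value):
        b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {b64}"
    return f"{attr}: {value}"


def parse_ldif_line(line: str) -> tuple[str, str]:
    """Inverse of ldif_line: recover the value an LDAP client actually receives."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):                        # "attr:: <base64>"
        return attr, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return attr, rest.lstrip(" ")                   # "attr: <value>"


def is_ia5(value: str) -> bool:
    """Would slapd accept this value for an IA5String attribute such as 'mail'?"""
    return all(ord(ch) < 128 for ch in value)


def place_address(addr: str) -> tuple[str, str]:
    """Pick the attribute an address can live in, IDNA-encoding the domain part.

    Returns (attribute, value_to_store). A non-ASCII domain alone still fits
    'mail' once encoded as an A-label; only a non-ASCII local part forces the
    DirectoryString attribute 'intlMailAddr' (and SMTPUTF8 on the MTA side).
    """
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an addr-spec: {addr!r}")
    # Python's idna codec applies nameprep + punycode per label; ASCII labels pass through
    domain_ascii = domain.encode("idna").decode("ascii")
    stored = f"{local}@{domain_ascii}"
    return ("mail" if is_ia5(stored) else "intlMailAddr"), stored


def entry_ldif(dn: str, attrs: list[tuple[str, str]]) -> str:
    """Full LDIF record (e.g. for ldapadd) with RFC 2849 encoding applied per value."""
    lines = [ldif_line("dn", dn)] + [ldif_line(a, v) for a, v in attrs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample entry: one ASCII and one internationalised address
    # for a user whose given name carries an accent.
    attrs = [("objectClass", "inetOrgPerson"),
             ("objectClass", "mailboxRelatedObject"),
             ("givenName", "André"), ("sn", "Rodier"), ("cn", "Andre Rodier")]
    for addr in ("andre@example.org", "andré@exämple.org"):
        attrs.append(place_address(addr))
    print(entry_ldif("uid=andre,ou=people,dc=example,dc=org", attrs))
```

Running it prints the record with `givenName:: QW5kcsOp` and `intlMailAddr:: ...` base64 lines while `mail: andre@example.org` stays plain, which is exactly the ldapsearch output that prompted the question; feeding the `::` lines back through `parse_ldif_line` gives the original UTF-8 strings, so no client needs to know about base64 unless it is reading LDIF files itself.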
Thank you, Michael,
Thank you, this is very useful; you seem to have a very good knowledge of LDAP.
I am using postfix 3 as well, with dovecot.
Kind regards, André
On Wed, Mar 21, 2018 at 07:35:34PM +0000, André Rodier wrote:
On 21/03/18 17:19, Michael Ströder wrote:
That's why I proposed 'intlMailAddr' herein: https://tools.ietf.org/html/draft-stroeder-mailboxrelatedobject-07#section-2
Note that this attribute only makes sense in the case of a non-ASCII local part and for use with the SMTPUTF8 extension. I currently only know of one SMTPUTF8 implementation (Postfix 3.x).
I am using postfix 3 as well, with dovecot.
So you can probably use that extension. However, most people cannot. Therefore, if you create mail accounts with non-ASCII characters in the local part, those accounts will not be able to exchange mail with 95% of the world's population (unless you install a translating gateway, but then the address seen outside your system will not be the same as the one inside, and your users will get confused).
This is why the LDAP mail attribute is limited to IA5 (7-bit ASCII) syntax.
None of this prevents having UTF-8 characters in the 'comment part', as you do yourself ("André" contains one character that cannot be represented in IA5). This part is not stored in the LDAP mail attribute, which should be just LHS@RHS.domain
Andrew
Hello Michael,
Thank you for your schema, it is working perfectly.
I am attaching the final LDIF file to the email, so anyone can use it for their projects.
Tell me if I made a mistake, but so far it works perfectly. I have both Dovecot and Postfix querying internationalised email addresses, and I will have something stable enough soon.
Kind regards, André
Hello Michael,
Thank you for your schema, it is working perfectly.
I am adding the final LDIF file that works with OpenLDAP, so anyone can use it for their projects:
# The attribute type 'intlMailAddr' is defined for storing SMTPUTF8
# compliant addresses [RFC6530]
# https://tools.ietf.org/html/draft-stroeder-mailboxrelatedobject-07

dn: cn=intlMailAddr,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: intlMailAddr
olcAttributeTypes: ( 1.3.6.1.4.1.5427.1.389.4.18
  NAME 'intlMailAddr'
  DESC 'Internationalized Email Address'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcObjectClasses: ( 1.3.6.1.4.1.5427.1.389.6.9
  NAME 'mailboxRelatedObject'
  DESC 'Associated RFC 5321 mailbox for any entry'
  AUXILIARY
  MAY ( displayName $ mail $ intlMailAddr ) )
Tell me if I made a mistake, but so far it works perfectly. I have both Dovecot and Postfix querying internationalised email addresses, and I will have something stable enough soon.
Kind regards, André
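To see why the posted schema fixes the "invalid syntax" error, the added Python example below (not code from the thread, from the draft, or from the homebox project) unfolds an LDIF fragment per RFC 2849, parses the `olcAttributeTypes` descriptions down to NAME, SYNTAX and the optional `{len}` bound, and then applies the same per-syntax check slapd performs: IA5String rejects any code point above 127, DirectoryString accepts any non-empty UTF-8 string. The fragment is constructed for this example: it carries the intlMailAddr definition from above alongside a copy of the standard 'mail' definition from OpenLDAP's core schema (RFC 4524) purely so the two syntaxes can be compared; 'mail' is already loaded by slapd and must not be added to cn=config again. Function names are this example's own.

```python
import re

# Constructed LDIF fragment for this example: the intlMailAddr type from the
# thread plus the core-schema 'mail' type for contrast (do NOT load this
# fragment as-is; 'mail' already exists in every slapd).
SCHEMA_LDIF = """\
dn: cn=intlMailAddr,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: intlMailAddr
olcAttributeTypes: ( 1.3.6.1.4.1.5427.1.389.4.18
  NAME 'intlMailAddr'
  DESC 'Internationalized Email Address'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 0.9.2342.19200300.100.1.3
  NAME ( 'mail' 'rfc822Mailbox' )
  DESC 'RFC1274: RFC822 Mailbox'
  EQUALITY caseIgnoreIA5Match
  SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
"""

# The two RFC 4517 syntax OIDs this thread is about
SYNTAX_NAMES = {
    "1.3.6.1.4.1.1466.115.121.1.26": "IA5String",
    "1.3.6.1.4.1.1466.115.121.1.15": "DirectoryString",
}

# RFC 4512 AttributeTypeDescription, reduced to the fields validated here
AT_RE = re.compile(
    r"\(\s*(?P<oid>[\d.]+)\s+NAME\s+(?P<names>'[^']*'|\([^)]*\)).*?"
    r"SYNTAX\s+(?P<syntax>[\d.]+)(?:\{(?P<maxlen>\d+)\})?"
)


def unfold_ldif(text: str) -> list[str]:
    """RFC 2849 unfolding: a line starting with one SPACE continues the previous line."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_attribute_types(ldif: str) -> dict[str, dict]:
    """Map every NAME (lower-cased) of each olcAttributeTypes value to its parsed description."""
    types: dict[str, dict] = {}
    for line in unfold_ldif(ldif):
        attr, _, value = line.partition(":")
        if attr.lower() != "olcattributetypes":
            continue
        m = AT_RE.search(value)
        if m is None:
            raise ValueError(f"unparseable attribute type: {value!r}")
        desc = {
            "oid": m["oid"],
            "syntax": m["syntax"],
            # RFC 4512 calls {len} a suggested minimum upper bound, so it is
            # reported here but not enforced as a hard limit
            "maxlen": int(m["maxlen"]) if m["maxlen"] else None,
        }
        for name in re.findall(r"'([^']*)'", m["names"]):
            types[name.lower()] = desc
    return types


def validate_value(types: dict[str, dict], attr: str, value: str) -> tuple[bool, str]:
    """Mimic slapd's syntax check for one value of the named attribute."""
    desc = types[attr.lower()]
    syntax = SYNTAX_NAMES.get(desc["syntax"], desc["syntax"])
    if syntax == "IA5String":
        bad = [ch for ch in value if ord(ch) > 127]
        if bad:
            return False, f"invalid syntax: IA5String cannot hold {bad!r}"
    elif syntax == "DirectoryString":
        if value == "":                       # RFC 4517: DirectoryString = 1*UTF8
            return False, "invalid syntax: DirectoryString must be non-empty"
    return True, syntax


TYPES = parse_attribute_types(SCHEMA_LDIF)

if __name__ == "__main__":
    for attr, value in [("mail", "andre@example.org"),
                        ("mail", "andré@example.org"),
                        ("intlMailAddr", "andré@example.org")]:
        ok, why = validate_value(TYPES, attr, value)
        print(f"{attr}: {value!r} -> {'ok' if ok else 'REJECTED'} ({why})")
```

The second line of output is the rejection André hit with otherMailbox (also an IA5String attribute in the core schema), and the third shows the same value passing once it lives in a DirectoryString attribute. Because `unfold_ldif` follows RFC 2849, the folded multi-line layout of the posted schema and a single-line form load identically, which is also why either works with ldapadd.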
openldap-technical@openldap.org