[Freeipa-devel] [freeipa PR#298][opened] ipaldap: handle binary encoding option transparently

[frasertweedale]

   URL: https://github.com/freeipa/freeipa/pull/298
Author: frasertweedale
 Title: #298: ipaldap: handle binary encoding option transparently
Action: opened

PR body:
"""
This patchset addresses
  https://fedorahosted.org/freeipa/ticket/6529.  I'm publishing it for
  discussion and review but it should not be hastily merged because
  there are compatibility implications for older server versions
  (discussed in https://fedorahosted.org/freeipa/ticket/6530).

Per RFC 4523, particular attribute syntaxes require use of the
';binary' attribute option.  Attributes using these syntaxes include
'userCertificate' and 'cACertificate'.  Our handling of this requirement is
inconsistent with no library support (i.e. it was up to individual plugin
authors to "do the right thing".

Also, because 389 DS currently does not always use this encoding option
(which is a defect), whether you need to read the
'userCertificate' or 'userCertificate;binary' attribute - or both - is
often unclear.  But technically, these both refer to the same attribute,
because the 'binary' option does not specify an attribute subtype.

This commit implements proper handling of the binary encoding option within
ipaldap.  Plugin code should now always use an attribute description
*without* the binary encoding option, and allow ipaldap to automatically
add it when sending attribute to the server, and strip it when reading
attributes in search results.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/298/head:pr298
git checkout pr298
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-298.patch
Type: text/x-diff
Size: 23971 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20161202/2e55eb8a/attachment.bin>