On 6/6/04 2:29 pm, Peter Marschall <[EMAIL PROTECTED]> wrote:

> On Thursday 03 June 2004 19:01, Douglas Gray Stephens wrote:
>>> Since you're sending junk to the servers, the servers *should* be
>>> rejecting your modify operations. That they're not is a defect in each
>>> of the servers, and you can't really expect any sort of sane behaviour
>>> from them.
>> 
>> So iPlanet 5.1HF2, SunOne 5.2HF1, and one of my Innosoft servers all
>> correctly updated the record.  One of the Innosoft servers had a
>> problem, but NONE of the servers rejected the request.
> 
> Rejecting illegal updates depends on the server's ability to check the syntax
> of the attributes updated.

Some of those servers have the "feature" (mis-feature, more like) that you
can turn off syntax checking.

> Although this is possible, since certificate attributes in LDAP have a standard
> syntax, it might have proven quite complex, so that the vendors did not
> implement it.

I doubt that's true in this case. Several of those servers have good support
for using X.509 certificates in their security code, so they clearly have
the ability to decode a certificate. Certificates aren't *that* complicated.

> Maybe some of the servers (presumably the older ones) even use another syntax
> that makes it impossible for them to distinguish a correct certificate from a
> bunch of bytes.

Servers have been using the BER representation of certificates for about 10
years now. It is formally described in LDAPv3, and was the de facto standard
for LDAPv2. How old are the servers being tested?

Cheers,

Chris
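To make the syntax-checking point concrete, here is an added example (not code from the thread or from any of the servers mentioned) of the minimal DER shape check a server or a client-side pre-commit hook could apply to a userCertificate value: a Certificate is SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signatureValue BIT STRING } with definite, minimal lengths and no trailing bytes. The sample values are constructed; the "skeleton" is only a structural stand-in, not a real certificate.

```python
# Minimal DER well-formedness check for LDAP userCertificate values.
# Added illustration; it checks only the outer Certificate structure,
# it does not parse or verify the certificate contents.

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in Certificate")
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first                      # short form
    else:
        n = first & 0x7F                    # long form: n length octets follow
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length (not DER)")
        if pos + n > len(buf):
            raise ValueError("truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
            raise ValueError("non-minimal length encoding (not DER)")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:end], end


def looks_like_der_certificate(value):
    """True if value has the outer DER shape of an X.509 Certificate."""
    try:
        tag, body, end = _read_tlv(value, 0)
        if tag != 0x30 or end != len(value):      # outer SEQUENCE, no trailing junk
            return False
        t1, _, p = _read_tlv(body, 0)             # tbsCertificate
        t2, _, p = _read_tlv(body, p)             # signatureAlgorithm
        t3, sig, p = _read_tlv(body, p)           # signatureValue
        return ((t1, t2, t3) == (0x30, 0x30, 0x03) and p == len(body)
                and len(sig) >= 1 and sig[0] <= 7)  # BIT STRING unused-bits octet
    except ValueError:
        return False


# Constructed samples: a structural skeleton (NOT a real certificate) and junk.
CONSTRUCTED_SKELETON = (b"\x30\x0d" + b"\x30\x03\x02\x01\x01"   # SEQUENCE { INTEGER 1 }
                        + b"\x30\x02\x05\x00"                  # SEQUENCE { NULL }
                        + b"\x03\x02\x00\xff")                 # BIT STRING
CONSTRUCTED_JUNK = b"this is not a certificate"
```

A value passing this check is not thereby a valid certificate; it is only one the server has no excuse for storing without at least attempting a full decode.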

