The country that nearly drove me crazy

I just upgraded my OpenLDAP to 2.4.21 and suddenly I couldn’t load an LDIF that we have used successfully in Spring LDAP for years.

% ldapadd -Dcn=Manager,dc=jayway,dc=se -wsomepwd -f /tmp/t.ldif
adding new entry "ou=groups,dc=jayway,dc=se"

adding new entry "c=Sweden,dc=jayway,dc=se"
ldap_add: Invalid DN syntax (34)

After some time of swearing and random changes, I managed to find out the following little piece of information (which seems rather obvious in hindsight): country (c) is supposed to be the two-letter ISO 3166 country code.

But hang on now, we have in the Spring LDAP samples successfully been using c=Sweden and c=Norway. What is this? Well, it’s actually very simple. Back in the good old days in 1997, the RFC2256 specified the c attribute (countryName) like this:

5.7. c

   This attribute contains a two-letter ISO 3166 country code
   (countryName).

    ( 2.5.4.6 NAME 'c' SUP name SINGLE-VALUE )

Note that they suggest only in text that it should be the two-letter ISO code. This is curious, since in fact there existed a syntax specification at that time, specified in RFC2252:

6.8. Country String

   ( 1.3.6.1.4.1.1466.115.121.1.11 DESC 'Country String' )

   A value in this syntax is encoded the same as a value of Directory
   String syntax.  Note that this syntax is limited to values of exactly
   two printable string characters, as listed in ISO 3166 [14].

      CountryString  = p p

   Example:
      US

In the newer spec RFC4519 from 2006, they are much stricter:

2.2.  'c'

   The 'c' ('countryName' in X.500) attribute type contains a two-letter
   ISO 3166 [ISO3166] country code.
   (Source: X.520 [X.520])

      ( 2.5.4.6 NAME 'c'
         SUP name
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.11
         SINGLE-VALUE )

   1.3.6.1.4.1.1466.115.121.1.11 refers to the Country String syntax
   [RFC4517].

   Examples: "DE", "AU" and "FR".

Note that they have added a SYNTAX directive, which means there is no escape any more. Apparently, later versions of OpenLDAP are using a core.schema that follows RFC4519. This is good, I guess. I just wish someone would have told me about it…
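The Country String syntax quoted above boils down to a checkable rule: exactly two characters from the RFC 4517 printable alphabet, and in practice an ISO 3166 alpha-2 code. Here is an added example (my own, not code from the post or from the Spring LDAP project) that lints an LDIF file for `c` values in DNs and attributes before `ldapadd` rejects them with "Invalid DN syntax (34)". The ISO 3166 table is a small constructed subset for the demo, the LDIF is a constructed sample modelled on the one above, and the DN and LDIF parsers are deliberately minimal (no base64 `::` values, no full RFC 4514 escaping).

```python
"""Lint an LDIF file for 'c' (countryName) values that break the RFC 4517
Country String syntax, so the problem is visible before ldapadd fails."""
import re

# RFC 4517 PrintableString alphabet; a Country String is exactly two of these.
_COUNTRY_STRING = re.compile(r"^[A-Za-z0-9'()+,\-./:?= ]{2}$")

# Constructed subset of ISO 3166-1 alpha-2 codes for this demo; a real
# deployment would load the full list (e.g. from the pycountry package).
ISO3166_ALPHA2 = {"SE", "NO", "DE", "AU", "FR", "US", "GB"}

# Attribute names (lower-cased) that carry the Country String syntax.
COUNTRY_ATTRS = {"c", "countryname"}


def check_country_string(value):
    """Return None if value is an acceptable Country String, else a reason."""
    if not _COUNTRY_STRING.match(value):
        return "not exactly two printable characters (RFC 4517 Country String)"
    if value.upper() not in ISO3166_ALPHA2:
        return "not an ISO 3166 alpha-2 code in the embedded table"
    return None


def split_dn(dn):
    """Yield (attr, value) for every RDN component of a DN.
    Splits on unescaped ',' and '+' (multi-valued RDNs); sufficient for
    hand-written LDIF, not a complete RFC 4514 parser."""
    for rdn in re.split(r"(?<!\\),", dn):
        for ava in re.split(r"(?<!\\)\+", rdn):
            attr, _, value = ava.partition("=")
            yield attr.strip().lower(), value.strip()


def parse_ldif(text):
    """Minimal LDIF reader: list of entries, each a list of (attr, value)
    pairs in file order. Handles folded continuation lines and comments."""
    entries, current = [], []
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                entries.append(current)
            current = []
        elif line.startswith(" ") and current:
            # Folded line: append to the previous attribute's value.
            attr, value = current[-1]
            current[-1] = (attr, value + line[1:])
        else:
            attr, _, value = line.partition(":")
            current.append((attr.strip().lower(), value.strip()))
    if current:
        entries.append(current)
    return entries


def lint_ldif(text):
    """Return (dn, where, value, reason) for every offending country value,
    checking both the RDNs of the DN and the entry's own attributes."""
    findings = []
    for entry in parse_ldif(text):
        dn = next((v for a, v in entry if a == "dn"), "<no dn>")
        for attr, value in split_dn(dn):
            if attr in COUNTRY_ATTRS:
                reason = check_country_string(value)
                if reason:
                    findings.append((dn, "dn", value, reason))
        for attr, value in entry:
            if attr in COUNTRY_ATTRS:
                reason = check_country_string(value)
                if reason:
                    findings.append((dn, attr, value, reason))
    return findings


# Constructed sample LDIF: one good entry, one pre-RFC4519 style entry that
# OpenLDAP 2.4 rejects, and one that is syntactically two characters but
# not a known ISO 3166 code.
SAMPLE_LDIF = """\
dn: ou=groups,dc=jayway,dc=se
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: c=Sweden,dc=jayway,dc=se
objectClass: top
objectClass: country
c: Sweden

dn: c=SE,dc=jayway,dc=se
objectClass: top
objectClass: country
c: SE

dn: c=XX,dc=jayway,dc=se
objectClass: top
objectClass: country
c: XX
"""

if __name__ == "__main__":
    for dn, where, value, reason in lint_ldif(SAMPLE_LDIF):
        print(f"{dn}: {where} value {value!r}: {reason}")
```

Run against the sample, the linter flags `c=Sweden` twice (once in the DN, once as an attribute) and `XX` twice for not being in the code table, while the `c=SE` entry passes; the same check is useful as a pre-commit step for LDIF fixtures so a schema tightening like the 2.4 one shows up in review rather than at import time.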

This Post Has One Comment

  1. It must have been very hard to find what was causing this error when importing the LDIF. Nice work and very good post. Cheers
