I just upgraded my OpenLDAP to 2.4.21 and suddenly I couldn’t load an LDIF that we in Spring LDAP have used successfully for years.
    % ldapadd -Dcn=Manager,dc=jayway,dc=se -wsomepwd -f /tmp/t.ldif
    adding new entry "ou=groups,dc=jayway,dc=se"
    adding new entry "c=Sweden,dc=jayway,dc=se"
    ldap_add: Invalid DN syntax (34)
After some time of swearing and random changes, I managed to find out the following little piece of information (which seems rather obvious in hindsight): country (c) is supposed to be the two-letter ISO 3166 country code.
But hang on now, in the Spring LDAP samples we have been successfully using c=Sweden and c=Norway. What is this? Well, it’s actually very simple. Back in the good old days in 1997, RFC2256 specified the c attribute (countryName) like this:
    5.7. c
    This attribute contains a two-letter ISO 3166 country code (countryName).
    ( 2.5.4.6 NAME 'c' SUP name SINGLE-VALUE )
Note that only the text suggests it should be the two-letter ISO code; the attribute definition itself carries no SYNTAX clause. This is curious, since a syntax specification did exist at that time, in RFC2252:
    6.8. Country String
    ( 1.3.6.1.4.1.1466.115.121.1.11 DESC 'Country String' )
    A value in this syntax is encoded the same as a value of Directory String syntax. Note that this syntax is limited to values of exactly two printable string characters, as listed in ISO 3166.
    CountryString = p p
    Example: US
In the newer spec RFC4519 from 2006, they are much more strict:
    2.2. 'c'
    The 'c' ('countryName' in X.500) attribute type contains a two-letter ISO 3166 [ISO3166] country code. (Source: X.520 [X.520])
    ( 2.5.4.6 NAME 'c' SUP name SYNTAX 1.3.6.1.4.1.1466.115.121.1.11 SINGLE-VALUE )
    1.3.6.1.4.1.1466.115.121.1.11 refers to the Country String syntax [RFC4517].
    Examples: "DE", "AU" and "FR".
Note that they have added a SYNTAX directive, which means there is no escape any more. Apparently, later versions of OpenLDAP are using a core.schema that follows RFC4519. This is good, I guess. I just wish someone would have told me about it…
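A pre-flight check for the failure described above, as an added example that is not part of the original post: it scans an LDIF for c values, both inside DNs and as attributes, that are not two PrintableString characters (the Country String syntax of RFC 4517). The function names and the sample LDIF are constructed for illustration, and the check covers syntax only, not membership in ISO 3166.

```python
import base64
import re

# Country String (RFC 4517): exactly two PrintableString characters.
COUNTRY_STRING = re.compile(r"[A-Za-z0-9'()+,\-.=/:? ]{2}")
COUNTRY_NAMES = {"c", "countryname", "2.5.4.6"}  # names and OID of the c attribute

# Constructed sample, modelled on the DNs in the post.
SAMPLE_LDIF = """\
dn: c=Sweden,dc=jayway,dc=se
objectClass: country
c: Sweden

dn: c=NO,dc=jayway,dc=se
objectClass: country
c: NO
"""

def unfold(ldif_text):
    """Join folded continuation lines (leading space) and drop comments."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return [l for l in lines if not l.startswith("#")]

def parse_line(line):
    """Return (attribute name, value), decoding 'attr:: base64' values."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    return attr.split(";")[0].strip().lower(), rest.strip()

def bad_country_values(ldif_text):
    """List (dn, where, value) for each c value that is not a Country String."""
    findings, dn = [], None
    for line in filter(str.strip, unfold(ldif_text)):  # skip blank separators
        name, value = parse_line(line)
        pairs = [("attribute", name, value)]
        if name == "dn":  # check every attribute=value pair of every RDN
            dn = value
            pairs = [("dn", *ava.partition("=")[::2]) for ava in re.split(r"(?<!\\)[,+]", dn)]
        for where, key, val in pairs:
            if key.strip().lower() in COUNTRY_NAMES and not COUNTRY_STRING.fullmatch(val.strip()):
                findings.append((dn, where, val.strip()))
    return findings
```

Running bad_country_values(SAMPLE_LDIF) reports the c=Sweden entry twice, once for its DN and once for its c attribute, and passes c=NO.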