On 07/28/2009 11:58 AM, Howard Chu wrote:
The aci attribute is currently defined with a syntax of IA5 String. This syntax only allows 7-bit characters. Now that the server has support for syntax validation, this would prevent one from using international characters in aci rules. This patch defines the aci attribute with the Directory String syntax, which allows any valid UTF8 character.
Y'know, LDAP/X.500 requires that existing schema items must never be changed once they're in use. When you want to change something like this, usually you must define a new attributeType with a new OID for the purpose. Probably not so important given the history of schema checking in this code, but an fyi...
Thanks for the heads up. In this case, there are likely people with aci values out in the wild that are not 7-bit clean, despite the fact that the attribute is defined as an IA5 String. These aci values have worked just fine since we only recently added syntax validation when adding attribute values. Not changing the syntax of the aci attribute to Directory String would break existing deployments that have been depending on this functionality, hence the decision to modify the existing definition.
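
The distinction discussed in this thread, as an added example that is not part of the original messages or the project's code: a Python audit that reads aci values from an LDIF export and sorts them into 7-bit clean (valid under IA5 String), valid UTF-8 only (rejected under IA5 String, accepted under Directory String), and neither. The sample LDIF, the aci values in it and the function names are constructed for illustration; `aci:<` URL references and attribute options are not handled.

```python
import base64

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

# Constructed aci value containing one non-ASCII character (U+00E8).
NON_ASCII_ACI = ('(targetattr="cn")(version 3.0; acl "r\u00e8gle"; '
                 'allow (read) userdn="ldap:///anyone";)')

# Constructed sample LDIF. "aci::" marks a base64 value; a line starting
# with one space continues the previous line (LDIF folding).
SAMPLE_LDIF = (
    "dn: ou=people,dc=example,dc=com\n"
    'aci: (targetattr="cn")(version 3.0; acl "ascii rule"; allow (read)\n'
    '  userdn="ldap:///anyone";)\n'
    f"aci:: {_b64(NON_ASCII_ACI.encode('utf-8'))}\n"     # valid UTF-8
    f"aci:: {_b64(NON_ASCII_ACI.encode('latin-1'))}\n"   # 8-bit, not UTF-8
)

def aci_values(ldif: str):
    """Yield the raw bytes of every aci value, unfolding continuation lines."""
    lines = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]          # drop the single folding space
        else:
            lines.append(line)
    for line in lines:
        name, sep, rest = line.partition(":")
        if not sep or name.lower() != "aci":
            continue
        if rest.startswith(":"):           # "aci:: <base64>"
            yield base64.b64decode(rest[1:].strip())
        else:                              # "aci: <plain value>"
            yield rest.lstrip(" ").encode("utf-8")

def classify(value: bytes) -> str:
    """Say which of the two syntaxes from the thread would accept the value."""
    if all(b < 0x80 for b in value):
        return "ia5"            # 7-bit clean: passes both syntaxes
    try:
        value.decode("utf-8")   # strict decoder rejects malformed sequences
        return "utf8-only"      # fails IA5 String, passes Directory String
    except UnicodeDecodeError:
        return "invalid"        # fails both syntaxes

def audit(ldif: str):
    return [classify(v) for v in aci_values(ldif)]

if __name__ == "__main__":
    for value, verdict in zip(aci_values(SAMPLE_LDIF), audit(SAMPLE_LDIF)):
        print(f"{verdict:10} {value[:60]!r}")
```

Values reported as `utf8-only` are the ones that start failing once syntax validation is enforced against the IA5 String definition; `invalid` values need re-encoding under either definition.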