Re: (ITS#4644) cannot import entries with certificates because certificateExactNormalize fails
n.klasen@dpcom.de wrote:
> Full_Name: Norbert Klasen
> Version: 2.3.35
> OS: Solaris 10
> URL:
> Submission from: (NULL) (149.239.16.244)
>
>
> Hi,
> I cannot import the entry attached below into any recent slapds. I think this is
> due to the fact that slapd tries to parse the certificate to support the
> CertificateExact matching rule. This certificate has an issuer with T.61 RDNs
> that include Umlaut characters and are actually T.61 encoded. Not just Latin-1
> tagged as T.61 as is quite common (see
> http://www.openldap.org/lists/openldap-devel/200204/msg00128.html).
Further analysis has shown that the T.61 encoded RDNs don't make
ldap_X509dn2bv fail. It is rather due to the DN mapping in
LDAPDN_rewrite. This certificate includes an RDN of attribute type
0.2.262.1.10.7.20 'nameDistinguisher' that is not defined by default.
After adding a definition for it to the schema, the entry is imported
just fine.
While tracing LDAPDN_rewrite I came across a "proxy" attribute type. But
I haven't found out its purpose yet.
Shouldn't LDAPDN_rewrite use the numeric oid and a #hex encoded value
with unknown attribute types?
Norbert
# Telesec attribute types
attributetype ( 0.2.262.1.10.7.20
    NAME 'nameDistinguisher'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )
>
> Would it be possible for ldap_X509dn2bv to first try ldap_ucs_to_utf8s and if
> that fails try ldap_t61s_to_utf8s in case of V_ASN1_T61STRING?
>
> BTW: If run with LDAP_DEBUG_TRACE slapd dumps core in dnX509normalize because
> out->bv_val is NULL.
>
> Norbert
>
> dn: ou=CA DER DEUTSCHEN POST 5:PN,o=Deutsche Post AG,c=de
> objectClass: organizationalUnit
> objectClass: pkiCA
> ou: CA DER DEUTSCHEN POST 5:PN
> cACertificate;binary:: MIICUjCCAb6gAwIBAgIDD2ptMAoGBiskAwMBAgUAMG8xCzAJBgNVBAY
> TAkRFMT0wOwYDVQQKFDRSZWd1bGllcnVuZ3NiZWjIb3JkZSBmyHVyIFRlbGVrb21tdW5pa2F0aW9u
> IHVuZCBQb3N0MSEwDAYHAoIGAQoHFBMBMTARBgNVBAMUCjRSLUNBIDE6UE4wIhgPMjAwMDA0MTIwO
> DIyMDNaGA8yMDA0MDQxMjA4MjIwM1owWzELMAkGA1UEBhMCREUxGTAXBgNVBAoUEERldXRzY2hlIF
> Bvc3QgQUcxMTAMBgcCggYBCgcUEwExMCEGA1UEAxQaQ0EgREVSIERFVVRTQ0hFTiBQT1NUIDU6UE4
> wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIH3c+gig1KkY5ceR6n/AMq+xz7hi3f0PMdpwIe2
> v2w6Hu5kjipe++NvU3r6wakIY2royHl3gKWrExOisBico9aQmn8lMJnWZ7SUbB+WpRn0mAWNZM9YT
> +/U5hRCffeeuLWClzrbScaWnAeaaI0G+N/QKnSSjrV/l64jogyADWCTAgMBAAGjEjAQMA4GA1UdDw
> EB/wQEAwIBBjAKBgYrJAMDAQIFAAOBgQAaV5WClEneXk9sLO8zTQAsf4KvDaLd1BFcFeYM7kLLRHK
> eWQ0MAd0xkuAMme5NVwWNpNZP74B4HX7Q/Q0h/wo/9LTgQaxw52lLs4Ml0HUyJbSFjoQ+sqgjg2fG
> NGw7aGkVNY5dQTAy8oSviG8mxTsQ7Fxaush3cIB0qDDwXar/hg==
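
Added example (not part of the original message and not OpenLDAP code): the RFC 4514 fallback the reply asks about, where an AttributeTypeAndValue with an unrecognized type is written as its numeric OID followed by a #hex dump of the BER-encoded value. The KNOWN table, the function names and the sample bytes are assumptions constructed for illustration; the first sample pairs the nameDistinguisher OID from the message with a PrintableString value.

```python
KNOWN = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}  # assumed, not slapd's schema
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}  # UTF8/Printable/IA5

def read_tlv(buf, pos):
    """Return (tag, contents, raw TLV, next offset); short-form lengths only."""
    end = pos + 2 + buf[pos + 1]
    if buf[pos + 1] & 0x80 or end > len(buf):
        raise ValueError("long-form or truncated TLV")
    return buf[pos], buf[pos + 2:end], buf[pos:end], end

def decode_oid(body):
    """DER OID contents -> dotted decimal."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if byte & 0x80:
            continue  # more base-128 digits follow
        if not arcs:  # the first subidentifier packs two arcs
            first = min(value // 40, 2)
            arcs = [first, value - 40 * first]
        else:
            arcs.append(value)
        value = 0
    return ".".join(map(str, arcs))

def escape(text):
    """Escape a string value per RFC 4514 section 2.4."""
    chars = ["\\" + c if c in '"+,;<>\\' else c for c in text]
    if chars and chars[0] in (" ", "#"):
        chars[0] = "\\" + chars[0]
    if len(chars) > 1 and chars[-1] == " ":
        chars[-1] = "\\ "
    return "".join(chars).replace("\x00", "\\00")

def atv_to_string(der):
    """Known type with a string value -> NAME=value; anything else -> OID=#hex."""
    tag, seq, _, _ = read_tlv(der, 0)
    otag, oid_body, _, pos = read_tlv(seq, 0)
    vtag, vbody, vraw, _ = read_tlv(seq, pos)
    if tag != 0x30 or otag != 0x06:
        raise ValueError("not an AttributeTypeAndValue")
    oid = decode_oid(oid_body)
    if oid in KNOWN and vtag in STRING_TAGS:
        return KNOWN[oid] + "=" + escape(vbody.decode(STRING_TAGS[vtag]))
    return oid + "=#" + vraw.hex()  # type unknown: keep the BER bytes verbatim

# Constructed samples: unknown type 0.2.262.1.10.7.20, and a known C=DE.
UNKNOWN_ATV = bytes.fromhex("300c0607028206010a0714130131")
COUNTRY_ATV = bytes.fromhex("3009060355040613024445")
```

With this fallback a DN stays representable without any schema definition for the attribute type, because the value is carried as opaque BER bytes rather than interpreted.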