CertificateExactMatch for the ldap HEAD branch (ITS#2719/ITS#2771).
ITS#2771 contains a patch for ldap-head that implements certificateExactMatch.
Two types of queries are supported:
'userCertificate=0$email=ca@snakeoil.dom,cn=snake oil ca,ou=certificate authority,o=snake oil, ltd,l=snake town,st=snake desert,c=xy'
userCertificate;binary=\30\82\03\ae.....
For compatibility, the 'old' syntax still works:
userCertificate=0 $ email=ca@snakeoil.dom,cn=snake oil ca,ou=certificate authority,o=snake oil, ltd,l=snake town,st=snake desert,c=xy
The queries below also work but are not recommended:
userCertificate;binary=0$email=ca@snakeoil.dom,cn=snake oil ca,ou=certificate authority,o=snake oil, ltd,l=snake town,st=snake desert,c=xy
userCertificate=30\82\03\ae.... (mod_authz_ldap)
For example, mod_authz_ldap (the Apache LDAP strong-authentication module) uses the last query type, so it is allowed for compatibility.
Out of mod_authz_ldap:
-----
/* build a filter for the certificate map */
if (sec->certdirect) {
    ap_snprintf(filter, MAX_STRING_LEN,
                "(&(userCertificate=%s)"
                "(objectClass=strongAuthenticationUser))", certificate);
-----
Internally, certificates are normalized to the serial$issuerdn format and then stored and retrieved with octetStringIndexer/OctetStringMatch, etc.
Note: if the issuerdn contains a comma, like the snake oil cert in the example above, then this comma is removed before indexing; dnNormalize will not allow DNs with a comma. Are there any other characters that I should be aware of?
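As an added illustration (not part of the ITS#2771 patch or of mod_authz_ldap), the Python below builds the serial$issuerDN assertion value from a constructed copy of the snake oil issuer DN, escapes the embedded comma in "snake oil, ltd" per RFC 4514 and the resulting backslash per RFC 4515 when the value is placed in a search filter, and parses both the new and the old (spaces around '$') syntax. The DN values are constructed and the escaping follows the RFCs rather than whatever the patch's internal normalizer does.

```python
"""Build/parse certificateExactMatch assertion values (serial$issuerDN)."""
import re

# Constructed issuer DN from the snake oil example, in RFC 4514 string order
# (most specific RDN first). The comma inside "snake oil, ltd" is the value
# that breaks a naive DN string and must be escaped.
SNAKE_OIL_ISSUER = [
    ("email", "ca@snakeoil.dom"), ("cn", "snake oil ca"),
    ("ou", "certificate authority"), ("o", "snake oil, ltd"),
    ("l", "snake town"), ("st", "snake desert"), ("c", "xy"),
]

def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping of special characters in an RDN attribute value."""
    out = value.replace("\\", "\\\\")          # backslash first
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.startswith(("#", " ")):             # leading '#' or space
        out = "\\" + out
    if out.endswith(" "):                       # trailing space
        out = out[:-1] + "\\ "
    return out

def build_assertion(serial: int, issuer_rdns) -> str:
    """serial$issuerDN, with the DN rendered as an RFC 4514 string."""
    dn = ",".join(f"{t}={escape_rdn_value(v)}" for t, v in issuer_rdns)
    return f"{serial}${dn}"

_ASSERTION = re.compile(r"^\s*(\d+)\s*\$\s*(.+?)\s*$")

def parse_assertion(value: str):
    """Accept 'serial$dn' and the old 'serial $ dn' form; return (int, dn)."""
    m = _ASSERTION.match(value)
    if not m:
        raise ValueError(f"not a serial$issuerDN assertion: {value!r}")
    return int(m.group(1)), m.group(2)

def filter_escape(value: str) -> str:
    """RFC 4515 escaping for an assertion value inside a search filter."""
    return (value.replace("\\", "\\5c").replace("(", "\\28")
                 .replace(")", "\\29").replace("*", "\\2a")
                 .replace("\0", "\\00"))

def build_filter(serial: int, issuer_rdns) -> str:
    """Filter equivalent to the mod_authz_ldap one, with proper escaping."""
    value = filter_escape(build_assertion(serial, issuer_rdns))
    return (f"(&(userCertificate={value})"
            "(objectClass=strongAuthenticationUser))")

if __name__ == "__main__":
    print(build_filter(0, SNAKE_OIL_ISSUER))
```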
A large part of the code has been changed and now uses standard OpenSSL routines where possible. It has been tested with openssl 0.9.6/0.9.7/openssl-SNAP and a large data set with certificates from many different CAs.
Please let me know if additional work is needed,
Mark Ruijter