[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd-sql with unixodbc - userCertificate retrieval problem

To: Kevin Vargo <vargok@yahoo.com>
Subject: Re: slapd-sql with unixodbc - userCertificate retrieval problem
From: Pierangelo Masarati <ando@sys-net.it>
Date: Tue, 06 Mar 2007 19:01:06 +0100
Cc: openldap-software@OpenLDAP.org
In-reply-to: <20070306163736.87959.qmail@web54613.mail.yahoo.com>
References: <20070306163736.87959.qmail@web54613.mail.yahoo.com>
User-agent: Thunderbird 1.5.0.8 (X11/20061025)

Kevin Vargo wrote:

On Wed, 2006-06-07 at 17:31 +0200, Pierangelo Masarati wrote:

Store the certificate in the RDBMS in the form that is appropriate for
its value.  In fact, back-sql doesn't do any mucking on the value of
your certificate; if you base64-encode it, back-sql cannot know.
Moreover, back-sql is very poor at dealing with binary objects, so you
might be off even if you succeed in storing the certificate in binary
form.

I guess a reasonable approach would be to use BLOB data type and make
sure back-sql can handle it accordingly.

p.


Has anyone else had success using userCertificates?  I've placed the
Base-64 encoded certificate data in the database.  However upon attempted
retrieval, I get an error attempting to validate the attribute:
  unable to validate value #0 of AttributeDescription userCertificate

What the above message says is that it's pointless to store the certificate in the database in base64, because back-sql returns the value as is, and slapd expects it to be an octet string containing the certificate, not its base64 representation.

So I #undef'd the pretty/validate directive in back-sql.h (BACKSQL_PRETTY_VALIDATE)
but this only resulted in getting the normalization error:
  unable to normalize value #0 of AttributeDescription userCertificate

Same as above. Validators for certificates are already present in slapd, and, of course, they expect valid certificates.

Any ideas?  As well, is there any documentation on writing validators?
I wasn't able to locate any so far.

Write the certificate to the database as is, not base64 encoded, using a BLOB. And, there's no guarantee it works. As usual, if you succeed, patches are welcome.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------

Prev by Date: Re: accesslog overlay and 'logops all', Can't get get cn=Monitor running and problem with ppolicy (pwdAttribute)
Next by Date: Re: syncrepl updates from consumer
Index(es):
- Chronological
- Thread