
Re: slapd-sql with unixodbc - userCertificate retrieval problem



Kevin Vargo wrote:

> Right; except that in ITS#3113, you explicitly state that back-sql
> should refuse binary data,

I said that no ";binary" should be used. That's different from refusing binary data, don't you agree?


p.

> don't you?  Granted, that was a while
> back, however, I've not found mention of where that directive has
> been obsoleted.  As well the retrieval errors are consistent with
> invalid binary->text conversion upon selection out of the database.
>
> Namely, error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
> tag error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested
> asn1 error
>
> So, how do I (a) tell Back-SQL that the data is binary or (b) do
> something else.

You don't need to tell back-sql if data is binary or not: it already knows how to deal with data based on their syntax. You need to tell the RDBMS that it's storing binary data, and store the certificate in the RDBMS as binary. If you store the certificate in base64, then back-sql (actually, the certificate's validator; back-sql just passes octet strings around) doesn't know what to do with it.


> Note that this is the OpenSSL invoked by the X.509 validator
> (assuming TLS was turned on), even though the certificate in question
> is not being used for TLS.  However, the normalization still fails,
> even (as mentioned) if validation is disabled.  I'm assuming the
> normalization failure would be related, although I haven't gotten
> there yet.


TLS has nothing to do with this. OpenLDAP just needs to be compiled with ssl to have certificate handling routines around.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
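The following is an added illustration of the point made in the reply above; it is not OpenLDAP or back-sql code and the names `der_header`, `check_certificate_der`, `to_der` and `demo` are my own. It models the first check a DER Certificate decoder makes (outer tag must be SEQUENCE, 0x30, and the encoded length must match the blob), which is exactly where base64 text fails: the text starts with "MII" (0x4d), so the decoder reports "wrong tag" before it gets anywhere. The sample blob is constructed (a 300-byte SEQUENCE wrapping an OCTET STRING), not a real certificate, but it has the same outer shape as one.

```python
import base64
import binascii
import textwrap


class DerError(ValueError):
    """The blob is not a well-formed outer DER SEQUENCE (the class of failure
    OpenSSL reports as ASN1_CHECK_TLEN:wrong tag / nested asn1 error)."""


def der_header(blob: bytes):
    """Parse the tag and length of the outermost DER TLV.

    Returns (tag, length, header_len). Only the outer header is inspected;
    the contents are not walked.
    """
    if len(blob) < 2:
        raise DerError("too short for a TLV header")
    tag, first = blob[0], blob[1]
    if first < 0x80:                       # short-form length
        return tag, first, 2
    n = first & 0x7F                       # long form: number of length octets
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise DerError("invalid long-form length")
    length = int.from_bytes(blob[2:2 + n], "big")
    if length < 0x80 or blob[2] == 0:      # DER requires minimal length encoding
        raise DerError("non-minimal length encoding")
    return tag, length, 2 + n


def check_certificate_der(blob: bytes) -> int:
    """Outer check a DER Certificate decoder makes first: tag must be
    SEQUENCE (0x30) and the encoded length must match the blob size.
    Returns the content length on success."""
    tag, length, hlen = der_header(blob)
    if tag != 0x30:
        raise DerError(f"wrong tag 0x{tag:02x}, expected SEQUENCE 0x30")
    if hlen + length != len(blob):
        raise DerError(f"length mismatch: header says {length}, "
                       f"blob carries {len(blob) - hlen}")
    return length


def to_der(value) -> bytes:
    """Return DER bytes for a value stored as DER, as a PEM block, or as bare
    base64 text. Assumed helper: this conversion has to happen before the
    value reaches back-sql, which only passes octet strings along."""
    data = value.encode("ascii") if isinstance(value, str) else bytes(value)
    try:
        check_certificate_der(data)
        return data                        # already DER: pass through unchanged
    except DerError:
        pass
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as exc:
        raise DerError("neither DER nor ASCII-armored text") from exc
    lines = [ln.strip() for ln in text.splitlines()]
    b64 = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise DerError("not valid base64 either") from exc
    check_certificate_der(der)             # the decoded bytes must be DER too
    return der


# Constructed sample (not a real certificate): outer SEQUENCE of 300 bytes
# holding one OCTET STRING of 296 bytes. Outer header 30 82 01 2c means the
# base64 form starts with "MIIB", just like a real certificate's does.
_BODY = bytes(range(256)) + bytes(40)                          # 296 bytes
SAMPLE_DER = b"\x30\x82\x01\x2c" + b"\x04\x82\x01\x28" + _BODY
SAMPLE_B64 = base64.b64encode(SAMPLE_DER)                      # b"MIIB..."
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(SAMPLE_B64.decode("ascii"), 64))
              + "\n-----END CERTIFICATE-----\n")


def demo():
    """Feed each storage form straight to the DER check, as back-sql would."""
    results = {}
    for label, value in (("der", SAMPLE_DER), ("base64", SAMPLE_B64),
                         ("pem", SAMPLE_PEM)):
        raw = value if isinstance(value, bytes) else value.encode("ascii")
        try:
            check_certificate_der(raw)
            results[label] = "accepted as DER"
        except DerError as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:7s} {outcome}")
```

Running it shows only the raw DER form passing the check; the base64 and PEM forms are rejected with "wrong tag 0x4d" and "wrong tag 0x2d", the same class of error as the ASN1_CHECK_TLEN message quoted above. The fix the reply recommends is on the storage side: declare the column with a binary type (for example PostgreSQL `bytea`) and insert the DER bytes, so that what back-sql hands to the certificate validator is already DER.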