Hi

a) I have extracted the user certificate from the directory to a file using "ldapsearch -t .... ". I've encoded the result file with hexdump and added slashes (and double slashes, and also tested with reversing the byte order). I am using the result as a search filter against the directory, and no results.

b) I've copy/pasted all the values from the Apache error_log (which comes from the user browser) and used them as a filter to ldapsearch, and nothing:

userCertificate=\\30\\82\\07\\38\\30\\82\\06\\20\\a0\\03\\02\\01\\02\\02\\08\\d9\\33\\e0\\f2\\f9\\5d\\0f\\30\\0d\\06\\09\\2a\\86\\48\\86 etc etc etc

The a) and b) filters are the same, so I think I am doing the right tests, without errors. I don't have any more ideas... :( help.....

c) I will make every test again next Monday just to be sure I didn't copy/paste any error.

I am starting to think of making some smaller test case with some other binary fields, like a jpg for example. What do you think? Add an image attribute to the user, load a very small (1x1) jpg, hexdump it to a file and try to feed it to ldapsearch until I get something.

This is the only idea I have so far that other users could test without too much effort and compare results with me....

Luis

> >> ldapsearch -x -h 10.15.254.148 -p 389 -D "cn=root,dc=cm-lisboa,dc=pt" -w
> >> ***** -s sub -b "ou=AuthzLDAPCertmap,dc=cm-lisboa,dc=pt"
> >> '(&(userCertificate;binary=\\30\\82\\07\\38\\30\\82\\06\\20\\a0\\03\\02\\01\\02\\02\\08\\d9\\33\\e0\\f2\\f9\\5d\\0f\\30\\0d\\06\\09\\2a\\86\\48\\86
> >> etc etc etc )(objectClass=strongAuthenticationUser))'
> >
>
> It is legal to use an octet string for certificateExactMatch. In OpenLDAP the
> octet string is simply parsed and turned into a certificate assertion value
> and then matched as usual.
>
> Probably the encoding of his filter value is just wrong. And of course, it
> would be simpler to just use a certificate assertion value instead.
>
> --
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/
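
Added example, not part of the original message or of OpenLDAP: a round-trip check for the octet-string form of the filter discussed above. It writes DER bytes the way RFC 4515 escapes them (one backslash and two hex digits per octet) and decodes a candidate filter value back to octets, so the value can be compared with the certificate before it is handed to ldapsearch. The function names are hypothetical, and the sample bytes are only the truncated prefix quoted in the post, not a complete certificate.

```python
import string

HEX = set(string.hexdigits)

def escape_octets(data: bytes) -> str:
    """Write every octet as one backslash plus two hex digits (RFC 4515)."""
    return "".join(f"\\{b:02x}" for b in data)

def unescape_value(value: str) -> bytes:
    """Strictly decode an RFC 4515 assertion value back to octets."""
    out, i = bytearray(), 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            pair = value[i + 1:i + 3]
            if len(pair) != 2 or not set(pair) <= HEX:
                raise ValueError(f"backslash at offset {i} lacks two hex digits")
            out.append(int(pair, 16))
            i += 3
        elif ch in "()*":
            raise ValueError(f"unescaped {ch!r} at offset {i}")
        else:
            out.extend(ch.encode("utf-8"))
            i += 1
    return bytes(out)

def check_value(der: bytes, value: str) -> str:
    """Report whether a filter value decodes to exactly the DER octets."""
    try:
        decoded = unescape_value(value)
    except ValueError as exc:
        return f"invalid: {exc}"
    if decoded == der:
        return "ok"
    shorter = min(len(decoded), len(der))
    first = next((i for i in range(shorter) if decoded[i] != der[i]), shorter)
    return f"mismatch at octet {first}"

def build_filter(der: bytes, attr: str = "userCertificate;binary") -> str:
    """Assemble the same AND filter shape used in the quoted command."""
    return f"(&({attr}={escape_octets(der)})(objectClass=strongAuthenticationUser))"

# Constructed sample: the truncated prefix quoted in the post (30 octets).
SAMPLE = bytes.fromhex("30 82 07 38 30 82 06 20 a0 03 02 01 02 02 08 "
                       "d9 33 e0 f2 f9 5d 0f 30 0d 06 09 2a 86 48 86")

if __name__ == "__main__":
    single = escape_octets(SAMPLE)
    print(check_value(SAMPLE, single))                        # single backslashes
    print(check_value(SAMPLE, single.replace("\\", "\\\\")))  # doubled backslashes
    print(check_value(SAMPLE, escape_octets(SAMPLE[::-1])))   # reversed byte order
    print(build_filter(SAMPLE))
```

Inside single quotes a POSIX shell passes backslashes through unchanged, so the string printed by build_filter can be given to ldapsearch as is.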