Mike Hulsman wrote:
Hi, I stumbled upon a difference between openldap 2.4.30 and 2.3.43. This is my configuration. X509 certificates are stored in the directory and a search is done with: (&(mail=aaa@a.b)(userCertificate:certificateMatch:=<binary certificate)) If that is a match the uid must be returned. That is working on 2.3.43, but when I try that on 2.4.30 it does not work, and when I start debugging I see filter="(&(mail=aaa@a.b)(?=undefined))" in the logfiles.
The certificateMatch rule takes a certificateAssertion, not a certificate. Your filter value is invalid.
But it looks like there may also be a bug in 2.4.x, as the support for certificateMatch was removed in commit 4c64b8626d5b2b26256446dbc29f63ab45b5ec1d in March 2006. Not sure why, would have to check the email archives or ask Kurt.
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
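
The point made in the reply above, as an added example that is not part of the original thread: the value after `:=` must be an assertion, which RFC 4523 writes in GSER as `{ serialNumber N, issuer rdnSequence:"DN" }`, and it must be escaped per RFC 4515 before it goes into the filter. The function names and the sample serial and issuer are constructed; the rule name defaults to the `certificateMatch` used in the thread.

```python
# Added example: RFC 4523 certificate assertion embedded in an LDAP search filter.
# All function names and sample values here are constructed for illustration.

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string so it cannot alter the structure of the filter."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def gser_string(value: str) -> str:
    """GSER string: double-quoted, with each embedded quote doubled."""
    return '"' + value.replace('"', '""') + '"'


def parse_serial(serial) -> int:
    """Accept an int, or the hex text certificate tools print ('0A:1B', '0a1b')."""
    if isinstance(serial, int):
        return serial
    return int(serial.replace(":", "").strip(), 16)


def certificate_assertion(serial, issuer_dn: str) -> str:
    """Serial number (decimal) plus issuer DN in RFC 4514 string form."""
    if not issuer_dn.strip():
        raise ValueError("issuer DN is required")
    return "{ serialNumber %d, issuer rdnSequence:%s }" % (
        parse_serial(serial), gser_string(issuer_dn))


def certificate_filter(mail: str, serial, issuer_dn: str,
                       rule: str = "certificateMatch") -> str:
    """Same shape as the thread's filter, with an assertion instead of a certificate."""
    assertion = escape_filter_value(certificate_assertion(serial, issuer_dn))
    return "(&(mail=%s)(userCertificate:%s:=%s))" % (
        escape_filter_value(mail), rule, assertion)


if __name__ == "__main__":
    # Constructed sample certificate fields.
    print(certificate_filter("aaa@a.b", "0A:1B", "CN=Example CA,O=Example,C=NL"))
```

RFC 4523 also defines `certificateExactMatch`, whose assertion has the same two components; pass it as `rule` where that is the rule the server implements.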