
Re: Difference between 2.4.30 and 2.3.43 in certificateMatch.




Quoting Howard Chu <hyc@symas.com>:

Mike Hulsman wrote:

Quoting Howard Chu <hyc@symas.com>:

Mike Hulsman wrote:
Hi,

I stumbled upon a difference between openldap 2.4.30 and 2.3.43.

This is my configuration.
X509 certificates are stored in the directory and a search is done with:
(&(mail=aaa@a.b)(userCertificate:certificateMatch:=<binary
certificate)) if that is a match the uid must be returned.

That is working on 2.3.43 but when I try that on 2.4.30 it does not
work and I start debugging I see
filter="(&(mail=aaa@a.b)(?=undefined))" in the logfiles.

The certificateMatch rule takes a certificateAssertion, not a
certificate. Your filter value is invalid.
Sorry for the misunderstanding, I don't know all correct naming.
But from what I understand after a lot of reading I am doing a
certificateAssertion.

I try to do a certificateMatch on an octet string.

No. Read RFC4523.

After a lot of reading and testing I still cannot get it working.


I read RFC4523 and am now doing an ldap search of (usercertificate:certificateExactMatch:=certificate_serial_number$certificate_Issuer_DN)
Then I get an (?=undefined) in my logfile, so the query is not correct.
In my schema is 2.5.4.36 and 2.5.4.37 defined.

When I search on
(usercertificate=certificate_serial_number$certificate_Issuer_DN)
I see the query in the log so I assume it is ok, but in the debugging I see "illegal value for attributeType usercertificate"

What am I missing in this.

Regards,
Mike Hulsman

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



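As an added example that is not part of the thread and not OpenLDAP's own code: RFC 4523 section 2.1 defines the CertificateExactAssertion used by certificateExactMatch as a SEQUENCE of serialNumber and issuer, written in GSER (RFC 3641) as { serialNumber N, issuer rdnSequence:"DN" }, not as a raw certificate and not as a bare "serial$issuer" string. The script below extracts the serial number and issuer from a DER-encoded certificate with a minimal DER reader, renders the issuer as an RFC 4514 string DN, wraps it in that GSER form and embeds it in the (&(mail=...)(userCertificate:certificateExactMatch:=...)) search with RFC 4515 filter escaping. The certificate-shaped DER input is constructed inside the block and is not a real or valid X.509 certificate; the function names, the small OID-to-short-name table and the mail value are assumptions made for illustration.

```python
# Added example, not code from the original thread. It builds the GSER
# CertificateExactAssertion that RFC 4523 section 2.1 prescribes for
# certificateExactMatch, { serialNumber N, issuer rdnSequence:"DN" }, from
# the serial number and issuer of a DER certificate and embeds it in a search
# filter with RFC 4515 escaping. Only a few attribute OIDs are mapped to short
# names (an assumption; unknown types fall back to dotted OIDs).
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "2.5.4.11": "OU"}

def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split a constructed value's content into its (tag, content) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = der_read(content, pos)
        out.append((tag, value))
    return out

def decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def escape_rfc4514(value):
    """Escape one attribute value for the RFC 4514 string form of a DN."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def issuer_to_dn(name):
    """DER Name (SEQUENCE OF SET OF AttributeTypeAndValue) to RFC 4514 string;
    the string form lists the RDNs in reverse of their DER order."""
    rdns = []
    for _, rdn in der_children(name):
        parts = []
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)
            oid_s = decode_oid(oid)
            parts.append("%s=%s" % (OID_NAMES.get(oid_s, oid_s),
                                    escape_rfc4514(value.decode("utf-8"))))
        rdns.append("+".join(parts))
    return ",".join(reversed(rdns))

def cert_exact_assertion(cert):
    """Return the GSER CertificateExactAssertion for a DER-encoded certificate."""
    _, body, _ = der_read(cert, 0)          # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = der_read(body, 0)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    issuer = issuer_to_dn(fields[2][1])     # fields[1] is the signature AlgorithmIdentifier
    # GSER (RFC 3641) quoted strings escape an embedded double quote by doubling it
    return '{ serialNumber %d, issuer rdnSequence:"%s" }' % (serial, issuer.replace('"', '""'))

def escape_filter(value):
    """RFC 4515 escaping of a filter assertion value."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(mail, cert):
    """The search from the thread, with a valid certificateExactMatch assertion."""
    return "(&(mail=%s)(userCertificate:certificateExactMatch:=%s))" % (
        escape_filter(mail), escape_filter(cert_exact_assertion(cert)))

# --- constructed sample input: certificate-shaped DER, NOT a real or valid X.509 cert ---
def der(tag, content):
    """Minimal DER TLV encoder for the sample (short and two-byte long lengths)."""
    n = len(content)
    return bytes([tag, n]) + content if n < 0x80 else bytes([tag, 0x82]) + n.to_bytes(2, "big") + content

def rdn(oid_der, value):                    # SET { SEQUENCE { type OID, value UTF8String } }
    return der(0x31, der(0x30, oid_der + der(0x0C, value.encode("utf-8"))))

def sample_cert(org):
    """Version v3, serial 0x1234, issuer (DER order) C=NL, O=<org>, CN=Example CA."""
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x12\x34")
           + der(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")   # sha256WithRSAEncryption
           + der(0x30, rdn(b"\x06\x03\x55\x04\x06", "NL") + rdn(b"\x06\x03\x55\x04\x0a", org)
                 + rdn(b"\x06\x03\x55\x04\x03", "Example CA")))
    return der(0x30, der(0x30, tbs))
```

build_filter("aaa@a.b", sample_cert("Example")) yields (&(mail=aaa@a.b)(userCertificate:certificateExactMatch:={ serialNumber 4660, issuer rdnSequence:"CN=Example CA,O=Example,C=NL" })). An issuer containing a comma, such as O=Example, Inc., is escaped twice on purpose: once as \, inside the RFC 4514 DN string and once more as \5c when the whole assertion is placed in the RFC 4515 filter, so the server decodes the filter back to the DN string the GSER value needs.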