Fwd: Difference between 2.4.30 and 2.3.43 in certificateMatch.

To: openldap-technical@openldap.org

Subject: Fwd: Difference between 2.4.30 and 2.3.43 in certificateMatch.

From: Erwann Abalea <eabalea@gmail.com>

Date: Mon, 3 Dec 2012 17:34:59 +0100

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=XiQFOVgnDPlS1k1u1MKS8WPgGrK2mETQwVhfGRsdtVk=; b=LHqyIhwFBNdhoGTvWfupdFUwcrHPThxK0C4eusZH1hC4h+H9XNHguNgte5ODsaMTPh zpVi2yB543jTuTV8XOT146bAQ3JrPvtlCJYog4TPWtHwpjUBp62s67CW/V/O2lQpVvil AidQM5jddv4PgR8QtswARMnzhraU8qbX/adDn4u9HMUPf0CD0Z1E1//ZSwwX34O7Xwmu EWIp3/NM/HE1X70oYmTImL6vDuuZn0ma/6r7Wglk+9wDyZdjGxUqJiN0LPY4X7NVCqYx ZZVsGlW8wS26cIndHEJNit/EIS5wdPfznACQt7j1a/UsR0r17da8xvuggurpNzKWwP5w WGFg==

In-reply-to: <CA+i=0E4qfwEewE3_po9rbz7YWJQ0OWMKYbXk=Tw-w6=AB1RR4w@mail.gmail.com>

References: <20121127153603.36563itz0rpik2io@www.hulsman.net> <50B513E9.7050606@symas.com> <20121128111315.50663sqg9npb0q80@www.hulsman.net> <50B62E13.50802@symas.com> <20121203150609.17172yj1maam4l44@www.hulsman.net> <CA+i=0E54VrBXJnHwZAAOkbpzYWVEGDi6=pt3r6D2=-nXUi4FRw@mail.gmail.com> <20121203163733.72621afni84di1xc@www.hulsman.net> <CA+i=0E4qfwEewE3_po9rbz7YWJQ0OWMKYbXk=Tw-w6=AB1RR4w@mail.gmail.com>

---------- Forwarded message ----------
From: Erwann Abalea <eabalea@gmail.com>
Date: 2012/12/3
Subject: Re: Difference between 2.4.30 and 2.3.43 in certificateMatch.
To: Mike Hulsman <mike@hulsman.net>

2012/12/3 Mike Hulsman <mike@hulsman.net>

Quoting Erwann Abalea <eabalea@gmail.com>:

2012/12/3 Mike Hulsman <mike@hulsman.net>

Quoting Howard Chu <hyc@symas.com>:

[...]

No. Read RFC4523.

After a lot of reading and testing I still cannot get it working.

I read RFC4523 and am now doing an ldap search of (usercertificate:**
certificateExactMatch:=**certificate_serial_number$**

certificate_Issuer_DN)
Than I get an (?=undefined) in my logfile, so the query is not correct.
In my schema is 2.5.4.36 and 2.5.4.37 defined.

When I search on
(usercertificate=certificate_**serial_number$certificate_**Issuer_DN)

I see the query in the log so I asume it is ok, but in the debugging i see
"illegal value for attributeType usercertificate"

Here's what I use:

'userCertificate={ serialNumber <yourserial>, issuer "<yourIssuerDN>" }'

For example:
'userCertificate={ serialNumber 5090, issuer "cn=passport country signing
authority, ou=ptb, ou=dfat, o=gov, c=au" }'

Thanks alot for pointing me in the right direction,

The search is working now.
Now I also noticed that I put in the serialnumber in Hex instead of decimal.
That is what I was doing wrong :-(

You can express the serial number in hex. My example becomes

'... serialNumber 0x13E2, issuer ...'

OpenLDAP follows the X.520 name comparison rules for the issuer name; you can switch case, change spaces into multiple spaces, add heading/trailing spaces, etc. I hadn't looked at the code yet to understand why asking for serialNumber 0x013E2 or 05090 doesn't match my certificates.