Re: How to import user certificates in OpenLDAP?

[Howard Chu <hyc@symas.com>]

Vaclav Barta wrote:
> Hi,
>
> On 7/15/2015 12:55 AM, Sergio NNX wrote:
> > > Or just read the ldapmodify/ldapadd manpage. The jpegPhoto example in the
> > > manpage shows how to load a binary value. You can load DER format
> > certificates
> > > directly, this way.
> >
> >
> > I agree with Howard, you don't have to use ldif command. You can use
> > ldapmodify or ldapadd to achieve the same thing. I have a working example I
> > could email to you, if you are interested.
> Yes please. I've adapted an example from
> http://kukusan-network.blogspot.cz/2012/01/how-to-setting-ldap-openldap-in-windows.html

> (also for OpenLDAP for Windows), adding the certificate with the syntax from
> the man page (roughly - the man page doesn't have space between : and <).

Because a space does not belong there.

If you're not going to actually follow the official OpenLDAP documentation, 
then there's really no point in proceeding any further.

> It fails:

> C:\OpenLDAP\ClientTools>ldapmodify.exe -a -x -h localhost -p 389 -D "cn=manager,
> dc=maxcrc,dc=com" -f c:\OpenLDAP\ldifdata\user.ldif -w secret
> ldap_connect_to_host: TCP localhost:389
> ldap_new_socket: 636
> ldap_prepare_socket: 636
> ldap_connect_to_host: Trying ::1 389
> ldap_pvt_connect: fd: 636 tm: -1 async: 0
> attempting to connect:
> connect success
> adding new entry "cn=Vaclav Barta,ou=people,dc=maxcrc,dc=com"
> ldap_add: Undefined attribute type (17)
>          additional info: usercertificate: requires ;binary transfer
>
> Obviously the problem is on the usercertificate line of user.ldif, but how
> exactly should I write it?

Use

usercertificate;binary:< file:///blahblahblah


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/