[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#4644) cannon import entries with certificates because certificateExactNormalize fails

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#4644) cannon import entries with certificates because certificateExactNormalize fails
From: norbert+lists.openldap-bugs@burgundy.dyndns.org
Date: Fri, 18 Aug 2006 11:06:09 GMT

n.klasen@dpcom.de wrote:
> Full_Name: Norbert Klasen
> Version: 2.3.35
> OS: Solaris 10
> URL: 
> Submission from: (NULL) (149.239.16.244)
> 
> 
> Hi,
> I cannot import the entry attached below into any recent slapds. I think this is
> due to the fact, that slapd tries to parse the certificate to support the
> CertificateExcat matching rule. This certificate has an issuer with T.61 RDNs
> that include Umlaut characters and are actually T.61 encoded. Not just Latin-1
> tagged as T.61 as it it quite common (see
> http://www.openldap.org/lists/openldap-devel/200204/msg00128.html).

Further analysis has shown, that the T.61 encoded RDNs don't make
ldap_X509dn2bv fail. It is rather due to the DN mapping in
LDAPDN_rewrite. This certificate incldudes an RDN of attribute type
0.2.262.1.10.7.20 'nameDistinguisher' that is not defined by default.
After adding a definition for it to the schema, the entry is imported
just fine.

While tracing LDAPDN_rewrite I came across a "proxy" attribute type. But
I haven't found out its purpose yet.
Shouldn't LDAPDN_rewrite use the numeric oid and a #hex encoded value
with unknown attribute types?

Norbert


# Telesec attribute types
attributetype ( 0.2.262.1.10.7.20
        NAME 'nameDistinguisher'
        EQUALITY integerMatch
        ORDERING integerOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )


> 
> Would it be possible for ldap_X509dn2bv to first try ldap_ucs_to_utf8s and if
> that fails try ldap_t61s_to_utf8s in case of V_ASN1_T61STRING?
> 
> BTW: If run with LDAP_DEBUG_TRACE slapd dumps core in dnX509normalize because
> out->bv_val is NULL.
> 
> Norbert
> 
> dn: ou=CA DER DEUTSCHEN POST 5:PN,o=Deutsche Post AG,c=de
> objectClass: organizationalUnit
> objectClass: pkiCA
> ou: CA DER DEUTSCHEN POST 5:PN
> cACertificate;binary:: MIICUjCCAb6gAwIBAgIDD2ptMAoGBiskAwMBAgUAMG8xCzAJBgNVBAY
>  TAkRFMT0wOwYDVQQKFDRSZWd1bGllcnVuZ3NiZWjIb3JkZSBmyHVyIFRlbGVrb21tdW5pa2F0aW9u
>  IHVuZCBQb3N0MSEwDAYHAoIGAQoHFBMBMTARBgNVBAMUCjRSLUNBIDE6UE4wIhgPMjAwMDA0MTIwO
>  DIyMDNaGA8yMDA0MDQxMjA4MjIwM1owWzELMAkGA1UEBhMCREUxGTAXBgNVBAoUEERldXRzY2hlIF
>  Bvc3QgQUcxMTAMBgcCggYBCgcUEwExMCEGA1UEAxQaQ0EgREVSIERFVVRTQ0hFTiBQT1NUIDU6UE4
>  wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIH3c+gig1KkY5ceR6n/AMq+xz7hi3f0PMdpwIe2
>  v2w6Hu5kjipe++NvU3r6wakIY2royHl3gKWrExOisBico9aQmn8lMJnWZ7SUbB+WpRn0mAWNZM9YT
>  +/U5hRCffeeuLWClzrbScaWnAeaaI0G+N/QKnSSjrV/l64jogyADWCTAgMBAAGjEjAQMA4GA1UdDw
>  EB/wQEAwIBBjAKBgYrJAMDAQIFAAOBgQAaV5WClEneXk9sLO8zTQAsf4KvDaLd1BFcFeYM7kLLRHK
>  eWQ0MAd0xkuAMme5NVwWNpNZP74B4HX7Q/Q0h/wo/9LTgQaxw52lLs4Ml0HUyJbSFjoQ+sqgjg2fG
>  NGw7aGkVNY5dQTAy8oSviG8mxTsQ7Fxaush3cIB0qDDwXar/hg==

Prev by Date: Re: (ITS#4645) play cleanup handlers when abandoning
Next by Date: Re: (ITS#4644) cannon import entries with certificates because certificateExactNormalize fails
Index(es):
- Chronological
- Thread