
Re: Component Matching / certificateMatch



At 04:22 AM 2/24/2006, Keutel, Jochen wrote:
>Hello,
>
>Kurt D. Zeilenga wrote:
>>Component matching is considered experimental in OpenLDAP
>>Software.  As indicated by ITS#4112 and -devel list
>>discussions, it needs work.
>
>  OK.
>
>What about certificate matching rules? Are they fully
>implemented?

Both certificateMatch and certificateExactMatch are implemented
(they rely on OpenSSL), though I am not sure the latter fully
supports the recently approved standard track assertion syntax
(draft-zeilenga-ldap-x509).  The test script appears to
be using an experimental assertion syntax.  The code likely
needs some updating.

>Esp.: Is it possible to search for a certain
>key usage or other certificate fields?

For arbitrary matching, one needs component matching.

>I've found the certificateMatch in tests/scripts/test021-certificate :
>
>$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
>    "(cAcertificate;binary:certificateMatch:=$CERT)"
>
>But this example seems to search with a complete certificate
>as filter value ...

Per the spec, yes.  


>Regards,  Jochen.
>
>
>>Kurt
>>At 12:49 AM 2/15/2006, Kai Kramer wrote:
>>>Hello,
>>>
>>>is component matching already usable in a production environment? Does
>>>anyone really use it? ITS4112 seems to be a serious problem.
>>>
>>>What about certificate matching rules as an alternative? I managed to
>>>use certificateExactMatch to search for serial number and issuer. But
>>>I had no success with certificateMatch. Is it possible to search for a
>>>certain key usage?
>>>
>>>
>>>Regards,
>>>Kai
>>
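The two filter forms discussed in this thread, as an added example that is not part of the original messages or of OpenLDAP's own test scripts. It builds a certificateMatch filter whose assertion value is a whole DER certificate (hex-escaped per RFC 4515, which is what the `$CERT` variable in the quoted test021 script has to contain), and a certificateExactMatch filter whose assertion value is the GSER-encoded CertificateExactAssertion (serial number plus issuer) from RFC 4523, the published form of draft-zeilenga-ldap-x509. The sample certificate bytes are constructed, not a real certificate, and the function names are mine; as Kurt notes above, the 2006-era server code may still expect an older experimental assertion syntax, so the RFC 4523 form is an assumption to check against the server actually in use.

```python
"""Build LDAP extensible-match filters for the X.509 matching rules
certificateMatch and certificateExactMatch (added example, not from
the thread or from OpenLDAP; RFC 4523 GSER assertion form assumed)."""


def escape_filter_value(value: bytes) -> str:
    """RFC 4515 escaping of a binary assertion value: every byte as \\XX.
    This is how a whole DER certificate is placed in a filter string."""
    return "".join(f"\\{b:02x}" for b in value)


def escape_filter_text(text: str) -> str:
    """RFC 4515 escaping for a textual assertion value: only the special
    characters ( ) * \\ NUL and non-ASCII bytes (UTF-8) are hex-escaped."""
    out = []
    for b in text.encode("utf-8"):
        if b in b"*()\\\x00" or b >= 0x80:
            out.append(f"\\{b:02x}")
        else:
            out.append(chr(b))
    return "".join(out)


def gser_string(s: str) -> str:
    """GSER (RFC 3641) quoted string: an embedded '"' is written as '""'."""
    return '"' + s.replace('"', '""') + '"'


def certificate_exact_assertion(serial: int, issuer_dn: str) -> str:
    """GSER encoding of CertificateExactAssertion (RFC 4523):
    { serialNumber <int>, issuer rdnSequence:"<DN string>" }"""
    if serial < 0:
        raise ValueError("X.509 serial numbers are non-negative integers")
    return "{ serialNumber %d, issuer rdnSequence:%s }" % (
        serial, gser_string(issuer_dn))


def certificate_match_filter(attr: str, der_cert: bytes) -> str:
    """Filter asserting a complete certificate, e.g. for cACertificate;binary,
    with the value escaping that the quoted test script leaves implicit."""
    return f"({attr}:certificateMatch:={escape_filter_value(der_cert)})"


def certificate_exact_match_filter(attr: str, serial: int, issuer_dn: str) -> str:
    """Filter selecting entries whose certificate has the given serial number
    and issuer, without needing the certificate itself."""
    assertion = certificate_exact_assertion(serial, issuer_dn)
    return f"({attr}:certificateExactMatch:={escape_filter_text(assertion)})"


# Constructed sample input: a few bytes shaped like the start of a DER
# SEQUENCE, not a real certificate.
SAMPLE_DER = bytes.fromhex("3082010030820100")

if __name__ == "__main__":
    print(certificate_match_filter("cACertificate;binary", SAMPLE_DER))
    print(certificate_exact_match_filter(
        "userCertificate", 1234, "CN=Example CA,O=Example"))
```

The exact-match form is the one to prefer for lookups by issuer and serial: it keeps the filter short and does not require the client to already hold the certificate it is searching for. Either filter should be tested against the target server first, since support for the standard assertion syntax varied between OpenLDAP releases of that period.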