Re: userCertificate:certificateExactMatch: problem

[networm@mail15.com]

> > > > Hi! I use OpenLdap 2.39. I need to find the certificate with sn
> > > > 61a430c600000000000c and issuer email adm@test.com, but then i try this
> > > > search:
> > > > (userCertificate:certificateExactMatch:=61a430c600000000000c$email=adm@test.com),
> > > >
> > > > OpenLdap prints this error: filter=(?=undefined). I have understood that
> > > > sn should be in dec form, but converting hex->dec not helped. How
> > > > correctly convert sn in dec?
> > >
> > > Not sure what 2.39 means; however, with OpenLDAP 2.3 & 2.4 the (old)
> > > certificateExactMatch assertion syntax "sn$id" works, with sn in
> > > decimal.  With OpenLDAP 2.4, also the GSER syntax works.  I note that in
> > > OpenLDAP 2.3 certificateExactMatch was conditioned on the availability
> > > of TLS, while in OpenLDAP 2.4 the code is all built-in.
> >
> > > p.
> >
> > Sorry, i mean 2.3.39.
> > certificateExactMatch works good then sn is low(e.g. sn 0xC0003 converts
> > to 3,
> > and openldap finds this certificate), but then sn is big(>9 in decimal)
> > i don't know
> > how to convert that sn to decimal. Simple convert 61a430c600000000000c
> > from hex to dec(with online convertors) does not help(no search result from
> > openldap).
>
> OK, then the problem is that OpenLDAP 2.3's certificateExactMatch
> normalization needed integers within 32 bit (31 bit is LDAP's
> limitation, but not X509).  You need to use OpenLDAP 2.4.

> p.

ok, thanks.