
ldapmodify with certificateExactMatch fails (ITS#2719)

Full_Name: Mark Ruijter
Version: 2.1.22
OS: Linux
URL: ftp://ftp.openldap.org/incoming/certExactModify-2.1.22.patch
Submission from: (NULL) (

When certificateExactMatch is enabled ldapmodify fails if the user has more than
one certificate. This is caused by the fact that ldapmodify supplies the
certificate for the search instead of the certificateExactSyntax: serial $ issuerdn.

As a workaround you can use an ldapmodify with certificateExactMatch syntax:

[root@back cert]# cat delete-cert.ldif
dn: uid=mark,dc=com
changetype: modify
delete: usercertificate;binary
usercertificate;binary:< file:///root/cert/mark

[root@back cert]# cat mark
usercertificate=102199425239041956271964087300424999999 $ OU=VeriSign Class 2
OnSite Individual CA,O=VeriSign

ldapmodify -f ./delete-cert.ldif -D cn=manager,dc=com -w secret -x

This undocumented 'feature' no longer works with the patch from ITS#2703 when
compiled with -DCERT_SYNCHECK.

The patch supplied with this bug report (certExactModify-2.1.22.patch) fixes the
modify problem. It also adds some extra checking in serial_and_issuer_parse.
This routine would cause the LDAP server to crash on some occasions.

  ___  _ __  _  _
 / __/| `  |\ \/ /  Mark Ruijter
 \__ \|  | | )  (   openldap@siennax.com
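Added example, written for this archive page and not taken from the report's patch or from OpenLDAP: a small defensive parser for the "serial $ issuerDN" assertion form the report describes, of the kind a routine like serial_and_issuer_parse needs so that a malformed value returns an error instead of crashing the server. The function names (cea_parse, cea_check, cea_matches), the buffer limits and the sample assertion value are constructed for this example; the sample value is the one from the report's workaround file.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Result codes (constructed for this example). */
enum { CEA_OK = 0, CEA_ERR_FORMAT = 1, CEA_ERR_SERIAL = 2,
       CEA_ERR_ISSUER = 3, CEA_ERR_LENGTH = 4 };

#define CEA_MAX_SERIAL 64    /* decimal digits plus NUL; assumption */
#define CEA_MAX_ISSUER 256   /* issuer DN string plus NUL; assumption */

/* Parse "serial $ issuerDN" into its two components.
 * serial must be a non-empty run of decimal digits, issuer a non-empty
 * string; both are trimmed of surrounding whitespace and must fit the
 * caller's buffers. Every failure path returns a code rather than reading
 * or writing past a buffer, which is the behaviour a server-side parser
 * of client-supplied assertion values needs. */
int cea_parse(const char *in, char *serial, size_t serial_len,
              char *issuer, size_t issuer_len)
{
    const char *dollar, *p, *end;
    size_t n, k;

    if (in == NULL || serial == NULL || issuer == NULL)
        return CEA_ERR_FORMAT;

    /* Split on the first '$'; the issuer DN is everything after it. */
    dollar = strchr(in, '$');
    if (dollar == NULL)
        return CEA_ERR_FORMAT;

    /* Serial number: trim, require digits only, bound the length. */
    p = in;
    while (isspace((unsigned char)*p)) p++;
    end = dollar;
    while (end > p && isspace((unsigned char)end[-1])) end--;
    n = (size_t)(end - p);
    if (n == 0)
        return CEA_ERR_SERIAL;
    if (n >= serial_len)
        return CEA_ERR_LENGTH;
    for (k = 0; k < n; k++)
        if (!isdigit((unsigned char)p[k]))
            return CEA_ERR_SERIAL;
    memcpy(serial, p, n);
    serial[n] = '\0';

    /* Issuer DN: trim, require non-empty, bound the length. */
    p = dollar + 1;
    while (isspace((unsigned char)*p)) p++;
    end = p + strlen(p);
    while (end > p && isspace((unsigned char)end[-1])) end--;
    n = (size_t)(end - p);
    if (n == 0)
        return CEA_ERR_ISSUER;
    if (n >= issuer_len)
        return CEA_ERR_LENGTH;
    memcpy(issuer, p, n);
    issuer[n] = '\0';
    return CEA_OK;
}

/* Validate only: returns the cea_parse result code for an assertion value. */
int cea_check(const char *assertion)
{
    char s[CEA_MAX_SERIAL], i[CEA_MAX_ISSUER];
    return cea_parse(assertion, s, sizeof s, i, sizeof i);
}

/* Compare a parsed assertion against the serial and issuer of a stored
 * certificate (e.g. as extracted from the usercertificate;binary value).
 * Returns 1 on exact match, 0 on mismatch or malformed input.
 * DN normalisation is out of scope here; a real matching rule would
 * canonicalise both DNs before comparing. */
int cea_matches(const char *assertion, const char *cert_serial,
                const char *cert_issuer)
{
    char s[CEA_MAX_SERIAL], i[CEA_MAX_ISSUER];
    if (cea_parse(assertion, s, sizeof s, i, sizeof i) != CEA_OK)
        return 0;
    return strcmp(s, cert_serial) == 0 && strcmp(i, cert_issuer) == 0;
}

int main(void)
{
    /* Constructed input: the assertion value from the report's "mark" file. */
    const char *a = "102199425239041956271964087300424999999 $ "
                    "OU=VeriSign Class 2 OnSite Individual CA,O=VeriSign";
    char s[CEA_MAX_SERIAL], i[CEA_MAX_ISSUER];
    int rc = cea_parse(a, s, sizeof s, i, sizeof i);

    printf("rc=%d serial=%s\nissuer=%s\n", rc,
           rc == CEA_OK ? s : "-", rc == CEA_OK ? i : "-");
    printf("missing separator -> %d\n", cea_check("no dollar sign here"));
    printf("non-numeric serial -> %d\n", cea_check("12ab $ O=Example"));
    return 0;
}
```

The point of the error codes is that slapd receives this string from an unauthenticated or low-privilege client in a search filter or, as in the report, via ldapmodify; a parser that trusts the presence of '$' or the length of either half is the kind of routine that falls over on a stray value, which is exactly the crash the report attributes to the unchecked serial_and_issuer_parse.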