
CertificateExactMatch for the ldap HEAD branch (ITS#2719/ITS#2771).



ITS#2771 contains a patch for ldap-head that implements certificateExactMatch.

Two types of queries are supported:

  userCertificate=0$email=ca@snakeoil.dom,cn=snake oil ca,ou=certificate authority,o=snake oil, ltd,l=snake town,st=snake desert,c=xy
  userCertificate;binary=\30\82\03\ae.....

For compatibility the 'old' syntax still works:

  userCertificate=0 $ email=ca@snakeoil.dom,cn=snake oil ca,ou=certificate authority,o=snake oil, ltd,l=snake town,st=snake desert,c=xy

The queries below also work but are not recommended:

  userCertificate;binary=0$email=ca@snakeoil.dom,cn=snake oil ca,ou=certificate authority,o=snake oil, ltd,l=snake town,st=snake desert,c=xy
  userCertificate=30\82\03\ae.... (mod_authz_ldap)

For example: mod_authz_ldap (Apache LDAP strong authentication module) uses the last query type, so it's allowed for compatibility. Out of mod_authz_ldap:

-----
    /* build a filter for the certificate map */
    if (sec->certdirect) {
        ap_snprintf(filter, MAX_STRING_LEN,
                    "(&(userCertificate=%s)"
                    "(objectClass=strongAuthenticationUser))",
                    certificate);
-----

Internally certificates are normalized to the serial$issuerdn format and then stored and retrieved with octetStringIndexer/octetStringMatch etc.

Note: If the issuerdn contains a comma, like the snake oil cert from the example above, then this comma is removed before indexing. dnNormalize will not allow DNs with a comma. Are there any other characters that I should be aware of?

A large part of the code has been changed and now uses standard OpenSSL routines where possible. It has been tested with openssl 0.9.6/0.9.7/openssl-SNAP and a large data set with certificates from many different CAs.

Please let me know if additional work is needed,

Mark Ruijter
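The following is an added example, not code from the ITS#2771 patch, from OpenLDAP or from mod_authz_ldap. It is written in Python rather than C and models only the assertion-value side of what the post describes: the two string syntaxes ('0$issuer' and '0 $ issuer') are parsed, the issuer DN is normalized, the comma inside a value such as "o=snake oil, ltd" is dropped as the post says happens before indexing, and the result is keyed as serial$issuerdn for an exact lookup. Function names, the entry list and the rule that attribute types and values are case-folded are assumptions of this example; a backslash-hex DER assertion (userCertificate;binary=\30\82...) is recognised but not decoded, since that requires an X.509 parser the example does not include.

```python
import re

# An RDN separator is a comma followed by "type=". A comma that is NOT
# followed by "type=" is part of a value (e.g. "o=snake oil, ltd").
_RDN_SEP = re.compile(r",(?=\s*[A-Za-z][A-Za-z0-9-]*\s*=)")
# serial $ issuerDN, with optional whitespace around '$' (both syntaxes).
_ASSERTION = re.compile(r"^\s*([0-9]+)\s*\$\s*(.+?)\s*$")
# Backslash-hex escaped DER, as sent with userCertificate;binary.
_DER_ESCAPED = re.compile(r"^(\\[0-9A-Fa-f]{2})+$")


def is_der_assertion(value: str) -> bool:
    """True when the assertion is an escaped DER blob (needs an X.509 decoder)."""
    return bool(_DER_ESCAPED.match(value.strip()))


def normalize_issuer_dn(dn: str) -> str:
    """Normalize an issuer DN string to one canonical form (assumed rules:
    split into RDNs, drop commas left inside values, collapse whitespace,
    case-fold attribute types and values)."""
    rdns = []
    for rdn in _RDN_SEP.split(dn):
        attr, _, val = rdn.partition("=")
        # The post says a comma inside the issuer DN is removed before
        # indexing (dnNormalize rejects it); mirror that here.
        val = val.replace(",", "")
        val = " ".join(val.split())
        rdns.append(f"{attr.strip().lower()}={val.lower()}")
    return ",".join(rdns)


def parse_assertion(value: str):
    """Parse a certificateExactMatch assertion value into (serial, issuerdn)."""
    if is_der_assertion(value):
        raise ValueError("DER assertion value: decode the certificate first")
    m = _ASSERTION.match(value)
    if not m:
        raise ValueError("assertion value is not in serial$issuerDN form")
    return int(m.group(1)), normalize_issuer_dn(m.group(2))


def normalized_key(serial: int, issuer_dn: str) -> str:
    """The serial$issuerdn key under which a certificate would be indexed."""
    return f"{serial}${normalize_issuer_dn(issuer_dn)}"


def build_index(entries):
    """entries: iterable of (entry_dn, serial, issuer_dn) taken from stored
    certificates (constructed here; a real server extracts them from DER)."""
    index = {}
    for entry_dn, serial, issuer in entries:
        index.setdefault(normalized_key(serial, issuer), []).append(entry_dn)
    return index


def exact_match(index, assertion: str):
    """Return the entry DNs whose certificate matches the assertion exactly."""
    serial, issuer = parse_assertion(assertion)
    return index.get(f"{serial}${issuer}", [])


# Constructed sample entry: the snake oil CA with serial 0, issuer DN written
# with different case and spacing than the filter uses.
SAMPLE_ENTRIES = [
    ("cn=ca,o=snake oil ltd", 0,
     "Email=ca@snakeoil.dom, CN=Snake Oil CA, OU=Certificate Authority, "
     "O=Snake Oil, Ltd, L=Snake Town, ST=Snake Desert, C=XY"),
]

NEW_SYNTAX = ("0$email=ca@snakeoil.dom,cn=snake oil ca,ou=certificate authority,"
              "o=snake oil, ltd,l=snake town,st=snake desert,c=xy")
OLD_SYNTAX = ("0 $ email=ca@snakeoil.dom,cn=snake oil ca,ou=certificate authority,"
              "o=snake oil, ltd,l=snake town,st=snake desert,c=xy")

if __name__ == "__main__":
    idx = build_index(SAMPLE_ENTRIES)
    print(exact_match(idx, NEW_SYNTAX))   # ['cn=ca,o=snake oil ltd']
    print(exact_match(idx, OLD_SYNTAX))   # ['cn=ca,o=snake oil ltd']
    print(is_der_assertion(r"\30\82\03\ae"))  # True
```

Both query syntaxes normalize to the same serial$issuerdn key, so they hit the same stored entry; a different serial or a differently spelt issuer misses. The comma-removal step is the only lossy part of the normalization, which is what makes the question in the post about other special characters worth answering.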