[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: CertificateExactMatch for the ldap HEAD branch (ITS#2719/ITS#2771).



I've committed an initial test script (enhancements are welcomed)
to use in evaluating your patch (which I'm now doing).

One thing I noticed right away in the old code is that
(userCertificate=*) is not matching entries containing
userCertificate (added with ;binary).  I need to look
into that.

Kurt


At 02:08 PM 10/16/2003, Kurt D. Zeilenga wrote:
>Mark,
>
>I'll try to take at your patch in a bit.  I'm thinking it might be
>useful to add userCertificate tests to the test suite.
>
>Regarding characters special to the LDAP string representation of DNs, see
>RFC 2253.  These characters need to be properly escaped.  That
>should be done by X509_NAME_print_ex() with appropriate flags.
>If not, then we need to work with the OpenSSL folks to fix
>it.  Striping commas (or other characters) is a bad idea as it
>will cause incorrect matching.
>
>Kurt
>
>At 12:57 PM 10/16/2003, Mark Ruijter wrote:
>>ITS#2771 contains a patch for ldap-head that implements
>>certificateExactMatch.
>>
>>Two types of queries are supported:
>>
>>
>>   * 'userCertificate=0$email=ca@snakeoil.dom,cn=snake oil
>>     ca,ou=certificate authority,o=snake oil, ltd,l=snake town,st=snake
>>     desert,c=xy'
>>   * userCertificate;binary=\30\82\03\ae.....
>>
>>For compatibility the 'old' syntax still works:
>>userCertificate=0 $ email=ca@snakeoil.dom,cn=snake oil ca,ou=certificate
>>authority,o=snake oil, ltd,l=snake town,st=snake desert,c=xy
>>
>>The queries below also work but are not recommended:
>>userCertificate;binary=0$email=ca@snakeoil.dom,cn=snake oil
>>ca,ou=certificate authority,o=snake oil, ltd,l=snake town,st=snake
>>desert,c=xy
>>userCertificate=30\82\03\ae....   (mod_authz_ldap)
>>
>>For example:  mod_authz_ldap (apache ldap strong authentication module)
>>uses the last query type so it's allowed for compatibility.
>>Out of mod_authz_ldap:
>>-----
>>        /* build a filter for the certificate map
>>*/
>>        if (sec->certdirect) {
>>                ap_snprintf(filter, MAX_STRING_LEN,
>>                        "(&(userCertificate=%s)"
>>                        "(objectClass=strongAuthenticationUser))",
>>certificate);
>>-----
>>
>>Internally certificates are normalized to the serial$issuerdn format
>>and  then stored and retrieved with octetStringIndexer/OctetStringMatch
>>etc.
>>
>>Note: If the issuerdn contains a comma like the snake oil cert from the
>>example above, then this comma is removed before indexing. dnNormalize
>>will
>>not allow dn's with a comma. Are there any other characters that I
>>should be aware of?
>>
>>A large part of the code has been changed and now uses standard openssl
>>routines where possible. It has been tested with
>>openssl0.9.6/0.9.7/openssl-SNAP
>>and a large data set with certificates from many different CA's.
>>
>>Please let me know if additional work is needed,
>>
>>Mark Ruijter