
Re: CertificateExactMatch for the ldap HEAD branch (ITS#2719/ITS#2771).



Kurt D. Zeilenga wrote:

I've committed an initial test script (enhancements are welcomed)
to use in evaluating your patch (which I'm now doing).

One thing I noticed right away in the old code is that
(userCertificate=*) is not matching entries containing
userCertificate (added with ;binary).  I need to look
into that.

Kurt

Kurt,

I've uploaded a tool for generating certificateExactMatch search strings from a certificate (PEM) file.
The file is ftp://ftp.openldap.org/incoming/exactfilter-171003.tgz.
I also uploaded an improved version of the patch that doesn't strip the comma
from the DN. I fixed it by (re)escaping the search string before feeding it to dnNormalize.
The new patch is: ftp://ftp.openldap.org/incoming/ldap-HEAD-171003-exactmatch.patch


I also tested the userCertificate=* / usercertificate;binary=* queries against
ldap-HEAD-171003-exactmatch.patch and it all works fine for me.


I did however find a bug with the following query:

usercertificate;binary=\30\02\.. This query works but doesn't use the index and is therefore very slow.
usercertificate=\30\02\.. Works with use of the index.
So far I haven't been able to locate the problem...


--
-------------------------------------------- ___ _ __ _ _
/ __/| ` |\ \/ / Mark Ruijter
\__ \| | | ) ( mark.ruijter@siennax.com
|___/|__|_|/_/\_\ 06 - 53713459


--------------------------------------------
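
Added example, not part of the original message and not the exactfilter tool or OpenLDAP code: a sketch of how a PEM certificate becomes the escaped-octet equality filter of the `usercertificate;binary=\30\02\..` form quoted above, with a DER framing check so malformed input is rejected before it reaches a search. All function names and the 5-byte sample are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def check_der_sequence(der):
    """Reject input that is not exactly one DER SEQUENCE (tag 0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long form: next n octets hold the length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("truncated or trailing data")

def pem_to_der(pem_text):
    """Extract and decode the first CERTIFICATE block of a PEM file."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    check_der_sequence(der)
    return der

def binary_filter(der, attr="usercertificate;binary"):
    """Equality filter with every octet written as \\XX (RFC 4515 escaping)."""
    return "(%s=%s)" % (attr, "".join("\\%02x" % b for b in der))

def unescape_value(value):
    """Inverse of the escaping: turn a fully \\XX-escaped value back into bytes."""
    if not re.fullmatch(r"(\\[0-9a-fA-F]{2})*", value):
        raise ValueError("value is not fully \\XX-escaped")
    return bytes.fromhex(value.replace("\\", ""))

# Constructed sample: SEQUENCE { INTEGER 1 }, a 5-byte stand-in, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode("ascii")
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(binary_filter(pem_to_der(SAMPLE_PEM)))
    print(binary_filter(pem_to_der(SAMPLE_PEM), attr="usercertificate"))
```

Both printed filters carry the same escaped value; only the attribute description differs, which is the pair of queries the message compares.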