Re: CertificateExactMatch for the ldap HEAD branch (ITS#2719/ITS#2771).



Thanks for the updated patch.  However, as you can now see, I've committed
changes based, in part, on your prior patch.  I've also committed a
basic certificate test to the suite which includes adding/deleting
individual certificates from entries (in a manner which requires
certificates to be compared) and a few basic search operations
including presence assertions and a (userCertificate=SN$DN) assertion.

So, the basics appear okay.... but please bang on it.

The code still needs a bit more work.  I haven't checked all the
other cases to see whether they behave correctly or not.  For instance,
I haven't yet checked whether (userCertificate:certificateExactMatch:=SN$DN)
works or not.  I also have not yet looked at indexing.  And, as you noted,
ldap_X509dn2bv() needs to be shaken out a bit.  And it would be nice
to implement (userCertificate;binary:certificateMatch:=....) as well.

I note that xxxxx in (userCertificate;binary=xxxxx) should be the BER
encoding of a value of the assertion syntax.  (I was incorrect before
when I said it could be that or the BER of the certificate.  The
CertificateMatch rule has to be explicitly specified when the assertion
syntax is certificate.)

Again, thanks for the submission.  It was a big help.

Kurt


At 01:29 PM 10/17/2003, Mark Ruijter wrote:
>The new patch is : ftp://ftp.openldap.org/incoming/ldap-HEAD-171003-exactmatch.patch
>
>I also tested the userCertificate=* / usercertificate;binary=* queries against
>ldap-HEAD-171003-exactmatch.patch and it all works fine for me.
>
>I did however find a bug with the following query:
>
>usercertificate;binary=\30\02\.. This query works but doesn't use the index and is therefore very slow.
>usercertificate=\30\02\.. Works with use of the index.
>So far I haven't been able to locate the problem...
>
>-- 
>--------------------------------------------  ___  _ __  _  _
>/ __/| `  |\ \/ /  Mark Ruijter
>\__ \|  | | )  (   mark.ruijter@siennax.com
>|___/|__|_|/_/\_\  06 - 53713459
>
>--------------------------------------------