
Re: CertificateExactMatch for the ldap HEAD branch (ITS#2719/ITS#2771).



Mark Ruijter <openldap@siennax.com> writes:

> ITS#2771 contains a patch for ldap-head that implements
> certificateExactMatch.

Hi,

I have been inactive on OpenLDAP for a long time now and that was one
of the last few things I was involved in.  Though I might add some
helpful comments.

> Two types of queries are supported:
>
>
>    * 'userCertificate=0$email=ca@snakeoil.dom,cn=snake oil
>      ca,ou=certificate authority,o=snake oil, ltd,l=snake town,st=snake
>      desert,c=xy'
>    * userCertificate;binary=\30\82\03\ae.....
>
> For compatibility the 'old' syntax still works:
> userCertificate=0 $ email=ca@snakeoil.dom,cn=snake oil ca,ou=certificate
> authority,o=snake oil, ltd,l=snake town,st=snake desert,c=xy

The old syntax (I am not sure exactly how it differs from the new
syntax) was a broken attempt to follow David Chadwick's draft for
certificate matching.  It was broken in that I forgot that the DN
must be quoted, IIRC.  So the old syntax should die.

Are you following David Chadwick's draft or is this a specification
you have written yourself?

> The queries below also work but are not recommended:
> userCertificate;binary=0$email=ca@snakeoil.dom,cn=snake oil
> ca,ou=certificate authority,o=snake oil, ltd,l=snake town,st=snake
> desert,c=xy
> userCertificate=30\82\03\ae....   (mod_authz_ldap)
>
> For example:  mod_authz_ldap (apache ldap strong authentication module)
> uses the last query type so it's allowed for compatibility.

Andreas Mueller did what he could by inventing a certificate mapping
system that works with directories that have no certificate search
facilities.  And it is great.  I use it every day (well, not that
match, but the serial and issuer DN match).

But if OpenLDAP really supports certificate searching, mod_authz_ldap
should be enhanced to do it.  I think he was open to the idea but did
not want to accept the changes back then since it was only on HEAD.
However, he has accepted my patches to map certificates against Active
Directory (on which my feedback to him is long overdue :-( )

Otherwise, having this direct matching is great. I presume indexing
works, right?  That was the biggest problem with octetStringMatch that
Andreas recommended.

> A large part of the code has been changed and now uses standard openssl
> routines where possible.

I have not checked your patch, but notice that some OpenSSL routines
were not able to handle serial numbers larger than 32 bits (which are
legal and which the Microsoft Certificate Server customarily creates)
unless they are represented not as integers but as some
non-standard-compliant series of decimal or even hexadecimal thingies
separated by colons.  I painfully wrote code that would produce an
integer of unrestricted length (which OpenLDAP's own integerMatch
supported).  And I could not do it with standard OpenSSL routines.

I also had concerns about the RFC 2253 validity of some DN renderings,
but this I don't remember very well.  I might have gone overboard on
this and done what X509_NAME_ex could do for itself.

Regards,

Julio

-- 
Julio Sanchez
 PGP Key fingerprint =  E5 29 93 6F 41 4E 00 E2  90 11 A1 8C 72 D0 DE 71
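The two points raised in this thread, the `serial$issuerDN` assertion syntax of certificateExactMatch and the need to treat certificate serial numbers as integers of unrestricted length rather than 32-bit values, can be illustrated with a small stand-alone script. The following is an added example written for this archive page; it is not code from the ITS#2771 patch, from OpenLDAP, or from OpenSSL. All function names are hypothetical, the serial number and DNs are constructed sample data, and the DN comparison is a deliberately simplified normalization (lowercase, whitespace trimmed around commas) rather than a full RFC 2253 implementation.

```python
"""Added example (not OpenLDAP or OpenSSL code): a minimal certificateExactMatch
check that decodes the certificate serial as an arbitrary-length ASN.1 INTEGER.
All names are hypothetical and all sample data is constructed."""
import re


def der_integer_to_int(der: bytes) -> int:
    """Decode a DER-encoded ASN.1 INTEGER (tag 0x02) of any length into a
    Python int.  DER prepends a 0x00 byte to positive values whose top bit
    is set, which a signed big-endian conversion handles naturally.  Short
    and long-form lengths of up to four length bytes are accepted, which is
    more than enough for any real serial number."""
    if len(der) < 2 or der[0] != 0x02:
        raise ValueError("not an ASN.1 INTEGER")
    first = der[1]
    if first < 0x80:
        length, body_start = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(der[2:2 + n], "big")
        body_start = 2 + n
    body = der[body_start:body_start + length]
    if len(body) != length or length == 0:
        raise ValueError("truncated or empty INTEGER")
    return int.from_bytes(body, "big", signed=True)


def parse_exact_match_assertion(value: str):
    """Split a certificateExactMatch assertion value 'serial$issuerDN' into
    (serial, issuer_dn).  Whitespace around '$' is tolerated so the old
    'serial $ dn' form from the thread parses the same way.  The serial is
    a decimal integer of unrestricted length, never truncated to 32 bits."""
    serial_text, sep, issuer = value.partition("$")
    if not sep:
        raise ValueError("assertion must have the form serial$issuerDN")
    serial_text = serial_text.strip()
    if not re.fullmatch(r"[0-9]+", serial_text):
        raise ValueError("serial must be a decimal integer")
    return int(serial_text), issuer.strip()


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization for comparison (hypothetical helper).
    A real implementation must honour RFC 2253 escaping; here commas are
    treated as plain separators, which is enough for the sample data."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def certificate_exact_match(cert_serial_der: bytes, cert_issuer_dn: str,
                            assertion: str) -> bool:
    """Return True when the certificate's (serial, issuer) pair equals the
    pair carried in the assertion value."""
    serial, issuer = parse_exact_match_assertion(assertion)
    return (der_integer_to_int(cert_serial_der) == serial
            and normalize_dn(cert_issuer_dn) == normalize_dn(issuer))


# Constructed sample: a 128-bit serial as a CA might issue it.  The top bit
# of the first value byte is set, so DER pads it with a leading 0x00 and the
# INTEGER body is 17 bytes long (length byte 0x11).
SAMPLE_SERIAL_INT = 0xA1B2C3D4E5F60718293A4B5C6D7E8F90
SAMPLE_SERIAL_DER = bytes.fromhex("0211" "00" "a1b2c3d4e5f60718293a4b5c6d7e8f90")
SAMPLE_ISSUER = ("email=ca@snakeoil.dom,cn=snake oil ca,ou=certificate authority,"
                 "o=snake oil, ltd,l=snake town,st=snake desert,c=xy")


def demo() -> bool:
    """Match the constructed certificate against an assertion built from
    its full decimal serial; also show that a 32-bit view of the serial
    would not have identified it."""
    assertion = f"{SAMPLE_SERIAL_INT:d}${SAMPLE_ISSUER}"
    matched = certificate_exact_match(SAMPLE_SERIAL_DER, SAMPLE_ISSUER, assertion)
    truncated = SAMPLE_SERIAL_INT & 0xFFFFFFFF
    print(f"full serial matches: {matched}; low 32 bits alone: {truncated:#x}")
    return matched


if __name__ == "__main__":
    demo()
```

The decoder is the part that matters for the serial-number problem in the thread: by converting the raw INTEGER body with `int.from_bytes`, the value keeps its full width, so two certificates from the same issuer whose serials differ only above bit 32 are still told apart.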