
Re: how do I use component matching?

At 01:10 AM 10/30/2005, vadim wrote:
>I am trying to understand how can I use component matching - feature
>described in ITS #3738. 

I suggest you review RFC 3671 (component matching),
and RFC 3876 (returning matched values).  Also, test031
for component matching examples and test015 for a
matched values example.

I note that very little here (just the ldapsearch(1) particulars
below) is actually specific to OpenLDAP Software, these are standardized
protocol extensions after all.  General discussions regarding LDAP
(including such extensions) should be moved to a general LDAP list
(see http://www.openldap.org/lists/).

>Imagine I have user entries of class "inetOrgPerson", which allows
>"userCertificate" attribute whose values are certificates of the user
>issued by different CAs. Now given a certificate I can always find which
>user at has been issued. 
>But what if I want to find a certificate of a user, given user is known
>and, for example, issuing CA is also known? Is it correct, that
>ldapsearch will return me all certificates (all values of the
>"userCertificate" attribute) and I will have to choose on the client
>side a certificate which matches issuing CA?

Something like:

(userCertificate:componentFilterMatch:=and:{
        item:{
          component "toBeSigned.issuer.rdnSequence",
                rule distinguishedNameMatch,
                value "cn=issuer,dc=example,dc=com" }
        item:{
          component "toBeSigned.subject.rdnSequence",
                rule distinguishedNameMatch,
                value "uid=user,dc=example,dc=com" }
})

(note that I've added extra whitespace for readability.
The extra whitespace should be removed in the actual
filter string used.)

>Does it mean, that I have to create child entries of the user entry each
>having single value of the "userCertificate" attribute in order to
>perform properly described above query?

No.  If you only want matched values to be returned in the
search results, you should consider using the matched values
extension (RFC 3876).

For instance:

FILTER='(userCertificate:componentFilterMatch:=and:{ item:{   component "toBeSigned.issuer.rdnSequence", rule distinguishedNameMatch, value "cn=issuer,dc=example,dc=com" } item:{ component "toBeSigned.subject.rdnSequence", rule distinguishedNameMatch, value "uid=user,dc=example,dc=com" } })'

ldapsearch ... -E '!mv='"$FILTER" "$FILTER" userCertificate

>Thanx a lot and best regards, vadim tarassov
>vadim <vadim.tarassov@swissonline.ch>
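An added example, not from either poster: a small shell helper that builds the component filter from the reply as one compact string (issuer and subject DNs as parameters) and pairs it with the matched values control so only the matching userCertificate value is returned. It assumes the server supports componentFilterMatch and the matched values control (as slapd with component matching does), quotes values in GSER form with embedded double quotes doubled (RFC 3641), and separates the two items with a comma as GSER's SEQUENCE OF encoding requires; LDAPURI and BASEDN are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original thread).  Builds the
# component-matching filter discussed above and runs the matched
# values search.  Assumes: server supports componentFilterMatch
# (RFC 3687) and the matched values control (RFC 3876).

# GSER string values are double-quoted; an embedded double quote is
# written as two double quotes (RFC 3641), so escape that before
# embedding a DN that came from user input.
gser_quote() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# One ComponentAssertion: component reference, matching rule, value.
component_item() {
    printf 'item:{component %s,rule %s,value %s}' \
        "$(gser_quote "$1")" "$2" "$(gser_quote "$3")"
}

# Whole filter: userCertificate values whose issuer AND subject both
# match the given DNs.  Emitted without extra whitespace, as the reply
# says the readable layout must be collapsed before use.  The two
# items are comma-separated (GSER SEQUENCE OF encoding; assumption).
build_cert_filter() {
    issuer_dn=$1
    subject_dn=$2
    printf '(userCertificate:componentFilterMatch:=and:{%s,%s})' \
        "$(component_item toBeSigned.issuer.rdnSequence distinguishedNameMatch "$issuer_dn")" \
        "$(component_item toBeSigned.subject.rdnSequence distinguishedNameMatch "$subject_dn")"
}

# The same filter is used twice: once to select entries and once inside
# the matched values control (-E '!mv=...') so only the certificate
# value that satisfied the filter is returned, not every value of the
# attribute.  LDAPURI and BASEDN are placeholders for your deployment.
search_user_cert() {
    filter=$(build_cert_filter "$1" "$2")
    ldapsearch -x -H "${LDAPURI:-ldap://localhost}" \
        -b "${BASEDN:-dc=example,dc=com}" \
        -E "!mv=$filter" "$filter" userCertificate
}

# usage: search_user_cert 'cn=issuer,dc=example,dc=com' 'uid=user,dc=example,dc=com'
```

A returned value only proves the stored certificate's issuer and subject names match; chain and revocation checking still belong to the client.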