
Re: Component Matching / certificateMatch



Hello,

Kurt D. Zeilenga wrote:
> Component matching is considered experimental in OpenLDAP
> Software.  As indicated by ITS#4112 and -devel list
> discussions, it needs work.

OK.

What about certificate matching rules? Are they fully
implemented? Esp.: Is it possible to search for a certain
key usage or other certificate fields?

I've found the certificateMatch in tests/scripts/test021-certificate :

$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
    "(cAcertificate;binary:certificateMatch:=$CERT)"

But this example seems to search with a complete certificate
as filter value ...

Regards,  Jochen.



> Kurt
>
> At 12:49 AM 2/15/2006, Kai Kramer wrote:
>> Hello,
>>
>> is component matching already usable in a production environment? Does
>> anyone really use it? ITS4112 seems to be a serious problem.
>>
>> What about certificate matching rules as an alternative? I managed to
>> use certificateExactMatch to search for serial number and issuer. But
>> I had no success with certificateMatch. Is it possible to search for a
>> certain key usage?
>>
>>
>> Regards, Kai