[Date Prev][Date Next]
Re: slapd-sql with unixodbc - userCertificate retrieval problem
- To: Kevin Vargo <firstname.lastname@example.org>
- Subject: Re: slapd-sql with unixodbc - userCertificate retrieval problem
- From: Pierangelo Masarati <email@example.com>
- Date: Tue, 06 Mar 2007 19:01:06 +0100
- Cc: openldap-software@OpenLDAP.org
- In-reply-to: <firstname.lastname@example.org>
- References: <email@example.com>
- User-agent: Thunderbird 126.96.36.199 (X11/20061025)
Kevin Vargo wrote:
On Wed, 2006-06-07 at 17:31 +0200, Pierangelo Masarati wrote:
Store the certificate in the RDBMS in the form that is appropriate for
its value. In fact, back-sql doesn't do any mucking on the value of
your certificate; if you base64-encode it, back-sql cannot know.
Moreover, back-sql is very poor at dealing with binary objects, so you
might be off even if you succeed in storing the certificate in binary
I guess a reasonable approach would be to use BLOB data type and make
sure back-sql can handle it accordingly.
Has anyone else had success using userCertificates? I've placed the
Base-64 encoded certificate data in the database. However upon attempted
retrieval, I get an error attempting to validate the attribute:
unable to validate value #0 of AttributeDescription userCertificate
What the above message says is that it's pointless to store the
certificate in the database in base64, because back-sql returns the
value as is, and slapd expects it to be an octet string containing the
certificate, not its base64 representation.
So I #undef'd the pretty/validate directive in back-sql.h (BACKSQL_PRETTY_VALIDATE)
but this only resulted in getting the normalization error:
unable to normalize value #0 of AttributeDescription userCertificate
Same as above. Validators for certificates are already present in
slapd, and, of course, they expect valid certificates.
Any ideas? As well, is there any documentation on writing validators?
I wasn't able to locate any so far.
Write the certificate to the database as is, not base64 encoded, using a
BLOB. And, there's no guarantee it works. As usual, if you succeed,
patches are welcome.
Ing. Pierangelo Masarati
OpenLDAP Core Team
Via Dossi, 8 - 27100 Pavia - ITALIA