[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: userCertificate:certificateExactMatch: problem

networm@mail15.com wrote:
networm@mail15.com wrote:
Hi! I use OpenLdap 2.39. I need to find the certificate with sn
61a430c600000000000c and issuer email adm@test.com, but then i try this

OpenLdap prints this error: filter=(?=undefined). I have understood that
sn should be in dec form, but converting hex->dec not helped. How
correctly convert sn in dec?

Not sure what 2.39 means; however, with OpenLDAP 2.3 & 2.4 the (old)
certificateExactMatch assertion syntax "sn$id" works, with sn in
decimal.  With OpenLDAP 2.4, also the GSER syntax works.  I note that in
OpenLDAP 2.3 certificateExactMatch was conditioned on the availability
of TLS, while in OpenLDAP 2.4 the code is all built-in.


Sorry, i mean 2.3.39.
certificateExactMatch works good then sn is low(e.g. sn 0xC0003 converts to 3,
and openldap finds this certificate), but then sn is big(>9 in decimal) i don't know
how to convert that sn to decimal. Simple convert 61a430c600000000000c
from hex to dec(with online convertors) does not help(no search result from

OK, then the problem is that OpenLDAP 2.3's certificateExactMatch normalization needed integers within 32 bit (31 bit is LDAP's limitation, but not X509). You need to use OpenLDAP 2.4.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it