
Re: Cannot search usercertificate binary data with raw data



Luis Neves wrote:
> but I want to specify a raw filter for the userCertificate attribute:
> I've uuencoded the original DER certificate and used the result as a
> search filter

Not sure whether you generated the search filter correctly at all. If you use
uuencode, the cert gets base64-encoded?

If you want to search for an octet string, you have to hex-escape the bytes in
the search filter. See the escaping rules in RFC 4515.

> ldapsearch -x -h 10.15.254.148 -p 389 -D "cn=root,dc=cm-lisboa,dc=pt" -w
> ***** -s sub -b "ou=AuthzLDAPCertmap,dc=cm-lisboa,dc=pt"
> '(&(userCertificate;binary=\\30\\82\\07\\38\\30\\82\\06\\20\\a0\\03\\02\\01\\02\\02\\08\\d9\\33\\e0\\f2\\f9\\5d\\0f\\30\\0d\\06\\09\\2a\\86\\48\\86
> etc etc etc )(objectClass=strongAuthenticationUser))'

But userCertificate has certificateExactMatch (2.5.13.34) defined as its equality
matching rule. This is *not* the octetStringMatch (2.5.13.17) matching rule.

Searching certs with octetStringMatch will obviously not perform well, though.
I'd recommend thinking about another method.

Since you asked a similar question on openssl-users, I assume you want to use
this module. Right?

http://authzldap.othello.ch/configuration.html

Ciao, Michael.
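The hex-escaping Michael points to in RFC 4515, as an added example that is not part of the original thread and not code from either poster or from authzldap: every byte of the DER blob is written as `\XX`, so the assertion value never contains a raw `(`, `)`, `*`, `\` or NUL and is valid regardless of whether the bytes form UTF-8. The function names, the `is_valid_rfc4515_value` check and the sample bytes (a plausible DER prefix followed by bytes that must be escaped) are my own constructions. The inverse function is there so you can round-trip a value and see why a doubly-escaped value such as `\\30` is rejected as a bad filter rather than matched as the byte 0x30.

```python
"""RFC 4515 hex-escaping of a binary LDAP assertion value.

Added example for the thread above; not code from the original posters or
from the authzldap module.  All sample data is constructed.
"""
import re

# Bytes that RFC 4515 requires to be escaped inside an assertion value.
_MUST_ESCAPE = frozenset(b"\x00*()\\")

# One RFC 4515 escape: a backslash followed by exactly two hex digits.
_ESCAPE_RE = re.compile(r"\\([0-9a-fA-F]{2})")


def escape_rfc4515(value: bytes, escape_all: bool = True) -> str:
    """Return the RFC 4515 string form of an assertion value.

    escape_all=True writes every byte as \\XX, which is the safe choice for
    a DER blob (arbitrary bytes, not valid UTF-8).  escape_all=False escapes
    only what the RFC requires plus anything outside printable ASCII, so a
    textual value stays readable.
    """
    out = []
    for b in value:
        if escape_all or b in _MUST_ESCAPE or b < 0x20 or b > 0x7E:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def unescape_rfc4515(text: str) -> bytes:
    """Inverse of escape_rfc4515.

    Raises ValueError on a backslash that is not followed by two hex digits.
    That is exactly the state a value ends up in when it is escaped twice,
    e.g. when a shell-quoted '\\\\30' reaches the client as two backslashes.
    """
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "\\":
            m = _ESCAPE_RE.match(text, i)
            if m is None:
                raise ValueError("invalid RFC 4515 escape at offset %d" % i)
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out.extend(text[i].encode("utf-8"))
            i += 1
    return bytes(out)


def is_valid_rfc4515_value(text: str) -> bool:
    """True if every backslash in text starts a well-formed \\XX escape."""
    try:
        unescape_rfc4515(text)
    except ValueError:
        return False
    return True


def build_cert_filter(der: bytes, attr: str = "userCertificate;binary",
                      object_class: str = "strongAuthenticationUser") -> str:
    """Build the AND filter from the thread with a correctly escaped value."""
    return "(&(%s=%s)(objectClass=%s))" % (attr, escape_rfc4515(der), object_class)


# Constructed sample: the start of a DER Certificate SEQUENCE (not a real
# certificate) followed by bytes that RFC 4515 requires to be escaped.
SAMPLE_DER = bytes.fromhex("3082073830820620a003020102020108") + b"\x00*()\\"


if __name__ == "__main__":
    flt = build_cert_filter(SAMPLE_DER)
    print(flt)
    # Round trip: the escaped value decodes back to the original bytes.
    print(unescape_rfc4515(escape_rfc4515(SAMPLE_DER)) == SAMPLE_DER)
    # A doubly escaped value is not a valid filter value at all.
    print(is_valid_rfc4515_value("\\\\30\\\\82"))
```

When you hand the filter to ldapsearch, wrap it in single quotes with a single backslash per byte, as in `'(userCertificate;binary=\30\82...)'`; inside single quotes the shell passes the backslashes through untouched. Passing the filter as one argv element from a script avoids the shell quoting question entirely. Whether the server can use such an octetStringMatch-style assertion against an attribute whose equality rule is certificateExactMatch is the separate point Michael raises above; this block only gets the value encoding right.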