[Date Prev][Date Next]
Re: Cannot search usercertificate binary data with raw data
Howard Chu wrote:
> Michael Ströder wrote:
>> But userCertificate has certificateExactMatch (220.127.116.11) defined as
>> equality matching rule. This is *not* the octetStringMatch (18.104.22.168)
>> matching rule.
> It is legal to use an octet string for certificateExactMatch. In
> OpenLDAP the octet string is simply parsed and turned into a certificate
> assertion value and then matched as usual.
It does not work for me with 2.4.22.
It's a cert which was downloaded from the directory.
In syslog the following filter is logged:
The filter string seems right to me. It's a cert which was downloaded from one
directory entry. But not results returned.
>> Searching certs with octetStringMatch will obviously not perform well
>> though. I'd recommend to think about another method.
> Probably the encoding of his filter value is just wrong. And of course,
> it would be simpler to just use a certificate assertion value instead.
Performance would be bad anyway. The approach to map certs to user entries by
searching for the whole cert is flawed.