[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Cannot search usercertificate binary data with raw data



Howard Chu wrote:
> Michael Ströder wrote:
>> But userCertificate has certificateExactMatch (2.5.13.34) defined as 
>> equality matching rule. This is *not* the octetStringMatch (2.5.13.17)
>> matching rule.
>
> It is legal to use an octet string for certificateExactMatch. In
> OpenLDAP the octet string is simply parsed and turned into a certificate
> assertion value and then matched as usual.

It does not work for me with 2.4.22.
It's a cert which was downloaded from the directory.

In syslog the following filter is logged:

(?userCertificate;binary=0\82\05M0\82\045\A0\...)

The filter string seems right to me. It's a cert which was downloaded from one
directory entry. But not results returned.

>> Searching certs with octetStringMatch will obviously not perform well 
>> though. I'd recommend to think about another method.
> 
> Probably the encoding of his filter value is just wrong. And of course,
> it would be simpler to just use a certificate assertion value instead.

Performance would be bad anyway. The approach to map certs to user entries by
searching for the whole cert is flawed.

Ciao, Michael.