a) I have extracted the user certificate from the directory to a file using "ldapsearch -t .... "
I've encoded the result file with hexdump and added slashes (and double slashes, and also tested with reversing the byte order).
I am using the result as a search filter against the directory, and get no results.
b) I've copied/pasted all the values from the apache error_log (which come from the user's browser) and used them as a filter to ldapsearch, and nothing.
etc etc etc
a) and b) filters are the same, so I think I am doing the right tests, without errors
I don't have any more ideas... :(
c) I will make every test again next Monday just to be sure I didn't copy/paste any error.
I am starting to think of making some smaller testcase with some other binary fields, like a jpg for example. What do you think?
Add an image attribute to the user, load a very small (1x1) jpg, hexdump it to a file and try to feed it to ldapsearch until I get something.
This is the only idea I have so far that other users could test without too much effort and compare results with me....
> >> ldapsearch -x -h 10.15.254.148 -p 389 -D "cn=root,dc=cm-lisboa,dc=pt" -w
> >> ***** -s sub -b "ou=AuthzLDAPCertmap,dc=cm-lisboa,dc=pt"
> >> '(&(userCertificate;binary=\\30\\82\\07\\38\\30\\82\\06\\20\\a0\\03\\02\\01\\02\\02\\08\\d9\\33\\e0\\f2\\f9\\5d\\0f\\30\\0d\\06\\09\\2a\\86\\48\\86
> >> etc etc etc )(objectClass=strongAuthenticationUser))'
> It is legal to use an octet string for certificateExactMatch. In OpenLDAP the
> octet string is simply parsed and turned into a certificate assertion value
> and then matched as usual.
> Probably the encoding of his filter value is just wrong. And of course, it
> would be simpler to just use a certificate assertion value instead.
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
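An added example, not part of the original thread: a Python sketch that builds the octet-string form of the filter under the RFC 4515 grammar (one backslash followed by two hex digits per octet) and checks a candidate value by decoding it back to the DER octets. The function names are hypothetical, and the sample is only the 30 octets visible in the quoted filter.

```python
import re

# Constructed sample: only the 30 DER octets visible in the quoted filter;
# the rest of the certificate is elided on the page and not reproduced.
SAMPLE = bytes.fromhex("30820738" "30820620" "a0030201" "020208d9"
                       "33e0f2f9" "5d0f300d" "06092a86" "4886")

def escape_octets(data: bytes) -> str:
    """RFC 4515 binary value: ONE backslash plus two hex digits per octet."""
    return "".join(f"\\{b:02x}" for b in data)

def unescape_value(value: str) -> bytes:
    """Strictly decode an RFC 4515 assertion value back to octets."""
    out, i = bytearray(), 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            pair = value[i + 1:i + 3]
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                raise ValueError(f"bad escape at offset {i}: {value[i:i + 3]!r}")
            out.append(int(pair, 16))
            i += 3
        elif ch in "()*\x00":
            raise ValueError(f"unescaped special character at offset {i}")
        else:
            out += ch.encode("utf-8")
            i += 1
    return bytes(out)

def check_value(value: str, der: bytes) -> str:
    """Classify a candidate filter value against the stored DER octets."""
    try:
        decoded = unescape_value(value)
    except ValueError as exc:
        return f"invalid: {exc}"
    return "match" if decoded == der else "decodes to different octets"

def cert_filter(der: bytes) -> str:
    """Build the filter from the thread with a correctly escaped value."""
    value = escape_octets(der)
    assert unescape_value(value) == der  # round-trip before use
    return f"(&(userCertificate;binary={value})(objectClass=strongAuthenticationUser))"

if __name__ == "__main__":
    good = escape_octets(SAMPLE)
    # Inside shell single quotes backslashes reach ldapsearch unchanged,
    # so a doubled backslash in the quoted string stays doubled.
    print(check_value(good, SAMPLE))
    print(check_value(good.replace("\\", "\\\\"), SAMPLE))
    print(check_value(escape_octets(SAMPLE[::-1]), SAMPLE))
```

Running the same round-trip against the file written by `ldapsearch -t` shows whether a hand-built filter value still represents the stored octets before it is sent to the server.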