
problem searching directory for a certificate

I have a Java based application using JNDI to connect with OpenLDAP. One of the functions requires searching the directory for a given certificate. No matter what I try, this will not work with OpenLDAP. I think that either OpenLDAP just is not able to search for binary data, or more likely there is something "special" about the "userCertificate;binary" attribute.

I turned on full tracing in the LDAP log, and I see the following when the relevant search is executed.

>>> serialNumberAndIssuerPretty: <various "graphics" characters>
get_ava: illegal value for attributeType userCertificate
end get_filter 0
end get_filter_list
end get_filter 0
    filter: (&(?=undefined))
=> get_ctrls
=> get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
<= get_ctrls: n=1 rc=0 err=""

The "filter: (&(?=undefined))" seems really fishy to me. When I do any other search, the line looks more like "(&(uid=GregD))".
From the application side, it appears that the request succeeded, but it returns nothing. I know the certificate exists in the directory, as I can search on an ordinary attribute like uid and then get the userCertificate;binary attribute from the result. The data returned is a valid certificate.

I have watched the packet stream back and forth, and the query is getting transmitted to the slapd correctly, but no matches are returned. Setting com.sun.jndi.ldap.trace.ber to System.out in the application gives trace data which indicates the same thing.

To further validate my suspicions that this is an OpenLDAP issue, I set up a Sun Directory Server instance on the same server, and I am able to perform the search against that software.

I've also started looking around the OpenLDAP source code, but so far have not found the smoking gun.

Can anyone shed some light on this for me?

The OS is CentOS 5.2, latest patches. The OpenLDAP version is 2.3.27-8 as reported by rpm.
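A worked example of what the trace above points at, added here and not part of the original post. The `serialNumberAndIssuerPretty` step in the log is slapd's parser for the assertion value of the `certificateExactMatch` rule, and the `illegal value for attributeType userCertificate` line followed by `(?=undefined)` is what you get when that parser rejects the value. Under that rule the assertion is not the DER bytes of the certificate but (as I understand the 2.3 syntax; treat the exact format as an assumption) the string `<serialNumber>$<issuerDN>`, with the issuer as an RFC 4514 DN. The code below, standard library only, pulls the serial number and issuer out of a DER certificate, builds that assertion value, and escapes it per RFC 4515 so it can be used as a filter. The certificate it runs on is constructed in the block (unsigned and truncated after the issuer field; it is not a real certificate, and the attribute name `userCertificate;binary` is carried over from the post, not verified against the server).

```python
"""Build the assertion value OpenLDAP's certificateExactMatch expects from a DER
certificate.  Added example, not code from the original post.  Assumes the slapd 2.3
assertion syntax "<serialNumber>$<issuerDN>" (what serialNumberAndIssuerPretty parses)."""


# ---- minimal DER reader: only what the lookup needs ---------------------------------

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long form: n length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Yield (tag, content) for each TLV directly inside a SEQUENCE/SET."""
    pos = 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        yield tag, val


def _decode_oid(raw):
    """Render DER OID content bytes in dotted notation."""
    parts, n = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)


# Naming attributes rendered by short name; anything else falls back to dotted form.
_ATTR_NAMES = {"2.5.4.3": "cn", "2.5.4.6": "c", "2.5.4.7": "l", "2.5.4.8": "st",
               "2.5.4.10": "o", "2.5.4.11": "ou",
               "0.9.2342.19200300.100.1.25": "dc", "1.2.840.113549.1.9.1": "emailAddress"}


def _escape_dn_value(s):
    """RFC 4514 escaping of one attribute value inside a DN string."""
    out = []
    for i, ch in enumerate(s):
        special = ch in ',+"\\<>;' or (i == 0 and ch in "# ") or (i == len(s) - 1 and ch == " ")
        out.append("\\" + ch if special else ch)
    return "".join(out)


def name_to_dn(name_content):
    """X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) -> RFC 4514 string.
    The LDAP string form lists RDNs in reverse of the DER order.  Values are decoded as
    UTF-8 (fine for PrintableString/IA5String/UTF8String; BMPString is not handled)."""
    rdns = []
    for _, rdn in _children(name_content):
        avas = []
        for _, ava in _children(rdn):
            (_, oid), (_, value) = list(_children(ava))
            dotted = _decode_oid(oid)
            avas.append(f"{_ATTR_NAMES.get(dotted, dotted)}={_escape_dn_value(value.decode('utf-8'))}")
        rdns.append("+".join(avas))
    return ",".join(reversed(rdns))


def serial_and_issuer(cert_der):
    """Return (serialNumber, issuer DN string) from a DER-encoded Certificate."""
    _, cert, _ = _read_tlv(cert_der, 0)               # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs, _ = _read_tlv(cert, 0)                    # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                          # [0] EXPLICIT version is absent in v1 certs
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)   # serialNumber INTEGER
    return serial, name_to_dn(fields[2][1])           # fields[1] is the signature AlgorithmIdentifier


def filter_escape(s):
    """RFC 4515 escaping of an assertion value: backslash, parens, '*' and NUL become \\XX."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in s)


def certificate_exact_filter(cert_der, attr="userCertificate;binary"):
    """Search filter for the entry holding cert_der, in the serial$issuer assertion form."""
    serial, issuer = serial_and_issuer(cert_der)
    assertion = f"{serial}${issuer}"                  # the value slapd's pretty/normalize step expects
    return f"({attr}={filter_escape(assertion)})"


# ---- constructed test input: NOT a real certificate (unsigned, tbs truncated after issuer)

def _der(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_fake_cert(serial, issuer_rdns, v3=True):
    """issuer_rdns: [(oid_bytes, value)] in DER (forward, country-first) order."""
    ava = lambda oid, val: _der(0x30, _der(0x06, oid) + _der(0x0C, val.encode()))
    issuer = _der(0x30, b"".join(_der(0x31, ava(o, v)) for o, v in issuer_rdns))
    version = _der(0xA0, _der(0x02, b"\x02")) if v3 else b""
    serial_der = _der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    sha256_rsa = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    tbs = _der(0x30, version + serial_der + sha256_rsa + issuer)
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 5))    # dummy signature BIT STRING


SAMPLE_CERT = build_fake_cert(1715004, [(b"\x55\x04\x06", "US"),
                                         (b"\x55\x04\x0a", "Example, Inc."),
                                         (b"\x55\x04\x03", "Example Issuing CA")])

if __name__ == "__main__":
    print(serial_and_issuer(SAMPLE_CERT))
    print(certificate_exact_filter(SAMPLE_CERT))
```

Two things worth noticing in the output: the issuer comes out in LDAP order (`cn=...,o=...,c=US`), and the `\,` that RFC 4514 puts in front of the comma in `Example, Inc.` is escaped a second time to `\5c` for the filter, because the filter grammar and the DN grammar each have their own escaping and slapd undoes the filter layer before it parses the DN. On the JNDI side the string goes in as an ordinary filter; passing the certificate's `byte[]` through the `filterArgs` form of `DirContext.search` sends the DER bytes as the assertion value, which is exactly what the trace shows slapd rejecting.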