
Re: problem searching directory for a certificate

drewgr wrote:
I have a Java based application using JNDI to connect with OpenLDAP.
One of the functions requires searching the directory for a given
certificate.  No matter what I try, this will not work with OpenLDAP.  I
think that either OpenLDAP just is not able to search for binary data,
or more likely there is something "special" about the
"userCertificate;binary" attribute.

I turned on full tracing in the LDAP log, and I see the following when
the relevant search is executed.

  >>>  serialNumberAndIssuerPretty:<various "graphics" characters>
  get_ava: illegal value for attributeType userCertificate
  end get_filter 0
  end get_filter_list
  end get_filter 0
      filter: (&(?=undefined))
  =>  get_ctrls
  =>  get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
  <= get_ctrls: n=1 rc=0 err=""

The "filter: (&(?=undefined))" seems really fishy to me.  When I do any
other search, the line looks more like "(&(uid=GregD))".

Sounds like your client is supplying illegal values for the filter. In OpenLDAP 2.4 you'd get a clearer log message in these situations.

From the application side, it appears that the request succeeded, but
it returns nothing.

Right, the LDAP spec says it's not an error to receive a filter that couldn't be understood, so slapd doesn't return any error message in this case.

I know the certificate exists in the directory, as
I can search on an ordinary attribute like uid and then get the
userCertificate;binary attribute from the result.  The data returned is
a valid certificate.

I have watched the packet stream back and forth, and the query is
getting transmitted to the slapd correctly, but no matches are
returned.  Setting com.sun.jndi.ldap.trace.ber to System.out in the
application gives trace data which indicates the same thing.

You should have included the packet log in your post so that we can see what your client and slapd are doing.

To further validate my suspicions that this is an OpenLDAP issue, I set
up a Sun Directory Server instance on the same server, and I am able to
perform the search against that software.

I've also started looking around the OpenLDAP source code, but so far
have not found the smoking gun.

Can anyone shed some light on this for me?

The OS is CentOS 5.2, latest patches.  The OpenLDAP version is 2.3.27-8
as reported by rpm.

Your OpenLDAP version is far out of date. You should upgrade to 2.4.11 and try again, and include slapd debug logs if the problem is still there.

Thanks Greg

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/