[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Difference between 2.4.30 and 2.3.43 in certificateMatch.

Quoting Howard Chu <hyc@symas.com>:

Mike Hulsman wrote:

I stumbled upon an difference between openldap 2.4.30 and 2.3.43.

This is my configuration.
X509 certificates are stored in the directory and a search is done with:
certificate)) if that is a match the uid must be returned.

That is working on 2.3.43 but when I try that on 2.4.30 it does not
work and I start debugging I see
filter="(&(mail=aaa@a.b)(?=undefined))" in the logfiles.

The certificateMatch rule takes a certificateAssertion, not a certificate. Your filter value is invalid.
Sorry for the kmisunderstanding, I don't know all correct naming.
But from what I understand after a lot of reading I am doing an certificateAsserion.

I try to do a certificateMatch on an octet string.

I did some more debugging my exact filter is:
(&(mail=aaa@a.b)(userCertificate;binary:certificateMatch:=\30\82\04\8a\30\ etc. etc .)) uid
In the logging the filter is displayed as: (&(mail=aaa@a.b)(?=undefined))

Without the certificatematch like
(&(mail=aaa@a.b)(userCertificate;binary=*)) the results is fine and I see in the logging the filter apearing as (&(mail=aaa@a.b)(userCertificate;binary=*))

But it also looks like there may be a bug in 2.4.x also, as the support for certificateMatch was removed in commit 4c64b8626d5b2b26256446dbc29f63ab45b5ec1d March 2006. Not sure why, would have to check the email archives or ask Kurt.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Mike Hulsman

This message was sent using IMP, the Internet Messaging Program.