Hi
a) I have extracted the user certificate from the directory to a file using "ldapsearch -t ....". I've encoded the result file with hexdump and added slashes (and double slashes, and also tested with reversing the byte order). I am using the result as a search filter against the directory, and get no results.
b) I've copy/pasted all the values from the Apache error_log (which come from the user's browser) and used them as a filter to ldapsearch, and nothing:
userCertificate=\30\82\07\38\30\82\06\20\a0\03\02\01\02\02\08\d9\33\e0\f2\f9\5d\0f\30\0d\06\09\2a\86\48\86 etc etc etc
a) and b) filters are the same, so I think I am doing the right tests, without errors.
I don't have any more ideas... :( help.....
c) I will make every test again next Monday just to be sure I didn't copy/paste any error.
I am starting to think of making some smaller test case with some other binary fields, like a jpg for example. What do you think? Add an image attribute to the user, load a very small (1x1) jpg, hexdump it to a file and try to feed it to ldapsearch until I get something. This is the only idea I have so far that other users could test without too much effort and compare results with me....
Luis
ldapsearch -x -h 10.15.254.148 -p 389 -D "cn=root,dc=cm-lisboa,dc=pt" -w ***** -s sub -b "ou=AuthzLDAPCertmap,dc=cm-lisboa,dc=pt" '(&(userCertificate;binary=\30\82\07\38\30\82\06\20\a0\03\02\01\02\02\08\d9\33\e0\f2\f9\5d\0f\30\0d\06\09\2a\86\48\86 etc etc etc )(objectClass=strongAuthenticationUser))'
It is legal to use an octet string for certificateExactMatch. In OpenLDAP the octet string is simply parsed and turned into a certificate assertion value and then matched as usual.
Probably the encoding of his filter value is just wrong. And of course, it would be simpler to just use a certificate assertion value instead.
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
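An added example, not part of the original thread: one way to build and sanity-check the octet-string form of the filter discussed above, so that every byte of the DER file becomes exactly one `\xx` escape in file order. The function names are hypothetical, and the filter shape is copied from the ldapsearch command in the message.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# der_to_filter_value FILE
# Print each byte of FILE as an RFC 4515 escape (\xx), in file order.
#   od -An  : no offset column
#   od -v   : do not collapse repeated lines into "*"
#   od -tx1 : one byte per unit
# Plain `hexdump` with no format prints 16-bit words in host byte order
# and squeezes repeated lines, so its output is not a byte-for-byte listing.
der_to_filter_value() {
    od -An -v -tx1 "$1" | tr -d '[:space:]' | sed 's/../\\&/g'
}

# cert_filter FILE
# Wrap the escaped value in the filter used in the thread's ldapsearch call.
cert_filter() {
    printf '(&(userCertificate;binary=%s)(objectClass=strongAuthenticationUser))' \
        "$(der_to_filter_value "$1")"
}

# check_filter_value VALUE FILE
# Return 0 only if a hand-built or pasted VALUE is byte-for-byte the escaped
# form of FILE. Hex case is ignored; whitespace is not, because a space
# inside the filter is matched as a literal byte of the value.
check_filter_value() {
    got=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    want=$(der_to_filter_value "$2")
    [ "$got" = "$want" ]
}

# Stand-alone use: ./script cert.der   (cert.der is a DER file, e.g. the
# temporary file written by "ldapsearch -t")
if [ -n "${1:-}" ]; then
    cert_filter "$1"
    echo
fi
```

Pass the printed filter to ldapsearch inside single quotes so the shell leaves the backslashes alone.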