Howard Chu wrote:
Michael Ströder wrote:
But userCertificate has certificateExactMatch (2.5.13.34) defined as equality matching rule. This is *not* the octetStringMatch (2.5.13.17) matching rule.
It is legal to use an octet string for certificateExactMatch. In OpenLDAP the octet string is simply parsed and turned into a certificate assertion value and then matched as usual.
It does not work for me with 2.4.22. It's a cert which was downloaded from the directory.
In syslog the following filter is logged:
(?userCertificate;binary=0\82\05M0\82\045\A0...)
The filter string seems right to me. It's a cert which was downloaded from one directory entry. But no results returned.
Searching certs with octetStringMatch will obviously not perform well though. I'd recommend to think about another method.
Probably the encoding of his filter value is just wrong. And of course, it would be simpler to just use a certificate assertion value instead.
Performance would be bad anyway. The approach to map certs to user entries by searching for the whole cert is flawed.
Ciao, Michael.
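
The two filter forms discussed in this thread, as an added example that is not part of the original messages: it reads the serial number from a DER certificate and builds both the whole-certificate octet string filter and an RFC 4523 certificate assertion value filter. The function names, the sample bytes, the issuer DN and the attribute descriptions used as defaults are assumptions; the issuer DN is taken as an already formatted string.

```python
# Added illustration; all names and sample values below are constructed.

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def cert_serial(der):
    """Serial number from Certificate -> tbsCertificate -> serialNumber."""
    _, pos, _ = _tlv(der, 0)           # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)         # tbsCertificate SEQUENCE
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                    # optional [0] version comes first
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[start:end], "big", signed=True)

def octet_filter(der, attr="userCertificate;binary"):
    """RFC 4515 filter with every byte of the DER value written as \\xx."""
    return "(%s=%s)" % (attr, "".join("\\%02x" % b for b in der))

def exact_match_filter(serial, issuer_dn, attr="userCertificate"):
    """Filter carrying an RFC 4523 certificateExactMatch assertion (GSER)."""
    gser = '{ serialNumber %d, issuer rdnSequence:"%s" }' % (
        serial, issuer_dn.replace('"', '""'))   # GSER doubles embedded quotes
    for ch in "\\*()\x00":                      # RFC 4515 escapes, backslash first
        gser = gser.replace(ch, "\\%02x" % ord(ch))
    return "(%s=%s)" % (attr, gser)

# Constructed DER prefix: only the version and serialNumber (0x0123) fields.
SAMPLE_DER_PREFIX = bytes.fromhex("300b3009a00302010202020123")

if __name__ == "__main__":
    serial = cert_serial(SAMPLE_DER_PREFIX)
    print(octet_filter(SAMPLE_DER_PREFIX))
    print(exact_match_filter(serial, "CN=Example (Test) CA,O=Example"))
```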