Hi! I use OpenLDAP 2.39. I need to find the certificate with sn 61a430c600000000000c and issuer email adm@test.com, but when I try this search: (userCertificate:certificateExactMatch:=61a430c600000000000c$email=adm@test.com), OpenLDAP prints this error: filter=(?=undefined). I have understood that sn should be in dec form, but converting hex->dec did not help. How do I correctly convert sn to dec?
networm@mail15.com wrote:
> Hi! I use OpenLDAP 2.39. I need to find the certificate with sn 61a430c600000000000c and issuer email adm@test.com, but when I try this search: (userCertificate:certificateExactMatch:=61a430c600000000000c$email=adm@test.com), OpenLDAP prints this error: filter=(?=undefined). I have understood that sn should be in dec form, but converting hex->dec did not help. How do I correctly convert sn to dec?
Not sure what 2.39 means; however, with OpenLDAP 2.3 & 2.4 the (old) certificateExactMatch assertion syntax "sn$id" works, with sn in decimal. With OpenLDAP 2.4, also the GSER syntax works. I note that in OpenLDAP 2.3 certificateExactMatch was conditioned on the availability of TLS, while in OpenLDAP 2.4 the code is all built-in.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it ---------------------------------------
Sorry, I mean 2.3.39. certificateExactMatch works well when sn is low (e.g. sn 0xC0003 converts to 3, and OpenLDAP finds this certificate), but when sn is big (>9 in decimal) I don't know how to convert that sn to decimal. Simply converting 61a430c600000000000c from hex to dec (with online converters) does not help (no search result from OpenLDAP).
networm@mail15.com wrote:
> Sorry, I mean 2.3.39. certificateExactMatch works well when sn is low (e.g. sn 0xC0003 converts to 3, and OpenLDAP finds this certificate), but when sn is big (>9 in decimal) I don't know how to convert that sn to decimal. Simply converting 61a430c600000000000c from hex to dec (with online converters) does not help (no search result from OpenLDAP).
OK, then the problem is that OpenLDAP 2.3's certificateExactMatch normalization needed integers within 32 bit (31 bit is LDAP's limitation, but not X509). You need to use OpenLDAP 2.4.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
ok, thanks.
openldap-software@openldap.org
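
Added example, not part of the original thread: a Python helper that converts a hexadecimal certificate serial to decimal and builds the certificateExactMatch filter in both the old "sn$id" form and the GSER form mentioned in the replies. The function names are hypothetical, the issuer string is the one typed in the question, and the 32-bit check follows the wording of the reply about OpenLDAP 2.3.

```python
import re

ATTR_RULE = "userCertificate:certificateExactMatch:="

def serial_to_decimal(hex_serial: str) -> int:
    """Parse a serial as printed by certificate tools: hex, optional 0x or colons."""
    cleaned = hex_serial.strip().lower().replace(":", "").replace(" ", "")
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError(f"not a hex serial number: {hex_serial!r}")
    # Python integers are arbitrary precision, so long serials are not truncated.
    return int(cleaned, 16)

def fits_32_bits(hex_serial: str) -> bool:
    """True if the serial stays within the 32-bit range the reply gives for 2.3."""
    return serial_to_decimal(hex_serial).bit_length() <= 32

def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an LDAP filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def legacy_filter(hex_serial: str, issuer: str) -> str:
    """Old assertion syntax: decimal serial, '$', issuer."""
    assertion = f"{serial_to_decimal(hex_serial)}${issuer}"
    return f"({ATTR_RULE}{escape_filter_value(assertion)})"

def gser_filter(hex_serial: str, issuer: str) -> str:
    """GSER assertion syntax (RFC 4523); a double quote in the DN is doubled."""
    quoted = issuer.replace('"', '""')
    assertion = (f"{{ serialNumber {serial_to_decimal(hex_serial)}, "
                 f'issuer rdnSequence:"{quoted}" }}')
    return f"({ATTR_RULE}{escape_filter_value(assertion)})"

if __name__ == "__main__":
    # Serial and issuer string as given in the question.
    serial, issuer = "61a430c600000000000c", "email=adm@test.com"
    print("fits in 32 bits:", fits_32_bits(serial))
    print(legacy_filter(serial, issuer))
    print(gser_filter(serial, issuer))
```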