drewgr wrote:
Folks, I have a Java-based application using JNDI to connect with OpenLDAP. One of the functions requires searching the directory for a given certificate. No matter what I try, this will not work with OpenLDAP. I think that either OpenLDAP just is not able to search for binary data, or more likely there is something "special" about the "userCertificate;binary" attribute.
I turned on full tracing in the LDAP log, and I see the following when the relevant search is executed.
serialNumberAndIssuerPretty:<various "graphics" characters>
get_ava: illegal value for attributeType userCertificate
end get_filter 0
end get_filter_list
end get_filter 0
filter: (&(?=undefined))
=> get_ctrls
=> get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
<= get_ctrls: n=1 rc=0 err=""
attrs:
The "filter: (&(?=undefined))" seems really fishy to me. When I do any other search, the line looks more like "(&(uid=GregD))"
Sounds like your client is supplying illegal values for the filter. In OpenLDAP 2.4 you'd get a clearer log message in these situations.
From the application side, it appears that the request succeeded, but it returns nothing.
Right, the LDAP spec says it's not an error to receive a filter that couldn't be understood, so slapd doesn't return any error message in this case.
I know the certificate exists in the directory, as I can search on an ordinary attribute like uid and then get the userCertificate;binary attribute from the result. The data returned is a valid certificate.
I have watched the packet stream back and forth, and the query is getting transmitted to the slapd correctly, but no matches are returned. Setting com.sun.jndi.ldap.trace.ber to System.out in the application gives trace data which indicates the same thing.
You should have included the packet log in your post so that we can see what your client and slapd are doing.
To further validate my suspicions that this is an OpenLDAP issue, I set up a Sun Directory Server instance on the same server, and I am able to perform the search against that software.
I've also started looking around the OpenLDAP source code, but so far have not found the smoking gun.
Can anyone shed some light on this for me?
The OS is CentOS 5.2, latest patches. The OpenLDAP version is 2.3.27-8 as reported by rpm.
Your OpenLDAP version is far out of date. You should upgrade to 2.4.11 and try again, and include slapd debug logs if the problem is still there.
Thanks Greg
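Added example, not code from the thread: the "serialNumberAndIssuerPretty:" line followed by binary garbage suggests slapd is trying to parse the filter's assertion value as a certificateExactMatch assertion, which RFC 4523 defines as a serial number plus issuer DN, not the certificate's DER bytes. The snippet below builds that assertion from the X509Certificate instead of passing the raw encoding; the class and method names are mine, and whether slapd 2.3.27 accepts the `issuer rdnSequence:"..."` spelling (versus a plain quoted DN) is an assumption to check against that version's schema_init.c.

```java
import java.security.cert.X509Certificate;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public final class CertificateSearch {

    // RFC 4515 escaping for characters that are special inside a filter
    // assertion value; an RFC 2253 issuer DN may legitimately contain '\'.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // certificateExactMatch assertion (RFC 4523): identify the certificate by
    // serial number and issuer, not by its DER encoding. (Assumed form; slapd
    // 2.3 may expect `issuer "<dn>"` without the rdnSequence: prefix.)
    static String certificateExactFilter(X509Certificate cert) {
        String serial = cert.getSerialNumber().toString();        // decimal INTEGER
        String issuer = cert.getIssuerX500Principal().getName();  // RFC 2253 string
        String assertion = "{ serialNumber " + serial
                + ", issuer rdnSequence:\"" + issuer + "\" }";
        return "(userCertificate=" + escapeFilterValue(assertion) + ")";
    }

    static NamingEnumeration<SearchResult> findByCertificate(
            DirContext ctx, String searchBase, X509Certificate cert)
            throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"uid"});
        // Not: ctx.search(base, "(userCertificate;binary={0})",
        //   new Object[] {cert.getEncoded()}, sc) -- JNDI sends the DER as a
        // \hh-escaped string, which is not a valid assertion for this matching
        // rule, so slapd logs "illegal value" and silently matches nothing.
        return ctx.search(searchBase, certificateExactFilter(cert), sc);
    }
}
```

If the search still returns nothing, run it with slapd debug logging and confirm the logged filter now reads `(userCertificate=...)` rather than `(?=undefined)`.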