Hi all!
To avoid the slapd’s core dump when using component match filters (see ITS # 6556) I removed line 556 of file “servers/slapd/filter.c”:

         case LDAP_FILTER_EXT:
                //mra_free( op, f->f_mra, 1 );
                break;

Now component match filter search requests are answered by slapd but don’t work correctly. In fact nothing is found! For example the request

/home/openldap/openldap-2.4.21-install/bin/ldapsearch -h localhost -p 9389 -D cn=openldapadmin -w welcome -b o=CustomerCA,c=de -s sub "(userCertificate:componentFilterMatch:=item:{ component \"toBeSigned.serialNumber\", rule allComponentsMatch, value 449 })" sncertnr

is answered with

# extended LDIF
#
# LDAPv3
# base <o=CustomerCA,c=de> with scope subtree
# filter: (userCertificate:componentFilterMatch:=item:{ component "toBeSigned.serialNumber", rule allComponentsMatch, value 449 })
# requesting: sncertnr
#

# search result
search: 2
result: 0 Success

# numResponses: 1

But in the database of slapd there are several certificates with serialNumber 449:

lehnert.hartmut@sn-ocspr4:/opt/lehnert/Openldap-Support$ ./dumpasn1  449.cer
   0 30  702: SEQUENCE {
   4 30  551:   SEQUENCE {
   8 A0    3:     [0] {
  10 02    1:       INTEGER 2
            :       }
  13 02    2:     INTEGER 449
  17 30   13:     SEQUENCE {
  19 06    9:       OBJECT IDENTIFIER
            :         sha256WithRSAEncryption (1 2 840 113549 1 1 11)
  30 05    0:       NULL
            :       }
  32 30  111:     SEQUENCE {
  34 31   11:       SET {
  36 30    9:         SEQUENCE {
  38 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
  43 13    2:           PrintableString 'DE'
            :           }
            :         }
  47 31   12:       SET {

On slapd’s side the debug message

bdb_search: <integer> does not match filter

is written out for every record.

What’s going wrong here?

Regards,
Hartmut