---------- Forwarded message ----------
From: Erwann Abalea <eabalea@gmail.com>
Date: 2012/12/3
Subject: Re: Difference between 2.4.30 and 2.3.43 in certificateMatch.
To: Mike Hulsman <mike@hulsman.net>

2012/12/3 Mike Hulsman <mike@hulsman.net>

Quoting Erwann Abalea <eabalea@gmail.com>:

2012/12/3 Mike Hulsman <mike@hulsman.net>


Quoting Howard Chu <hyc@symas.com>:


[...]

No. Read RFC4523.


After a lot of reading and testing I still cannot get it working.

I read RFC4523 and am now doing an ldap search of
(usercertificate:certificateExactMatch:=certificate_serial_number$certificate_Issuer_DN)
Then I get a (?=undefined) in my logfile, so the query is not correct.
In my schema is 2.5.4.36 and 2.5.4.37 defined.

When I search on
(usercertificate=certificate_serial_number$certificate_Issuer_DN)

I see the query in the log so I assume it is ok, but in the debugging I see
"illegal value for attributeType usercertificate"


Here's what I use:

'userCertificate={ serialNumber <yourserial>, issuer "<yourIssuerDN>" }'

For example:
'userCertificate={ serialNumber 5090, issuer "cn=passport country signing
authority, ou=ptb, ou=dfat, o=gov, c=au" }'
Thanks a lot for pointing me in the right direction,

The search is working now.
Now I also noticed that I put in the serial number in hex instead of decimal.
That is what I was doing wrong :-(

You can express the serial number in hex. My example becomes
'... serialNumber 0x13E2, issuer ...'

OpenLDAP follows the X.520 name comparison rules for the issuer name; you can switch case, change spaces into multiple spaces, add leading/trailing spaces, etc. I hadn't looked at the code yet to understand why asking for serialNumber 0x013E2 or 05090 doesn't match my certificates.

--
Erwann.
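The following is an added example, not code from the thread or from OpenLDAP. It builds the RFC 4523 certificateExactMatch assertion value quoted above (`{ serialNumber N, issuer "DN" }`), shows the decimal and `0x` hex spellings of the same serial (5090 is 0x13E2), wraps the value in a search filter, and applies a simplified matcher: the serial is compared as an integer and the issuer DN after a case-insensitive, whitespace-collapsing normalisation in the spirit of the X.520 rules mentioned. The parser treats zero-padded literals such as `05090` or `0x013E2` as malformed; that is this example's own strictness, not a statement about why OpenLDAP rejected them. The issuer DN is the one from the thread; everything else (function names, the normalisation) is an assumption of this example.

```python
"""Build, parse and evaluate RFC 4523 certificateExactMatch assertion values.

Added example (not from the thread or OpenLDAP). The DN normalisation below is
a deliberate simplification of X.520 name matching, sufficient to show that
case and spacing differences in the issuer do not affect the match.
"""
import re

# Constructed sample values, taken from the thread's own example.
SAMPLE_SERIAL = 5090  # == 0x13E2
SAMPLE_ISSUER = ("cn=passport country signing authority, ou=ptb, ou=dfat, "
                 "o=gov, c=au")

# GSER-style value: { serialNumber <decimal|0xhex>, issuer "<DN>" }
_ASSERTION_RE = re.compile(
    r'^\s*\{\s*serialNumber\s+(0x[0-9A-Fa-f]+|\d+)\s*,\s*'
    r'issuer\s+"((?:[^"\\]|\\.)*)"\s*\}\s*$'
)


def assertion_value(serial, issuer, hex_serial=False):
    """Return the assertion value for a serial/issuer pair, serial in decimal or 0x hex."""
    if serial < 0:
        raise ValueError("X.509 serial numbers are positive integers")
    serial_text = f"0x{serial:X}" if hex_serial else str(serial)
    escaped = issuer.replace("\\", "\\\\").replace('"', '\\"')  # quote the DN string
    return f'{{ serialNumber {serial_text}, issuer "{escaped}" }}'


def search_filter(serial, issuer, attribute="userCertificate", hex_serial=False):
    """Wrap the assertion value in an extensible-match filter with RFC 4515 escaping."""
    value = assertion_value(serial, issuer, hex_serial)
    # '(' ')' '*' '\' and NUL must be escaped as \XX inside a filter value.
    value = re.sub(r"[()*\\\x00]", lambda m: "\\%02x" % ord(m.group()), value)
    return f"({attribute}:certificateExactMatch:={value})"


def _parse_serial(text):
    """Accept canonical decimal or 0x-hex literals only; zero-padded forms are rejected."""
    if text.startswith("0x"):
        digits, base = text[2:], 16
    else:
        digits, base = text, 10
    if len(digits) > 1 and digits[0] == "0":
        raise ValueError(f"zero-padded serial literal rejected: {text!r}")
    return int(digits, base)


def parse_assertion(text):
    """Parse '{ serialNumber N, issuer "DN" }' into (int, str)."""
    m = _ASSERTION_RE.match(text)
    if not m:
        raise ValueError(f"not a certificateExactMatch assertion: {text!r}")
    serial_text, issuer = m.groups()
    serial = _parse_serial(serial_text)
    issuer = issuer.replace('\\"', '"').replace("\\\\", "\\")  # undo GSER quoting
    return serial, issuer


def is_valid_assertion(text):
    """True if the text parses as an assertion value, False otherwise."""
    try:
        parse_assertion(text)
        return True
    except ValueError:
        return False


def normalize_dn(dn):
    """Simplified name normalisation: per RDN, lower-case type and value,
    collapse runs of whitespace and trim. Real X.520/caseIgnoreMatch rules
    are richer (per-attribute syntaxes, multi-valued RDNs); this is enough
    to make 'CN=Foo  Bar' and 'cn=foo bar' compare equal."""
    rdns = re.split(r"(?<!\\),", dn)  # split on unescaped commas
    parts = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        value = re.sub(r"\s+", " ", value).strip().lower()
        parts.append(f"{attr_type.strip().lower()}={value}")
    return ",".join(parts)


def certificate_matches(cert_serial, cert_issuer, assertion):
    """Evaluate certificateExactMatch against a certificate's serial and issuer."""
    serial, issuer = parse_assertion(assertion)
    return serial == cert_serial and normalize_dn(issuer) == normalize_dn(cert_issuer)


if __name__ == "__main__":
    print(search_filter(SAMPLE_SERIAL, SAMPLE_ISSUER))
    print(search_filter(SAMPLE_SERIAL, SAMPLE_ISSUER, hex_serial=True))
```

Running the module prints the two filters a client would send for the thread's certificate, one with `serialNumber 5090` and one with `serialNumber 0x13E2`; `certificate_matches` accepts either spelling against the same certificate, and an issuer written in different case or with extra spaces still matches, while a different serial or a zero-padded literal does not.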