Hi,
I stumbled upon a difference between openldap 2.4.30 and 2.3.43.
This is my configuration. X.509 certificates are stored in the directory and a search is done with: (&(mail=aaa@a.b)(userCertificate:certificateMatch:=<binary certificate>)); if that matches, the uid must be returned.
That is working on 2.3.43, but when I try that on 2.4.30 it does not work, and when I start debugging I see filter="(&(mail=aaa@a.b)(?=undefined))" in the logfiles.
The request is the same on both openldap servers, I copied the schemas and the ACLs are the same. A slapcat was done on 2.3.43 and imported on 2.4.30.
An ldapsearch on both servers for that user returns the same data.
Do I need some more configuration for the 2.4.30 version, or am I doing something wrong?
The 2.3.43 version is working properly, but I want to update to 2.4.xx for better replication.
Kind regards. Mike Hulsman
---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.
Mike Hulsman wrote:
This is my configuration. X.509 certificates are stored in the directory and a search is done with: (&(mail=aaa@a.b)(userCertificate:certificateMatch:=<binary certificate>)); if that matches, the uid must be returned.
That is working on 2.3.43, but when I try that on 2.4.30 it does not work, and when I start debugging I see filter="(&(mail=aaa@a.b)(?=undefined))" in the logfiles.
The certificateMatch rule takes a certificateAssertion, not a certificate. Your filter value is invalid.
But it also looks like there may be a bug in 2.4.x, as the support for certificateMatch was removed in commit 4c64b8626d5b2b26256446dbc29f63ab45b5ec1d in March 2006. Not sure why; I would have to check the email archives or ask Kurt.
Quoting Howard Chu hyc@symas.com:
Mike Hulsman wrote:
The certificateMatch rule takes a certificateAssertion, not a certificate. Your filter value is invalid.
Sorry for the misunderstanding, I don't know all the correct naming. But from what I understand after a lot of reading, I am doing a certificateAssertion.
I try to do a certificateMatch on an octet string.
I did some more debugging; my exact filter is: (&(mail=aaa@a.b)(userCertificate;binary:certificateMatch:=\30\82\04\8a\30\ etc. etc.)) uid. In the logging the filter is displayed as: (&(mail=aaa@a.b)(?=undefined))
Without the certificateMatch, like (&(mail=aaa@a.b)(userCertificate;binary=*)), the result is fine and I see in the logging the filter appearing as (&(mail=aaa@a.b)(userCertificate;binary=*))
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Mike Hulsman
Mike Hulsman wrote:
Sorry for the misunderstanding, I don't know all the correct naming. But from what I understand after a lot of reading, I am doing a certificateAssertion.
I try to do a certificateMatch on an octet string.
No. Read RFC4523.
Quoting Howard Chu hyc@symas.com:
No. Read RFC4523.
After a lot of reading and testing I still cannot get it working.
I read RFC4523 and am now doing an ldap search of (usercertificate:certificateExactMatch:=certificate_serial_number$certificate_Issuer_DN). Then I get an (?=undefined) in my logfile, so the query is not correct. In my schema 2.5.4.36 and 2.5.4.37 are defined.
When I search on (usercertificate=certificate_serial_number$certificate_Issuer_DN) I see the query in the log, so I assume it is ok, but in the debugging I see "illegal value for attributeType usercertificate".
What am I missing in this?
Regards, Mike Hulsman
2012/12/3 Mike Hulsman mike@hulsman.net
I read RFC4523 and am now doing an ldap search of (usercertificate:certificateExactMatch:=certificate_serial_number$certificate_Issuer_DN). Then I get an (?=undefined) in my logfile, so the query is not correct. In my schema 2.5.4.36 and 2.5.4.37 are defined.
When I search on (usercertificate=certificate_serial_number$certificate_Issuer_DN) I see the query in the log, so I assume it is ok, but in the debugging I see "illegal value for attributeType usercertificate".
Here's what I use:
'userCertificate={ serialNumber <yourserial>, issuer "<yourIssuerDN>" }'
For example: 'userCertificate={ serialNumber 5090, issuer "cn=passport country signing authority, ou=ptb, ou=dfat, o=gov, c=au" }'
Quoting Erwann Abalea eabalea@gmail.com:
Thanks a lot for pointing me in the right direction.
The search is working now. I also noticed that I put in the serial number in hex instead of decimal. That is what I was doing wrong :-(, and I also forgot the serialNumber and issuer keywords.
Regards. Mike Hulsman
-- Erwann.
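Putting Erwann's assertion format and Mike's hex-versus-decimal finding together, here is an added example (not from the thread or from OpenLDAP itself) that builds the userCertificate filter from the serial and issuer lines that `openssl x509 -noout -serial -issuer` prints. The sample OpenSSL output is constructed, assumes the older slash-style DN format, and uses values chosen so the result matches the example in the thread (0x13E2 is 5090).

```python
import re

# Constructed sample of `openssl x509 -noout -serial -issuer` output (older
# slash-style DN format); not a real certificate.
OPENSSL_OUTPUT = """\
serial=13E2
issuer= /C=au/O=gov/OU=dfat/OU=ptb/CN=passport country signing authority
"""

def escape_rdn_value(value: str) -> str:
    """Escape the characters RFC 4514 section 2.4 treats as special in a DN value."""
    value = re.sub(r'([,+"\\<>;])', r'\\\1', value)
    if value[:1] in ("#", " "):
        value = "\\" + value
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    return value

def openssl_issuer_to_ldap_dn(slash_dn: str) -> str:
    """Turn OpenSSL's '/C=x/O=y/CN=z' form into the RFC 4514 string 'cn=z, o=y, c=x'.
    OpenSSL prints DER order (root first); an LDAP DN string starts with the leaf
    RDN, so the sequence is reversed. Assumes no '/' inside attribute values."""
    rdns = [p for p in slash_dn.strip().split("/") if p]
    parts = []
    for rdn in reversed(rdns):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.lower()}={escape_rdn_value(value)}")
    return ", ".join(parts)

def certificate_exact_assertion(serial_hex: str, issuer_dn: str) -> str:
    """Build the RFC 4523 CertificateExactAssertion value in the form OpenLDAP
    accepts: serial number in DECIMAL (OpenSSL shows hex, the mistake in the
    thread) and the issuer DN double-quoted, embedded double quotes doubled."""
    serial = int(serial_hex, 16)
    quoted_issuer = issuer_dn.replace('"', '""')
    return f'{{ serialNumber {serial}, issuer "{quoted_issuer}" }}'

def ldap_filter_escape(value: str) -> str:
    """RFC 4515: inside a filter, ( ) * backslash and NUL in a value become \\XX."""
    return "".join("\\%02x" % ord(c) if c in "()*\\\x00" else c for c in value)

def build_search_filter(mail: str, openssl_output: str) -> str:
    """Compose the thread's (&(mail=...)(userCertificate=...)) filter. The equality
    rule of userCertificate is certificateExactMatch (RFC 4523), so the plain
    '=' form Erwann showed is enough; no extensible-match clause is needed."""
    fields = dict(line.split("=", 1) for line in openssl_output.splitlines() if "=" in line)
    issuer = openssl_issuer_to_ldap_dn(fields["issuer"])
    assertion = certificate_exact_assertion(fields["serial"].strip(), issuer)
    return f"(&(mail={ldap_filter_escape(mail)})(userCertificate={ldap_filter_escape(assertion)}))"

if __name__ == "__main__":
    print(build_search_filter("aaa@a.b", OPENSSL_OUTPUT))
```

The printed filter can be passed verbatim to ldapsearch; a value that still shows up as (?=undefined) in the slapd log means the assertion did not parse, so compare it against this output first.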