5:58 p.m.
Hi, I'm trying to insert userCertificate values containing
x500UniqueIdentifiers. When the value appears at the SubjectNames, it
inserts correctly.
By this I assume there is a validation for the field formatting.
When I have a x500UniqueIdentifier at the IssuerNames it fails to
insert.
Is there a specific place where valid attributes and syntaxes for
IssuerNames should be declared?
Thanks
Jgcardoso.
10:05 a.m.
Juan Gonzalez wrote:
Hi, I’m trying to insert userCertificate values containing
x500UniqueIdentifiers. When the value appears at the SubjectNames, it inserts
correctly.
By this I assume there is a validation for the field formatting.
When I have a x500UniqueIdentifier at the IssuerNames it fails to insert.
Is there a specific place where valid attributes and syntaxes for IssuerNames
should be declared?
Certificate name validation just uses whatever schema is already loaded into
slapd, and x500UniqueIdentifier is in the core schema file so it should
already be present in your configuration.
However, subjectNames aren't fully parsed during certificate validation, while
issuerNames are. So e.g. a syntax error in subjectName will not be detected at
insert time.
Can you post an example certificate? I have a feeling that our DN validator
here may not be handling the syntax for x500UniqueIdentifier but would like to
double check.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
1:45 p.m.
Howard Chu wrote:
Juan Gonzalez wrote:
> Hi, I’m trying to insert userCertificate values containing
> x500UniqueIdentifiers. When the value appears at the SubjectNames, it inserts
> correctly.
>
> By this I assume there is a validation for the field formatting.
>
> When I have a x500UniqueIdentifier at the IssuerNames it fails to insert.
>
> Is there a specific place where valid attributes and syntaxes for IssuerNames
> should be declared?
Certificate name validation just uses whatever schema is already loaded into
slapd, and x500UniqueIdentifier is in the core schema file so it should
already be present in your configuration.
However, subjectNames aren't fully parsed during certificate validation, while
issuerNames are. So e.g. a syntax error in subjectName will not be detected at
insert time.
Can you post an example certificate? I have a feeling that our DN validator
here may not be handling the syntax for x500UniqueIdentifier but would like to
double check.
I should also warn you, x500UniqueIdentifier has a bitstring syntax, and this
syntax is extremely clumsy in LDAP. Judging from the certificate you sent me,
you're trying to use this attribute as a regular octetstring. The two are
quite different. E.g. if you have a value in the certificate
"x500UniqueIdentifier=ABC" in LDAP this is represented as
"x500UniqueIdentifier='010000010100001001000011'B"
I would strongly encourage you to use some other attribute other than
x500UniqueIdentifier, and to avoid any attributes that use bitstring syntax as
this one does.
The bitstring syntax is intended for data items that are actually an arbitrary
string of bits, in particular, a string that may not be aligned on octet
boundaries. If the only data you're storing is actually sequences of octets,
this is a very inefficient choice of syntax.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
9:56 a.m.
Howard Chu wrote:
I should also warn you, x500UniqueIdentifier has a bitstring syntax,
and
this syntax is extremely clumsy in LDAP. Judging from the certificate
you sent me, you're trying to use this attribute as a regular
octetstring. The two are quite different.
I suspected something like this. There has quite some confusion about
x500UniqueIdentifier also in other software:
https://issues.apache.org/bugzilla/show_bug.cgi?id=45107
Ciao, Michael.
4562
days inactive
4564
days old
openldap-technical@openldap.org
3 comments
3 participants
participants (3)
-
Howard Chu -
Juan Gonzalez -
Michael Ströder