---------- Forwarded message ----------
From: Erwann Abalea <[email protected]>
Date: 2012/12/3
Subject: Re: Difference between 2.4.30 and 2.3.43 in certificateMatch.
To: Mike Hulsman <[email protected]>
2012/12/3 Mike Hulsman <[email protected]>

> Quoting Erwann Abalea <[email protected]>:
>
>> 2012/12/3 Mike Hulsman <[email protected]>
>>
>>> Quoting Howard Chu <[email protected]>:
>>>
>>>> [...]
>>>>
>>>> No. Read RFC4523.
>>>
>>> After a lot of reading and testing I still cannot get it working.
>>>
>>> I read RFC4523 and am now doing an ldap search of
>>> (usercertificate:certificateExactMatch:=certificate_serial_number$certificate_Issuer_DN)
>>> Then I get an (?=undefined) in my logfile, so the query is not correct.
>>> In my schema 2.5.4.36 and 2.5.4.37 are defined.
>>>
>>> When I search on
>>> (usercertificate=certificate_serial_number$certificate_Issuer_DN)
>>>
>>> I see the query in the log so I assume it is ok, but in the debugging I
>>> see "illegal value for attributeType usercertificate"
>>
>> Here's what I use:
>>
>> 'userCertificate={ serialNumber <yourserial>, issuer "<yourIssuerDN>" }'
>>
>> For example:
>> 'userCertificate={ serialNumber 5090, issuer "cn=passport country signing
>> authority, ou=ptb, ou=dfat, o=gov, c=au" }'
>
> Thanks a lot for pointing me in the right direction,
>
> The search is working now.
> Now I also noticed that I put in the serial number in hex instead of
> decimal.
> That is what I was doing wrong :-(

You can express the serial number in hex. My example becomes '... serialNumber 0x13E2, issuer ...'

OpenLDAP follows the X.520 name comparison rules for the issuer name; you can switch case, change spaces into multiple spaces, add leading/trailing spaces, etc.

I hadn't looked at the code yet to understand why asking for serialNumber 0x013E2 or 05090 doesn't match my certificates.

-- 
Erwann.
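The following is an added example, not code from the thread, from OpenLDAP or from either poster. It builds the `{ serialNumber ..., issuer "..." }` assertion value in the form Erwann reports working, in either decimal or `0x` hex, and wraps it in a search filter escaped per RFC 4515 so that parentheses, asterisks or backslashes in an issuer DN cannot break the filter grammar. The function names, the `parse_openssl_serial` helper (which reads the `serial=13E2` line that `openssl x509 -noout -serial` prints, in hex without a `0x` prefix) and the sample issuer/serial pairs are all assumptions or constructed inputs; the 5090 / 0x13E2 pair and the passport issuer DN are the ones quoted in the thread.

```python
"""Build an RFC 4523 certificateExactMatch assertion for an LDAP search filter.

Added example; not OpenLDAP's code nor code posted in the thread. It emits the
assertion format reported working against OpenLDAP in the thread:

    userCertificate={ serialNumber <decimal or 0xHEX>, issuer "<issuer DN>" }

Function names and the constructed inputs below are illustrative.
"""
import re

# RFC 4515 section 3: these characters must be hex-escaped inside a filter
# assertion value so the filter parser does not read them as filter syntax.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def filter_escape(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter string."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_openssl_serial(line: str) -> int:
    """Turn the 'serial=13E2' line printed by `openssl x509 -noout -serial`
    (hexadecimal, no 0x prefix) into an integer. Accepts a bare hex string too."""
    m = re.fullmatch(r"\s*(?:serial=)?(?:0x)?([0-9A-Fa-f]+)\s*", line)
    if not m:
        raise ValueError(f"not an OpenSSL serial line: {line!r}")
    return int(m.group(1), 16)


def certificate_exact_assertion(serial: int, issuer_dn: str, hex_serial: bool = False) -> str:
    """Return the assertion value '{ serialNumber <n>, issuer "<dn>" }'.

    The serial is written without leading zeros in either radix: the thread
    reports that '05090' and '0x013E2' did not match a certificate that
    '5090' and '0x13E2' did. A literal '"' inside the issuer DN is rewritten
    to its RFC 4514 hex escape (backslash 22) so the quoted string stays intact.
    """
    if serial < 0:
        raise ValueError("X.509 serial numbers are non-negative integers")
    number = f"0x{serial:X}" if hex_serial else str(serial)
    dn = issuer_dn.replace('"', "\\22")
    return f'{{ serialNumber {number}, issuer "{dn}" }}'


def certificate_exact_filter(serial: int, issuer_dn: str,
                             attr: str = "userCertificate",
                             hex_serial: bool = False) -> str:
    """Return a complete, RFC 4515-escaped search filter selecting the entry
    that holds the certificate with this serial number and issuer."""
    assertion = certificate_exact_assertion(serial, issuer_dn, hex_serial)
    return f"({attr}={filter_escape(assertion)})"


if __name__ == "__main__":
    # Constructed sample: the issuer DN and serial quoted in the thread.
    issuer = "cn=passport country signing authority, ou=ptb, ou=dfat, o=gov, c=au"
    serial = parse_openssl_serial("serial=13E2")  # 5090
    print(certificate_exact_filter(serial, issuer))
    print(certificate_exact_filter(serial, issuer, hex_serial=True))
    # Constructed DN containing characters the filter grammar reserves.
    print(certificate_exact_filter(1, 'cn=Test (Ltd) "CA", o=Example'))
```

Pass the result to `ldapsearch` inside single quotes, since the assertion itself contains spaces and double quotes, for example `ldapsearch -x -b 'ou=people,dc=example,dc=com' '(userCertificate={ serialNumber 5090, issuer "cn=passport country signing authority, ou=ptb, ou=dfat, o=gov, c=au" })'` (base DN constructed). Only the serial number's radix and leading zeros are normalised here; the case and spacing of the issuer DN are deliberately left alone, because the server applies the X.520 name comparison rules Erwann mentions on its side.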
