Luís Neves wrote:
> I am trying to use mod_authz_ldap to query an X.509 certificate on an
> LDAP directory

This is rather an LDAP-related question, e.g. for the openldap-technical mailing list if you're using OpenLDAP server, or the more general list l...@umich.edu.

> in the directory, I have stored in the userCertificate attribute a
> BASE64 certificate:
>
> MIIHODCCBiCgAwIBAgIIX9kz4PL5XQ8wDQYJKo etc etc etc

You have to store the raw DER data in LDAP, not as base64-encoded data. Most people get confused by the LDIF representation of binary data, which is base64-encoded for NON-ASCII bytes. But in the LDAP requests/responses the data is *not* base64-encoded.

Which LDAP server is this? Recent versions of OpenLDAP would not accept wrong certs or CRLs.

And you have to use userCertificate;binary as attribute type when sending the LDAP request.

> the problem is that I see on the /var/log/httpd/ssl_error_log that
> mod_authz_ldap is making a query to the directory like this:
>
> filter: (&(userCertificate=\\30\\82\\07\\38\\30\\82\\06\\20\\a0\\[..]
> etc etc etc \\7d)(objectClass=strongAuthenticationUser)) base:
> ou=AuthzLDAPCertmap,dc=cm-lisboa,dc=pt, no such user
> [..]
> I think the module is trying to query using hexadecimal encoding
> against a value that is encoded in the directory as BASE64.

Yupp. And you probably made a mistake by storing it in base64-encoded form.

> if so, how can I compare the certificate?

You should really come over to an LDAP-related forum, because most people on openssl-users will not be interested in learning about EQUALITY matching rules for userCertificate.

Ciao, Michael.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
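The point Michael makes, as an added example that is not part of the thread: the DER prefix is reconstructed from the base64 snippet quoted above (padded so it decodes), the filter builder reproduces the `\XX` escaping mod_authz_ldap logs (the log above shows each backslash doubled), and the LDIF import logic is a simplified model of what a directory stores, not any server's real code.

```python
import base64

# Constructed from the snippet quoted in the thread: the first 38 base64 chars
# of the certificate, padded so it decodes.  Real certs are far longer; this is
# just the start of the DER (SEQUENCE, SEQUENCE, [0] version, INTEGER serial).
CERT_B64_PREFIX = "MIIHODCCBiCgAwIBAgIIX9kz4PL5XQ8wDQYJKo=="
CERT_DER = base64.b64decode(CERT_B64_PREFIX)

def rfc4515_escape(raw: bytes) -> str:
    """Escape every byte as \\XX for an LDAP search filter (RFC 4515)."""
    return "".join(f"\\{b:02x}" for b in raw)

def certmap_filter(der: bytes) -> str:
    """Filter of the shape mod_authz_ldap logs for its certificate-map lookup."""
    return ("(&(userCertificate=" + rfc4515_escape(der)
            + ")(objectClass=strongAuthenticationUser))")

def ldif_line(attr: str, raw: bytes) -> str:
    """Correct LDIF for a binary value: '::' marks base64 transport encoding."""
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"

def stored_value(ldif: str) -> bytes:
    """Bytes the directory keeps after importing one LDIF attribute line (model)."""
    _attr, sep, value = ldif.partition(":: ")
    if sep:                                   # '::' -> base64, decoded once on import
        return base64.b64decode(value)
    return ldif.partition(": ")[2].encode()   # ':' -> kept as the literal text

def server_matches(stored: bytes, presented_der: bytes) -> bool:
    """Equality match as the server sees it: stored raw bytes vs. filter bytes."""
    return stored == presented_der

def demo() -> dict:
    """Compare the correct import with the two common mistakes."""
    b64 = base64.b64encode(CERT_DER).decode("ascii")
    cases = {
        # right: DER base64-encoded once for LDIF, stored as DER
        "binary_ldif": ldif_line("userCertificate;binary", CERT_DER),
        # wrong: base64 text pasted after a single colon, stored as text
        "base64_as_text": "userCertificate: " + b64,
        # wrong: base64 text base64-encoded again for LDIF, stored as base64 text
        "double_encoded": ldif_line("userCertificate", b64.encode("ascii")),
    }
    return {name: server_matches(stored_value(line), CERT_DER)
            for name, line in cases.items()}

if __name__ == "__main__":
    print(certmap_filter(CERT_DER)[:60], "...")
    print(demo())  # {'binary_ldif': True, 'base64_as_text': False, 'double_encoded': False}
```

Only the `;binary` LDIF import yields a stored value equal to the DER bytes in the filter; the other two store text that no equality match against DER can ever hit, which is exactly the "no such user" in the log.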