Well, using the ldap-utils.lib you attached below gives the exact same results.
On Thu, Aug 09, 2001 at 02:42:35PM +0200, Michael Bell wrote:
> Dave Botsch wrote:
> > Netscape Communicator, however, insists there are no such certificates.
> >Is it expecting something different in terms of the certificate format
> >or in terms of the DN of the certificate? This is when I go to Security,
> >People, Search Directory.
> >
> > I am a bit suspicious as when viewing my ldap entry in Netscape, the
> >usercertificate field shows the binary garbage in ascii representation.
>
> That's definitely wrong! I attach the current version of the ldap-utils.lib
> which must be present in cgi-raserver/lib/ldap-utils.lib. The certs must
> be stored as DER. The browser interprets the attribute userCertificate
> and shows some data of the certificate.
>
> Cheers,
>
> Michael
> --
> ----------------------------------------------------------------------------
> Michael Bell Email: [EMAIL PROTECTED]
> Rechenzentrum - Datacenter Email (work):
> [EMAIL PROTECTED]
> Humboldt-University of Berlin Tel.(work): +49 (0)30-2093 2482
> Unter den Linden 6 Fax.(work): +49 (0)30-2093 2959
> 10099 Berlin
> Germany [OpenCA Core
> Developer]
>
> http://openca.sourceforge.net
> #!/usr/bin/perl
>
> ## RA Server Management Utility
> ## (c) 1999 by Massimiliano Pala
> ## All Rights Reserved
> ##
> ## Project Information:
> ##
> ## Current Version ..................... $VER
> ## Project Started on .................. 17/12/1998
> ## Last Modified on .................... 30/03/2001
> ## Project Closed on ................... n/a
> ##
> ## Program currently tested with OpenLDAP v.1.2 on Linux, Solaris
> ## and Sleepycat DB.
> ##
> ## DISCLAIMER: THIS SOFTWARE IS GIVEN AS IS WITHOUT ANY WARRANTIES
> ## ABOUT ANY DAMAGE DERIVED BY THE USE ( CORRECT OR NOT ) OF THIS
> ## SOFTWARE. THE AUTHOR IS THEREFORE NOT RESPONSIBLE IN ANY WAY FOR
> ## DAMAGES RELATED IN ANY WAY TO THIS OR SUPPORTED SOFTWARE AS WELL.
> ##
> ## If you want to contact me (the author) please use the e-mail
> ## addresses listed below. Do not hesitate to report bugs, enhancements
> ## or anything that seems useful in developing this software:
> ##
> ## [EMAIL PROTECTED]
> ## [EMAIL PROTECTED]
> ## [EMAIL PROTECTED]
> ##
>
> ## Thank you for using this software, and remember that Open Projects
> ## are the future of mankind. Do not sleep, participate in world wide
> ## efforts to make life easier for all!
>
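sub addCertsUsers {
    ## Import the certificates listed in stuff/lastImport.txt into the
    ## directory: for every serial the entry is created (addLDAPobject)
    ## and then the userCertificate attribute is set (addLDAPattribute).
    ## Progress is printed as an HTML table built through $query.
    ##
    ## Arguments : none are used (kept for call-compatibility).
    ## Returns   : the string "Ok." once the table has been printed.
    ## Relies on : the globals $query and $db, getRequired(),
    ##             configError(), success(), addLDAPobject(),
    ##             addLDAPattribute() and the VALID_CERTIFICATE datatype.

    ## The file lists the serials of the last import, one per line.
    my $server_dir = getRequired('ServerDir');
    my $filename   = "$server_dir/stuff/lastImport.txt";

    if ( not -e $filename ) {
        configError("File $filename not found!");
    }

    my $content = $query->getFile($filename);

    ## success() is expected to end the request here; should it return,
    ## the loop below simply runs over an empty list.
    if ( not defined $content or $content eq "" ) {
        success("Last Import file was empty.");
    }
    my @serials = split( "\n", ( defined $content ? $content : "" ) );

    ## NOTE(review): buildRefs() is called with empty ELEMENTS/MAXITEMS
    ## values as before; its output used to be lost through a second
    ## "my $table" and is now kept in front of the table.
    my $table = $query->buildRefs( ELEMENTS =>, MAXITEMS => );
    $table .= $query->startTable(
        COLS          => [ "Cert.-No.", "DN", "adding dn", "adding certificate" ],
        WIDTH         => "100%",
        TITLE_BGCOLOR => "#DDCCFF"
    );

    foreach my $line (@serials) {
        next if $line =~ /^\s*$/;    # blank line, nothing to import

        my ($serial) = ( $line =~ /([a-f0-9]+)/i );
        $serial = "" if not defined $serial;

        ## the dB keys serials in upper case with an even number of digits
        $serial = uc $serial;
        $serial = "0$serial" if length($serial) % 2;

        my $cert = $db->getItem( DATATYPE => VALID_CERTIFICATE, KEY => $serial );
        if ( not $cert ) {
            $table .= $query->addTableLine( DATA => [
                "<FONT COLOR=\"Red\">"
                . "ERROR [$serial] : can't get certificate"
                . " from dB!\n</FONT>" ] );
            next;
        }

        ## the DN comes from the certificate's subject and is escaped
        ## before it is placed into the page
        my $parsed = $cert->getParsed();
        my @row = ( $serial, _html_escape( $parsed->{DN} ) );

        ## first the entry for the DN ...
        my $ret = addLDAPobject( CERTIFICATE => $cert );
        $ret = { STATUS => 0, DESC => "Error ( no result )", CODE => -1 } if not ref $ret;
        my $desc = _html_escape( $ret->{DESC} );
        $desc = "<FONT COLOR=\"Red\">" . $desc . "</FONT>" if not $ret->{STATUS};
        push @row, $desc;

        ## ... then the certificate itself
        if ( $ret->{STATUS} ) {
            my $attr_ret = addLDAPattribute( CERTIFICATE => $cert, NOPRINT => 1 );
            $attr_ret = { STATUS => 0, CODE => "no result" } if not ref $attr_ret;
            push @row, $attr_ret->{STATUS}
                ? "success"
                : "Error : " . _html_escape( $attr_ret->{CODE} );
        } else {
            push @row, "operation not performed";
        }

        $table .= $query->addTableLine( DATA => [@row] );
    }

    $table .= $query->endTable;
    print $table;

    return "Ok.";
}

## Escape the characters that are special in HTML text so that values
## taken from certificates cannot inject markup into the status page.
sub _html_escape {
    my ($text) = @_;
    $text = "" if not defined $text;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    return $text;
}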
>
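sub addLDAPobject {

    ######################################################
    ## only certs makes sense because a CRL can only be ##
    ## produced if a valid CA-cert exists               ##
    ######################################################

    ## Create the directory entry for a certificate's DN.  The DN must lie
    ## below the configured 'basedn'; every node between the two that does
    ## not exist yet is added as well (organization, organizationalUnit,
    ## country, locality and finally the person entry).  The certificate
    ## itself is attached afterwards by addLDAPattribute().
    ##
    ## Arguments : CERTIFICATE => certificate object whose getParsed()
    ##             returns a hash with DN, CN, SERIAL, EMAIL, OU, O, L, ST.
    ## Returns   : { STATUS => 1, CODE => 0, DESC => "Success" } when the
    ##             entry exists or was created (also when the DN equals the
    ##             basedn, which can be the CA's own dn);
    ##             { STATUS => 0, CODE => n, DESC => "Error ( ... )" } on
    ##             any failure -- negative codes are local checks, positive
    ##             ones are LDAP result codes; undef when no certificate
    ##             was given.
    ## Relies on : getRequired(), LDAP_connect(), LDAP_bind(),
    ##             LDAP_disconnect() and Net::LDAP.
    my $keys  = { @_ };
    my $DEBUG = 0;

    my $obj = $keys->{CERTIFICATE};
    return if not $obj;

    ## getParsed() is called once; it is assumed to be side-effect free
    my $parsed      = $obj->getParsed();
    my $cert_dn     = $parsed->{DN};
    my $cert_cn     = $parsed->{CN};
    my $cert_serial = defined $parsed->{SERIAL} ? $parsed->{SERIAL} : "";
    my $cert_email  = $parsed->{EMAIL};
    my $cert_o      = $parsed->{O};
    my $cert_l      = $parsed->{L};
    my $cert_st     = $parsed->{ST};

    if ($DEBUG) {
        print "Information of the Object:<br>\n";
        for my $field (qw(DN CN SERIAL EMAIL OU O L ST)) {
            my $value = defined $parsed->{$field} ? $parsed->{$field} : "";
            print lc($field) . " " . $value . "<br>\n";
        }
        print "End of the information of the Object.<br>\n";
    }

    ## The surname is only a guess (everything after the first word of the
    ## CN); it satisfies the 'person' schema, and a wildcard search still
    ## finds the entry.
    my $cert_sn = defined $cert_cn ? $cert_cn : "";
    $cert_sn =~ s/^[^ ]* //;

    ## Get the connection to the server
    my $ldap = LDAP_connect();
    if ( not $ldap ) {
        print "<FONT COLOR=\"Red\">";
        print "LDAP [$cert_serial]: Connection Refused by server!\n";
        print "</FONT><BR>\n";
        return { STATUS => 0, CODE => -4, DESC => "Error ( connection refused by server )" };
    }

    ## Bind as the configured user; on failure LDAP_bind() has already
    ## released the connection.
    my $bind = LDAP_bind( LDAP => $ldap );
    if ( not $bind->{STATUS} ) {
        print "Failed in Bind: " . $bind->{CODE} . "\n";
        return { STATUS => 0, CODE => $bind->{CODE},
                 DESC   => "Error ( bind failed, code " . $bind->{CODE} . " )" };
    }

    ## Both DNs are split into their RDNs in string order; the basedn uses
    ## ',' as separator, the certificate DN '/'.  They are compared from
    ## the end of the arrays, i.e. from the root.
    my @basedn_array = _split_dn_components( getRequired('basedn'), ',' );
    my @dn_array     = _split_dn_components( $cert_dn, '/' );

    ## the ou values of all nodes on the path, repeated in every entry below
    my @ou_array;
    for my $rdn (@basedn_array) {
        my ( $type, $value ) = _split_rdn($rdn);
        push @ou_array, $value if defined $type and lc($type) eq 'ou';
    }

    ## verify that the DN lies below the basedn
    print "Checking RootDN of Certificate ...<br>\n" if $DEBUG;
    print "Inserted DN\t\t\tBaseDN<br>\n" if $DEBUG;
    while ( @basedn_array and @dn_array ) {
        my $base_rdn = pop @basedn_array;
        my $dn_rdn   = pop @dn_array;
        print $dn_rdn . "\t\t" . $base_rdn . "<br>\n" if $DEBUG;
        if ( uc($base_rdn) ne uc($dn_rdn) ) {
            LDAP_disconnect( LDAP => $ldap );
            return { STATUS => 0, DESC => "Error ( dn conflicts with basedn )", CODE => -1 };
        }
    }
    ## the DN which should be inserted is shorter than the basedn
    print "Checking the length of the DN of the Certificate ...<br>\n" if $DEBUG;
    if (@basedn_array) {
        LDAP_disconnect( LDAP => $ldap );
        return { STATUS => 0, DESC => "Error ( dn is shorter then basedn )", CODE => -2 };
    }
    ## dn == basedn is not an error: it can be the CA's own dn
    if ( not @dn_array ) {
        LDAP_disconnect( LDAP => $ldap );
        return { STATUS => 1, CODE => 0, DESC => "Success" };
    }

    ## empty placeholders for the CA attributes of container nodes;
    ## NOTE(review): some servers reject empty values -- kept as before
    my @authority_attrs = (
        'authorityRevocationList;binary'   => '',
        'certificateRevocationList;binary' => '',
        'cACertificate;binary'             => '',
    );

    ## Build the missing nodes from the basedn downwards.  No CA entry is
    ## created here: an o or ou cannot be declared a (sub)CA from this
    ## information alone.
    print "Building the missing nodes of the LDAP-tree ...<br>\n" if $DEBUG;
    my $add_dn = getRequired('basedn');
    while (@dn_array) {
        my $actual_element = pop @dn_array;
        my ( $rdn_type, $rdn_value ) = _split_rdn($actual_element);
        $rdn_type  = defined $rdn_type  ? lc $rdn_type : "";
        $rdn_value = defined $rdn_value ? $rdn_value   : "";
        push @ou_array, $rdn_value if $rdn_type eq 'ou';

        $add_dn = $actual_element . "," . $add_dn;
        print "Try to add $add_dn ...<br>\n" if $DEBUG;

        ## Does the node already exist?  The RDN value is escaped for the
        ## filter (RFC 2254) so that '(', ')', '*' or '\' in a DN cannot
        ## break the search or widen it to other entries.
        my $filter_type  = ( $rdn_type eq 'email' ) ? 'mail' : $rdn_type;
        my $filter_value = $rdn_value;
        $filter_value =~ s/\\/\\5c/g;
        $filter_value =~ s/\*/\\2a/g;
        $filter_value =~ s/\(/\\28/g;
        $filter_value =~ s/\)/\\29/g;
        $filter_value =~ s/\0/\\00/g;
        my $search_filter = "(" . $filter_type . "=" . $filter_value . ")";
        print "LDAP Searchfilter: " . $search_filter . "<br>\n" if $DEBUG;
        print "LDAP Base: " . $add_dn . "<br>\n" if $DEBUG;
        my $search = $ldap->search( base => $add_dn, scope => "sub", filter => $search_filter );
        print "LDAP Search Mesg-Code " . $search->code . "<br>\n" if $DEBUG;
        print "LDAP Search Mesg-Count " . $search->count . "<br>\n" if $DEBUG;
        ## A search error (e.g. noSuchObject for a missing base) yields
        ## count 0, so the add is attempted and reports the real problem.
        if ( not $search or $search->count ) {
            print "node exists<br>\n" if $DEBUG;
            next;
        }

        ## attributes for the node; $missing names the certificate field
        ## that the node needs but the certificate does not provide
        my @attr;
        my $missing;
        if ( $rdn_type =~ /^(cn|email|serialnumber)$/ ) {
            $missing = "cn" if not $cert_sn or not $cert_cn;
            push @attr, 'cn' => $cert_cn, 'sn' => $cert_sn;
            push @attr, 'objectclass' => [ 'top', 'person', 'organizationalPerson', 'inetOrgPerson' ];
            push @attr, 'ou'   => [@ou_array] if @ou_array;
            push @attr, 'o'    => $cert_o     if $cert_o;
            push @attr, 'mail' => $cert_email if $cert_email;
        } elsif ( $rdn_type eq 'ou' ) {
            $missing = "ou" if not @ou_array;
            push @attr, 'ou' => [@ou_array], @authority_attrs;
            push @attr, 'objectclass' => [ 'top', 'organizationalUnit', 'certificationAuthority' ];
        } elsif ( $rdn_type eq 'o' ) {
            $missing = "o" if not $cert_o;
            push @attr, 'o' => $cert_o, @authority_attrs;
            push @attr, 'objectclass' => [ 'top', 'organization', 'certificationAuthority' ];
        } elsif ( $rdn_type eq 'c' ) {
            ## the country is taken from the RDN itself, the only place
            ## this code has it
            $missing = "c" if not $rdn_value;
            push @attr, 'c' => $rdn_value, 'objectclass' => [ 'top', 'country' ];
        } elsif ( $rdn_type eq 'st' ) {
            $missing = "st" if not $cert_st;
            push @attr, 'st' => $cert_st, 'objectclass' => [ 'top', 'locality' ];
        } elsif ( $rdn_type eq 'l' ) {
            $missing = "l" if not $cert_l;
            push @attr, 'l' => $cert_l, 'objectclass' => [ 'top', 'locality' ];
        } else {
            LDAP_disconnect( LDAP => $ldap );
            return { STATUS => 0, CODE => -3,
                     DESC   => "Error ( no entry type for '$actual_element' )" };
        }
        if ($missing) {
            LDAP_disconnect( LDAP => $ldap );
            return { STATUS => 0, CODE => -3,
                     DESC   => "Error ( certificate has no $missing for '$actual_element' )" };
        }
        ## person, ou and o nodes carry st and l only when the dn has them;
        ## the match is anchored to an RDN so that the 'l=' inside 'email='
        ## no longer counts
        if ( $rdn_type ne 'c' and $rdn_type ne 'st' and $rdn_type ne 'l' ) {
            push @attr, 'st' => $cert_st if $cert_st and $add_dn =~ /(^|,)\s*st\s*=/i;
            push @attr, 'l'  => $cert_l  if $cert_l  and $add_dn =~ /(^|,)\s*l\s*=/i;
        }

        if ($DEBUG) {
            print "Attributes for the insertion:<br>\n";
            for ( my $i = 0; $i < @attr; $i += 2 ) {
                my $value = ref( $attr[ $i + 1 ] )
                    ? join( ", ", @{ $attr[ $i + 1 ] } )
                    : $attr[ $i + 1 ];
                print "$attr[$i] = $value<br>\n";
            }
        }

        my $result = $ldap->add( $add_dn, attr => [@attr] );
        print "The resultcode of the nodeinsertion was " . $result->code . ".<br>\n" if $DEBUG;
        if ( $result->code ) {
            LDAP_disconnect( LDAP => $ldap );
            return { STATUS => 0,
                     DESC   => "Error ( code " . $result->code . " )",
                     CODE   => $result->code };
        }
    }

    LDAP_disconnect( LDAP => $ldap );
    return { STATUS => 1, CODE => 0, DESC => "Success" };
}

## Split a DN string on $separator into its trimmed, non-empty RDN
## strings, in the order they appear in the string.
sub _split_dn_components {
    my ( $dn, $separator ) = @_;
    return () if not defined $dn;
    my @components;
    for my $part ( split /\Q$separator\E/, $dn ) {
        $part =~ s/^\s+//;
        $part =~ s/\s+$//;
        push @components, $part if length $part;
    }
    return @components;
}

## Split one RDN string ("type = value") into attribute type and value,
## both trimmed; returns an empty list when there is no '='.
sub _split_rdn {
    my ($rdn) = @_;
    return () if not defined $rdn;
    my ( $type, $value ) = $rdn =~ /^\s*([^=]*?)\s*=\s*(.*?)\s*$/s;
    return () if not defined $type;
    return ( $type, $value );
}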
>
> ## this function adds certificates and CRLs to the directory
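sub addLDAPattribute {
    ## Add a certificate or CRL (as DER) to its directory entry.
    ##
    ## Arguments : exactly one of
    ##               CERTIFICATE           => cert -> userCertificate;binary
    ##               AUTHORITY_CERTIFICATE => cert -> cACertificate;binary
    ##               CRL                   => crl  -> certificateRevocationList;binary
    ##               AUTHORITY_CRL         => crl  -> authorityRevocationList;binary
    ##             NOPRINT => true to suppress the progress output.
    ##             The object must provide getParsed() (DN for certificates,
    ##             ISSUER for CRLs) and getDER().
    ## Returns   : { STATUS => 1, CODE => 0, DESC => "Success (...)" } or
    ##             { STATUS => 0, CODE => <ldap code>, DESC => "..." };
    ##             undef when no object was given or the connection or
    ##             bind failed.
    ## The entry itself must already exist (see addLDAPobject); the new
    ## value is merged into the attribute's existing values.
    my $keys  = { @_ };
    my $DEBUG = 0;

    ## attribute name and the DN field of the object for every accepted key
    my @accepted = (
        [ CERTIFICATE           => 'userCertificate',           'DN'     ],
        [ AUTHORITY_CERTIFICATE => 'cACertificate',             'DN'     ],
        [ CRL                   => 'certificateRevocationList', 'ISSUER' ],
        [ AUTHORITY_CRL         => 'authorityRevocationList',   'ISSUER' ],
    );
    my ( $obj, $attr, $dn_field );
    for my $entry (@accepted) {
        my ( $key, $name, $field ) = @$entry;
        next if not $keys->{$key};
        ( $obj, $attr, $dn_field ) = ( $keys->{$key}, "$name;binary", $field );
        last;
    }
    return if not $obj;

    ## set output mode
    my $noprint = $keys->{NOPRINT};
    $noprint = 0 if $DEBUG;

    my $ldap = LDAP_connect();
    return if not $ldap;

    ## on failure LDAP_bind() has already released the connection
    my $bind = LDAP_bind( LDAP => $ldap );
    return if not $bind->{STATUS};

    ## Turn the object's DN ("/a=b/c=d") into an LDAP DN ("a=b,c=d") and
    ## lower-case every attribute type.
    my $dn = $obj->getParsed()->{$dn_field};
    $dn = "" if not defined $dn;
    $dn =~ s/\//,/g;
    $dn =~ s/^ *,* *//;
    $dn =~ s/(^|,)\s*([^=,]+?)\s*=/$1 . lc($2) . "="/ge;

    print "addLDAPattribute: DN= " . $dn . "<br>\n" if $DEBUG;
    print "attr: " . $attr . "<br>\n" if $DEBUG;

    ## Search the entry by its first RDN; the value is escaped for the
    ## filter (RFC 2254) so that '(', ')', '*' or '\' in the DN cannot
    ## break or widen the search.
    my $first_rdn = $dn;
    $first_rdn =~ s/,.*$//;
    my ( $rdn_type, $rdn_value ) = split /=/, $first_rdn, 2;
    $rdn_type  = "" if not defined $rdn_type;
    $rdn_type  = 'mail' if $rdn_type =~ /^email$/i;
    $rdn_value = "" if not defined $rdn_value;
    $rdn_value =~ s/\\/\\5c/g;
    $rdn_value =~ s/\*/\\2a/g;
    $rdn_value =~ s/\(/\\28/g;
    $rdn_value =~ s/\)/\\29/g;
    $rdn_value =~ s/\0/\\00/g;
    my $search_filter = "(" . $rdn_type . "=" . $rdn_value . ")";
    print "LDAP Searchfilter: " . $search_filter . "<br>\n" if $DEBUG;
    my $mesg = $ldap->search( base => $dn, scope => "base", filter => $search_filter );
    print "LDAP Search Mesg-Code " . $mesg->code . "<br>\n" if $DEBUG;
    print "LDAP Search Mesg-Count " . $mesg->count . "<br>\n" if $DEBUG;

    ## a search error stops the insertion as well
    if ( not $mesg or $mesg->code or not $mesg->count ) {
        print "Search for the attribute failed.\n" if not $noprint;
        my $code = $mesg ? $mesg->code : 1;
        LDAP_disconnect( LDAP => $ldap );
        return { STATUS => 0, CODE => $code, DESC => "Error ( entry not found, code $code )" };
    }

    ## scope "base" yields at most one entry; merge the new DER into the
    ## existing values without duplicates (order is irrelevant for LDAP)
    my %seen;
    my @values = grep { defined $_ and not $seen{$_}++ }
                 ( $mesg->entry(0)->get_value($attr), $obj->getDER() );

    ## insert into ldap
    $mesg = $ldap->modify( $dn, replace => { $attr => [@values] } );
    if ( $mesg->code ) {
        my $txt = "Unknown Error ( " . $mesg->code . " )";
        print "$txt\n" if not $noprint;
        LDAP_disconnect( LDAP => $ldap );
        return { STATUS => 0, CODE => $mesg->code, DESC => $txt };
    }

    LDAP_disconnect( LDAP => $ldap );
    my $txt = "Attribute successfully inserted.";
    print "Success (" . $txt . ")\n" if not $noprint;
    return { STATUS => 1, DESC => "Success (" . $txt . ")", CODE => 0 };
}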
>
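sub LDAPsearch {
    ## Run a search with the given filter below the configured basedn.
    ##
    ## Arguments : FILTER => LDAP filter string (required; it is passed to
    ##             the server as given, so values from untrusted input must
    ##             be escaped before the filter is built),
    ##             SERIAL => serial shown in error messages (optional).
    ## Returns   : { COUNT => n, ENTRIES => [ Net::LDAP::Entry, ... ] }, or
    ##             undef when no filter was given, the connection or bind
    ##             failed, or the server returned an error.
    ## Relies on : getRequired('basedn'), LDAP_connect(), LDAP_bind(),
    ##             LDAP_disconnect().
    my $keys   = { @_ };
    my $filter = $keys->{FILTER};
    my $serial = defined $keys->{SERIAL} ? $keys->{SERIAL} : "";

    return if not $filter;

    my $ldap_base = getRequired('basedn');

    my $ldap = LDAP_connect();
    if ( not $ldap ) {
        print "<FONT COLOR=\"Red\">";
        print "LDAP [$serial]: Connection Refused by server!\n";
        print "</FONT><BR>\n";
        return;
    }

    ## on failure LDAP_bind() has already released the connection
    my $bind = LDAP_bind( LDAP => $ldap );
    if ( not $bind->{STATUS} ) {
        print "Failed in Bind: " . $bind->{CODE} . "\n";
        return;
    }

    my $mesg = $ldap->search( base => $ldap_base, filter => $filter );
    if ( $mesg->code ) {
        LDAP_disconnect( LDAP => $ldap );
        return;
    }

    ## the entries are collected before the connection is released; they
    ## are returned as one array reference so the hash stays well-formed
    ## for any number of results
    my @entries = $mesg->entries;
    LDAP_disconnect( LDAP => $ldap );

    return { COUNT => $mesg->count, ENTRIES => [@entries] };
}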
>
>
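sub LDAP_connect {
    ## Open a plain (unencrypted) connection to the configured directory
    ## server.  Nothing is bound yet; see LDAP_bind().
    ##
    ## Arguments : none are used.
    ## Returns   : the Net::LDAP object, or undef if the server could not
    ##             be reached.
    ## Relies on : getRequired() for 'ldapserver' and 'ldapport'.
    my $server = getRequired('ldapserver');
    my $port   = getRequired('ldapport');

    ## fall back to the standard port only when none is configured
    $port = 389 if not $port;

    ## NOTE(review): the bind password later travels in clear over this
    ## connection; for a server that is not on the same host a
    ## TLS-protected connection (Net::LDAP's start_tls) should be used.
    my $ldap = Net::LDAP->new( $server, port => $port, async => 0 );

    return if not $ldap;
    return $ldap;
}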
>
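sub LDAP_disconnect {
    ## Unbind and close a connection opened by LDAP_connect().
    ##
    ## Arguments : LDAP => Net::LDAP object; a single positional argument
    ##             is accepted as well, as some callers pass the object
    ##             that way.
    ## Returns   : { STATUS => 1 } after unbinding, { STATUS => 0 } when
    ##             no object was given.
    my $ldap;
    if ( @_ == 1 ) {
        ($ldap) = @_;
    } else {
        my $keys = { @_ };
        $ldap = $keys->{LDAP};
    }

    return { STATUS => 0 } if not $ldap;
    $ldap->unbind;

    return { STATUS => 1 };
}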
>
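sub LDAP_bind {
    ## Bind the connection as the configured directory user.
    ##
    ## Arguments : LDAP => Net::LDAP object from LDAP_connect().
    ## Returns   : { STATUS => 1 } on success; { STATUS => 0, CODE => n }
    ##             on failure, where n is the server's result code or -1
    ##             for a rejected configuration (the connection is
    ##             released in both cases); undef when no object was
    ##             passed.
    ## Relies on : getRequired() for 'ldaproot' and 'ldappwd'.
    my $keys = { @_ };

    my $user     = getRequired('ldaproot');
    my $password = getRequired('ldappwd');

    my $ldap = $keys->{LDAP};
    return if not $ldap;

    ## A bind with a name but an empty password is an unauthenticated
    ## (anonymous) bind, so the later add/modify would run without the
    ## intended rights; refuse it instead of letting it fail later.
    if ( not defined $password or $password eq "" ) {
        LDAP_disconnect( LDAP => $ldap );
        return { STATUS => 0, CODE => -1 };
    }

    my $mesg = $ldap->bind( $user, password => $password );

    if ( $mesg->code ) {
        LDAP_disconnect( LDAP => $ldap );
        return { STATUS => 0, CODE => $mesg->code };
    }

    return { STATUS => 1 };
}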
>
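## a library must return a true value when it is required
1;

__END__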
>
--
********************************
David William Botsch
[EMAIL PROTECTED]
********************************