At 04:22 AM 2/24/2006, Keutel, Jochen wrote:
>Hello,
>
>Kurt D. Zeilenga wrote:
>>Component matching is considered experimental in OpenLDAP
>>Software. As indicated by ITS#4112 and -devel list
>>discussions, it needs work.
>
> OK.
>
>What about certificate matching rules? Are they fully
>implemented?

Both certificateMatch and certificateExactMatch are implemented
(they rely on OpenSSL), though I am not sure the latter fully
supports the recently approved standard track assertion syntax
(draft-zeilenga-ldap-x509). The test script appears to be using
an experimental assertion syntax. The code likely needs some
updating.

>Esp.: Is it possible to search for a certain
>key usage or other certificate fields?

For arbitrary matching, one needs component matching.

>I've found the certificateMatch in tests/scripts/test021-certificate :
>
>$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
>    "(cAcertificate;binary:certificateMatch:=$CERT)"
>
>But this example seems to search with a complete certificate
>as filter value ...

Per the spec, yes.

>Regards, Jochen.
>
>
>>Kurt
>>At 12:49 AM 2/15/2006, Kai Kramer wrote:
>>>Hello,
>>>
>>>is component matching already usable in a production environment? Does
>>>anyone really use it? ITS4112 seems to be a serious problem.
>>>
>>>What about certificate matching rules as an alternative? I managed to
>>>use certificateExactMatch to search for serial number and issuer. But
>>>I had no success with certificateMatch. Is it possible to search for a
>>>certain key usage?
>>>
>>>
>>>Regards,
>>>Kai
>>
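The two filter shapes discussed in this thread (a certificateExactMatch assertion carrying serial number and issuer, and a certificateMatch filter carrying a whole certificate) are easy to get wrong by hand, because the assertion value has to be valid GSER and the whole thing then has to be escaped as an RFC 4515 filter string. The following is an added example written for this page; it is not code from the thread, from the OpenLDAP test scripts, or from the OpenLDAP project. It assumes the GSER assertion syntax of RFC 4523, the standard-track successor of the draft-zeilenga-ldap-x509 draft Kurt mentions, and the RFC 4515 escaping rules; the attribute names, serial, issuer DN and certificate bytes are constructed sample data.

```python
"""Build LDAP extensible-match filters for the X.509 certificate matching
rules discussed in the thread.

Added example, not code from the thread or from OpenLDAP. It assumes the
GSER assertion syntax of RFC 4523 (standard-track successor of
draft-zeilenga-ldap-x509) for certificateExactMatch and the RFC 4515
string filter escaping rules. All certificate data below is constructed.
"""

SPECIAL = {0x00, 0x28, 0x29, 0x2A, 0x5C}  # NUL ( ) * \


def rfc4515_escape(value: bytes, all_hex: bool = False) -> str:
    """Escape an assertion value for use inside an RFC 4515 string filter.

    The filter grammar reserves NUL, '(', ')', '*' and '\\'; each reserved
    or non-printable byte is written as \\XX. With all_hex=True every byte
    is hex-escaped, which is how raw DER can be carried in a filter string.
    """
    out = []
    for b in value:
        if all_hex or b in SPECIAL or b < 0x20 or b > 0x7E:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def serial_from_openssl(text: str) -> int:
    """Turn the hex serial printed by `openssl x509 -noout -serial`
    (e.g. 'serial=0A1B') into the decimal integer GSER expects.
    Pasting the hex digits straight into the assertion is a common
    mistake: GSER INTEGER values are decimal."""
    hexpart = text.split("=", 1)[-1].strip().replace(":", "")
    return int(hexpart, 16)


def gser_string(s: str) -> str:
    """GSER (RFC 3641) quoted string: embedded double quotes are doubled."""
    return '"' + s.replace('"', '""') + '"'


def certificate_exact_assertion(serial: int, issuer_dn: str) -> str:
    """GSER encoding of the RFC 4523 CertificateExactAssertion
    ({ serialNumber, issuer }), the value a certificateExactMatch
    assertion carries. The issuer is the rdnSequence choice, written
    as a quoted LDAP DN string."""
    if serial < 0:
        raise ValueError("certificate serial numbers are non-negative")
    return "{ serialNumber %d, issuer rdnSequence:%s }" % (
        serial, gser_string(issuer_dn))


def certificate_exact_filter(attr: str, serial: int, issuer_dn: str) -> str:
    """Extensible-match filter selecting entries that hold the certificate
    with the given serial number and issuer."""
    assertion = certificate_exact_assertion(serial, issuer_dn)
    return "(%s:certificateExactMatch:=%s)" % (
        attr, rfc4515_escape(assertion.encode("utf-8")))


def certificate_match_filter(attr: str, der: bytes) -> str:
    """certificateMatch filter with a whole certificate as the assertion
    value, the shape of the test021 filter quoted in the thread; the DER
    bytes are hex-escaped so the result is still a valid RFC 4515 filter."""
    return "(%s:certificateMatch:=%s)" % (
        attr, rfc4515_escape(der, all_hex=True))


if __name__ == "__main__":
    # Constructed sample data; the DER bytes are not a real certificate.
    issuer = "cn=Example CA,o=Example Corp (test)"
    serial = serial_from_openssl("serial=0A1B")
    print(certificate_exact_filter("userCertificate;binary", serial, issuer))
    print(certificate_match_filter("cAcertificate;binary", b"\x30\x82\x01\x00"))
```

The generated certificateExactMatch filter is what you would pass to ldapsearch in place of the test script's `$CERT` value when you only know serial and issuer. Two caveats follow from the thread itself: Kurt notes that the OpenLDAP code of early 2006 was written against an experimental assertion syntax and might not accept this standard form, so check against your server version; and neither rule lets you select on key usage or other individual certificate fields, which is what component matching is for.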
