Hi

a) I have extracted the user certificate from the directory to a file using 
"ldapsearch -t .... "
I've encoded the result file with hexdump and added slashes (and double slashes 
and tested also with reversing the byte order)
I am using the result as a search filter against the directory, and no results

b) I've copy/pasted all the values from apache error_log (which comes from the 
user browser) and used as a filter to ldapsearch and nothing
userCertificate=\\30\\82\\07\\38\\30\\82\\06\\20\\a0\\03\\02\\01\\02\\02\\08\\d9\\33\\e0\\f2\\f9\\5d\\0f\\30\\0d\\06\\09\\2a\\86\\48\\86
etc etc etc

a) and b) filters are the same, so I think I am doing the right tests, without 
errors


I don't have any more ideas... :(
help.....

c) I will make every test again next Monday just to be sure I didn't copy/paste 
any error

I am starting to think of making some smaller testcase with some other binary 
fields, like a jpg for example. What do you think?
Add an image attribute to the user, load a very small (1x1) jpg, hexdump it to a 
file and try to feed it to ldapsearch until I get something
This is the only idea I have so far that other users could test without too 
much effort and compare results with me....

Luis



> >
> >> ldapsearch -x -h 10.15.254.148 -p 389 -D "cn=root,dc=cm-lisboa,dc=pt" -w
> >> ***** -s sub -b "ou=AuthzLDAPCertmap,dc=cm-lisboa,dc=pt"
> >> '(&(userCertificate;binary=\\30\\82\\07\\38\\30\\82\\06\\20\\a0\\03\\02\\01\\02\\02\\08\\d9\\33\\e0\\f2\\f9\\5d\\0f\\30\\0d\\06\\09\\2a\\86\\48\\86
> >> etc etc etc )(objectClass=strongAuthenticationUser))'
> >

> 
> It is legal to use an octet string for certificateExactMatch. In OpenLDAP the 
> octet string is simply parsed and turned into a certificate assertion value 
> and then matched as usual.
> 
> Probably the encoding of his filter value is just wrong. And of course, it 
> would be simpler to just use a certificate assertion value instead.
> 
> -- 
>    -- Howard Chu
>    CTO, Symas Corp.           http://www.symas.com
>    Director, Highland Sun     http://highlandsun.com/hyc/
>    Chief Architect, OpenLDAP  http://www.openldap.org/project/
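
The two filter forms mentioned in the quoted reply, as an added Python example that is not part of the original thread or OpenLDAP's own code: an octet-string value in RFC 4515 form (one backslash and two hex digits per octet) and an RFC 4523 certificate assertion value built from the serial number read out of the DER. The sample bytes are constructed and are not a real certificate; the issuer DN and all helper names are assumptions, and the attribute description is copied from the quoted ldapsearch command.

```python
ATTR = "userCertificate;binary"   # attribute description as used in the quoted command

def escape_octets(der: bytes) -> str:
    """RFC 4515 value encoding: each octet becomes one backslash + two hex digits."""
    return "".join(f"\\{b:02x}" for b in der)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of data (bytes lost in copying?)")
    return tag, pos, pos + length

def cert_serial(der: bytes) -> int:
    """Walk Certificate -> tbsCertificate -> optional [0] version -> serialNumber."""
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, start, _ = read_tlv(der, start)
    if tag != 0x30:
        raise ValueError("tbsCertificate SEQUENCE not found")
    tag, vstart, vend = read_tlv(der, start)
    if tag == 0xA0:                         # explicit version wrapper: skip over it
        tag, vstart, vend = read_tlv(der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[vstart:vend], "big", signed=True)

def octet_filter(der: bytes) -> str:
    """Filter whose value is the whole DER certificate as escaped octets."""
    return f"({ATTR}={escape_octets(der)})"

def assertion_filter(serial: int, issuer_dn: str) -> str:
    """Filter whose value is an RFC 4523 certificate assertion value (GSER)."""
    dn = issuer_dn.replace('"', '""')       # GSER doubles embedded double quotes
    for ch in "\\*()":                      # RFC 4515 filter metacharacters, backslash first
        dn = dn.replace(ch, f"\\{ord(ch):02x}")
    return f'({ATTR}={{ serialNumber {serial}, issuer rdnSequence:"{dn}" }})'

SAMPLE_DER = bytes.fromhex("300b3009a003020102020201a4")   # constructed, not a real cert
if __name__ == "__main__":
    print(octet_filter(SAMPLE_DER))
    print(assertion_filter(cert_serial(SAMPLE_DER), "cn=Example CA,o=Example"))
```

Inside single quotes the shell passes backslashes through unchanged, so the printed string can be given to ldapsearch as it stands.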
                                          