Sumit Bose wrote:
Since this is a design document one important comment:
This won't work with OpenLDAP.
In 389-DS 'userCertificate' is declared like this:
( 2.5.4.36
NAME 'userCertificate'
DESC 'X.509 user certificate'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
X-ORIGIN 'RFC 4523' )
Note that although this references RFC 4523, simply Octet String syntax is used
with the accompanying equality matching rule 'octetStringMatch'. That's what's
used in your design for generating the LDAP filter strings.
In OpenLDAP 'userCertificate' is declared as defined in RFC 4523:
( 2.5.4.36
NAME 'userCertificate'
DESC 'RFC2256: X.509 user certificate, use ;binary'
EQUALITY certificateExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
Note that 'certificateExactMatch' is used as equality matching rule.
Generating simple filters like for 'octetStringMatch' does not work. You would
have to construct an issuer-DN+serial assertion value.
Ciao, Michael.
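As an added illustration of the difference this reply describes (example code, not from the thread or from either server), the Python below builds both filter forms: the whole DER blob as an RFC 4515-escaped equality value for the 389-DS 'octetStringMatch' case, and an issuer-DN+serial CertificateExactAssertion for the OpenLDAP 'certificateExactMatch' case. The DER bytes, issuer DN and serial are constructed sample values; the GSER layout `{ serialNumber N, issuer rdnSequence:"DN" }` follows RFC 4523 and RFC 3641, and that slapd accepts exactly this spelling is an assumption.

```python
"""Build LDAP filters for a userCertificate lookup under the two schema
variants: octetStringMatch (389-DS) versus certificateExactMatch (OpenLDAP)."""

# Constructed sample input, NOT a real certificate: a few DER-looking bytes
# that include filter metacharacters, plus the issuer DN and serial number a
# real implementation would parse out of the certificate.
SAMPLE_DER = b"\x30\x82\x01\x0a\x02\x01\x02(*)\\\x00"
SAMPLE_ISSUER = 'CN=Example "Test" CA,O=Example Corp (Intl)'
SAMPLE_SERIAL = 2


def escape_filter_bytes(value: bytes) -> str:
    """RFC 4515 escaping of an opaque value: every byte as \\XX hex, so no
    '*', '(', ')', '\\' or NUL byte can alter the filter structure."""
    return "".join("\\%02x" % b for b in value)


def escape_filter_text(value: str) -> str:
    """RFC 4515 escaping for a textual assertion value: only the five
    metacharacters need escaping, backslash first so it is not re-escaped."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def octet_string_filter(attr: str, der: bytes) -> str:
    """389-DS style: the attribute uses octetStringMatch, so the entire DER
    encoding is the assertion value of an ordinary equality filter."""
    return "(%s=%s)" % (attr, escape_filter_bytes(der))


def gser_string(s: str) -> str:
    """GSER (RFC 3641) StringValue: double-quoted, embedded quotes doubled."""
    return '"' + s.replace('"', '""') + '"'


def certificate_exact_filter(attr: str, serial: int, issuer_dn: str) -> str:
    """OpenLDAP/RFC 4523 style: certificateExactMatch compares against a
    CertificateExactAssertion { serialNumber, issuer } in GSER form, not
    against the certificate bytes, so the filter carries only serial + issuer.
    Assumption: this is the spelling slapd's certificateExactMatch parses."""
    if serial < 0:
        raise ValueError("certificate serial numbers are non-negative")
    assertion = "{ serialNumber %d, issuer rdnSequence:%s }" % (serial, gser_string(issuer_dn))
    # The assertion text is still a filter value, so a DN containing '(' or ')'
    # must be RFC 4515-escaped; braces and quotes need no escaping.
    return "(%s:certificateExactMatch:=%s)" % (attr, escape_filter_text(assertion))


if __name__ == "__main__":
    print(octet_string_filter("userCertificate", SAMPLE_DER))
    print(certificate_exact_filter("userCertificate", SAMPLE_SERIAL, SAMPLE_ISSUER))
```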