[389-users] 389ds and certificateExactMatch - is it supported?
Graham Leggett
minfrin at sharp.fm
Wed Jan 28 16:43:10 UTC 2015
On 28 Jan 2015, at 6:33 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>> Does 389ds offer certificateExactMatch support as per the RFCs?
>
> No, that's why it is commented out. We do not have support for the certificate* matching rules. That's why we just use octetString i.e. it just does a memcmp().
I’ve been trying the option of using octetStringMatch with a filter that looks like this:
(userCertificate=#308203aa3082[snip])
The error I get back is:
LDAP: error code 11 - Administrative Limit Exceeded
A number of questions:
- The encoding was obtained from the java javax.naming.ldap.Rdn class, which seems to want to encode the DER byte array of the certificate being searched for as a hash symbol followed by hex digits, as opposed to \00\11\22 (etc) as seen in many examples online. Is this encoding correct? (I assume it is).
- I noticed that no index existed for userCertificate, so I added an index on equality. The searches still take a very long time (with Directory Manager) and Administrative limit exceeded with normal users. Am I right in understanding that userCertificate searches are not filtered?
Regards,
Graham
—
More information about the 389-users
mailing list