On 01/28/2015 09:09 AM, Graham Leggett wrote:
> Hi all,
> After struggling to get a certificateExactMatch query to work, I’ve discovered that in
> 389ds the certificateExactMatch rule in the schema has been marked as commented out like
> this:
> # TODO - Add Certificate syntax
> #attributeTypes: ( 2.5.4.36 NAME 'userCertificate'
> # DESC 'X.509 user certificate'
> # EQUALITY certificateExactMatch
> # SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
> attributeTypes: ( 2.5.4.36 NAME 'userCertificate'
> DESC 'X.509 user certificate'
> EQUALITY octetStringMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
> X-ORIGIN 'RFC 4523')
> Does 389ds offer certificateExactMatch support as per the RFCs?

No, that's why it is commented out. We do not have support for the
certificate* matching rules. That's why we just use octetString i.e. it
just does a memcmp().

> Simply uncommenting out the above results in startup failure below:
> [28/Jan/2015:15:55:53 +0000] dse_read_one_file - The entry cn=schema in file
> /etc/dirsrv/slapd-monica/schema/05rfc4523.ldif (lineno: 1) is invalid, error code 21
> (Invalid syntax) - attribute type userCertificate: Unknown attribute syntax OID
> "1.3.6.1.4.1.1466.115.121.1.8"
> Regards,
> Graham
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
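
Added example, not part of the original thread and not 389ds code: with `userCertificate` compared by octetStringMatch, an equality search only matches when the client asserts the complete DER encoding, byte for byte. The sketch below builds such an RFC 4515 filter from a PEM block; the helper names and the sample bytes are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes carried inside a PEM certificate block."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM certificate block found")
    # Remove line breaks and other whitespace before strict base64 decoding.
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def octet_string_filter(der: bytes, attr: str = "userCertificate") -> str:
    """Build an equality filter with every value byte escaped as \\XX (RFC 4515).

    Escaping all bytes keeps characters such as '(' , '*' and NUL that occur
    in binary data from being read as filter syntax.
    """
    if not der:
        raise ValueError("empty certificate value")
    return "(%s=%s)" % (attr, "".join("\\%02x" % b for b in der))


def octet_string_match(stored: bytes, asserted: bytes) -> bool:
    """Model of octetStringMatch: plain byte equality, as memcmp() would do."""
    return stored == asserted


# Constructed sample bytes, NOT a real certificate. They include 0x28 '('
# and 0x2a '*' to show why the value must be escaped.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x2A, 0x05, 0x00, 0x28])
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n"
              "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print(octet_string_filter(der))
    # Identical bytes match; one extra byte (e.g. a re-encoding) does not.
    print(octet_string_match(SAMPLE_DER, der))
    print(octet_string_match(SAMPLE_DER, der + b"\x00"))
```

Asserting the PEM text itself, or a re-encoded copy of the certificate, fails the comparison because the stored and asserted bytes differ.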