Luis Neves wrote:
> but I want to specify a raw filter to the userCertificate attribute:
> I've uuencoded the original DER certificate and used the result as a
> search filter

Not sure whether you generated the search filter correctly at all. If you use uuencode the cert gets base64-encoded? If you want to search for an octet string you have to use hex-escaping of the bytes in the search filter. See the escaping rules in RFC 4515.

> ldapsearch -x -h 10.15.254.148 -p 389 -D "cn=root,dc=cm-lisboa,dc=pt" -w
> ***** -s sub -b "ou=AuthzLDAPCertmap,dc=cm-lisboa,dc=pt"
> '(&(userCertificate;binary=\\30\\82\\07\\38\\30\\82\\06\\20\\a0\\03\\02\\01\\02\\02\\08\\d9\\33\\e0\\f2\\f9\\5d\\0f\\30\\0d\\06\\09\\2a\\86\\48\\86
> etc etc etc )(objectClass=strongAuthenticationUser))'

But userCertificate has certificateExactMatch (2.5.13.34) defined as equality matching rule. This is *not* the octetStringMatch (2.5.13.17) matching rule. Searching certs with octetStringMatch will obviously not perform well though. I'd recommend thinking about another method.

Since you asked a similar question on openssl-users I assume you want to use this module. Right?

http://authzldap.othello.ch/configuration.html

Ciao, Michael.
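
The hex-escaping that the reply points to in RFC 4515, as an added example that is not part of the original message or of the authzldap module: it decodes base64 or PEM text back to DER and escapes every octet as \XX before building the filter. The function names and the 5-byte sample value are constructed for illustration, and the escaping does not change which matching rule the server applies to userCertificate.

```python
import base64

# Constructed sample: a DER SEQUENCE holding INTEGER 1, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")


def escape_octets(data: bytes) -> str:
    """RFC 4515 escaping of an arbitrary octet string: each byte becomes \\XX."""
    return "".join("\\%02x" % b for b in data)


def escape_text(value: str) -> str:
    """RFC 4515 escaping of a text value: only NUL, '(', ')', '*' and '\\'."""
    return "".join("\\%02x" % ord(c) if c in "\0()*\\" else c for c in value)


def der_from_pem_or_base64(text: str) -> bytes:
    """Recover DER bytes from base64 text, with or without PEM armor lines."""
    lines = (line.strip() for line in text.strip().splitlines())
    body = "".join(l for l in lines if l and not l.startswith("-----"))
    return base64.b64decode(body, validate=True)


def cert_filter(der: bytes, object_class: str = "strongAuthenticationUser") -> str:
    """Build the search filter from raw DER bytes.

    Base64 or uuencoded text passed here by mistake is rejected, because
    DER-encoded certificates always begin with the SEQUENCE tag 0x30.
    """
    if not der or der[0] != 0x30:
        raise ValueError("input is not DER (first octet must be 0x30)")
    return "(&(userCertificate;binary=%s)(objectClass=%s))" % (
        escape_octets(der),
        escape_text(object_class),
    )


if __name__ == "__main__":
    der = der_from_pem_or_base64("MAMCAQE=")  # base64 of SAMPLE_DER
    print(cert_filter(der))
```

The printed filter contains single backslashes; inside single quotes on the ldapsearch command line the shell passes them through unchanged.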
