On Thu, Apr 26, 2012 at 08:43:56PM -0400, b...@bitrate.net wrote:

> OK, thanks for the clarification.  The impetus for this question
> - I was setting up check_ccert_access to use an ldap lookup, and
> was using an ldap attribute whose matching rules happened to be
> case sensitive.  I'd copied/pasted the fingerprint from the log
> messages [uppercase] for the ldap attribute value.  This introduced
> a bit of an incongruence in my testing with postmap, since I didn't
> then know that case was being folded.  It also appears that case
> folding occurs during actual operation [e.g. not just with postmap]?:
> 

The lookups in access(5) fold keys to lower-case for indexed tables,
and leave them unchanged with regexp tables.

> Apr 26 20:32:49 exo postfix/smtpd[10641]: unknown[50.33.151.70]: Trusted: 
> subject_CN=msa.example.net, issuer=example corp, 
> fingerprint=86:A5:5C:85:A3:98:2E:19:7A:54:57:99:76:9D:D5:A3:7E:46:85:C5
> [...]
> Apr 26 20:32:49 exo postfix/smtpd[10641]: dict_ldap_lookup: 
> /etc/postfix/tables/ccert_access.cf: Searching with filter 
> (&?????(objectclass=mailserver)?????(certfingerprint=86:a5:5c:85:a3:98:2e:19:7a:54:57:99:76:9d:d5:a3:7e:46:85:c5)?????(memberof=cn=mail_relayers-hosts,ou=exo,ou=servers,ou=groups,dc=example,dc=net)????)

Your LDAP schema should specify certfingerprint as a case-insensitive
attribute. This is a hexadecimal number (with some ":" characters
thrown in for readability), and the case of A-F is insignificant.

-- 
        Viktor.
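
The case folding discussed in this thread, as an added example that is not part of the original messages: a Python check that takes fingerprints from smtpd "Trusted:" log lines, derives the lower-case key an indexed access(5) lookup presents, and reports stored directory values that a case-sensitive equality match would miss. The function names and the accepted digest lengths are assumptions; the sample log line is the one quoted above, joined onto one line.

```python
import re

# Fingerprint field as it appears in a Postfix smtpd "Trusted:" log line.
FP_FIELD = re.compile(r"fingerprint=([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)")
OCTET = re.compile(r"[0-9A-Fa-f]{2}")
# Assumption: accept MD5, SHA-1 and SHA-256 sized digests (16, 20, 32 octets).
DIGEST_LENGTHS = {16, 20, 32}

# Sample input: the log line from the thread, unwrapped.
SAMPLE_LOG = [
    "Apr 26 20:32:49 exo postfix/smtpd[10641]: unknown[50.33.151.70]: Trusted: "
    "subject_CN=msa.example.net, issuer=example corp, "
    "fingerprint=86:A5:5C:85:A3:98:2E:19:7A:54:57:99:76:9D:D5:A3:7E:46:85:C5",
]


def lookup_key(fingerprint):
    """Validate a colon-separated hex fingerprint and return it folded to
    lower case, the form used as the key for indexed tables."""
    octets = fingerprint.strip().split(":")
    if len(octets) not in DIGEST_LENGTHS or not all(OCTET.fullmatch(o) for o in octets):
        raise ValueError("not a certificate fingerprint: %r" % fingerprint)
    return ":".join(octets).lower()


def keys_from_log(lines):
    """Return (logged_value, lookup_key) pairs for every fingerprint logged."""
    found = []
    for line in lines:
        for match in FP_FIELD.finditer(line):
            found.append((match.group(1), lookup_key(match.group(1))))
    return found


def case_exact_mismatches(stored_values, lines):
    """Return stored attribute values that belong to a logged certificate but
    differ from the folded key, so a case-sensitive match would not find them.
    Raises ValueError if a stored value is not a well-formed fingerprint."""
    keys = {key for _, key in keys_from_log(lines)}
    return [v for v in stored_values if lookup_key(v) in keys and v != lookup_key(v)]


if __name__ == "__main__":
    for logged, key in keys_from_log(SAMPLE_LOG):
        print("logged:", logged)
        print("key:   ", key)
```
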
