On Thu, Apr 26, 2012 at 08:43:56PM -0400, b...@bitrate.net wrote:

> OK, thanks for the clarification. The impetus for this question
> - I was setting up check_ccert_access to use an ldap lookup, and
> was using an ldap attribute whose matching rules happened to be
> case sensitive. I'd copied/pasted the fingerprint from the log
> messages [uppercase] for the ldap attribute value. This introduced
> a bit of an incongruence in my testing with postmap, since I didn't
> then know that case was being folded. It also appears that case
> folding occurs during actual operation [e.g. not just with postmap]?:

The lookups in access(5) fold keys to lower-case for indexed tables,
and leave them unchanged with regexp tables.

> Apr 26 20:32:49 exo postfix/smtpd[10641]: unknown[50.33.151.70]: Trusted:
> subject_CN=msa.example.net, issuer=example corp,
> fingerprint=86:A5:5C:85:A3:98:2E:19:7A:54:57:99:76:9D:D5:A3:7E:46:85:C5
> [...]
> Apr 26 20:32:49 exo postfix/smtpd[10641]: dict_ldap_lookup:
> /etc/postfix/tables/ccert_access.cf: Searching with filter
> (&?????(objectclass=mailserver)?????(certfingerprint=86:a5:5c:85:a3:98:2e:19:7a:54:57:99:76:9d:d5:a3:7e:46:85:c5)?????(memberof=cn=mail_relayers-hosts,ou=exo,ou=servers,ou=groups,dc=example,dc=net)????)

Your LDAP schema should specify certfingerprint as a case-insensitive
attribute. This is a hexadecimal number (with some ":" characters
thrown in for readability), and the case of A-F is insignificant.

--
Viktor.
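
The mismatch discussed in this thread, as an added example that is not part of the original messages: it takes the fingerprint from a log line, folds it to lower case the way the logged dict_ldap_lookup filter shows, and compares it with a stored value under a case-sensitive and a case-insensitive match. The directory entries, DNs, client address and function names are constructed for illustration.

```python
import re

# Constructed sample line in the format of the smtpd log quoted in the thread.
LOG_LINE = (
    "Apr 26 20:32:49 exo postfix/smtpd[10641]: unknown[192.0.2.10]: Trusted: "
    "subject_CN=msa.example.net, issuer=example corp, "
    "fingerprint=86:A5:5C:85:A3:98:2E:19:7A:54:57:99:76:9D:D5:A3:7E:46:85:C5"
)
# Constructed directory contents: DN -> stored certfingerprint value.
ENTRIES = {
    "cn=msa,dc=example,dc=net": "86:A5:5C:85:A3:98:2E:19:7A:54:57:99:76:9D:D5:A3:7E:46:85:C5",
    "cn=mx1,dc=example,dc=net": "0f:1e:2d:3c:4b:5a:69:78:87:96:a5:b4:c3:d2:e1:f0:01:12:23:34",
    "cn=old,dc=example,dc=net": "86A55C85A3982E19",
}

FP_IN_LOG = re.compile(r"\bfingerprint=((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})\b")
FP_VALUE = re.compile(r"(?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2}")


def lookup_key(log_line):
    """Fingerprint from a log line, lower-cased as the folded lookup key is."""
    m = FP_IN_LOG.search(log_line)
    return m.group(1).lower() if m else None


def matches(stored, key, case_sensitive):
    """Model an equality match on the attribute under either kind of matching rule."""
    return stored == key if case_sensitive else stored.lower() == key.lower()


def audit(entries):
    """Classify stored values: ok, upper-case, or not colon-separated hex."""
    report = {}
    for dn, value in entries.items():
        if not FP_VALUE.fullmatch(value):
            report[dn] = "malformed"
        elif value != value.lower():
            report[dn] = "uppercase: misses a case-sensitive match"
        else:
            report[dn] = "ok"
    return report


if __name__ == "__main__":
    key = lookup_key(LOG_LINE)
    stored = ENTRIES["cn=msa,dc=example,dc=net"]
    print("key sent to the table:", key)
    print("case-sensitive match:  ", matches(stored, key, True))
    print("case-insensitive match:", matches(stored, key, False))
    for dn, status in audit(ENTRIES).items():
        print(dn, "->", status)
```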