New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Correct implementation of rfc4523 #2118
Comments
Comment from tbordaz (@tbordaz) at 2017-01-02 19:57:49
|
Comment from tbordaz (@tbordaz) at 2017-01-02 22:16:47 usercertificate indexed in 'pres' and 'eq' Add the following values to an entry (note that values 3 and 4 are identical but on an attribute with ';binary')
The resulting entry is
So attribute value is indexed stripping the subtype or transfert option. IMHO to conform https://tools.ietf.org/html/rfc4522:
'''A problem in (1) and (2)''' is that a an attribute may appear to contain twice the same value:
The first value is coming from 'userCertificate;binary' with a encoded64 "value without binary" |
Comment from nhosoi (@nhosoi) at 2017-01-05 08:26:06 When do we need this RFE? 1.3.6 or later? |
Comment from firstyear (@Firstyear) at 2017-01-05 10:27:11 I don't think this is urgent, it can be later. |
Comment from tbordaz (@tbordaz) at 2017-01-05 13:24:32 I agree with William, this is not a blocker for freeipa. A question is will we fix it or not. Two concerns:
|
Comment from nhosoi (@nhosoi) at 2017-01-26 08:44:19 Thanks, William and Thierry! Set it to 1.3.7 backlog. |
Comment from nhosoi (@nhosoi) at 2017-02-11 23:08:52 Metadata Update from @nhosoi:
|
Comment from mreynolds (@mreynolds389) at 2017-07-12 22:13:17 Metadata Update from @mreynolds389:
|
Hello, I have came across this issue recently in my environment and was wondering if I could get guidance in how to continue. Our old LDAP server has the While reading through the comments I tried adding the certificate following the naming sequences:
but it did not work. Is that the current working implementation or was that the proposed solution? The strange part is the ldif entries are exactly the same. They both have the following structure for identifying the certificate:
however some appear in an ldap search with the I can understand if 389ds decides one way or the other in the implementation but having a mix of both is making it really difficult to properly maintain my environment. Does anyone have any suggestions on how to approach my dilemma? I am not specifically asking for this issue to be solved but more so what is the proper suggested workaround. The desired outcome would be to always have the Thank you for taking the time to read this and offering me advice! |
On 9 Jun 2021, at 03:29, Gregory Walsh ***@***.***> wrote:
Hello,
I have came across this issue recently in my environment and was wondering if I could get guidance in how to continue. Our old LDAP server has the userCertificate;binary attribute for well over 300 entries. We have been testing 389ds as an open source alternative but I am running into an issue with importing my ldifs. On 389ds the userCertificate attribute loses the ;binary subtype. This is critical for my environment since we have scripts that look for the userCertificate;binary keyword in ldap searches . As a hotfix I changed the keyword search to just userCertificate but I was wondering if there is a better alternative to enforce the subtype when reading the ds.
While reading through the comments I tried adding the certificate following the naming sequences:
usercertificate;binary vs userCertificate;binary (Notice the capital 'C')
but it did not work. Is that the current working implementation or was that the proposed solution?
I also noticed something interesting that might be a bug. I have an ldif file that is importing a bunch of entries with userCertificate;binary and a bunch with userCertificate (without the ;binary).
The strange part is the ldif entries are exactly the same. They both have the following structure for identifying the certificate:
userCertificate;binary:: (THE BINARY)
however some appear in an ldap search with the ;binary subtype and some appear without it.
I can understand if 389ds decides one way or the other in the implementation but having a mix of both is making it really difficult to properly maintain my environment. Does anyone have any suggestions on how to approach my dilemma? I am not specifically asking for this issue to be solved but more so what is the proper suggested workaround. The desired outcome would be to always have the ;binary and be RFC compliant.
Thank you for taking the time to read this and offering me advice!
;binary is an ldap tag/option.
https://ldapwiki.com/wiki/Attribute%20Options
So I think in this case, you actually want to import *without* the tag (userCertificate) and then in your client you should request userCertificate;binary as the attribute which should get all the binary values. IIRC the flagging of this as binary comes from schema.
Hope that helps,
…
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
--
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia
|
Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/49059
We attempt to support rfc4523 for certificate storage. This is consumed by DogTag and IPA.
However, in our schema, we incorrectly list a number of attributes as 1.3.6.1.4.1.1466.115.121.1.40 rather than 1.3.6.1.4.1.1466.115.121.1.8. In bin.c we can see that right now 1.3.6.1.4.1.1466.115.121.1.8 is octetString compatible, so we don't need to change this.
We need to fix a few things.
First, we need to update our schema to use the correct oid.
Second, part of the syntax is that any attribute returned of this syntax must have the ;binary attribute tag attached.
This is described in:
https://tools.ietf.org/html/rfc4523
Binary encoding of attributes is here:
https://tools.ietf.org/html/rfc4522
The text was updated successfully, but these errors were encountered: