Rework support for certificate exact matching based, in part,
on patch submitted by Mark Ruijter <openldap@siennax.com>. This addresses (hopefully) ITS 2702, 2703, 2719, 2771. Additional work: fix extraneous frees in libldap/getdn.c x509 rewrite routine indexing
This commit is contained in:
parent
e3a0148328
commit
3fbe93c704
@ -1311,8 +1311,10 @@ else
|
||||
AC_WARN([TLS data protection not supported!])
|
||||
fi
|
||||
|
||||
WITH_TLS=no
|
||||
if test $ol_link_tls = yes ; then
|
||||
AC_DEFINE(HAVE_TLS, 1, [define if you have TLS])
|
||||
WITH_TLS=yes
|
||||
|
||||
elif test $ol_with_tls = auto ; then
|
||||
AC_WARN([Could not locate TLS/SSL package])
|
||||
@ -2831,6 +2833,7 @@ fi
|
||||
|
||||
AC_SUBST(LIBSRCS)
|
||||
AC_SUBST(PLAT)
|
||||
AC_SUBST(WITH_TLS)
|
||||
AC_SUBST(BUILD_LIBS_DYNAMIC)
|
||||
|
||||
AC_SUBST(BUILD_SLAPD)
|
||||
|
@ -202,13 +202,17 @@ attributetype ( 2.5.4.34 NAME 'seeAlso'
|
||||
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
|
||||
|
||||
# Must be transferred using ;binary
|
||||
# with certificateExactMatch rule (per X.509)
|
||||
attributetype ( 2.5.4.36 NAME 'userCertificate'
|
||||
DESC 'RFC2256: X.509 user certificate, use ;binary'
|
||||
EQUALITY certificateExactMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
|
||||
|
||||
# Must be transferred using ;binary
|
||||
# with certificateExactMatch rule (per X.509)
|
||||
attributetype ( 2.5.4.37 NAME 'cACertificate'
|
||||
DESC 'RFC2256: X.509 CA certificate, use ;binary'
|
||||
EQUALITY certificateExactMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
|
||||
|
||||
# Must be transferred using ;binary
|
||||
|
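Review bot: `EQUALITY certificateExactMatch` is now attached to userCertificate and cACertificate unconditionally, while the matching rule itself is registered in schema_init.c with NULL normalize and match functions whenever HAVE_TLS is not defined (the `#else` branch of the new mrule_defs entry). I cannot tell from this diff whether the schema loader rejects an equality rule that has no match function; if it does, non-TLS builds will no longer load core.schema, and if it does not, equality filters on these attributes silently become unsupported. Either way this dependency should be recorded next to the attribute, e.g. `# certificateExactMatch is only functional in a TLS-enabled build (see mrule_defs in schema_init.c)`, or the non-TLS branch should keep a usable match function.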
@ -21,6 +21,18 @@
|
||||
|
||||
#include "ldap_utf8.h"
|
||||
|
||||
#ifdef HAVE_TLS
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/rsa.h>
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/pem.h>
|
||||
#include <openssl/bio.h>
|
||||
#include <openssl/asn1.h>
|
||||
#include <openssl/x509v3.h>
|
||||
#include <openssl/ssl.h>
|
||||
#endif
|
||||
|
||||
#include "lutil_hash.h"
|
||||
#define HASH_BYTES LUTIL_HASH_BYTES
|
||||
#define HASH_CONTEXT lutil_HASH_CTX
|
||||
@ -60,6 +72,33 @@ blobValidate(
|
||||
|
||||
#define berValidate blobValidate
|
||||
|
||||
static int
|
||||
sequenceValidate(
|
||||
Syntax *syntax,
|
||||
struct berval *in )
|
||||
{
|
||||
if ( in->bv_len < 2 ) return LDAP_INVALID_SYNTAX;
|
||||
if ( in->bv_val[0] != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
|
||||
|
||||
return LDAP_SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
#ifdef HAVE_TLS
|
||||
static int certificateValidate( Syntax *syntax, struct berval *in )
|
||||
{
|
||||
X509 *xcert=NULL;
|
||||
unsigned char *p = in->bv_val;
|
||||
|
||||
xcert = d2i_X509(NULL, &p, in->bv_len);
|
||||
if ( !xcert ) return LDAP_INVALID_SYNTAX;
|
||||
X509_free(xcert);
|
||||
return LDAP_SUCCESS;
|
||||
}
|
||||
#else
|
||||
#define certificateValidate sequenceValidate
|
||||
#endif
|
||||
|
||||
static int
|
||||
octetStringMatch(
|
||||
int *matchp,
|
||||
@ -1864,211 +1903,202 @@ serialNumberAndIssuerValidate(
|
||||
Syntax *syntax,
|
||||
struct berval *in )
|
||||
{
|
||||
int rc = LDAP_INVALID_SYNTAX;
|
||||
struct berval serialNumber, issuer;
|
||||
int rc;
|
||||
int state;
|
||||
ber_len_t n;
|
||||
struct berval sn, i;
|
||||
if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
|
||||
|
||||
serialNumber.bv_val = in->bv_val;
|
||||
for( serialNumber.bv_len = 0;
|
||||
serialNumber.bv_len < in->bv_len;
|
||||
serialNumber.bv_len++ )
|
||||
{
|
||||
if ( serialNumber.bv_val[serialNumber.bv_len] == '$' ) {
|
||||
issuer.bv_val = &serialNumber.bv_val[serialNumber.bv_len+1];
|
||||
issuer.bv_len = in->bv_len - (serialNumber.bv_len+1);
|
||||
i.bv_val = strchr( in->bv_val, '$' );
|
||||
if( i.bv_val == NULL ) return LDAP_INVALID_SYNTAX;
|
||||
|
||||
if( serialNumber.bv_len == 0 || issuer.bv_len == 0 ) break;
|
||||
sn.bv_val = in->bv_val;
|
||||
sn.bv_len = i.bv_val - in->bv_val;
|
||||
|
||||
rc = integerValidate( NULL, &serialNumber );
|
||||
if( rc ) break;
|
||||
i.bv_val++;
|
||||
i.bv_len = in->bv_len - (sn.bv_len + 1);
|
||||
|
||||
rc = dnValidate( NULL, &issuer );
|
||||
break;
|
||||
/* validate serial number (strict for now) */
|
||||
for( n=0; n < sn.bv_len; n++ ) {
|
||||
if( !ASCII_DIGIT(sn.bv_val[n]) ) {
|
||||
return LDAP_INVALID_SYNTAX;
|
||||
}
|
||||
}
|
||||
|
||||
return rc;
|
||||
/* validate DN */
|
||||
rc = dnValidate( NULL, &i );
|
||||
if( rc ) return LDAP_INVALID_SYNTAX;
|
||||
|
||||
return LDAP_SUCCESS;
|
||||
}
|
||||
|
||||
int
|
||||
serialNumberAndIssuerPretty(
|
||||
Syntax *syntax,
|
||||
struct berval *val,
|
||||
struct berval *out,
|
||||
void *ctx )
|
||||
{
|
||||
int rc;
|
||||
int state;
|
||||
ber_len_t n;
|
||||
struct berval sn, i, newi;
|
||||
|
||||
assert( val );
|
||||
assert( out );
|
||||
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG( OPERATION, ARGS, ">>> serialNumberAndIssuerPretty: <%s>\n",
|
||||
val->bv_val, 0, 0 );
|
||||
#else
|
||||
Debug( LDAP_DEBUG_TRACE, ">>> serialNumberAndIssuerPretty: <%s>\n",
|
||||
val->bv_val, 0, 0 );
|
||||
#endif
|
||||
|
||||
if( val->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
|
||||
|
||||
i.bv_val = strchr( val->bv_val, '$' );
|
||||
if( i.bv_val == NULL ) return LDAP_INVALID_SYNTAX;
|
||||
|
||||
sn.bv_val = val->bv_val;
|
||||
sn.bv_len = i.bv_val - val->bv_val;
|
||||
|
||||
i.bv_val++;
|
||||
i.bv_len = val->bv_len - (sn.bv_len + 1);
|
||||
|
||||
/* eat leading zeros */
|
||||
for( n=0; n < (sn.bv_len-1); n++ ) {
|
||||
if( sn.bv_val[n] != '0' ) break;
|
||||
}
|
||||
sn.bv_val += n;
|
||||
sn.bv_len -= n;
|
||||
|
||||
for( n=0; n < sn.bv_len; n++ ) {
|
||||
if( !ASCII_DIGIT(sn.bv_val[n]) ) {
|
||||
return LDAP_INVALID_SYNTAX;
|
||||
}
|
||||
}
|
||||
|
||||
/* pretty DN */
|
||||
rc = dnPretty( syntax, &i, &newi, ctx );
|
||||
if( rc ) return LDAP_INVALID_SYNTAX;
|
||||
|
||||
/* make room from sn + "$" */
|
||||
out->bv_len = sn.bv_len + newi.bv_len + 1;
|
||||
out->bv_val = sl_realloc( newi.bv_val, out->bv_len + 1, ctx );
|
||||
|
||||
if( out->bv_val == NULL ) {
|
||||
sl_free( newi.bv_val, ctx );
|
||||
return LDAP_OTHER;
|
||||
}
|
||||
|
||||
/* push issuer over */
|
||||
AC_MEMCPY( &out->bv_val[sn.bv_len+1], newi.bv_val, newi.bv_len );
|
||||
/* insert sn and "$" */
|
||||
AC_MEMCPY( out->bv_val, sn.bv_val, sn.bv_len );
|
||||
out->bv_val[sn.bv_len] = '$';
|
||||
/* terminate */
|
||||
out->bv_val[out->bv_len] = '\0';
|
||||
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG( OPERATION, ARGS, "<<< serialNumberAndIssuerPretty: <%s>\n",
|
||||
out->bv_val, 0, 0 );
|
||||
#else
|
||||
Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerPretty: <%s>\n",
|
||||
out->bv_val, 0, 0 );
|
||||
#endif
|
||||
|
||||
return LDAP_SUCCESS;
|
||||
}
|
||||
|
||||
/*
|
||||
* This routine is called by certificateExactNormalize when
|
||||
* certificateExactNormalize receives a search string instead of
|
||||
* a certificate. This routine checks if the search value is valid
|
||||
* and then returns the normalized value
|
||||
*/
|
||||
static int
|
||||
serialNumberAndIssuerNormalize(
|
||||
slap_mask_t usage,
|
||||
Syntax *syntax,
|
||||
MatchingRule *mr,
|
||||
struct berval *val,
|
||||
struct berval *normalized,
|
||||
struct berval *out,
|
||||
void *ctx )
|
||||
{
|
||||
int rc = LDAP_INVALID_SYNTAX;
|
||||
struct berval serialNumber, issuer, nissuer;
|
||||
int rc;
|
||||
int state;
|
||||
ber_len_t n;
|
||||
struct berval sn, i, newi;
|
||||
|
||||
serialNumber.bv_val = val->bv_val;
|
||||
for( serialNumber.bv_len = 0;
|
||||
serialNumber.bv_len < val->bv_len;
|
||||
serialNumber.bv_len++ )
|
||||
{
|
||||
if ( serialNumber.bv_val[serialNumber.bv_len] == '$' ) {
|
||||
issuer.bv_val = &serialNumber.bv_val[serialNumber.bv_len+1];
|
||||
issuer.bv_len = val->bv_len - (serialNumber.bv_len+1);
|
||||
assert( val );
|
||||
assert( out );
|
||||
|
||||
if( serialNumber.bv_len == 0 || issuer.bv_len == 0 ) break;
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG( OPERATION, ARGS, ">>> serialNumberAndIssuerNormalize: <%s>\n",
|
||||
val->bv_val, 0, 0 );
|
||||
#else
|
||||
Debug( LDAP_DEBUG_TRACE, ">>> serialNumberAndIssuerNormalize: <%s>\n",
|
||||
val->bv_val, 0, 0 );
|
||||
#endif
|
||||
|
||||
rc = dnNormalize( usage, syntax, mr, &issuer, &nissuer, ctx );
|
||||
if( rc ) break;
|
||||
if( val->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
|
||||
|
||||
normalized->bv_len = serialNumber.bv_len + 1 + nissuer.bv_len;
|
||||
normalized->bv_val = ch_malloc( normalized->bv_len + 1);
|
||||
i.bv_val = strchr( val->bv_val, '$' );
|
||||
if( i.bv_val == NULL ) return LDAP_INVALID_SYNTAX;
|
||||
|
||||
AC_MEMCPY( normalized->bv_val,
|
||||
serialNumber.bv_val, serialNumber.bv_len );
|
||||
normalized->bv_val[serialNumber.bv_len] = '$';
|
||||
AC_MEMCPY( &normalized->bv_val[serialNumber.bv_len+1],
|
||||
nissuer.bv_val, nissuer.bv_len );
|
||||
normalized->bv_val[normalized->bv_len] = '\0';
|
||||
break;
|
||||
sn.bv_val = val->bv_val;
|
||||
sn.bv_len = i.bv_val - val->bv_val;
|
||||
|
||||
i.bv_val++;
|
||||
i.bv_len = val->bv_len - (sn.bv_len + 1);
|
||||
|
||||
/* eat leading zeros */
|
||||
for( n=0; n < (sn.bv_len-1); n++ ) {
|
||||
if( sn.bv_val[n] != '0' ) break;
|
||||
}
|
||||
sn.bv_val += n;
|
||||
sn.bv_len -= n;
|
||||
|
||||
for( n=0; n < sn.bv_len; n++ ) {
|
||||
if( !ASCII_DIGIT(sn.bv_val[n]) ) {
|
||||
return LDAP_INVALID_SYNTAX;
|
||||
}
|
||||
}
|
||||
|
||||
/* pretty DN */
|
||||
rc = dnNormalize( usage, syntax, mr, &i, &newi, ctx );
|
||||
if( rc ) return LDAP_INVALID_SYNTAX;
|
||||
|
||||
/* make room from sn + "$" */
|
||||
out->bv_len = sn.bv_len + newi.bv_len + 1;
|
||||
out->bv_val = sl_realloc( newi.bv_val, out->bv_len + 1, ctx );
|
||||
|
||||
if( out->bv_val == NULL ) {
|
||||
sl_free( newi.bv_val, ctx );
|
||||
return LDAP_OTHER;
|
||||
}
|
||||
|
||||
/* push issuer over */
|
||||
AC_MEMCPY( &out->bv_val[sn.bv_len+1], newi.bv_val, newi.bv_len );
|
||||
/* insert sn and "$" */
|
||||
AC_MEMCPY( out->bv_val, sn.bv_val, sn.bv_len );
|
||||
out->bv_val[sn.bv_len] = '$';
|
||||
/* terminate */
|
||||
out->bv_val[out->bv_len] = '\0';
|
||||
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG( OPERATION, ARGS, "<<< serialNumberAndIssuerNormalize: <%s>\n",
|
||||
out->bv_val, 0, 0 );
|
||||
#else
|
||||
Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerNormalize: <%s>\n",
|
||||
out->bv_val, 0, 0 );
|
||||
#endif
|
||||
|
||||
return rc;
|
||||
}
|
||||
|
||||
#ifdef HAVE_TLS
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/err.h>
|
||||
|
||||
/*
|
||||
* Next function returns a string representation of a ASN1_INTEGER.
|
||||
* It works for unlimited lengths.
|
||||
*/
|
||||
|
||||
static struct berval *
|
||||
asn1_integer2str(ASN1_INTEGER *a, struct berval *bv)
|
||||
{
|
||||
char buf[256];
|
||||
char *p;
|
||||
static char digit[] = "0123456789";
|
||||
|
||||
/* We work backwards, make it fill from the end of buf */
|
||||
p = buf + sizeof(buf) - 1;
|
||||
*p = '\0';
|
||||
|
||||
if ( a == NULL || a->length == 0 ) {
|
||||
*--p = '0';
|
||||
} else {
|
||||
int i;
|
||||
int n = a->length;
|
||||
int base = 0;
|
||||
unsigned int *copy;
|
||||
|
||||
/* We want to preserve the original */
|
||||
copy = ch_malloc(n*sizeof(unsigned int));
|
||||
for (i = 0; i<n; i++) {
|
||||
copy[i] = a->data[i];
|
||||
}
|
||||
|
||||
/*
|
||||
* base indicates the index of the most significant
|
||||
* byte that might be nonzero. When it goes off the
|
||||
* end, we now there is nothing left to do.
|
||||
*/
|
||||
while (base < n) {
|
||||
unsigned int carry;
|
||||
|
||||
carry = 0;
|
||||
for (i = base; i<n; i++ ) {
|
||||
copy[i] += carry*256;
|
||||
carry = copy[i] % 10;
|
||||
copy[i] /= 10;
|
||||
}
|
||||
if (p <= buf+1) {
|
||||
/*
|
||||
* Way too large, we need to leave
|
||||
* room for sign if negative
|
||||
*/
|
||||
free(copy);
|
||||
return NULL;
|
||||
}
|
||||
*--p = digit[carry];
|
||||
|
||||
if (copy[base] == 0) base++;
|
||||
}
|
||||
free(copy);
|
||||
}
|
||||
|
||||
if ( a->type == V_ASN1_NEG_INTEGER ) {
|
||||
*--p = '-';
|
||||
}
|
||||
|
||||
return ber_str2bv( p, 0, 1, bv );
|
||||
}
|
||||
|
||||
/*
|
||||
* Given a certificate in DER format, extract the corresponding
|
||||
* assertion value for certificateExactMatch
|
||||
*/
|
||||
static int
|
||||
certificateExactConvert(
|
||||
struct berval * in,
|
||||
struct berval * out )
|
||||
{
|
||||
int rc;
|
||||
X509 *xcert;
|
||||
unsigned char *p = in->bv_val;
|
||||
struct berval serial;
|
||||
struct berval issuer_dn;
|
||||
|
||||
xcert = d2i_X509(NULL, &p, in->bv_len);
|
||||
if ( !xcert ) {
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG( CONFIG, ENTRY,
|
||||
"certificateExactConvert: error parsing cert: %s\n",
|
||||
ERR_error_string(ERR_get_error(),NULL), 0, 0 );
|
||||
#else
|
||||
Debug( LDAP_DEBUG_ARGS, "certificateExactConvert: "
|
||||
"error parsing cert: %s\n",
|
||||
ERR_error_string(ERR_get_error(),NULL), NULL, NULL );
|
||||
#endif
|
||||
return LDAP_INVALID_SYNTAX;
|
||||
}
|
||||
|
||||
if ( !asn1_integer2str(xcert->cert_info->serialNumber, &serial) ) {
|
||||
X509_free(xcert);
|
||||
return LDAP_INVALID_SYNTAX;
|
||||
}
|
||||
|
||||
rc = dnX509normalize( X509_get_issuer_name(xcert), &issuer_dn );
|
||||
if( rc != LDAP_SUCCESS ) {
|
||||
X509_free(xcert);
|
||||
ber_memfree(serial.bv_val);
|
||||
return LDAP_INVALID_SYNTAX;
|
||||
}
|
||||
|
||||
X509_free(xcert);
|
||||
|
||||
out->bv_len = serial.bv_len + issuer_dn.bv_len + sizeof(" $ ");
|
||||
out->bv_val = ch_malloc(out->bv_len);
|
||||
p = out->bv_val;
|
||||
AC_MEMCPY(p, serial.bv_val, serial.bv_len);
|
||||
p += serial.bv_len;
|
||||
AC_MEMCPY(p, " $ ", sizeof(" $ ")-1);
|
||||
p += 3;
|
||||
AC_MEMCPY(p, issuer_dn.bv_val, issuer_dn.bv_len);
|
||||
p += issuer_dn.bv_len;
|
||||
*p++ = '\0';
|
||||
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG( CONFIG, ARGS, "certificateExactConvert: %s\n",
|
||||
out->bv_val, 0, 0 );
|
||||
#else
|
||||
Debug( LDAP_DEBUG_ARGS, "certificateExactConvert: %s\n",
|
||||
out->bv_val, NULL, NULL );
|
||||
#endif
|
||||
|
||||
ber_memfree(serial.bv_val);
|
||||
ber_memfree(issuer_dn.bv_val);
|
||||
|
||||
return LDAP_SUCCESS;
|
||||
}
|
||||
|
||||
static int
|
||||
certificateExactNormalize(
|
||||
slap_mask_t usage,
|
||||
@ -2078,16 +2108,59 @@ certificateExactNormalize(
|
||||
struct berval *normalized,
|
||||
void *ctx )
|
||||
{
|
||||
int rc;
|
||||
int rc = LDAP_INVALID_SYNTAX;
|
||||
unsigned char *p;
|
||||
char *serial = NULL;
|
||||
ber_len_t seriallen;
|
||||
struct berval issuer_dn = { 0, NULL };
|
||||
X509_NAME *name = NULL;
|
||||
ASN1_INTEGER *sn = NULL;
|
||||
X509 *xcert = NULL;
|
||||
|
||||
if( SLAP_MR_IS_VALUE_OF_ASSERTION_SYNTAX( usage ) ) {
|
||||
rc = serialNumberAndIssuerNormalize( usage, syntax, mr,
|
||||
val, normalized, ctx );
|
||||
if( val->bv_len == 0 ) goto done;
|
||||
|
||||
} else {
|
||||
rc = certificateExactConvert( val, normalized );
|
||||
if( val->bv_val[0] != LBER_SEQUENCE ) {
|
||||
/* assume serialNumberAndIssuer */
|
||||
return serialNumberAndIssuerNormalize(0,NULL,NULL,val,normalized,NULL);
|
||||
}
|
||||
|
||||
p = val->bv_val;
|
||||
xcert = d2i_X509( NULL, &p, val->bv_len);
|
||||
if( xcert == NULL ) goto done;
|
||||
|
||||
sn=X509_get_serialNumber(xcert);
|
||||
if ( sn == NULL ) goto done;
|
||||
serial=i2s_ASN1_INTEGER(0, sn );
|
||||
if( serial == NULL ) goto done;
|
||||
seriallen=strlen(serial);
|
||||
|
||||
name=X509_get_issuer_name(xcert);
|
||||
if( name == NULL ) goto done;
|
||||
rc = dnX509normalize( name, &issuer_dn );
|
||||
if( rc != LDAP_SUCCESS ) goto done;
|
||||
|
||||
normalized->bv_len = seriallen + issuer_dn.bv_len + 1;
|
||||
p = normalized->bv_val = ch_malloc(normalized->bv_len+1);
|
||||
AC_MEMCPY(p, serial, seriallen);
|
||||
p += seriallen;
|
||||
*p++ = '$';
|
||||
AC_MEMCPY(p, issuer_dn.bv_val, issuer_dn.bv_len);
|
||||
p += issuer_dn.bv_len;
|
||||
*p = '\0';
|
||||
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG( CONFIG, ARGS, "certificateExactNormalize: %s\n",
|
||||
normalized->bv_val, 0, 0 );
|
||||
#else
|
||||
Debug( LDAP_DEBUG_TRACE, "certificateExactNormalize: %s\n",
|
||||
normalized->bv_val, NULL, NULL );
|
||||
#endif
|
||||
|
||||
done:
|
||||
if (xcert) X509_free(xcert);
|
||||
if (serial) ch_free(serial);
|
||||
if (issuer_dn.bv_val) ber_memfree(issuer_dn.bv_val);
|
||||
|
||||
return rc;
|
||||
}
|
||||
#endif /* HAVE_TLS */
|
||||
@ -2553,13 +2626,13 @@ static slap_syntax_defs_rec syntax_defs[] = {
|
||||
0, booleanValidate, NULL},
|
||||
{"( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'Certificate' "
|
||||
X_BINARY X_NOT_H_R ")",
|
||||
SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, berValidate, NULL},
|
||||
SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, certificateValidate, NULL},
|
||||
{"( 1.3.6.1.4.1.1466.115.121.1.9 DESC 'Certificate List' "
|
||||
X_BINARY X_NOT_H_R ")",
|
||||
SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, berValidate, NULL},
|
||||
SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, sequenceValidate, NULL},
|
||||
{"( 1.3.6.1.4.1.1466.115.121.1.10 DESC 'Certificate Pair' "
|
||||
X_BINARY X_NOT_H_R ")",
|
||||
SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, berValidate, NULL},
|
||||
SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, sequenceValidate, NULL},
|
||||
{"( 1.3.6.1.4.1.1466.115.121.1.11 DESC 'Country String' )",
|
||||
0, countryStringValidate, NULL},
|
||||
{"( 1.3.6.1.4.1.1466.115.121.1.12 DESC 'Distinguished Name' )",
|
||||
@ -2659,16 +2732,14 @@ static slap_syntax_defs_rec syntax_defs[] = {
|
||||
{"( 1.3.6.1.1.1.0.1 DESC 'RFC2307 Boot Parameter' )",
|
||||
0, bootParameterValidate, NULL},
|
||||
|
||||
/* From PKIX */
|
||||
/* These OIDs are not published yet, but will be in the next
|
||||
* I-D for PKIX LDAPv3 schema as have been advanced by David
|
||||
* Chadwick in private mail.
|
||||
*/
|
||||
{"( 1.2.826.0.1.3344810.7.1 DESC 'Serial Number and Issuer' )",
|
||||
0, serialNumberAndIssuerValidate, NULL},
|
||||
/* From PKIX *//* This OID is not published yet. */
|
||||
{"( 1.2.826.0.1.3344810.7.1 DESC 'Certificate Serial Number and Issuer' )",
|
||||
SLAP_SYNTAX_HIDE,
|
||||
serialNumberAndIssuerValidate,
|
||||
serialNumberAndIssuerPretty},
|
||||
|
||||
/* OpenLDAP Experimental Syntaxes */
|
||||
#ifdef SLAPD_ACI_ENABLED
|
||||
/* OpenLDAP Experimental Syntaxes */
|
||||
{"( 1.3.6.1.4.1.4203.666.2.1 DESC 'OpenLDAP Experimental ACI' )",
|
||||
SLAP_SYNTAX_HIDE,
|
||||
UTF8StringValidate /* THIS WILL CHANGE FOR NEW ACI SYNTAX */,
|
||||
@ -2687,12 +2758,10 @@ static slap_syntax_defs_rec syntax_defs[] = {
|
||||
{NULL, 0, NULL, NULL}
|
||||
};
|
||||
|
||||
#ifdef HAVE_TLS
|
||||
char *certificateExactMatchSyntaxes[] = {
|
||||
"1.3.6.1.4.1.1466.115.121.1.8" /* certificate */,
|
||||
NULL
|
||||
};
|
||||
#endif
|
||||
char *directoryStringSyntaxes[] = {
|
||||
"1.3.6.1.4.1.1466.115.121.1.44" /* printableString */,
|
||||
NULL
|
||||
@ -2949,14 +3018,16 @@ static slap_mrule_defs_rec mrule_defs[] = {
|
||||
octetStringIndexer, octetStringFilter,
|
||||
NULL },
|
||||
|
||||
#ifdef HAVE_TLS
|
||||
{"( 2.5.13.34 NAME 'certificateExactMatch' "
|
||||
"SYNTAX 1.2.826.0.1.3344810.7.1 )",
|
||||
SLAP_MR_EQUALITY | SLAP_MR_EXT, certificateExactMatchSyntaxes,
|
||||
#ifdef HAVE_TLS
|
||||
NULL, certificateExactNormalize, octetStringMatch,
|
||||
octetStringIndexer, octetStringFilter,
|
||||
NULL },
|
||||
#else
|
||||
NULL, NULL, NULL, NULL, NULL,
|
||||
#endif
|
||||
NULL },
|
||||
|
||||
{"( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' "
|
||||
"SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )",
|
||||
|
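Review bot: The dispatch `if( val->bv_val[0] != LBER_SEQUENCE )` in certificateExactNormalize cannot tell an assertion value from a certificate, because LBER_SEQUENCE is 0x30, the same byte as ASCII '0', so any serialNumberAndIssuer assertion whose serial begins with a zero is handed to d2i_X509 and rejected as LDAP_INVALID_SYNTAX; serialNumberAndIssuerPretty/Normalize deliberately keep a lone `0`, and the CA certificate in the test data appears to carry serial 0 (`AgIBAA` in its base64), so exact-match lookups for it would never succeed. The caller's `usage` already identifies the syntax, so the branch should read `if( SLAP_MR_IS_VALUE_OF_ASSERTION_SYNTAX( usage ) ) {` / `return serialNumberAndIssuerNormalize( usage, syntax, mr, val, normalized, ctx );` / `}`, which also stops discarding the caller's memory context (the current call passes NULL for ctx, so the assertion path allocates through a different context than the certificate path's ch_malloc). Separately, `serial` is returned by i2s_ASN1_INTEGER, i.e. allocated by OpenSSL, but released with `ch_free(serial)` at `done:`; unless this build routes OpenSSL allocation through the same allocator, that should be `OPENSSL_free(serial)`. In the new serialNumberAndIssuerValidate nothing rejects an empty serial number (a value starting with `$`) or an empty issuer before the digit loop and dnValidate, so `$cn=x` and `123$` now validate where the previous implementation rejected them. certificateExactNormalize's signature begins above the hunk.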
@ -9,6 +9,7 @@ BUILD_HDB=@BUILD_HDB@
|
||||
BUILD_LDBM=@BUILD_LDBM@
|
||||
BUILD_MONITOR=@BUILD_MONITOR@
|
||||
BUILD_CACHE=@BUILD_CACHE@
|
||||
WITH_TLS=@WITH_TLS@
|
||||
|
||||
test tests:
|
||||
@$(MAKE) bdb
|
||||
@ -33,7 +34,7 @@ bdb-no:
|
||||
|
||||
bdb-yes bdb-mod: links dirs FORCE
|
||||
@echo "Initiating LDAP tests for BDB..."
|
||||
@MONITORDB=$(BUILD_MONITOR) PROXYCACHE=$(BUILD_CACHE) BACKENDTYPE=$(BUILD_BDB) $(srcdir)/scripts/all $(srcdir) bdb bdb
|
||||
@MONITORDB=$(BUILD_MONITOR) PROXYCACHE=$(BUILD_CACHE) WITHTLS=$(WITH_TLS) BACKENDTYPE=$(BUILD_BDB) $(srcdir)/scripts/all $(srcdir) bdb bdb
|
||||
|
||||
hdb test-hdb: hdb-$(BUILD_HDB)
|
||||
hdb-no:
|
||||
@ -41,7 +42,7 @@ hdb-no:
|
||||
|
||||
hdb-yes hdb-mod: links dirs FORCE
|
||||
@echo "Initiating LDAP tests for HDB..."
|
||||
@MONITORDB=$(BUILD_MONITOR) PROXYCACHE=$(BUILD_CACHE) BACKENDTYPE=$(BUILD_HDB) $(srcdir)/scripts/all $(srcdir) hdb hdb
|
||||
@MONITORDB=$(BUILD_MONITOR) PROXYCACHE=$(BUILD_CACHE) WITHTLS=$(WITH_TLS) BACKENDTYPE=$(BUILD_HDB) $(srcdir)/scripts/all $(srcdir) hdb hdb
|
||||
|
||||
ldbm test-ldbm: ldbm-$(BUILD_LDBM)
|
||||
ldbm-no:
|
||||
@ -49,8 +50,9 @@ ldbm-no:
|
||||
|
||||
ldbm-yes ldbm-mod: links dirs FORCE
|
||||
@echo "Initiating LDAP tests for LDBM..."
|
||||
@MONITORDB=$(BUILD_MONITOR); PROXYCACHE=$(BUILD_CACHE); \
|
||||
BACKENDTYPE=$(BUILD_LDBM); export MONITORDB PROXYCACHE BACKENDTYPE; \
|
||||
@MONITORDB=$(BUILD_MONITOR); PROXYCACHE=$(BUILD_CACHE); WITHTLS=$(WITH_TLS) \
|
||||
BACKENDTYPE=$(BUILD_LDBM); \
|
||||
export MONITORDB PROXYCACHE WITHTLS BACKENDTYPE; \
|
||||
if test "$(BUILD_BDB)" != "no"; then \
|
||||
$(srcdir)/scripts/all $(srcdir) ldbm bdb ; \
|
||||
else \
|
||||
|
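Review bot: In the ldbm-yes rule the new `WITHTLS=$(WITH_TLS) \` is not terminated with `;` like the assignments beside it, so it and `BACKENDTYPE=$(BUILD_LDBM);` are parsed as one simple command carrying two assignment words. That works in POSIX sh only because a command consisting solely of assignments applies them to the current shell, but it is inconsistent with the bdb-yes and hdb-yes rules and breaks as soon as a command word is added to that line; write `WITHTLS=$(WITH_TLS); \`.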
@ -1,6 +1,8 @@
|
||||
# (userCertificate;binary=*)
|
||||
dn: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=University of Michigan
|
||||
,c=US
|
||||
objectClass: OpenLDAPperson
|
||||
objectClass: strongAuthenticationUser
|
||||
cn: Jennifer Smith
|
||||
cn: Jen Smith
|
||||
sn: Smith
|
||||
@ -15,42 +17,28 @@ homePhone: +1 313 555 2333
|
||||
pager: +1 313 555 6442
|
||||
facsimileTelephoneNumber: +1 313 555 2756
|
||||
telephoneNumber: +1 313 555 8232
|
||||
userCertificate;binary:: MIIDajCCAtOgAwIBAgIBATANBgkqhkiG9w0BAQQFADB2MQswCQYDV
|
||||
QQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdH
|
||||
kgTHRkMRAwDgYDVQQDEwdJV1BMIENBMR0wGwYJKoZIhvcNAQkBFg5jYUBleGFtcGxlLm5ldDAeFw0
|
||||
wMzEwMTYyMjM4MzFaFw0wNDEwMTUyMjM4MzFaMH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpTb21l
|
||||
LVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGDAWBgNVBAMTD0plbm5pZ
|
||||
mllciBTbWl0aDEeMBwGCSqGSIb3DQEJARYPamVuQGV4YW1wbGUubmV0MIGfMA0GCSqGSIb3DQEBAQ
|
||||
UAA4GNADCBiQKBgQC45An7/kRRHxiLIKR6yMfIVpGhkacWlKRFgkrzF5q9lcou+2NVZvuJDtMz36a
|
||||
11EgQmRJzx39oh7Eg4ZHLAHk4OoPfcwfHQ0FHCOaU6uSE6EFqLC1CjbquZPRpwLnurf2EB0GpZTo+
|
||||
bJZHvk6tA8SykUd+9qFMmX5As41JOOifjwIDAQABo4H+MIH7MAkGA1UdEwQCMAAwLAYJYIZIAYb4Q
|
||||
gENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBS/e4vtKxSvjrV2JH
|
||||
ghV/jgTEVMajCBoAYDVR0jBIGYMIGVgBQufFvScUL0ktR2YafMec94YPIrF6F6pHgwdjELMAkGA1U
|
||||
EBhMCVVMxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5
|
||||
IEx0ZDEQMA4GA1UEAxMHSVdQTCBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5uZXSCAQAwD
|
||||
QYJKoZIhvcNAQEEBQADgYEAbbGierD9QwK2cRnVr+Gs7dcbaRtuzriLIAgnR/s2t4Py0hpnySnyBV
|
||||
ENXkzcgt7OIFEyF9ubRIe8YMfmLAO3yHxNyv4WaGTUVE0o54mZ5GaaIY2ibl7NK48u9VC/59pfxIs
|
||||
oi2m4HHbY1MD54XRy2CANELBVFI3CI4raj3/UiiA=
|
||||
userCertificate;binary:: MIIDaTCCAtKgAwIBAgIBAjANBgkqhkiG9w0BAQQFADB2MQswCQYDV
|
||||
QQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdH
|
||||
kgTHRkMRAwDgYDVQQDEwdJV1BMIENBMR0wGwYJKoZIhvcNAQkBFg5jYUBleGFtcGxlLm5ldDAeFw0
|
||||
wMzEwMTYyMjQwMzNaFw0wNDEwMTUyMjQwMzNaMH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpTb21l
|
||||
LVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFzAVBgNVBAMTDkplbm5pZ
|
||||
mVyIFNtaXRoMR4wHAYJKoZIhvcNAQkBFg9qZW5AZXhhbXBsZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQ
|
||||
ADgY0AMIGJAoGBAMiamobs0kC0Q/78yocNvf0iTI5x9efB3tMwsxweLg93KbuNBeFn2mczzQvuzvh
|
||||
s+PLnfKxAyWbkeZrqw0Ve1h8ZXSHWSFg75UOFbo4wevuoYEtqmMupFEwT4rdf8Ykt5Rq1PyUJ5LgS
|
||||
Ne0TMSqCYwTuo7+OunC/5YamsIbkKcsFAgMBAAGjgf4wgfswCQYDVR0TBAIwADAsBglghkgBhvhCA
|
||||
Q0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFDx71116utXKGemZrZ
|
||||
Vxp3p9NqU5MIGgBgNVHSMEgZgwgZWAFC58W9JxQvSS1HZhp8x5z3hg8isXoXqkeDB2MQswCQYDVQQ
|
||||
GEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkg
|
||||
THRkMRAwDgYDVQQDEwdJV1BMIENBMR0wGwYJKoZIhvcNAQkBFg5jYUBleGFtcGxlLm5ldIIBADANB
|
||||
gkqhkiG9w0BAQQFAAOBgQAPDn0+fm/GYV6elg3XFJgGA3wrVm4TeQQ8BdmIhqf25DUn/3ja3SBGI0
|
||||
7DWz+LlYE/JzDEU+1UiYAfGgp7CnzKBzCUL0jyamgj11I6OyaYBdOsEGx1MFLjsOa+TCQS1f2v1gG
|
||||
Cs/k0a/b3RRCTyoUfPHxJ0M6Cw9SGXu2K8GtHYA==
|
||||
userCertificate;binary:: MIIDjDCCAvWgAwIBAgIBAzANBgkqhkiG9w0BAQQFADB3MQswCQYDV
|
||||
QQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTH
|
||||
RkLjETMBEGA1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb20wHhc
|
||||
NMDMxMDE3MTYzNTM1WhcNMDQxMDE2MTYzNTM1WjCBnjELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE1p
|
||||
Y2hpZ2FuMR8wHQYDVQQKExZPcGVuTERBUCBFeGFtcGxlLCBMdGQuMRswGQYDVQQLExJBbHVtbmkgQ
|
||||
XNzb2ljYXRpb24xEjAQBgNVBAMTCUplbiBTbWl0aDEqMCgGCSqGSIb3DQEJARYbamVuQG1haWwuYW
|
||||
x1bW5pLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDpnXWAL0VkROGO1Rg
|
||||
8J3u6F4F7yMqQCbUMsV9rxQisYj45+pmqiHV5urogvT4MGD6eLNFZKBn+0KRni++uu7gbartzpmBa
|
||||
HOlzRII9ZdVMFfrT2xYNgAlkne6pb6IZIN9UONuH/httENCDJ5WEpjZ48D1Lrml/HYO/W+SAMkpEq
|
||||
QIDAQABo4H/MIH8MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIE
|
||||
NlcnRpZmljYXRlMB0GA1UdDgQWBBTB2saht/od/nis76b9m+pjxfhSPjCBoQYDVR0jBIGZMIGWgBR
|
||||
LbyEaNiTSkPlDsFNHLX3hwOaYI6F7pHkwdzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju
|
||||
aWExHzAdBgNVBAoTFk9wZW5MREFQIEV4YW1wbGUsIEx0ZC4xEzARBgNVBAMTCkV4YW1wbGUgQ0ExH
|
||||
TAbBgkqhkiG9w0BCQEWDmNhQGV4YW1wbGUuY29tggEAMA0GCSqGSIb3DQEBBAUAA4GBAIoGPc/AS0
|
||||
cNkMRDNoMIzcFdF9lONMduKBiSuFvv+x8nCek+LUdXxF59V2NPKh2V5gFh5xbAchyv6FVBnpVtPdB
|
||||
5akCr5tdFQhuBLUXXDk/tTHGpIWt7OAjEmpuMzsz3GUB8Zf9rioHOs1DMw+GpzWdnFITxXhAqEDc3
|
||||
quqPrpxZ
|
||||
|
||||
dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=University of Michiga
|
||||
n,c=US
|
||||
objectClass: OpenLDAPperson
|
||||
objectClass: strongAuthenticationUser
|
||||
cn: Ursula Hampster
|
||||
sn: Hampster
|
||||
uid: uham
|
||||
@ -63,20 +51,56 @@ homePhone: +1 313 555 8421
|
||||
pager: +1 313 555 2844
|
||||
facsimileTelephoneNumber: +1 313 555 9700
|
||||
telephoneNumber: +1 313 555 5331
|
||||
userCertificate;binary:: MIIDbDCCAtWgAwIBAgIBAzANBgkqhkiG9w0BAQQFADB2MQswCQYDV
|
||||
QQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdH
|
||||
kgTHRkMRAwDgYDVQQDEwdJV1BMIENBMR0wGwYJKoZIhvcNAQkBFg5jYUBleGFtcGxlLm5ldDAeFw0
|
||||
wMzEwMTYyMjQ0MThaFw0wNDEwMTUyMjQ0MThaMIGAMQswCQYDVQQGEwJVUzETMBEGA1UECBMKU29t
|
||||
ZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRgwFgYDVQQDEw9VcnN1b
|
||||
GEgSGFtcHN0ZXIxHzAdBgkqhkiG9w0BCQEWEHVoYW1AZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQ
|
||||
EBBQADgY0AMIGJAoGBAOftC+ppQ3/ZeWJRfs93FACCYAn9ajEtHy3A4GutavSQ1eLqlsU9wEkb8aE
|
||||
vRtOQ9BwTjaJc+0JJ53uB6th7f5Tl7LNgjsbVR5Ef3ucsdX2ulfCwm4Mun5Us/AK6QeYnyn+cimdP
|
||||
aWdS2XnopiAvvOmlnEDfDuFD3XNVs8MLuQ99AgMBAAGjgf4wgfswCQYDVR0TBAIwADAsBglghkgBh
|
||||
vhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFI9vudD6euL2Lx
|
||||
IhghjKii+3J4yqMIGgBgNVHSMEgZgwgZWAFC58W9JxQvSS1HZhp8x5z3hg8isXoXqkeDB2MQswCQY
|
||||
DVQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
|
||||
dHkgTHRkMRAwDgYDVQQDEwdJV1BMIENBMR0wGwYJKoZIhvcNAQkBFg5jYUBleGFtcGxlLm5ldIIBA
|
||||
DANBgkqhkiG9w0BAQQFAAOBgQAnYYHkbAWFdgelG/MnYISPU48XBTxZv3dcLh9cx+J/gp1Vhggkxs
|
||||
EVaPQlhlnQCfQwtM1h4j4cSVM8Tdceif93+uF48Arl6oQe5c63MoPIZD56vJkAlg+RiAFPDy6FjX6
|
||||
otjpIpW3u5GeGzaDLDBn5rlUXr0kED7Ool7R9Javxzg==
|
||||
userCertificate;binary:: MIIDazCCAtSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADB3MQswCQYDV
|
||||
QQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTH
|
||||
RkLjETMBEGA1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb20wHhc
|
||||
NMDMxMDE3MTYzMzE5WhcNMDQxMDE2MTYzMzE5WjB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs
|
||||
aWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTHRkLjEYMBYGA1UEAxMPVXJzdWxhI
|
||||
EhhbXBzdGVyMR8wHQYJKoZIhvcNAQkBFhB1aGFtQGV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQ
|
||||
UAA4GNADCBiQKBgQDuxgp5ELV9LmhxWMpV7qc4028QQT3+zzFDXhruuXE7ji2n3S3ea8bOwDtJh+q
|
||||
nsDe561DhHHHlgIjMKCiDEizYMpxvJPYEXmvp0huRkMgpKZgmel95BSkt6TYmJ0erS3aoimOHLEFi
|
||||
mmnTLolNRMiWqNBvqwobx940PGwUWEePKQIDAQABo4H/MIH8MAkGA1UdEwQCMAAwLAYJYIZIAYb4Q
|
||||
gENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSjI94TbBmuDEeUUO
|
||||
iC37EK0Uf0XjCBoQYDVR0jBIGZMIGWgBRLbyEaNiTSkPlDsFNHLX3hwOaYI6F7pHkwdzELMAkGA1U
|
||||
EBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExHzAdBgNVBAoTFk9wZW5MREFQIEV4YW1wbGUsIEx0
|
||||
ZC4xEzARBgNVBAMTCkV4YW1wbGUgQ0ExHTAbBgkqhkiG9w0BCQEWDmNhQGV4YW1wbGUuY29tggEAM
|
||||
A0GCSqGSIb3DQEBBAUAA4GBAIgUcARb3OlWYNbmr1nmqESuxLn16uqI1Ot6WkcICvpkdQ+Bo+R9AP
|
||||
05xpoXocZtKdNvBu3FNxB/jFkiOcLU2lX7Px1Ijnsjh60qVRy9HOsHCungIKlGcnXLKHmKu0y//5j
|
||||
ds/HnaJsGcHI5JRG7CBJbW+wrwge3trJ1xHJI8prN
|
||||
|
||||
# (cAcertificate=*)
|
||||
dn: o=University of Michigan,c=US
|
||||
objectClass: organization
|
||||
objectClass: domainRelatedObject
|
||||
objectClass: extensibleObject
|
||||
l: Ann Arbor, Michigan
|
||||
st: Michigan
|
||||
o: University of Michigan
|
||||
o: UMICH
|
||||
o: UM
|
||||
o: U-M
|
||||
o: U of M
|
||||
description: The University of Michigan at Ann Arbor
|
||||
postalAddress: University of Michigan $ 535 W. William St. $ Ann Arbor, MI 481
|
||||
09 $ US
|
||||
telephoneNumber: +1 313 764-1817
|
||||
associatedDomain: example.com
|
||||
cACertificate;binary:: MIIDVDCCAr2gAwIBAgIBADANBgkqhkiG9w0BAQQFADB3MQswCQYDVQQ
|
||||
GEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTHRk
|
||||
LjETMBEGA1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb20wHhcNM
|
||||
DMxMDE3MTYzMDQxWhcNMDQxMDE2MTYzMDQxWjB3MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaW
|
||||
Zvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTHRkLjETMBEGA1UEAxMKRXhhbXBsZSB
|
||||
DQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
|
||||
AoGBANljUGxiisAzEiALukzt3Gj/24MRw1J0AZx6GncXLhpNJsAFyA0bYZdAzgvydKeq/uX0i5o/4
|
||||
Byc3G71XAAcbJZxDPtrLwpDAdMNOBvKV2r67yTgnpatFLfGRt/FWazj5EbFYkorWWTe+4eEBd9VPz
|
||||
ebHdIm+DPHipUfIAzRoNejAgMBAAGjge8wgewwHQYDVR0OBBYEFEtvIRo2JNKQ+UOwU0ctfeHA5pg
|
||||
jMIGhBgNVHSMEgZkwgZaAFEtvIRo2JNKQ+UOwU0ctfeHA5pgjoXukeTB3MQswCQYDVQQGEwJVUzET
|
||||
MBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTHRkLjETMBEGA
|
||||
1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb22CAQAwDAYDVR0TBA
|
||||
UwAwEB/zAZBgNVHREEEjAQgQ5jYUBleGFtcGxlLmNvbTANBgkqhkiG9w0BAQQFAAOBgQCgXD/+28E
|
||||
l3GXi/uxMNEKqtnIhQdTnNU4il0fZ6pcmHPFC+61Bddow90ZZZh5Gbg5ZBxFRhDXN8K/fix3ewRSj
|
||||
ASt40dGlEODkE+FsLMt04sYl6kX7RGKg9a46DkeG+uzZnN/3252uCgh+rjNMFAglueUTERv3EtUB1
|
||||
iXEoU3GyA==
|
||||
|
||||
# (userCertificate=2$EMAIL=ca@example.com,CN=Example CA,O=Openldap Example\5C, Ltd.,ST=California,C=US)
|
||||
|
||||
|
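Review bot: The new comment `# (cAcertificate=*)` spells the attribute differently from the schema's `cACertificate` (and from the `cACertificate;binary::` line that follows it). Attribute descriptions in filters are matched case-insensitively, so the test itself is unaffected, but the comment documents the filter this expected output corresponds to and should use the canonical spelling, `# (cACertificate=*)`.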
138
tests/data/certificate.tls
Normal file
@ -0,0 +1,138 @@
|
||||
# (userCertificate;binary=*)
|
||||
dn: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=University of Michigan
|
||||
,c=US
|
||||
objectClass: OpenLDAPperson
|
||||
objectClass: strongAuthenticationUser
|
||||
cn: Jennifer Smith
|
||||
cn: Jen Smith
|
||||
sn: Smith
|
||||
uid: jen
|
||||
postalAddress: Alumni Association $ 111 Maple St $ Ann Arbor, MI 48109
|
||||
seeAlso: cn=All Staff,ou=Groups,o=University of Michigan,c=US
|
||||
drink: Sam Adams
|
||||
homePostalAddress: 1000 Maple #44 $ Ann Arbor, MI 48103
|
||||
title: Telemarketer, UM Alumni Association
|
||||
mail: jen@mail.alumni.example.com
|
||||
homePhone: +1 313 555 2333
|
||||
pager: +1 313 555 6442
|
||||
facsimileTelephoneNumber: +1 313 555 2756
|
||||
telephoneNumber: +1 313 555 8232
|
||||
userCertificate;binary:: MIIDjDCCAvWgAwIBAgIBAzANBgkqhkiG9w0BAQQFADB3MQswCQYDV
|
||||
QQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTH
|
||||
RkLjETMBEGA1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb20wHhc
|
||||
NMDMxMDE3MTYzNTM1WhcNMDQxMDE2MTYzNTM1WjCBnjELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE1p
|
||||
Y2hpZ2FuMR8wHQYDVQQKExZPcGVuTERBUCBFeGFtcGxlLCBMdGQuMRswGQYDVQQLExJBbHVtbmkgQ
|
||||
XNzb2ljYXRpb24xEjAQBgNVBAMTCUplbiBTbWl0aDEqMCgGCSqGSIb3DQEJARYbamVuQG1haWwuYW
|
||||
x1bW5pLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDpnXWAL0VkROGO1Rg
|
||||
8J3u6F4F7yMqQCbUMsV9rxQisYj45+pmqiHV5urogvT4MGD6eLNFZKBn+0KRni++uu7gbartzpmBa
|
||||
HOlzRII9ZdVMFfrT2xYNgAlkne6pb6IZIN9UONuH/httENCDJ5WEpjZ48D1Lrml/HYO/W+SAMkpEq
|
||||
QIDAQABo4H/MIH8MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIE
|
||||
NlcnRpZmljYXRlMB0GA1UdDgQWBBTB2saht/od/nis76b9m+pjxfhSPjCBoQYDVR0jBIGZMIGWgBR
|
||||
LbyEaNiTSkPlDsFNHLX3hwOaYI6F7pHkwdzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju
|
||||
aWExHzAdBgNVBAoTFk9wZW5MREFQIEV4YW1wbGUsIEx0ZC4xEzARBgNVBAMTCkV4YW1wbGUgQ0ExH
|
||||
TAbBgkqhkiG9w0BCQEWDmNhQGV4YW1wbGUuY29tggEAMA0GCSqGSIb3DQEBBAUAA4GBAIoGPc/AS0
|
||||
cNkMRDNoMIzcFdF9lONMduKBiSuFvv+x8nCek+LUdXxF59V2NPKh2V5gFh5xbAchyv6FVBnpVtPdB
|
||||
5akCr5tdFQhuBLUXXDk/tTHGpIWt7OAjEmpuMzsz3GUB8Zf9rioHOs1DMw+GpzWdnFITxXhAqEDc3
|
||||
quqPrpxZ
|
||||
|
||||
dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=University of Michiga
|
||||
n,c=US
|
||||
objectClass: OpenLDAPperson
|
||||
objectClass: strongAuthenticationUser
|
||||
cn: Ursula Hampster
|
||||
sn: Hampster
|
||||
uid: uham
|
||||
title: Secretary, UM Alumni Association
|
||||
postalAddress: Alumni Association $ 111 Maple St $ Ann Arbor, MI 48109
|
||||
seeAlso: cn=All Staff,ou=Groups,o=University of Michigan,c=US
|
||||
homePostalAddress: 123 Anystreet $ Ann Arbor, MI 48104
|
||||
mail: uham@mail.alumni.example.com
|
||||
homePhone: +1 313 555 8421
|
||||
pager: +1 313 555 2844
|
||||
facsimileTelephoneNumber: +1 313 555 9700
|
||||
telephoneNumber: +1 313 555 5331
|
||||
userCertificate;binary:: MIIDazCCAtSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADB3MQswCQYDV
|
||||
QQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTH
|
||||
RkLjETMBEGA1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb20wHhc
|
||||
NMDMxMDE3MTYzMzE5WhcNMDQxMDE2MTYzMzE5WjB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs
|
||||
aWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTHRkLjEYMBYGA1UEAxMPVXJzdWxhI
|
||||
EhhbXBzdGVyMR8wHQYJKoZIhvcNAQkBFhB1aGFtQGV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQ
|
||||
UAA4GNADCBiQKBgQDuxgp5ELV9LmhxWMpV7qc4028QQT3+zzFDXhruuXE7ji2n3S3ea8bOwDtJh+q
|
||||
nsDe561DhHHHlgIjMKCiDEizYMpxvJPYEXmvp0huRkMgpKZgmel95BSkt6TYmJ0erS3aoimOHLEFi
|
||||
mmnTLolNRMiWqNBvqwobx940PGwUWEePKQIDAQABo4H/MIH8MAkGA1UdEwQCMAAwLAYJYIZIAYb4Q
|
||||
gENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSjI94TbBmuDEeUUO
|
||||
iC37EK0Uf0XjCBoQYDVR0jBIGZMIGWgBRLbyEaNiTSkPlDsFNHLX3hwOaYI6F7pHkwdzELMAkGA1U
|
||||
EBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExHzAdBgNVBAoTFk9wZW5MREFQIEV4YW1wbGUsIEx0
|
||||
ZC4xEzARBgNVBAMTCkV4YW1wbGUgQ0ExHTAbBgkqhkiG9w0BCQEWDmNhQGV4YW1wbGUuY29tggEAM
|
||||
A0GCSqGSIb3DQEBBAUAA4GBAIgUcARb3OlWYNbmr1nmqESuxLn16uqI1Ot6WkcICvpkdQ+Bo+R9AP
|
||||
05xpoXocZtKdNvBu3FNxB/jFkiOcLU2lX7Px1Ijnsjh60qVRy9HOsHCungIKlGcnXLKHmKu0y//5j
|
||||
ds/HnaJsGcHI5JRG7CBJbW+wrwge3trJ1xHJI8prN
|
||||
|
||||
# (cAcertificate=*)
|
||||
dn: o=University of Michigan,c=US
|
||||
objectClass: organization
|
||||
objectClass: domainRelatedObject
|
||||
objectClass: extensibleObject
|
||||
l: Ann Arbor, Michigan
|
||||
st: Michigan
|
||||
o: University of Michigan
|
||||
o: UMICH
|
||||
o: UM
|
||||
o: U-M
|
||||
o: U of M
|
||||
description: The University of Michigan at Ann Arbor
|
||||
postalAddress: University of Michigan $ 535 W. William St. $ Ann Arbor, MI 481
|
||||
09 $ US
|
||||
telephoneNumber: +1 313 764-1817
|
||||
associatedDomain: example.com
|
||||
cACertificate;binary:: MIIDVDCCAr2gAwIBAgIBADANBgkqhkiG9w0BAQQFADB3MQswCQYDVQQ
|
||||
GEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTHRk
|
||||
LjETMBEGA1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb20wHhcNM
|
||||
DMxMDE3MTYzMDQxWhcNMDQxMDE2MTYzMDQxWjB3MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaW
|
||||
Zvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTHRkLjETMBEGA1UEAxMKRXhhbXBsZSB
|
||||
DQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
|
||||
AoGBANljUGxiisAzEiALukzt3Gj/24MRw1J0AZx6GncXLhpNJsAFyA0bYZdAzgvydKeq/uX0i5o/4
|
||||
Byc3G71XAAcbJZxDPtrLwpDAdMNOBvKV2r67yTgnpatFLfGRt/FWazj5EbFYkorWWTe+4eEBd9VPz
|
||||
ebHdIm+DPHipUfIAzRoNejAgMBAAGjge8wgewwHQYDVR0OBBYEFEtvIRo2JNKQ+UOwU0ctfeHA5pg
|
||||
jMIGhBgNVHSMEgZkwgZaAFEtvIRo2JNKQ+UOwU0ctfeHA5pgjoXukeTB3MQswCQYDVQQGEwJVUzET
|
||||
MBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTHRkLjETMBEGA
|
||||
1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb22CAQAwDAYDVR0TBA
|
||||
UwAwEB/zAZBgNVHREEEjAQgQ5jYUBleGFtcGxlLmNvbTANBgkqhkiG9w0BAQQFAAOBgQCgXD/+28E
|
||||
l3GXi/uxMNEKqtnIhQdTnNU4il0fZ6pcmHPFC+61Bddow90ZZZh5Gbg5ZBxFRhDXN8K/fix3ewRSj
|
||||
ASt40dGlEODkE+FsLMt04sYl6kX7RGKg9a46DkeG+uzZnN/3252uCgh+rjNMFAglueUTERv3EtUB1
|
||||
iXEoU3GyA==
|
||||
|
||||
# (userCertificate=2$EMAIL=ca@example.com,CN=Example CA,O=Openldap Example\5C, Ltd.,ST=California,C=US)
|
||||
dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=University of Michiga
|
||||
n,c=US
|
||||
objectClass: OpenLDAPperson
|
||||
objectClass: strongAuthenticationUser
|
||||
cn: Ursula Hampster
|
||||
sn: Hampster
|
||||
uid: uham
|
||||
title: Secretary, UM Alumni Association
|
||||
postalAddress: Alumni Association $ 111 Maple St $ Ann Arbor, MI 48109
|
||||
seeAlso: cn=All Staff,ou=Groups,o=University of Michigan,c=US
|
||||
homePostalAddress: 123 Anystreet $ Ann Arbor, MI 48104
|
||||
mail: uham@mail.alumni.example.com
|
||||
homePhone: +1 313 555 8421
|
||||
pager: +1 313 555 2844
|
||||
facsimileTelephoneNumber: +1 313 555 9700
|
||||
telephoneNumber: +1 313 555 5331
|
||||
userCertificate;binary:: MIIDazCCAtSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADB3MQswCQYDV
|
||||
QQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTH
|
||||
RkLjETMBEGA1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb20wHhc
|
||||
NMDMxMDE3MTYzMzE5WhcNMDQxMDE2MTYzMzE5WjB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs
|
||||
aWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTHRkLjEYMBYGA1UEAxMPVXJzdWxhI
|
||||
EhhbXBzdGVyMR8wHQYJKoZIhvcNAQkBFhB1aGFtQGV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQ
|
||||
UAA4GNADCBiQKBgQDuxgp5ELV9LmhxWMpV7qc4028QQT3+zzFDXhruuXE7ji2n3S3ea8bOwDtJh+q
|
||||
nsDe561DhHHHlgIjMKCiDEizYMpxvJPYEXmvp0huRkMgpKZgmel95BSkt6TYmJ0erS3aoimOHLEFi
|
||||
mmnTLolNRMiWqNBvqwobx940PGwUWEePKQIDAQABo4H/MIH8MAkGA1UdEwQCMAAwLAYJYIZIAYb4Q
|
||||
gENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSjI94TbBmuDEeUUO
|
||||
iC37EK0Uf0XjCBoQYDVR0jBIGZMIGWgBRLbyEaNiTSkPlDsFNHLX3hwOaYI6F7pHkwdzELMAkGA1U
|
||||
EBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExHzAdBgNVBAoTFk9wZW5MREFQIEV4YW1wbGUsIEx0
|
||||
ZC4xEzARBgNVBAMTCkV4YW1wbGUgQ0ExHTAbBgkqhkiG9w0BCQEWDmNhQGV4YW1wbGUuY29tggEAM
|
||||
A0GCSqGSIb3DQEBBAUAA4GBAIgUcARb3OlWYNbmr1nmqESuxLn16uqI1Ot6WkcICvpkdQ+Bo+R9AP
|
||||
05xpoXocZtKdNvBu3FNxB/jFkiOcLU2lX7Px1Ijnsjh60qVRy9HOsHCungIKlGcnXLKHmKu0y//5j
|
||||
ds/HnaJsGcHI5JRG7CBJbW+wrwge3trJ1xHJI8prN
|
||||
|
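Review bot: The three certificates in this fixture are valid only from 2003-10-17 to 2004-10-16 (the UTCTime pairs such as `031017163041Z`/`041016163041Z` decode straight out of the base64), are signed with md5WithRSAEncryption (OID 1.2.840.113549.1.1.4) and carry 1024-bit RSA keys. That is fine for what this file checks — certificateExactMatch compares serial number and issuer and evaluates neither validity nor the signature, so the expected output does not go stale — but it means these blobs, the `cACertificate` value in particular, must never be reused as TLS trust material elsewhere in the suite. Since this file is compared verbatim against search output, the place to say so is a comment beside the heredoc in the test script, e.g. `# fixture certs: md5WithRSA, 1024-bit, expired 2004-10-16; for matching-rule tests only, not for TLS trust`. The `# (cAcertificate=*)` line relies on attribute names being case-insensitive (the schema spells it `cACertificate`); harmless, but spelling it as the schema does lets a grep find both.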
@ -24,9 +24,10 @@ echo ">>>>> Backend: $BACKEND"
|
||||
|
||||
MONITORDB=${MONITORDB-no}
|
||||
PROXYCACHE=${PROXYCACHE-no}
|
||||
WITHTLS=${WITHTLS-no}
|
||||
BACKENDTYPE=${BACKENDTYPE-yes}
|
||||
|
||||
export MONITORDB PROXYCACHE BACKENDTYPE
|
||||
export MONITORDB PROXYCACHE WITHTLS BACKENDTYPE
|
||||
|
||||
echo ">>>>> Backend Type: $BACKENDTYPE"
|
||||
|
||||
|
@ -153,6 +153,7 @@ MODRDNOUTMASTER3=$DATADIR/modrdn.out.master.3
|
||||
ACLOUTMASTER=$DATADIR/acl.out.master
|
||||
REPLOUTMASTER=$DATADIR/repl.out.master
|
||||
MODSRCHFILTERS=$DATADIR/modify.search.filters
|
||||
CERTIFICATETLS=$DATADIR/certificate.tls
|
||||
CERTIFICATEOUT=$DATADIR/certificate.out
|
||||
# Just in case we linked the binaries dynamically
|
||||
LD_LIBRARY_PATH=`pwd`/../libraries:${LD_LIBRARY_PATH} export LD_LIBRARY_PATH
|
||||
|
@ -61,64 +61,131 @@ version: 1
|
||||
|
||||
# LEADING COMMENT AND WHITE SPACE
|
||||
|
||||
# should use certificationAuthority instead of extensibleObject
|
||||
dn: o=University of Michigan,c=US
|
||||
changetype: modify
|
||||
add: objectClass
|
||||
objectClass: extensibleObject
|
||||
-
|
||||
add: cAcertificate
|
||||
cAcertificate;binary::
|
||||
MIIDVDCCAr2gAwIBAgIBADANBgkqhkiG9w0BAQQFADB3MQswCQYDVQQGEwJVUzET
|
||||
MBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwg
|
||||
THRkLjETMBEGA1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhh
|
||||
bXBsZS5jb20wHhcNMDMxMDE3MTYzMDQxWhcNMDQxMDE2MTYzMDQxWjB3MQswCQYD
|
||||
VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAg
|
||||
RXhhbXBsZSwgTHRkLjETMBEGA1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJ
|
||||
ARYOY2FAZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANlj
|
||||
UGxiisAzEiALukzt3Gj/24MRw1J0AZx6GncXLhpNJsAFyA0bYZdAzgvydKeq/uX0
|
||||
i5o/4Byc3G71XAAcbJZxDPtrLwpDAdMNOBvKV2r67yTgnpatFLfGRt/FWazj5EbF
|
||||
YkorWWTe+4eEBd9VPzebHdIm+DPHipUfIAzRoNejAgMBAAGjge8wgewwHQYDVR0O
|
||||
BBYEFEtvIRo2JNKQ+UOwU0ctfeHA5pgjMIGhBgNVHSMEgZkwgZaAFEtvIRo2JNKQ
|
||||
+UOwU0ctfeHA5pgjoXukeTB3MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZv
|
||||
cm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTHRkLjETMBEGA1UEAxMK
|
||||
RXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb22CAQAwDAYD
|
||||
VR0TBAUwAwEB/zAZBgNVHREEEjAQgQ5jYUBleGFtcGxlLmNvbTANBgkqhkiG9w0B
|
||||
AQQFAAOBgQCgXD/+28El3GXi/uxMNEKqtnIhQdTnNU4il0fZ6pcmHPFC+61Bddow
|
||||
90ZZZh5Gbg5ZBxFRhDXN8K/fix3ewRSjASt40dGlEODkE+FsLMt04sYl6kX7RGKg
|
||||
9a46DkeG+uzZnN/3252uCgh+rjNMFAglueUTERv3EtUB1iXEoU3GyA==
|
||||
|
||||
dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=University of Michigan,c=US
|
||||
changetype: modify
|
||||
add: objectClass
|
||||
objectClass: strongAuthenticationUser
|
||||
-
|
||||
add: userCertificate
|
||||
userCertificate;binary::
|
||||
MIIDbDCCAtWgAwIBAgIBAzANBgkqhkiG9w0BAQQFADB2MQswCQYDVQQGEwJVUzETMBEGA1UECBMK
|
||||
U29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRAwDgYDVQQDEwdJ
|
||||
V1BMIENBMR0wGwYJKoZIhvcNAQkBFg5jYUBleGFtcGxlLm5ldDAeFw0wMzEwMTYyMjQ0MThaFw0w
|
||||
NDEwMTUyMjQ0MThaMIGAMQswCQYDVQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UE
|
||||
ChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRgwFgYDVQQDEw9VcnN1bGEgSGFtcHN0ZXIxHzAd
|
||||
BgkqhkiG9w0BCQEWEHVoYW1AZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
|
||||
AOftC+ppQ3/ZeWJRfs93FACCYAn9ajEtHy3A4GutavSQ1eLqlsU9wEkb8aEvRtOQ9BwTjaJc+0JJ
|
||||
53uB6th7f5Tl7LNgjsbVR5Ef3ucsdX2ulfCwm4Mun5Us/AK6QeYnyn+cimdPaWdS2XnopiAvvOml
|
||||
nEDfDuFD3XNVs8MLuQ99AgMBAAGjgf4wgfswCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3Bl
|
||||
blNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFI9vudD6euL2LxIhghjKii+3J4yq
|
||||
MIGgBgNVHSMEgZgwgZWAFC58W9JxQvSS1HZhp8x5z3hg8isXoXqkeDB2MQswCQYDVQQGEwJVUzET
|
||||
MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRAw
|
||||
DgYDVQQDEwdJV1BMIENBMR0wGwYJKoZIhvcNAQkBFg5jYUBleGFtcGxlLm5ldIIBADANBgkqhkiG
|
||||
9w0BAQQFAAOBgQAnYYHkbAWFdgelG/MnYISPU48XBTxZv3dcLh9cx+J/gp1VhggkxsEVaPQlhlnQ
|
||||
CfQwtM1h4j4cSVM8Tdceif93+uF48Arl6oQe5c63MoPIZD56vJkAlg+RiAFPDy6FjX6otjpIpW3u
|
||||
5GeGzaDLDBn5rlUXr0kED7Ool7R9Javxzg==
|
||||
MIIDazCCAtSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADB3MQswCQYDVQQGEwJVUzET
|
||||
MBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwg
|
||||
THRkLjETMBEGA1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhh
|
||||
bXBsZS5jb20wHhcNMDMxMDE3MTYzMzE5WhcNMDQxMDE2MTYzMzE5WjB+MQswCQYD
|
||||
VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAg
|
||||
RXhhbXBsZSwgTHRkLjEYMBYGA1UEAxMPVXJzdWxhIEhhbXBzdGVyMR8wHQYJKoZI
|
||||
hvcNAQkBFhB1aGFtQGV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
|
||||
iQKBgQDuxgp5ELV9LmhxWMpV7qc4028QQT3+zzFDXhruuXE7ji2n3S3ea8bOwDtJ
|
||||
h+qnsDe561DhHHHlgIjMKCiDEizYMpxvJPYEXmvp0huRkMgpKZgmel95BSkt6TYm
|
||||
J0erS3aoimOHLEFimmnTLolNRMiWqNBvqwobx940PGwUWEePKQIDAQABo4H/MIH8
|
||||
MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENl
|
||||
cnRpZmljYXRlMB0GA1UdDgQWBBSjI94TbBmuDEeUUOiC37EK0Uf0XjCBoQYDVR0j
|
||||
BIGZMIGWgBRLbyEaNiTSkPlDsFNHLX3hwOaYI6F7pHkwdzELMAkGA1UEBhMCVVMx
|
||||
EzARBgNVBAgTCkNhbGlmb3JuaWExHzAdBgNVBAoTFk9wZW5MREFQIEV4YW1wbGUs
|
||||
IEx0ZC4xEzARBgNVBAMTCkV4YW1wbGUgQ0ExHTAbBgkqhkiG9w0BCQEWDmNhQGV4
|
||||
YW1wbGUuY29tggEAMA0GCSqGSIb3DQEBBAUAA4GBAIgUcARb3OlWYNbmr1nmqESu
|
||||
xLn16uqI1Ot6WkcICvpkdQ+Bo+R9AP05xpoXocZtKdNvBu3FNxB/jFkiOcLU2lX7
|
||||
Px1Ijnsjh60qVRy9HOsHCungIKlGcnXLKHmKu0y//5jds/HnaJsGcHI5JRG7CBJb
|
||||
W+wrwge3trJ1xHJI8prN
|
||||
|
||||
dn: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=University of Michigan,c=US
|
||||
changetype: modify
|
||||
add: objectClass
|
||||
objectClass: strongAuthenticationUser
|
||||
-
|
||||
add: userCertificate
|
||||
userCertificate;binary::
|
||||
MIIDajCCAtOgAwIBAgIBATANBgkqhkiG9w0BAQQFADB2MQswCQYDVQQGEwJVUzETMBEGA1UECBMK
|
||||
U29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRAwDgYDVQQDEwdJ
|
||||
V1BMIENBMR0wGwYJKoZIhvcNAQkBFg5jYUBleGFtcGxlLm5ldDAeFw0wMzEwMTYyMjM4MzFaFw0w
|
||||
NDEwMTUyMjM4MzFaMH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQK
|
||||
ExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGDAWBgNVBAMTD0plbm5pZmllciBTbWl0aDEeMBwG
|
||||
CSqGSIb3DQEJARYPamVuQGV4YW1wbGUubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4
|
||||
5An7/kRRHxiLIKR6yMfIVpGhkacWlKRFgkrzF5q9lcou+2NVZvuJDtMz36a11EgQmRJzx39oh7Eg
|
||||
4ZHLAHk4OoPfcwfHQ0FHCOaU6uSE6EFqLC1CjbquZPRpwLnurf2EB0GpZTo+bJZHvk6tA8SykUd+
|
||||
9qFMmX5As41JOOifjwIDAQABo4H+MIH7MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5T
|
||||
U0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBS/e4vtKxSvjrV2JHghV/jgTEVMajCB
|
||||
oAYDVR0jBIGYMIGVgBQufFvScUL0ktR2YafMec94YPIrF6F6pHgwdjELMAkGA1UEBhMCVVMxEzAR
|
||||
BgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEQMA4G
|
||||
A1UEAxMHSVdQTCBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5uZXSCAQAwDQYJKoZIhvcN
|
||||
AQEEBQADgYEAbbGierD9QwK2cRnVr+Gs7dcbaRtuzriLIAgnR/s2t4Py0hpnySnyBVENXkzcgt7O
|
||||
IFEyF9ubRIe8YMfmLAO3yHxNyv4WaGTUVE0o54mZ5GaaIY2ibl7NK48u9VC/59pfxIsoi2m4HHbY
|
||||
1MD54XRy2CANELBVFI3CI4raj3/UiiA=
|
||||
MIIDcDCCAtmgAwIBAgIBATANBgkqhkiG9w0BAQQFADB3MQswCQYDVQQGEwJVUzET
|
||||
MBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwg
|
||||
THRkLjETMBEGA1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhh
|
||||
bXBsZS5jb20wHhcNMDMxMDE3MTYzMTQwWhcNMDQxMDE2MTYzMTQwWjCBgjELMAkG
|
||||
A1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExHzAdBgNVBAoTFk9wZW5MREFQ
|
||||
IEV4YW1wbGUsIEx0ZC4xHTAbBgNVBAMUFEplbm5pZmVyICJKZW4iIFNtaXRoMR4w
|
||||
HAYJKoZIhvcNAQkBFg9qZW5AZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
|
||||
gY0AMIGJAoGBANUgO8cP/SjqgCVxxsRYv36AP0+QL81iEkGvR4gG6jbtDDBdVYDC
|
||||
YbS2oKKNJ5e99NxGMIjOYfmKcAwmkV46IhdzUtkutgjHEG9vl5ajSwc1KSsbTMTy
|
||||
NtuG3k5k02JYFbP+FrGyUE8iPqK4+i7mVjW4bh/MBCHW88FptnpDJiuHAgMBAAGj
|
||||
gf8wgfwwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0
|
||||
ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFEdo4jpxCQXJ1sh/E1O3ZBkLTbHkMIGh
|
||||
BgNVHSMEgZkwgZaAFEtvIRo2JNKQ+UOwU0ctfeHA5pgjoXukeTB3MQswCQYDVQQG
|
||||
EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhh
|
||||
bXBsZSwgTHRkLjETMBEGA1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYO
|
||||
Y2FAZXhhbXBsZS5jb22CAQAwDQYJKoZIhvcNAQEEBQADgYEAFpHsQUtSZQzmm9k2
|
||||
Vrfs0h7tdkWF3LcHzHk4a/t3k4EXcqlHBxh4f0tmb4XNP9QupRgm6ggr8t3Rq0Vt
|
||||
T8k50x4C7oE8HwZuEEB4FM7S1Zig3dfeJ8MJgdaLqt5/U9Ip/hZdzG2dsUsIceH/
|
||||
5MCKLu9bGJUjsKnGdm/KpaNwaNo=
|
||||
|
||||
dn: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=University of Michigan,c=US
|
||||
add: userCertificate;binary
|
||||
userCertificate;binary::
|
||||
MIIDaTCCAtKgAwIBAgIBAjANBgkqhkiG9w0BAQQFADB2MQswCQYDVQQGEwJVUzETMBEGA1UECBMK
|
||||
U29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRAwDgYDVQQDEwdJ
|
||||
V1BMIENBMR0wGwYJKoZIhvcNAQkBFg5jYUBleGFtcGxlLm5ldDAeFw0wMzEwMTYyMjQwMzNaFw0w
|
||||
NDEwMTUyMjQwMzNaMH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQK
|
||||
ExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFzAVBgNVBAMTDkplbm5pZmVyIFNtaXRoMR4wHAYJ
|
||||
KoZIhvcNAQkBFg9qZW5AZXhhbXBsZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMia
|
||||
mobs0kC0Q/78yocNvf0iTI5x9efB3tMwsxweLg93KbuNBeFn2mczzQvuzvhs+PLnfKxAyWbkeZrq
|
||||
w0Ve1h8ZXSHWSFg75UOFbo4wevuoYEtqmMupFEwT4rdf8Ykt5Rq1PyUJ5LgSNe0TMSqCYwTuo7+O
|
||||
unC/5YamsIbkKcsFAgMBAAGjgf4wgfswCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNT
|
||||
TCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFDx71116utXKGemZrZVxp3p9NqU5MIGg
|
||||
BgNVHSMEgZgwgZWAFC58W9JxQvSS1HZhp8x5z3hg8isXoXqkeDB2MQswCQYDVQQGEwJVUzETMBEG
|
||||
A1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRAwDgYD
|
||||
VQQDEwdJV1BMIENBMR0wGwYJKoZIhvcNAQkBFg5jYUBleGFtcGxlLm5ldIIBADANBgkqhkiG9w0B
|
||||
AQQFAAOBgQAPDn0+fm/GYV6elg3XFJgGA3wrVm4TeQQ8BdmIhqf25DUn/3ja3SBGI07DWz+LlYE/
|
||||
JzDEU+1UiYAfGgp7CnzKBzCUL0jyamgj11I6OyaYBdOsEGx1MFLjsOa+TCQS1f2v1gGCs/k0a/b3
|
||||
RRCTyoUfPHxJ0M6Cw9SGXu2K8GtHYA==
|
||||
MIIDjDCCAvWgAwIBAgIBAzANBgkqhkiG9w0BAQQFADB3MQswCQYDVQQGEwJVUzET
|
||||
MBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwg
|
||||
THRkLjETMBEGA1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhh
|
||||
bXBsZS5jb20wHhcNMDMxMDE3MTYzNTM1WhcNMDQxMDE2MTYzNTM1WjCBnjELMAkG
|
||||
A1UEBhMCVVMxETAPBgNVBAgTCE1pY2hpZ2FuMR8wHQYDVQQKExZPcGVuTERBUCBF
|
||||
eGFtcGxlLCBMdGQuMRswGQYDVQQLExJBbHVtbmkgQXNzb2ljYXRpb24xEjAQBgNV
|
||||
BAMTCUplbiBTbWl0aDEqMCgGCSqGSIb3DQEJARYbamVuQG1haWwuYWx1bW5pLmV4
|
||||
YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDpnXWAL0VkROGO
|
||||
1Rg8J3u6F4F7yMqQCbUMsV9rxQisYj45+pmqiHV5urogvT4MGD6eLNFZKBn+0KRn
|
||||
i++uu7gbartzpmBaHOlzRII9ZdVMFfrT2xYNgAlkne6pb6IZIN9UONuH/httENCD
|
||||
J5WEpjZ48D1Lrml/HYO/W+SAMkpEqQIDAQABo4H/MIH8MAkGA1UdEwQCMAAwLAYJ
|
||||
YIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1Ud
|
||||
DgQWBBTB2saht/od/nis76b9m+pjxfhSPjCBoQYDVR0jBIGZMIGWgBRLbyEaNiTS
|
||||
kPlDsFNHLX3hwOaYI6F7pHkwdzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlm
|
||||
b3JuaWExHzAdBgNVBAoTFk9wZW5MREFQIEV4YW1wbGUsIEx0ZC4xEzARBgNVBAMT
|
||||
CkV4YW1wbGUgQ0ExHTAbBgkqhkiG9w0BCQEWDmNhQGV4YW1wbGUuY29tggEAMA0G
|
||||
CSqGSIb3DQEBBAUAA4GBAIoGPc/AS0cNkMRDNoMIzcFdF9lONMduKBiSuFvv+x8n
|
||||
Cek+LUdXxF59V2NPKh2V5gFh5xbAchyv6FVBnpVtPdB5akCr5tdFQhuBLUXXDk/t
|
||||
THGpIWt7OAjEmpuMzsz3GUB8Zf9rioHOs1DMw+GpzWdnFITxXhAqEDc3quqPrpxZ
|
||||
-
|
||||
delete: userCertificate;binary
|
||||
userCertificate;binary::
|
||||
MIIDcDCCAtmgAwIBAgIBATANBgkqhkiG9w0BAQQFADB3MQswCQYDVQQGEwJVUzET
|
||||
MBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwg
|
||||
THRkLjETMBEGA1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhh
|
||||
bXBsZS5jb20wHhcNMDMxMDE3MTYzMTQwWhcNMDQxMDE2MTYzMTQwWjCBgjELMAkG
|
||||
A1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExHzAdBgNVBAoTFk9wZW5MREFQ
|
||||
IEV4YW1wbGUsIEx0ZC4xHTAbBgNVBAMUFEplbm5pZmVyICJKZW4iIFNtaXRoMR4w
|
||||
HAYJKoZIhvcNAQkBFg9qZW5AZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
|
||||
gY0AMIGJAoGBANUgO8cP/SjqgCVxxsRYv36AP0+QL81iEkGvR4gG6jbtDDBdVYDC
|
||||
YbS2oKKNJ5e99NxGMIjOYfmKcAwmkV46IhdzUtkutgjHEG9vl5ajSwc1KSsbTMTy
|
||||
NtuG3k5k02JYFbP+FrGyUE8iPqK4+i7mVjW4bh/MBCHW88FptnpDJiuHAgMBAAGj
|
||||
gf8wgfwwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0
|
||||
ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFEdo4jpxCQXJ1sh/E1O3ZBkLTbHkMIGh
|
||||
BgNVHSMEgZkwgZaAFEtvIRo2JNKQ+UOwU0ctfeHA5pgjoXukeTB3MQswCQYDVQQG
|
||||
EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhh
|
||||
bXBsZSwgTHRkLjETMBEGA1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYO
|
||||
Y2FAZXhhbXBsZS5jb22CAQAwDQYJKoZIhvcNAQEEBQADgYEAFpHsQUtSZQzmm9k2
|
||||
Vrfs0h7tdkWF3LcHzHk4a/t3k4EXcqlHBxh4f0tmb4XNP9QupRgm6ggr8t3Rq0Vt
|
||||
T8k50x4C7oE8HwZuEEB4FM7S1Zig3dfeJ8MJgdaLqt5/U9Ip/hZdzG2dsUsIceH/
|
||||
5MCKLu9bGJUjsKnGdm/KpaNwaNo=
|
||||
|
||||
EOMODS
|
||||
|
||||
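Review bot: The modify records are inconsistent about the attribute description they name: the Ursula Hampster record and the first Jennifer Smith record say `add: userCertificate` while every value line is `userCertificate;binary::`, and the last Jennifer Smith record says `add: userCertificate;binary`. Whether ldapmodify accepts an `add:` line whose attribute differs from its value lines is a tool detail the test should not lean on; naming the option on all three (`add: userCertificate;binary`), or a comment stating that the mismatch deliberately exercises option handling, removes the doubt. That last Jennifer Smith record (dn, then `add:` directly) also has no `changetype: modify` line where the other three spell it out; ldapmodify presumably defaults to modify here, but the explicit line costs nothing. This rendering does not show which of these lines are new versus carried over, so part of this may predate the commit. The heredoc itself begins before this hunk, near the `version: 1` line named in its header.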
@ -130,8 +197,9 @@ if test $RC != 0 ; then
|
||||
fi
|
||||
|
||||
echo 'Using ldapsearch to retrieve (userCertificate;binary=*) ...'
|
||||
echo "# (userCertificate;binary=*)" > $SEARCHOUT
|
||||
$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT \
|
||||
'(userCertificate;binary=*)' > $SEARCHOUT 2>&1
|
||||
'(userCertificate;binary=*)' >> $SEARCHOUT 2>&1
|
||||
RC=$?
|
||||
if test $RC != 0 ; then
|
||||
echo "ldapsearch failed ($RC)!"
|
||||
@ -139,9 +207,23 @@ if test $RC != 0 ; then
|
||||
exit $RC
|
||||
fi
|
||||
|
||||
echo 'Using ldapsearch to retrieve (userCertificate=*) ...'
|
||||
echo 'Using ldapsearch to retrieve (cAcertificate=*) ...'
|
||||
echo "# (cAcertificate=*)" >> $SEARCHOUT
|
||||
$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT \
|
||||
'(userCertificate;binary=*)' > $SEARCHOUT 2>&1
|
||||
'(cAcertificate=*)' >> $SEARCHOUT 2>&1
|
||||
RC=$?
|
||||
if test $RC != 0 ; then
|
||||
echo "ldapsearch failed ($RC)!"
|
||||
kill -HUP $PID
|
||||
exit $RC
|
||||
fi
|
||||
|
||||
SNAI='2$EMAIL=ca@example.com,CN=Example CA,O=Openldap Example\5C, Ltd.,ST=California,C=US'
|
||||
|
||||
echo 'Using ldapsearch to retrieve (userCertificate=serialNumberAndIssuer) ...'
|
||||
echo "# (userCertificate=$SNAI)" >> $SEARCHOUT
|
||||
$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT \
|
||||
"(userCertificate=$SNAI)" >> $SEARCHOUT 2>&1
|
||||
RC=$?
|
||||
if test $RC != 0 ; then
|
||||
echo "ldapsearch failed ($RC)!"
|
||||
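Review bot: The serialNumberAndIssuer search is only exercised positively: the expected output shows that serial 2 under this issuer is found and serial 3 is not, but nothing checks that the issuer half of the assertion participates, so a rule that compared serial numbers alone would pass this test unchanged. A second search with the same serial and a deliberately different issuer DN, expected to return no entry, closes that gap; the expected-output files would then gain the matching `# (userCertificate=…)` comment line with nothing under it. The issuer value below is a constructed example — any DN that differs from the CA's will do. Separately, `$SNAI` duplicates the issuer DN embedded in the fixture certificates; if they are ever regenerated both must change together, which a comment next to `SNAI=` could say.
```shell
# … unchanged: (userCertificate=$SNAI) search and its RC check …

# constructed: same serial as above, issuer that no fixture certificate carries
BADSNAI='2$CN=Not The Example CA,O=Openldap Example\5C, Ltd.,ST=California,C=US'

echo 'Using ldapsearch to retrieve (userCertificate=serialNumberAndIssuer) with a non-matching issuer ...'
echo "# (userCertificate=$BADSNAI)" >> $SEARCHOUT
$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT \
	"(userCertificate=$BADSNAI)" >> $SEARCHOUT 2>&1
RC=$?
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	kill -HUP $PID
	exit $RC
fi
```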
@ -150,7 +232,13 @@ if test $RC != 0 ; then
|
||||
fi
|
||||
|
||||
kill -HUP $PID
|
||||
LDIF=$CERTIFICATEOUT
|
||||
|
||||
if test "$WITHTLS" = no ; then
|
||||
echo "Certificate matching not suported without TLS"
|
||||
LDIF=$CERTIFICATEOUT
|
||||
else
|
||||
LDIF=$CERTIFICATETLS
|
||||
fi
|
||||
|
||||
echo "Filtering ldapsearch results..."
|
||||
. $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
|
||||
|
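Review bot: The message echoed when `$WITHTLS` is `no` has a typo (`suported`) and under-describes what follows: the script then compares against `$CERTIFICATEOUT`, where the serialNumberAndIssuer search is expected to return nothing, so the exact-match rule is skipped rather than verified. Saying so makes a no-TLS pass readable as a skip in the log: `echo "Certificate exact matching not supported without TLS; skipping that check"`. Because `WITHTLS` defaults to `no` in the earlier hunk (`WITHTLS=${WITHTLS-no}`), a TLS-enabled build whose run script does not export it lands on this same branch; the later result comparison presumably still catches the extra entry, but the explicit skip wording is what tells the reader why. The filter/compare steps continue past the end of this hunk.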