mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-27 03:20:22 +08:00
.. | ||
asn_to_syn_mr.c | ||
asn.h | ||
authorityKeyIdentifier.asn | ||
authorityKeyIdentifier.c | ||
authorityKeyIdentifier.h | ||
certificate.asn1 | ||
certificate.c | ||
certificate.h | ||
componentlib.c | ||
componentlib.h | ||
init.c | ||
Makefile | ||
README |
Copyright 2004 Sang Seok Lim, IBM . All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted only as authorized by the OpenLDAP Public License. A copy of this license is available in the file LICENSE in the top-level directory of the distribution or, alternatively, at <http://www.OpenLDAP.org/license.html>. This directory contains a Component Matching module and a X.509 Certificate example. In order to understand Component Matching, see RFC 3687 and http://www.openldap.org/conf/odd-sandiego-2004/Sangseok.pdf %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% A) Brief introduction about files in this directory %%%%%%%%%%55%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 1) init.c module_init() and functions which are dynamically linked into the main slapd codes. 2) componentlib.c and componentlib.h GSER and BER decoder library of each primitive ASN.1 type. They use component representation to store ASN.1 values. 3) certificate.c/.h authorityKeyIdentifier.c/.h eSNACC generated BER and GSER decoder routines of the X.509 certificate specification and one of its extensions, authorityKeyIdentifier. 4) asn_to_syn_mr.c asn.h An mapping table from ASN.1 types to corresponding Syntaxes, matching rules, and component description in slapd. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% B) How to use Component Matching on X.509 certificates %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 1) be sure to configure slapd with enable-modules on. 2) install the GSER-support eSNACC compiler. You can find only in www.openldap.org. At least, you need the library (libcasn1.a) and header files for compiling this module. 3) modify Makefile accordingly. then run make. you will get compmatch.la and other necessary files in ./libs 4) modify slapd.conf to include the following module command moduleload <path to>compmatch.la 5) run slapd and perform search operations against the attribute, userCertificate. You need to read through RFC 3687 in order to understand how to compose component filters. Ex) component search filter examples "(userCertificate:componentFilterMatch:=item:{ component \"toBeSigned.serialNumber\", rule integerMatch, value 2 })" You can find more examples in "test031-component-filter" in the OpenLDAP source directory. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% C) How to add a new ASN.1 syntax %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 1) download and install the eSNACC compiler supporting Component Matching. You can find the compiler only in www.openldap.org. Before compiling, be sure to define the "LDAP_COMPONENT" macro to obtain component supported version of C library and back-ends of eSNACC. Otherwise compiled library will fail to be linked to the module. 2) using eSNACC, compile your ASN.1 specifications and copy the generated .c and .h files to this directory Ex) $ esnacc -E BER_COMP -E GSER -t -d -f example.asn For Component Matching, set BOTH BER_COMP and GSER on. After compiling, you will get example.c and example.h 3) modify example.c accordingly, seeing certificate.c and certificate.asn as a reference. - add init_module_xxx() located in generated .c file into init_module() in init.c. - modify the arguments of InstallOidDecoderMapping(...) accordingly - in the generated .c file, you need to write "DecComponentxxxTop(...)" function for yourself. You can copy BDecComponentCertificateTop in the generated .c file and modify it accordingly. 4) register a new attribute syntax with a new OID in a schema file 5) then goto 3) of B) section. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% D) How to configure Component Indexing %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% You can generate indices on each component of a given attribute whose values are in either GSER or BER. Currently primitive ASN.1 types, DN, and RDN can be indexed for equality matching in BDB. In order to generate indices, put following line in the slapd configuration file, slapd.conf. index [attribute name].[component reference] eq Ex) index userCertificate eq index userCertificate.toBeSigned.issuer.rdnSequence eq index userCertificate.toBeSigned.serialNumber eq index userCertificate.toBeSigned.version eq %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% D) How to configure Attribute Alias %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% If your client is unable to use component filters, attribute aliasing can be used instead. Attribute Alias maps a virtual attribute type to an attribute component and a component matching rule. You can create your own aliases by following steps. 1) register aliasing attributes in the schema file. Sample aliasing attributes are in test.schema. 2) compose component filters for aliasing attributes and put them in "preprocessed_comp_filter" array in "init.c". 3) add "add_aa_entry" function calls in "init_attribute_aliasing_table()" in "init.c" 4) perform searching against the aliasing attribute Ex) "(x509CertificateIssuer:distinguishedNameMatch= cn=ray,L=yorktown,o=ibm,c=us)"