Re: [389-users] retrieving x509 certificates using java

On 03/25/2011 07:12 AM, Luke Schierer wrote:
> We have a java application that is attempting to pull the userCertificate
> attribute from our 389ds ldap server.  Looking at the ldap logs, I see its
> request, and it looks like it should be working, except for one oddity, it
> is asking for the attribute "usercertificate;binary".  By attaching
> eclipse to the application, we have determined that the general flow of
> the code is
>
> <get certificate from client and put it into myCert>
>
> LDAPCertStoreParameters loCertStoreParams = new
> LDAPCertStoreParameters(<ldap_host>,<ldap_port>);
>
> CertStore loCertStore = CertStore.getInstance("LDAP", loCertStoreParams,
> "Sun");
>
> X509CertSelector loTargetConstraints = new X509CertSelector();
>
> lsSubjectDN = CSFGlobalPKIUtil.getSubjectDNFromCertificate(myCert);
> //we have verified that everything works fine as far as this point.
>
> loTargetConstraints.setSubject(lsSubjectDN);
> Collection loCol = loCertStore.getCertificates(loTargetConstraints);
>
> Once the call to getCertificates is made, a query is built and sent to the
> LDAP server using java internal classes, we believe it is ultimately the
> X509CertStoreLDAP class.  We do not have the source to debug this part of
> the code, but at some point, without visible interaction in the source
> code we do have, it chooses to ask for "usercertificate;binary" instead of
> just "usercertificate".
>
> Should the 389ds be able to understand "usercertificate;binary", and is
> this a misconfiguration on my part in the directory server, or is that not
> something I should be expecting the directory to understand?
The ;binary option was defined in http://www.ietf.org/rfc/rfc2251.txt 
but dropped in http://www.ietf.org/rfc/rfc4511.txt (see C.1.7, Section 
4.1.5.1 (Binary Option) and others).

So the real fix would be to change the client app to not use ";binary".  
You could also file a bug/RFE against 389 to add support for legacy apps 
that still use ";binary".  Another fix would be to add a duplicate 
attribute "usercertificate;binary" which is a duplicate of the 
userCertificate attribute.
> As a point of further information, when I try to replicate the behavior
> using ldapsearch, I also fail to retrieve a certificate when I request
> "usercertificate;binary" but succeed when I request only
> "usercertificate".
>
> Any help would be greatly appreciated.
>
> Thanks!!
>
> Luke
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
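As an added example (not code from this thread, from 389 DS, or from the Sun LDAP CertStore), here is one way to do what the reply recommends, i.e. change the client so it never asks for "usercertificate;binary": query the plain userCertificate attribute through JNDI and match the subject DN locally. The server URL, base DN, search filter and class name are assumed placeholders.

```java
// Added example: look up X.509 certificates by subject via JNDI, asking the
// directory for "userCertificate" (no ";binary", which RFC 4511 dropped).
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.*;
import javax.security.auth.x500.X500Principal;

public class UserCertLookup {
    // Assumed placeholders: replace with your own server and base DN.
    static final String LDAP_URL = "ldap://ldap.example.com:389";
    static final String BASE_DN = "dc=example,dc=com";

    public static List<X509Certificate> findBySubject(X500Principal wanted) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        // Make JNDI return userCertificate as raw DER bytes rather than a String.
        env.put("java.naming.ldap.attributes.binary", "userCertificate");

        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { "userCertificate" }); // plain name only

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> found = new ArrayList<>();
        DirContext ctx = new InitialDirContext(env);
        try {
            // Assumed filter; narrow it (e.g. by uid or mail) on a large directory.
            NamingEnumeration<SearchResult> results =
                ctx.search(BASE_DN, "(userCertificate=*)", sc);
            while (results.hasMore()) {
                Attribute attr = results.next().getAttributes().get("userCertificate");
                if (attr == null) continue;
                for (int i = 0; i < attr.size(); i++) {
                    byte[] der = (byte[]) attr.get(i);
                    X509Certificate cert = (X509Certificate)
                        cf.generateCertificate(new ByteArrayInputStream(der));
                    // Compare canonical subject names, like X509CertSelector.setSubject would.
                    if (cert.getSubjectX500Principal().equals(wanted)) found.add(cert);
                }
            }
        } finally {
            ctx.close();
        }
        return found;
    }
}
```

Because the attribute is requested by its plain name, the same call works against 389 DS without adding a duplicate "usercertificate;binary" attribute on the server.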