On 28 Jan 2015, at 6:33 PM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote: >> Does 389ds offer certificateExactMatch support as per the RFCs? > > No, that's why it is commented out. We do not have support for the certificate* matching rules. That's why we just use octetString i.e. it just does a memcmp(). I’ve been trying the option of using octetStringMatch with a filter that looks like this: (userCertificate=#308203aa3082[snip]) The error I get back is: LDAP: error code 11 - Administrative Limit Exceeded A number of questions: - The encoding was obtained from the java javax.naming.ldap.Rdn class, which seems to want to encode the DER byte array of the certificate being searched for as a hash symbol followed by hex digits, as opposed to \00\11\22 (etc) as seen in many examples online. Is this encoding correct? (I assume it is). - I noticed that no index existed for userCertificate, so I added an index on equality. The searches still take a very long time (with Directory Manager) and Administrative limit exceeded with normal users. Am I right in understanding that userCertificate searches are not filtered? Regards, Graham — -- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
