> > Something missing from the documentation is the DN format expected by the nsCertSubjectDN attribute.
> >
> > Is the format CN=X,serialNumber=Y as reported by openssl x509, or is it serialNumber=Y,CN=X as reported by the log message above?

I seem to recall a few years back, some changes to CmapLdapAttr related to normalisation of these DNs so that regardless of how they are stored in the cert, they normalise to a stable format for search to be able to use. So I think it may be the format in the log message above.

You could see what's happening internally by changing nsslapd-accesslog-level from 256 to 260 (256 + 4) to log internal searches, which will show you what it's doing internally for the lookup.

Hope that helps,

--
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia