and add a
default:DNComps cn
to match the DN components?
On Tue, Nov 17, 2020 at 5:35 PM William Brown <wbrown@xxxxxxx> wrote:
>
> Something missing from the documentation is the DN format expected by the nsCertSubjectDN attribute.
>
> Is the format CN=X,serialNumber=Y as reported by openssl x509, or is it serialNumber=Y,CN=X as reported by the log message above?
I seem to recall a few years back, some changes to CmapLdapAttr related to normalisation of these DNs so that regardless of how they are stored in the cert, they normalise to a stable format for search to be able to use.
So I think it may be the format in the log message above.
You could see what's happening internally by changing nsslapd-accesslog-level from 256 to 260 (256 + 4) to log internal searches, which will show you what it's doing internally for the lookup.
Hope that helps,
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx