From: <pau...@cp...> - 2002-10-24 12:24:56
>-- Original Message --
>Subject: Re: Net::LDAP::Filter question
>From: Chris Ridd <chr...@ma...>
>To: <ti...@uc...>, <per...@li...>
>Date: Tue, 22 Oct 2002 12:32:24 +0100
>
>
>On 22/10/02 12:14 pm, ti...@uc... <ti...@uc...> wrote:
>
>> I am working on a script that starts with a server cert and proxies as a user.
>> To do this I need to determine which user presented his cert to the web server.
>> The web server puts the cert (MIME base 64 encoded) into the environment. It also
>> puts other things like the user's CN, but that is not unique. So I need to do a
>> search on the usercertificate;binary. I extract the cert from the env, then decode it.
>>
>> If I use regexes to replace the characters described by RFC 2254 with the
>> proper encoding, everything works. Since this is sample code for others, I would
>> like to use Net::LDAP::Filter, but so far I can't seem to get it to work.
>>
>> Is there an option to get Net::LDAP::Filter to do the encoding?
>>
>> I would like to do something like:
>>
>> $filter = Net::LDAP::Filter->new("(usercertificate=$webcert)");
>> $mesg = $ldap->search( base => 'the base',
>>                        scope => 'sub',
>>                        filter => $filter);
>>
>> Is this a change or is it possible now?
>
>Typically it isn't possible to use a certificate in a search filter. Well
>you might be able to on some servers, but as there aren't any real standards
>in this area yet you'd be best off avoiding it for now.

It is possible to perform a search on a binary attribute via LDAP by escaping
the binary values of the cert in the filter appropriately. See
http://www.ietf.org/rfc/rfc2254.txt for details.

e.g. (usercertificate=\01\00\03)

Make sure usercertificate is indexed appropriately.

>Does the entry containing the cert have a DN of the cert's subject name?
>
>I posted some snippets which decoded certs (including the subject and issuer
>DNs) to this list a while back. If you can't find them in the archives, I'll
>have a hunt to see if I've still got 'em.
>
>Cheers,
>
>Chris
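
The RFC 2254 escaping mentioned in the reply above, as an added example that is not part of the original message or of perl-ldap itself. The function names are hypothetical, and the sample input is a constructed byte string, not a real certificate. Every octet is escaped as `\XX`, so no byte of the decoded value can be read as filter syntax.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64);

# Escape every octet as \XX. RFC 2254 section 4 requires this for
# * ( ) \ and NUL and permits it for any other octet, so escaping all
# of them is valid and leaves nothing that could act as a metacharacter.
sub escape_filter_octets {
    my ($bytes) = @_;
    (my $out = unpack('H*', $bytes)) =~ s/(..)/\\$1/g;
    return $out;
}

# Turn the base64 text supplied by the web server into raw DER bytes.
# PEM armor lines and embedded whitespace are tolerated.
sub der_from_base64 {
    my ($text) = @_;
    $text =~ s/-----(?:BEGIN|END) CERTIFICATE-----//g;
    $text =~ s/\s+//g;
    die "not base64\n" if $text eq '' or $text =~ m{[^A-Za-z0-9+/=]};
    my $der = decode_base64($text);
    # A DER certificate is an ASN.1 SEQUENCE, so its first octet is 0x30.
    die "not a DER certificate\n"
        unless length($der) > 1 and ord($der) == 0x30;
    return $der;
}

# Build the equality filter string for the given attribute description.
sub cert_filter {
    my ($attr, $b64) = @_;
    # The attribute name is also placed in the filter, so validate it.
    die "bad attribute name\n"
        unless $attr =~ /^[A-Za-z][A-Za-z0-9;-]*$/;
    return sprintf '(%s=%s)', $attr,
        escape_filter_octets(der_from_base64($b64));
}

# Constructed sample: base64 of the octets 30 03 01 00 2a 28 29 5c,
# chosen to include NUL, '*', '(', ')' and '\'. Not a real certificate.
my $sample = 'MAMBACooKVw=';
print cert_filter('usercertificate;binary', $sample), "\n";
```

The resulting string is what would be passed as the `filter` argument of the `$ldap->search` call quoted above; whether the server can match on the certificate attribute still depends on the server, as the thread notes.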