From: <ti...@uc...> - 2002-10-22 11:14:47

I am working on a script that starts with a server cert and proxies as a user. To do this I need to determine which user presented his cert to the web server. The web server puts the cert (MIME base64 encoded) into the environment. It also puts other things like the user's CN, but that is not unique. So I need to do a search on the usercertificate;binary. I extract the cert from the env, then decode it.

If I use regexes to replace the characters described by RFC 2254 with the proper encoding, everything works. Since this is sample code for others, I would like to use Net::LDAP::Filter, but so far I can't seem to get it to work.

Is there an option to get Net::LDAP::Filter to do the encoding?

I would like to do something like:

    $filter = Net::LDAP::Filter->new("(usercertificate=$webcert)");
    $mesg = $ldap->search( base => 'the base',
                           scope => 'sub',
                           filter => $filter);

Is this a change or is it possible now?
From: Chris R. <chr...@ma...> - 2002-10-22 11:34:08

On 22/10/02 12:14 pm, ti...@uc... <ti...@uc...> wrote:

> I am working on a script that starts with a server cert and proxies as a user.
> To do this I need to determine which user presented his cert to the web server.
> The web server puts the cert (MIME base64 encoded) into the environment. It also
> puts other things like the user's CN, but that is not unique. So I need to do a
> search on the usercertificate;binary. I extract the cert from the env, then decode it.
>
> If I use regexes to replace the characters described by RFC 2254 with the proper
> encoding, everything works. Since this is sample code for others, I would like to use
> Net::LDAP::Filter, but so far I can't seem to get it to work.
>
> Is there an option to get Net::LDAP::Filter to do the encoding?
>
> I would like to do something like:
>
> $filter = Net::LDAP::Filter->new("(usercertificate=$webcert)");
> $mesg = $ldap->search( base => 'the base',
>                        scope => 'sub',
>                        filter => $filter);
>
> Is this a change or is it possible now?

Typically it isn't possible to use a certificate in a search filter. Well, you might be able to on some servers, but as there aren't any real standards in this area yet you'd be best off avoiding it for now.

Does the entry containing the cert have a DN of the cert's subject name?

I posted some snippets which decoded certs (including the subject and issuer DNs) to this list a while back. If you can't find them in the archives, I'll have a hunt to see if I've still got 'em.

Cheers,

Chris
From: <pau...@cp...> - 2002-10-24 12:24:56

> -- Original Message --
> Subject: Re: Net::LDAP::Filter question
> From: Chris Ridd <chr...@ma...>
> To: <ti...@uc...>, <per...@li...>
> Date: Tue, 22 Oct 2002 12:32:24 +0100
>
> On 22/10/02 12:14 pm, ti...@uc... <ti...@uc...> wrote:
>
>> I am working on a script that starts with a server cert and proxies as a user.
>> To do this I need to determine which user presented his cert to the web server.
>> The web server puts the cert (MIME base64 encoded) into the environment. It also
>> puts other things like the user's CN, but that is not unique. So I need to do a
>> search on the usercertificate;binary. I extract the cert from the env, then decode it.
>>
>> If I use regexes to replace the characters described by RFC 2254 with the proper
>> encoding, everything works. Since this is sample code for others, I would like to use
>> Net::LDAP::Filter, but so far I can't seem to get it to work.
>>
>> Is there an option to get Net::LDAP::Filter to do the encoding?
>>
>> I would like to do something like:
>>
>> $filter = Net::LDAP::Filter->new("(usercertificate=$webcert)");
>> $mesg = $ldap->search( base => 'the base',
>>                        scope => 'sub',
>>                        filter => $filter);
>>
>> Is this a change or is it possible now?
>
> Typically it isn't possible to use a certificate in a search filter. Well
> you might be able to on some servers, but as there aren't any real standards
> in this area yet you'd be best off avoiding it for now.

It is possible to perform a search on a binary attribute via LDAP by escaping the binary values of the cert in the filter appropriately. See http://www.ietf.org/rfc/rfc2254.txt for details.

e.g. (usercertificate=\01\00\03)

Make sure usercertificate is indexed appropriately.

> Does the entry containing the cert have a DN of the cert's subject name?
>
> I posted some snippets which decoded certs (including the subject and issuer
> DNs) to this list a while back. If you can't find them in the archives, I'll
> have a hunt to see if I've still got 'em.
>
> Cheers,
>
> Chris
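The RFC 2254 escaping described in the reply above, worked through in Python as an added example (it is not code from this thread and not part of perl-ldap; Python is used here rather than Perl only so the logic is easy to run stand-alone). It assumes the web server exports the client certificate as base64, optionally wrapped in PEM armor lines, and it uses a short constructed byte string in place of a real DER certificate; the attribute name userCertificate;binary and the sample bytes are assumptions. The point it makes is that every non-printable or filter-special byte becomes a \XX pair, so the filter string is always syntactically valid no matter what bytes the certificate contains, and the unescape routine confirms the encoding round-trips exactly. As the thread also notes, a well-formed filter only finds the entry if the server actually implements an equality match on the attribute and the attribute is indexed.

```python
import base64

# RFC 2254 section 4: these five characters must be escaped inside a filter
# value. Any other byte may be escaped the same way, which is how arbitrary
# binary data (such as a DER certificate) can be placed in a filter.
_MUST_ESCAPE = frozenset(b"*()\\\x00")


def escape_filter_value(raw: bytes) -> str:
    """Encode arbitrary bytes as an RFC 2254 filter assertion value.

    Printable ASCII bytes outside the must-escape set are kept as-is; every
    other byte becomes a backslash plus two hex digits, e.g. the bytes
    01 00 03 become the text \\01\\00\\03.
    """
    parts = []
    for b in raw:
        if b in _MUST_ESCAPE or b < 0x20 or b > 0x7E:
            parts.append("\\%02x" % b)
        else:
            parts.append(chr(b))
    return "".join(parts)


def unescape_filter_value(value: str) -> bytes:
    """Inverse of escape_filter_value, used here to check the round trip.

    Raises ValueError on a truncated or non-hex backslash escape.
    """
    out = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            hexpair = value[i + 1:i + 3]
            if len(hexpair) != 2 or not all(c in "0123456789abcdefABCDEF" for c in hexpair):
                raise ValueError("malformed escape at offset %d" % i)
            out.append(int(hexpair, 16))
            i += 3
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def decode_env_cert(env_value: str) -> bytes:
    """Recover the DER bytes from the value a web server put in the environment.

    Assumption (not stated in the thread): the value is base64, possibly with
    PEM armor lines and line breaks, which are stripped before decoding.
    """
    body = "".join(
        line.strip()
        for line in env_value.splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )
    return base64.b64decode(body, validate=True)


def build_cert_filter(env_value: str, attr: str = "userCertificate;binary") -> str:
    """Build the equality filter the original poster wanted, with the decoded
    certificate escaped so the filter string is well formed for any input."""
    return "(%s=%s)" % (attr, escape_filter_value(decode_env_cert(env_value)))


def naive_cert_filter(env_value: str, attr: str = "userCertificate;binary") -> str:
    """For contrast only: interpolating the raw bytes without escaping. Any
    '(' ')' '*' '\\' or NUL byte in the certificate corrupts the filter."""
    return "(%s=%s)" % (attr, decode_env_cert(env_value).decode("latin-1"))


# Constructed sample standing in for a DER certificate: short, but it contains
# every byte RFC 2254 requires escaping plus control and high bytes.
SAMPLE_DER = b"\x30\x82\x01\x00\x2a\x28\x29\x5c\x00\xff"

# Constructed environment value, PEM-armored the way a web server might export it.
SAMPLE_ENV_CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    flt = build_cert_filter(SAMPLE_ENV_CERT)
    print("escaped:", flt)
    print("naive:  ", repr(naive_cert_filter(SAMPLE_ENV_CERT)))
    # The escaped value decodes back to the exact DER bytes.
    value = flt[len("(userCertificate;binary="):-1]
    assert unescape_filter_value(value) == SAMPLE_DER
```

Running it prints the escaped filter `(userCertificate;binary=0\82\01\00\2a\28\29\5c\00\ff)` next to the naive one, whose value contains raw parentheses and an asterisk and so would not even parse as a filter. Hex digits are emitted in lowercase, matching the examples in RFC 2254; servers accept either case.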
From: Chris R. <chr...@ma...> - 2002-10-24 12:39:30

On 24/10/02 1:24 pm, pau...@cp... <pau...@cp...> wrote:

>> Typically it isn't possible to use a certificate in a search filter. Well
>> you might be able to on some servers, but as there aren't any real standards
>> in this area yet you'd be best off avoiding it for now.
>
> It is possible to perform a search on a binary attribute via LDAP by escaping
> the binary values of the cert in the filter appropriately. See

You could try that, however since there is no standardized equality matching rule defined for the userCertificate attribute there's no guarantee what the server's going to do, which was my point.

I'll raise your RFC with another ;-) - from RFC 2256:

-----
5.37. userCertificate

This attribute is to be stored and requested in the binary form, as 'userCertificate;binary'.

( 2.5.4.36 NAME 'userCertificate' SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
-----

I believe there's work going on in the PKIX groups to define certificate matching rules.

Cheers,

Chris