Default value of ldap_user_certificate = userCertificate;binary + 389ds = silent failure

[minfrin]

Making an attempt to set up smartcard login where the certificate is in the directory, and the directory is 389ds.

If we rely on the default value of ldap_user_certificate, which is userCertificate;binary, and we attempt to look up certificate in 389ds, the query silently fails.

Silently fails means that zero users are successfully returned for the LDAP search, and the code path follows "you don't exist" when the user does exist.

Changing the value to userCertificate (dropping the ;binary) makes 389ds work, meaning that suddenly one user is returned and the "hey, come on in" path is followed.

Not sure if this attribute name is wrong, or if it is as a result of different behaviour between openldap and 389ds.

At the very least the docs for ldap_user_certificate need to be updated to be clear what it should be set to depending on the server used, or more accurately the certificate syntax used, which I understand to be the cause of the difference in behaviour.

[sumit-bose]

Hi,

this might depend on how the certificate is stored in the LDAP server. E.g. if I add a certificate to a user in FreeIPA which uses 389ds I see:

# ldapsearch uid=scuser
...
dn: uid=scuser,cn=users,cn=accounts,dc=ipa,dc=test
givenName: sc
sn: user
uid: scuser
gecos: sc user
loginShell: /bin/sh
homeDirectory: /home/scuser
userCertificate;binary:: MIIE/TCCAuWgAwIBAgIBATANBgkqhkiG9w0BAQsFADA6MQ0wCwYDV
....

bye,
Sumit