Oracle® Internet Directory Administrator's Guide, 10g Release 2 (10.1.2), Part No. B14082-01
Starting with 10g Release 2 (10.1.2), you can perform a command-line search of the binary attribute usercertificate. You can use two kinds of ldapsearch filters:

- A filter of the form "usercertificate=certificate_serial_number$certificate_issuer_DN". The combination of the certificate serial number and the certificate issuer's DN is used to locate the certificate. This combination is called the certificate match value.
- A filter of the form "usercertificate;binary=base_64_encoded_value_of_certificate". With this filter, one of four types of search is possible, depending on two things:
  - The value of the DSA configuration set attribute orclpkimatchingrule (DN: "cn=dsaconfig,cn=configsets,cn=oracle internet directory").
  - The presence or absence of the LDAP control 2.16.840.1.113894.1.8.23.

The four types of search possible with a filter of the form "usercertificate;binary=base_64_encoded_value_of_certificate" are:
| Presence of LDAP control | Value of orclpkimatchingrule | Search Behavior |
|---|---|---|
| Absent | Not used | The hashed value of the client certificate is used to locate usercertificate. |
| Present | 0 | An exact-match search is performed. The subject DN of the client certificate is the search base. This DN is compared with the user DN in the directory. The search scope is Base. The filter is "objectclass=*". |
| Present | 1 | The hashed value of the client certificate is used to locate usercertificate. |
| Present | 2 (Default) | The hashed value of the client certificate is used to locate usercertificate. If this search yields nothing, an exact-match search is performed. |
Use the ldapmodify tool to set orclpkimatchingrule to the desired value.
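The following Python helper is an added example and is not part of the Oracle documentation or of Oracle Internet Directory itself. It builds both filter forms described above (the certificate match value form and the base64 form) and generates the LDIF that ldapmodify would apply to set orclpkimatchingrule on the DSA configuration entry. It assumes that ldapsearch accepts standard RFC 4515 filter syntax, so the special characters `( ) * \` and NUL that may occur in an issuer DN are hex-escaped rather than passed through raw; the serial number is taken as a string in whatever form the deployment expects, since the page does not specify its encoding. The certificate bytes and the issuer DN used in the usage lines are constructed sample values.

```python
import base64

# DN of the DSA configuration set entry that holds orclpkimatchingrule (from the page).
DSA_CONFIG_DN = "cn=dsaconfig,cn=configsets,cn=oracle internet directory"

# Characters that RFC 4515 requires to be escaped inside a filter assertion value.
# Escaping them prevents a DN containing, e.g., "(" or "*" from altering the filter
# structure (assumption: OID's ldapsearch follows standard filter syntax).
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Hex-escape filter metacharacters in an assertion value (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def certificate_match_filter(serial_number: str, issuer_dn: str) -> str:
    """First filter form: usercertificate=<serial>$<issuer DN> (the certificate match value)."""
    match_value = f"{serial_number}${issuer_dn}"
    return f"(usercertificate={escape_filter_value(match_value)})"


def binary_certificate_filter(der_certificate: bytes) -> str:
    """Second filter form: usercertificate;binary=<base64 of the DER certificate>."""
    encoded = base64.b64encode(der_certificate).decode("ascii")
    # Base64 output contains only A-Z, a-z, 0-9, '+', '/' and '=', none of which
    # need escaping, but the call keeps the two filter builders symmetric.
    return f"(usercertificate;binary={escape_filter_value(encoded)})"


def matching_rule_ldif(value: int) -> str:
    """LDIF for 'ldapmodify' that replaces orclpkimatchingrule on the DSA config entry.

    Only the three values documented on the page (0, 1, 2) are accepted.
    """
    if value not in (0, 1, 2):
        raise ValueError("orclpkimatchingrule must be 0, 1 or 2")
    return "\n".join([
        f"dn: {DSA_CONFIG_DN}",
        "changetype: modify",
        "replace: orclpkimatchingrule",
        f"orclpkimatchingrule: {value}",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample values, not a real certificate.
    sample_issuer = "cn=Example Issuing CA (Test),o=Example"
    sample_der = b"\x30\x03\x02\x01\x05"
    print(certificate_match_filter("1234", sample_issuer))
    print(binary_certificate_filter(sample_der))
    print(matching_rule_ldif(2))
```

Feed the output of `matching_rule_ldif` to ldapmodify as an LDIF file, and pass either filter string to ldapsearch as its filter argument; the parentheses in the constructed issuer DN appear in the first filter as `\28` and `\29`, which is what keeps them from being parsed as filter grouping.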