I have been using fedora directory server/389 directory server for a
couple years now without any real issues, so I want to start off by
thanking all of the developers for the hours they put into making it
available to us.
Lately I have had the need to look at storing x509 certificates in my
LDAP directory, to make them available to an application we use.
Looking at the documentation available on the website, it appears that
the usercertificate attribute either used to be a binary attribute, or
that there is a way to make it a binary attribute that I am not
seeing.
If the former, that it was but is no longer a binary attribute, it
appears to me that the 389-console cannot handle the PEM formatted
certificates, once one is added, I can no longer select that attribute
to manipulate either it, or the certificate it contains.
If the latter, that it can be changed to be binary, I would greatly
appreciate a pointer on how to do so.
Hopefully someone who has worked with certificates in 389-ds can give
me some pointers either way, so that I can either submit a bug report,
or find the right docs to be reading. Any help would be greatly
appreciated.
Thanks!!
Luke
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
05-19-2010, 01:44 AM
Rich Megginson
storing x509 certificates in the directory
Luke Schierer wrote:
> Hi all,
>
> I have been using fedora directory server/389 directory server for a
> couple years now without any real issues, so I want to start off by
> thanking all of the developers for the hours they put into making it
> available to us.
>
> Lately I have had the need to look at storing x509 certificates in my
> LDAP directory, to make them available to an application we use.
> Looking at the documentation available on the website, it appears that
> the usercertificate attribute either used to be a binary attribute, or
> that there is a way to make it a binary attribute that I am not
> seeing.
>
It is and always has been a binary attribute. What documentation on the
website leads you to think otherwise? We need to fix it.
> If the former, that it was but is no longer a binary attribute, it
> appears to me that the 389-console cannot handle the PEM formatted
> certificates, once one is added, I can no longer select that attribute
> to manipulate either it, or the certificate it contains.
>
Sounds like a bug.
> If the latter, that it can be changed to be binary, I would greatly
> appreciate a pointer on how to do so.
>
> Hopefully someone who has worked with certificates in 389-ds can give
> me some pointers either way, so that I can either submit a bug report,
> or find the right docs to be reading. Any help would be greatly
> appreciated.
>
You can always use ldapmodify e.g.
dn: uid=username,....
changetype: modify
replace: userCertificate
userCertificate:: <PEM data>
or
userCertificate:<file:///path/to/binary/encoded/file
> Thanks!!
>
> Luke
>
05-19-2010, 04:24 PM
Ulf Weltman
storing x509 certificates in the directory
On 5/18/2010 6:44 PM, Rich Megginson wrote:
> Luke Schierer wrote:
> > Hi all,
> >
> > I have been using fedora directory server/389 directory server for a
> > couple years now without any real issues, so I want to start off by
> > thanking all of the developers for the hours they put into making it
> > available to us.
> >
> > Lately I have had the need to look at storing x509 certificates in my
> > LDAP directory, to make them available to an application we use.
> > Looking at the documentation available on the website, it appears that
> > the usercertificate attribute either used to be a binary attribute, or
> > that there is a way to make it a binary attribute that I am not
> > seeing.
> >
> It is and always has been a binary attribute. What documentation on the
> website leads you to think otherwise? We need to fix it.
> > If the former, that it was but is no longer a binary attribute, it
> > appears to me that the 389-console cannot handle the PEM formatted
> > certificates, once one is added, I can no longer select that attribute
> > to manipulate either it, or the certificate it contains.
> >
> Sounds like a bug.
> > If the latter, that it can be changed to be binary, I would greatly
> > appreciate a pointer on how to do so.
> >
> > Hopefully someone who has worked with certificates in 389-ds can give
> > me some pointers either way, so that I can either submit a bug report,
> > or find the right docs to be reading. Any help would be greatly
> > appreciated.
> >
> You can always use ldapmodify e.g.
> dn: uid=username,....
> changetype: modify
> replace: userCertificate
> userCertificate::<PEM data>
> or
> userCertificate:<file:///path/to/binary/encoded/file
If using the Mozilla LDAP tools with the latter method, make sure to
specify LDIF version 1 because otherwise the literal string
"<file:///path/to/binary/encoded/file" is stored.
version: 1
dn: uid=username,....
changetype: modify
replace: userCertificate
userCertificate:<file:///path/to/binary/encoded/file
> > Thanks!!
> > Luke
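The two ldapmodify forms discussed above, as an added example that is not part of any poster's message or of the 389 project: it turns a PEM certificate into the DER bytes that userCertificate holds, builds the "::" (base64) LDIF record with the version line, and classifies a value read back from the directory so that a stored literal "<file:..." string or stored PEM text is caught. The function names, the sample DN and the placeholder bytes are assumptions made for the illustration.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Return the DER bytes inside the first PEM CERTIFICATE block."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def classify_value(value):
    """Classify bytes read back from userCertificate."""
    if value.startswith(b"<file:"):
        return "file-url-literal"   # the literal-string case from the thread
    if value.lstrip().startswith(b"-----BEGIN"):
        return "pem-text"           # armored text stored instead of DER
    if value[:1] == b"\x30":
        return "der"                # ASN.1 SEQUENCE tag, as a certificate has
    return "unknown"

def fold(line, width=76):
    """Fold one LDIF line per RFC 2849: continuations start with a space."""
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)

def modify_ldif(dn, der):
    """Build an ldapmodify record that replaces userCertificate with DER."""
    if classify_value(der) != "der":
        raise ValueError("value is not DER; refusing to build LDIF")
    b64 = base64.b64encode(der).decode("ascii")
    lines = ["version: 1", "dn: " + dn, "changetype: modify",
             "replace: userCertificate", "userCertificate:: " + b64]
    return "\n".join(fold(l) for l in lines) + "\n"

# Constructed sample: placeholder bytes with a DER SEQUENCE header, not a real cert.
SAMPLE_DER = b"\x30\x82\x00\x60" + bytes(range(96))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")
SAMPLE_DN = "uid=username,ou=people,dc=example,dc=com"  # constructed DN

if __name__ == "__main__":
    print(modify_ldif(SAMPLE_DN, pem_to_der(SAMPLE_PEM)))
```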
05-19-2010, 11:39 PM
Luke Schierer
storing x509 certificates in the directory
On Tue, May 18, 2010 at 07:44:23PM -0600, Rich Megginson wrote:
> Luke Schierer wrote:
> > Hi all,
> >
> > I have been using fedora directory server/389 directory server for a
> > couple years now without any real issues, so I want to start off by
> > thanking all of the developers for the hours they put into making it
> > available to us.
> >
> > Lately I have had the need to look at storing x509 certificates in my
> > LDAP directory, to make them available to an application we use.
> > Looking at the documentation available on the website, it appears that
> > the usercertificate attribute either used to be a binary attribute, or
> > that there is a way to make it a binary attribute that I am not
> > seeing.
> >
> It is and always has been a binary attribute. What documentation on the
> website leads you to think otherwise? We need to fix it.
> > If the former, that it was but is no longer a binary attribute, it
> > appears to me that the 389-console cannot handle the PEM formatted
> > certificates, once one is added, I can no longer select that attribute
> > to manipulate either it, or the certificate it contains.
> >
> Sounds like a bug.
> > If the latter, that it can be changed to be binary, I would greatly
> > appreciate a pointer on how to do so.
> >
> > Hopefully someone who has worked with certificates in 389-ds can give
> > me some pointers either way, so that I can either submit a bug report,
> > or find the right docs to be reading. Any help would be greatly
> > appreciated.
The docs do say that it is a binary attribute, but they say that in
the 389-console it should have a button to select the file to
upload. Instead, it has a text box. That is what confuses me.
Should I put the filename in that text box?
Thanks!!
Luke
05-19-2010, 11:45 PM
Rich Megginson
storing x509 certificates in the directory
Luke Schierer wrote:
> On Tue, May 18, 2010 at 07:44:23PM -0600, Rich Megginson wrote:
>
>> Luke Schierer wrote:
>>
>>> Hi all,
>>>
>>> I have been using fedora directory server/389 directory server for a
>>> couple years now without any real issues, so I want to start off by
>>> thanking all of the developers for the hours they put into making it
>>> available to us.
>>>
>>> Lately I have had the need to look at storing x509 certificates in my
>>> LDAP directory, to make them available to an application we use.
>>> Looking at the documentation available on the website, it appears that
>>> the usercertificate attribute either used to be a binary attribute, or
>>> that there is a way to make it a binary attribute that I am not
>>> seeing.
>>>
>>>
>> It is and always has been a binary attribute. What documentation on the
>> website leads you to think otherwise? We need to fix it.
>>
>>> If the former, that it was but is no longer a binary attribute, it
>>> appears to me that the 389-console cannot handle the PEM formatted
>>> certificates, once one is added, I can no longer select that attribute
>>> to manipulate either it, or the certificate it contains.
>>>
>>>
>> Sounds like a bug.
>>
>>> If the latter, that it can be changed to be binary, I would greatly
>>> appreciate a pointer on how to do so.
>>>
>>> Hopefully someone who has worked with certificates in 389-ds can give
>>> me some pointers either way, so that I can either submit a bug report,
>>> or find the right docs to be reading. Any help would be greatly
>>> appreciated.
>>>
>
> The docs do say that it is a binary attribute, but they say that in
> the 389-console it should have a button to select the file to
> upload. Instead, it has a text box. That is what confuses me.
> Should I put the filename in that text box?
>
No, I think the text box is for the base64 encoded (i.e. PEM) cert data.
> Thanks!!
>
> Luke
>
>