Currently Certificate attribute is stored/compared with OctetString syntax/mr.
Because of this, a search request can not dig into Certificate with a filter matching for example DNS name of host.example.com:
(userCertificate:1.2.826.0.1.3344810.7.2:={ nameConstraints { permittedSubtrees { { base dNSName:host.example.com, maximum 0 } } } })
There is a need to implement https://tools.ietf.org/html/draft-ietf-pkix-ldap-schema-02#section-4.2
This enhancement is not a priority: - because of the amount of work to support this new syntax/mr - because IPA is the only know client of it - because IPA can workaround that limitation
IPA is evaluating to store valuable certificate fields (i.e. issuer), then grouping those fields with the certificate. This can be done without storing the certificate itself.
Metadata Update from @tbordaz: - Issue set to the milestone: FUTURE
Metadata Update from @mreynolds: - Custom field reviewstatus adjusted to None - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/1473
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.