Copyright 2004 Sang Seok Lim, IBM. All rights reserved.

Redistribution and use in source and binary forms, with
or without modification, are permitted only as authorized
by the OpenLDAP Public License.

A copy of this license is available in the file LICENSE in
the top-level directory of the distribution or, alternatively,
at <http://www.OpenLDAP.org/license.html>.

This directory contains a Component Matching module and
an X.509 Certificate example. In order to understand Component
Matching, see RFC 3687 and
http://www.openldap.org/conf/odd-sandiego-2004/Sangseok.pdf

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
A) Brief introduction to the files in this directory
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

1) init.c
   module_init() and the functions that are dynamically linked
   into the main slapd code.

2) componentlib.c and componentlib.h
   GSER and BER decoder library for each primitive ASN.1 type.
   They use the component representation to store ASN.1 values.

3) certificate.c/.h authorityKeyIdentifier.c/.h
   eSNACC-generated BER and GSER decoder routines for the X.509
   certificate specification and one of its extensions,
   authorityKeyIdentifier.

4) asn_to_syn_mr.c asn.h
   A mapping table from ASN.1 types to the corresponding syntaxes,
   matching rules, and component descriptions in slapd.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
B) How to use Component Matching on X.509 certificates
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

1) Be sure to configure slapd with enable-modules on.
2) Install the GSER-support eSNACC compiler. You can find it
   only at www.openldap.org. At a minimum, you need the library
   (libcasn1.a) and the header files to compile this module.
3) Modify the Makefile accordingly, then run make.
   You will get compmatch.la and other necessary files in ./libs
4) Modify slapd.conf to include the following module command:
       moduleload <path to>compmatch.la
5) Run slapd and perform search operations against
   the attribute userCertificate. You need to read through
   RFC 3687 in order to understand how to compose component
   filters.
   Ex) component search filter examples
   "(userCertificate:componentFilterMatch:=item:{ component
   \"toBeSigned.serialNumber\", rule integerMatch, value 2 })"
   You can find more examples in "test031-component-filter"
   in the OpenLDAP source directory.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
C) How to add a new ASN.1 syntax
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

1) Download and install the eSNACC compiler supporting
   Component Matching. You can find the compiler only at
   www.openldap.org. Before compiling, be sure to define
   the "LDAP_COMPONENT" macro to obtain the component-
   supporting version of the eSNACC C library and back-ends.
   Otherwise the compiled library will fail to link to
   the module.
2) Using eSNACC, compile your ASN.1 specifications and
   copy the generated .c and .h files to this directory.
   Ex)
   $ esnacc -E BER_COMP -E GSER -t -d -f example.asn
   For Component Matching, set BOTH BER_COMP and GSER on.
   After compiling, you will get example.c and example.h
3) Modify example.c accordingly, using certificate.c
   and certificate.asn as a reference.
   - Add the init_module_xxx() located in the generated .c file
     to init_module() in init.c.
   - Modify the arguments of InstallOidDecoderMapping(...)
     accordingly.
   - In the generated .c file, you need to write the
     "DecComponentxxxTop(...)" function yourself.
     You can copy BDecComponentCertificateTop in the
     generated .c file and modify it accordingly.
4) Register a new attribute syntax with a new OID
   in a schema file.
5) Then go to step 3) of section B).

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
D) How to configure Component Indexing
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
You can generate indices on each component of
a given attribute whose values are in either GSER or
BER. Currently primitive ASN.1 types, DN, and RDN
can be indexed for equality matching in BDB.
In order to generate indices, put the following line
in the slapd configuration file, slapd.conf.

    index [attribute name].[component reference] eq

Ex)
    index userCertificate eq
    index userCertificate.toBeSigned.issuer.rdnSequence eq
    index userCertificate.toBeSigned.serialNumber eq
    index userCertificate.toBeSigned.version eq

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
E) How to configure Attribute Alias
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
If your client is unable to use component filters,
attribute aliasing can be used instead. Attribute
Alias maps a virtual attribute type to an attribute
component and a component matching rule.
You can create your own aliases with the following steps.

1) Register aliasing attributes in the schema file.
   Sample aliasing attributes are in test.schema.
2) Compose component filters for the aliasing attributes
   and put them in the "preprocessed_comp_filter" array
   in "init.c".
3) Add "add_aa_entry" function calls in
   "init_attribute_aliasing_table()" in "init.c".
4) Perform searches against the aliasing attribute.
   Ex)
   "(x509CertificateIssuer:distinguishedNameMatch=
   cn=ray,L=yorktown,o=ibm,c=us)"
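
Added example (not part of the original README or of the comp_match code):
a shell helper that builds the section B component filter from validated
parts, extended to RFC 3687's "and" form over the serialNumber and version
components indexed in section D. The function names, the ldapsearch host
and the base DN are assumptions.

```sh
#!/bin/sh
# Added example, not part of the comp_match distribution.
# Builds RFC 3687 component filters for userCertificate from validated
# parts so caller-supplied values cannot change the filter's structure.
# Assumption: only dot-separated identifier/number component references
# and integerMatch values are handled here.

# comp_item REF VALUE -> one ComponentAssertion in GSER, or status 1.
comp_item() {
    ref=$1
    val=$2
    # Reject empty references, leading/trailing/double dots, and any
    # character outside letters, digits, '.' and '-'.
    case $ref in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    # INTEGER only: digits with an optional leading minus sign.
    case $val in
        ''|-|*[!0-9-]*|?*-*) return 1 ;;
    esac
    printf 'item:{ component "%s", rule integerMatch, value %s }' "$ref" "$val"
}

# cert_filter SERIAL VERSION -> extensible-match filter ANDing both items.
# The validated parts contain no '(', ')', '*' or '\', so the result needs
# no further LDAP filter escaping.
cert_filter() {
    a=$(comp_item toBeSigned.serialNumber "$1") || return 1
    b=$(comp_item toBeSigned.version "$2") || return 1
    printf '(userCertificate:componentFilterMatch:=and:{ %s, %s })' "$a" "$b"
}

# Constructed sample values: serial number 2, version 2.
filter=$(cert_filter 2 2) && printf '%s\n' "$filter"
# Pass the filter to the client as one quoted argument (host and base DN
# are placeholders):
#   ldapsearch -x -H ldap://localhost -b "dc=example,dc=com" "$filter" dn
```

Keeping the filter in a variable and expanding it inside double quotes
avoids the hand-written \" escaping shown in the section B example.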