Issue while retrieving userCertificate binary (X.509 certificate) from OpenLDAP

By: syed ali user 22 Sep 2016 at 5:31 a.m. CDT

7 Responses
syed ali gravatar
Hi, We are using Openldap for source data in our project. We need to retrieve data from userCertificate binary attribute from source. So we have created new attribute for userCertificate with photo data type under inetOrgperson using "add New attribute" form and later under gluuPerson using ldif. userCertificate attribute is also specified under cache refresh as well as customer back end key attribute section. But we are facing certificate errors as given below and certificate data is not shown while searching and viewing person using Manage people section. ``` Caused by: Connection exception (Error adding object to directory. LDAP error number 21: Entry "inum=@!5863.FE5A.5F3C.E87D!0001!8E7C.A82D!0000!9737.28D5,ou=people,o=@!5863.FE5A.5F3C.E87D!0001!8E7C.A82D,o=gluu" contains a value for attribute userCertificate that is invalid according to the syntax for that attribute: The provided value is not a valid X.509 Certificate: org.forgerock.opendj.ldap.DecodeException: Cannot decode the ASN.1 element because it contained a multi-byte length with an invalid number of bytes (111)) at org.gluu.site.ldap.OperationsFacade.addEntry(OperationsFacade.java:338) at org.gluu.site.ldap.persistence.LdapEntryManager.persist(LdapEntryManager.java:108) ... 59 more ``` Please help ! Thanks.
CentOS67
closed

Answers

By Mohib Zico staff 22 Sep 2016 at 5:57 a.m. CDT

Copy
Mohib Zico gravatar
Two points: - Attribute 'userCertificate': What this attribute has in value again? I think I haven't understood the certificate term.... - If you want to pull binary attribute, you need special care for that attribute. Check out the 'objectGUID' attribute creation part in [this](https://gluu.org/docs/integrate/office365/) doc. 'objectGUID' is a binary attribute which is coming from AD and will be same 'as-is' inside Gluu Server.

By syed ali user 22 Sep 2016 at 6:31 a.m. CDT

Copy
syed ali gravatar
userCertificate is the field name in our source openldap which has binary value. userCertificate attribute holds the X.509 certificates. I want to map this to gluu openDJ. what's the best way to do this? Thanks.

By Mohib Zico staff 22 Sep 2016 at 7:40 a.m. CDT

Copy
Mohib Zico gravatar
May I ask why you are pulling certificate in user's datastore?

By syed ali user 22 Sep 2016 at 9:18 a.m. CDT

Copy
syed ali gravatar
Hi, We are pulling certificate as it is required in our client applications using Gluu. We did try the objectGuid approach mentioned in the [link ](https://gluu.org/docs/integrate/office365/)in your earlier apply. But still we are facing issue. ``` [org.gluu.site.ldap.OperationsFacade] (pool-4-thread-7) Entry can't be modified LDAPException(resultCode=21 (invalid attribute syntax), errorMessage='When attempting to modify entry inum=@!5863.FE5A.5F3C.E87D!0001!8E7C.A82D!0000!B043.B1E0,ou=people,o=@!5863.FE5A.5F3C.E87D!0001!8E7C.A82D,o=gluu, one value for attribute userCertificate was found to be invalid according to the associated syntax: The provided value is not a valid X.509 Certificate: org.forgerock.opendj.ldap.DecodeException: Cannot decode the ASN.1 element because it contained a multi-byte length with an invalid number of bytes (111)', diagnosticMessage='When attempting to modify entry inum=@!5863.FE5A.5F3C.E87D!0001!8E7C.A82D!0000!B043.B1E0,ou=people,o=@!5863.FE5A.5F3C.E87D!0001!8E7C.A82D,o=gluu, one value for attribute userCertificate was found to be invalid according to the associated syntax: The provided value is not a valid X.509 Certificate: org.forgerock.opendj.ldap.DecodeException: Cannot decode the ASN.1 element because it contained a multi-byte length with an invalid number of bytes (111)') ```

By Anandbabu Vijayan user 23 Sep 2016 at 1:18 a.m. CDT

Copy
Anandbabu Vijayan gravatar
Similar userCertificate issue reported here [https://bugster.forgerock.org/jira/browse/OPENDJ-502](https://bugster.forgerock.org/jira/browse/OPENDJ-502)

By valsaraj viswanathan user 23 Sep 2016 at 1:57 a.m. CDT

Copy
valsaraj viswanathan gravatar
[https://bugster.forgerock.org/jira/browse/OPENDJ-421](https://bugster.forgerock.org/jira/browse/OPENDJ-421) Is it related to this?

By Mohib Zico staff 23 Sep 2016 at 6:57 a.m. CDT

Copy
Mohib Zico gravatar
Sorry, can't comment on bug tracker which you guys pointed because I am still not sure why you need to import a whole certificate for every user in your Gluu Server. If you can share the target / reason; we will be able to assist you more.

Post an answer