From: M.-A. D. <mad...@nu...> - 2005-03-30 15:32:42
M.-A. DARCHE wrote:
>
> Current unsatisfying behavior
> -----------------------------
> Publishing a certificate from the http://pki-ra/cgi-bin/ldap/ldap
> interface actually creates the certificate as an extra entry, a child
> node to the existing user, instead of modifying the existing user.
>
> LDAP base dn:
> o=pkidemo,c=fr
>
> User dn:
> cn=User1,ou=people,o=pkidemo,c=fr
>
> Extra entry published by OpenCA:
> serialNumber=8,cn=User1,ou=people,o=pkidemo,c=fr
>

The solution to the main part of my problem is to be found in
http://www.openca.org/openca/docs/online/ch02s05.html :

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
OpenCA always displays DNs as defined by RFC 2253. There are
five options which influence the subject during the issuing itself:

SET_REQUEST_SERIAL_IN_DN
This option enforces the inclusion of the request's serial in the
subject of the certificate. This is a simple method to guarantee that
the subject is unique. True values are Y, YES and ON.

REQUEST_SERIAL_NAME
If the serial of the request is included then this option
defines which attribute is used for the serial.

SET_CERTIFICATE_SERIAL_IN_DN
This option enforces the inclusion of the certificate's serial in
the subject of the certificate. This is a simple method to guarantee
that the subject is unique. This option is recommended over
SET_REQUEST_SERIAL_IN_DN because the value is transparent. True values
are Y, YES and ON.

CERTIFICATE_SERIAL_NAME
If the serial of the certificate is included then this option
defines which attribute is used for the serial.

DN_WITHOUT_EMAIL
This option is used to enforce recommendations of S/MIME v3. If you
don't want to include the emailAddress in the subject then you can use
this option. OpenCA will remove the emailAddress from the subject before
it issues the certificate. True values are again Y, YES and ON.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

So I have modified all the openca/etc/servers/*.conf files that specify
the SET_CERTIFICATE_SERIAL_IN_DN property. I have set:

SET_CERTIFICATE_SERIAL_IN_DN "N"

This way I no longer get:
serialNumber=8,cn=User1,ou=people,o=pkidemo,c=fr
and I now have:
cn=User1,ou=people,o=pkidemo,c=fr

In the openca/etc/servers/*.conf files I have also modified the default
DN_TYPE_XXX_ELEMENT_3_SELECT "Internet" "Partners" "Employees" "Trustcenter"
(where XXX can take many values) so that those names correspond to the
names of branches of my LDAP directory:
DN_TYPE_XXX_ELEMENT_3_SELECT "people1" "software"

> Technical details
> ------------------
> It seems the configuration to do what I need is located in the file
> openca/etc/ldap.xml and more precisely in the XML node
> openca/ldap/schema. But the openca/ldap/schema node seems very obscure
> to me (especially why an attributetype would "must" other
> attributetypes).
>

I still don't understand how the file openca/etc/ldap.xml is used by
OpenCA. I'm interested in the difficult part, the schema part. When is
the "default" schema used (compared to the ca and certificate schemas)?

Regards,

--
Marc-Aurèle DARCHE
NUXEO (Paris, France)
http://nuxeo.com/
Nuxeo Collaborative Portal Server (CPS)
http://www.cps-project.org/
Web content management / collaborative portal / free software
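Added example (not OpenCA's own code) modelling how the subject options quoted in the mail change the issued subject DN, and whether an LDAP publish of that subject then lands on the existing user entry or becomes a child entry as reported above. It assumes the default attribute name serialNumber when CERTIFICATE_SERIAL_NAME / REQUEST_SERIAL_NAME are unset, that serials are prepended as the leftmost RDN (matching the serialNumber=8,cn=User1,... entry in the mail), and a constructed config fragment.

```python
import re

# True values for the five subject options, per the OpenCA docs quoted above.
TRUE_VALUES = {"Y", "YES", "ON"}

def parse_conf(text):
    """Parse KEY "value" lines from an openca/etc/servers/*.conf fragment."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z0-9_]+)\s+"([^"]*)"', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def is_true(conf, key):
    return conf.get(key, "").strip().upper() in TRUE_VALUES

def split_dn(dn):
    """Split an RFC 2253 DN into (attr, value) RDNs; assumes no escaped commas."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not an attr=value RDN: {part!r}")
        rdns.append((attr.strip(), value.strip()))
    return rdns

def issued_subject(request_dn, conf, request_serial, cert_serial):
    """Subject DN issued for request_dn under the given options.
    Assumption (not stated in the docs): serials are prepended as the leftmost
    RDN and the attribute name defaults to serialNumber."""
    rdns = split_dn(request_dn)
    if is_true(conf, "DN_WITHOUT_EMAIL"):
        rdns = [(a, v) for a, v in rdns if a.lower() != "emailaddress"]
    if is_true(conf, "SET_REQUEST_SERIAL_IN_DN"):
        rdns.insert(0, (conf.get("REQUEST_SERIAL_NAME", "serialNumber"), str(request_serial)))
    if is_true(conf, "SET_CERTIFICATE_SERIAL_IN_DN"):
        rdns.insert(0, (conf.get("CERTIFICATE_SERIAL_NAME", "serialNumber"), str(cert_serial)))
    return ",".join(f"{a}={v}" for a, v in rdns)

def publish_target(subject_dn, user_dn):
    """Where an LDAP publish of subject_dn lands relative to the user's entry."""
    s, u = subject_dn.lower(), user_dn.lower()
    if s == u:
        return "modify-existing"
    if s.endswith("," + u):
        return "child-entry"
    return "elsewhere"
```

With SET_CERTIFICATE_SERIAL_IN_DN off, the uniqueness guarantee the docs attribute to the serial is gone, so two certificates issued to the same user share one subject DN and uniqueness has to be enforced by the directory's cn instead.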