Hi Martin,
Consider a server certificate with the following DN:
CN=foobar, DC=example, DC=com
When adding the certificate to LDAP, OpenCA::LDAP automatically "invents" an SN attribute that is set to the CN. Not useful, I think - at least for servers.
The problem is that CN is usually a person. The objectclass person requires SN. It is not optional. Therefore we invent the SN attribute if it is not present.
You can change this behaviour in ldap.xml. Go to the <certificate> area and change the stuff for the RDN attribute cn.
Alternatively we can change the LDAP stuff a little bit. We could create the certificate area like now but support, inside an <rdn>, the definition of special values for a special role.
Today
-----

<rdn>
  <attributetype>cn</attributetype>
  <must>
    <attributetype>cn</attributetype>
    <attributetype>sn</attributetype>
  </must>
  <may>
    <attributetype>mail</attributetype>
    <attributetype>emailAddress</attributetype>
    <attributetype>ou</attributetype>
    <attributetype>o</attributetype>
    <attributetype>st</attributetype>
    <attributetype>l</attributetype>
  </may>
  <structural>
    <objectclass>person</objectclass>
    <objectclass>organizationalPerson</objectclass>
    <objectclass>inetOrgPerson</objectclass>
  </structural>
  <auxiliary>
    <objectclass>opencaEmailAddress</objectclass>
    <objectclass>pkiUser</objectclass>
  </auxiliary>
</rdn>

Proposal
--------

<rdn>
  ... everything like before ...
  <role>
    <name>Web Server</name>
    <must>
      <attributetype>cn</attributetype>
    </must>
  </role>
</rdn>

We would replace the stuff of the default configuration with the stuff found in the special definition. If the example were real, we would have to change the objectclasses because "person" is not usable for a server. Everything that is not defined in the role area is taken from the default area. Would this be an acceptable solution? Would this be a good design?
BTW, we need a default configuration to handle new roles which were created by the OpenCA admins. Most people don't like to touch such a core configuration.
Looks like LDAP is - like always - the last thing which stops a release ;-D
Best regards
Michael

-- 
-------------------------------------------------------------------
Michael Bell                        Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice      Tel.: +49 (0)30-2093 2482
(Computing Centre)                  Fax: +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                        Email (private): [EMAIL PROTECTED]
Germany                             http://www.openca.org
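The following is an added example (not OpenCA's own Perl code, and not part of the mail) that shows the two behaviours discussed above in working form: the "invented" SN that the default person-based <rdn> definition forces for a DN like CN=foobar, DC=example, DC=com, and the proposed <role> override in which every section a role defines replaces the default section wholesale while undefined sections fall through to the default. The XML string is constructed in the shape of the ldap.xml fragments from the mail; the role's <structural> block with the standard device objectclass is my own assumption about how a server role would fix the objectclasses, and the DN parser ignores escaping.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <certificate> area of ldap.xml as quoted
# in the mail. The <role> element is the proposed extension, not the shipped
# format; the 'device' objectclass for the server role is an assumption.
LDAP_XML = """<certificate>
  <rdn>
    <attributetype>cn</attributetype>
    <must>
      <attributetype>cn</attributetype>
      <attributetype>sn</attributetype>
    </must>
    <may>
      <attributetype>mail</attributetype>
      <attributetype>ou</attributetype>
    </may>
    <structural>
      <objectclass>person</objectclass>
      <objectclass>inetOrgPerson</objectclass>
    </structural>
    <auxiliary>
      <objectclass>pkiUser</objectclass>
    </auxiliary>
    <role>
      <name>Web Server</name>
      <must>
        <attributetype>cn</attributetype>
      </must>
      <structural>
        <objectclass>device</objectclass>
      </structural>
    </role>
  </rdn>
</certificate>
"""

# Each configurable section and the child tag that carries its values.
SECTIONS = {
    "must": "attributetype",
    "may": "attributetype",
    "structural": "objectclass",
    "auxiliary": "objectclass",
}


def read_sections(elem):
    """Return {section: [values]} for the sections present under elem."""
    out = {}
    for section, tag in SECTIONS.items():
        node = elem.find(section)
        if node is not None:
            out[section] = [child.text.strip() for child in node.findall(tag)]
    return out


def load_rdn_config(xml_text):
    """Parse the default <rdn> definition and its <role> overrides."""
    rdn = ET.fromstring(xml_text).find("rdn")
    default = read_sections(rdn)
    default.setdefault("may", [])
    default.setdefault("auxiliary", [])
    roles = {role.findtext("name").strip(): read_sections(role)
             for role in rdn.findall("role")}
    return default, roles


def effective_config(default, roles, role_name=None):
    """A section defined in the role replaces the default section wholesale;
    anything the role does not define is taken from the default area."""
    eff = {k: list(v) for k, v in default.items()}
    for section, values in roles.get(role_name, {}).items():
        eff[section] = list(values)
    return eff


def parse_dn(dn):
    """Minimal DN parser: 'CN=foobar, DC=example, DC=com' -> {'cn': ['foobar'], ...}.
    Escaped commas and quoting are not handled (deliberate simplification)."""
    attrs = {}
    for rdn in dn.split(","):
        name, _, value = rdn.strip().partition("=")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def build_entry(dn, default, roles, role_name=None):
    """Build the LDAP attribute set for a certificate subject under a role.
    Raises ValueError when a MUST attribute cannot be satisfied."""
    eff = effective_config(default, roles, role_name)
    subject = parse_dn(dn)
    entry = {}
    for attr in eff["must"]:
        if attr in subject:
            entry[attr] = subject[attr]
        elif attr == "sn" and "cn" in subject:
            # The behaviour the mail complains about: 'person' requires sn,
            # so a missing sn is copied from cn.
            entry["sn"] = subject["cn"]
        else:
            raise ValueError(f"required attribute {attr!r} missing from DN {dn!r}")
    for attr in eff["may"]:
        if attr in subject:
            entry[attr] = subject[attr]
    entry["objectClass"] = eff["structural"] + eff["auxiliary"]
    return entry


if __name__ == "__main__":
    default, roles = load_rdn_config(LDAP_XML)
    dn = "CN=foobar, DC=example, DC=com"
    print(build_entry(dn, default, roles))                # person entry, sn invented
    print(build_entry(dn, default, roles, "Web Server"))  # device entry, no sn
```

Running it prints a person entry with sn copied from cn for the default role, and a device/pkiUser entry with only cn for the Web Server role; the role's missing <may> and <auxiliary> sections fall through to the defaults, which is the "everything not defined in the role area is taken from the default area" rule.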
