Hello Barrow,
I used to have the same problem, but the solution is
very simple. I don't have enough knowledge of LDAP,
but with the help provided by the more
advanced OpenCA users ;-) I finally have my OpenCA and
OpenLDAP working :-)
I don't know which OpenCA version you use, but if
you use version 0.9.1.X, like me, this is what I did.
First you have to copy the file pkiCA.schema, located
in the OpenCA sources. Check the directory:
/usr/src/openca-0.9.1.8/contrib/openldap
or wherever you untarred your OpenCA source code, for a
file called pkiCA.schema.
Then you have to copy that file to the folder:
/etc/openldap/schema
Once this is done you have to edit the configuration in
slapd.conf. In the include section, you have to check that
these lines are uncommented:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
Then, you have to add this line:
include /etc/openldap/schema/pkiCA.schema
This is the file we have just copied. This new addition
could lead to a duplicate error, so you have to
comment out the lines:
objectclass ( 2.5.6.21 NAME 'pkiUser' SUP top AUXILIARY
    MAY ( userCertificate ) )
objectclass ( 2.5.6.22 NAME 'pkiCA' SUP top AUXILIARY
    MAY ( cACertificate $ certificateRevocationList
        $ authorityRevocationList $ crossCertificatePair ) )
Then "scroll down" until you find the suffix and
rootdn declarations:
suffix "o=ubiquando,c=CO"
rootdn "cn=Manager,o=ubiquando,c=CO"
This part is very important to solve the problem you
have: o=XXX,c=YYY must match what you type
when you request a certificate. This means that when
you request a certificate, O= must match the
suffix entry in your slapd.conf, and C= must
match the c in slapd.conf too.
You also have to enter your root password:
rootpw {SSHA}51oMm9swZ/YtkGEdJWg/imj29+7l4yTK
In my case I used slappasswd to encrypt it.
At the end you can enter the line (thanks to Michael
B. for this tip :-)
schemacheck off
but only if you have problems updating your
CA certificates to the LDAP directory.
In ldap.conf, you have to check for the existence of
these lines:
BINDDN cn=Manager,o=ubiquando,c=CO
BASE o=ubiquando,c=CO
HOST 192.168.0.253 # Host where you have your LDAP directory
PORT 389 # This is the default port for OpenLDAP
ldaproot "cn=Manager,o=ubiquando,c=CO"
ldappwd "51oMm9swZ/YtkGEdJWg/imj29+7l4yTK"
As you can see, the two lines above are very similar to
the corresponding ones in slapd.conf.
Then you have to go to /usr/local/OpenCA/etc/servers/,
edit the file ldap.conf and check these lines:
basedn "o=ubiquando, c=co"
ldaproot "cn=manager,o=ubiquando,c=CO"
ldappwd "openca"
You can see where these values come from: they
correspond to the lines in the files we talked about.
The only difference is that here you have to enter the
password in clear text; if you don't do this, OpenCA
won't be able to connect to the OpenLDAP directory.
You don't have to make any other modifications. Just
connect to your LDAP interface and make the respective
uploads. ;-)
I have to warn you that I'm not sure about the
possible consequences of the modifications done to
those configuration files.
Hope this message is clear,
Johnny
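The checks below are an added example and are not part of Johnny's mail nor of the OpenCA project. They turn the manual comparisons he describes into a script: the O= and C= of a certificate subject must equal the slapd suffix, OpenCA's basedn/ldaproot must equal slapd's suffix/rootdn, pkiCA.schema must be included without leaving a duplicate objectclass in core.schema, and, because OpenCA's ldap.conf holds the LDAP password in clear text, that file must not be readable by other users. The directive names (suffix, rootdn, include, basedn, ldaproot) are taken from the mail; the sample files, the temp-directory paths and the placeholder rootpw hash are constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the mail or from OpenCA): consistency checks for
# the slapd.conf / OpenCA ldap.conf pairing described above.

# Normalise a DN for comparison: drop quotes and spaces around commas, lowercase.
norm_dn() {
    printf '%s' "$1" | tr -d '"' | sed 's/ *, */,/g' | tr 'A-Z' 'a-z'
}

# Print the value of the first uncommented directive $2 in config file $1.
conf_value() {
    awk -v d="$2" '$1 !~ /^#/ && tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Check 1: O= and C= of a certificate subject must equal the slapd suffix.
# $1 = slapd.conf, $2 = subject in OpenSSL form ("C=CO, O=x, CN=y" or "/C=CO/O=x/CN=y").
subject_matches_suffix() {
    suffix=$(norm_dn "$(conf_value "$1" suffix)")
    o=$(printf '%s' "$2" | tr ',/' '\n\n' | sed -n 's/^ *[Oo]=//p' | head -n 1)
    c=$(printf '%s' "$2" | tr ',/' '\n\n' | sed -n 's/^ *[Cc]=//p' | head -n 1)
    [ "$suffix" = "$(norm_dn "o=$o,c=$c")" ]
}

# Check 2: OpenCA's basedn/ldaproot ($2) must equal slapd's suffix/rootdn ($1),
# compared case-insensitively as LDAP does for these DNs.
openca_matches_slapd() {
    [ "$(norm_dn "$(conf_value "$1" suffix)")" = "$(norm_dn "$(conf_value "$2" basedn)")" ] &&
    [ "$(norm_dn "$(conf_value "$1" rootdn)")" = "$(norm_dn "$(conf_value "$2" ldaproot)")" ]
}

# Check 3: pkiCA.schema is included, and no NAME 'x' is defined twice across the
# uncommented lines of all included schema files (a duplicate stops slapd).
no_duplicate_objectclasses() {
    files=$(awk '$1 == "include" { print $2 }' "$1")
    printf '%s\n' "$files" | grep -q 'pkiCA\.schema' || return 1
    dups=$(cat $files | grep -v '^[[:space:]]*#' | grep -o "NAME '[^']*'" | sort | uniq -d)
    [ -z "$dups" ]
}

# Check 4: the file holding the clear-text ldappwd must not be group/world readable.
password_file_private() {
    [ -z "$(ls -ld "$1" | cut -c5-10 | tr -d '-')" ]
}

# Constructed sample files (placeholder paths and hash, not the mail's real ones).
tmp=$(mktemp -d)
mkdir -p "$tmp/schema"
cat > "$tmp/schema/core.schema" <<'EOF'
# pkiUser/pkiCA commented out here, as the mail advises, because pkiCA.schema redefines them
#objectclass ( 2.5.6.21 NAME 'pkiUser' SUP top AUXILIARY
#    MAY ( userCertificate ) )
#objectclass ( 2.5.6.22 NAME 'pkiCA' SUP top AUXILIARY
#    MAY ( cACertificate $ certificateRevocationList $ authorityRevocationList $ crossCertificatePair ) )
EOF
cat > "$tmp/schema/pkiCA.schema" <<'EOF'
objectclass ( 2.5.6.21 NAME 'pkiUser' SUP top AUXILIARY
    MAY ( userCertificate ) )
objectclass ( 2.5.6.22 NAME 'pkiCA' SUP top AUXILIARY
    MAY ( cACertificate $ certificateRevocationList $ authorityRevocationList $ crossCertificatePair ) )
EOF
cat > "$tmp/slapd.conf" <<EOF
include $tmp/schema/core.schema
include $tmp/schema/pkiCA.schema
suffix "o=ubiquando,c=CO"
rootdn "cn=Manager,o=ubiquando,c=CO"
rootpw {SSHA}PLACEHOLDER-HASH-FROM-slappasswd
EOF
cat > "$tmp/openca-ldap.conf" <<'EOF'
basedn "o=ubiquando, c=co"
ldaproot "cn=manager,o=ubiquando,c=CO"
ldappwd "openca"
EOF
chmod 600 "$tmp/openca-ldap.conf"

# Run the four checks against the constructed files and report each result.
if subject_matches_suffix "$tmp/slapd.conf" "C=CO, O=ubiquando, CN=alice"; then echo "ok: subject O/C match suffix"; else echo "FAIL: subject O/C differ from suffix"; fi
if openca_matches_slapd "$tmp/slapd.conf" "$tmp/openca-ldap.conf"; then echo "ok: OpenCA basedn/ldaproot match slapd"; else echo "FAIL: OpenCA ldap.conf disagrees with slapd.conf"; fi
if no_duplicate_objectclasses "$tmp/slapd.conf"; then echo "ok: pkiCA.schema included, no duplicates"; else echo "FAIL: schema missing or duplicated"; fi
if password_file_private "$tmp/openca-ldap.conf"; then echo "ok: clear-text password file is private"; else echo "FAIL: ldap.conf readable by others"; fi
```

To use it on a real system, point the four functions at /etc/openldap/slapd.conf and /usr/local/OpenCA/etc/servers/ldap.conf and pass the subject from `openssl x509 -noout -subject -in cert.pem`; the subject check is the one that explains the "cannot find entry" class of failure Johnny refers to, and the permission check is what keeps the clear-text ldappwd from leaking to every local account.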
_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users