Thank You for your reply.
I have tried what you state below, but if the object already exists in the tree, OpenCA wants to add (ldap-utils.lib) the object instead of modifying the object and adding the certificate as an attribute to the object. Of course an error occurs and it fails.
There doesn't seem to be a way that I can see (without alterations or scripting) to allow this to happen. Am I right or am I missing something?
Also I noticed that the objects are always a person (inetOrgPerson) even though it could be a router or whatever.
There doesn't seem to be a way of specifying (that I can see) that an object could have a "SUP top AUXILIARY" instead of "SUP top STRUCTURAL".
Am I right?
If this is the case, I guess allowing OpenCA to create a different tree in the same LDAP server is the solution, but I just want to make sure.
Thanks and good day to all
Francis Thebault
Martin Lizner <[EMAIL PROTECTED]>
13.02.2003 09:41
To: Francis Thebault <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED]
Subject: Re: [Openca-Users] Existing LDAP tree structure
hello
it's possible. you've got to follow the hierarchy in your ldap tree - dn of
your certificates has to respect ldap tree, ie if your ldap tree is:
o=organization,c=country
your openca should produce certificates with dn ie:
[EMAIL PROTECTED],cn=name surname,ou=department,o=organization,c=country
you can configure openca for your ldap at compile time (follow configure
options) or afterwards in $your_openca_directory/etc/servers/*.conf
if certificate's dn does not respect your ldap tree you can still add it
to ldap with modified dn manually via ra interface, possibly you can
create script for many certificates to add. i have no experience with
that, especially what is the behaviour of clients looking up certificates
with modified dn in ldap.
martin lizner
www.anect.com
czech rep.
On Wed, 12 Feb 2003, Francis Thebault wrote:
> Hello,
>
> I would like to find out if it is possible to add certificates created
> with OpenCA to an already existing LDAP tree structure.
> Is OpenCA configurable to allow this flexibility?
>
> Thank You and Best Regards
>
> Francis Thebault
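The scripted route mentioned in the thread, sketched as an added example that is not OpenCA code or anything posted by the participants: it builds an LDIF `changetype: modify` record that attaches a certificate to an entry that already exists, instead of trying to add the entry again. It assumes the directory schema includes the auxiliary class `pkiUser` (RFC 4523) and that the entry does not already carry it; the function names, the DN and the certificate bytes are constructed for illustration.

```python
import base64
import ssl


def attr_line(name, value):
    """Return one LDIF line; use base64 ('::') unless value is an RFC 2849 SAFE-STRING."""
    raw = value if isinstance(value, bytes) else value.encode("utf-8")
    safe = (
        not isinstance(value, bytes)                       # binary is always encoded
        and all(0 < b < 128 and b not in (10, 13) for b in raw)
        and raw[:1] not in (b" ", b":", b"<")
        and not raw.endswith(b" ")
    )
    line = f"{name}: {value}" if safe else f"{name}:: {base64.b64encode(raw).decode()}"
    # Fold at 76 columns; every continuation line starts with a single space.
    parts = [line[:76]] + [" " + line[i:i + 75] for i in range(76, len(line), 75)]
    return "\n".join(parts)


def cert_modify_ldif(dn, pem_cert, aux_class="pkiUser"):
    """Build a modify record adding userCertificate;binary to an existing entry.

    aux_class is added so that non-person entries (a router, for instance) are
    allowed to hold the attribute; pass None when the entry already permits it,
    because adding an objectClass value that is already present makes the
    whole modify fail.
    """
    der = ssl.PEM_cert_to_DER_cert(pem_cert)               # PEM text -> DER bytes
    lines = [attr_line("dn", dn), "changetype: modify"]
    if aux_class:
        lines += ["add: objectClass", attr_line("objectClass", aux_class), "-"]
    lines += ["add: userCertificate;binary",
              attr_line("userCertificate;binary", der), "-"]
    return "\n".join(lines) + "\n"


# Constructed sample input: placeholder bytes, not a real certificate.
SAMPLE_DER = bytes(range(200))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Hypothetical DN following the tree layout quoted in the thread.
    print(cert_modify_ldif("cn=router1,ou=department,o=organization,c=country",
                           SAMPLE_PEM))
```

The output can be saved to a file and applied with `ldapmodify -f`, bound as an account that is allowed to write to the target entries.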
