Gene Hovey wrote:

I've set up 0.9.1-7 with most of the defaults including the use of the old-style DNs.


Starting with an "empty" OpenLDAP database, and with debug on in the LDAP-related functions (Thanks Michael !), I've gotten OpenCA to establish the root entry (o=Trident,c=US in my case) as well as the next entry (OU=intern,o=Trident,c=US). It now comes to creating an entry for the CA-Certificate into LDAP and I get the following two lines from the slapd log. Note that my LDAP schema includes the pkiCA, pkiUser, and even the rfc822MailUser object classes, otherwise I would not have gotten past the root entry creation. Anyway, the issue according to the slapd log is that none of the object classes that OpenCA is using include an "email" attribute, which OpenLDAP is requiring because it is part of the DN.
My question: if OpenCA defaults to putting email in DN, then what LDAP object class did OpenCA expect to have an email attribute?

The problem is that the LDAP servers started to be so strict after the release of 0.9.1.0. The problem is that it is really problematical to change the used scheme during a stable release's lifetime. I can only describe how you can solve the problem:


1. You have to copy all the lines where the mail attribute is handled:

1.1. ldap-utils.lib line 265-275
   Here we set the mail address. If you have to support pkcs#9
   emailAddress because your LDAP server is really strict then you must
   copy the code for mail and must add attributes for emailaddress too.
1.2. ldap-utils.lib line 329-333
   Please duplicate these lines (without the objectclass) and add the
   emailaddress to the attribute values.

2. You have to change the schema. rfc822MailUser must be changed. Replace
   "mail" by "mail $ emailAddress". Also it is a good idea to replace
   "MUST" by "MAY" to avoid schema problems.

We cannot solve the problem without breaking all already installed OpenCA 0.9.1. Therefore I can only describe what you have to do.

Here are the two relevant lines from the slapd log.
conn=0 op=5 ADD dn="[EMAIL PROTECTED],cn=ca,ou=intern,o=Trident,c=US"
conn=0 op=5 RESULT tag=105 err=64 text=naming attribute 'email' is not present in entry


Here's the debug info shown in the browser. Note that I added a loop that lists the objectclasses to complement the debug loop of the attributes. :)

Try to add [EMAIL PROTECTED],CN=ca,OU=intern,o=Trident, c=US

Your LDAP server distinguishes between mail (rfc822mailbox) and emailAddress (pkcs#9 emailaddress). This problem can only be handled with 0.9.2, but this is not released until now. I know that this is not really helpful, but we cannot break already installed systems with simple updates.


Michael
--
-------------------------------------------------------------------
Michael Bell                   Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice            Tel.: +49 (0)30-2093 2482
(Computing Centre)                        Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                   Email (private): [EMAIL PROTECTED]
Germany                                       http://www.openca.org
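An added example, not code from the thread or from OpenCA (which is written in Perl): a Python stand-in for the check slapd makes before an ADD, which is what produces err=64 above, plus the attribute duplication from step 1 of the workaround. The alias table (email / emailAddress / pkcs9email being one attribute type) and the sample DN and entry are assumptions constructed for the example.

```python
# Added example, not OpenCA's code. Reproduces slapd's naming check:
# every attribute in an entry's RDN must be present in the entry with the
# same value, otherwise the ADD fails with err=64 (namingViolation).

# Assumed alias table: OpenLDAP's core.schema names the pkcs#9 attribute
# 'email', 'emailAddress' and 'pkcs9email', so any of them satisfies an
# RDN written as email=...; 'mail' (rfc822mailbox) is a different type.
ALIASES = {"email": "emailaddress", "pkcs9email": "emailaddress"}

def canonical(attr: str) -> str:
    """Lower-case an attribute name and fold known aliases together."""
    a = attr.strip().lower()
    return ALIASES.get(a, a)

def rdn_components(dn: str) -> list:
    """Split the first RDN of a DN into (attribute, value) pairs.
    Multi-valued RDNs use '+'; OpenCA's DNs contain no escaped commas."""
    rdn = dn.split(",", 1)[0]
    return [(a.strip(), v.strip())
            for a, _, v in (p.partition("=") for p in rdn.split("+"))]

def missing_naming_attrs(dn: str, entry: dict) -> list:
    """Return the RDN attributes the entry lacks (values compared case-insensitively)."""
    present = {}
    for name, values in entry.items():
        present.setdefault(canonical(name), []).extend(v.lower() for v in values)
    return [attr for attr, value in rdn_components(dn)
            if value.lower() not in present.get(canonical(attr), [])]

def with_both_mail_forms(entry: dict, email: str) -> dict:
    """Step 1 of the workaround: keep 'mail' and add pkcs#9 emailAddress too,
    so a strict server finds the naming attribute whichever type it expects."""
    fixed = {k: list(v) for k, v in entry.items()}
    fixed["mail"] = [email]
    fixed["emailAddress"] = [email]
    return fixed

# Constructed sample: the CA entry as OpenCA 0.9.1 builds it, with 'mail' only.
CA_DN = "email=ca@example.com,cn=ca,ou=intern,o=Trident,c=US"
CA_ENTRY = {
    "objectClass": ["top", "pkiCA", "rfc822MailUser"],
    "cn": ["ca"],
    "mail": ["ca@example.com"],
}

if __name__ == "__main__":
    print("missing before fix:", missing_naming_attrs(CA_DN, CA_ENTRY))
    print("missing after fix: ",
          missing_naming_attrs(CA_DN, with_both_mail_forms(CA_ENTRY, "ca@example.com")))
```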


