Hi to all, sorry for the usual LDAP questions, but this is a very
difficult "thing" to configure.

First of all, the publication of normal certificates is working very well.

The first problem is with CRL publication: from the LDAP interface,
when I try to publish the CRL, I get this error:

Loading CRL ...
loaded CRL 47
Checking the configuration for a special issuer ...
No special issuer was specified!
Pushing CRL 47 to LDAP ...
Cannot write CRL to LDAP (error 32: No such object)
        Last Update: Jul 26 15:40:45 2005 GMT
        Next Update: Aug 25 15:40:45 2005 GMT

In the stderr.log file I see these rows:

OpenCA::LDAP->connect: ldap2://10.10.1.90:389
OpenCA::LDAP->add_attribute: DN=
[EMAIL PROTECTED],cn=PKI,ou=PKI,o=PKI,c=IT
OpenCA::LDAP->add_attribute: attr: certificateRevocationList;binary
OpenCA::LDAP->add_attribute: LDAP Searchfilter:
(certificateRevocationList;binary=*)
OpenCA::LDAP->add_attribute: LDAP Search Mesg-Code 32
OpenCA::LDAP->add_attribute: LDAP Search Mesg-Count 0

The second problem is with the CA certificate:

Attributes for the insertion:
cn = PKI
ou = PKI
mail = [EMAIL PROTECTED]
emailAddress = [EMAIL PROTECTED]
objectclass = ARRAY(0x9f45128)

Certificate 2147483647 FAILED (error 17: LDAP-add failed:
emailaddress: attribute type undefined)

and the stderr.log says:

OpenCA::LDAP->add_object: may emailAddress
OpenCA::LDAP->add_object: structural organizationalRole
OpenCA::LDAP->add_object: structural opencaEmailAddress
OpenCA::LDAP->add_object: structural pkiCA
OpenCA::LDAP->add_object: Must setup a CA-cert
OpenCA::LDAP->add_object: The resultcode of the nodeinsertion was 17

I suspect there is a bit of misconfiguration with the attribute
emailAddress, but I cannot find it in the schemas. If I add the CA
certificate from the LDAP interface, removing the emailAddress
attribute from the DN, the certificate is published without problems.

Thanks for the help.

p.s. In the slapd.conf file I've included these schemas:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/redhat/autofs.schema
include         /etc/openldap/schema/redhat/kerberosobject.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/openca.schema    

Note that in openca.schema I have this objectclass:

objectclass ( 1.3.6.1.4.1.18227.2.1.2 NAME 'opencaEmailAddress' SUP
top AUXILIARY
        MAY ( mail $ rfc822Mailbox )
        )

This is needed by OpenLDAP to start.

p.s. In ldap.conf I have these settings:

LDAP "yes"
LDAP_CRL_Issuer ""
LDAP_CA_DN      ""

but I don't know the meaning.


p.s. I'm using Linux ES 3.0 with kernel 2.4.21-4.ELsmp #1 SMP

-- 
Diego de Felice
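A small troubleshooting helper, added here as an example (it is not OpenCA's code and not part of the post): it parses the OpenCA::LDAP debug lines quoted above, maps the LDAP result codes 32 and 17 to their RFC 4511 meanings, and lists the read-only ldapsearch checks to run next. The sample log and the mail RDN in it are constructed, since the real address is redacted above.

```python
import re
# LDAP result codes that appear in the post (RFC 4511, section 4.1.9).
LDAP_RESULT = {
    17: "undefinedAttributeType: an attribute is not in the server's loaded schema",
    32: "noSuchObject: the DN (or one of its ancestors) does not exist in the directory",
}

# Constructed stand-in for the stderr.log excerpt; the mail RDN is a placeholder (redacted in the post).
CRL_LOG = """\
OpenCA::LDAP->add_attribute: DN=mail=ca@example.invalid,cn=PKI,ou=PKI,o=PKI,c=IT
OpenCA::LDAP->add_attribute: attr: certificateRevocationList;binary
OpenCA::LDAP->add_attribute: LDAP Search Mesg-Code 32
"""

LINE_RE = re.compile(r"^OpenCA::LDAP->\w+: (.*)$")

def parse_openca_log(text):
    """Pull the target DN and the LDAP result code out of OpenCA::LDAP debug lines."""
    info = {"dn": None, "code": None}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("DN="):
            info["dn"] = msg[3:]
        else:
            c = re.search(r"(?:Mesg-Code|nodeinsertion was) (\d+)$", msg)
            if c:
                info["code"] = int(c.group(1))
    return info

def ancestor_dns(dn):
    """Chain of entries that must exist, root first (naive split: no escaped commas)."""
    rdns = [r.strip() for r in dn.split(",")]
    return [",".join(rdns[i:]) for i in range(len(rdns) - 1, -1, -1)]

def diagnose(info):
    """Return (explanation, read-only ldapsearch commands to run next)."""
    code = info["code"]
    explanation = LDAP_RESULT.get(code, f"result code {code}: see RFC 4511")
    checks = []
    if code == 32 and info["dn"]:
        # Walk the DN upward: the first base search that fails names the entry to create first.
        checks = [f"ldapsearch -x -s base -b '{d}' '(objectClass=*)' dn" for d in ancestor_dns(info["dn"])]
    elif code == 17:
        # Ask the server which attribute types it actually knows (look for the 'email' variants).
        checks = ["ldapsearch -x -s base -b cn=Subschema '(objectClass=*)' attributeTypes"]
    return explanation, checks
```

For the error-17 case, compare the attribute names OpenCA sends (emailAddress, mail) against the attributeTypes the server returns; only names present there can be used in the entry or its DN.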


_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users