If someone else is interested, I've resolved the problem of the CRL
publication. The issue is that in the contrib openca.ldif there is no
definition for the cRLDistributionPoint. If I add this object to LDAP
and specify its path in servers/ldap.conf, then it works
perfectly.

crl.ldif (test it, because I've created it with a graphical tool and
not with slapadd):

dn: cn=crl,o=PKI,c=IT
cn: crl
objectClass: cRLDistributionPoint

servers/ldap.conf:

LDAP "yes"
LDAP_CRL_Issuer "CN=crl,O=PKI,C=IT"
LDAP_CA_DN      "CN=PKI CA,OU=Trust,O=PKI,C=IT"

Now there is the problem with emailAddress. I can resolve it by removing
emailAddress from the DNs in the database :-P but this is not so good.

On 8/2/05, Diego de Felice <[EMAIL PROTECTED]> wrote:
> Hi to all, sorry for the usual LDAP questions, but this is a very
> difficult "thing" to configure.
> 
> First of all, the publication of normal certificates is working very well.
> 
> The first problem is with CRL publication. From the LDAP interface,
> when I try to publish the CRL, I get this error:
> 
> Loading CRL ...
> loaded CRL 47
> Checking the configuration for a special issuer ...
> No special issuer was specified!
> Pushing CRL 47 to LDAP ...
> Cannot write CRL to LDAP (error 32: No such object)
>         Last Update: Jul 26 15:40:45 2005 GMT
>         Next Update: Aug 25 15:40:45 2005 GMT
> 
> In the stderr.log file I note these rows:
> 
> OpenCA::LDAP->connect: ldap2://10.10.1.90:389
> OpenCA::LDAP->add_attribute: DN=
> [EMAIL PROTECTED],cn=PKI,ou=PKI,o=PKI,c=IT
> OpenCA::LDAP->add_attribute: attr: certificateRevocationList;binary
> OpenCA::LDAP->add_attribute: LDAP Searchfilter:
> (certificateRevocationList;binary=*)
> OpenCA::LDAP->add_attribute: LDAP Search Mesg-Code 32
> OpenCA::LDAP->add_attribute: LDAP Search Mesg-Count 0
> 
> The second problem is with the CA certificate:
> 
> Attributes for the insertion:
> cn = PKI
> ou = PKI
> mail = [EMAIL PROTECTED]
> emailAddress = [EMAIL PROTECTED]
> objectclass = ARRAY(0x9f45128)
> 
> Certificate 2147483647 FAILED (error 17: LDAP-add failed:
> emailaddress: attribute type undefined)
> 
> and the stderr.log says:
> 
> OpenCA::LDAP->add_object: may emailAddress
> OpenCA::LDAP->add_object: structural organizationalRole
> OpenCA::LDAP->add_object: structural opencaEmailAddress
> OpenCA::LDAP->add_object: structural pkiCA
> OpenCA::LDAP->add_object: Must setup a CA-cert
> OpenCA::LDAP->add_object: The resultcode of the nodeinsertion was 17
> 
> I suspect there is a bit of misconfiguration with the attribute
> emailAddress, but I cannot find it in the schemas. If I add the CA
> certificate from the LDAP interface, removing the emailAddress
> attribute from the DN, the certificate is published without problems.
> 
> Thanks for the help.
> 
> p.s. In the slapd.conf file I've included these schemas:
> 
> include         /etc/openldap/schema/core.schema
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/nis.schema
> include         /etc/openldap/schema/redhat/autofs.schema
> include         /etc/openldap/schema/redhat/kerberosobject.schema
> include         /etc/openldap/schema/misc.schema
> include         /etc/openldap/schema/openca.schema
> 
> Note that in openca.schema I have this objectclass:
> 
> objectclass ( 1.3.6.1.4.1.18227.2.1.2 NAME 'opencaEmailAddress' SUP
> top AUXILIARY
>         MAY ( mail $ rfc822Mailbox )
>         )
> 
> this is needed by OpenLDAP to start.
> 
> p.s. In ldap.conf I have these settings:
> 
> LDAP "yes"
> LDAP_CRL_Issuer ""
> LDAP_CA_DN      ""
> 
> but I don't know the meaning.
> 
> 
> p.s. I'm using Linux ES 3.0 with kernel 2.4.21-4.ELsmp #1 SMP
> 
> --
> Diego de Felice
> 


-- 
Diego de Felice
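The two failures in this thread are both directory-side precondition errors: LDAP result 32 (noSuchObject) because the entry named as the CRL target did not exist yet, and result 17 (undefinedAttributeType) because an RDN of the CA DN used emailAddress, which none of the loaded schemas define (openca.schema's opencaEmailAddress only allows mail and rfc822Mailbox). The following pre-flight check is an added example, not code from the poster or from OpenCA: it replays both checks offline against a constructed LDIF dump, a constructed subset of the schema's attribute types, and a constructed e-mail address, and accepts the same KEY "value" syntax as servers/ldap.conf so the broken and fixed configurations from the thread can be compared before anything is pushed to the server.

```python
"""Offline pre-flight check for OpenCA LDAP publication (added example).

Replays the two LDAP errors seen in the thread without a live server:
  * 32 noSuchObject: the entry named in LDAP_CRL_Issuer must already exist,
    because OpenCA::LDAP->add_attribute only modifies an existing entry;
  * 17 undefinedAttributeType: every RDN attribute type in a DN to be added
    must be defined by a loaded schema (emailAddress is not).
The LDIF, the attribute set and the e-mail address are constructed samples.
"""
import re

SAMPLE_LDIF = """\
dn: o=PKI,c=IT
objectClass: organization
o: PKI

dn: cn=crl,o=PKI,c=IT
cn: crl
objectClass: cRLDistributionPoint
"""

# Constructed subset of attribute types defined by core/cosine/inetorgperson
# plus the MAY list of opencaEmailAddress from openca.schema. Note: no
# emailAddress, which is why the CA DN in the thread failed with error 17.
KNOWN_ATTRIBUTES = {
    "cn", "ou", "o", "c", "mail", "rfc822mailbox", "objectclass",
    "certificaterevocationlist;binary", "usercertificate;binary",
}

BROKEN_CONF = '''
LDAP "yes"
LDAP_CRL_Issuer ""
LDAP_CA_DN      ""
'''

FIXED_CONF = '''
LDAP "yes"
LDAP_CRL_Issuer "CN=crl,O=PKI,C=IT"
LDAP_CA_DN      "CN=PKI CA,OU=Trust,O=PKI,C=IT"
'''


def split_dn(dn):
    """Split a DN into (attr, value) pairs. Handles escaped commas only;
    multi-valued RDNs and base64 DNs are out of scope for this check."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def normalize_dn(dn):
    """Lower-case attribute types and values, approximating caseIgnoreMatch."""
    return ",".join(f"{a}={v.lower()}" for a, v in split_dn(dn))


def parse_ldif(text):
    """Return {normalized dn: {attr: [values]}} from a simple LDIF dump
    (no base64 '::' values, no line continuations)."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = normalize_dn(value.strip())
            else:
                attrs.setdefault(name.lower(), []).append(value.strip())
        if dn is not None:
            entries[dn] = attrs
    return entries


def parse_ldap_conf(text):
    """Parse the  KEY "value"  lines used by OpenCA's servers/ldap.conf."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'^\s*(\w+)\s+"([^"]*)"', text, re.M)}


def check_crl_target(config, entries):
    """Mirror add_attribute: the CRL target entry must exist and be a
    cRLDistributionPoint, otherwise the server answers result code 32."""
    issuer = config.get("LDAP_CRL_Issuer", "")
    if not issuer:
        return ("LDAP_CRL_Issuer is empty: OpenCA reports 'No special issuer "
                "was specified' and targets the CA subject DN instead")
    entry = entries.get(normalize_dn(issuer))
    if entry is None:
        return f"error 32 (noSuchObject): {issuer} is not in the directory"
    classes = {oc.lower() for oc in entry.get("objectclass", [])}
    if "crldistributionpoint" not in classes:
        return f"{issuer} exists but lacks objectClass cRLDistributionPoint"
    return "ok"


def check_dn_attributes(dn, known=KNOWN_ATTRIBUTES):
    """Mirror add_object: every RDN attribute type must be defined by a
    loaded schema, otherwise the add fails with result code 17."""
    undefined = sorted({a for a, _ in split_dn(dn) if a not in known})
    if undefined:
        return f"error 17 (undefinedAttributeType): {', '.join(undefined)}"
    return "ok"


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("broken conf:", check_crl_target(parse_ldap_conf(BROKEN_CONF), entries))
    print("fixed conf: ", check_crl_target(parse_ldap_conf(FIXED_CONF), entries))
    # constructed address standing in for the redacted one in the thread
    print("CA DN with emailAddress:",
          check_dn_attributes("emailAddress=ca@example.invalid,cn=PKI,ou=PKI,o=PKI,c=IT"))
    print("CA DN without:", check_dn_attributes("cn=PKI,ou=PKI,o=PKI,c=IT"))
```

Run it against an `ldapsearch -LLL` dump of the real tree instead of SAMPLE_LDIF to confirm the cRLDistributionPoint entry is in place before enabling publication. Removing emailAddress from the DN, as the poster did, makes check_dn_attributes pass; the alternative of adding an emailAddress attribute type to the schema is outside what the thread shows and is not modelled here.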


_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users