Hello Oliver,
Oliver Welter wrote:
> Hi Johnny,
>
> it's ok that you get LDAP errors because your DNs don't match - the order
> is important... :P
>
> So if your certs have this DN
>
> serialNumber=4,1.3.6.1.4.1.4710.1.3.2=#0C0B0C09383030373839373839,1.3.6.1.4.1.4710.1.3.1=#0C0A0C083739393837393837,2.5.4.9=#0C120C106372612032302063616C6C6520313539,C=CO,O=Ubiquando,OU=Internet,CN=LDAP
>
> You must create your LDAP nodes even in the same order, this means that
> "CN=LDAP" is the top node.
>
> I assume that you have a config problem in your openca/etc/pub.conf,
> there is
>
> DN_TYPE_BASIC_BASE "OU" "O" "C"
>
> This means that "C" is the top node, its value is given by
All the requests are arriving through PKCS#10 requests and I have
modified it to be able to receive requests no matter the company, so in my
PKCS#10 section I have this:
DN_TYPE_PKCS10_REQUIRED_ELEMENTS "CN" "OU" "O" "C"
DN_TYPE_PKCS10_BASE "C"
## YES, EXIST, NO
DN_TYPE_PKCS10_ENFORCE_BASE "EXIST"
DN_TYPE_PKCS10_BASE_1 "CO"
ADDITIONAL_REQUEST_ATTRIBUTES "requestercn" "email" "department" "telephone"
ADDITIONAL_ATTRIBUTES_DISPLAY_VALUE "Name (first and Last name)" "Email" "Department" "Telephone"
ADDITIONAL_REQUEST_ATTRIBUTES_STRING_TYPE "LATIN1_LETTERS" "EMAIL" "LATIN1_LETTERS" "LATIN1_LETTERS"
The only change was to define only one base ("C"), to be able to accept
requests from many companies. The other relevant config option:
DN_TYPE_PKCS10_REQUIRED_ELEMENTS "CN" "OU" "O" "C"
is unchanged from installation. So, should I change this order to:
DN_TYPE_PKCS10_REQUIRED_ELEMENTS "C" "O" "OU" "CN"
> DN_TYPE_BASIC_BASE_3 "DE"
>
> Why 3? Unfortunately we start counting from the beginning of the base,
> so BASE_ELEMENT_1 is the first element of the base DB which IS NOT the
> topmost node !!!
Mm, so do I have to set my option base to this?:
DN_TYPE_PKCS10_BASE_3 "CO"
or even bigger? In some cases I will have a DN like:
"CN" "OU" "O" "L" "ST" "C"
so in this case the base should be 5??
> I think you have your problem here
There are really 2 problems; the other problem is how to configure
OpenCA to accept my new OIDs when trying to upload to LDAP.
I have set an rdn in ldap.xml like this:

<rdn>
  <attributetype>cn</attributetype>
  <must>
    <attributetype>cn</attributetype>
  </must>
  <may>
    <attributetype>ou</attributetype>
    <attributetype>st</attributetype>
    <attributetype>l</attributetype>
    <attributetype>mail</attributetype>
    <attributetype>emailAddress</attributetype>
    <!-- I added these three lines to tell that there will possibly be those
         fields -->
    <attributetype>nit</attributetype>
    <attributetype>cedula</attributetype>
    <attributetype>street</attributetype>
    <!-- I also tried using the oid numbers but I guess it didn't work -->
  </may>
  <structural>
    <objectclass>organizationalRole</objectclass>
  </structural>
  <auxiliary>
    <objectclass>opencaEmailAddress</objectclass>
    <objectclass>pkiCA</objectclass>
  </auxiliary>
</rdn>

Do I have to modify this file like I did to be able to upload
certificates with my 3 new OIDs?
Thanks for your help,
Johnny
> Oliver
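Editor's worked example, added to this archived thread (it is not code from Johnny, Oliver, or the OpenCA project): it parses the DN that Oliver quoted, decodes its "#hex" BER values (RFC 4514 hex form), lists the RDNs in LDAP tree order with the top node first, and computes the 1-based N for DN_TYPE_*_BASE_N under the counting rule Oliver describes. Assumptions: the BASE_N rule applies to every base list in pub.conf the same way (the thread only shows it for DN_TYPE_BASIC_BASE), 2.5.4.9 is mapped to "street" per RFC 4519, and the 1.3.6.1.4.1.4710.* OIDs are left numeric because the thread never names them. The DN string is the only input and is copied from the thread.

```python
# Added example (editor's, not OpenCA code): DN parsing and OpenCA base-index
# arithmetic for the DN quoted in the thread. Python 3 standard library only.
from typing import List, Tuple

# DN exactly as quoted in the thread: RFC 4514 string form, leaf RDN first.
THREAD_DN = (
    "serialNumber=4,"
    "1.3.6.1.4.1.4710.1.3.2=#0C0B0C09383030373839373839,"
    "1.3.6.1.4.1.4710.1.3.1=#0C0A0C083739393837393837,"
    "2.5.4.9=#0C120C106372612032302063616C6C6520313539,"
    "C=CO,O=Ubiquando,OU=Internet,CN=LDAP"
)

# Dotted OID of a standard attribute (RFC 4519). The 1.3.6.1.4.1.4710.* OIDs
# are private to the poster's arc and stay numeric: the thread never names them.
KNOWN_OIDS = {"2.5.4.9": "street"}


def split_rdns(dn: str) -> List[str]:
    """Split on commas that are not backslash-escaped (RFC 4514 section 2)."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def decode_hex_value(hex_digits: str) -> str:
    """Decode a '#hex' value: BER UTF8String (tag 0x0C, short-form length).
    The values in the thread carry a UTF8String wrapped inside another
    UTF8String, so the tag/length header is peeled until plain text is left."""
    raw = bytes.fromhex(hex_digits)
    while len(raw) >= 2 and raw[0] == 0x0C and raw[1] < 0x80 and raw[1] == len(raw) - 2:
        raw = raw[2:]
    return raw.decode("utf-8")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return (attribute, value) pairs in string order, leaf first."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        attr = KNOWN_OIDS.get(attr, attr)
        if value.startswith("#"):
            value = decode_hex_value(value[1:])
        rdns.append((attr, value))
    return rdns


def ldap_tree_order(dn: str) -> List[Tuple[str, str]]:
    """LDAP tree path, top node first: the string form lists the leaf first,
    so the last RDN of the string (CN=LDAP here) is the top of the tree."""
    return list(reversed(parse_dn(dn)))


def tree_path(dn: str) -> str:
    """Render the order in which the LDAP nodes have to be created."""
    return " -> ".join(f"{a}={v}" for a, v in ldap_tree_order(dn))


def openca_base_index(base: List[str], attr: str) -> int:
    """1-based N for DN_TYPE_*_BASE_N: position of attr in the BASE list,
    counted from its start (assumption: Oliver's rule applies to every base)."""
    return base.index(attr) + 1


if __name__ == "__main__":
    for attr, value in parse_dn(THREAD_DN):
        print(f"{attr:24} {value}")
    print("tree path:", tree_path(THREAD_DN))
    # DN_TYPE_BASIC_BASE "OU" "O" "C"  ->  C is BASE_3, as in Oliver's example
    print("BASIC base index of C:", openca_base_index(["OU", "O", "C"], "C"))
    # DN_TYPE_PKCS10_BASE "C"  ->  a single-element base list is BASE_1
    print("PKCS10 base index of C:", openca_base_index(["C"], "C"))
```

Two things worth checking against your own certificates before touching pub.conf or ldap.xml: the tree path printed here starts at CN=LDAP, which is the ordering Oliver says the LDAP nodes must follow, and the three "#hex" values decode to a UTF8String nested inside another UTF8String ("800789789", "79987987", "cra 20 calle 159"). The thread does not say whether that double wrapping is related to the LDAP errors, so treat it as an observation about the quoted DN, not a diagnosis.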
_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users