Hi,

I'm still just guessing because I haven't tried to use OpenCA with AD.

OpenCA needs special object classes in the schema of the LDAP server. In the 
source directory you can find the file "contrib/openldap/openca.schema" in 
which these object classes are defined for OpenLDAP. 
So you probably have to extend the AD schema with these object classes if you 
haven't done so already.

This could explain the error with the caCertificate because in my OpenLDAP the 
CA Certificate is stored in an entry with the objectclass pkiCA which I 
couldn't find in our AD schema.

As for the error with the user certificate, you should compare the subject of 
the certificate with your LDAP base DN to check whether they match. (It probably will 
fail anyway because OpenCA seems to use the two objectClasses pkiUser and 
opencaEmailAddress, which don't seem to be defined in the standard AD schema 
either.)

Perhaps you can configure OpenCA not to use these special object classes, but I 
don't know how to do this. Take a look at OpenCA/etc/ldap.xml.

Regards
Johannes Derek
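The two checks suggested above (does the certificate subject sit below the configured base DN, and does the directory schema offer the object classes OpenCA writes) can be done offline before touching the directory. The following is an added example, not code from the thread or from OpenCA; the object class names and the base DN "o=openca, c=ES" are taken from this thread, the sample subjects and the Active Directory object class set are constructed, and the DN handling is a simplification (no multi-valued RDNs, no escaped slashes in OpenSSL-style subjects).

```python
import re

# Object classes the reply says OpenCA relies on (from contrib/openldap/openca.schema).
REQUIRED_OBJECT_CLASSES = {
    "ca": {"pkiCA"},
    "user": {"pkiUser", "opencaEmailAddress"},
}


def normalize_dn(dn):
    """Accept either RFC 4514 form ("cn=a,o=b,c=ES") or OpenSSL's slash form
    ("/C=ES/O=b/CN=a", least specific first) and return RFC 4514 form.
    Escaped slashes inside values are not handled (simplification)."""
    dn = dn.strip()
    if dn.startswith("/"):
        parts = [p for p in dn.split("/") if p]
        return ",".join(reversed(parts))
    return dn


def parse_dn(dn):
    """Split a DN into a list of (type, value) tuples, most specific RDN first.
    A comma escaped with a backslash stays inside the value; multi-valued
    RDNs ("cn=a+sn=b") are treated as a single value (simplification)."""
    rdns = []
    for part in re.split(r"(?<!\\),", normalize_dn(dn)):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        # Compare case-insensitively, as caseIgnoreMatch does for o, c and cn.
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under_base(subject_dn, base_dn):
    """True when subject_dn is strictly below base_dn, i.e. the base DN's RDNs
    are the tail of the subject's RDN list."""
    subj, base = parse_dn(subject_dn), parse_dn(base_dn)
    return len(subj) > len(base) and subj[-len(base):] == base


def missing_object_classes(kind, schema_classes):
    """Object classes OpenCA expects for `kind` ("ca" or "user") that the
    directory schema does not define."""
    have = {c.lower() for c in schema_classes}
    return {c for c in REQUIRED_OBJECT_CLASSES[kind] if c.lower() not in have}


def diagnose(kind, subject_dn, base_dn, schema_classes):
    """Return a list of human-readable findings for one export attempt;
    an empty list means neither check flagged anything."""
    findings = []
    if not is_under_base(subject_dn, base_dn):
        findings.append(f"subject {subject_dn!r} is not under base DN {base_dn!r} "
                        "(matches the 'Distinguished name conflicts with basedn(s)' error)")
    missing = missing_object_classes(kind, schema_classes)
    if missing:
        findings.append("schema lacks object class(es): " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    # Constructed sample values; only the base DN comes from the thread.
    base = "o=openca, c=ES"
    constructed_ad_classes = {"top", "person", "organizationalPerson", "user"}
    samples = [
        ("ca", "/C=ES/O=openca/CN=Example Root CA"),
        ("user", "cn=Example User,cn=Users,dc=corp,dc=example"),
    ]
    for kind, subject in samples:
        for line in diagnose(kind, subject, base, constructed_ad_classes) or ["no findings"]:
            print(f"{kind}: {line}")
```

Run against a real deployment, the schema set would be read from the directory's subschema entry and the subject from the certificate itself; the point of the offline version is that both error classes in the thread can be predicted from those two inputs alone.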

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of José E. López
Sent: Friday, January 27, 2006 1:18 PM
To: [email protected]
Subject: Re: [Openca-Users] Fwd: Problem to export certificates to Active 
Directory


Thanks Johannes,

It works, at least I get a different error message. I don't know so much about 
LDAP.

Now when I try to export the CA certificate I get:

Certificate 0 FAILED (error 16: LDAP-add failed: 00000057: LdapErr: 
DSID-0C09098B, comment: Error in attribute conversion operation, data 0, v893

But if I try to export all certificates I get a different error:

Exporting valid certificates to LDAP ...
Certificate 2 FAILED (error -4: Distinguished name conflicts with basedn(s).)

Finally, if I export CRL I get another error:

Pushing CRL 6 to LDAP ...
Cannot write CRL to LDAP (error 1: 000020D6: SvcErr: DSID-03100684, problem 
5012 (DIR_ERROR), data 0
Any ideas? 
Thanks

Jose

 
2006/1/26, [EMAIL PROTECTED] <[EMAIL PROTECTED]>: 
Hi,

it's just a guess but I think you have to specify the full dn of the 
administrator in the login field. 
For example:
...
<login>cn=administrator,cn=users,o=openca, c=ES</login>
...

Regards
Johannes Derek

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of José Eleuterio 
López
Sent: Thursday, January 26, 2006 10:55 AM 
To: [email protected]
Subject: [Openca-Users] Fwd: Problem to export certificates to Active Directory


Hi all,
My last message was still incomplete; I hope this one will be OK. 
I have installed and configured OpenCA and it works fine. My organization uses 
Active Directory and we want to export certificates there.
I thought that OpenCA could work with it, but when I try to export it doesn't 
work. 
Any ideas? Can OpenCA export certificates to Active Directory? Is there a 
misconfiguration? Do I need to configure Active Directory?
Below you can find the error messages and the configuration files.
When I try to export certificates I get: 
Exporting valid certificates to LDAP ...
Certificate 2 FAILED (error 49: LDAP-bind failed: 80090308: LdapErr: 
DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
In stderr.log file:

DBD::mysql::st execute failed: Unknown system variable 'NAMES' at 
/usr/lib/perl5/site_perl/5.8.3/OpenCA/DBI.pm line 2544. 


My ldap.xml file:

<suffix>
    <dn>o=openca, c=ES</dn>
</suffix>
<host>172.x.x.x</host>
<port>389</port>

<..........>
<chain>/usr/local/openca/var/crypto/chain</chain>
<login>administrator</login>
<passwd>xxxxxxxxxxxx</passwd>
<...........>

My ldap.conf file:

LDAP "yes"
LDAP_CRL_Issuer ""
LDAP_CA_DN      ""

My node.conf file:

LDAP "yes"
updateLDAPautomatic "yes"

Thanks
Jose


------------------------------------------------------- 
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK! 
http://sel.as-us.falkag.net/sel?cmdlnk&kid3432&bid#0486&dat1642
_______________________________________________ 
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users 

