Hi,

Finally I found some time to run a test using an LDAP directory storing the CRL and the Root CA. I basically used the following setup:

=====================================
........
.........
# Example section using LDAP for data retrieval
dbms = dbms_ldap

# Example section using FILES for data retrieval
# dbms = dbms_file

[ dbms_ldap ]
0.ca = @ldap_ca_1

[ ldap_ca_1 ]
crl_url = ldap://10.2.91.241:389
crl_entry_dn = "cn=ngrca, ou=services, o=ema"
crl_entry_attribute = "certificateRevocationList;binary"
ca_entry_dn = "cn = ntsgroot, ou=services, o=ema"
..........
..........
=====================================

I took a LAN trace with Ethereal but there is no LDAP activity at all. Communication between the OCSP responder and the LDAP server is fine. I can as well store certificates and CRLs using the same LDAP server by making use of the SuSE YaST CA tool.

The debug output of the daemon returns:

======================================
dus-lab-lnkgast:/etc/ocspd #
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1602]: OpenCA OCSPD v - starting.
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1602]: Using configuration from //etc/ocspd/ocspd.conf
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1602]: section set to OCSPD_default
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1602]: Using Engine 'LunaCA3'
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1602]: Added 'login:1:10:11:myPassword' to PRE COMMANDS
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1602]: Initialising HSM [LunaCA3]
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1602]: invalid engine "LunaCA3"
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1602]: reading certificate file (//etc/ocspd/certs/ocspd_cert.pem).
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1602]: Reading Private Key file //etc/ocspd/private/ocspd_key.pem
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1602]: reading CA certificate file.
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1602]: OCSP Daemon setup completed
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1602]: variable lookup failed for OCSPD_default::max_childs_num
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1602]: variable lookup failed for OCSPD_default::chroot
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1602]: Auto CRL reload every 3600 secs
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1602]: Reload on expired CRLs enabled
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1602]: Number of CAs in configuration is 1
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1602]: variable lookup failed for ldap_ca_1::ca_url
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1602]: CRL validity check every 600 sec.
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1602]: Configuration loaded and parsed
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1603]: Successfully binded to *:8888
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1603]: Pre-Spawning 5 processes (live 0)
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1603]: Add Child to List child [1604]
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1603]: Add Child to List child [1605]
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1603]: Add Child to List child [1606]
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1603]: Add Child to List child [1607]
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1603]: Add Child to List child [1608]
Oct 2 20:38:27 dus-lab-lnkgast ocspd[1603]: server.c:809 Active Childrens [ 5 ]
==================================================

Any kind of ideas or help would be nice.

Best Regards
Klaus

On Thu, 2006-09-21 at 20:27 +0200, Massimiliano Pala wrote:
> Klaus Gast wrote:
> > Hi Max,
>
> Hello,
>
> > First of all I got the OCSP responder working based on your help.
>
> Great!
>
> > On Open SuSE 10 the following steps were required:
> > 1) Additional Packages:
> > =============================
> > - cyrus-sasl-devel.rpm
> > - openldap2-devel.rpm
> > - openssl-devel-0.9.7g-2
> > (openssl-0.9.7g-2.6 and kernel sources were already installed)
> > =============================
>
> This information is interesting, I am repackaging the projects and I am
> also making new spec files for RPMs.. so I guess it is useful to have those
> infos, thanks! Maybe when I have the new versions, could you please try to
> build the binary packages on your SuSE installation(s)? So that we can add
> the distribution to the ones directly downloadable from our website?
>
> > 2) run: "./configure --with-openldap-prefix=/usr/lib/ (as suggested)
> [...]
> > As next step I will place the CRL as objects into an LDAP tree.
>
> Let us know if you encounter problems... keep in mind it is sometimes tricky
> to deal with LDAP structures (especially if the server is used for different
> purposes), so be patient :-D I found a nice LDAP browsing tool.. it is quite
> old but it helped me when I had to deal with LDAP servers I did not have
> control over. It is called "GQ LDAP Client" and it should be available on the
> freshmeat.net website.. or at this site:
>
> http://biot.com/gq/
>
> It can be a little tricky to install.. be prepared! But it is a nice and
> useful tool (not JAVA!!!!) :-D
>
> > Thanks for the fast response !!!
>
> :-D Thanks for providing feedback!!!
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash.
> Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys -- and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Openca-Users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openca-users
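As an added diagnostic example (not OpenCA code and not from either mail), here is a small Python linter for the ocspd.conf excerpt above. It parses the OpenSSL-style CONF syntax, follows the "0.ca = @ldap_ca_1" reference the way the daemon's "Number of CAs in configuration is 1" line implies, and reports which of the keys seen in the config and the log are absent from the CA section, for example the "ldap_ca_1::ca_url" lookup the log reports failing. The [ OCSPD_default ] header wrapping "dbms = dbms_ldap", the list of keys checked, and the DN whitespace warning are assumptions made for the example, not documented OCSPD requirements.

```python
"""Lint an OpenCA OCSPD-style config for its LDAP CRL source section.

Added example, not OpenCA code. The set of keys checked is taken from the
config and log excerpts in the mail (assumption: these are the keys the
daemon looks up); the [ OCSPD_default ] header is assumed as well.
"""
import re

# Constructed config excerpt mirroring the one in the mail.
SAMPLE_CONF = """
[ OCSPD_default ]
dbms = dbms_ldap

[ dbms_ldap ]
0.ca = @ldap_ca_1

[ ldap_ca_1 ]
crl_url = ldap://10.2.91.241:389
crl_entry_dn = "cn=ngrca, ou=services, o=ema"
crl_entry_attribute = "certificateRevocationList;binary"
ca_entry_dn = "cn = ntsgroot, ou=services, o=ema"
"""

# Keys seen in the mail's config plus the ca_url lookup the log shows failing
# (assumption: whether each one is mandatory is not stated on the page).
LOOKED_UP_KEYS = ("crl_url", "crl_entry_dn", "crl_entry_attribute",
                  "ca_url", "ca_entry_dn")


def parse_conf(text):
    """Parse OpenSSL-style CONF text into {section: {key: value}}.
    Keys before the first [section] header land in "default"."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        header = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        # CONF allows quoted values; remove one layer of surrounding quotes
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        sections[current][key] = value
    return sections


def resolve_ca_sections(conf, dbms_section):
    """Follow the 'N.ca = @section' indirections of a dbms section and
    return [(section_name, section_dict_or_None), ...] in key order."""
    found = []
    for key, value in sorted(conf.get(dbms_section, {}).items()):
        if key.endswith(".ca") and value.startswith("@"):
            ref = value[1:]
            found.append((ref, conf.get(ref)))
    return found


def lint(text):
    """Return {"missing": [...], "warnings": [...]} for a config text."""
    conf = parse_conf(text)
    missing, warnings = [], []
    defaults = conf.get("OCSPD_default", {})
    dbms = defaults.get("dbms")
    if dbms is None:
        missing.append("OCSPD_default::dbms")
        return {"missing": missing, "warnings": warnings}
    # The log shows these two lookups failing; treat them as informational.
    for opt in ("max_childs_num", "chroot"):
        if opt not in defaults:
            warnings.append(f"OCSPD_default::{opt} not set (daemon logs a failed lookup)")
    cas = resolve_ca_sections(conf, dbms)
    if not cas:
        missing.append(f"{dbms}::0.ca")
    for name, sec in cas:
        if sec is None:
            missing.append(f"{name} (referenced section does not exist)")
            continue
        for key in LOOKED_UP_KEYS:
            if key not in sec:
                missing.append(f"{name}::{key}")
        for key in ("crl_url", "ca_url"):
            url = sec.get(key)
            if dbms == "dbms_ldap" and url and not url.startswith("ldap"):
                warnings.append(f"{name}::{key} is not an ldap:// URL: {url}")
        # Flag DNs whose spacing differs from the others, so the operator can
        # confirm the value matches the DN as stored in the directory.
        for key, value in sec.items():
            if key.endswith("_dn") and re.search(r"\s=|=\s", value):
                warnings.append(f"{name}::{key} has whitespace around '='; confirm it matches the entry's DN")
    return {"missing": missing, "warnings": warnings}


if __name__ == "__main__":
    report = lint(SAMPLE_CONF)
    for item in report["missing"]:
        print("MISSING:", item)
    for item in report["warnings"]:
        print("WARNING:", item)
```

Run against the excerpt it prints one MISSING line for ldap_ca_1::ca_url and warnings for the two unset OCSPD_default variables and the differently spaced ca_entry_dn, which is the same set of failed lookups the daemon's log above reports, without having to start the daemon or take a trace.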
