Hello, all.  I've been fairly adventurous in testing OpenCA lately
including single database installations and using domain components
instead of O and C.  As part of the latter, I typically have two domain
component elements.  I also sometimes use multiple OUs in a dn.

This seems to be feasible using the old request files, e.g., here is a
snippet of ca.conf

DN_TYPE_BASIC_BASE     "DC" "DC"
# if you have more than one OU simply add them
# this works for all possible attributes
# DN_TYPE_BASIC_ELEMENTS "EMAIL" "CN" "OU" "OU"
DN_TYPE_BASIC_ELEMENTS "emailAddress" "CN" "OU" "OU" "O" "O"
DN_TYPE_BASIC_NAME     "Basic User Request"

DN_TYPE_BASIC_BASE_1 "mycompany"
DN_TYPE_BASIC_BASE_2 "com"

DN_TYPE_BASIC_ELEMENT_1                "E-Mail"
DN_TYPE_BASIC_ELEMENT_1_MINIMUM_LENGTH 7
DN_TYPE_BASIC_ELEMENT_1_REQUIRED       "NO"
DN_TYPE_BASIC_ELEMENT_1_CHARACTERSET   "EMAIL"

DN_TYPE_BASIC_ELEMENT_2                "Name"
DN_TYPE_BASIC_ELEMENT_2_MINIMUM_LENGTH 3
DN_TYPE_BASIC_ELEMENT_2_REQUIRED       "YES"
DN_TYPE_BASIC_ELEMENT_2_CHARACTERSET   "UTF8_LETTERS"

DN_TYPE_BASIC_ELEMENT_3                "Organizational Unit 1"
DN_TYPE_BASIC_ELEMENT_3_SELECT         "OfficeUsers" "Engineers" "HelpDesk" "Operators" "VPNGateways" "WebServers"
DN_TYPE_BASIC_ELEMENT_3_MINIMUM_LENGTH 2
DN_TYPE_BASIC_ELEMENT_3_REQUIRED       "YES"
DN_TYPE_BASIC_ELEMENT_3_CHARACTERSET   "LATIN1_LETTERS"

DN_TYPE_BASIC_ELEMENT_4                "Organizational Unit 2"
DN_TYPE_BASIC_ELEMENT_4_SELECT         "OfficeUsers" "Engineers" "HelpDesk" "Operators" "VPNGateways" "WebServers"
DN_TYPE_BASIC_ELEMENT_4_MINIMUM_LENGTH 2
DN_TYPE_BASIC_ELEMENT_4_REQUIRED       "NO"
DN_TYPE_BASIC_ELEMENT_4_CHARACTERSET   "LATIN1_LETTERS"

However, I'm running into problems with the new format using
browser_req.xml.  I commented out the rdns as I wanted it all
configurable from the request form.  Here is my dn section:

        <input>
            <name>cn</name>
            <label>Subject Name</label>
            <type>textfield</type>
            <charset>UTF8_LETTERS</charset>
            <value>$ADDITIONAL_ATTRIBUTE_UID</value>
            <minlen>2</minlen>
            <required>YES</required>
        </input>
        <input>
            <name>ou</name>
            <label>Certificate Group 1</label>
            <type>select</type>
            <charset>UTF8_MIXED</charset>
            <value>OfficeUsers</value>
            <value>Engineers</value>
            <value>HelpDesk</value>
            <value>Operators</value>
            <value>VPNGateways</value>
            <value>WebServers</value>
            <minlen>2</minlen>
            <required>YES</required>
        </input>
        <input>
            <name>ou</name>
            <label>Certificate Group 2</label>
            <type>select</type>
            <charset>UTF8_MIXED</charset>
            <value></value>
            <value>OfficeUsers</value>
            <value>Engineers</value>
            <value>HelpDesk</value>
            <value>Operators</value>
            <value>VPNGateways</value>
            <value>WebServers</value>
            <minlen>2</minlen>
            <required>NO</required>
        </input>
        <input>
            <name>o</name>
            <label>Organization 1</label>
            <type>select</type>
            <charset>UTF8_MIXED</charset>
            <value></value>
            <value>@ca_organization@</value>
            <value>a0000-0100</value>
            <minlen>2</minlen>
            <required>NO</required>
        </input>
        <input>
            <name>o</name>
            <label>Organization 2</label>
            <type>select</type>
            <charset>UTF8_MIXED</charset>
            <value></value>
            <value>Internal</value>
            <value>External</value>
            <value>SysAccounts</value>
            <minlen>2</minlen>
            <required>NO</required>
        </input>
        <input>
            <name>C</name>
            <label>Country</label>
            <type>select</type>
            <charset>UTF8_MIXED</charset>
            <value>@ca_country@</value>
            <value>GB</value>
            <minlen>2</minlen>
            <required>NO</required>
        </input>
        <input>
            <name>dc</name>
            <label>Domain Component</label>
            <type>select</type>
            <charset>UTF8_MIXED</charset>
            <value>mycompany</value>
            <minlen>1</minlen>
            <required>NO</required>
        </input>
        <input>
            <name>dc</name>
            <label>Domain Component</label>
            <type>select</type>
            <charset>UTF8_MIXED</charset>
            <value>com</value>
            <minlen>2</minlen>
            <required>NO</required>
        </input>

The problem is the multiple elements with the same name appear to be
confusing the request generation logic.  The first entry of the
duplicate name shows up twice.  For example, using the above snippet, if
I select what I think is cn=John,ou=Engineers,dc=mycompany,dc=com, the
request is generated as CN=John, OU=Engineers, OU=Engineers, O=, O=, C=,
DC=mycompany, DC=mycompany.

There are actually several problems here:
1) The ou field was only specified once but it appears twice with the
first value

2) Neither the O field nor the C field was specified.  We used a tag
of <value></value> and <required>NO</required> to represent a
non-present field, but it appears the request logic is interpreting this
as a present but empty field.

3) Both values were specified for dc but the first value is used twice
whereas the second value does not appear at all.

I tried changing the fields to make them unique, e.g., ou1, ou2, hoping
they would somehow map according to the ra.conf or ca.conf file, but
they do not.  I get a dn like CN=John, OU1=Engineers, OU2=, O1=, O2=, C=,
DC1=mycompany, DC2=com.

So how do we use multiple elements and represent optional elements of
type select in browser_req.xml? Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsulli...@opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
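As an added illustration (not OpenCA's code and not part of the original message), the Python below builds the DN from the `<input>` order of the browser_req.xml fragment above, matching repeated names by position and omitting optional fields left empty, next to a reconstruction of a name-keyed lookup that yields exactly the duplicated OU and DC the post reports. The XML fragment and the form values are constructed from the snippet in the message.

```python
import xml.etree.ElementTree as ET

# Constructed <dn> fragment modelled on the post's <input> blocks; not OpenCA's file.
BROWSER_REQ = """<dn>
  <input><name>cn</name><type>textfield</type><required>YES</required></input>
  <input><name>ou</name><type>select</type><required>YES</required></input>
  <input><name>ou</name><type>select</type><required>NO</required></input>
  <input><name>o</name><type>select</type><required>NO</required></input>
  <input><name>dc</name><type>select</type><required>NO</required></input>
  <input><name>dc</name><type>select</type><required>NO</required></input>
</dn>"""

def escape_rdn_value(value):
    """Escape the characters RFC 4514 reserves inside an attribute value."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def build_dn(xml_text, submitted):
    """Assemble the DN in <input> order. `submitted` is the (name, value)
    list as the form posts it; the n-th field called `ou` feeds the n-th
    <input> named `ou`, so repeated names are matched by position."""
    values, posted = {}, {}
    for name, value in submitted:
        idx = posted.get(name, 0)
        posted[name] = idx + 1
        values[(name, idx)] = value
    rdns, seen = [], {}
    for inp in ET.fromstring(xml_text).findall("input"):
        name = inp.findtext("name")
        idx = seen.get(name, 0)
        seen[name] = idx + 1
        value = values.get((name, idx), "").strip()
        if not value:
            if inp.findtext("required") == "YES":
                raise ValueError("missing required attribute %s" % name)
            continue  # optional <value></value>: omit the RDN entirely
        rdns.append("%s=%s" % (name.upper(), escape_rdn_value(value)))
    return ",".join(rdns)

def build_dn_keyed_by_name(xml_text, submitted):
    """Reconstruction of the symptom in the post, not OpenCA's code: keying
    posted fields by name alone makes every repeated <input> read the first
    value, so one OU choice appears twice and the second DC is lost."""
    first = {}
    for name, value in submitted:
        first.setdefault(name, value)
    names = [i.findtext("name") for i in ET.fromstring(xml_text).findall("input")]
    return ",".join("%s=%s" % (n.upper(), first.get(n, "")) for n in names)
```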


_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users