On Fri, 2009-01-02 at 23:04 -0500, John A. Sullivan III wrote:
> Hello, all. I've been fairly adventurous in testing OpenCA lately
> including single database installations and using domain components
> instead of O and C. As part of the latter, I typically have two domain
> component elements. I also sometimes use multiple OUs in a dn.
>
> This seems to be feasible using the old request files, e.g., here is a
> snippet of ca.conf
>
> DN_TYPE_BASIC_BASE "DC" "DC"
> # if you have more than one OU simply add them
> # this works for all possible attributes
> # DN_TYPE_BASIC_ELEMENTS "EMAIL" "CN" "OU" "OU"
> DN_TYPE_BASIC_ELEMENTS "emailAddress" "CN" "OU" "OU" "O" "O"
> DN_TYPE_BASIC_NAME "Basic User Request"
>
> DN_TYPE_BASIC_BASE_1 "mycompany"
> DN_TYPE_BASIC_BASE_2 "com"
>
> DN_TYPE_BASIC_ELEMENT_1 "E-Mail"
> DN_TYPE_BASIC_ELEMENT_1_MINIMUM_LENGTH 7
> DN_TYPE_BASIC_ELEMENT_1_REQUIRED "NO"
> DN_TYPE_BASIC_ELEMENT_1_CHARACTERSET "EMAIL"
>
> DN_TYPE_BASIC_ELEMENT_2 "Name"
> DN_TYPE_BASIC_ELEMENT_2_MINIMUM_LENGTH 3
> DN_TYPE_BASIC_ELEMENT_2_REQUIRED "YES"
> DN_TYPE_BASIC_ELEMENT_2_CHARACTERSET "UTF8_LETTERS"
>
> DN_TYPE_BASIC_ELEMENT_3 "Organizational Unit 1"
> DN_TYPE_BASIC_ELEMENT_3_SELECT "OfficeUsers" "Engineers" "HelpDesk" "Operators" "VPNGateways" "WebServers"
> DN_TYPE_BASIC_ELEMENT_3_MINIMUM_LENGTH 2
> DN_TYPE_BASIC_ELEMENT_3_REQUIRED "YES"
> DN_TYPE_BASIC_ELEMENT_3_CHARACTERSET "LATIN1_LETTERS"
>
> DN_TYPE_BASIC_ELEMENT_4 "Organizational Unit 2"
> DN_TYPE_BASIC_ELEMENT_4_SELECT "OfficeUsers" "Engineers" "HelpDesk" "Operators" "VPNGateways" "WebServers"
> DN_TYPE_BASIC_ELEMENT_4_MINIMUM_LENGTH 2
> DN_TYPE_BASIC_ELEMENT_4_REQUIRED "NO"
> DN_TYPE_BASIC_ELEMENT_4_CHARACTERSET "LATIN1_LETTERS"
>
> However, I'm running into problems with the new format using
> browser_req.xml. I commented out the rdns as I wanted it all
> configurable from the request form. Here is my dn section:
>
> <input>
>   <name>cn</name>
>   <label>Subject Name</label>
>   <type>textfield</type>
>   <charset>UTF8_LETTERS</charset>
>   <value>$ADDITIONAL_ATTRIBUTE_UID</value>
>   <minlen>2</minlen>
>   <required>YES</required>
> </input>
> <input>
>   <name>ou</name>
>   <label>Certificate Group 1</label>
>   <type>select</type>
>   <charset>UTF8_MIXED</charset>
>   <value>OfficeUsers</value>
>   <value>Engineers</value>
>   <value>HelpDesk</value>
>   <value>Operators</value>
>   <value>VPNGateways</value>
>   <value>WebServers</value>
>   <minlen>2</minlen>
>   <required>YES</required>
> </input>
> <input>
>   <name>ou</name>
>   <label>Certificate Group 2</label>
>   <type>select</type>
>   <charset>UTF8_MIXED</charset>
>   <value></value>
>   <value>OfficeUsers</value>
>   <value>Engineers</value>
>   <value>HelpDesk</value>
>   <value>Operators</value>
>   <value>VPNGateways</value>
>   <value>WebServers</value>
>   <minlen>2</minlen>
>   <required>NO</required>
> </input>
> <input>
>   <name>o</name>
>   <label>Organization 1</label>
>   <type>select</type>
>   <charset>UTF8_MIXED</charset>
>   <value></value>
>   <value>@ca_organization@</value>
>   <value>a0000-0100</value>
>   <minlen>2</minlen>
>   <required>NO</required>
> </input>
> <input>
>   <name>o</name>
>   <label>Organization 2</label>
>   <type>select</type>
>   <charset>UTF8_MIXED</charset>
>   <value></value>
>   <value>Internal</value>
>   <value>External</value>
>   <value>SysAccounts</value>
>   <minlen>2</minlen>
>   <required>NO</required>
> </input>
> <input>
>   <name>C</name>
>   <label>Country</label>
>   <type>select</type>
>   <charset>UTF8_MIXED</charset>
>   <value>@ca_country@</value>
>   <value>GB</value>
>   <minlen>2</minlen>
>   <required>NO</required>
> </input>
> <input>
>   <name>dc</name>
>   <label>Domain Component</label>
>   <type>select</type>
>   <charset>UTF8_MIXED</charset>
>   <value>mycompany</value>
>   <minlen>1</minlen>
>   <required>NO</required>
> </input>
> <input>
>   <name>dc</name>
>   <label>Domain Component</label>
>   <type>select</type>
>   <charset>UTF8_MIXED</charset>
>   <value>com</value>
>   <minlen>2</minlen>
>   <required>NO</required>
> </input>
>
> The problem is the multiple elements with the same name appear to be
> confusing the request generation logic. The first entry of the
> duplicate name shows up twice. For example, using the above snippet, if
> I select what I think is cn=John,ou=Engineers,dc=mycompany,dc=com, the
> request is generated as CN=John, OU=Engineers, OU=Engineers, O=, O=, C=,
> DC=mycompany, DC=mycompany.
>
> There are actually several problems here:
>
> 1) The ou field was only specified once but it appears twice with the
> first value.
>
> 2) The O field was not specified at all, nor the C field. We used a tag
> of <value></value> and <required>NO</required> to represent a
> non-present field, but it appears the request logic is interpreting this as a
> present but empty field.
>
> 3) Both values were specified for dc, but the first value is used twice
> whereas the second value does not appear at all.
>
> I tried changing the fields to make them unique, e.g., ou1, ou2, hoping
> they would somehow map according to the ra.conf or ca.conf file, but they
> do not. I get a dn like CN=John, OU1=Engineers, OU2=, O1=, O2=, C=,
> DC1=mycompany, DC2=com
>
> So how do we use multiple elements and represent optional elements of
> type select in browser_req.xml? Thanks - John

I should mention that after the request has been given to the RA, the edit
request form shows the empty fields have been stripped. However, the
duplicate fields are still a problem.

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsulli...@opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
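The duplicate-name behaviour described in the thread, as an added example that is not OpenCA's code: a small Python script reads `<input>` fields from a constructed XML fragment mirroring the post's browser_req.xml layout, shows how a name-keyed lookup would produce exactly the DN John reports (an assumption about one way the symptom can arise, not a confirmed reading of OpenCA's request logic), and then pairs fields with submitted values positionally instead, dropping empty optional fields, rejecting empty required ones and RFC 4514-escaping values. The XML, the submitted values and all function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the <input> layout of the browser_req.xml
# snippet in the post (labels, charsets and <value> lists omitted).
FORM_XML = """<dn>
  <input><name>cn</name><type>textfield</type><required>YES</required></input>
  <input><name>ou</name><type>select</type><required>YES</required></input>
  <input><name>ou</name><type>select</type><required>NO</required></input>
  <input><name>o</name><type>select</type><required>NO</required></input>
  <input><name>o</name><type>select</type><required>NO</required></input>
  <input><name>C</name><type>select</type><required>NO</required></input>
  <input><name>dc</name><type>select</type><required>NO</required></input>
  <input><name>dc</name><type>select</type><required>NO</required></input>
</dn>"""
# Constructed submission in form-field order; the second ou, both o fields
# and C were left on the empty <value></value> choice, as in the post.
SUBMITTED = ["John", "Engineers", "", "", "", "", "mycompany", "com"]

def field_specs(xml_text):
    """Return (name, required) per <input>, preserving document order."""
    root = ET.fromstring(xml_text)
    return [(i.findtext("name"), i.findtext("required") == "YES")
            for i in root.findall("input")]

def escape_rdn_value(value):
    """Core RFC 4514 escaping so a value cannot add or split RDNs."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    return "\\" + out if out[:1] in ("#", " ") else out

def build_dn_by_name(specs, values):
    """Assumed cause of the symptom: a name-keyed lookup yields the first
    value for every repeated attribute and emits empty optionals as ATTR=."""
    first = {}
    for (name, _), val in zip(specs, values):
        first.setdefault(name, val)
    return ",".join(f"{name.upper()}={first[name]}" for name, _ in specs)

def build_dn_positional(specs, values):
    """Fixed variant: pair by position, skip empty optionals, reject empty
    required fields, escape values."""
    rdns = []
    for (name, required), val in zip(specs, values):
        if val == "" and required:
            raise ValueError(f"required attribute {name} is empty")
        if val:
            rdns.append(f"{name.upper()}={escape_rdn_value(val)}")
    return ",".join(rdns)
```

Running `build_dn_by_name(field_specs(FORM_XML), SUBMITTED)` reproduces the reported `CN=John,OU=Engineers,OU=Engineers,O=,O=,C=,DC=mycompany,DC=mycompany`, while `build_dn_positional` yields `CN=John,OU=Engineers,DC=mycompany,DC=com`.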