Hi,

it seems that your schema for the LDAP is incomplete. There's a small guide here:

http://www.openca.org/~madwolf/ch04s07.html

Basically what you have to do is to import the right schemas so that the attributes cACertificate, userCertificate are allowed. Also, remember that the structure of an LDAP server is like a tree: the parent node has to exist before you can add a child node. Also, the basedn is your root node - check your configs in both OpenCA and OpenLDAP.

This should help you,

Cheers,
Max

On 02/18/2011 05:42 AM, amert...@avameo.com wrote:
Hi There,

I've up and running an openCA PKI-Server 1.1.1 (fedora8 or Debian5) with openLDAP 2.4 (SLES11) and I really get rid off, getting them working together in a suitable way. I'm sure the reason is my small LDAP know-how and I don't want to become an LDAP guru. I just want to upload some CA and user certificates into my LDAP instance, but I'm getting crazy with bindDN, baseDN and RDN and where to configure what exactly. Sometimes I'm successful and I can see a certificate in my LDAP structure, but sometimes I get an error.

Of course I included the LDAP schema openca.schema on the LDAP server side. But are there any additional LDIF imports necessary?

Here you see my error, while I try to upload the CA certificate from the openCA web interface into the LDAP server:

Certificate 9 FAILED (error 65: attribute 'cACertificate;binary' not allowed)

Here's a detailed part from the LDAP server side log:

Feb 15 19:21:53 ip-10-227-42-19 slapd[1959]: Entry (dc=org,dc=openldap,dc=wien), attribute 'cACertificate;binary' not allowed
Feb 15 19:21:53 ip-10-227-42-19 slapd[1959]: entry failed schema check: attribute 'cACertificate;binary' not allowed
Feb 15 19:21:53 ip-10-227-42-19 slapd[1959]: hdb_modify: modify failed (65)
Feb 15 19:21:53 ip-10-227-42-19 slapd[1959]: send_ldap_result: conn=1015 op=4 p=3
Feb 15 19:21:53 ip-10-227-42-19 slapd[1959]: send_ldap_result: err=65 matched="" text="attribute 'cACertificate;binary' not allowed"
Feb 15 19:21:53 ip-10-227-42-19 slapd[1959]: send_ldap_response: msgid=5 tag=103 err=65
Feb 15 19:21:53 ip-10-227-42-19 slapd[1959]: conn=1015 op=4 RESULT tag=103 err=65 text=attribute 'cACertificate;binary' not allowed
Feb 15 19:21:53 ip-10-227-42-19 slapd[1959]: slap_graduate_commit_csn: removing 0xb7897278 20110215192153.874662Z#000000#000#000000

Is there an openLDAP / openCA tutorial which someone can recommend? I found nothing about this on the web.

Thx 4 help,
andy
germany

------------------------------------------------------------------------------
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb
_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users

--
Best Regards,

Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]            ope...@acm.org
                                            project.mana...@openca.org

Dartmouth Computer Science Dept               Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory                          Work Phone: +1 (603) 646-8734
--o------------------------------------------------------------------------
People who think they know everything are a great annoyance to those of
us who do.
                                                           -- Isaac Asimov
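
Added example, not part of the original thread and not OpenCA code: a Python sketch that reads the slapd schema-check line quoted above, builds the LDIF change adding an auxiliary object class that permits the rejected attribute, and lists the order in which entries under a base DN have to be created. The pkiCA/pkiUser mapping is taken from RFC 4523 and is assumed to be loaded in the server's schema; the function names and the example.org DNs are constructed for illustration.

```python
import re

# Auxiliary object classes from RFC 4523 that permit each certificate attribute
# (assumption: the server has these classes loaded).
ALLOWING_CLASS = {"cacertificate": "pkiCA", "usercertificate": "pkiUser"}

LOG_RE = re.compile(r"Entry \((?P<dn>[^)]*)\), attribute '(?P<attr>[^']+)' not allowed")

def parse_rejection(line):
    """Return (entry DN, attribute type) from a slapd schema-check line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Drop options such as ';binary' to get the attribute type itself.
    return m.group("dn"), m.group("attr").split(";")[0]

def missing_class_ldif(dn, attr):
    """LDIF change record that adds the auxiliary class permitting attr to dn."""
    cls = ALLOWING_CLASS[attr.lower()]
    return f"dn: {dn}\nchangetype: modify\nadd: objectClass\nobjectClass: {cls}\n"

def creation_order(dn, base_dn):
    """DNs from base_dn down to dn, parents first.
    Naive comma split: assumes no escaped commas in RDN values."""
    rdns = [r.strip() for r in dn.split(",")]
    base = [r.strip() for r in base_dn.split(",")]
    if [r.lower() for r in rdns[-len(base):]] != [r.lower() for r in base]:
        raise ValueError(f"{dn!r} is not under base DN {base_dn!r}")
    depth = len(rdns) - len(base)
    return [",".join(rdns[i:]) for i in range(depth, -1, -1)]

# Log line taken from the message above.
SAMPLE = ("Feb 15 19:21:53 ip-10-227-42-19 slapd[1959]: Entry (dc=org,dc=openldap,dc=wien), "
          "attribute 'cACertificate;binary' not allowed")

if __name__ == "__main__":
    dn, attr = parse_rejection(SAMPLE)
    print(missing_class_ldif(dn, attr))
    # Constructed DNs illustrating the parent-before-child rule.
    for d in creation_order("cn=Test CA,ou=pki,dc=example,dc=org", "dc=example,dc=org"):
        print(d)
```

The printed change record is in the format ldapmodify accepts; the certificate upload can be retried once the entry carries a class that allows the attribute.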