Hi,

> - I had to add the openca.schemai file, but had to modify it from the latest
> version to only include the objectclasses:
> * opencaUniquelyIdentifiedUser
> * opencaEmailAddress
> * opencaSCEPDevice
> Are those really _needed_ in a normal environment, they sound fairly
> specific to me? I wouldn't want to force the customer to change their
> schema without it actually making sense ...

Any schema one wants to use must match the schema settings in ldappublic.xml, which define the DN conversion rules. So the right way is to change ldappublic.xml according to the LDAP schema the customer is used to and to the DN conversion rules you want to implement.

> - What's with the sn=NOT SUBSTITUTED YET, can I turn that off? What's
> the purpose of modifying entries apart from userCertificate anyways?

The DN conversion rules specified in the current version of ldappublic.xml use objectClass 'person', which requires both 'cn' and 'sn' attributes to be specified in the DN. Some certificate profiles in the OpenXPKI version which was installed for LDAP testing had no 'sn' field; that is why the 'sn=NOT SUBSTITUTED YET' workaround was hardcoded in ./OpenXPKI/Server/Workflow/Activity/CertLdapPublish/AddMissingNode.pm

It can certainly be turned off, provided that three entities match each other:
- the DN conversion rules in ldappublic.xml
- the LDAP schema
- the certificate profiles in OpenXPKI (profile.xml).

> - The customer wants the certificate DNs to be different from the LDAP
> DNs (which I guess is a fairly typical situation), I don't think this
> is possible with the current code yet, am I correct? If so, I'd try
> adding a workflow activity that tries to map a certificate DN to an
> LDAP DN (for example by extracting the CN, searching for it below a
> certain base DN and then using the found DN as the certificate DN -
> fully configurable, of course) - do you think this makes sense?

All the conversions are performed in AddMissingNode.pm according to the conversion rules in ldappublic.xml. See http://www7.openxpki.org/docs/openxpki-ldap.pdf

Some details have changed since the document was created, but the DN conversion mechanism is described correctly.

Best regards,
Petr Grigoriev.
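As an added illustration of the point made in this thread (that the DN conversion rules, the LDAP schema and the certificate profile must agree), the following Python snippet maps a certificate subject DN to an LDAP DN and checks the resulting entry against the MUST attributes of the configured object classes. It is example code written for this discussion, not OpenXPKI's AddMissingNode.pm, and the `RULES` dictionary is a hypothetical stand-in for ldappublic.xml rather than its real format. Instead of hard-coding a placeholder such as `sn=NOT SUBSTITUTED YET`, it reports the missing attribute so the mismatch between profile, rules and schema is caught before anything is published.

```python
import re

# Split a DN on commas that are not escaped with a backslash (RFC 4514,
# simplified: only the '\,' escape is handled here).
_RDN_SPLIT = re.compile(r'(?<!\\),')


def parse_dn(dn):
    """Return a DN as a list of (attribute, value) pairs, attribute names
    lower-cased and '\\,' unescaped back to a plain comma."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.strip().partition('=')
        if not sep or not attr.strip():
            raise ValueError('malformed RDN: %r' % rdn)
        rdns.append((attr.strip().lower(), value.strip().replace('\\,', ',')))
    return rdns


def format_dn(rdns):
    """Serialise (attribute, value) pairs back to a DN string, escaping commas."""
    return ','.join('%s=%s' % (attr, value.replace(',', '\\,')) for attr, value in rdns)


# Hypothetical conversion rules standing in for ldappublic.xml (constructed
# for this example; the real file's format is not reproduced here).
RULES = {
    'base_dn': 'ou=people,dc=example,dc=com',
    'keep_rdns': ['cn'],           # RDN types carried over from the certificate DN
    'object_classes': ['person'],  # object classes the published entry will use
}

# MUST attributes of the object classes above, from the core LDAP schema.
MUST_ATTRIBUTES = {'person': {'cn', 'sn'}}


def _kept_rdns(cert_dn, rules):
    """Pick the first occurrence of each RDN type listed in keep_rdns."""
    cert_rdns = parse_dn(cert_dn)
    kept = []
    for wanted in rules['keep_rdns']:
        for attr, value in cert_rdns:
            if attr == wanted:
                kept.append((attr, value))
                break
        else:
            raise ValueError('certificate DN has no %s RDN' % wanted)
    return kept


def convert_dn(cert_dn, rules=RULES):
    """Map a certificate subject DN to its LDAP DN under the rule's base DN."""
    return format_dn(_kept_rdns(cert_dn, rules) + parse_dn(rules['base_dn']))


def build_entry(cert_dn, extra_attrs, rules=RULES):
    """Build the LDAP entry for a certificate and list the MUST attributes of
    the configured object classes that are still missing.  Missing attributes
    are reported, never filled with a dummy value."""
    kept = _kept_rdns(cert_dn, rules)
    ldap_dn = format_dn(kept + parse_dn(rules['base_dn']))
    entry = {'objectClass': list(rules['object_classes'])}
    entry.update(kept)
    for attr, value in extra_attrs.items():
        entry[attr.lower()] = value
    required = set()
    for oc in rules['object_classes']:
        required |= MUST_ATTRIBUTES.get(oc, set())
    missing = sorted(required - set(entry))
    return ldap_dn, entry, missing


if __name__ == '__main__':
    # Constructed sample: a profile that does provide 'sn' and one that does not.
    for attrs in ({'sn': 'Doe', 'mail': 'jane.doe@example.com'}, {'mail': 'jane.doe@example.com'}):
        dn, entry, missing = build_entry('CN=Jane Doe,OU=Staff,O=Example Corp,C=DE', attrs)
        print(dn, 'missing:', missing or 'none')
```

With the profile that omits `sn`, `build_entry` returns `missing == ['sn']`, which is exactly the situation the hard-coded workaround papered over; the fix belongs in profile.xml, ldappublic.xml or the schema, not in the publishing code.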
_______________________________________________
OpenXPKI-devel mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-devel
