Hi Ashley,

Burk, Ashley wrote:

> Thanks for the response.  Here's a personal cert that will not post to LDAP:
> serialNumber=21,CN=testlec,OU=Datasylum,O=SNS Datacom,L=Tulsa,ST=Oklahoma,C=US
>
> Here's a webserver cert that will not post either:
> serialNumber=18,CN=wcgra.wcg.williams.com,OU=Information Security,O=Williams Communication,L=Tulsa,ST=OK,C=US
>
> Here is a cert that successfully posts to LDAP:
> serialNumber=0A,CN=Ashley Burk,OU=Employees,O=WCG,C=US

I think you have never used LDAP before, right?

An LDAP server is a tree. This means a DN is stored in the following way, for example:

server-root: O=WCG,C=US
1st sub-level: OU=Employees,O=WCG,C=US
2nd sub-level: CN=Ashley Burk,OU=Employees,O=WCG,C=US
3rd sub-level: serialNumber=0A,CN=Ashley Burk,OU=Employees,O=WCG,C=US (your cert is stored in this node of the tree)

The root of the tree does not have to be O=WCG,C=US, but I think you use this configuration - correct?

Every DN must be based on this root. OpenLDAP calls this root the "suffix" and we use the configuration option "basedn" (I use the OpenLDAP style now).

Example:

server cert: serialNumber=18,CN=wcgra.wcg.williams.com,OU=Information Security,L=Tulsa,ST=OK,O=WCG,C=US

The personal certificate is a problem because the only common part of the cert is the country. So you must set up an LDAP with suffix "c=us" or you must set up an LDAP with more than one root. This is possible with OpenLDAP v2.0.x. Please see "man slapd.conf" (see the suffix option).

personal cert: serialNumber=21,CN=testlec,OU=Datasylum,L=Tulsa,ST=Oklahoma,O=SNS Datacom,C=US

Another question: why do you include the state and the city in the server certs? Do you only do this because the default OpenSSL configuration asks for these fields during the request generation? If you don't need these fields you can simply enter "." there. Another option is to edit the request in the RA web interface of OpenCA and simply remove the L and ST fields.

There are two important reasons why you should not set these options.

1. You cannot move your servers without changing the certs.

2. You publish your internal structure to the world wide web without a reason.

Best regards

Michael
--
-------------------------------------------------------------------
Michael Bell Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter Email: [EMAIL PROTECTED]
Humboldt-University of Berlin Tel.: +49 (0)30-2093 2482
Unter den Linden 6 Fax: +49 (0)30-2093 2959
10099 Berlin
Germany http://www.openca.org
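The check Michael describes (a DN can only be published if its trailing RDNs equal a configured suffix/basedn), as an added example that is not part of the original message or of OpenCA. It uses the three DNs quoted in this thread; the suffixes "O=WCG,C=US" and "C=US" are assumed server configurations.

```python
"""Decide whether a certificate subject DN fits under an LDAP suffix (basedn).

Added example, not OpenCA code. Attribute types and values are compared
case-insensitively, as LDAP's caseIgnoreMatch does for o, ou, cn, c, st, l.
"""
from typing import List, Optional

# DNs quoted in the thread (constructed sample input for this example).
PERSONAL_DN = "serialNumber=21,CN=testlec,OU=Datasylum,O=SNS Datacom,L=Tulsa,ST=Oklahoma,C=US"
SERVER_DN = "serialNumber=18,CN=wcgra.wcg.williams.com,OU=Information Security,O=Williams Communication,L=Tulsa,ST=OK,C=US"
WORKING_DN = "serialNumber=0A,CN=Ashley Burk,OU=Employees,O=WCG,C=US"
SUFFIXES = ["O=WCG,C=US"]  # assumed slapd.conf suffix of the server in the thread


def split_rdns(dn: str) -> List[str]:
    """Split an RFC 2253 style DN on commas that are not escaped with a backslash."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def normalize_rdn(rdn: str) -> str:
    """Trim whitespace and lower-case type and value so 'O=WCG' equals 'o=wcg'."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def dn_under_suffix(dn: str, suffix: str) -> bool:
    """True if the DN ends with the suffix RDNs, i.e. the entry has a place in that tree."""
    dn_rdns = [normalize_rdn(r) for r in split_rdns(dn)]
    sfx_rdns = [normalize_rdn(r) for r in split_rdns(suffix)]
    return len(sfx_rdns) <= len(dn_rdns) and dn_rdns[-len(sfx_rdns):] == sfx_rdns


def matching_suffix(dn: str, suffixes: List[str]) -> Optional[str]:
    """Return the first configured suffix that can hold the DN, or None (the cert will not post)."""
    return next((s for s in suffixes if dn_under_suffix(dn, s)), None)
```

With `SUFFIXES = ["O=WCG,C=US"]` only `WORKING_DN` publishes; adding the suffix "C=US" (a second root, as the message suggests) makes all three publishable.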
_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users