Patrick Patterson wrote, on 25-02-2008 21:25:
I am working on a PKI project, and would like to be able to use
OpenLDAP, however, the certificate policy that we have to conform to
mandates that CA entries be a member of pkiCA and cpCps auxiliary object
classes. Now, the pkiCA requirement is easy, as it looks like OpenLDAP
supports that just fine, however, I'm wondering if cpCps is able to be
I guess my question is twofold:
Have the syntax checking routines mandated for the cpCps object class (I
presume out of ITU-T X.509 chapter 11) been implemented in OpenLDAP, and
if so, does anyone happen to have a schema file available so that I
don't have to write one myself to add this objectClass to OpenLDAP?
If not, is it possible to add these syntax checking routines in the same
way as one can extend the schema for object classes and attributes?
(I know that I could probably cheat, turn schema checking off and just
have the server support the attributes in a somewhat custom
fashion, but since this is for a PKI system that needs a certain level
of trust, I am a bit loath to do this).
Not to put too fine a point on it (I have no need for this schema
myself), but if I Google (just for the interest) on 'cpCps "object
class" schema' it comes up with (i.a.)
draft-ietf-pkix-ldap-pki-schema-00.txt, which would appear to be exactly
what you're looking for for building your "own" schema. Besides which,
25 other links.
Email: tonni at hetnet dot nl
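As an added illustration (not from either poster, and not the draft's own schema), this is what a cn=config schema entry for the cpCps auxiliary class looks like in OpenLDAP. Assumptions: the OIDs under 1.3.6.1.4.1.99999 are placeholders to be replaced by the real arcs from X.509 / the draft, the attribute names certificationPracticeStmt and certificatePolicy are as I recall them from X.509 section 11 and should be verified against the spec, and the X.509 InfoSyntax is substituted with Directory String because slapd's syntax validators are compiled in and cannot be added from a schema file.

```ldif
# Added example, not part of the thread. cpCps auxiliary object class
# for slapd's cn=config backend. All 1.3.6.1.4.1.99999.* OIDs are
# PLACEHOLDERS; take the real OIDs from X.509 section 11 or the draft.
dn: cn=cpcps,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: cpcps
# Caveat: slapd has no validator for the X.509 InfoSyntax and a schema
# file cannot add one, so Directory String (…121.1.15) stands in. The
# server therefore only checks that the value is a string, not that it
# is a well-formed CP/CPS reference; document this in the CPS itself.
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1
  NAME 'certificationPracticeStmt'
  DESC 'Placeholder OID: CPS text or pointer, DirectoryString stand-in'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.2
  NAME 'certificatePolicy'
  DESC 'Placeholder OID: CP text or pointer, DirectoryString stand-in'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
# Auxiliary class, so it is added to a CA entry next to pkiCA rather
# than replacing the entry's structural class.
olcObjectClasses: ( 1.3.6.1.4.1.99999.2.1
  NAME 'cpCps'
  DESC 'Placeholder OID: CA entry carrying CP and CPS information'
  SUP top AUXILIARY
  MAY ( certificationPracticeStmt $ certificatePolicy ) )
```

Load it with ldapadd against cn=config, then add `objectClass: cpCps` to each CA entry alongside `objectClass: pkiCA`; keep schema checking on, since with this file slapd still enforces which attributes a CA entry may carry even though it cannot validate the InfoSyntax structure.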