Patrick Patterson skrev, on 25-02-2008 21:25:
I am working on a PKI project, and would like to be able to use OpenLDAP, however, the certificate policy that we have to conform to mandates that CA entries be a member of pkiCA and cpCps auxiliary object classes. Now, the pkiCA requirement is easy, as it looks like OpenLDAP supports that just fine, however, I'm wondering if cpCPS is able to be supported.
I guess my question is twofold:
Have the syntax checking routines mandated for the cpCps object class (I presume out of ITU-T X.509 chapter 11) been implemented in OpenLDAP, and if so, does anyone happen to have a schema file available so that I don't have to write one myself to add this objectClass to OpenLDAP.
If not, is it possible to add these syntax checking routines in the same way as one can extend the schema for object classes and attributes?
(I know that I could probably cheat, turn schema checking off and just build have the server support the attributes in a somewhat custom fashion, but since this is for a PKI system that needs a certain level of trust, I am a bit loath to do this).
Not to put too fine a point on it (I have no need for this schema myself), but if I Google (just for the interest) on 'cpCps "object class" schema' it comes up with (i.a.) draft-ietf-pkix-ldap-pki-schema-00.txt, which would appear to be exactly what you're looking for for building your "own" schema. Besides which, 25 other links.
Best,
--Tonni