[Pki-users] Subject Directory Ext

Veale, Sean sean.veale at gdc4s.com
Mon Nov 23 20:18:46 UTC 2009


Is this the correct format for the subject directory extension format
with no constraint?

policyset.xxx.11.constraint.class_id=noConstraintImpl
policyset.xxx.11.constraint.name=No Constraint
policyset.xxx.11.default.class_id=subjectDirAttributesExtDefaultImpl
policyset.xxx.11.default.name=Subject Directory Attributes Extension Default
policyset.xxx.11.default.params.subjDirAttrEnable_0=true
policyset.xxx.11.default.params.subjDirAttrName_0=cn
policyset.xxx.11.default.params.subjDirAttrPattern_0=$request.cn$
policyset.xxx.11.default.params.subjDirAttrsCritical=true

I correctly see the subject directory populated but the logs don't
like the name supplied.

[23/Nov/2009:14:29:50][http-9444-Processor25]: SubjectDirAttributesExtDefault: populate start
[23/Nov/2009:14:29:50][http-9444-Processor25]: SubjectDirAttributesExtDefault: invalid OID syntax: cn
[23/Nov/2009:14:29:50][http-9444-Processor25]: SubjectDirAttributesExtDefault: populate end

The admin guide implies it can be any LDAP attribute.
http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/Certificate_and_CRL_Extensions.html#Subject_Directory_Attributes_Extension_Default

Also, I've extended inetorg person to add my own custom attributes.
The data can be correctly found by the certificate, but
subjectDirAttributes is giving another error, as this snippet of logs
shows.  Can you use custom attributes or are you limited to what is in
inetorgperson object class?  In this case the certificate is not
generated.

[23/Nov/2009:15:01:29][http-9444-Processor25]: nsTokenUserKeySubjectNameDefault: getSubjectName(): got attribute: edipi=1605353424
...
[23/Nov/2009:15:01:29][http-9444-Processor25]: SubjectDirAttributesExtDefault: populate start
[23/Nov/2009:15:01:29][http-9444-Processor25]: SubjectDirAttributesExtDefault: invalid OID syntax: edipi
[23/Nov/2009:15:01:29][http-9444-Processor25]: ProfileSubmitServlet: populate Invalid attribute edipi


Thanks
Sean
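
Added example (not part of the original post and not Certificate System code): a pre-deployment check over profile properties that lists every enabled subjDirAttrName_N whose value is not in dotted-decimal OID form, which is the condition the "invalid OID syntax" log lines above report. The function names, the regular expressions and the second attribute slot (_1) in the sample are assumptions made for illustration.

```python
import re

# Constructed sample: the profile lines from the post plus a second,
# hypothetical slot (_1) whose name is in dotted-decimal form.
SAMPLE_PROFILE = """\
policyset.xxx.11.default.class_id=subjectDirAttributesExtDefaultImpl
policyset.xxx.11.default.params.subjDirAttrEnable_0=true
policyset.xxx.11.default.params.subjDirAttrName_0=cn
policyset.xxx.11.default.params.subjDirAttrPattern_0=$request.cn$
policyset.xxx.11.default.params.subjDirAttrEnable_1=true
policyset.xxx.11.default.params.subjDirAttrName_1=2.5.4.3
policyset.xxx.11.default.params.subjDirAttrPattern_1=$request.cn$
policyset.xxx.11.default.params.subjDirAttrsCritical=true
"""

# Dotted-decimal OID: first arc 0-2, at least two arcs, no leading zeros.
OID_RE = re.compile(r"^[0-2](\.(0|[1-9]\d*))+$")
PARAM_RE = re.compile(
    r"^policyset\.(?P<set>[^.]+)\.(?P<idx>\d+)\.default\.params\."
    r"subjDirAttr(?P<field>Enable|Name|Pattern)_(?P<slot>\d+)$")

def parse_slots(text):
    """Group subjDirAttr{Enable,Name,Pattern}_N by (set, policy index, N)."""
    slots = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        m = PARAM_RE.match(key.strip())
        if sep and m:
            ident = (m["set"], int(m["idx"]), int(m["slot"]))
            slots.setdefault(ident, {})[m["field"]] = value.strip()
    return slots

def find_non_oid_names(text):
    """Return [(ident, name)] for enabled slots whose name is not an OID."""
    findings = []
    for ident, fields in sorted(parse_slots(text).items()):
        if fields.get("Enable", "").lower() != "true":
            continue  # disabled slots are not populated, so skip them
        name = fields.get("Name", "")
        if not OID_RE.match(name):
            findings.append((ident, name))
    return findings

if __name__ == "__main__":
    for (pset, idx, slot), name in find_non_oid_names(SAMPLE_PROFILE):
        print(f"policyset.{pset}.{idx} slot {slot}: {name!r} is not a dotted-decimal OID")
```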





