
Re: openldap config for netscape certificates? (partial success)



Thanks for the help.

Good news:
  I have stored the certificates in the LDAP server as
  userCertificate;binary.
  Netscape now recognises that the ldap server has a suitable
  userCertificate;binary attribute and reacts accordingly.

Bad news:
  Netscape does not appear to do anything with the certificate.
  It does not provide an error or any informational messages.
  The certificate which has been found is apparently discarded.

Is this down to the way that openldap encodes the binary
data and how it provides it to netscape in the attribute
value?

I am storing the certificates as PKCS#12. Is this correct?

If I import the PKCS#12 certificate from a file, as a user
certificate in netscape, it is accepted and stored without 
problems.

Retrieving the userCertificate to a file using ldapsearch
and comparing with the original is ok.

I get the same results from Netscape 4.6 on NT4 and
SGI IRIX6.2. I am running openldap-1.2.1 on IRIX6.2.

PS. Our firewall denies access to port 389, so I cannot
check Mark's server (or others) directly.

Cheers,

Andy

John Kristian wrote:
> Try adding the ;binary option to the userCertificate or userSMIMECertificate attribute
> description.  For example (in LDIF):
> 
>      userCertificate;binary:: MIIC2TCCAkKgA...
> 
> It's probably necessary to configure the attribute, including the option, in the
> OpenLDAP server's schema definition (in slapd.conf, or one of the files it includes).


Andy Brady wrote:
> 
> I would like to use openldap to store user certificates
> so that netscape communicator can retrieve them through
> the communicator security dialog:
> 
>   Communicator -> Tools -> Security info -> \
>   Certificates -> People -> Search Directory
>
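An added check, not part of this thread: the userCertificate attribute is defined to hold a DER-encoded X.509 certificate, and a PKCS#12 file has a different ASN.1 outer structure, so peeking at the leading DER tags of the stored blob shows which of the two it is before it goes into the directory. The script below also emits the `::` base64 LDIF line from John's reply; the two sample blobs are constructed shapes with just enough structure to exercise the check, not real certificates.

```python
import base64

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def classify_der(data):
    """Structural check only. X.509: SEQUENCE { SEQUENCE tbsCertificate, ... } where
    tbsCertificate starts with [0] version or INTEGER serial (v1).
    PKCS#12 PFX: SEQUENCE { INTEGER version = 3, SEQUENCE authSafe, ... }."""
    try:
        outer_tag, outer, _ = _read_tlv(data, 0)
        if outer_tag != 0x30:
            return "not-a-der-sequence"
        first_tag, first, _ = _read_tlv(outer, 0)
        if first_tag == 0x02 and first == b"\x03":
            return "pkcs12-pfx"
        if first_tag == 0x30 and _read_tlv(first, 0)[0] in (0xA0, 0x02):
            return "x509-certificate"
    except IndexError:
        return "truncated"
    return "unknown"

def ldif_line(attr, data):
    """LDIF base64 form ('::') of a binary attribute value, as in the quoted reply."""
    return f"{attr}:: {base64.b64encode(data).decode('ascii')}"

def der(tag, content):
    """Encode one TLV for the constructed samples below (not a general DER encoder)."""
    n = len(content)
    length = bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

# Constructed shapes only: sha256WithRSA OID, dummy serial, empty signature bit string.
_ALG = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + _ALG)
                  + _ALG + der(0x03, b"\x00" * 9))
SAMPLE_PFX = der(0x30, der(0x02, b"\x03")
                 + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01")))

if __name__ == "__main__":
    for name, blob in (("cert", SAMPLE_CERT), ("pfx", SAMPLE_PFX)):
        print(name, classify_der(blob))
        print(ldif_line("userCertificate;binary", blob))
```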