Be warned: this is developer documentation which only documents the possibilities and the technical background of the OpenCA LDAP code. It is not a howto or user documentation.
Object classes used by OpenCA

STRUCTURAL
- country
- device
- inetOrgPerson (inherits from organizationalPerson)
- locality
- person
- organization
- organizationalPerson (inherits from person)
- organizationalRole
- organizationalUnit

AUXILIARY
- dcObject
- pkiCA
- pkiUser
- opencaUniquelyIdentifiedUser
- opencaEmailAddress
- opencaSCEPDevice

Attributes used by OpenCA
- dc
- c
- o
- st
- l
- ou
- unstructuredName
- unstructuredAddress
- cn
- sn
- emailAddress
- serialNumber
Table 15.1. Schema usage
| LSC of the DN | filled attributes | filled attributes if present | objectclass stack |
|---|---|---|---|
| dc | dc | | top, dcObject |
| c | c | | top, country |
| st | st | | top, locality |
| l | l | | top, locality |
| o | o | | top, organization |
| ou | ou | | top, organizationalUnit |
| unstructuredName | cn | unstructuredName, unstructuredAddress, serialNumber, st, l, ou | top, device, opencaSCEPDevice |
| unstructuredAddress | cn | unstructuredName, unstructuredAddress, serialNumber, st, l, ou | top, device, opencaSCEPDevice |
| cn | cn | cn, st, l, ou, mail | top, organizationalRole (opencaEmailAddress if an email address is present) |
| sn | cn | cn, st, l, ou, mail | top, organizationalRole (opencaEmailAddress if an email address is present) |
| emailAddress | cn | cn, st, l, ou, mail | top, organizationalRole (opencaEmailAddress if an email address is present) |
| serialNumber | cn | serialNumber, o, ou, l | top, device |
Whenever we add a node to the directory tree, we always append the classes pkiCA and pkiUser to the objectclass stack. This is perhaps not the cleanest solution, but it is safe for every possible configuration. If we add a node with the class organizationalRole, we also add the auxiliary class opencaEmailAddress if an email address is present.
Table 15.2. Schema usage for user certificates
| LSC of the DN | filled attributes | filled attributes if present | objectclass stack |
|---|---|---|---|
| cn | cn, sn | mail, o, st, l, ou | top, person, organizationalPerson, inetOrgPerson |
| sn | cn, sn | mail, o, st, l, ou | top, person, organizationalPerson, inetOrgPerson |
| emailAddress | cn, sn | mail, o, st, l, ou | top, person, organizationalPerson, inetOrgPerson |
| serialNumber | cn, sn | mail, o, st, l, ou | top, person, organizationalPerson, inetOrgPerson, opencaUniquelyIdentifiedUser |
If the distinguished name doesn't contain an email address but OpenCA detects one in the subject alternative name, then that email address is used.
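The following is an added illustration, not code from OpenCA itself, of what Table 15.1, Table 15.2 and the two rules around them imply for one certificate subject: it walks the subject DN from the most significant component down to the leaf and builds, for every node, the LDAP attributes and the objectclass stack (with pkiCA and pkiUser always appended, opencaEmailAddress added to organizationalRole nodes that carry a mail attribute, and the subject-alternative-name email used when the DN has none). The data model is assumed, since the page does not give one: the DN is a list of (type, value) pairs with the leaf first, the subjectAltName is a list of (kind, value) pairs with kind "email" for rfc822Name entries, the sample subject and SAN are constructed, and the "filled attributes if present" columns are taken from the other components of the node's own DN.

```python
# Added illustration, not OpenCA's own code: build the LDAP entries that
# Table 15.1 and Table 15.2 prescribe for one certificate subject.
#
# Assumptions (the page only gives the tables, not a data model):
#   * the subject DN is a list of (type, value) pairs in LDAP order, leaf
#     (least significant component, "LSC") first;
#   * the subjectAltName is a list of (kind, value) pairs, kind "email"
#     for rfc822Name entries;
#   * "filled attributes if present" come from the other components of the
#     node's own DN (plus the SAN fallback for mail).

# DN attribute types whose LDAP attribute has a different name.
LDAP_NAME = {"emailAddress": "mail"}

# Table 15.1: (filled attributes, filled if present, objectclass stack) per LSC.
_DEVICE = (["cn"],
           ["unstructuredName", "unstructuredAddress", "serialNumber", "st", "l", "ou"],
           ["top", "device", "opencaSCEPDevice"])
_ROLE = (["cn"], ["cn", "st", "l", "ou", "mail"], ["top", "organizationalRole"])
NODE_SCHEMA = {
    "dc": (["dc"], [], ["top", "dcObject"]),
    "c": (["c"], [], ["top", "country"]),
    "st": (["st"], [], ["top", "locality"]),
    "l": (["l"], [], ["top", "locality"]),
    "o": (["o"], [], ["top", "organization"]),
    "ou": (["ou"], [], ["top", "organizationalUnit"]),
    "unstructuredName": _DEVICE,
    "unstructuredAddress": _DEVICE,
    "cn": _ROLE,
    "sn": _ROLE,
    "emailAddress": _ROLE,
    "serialNumber": (["cn"], ["serialNumber", "o", "ou", "l"], ["top", "device"]),
}

# Table 15.2: leaf schema used when the certificate is a user certificate.
_PERSON = (["cn", "sn"], ["mail", "o", "st", "l", "ou"],
           ["top", "person", "organizationalPerson", "inetOrgPerson"])
USER_SCHEMA = {
    "cn": _PERSON,
    "sn": _PERSON,
    "emailAddress": _PERSON,
    "serialNumber": (_PERSON[0], _PERSON[1],
                     _PERSON[2] + ["opencaUniquelyIdentifiedUser"]),
}

# Every node gets these two auxiliary classes appended (text below Table 15.1).
ALWAYS_AUX = ["pkiCA", "pkiUser"]


def _add(attrs, name, value):
    """Append value to a multi-valued LDAP attribute, without duplicates."""
    values = attrs.setdefault(name, [])
    if value not in values:
        values.append(value)


def _dn_string(components):
    return ",".join("%s=%s" % (t, v) for t, v in components)


def ldap_entries(subject, san=(), user_cert=False):
    """Return a list of (dn, attributes) for the subject, tree root first."""
    entries = []
    for depth in range(len(subject) - 1, -1, -1):
        lsc_type, lsc_value = subject[depth]
        is_leaf = depth == 0
        schema = USER_SCHEMA if (is_leaf and user_cert) else NODE_SCHEMA
        if lsc_type not in schema:
            raise ValueError("no schema row for DN component %r" % lsc_type)
        filled, if_present, stack = schema[lsc_type]
        attrs = {}
        for name in filled:              # "filled attributes" take the LSC value
            _add(attrs, name, lsc_value)
        for name in if_present:          # "filled attributes if present"
            for t, v in subject[depth:]: # only this node's own DN components
                if LDAP_NAME.get(t, t) == name:
                    _add(attrs, name, v)
        # Rule from the page: an email in the SAN is used when the DN has none.
        if "mail" in if_present and "mail" not in attrs:
            for kind, value in san:
                if kind == "email":
                    _add(attrs, "mail", value)
        classes = list(stack)
        if "organizationalRole" in classes and "mail" in attrs:
            classes.append("opencaEmailAddress")
        classes += ALWAYS_AUX
        attrs["objectClass"] = classes
        entries.append((_dn_string(subject[depth:]), attrs))
    return entries


# Constructed sample input (not from the page).
SUBJECT = [("cn", "Jane Doe"), ("ou", "Research"), ("o", "Example Inc"), ("c", "DE")]
SAN = [("email", "jane.doe@example.test")]

if __name__ == "__main__":
    for dn, attrs in ldap_entries(SUBJECT, SAN, user_cert=True):
        print(dn, attrs)
```

Running it with the sample subject yields four entries, c=DE down to the leaf; the leaf gets cn and sn from the LSC, ou and o from the rest of the DN, and mail from the SAN because the DN carries no emailAddress. Calling ldap_entries with user_cert=False on the same subject shows the Table 15.1 path instead: the leaf becomes an organizationalRole and, because mail is present, also gets opencaEmailAddress.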