Aleksander Adamowski wrote:
Just for the record, I've made a patch that actually works and has been
tested for your testing pleasure, it's attached in the Bugzilla bug and
I'm attaching it here just in case.
There's one gotcha: since with this patch applied the subjectName
generation started working properly, the old default configuration for
certificate profiles will reject the certificates because they expect
the incorrect subject name (userDN - based).
Now you'll have to customise the LDAP-based certificate profiles to
accommodate this - notably the "Subject Name Constraint".
Dogtag's default profile had the following subject name constraint pattern:
UID=.*
While the subjectNames generated by the UidPwdDirAuth plugin look more like
this by default: "E=$attr.mail, CN=$attr.cn, O=$dn.o, C=$dn.c", so they
won't ever match the constraint's pattern since they cannot possibly
begin with "UID=".
In my configuration, I've changed the pattern to this and then the new
LDAP-based subject names got accepted:
.*CN=.*
So in short, my caDirUserCert.cfg has the following now:
...
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.name=Subject Name Constraint
policyset.userCertSet.1.constraint.params.pattern=.*CN=.*
policyset.userCertSet.1.constraint.params.accept=true
...
instead of the official default:
...
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.name=Subject Name Constraint
policyset.userCertSet.1.constraint.params.pattern=UID=.*
policyset.userCertSet.1.constraint.params.accept=true
...
--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.org.pl
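An added example, not part of the original message or of Dogtag's own code, that reproduces the mismatch described above: it renders the default UidPwdDirAuth subject name template against a constructed LDAP entry, pulls the Subject Name Constraint pattern out of a caDirUserCert.cfg fragment, and tests whether the profile would accept the resulting DN. It assumes the constraint applies the regex to the whole DN string (Java-style matches()), and the LDAP attribute values and the tighter alternative pattern are constructed for illustration.

```python
import re

# Constructed sample: the relevant lines of the stock caDirUserCert.cfg
PROFILE_CFG = """\
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.name=Subject Name Constraint
policyset.userCertSet.1.constraint.params.pattern=UID=.*
policyset.userCertSet.1.constraint.params.accept=true
"""

# Default subject name template produced by the UidPwdDirAuth plugin
DN_TEMPLATE = "E=$attr.mail, CN=$attr.cn, O=$dn.o, C=$dn.c"

# Constructed LDAP entry standing in for the authenticated user
LDAP_ENTRY = {
    "attr.mail": "jdoe@example.com",
    "attr.cn": "John Doe",
    "dn.o": "Example Corp",
    "dn.c": "PL",
}

# The pattern from the post, and a constructed tighter one that pins O and C
PATTERN_FROM_POST = ".*CN=.*"
PATTERN_TIGHTER = r"E=.*, CN=.*, O=Example Corp, C=PL"


def render_subject(template: str, entry: dict) -> str:
    """Substitute $attr.X / $dn.X placeholders with values from the LDAP entry."""
    return re.sub(r"\$((?:attr|dn)\.\w+)", lambda m: entry[m.group(1)], template)


def constraint_pattern(cfg: str, policy: str = "policyset.userCertSet.1") -> str:
    """Return the Subject Name Constraint regex configured for the given policy."""
    key = f"{policy}.constraint.params.pattern="
    for line in cfg.splitlines():
        if line.startswith(key):
            return line[len(key):]
    raise KeyError(f"no {key} entry in profile")


def subject_accepted(pattern: str, subject: str) -> bool:
    """Assumption: the constraint matches the whole DN string, like Java matches()."""
    return re.fullmatch(pattern, subject) is not None


def check_profile(cfg: str, template: str = DN_TEMPLATE, entry: dict = LDAP_ENTRY) -> bool:
    """True if the DN the plugin would generate passes the profile's constraint."""
    return subject_accepted(constraint_pattern(cfg), render_subject(template, entry))
```

Running check_profile against PROFILE_CFG shows the stock UID=.* pattern rejecting the generated DN, while swapping in PATTERN_FROM_POST or PATTERN_TIGHTER accepts it.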