Mailnode x.500 OIDs

Discuss installation of Scalix software

Moderators: ScalixSupport, admin

rgmhtt
Posts: 70
Joined: Wed Jan 04, 2006 4:37 pm
Location: Oak Park

Mailnode x.500 OIDs

Postby rgmhtt » Mon Mar 27, 2006 6:22 pm

Don't know what forum to ask this one in...

Gee, I thought I had left X.500 and X.501 behind, but they always come back to haunt me. Just like X.509 and PKIX...

The problem is:

What are the OIDs for my mailnodes?
How do I display them?
If I want to change them, can I do that (with some LDAP magic) without recreating everything?

Why? Well, OIDs go into X.509 certs. And you really want them right. You should not work with a null distinguishedName (which isn't the case here anyway) and just use rfc822Name.

How do I set C, P, A, O, and then OUn? I figure that what we see as the mailnode name is only OU1, OU2. And you cannot set up a mailnode with only OU1.

If you are running multiple domains, you would want at least O to reflect the appropriate company name?

I see the part in the manual on the address formatting conf files.

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Mon Mar 27, 2006 8:43 pm

Can you explain a little more of what you're looking to do? Are you going to be using X.509 certificates with Outlook?

Cheers

Dave

rgmhtt
Posts: 70
Joined: Wed Jan 04, 2006 4:37 pm
Location: Oak Park

Postby rgmhtt » Mon Mar 27, 2006 9:18 pm

I am setting up a CA for my domain. I will be issuing my own certs for my servers and clients.

I do not use Outlook. Thunderbird, Eudora, EAP-PEAP, etc.

I also host a second domain, and soon a third. I will be running CAs for them as well.

No, there is no Active Directory here. Still an NT domain, migrating to SAMBA....

It is easy to just not use A and P, but C and O are rather important.

And your use of OU1, OU2 for the mailnode makes things a little stretched.

For example, my company name is 'HTT Consulting', the DNS domain is htt-consult.com

I would want 'HTT Consulting' set for O. I can use the name of my mail host, z9m9z, as OU1 (kind of a stretch, but that seems needed). And what for OU2? If you say to use OU1 for O, how would I put 'HTT Consulting' in SAC? And anyway, that is not 'right' per X.500/501 (or so I was told by its authors).

Perhaps I know too much about standards and only a little 'field' experience! :wink:

Bottom line: I want to set the X.500 name structure for my systems and users. I have multiple companies running on a single server.

jch
Scalix
Posts: 202
Joined: Thu Mar 25, 2004 10:25 am

Postby jch » Tue Mar 28, 2006 11:37 am

The OU1, .. OU4 and CAPO attributes have little, if anything, to do with X.500. They're actually X.400 attribute types that got used by Scalix way back when it was something else. The X.500 organisationalUnit, Country, ADMD, PRMD and Organisation aren't really connected to the CAPO attributes except by an accident of naming. Blimey, that takes me back. Mailnodes don't have OIDs though, an OID is the "formal" name for an attribute type, not an attribute value (at least I think that's what I thought you were driving at).

If you're creating certificates based on an X.500 naming scheme then go ahead, but keep the X.500 DIT separate from the mail addresses. Mailnodes are a convenient way to group users, nothing more, and the link between a user of the mail system and a DN in the X.500 DIT should probably be their Internet address, although you could pick some other unique attribute in the Scalix directory to act as the link.

jch
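
Added example, not from this thread or from Scalix, illustrating both rgmhtt's question about which OIDs end up in a cert and jch's answer that OIDs name attribute types rather than values. It is a stdlib-only DER encoder/decoder for the X.501 Name that becomes an X.509 subject, plus a subjectAltName rfc822Name for the mail address. The subject string and mail address are constructed samples; the attribute type OIDs (C, O, OU, CN) are the standard X.520 ones.

```python
"""Stdlib-only DER encoding of an X.501 Name and an rfc822Name GeneralName.
The OIDs below belong to the attribute *types* (countryName, organizationName,
organizationalUnitName, commonName); a value like "HTT Consulting" or a
mailnode name has no OID of its own.  Sample subject/address are constructed."""

from typing import List, Tuple

# X.520 attribute type OIDs (id-at-*).  These are the only OIDs in a DN.
ATTRIBUTE_TYPE_OIDS = {
    "C": "2.5.4.6",
    "O": "2.5.4.10",
    "OU": "2.5.4.11",
    "CN": "2.5.4.3",
}

TAG_OID = 0x06
TAG_UTF8 = 0x0C
TAG_PRINTABLE = 0x13
TAG_SEQUENCE = 0x30
TAG_SET = 0x31
TAG_RFC822NAME = 0x81  # GeneralName [1] IMPLICIT IA5String (context-specific)


def der_length(n: int) -> bytes:
    """Short form below 128, else 0x80|count followed by big-endian length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(TAG_OID, bytes(body))


def encode_atv(attr: str, value: str) -> bytes:
    """AttributeTypeAndValue ::= SEQUENCE { type OID, value DirectoryString }.
    RFC 5280: countryName is PrintableString, other values UTF8String."""
    attr = attr.upper()
    if attr == "C":
        val = der_tlv(TAG_PRINTABLE, value.encode("ascii"))
    else:
        val = der_tlv(TAG_UTF8, value.encode("utf-8"))
    return der_tlv(TAG_SEQUENCE, encode_oid(ATTRIBUTE_TYPE_OIDS[attr]) + val)


def parse_slash_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an OpenSSL-style '/C=US/O=.../CN=...' subject.  That form is
    already in DER order (least specific RDN first); values may not contain '/'."""
    pairs = []
    for part in dn.split("/"):
        if part:
            attr, _, value = part.partition("=")
            pairs.append((attr.strip(), value.strip()))
    return pairs


def encode_name(dn: str) -> bytes:
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue.
    Each slash component becomes one single-valued RDN."""
    rdns = b"".join(der_tlv(TAG_SET, encode_atv(a, v)) for a, v in parse_slash_dn(dn))
    return der_tlv(TAG_SEQUENCE, rdns)


def encode_rfc822_san(email: str) -> bytes:
    """GeneralNames with a single rfc822Name: where the mail address belongs,
    separate from the X.500 DN, as the reply above recommends."""
    return der_tlv(TAG_SEQUENCE, der_tlv(TAG_RFC822NAME, email.encode("ascii")))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Minimal DER reader: (tag, content, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def name_attribute_oids(name_der: bytes) -> List[str]:
    """Walk an encoded Name and list the attribute type OIDs it carries.
    Run over a real certificate subject this gives the same kind of answer:
    OIDs for C/O/OU/CN, none for the company or mailnode value itself."""
    oids = []
    _, rdn_seq, _ = read_tlv(name_der, 0)
    pos = 0
    while pos < len(rdn_seq):
        _, rdn_set, pos = read_tlv(rdn_seq, pos)
        inner = 0
        while inner < len(rdn_set):
            _, atv, inner = read_tlv(rdn_set, inner)
            _, oid_content, _ = read_tlv(atv, 0)
            oids.append(decode_oid(oid_content))
    return oids


if __name__ == "__main__":
    subject = "/C=US/O=HTT Consulting/OU=z9m9z/CN=rgmhtt"  # constructed sample
    der = encode_name(subject)
    print(der.hex())
    print(name_attribute_oids(der))
    print(encode_rfc822_san("rgmhtt@htt-consult.com").hex())  # constructed address
```

The encoder deliberately keeps the mail address out of the subject: the DN carries only X.520 attribute types, and the rfc822Name GeneralName carries the address, so a mailnode label like OU1/OU2 never has to be bent into an X.500 organisation.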

rgmhtt
Posts: 70
Joined: Wed Jan 04, 2006 4:37 pm
Location: Oak Park

Postby rgmhtt » Tue Mar 28, 2006 1:23 pm

It was more than an accident in naming, I have worked with a number of the guilty parties. And some are rather proud of the linkage...

Granted an email (RFC822 or X.400) does not have OIDs; that is reserved for ASN.1 encoded objects (like PKCS encoded mail).

But as the manual points out the O/R Address is carried in headers in the email, and I do desire to have some control over them...

And LDAP has always been a rather interesting creature; schemas and OIDs tend to go together.

So anyway...

Where is the ldap schema stored?
How do I dump the LDAP database? LDAP itself is not running....
And then setting the O/R address. I guess I need to work with some of those CLI tools?

rgmhtt
Posts: 70
Joined: Wed Jan 04, 2006 4:37 pm
Location: Oak Park

Postby rgmhtt » Wed Mar 29, 2006 8:45 pm

Well, I figured out what to do:

omldapsearch cn=* > dump

And it looks like so far there are 3 'classes' of objects:

Mailnodes
Groups
Users

It looks like Mailnodes and Groups have the same objects, just slightly different values.

Users have quite different objects. This makes sense...

For all of them, o=Scalix

I might think I would like it to be 'HTT Consulting'.

But this raises a few questions:

Would I do:

omldapmodify -r
dn: cn=*
replace: o
o: HTT Consult
<cntl-D>

And what config file do I change so that new entries have this value for o?

Will the change impact the operation?
What else do I change?

Is this just a bunch of needless busy work and who cares what the value of o is?
But not if I let outsiders query this directory???

jch
Scalix
Posts: 202
Joined: Thu Mar 25, 2004 10:25 am

Postby jch » Wed Apr 05, 2006 11:55 am

The Scalix LDAP directory isn't always a true LDAP directory. It's possible to configure a proper hierarchical DIT but, in practice, no one ever does. This is done by layering a hierarchy on top of the flat system directory (as shown by omsearch).

The o=Scalix suffix RDN is used to identify a flat view of the directory. You can't change it because it's not really there. Well, almost. You can add an organisation attribute but it won't have any effect on the o=Scalix RDN. Take a look at ~/sys/slapd.conf.

jch
