Mohammad D wrote:
I want to start an LDAP service for publishing CRLs and certificates for a Certificate Authority. I am new to LDAP and I have not yet found any good references to guide me on how to use LDAP for these purposes.
See RFC 4523 for object class pkiCA etc.
You can find examples in the LDAP servers of various German trust centers.
One example:
http://demo.web2ldap.de:1760/web2ldap?ldap://www.trustcenter.de/o%3DTC%20Tru...
There are also ldap.signtrust.de, directory.d-trust.de and others.
So I started playing around with VeriSign's directory to get some ideas, according to VeriSign's knowledge base (https://knowledge.verisign.com/support/mpki-support/index?page=content&id=SO2121&actp=search&viewlocale=en_US&searchid=1305455725926)
In the example command line you would have to know the cn and o of an existing entry to form a correct search base.
$ -b "cn=<common name>,o=<Org Name>"
<common name> and <Org Name> are just placeholders.
But as I mentioned, a SASL error was shown.
That's why you have to use -x with ldapsearch to send a simple bind request.
Using -x somehow solved the problem for VeriSign, but doing an empty search showed the following error:
result: 53 server is unwilling to perform
text: please enter more characters
That's because you are just using the placeholders.
But using -x on an Active Directory server returned the following error:
result: 1 operation error
text: 00000000 LdapErr: DSID-0X090627, comment In order to perform this operation a successful bind must be completed on connection., data 0
That's because MS AD does not allow anonymous searches.
Ciao, Michael.
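The thread points at RFC 4523 for the schema but never shows what a CA publication entry actually looks like on the wire. The block below is an added example, not code from the thread or from any of the directories mentioned in it: it builds an LDIF entry (RFC 2849) for a pkiCA object carrying cACertificate;binary and certificateRevocationList;binary values, and reads such an entry back the way one would parse ldapsearch output. Assumptions: pkiCA is AUXILIARY, so the entry is attached to organizationalRole as its structural class (any structural class that permits cn would do); the DER blobs are constructed placeholders standing in for real X.509 objects, and the DN cn=Example CA,o=Example Org is invented.

```python
"""Build and read back an RFC 4523 pkiCA entry as LDIF (RFC 2849).

Added example, not code from the thread. Real DER would come from your CA
(openssl x509 -outform DER / openssl crl -outform DER); the blobs below are
constructed placeholders that are DER SEQUENCEs but NOT real certificates.
"""
import base64
import re
from typing import Dict, List, Optional

# Constructed placeholders (not real X.509 data).
SAMPLE_CA_CERT_DER = b"\x30\x0a\x02\x01\x01\x04\x05CACRT"
# 62 bytes so the base64 value is long enough to exercise LDIF line folding.
SAMPLE_CRL_DER = b"\x30\x3c\x04\x3a" + bytes(range(58))

_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour openssl emits and return the raw DER bytes."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group("body").split()))


def der_to_pem(label: str, der: bytes) -> str:
    """Inverse of pem_to_der; used here only to build the constructed sample input."""
    body = base64.encodebytes(der).decode("ascii")  # 76-column lines, trailing newline
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


def ldif_line(attr: str, value: bytes, width: int = 76) -> List[str]:
    """Encode a binary value as 'attr:: <base64>' folded per RFC 2849:
    no line longer than `width`, continuation lines begin with one space."""
    raw = f"{attr}:: " + base64.b64encode(value).decode("ascii")
    out = [raw[:width]]
    rest = raw[width:]
    while rest:
        out.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return out


def pki_ca_entry(dn: str, ca_cert_der: bytes, crl_der: bytes,
                 arl_der: Optional[bytes] = None) -> str:
    """LDIF for a CA publication entry. pkiCA (RFC 4523) is AUXILIARY, so it
    rides on a structural class; organizationalRole (MUST cn) is the
    assumption made here. The certificate/CRL attributes use the ;binary
    transfer option as RFC 4523 specifies."""
    cn = dn.split(",", 1)[0].split("=", 1)[1]
    lines = [f"dn: {dn}", "objectClass: top", "objectClass: organizationalRole",
             "objectClass: pkiCA", f"cn: {cn}"]
    lines += ldif_line("cACertificate;binary", ca_cert_der)
    lines += ldif_line("certificateRevocationList;binary", crl_der)
    if arl_der is not None:
        lines += ldif_line("authorityRevocationList;binary", arl_der)
    return "\n".join(lines) + "\n"


def parse_ldif_entry(text: str) -> Dict[str, List[bytes]]:
    """Minimal RFC 2849 reader for one entry (what ldapsearch -LLL prints):
    unfolds continuation lines and base64-decodes '::' values."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        elif line and not line.startswith("#"):
            unfolded.append(line)
    entry: Dict[str, List[bytes]] = {}
    for line in unfolded:
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode("utf-8")
        entry.setdefault(attr, []).append(value)
    return entry


def demo() -> Dict[str, List[bytes]]:
    """Round trip PEM -> DER -> LDIF -> parsed entry on the constructed samples."""
    ca_der = pem_to_der(der_to_pem("CERTIFICATE", SAMPLE_CA_CERT_DER))
    crl_der = pem_to_der(der_to_pem("X509 CRL", SAMPLE_CRL_DER))
    ldif = pki_ca_entry("cn=Example CA,o=Example Org", ca_der, crl_der)
    return parse_ldif_entry(ldif)


if __name__ == "__main__":
    print(pki_ca_entry("cn=Example CA,o=Example Org",
                       SAMPLE_CA_CERT_DER, SAMPLE_CRL_DER))
```

To fetch a published CRL from a directory that serves one, the matching read side is an ldapsearch with simple bind and a base-scope search on the known entry, e.g. `ldapsearch -x -LLL -H ldap://host -b "cn=...,o=..." -s base "certificateRevocationList;binary"`, whose LDIF output parse_ldif_entry decodes back to DER; ldapsearch -t writes the binary values to files instead if that is more convenient.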