Hi all,

I want to start an LDAP service for publishing CRLs and certificates for a Certificate Authority. I am new to LDAP and have not yet found any good references to guide me in using LDAP for these purposes, so I started playing around with VeriSign's directory to get some ideas. According to VeriSign's knowledge base ( https://knowledge.verisign.com/support/mpki-support/index?page=content&i...) the command

  ldapsearch -h directory.verisign.com -b "cn=<common name>,o=<Org Name>" "(o=*)" "certificaterevocationlist"

should return the CRL, but as I mentioned, the SASL error was shown. I also tried OpenLDAP on Ubuntu but still had the same problem, and when I tried an ldapsearch against an Active Directory server that was publishing CRLs, the same SASL error was shown again.

Using -x somehow solved the problem for VeriSign, but doing an empty search showed the following error:

  result: 53 Server is unwilling to perform
  text: please enter more characters

But using -x on the Active Directory server returned the following error:

  result: 1 Operations error
  text: 00000000 LdapErr: DSID-0X090627, comment In order to perform this operation a successful bind must be completed on connection., data 0

Can anyone guide me on how to download a CRL from VeriSign (or any other public CA) via LDAP?

Any guides or references on how to set up an LDAP server for publishing certificates and CRLs would be appreciated.
2011/5/16 Michael Ströder michael@stroeder.com
Dan White wrote:
On 15/05/11 17:59 +0430, Mohammad D wrote:
I have installed OpenLDAP 2.4.23 on Windows Server 2003. When I run this query with ldapsearch:

  ldapsearch -h directory.verisign.com -b "cn=<*>" "(o=*)" "certificaterevocationlist"

I get the following error:

  SASL/EXTERNAL authentication started
  ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
  additional info: SASL(-4): no mechanism available:

I installed MIT Kerberos but it did not solve the problem. Does anyone know what the issue is and how it can be solved?
Did you build cyrus sasl with GSSAPI support?
Dan, why do you ask for GSSAPI?
I guess the original poster just wants to use command-line option -x for simple anonymous bind. Also the search base (-b) seems to be wrong. It should be -b "" for an empty search base.
I doubt that this will work anyway. Playing around with ldap://directory.verisign.com it returns
Server is unwilling to perform: Presence filter is unsupported
when searching with filter (o=*). Frankly I don't know whether this server is usable anymore for anything one would consider useful. That's the reason I removed it from the default select list in web2ldap's demo server.
Side note: Verisign publishes its CRLs via HTTP: http://crl.verisign.com/
Ciao, Michael.
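An added example, not part of any message in this thread: a small POSIX shell script that does what Michael suggests (simple anonymous bind with -x instead of SASL) and then covers the step the thread does not show, turning the LDIF that ldapsearch prints into a DER file that openssl can read. The LDAP URI and the CA entry's DN are placeholders, and the two LDIF entries at the bottom are constructed sample output for testing the parsing offline; the base64 in them decodes to the text "NOT A CRL", not to a real CRL. OpenLDAP returns the CRL as certificateRevocationList;binary; other servers, Active Directory among them, may return it as plain certificateRevocationList, so the extractor accepts both spellings.

```shell
#!/bin/sh
# Added example (not from the thread): fetch a CA's CRL over LDAP with an
# anonymous simple bind and convert the LDIF output to DER.
# Assumptions (placeholders, not taken from the thread): the LDAP URI and the
# DN of the CA entry shown in the usage comment of fetch_crl_der.

# ldapsearch folds long values at 76 columns; a continuation line starts with
# exactly one space. Read LDIF on stdin, print one logical line per attribute.
ldif_unfold() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
             { if (buf != "") print buf; buf = $0 }
        END  { if (buf != "") print buf }
    '
}

# Print the base64 value of a "::"-encoded attribute from unfolded LDIF.
# Attribute names are case-insensitive, and the CRL may come back either as
# "<attr>;binary::" (OpenLDAP) or as "<attr>::" (some other servers), so both
# are accepted. Only the first match is printed; no match prints nothing.
ldif_attr_b64() {
    awk -v attr="$1" '
        {
            line = tolower($0); a = tolower(attr)
            if (index(line, a "::") == 1)             v = substr($0, length(a) + 3)
            else if (index(line, a ";binary::") == 1) v = substr($0, length(a) + 10)
            else next
            sub(/^ +/, "", v); print v; exit
        }
    '
}

# Full pipeline. -x selects simple bind (anonymous here) instead of SASL, which
# is what produced "no mechanism available" in the thread; -LLL drops LDIF
# comments and version lines; -s base reads exactly the one entry named by -b.
# Active Directory rejects anonymous searches below the rootDSE by default, so
# against AD add "-D <bind dn> -W" to authenticate first.
# Usage (URI and DN are placeholders):
#   fetch_crl_der ldap://ldap.example.com "cn=Example CA,o=Example" ca.crl
fetch_crl_der() {
    uri=$1 base=$2 out=$3
    ldapsearch -x -LLL -H "$uri" -b "$base" -s base '(objectClass=*)' \
            certificateRevocationList \
        | ldif_unfold \
        | ldif_attr_b64 certificateRevocationList \
        | base64 -d > "$out" || return 1
    # A real CRL parses here; an expired one shows up in nextUpdate.
    openssl crl -inform DER -in "$out" -noout -issuer -lastupdate -nextupdate
}

# Constructed sample ldapsearch output, used only to exercise the parsing
# functions offline. The value is base64 of the text "NOT A CRL".
SAMPLE_OPENLDAP='dn: cn=Example CA,o=Example
objectClass: cRLDistributionPoint
cn: Example CA
certificateRevocationList;binary:: Tk9UIEEg
 Q1JM
'
SAMPLE_AD='dn: CN=Example CA,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com
objectClass: cRLDistributionPoint
certificateRevocationList:: Tk9UIEEgQ1JM
'
```

If you do not know the CA entry's DN, start as Michael suggests with -b "" and -s base and ask for namingContexts, which returns the directory's roots, then search below one of them with a filter on a concrete value (for example the CA's cn); a bare presence filter such as (o=*) is exactly what directory.verisign.com refused in the thread.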