Hi all
I want to start an LDAP service for publishing CRLs and certificates for a Certificate Authority.
I am new to LDAP and I have not yet found any good references to guide me on how to use LDAP for these purposes,
so I started playing around with VeriSign's directory to get some ideas:
According to VeriSign's knowledge base (https://knowledge.verisign.com/support/mpki-support/index?page=content&id=SO2121&actp=search&viewlocale=en_US&searchid=1305455725926) the script
ldapsearch -h directory.verisign.com -b "cn=<common name>,o=<Org Name>" "(o=*)" "certificaterevocationlist"
should return the CRL, but as I mentioned, a SASL error was shown.
I also tried OpenLDAP on Ubuntu, but still the same problem, and when I tried to do an ldapsearch on an Active Directory server which was publishing CRLs, again the same SASL error was shown.
Using -x somehow solved the problem for VeriSign, but doing an empty search showed the following error:
result: 53 server is unwilling to perform
text: please enter more characters

But using -x on the Active Directory server returned the following error:
result: 1 operation error
text: 00000000 LdapErr: DSID-0X090627, comment In order to perform this operation a successful bind must be completed on connection., data 0

Can anyone guide me on how to download a CRL from VeriSign (or any other public CA) via LDAP?

Any guides or references regarding how to set up an LDAP server for publishing certificates and CRLs would be appreciated.



2011/5/16 Michael Ströder <michael@stroeder.com>
Dan White wrote:
> On 15/05/11 17:59 +0430, Mohammad D wrote:
>> I have installed OpenLDAP 2.4.23 on Windows Server 2003. When I run this
>> query on ldapsearch:
>> ldapsearch -h directory.verisign.com -b "cn=<*>" "(o=*)"
>> "certificaterevocationlist"
>> I get the following error:
>> SASL/EXTERNAL authentication started
>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>        additional info: SASL(-4): no mechanism available:
>>
>> I installed MIT Kerberos but it did not solve the problem.
>> Anyone know what the issue is and how it can be solved?
>
> Did you build cyrus sasl with GSSAPI support?

Dan, why do you ask for GSSAPI?

I guess the original poster just wants to use command-line option -x for
simple anonymous bind. Also the search base (-b) seems to be wrong. It should
be -b "" for an empty search base.

I doubt that this will work anyway. Playing around with
ldap://directory.verisign.com it returns

Server is unwilling to perform:
Presence filter is unsupported

when searching with filter (o=*). Frankly, I don't know whether this server is
usable anymore for anything one would consider useful. That's the reason I
removed it from the default select list in web2ldap's demo server.

Side note:
Verisign publishes its CRLs via HTTP: http://crl.verisign.com/

Ciao, Michael.
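The thread above turns on two things: ldapsearch tries a SASL bind unless -x is given, and the search base, scope, filter and attribute for a CRL lookup are all encoded in the LDAP URL that a CA puts in its certificates' CRL Distribution Points extension. The following is an added example, not code from any poster in the thread, that parses such an RFC 4516 URL and builds the matching ldapsearch command with a simple bind. The URLs, hostnames and bind DN in it are constructed placeholders (ldap.example.com, dc1.example.com, "Example CA"), not VeriSign's or any real directory's; the Active Directory-style URL with an empty host ("ldap:///CN=...") is the shape AD itself emits, which is why the parser takes a default host.

```python
"""Added example (not code from the thread): turn the LDAP URL found in a
certificate's CRL Distribution Points extension into an ldapsearch command
line that uses a simple bind (-x) instead of the SASL bind that ldapsearch
attempts by default.  Hostnames, DNs and bind DN below are constructed
sample data, not VeriSign's or any real directory's.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote
import shlex


@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: int
    dn: str
    attributes: List[str]
    scope: str
    filter: str
    extensions: str


def parse_ldap_url(url: str, default_host: Optional[str] = None) -> LdapUrl:
    """Parse an RFC 4516 LDAP URL:
         ldap://host:port/dn?attributes?scope?filter?extensions
    Every component after the host is percent-encoded and optional.
    Active Directory publishes CDP URLs with an empty host ("ldap:///CN=..."),
    meaning "any domain controller", so a host must then come from the caller.
    """
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")   # IPv6 literals ([::1]) not handled
    host = host or default_host
    if not host:
        raise ValueError("LDAP URL has no host and no default_host was given")
    default_port = 636 if scheme == "ldaps" else 389
    fields = tail.split("?", 4)               # dn, attrs, scope, filter, exts
    fields += [""] * (5 - len(fields))
    dn, attrs, scope, filt, exts = (unquote(f) for f in fields)
    scope = scope.lower() or "base"           # RFC 4516 default scope
    if scope not in ("base", "one", "sub"):
        raise ValueError("bad scope %r" % scope)
    filt = filt or "(objectClass=*)"          # RFC 4516 default filter
    if not filt.startswith("("):              # AD omits the RFC 4515 parentheses
        filt = "(%s)" % filt
    return LdapUrl(scheme, host, int(port) if port else default_port, dn,
                   [a for a in attrs.split(",") if a], scope, filt, exts)


def ldapsearch_argv(u: LdapUrl, bind_dn: Optional[str] = None) -> List[str]:
    """Build the argv for an ldapsearch matching the URL.  -x forces a simple
    bind (anonymous unless bind_dn is given), which sidesteps the
    "SASL(-4): no mechanism available" failure of the default SASL bind.
    -t makes ldapsearch write binary attribute values (the DER CRL) to files
    instead of base64 inside the LDIF output."""
    argv = ["ldapsearch", "-x", "-LLL", "-t",
            "-H", "%s://%s:%d" % (u.scheme, u.host, u.port),
            "-b", u.dn, "-s", u.scope]
    if bind_dn:                   # e.g. AD, which refuses anonymous searches
        argv += ["-D", bind_dn, "-W"]
    return argv + [u.filter] + u.attributes


def ldapsearch_command(url: str, default_host: Optional[str] = None,
                       bind_dn: Optional[str] = None) -> str:
    """Shell-quoted ldapsearch command line for the given LDAP URL."""
    return shlex.join(ldapsearch_argv(parse_ldap_url(url, default_host), bind_dn))


if __name__ == "__main__":
    # Constructed sample CDP URLs with placeholder names (not real directories).
    samples = [
        ("ldap://ldap.example.com/cn=Example%20CA,o=Example%20Inc"
         "?certificateRevocationList;binary?base?(objectClass=*)", None, None),
        ("ldap:///CN=Example%20CA,CN=CA1,CN=CDP,CN=Public%20Key%20Services,"
         "CN=Services,CN=Configuration,DC=example,DC=com"
         "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
         "dc1.example.com", "cn=reader,cn=users,dc=example,dc=com"),
    ]
    for url, host, bind in samples:
        print(ldapsearch_command(url, host, bind))
```

Two details map directly onto the errors in the thread: an empty base (-b "") is the root DSE, which most servers let anonymous clients read, whereas the CRL object itself needs the full DN from the URL; and the Active Directory "a successful bind must be completed" result is what an anonymous -x search gets from a default AD, so that case needs -D with a bind DN (and -W to prompt for the password). The attribute to ask for is certificateRevocationList (or certificateRevocationList;binary), and with -t the DER value lands in a file that openssl crl -inform DER can read.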