Hi all<br>I want to start LDAP service for publishing CRLs and Certificates for a Certificate Authority.<br>I am new to ldap and I have not yet found any good references to guide me how to use ldap for these purposes.<br>so I started playing around with Verisign&#39;s directory to get some ideas:<br>


according to VeriSign&#39;s knowledge base (<a href="https://knowledge.verisign.com/support/mpki-support/index?page=content&amp;id=SO2121&amp;actp=search&amp;viewlocale=en_US&amp;searchid=1305455725926">https://knowledge.verisign.com/support/mpki-support/index?page=content&amp;id=SO2121&amp;actp=search&amp;viewlocale=en_US&amp;searchid=1305455725926</a>) the script <b><br>

ldapsearch -h <a href="http://directory.verisign.com" target="_blank">directory.verisign.com</a> -b &quot;cn=&lt;common name&gt;,o=&lt;Org Name&gt;&quot; &quot;(o=*)&quot; &quot;certificaterevocationlist&quot;<br>
</b>should return the CRL. but as I mentioned SASL error was shown.<br>I also tried openldap on ubuntu but still the same problem. and when I tried to do ldapsearch on an Active Directory server which was publishing CRLs, again the same SASL error was shown .<br>

using -x somehow solved the problem for verisign but doing an empty search showed the following error:<br>result: 53 server is unwilling to perform<br>text: please enter more characters<br><br>but using -x on active directory server returned the following error:<br>

result: 1 operation error<br>text: 00000000 LdapErr: DSID-0X090627, comment In order to perform this operation a successful bind must be completed on connection., data 0 <br><br>can anyone guide how to download a CRL from Verisign (or any other public CA) by ldap?<br>

<br>any guides or references regarding how to setup a LDAP server for publishing Certificates and CRLs would be appreciated. <br><br><br><br><div class="gmail_quote">2011/5/16 Michael Ströder <span dir="ltr">&lt;<a href="mailto:michael@stroeder.com" target="_blank">michael@stroeder.com</a>&gt;</span><br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>Dan White wrote:<br>
&gt; On 15/05/11 17:59 +0430, Mohammad D wrote:<br>
</div><div>&gt;&gt; I have installed openldap 2.4.23 on windows server 2003. when I run this<br>
&gt;&gt; query on ldapsearch:<br>
&gt;&gt; ldapsearch -h <a href="http://directory.verisign.com" target="_blank">directory.verisign.com</a> -b &quot;cn=&lt;*&gt;&quot; &quot;(o=*)&quot;<br>
&gt;&gt; &quot;certificaterevocationlist&quot;<br>
&gt;&gt; I get the following error:<br>
&gt;&gt; SASL/EXTERNAL authentication started<br>
&gt;&gt; ldap_sasl_interactive_bind_s: Unknown authentication method (-6)<br>
&gt;&gt;        additional info: SASL(-4): no mechanism available:<br>
&gt;&gt;<br>
&gt;&gt; I installed MIT kerberos but it did not solve the problem.<br>
&gt;&gt; any one know whats the issue and how can it be solved?<br>
&gt;<br>
&gt; Did you build cyrus sasl with GSSAPI support?<br>
<br>
</div>Dan, why do you ask for GSSAPI?<br>
<br>
I guess the original poster just wants to use command-line option -x for<br>
simple anonymous bind. Also the search base (-b) seems to be wrong. It should<br>
be -b &quot;&quot; for an empty search base.<br>
<br>
I doubt that this will work anyway. Playing around with<br>
ldap://<a href="http://directory.verisign.com" target="_blank">directory.verisign.com</a> it returns<br>
<br>
Server is unwilling to perform:<br>
Presence filter is unsupported<br>
<br>
when searching with filter (o=*). Frankly I don&#39;t know whether this server is<br>
usable anymore for anything one would consider useful. That&#39;s the reason I<br>
removed it from the default select list in web2ldap&#39;s demo server.<br>
<br>
Side note:<br>
Verisign publishes its CRLs via HTTP: <a href="http://crl.verisign.com/" target="_blank">http://crl.verisign.com/</a><br>
<br>
Ciao, Michael.<br>
</blockquote></div><br>