OK. Thanks for the help so far; I could finally configure the Active Directory server to allow anonymous LDAP searches. The CRL Distribution Point given in the certificates issued by this server is:

    ldap:///CN=test,CN=testca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mohamad,DC=ir?certificateRevocationList?base?objectClass=cRLDistributionPoint

I did the following search on Ubuntu:

    ldapsearch -x -h 192.168.81.129 -b "CN=test,CN=testca,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mohamad,DC=ir" "(objectClass=cRLDistributionPoint)" certificateRevocationList

It returns:

    # extended LDIF
    #
    # LDAPv3
    # base <CN=test,CN=testca,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mohamad,DC=ir> with scope subtree
    # filter: (objectClass=cRLDistributionPoint)
    # requesting: certificateRevocationList
    #

    # search result
    search: 2
    result: 32 No such object
    matchedDN: CN=Configuration,DC=mohamad,DC=ir
    text: 0000208D: NameErr: DSID-03151EFD, problem 2001 (NO_OBJECT), data 0, best match of:
            'CN=Configuration,DC=mohamad,DC=ir'

    # numResponses: 1

Is the search query wrong, or is the server not publishing the CRL? (There is one revoked certificate in the CRL.)
BTW, only the second link works, but it's in German and I don't know German. Any references or advice in this context will be appreciated.
2011/5/16 Michael Ströder michael@stroeder.com
Mohammad D wrote:
I want to start an LDAP service for publishing CRLs and certificates for a Certificate Authority. I am new to LDAP and I have not yet found any good references to guide me on how to use LDAP for these purposes.
See RFC 4523 for object class pkiCA etc.
You can find examples in the LDAP servers of various German trust centers.
One example:
http://demo.web2ldap.de:1760/web2ldap?ldap://www.trustcenter.de/o%3DTC%20Tru...
There are also ldap.signtrust.de, directory.d-trust.de and others.
So I started playing around with VeriSign's directory to get some ideas, according to VeriSign's knowledge base <https://knowledge.verisign.com/support/mpki-support/index?page=content&i...>
In the example command-line you would have to know the cn and o of an existing entry to form a correct search base.
$ -b "cn=<common name>,o=<Org Name>"
<common name> and <Org Name> are just placeholders.
But as I mentioned, a SASL error was shown.
That's why you have to use -x with ldapsearch to send a simple bind request.
Using -x somehow solved the problem for VeriSign, but doing an empty search showed the following error:

    result: 53 server is unwilling to perform
    text: please enter more characters
That's because you are just using the placeholders.
But using -x on the Active Directory server returned the following error:

    result: 1 operation error
    text: 00000000 LdapErr: DSID-0X090627, comment In order to perform this operation a successful bind must be completed on connection., data 0
That's because MS AD does not allow anonymous searches.
Ciao, Michael.
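As an added example (my own code, not from this thread or from the OpenLDAP project), the following Python script parses the CDP URL quoted above according to RFC 4516 and renders it as the matching ldapsearch invocation, then reads the result code and matchedDN out of the pasted LDIF tail to show which RDNs of the base DN the server did not resolve. Two details it makes visible: ldapsearch defaults to subtree scope while the URL says base (hence -s base), and AD writes the URL's filter without the parentheses RFC 4515 requires, so they are added. The URL has an empty host, so the host 192.168.81.129 from the message is passed in as a fallback; the function names and the SAMPLE_LDIF text are constructed for the example.

```python
"""Added example (not code from this thread): parse an LDAP CRL Distribution
Point URL per RFC 4516, build the matching ldapsearch command line, and read
the result code / matchedDN out of ldapsearch's LDIF output to see how far
the server could resolve the base DN.  Function names are my own."""
import shlex
from urllib.parse import unquote

# CDP URL copied from the certificate quoted in the message.
CDP_URL = (
    "ldap:///CN=test,CN=testca,CN=CDP,CN=Public%20Key%20Services,"
    "CN=Services,CN=Configuration,DC=mohamad,DC=ir"
    "?certificateRevocationList?base?objectClass=cRLDistributionPoint"
)

# Constructed sample of the LDIF tail that ldapsearch printed in the message.
SAMPLE_LDIF = """\
# search result
search: 2
result: 32 No such object
matchedDN: CN=Configuration,DC=mohamad,DC=ir
text: 0000208D: NameErr: DSID-03151EFD, problem 2001 (NO_OBJECT), data 0

# numResponses: 1
"""


def parse_ldap_url(url):
    """Split an RFC 4516 URL into scheme, host, port, dn, attrs, scope, filter.

    Missing parts take the RFC defaults (scope base, filter objectClass=*).
    AD omits the surrounding parentheses RFC 4515 requires on the filter,
    so they are added when absent.
    """
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, tail = rest.partition("/")      # authority / dn?attrs?scope?filter
    parts = tail.split("?") + [""] * 4
    dn, attrs, scope, filt = (unquote(p) for p in parts[:4])
    host, _, port = hostport.partition(":")
    scope = scope.lower() or "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError("bad scope %r" % scope)
    if filt and not filt.startswith("("):
        filt = "(%s)" % filt
    return {
        "scheme": scheme,
        "host": host or None,          # empty host: the client must pick a server
        "port": int(port) if port else None,
        "dn": dn,
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope,
        "filter": filt or "(objectClass=*)",
    }


def ldapsearch_command(info, default_host=None):
    """Render the parsed URL as an OpenLDAP ldapsearch invocation.

    -x: simple (here anonymous) bind; -s: scope from the URL instead of the
    ldapsearch default of sub; -b: base DN with percent-encoding removed.
    """
    host = info["host"] or default_host
    if host is None:
        raise ValueError("URL has no host; pass default_host (e.g. a domain controller)")
    uri = "%s://%s" % (info["scheme"], host)
    if info["port"]:
        uri += ":%d" % info["port"]
    argv = ["ldapsearch", "-x", "-H", uri, "-s", info["scope"],
            "-b", info["dn"], info["filter"]] + info["attrs"]
    return shlex.join(argv)


def diagnose_ldif(ldif_text):
    """Pull the LDAP result code, message and matchedDN from ldapsearch output."""
    out = {"code": None, "message": "", "matchedDN": None}
    for line in ldif_text.splitlines():
        if line.startswith("result:"):
            code, _, msg = line[len("result:"):].strip().partition(" ")
            out["code"], out["message"] = int(code), msg
        elif line.startswith("matchedDN:"):
            out["matchedDN"] = line[len("matchedDN:"):].strip()
    return out


def unresolved_rdns(base_dn, matched_dn):
    """RDNs of base_dn below matchedDN, i.e. the part the server did not find
    (or would not show this client).  Case-insensitive string comparison is
    adequate for AD's own configuration-partition DNs."""
    if not matched_dn:
        return base_dn
    suffix = "," + matched_dn
    if base_dn.lower().endswith(suffix.lower()):
        return base_dn[:-len(suffix)]
    return base_dn


if __name__ == "__main__":
    info = parse_ldap_url(CDP_URL)
    print(ldapsearch_command(info, default_host="192.168.81.129"))
    res = diagnose_ldif(SAMPLE_LDIF)
    print("result %d (%s); server resolved up to: %s"
          % (res["code"], res["message"], res["matchedDN"]))
    print("not found below that:", unresolved_rdns(info["dn"], res["matchedDN"]))
```

For the pasted output the script reports that everything below CN=Configuration,DC=mohamad,DC=ir went unresolved, which is the first thing to check: the anonymous client may simply not be allowed to see those container entries, or the path in the URL may not match what the CA actually published, and the rendered command is the one to rerun once either has been confirmed.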