Hi all
I have installed OpenLDAP 2.4.23 on Windows Server 2003. When I run this query with ldapsearch:
ldapsearch -h directory.verisign.com -b "cn=<*>" "(o=*)" "certificaterevocationlist"
I get the following error:
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
I installed MIT Kerberos but it did not solve the problem. Does anyone know what the issue is and how it can be solved?
On 15/05/11 17:59 +0430, Mohammad D wrote:
Hi all
I have installed OpenLDAP 2.4.23 on Windows Server 2003. When I run this query with ldapsearch:
ldapsearch -h directory.verisign.com -b "cn=<*>" "(o=*)" "certificaterevocationlist"
I get the following error:
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
I installed MIT Kerberos but it did not solve the problem. Does anyone know what the issue is and how it can be solved?
Did you build cyrus sasl with GSSAPI support?
See:
http://www.cyrusimap.org/docs/cyrus-sasl/2.1.23/windows.php
Dan White wrote:
On 15/05/11 17:59 +0430, Mohammad D wrote:
I have installed OpenLDAP 2.4.23 on Windows Server 2003. When I run this query with ldapsearch:
ldapsearch -h directory.verisign.com -b "cn=<*>" "(o=*)" "certificaterevocationlist"
I get the following error:
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
I installed MIT Kerberos but it did not solve the problem. Does anyone know what the issue is and how it can be solved?
Did you build cyrus sasl with GSSAPI support?
Dan, why do you ask for GSSAPI?
I guess the original poster just wants to use command-line option -x for simple anonymous bind. Also the search base (-b) seems to be wrong. It should be -b "" for an empty search base.
I doubt that this will work anyway. Playing around with ldap://directory.verisign.com it returns
Server is unwilling to perform: Presence filter is unsupported
when searching with filter (o=*). Frankly I don't know whether this server is usable anymore for anything one would consider useful. That's the reason I removed it from the default select list in web2ldap's demo server.
Side note: Verisign publishes its CRLs via HTTP: http://crl.verisign.com/
Ciao, Michael.
Hi all, I want to start an LDAP service for publishing CRLs and certificates for a Certificate Authority. I am new to LDAP and I have not yet found any good references to guide me on how to use LDAP for these purposes. So I started playing around with Verisign's directory to get some ideas: according to VeriSign's knowledge base (https://knowledge.verisign.com/support/mpki-support/index?page=content&i...) the script
ldapsearch -h directory.verisign.com -b "cn=<common name>,o=<Org Name>" "(o=*)" "certificaterevocationlist"
should return the CRL. But as I mentioned, the SASL error was shown. I also tried OpenLDAP on Ubuntu but still had the same problem. And when I tried to do an ldapsearch on an Active Directory server which was publishing CRLs, again the same SASL error was shown. Using -x somehow solved the problem for Verisign, but doing an empty search showed the following error:
result: 53 server is unwilling to perform
text: please enter more characters
But using -x on the Active Directory server returned the following error:
result: 1 operation error
text: 00000000 LdapErr: DSID-0X090627, comment In order to perform this operation a successful bind must be completed on connection., data 0
Can anyone guide me on how to download a CRL from Verisign (or any other public CA) via LDAP?
Any guides or references regarding how to set up an LDAP server for publishing certificates and CRLs would be appreciated.
Mohammad D wrote:
I want to start an LDAP service for publishing CRLs and certificates for a Certificate Authority. I am new to LDAP and I have not yet found any good references to guide me on how to use LDAP for these purposes.
See RFC 4523 for object class pkiCA etc.
You can find examples in the LDAP servers of various German trust centers.
One example:
http://demo.web2ldap.de:1760/web2ldap?ldap://www.trustcenter.de/o%3DTC%20Tru...
There are also ldap.signtrust.de, directory.d-trust.de and others.
So I started playing around with Verisign's directory to get some ideas: according to VeriSign's knowledge base (https://knowledge.verisign.com/support/mpki-support/index?page=content&id=SO2121&actp=search&viewlocale=en_US&searchid=1305455725926)
In the example command-line you would have to know the cn and o of an existing entry to form a correct search base.
$ -b "cn=<common name>,o=<Org Name>"
<common name> <Org Name>
are just placeholders.
But as I mentioned, the SASL error was shown.
That's why you have to use -x with ldapsearch to send a simple bind request.
Using -x somehow solved the problem for Verisign, but doing an empty search showed the following error:
result: 53 server is unwilling to perform
text: please enter more characters
That's because you are just using the placeholders.
But using -x on the Active Directory server returned the following error:
result: 1 operation error
text: 00000000 LdapErr: DSID-0X090627, comment In order to perform this operation a successful bind must be completed on connection., data 0
That's because MS AD does not allow anonymous searches.
Ciao, Michael.
OK, thanks for the help so far. I could finally configure the Active Directory server to allow anonymous LDAP searches. The CRL Distribution Point given in the certificates issued by this server is:
ldap:///CN=test,CN=testca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mohamad,DC=ir?certificateRevocationList?base?objectClass=cRLDistributionPoint
I did the following search on Ubuntu:
ldapsearch -x -h 192.168.81.129 -b "CN=test,CN=testca,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mohamad,DC=ir" "(objectClass=cRLDistributionPoint)" certificateRevocationList
It returns:
# extended LDIF
#
# LDAPv3
# base <CN=test,CN=testca,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mohamad,DC=ir> with scope subtree
# filter: (objectClass=cRLDistributionPoint)
# requesting: certificateRevocationList
#

# search result
search: 2
result: 32 No such object
matchedDN: CN=Configuration,DC=mohamad,DC=ir
text: 0000208D: NameErr: DSID-03151EFD, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Configuration,DC=mohamad,DC=ir'

# numResponses: 1
Is the search query wrong, or is the server not publishing the CRL? (There is one revoked certificate in the CRL.)
BTW only the second link works, but it's German and I don't know German. Any references or advice in this context would be appreciated.
Mohammad D wrote:
I could finally configure the Active Directory server to allow anonymous LDAP searches.
You should not do that. At least you should not assume that an AD admin is willing to allow that. You should bind as any user who can read the configuration partition.
The CRL Distribution Point given in the certificates issued by this server is: ldap:///CN=test,CN=testca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mohamad,DC=ir?certificateRevocationList?base?objectClass=cRLDistributionPoint
Is this a running CA? Details about how MS Certificate Services work with MS AD are best asked in Microsoft forums.
I did the following search on Ubuntu: ldapsearch -x -h 192.168.81.129 -b "CN=test,CN=testca,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mohamad,DC=ir" "(objectClass=cRLDistributionPoint)" certificateRevocationList
It returns: [..] result: 32 No such object
Which means the entry specified with -b does not exist.
BTW only the second link works, but it's German and I don't know German.
2011/5/16 Michael Ströder <michael@stroeder.com mailto:michael@stroeder.com> There is also ldap.signtrust.de http://ldap.signtrust.de directory.d-trust.de http://directory.d-trust.de
That's what your mail reader automagically turned my text into. But these were meant just as the *hostnames*, not HTTP URLs, of LDAP servers listening on port 389.
ldap://ldap.signtrust.de ldap://directory.d-trust.de
Sorry, I can't help you any further at that detailed level.
Ciao, Michael.
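To tie together the points raised in this thread (use -x for a simple bind, keep the scope the CDP URL asks for instead of the default subtree search, percent-decode the DN, and bind as a reader rather than opening AD to anonymous searches), here is a small RFC 4516 LDAP URL parser that emits the matching ldapsearch command line. It is an added example written for this thread, not code from the OpenLDAP project or from any poster; the host 192.168.81.129 and the CDP URL are taken from the thread, while the reader account cn=reader,dc=mohamad,dc=ir is a hypothetical placeholder.

```python
"""Turn the LDAP URL from a certificate's CRL Distribution Point into an
ldapsearch(1) command line (added example, not OpenLDAP project code)."""
import shlex
from urllib.parse import unquote

# Constructed sample input: the CDP URL quoted in the thread (ldap:/// = no host).
SAMPLE_CDP_URL = ("ldap:///CN=test,CN=testca,CN=CDP,CN=Public%20Key%20Services,"
                  "CN=Services,CN=Configuration,DC=mohamad,DC=ir"
                  "?certificateRevocationList?base?objectClass=cRLDistributionPoint")

def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into host, DN, attributes, scope and filter.
    Every component is percent-decoded (e.g. %20 becomes a space in the DN)."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    host, _, path = rest.partition("/")
    dn, attrs, scope, filt = (path.split("?") + ["", "", "", ""])[:4]
    scope = scope.lower() or "base"          # RFC 4516: a missing scope means base
    if scope not in ("base", "one", "sub"):
        raise ValueError("unknown scope: %r" % scope)
    filt = unquote(filt) or "(objectClass=*)"
    if not filt.startswith("("):             # AD writes the filter without parentheses
        filt = "(%s)" % filt
    return {
        "scheme": scheme.lower(),
        "host": unquote(host),
        "dn": unquote(dn),
        "attrs": [unquote(a) for a in attrs.split(",") if a],
        "scope": scope,
        "filter": filt,
    }

def ldapsearch_command(url, default_host, bind_dn=None):
    """Build the ldapsearch invocation for a CDP URL.  -x forces a simple bind
    (no SASL); -s keeps the scope from the URL so a 'base' lookup is not turned
    into the default subtree search.  A CDP URL normally omits the host, so the
    caller supplies default_host; bind_dn is used when the server (like AD)
    refuses anonymous reads."""
    p = parse_ldap_url(url)
    cmd = ["ldapsearch", "-x", "-H", "%s://%s" % (p["scheme"], p["host"] or default_host)]
    if bind_dn:
        cmd += ["-D", bind_dn, "-W"]         # -W prompts for the bind password
    cmd += ["-s", p["scope"], "-b", p["dn"], p["filter"]] + p["attrs"]
    return " ".join(shlex.quote(c) for c in cmd)

if __name__ == "__main__":
    # cn=reader,... is a hypothetical account that can read the configuration partition
    print(ldapsearch_command(SAMPLE_CDP_URL, "192.168.81.129", "cn=reader,dc=mohamad,dc=ir"))
```

The resulting command still reports result 32 if the CDP entry itself does not exist on the server, which is what Michael's reading of the "No such object" result means.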
Mohammad D wrote:
Hi all, I want to start an LDAP service for publishing CRLs and certificates for a Certificate Authority. I am new to LDAP and I have not yet found any good references to guide me on how to use LDAP for these purposes. So I started playing around with Verisign's directory to get some ideas: according to VeriSign's knowledge base (https://knowledge.verisign.com/support/mpki-support/index?page=content&id=SO2121&actp=search&viewlocale=en_US&searchid=1305455725926) the script ldapsearch -h directory.verisign.com -b "cn=<common name>,o=<Org Name>" "(o=*)" "certificaterevocationlist" should return the CRL.
If a pubkey and/or a CRL is stored ;-)
I am only a poor man :-) and do not have a Verisign cert. From my Firefox browser's cert cache there is only one Verisign cert, but w/o CRL :-( . I assume that this cert is no longer stored at Verisign.
"cn" and "o" are from the old public key of "KAPLAN INC", a company which is totally unknown to me. I believe they have changed their CA.
ldapsearch -x -h directory.verisign.com -b "cn=www.selftestsoftware.com,o=KAPLAN INC" "o=KAPLAN INC" "certificaterevocationlist"
# extended LDIF
#
# LDAPv3
# base <cn=www.selftestsoftware.com,o=KAPLAN INC> with scope subtree
# filter: o=KAPLAN INC
# requesting: certificaterevocationlist
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
On Sunday, 15 May 2011 15:29:34 Mohammad D wrote:
Hi all
I have installed OpenLDAP 2.4.23 on Windows Server 2003. When I run this query with ldapsearch:
ldapsearch -h directory.verisign.com -b "cn=<*>" "(o=*)" "certificaterevocationlist"
I get the following error:
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
If you don't want SASL, use the -x option.
I installed MIT Kerberos but it did not solve the problem. Does anyone know what the issue is and how it can be solved?
It is better to tell us what you are trying to achieve first, than what you did in an attempt to reach some unknown goal ...
Regards, Buchan
openldap-technical@openldap.org