Hi all,

I want to start an LDAP service for publishing CRLs and certificates for a Certificate Authority. I am new to LDAP and have not yet found any good references to guide me on how to use LDAP for these purposes, so I started playing around with VeriSign's directory to get some ideas. According to VeriSign's knowledge base (https://knowledge.verisign.com/support/mpki-support/index?page=content&id=SO2121&actp=search&viewlocale=en_US&searchid=1305455725926) the command

  ldapsearch -h directory.verisign.com -b "cn=<common name>,o=<Org Name>" "(o=*)" "certificaterevocationlist"

should return the CRL, but as I mentioned, the SASL error was shown. I also tried OpenLDAP on Ubuntu but still had the same problem, and when I tried to do an ldapsearch against an Active Directory server which was publishing CRLs, again the same SASL error was shown. Using -x somehow solved the problem for VeriSign, but doing an empty search showed the following error:

  result: 53 server is unwilling to perform
  text: please enter more characters
But using -x on the Active Directory server returned the following error:

  result: 1 operation error
  text: 00000000 LdapErr: DSID-0X090627, comment In order to perform this operation a successful bind must be completed on connection., data 0

Can anyone guide me on how to download a CRL from VeriSign (or any other public CA) by LDAP? Any guides or references regarding how to set up an LDAP server for publishing certificates and CRLs would be appreciated.

2011/5/16 Michael Ströder <[email protected]>

> Dan White wrote:
> > On 15/05/11 17:59 +0430, Mohammad D wrote:
> >> I have installed openldap 2.4.23 on Windows Server 2003. When I run this
> >> query on ldapsearch:
> >> ldapsearch -h directory.verisign.com -b "cn=<*>" "(o=*)"
> >> "certificaterevocationlist"
> >> I get the following error:
> >> SASL/EXTERNAL authentication started
> >> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> >> additional info: SASL(-4): no mechanism available:
> >>
> >> I installed MIT Kerberos but it did not solve the problem.
> >> Anyone know what's the issue and how can it be solved?
> >
> > Did you build cyrus sasl with GSSAPI support?
>
> Dan, why do you ask for GSSAPI?
>
> I guess the original poster just wants to use command-line option -x for
> simple anonymous bind. Also the search base (-b) seems to be wrong. It should
> be -b "" for an empty search base.
>
> I doubt that this will work anyway. Playing around with
> ldap://directory.verisign.com it returns
>
> Server is unwilling to perform:
> Presence filter is unsupported
>
> when searching with filter (o=*). Frankly I don't know whether this server is
> usable anymore for anything one would consider useful. That's the reason I
> removed it from the default select list in web2ldap's demo server.
>
> Side note:
> Verisign publishes its CRLs via HTTP: http://crl.verisign.com/
>
> Ciao, Michael.
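
Once the bind problem is solved the way Michael describes (-x for a simple anonymous bind, -b "" for an empty base), the next thing that bites when scripting this is the output itself: ldapsearch prints LDIF, the CRL comes back as an attribute with a ";binary" option, its value is base64 after a double colon, and long values are folded at 76 columns with a leading space on each continuation line. The script below is an added example, not code from this thread or from OpenLDAP: it unfolds and parses that LDIF, decodes the CRL, and walks enough of the DER CertificateList structure (RFC 5280 section 5.1) to report the issuer CN, thisUpdate, nextUpdate and the number of revoked serials, plus a freshness check. Everything in it is constructed for the demonstration: the entry "cn=Example Test CA,o=Example Org", the issuer name and the CRL bytes (including the dummy signature) are invented, no directory is contacted, and the signature is not verified, so a CRL obtained this way still has to be checked against the issuer's certificate before anything trusts it.

```python
"""Added example: extract a CRL from ldapsearch LDIF output and sanity-check the DER (no server contact)."""
import base64
from datetime import datetime, timezone

OID_CN = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)

def der(tag, content):
    """Encode one DER TLV; long length form above 127 bytes."""
    n = len(content)
    if n >= 0x80:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + content
    return bytes([tag, n]) + content

def der_tlv(buf, pos):
    """Decode the TLV at pos: (tag, content, position after it); refuses lengths past the buffer."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def tlvs(buf):                                   # yield every top-level (tag, content) pair in buf
    p = 0
    while p < len(buf):
        tag, content, p = der_tlv(buf, p)
        yield tag, content

def build_sample_crl():
    """Constructed v2 CRL: sha256WithRSA algorithm, CN-only issuer, two revoked serials, dummy signature."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, b"Example Test CA"))))
    entry = lambda serial, when: der(0x30, der(0x02, serial) + der(0x17, when))
    revoked = der(0x30, entry(b"\x10\x01", b"110510090000Z") + entry(b"\x10\x02", b"110512090000Z"))
    tbs = der(0x30, der(0x02, b"\x01") + alg + issuer + der(0x17, b"110516120000Z")
              + der(0x17, b"110523120000Z") + revoked)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\xAA" * 32))

def fold(line, width=76):                        # fold as ldapsearch does: continuation lines start with a space
    return "\n".join([line[:width]] + [" " + line[i:i + width - 1] for i in range(width, len(line), width - 1)])

SAMPLE_CRL_DER = build_sample_crl()
SAMPLE_LDIF = "\n".join([                        # constructed ldapsearch output for one entry
    "# extended LDIF", "#",
    "dn: cn=Example Test CA,o=Example Org",
    "objectClass: cRLDistributionPoint",
    "cn: Example Test CA",
    fold("certificateRevocationList;binary:: " + base64.b64encode(SAMPLE_CRL_DER).decode()),
    "", "# search result", "search: 2", "result: 0 Success", "", "# numEntries: 1",
])

def parse_ldif(text):
    """Unfold continuation lines, decode '::' base64 values, strip ';binary'; keep entries that have a dn."""
    entries, current = [], {}
    for line in text.replace("\n ", "").split("\n") + [""]:   # unfold; trailing "" flushes the last entry
        if not line:
            if "dn" in current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            value = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
            current.setdefault(name.split(";")[0].lower(), []).append(value)
    return entries

def parse_time(tag, content):
    """UTCTime (0x17; two-digit year, 50-99 -> 19xx per RFC 5280) or GeneralizedTime (0x18)."""
    s = content.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag {tag:#x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def issuer_cn(name):                             # Name = SEQUENCE OF SET OF AttributeTypeAndValue
    for _, rdn in tlvs(name):
        oid, value = [c for _, c in tlvs(next(tlvs(rdn))[1])]
        if oid == OID_CN:
            return value.decode("utf-8")
    return None

def parse_crl(blob):
    """Minimal CertificateList walk; does NOT verify the signature."""
    tag, body, end = der_tlv(blob, 0)
    if tag != 0x30 or end != len(blob):
        raise ValueError("not a single DER SEQUENCE")
    fields = list(tlvs(der_tlv(body, 0)[1]))     # tbsCertList members in order
    version = int.from_bytes(fields.pop(0)[1], "big") + 1 if fields[0][0] == 0x02 else 1
    (_, issuer), (ttag, tval), rest = fields[1], fields[2], fields[3:]   # fields[0] is the AlgorithmIdentifier
    nxt = parse_time(*rest.pop(0)) if rest and rest[0][0] in (0x17, 0x18) else None
    revoked = sum(1 for _ in tlvs(rest[0][1])) if rest and rest[0][0] == 0x30 else 0
    return {"version": version, "issuer_cn": issuer_cn(issuer), "this_update": parse_time(ttag, tval),
            "next_update": nxt, "revoked_count": revoked}

def crl_is_current(info, now):                   # usable iff thisUpdate <= now < nextUpdate (no nextUpdate: no bound)
    return info["this_update"] <= now and (info["next_update"] is None or now < info["next_update"])

def crls_from_ldif(text):
    """Return [(dn, crl_info)] for every certificateRevocationList value in the output."""
    return [(e["dn"][0], parse_crl(v)) for e in parse_ldif(text) for v in e.get("certificaterevocationlist", [])]

if __name__ == "__main__":
    for dn, info in crls_from_ldif(SAMPLE_LDIF):
        print(dn, info, "current:", crl_is_current(info, info["this_update"]))
```

In practice the text passed to crls_from_ldif is whatever ldapsearch printed to stdout for a query requesting certificateRevocationList; the parser tolerates the "# ..." comment lines and the trailing "search:"/"result:" block that ldapsearch adds, since only blocks containing a dn are treated as entries. The bounds check in der_tlv is deliberate: a directory you do not control is untrusted input, and a length field that points past the buffer should fail loudly rather than be silently truncated.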
