Mohammad D wrote:
> I want to start LDAP service for publishing CRLs and Certificates for a
> Certificate Authority.
> I am new to ldap and I have not yet found any good references to guide me how
> to use ldap for these purposes.
See RFC 4523 for object class pkiCA etc. You can find examples in LDAP servers of various German trust centers. One example:

http://demo.web2ldap.de:1760/web2ldap?ldap://www.trustcenter.de/o%3DTC%20TrustCenter%2Cou%3Dcacerts%2Cdc%3Dtrustcenter%2Cdc%3Dde??one?%28objectClass%3D%2A%29

There is also ldap.signtrust.de, directory.d-trust.de and others.

> so I started playing around with Verisign's directory to get some ideas:
> according to VeriSign's knowledge base
> <https://knowledge.verisign.com/support/mpki-support/index?page=content&id=SO2121&actp=search&viewlocale=en_US&searchid=1305455725926>)

In the example command-line you would have to know the cn and o of an existing entry to form a correct search base.

$ -b "cn=<common name>,o=<Org Name>"

<common name> <Org Name> are just placeholders.

> but as I mentioned SASL error was shown.

That's why you have to use -x with ldapsearch to send a simple bind request.

> using -x somehow solved the problem for verisign but doing an empty search
> showed the following error:
> result: 53 server is unwilling to perform
> text: please enter more characters

That's because you are just using the placeholders.

> but using -x on active directory server returned the following error:
> result: 1 operation error
> text: 00000000 LdapErr: DSID-0X090627, comment In order to perform this
> operation a successful bind must be completed on connection., data 0

That's because MS AD does not allow anonymous searches.

Ciao, Michael.
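The reply points at the RFC 4523 object class pkiCA for publishing CA certificates and CRLs. As an added example (not code from this thread), the Python below parses a constructed LDIF entry for such a CA and checks the points that commonly go wrong when loading it: objectClass pkiCA present, the RFC 4523 certificate/CRL attributes carried with the ;binary transfer option, and each value being DER (leading SEQUENCE tag). The DN, attribute values and sample LDIF are made up for the example.

```python
import base64
import re

# Constructed sample LDIF for an RFC 4523 pkiCA entry (not from the list post).
# The base64 values are placeholder DER bytes, not a real certificate or CRL.
SAMPLE_LDIF = """dn: cn=Example CA,o=Example Org,dc=example,dc=com
objectClass: top
objectClass: organizationalRole
objectClass: pkiCA
cn: Example CA
cACertificate;binary:: MAMCAQA=
certificateRevocationList;binary:: MAMCAQA=
"""

# Attribute types RFC 4523 defines for pkiCA; all hold DER, transferred with ;binary
PKICA_BINARY_ATTRS = {
    "cacertificate", "certificaterevocationlist",
    "authorityrevocationlist", "crosscertificatepair",
}

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr: [bytes]}; handles '::' base64 and folded lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        m = re.match(r"^([^:]+)(::?) ?(.*)$", line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        attr, sep, value = m.groups()
        data = base64.b64decode(value) if sep == "::" else value.encode()
        entry.setdefault(attr.lower(), []).append(data)
    return entry

def check_pkica_entry(entry):
    """Return a list of problems; an empty list means the entry looks publishable."""
    problems = []
    classes = {v.decode().lower() for v in entry.get("objectclass", [])}
    if "pkica" not in classes:
        problems.append("objectClass pkiCA missing")
    for attr, values in entry.items():
        base, _, option = attr.partition(";")
        if base in PKICA_BINARY_ATTRS:
            if option != "binary":
                problems.append("%s should be transferred as %s;binary" % (base, base))
            for v in values:
                if not v or v[0] != 0x30:  # a DER certificate or CRL starts with SEQUENCE
                    problems.append("%s value is not DER (no leading SEQUENCE)" % attr)
    return problems
```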
