ok. thanks for the help so far
I could finally configure active directory server to allow anonymous LDAP
searches. the CRL Distribution Point given in the certificates issued by
this server is :
ldap:///CN=test,CN=testca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mohamad,DC=ir?certificateRevocationList?base?objectClass=cRLDistributionPoint

I did the following search on Ubuntu:

ldapsearch -x -h 192.168.81.129 -b "CN=test,CN=testca,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mohamad,DC=ir" "(objectClass=cRLDistributionPoint)" certificateRevocationList

it returns:
# extended LDIF
#
# LDAPv3
# base <CN=test,CN=testca,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mohamad,DC=ir> with scope subtree
# filter: (objectClass=cRLDistributionPoint)
# requesting: certificateRevocationList
#

# search result
search: 2
result: 32 No such object
matchedDN: CN=Configuration,DC=mohamad,DC=ir
text: 0000208D: NameErr: DSID-03151EFD, problem 2001 (NO_OBJECT), data 0, best match of:
    'CN=Configuration,DC=mohamad,DC=ir'


# numResponses: 1

Is the search query wrong, or is the server not publishing the CRL? (There is
one revoked certificate in the CRL.)

BTW, only the second link works, but it's German and I don't know German. Any
references or advice in this context will be appreciated.

2011/5/16 Michael Ströder <[email protected]>

> Mohammad D wrote:
> > I want to start LDAP service for publishing CRLs and Certificates for a
> > Certificate Authority.
> > I am new to ldap and I have not yet found any good references to guide me
> > how to use ldap for these purposes.
>
> See RFC 4523 for object class pkiCA etc.
>
> You can find examples in LDAP servers of various German trust centers.
>
> One example:
>
>
> http://demo.web2ldap.de:1760/web2ldap?ldap://www.trustcenter.de/o%3DTC%20TrustCenter%2Cou%3Dcacerts%2Cdc%3Dtrustcenter%2Cdc%3Dde??one?%28objectClass%3D%2A%29
>
> There is also
> ldap.signtrust.de
> directory.d-trust.de
> and others
>
> > so I started playing around with Verisign's directory to get some ideas:
> > according to VeriSign's knowledge base
> > <
> https://knowledge.verisign.com/support/mpki-support/index?page=content&id=SO2121&actp=search&viewlocale=en_US&searchid=1305455725926
> >)
>
> In the example command-line you would have to know the cn and o of an
> existing entry to form a correct search base.
>
> $ -b "cn=<common name>,o=<Org Name>"
>
> <common name>
> <Org Name>
>
> are just placeholders.
>
> > but as I mentioned SASL error was shown.
>
> That's why you have to use -x with ldapsearch to send a simple bind
> request.
>
> > using -x somehow solved the problem for verisign but doing an empty
> > search showed the following error:
> > result: 53 server is unwilling to perform
> > text: please enter more characters
>
> That's because you are just using the placeholders.
>
> > but using -x on active directory server returned the following error:
> > result: 1 operation error
> > text: 00000000 LdapErr: DSID-0X090627, comment In order to perform this
> > operation a successful bind must be completed on connection., data 0
>
> That's because MS AD does not allow anonymous searches.
>
> Ciao, Michael.
>

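As an added example (not code from either message in this thread), the following Python uses only the standard library to take the CRL Distribution Point URL quoted above apart according to RFC 4516 (base DN, attributes, scope, filter) and derive the equivalent ldapsearch invocation, so the client search matches the URL exactly, including the base scope the URL specifies. It also shows how to read the matchedDN that comes back with a "No such object" result: per RFC 4511 it names the deepest entry the server did find, so the RDN just below it is the one the server could not locate (or, on AD with anonymous access, could not show to that bind). Assumptions: the sample URL and the host 192.168.81.129 are taken from the message; the DN splitting is naive (no escaped commas in RDN values), which holds for the DNs in this thread.

```python
"""Parse an RFC 4516 LDAP URL (e.g. an AD certificate's CRL Distribution
Point) into an equivalent ldapsearch invocation, and interpret matchedDN.

Added example; not code from the thread. Uses only the standard library.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Sample input: the CDP URL quoted in the message (constructed here).
SAMPLE_CDP = (
    "ldap:///CN=test,CN=testca,CN=CDP,CN=Public%20Key%20Services,"
    "CN=Services,CN=Configuration,DC=mohamad,DC=ir"
    "?certificateRevocationList?base?objectClass=cRLDistributionPoint"
)


@dataclass
class LdapUrl:
    scheme: str           # "ldap" or "ldaps"
    host: Optional[str]   # None for "ldap:///": the client must choose a server
    port: Optional[int]
    dn: str               # search base, percent-decoded
    attrs: List[str]      # attributes to return (empty = all user attributes)
    scope: str            # "base", "one" or "sub"
    filter: str           # RFC 4515 filter, parenthesised


def parse_ldap_url(url: str) -> LdapUrl:
    """Split ldap://host:port/dn?attrs?scope?filter?extensions (RFC 4516).
    Components after the DN are optional; defaults follow the RFC."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    # urlsplit keeps everything after the first '?' in .query, so the
    # '?'-separated attrs/scope/filter fields are still intact there.
    dn = unquote(parts.path.lstrip("/"))
    fields = parts.query.split("?")
    attrs = [a for a in unquote(fields[0]).split(",") if a] if fields[0] else []
    scope = fields[1].lower() if len(fields) > 1 and fields[1] else "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"bad scope in LDAP URL: {scope!r}")
    filt = unquote(fields[2]) if len(fields) > 2 and fields[2] else "(objectClass=*)"
    # AD writes the CDP filter without the parentheses RFC 4515 requires.
    if not filt.startswith("("):
        filt = f"({filt})"
    return LdapUrl(parts.scheme, parts.hostname, parts.port, dn, attrs, scope, filt)


def ldapsearch_argv(u: LdapUrl, host: Optional[str] = None) -> List[str]:
    """argv for OpenLDAP's ldapsearch performing exactly the URL's search:
    simple bind (-x), same base, same scope, same filter, same attributes."""
    target = host or u.host
    if target is None:
        raise ValueError("URL names no host; pass one explicitly")
    uri = f"{u.scheme}://{target}" + (f":{u.port}" if u.port else "")
    return ["ldapsearch", "-x", "-H", uri, "-b", u.dn, "-s", u.scope,
            u.filter, *u.attrs]


def split_dn(dn: str) -> List[str]:
    """Naive RDN split on ',' (assumption: no escaped commas in values)."""
    return [rdn.strip() for rdn in dn.split(",") if rdn.strip()]


def unresolved_rdns(target_dn: str, matched_dn: str) -> List[str]:
    """RDNs of target_dn the server did not find, outermost last.

    A noSuchObject result carries matchedDN, the deepest existing entry on the
    path to the target (RFC 4511 4.1.9); the last element returned here is
    therefore the first entry the server could not locate for this bind.
    """
    target = split_dn(target_dn)
    matched = split_dn(matched_dn)
    if not matched:
        return target
    tail = [r.lower() for r in target[len(target) - len(matched):]]
    if tail != [r.lower() for r in matched]:
        raise ValueError("matchedDN is not a suffix of the target DN")
    return target[: len(target) - len(matched)]


if __name__ == "__main__":
    u = parse_ldap_url(SAMPLE_CDP)
    print(shlex.join(ldapsearch_argv(u, host="192.168.81.129")))
    # matchedDN from the error output quoted in the message
    missing = unresolved_rdns(u.dn, "CN=Configuration,DC=mohamad,DC=ir")
    print("server could not find, starting at:", missing[-1])
```

Running it prints the ldapsearch command with the base DN properly quoted and `-s base` set, followed by `CN=Services`, the first RDN below the matchedDN that the server reported as not found.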