getting CRL from Active Directory using ldapsearch

Hello,

I am new to OpenLDAP - please excuse me for my ignorance.

I am trying to download a Certificate Revocation List (CRL) from Microsoft Active Directory from my Linux/MacOSX box, with ldapsearch.  However, I am failing.  Here's what I did:

- Issue a certificate using Microsoft CA.
- Get a CRL Distribution Point from the certificate, using "openssl x509".  Like this.

openssl x509 -text -noout -in openssl/naomaru_pmlab-fixed.pem
...
            X509v3 CRL Distribution Points:
            URI:ldap:///CN=ORION-MS-CA,CN=orion,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=pslab,DC=activcard,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint

- I feed this URI into "ldapsearch -H".

ldapsearch -H "ldap:///CN=ORION-MS-CA,CN=orion,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=pslab,DC=activcard,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint"

Could not create LDAP session handle (3): Time limit exceeded

- Maybe it needs to know the hostname.  So I put it in the URI.

ldapsearch -H "ldap://orion.pslab.activcard.com/CN=ORION-MS-CA,CN=orion,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=pslab,DC=activcard,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint"

Could not create LDAP session handle (3): Time limit exceeded

- Maybe -H doesn't like the format, so I break the URI down into hostname, base, filter and attributes.

ldapsearch -x -h orion.pslab.activcard.com -b CN=ORION-MS-CA,CN=orion,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=pslab,DC=activcard,DC=com objectclass=cRLDistributionPoint certificateRevocationList

# extended LDIF
#
# LDAPv3
# filter: objectclass=cRLDistributionPoint
# requesting: certificateRevocationList
#

# search result
search: 2
result: 32 No such object
matchedDN: CN=Services,CN=Configuration,DC=pslab,DC=activcard,DC=com
text: 0000208D: NameErr: DSID-031001C9, problem 2001 (NO_OBJECT), data 0, bes
 t match of:
        'CN=Services,CN=Configuration,DC=pslab,DC=activcard,DC=com'

The first two approaches didn't even connect to my LDAP server.
The third approach went further, but couldn't find the CRL.

Has anyone tried this (getting a CRL from Active Directory using ldapsearch)?
Any advice on how I should attack this problem?

Thank you.

--
Concentration ... Naomaru Itoi
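An added example, not code from the mail above: it parses an RFC 4516 LDAP URL of the shape that "openssl x509 -text" prints in the CRL Distribution Points extension, percent-decodes the DN (so `Public%20Key%20Services` becomes `Public Key Services`), and emits an ldapsearch argument list in which only scheme://host:port goes to -H while the DN, scope, filter and attribute list are passed separately, as the ldapsearch man page requires. The CA, host and domain names in the script's own sample URL are constructed.

```python
"""Parse an RFC 4516 LDAP URL from an X.509 CRL Distribution Point and build
the matching ldapsearch argument list (constructed example, not the mail's code)."""
import shlex
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote


@dataclass
class LdapUrl:
    scheme: str
    host: Optional[str]          # None for "ldap:///..." (no host in the URL)
    port: int
    dn: str                      # percent-decoded, e.g. "CN=Public Key Services"
    attributes: list[str] = field(default_factory=list)
    scope: str = "base"
    filter: str = "(objectClass=*)"


def parse_ldap_url(url: str) -> LdapUrl:
    """Split scheme://host:port/dn?attrs?scope?filter?extensions; every field
    after the host is optional (RFC 4516) and is percent-decoded."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    fields = (tail.split("?", 4) + [""] * 4)[:4]   # pad missing fields, drop extensions
    dn, attrs, scope, filt = (unquote(f) for f in fields)
    return LdapUrl(
        scheme=scheme,
        host=host or None,
        port=int(port) if port else (636 if scheme == "ldaps" else 389),
        dn=dn,
        attributes=[a for a in attrs.split(",") if a],
        scope=scope or "base",
        filter=filt or "(objectClass=*)",
    )


def ldapsearch_args(u: LdapUrl, default_host: Optional[str] = None) -> list[str]:
    """ldapsearch -H takes only scheme://host:port; DN, scope, filter and
    attributes become -b, -s, the filter argument and the attribute list."""
    host = u.host or default_host
    if not host:
        raise ValueError("URL names no host; pass the directory server name")
    return ["ldapsearch", "-x", "-H", f"{u.scheme}://{host}:{u.port}",
            "-b", u.dn, "-s", u.scope, u.filter, *u.attributes]


if __name__ == "__main__":
    # Constructed URL in the shape printed by "openssl x509 -text" for an AD CA.
    cdp = ("ldap:///CN=EXAMPLE-CA,CN=dc01,CN=CDP,CN=Public%20Key%20Services,"
           "CN=Services,CN=Configuration,DC=example,DC=com"
           "?certificateRevocationList?base?objectclass=cRLDistributionPoint")
    print(shlex.join(ldapsearch_args(parse_ldap_url(cdp), "dc01.example.com")))
```

ldapsearch prints the binary attribute base64-encoded (`certificateRevocationList:: ...`); base64-decode it and inspect the DER with `openssl crl -inform DER -text -noout`.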