
RE: getting CRL from Active Directory using ldapsearch

Actually, this worked. 

Please ignore my previous message.  Sorry about that.

ldapsearch -x -h orion.pslab.activcard.com -b "CN=ORION-MS-CA,CN=orion,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=pslab,DC=activcard,DC=com" "(objectclass=cRLDistributionPoint)" certificateRevocationList

> -----Original Message-----
> From: Naomaru Itoi
> Sent: Thursday, March 27, 2003 6:00 PM
> To: 'openldap-software@openldap.org'
> Subject: getting CRL from Active Directory using ldapsearch
>
>
> Hello,
>
> I am new to OpenLDAP - please excuse me for my ignorance.
>
> I am trying to download a Certificate Revocation List (CRL)
> from Microsoft Active Directory from my Linux/MacOSX box,
> with ldapsearch.  However, I am failing.  Here's what I did:
>
> - Issue a certificate using Microsoft CA.
> - Get a CRL Distribution Point from the certificate, using
> "openssl x509".  Like this.
>
> openssl x509 -text -noout -in openssl/naomaru_pmlab-fixed.pem
> ...
>             X509v3 CRL Distribution Points:
>                 URI:ldap:///CN=ORION-MS-CA,CN=orion,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=pslab,DC=activcard,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint
>
> - I feed this URI into "ldapsearch -H". 
>
> ldapsearch -H "ldap:///CN=ORION-MS-CA,CN=orion,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=pslab,DC=activcard,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint"
> Could not create LDAP session handle (3): Time limit exceeded
>
> - Maybe it needs to know the hostname.  So I put it in the URI.
>
> ldapsearch -H "ldap://orion.pslab.activcard.com/CN=ORION-MS-CA,CN=orion,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=pslab,DC=activcard,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint"
> Could not create LDAP session handle (3): Time limit exceeded
>
> - Maybe -H doesn't like the format, so I break the URI down
> to hostname, base, filter and attributes.
>
> ldapsearch -x -h orion.pslab.activcard.com -b CN=ORION-MS-CA,CN=orion,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=pslab,DC=activcard,DC=com objectclass=cRLDistributionPoint certificateRevocationList
> # extended LDIF
> #
> # LDAPv3
> # filter: objectclass=cRLDistributionPoint
> # requesting: certificateRevocationList
> #
>
> # search result
> search: 2
> result: 32 No such object
> matchedDN: CN=Services,CN=Configuration,DC=pslab,DC=activcard,DC=com
> text: 0000208D: NameErr: DSID-031001C9, problem 2001 (NO_OBJECT), data 0, best match of:
>         'CN=Services,CN=Configuration,DC=pslab,DC=activcard,DC=com'
>
> The first two approaches didn't even connect to my LDAP server.
> The third approach went further, but couldn't find the CRL.
>
> Has anyone tried this (getting a CRL from Active Directory
> using ldapsearch)?
> Any advice on how I should attack this problem?
>
> Thank you.
>
> --
> Concentration ... Naomaru Itoi
>
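The command that finally worked (top of this message) passes the base DN with real spaces, "Public Key Services", while the failed attempt in the quoted message handed the percent-encoded DN from the CDP extension straight to -b, so the server could only match as far as CN=Services. The script below is an added example and not code from either poster: it decodes an LDAP URL per RFC 4516 into ldapsearch arguments and then pulls the base64 CRL out of the LDIF that ldapsearch prints. The CDP URL and server name are the ones from this thread; the LDIF sample is constructed and its value is a placeholder, not a real CRL.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL (ldap://host/dn?attrs?scope?filter). Parts are
    split on '?' first, then percent-decoded, so "Public%20Key%20Services" turns
    back into the RDN "Public Key Services" that the directory really holds."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: " + url)
    attrs, scope, filt = (unquote(f) for f in (parts.query.split("?", 3) + ["", ""])[:3])
    if filt and not filt.startswith("("):
        filt = "(" + filt + ")"  # ldapsearch wants a parenthesised filter
    return {"scheme": parts.scheme, "host": parts.hostname,  # None for ldap:///
            "port": parts.port, "dn": unquote(parts.path.lstrip("/")),
            "attrs": [a for a in attrs.split(",") if a],
            "scope": scope or "base", "filter": filt or "(objectClass=*)"}

def ldapsearch_argv(url, server=None):
    """argv for OpenLDAP ldapsearch. `server` supplies the host when the URL is
    of the ldap:/// form that Microsoft CAs write into the CDP extension."""
    u = parse_ldap_url(url)
    host = u["host"] or server
    if not host:
        raise ValueError("URL names no server; pass the AD host explicitly")
    uri = f"{u['scheme']}://{host}" + (f":{u['port']}" if u["port"] else "")
    return ["ldapsearch", "-x", "-H", uri, "-b", u["dn"], "-s", u["scope"],
            u["filter"]] + u["attrs"]

def crl_from_ldif(ldif_text, attr="certificateRevocationList"):
    """Recover the DER CRL from ldapsearch's LDIF. A binary value follows '::' as
    base64 and may wrap onto lines starting with one space (RFC 2849); feed the
    result to `openssl crl -inform DER -in crl.der -text -noout`."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # join continuation lines
    m = re.search(rf"^{re.escape(attr)}(?:;binary)?:: *(\S+)$", unfolded, re.M | re.I)
    if not m:
        raise ValueError(attr + " not present in LDIF output")
    return base64.b64decode(m.group(1))

# Constructed sample LDIF: the value is a 5-byte DER placeholder, not a real CRL.
SAMPLE_LDIF = """\
dn: CN=ORION-MS-CA,CN=orion,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=pslab,DC=activcard,DC=com
certificateRevocationList:: MAMC
 AQA=
"""
# CDP URL as printed by "openssl x509 -text" in the thread (host part empty).
CDP_URL = ("ldap:///CN=ORION-MS-CA,CN=orion,CN=CDP,CN=Public%20Key%20Services,"
           "CN=Services,CN=Configuration,DC=pslab,DC=activcard,DC=com"
           "?certificateRevocationList?base?objectclass=cRLDistributionPoint")
```

The generated command uses -H ldap://host instead of the older -h host switch; either way the URL only selects the server, and the decoded DN still goes in -b.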