
Re: authentication problem



OK, thanks for the help so far.
I could finally configure the Active Directory server to allow anonymous LDAP searches. The CRL Distribution Point given in the certificates issued by this server is:
ldap:///CN=test,CN=testca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mohamad,DC=ir?certificateRevocationList?base?objectClass=cRLDistributionPoint

I did the following search on Ubuntu:
ldapsearch -x -h 192.168.81.129 -b "CN=test,CN=testca,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mohamad,DC=ir" "(objectClass=cRLDistributionPoint)" certificateRevocationList

It returns:
# extended LDIF
#
# LDAPv3
# base <CN=test,CN=testca,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mohamad,DC=ir> with scope subtree
# filter: (objectClass=cRLDistributionPoint)
# requesting: certificateRevocationList
#

# search result
search: 2
result: 32 No such object
matchedDN: CN=Configuration,DC=mohamad,DC=ir
text: 0000208D: NameErr: DSID-03151EFD, problem 2001 (NO_OBJECT), data 0, best match of:
    'CN=Configuration,DC=mohamad,DC=ir'


# numResponses: 1


Is the search query wrong, or is the server not publishing the CRL? (There is one revoked certificate in the CRL.)

BTW, only the second link works, but it's in German and I don't know German. Any references or advice in this context will be appreciated.

2011/5/16 Michael Ströder <michael@stroeder.com>
Mohammad D wrote:
> I want to start LDAP service for publishing CRLs and Certificates for a
> Certificate Authority.
> I am new to ldap and I have not yet found any good references to guide me how
> to use ldap for these purposes.

See RFC 4523 for object class pkiCA etc.

You can find examples in the LDAP servers of various German trust centers.

One example:

http://demo.web2ldap.de:1760/web2ldap?ldap://www.trustcenter.de/o%3DTC%20TrustCenter%2Cou%3Dcacerts%2Cdc%3Dtrustcenter%2Cdc%3Dde??one?%28objectClass%3D%2A%29

There is also
ldap.signtrust.de
directory.d-trust.de
and others

> so I started playing around with Verisign's directory to get some ideas:
> according to VeriSign's knowledge base
> <https://knowledge.verisign.com/support/mpki-support/index?page=content&id=SO2121&actp=search&viewlocale=en_US&searchid=1305455725926>)

In the example command-line you would have to know the cn and o of an existing
entry to form a correct search base.

$ -b "cn=<common name>,o=<Org Name>"

<common name>
<Org Name>

are just placeholders.

> but as I mentioned SASL error was shown.

That's why you have to use -x with ldapsearch to send a simple bind request.

> using -x somehow solved the problem for verisign but doing an empty search
> showed the following error:
> result: 53 server is unwilling to perform
> text: please enter more characters

That's because you are just using the placeholders.

> but using -x on active directory server returned the following error:
> result: 1 operation error
> text: 00000000 LdapErr: DSID-0X090627, comment In order to perform this
> operation a successful bind must be completed on connection., data 0

That's because MS AD does not allow anonymous searches.

Ciao, Michael.
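To check whether the ldapsearch above actually mirrors the LDAP URL from the certificate, it helps to parse the URL the way RFC 4516 defines it (dn ? attributes ? scope ? filter) rather than copying pieces by hand, and to read the matchedDN of a result 32 as the deepest entry the server could resolve. The script below is an added example written for this thread, not code from either poster: it parses the CDP URL quoted in the message, prints the ldapsearch invocation that matches it exactly (same base, the URL's "base" scope instead of ldapsearch's default "sub", the filter wrapped in the parentheses AD omits), and reports which RDN of the base is the first one the server did not resolve. The host 192.168.81.129 is the one used in the post; AD leaves the host part of the URL empty, so the script takes it as a parameter. All function names are this example's own.

```python
"""Parse a CRL Distribution Point LDAP URL (RFC 4516) into a matching
ldapsearch command and interpret a noSuchObject (32) matchedDN.

Added example for this thread, not code from the original post.
"""
import shlex
from urllib.parse import unquote

# The CDP URL exactly as quoted in the post. AD leaves the host empty:
# the client is expected to pick a domain controller itself.
CDP_URL = ("ldap:///CN=test,CN=testca,CN=CDP,CN=Public%20Key%20Services,"
           "CN=Services,CN=Configuration,DC=mohamad,DC=ir"
           "?certificateRevocationList?base?objectClass=cRLDistributionPoint")


def parse_ldap_url(url):
    """Parse ldap[s]://host:port/dn?attrs?scope?filter?extensions.
    Empty fields take the RFC 4516 defaults: scope 'base', filter
    '(objectClass=*)', no explicit attribute list."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, rest = rest.partition("/")
    host, _, port = hostport.partition(":")
    # '?' is the field separator; percent-decoding happens per field after the
    # split, so an encoded '?' inside a DN or filter cannot shift the fields.
    fields = rest.split("?")

    def field(i):
        return unquote(fields[i]) if len(fields) > i else ""

    flt = field(3) or "(objectClass=*)"
    if not flt.startswith("("):
        # AD writes the filter without the parentheses RFC 4515 requires;
        # ldapsearch wants them.
        flt = "(%s)" % flt
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "dn": field(0),
        "attrs": [a for a in field(1).split(",") if a],
        "scope": field(2) or "base",
        "filter": flt,
    }


def ldapsearch_args(parts, default_host):
    """argv for an ldapsearch that mirrors the URL: -x for a simple
    (here anonymous) bind, -s to force the URL's scope instead of the
    default subtree search."""
    host = parts["host"] or default_host
    uri = "%s://%s:%d/" % (parts["scheme"], host, parts["port"])
    return (["ldapsearch", "-x", "-LLL", "-H", uri, "-b", parts["dn"],
             "-s", parts["scope"], parts["filter"]] + parts["attrs"])


def split_dn(dn):
    """Split a DN into RDN strings on commas that are not backslash-escaped
    (RFC 4514); escape sequences are kept verbatim."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def missing_rdns(base_dn, matched_dn):
    """For result 32 (noSuchObject), matchedDN names the deepest entry the
    server could resolve. Return the RDNs of base_dn below it, nearest
    first: element 0 is the entry that either does not exist or is not
    visible to the identity you are bound as."""
    base = split_dn(base_dn)
    matched = split_dn(matched_dn) if matched_dn else []
    n = len(matched)
    if n > len(base) or (n and [r.lower() for r in base[-n:]]
                         != [r.lower() for r in matched]):
        raise ValueError("matchedDN is not a suffix of the base DN")
    return list(reversed(base[:len(base) - n]))


if __name__ == "__main__":
    parts = parse_ldap_url(CDP_URL)
    print(" ".join(shlex.quote(a) for a in ldapsearch_args(parts, "192.168.81.129")))
    # matchedDN copied from the result shown in the post
    first = missing_rdns(parts["dn"], "CN=Configuration,DC=mohamad,DC=ir")[0]
    print("first RDN the server did not resolve:", first)
```

Running it prints a one-line ldapsearch with -s base and the parenthesised filter; with the matchedDN from the post it reports CN=Services as the first unresolved RDN, which is where to look (the entry, or what the anonymous identity is allowed to see of it) before blaming the CRL publication itself. Requesting the attribute as certificateRevocationList is correct; ldapsearch prints the DER value base64-encoded in the LDIF.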