OpenLDAP Developers' Day - Presentation

Certificate Retrieval from OpenLDAP
David Chadwick
U. of Salford

Searching for X.509 certificates and CRLs in LDAP directories has not been possible until recently. Release 2.1 of OpenLDAP introduced a limited capability: exact certificate matching based on issuer name and serial number. A subsequent release will convert OpenLDAP into an X.509 attribute Parsing Server (XPS). XPS will parse any X.509-defined attribute, e.g. public key certificates, attribute certificates, CRLs and ACRLs (attribute certificate revocation lists), split each one into its component attributes (as defined in recent PKIX Internet-Drafts), and store both the X.509 attribute and its component attributes in a backend LDAP server, so that they can be searched for using existing LDAP clients. OpenLDAP can be configured to act as a standalone XPS, e.g. fronting a SunONE LDAP server, or as a combined XPS/LDAP server that uses its own backend database as the LDAP directory. The ASN.1 of the X.509 attributes (and of any yet-to-be-defined certificate extensions) and the LDAP schema for their corresponding component attributes will both be configurable, so that OpenLDAP can be extended and modified to store new attributes and ASN.1 type definitions without code changes.
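To make the XPS idea concrete, the following added example (written for this page, not code from OpenLDAP or from the presentation) shows the two operations the abstract describes: a front end that parses a DER-encoded certificate and splits it into searchable component attributes, and the issuer-plus-serial-number exact match that OpenLDAP 2.1 offers. The certificate is a constructed sample built by a tiny DER encoder inside the block (placeholder key and signature, so it cannot be verified), and the attribute names (`x509serialNumber`, `x509issuer`, and so on) are modelled on the PKIX LDAP schema drafts the abstract refers to; treat those names as assumptions, since the final schema is the one OpenLDAP will make configurable.

```python
"""Toy XPS-style splitter: parse a DER X.509 certificate into component
attributes, then run an issuer + serial-number exact match over them."""

# --- minimal DER encoder, used only to build the constructed sample certificate ---

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v: int) -> bytes:
    # non-negative INTEGER; one extra byte when needed so the sign bit is never set
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

# DER-encoded OID bodies for the Name attribute types used here (id-at-*)
_OID = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}
_OID_NAME = {v: k for k, v in _OID.items()}
_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11

def _der_name(rdns) -> bytes:
    # rdns: list of (type, value) in DER (root-first) order; one AVA per RDN
    out = b""
    for typ, val in rdns:
        atv = _tlv(0x30, _tlv(0x06, _OID[typ]) + _tlv(0x0c, val.encode()))
        out += _tlv(0x31, atv)  # RDN = SET OF AttributeTypeAndValue
    return _tlv(0x30, out)

def build_sample_cert(serial, issuer, subject, not_before, not_after) -> bytes:
    """Constructed sample: structurally valid DER, placeholder key and signature."""
    alg = _tlv(0x30, _tlv(0x06, _SHA256_RSA) + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, not_before.encode()) + _tlv(0x17, not_after.encode()))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00\x00"))  # not a real public key
    tbs = _tlv(0x30, _tlv(0xa0, _der_int(2)) + _der_int(serial) + alg
               + _der_name(issuer) + validity + _der_name(subject) + spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 5))  # not a real signature

# --- DER decoder: what an XPS front end runs on each certificate it receives ---

def _read_tlv(buf: bytes, pos: int = 0):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def _children(body: bytes):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def _name_to_ldap(body: bytes) -> str:
    rdns = []
    for _, rdn in _children(body):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            rdns.append(f"{_OID_NAME.get(oid, oid.hex())}={val.decode()}")
    return ",".join(reversed(rdns))  # LDAP string form lists RDNs leaf-first (RFC 4514)

def _utctime_to_generalized(body: bytes) -> str:
    s = body.decode()
    century = "19" if int(s[:2]) >= 50 else "20"  # UTCTime century rule from RFC 5280
    return century + s

def split_certificate(der: bytes) -> dict:
    """Component attributes an XPS would store beside the raw certificate.
    Attribute names modelled on the PKIX LDAP schema drafts (assumption)."""
    _, cert, _ = _read_tlv(der)
    _, tbs = _children(cert)[0]
    fields = _children(tbs)
    version = 1
    if fields[0][0] == 0xA0:  # EXPLICIT [0] version present
        version = int.from_bytes(_children(fields.pop(0)[1])[0][1], "big") + 1
    serial, _alg, issuer, validity, subject = fields[:5]
    nb, na = _children(validity[1])
    return {
        "x509version": version,
        "x509serialNumber": int.from_bytes(serial[1], "big"),
        "x509issuer": _name_to_ldap(issuer[1]),
        "x509subject": _name_to_ldap(subject[1]),
        "x509validityNotBefore": _utctime_to_generalized(nb[1]),
        "x509validityNotAfter": _utctime_to_generalized(na[1]),
    }

def certificate_exact_match(entries, issuer: str, serial: int):
    """The OpenLDAP 2.1-style lookup: issuer DN plus serial number, nothing else."""
    return [e for e in entries
            if e["x509issuer"] == issuer and e["x509serialNumber"] == serial]

if __name__ == "__main__":
    ca = [("C", "GB"), ("O", "Example Org"), ("CN", "Example CA")]
    der = build_sample_cert(4660, ca, [("C", "GB"), ("O", "Example Org"), ("CN", "alice")],
                            "230101000000Z", "240101000000Z")
    attrs = split_certificate(der)
    for k, v in attrs.items():
        print(f"{k}: {v}")
    print(certificate_exact_match([attrs], "CN=Example CA,O=Example Org,C=GB", 4660))
```

The split produces exactly the kind of entry an ordinary LDAP client can then filter on (for instance by subject name or validity date), which is the whole point of XPS; the exact-match function is deliberately restricted to issuer and serial to show how little the 2.1 capability covers by comparison. A real front end would also have to cope with the full certificate syntax (GeneralizedTime, multi-valued RDNs, extensions), which is why the abstract makes the ASN.1 and the schema configurable rather than hard-coded as here.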

