[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: extrange problem with ldapsearch



ldapsearch(1) provides LDIF as output, and as what you provide
is not LDIF, it not clear what ldapsearch(1) is actually producing.
I suspect a case of garbage-in/garbage-out where the data, though
it may be valid, wasn't provided in the correct form and his
is not provided in correct form.  Unfornuately, OpenLDAP 2.0
didn't conformance to each values proper syntax.  2.0 is,
of course, historic.  You should consider upgrading to at
least the latest stable release (presently 2.2.26).

(The remainder of this post is actually not specific to
OpenLDAP Software.  Follow questions to anything in the
remainder should likely be directed to the general LDAP
mailing list at <ldap@umich.edu>.)

I note the proper format for a CRL in LDIF would be:

certificateRevocationList;binary:: base64-encoded-value

where base64-encoded-value is the Base64 encoding of the
DER encoding of the X.509 CRL.  See RFC 2849 for details on
the LDIF format, and RFC 2256/2252 for details on the proper
LDAP encoding of CRLs.

Kurt


At 10:57 AM 6/2/2005, Pablo J Royo wrote:
>Hello
>
>I have a curious problem with OpenLDAP when I download a CRL from a LDAP using ldapsearch. I can download some CRLs but no others, althought using other software (Softerra) I can also download problematic CRLs. When the error happens, CRLs are cut to 25 bytes.
>The problem happens with last version of OpenLdap, but also with an old 2.0.11 version.
>I´m sure CRLs are correct, because they are from an official organization. (well, I think so...)
>
>This is the line I use to test the problem:
>
>ldapsearch -v -t -x -P 2 -D 'cn=XXXXX' -w XXXXX -b "OU=blah,OU=blah..." -h ldap.host.com -p 389 'cn=CRL2001' certificateRevocationList
>
>This is the CRL (which seems Ok) that gives problems (obtained with Softerra browser):
>
>-----BEGIN X509 CRL-----
>MIIDcTCCAtoCAQEwDQYJKoZIhvcNAQEFBQAwNjELMAkGA1UEBhMCRVMxDTALBgNV
>BAoTBEZOTVQxGDAWBgNVBAsTD0ZOTVQgQ2xhc2UgMiBDQRcNMDUwNjAyMTQxOTU4
>WhcNMDUwNjAzMTQxOTU4WjCCAdowPQIEPIJCARcNMDUwNTMwMTIxMjQxWjAmMAoG
>A1UdFQQDCgEBMBgGA1UdGAQRGA8yMDA1MDUzMDEyMTAyOFowPQIEPIJCJxcNMDUw
>NTI0MTAwODQ3WjAmMAoGA1UdFQQDCgEBMBgGA1UdGAQRGA8yMDA1MDUyNDEwMDQ1
>NVowPQIEPIJCPRcNMDUwNTMxMDcxOTM1WjAmMAoGA1UdFQQDCgEBMBgGA1UdGAQR
>GA8yMDA1MDUzMTA3MTUwMlowIwIEPIJCgxcNMDUwNTI1MDczMDAwWjAMMAoGA1Ud
>FQQDCgEEMD0CBDyCQuMXDTA1MDUzMDA3MjExN1owJjAKBgNVHRUEAwoBATAYBgNV
>HRgEERgPMjAwNTA1MzAwNzE4NDhaMCMCBDyCQ2cXDTA1MDUyNjA3MzcwNlowDDAK
>BgNVHRUEAwoBBDAjAgQ8gkQUFw0wNTA1MzAxMTQ4MTNaMAwwCgYDVR0VBAMKAQQw
>IwIEPIJEeBcNMDUwNTMwMTE0NTQzWjAMMAoGA1UdFQQDCgEEMCMCBDyCRIoXDTA1
>MDUyNTA5MjE1MlowDDAKBgNVHRUEAwoBBDAjAgQ8gkSiFw0wNTA1MjQxMDQyMzRa
>MAwwCgYDVR0VBAMKAQSggZEwgY4wCgYDVR0UBAMCARwwHwYDVR0jBBgwFoAUQJp2
>RJd0B8SsFMsejU86RXww12EwXwYDVR0cAQH/BFUwU6BOoEykSjBIMQswCQYDVQQG
>EwJFUzENMAsGA1UEChMERk5NVDEYMBYGA1UECxMPRk5NVCBDbGFzZSAyIENBMRAw
>DgYDVQQDEwdDUkwyMDAygQH/MA0GCSqGSIb3DQEBBQUAA4GBAIN9d0Wq5a7megaK
>583xOuokYQ7AVNFiYbqmem2Kctwh1s4ySvFVoBm6iNMZozYdEFh4NIT9NeTZStl1
>p008F6arcT7bVhfQtxn5Wskr9fRgrvWen6i14SIPrRaYkirA4BVYbHI4A8mbG7Be
>/RfyM6g1OHicKsFxnOxyS575ggjZ
>-----END X509 CRL-----
>
>and this is a correctly downloaded CRL with ldapsearch 
>
>-----BEGIN X509 CRL-----
>MIIE2DCCBEECAQEwDQYJKoZIhvcNAQEFBQAwNjELMAkGA1UEBhMCRVMxDTALBgNV
>BAoTBEZOTVQxGDAWBgNVBAsTD0ZOTVQgQ2xhc2UgMiBDQRcNMDUwNjAyMDgwNjM2
>WhcNMDUwNjAzMDgwNjM2WjCCA0EwPQIEPIGSQRcNMDUwNTI0MTkzNTMwWjAmMAoG
>A1UdFQQDCgEBMBgGA1UdGAQRGA8yMDA1MDUyNDE5MzAyNFowIwIEPIGSRBcNMDUw
>NTE2MDk0NjQyWjAMMAoGA1UdFQQDCgEEMCMCBDyBklIXDTA1MDUwOTE1MTkyNVow
>DDAKBgNVHRUEAwoBBDAjAgQ8gZJzFw0wNTA1MDkxNTQwNDVaMAwwCgYDVR0VBAMK
>AQQwIwIEPIGShxcNMDUwNTEwMTUwMzI3WjAMMAoGA1UdFQQDCgEAMCMCBDyBktUX
>DTA1MDUxMzIwMjg0MFowDDAKBgNVHRUEAwoBBDA9AgQ8gZLYFw0wNTA1MTAwODIy
>MzJaMCYwCgYDVR0VBAMKAQEwGAYDVR0YBBEYDzIwMDUwNTEwMDgxNzQyWjA9AgQ8
>gZMoFw0wNTA1MTEwODI3NDdaMCYwCgYDVR0VBAMKAQEwGAYDVR0YBBEYDzIwMDUw
>NTExMDgyMTM1WjAjAgQ8gZMrFw0wNTA1MjQxMzU1MTVaMAwwCgYDVR0VBAMKAQQw
>IwIEPIGTyBcNMDUwNTEyMTMwMjMwWjAMMAoGA1UdFQQDCgEEMCMCBDyBk9YXDTA1
>MDUyNTEzMDUyMFowDDAKBgNVHRUEAwoBBDA9AgQ8gZPsFw0wNTA1MTExMDM2MjJa
>MCYwCgYDVR0VBAMKAQEwGAYDVR0YBBEYDzIwMDUwNTExMTAzNDMwWjA9AgQ8gZPz
>Fw0wNTA1MTExMDM5MDhaMCYwCgYDVR0VBAMKAQEwGAYDVR0YBBEYDzIwMDUwNTEx
>MTAzNzAxWjAjAgQ8gZQ4Fw0wNTA1MTYwOTQ3MzZaMAwwCgYDVR0VBAMKAQQwIwIE
>PIGUUxcNMDUwNTEzMTk1NzU0WjAMMAoGA1UdFQQDCgEEMCMCBDyBlJAXDTA1MDUy
>NDE5NTA0NlowDDAKBgNVHRUEAwoBBDAjAgQ8gZSgFw0wNTA1MDkyMDEyMzlaMAww
>CgYDVR0VBAMKAQQwIwIEPIGU4xcNMDUwNTE4MjAyNDEwWjAMMAoGA1UdFQQDCgEE
>MCMCBDyBlOgXDTA1MDUwOTE5MzUzOVowDDAKBgNVHRUEAwoBAKCBkTCBjjAKBgNV
>HRQEAwIBQzAfBgNVHSMEGDAWgBRAmnZEl3QHxKwUyx6NTzpFfDDXYTBfBgNVHRwB
>Af8EVTBToE6gTKRKMEgxCzAJBgNVBAYTAkVTMQ0wCwYDVQQKEwRGTk1UMRgwFgYD
>VQQLEw9GTk1UIENsYXNlIDIgQ0ExEDAOBgNVBAMTB0NSTDE5NDKBAf8wDQYJKoZI
>hvcNAQEFBQADgYEAArUm2IlqcoJdunZuvAVbX4dTDqWz1RU5ppBGozzxNNM6glWv
>zGJ0F06D5jcEdBHQZesDL4h9fKtQkrm7NWqQI4f9wQr1BM3GRTKDTMCgAt0P2Xje
>dtSO8lsO0j7UOaFTh5r5mZ+VuslBwRb6oGi/l+23KU7rsOB61aJQZmPqsZI=
>-----END X509 CRL-----
>
>The two CRLs are correct. The problem is with its retrieval from the LDAP.
>
>Does somebody knows what happens?