LDAP Q&A, post No. 2317
Title: Continuing from the post below...
Author: 이정환(skullq)
Date: 2007-01-31 15:09 (created), 2007-01-31 15:17 (modified)
Views: 7,910


http://www3.ietf.org/proceedings/03nov/I-D/draft-ietf-pkix-ldap-crl-schema-01.txt

There is an expired draft, at least... meh.

But looking at a Japanese site, it seems to be possible even without any special schema.


# cat crl.ldif
dn: cn=crl, o=example, c=jp
objectclass: top
objectclass: pkiCA
cACertificate;binary:: MIIEAzCCAuugAwIBAgIBATANBgkqhkiG9w0BAQUFADBcMQswCQYDVQQGEwJKUDEt
 MCsGA1UECgwkRGVtb25zdHJhdGlvbiBDZXJ0aWZpY2F0aW9uIFNlcnZpY2VzMR4w
 HAYDVQQLDBVERU1PTlNUUkFUSU9OIFJPT1QgQ0EwHhcNMDIwMTAxMDAwMDAwWhcN
 NDkxMjMxMjM1OTU5WjBeMQswCQYDVQQGEwJKUDEtMCsGA1UEChMkRGVtb25zdHJh
 dGlvbiBDZXJ0aWZpY2F0aW9uIFNlcnZpY2VzMSAwHgYDVQQLExdERU1PTlNUUkFU
 SU9OIE1JRERMRSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANLm
 nTKN7aZbxl4VmcnYbaOyWAoz5cRS/cV6dE0hDBeJuhy9wybjTygFx+bh1pFmROzp
 EvCsEmKirOyhcUI2PKtzkjb0rZpEzfU9SBAKSzR8/PM7Bp4Sl6EOC0mfOS/k6KEf
 wI5n80D8XlOxWE+V8HZKWL3l1CC82i++bAmwtKGl1MujSHqEDY78i3DPTH6yBSaF
 GHeHcejrX0d1VrLPIxMgDYH0AaEzkZa+3M4ssrB5mn0un6iqIRr80O42Mv8G2Rss
 lBjeXU53rLg3JMaIVoneekRRsbLevtnKf7xwwNS5mhN3O3a3Np0h6gLu2RstYItN
 RWwQ+IN2F3TXNak8b9cCAwEAAaOBzTCByjCBhAYDVR0jBH0we4AU09lDErqfTqhJ
 7/XVGLxUnL9/kTKhYKReMFwxCzAJBgNVBAYTAkpQMS0wKwYDVQQKDCREZW1vbnN0
 cmF0aW9uIENlcnRpZmljYXRpb24gU2VydmljZXMxHjAcBgNVBAsMFURFTU9OU1RS
 QVRJT04gUk9PVCBDQYIBADAdBgNVHQ4EFgQUTSjOaLsPhfSrnFuGAtCJa8lbOb4w
 DgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQowDQYJKoZIhvcNAQEF
 BQADggEBAJeyGjXQ9G9bZOceFw7P6pm4hptC/bwwV2uwF/Mvy33L0J7dm3/okBrL
 +LnSUrEtf4V7NDsmOY0OWHwBQftfDtryLzgdXaiqtkjA1X5dxbExwja1iqsumS2y
 eIBsOwGvZedu7HAYty2d/LLdu6MFxUP7G1CXl64HSh5Y9g0s/rZa0phde2z5nrrU
 TP8KY7E1Ibdcw86O/s11AXMtgX06q8wRhNyMaA8pY7PSWM+hFZPOKuKCYYKn4e3R
 AG3vsA5Lv1e4jFIt8x7UwnEx+zDKxjtLlnLz+z0IZdUHU6SQdw9xp5MQtHJYhc17
 +IWk9muxoyhaDILoLfXkNGvJZZFgkEc=
certificateRevocationList;binary:: MIIBujCBozANBgkqhkiG9w0BAQQFADBeMQswCQYDVQQGEwJKUDEtMCsGA1UEChMk
 RGVtb25zdHJhdGlvbiBDZXJ0aWZpY2F0aW9uIFNlcnZpY2VzMSAwHgYDVQQLExdE
 RU1PTlNUUkFUSU9OIE1JRERMRSBDQRcNMDIwMjEzMTIwNjUyWhcNMDIwMzE1MTIw
 NjUyWjAUMBICAQUXDTAyMDIxMzEyMDYyMVowDQYJKoZIhvcNAQEEBQADggEBAGe6
 rqm67X6XBtBcj+vipV6+c1c4QOvgc9Hon6xaZ+OgGSsTk+VdDIWzHxSYkHt/4/AT
 opjypLtWk8M5BSRwRZJA26H4DigFIh/8XKIhpug+y8/c8GL/RR9SWnJn//w3+lw/
 cZQlSRz+4O5uo1dYylEJF2T2j2W+2CbiSvvRY2+WhlwN51BobFs20OMLyN9ftzHL
 JsPbXwzsdB3kl7G1KKKiXsiPQxtZP904XLcytCmwc0Im1CfF3y8vkQl1moUnRjA1
 sksFv1QLqZ1IKOEZWFxc+2nJShlSjIleIrv63BrMD6V8//roAV51qAXncVX8Ig3N
 PloUAzl7CVcgI6bz8B0=

# ldapadd -x -D "cn=root,o=example,c=jp" -W -f crl.ldif
Enter LDAP Password:
adding new entry "cn=crl, o=example, c=jp"
ldap_add: Object class violation

ldif_record() = 65



The OpenLDAP used is the one that shipped with Red Hat 7.2.

slapd.conf is as follows.


# cat /etc/openldap/slapd.conf
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/redhat/rfc822-MailMember.schema
include         /etc/openldap/schema/redhat/autofs.schema
include         /etc/openldap/schema/redhat/kerberosobject.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

#pidfile                /var/run/slapd.pid
#argsfile       /var/run/slapd.args

# Create a replication log in /var/lib/ldap for use by slurpd.
#replogfile     /var/lib/ldap/master-slapd.replog

# Load dynamic backend modules:
# modulepath    /usr/sbin/openldap
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# The next two lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
#TLSCertificateFile /usr/share/ssl/certs/slapd.pem
#TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem

#######################################################################
# ldbm database definitions
#######################################################################

database        ldbm
suffix          "o=example,c=jp"
rootdn          "cn=root,o=example,c=jp"
rootpw          test
directory       /var/lib/ldap
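The ldapadd run quoted above stops at "Object class violation". slapd (current releases, at least) returns that result when an entry's objectClass values do not fit the schema it has loaded: a class it does not know, no structural class (top is abstract and pkiCA, per RFC 2587, is auxiliary), a MUST attribute missing, or an attribute that no listed class permits. The additional-info text that names the exact cause is not shown in the post, so which of these the Red Hat 7.2 slapd actually hit is not visible here. The checker below is an added example, not code from the post or from OpenLDAP: it models those rules with class definitions transcribed from RFC 2256 (top, certificationAuthority, organizationalRole) and RFC 2587 (pkiCA) and runs them over the posted entry, over a hypothetical variant that pairs pkiCA with a structural class carrying cn, and over one using certificationAuthority, the class the second comment mentions. The base64 values in the samples are shortened placeholders; the schema checks never read them.

```python
import base64

# Object class definitions transcribed from RFC 2256 (top, certificationAuthority,
# organizationalRole) and RFC 2587 (pkiCA): (kind, MUST attributes, MAY attributes).
# organizationalRole's MAY list is abbreviated to the attributes used here.
SCHEMA = {
    "top": ("ABSTRACT", {"objectClass"}, set()),
    "certificationAuthority": ("STRUCTURAL",
        {"authorityRevocationList", "certificateRevocationList", "cACertificate"},
        {"crossCertificatePair"}),
    "pkiCA": ("AUXILIARY", set(),
        {"cACertificate", "certificateRevocationList",
         "authorityRevocationList", "crossCertificatePair"}),
    "organizationalRole": ("STRUCTURAL", {"cn"}, {"description", "ou", "seeAlso"}),
}
# LDAP names are case-insensitive: index the schema by lower-cased class name.
CLASSES = {name.lower(): (name,) + definition for name, definition in SCHEMA.items()}


def parse_ldif_entry(text):
    """One LDIF entry -> {lower-cased attribute: [values]}. Unfolds continuation
    lines, drops options such as ';binary', base64-decodes 'attr:: value' lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _sep, value = line.partition(":")
        name = name.split(";")[0].strip().lower()
        value = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
        entry.setdefault(name, []).append(value)
    return entry


def check_entry(entry):
    """Schema problems slapd would reject the entry for (object class violations
    plus the RDN naming check); an empty list means the entry is acceptable."""
    problems, classes = [], []
    for oc in entry.get("objectclass", []):
        if oc.lower() in CLASSES:
            classes.append(CLASSES[oc.lower()])
        else:
            problems.append(f"unrecognized objectClass '{oc}'")
    if not any(kind == "STRUCTURAL" for _name, kind, _must, _may in classes):
        problems.append("no structural object class (abstract and auxiliary classes only)")
    allowed = {"objectclass"}
    for name, _kind, must, may in classes:
        allowed |= {a.lower() for a in must | may}
        for attr in sorted(must):
            if attr.lower() not in entry:
                problems.append(f"{name}: required attribute '{attr}' missing")
    for attr in entry:
        if attr != "dn" and attr not in allowed:
            problems.append(f"attribute '{attr}' not allowed by any object class")
    rdn_attr = entry["dn"][0].split("=")[0].strip().lower()
    if rdn_attr not in entry:
        problems.append(f"naming attribute '{rdn_attr}' from the RDN is not present")
    return problems


# The entry from the post; the long base64 values are cut to a short placeholder
# (constructed) because the schema checks never look at the values.
POSTED_ENTRY = """\
dn: cn=crl, o=example, c=jp
objectclass: top
objectclass: pkiCA
cACertificate;binary:: MIIEAzCCAuugAwIBAgIBATANBgkqhkiG9w0BAQUFADBc
certificateRevocationList;binary:: MIIBujCBozANBgkqhkiG9w0BAQQFADBe
"""

# Hypothetical variant (not from the post): pkiCA kept for the PKI attributes,
# plus a structural class that carries the cn naming attribute.
FIXED_ENTRY = POSTED_ENTRY.replace("objectclass: pkiCA\n",
                                   "objectclass: organizationalRole\nobjectclass: pkiCA\ncn: crl\n")

# Hypothetical variant using the RFC 2256 class the second comment points at;
# its MUST list also demands authorityRevocationList.
CA_CLASS_ENTRY = POSTED_ENTRY.replace("objectclass: pkiCA", "objectclass: certificationAuthority")


def report():
    """Run the checks over all three samples; returns {label: [problems]}."""
    samples = {"posted": POSTED_ENTRY, "fixed": FIXED_ENTRY, "certificationAuthority": CA_CLASS_ENTRY}
    return {label: check_entry(parse_ldif_entry(text)) for label, text in samples.items()}


if __name__ == "__main__":
    for label, problems in report().items():
        print(f"{label}: {problems or 'OK'}")
```

Run stand-alone, it prints the problem list for each sample: the posted entry has no structural class and no cn value for its RDN, the certificationAuthority variant lacks the mandatory authorityRevocationList, and the pkiCA-plus-organizationalRole variant passes. Separately from the schema question, the slapd.conf quoted above stores rootpw in clear text and defines no access directives under its "Define global ACLs" comment; hashing the password with slappasswd and adding ACLs are the usual steps before such a directory is allowed to serve CRLs.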


There are 2 comments on this post.

CRLs are described in detail in RFC 2459.
You can refer to RFC 2459.

And what you posted in crl.ldif is encoded data.
The value of certificateRevocationList;binary:: is the CRL.
This value looks like a CRL built according to the X.509 standard (it would be in a structure format...), encoded into binary data and then Base64-encoded.

In any case, what appears there is not an X.509 schema but the schema used by LDAP.
It seems you have confused it with X.509.

Comment by 초보(haha001), written 2007-01-31 17:17.
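The comment above describes the certificateRevocationList;binary value as a Base64 rendering of a DER-encoded X.509 CRL, the CertificateList structure of RFC 2459 section 5. The script below is an added example, not the commenter's or the poster's code: it takes the value exactly as quoted in the post, decodes it with a minimal DER walker, and returns what the directory would be publishing (issuer, validity window, revoked serials, signature algorithm). Nothing here talks to LDAP, and signature verification is deliberately left out because it needs the CA's public key and an RSA implementation; is_current checks freshness only.

```python
import base64
from datetime import datetime, timezone

# The certificateRevocationList;binary value exactly as quoted in the post
# (LDIF folds long values onto continuation lines; they are joined here).
CRL_B64 = (
    "MIIBujCBozANBgkqhkiG9w0BAQQFADBeMQswCQYDVQQGEwJKUDEtMCsGA1UEChMk"
    "RGVtb25zdHJhdGlvbiBDZXJ0aWZpY2F0aW9uIFNlcnZpY2VzMSAwHgYDVQQLExdE"
    "RU1PTlNUUkFUSU9OIE1JRERMRSBDQRcNMDIwMjEzMTIwNjUyWhcNMDIwMzE1MTIw"
    "NjUyWjAUMBICAQUXDTAyMDIxMzEyMDYyMVowDQYJKoZIhvcNAQEEBQADggEBAGe6"
    "rqm67X6XBtBcj+vipV6+c1c4QOvgc9Hon6xaZ+OgGSsTk+VdDIWzHxSYkHt/4/AT"
    "opjypLtWk8M5BSRwRZJA26H4DigFIh/8XKIhpug+y8/c8GL/RR9SWnJn//w3+lw/"
    "cZQlSRz+4O5uo1dYylEJF2T2j2W+2CbiSvvRY2+WhlwN51BobFs20OMLyN9ftzHL"
    "JsPbXwzsdB3kl7G1KKKiXsiPQxtZP904XLcytCmwc0Im1CfF3y8vkQl1moUnRjA1"
    "sksFv1QLqZ1IKOEZWFxc+2nJShlSjIleIrv63BrMD6V8//roAV51qAXncVX8Ig3N"
    "PloUAzl7CVcgI6bz8B0="
)

OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU",
}

def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(value):
    """OBJECT IDENTIFIER content bytes -> dotted string."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                   # base-128 arcs, high bit set on all but the last byte
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def decode_time(tag, value):
    """UTCTime (0x17, two-digit year; 50-99 is 19xx per RFC 2459) or GeneralizedTime (0x18)."""
    s = value.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def decode_name(value):
    """X.501 Name -> 'C=JP, O=..., OU=...' (display form only, no RFC 2253 escaping)."""
    parts = []
    for _set_tag, rdn in children(value):
        for _seq_tag, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            oid = decode_oid(oid)
            parts.append(f"{OID_NAMES.get(oid, oid)}={val.decode('utf-8')}")
    return ", ".join(parts)

def parse_crl(der):
    """Walk a DER CertificateList (RFC 2459 section 5) and return its fields.
    Structure only: the signature is located and measured, not verified."""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    (_, tbs), (_, sig_alg), (_, sig_bits) = children(body)
    fields = children(tbs)
    version = 1
    if fields[0][0] == 0x02:              # optional version INTEGER, present only for v2 CRLs
        version = fields.pop(0)[1][0] + 1
    (_, _inner_alg), (_, issuer), (t_tag, this_update), *rest = fields
    next_update = decode_time(*rest.pop(0)) if rest and rest[0][0] in (0x17, 0x18) else None
    revoked = []
    if rest and rest[0][0] == 0x30:       # revokedCertificates SEQUENCE OF SEQUENCE
        for _t, rc in children(rest.pop(0)[1]):
            (_, serial), (d_tag, date) = children(rc)[:2]
            revoked.append((int.from_bytes(serial, "big", signed=True), decode_time(d_tag, date)))
    alg_oid = decode_oid(children(sig_alg)[0][1])
    return {"version": version, "signature_algorithm": OID_NAMES.get(alg_oid, alg_oid),
            "issuer": decode_name(issuer), "this_update": decode_time(t_tag, this_update),
            "next_update": next_update, "revoked": revoked,
            "signature_bytes": len(sig_bits) - 1}  # first BIT STRING byte is the unused-bit count

def is_current(info, now):
    """A relying party must treat a CRL whose nextUpdate has passed as stale."""
    return info["next_update"] is None or now <= info["next_update"]

def decode_posted_crl():
    """Decode the value quoted in the post (no LDAP access involved)."""
    return parse_crl(base64.b64decode(CRL_B64))
```

Two details in the decoded output matter to anyone relying on this entry: the signature algorithm OID 1.2.840.113549.1.1.4 is md5WithRSAEncryption, and nextUpdate is 2002-03-15, so a client doing revocation checking against this directory entry must treat the CRL as stale. The directory is only the transport; the relying party still has to verify the signature against the cACertificate in the same entry and check the validity window itself.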

Hmm...

I already know about CRLs.

It's just that there seems to have been an effort to add a schema in LDAP and create an objectclass that fits X.509 v3.

Even though the draft has expired...

http://ldap.akbkhome.com/index.php/objectclass/certificationAuthority.html?PHPSESSID=ba79c841c187450fd370554f9e70638e#authorityRevocationList

Object Class: certificationAuthority

It already existed... it is a bit weak, though.

Thank you for your interest.

Comment by 이정환(skullq), written 2007-01-31 18:43.