Net::LDAP and Active Directory certificate revocation lists

mellin has asked for the wisdom of the Perl Monks concerning the following question:

Not directly Perl related probably but for the couple of days now I've been thinking why Net::LDAP does not find objects with the filter "(objectclass=cRLDistributionPoint)". I know (make that I think) that this information is not in the Domain partition of Active Directory, but is there a way I could still access it?

The code below returns no objects even though the LDAP browser app for windows (by softerra) does:

my $filter = "(objectclass=cRLDistributionPoint)";

my $ldap = $functions->ldap($ldapserver, $useraccount, $password);
my $objects = $functions->ldap_search($ldap, $filter, 'sub', $basedn);

foreach my $entry ($objects->entries)
{
    print $entry->get_value('cn') . "\n";

}
[download]

Don't be scared of the short snippet, since $functions is a object defined elsewhere. I'm just curious why I can use the same filter with other some other LDAP program, but Net::LDAP returns zero objects. And I am binding in all the time with the same Domain User account.

Basically I'm trying to dig out the Certificate Revocation Lists created by my Certification Authorities and then iterate through the serials listed in those lists. There's the Crypt::X509::CRL that I was looking in for the actual decoding part.

Comment on Net::LDAP and Active Directory certificate revocation lists Download Code

Replies are listed 'Best First'.
Re: Net::LDAP and Active Directory certificate revocation lists by hominid (Priest) on Sep 19, 2008 at 17:31 UTC
Not really an answer here, just an observation. I tested the filter "(objectclass=cRLDistributionPoint)" on a Net::LDAP based search program I wrote for $work and it returns one object. That makes me think it may not be simply an issue with Net::LDAP.	[reply]
Re^2: Net::LDAP and Active Directory certificate revocation lists by mellin (Scribe) on Sep 20, 2008 at 01:06 UTC
Are you querying against Active Directory? With hostname like dc.domain.com?	[reply]
Re^3: Net::LDAP and Active Directory certificate revocation lists by hominid (Priest) on Sep 20, 2008 at 21:14 UTC
I query against Novell e-directory on an internal network and can use either just the hostname, e.g. ab123-work, or the i.p. address.	[reply]
Re: Net::LDAP and Active Directory certificate revocation lists by strat (Canon) on Sep 20, 2008 at 09:20 UTC
Do you do proper error handling at connect and bind and search? Best regards, perl -e "s>>F>e=>y)\martinF)stronat)=>print,print v8.8.8.32.11.32"	[reply]
Re^2: Net::LDAP and Active Directory certificate revocation lists by mellin (Scribe) on Sep 22, 2008 at 13:49 UTC
Yes, I can see that the code method from the LDAP object returns 0, which according to Net::LDAP man page means "Operation completed without error". Really strange this issue, because I don't get it how Softerra LDAP browser (and all other LDAP browsers I've used) are able to return objects using the same filter, user account and LDAP server. Maybe I should try to ask from the module creator himself about this	[reply]