Using DirName from CRLDP extension as search filter

Joacim Kosonen alakaterai at
Mon Jul 8 13:59:42 CEST 2013

Greetings, novice at freeradius here. I would like to use the ldap module
in Freeradius to check certs against CRLS, nothing special there. What I'm
wondering is how, if it is in fact possible, can I take the DN provided by
the cert to filter the ldap search done by the module. All I really need to
filter on is the CN part of the DirName. Example:


There are quite a few CRLs on the ldap server and it seems that having more
than one result returned results in an ambiguous search and a subsequent
failure. Is what I'm looking to do possible?

Somewhat related question about CRLs, in my testing I've run across the
error "Different CRL scope". It seems that the CRLs have the UsersOnly flag
set, but I can still successfully verify that a revoked certificate that
fails in this fashion is indeed revoked by using openssl verify. My
suspicion is that openssl verify doesn't care about scope, but I haven't
found anything that says one or the other.

I'm running freeradius 2.1.12 from the debian wheezy repo, openssl 1.0.1e
from the same, if this is relevant.

Joacim Kosonen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list