The crl ldap command specifies the LDAP attribute and distinguished name (DN) that the device uses to obtain a CRL from an LDAP server when it updates the CRL automatically over LDAP.
The undo crl ldap command deletes the attribute and identifier used to obtain CRL from the LDAP server.
By default, the system automatically updates CRL using HTTP.
| Parameter | Description | Value |
|---|---|---|
| attribute attr-value | Specifies the attribute value that a device uses to obtain a CRL from an LDAP server. | The value is a string of 1 to 64 case-sensitive characters. By default, the value is certificateRevocationList. |
| dn dn-value | Specifies the DN of the LDAP directory entry from which the device obtains the CRL. The DN is generally composed of information such as the common name, organization name, or country of the certificate issuer (the CRL signer). | The value is a string of 1 to 128 case-sensitive characters, with spaces supported. |
Usage Scenario
Before you use LDAP to update a CRL automatically, run the crl ldap command to tell the device where the CRL is stored in the directory.
When a PKI entity updates its CRL using LDAP, it sends an LDAP search request whose base object is the configured DN and whose attribute list contains the configured attribute, and it reads the CRL from the attribute value in the returned entry. Run the crl ldap [ attribute attr-value ] dn dn-value command to specify that attribute and DN. If attribute is omitted, the device requests the default attribute certificateRevocationList.
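The following is an added example, not code from the original page or from the device vendor. It shows what the device's LDAP CRL query looks like on the wire: a baseObject-scope SearchRequest for the configured DN that asks only for the configured attribute, and a decoder that pulls the CRL out of the SearchResultEntry the server returns. The DN, the response message and the CRL payload are constructed placeholders (the CRL is a bare DER SEQUENCE, not a real signed CertificateList), so the script runs offline; against a real server the same request bytes would be sent over TCP port 389.

```python
"""LDAP CRL retrieval as a PKI entity performs it (RFC 4511 BER framing, RFC 4523 attribute).
Added example; the DN, message ID and sample response below are constructed, not captured."""

CRL_DN = "cn=CRL1,ou=PKI,o=Example,c=CN"   # assumed dn-value; matches no real directory
CRL_ATTR = "certificateRevocationList"     # the default attr-value on the page


def ber_len(n: int) -> bytes:
    """Definite-length BER: short form below 128, else 0x80|count then big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ldap_search_request(msg_id: int, base_dn: str, attr: str) -> bytes:
    """LDAPMessage { messageID, SearchRequest } with baseObject scope, filter (objectClass=*),
    and a single requested attribute. msg_id must be below 128 for this one-byte INTEGER."""
    req = b"".join([
        tlv(0x04, base_dn.encode()),          # baseObject: the configured dn-value
        tlv(0x0A, b"\x00"),                   # scope: baseObject (0), no subtree walk
        tlv(0x0A, b"\x00"),                   # derefAliases: neverDerefAliases
        tlv(0x02, b"\x00"),                   # sizeLimit 0 (server default)
        tlv(0x02, b"\x00"),                   # timeLimit 0 (server default)
        tlv(0x01, b"\x00"),                   # typesOnly FALSE: we want the value
        tlv(0x87, b"objectClass"),            # filter: present [7] "objectClass"
        tlv(0x30, tlv(0x04, attr.encode())),  # attributes: only the configured attr-value
    ])
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x63, req))  # 0x63 = [APPLICATION 3]


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the BER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def read_sequence(body: bytes):
    """Split a constructed BER body into its [(tag, body), ...] children."""
    children, pos = [], 0
    while pos < len(body):
        tag, child, pos = read_tlv(body, pos)
        children.append((tag, child))
    return children


def extract_crl(message: bytes, attr: str):
    """Return the first value of attr from a SearchResultEntry, or None if absent.
    Accepts 'attr;binary' as well as 'attr', case-insensitively, as LDAP does."""
    tag, body, _ = read_tlv(message)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    children = read_sequence(body)
    if len(children) < 2 or children[1][0] != 0x64:   # 0x64 = SearchResultEntry [APPLICATION 4]
        return None
    _object_name, attrs = read_sequence(children[1][1])
    for _tag, partial in read_sequence(attrs[1]):       # each PartialAttribute { type, vals SET }
        atype, vals = read_sequence(partial)
        if atype[1].decode().lower().split(";")[0] == attr.lower():
            values = read_sequence(vals[1])
            return values[0][1] if values else None
    return None


def looks_like_der_crl(crl: bytes) -> bool:
    """CertificateList is a DER SEQUENCE whose length covers the whole payload; reject
    truncated downloads before they are written to flash."""
    if len(crl) < 2 or crl[0] != 0x30:
        return False
    _tag, _body, end = read_tlv(crl)
    return end == len(crl)


def ldap_search_entry(msg_id: int, dn: str, attr: str, value: bytes) -> bytes:
    """Constructed server reply used only to build the offline sample below."""
    partial = tlv(0x30, tlv(0x04, attr.encode()) + tlv(0x31, tlv(0x04, value)))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x64, tlv(0x04, dn.encode()) + tlv(0x30, partial)))


# Constructed placeholder CRL: a DER SEQUENCE with dummy content, not a signed CertificateList.
SAMPLE_CRL = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"placeholder-tbsCertList"))
SAMPLE_RESPONSE = ldap_search_entry(1, CRL_DN, CRL_ATTR + ";binary", SAMPLE_CRL)

if __name__ == "__main__":
    request = ldap_search_request(1, CRL_DN, CRL_ATTR)
    crl = extract_crl(SAMPLE_RESPONSE, CRL_ATTR)
    print("request bytes:", request.hex())
    print("CRL found:", crl is not None, "well-formed DER:", crl is not None and looks_like_der_crl(crl))
```

If the device reports that the CRL update fails, compare the DN and attribute it is configured with against what the directory actually holds: a wrong dn-value yields no entry, and a wrong attr-value yields an entry with no value, which is exactly the None path above.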
Precautions
The attribute and DN configured with the crl ldap command are used only when LDAP has been selected as the CRL update mode; by default the device updates the CRL using HTTP.
Before selecting the LDAP mode, ensure that the CF card or Hda1 has sufficient space for the CRL file, so that the CRL update does not fail for lack of storage.