
Knowledge Base

mihkeltammsalu edited this page Dec 6, 2023 · 8 revisions

This page gathers technical instructions on the structure and use of the LDAP directory service.

ESTEID LDAP technical description

Directory service queries must be submitted over the LDAPS protocol. Access to the service is unrestricted (anonymous bind, simple authentication) around the clock. Only data exchange with TLS encryption and TLS client authentication is supported. A maximum of 50 certificate entries is returned in a response.

The directory is available at esteid.ldap.sk.ee, port 636.

Below you will find a detailed description of the directory layout. Knowledge of the layout is necessary for searching data in the directory. The directory tree structure (personal certificates) is shown in the following figure:

Figure 1: directory tree structure (personal certificates)

Searches for personal certificates are restricted to the certificate owner's identity number (the serialNumber attribute), in the form "PNOEE-38001085718", or to the certificate's CN (CommonName) field, in the form "JÕEORG,JAAK-KRISTJAN,38001085718".

ESTEID LDAP query examples

Example query from the Linux or Mac command line to search for a personal certificate:

Query without the LDAP server's CA certificate chain (LDAPTLS_REQCERT=allow accepts the server certificate without verifying it):

LDAPTLS_REQCERT=allow ldapsearch -H ldaps://esteid.ldap.sk.ee/ -x -b "c=EE" "(serialNumber=PNOEE-38510016016)"

Query with the LDAP server's CA certificate (to obtain the LDAP server certificate, use: openssl s_client -showcerts -connect esteid.ldap.sk.ee:636):

LDAPTLS_CACERT=ldapca.crt ldapsearch -H ldaps://esteid.ldap.sk.ee/ -x -b "c=EE" "(cn=JÕEORG,JAAK-KRISTJAN,38001085718)"

KLASS3 LDAP technical description

Directory service queries must be submitted over the LDAPS protocol. Access to the service is unrestricted (anonymous bind, simple authentication) around the clock. Only data exchange with TLS encryption and TLS client authentication is supported. A maximum of 50 certificate entries is returned in a response.

The directory is available at k3.ldap.sk.ee, port 636.

Below you will find a detailed description of the directory layout. Knowledge of the layout is necessary for searching data in the directory. The directory tree structure (organisation certificates) is shown in the following figure:

Figure 2: directory tree structure (organisation certificates)

ORG LDAP query examples

Example queries from the Linux or Mac command line for finding organisation certificates:

Query without the LDAP server's CA certificate chain (LDAPTLS_REQCERT=allow accepts the server certificate without verifying it). By the name of the organisation:

LDAPTLS_REQCERT=allow ldapsearch -H ldaps://k3.ldap.sk.ee/ -x -b "" "(cn=SK ID Solutions AS)"

By the registry code:

LDAPTLS_REQCERT=allow ldapsearch -H ldaps://k3.ldap.sk.ee/ -x -b "" "(serialNumber=10747013)"

Query with the LDAP server's CA certificate (to obtain the LDAP server certificate, use: openssl s_client -showcerts -connect k3.ldap.sk.ee:636).

By the name of the organisation:

LDAPTLS_CACERT=ldapca.crt ldapsearch -H ldaps://k3.ldap.sk.ee/ -x -b "" "(cn=SK ID Solutions AS)"

By the registry code:

LDAPTLS_CACERT=ldapca.crt ldapsearch -H ldaps://k3.ldap.sk.ee/ -x -b "" "(serialNumber=10747013)"

Queries can be narrowed with a country code if the organisation's location is known:

LDAPTLS_REQCERT=allow ldapsearch -H ldaps://k3.ldap.sk.ee/ -x -b "c=EE" "(cn=SK ID Solutions AS)"
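The ESTEID and KLASS3 queries above take an identity number, registry code or name straight into the search filter. The following Python wrapper, added here as an example and not part of the SK wiki or tooling, builds the same ldapsearch invocations with the filter value escaped per RFC 4515 and the server certificate verified through LDAPTLS_CACERT; the file name ldapca.crt and the function names are assumptions.

```python
import os
import subprocess

# The two directories the page describes, with the base DN each section's
# examples use (ESTEID searches under c=EE; the KLASS3 examples use an empty base).
DIRECTORIES = {
    "esteid": {"host": "esteid.ldap.sk.ee", "base": "c=EE"},
    "klass3": {"host": "k3.ldap.sk.ee", "base": ""},
}

SEARCH_ATTRIBUTES = ("serialNumber", "cn")  # the page restricts searches to these


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515).
    The identity number or name is user input: a raw '*', '(', ')' or '\\'
    would alter the filter's structure instead of being matched literally.
    Non-ASCII characters such as 'Õ' may be sent as UTF-8 unescaped."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_filter(attribute: str, value: str) -> str:
    """Build the '(attribute=value)' filter used in the page's ldapsearch examples."""
    if attribute not in SEARCH_ATTRIBUTES:
        raise ValueError("searches are only supported on serialNumber or cn")
    return "(%s=%s)" % (attribute, escape_filter_value(value))


def ldapsearch_command(directory: str, attribute: str, value: str, cacert: str):
    """Return (argv, env) for ldapsearch against one of the two directories. The server
    certificate is verified against `cacert` (LDAPTLS_CACERT), not accepted with REQCERT=allow."""
    entry = DIRECTORIES[directory]
    argv = [
        "ldapsearch",
        "-H", "ldaps://%s/" % entry["host"],
        "-x",  # simple bind, anonymous, as the page describes
        "-b", entry["base"],
        build_filter(attribute, value),
    ]
    return argv, dict(os.environ, LDAPTLS_CACERT=cacert)


def run_search(directory, attribute, value, cacert="ldapca.crt") -> str:
    """Run the query and return ldapsearch's LDIF output (needs the tool and network)."""
    argv, env = ldapsearch_command(directory, attribute, value, cacert)
    return subprocess.run(argv, env=env, check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    print(run_search("esteid", "serialNumber", "PNOEE-38001085718"))
```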
