On Thu, February 23, 2006 00:28, David Shaw wrote:

>> Next release of 1.4.x or 1.9.x?
>
> 1.4.3. I've added the new feature, so you could probably grab the
> gpgkeys_ldap.c from svn and use it in your 1.4.2 if you like. There
> aren't significant changes to the keyserver protocol between the two.
> Just replace the existing gpgkeys_ldap.c with the new one and
> recompile.

I've checked out rev. 4020 (gpg reports version 1.4.3rc1).

First the good news: anonymous access works, can send and receive keys
just fine. The problem with the pgpKeysize is gone, although I did _not_
make any changes to the code. The CVS diffs show that you probably took
care of this.

Now for the bad news: binding with a DN does not work yet. I tried the
new binddn and bindpw options with the following setup:

  > cat pgpusers.ldif
  dn: ou=PGP Users,dc=EXAMPLE,dc=COM
  objectclass: organizationalUnit
  ou: PGP Users

  dn: uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM
  objectClass: inetOrgPerson
  objectClass: uidObject
  uid: user1
  # password is 'user1'. Use slappasswd(8) to create a new
  # one and replace the string here!
  userPassword: {SSHA}sLbxdJt53SZvU9BMRSSmdD78vfiSoPHR
  sn: User1
  cn: Test User1

  > ldapadd -x -h localhost -W -D "cn=Manager,dc=EXAMPLE,dc=COM" < pgpusers.ldif
  adding new entry "ou=PGP Users,dc=EXAMPLE,dc=COM"
  ...

Changed the acl in slapd.conf from

  # PGP keystore: limit write access to localhost
  access to dn.subtree="ou=PGP Keys,dc=EXAMPLE,dc=COM"
      by peername.ip=127.0.0.1 write
      by * read

to:

  # PGP keystore: only users of "ou=PGP Users,dc=EXAMPLE,dc=COM" may write
  access to dn.subtree="ou=PGP Keys,dc=EXAMPLE,dc=COM"
      by dn.regex="uid=([^,]+),ou=PGP Users,dc=EXAMPLE,dc=COM" write
      by * read

and tried the following:

  > gpg --keyserver ldap://localhost --keyserver-option verbose --keyserver-option "binddn=uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM" --keyserver-option bindpw=user1 --send-keys B15BBBE2
  gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
  gpg: It is only intended for test purposes and should NOT be
  gpg: used in a production environment or with production keys!
  gpg: sending key B15BBBE2 to ldap server localhost
  gpgkeys: internal LDAP bind error: Invalid credentials
  gpg: keyserver internal error
  gpg: keyserver send failed: keyserver error

Syslog shows that gpg only binds with DN 'uid=user1' instead of the whole
specified DN:

  slapd[10055]: conn=6 op=2 BIND dn="uid=user1" method=128

There is a bug in the option parsing. Added a few diagnostics in main() of
gpgkeys_ldap.c, which showed that binddn is already truncated after and
including the first comma when you strdup() it from start[], i.e. any DN
like 'a,b,c,d' would be truncated to 'a'. Had a quick look but no obvious
origin of the problem.

Walter

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
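The truncation Walter describes is what a comma-separated option list does to a value that itself contains commas, as every LDAP DN does. The C program below is an added illustration, not code from this thread or from gpgkeys_ldap.c: it models the reported behaviour with a naive comma tokenizer (an assumed model of the failure, not GnuPG's actual parser), sets a quote-aware tokenizer beside it (the double-quote convention is this example's own, not a documented gpg option syntax), and adds a small RDN counter that a helper could log before binding so a DN collapsed to a single RDN is visible in the logs straight away. The option strings are constructed to mirror the command line in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OPTS 16

/* Copy len bytes of s into a fresh NUL-terminated buffer. */
static char *dupn(const char *s, size_t len)
{
    char *d = malloc(len + 1);
    if (!d) { perror("malloc"); exit(1); }
    memcpy(d, s, len);
    d[len] = '\0';
    return d;
}

/* Naive tokenizer: every comma ends a token.  This models the reported
 * behaviour (a DN 'a,b,c,d' collapses to 'a'); it is an assumed
 * illustration, not the parser in gpgkeys_ldap.c. */
static int split_naive(const char *s, char **out, int max)
{
    int n = 0;
    while (*s && n < max) {
        const char *comma = strchr(s, ',');
        size_t len = comma ? (size_t)(comma - s) : strlen(s);
        out[n++] = dupn(s, len);
        if (!comma) break;
        s = comma + 1;
    }
    return n;
}

/* Quote-aware tokenizer: a comma inside double quotes is part of the
 * value and the quotes are stripped.  Hypothetical convention for this
 * example only. */
static int split_quoted(const char *s, char **out, int max)
{
    int n = 0;
    while (*s && n < max) {
        char buf[512];
        size_t len = 0;
        int inq = 0;
        while (*s && (inq || *s != ',') && len < sizeof buf - 1) {
            if (*s == '"') { inq = !inq; s++; continue; }
            buf[len++] = *s++;
        }
        out[n++] = dupn(buf, len);
        if (*s == ',') s++;
    }
    return n;
}

/* Find "name=value" among the tokens; returns the value or NULL. */
static const char *opt_value(char **opts, int n, const char *name)
{
    size_t nl = strlen(name);
    for (int i = 0; i < n; i++)
        if (strncmp(opts[i], name, nl) == 0 && opts[i][nl] == '=')
            return opts[i] + nl + 1;
    return NULL;
}

/* Tokenize optstring and return a malloc'd copy of the binddn value,
 * or NULL if none is present.  Caller frees. */
char *get_binddn(const char *optstring, int quote_aware)
{
    char *opts[MAX_OPTS];
    int n = quote_aware ? split_quoted(optstring, opts, MAX_OPTS)
                        : split_naive(optstring, opts, MAX_OPTS);
    const char *v = opt_value(opts, n, "binddn");
    char *result = v ? dupn(v, strlen(v)) : NULL;
    for (int i = 0; i < n; i++)
        free(opts[i]);
    return result;
}

/* 1 if the parsed binddn equals expected, else 0. */
int binddn_equals(const char *optstring, int quote_aware, const char *expected)
{
    char *dn = get_binddn(optstring, quote_aware);
    int ok = dn && strcmp(dn, expected) == 0;
    free(dn);
    return ok;
}

/* Number of RDNs in a DN (unescaped commas + 1); 0 for an empty DN.
 * Logging this before the bind exposes a truncated DN immediately. */
int dn_rdn_count(const char *dn)
{
    if (!dn || !*dn) return 0;
    int count = 1;
    for (const char *p = dn; *p; p++) {
        if (*p == '\\' && p[1]) { p++; continue; }  /* skip escaped char */
        if (*p == ',') count++;
    }
    return count;
}

int main(void)
{
    /* Constructed option strings mirroring the report's command line. */
    const char *plain  = "verbose,binddn=uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM,bindpw=user1";
    const char *quoted = "verbose,binddn=\"uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM\",bindpw=user1";
    char *a = get_binddn(plain, 0);
    char *b = get_binddn(quoted, 1);
    printf("naive       : binddn=%s (%d RDN)\n", a ? a : "(none)", dn_rdn_count(a));
    printf("quote-aware : binddn=%s (%d RDN)\n", b ? b : "(none)", dn_rdn_count(b));
    free(a);
    free(b);
    return 0;
}
```

Run stand-alone, the naive path yields `uid=user1` with one RDN, exactly the DN slapd logged in the report, while the quote-aware path keeps all four RDNs. The general point for anyone writing a helper that takes `key=value` options: if the list separator can legitimately occur inside a value, the parser needs a quoting or escaping rule, and the value should be validated (here, by RDN count or by comparing against the configured DN) before it is used for authentication.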