how to authenticate an ldaps keyserver lookup

Ralf Hauser ralfhauser at gmx.ch
Thu Jun 15 07:14:57 CEST 2006


David,

Thanks - your hint on v1.4.3 solved the bind problem.
> > Furthermore, when trying to do that with apache's ldap server, it did
> > not like the SSL it got from my gpg
> > (http://issues.apache.org/jira/browse/DIR-185).
> 
> Try adding "keyserver-options debug=1" and running it again to get
> some idea what GPG is seeing.
Since I didn't find a 1.4.3 version for Linux or Windows with TLS support enabled, I am doing my other experiments with the Cygwin 1.4.2 version (without the bind).

The "unknown_ca" error (reported in the above issue tracker 185) I saw on the server (directory.apache.org) side apparently was issued by the gpg client.

For other LDAP clients such as EQ or command-line ldapsearch, we solved that by creating a ~/.ldaprc file and either adding the server key with
   TLS_CACERT /path/to/cacert.pem
or reducing the protection by adding
   TLS_REQCERT never

Unfortunately, with gpg, this did not help.
Putting the same into /etc/ldap/ldap.conf as per http://marc.theaimsgroup.com/?l=gnupg-users&m=109095590410758&w=2 didn't do it either.

So my log now is:

Ralf Hauser at Acer_Ralf:/etc/ldap> gpg.1.4.2.1 --keyserver ldaps://localhost:2636 --keyserver-options 'binddn="dn=micky"' --keyserver-options "debug=5" --keyserver-options bindpw=mouse --search-keys Test
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: searching for "Test" from ldaps server localhost
gpgkeys: debug level 5
ldap_create
ldap_search
put_filter: "(objectClass=*)"
put_filter: simple
put_simple_filter: "objectClass=*"
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:2636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 127.0.0.1:2636
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject: /DC=com/DC=netcetera/emailAddress=vlatkogj at domain.com.mk, issuer: /DC=com/DC=netcetera/emailAddress=vlatkogj at domain.com.mk
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_search
put_filter: "(objectClass=*)"
put_filter: simple
put_simple_filter: "objectClass=*"
ldap_send_initial_request
ldap_send_server_request
ldap_err2string
gpgkeys: unable to retrieve LDAP base: Can't contact LDAP server
gpg: key "Test" not found on keyserver
gpg: keyserver internal error
gpg: keyserver search failed: keyserver error

Any hints would still be highly appreciated.

    Ralf
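The `ldap_*` and `TLS trace:` lines in the log above are emitted by the OpenLDAP client library that the gpg keyserver helper is linked against, and the `err: 18` in the `TLS certificate verification:` line is the OpenSSL verify result code (18 = self signed certificate at depth 0, which is why the client then sends the `unknown CA` alert). The following script is an added example, not code from the post or from GnuPG/OpenLDAP: it parses a debug trace in that format, pulls out the verification failure, and maps it to the client-side fix the post already names (`TLS_CACERT` pointing at the CA certificate, or the weaker `TLS_REQCERT never`). The sample log embedded in it is constructed with placeholder names, not the post's own log.

```python
import re
from typing import Optional

# Subset of OpenSSL X509 verify result codes; the "err:" value in the
# OpenLDAP TLS trace line is this number.
OPENSSL_VERIFY_ERRORS = {
    10: "certificate has expired",
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}
# All of these mean "the client has no trust anchor for this server cert".
UNTRUSTED_ISSUER_CODES = {18, 19, 20, 21}

VERIFY_RE = re.compile(
    r"TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+), "
    r"subject: (?P<subject>.*?), issuer: (?P<issuer>.*)$"
)
ALERT_RE = re.compile(r"TLS trace: SSL3 alert write:fatal:(?P<alert>.+)$")

# Constructed sample trace (placeholder subject/issuer), modelled on the
# OpenLDAP debug output format; not taken from a real server.
SAMPLE_LOG = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject: /CN=ldap.example.test, issuer: /CN=ldap.example.test
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS: can't connect.
"""


def parse_tls_failure(log: str) -> Optional[dict]:
    """Return details of the first failed certificate verification in an
    OpenLDAP debug trace, or None when no verification error was logged."""
    failure = None
    for line in log.splitlines():
        m = VERIFY_RE.search(line)
        if m and failure is None and int(m.group("err")) != 0:
            err = int(m.group("err"))
            failure = {
                "depth": int(m.group("depth")),
                "err": err,
                "reason": OPENSSL_VERIFY_ERRORS.get(err, "unknown verify error"),
                "subject": m.group("subject"),
                "issuer": m.group("issuer"),
                # A leaf whose issuer equals its subject is self-signed.
                "self_signed": m.group("subject") == m.group("issuer"),
                "alert": None,  # filled in if the client sends a fatal alert
            }
            continue
        a = ALERT_RE.search(line)
        if a and failure is not None:
            failure["alert"] = a.group("alert").strip()
    return failure


def recommend(failure: Optional[dict]) -> str:
    """Map a parsed failure to the client-side configuration change."""
    if failure is None:
        return "Server certificate verified; the TLS layer is not the problem."
    if failure["err"] in UNTRUSTED_ISSUER_CODES:
        what = "the server's self-signed certificate" if failure["self_signed"] \
            else "the CA that issued the server certificate"
        return (
            f"Client has no trust anchor for {what} ({failure['reason']}). "
            "Add 'TLS_CACERT /path/to/cacert.pem' to the ldap.conf or ~/.ldaprc "
            "the failing client actually reads. 'TLS_REQCERT never' also makes "
            "the connection succeed but disables verification entirely."
        )
    if failure["err"] == 10:
        return "The server certificate has expired; renew it on the server."
    return f"Unhandled verify error {failure['err']}: {failure['reason']}."


if __name__ == "__main__":
    f = parse_tls_failure(SAMPLE_LOG)
    print(f)
    print(recommend(f))
```

Run it on a captured `debug=5` trace by replacing `SAMPLE_LOG` with the file contents; a trace where the `err:` value is 0 yields `None`, so the script distinguishes a certificate-trust failure from a later bind or search problem.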