LDAP support w/ PGP 8.0 & iPlanet Directory Server

William Korb korb at qisc.com
Fri Jan 10 04:18:01 CET 2003

We recently purchased PGP 8.0 for our PC users, but would like to use 
GnuPG 1.2.1 for our various Unix flavors (Solaris, Irix, Linux, AIX, 
etc.). Because we already maintained a corporate LDAP infrastructure, we 
decided that the most appropriate approach (i.e., the easiest to support) 
would be to use our LDAP servers as our internal keyservers rather than 
deploying the keyserver that came with PGP 8.0.

Herein lies the problem: PGP Corp. supplied the schema necessary to 
support PGP keys storage in our iPlanet 5.1 LDAP server, but GnuPG 
doesn't work with it (--send-keys reports "gpgkeys: error adding key 
XXXXXXXX to keyserver: Object class violation" and --search-keys reports 
"gpg: keyserver internal error"). However, the PGP 8.0 PC client works 
just fine with our LDAP server.

I already figured out why the searches were failing: the algorithm used 
to find the pgpBaseKeySpaceDN in gpg simply looks for a cn=PGPServerInfo 
entry in the base scope, whereas the PGP client queries the base scope 
for all of the servers namingContexts then looks for a cn=PGPServerInfo 
entry relative to each namingContext. I was able to create the code that 
does that fairly easily.

The changes needed to send keys to the LDAP server are not so simple.

The object class violation seems to be a result of gpgkeys_ldap trying to 
send a simple entry as pgpCertid=virtual,ou=pgpKeySpace,o=cray.com, but 
this simple entry is missing some required attributes. I also don't 
understand the significance of the "pgpCertid=virtual" keyid - the keys 
that the PGP client inserts have the full 16-digit keys.

So what I'm asking is this: is anyone actively working on getting the 
LDAP plug-in to work in this type of environment?


William Korb, President & CTO          Phone:  715-382-5462
QISC, Inc.                             Fax:    715-382-5462
19945 82nd Ave., Suite 201             E-mail: korb at qisc.com
Chippewa Falls, WI 54729-5631          URL:    http://www.qisc.com/
"Tilting at Digital Windmills since 1995."
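Added example (not from the original post, and not GnuPG's or PGP Corp.'s code): the two pgpBaseKeySpaceDN discovery strategies the post contrasts, run against a constructed in-memory directory instead of a live LDAP server. The gpg-style lookup reads cn=PGPServerInfo as a top-level entry in base scope; the PGP-client-style lookup reads namingContexts from the root DSE and tries cn=PGPServerInfo under each context. All DNs, naming contexts and attribute values here are made up for illustration, and `search`/`read_attr` are hypothetical stand-ins for the equivalent calls through an LDAP library.

```python
# Added example: pgpBaseKeySpaceDN discovery, gpg-style vs PGP-client-style,
# simulated against a constructed directory (no real LDAP server involved).

def _norm(dn):
    """Normalise a DN for comparison: trim spaces around RDNs, lower-case."""
    return ",".join(p.strip().lower() for p in dn.split(",")) if dn else ""

def _parent(dn):
    """Parent DN of `dn` ('' for a top-level entry or the root DSE)."""
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else ""

# Constructed directory: DN -> attributes.  The empty DN is the root DSE,
# which advertises the server's naming contexts.  cn=PGPServerInfo lives
# under one naming context, not at the top level of the tree.
DIRECTORY = {
    "": {
        "objectClass": ["top"],
        "namingContexts": ["o=example.com", "o=NetscapeRoot"],
    },
    "o=example.com": {"objectClass": ["top", "organization"], "o": ["example.com"]},
    "cn=PGPServerInfo,o=example.com": {
        "objectClass": ["top", "pgpServerInfo"],
        "cn": ["PGPServerInfo"],
        "pgpBaseKeySpaceDN": ["ou=pgpKeySpace,o=example.com"],
    },
    "ou=pgpKeySpace,o=example.com": {
        "objectClass": ["top", "organizationalUnit"],
        "ou": ["pgpKeySpace"],
    },
    "o=NetscapeRoot": {"objectClass": ["top", "organization"], "o": ["NetscapeRoot"]},
}

def search(base, scope, attr, value):
    """Minimal stand-in for an LDAP search with an equality filter.

    scope 'base' returns only the base entry itself; 'one' returns its
    immediate children.  Returns the stored DNs whose `attr` holds `value`
    (compared case-insensitively).
    """
    base = _norm(base)
    hits = []
    for dn, attrs in DIRECTORY.items():
        ndn = _norm(dn)
        if scope == "base" and ndn != base:
            continue
        if scope == "one" and (ndn == base or _parent(ndn) != base):
            continue
        if value.lower() in (v.lower() for v in attrs.get(attr, [])):
            hits.append(dn)
    return hits

def read_attr(dn, attr):
    """Return the values of `attr` on entry `dn`, or [] if absent."""
    for stored, attrs in DIRECTORY.items():
        if _norm(stored) == _norm(dn):
            return attrs.get(attr, [])
    return []

def keyspace_gpg_style():
    """Strategy the post attributes to gpgkeys_ldap: one base-scope read of
    cn=PGPServerInfo at the top of the tree.  Returns None here because the
    entry sits under a naming context instead."""
    hits = search("cn=PGPServerInfo", "base", "objectClass", "pgpServerInfo")
    return read_attr(hits[0], "pgpBaseKeySpaceDN")[0] if hits else None

def keyspace_pgp_client_style():
    """Strategy the post attributes to the PGP 8.0 client: read namingContexts
    from the root DSE, then try cn=PGPServerInfo relative to each context
    until one yields pgpBaseKeySpaceDN."""
    for ctx in read_attr("", "namingContexts"):
        candidate = "cn=PGPServerInfo," + ctx
        hits = search(candidate, "base", "objectClass", "pgpServerInfo")
        if hits:
            values = read_attr(hits[0], "pgpBaseKeySpaceDN")
            if values:
                return values[0]
    return None

if __name__ == "__main__":
    print("gpg-style lookup:  ", keyspace_gpg_style())
    print("PGP-client lookup: ", keyspace_pgp_client_style())
```

Running it shows the first strategy returning nothing and the second returning the constructed ou=pgpKeySpace,o=example.com; the same walk over namingContexts is what a client needs before it can build a correct key DN under the key space.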
