LDAP support w/ PGP 8.0 & iPlanet Directory Server
korb at qisc.com
Fri Jan 10 04:18:01 CET 2003
We recently purchased PGP 8.0 for our PC users, but would like to use
GnuPG 1.2.1 for our various Unix flavors (Solaris, Irix, Linux, AIX,
etc.). Because we already maintained a corporate LDAP infrastructure, we
decided that the most appropriate approach (i.e., the easiest to support)
would be to use our LDAP servers as our internal keyservers rather than
deploying the keyserver that came with PGP 8.0.
Herein lies the problem: PGP Corp. supplied the schema necessary to
support PGP keys storage in our iPlanet 5.1 LDAP server, but GnuPG
doesn't work with it (--send-keys reports "gpgkeys: error adding key
XXXXXXXX to keyserver: Object class violation") and --search-keys reports
"gpg: keyserver internal error"). However, the PGP 8.0 PC client works
just fine with our LDAP server.
I already figured out why the searches were failing: the algorithm used
to find the pgpBaseKeySpaceDN in gpg simply looks for a cn=PGPServerInfo
entry in the base scope, whereas the PGP client queries the base scope
for all of the servers namingContexts then looks for a cn=PGPServerInfo
entry relative to each namingContext. I was able to create the code that
does that fairly easily.
The changes needed to send keys to the LDAP server are not so simple.
The object class violation seems to be a result of gpgkeys_ldap trying to
send a simple entry as pgpCertid=virtual,ou=pgpKeySpace,o=cray.com, but
this simple entry is missing some required attributes. I also don't
understand the significance of the "pgpCertid=virtual" keyid - the keys
that the PGP client inserts have the full 16 digit keys.
So what I'm asking is this: is anyone actively working on getting the
LDAP plug-in to work in this type of environment?
William Korb, President & CTO Phone: 715-382-5462
QISC, Inc. Fax: 715-382-5462
19945 82nd Ave., Suite 201 E-mail: korb at qisc.com
Chippewa Falls, WI 54729-5631 URL: http://www.qisc.com/
"Tilting at Digital Windmills since 1995."
More information about the Gnupg-devel