LDAP support w/ PGP 8.0 & iPlanet Directory Server

David Shaw dshaw at jabberwocky.com
Fri Jan 10 18:51:01 CET 2003

On Fri, Jan 10, 2003 at 04:56:23PM +0000, William Korb wrote:

> > > So what I'm asking is this: is anyone actively working on getting the
> > > LDAP plug-in to work in this type of environment?
> > Not actively, but that doesn't mean "no".  I'd be interested in
> > updating gpgkeys_ldap to work in your environment, but I don't want to
> > raise any legal issues.  I am reluctant to look at the PGP 8 source
> > for obvious reasons.
> Well, we don't have access to any "source" code. I've pretty much 
> reverse-engineered everything to get to where I am now.

PGP makes the client source available on their web site, but I can't
read it ;)

> The iPlanet Directory Server is extensible using their "plug-in" 
> architecture, so I could probably duplicate what the PGP keyserver is 
> doing with the pgpCertid=virtual thing by writing a plug-in, but since 
> the PGP 8.0 client approach already assumes a trust relationship with the 
> LDAP server, I'd rather do the same thing with gpg. Also, an iDS plug-in 
> would also limit the utility of this change as it would then require that 
> something comparable be added to any LDAP server that we'd want to use as 
> a PGP key store.

Exactly.  I'd rather see gpgkeys_ldap do the same thing that PGP 8
does so it works with any old LDAP server.  I think (I'm checking on
this) that we're okay so long as we black-box figure it out and don't
read the source.

Your ed script didn't apply cleanly, but if I understand the bit that
you've reverse engineered so far, the algorithm should look like:

 Try and get the namingContexts from the server.

   If namingContexts are found, try each namingContext in server order
   (i.e. don't sort them in the client) to get cn=PGPServerInfo.  Stop
   after finding one.

   If there are no namingContexts, try for cn=PGPServerInfo in the
   base scope.

Once we have a PGPServerInfo record to give us the baseKeySpaceDN,
then searching and key retrieval at least should work.

Could the problem with adding be as simple as providing all of the
missing attributes (pgpRevoked, pgpKeyCreatetime, etc.) ?

What is "pgpbasekeyspacedn"?  The same thing as "basekeyspacedn" for
non-keyserver LDAP servers?


   David Shaw  |  dshaw at jabberwocky.com  |  WWW http://www.jabberwocky.com/
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
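The PGPServerInfo discovery order sketched in the message above (namingContexts in server order first, base scope only when the server reports none, then read baseKeySpaceDN from the entry found), written out as an added example that is not code from the thread, from gpgkeys_ldap or from PGP. It runs offline against a constructed in-memory directory through an injected `search(base, scope, filter, attrs)` callable; that signature, the scope constants, the interpretation of "base scope" as a base-scope read of `cn=PGPServerInfo` under a configured base DN, and all DNs and attribute values are assumptions. Because the client takes baseKeySpaceDN from whatever the directory returns, the lookup inherits the trust in the LDAP server that the message already notes.

```python
from typing import Callable, Dict, List, Optional, Tuple

# LDAP search scopes, as plain strings for the injected search callable (assumed).
SCOPE_BASE = "base"
SCOPE_ONE = "one"

Entry = Tuple[str, Dict[str, List[str]]]
# search(base_dn, scope, filter, attribute_list) -> list of (dn, attributes)
SearchFn = Callable[[str, str, str, List[str]], List[Entry]]


def find_server_info(search: SearchFn, base_dn: str = "") -> Optional[Dict[str, List[str]]]:
    """Return the attributes of the first cn=PGPServerInfo entry found, or None.

    Order follows the mail: read namingContexts from the root DSE, walk them in
    server order (no client-side sort) looking one level down for
    cn=PGPServerInfo, stop at the first hit; only when the server reports no
    namingContexts at all fall back to a base-scope read under base_dn."""
    root = search("", SCOPE_BASE, "(objectClass=*)", ["namingContexts"])
    contexts = root[0][1].get("namingContexts", []) if root else []

    if contexts:
        for ctx in contexts:  # deliberately not sorted: keep the server's order
            hits = search(ctx, SCOPE_ONE, "(cn=PGPServerInfo)", ["baseKeySpaceDN"])
            if hits:
                return hits[0][1]
        return None  # contexts existed but none held a PGPServerInfo record

    # No namingContexts: one base-scope read of cn=PGPServerInfo under base_dn (assumed reading).
    target = f"cn=PGPServerInfo,{base_dn}" if base_dn else "cn=PGPServerInfo"
    hits = search(target, SCOPE_BASE, "(cn=PGPServerInfo)", ["baseKeySpaceDN"])
    return hits[0][1] if hits else None


def base_key_space_dn(search: SearchFn, base_dn: str = "") -> Optional[str]:
    """Convenience wrapper: the DN under which keys live, or None if undiscoverable."""
    info = find_server_info(search, base_dn)
    if not info or not info.get("baseKeySpaceDN"):
        return None
    return info["baseKeySpaceDN"][0]


def make_fake_search(entries: Dict[str, Dict[str, List[str]]], root_contexts: List[str]) -> SearchFn:
    """Build a search callable over a constructed dict of DN -> attributes.

    Understands only the two filter shapes the discovery code issues:
    (objectClass=*) against the root DSE and (cn=<value>)."""
    def search(base: str, scope: str, flt: str, attrs: List[str]) -> List[Entry]:
        if base == "" and scope == SCOPE_BASE and flt == "(objectClass=*)":
            return [("", {"namingContexts": list(root_contexts)})]
        if not (flt.startswith("(cn=") and flt.endswith(")")):
            raise ValueError("fake search only understands (objectClass=*) and (cn=...)")
        wanted = flt[4:-1].lower()
        out: List[Entry] = []
        for dn, entry in entries.items():
            parent = dn.partition(",")[2]  # everything after the RDN
            if scope == SCOPE_BASE and dn.lower() != base.lower():
                continue
            if scope == SCOPE_ONE and parent.lower() != base.lower():
                continue
            if any(v.lower() == wanted for v in entry.get("cn", [])):
                out.append((dn, {a: entry[a] for a in attrs if a in entry}))
        return out
    return search


# Constructed sample directory. Server order lists dc=keys before dc=corp, which
# is the opposite of alphabetical order, so a client that sorted would pick wrongly.
FAKE_CONTEXTS = ["dc=keys,dc=example", "dc=corp,dc=example"]
FAKE_ENTRIES = {
    "cn=PGPServerInfo,dc=keys,dc=example": {
        "cn": ["PGPServerInfo"], "baseKeySpaceDN": ["ou=PGP Keys,dc=keys,dc=example"]},
    "cn=PGPServerInfo,dc=corp,dc=example": {
        "cn": ["PGPServerInfo"], "baseKeySpaceDN": ["ou=PGP Keys,dc=corp,dc=example"]},
    "cn=PGPServerInfo,o=example": {
        "cn": ["PGPServerInfo"], "baseKeySpaceDN": ["ou=PGP Keys,o=example"]},
}

if __name__ == "__main__":
    print(base_key_space_dn(make_fake_search(FAKE_ENTRIES, FAKE_CONTEXTS)))
    print(base_key_space_dn(make_fake_search(FAKE_ENTRIES, []), "o=example"))
    print(base_key_space_dn(make_fake_search({}, FAKE_CONTEXTS)))
```

To use it against a live directory, replace `make_fake_search` with a thin wrapper around your LDAP library's search call that returns the same `(dn, attributes)` tuples; the discovery logic itself does not change.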
