LDAP support w/ PGP 8.0 & iPlanet Directory Server
William Korb
korb at qisc.com
Fri Jan 10 20:24:01 CET 2003
> Exactly. I'd rather see gpgkeys_ldap do the same thing that PGP 8
> does so it works with any old LDAP server. I think (I'm checking on
> this) that we're okay so long as we black-box figure it out and don't
> read the source.
> Your ed script didn't apply cleanly, but if I understand the bit that
> you've reverse engineered so far, the algorithm should look like:
> Try and get the namingContexts from the server.
> If namingContexts are found, try each namingContext in server order
> (i.e. don't sort them in the client) to get cn=PGPServerInfo. Stop
> after finding one.
> If there are no namingContexts, try for cn=PGPServerInfo in the
> base scope.
> Once we have a PGPServerInfo record to give us the baseKeySpaceDN,
> then searching and key retrieval at least should work.
Yes, that's right. I'll send you my gpgkeys_ldap.c as it currently stands
(in a separate e-mail) so you can see my changes in context.
> Could the problem with adding be as simple as providing all of the
> missing attributes (pgpRevoked, pgpKeyCreatetime, etc.) ?
Yes, I think that's a fair assessment.
> What is "pgpbasekeyspacedn"? The same thing as "basekeyspacedn" for
> non-keyserver LDAP servers?
That's kinda weird, actually. That was required to make my changes work
with both a generic LDAP server and the PGP 8.0 LDAP-enabled key server.
The schema that they had me put into my iDS had this in it:
attributeTypes: (
1.3.6.1.4.1.3401.8.2.8
NAME 'pgpBaseKeySpaceDN'
DESC 'Points to DN of the object that will store the PGP keys.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE
X-ORIGIN 'Pretty Good Privacy (PGP)' )
But that's not what they named it in their keyserver:
49$ ldapsearch -b 'cn=PGPServerInfo' -s base 'objectclass=*'
CN=PGPSERVERINFO
version=7.0
software=PGP Keyserver, Enterprise Edition
basekeyspacedn=OU=ACTIVE,O=PGP KEYSPACE,C=US
basependingdn=OU=PENDING,O=PGP KEYSPACE,C=US
baseclientprefdn=O=PGP CLIENT PREFS SPACE,C=US
They dropped the "pgp" from the front of their attribute names, for some
reason. So I guess the answer to your question is yes.
Thanks,
Bill
---
William Korb, President & CTO Phone: 715-382-5462
QISC, Inc. Fax: 715-382-5462
19945 82nd Ave., Suite 201 E-mail: korb at qisc.com
Chippewa Falls, WI 54729-5631 URL: http://www.qisc.com/
"Tilting at Digital Windmills since 1995."
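The discovery algorithm agreed on above (root DSE namingContexts, then cn=PGPServerInfo under each context in server order, then a base-scope fallback) together with the attribute-name mismatch Bill describes, as an added example that is not code from gpgkeys_ldap.c or from PGP. The `search` callable is an assumed abstraction over an LDAP connection (base DN, scope, attribute list, returning a list of (dn, attributes) and an empty list where a real server would answer noSuchObject); the two in-memory directories are constructed for the demo, with the PGP Keyserver values copied from the ldapsearch output in the thread.

```python
"""Locate cn=PGPServerInfo and the key-space DN the way the thread describes.

Added example, not code from gpgkeys_ldap.c. `search` is an assumed
abstraction: search(base, scope, attrs) -> list of (dn, {attr: [values]}),
empty list for "no such object". Directories below are constructed.
"""
from typing import Callable, Dict, List, Optional, Tuple

Entry = Tuple[str, Dict[str, List[str]]]
Search = Callable[[str, str, List[str]], List[Entry]]

# Accepted names for the key-space pointer: the schema loaded into the iDS
# calls it pgpBaseKeySpaceDN, the PGP Keyserver itself uses basekeyspacedn.
KEYSPACE_ATTRS = ("pgpbasekeyspacedn", "basekeyspacedn")


def _get_attr(attrs: Dict[str, List[str]], name: str) -> List[str]:
    """LDAP attribute names are case-insensitive; match accordingly."""
    want = name.lower()
    for key, values in attrs.items():
        if key.lower() == want:
            return values
    return []


def find_pgp_server_info(search: Search) -> Optional[Entry]:
    """Return (dn, attrs) of the PGPServerInfo record, or None.

    1. read namingContexts from the root DSE (base "", scope base);
    2. if any, try cn=PGPServerInfo under each context in server order,
       stopping at the first hit (no client-side sorting);
    3. if none, try cn=PGPServerInfo as a base-scope search on its own.
    """
    root = search("", "base", ["namingContexts"])
    contexts = _get_attr(root[0][1], "namingContexts") if root else []
    candidates = [f"cn=PGPServerInfo,{ctx}" for ctx in contexts] or ["cn=PGPServerInfo"]
    for dn in candidates:
        hits = search(dn, "base", ["*"])
        if hits:
            return hits[0]
    return None


def base_key_space_dn(search: Search) -> Optional[str]:
    """DN under which keys live, from whichever attribute name the server uses."""
    found = find_pgp_server_info(search)
    if found is None:
        return None
    _, attrs = found
    for name in KEYSPACE_ATTRS:
        values = _get_attr(attrs, name)
        if values:
            return values[0]
    return None


def make_memory_search(directory: Dict[str, Dict[str, List[str]]]) -> Search:
    """Base-scope-only search over a constructed in-memory directory.

    DNs compare case-insensitively (as in LDAP); a missing base yields an
    empty result, which is how a real adapter should map noSuchObject.
    """
    lowered = {dn.lower(): attrs for dn, attrs in directory.items()}

    def search(base: str, scope: str, attrs: List[str]) -> List[Entry]:
        if scope != "base":
            raise NotImplementedError("demo directory supports base scope only")
        entry = lowered.get(base.lower())
        return [(base, entry)] if entry is not None else []

    return search


# Constructed stand-in for a generic (iPlanet-style) server with the PGP schema
# loaded: root DSE advertises two namingContexts, the record sits under the
# second one and uses the schema's pgpBaseKeySpaceDN attribute name.
GENERIC_SERVER = {
    "": {"namingContexts": ["o=NetscapeRoot", "dc=example,dc=com"]},
    "cn=PGPServerInfo,dc=example,dc=com": {
        "objectClass": ["top", "pgpServerInfo"],
        "pgpBaseKeySpaceDN": ["ou=PGP Keys,dc=example,dc=com"],
    },
}

# Constructed stand-in for the PGP Keyserver: no namingContexts, record found
# only by a base-scope search on cn=PGPServerInfo, attribute names without the
# "pgp" prefix (values copied from the ldapsearch output in the thread).
PGP_KEYSERVER = {
    "": {},
    "cn=PGPServerInfo": {
        "version": ["7.0"],
        "software": ["PGP Keyserver, Enterprise Edition"],
        "basekeyspacedn": ["OU=ACTIVE,O=PGP KEYSPACE,C=US"],
        "basependingdn": ["OU=PENDING,O=PGP KEYSPACE,C=US"],
    },
}

if __name__ == "__main__":
    for label, directory in (("generic", GENERIC_SERVER), ("pgp", PGP_KEYSERVER)):
        print(label, base_key_space_dn(make_memory_search(directory)))
```

To run this against a live server, replace `make_memory_search` with a thin wrapper around the LDAP client of your choice that returns an empty list on noSuchObject rather than raising; everything above that adapter stays the same, which is the point of black-boxing the keyserver's behaviour instead of hard-coding its DN layout.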
More information about the Gnupg-devel mailing list