[PATCH gnupg] dirmngr: Interrogate LDAP server when base DN specified

Joey Berkovitz joeyberkovitz at gmail.com
Tue Jul 5 13:29:59 CEST 2022

Patch attached, related to https://dev.gnupg.org/T6047

Description copied below:
* dirmngr/ks-engine-ldap.c
(interrogate_ldap_dn): refactored out of my_ldap_connect
(my_ldap_connect): interrogate LDAP server when basedn specified

This patch implements the first proposed solution in bug 6047. Using
the old logic, if a base DN is specified in dirmngr, then dirmngr would
force usage of schema version 1 instead of checking if the LDAP server
is capable of version 2. With the new functionality, dirmngr will first
check if the provided base DN has a `cn=PGPServerInfo` as a direct
descendant. If the PGPServerInfo entry is not found immediately, it
then does a search again in the parent DN. The second search is useful
for backwards compatibility since any users that had specified a base
DN likely were pointing directly to the pgp keyspace DN, which is
commonly a sibling of PGPServerInfo.

Note that dirmngr does not seem to update/replace LDAP entries, so if a
user wants to update their keys from schema V1 to V2, they will need to
manually delete the entry before re-sending the keys.
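The lookup order described above (look for cn=PGPServerInfo directly under the configured base DN, then under its parent), as an added Python example that is not part of the patch or of dirmngr: a constructed in-memory directory stands in for the LDAP server, and the function names reuse the ChangeLog's `interrogate_ldap_dn` only for readability.

```python
from typing import Dict, List, Optional, Tuple

# Constructed directory (DN -> attributes), standing in for the one-level
# searches dirmngr would issue against a real LDAP server.  The key space
# "ou=PGP Keys" is a sibling of PGPServerInfo, the layout the message calls common.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "o=example": {"objectClass": ["organization"]},
    "cn=PGPServerInfo,o=example": {"objectClass": ["pgpServerInfo"]},
    "ou=PGP Keys,o=example": {"objectClass": ["organizationalUnit"]},
}


def split_rdns(dn: str) -> List[str]:
    """Split a DN into RDNs at unescaped commas (RFC 4514 backslash escaping)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escape pair intact
            cur.append(dn[i:i + 2]); i += 2; continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip()); cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def normalize(dn: str) -> str:
    # Simplification for the demo: case-fold the whole DN and drop spaces around commas.
    return ",".join(split_rdns(dn)).lower()


def parent_dn(dn: str) -> Optional[str]:
    rdns = split_rdns(dn)
    return ",".join(rdns[1:]) if len(rdns) > 1 else None


def find_server_info_child(base_dn: str, directory: Dict[str, dict]) -> Optional[str]:
    """One-level search: an entry whose RDN is cn=PGPServerInfo and whose parent is base_dn."""
    for dn in directory:
        rdns = split_rdns(dn)
        if len(rdns) >= 2 and rdns[0].lower() == "cn=pgpserverinfo" \
                and normalize(",".join(rdns[1:])) == normalize(base_dn):
            return dn
    return None


def interrogate_ldap_dn(base_dn: str, directory: Dict[str, dict]) -> Tuple[int, Optional[str]]:
    """Return (schema_version, serverinfo_dn): schema 2 if PGPServerInfo is found under
    base_dn or its parent, otherwise fall back to schema 1 as the old logic always did."""
    for candidate in (base_dn, parent_dn(base_dn)):
        found = find_server_info_child(candidate, directory) if candidate else None
        if found:
            return 2, found
    return 1, None
```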
Attachments (scrubbed by the list archive):
- 0001-dirmngr-Interrogate-LDAP-server-when-base-DN-specifi.patch.sig (119 bytes): https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20220705/9f64d4e3/attachment-0002.obj
- 0001-dirmngr-Interrogate-LDAP-server-when-base-DN-specifi.patch (7931 bytes): https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20220705/9f64d4e3/attachment-0003.obj
