Fwd: using gnupg with a secure ldap (ldaps) keyserver

Sanchez the Cactus sanchezthecactus at yahoo.com
Thu Jul 22 22:43:43 CEST 2004


--- David Shaw <dshaw at jabberwocky.com> wrote:
> On Fri, Jul 16, 2004 at 09:58:40AM -0700, Sanchez the Cactus wrote:
> 
> > when I try with GnuPG 1.3.6 linked against OpenLDAP linked against either
> > GNUTLS or OpenSSL, I get the following error:
> > 
> > ./gpg -v --keyserver "ldaps://ldap.company.com/ou=pgp keys,dc=company,dc=com" --search-keys keymaster
> > gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
> > gpg: It is only intended for test purposes and should NOT be
> > gpg: used in a production environment or with production keys!
> > gpg: WARNING: using insecure memory!
> > gpg: please see http://www.gnupg.org/faq.html for more information
> > gpgkeys: unable to make SSL connection: not supported by the NAI LDAP keyserver
> > 
> > gpg: key "keymaster" not found on keyserver
> > gpg: keyserver internal error
> > gpg: keyserver search failed: keyserver error
> > 
> > 
> > 
> > is the "NAI LDAP keyserver" not supported by GnuPG, or is there some
> > other way to make GnuPG access it?
> 
> It's not that GnuPG doesn't support it.  The keyserver itself doesn't
> support ldaps.  GnuPG supports both ldaps and ldap using TLS.  The old
> NAI keyserver supports neither.  If you want to communicate with the
> NAI keyserver, you have to turn off ldaps or TLS.
> 
> I think there is some confusion here.  What exactly are you doing?
> That is, where did you get this server?  What software is it running?
> What do you get if you run:
> 
>   ldapsearch -h ldap.company.com -P2 -x -b "cn=pgpServerInfo" -s base cn=pgpServerInfo
> 
> David

that command gives:
# extended LDIF
#
# LDAPv2
# base <cn=pgpServerInfo> with scope base
# filter: cn=pgpServerInfo
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1


anything else I try returns the same thing, but I don't know much/anything
about LDAP, so I'm not sure what types of things I should be searching for. 
Trying ldapsearch with the -Z option (which, I believe, tries SSL), returns:

ldap_start_tls: Connect error (91)
        additional info: Error in the certificate.
ldap_bind: Local error (82)
        additional info: Error in the certificate.

However, the ldap server is running phpLDAPadmin on an https:// port, so maybe
if I describe the left tree, you can tell me what to try to search for using
ldapsearch.

The top level item is a computer icon with the label: ldap.company.com
( schema | search | refresh | create | info | import | logout ) are all links
immediately below that.

The only child of the computer is a globe icon with the label:
dc=company,dc=com

the globe has the following children:
cn=Manager
cn=pgpprefs
ou=Group
ou=People
ou=PGP Keys

I'll just comment on what appear to be the interesting ones:
cn=pgpprefs has no child nodes.  clicking on it gives the following entry
attributes:
cn: pgpprefs
objectClass: pgpProfile

ou=PGP Keys has the following children:
    cn=PGPServerInfo, which has the following entry attributes:
        cn=PGPServerInfo
        objectClass=pgpserverinfo
        pgpBaseKeySpaceDN=ou=PGP Keys,dc=company,dc=com
        pgpSoftware=OpenLDAP slapd
        pgpVersion=2.1.23.8
    and a number of pgpCertID=XXXXXXXX entries, which contain the pgp keys,
uids, etc. as entry attributes


Any ideas how I can get openldap to see these things?

Thanks,
-Joe
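An added example, not part of this thread and not GnuPG's or OpenLDAP's code: a small Python LDIF parser that tells the "result: 32 No such object" output shown above apart from a successful search, and pulls pgpBaseKeySpaceDN, pgpSoftware and pgpVersion out of a cn=PGPServerInfo entry like the one described in the phpLDAPadmin tree. Both LDIF inputs are constructed here to mirror the thread's output and attribute values; ldap.company.com and the DNs are the thread's own placeholders. Locating the entry by searching the naming context with an objectClass filter, instead of using the bare cn as a base, is an assumption of this example and not something the thread confirms.

```python
"""Parse ldapsearch LDIF output and locate a PGP keyserver's pgpServerInfo entry."""

import base64
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: ldapsearch output when the base DN does not exist,
# mirroring the "result: 32 No such object" shown in the thread.
NO_SUCH_OBJECT_LDIF = """\
# extended LDIF
# LDAPv2
# base <cn=pgpServerInfo> with scope base
# filter: cn=pgpServerInfo

# search result
search: 2
result: 32 No such object

# numResponses: 1
"""

# Constructed sample: a subtree search under dc=company,dc=com that returns the
# cn=PGPServerInfo entry with the attributes listed in the thread (assumed layout).
SERVER_INFO_LDIF = """\
# extended LDIF
# LDAPv3
# base <dc=company,dc=com> with scope subtree
# filter: (objectClass=pgpServerInfo)

# PGPServerInfo, PGP Keys, company.com
dn: cn=PGPServerInfo,ou=PGP Keys,dc=company,dc=com
cn: PGPServerInfo
objectClass: pgpServerInfo
pgpBaseKeySpaceDN: ou=PGP Keys,dc=company,dc=com
pgpSoftware: OpenLDAP slapd
pgpVersion: 2.1.23.8

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""


@dataclass
class LdifResult:
    result_code: Optional[int] = None      # LDAP result code from the trailer, e.g. 32
    result_text: str = ""                  # human-readable text after the code
    entries: list = field(default_factory=list)  # each entry: dict[str, list[str]]


def parse_ldif(text):
    """Parse ldapsearch LDIF into entries plus the trailing result code."""
    res = LdifResult()
    # Unfold LDIF continuation lines (a leading single space continues the previous line).
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    current = None
    for line in lines:
        if line.startswith("#"):
            continue                      # ldapsearch comments
        if not line.strip():
            if current:                   # blank line closes an entry
                res.entries.append(current)
            current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()       # LDAP attribute names are case-insensitive
        value = value.strip()
        if value.startswith(":"):         # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        if name == "dn":
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(name, []).append(value)
        elif name == "result":            # trailer line outside any entry
            code, _, msg = value.partition(" ")
            res.result_code = int(code)
            res.result_text = msg
    if current:
        res.entries.append(current)
    return res


def find_server_info(result):
    """Return the first entry carrying objectClass pgpServerInfo, or None."""
    for entry in result.entries:
        if any(v.lower() == "pgpserverinfo" for v in entry.get("objectclass", [])):
            return entry
    return None


def keyserver_url(host, info, secure=False):
    """Build a GnuPG-style ldap:// or ldaps:// keyserver URL from pgpBaseKeySpaceDN."""
    base_dn = info["pgpbasekeyspacedn"][0]
    return f"{'ldaps' if secure else 'ldap'}://{host}/{base_dn}"


if __name__ == "__main__":
    for sample in (NO_SUCH_OBJECT_LDIF, SERVER_INFO_LDIF):
        parsed = parse_ldif(sample)
        info = find_server_info(parsed)
        print(parsed.result_code, parsed.result_text,
              keyserver_url("ldap.company.com", info) if info else "(no pgpServerInfo entry)")
```

The parser keeps the trailer's result code separate from the entries, so a caller can distinguish "the base DN is wrong" (code 32, no entries) from "the entry exists but has no pgpBaseKeySpaceDN", and the attribute keys are lowercased because the thread itself shows the same class spelled both pgpserverinfo and pgpServerInfo.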

