Fwd: using gnupg with a secure ldap (ldaps) keyserver

Sanchez the Cactus sanchezthecactus at yahoo.com
Thu Jul 22 22:43:43 CEST 2004

--- David Shaw <dshaw at jabberwocky.com> wrote:
> On Fri, Jul 16, 2004 at 09:58:40AM -0700, Sanchez the Cactus wrote:
> > when I try with GnuPG 1.3.6 linked against OpenLDAP linked against either
> > GNUTLS or OpenSSL, i get the following error:
> > 
> > ./gpg -v --keyserver "ldaps://ldap.company.com/ou=pgp
> keys,dc=company,dc=com"
> > --search-keys keymaster
> > gpg: It is only intended for test purposes and should NOT be
> > gpg: used in a production environment or with production keys!
> > gpg: WARNING: using insecure memory!
> > gpg: please see http://www.gnupg.org/faq.html for more information
> > gpgkeys: unable to make SSL connection: not supported by the NAI LDAP
> keyserver
> > 
> > gpg: key "keymaster" not found on keyserver
> > gpg: keyserver internal error
> > gpg: keyserver search failed: keyserver error
> > 
> > 
> > 
> > is the "NAI LDAP keyserver" not supported by GnuPG, or is there some
> > other way to make GnuPG access it?
> It's not that GnuPG doesn't support it.  The keyserver itself doesn't
> support ldaps.  GnuPG supports both ldaps and ldap using TLS.  The old
> NAI keyserver supports neither.  If you want to communicate with the
> NAI keyserver, you have to turn off ldaps or TLS.
> I think there is some confusion here.  What exactly are you doing?
> That is, where did you get this server?  What software is it running?
> What do you get if you run:
>   ldapsearch -h ldap.company.com -P2 -x -b "cn=pgpServerInfo" -s base
> cn=pgpServerInfo
> David

that command gives:
# extended LDIF
# LDAPv2
# base <cn=pgpServerInfo> with scope base
# filter: cn=pgpServerInfo
# requesting: ALL

# search result
search: 2
result: 32 No such object

# numResponses: 1

anything else I try returns the same thing, but I don't know much/anything
about LDAP, so I'm not sure what types of things I should be searching for. 
Trying ldapsearch with the -Z option (which, I believe, tries SSL), returns:

ldap_start_tls: Connect error (91)
        additional info: Error in the certificate.
ldap_bind: Local error (82)
        additional info: Error in the certificate.

However, the ldap server is running phpLDAPadmin on an https:// port, so maybe
if i describe the left tree, you can tell me what to try to search for using

The top level item is a computer icon with the label: ldap.company.com
( schema | search | refresh | create | info | import | logout ) are all links
immediately below that.

The only child of the computer is a globe icon with the label:

the globe has the following children:
ou=PGP Keys

I'll just comment on what appear to be the interesting ones:
cn=pgpprefs has no child nodes.  clicking on it gives the following entry
cn: pgpprefs
objectClass: pgpProfile

ou=PGP Keys has the following children:
    cn=PGPServerInfo, which has the following entry attributes:
        pgpBaseKeySpaceDN=ou=PGP Keys,dc=company,dc=com
        pgpSoftware=OpenLDAP slapd
    and a number of pgpCertID=XXXXXXXX entries, which contain the pgp keys,
uids, etc as entry attribute

Any ideas how I can get openldap to see these things?


Do you Yahoo!?
Vote for the stars of Yahoo!'s next ad campaign!

More information about the Gnupg-users mailing list