Question concerning OpenLDAP PGP Keyserver setup guide (wiki.gnupg.org)

Stephan Beck stebe at mailbox.org
Fri Mar 13 00:00:16 CET 2015


Hi,

reproducing the OpenLDAP PGP keyserver setup guide on http://wiki.gnupg.org,
published by Neal, I get the following error message:

ldapmodify: wrong attributeType at line 5, entry "olcDatabase={1}hdb,cn=config"

I am reproducing the guide on Debian stable (main sources only), which uses the
"hdb" (not "mdb") database format and OpenLDAP3, the server package being slapd.

To see the error message in its context:


$ sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config"  | grep olcDatabase:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcDatabase: {-1}frontend
olcDatabase: {0}config
olcDatabase: {1}hdb


$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/keyserver-acls.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapmodify: wrong attributeType at line 5, entry "olcDatabase={1}hdb,cn=config"


The contents of keyserver-acls.ldif are as follows:


# userPassword may be written only by users themselves
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
# Allow access via localhost to add or modify keys.
# Allow authenticated PGP Users to update keys.
# Allow anyone else to read the keys.
olcAccess: {2} to dn.subtree="ou=PGP Keys,dc=FOO,dc=EXAMPLE,dc=ORG"
  by peername.ip=127.0.0.1 write
  by peername.ip=:: write
  by dn.regex="^uid=([^,]+),ou=PGP Users,dc=FOO,dc=EXAMPLE,dc=ORG" write
  by * read

# Allow any connection to localhost to update the PGP keys
# (including removing them!)  This is only needed if the anonymous
# updates from localhost are desired.
dn: cn=config
changetype: modify
add: olcAllows
olcAllows: update_anon
--------------------------------------------------------------------------

It seems that the error message indicates that line 5

by peername.ip=127.0.0.1 write

has a wrong attribute type.

I checked the LDAP for Rocket Scientists guide on zytrax.com (1) and (2) for
hours, and also some documentation about the peername.ip attribute, but I cannot
figure out what's wrong.
I found that there are 2 ways of using the peername.[ip] attribute.

If you use it with IPv4 you do not have to write peername.ipv4, but just
peername.ip, the value (127.0.0.1) being what defines the format (IPv4).
With IPv6 you would have to specify it, i.e. peername.ipv6=[ipv6]

The other way is using "peername.[type]" but that's not the case here.


Is there anyone who can lend me a hand?

TIA

Stephan

Note: On slapd debconf install I used FOO.EXAMPLE.ORG, so whenever the wiki
guide uses dc=EXAMPLE,dc=ORG I use dc=FOO,dc=EXAMPLE,dc=ORG

(1) http://www.zytrax.com/books/ldap/ch6
(2) http://www.zytrax.com/books/ldap/ch3
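Added below is a small checker, not part of the original post, that folds LDIF continuation lines per RFC 2849 and applies the rule ldapmodify enforces in a "changetype: modify" record: every value line after add:/replace:/delete: must name that same attribute until a "-" separator. It reports the physical file line of each offending logical line, which is useful when the reported line number does not obviously match the file. It is run on the record from the post and on two constructed variants (a continuation line that lost its leading space, and a second attribute appended without the "-" separator); these are illustrations of the check, not a diagnosis of the error in the post.

```python
# Constructed sample: the modify record from the post, as written.
LDIF_OK = """\
# userPassword may be written only by users themselves
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
# Allow access via localhost to add or modify keys.
olcAccess: {2} to dn.subtree="ou=PGP Keys,dc=FOO,dc=EXAMPLE,dc=ORG"
  by peername.ip=127.0.0.1 write
  by * read
"""
# Constructed defects: a continuation line that lost its leading space
# (typical after copy-paste), and a second attribute appended without
# the "-" separator that LDIF requires between modify operations.
LDIF_NO_SPACE = LDIF_OK.replace("\n  by peername", "\nby peername")
LDIF_NO_DASH = LDIF_OK + "olcAllows: update_anon\n"

MODOPS = {"add", "replace", "delete"}

def fold(ldif_text):
    """Fold RFC 2849 continuation lines (leading space) into logical lines.
    Returns [(line_no_of_first_physical_line, text)]; comments are dropped
    and a blank line yields (line_no, None) to mark a record boundary."""
    out, prev_comment = [], False
    for no, raw in enumerate(ldif_text.splitlines(), start=1):
        if raw.startswith(" "):
            if not prev_comment and out and out[-1][1] is not None:
                out[-1] = (out[-1][0], out[-1][1] + raw[1:])
            continue                      # continuation of a comment is dropped
        prev_comment = raw.startswith("#")
        if prev_comment:
            continue
        out.append((no, None if raw.strip() == "" else raw))
    return out

def check_modify_record(ldif_text):
    """Return [(line_no, message)] for lines ldapmodify would reject in a
    changetype: modify record: a line with no ':' at all, or a value line
    whose attribute differs from the pending add/replace/delete attribute."""
    problems, expect = [], None
    for no, line in fold(ldif_text):
        if line is None or line == "-":   # record end or modop separator
            expect = None
            continue
        if ":" not in line:
            problems.append((no, "missing ':' (lost continuation space?)"))
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr.lower() in MODOPS:
            expect = value
        elif expect and attr.lower() != expect.lower():
            problems.append((no, f"wrong attributeType {attr}, expected {expect}"))
    return problems
```

Line numbers reported are those of the file as written, comments included, so they can be compared directly against an editor's line display.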




