Question concerning OpenLDAP PGP Keyserver setup guide (wiki.gnupg.org)

Stephan Beck stebe at mailbox.org
Fri Mar 13 23:56:55 CET 2015 

Obviously, this ** has to be OpenLDAP(slapd)2.4.31 not 3, sorry! Still stuck in
there, though.

Am 13.03.2015 um 00:00 schrieb Stephan Beck:
> Hi,
> 
> reproducing the OpenLDAP PGP keyserver setup guide on http://wiki.gnupg.org,
> published by Neal, I get the following error message:
> 
> ldapmodify: wrong attributeType at line 5, entry "olcDatabase={1}hdb,cn=config"
> 
> I am reproducing the guide on debian stable (main sources only), which uses
> "hdb" (not "mdb") database format, *OpenLDAP3*, being the server package slapd.
> 
> To see the error message in its context:
> 
> 
> $ sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config"  | grep olcDatabase:
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> olcDatabase: {-1}frontend
> olcDatabase: {0}config
> olcDatabase: {1}hdb
> 
> 
> $ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/keyserver-acls.ldif
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> ldapmodify: wrong attributeType at line 5, entry "olcDatabase={1}hdb,cn=config"
> 
> 
> contents of keyserver-acls.ldif are as follows:
> 
> 
> # userPassword may be written only by users themselves
> dn: olcDatabase={1}hdb,cn=config
> changetype: modify
> add: olcAccess
> # Allow access via localhost to add or modify keys.
> # Allow authenticated PGP Users to update keys.
> # Allow anyone else to read the keys.
> olcAccess: {2} to dn.subtree="ou=PGP Keys,dc=FOO,dc=EXAMPLE,dc=ORG"
>   by peername.ip=127.0.0.1 write
>   by peername.ip=:: write
>   by dn.regex="^uid=([^,]+),ou=PGP Users,dc=FOO,dc=EXAMPLE,dc=ORG" write
>   by * read
> 
> # Allow any connection to localhost to update the PGP keys
> # (including removing them!)  This is only needed if the anonymous
> # updates from localhost are desired.
> dn: cn=config
> add: olcAllows
> olcAllows: update_anon
> --------------------------------------------------------------------------
> 
> It seems that the error message indicates that line 5
> 
> by peername.ip=127.0.0.1 write
> 
> has a a wrong attribute type.
> 
> I checked the LDAP for Rocket scientists guide on zytrax.com (1) and (3) for
> hours, and also some documentation about the peername.ip attribute, but I cannot
> figure out what's wrong.
> I found that there are 2 ways of using the peername.[ip] attribute.
> 
> If you use it with ipv4 you do not have to put peername.ipv4, but just
> peername.ip, being the value (127.0.0.1) that which defines the format (ipv4).
> With ipv6 you would have to specify it, i.e. peername.ipv6=[ipv6]
> 
> The other way is using "peername.[type]" but that's not the case here.
> 
> 
> Is there anyone who can lend me a hand?
> 
> TIA
> 
> Stephan
> 
> Note: On slapd debconf install I used FOO.EXAMPLE.ORG, so whenever the wiki
> guide uses dc=EXAMPLE,dc=ORG I use dc=FOO,dc=EXAMPLE,dc=ORG
> 
> (1) http://www.zytrax.com/books/ldap/ch6
> (2) http://www.zytrax.com/books/ldap/ch3
> 
> 
> 
> 
> 
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> 




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20150313/7c82e2d7/attachment.sig>

More information about the Gnupg-users mailing list