Help setting gpgsm to do LDAP lookup

John Scott jscott at posteo.net
Sun May 17 05:24:23 CEST 2020


Hi,

I'm stumped getting gpgsm to lookup S/MIME certificates in my organization. 
I've got a temporary working solution with ldapsearch after logging into my 
VPN with NetworkManager+OpenConnect:
    ldapsearch -Wt -b OU=Accounts,DC=ads,DC=foo,DC=com \
        -D CN=jscott,OU=Accounts,DC=ads,DC=foo,DC=com \
        '(mailNickname=[recipient])' userSMIMECertificate

This saves the signed message to a temporary file which I do gpgsm --verify on, 
although the certs themselves are also stored in the userCertificate record 
IIRC. ldapsearch also works if I use only LDAPv2.

My dirmngr_ldapservers.conf reads
ads.foo.com:636:ads\jscott:PassPhrase:ou=Accounts,dc=ads,dc=foo,dc=com
and to be extra safe I've put an explicit no-use-tor and ldapserverlist-file 
dirmngr_ldapservers.conf in my dirmngr.conf. Reloading dirmngr and gpgsm after 
getting on the VPN doesn't help.

Looking up recipients with both dirmngr-client and
    gpgsm --verbose --list-external-keys [recipient]
are fruitless whether I drop the ads\ from my username or not. I've bumped the 
ldaptimeout to 25. Still both commands finish instantaneously—not unlike 
ldapsearch however.

$ gpgsm --debug-level expert -vvvvv --list-external-keys anything
gpgsm: enabled debug flags: x509 crypto cache ipc
gpgsm: DBG: chan_3 <- # Home: /home/john/.gnupg
gpgsm: DBG: chan_3 <- # Config: /home/john/.gnupg/dirmngr.conf
gpgsm: DBG: chan_3 <- OK Dirmngr 2.2.20 at your service
gpgsm: DBG: connection to the dirmngr established
gpgsm: DBG: chan_3 -> GETINFO version
gpgsm: DBG: chan_3 <- D 2.2.20
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> OPTION audit-events=1
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> LOOKUP anything
gpgsm: DBG: chan_3 <- OK
secmem usage: 0/16384 bytes in 0 blocks

I'm using 2.2.20 on Debian Bullseye. Other options set are add-servers in 
dirmngr.conf and auto-issuer-key-retrieve in gpgsm.conf.

$ systemctl --user status dirmngr
● dirmngr.service - GnuPG network certificate management daemon
     Loaded: loaded (/usr/lib/systemd/user/dirmngr.service; static; vendor preset: enabled)
     Active: active (running) since Sat 2020-05-16 22:52:38 EDT; 23min ago
TriggeredBy: ● dirmngr.socket
       Docs: man:dirmngr(8)
   Main PID: 26309 (dirmngr)
     CGroup: /user.slice/user-1000.slice/user@1000.service/dirmngr.service
             └─26309 /usr/bin/dirmngr --supervised

I also use GnuPG's SSH agent emulation and have in my .bashrc
    export GPG_TTY=$(tty)
    export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
    gpg-connect-agent updatestartuptty /bye >/dev/null
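The temporary workaround in the post (ldapsearch, then feeding the saved attribute value to gpgsm) can be scripted while the dirmngr lookup is being sorted out. The helper below is an added example, not code from the post or from GnuPG: it parses the LDIF that ldapsearch prints, handling the three value forms LDIF uses (plain `:`, base64 `::`, and the `:< file://` references that `ldapsearch -t` emits for binary values written to temp files) plus folded continuation lines, and writes each userSMIMECertificate/userCertificate blob to its own file. The sample LDIF, the blob contents, the file name `extract_certs.py` and the `file:///tmp/...` path are all constructed for the example. The userSMIMECertificate output is what the post runs `gpgsm --verify` on; the userCertificate values, if the directory stores them as the post suspects, are DER certificates that `gpgsm --import` accepts.

```python
#!/usr/bin/env python3
"""Extract certificate blobs from LDIF (e.g. `ldapsearch` output) for gpgsm.
Added example; not part of the original post or of GnuPG."""
import base64
import re
import sys
from pathlib import Path
from typing import Callable, Dict, List, Optional

# Attribute names (compared case-insensitively) that carry certificate material
# in the directory the post describes.
CERT_ATTRS = ("usersmimecertificate", "usercertificate")

# attr[;option]* followed by ':' (plain), '::' (base64) or ':<' (URL reference,
# which is what `ldapsearch -t` emits for binary values written to temp files).
LDIF_LINE = re.compile(r"^([A-Za-z][\w.-]*)((?:;[\w-]+)*)(::|:<|:)\s*(.*)$")


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def decode_value(kind: str, value: str, load: Callable[[str], bytes]) -> bytes:
    """Turn the value part of an LDIF line into raw bytes according to its separator."""
    if kind == "::":
        return base64.b64decode(value)
    if kind == ":<":
        return load(value)
    return value.encode("utf-8")


def parse_ldif_entries(text: str, file_loader: Optional[Callable[[str], bytes]] = None) -> List[dict]:
    """Return one dict per entry: {"dn": str, "certs": {attr_name: [blob, ...]}}.
    file_loader resolves ':<' URL references; the default reads file:// paths from disk."""
    def default_loader(url: str) -> bytes:
        if not url.startswith("file://"):
            raise ValueError(f"unsupported LDIF URL reference: {url}")
        return Path(url[len("file://"):]).read_bytes()

    load = file_loader or default_loader
    entries: List[dict] = []
    current: Optional[dict] = None
    for line in unfold_ldif(text):
        if not line:                      # a blank line ends the current entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):          # LDIF comment (ldapsearch prints several)
            continue
        m = LDIF_LINE.match(line)
        if not m:
            continue
        attr, _options, kind, value = m.groups()   # options such as ';binary' are dropped
        name = attr.lower()
        if name != "dn" and (current is None or name not in CERT_ATTRS):
            continue                      # version:/search:/result: and unrelated attrs
        raw = decode_value(kind, value, load)
        if name == "dn":
            current = {"dn": raw.decode("utf-8", "replace"), "certs": {}}
        else:
            current["certs"].setdefault(attr, []).append(raw)
    if current is not None:
        entries.append(current)
    return entries


def write_blobs(entries: List[dict], outdir: Path) -> List[Path]:
    """Write every blob to outdir as <entry>-<attr>-<n>.bin and return the paths."""
    outdir.mkdir(parents=True, exist_ok=True)
    written: List[Path] = []
    for i, entry in enumerate(entries):
        for attr, blobs in entry["certs"].items():
            for n, blob in enumerate(blobs):
                path = outdir / f"{i}-{attr}-{n}.bin"   # attr is regex-restricted, safe in a name
                path.write_bytes(blob)
                written.append(path)
    return written


# --- constructed sample input (not real directory data) ----------------------
SMIME_BLOB = b"CONSTRUCTED-NOT-A-REAL-PKCS7-BLOB"
SMIME_B64 = base64.b64encode(SMIME_BLOB).decode()
CONSTRUCTED_FILES: Dict[str, bytes] = {
    "file:///tmp/ldapsearch-userCertificate-constructed": b"CONSTRUCTED-NOT-A-REAL-DER-CERT",
}
SAMPLE_LDIF = (
    "# constructed sample shaped like `ldapsearch -t` output\n"
    "dn: CN=jscott,OU=Accounts,DC=ads,DC=foo,DC=com\n"
    "mailNickname: jscott\n"
    f"userSMIMECertificate:: {SMIME_B64[:16]}\n {SMIME_B64[16:]}\n"   # folded base64 value
    "userCertificate;binary:< file:///tmp/ldapsearch-userCertificate-constructed\n"
    "\n"
    "# search result\n"
    "search: 2\n"
    "result: 0 Success\n"
)


def demo() -> List[dict]:
    """Parse the constructed sample, resolving its file reference from CONSTRUCTED_FILES."""
    return parse_ldif_entries(SAMPLE_LDIF, file_loader=lambda url: CONSTRUCTED_FILES[url])


if __name__ == "__main__":
    # usage: ldapsearch ... | python3 extract_certs.py OUTDIR
    out = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("certs-out")
    for p in write_blobs(parse_ldif_entries(sys.stdin.read()), out):
        print(p)
```

Piping the post's ldapsearch command into the script yields one file per attribute value; the userSMIMECertificate files are the ones to hand to `gpgsm --verify` as the post already does, and the files written from userCertificate can be tried with `gpgsm --import`. Base64 values are decoded after unfolding, since ldapsearch wraps long values across continuation lines, and URL references are only resolved for the certificate attributes so an unrelated `:<` reference (a photo, say) never triggers a file read.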