author | Werner Koch <[email protected]> | 2025-08-04 16:10:05 +0000 |
---|---|---|
committer | Werner Koch <[email protected]> | 2025-08-04 16:11:39 +0000 |
commit | 4061b34ef31e467870c01c9263b07fe5a76b9a45 (patch) | |
tree | e953beb33656cbead2386a756d0f622a3df99f0b | |
parent | gpg: Do not compress 7z files by default. (diff) | |
dirmngr: Allow the use of an ntds like schema on OpenLDAP et al.
* dirmngr/ks-engine-ldap.c (SERVERINFO_CNFPR): New. Replace all
SERVERINFO_NTDS with this one.
(interrogate_ldap_dn): Parse "cnfpr" flag and set SERVERINFO_CNFPR.
Set this flag also for "ntds".
* doc/ldap/gnupg-ldap-init.ldif (pgpVersion): Suggest the use of the
"cnfpr" flag.
--
Note that SERVERINFO_NTDS is currently not anymore used directly but
we keep it in case we need to do other NTDS specific things in the
future.
The advantage of using a fingerprint for referencing a key is that
there won't be any collisions in the keyid. Further this unifies the
schema with an LDS (Windows) installation where DNs must anyway be
unique. But take care: the client needs to support this new flag.
GnuPG-bug-id: 7742
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | dirmngr/ks-engine-ldap.c | 14 | ||||
-rw-r--r-- | doc/ldap/gnupg-ldap-init.ldif | 8 |
3 files changed, 18 insertions, 7 deletions
@@ -1,6 +1,9 @@
 Noteworthy changes in version 2.5.12 (unreleased)
 -------------------------------------------------
+ * dirmgr: Support LDAP servers using a schema like the Windows LDS
+ servers. [T7742]
+ * gpgtar: Fix regression in end-of-archive detection. [T7757]
 Release-info: https://dev.gnupg.org/T7756
diff --git a/dirmngr/ks-engine-ldap.c b/dirmngr/ks-engine-ldap.c
index 9bb604707..789f9706b 100644
--- a/dirmngr/ks-engine-ldap.c
+++ b/dirmngr/ks-engine-ldap.c
@@ -54,6 +54,7 @@
 #define SERVERINFO_SCHEMAV2 4 /* Version 2 of the Schema. */
 #define SERVERINFO_NTDS 8 /* Server is an Active Directory. */
 #define SERVERINFO_GENERIC 16 /* Connected in generic mode. */
+#define SERVERINFO_CNFPR 32 /* Server uses CN=fingerprint. */
 /* The page size requested from the server. */
@@ -648,7 +649,10 @@ interrogate_ldap_dn (LDAP *ldap_conn, const char *basedn_search,
 *r_serverinfo |= SERVERINFO_SCHEMAV2;
 if (nfields > 1 && !ascii_strcasecmp (fields[1], "ntds"))
- *r_serverinfo |= SERVERINFO_NTDS;
+ *r_serverinfo |= (SERVERINFO_NTDS|SERVERINFO_CNFPR);
+ else if (nfields > 1
+ && !ascii_strcasecmp (fields[1], "cnfpr"))
+ *r_serverinfo |= SERVERINFO_CNFPR;
 }
 }
 my_ldap_value_free (vals);
@@ -2978,7 +2982,7 @@ ks_ldap_put (ctrl_t ctrl, parsed_uri_t uri,
 char **attrval;
 char *dn;
- if ((serverinfo & SERVERINFO_NTDS))
+ if ((serverinfo & SERVERINFO_CNFPR))
 {
 /* The modern way using a CN RDN with the fingerprint. This
 * has the advantage that we won't have duplicate 64 bit
@@ -3101,12 +3105,12 @@ ks_ldap_del (ctrl_t ctrl, parsed_uri_t uri, strlist_t fprlist)
 if (opt.verbose)
 log_info ("%s: Using DN: %s,%s\n", __func__,
- (serverinfo & SERVERINFO_NTDS)? "CN=<fingerprint>"
- /* */ : "pgpCertID=<keyid>",
+ (serverinfo & SERVERINFO_CNFPR)? "CN=<fingerprint>"
+ /* */ : "pgpCertID=<keyid>",
 basedn);
 for (fpr = fprlist; fpr; fpr = fpr->next)
 {
- if ((serverinfo & SERVERINFO_NTDS))
+ if ((serverinfo & SERVERINFO_CNFPR))
 {
 xfree (dn);
 dn = xtryasprintf ("CN=%s,%s", fpr->d, basedn);
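Review bot: The comment on the new SERVERINFO_CNFPR define does not say that it is also set implicitly for "ntds" servers, and the SERVERINFO_NTDS comment on the line above no longer reflects that the put/del paths in this commit test CNFPR rather than NTDS, so a reader of the defines alone cannot tell that NTDS is now retained only for possible future AD-specific handling, as the commit message explains. Suggest `#define SERVERINFO_CNFPR 32 /* Server uses CN=<fingerprint> RDNs; also implied by "ntds". */` and a short note on SERVERINFO_NTDS that it is currently not tested directly.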
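Review bot: The "cnfpr" keyword is only recognised in fields[1], so a pgpVersion value such as "2 openldap cnfpr" would leave SERVERINFO_CNFPR unset, while the ldif comment in this commit tells OpenLDAP administrators to use the flag; the intended usage appears to be that "cnfpr" replaces the server-type token rather than being added after it, and that is worth stating in the code. Suggest a comment above the `if`: `/* fields[1] is the single server-type token; "cnfpr" replaces "openldap" rather than extending it. */`, or alternatively scanning the remaining fields for the keyword. The `nfields > 1` check is repeated in the `else if`; wrapping both comparisons in one `if (nfields > 1)` guard would avoid that. interrogate_ldap_dn begins and ends outside this hunk, and how `fields` is tokenised is not visible here.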
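Review bot: Switching ks_ldap_del to SERVERINFO_CNFPR makes the `CN=%s,%s` RDN built from `fpr->d` in the last visible line reachable on any server type that advertises the flag, and that format relies on the fingerprint string being plain hex; if the caller does not already guarantee this (not visible in this hunk), a DN-special character such as a comma in the string would alter which entry the delete addresses. Suggest either a comment recording that guarantee, e.g. `/* fpr->d is a hex fingerprint (validated by the caller), so no DN escaping is needed. */`, or an explicit hex check before the `xtryasprintf`. ks_ldap_del continues beyond the hunk, and the same condition change in ks_ldap_put at the -2978 hunk presumably builds its DN the same way outside the visible lines.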
diff --git a/doc/ldap/gnupg-ldap-init.ldif b/doc/ldap/gnupg-ldap-init.ldif
index 8f62c5c61..fa302e750 100644
--- a/doc/ldap/gnupg-ldap-init.ldif
+++ b/doc/ldap/gnupg-ldap-init.ldif
@@ -19,12 +19,16 @@ pgpSoftware: GnuPG
 # 1 = Classic PGP schema (default)
 # 2 = The attributes gpgFingerprint, gpgSubFingerprint,
 # gpgSubCertID, and gpgMailbox are part of the schema.
-# Item 2 - A string with the used LDAP server
+# Item 2 - A string with the LDAP server type
 # "-" = Unknown (default)
 # "ntds" = Windows Directory Service (AD DS)
 # "openldap" = OpenLDAP
+# "cnfpr" = As with "ntds" the DN has CN=fingerprint
+# instead of the legacy pgpCertID=keyid.
+# Use this for openldap if your client software
+# is new enough (gnupg >= (2.2.28 or 2.5.12).
 #
-pgpVersion: 2
+pgpVersion: 2 cnfpr
 dn: ou=GnuPG Keys,dc=example,dc=com
 objectClass: organizationalUnit