authorWerner Koch <[email protected]>2025-08-04 16:10:05 +0000
committerWerner Koch <[email protected]>2025-08-04 16:15:05 +0000
commitcef53c875683aee0301db2b9e81e51bd6e2f2908 (patch)
tree53144aa1f05a93b420e81a48760c7a9c69e44358
parentdirmngr: Implement command KS_DEL for ldap servers. (diff)
dirmngr: Allow the use of an ntds like schema on OpenLDAP et al.STABLE-BRANCH-2-2
* dirmngr/ks-engine-ldap.c (SERVERINFO_CNFPR): New. Replace all SERVERINFO_NTDS with this one. (interrogate_ldap_dn): Parse "cnfpr" flag and set SERVERINFO_CNFPR. Set this flag also for "ntds". * doc/ldap/gnupg-ldap-init.ldif (pgpVersion): Suggest the use of the "cnfpr" flag. -- Note that SERVERINFO_NTDS is currently no longer used directly, but we keep it in case we need to do other NTDS-specific things in the future. The advantage of using a fingerprint for referencing a key is that there won't be any collisions in the keyid. Further, this unifies the schema with an LDS (Windows) installation, where DNs must be unique anyway. But take care: the client needs to support this new flag. GnuPG-bug-id: 7742 Backported-from-master: 4061b34ef31e467870c01c9263b07fe5a76b9a45
-rw-r--r--dirmngr/ks-engine-ldap.c16
1 files changed, 10 insertions, 6 deletions
diff --git a/dirmngr/ks-engine-ldap.c b/dirmngr/ks-engine-ldap.c
index e1b0b6caa..a9e21b0f9 100644
--- a/dirmngr/ks-engine-ldap.c
+++ b/dirmngr/ks-engine-ldap.c
@@ -54,7 +54,8 @@
#define SERVERINFO_PGPKEYV2 2 /* Needs "pgpKeyV2" instead of "pgpKey"*/
#define SERVERINFO_SCHEMAV2 4 /* Version 2 of the Schema. */
#define SERVERINFO_NTDS 8 /* Server is an Active Directory. */
-#define SERVERINFO_GENERIC 16 /* Connected in genric mode. */
+#define SERVERINFO_GENERIC 16 /* Connected in generic mode. */
+#define SERVERINFO_CNFPR 32 /* Server uses CN=fingerprint. */
/* The page size requested from the server. */
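Review bot: The comment on the new SERVERINFO_CNFPR define says what the flag means but not where it comes from, and the SERVERINFO_NTDS comment just above no longer tells the reader that NTDS now implies CNFPR, which every later hunk of this commit relies on. I would extend both comments: `#define SERVERINFO_NTDS 8 /* Server is an Active Directory; implies SERVERINFO_CNFPR. */` and `#define SERVERINFO_CNFPR 32 /* Server uses CN=<fingerprint> DNs; set by interrogate_ldap_dn for the "cnfpr" or "ntds" flag. */`. The commit description notes that NTDS is kept only for possible future AD-specific handling; saying so at the define keeps that intent from getting lost.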
@@ -589,7 +590,10 @@ interrogate_ldap_dn (LDAP *ldap_conn, const char *basedn_search,
*r_serverinfo |= SERVERINFO_SCHEMAV2;
if (nfields > 1
&& !ascii_strcasecmp (fields[1], "ntds"))
- *r_serverinfo |= SERVERINFO_NTDS;
+ *r_serverinfo |= (SERVERINFO_NTDS|SERVERINFO_CNFPR);
+ else if (nfields > 1
+ && !ascii_strcasecmp (fields[1], "cnfpr"))
+ *r_serverinfo |= SERVERINFO_CNFPR;
}
}
my_ldap_value_free (vals);
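Review bot: The new `else if` branch is the only place where "cnfpr" is recognised, yet nothing next to it explains why the "ntds" branch now ORs in SERVERINFO_CNFPR as well; a later reader may take the combined mask for a copy-and-paste slip and "fix" it back. I would add above the `if (nfields > 1 ...)` check: `/* "ntds" implies CN=<fingerprint> DNs; "cnfpr" requests the same layout on a server that is not an Active Directory. Only one flag word is recognised here. */`. Note that whichever word the server advertises decides the DN layout this client will use for put and del, so the comment should also make clear that the value comes from the server's attribute, not from local configuration. The body of interrogate_ldap_dn starts before this hunk.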
@@ -2918,7 +2922,7 @@ ks_ldap_put (ctrl_t ctrl, parsed_uri_t uri,
char **attrval;
char *dn;
- if ((serverinfo & SERVERINFO_NTDS))
+ if ((serverinfo & SERVERINFO_CNFPR))
{
/* The modern way using a CN RDN with the fingerprint. This
* has the advantage that we won't have duplicate 64 bit
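Review bot: Choosing the DN layout by SERVERINFO_CNFPR means this client writes CN=<fingerprint> entries to a server that advertises "cnfpr", while clients without this change keep writing pgpCertID=<keyid> entries to the same server (the description itself says the client must support the flag); the comment inside the branch does not warn about that, and the identical check in ks_ldap_del (L60) will then only remove the CN= entry. I would add to the comment: `* Note: clients without cnfpr support still use pgpCertID=<keyid> DNs, so on a mixed deployment a key may exist under both DN forms.`. Whether an existing pgpCertID entry is looked up or removed before the CN= entry is written cannot be seen from this hunk; ks_ldap_put continues outside it.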
@@ -3041,12 +3045,12 @@ ks_ldap_del (ctrl_t ctrl, parsed_uri_t uri, strlist_t fprlist)
if (opt.verbose)
log_info ("%s: Using DN: %s,%s\n", __func__,
- (serverinfo & SERVERINFO_NTDS)? "CN=<fingerprint>"
- /* */ : "pgpCertID=<keyid>",
+ (serverinfo & SERVERINFO_CNFPR)? "CN=<fingerprint>"
+ /* */ : "pgpCertID=<keyid>",
basedn);
for (fpr = fprlist; fpr; fpr = fpr->next)
{
- if ((serverinfo & SERVERINFO_NTDS))
+ if ((serverinfo & SERVERINFO_CNFPR))
{
xfree (dn);
dn = xtryasprintf ("CN=%s,%s", fpr->d, basedn);