-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | dirmngr/ks-engine-ldap.c | 14 | ||||
-rw-r--r-- | doc/ldap/gnupg-ldap-init.ldif | 8 |
3 files changed, 18 insertions, 7 deletions
@@ -1,6 +1,9 @@ Noteworthy changes in version 2.5.12 (unreleased) ------------------------------------------------- + * dirmgr: Support LDAP servers using a schema like the Windows LDS + servers. [T7742] + * gpgtar: Fix regression in end-of-archive detection. [T7757] Release-info: https://dev.gnupg.org/T7756 diff --git a/dirmngr/ks-engine-ldap.c b/dirmngr/ks-engine-ldap.c index 9bb604707..789f9706b 100644 --- a/dirmngr/ks-engine-ldap.c +++ b/dirmngr/ks-engine-ldap.c @@ -54,6 +54,7 @@ #define SERVERINFO_SCHEMAV2 4 /* Version 2 of the Schema. */ #define SERVERINFO_NTDS 8 /* Server is an Active Directory. */ #define SERVERINFO_GENERIC 16 /* Connected in generic mode. */ +#define SERVERINFO_CNFPR 32 /* Server uses CN=fingerprint. */ /* The page size requested from the server. */ @@ -648,7 +649,10 @@ interrogate_ldap_dn (LDAP *ldap_conn, const char *basedn_search, *r_serverinfo |= SERVERINFO_SCHEMAV2; if (nfields > 1 && !ascii_strcasecmp (fields[1], "ntds")) - *r_serverinfo |= SERVERINFO_NTDS; + *r_serverinfo |= (SERVERINFO_NTDS|SERVERINFO_CNFPR); + else if (nfields > 1 + && !ascii_strcasecmp (fields[1], "cnfpr")) + *r_serverinfo |= SERVERINFO_CNFPR; } } my_ldap_value_free (vals); @@ -2978,7 +2982,7 @@ ks_ldap_put (ctrl_t ctrl, parsed_uri_t uri, char **attrval; char *dn; - if ((serverinfo & SERVERINFO_NTDS)) + if ((serverinfo & SERVERINFO_CNFPR)) { /* The modern way using a CN RDN with the fingerprint. This * has the advantage that we won't have duplicate 64 bit @@ -3101,12 +3105,12 @@ ks_ldap_del (ctrl_t ctrl, parsed_uri_t uri, strlist_t fprlist) if (opt.verbose) log_info ("%s: Using DN: %s,%s\n", __func__, - (serverinfo & SERVERINFO_NTDS)? "CN=<fingerprint>" - /* */ : "pgpCertID=<keyid>", + (serverinfo & SERVERINFO_CNFPR)? "CN=<fingerprint>" + /* */ : "pgpCertID=<keyid>", basedn); for (fpr = fprlist; fpr; fpr = fpr->next) { - if ((serverinfo & SERVERINFO_NTDS)) + if ((serverinfo & SERVERINFO_CNFPR)) { xfree (dn); dn = xtryasprintf ("CN=%s,%s", fpr->d, basedn); 
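Review bot: The new `else if` in interrogate_ldap_dn keys the CN=fingerprint DN layout on the same pgpVersion field that carries the server type, so a server can advertise `cnfpr` or `openldap` but not both, and a dirmngr built before this change (the removed line only recognises `ntds`) reads a `cnfpr` server as a legacy server and keeps writing and deleting `pgpCertID=<keyid>` entries next to the `CN=<fingerprint>` entries newer clients create. That mixed layout deserves a comment at the check; I would add `/* "cnfpr" selects CN=<fingerprint> RDNs on a non-AD server. Older clients ignore the token and keep using pgpCertID=<keyid>, so client versions must not be mixed on such a server. */` above the new branch. The two `nfields > 1` tests can also be folded into a single guard, `if (nfields > 1) { if (!ascii_strcasecmp (fields[1], "ntds")) ... else if (!ascii_strcasecmp (fields[1], "cnfpr")) ... }`, which keeps the token comparisons side by side. interrogate_ldap_dn starts and ends outside the hunk.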
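Review bot: Changing the condition in ks_ldap_del to SERVERINFO_CNFPR means `dn = xtryasprintf ("CN=%s,%s", fpr->d, basedn);` is now reached on any server that advertises `cnfpr`, not only Active Directory, so the assumption that fpr->d is a plain hex fingerprint now matters for every OpenLDAP deployment that opts in. I cannot see from the hunk whether the entries of fprlist are validated before this point; if they are not, a value containing `,`, `+`, `=` or `\` would change the DN being deleted rather than just fail to match, so the loop should either reject a non-hex value with an error or escape the RDN value per RFC 4514 before formatting, e.g. `if (strspn (fpr->d, "0123456789abcdefABCDEF") != strlen (fpr->d)) { err = gpg_error (GPG_ERR_INV_VALUE); break; }` ahead of the xtryasprintf, adapted to the function's existing error path. The same applies to the CN branch of ks_ldap_put, whose body is cut off in this diff. ks_ldap_del continues past the end of the hunk.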
diff --git a/doc/ldap/gnupg-ldap-init.ldif b/doc/ldap/gnupg-ldap-init.ldif index 8f62c5c61..fa302e750 100644 --- a/doc/ldap/gnupg-ldap-init.ldif +++ b/doc/ldap/gnupg-ldap-init.ldif @@ -19,12 +19,16 @@ pgpSoftware: GnuPG # 1 = Classic PGP schema (default) # 2 = The attributes gpgFingerprint, gpgSubFingerprint, # gpgSubCertID, and gpgMailbox are part of the schema. -# Item 2 - A string with the used LDAP server +# Item 2 - A string with the LDAP server type # "-" = Unknown (default) # "ntds" = Windows Directory Service (AD DS) # "openldap" = OpenLDAP +# "cnfpr" = As with "ntds" the DN has CN=fingerprint +# instead of the legacy pgpCertID=keyid. +# Use this for openldap if your client software +# is new enough (gnupg >= (2.2.28 or 2.5.12). # -pgpVersion: 2 +pgpVersion: 2 cnfpr dn: ou=GnuPG Keys,dc=example,dc=com objectClass: organizationalUnit |
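Review bot: The version hint in the new comment is malformed, `(gnupg >= (2.2.28 or 2.5.12).` opens two parentheses and closes one, and the 2.2 number should be checked against the branch that actually carries this change, since the commit itself targets 2.5.12. More importantly the template now ships `pgpVersion: 2 cnfpr` as the default instead of `pgpVersion: 2`, so an administrator who loads it unchanged gets CN=fingerprint DNs, and any older dirmngr that still only recognises `ntds` will write pgpCertID=keyid entries into the same OU; the comment should say so, e.g. `# Note: older clients ignore "cnfpr" and fall back to pgpCertID=keyid, so do not use it while such clients still write to this server.` and the default is arguably better left at `2` with `cnfpr` as the documented opt-in.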