author    Werner Koch <[email protected]>  2021-05-26 13:49:14 +0000
committer Werner Koch <[email protected]>  2021-06-16 10:42:02 +0000
commit    52cf32ce2f904b2e6f53f406a90458f6ef148af9
tree      7273c723a0b9d9942493694fa4dba9fd8665edb0 /doc/dirmngr.texi
parent    dirmngr: Allow for non-URL specified ldap keyservers.
dirmngr: New option --ldapserver
* dirmngr/dirmngr.c (opts): Add option --ldapserver.
(ldapserver_list_needs_reset): New var.
(parse_rereadable_options): Implement option.
(main): Ignore dirmngr_ldapservers.conf if no --ldapserver is used.
* dirmngr/server.c (cmd_ldapserver): Add option --clear and list
configured servers if none are given.
--

This option allows to specify LDAP keyserver in dirmngr instead of
using gpgsm.conf.

Signed-off-by: Werner Koch <[email protected]>
(cherry picked from commit ff17aee5d10c8c5ab902253fb4332001c3fc3701)
Diffstat (limited to 'doc/dirmngr.texi')
-rw-r--r--  doc/dirmngr.texi  47
1 files changed, 37 insertions, 10 deletions
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index 981b48b4e..516433e11 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@@ -14,7 +14,7 @@
@manpage dirmngr.8
@ifset manverb
.B dirmngr
-\- CRL and OCSP daemon
+\- GnuPG's network access daemon
@end ifset
@mansect synopsis
@@ -424,10 +424,9 @@ configured LDAP server if the connection using the "proxy" failed.
@item --ldapserverlist-file @var{file}
@opindex ldapserverlist-file
-Read a list of LDAP servers to consult for CRLs and certificates from
-file. This servers from this list are used after any servers set by a
-client for its session. The default value for @var{file} is
-@file{dirmngr_ldapservers.conf}.
+Read the list of LDAP servers to consult for CRLs and X.509 certificates from
+file instead of the default per-user ldap server list file. The default
+value for @var{file} is @file{dirmngr_ldapservers.conf}.
This server list file contains one LDAP server per line in the format
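Review bot: in the new sentence "from file instead of the default per-user ldap server list file", "file" should be "@var{file}" so it matches the @item line and the next sentence, which already writes @var{file}; "ldap" there should also be "LDAP" as elsewhere in the node. The removed sentence "This servers from this list are used after any servers set by a client for its session" documented the ordering between session-set servers and the list; if that ordering still holds, keep a corrected version of it rather than dropping it without replacement.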
@@ -435,17 +434,45 @@ This server list file contains one LDAP server per line in the format
Lines starting with a @samp{#} are comments.
-The only defined flag is @code{ldaps} to specify that a TLS
-connections shall be used. Flags are comma delimited; unknown flags
-are ignored.
-
Note that as usual all strings entered are expected to be UTF-8 encoded.
Obviously this will lead to problems if the password has originally been
encoded as Latin-1. There is no other solution here than to put such a
password in the binary encoding into the file (i.e. non-ascii characters
won't show up readable).@footnote{The @command{gpgconf} tool might be
helpful for frontends as it enables editing this configuration file using
-percent-escaped strings.}
+percent-escaped strings.}jj
+
+
+@item --ldapserver @var{spec}
+@opindex ldapserver
+This is an alternative way to specify LDAP servers for CRL and X.509
+certificate retrieval. If this option is used the servers configured
+in @file{dirmngr_ldapservers.conf} (or the file given by
+@option{--ldapserverlist-file}) are cleared. Reloading dirmngr will
+consider these again will in no case use those from
+@file{dirmngr_ldapservers.conf} again. The @var{spec} is either a
+proper LDAP URL or a colon delimited list of the form
+
+@sc{hostname:port:username:password:base_dn:flags:}
+
+with an optional prefix of @code{ldap:} (but without the two slashes
+which would turn this into a proper LDAP URL). @sc{flags} is a list
+of one or more comma delimited keywords:
+@table @code
+@item plain
+The default: Do not use a TLS secured connection at all; the default
+port is 389.
+@item starttls
+Use STARTTLS to secure the connection; the default port is 389.
+@item ldaptls
+Tunnel LDAP through a TLS connection; the default port is 636.
+@item ntds
+On Windows authenticate the LDAP connection using the Active Directory
+with the current user.
+@end table
+
+Note that in an URL style specification the scheme @code{ldaps://}
+refers to STARTTLS and _not_ to LDAP-over-TLS.
@item --ldaptimeout @var{secs}
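Review bot: the removed paragraph documented an "ldaps" flag for the server list file and stated that unknown flags are ignored, but the new flag table (plain, starttls, ldaptls, ntds) has no "ldaps" entry; if the parser no longer recognises "ldaps" and still ignores unknown flags, an existing dirmngr_ldapservers.conf that asked for TLS would silently fall back to "plain", so either keep "ldaps" as an alias of "ldaptls" or state explicitly that it is still accepted, and say whether the list file takes the same flags as @option{--ldapserver}. The closing note "the scheme @code{ldaps://} refers to STARTTLS and _not_ to LDAP-over-TLS" describes the opposite of what ldaps:// conventionally means (TLS from the first byte, port 636) and sits oddly next to the "ldaptls" entry, whose default port is 636; if that is really the implementation's behaviour it deserves a more prominent warning and the Texinfo markup @emph{not} rather than _not_, and if it is a slip the line should be corrected. The sentence "Reloading dirmngr will consider these again will in no case use those from @file{dirmngr_ldapservers.conf} again" has two predicates run together and needs rewording; it also disagrees with the commit message, which says the file is ignored "if no --ldapserver is used". Finally, "percent-escaped strings.}jj" picked up a stray "jj" that will appear in the rendered manual, and the "ntds" entry reads more clearly as "On Windows, authenticate the LDAP connection to Active Directory as the current user."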