author: Werner Koch <[email protected]> 2025-08-04 16:10:05 +0000
committer: Werner Koch <[email protected]> 2025-08-04 16:11:39 +0000
commit: 4061b34ef31e467870c01c9263b07fe5a76b9a45 (patch)
tree: e953beb33656cbead2386a756d0f622a3df99f0b /doc/ldap
parent: gpg: Do not compress 7z files by default.
dirmngr: Allow the use of an ntds like schema on OpenLDAP et al.
* dirmngr/ks-engine-ldap.c (SERVERINFO_CNFPR): New.  Replace all
SERVERINFO_NTDS with this one.
(interrogate_ldap_dn): Parse "cnfpr" flag and set SERVERINFO_CNFPR.
Set this flag also for "ntds".
* doc/ldap/gnupg-ldap-init.ldif (pgpVersion): Suggest the use of the
"cnfpr" flag.
--
Note that SERVERINFO_NTDS is currently not anymore used directly but we
keep it in case we need to do other NTDS specific things in the future.

The advantage of using a fingerprint for referencing a key is that there
won't be any collisions in the keyid.  Further this unifies the schema
with an LDS (Windows) installation where DNs must anyway be unique.  But
take care: the client needs to support this new flag.

GnuPG-bug-id: 7742
Diffstat (limited to 'doc/ldap')
-rw-r--r-- doc/ldap/gnupg-ldap-init.ldif | 8
1 files changed, 6 insertions, 2 deletions
diff --git a/doc/ldap/gnupg-ldap-init.ldif b/doc/ldap/gnupg-ldap-init.ldif
index 8f62c5c61..fa302e750 100644
--- a/doc/ldap/gnupg-ldap-init.ldif
+++ b/doc/ldap/gnupg-ldap-init.ldif
@@ -19,12 +19,16 @@ pgpSoftware: GnuPG
# 1 = Classic PGP schema (default)
# 2 = The attributes gpgFingerprint, gpgSubFingerprint,
# gpgSubCertID, and gpgMailbox are part of the schema.
-# Item 2 - A string with the used LDAP server
+# Item 2 - A string with the LDAP server type
# "-" = Unknown (default)
# "ntds" = Windows Directory Service (AD DS)
# "openldap" = OpenLDAP
+# "cnfpr" = As with "ntds" the DN has CN=fingerprint
+# instead of the legacy pgpCertID=keyid.
+# Use this for openldap if your client software
+# is new enough (gnupg >= (2.2.28 or 2.5.12).
#
-pgpVersion: 2
+pgpVersion: 2 cnfpr
dn: ou=GnuPG Keys,dc=example,dc=com
objectClass: organizationalUnit
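Review bot: the added line `+# is new enough (gnupg >= (2.2.28 or 2.5.12).` has an unbalanced parenthesis; suggest `# is new enough (GnuPG >= 2.2.28 or >= 2.5.12).` so the version requirement reads cleanly. A second documentation point in the same hunk: the header `+# Item 2 - A string with the LDAP server type` now introduces a list that mixes server types ("ntds", "openldap") with "cnfpr", which the commit message calls a flag and which the comment tells the reader to use "for openldap". The example `+pgpVersion: 2 cnfpr` implies that "cnfpr" replaces "openldap" rather than being combined with it, but the comment does not say so; one sentence stating whether the two can be given together, and what a client without support for the flag does with an unrecognised item 2 value (the commit message only says the client "needs to support this new flag"), would spare operators a failed lookup when they enable this on an existing directory.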