Page MenuHome GnuPG

dirmngr only using cAcertificate attr type when querying LDAP directory
Closed, ResolvedPublic

Description

When trying to import CRLs using gpgsm --call-dirmngr loadcrl and with debug as guru, it reports using attr cACertificate when querying LDAP. This does not work against Microsoft Active Directory which uses usercertificate as the attr. Reviewing and the code supports either attr type (in dirmngr/ldap.c) but for the call start_default_fetch_ldap() from dirmngr/crlfetch.c which has hardcoded cACertificate as part of the call. I am working with version 2.1.18 of dirmngr. Can this be fix to support either a flag or an additional LDAP query to know what type of code to use automatically.

Event Timeline

justus triaged this task as Wishlist priority.Jun 8 2017, 3:00 PM
justus added a project: gnupg (gpg22).
werner raised the priority of this task from Wishlist to High.
werner added projects: gnupg24, gnupg22.
werner added a subscriber: werner.

We need to extend dirmngr_ldap.c to take a list of attributes to return. We already have the --multi option which returns all attributes for latter filtering by the caller but the specified attr is also used and thus dirmngr's start_cacert_fetch_ldap() retruns only the requested caCertificate.

werner removed projects: gnupg22, gnupg24.

After diligently reading the code I realized that this bug has long been fixed. For reference here is the patch I wrote to extend dirmngr_ldap during my tests: