
Kleopatra: OpenPGP LDAP keyserver configuration impossible for at least 2.3
Testing, High, Public

Description

For now assigned to me to figure out what should be the right way for this. I don't have time for it right now but I should do it this week.

You need to use this keyserver line:
keyserver ldaps://ldap.example.com/????bindname=uid=LordPrivySeal
%2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=abc
(Enter this all on one line; "%2C" directly at the end of "Seal")

This is not a valid URL, and if you enter it this way into the OpenPGP Keyserver field in Kleopatra, with 2.3 it will end up in dirmngr.conf with spaces inside it, and the next time you load the config dialog everything after the first space will be gone.

For 2.2 I think this will also be different, because then it will be put into gpg.conf, but it will probably have similar problems.
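To make the reported round trip concrete, here is an added Python sketch (not Kleopatra's or GnuPG's code) that models the two behaviours discussed in this task: percent-decoding the keyserver value as if it were a URL before writing it to dirmngr.conf, versus storing it verbatim. The re-read step, which splits the config line on whitespace and keeps only the first argument, is an assumption chosen to reproduce the symptom described above.

```python
from urllib.parse import unquote

# The keyserver line from the task description, joined onto one line
# (constructed copy of the page's example; credentials are placeholders).
KEYSERVER_LINE = (
    "ldaps://ldap.example.com/????bindname=uid=LordPrivySeal"
    "%2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=abc"
)


def store_as_url(value: str) -> str:
    """Model of the old behaviour: the value is treated as a URL and
    percent-decoded before being written, so '%20' becomes a literal space
    and '%2C' a comma.  Simplified model, not Kleopatra's actual parser."""
    return f"keyserver {unquote(value)}"


def store_as_text(value: str) -> str:
    """Model of the fixed behaviour: the value is written verbatim."""
    return f"keyserver {value}"


def reload_option(config_line: str) -> str:
    """Assumed model of re-reading the option on the next config load:
    the line is split on whitespace and only the first argument survives."""
    parts = config_line.split()
    return parts[1] if len(parts) > 1 else ""


def round_trip(store) -> str:
    """Write KEYSERVER_LINE with the given store function, then reload it."""
    return reload_option(store(KEYSERVER_LINE))


def lost_fields(original: str, reloaded: str) -> list:
    """Names of the comma-separated query fields (bindname, password) that
    are present in the original spec but missing after the round trip."""
    query = original.split("?")[-1]
    wanted = [item.split("=", 1)[0] for item in query.split(",")]
    return [name for name in wanted if f"{name}=" not in reloaded]


if __name__ == "__main__":
    for label, store in (("URL-parsed", store_as_url), ("verbatim", store_as_text)):
        reloaded = round_trip(store)
        print(f"{label:11s} -> {reloaded}")
        print(f"{'':11s}    lost fields: {lost_fields(KEYSERVER_LINE, reloaded)}")
```

With the URL-parsing model the bind DN is cut off at "GnuPG" and the password field disappears silently; storing the option as opaque text keeps the line intact.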

Details

Version
master

Event Timeline

aheinecke created this task.

Well,

ldap:///

or

ldap://someserver.in.my.domain/????gpgNtds=1

is more important

ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. May 25 2021, 10:35 AM
ikloecker changed the task status from Open to Testing. May 26 2021, 2:15 PM
ikloecker reassigned this task from ikloecker to aheinecke.
ikloecker added a subscriber: ikloecker.

Fixed. Kleopatra no longer tries to parse the keyserver option and treats it as simple text (instead of as URL).

Editing an LDAP keyserver entry isn't very user friendly, but making it more user friendly should probably be done with a different task once the new format has been implemented in gpg/dirmngr.

ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. May 26 2021, 2:15 PM

I implemented the new format in 2.2 but we need to discuss how to handle this in gpgconf.

I think it would be best if gpgconf always used the new format. Then gpgme does not need to reimplement the parsing of the old format. The same format should also be used for dirmngr's keyserver option. Additionally, dirmngr's keyserver option should become a list option instead of a single-value option.

What I'm not really happy about is that there are two options with pretty generic names, keyserver and ldapserver, where the first is only used for OpenPGP and the second is only used for S/MIME (as far as I know). But okay, confusion can be avoided by a proper UI in Kleopatra.

Now, it is still time to change the name of the new option "--ldapserver". "--x509server" maybe?

Yes, --x509server does better convey the semantics of this option.