Page MenuHome GnuPG
Create Task
Maniphest T6047

Dirmngr - LDAP Schema V2 not used when Base DN is specified
Closed, ResolvedPublic
Actions

Description

When publishing keys to an LDAP server with a base DN specified in the dirmngr config (https://www.gnupg.org/documentation/manuals/gnupg/Dirmngr-Options.html#:~:text=%2D%2Dkeyserver), dirmngr forces schema version 1 and as a result doesn't push newer attributes to the LDAP server.

This is problematic when using some applications such as Kleopatra, which now seem to require that key fingerprints be present in search results.

For reference, the relevant code is here: https://github.com/gpg/gnupg/blob/master/dirmngr/ks-engine-ldap.c#L559
When a base DN is specified, it bypasses the keyserver probing functionality, which would normally attempt to find the PGPServerInfo entry and flag the appropriate schema version.

It would be useful if one of the following was implemented:

  • Dirmngr could auto detect if the provided base DN is a PGPServerInfo entry and then just inspect the pgpKeySpaceDN to get the DN for the keys
  • There was a new config option to specify the DN for the PGPServerInfo entry to allow for probing with a manually specified path
  • There was a new config option to override the LDAP keyserver flags and specify that a keyserver uses schema V2

I would be happy to work on a PR for any of these options if any option is deemed acceptable.

Revisions and Commits

rG GnuPG
rG4cf8dc2d968f dirmngr: Minor fix for baseDN fallback.
rG98fbac614105 dirmngr: Change interrogate_ldap_dn for better memory semantics.
rG5516f92224b6 dirmngr: Interrogate LDAP server when base DN specified.
rG44960e702ee3 dirmngr: Factor out interrogate_ldap_dn function.
rG11aa5a93a754 dirmngr: Minor fix for baseDN fallback.
rG4b2066afb498 dirmngr: Change interrogate_ldap_dn for better memory semantics.
rG3257385378bb dirmngr: Interrogate LDAP server when base DN specified.
rG993820c31521 dirmngr: Factor out interrogate_ldap_dn function.

Related Objects

Event Timeline

joeyberkovitz created this task.Jun 28 2022, 4:34 PM
werner triaged this task as Normal priority.Jun 29 2022, 5:16 PM
werner edited projects, added Feature Request, gnupg (gpg23), dirmngr, LDAP; removed Bug Report.
werner added a subscriber: werner.

The first ideas sounds best to me. Patches please to the mailing list.

joeyberkovitz added a comment.Jul 5 2022, 3:27 AM

I tried to submit the below patch to gnupg-devel@lists.gnupg.org, but get an Unrouteable address error. Let me know how best to submit it

0001-dirmngr-Interrogate-LDAP-server-when-base-DN-specifi.patch7 KBDownload

gniibe added a subscriber: gniibe.Jul 5 2022, 4:36 AM

Let me know how best to submit it

Please use the address: gnupg-devel@gnupg.org
(lists.gnupg.org doesn't work now)

joeyberkovitz added a comment.Jul 8 2022, 4:54 PM

Any chance someone is able to review the posted patch?

Posted on the mailing list here: https://lists.gnupg.org/pipermail/gnupg-devel/2022-July/035082.html

ikloecker added a subscriber: ikloecker.Jul 10 2022, 11:59 AM

Due to vacation the review may take some time.

joeyberkovitz added a comment.Sep 19 2022, 3:41 PM

just checking in about getting this patch reviewed

gniibe added a comment.Sep 26 2022, 9:03 AM

To proceed, I pushed an initial part as rG993820c31521: dirmngr: Factor out interrogate_ldap_dn function., which doesn't change any behavior.
Then, the point of the change will be clearer.

gniibe added a commit: rG993820c31521: dirmngr: Factor out interrogate_ldap_dn function..Sep 26 2022, 9:08 AM
werner added a comment.Sep 26 2022, 9:41 AM

BTW, I have also in mind to use an AD entry to figure out the used keyserver. It turned out that people don't like to modify the schema of their AD but instead use a separate LDS.

gniibe added a commit: rG4b2066afb498: dirmngr: Change interrogate_ldap_dn for better memory semantics..Sep 29 2022, 2:54 AM
gniibe added a commit: rG3257385378bb: dirmngr: Interrogate LDAP server when base DN specified..
gniibe added a comment.Sep 29 2022, 3:10 AM

Applied and pushed the change from @joeyberkovitz in rG3257385378bb: dirmngr: Interrogate LDAP server when base DN specified..

I applied another change in rG4b2066afb498: dirmngr: Change interrogate_ldap_dn for better memory semantics. to simplify the code (no behavior changes, eliminating an allocation).

werner added a commit: rG11aa5a93a754: dirmngr: Minor fix for baseDN fallback..Sep 29 2022, 4:01 PM
werner added a commit: rG44960e702ee3: dirmngr: Factor out interrogate_ldap_dn function..Oct 7 2022, 2:24 PM
werner added a commit: rG5516f92224b6: dirmngr: Interrogate LDAP server when base DN specified..
werner added a commit: rG98fbac614105: dirmngr: Change interrogate_ldap_dn for better memory semantics..
werner added a commit: rG4cf8dc2d968f: dirmngr: Minor fix for baseDN fallback..
gniibe changed the task status from Open to Testing.Oct 11 2022, 8:16 AM
werner mentioned this in T6181: Release GnuPG 2.2.40.Oct 14 2022, 6:01 PM
werner mentioned this in T6106: Release GnuPG 2.3.8.
werner closed this task as Resolved.Nov 17 2022, 9:33 AM
werner claimed this task.