
ldapserver configuration option duplicated
Testing, Wishlist, Public

Description

It seems that adding the same LDAP server in kleopatra is possible and, worse, the entry is then saved to the conf file and the next time a third copy is shown. Test was done using an ldap server in the global config and one in the local config.

Do we have a problem with --ldapserver vs. the legacy ldapserver-file thing here? Or is this due to a gpgconf option parser oddity?

Event Timeline

werner triaged this task as Normal priority. Oct 22 2025, 5:17 PM
werner added a project: vsd34.

I guess this is easy to explain:

  1. gpgconf/gpgme reads the LDAP server from the global config
  2. You add a second LDAP server (I don't think it matters if it's the same as the one from the global config or different one)
  3. When you save the LDAP server then gpgme/gpgconf writes both LDAP servers to the local config
  4. When you now read the LDAP servers you get one from the global config and two from the local config

The problem might be even worse:
Each time you save changes on the Directory Services page of Kleopatra's config dialog, copies of all LDAP servers configured in the global config are added to the local config. This happens in gpgme via gpgconf.

I think this is a general problem of list entries. gpgconf simply prints them as a comma-separated list. Hence, users of this output are totally unaware whether an entry is defined in the global config or the local config.

I think gpgconf needs to
a) not write an LDAP server to the local config if an identical entry is already in the global config
and/or
b) consolidate LDAP servers read from the global config and the local config before passing the list of LDAP servers to its callers.

gpgconf does not know about the global config files. Nor does it know about things like gpg.conf-2 etc.

Then I don't see how we can avoid this. It should be easy to reproduce this with gpgconf alone if you know how to use --change-options manually. Simply set the LDAP server that's already configured in the global config file.

ikloecker mentioned this in Unknown Object (Maniphest Task). Oct 27 2025, 9:29 AM
werner lowered the priority of this task from Normal to Low. Nov 26 2025, 2:57 PM
werner lowered the priority of this task from Low to Wishlist.
ebo added a subscriber: ebo.

It would be possible as a workaround in Kleopatra to show any identical entries only once. Saving after that will not add any more entries.

ikloecker moved this task from Backlog to WIP on the gpd5x board.

One doesn't even need a global config file to reproduce the duplication.

All you have to do is add an ldapserver option to dirmngr.conf after the ###+++--- GPGConf ---+++### block. Kleopatra/gpgconf will happily duplicate this LDAP server when writing the configuration.

The fix is only a workaround; the duplicate entries are no longer shown in Kleopatra, but they still exist and multiply on save.

To avoid that, an organization could make the ldapserver setting immutable by putting it in a force section in the global config file.
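As an added illustration of the read/save cycle described in the four steps above and of the reproduction without a global config file, here is a small Python model; it is not gpgconf's or Kleopatra's own code. The marker line is the one named in this task, while the conf layout (managed block between two marker lines) and the sample file contents are constructed assumptions.

```python
# Hypothetical model of the read/save cycle this task describes; not gpgconf's
# or Kleopatra's code. Simplification: the managed block is the text between
# the first two marker lines of the local conf file.
MARK = "###+++--- GPGConf ---+++###"  # marker named in the task

def split_conf(text):
    """(lines before the managed block, the block, lines after it)."""
    lines = text.splitlines()
    marks = [i for i, l in enumerate(lines) if l.startswith(MARK)]
    if len(marks) < 2:
        return lines, [], []
    return lines[:marks[0]], lines[marks[0] + 1:marks[1]], lines[marks[1] + 1:]

def values_of(lines, option):
    """Every value of a list option in the given lines, in file order."""
    pairs = (l.strip().split(None, 1) for l in lines)
    return [p[1].strip() for p in pairs if len(p) == 2 and p[0] == option]

def read_all(global_conf, local_conf, option):
    """What a consumer of the flat gpgconf output sees: no origin information."""
    return values_of(global_conf.splitlines(), option) + values_of(local_conf.splitlines(), option)

def save(global_conf, local_conf, option, values, consolidate):
    """Rewrite the managed block. consolidate=False is the reported behaviour:
    every value that was read is written back. consolidate=True is proposals
    a) and b): skip values already supplied by the global config or by
    unmanaged lines outside the block, and write each remaining value once."""
    before, _, after = split_conf(local_conf)
    fixed = set(values_of(global_conf.splitlines() + before + after, option)) if consolidate else set()
    block = []
    for v in values:
        if v not in fixed:
            block.append(f"{option} {v}")
            if consolidate:
                fixed.add(v)
    return "\n".join(before + [MARK] + block + [MARK] + after) + "\n"

# Constructed sample: one global entry, one user-added entry after the local block.
GLOBAL = "ldapserver ldap.example.org:389\n"
LOCAL = f"{MARK}\n{MARK}\nldapserver ldap2.example.org\n"

def save_n_times(global_conf, local_conf, option, n, consolidate):
    """Re-read and re-save n times, as repeated saves in the settings dialog
    would, and return how many entries a consumer sees after each round."""
    counts = []
    for _ in range(n):
        local_conf = save(global_conf, local_conf, option,
                          read_all(global_conf, local_conf, option), consolidate)
        counts.append(len(read_all(global_conf, local_conf, option)))
    return counts
```

With the reported behaviour the visible list grows by two entries per save (the global one and the unmanaged one are copied into the block each time), while the consolidating save leaves it at the two entries that actually exist.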

ikloecker changed the task status from Open to Testing. Tue, Feb 24, 3:46 PM

The workaround is ready for testing. Kleopatra shouldn't show duplicate LDAP servers in the settings dialog. As a side effect, global ldapserver entries should no longer multiply in the local dirmngr.conf each time the LDAP servers are changed, but one copy of the global ldapserver entries is still written to the local dirmngr.conf.

Note that the list of LDAP servers in Kleopatra's Settings dialog only shows the LDAP server's domain name (or "Active Directory" for the special entry), i.e. you might see some entries with the same domain name but with different settings (user, port, flags, etc.).