dirmngr: New option --ldapserver
ff17aee5d10c
Actions

Description

dirmngr: New option --ldapserver

* dirmngr/dirmngr.c (opts): Add option --ldapserver.
(ldapserver_list_needs_reset): New var.
(parse_rereadable_options): Implement option.
(main): Ignore dirmngr_ldapservers.conf if no --ldapserver is used.
* dirmngr/server.c (cmd_ldapserver): Add option --clear and list
configured servers if none are given.

This option allows to specify LDAP keyserver in dirmngr instead of
using gpgsm.conf.

Signed-off-by: Werner Koch <wk@gnupg.org>

Details

Provenance

• werner

Authored on May 26 2021, 3:49 PM

Parents

rG2b4cddf9086f: dirmngr: Allow for non-URL specified ldap keyservers.

Branches

Unknown

Tags

Unknown

Event Timeline

• werner committed rGff17aee5d10c: dirmngr: New option --ldapserver (authored by • werner).May 26 2021, 4:21 PM

ikloecker added a subscriber: ikloecker.May 26 2021, 5:49 PM

ikloecker added inline comments.

/doc/dirmngr.texi
443	Did you add `jj` on purpose? I'm just wondering. It does not seem to have an effect on the creation of dirmngr.8.
451–453	I cannot parse this sentence. It reads like a mix of two conflicting statements.

• werner added inline comments.May 26 2021, 6:07 PM

/doc/dirmngr.texi
451–453	What about Note that dirmngr_ldapservers.conf is never read again after a reload signal has been send to dirmngr. However, --ldapserver options are read again on a reload signal.

ikloecker added inline comments.Jun 3 2021, 5:49 PM

/doc/dirmngr.texi
453–454	The @var{spec} is either a proper LDAP URL or a colon delimited list of the form Do you really intend to support "proper LDAP URLs" for this option? If yes, then I strongly suggest to reconsider. Is there a good reason for supporting "proper LDAP URLs" (apart from "ldap:///" being a nice and short synonym for ":::::ntds")? Reasons for not supporting the "proper LDAP URL" form: This new option is supposed to replace gpgsm's keyserver option and the ldapserver list file. Both ways to specify LDAP servers for X.509 only support the colon delimited form (at least according to the man pages). The currently implemented code for the new `--ldapserver` option only supports the colon delimited form. Having a look at the LDAP URL parsing code in ldap-url.c, which I would have to duplicate in QGpgME/Kleopatra, if I wanted to add a user friendly editor GUI for such URLs, gives me the creeps. I would limit support for "proper LDAP URLs" to a simple unvalidated text field, i.e. as it's done for OpenPGP LDAP keyservers.

Alright, we can keep just the colon delimited format for --ldapservers et al. Because we support ldap URLs in CrlDistributionPoints in X.509 certificates we need to handle them internally. But there is indeed no need to support them in the config files.

• werner mentioned this in rG52cf32ce2f90: dirmngr: New option --ldapserver.Jun 16 2021, 1:16 PM