Diffusion GnuPG ff17aee5d10c

dirmngr: New option --ldapserver

* dirmngr/dirmngr.c (opts): Add option --ldapserver.
(ldapserver_list_needs_reset): New var.
(parse_rereadable_options): Implement option.
(main): Ignore dirmngr_ldapservers.conf if no --ldapserver is used.
* dirmngr/server.c (cmd_ldapserver): Add option --clear and list
configured servers if none are given.

This option allows specifying an LDAP keyserver in dirmngr instead of
using gpgsm.conf.

Signed-off-by: Werner Koch <wk@gnupg.org>


werner authored on May 26 2021, 3:49 PM
rG2b4cddf9086f: dirmngr: Allow for non-URL specified ldap keyservers.

Event Timeline

ikloecker added inline comments.

Did you add jj on purpose? I'm just wondering. It does not seem to have an effect on the creation of dirmngr.8.


I cannot parse this sentence. It reads like a mix of two conflicting statements.


What about

Note that dirmngr_ldapservers.conf is never read again after a reload signal has been sent to dirmngr. However, --ldapserver options are read again on a reload signal.


The @var{spec} is either a proper LDAP URL or a colon delimited list of the form

Do you really intend to support "proper LDAP URLs" for this option? If yes, then I strongly suggest reconsidering.

Is there a good reason for supporting "proper LDAP URLs" (apart from "ldap:///" being a nice and short synonym for ":::::ntds")?

Reasons for not supporting the "proper LDAP URL" form:

  • This new option is supposed to replace gpgsm's keyserver option and the ldapserver list file. Both ways to specify LDAP servers for X.509 only support the colon delimited form (at least according to the man pages).
  • The currently implemented code for the new --ldapserver option only supports the colon delimited form.
  • Having a look at the LDAP URL parsing code in ldap-url.c, which I would have to duplicate in QGpgME/Kleopatra, if I wanted to add a user friendly editor GUI for such URLs, gives me the creeps. I would limit support for "proper LDAP URLs" to a simple unvalidated text field, i.e. as it's done for OpenPGP LDAP keyservers.

Alright, we can keep just the colon delimited format for --ldapservers et al. Because we support ldap URLs in CrlDistributionPoints in X.509 certificates we need to handle them internally. But there is indeed no need to support them in the config files.
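The discussion above settles on the colon-delimited form for --ldapserver. The following parser is an added example and is not GnuPG's own code (dirmngr implements this in C). It assumes, based on the dirmngr documentation rather than on this page, that the fields are HOST:PORT:USER:PASSWORD:BASE_DN:FLAGS with FLAGS a comma-separated list (the ":::::ntds" value quoted above fits that layout); it also assumes that an empty USER means an anonymous bind and that lines starting with "#" in an ldapserver list file are comments. The helper functions `parse_ldapserver_spec`, `parse_ldapserver_lines` and `config_warnings` are hypothetical names chosen for this example.

```python
# Added example: parser for the colon-delimited LDAP server spec used by
# dirmngr's --ldapserver option. Not GnuPG code.
# ASSUMPTION (dirmngr documentation, not this page): field order is
#   HOST:PORT:USER:PASSWORD:BASE_DN:FLAGS
# with FLAGS a comma-separated list such as "ntds".
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LdapServerSpec:
    host: str
    port: Optional[int]
    user: str
    password: str
    base_dn: str
    flags: List[str] = field(default_factory=list)

    def binds_anonymously(self) -> bool:
        # ASSUMPTION: an empty USER field means an anonymous bind.
        return self.user == ""


def parse_ldapserver_spec(spec: str) -> LdapServerSpec:
    """Parse one HOST:PORT:USER:PASSWORD:BASE_DN:FLAGS entry.

    Trailing fields may be omitted and are treated as empty, so "host" and
    "host:::::" describe the same server. The URL form is rejected, matching
    the decision in the thread to keep only the colon-delimited form.
    """
    if spec.lower().startswith(("ldap://", "ldaps://")):
        raise ValueError("LDAP URL form is not accepted; use HOST:PORT:USER:PASSWORD:BASE_DN:FLAGS")
    # maxsplit=5 keeps any further colons inside the FLAGS field intact.
    parts = spec.split(":", 5)
    parts += [""] * (6 - len(parts))
    host, port_s, user, password, base_dn, flags_s = parts
    port: Optional[int] = None
    if port_s:
        if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
            raise ValueError(f"invalid port {port_s!r} in ldapserver spec")
        port = int(port_s)
    flags = [f.strip() for f in flags_s.split(",") if f.strip()]
    return LdapServerSpec(host, port, user, password, base_dn, flags)


def parse_ldapserver_lines(lines: List[str]) -> List[LdapServerSpec]:
    """Parse an ldapserver list file (one spec per line, '#' comments).

    ASSUMPTION: comment and blank-line handling mirrors dirmngr_ldapservers.conf.
    """
    specs = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        specs.append(parse_ldapserver_spec(line))
    return specs


def config_warnings(spec: LdapServerSpec) -> List[str]:
    """Return review findings a defender would want flagged for a spec."""
    warnings = []
    if spec.password:
        # The PASSWORD field is stored in cleartext in the config file, so the
        # file's permissions decide who can read the bind credential.
        warnings.append("bind password stored in cleartext in configuration")
    if not spec.host and "ntds" not in spec.flags:
        # Without a host there is nothing to contact unless the ntds flag
        # (Active Directory lookup, per the quoted ":::::ntds" example) is set.
        warnings.append("no host given and ntds flag not set")
    return warnings


# Constructed sample list file, not taken from any real deployment.
SAMPLE_LINES = [
    "# constructed example ldapserver list",
    "",
    ":::::ntds",
    "ldap.example.org:389:cn=reader,dc=example,dc=org:s3cret:dc=example,dc=org:",
    "ldap.example.org",
]

if __name__ == "__main__":
    for s in parse_ldapserver_lines(SAMPLE_LINES):
        print(s, config_warnings(s))
```

Running the block prints each parsed spec together with its findings; the second constructed line is flagged for carrying a cleartext bind password, which is the practical cost of putting credentials into the colon-delimited form rather than a separate credential store.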