On Mon, 20 Feb 2006, David Shaw wrote:

> Here's a rough guide for OpenLDAP:

[--cut--]

Thanks, no problem following the guide.

> The configuration above obviously allows anyone to write/delete keys.

I'll add appropriate access rules once key import/export works. However, I'm having trouble with authentication (see below), despite having removed all restrictions (allow * by * write).

> Note that GPG will use TLS or LDAPS just fine if you want to use that.

TLS too? How do I tell GnuPG to use TLS over port 389 (ldap://)?

When I try to import my first key, I get the following:

> gpg --keyserver "ldap://ldap.private" --keyserver-options verbose \
>     --keyserver-options verbose --send-keys 5802B67C
> gpg: sending key 5802B67C to ldap server ldap.private
> Host:		ldap.private
> Command:	SEND
> Server:		OpenLDAP slapd Version: 2.2.27
> gpgkeys: error adding key 5802B67C to keyserver: Strong(er) authentication required
> gpg: keyserver internal error
> gpg: keyserver send failed: keyserver error

slapd logs to syslog (loglevel=448):

> => access_allowed: read access granted by write(=wrscx)
> => access_allowed: read access to "cn=PGPServerInfo,dc=private" "pgpBaseKeySpaceDN" requested
> => acl_get: [1] attr pgpBaseKeySpaceDN
> access_allowed: no res from state (pgpBaseKeySpaceDN)
> => acl_mask: access to entry "cn=PGPServerInfo,dc=private", attr "pgpBaseKeySpaceDN" requested
> => acl_mask: to value by "", (=n)
> <= check a_dn_pat: *
> <= acl_mask: [1] applying write(=wrscx) (stop)
> <= acl_mask: [1] mask: write(=wrscx)
> => access_allowed: read access granted by write(=wrscx)
> conn=1 op=1 ENTRY dn="cn=PGPServerInfo,dc=private"
> conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=1 op=2 MOD dn="pgpCertID=B18138775802B67C,ou=PGP Keys,dc=private"
> conn=1 op=2 MOD attr=pgpDisabled pgpKeyID pgpKeyType pgpUserID pgpKeyCreateTime pgpSignerID pgpRevoked pgpSubKeyID pgpKeySize pgpKeyExpireTime pgpCertID pgpCertID pgpKeyID pgpKeyType pgpKeySize pgpKeyCreateTime pgpDisabled pgpRevoked pgpUserID pgpSignerID pgpSubKeyID objectClass pgpKey
> conn=1 op=2 RESULT tag=103 err=8 text=modifications require authentication
> conn=1 fd=13 closed

Now, GnuPG gets the base keyspace right, but the modification fails because of lack of authentication. Since I'd like to have authentication anyway (users should only be able to remove their own keys) later on, how do I tell GnuPG to use a certain DN to bind? Also, will --passphrase-fd read the password for LDAP login?

Regards,
Walter

_______________________________________________
Gnupg-users mailing list
http://lists.gnupg.org/mailman/listinfo/gnupg-users
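The slapd log above shows that the "by * write" ACL did grant write (the entry's mask is write(=wrscx)), yet the MOD still returned err=8, which is the LDAP strongerAuthRequired result code, so the rejection did not come from the ACL. Regardless of what caused it, an ACL that lets anonymous binds add, modify and delete keys should not survive into production. The following slapd.conf fragment is an added example, not part of Walter's message or of David Shaw's guide; it assumes the suffix dc=private and the keyspace ou=PGP Keys,dc=private visible in the log, and the userPassword attribute is assumed to exist only if users bind with simple passwords. It shows the wide-open rule beside a version that keeps the server readable to anonymous clients (which is what gpg needs for the PGPServerInfo lookup and for --recv-keys) while requiring an authenticated bind for any write:

```conf
# Added example, not from the original mailing-list message.
# Assumes suffix dc=private and keyspace ou=PGP Keys,dc=private (from the slapd log).

# Weak (what was in place while testing): any client, including an anonymous
# bind, may add, modify or delete any key.
#
#   access to *
#           by * write

# Hardened: passwords are never readable, anonymous clients may read and
# search keys, only authenticated users may write to the key space, and
# everything else (including cn=PGPServerInfo,dc=private) stays readable.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to dn.subtree="ou=PGP Keys,dc=private"
        by users write
        by * read

access to *
        by * read
```

Two caveats. First, "by users write" only distinguishes authenticated from anonymous; it still lets any authenticated user delete someone else's key, so the stated goal (users may only remove their own keys) needs an additional rule that ties each pgpCertID entry to the DN that owns it, which this fragment does not attempt. Second, ACL order matters in slapd: the first "access to" clause whose target matches is the one applied, so the attrs=userPassword and the key-space clauses must appear before the catch-all.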
