On Tue, 21 Feb 2006, David Shaw wrote:

> On Tue, Feb 21, 2006 at 01:15:08AM +0100, Walter Haidinger wrote:
> > On Mon, 20 Feb 2006, David Shaw wrote:
> >
> > > LDAP had TLS support back in 1.3.5. HTTP and FTP just got TLS support
> > > in 1.4.3. At one point, I started documenting the new options and
> > > stopped because the man page would be enormous. At some point, I'll
> > > probably make a "gpgkeys" man page so as to not grow the main "gpg"
> > > page too much.
> >
> > Well, at least some hints that TLS support exists at all would have
> > been useful! ;-) (*)
>
> It's in the NEWS file for 2004-02-26, but it's true there wasn't any
> way to know how to turn it on without reading the source...
I have to admit, I haven't read NEWS either. Had a brief look at
gpgkeys_ldap.c but did not notice the TLS keyserver options (if they're
there).

> > > An LDAP keyserver would be useful as a company keyserver where people
> > > inside the company IP range or an administrator can add keys, and the
> > > rest of the world can just read.
> >
> > That eliminates tcp-wrapping. You'd have to grant write access by
> > using the peername statement in the access <who> field, right?
>
> Yes. Something like peername.ip=192.168.1.0%255.255.255.0 to specify
> the "inside the company" range for those who can write.

I see, but I'd rather have IP-based access control handled by either
tcp-wrappers or firewall rules. Read/write access should be governed by
user authentication, IMHO.

> The problem here is remote authentication. Each user would need some
> way to authenticate to the LDAP server to give them the delete
> ability.

Every user could get his own DN just for authentication, like
dn="uid=username,ou=pgpusers,dc=example"

> LDAP can do this, of course, and GPG doesn't care one way or
> the other, but how would you handle password distribution for each
> user?

Why not give out initial passwords for DNs like the above and let people
change the userPassword attribute using either ldapmodify or a frontend?
Then, each user would have to specify his login DN to access his keys.

Walter
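The two access models discussed in this exchange (write access by company IP range via peername, versus per-user DN authentication with self-managed userPassword), written out as OpenLDAP slapd.conf ACLs. This is an added illustration, not configuration posted in the thread; the tree layout under dc=example, the ou=pgpkeys subtree and the owner attribute on key entries are assumptions.

```conf
# Added example, not from the thread. Assumed layout:
#   ou=pgpkeys,dc=example   - key entries served to gpg
#   ou=pgpusers,dc=example  - one uid=<username> entry per user, used only to bind
# slapd evaluates "access to" directives in order and uses the FIRST one whose
# target matches the entry, so enable only one of the two pgpkeys directives.

# Model 1 (David): hosts inside the company netmask may add keys,
# everyone else, including the Internet, may only read.
access to dn.subtree="ou=pgpkeys,dc=example"
    by peername.ip=192.168.1.0%255.255.255.0 write
    by * read

# Model 2 (Walter): IP filtering is left to tcp-wrappers or the firewall;
# a key entry is writable only by the DN named in its "owner" attribute
# (assumed attribute, set when the entry is created). Anyone may read.
access to dn.subtree="ou=pgpkeys,dc=example"
    by dnattr=owner write
    by * read

# Password distribution for model 2: each user changes only their own
# userPassword after the initial one is handed out. "auth" lets an
# unauthenticated bind compare the password without ever reading it.
access to dn.subtree="ou=pgpusers,dc=example" attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Everything else under the user entries is readable by authenticated users
# only, so the outside world cannot enumerate accounts.
access to dn.subtree="ou=pgpusers,dc=example"
    by self write
    by users read
    by * none
```

With model 2, a user who wants to modify his keys binds with uid=username,ou=pgpusers,dc=example and the password he set via ldapmodify; reads need no bind at all.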
