mirror of git://git.gnupg.org/gnupg.git synced 2025-01-02 12:01:32 +01:00

doc: Update description of LDAP keyservers

--

(cherry picked from commit 7c4b0eda7462cecf230aba8472d264593257dd0d)
Werner Koch 2021-05-28 15:50:58 +02:00
parent 58e4c82512
commit 0426e6e869
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B


@ -334,25 +334,40 @@ If no keyserver is explicitly configured, dirmngr will use the
built-in default of @code{hkps://hkps.pool.sks-keyservers.net}.
Windows users with a keyserver running on their Active Directory
should use @code{ldap:///} for @var{name} to access this directory.
As an alternative it is also possible to add @code{gpgNtds=1} as
extension (i.e. after the fourth question mark).
may use the short form @code{ldap:///} for @var{name} to access this directory.
For accessing anonymous LDAP keyservers @var{name} is in general just
a @code{ldaps://ldap.example.com}. A BaseDN parameter should never be
specified. If authentication is required the value of @var{name} is
for example:
specified. If authentication is required things are more complicated
and two methods are available:
The modern method (since version 2.2.28) is to use the very same syntax
as used with the option @option{--ldapserver}. Please see over
there for details; here is an example:
@example
keyserver ldap:ldap.example.com::uid=USERNAME,ou=GnuPG Users,
dc=example,dc=com:PASSWORD::starttls
@end example
The other method is to use a full URL for @var{name}; for example:
@example
keyserver ldaps://ldap.example.com/????bindname=uid=USERNAME
%2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=PASSWORD
@end example
Put this all on one line without any spaces and keep the '%2C' as given.
Replace USERNAME, PASSWORD, and the 'dc' parts according to the
instructions received from the LDAP administrator. Note that only
simple authentication (i.e. cleartext passwords) is supported and thus
using ldaps is strongly suggested.
Put this all on one line without any spaces and keep the '%2C'
as given. Replace USERNAME, PASSWORD, and the 'dc' parts
according to the instructions received from your LDAP
administrator. Note that only simple authentication
(i.e. cleartext passwords) is supported and thus using ldaps is
strongly suggested (since 2.2.28 "ldaps" defaults to port 389
and uses STARTTLS). On Windows authentication via AD can be
requested by adding @code{gpgNtds=1} after the fourth question
mark instead of the bindname and password parameter.
@item --nameserver @var{ipaddr}
@opindex nameserver
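Review bot: the parenthetical "since 2.2.28 "ldaps" defaults to port 389 and uses STARTTLS" near the end of the hunk is likely to mislead, because "ldaps" conventionally denotes LDAP over TLS on port 636; since the same paragraph recommends ldaps precisely because only simple (cleartext password) authentication is supported, spell out which URL scheme or @option{--ldapserver} flag yields implicit TLS on 636 and which yields STARTTLS on 389, so that a reader cannot end up sending a bind password over a plain connection by picking the wrong form. A smaller point: the first @example (the @option{--ldapserver} syntax) is wrapped across two lines exactly like the URL example, but the "Put this all on one line without any spaces" instruction only follows the second; repeat that note after the first example, or the line break will be copied into dirmngr.conf. "Please see over there for details" would read better as "See that option for details".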