dirmngr: LDAP search by a mailbox now ignores revoked keys.

* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Ignore revoked
and disabled keys in mail mode.
--

The LDAP schema has a revoked and a disabled flag.  The former will be
set if a revoked key is uploaded; the latter can be set by other
means.  With this change a search by mailbox no longer returns
keys with these LDAP attributes set.  This allows a directory with
multiple keys per mailbox to be better maintained.

Doing the same for expired keys could also be done but requires more
effort.

Signed-off-by: Werner Koch <wk@gnupg.org>
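As an added example (not GnuPG's code), the three filters the mail-mode branch can produce after this change, evaluated against a constructed directory of three keys bound to one mailbox. The RFC 4515 escaping, the entry layout and the small parse/matches evaluator are assumptions of this example, not taken from the project.

```python
def entry(cert, **flags):  # constructed entry; flags stored as the string "1"/"0"
    e = {"pgpCertID": [cert], "gpgMailbox": ["alice@example.org"],
         "pgpUserID": ["Alice <alice@example.org>"]}
    e.update({k: [v] for k, v in flags.items()})
    return e

DIRECTORY = [entry("KEY-A"), entry("KEY-B", pgpRevoked="1"),
             entry("KEY-C", pgpRevoked="0", pgpDisabled="1")]

def escape(value):
    # RFC 4515 escaping (assumed here; the hunk only shows "%s" of a prepared p)
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def mail_filter(mailbox, schema_v2, only_exact):
    """The three outcomes of the mail-mode branch after this commit."""
    p = escape(mailbox)
    if schema_v2:
        return "(&(gpgMailbox=%s)(!(|(pgpRevoked=1)(pgpDisabled=1))))" % p
    if not only_exact:
        return "(pgpUserID=*<%s>*)" % p  # legacy schema: no flag exclusion
    return None

def parse(s):
    """Parse one filter into a tree; returns (node, unparsed remainder)."""
    if s[1] in "&|!":
        kids, rest = [], s[2:]
        while rest.startswith("("):
            kid, rest = parse(rest)
            kids.append(kid)
        return (s[1], kids), rest[1:]
    end = s.index(")")  # escaped values contain no literal ')'
    attr, _, val = s[1:end].partition("=")
    return ("=", attr, val), s[end + 1:]

def matches(entry, node):
    """An absent attribute fails every equality test, so (!(pgpRevoked=1))
    is true for keys that carry no pgpRevoked attribute at all."""
    if node[0] == "&": return all(matches(entry, k) for k in node[1])
    if node[0] == "|": return any(matches(entry, k) for k in node[1])
    if node[0] == "!": return not matches(entry, node[1][0])
    _, attr, val = node
    stored = [escape(v) for v in entry.get(attr, [])]
    if val.startswith("*") and val.endswith("*"):  # substring form *<x>*
        return any(val[1:-1] in v for v in stored)
    return val in stored

def search(mailbox, schema_v2=True, only_exact=False):
    """Cert IDs the directory would return for a mailbox search."""
    flt = mail_filter(mailbox, schema_v2, only_exact)
    return [] if flt is None else [e["pgpCertID"][0] for e in DIRECTORY
                                   if matches(e, parse(flt)[0])]
```

With the v2 schema only KEY-A survives; the legacy pgpUserID fallback still returns all three keys because it carries no revoked/disabled exclusion.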
Werner Koch 2021-05-17 15:35:27 +02:00
parent eeb65d3bbd
commit 1406f551f1
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
1 changed files with 2 additions and 1 deletions


@ -379,7 +379,8 @@ keyspec_to_ldap_filter (const char *keyspec, char **filter, int only_exact,
else
p = freeme;
if ((serverinfo & SERVERINFO_SCHEMAV2))
f = xasprintf ("(gpgMailbox=%s)", p);
f = xasprintf ("(&(gpgMailbox=%s)(!(|(pgpRevoked=1)(pgpDisabled=1))))",
p);
else if (!only_exact)
f = xasprintf ("(pgpUserID=*<%s>*)", p);
break;
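Review bot: the new exclusion is applied only in the SERVERINFO_SCHEMAV2 branch; the `else if (!only_exact)` fallback `f = xasprintf ("(pgpUserID=*<%s>*)", p);` still returns revoked and disabled keys, so the commit message's "a search by mailbox no longer returns keys with these LDAP attributes set" holds only for servers with the v2 schema. Either state that limitation in the message or add a comment at the fallback saying the legacy schema has no such flags to filter on. A one-line comment above the new filter would also help: the flags are matched as the literal value 1, and the negation deliberately admits entries that carry no pgpRevoked or pgpDisabled attribute at all, which is the intended behaviour but easy to misread.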