From 1406f551f1e00a03eabf5b8bd3011bf6393ce318 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Mon, 17 May 2021 15:35:27 +0200 Subject: [PATCH] dirmngr: LDAP search by a mailbox now ignores revoked keys. * dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Ignore revoked and disable keys in mail mode. -- The LDAP schema has a revoked and a disabled flag. The former will be set if a revoked key is uploaded; the latter can be set by other means. With this change a search by mailbox does not anymore return keys with these LDAP attributes set. This allows to better maintain a directory with multiple keys per mailbox. Doing the same for expired keys could also be done but requires more effort. Signed-off-by: Werner Koch --- dirmngr/ks-engine-ldap.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dirmngr/ks-engine-ldap.c b/dirmngr/ks-engine-ldap.c index 67c456ce3..15def111c 100644 --- a/dirmngr/ks-engine-ldap.c +++ b/dirmngr/ks-engine-ldap.c @@ -379,7 +379,8 @@ keyspec_to_ldap_filter (const char *keyspec, char **filter, int only_exact, else p = freeme; if ((serverinfo & SERVERINFO_SCHEMAV2)) - f = xasprintf ("(gpgMailbox=%s)", p); + f = xasprintf ("(&(gpgMailbox=%s)(!(|(pgpRevoked=1)(pgpDisabled=1))))", + p); else if (!only_exact) f = xasprintf ("(pgpUserID=*<%s>*)", p); break;
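Review bot: the revoked/disabled exclusion is only applied in the `SERVERINFO_SCHEMAV2` branch; the `else if (!only_exact)` fallback still builds `(pgpUserID=*<%s>*)` with no exclusion, so on a server without the v2 schema a mailbox search will keep returning revoked and disabled keys, which does not match the commit message's unqualified claim that "a search by mailbox does not anymore return keys with these LDAP attributes set". The attributes used here are the legacy `pgpRevoked`/`pgpDisabled` names (same family as `pgpUserID`), so the same `(&...(!(|(pgpRevoked=1)(pgpDisabled=1))))` wrapper could be applied to the fallback filter as well, or the commit message and NEWS/documentation should state that the filtering is v2-schema only. Also worth a note in the docs that keys lacking these attributes are still returned, since `(!(|...))` only excludes entries where one of them is explicitly `1`.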