security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-07-03 22:56:33 +02:00
Code Activity

dirmngr: Support new gpgNtds parameter in LDAP keyserver URLs.

Browse source 
* dirmngr/ldap-parse-uri.c (ldap_parse_uri): Support a new gpgNtds
extension.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Do ldap_init always with
hostname - which is NULL and thus the same if not given.  Fix minor
error in error code handling.
--

Note that "gpgNtds" is per RFC-4512 case insensitive and has not yet
been officially regisetered.  Thus for correctness the OID can be
used:

  1.3.6.1.4.1.11591.2.5          LDAP URL extensions
  1.3.6.1.4.1.11591.2.5.1          gpgNtds=1 (auth. with current user)

Note that the value must be 1; all other values won't enable AD
authentication and are resevered for future use.
This commit is contained in:
Werner Koch 2021-02-17 17:31:36 +01:00
parent cdc828f690
commit 55f46b33df
No known key found for this signature in database
GPG key ID: E3FDFF218E45B72B
4 changed files with 32 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

2
doc/dirmngr.texi
View file

@ -332,6 +332,8 @@ built-in default of @code{hkps://hkps.pool.sks-keyservers.net}.
Windows users with a keyserver running on their Active Directory
should use @code{ldap:///} for @var{name} to access this directory.
As an alternative it is also possible to add @code{gpgNtds=1} as
extension (i.e. after the fourth question mark).
For accessing anonymous LDAP keyservers @var{name} is in general just
a @code{ldaps://ldap.example.com}. A BaseDN parameter should never be

14
doc/gpg.texi
View file

@ -1910,13 +1910,13 @@ Use @var{name} as your keyserver. This is the server that
will communicate with to receive keys from, send keys to, and search for
keys on. The format of the @var{name} is a URI:
`scheme:[//]keyservername[:port]' The scheme is the type of keyserver:
"hkp" for the HTTP (or compatible) keyservers, "ldap" for the LDAP
keyservers, or "mailto" for the Graff email keyserver. Note that your
particular installation of GnuPG may have other keyserver types
available as well. Keyserver schemes are case-insensitive. After the
keyserver name, optional keyserver configuration options may be
provided. These are the same as the global @option{--keyserver-options}
from below, but apply only to this particular keyserver.
"hkp"/"hkps" for the HTTP (or compatible) keyservers or "ldap"/"ldaps"
for the LDAP keyservers. Note that your particular installation of
GnuPG may have other keyserver types available as well. Keyserver
schemes are case-insensitive. After the keyserver name, optional
keyserver configuration options may be provided. These are the same as
the global @option{--keyserver-options} from below, but apply only to
this particular keyserver.
Most keyservers synchronize with each other, so there is generally no
need to send keys to more than one server. The keyserver