mirror of git://git.gnupg.org/gnupg.git synced 2025-07-02 22:46:30 +02:00

gpgsm: Allow specification of ldaps servers.

* sm/gpgsm.h (struct keyserver_spec): Add field use_ldaps.
* sm/gpgsm.c (parse_keyserver_line): Parse flags.
* sm/call-dirmngr.c (prepare_dirmngr): Send ldaps flag to the dirmngr.

* dirmngr/dirmngr.h (struct ldap_server_s): Add field use_ldaps.
* dirmngr/ldapserver.c (ldapserver_parse_one): Parse flags.
* dirmngr/ldap.c (start_cert_fetch_ldap): Call wrapper with --tls.

* dirmngr/dirmngr_ldap.c: New option --tls.
(fetch_ldap): Make use of that option.
--

There was no way to specify an LDAPS server in
dirmngr_ldapservers.conf or with gpgsm's --keyserver option.  This
patch fixes this.  Eventually we should allow replacing host and port
with a partial URI in the same way ldap_initialize does it.  For backward
compatibility we do not yet do that.

Although the dirmngr code accepts a URL (e.g. taken from a
certificate), I can't see how the scheme was ever used.  Thus the
patch also detects an ldaps scheme and uses this.  That part has not
been tested, though.

Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch 2019-11-09 11:29:59 +01:00
parent 2b9d399cf0
commit 6e1c99bc39
GPG key ID: E3FDFF218E45B72B
9 changed files with 145 additions and 17 deletions

@ -406,10 +406,14 @@ client for its session. The default value for @var{file} is
This server list file contains one LDAP server per line in the format
@sc{hostname:port:username:password:base_dn}
@sc{hostname:port:username:password:base_dn:flags}
Lines starting with a @samp{#} are comments.
The only defined flag is @code{ldaps} to specify that a TLS
connections shall be used. Flags are comma delimited; unknown flags
are ignored.
Note that as usual all strings entered are expected to be UTF-8 encoded.
Obviously this will lead to problems if the password has originally been
encoded as Latin-1. There is no other solution here than to put such a
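Review bot: "unknown flags are ignored" in the added sentence after the new @sc{hostname:port:username:password:base_dn:flags} line makes a misspelled flag fail open: a server line whose flags field contains, say, "ldap" or "ldaps," with a stray character would silently be used without TLS, and the username and password from the same line would go over the wire in the clear. Suggest that dirmngr log a warning for every unrecognised flag (and say so here), so a configuration error shows up as a diagnostic instead of a quiet downgrade. Grammar nit in the same sentence: "to specify that a TLS connections shall be used" should read "that a TLS connection shall be used".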

@ -356,13 +356,27 @@ Note that the @command{dirmngr} can in addition be configured with a
default list of LDAP servers to be used after those configured with
this option. The syntax of @var{string} is:
@sc{hostname:port:username:password:base_dn}
@sc{hostname:port:username:password:base_dn:flags}
The only defined flag is @code{ldaps} to specify that a TLS
connections shall be used. Flags are comma delimited; unknown flags
are ignored.
Note that all parts of that string are expected to be UTF-8 encoded.
This may lead to problems if the @sc{password} has originally been
encoded as Latin-1; in such a case better configure this LDAP server
encoded as Latin-1; in such a case better configure tsuch an LDAP server
using the global configuration of @command{dirmngr}.
Here is an example which uses the default port, no username, no
password, and requests a TLS connection:
@c man:.RS
@example
--keyserver ldap.pca.dfn.de::::o=DFN-Verein,c=DE:ldaps
@end example
@c man:.RE
@item --policy-file @var(unknown)
@opindex policy-file
Change the default name of the policy file to @var(unknown). The
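Review bot: the rewritten line "in such a case better configure tsuch an LDAP server" introduces a typo; it should read "configure such an LDAP server" (the line it replaces had it right). Same grammar nit as in the dirmngr text: "a TLS connections shall be used" should be "a TLS connection shall be used". The example "--keyserver ldap.pca.dfn.de::::o=DFN-Verein,c=DE:ldaps" is introduced as using "the default port" while requesting TLS; the paragraph should state which port an empty port field selects for an ldaps entry (636 or still the plain LDAP port), since leaving the field empty is the only way to get the default and a reader cannot tell from this text.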