dirmngr: LDAP search by a mailbox now ignores revoked keys.

* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Ignore revoked and disable keys in mail mode. -- The LDAP schema has a revoked and a disabled flag. The former will be set if a revoked key is uploaded; the latter can be set by other means. With this change a search by mailbox does not anymore return keys with these LDAP attributes set. This allows to better maintain a directory with multiple keys per mailbox. Doing the same for expired keys could also be done but requires more effort. Signed-off-by: Werner Koch <wk@gnupg.org>
2025-01-30 16:17:02 +01:00 · 2021-05-17 15:35:27 +02:00 · 2021-05-17 15:35:27 +02:00 · b6f8cd7eef
commit b6f8cd7eef
parent 987b816860
1 changed files with 2 additions and 1 deletions
--- a/dirmngr/ks-engine-ldap.c
+++ b/dirmngr/ks-engine-ldap.c
@ -379,7 +379,8 @@ keyspec_to_ldap_filter (const char *keyspec, char **filter, int only_exact,
      else
        p = freeme;
      if ((serverinfo & SERVERINFO_SCHEMAV2))
-        f = xasprintf ("(gpgMailbox=%s)", p);
+        f = xasprintf ("(&(gpgMailbox=%s)(!(|(pgpRevoked=1)(pgpDisabled=1))))",
+                       p);
      else if (!only_exact)
        f = xasprintf ("(pgpUserID=*<%s>*)", p);
      break;