On Mon, Feb 20, 2006 at 11:14:33PM +0100, Walter Haidinger wrote:
> On Mon, 20 Feb 2006, David Shaw wrote:
>
> > Here's a rough guide for OpenLDAP:
> [--cut--]
>
> Thanks, no problem following the guide.
>
> > The configuration above obviously allows anyone to write/delete keys.
>
> I'll add appropriate access rules once key import/export works.
> However, I'm having trouble with authentication (see below), despite
> having removed all restrictions (allow * by * write).
>
> > Note that GPG will use TLS or LDAPS just fine if you want to use that.
>
> TLS too? How do I tell GnuPG to use TLS over port 389 (ldap://)?
Try for TLS, and do nothing if TLS can't start:

  keyserver-options tls=try

Try for TLS, and print a warning if TLS can't start:

  keyserver-options tls=warn

Try for TLS, and fail if TLS can't start:

  keyserver-options tls=require

If you want to use a particular certificate file:

  keyserver-options ca-cert-file=/path/to/the/file

If you don't want to check the certificate chain (default is to check it):

  keyserver-options no-check-cert

(Incidentally, the new keyserver handlers in 1.4.3 can do SSL and TLS
for HTTP and FTP as well.)

> When I try to import my first key, I get the following:
>
> > gpg --keyserver "ldap://ldap.private" --keyserver-options verbose \
> --keyserver-options verbose --send-keys 5802B67C
> gpg: sending key 5802B67C to ldap server ldap.private
> Host: ldap.private
> Command: SEND
> Server: OpenLDAP slapd
> Version: 2.2.27
> gpgkeys: error adding key 5802B67C to keyserver: Strong(er)
> authentication required

You could probably use an "allow update_anon" in slapd.conf.

> Also, will --passphrase-fd read the password for LDAP login?

No. There isn't really a strong notion of authentication for keyservers
beyond IP restriction in the server at the moment. In fact, the current
LDAP code doesn't explicitly bind at all. The assumption is that any
server we're likely to run into is V3 (or that odd NAI semi-LDAP
keyserver that's not really used any longer), and doesn't need a bind.

I'm not against adding authentication, but I'd want to know more about
what you're doing. There are not too many people running their own LDAP
servers with OpenPGP keys on them. I'd love to hear how it goes.

David

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
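A worked example of both sides of the setup discussed in the thread above (the GnuPG keyserver-options and the slapd.conf "allow update_anon" suggestion), added here by the editor; it is not code from David's or Walter's messages. The server name ldap.private comes from the thread; the certificate paths, the CA file and the 192.168.1.0/24 "trusted writers" subnet are assumptions chosen for illustration. It also shows the caveat David raises: because gpg's LDAP handler never binds, the only server-side control on who may add or delete keys is restriction by client address.

```conf
# --- Client side: ~/.gnupg/gpg.conf (added example, GnuPG 1.4.3-era options) ---
# Talk to the OpenLDAP keyserver on plain port 389 and upgrade with STARTTLS.
keyserver ldap://ldap.private
# tls=require: abort the operation if TLS cannot be started, so a key
# submission never travels in the clear.
# ca-cert-file: the CA that signed the server certificate (path is assumed).
keyserver-options tls=require ca-cert-file=/etc/ssl/certs/ldap-ca.pem
# Leave the default certificate-chain check on: do NOT add no-check-cert here,
# or a spoofed ldap.private would be accepted silently.

# --- Server side: /etc/openldap/slapd.conf (added example, OpenLDAP 2.2) ---
# Certificates used to serve STARTTLS on port 389 (paths are assumptions).
TLSCACertificateFile  /etc/ssl/certs/ldap-ca.pem
TLSCertificateFile    /etc/ssl/certs/ldap.private.crt
TLSCertificateKeyFile /etc/ssl/private/ldap.private.key

# gpg does not bind, so a SEND arrives as an anonymous update. Without this
# the server rejects it, which is what David's reply suggests the
# "Strong(er) authentication required" error is reflecting.
allow update_anon

# Replaces the wide-open "access to * by * write" from the thread.
# Since no bind happens, the only way to limit who may add or delete keys
# is by client address (peername.ip takes <addr>%<netmask> in 2.2), and
# tls_ssf=128 additionally refuses writes that did not start TLS.
# Everyone else may only read (look up and fetch) keys.
access to *
        by peername.ip=192.168.1.0%255.255.255.0 tls_ssf=128 write
        by * read
```

After changing slapd.conf, restart slapd and re-run Walter's `gpg --send-keys` with `--keyserver-options verbose`: a client outside the subnet, or one that could not start TLS, should now get an "insufficient access" style error from the server rather than succeeding, while `--recv-keys` keeps working from anywhere.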