On Thu, 23 Feb 2006, Walter Haidinger wrote:
> Attached is tarball with the files for OpenLDAP configuration,
> to which will be referred to below. I hope this doesn't violate
> the rules of this list but the attachment is very small anyways.
I've uploaded the tarball to my
Walter Haidinger schrieb:
> Used software: OpenLDAP 2.2.27, run under SuSE 10.0
> GnuPG 1.4.3rc1 (subversion revision 4020).
>
> If you don't want to wait until 1.4.3 is officially released,
> grab yourself a copy from svn:
>> svn co svn://cvs.gnupg.org/gnupg/trunk
A
On Thu, 23 Feb 2006, David Shaw wrote:
> On Thu, Feb 23, 2006 at 05:01:08PM +0100, Walter Haidinger wrote:
>
> Thanks for writing this up! I will certainly be pointing people to
> this when they ask in the future.
Hopefully the setup of an LDAP PGP keyserver will be officially
owto is helpful and somewhat
complete! Good luck setting up your PGP keyserver with OpenLDAP.
I'd be glad if someone could verify the steps so that there are no
glitches. Comments, notes, questions or else are appreciated.
Last but not least a final request: Please add a CC: to my email
address
On Thu, February 23, 2006 16:22, David Shaw wrote:
>> What is wrong here?
>
> keyserver-options. Not keyserver-option. The 's' is part of the
> option name. It works on the command line for convenience, but the
> config file must be strict.
Thanks.
I've just read the following from the manpag
On Thu, February 23, 2006 14:03, David Shaw wrote:
> --keyserver-option "binddn=\"uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM\""
I've got yet another problem when I put keyserver-options into
~/.gnupg/gpg.conf, like:
> nl -b a ~/.gnupg/gpg.conf | tail -5
225 keyserver ldap://localhost
226 k
On Thu, February 23, 2006 14:03, David Shaw wrote:
> Not a bug - you're quoting it wrong in the shell. It takes a lot to
> make the shell not eat stuff sometimes:
>
> --keyserver-option "binddn=\"uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM\""
>
> That is, quote the value, not the name=value. The pa
On Thu, February 23, 2006 00:28, David Shaw wrote:
>> Next release of 1.4.x or 1.9.x?
>
> 1.4.3. I've added the new feature, so you could probably grab the
> gpgkeys_ldap.c from svn and use it in your 1.4.2 if you like. There
> aren't significant changes to the keyserver protocol between the two.
On Thu, February 23, 2006 04:24, David Shaw wrote:
>> Does GnuPG support remote keyrings?
>
> No, unless it's via a remote filesystem (NFS, SMB, some magic with
> fuse, etc).
Well, would have been nice, though. I'll stick to rsync to distribute
secret keyrings then.
>> This is a general limitatio
On Wed, 22 Feb 2006, David Shaw wrote:
> It's a bit more complex than that - what LDAP (and any keyserver) does
> is provide the key itself. That key is then imported and lives
> locally from then on until it is deleted. There would need to be
> cleanup after use or keys would be left behind.
Alphax wrote:
> Isn't this what Kerberos was designed for?
No, Kerberos is only an authentication protocol.
I'm talking about _storing_ secret keyrings on LDAP.
What if you access your email by IMAP only? Each MUA with GnuPG support
(e.g. Thunderbird with Enigmail plugin) could then use the publ
On Tue, 21 Feb 2006, David Shaw wrote:
> > If GnuPG could also store secret keys (btw, can it? have never checked)
>
> It's theoretically possible, but no keyserver works that way.
Probably not for HTTP keyservers, but for LDAP offering strong
authentication and TLS/SSL?
A remotely accessible,
On Tue, 21 Feb 2006, David Shaw wrote:
> > > The problem here is remote authentication. Each user would need some
> > > way to authenticate to the LDAP server to give them the delete
> > > ability.
> >
> > Every user could get this own DN just for authentication, like
> > dn="uid=username,ou=
On Tue, 21 Feb 2006, David Shaw wrote:
> On Tue, Feb 21, 2006 at 11:12:32PM +0100, Walter Haidinger wrote:
> > On Tue, 21 Feb 2006, David Shaw wrote:
> >
> > > > because GnuPG looks for PGPServerInfo under the base DN,
> > > > not under dn="ou=PGP Keys
On Tue, 21 Feb 2006, David Shaw wrote:
> On Tue, Feb 21, 2006 at 01:15:08AM +0100, Walter Haidinger wrote:
> > On Mon, 20 Feb 2006, David Shaw wrote:
> >
> > > LDAP had TLS support back in 1.3.5. HTTP and FTP just got TLS support
> > > in 1.4.3. At one poi
On Tue, 21 Feb 2006, David Shaw wrote:
> > because GnuPG looks for PGPServerInfo under the base DN,
> > not under dn="ou=PGP Keys,dc=DOMAIN,dc=COM".
>
> Not exactly. It looks for PGPServerInfo under each DN returned from
> namingContexts in order. It may well check for
> "cn=PGPServerInfo,dc=DOM
David Shaw wrote:
> 5) Make this file:
>
> cat > pgp.ldif
> dn: ou=PGP Keys,dc=DOMAIN,dc=COM
> objectclass: organizationalUnit
> ou: PGP Keys
>
> dn: cn=PGPServerInfo,ou=PGP Keys,dc=DOMAIN,dc=COM
Change this line to:
dn: cn=PGPServerInfo,dc=DOMAIN,dc=COM
because GnuPG looks for PGPServerInfo unt
On Mon, 20 Feb 2006, David Shaw wrote:
> LDAP had TLS support back in 1.3.5. HTTP and FTP just got TLS support
> in 1.4.3. At one point, I started documenting the new options and
> stopped because the man page would be enormous. At some point, I'll
> probably make a "gpgkeys" man page so as to
On Mon, 20 Feb 2006, David Shaw wrote:
> > TLS too? How to tell GnuPG to use TLS over port 389 (ldap://)?
>
> Try for TLS, and do nothing if TLS can't start:
> keyserver-options tls=try
>
> Try for TLS, and print a warning if TLS can't start:
> keyserver-options tls=warn
>
> Try for TLS, an
On Mon, 20 Feb 2006, David Shaw wrote:
> Here's a rough guide for OpenLDAP:
[--cut--]
Thanks, no problem following the guide.
> The configuration above obviously allows anyone to write/delete keys.
I'll add appropriate access rules once key import/export works.
However, I'm having trouble with
Peter Palfrader schrieb:
> http://asteria.noreply.org/~weasel/PGPKeyserverSchema.zip
Thanks! One question, though: Where is this schema from?
Is it the "new" one the GnuPG announcement was talking about or
is it a schema shipped with a commercial(?) keyserver?
> If you get an LDAP keyserver
Hi!
Quoting from the GnuPG-1.4.0 announcement:
"The LDAP keyserver helper now supports storing, retrieving, and
searching for keys in both the old NAI "LDAP keyserver" as well as the
more recent method to store OpenPGP keys in standard LDAP servers."
Now, I'd like to setup an OpenLDAP server to s