
[PATCH gnupg] dirmngr: Interrogate LDAP server when base DN specified
Patch attached, related to https://dev.gnupg.org/T6047

Description copied below:
* dirmngr/ks-engine-ldap.c
(interrogate_ldap_dn): refactored out of my_ldap_connect
(my_ldap_connect): interrogate LDAP server when basedn specified

--
This patch implements the first proposed solution in bug 6047. Using
the old logic, if a base DN is specified in dirmngr, then dirmngr would
force usage of schema version 1 instead of checking if the LDAP server
is capable of version 2. With the new functionality, dirmngr will first
check if the provided base DN has a `cn=PGPServerInfo` as a direct
descendant. If the PGPServerInfo entry is not found immediately, it
then does a search again in the parent DN. The second search is useful
for backwards compatibility since any users that had specified a base
DN likely were pointing directly to the pgp keyspace DN, which is
commonly a sibling of PGPServerInfo.

Note that dirmngr does not seem to update/replace LDAP entries, so if a
user wants to update their keys from schema V1 to V2, they will need to
manually delete the entry before re-sending the keys.
Re: [PATCH gnupg] dirmngr: Interrogate LDAP server when base DN specified
Joey Berkovitz wrote:
> Patch attached, related to https://dev.gnupg.org/T6047

I tried to apply your patch, but I found questionable parts in your
patch. So, to proceed, firstly, I pushed a change of factoring to
interrogate_ldap_dn function (993820c31521).

Questionable parts for me are:

* ldap_count_entries is a function name. I don't understand "if"
statement evaluating ldap_count_entries.

* IIUC, with user specified base DN, it may introduce a memory leak for
basedn.

Fixing those things, I think that changes needed will be something like
the patch attached.

Could you test if it works well?
--
Re: [PATCH gnupg] dirmngr: Interrogate LDAP server when base DN specified
Thanks. I modified the proposed patch slightly - changing it to still
duplicate the user provided basedn. To avoid the mentioned memory
leak, in interrogate_ldap_dn, I check if the provided pointer is set,
and if so, free it.
I think it's preferable to use the user-provided basedn as a fallback:
in case the provided LDAP DN doesn't have a PGPServerInfo, gpg would
just fall back to V1-schema operations, treating the provided DN as the
keyspace DN (as GPG currently operates now).

Example LDAP schema: dc=pgp,dc=example,dc=org
- cn=PGPServerInfo (pgpVersion = 2, pgpBaseKeySpaceDN = ou=GnuPG
Keys,dc=pgp,dc=example,dc=org)
- ou=GnuPG Keys

Some test cases are:
- No PGPServerInfo entry (as described above) - pushing a key
results in keys stored in the provided DN (ex: ou=GnuPG
Keys,dc=pgp,dc=example,dc=org)
- PGPServerInfo entry, and user provided entry corresponds to
keyspace DN (ex: ou=GnuPG Keys,dc=pgp,dc=example,dc=org) - pushing a
key results in keys stored in the provided DN, but schema V2 is used
if support is indicated
- PGPServerInfo entry, and user provided entry corresponds to
PGPServerInfo parent (ex: dc=pgp,dc=example,dc=org) - keyspace DN
auto-detected, keys pushed there, schema V2 used if supported

I tested those three cases with the attached patch. The second case
would just enable backwards compatibility, so anyone using a hardcoded
basedn would auto-upgrade to schema V2 if they have a PGPServerInfo
entry indicating support. The third case would probably represent how
future configs should be set - the provided base DN doesn't need to
correspond to the keyspace DN if the PGPServerInfo entry exists.

Best,
Joey Berkovitz

On Mon, Sep 26, 2022 at 9:54 PM NIIBE Yutaka <gniibe@fsij.org> wrote:
>
> Joey Berkovitz wrote:
> > Patch attached, related to https://dev.gnupg.org/T6047
>
> I tried to apply your patch, but I found questionable parts in your
> patch. So, to proceed, firstly, I pushed a change of factoring to
> interrogate_ldap_dn function (993820c31521).
>
> Questionable parts for me are:
>
> * ldap_count_entries is a function name. I don't understand "if"
> statement evaluating ldap_count_entries.
>
> * IIUC, with user specified base DN, it may introduce a memory leak for
> basedn.
>
> Fixing those things, I think that changes needed will be something like
> the patch attached.
>
> Could you test if it works well?
> --
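As an added illustration of the lookup order described in this thread (the direct-child search for `cn=PGPServerInfo`, the parent-DN search for backwards compatibility, and the V1 fallback with the user-provided base DN as keyspace), here is a small Python model run over a constructed in-memory directory. It is not GnuPG's or dirmngr's code: the dict-based directory, the DN splitting, the function names (`interrogate_ldap_dn`, `find_serverinfo`, `split_dn`) and the assumption that a `pgpVersion` of "2" selects schema V2 with the keyspace taken from `pgpBaseKeySpaceDN` are all the example's own.

```python
"""Added example (not GnuPG's code): the PGPServerInfo lookup order the
thread describes, run over a constructed in-memory LDAP tree.

Assumptions (the example's own): entries are a dict of DN -> attributes,
DNs are compared case-insensitively after a minimal RFC 4514 split, and a
pgpVersion attribute of "2" selects schema V2 with the keyspace taken from
pgpBaseKeySpaceDN. All function names are invented for this example."""

from dataclasses import dataclass
from typing import Optional

# Constructed directory mirroring the example tree from the thread.
DIRECTORY_WITH_SERVERINFO = {
    "dc=pgp,dc=example,dc=org": {"objectClass": ["domain"]},
    "cn=PGPServerInfo,dc=pgp,dc=example,dc=org": {
        "objectClass": ["pgpServerInfo"],
        "pgpVersion": ["2"],
        "pgpBaseKeySpaceDN": ["ou=GnuPG Keys,dc=pgp,dc=example,dc=org"],
    },
    "ou=GnuPG Keys,dc=pgp,dc=example,dc=org": {"objectClass": ["organizationalUnit"]},
}

# Same tree with no PGPServerInfo entry: the V1 fallback case.
DIRECTORY_WITHOUT_SERVERINFO = {
    dn: attrs for dn, attrs in DIRECTORY_WITH_SERVERINFO.items()
    if not dn.startswith("cn=PGPServerInfo,")
}


def split_dn(dn: str) -> list[str]:
    """Split a DN into RDNs, honouring backslash-escaped commas (RFC 4514 subset)."""
    rdns: list[str] = []
    cur: list[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def parent_dn(dn: str) -> str:
    """Drop the leftmost RDN; returns '' when dn is already a single RDN."""
    return ",".join(split_dn(dn)[1:])


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: trimmed RDNs, case-folded (cn/dc/ou are caseIgnore)."""
    return ",".join(split_dn(dn)).lower()


@dataclass
class KeyspaceConfig:
    schema_version: int            # 1 or 2
    keyspace_dn: str               # where keys are stored and searched
    serverinfo_dn: Optional[str]   # PGPServerInfo entry that was honoured, if any


def find_serverinfo(directory, dn):
    """Return (entry DN, attrs) if cn=PGPServerInfo is a direct child of dn, else None."""
    wanted = normalize_dn(f"cn=PGPServerInfo,{dn}")
    for entry_dn, attrs in directory.items():
        if normalize_dn(entry_dn) == wanted:
            return entry_dn, attrs
    return None


def interrogate_ldap_dn(directory, basedn):
    """Lookup order from the thread: direct child first, then the parent DN
    (basedn pointing at the keyspace, a sibling of PGPServerInfo), then
    fall back to V1 with the user-provided basedn as the keyspace."""
    hit = find_serverinfo(directory, basedn)
    if hit is None and parent_dn(basedn):
        hit = find_serverinfo(directory, parent_dn(basedn))
    if hit is None:
        return KeyspaceConfig(1, basedn, None)
    si_dn, attrs = hit
    version = attrs.get("pgpVersion", ["1"])[0]
    keyspace = attrs.get("pgpBaseKeySpaceDN", [basedn])[0]
    return KeyspaceConfig(2 if version.startswith("2") else 1, keyspace, si_dn)


if __name__ == "__main__":
    # The three test cases from the thread.
    for label, directory, basedn in [
        ("no PGPServerInfo", DIRECTORY_WITHOUT_SERVERINFO, "ou=GnuPG Keys,dc=pgp,dc=example,dc=org"),
        ("basedn = keyspace DN", DIRECTORY_WITH_SERVERINFO, "ou=GnuPG Keys,dc=pgp,dc=example,dc=org"),
        ("basedn = parent DN", DIRECTORY_WITH_SERVERINFO, "dc=pgp,dc=example,dc=org"),
    ]:
        print(f"{label:22s} -> {interrogate_ldap_dn(directory, basedn)}")
```

Running the script prints the resolved schema version and keyspace for each of the three cases Joey lists; the parent-DN step is what lets a configuration that hard-codes the keyspace DN pick up schema V2 once a `PGPServerInfo` sibling advertises it, and a base DN with no such entry anywhere stays on V1 with the configured DN as keyspace.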
Re: [PATCH gnupg] dirmngr: Interrogate LDAP server when base DN specified
Hello,

Joey Berkovitz <joeyberkovitz@gmail.com> wrote:
> I tested those three cases with the attached patch.

Thank you. Applied and pushed.

Over your change, I applied another change to simplify the code.

It is tracked at:
https://dev.gnupg.org/T6047
--

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-devel