Mailing List Archive

Help setting gpgsm to do LDAP lookup
Hi,

I'm stumped getting gpgsm to lookup S/MIME certificates in my organization.
I've got a temporary working solution with ldapsearch after logging into my
VPN with NetworkManager+OpenConnect:
ldapsearch -Wt -b OU=Accounts,DC=ads,DC=foo,DC=com -D CN=jscott,OU=Accounts,DC=ads,DC=foo,DC=com '(mailNickname=[recipient])' userSMIMECertificate

This saves the signed message to a temporary file which I do gpgsm --verify on,
although the certs themselves are also stored in the userCertificate record
IIRC. ldapsearch also works if I use only LDAPv2.

My dirmngr_ldapservers.conf reads
ads.foo.com:636:ads\jscott:PassPhrase:ou=Accounts,dc=ads,dc=foo,dc=com

and to be extra safe I've put an explicit no-use-tor and ldapserverlist-file
dirmngr_ldapservers.conf in my dirmngr.conf. Reloading dirmngr and gpgsm after
getting on the VPN doesn't help.

Looking up recipients with both dirmngr-client and
gpgsm --verbose --list-external-keys [recipient]
are fruitless whether I drop the ads\ from my username or not. I've bumped the
ldaptimeout to 25. Still both commands finish instantaneously—not unlike
ldapsearch however.

$ gpgsm --debug-level expert -vvvvv --list-external-keys anything
gpgsm: enabled debug flags: x509 crypto cache ipc
gpgsm: DBG: chan_3 <- # Home: /home/john/.gnupg
gpgsm: DBG: chan_3 <- # Config: /home/john/.gnupg/dirmngr.conf
gpgsm: DBG: chan_3 <- OK Dirmngr 2.2.20 at your service
gpgsm: DBG: connection to the dirmngr established
gpgsm: DBG: chan_3 -> GETINFO version
gpgsm: DBG: chan_3 <- D 2.2.20
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> OPTION audit-events=1
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> LOOKUP anything
gpgsm: DBG: chan_3 <- OK
secmem usage: 0/16384 bytes in 0 blocks

I'm using 2.2.20 on Debian Bullseye. Other options set are add-servers in
dirmngr.conf and auto-issuer-key-retrieve in gpgsm.conf.

$ systemctl --user status dirmngr
● dirmngr.service - GnuPG network certificate management daemon
Loaded: loaded (/usr/lib/systemd/user/dirmngr.service; static; vendor preset: enabled)
Active: active (running) since Sat 2020-05-16 22:52:38 EDT; 23min ago
TriggeredBy: ● dirmngr.socket
Docs: man:dirmngr(8)
Main PID: 26309 (dirmngr)
CGroup: /user.slice/user-1000.slice/user@1000.service/dirmngr.service
└─26309 /usr/bin/dirmngr --supervised

I also use GnuPG's SSH agent emulation and have in my .bashrc
export GPG_TTY=$(tty)
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpg-connect-agent updatestartuptty /bye >/dev/null
Re: Help setting gpgsm to do LDAP lookup
On Sat, 16 May 2020 23:24, John Scott said:

> Looking up recipients with both dirmngr-client and
> gpgsm --verbose --list-external-keys [recipient]
> are fruitless whether I drop the ads\ from my username or not. I've bumped the
> ldaptimeout to 25. Still both commands finish instantaneously—not unlike

I just did a quick test using

ldap.pca.dfn.de::::o=DFN-Verein,c=DE:ldap

which works as expected. It has no username and password, though.
To better debug this you should add

--8<---------------cut here---------------start------------->8---
verbose
log-file socket://
debug ipc,lookup,extprog
no-use-tor
--8<---------------cut here---------------end--------------->8---

(if you are not using watchgnupg, replace socket:// by a regular file name)

This gives more specific debug output. (BTW, "dirmngr --debug help" shows
all debug options). Instead of using gpgsm it is often easier to use
gpg-connect-agent:

$ gpg-connect-agent --dirmngr
> /hex
> lookup Werner
D[0000] 30 82 05 AF 30 82 04 97 A0 03 02 01 02 02 0C 1D 0...0...........
D[0010] B0 E4 78 EA 1D 5C 64 E5 03 8C 9E 30 25 30 44 06 ..x..\d....0%0D.
[...]
END
S TRUNCATED 3
OK

Look at the log file while running these commands; hopefully you see an
error message.


Shalom-Salam,

Werner


--
Thoughts are free. Exceptions are governed by a federal law.
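An added example, not part of this thread and not GnuPG's own code: a small Python script that reassembles the D[offset] lines of a gpg-connect-agent /hex dump into bytes and decodes the leading DER fields, so you can confirm that a LOOKUP really returned an X.509 certificate and read off its version and serial number. It uses the two dump lines quoted above; the line regex and the assumption that the rest of the dump was elided are mine.

```python
import re

# Two data lines copied from the "/hex" dump in the post above (the rest was
# elided there), so only the leading DER fields are decodable from this input.
HEX_DUMP = """\
D[0000] 30 82 05 AF 30 82 04 97 A0 03 02 01 02 02 0C 1D 0...0...........
D[0010] B0 E4 78 EA 1D 5C 64 E5 03 8C 9E 30 25 30 44 06 ..x..\\d....0%0D.
"""

# One dump line: D[<4-hex offset>] then up to 16 hex pairs; ASCII column ignored.
LINE_RE = re.compile(r"^D\[([0-9A-Fa-f]{4})\]((?: [0-9A-Fa-f]{2}){1,16})")

def parse_hex_dump(text):
    """Reassemble D[offset] lines into bytes; a dropped line raises, not shifts."""
    out = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # END, "S TRUNCATED 3", OK and other status lines
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"gap in dump at offset {offset:04X}")
        out += bytes.fromhex(m.group(2))
    return bytes(out)

def read_tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, length, value_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                     # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                     # long form: n length bytes follow
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def describe_certificate_head(der):
    """Walk Certificate -> tbsCertificate -> [0] version -> serialNumber."""
    tag, total, p = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE, so not a certificate")
    tag, tbs_len, p = read_tlv(der, p)
    if tag != 0x30:
        raise ValueError("tbsCertificate SEQUENCE missing")
    version = 1                          # v1 if the [0] element is absent
    tag, ln, q = read_tlv(der, p)
    if tag == 0xA0:                      # [0] EXPLICIT Version INTEGER
        _, _, v = read_tlv(der, q)
        version, p = der[v] + 1, q + ln
    tag, ln, q = read_tlv(der, p)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER missing")
    return {"total_len": total, "tbs_len": tbs_len,
            "version": version, "serial": der[q:q + ln].hex().upper()}
```

The declared outer length (1455 bytes) also tells you how much of the blob the "[...]" in the post hides, and a mismatch between the declared length and the bytes actually received is the first sign of a truncated or non-certificate answer.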
Re: Help setting gpgsm to do LDAP lookup
On Monday, May 18, 2020 2:53:55 AM EDT Werner Koch wrote:
> On Sat, 16 May 2020 23:24, John Scott said:
>> Looking up recipients with both dirmngr-client and
>> gpgsm --verbose --list-external-keys [recipient]
>> are fruitless whether I drop the ads\ from my username or not. I've bumped
>> the ldaptimeout to 25. Still both commands finish instantaneously
> I just did a quick test using
>
> ldap.pca.dfn.de::::o=DFN-Verein,c=DE:ldap
>
> which works as expected. It has no username and password, though.
> To better debug this you should add
>
> --8<---------------cut here---------------start------------->8---
> verbose
> log-file socket://
> debug ipc,lookup,extprog
> no-use-tor
> --8<---------------cut here---------------end--------------->8---
> [...]
> Look at the log file while running these commands; hopefully you see an
> error message.
Thank you. The extra logging and options didn't reveal anything insightful to
me (attached). I've also adjusted the credentials after getting help in my
organization.

I notice that if I use a non-SSL port like 389 or 3268—which I'm not sure they
support the use of, I think they might require non-opportunistic TLS—I get an
"S PROGRESS TICK ? 0 0" message and Dirmngr takes its time before calling it
quits.

On the other hand using 636 or 3269 Dirmngr seems to not try and gets the log.
The URI says only ldap://, can/could/should I specify TLS?