
RE: OpenLDAP PGP key server



Since many of us are experiencing issues with PGP+OpenLDAP+TLS, I'm curious
to know how others are handling this.

Are you going with the Windows version of the keyserver?
Are you just using a public keyserver?
Are you using another solution? If so, what software are you using?

-Joe

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Thomas Vincent
Sent: Thursday, August 26, 2004 9:23 AM
To: ray v; OpenLDAP
Subject: Re: OpenLDAP PGP key server

Me 2,
Has anyone tried taking this issue up with PGP? We tried support, but they
said they don't support this.

Cheers,
Tom


On 8/26/04 8:32 AM, "ray v" <rayv5n@yahoo.com> wrote:

> 
> 
> I'm trying to accomplish the same thing and I've run into a similar 
> problem. I put three keys on the server through ldap. After which I 
> enabled ssl and tried to add more through ldaps. The error message I 
> get is...
> 
> 
> "An error has occurred: server open failed"
> 
> here are my logs
> 
> ------------------------------------------
> Aug 26 08:27:22 corpldap02 slapd: <<< dnPrettyNormal: <cn=PGPServerInfo>, <cn=pgpserverinfo>
> Aug 26 08:27:22 corpldap02 slapd: SRCH "cn=PGPServerInfo" 0 0    0 0 0
> Aug 26 08:27:22 corpldap02 slapd: begin get_filter
> Aug 26 08:27:22 corpldap02 slapd: PRESENT
> Aug 26 08:27:22 corpldap02 slapd: ber_scanf fmt (m) ber:
> Aug 26 08:27:22 corpldap02 slapd: ber_dump: buf=0x099838b8 ptr=0x099838de end=0x09983915 len=55
> Aug 26 08:27:22 corpldap02 slapd:   0000:  87 0b 6f 62 6a 65 63 74  63 6c 61 73 73 30 28 04  ..objectclass0(.
> Aug 26 08:27:22 corpldap02 slapd:   0010:  0e 62 61 73 65 4b 65 79  73 70 61 63 65 44 4e 04  .baseKeyspaceDN.
> Aug 26 08:27:22 corpldap02 slapd:   0020:  0d 62 61 73 65 50 65 6e  64 69 6e 67 44 4e 04 07  .basePendingDN..
> Aug 26 08:27:22 corpldap02 slapd:   0030:  76 65 72 73 69 6f 6e                              version
> Aug 26 08:27:22 corpldap02 slapd: end get_filter 0
> 
> Above you see the SRCH function, then afterward I get an attempted
> write. BTW, I had to go back to using "database ldbm" rather than bdb
> because for some reason the client will not work when openldap is
> using Berkeley.
> 
> 
> Aug 26 08:27:23 corpldap02 slapd: tls_write: want=74, written=74
> Aug 26 08:27:23 corpldap02 slapd:   0000:  17 03 01 00 18 8b 62 fe  6f 9c 03 98 72 5c 09 ba  ......b.o...r\..
> Aug 26 08:27:23 corpldap02 slapd:   0010:  3a c2 d6 2c a4 0e 12 85  a0 69 34 91 97 17 03 01  :..,.....i4.....
> Aug 26 08:27:23 corpldap02 slapd:   0020:  00 28 63 74 cf 6b b2 55  3a d7 82 73 b2 75 c1 4f  .(ct.k.U:..s.u.O
> Aug 26 08:27:23 corpldap02 slapd:   0030:  ec 87 6d 6b e8 30 b5 d5  dd 31 b2 78 ed 20 43 30  ..mk.0...1.x. C0
> Aug 26 08:27:23 corpldap02 slapd:   0040:  a8 69 d2 9d 79 43 d8 48  af 70                    .i..yC.H.p
> Aug 26 08:27:23 corpldap02 slapd: ldap_write: want=14, written=14
> Aug 26 08:27:23 corpldap02 slapd:   0000:  30 0c 02 01 01 65 07 0a  01 00 04 00 04 00        0....e........
> Aug 26 08:27:23 corpldap02 slapd: daemon: select: listen=6 active_threads=1 tvp=NULL
> Aug 26 08:27:23 corpldap02 slapd: daemon: select: listen=7 active_threads=1 tvp=NULL
> Aug 26 08:27:23 corpldap02 slapd: daemon: select: listen=8 active_threads=1 tvp=NULL
> Aug 26 08:27:23 corpldap02 slapd: daemon: select: listen=9 active_threads=1 tvp=NULL
> Aug 26 08:27:23 corpldap02 slapd: daemon: activity on 1 descriptors
> Aug 26 08:27:23 corpldap02 slapd: daemon: select: listen=6 active_threads=1 tvp=NULL
> Aug 26 08:27:23 corpldap02 slapd: daemon: select: listen=7 active_threads=1 tvp=NULL
> Aug 26 08:27:23 corpldap02 slapd: daemon: select: listen=8 active_threads=1 tvp=NULL
> Aug 26 08:27:23 corpldap02 slapd: daemon: select: listen=9 active_threads=1 tvp=NULL
> Aug 26 08:27:23 corpldap02 slapd: send_ldap_result: conn=0 op=1 p=3
> Aug 26 08:27:23 corpldap02 slapd: send_ldap_result: err=10 matched="" text=""
> Aug 26 08:27:23 corpldap02 slapd: send_ldap_response: msgid=2 tag=101 err=32
> Aug 26 08:27:23 corpldap02 slapd: ber_flush: 14 bytes to sd 11
> Aug 26 08:27:23 corpldap02 slapd:   0000:  30 0c 02 01 02 65 07 0a  01 20 04 00 04 00        0....e... ....
> Aug 26 08:27:23 corpldap02 slapd: tls_write: want=74, written=74
> Aug 26 08:27:23 corpldap02 slapd:   0000:  17 03 01 00 18 35 88 36  57 4c a3 b5 35 ff 00 09  .....5.6WL..5...
> Aug 26 08:27:23 corpldap02 slapd:   0010:  1e a0 5c 65 bc 36 ca c1  ca c1 3a ad 00 17 03 01  ..\e.6....:.....
> Aug 26 08:27:23 corpldap02 slapd:   0020:  00 28 1f 0a 19 a3 88 a9  b1 0e 94 cd 17 62 21 7e  .(...........b!~
> Aug 26 08:27:23 corpldap02 slapd:   0030:  cd 2d 85 1b 66 20 62 f3  15 08 ba 2f 7e 56 5f 58  .-..f b..../~V_X
> Aug 26 08:27:23 corpldap02 slapd:   0040:  11 18 50 42 7e a7 10 e0  54 cc                    ..PB~...T.
> Aug 26 08:27:23 corpldap02 slapd: ldap_write: want=14, written=14
> Aug 26 08:27:23 corpldap02 slapd:   0000:  30 0c 02 01 02 65 07 0a  01 20 04 00 04 00        0....e... ....
> 
> 
> ------------------------------------------
> 
> 
> 
> --- "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:
> 
>> You might want to search the archives for reasons why others who came 
>> before you gave up...
>> 
>> Kurt
>> 
>> At 12:16 AM 8/26/2004, Luna, Joe wrote:
>>> All,
>>> 
>>> Anyone have experience implementing a PGP key server using openldap and the
>>> schemas provided by PGP corporation? I'm trying to get an OpenLDAP PGP key
>>> server up and running; so far I haven't had any major issues, but this one is
>>> driving me crazy.
>>> 
>>> This is the deal: I can't add more than one key when sending to an 'ldaps' key
>>> server. No, not more than one at a time; one, period.
>>> 
>>> This is the log entry for a successful key upload via an ldaps connection:
>>> 
>>> Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 fd=12 ACCEPT from IP=192.168.254.1:1878 (IP=0.0.0.0:636)
>>> Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 op=0 ADD dn="pgpCertID=07CADF9E0CC0E12C,ou=PGP Keys,dc=domain,dc=com"
>>> Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 op=0 RESULT tag=105 err=0 text=
>>> Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 op=0 RESULT tag=105 err=0 text=
>>> Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 op=1 UNBIND
>>> Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 fd=12 closed
>>> 
>>> If I try to send another key, this shows up in the log:
>>> 
>>> Aug 21 19:32:47 pgp-keyserver slapd[1352]: conn=9 fd=12 ACCEPT from IP=192.168.254.1:1879 (IP=0.0.0.0:636)
>>> Aug 21 19:32:47 pgp-keyserver slapd[1352]: conn=9 op=0 SRCH base="cn=PGPServerInfo" scope=0 filter="(objectClass=*)"
>>> Aug 21 19:32:47 pgp-keyserver slapd[1352]: conn=9 op=0 SRCH attr=baseKeyspaceDN basePendingDN version
>>> Aug 21 19:32:47 pgp-keyserver slapd[1352]: conn=9 op=0 RESULT tag=101 err=32 text=
>>> Aug 21 19:33:10 pgp-keyserver slapd[1352]: conn=9 fd=12 closed
>>> 
>>> Notice how line 2 is a 'SRCH' instead of an 'ADD' like line 2 of the
>>> successful attempt? What could be causing this? Is this a client-side issue?
>>> I'm beginning to think so. So far the only thing I see to get around this is
>>> to close the PGP client software and reopen it to send the second key. After
>>> that key is uploaded the fun starts again: nothing else can be uploaded.
>>> 
>>> Relevant information:
>>> 
>>> Client OS: Windows XP Pro
>>> Client Software: PGP Corporate desktop 8.1
>>> LDAP Server: Fedora Core 2
>>> LDAP Software: # rpm -aq | grep ldap
>>>        nss_ldap-217-1
>>>        openldap-devel-2.1.29-1
>>>        openldap-2.1.29-1
>>>        php-ldap-4.3.4-11
>>>        openldap-clients-2.1.29-1
>>>        openldap-servers-2.1.29-1
>>> 
>>> [root@pgp-keyserver ]# cat /etc/openldap/slapd.conf
>>> ####### BEGIN #######
>>> 
>>> include /etc/openldap/schema/core.schema
>>> include /etc/openldap/schema/pgp-keyserver.schema
>>> include /etc/openldap/schema/pgp-remte-prefs.schema
>>> 
>>> TLSCipherSuite HIGH:MEDIUM:+SSLv2
>>> TLSCertificateFile /etc/openldap/slapdcert.pem
>>> TLSCertificateKeyFile /etc/openldap/slapdkey.pem
>>> 
>>> pidfile /var/run/slapd.pid
>>> 
>>> sockbuf_max_incoming    524288
>>> allow   bind_v2
>>> allow   update_anon
>>> 
>>> access to dn.sub="ou=PGP Keys,dc=domain,dc=com" by peername=127.0.0.1 write by * read
>>> access to dn="cn=pgpprefs,dc=domain,dc=com" by peername=127.0.0.1 write by * read
>>> 
>>> database        bdb
>>> suffix  "ou=PGP Keys,dc=domain,dc=com"
>>> rootdn  "cn=Manager,ou=PGP Keys,dc=domain,dc=com"
>>> rootpw  {SSHA}KHgPsXtozlpujHbD1UBn$dWxYvr07j5Z
>>> 
>>> directory       /var/lib/ldap
>>> 
>>> index   objectClass     eq
>>> index   pgpUserID       sub,eq
>>> index   pgpCertID,pgpKeyID,pgpKeyType,pgpKeyCreateTime  eq
>>> index   pgpSignerID,pgpSubKeyID,pgpKeySize,pgpKeyExpireTime  eq
>>> index   pgpDisabled,pgpRevoked  eq
>>> index   pgpElementType  sub,eq
>>> ####### END #######
>>> 
>>> I don't have much of a background with LDAP, so I hope I have provided
>>> enough information. If someone knows a more appropriate list to post this to,
>>> please let me know.
>>> 
>>> Thanks,
>>> 
>>> Joe
>>> 
>>> 
>>> .
>> 
>> 
> 
> 
> 
> 


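Added example for the whole thread (not code from the list, from OpenLDAP or from PGP Corporation): a small Python script that decodes the 14-byte LDAPResult shown in the ber_flush/ldap_write hex dumps of ray's log, and that pairs the SRCH/ADD lines in Joe's stats log with their RESULT lines so the failing lookup stands out. The BER walk and the result-code and protocol-op names are the standard RFC 2251 values; the embedded log lines are the ones quoted in the thread, and the two hex strings are the bytes from ray's dump. Nothing else is assumed.

```python
"""Decode slapd's LDAPResult bytes and correlate SRCH/ADD lines with RESULT.

Added example, not code from the thread or from OpenLDAP/PGP. It relies only
on the BER encoding of LDAPMessage/LDAPResult (RFC 2251) and on the default
slapd "stats" log line format seen in the thread.
"""
import re

# LDAP result codes relevant to this thread (RFC 2251 section 4.1.10)
RESULT_CODES = {0: "success", 10: "referral", 32: "noSuchObject",
                50: "insufficientAccessRights"}

# Application tags of the protocol ops we may meet (RFC 2251 section 4.1.1);
# 0x65 is what slapd logs as tag=101, 0x69 as tag=105
PROTOCOL_OPS = {0x60: "bindRequest", 0x61: "bindResponse", 0x63: "searchRequest",
                0x64: "searchResEntry", 0x65: "searchResDone",
                0x68: "addRequest", 0x69: "addResponse"}


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for one BER TLV at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7f
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += nbytes
    start = pos + 2
    return tag, buf[start:start + length], start + length


def decode_ldap_result(hexdump):
    """Decode an LDAPMessage carrying an LDAPResult, given slapd's hex bytes."""
    buf = bytes.fromhex(hexdump)
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE (LDAPMessage)")
    tag, msgid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER messageID")
    op_tag, result, _ = _read_tlv(body, pos)          # protocolOp
    _, code, pos = _read_tlv(result, 0)               # resultCode ENUMERATED
    _, matched, pos = _read_tlv(result, pos)          # matchedDN
    _, text, _ = _read_tlv(result, pos)               # errorMessage
    code = int.from_bytes(code, "big")
    return {"messageID": int.from_bytes(msgid, "big"),
            "op": PROTOCOL_OPS.get(op_tag, hex(op_tag)),
            "resultCode": code,
            "resultName": RESULT_CODES.get(code, "other"),
            "matchedDN": matched.decode(), "errorMessage": text.decode()}


# Matches the request and result lines of slapd's stats log level
LINE_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) "
                     r"(?P<kind>SRCH|ADD|RESULT) ?(?P<rest>.*)")


def failed_operations(log_lines):
    """Pair each SRCH/ADD with its RESULT (same conn/op); return the failures."""
    requests, failures = {}, []
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue                                  # ACCEPT/UNBIND/closed
        key = (m["conn"], m["op"])
        if m["kind"] in ("SRCH", "ADD"):
            requests.setdefault(key, []).append(m["kind"] + " " + m["rest"].strip())
        else:
            err = re.search(r"err=(\d+)", m["rest"])
            code = int(err.group(1)) if err else -1
            if code != 0:
                failures.append({"conn": key[0], "op": key[1], "resultCode": code,
                                 "resultName": RESULT_CODES.get(code, "other"),
                                 "request": " / ".join(requests.get(key, ["?"]))})
    return failures


# Joe's stats-log lines as quoted in the thread (one log record per line)
SAMPLE_LOG = """\
Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 fd=12 ACCEPT from IP=192.168.254.1:1878 (IP=0.0.0.0:636)
Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 op=0 ADD dn="pgpCertID=07CADF9E0CC0E12C,ou=PGP Keys,dc=domain,dc=com"
Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 op=0 RESULT tag=105 err=0 text=
Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 op=1 UNBIND
Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 fd=12 closed
Aug 21 19:32:47 pgp-keyserver slapd[1352]: conn=9 fd=12 ACCEPT from IP=192.168.254.1:1879 (IP=0.0.0.0:636)
Aug 21 19:32:47 pgp-keyserver slapd[1352]: conn=9 op=0 SRCH base="cn=PGPServerInfo" scope=0 filter="(objectClass=*)"
Aug 21 19:32:47 pgp-keyserver slapd[1352]: conn=9 op=0 SRCH attr=baseKeyspaceDN basePendingDN version
Aug 21 19:32:47 pgp-keyserver slapd[1352]: conn=9 op=0 RESULT tag=101 err=32 text=
Aug 21 19:33:10 pgp-keyserver slapd[1352]: conn=9 fd=12 closed
""".splitlines()

# The two 14-byte responses from ray's ldap_write dumps
FIRST_RESPONSE = "30 0c 02 01 01 65 07 0a 01 00 04 00 04 00"
SECOND_RESPONSE = "30 0c 02 01 02 65 07 0a 01 20 04 00 04 00"

if __name__ == "__main__":
    for dump in (FIRST_RESPONSE, SECOND_RESPONSE):
        print(decode_ldap_result(dump))
    for failure in failed_operations(SAMPLE_LOG):
        print(failure)
```

Run as-is, the decoder shows that the second response is messageID 2, searchResDone, resultCode 32 (noSuchObject), which matches the `send_ldap_response: msgid=2 tag=101 err=32` line, and the log pass isolates conn=9 op=0: the PGP client's search of base `cn=PGPServerInfo` rather than any ADD. Both logs therefore point at the same thing: the client first asks the server for an entry named `cn=PGPServerInfo`, and neither server has one (that DN is not under the suffix `ou=PGP Keys,dc=domain,dc=com` configured in Joe's slapd.conf), so the client never gets to the upload.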