
Re: OpenLDAP PGP key server



You might want to search the archives for reasons why others
who came before you gave up...

Kurt

At 12:16 AM 8/26/2004, Luna, Joe wrote:
>All,
>
>Anyone have experience implementing a PGP key server using OpenLDAP and the
>schemas provided by PGP Corporation? I'm trying to get an OpenLDAP PGP key
>server up and running; so far I haven't had any major issues, but this one is
>driving me crazy.
>
>This is the deal: I can't add more than one key when sending to an 'ldaps' key
>server. No, not more than one at a time: one, period.
>
>This is the log entry for a successful key upload via an ldaps connection:
>
>Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 fd=12 ACCEPT from IP=192.168.254.1:1878 (IP=0.0.0.0:636)
>Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 op=0 ADD dn="pgpCertID=07CADF9E0CC0E12C,ou=PGP Keys,dc=domain,dc=com"
>Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 op=0 RESULT tag=105 err=0 text=
>Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 op=0 RESULT tag=105 err=0 text=
>Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 op=1 UNBIND
>Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 fd=12 closed
>
>If I try to send another key, this shows up in the log:
>
>Aug 21 19:32:47 pgp-keyserver slapd[1352]: conn=9 fd=12 ACCEPT from IP=192.168.254.1:1879 (IP=0.0.0.0:636)
>Aug 21 19:32:47 pgp-keyserver slapd[1352]: conn=9 op=0 SRCH base="cn=PGPServerInfo" scope=0 filter="(objectClass=*)"
>Aug 21 19:32:47 pgp-keyserver slapd[1352]: conn=9 op=0 SRCH attr=baseKeyspaceDN basePendingDN version
>Aug 21 19:32:47 pgp-keyserver slapd[1352]: conn=9 op=0 RESULT tag=101 err=32 text=
>Aug 21 19:33:10 pgp-keyserver slapd[1352]: conn=9 fd=12 closed
>
>Notice how line 2 is a 'SRCH' instead of an 'ADD' like line 2 of the
>successful attempt? What could be causing this? Is this a client-side issue?
>I'm beginning to think so. So far the only thing I see to get around this is
>to close the PGP client software and reopen it to send the second key. After
>that key is uploaded the fun starts again: nothing else can be uploaded.
>
>Relevant information:
>
>Client OS: Windows XP Pro
>Client Software: PGP Corporate desktop 8.1
>LDAP Server: Fedora Core 2
>LDAP Software: # rpm -aq | grep ldap
>        nss_ldap-217-1
>        openldap-devel-2.1.29-1
>        openldap-2.1.29-1
>        php-ldap-4.3.4-11
>        openldap-clients-2.1.29-1
>        openldap-servers-2.1.29-1
>
>[root@pgp-keyserver ]# cat /etc/openldap/slapd.conf
>####### BEGIN #######
>
>include /etc/openldap/schema/core.schema
>include /etc/openldap/schema/pgp-keyserver.schema
>include /etc/openldap/schema/pgp-remte-prefs.schema
>
>TLSCipherSuite HIGH:MEDIUM:+SSLv2
>TLSCertificateFile /etc/openldap/slapdcert.pem
>TLSCertificateKeyFile /etc/openldap/slapdkey.pem
>
>pidfile /var/run/slapd.pid
>
>sockbuf_max_incoming    524288
>allow   bind_v2
>allow   update_anon
>
>access to dn.sub="ou=PGP Keys,dc=domain,dc=com" by peername=127.0.0.1 write by * read
>access to dn="cn=pgpprefs,dc=domain,dc=com" by peername=127.0.0.1 write by * read
>
>database        bdb
>suffix  "ou=PGP Keys,dc=domain,dc=com"
>rootdn  "cn=Manager,ou=PGP Keys,dc=domain,dc=com"
>rootpw  {SSHA}KHgPsXtozlpujHbD1UBn$dWxYvr07j5Z
>
>directory       /var/lib/ldap
>
>index   objectClass     eq
>index   pgpUserID       sub,eq
>index   pgpCertID,pgpKeyID,pgpKeyType,pgpKeyCreateTime  eq
>index   pgpSignerID,pgpSubKeyID,pgpKeySize,pgpKeyExpireTime     eq
>index   pgpDisabled,pgpRevoked  eq
>index   pgpElementType  sub,eq
>####### END #######
>
>I don't have much of a background with LDAP, so I hope I have provided
>enough information. If someone knows a more appropriate list to post this to,
>please let me know.
>
>Thanks,
>
>Joe
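The slapd log excerpts in the quoted message are exactly the kind of thing worth reading mechanically rather than by eye: each operation appears as a request line and a RESULT line that share a conn/op pair, and the RESULT carries an LDAP result code. The script below is an added example, written for this archive page and not part of the original thread or of OpenLDAP/PGP Corporation software. It groups the records by connection and operation, names the result code (the names come from RFC 4511; 32 is noSuchObject), and reports whether the DN each failed operation targeted lies under the suffix configured in the quoted slapd.conf. The sample log is the post's own lines, unwrapped so each record sits on one line; the DN comparison is a deliberate simplification (lower-casing and trimming around commas, no RFC 4514 escaping) that is enough for the DNs on this page.

```python
import re
from collections import defaultdict

# Constructed sample: the slapd log lines quoted in the post, unwrapped so each
# record is on one line (the mail client had joined several of them).
SAMPLE_LOG = """\
Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 fd=12 ACCEPT from IP=192.168.254.1:1878 (IP=0.0.0.0:636)
Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 op=0 ADD dn="pgpCertID=07CADF9E0CC0E12C,ou=PGP Keys,dc=domain,dc=com"
Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 op=0 RESULT tag=105 err=0 text=
Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 op=0 RESULT tag=105 err=0 text=
Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 op=1 UNBIND
Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 fd=12 closed
Aug 21 19:32:47 pgp-keyserver slapd[1352]: conn=9 fd=12 ACCEPT from IP=192.168.254.1:1879 (IP=0.0.0.0:636)
Aug 21 19:32:47 pgp-keyserver slapd[1352]: conn=9 op=0 SRCH base="cn=PGPServerInfo" scope=0 filter="(objectClass=*)"
Aug 21 19:32:47 pgp-keyserver slapd[1352]: conn=9 op=0 SRCH attr=baseKeyspaceDN basePendingDN version
Aug 21 19:32:47 pgp-keyserver slapd[1352]: conn=9 op=0 RESULT tag=101 err=32 text=
Aug 21 19:33:10 pgp-keyserver slapd[1352]: conn=9 fd=12 closed
"""

# A few well-known LDAP result codes (RFC 4511, appendix A).
LDAP_RESULT_NAMES = {
    0: "success",
    1: "operationsError",
    32: "noSuchObject",
    34: "invalidDNSyntax",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
    65: "objectClassViolation",
    68: "entryAlreadyExists",
}

OP_RE = re.compile(r'conn=(\d+) op=(\d+) (\w+)(.*)')
RESULT_RE = re.compile(r'tag=(\d+) err=(\d+)')
DN_RE = re.compile(r'(?:dn|base)="([^"]*)"')


def normalize_dn(dn):
    """Lower-case and trim around commas. Simplification: no RFC 4514 escaping handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under_suffix(dn, suffix):
    """True if dn equals the suffix or lies beneath it, compared RDN by RDN from the right."""
    d = normalize_dn(dn).split(",")
    s = normalize_dn(suffix).split(",")
    return len(d) >= len(s) and d[-len(s):] == s


def parse_slapd_log(text):
    """Group per-operation records as {conn: {op: {request, target, err}}}."""
    ops = defaultdict(dict)
    for line in text.splitlines():
        m = OP_RE.search(line)
        if not m:            # ACCEPT / closed lines carry no op= and are skipped
            continue
        conn, op, kind, rest = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
        rec = ops[conn].setdefault(op, {"request": None, "target": None, "err": None})
        if kind == "RESULT":
            rec["err"] = int(RESULT_RE.search(rest).group(2))
        else:
            # The first non-RESULT line names the request (ADD, SRCH, UNBIND, ...);
            # continuation lines such as "SRCH attr=..." keep that name.
            rec["request"] = rec["request"] or kind
            d = DN_RE.search(rest)
            if d and rec["target"] is None:
                rec["target"] = d.group(1)
    return ops


def diagnose(text, suffix):
    """One finding per operation whose RESULT is non-zero, with the target's relation to the suffix."""
    findings = []
    for conn, ops in sorted(parse_slapd_log(text).items()):
        for op, rec in sorted(ops.items()):
            if rec["err"] in (None, 0):
                continue
            findings.append({
                "conn": conn, "op": op,
                "request": rec["request"],
                "target": rec["target"],
                "err": rec["err"],
                "err_name": LDAP_RESULT_NAMES.get(rec["err"], "unknown"),
                "target_under_suffix": (dn_under_suffix(rec["target"], suffix)
                                        if rec["target"] else None),
            })
    return findings


if __name__ == "__main__":
    # Suffix taken from the slapd.conf quoted in the post.
    for f in diagnose(SAMPLE_LOG, "ou=PGP Keys,dc=domain,dc=com"):
        print(f)
```

Run against the quoted log, the only failing operation is conn=9 op=0, a base-scope SRCH of cn=PGPServerInfo that returned 32 (noSuchObject), and that base DN does not sit under the configured suffix ou=PGP Keys,dc=domain,dc=com; the successful ADD on conn=8 targets a DN that does. That is the first fact to establish when reading a slapd log like this, and the same grouping works for any slapd stats-level log when hunting for failed binds, access denials or schema violations.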