Re: ACL for PGP [Virus checked (@MLP)] [Virus checked]
Hi!
I don't understand the solution you propose at the end of the message about a fake entry. Thanks!
At 16:18 13.01.2002 +0300, you wrote:
hi there!
----- Original Message -----
From: "Peter Marschall" <peter.marschall@mayn.de>
To: <openldap-software@OpenLDAP.org>
Sent: Sunday, January 13, 2002 1:33 PM
Subject: Re: ACL for PGP [Virus checked (@MLP)] [Virus checked]
> Hi,
>
> On Friday 11 January 2002 10:48, you wrote:
> > The implemented schema works perfectly for all PGP applications
> > (certification, encryption, ... anything); the only thing that stops me from
> > really substituting the PGP KeyServer with OpenLDAP is the permission
> > access. I sniffed the packets, however I don't get any hints of the exact
> > denial, because if the PGP client doesn't have write permissions it won't
> > even bind to the LDAP server (the LDAP server response is just a success
> > acknowledgement instead of the normal response with the basedn to bind). It
> > is really strange. I'm trying to ask NAI what's happening, because if they
> > give the option of connecting the clients to this kind of server they
> > SHOULD give support for these errors.
>
> If you trace the connections you should be able to find out to which
> objects the PGP client wants to have which kind of access (search,
> read, write, ...).
> This information should be sufficient to build more restrictive ACLs
> than you have now.
JFYI - if you are talking about how the native NAI client accesses the LDAP
directory:
It does not need any writable access permission, because it uses LDAP_ADD
just to inform the PGP keyserver about an arriving key. All processing is
handled by the keyserver itself - process the ASCII-armoured key, get all
attributes from this key to create a searchable entry in the database, and
write this entry along with the armoured key (as children) to the directory.
So it is almost impossible to use a pure OpenLDAP server to process all
requests from the NAI client - first of all because you will search for some
attributes in the entries when all keys are stored as children of these
entries. You can create a single directory entry that holds all attributes -
pgpcertid, ..., and the pgpkey itself, but anyway - you must process the
incoming key to parse it, and that is not an OpenLDAP function, because you
must use the PGPSDK or an OpenPGP library to do this.
This information is from my research of the NAI PGP keyserver about 3 years
ago. Something may have changed, but I'm sure that you MUST NOT give write
permission to the ACTIVE_DN directory tree, because it breaks all security -
you can easily create an entry with fake pgpkey attributes, like pgpid, and
users will be forced to check every search response for really valid entries
manually.
______________________________________________________________________
Alejandra Moreno Espinar
at rete ag
mailto:alejandra.moreno@atrete.ch,
http://www.atrete.ch
snail mail: Oberdorfstrasse 2, P.O. Box 674, 8024 Zurich, Switzerland
voice: +41-1-266 55 55, direct: +41-1-266 55 91, fax: +41-1-266 55 88
_____________________________________________________________________
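Added example (not part of this thread, and not NAI or OpenLDAP code): what the keyserver-side processing described in the quoted message amounts to, written out. It dearmors an OpenPGP public key block, walks the packets, computes the v4 fingerprint of the primary key, derives the directory attributes from that fingerprint, and rejects an entry whose claimed pgpcertid/pgpkeyid does not match the key material it carries, which is the "fake entry" that becomes possible as soon as clients may write to the tree directly. The attribute names follow the PGP keyserver schema the thread refers to; encoding them as upper-case hex of the 64-bit and 32-bit key IDs is an assumption here, and the sample key is a constructed packet with a dummy modulus, not a usable key.

```python
import base64
import hashlib
import struct

ARMOR_HEAD = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_TAIL = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    """OpenPGP radix-64 checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-octet bit count, then big-endian magnitude."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def build_sample_public_key() -> bytes:
    """Constructed v4 RSA public-key packet; the modulus is a fixed byte pattern, not a real key."""
    n = int.from_bytes(bytes(range(0x80, 0xC0)), "big")            # 512-bit dummy modulus
    body = b"\x04" + struct.pack(">I", 1010966400) + b"\x01" + mpi(n) + mpi(65537)
    return b"\x99" + struct.pack(">H", len(body)) + body            # old-format header: tag 6, 2-octet length


def armor(binary: bytes) -> str:
    b64 = base64.b64encode(binary).decode()
    crc = base64.b64encode(crc24(binary).to_bytes(3, "big")).decode()
    lines = [ARMOR_HEAD, "Version: example", ""] + [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(lines + ["=" + crc, ARMOR_TAIL])


def dearmor(text: str) -> bytes:
    """Strip ASCII armor and check the CRC24; raises ValueError on any defect."""
    lines = [line.rstrip("\r") for line in text.strip().splitlines()]
    if not lines or lines[0] != ARMOR_HEAD or lines[-1] != ARMOR_TAIL:
        raise ValueError("not a PGP public key block")
    body = lines[1:-1]
    if "" in body:                                  # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing CRC24 line")
    data = base64.b64decode("".join(body[:-1]), validate=True)
    if crc24(data) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        raise ValueError("armor CRC24 mismatch")
    return data


def iter_packets(data: bytes):
    """Yield (tag, body) per OpenPGP packet; old- and new-format headers, no partial body lengths."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet tag octet")
        if ctb & 0x40:                                              # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                                       # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = (2, 3, 5)[ltype]
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        pos += hdr + length


def primary_key_fingerprint(armored: str) -> str:
    """v4 fingerprint of the first public-key packet: SHA1(0x99 || 2-octet length || body)."""
    for tag, body in iter_packets(dearmor(armored)):
        if tag == 6:
            if body[0] != 4:
                raise ValueError("only v4 keys supported")
            return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    raise ValueError("no public-key packet found")


def entry_from_key(armored: str) -> dict:
    """Keyserver-side derivation: the IDs come from the key material, never from the client."""
    fpr = primary_key_fingerprint(armored)
    return {"pgpcertid": fpr[-16:], "pgpkeyid": fpr[-8:], "pgpkey": armored}


def verify_entry(entry: dict) -> bool:
    """False for an entry whose claimed IDs do not match the key it carries (the fake-entry case)."""
    try:
        fpr = primary_key_fingerprint(entry["pgpkey"])
    except (ValueError, KeyError, IndexError, struct.error):
        return False
    return (entry.get("pgpcertid", "").upper() == fpr[-16:]
            and entry.get("pgpkeyid", "").upper() == fpr[-8:])


if __name__ == "__main__":
    key = armor(build_sample_public_key())
    good = entry_from_key(key)
    forged = dict(good, pgpcertid="0123456789ABCDEF")   # an ID a writing client simply asserted
    print("genuine:", verify_entry(good), "forged:", verify_entry(forged))
```

The point for the ACL question is that a directory which lets clients write pgpcertid or pgpkeyid themselves has no way to run this check; only a component that parses the key (the keyserver, or an OpenPGP library in front of slapd) can bind the searchable attributes to the key material, so write access to the tree should stay with that component alone.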