RE: OpenLDAP PGP key server
Since many of us are experiencing issues with PGP+OpenLDAP+TLS, I'm curious
to know how others are handling this.
Are you going with the Windows version of the keyserver?
Are you just using a public keyserver?
Are you using another solution? If so what software are you using?
-Joe
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Thomas Vincent
Sent: Thursday, August 26, 2004 9:23 AM
To: ray v; OpenLDAP
Subject: Re: OpenLDAP PGP key server
Me 2,
Has anyone tried taking this issue up with PGP? We tried support, but they
said they don't support this.
Cheers,
Tom
On 8/26/04 8:32 AM, "ray v" <rayv5n@yahoo.com> wrote:
>
>
> I'm trying to accomplish the same thing and I've run into a similar
> problem. I put three keys on the server through ldap, after which I
> enabled ssl and tried to add more through ldaps. The error message I
> get is...
>
>
> "An error has occurred: server open failed"
>
> here are my logs
>
> ------------------------------------------
> Aug 26 08:27:22 corpldap02 slapd: <<< dnPrettyNormal: <cn=PGPServerInfo>, <cn=pgpserverinfo>
> Aug 26 08:27:22 corpldap02 slapd: SRCH "cn=PGPServerInfo" 0 0 0 0 0
> Aug 26 08:27:22 corpldap02 slapd: begin get_filter
> Aug 26 08:27:22 corpldap02 slapd: PRESENT
> Aug 26 08:27:22 corpldap02 slapd: ber_scanf fmt (m) ber:
> Aug 26 08:27:22 corpldap02 slapd: ber_dump: buf=0x099838b8 ptr=0x099838de end=0x09983915 len=55
> Aug 26 08:27:22 corpldap02 slapd: 0000: 87 0b 6f 62 6a 65 63 74 63 6c 61 73 73 30 28 04  ..objectclass0(.
> Aug 26 08:27:22 corpldap02 slapd: 0010: 0e 62 61 73 65 4b 65 79 73 70 61 63 65 44 4e 04  .baseKeyspaceDN.
> Aug 26 08:27:22 corpldap02 slapd: 0020: 0d 62 61 73 65 50 65 6e 64 69 6e 67 44 4e 04 07  .basePendingDN..
> Aug 26 08:27:22 corpldap02 slapd: 0030: 76 65 72 73 69 6f 6e  version
> Aug 26 08:27:22 corpldap02 slapd: end get_filter 0
>
> Above you see the SRCH function, then afterward I get an attempted
> write. BTW, I had to go back to using "database ldbm" rather than bdb
> because for some reason the client will not work when openldap is
> using Berkeley.
>
>
> Aug 26 08:27:23 corpldap02 slapd: tls_write: want=74, written=74
> Aug 26 08:27:23 corpldap02 slapd: 0000: 17 03 01 00 18 8b 62 fe 6f 9c 03 98 72 5c 09 ba  ......b.o...r\..
> Aug 26 08:27:23 corpldap02 slapd: 0010: 3a c2 d6 2c a4 0e 12 85 a0 69 34 91 97 17 03 01  :..,.....i4.....
> Aug 26 08:27:23 corpldap02 slapd: 0020: 00 28 63 74 cf 6b b2 55 3a d7 82 73 b2 75 c1 4f  .(ct.k.U:..s.u.O
> Aug 26 08:27:23 corpldap02 slapd: 0030: ec 87 6d 6b e8 30 b5 d5 dd 31 b2 78 ed 20 43 30  ..mk.0...1.x. C0
> Aug 26 08:27:23 corpldap02 slapd: 0040: a8 69 d2 9d 79 43 d8 48 af 70  .i..yC.H.p
> Aug 26 08:27:23 corpldap02 slapd: ldap_write: want=14, written=14
> Aug 26 08:27:23 corpldap02 slapd: 0000: 30 0c 02 01 01 65 07 0a 01 00 04 00 04 00  0....e........
> Aug 26 08:27:23 corpldap02 slapd: daemon: select: listen=6 active_threads=1 tvp=NULL
> Aug 26 08:27:23 corpldap02 slapd: daemon: select: listen=7 active_threads=1 tvp=NULL
> Aug 26 08:27:23 corpldap02 slapd: daemon: select: listen=8 active_threads=1 tvp=NULL
> Aug 26 08:27:23 corpldap02 slapd: daemon: select: listen=9 active_threads=1 tvp=NULL
> Aug 26 08:27:23 corpldap02 slapd: daemon: activity on 1 descriptors
> Aug 26 08:27:23 corpldap02 slapd: daemon: select: listen=6 active_threads=1 tvp=NULL
> Aug 26 08:27:23 corpldap02 slapd: daemon: select: listen=7 active_threads=1 tvp=NULL
> Aug 26 08:27:23 corpldap02 slapd: daemon: select: listen=8 active_threads=1 tvp=NULL
> Aug 26 08:27:23 corpldap02 slapd: daemon: select: listen=9 active_threads=1 tvp=NULL
> Aug 26 08:27:23 corpldap02 slapd: send_ldap_result: conn=0 op=1 p=3
> Aug 26 08:27:23 corpldap02 slapd: send_ldap_result: err=10 matched="" text=""
> Aug 26 08:27:23 corpldap02 slapd: send_ldap_response: msgid=2 tag=101 err=32
> Aug 26 08:27:23 corpldap02 slapd: ber_flush: 14 bytes to sd 11
> Aug 26 08:27:23 corpldap02 slapd: 0000: 30 0c 02 01 02 65 07 0a 01 20 04 00 04 00  0....e... ....
> Aug 26 08:27:23 corpldap02 slapd: tls_write: want=74, written=74
> Aug 26 08:27:23 corpldap02 slapd: 0000: 17 03 01 00 18 35 88 36 57 4c a3 b5 35 ff 00 09  .....5.6WL..5...
> Aug 26 08:27:23 corpldap02 slapd: 0010: 1e a0 5c 65 bc 36 ca c1 ca c1 3a ad 00 17 03 01  ..\e.6....:.....
> Aug 26 08:27:23 corpldap02 slapd: 0020: 00 28 1f 0a 19 a3 88 a9 b1 0e 94 cd 17 62 21 7e  .(...........b!~
> Aug 26 08:27:23 corpldap02 slapd: 0030: cd 2d 85 1b 66 20 62 f3 15 08 ba 2f 7e 56 5f 58  .-..f b..../~V_X
> Aug 26 08:27:23 corpldap02 slapd: 0040: 11 18 50 42 7e a7 10 e0 54 cc  ..PB~...T.
> Aug 26 08:27:23 corpldap02 slapd: ldap_write: want=14, written=14
> Aug 26 08:27:23 corpldap02 slapd: 0000: 30 0c 02 01 02 65 07 0a 01 20 04 00 04 00  0....e... ....
>
>
> ------------------------------------------
>
>
>
> --- "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:
>
>> You might want to search the archives for reasons why others who came
>> before you gave up...
>>
>> Kurt
>>
>> At 12:16 AM 8/26/2004, Luna, Joe wrote:
>>> All,
>>>
>>> Anyone have experience implementing a PGP key server using OpenLDAP and the
>>> schemas provided by PGP Corporation? I'm trying to get an OpenLDAP PGP key
>>> server up and running; so far I haven't had any major issues, but this one is
>>> driving me crazy.
>>>
>>> This is the deal: I can't add more than one key when sending to an 'ldaps' key
>>> server. No, not more than one at a time; one, period.
>>>
>>> This is the log entry for a successful key upload via an ldaps connection:
>>>
>>> Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 fd=12 ACCEPT from IP=192.168.254.1:1878 (IP=0.0.0.0:636)
>>> Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 op=0 ADD dn="pgpCertID=07CADF9E0CC0E12C,ou=PGP Keys,dc=domain,dc=com"
>>> Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 op=0 RESULT tag=105 err=0 text=
>>> Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 op=0 RESULT tag=105 err=0 text=
>>> Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 op=1 UNBIND
>>> Aug 21 19:32:38 pgp-keyserver slapd[1352]: conn=8 fd=12 closed
>>>
>>> If I try to send another key, this shows up in the log:
>>>
>>> Aug 21 19:32:47 pgp-keyserver slapd[1352]: conn=9 fd=12 ACCEPT from IP=192.168.254.1:1879 (IP=0.0.0.0:636)
>>> Aug 21 19:32:47 pgp-keyserver slapd[1352]: conn=9 op=0 SRCH base="cn=PGPServerInfo" scope=0 filter="(objectClass=*)"
>>> Aug 21 19:32:47 pgp-keyserver slapd[1352]: conn=9 op=0 SRCH attr=baseKeyspaceDN basePendingDN version
>>> Aug 21 19:32:47 pgp-keyserver slapd[1352]: conn=9 op=0 RESULT tag=101 err=32 text=
>>> Aug 21 19:33:10 pgp-keyserver slapd[1352]: conn=9 fd=12 closed
>>>
>>> Notice how line 2 is a 'SRCH' instead of an 'ADD' like line 2 of the
>>> successful attempt? What could be causing this? Is this a client-side issue?
>>> I'm beginning to think so. So far the only thing I see to get around this is
>>> to close the PGP client software and reopen it to send the second key. After
>>> that key is uploaded the fun starts again: nothing else can be uploaded.
>>>
>>> Relevant information:
>>>
>>> Client OS: Windows XP Pro
>>> Client Software: PGP Corporate Desktop 8.1
>>> LDAP Server: Fedora Core 2
>>> LDAP Software: # rpm -aq | grep ldap
>>> nss_ldap-217-1
>>> openldap-devel-2.1.29-1
>>> openldap-2.1.29-1
>>> php-ldap-4.3.4-11
>>> openldap-clients-2.1.29-1
>>> openldap-servers-2.1.29-1
>>>
>>> [root@pgp-keyserver ]# cat /etc/openldap/slapd.conf
>>> ####### BEGIN #######
>>>
>>> include /etc/openldap/schema/core.schema
>>> include /etc/openldap/schema/pgp-keyserver.schema
>>> include /etc/openldap/schema/pgp-remte-prefs.schema
>>>
>>> TLSCipherSuite HIGH:MEDIUM:+SSLv2
>>> TLSCertificateFile /etc/openldap/slapdcert.pem
>>> TLSCertificateKeyFile /etc/openldap/slapdkey.pem
>>>
>>> pidfile /var/run/slapd.pid
>>>
>>> sockbuf_max_incoming 524288
>>> allow bind_v2
>>> allow update_anon
>>>
>>> access to dn.sub="ou=PGP Keys,dc=domain,dc=com" by peername=127.0.0.1 write by * read
>>> access to dn="cn=pgpprefs,dc=domain,dc=com" by peername=127.0.0.1 write by * read
>>>
>>> database bdb
>>> suffix "ou=PGP Keys,dc=domain,dc=com"
>>> rootdn "cn=Manager,ou=PGP Keys,dc=domain,dc=com"
>>> rootpw {SSHA}KHgPsXtozlpujHbD1UBn$dWxYvr07j5Z
>>>
>>> directory /var/lib/ldap
>>>
>>> index objectClass eq
>>> index pgpUserID sub,eq
>>> index pgpCertID,pgpKeyID,pgpKeyType,pgpKeyCreateTime eq
>>> index pgpSignerID,pgpSubKeyID,pgpKeySize,pgpKeyExpireTime eq
>>> index pgpDisabled,pgpRevoked eq
>>> index pgpElementType sub,eq
>>> ####### END #######
>>>
>>> I don't have much of a background with LDAP, so I hope I have provided
>>> enough information. If someone knows a more appropriate list to post this to,
>>> please let me know.
>>>
>>> Thanks,
>>>
>>> Joe
>>>
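The slapd dumps quoted in ray v's message can be read byte for byte. The following is an added example (my own code, not from the thread or from OpenLDAP) that decodes the 55-byte ber_dump of the search-request tail and the 14-byte results slapd wrote back, so that "err=32" in the log can be checked against the wire bytes; the byte strings are copied from the quoted log lines.

```python
# Minimal BER decoder for the two slapd dumps quoted in the thread: the tail of
# the client's SearchRequest (present filter + attribute list, ber_dump len=55)
# and the 14-byte results slapd wrote back.  Added example, not thread code.
RESULT_CODES = {0: "success", 10: "referral", 32: "noSuchObject"}
APP_TAGS = {0x61: "BindResponse", 0x65: "SearchResultDone", 0x69: "AddResponse"}

SEARCH_TAIL = bytes.fromhex("870b6f626a656374636c617373302804"
                            "0e626173654b65797370616365444e04"
                            "0d6261736550656e64696e67444e040776657273696f6e")
RESULT_MSG1 = bytes.fromhex("300c02010165070a010004000400")  # first ldap_write
RESULT_MSG2 = bytes.fromhex("300c02010265070a012004000400")  # ber_flush / second

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length

def decode_search_tail(buf):
    """Decode the '<filter> <attributes>' bytes slapd's get_filter dumped."""
    tag, flt, pos = read_tlv(buf, 0)
    if tag != 0x87:                         # [7] = present filter, i.e. (attr=*)
        raise ValueError("only present filters are handled here")
    _, attrs, _ = read_tlv(buf, pos)        # SEQUENCE OF LDAPString
    names, p = [], 0
    while p < len(attrs):
        _, name, p = read_tlv(attrs, p)
        names.append(name.decode())
    return f"({flt.decode()}=*)", names

def decode_ldap_result(msg):
    """Decode an LDAPMessage carrying an LDAPResult (RFC 4511, 4.1.9)."""
    tag, body, end = read_tlv(msg, 0)
    if tag != 0x30 or end != len(msg):
        raise ValueError("not a single LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(body, 0)         # INTEGER messageID
    op_tag, op, _ = read_tlv(body, pos)     # APPLICATION-tagged protocolOp
    _, code, pos = read_tlv(op, 0)          # ENUMERATED resultCode
    _, matched, pos = read_tlv(op, pos)     # LDAPDN matchedDN
    _, diag, _ = read_tlv(op, pos)          # LDAPString diagnosticMessage
    rc = int.from_bytes(code, "big")
    return {"msgid": int.from_bytes(mid, "big", signed=True),
            "op": APP_TAGS.get(op_tag, f"tag 0x{op_tag:02x}"),
            "resultCode": rc, "result": RESULT_CODES.get(rc, "unknown"),
            "matchedDN": matched.decode(), "diagnosticMessage": diag.decode()}
```

Decoding RESULT_MSG2 gives msgid 2, SearchResultDone, resultCode 32 (noSuchObject), the same value both posters' logs report for the cn=PGPServerInfo search, which is the LDAP server's way of saying the base entry the client asked for does not exist.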