Imported Upstream version 2.4.3

[platform/upstream/gpg2.git] / dirmngr / ks-engine-ldap.c

diff --git a/dirmngr/ks-engine-ldap.c b/dirmngr/ks-engine-ldap.c
index 6bf19cb..c2a2105 100644 (file)
--- a/dirmngr/ks-engine-ldap.c
+++ b/dirmngr/ks-engine-ldap.c
@@ -1,7 +1,7 @@
 /* ks-engine-ldap.c - talk to a LDAP keyserver
  * Copyright (C) 2001, 2002, 2004, 2005, 2006
  *               2007  Free Software Foundation, Inc.
- * Copyright (C) 2015, 2020  g10 Code GmbH
+ * Copyright (C) 2015, 2020, 2023  g10 Code GmbH
  *
  * This file is part of GnuPG.
  *
@@ -24,17 +24,22 @@
 #include <string.h>
 #include <time.h>
 #include <unistd.h>
-#ifdef HAVE_GETOPT_H
-# include <getopt.h>
-#endif
 #include <stdlib.h>
 #include <npth.h>
+#ifdef HAVE_W32_SYSTEM
+# ifndef WINVER
+#  define WINVER 0x0500  /* Same as in common/sysutils.c */
+# endif
+# include <winsock2.h>
+# include <sddl.h>
+#endif
 
 
 #include "dirmngr.h"
 #include "misc.h"
 #include "../common/userids.h"
 #include "../common/mbox-util.h"
+#include "ks-action.h"
 #include "ks-engine.h"
 #include "ldap-misc.h"
 #include "ldap-parse-uri.h"
@@ -43,9 +48,14 @@
 
 /* Flags with infos from the connected server.  */
 #define SERVERINFO_REALLDAP 1 /* This is not the PGP keyserver.      */
-#define SERVERINFO_PGPKEYV2 2 /* Needs "pgpeyV2" instead of "pgpKey" */
+#define SERVERINFO_PGPKEYV2 2 /* Needs "pgpKeyV2" instead of "pgpKey"*/
 #define SERVERINFO_SCHEMAV2 4 /* Version 2 of the Schema.            */
 #define SERVERINFO_NTDS     8 /* Server is an Active Directory.      */
+#define SERVERINFO_GENERIC 16 /* Connected in genric mode.           */
+
+
+/* The page size requested from the server.  */
+#define PAGE_SIZE  100
 
 
 #ifndef HAVE_TIMEGM
@@ -53,6 +63,28 @@ time_t timegm(struct tm *tm);
 #endif
 
 
+/* Object to keep state pertaining to this module.  */
+struct ks_engine_ldap_local_s
+{
+  LDAP *ldap_conn;
+  LDAPMessage *message;
+  LDAPMessage *msg_iter;  /* Iterator for message.  */
+  unsigned int serverinfo;
+  int scope;
+  char *basedn;
+  char *keyspec;
+  char *filter;
+  struct berval *pagecookie;
+  unsigned int pageno;  /* Current page number (starting at 1). */
+  unsigned int total;   /* Total number of attributes read.     */
+  int more_pages;       /* More pages announced by server.      */
+};
+
+/*-- prototypes --*/
+static char *map_rid_to_dn (ctrl_t ctrl, const char *rid);
+static char *basedn_from_rootdse (ctrl_t ctrl, parsed_uri_t uri);
+
+
 \f
 static time_t
 ldap2epochtime (const char *timestr)
@@ -128,6 +160,114 @@ my_ldap_value_free (char **vals)
 }
 
 
+/* Print a description of supported variables.  */
+void
+ks_ldap_help_variables (ctrl_t ctrl)
+{
+  const char data[] =
+    "Supported variables in LDAP filter expressions:\n"
+    "\n"
+    "domain           - The defaultNamingContext.\n"
+    "domain_admins    - Group of domain admins.\n"
+    "domain_users     - Group with all user accounts.\n"
+    "domain_guests    - Group with the builtin gues account.\n"
+    "domain_computers - Group with all clients and servers.\n"
+    "cert_publishers  - Group with all cert issuing computers.\n"
+    "protected_users  - Group of users with extra protection.\n"
+    "key_admins       - Group for delegated access to msdsKeyCredentialLink.\n"
+    "enterprise_key_admins     - Similar to key_admins.\n"
+    "domain_domain_controllers - Group with all domain controllers.\n"
+    "sid_domain       - SubAuthority numbers.\n";
+
+  ks_print_help (ctrl, data);
+}
+
+
+/* Helper function for substitute_vars.  */
+static const char *
+getval_for_filter (void *cookie, const char *name)
+{
+  ctrl_t ctrl = cookie;
+  const char *result = NULL;
+
+  if (!strcmp (name, "sid_domain"))
+    {
+#ifdef HAVE_W32_SYSTEM
+      PSID mysid;
+      static char *sidstr;
+      char *s, *s0;
+      int i;
+
+      if (!sidstr)
+        {
+          mysid = w32_get_user_sid ();
+          if (!mysid)
+            {
+              gpg_err_set_errno (ENOENT);
+              goto leave;
+            }
+
+          if (!ConvertSidToStringSid (mysid, &sidstr))
+            {
+              gpg_err_set_errno (EINVAL);
+              goto leave;
+            }
+          /* Example for SIDSTR:
+           * S-1-5-21-3636969917-2569447256-918939550-1127 */
+          for (s0=NULL,s=sidstr,i=0; (s=strchr (s, '-')); i++)
+            {
+              s++;
+              if (i == 3)
+                s0 = s;
+              else if (i==6)
+                {
+                  s[-1] = 0;
+                  break;
+                }
+            }
+          if (!s0)
+            {
+              log_error ("oops: invalid SID received from OS");
+              gpg_err_set_errno (EINVAL);
+              LocalFree (sidstr);
+              goto leave;
+            }
+          sidstr = s0;  /* (We never release SIDSTR thus no memmove.)  */
+        }
+      result = sidstr;
+#else
+      gpg_err_set_errno (ENOSYS);
+      goto leave;
+#endif
+    }
+  else if (!strcmp (name, "domain"))
+    result = basedn_from_rootdse (ctrl, NULL);
+  else if (!strcmp (name, "domain_admins"))
+    result = map_rid_to_dn (ctrl, "512");
+  else if (!strcmp (name, "domain_users"))
+    result = map_rid_to_dn (ctrl, "513");
+  else if (!strcmp (name, "domain_guests"))
+    result = map_rid_to_dn (ctrl, "514");
+  else if (!strcmp (name, "domain_computers"))
+    result = map_rid_to_dn (ctrl, "515");
+  else if (!strcmp (name, "domain_domain_controllers"))
+    result = map_rid_to_dn (ctrl, "516");
+  else if (!strcmp (name, "cert_publishers"))
+    result = map_rid_to_dn (ctrl, "517");
+  else if (!strcmp (name, "protected_users"))
+    result = map_rid_to_dn (ctrl, "525");
+  else if (!strcmp (name, "key_admins"))
+    result = map_rid_to_dn (ctrl, "526");
+  else if (!strcmp (name, "enterprise_key_admins"))
+    result = map_rid_to_dn (ctrl, "527");
+  else
+    result = "";  /* Unknown variables are empty.  */
+
+ leave:
+  return result;
+}
+
+
 \f
 /* Print a help output for the schemata supported by this module. */
 gpg_error_t
@@ -159,16 +299,113 @@ ks_ldap_help (ctrl_t ctrl, parsed_uri_t uri)
 
   if(!uri)
     err = ks_print_help (ctrl, "  ldap");
-  else if (!strcmp (uri->scheme, "ldap")
-           || !strcmp (uri->scheme, "ldaps")
-           || !strcmp (uri->scheme, "ldapi")
-           || uri->opaque)
+  else if (uri->is_ldap || uri->opaque)
     err = ks_print_help (ctrl, data);
   else
     err = 0;
 
   return err;
 }
+
+
+\f
+/* Create a new empty state object.  Returns NULL on error */
+static struct ks_engine_ldap_local_s *
+ks_ldap_new_state (void)
+{
+  struct ks_engine_ldap_local_s *state;
+
+  state = xtrycalloc (1, sizeof(struct ks_engine_ldap_local_s));
+  if (state)
+    state->scope = LDAP_SCOPE_SUBTREE;
+  return state;
+}
+
+
+/* Clear the state object STATE.  Returns the STATE object.  */
+static struct ks_engine_ldap_local_s *
+ks_ldap_clear_state (struct ks_engine_ldap_local_s *state)
+{
+  if (state->ldap_conn)
+    {
+      ldap_unbind (state->ldap_conn);
+      state->ldap_conn = NULL;
+    }
+  if (state->message)
+    {
+      ldap_msgfree (state->message);
+      state->message = NULL;
+    }
+  if (state->pagecookie)
+    {
+      ber_bvfree (state->pagecookie);
+      state->pagecookie = NULL;
+    }
+  state->serverinfo = 0;
+  xfree (state->basedn);
+  state->scope = LDAP_SCOPE_SUBTREE;
+  state->basedn = NULL;
+  xfree (state->keyspec);
+  state->keyspec = NULL;
+  xfree (state->filter);
+  state->filter = NULL;
+  state->pageno = 0;
+  state->total = 0;
+  state->more_pages = 0;
+  return state;
+}
+
+
+/* Release a state object.  */
+void
+ks_ldap_free_state (struct ks_engine_ldap_local_s *state)
+{
+  if (!state)
+    return;
+  ks_ldap_clear_state (state);
+  xfree (state);
+}
+
+
+/* Helper for ks_ldap_get and ks_ldap_query.  On return first_mode and
+ * next_mode are set accordingly.  */
+static gpg_error_t
+ks_ldap_prepare_my_state (ctrl_t ctrl, unsigned int ks_get_flags,
+                          int *first_mode, int *next_mode)
+{
+  *first_mode = *next_mode = 0;
+
+  if ((ks_get_flags & KS_GET_FLAG_FIRST))
+    {
+      if (ctrl->ks_get_state)
+        ks_ldap_clear_state (ctrl->ks_get_state);
+      else if (!(ctrl->ks_get_state = ks_ldap_new_state ()))
+        return gpg_error_from_syserror ();
+      *first_mode = 1;
+    }
+
+  if ((ks_get_flags & KS_GET_FLAG_NEXT))
+    {
+      if (!ctrl->ks_get_state || !ctrl->ks_get_state->ldap_conn
+          || !ctrl->ks_get_state->message)
+        {
+          log_error ("ks-ldap: --next requested but no state\n");
+          return gpg_error (GPG_ERR_INV_STATE);
+        }
+      *next_mode = 1;
+    }
+
+  /* Do not keep an old state around if not needed.  */
+  if (!(*first_mode || *next_mode))
+    {
+      ks_ldap_free_state (ctrl->ks_get_state);
+      ctrl->ks_get_state = NULL;
+    }
+
+  return 0;
+}
+
+
 \f
 /* Convert a keyspec to a filter.  Return an error if the keyspec is
    bad or is not supported.  The filter is escaped and returned in
@@ -227,13 +464,19 @@ keyspec_to_ldap_filter (const char *keyspec, char **filter, int only_exact,
       break;
 
     case KEYDB_SEARCH_MODE_MAILSUB:
-      if (! only_exact)
+      if ((serverinfo & SERVERINFO_SCHEMAV2))
+       f = xasprintf("(&(gpgMailbox=*%s*)(!(|(pgpRevoked=1)(pgpDisabled=1))))",
+                      (freeme = ldap_escape_filter (desc.u.name)));
+      else if (!only_exact)
        f = xasprintf ("(pgpUserID=*<*%s*>*)",
                       (freeme = ldap_escape_filter (desc.u.name)));
       break;
 
     case KEYDB_SEARCH_MODE_MAILEND:
-      if (! only_exact)
+      if ((serverinfo & SERVERINFO_SCHEMAV2))
+       f = xasprintf("(&(gpgMailbox=*%s)(!(|(pgpRevoked=1)(pgpDisabled=1))))",
+                      (freeme = ldap_escape_filter (desc.u.name)));
+      else if (!only_exact)
        f = xasprintf ("(pgpUserID=*<*%s>*)",
                       (freeme = ldap_escape_filter (desc.u.name)));
       break;
@@ -246,12 +489,10 @@ keyspec_to_ldap_filter (const char *keyspec, char **filter, int only_exact,
                     (ulong) desc.u.kid[0], (ulong) desc.u.kid[1]);
       break;
 
-    case KEYDB_SEARCH_MODE_FPR16:
-    case KEYDB_SEARCH_MODE_FPR20:
     case KEYDB_SEARCH_MODE_FPR:
       if ((serverinfo & SERVERINFO_SCHEMAV2))
         {
-          freeme = bin2hex (desc.u.fpr, 20, NULL);
+          freeme = bin2hex (desc.u.fpr, desc.fprlen, NULL);
           if (!freeme)
             return gpg_error_from_syserror ();
           f = xasprintf ("(|(gpgFingerprint=%s)(gpgSubFingerprint=%s))",
@@ -288,44 +529,96 @@ keyspec_to_ldap_filter (const char *keyspec, char **filter, int only_exact,
 }
 
 
-\f
-/* Connect to an LDAP server and interrogate it.
 
-     - uri describes the server to connect to and various options
-       including whether to use TLS and the username and password (see
-       ldap_parse_uri for a description of the various fields).
+/* Helper for my_ldap_connect.  */
+static char *
+interrogate_ldap_dn (LDAP *ldap_conn, const char *basedn_search,
+                     unsigned int *r_serverinfo)
+{
+  int lerr;
+  char **vals;
+  LDAPMessage *si_res;
+  int is_gnupg = 0;
+  char *basedn = NULL;
+  char *attr2[] = { "pgpBaseKeySpaceDN", "pgpVersion", "pgpSoftware", NULL };
+  char *object;
 
-   This function returns:
 
-     - The ldap connection handle in *LDAP_CONNP.
+  object = xasprintf ("cn=pgpServerInfo,%s", basedn_search);
 
-     - The base DN for the PGP key space by querying the
-       pgpBaseKeySpaceDN attribute (This is normally
-       'ou=PGP Keys,dc=EXAMPLE,dc=ORG').
+  npth_unprotect ();
+  lerr = ldap_search_s (ldap_conn, object, LDAP_SCOPE_BASE,
+                        "(objectClass=*)", attr2, 0, &si_res);
+  npth_protect ();
+  xfree (object);
 
-     - The attribute to lookup to find the pgp key.  This is either
-       'pgpKey' or 'pgpKeyV2'.
+  if (lerr == LDAP_SUCCESS)
+    {
+      vals = ldap_get_values (ldap_conn, si_res, "pgpBaseKeySpaceDN");
+      if (vals && vals[0])
+        basedn = xtrystrdup (vals[0]);
+      my_ldap_value_free (vals);
 
-     - Whether this is a real ldap server.  (It's unclear what this
-       exactly means.)
+      vals = ldap_get_values (ldap_conn, si_res, "pgpSoftware");
+      if (vals && vals[0])
+        {
+          if (opt.debug)
+            log_debug ("Server: \t%s\n", vals[0]);
+          if (!ascii_strcasecmp (vals[0], "GnuPG"))
+            is_gnupg = 1;
+        }
+      my_ldap_value_free (vals);
 
-   The values are returned in the passed variables.  If you pass NULL,
-   then the value won't be returned.  It is the caller's
-   responsibility to release *LDAP_CONNP with ldap_unbind and xfree
-   *BASEDNP.
+      vals = ldap_get_values (ldap_conn, si_res, "pgpVersion");
+      if (vals && vals[0])
+        {
+          if (opt.debug)
+            log_debug ("Version:\t%s\n", vals[0]);
+          if (is_gnupg)
+            {
+              const char *fields[2];
+              int nfields;
+              nfields = split_fields (vals[0], fields, DIM(fields));
+              if (nfields > 0 && atoi(fields[0]) > 1)
+                *r_serverinfo |= SERVERINFO_SCHEMAV2;
+              if (nfields > 1
+                  && !ascii_strcasecmp (fields[1], "ntds"))
+                *r_serverinfo |= SERVERINFO_NTDS;
+            }
+        }
+      my_ldap_value_free (vals);
+    }
 
-   If this function successfully interrogated the server, it returns
-   0.  If there was an LDAP error, it returns the LDAP error code.  If
-   an error occurred, *basednp, etc., are undefined (and don't need to
-   be freed.)
+  /* From man ldap_search_s: "res parameter of
+     ldap_search_ext_s() and ldap_search_s() should be
+     freed with ldap_msgfree() regardless of return
+     value of these functions.  */
+  ldap_msgfree (si_res);
+  return basedn;
+}
 
-   R_SERVERINFO receives information about the server.
 
-   If no LDAP error occurred, you still need to check that *basednp is
-   valid.  If it is NULL, then the server does not appear to be an
-   OpenPGP Keyserver.  */
+\f
+/* Connect to an LDAP server and interrogate it.
+ *
+ * URI describes the server to connect to and various options
+ * including whether to use TLS and the username and password (see
+ * ldap_parse_uri for a description of the various fields).  Be
+ * default a PGP keyserver is assumed; if GENERIC is true a generic
+ * ldap conenction is instead established.
+ *
+ * Returns: The ldap connection handle in *LDAP_CONNP, R_BASEDN is set
+ * to the base DN for the PGP key space, several flags will be stored
+ * at SERVERINFO, If you pass NULL, then the value won't be returned.
+ * It is the caller's responsibility to release *LDAP_CONNP with
+ * ldap_unbind and to xfree *BASEDNP.  On error these variables are
+ * cleared.
+ *
+ * Note: On success, you still need to check that *BASEDNP is valid.
+ * If it is NULL, then the server does not appear to be an OpenPGP
+ * keyserver.  */
 static gpg_error_t
-my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
+my_ldap_connect (parsed_uri_t uri, unsigned int generic, LDAP **ldap_connp,
                  char **r_basedn, char **r_host, int *r_use_tls,
                  unsigned int *r_serverinfo)
 {
@@ -338,6 +631,7 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
   int port;            /* Port to use.  */
   int use_tls;         /* 1 = starttls, 2 = ldap-over-tls  */
   int use_ntds;        /* Use Active Directory authentication.  */
+  int use_areconly;    /* Lookup only via A record (Windows).  */
   const char *bindname;
   const char *password;
   const char *basedn_arg;
@@ -365,6 +659,7 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
       basedn_arg = server->base;
       use_tls = server->starttls? 1 : server->ldap_over_tls? 2 : 0;
       use_ntds = server->ntds;
+      use_areconly = server->areconly;
     }
   else
     {
@@ -375,12 +670,12 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
       basedn_arg = uri->path;
       use_tls = uri->use_tls ? 1 : 0;
       use_ntds = uri->ad_current;
+      use_areconly = 0;
     }
 
   if (!port)
     port = use_tls == 2? 636 : 389;
 
-
   if (host)
     {
       host = xtrystrdup (host);
@@ -392,14 +687,15 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
     }
 
   if (opt.verbose)
-    log_info ("ldap connect to '%s:%d:%s:%s:%s:%s%s'\n",
+    log_info ("ldap connect to '%s:%d:%s:%s:%s:%s%s%s'%s\n",
               host, port,
               basedn_arg ? basedn_arg : "",
               bindname ? bindname : "",
               password ? "*****" : "",
               use_tls == 1? "starttls" : use_tls == 2? "ldaptls" : "plain",
-              use_ntds ? ",ntds":"");
-
+              use_ntds ? ",ntds":"",
+              use_areconly? ",areconly":"",
+              generic? " (generic)":"");
 
   /* If the uri specifies a secure connection and we don't support
      TLS, then fail; don't silently revert to an insecure
@@ -407,7 +703,7 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
   if (use_tls)
     {
 #ifndef HAVE_LDAP_START_TLS_S
-      log_error ("ldap: can't connect to the server: no TLS support.");
+      log_error ("ks-ldap: can't connect to the server: no TLS support.");
       err = GPG_ERR_LDAP_NOT_SUPPORTED;
       goto out;
 #endif
@@ -427,6 +723,18 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
                  host, port, ldap_err2string (lerr));
       goto out;
     }
+  if (use_areconly)
+    {
+      lerr = ldap_set_option (ldap_conn, LDAP_OPT_AREC_EXCLUSIVE, LDAP_OPT_ON);
+      if (lerr != LDAP_SUCCESS)
+        {
+          log_error ("ks-ldap: unable to set LDAP_OPT_AREC_EXLUSIVE: %s\n",
+                     ldap_err2string (lerr));
+          err = ldap_err_to_gpg_err (lerr);
+          goto out;
+        }
+    }
+
 #else /* Unix */
   tmpstr = xtryasprintf ("%s://%s:%d",
                          use_tls == 2? "ldaps" : "ldap",
@@ -467,6 +775,8 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
     {
       int ver = opt.ldaptimeout;
 
+      /* fixme: also use LDAP_OPT_SEND_TIMEOUT?  */
+
       lerr = ldap_set_option (ldap_conn, LDAP_OPT_TIMELIMIT, &ver);
       if (lerr != LDAP_SUCCESS)
         {
@@ -544,13 +854,8 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
     }
   else if (bindname)
     {
-
       npth_unprotect ();
-      /* Older Windows header dont have the const for the last two args.
-       * Thus we need to cast to avoid warnings.  */
-      lerr = ldap_simple_bind_s (ldap_conn,
-                                 (char * const)bindname,
-                                 (char * const)password);
+      lerr = ldap_simple_bind_s (ldap_conn, bindname, password);
       npth_protect ();
       if (lerr != LDAP_SUCCESS)
        {
@@ -564,17 +869,39 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
       /* By default we don't bind as there is usually no need to.  */
     }
 
-  if (basedn_arg && *basedn_arg)
+  if (generic)
+    {
+      /* Generic use of this function for arbitrary LDAP servers.  */
+      *r_serverinfo |= SERVERINFO_GENERIC;
+      if (basedn_arg && *basedn_arg)
+        {
+          basedn = xtrystrdup (basedn_arg);
+          if (!basedn)
+            {
+              err = gpg_error_from_syserror ();
+              goto out;
+            }
+        }
+    }
+  else if (basedn_arg && *basedn_arg)
     {
       /* User specified base DN.  In this case we know the server is a
        * real LDAP server.  */
-      basedn = xtrystrdup (basedn_arg);
+      const char *user_basedn = basedn_arg;
+
+      *r_serverinfo |= SERVERINFO_REALLDAP;
+
+      /* First try with provided basedn, else retry up one level.
+       * Retry assumes that provided entry is for keyspace,
+       * matching old behavior */
+      basedn = interrogate_ldap_dn (ldap_conn, user_basedn, r_serverinfo);
       if (!basedn)
         {
-          err = gpg_error_from_syserror ();
-          goto out;
+          const char *basedn_parent = strchr (user_basedn, ',');
+          if (basedn_parent && *basedn_parent)
+            basedn = interrogate_ldap_dn (ldap_conn, basedn_parent + 1,
+                                          r_serverinfo);
         }
-      *r_serverinfo |= SERVERINFO_REALLDAP;
     }
   else
     { /* Look for namingContexts.  */
@@ -600,76 +927,12 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
                * we found this, we know we're talking to a regular-ish
                * LDAP server and not an LDAP keyserver.  */
              int i;
-             char *attr2[] =
-               { "pgpBaseKeySpaceDN", "pgpVersion", "pgpSoftware", NULL };
 
               *r_serverinfo |= SERVERINFO_REALLDAP;
 
              for (i = 0; context[i] && !basedn; i++)
-               {
-                 char **vals;
-                 LDAPMessage *si_res;
-                  int is_gnupg = 0;
-
-                  {
-                    char *object = xasprintf ("cn=pgpServerInfo,%s",
-                                              context[i]);
-                    npth_unprotect ();
-                    lerr = ldap_search_s (ldap_conn, object, LDAP_SCOPE_BASE,
-                                         "(objectClass=*)", attr2, 0, &si_res);
-                    npth_protect ();
-                    xfree (object);
-                  }
-
-                 if (lerr == LDAP_SUCCESS)
-                   {
-                     vals = ldap_get_values (ldap_conn, si_res,
-                                             "pgpBaseKeySpaceDN");
-                     if (vals && vals[0])
-                       {
-                         basedn = xtrystrdup (vals[0]);
-                       }
-                      my_ldap_value_free (vals);
-
-                     vals = ldap_get_values (ldap_conn, si_res,
-                                             "pgpSoftware");
-                     if (vals && vals[0])
-                       {
-                          if (opt.debug)
-                            log_debug ("Server: \t%s\n", vals[0]);
-                          if (!ascii_strcasecmp (vals[0], "GnuPG"))
-                            is_gnupg = 1;
-                       }
-                      my_ldap_value_free (vals);
-
-                     vals = ldap_get_values (ldap_conn, si_res,
-                                             "pgpVersion");
-                     if (vals && vals[0])
-                       {
-                          if (opt.debug)
-                            log_debug ("Version:\t%s\n", vals[0]);
-                          if (is_gnupg)
-                            {
-                              char *fields[2];
-                              int nfields;
-                              nfields = split_fields (vals[0],
-                                                      fields, DIM(fields));
-                              if (nfields > 0 && atoi(fields[0]) > 1)
-                                *r_serverinfo |= SERVERINFO_SCHEMAV2;
-                              if (nfields > 1
-                                  && !ascii_strcasecmp (fields[1], "ntds"))
-                                *r_serverinfo |= SERVERINFO_NTDS;
-                            }
-                       }
-                      my_ldap_value_free (vals);
-                   }
-
-                 /* From man ldap_search_s: "res parameter of
-                    ldap_search_ext_s() and ldap_search_s() should be
-                    freed with ldap_msgfree() regardless of return
-                    value of these functions.  */
-                 ldap_msgfree (si_res);
-               }
+                basedn = interrogate_ldap_dn (ldap_conn, context[i],
+                                              r_serverinfo);
 
              ldap_value_free (context);
            }
@@ -740,11 +1003,15 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
   if (!err && opt.debug)
     {
       log_debug ("ldap_conn: %p\n", ldap_conn);
-      log_debug ("server_type: %s\n", ((*r_serverinfo & SERVERINFO_REALLDAP)
-                                       ? "LDAP" : "PGP.com keyserver") );
+      log_debug ("server_type: %s\n",
+                 ((*r_serverinfo & SERVERINFO_GENERIC)
+                  ? "Generic" :
+                  (*r_serverinfo & SERVERINFO_REALLDAP)
+                  ? "LDAP" : "PGP.com keyserver") );
       log_debug ("basedn: %s\n", basedn);
-      log_debug ("pgpkeyattr: %s\n",
-                 (*r_serverinfo & SERVERINFO_PGPKEYV2)? "pgpKeyV2":"pgpKey");
+      if (!(*r_serverinfo & SERVERINFO_GENERIC))
+        log_debug ("pgpkeyattr: %s\n",
+                   (*r_serverinfo & SERVERINFO_PGPKEYV2)? "pgpKeyV2":"pgpKey");
     }
 
   ldapserver_list_free (server);
@@ -855,173 +1122,670 @@ extract_keys (estream_t output,
     }
   my_ldap_value_free (vals);
 
+  vals = ldap_get_values (ldap_conn, message, "modifyTimestamp");
+  if (vals && vals[0])
+    {
+      gnupg_isotime_t atime;
+      if (!rfc4517toisotime (atime, vals[0]))
+        es_fprintf (output, "chg:%s:\n", atime);
+    }
+  my_ldap_value_free (vals);
+
   es_fprintf (output, "INFO %s END\n", certid);
 }
 
+
+/* For now we do not support LDAP over Tor.  */
+static gpg_error_t
+no_ldap_due_to_tor (ctrl_t ctrl)
+{
+  gpg_error_t err = gpg_error (GPG_ERR_NOT_SUPPORTED);
+  const char *msg = _("LDAP access not possible due to Tor mode");
+
+  log_error ("%s", msg);
+  dirmngr_status_printf (ctrl, "NOTE", "no_ldap_due_to_tor %u %s", err, msg);
+  return gpg_error (GPG_ERR_NOT_SUPPORTED);
+}
+
+
+/* Helper for ks_ldap_get.  Returns 0 if a key was fetched and printed
+ * to FP.  The error code GPG_ERR_NO_DATA is returned if no key was
+ * printed.  Note that FP is updated by this function. */
+static gpg_error_t
+return_one_keyblock (LDAP *ldap_conn, LDAPMessage *msg, unsigned int serverinfo,
+                     estream_t *fp, strlist_t *seenp)
+{
+  gpg_error_t err;
+  char **vals;
+  char **certid;
+
+  /* Use the long keyid to remove duplicates.  The LDAP server returns
+   * the same keyid more than once if there are multiple user IDs on
+   * the key.  Note that this does NOT mean that a keyid that exists
+   * multiple times on the keyserver will not be fetched.  It means
+   * that each KEY, no matter how many user IDs share its keyid, will
+   * be fetched only once.  If a keyid that belongs to more than one
+   * key is fetched, the server quite properly responds with all
+   * matching keys. -ds
+   *
+   * Note that in --first/--next mode we don't do any duplicate
+   * detection.
+   */
+
+  certid = ldap_get_values (ldap_conn, msg, "pgpcertid");
+  if (certid && certid[0])
+    {
+      if (!seenp || !strlist_find (*seenp, certid[0]))
+        {
+          /* It's not a duplicate, add it */
+          if (seenp)
+            add_to_strlist (seenp, certid[0]);
+
+          if (!*fp)
+            {
+              *fp = es_fopenmem(0, "rw");
+              if (!*fp)
+                {
+                  err = gpg_error_from_syserror ();
+                  goto leave;
+                }
+            }
+
+          extract_keys (*fp, ldap_conn, certid[0], msg);
+
+          vals = ldap_get_values (ldap_conn, msg,
+                                  (serverinfo & SERVERINFO_PGPKEYV2)?
+                                  "pgpKeyV2" : "pgpKey");
+          if (!vals)
+            {
+              err = ldap_to_gpg_err (ldap_conn);
+              log_error("ks-ldap: unable to retrieve key %s "
+                        "from keyserver\n", certid[0]);
+            }
+          else
+            {
+              /* We should strip the new lines.  */
+              es_fprintf (*fp, "KEY 0x%s BEGIN\n", certid[0]);
+              es_fputs (vals[0], *fp);
+              es_fprintf (*fp, "\nKEY 0x%s END\n", certid[0]);
+
+              ldap_value_free (vals);
+              err = 0;
+            }
+        }
+      else /* Duplicate.  */
+        err = gpg_error (GPG_ERR_NO_DATA);
+    }
+  else
+    err = gpg_error (GPG_ERR_NO_DATA);
+
+ leave:
+  my_ldap_value_free (certid);
+  return err;
+}
+
+
+/* Helper for ks_ldap_query.  Returns 0 if an attr was fetched and
+ * printed to FP.  The error code GPG_ERR_NO_DATA is returned if no
+ * data was printed.  Note that FP is updated by this function. */
+static gpg_error_t
+return_all_attributes (LDAP *ld, LDAPMessage *msg, estream_t *fp)
+{
+  gpg_error_t err = 0;
+  BerElement *berctx = NULL;
+  char *attr = NULL;
+  const char *attrprefix;
+  struct berval **values = NULL;
+  int idx;
+  int any = 0;
+  const char *s;
+  const char *val;
+  size_t len;
+  char *mydn;
+
+  mydn = ldap_get_dn (ld, msg);
+  if (!*fp)
+    {
+      *fp = es_fopenmem(0, "rw");
+      if (!*fp)
+        {
+          err = gpg_error_from_syserror ();
+          goto leave;
+        }
+    }
+
+  /* Always print the DN - note that by using only unbkown attributes
+   * it is pissible to list just the DNs with out addiional
+   * linefeeds.  */
+  es_fprintf (*fp, "Dn: %s\n", mydn? mydn : "[oops DN missing]");
+
+  for (npth_unprotect (), attr = ldap_first_attribute (ld, msg, &berctx),
+         npth_protect ();
+       attr;
+       npth_unprotect (), attr = ldap_next_attribute (ld, msg, berctx),
+         npth_protect ())
+    {
+      npth_unprotect ();
+      values = ldap_get_values_len (ld, msg, attr);
+      npth_protect ();
+
+      if (!values)
+        {
+          if (opt.verbose)
+            log_info ("attribute '%s' not found\n", attr);
+          ldap_memfree (attr);
+          attr = NULL;
+          continue;
+        }
+
+      any = 1;
+
+      if (opt.verbose > 1)
+        {
+          log_info ("found attribute '%s'\n", attr);
+          for (idx=0; values[idx]; idx++)
+            log_info ("         length[%d]=%d\n",
+                      idx, (int)values[0]->bv_len);
+        }
+
+      if (!ascii_strcasecmp (attr, "Dn"))
+        attrprefix = "X-";
+      else if (*attr == '#')
+        attrprefix = "X-hash-";
+      else if (*attr == ' ')
+        attrprefix = "X-blank-";
+      else
+        attrprefix = "";
+      /* FIXME: We should remap all invalid chars in ATTR.   */
+
+      for (idx=0; values[idx]; idx++)
+        {
+          es_fprintf (*fp, "%s%s: ", attrprefix, attr);
+          val = values[idx]->bv_val;
+          len = values[idx]->bv_len;
+          while (len && (s = memchr (val, '\n', len)))
+            {
+              s++; /* We als want to print the LF.  */
+              if (es_fwrite (val, s - val, 1, *fp) != 1)
+                goto fwrite_failed;
+              len -= (s-val);
+              val = s;
+              if (len && es_fwrite (" ", 1, 1, *fp) != 1)
+                goto fwrite_failed;
+            }
+          if (len && es_fwrite (val, len, 1, *fp) != 1)
+            goto fwrite_failed;
+          if (es_fwrite ("\n", 1, 1, *fp) != 1)  /* Final LF.  */
+            goto fwrite_failed;
+        }
+
+      ldap_value_free_len (values);
+      values = NULL;
+      ldap_memfree (attr);
+      attr = NULL;
+    }
+
+  /* One final linefeed to prettify the output.  */
+  if (any && es_fwrite ("\n", 1, 1, *fp) != 1)
+    goto fwrite_failed;
+
+
+ leave:
+  if (values)
+    ldap_value_free_len (values);
+  ldap_memfree (attr);
+  if (mydn)
+    ldap_memfree (mydn);
+  ber_free (berctx, 0);
+  return err;
+
+ fwrite_failed:
+  err = gpg_error_from_syserror ();
+  log_error ("error writing to stdout: %s\n", gpg_strerror (err));
+  goto leave;
+}
+
+
+/* Helper for ks_ldap_get and ks_ldap_query.  Note that KEYSPEC is
+ * only used for diagnostics. */
+static gpg_error_t
+search_and_parse (ctrl_t ctrl, const char *keyspec,
+                  LDAP *ldap_conn, char *basedn, int scope, char *filter,
+                  char **attrs, LDAPMessage **r_message)
+{
+  gpg_error_t err = 0;
+  int l_err, l_reserr;
+  LDAPControl *srvctrls[2] = { NULL, NULL };
+  int count;
+  unsigned int totalcount = 0;
+  LDAPControl *pagectrl = NULL;
+  LDAPControl **resctrls = NULL;
+
+  /* first/next mode is used to retrieve many entries; thus we should
+   * use paged results.  We assume first/next mode if we have a state.
+   * We make the paged mode non-critical so that we get at least as
+   * many entries the server delivers anyway.  */
+  if (ctrl->ks_get_state)
+    {
+      l_err = ldap_create_page_control (ldap_conn, PAGE_SIZE,
+                                        ctrl->ks_get_state->pagecookie, 0,
+                                        &pagectrl);
+      if (err)
+        {
+          err = ldap_err_to_gpg_err (l_err);
+          log_error ("ks-ldap: create_page_control failed: %s\n",
+                     ldap_err2string (l_err));
+          goto leave;
+        }
+
+      ctrl->ks_get_state->more_pages = 0;
+      srvctrls[0] = pagectrl;
+    }
+
+  npth_unprotect ();
+  l_err = ldap_search_ext_s (ldap_conn, basedn, scope,
+                             filter, attrs, 0,
+                             srvctrls[0]? srvctrls : NULL, NULL, NULL, 0,
+                             r_message);
+  npth_protect ();
+  if (l_err)
+    {
+      err = ldap_err_to_gpg_err (l_err);
+      log_error ("ks-ldap: LDAP search error: %s\n", ldap_err2string (l_err));
+      goto leave;
+    }
+
+  if (ctrl->ks_get_state)
+    {
+      l_err = ldap_parse_result (ldap_conn, *r_message, &l_reserr,
+                                 NULL, NULL, NULL, &resctrls, 0);
+      if (l_err)
+        {
+          err = ldap_err_to_gpg_err (l_err);
+          log_error ("ks-ldap: LDAP parse result error: %s\n",
+                     ldap_err2string (l_err));
+          goto leave;
+        }
+      /* Get the current cookie.  */
+      if (ctrl->ks_get_state->pagecookie)
+        {
+          ber_bvfree (ctrl->ks_get_state->pagecookie);
+          ctrl->ks_get_state->pagecookie = NULL;
+        }
+      l_err = ldap_parse_page_control (ldap_conn, resctrls,
+                                       &totalcount,
+                                       &ctrl->ks_get_state->pagecookie);
+      if (l_err)
+        {
+          err = ldap_err_to_gpg_err (l_err);
+          log_error ("ks-ldap: LDAP parse page control error: %s\n",
+                     ldap_err2string (l_err));
+          goto leave;
+        }
+
+      ctrl->ks_get_state->pageno++;
+
+      /* Decide whether there will be more pages.  */
+      ctrl->ks_get_state->more_pages =
+        (ctrl->ks_get_state->pagecookie
+         && ctrl->ks_get_state->pagecookie->bv_val
+         && *ctrl->ks_get_state->pagecookie->bv_val);
+
+      srvctrls[0] = NULL;
+    }
+
+  count = ldap_count_entries (ldap_conn, *r_message);
+  if (ctrl->ks_get_state)
+    {
+      if (count >= 0)
+        ctrl->ks_get_state->total += count;
+      if (opt.verbose)
+        log_info ("ks-ldap: received result page %u%s (%d/%u/%u)\n",
+                  ctrl->ks_get_state->pageno,
+                  ctrl->ks_get_state->more_pages? "":" (last)",
+                  count, ctrl->ks_get_state->total, totalcount);
+    }
+  if (count < 1)
+    {
+      if (!ctrl->ks_get_state || ctrl->ks_get_state->pageno == 1)
+        log_info ("ks-ldap: '%s' not found on LDAP server\n", keyspec);
+
+      if (count == -1)
+        err = ldap_to_gpg_err (ldap_conn);
+      else
+        err = gpg_error (GPG_ERR_NO_DATA);
+
+      goto leave;
+    }
+
+
+ leave:
+  if (resctrls)
+    ldap_controls_free (resctrls);
+  if (pagectrl)
+    ldap_control_free (pagectrl);
+  return err;
+}
+
+
+/* Fetch all entries from the RootDSE and return them as a name value
+ * object.  */
+static nvc_t
+fetch_rootdse (ctrl_t ctrl, parsed_uri_t uri)
+{
+  gpg_error_t err;
+  estream_t infp = NULL;
+  uri_item_t puri;  /* The broken down URI (only one item used).  */
+  nvc_t nvc = NULL;
+
+  /* FIXME: We need the unparsed URI here - use uri_item_t instead
+   * of fix the parser to fill in original */
+  err = ks_action_parse_uri (uri && uri->original? uri->original : "ldap://",
+                             &puri);
+  if (err)
+    return NULL;
+
+  /* Reset authentication for a serverless.  */
+  puri->parsed_uri->ad_current = 0;
+  puri->parsed_uri->auth = NULL;
+
+  if (!strcmp (puri->parsed_uri->scheme, "ldap")
+      || !strcmp (puri->parsed_uri->scheme, "ldaps")
+      || !strcmp (puri->parsed_uri->scheme, "ldapi")
+      || puri->parsed_uri->opaque)
+    {
+      err = ks_ldap_query (ctrl, puri->parsed_uri, KS_GET_FLAG_ROOTDSE,
+                           "^&base&(objectclass=*)", NULL, NULL, &infp);
+      if (err)
+        log_error ("ldap: reading the rootDES failed: %s\n",
+                   gpg_strerror (err));
+      else if ((err = nvc_parse (&nvc, NULL, infp)))
+        log_error ("parsing the rootDES failed: %s\n", gpg_strerror (err));
+    }
+
+  es_fclose (infp);
+  release_uri_item_list (puri);
+  if (err)
+    {
+      nvc_release (nvc);
+      nvc = NULL;
+    }
+  return nvc;
+}
+
+
+/* Return the DN for the given RID.  This is used with the Active
+ * Directory.  */
+static char *
+map_rid_to_dn (ctrl_t ctrl, const char *rid)
+{
+  gpg_error_t err;
+  char *result = NULL;
+  estream_t infp = NULL;
+  uri_item_t puri;  /* The broken down URI.  */
+  nvc_t nvc = NULL;
+  char *filter = NULL;
+  const char *s;
+  char *attr[2] = {"dn", NULL};
+
+  err = ks_action_parse_uri ("ldap:///", &puri);
+  if (err)
+    return NULL;
+
+  filter = strconcat ("(objectSid=S-1-5-21-$sid_domain-", rid, ")", NULL);
+  if (!filter)
+    goto leave;
+
+  err = ks_ldap_query (ctrl, puri->parsed_uri, KS_GET_FLAG_SUBST,
+                       filter, attr, NULL, &infp);
+  if (err)
+    {
+      log_error ("ldap: AD query '%s' failed: %s\n", filter,gpg_strerror (err));
+      goto leave;
+    }
+  if ((err = nvc_parse (&nvc, NULL, infp)))
+    {
+      log_error ("ldap: parsing the result failed: %s\n",gpg_strerror (err));
+      goto leave;
+    }
+  if (!(s = nvc_get_string (nvc, "Dn:")))
+    {
+      err = gpg_error (GPG_ERR_NOT_FOUND);
+      log_error ("ldap: mapping rid '%s'failed: %s\n", rid, gpg_strerror (err));
+      goto leave;
+    }
+  result = xtrystrdup (s);
+  if (!result)
+    {
+      err = gpg_error_from_syserror ();
+      log_error ("ldap: strdup failed: %s\n", gpg_strerror (err));
+      goto leave;
+    }
+
+ leave:
+  es_fclose (infp);
+  release_uri_item_list (puri);
+  xfree (filter);
+  nvc_release (nvc);
+  return result;
+}
+
+
+/* Return the baseDN for URI which might have already been cached for
+ * this session.  */
+static char *
+basedn_from_rootdse (ctrl_t ctrl, parsed_uri_t uri)
+{
+  const char *s;
+
+  if (!ctrl->rootdse && !ctrl->rootdse_tried)
+    {
+      ctrl->rootdse = fetch_rootdse (ctrl, uri);
+      ctrl->rootdse_tried = 1;
+      if (ctrl->rootdse)
+        {
+          log_debug ("Dump of all rootDSE attributes:\n");
+          nvc_write (ctrl->rootdse, log_get_stream ());
+          log_debug ("End of dump\n");
+        }
+    }
+  s = nvc_get_string (ctrl->rootdse, "defaultNamingContext:");
+  return s? xtrystrdup (s): NULL;
+}
+
+
+
+\f
 /* Get the key described key the KEYSPEC string from the keyserver
-   identified by URI.  On success R_FP has an open stream to read the
-   data.  */
+ * identified by URI.  On success R_FP has an open stream to read the
+ * data.  KS_GET_FLAGS conveys flags from the client.  */
 gpg_error_t
 ks_ldap_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec,
-            estream_t *r_fp)
+            unsigned int ks_get_flags, gnupg_isotime_t newer, estream_t *r_fp)
 {
-  gpg_error_t err = 0;
-  int ldap_err;
+  gpg_error_t err;
   unsigned int serverinfo;
   char *host = NULL;
   int use_tls;
   char *filter = NULL;
   LDAP *ldap_conn = NULL;
   char *basedn = NULL;
+  int scope = LDAP_SCOPE_SUBTREE;
   estream_t fp = NULL;
   LDAPMessage *message = NULL;
-
-  (void) ctrl;
-
-  if (dirmngr_use_tor ())
+  LDAPMessage *msg;
+  int anykey = 0;
+  int first_mode = 0;
+  int next_mode = 0;
+  int get_first;
+  strlist_t seen = NULL; /* The set of entries that we've seen.  */
+  /* The ordering is significant.  Specifically, "pgpcertid" needs to
+   * be the second item in the list, since everything after it may be
+   * discarded if we aren't in verbose mode.  */
+  char *attrs[] =
     {
-      /* For now we do not support LDAP over Tor.  */
-      log_error (_("LDAP access not possible due to Tor mode\n"));
-      return gpg_error (GPG_ERR_NOT_SUPPORTED);
-    }
+     "dummy", /* (to be be replaced.)  */
+     "pgpcertid", "pgpuserid", "pgpkeyid", "pgprevoked", "pgpdisabled",
+     "pgpkeycreatetime", "modifyTimestamp", "pgpkeysize", "pgpkeytype",
+     "gpgfingerprint",
+     NULL
+    };
 
-  /* Make sure we are talking to an OpenPGP LDAP server.  */
-  err = my_ldap_connect (uri, &ldap_conn,
-                         &basedn, &host, &use_tls, &serverinfo);
-  if (err || !basedn)
+  if (dirmngr_use_tor ())
     {
-      if (!err)
-       err = gpg_error (GPG_ERR_GENERAL);
-      goto out;
+      return no_ldap_due_to_tor (ctrl);
     }
 
-  /* Now that we have information about the server we can construct a
-   * query best suited for the capabilities of the server.  */
-  err = keyspec_to_ldap_filter (keyspec, &filter, 1, serverinfo);
+  err = ks_ldap_prepare_my_state (ctrl, ks_get_flags, &first_mode, &next_mode);
   if (err)
-    goto out;
+    return err;
 
-  if (opt.debug)
-    log_debug ("ks-ldap: using filter: %s\n", filter);
+  if (next_mode)
+    {
+    next_again:
+      if (!ctrl->ks_get_state->msg_iter && ctrl->ks_get_state->more_pages)
+        {
+          /* Get the next page of results.  */
+          if (ctrl->ks_get_state->message)
+            {
+              ldap_msgfree (ctrl->ks_get_state->message);
+              ctrl->ks_get_state->message = NULL;
+            }
+          attrs[0] = ((ctrl->ks_get_state->serverinfo & SERVERINFO_PGPKEYV2)?
+                      "pgpKeyV2" : "pgpKey");
+          err = search_and_parse (ctrl, ctrl->ks_get_state->keyspec,
+                                  ctrl->ks_get_state->ldap_conn,
+                                  ctrl->ks_get_state->basedn,
+                                  ctrl->ks_get_state->scope,
+                                  ctrl->ks_get_state->filter,
+                                  attrs,
+                                  &ctrl->ks_get_state->message);
+          if (err)
+            goto leave;
+          ctrl->ks_get_state->msg_iter = ctrl->ks_get_state->message;
+          get_first = 1;
+        }
+      else
+        get_first = 0;
 
-  {
-    /* The ordering is significant.  Specifically, "pgpcertid" needs
-       to be the second item in the list, since everything after it
-       may be discarded if we aren't in verbose mode. */
-    char *attrs[] =
-      {
-       "dummy",
-       "pgpcertid", "pgpuserid", "pgpkeyid", "pgprevoked", "pgpdisabled",
-       "pgpkeycreatetime", "modifytimestamp", "pgpkeysize", "pgpkeytype",
-        "gpgfingerprint",
-       NULL
-      };
-    /* 1 if we want just attribute types; 0 if we want both attribute
-     * types and values.  */
-    int attrsonly = 0;
-    int count;
+      while (ctrl->ks_get_state->msg_iter)
+        {
+          npth_unprotect ();
+          ctrl->ks_get_state->msg_iter
+            = get_first? ldap_first_entry (ctrl->ks_get_state->ldap_conn,
+                                           ctrl->ks_get_state->msg_iter)
+              /*    */ : ldap_next_entry (ctrl->ks_get_state->ldap_conn,
+                                          ctrl->ks_get_state->msg_iter);
+          npth_protect ();
+          get_first = 0;
+          if (ctrl->ks_get_state->msg_iter)
+            {
+              err = return_one_keyblock (ctrl->ks_get_state->ldap_conn,
+                                         ctrl->ks_get_state->msg_iter,
+                                         ctrl->ks_get_state->serverinfo,
+                                         &fp, NULL);
+              if (!err)
+                break;  /* Found.  */
+              else if (gpg_err_code (err) == GPG_ERR_NO_DATA)
+                err = 0;  /* Skip empty attributes. */
+              else
+                goto leave;
+            }
+        }
 
-    /* Replace "dummy".  */
-    attrs[0] = (serverinfo & SERVERINFO_PGPKEYV2)? "pgpKeyV2" : "pgpKey";
+      if (!ctrl->ks_get_state->msg_iter || !fp)
+        {
+          ctrl->ks_get_state->msg_iter = NULL;
+          if (ctrl->ks_get_state->more_pages)
+            goto next_again;
+          err = gpg_error (GPG_ERR_NO_DATA);
+        }
 
-    npth_unprotect ();
-    ldap_err = ldap_search_s (ldap_conn, basedn, LDAP_SCOPE_SUBTREE,
-                             filter, attrs, attrsonly, &message);
-    npth_protect ();
-    if (ldap_err)
-      {
-       err = ldap_err_to_gpg_err (ldap_err);
+    }
+  else /* Not in --next mode.  */
+    {
+      /* Make sure we are talking to an OpenPGP LDAP server.  */
+      err = my_ldap_connect (uri, 0, &ldap_conn,
+                             &basedn, &host, &use_tls, &serverinfo);
+      if (err || !basedn)
+        {
+          if (!err)
+            err = gpg_error (GPG_ERR_GENERAL);
+          goto leave;
+        }
 
-       log_error ("ks-ldap: LDAP search error: %s\n",
-                  ldap_err2string (ldap_err));
-       goto out;
-      }
+      /* Now that we have information about the server we can construct a
+       * query best suited for the capabilities of the server.  */
+      if (first_mode && !*keyspec)
+        {
+          filter = xtrystrdup("(!(|(pgpRevoked=1)(pgpDisabled=1)))");
+          err = filter? 0 : gpg_error_from_syserror ();
+        }
+      else
+        err = keyspec_to_ldap_filter (keyspec, &filter, 1, serverinfo);
+      if (err)
+        goto leave;
 
-    count = ldap_count_entries (ldap_conn, message);
-    if (count < 1)
-      {
-       log_info ("ks-ldap: key %s not found on keyserver\n", keyspec);
+      if (*newer)
+        {
+          char *tstr, *fstr;
+
+          tstr = isotime2rfc4517 (newer);
+          if (!tstr)
+            {
+              err = gpg_error_from_syserror ();
+              goto leave;
+            }
+          fstr = strconcat ("(&", filter,
+                            "(modifyTimestamp>=", tstr, "))", NULL);
+          xfree (tstr);
+          if (!fstr)
+            {
+              err = gpg_error_from_syserror ();
+              goto leave;
+            }
+          xfree (filter);
+          filter = fstr;
+        }
 
-       if (count == -1)
-         err = ldap_to_gpg_err (ldap_conn);
-       else
-         err = gpg_error (GPG_ERR_NO_DATA);
+      if (opt.debug)
+        log_debug ("ks-ldap: using filter: %s\n", filter);
 
-       goto out;
-      }
+      /* Replace "dummy".  */
+      attrs[0] = (serverinfo & SERVERINFO_PGPKEYV2)? "pgpKeyV2" : "pgpKey";
 
-    {
-      /* There may be more than one unique result for a given keyID,
-        so we should fetch them all (test this by fetching short key
-        id 0xDEADBEEF). */
+      err = search_and_parse (ctrl, keyspec, ldap_conn, basedn, scope,
+                              filter, attrs, &message);
+      if (err)
+        goto leave;
 
-      /* The set of entries that we've seen.  */
-      strlist_t seen = NULL;
-      LDAPMessage *each;
-      int anykey = 0;
 
       for (npth_unprotect (),
-             each = ldap_first_entry (ldap_conn, message),
+             msg = ldap_first_entry (ldap_conn, message),
              npth_protect ();
-          each;
+          msg;
            npth_unprotect (),
-             each = ldap_next_entry (ldap_conn, each),
+             msg = ldap_next_entry (ldap_conn, msg),
              npth_protect ())
        {
-         char **vals;
-         char **certid;
-
-         /* Use the long keyid to remove duplicates.  The LDAP
-            server returns the same keyid more than once if there
-            are multiple user IDs on the key.  Note that this does
-            NOT mean that a keyid that exists multiple times on the
-            keyserver will not be fetched.  It means that each KEY,
-            no matter how many user IDs share its keyid, will be
-            fetched only once.  If a keyid that belongs to more
-            than one key is fetched, the server quite properly
-            responds with all matching keys. -ds */
-
-         certid = ldap_get_values (ldap_conn, each, "pgpcertid");
-         if (certid && certid[0])
-           {
-             if (! strlist_find (seen, certid[0]))
-               {
-                 /* It's not a duplicate, add it */
-
-                 add_to_strlist (&seen, certid[0]);
-
-                 if (! fp)
-                   fp = es_fopenmem(0, "rw");
-
-                 extract_keys (fp, ldap_conn, certid[0], each);
-
-                 vals = ldap_get_values (ldap_conn, each, attrs[0]);
-                 if (! vals)
-                   {
-                     err = ldap_to_gpg_err (ldap_conn);
-                     log_error("ks-ldap: unable to retrieve key %s "
-                               "from keyserver\n", certid[0]);
-                     goto out;
-                   }
-                 else
-                   {
-                     /* We should strip the new lines.  */
-                     es_fprintf (fp, "KEY 0x%s BEGIN\n", certid[0]);
-                     es_fputs (vals[0], fp);
-                     es_fprintf (fp, "\nKEY 0x%s END\n", certid[0]);
-
-                     ldap_value_free (vals);
-                      anykey = 1;
-                   }
-               }
-           }
-
-          my_ldap_value_free (certid);
+          err = return_one_keyblock (ldap_conn, msg, serverinfo,
+                                     &fp, first_mode? NULL : &seen);
+          if (!err)
+            {
+              anykey = 1;
+              if (first_mode)
+                break;
+            }
+          else if (gpg_err_code (err) == GPG_ERR_NO_DATA)
+            err = 0;  /* Skip empty/duplicate attributes. */
+          else
+            goto leave;
        }
 
-      free_strlist (seen);
+      if (ctrl->ks_get_state) /* Save the iterator.  */
+        ctrl->ks_get_state->msg_iter = msg;
 
-      if (! fp)
+      if (!fp) /* Nothing was found.  */
        err = gpg_error (GPG_ERR_NO_DATA);
 
       if (!err && anykey)
@@ -1029,25 +1793,46 @@ ks_ldap_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec,
                                      use_tls? "ldaps" : "ldap",
                                      host? host:"");
     }
-  }
 
- out:
+
+ leave:
+  /* Store our state if needed.  */
+  if (!err && (ks_get_flags & KS_GET_FLAG_FIRST))
+    {
+      log_assert (!ctrl->ks_get_state->ldap_conn);
+      ctrl->ks_get_state->ldap_conn = ldap_conn;
+      ldap_conn = NULL;
+      log_assert (!ctrl->ks_get_state->message);
+      ctrl->ks_get_state->message = message;
+      message = NULL;
+      ctrl->ks_get_state->serverinfo = serverinfo;
+      ctrl->ks_get_state->scope = scope;
+      ctrl->ks_get_state->basedn = basedn;
+      basedn = NULL;
+      ctrl->ks_get_state->keyspec = keyspec? xtrystrdup (keyspec) : NULL;
+      ctrl->ks_get_state->filter = filter;
+      filter = NULL;
+    }
+  if ((ks_get_flags & KS_GET_FLAG_NEXT))
+    {
+      /* Keep the state in --next mode even with errors.  */
+      ldap_conn = NULL;
+      message = NULL;
+    }
+
   if (message)
     ldap_msgfree (message);
 
   if (err)
-    {
-      if (fp)
-       es_fclose (fp);
-    }
+    es_fclose (fp);
   else
     {
       if (fp)
        es_fseek (fp, 0, SEEK_SET);
-
       *r_fp = fp;
     }
 
+  free_strlist (seen);
   xfree (basedn);
   xfree (host);
 
@@ -1078,13 +1863,11 @@ ks_ldap_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,
 
   if (dirmngr_use_tor ())
     {
-      /* For now we do not support LDAP over Tor.  */
-      log_error (_("LDAP access not possible due to Tor mode\n"));
-      return gpg_error (GPG_ERR_NOT_SUPPORTED);
+      return no_ldap_due_to_tor (ctrl);
     }
 
   /* Make sure we are talking to an OpenPGP LDAP server.  */
-  err = my_ldap_connect (uri, &ldap_conn, &basedn, NULL, NULL, &serverinfo);
+  err = my_ldap_connect (uri, 0, &ldap_conn, &basedn, NULL, NULL, &serverinfo);
   if (err || !basedn)
     {
       if (!err)
@@ -1120,7 +1903,7 @@ ks_ldap_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,
     char *attrs[] =
       {
        "pgpcertid", "pgpuserid", "pgprevoked", "pgpdisabled",
-       "pgpkeycreatetime", "pgpkeyexpiretime", "modifytimestamp",
+       "pgpkeycreatetime", "pgpkeyexpiretime", "modifyTimestamp",
        "pgpkeysize", "pgpkeytype", "gpgfingerprint",
         NULL
       };
@@ -1274,19 +2057,17 @@ ks_ldap_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,
                  }
                 my_ldap_value_free (vals);
 
-#if 0
-               /* This is not yet specified in the keyserver
-                  protocol, but may be someday. */
                es_fputc (':', fp);
 
-               vals = ldap_get_values (ldap_conn, each, "modifytimestamp");
-               if(vals && vals[0] strlen (vals[0]) == 15)
+               vals = ldap_get_values (ldap_conn, each, "modifyTimestamp");
+               if(vals && vals[0])
                  {
-                   es_fprintf (fp, "%u",
-                               (unsigned int) ldap2epochtime (vals[0]));
+                    gnupg_isotime_t atime;
+                    if (rfc4517toisotime (atime, vals[0]))
+                      *atime = 0;
+                    es_fprintf (fp, "%s", atime);
                  }
                 my_ldap_value_free (vals);
-#endif
 
                es_fprintf (fp, "\n");
 
@@ -1924,7 +2705,7 @@ extract_attributes (LDAPMod ***modlist, int *extract_state,
 
       uncescape (uid);
       modlist_add (modlist, "pgpUserID", uid);
-      if (schemav2 && (mbox = mailbox_from_userid (uid)))
+      if (schemav2 && (mbox = mailbox_from_userid (uid, 0)))
         {
           modlist_add (modlist, "gpgMailbox", mbox);
           xfree (mbox);
@@ -1970,12 +2751,10 @@ ks_ldap_put (ctrl_t ctrl, parsed_uri_t uri,
 
   if (dirmngr_use_tor ())
     {
-      /* For now we do not support LDAP over Tor.  */
-      log_error (_("LDAP access not possible due to Tor mode\n"));
-      return gpg_error (GPG_ERR_NOT_SUPPORTED);
+      return no_ldap_due_to_tor (ctrl);
     }
 
-  err = my_ldap_connect (uri, &ldap_conn, &basedn, NULL, NULL, &serverinfo);
+  err = my_ldap_connect (uri, 0, &ldap_conn, &basedn, NULL, NULL, &serverinfo);
   if (err || !basedn)
     {
       if (!err)
@@ -2201,3 +2980,265 @@ ks_ldap_put (ctrl_t ctrl, parsed_uri_t uri,
 
   return err;
 }
+
+
+\f
+/* Get the data described by FILTER_ARG from URI.  On success R_FP has
+ * an open stream to read the data.  KS_GET_FLAGS conveys flags from
+ * the client.  ATTRS is a NULL terminated list of attributes to
+ * return or NULL for all. */
+gpg_error_t
+ks_ldap_query (ctrl_t ctrl, parsed_uri_t uri, unsigned int ks_get_flags,
+               const char *filter_arg, char **attrs,
+               gnupg_isotime_t newer, estream_t *r_fp)
+{
+  gpg_error_t err;
+  unsigned int serverinfo;
+  char *host = NULL;
+  int use_tls;
+  LDAP *ldap_conn = NULL;
+  char *basedn = NULL;
+  estream_t fp = NULL;
+  char *filter_arg_buffer = NULL;
+  char *filter = NULL;
+  int scope = LDAP_SCOPE_SUBTREE;
+  LDAPMessage *message = NULL;
+  LDAPMessage *msg;
+  int anydata = 0;
+  int first_mode = 0;
+  int next_mode = 0;
+  int get_first;
+
+  if (dirmngr_use_tor ())
+    return no_ldap_due_to_tor (ctrl);
+
+  if ((!filter_arg || !*filter_arg) && (ks_get_flags & KS_GET_FLAG_ROOTDSE))
+    filter_arg = "^&base&(objectclass=*)";
+
+  if ((ks_get_flags & KS_GET_FLAG_SUBST)
+      && filter_arg && strchr (filter_arg, '$'))
+    {
+      filter_arg_buffer = substitute_vars (filter_arg, getval_for_filter, ctrl);
+      if (!filter_arg_buffer)
+        {
+          err = gpg_error_from_syserror ();
+          log_error ("substituting filter variables failed: %s\n",
+                     gpg_strerror (err));
+          goto leave;
+        }
+      filter_arg = filter_arg_buffer;
+    }
+
+  err = ks_ldap_prepare_my_state (ctrl, ks_get_flags, &first_mode, &next_mode);
+  if (err)
+    goto leave;
+
+  if (!next_mode) /* (In --next mode the filter is ignored.)  */
+    {
+      if (!filter_arg || !*filter_arg)
+        {
+          err = gpg_error (GPG_ERR_LDAP_FILTER);
+          goto leave;
+        }
+      err = ldap_parse_extfilter (filter_arg, 0, &basedn, &scope, &filter);
+      if (err)
+        goto leave;
+      if (newer && *newer)
+        {
+          char *tstr, *fstr;
+
+          tstr = isotime2rfc4517 (newer);
+          if (!tstr)
+            {
+              err = gpg_error_from_syserror ();
+              goto leave;
+            }
+          if (filter && *filter)
+            fstr = strconcat ("(&", filter,
+                              "(modifyTimestamp>=", tstr, "))", NULL);
+          else
+            fstr = strconcat ("(modifyTimestamp>=", tstr, ")", NULL);
+          xfree (tstr);
+          if (!fstr)
+            {
+              err = gpg_error_from_syserror ();
+              goto leave;
+            }
+          xfree (filter);
+          filter = fstr;
+        }
+    }
+
+
+  if (next_mode)
+    {
+    next_again:
+      if (!ctrl->ks_get_state->msg_iter && ctrl->ks_get_state->more_pages)
+        {
+          /* Get the next page of results.  */
+          if (ctrl->ks_get_state->message)
+            {
+              ldap_msgfree (ctrl->ks_get_state->message);
+              ctrl->ks_get_state->message = NULL;
+            }
+          err = search_and_parse (ctrl, ctrl->ks_get_state->keyspec,
+                                  ctrl->ks_get_state->ldap_conn,
+                                  ctrl->ks_get_state->basedn,
+                                  ctrl->ks_get_state->scope,
+                                  ctrl->ks_get_state->filter,
+                                  attrs,
+                                  &ctrl->ks_get_state->message);
+          if (err)
+            goto leave;
+          ctrl->ks_get_state->msg_iter = ctrl->ks_get_state->message;
+          get_first = 1;
+        }
+      else
+        get_first = 0;
+
+      while (ctrl->ks_get_state->msg_iter)
+        {
+          npth_unprotect ();
+          ctrl->ks_get_state->msg_iter
+            = get_first? ldap_first_entry (ctrl->ks_get_state->ldap_conn,
+                                           ctrl->ks_get_state->msg_iter)
+              /*    */ : ldap_next_entry (ctrl->ks_get_state->ldap_conn,
+                                          ctrl->ks_get_state->msg_iter);
+          npth_protect ();
+          get_first = 0;
+          if (ctrl->ks_get_state->msg_iter)
+            {
+              err = return_all_attributes (ctrl->ks_get_state->ldap_conn,
+                                           ctrl->ks_get_state->msg_iter,
+                                           &fp);
+              if (!err)
+                break;  /* Found.  */
+              else if (gpg_err_code (err) == GPG_ERR_NO_DATA)
+                err = 0;  /* Skip empty attributes. */
+              else
+                goto leave;
+            }
+        }
+
+      if (!ctrl->ks_get_state->msg_iter || !fp)
+        {
+          ctrl->ks_get_state->msg_iter = NULL;
+          if (ctrl->ks_get_state->more_pages)
+            goto next_again;
+          err = gpg_error (GPG_ERR_NO_DATA);
+        }
+
+    }
+  else /* Not in --next mode.  */
+    {
+      /* Connect to the LDAP server in generic mode. */
+      char *tmpbasedn;
+
+      err = my_ldap_connect (uri, 1 /*generic*/, &ldap_conn,
+                             &tmpbasedn, &host, &use_tls, &serverinfo);
+      if (err)
+        goto leave;
+      if (basedn)
+        xfree (tmpbasedn); /* Extended syntax overrides.  */
+      else if (tmpbasedn)
+        basedn = tmpbasedn;
+      else if (!(ks_get_flags & KS_GET_FLAG_ROOTDSE))
+        {
+          /* No BaseDN known - get one.  */
+          basedn = basedn_from_rootdse (ctrl, uri);
+        }
+
+      if (opt.debug)
+        {
+          log_debug ("ks-ldap: using basedn: %s\n", basedn);
+          log_debug ("ks-ldap: using filter: %s\n", filter);
+        }
+
+      err = search_and_parse (ctrl, filter, ldap_conn, basedn, scope, filter,
+                              attrs, &message);
+      if (err)
+        goto leave;
+
+
+      for (npth_unprotect (),
+             msg = ldap_first_entry (ldap_conn, message),
+             npth_protect ();
+          msg;
+           npth_unprotect (),
+             msg = ldap_next_entry (ldap_conn, msg),
+             npth_protect ())
+       {
+          err = return_all_attributes (ldap_conn, msg, &fp);
+          if (!err)
+            {
+              anydata = 1;
+              if (first_mode)
+                break;
+            }
+          else if (gpg_err_code (err) == GPG_ERR_NO_DATA)
+            err = 0;  /* Skip empty/duplicate attributes. */
+          else
+            goto leave;
+       }
+
+      if (ctrl->ks_get_state) /* Save the iterator.  */
+        ctrl->ks_get_state->msg_iter = msg;
+
+      if (!fp) /* Nothing was found.  */
+       err = gpg_error (GPG_ERR_NO_DATA);
+
+      if (!err && anydata)
+        err = dirmngr_status_printf (ctrl, "SOURCE", "%s://%s",
+                                     use_tls? "ldaps" : "ldap",
+                                     host? host:"");
+    }
+
+
+ leave:
+  /* Store our state if needed.  */
+  if (!err && (ks_get_flags & KS_GET_FLAG_FIRST))
+    {
+      log_assert (!ctrl->ks_get_state->ldap_conn);
+      ctrl->ks_get_state->ldap_conn = ldap_conn;
+      ldap_conn = NULL;
+      log_assert (!ctrl->ks_get_state->message);
+      ctrl->ks_get_state->message = message;
+      message = NULL;
+      ctrl->ks_get_state->serverinfo = serverinfo;
+      ctrl->ks_get_state->scope = scope;
+      ctrl->ks_get_state->basedn = basedn;
+      basedn = NULL;
+      ctrl->ks_get_state->keyspec = filter? xtrystrdup (filter) : NULL;
+      ctrl->ks_get_state->filter = filter;
+      filter = NULL;
+    }
+  if ((ks_get_flags & KS_GET_FLAG_NEXT))
+    {
+      /* Keep the state in --next mode even with errors.  */
+      ldap_conn = NULL;
+      message = NULL;
+    }
+
+  if (message)
+    ldap_msgfree (message);
+
+  if (err)
+    es_fclose (fp);
+  else
+    {
+      if (fp)
+       es_fseek (fp, 0, SEEK_SET);
+      *r_fp = fp;
+    }
+
+  xfree (basedn);
+  xfree (host);
+
+  if (ldap_conn)
+    ldap_unbind (ldap_conn);
+
+  xfree (filter);
+  xfree (filter_arg_buffer);
+
+  return err;
+}