2020-10-07 18:33:58 +02:00
|
|
|
# gnupg-ldap-scheme.ldif -*- conf -*-
|
|
|
|
#
|
2024-05-12 18:09:23 -04:00
|
|
|
# Schema for an OpenPGP LDAP keyserver. This is a slightly enhanced
|
2020-10-07 18:33:58 +02:00
|
|
|
# version of the original LDAP schema used for PGP keyservers as
|
|
|
|
# installed at quite some sites.
|
|
|
|
# Revision: 2020-10-07
|
|
|
|
|
|
|
|
# Note: The index 1000 is just a high number so that OpenLDAP assigns
|
|
|
|
# the next available number.
|
|
|
|
dn: cn={1000}gnupg-keyserver,cn=schema,cn=config
|
|
|
|
objectClass: olcSchemaConfig
|
|
|
|
# The base DN for the PGP key space by querying the
|
|
|
|
# pgpBaseKeySpaceDN attribute (This is normally
|
|
|
|
# 'ou=PGP Keys,dc=example,dc=com').
|
|
|
|
olcAttributeTypes: {0}(
|
|
|
|
1.3.6.1.4.1.3401.8.2.8
|
|
|
|
NAME 'pgpBaseKeySpaceDN'
|
|
|
|
DESC 'Points to DN of the object that will store the PGP keys.'
|
|
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
|
|
|
|
SINGLE-VALUE )
|
|
|
|
# See gnupg-ldap-init.ldif for a description of the next two attributes
|
|
|
|
olcAttributeTypes: {1}(
|
|
|
|
1.3.6.1.4.1.3401.8.2.9
|
|
|
|
NAME 'pgpSoftware'
|
|
|
|
DESC 'Origin of the schema'
|
|
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|
|
|
SINGLE-VALUE )
|
|
|
|
olcAttributeTypes: {2}(
|
|
|
|
1.3.6.1.4.1.3401.8.2.10
|
|
|
|
NAME 'pgpVersion'
|
|
|
|
DESC 'Version of this schema'
|
|
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|
|
|
SINGLE-VALUE )
|
|
|
|
#
|
|
|
|
# The attribute holding the OpenPGP keyblock.
|
|
|
|
# The legacy PGP LDAP server used pgpKeyV2 instead.
|
|
|
|
olcAttributeTypes: {3}(
|
|
|
|
1.3.6.1.4.1.3401.8.2.11
|
|
|
|
NAME 'pgpKey'
|
|
|
|
DESC 'OpenPGP public key block'
|
|
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
|
|
|
SINGLE-VALUE )
|
|
|
|
# The long key-ID
|
|
|
|
olcAttributeTypes: {4}(
|
|
|
|
1.3.6.1.4.1.3401.8.2.12
|
|
|
|
NAME 'pgpCertID'
|
|
|
|
DESC 'OpenPGP long key id'
|
|
|
|
EQUALITY caseIgnoreMatch
|
|
|
|
SUBSTR caseIgnoreSubstringsMatch
|
|
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|
|
|
SINGLE-VALUE )
|
|
|
|
# A flag to temporary disable a keyblock
|
|
|
|
olcAttributeTypes: {5}(
|
|
|
|
1.3.6.1.4.1.3401.8.2.13
|
|
|
|
NAME 'pgpDisabled'
|
|
|
|
DESC 'pgpDisabled attribute for PGP'
|
|
|
|
EQUALITY caseIgnoreMatch
|
|
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|
|
|
SINGLE-VALUE )
|
|
|
|
# The short key id. This is actually not required and should thus not
|
2024-05-12 18:09:23 -04:00
|
|
|
# be used by client software.
|
2020-10-07 18:33:58 +02:00
|
|
|
olcAttributeTypes: {6}(
|
|
|
|
1.3.6.1.4.1.3401.8.2.14
|
|
|
|
NAME 'pgpKeyID'
|
|
|
|
DESC 'OpenPGP short key id'
|
|
|
|
EQUALITY caseIgnoreMatch
|
|
|
|
SUBSTR caseIgnoreSubstringsMatch
|
|
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|
|
|
SINGLE-VALUE )
|
|
|
|
# The algorithm of the key. Used to be "RSA" or "DSS/DH".
|
|
|
|
olcAttributeTypes: {7}(
|
|
|
|
1.3.6.1.4.1.3401.8.2.15
|
|
|
|
NAME 'pgpKeyType'
|
|
|
|
DESC 'pgpKeyType attribute for PGP'
|
|
|
|
EQUALITY caseIgnoreMatch
|
|
|
|
SUBSTR caseIgnoreSubstringsMatch
|
|
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|
|
|
SINGLE-VALUE )
|
|
|
|
# The User-ID. GnuPG maps its user-ID classes this way:
|
|
|
|
# exact: (pgpUserID=%s)
|
|
|
|
# substr: (pgpUserID=*%s*)
|
|
|
|
# mail: (pgpUserID=*<%s>*)
|
|
|
|
# mailsub: (pgpUserID=*<*%s*>*)
|
|
|
|
# mailend: (pgpUserID=*<*%s>*)
|
|
|
|
olcAttributeTypes: {8}(
|
|
|
|
1.3.6.1.4.1.3401.8.2.16
|
|
|
|
NAME 'pgpUserID'
|
|
|
|
DESC 'User ID(s) associated with the key'
|
|
|
|
EQUALITY caseIgnoreMatch
|
|
|
|
SUBSTR caseIgnoreSubstringsMatch
|
|
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
|
|
|
|
# The creation time of the primary key.
|
|
|
|
# Stored in ISO format: "20201231 120000"
|
|
|
|
olcAttributeTypes: {9}(
|
|
|
|
1.3.6.1.4.1.3401.8.2.17
|
|
|
|
NAME 'pgpKeyCreateTime'
|
|
|
|
DESC 'Primary key creation time'
|
|
|
|
EQUALITY caseIgnoreMatch
|
|
|
|
ORDERING caseIgnoreOrderingMatch
|
|
|
|
SUBSTR caseIgnoreSubstringsMatch
|
|
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|
|
|
SINGLE-VALUE )
|
|
|
|
# Not used
|
|
|
|
olcAttributeTypes: {10}(
|
|
|
|
1.3.6.1.4.1.3401.8.2.18
|
|
|
|
NAME 'pgpSignerID'
|
|
|
|
DESC 'pgpSignerID attribute for PGP'
|
|
|
|
EQUALITY caseIgnoreMatch
|
|
|
|
SUBSTR caseIgnoreSubstringsMatch
|
|
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
|
|
|
|
# A value of 1 indicated that the keyblock has been revoked
|
|
|
|
olcAttributeTypes: {11}(
|
|
|
|
1.3.6.1.4.1.3401.8.2.19
|
|
|
|
NAME 'pgpRevoked'
|
|
|
|
DESC 'pgpRevoked attribute for PGP'
|
|
|
|
EQUALITY caseIgnoreMatch
|
|
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|
|
|
SINGLE-VALUE )
|
2020-12-15 08:52:06 +01:00
|
|
|
# Note that there is no short subkeyid despite that the name
|
|
|
|
# is similar to the name of short keyid of the primary key.
|
2020-10-07 18:33:58 +02:00
|
|
|
olcAttributeTypes: {12}(
|
|
|
|
1.3.6.1.4.1.3401.8.2.20
|
|
|
|
NAME 'pgpSubKeyID'
|
2020-12-15 08:52:06 +01:00
|
|
|
DESC 'OpenPGP long Subkey ID(s) of the PGP key.'
|
2020-10-07 18:33:58 +02:00
|
|
|
EQUALITY caseIgnoreMatch
|
|
|
|
SUBSTR caseIgnoreSubstringsMatch
|
|
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
|
2020-12-15 08:52:06 +01:00
|
|
|
# A hint on the keysize.
|
2020-10-07 18:33:58 +02:00
|
|
|
olcAttributeTypes: {13}(
|
|
|
|
1.3.6.1.4.1.3401.8.2.21
|
|
|
|
NAME 'pgpKeySize'
|
|
|
|
DESC 'pgpKeySize attribute for PGP'
|
|
|
|
EQUALITY caseIgnoreMatch
|
|
|
|
ORDERING caseIgnoreOrderingMatch
|
|
|
|
SUBSTR caseIgnoreSubstringsMatch
|
|
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
|
|
|
|
# Expiration time of the primary key.
|
|
|
|
# Stored in ISO format: "20201231 120000"
|
|
|
|
olcAttributeTypes: {14}(
|
|
|
|
1.3.6.1.4.1.3401.8.2.22
|
|
|
|
NAME 'pgpKeyExpireTime'
|
|
|
|
DESC 'pgpKeyExpireTime attribute for PGP'
|
|
|
|
EQUALITY caseIgnoreMatch
|
|
|
|
ORDERING caseIgnoreOrderingMatch
|
|
|
|
SUBSTR caseIgnoreSubstringsMatch
|
|
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|
|
|
SINGLE-VALUE )
|
|
|
|
#
|
|
|
|
# The hex encoded fingerprint of the primary key.
|
|
|
|
olcAttributeTypes: {15}(
|
|
|
|
1.3.6.1.4.1.11591.2.4.1.1
|
|
|
|
NAME 'gpgFingerprint'
|
|
|
|
DESC 'Fingerprint of the primary key'
|
|
|
|
EQUALITY caseIgnoreMatch
|
|
|
|
SUBSTR caseIgnoreSubstringsMatch
|
|
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|
|
|
SINGLE-VALUE )
|
|
|
|
# A list of hex encoded fingerprints of the subkeys.
|
|
|
|
olcAttributeTypes: {16}(
|
|
|
|
1.3.6.1.4.1.11591.2.4.1.2
|
|
|
|
NAME 'gpgSubFingerprint'
|
|
|
|
DESC 'Fingerprints of the secondary keys'
|
|
|
|
EQUALITY caseIgnoreMatch
|
|
|
|
SUBSTR caseIgnoreSubstringsMatch
|
|
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
|
|
|
|
# A list of utf8 encoded addr-spec used instead of mail/rfc822Mailbox
|
|
|
|
olcAttributeTypes: {17}(
|
|
|
|
1.3.6.1.4.1.11591.2.4.1.3
|
|
|
|
NAME 'gpgMailbox'
|
|
|
|
DESC 'The utf8 encoded addr-spec of a mailbox'
|
|
|
|
EQUALITY caseIgnoreMatch
|
|
|
|
SUBSTR caseIgnoreSubstringsMatch
|
|
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
|
2020-12-15 08:52:06 +01:00
|
|
|
#
|
|
|
|
# Note: OID 1.3.6.1.4.1.11591.2.4.1.4 is reserved
|
|
|
|
# because it was used for short time during development.
|
2020-10-07 18:33:58 +02:00
|
|
|
#
|
|
|
|
#
|
|
|
|
# Used by regular LDAP servers to indicate pgp support.
|
|
|
|
#
|
|
|
|
olcObjectClasses: {0}(
|
|
|
|
1.3.6.1.4.1.3401.8.2.23
|
|
|
|
NAME 'pgpServerInfo'
|
|
|
|
DESC 'An OpenPGP public keyblock store'
|
|
|
|
SUP top
|
|
|
|
STRUCTURAL MUST ( cn $ pgpBaseKeySpaceDN )
|
|
|
|
MAY ( pgpSoftware $ pgpVersion ) )
|
|
|
|
#
|
|
|
|
# The original PGP key object extended with a few extra attributes.
|
|
|
|
# All new software should set them but this is not enforced for
|
|
|
|
# backward compatibility
|
|
|
|
olcObjectClasses: {1}(
|
|
|
|
1.3.6.1.4.1.3401.8.2.24
|
|
|
|
NAME 'pgpKeyInfo'
|
|
|
|
DESC 'An OpenPGP public keyblock'
|
|
|
|
SUP top
|
|
|
|
STRUCTURAL MUST ( pgpCertID $ pgpKey )
|
|
|
|
MAY ( pgpDisabled $ pgpKeyID $ pgpKeyType $
|
|
|
|
pgpUserID $ pgpKeyCreateTime $ pgpSignerID $
|
|
|
|
pgpRevoked $ pgpSubKeyID $ pgpKeySize $
|
|
|
|
pgpKeyExpireTime $ gpgFingerprint $
|
2020-12-15 08:52:06 +01:00
|
|
|
gpgSubFingerprint $ gpgMailbox ) )
|
2020-10-07 18:33:58 +02:00
|
|
|
#
|
|
|
|
# end-of-file
|
|
|
|
#
|