1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

doc: Add instructions on how to setup an Active Directory.

--
This commit is contained in:
Werner Koch 2020-12-23 14:45:20 +01:00
parent ea3fb3dc94
commit 15e065dee8
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
2 changed files with 89 additions and 9 deletions

View File

@ -1,7 +1,7 @@
# README.ldap -*- org -*- # README.ldap -*- org -*-
#+TITLE: How to use LDAP with GnuPG #+TITLE: How to use LDAP with GnuPG
#+AUTHOR: GnuPG.com #+AUTHOR: GnuPG.com
#+DATE: 2020-10-07 #+DATE: 2020-12-23
# #
# The following comment lines are for use by Org-mode. # The following comment lines are for use by Org-mode.
#+EXPORT_FILE_NAME: gnupg-and-ldap #+EXPORT_FILE_NAME: gnupg-and-ldap
@ -48,7 +48,6 @@ terms used with LDAP:
human readable data exchange format used with LDAP. human readable data exchange format used with LDAP.
** OpenPGP ** OpenPGP
To serve OpenPGP certificates via LDAP a dedicated schema needs to be To serve OpenPGP certificates via LDAP a dedicated schema needs to be
@ -71,13 +70,16 @@ them. An example for such an DN is:
: pgpCertID=63113AE866587D0A,ou=GnuPG Keys,dc=example,dc=com : pgpCertID=63113AE866587D0A,ou=GnuPG Keys,dc=example,dc=com
or for Active Directory
: cn=C312[...]0A,cn=GnuPG Keys,dc=example,dc=com
This design means that entries stored under "GnuPG Keys" are not This design means that entries stored under "GnuPG Keys" are not
connected to the users commonly found on an LDAP server. This allows connected to the users commonly found on an LDAP server. This allows
to store arbitrary OpenPGP certificates in the directory and is to store arbitrary OpenPGP certificates in the directory and is
commonly used to make the certificates of external communication commonly used to make the certificates of external communication
partners easily available. partners easily available.
** S/MIME ** S/MIME
Standard X.509 LDAP semantics apply for S/MIME certificate search. Standard X.509 LDAP semantics apply for S/MIME certificate search.
@ -111,7 +113,6 @@ encoded mail address and in theory GnuPG should use IDN mapping here.
However, it is questionable whether any real world installation However, it is questionable whether any real world installation
would be able to handle such a mapping. would be able to handle such a mapping.
* How to install OpenLDAP * How to install OpenLDAP
To install a standard LDAP server to provide S/MIME certificate lookup To install a standard LDAP server to provide S/MIME certificate lookup
@ -299,9 +300,10 @@ Now all users have read access and the user LordPrivySeal has write
access. In case you want to give several users permissions to update the access. In case you want to give several users permissions to update the
keys replace the regex line in =grantaccess.ldif= with keys replace the regex line in =grantaccess.ldif= with
: by dn.regex="^uid=([^,]+),ou=GnuPG Users,dc=example,dc=com" write : by dn.regex="^uid=([^,]+),ou=GnuPG Users,dc=example,dc=com" write
and create those users below the RDN "ou=GnuPG Users". (take care to insert two spaces at the begin of the line.) Then
create those users below the RDN "ou=GnuPG Users".
That's all you need to do at the server. That's all you need to do at the server.
@ -370,7 +372,7 @@ keyserver ldaps://ldap.example.com
This assumes that you have a valid TLS server certificate for that This assumes that you have a valid TLS server certificate for that
domain and ldaps is enabled on the server. domain and ldaps is enabled on the server.
* Useful LDAP Commands * Useful OpenLDAP Commands
** List the entire DIT ** List the entire DIT
@ -443,3 +445,81 @@ To debug access problems, it is useful to change the log level:
: modify olcLogLevel olcLogLevel ACL | ldapadd -Q -Y EXTERNAL -H ldapi:/// : modify olcLogLevel olcLogLevel ACL | ldapadd -Q -Y EXTERNAL -H ldapi:///
to revert replace "ACL" by "none". to revert replace "ACL" by "none".
* How to use with Active Directory
** Extending the AD Schema
The Active Directory on Windows is actually an LDAP server but
configuration differs from OpenLDAP. The used schema is the same but
the data objects are slighly different. To extend the schema the
LDIF format is used but with variants of the files used for OpenLDAP.
Thus please download these two files:
- [[https://gnupg.org/misc/gnupg-ldap-ad-schema.ldif]]
- [[https://gnupg.org/misc/gnupg-ldap-ad-init.ldif]].
*Important*: Backup your Active Directory before you extend the
schema. There are *no ways to revert changes* made to a schema. You
should also first try this all on a test system and not on a
production system.
To extend the schema become Adminstrator on your Primary Domain
Controller and open a shell (Command Prompt). Copy the above
mentioned ldif files to your working directory and run the following
command:
: ldifde -i -v -f gnupg-ldap-ad-schema.ldif
: -c "DC=EXAMPLEDC" "DC=example,DC=org"
This is one line and the last string (="DC=example,DC=org"=) needs to
be replaced with your actual domain. If the command succeeds you have
extended the schema to store OpenPGP keys at a well known location.
The next step is to provide information and space in the tree. This
is done similar to the above, namely:
: ldifde -i -v -f gnupg-ldap-ad-init.ldif
: -c "DC=EXAMPLEDC" "DC=example,DC=org"
You may now check your work with ADSI (enter "adsiedit"). Compare
with this [[https://gnupg.org/blog/img/ad-with-gnupg-schema.png][screenshot]] and notice the two marked entries.
The last step is to setup permissions. This depends on your
policy. Here we assume that all authenticated users get read access
to all OpenPGP keys and only certain users may insert or update those
keys.
What you need to do in all cases is to give the group /Everyone/ read
access to the =CN=PGPServerInfo= object. This allows the
clients to notice that the schema has been installed and where to look
further.
The actual keys will be stored under =CN=GnuPG Keys=. Thus give all
users of the /AuthenticatedUsers/ group read access and use the
Advanced button to set /Applies to/ to /This object and all descendant
objects/.
To insert and update keys, use a group or users and give them
permissions for =CN=GnuPG Keys= to /Read/, /Write/, /Create all child
objects/, and /Delete all child objects/. As above make sure
that these permissions apply to /This object and all descendant
objects/.
In case you want to access the keys also from non-Windows boxes, it is
probably best to created a dedicated guest user for read access.
** Using GnuPG with AD
Using the Active Directory is really easy since GnuPG 2.2.26: You only
need to put
: keyserver ldap:///
into =dirmngr.conf= and Windows takes care of authentication. Note
that we use 3 slashes and not ldaps because AD takes care of
protecting the traffic.
GnuPG can be advised to consult the local AD similar to a Web Key
Directory. For this put
: auto-key-locate local,ntds,wkd
into =gpg.conf= so that a missing key is first looked up in the AD
before a WKD query is done.

View File

@ -1,4 +1,4 @@
# gnupg-ldap-scheme.ldif -*- conf -*- # gnupg-ldap-ad-scheme.ldif -*- conf -*-
# #
# Schema for an OpenPGP LDAP keyserver. This is a slighly enhanced # Schema for an OpenPGP LDAP keyserver. This is a slighly enhanced
# version of the original LDAP schema used for PGP keyservers as # version of the original LDAP schema used for PGP keyservers as
@ -9,7 +9,7 @@
# - Backup your AD! It is not possible to revert changes of the schema. # - Backup your AD! It is not possible to revert changes of the schema.
# - Try it first on a test system. # - Try it first on a test system.
# - To import the new attributes and classes use: # - To import the new attributes and classes use:
# ldifde -i -vv -f gnupg-ldap-ad-schema.ldif # ldifde -i -v -f gnupg-ldap-ad-schema.ldif
# -c "DC=EXAMPLEDC" "DC=example,DC=org" # -c "DC=EXAMPLEDC" "DC=example,DC=org"
# (the above command is given as one line) # (the above command is given as one line)
# - The schema does not get its own distingished name as done with OpenLDAP. # - The schema does not get its own distingished name as done with OpenLDAP.