doc: Minor update of the AD schema.

--

doc/ldap/README.ldap

@@ -1,7 +1,7 @@
 # README.ldap                                             -*- org -*-
 #+TITLE: How to use LDAP with GnuPG
 #+AUTHOR:    GnuPG.com
-#+DATE:      2021-05-28
+#+DATE:      2021-09-01
 #
 # The following comment lines are for use by Org-mode.
 #+EXPORT_FILE_NAME: gnupg-and-ldap
@@ -522,17 +522,17 @@ Controller and open a shell (Command Prompt).  Copy the above
 mentioned ldif files to your working directory and run the following
 command:
 
-: ldifde -i -v -f gnupg-ldap-ad-schema.ldif
-:   -c "DC=EXAMPLEDC" "DC=example,DC=org"
+: ldifde -i -f gnupg-ldap-ad-schema.ldif
+:   -c "DC=EXAMPLEDC" "#configurationNamingContext"
 
-This is one line and the last string (="DC=example,DC=org"=) needs to
-be replaced with your actual domain.  If the command succeeds you have
-extended the schema to store OpenPGP keys at a well known location.
-The next step is to provide information and space in the tree.  This
-is done similar to the above, namely:
+Note that this is a single line (for an LDS installation you need to
+add more options like =-s localhost=).  If the command succeeds the
+schema has been extended to store OpenPGP keys at a well known
+location.  The next step is to provide information and space in the
+tree.  This is done similar to the above, namely:
 
 : ldifde -i -v -f gnupg-ldap-ad-init.ldif
-:   -c "DC=EXAMPLEDC" "DC=example,DC=org"
+:   -c "DC=EXAMPLEDC" "#defaultNamingContext"
 
 You may now check your work with ADSI (enter "adsiedit").  Compare
 with this [[https://gnupg.org/blog/img/ad-with-gnupg-schema.png][screenshot]] and notice the two marked entries.
@@ -559,7 +559,7 @@ that these permissions apply to /This object and all descendant
 objects/.
 
 In case you want to access the keys also from non-Windows boxes, it is
-probably best to created a dedicated guest user for read access.
+probably best to create a dedicated guest user for read access.
 
 ** Using GnuPG with AD
 
@@ -570,12 +570,17 @@ need to put
 
 into =dirmngr.conf= and Windows takes care of authentication.  Note
 that we use 3 slashes and not ldaps because AD takes care of
-protecting the traffic.
+protecting the traffic.  If you use an LDS configure this
 
-GnuPG can be advised to consult the local AD similar to a Web Key
-Directory.  For this put
+: keyserver ldap://mykeyserver.example.org/????gpgNtds=1
+
+this will use the LDS at the given server (add a port if required) and
+uses the AD for authentication.
+
+GnuPG can also be advised to consult this configured AD or LDS similar
+to a Web Key Directory (WKD).  For this put
 
 : auto-key-locate local,ntds,wkd
 
-into =gpg.conf= so that a missing key is first looked up in the AD
-before a WKD query is done.
+into =gpg.conf= so that a missing key is first looked up in the AD or
+LDS before a WKD query is done.

doc/ldap/gnupg-ldap-ad-init.ldif

@@ -1,7 +1,7 @@
 # gnupg-ldap-ad-init.ldif                                 -*- conf -*-
 #
 # Entries connecting the schema specified in gnupg-ldap-ad-schema.ldif.
-# Revision: 2020-12-16
+# Revision: 2021-09-01 v1
 
 dn: cn=GnuPG Keys,DC=EXAMPLEDC
 changetype: add

doc/ldap/gnupg-ldap-ad-schema.ldif

@@ -3,14 +3,14 @@
 # Schema for an OpenPGP LDAP keyserver.  This is a slighly enhanced
 # version of the original LDAP schema used for PGP keyservers as
 # installed at quite some sites.
-# Revision: 2020-12-15
+# Revision: 2021-09-01  v1
 
 # Some notes:
 # - Backup your AD! It is not possible to revert changes of the schema.
 # - Try it first on a test system.
 # - To import the new attributes and classes use:
 #      ldifde -i -v -f gnupg-ldap-ad-schema.ldif
-#             -c "DC=EXAMPLEDC" "DC=example,DC=org"
+#             -c "DC=EXAMPLEDC" "#configurationNamingContext"
 #   (the above command is given as one line)
 # - The schema does not get its own distingished name as done with OpenLDAP.
 # - The first GUID we use is f406e7a5-a5ea-411e-9ddd-2e4e66899800
@@ -28,8 +28,8 @@
 
 # The base DN for the PGP key space by querying the
 #  pgpBaseKeySpaceDN attribute (This is normally
-#  'ou=PGP Keys,dc=example,dc=com').
-dn: CN=pgpBaseKeySpaceDN,CN=Schema,CN=Configuration,DC=EXAMPLEDC
+#  'ou=GnuPG Keys,dc=example,dc=com').
+dn: CN=pgpBaseKeySpaceDN,CN=Schema,DC=EXAMPLEDC
 changetype: ntdsSchemaAdd
 objectClass: attributeSchema
 attributeID: 1.3.6.1.4.1.3401.8.2.8
@@ -41,7 +41,7 @@ isSingleValued: TRUE
 schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYAA==
 
 # See gnupg-ldap-init.ldif for a description of this attribute
-dn: CN=pgpSoftware,CN=Schema,CN=Configuration,DC=EXAMPLEDC
+dn: CN=pgpSoftware,CN=Schema,DC=EXAMPLEDC
 changetype: ntdsSchemaAdd
 objectClass: attributeSchema
 attributeID: 1.3.6.1.4.1.3401.8.2.9
@@ -53,7 +53,7 @@ isSingleValued: TRUE
 schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYAQ==
 
 # See gnupg-ldap-init.ldif for a description of this attribute
-dn: CN=pgpVersion,CN=Schema,CN=Configuration,DC=EXAMPLEDC
+dn: CN=pgpVersion,CN=Schema,DC=EXAMPLEDC
 changetype: ntdsSchemaAdd
 objectClass: attributeSchema
 attributeID: 1.3.6.1.4.1.3401.8.2.10
@@ -67,7 +67,7 @@ schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYAg==
 
 # The attribute holding the OpenPGP keyblock.
 # The legacy PGP LDAP server used pgpKeyV2 instead.
-dn: CN=pgpKey,CN=Schema,CN=Configuration,DC=EXAMPLEDC
+dn: CN=pgpKey,CN=Schema,DC=EXAMPLEDC
 changetype: ntdsSchemaAdd
 objectClass: attributeSchema
 attributeID: 1.3.6.1.4.1.3401.8.2.11
@@ -79,7 +79,7 @@ isSingleValued: TRUE
 schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYAw==
 
 # The long key-ID
-dn: CN=pgpCertID,CN=Schema,CN=Configuration,DC=EXAMPLEDC
+dn: CN=pgpCertID,CN=Schema,DC=EXAMPLEDC
 changetype: ntdsSchemaAdd
 objectClass: attributeSchema
 attributeID: 1.3.6.1.4.1.3401.8.2.12
@@ -91,7 +91,7 @@ isSingleValued: TRUE
 schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYBA==
 
 # A flag to temporary disable a keyblock
-dn: CN=pgpDisabled,CN=Schema,CN=Configuration,DC=EXAMPLEDC
+dn: CN=pgpDisabled,CN=Schema,DC=EXAMPLEDC
 changetype: ntdsSchemaAdd
 objectClass: attributeSchema
 attributeID: 1.3.6.1.4.1.3401.8.2.13
@@ -104,7 +104,7 @@ schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYBQ==
 
 # The short key id.  This is actually not required and should thus not
 # be used by client software.
-dn: CN=pgpKeyID,CN=Schema,CN=Configuration,DC=EXAMPLEDC
+dn: CN=pgpKeyID,CN=Schema,DC=EXAMPLEDC
 changetype: ntdsSchemaAdd
 objectClass: attributeSchema
 attributeID: 1.3.6.1.4.1.3401.8.2.14
@@ -116,7 +116,7 @@ isSingleValued: TRUE
 schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYBg==
 
 # The algorithm of the key.  Used to be "RSA" or "DSS/DH".
-dn: CN=pgpKeyType,CN=Schema,CN=Configuration,DC=EXAMPLEDC
+dn: CN=pgpKeyType,CN=Schema,DC=EXAMPLEDC
 changetype: ntdsSchemaAdd
 objectClass: attributeSchema
 attributeID: 1.3.6.1.4.1.3401.8.2.15
@@ -133,7 +133,7 @@ schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYBw==
 #     mail:    (pgpUserID=*<%s>*)
 #     mailsub: (pgpUserID=*<*%s*>*)
 #     mailend: (pgpUserID=*<*%s>*)
-dn: CN=pgpUserID,CN=Schema,CN=Configuration,DC=EXAMPLEDC
+dn: CN=pgpUserID,CN=Schema,DC=EXAMPLEDC
 changetype: ntdsSchemaAdd
 objectClass: attributeSchema
 attributeID: 1.3.6.1.4.1.3401.8.2.16
@@ -146,7 +146,7 @@ schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYCA==
 
 # The creation time of the primary key.
 # Stored in ISO format: "20201231 120000"
-dn: CN=pgpKeyCreateTime,CN=Schema,CN=Configuration,DC=EXAMPLEDC
+dn: CN=pgpKeyCreateTime,CN=Schema,DC=EXAMPLEDC
 changetype: ntdsSchemaAdd
 objectClass: attributeSchema
 attributeID: 1.3.6.1.4.1.3401.8.2.17
@@ -158,7 +158,7 @@ isSingleValued: TRUE
 schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYCQ==
 
 # SignerIDs are not used
-dn: CN=pgpSignerID,CN=Schema,CN=Configuration,DC=EXAMPLEDC
+dn: CN=pgpSignerID,CN=Schema,DC=EXAMPLEDC
 changetype: ntdsSchemaAdd
 objectClass: attributeSchema
 attributeID: 1.3.6.1.4.1.3401.8.2.18
@@ -170,7 +170,7 @@ isSingleValued: FALSE
 schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYCg==
 
 # A value of 1 indicates that the keyblock has been revoked
-dn: CN=pgpRevoked,CN=Schema,CN=Configuration,DC=EXAMPLEDC
+dn: CN=pgpRevoked,CN=Schema,DC=EXAMPLEDC
 changetype: ntdsSchemaAdd
 objectClass: attributeSchema
 attributeID: 1.3.6.1.4.1.3401.8.2.19
@@ -182,7 +182,7 @@ isSingleValued: TRUE
 schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYCw==
 
 # The Subkey key ids (16 hex digits)
-dn: CN=pgpSubKeyID,CN=Schema,CN=Configuration,DC=EXAMPLEDC
+dn: CN=pgpSubKeyID,CN=Schema,DC=EXAMPLEDC
 changetype: ntdsSchemaAdd
 objectClass: attributeSchema
 attributeID: 1.3.6.1.4.1.3401.8.2.20
@@ -194,7 +194,7 @@ isSingleValued: FALSE
 schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYDA==
 
 # A hint on the keysize.
-dn: CN=pgpKeySize,CN=Schema,CN=Configuration,DC=EXAMPLEDC
+dn: CN=pgpKeySize,CN=Schema,DC=EXAMPLEDC
 changetype: ntdsSchemaAdd
 objectClass: attributeSchema
 attributeID: 1.3.6.1.4.1.3401.8.2.21
@@ -207,7 +207,7 @@ schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYDQ==
 
 # Expiration time of the primary key.
 # Stored in ISO format: "20201231 120000"
-dn: CN=pgpKeyExpireTime,CN=Schema,CN=Configuration,DC=EXAMPLEDC
+dn: CN=pgpKeyExpireTime,CN=Schema,DC=EXAMPLEDC
 changetype: ntdsSchemaAdd
 objectClass: attributeSchema
 attributeID: 1.3.6.1.4.1.3401.8.2.22
@@ -219,7 +219,7 @@ isSingleValued: TRUE
 schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYDg==
 
 # The hex encoded fingerprint of the primary key.
-dn: CN=gpgFingerprint,CN=Schema,CN=Configuration,DC=EXAMPLEDC
+dn: CN=gpgFingerprint,CN=Schema,DC=EXAMPLEDC
 changetype: ntdsSchemaAdd
 objectClass: attributeSchema
 attributeID: 1.3.6.1.4.1.11591.2.4.1.1
@@ -231,7 +231,7 @@ isSingleValued: TRUE
 schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYDw==
 
 # A list of hex encoded fingerprints of the subkeys.
-dn: CN=gpgSubFingerprint,CN=Schema,CN=Configuration,DC=EXAMPLEDC
+dn: CN=gpgSubFingerprint,CN=Schema,DC=EXAMPLEDC
 changetype: ntdsSchemaAdd
 objectClass: attributeSchema
 attributeID: 1.3.6.1.4.1.11591.2.4.1.2
@@ -243,7 +243,7 @@ isSingleValued: FALSE
 schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYEA==
 
 # A list of utf8 encoded addr-spec used instead of mail/rfc822Mailbox
-dn: CN=gpgMailbox,CN=Schema,CN=Configuration,DC=EXAMPLEDC
+dn: CN=gpgMailbox,CN=Schema,DC=EXAMPLEDC
 changetype: ntdsSchemaAdd
 objectClass: attributeSchema
 attributeID: 1.3.6.1.4.1.11591.2.4.1.3
@@ -282,7 +282,7 @@ schemaUpdateNow: 1
 # Used by regular LDAP servers to indicate pgp support.
 # (structural class)
 #
-dn: CN=pgpServerInfo,CN=Schema,CN=Configuration,DC=EXAMPLEDC
+dn: CN=pgpServerInfo,CN=Schema,DC=EXAMPLEDC
 changetype: ntdsSchemaAdd
 objectClass: classSchema
 governsID: 1.3.6.1.4.1.3401.8.2.23
@@ -295,13 +295,14 @@ mustContain: pgpBaseKeySpaceDN
 mayContain: pgpSoftware
 mayContain: pgpVersion
 systemPossSuperiors: domainDNS
+systemPossSuperiors: container
 schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYIA==
 
 # The original PGP key object extended with a few extra attributes.
 # All new software should set them but this is not enforced for
 # backward compatibility of client software.
 # (structural class, writable)
-dn: CN=pgpKeyInfo,CN=Schema,CN=Configuration,DC=EXAMPLEDC
+dn: CN=pgpKeyInfo,CN=Schema,DC=EXAMPLEDC
 changetype: ntdsSchemaAdd
 objectClass: classSchema
 governsID: 1.3.6.1.4.1.3401.8.2.24