mirror of git://git.gnupg.org/gnupg.git synced 2025-04-17 15:44:34 +02:00

doc: Minor update of the AD schema.

--
This commit is contained in:
Werner Koch 2021-09-09 13:28:41 +02:00
parent 255d4d5815
commit 265d993c76
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
3 changed files with 45 additions and 39 deletions


@ -1,7 +1,7 @@
# README.ldap -*- org -*- # README.ldap -*- org -*-
#+TITLE: How to use LDAP with GnuPG #+TITLE: How to use LDAP with GnuPG
#+AUTHOR: GnuPG.com #+AUTHOR: GnuPG.com
#+DATE: 2021-05-28 #+DATE: 2021-09-01
# #
# The following comment lines are for use by Org-mode. # The following comment lines are for use by Org-mode.
#+EXPORT_FILE_NAME: gnupg-and-ldap #+EXPORT_FILE_NAME: gnupg-and-ldap
@ -522,17 +522,17 @@ Controller and open a shell (Command Prompt). Copy the above
mentioned ldif files to your working directory and run the following mentioned ldif files to your working directory and run the following
command: command:
: ldifde -i -v -f gnupg-ldap-ad-schema.ldif : ldifde -i -f gnupg-ldap-ad-schema.ldif
: -c "DC=EXAMPLEDC" "DC=example,DC=org" : -c "DC=EXAMPLEDC" "#configurationNamingContext"
This is one line and the last string (="DC=example,DC=org"=) needs to Note that this is a single line (for an LDS installation you need to
be replaced with your actual domain. If the command succeeds you have add more options like =-s localhost=). If the command succeeds the
extended the schema to store OpenPGP keys at a well known location. schema has been extended to store OpenPGP keys at a well known
The next step is to provide information and space in the tree. This location. The next step is to provide information and space in the
is done similar to the above, namely: tree. This is done similar to the above, namely:
: ldifde -i -v -f gnupg-ldap-ad-init.ldif : ldifde -i -v -f gnupg-ldap-ad-init.ldif
: -c "DC=EXAMPLEDC" "DC=example,DC=org" : -c "DC=EXAMPLEDC" "#defaultNamingContext"
You may now check your work with ADSI (enter "adsiedit"). Compare You may now check your work with ADSI (enter "adsiedit"). Compare
with this [[https://gnupg.org/blog/img/ad-with-gnupg-schema.png][screenshot]] and notice the two marked entries. with this [[https://gnupg.org/blog/img/ad-with-gnupg-schema.png][screenshot]] and notice the two marked entries.
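Review bot: the two ldifde invocations in this hunk are now inconsistent: the schema import drops `-v` (`ldifde -i -f gnupg-ldap-ad-schema.ldif`) while the init import keeps it (`ldifde -i -v -f gnupg-ldap-ad-init.ldif`), and the header comment of gnupg-ldap-ad-schema.ldif in this same commit still shows `-v`. Either keep `-v` in both places (verbose output is what you want when a schema import fails half-way and cannot be reverted) or say why it was dropped. The old text explained that the last argument had to be replaced by the reader's own domain DN; the new `"#configurationNamingContext"` / `"#defaultNamingContext"` arguments get no explanation at all, so one sentence stating what these arguments expand to (and that the reader no longer edits the DN by hand) would help. Minor: "This is done similar to the above" should read "similarly to the above".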
@ -559,7 +559,7 @@ that these permissions apply to /This object and all descendant
objects/. objects/.
In case you want to access the keys also from non-Windows boxes, it is In case you want to access the keys also from non-Windows boxes, it is
probably best to created a dedicated guest user for read access. probably best to create a dedicated guest user for read access.
** Using GnuPG with AD ** Using GnuPG with AD
@ -570,12 +570,17 @@ need to put
into =dirmngr.conf= and Windows takes care of authentication. Note into =dirmngr.conf= and Windows takes care of authentication. Note
that we use 3 slashes and not ldaps because AD takes care of that we use 3 slashes and not ldaps because AD takes care of
protecting the traffic. protecting the traffic. If you use an LDS configure this
GnuPG can be advised to consult the local AD similar to a Web Key : keyserver ldap://mykeyserver.example.org/????gpgNtds=1
Directory. For this put
this will use the LDS at the given server (add a port if required) and
uses the AD for authentication.
GnuPG can also be advised to consult this configured AD or LDS similar
to a Web Key Directory (WKD). For this put
: auto-key-locate local,ntds,wkd : auto-key-locate local,ntds,wkd
into =gpg.conf= so that a missing key is first looked up in the AD into =gpg.conf= so that a missing key is first looked up in the AD or
before a WKD query is done. LDS before a WKD query is done.
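Review bot: the new LDS paragraph leaves the transport question open. The sentence just above says three slashes (and not ldaps) are used because AD protects the traffic, but the LDS example `: keyserver ldap://mykeyserver.example.org/????gpgNtds=1` names a remote host over plain `ldap://`; the text should say whether `gpgNtds=1` gives that connection the same protection or whether ldaps (or a dedicated port) should be used, otherwise readers will assume a protection the text only asserts for the local AD case. Minor: "If you use an LDS configure this" needs a colon or "the following", and "this will use the LDS ... and uses the AD" should be "and use the AD".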


@ -1,7 +1,7 @@
# gnupg-ldap-ad-init.ldif -*- conf -*- # gnupg-ldap-ad-init.ldif -*- conf -*-
# #
# Entries connecting the schema specified in gnupg-ldap-ad-schema.ldif. # Entries connecting the schema specified in gnupg-ldap-ad-schema.ldif.
# Revision: 2020-12-16 # Revision: 2021-09-01 v1
dn: cn=GnuPG Keys,DC=EXAMPLEDC dn: cn=GnuPG Keys,DC=EXAMPLEDC
changetype: add changetype: add


@ -3,14 +3,14 @@
# Schema for an OpenPGP LDAP keyserver. This is a slighly enhanced # Schema for an OpenPGP LDAP keyserver. This is a slighly enhanced
# version of the original LDAP schema used for PGP keyservers as # version of the original LDAP schema used for PGP keyservers as
# installed at quite some sites. # installed at quite some sites.
# Revision: 2020-12-15 # Revision: 2021-09-01 v1
# Some notes: # Some notes:
# - Backup your AD! It is not possible to revert changes of the schema. # - Backup your AD! It is not possible to revert changes of the schema.
# - Try it first on a test system. # - Try it first on a test system.
# - To import the new attributes and classes use: # - To import the new attributes and classes use:
# ldifde -i -v -f gnupg-ldap-ad-schema.ldif # ldifde -i -v -f gnupg-ldap-ad-schema.ldif
# -c "DC=EXAMPLEDC" "DC=example,DC=org" # -c "DC=EXAMPLEDC" "#configurationNamingContext"
# (the above command is given as one line) # (the above command is given as one line)
# - The schema does not get its own distingished name as done with OpenLDAP. # - The schema does not get its own distingished name as done with OpenLDAP.
# - The first GUID we use is f406e7a5-a5ea-411e-9ddd-2e4e66899800 # - The first GUID we use is f406e7a5-a5ea-411e-9ddd-2e4e66899800
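Review bot: the header comment still shows `ldifde -i -v -f gnupg-ldap-ad-schema.ldif` whereas README.ldap in this same commit drops `-v`; keep the two in sync. Since the `-c` target changes to `"#configurationNamingContext"`, the note "The schema does not get its own distingished name as done with OpenLDAP" is also the right place to add that every `DC=EXAMPLEDC` in this file now stands for the configuration naming context and is rewritten by ldifde. While touching these lines, two typos in the context: "slighly" (slightly) and "distingished" (distinguished).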
@ -28,8 +28,8 @@
# The base DN for the PGP key space by querying the # The base DN for the PGP key space by querying the
# pgpBaseKeySpaceDN attribute (This is normally # pgpBaseKeySpaceDN attribute (This is normally
# 'ou=PGP Keys,dc=example,dc=com'). # 'ou=GnuPG Keys,dc=example,dc=com').
dn: CN=pgpBaseKeySpaceDN,CN=Schema,CN=Configuration,DC=EXAMPLEDC dn: CN=pgpBaseKeySpaceDN,CN=Schema,DC=EXAMPLEDC
changetype: ntdsSchemaAdd changetype: ntdsSchemaAdd
objectClass: attributeSchema objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.3401.8.2.8 attributeID: 1.3.6.1.4.1.3401.8.2.8
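Review bot: the updated example DN `'ou=GnuPG Keys,dc=example,dc=com'` does not match gnupg-ldap-ad-init.ldif in this commit, which creates `dn: cn=GnuPG Keys,DC=EXAMPLEDC` (cn, not ou); use the same RDN attribute in both so the comment describes the object the init file actually creates. The shortened `CN=Schema,DC=EXAMPLEDC` DN is consistent with the README's new `-c "DC=EXAMPLEDC" "#configurationNamingContext"` mapping, and the same shortening is applied to every attribute below, but anyone still running the old command with a domain DN as the target would now import into a non-existent `CN=Schema,DC=example,DC=org`; a short comment pointing to the changed command would prevent that.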
@ -41,7 +41,7 @@ isSingleValued: TRUE
schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYAA== schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYAA==
# See gnupg-ldap-init.ldif for a description of this attribute # See gnupg-ldap-init.ldif for a description of this attribute
dn: CN=pgpSoftware,CN=Schema,CN=Configuration,DC=EXAMPLEDC dn: CN=pgpSoftware,CN=Schema,DC=EXAMPLEDC
changetype: ntdsSchemaAdd changetype: ntdsSchemaAdd
objectClass: attributeSchema objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.3401.8.2.9 attributeID: 1.3.6.1.4.1.3401.8.2.9
@ -53,7 +53,7 @@ isSingleValued: TRUE
schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYAQ== schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYAQ==
# See gnupg-ldap-init.ldif for a description of this attribute # See gnupg-ldap-init.ldif for a description of this attribute
dn: CN=pgpVersion,CN=Schema,CN=Configuration,DC=EXAMPLEDC dn: CN=pgpVersion,CN=Schema,DC=EXAMPLEDC
changetype: ntdsSchemaAdd changetype: ntdsSchemaAdd
objectClass: attributeSchema objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.3401.8.2.10 attributeID: 1.3.6.1.4.1.3401.8.2.10
@ -67,7 +67,7 @@ schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYAg==
# The attribute holding the OpenPGP keyblock. # The attribute holding the OpenPGP keyblock.
# The legacy PGP LDAP server used pgpKeyV2 instead. # The legacy PGP LDAP server used pgpKeyV2 instead.
dn: CN=pgpKey,CN=Schema,CN=Configuration,DC=EXAMPLEDC dn: CN=pgpKey,CN=Schema,DC=EXAMPLEDC
changetype: ntdsSchemaAdd changetype: ntdsSchemaAdd
objectClass: attributeSchema objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.3401.8.2.11 attributeID: 1.3.6.1.4.1.3401.8.2.11
@ -79,7 +79,7 @@ isSingleValued: TRUE
schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYAw== schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYAw==
# The long key-ID # The long key-ID
dn: CN=pgpCertID,CN=Schema,CN=Configuration,DC=EXAMPLEDC dn: CN=pgpCertID,CN=Schema,DC=EXAMPLEDC
changetype: ntdsSchemaAdd changetype: ntdsSchemaAdd
objectClass: attributeSchema objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.3401.8.2.12 attributeID: 1.3.6.1.4.1.3401.8.2.12
@ -91,7 +91,7 @@ isSingleValued: TRUE
schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYBA== schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYBA==
# A flag to temporary disable a keyblock # A flag to temporary disable a keyblock
dn: CN=pgpDisabled,CN=Schema,CN=Configuration,DC=EXAMPLEDC dn: CN=pgpDisabled,CN=Schema,DC=EXAMPLEDC
changetype: ntdsSchemaAdd changetype: ntdsSchemaAdd
objectClass: attributeSchema objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.3401.8.2.13 attributeID: 1.3.6.1.4.1.3401.8.2.13
@ -104,7 +104,7 @@ schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYBQ==
# The short key id. This is actually not required and should thus not # The short key id. This is actually not required and should thus not
# be used by client software. # be used by client software.
dn: CN=pgpKeyID,CN=Schema,CN=Configuration,DC=EXAMPLEDC dn: CN=pgpKeyID,CN=Schema,DC=EXAMPLEDC
changetype: ntdsSchemaAdd changetype: ntdsSchemaAdd
objectClass: attributeSchema objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.3401.8.2.14 attributeID: 1.3.6.1.4.1.3401.8.2.14
@ -116,7 +116,7 @@ isSingleValued: TRUE
schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYBg== schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYBg==
# The algorithm of the key. Used to be "RSA" or "DSS/DH". # The algorithm of the key. Used to be "RSA" or "DSS/DH".
dn: CN=pgpKeyType,CN=Schema,CN=Configuration,DC=EXAMPLEDC dn: CN=pgpKeyType,CN=Schema,DC=EXAMPLEDC
changetype: ntdsSchemaAdd changetype: ntdsSchemaAdd
objectClass: attributeSchema objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.3401.8.2.15 attributeID: 1.3.6.1.4.1.3401.8.2.15
@ -133,7 +133,7 @@ schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYBw==
# mail: (pgpUserID=*<%s>*) # mail: (pgpUserID=*<%s>*)
# mailsub: (pgpUserID=*<*%s*>*) # mailsub: (pgpUserID=*<*%s*>*)
# mailend: (pgpUserID=*<*%s>*) # mailend: (pgpUserID=*<*%s>*)
dn: CN=pgpUserID,CN=Schema,CN=Configuration,DC=EXAMPLEDC dn: CN=pgpUserID,CN=Schema,DC=EXAMPLEDC
changetype: ntdsSchemaAdd changetype: ntdsSchemaAdd
objectClass: attributeSchema objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.3401.8.2.16 attributeID: 1.3.6.1.4.1.3401.8.2.16
@ -146,7 +146,7 @@ schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYCA==
# The creation time of the primary key. # The creation time of the primary key.
# Stored in ISO format: "20201231 120000" # Stored in ISO format: "20201231 120000"
dn: CN=pgpKeyCreateTime,CN=Schema,CN=Configuration,DC=EXAMPLEDC dn: CN=pgpKeyCreateTime,CN=Schema,DC=EXAMPLEDC
changetype: ntdsSchemaAdd changetype: ntdsSchemaAdd
objectClass: attributeSchema objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.3401.8.2.17 attributeID: 1.3.6.1.4.1.3401.8.2.17
@ -158,7 +158,7 @@ isSingleValued: TRUE
schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYCQ== schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYCQ==
# SignerIDs are not used # SignerIDs are not used
dn: CN=pgpSignerID,CN=Schema,CN=Configuration,DC=EXAMPLEDC dn: CN=pgpSignerID,CN=Schema,DC=EXAMPLEDC
changetype: ntdsSchemaAdd changetype: ntdsSchemaAdd
objectClass: attributeSchema objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.3401.8.2.18 attributeID: 1.3.6.1.4.1.3401.8.2.18
@ -170,7 +170,7 @@ isSingleValued: FALSE
schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYCg== schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYCg==
# A value of 1 indicates that the keyblock has been revoked # A value of 1 indicates that the keyblock has been revoked
dn: CN=pgpRevoked,CN=Schema,CN=Configuration,DC=EXAMPLEDC dn: CN=pgpRevoked,CN=Schema,DC=EXAMPLEDC
changetype: ntdsSchemaAdd changetype: ntdsSchemaAdd
objectClass: attributeSchema objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.3401.8.2.19 attributeID: 1.3.6.1.4.1.3401.8.2.19
@ -182,7 +182,7 @@ isSingleValued: TRUE
schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYCw== schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYCw==
# The Subkey key ids (16 hex digits) # The Subkey key ids (16 hex digits)
dn: CN=pgpSubKeyID,CN=Schema,CN=Configuration,DC=EXAMPLEDC dn: CN=pgpSubKeyID,CN=Schema,DC=EXAMPLEDC
changetype: ntdsSchemaAdd changetype: ntdsSchemaAdd
objectClass: attributeSchema objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.3401.8.2.20 attributeID: 1.3.6.1.4.1.3401.8.2.20
@ -194,7 +194,7 @@ isSingleValued: FALSE
schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYDA== schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYDA==
# A hint on the keysize. # A hint on the keysize.
dn: CN=pgpKeySize,CN=Schema,CN=Configuration,DC=EXAMPLEDC dn: CN=pgpKeySize,CN=Schema,DC=EXAMPLEDC
changetype: ntdsSchemaAdd changetype: ntdsSchemaAdd
objectClass: attributeSchema objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.3401.8.2.21 attributeID: 1.3.6.1.4.1.3401.8.2.21
@ -207,7 +207,7 @@ schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYDQ==
# Expiration time of the primary key. # Expiration time of the primary key.
# Stored in ISO format: "20201231 120000" # Stored in ISO format: "20201231 120000"
dn: CN=pgpKeyExpireTime,CN=Schema,CN=Configuration,DC=EXAMPLEDC dn: CN=pgpKeyExpireTime,CN=Schema,DC=EXAMPLEDC
changetype: ntdsSchemaAdd changetype: ntdsSchemaAdd
objectClass: attributeSchema objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.3401.8.2.22 attributeID: 1.3.6.1.4.1.3401.8.2.22
@ -219,7 +219,7 @@ isSingleValued: TRUE
schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYDg== schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYDg==
# The hex encoded fingerprint of the primary key. # The hex encoded fingerprint of the primary key.
dn: CN=gpgFingerprint,CN=Schema,CN=Configuration,DC=EXAMPLEDC dn: CN=gpgFingerprint,CN=Schema,DC=EXAMPLEDC
changetype: ntdsSchemaAdd changetype: ntdsSchemaAdd
objectClass: attributeSchema objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.11591.2.4.1.1 attributeID: 1.3.6.1.4.1.11591.2.4.1.1
@ -231,7 +231,7 @@ isSingleValued: TRUE
schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYDw== schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYDw==
# A list of hex encoded fingerprints of the subkeys. # A list of hex encoded fingerprints of the subkeys.
dn: CN=gpgSubFingerprint,CN=Schema,CN=Configuration,DC=EXAMPLEDC dn: CN=gpgSubFingerprint,CN=Schema,DC=EXAMPLEDC
changetype: ntdsSchemaAdd changetype: ntdsSchemaAdd
objectClass: attributeSchema objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.11591.2.4.1.2 attributeID: 1.3.6.1.4.1.11591.2.4.1.2
@ -243,7 +243,7 @@ isSingleValued: FALSE
schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYEA== schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYEA==
# A list of utf8 encoded addr-spec used instead of mail/rfc822Mailbox # A list of utf8 encoded addr-spec used instead of mail/rfc822Mailbox
dn: CN=gpgMailbox,CN=Schema,CN=Configuration,DC=EXAMPLEDC dn: CN=gpgMailbox,CN=Schema,DC=EXAMPLEDC
changetype: ntdsSchemaAdd changetype: ntdsSchemaAdd
objectClass: attributeSchema objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.11591.2.4.1.3 attributeID: 1.3.6.1.4.1.11591.2.4.1.3
@ -282,7 +282,7 @@ schemaUpdateNow: 1
# Used by regular LDAP servers to indicate pgp support. # Used by regular LDAP servers to indicate pgp support.
# (structural class) # (structural class)
# #
dn: CN=pgpServerInfo,CN=Schema,CN=Configuration,DC=EXAMPLEDC dn: CN=pgpServerInfo,CN=Schema,DC=EXAMPLEDC
changetype: ntdsSchemaAdd changetype: ntdsSchemaAdd
objectClass: classSchema objectClass: classSchema
governsID: 1.3.6.1.4.1.3401.8.2.23 governsID: 1.3.6.1.4.1.3401.8.2.23
@ -295,13 +295,14 @@ mustContain: pgpBaseKeySpaceDN
mayContain: pgpSoftware mayContain: pgpSoftware
mayContain: pgpVersion mayContain: pgpVersion
systemPossSuperiors: domainDNS systemPossSuperiors: domainDNS
systemPossSuperiors: container
schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYIA== schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYIA==
# The original PGP key object extended with a few extra attributes. # The original PGP key object extended with a few extra attributes.
# All new software should set them but this is not enforced for # All new software should set them but this is not enforced for
# backward compatibility of client software. # backward compatibility of client software.
# (structural class, writable) # (structural class, writable)
dn: CN=pgpKeyInfo,CN=Schema,CN=Configuration,DC=EXAMPLEDC dn: CN=pgpKeyInfo,CN=Schema,DC=EXAMPLEDC
changetype: ntdsSchemaAdd changetype: ntdsSchemaAdd
objectClass: classSchema objectClass: classSchema
governsID: 1.3.6.1.4.1.3401.8.2.24 governsID: 1.3.6.1.4.1.3401.8.2.24
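Review bot: `systemPossSuperiors: container` is added to pgpServerInfo without a comment saying why a second possible superior is now needed. The README changes in this commit introduce LDS support, so if this is what allows the server-info object to be created under a container in an LDS instance, state that next to the line. Since the change also widens where pgpServerInfo objects may be created in an AD forest, the permissions text in README.ldap ("This object and all descendant objects") should be checked to still cover the new location.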