diff --git a/.gitignore b/.gitignore
index 0ace81f68..ac238fe65 100644
--- a/.gitignore
+++ b/.gitignore
@@ -162,3 +162,6 @@ x.parm
/VERSION
/swdb.lst
/swdb.lst.sig
+/doc/ldap/gnupg-and-ldap.pdf
+/doc/ldap/gnupg-and-ldap.tex
+/doc/ldap/gnupg-and-ldap.txt
diff --git a/doc/ldap/README.ldap b/doc/ldap/README.ldap
new file mode 100644
index 000000000..2d0b4c3d9
--- /dev/null
+++ b/doc/ldap/README.ldap
@@ -0,0 +1,445 @@
+# README.ldap -*- org -*-
+#+TITLE: How to use LDAP with GnuPG
+#+AUTHOR: GnuPG.com
+#+DATE: 2020-10-07
+#
+# The following comment lines are for use by Org-mode.
+#+EXPORT_FILE_NAME: gnupg-and-ldap
+#+LANGUAGE: en
+#+OPTIONS: H:3 num:t toc:t \n:nil @:t ::t |:t ^:{} -:t f:t *:t TeX:t LaTeX:t skip:nil d:(HIDE) tags:not-in-toc
+#+HTML_HEAD:
+#+LATEX_CLASS: article
+#+LATEX_CLASS_OPTIONS: [a4paper,11pt]
+#+LATEX_HEADER: \usepackage{a4wide}
+#+LATEX_HEADER_EXTRA: \parindent0mm
+#+STARTUP: showall
+
+* How to use LDAP with GnuPG
+
+In GnuPG the handling of LDAP is done by its Dirmngr component. This
+is due to the architecture of the system where Dirmngr is the sole
+process responsible for network related tasks. Network access is
+required for:
+
+ - CRL fetching and caching for S/MIME
+ - OCSP checking
+ - S/MIME (X.509) certificate search via LDAP
+ - OpenPGP keyserver access (HTTP, LDAP, etc.)
+ - Checking for software updates (if enabled)
+
+In the following we describe how S/MIME and OpenPGP certificate search
+is implemented. If you want to skip this background information feel
+free to continue with the next section where LDAP installation and
+configuration is described. In any case we need to explain a few
+terms used with LDAP:
+
+- DIT :: /Directory Information Tree/ also known as /naming context/.
+ This is is often referred to as the /LDAP directory/. It is
+ where the data for a single organization described by a DNS
+ name is stored (e.g. "example.org").
+- DN :: /Distinguished Name/ is the key for an entry in the DIT. It
+ is a similar concept as used in the DNS system.
+- RDN :: /Relative Distinguished Name/ is a component or part of a
+ DN. For example the DN "cn=admin,dc=example,dc=com" consist
+ of the 3 RDNs "cn=admin", "dc=example", and "dc=com". Each
+ RDN has a name (e.g. "cn" for /common name/ or "dc" for
+ /domain component/) and a values (e.g. "admin").
+- LDIF :: /LDAP Data Interchange Format/ is a description for the
+ human readable data exchange format used with LDAP.
+
+
+
+** OpenPGP
+
+To serve OpenPGP certificates via LDAP a dedicated schema needs to be
+installed. The schema supported by GnuPG was originally defined by
+PGP Inc. in the end of the 1990ies. This is today still the schema
+installed on LDAP servers for access by PGP or GnuPG. However, this
+schema has a couple of deficits which need to be fixed. For that
+reason we have defined additional attributes. These new attributes
+eventually allow to lookup certificates by their fingerprints and not
+just by the shorter and thus non-unique Key-ID. The new schema also
+supports storing of information on the subkeys and the UTF-8 encoded
+mail addresses. Current versions of GnuPG do not yet make use of
+these new attributes but for new LDAP installations it is highly
+recommended to use the new schema so that a future version of the
+software can make use if these attributes.
+
+Note that the OpenPGP certificates are stored in the DIT under a
+separate organizational unit using the long Key-ID to distinguish
+them. An example for such an DN is:
+
+: pgpCertID=63113AE866587D0A,ou=GnuPG Keys,dc=example,dc=com
+
+This design means that entries stored under "GnuPG Keys" are not
+connected to the users commonly found on an LDAP server. This allows
+to store arbitrary OpenPGP certificates in the directory and is
+commonly used to make the certificates of external communication
+partners easily available.
+
+
+** S/MIME
+
+Standard X.509 LDAP semantics apply for S/MIME certificate search.
+The current version of Dirmngr (2.2.23) supports 3 pattern formats
+which are translated from GnuPG's User-ID syntax, as given to the gpg
+and gpgsm commands, to the LDAP syntax:
+
+- Mail :: Indicated by a leading left angle and translated to the
+ query:
+ : "" -> "mail=ADDRSPEC"
+
+- Subject DN :: Indicated by a leading slash. The DN is formatted
+ according to RFC-2253 rules and thus directly usable
+ for an LDAP query.
+
+- Substring search :: If no other syntax matches or the pattern is
+ prefixed with an asterisk the User-ID is translated to:
+ : "USERID" -> "(|(sn=*USERID*)(|(cn=*USERID*)(mail=*USERID*)))"
+ or in other word a substring search on the serial-number, the
+ common-name, and the mail attribute is done.
+
+The result is expected to be in one of the attributes
+"userCertificate", "cACertificate", or "x509caCert". In cases where
+we are looking for the issuer certificate only "cACertificate" is
+used. "ObjectClass=*" is always used a filter.
+
+Note: The attribute "mail" with the OID 0.9.2342.19200300.100.1.3 was
+originally defined with this OID under the name "rfc822Mailbox" using
+a different although similar syntax. Take care: This is not an UTF-8
+encoded mail address and in theory GnuPG should use IDN mapping here.
+However, it is questionable whether any real world installation
+would be able to handle such a mapping.
+
+
+* How to install OpenLDAP
+
+To install a standard LDAP server to provide S/MIME certificate lookup
+follow the instructions of your OS vendor. For example on Debian
+based systems this is:
+
+: apt-get install slapd ldap-utils libsasl2-modules
+
+Follow the prompts during installation, set an initial admin password,
+and, most important, the domain you want to serve. Note that we use
+"example.com" in following. If you ever need to change the
+configuration on a Debian based system you can do so by running
+
+: dpkg-reconfigure slapd
+
+Serving LDAP requests for S/MIME (X.509) certificates will then work
+out of the box. Use your standard tools to maintain these
+entries. Some hints on how to manually add certificates can be found
+below in the section "Useful LDAP Commands".
+
+Please read on if you want to serve also OpenPGP certificates.
+
+** Installation of the OpenPGP Schema
+
+Assuming a standard OpenLDAP installation, it is easy to add a new
+schema to store OpenPGP certificate. We describe this now step by
+step.
+
+First you need to download the two LDIF files
+- https://gnupg.org/misc/gnupg-ldap-schema.ldif
+- https://gnupg.org/misc/gnupg-ldap-init.ldif.
+
+
+As administrator (root) on your LDAP server use the command
+
+: ldapadd -v -Y EXTERNAL -H ldapi:/// -f ./gnupg-ldap-schema.ldif
+
+to install the schema. The options given to the ldapadd tool are:
+
+ - -v :: Given some diagnostic output (be verbose). To be even more
+ verbose you may use =-vv= or =-vvv=. The diagnostics are
+ written to stdout.
+ - -Y :: Specify the authentication mechanism. Here we use =EXTERN=
+ which is in this case local socket based authentication
+ (ldapi).
+ - -H :: The URL to access the LDAP server. Only scheme, host, and
+ port are allowed. In our case we use =ldapi:///= to request
+ a connection on the standard OpenLDAP socket (usually this is
+ =/var/run/slapd/ldapi=).
+ - -f :: Specify a file with data to add to the directory. The file
+ used here is the specification of the keyserver schema. If
+ this option is not used ldapadd expects this data on stdin.
+
+The new schema should now be installed. Check this by using this
+command:
+
+: ldapsearch -Q -Y EXTERNAL -L -H ldapi:/// \
+: -b 'cn=schema,cn=config' cn | grep cn:
+(on Unix the backslash indicates that the line is continued with the
+next line)
+
+The options not used by ldapsearch which have not yet been explained
+above are:
+
+ - -Q :: Be quiet about authentication and never prompt.
+ - -b :: Specify the search base. In this case we want the internal
+ OpenLDAP schema which stores the server's own configuration.
+
+The final argument =cn= restricts the output to the DN and the CN
+attribute; the grep then shows only the latter. With a freshly
+installed OpenLDAP system you should get an output like:
+
+#+begin_example
+cn: schema
+cn: {0}core
+cn: {1}cosine
+cn: {2}nis
+cn: {3}inetorgperson
+cn: {4}gnupg-keyserver
+#+end_example
+
+This tells you that the keyserver schema has been installed under (in
+this case) the index "{4}".
+
+The next step is to connect the new schema with your DIT. This means
+that entries to actually store the certificates and meta data are
+created. This way GnuPG will be able to find the data. For this you
+need to edit the downloaded file =gnupg-ldap-init.ldif= and replace
+all the RDNs with name "dc" with your own. For example, in our own
+LDAP we would change
+: dn: cn=PGPServerInfo,dc=example,dc=com
+to
+: dn: cn=PGPServerInfo,dc=gnupg,dc=com
+and do that also for the other 3 appearances of the "dc" RDNs. In case
+you use a 3-level domain, add another "dc" in the same way you did when
+setting up OpenLDAP. With that modified file run
+
+: ldapadd -v -x -H ldapi:/// -D 'cn=admin,dc=example,dc=com' \
+: -W -f ./gnupg-ldap-init.ldif
+
+Remember to change the "dc" RDNs also here to what you actually use.
+We use simple authentication by means of these options:
+
+ - -x :: Use simple authentication
+ - -D :: The Bind-DN used to bind to the LDAP directory
+ - -W :: Ask for the admin's passphrase. You may also use a lowercase
+ =-w= followed by the passphrase but that would reveal the
+ passphrase in the shell's history etc.
+
+All users with access right to the LDAP server may now retrieve
+OpenPGP certificates. But wait, we also need a user allowed to insert
+or update OpenPGP certificates. Choose a useful name for that user
+and create a file =newuser.ldif=. In our example domain we name that
+user "LordPrivySeal" and thus the file is:
+
+#+begin_src
+dn: uid=LordPrivySeal,ou=GnuPG Users,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: uidObject
+sn: Lord Keeper of the Privy Seal
+cn: Lord Privy Seal
+userPassword: {SSHA}u6oxl9ulaS57RPyjApyPcE7mNECNK1Tg
+#+end_src
+
+The =userPassword= has been created by running
+: /usr/sbin/slappasswd
+entering the password, and paste the output into the file (the
+password used in the above example is "abc").
+
+Now run
+
+: ldapadd -v -x -H ldapi:/// -D 'cn=admin,dc=gnupg,dc=com' \
+: -W -f ./newuser.ldif
+
+On the password prompt enter the admin's password (not the one of the
+new user). Note that the user is created below the "GnuPG Users"
+organizational unit and not in the standard name space. Thus this is
+a dedicated user for OpenPGP certificates.
+
+See below how you can list the entire DIT. With
+a fresh install you should see these DNs:
+#+begin_example
+dn: dc=example,dc=com
+dn: cn=admin,dc=example,dc=com
+dn: cn=PGPServerInfo,dc=example,dc=com
+dn: ou=GnuPG Keys,dc=example,dc=com
+dn: ou=GnuPG Users,dc=example,dc=com
+dn: uid=LordPrivySeal,ou=GnuPG Users,dc=example,dc=com
+#+end_example
+
+Finally we need to give all users read access to the server's database
+and allow an authenticated user to modify the database. To do this
+you need to figure out the used database; run the command
+
+: ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b 'cn=config' dn | grep olcDatabase=
+
+which should give you a list like this:
+
+#+begin_example
+dn: olcDatabase={-1}frontend,cn=config
+dn: olcDatabase={0}config,cn=config
+dn: olcDatabase={1}mdb,cn=config
+#+end_example
+
+The first two databases are for internal purposes, the last one is our
+database. Now create a file =grantaccess.ldif= with this content:
+
+#+begin_example
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0} to dn.subtree="dc=example,dc=com"
+ by dn.regex="^uid=LordPrivySeal,ou=GnuPG Users,dc=example,dc=com" write
+ by * read
+#+end_example
+
+As usual replace all "dc=example,dc=com" accordingly. Take care not
+to insert a blank line anywhere. The first line needs to give the DN
+of the database as determined above. Excute the rules from that file
+using the command:
+
+: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f grantaccess.ldif
+
+Now all users have read access and the user LordPrivySeal has write
+access. In case you want to give several users permissions to update the
+keys replace the regex line in =grantaccess.ldif= with
+
+: by dn.regex="^uid=([^,]+),ou=GnuPG Users,dc=example,dc=com" write
+
+and create those users below the RDN "ou=GnuPG Users".
+
+That's all you need to do at the server.
+
+** Configuration for GnuPG
+
+The easiest way to enable LDAP for S/MIME is to put
+
+#+begin_src
+keyserver ldap.example.com::::dc=example,dc=com:
+#+end_src
+
+into =gpgsm.conf=. If you prefer to use a dedicated configuration
+file you can do this with dirmngr by adding a line
+
+: ldap.example.com::::dc=example,dc=com:
+
+to =dirmngr_ldapservers.conf=.
+
+Assuming you want to use the machine running the LDAP server also to
+maintain OpenPGP certificates, put the following line into the
+=dirmngr.conf= configuration of a dedicated user for this task:
+
+#+begin_src
+keyserver ldapi:///????bindname=uid=LordPrivySeal
+%2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=abc
+#+end_src
+(Enter this all on one line; "%2C" directly at the end of "Seal")
+
+That is a pretty long line with weird escaping rules. Just enter it
+verbatim but replace the "dc" RDNs accordingly. Remember that =ldapi=
+uses local socket connection instead of TCP to connect to the server.
+The password given in that file is the password of the OpenPGP
+maintainer (LordPrivySeal). Use appropriate permissions for that
+file to make it not too easy to access that password. See the GnuPG
+manual for other ways to configure an LDAP keyserver.
+
+With that configuration in place you may add arbitrary OpenPGP keys to
+your LDAP. For example user "joe@example.org" sends you a key and
+asks to insert that key. If you feel comfortable with that you should
+first check the key, import it into your local keyring, and then send
+it off to your LDAP server:
+
+: gpg --show-key < file-with-joes-key.asc
+
+Looks good? Note the fingerprint of the key and run
+
+: gpg --import < file-with-joes-key.asc
+: gpg --send-keys FINGERPRINT
+
+That's all. If you want to work from a different machine or use the
+Kleopatra GUI you need to make sure that ldaps has been correctly
+configured (for example on the machine =ldap.example.org=) and you
+need to use this keyserver line:
+#+begin_src
+keyserver ldaps://ldap.example.com/????bindname=uid=LordPrivySeal
+%2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=abc
+#+end_src
+(Enter this all on one line; "%2C" directly at the end of "Seal")
+
+The easier case is the configuration line for anonymous users which is
+a mere
+#+begin_src
+keyserver ldaps://ldap.example.com
+#+end_src
+
+This assumes that you have a valid TLS server certificate for that
+domain and ldaps is enabled on the server.
+
+* Useful LDAP Commands
+
+** List the entire DIT
+
+To list the entire DIT for the domain "example.com" use this command:
+
+: ldapsearch -Q -Y EXTERNAL -LLL -H ldapi:/// -b dc=example,dc=com dn
+
+This lists just the DNs. If you need the entire content of the DIT
+leave our the "dn" argument. The option "-LLL" selects a useful
+formatting options for the output.
+
+** Insert X.509 Certficate
+
+If you don't have a handy tool to insert a certificate via LDAP you
+can do it manually. First put the certificate in binary (DER) format
+into a file. For example using gpgsm:
+
+: gpgsm --export berta.boss@example.com >berta.crt
+
+Then create a file =addcert.ldif=:
+#+begin_example
+dn: CN=Berta Boss,dc=example,dc=com
+objectclass: inetOrgPerson
+cn: Berta Boss
+sn: Boss
+gn: Berta
+uid: berta
+mail: berta.boss@example.com
+usercertificate;binary:< file:///home/admin/berta.crt
+#+end_example
+(Note that an absolute file name is required.)
+
+Finally run
+
+: ldapadd -x -H ldapi:/// -D 'cn=admin,dc=example,dc=com' -W -f adduser.ldif
+
+
+** Change RootDN Password:
+
+Create temporary file named =passwd.ldif=:
+#+begin_src
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+replace: olcRootPW
+olcRootPW: XXXX
+#+end_src
+
+For XXXX insert the output of slappasswd and run
+: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f passwd.ldif
+
+followed by
+
+: ldappasswd -x -D cn=admin,dc=example,dc=com -W -S
+
+and enter the new and old password again.
+
+** Show ACLs
+
+: ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b 'cn=config' olcAccess
+
+** Show a list of databases
+
+: ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b 'cn=config' | grep ^olcDatabase:
+
+** Change the log level
+
+To debug access problems, it is useful to change the log level:
+
+: printf "dn: cn=config\nchangetype: %s\nreplace: %s\n%s: %s\n" \
+: modify olcLogLevel olcLogLevel ACL | ldapadd -Q -Y EXTERNAL -H ldapi:///
+
+to revert replace "ACL" by "none".
diff --git a/doc/ldap/gnupg-ldap-init.ldif b/doc/ldap/gnupg-ldap-init.ldif
new file mode 100644
index 000000000..f184f9ee2
--- /dev/null
+++ b/doc/ldap/gnupg-ldap-init.ldif
@@ -0,0 +1,27 @@
+# gnupg-ldap-init.ldif -*- conf -*-
+#
+# Entries connecting the schema specified in gnupg-ldap-schema.ldif.
+# Revision: 2020-10-07
+
+dn: cn=PGPServerInfo,dc=example,dc=com
+objectClass: pgpServerInfo
+cn: PGPServerInfo
+# Note that we suggest the use of ou=GnuPG keys instead of the often
+# used PGP Keys. This makes it easy to spot this is a new schema.
+pgpBaseKeySpaceDN: ou=GnuPG Keys,dc=example,dc=com
+# Using the value GnuPG here indicates that pgpVersion below has a
+# well-defined meaning.
+pgpSoftware: GnuPG
+# Currently used values:
+# 1 :: Classic PGP schema
+# 2 :: The attributes gpgFingerprint, gpgSubFingerprint,
+# gpgSubCertID, and gpgMailbox are part of the schema.
+pgpVersion: 2
+
+dn: ou=GnuPG Keys,dc=example,dc=com
+objectClass: organizationalUnit
+ou: GnuPG Keys
+
+dn: ou=GnuPG Users,dc=example,dc=com
+objectclass: organizationalUnit
+ou: GnuPG Users
diff --git a/doc/ldap/gnupg-ldap-schema.ldif b/doc/ldap/gnupg-ldap-schema.ldif
new file mode 100644
index 000000000..02d04fa46
--- /dev/null
+++ b/doc/ldap/gnupg-ldap-schema.ldif
@@ -0,0 +1,209 @@
+# gnupg-ldap-scheme.ldif -*- conf -*-
+#
+# Schema for an OpenPGP LDAP keyserver. This is a slighly enhanced
+# version of the original LDAP schema used for PGP keyservers as
+# installed at quite some sites.
+# Revision: 2020-10-07
+
+# Note: The index 1000 is just a high number so that OpenLDAP assigns
+# the next available number.
+dn: cn={1000}gnupg-keyserver,cn=schema,cn=config
+objectClass: olcSchemaConfig
+# The base DN for the PGP key space by querying the
+# pgpBaseKeySpaceDN attribute (This is normally
+# 'ou=PGP Keys,dc=example,dc=com').
+olcAttributeTypes: {0}(
+ 1.3.6.1.4.1.3401.8.2.8
+ NAME 'pgpBaseKeySpaceDN'
+ DESC 'Points to DN of the object that will store the PGP keys.'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
+ SINGLE-VALUE )
+# See gnupg-ldap-init.ldif for a description of the next two attributes
+olcAttributeTypes: {1}(
+ 1.3.6.1.4.1.3401.8.2.9
+ NAME 'pgpSoftware'
+ DESC 'Origin of the schema'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+olcAttributeTypes: {2}(
+ 1.3.6.1.4.1.3401.8.2.10
+ NAME 'pgpVersion'
+ DESC 'Version of this schema'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+#
+# The attribute holding the OpenPGP keyblock.
+# The legacy PGP LDAP server used pgpKeyV2 instead.
+olcAttributeTypes: {3}(
+ 1.3.6.1.4.1.3401.8.2.11
+ NAME 'pgpKey'
+ DESC 'OpenPGP public key block'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE )
+# The long key-ID
+olcAttributeTypes: {4}(
+ 1.3.6.1.4.1.3401.8.2.12
+ NAME 'pgpCertID'
+ DESC 'OpenPGP long key id'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+# A flag to temporary disable a keyblock
+olcAttributeTypes: {5}(
+ 1.3.6.1.4.1.3401.8.2.13
+ NAME 'pgpDisabled'
+ DESC 'pgpDisabled attribute for PGP'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+# The short key id. This is actually not required and should thus not
+# be used by cleint software.
+olcAttributeTypes: {6}(
+ 1.3.6.1.4.1.3401.8.2.14
+ NAME 'pgpKeyID'
+ DESC 'OpenPGP short key id'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+# The algorithm of the key. Used to be "RSA" or "DSS/DH".
+olcAttributeTypes: {7}(
+ 1.3.6.1.4.1.3401.8.2.15
+ NAME 'pgpKeyType'
+ DESC 'pgpKeyType attribute for PGP'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+# The User-ID. GnuPG maps its user-ID classes this way:
+# exact: (pgpUserID=%s)
+# substr: (pgpUserID=*%s*)
+# mail: (pgpUserID=*<%s>*)
+# mailsub: (pgpUserID=*<*%s*>*)
+# mailend: (pgpUserID=*<*%s>*)
+olcAttributeTypes: {8}(
+ 1.3.6.1.4.1.3401.8.2.16
+ NAME 'pgpUserID'
+ DESC 'User ID(s) associated with the key'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+# The creation time of the primary key.
+# Stored in ISO format: "20201231 120000"
+olcAttributeTypes: {9}(
+ 1.3.6.1.4.1.3401.8.2.17
+ NAME 'pgpKeyCreateTime'
+ DESC 'Primary key creation time'
+ EQUALITY caseIgnoreMatch
+ ORDERING caseIgnoreOrderingMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+# Not used
+olcAttributeTypes: {10}(
+ 1.3.6.1.4.1.3401.8.2.18
+ NAME 'pgpSignerID'
+ DESC 'pgpSignerID attribute for PGP'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+# A value of 1 indicated that the keyblock has been revoked
+olcAttributeTypes: {11}(
+ 1.3.6.1.4.1.3401.8.2.19
+ NAME 'pgpRevoked'
+ DESC 'pgpRevoked attribute for PGP'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+olcAttributeTypes: {12}(
+ 1.3.6.1.4.1.3401.8.2.20
+ NAME 'pgpSubKeyID'
+ DESC 'Sub-key ID(s) of the PGP key.'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+# A hin on the keysize.
+olcAttributeTypes: {13}(
+ 1.3.6.1.4.1.3401.8.2.21
+ NAME 'pgpKeySize'
+ DESC 'pgpKeySize attribute for PGP'
+ EQUALITY caseIgnoreMatch
+ ORDERING caseIgnoreOrderingMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+# Expiration time of the primary key.
+# Stored in ISO format: "20201231 120000"
+olcAttributeTypes: {14}(
+ 1.3.6.1.4.1.3401.8.2.22
+ NAME 'pgpKeyExpireTime'
+ DESC 'pgpKeyExpireTime attribute for PGP'
+ EQUALITY caseIgnoreMatch
+ ORDERING caseIgnoreOrderingMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+#
+# The hex encoded fingerprint of the primary key.
+olcAttributeTypes: {15}(
+ 1.3.6.1.4.1.11591.2.4.1.1
+ NAME 'gpgFingerprint'
+ DESC 'Fingerprint of the primary key'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+# A list of hex encoded fingerprints of the subkeys.
+olcAttributeTypes: {16}(
+ 1.3.6.1.4.1.11591.2.4.1.2
+ NAME 'gpgSubFingerprint'
+ DESC 'Fingerprints of the secondary keys'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+# A list of utf8 encoded addr-spec used instead of mail/rfc822Mailbox
+olcAttributeTypes: {17}(
+ 1.3.6.1.4.1.11591.2.4.1.3
+ NAME 'gpgMailbox'
+ DESC 'The utf8 encoded addr-spec of a mailbox'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+# A list of hex encoded long keyids of all subkeys.
+olcAttributeTypes: {18}(
+ 1.3.6.1.4.1.11591.2.4.1.4
+ NAME 'gpgSubCertID'
+ DESC 'OpenPGP long subkey id'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+#
+#
+# Used by regular LDAP servers to indicate pgp support.
+#
+olcObjectClasses: {0}(
+ 1.3.6.1.4.1.3401.8.2.23
+ NAME 'pgpServerInfo'
+ DESC 'An OpenPGP public keyblock store'
+ SUP top
+ STRUCTURAL MUST ( cn $ pgpBaseKeySpaceDN )
+ MAY ( pgpSoftware $ pgpVersion ) )
+#
+# The original PGP key object extended with a few extra attributes.
+# All new software should set them but this is not enforced for
+# backward compatibility
+olcObjectClasses: {1}(
+ 1.3.6.1.4.1.3401.8.2.24
+ NAME 'pgpKeyInfo'
+ DESC 'An OpenPGP public keyblock'
+ SUP top
+ STRUCTURAL MUST ( pgpCertID $ pgpKey )
+ MAY ( pgpDisabled $ pgpKeyID $ pgpKeyType $
+ pgpUserID $ pgpKeyCreateTime $ pgpSignerID $
+ pgpRevoked $ pgpSubKeyID $ pgpKeySize $
+ pgpKeyExpireTime $ gpgFingerprint $
+ gpgSubFingerprint $ gpgSubCertID $
+ gpgMailbox ) )
+#
+# end-of-file
+#