doc: Add notes on how to setup LDAP

--
2025-07-02 22:46:30 +02:00 · 2020-10-07 18:33:58 +02:00 · 2020-10-07 18:33:58 +02:00 · f4166209e3
commit f4166209e3
parent 4eb9ce8478
4 changed files with 684 additions and 0 deletions
--- a/doc/ldap/gnupg-ldap-schema.ldif
+++ b/doc/ldap/gnupg-ldap-schema.ldif
@ -0,0 +1,209 @@
+# gnupg-ldap-scheme.ldif                                 -*- conf -*-
+#
+# Schema for an OpenPGP LDAP keyserver.  This is a slighly enhanced
+# version of the original LDAP schema used for PGP keyservers as
+# installed at quite some sites.
+# Revision: 2020-10-07
+
+# Note: The index 1000 is just a high number so that OpenLDAP assigns
+# the next available number.
+dn: cn={1000}gnupg-keyserver,cn=schema,cn=config
+objectClass: olcSchemaConfig
+# The base DN for the PGP key space by querying the
+#  pgpBaseKeySpaceDN attribute (This is normally
+#  'ou=PGP Keys,dc=example,dc=com').
+olcAttributeTypes: {0}(
+    1.3.6.1.4.1.3401.8.2.8
+    NAME 'pgpBaseKeySpaceDN'
+    DESC 'Points to DN of the object that will store the PGP keys.'
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
+    SINGLE-VALUE )
+# See gnupg-ldap-init.ldif for a description of the next two attributes
+olcAttributeTypes: {1}(
+    1.3.6.1.4.1.3401.8.2.9
+    NAME 'pgpSoftware'
+    DESC 'Origin of the schema'
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+    SINGLE-VALUE )
+olcAttributeTypes: {2}(
+    1.3.6.1.4.1.3401.8.2.10
+    NAME 'pgpVersion'
+    DESC 'Version of this schema'
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+    SINGLE-VALUE )
+#
+# The attribute holding the OpenPGP keyblock.
+# The legacy PGP LDAP server used pgpKeyV2 instead.
+olcAttributeTypes: {3}(
+    1.3.6.1.4.1.3401.8.2.11
+    NAME 'pgpKey'
+    DESC 'OpenPGP public key block'
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+    SINGLE-VALUE )
+# The long key-ID
+olcAttributeTypes: {4}(
+    1.3.6.1.4.1.3401.8.2.12
+    NAME 'pgpCertID'
+    DESC 'OpenPGP long key id'
+    EQUALITY caseIgnoreMatch
+    SUBSTR caseIgnoreSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+    SINGLE-VALUE )
+# A flag to temporary disable a keyblock
+olcAttributeTypes: {5}(
+    1.3.6.1.4.1.3401.8.2.13
+    NAME 'pgpDisabled'
+    DESC 'pgpDisabled attribute for PGP'
+    EQUALITY caseIgnoreMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+    SINGLE-VALUE )
+# The short key id.  This is actually not required and should thus not
+# be used by cleint software.
+olcAttributeTypes: {6}(
+    1.3.6.1.4.1.3401.8.2.14
+    NAME 'pgpKeyID'
+    DESC 'OpenPGP short key id'
+    EQUALITY caseIgnoreMatch
+    SUBSTR caseIgnoreSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+    SINGLE-VALUE )
+# The algorithm of the key.  Used to be "RSA" or "DSS/DH".
+olcAttributeTypes: {7}(
+    1.3.6.1.4.1.3401.8.2.15
+    NAME 'pgpKeyType'
+    DESC 'pgpKeyType attribute for PGP'
+    EQUALITY caseIgnoreMatch
+    SUBSTR caseIgnoreSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+    SINGLE-VALUE )
+# The User-ID.  GnuPG maps its user-ID classes this way:
+#     exact:   (pgpUserID=%s)
+#     substr:  (pgpUserID=*%s*)
+#     mail:    (pgpUserID=*<%s>*)
+#     mailsub: (pgpUserID=*<*%s*>*)
+#     mailend: (pgpUserID=*<*%s>*)
+olcAttributeTypes: {8}(
+    1.3.6.1.4.1.3401.8.2.16
+    NAME 'pgpUserID'
+    DESC 'User ID(s) associated with the key'
+    EQUALITY caseIgnoreMatch
+    SUBSTR caseIgnoreSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+# The creation time of the primary key.
+# Stored in ISO format: "20201231 120000"
+olcAttributeTypes: {9}(
+    1.3.6.1.4.1.3401.8.2.17
+    NAME 'pgpKeyCreateTime'
+    DESC 'Primary key creation time'
+    EQUALITY caseIgnoreMatch
+    ORDERING caseIgnoreOrderingMatch
+    SUBSTR caseIgnoreSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+    SINGLE-VALUE )
+# Not used
+olcAttributeTypes: {10}(
+    1.3.6.1.4.1.3401.8.2.18
+    NAME 'pgpSignerID'
+    DESC 'pgpSignerID attribute for PGP'
+    EQUALITY caseIgnoreMatch
+    SUBSTR caseIgnoreSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+# A value of 1 indicated that the keyblock has been revoked
+olcAttributeTypes: {11}(
+    1.3.6.1.4.1.3401.8.2.19
+    NAME 'pgpRevoked'
+    DESC 'pgpRevoked attribute for PGP'
+    EQUALITY caseIgnoreMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+    SINGLE-VALUE )
+olcAttributeTypes: {12}(
+    1.3.6.1.4.1.3401.8.2.20
+    NAME 'pgpSubKeyID'
+    DESC 'Sub-key ID(s) of the PGP key.'
+    EQUALITY caseIgnoreMatch
+    SUBSTR caseIgnoreSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+# A hin on the keysize.
+olcAttributeTypes: {13}(
+    1.3.6.1.4.1.3401.8.2.21
+    NAME 'pgpKeySize'
+    DESC 'pgpKeySize attribute for PGP'
+    EQUALITY caseIgnoreMatch
+    ORDERING caseIgnoreOrderingMatch
+    SUBSTR caseIgnoreSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+# Expiration time of the primary key.
+# Stored in ISO format: "20201231 120000"
+olcAttributeTypes: {14}(
+    1.3.6.1.4.1.3401.8.2.22
+    NAME 'pgpKeyExpireTime'
+    DESC 'pgpKeyExpireTime attribute for PGP'
+    EQUALITY caseIgnoreMatch
+    ORDERING caseIgnoreOrderingMatch
+    SUBSTR caseIgnoreSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+    SINGLE-VALUE )
+#
+# The hex encoded fingerprint of the primary key.
+olcAttributeTypes: {15}(
+    1.3.6.1.4.1.11591.2.4.1.1
+    NAME 'gpgFingerprint'
+    DESC 'Fingerprint of the primary key'
+    EQUALITY caseIgnoreMatch
+    SUBSTR caseIgnoreSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+    SINGLE-VALUE )
+# A list of hex encoded fingerprints of the subkeys.
+olcAttributeTypes: {16}(
+    1.3.6.1.4.1.11591.2.4.1.2
+    NAME 'gpgSubFingerprint'
+    DESC 'Fingerprints of the secondary keys'
+    EQUALITY caseIgnoreMatch
+    SUBSTR caseIgnoreSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+# A list of utf8 encoded addr-spec used instead of mail/rfc822Mailbox
+olcAttributeTypes: {17}(
+    1.3.6.1.4.1.11591.2.4.1.3
+    NAME 'gpgMailbox'
+    DESC 'The utf8 encoded addr-spec of a mailbox'
+    EQUALITY caseIgnoreMatch
+    SUBSTR caseIgnoreSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+# A list of hex encoded long keyids of all subkeys.
+olcAttributeTypes: {18}(
+    1.3.6.1.4.1.11591.2.4.1.4
+    NAME 'gpgSubCertID'
+    DESC 'OpenPGP long subkey id'
+    EQUALITY caseIgnoreMatch
+    SUBSTR caseIgnoreSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+#
+#
+# Used by regular LDAP servers to indicate pgp support.
+#
+olcObjectClasses: {0}(
+    1.3.6.1.4.1.3401.8.2.23
+    NAME 'pgpServerInfo'
+    DESC 'An OpenPGP public keyblock store'
+    SUP top
+    STRUCTURAL MUST ( cn $ pgpBaseKeySpaceDN )
+                MAY ( pgpSoftware $ pgpVersion ) )
+#
+# The original PGP key object extended with a few extra attributes.
+# All new software should set them but this is not enforced for
+# backward compatibility
+olcObjectClasses: {1}(
+    1.3.6.1.4.1.3401.8.2.24
+    NAME 'pgpKeyInfo'
+    DESC 'An OpenPGP public keyblock'
+    SUP top
+    STRUCTURAL MUST ( pgpCertID $ pgpKey )
+                MAY ( pgpDisabled $ pgpKeyID $ pgpKeyType $
+                      pgpUserID $ pgpKeyCreateTime $ pgpSignerID $
+                      pgpRevoked $ pgpSubKeyID $ pgpKeySize $
+                      pgpKeyExpireTime $ gpgFingerprint $
+                      gpgSubFingerprint $ gpgSubCertID $
+                      gpgMailbox ) )
+#
+# end-of-file
+#