mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
doc: Add notes on how to setup LDAP
--
This commit is contained in:
parent
4eb9ce8478
commit
f4166209e3
3
.gitignore
vendored
3
.gitignore
vendored
@ -162,3 +162,6 @@ x.parm
|
|||||||
/VERSION
|
/VERSION
|
||||||
/swdb.lst
|
/swdb.lst
|
||||||
/swdb.lst.sig
|
/swdb.lst.sig
|
||||||
|
/doc/ldap/gnupg-and-ldap.pdf
|
||||||
|
/doc/ldap/gnupg-and-ldap.tex
|
||||||
|
/doc/ldap/gnupg-and-ldap.txt
|
||||||
|
445
doc/ldap/README.ldap
Normal file
445
doc/ldap/README.ldap
Normal file
@ -0,0 +1,445 @@
|
|||||||
|
# README.ldap -*- org -*-
|
||||||
|
#+TITLE: How to use LDAP with GnuPG
|
||||||
|
#+AUTHOR: GnuPG.com
|
||||||
|
#+DATE: 2020-10-07
|
||||||
|
#
|
||||||
|
# The following comment lines are for use by Org-mode.
|
||||||
|
#+EXPORT_FILE_NAME: gnupg-and-ldap
|
||||||
|
#+LANGUAGE: en
|
||||||
|
#+OPTIONS: H:3 num:t toc:t \n:nil @:t ::t |:t ^:{} -:t f:t *:t TeX:t LaTeX:t skip:nil d:(HIDE) tags:not-in-toc
|
||||||
|
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="https://gnupg.org/share/site.css" />
|
||||||
|
#+LATEX_CLASS: article
|
||||||
|
#+LATEX_CLASS_OPTIONS: [a4paper,11pt]
|
||||||
|
#+LATEX_HEADER: \usepackage{a4wide}
|
||||||
|
#+LATEX_HEADER_EXTRA: \parindent0mm
|
||||||
|
#+STARTUP: showall
|
||||||
|
|
||||||
|
* How to use LDAP with GnuPG
|
||||||
|
|
||||||
|
In GnuPG the handling of LDAP is done by its Dirmngr component. This
|
||||||
|
is due to the architecture of the system where Dirmngr is the sole
|
||||||
|
process responsible for network related tasks. Network access is
|
||||||
|
required for:
|
||||||
|
|
||||||
|
- CRL fetching and caching for S/MIME
|
||||||
|
- OCSP checking
|
||||||
|
- S/MIME (X.509) certificate search via LDAP
|
||||||
|
- OpenPGP keyserver access (HTTP, LDAP, etc.)
|
||||||
|
- Checking for software updates (if enabled)
|
||||||
|
|
||||||
|
In the following we describe how S/MIME and OpenPGP certificate search
|
||||||
|
is implemented. If you want to skip this background information feel
|
||||||
|
free to continue with the next section where LDAP installation and
|
||||||
|
configuration is described. In any case we need to explain a few
|
||||||
|
terms used with LDAP:
|
||||||
|
|
||||||
|
- DIT :: /Directory Information Tree/ also known as /naming context/.
|
||||||
|
This is is often referred to as the /LDAP directory/. It is
|
||||||
|
where the data for a single organization described by a DNS
|
||||||
|
name is stored (e.g. "example.org").
|
||||||
|
- DN :: /Distinguished Name/ is the key for an entry in the DIT. It
|
||||||
|
is a similar concept as used in the DNS system.
|
||||||
|
- RDN :: /Relative Distinguished Name/ is a component or part of a
|
||||||
|
DN. For example the DN "cn=admin,dc=example,dc=com" consist
|
||||||
|
of the 3 RDNs "cn=admin", "dc=example", and "dc=com". Each
|
||||||
|
RDN has a name (e.g. "cn" for /common name/ or "dc" for
|
||||||
|
/domain component/) and a values (e.g. "admin").
|
||||||
|
- LDIF :: /LDAP Data Interchange Format/ is a description for the
|
||||||
|
human readable data exchange format used with LDAP.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
** OpenPGP
|
||||||
|
|
||||||
|
To serve OpenPGP certificates via LDAP a dedicated schema needs to be
|
||||||
|
installed. The schema supported by GnuPG was originally defined by
|
||||||
|
PGP Inc. in the end of the 1990ies. This is today still the schema
|
||||||
|
installed on LDAP servers for access by PGP or GnuPG. However, this
|
||||||
|
schema has a couple of deficits which need to be fixed. For that
|
||||||
|
reason we have defined additional attributes. These new attributes
|
||||||
|
eventually allow to lookup certificates by their fingerprints and not
|
||||||
|
just by the shorter and thus non-unique Key-ID. The new schema also
|
||||||
|
supports storing of information on the subkeys and the UTF-8 encoded
|
||||||
|
mail addresses. Current versions of GnuPG do not yet make use of
|
||||||
|
these new attributes but for new LDAP installations it is highly
|
||||||
|
recommended to use the new schema so that a future version of the
|
||||||
|
software can make use if these attributes.
|
||||||
|
|
||||||
|
Note that the OpenPGP certificates are stored in the DIT under a
|
||||||
|
separate organizational unit using the long Key-ID to distinguish
|
||||||
|
them. An example for such an DN is:
|
||||||
|
|
||||||
|
: pgpCertID=63113AE866587D0A,ou=GnuPG Keys,dc=example,dc=com
|
||||||
|
|
||||||
|
This design means that entries stored under "GnuPG Keys" are not
|
||||||
|
connected to the users commonly found on an LDAP server. This allows
|
||||||
|
to store arbitrary OpenPGP certificates in the directory and is
|
||||||
|
commonly used to make the certificates of external communication
|
||||||
|
partners easily available.
|
||||||
|
|
||||||
|
|
||||||
|
** S/MIME
|
||||||
|
|
||||||
|
Standard X.509 LDAP semantics apply for S/MIME certificate search.
|
||||||
|
The current version of Dirmngr (2.2.23) supports 3 pattern formats
|
||||||
|
which are translated from GnuPG's User-ID syntax, as given to the gpg
|
||||||
|
and gpgsm commands, to the LDAP syntax:
|
||||||
|
|
||||||
|
- Mail :: Indicated by a leading left angle and translated to the
|
||||||
|
query:
|
||||||
|
: "<ADDRSPEC>" -> "mail=ADDRSPEC"
|
||||||
|
|
||||||
|
- Subject DN :: Indicated by a leading slash. The DN is formatted
|
||||||
|
according to RFC-2253 rules and thus directly usable
|
||||||
|
for an LDAP query.
|
||||||
|
|
||||||
|
- Substring search :: If no other syntax matches or the pattern is
|
||||||
|
prefixed with an asterisk the User-ID is translated to:
|
||||||
|
: "USERID" -> "(|(sn=*USERID*)(|(cn=*USERID*)(mail=*USERID*)))"
|
||||||
|
or in other word a substring search on the serial-number, the
|
||||||
|
common-name, and the mail attribute is done.
|
||||||
|
|
||||||
|
The result is expected to be in one of the attributes
|
||||||
|
"userCertificate", "cACertificate", or "x509caCert". In cases where
|
||||||
|
we are looking for the issuer certificate only "cACertificate" is
|
||||||
|
used. "ObjectClass=*" is always used a filter.
|
||||||
|
|
||||||
|
Note: The attribute "mail" with the OID 0.9.2342.19200300.100.1.3 was
|
||||||
|
originally defined with this OID under the name "rfc822Mailbox" using
|
||||||
|
a different although similar syntax. Take care: This is not an UTF-8
|
||||||
|
encoded mail address and in theory GnuPG should use IDN mapping here.
|
||||||
|
However, it is questionable whether any real world installation
|
||||||
|
would be able to handle such a mapping.
|
||||||
|
|
||||||
|
|
||||||
|
* How to install OpenLDAP
|
||||||
|
|
||||||
|
To install a standard LDAP server to provide S/MIME certificate lookup
|
||||||
|
follow the instructions of your OS vendor. For example on Debian
|
||||||
|
based systems this is:
|
||||||
|
|
||||||
|
: apt-get install slapd ldap-utils libsasl2-modules
|
||||||
|
|
||||||
|
Follow the prompts during installation, set an initial admin password,
|
||||||
|
and, most important, the domain you want to serve. Note that we use
|
||||||
|
"example.com" in following. If you ever need to change the
|
||||||
|
configuration on a Debian based system you can do so by running
|
||||||
|
|
||||||
|
: dpkg-reconfigure slapd
|
||||||
|
|
||||||
|
Serving LDAP requests for S/MIME (X.509) certificates will then work
|
||||||
|
out of the box. Use your standard tools to maintain these
|
||||||
|
entries. Some hints on how to manually add certificates can be found
|
||||||
|
below in the section "Useful LDAP Commands".
|
||||||
|
|
||||||
|
Please read on if you want to serve also OpenPGP certificates.
|
||||||
|
|
||||||
|
** Installation of the OpenPGP Schema
|
||||||
|
|
||||||
|
Assuming a standard OpenLDAP installation, it is easy to add a new
|
||||||
|
schema to store OpenPGP certificate. We describe this now step by
|
||||||
|
step.
|
||||||
|
|
||||||
|
First you need to download the two LDIF files
|
||||||
|
- https://gnupg.org/misc/gnupg-ldap-schema.ldif
|
||||||
|
- https://gnupg.org/misc/gnupg-ldap-init.ldif.
|
||||||
|
|
||||||
|
|
||||||
|
As administrator (root) on your LDAP server use the command
|
||||||
|
|
||||||
|
: ldapadd -v -Y EXTERNAL -H ldapi:/// -f ./gnupg-ldap-schema.ldif
|
||||||
|
|
||||||
|
to install the schema. The options given to the ldapadd tool are:
|
||||||
|
|
||||||
|
- -v :: Given some diagnostic output (be verbose). To be even more
|
||||||
|
verbose you may use =-vv= or =-vvv=. The diagnostics are
|
||||||
|
written to stdout.
|
||||||
|
- -Y :: Specify the authentication mechanism. Here we use =EXTERN=
|
||||||
|
which is in this case local socket based authentication
|
||||||
|
(ldapi).
|
||||||
|
- -H :: The URL to access the LDAP server. Only scheme, host, and
|
||||||
|
port are allowed. In our case we use =ldapi:///= to request
|
||||||
|
a connection on the standard OpenLDAP socket (usually this is
|
||||||
|
=/var/run/slapd/ldapi=).
|
||||||
|
- -f :: Specify a file with data to add to the directory. The file
|
||||||
|
used here is the specification of the keyserver schema. If
|
||||||
|
this option is not used ldapadd expects this data on stdin.
|
||||||
|
|
||||||
|
The new schema should now be installed. Check this by using this
|
||||||
|
command:
|
||||||
|
|
||||||
|
: ldapsearch -Q -Y EXTERNAL -L -H ldapi:/// \
|
||||||
|
: -b 'cn=schema,cn=config' cn | grep cn:
|
||||||
|
(on Unix the backslash indicates that the line is continued with the
|
||||||
|
next line)
|
||||||
|
|
||||||
|
The options not used by ldapsearch which have not yet been explained
|
||||||
|
above are:
|
||||||
|
|
||||||
|
- -Q :: Be quiet about authentication and never prompt.
|
||||||
|
- -b :: Specify the search base. In this case we want the internal
|
||||||
|
OpenLDAP schema which stores the server's own configuration.
|
||||||
|
|
||||||
|
The final argument =cn= restricts the output to the DN and the CN
|
||||||
|
attribute; the grep then shows only the latter. With a freshly
|
||||||
|
installed OpenLDAP system you should get an output like:
|
||||||
|
|
||||||
|
#+begin_example
|
||||||
|
cn: schema
|
||||||
|
cn: {0}core
|
||||||
|
cn: {1}cosine
|
||||||
|
cn: {2}nis
|
||||||
|
cn: {3}inetorgperson
|
||||||
|
cn: {4}gnupg-keyserver
|
||||||
|
#+end_example
|
||||||
|
|
||||||
|
This tells you that the keyserver schema has been installed under (in
|
||||||
|
this case) the index "{4}".
|
||||||
|
|
||||||
|
The next step is to connect the new schema with your DIT. This means
|
||||||
|
that entries to actually store the certificates and meta data are
|
||||||
|
created. This way GnuPG will be able to find the data. For this you
|
||||||
|
need to edit the downloaded file =gnupg-ldap-init.ldif= and replace
|
||||||
|
all the RDNs with name "dc" with your own. For example, in our own
|
||||||
|
LDAP we would change
|
||||||
|
: dn: cn=PGPServerInfo,dc=example,dc=com
|
||||||
|
to
|
||||||
|
: dn: cn=PGPServerInfo,dc=gnupg,dc=com
|
||||||
|
and do that also for the other 3 appearances of the "dc" RDNs. In case
|
||||||
|
you use a 3-level domain, add another "dc" in the same way you did when
|
||||||
|
setting up OpenLDAP. With that modified file run
|
||||||
|
|
||||||
|
: ldapadd -v -x -H ldapi:/// -D 'cn=admin,dc=example,dc=com' \
|
||||||
|
: -W -f ./gnupg-ldap-init.ldif
|
||||||
|
|
||||||
|
Remember to change the "dc" RDNs also here to what you actually use.
|
||||||
|
We use simple authentication by means of these options:
|
||||||
|
|
||||||
|
- -x :: Use simple authentication
|
||||||
|
- -D :: The Bind-DN used to bind to the LDAP directory
|
||||||
|
- -W :: Ask for the admin's passphrase. You may also use a lowercase
|
||||||
|
=-w= followed by the passphrase but that would reveal the
|
||||||
|
passphrase in the shell's history etc.
|
||||||
|
|
||||||
|
All users with access right to the LDAP server may now retrieve
|
||||||
|
OpenPGP certificates. But wait, we also need a user allowed to insert
|
||||||
|
or update OpenPGP certificates. Choose a useful name for that user
|
||||||
|
and create a file =newuser.ldif=. In our example domain we name that
|
||||||
|
user "LordPrivySeal" and thus the file is:
|
||||||
|
|
||||||
|
#+begin_src
|
||||||
|
dn: uid=LordPrivySeal,ou=GnuPG Users,dc=example,dc=com
|
||||||
|
objectClass: inetOrgPerson
|
||||||
|
objectClass: uidObject
|
||||||
|
sn: Lord Keeper of the Privy Seal
|
||||||
|
cn: Lord Privy Seal
|
||||||
|
userPassword: {SSHA}u6oxl9ulaS57RPyjApyPcE7mNECNK1Tg
|
||||||
|
#+end_src
|
||||||
|
|
||||||
|
The =userPassword= has been created by running
|
||||||
|
: /usr/sbin/slappasswd
|
||||||
|
entering the password, and paste the output into the file (the
|
||||||
|
password used in the above example is "abc").
|
||||||
|
|
||||||
|
Now run
|
||||||
|
|
||||||
|
: ldapadd -v -x -H ldapi:/// -D 'cn=admin,dc=gnupg,dc=com' \
|
||||||
|
: -W -f ./newuser.ldif
|
||||||
|
|
||||||
|
On the password prompt enter the admin's password (not the one of the
|
||||||
|
new user). Note that the user is created below the "GnuPG Users"
|
||||||
|
organizational unit and not in the standard name space. Thus this is
|
||||||
|
a dedicated user for OpenPGP certificates.
|
||||||
|
|
||||||
|
See below how you can list the entire DIT. With
|
||||||
|
a fresh install you should see these DNs:
|
||||||
|
#+begin_example
|
||||||
|
dn: dc=example,dc=com
|
||||||
|
dn: cn=admin,dc=example,dc=com
|
||||||
|
dn: cn=PGPServerInfo,dc=example,dc=com
|
||||||
|
dn: ou=GnuPG Keys,dc=example,dc=com
|
||||||
|
dn: ou=GnuPG Users,dc=example,dc=com
|
||||||
|
dn: uid=LordPrivySeal,ou=GnuPG Users,dc=example,dc=com
|
||||||
|
#+end_example
|
||||||
|
|
||||||
|
Finally we need to give all users read access to the server's database
|
||||||
|
and allow an authenticated user to modify the database. To do this
|
||||||
|
you need to figure out the used database; run the command
|
||||||
|
|
||||||
|
: ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b 'cn=config' dn | grep olcDatabase=
|
||||||
|
|
||||||
|
which should give you a list like this:
|
||||||
|
|
||||||
|
#+begin_example
|
||||||
|
dn: olcDatabase={-1}frontend,cn=config
|
||||||
|
dn: olcDatabase={0}config,cn=config
|
||||||
|
dn: olcDatabase={1}mdb,cn=config
|
||||||
|
#+end_example
|
||||||
|
|
||||||
|
The first two databases are for internal purposes, the last one is our
|
||||||
|
database. Now create a file =grantaccess.ldif= with this content:
|
||||||
|
|
||||||
|
#+begin_example
|
||||||
|
dn: olcDatabase={1}mdb,cn=config
|
||||||
|
changetype: modify
|
||||||
|
replace: olcAccess
|
||||||
|
olcAccess: {0} to dn.subtree="dc=example,dc=com"
|
||||||
|
by dn.regex="^uid=LordPrivySeal,ou=GnuPG Users,dc=example,dc=com" write
|
||||||
|
by * read
|
||||||
|
#+end_example
|
||||||
|
|
||||||
|
As usual replace all "dc=example,dc=com" accordingly. Take care not
|
||||||
|
to insert a blank line anywhere. The first line needs to give the DN
|
||||||
|
of the database as determined above. Excute the rules from that file
|
||||||
|
using the command:
|
||||||
|
|
||||||
|
: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f grantaccess.ldif
|
||||||
|
|
||||||
|
Now all users have read access and the user LordPrivySeal has write
|
||||||
|
access. In case you want to give several users permissions to update the
|
||||||
|
keys replace the regex line in =grantaccess.ldif= with
|
||||||
|
|
||||||
|
: by dn.regex="^uid=([^,]+),ou=GnuPG Users,dc=example,dc=com" write
|
||||||
|
|
||||||
|
and create those users below the RDN "ou=GnuPG Users".
|
||||||
|
|
||||||
|
That's all you need to do at the server.
|
||||||
|
|
||||||
|
** Configuration for GnuPG
|
||||||
|
|
||||||
|
The easiest way to enable LDAP for S/MIME is to put
|
||||||
|
|
||||||
|
#+begin_src
|
||||||
|
keyserver ldap.example.com::::dc=example,dc=com:
|
||||||
|
#+end_src
|
||||||
|
|
||||||
|
into =gpgsm.conf=. If you prefer to use a dedicated configuration
|
||||||
|
file you can do this with dirmngr by adding a line
|
||||||
|
|
||||||
|
: ldap.example.com::::dc=example,dc=com:
|
||||||
|
|
||||||
|
to =dirmngr_ldapservers.conf=.
|
||||||
|
|
||||||
|
Assuming you want to use the machine running the LDAP server also to
|
||||||
|
maintain OpenPGP certificates, put the following line into the
|
||||||
|
=dirmngr.conf= configuration of a dedicated user for this task:
|
||||||
|
|
||||||
|
#+begin_src
|
||||||
|
keyserver ldapi:///????bindname=uid=LordPrivySeal
|
||||||
|
%2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=abc
|
||||||
|
#+end_src
|
||||||
|
(Enter this all on one line; "%2C" directly at the end of "Seal")
|
||||||
|
|
||||||
|
That is a pretty long line with weird escaping rules. Just enter it
|
||||||
|
verbatim but replace the "dc" RDNs accordingly. Remember that =ldapi=
|
||||||
|
uses local socket connection instead of TCP to connect to the server.
|
||||||
|
The password given in that file is the password of the OpenPGP
|
||||||
|
maintainer (LordPrivySeal). Use appropriate permissions for that
|
||||||
|
file to make it not too easy to access that password. See the GnuPG
|
||||||
|
manual for other ways to configure an LDAP keyserver.
|
||||||
|
|
||||||
|
With that configuration in place you may add arbitrary OpenPGP keys to
|
||||||
|
your LDAP. For example user "joe@example.org" sends you a key and
|
||||||
|
asks to insert that key. If you feel comfortable with that you should
|
||||||
|
first check the key, import it into your local keyring, and then send
|
||||||
|
it off to your LDAP server:
|
||||||
|
|
||||||
|
: gpg --show-key < file-with-joes-key.asc
|
||||||
|
|
||||||
|
Looks good? Note the fingerprint of the key and run
|
||||||
|
|
||||||
|
: gpg --import < file-with-joes-key.asc
|
||||||
|
: gpg --send-keys FINGERPRINT
|
||||||
|
|
||||||
|
That's all. If you want to work from a different machine or use the
|
||||||
|
Kleopatra GUI you need to make sure that ldaps has been correctly
|
||||||
|
configured (for example on the machine =ldap.example.org=) and you
|
||||||
|
need to use this keyserver line:
|
||||||
|
#+begin_src
|
||||||
|
keyserver ldaps://ldap.example.com/????bindname=uid=LordPrivySeal
|
||||||
|
%2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=abc
|
||||||
|
#+end_src
|
||||||
|
(Enter this all on one line; "%2C" directly at the end of "Seal")
|
||||||
|
|
||||||
|
The easier case is the configuration line for anonymous users which is
|
||||||
|
a mere
|
||||||
|
#+begin_src
|
||||||
|
keyserver ldaps://ldap.example.com
|
||||||
|
#+end_src
|
||||||
|
|
||||||
|
This assumes that you have a valid TLS server certificate for that
|
||||||
|
domain and ldaps is enabled on the server.
|
||||||
|
|
||||||
|
* Useful LDAP Commands
|
||||||
|
|
||||||
|
** List the entire DIT
|
||||||
|
|
||||||
|
To list the entire DIT for the domain "example.com" use this command:
|
||||||
|
|
||||||
|
: ldapsearch -Q -Y EXTERNAL -LLL -H ldapi:/// -b dc=example,dc=com dn
|
||||||
|
|
||||||
|
This lists just the DNs. If you need the entire content of the DIT
|
||||||
|
leave our the "dn" argument. The option "-LLL" selects a useful
|
||||||
|
formatting options for the output.
|
||||||
|
|
||||||
|
** Insert X.509 Certficate
|
||||||
|
|
||||||
|
If you don't have a handy tool to insert a certificate via LDAP you
|
||||||
|
can do it manually. First put the certificate in binary (DER) format
|
||||||
|
into a file. For example using gpgsm:
|
||||||
|
|
||||||
|
: gpgsm --export berta.boss@example.com >berta.crt
|
||||||
|
|
||||||
|
Then create a file =addcert.ldif=:
|
||||||
|
#+begin_example
|
||||||
|
dn: CN=Berta Boss,dc=example,dc=com
|
||||||
|
objectclass: inetOrgPerson
|
||||||
|
cn: Berta Boss
|
||||||
|
sn: Boss
|
||||||
|
gn: Berta
|
||||||
|
uid: berta
|
||||||
|
mail: berta.boss@example.com
|
||||||
|
usercertificate;binary:< file:///home/admin/berta.crt
|
||||||
|
#+end_example
|
||||||
|
(Note that an absolute file name is required.)
|
||||||
|
|
||||||
|
Finally run
|
||||||
|
|
||||||
|
: ldapadd -x -H ldapi:/// -D 'cn=admin,dc=example,dc=com' -W -f adduser.ldif
|
||||||
|
|
||||||
|
|
||||||
|
** Change RootDN Password:
|
||||||
|
|
||||||
|
Create temporary file named =passwd.ldif=:
|
||||||
|
#+begin_src
|
||||||
|
dn: olcDatabase={1}mdb,cn=config
|
||||||
|
changetype: modify
|
||||||
|
replace: olcRootPW
|
||||||
|
olcRootPW: XXXX
|
||||||
|
#+end_src
|
||||||
|
|
||||||
|
For XXXX insert the output of slappasswd and run
|
||||||
|
: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f passwd.ldif
|
||||||
|
|
||||||
|
followed by
|
||||||
|
|
||||||
|
: ldappasswd -x -D cn=admin,dc=example,dc=com -W -S
|
||||||
|
|
||||||
|
and enter the new and old password again.
|
||||||
|
|
||||||
|
** Show ACLs
|
||||||
|
|
||||||
|
: ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b 'cn=config' olcAccess
|
||||||
|
|
||||||
|
** Show a list of databases
|
||||||
|
|
||||||
|
: ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b 'cn=config' | grep ^olcDatabase:
|
||||||
|
|
||||||
|
** Change the log level
|
||||||
|
|
||||||
|
To debug access problems, it is useful to change the log level:
|
||||||
|
|
||||||
|
: printf "dn: cn=config\nchangetype: %s\nreplace: %s\n%s: %s\n" \
|
||||||
|
: modify olcLogLevel olcLogLevel ACL | ldapadd -Q -Y EXTERNAL -H ldapi:///
|
||||||
|
|
||||||
|
to revert replace "ACL" by "none".
|
27
doc/ldap/gnupg-ldap-init.ldif
Normal file
27
doc/ldap/gnupg-ldap-init.ldif
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
# gnupg-ldap-init.ldif -*- conf -*-
|
||||||
|
#
|
||||||
|
# Entries connecting the schema specified in gnupg-ldap-schema.ldif.
|
||||||
|
# Revision: 2020-10-07
|
||||||
|
|
||||||
|
dn: cn=PGPServerInfo,dc=example,dc=com
|
||||||
|
objectClass: pgpServerInfo
|
||||||
|
cn: PGPServerInfo
|
||||||
|
# Note that we suggest the use of ou=GnuPG keys instead of the often
|
||||||
|
# used PGP Keys. This makes it easy to spot this is a new schema.
|
||||||
|
pgpBaseKeySpaceDN: ou=GnuPG Keys,dc=example,dc=com
|
||||||
|
# Using the value GnuPG here indicates that pgpVersion below has a
|
||||||
|
# well-defined meaning.
|
||||||
|
pgpSoftware: GnuPG
|
||||||
|
# Currently used values:
|
||||||
|
# 1 :: Classic PGP schema
|
||||||
|
# 2 :: The attributes gpgFingerprint, gpgSubFingerprint,
|
||||||
|
# gpgSubCertID, and gpgMailbox are part of the schema.
|
||||||
|
pgpVersion: 2
|
||||||
|
|
||||||
|
dn: ou=GnuPG Keys,dc=example,dc=com
|
||||||
|
objectClass: organizationalUnit
|
||||||
|
ou: GnuPG Keys
|
||||||
|
|
||||||
|
dn: ou=GnuPG Users,dc=example,dc=com
|
||||||
|
objectclass: organizationalUnit
|
||||||
|
ou: GnuPG Users
|
209
doc/ldap/gnupg-ldap-schema.ldif
Normal file
209
doc/ldap/gnupg-ldap-schema.ldif
Normal file
@ -0,0 +1,209 @@
|
|||||||
|
# gnupg-ldap-scheme.ldif -*- conf -*-
|
||||||
|
#
|
||||||
|
# Schema for an OpenPGP LDAP keyserver. This is a slighly enhanced
|
||||||
|
# version of the original LDAP schema used for PGP keyservers as
|
||||||
|
# installed at quite some sites.
|
||||||
|
# Revision: 2020-10-07
|
||||||
|
|
||||||
|
# Note: The index 1000 is just a high number so that OpenLDAP assigns
|
||||||
|
# the next available number.
|
||||||
|
dn: cn={1000}gnupg-keyserver,cn=schema,cn=config
|
||||||
|
objectClass: olcSchemaConfig
|
||||||
|
# The base DN for the PGP key space by querying the
|
||||||
|
# pgpBaseKeySpaceDN attribute (This is normally
|
||||||
|
# 'ou=PGP Keys,dc=example,dc=com').
|
||||||
|
olcAttributeTypes: {0}(
|
||||||
|
1.3.6.1.4.1.3401.8.2.8
|
||||||
|
NAME 'pgpBaseKeySpaceDN'
|
||||||
|
DESC 'Points to DN of the object that will store the PGP keys.'
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
|
||||||
|
SINGLE-VALUE )
|
||||||
|
# See gnupg-ldap-init.ldif for a description of the next two attributes
|
||||||
|
olcAttributeTypes: {1}(
|
||||||
|
1.3.6.1.4.1.3401.8.2.9
|
||||||
|
NAME 'pgpSoftware'
|
||||||
|
DESC 'Origin of the schema'
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
||||||
|
SINGLE-VALUE )
|
||||||
|
olcAttributeTypes: {2}(
|
||||||
|
1.3.6.1.4.1.3401.8.2.10
|
||||||
|
NAME 'pgpVersion'
|
||||||
|
DESC 'Version of this schema'
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
||||||
|
SINGLE-VALUE )
|
||||||
|
#
|
||||||
|
# The attribute holding the OpenPGP keyblock.
|
||||||
|
# The legacy PGP LDAP server used pgpKeyV2 instead.
|
||||||
|
olcAttributeTypes: {3}(
|
||||||
|
1.3.6.1.4.1.3401.8.2.11
|
||||||
|
NAME 'pgpKey'
|
||||||
|
DESC 'OpenPGP public key block'
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
||||||
|
SINGLE-VALUE )
|
||||||
|
# The long key-ID
|
||||||
|
olcAttributeTypes: {4}(
|
||||||
|
1.3.6.1.4.1.3401.8.2.12
|
||||||
|
NAME 'pgpCertID'
|
||||||
|
DESC 'OpenPGP long key id'
|
||||||
|
EQUALITY caseIgnoreMatch
|
||||||
|
SUBSTR caseIgnoreSubstringsMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
||||||
|
SINGLE-VALUE )
|
||||||
|
# A flag to temporary disable a keyblock
|
||||||
|
olcAttributeTypes: {5}(
|
||||||
|
1.3.6.1.4.1.3401.8.2.13
|
||||||
|
NAME 'pgpDisabled'
|
||||||
|
DESC 'pgpDisabled attribute for PGP'
|
||||||
|
EQUALITY caseIgnoreMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
||||||
|
SINGLE-VALUE )
|
||||||
|
# The short key id. This is actually not required and should thus not
|
||||||
|
# be used by cleint software.
|
||||||
|
olcAttributeTypes: {6}(
|
||||||
|
1.3.6.1.4.1.3401.8.2.14
|
||||||
|
NAME 'pgpKeyID'
|
||||||
|
DESC 'OpenPGP short key id'
|
||||||
|
EQUALITY caseIgnoreMatch
|
||||||
|
SUBSTR caseIgnoreSubstringsMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
||||||
|
SINGLE-VALUE )
|
||||||
|
# The algorithm of the key. Used to be "RSA" or "DSS/DH".
|
||||||
|
olcAttributeTypes: {7}(
|
||||||
|
1.3.6.1.4.1.3401.8.2.15
|
||||||
|
NAME 'pgpKeyType'
|
||||||
|
DESC 'pgpKeyType attribute for PGP'
|
||||||
|
EQUALITY caseIgnoreMatch
|
||||||
|
SUBSTR caseIgnoreSubstringsMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
||||||
|
SINGLE-VALUE )
|
||||||
|
# The User-ID. GnuPG maps its user-ID classes this way:
|
||||||
|
# exact: (pgpUserID=%s)
|
||||||
|
# substr: (pgpUserID=*%s*)
|
||||||
|
# mail: (pgpUserID=*<%s>*)
|
||||||
|
# mailsub: (pgpUserID=*<*%s*>*)
|
||||||
|
# mailend: (pgpUserID=*<*%s>*)
|
||||||
|
olcAttributeTypes: {8}(
|
||||||
|
1.3.6.1.4.1.3401.8.2.16
|
||||||
|
NAME 'pgpUserID'
|
||||||
|
DESC 'User ID(s) associated with the key'
|
||||||
|
EQUALITY caseIgnoreMatch
|
||||||
|
SUBSTR caseIgnoreSubstringsMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
|
||||||
|
# The creation time of the primary key.
|
||||||
|
# Stored in ISO format: "20201231 120000"
|
||||||
|
olcAttributeTypes: {9}(
|
||||||
|
1.3.6.1.4.1.3401.8.2.17
|
||||||
|
NAME 'pgpKeyCreateTime'
|
||||||
|
DESC 'Primary key creation time'
|
||||||
|
EQUALITY caseIgnoreMatch
|
||||||
|
ORDERING caseIgnoreOrderingMatch
|
||||||
|
SUBSTR caseIgnoreSubstringsMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
||||||
|
SINGLE-VALUE )
|
||||||
|
# Not used
|
||||||
|
olcAttributeTypes: {10}(
|
||||||
|
1.3.6.1.4.1.3401.8.2.18
|
||||||
|
NAME 'pgpSignerID'
|
||||||
|
DESC 'pgpSignerID attribute for PGP'
|
||||||
|
EQUALITY caseIgnoreMatch
|
||||||
|
SUBSTR caseIgnoreSubstringsMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
|
||||||
|
# A value of 1 indicated that the keyblock has been revoked
|
||||||
|
olcAttributeTypes: {11}(
|
||||||
|
1.3.6.1.4.1.3401.8.2.19
|
||||||
|
NAME 'pgpRevoked'
|
||||||
|
DESC 'pgpRevoked attribute for PGP'
|
||||||
|
EQUALITY caseIgnoreMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
||||||
|
SINGLE-VALUE )
|
||||||
|
olcAttributeTypes: {12}(
|
||||||
|
1.3.6.1.4.1.3401.8.2.20
|
||||||
|
NAME 'pgpSubKeyID'
|
||||||
|
DESC 'Sub-key ID(s) of the PGP key.'
|
||||||
|
EQUALITY caseIgnoreMatch
|
||||||
|
SUBSTR caseIgnoreSubstringsMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
|
||||||
|
# A hin on the keysize.
|
||||||
|
olcAttributeTypes: {13}(
|
||||||
|
1.3.6.1.4.1.3401.8.2.21
|
||||||
|
NAME 'pgpKeySize'
|
||||||
|
DESC 'pgpKeySize attribute for PGP'
|
||||||
|
EQUALITY caseIgnoreMatch
|
||||||
|
ORDERING caseIgnoreOrderingMatch
|
||||||
|
SUBSTR caseIgnoreSubstringsMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
|
||||||
|
# Expiration time of the primary key.
|
||||||
|
# Stored in ISO format: "20201231 120000"
|
||||||
|
olcAttributeTypes: {14}(
|
||||||
|
1.3.6.1.4.1.3401.8.2.22
|
||||||
|
NAME 'pgpKeyExpireTime'
|
||||||
|
DESC 'pgpKeyExpireTime attribute for PGP'
|
||||||
|
EQUALITY caseIgnoreMatch
|
||||||
|
ORDERING caseIgnoreOrderingMatch
|
||||||
|
SUBSTR caseIgnoreSubstringsMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
||||||
|
SINGLE-VALUE )
|
||||||
|
#
|
||||||
|
# The hex encoded fingerprint of the primary key.
|
||||||
|
olcAttributeTypes: {15}(
|
||||||
|
1.3.6.1.4.1.11591.2.4.1.1
|
||||||
|
NAME 'gpgFingerprint'
|
||||||
|
DESC 'Fingerprint of the primary key'
|
||||||
|
EQUALITY caseIgnoreMatch
|
||||||
|
SUBSTR caseIgnoreSubstringsMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
||||||
|
SINGLE-VALUE )
|
||||||
|
# A list of hex encoded fingerprints of the subkeys.
|
||||||
|
olcAttributeTypes: {16}(
|
||||||
|
1.3.6.1.4.1.11591.2.4.1.2
|
||||||
|
NAME 'gpgSubFingerprint'
|
||||||
|
DESC 'Fingerprints of the secondary keys'
|
||||||
|
EQUALITY caseIgnoreMatch
|
||||||
|
SUBSTR caseIgnoreSubstringsMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
|
||||||
|
# A list of utf8 encoded addr-spec used instead of mail/rfc822Mailbox
|
||||||
|
olcAttributeTypes: {17}(
|
||||||
|
1.3.6.1.4.1.11591.2.4.1.3
|
||||||
|
NAME 'gpgMailbox'
|
||||||
|
DESC 'The utf8 encoded addr-spec of a mailbox'
|
||||||
|
EQUALITY caseIgnoreMatch
|
||||||
|
SUBSTR caseIgnoreSubstringsMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
|
||||||
|
# A list of hex encoded long keyids of all subkeys.
|
||||||
|
olcAttributeTypes: {18}(
|
||||||
|
1.3.6.1.4.1.11591.2.4.1.4
|
||||||
|
NAME 'gpgSubCertID'
|
||||||
|
DESC 'OpenPGP long subkey id'
|
||||||
|
EQUALITY caseIgnoreMatch
|
||||||
|
SUBSTR caseIgnoreSubstringsMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Used by regular LDAP servers to indicate pgp support.
|
||||||
|
#
|
||||||
|
olcObjectClasses: {0}(
|
||||||
|
1.3.6.1.4.1.3401.8.2.23
|
||||||
|
NAME 'pgpServerInfo'
|
||||||
|
DESC 'An OpenPGP public keyblock store'
|
||||||
|
SUP top
|
||||||
|
STRUCTURAL MUST ( cn $ pgpBaseKeySpaceDN )
|
||||||
|
MAY ( pgpSoftware $ pgpVersion ) )
|
||||||
|
#
|
||||||
|
# The original PGP key object extended with a few extra attributes.
|
||||||
|
# All new software should set them but this is not enforced for
|
||||||
|
# backward compatibility
|
||||||
|
olcObjectClasses: {1}(
|
||||||
|
1.3.6.1.4.1.3401.8.2.24
|
||||||
|
NAME 'pgpKeyInfo'
|
||||||
|
DESC 'An OpenPGP public keyblock'
|
||||||
|
SUP top
|
||||||
|
STRUCTURAL MUST ( pgpCertID $ pgpKey )
|
||||||
|
MAY ( pgpDisabled $ pgpKeyID $ pgpKeyType $
|
||||||
|
pgpUserID $ pgpKeyCreateTime $ pgpSignerID $
|
||||||
|
pgpRevoked $ pgpSubKeyID $ pgpKeySize $
|
||||||
|
pgpKeyExpireTime $ gpgFingerprint $
|
||||||
|
gpgSubFingerprint $ gpgSubCertID $
|
||||||
|
gpgMailbox ) )
|
||||||
|
#
|
||||||
|
# end-of-file
|
||||||
|
#
|
Loading…
x
Reference in New Issue
Block a user