# gnupg-ldap-scheme.ldif                                 -*- conf -*-
#
# Schema for an OpenPGP LDAP keyserver.  This is a slightly enhanced
# version of the original LDAP schema used for PGP keyservers, as
# installed at quite a few sites.
# Revision: 2020-10-07

# Note: The index 1000 is just a high number so that OpenLDAP assigns
# the next available number.
dn: cn={1000}gnupg-keyserver,cn=schema,cn=config
objectClass: olcSchemaConfig
# Clients find the base DN of the PGP key space by querying the
#  pgpBaseKeySpaceDN attribute (this is normally
#  'ou=PGP Keys,dc=example,dc=com').
olcAttributeTypes: {0}(
    1.3.6.1.4.1.3401.8.2.8
    NAME 'pgpBaseKeySpaceDN'
    DESC 'Points to DN of the object that will store the PGP keys.'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    SINGLE-VALUE )
# See gnupg-ldap-init.ldif for a description of the next two attributes
olcAttributeTypes: {1}(
    1.3.6.1.4.1.3401.8.2.9
    NAME 'pgpSoftware'
    DESC 'Origin of the schema'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
olcAttributeTypes: {2}(
    1.3.6.1.4.1.3401.8.2.10
    NAME 'pgpVersion'
    DESC 'Version of this schema'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
#
# The attribute holding the OpenPGP keyblock.
# The legacy PGP LDAP server used pgpKeyV2 instead.
olcAttributeTypes: {3}(
    1.3.6.1.4.1.3401.8.2.11
    NAME 'pgpKey'
    DESC 'OpenPGP public key block'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE )
# The long key-ID
olcAttributeTypes: {4}(
    1.3.6.1.4.1.3401.8.2.12
    NAME 'pgpCertID'
    DESC 'OpenPGP long key id'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
# A flag to temporarily disable a keyblock.
olcAttributeTypes: {5}(
    1.3.6.1.4.1.3401.8.2.13
    NAME 'pgpDisabled'
    DESC 'pgpDisabled attribute for PGP'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
# The short key id.  This attribute is not required to be present and
# should thus not be used by client software.
olcAttributeTypes: {6}(
    1.3.6.1.4.1.3401.8.2.14
    NAME 'pgpKeyID'
    DESC 'OpenPGP short key id'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
# The algorithm of the key.  Used to be "RSA" or "DSS/DH".
olcAttributeTypes: {7}(
    1.3.6.1.4.1.3401.8.2.15
    NAME 'pgpKeyType'
    DESC 'pgpKeyType attribute for PGP'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
# The User-ID.  GnuPG maps its user-ID classes this way:
#     exact:   (pgpUserID=%s)
#     substr:  (pgpUserID=*%s*)
#     mail:    (pgpUserID=*<%s>*)
#     mailsub: (pgpUserID=*<*%s*>*)
#     mailend: (pgpUserID=*<*%s>*)
olcAttributeTypes: {8}(
    1.3.6.1.4.1.3401.8.2.16
    NAME 'pgpUserID'
    DESC 'User ID(s) associated with the key'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
# The creation time of the primary key.
# Stored in ISO format: "20201231 120000"
olcAttributeTypes: {9}(
    1.3.6.1.4.1.3401.8.2.17
    NAME 'pgpKeyCreateTime'
    DESC 'Primary key creation time'
    EQUALITY caseIgnoreMatch
    ORDERING caseIgnoreOrderingMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
# Not used
olcAttributeTypes: {10}(
    1.3.6.1.4.1.3401.8.2.18
    NAME 'pgpSignerID'
    DESC 'pgpSignerID attribute for PGP'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
# A value of 1 indicates that the keyblock has been revoked.
olcAttributeTypes: {11}(
    1.3.6.1.4.1.3401.8.2.19
    NAME 'pgpRevoked'
    DESC 'pgpRevoked attribute for PGP'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
# Note that this holds long subkey IDs only; there is no short subkey ID,
# even though the name resembles that of the short key ID of the primary key.
olcAttributeTypes: {12}(
    1.3.6.1.4.1.3401.8.2.20
    NAME 'pgpSubKeyID'
    DESC 'OpenPGP long Subkey ID(s) of the PGP key.'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
# A hint on the keysize.
olcAttributeTypes: {13}(
    1.3.6.1.4.1.3401.8.2.21
    NAME 'pgpKeySize'
    DESC 'pgpKeySize attribute for PGP'
    EQUALITY caseIgnoreMatch
    ORDERING caseIgnoreOrderingMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
# Expiration time of the primary key.
# Stored in ISO format: "20201231 120000"
olcAttributeTypes: {14}(
    1.3.6.1.4.1.3401.8.2.22
    NAME 'pgpKeyExpireTime'
    DESC 'pgpKeyExpireTime attribute for PGP'
    EQUALITY caseIgnoreMatch
    ORDERING caseIgnoreOrderingMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
#
# The hex encoded fingerprint of the primary key.
olcAttributeTypes: {15}(
    1.3.6.1.4.1.11591.2.4.1.1
    NAME 'gpgFingerprint'
    DESC 'Fingerprint of the primary key'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
# A list of hex encoded fingerprints of the subkeys.
olcAttributeTypes: {16}(
    1.3.6.1.4.1.11591.2.4.1.2
    NAME 'gpgSubFingerprint'
    DESC 'Fingerprints of the secondary keys'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
# A list of UTF-8 encoded addr-specs, used instead of mail/rfc822Mailbox.
olcAttributeTypes: {17}(
    1.3.6.1.4.1.11591.2.4.1.3
    NAME 'gpgMailbox'
    DESC 'The utf8 encoded addr-spec of a mailbox'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#
# Note: OID 1.3.6.1.4.1.11591.2.4.1.4 is reserved
# because it was used for a short time during development.
#
#
# Used by regular LDAP servers to indicate pgp support.
#
olcObjectClasses: {0}(
    1.3.6.1.4.1.3401.8.2.23
    NAME 'pgpServerInfo'
    DESC 'An OpenPGP public keyblock store'
    SUP top
    STRUCTURAL MUST ( cn $ pgpBaseKeySpaceDN )
                MAY ( pgpSoftware $ pgpVersion ) )
#
# The original PGP key object class extended with a few extra attributes.
# All new software should set them, but this is not enforced, for
# backward compatibility.
olcObjectClasses: {1}(
    1.3.6.1.4.1.3401.8.2.24
    NAME 'pgpKeyInfo'
    DESC 'An OpenPGP public keyblock'
    SUP top
    STRUCTURAL MUST ( pgpCertID $ pgpKey )
                MAY ( pgpDisabled $ pgpKeyID $ pgpKeyType $
                      pgpUserID $ pgpKeyCreateTime $ pgpSignerID $
                      pgpRevoked $ pgpSubKeyID $ pgpKeySize $
                      pgpKeyExpireTime $ gpgFingerprint $
                      gpgSubFingerprint $ gpgMailbox ) )
#
# end-of-file
#