# gnupg-ldap-scheme.ldif -*- conf -*- # # Schema for an OpenPGP LDAP keyserver. This is a slightly enhanced # version of the original LDAP schema used for PGP keyservers as # installed at quite some sites. # Revision: 2020-10-07 # Note: The index 1000 is just a high number so that OpenLDAP assigns # the next available number. dn: cn={1000}gnupg-keyserver,cn=schema,cn=config objectClass: olcSchemaConfig # The base DN for the PGP key space by querying the # pgpBaseKeySpaceDN attribute (This is normally # 'ou=PGP Keys,dc=example,dc=com'). olcAttributeTypes: {0}( 1.3.6.1.4.1.3401.8.2.8 NAME 'pgpBaseKeySpaceDN' DESC 'Points to DN of the object that will store the PGP keys.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) # See gnupg-ldap-init.ldif for a description of the next two attributes olcAttributeTypes: {1}( 1.3.6.1.4.1.3401.8.2.9 NAME 'pgpSoftware' DESC 'Origin of the schema' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) olcAttributeTypes: {2}( 1.3.6.1.4.1.3401.8.2.10 NAME 'pgpVersion' DESC 'Version of this schema' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) # # The attribute holding the OpenPGP keyblock. # The legacy PGP LDAP server used pgpKeyV2 instead. olcAttributeTypes: {3}( 1.3.6.1.4.1.3401.8.2.11 NAME 'pgpKey' DESC 'OpenPGP public key block' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) # The long key-ID olcAttributeTypes: {4}( 1.3.6.1.4.1.3401.8.2.12 NAME 'pgpCertID' DESC 'OpenPGP long key id' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) # A flag to temporary disable a keyblock olcAttributeTypes: {5}( 1.3.6.1.4.1.3401.8.2.13 NAME 'pgpDisabled' DESC 'pgpDisabled attribute for PGP' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) # The short key id. This is actually not required and should thus not # be used by client software. olcAttributeTypes: {6}( 1.3.6.1.4.1.3401.8.2.14 NAME 'pgpKeyID' DESC 'OpenPGP short key id' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) # The algorithm of the key. Used to be "RSA" or "DSS/DH". olcAttributeTypes: {7}( 1.3.6.1.4.1.3401.8.2.15 NAME 'pgpKeyType' DESC 'pgpKeyType attribute for PGP' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) # The User-ID. GnuPG maps its user-ID classes this way: # exact: (pgpUserID=%s) # substr: (pgpUserID=*%s*) # mail: (pgpUserID=*<%s>*) # mailsub: (pgpUserID=*<*%s*>*) # mailend: (pgpUserID=*<*%s>*) olcAttributeTypes: {8}( 1.3.6.1.4.1.3401.8.2.16 NAME 'pgpUserID' DESC 'User ID(s) associated with the key' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) # The creation time of the primary key. # Stored in ISO format: "20201231 120000" olcAttributeTypes: {9}( 1.3.6.1.4.1.3401.8.2.17 NAME 'pgpKeyCreateTime' DESC 'Primary key creation time' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) # Not used olcAttributeTypes: {10}( 1.3.6.1.4.1.3401.8.2.18 NAME 'pgpSignerID' DESC 'pgpSignerID attribute for PGP' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) # A value of 1 indicated that the keyblock has been revoked olcAttributeTypes: {11}( 1.3.6.1.4.1.3401.8.2.19 NAME 'pgpRevoked' DESC 'pgpRevoked attribute for PGP' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) # Note that there is no short subkeyid despite that the name # is similar to the name of short keyid of the primary key. olcAttributeTypes: {12}( 1.3.6.1.4.1.3401.8.2.20 NAME 'pgpSubKeyID' DESC 'OpenPGP long Subkey ID(s) of the PGP key.' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) # A hint on the keysize. olcAttributeTypes: {13}( 1.3.6.1.4.1.3401.8.2.21 NAME 'pgpKeySize' DESC 'pgpKeySize attribute for PGP' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) # Expiration time of the primary key. # Stored in ISO format: "20201231 120000" olcAttributeTypes: {14}( 1.3.6.1.4.1.3401.8.2.22 NAME 'pgpKeyExpireTime' DESC 'pgpKeyExpireTime attribute for PGP' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) # # The hex encoded fingerprint of the primary key. olcAttributeTypes: {15}( 1.3.6.1.4.1.11591.2.4.1.1 NAME 'gpgFingerprint' DESC 'Fingerprint of the primary key' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) # A list of hex encoded fingerprints of the subkeys. olcAttributeTypes: {16}( 1.3.6.1.4.1.11591.2.4.1.2 NAME 'gpgSubFingerprint' DESC 'Fingerprints of the secondary keys' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) # A list of utf8 encoded addr-spec used instead of mail/rfc822Mailbox olcAttributeTypes: {17}( 1.3.6.1.4.1.11591.2.4.1.3 NAME 'gpgMailbox' DESC 'The utf8 encoded addr-spec of a mailbox' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) # # Note: OID 1.3.6.1.4.1.11591.2.4.1.4 is reserved # because it was used for short time during development. # # # Used by regular LDAP servers to indicate pgp support. # olcObjectClasses: {0}( 1.3.6.1.4.1.3401.8.2.23 NAME 'pgpServerInfo' DESC 'An OpenPGP public keyblock store' SUP top STRUCTURAL MUST ( cn $ pgpBaseKeySpaceDN ) MAY ( pgpSoftware $ pgpVersion ) ) # # The original PGP key object extended with a few extra attributes. # All new software should set them but this is not enforced for # backward compatibility olcObjectClasses: {1}( 1.3.6.1.4.1.3401.8.2.24 NAME 'pgpKeyInfo' DESC 'An OpenPGP public keyblock' SUP top STRUCTURAL MUST ( pgpCertID $ pgpKey ) MAY ( pgpDisabled $ pgpKeyID $ pgpKeyType $ pgpUserID $ pgpKeyCreateTime $ pgpSignerID $ pgpRevoked $ pgpSubKeyID $ pgpKeySize $ pgpKeyExpireTime $ gpgFingerprint $ gpgSubFingerprint $ gpgMailbox ) ) # # end-of-file #