# gnupg-ldap-ad-scheme.ldif -*- conf -*- # # Schema for an OpenPGP LDAP keyserver. This is a slightly enhanced # version of the original LDAP schema used for PGP keyservers as # installed at quite some sites. # Revision: 2021-09-01 v1 # Some notes: # - Backup your AD! It is not possible to revert changes of the schema. # - Try it first on a test system. # - To import the new attributes and classes use: # ldifde -i -v -f gnupg-ldap-ad-schema.ldif # -c "DC=EXAMPLEDC" "#configurationNamingContext" # (the above command is given as one line) # - The schema does not get its own distinguished name as done with OpenLDAP. # - The first GUID we use is f406e7a5-a5ea-411e-9ddd-2e4e66899800 # and incremented for each attribute. # # - Some OIDs, oMSyntax, and original OIDs: # 2.5.5.1 (127) Object (DS-DN) (1.3.6.1.4.1.1466.115.121.1.12) # 2.5.5.3 (27) Case-sensitive string # 2.5.5.9 (2) 32 bit signed integer # 2.5.5.10 (4) Octet string (1.3.6.1.4.1.1466.115.121.1.26) # 2.5.5.11 (23) UTC-Time string # 2.5.5.12 (64) Case-insensitive Unicode string # 2.5.5.12 (64) Directory String in UTF-8 (1.3.6.1.4.1.1466.115.121.1.15) # 2.5.5.16 (65) 64 bit signed integer # The base DN for the PGP key space by querying the # pgpBaseKeySpaceDN attribute (This is normally # 'ou=GnuPG Keys,dc=example,dc=com'). dn: CN=pgpBaseKeySpaceDN,CN=Schema,DC=EXAMPLEDC changetype: ntdsSchemaAdd objectClass: attributeSchema attributeID: 1.3.6.1.4.1.3401.8.2.8 lDAPDisplayName: pgpBaseKeySpaceDN description: Points to DN of the object that will store the PGP keys. attributeSyntax: 2.5.5.1 oMSyntax: 127 isSingleValued: TRUE schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYAA== # See gnupg-ldap-init.ldif for a description of this attribute dn: CN=pgpSoftware,CN=Schema,DC=EXAMPLEDC changetype: ntdsSchemaAdd objectClass: attributeSchema attributeID: 1.3.6.1.4.1.3401.8.2.9 lDAPDisplayName: pgpSoftware description: 'Origin of the GnuPG keyserver schema' attributeSyntax: 2.5.5.12 oMSyntax: 64 isSingleValued: TRUE schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYAQ== # See gnupg-ldap-init.ldif for a description of this attribute dn: CN=pgpVersion,CN=Schema,DC=EXAMPLEDC changetype: ntdsSchemaAdd objectClass: attributeSchema attributeID: 1.3.6.1.4.1.3401.8.2.10 lDAPDisplayName: pgpVersion description: Version of this schema attributeSyntax: 2.5.5.12 oMSyntax: 64 isSingleValued: TRUE schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYAg== # The attribute holding the OpenPGP keyblock. # The legacy PGP LDAP server used pgpKeyV2 instead. dn: CN=pgpKey,CN=Schema,DC=EXAMPLEDC changetype: ntdsSchemaAdd objectClass: attributeSchema attributeID: 1.3.6.1.4.1.3401.8.2.11 lDAPDisplayName: pgpKey description: OpenPGP public key block attributeSyntax: 2.5.5.10 oMSyntax: 4 isSingleValued: TRUE schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYAw== # The long key-ID dn: CN=pgpCertID,CN=Schema,DC=EXAMPLEDC changetype: ntdsSchemaAdd objectClass: attributeSchema attributeID: 1.3.6.1.4.1.3401.8.2.12 lDAPDisplayName: pgpCertID description: OpenPGP long key id attributeSyntax: 2.5.5.12 oMSyntax: 64 isSingleValued: TRUE schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYBA== # A flag to temporary disable a keyblock dn: CN=pgpDisabled,CN=Schema,DC=EXAMPLEDC changetype: ntdsSchemaAdd objectClass: attributeSchema attributeID: 1.3.6.1.4.1.3401.8.2.13 lDAPDisplayName: pgpDisabled description: pgpDisabled attribute for PGP attributeSyntax: 2.5.5.12 oMSyntax: 64 isSingleValued: TRUE schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYBQ== # The short key id. This is actually not required and should thus not # be used by client software. dn: CN=pgpKeyID,CN=Schema,DC=EXAMPLEDC changetype: ntdsSchemaAdd objectClass: attributeSchema attributeID: 1.3.6.1.4.1.3401.8.2.14 lDAPDisplayName: pgpKeyID description: OpenPGP short key id attributeSyntax: 2.5.5.12 oMSyntax: 64 isSingleValued: TRUE schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYBg== # The algorithm of the key. Used to be "RSA" or "DSS/DH". dn: CN=pgpKeyType,CN=Schema,DC=EXAMPLEDC changetype: ntdsSchemaAdd objectClass: attributeSchema attributeID: 1.3.6.1.4.1.3401.8.2.15 lDAPDisplayName: pgpKeyType description: pgpKeyType attribute for PGP attributeSyntax: 2.5.5.12 oMSyntax: 64 isSingleValued: TRUE schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYBw== # The User-ID. GnuPG maps its user-ID classes this way: # exact: (pgpUserID=%s) # substr: (pgpUserID=*%s*) # mail: (pgpUserID=*<%s>*) # mailsub: (pgpUserID=*<*%s*>*) # mailend: (pgpUserID=*<*%s>*) dn: CN=pgpUserID,CN=Schema,DC=EXAMPLEDC changetype: ntdsSchemaAdd objectClass: attributeSchema attributeID: 1.3.6.1.4.1.3401.8.2.16 lDAPDisplayName: pgpUserID description: User ID(s) associated with the key attributeSyntax: 2.5.5.12 oMSyntax: 64 isSingleValued: FALSE schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYCA== # The creation time of the primary key. # Stored in ISO format: "20201231 120000" dn: CN=pgpKeyCreateTime,CN=Schema,DC=EXAMPLEDC changetype: ntdsSchemaAdd objectClass: attributeSchema attributeID: 1.3.6.1.4.1.3401.8.2.17 lDAPDisplayName: pgpKeyCreateTime description: Primary key creation time attributeSyntax: 2.5.5.12 oMSyntax: 64 isSingleValued: TRUE schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYCQ== # SignerIDs are not used dn: CN=pgpSignerID,CN=Schema,DC=EXAMPLEDC changetype: ntdsSchemaAdd objectClass: attributeSchema attributeID: 1.3.6.1.4.1.3401.8.2.18 lDAPDisplayName: pgpSignerID description: pgpSignerID attribute for PGP attributeSyntax: 2.5.5.12 oMSyntax: 64 isSingleValued: FALSE schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYCg== # A value of 1 indicates that the keyblock has been revoked dn: CN=pgpRevoked,CN=Schema,DC=EXAMPLEDC changetype: ntdsSchemaAdd objectClass: attributeSchema attributeID: 1.3.6.1.4.1.3401.8.2.19 lDAPDisplayName: pgpRevoked description: pgpRevoked attribute for PGP attributeSyntax: 2.5.5.12 oMSyntax: 64 isSingleValued: TRUE schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYCw== # The Subkey key ids (16 hex digits) dn: CN=pgpSubKeyID,CN=Schema,DC=EXAMPLEDC changetype: ntdsSchemaAdd objectClass: attributeSchema attributeID: 1.3.6.1.4.1.3401.8.2.20 lDAPDisplayName: pgpSubKeyID description: Sub-key ID(s) of the PGP key attributeSyntax: 2.5.5.12 oMSyntax: 64 isSingleValued: FALSE schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYDA== # A hint on the keysize. dn: CN=pgpKeySize,CN=Schema,DC=EXAMPLEDC changetype: ntdsSchemaAdd objectClass: attributeSchema attributeID: 1.3.6.1.4.1.3401.8.2.21 lDAPDisplayName: pgpKeySize description: pgpKeySize attribute for PGP attributeSyntax: 2.5.5.12 oMSyntax: 64 isSingleValued: FALSE schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYDQ== # Expiration time of the primary key. # Stored in ISO format: "20201231 120000" dn: CN=pgpKeyExpireTime,CN=Schema,DC=EXAMPLEDC changetype: ntdsSchemaAdd objectClass: attributeSchema attributeID: 1.3.6.1.4.1.3401.8.2.22 lDAPDisplayName: pgpKeyExpireTime description: pgpKeyExpireTime attribute for PGP attributeSyntax: 2.5.5.12 oMSyntax: 64 isSingleValued: TRUE schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYDg== # The hex encoded fingerprint of the primary key. dn: CN=gpgFingerprint,CN=Schema,DC=EXAMPLEDC changetype: ntdsSchemaAdd objectClass: attributeSchema attributeID: 1.3.6.1.4.1.11591.2.4.1.1 lDAPDisplayName: gpgFingerprint description: Fingerprint of the primary key attributeSyntax: 2.5.5.12 oMSyntax: 64 isSingleValued: TRUE schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYDw== # A list of hex encoded fingerprints of the subkeys. dn: CN=gpgSubFingerprint,CN=Schema,DC=EXAMPLEDC changetype: ntdsSchemaAdd objectClass: attributeSchema attributeID: 1.3.6.1.4.1.11591.2.4.1.2 lDAPDisplayName: gpgSubFingerprint description: Fingerprints of the secondary keys attributeSyntax: 2.5.5.12 oMSyntax: 64 isSingleValued: FALSE schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYEA== # A list of utf8 encoded addr-spec used instead of mail/rfc822Mailbox dn: CN=gpgMailbox,CN=Schema,DC=EXAMPLEDC changetype: ntdsSchemaAdd objectClass: attributeSchema attributeID: 1.3.6.1.4.1.11591.2.4.1.3 lDAPDisplayName: gpgMailbox description: The utf8 encoded addr-spec of a mailbox attributeSyntax: 2.5.5.12 oMSyntax: 64 isSingleValued: FALSE schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYEQ== # Unused GUIDs: # 9AbnpaXqQR6d3S5OZomYEw== # 9AbnpaXqQR6d3S5OZomYFA== # 9AbnpaXqQR6d3S5OZomYFQ== # 9AbnpaXqQR6d3S5OZomYFg== # 9AbnpaXqQR6d3S5OZomYFw== # 9AbnpaXqQR6d3S5OZomYGA== # 9AbnpaXqQR6d3S5OZomYGQ== # 9AbnpaXqQR6d3S5OZomYGg== # 9AbnpaXqQR6d3S5OZomYGw== # 9AbnpaXqQR6d3S5OZomYHA== # 9AbnpaXqQR6d3S5OZomYHQ== # 9AbnpaXqQR6d3S5OZomYHg== # 9AbnpaXqQR6d3S5OZomYHw== # Sync the schema cache DN: changetype: modify add: schemaUpdateNow schemaUpdateNow: 1 - # # Used by regular LDAP servers to indicate pgp support. # (structural class) # dn: CN=pgpServerInfo,CN=Schema,DC=EXAMPLEDC changetype: ntdsSchemaAdd objectClass: classSchema governsID: 1.3.6.1.4.1.3401.8.2.23 lDAPDisplayName: pgpServerInfo description: An OpenPGP public keyblock store subClassOf: top objectClassCategory: 1 mustContain: cn mustContain: pgpBaseKeySpaceDN mayContain: pgpSoftware mayContain: pgpVersion systemPossSuperiors: domainDNS systemPossSuperiors: container schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYIA== # The original PGP key object extended with a few extra attributes. # All new software should set them but this is not enforced for # backward compatibility of client software. # (structural class, writable) dn: CN=pgpKeyInfo,CN=Schema,DC=EXAMPLEDC changetype: ntdsSchemaAdd objectClass: classSchema governsID: 1.3.6.1.4.1.3401.8.2.24 lDAPDisplayName: pgpKeyInfo description: An OpenPGP public keyblock subClassOf: top objectClassCategory: 1 instanceType: 4 mustContain: pgpCertID mustContain: pgpKey mayContain: pgpDisabled mayContain: pgpKeyID mayContain: pgpKeyType mayContain: pgpUserID mayContain: pgpKeyCreateTime mayContain: pgpSignerID mayContain: pgpRevoked mayContain: pgpSubKeyID mayContain: pgpKeySize mayContain: pgpKeyExpireTime mayContain: gpgFingerprint mayContain: gpgSubFingerprint mayContain: gpgMailbox systemPossSuperiors: container schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYIQ== # Sync the schema cache DN: changetype: modify add: schemaUpdateNow schemaUpdateNow: 1 - # # end-of-file #