diff --git a/web/misc/gnupg-ldap-init.ldif b/web/misc/gnupg-ldap-init.ldif
new file mode 100644
index 0000000..f184f9e
--- /dev/null
+++ b/web/misc/gnupg-ldap-init.ldif
@@ -0,0 +1,27 @@
+# gnupg-ldap-init.ldif -*- conf -*-
+#
+# Entries connecting the schema specified in gnupg-ldap-schema.ldif.
+# Revision: 2020-10-07
+
+dn: cn=PGPServerInfo,dc=example,dc=com
+objectClass: pgpServerInfo
+cn: PGPServerInfo
+# Note that we suggest the use of ou=GnuPG keys instead of the often
+# used PGP Keys. This makes it easy to spot this is a new schema.
+pgpBaseKeySpaceDN: ou=GnuPG Keys,dc=example,dc=com
+# Using the value GnuPG here indicates that pgpVersion below has a
+# well-defined meaning.
+pgpSoftware: GnuPG
+# Currently used values:
+# 1 :: Classic PGP schema
+# 2 :: The attributes gpgFingerprint, gpgSubFingerprint,
+# gpgSubCertID, and gpgMailbox are part of the schema.
+pgpVersion: 2
+
+dn: ou=GnuPG Keys,dc=example,dc=com
+objectClass: organizationalUnit
+ou: GnuPG Keys
+
+dn: ou=GnuPG Users,dc=example,dc=com
+objectclass: organizationalUnit
+ou: GnuPG Users
diff --git a/web/misc/gnupg-ldap-schema.ldif b/web/misc/gnupg-ldap-schema.ldif
new file mode 100644
index 0000000..02d04fa
--- /dev/null
+++ b/web/misc/gnupg-ldap-schema.ldif
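Review bot: The last entry of gnupg-ldap-init.ldif writes `objectclass: organizationalUnit` in lower case while the two entries above use `objectClass`; attribute names are case-insensitive in LDAP so it loads either way, but it reads like a typo and should become `objectClass: organizationalUnit` for consistency. Nothing in this file defines access control for `ou=GnuPG Keys,dc=example,dc=com` or `ou=GnuPG Users,dc=example,dc=com`, so any identity with write access to that subtree can publish or alter keyblocks; a comment such as `# Access control (olcAccess) for the key space is site policy and must be configured separately.` above the first `dn:` would stop operators from treating this file as a complete setup. The `dc=example,dc=com` suffix is a placeholder that has to be adapted to the deploying directory, which the same comment could state. The schema file does not reference `ou=GnuPG Users`, so a one-line comment on what that subtree is meant to hold (presumably bind identities for key submitters, to be confirmed) would help.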
@@ -0,0 +1,209 @@
+# gnupg-ldap-scheme.ldif -*- conf -*-
+#
+# Schema for an OpenPGP LDAP keyserver. This is a slighly enhanced
+# version of the original LDAP schema used for PGP keyservers as
+# installed at quite some sites.
+# Revision: 2020-10-07
+
+# Note: The index 1000 is just a high number so that OpenLDAP assigns
+# the next available number.
+dn: cn={1000}gnupg-keyserver,cn=schema,cn=config
+objectClass: olcSchemaConfig
+# The base DN for the PGP key space by querying the
+# pgpBaseKeySpaceDN attribute (This is normally
+# 'ou=PGP Keys,dc=example,dc=com').
+olcAttributeTypes: {0}(
+ 1.3.6.1.4.1.3401.8.2.8
+ NAME 'pgpBaseKeySpaceDN'
+ DESC 'Points to DN of the object that will store the PGP keys.'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
+ SINGLE-VALUE )
+# See gnupg-ldap-init.ldif for a description of the next two attributes
+olcAttributeTypes: {1}(
+ 1.3.6.1.4.1.3401.8.2.9
+ NAME 'pgpSoftware'
+ DESC 'Origin of the schema'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+olcAttributeTypes: {2}(
+ 1.3.6.1.4.1.3401.8.2.10
+ NAME 'pgpVersion'
+ DESC 'Version of this schema'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+#
+# The attribute holding the OpenPGP keyblock.
+# The legacy PGP LDAP server used pgpKeyV2 instead.
+olcAttributeTypes: {3}(
+ 1.3.6.1.4.1.3401.8.2.11
+ NAME 'pgpKey'
+ DESC 'OpenPGP public key block'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE )
+# The long key-ID
+olcAttributeTypes: {4}(
+ 1.3.6.1.4.1.3401.8.2.12
+ NAME 'pgpCertID'
+ DESC 'OpenPGP long key id'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+# A flag to temporary disable a keyblock
+olcAttributeTypes: {5}(
+ 1.3.6.1.4.1.3401.8.2.13
+ NAME 'pgpDisabled'
+ DESC 'pgpDisabled attribute for PGP'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+# The short key id. This is actually not required and should thus not
+# be used by cleint software.
+olcAttributeTypes: {6}(
+ 1.3.6.1.4.1.3401.8.2.14
+ NAME 'pgpKeyID'
+ DESC 'OpenPGP short key id'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+# The algorithm of the key. Used to be "RSA" or "DSS/DH".
+olcAttributeTypes: {7}(
+ 1.3.6.1.4.1.3401.8.2.15
+ NAME 'pgpKeyType'
+ DESC 'pgpKeyType attribute for PGP'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+# The User-ID. GnuPG maps its user-ID classes this way:
+# exact: (pgpUserID=%s)
+# substr: (pgpUserID=*%s*)
+# mail: (pgpUserID=*<%s>*)
+# mailsub: (pgpUserID=*<*%s*>*)
+# mailend: (pgpUserID=*<*%s>*)
+olcAttributeTypes: {8}(
+ 1.3.6.1.4.1.3401.8.2.16
+ NAME 'pgpUserID'
+ DESC 'User ID(s) associated with the key'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+# The creation time of the primary key.
+# Stored in ISO format: "20201231 120000"
+olcAttributeTypes: {9}(
+ 1.3.6.1.4.1.3401.8.2.17
+ NAME 'pgpKeyCreateTime'
+ DESC 'Primary key creation time'
+ EQUALITY caseIgnoreMatch
+ ORDERING caseIgnoreOrderingMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+# Not used
+olcAttributeTypes: {10}(
+ 1.3.6.1.4.1.3401.8.2.18
+ NAME 'pgpSignerID'
+ DESC 'pgpSignerID attribute for PGP'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+# A value of 1 indicated that the keyblock has been revoked
+olcAttributeTypes: {11}(
+ 1.3.6.1.4.1.3401.8.2.19
+ NAME 'pgpRevoked'
+ DESC 'pgpRevoked attribute for PGP'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+olcAttributeTypes: {12}(
+ 1.3.6.1.4.1.3401.8.2.20
+ NAME 'pgpSubKeyID'
+ DESC 'Sub-key ID(s) of the PGP key.'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+# A hin on the keysize.
+olcAttributeTypes: {13}(
+ 1.3.6.1.4.1.3401.8.2.21
+ NAME 'pgpKeySize'
+ DESC 'pgpKeySize attribute for PGP'
+ EQUALITY caseIgnoreMatch
+ ORDERING caseIgnoreOrderingMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+# Expiration time of the primary key.
+# Stored in ISO format: "20201231 120000"
+olcAttributeTypes: {14}(
+ 1.3.6.1.4.1.3401.8.2.22
+ NAME 'pgpKeyExpireTime'
+ DESC 'pgpKeyExpireTime attribute for PGP'
+ EQUALITY caseIgnoreMatch
+ ORDERING caseIgnoreOrderingMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+#
+# The hex encoded fingerprint of the primary key.
+olcAttributeTypes: {15}(
+ 1.3.6.1.4.1.11591.2.4.1.1
+ NAME 'gpgFingerprint'
+ DESC 'Fingerprint of the primary key'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+# A list of hex encoded fingerprints of the subkeys.
+olcAttributeTypes: {16}(
+ 1.3.6.1.4.1.11591.2.4.1.2
+ NAME 'gpgSubFingerprint'
+ DESC 'Fingerprints of the secondary keys'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+# A list of utf8 encoded addr-spec used instead of mail/rfc822Mailbox
+olcAttributeTypes: {17}(
+ 1.3.6.1.4.1.11591.2.4.1.3
+ NAME 'gpgMailbox'
+ DESC 'The utf8 encoded addr-spec of a mailbox'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+# A list of hex encoded long keyids of all subkeys.
+olcAttributeTypes: {18}(
+ 1.3.6.1.4.1.11591.2.4.1.4
+ NAME 'gpgSubCertID'
+ DESC 'OpenPGP long subkey id'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+#
+#
+# Used by regular LDAP servers to indicate pgp support.
+#
+olcObjectClasses: {0}(
+ 1.3.6.1.4.1.3401.8.2.23
+ NAME 'pgpServerInfo'
+ DESC 'An OpenPGP public keyblock store'
+ SUP top
+ STRUCTURAL MUST ( cn $ pgpBaseKeySpaceDN )
+ MAY ( pgpSoftware $ pgpVersion ) )
+#
+# The original PGP key object extended with a few extra attributes.
+# All new software should set them but this is not enforced for
+# backward compatibility
+olcObjectClasses: {1}(
+ 1.3.6.1.4.1.3401.8.2.24
+ NAME 'pgpKeyInfo'
+ DESC 'An OpenPGP public keyblock'
+ SUP top
+ STRUCTURAL MUST ( pgpCertID $ pgpKey )
+ MAY ( pgpDisabled $ pgpKeyID $ pgpKeyType $
+ pgpUserID $ pgpKeyCreateTime $ pgpSignerID $
+ pgpRevoked $ pgpSubKeyID $ pgpKeySize $
+ pgpKeyExpireTime $ gpgFingerprint $
+ gpgSubFingerprint $ gpgSubCertID $
+ gpgMailbox ) )
+#
+# end-of-file
+#
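Review bot: `pgpDisabled` ({5}) and `pgpRevoked` ({11}) are the flags a client uses to decide whether a served keyblock is still usable, yet both are free-form Directory Strings with placeholder descriptions (`DESC 'pgpDisabled attribute for PGP'`, `DESC 'pgpRevoked attribute for PGP'`) and the only statement of their contract is a file comment ("A value of 1 indicated that the keyblock has been revoked") that is not carried into cn=config; the DESC should spell it out, e.g. `DESC 'Set to 1 to temporarily disable the keyblock'` and `DESC 'Set to 1 if the keyblock has been revoked'`. The same placeholder wording is used for `pgpKeyType`, `pgpSignerID`, `pgpKeySize` and `pgpKeyExpireTime`, where the comments already contain the real description. The comment above `pgpBaseKeySpaceDN` says the value is normally `'ou=PGP Keys,dc=example,dc=com'`, which contradicts gnupg-ldap-init.ldif in the same commit that sets it to `ou=GnuPG Keys,dc=example,dc=com` and explicitly recommends that name. Minor: the header names the file `gnupg-ldap-scheme.ldif` although the path is `gnupg-ldap-schema.ldif`, and the comments have typos (`slighly`, `cleint`, `temporary disable`, `A hin on the keysize`, `indicated`).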