diff --git a/web/misc/gnupg-ldap-ad-init-v1.ldif b/web/misc/gnupg-ldap-ad-init-v1.ldif new file mode 100644 index 0000000..a4f523e --- /dev/null +++ b/web/misc/gnupg-ldap-ad-init-v1.ldif @@ -0,0 +1,17 @@ +# gnupg-ldap-ad-init.ldif -*- conf -*- +# +# Entries connecting the schema specified in gnupg-ldap-ad-schema.ldif. +# Revision: 2021-09-01 v1 + +dn: cn=GnuPG Keys,DC=EXAMPLEDC +changetype: add +objectClass: container +cn: GnuPG Keys + +dn: cn=PGPServerInfo,DC=EXAMPLEDC +changetype: add +objectClass: pgpServerInfo +cn: PGPServerInfo +pgpBaseKeySpaceDN: cn=GnuPG Keys,DC=EXAMPLEDC +pgpSoftware: GnuPG +pgpVersion: 2 ntds diff --git a/web/misc/gnupg-ldap-ad-schema-v1.ldif b/web/misc/gnupg-ldap-ad-schema-v1.ldif new file mode 100644 index 0000000..cf07744 --- /dev/null +++ b/web/misc/gnupg-ldap-ad-schema-v1.ldif @@ -0,0 +1,343 @@ +# gnupg-ldap-ad-scheme.ldif -*- conf -*- +# +# Schema for an OpenPGP LDAP keyserver. This is a slighly enhanced +# version of the original LDAP schema used for PGP keyservers as +# installed at quite some sites. +# Revision: 2021-09-01 v1 + +# Some notes: +# - Backup your AD! It is not possible to revert changes of the schema. +# - Try it first on a test system. +# - To import the new attributes and classes use: +# ldifde -i -v -f gnupg-ldap-ad-schema.ldif +# -c "DC=EXAMPLEDC" "#configurationNamingContext" +# (the above command is given as one line) +# - The schema does not get its own distingished name as done with OpenLDAP. +# - The first GUID we use is f406e7a5-a5ea-411e-9ddd-2e4e66899800 +# and incremented for each attribute. +# +# - Some OIDs, oMSyntax, and original OIDs: +# 2.5.5.1 (127) Object (DS-DN) (1.3.6.1.4.1.1466.115.121.1.12) +# 2.5.5.3 (27) Case-sensitive string +# 2.5.5.9 (2) 32 bit signed integer +# 2.5.5.10 (4) Octet string (1.3.6.1.4.1.1466.115.121.1.26) +# 2.5.5.11 (23) UTC-Time string +# 2.5.5.12 (64) Case-insensitive Unicode string +# 2.5.5.12 (64) Directory String in UTF-8 (1.3.6.1.4.1.1466.115.121.1.15) +# 2.5.5.16 (65) 64 bit signed integer + +# The base DN for the PGP key space by querying the +# pgpBaseKeySpaceDN attribute (This is normally +# 'ou=GnuPG Keys,dc=example,dc=com'). +dn: CN=pgpBaseKeySpaceDN,CN=Schema,DC=EXAMPLEDC +changetype: ntdsSchemaAdd +objectClass: attributeSchema +attributeID: 1.3.6.1.4.1.3401.8.2.8 +lDAPDisplayName: pgpBaseKeySpaceDN +description: Points to DN of the object that will store the PGP keys. +attributeSyntax: 2.5.5.1 +oMSyntax: 127 +isSingleValued: TRUE +schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYAA== + +# See gnupg-ldap-init.ldif for a description of this attribute +dn: CN=pgpSoftware,CN=Schema,DC=EXAMPLEDC +changetype: ntdsSchemaAdd +objectClass: attributeSchema +attributeID: 1.3.6.1.4.1.3401.8.2.9 +lDAPDisplayName: pgpSoftware +description: 'Origin of the GnuPG keyserver schema' +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: TRUE +schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYAQ== + +# See gnupg-ldap-init.ldif for a description of this attribute +dn: CN=pgpVersion,CN=Schema,DC=EXAMPLEDC +changetype: ntdsSchemaAdd +objectClass: attributeSchema +attributeID: 1.3.6.1.4.1.3401.8.2.10 +lDAPDisplayName: pgpVersion +description: Version of this schema +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: TRUE +schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYAg== + + +# The attribute holding the OpenPGP keyblock. +# The legacy PGP LDAP server used pgpKeyV2 instead. +dn: CN=pgpKey,CN=Schema,DC=EXAMPLEDC +changetype: ntdsSchemaAdd +objectClass: attributeSchema +attributeID: 1.3.6.1.4.1.3401.8.2.11 +lDAPDisplayName: pgpKey +description: OpenPGP public key block +attributeSyntax: 2.5.5.10 +oMSyntax: 4 +isSingleValued: TRUE +schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYAw== + +# The long key-ID +dn: CN=pgpCertID,CN=Schema,DC=EXAMPLEDC +changetype: ntdsSchemaAdd +objectClass: attributeSchema +attributeID: 1.3.6.1.4.1.3401.8.2.12 +lDAPDisplayName: pgpCertID +description: OpenPGP long key id +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: TRUE +schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYBA== + +# A flag to temporary disable a keyblock +dn: CN=pgpDisabled,CN=Schema,DC=EXAMPLEDC +changetype: ntdsSchemaAdd +objectClass: attributeSchema +attributeID: 1.3.6.1.4.1.3401.8.2.13 +lDAPDisplayName: pgpDisabled +description: pgpDisabled attribute for PGP +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: TRUE +schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYBQ== + +# The short key id. This is actually not required and should thus not +# be used by client software. +dn: CN=pgpKeyID,CN=Schema,DC=EXAMPLEDC +changetype: ntdsSchemaAdd +objectClass: attributeSchema +attributeID: 1.3.6.1.4.1.3401.8.2.14 +lDAPDisplayName: pgpKeyID +description: OpenPGP short key id +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: TRUE +schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYBg== + +# The algorithm of the key. Used to be "RSA" or "DSS/DH". +dn: CN=pgpKeyType,CN=Schema,DC=EXAMPLEDC +changetype: ntdsSchemaAdd +objectClass: attributeSchema +attributeID: 1.3.6.1.4.1.3401.8.2.15 +lDAPDisplayName: pgpKeyType +description: pgpKeyType attribute for PGP +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: TRUE +schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYBw== + +# The User-ID. GnuPG maps its user-ID classes this way: +# exact: (pgpUserID=%s) +# substr: (pgpUserID=*%s*) +# mail: (pgpUserID=*<%s>*) +# mailsub: (pgpUserID=*<*%s*>*) +# mailend: (pgpUserID=*<*%s>*) +dn: CN=pgpUserID,CN=Schema,DC=EXAMPLEDC +changetype: ntdsSchemaAdd +objectClass: attributeSchema +attributeID: 1.3.6.1.4.1.3401.8.2.16 +lDAPDisplayName: pgpUserID +description: User ID(s) associated with the key +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: FALSE +schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYCA== + +# The creation time of the primary key. +# Stored in ISO format: "20201231 120000" +dn: CN=pgpKeyCreateTime,CN=Schema,DC=EXAMPLEDC +changetype: ntdsSchemaAdd +objectClass: attributeSchema +attributeID: 1.3.6.1.4.1.3401.8.2.17 +lDAPDisplayName: pgpKeyCreateTime +description: Primary key creation time +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: TRUE +schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYCQ== + +# SignerIDs are not used +dn: CN=pgpSignerID,CN=Schema,DC=EXAMPLEDC +changetype: ntdsSchemaAdd +objectClass: attributeSchema +attributeID: 1.3.6.1.4.1.3401.8.2.18 +lDAPDisplayName: pgpSignerID +description: pgpSignerID attribute for PGP +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: FALSE +schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYCg== + +# A value of 1 indicates that the keyblock has been revoked +dn: CN=pgpRevoked,CN=Schema,DC=EXAMPLEDC +changetype: ntdsSchemaAdd +objectClass: attributeSchema +attributeID: 1.3.6.1.4.1.3401.8.2.19 +lDAPDisplayName: pgpRevoked +description: pgpRevoked attribute for PGP +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: TRUE +schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYCw== + +# The Subkey key ids (16 hex digits) +dn: CN=pgpSubKeyID,CN=Schema,DC=EXAMPLEDC +changetype: ntdsSchemaAdd +objectClass: attributeSchema +attributeID: 1.3.6.1.4.1.3401.8.2.20 +lDAPDisplayName: pgpSubKeyID +description: Sub-key ID(s) of the PGP key +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: FALSE +schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYDA== + +# A hint on the keysize. +dn: CN=pgpKeySize,CN=Schema,DC=EXAMPLEDC +changetype: ntdsSchemaAdd +objectClass: attributeSchema +attributeID: 1.3.6.1.4.1.3401.8.2.21 +lDAPDisplayName: pgpKeySize +description: pgpKeySize attribute for PGP +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: FALSE +schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYDQ== + +# Expiration time of the primary key. +# Stored in ISO format: "20201231 120000" +dn: CN=pgpKeyExpireTime,CN=Schema,DC=EXAMPLEDC +changetype: ntdsSchemaAdd +objectClass: attributeSchema +attributeID: 1.3.6.1.4.1.3401.8.2.22 +lDAPDisplayName: pgpKeyExpireTime +description: pgpKeyExpireTime attribute for PGP +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: TRUE +schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYDg== + +# The hex encoded fingerprint of the primary key. +dn: CN=gpgFingerprint,CN=Schema,DC=EXAMPLEDC +changetype: ntdsSchemaAdd +objectClass: attributeSchema +attributeID: 1.3.6.1.4.1.11591.2.4.1.1 +lDAPDisplayName: gpgFingerprint +description: Fingerprint of the primary key +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: TRUE +schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYDw== + +# A list of hex encoded fingerprints of the subkeys. +dn: CN=gpgSubFingerprint,CN=Schema,DC=EXAMPLEDC +changetype: ntdsSchemaAdd +objectClass: attributeSchema +attributeID: 1.3.6.1.4.1.11591.2.4.1.2 +lDAPDisplayName: gpgSubFingerprint +description: Fingerprints of the secondary keys +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: FALSE +schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYEA== + +# A list of utf8 encoded addr-spec used instead of mail/rfc822Mailbox +dn: CN=gpgMailbox,CN=Schema,DC=EXAMPLEDC +changetype: ntdsSchemaAdd +objectClass: attributeSchema +attributeID: 1.3.6.1.4.1.11591.2.4.1.3 +lDAPDisplayName: gpgMailbox +description: The utf8 encoded addr-spec of a mailbox +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: FALSE +schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYEQ== + +# Unused GUIDs: +# 9AbnpaXqQR6d3S5OZomYEw== +# 9AbnpaXqQR6d3S5OZomYFA== +# 9AbnpaXqQR6d3S5OZomYFQ== +# 9AbnpaXqQR6d3S5OZomYFg== +# 9AbnpaXqQR6d3S5OZomYFw== +# 9AbnpaXqQR6d3S5OZomYGA== +# 9AbnpaXqQR6d3S5OZomYGQ== +# 9AbnpaXqQR6d3S5OZomYGg== +# 9AbnpaXqQR6d3S5OZomYGw== +# 9AbnpaXqQR6d3S5OZomYHA== +# 9AbnpaXqQR6d3S5OZomYHQ== +# 9AbnpaXqQR6d3S5OZomYHg== +# 9AbnpaXqQR6d3S5OZomYHw== + + +# Sync the schema cache +DN: +changetype: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- + + +# +# Used by regular LDAP servers to indicate pgp support. +# (structural class) +# +dn: CN=pgpServerInfo,CN=Schema,DC=EXAMPLEDC +changetype: ntdsSchemaAdd +objectClass: classSchema +governsID: 1.3.6.1.4.1.3401.8.2.23 +lDAPDisplayName: pgpServerInfo +description: An OpenPGP public keyblock store +subClassOf: top +objectClassCategory: 1 +mustContain: cn +mustContain: pgpBaseKeySpaceDN +mayContain: pgpSoftware +mayContain: pgpVersion +systemPossSuperiors: domainDNS +systemPossSuperiors: container +schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYIA== + +# The original PGP key object extended with a few extra attributes. +# All new software should set them but this is not enforced for +# backward compatibility of client software. +# (structural class, writable) +dn: CN=pgpKeyInfo,CN=Schema,DC=EXAMPLEDC +changetype: ntdsSchemaAdd +objectClass: classSchema +governsID: 1.3.6.1.4.1.3401.8.2.24 +lDAPDisplayName: pgpKeyInfo +description: An OpenPGP public keyblock +subClassOf: top +objectClassCategory: 1 +instanceType: 4 +mustContain: pgpCertID +mustContain: pgpKey +mayContain: pgpDisabled +mayContain: pgpKeyID +mayContain: pgpKeyType +mayContain: pgpUserID +mayContain: pgpKeyCreateTime +mayContain: pgpSignerID +mayContain: pgpRevoked +mayContain: pgpSubKeyID +mayContain: pgpKeySize +mayContain: pgpKeyExpireTime +mayContain: gpgFingerprint +mayContain: gpgSubFingerprint +mayContain: gpgMailbox +systemPossSuperiors: container +schemaIDGUID:: 9AbnpaXqQR6d3S5OZomYIQ== + + +# Sync the schema cache +DN: +changetype: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- + + +# +# end-of-file +#