Howto setup an OpenLDAP PGP keyserver

Walter Haidinger walter.haidinger at gmx.at
Thu Feb 23 17:01:08 CET 2006 

Hi!

After all issues are finally resolved, I'm glad to post this
howto about setting up a PGP keyserver with OpenLDAP.
The inital thread that finally leads to here starts at:
http://marc.theaimsgroup.com/?l=gnupg-users&m=114028686432264&w=2

Many thanks to Peter Palfrader for providing the LDAP schema and
especially to David Shaw for providing invaluable help and adding
LDAP basic authentication to GnuPG.

Used software: OpenLDAP 2.2.27, run under SuSE 10.0
GnuPG 1.4.3rc1 (subversion revision 4020).

If you don't want to wait until 1.4.3 is officially released,
grab yourself a copy from svn:
> svn co svn://cvs.gnupg.org/gnupg/trunk

Attached is tarball with the files for OpenLDAP configuration,
to which will be refered to below. I hope this doesn't violate
the rules of this list but the attachment is very small anyways.

You should have a basic understanding about LDAP first.
If not, I'd recommend to read the OpenLDAP Admin Guide on
http://www.openldap.org, which provides excellent documentation.

Also, as an LDAP client and excellent server management tool,
I'd recommend phpLDAPadmin: http://phpldapadmin.sourceforge.net

The LDAP tree created in this example setup looks like:

  dc=EXAMPLE,dc=COM
  |
  +----cn=Manager
  +----cn=PGPServerInfo
  +----ou=PGP Keys
  |    +---pgpCertID=...
  |    +---pgpCertID=...
  +----ou=PGP Users
       +---uid=...
       +---uid=...

where dc=EXAMPLE,dc=COM is obviously the base DN.

First, install pgp-keyserver.schema from the tarball into to your
schema directory. There are two more files which are not used here,
but have been part of the schema I got from Peter, so I kept them
for completeness.

Next, install slapd.conf and edit to suit your needs.
That is, select either anonymous or user authentication.

In the provided file, anonymous writes are enabled.
However, access is restricted to writes from localhost only.
You may lift this restriction by modifying the peername.ip
statement. See slapd.access(5) for details and examples.

Think twice before opening up anonymous writes, as _any_ user
who can connect to your LDAP server can not only upload but also
delete keys.

For user authentication, comment out update_anon and the
access rule for anonymous writes. Users are stored as
DN "uid=<username>,ou=PGP Users,dc=EXAMPLE,dc=COM".

You need to create users to bind to LDAP. One sample user is
provided in ldif/pgpusers.ldif. Just copy the entry and
modify it to create more and read the file to learn
the used password.

Also, the password for the OpenLDAP manager is stored
as a hash. It is 'gpg'. Run slappasswd(8) to create a
stronger password and replace the hash in slapd.conf.

Try to start your OpenLDAP server now.
Under SuSE, I run "/etc/init.d/ldap start".

Next, populate the directory with the basic layout by
importing the example.ldif file (enter on a single line):
> cat example.ldif | ldapadd -x -W -h localhost
      -D "cn=Manager,dc=EXAMPLE,dc=COM"

When prompted for a password, enter the one you've created
above or 'gpg' if you did not.

If you selected anonymous writes, you're done configuring
your OpenLDAP PGP keyserver.

If you selected user authentication, you need to add users now:
> cat pgpusers.ldif | ldapadd -x -W -h localhost
      -D "cn=Manager,dc=EXAMPLE,dc=COM"

Finally, you can use GnuPG to add keys (always on a single line):

For anonymous write:
> gpg --keyserver ldap://localhost --send-key 12345678

For user authentication (insecure on command-line, see below):
> gpg --keyserver ldap://localhost --keyserver-options
   "binddn=\"uid=user1,ou=PGPUsers,dc=EXAMPLE,dc=COM\""
   --keyserver-options bindpw=user1 --send-keys 12345678

To receive keys, simply do:
> gpg --keyserver ldap://localhost --recv-keys 12345678

Further notes:
* GnuPG looks for PGPServerInfo under the base DN.
  If you decide to put it somewhere else, use keyserver-option
  basedn to specify the new location, e.g.:
  keyserver-options "basedn=\"cn=PGPServerInfo,ou=PGP Info,dc=MYDOM\""

* Beware of shell quoting, like above which is the correct format
  if you  have spaces in your DN and specify the keyserver option
  on the command line.

* GnuPG can use TLS/SSL. For SSL, use ldaps:// and for tls the
  keyserver-options tls. It takes 'no','try','warn' or 'require'
  as an argument, e.g.:
  keyserver-options tls=require

* Put other keyserver options into ~/.gnupg/gpg.conf, e.g.:

  keyserver ldap://localhost
  keyserver-options binddn="uid=test1,ou=PGP Keys,dc=EXAMPLE,dc=COM"
  keyserver-options bindpw=verysecret
  keyserver-options tls=try
  keyserver-options verbose

  Then the following will just work:
  > gpg --send-keys 12345678
  or
  > gpg --recv-keys 12345678

* As it is INSECURE to specify your bind password on the command
  line, you should put it to your ~/.gnupg/gpg.conf and protect
  this file with 0600 permissions.

Well, that's it for now. I hope this howto is helpful and somewhat
complete! Good luck setting up your PGP keyserver with OpenLDAP.

I'd be glad if someone could verify the steps so that there are no
glitches. Comments, notes, questions or else are appreciated.

Last but not least a final request: Please add a CC: to my email
address too if you reply to this list. Thanks.

Regards, Walter

-- 
Walter Haidinger <walter.haidinger at gmx.at>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openldap_pgp_keyserver.tar.gz
Type: application/x-gzip
Size: 4220 bytes
Desc: not available
Url : /pipermail/attachments/20060223/76391f9b/openldap_pgp_keyserver.tar.bin

More information about the Gnupg-users mailing list