LDAP KeyServer Schemas

David Shaw dshaw@jabberwocky.com
Mon Mar 31 03:58:02 2003


On Sun, Mar 30, 2003 at 11:34:28PM +0100, alan wrote:

> I now have an array of much more informed questions as (i) there is
> quite an amount of non-apparent stuff; (ii) some stuff is just plain wrong.
> 
> I am using GPG-1.2.2rc1 and OpenLDAP-2.0.21 (sorry my openldap is a bit
> old, but I'm tied to python-ldap/Zope with much of this...)
> 
> Firstly, with the previously posted schema, new context, and appropriate
> anonymous permissions, I manage to get the PGPServerInfo structure out
> of the LDAP server, and into gpgkey_ldap.
> 
> However, on the gpg --send-keys, it then fails dismally with a 'no
> objectClass' error.  I am loath to remove any schema checking from the
> LDAP server - so this is a fairly terminal error.
> 
> It seems that a banal dn of 'pgpCertid=virtual,...' is being sent with
> only a pgpKey field (unless with my tracedump, eyeballing gpgkey_ldap.c
> and slapd with max debug I've missed something...).

You haven't missed anything.  You can't make OpenLDAP, or any other
LDAP server, become a PGP LDAP keyserver.  It just doesn't work that
way, as the PGP LDAP keyserver product is actually an LDAP front end to
a PGP backend that does the actual key manipulation work.  It may
speak LDAP to the outside world, but it isn't LDAP inside.  The way
the schema is written, in fact, it simply cannot be handled with a
regular LDAP server.

There is a *different* schema, available from PGP.com, that allows you
to store keys in a regular old LDAP server.  This is not the same
schema as the PGP LDAP keyserver product.  GnuPG does not yet support
this new schema.

David