OpenLDAP schema to store OpenPGP keys?

David Shaw dshaw at
Mon Feb 20 21:36:57 CET 2006

On Sat, Feb 18, 2006 at 10:11:32PM +0100, Peter Palfrader wrote:
> Walter Haidinger schrieb am Samstag, dem 18. Feber 2006:
> > Now, I'd like to setup an OpenLDAP server to store the OpenPGP keys (for
> > use with GnuPG). Please note that I already have a working OpenLDAP
> > server, so I'd only need to add schema, acls and keys, of course.
> > 
> > Btw, can GnuPG also store secret keys in the keyserver?
> > 
> > However, I was unable to find any schema definiton...
> If you get an LDAP keyserver running please document your steps
> somewhere and let us know.

Here's a rough guide for OpenLDAP:

0) Have a working OpenLDAP server running already.

1) Copy pgp-keyserver.schema wherever your schemas go.

2) Add an include line in /etc/openldap/slapd.conf for it:

 include         /etc/openldap/schema/pgp-keyserver.schema

3) Add a place to store the keys to /etc/openldap/slapd.conf:

 database    bdb
 suffix      "ou=PGP Keys,dc=DOMAIN,dc=COM"
 index       objectClass eq
 index       pgpCertID,pgpKeyID,pgpKeyType,pgpUserID,pgpKeyCreateTime sub,eq
 index       pgpSignerID,pgpSubKeyID,pgpKeySize,pgpKeyExpireTime sub,eq
 index       pgpDisabled,pgpRevoked eq
 directory   /var/lib/ldap
 access to dn="ou=PGP Keys,dc=DOMAIN,dc=COM" by * write
 rootdn          "cn=Manager,dc=DOMAIN,dc=COM"

4) Restart slapd

5) Make this file:
cat > pgp.ldif
dn: ou=PGP Keys,dc=DOMAIN,dc=COM
objectclass: organizationalUnit
ou: PGP Keys

dn: cn=PGPServerInfo,ou=PGP Keys,dc=DOMAIN,dc=COM
cn: PGPServerInfo
objectclass: pgpserverinfo
pgpSoftware: OpenLDAP
pgpVersion: 2.2.29
pgpBaseKeyspaceDN: ou=PGP Keys,dc=DOMAIN,dc=COM
6) ldapadd -x -D "cn=Manager,dc=DOMAIN,dc=COM" -W -f pgp.ldif

The configuration above obviously allows anyone to write/delete keys.
That may or may not be what you want.  Note that GPG will use TLS or
LDAPS just fine if you want to use that.


More information about the Gnupg-users mailing list