OpenLDAP schema to store OpenPGP keys?

Walter Haidinger walter.haidinger at
Mon Feb 20 23:14:33 CET 2006

On Mon, 20 Feb 2006, David Shaw wrote:

> Here's a rough guide for OpenLDAP:

Thanks, no problem following the guide.

> The configuration above obviously allows anyone to write/delete keys.

I'll add appropriate access rules once key import/export works.
However, I'm having trouble with authentication (see below), even though
I've removed all restrictions (allow * by * write).

> Note that GPG will use TLS or LDAPS just fine if you want to use that.

TLS too? How to tell GnuPG to use TLS over port 389 (ldap://)?

When I try to import my first key, I get the following:

> gpg --keyserver "ldap://ldap.private" --keyserver-options verbose \
      --keyserver-options verbose --send-keys 5802B67C
gpg: sending key 5802B67C to ldap server ldap.private
Host:           ldap.private
Command:        SEND
Server:         OpenLDAP slapd
Version:        2.2.27
gpgkeys: error adding key 5802B67C to keyserver: Strong(er) authentication required
gpg: keyserver internal error
gpg: keyserver send failed: keyserver error

slapd logs to syslog (loglevel=448):
: => access_allowed: read access granted by write(=wrscx)
: => access_allowed: read access to "cn=PGPServerInfo,dc=private" "pgpBaseKeySpaceDN" requested
: => acl_get: [1] attr pgpBaseKeySpaceDN
: access_allowed: no res from state (pgpBaseKeySpaceDN)
: => acl_mask: access to entry "cn=PGPServerInfo,dc=private", attr "pgpBaseKeySpaceDN" requested
: => acl_mask: to value by "", (=n)
: <= check a_dn_pat: *
: <= acl_mask: [1] applying write(=wrscx) (stop)
: <= acl_mask: [1] mask: write(=wrscx)
: => access_allowed: read access granted by write(=wrscx)
: conn=1 op=1 ENTRY dn="cn=PGPServerInfo,dc=private"
: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
: conn=1 op=2 MOD dn="pgpCertID=B18138775802B67C,ou=PGP Keys,dc=private"
: conn=1 op=2 MOD attr=pgpDisabled pgpKeyID pgpKeyType pgpUserID pgpKeyCreateTime pgpSignerID pgpRevoked pgpSubKeyID pgpKeySize pgpKeyExpireTime pgpCertID pgpCertID pgpKeyID pgpKeyType pgpKeySize pgpKeyCreateTime pgpDisabled pgpRevoked pgpUserID pgpSignerID pgpSubKeyID objectClass pgpKey
: conn=1 op=2 RESULT tag=103 err=8 text=modifications require authentication
: conn=1 fd=13 closed

Now, GnuPG gets the base keyspace right but modifications fail because
of lack of authentication.

Since I'd like to have authentication anyway (users should only be able
to remove their own keys) later on, how do I tell GnuPG to use a certain
DN to bind?
Also, will --passphrase-fd read the password for LDAP login?

Regards, Walter
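The slapd lines quoted above can be audited mechanically. As an added example, not from the post or from OpenLDAP or GnuPG, this Python snippet pairs each update operation (ADD/MOD/DEL/MODRDN) with its RESULT line and reports the ones the server refused, together with the identity the connection was bound as; the sample input is the post's own log excerpt, and the bind tracking assumes slapd's usual `conn=N op=M BIND dn="..."` log line, which the excerpt does not show.

```python
import re

# Constructed sample: the slapd log lines quoted in the post above (loglevel=448)
SAMPLE_LOG = """\
: conn=1 op=1 ENTRY dn="cn=PGPServerInfo,dc=private"
: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
: conn=1 op=2 MOD dn="pgpCertID=B18138775802B67C,ou=PGP Keys,dc=private"
: conn=1 op=2 RESULT tag=103 err=8 text=modifications require authentication
: conn=1 fd=13 closed
"""

# LDAP result codes (RFC 4511, section 4.1.9) that matter for write auditing
RESULT_CODES = {
    0: "success",
    8: "strongerAuthRequired",      # what the post's MOD got back
    49: "invalidCredentials",
    50: "insufficientAccessRights",  # what a correct ACL deny looks like
}

UPDATE_RE = re.compile(r'conn=(\d+) op=(\d+) (ADD|MOD|DEL|MODRDN) dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=\d+ err=(\d+) text=(.*)$')
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')  # assumed slapd format


def failed_updates(log_text):
    """Return one dict per update operation whose RESULT carried a non-zero err."""
    bound_as = {}   # conn -> DN it last bound as ("" means anonymous)
    pending = {}    # (conn, op) -> (kind, target dn) awaiting its RESULT line
    findings = []
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            bound_as[m.group(1)] = m.group(2)
        elif m := UPDATE_RE.search(line):
            conn, op, kind, dn = m.groups()
            pending[(conn, op)] = (kind, dn)
        elif m := RESULT_RE.search(line):
            conn, op, err, text = m.groups()
            kind_dn = pending.pop((conn, op), None)
            if kind_dn is None or int(err) == 0:
                continue  # not an update op, or it succeeded
            kind, dn = kind_dn
            findings.append({
                "conn": conn, "op": kind, "dn": dn, "err": int(err),
                "result": RESULT_CODES.get(int(err), "other"),
                "text": text.strip(),
                "bound_as": bound_as.get(conn, "") or "(anonymous)",
            })
    return findings


if __name__ == "__main__":
    for f in failed_updates(SAMPLE_LOG):
        print(f"conn={f['conn']} {f['op']} {f['dn']!r} by {f['bound_as']}: "
              f"err={f['err']} {f['result']} ({f['text']})")
```

Run against a full log, the err=8 entries single out anonymous write attempts (the client never bound), while err=50 entries mark writes that were authenticated but denied by the access rules.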

More information about the Gnupg-users mailing list