OpenLDAP schema to store OpenPGP keys?

David Shaw dshaw at
Tue Feb 21 00:00:25 CET 2006

On Mon, Feb 20, 2006 at 11:14:33PM +0100, Walter Haidinger wrote:
> On Mon, 20 Feb 2006, David Shaw wrote:
> > Here's a rough guide for OpenLDAP:
> [--cut--]
> Thanks, no problem following the guide.
> > The configuration above obviously allows anyone to write/delete keys.
> I'll add appropriate access rules once key import/export works.
> However, I'm having trouble with authentication (see below), despite
> I've removed all restrictions (allow * by * write).
> > Note that GPG will use TLS or LDAPS just fine if you want to use that.
> TLS too? How to tell GnuPG to use TLS over port 389 (ldap://)?

Try for TLS, and do nothing if TLS can't start:
  keyserver-options tls=try

Try for TLS, and print a warning if TLS can't start:
  keyserver-options tls=warn

Try for TLS, and fail if TLS can't start:
  keyserver-options tls=require

If you want to use a particular certificate file:
  keyserver-options ca-cert-file=/path/to/the/file

If you don't want to check the certificate chain (default is to check
  keyserver-options no-check-cert

(Incidentally, the new keyserver handlers in 1.4.3 can do SSL and TLS
for HTTP and FTP as well).

> When I try to import my first key, I get the following:
> > gpg --keyserver "ldap://ldap.private" --keyserver-options verbose \
>       --keyserver-options verbose --send-keys 5802B67C
> gpg: sending key 5802B67C to ldap server ldap.private
> Host:           ldap.private
> Command:        SEND
> Server:         OpenLDAP slapd
> Version:        2.2.27
> gpgkeys: error adding key 5802B67C to keyserver: Strong(er)
> authentication required

You could probably use a "allow update_anon" in slapd.conf.

> Also, will --passphrase-fd read the password for LDAP login?

No.  There isn't really a strong notion of authentication for
keyservers beyond IP restriction in the server at the moment.  In
fact, the current LDAP code doesn't explicitly bind at all.  The
assumption is that any server we're likely to run into is V3 (or that
odd NAI semi-LDAP keyserver that's not really used any longer), and
doesn't need a bind.

I'm not against adding authentication, but I'd want to know more about
what you're doing.  There are not too many people running their own
LDAP servers with OpenPGP keys on them.  I'd love to hear how it goes.


More information about the Gnupg-users mailing list