OpenLDAP schema to store OpenPGP keys?

Walter Haidinger walter.haidinger at
Tue Feb 21 17:21:25 CET 2006

David Shaw wrote:
> 5) Make this file:
> cat > pgp.ldif
> dn: ou=PGP Keys,dc=DOMAIN,dc=COM
> objectclass: organizationalUnit
> ou: PGP Keys
> dn: cn=PGPServerInfo,ou=PGP Keys,dc=DOMAIN,dc=COM

Change this line to:
  dn: cn=PGPServerInfo,dc=DOMAIN,dc=COM

because GnuPG looks for PGPServerInfo under the base DN,
not under dn="ou=PGP Keys,dc=DOMAIN,dc=COM".

After adding the following to slapd.conf
  allow update_anon
  allow bind_anon_dn
I was finally able to import my first pubkey:

> gpg --keyserver ldap://localhost --send-keys B15BBBE2

No news is good news!
ldapsearch confirmed a new DN with the appropriate attributes.

However, adding the next pubkey fails:
> gpg --keyserver ldap://localhost --send-keys C2C148FC
gpg: sending key C2C148FC to ldap server localhost
gpgkeys: error adding key C2C148FC to keyserver: Type or value exists
gpg: keyserver internal error
gpg: keyserver send failed: keyserver error

Syslog shows:
: => access_allowed: read access granted by read(=rscx)
: conn=23 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
: conn=23 op=2 MOD dn="pgpCertID=7809F430C2C148FC,ou=PGP Keys,dc=private"
: conn=23 op=2 MOD attr=pgpDisabled pgpKeyID pgpKeyType pgpUserID pgpKeyCreateTime
pgpSignerID pgpRevoked pgpSubKeyID pgpKeySize pgpKeyExpireTime pgpCertID pgpCertID
pgpKeyID pgpKeyType pgpKeySize pgpKeyCreateTime pgpDisabled pgpRevoked pgpUserID
pgpSignerID pgpSubKeyID objectClass pgpKey
: conn=23 op=2 RESULT tag=103 err=20 text=pgpKeySize: value #0 provided more than once
: conn=23 fd=13 closed

I've checked the pgpKeySize attribute, it is not set to single-value.
Indeed, the first key has two keysize attributes:
> ldapsearch ...  pgpKeySize
dn: pgpCertID=2DCF61D9B15BBBE2,ou=PGP Keys,dc=private
pgpKeySize: 01024
pgpKeySize: 02048

After deleting the first key again, I still can't send any _other_
keys to the now empty LDAP directory (same error in logs as above).
However, resending the _same_ key (B15BBBE2) again works.

Regards, Walter
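Two checks for the problems described in this message, as an added example that is not from the thread, GnuPG or OpenLDAP: a small LDIF reader that flags a PGPServerInfo entry not placed directly under the base DN, and attribute values repeated within one entry (what slapd rejects with err=20, attributeOrValueExists, "provided more than once"). The base DN dc=DOMAIN,dc=COM is the placeholder from the quoted recipe; the sample LDIF is constructed.

```python
# Added example (not from the thread, GnuPG or OpenLDAP): pre-check a
# keyserver LDIF for the two failure modes discussed above.
from collections import defaultdict

# Constructed sample: PGPServerInfo placed under the OU (the mistake in the
# quoted recipe) plus a key entry that carries pgpKeySize: 01024 twice.
SAMPLE_LDIF = """\
dn: cn=PGPServerInfo,ou=PGP Keys,dc=DOMAIN,dc=COM
objectclass: pgpServerInfo

dn: pgpCertID=7809F430C2C148FC,ou=PGP Keys,dc=DOMAIN,dc=COM
objectclass: pgpKey
pgpKeySize: 01024
pgpKeySize: 02048
pgpKeySize: 01024
"""

def parse_ldif(text):
    # Minimal LDIF reader (no line folding, no base64): [(dn, {attr: [values]})]
    entries, attrs = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            attrs = defaultdict(list)
            entries.append((value, attrs))
        elif attrs is not None:
            attrs[name].append(value)
    return entries

def duplicate_values(entries):
    # (dn, attr, value) for every value repeated within one entry; slapd refuses such
    # an add/modify with err=20 attributeOrValueExists. Exact-string comparison only.
    dups = []
    for dn, attrs in entries:
        for name, values in attrs.items():
            seen = set()
            for v in values:
                if v in seen and (dn, name, v) not in dups:
                    dups.append((dn, name, v))
                seen.add(v)
    return dups

def misplaced_serverinfo(entries, base_dn="dc=DOMAIN,dc=COM"):
    # PGPServerInfo entries not directly under the base DN, where GnuPG looks
    want = f"cn=PGPServerInfo,{base_dn}".lower()
    return [dn for dn, _ in entries
            if dn.lower().startswith("cn=pgpserverinfo,") and dn.lower() != want]
```

Running both checks over SAMPLE_LDIF reports the misplaced PGPServerInfo DN and the repeated pgpKeySize value; an LDIF that passes both can still fail for schema reasons the checks do not model.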
