OpenLDAP schema to store OpenPGP keys?

Walter Haidinger walter.haidinger at gmx.at
Tue Feb 21 23:35:02 CET 2006


On Tue, 21 Feb 2006, David Shaw wrote:

> On Tue, Feb 21, 2006 at 01:15:08AM +0100, Walter Haidinger wrote:
> > On Mon, 20 Feb 2006, David Shaw wrote:
> > 
> > > LDAP had TLS support back in 1.3.5.  HTTP and FTP just got TLS support
> > > in 1.4.3.  At one point, I started documenting the new options and
> > > stopped because the man page would be enormous.  At some point, I'll
> > > probably make a "gpgkeys" man page so as to not grow the main "gpg"
> > > page too much.
> > 
> > Well, at least some hints that tls support exists at all would have
> > been useful! ;-)  (*)
> 
> It's in the NEWS file for 2004-02-26, but it's true there wasn't any
> way to know how to turn it on without reading the source...

I have to admit, I haven't read NEWS either. Had a brief look at 
gpgkeys_ldap.c but did not notice the tls keyserver options (if they're
there).
 
> > > A LDAP keyserver would be useful as a company keyserver where people
> > > inside the company IP range or an administrator can add keys, and the
> > > rest of the world can just read. 
> > 
> > That eliminates tcp-wrapping. You'd have to grant write access by 
> > using the peername statement in the access <who> field, right? 
> 
> Yes.  Something like peername.ip=192.168.1.0%255.255.255.0 to specify
> the "inside the company" range for those who can write.

I see, but I'd rather have IP based access control handled by 
either tcp-wrappers or firewall rules. 
Read/write access should be governed by user authentication, IMHO.
 
> The problem here is remote authentication.  Each user would need some
> way to authenticate to the LDAP server to give them the delete
> ability.  

Every user could get his own DN just for authentication, like
dn="uid=username,ou=pgpusers,dc=example"

> LDAP can do this, of course, and GPG doesn't care one way or
> the other, but how would you handle password distribution for each
> user?

Why not give out initial passwords for DNs like above and let
people change the userPassword attribute using either ldapmodify
or a frontend? Then, each user would have to specify his login DN
to access his keys.

Walter
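
As an added illustration of the two access models discussed in this message (example configuration written for this page, not anything posted in the thread or shipped with GnuPG or OpenLDAP), here is an OpenLDAP cn=config LDIF that shows the subnet-based model from the quoted reply beside the per-user-DN model proposed above. The suffix dc=example and the container ou=pgpusers are taken from the message; the key container ou=PGP Keys,dc=example, the admin DN cn=pgpadmin,dc=example, the database index {1}mdb, the example subnet and the olcSecurity setting are assumptions made for the example.

```ldif
# Added example, not from the thread. Assumed: database olcDatabase={1}mdb
# with suffix dc=example, key entries under ou=PGP Keys,dc=example, user
# entries under ou=pgpusers,dc=example, administrator cn=pgpadmin,dc=example.
#
# Model A, as described in the quoted reply: clients on the company subnet
# may write, everyone else may only read. No bind is needed, so nothing
# distinguishes one employee from another and tcp-wrappers cannot be used
# to do the same job at a different layer.
#
#   olcAccess: {0}to dn.subtree="ou=PGP Keys,dc=example"
#     by peername.ip=192.168.1.0%255.255.255.0 write
#     by * read
#
# Model B, the proposal above: every write requires a successful bind as a
# DN under ou=pgpusers. ACL clauses are evaluated in order; the first "to"
# that matches the target wins, and the first matching "by" decides.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Rule 0: a user may replace only his own password. "by anonymous auth" is
# what lets an unauthenticated connection present a password during a
# simple bind; nobody else may read or write the attribute.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Rule 1: key entries are world-readable, but only the administrator or an
# authenticated pgpuser may add, modify or delete them. Anonymous clients
# fall through to "read".
olcAccess: {1}to dn.subtree="ou=PGP Keys,dc=example"
  by dn.exact="cn=pgpadmin,dc=example" write
  by dn.subtree="ou=pgpusers,dc=example" write
  by * read
# Rule 2: the user entries themselves are visible only to their owner, so
# the list of account DNs cannot be enumerated by the public.
olcAccess: {2}to dn.subtree="ou=pgpusers,dc=example"
  by self read
  by * none
-
# A simple bind sends the password in clear unless the session is protected;
# refuse simple binds below a 128-bit security strength factor, i.e. require
# TLS (assumed setting, adjust to local policy).
replace: olcSecurity
olcSecurity: simple_bind=128
```

Apply the record with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif` on the server. Initial passwords are set by the administrator; a user later replaces his own with `ldappasswd -ZZ -x -D "uid=walter,ou=pgpusers,dc=example" -W -S -H ldap://keyserver.example`, which uses the Password Modify extended operation so slapd hashes the new value according to olcPasswordHash. An ldapmodify that replaces userPassword directly stores exactly the string sent (cleartext, unless the ppolicy overlay is configured to hash it), so prefer ldappasswd or a frontend that hashes. Note that rule 1 lets any authenticated pgpuser modify or delete anybody's key, which is the "delete ability" concern from the quoted reply; restricting each user to his own entries would need an attribute on each key entry that holds the owner's DN and a `by dnattr=<that attribute> write` clause, which in turn requires the key entry's object class to allow that attribute.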

More information about the Gnupg-users mailing list