OpenLDAP schema to store OpenPGP keys?

walter.haidinger at gmx.at
Tue Feb 21 23:35:02 CET 2006

On Tue, 21 Feb 2006, David Shaw wrote:
> On Tue, Feb 21, 2006 at 01:15:08AM +0100, Walter Haidinger wrote:
> > On Mon, 20 Feb 2006, David Shaw wrote:
> > > LDAP had TLS support back in 1.3.5. HTTP and FTP just got TLS support
> > > in 1.4.3. At one point, I started documenting the new options and
> > > stopped because the man page would be enormous. At some point, I'll
> > > probably make a "gpgkeys" man page so as to not grow the main "gpg"
> > > page too much.
> > Well, at least some hints that tls support exists at all would have
> > been useful! ;-) (*)
> It's in the NEWS file for 2004-02-26, but it's true there wasn't any
> way to know how to turn it on without reading the source...

I have to admit, I haven't read NEWS either. Had a brief look at
gpgkeys_ldap.c but did not notice the tls keyserver options (if they're

> > > A LDAP keyserver would be useful as a company keyserver where people
> > > inside the company IP range or an administrator can add keys, and the
> > > rest of the world can just read.
> > That eliminates tcp-wrapping. You'd have to grant write access by
> > using the peername statement in the access <who> field, right?
> Yes. Something like peername.ip=192.168.1.0%255.255.255.0 to specify
> the "inside the company" range for those who can write.

I see, but I'd rather have IP based access control handled by
either tcp-wrappers or firewall rules.
Read/write access should be governed by user authentication, IMHO.

> The problem here is remote authentication. Each user would need some
> way to authenticate to the LDAP server to give them the delete

Every user could get this own DN just for authentication, like

> LDAP can do this, of course, and GPG doesn't care one way or
> the other, but how would you handle password distribution for each

Why not give out initial passwords for DNs like above and let
people change the userPassword attribute using either ldapmodify
or a frontend? Then, each user would have to specify his login DN
to access his keys.
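The two access-control approaches discussed in this thread, written out as slapd.conf access directives. This is an added example, not configuration from the thread or from GnuPG; the DNs (ou=pgpkeys, ou=people, cn=admin under dc=example,dc=com) and the 192.168.1.0/24 range are assumptions.

```conf
# Assumed layout: key entries under ou=pgpkeys,dc=example,dc=com,
# per-user bind DNs under ou=people,dc=example,dc=com, and an
# administrator cn=admin,dc=example,dc=com. Clauses are evaluated
# in order; the first "access to" that matches the target wins, and
# within it the first matching "by" wins, so specific rules go first.

# Users bind with their own DN and may change their own password.
# "anonymous auth" lets an unauthenticated client compare the
# password during bind without being able to read the hash.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
        by self write
        by anonymous auth
        by * none

# The rest of an account entry is visible to its owner and the admin.
access to dn.subtree="ou=people,dc=example,dc=com"
        by self read
        by dn.exact="cn=admin,dc=example,dc=com" write
        by * none

# Key entries: the administrator and any authenticated user may add
# or modify keys; the rest of the world gets read-only access.
access to dn.subtree="ou=pgpkeys,dc=example,dc=com"
        by dn.exact="cn=admin,dc=example,dc=com" write
        by users write
        by * read

# Variant from the thread: grant write access by source address
# instead of (or in addition to) a bind DN. To use it, add this
# "by" line to the key-subtree clause above, before "by users write":
#
#        by peername.ip=192.168.1.0%255.255.255.0 write
```

Note that "by users write" lets any authenticated account modify any key in the subtree; restricting each user to his own keys would need an attribute on the key entries that names the owning DN (e.g. via a dnattr rule), which depends on the schema chosen and is not shown here.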