OpenLDAP schema to store OpenPGP keys?

David Shaw dshaw at jabberwocky.com
Tue Feb 21 23:51:46 CET 2006


On Tue, Feb 21, 2006 at 11:42:56PM +0100, Walter Haidinger wrote:
> On Tue, 21 Feb 2006, David Shaw wrote:
> 
> > On Tue, Feb 21, 2006 at 11:12:32PM +0100, Walter Haidinger wrote:
> > > On Tue, 21 Feb 2006, David Shaw wrote:
> > > 
> > > > > because GnuPG looks for PGPServerInfo under the base DN,
> > > > > not under dn="ou=PGP Keys,dc=DOMAIN,dc=COM".
> > > > 
> > > > Not exactly.  It looks for PGPServerInfo under each DN returned from
> > > > namingContexts in order.  It may well check for
> > > > "cn=PGPServerInfo,dc=DOMAIN,dc=COM" first, but once that fails, it'll
> > > > get to "cn=PGPServerInfo,ou=PGP Keys,dc=DOMAIN,dc=COM" next.
> > > 
> > > As far as I can tell from my slapd logs, it only checks for
> > > "cn=PGPServerInfo,dc=DOMAIN,dc=COM" once and stops when that fails.
> > 
> > What does:
> > 
> >  ldapsearch -h your-ldap-server -x -b "" -s base namingcontexts
> > 
> > return?
> 
> dn:
> namingContexts: dc=private
> 
> This is my base DN (i.e. the suffix specified in slapd.conf). 
> Should probably be "dc=DOMAIN,dc=COM" following the example above.

gpgkeys_ldap will only check DNs given in namingContexts.  That's part
of the LDAP design that the PGP folks did, to allow programs to
automatically locate the key store.

If you need to override the autodetection, do something like:

  keyserver-options basedn="ou=PGP Keys,dc=DOMAIN,dc=COM"

David
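Added example, not part of the thread and not GnuPG or gpgkeys_ldap code: a small Python script that emulates the discovery David describes (read namingContexts from the root DSE, probe cn=PGPServerInfo under each context in order) and, when that fails, derives the value for the keyserver-options basedn override. The LDIF reply and the set of directory DNs are constructed, and DN matching is simplified case-insensitive string comparison rather than full LDAP DN normalisation.

```python
# Added example, not GnuPG or gpgkeys_ldap code. It emulates the discovery the
# thread describes (read namingContexts from the root DSE, then probe
# cn=PGPServerInfo under each context in order) and derives the basedn override
# when that fails. DN matching is plain case-insensitive string comparison, an
# assumption rather than full LDAP DN normalisation.

# Constructed root-DSE reply in LDIF, as ldapsearch -x -b "" -s base
# namingcontexts prints it; a line starting with a space continues the one above.
ROOT_DSE_LDIF = "dn:\nnamingContexts: dc=private\n"

# Constructed directory: the server info entry sits under the PGP Keys OU only.
DIRECTORY_DNS = {
    "dc=private",
    "ou=PGP Keys,dc=private",
    "cn=PGPServerInfo,ou=PGP Keys,dc=private",
}

def parse_naming_contexts(ldif):
    """namingContexts values in reply order, with LDIF continuation lines unfolded."""
    unfolded = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    values = []
    for line in unfolded:
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "namingcontexts":
            values.append(value.strip())
    return values

def probe_serverinfo(contexts, directory):
    """Probe cn=PGPServerInfo,<context> per context; return (probed DNs, first hit or None)."""
    present = {dn.lower() for dn in directory}
    probed = []
    for ctx in contexts:
        candidate = "cn=PGPServerInfo," + ctx
        probed.append(candidate)
        if candidate.lower() in present:
            return probed, candidate
    return probed, None

def suggest_basedn(directory):
    """Parent DN of a PGPServerInfo entry, usable as keyserver-options basedn; None if absent."""
    for dn in sorted(directory):
        if dn.lower().startswith("cn=pgpserverinfo,"):
            return dn.partition(",")[2]
    return None
```

With the constructed data the probe of cn=PGPServerInfo,dc=private fails and the script suggests basedn="ou=PGP Keys,dc=private", which mirrors the situation in the thread.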

