OpenLDAP schema to store OpenPGP keys?
walter.haidinger at gmx.at
Wed Feb 22 01:07:48 CET 2006
On Tue, 21 Feb 2006, David Shaw wrote:
> > > The problem here is remote authentication. Each user would need some
> > > way to authenticate to the LDAP server to give them the delete
> > > ability.
> > Every user could get this own DN just for authentication, like
> > dn="uid=username,ou=pgpusers,dc=example"
> > > LDAP can do this, of course, and GPG doesn't care one way or
> > > the other, but how would you handle password distribution for each
> > > user?
> > Why not give out initial passwords for DN's like above and let
> > people change the userPassword attribute using either ldapmodify
> > or a frontend? Then, each user would have to specify his login DN
> > to access his keys.
> That sounds like it would work fine. Most of the work is on the LDAP
> configuration side, but it would be easy enough to add binddn and
> bindpw to gpgkeys_ldap for the GPG piece.
On the LDAP side, you only need to create the users DN once.
Authentication can be handled by a single access rule using dn.regex in
<what> and dn.exact,expand in <who>.
There is an example at the bottom of slapd.access(5).
I've done this already for personal addressbooks on OpenLDAP.
> However, the problem is how to handle the password on the GPG side.
> Prompt the user each time he uses the keyserver? Inconvenient, plus
> GPG has no code for this today. Stick it in a config file?
Yes, how about adding keyserver options binddn and bindpw,
like in pam_ldap as mentioned in another post?
Add to your ~/.gnupg/gpg.conf, protect it with 0600 perms
and you're authenticated. You don't even need a dedicated config
file. As your secure keyrings are usually in the same directory,
you need to pay attention to permissions there anyways.
> Potentially dangerous. How sensitive is this password?
> Is a mode 600 file secure for your usage?
Yes, I'd think so. After all, we're talking about protecting
a keystore of _public_ keys...
If GnuPG could also store secret keys (btw, can it? have never checked)
on LDAP, this might be different story. However, at least for now,
being as secure as pam_ldap _is_ sufficient, IMHO.
More information about the Gnupg-users