OpenLDAP schema to store OpenPGP keys?

Walter Haidinger walter.haidinger at
Thu Feb 23 01:04:10 CET 2006

On Wed, 22 Feb 2006, David Shaw wrote:

> It's a bit more complex than that - what LDAP (and any keyserver) does
> is provide the key itself.  That key is then imported and lives
> locally from then on until it is deleted.  There would need to be
> cleanup after use or keys would be left behind.  

I see. Obviously not a problem for public keys but definitely 
for private... Should have thought a bit more about how GnuPG 
works first. I guess I was too enthusiastic about the soon-working 
LDAP keyserver... Btw, I'll test the unique flag later today.

> Are you looking for a remote keyring?  
> That's slightly different than a keyserver, or at least the thing 
> that GnuPG calls a keyserver.

Now that you mention it: actually yes, for private keys. I've not done
any research about that yet. Just came to my mind during the discussion
in this thread. 
Does GnuPG support remote keyrings?

> 1.4.3.  I've added the new feature, so you could probably grab the
> gpgkeys_ldap.c from svn and use it in your 1.4.2 if you like.  

Thanks. I was about to ask if I can get it from the SVN tree early...
You're just too quick! ;-)

> There aren't significant changes to the keyserver protocol between 
> the two.
> Just replace the existing gpgkeys_ldap.c with the new one and
> recompile.

I'll try a full checkout, though. I've read about another option
which allows for keyserver failover, 'query' IIRC.

> This is just for testing though - the actual feature needs a little
> more work before 1.4.3 release - the binddn and bindpw is global for
> all keyservers, so if someone selects a different ldap keyserver
> without removing the binddn and bindpw, they likely will be refused
> (bad password).  This can happen automatically with keyserver URLs.
> What is really needed is a .netrc-style "ldap-password" file that
> contains binddn and bindpw for different machines.

This is a general limitation, not to be solved by the ldap code, 
IMHO. AFAIK, 1.4.2 only supports a single keyserver, right? 
Therefore, any keyserver options apply to the one set. There should 
be a mechanism to specify multiple keyservers, each with its own 
option set, binddn and bindpw just being one of them.
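The failure mode David describes above (one global binddn/bindpw sent to whichever LDAP keyserver happens to be selected) and the .netrc-style per-machine lookup he proposes can be shown side by side. The following is an added illustration, not code from GnuPG or from anyone in this thread; the "ldap-password" file format (plain netrc keywords: machine/login/password), the sample hosts and DNs, and all function names are assumptions made for the example.

```python
"""Per-host LDAP bind credentials for keyservers, netrc style.

Added example, not GnuPG's own code. It contrasts the "global binddn/bindpw"
behaviour with a per-host lookup in a .netrc-style file. The file format,
host names, DNs and function names are all assumptions for illustration.
"""
import netrc
import os
import tempfile
from urllib.parse import urlparse

# Constructed sample "ldap-password" file (assumed format): one line per
# keyserver host, reusing the .netrc keywords machine/login/password, with
# the bind DN in the login field.
SAMPLE_LDAP_PASSWORD_FILE = """\
machine ldap.example.org login cn=pgpreader,dc=example,dc=org password s3cret
machine keys.example.net login cn=gpg,ou=svc,dc=example,dc=net password other
"""


def host_of(keyserver_url):
    """Return the host part of an ldap://host[:port]/... keyserver URL."""
    parsed = urlparse(keyserver_url)
    if parsed.scheme != "ldap" or not parsed.hostname:
        raise ValueError("not an LDAP keyserver URL: %r" % keyserver_url)
    return parsed.hostname


def lookup_bind(ldap_password_text, host):
    """Return (binddn, bindpw) for host from netrc-style text, or None.

    None means "no entry for this host": the caller should bind anonymously
    rather than send credentials that belong to a different server.
    """
    # The stdlib netrc parser wants a path, so spill the text to a temp file.
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fp:
            fp.write(ldap_password_text)
        entry = netrc.netrc(path).authenticators(host)
    finally:
        os.unlink(path)
    if entry is None:
        return None
    login, _account, password = entry
    return login, password


def bind_for_global(keyserver_url, global_binddn, global_bindpw):
    """Current behaviour: the single global binddn/bindpw goes to every
    LDAP keyserver, whatever host the URL names."""
    host_of(keyserver_url)  # only validates the URL; the host is ignored
    if global_binddn is None:
        return None
    return global_binddn, global_bindpw


def bind_for_host(keyserver_url, ldap_password_text):
    """Proposed behaviour: credentials are chosen by host; unknown hosts
    get an anonymous bind instead of someone else's password."""
    return lookup_bind(ldap_password_text, host_of(keyserver_url))


if __name__ == "__main__":
    # A user configured credentials for ldap.example.org, then a key's
    # preferred-keyserver URL switches them to keys.example.net.
    switched = "ldap://keys.example.net/"
    print("global :", bind_for_global(switched,
                                      "cn=pgpreader,dc=example,dc=org",
                                      "s3cret"))
    print("per-host:", bind_for_host(switched, SAMPLE_LDAP_PASSWORD_FILE))
    print("unknown :", bind_for_host("ldap://unknown.example.com/",
                                     SAMPLE_LDAP_PASSWORD_FILE))
```

With the global setting, the switch to keys.example.net sends ldap.example.org's DN and password, which is exactly the "refused (bad password)" case; the per-host lookup returns that server's own entry, and returns None for a host with no entry so that the client can fall back to an anonymous bind.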


More information about the Gnupg-users mailing list