OpenLDAP schema to store OpenPGP keys?

David Shaw dshaw at
Thu Feb 23 04:24:27 CET 2006

On Thu, Feb 23, 2006 at 01:04:10AM +0100, Walter Haidinger wrote:
> On Wed, 22 Feb 2006, David Shaw wrote:

> > Are you looking for a remote keyring?  
> > That's slightly different than a keyserver, or at least the thing 
> > that GnuPG calls a keyserver.
> Now that you mention it: actually yes, for private keys. I've not done
> any research about that yet. Just came to my mind during the discussion
> in this thread. 
> Does GnuPG support remote keyrings?

No, unless it's via a remote filesystem (NFS, SMB, some magic with
fuse, etc).

> > This is just for testing though - the actual feature needs a little
> > more work before 1.4.3 release - the binddn and bindpw is global for
> > all keyservers, so if someone selects a different ldap keyserver
> > without removing the binddn and bindpw, they likely will be refused
> > (bad password).  This can happen automatically with keyserver URLs.
> > What is really needed is a .netrc-style "ldap-password" file that
> > contains binddn and bindpw for different machines.
> This is a general limitation, not to be solved by the ldap code, 
> IMHO. AFAIK, 1.4.2 only supports a single keyserver, right? 
> Therefore, any keyserver options apply to the one set. There should 
> be a mechanism to specify multiple keyservers, each with its own 
> option set, binddn and bindpw just being one of them.

I'm not sure I agree with this.  GnuPG does support multiple
keyservers in the sense that it handles preferred keyserver records on
keys, as well as the new auto-key-locate feature.  All of these have
the same set of options, as keyserver options are not per-keyserver.
They're not "options for keyserver x" - they are "options that pertain
to keyservers".  For example, "auto-key-retrieve" is not meaningful
except in the general sense.

Until yesterday, in fact, when I added binddn and bindpw, all the
options were not meaningful except in the general sense.  I think the
right place for the solution is in gpgkeys_ldap itself.  Certainly,
HTTP, FTP, and HKP have no notion of a DN to bind to.

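As an added illustration (not code from the thread or from GnuPG) of the per-machine "ldap-password" file David proposes above: a parser for a hypothetical `machine <host> binddn <dn> bindpw <pw>` format, plus a lookup keyed on the keyserver URL's host so that switching keyservers never reuses another server's credentials and falls back to an anonymous bind instead. The file format, the sample entries and the function names are assumptions.

```python
import shlex
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample of the hypothetical .netrc-style ldap-password file.
SAMPLE_LDAP_PASSWORD_FILE = """
# one entry per keyserver host; tokens may be quoted as in .netrc
machine keys.example.org binddn "cn=gpg,dc=example,dc=org" bindpw s3cret
machine ldap.example.net binddn cn=reader,dc=example,dc=net bindpw readonly
"""


def parse_ldap_password(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {host: (binddn, bindpw)} from ldap-password file contents.

    Hypothetical format: 'machine <host> binddn <dn> bindpw <pw>', one entry
    per line, '#' comments allowed. shlex keeps a quoted DN as one token.
    """
    entries: Dict[str, Tuple[str, str]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = shlex.split(line, comments=True)
        if not tokens:
            continue
        if (len(tokens) != 6 or tokens[0] != "machine"
                or tokens[2] != "binddn" or tokens[4] != "bindpw"):
            raise ValueError(f"ldap-password line {lineno}: malformed entry")
        entries[tokens[1].lower()] = (tokens[3], tokens[5])
    return entries


def bind_credentials(keyserver_url: str,
                     entries: Dict[str, Tuple[str, str]]
                     ) -> Optional[Tuple[str, str]]:
    """Credentials for this keyserver only, or None for an anonymous bind.

    Keying on the URL host means a keyserver chosen automatically (e.g. from
    a preferred-keyserver record) never inherits a global binddn/bindpw and
    therefore never fails with a 'bad password' meant for another server.
    """
    parts = urlsplit(keyserver_url)
    if parts.scheme not in ("ldap", "ldaps"):
        return None  # hkp/http/ftp keyservers have no DN to bind to
    host = (parts.hostname or "").lower()
    return entries.get(host)
```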