OpenLDAP schema to store OpenPGP keys?

Walter Haidinger walter.haidinger at gmx.at
Thu Feb 23 12:04:06 CET 2006


On Thu, February 23, 2006 04:24, David Shaw wrote:
>> Does GnuPG support remote keyrings?
>
> No, unless it's via a remote filesystem (NFS, SMB, some magic with
> fuse, etc).

Well, it would have been nice, though. I'll stick to rsync to distribute
secret keyrings then.

>> This is a general limitation, not to be solved by the ldap code,
>> IMHO. AFAIK, 1.4.2 only supports a single keyserver, right?
>> Therefore, any keyserver options apply to the one set. There should
>> be a mechanism to specify multiple keyservers, each with its own
>> option set, binddn and bindpw just being one of them.
>
> I'm not sure I agree with this.  GnuPG does support multiple
> keyservers in the sense that it handles preferred keyserver records on
> keys, as well as the new auto-key-locate feature.  All of these have
> the same set of options, as keyserver options are not per-keyserver.

I was unaware that _all_ keyserver options apply to any type, i.e.
http/hkp/ldap.
The manpage talks about 'a' preferred keyserver, though, so I thought
that there can be only one, which means all options are global anyway.
Haven't had a look at the new auto-key-locate feature yet.

> They're not "options for keyserver x" - they are "options that pertain
> to keyservers".

No, not yet, but it would make sense now with binddn and bindpw.
However, a single LDAP server I can authenticate against is fine for me.

> Until yesterday, in fact, when I added binddn and bindpw, all the
> options were not meaningful except in the general sense.

That's what I meant by "general limitation" above.

> I think the right place for the solution is in gpgkeys_ldap itself.
> Certainly, HTTP, FTP, and HKP have no notion of a DN to bind to.

If you create a framework which allows for options to apply to
certain keyservers, why limit yourself to LDAP only?
What if HTTP or FTP keyservers require authentication?
How would you do e.g. basic authentication against multiple
HTTP keyservers, each with different username and password?

Therefore, implementing keyserver-specific options _just_ for LDAP
simply doesn't make sense, or does it?

Walter



