OpenLDAP schema to store OpenPGP keys?

Walter Haidinger walter.haidinger at
Thu Feb 23 13:01:48 CET 2006

On Thu, February 23, 2006 00:28, David Shaw wrote:
>> Next release of 1.4.x or 1.9.x?
> 1.4.3.  I've added the new feature, so you could probably grab the
> gpgkeys_ldap.c from svn and use it in your 1.4.2 if you like.  There
> aren't significant changes to the keyserver protocol between the two.
> Just replace the existing gpgkeys_ldap.c with the new one and
> recompile.

I've checked out rev. 4020 (gpg reports version 1.4.3rc1).

First the good news: Anonymous access works, can send and receive
keys just fine. The problem about the pgpKeysize is gone, although
I did _not_ do any changes to the code. The CVS diffs show that you
probably took care of this.

Now for the bad news: binding with a DN does not work yet.
I tried the new binddn and bindpw options with the following setup:

> cat pgpusers.ldif
dn: ou=PGP Users,dc=EXAMPLE,dc=COM
objectclass: organizationalUnit
ou: PGP Users

dn: uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM
objectClass: inetOrgPerson
objectClass: uidObject
uid: user1
# password is 'user1'. Use slappasswd(8) to create a new
# one and replace the string here!
userPassword: {SSHA}sLbxdJt53SZvU9BMRSSmdD78vfiSoPHR
sn: User1
cn: Test User1

> ldapadd -x -h localhost -W -D "cn=Manager,dc=EXAMPLE,dc=COM" < pgpusers.ldif
adding new entry "ou=PGP Users,dc=EXAMPLE,dc=COM"

Changed the acl in slapd.conf from

# PGP keystore: limit write access to localhost
access to dn.subtree="ou=PGP Keys,dc=EXAMPLE,dc=COM"
        by peername.ip= write
        by * read

# PGP keystore: only users of "ou=PGP Users,dc=EXAMPLE,dc=COM" may write
access to dn.subtree="ou=PGP Keys,dc=EXAMPLE,dc=COM"
        by dn.regex="uid=([^,]+),ou=PGP Users,dc=EXAMPLE,dc=COM" write
        by * read

and tried the following:

> gpg --keyserver ldap://localhost --keyserver-option verbose --keyserver-option
"binddn=uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM" --keyserver-option bindpw=user1
--send-keys B15BBBE2
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
gpg: sending key B15BBBE2 to ldap server localhost
gpgkeys: internal LDAP bind error: Invalid credentials
gpg: keyserver internal error
gpg: keyserver send failed: keyserver error

Syslog shows that pgp only binds with DN 'uid=user1' instead
of the whole specified DN:
slapd[10055]: conn=6 op=2 BIND dn="uid=user1" method=128

There is a bug in the option parsing. Added a few diagnostics
in main() of gpgkeys_ldap.c, which showed that binddn is already
truncated after and including the first comma when you strdup() it
from start[], i.e. any DN, like 'a,b,c,d' would be truncated to 'a'.
Had a quick look but no obvious origin of the problem.
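The truncation described above, as an added example in C that is not code from the original post or from GnuPG: a minimal "name=value" option parser that stops at the first comma or space (reproducing the `uid=user1` seen in syslog), beside a quote-aware variant that keeps the commas of a DN. The quote-aware handling is a hypothetical fix, not the change made in gpgkeys_ldap.c, and it assumes the value reaches the parser unquoted because the shell consumes the double quotes on the gpg command line.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Extract the value of a "name=value" option from a comma/space separated
   option list.  quote_aware == 0 mimics a naive parser that stops at the
   first delimiter, which cuts "uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM"
   down to "uid=user1".  quote_aware == 1 lets a value wrapped in double
   quotes keep its commas and spaces.  Constructed illustration, not the
   GnuPG parser.  Returns a malloc'd string, or NULL on a malformed option. */
char *parse_option_value(const char *opt, int quote_aware)
{
    const char *start = strchr(opt, '=');
    const char *end;
    char *out;
    size_t len;

    if (!start)
        return NULL;                         /* not in name=value form */
    start++;
    if (quote_aware && *start == '"') {
        start++;
        end = strchr(start, '"');
        if (!end)
            return NULL;                     /* unterminated quote: reject */
    } else {
        end = start + strcspn(start, ", ");  /* next delimiter or end */
    }
    len = (size_t)(end - start);
    out = malloc(len + 1);
    if (!out)
        return NULL;
    memcpy(out, start, len);
    out[len] = '\0';
    return out;
}

/* Parse, compare with the expected value and free; 1 if they match. */
int value_equals(const char *opt, int quote_aware, const char *expected)
{
    char *v = parse_option_value(opt, quote_aware);
    int ok = v != NULL && strcmp(v, expected) == 0;
    free(v);
    return ok;
}

int main(void)
{
    const char *dn = "binddn=uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM";
    char *naive = parse_option_value(dn, 0);
    printf("naive parse binds as: %s\n", naive);  /* uid=user1 */
    free(naive);
    return 0;
}
```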
