Howto setup an OpenLDAP PGP keyserver
walter.haidinger at gmx.at
Thu Feb 23 17:01:08 CET 2006
After all issues are finally resolved, I'm glad to post this
howto about setting up a PGP keyserver with OpenLDAP.
The inital thread that finally leads to here starts at:
Many thanks to Peter Palfrader for providing the LDAP schema and
especially to David Shaw for providing invaluable help and adding
LDAP basic authentication to GnuPG.
Used software: OpenLDAP 2.2.27, run under SuSE 10.0
GnuPG 1.4.3rc1 (subversion revision 4020).
If you don't want to wait until 1.4.3 is officially released,
grab yourself a copy from svn:
> svn co svn://cvs.gnupg.org/gnupg/trunk
Attached is tarball with the files for OpenLDAP configuration,
to which will be refered to below. I hope this doesn't violate
the rules of this list but the attachment is very small anyways.
You should have a basic understanding about LDAP first.
If not, I'd recommend to read the OpenLDAP Admin Guide on
http://www.openldap.org, which provides excellent documentation.
Also, as an LDAP client and excellent server management tool,
I'd recommend phpLDAPadmin: http://phpldapadmin.sourceforge.net
The LDAP tree created in this example setup looks like:
where dc=EXAMPLE,dc=COM is obviously the base DN.
First, install pgp-keyserver.schema from the tarball into to your
schema directory. There are two more files which are not used here,
but have been part of the schema I got from Peter, so I kept them
Next, install slapd.conf and edit to suit your needs.
That is, select either anonymous or user authentication.
In the provided file, anonymous writes are enabled.
However, access is restricted to writes from localhost only.
You may lift this restriction by modifying the peername.ip
statement. See slapd.access(5) for details and examples.
Think twice before opening up anonymous writes, as _any_ user
who can connect to your LDAP server can not only upload but also
For user authentication, comment out update_anon and the
access rule for anonymous writes. Users are stored as
DN "uid=<username>,ou=PGP Users,dc=EXAMPLE,dc=COM".
You need to create users to bind to LDAP. One sample user is
provided in ldif/pgpusers.ldif. Just copy the entry and
modify it to create more and read the file to learn
the used password.
Also, the password for the OpenLDAP manager is stored
as a hash. It is 'gpg'. Run slappasswd(8) to create a
stronger password and replace the hash in slapd.conf.
Try to start your OpenLDAP server now.
Under SuSE, I run "/etc/init.d/ldap start".
Next, populate the directory with the basic layout by
importing the example.ldif file (enter on a single line):
> cat example.ldif | ldapadd -x -W -h localhost
When prompted for a password, enter the one you've created
above or 'gpg' if you did not.
If you selected anonymous writes, you're done configuring
your OpenLDAP PGP keyserver.
If you selected user authentication, you need to add users now:
> cat pgpusers.ldif | ldapadd -x -W -h localhost
Finally, you can use GnuPG to add keys (always on a single line):
For anonymous write:
> gpg --keyserver ldap://localhost --send-key 12345678
For user authentication (insecure on command-line, see below):
> gpg --keyserver ldap://localhost --keyserver-options
--keyserver-options bindpw=user1 --send-keys 12345678
To receive keys, simply do:
> gpg --keyserver ldap://localhost --recv-keys 12345678
* GnuPG looks for PGPServerInfo under the base DN.
If you decide to put it somewhere else, use keyserver-option
basedn to specify the new location, e.g.:
keyserver-options "basedn=\"cn=PGPServerInfo,ou=PGP Info,dc=MYDOM\""
* Beware of shell quoting, like above which is the correct format
if you have spaces in your DN and specify the keyserver option
on the command line.
* GnuPG can use TLS/SSL. For SSL, use ldaps:// and for tls the
keyserver-options tls. It takes 'no','try','warn' or 'require'
as an argument, e.g.:
* Put other keyserver options into ~/.gnupg/gpg.conf, e.g.:
keyserver-options binddn="uid=test1,ou=PGP Keys,dc=EXAMPLE,dc=COM"
Then the following will just work:
> gpg --send-keys 12345678
> gpg --recv-keys 12345678
* As it is INSECURE to specify your bind password on the command
line, you should put it to your ~/.gnupg/gpg.conf and protect
this file with 0600 permissions.
Well, that's it for now. I hope this howto is helpful and somewhat
complete! Good luck setting up your PGP keyserver with OpenLDAP.
I'd be glad if someone could verify the steps so that there are no
glitches. Comments, notes, questions or else are appreciated.
Last but not least a final request: Please add a CC: to my email
address too if you reply to this list. Thanks.
Walter Haidinger <walter.haidinger at gmx.at>
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4220 bytes
Desc: not available
Url : /pipermail/attachments/20060223/76391f9b/openldap_pgp_keyserver.tar.bin
More information about the Gnupg-users