Copyright © 2002 by PGP Corporation. All Rights Reserved.
This Tech Note describes how to set up LDAP key reconstruction and LDAP remote preferences on Netscape Directory Server 4.1.
Install Netscape Directory Server 4.1.
Note: Netscape's servers have some problems with pathnames with spaces in them, so PGP Corporation recommends against using "Program Files". The default is "C:\Netscape\Server4". Use the default.
For the examples in this document, we assume you chose "o=PGP" for your suffix.
Install PGP schemas for Netscape DS (Directory Server).
Assuming you have installed DS into C:\Netscape\Server4, copy the files pgp-recon-schema.conf and pgp-remte-prefs-schema.conf into C:\Netscape\Server4\slapd-<instancename>\config.
Edit ns-schema.conf in this directory and add two more include lines, one for each of these new schema files.
Restart Netscape DS.
On the "Tasks" page of the Netscape DS Console, click the Restart the Directory Server button.
Add a new user for each user wishing to store key reconstruction data.
Open up the tree for the suffix you chose when you installed DS (o=PGP, for example; the tree doesn't display the "o=", just the value). Right click on the People tree item, and select New --> User.
On the "User" page (tabs are on the left of the window), type in the new user's first and last name into "First Name" and "Last Name", respectively. You may change his User ID if you wish. Finally, type a password for this user into "Password" and "Confirm Password". Click OK.
Set the access permissions to allow the user to add key reconstruction data.
Right click on the People tree item and select Set Access Permissions. Click New. Click View/Edit Syntax and change the ACI to:
(target="ldap:///ou=People, o=PGP")(targetattr="*")(version 3.0; acl "PGP Key Reconstruction"; allow (all) (userdnattr = "owner"); )
Change the "target=" according to the suffix you chose while installing Netscape DS.
Set up PGP to use your server as the key reconstruction server.
PGPadmin will usually handle setting this up, but for now, you need to manually edit your PGPPrefs.txt and add/change the lines:
LDAPReconServerType=0
LDAPReconServer=<LDAPURL>
Where <LDAPURL> is the URL of the newly created user. The URL should look like:
ldap://<hostname.or.IP>/uid=$USERID, ou=People, o=PGP
When sending or retrieving key reconstruction data, you will be prompted for a username and password. The username will be substituted for the strings "$USERID" and "%USERID%" in the LDAP URL.
Send a key to the reconstruction server.
In PGPkeys, right click on your keypair and select Send to --> Reconstruction Server. Create five questions and answers. Click OK. Enter the key's passphrase and click OK.
For this box, the User ID is the User ID of the new user and the Password is the password of that user.
Create a user who is allowed to send the prefs to the server.
Right click on the "People" tree item and select New --> User. This user can be anyone, but to simplify things, you might want to call him "pgpprefadmin" or "admin" or something similar. Be sure to give him a password.
Create space to store remote preferences.
Right click on the "o=PGP" (the "o=" is not displayed) tree item and select New --> Other. Select "pgpprofile" from the list. Click OK. In the field labeled "Full name", enter a description for this space, such as "PGP Remote Prefs".
Select Edit --> Add Attribute. Select "owner". Click OK. In the textbox for the new owner attribute, type the full DN of the user who is allowed to send PGP's preferences to the server. For example if you added a user with uid "pgpprefsadmin" under the "People" tree, the DN of this user is "uid=pgpprefsadmin, ou=People, o=PGP".
Set access permissions to allow pref storage.
Right click on the new item in the right-hand panel you added in step 2 and select Set Access Permissions. You may have to click on the "o=PGP" item in the tree for the new item to show up in the right-hand panel. Add the following ACI:
(target="ldap:///cn=PGP Remote Prefs, o=PGP") (targetattr="*")(version 3.0; acl "PGP Remote Preferences"; allow (all) (userdnattr = "owner"); )
Be sure to change the "cn=PGP Remote Prefs, o=PGP" if you chose a different name.
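The two ACIs above and the $USERID / %USERID% substitution in the reconstruction URL are the pieces an administrator most often gets wrong. The following is an added example, not part of the tech note or of any PGP product: it builds the reconstruction URL from the template with the username escaped as an RDN value (RFC 4514 escaping is an added safeguard the note does not describe), and it parses an ACI of the shape used here to confirm that it only grants rights to the entry's owner.

```python
import re

# Placeholders that PGP replaces with the prompted username (from the tech note).
PLACEHOLDERS = ("$USERID", "%USERID%")

# The two ACIs quoted in the tech note, used here as sample input.
RECON_ACI = ('(target="ldap:///ou=People, o=PGP")(targetattr="*")(version 3.0; '
             'acl "PGP Key Reconstruction"; allow (all) (userdnattr = "owner"); )')
PREFS_ACI = ('(target="ldap:///cn=PGP Remote Prefs, o=PGP") (targetattr="*")(version 3.0; '
             'acl "PGP Remote Preferences"; allow (all) (userdnattr = "owner"); )')


def escape_dn_value(value):
    """Escape an RDN value (RFC 4514): special characters, leading '#'/space, trailing space."""
    out = []
    for i, ch in enumerate(value):
        special = (ch in ',+"\\<>;' or (i == 0 and ch in ' #')
                   or (i == len(value) - 1 and ch == ' '))
        out.append('\\' + ch if special else ch)
    return ''.join(out)


def recon_url(template, userid):
    """Substitute the username into the URL template, escaped so it stays a single RDN value."""
    safe = escape_dn_value(userid)
    for placeholder in PLACEHOLDERS:
        template = template.replace(placeholder, safe)
    return template


# Shape of the ACIs in this note: target, targetattr, version + acl name, one allow/deny clause.
ACI_RE = re.compile(
    r'\(target="(?P<target>[^"]*)"\)\s*\(targetattr="(?P<attrs>[^"]*)"\)\s*'
    r'\(version 3\.0;\s*acl "(?P<name>[^"]*)";\s*'
    r'(?P<rule>allow|deny)\s*\((?P<rights>[^)]*)\)\s*\((?P<bind>[^)]*)\);\s*\)'
)


def parse_aci(aci):
    """Split an ACI into its fields; raises ValueError if it does not match the expected shape."""
    m = ACI_RE.fullmatch(aci.strip())
    if m is None:
        raise ValueError("unrecognised ACI syntax")
    fields = m.groupdict()
    fields["rights"] = [r.strip() for r in fields["rights"].split(",")]
    return fields


def aci_limited_to_owner(aci):
    """True if the ACI only grants rights to the bind DN named in the entry's owner attribute."""
    fields = parse_aci(aci)
    return fields["rule"] == "allow" and fields["bind"].replace(" ", "") == 'userdnattr="owner"'
```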
Tell PGP where to send the prefs.
In PGPadmin, under Administrative Options, on the Updates panel, check "Automatically update administrative options every xxx days" and set the LDAP Server URL to the URL of the pgpprofile object you created in step 2, such as ldap://server/cn=PGP Remote Prefs, o=PGP.
At this point, the server is completely set up to send and receive remote prefs.