Copyright © 2002 by PGP Corporation. All Rights Reserved.
This Tech Note tells you how to use an OpenLDAP server as a PGP keyserver and for storing PGPadmin preferences and key reconstruction data.
Install OpenLDAP.
See www.openldap.org for distributions and installation instructions. The remainder of these instructions will assume that you have a working installation of OpenLDAP with configuration files in /etc/openldap.
Install the PGP schema for OpenLDAP.
Copy pgp-keyserver.schema into /etc/openldap/schema.
Edit /etc/openldap/slapd.conf to add one more include line for this new schema file:
include /etc/openldap/schema/pgp-keyserver.schema
Optional: To allow users to upload some of the larger PGP keys, it is recommended that you increase the maximum allowed size of anonymous LDAP PDUs (Protocol Data Units), by adding this line to /etc/openldap/slapd.conf:
sockbuf_max_incoming 524288
Create space to store the PGP keys.
Assuming your root database is located at dc=DOMAIN,dc=COM, add the following lines to /etc/openldap/slapd.conf:
database ldbm
suffix "ou=PGP Keys,dc=DOMAIN,dc=COM"
index objectClass eq
index pgpCertID,pgpKeyID,pgpKeyType,pgpUserID,pgpKeyCreateTime sub,eq
index pgpSignerID,pgpSubKeyID,pgpKeySize,pgpKeyExpireTime sub,eq
index pgpDisabled,pgpRevoked eq
Set the access permissions on the new key store by adding this line to /etc/openldap/slapd.conf. It grants write access to everyone, anonymous binds included, which is what a keyserver that accepts key uploads from any client needs:
access to dn="ou=PGP Keys,dc=DOMAIN,dc=COM" by * write
Restart slapd.
Create a file called pgpkeyspace.ldif with the following contents:
dn: ou=PGP Keys,dc=DOMAIN,dc=COM
objectclass: organizationalUnit
ou: PGP Keys
And run the following command:
ldapadd -x -D "cn=Manager,dc=DOMAIN,dc=COM" -W -f pgpkeyspace.ldif
Add a PGPServerInfo entry to tell the client where the PGP keyspace is.
Create a file called pgpserverinfo.ldif with the following contents:
dn: cn=PGPServerInfo,ou=PGP Keys,dc=DOMAIN,dc=COM
cn: PGPServerInfo
objectclass: pgpserverinfo
pgpSoftware: OpenLDAP slapd
pgpVersion: 2.0.23
pgpBaseKeyspaceDN: ou=PGP Keys,dc=DOMAIN,dc=COM
The values of pgpSoftware and pgpVersion do not actually matter. They are just there for informational use.
Run the following command:
ldapadd -x -D "cn=Manager,dc=DOMAIN,dc=COM" -W -f pgpserverinfo.ldif
Send some keys to the server and search for them.
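The following Python script is an added example, not part of this Tech Note or of PGP Corporation's software. It builds the two LDIF files from the steps above for any base DN, reads them back with a small LDIF parser (folded lines and base64 "::" values included), and checks that the PGPServerInfo entry sits under the key store and advertises that same store in pgpBaseKeyspaceDN, which is the consistency the PGP client depends on. The domain example.com and the helper names (base_dn, keyspace_ldif, serverinfo_ldif, parse_ldif, check_serverinfo) are the example's own.

```python
# Added example: generate the keyserver LDIF for a base DN and validate that
# the PGPServerInfo entry matches the suffix configured in slapd.conf.
# "example.com" below stands in for dc=DOMAIN,dc=COM and is a constructed value.
import base64
import re


def base_dn(domain):
    """Turn 'example.com' into 'dc=example,dc=com'."""
    labels = [p for p in domain.strip().lower().split(".") if p]
    if not labels:
        raise ValueError("empty domain")
    return ",".join("dc=%s" % p for p in labels)


def keyspace_ldif(base):
    """Contents of pgpkeyspace.ldif: the organizationalUnit that holds the keys."""
    return ("dn: ou=PGP Keys,%s\n"
            "objectclass: organizationalUnit\n"
            "ou: PGP Keys\n") % base


def serverinfo_ldif(base, software="OpenLDAP slapd", version="2.0.23"):
    """Contents of pgpserverinfo.ldif: the entry the PGP client reads first."""
    keyspace = "ou=PGP Keys,%s" % base
    return ("dn: cn=PGPServerInfo,%s\n"
            "cn: PGPServerInfo\n"
            "objectclass: pgpserverinfo\n"
            "pgpSoftware: %s\n"
            "pgpVersion: %s\n"
            "pgpBaseKeyspaceDN: %s\n") % (keyspace, software, version, keyspace)


def parse_ldif(text):
    """Minimal LDIF reader: joins folded continuation lines, decodes '::' base64
    values, skips comments. Returns a list of {attr_lowercase: [values]} dicts."""
    entries, cur, lines = [], None, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if line == "":
            if cur:
                entries.append(cur)
            cur = None
            continue
        if line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
        if not m:
            raise ValueError("bad LDIF line: %r" % line)
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if cur is None:
            if attr != "dn":
                raise ValueError("entry must start with dn:")
            cur = {}
        cur.setdefault(attr, []).append(value)
    return entries


def check_serverinfo(serverinfo_text, suffix):
    """True when the single entry in serverinfo_text lives under `suffix`
    (the slapd.conf suffix of the key store) and advertises that same suffix
    as pgpBaseKeyspaceDN with objectclass pgpserverinfo."""
    (entry,) = parse_ldif(serverinfo_text)
    norm = lambda dn: dn.replace(", ", ",").lower()
    dn = norm(entry["dn"][0])
    keyspace = norm(entry.get("pgpbasekeyspacedn", [""])[0])
    classes = [v.lower() for v in entry.get("objectclass", [])]
    return (dn.endswith("," + norm(suffix))
            and keyspace == norm(suffix)
            and "pgpserverinfo" in classes)


if __name__ == "__main__":
    base = base_dn("example.com")
    print(keyspace_ldif(base))
    print(serverinfo_ldif(base))
    print("consistent:", check_serverinfo(serverinfo_ldif(base), "ou=PGP Keys," + base))
```

Write the two strings to pgpkeyspace.ldif and pgpserverinfo.ldif and load them with the ldapadd commands shown above; the check function is also useful against an existing server by feeding it the output of an ldapsearch for (objectclass=pgpserverinfo).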
Install OpenLDAP.
See www.openldap.org for distributions and installation instructions. The remainder of these instructions will assume that you have a working installation of OpenLDAP with configuration files in /etc/openldap.
Install the PGP schema for OpenLDAP.
Copy pgp-remte-prefs.schema into /etc/openldap/schema.
Edit /etc/openldap/slapd.conf to add one more include line for this new schema file:
include /etc/openldap/schema/pgp-remte-prefs.schema
Create space to store the admin prefs.
Assuming your root database is located at dc=DOMAIN,dc=COM, add the following lines to /etc/openldap/slapd.conf:
database ldbm
suffix "cn=pgpprefs,dc=DOMAIN,dc=COM"
index objectClass eq
index pgpElementType sub,eq
Set the access permissions on the new prefs store by adding this line to /etc/openldap/slapd.conf:
access to dn="cn=pgpprefs,dc=DOMAIN,dc=COM" by * read
Restart slapd.
Create a file called pgpprefsspace.ldif with the following contents:
dn: cn=pgpprefs,dc=DOMAIN,dc=COM
cn: pgpprefs
objectclass: pgpProfile
And run the following command:
ldapadd -x -D "cn=Manager,dc=DOMAIN,dc=COM" -W -f pgpprefsspace.ldif
You can now send prefs to the LDAP server, using "cn=pgpprefs,dc=DOMAIN,dc=COM" as the DN and binding as "cn=Manager,dc=DOMAIN,dc=COM" to upload them. Prefs can be downloaded anonymously by anyone.
Install OpenLDAP.
See www.openldap.org for distributions and installation instructions. The remainder of these instructions will assume that you have a working installation of OpenLDAP with configuration files in /etc/openldap.
Install the PGP schema for OpenLDAP.
Copy pgp-recon.schema into /etc/openldap/schema.
Edit /etc/openldap/slapd.conf to add one more include line for this new schema file:
include /etc/openldap/schema/pgp-recon.schema
Create a space for the user profiles.
Assuming your root database is located at dc=DOMAIN,dc=COM, add the following lines to /etc/openldap/slapd.conf:
database ldbm
suffix "ou=users,dc=DOMAIN,dc=COM"
index objectClass eq
index pgpReconCertID sub,eq
Set the access permissions to our new user profiles by adding these lines to /etc/openldap/slapd.conf:
# "by" clauses are evaluated in order and the first one that matches wins,
# so the specific clauses (self, anonymous) must come before the catch-all "*".
access to dn="pgpReconCertID=.*,cn=.*,ou=users,dc=DOMAIN,dc=COM"
    by dnattr=owner write
    by * none
access to dn="ou=users,dc=DOMAIN,dc=COM"
    by self write
    by anonymous auth
    by * read
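The following Python script is an added example, not code from this Tech Note or from OpenLDAP. It simulates the rule slapd applies to an access directive, first matching "by" clause wins, and runs two orderings of the user-profile ACL through it: one with the catch-all "by * read" ahead of "by self write", where a user binding as their own DN only ever gets read access, and one with the specific clauses first, where they get write on their own entry and an anonymous bind gets only auth. The simulator treats the dn pattern as an unanchored regular expression, which is how slapd matches regex-style dn patterns; it is a simplification (no attrs= selectors, no "break"/"continue"), and every DN and attribute value below is a constructed placeholder.

```python
# Added example: first-match simulator for slapd "access to ... by ..." directives,
# used to show why clause order in the ou=users ACL matters.
import re

# Access levels in increasing order, as slapd ranks them.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def by_matches(who, bind_dn, target_dn, owner_dns):
    """Does one 'by <who>' clause apply to a request made by bind_dn
    (None for an anonymous bind) against target_dn?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who == "dnattr=owner":
        # matches when the bound DN appears in the target entry's owner attribute
        return bind_dn is not None and bind_dn.lower() in [o.lower() for o in owner_dns]
    raise ValueError("unsupported who clause: %s" % who)


def access_for(acls, bind_dn, target_dn, owner_dns=()):
    """Return the access level granted to bind_dn on target_dn.

    Walks the 'access to' directives in order; the first whose dn regex matches
    the target is the only one consulted, and within it the first matching 'by'
    clause decides (no matching clause means 'none').  The dn pattern is searched
    unanchored, as slapd does for regex-style dn patterns.
    """
    for dn_regex, clauses in acls:
        if not re.search(dn_regex, target_dn, re.IGNORECASE):
            continue
        for who, level in clauses:
            if by_matches(who, bind_dn, target_dn, owner_dns):
                return level
        return "none"
    return "none"


def allows(level, wanted):
    """True when the granted level covers the wanted operation."""
    return LEVELS.index(level) >= LEVELS.index(wanted)


BASE = "dc=example,dc=com"        # constructed stand-in for dc=DOMAIN,dc=COM
USERS = "ou=users," + BASE
JOE = "cn=joe," + USERS

# Catch-all first: the "self" and "anonymous" clauses are never reached.
ACL_CATCHALL_FIRST = [
    ("pgpReconCertID=.*,cn=.*," + USERS, [("dnattr=owner", "write"), ("*", "none")]),
    (USERS, [("*", "read"), ("self", "write"), ("anonymous", "auth")]),
]

# Specific clauses first: a user can update their own entry (and so create the
# pgpReconCertID child under it) and anonymous binds get only enough to authenticate.
ACL_SPECIFIC_FIRST = [
    ("pgpReconCertID=.*,cn=.*," + USERS, [("dnattr=owner", "write"), ("*", "none")]),
    (USERS, [("self", "write"), ("anonymous", "auth"), ("*", "read")]),
]

if __name__ == "__main__":
    for name, acl in (("catch-all first", ACL_CATCHALL_FIRST),
                      ("specific first", ACL_SPECIFIC_FIRST)):
        print("%s: joe on own entry -> %s, anonymous on joe -> %s" % (
            name, access_for(acl, JOE, JOE), access_for(acl, None, JOE)))
```

Run it stand-alone to see the two orderings side by side; the dnattr=owner branch assumes the client writes its own DN into the owner attribute of the pgpReconCertID entry it creates, which is what the first access directive relies on.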
Restart slapd.
Create a file userspace.ldif with the following contents:
dn: ou=users,dc=DOMAIN,dc=COM
objectclass: organizationalUnit
ou: users
And run the following command:
ldapadd -x -D "cn=Manager,dc=DOMAIN,dc=COM" -W -f userspace.ldif
Add your users.
For example, to add user Joe Smith, use this LDIF file:
dn: cn=joe,ou=users,dc=DOMAIN,dc=COM
objectClass: organizationalPerson
sn: smith
cn: joe
userPassword: joesPassword
And this command:
ldapadd -x -D "cn=Manager,dc=DOMAIN,dc=COM" -W -f sampleuser.ldif
For more information about OpenLDAP passwords, see the OpenLDAP Faq-O-Matic at http://www.openldap.org/faq/ and the man pages for slappasswd(8c) and ldappasswd(1).
Use PGPadmin to configure the PGP client to send reconstruction data to ldap://yourserver/cn=$USERID,ou=users,dc=DOMAIN,dc=COM. Users will need to authenticate themselves with their username (the LDAP cn field) and their password.