PGP Corporation Tech Note

Windows 2000 Active Directory:
Setting Up and Troubleshooting Querying and Storage of PGP Keys

Copyright © 2002 by PGP Corporation. All Rights Reserved.


This Tech Note describes how to set up and troubleshoot the querying and storage of PGP keys with Windows 2000 Active Directory.

  1. Copy the pgpschema.ldf to a directory where you can access it from the machine on which you plan to do the import.

    This file is in LDIF (RFC 2849) format. LDIF stands for LDAP (RFC 2251) Data Interchange Format and is an Internet Standard for a common file format for operating on LDAP-compliant directory services from different vendors. You might choose to work on the DC (domain controller) itself, or log in on another machine as a user that has schema change rights. You should have the Windows 2000 support tool ldifde.exe in your path. ldifde stands for LDIF Directory Exchange. This is the only tool you need to effect the schema changes. The support tools installer automatically adds the target directory to your path.

  2. Open the ldf file in an editor that has search and replace capabilities. Search and replace DC=yoursubdomain,DC=yourdomain with your domain hierarchy (for example, DC=example,DC=com). Notepad, for example, would do the job on an interactive logon session. Save and close the file.
  3. Before the ldf file can be imported, the DC should be the Schema Master and schema updates should be allowed on the DC. Schema Master is a FSMO (Flexible Single Master Operations) role that makes the DC responsible for performing updates to the directory schema. The first DC installed in an enterprise is the Schema Master by default. In general, the fsmoRoleOwner property of the schema container on any DC has the DN of the nTDSDSA object whose parent is the Schema Master server.

    For more information on how to view and transfer the FSMO role of Schema Master, refer to Microsoft Knowledge Base articles Q255690 and Q255504.

    To turn on schema updates on the DC, run the MMC snapin called "Active Directory Schema". Right click on the root node of that snapin and choose Operations Master. A dialog pops up; make sure the check box that says "The schema may be modified on this Domain Controller" is checked. You may also achieve the same effect by setting the REG_DWORD value "Schema Update Allowed" to 1 (or greater) under the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

    For more on how to enable schema updates, refer to Microsoft Knowledge Base articles Q279978 and Q285172.

  4. In the simplest of cases you need to type on the command prompt "ldifde -i -f pgpschema.ldf -v".

    -i stands for import and -f supplies the file name to import from. -v turns on verbose mode.

    For more on command line options, type ldifde /? at the command prompt. See Microsoft Knowledge Base article Q237677 for more information on import and export using ldifde. Other options might be necessary (for example, if you have changed the server port from 389 to something else, or if you want the log files to be located in a different directory than the current directory).

  5. You should see the imports happening on screen for the entries. ldifde should create ldif.err and ldif.log files in the directory, providing more information about the import. If there is an error reported, the ldif.log file is very useful in identifying and locating the error and the line number. In case of an error, go to the erring line number and take a close look to see if anything looks suspicious. If nothing looks wrong, remove all successful entries before the erring line and save the file. Rerun ldifde with identical parameters and look for errors. Sometimes the "No such attribute" error can happen even though the attribute has been defined and imported. In any case, the deletions make the file smaller and easier to inspect while avoiding "already existing" errors when you try to import a second time.

    After a successful import, you should see the new attributes and classes in the lists shown by the "Active Directory Schema" MMC snapin. Their names always start with pgp.

  6. Now open the ADSI Edit MMC snapin and connect to the domain naming context ("Domain NC"). Go to the entry that corresponds to the path that you used to replace the domain paths in the ldf file. This will be the topmost node under the "Domain NC" node shown by ADSI Edit and will look like "DC=example,DC=com". Click on that node. You should see various objects under it, such as Builtin and Computers. We will refer to this as the topmost node.

    Now you need to create a container where PGP keys will be stored. Traverse the tree to a node where you would like to keep the keys container. Right click on the list on the right hand side and choose New Object from the context menu. Choose class as container. Name it as appropriate. Keep the DN of this container handy; you will be needing it soon.

    Go to the topmost node again. Right click on the list to the right and choose New Object from the context menu. The create object wizard comes up, asking you to choose a class. Choose pgpServerInfo and press Next. The ADSI Edit MMC snapin may report "An invalid Active Directory pathname was passed." In that case, cancel the wizard and right click on the Domain NC node and choose the "Update schema now" command. Then go back to the new object wizard and choose pgpServerInfo again. In the value for attribute CN, use "PGPServerInfo". This is very important. The PGP client looks for this CN after searching for the naming contexts. Press Next. The value for pgpBaseKeySpaceDN should be the DN of the container for PGP key storage. Type in the DN of the container you just created. You may set the optional string attributes pgpSoftware and pgpVersion as you deem appropriate by clicking on the More Attributes button. Press Finish.

  7. After creating the new object, you need to make sure the permissions allow the PGP client to access it. PGP currently talks LDAPv2 with simple authentication. Right click on the node under which you created the pgpServerInfo object. Click on the Security tab. Click the Advanced button and add "Everyone" to the access list. In the permission entry property sheet choose applies onto "This object and all child objects" and grant "List contents" and "Read All Properties" permissions. Check the box titled "Apply these permissions to objects and/or containers within this container only". Make sure that no other permission is accidentally turned on. Press OK. Verify that the pgpServerInfo object has inherited this permission. Check individual permissions on the new object and make sure that "Everyone" has the permissions exactly as you intended.

    You might want to check permissions on other immediate containers to make sure Everyone does not have more access than needed. Since this permission affects only the immediate containers, check to make sure that no access is being propagated to other containers within those containers.

  8. To further make sure the permissions are sufficient for PGP clients, you might want to access the pgpServerInfo object through LDAP. Run the support tool ldp. After connecting, choose Browse -> Search. In BaseDN, enter the DN of your object; something like "CN=PGPServerInfo, DC=yoursubdomain, DC=yourdomain". Leave the filter at "(objectClass=*)" and choose scope as base. Click Options. Delete all attributes in the Attributes field; leaving it empty requests all attributes from the LDAP server. Click OK, then click Run.

    You should see attributes of the newly created pgpServerInfo instance. If no attributes are returned, go back and check whether the required permissions are indeed granted.

  9. Next you need to make sure the permissions on the PGP key container object (whose DN is stored in the pgpBaseKeySpaceDN attribute) are sufficient. Right click on the key container node and choose Properties. Click on the Security tab. Click the Advanced button and add "Everyone" to the access list. In the permission entry property sheet, choose applies to "This object and all child objects" and grant "List contents", "Read All Properties", "Write All Properties", and "Create pgpKeyInfo objects" permissions. Check the box titled "Apply these permissions to objects and/or containers within this container only".

    If the permissions are correct, you will be able to upload keys from PGP applications. If an insufficient rights error is reported while uploading keys to the server, verify the access rights again and make sure the access is exactly as you intended it to be. Also, make sure the access is not any more than desired.

  10. Try uploading and searching for PGP keys.

Your Active Directory is now integrated with PGP.
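The two file-editing chores in the procedure above, the domain substitution of step 2 and the trimming of already-imported entries after a failed import in step 5, as an added Python helper (not part of this tech note or of PGP's tooling). It assumes the schema file carries the literal placeholder DC=yoursubdomain,DC=yourdomain and that ldif.log names a 1-based line number for the failing entry; the sample LDIF records below are constructed for the walkthrough.

```python
# Added helper for steps 2 and 5 above, not part of the PGP tech note.
# Assumes pgpschema.ldf uses the literal placeholder 'DC=yoursubdomain,DC=yourdomain'
# and that ldif.log reports a 1-based line number for the failing entry (step 5).
import re

PLACEHOLDER = "DC=yoursubdomain,DC=yourdomain"
DOMAIN_DN = re.compile(r"^DC=[^,]+(,DC=[^,]+)*$", re.IGNORECASE)

# Constructed sample shaped like the schema LDIF (RFC 2849): three records.
# For the walkthrough, ldifde is assumed to have rejected line 11.
SAMPLE = """dn: CN=pgpBaseKeySpaceDN,CN=Schema,CN=Configuration,DC=yoursubdomain,DC=yourdomain
changetype: add
objectClass: attributeSchema

dn: CN=pgpSoftware,CN=Schema,CN=Configuration,DC=yoursubdomain,DC=yourdomain
changetype: add
objectClass: attributeSchema

dn: CN=pgpKeyInfo,CN=Schema,CN=Configuration,DC=yoursubdomain,DC=yourdomain
changetype: add
objectClass: classSchema
"""

def rewrite_domain(ldif_text, domain_dn):
    """Step 2: swap the placeholder suffix for the real domain hierarchy.
    Rejects a malformed DN and a file with no placeholder to replace."""
    if not DOMAIN_DN.match(domain_dn):
        raise ValueError(f"not a DC-only DN: {domain_dn!r}")
    out, count = re.subn(re.escape(PLACEHOLDER), lambda _m: domain_dn,
                         ldif_text, flags=re.IGNORECASE)
    if count == 0:
        raise ValueError("placeholder not found; is this the right file?")
    return out

def drop_entries_before(ldif_text, error_line):
    """Step 5: keep the record containing the erring line and all later ones,
    so a rerun neither re-adds imported records nor masks the real error."""
    records, current, start = [], [], 0
    for number, line in enumerate(ldif_text.splitlines() + [""], start=1):
        if line.strip():                      # data or continuation line
            start = number if not current else start
            current.append(line)
        elif current:                         # blank line closes a record
            records.append((start, current))
            current = []
    kept = [lines for start, lines in records
            if start + len(lines) - 1 >= error_line]
    if not kept:
        raise ValueError(f"line {error_line} is beyond the last record")
    return "\n\n".join("\n".join(lines) for lines in kept) + "\n"
```

Run rewrite_domain on the whole file once before the first import, and drop_entries_before only on a copy of the file, with the line number taken from ldif.log, before rerunning ldifde with identical parameters.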