# gnupg-ldap-schema.ldif                                 -*- conf -*-
#
# Schema for an OpenPGP LDAP keyserver.  This is a slightly enhanced
# version of the original LDAP schema used by the legacy PGP keyservers,
# which is still deployed at a number of sites.  The attributes with the
# gpg prefix (OID arc 1.3.6.1.4.1.11591.2.4.1) are the GnuPG additions.
# The file is in OpenLDAP cn=config (olcSchemaConfig) format.
# Revision: 2020-10-07
#
# Review notes on the trust model (not part of the schema semantics):
#  - Only pgpKey carries the OpenPGP keyblock.  Every other attribute
#    (user IDs, key IDs, fingerprints, flags, dates, size) is index
#    metadata written by whoever stored the entry; nothing in this
#    schema binds it to the keyblock.  Clients should use those
#    attributes only to locate candidate entries and take fingerprint,
#    user IDs, revocation and expiry from the parsed keyblock itself.
#  - Most string attributes define a SUBSTR rule.  A client building a
#    filter from user input must escape the value per RFC 4515
#    ('*', '(', ')', '\' and NUL), otherwise the input can change the
#    meaning of the filter.

# Note: The index {1000} is just a high number so that OpenLDAP assigns
# the next available schema index when the entry is loaded.
dn: cn={1000}gnupg-keyserver,cn=schema,cn=config
objectClass: olcSchemaConfig
# Clients discover the base DN of the PGP key space by reading the
# pgpBaseKeySpaceDN attribute of the pgpServerInfo entry (normally
# 'ou=PGP Keys,dc=example,dc=com').  The syntax (...1.12) is DN.
olcAttributeTypes: {0}(
    1.3.6.1.4.1.3401.8.2.8
    NAME 'pgpBaseKeySpaceDN'
    DESC 'Points to DN of the object that will store the PGP keys.'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    SINGLE-VALUE )
# See gnupg-ldap-init.ldif for a description of the next two attributes
# (pgpSoftware and pgpVersion; both are Directory Strings).
olcAttributeTypes: {1}(
    1.3.6.1.4.1.3401.8.2.9
    NAME 'pgpSoftware'
    DESC 'Origin of the schema'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
olcAttributeTypes: {2}(
    1.3.6.1.4.1.3401.8.2.10
    NAME 'pgpVersion'
    DESC 'Version of this schema'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
#
# The attribute holding the OpenPGP keyblock.  The syntax (...1.26) is
# IA5 String, i.e. 7-bit ASCII, so the keyblock is stored in text form
# (ASCII armor) and not as raw binary.  No matching rule is defined, so
# the keyblock itself cannot be searched; use the index attributes
# below to find entries and then parse pgpKey.
# The legacy PGP LDAP server used pgpKeyV2 instead.
olcAttributeTypes: {3}(
    1.3.6.1.4.1.3401.8.2.11
    NAME 'pgpKey'
    DESC 'OpenPGP public key block'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE )
# The long (64-bit) key ID of the primary key.  Matching is
# case-insensitive, so upper- and lower-case hex digits are equivalent.
olcAttributeTypes: {4}(
    1.3.6.1.4.1.3401.8.2.12
    NAME 'pgpCertID'
    DESC 'OpenPGP long key id'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
# A flag to temporarily disable a keyblock without removing the entry.
# This is an operator-set flag on the server; OpenPGP keyblocks have no
# notion of being "disabled", so it cannot be derived from pgpKey.
olcAttributeTypes: {5}(
    1.3.6.1.4.1.3401.8.2.13
    NAME 'pgpDisabled'
    DESC 'pgpDisabled attribute for PGP'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
# The short (32-bit) key id.  This is not required by the schema and
# should not be used by client software: 32-bit key IDs are trivially
# collidable, so a lookup by short key ID may return an attacker's key.
olcAttributeTypes: {6}(
    1.3.6.1.4.1.3401.8.2.14
    NAME 'pgpKeyID'
    DESC 'OpenPGP short key id'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
# The algorithm of the primary key.  Legacy values were "RSA" or
# "DSS/DH".
olcAttributeTypes: {7}(
    1.3.6.1.4.1.3401.8.2.15
    NAME 'pgpKeyType'
    DESC 'pgpKeyType attribute for PGP'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
# The User-ID(s) of the key, one value per user ID.  GnuPG maps its
# user-ID classes to filters this way (%s is the user-supplied value,
# which must be RFC 4515 filter-escaped before substitution):
#     exact:   (pgpUserID=%s)
#     substr:  (pgpUserID=*%s*)
#     mail:    (pgpUserID=*<%s>*)
#     mailsub: (pgpUserID=*<*%s*>*)
#     mailend: (pgpUserID=*<*%s>*)
olcAttributeTypes: {8}(
    1.3.6.1.4.1.3401.8.2.16
    NAME 'pgpUserID'
    DESC 'User ID(s) associated with the key'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
# The creation time of the primary key.
# Stored as "YYYYMMDD HHMMSS", e.g. "20201231 120000".  Because the
# format is fixed width and zero padded, the string ordering given by
# caseIgnoreOrderingMatch is also chronological, so >= / <= filters
# behave as expected.
# NOTE(review): the time zone is not specified here; presumably UTC,
# confirm against the code that writes the entries.
olcAttributeTypes: {9}(
    1.3.6.1.4.1.3401.8.2.17
    NAME 'pgpKeyCreateTime'
    DESC 'Primary key creation time'
    EQUALITY caseIgnoreMatch
    ORDERING caseIgnoreOrderingMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
# Not used by GnuPG; presumably retained only so that entries written
# by the legacy server remain schema-valid.
olcAttributeTypes: {10}(
    1.3.6.1.4.1.3401.8.2.18
    NAME 'pgpSignerID'
    DESC 'pgpSignerID attribute for PGP'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
# A value of 1 indicates that the keyblock has been revoked.  This is a
# filtering hint only: the revocation signature inside the keyblock is
# authoritative and clients must check it themselves.  Absence of the
# flag does not prove that the key is unrevoked.
olcAttributeTypes: {11}(
    1.3.6.1.4.1.3401.8.2.19
    NAME 'pgpRevoked'
    DESC 'pgpRevoked attribute for PGP'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
# The long key IDs of the subkeys, one value per subkey.  Note that
# there is no short subkey ID attribute, even though the name parallels
# pgpKeyID (the short key ID of the primary key).
olcAttributeTypes: {12}(
    1.3.6.1.4.1.3401.8.2.20
    NAME 'pgpSubKeyID'
    DESC 'OpenPGP long Subkey ID(s) of the PGP key.'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
# A hint on the key size, stored as a string.  The syntax is Directory
# String and ORDERING is a string comparison, so values of different
# length do not sort numerically ("512" sorts after "4096"); do not
# rely on >= / <= filters on this attribute.
olcAttributeTypes: {13}(
    1.3.6.1.4.1.3401.8.2.21
    NAME 'pgpKeySize'
    DESC 'pgpKeySize attribute for PGP'
    EQUALITY caseIgnoreMatch
    ORDERING caseIgnoreOrderingMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
# Expiration time of the primary key.
# Stored as "YYYYMMDD HHMMSS", e.g. "20201231 120000" (same format and
# ordering properties as pgpKeyCreateTime).  Like pgpRevoked this is
# index metadata; the expiry in the keyblock's self-signature is
# authoritative.
olcAttributeTypes: {14}(
    1.3.6.1.4.1.3401.8.2.22
    NAME 'pgpKeyExpireTime'
    DESC 'pgpKeyExpireTime attribute for PGP'
    EQUALITY caseIgnoreMatch
    ORDERING caseIgnoreOrderingMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
#
# The hex encoded fingerprint of the primary key.  This is the only
# identifier in this schema that is collision resistant; clients
# should prefer it over pgpCertID/pgpKeyID for lookups and verify it
# against the fingerprint computed from the retrieved keyblock.
olcAttributeTypes: {15}(
    1.3.6.1.4.1.11591.2.4.1.1
    NAME 'gpgFingerprint'
    DESC 'Fingerprint of the primary key'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
# A list of hex encoded fingerprints of the subkeys, one value each.
olcAttributeTypes: {16}(
    1.3.6.1.4.1.11591.2.4.1.2
    NAME 'gpgSubFingerprint'
    DESC 'Fingerprints of the secondary keys'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
# A list of utf8 encoded addr-specs (the bare mail address, without
# display name or angle brackets), used instead of mail/rfc822Mailbox,
# presumably because those attributes are restricted to ASCII.  This
# lets a client look up a key by exact mail address with an EQUALITY
# filter instead of a substring scan over pgpUserID.  Note that
# caseIgnoreMatch compares the local part case-insensitively too.
olcAttributeTypes: {17}(
    1.3.6.1.4.1.11591.2.4.1.3
    NAME 'gpgMailbox'
    DESC 'The utf8 encoded addr-spec of a mailbox'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#
# Note: OID 1.3.6.1.4.1.11591.2.4.1.4 is reserved and must not be
# reused because it was in use for a short time during development.
#
#
# Object class of the entry that advertises OpenPGP keyserver support
# on a general-purpose LDAP server.  Its mandatory pgpBaseKeySpaceDN
# tells clients where the pgpKeyInfo entries live.
#
olcObjectClasses: {0}(
    1.3.6.1.4.1.3401.8.2.23
    NAME 'pgpServerInfo'
    DESC 'An OpenPGP public keyblock store'
    SUP top
    STRUCTURAL MUST ( cn $ pgpBaseKeySpaceDN )
                MAY ( pgpSoftware $ pgpVersion ) )
#
# The original PGP key object extended with the gpg* attributes.
# Only pgpCertID and pgpKey are mandatory.  New software should set
# the extra attributes as well, but this is not enforced so that
# entries written by the legacy server remain valid; clients must
# therefore cope with entries that lack gpgFingerprint, gpgMailbox etc.
olcObjectClasses: {1}(
    1.3.6.1.4.1.3401.8.2.24
    NAME 'pgpKeyInfo'
    DESC 'An OpenPGP public keyblock'
    SUP top
    STRUCTURAL MUST ( pgpCertID $ pgpKey )
                MAY ( pgpDisabled $ pgpKeyID $ pgpKeyType $
                      pgpUserID $ pgpKeyCreateTime $ pgpSignerID $
                      pgpRevoked $ pgpSubKeyID $ pgpKeySize $
                      pgpKeyExpireTime $ gpgFingerprint $
                      gpgSubFingerprint $ gpgMailbox ) )
#
# end-of-file
#