Re: Help with internal processing of add
"Kurt D. Zeilenga" wrote:
I have included two schemas, one for the Netscape roaming user and the PGP
schema I am using. I included them so people can look at them; I don't
trust my knowledge of schema design yet.
I think my ignorance of LDAP directory design is showing. I don't
understand what is being said here. I thought that NAI is using it as an
LDAP search function. You can search on name or email by sending a filter
on the DN of pgpuserid; you can search for key numbers by using
pgpcertificate. There is no key authority, only a web of trust. X.509 and
S/MIME do use a key authority. Any person can say "yes, that key is
valid".
There can also be subkeys, where the encrypting key can be changed every
week. This means the server needs to keep two keys for that person. The
RFC defines the key transfer packet.
The one pgpSecurityObject has the armored key and name attributes and
other attributes.
Can one item have two types of search?
dn: pgpuserid=XXXX,pgpcertid=xxxxxx,ou=active,o=pgp keyspace
pgpkey: ------PGP.........
pgpuserid: xxxxx
pgpcertid: xxxxx
...
Can there be a search on pgpuserid (*foo*) and/or pgpcertid (xxxxxxxx)
in one record?
By using one record instead of two, a simple patch in slapd/add.c
(5 lines) and a pgp subdirectory is all that is needed.
Shaun Savage
>
> The directory server should just be a repository for PGP keys. The
> schema should be modeled after the schema used to hold X.509 and
> SMIME keys. The only PGP specific smarts the directory server
> should have is knowledge of the PGP key syntax and matching rules.
> I would suggest defining an auxiliary object class (pGPSecurityObject)
> which allowed one attribute type (pGPPublicKey) to be added to any
> entry. This attribute type would be of syntax pgpPublicKeySynax
> with an appropriate equality matching rule. I suggest then defining
> a number of extensible matching rules to allow match by id, e-mail,
> etc. This provides the ability for clients to add/delete keys from
> the directory as well as the ability for clients to locate keys within
> the directory.
>
> However, the directory does not provide key management or key
> authority functionality. These functions should be performed
> by an appropriate authorized client. PGP clients needing to
> update a key (such as when signing a key), should talk to
> a PGP key authority which in turn would update the directory
> as needed. Note that the PGP client could use information in
> the directory to locate the PGP key authority.
>
> The current (NAI) PGP keyserver design combined the functions of the
> key authority and directory service which, IMO, is not terribly
> smart. It hinders implementation of proper security and disallows
> the use of general-purpose directory services.
#
# pgp-keyserver-schema.conf
#
# PGP Key Server schema
#
# I added
#attribute pgpBasePendingDN 1.3.6.1.4.1.3401.8.2.7 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.7
NAME 'basePendingDN'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#attribute pgpBaseKeySpaceDN 1.3.6.1.4.1.3401.8.2.8 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.8
NAME 'baseKeySpaceDN'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#attribute pgpSoftware 1.3.6.1.4.1.3401.8.2.9 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.9
NAME 'Software'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
# EQUALITY caseIgnoreMatch
#attribute pgpVersion 1.3.6.1.4.1.3401.8.2.10 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.10
NAME 'Version'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
# EQUALITY caseIgnoreMatch
#attribute pgpKey 1.3.6.1.4.1.3401.8.2.11 ces
attributeType ( 1.3.6.1.4.1.3401.8.2.11
NAME 'pgpKey'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#attribute pgpCertID 1.3.6.1.4.1.3401.8.2.12 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.12
NAME 'pgpCertID'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#attribute pgpDisabled 1.3.6.1.4.1.3401.8.2.13 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.13
NAME 'pgpDisabled'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#attribute pgpKeyID 1.3.6.1.4.1.3401.8.2.14 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.14
NAME 'pgpKeyID'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#attribute pgpKeyType 1.3.6.1.4.1.3401.8.2.15 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.15
NAME 'pgpKeyType'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#attribute pgpUserID 1.3.6.1.4.1.3401.8.2.16 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.16
NAME 'pgpUserID'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#attribute pgpKeyCreateTime 1.3.6.1.4.1.3401.8.2.17 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.17
NAME 'pgpKeyCreateTime'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#attribute pgpSignerID 1.3.6.1.4.1.3401.8.2.18 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.18
NAME 'pgpSignerID'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#attribute pgpRevoked 1.3.6.1.4.1.3401.8.2.19 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.19
NAME 'pgpRevoked'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#attribute pgpSubKeyID 1.3.6.1.4.1.3401.8.2.20 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.20
NAME 'pgpSubKeyID'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#attribute pgpKeySize 1.3.6.1.4.1.3401.8.2.21 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.21
NAME 'pgpKeySize'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#attribute pgpKeyExpireTime 1.3.6.1.4.1.3401.8.2.22 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.22
NAME 'pgpKeyExpireTime'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#objectclass pgpServerInfo
# oid 1.3.6.1.4.1.3401.8.2.23
# requires
# objectclass,
# cn,
# pgpBaseKeySpaceDN
# allows
# pgpSoftware,
# pgpVersion
objectclass ( 1.3.6.1.4.1.3401.8.2.23
NAME 'pgpServerInfo'
MUST ( objectclass $ cn $ baseKeySpaceDN $ basePendingDN )
MAY ( Software $ Version ) )
#objectclass pgpKey
# oid 1.3.6.1.4.1.3401.8.2.24
# requires
# objectclass,
# pgpKey
# allows
# pgpCertID,
# pgpDisabled,
# pgpKeyID,
# pgpKeyType,
# pgpUserID,
# pgpKeyCreateTime,
# pgpSignerID,
# pgpRevoked,
# pgpSubKeyID,
# pgpKeySize,
# pgpKeyExpireTime
#objectclass ( 1.3.6.1.4.1.3401.8.2.24
# NAME 'pgpKey'
# MUST ( objectclass $ pgpKey )
# MAY ( pgpCertID $ pgpDisabled $ pgpKeyID $ pgpKeyType $ pgpUserID $ pgpKeyCreateTime $ pgpSignerID $ pgpRevoked $ pgpSubKeyID $ pgpKeySize $ pgpKeyExpireTime ) )
objectclass ( 1.3.6.1.4.1.3401.8.2.25
NAME 'pgpUserID'
MUST ( objectclass $ pgpCertID $ pgpDisabled $ pgpKeyID $ pgpKeyType $ pgpUserID $ pgpKeyCreateTime $ pgpSignerID $ pgpRevoked $ pgpKeySize $ pgpKeyExpireTime $ modifyTimestamp )
MAY ( pgpSubKeyID ) )
objectclass ( 1.3.6.1.4.1.3401.8.2.26
NAME 'pgpCertificate'
MUST ( objectclass $ pgpKey )
MAY ( version $ modifyTimestamp ) )
# ns-mcd-li.schema
## Originally from
## http://help.netscape.com/products/client/communicator/manual_roaming2.html
## Edited to work with OpenLDAP 2.x by Hugo van der Kooij <hugo@vanderkooij.org>
# The original file can be found in a LinuxWorld article on
# http://www.linuxworld.com/linuxworld/lw-1999-09/lw-09-ldap-netscape.html
# Many thanks to Kartik Subbarao <subbarao@computer.org> for this nice article
#
# Netscape Mission Control Desktop Roaming Access schema
#
#ORG# attribute nsLIPtrURL 2.16.840.1.113730.3.1.399 ces
attributeType ( 2.16.840.1.113730.3.1.399
NAME 'nsLIPtrURL'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#ORG# attribute nsLIPrefs 2.16.840.1.113730.3.1.400 ces
attributeType ( 2.16.840.1.113730.3.1.400
NAME 'nsLIPrefs'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#ORG# attribute nsLIProfileName 2.16.840.1.113730.3.1.401 cis
attributeType ( 2.16.840.1.113730.3.1.401
NAME 'nsLIProfileName'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#ORG# attribute nsLIData 2.16.840.1.113730.3.1.402 bin
attributeType ( 2.16.840.1.113730.3.1.402
NAME 'nsLIData'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# EQUALITY octetString
#ORG# attribute nsLIElementType 2.16.840.1.113730.3.1.403 cis
attributeType ( 2.16.840.1.113730.3.1.403
NAME 'nsLIElementType'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#ORG# attribute nsLIServerType 2.16.840.1.113730.3.1.404 cis
attributeType ( 2.16.840.1.113730.3.1.404
NAME 'nsLIServerType'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#ORG# ##attribute nsLIVersion 2.16.840.1.113730.3.1.405 integer
#ORG# attribute nsLIVersion 2.16.840.1.113730.3.1.405 bin
attributeType ( 2.16.840.1.113730.3.1.405
NAME 'nsLIVersion'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )
# EQUALITY octetString
#ORG# attribute nsServerPort 2.16.840.1.113730.3.1.280 cis
attributeType ( 2.16.840.1.113730.3.1.280
NAME 'nsServerPort'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#ORG# objectclass nsLIPtr
#ORG# ## oid 2.16.840.1.113730.3.2.74
#ORG# requires
#ORG# objectclass
#ORG# allows
#ORG# nsLIPtrURL,
#ORG# owner
objectclass ( 2.16.840.1.113730.3.2.74
NAME 'nsLIPtr'
MUST objectclass
MAY ( nsLIPtrURL $ owner ) )
#ORG# objectclass nsLIProfile
#ORG# ## oid 2.16.840.1.113730.3.2.75
#ORG# requires
#ORG# objectclass,
#ORG# nsLIProfileName
#ORG# allows
#ORG# nsLIPrefs,
#ORG# uid,
#ORG# owner
objectclass ( 2.16.840.1.113730.3.2.75
NAME 'nsLIProfile'
MUST ( objectclass $ nsLIProfileName )
MAY ( nsLIPrefs $ uid $ owner ) )
#ORG# objectclass nsLIProfileElement
#ORG# ## oid 2.16.840.1.113730.3.2.76
#ORG# requires
#ORG# objectclass,
#ORG# nsLIElementType
#ORG# allows
#ORG# owner,
#ORG# nsLIData
#ORG# nsLIVersion
objectclass ( 2.16.840.1.113730.3.2.76
NAME 'nsLIProfileElement'
MUST ( objectclass $ nsLIElementType )
MAY ( owner $ nsLIData $ nsLIVersion ) )
#ORG# objectclass nsLIServer
#ORG# ## oid 2.16.840.1.113730.3.2.77
#ORG# requires
#ORG# objectclass,
#ORG# serverhostname
#ORG# allows
#ORG# description,
#ORG# cn,
#ORG# nsServerPort,
#ORG# nsLIServerType,
#ORG# serverroot
#objectclass ( 2.16.840.1.113730.3.2.77
# NAME 'nsLIServer'
# MUST ( objectclass $ serverhostname )
# MAY ( description $ cn $ nsServerPort $ nsLIServerType $ serverroot ) )
# EOF
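As an added example (not code from the posted message, from NAI or from OpenLDAP), a small Python checker run over an excerpt of the posted pgp-keyserver-schema.conf: it parses the attributeType and objectclass definitions, shows that pgpUserID declares a SUBSTR rule while pgpCertID declares only EQUALITY (which bears on the (*foo*) question above), and flags modifyTimestamp in the MUST list of the pgpUserID objectclass. The CORE and OPERATIONAL name sets and the helper names are assumptions of this example.

```python
import re

# Excerpt of the pgp-keyserver-schema.conf posted in the message (not the full file).
SCHEMA = """\
attributeType ( 1.3.6.1.4.1.3401.8.2.12
NAME 'pgpCertID'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeType ( 1.3.6.1.4.1.3401.8.2.16
NAME 'pgpUserID'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeType ( 1.3.6.1.4.1.3401.8.2.20
NAME 'pgpSubKeyID'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectclass ( 1.3.6.1.4.1.3401.8.2.25
NAME 'pgpUserID'
MUST ( objectclass $ pgpCertID $ pgpUserID $ modifyTimestamp)
MAY ( pgpSubKeyID ) )
"""
# Assumed: core-schema names slapd supplies, and attributes only the server itself sets.
CORE = {"objectclass", "cn", "uid", "owner", "description", "version"}
OPERATIONAL = {"modifytimestamp", "createtimestamp", "modifiersname", "creatorsname"}

def _members(chunk, kw):
    # A MUST/MAY list is either "( a $ b )" or one bare name, as in "MUST objectclass".
    m = re.search(rf"\b{kw}\s+(?:\(\s*([^()]*?)\s*\)|(\S+))", chunk)
    return [a.strip().lower() for a in (m.group(1) or m.group(2)).split("$")] if m else []

def parse_schema(text):
    """Return ({attr: {EQUALITY, SUBSTR, SYNTAX}}, {class: {MUST, MAY}}), names lowercased."""
    attrs, classes = {}, {}
    pieces = re.split(r"^(?=attributetype|objectclass)", text, flags=re.M | re.I)
    for chunk in filter(None, (" ".join(p.split()) for p in pieces)):  # fold continuation lines
        name = re.search(r"NAME '([^']+)'", chunk).group(1).lower()
        if chunk.lower().startswith("attributetype"):
            attrs[name] = {k: m.group(1) for k in ("EQUALITY", "SUBSTR", "SYNTAX")
                           if (m := re.search(rf"\b{k} (\S+)", chunk))}
        else:
            classes[name] = {k: _members(chunk, k) for k in ("MUST", "MAY")}
    return attrs, classes

def lint_class(attrs, classes, name):
    """Things to check before loading this objectclass: undefined attributes, operational MUSTs."""
    oc = classes[name.lower()]
    known = attrs.keys() | CORE | OPERATIONAL
    return {"undefined": [a for a in oc["MUST"] + oc["MAY"] if a not in known],
            "operational_in_must": [a for a in oc["MUST"] if a in OPERATIONAL]}
```

A substring filter such as (pgpUserID=*foo*) is only defined for attributes that declare a SUBSTR rule, so the parsed result shows which of the two attributes in the same entry can carry that kind of search.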