
Re: Help with internal processing of add



"Kurt D. Zeilenga" wrote:
I have included two schemas, one for the Netscape roaming user and the PGP
schema I am using.  I included them so people can look at them; I don't
trust my knowledge of schema design yet.


I think my ignorance of LDAP directory design is showing.  I don't
understand what is being said here.  I thought that NAI is using it as an
LDAP search function: you can search on name or email by sending a filter
on the DN of pgpuserid, and you can search for key numbers by using
pgpcertificate.  There is no key authority, only a web of trust.  X.509 and
S/MIME do use a key authority.  Any person can say "yes, that key is
valid".

There can also be subkeys, where the encrypting key can be changed every
week.  This means the server needs to keep two keys for that person.  The
RFC defines the key transfer packet.

The one pgpSecurityObject has the armored key and name attributes and
other attributes.
Can one item have two types of search?

dn: pgpuserid=XXXX,pgpcertid=xxxxxx,ou=active,o=pgp keyspace
pgpkey:  ------PGP.........
pgpuserid: xxxxx
pgpcertid: xxxxx
...

Can there be a search on pgpuserid (*foo*) and/or pgpcertid (xxxxxxxx)
in one record?

By using one record instead of two, a simple patch in slapd/add.c
(5 lines) and a pgp subdirectory is all that is needed.

Shaun Savage 

> 
> The directory server should just be repository for PGP keys.  The
> schema should be modeled after the schema used to hold X.509 and
> SMIME keys.  The only PGP specific smarts the directory server
> should have is knowledge of the PGP key syntax and matching rules.
> I would suggest defining an auxiliary object class (pGPSecurityObject)
> which allowed one attribute type (pGPPublicKey) to be added to any
> entry.  This attribute type would be of syntax pgpPublicKeySyntax
> with an appropriate equality matching rule.  I suggest then defining
> a number of extensible matching rules to allow match by id, e-mail,
> etc.  This provides the ability for clients to add/delete keys from
> the directory as well as the ability for clients to locate keys within
> the directory.
> 
> However, the directory does not provide key management or key
> authority functionality.  These functions should be performed
> by an appropriate authorized client.   PGP clients needing to
> update a key (such as when signing a key), should talk to
> a PGP key authority which in turn would update the directory
> as needed.  Note that the PGP client could use information in
> the directory to locate the PGP key authority.
> 
> The current (NAI) PGP keyserver design combined the functions of the
> key authority and directory service which, IMO, is not terribly
> smart.  It hinders implementation of proper security and disallows
> the use of general-purpose directory services.
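The "pgpuserid (*foo*) and/or pgpcertid (xxxxxxxx) in one record" search asked about above, as an added example that is not part of the original message or of NAI's keyserver. It assumes the attribute names and matching rules of the posted pgp-keyserver-schema.conf (pgpUserID with caseIgnoreSubstringsMatch, pgpCertID with caseIgnoreMatch) and an entry shaped like the dn/pgpKey/pgpUserID/pgpCertID record in the post; the entries it searches are constructed for the example and the key blocks are not real. The point it adds beyond the question is the escaping: whatever the user typed has to be hex-escaped before it goes into the filter, or a "cert ID" of `*` turns the lookup into a dump of every key.

```python
"""Search filters for the single-entry PGP key layout asked about above.

Added example; not code from the thread or from NAI's keyserver.  Assumes
the posted schema's attribute names and matching rules (pgpUserID with
caseIgnoreSubstringsMatch, pgpCertID with caseIgnoreMatch) and an entry
shaped like the dn/pgpKey/pgpUserID/pgpCertID record in the post.  The
entries below are constructed for this example; the key blocks are not real.
"""

# RFC 4515: these characters must be hex-escaped inside a filter value.  If a
# user-supplied fragment reaches the filter unescaped, the caller can rewrite
# the filter (LDAP injection), e.g. turn an exact pgpCertID lookup into a
# wildcard that matches every key in the keyspace.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def pgp_key_filter(userid_substring=None, cert_id=None, match_all=False):
    """Filter tree for 'pgpuserid (*foo*) and/or pgpcertid (xxxxxxxx)'.

    Nodes are ("and"|"or", [children]) or ("eq"|"substr", attribute, value).
    match_all=False gives the 'or' form, match_all=True the 'and' form.
    """
    terms = []
    if userid_substring:
        terms.append(("substr", "pgpUserID", userid_substring))
    if cert_id:
        terms.append(("eq", "pgpCertID", cert_id))
    if not terms:
        raise ValueError("need a user ID fragment and/or a certificate ID")
    inner = terms[0] if len(terms) == 1 else ("and" if match_all else "or", terms)
    # Restrict to key entries so the search never returns pgpServerInfo etc.
    return ("and", [("eq", "objectClass", "pgpUserID"), inner])


def render(node):
    """Serialise a filter tree to RFC 4515 text; every value is escaped."""
    kind = node[0]
    if kind in ("and", "or"):
        op = "&" if kind == "and" else "|"
        return "(%s%s)" % (op, "".join(render(child) for child in node[1]))
    _, attr, value = node
    if kind == "eq":
        return "(%s=%s)" % (attr, escape_filter_value(value))
    return "(%s=*%s*)" % (attr, escape_filter_value(value))


def _values(entry, attr):
    """Attribute names are case-insensitive in LDAP."""
    for key, vals in entry.items():
        if key.lower() == attr.lower():
            return vals
    return []


def matches(node, entry):
    """Evaluate the tree with the schema's rules: caseIgnoreMatch for
    equality, caseIgnoreSubstringsMatch for the substring term."""
    kind = node[0]
    if kind == "and":
        return all(matches(child, entry) for child in node[1])
    if kind == "or":
        return any(matches(child, entry) for child in node[1])
    _, attr, value = node
    vals = [v.lower() for v in _values(entry, attr)]
    if kind == "eq":
        return value.lower() in vals
    return any(value.lower() in v for v in vals)


SAMPLE_ENTRIES = [  # constructed for this example
    {"dn": "pgpCertID=0123456789ABCDEF,ou=active,o=pgp keyspace",
     "objectClass": ["pgpUserID"],
     "pgpUserID": ["Foo Example <foo@example.org>"],
     "pgpCertID": ["0123456789ABCDEF"],
     "pgpKey": ["-----BEGIN PGP PUBLIC KEY BLOCK-----..."]},
    {"dn": "pgpCertID=FEDCBA9876543210,ou=active,o=pgp keyspace",
     "objectClass": ["pgpUserID"],
     "pgpUserID": ["Bar Example <bar@example.org>"],
     "pgpCertID": ["FEDCBA9876543210"],
     "pgpKey": ["-----BEGIN PGP PUBLIC KEY BLOCK-----..."]},
    {"dn": "cn=pgpServerInfo,o=pgp keyspace",
     "objectClass": ["pgpServerInfo"], "cn": ["pgpServerInfo"]},
]


def search(node, entries=SAMPLE_ENTRIES):
    """DNs of the entries the filter selects."""
    return [e["dn"] for e in entries if matches(node, e)]


if __name__ == "__main__":
    f = pgp_key_filter(userid_substring="foo", cert_id="FEDCBA9876543210")
    print(render(f), search(f))
    # A hostile cert_id of "*" is escaped to \2a and matches nothing.
    hostile = pgp_key_filter(cert_id="*")
    print(render(hostile), search(hostile))
```

render() produces the string to hand to ldapsearch or an LDAP client library; matches() only stands in for the server so the example runs offline. Two caveats follow from the posted schema: pgpUserID carries a SUBSTR rule, so the `*foo*` term is legal, while pgpKey and pgpCertID have only an EQUALITY rule, so a substring filter on either of them evaluates to Undefined and matches nothing; and because pgpCertID uses caseIgnoreMatch, the evaluator compares case-insensitively, as the server would.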
#
# pgp-keyserver-schema.conf
#
# PGP Key Server schema
#

#I added 
#attribute pgpBasePendingDN     1.3.6.1.4.1.3401.8.2.7  cis
attributeType ( 1.3.6.1.4.1.3401.8.2.7
	NAME 'basePendingDN'
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 
#attribute pgpBaseKeySpaceDN     1.3.6.1.4.1.3401.8.2.8  cis
attributeType ( 1.3.6.1.4.1.3401.8.2.8
	NAME 'baseKeySpaceDN'
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 
#attribute pgpSoftware           1.3.6.1.4.1.3401.8.2.9  cis
attributeType ( 1.3.6.1.4.1.3401.8.2.9
	NAME 'Software'
	SYNTAX	1.3.6.1.4.1.1466.115.121.1.15 )
#	EQUALITY caseIgnoreMatch

#attribute pgpVersion            1.3.6.1.4.1.3401.8.2.10 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.10
	NAME 'Version'
	SYNTAX	1.3.6.1.4.1.1466.115.121.1.15 )
#	EQUALITY caseIgnoreMatch 
	
#attribute pgpKey                1.3.6.1.4.1.3401.8.2.11 ces
# IA5 String syntax (.1.26) takes the IA5 matching rules; caseIgnoreMatch is
# defined for Directory String (.1.15) only.  The original was 'ces' (case
# exact), which for an armored key block is the right choice.
attributeType ( 1.3.6.1.4.1.3401.8.2.11
	NAME 'pgpKey'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

#attribute pgpCertID             1.3.6.1.4.1.3401.8.2.12 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.12
	NAME  'pgpCertID'
	EQUALITY caseIgnoreMatch 
	SYNTAX	1.3.6.1.4.1.1466.115.121.1.15 )

#attribute pgpDisabled           1.3.6.1.4.1.3401.8.2.13 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.13
	NAME 'pgpDisabled' 
	EQUALITY caseIgnoreMatch 
	SYNTAX	1.3.6.1.4.1.1466.115.121.1.15 )

#attribute pgpKeyID              1.3.6.1.4.1.3401.8.2.14 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.14
	NAME 'pgpKeyID'
	EQUALITY caseIgnoreMatch 
	SYNTAX	1.3.6.1.4.1.1466.115.121.1.15 )

#attribute pgpKeyType            1.3.6.1.4.1.3401.8.2.15 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.15
	NAME 'pgpKeyType'
	EQUALITY caseExactMatch 
	SYNTAX	1.3.6.1.4.1.1466.115.121.1.15 )

#attribute pgpUserID             1.3.6.1.4.1.3401.8.2.16 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.16
	NAME 'pgpUserID'   
	EQUALITY caseIgnoreMatch 
	SUBSTR caseIgnoreSubstringsMatch
	SYNTAX	1.3.6.1.4.1.1466.115.121.1.15 )

#attribute pgpKeyCreateTime      1.3.6.1.4.1.3401.8.2.17 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.17
	NAME 'pgpKeyCreateTime'
	EQUALITY caseExactMatch 
	SYNTAX	1.3.6.1.4.1.1466.115.121.1.15 )

#attribute pgpSignerID           1.3.6.1.4.1.3401.8.2.18 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.18
	NAME 'pgpSignerID'
	EQUALITY caseIgnoreMatch 
	SYNTAX	1.3.6.1.4.1.1466.115.121.1.15 )

#attribute pgpRevoked            1.3.6.1.4.1.3401.8.2.19 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.19
	NAME 'pgpRevoked'
	EQUALITY caseExactMatch 
	SYNTAX	1.3.6.1.4.1.1466.115.121.1.15 )

#attribute pgpSubKeyID           1.3.6.1.4.1.3401.8.2.20 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.20
	NAME 'pgpSubKeyID'
	EQUALITY caseIgnoreMatch 
	SYNTAX	1.3.6.1.4.1.1466.115.121.1.15 )

#attribute pgpKeySize            1.3.6.1.4.1.3401.8.2.21 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.21
	NAME 'pgpKeySize'
	EQUALITY caseExactMatch 
	SYNTAX	1.3.6.1.4.1.1466.115.121.1.15 )

#attribute pgpKeyExpireTime      1.3.6.1.4.1.3401.8.2.22 cis
attributeType ( 1.3.6.1.4.1.3401.8.2.22
	NAME 'pgpKeyExpireTime' 
	EQUALITY caseExactMatch 
	SYNTAX	1.3.6.1.4.1.1466.115.121.1.15 )

#objectclass pgpServerInfo
#    oid 1.3.6.1.4.1.3401.8.2.23
#    requires
#        objectclass,
#        cn,
#        pgpBaseKeySpaceDN
#    allows
#        pgpSoftware,
#        pgpVersion
objectclass ( 1.3.6.1.4.1.3401.8.2.23
	NAME 'pgpServerInfo'
	MUST ( objectclass $ cn $ baseKeySpaceDN $ basePendingDN )
	MAY  (Software $ Version ) )

#objectclass pgpKey
#    oid 1.3.6.1.4.1.3401.8.2.24
#    requires
#        objectclass,
#        pgpKey
#    allows
#        pgpCertID,
#        pgpDisabled,
#        pgpKeyID,
#        pgpKeyType,
#        pgpUserID,
#        pgpKeyCreateTime,
#        pgpSignerID,
#        pgpRevoked,
#        pgpSubKeyID,
#        pgpKeySize,
#        pgpKeyExpireTime

#objectclass ( 1.3.6.1.4.1.3401.8.2.24
#	NAME 'pgpKey'
#	MUST ( objectclass $ pgpKey )
#	MAY  ( pgpCertID $ pgpDisabled $ pgpKeyID $ pgpKeyType $ pgpUserID $ pgpKeyCreateTime $ pgpSignerID $ pgpRevoked $ pgpSubKeyID $ pgpKeySize $ pgpKeyExpireTime ) )

# modifyTimestamp is an operational attribute that slapd maintains itself.
# Clients cannot supply it, so it cannot be in MUST (every add would fail the
# schema check), and it is unnecessary in MAY since slapd attaches it anyway.
objectclass ( 1.3.6.1.4.1.3401.8.2.25
	NAME 'pgpUserID'
	MUST  ( objectclass $ pgpCertID $ pgpDisabled $ pgpKeyID $ pgpKeyType $ pgpUserID $ pgpKeyCreateTime $ pgpSignerID $ pgpRevoked $ pgpKeySize $ pgpKeyExpireTime )
	MAY  ( pgpSubKeyID ) )

objectclass ( 1.3.6.1.4.1.3401.8.2.26
	NAME 'pgpCertificate'
	MUST ( objectclass $ pgpKey )
	MAY  ( version ) )


# ns-mcd-li.schema
## Originally from
## http://help.netscape.com/products/client/communicator/manual_roaming2.html
## Edited to work with OpenLDAP 2.x by Hugo van der Kooij <hugo@vanderkooij.org>
# The original file can be found in a LinuxWorld article on
# http://www.linuxworld.com/linuxworld/lw-1999-09/lw-09-ldap-netscape.html
# Many thanks to Kartik Subbarao <subbarao@computer.org> for this nice article
#
# Netscape Mission Control Desktop Roaming Access schema
#

#ORG#	attribute nsLIPtrURL 2.16.840.1.113730.3.1.399 ces 
# 'ces' on an IA5 String (.1.26) is caseExactIA5Match; caseExactMatch is
# defined for Directory String (.1.15) only.
attributeType ( 2.16.840.1.113730.3.1.399
	NAME 'nsLIPtrURL'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

#ORG#	attribute nsLIPrefs 2.16.840.1.113730.3.1.400 ces 
attributeType ( 2.16.840.1.113730.3.1.400
	NAME 'nsLIPrefs'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

#ORG#	attribute nsLIProfileName 2.16.840.1.113730.3.1.401 cis 
attributeType ( 2.16.840.1.113730.3.1.401
	NAME 'nsLIProfileName'
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

#ORG#	attribute nsLIData 2.16.840.1.113730.3.1.402 bin 
# The original is 'bin': Binary syntax is 1.3.6.1.4.1.1466.115.121.1.5.
# (.1.27 is INTEGER, the wrong syntax for an opaque preference blob.)
attributeType ( 2.16.840.1.113730.3.1.402
	NAME 'nsLIData'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE )
#	EQUALITY octetString

#ORG#	attribute nsLIElementType 2.16.840.1.113730.3.1.403 cis 
attributeType ( 2.16.840.1.113730.3.1.403
	NAME 'nsLIElementType'
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

#ORG#	attribute nsLIServerType 2.16.840.1.113730.3.1.404 cis
attributeType ( 2.16.840.1.113730.3.1.404
	NAME 'nsLIServerType'
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

#ORG#	##attribute nsLIVersion 2.16.840.1.113730.3.1.405 integer
#ORG#	attribute nsLIVersion 2.16.840.1.113730.3.1.405 bin
attributeType ( 2.16.840.1.113730.3.1.405
	NAME 'nsLIVersion'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )
#	EQUALITY octetString )

#ORG#	attribute nsServerPort 2.16.840.1.113730.3.1.280 cis
attributeType ( 2.16.840.1.113730.3.1.280
	NAME 'nsServerPort'
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )


#ORG#	objectclass nsLIPtr
#ORG#	## oid 2.16.840.1.113730.3.2.74
#ORG#		requires
#ORG#			objectclass
#ORG#		allows
#ORG#			nsLIPtrURL,
#ORG#			owner
objectclass ( 2.16.840.1.113730.3.2.74
	NAME 'nsLIPtr'
	MUST  objectclass 
	MAY ( nsLIPtrURL $ owner ) )

#ORG#	objectclass nsLIProfile
#ORG#	## oid 2.16.840.1.113730.3.2.75
#ORG#		requires
#ORG#			objectclass,
#ORG#			nsLIProfileName
#ORG#		allows
#ORG#			nsLIPrefs,
#ORG#			uid,
#ORG#			owner
objectclass ( 2.16.840.1.113730.3.2.75
	NAME 'nsLIProfile'
	MUST ( objectclass $ nsLIProfileName )
	MAY ( nsLIPrefs $ uid $ owner ) )

#ORG#	objectclass nsLIProfileElement
#ORG#	## oid 2.16.840.1.113730.3.2.76
#ORG#		requires
#ORG#			objectclass,
#ORG#			nsLIElementType
#ORG#		allows
#ORG#			owner,
#ORG#			nsLIData
#ORG#			nsLIVersion
objectclass ( 2.16.840.1.113730.3.2.76
	NAME 'nsLIProfileElement'
	MUST ( objectclass $ nsLIElementType )
	MAY ( owner $ nsLIData $ nsLIVersion ) )

#ORG#	objectclass nsLIServer
#ORG#	## oid 2.16.840.1.113730.3.2.77
#ORG#		requires
#ORG#			objectclass,
#ORG#			serverhostname
#ORG#		allows
#ORG#			description,
#ORG#			cn,
#ORG#			nsServerPort,
#ORG#			nsLIServerType,
#ORG#			serverroot
#objectclass ( 2.16.840.1.113730.3.2.77
#	NAME 'nsLIServer'
#	MUST ( objectclass $ serverhostname )
#	MAY ( description $ cn $ nsServerPort $ nsLIServerType $ serverroot ) )

# EOF
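A static checker for hand-written slapd schema like the two files above, as an added example that is not from the thread or from OpenLDAP. It parses the RFC 2252-style `attributeType ( ... )` / `objectclass ( ... )` definitions the files use and reports what slapd or ldapadd would trip over later: a matching rule whose syntax does not fit the attribute's SYNTAX, an operational attribute listed in MUST, an object class that shares a name with an attribute type, and a MUST/MAY reference to an attribute defined nowhere. SAMPLE_SCHEMA is a set of constructed excerpts in the shape of the posted definitions, and CORE_ATTRS is an assumed subset of OpenLDAP's core.schema, just enough for the sample.

```python
"""Static checks for hand-written slapd schema such as the files above.

Added example; not code from the thread or from OpenLDAP.  Parses the
RFC 2252-style "attributeType ( ... )" / "objectclass ( ... )" definitions
and reports what slapd or ldapadd would complain about later.  CORE_ATTRS
is an assumed subset of OpenLDAP's core.schema; SAMPLE_SCHEMA is a set of
constructed excerpts shaped like the posted definitions.
"""
import re

# matching rule -> syntax OIDs it is defined for (RFC 2252 / RFC 4517)
SYNTAX_FOR_RULE = {
    "caseignorematch": {"1.3.6.1.4.1.1466.115.121.1.15"},
    "caseexactmatch": {"1.3.6.1.4.1.1466.115.121.1.15"},
    "caseignoresubstringsmatch": {"1.3.6.1.4.1.1466.115.121.1.15"},
    "caseignoreia5match": {"1.3.6.1.4.1.1466.115.121.1.26"},
    "caseexactia5match": {"1.3.6.1.4.1.1466.115.121.1.26"},
    "integermatch": {"1.3.6.1.4.1.1466.115.121.1.27"},
}
OPERATIONAL = {"createtimestamp", "modifytimestamp", "creatorsname", "modifiersname"}
CORE_ATTRS = {"objectclass", "cn", "description", "owner", "uid"}  # assumed subset

_DEF_RE = re.compile(r"^\s*(attributetype|objectclass)\s*\(", re.I | re.M)


def _parse_body(body):
    d = {"oid": body.split()[0]}
    m = re.search(r"\bNAME\s+\(?\s*'([^']+)'", body)
    d["name"] = m.group(1) if m else d["oid"]
    for key in ("EQUALITY", "SUBSTR", "SYNTAX"):
        m = re.search(r"\b%s\s+(\S+?)(?=[\s)]|$)" % key, body)
        if m:
            d[key.lower()] = m.group(1).split("{")[0]   # drop a {len} suffix
    for key in ("MUST", "MAY"):
        m = re.search(r"\b%s\s+(?:\(([^)]*)\)|(\S+))" % key, body)
        if m:
            raw = m.group(1) if m.group(1) is not None else m.group(2)
            d[key.lower()] = [a.strip() for a in raw.split("$") if a.strip()]
    return d


def parse_schema(text):
    """[(kind, definition)] for every uncommented definition, in file order."""
    text = "\n".join(ln for ln in text.splitlines() if not ln.lstrip().startswith("#"))
    defs = []
    for m in _DEF_RE.finditer(text):
        start = m.end() - 1                      # index of the opening "("
        depth, i = 0, start
        while i < len(text):                     # find the matching ")"
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            if depth == 0:
                break
            i += 1
        defs.append((m.group(1).lower(), _parse_body(text[start + 1:i])))
    return defs


def check_schema(text):
    """Human-readable findings, in the order the definitions appear."""
    defs = parse_schema(text)
    attrs = {d["name"].lower(): d for k, d in defs if k == "attributetype"}
    out = []
    for a in attrs.values():
        for key in ("equality", "substr"):
            rule = a.get(key, "").lower()
            if rule in SYNTAX_FOR_RULE and a.get("syntax") not in SYNTAX_FOR_RULE[rule]:
                out.append("%s: %s %s does not apply to syntax %s"
                           % (a["name"], key.upper(), a[key], a.get("syntax")))
    for oc in (d for k, d in defs if k == "objectclass"):
        if oc["name"].lower() in attrs:
            out.append("%s: object class shares a name with an attribute type" % oc["name"])
        for key in ("must", "may"):
            for ref in oc.get(key, []):
                if ref.lower() in OPERATIONAL and key == "must":
                    out.append("%s: MUST lists operational attribute %s, which clients cannot supply"
                               % (oc["name"], ref))
                elif ref.lower() not in attrs and ref.lower() not in CORE_ATTRS | OPERATIONAL:
                    out.append("%s: %s references undefined attribute %s" % (oc["name"], key.upper(), ref))
    return out


SAMPLE_SCHEMA = """\
attributeType ( 1.3.6.1.4.1.3401.8.2.11
    NAME 'pgpKey'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeType ( 1.3.6.1.4.1.3401.8.2.16
    NAME 'pgpUserID'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectclass ( 1.3.6.1.4.1.3401.8.2.25
    NAME 'pgpUserID'
    MUST ( objectclass $ pgpUserID $ modifyTimestamp )
    MAY ( pgpKey ) )
objectclass ( 2.16.840.1.113730.3.2.77
    NAME 'nsLIServer'
    MUST ( objectclass $ serverhostname )
    MAY ( description $ cn ) )
"""

if __name__ == "__main__":
    for line in check_schema(SAMPLE_SCHEMA):
        print(line)
```

To run it over the real files, read them in and feed the text to check_schema(), and extend CORE_ATTRS with the names from the core.schema actually loaded, or every cn/uid/owner reference will be reported. The undefined-attribute finding is the one the Netscape file already dodges by hand: nsLIServer is commented out, and its serverhostname and serverroot attributes are defined nowhere in that file.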