Sunday, March 31, 2013

OpenLDAP GPG KeyServer Private

This post shows how to create your own private GPG keyserver backed by OpenLDAP.
Tested on Fedora 17 (other distros may differ).
NOTE: all configuration files are at the bottom of the post.

1) Install the required packages, then change into the LDAP config directory. Move slapd.d aside because we are using the older slapd.conf-style configuration, then edit ldap.conf to add the server's IP address.

sudo -s
yum install openldap openldap-servers openldap-clients 
optionally: yum install gq (LDAP browser)
service slapd stop (stop LDAP)
cd /etc/openldap
ls -l
mv slapd.d{,-old}
gvim ldap.conf (add the server's IP address; config below)
nm-tool (shows the server's IP address)

2) Create slapd.conf and the database directory, download and install the PGP keyserver schemas, then start the server.
gvim slapd.conf (config at bottom)
mkdir /var/db/openldap
chown ldap:ldap  /var/db/openldap  
download and install the schemas:
wget http://members.kstp.at/wh/pgp/openldap_pgp_keyserver.tar.gz
tar xvfz openldap_pgp_keyserver.tar.gz && cp -Rv openldap/schema/* /etc/openldap/schema
slapd -d -1 -u ldap -g ldap (use -d 128 to log only ACL decisions)

3) Create the LDAP directory structure and add the extra users.
gvim directory_base_user.ldif (config below)
ldapadd -H ldap://10.0.0.11 -x -D "cn=Justin,dc=Manager,dc=Private" -f directory_base_user.ldif -w dirtysecret
gvim remote_user.ldif (config below)
ldapadd -H ldap://10.0.0.11 -x -D "cn=Justin,dc=Manager,dc=Private" -f remote_user.ldif -w dirtysecret
exit (leave the root shell)

4) Create a key pair and exchange keys between the host and the remote host:

cd
cd .gnupg
gpg --gen-key (answer the questions)
gpg --list-keys
gvim gpg.conf (add the keyserver entry, e.g. keyserver ldap://10.0.0.11)
send and receive keys:
gpg --keyserver ldap://10.0.0.11 --send-key C9AD4D9B (send key)
gpg --keyserver ldap://10.0.0.11 --recv-key C9AD4D9B (receive key)

On the remote host perform the same steps to create a new key and send and receive it.

5) Use gq to view the entries.

And there you have it: your own private GPG keyserver!

Below are the configuration files for the steps above:

ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=Manager,dc=Private
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
URI ldap://10.0.0.11

SIZELIMIT 0
TIMELIMIT 900
#DEREF never
#TLS_REQCERT try
#TLS_CACERT     /etc/openldap/ssl/certs/ca.pem
#TLS_CERT        /etc/openldap/ssl/certs/ldap.pem
#TLS_KEY /etc/openldap/ssl/keys/ldap.key



slapd.conf



include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/pgp-keyserver.schema
include /etc/openldap/schema/pgp-recon.schema
include /etc/openldap/schema/pgp-remote-prefs.schema

loglevel -1

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

modulepath      /usr/lib/openldap
moduleload back_bdb.la
moduleload back_ldap.la
moduleload back_monitor.la

allow bind_anon_dn
allow update_anon
allow bind_anon_cred

access to dn.base=""
        by * read

access to dn="cn=Subschema"
        by * read
access to attrs="userPassword"
        by self write
        by * auth

# OPTIONAL: gq for viewing directories etc..
access to dn="dc=Manager,dc=Private"
by * read

access to dn="ou=PGP Users,dc=Manager,dc=Private"
by * read

access to dn.subtree="uid=Justin,ou=PGP Users,dc=Manager,dc=Private"
by * read
access to dn.subtree="uid=Justin_2,ou=PGP Users,dc=Manager,dc=Private"
by * read

# read  server pgpKeyInfo 
access to dn="cn=pgpServerInfo,dc=Manager,dc=Private"
        by * read

# remote access: "by * write" lets any client, anonymous ones included, add or
# overwrite keys, and the "by * read" line after it is never reached. Tighten
# this (e.g. write only for a named uploader DN) before exposing the server.
access to dn.subtree="ou=PGP Keys,dc=Manager,dc=Private"
        by * write
        by * read

access to * by * none

database bdb
directory /var/db/openldap/

suffix "dc=Manager,dc=Private"
rootdn "cn=justin,dc=Manager,dc=Private"
rootpw dirtysecret

cachesize 10000
checkpoint 128 15

index objectClass eq
index pgpCertID,pgpKeyID,pgpKeyType,pgpUserID,pgpKeyCreateTime sub,eq
index pgpSignerID,pgpSubKeyID,pgpKeySize,pgpKeyExpireTime sub,eq
index pgpDisabled,pgpRevoked eq

database monitor
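The slapd.conf above grants "by * write" on the key subtree and enables update_anon, which the author flags as needing better ACLs. The following is an added example (not part of the post or of OpenLDAP) that lints a slapd.conf excerpt for those two weaknesses and for "by *" clauses that shadow later ones; the excerpt and the tightened variant are constructed here.

```python
import re

# Constructed excerpt mirroring the post's slapd.conf (not the file itself verbatim).
POST_CONF = """
allow bind_anon_dn
allow update_anon
access to attrs="userPassword"
        by self write
        by * auth
access to dn.subtree="ou=PGP Keys,dc=Manager,dc=Private"
        by * write
by * read
access to * by * none
"""

# Hypothetical tightened variant: drop anonymous updates, let only one named
# uploader write to the key subtree, keep it world-readable for gpg --recv-key.
TIGHTENED_CONF = POST_CONF.replace("allow update_anon\n", "").replace(
    "        by * write\nby * read",
    '        by dn.exact="uid=Justin,ou=PGP Users,dc=Manager,dc=Private" write\n'
    "        by * read")

def parse_access(conf):
    """Return [(target, [(who, level), ...])] for every 'access to' clause."""
    clauses, current = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"access\s+to\s+(.+?)(?:\s+by\s+(.+))?$", line)
        if m:
            current = (m.group(1), [])
            clauses.append(current)
            if m.group(2):                           # one-line form: access to X by Y level
                current[1].append(tuple(m.group(2).rsplit(None, 1)))
        elif line.startswith("by ") and current is not None:
            current[1].append(tuple(line[3:].rsplit(None, 1)))
    return clauses

def audit(conf):
    """Flag settings that let unauthenticated or arbitrary clients modify entries."""
    findings = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if words[:1] == ["allow"] and "update_anon" in words:
            findings.append("allow update_anon: anonymous clients may modify entries")
    for target, bys in parse_access(conf):
        for i, (who, level) in enumerate(bys):
            if who in ("*", "anonymous", "users") and level in ("write", "manage"):
                findings.append(f"{target}: '{who}' is granted {level}")
            if who == "*" and i < len(bys) - 1:      # slapd stops at the first matching 'by'
                findings.append(f"{target}: 'by *' shadows the 'by' clauses after it")
    return findings
```

Running audit() over the post's excerpt reports three findings; over the tightened variant it reports none.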


directory_base_user.ldif


# domain
dn: dc=Manager,dc=Private
dc: Manager
objectClass: domain
objectClass: top

# person part of domain
dn: cn=Manager,dc=Manager,dc=Private
cn: Manager
sn: Manager
objectClass: person
objectClass: top

# applicationProcess and/or organizationalUnit works
dn: ou=PGP Keys,dc=Manager,dc=Private
objectclass: applicationProcess
cn: PGP KEYSERVER PRIVATE "KEYS"
ou: PGP Keys
description: gpg keyserver for private company use.

# Main area for gpg to do stuff
dn: cn=pgpServerInfo,dc=Manager,dc=Private
cn: pgpServerInfo 
objectclass: pgpserverinfo
pgpSoftware: OpenLDAP 2.4.33
pgpVersion:  gpg (GnuPG) 1.4.13
pgpBaseKeyspaceDN: ou=PGP Keys,dc=Manager,dc=Private

# applicationProcess and/or organizationalUnit works
dn: ou=PGP Users,dc=Manager,dc=Private
objectclass: applicationProcess
cn: PGP KEYSERVER PRIVATE "Users"
ou: PGP Users
description: gpg keyserver for private company use.

# company employee(s)
dn: uid=Justin,ou=PGP Users,dc=Manager,dc=Private
objectClass: inetOrgPerson
objectClass: uidObject
objectClass: userSecurityInformation
uid: Justin
# password is test56
userPassword: {SSHA}PGJjmqxXpro95gho76Gz27qiqQp59LwM
sn: Mattock
cn: Private Company Employee(s).

# photo: never got this working, maybe you can!
# adds using URL format
#add: jpegphoto
#jpegphoto: < file:///path/to/jpeg/file.jpg

# adding a binary cert; use gpgsm to convert the format (DER, PEM, etc.)
#changetype: modify
#add: userCertificate;binary
#userCertificate;binary:< file:///path/to/file/binary.asc
#objectClass: strongAuthenticationUser
#UserCertificate: file:///path/to/regular.asc


remote_user.ldif

# company employee(s)
dn: uid=Justin_2,ou=PGP Users,dc=Manager,dc=Private
objectClass: inetOrgPerson
objectClass: uidObject
objectClass: userSecurityInformation
uid: Justin_2
# password is test56
userPassword: {SSHA}PGJjmqxXpro95gho76Gz27qiqQp59LwM
sn: Mattock_2
cn: Private Company Employee(s).
# photo: never got this working, maybe you can!
# adds using URL format
#add: jpegphoto
#jpegphoto: < file:///path/to/jpeg/file.jpg

# adding a binary cert; use gpgsm to convert the format (DER, PEM, etc.)
#changetype: modify
#add: userCertificate;binary
#userCertificate;binary:< file:///path/to/file/binary.asc
#objectClass: strongAuthenticationUser
#UserCertificate: file:///path/to/regular.asc


1 comment:

  1. This post is very interesting and a good knowledge is given about Linux.
    Because Windows and Linux are two OS and their functionalities are getting better day by day.
