Copyright © 2002 by PGP Corporation. All Rights Reserved.
This Tech Note describes how to set up and troubleshoot the querying and storage of PGP keys with Windows 2000 Active Directory.
This file is in LDIF (RFC 2849) format. LDIF stands for LDAP (RFC 2251) Data Interchange Format and is an Internet standard for a common file format for operating on LDAP-compliant directory services from different vendors. You may work on the DC (domain controller) itself or log in on another machine as a user that has schema change rights. You should have the Windows 2000 Support Tool ldifde.exe in your path; ldifde stands for LDIF Directory Exchange, and it is the only tool you need to effect the schema changes. The Support Tools installer automatically adds the target directory to your path.
For more information on how to view and transfer the FSMO role of Schema Master, refer to Microsoft Knowledge Base articles Q255690 and Q255504.
To turn on schema updates on the DC, run the MMC snap-in called "Active Directory Schema". Right-click the root node of that snap-in and choose Operations Master. In the dialog that pops up, make sure the check box "The schema may be modified on this Domain Controller" is checked. You can get the same effect by setting the REG_DWORD value "Schema Update Allowed" to 1 (or greater) under the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
For more on how to enable schema updates, refer to Microsoft Knowledge Base articles Q279978 and Q285172.
The -i switch stands for import, -f supplies the file name to import from, and -v turns on verbose mode.
For more on command line options, type ldifde /?. See Microsoft Knowledge Base article Q237677 for more information on import and export using ldifde. Other options might be necessary, for example if you have changed the server port from 389 to something else or if you want the log files in a directory other than the current directory.
After a successful import, you should see the new attributes and classes in the lists shown by the "Active Directory Schema" MMC snap-in. Their names always start with pgp.
Now you need to create a container where PGP keys will be stored. Traverse the tree to the node under which you want to keep the keys container. Right-click the list on the right-hand side and choose New Object from the context menu. Choose container as the class and name it as appropriate. Keep the DN of this container handy; you will need it soon.
Go to the topmost node again. Right-click the list on the right and choose New Object from the context menu. The create object wizard comes up, asking you to choose a class. Choose pgpServerInfo and press Next. The ADSI Edit MMC snap-in may report "An invalid Active Directory pathname was passed." In that case, cancel the wizard, right-click the Domain NC node and choose the "Update schema now" command, then go back to the new object wizard and choose pgpServerInfo again. For the value of attribute CN, use "PGPServerInfo". This is very important: the PGP client looks for this CN after searching for the naming contexts. Press Next. The value for pgpBaseKeySpaceDN should be the DN of the container for PGP key storage, so type in the DN of the container you just created. You may set the optional string attributes pgpSoftware and pgpVersion as you deem appropriate by clicking the More Attributes button. Press Finish.
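As an added example (not from the tech note or PGP Corporation), the same two objects written as an RFC 2849 LDIF file for ldifde instead of through the ADSI Edit wizard. The DNs are constructed samples, the safe-string helper is my own reading of RFC 2849, and it is an assumption that ldifde accepts these classes with only the attributes shown.

```python
import base64

# Constructed sample DNs (assumptions, not values from the tech note); substitute your own.
KEYS_CONTAINER_DN = "CN=PGP Keys,DC=example,DC=com"
DOMAIN_DN = "DC=example,DC=com"


def ldif_attr(name, value):
    """Format one LDIF attribute line per RFC 2849.  A value is written as
    'name: value' only if it is a SAFE-STRING: pure ASCII, no NUL/CR/LF, and
    not starting with space, ':' or '<'.  Anything else is base64 encoded
    and written as 'name:: base64'."""
    raw = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    safe = (raw.isascii()
            and not any(b in raw for b in (0x00, 0x0A, 0x0D))
            and raw[:1] not in (b" ", b":", b"<"))
    if safe:
        return f"{name}: {raw.decode('ascii')}"
    return f"{name}:: {base64.b64encode(raw).decode('ascii')}"


def pgp_setup_ldif(container_dn, parent_dn, software=None, version=None):
    """Return LDIF 'add' records for the two objects the tech note has you
    create in ADSI Edit: the keys container and the pgpServerInfo object.
    The object is named exactly PGPServerInfo, which the PGP client requires,
    and its pgpBaseKeySpaceDN points at the container."""
    container_cn = container_dn.split(",", 1)[0].split("=", 1)[1]
    container = [
        ldif_attr("dn", container_dn),
        "changetype: add",
        "objectClass: container",
        ldif_attr("cn", container_cn),
    ]
    server_info = [
        ldif_attr("dn", f"CN=PGPServerInfo,{parent_dn}"),
        "changetype: add",
        "objectClass: pgpServerInfo",
        "cn: PGPServerInfo",            # fixed name the client searches for
        ldif_attr("pgpBaseKeySpaceDN", container_dn),
    ]
    if software:
        server_info.append(ldif_attr("pgpSoftware", software))
    if version:
        server_info.append(ldif_attr("pgpVersion", version))
    # Records are separated by a blank line; import with: ldifde -i -f <file> -v
    return "\n".join(container) + "\n\n" + "\n".join(server_info) + "\n"


if __name__ == "__main__":
    print(pgp_setup_ldif(KEYS_CONTAINER_DN, DOMAIN_DN, software="sample software string"))
```

Save the output as a .ldf file and import it with the same ldifde options used for the schema file; a value with a leading space or non-ASCII characters is emitted base64 encoded so the import does not silently mangle it.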
You might want to check permissions on other immediate containers to make sure Everyone does not have more access than needed. Since this permission affects only the immediate containers, check that no access is being propagated to containers nested within them.
You should see the attributes of the newly created pgpServerInfo instance. If no attributes are returned, go back and check that the required permissions are indeed granted.
If the permissions are correct, you will be able to upload keys from PGP applications. If an insufficient-rights error is reported while uploading keys to the server, verify the access rights again and make sure the access is exactly as you intended it to be, and no broader than desired.
Your Active Directory is now integrated with PGP.