Re: ldapd: add bsd.schema?

2018-05-18 Thread Reyk Floeter
On Fri, May 18, 2018 at 10:42:43AM +0200, Reyk Floeter wrote:
> So, OK?
> 

As sthen@ pointed out, I had shadowPassword in both MUST and MAY.
(The reason is that I intended to move it from MUST to MAY, but forgot
to remove the MUST).  userPassword in nis.schema is also MAY, so it
must not be MUST but it must be MAY.  A user also may not have a cn so
remove it from MUST as well.

s/MUST/MAY/, do I get an OK?

Index: etc/examples/ldapd.conf
===
RCS file: /cvs/src/etc/examples/ldapd.conf,v
retrieving revision 1.1
diff -u -p -u -p -r1.1 ldapd.conf
--- etc/examples/ldapd.conf 11 Jul 2014 21:20:10 -  1.1
+++ etc/examples/ldapd.conf 18 May 2018 10:09:45 -
@@ -3,6 +3,7 @@
 schema "/etc/ldap/core.schema"
 schema "/etc/ldap/inetorgperson.schema"
 schema "/etc/ldap/nis.schema"
+schema "/etc/ldap/bsd.schema"
 
 listen on lo0
 listen on "/var/run/ldapi"
Index: usr.sbin/ldapd/Makefile
===
RCS file: /cvs/src/usr.sbin/ldapd/Makefile,v
retrieving revision 1.15
diff -u -p -u -p -r1.15 Makefile
--- usr.sbin/ldapd/Makefile 20 Jan 2017 11:55:08 -  1.15
+++ usr.sbin/ldapd/Makefile 18 May 2018 10:09:45 -
@@ -17,7 +17,8 @@ CFLAGS+=  -Wshadow -Wpointer-arith -Wcast
 CFLAGS+=   -Wsign-compare
 CLEANFILES+=   y.tab.h parse.c
 
-SCHEMA_FILES=  core.schema \
+SCHEMA_FILES=  bsd.schema \
+   core.schema \
inetorgperson.schema \
nis.schema
 
Index: usr.sbin/ldapd/schema/bsd.schema
===
RCS file: usr.sbin/ldapd/schema/bsd.schema
diff -N usr.sbin/ldapd/schema/bsd.schema
--- /dev/null   1 Jan 1970 00:00:00 -
+++ usr.sbin/ldapd/schema/bsd.schema18 May 2018 10:09:45 -
@@ -0,0 +1,17 @@
+attributetype ( 1.3.6.1.4.1.30155.115.2 NAME 'shadowPassword'
+   DESC 'POSIX hashed password'
+   EQUALITY caseExactIA5Match
+   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.30155.115.3 NAME 'sshPublicKey'
+   DESC 'SSH public key'
+   EQUALITY caseExactIA5Match
+   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+objectclass ( 1.3.6.1.4.1.30155.115.1 NAME 'bsdAccount'
+   SUP top
+   AUXILIARY
+   DESC 'Abstraction of an account with OpenBSD attributes'
+   MUST ( uid )
+   MAY ( shadowPassword $ shadowExpire $ modifyTimestamp $ userClass $
+   sshPublicKey ))
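Review bot: shadowPassword (attributetype 1.3.6.1.4.1.30155.115.2 in this hunk) carries no SINGLE-VALUE flag, so an entry may hold several hashes; if ypldap(8) is expected to consume exactly one, add SINGLE-VALUE to that attributetype. Separately, the attribute stores a password hash and nothing in this hunk or in the ldapd.conf hunk restricts who may read it, so the example ldapd.conf should deny read access to shadowPassword for ordinary binds, as is usual for userPassword; otherwise any bind that can read the entry can fetch the hash. Leaving sshPublicKey multi-valued is right, one account commonly has more than one key. The MUST ( uid ) / MAY split now matches the cover note.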


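As an added example, not part of this thread or of ldapd's own code: a small Python checker that parses the bsdAccount objectclass text from the patch, flags the MUST/MAY overlap of the first revision, validates a constructed entry against the corrected definition, and filters sshPublicKey values the way a defensive AuthorizedKeysCommand wrapper would before printing them for sshd. The regex parser, the sample entry, the key values and the placeholder hash are all constructed here; ldapd's real schema parser is more general than this.

```python
import base64
import binascii
import re

# Constructed copies of the objectclass text from the thread: the first
# revision (shadowPassword in both MUST and MAY, cn in MUST) and the fix.
ORIGINAL_OBJECTCLASS = """
objectclass ( 1.3.6.1.4.1.30155.115.1 NAME 'bsdAccount'
    SUP top
    AUXILIARY
    DESC 'Abstraction of an account with OpenBSD attributes'
    MUST ( cn $ uid $ shadowPassword )
    MAY ( shadowPassword $ shadowExpire $ modifyTimestamp $ userClass $
    sshPublicKey ))
"""
FIXED_OBJECTCLASS = ORIGINAL_OBJECTCLASS.replace(
    "MUST ( cn $ uid $ shadowPassword )", "MUST ( uid )")

# Attributes the sample entry gets from its structural class (inetOrgPerson
# via core/inetorgperson.schema); bsdAccount is AUXILIARY and does not own them.
STRUCTURAL_ATTRS = frozenset({"objectClass", "cn", "sn", "uid", "userPassword"})

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def parse_objectclass(text):
    """Return (name, must, may) for the objectclass definition in text.
    Handles both the '( a $ b )' list form and a bare single attribute."""
    name = re.search(r"NAME\s+'([^']+)'", text).group(1)

    def attrs(keyword):
        m = re.search(r"\b" + keyword + r"\s+(?:\(\s*([^)]*?)\s*\)|(\S+))", text)
        if not m:
            return []
        body = m.group(1) if m.group(1) is not None else m.group(2)
        return [a.strip() for a in body.split("$") if a.strip()]

    return name, attrs("MUST"), attrs("MAY")


def lint_objectclass(must, may):
    """Attributes listed as both MUST and MAY; a sane definition has none."""
    return sorted(set(must) & set(may))


def check_entry(entry, must, may, other_attrs=frozenset()):
    """entry maps attribute -> list of values. Returns a list of problems
    (empty means the entry satisfies bsdAccount plus its other classes)."""
    problems = []
    for attr in must:
        if not entry.get(attr):
            problems.append("missing MUST attribute " + attr)
    allowed = set(must) | set(may) | set(other_attrs)
    for attr in entry:
        if attr not in allowed:
            problems.append("attribute not allowed by any objectclass: " + attr)
    return problems


def make_key_value(key_type, key_bytes, comment):
    """Constructed authorized_keys-style value: the wire blob begins with the
    length-prefixed key type, which authorized_keys_lines() cross-checks."""
    blob = (len(key_type).to_bytes(4, "big") + key_type.encode()
            + len(key_bytes).to_bytes(4, "big") + key_bytes)
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode(), comment)


def authorized_keys_lines(entry):
    """Lines an AuthorizedKeysCommand wrapper would print for this entry.
    Only bare '<type> <base64> [comment]' values pass: option prefixes,
    embedded newlines, bad base64 and a type/blob mismatch are dropped so a
    stray directory value cannot smuggle options or extra lines into sshd."""
    out = []
    for val in entry.get("sshPublicKey", []):
        val = val.strip()
        parts = val.split(None, 2)
        if "\n" in val or len(parts) < 2 or parts[0] not in KEY_TYPES:
            continue
        try:
            blob = base64.b64decode(parts[1], validate=True)
        except binascii.Error:
            continue
        n = int.from_bytes(blob[:4], "big") if len(blob) >= 4 else -1
        if n < 0 or blob[4:4 + n] != parts[0].encode():
            continue
        out.append(val)
    return out


def sample_entry():
    """Constructed entry: an inetOrgPerson extended with bsdAccount, in the
    style of the cover note (BSDAUTH userPassword plus a shadowPassword hash)."""
    ed25519_blob_as_rsa = make_key_value("ssh-ed25519", bytes(32), "x").split()[1]
    return {
        "objectClass": ["inetOrgPerson", "bsdAccount"],
        "cn": ["Reyk Floeter"], "sn": ["Floeter"], "uid": ["reyk"],
        "userPassword": ["{BSDAUTH}reyk"],
        "shadowPassword": ["$2b$10$CONSTRUCTED.PLACEHOLDER.HASH"],
        "sshPublicKey": [
            make_key_value("ssh-ed25519", bytes(range(32)), "reyk@laptop"),
            "ssh-rsa not*base64* junk",                      # bad base64
            "no-pty " + make_key_value("ssh-ed25519", bytes(32), "x"),  # option prefix
            "ssh-rsa " + ed25519_blob_as_rsa + " mismatch",  # type/blob mismatch
        ],
    }


if __name__ == "__main__":
    name, must, may = parse_objectclass(ORIGINAL_OBJECTCLASS)
    print(name, "MUST/MAY overlap:", lint_objectclass(must, may))
    name, must, may = parse_objectclass(FIXED_OBJECTCLASS)
    entry = sample_entry()
    print("problems:", check_entry(entry, must, may, STRUCTURAL_ATTRS))
    print("\n".join(authorized_keys_lines(entry)))
```

Run stand-alone it reports the overlap of the first revision, an empty problem list for the sample entry against the fixed definition, and exactly one authorized_keys line out of the four stored values.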

Re: ldapd: add bsd.schema?

2018-05-18 Thread Reyk Floeter
So, OK?

On Tue, May 15, 2018 at 02:24:19PM +0200, Reyk Floeter wrote:
> Hi,
> 
> could we add an LDAP schema file that makes it easier to use sshd's
> "AuthorizedKeysCommand"?
> 
> While most howtos out there agree on the attribute name
> "sshPublicKey", there is no common LDAP schema that implements it.
> Some people patch nis.schema (which seems a bad idea), others add
> their own schema files.
> 
> What about adding our own schema (using OpenBSD's allocated
> 1.3.6.1.4.1.30155 PEN) that includes the required "sshPublicKey"
> attribute?  It can be used to extend existing LDAP users with the
> additional bsdAccount objectClass.
> 
> The "shadowPassword" attribute is useful for ypldap(8) + ldapd(8)
> without login_ldap (for example, userPassword: {BSDAUTH}reyk,
> shadowPassword: $2b$10$...).
> 
> Comments?
> 
> Reyk
> 
> Index: etc/examples/ldapd.conf
> ===
> RCS file: /cvs/src/etc/examples/ldapd.conf,v
> retrieving revision 1.1
> diff -u -p -u -p -r1.1 ldapd.conf
> --- etc/examples/ldapd.conf   11 Jul 2014 21:20:10 -  1.1
> +++ etc/examples/ldapd.conf   15 May 2018 12:09:57 -
> @@ -3,6 +3,7 @@
>  schema "/etc/ldap/core.schema"
>  schema "/etc/ldap/inetorgperson.schema"
>  schema "/etc/ldap/nis.schema"
> +schema "/etc/ldap/bsd.schema"
>  
>  listen on lo0
>  listen on "/var/run/ldapi"
> Index: usr.sbin/ldapd/Makefile
> ===
> RCS file: /cvs/src/usr.sbin/ldapd/Makefile,v
> retrieving revision 1.15
> diff -u -p -u -p -r1.15 Makefile
> --- usr.sbin/ldapd/Makefile   20 Jan 2017 11:55:08 -  1.15
> +++ usr.sbin/ldapd/Makefile   15 May 2018 12:09:57 -
> @@ -17,7 +17,8 @@ CFLAGS+=-Wshadow -Wpointer-arith -Wcast
>  CFLAGS+= -Wsign-compare
>  CLEANFILES+= y.tab.h parse.c
>  
> -SCHEMA_FILES=core.schema \
> +SCHEMA_FILES=bsd.schema \
> + core.schema \
>   inetorgperson.schema \
>   nis.schema
>  
> Index: usr.sbin/ldapd/schema/bsd.schema
> ===
> RCS file: usr.sbin/ldapd/schema/bsd.schema
> diff -N usr.sbin/ldapd/schema/bsd.schema
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ usr.sbin/ldapd/schema/bsd.schema  15 May 2018 12:09:57 -
> @@ -0,0 +1,17 @@
> +attributetype ( 1.3.6.1.4.1.30155.115.2 NAME 'shadowPassword'
> + DESC 'POSIX hashed password'
> + EQUALITY caseExactIA5Match
> + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
> +
> +attributetype ( 1.3.6.1.4.1.30155.115.3 NAME 'sshPublicKey'
> + DESC 'SSH public key'
> + EQUALITY caseExactIA5Match
> + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
> +
> +objectclass ( 1.3.6.1.4.1.30155.115.1 NAME 'bsdAccount'
> + SUP top
> + AUXILIARY
> + DESC 'Abstraction of an account with OpenBSD attributes'
> + MUST ( cn $ uid $ shadowPassword )
> + MAY ( shadowPassword $ shadowExpire $ modifyTimestamp $ userClass $
> + sshPublicKey ))




Re: ldapd: add bsd.schema?

2018-05-16 Thread Felix Kronlage

Hi Reyk,

Reyk Floeter wrote:

> could we add an LDAP schema file that makes it easier to use sshd's
> "AuthorizedKeysCommand"?
> 
> While most howtos out there agree on the attribute name
> "sshPublicKey", there is no common LDAP schema that implements it.
> Some people patch nis.schema (which seems a bad idea), others add
> their own schema files.

ack! Especially in regard to patching nis.schema.

> What about adding our own schema (using OpenBSD's allocated
> 1.3.6.1.4.1.30155 PEN) that includes the required "sshPublicKey"
> attribute?  It can be used to extend existing LDAP users with the
> additional bsdAccount objectClass.

I think this is a good idea.

felix



ldapd: add bsd.schema?

2018-05-15 Thread Reyk Floeter
Hi,

could we add an LDAP schema file that makes it easier to use sshd's
"AuthorizedKeysCommand"?

While most howtos out there agree on the attribute name
"sshPublicKey", there is no common LDAP schema that implements it.
Some people patch nis.schema (which seems a bad idea), others add
their own schema files.

What about adding our own schema (using OpenBSD's allocated
1.3.6.1.4.1.30155 PEN) that includes the required "sshPublicKey"
attribute?  It can be used to extend existing LDAP users with the
additional bsdAccount objectClass.

The "shadowPassword" attribute is useful for ypldap(8) + ldapd(8)
without login_ldap (for example, userPassword: {BSDAUTH}reyk,
shadowPassword: $2b$10$...).

Comments?

Reyk

Index: etc/examples/ldapd.conf
===
RCS file: /cvs/src/etc/examples/ldapd.conf,v
retrieving revision 1.1
diff -u -p -u -p -r1.1 ldapd.conf
--- etc/examples/ldapd.conf 11 Jul 2014 21:20:10 -  1.1
+++ etc/examples/ldapd.conf 15 May 2018 12:09:57 -
@@ -3,6 +3,7 @@
 schema "/etc/ldap/core.schema"
 schema "/etc/ldap/inetorgperson.schema"
 schema "/etc/ldap/nis.schema"
+schema "/etc/ldap/bsd.schema"
 
 listen on lo0
 listen on "/var/run/ldapi"
Index: usr.sbin/ldapd/Makefile
===
RCS file: /cvs/src/usr.sbin/ldapd/Makefile,v
retrieving revision 1.15
diff -u -p -u -p -r1.15 Makefile
--- usr.sbin/ldapd/Makefile 20 Jan 2017 11:55:08 -  1.15
+++ usr.sbin/ldapd/Makefile 15 May 2018 12:09:57 -
@@ -17,7 +17,8 @@ CFLAGS+=  -Wshadow -Wpointer-arith -Wcast
 CFLAGS+=   -Wsign-compare
 CLEANFILES+=   y.tab.h parse.c
 
-SCHEMA_FILES=  core.schema \
+SCHEMA_FILES=  bsd.schema \
+   core.schema \
inetorgperson.schema \
nis.schema
 
Index: usr.sbin/ldapd/schema/bsd.schema
===
RCS file: usr.sbin/ldapd/schema/bsd.schema
diff -N usr.sbin/ldapd/schema/bsd.schema
--- /dev/null   1 Jan 1970 00:00:00 -
+++ usr.sbin/ldapd/schema/bsd.schema15 May 2018 12:09:57 -
@@ -0,0 +1,17 @@
+attributetype ( 1.3.6.1.4.1.30155.115.2 NAME 'shadowPassword'
+   DESC 'POSIX hashed password'
+   EQUALITY caseExactIA5Match
+   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.30155.115.3 NAME 'sshPublicKey'
+   DESC 'SSH public key'
+   EQUALITY caseExactIA5Match
+   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+objectclass ( 1.3.6.1.4.1.30155.115.1 NAME 'bsdAccount'
+   SUP top
+   AUXILIARY
+   DESC 'Abstraction of an account with OpenBSD attributes'
+   MUST ( cn $ uid $ shadowPassword )
+   MAY ( shadowPassword $ shadowExpire $ modifyTimestamp $ userClass $
+   sshPublicKey ))
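Review bot: in the bsdAccount objectclass, shadowPassword appears both in MUST ( cn $ uid $ shadowPassword ) and in the MAY list, which is contradictory, and having it in MUST forces every bsdAccount to carry a password hash although the cover note presents shadowPassword as an optional companion to userPassword. Suggest MUST ( uid ) with shadowPassword only in MAY; cn need not be required here either, since the structural class the entry already carries (inetOrgPerson in the example config's schema set) is what demands it, and the hunk's own DESC says the class is an abstraction of account attributes, not a person.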