Sorry for the late reply.

On 8/12/20 8:19 AM, Robert Klein wrote:
> Hi,
>
> On Wed, 12 Aug 2020 09:00:18 +0200
> Theo Buehler <t...@theobuehler.org> wrote:
>
>> On Tue, Aug 11, 2020 at 10:22:51PM -0400, Aisha Tammy wrote:
>>> Another bump.
>>
>> I think this is useful and am ok with this.
>>
>> Are there any concerns? If not, I'm going to commit it tomorrow.
>
> for an sshPublicKey attribute, there's a “openssh-lpk” schema which
> seems to be in common use. It's defined as
>
> # octetString SYNTAX
> attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
>         DESC 'OpenSSH Public key'
>         EQUALITY octetStringMatch
>         SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
>
I prefer the non-octet version mostly because of inconsistent spacing when
copy pasting. > # printableString SYNTAX yes|no > objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP > top AUXILIARY DESC 'OpenSSH LPK objectclass' > MUST uid > MAY sshPublicKey > ) > > though there are versions of the “ldapPublicKey” definitions with both > uid and sshPublicKye in the MUST and both in the MAY clause. The > “both MAY” version is imho more flexible. > > > The original mail proposing bsd.schema seems to have added both > “shadowPassword” and “bsdaccount” more as an afterthought, it seems. > The bsd account is a bit more flexible than the ldapPublicKey and can be substituted for this. I am fine with moving the `uid` to MAY as well, that would be very nice for virtual user setups, where uid is unimportant and not used. I've attached the updated patch which moves uid to MAY. I would really like this to be in 6.8. OK? Thanks, Aisha > > Best regards > Robert > > >> >> Index: etc/examples/ldapd.conf >> =================================================================== >> RCS file: /cvs/src/etc/examples/ldapd.conf,v >> retrieving revision 1.1 >> diff -u -p -u -p -r1.1 ldapd.conf >> --- etc/examples/ldapd.conf 11 Jul 2014 21:20:10 -0000 >> 1.1 +++ etc/examples/ldapd.conf 18 May 2018 10:09:45 -0000 >> @@ -3,6 +3,7 @@ >> schema "/etc/ldap/core.schema" >> schema "/etc/ldap/inetorgperson.schema" >> schema "/etc/ldap/nis.schema" >> +schema "/etc/ldap/bsd.schema" >> >> listen on lo0 >> listen on "/var/run/ldapi" >> Index: usr.sbin/ldapd/Makefile >> =================================================================== >> RCS file: /cvs/src/usr.sbin/ldapd/Makefile,v >> retrieving revision 1.15 >> diff -u -p -u -p -r1.15 Makefile >> --- usr.sbin/ldapd/Makefile 20 Jan 2017 11:55:08 -0000 >> 1.15 +++ usr.sbin/ldapd/Makefile 18 May 2018 10:09:45 -0000 
>> @@ -17,7 +17,8 @@ CFLAGS+= -Wshadow -Wpointer-arith -Wcast >> CFLAGS+= -Wsign-compare >> CLEANFILES+= y.tab.h parse.c >> >> -SCHEMA_FILES= core.schema \ >> +SCHEMA_FILES= bsd.schema \ >> + core.schema \ >> inetorgperson.schema \ >> nis.schema >> >> Index: usr.sbin/ldapd/schema/bsd.schema >> =================================================================== >> RCS file: usr.sbin/ldapd/schema/bsd.schema >> diff -N usr.sbin/ldapd/schema/bsd.schema >> --- /dev/null 1 Jan 1970 00:00:00 -0000 >> +++ usr.sbin/ldapd/schema/bsd.schema 18 May 2018 10:09:45 -0000 >> @@ -0,0 +1,17 @@ >> +attributetype ( 1.3.6.1.4.1.30155.115.2 NAME 'shadowPassword' >> + DESC 'POSIX hashed password' >> + EQUALITY caseExactIA5Match >> + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) >> + >> +attributetype ( 1.3.6.1.4.1.30155.115.3 NAME 'sshPublicKey' >> + DESC 'SSH public key' >> + EQUALITY caseExactIA5Match >> + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) >> + >> +objectclass ( 1.3.6.1.4.1.30155.115.1 NAME 'bsdAccount' >> + SUP top >> + AUXILIARY >> + DESC 'Abstraction of an account with OpenBSD attributes' >> + MUST ( uid ) >> + MAY ( shadowPassword $ shadowExpire $ modifyTimestamp $ >> userClass $ >> + sshPublicKey )) >> >
diff --git a/etc/examples/ldapd.conf b/etc/examples/ldapd.conf index 1bc6aa462c1..183563d6f9a 100644 --- a/etc/examples/ldapd.conf +++ b/etc/examples/ldapd.conf @@ -3,6 +3,7 @@ schema "/etc/ldap/core.schema" schema "/etc/ldap/inetorgperson.schema" schema "/etc/ldap/nis.schema" +schema "/etc/ldap/bsd.schema" listen on lo0 listen on "/var/run/ldapi" diff --git a/usr.sbin/ldapd/Makefile b/usr.sbin/ldapd/Makefile index bf445832576..5af25895787 100644 --- a/usr.sbin/ldapd/Makefile +++ b/usr.sbin/ldapd/Makefile @@ -17,7 +17,8 @@ CFLAGS+= -Wshadow -Wpointer-arith -Wcast-qual CFLAGS+= -Wsign-compare CLEANFILES+= y.tab.h parse.c -SCHEMA_FILES= core.schema \ +SCHEMA_FILES= bsd.schema \ + core.schema \ inetorgperson.schema \ nis.schema diff --git a/usr.sbin/ldapd/schema/bsd.schema b/usr.sbin/ldapd/schema/bsd.schema new file mode 100644 index 00000000000..d14fcfe7456 --- /dev/null +++ b/usr.sbin/ldapd/schema/bsd.schema @@ -0,0 +1,16 @@ +attributetype ( 1.3.6.1.4.1.30155.115.2 NAME 'shadowPassword' + DESC 'POSIX hashed password' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.30155.115.3 NAME 'sshPublicKey' + DESC 'SSH public key' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +objectclass ( 1.3.6.1.4.1.30155.115.1 NAME 'bsdAccount' + SUP top + AUXILIARY + DESC 'Abstraction of an account with OpenBSD attributes' + MAY ( uid $ shadowPassword $ shadowExpire $ modifyTimestamp $ + userClass $ sshPublicKey ))
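Review bot: the example config gains the bsd.schema include but no access rule for the shadowPassword attribute that schema introduces; a hashed password attribute needs the same deny-read treatment an administrator would give userPassword, so either add such a rule to the example namespace or put a comment next to the new `schema "/etc/ldap/bsd.schema"` line saying so, otherwise the example as shipped leaves the hashes readable by anyone permitted to read the account entry.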
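Review bot: SCHEMA_FILES is only the install list, so placing bsd.schema first in the Makefile is harmless, but bsd.schema references attributes it does not define (uid, shadowExpire, userClass, modifyTimestamp); the load order that matters is the one in ldapd.conf, where the new include sits after core, inetorgperson and nis, and the manual page or a header comment in bsd.schema should state that it has to be loaded after the schemas it depends on.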
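Review bot: sshPublicKey is declared with the IA5String syntax (1.3.6.1.4.1.1466.115.121.1.26), so a key line whose comment contains a non-ASCII character violates the syntax, something the octetString definition from openssh-lpk quoted earlier in the thread does not do; whether ldapd enforces that at add time or a consumer trips over it later, the DESC or the manual page should say that only ASCII key lines are accepted. Two smaller points on bsdAccount: modifyTimestamp is an operational attribute maintained by the server, so listing it under MAY is unusual and the intended use should be stated; and now that uid is in MAY an entry can carry bsdAccount without any uid, so consumers that map entries to accounts by uid must tolerate its absence rather than rely on the class guaranteeing it.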
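As an added example (not part of the patch, of ldapd, or of either poster's mail), the Python script below parses the bsdAccount definition from the patch above in both of its forms, uid in MUST as in the first version and uid in MAY as in the updated one, and checks a constructed virtual-user entry against each. It shows the practical difference between the two forms and why the IA5String versus octetString choice discussed in the thread matters: a key line whose comment carries a UTF-8 character violates the IA5String syntax. The mini schema parser, the entry layout and the sample key (an all-zero ed25519 body, not a usable key) are all constructed for this example.

```python
"""Check LDAP entries against the bsdAccount class from the bsd.schema patch.
Added example; the schema parser understands only the subset bsd.schema uses."""
import base64
import re
import struct

IA5_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.26"  # IA5String: 7-bit ASCII only

# Constructed input: bsd.schema as in the updated patch (uid in MAY).
BSD_SCHEMA = """
attributetype ( 1.3.6.1.4.1.30155.115.2 NAME 'shadowPassword'
    DESC 'POSIX hashed password' EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.30155.115.3 NAME 'sshPublicKey'
    DESC 'SSH public key' EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.4.1.30155.115.1 NAME 'bsdAccount'
    SUP top AUXILIARY
    DESC 'Abstraction of an account with OpenBSD attributes'
    MAY ( uid $ shadowPassword $ shadowExpire $ modifyTimestamp $
          userClass $ sshPublicKey ))
"""
# The same class as in the first version of the patch, with uid required.
BSD_SCHEMA_MUST_UID = BSD_SCHEMA.replace(
    "MAY ( uid $ shadowPassword", "MUST ( uid )\n    MAY ( shadowPassword")


def parse_schema(text):
    """Return ({attribute: syntax OID}, {class: (must, may)})."""
    attrs, classes = {}, {}
    for chunk in re.split(r"\n\s*\n", text.strip()):  # one definition per chunk
        kind = chunk.split(None, 1)[0]
        name = re.search(r"NAME\s+'([^']+)'", chunk).group(1)
        if kind == "attributetype":
            syntax = re.search(r"SYNTAX\s+([\d.]+)", chunk)
            attrs[name] = syntax.group(1) if syntax else None
        elif kind == "objectclass":
            lists = {"MUST": set(), "MAY": set()}
            # Accept both "MUST ( a $ b )" and the bare "MUST uid" form.
            for key, paren, bare in re.findall(
                    r"\b(MUST|MAY)\s+(?:\(\s*([^)]*)\)|(\w+))", chunk):
                lists[key] = {n.strip() for n in (paren or bare).split("$") if n.strip()}
            classes[name] = (lists["MUST"], lists["MAY"])
    return attrs, classes


def check_ssh_key_line(line):
    """True if line is '<type> <base64> [comment]' and the key type encoded
    inside the blob (uint32 length + string) matches the first field."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(blob) < 4:
        return False
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n] == parts[0].encode("utf-8") and len(blob) > 4 + n


def make_test_key(key_type="ssh-ed25519", comment="alice@example.org"):
    """Constructed key line with an all-zero 32-byte body; not a real key."""
    blob = (struct.pack(">I", len(key_type)) + key_type.encode("ascii")
            + struct.pack(">I", 32) + bytes(32))
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}"


def validate(entry, attrs, classes):
    """Return violations for entry (dict attribute -> list of str values).
    Classes from other schema files (top, posixAccount, ...) are ignored."""
    must, may = set(), set()
    for oc in entry.get("objectClass", []):
        if oc in classes:
            must |= classes[oc][0]
            may |= classes[oc][1]
    problems = [f"missing MUST attribute {a}" for a in sorted(must - set(entry))]
    for attr, values in entry.items():
        if attr in attrs and attr not in must | may:
            problems.append(f"{attr} not allowed by any object class in the entry")
        if attrs.get(attr) == IA5_SYNTAX and not all(v.isascii() for v in values):
            problems.append(f"{attr}: non-ASCII value violates IA5String syntax")
        if attr == "sshPublicKey" and not all(check_ssh_key_line(v) for v in values):
            problems.append("sshPublicKey: value is not an OpenSSH public key line")
    return problems


def demo():
    """One virtual-user entry (no uid) checked against both class variants,
    plus the same entry with a key comment containing a UTF-8 character."""
    attrs, may_uid = parse_schema(BSD_SCHEMA)
    _, must_uid = parse_schema(BSD_SCHEMA_MUST_UID)
    entry = {"objectClass": ["top", "bsdAccount"], "sshPublicKey": [make_test_key()]}
    utf8_entry = dict(entry, sshPublicKey=[make_test_key(comment="alice@b\u00fcro")])
    return {
        "uid_in_may": validate(entry, attrs, may_uid),
        "uid_in_must": validate(entry, attrs, must_uid),
        "utf8_comment": validate(utf8_entry, attrs, may_uid),
    }
```

Running `demo()` reports no violation for the uid-less entry under the updated class, a missing MUST attribute under the original class, and an IA5String violation once the key comment carries a non-ASCII character, which is the case the octetString syntax would have accepted.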