On Sat, 5 Sep 2020 18:47:08 -0400 Aisha Tammy <openbsd.t...@aisha.cc> wrote:
> Sorry for the late reply.
>
> On 8/12/20 8:19 AM, Robert Klein wrote:
> > Hi,
> >
> > On Wed, 12 Aug 2020 09:00:18 +0200
> > Theo Buehler <t...@theobuehler.org> wrote:
> >
> >> On Tue, Aug 11, 2020 at 10:22:51PM -0400, Aisha Tammy wrote:
> >>> Another bump.
> >>
> >> I think this is useful and am ok with this.
> >>
> >> Are there any concerns? If not, I'm going to commit it tomorrow.
> >
> > for an sshPublicKey attribute, there's an “openssh-lpk” schema which
> > seems to be in common use. It's defined as
> >
> > # octetString SYNTAX
> > attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
> >     DESC 'OpenSSH Public key'
> >     EQUALITY octetStringMatch
> >     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
> >
> I prefer the non-octet version mostly because of inconsistent spacing when
> copy pasting.

IA5Match precludes non-ASCII comments.

BTW, your version has 'SSH public key' as DESC. I suppose it means an
'OpenSSH public key', as above, not an RFC 4716 public key, which wouldn't
make much sense in an OpenBSD context, I guess.

>
> > # printableString SYNTAX yes|no
> > objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
> >     DESC 'OpenSSH LPK objectclass'
> >     MUST uid
> >     MAY sshPublicKey
> >     )
> >
> > though there are versions of the “ldapPublicKey” definitions with
> > both uid and sshPublicKey in the MUST and both in the MAY clause.
> > The “both MAY” version is imho more flexible.
> >
> >
> > The original mail proposing bsd.schema seems to have added both
> > “shadowPassword” and “bsdaccount” more as an afterthought, it seems.
>
> The bsd account is a bit more flexible than the ldapPublicKey and can
> be substituted for this.
> I am fine with moving the `uid` to MAY as well, that would be very
> nice for virtual user setups, where uid is unimportant and not used.

+1

Best regards
Robert

>
> I've attached the updated patch which moves uid to MAY.
> I would really like this to be in 6.8.
>
> OK?
> > Thanks, > Aisha > > > > > Best regards > > Robert > > > > > >> > >> Index: etc/examples/ldapd.conf > >> =================================================================== > >> RCS file: /cvs/src/etc/examples/ldapd.conf,v > >> retrieving revision 1.1 > >> diff -u -p -u -p -r1.1 ldapd.conf > >> --- etc/examples/ldapd.conf 11 Jul 2014 21:20:10 -0000 > >> 1.1 +++ etc/examples/ldapd.conf 18 May 2018 10:09:45 -0000 > >> @@ -3,6 +3,7 @@ > >> schema "/etc/ldap/core.schema" > >> schema "/etc/ldap/inetorgperson.schema" > >> schema "/etc/ldap/nis.schema" > >> +schema "/etc/ldap/bsd.schema" > >> > >> listen on lo0 > >> listen on "/var/run/ldapi" > >> Index: usr.sbin/ldapd/Makefile > >> =================================================================== > >> RCS file: /cvs/src/usr.sbin/ldapd/Makefile,v > >> retrieving revision 1.15 > >> diff -u -p -u -p -r1.15 Makefile > >> --- usr.sbin/ldapd/Makefile 20 Jan 2017 11:55:08 -0000 > >> 1.15 +++ usr.sbin/ldapd/Makefile 18 May 2018 10:09:45 -0000 > >> @@ -17,7 +17,8 @@ CFLAGS+= -Wshadow -Wpointer-arith -Wcast > >> CFLAGS+= -Wsign-compare > >> CLEANFILES+= y.tab.h parse.c > >> > >> -SCHEMA_FILES= core.schema \ > >> +SCHEMA_FILES= bsd.schema \ > >> + core.schema \ > >> inetorgperson.schema \ > >> nis.schema > >> > >> Index: usr.sbin/ldapd/schema/bsd.schema > >> =================================================================== > >> RCS file: usr.sbin/ldapd/schema/bsd.schema > >> diff -N usr.sbin/ldapd/schema/bsd.schema > >> --- /dev/null 1 Jan 1970 00:00:00 -0000 > >> +++ usr.sbin/ldapd/schema/bsd.schema 18 May 2018 10:09:45 > >> -0000 
@@ -0,0 +1,17 @@ > >> +attributetype ( 1.3.6.1.4.1.30155.115.2 NAME 'shadowPassword' > >> + DESC 'POSIX hashed password' > >> + EQUALITY caseExactIA5Match > >> + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) > >> + > >> +attributetype ( 1.3.6.1.4.1.30155.115.3 NAME 'sshPublicKey' > >> + DESC 'SSH public key' > >> + EQUALITY caseExactIA5Match > >> + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) > >> + > >> +objectclass ( 1.3.6.1.4.1.30155.115.1 NAME 'bsdAccount' > >> + SUP top > >> + AUXILIARY > >> + DESC 'Abstraction of an account with OpenBSD attributes' > >> + MUST ( uid ) > >> + MAY ( shadowPassword $ shadowExpire $ modifyTimestamp $ > >> userClass $ > >> + sshPublicKey )) > >> > > >
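Review bot: in the etc/examples/ldapd.conf hunk, `schema "/etc/ldap/bsd.schema"` is added after nis.schema, which is the order that works if ldapd resolves the attribute names bsdAccount borrows from other schemas (uid, shadowExpire, userClass, modifyTimestamp) when it loads the file; a one-line comment saying the order matters would stop someone from sorting the list later. The same hunk adds nothing that limits who can read shadowPassword: it is a plain user attribute with no special handling visible in this diff, so an example config that loads the schema should also show an access rule denying shadowPassword to anything but the bind that ypldap uses, or ldapd.conf(5) should say so where the new schema is mentioned.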
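Review bot: in the usr.sbin/ldapd/Makefile hunk, SCHEMA_FILES gains bsd.schema at the head of the list (alphabetical, consistent with the rest), but this list only controls which files are installed, not which ones ldapd loads; existing installs with a hand-written ldapd.conf will not pick up bsdAccount until the `schema "/etc/ldap/bsd.schema"` line is added, which the commit message or upgrade notes should spell out.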
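Review bot: the quoted bsd.schema hunk still carries `MUST ( uid )` in bsdAccount, while the reply asking for an OK says the attached update moves uid to MAY; that attachment is not in the quoted text, so the diff this thread shows is not the one being OK'd and should be reposted inline. On the same hunk: `DESC 'SSH public key'` should read 'OpenSSH public key' so consumers know to expect an authorized_keys line rather than RFC 4716 format, as raised above; and `modifyTimestamp` is an operational attribute, so listing it in MAY next to user attributes is unusual and deserves a comment saying why an account class needs it. With caseExactIA5Match and the IA5 String syntax on both new attributes, values are restricted to 7-bit ASCII, which is fine for crypt(3) hashes but means key comments with non-ASCII characters will be refused, also noted above.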
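To make the two points argued in this thread concrete (uid in MUST versus MAY, and what the IA5 syntax refuses), here is an added example that is not part of the thread or of the OpenBSD ldapd tree. It parses attributetype/objectclass definitions written in the style of ldapd's schema files, then checks constructed sample entries against both the "uid in MAY" variant agreed above and the original "MUST ( uid )" one. The sshPublicKey check assumes a policy of the example's own choosing: the directory stores bare `type base64 [comment]` lines and any authorized_keys options are added by the server consuming them. The sample DNs, the placeholder hash and the dummy key bytes are all constructed, not real data.

```python
"""Check LDAP entries against the proposed bsd.schema before loading them."""
import base64
import binascii
import re

IA5_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.26"   # IA5 String: 7-bit ASCII only

# Transcribed from the quoted patch, with uid moved to MAY as agreed upthread.
BSD_SCHEMA = """
attributetype ( 1.3.6.1.4.1.30155.115.2 NAME 'shadowPassword'
    DESC 'POSIX hashed password'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.30155.115.3 NAME 'sshPublicKey'
    DESC 'OpenSSH public key'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.4.1.30155.115.1 NAME 'bsdAccount'
    SUP top
    AUXILIARY
    DESC 'Abstraction of an account with OpenBSD attributes'
    MAY ( uid $ shadowPassword $ shadowExpire $ modifyTimestamp $ userClass $
        sshPublicKey ))
"""
# The variant in the quoted diff, where uid is mandatory.
BSD_SCHEMA_MUST_UID = BSD_SCHEMA.replace("MAY ( uid $ ", "MUST ( uid )\n    MAY ( ")

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _blocks(text, keyword):
    """Yield the body of every `keyword ( ... )` definition, parentheses balanced."""
    pos = 0
    while (start := text.find(keyword, pos)) >= 0:
        i = text.index("(", start)
        depth, end = 0, None
        for j in range(i, len(text)):
            depth += {"(": 1, ")": -1}.get(text[j], 0)
            if depth == 0:
                end = j
                break
        if end is None:
            raise ValueError("unbalanced parentheses in schema")
        yield text[i + 1:end]
        pos = end + 1


def _field(body, key):
    """Value after `key`: a quoted string, a parenthesised list, or one token."""
    m = re.search(rf"\b{key}\s+('[^']*'|\([^)]*\)|\S+)", body)
    return m.group(1) if m else None


def _names(value):
    """'( a $ b )' -> ['a', 'b']; None -> []."""
    return value.strip("()").replace("$", " ").split() if value else []


def parse_schema(text):
    """Return ({attr name: spec}, {objectclass name: spec}) for a schema text."""
    attrs, classes = {}, {}
    for body in _blocks(text, "attributetype"):
        attrs[_field(body, "NAME").strip("'")] = {
            "oid": body.split()[0], "equality": _field(body, "EQUALITY"),
            "syntax": _field(body, "SYNTAX")}
    for body in _blocks(text, "objectclass"):
        classes[_field(body, "NAME").strip("'")] = {
            "oid": body.split()[0], "must": _names(_field(body, "MUST")),
            "may": _names(_field(body, "MAY"))}
    return attrs, classes


def check_authorized_key(line):
    """Problems with one sshPublicKey value read as a bare authorized_keys line."""
    if "\n" in line or "\r" in line:
        return ["embedded line break would smuggle extra authorized_keys lines"]
    fields = line.split()          # tolerant of the uneven spacing copy/paste leaves
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return [f"not a bare OpenSSH public key line: {line!r}"]
    ktype, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return ["key blob is not valid base64"]
    # The blob opens with a length-prefixed string naming the key type; if it
    # disagrees with the textual type the line was mangled or hand-edited.
    n = int.from_bytes(blob[:4], "big")
    if len(blob) < 4 + n or blob[4:4 + n] != ktype.encode():
        return [f"blob type {blob[4:4 + n]!r} does not match {ktype}"]
    return []


def check_entry(entry, attrs, classes, objectclass="bsdAccount"):
    """Return the list of problems with `entry`; an empty list means acceptable."""
    problems = [f"missing MUST attribute {a}"
                for a in classes[objectclass]["must"] if not entry.get(a)]
    for a, values in entry.items():
        spec = attrs.get(a)               # only attributes this schema defines
        for v in values:
            if spec and spec["syntax"] == IA5_SYNTAX and not v.isascii():
                problems.append(f"{a}: non-ASCII rejected by IA5 syntax: {v!r}")
            if a == "sshPublicKey":
                problems.extend(check_authorized_key(v))
    return problems


def _fake_key_line(ktype, blob_type, comment):
    """`ktype base64 comment` around a dummy 32-byte body (constructed, not a
    real key); blob_type lets a sample carry a mismatched blob on purpose."""
    blob = (len(blob_type).to_bytes(4, "big") + blob_type.encode()
            + (32).to_bytes(4, "big") + bytes(range(32)))
    return f"{ktype}  {base64.b64encode(blob).decode()} {comment}"


SAMPLE_ENTRIES = {   # constructed for this example
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["posixAccount", "bsdAccount"], "uid": ["alice"],
        "shadowPassword": ["$2b$10$" + "x" * 53],   # placeholder, not a real hash
        "sshPublicKey": [_fake_key_line("ssh-ed25519", "ssh-ed25519", "alice@laptop")]},
    # Virtual user: no uid (fine once uid is MAY) but a non-ASCII key comment.
    "cn=mbox-7,ou=virtual,dc=example,dc=com": {
        "objectClass": ["bsdAccount"],
        "sshPublicKey": [_fake_key_line("ssh-ed25519", "ssh-ed25519", "clé-de-björn")]},
    # Mangled: textual key type and blob type disagree.
    "uid=mallory,ou=people,dc=example,dc=com": {
        "objectClass": ["bsdAccount"], "uid": ["mallory"],
        "sshPublicKey": [_fake_key_line("ssh-ed25519", "ssh-rsa", "mallory@pc")]},
}

if __name__ == "__main__":
    for label, text in (("uid in MAY", BSD_SCHEMA), ("MUST uid", BSD_SCHEMA_MUST_UID)):
        attrs, classes = parse_schema(text)
        for dn, entry in SAMPLE_ENTRIES.items():
            print(label, dn, check_entry(entry, attrs, classes) or "ok")
```

Run as a script it prints, per schema variant, which sample entries pass; the virtual mailbox account fails only on the non-ASCII comment under the "uid in MAY" schema and additionally on the missing uid under the "MUST ( uid )" one, which is exactly the trade-off discussed above. The parser is deliberately small (NAME, EQUALITY, SYNTAX, MUST, MAY) and does not handle the full RFC 4512 grammar.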