On 9/10/20 2:03 AM, Robert Klein wrote:
> On Sat, 5 Sep 2020 18:47:08 -0400
> Aisha Tammy <openbsd.t...@aisha.cc> wrote:
>
>> Sorry for the late reply.
>>
>> On 8/12/20 8:19 AM, Robert Klein wrote:
>>> Hi,
>>>
>>> On Wed, 12 Aug 2020 09:00:18 +0200
>>> Theo Buehler <t...@theobuehler.org> wrote:
>>>
>>>> On Tue, Aug 11, 2020 at 10:22:51PM -0400, Aisha Tammy wrote:
>>>>> Another bump.
>>>>
>>>> I think this is useful and am ok with this.
>>>>
>>>> Are there any concerns? If not, I'm going to commit it tomorrow.
>>>
>>> for an sshPublicKey attribute, there's an “openssh-lpk” schema which
>>> seems to be in common use. It's defined as
>>>
>>> # octetString SYNTAX
>>> attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
>>>     DESC 'OpenSSH Public key'
>>>     EQUALITY octetStringMatch
>>>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
>>>
>> I prefer the non-octet version mostly because of inconsistent spacing
>> when copy pasting.
>
> IA5Match precludes non-ASCII comments. BTW, your version has 'SSH
> public key' as DESC. I suppose it means an 'OpenSSH public key', as
> above, not an RFC 4716 public key, which wouldn't make much sense in
> an OpenBSD context, I guess.
>

Haha, I wasn't even aware SSH public key was a different thing >.<
(how do y'all know/remember these weird RFCs...)
Updated patch with OpenSSH public key.
OK?

Aisha

>
>>
>>
>>
>>> # printableString SYNTAX yes|no
>>> objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP
>>> top AUXILIARY DESC 'OpenSSH LPK objectclass'
>>>     MUST uid
>>>     MAY sshPublicKey
>>>     )
>>>
>>> though there are versions of the “ldapPublicKey” definitions with
>>> both uid and sshPublicKey in the MUST and both in the MAY clause.
>>> The “both MAY” version is imho more flexible.
>>>
>>>
>>> The original mail proposing bsd.schema seems to have added both
>>> “shadowPassword” and “bsdaccount” more as an afterthought, it seems.
>>>
>> The bsd account is a bit more flexible than the ldapPublicKey and can
>> be substituted for this.
>> I am fine with moving the `uid` to MAY as well, that would be very
>> nice for virtual user setups, where uid is unimportant and not used.
>
> +1
>
>
> Best regards
> Robert
>
>
>>
>> I've attached the updated patch which moves uid to MAY.
>> I would really like this to be in 6.8.
>>
>> OK?
>>
>> Thanks,
>> Aisha
>>
>>>
>>> Best regards
>>> Robert
>>>
>>>
>>>>
>>>> Index: etc/examples/ldapd.conf
>>>> ===================================================================
>>>> RCS file: /cvs/src/etc/examples/ldapd.conf,v
>>>> retrieving revision 1.1
>>>> diff -u -p -u -p -r1.1 ldapd.conf
>>>> --- etc/examples/ldapd.conf	11 Jul 2014 21:20:10 -0000	1.1
>>>> +++ etc/examples/ldapd.conf	18 May 2018 10:09:45 -0000
>>>> @@ -3,6 +3,7 @@
>>>>  schema "/etc/ldap/core.schema"
>>>>  schema "/etc/ldap/inetorgperson.schema"
>>>>  schema "/etc/ldap/nis.schema"
>>>> +schema "/etc/ldap/bsd.schema"
>>>>  
>>>>  listen on lo0
>>>>  listen on "/var/run/ldapi"
>>>> Index: usr.sbin/ldapd/Makefile
>>>> ===================================================================
>>>> RCS file: /cvs/src/usr.sbin/ldapd/Makefile,v
>>>> retrieving revision 1.15
>>>> diff -u -p -u -p -r1.15 Makefile
>>>> --- usr.sbin/ldapd/Makefile	20 Jan 2017 11:55:08 -0000	1.15
>>>> +++ usr.sbin/ldapd/Makefile	18 May 2018 10:09:45 -0000
>>>> @@ -17,7 +17,8 @@ CFLAGS+= -Wshadow -Wpointer-arith -Wcast
>>>>  CFLAGS+= -Wsign-compare
>>>>  CLEANFILES+= y.tab.h parse.c
>>>>  
>>>> -SCHEMA_FILES=	core.schema \
>>>> +SCHEMA_FILES=	bsd.schema \
>>>> +		core.schema \
>>>>  		inetorgperson.schema \
>>>>  		nis.schema
>>>>  
>>>> Index: usr.sbin/ldapd/schema/bsd.schema
>>>> ===================================================================
>>>> RCS file: usr.sbin/ldapd/schema/bsd.schema
>>>> diff -N usr.sbin/ldapd/schema/bsd.schema
>>>> --- /dev/null	1 Jan 1970 00:00:00 -0000
>>>> +++ usr.sbin/ldapd/schema/bsd.schema	18 May 2018 10:09:45 -0000
>>>> @@ -0,0 +1,17 @@
>>>> +attributetype ( 1.3.6.1.4.1.30155.115.2 NAME 'shadowPassword'
>>>> +	DESC 'POSIX hashed password'
>>>> +	EQUALITY caseExactIA5Match
>>>> +	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>>>> +
>>>> +attributetype ( 1.3.6.1.4.1.30155.115.3 NAME 'sshPublicKey'
>>>> +	DESC 'SSH public key'
>>>> +	EQUALITY caseExactIA5Match
>>>> +	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>>>> +
>>>> +objectclass ( 1.3.6.1.4.1.30155.115.1 NAME 'bsdAccount'
>>>> +	SUP top
>>>> +	AUXILIARY
>>>> +	DESC 'Abstraction of an account with OpenBSD attributes'
>>>> +	MUST ( uid )
>>>> +	MAY ( shadowPassword $ shadowExpire $ modifyTimestamp $ userClass $
>>>> +		sshPublicKey ))
>>>>
>>>
>>
>
diff --git a/etc/examples/ldapd.conf b/etc/examples/ldapd.conf index 1bc6aa462c1..183563d6f9a 100644 --- a/etc/examples/ldapd.conf +++ b/etc/examples/ldapd.conf @@ -3,6 +3,7 @@ schema "/etc/ldap/core.schema" schema "/etc/ldap/inetorgperson.schema" schema "/etc/ldap/nis.schema" +schema "/etc/ldap/bsd.schema" listen on lo0 listen on "/var/run/ldapi" diff --git a/usr.sbin/ldapd/Makefile b/usr.sbin/ldapd/Makefile index bf445832576..5af25895787 100644 --- a/usr.sbin/ldapd/Makefile +++ b/usr.sbin/ldapd/Makefile @@ -17,7 +17,8 @@ CFLAGS+= -Wshadow -Wpointer-arith -Wcast-qual CFLAGS+= -Wsign-compare CLEANFILES+= y.tab.h parse.c -SCHEMA_FILES= core.schema \ +SCHEMA_FILES= bsd.schema \ + core.schema \ inetorgperson.schema \ nis.schema diff --git a/usr.sbin/ldapd/schema/bsd.schema b/usr.sbin/ldapd/schema/bsd.schema new file mode 100644 index 00000000000..b21fabacbf4 --- /dev/null +++ b/usr.sbin/ldapd/schema/bsd.schema @@ -0,0 +1,16 @@ +attributetype ( 1.3.6.1.4.1.30155.115.2 NAME 'shadowPassword' + DESC 'POSIX hashed password' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.30155.115.3 NAME 'sshPublicKey' + DESC 'OpenSSH public key' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +objectclass ( 1.3.6.1.4.1.30155.115.1 NAME 'bsdAccount' + SUP top + AUXILIARY + DESC 'Abstraction of an account with OpenBSD attributes' + MAY ( uid $ shadowPassword $ shadowExpire $ modifyTimestamp $ + userClass $ sshPublicKey ))
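Review bot: in the etc/examples/ldapd.conf hunk, the new `schema "/etc/ldap/bsd.schema"` line depends on the files listed before it, since bsdAccount's MAY list names uid, shadowExpire, modifyTimestamp and userClass, which bsd.schema itself does not define. If ldapd resolves those references as it parses each schema file, reordering the lines would break loading; a short comment next to the line, or a sentence in ldapd.conf(5), would make the ordering requirement explicit.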
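Review bot: in the usr.sbin/ldapd/schema/bsd.schema hunk, shadowPassword gets an EQUALITY rule (caseExactIA5Match) but nothing in the patch restricts who may read or compare it; as the attribute holds the account's password hash, the example ldapd.conf or the documentation should direct operators to deny read access to it for everyone except the consumer that performs logins, as one would for userPassword. Two smaller points on the same hunk: modifyTimestamp is an operational attribute (RFC 4512) that the server maintains, so its presence in `MAY ( uid $ shadowPassword $ shadowExpire $ modifyTimestamp $` deserves a comment saying why a user-facing objectclass lists it; and shadowPassword should probably be declared SINGLE-VALUE, since an account has exactly one hash and a consumer otherwise has to choose among several values.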
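The thread settles on the IA5String syntax for sshPublicKey, which (as Robert notes) rules out non-ASCII comments, and on the DESC "OpenSSH public key" rather than an RFC 4716 key. The following Python is an added example, not part of the patch or of ldapd: it checks a candidate value against those two constraints and against the OpenSSH line format before it is written into a bsdAccount entry as LDIF. The function names (`check_ssh_public_key`, `bsd_account_ldif`, `make_sample_key`) are this example's own; the sample key is constructed (an all-zero dummy, not a real key), and the `account` structural class (RFC 4524) is assumed to be available, because bsdAccount is AUXILIARY and an entry also needs a structural class.

```python
"""Validate values for the sshPublicKey attribute of bsd.schema before storing them.

Added example for the ldapd bsd.schema thread; not part of the patch or of OpenBSD.
Assumptions: sshPublicKey uses the IA5String syntax (1.3.6.1.4.1.1466.115.121.1.26),
so only 7-bit ASCII is representable, and it holds a one-line OpenSSH public key.
"""
import base64
import binascii
import struct

# Start of the RFC 4716 container format, which the attribute is *not* meant to hold.
RFC4716_HEADER = "---- BEGIN SSH2 PUBLIC KEY ----"


def is_ia5(value: str) -> bool:
    """IA5String is the 7-bit (T.50/ASCII) repertoire; code points >= 0x80 cannot be stored."""
    return all(ord(ch) < 0x80 for ch in value)


def parse_openssh_pubkey(line: str):
    """Parse one OpenSSH public key line: '<keytype> <base64 blob> [comment]'.

    Returns (keytype, comment). Raises ValueError when the line is malformed or when
    the key type named inside the wire-format blob disagrees with the textual type.
    """
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64> [comment]'")
    keytype, blob = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"key blob is not valid base64: {exc}") from exc
    # The blob is SSH wire format (RFC 4253): a 4-byte big-endian length, the key type
    # name, then algorithm-specific fields we do not need to interpret here.
    if len(raw) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", raw[:4])
    inner = raw[4:4 + n]
    if len(inner) != n:
        raise ValueError("truncated key blob")
    if inner != keytype.encode("ascii", errors="replace"):
        raise ValueError(f"blob names {inner!r} but line declares {keytype!r}")
    return keytype, comment


def check_ssh_public_key(line: str) -> list:
    """Return the reasons the value must not be stored; an empty list means acceptable."""
    problems = []
    if line.lstrip().startswith(RFC4716_HEADER):
        problems.append("RFC 4716 format; the attribute holds a one-line OpenSSH key")
        return problems
    if not is_ia5(line):
        problems.append("non-ASCII character; not representable as IA5String")
    if "\n" in line.strip():
        problems.append("embedded newline; an OpenSSH public key is a single line")
    try:
        parse_openssh_pubkey(line)
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def make_sample_key(comment: str = "") -> str:
    """Constructed ssh-ed25519 line with an all-zero dummy key: sample input only."""
    blob = (struct.pack(">I", len(b"ssh-ed25519")) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(32))
    line = "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def bsd_account_ldif(dn: str, uid: str, ssh_keys, structural_class: str = "account") -> str:
    """Render an LDIF entry using the bsdAccount class, refusing bad sshPublicKey values.

    bsdAccount is AUXILIARY, so a structural class is needed as well; 'account'
    (RFC 4524) is assumed here.
    """
    lines = [f"dn: {dn}", "objectClass: top", f"objectClass: {structural_class}",
             "objectClass: bsdAccount", f"uid: {uid}"]
    for key in ssh_keys:
        problems = check_ssh_public_key(key)
        if problems:
            raise ValueError(f"rejecting sshPublicKey for {uid}: " + "; ".join(problems))
        # An OpenSSH key line is ASCII and never starts with ' ', ':' or '<', so it is
        # an LDIF SAFE-STRING and needs no '::' base64 encoding.
        lines.append(f"sshPublicKey: {key}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    good = make_sample_key("deploy@example")
    print(bsd_account_ldif("uid=deploy,ou=people,dc=example,dc=org", "deploy", [good]))
    for bad in (make_sample_key("jürgen@host"),
                RFC4716_HEADER + "\nAAAA\n---- END SSH2 PUBLIC KEY ----",
                "ssh-rsa " + good.split()[1]):
        print(check_ssh_public_key(bad))
```

The rejection of the non-ASCII comment is the practical cost of choosing IA5String over octetString that the thread discusses; the type check between the textual key type and the blob catches a copy-paste of a key line whose first word was edited, which the schema's equality rule alone would never notice.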