So, OK?

On Tue, May 15, 2018 at 02:24:19PM +0200, Reyk Floeter wrote:
> Hi,
>
> could we add an LDAP schema file that makes it easier to use sshd's
> "AuthorizedKeysCommand"?
>
> While most howtos out there agree on the attribute name
> "sshPublicKey", there is no common LDAP schema that implements it.
> Some people patch nis.schema (which seems a bad idea), others add
> their own schema files.
>
> What about adding our own schema (using OpenBSD's allocated
> 1.3.6.1.4.1.30155 PEN) that includes the required "sshPublicKey"
> attribute? It can be used to extend existing LDAP users with the
> additional bsdAccount objectClass.
>
> The "shadowPassword" attribute is useful for ypldap(8) + ldapd(8)
> without login_ldap (for example, userPassword: {BSDAUTH}reyk,
> shadowPassword: $2b$10$...).
>
> Comments?
>
> Reyk
>
> Index: etc/examples/ldapd.conf > =================================================================== > RCS file: /cvs/src/etc/examples/ldapd.conf,v > retrieving revision 1.1 > diff -u -p -u -p -r1.1 ldapd.conf > --- etc/examples/ldapd.conf 11 Jul 2014 21:20:10 -0000 1.1 > +++ etc/examples/ldapd.conf 15 May 2018 12:09:57 -0000 > @@ -3,6 +3,7 @@ > schema "/etc/ldap/core.schema" > schema "/etc/ldap/inetorgperson.schema" > schema "/etc/ldap/nis.schema" > +schema "/etc/ldap/bsd.schema" > > listen on lo0 > listen on "/var/run/ldapi" > Index: usr.sbin/ldapd/Makefile > =================================================================== > RCS file: /cvs/src/usr.sbin/ldapd/Makefile,v > retrieving revision 1.15 > diff -u -p -u -p -r1.15 Makefile > --- usr.sbin/ldapd/Makefile 20 Jan 2017 11:55:08 -0000 1.15 > +++ usr.sbin/ldapd/Makefile 15 May 2018 12:09:57 -0000 
> @@ -17,7 +17,8 @@ CFLAGS+= -Wshadow -Wpointer-arith -Wcast > CFLAGS+= -Wsign-compare > CLEANFILES+= y.tab.h parse.c > > -SCHEMA_FILES= core.schema \ > +SCHEMA_FILES= bsd.schema \ > + core.schema \ > inetorgperson.schema \ > nis.schema > > Index: usr.sbin/ldapd/schema/bsd.schema > =================================================================== > RCS file: usr.sbin/ldapd/schema/bsd.schema > diff -N usr.sbin/ldapd/schema/bsd.schema > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ usr.sbin/ldapd/schema/bsd.schema 15 May 2018 12:09:57 -0000 > @@ -0,0 +1,17 @@ > +attributetype ( 1.3.6.1.4.1.30155.115.2 NAME 'shadowPassword' > + DESC 'POSIX hashed password' > + EQUALITY caseExactIA5Match > + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) > + > +attributetype ( 1.3.6.1.4.1.30155.115.3 NAME 'sshPublicKey' > + DESC 'SSH public key' > + EQUALITY caseExactIA5Match > + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) > + > +objectclass ( 1.3.6.1.4.1.30155.115.1 NAME 'bsdAccount' > + SUP top > + AUXILIARY > + DESC 'Abstraction of an account with OpenBSD attributes' > + MUST ( cn $ uid $ shadowPassword ) > + MAY ( shadowPassword $ shadowExpire $ modifyTimestamp $ userClass $ > + sshPublicKey ))
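Review bot: the etc/examples/ldapd.conf hunk places `schema "/etc/ldap/bsd.schema"` after core.schema and nis.schema, and that order deserves a comment in the example: bsdAccount's MUST/MAY lists name cn, uid, shadowExpire, modifyTimestamp and userClass, which are defined by the schema files loaded before it, so an administrator who sorts the schema lines alphabetically (as the Makefile's SCHEMA_FILES list is sorted) could get an undefined-attribute error if ldapd resolves those references while parsing the objectclass.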
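Review bot: in the bsd.schema hunk, shadowPassword is listed in both MUST and MAY of bsdAccount; keep it in MAY only, i.e. `MUST ( cn $ uid )`, otherwise the class cannot be added to an existing user who only needs sshPublicKey for AuthorizedKeysCommand (the use case the mail opens with), and an attribute that is both MUST and MAY is at best redundant. Two smaller points: shadowPassword holds one hash per account, so it should carry SINGLE-VALUE (sshPublicKey is correctly left multi-valued), and because the hash now lives in an attribute other than userPassword, whatever access rules an ldapd.conf uses to hide userPassword have to be extended to shadowPassword as well; a word in the DESC would help people remember that.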
--
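The AuthorizedKeysCommand side of this schema, as an added example that is not part of Reyk's patch or of ldapd: a Python helper that turns the LDIF `ldapsearch -LLL` prints for a bsdAccount entry into the key lines sshd reads, unfolding LDIF continuation lines, decoding `::` base64 values, and dropping any sshPublicKey value that is not a well-formed public key (so nothing stored in the directory can smuggle in authorized_keys options). The DN, the entry and the ed25519 key blob are constructed test data.

```python
import base64
# Added example, not part of the patch: turn `ldapsearch -LLL` output for a bsdAccount
# entry into AuthorizedKeysCommand output, keeping only well-formed public keys.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

# Constructed test key: a valid ed25519 wire blob whose 32 key bytes are all 0x41.
ED25519_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIEFB" + "QUFB" * 10
# Constructed ldapsearch output: a value folded at 76 columns (continuation line starts
# with a space), a base64 ("::") value whose comment is not ASCII, and a non-key.
SAMPLE_LDIF = (
    "dn: uid=reyk,ou=people,dc=example,dc=com\n"
    "objectClass: inetOrgPerson\n"
    "objectClass: bsdAccount\n"
    "uid: reyk\n"
    "sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFBQUFBQUFBQUFBQUFB\n"
    " QUFBQUFBQUFBQUFBQUFBQUFB reyk@laptop\n"
    "sshPublicKey:: " + base64.b64encode(
        f"ssh-ed25519 {ED25519_BLOB} rëyk@backup".encode()).decode() + "\n"
    "sshPublicKey: ssh-ed25519 bm90IGEga2V5 junk\n"
)

def parse_ldif(text):
    """Unfold continuation lines and decode '::' values; return (attr, value) pairs."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line: join without the leading space
        elif raw:
            lines.append(raw)
    pairs = []
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        pairs.append((attr, value.strip()))
    return pairs

def is_valid_pubkey(value):
    """True only for '<type> <blob> [comment]' whose blob starts with the same <type>."""
    parts = value.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return False                      # also rejects option prefixes such as command=
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return False
    return blob[4:4 + int.from_bytes(blob[:4], "big")] == parts[0].encode()

def authorized_keys(ldif_text, attr="sshPublicKey"):  # the lines sshd reads on stdout
    return [v for a, v in parse_ldif(ldif_text) if a == attr and is_valid_pubkey(v)]
```

In a real AuthorizedKeysCommand wrapper the LDIF would come from running ldapsearch for the `%u` user and the result would be printed one key per line.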