So, OK?

On Tue, May 15, 2018 at 02:24:19PM +0200, Reyk Floeter wrote:
> Hi,
> 
> could we add an LDAP schema file that makes it easier to use sshd's
> "AuthorizedKeysCommand"?
> 
> While most howtos out there agree on the attribute name
> "sshPublicKey", there is no common LDAP schema that implements it.
> Some people patch nis.schema (which seems a bad idea), others add
> their own schema files.
> 
> What about adding our own schema (using OpenBSD's allocated
> 1.3.6.1.4.1.30155 PEN) that includes the required "sshPublicKey"
> attribute?  It can be used to extend existing LDAP users with the
> additional bsdAccount objectClass.
> 
> The "shadowPassword" attribute is useful for ypldap(8) + ldapd(8)
> without login_ldap (for example, userPassword: {BSDAUTH}reyk,
> shadowPassword: $2b$10$...).
> 
> Comments?
> 
> Reyk
> 
> Index: etc/examples/ldapd.conf
> ===================================================================
> RCS file: /cvs/src/etc/examples/ldapd.conf,v
> retrieving revision 1.1
> diff -u -p -u -p -r1.1 ldapd.conf
> --- etc/examples/ldapd.conf   11 Jul 2014 21:20:10 -0000      1.1
> +++ etc/examples/ldapd.conf   15 May 2018 12:09:57 -0000
> @@ -3,6 +3,7 @@
>  schema "/etc/ldap/core.schema"
>  schema "/etc/ldap/inetorgperson.schema"
>  schema "/etc/ldap/nis.schema"
> +schema "/etc/ldap/bsd.schema"
>  
>  listen on lo0
>  listen on "/var/run/ldapi"
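Review bot: keep bsd.schema after nis.schema here. bsdAccount in the new file lists shadowExpire, which is defined in nis.schema, so the file that defines it has to be loaded first; a one-line comment next to the new `schema` line saying that bsd.schema depends on core.schema and nis.schema would save someone who copies only the bsd.schema line. Also check that userClass, which bsdAccount lists in MAY, is actually defined by one of the four files loaded in this example.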
> Index: usr.sbin/ldapd/Makefile
> ===================================================================
> RCS file: /cvs/src/usr.sbin/ldapd/Makefile,v
> retrieving revision 1.15
> diff -u -p -u -p -r1.15 Makefile
> --- usr.sbin/ldapd/Makefile   20 Jan 2017 11:55:08 -0000      1.15
> +++ usr.sbin/ldapd/Makefile   15 May 2018 12:09:57 -0000
> @@ -17,7 +17,8 @@ CFLAGS+=    -Wshadow -Wpointer-arith -Wcast
>  CFLAGS+=     -Wsign-compare
>  CLEANFILES+= y.tab.h parse.c
>  
> -SCHEMA_FILES=        core.schema \
> +SCHEMA_FILES=        bsd.schema \
> +             core.schema \
>               inetorgperson.schema \
>               nis.schema
>  
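Review bot: no objection to the list itself, bsd.schema first keeps it alphabetical and the continuation lines follow the existing indentation. The diff installs the file but touches no manual page; if ldapd.conf(5) enumerates the shipped schema files, bsd.schema and its two attribute names belong there too, since that is where an administrator setting up AuthorizedKeysCommand will look first.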
> Index: usr.sbin/ldapd/schema/bsd.schema
> ===================================================================
> RCS file: usr.sbin/ldapd/schema/bsd.schema
> diff -N usr.sbin/ldapd/schema/bsd.schema
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ usr.sbin/ldapd/schema/bsd.schema  15 May 2018 12:09:57 -0000
> @@ -0,0 +1,17 @@
> +attributetype ( 1.3.6.1.4.1.30155.115.2 NAME 'shadowPassword'
> +     DESC 'POSIX hashed password'
> +     EQUALITY caseExactIA5Match
> +     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
> +
> +attributetype ( 1.3.6.1.4.1.30155.115.3 NAME 'sshPublicKey'
> +     DESC 'SSH public key'
> +     EQUALITY caseExactIA5Match
> +     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
> +
> +objectclass ( 1.3.6.1.4.1.30155.115.1 NAME 'bsdAccount'
> +     SUP top
> +     AUXILIARY
> +     DESC 'Abstraction of an account with OpenBSD attributes'
> +     MUST ( cn $ uid $ shadowPassword )
> +     MAY ( shadowPassword $ shadowExpire $ modifyTimestamp $ userClass $
> +             sshPublicKey ))
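Review bot: shadowPassword appears in both MUST and MAY of bsdAccount, and given the stated purpose of extending existing users with sshPublicKey it should only be in MAY, i.e. `MUST ( cn $ uid )`; as written every entry that takes the objectClass must also carry a password hash. Two smaller points on the attribute definitions: shadowPassword has no SINGLE-VALUE flag, so an entry may hold several hashes and a consumer such as ypldap(8) has to pick one, whereas a password attribute should be single-valued (sshPublicKey being multi-valued is right, one user usually has several keys). And since shadowPassword carries the crypt hash as data rather than a verifier checked by ldapd itself, it needs the same read restrictions as userPassword in the ACLs; a sentence to that effect in ldapd.conf(5) or the example config would be worth adding with this schema.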

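The schema above only stores the key; sshd still needs a helper that fetches it. The script below is an added example, not part of the patch and not OpenBSD code: an AuthorizedKeysCommand that looks up the sshPublicKey values of a bsdAccount entry and prints them one per line, which is what sshd expects. Everything beyond the attribute and objectClass names is assumed: the sshd_config lines, the ldapi:/// URI, the base DN, an OpenLDAP ldapsearch(1) client and a base64(1) that accepts -d, and the sample LDIF is constructed here to exercise the parser offline.

```shell
#!/bin/sh
# Added example (not from the patch or from OpenBSD): sshd
# AuthorizedKeysCommand helper that returns the sshPublicKey values of a
# bsdAccount entry.  Assumed sshd_config lines:
#   AuthorizedKeysCommand /usr/local/libexec/ldap-authkeys %u
#   AuthorizedKeysCommandUser _ldapkeys
# Assumptions not taken from the page: OpenLDAP ldapsearch(1) and a
# base64(1) that understands -d are installed, the directory listens on
# ldapi:///, and user entries live under the base DN below.

LDAP_URI="${LDAP_URI:-ldapi:///}"
LDAP_BASE="${LDAP_BASE:-ou=people,dc=example,dc=com}"

# Only accept login names that cannot change the meaning of the LDAP
# filter: '(', ')', '*', '\' and NUL are special in RFC 4515 filters, and
# %u comes from the connecting client.
valid_user() {
	case "$1" in
	'' | *[!A-Za-z0-9._-]*) return 1 ;;
	*) return 0 ;;
	esac
}

# Turn LDIF on stdin into one public key per line.  LDIF folds long values
# onto continuation lines that start with a space, and base64-encodes
# values that are not safe ASCII, marking them with "sshPublicKey:: ".
ldif_keys() {
	awk '/^ / { buf = buf substr($0, 2); next }
	     { if (buf != "") print buf; buf = $0 }
	     END { if (buf != "") print buf }' |
	while IFS= read -r line; do
		case "$line" in
		'sshPublicKey:: '*)
			printf '%s\n' "${line#sshPublicKey:: }" | base64 -d
			echo
			;;
		'sshPublicKey: '*)
			printf '%s\n' "${line#sshPublicKey: }"
			;;
		esac
	done
}

# Look the user up; sshd treats each output line as an authorized_keys line.
# The objectClass term keeps entries without the bsdAccount class out.
authorized_keys() {
	valid_user "$1" || return 1
	ldapsearch -LLL -x -H "$LDAP_URI" -b "$LDAP_BASE" \
		"(&(objectClass=bsdAccount)(uid=$1))" sshPublicKey | ldif_keys
}

# Constructed LDIF standing in for what ldapsearch would return for one
# entry: a plain value, a folded value and a base64-encoded value.  The
# key material is made up.
SAMPLE_LDIF="dn: uid=reyk,ou=people,dc=example,dc=com
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQ5 reyk@laptop
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ
 C7 reyk@desk
sshPublicKey:: $(printf '%s' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx1 reyk@home' | base64 | tr -d '\n')"

# sshd invokes the script with the user name; with no argument, run the
# parser over the constructed sample instead of talking to a directory.
case "$#" in
0) printf '%s\n' "$SAMPLE_LDIF" | ldif_keys ;;
*) authorized_keys "$1" ;;
esac
```

The entry has to carry the bsdAccount objectClass for the filter to match, which is what the proposed schema makes possible without touching nis.schema. Run the script as a dedicated unprivileged user via AuthorizedKeysCommandUser, and keep the filter built only from a name that passed valid_user: the user name in %u is attacker-chosen input.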