On Thu, 10 Sep 2020 17:03:28 -0400 Aisha Tammy <[email protected]> wrote:
> On 9/10/20 2:03 AM, Robert Klein wrote:
> > On Sat, 5 Sep 2020 18:47:08 -0400
> > Aisha Tammy <[email protected]> wrote:
> >
> >> Sorry for the late reply.
> >>
> >> On 8/12/20 8:19 AM, Robert Klein wrote:
> >>> Hi,
> >>>
> >>> On Wed, 12 Aug 2020 09:00:18 +0200
> >>> Theo Buehler <[email protected]> wrote:
> >>>
> >>>> On Tue, Aug 11, 2020 at 10:22:51PM -0400, Aisha Tammy wrote:
> >>>>> Another bump.
> >>>>
> >>>> I think this is useful and am ok with this.
> >>>>
> >>>> Are there any concerns? If not, I'm going to commit it tomorrow.
> >>>>
> >>>
> >>> For an sshPublicKey attribute, there's a “openssh-lpk” schema
> >>> which seems to be in common use. It's defined as
> >>>
> >>> # octetString SYNTAX
> >>> attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
> >>> DESC 'OpenSSH Public key'
> >>> EQUALITY octetStringMatch
> >>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
> >>>
> >> I prefer the non-octet version mostly because of inconsistent
> >> spacing when
> >>
> >> copy pasting.
> >
> > IA5Match precludes non-ascii comments. BTW, your version has 'SSH
> > public key' as DESC. I suppose it means a 'OpenSSH public key', as
> > above, not a RFC4716 public key which wouldn't make much sense in
> > OpenBSD context I guess.
> >
> Haha, I wasn't even aware SSH public key was a different thing >.<
> (how do y'all know/remember these weird RFCs...)

Honestly, I like to read.

> Updated patch with OpenSSH public key.

I'd still prefer octetstring instead of ia5string. Don't care enough
though to object if someone's willing to ok and commit it.

Best regards
Robert

>
> OK?
>
> Aisha
>
> >
> >>
> >>
> >>
> >>> # printableString SYNTAX yes|no
> >>> objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey'
> >>> SUP top AUXILIARY DESC 'OpenSSH LPK objectclass'
> >>> MUST uid
> >>> MAY sshPublicKey
> >>> )
> >>>
> >>> though there are versions of the “ldapPublicKey” definitions with
> >>> both uid and sshPublicKey in the MUST and both in the MAY clause.
> >>> The “both MAY” version is imho more flexible.
> >>>
> >>>
> >>> The original mail proposing bsd.schema seems to have added both
> >>> “shadowPassword” and “bsdaccount” more as an afterthought, it
> >>> seems.
> >> The bsd account is a bit more flexible than the ldapPublicKey and
> >> can be substituted for this.
> >> I am fine with moving the `uid` to MAY as well, that would be very
> >> nice for virtual user setups, where uid is unimportant and not
> >> used.
> >
> > +1
> >
> >
> > Best regards
> > Robert
> >
> >
> >>
> >> I've attached the updated patch which moves uid to MAY.
> >> I would really like this to be in 6.8.
> >>
> >> OK?
> >>
> >> Thanks,
> >> Aisha
> >>
> >>>
> >>> Best regards
> >>> Robert
> >>>
> >>>
> >>>>
> >>>> Index: etc/examples/ldapd.conf > >>>> =================================================================== > >>>> RCS file: /cvs/src/etc/examples/ldapd.conf,v > >>>> retrieving revision 1.1 > >>>> diff -u -p -u -p -r1.1 ldapd.conf > >>>> --- etc/examples/ldapd.conf 11 Jul 2014 21:20:10 -0000 > >>>> 1.1 +++ etc/examples/ldapd.conf 18 May 2018 10:09:45 -0000 > >>>> @@ -3,6 +3,7 @@ > >>>> schema "/etc/ldap/core.schema" > >>>> schema "/etc/ldap/inetorgperson.schema" > >>>> schema "/etc/ldap/nis.schema" > >>>> +schema "/etc/ldap/bsd.schema" > >>>> > >>>> listen on lo0 > >>>> listen on "/var/run/ldapi" > >>>> Index: usr.sbin/ldapd/Makefile > >>>> =================================================================== > >>>> RCS file: /cvs/src/usr.sbin/ldapd/Makefile,v > >>>> retrieving revision 1.15 > >>>> diff -u -p -u -p -r1.15 Makefile > >>>> --- usr.sbin/ldapd/Makefile 20 Jan 2017 11:55:08 -0000 > >>>> 1.15 +++ usr.sbin/ldapd/Makefile 18 May 2018 10:09:45 > >>>> -0000
@@ -17,7 +17,8 @@ CFLAGS+= -Wshadow -Wpointer-arith > >>>> -Wcast CFLAGS+= -Wsign-compare > >>>> CLEANFILES+= y.tab.h parse.c > >>>> > >>>> -SCHEMA_FILES= core.schema \ > >>>> +SCHEMA_FILES= bsd.schema \ > >>>> + core.schema \ > >>>> inetorgperson.schema \ > >>>> nis.schema > >>>> > >>>> Index: usr.sbin/ldapd/schema/bsd.schema > >>>> =================================================================== > >>>> RCS file: usr.sbin/ldapd/schema/bsd.schema > >>>> diff -N usr.sbin/ldapd/schema/bsd.schema > >>>> --- /dev/null 1 Jan 1970 00:00:00 -0000 > >>>> +++ usr.sbin/ldapd/schema/bsd.schema 18 May 2018 10:09:45 > >>>> -0000 @@ -0,0 +1,17 @@ > >>>> +attributetype ( 1.3.6.1.4.1.30155.115.2 NAME 'shadowPassword' > >>>> + DESC 'POSIX hashed password' > >>>> + EQUALITY caseExactIA5Match > >>>> + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) > >>>> + > >>>> +attributetype ( 1.3.6.1.4.1.30155.115.3 NAME 'sshPublicKey' > >>>> + DESC 'SSH public key' > >>>> + EQUALITY caseExactIA5Match > >>>> + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) > >>>> + > >>>> +objectclass ( 1.3.6.1.4.1.30155.115.1 NAME 'bsdAccount' > >>>> + SUP top > >>>> + AUXILIARY > >>>> + DESC 'Abstraction of an account with OpenBSD > >>>> attributes' > >>>> + MUST ( uid ) > >>>> + MAY ( shadowPassword $ shadowExpire $ modifyTimestamp $ > >>>> userClass $ > >>>> + sshPublicKey )) > >>>> > >>> > >> > > >
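Review bot: the etc/examples/ldapd.conf hunk appends `schema "/etc/ldap/bsd.schema"` after nis.schema, and that ordering matters because the bsdAccount objectclass in the bsd.schema hunk names attributes such as shadowExpire and userClass that bsd.schema itself does not define; a short comment at the top of bsd.schema listing the schema files it depends on would help anyone adding it to an existing ldapd.conf.

Review bot: shadowPassword in the bsd.schema hunk carries a 'POSIX hashed password', but neither the schema nor the ldapd.conf example hunk says anything about restricting read access to it, so a deployment that copies the example would expose the hashes to any client allowed to read the entry; a comment that it needs the same read restriction as userPassword would be worth adding. Note also that this quoted copy still has `DESC 'SSH public key'` and `MUST ( uid )`, which the discussion above says were changed in the attached update, so the hunk as shown here is not the version being OK'd.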

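As an added illustration (not code from this thread or from ldapd) of the two constraints discussed above, the IA5String syntax being ASCII-only and copy-pasted keys carrying inconsistent spacing, this helper normalizes an OpenSSH public-key line before it goes into the proposed sshPublicKey attribute and rejects what the syntax cannot hold; the key-type set and the constructed sample key are assumptions.

```python
import base64
import struct

# IA5String (syntax OID 1.3.6.1.4.1.1466.115.121.1.26, as used in the
# proposed bsd.schema) is 7-bit ASCII, so a comment like "björn@laptop"
# cannot be stored in sshPublicKey.  Added illustration, not ldapd code.
KNOWN_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}  # assumed set


def normalize_openssh_key(line: str) -> str:
    """Return a canonical 'type blob [comment]' string for the attribute,
    or raise ValueError explaining why the line cannot be stored as IA5."""
    if not line.isascii():
        bad = sorted({c for c in line if not c.isascii()})
        raise ValueError(f"non-IA5 characters {bad!r}; IA5String is ASCII only")
    fields = line.split()  # collapses the inconsistent spacing from copy-paste
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    ktype, blob = fields[0], fields[1]
    if ktype not in KNOWN_TYPES:
        raise ValueError(f"unknown key type {ktype!r}")
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"blob is not valid base64: {exc}") from None
    # The blob is the RFC 4253 wire encoding: a uint32 length followed by
    # the key type string, which must agree with the leading text field.
    if len(raw) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + n] != ktype.encode("ascii"):
        raise ValueError("key type inside blob does not match leading field")
    return " ".join(fields)


def storable_as_ia5(line: str) -> bool:
    """True if normalize_openssh_key() accepts the line."""
    try:
        normalize_openssh_key(line)
        return True
    except ValueError:
        return False


def sample_key(comment: str = "test@example") -> str:
    """Constructed ssh-ed25519 line with a dummy 32-byte public key (not a
    real key), encoded the same way OpenSSH encodes the blob."""
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + b"\x01" * 32
    return f"ssh-ed25519 {base64.b64encode(raw).decode('ascii')} {comment}"
```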