Hi,

could we add an LDAP schema file that makes it easier to use sshd's
"AuthorizedKeysCommand"?

While most howtos out there agree on the attribute name
"sshPublicKey", there is no common LDAP schema that implements it.
Some people patch nis.schema (which seems a bad idea), others add
their own schema files.

What about adding our own schema (using OpenBSD's allocated
1.3.6.1.4.1.30155 PEN) that includes the required "sshPublicKey"
attribute?  It can be used to extend existing LDAP users with the
additional bsdAccount objectClass.

The "shadowPassword" attribute is useful for ypldap(8) + ldapd(8)
without login_ldap (for example, userPassword: {BSDAUTH}reyk,
shadowPassword: $2b$10$...).

Comments?

Reyk
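The consumer side of the schema above, as an added example that is not part of this mail or of the OpenBSD tree: a Python helper for an AuthorizedKeysCommand that takes ldapsearch(1)-style LDIF for a bsdAccount entry, unfolds and base64-decodes the sshPublicKey values, and emits only lines whose SSH key blob really names the declared key type, so a malformed or multi-line attribute value cannot smuggle extra authorized_keys entries past the directory. The LDIF sample and key bodies are constructed, and the set of accepted key types is an assumption of this example.

```python
import base64, binascii, struct
# Key types accepted from the directory; anything else (including a line that
# starts with authorized_keys options) is dropped rather than handed to sshd.
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}
def ssh_string(b):                      # SSH wire string: 4-byte length + bytes
    return struct.pack(">I", len(b)) + b
def make_key(keytype, raw):             # synthetic "type base64" line (test data only)
    return keytype + " " + base64.b64encode(ssh_string(keytype.encode()) + ssh_string(raw)).decode()

def parse_ldif_values(ldif, attr):
    """Values of attr: unfold ' '-continued lines, base64-decode '::' values."""
    lines = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]       # LDIF folding: leading space joins lines
        else:
            lines.append(line)
    values = []
    for line in lines:
        if line.startswith(attr + ":: "):
            values.append(base64.b64decode(line[len(attr) + 3:]).decode("utf-8", "replace"))
        elif line.startswith(attr + ": "):
            values.append(line[len(attr) + 2:])
    return values

def valid_authorized_key(value):
    """Accept 'type base64 [comment]' only if the blob really is a key of that type."""
    if "\n" in value or "\r" in value:  # a decoded value must not inject extra lines
        return False
    parts = value.split(None, 2)
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
        n = struct.unpack(">I", blob[:4])[0]   # first wire string names the key type
    except (binascii.Error, struct.error):
        return False
    return blob[4:4 + n] == parts[0].encode()

def authorized_keys_from_ldif(ldif):    # lines an AuthorizedKeysCommand may print
    return [v for v in parse_ldif_values(ldif, "sshPublicKey") if valid_authorized_key(v)]

# Constructed ldapsearch(1)-style output for a bsdAccount entry (not from a real directory):
# a plain value, a base64 value folded over two lines, junk, and a type/blob mismatch.
GOOD = make_key("ssh-ed25519", bytes(range(32)))
FOLDED = base64.b64encode(make_key("ssh-ed25519", bytes(32)).encode()).decode()
SAMPLE_LDIF = ("dn: uid=reyk,ou=people,dc=example,dc=com\nobjectClass: bsdAccount\nuid: reyk\n"
               f"sshPublicKey: {GOOD} reyk@example\n"
               f"sshPublicKey:: {FOLDED[:40]}\n {FOLDED[40:]}\n"
               f"sshPublicKey: not-a-key at all\nsshPublicKey: ssh-rsa {GOOD.split()[1]}\n")
```

Running `authorized_keys_from_ldif(SAMPLE_LDIF)` yields only the two well-formed ed25519 lines; the junk value and the key whose blob says ssh-ed25519 while the line claims ssh-rsa are both dropped.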

Index: etc/examples/ldapd.conf
===================================================================
RCS file: /cvs/src/etc/examples/ldapd.conf,v
retrieving revision 1.1
diff -u -p -u -p -r1.1 ldapd.conf
--- etc/examples/ldapd.conf     11 Jul 2014 21:20:10 -0000      1.1
+++ etc/examples/ldapd.conf     15 May 2018 12:09:57 -0000
@@ -3,6 +3,7 @@
 schema "/etc/ldap/core.schema"
 schema "/etc/ldap/inetorgperson.schema"
 schema "/etc/ldap/nis.schema"
+schema "/etc/ldap/bsd.schema"
 
 listen on lo0
 listen on "/var/run/ldapi"
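Review bot: load order is significant and this hunk gets it right, but nothing says so: bsdAccount in bsd.schema refers to attributes the earlier files define (cn and uid from core.schema, shadowExpire from nis.schema), so `schema "/etc/ldap/bsd.schema"` has to stay after `schema "/etc/ldap/nis.schema"`; a one-line comment would stop someone from re-sorting the list alphabetically the way the Makefile's SCHEMA_FILES is sorted. Separately, this example now loads a schema whose shadowPassword attribute carries a password hash, and the shown context contains nothing that restricts who may read it; since the example config is what people copy, it would be worth documenting an access rule for shadowPassword here, matching whatever protection userPassword gets.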
Index: usr.sbin/ldapd/Makefile
===================================================================
RCS file: /cvs/src/usr.sbin/ldapd/Makefile,v
retrieving revision 1.15
diff -u -p -u -p -r1.15 Makefile
--- usr.sbin/ldapd/Makefile     20 Jan 2017 11:55:08 -0000      1.15
+++ usr.sbin/ldapd/Makefile     15 May 2018 12:09:57 -0000
@@ -17,7 +17,8 @@ CFLAGS+=      -Wshadow -Wpointer-arith -Wcast
 CFLAGS+=       -Wsign-compare
 CLEANFILES+=   y.tab.h parse.c
 
-SCHEMA_FILES=  core.schema \
+SCHEMA_FILES=  bsd.schema \
+               core.schema \
                inetorgperson.schema \
                nis.schema
 
Index: usr.sbin/ldapd/schema/bsd.schema
===================================================================
RCS file: usr.sbin/ldapd/schema/bsd.schema
diff -N usr.sbin/ldapd/schema/bsd.schema
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ usr.sbin/ldapd/schema/bsd.schema    15 May 2018 12:09:57 -0000
@@ -0,0 +1,17 @@
+attributetype ( 1.3.6.1.4.1.30155.115.2 NAME 'shadowPassword'
+       DESC 'POSIX hashed password'
+       EQUALITY caseExactIA5Match
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.30155.115.3 NAME 'sshPublicKey'
+       DESC 'SSH public key'
+       EQUALITY caseExactIA5Match
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+objectclass ( 1.3.6.1.4.1.30155.115.1 NAME 'bsdAccount'
+       SUP top
+       AUXILIARY
+       DESC 'Abstraction of an account with OpenBSD attributes'
+       MUST ( cn $ uid $ shadowPassword )
+       MAY ( shadowPassword $ shadowExpire $ modifyTimestamp $ userClass $
+               sshPublicKey ))
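Review bot: shadowPassword appears in both the MUST list (`MUST ( cn $ uid $ shadowPassword )`) and the MAY list (`MAY ( shadowPassword $ shadowExpire $ ...`) of bsdAccount; it should be in exactly one. Given the mail's stated purpose of attaching sshPublicKey to existing users, MAY is the better home, since a MUST would force a password hash onto every entry that only wants a key; suggest `MUST ( cn $ uid )` and leaving shadowPassword in MAY. Two smaller points: modifyTimestamp is an operational attribute maintained by the server, so listing it in a user-defined object class's MAY is unusual and deserves a comment saying why it is there (ypldap(8), presumably); and neither attribute is marked SINGLE-VALUE, which is right for sshPublicKey (a user may have several keys) but questionable for shadowPassword, where more than one hash per account is almost certainly a mistake worth having the schema reject.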