ldapd: adding bsd.schema

ldapd: adding bsd.schema

Aisha Tammy-3
Hi,
  I am reviving an old thread from
https://marc.info/?l=openbsd-tech&m=152663835315469&w=4
(I did cc reyk@, sorry if it is noise)

For some reason it seems like the patch didn't go through...

I am reattaching it here, maybe someone can take a look and
see if it can be merged?
Getting sshPublicKey would be really nice!

Aisha
 

Index: etc/examples/ldapd.conf
===================================================================
RCS file: /cvs/src/etc/examples/ldapd.conf,v
retrieving revision 1.1
diff -u -p -u -p -r1.1 ldapd.conf
--- etc/examples/ldapd.conf 11 Jul 2014 21:20:10 -0000 1.1
+++ etc/examples/ldapd.conf 18 May 2018 10:09:45 -0000
@@ -3,6 +3,7 @@
 schema "/etc/ldap/core.schema"
 schema "/etc/ldap/inetorgperson.schema"
 schema "/etc/ldap/nis.schema"
+schema "/etc/ldap/bsd.schema"
 
 listen on lo0
 listen on "/var/run/ldapi"
Index: usr.sbin/ldapd/Makefile
===================================================================
RCS file: /cvs/src/usr.sbin/ldapd/Makefile,v
retrieving revision 1.15
diff -u -p -u -p -r1.15 Makefile
--- usr.sbin/ldapd/Makefile 20 Jan 2017 11:55:08 -0000 1.15
+++ usr.sbin/ldapd/Makefile 18 May 2018 10:09:45 -0000
@@ -17,7 +17,8 @@ CFLAGS+= -Wshadow -Wpointer-arith -Wcast
 CFLAGS+= -Wsign-compare
 CLEANFILES+= y.tab.h parse.c
 
-SCHEMA_FILES= core.schema \
+SCHEMA_FILES= bsd.schema \
+ core.schema \
  inetorgperson.schema \
  nis.schema
 
Index: usr.sbin/ldapd/schema/bsd.schema
===================================================================
RCS file: usr.sbin/ldapd/schema/bsd.schema
diff -N usr.sbin/ldapd/schema/bsd.schema
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ usr.sbin/ldapd/schema/bsd.schema 18 May 2018 10:09:45 -0000
@@ -0,0 +1,17 @@
+attributetype ( 1.3.6.1.4.1.30155.115.2 NAME 'shadowPassword'
+ DESC 'POSIX hashed password'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.30155.115.3 NAME 'sshPublicKey'
+ DESC 'SSH public key'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+objectclass ( 1.3.6.1.4.1.30155.115.1 NAME 'bsdAccount'
+ SUP top
+ AUXILIARY
+ DESC 'Abstraction of an account with OpenBSD attributes'
+ MUST ( uid )
+ MAY ( shadowPassword $ shadowExpire $ modifyTimestamp $ userClass $
+ sshPublicKey ))


Re: ldapd: adding bsd.schema

Aisha Tammy-3
On 7/26/20 5:21 PM, Aisha Tammy wrote:

> Hi,
>   I am reviving an old thread from
> https://marc.info/?l=openbsd-tech&m=152663835315469&w=4
> (I did cc reyk@, sorry if it is noise)
>
> For some reason it seems like the patch didn't go through...
>
> I am reattaching it here, maybe someone can take a look and
> see if it can be merged?
> Getting sshPublicKey would be really nice!
>
> Aisha
>  

reattaching it because thunderbird....


Re: ldapd: adding bsd.schema

Aisha Tammy-3
On 7/26/20 5:25 PM, Aisha Tammy wrote:

> On 7/26/20 5:21 PM, Aisha Tammy wrote:
>> Hi,
>>   I am reviving an old thread from
>> https://marc.info/?l=openbsd-tech&m=152663835315469&w=4
>> (I did cc reyk@, sorry if it is noise)
>>
>> For some reason it seems like the patch didn't go through...
>>
>> I am reattaching it here, maybe someone can take a look and
>> see if it can be merged?
>> Getting sshPublicKey would be really nice!
>>
>> Aisha
>>  
>
>
> reattaching it because thunderbird....
>

Bump, can anyone see if this is fine?

Thanks,
Aisha


Re: ldapd: adding bsd.schema

Aisha Tammy-3
On 8/2/20 9:34 AM, Aisha Tammy wrote:

> On 7/26/20 5:25 PM, Aisha Tammy wrote:
>> On 7/26/20 5:21 PM, Aisha Tammy wrote:
>>> Hi,
>>>   I am reviving an old thread from
>>> https://marc.info/?l=openbsd-tech&m=152663835315469&w=4
>>> (I did cc reyk@, sorry if it is noise)
>>>
>>> For some reason it seems like the patch didn't go through...
>>>
>>> I am reattaching it here, maybe someone can take a look and
>>> see if it can be merged?
>>> Getting sshPublicKey would be really nice!
>>>
>>> Aisha
>>>  
>>
>>
>> reattaching it because thunderbird....
>>
>
> Bump, can anyone see if this is fine?
>
> Thanks,
> Aisha
>

Another bump.

Aisha


Re: ldapd: adding bsd.schema

Theo Buehler-3
On Tue, Aug 11, 2020 at 10:22:51PM -0400, Aisha Tammy wrote:
> Another bump.

I think this is useful and am ok with this.

Are there any concerns? If not, I'm going to commit it tomorrow.

Index: etc/examples/ldapd.conf
===================================================================
RCS file: /cvs/src/etc/examples/ldapd.conf,v
retrieving revision 1.1
diff -u -p -u -p -r1.1 ldapd.conf
--- etc/examples/ldapd.conf 11 Jul 2014 21:20:10 -0000 1.1
+++ etc/examples/ldapd.conf 18 May 2018 10:09:45 -0000
@@ -3,6 +3,7 @@
 schema "/etc/ldap/core.schema"
 schema "/etc/ldap/inetorgperson.schema"
 schema "/etc/ldap/nis.schema"
+schema "/etc/ldap/bsd.schema"
 
 listen on lo0
 listen on "/var/run/ldapi"
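Review bot: the added schema line depends on the three lines above it and deserves a comment saying so. bsdAccount's MAY list (in the bsd.schema hunk below) references shadowExpire, modifyTimestamp and userClass, none of which bsd.schema defines itself, so bsd.schema has to be listed after core.schema and nis.schema. The example gets the order right, but a reader who reorders or trims the schema lines has nothing telling them that the order matters; a one-line comment above the new line would fix that.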
Index: usr.sbin/ldapd/Makefile
===================================================================
RCS file: /cvs/src/usr.sbin/ldapd/Makefile,v
retrieving revision 1.15
diff -u -p -u -p -r1.15 Makefile
--- usr.sbin/ldapd/Makefile 20 Jan 2017 11:55:08 -0000 1.15
+++ usr.sbin/ldapd/Makefile 18 May 2018 10:09:45 -0000
@@ -17,7 +17,8 @@ CFLAGS+= -Wshadow -Wpointer-arith -Wcast
 CFLAGS+= -Wsign-compare
 CLEANFILES+= y.tab.h parse.c
 
-SCHEMA_FILES= core.schema \
+SCHEMA_FILES= bsd.schema \
+ core.schema \
  inetorgperson.schema \
  nis.schema
 
Index: usr.sbin/ldapd/schema/bsd.schema
===================================================================
RCS file: usr.sbin/ldapd/schema/bsd.schema
diff -N usr.sbin/ldapd/schema/bsd.schema
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ usr.sbin/ldapd/schema/bsd.schema 18 May 2018 10:09:45 -0000
@@ -0,0 +1,17 @@
+attributetype ( 1.3.6.1.4.1.30155.115.2 NAME 'shadowPassword'
+ DESC 'POSIX hashed password'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.30155.115.3 NAME 'sshPublicKey'
+ DESC 'SSH public key'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+objectclass ( 1.3.6.1.4.1.30155.115.1 NAME 'bsdAccount'
+ SUP top
+ AUXILIARY
+ DESC 'Abstraction of an account with OpenBSD attributes'
+ MUST ( uid )
+ MAY ( shadowPassword $ shadowExpire $ modifyTimestamp $ userClass $
+ sshPublicKey ))
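Review bot: shadowPassword carries a password hash (DESC 'POSIX hashed password'), but nothing in this diff restricts who can read it; the ldapd.conf hunk above only adds the schema line, so the example config should also show an ACL that denies read access to shadowPassword for everything except the account that authenticates users, otherwise every client permitted to search the subtree can read the hashes. Two smaller points on the same hunk: sshPublicKey's DESC 'SSH public key' should name the format expected (one OpenSSH authorized_keys line per value) and note that SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 is IA5String, i.e. ASCII only, so a key comment containing non-ASCII characters will be rejected; and MUST ( uid ) means an entry cannot carry a key without a uid, which rules out virtual-user setups that have none, so consider moving uid into the MAY list.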


Re: ldapd: adding bsd.schema

Robert Klein
Hi,

On Wed, 12 Aug 2020 09:00:18 +0200
Theo Buehler <[hidden email]> wrote:

> On Tue, Aug 11, 2020 at 10:22:51PM -0400, Aisha Tammy wrote:
> > Another bump.  
>
> I think this is useful and am ok with this.
>
> Are there any concerns? If not, I'm going to commit it tomorrow.

for an sshPublicKey attribute, there's an “openssh-lpk” schema which
seems to be in common use.  It's defined as

# octetString SYNTAX
attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
        DESC 'OpenSSH Public key'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

# printableString SYNTAX yes|no
objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP
top AUXILIARY DESC 'OpenSSH LPK objectclass'
        MUST uid
        MAY sshPublicKey
        )

though there are versions of the “ldapPublicKey” definitions with both
uid and sshPublicKey in the MUST and both in the MAY clause.  The
“both MAY” version is imho more flexible.


The original mail proposing bsd.schema seems to have added both
“shadowPassword” and “bsdAccount” more as an afterthought, it seems.


Best regards
Robert


>
> Index: etc/examples/ldapd.conf
> ===================================================================
> RCS file: /cvs/src/etc/examples/ldapd.conf,v
> retrieving revision 1.1
> diff -u -p -u -p -r1.1 ldapd.conf
> --- etc/examples/ldapd.conf 11 Jul 2014 21:20:10 -0000
> 1.1 +++ etc/examples/ldapd.conf 18 May 2018 10:09:45 -0000
> @@ -3,6 +3,7 @@
>  schema "/etc/ldap/core.schema"
>  schema "/etc/ldap/inetorgperson.schema"
>  schema "/etc/ldap/nis.schema"
> +schema "/etc/ldap/bsd.schema"
>  
>  listen on lo0
>  listen on "/var/run/ldapi"
> Index: usr.sbin/ldapd/Makefile
> ===================================================================
> RCS file: /cvs/src/usr.sbin/ldapd/Makefile,v
> retrieving revision 1.15
> diff -u -p -u -p -r1.15 Makefile
> --- usr.sbin/ldapd/Makefile 20 Jan 2017 11:55:08 -0000
> 1.15 +++ usr.sbin/ldapd/Makefile 18 May 2018 10:09:45 -0000
> @@ -17,7 +17,8 @@ CFLAGS+= -Wshadow -Wpointer-arith -Wcast
>  CFLAGS+= -Wsign-compare
>  CLEANFILES+= y.tab.h parse.c
>  
> -SCHEMA_FILES= core.schema \
> +SCHEMA_FILES= bsd.schema \
> + core.schema \
>   inetorgperson.schema \
>   nis.schema
>  
> Index: usr.sbin/ldapd/schema/bsd.schema
> ===================================================================
> RCS file: usr.sbin/ldapd/schema/bsd.schema
> diff -N usr.sbin/ldapd/schema/bsd.schema
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ usr.sbin/ldapd/schema/bsd.schema 18 May 2018 10:09:45 -0000
> @@ -0,0 +1,17 @@
> +attributetype ( 1.3.6.1.4.1.30155.115.2 NAME 'shadowPassword'
> + DESC 'POSIX hashed password'
> + EQUALITY caseExactIA5Match
> + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
> +
> +attributetype ( 1.3.6.1.4.1.30155.115.3 NAME 'sshPublicKey'
> + DESC 'SSH public key'
> + EQUALITY caseExactIA5Match
> + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
> +
> +objectclass ( 1.3.6.1.4.1.30155.115.1 NAME 'bsdAccount'
> + SUP top
> + AUXILIARY
> + DESC 'Abstraction of an account with OpenBSD attributes'
> + MUST ( uid )
> + MAY ( shadowPassword $ shadowExpire $ modifyTimestamp $
> userClass $
> + sshPublicKey ))
>


Re: ldapd: adding bsd.schema

Aisha Tammy-3
Sorry for the late reply.

On 8/12/20 8:19 AM, Robert Klein wrote:

> Hi,
>
> On Wed, 12 Aug 2020 09:00:18 +0200
> Theo Buehler <[hidden email]> wrote:
>
>> On Tue, Aug 11, 2020 at 10:22:51PM -0400, Aisha Tammy wrote:
>>> Another bump.  
>>
>> I think this is useful and am ok with this.
>>
>> Are there any concerns? If not, I'm going to commit it tomorrow.
>
> for an sshPublicKey attribute, there's an “openssh-lpk” schema which
> seems to be in common use.  It's defined as
>
> # octetString SYNTAX
> attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
> DESC 'OpenSSH Public key'
> EQUALITY octetStringMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
>
I prefer the non-octet version mostly because of inconsistent spacing when
copy-pasting.



> # printableString SYNTAX yes|no
> objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP
> top AUXILIARY DESC 'OpenSSH LPK objectclass'
> MUST uid
> MAY sshPublicKey
> )
>
> though there are versions of the “ldapPublicKey” definitions with both
> uid and sshPublicKey in the MUST and both in the MAY clause.  The
> “both MAY” version is imho more flexible.
>
>
> The original mail proposing bsd.schema seems to have added both
> “shadowPassword” and “bsdAccount” more as an afterthought, it seems.
>
The bsd account is a bit more flexible than the ldapPublicKey and can be substituted
for this.
I am fine with moving the `uid` to MAY as well, that would be very nice for virtual
user setups, where uid is unimportant and not used.

I've attached the updated patch which moves uid to MAY.
I would really like this to be in 6.8.

OK?

Thanks,
Aisha

>
> Best regards
> Robert
>
>
>>
>> Index: etc/examples/ldapd.conf
>> ===================================================================
>> RCS file: /cvs/src/etc/examples/ldapd.conf,v
>> retrieving revision 1.1
>> diff -u -p -u -p -r1.1 ldapd.conf
>> --- etc/examples/ldapd.conf 11 Jul 2014 21:20:10 -0000
>> 1.1 +++ etc/examples/ldapd.conf 18 May 2018 10:09:45 -0000
>> @@ -3,6 +3,7 @@
>>  schema "/etc/ldap/core.schema"
>>  schema "/etc/ldap/inetorgperson.schema"
>>  schema "/etc/ldap/nis.schema"
>> +schema "/etc/ldap/bsd.schema"
>>  
>>  listen on lo0
>>  listen on "/var/run/ldapi"
>> Index: usr.sbin/ldapd/Makefile
>> ===================================================================
>> RCS file: /cvs/src/usr.sbin/ldapd/Makefile,v
>> retrieving revision 1.15
>> diff -u -p -u -p -r1.15 Makefile
>> --- usr.sbin/ldapd/Makefile 20 Jan 2017 11:55:08 -0000
>> 1.15 +++ usr.sbin/ldapd/Makefile 18 May 2018 10:09:45 -0000
>> @@ -17,7 +17,8 @@ CFLAGS+= -Wshadow -Wpointer-arith -Wcast
>>  CFLAGS+= -Wsign-compare
>>  CLEANFILES+= y.tab.h parse.c
>>  
>> -SCHEMA_FILES= core.schema \
>> +SCHEMA_FILES= bsd.schema \
>> + core.schema \
>>   inetorgperson.schema \
>>   nis.schema
>>  
>> Index: usr.sbin/ldapd/schema/bsd.schema
>> ===================================================================
>> RCS file: usr.sbin/ldapd/schema/bsd.schema
>> diff -N usr.sbin/ldapd/schema/bsd.schema
>> --- /dev/null 1 Jan 1970 00:00:00 -0000
>> +++ usr.sbin/ldapd/schema/bsd.schema 18 May 2018 10:09:45 -0000
>> @@ -0,0 +1,17 @@
>> +attributetype ( 1.3.6.1.4.1.30155.115.2 NAME 'shadowPassword'
>> + DESC 'POSIX hashed password'
>> + EQUALITY caseExactIA5Match
>> + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>> +
>> +attributetype ( 1.3.6.1.4.1.30155.115.3 NAME 'sshPublicKey'
>> + DESC 'SSH public key'
>> + EQUALITY caseExactIA5Match
>> + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>> +
>> +objectclass ( 1.3.6.1.4.1.30155.115.1 NAME 'bsdAccount'
>> + SUP top
>> + AUXILIARY
>> + DESC 'Abstraction of an account with OpenBSD attributes'
>> + MUST ( uid )
>> + MAY ( shadowPassword $ shadowExpire $ modifyTimestamp $
>> userClass $
>> + sshPublicKey ))
>>
>



Re: ldapd: adding bsd.schema

Robert Klein
On Sat, 5 Sep 2020 18:47:08 -0400
Aisha Tammy <[hidden email]> wrote:

> Sorry for the late reply.
>
> On 8/12/20 8:19 AM, Robert Klein wrote:
> > Hi,
> >
> > On Wed, 12 Aug 2020 09:00:18 +0200
> > Theo Buehler <[hidden email]> wrote:
> >
> >> On Tue, Aug 11, 2020 at 10:22:51PM -0400, Aisha Tammy wrote:
> >>> Another bump.  
> >>
> >> I think this is useful and am ok with this.
> >>
> >> Are there any concerns? If not, I'm going to commit it tomorrow.
> >
> > for an sshPublicKey attribute, there's an “openssh-lpk” schema which
> > seems to be in common use.  It's defined as
> >
> > # octetString SYNTAX
> > attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
> > DESC 'OpenSSH Public key'
> > EQUALITY octetStringMatch
> > SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
> >
> I prefer the non-octet version mostly because of inconsistent spacing
> when copy-pasting.

IA5Match precludes non-ASCII comments.  BTW, your version has 'SSH
public key' as DESC.  I suppose it means an 'OpenSSH public key', as
above, not an RFC4716 public key, which wouldn't make much sense in an
OpenBSD context I guess.


>
>
>
> > # printableString SYNTAX yes|no
> > objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP
> > top AUXILIARY DESC 'OpenSSH LPK objectclass'
> > MUST uid
> > MAY sshPublicKey
> > )
> >
> > though there are versions of the “ldapPublicKey” definitions with
> > both uid and sshPublicKey in the MUST and both in the MAY clause.
> > The “both MAY” version is imho more flexible.
> >
> >
> > The original mail proposing bsd.schema seems to have added both
> > “shadowPassword” and “bsdAccount” more as an afterthought, it seems.
> >
> The bsd account is a bit more flexible than the ldapPublicKey and can
> be substituted for this.
> I am fine with moving the `uid` to MAY as well, that would be very
> nice for virtual user setups, where uid is unimportant and not used.

+1


Best regards
Robert


>
> I've attached the updated patch which moves uid to MAY.
> I would really like this to be in 6.8.
>
> OK?
>
> Thanks,
> Aisha
>
> >
> > Best regards
> > Robert
> >
> >
> >>
> >> Index: etc/examples/ldapd.conf
> >> ===================================================================
> >> RCS file: /cvs/src/etc/examples/ldapd.conf,v
> >> retrieving revision 1.1
> >> diff -u -p -u -p -r1.1 ldapd.conf
> >> --- etc/examples/ldapd.conf 11 Jul 2014 21:20:10 -0000
> >> 1.1 +++ etc/examples/ldapd.conf 18 May 2018 10:09:45 -0000
> >> @@ -3,6 +3,7 @@
> >>  schema "/etc/ldap/core.schema"
> >>  schema "/etc/ldap/inetorgperson.schema"
> >>  schema "/etc/ldap/nis.schema"
> >> +schema "/etc/ldap/bsd.schema"
> >>  
> >>  listen on lo0
> >>  listen on "/var/run/ldapi"
> >> Index: usr.sbin/ldapd/Makefile
> >> ===================================================================
> >> RCS file: /cvs/src/usr.sbin/ldapd/Makefile,v
> >> retrieving revision 1.15
> >> diff -u -p -u -p -r1.15 Makefile
> >> --- usr.sbin/ldapd/Makefile 20 Jan 2017 11:55:08 -0000
> >> 1.15 +++ usr.sbin/ldapd/Makefile 18 May 2018 10:09:45 -0000
> >> @@ -17,7 +17,8 @@ CFLAGS+= -Wshadow -Wpointer-arith -Wcast
> >>  CFLAGS+= -Wsign-compare
> >>  CLEANFILES+= y.tab.h parse.c
> >>  
> >> -SCHEMA_FILES= core.schema \
> >> +SCHEMA_FILES= bsd.schema \
> >> + core.schema \
> >>   inetorgperson.schema \
> >>   nis.schema
> >>  
> >> Index: usr.sbin/ldapd/schema/bsd.schema
> >> ===================================================================
> >> RCS file: usr.sbin/ldapd/schema/bsd.schema
> >> diff -N usr.sbin/ldapd/schema/bsd.schema
> >> --- /dev/null 1 Jan 1970 00:00:00 -0000
> >> +++ usr.sbin/ldapd/schema/bsd.schema 18 May 2018 10:09:45
> >> -0000 @@ -0,0 +1,17 @@
> >> +attributetype ( 1.3.6.1.4.1.30155.115.2 NAME 'shadowPassword'
> >> + DESC 'POSIX hashed password'
> >> + EQUALITY caseExactIA5Match
> >> + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
> >> +
> >> +attributetype ( 1.3.6.1.4.1.30155.115.3 NAME 'sshPublicKey'
> >> + DESC 'SSH public key'
> >> + EQUALITY caseExactIA5Match
> >> + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
> >> +
> >> +objectclass ( 1.3.6.1.4.1.30155.115.1 NAME 'bsdAccount'
> >> + SUP top
> >> + AUXILIARY
> >> + DESC 'Abstraction of an account with OpenBSD attributes'
> >> + MUST ( uid )
> >> + MAY ( shadowPassword $ shadowExpire $ modifyTimestamp $
> >> userClass $
> >> + sshPublicKey ))
> >>
> >
>
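The three points argued in this exchange, as an added example that is not part of the thread or of ldapd: a small Python parser for the attributetype/objectclass definitions quoted above that checks an entry against bsdAccount (with uid moved to MAY, as agreed) and against openssh-lpk's ldapPublicKey (MUST uid), and enforces the IA5String versus octetString difference on a key whose comment contains a non-ASCII character, plus the single-line OpenSSH authorized_keys format rather than an RFC 4716 block. The schema strings are copied from the thread; constructed_key() builds a format-valid dummy ssh-ed25519 key, not a real one.

```python
"""Added example, not ldapd or OpenBSD code: checks LDAP entries against the sshPublicKey
schemas quoted in this thread (bsd.schema with uid moved to MAY, as agreed, and openssh-lpk)."""
import base64, re, struct
BSD_SCHEMA = """
attributetype ( 1.3.6.1.4.1.30155.115.2 NAME 'shadowPassword' DESC 'POSIX hashed password'
 EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.30155.115.3 NAME 'sshPublicKey' DESC 'OpenSSH public key'
 EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 1.3.6.1.4.1.30155.115.1 NAME 'bsdAccount' SUP top AUXILIARY
 DESC 'Abstraction of an account with OpenBSD attributes'
 MAY ( uid $ shadowPassword $ shadowExpire $ modifyTimestamp $ userClass $
 sshPublicKey ))
"""
LPK_SCHEMA = """
attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DESC 'OpenSSH Public key'
        EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP
top AUXILIARY DESC 'OpenSSH LPK objectclass'
        MUST uid
        MAY sshPublicKey
        )
"""
IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"  # 7-bit ASCII only; octetString (.40) takes any bytes

def _definitions(text):
    """Yield (keyword, body) per definition, balancing parens so bsdAccount's '))' is handled."""
    for m in re.finditer(r"\b(attributetype|objectclass)\s*\(", text):
        depth, i = 1, m.end()
        while depth:
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def _names(body, keyword):
    """Names after MUST/MAY, written either as '( a $ b )' or as one bare name."""
    m = re.search(r"\b%s\s+(?:\(\s*([^)]*?)\s*\)|(\S+))" % keyword, body)
    raw = "" if m is None else (m.group(1) if m.group(1) is not None else m.group(2))
    return [n for n in re.split(r"\s*\$\s*|\s+", raw.strip()) if n]

def parse_schema(text):
    """Return ({attrName: syntaxOID}, {className: (must, may)})."""
    attrs, classes = {}, {}
    for kind, body in _definitions(text):
        name = re.search(r"NAME\s+'([^']+)'", body).group(1)
        if kind == "attributetype":
            attrs[name] = re.search(r"SYNTAX\s+([\d.]+)", body).group(1)
        else:
            classes[name] = (_names(body, "MUST"), _names(body, "MAY"))
    return attrs, classes

def openssh_key_line(value):
    """One authorized_keys line whose base64 blob starts with its own key type (OpenSSH wire format)."""
    parts = value.strip().split(None, 2)
    if len(parts) < 2 or "\n" in value.strip():
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    return len(blob) >= 4 and blob[4:4 + struct.unpack(">I", blob[:4])[0]] == parts[0].encode()

def validate_entry(entry, schema):
    """Violations of entry ({attr: [values]}) against a parsed schema; undefined attributes are skipped."""
    (attrs, classes), problems = schema, []
    for oc in entry.get("objectClass", []):
        must = classes.get(oc, ([], []))[0]
        problems += ["%s: missing MUST attribute %s" % (oc, a) for a in must if not entry.get(a)]
    for attr, values in entry.items():
        for v in values if attr in attrs else []:
            if attrs[attr] == IA5_STRING and not v.isascii():
                problems.append("%s: non-ASCII value rejected by IA5String syntax" % attr)
            if attr == "sshPublicKey" and not openssh_key_line(v):
                problems.append("%s: not a single OpenSSH authorized_keys line" % attr)
    return problems

def constructed_key(comment):
    """Format-valid ssh-ed25519 line around a dummy 32-byte key (constructed, not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)

BSD, LPK = parse_schema(BSD_SCHEMA), parse_schema(LPK_SCHEMA)
# No uid: OK for bsdAccount (uid in MAY), not for ldapPublicKey; UTF-8 comment: OK for octetString, not IA5String.
VIRTUAL_USER = {"objectClass": ["bsdAccount"], "sshPublicKey": [constructed_key("deploy@example")]}
ACCENTED = {"objectClass": ["ldapPublicKey"], "uid": ["jean"], "sshPublicKey": [constructed_key("clé@example")]}
```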


Re: ldapd: adding bsd.schema

Aisha Tammy-3
On 9/10/20 2:03 AM, Robert Klein wrote:

> On Sat, 5 Sep 2020 18:47:08 -0400
> Aisha Tammy <[hidden email]> wrote:
>
>> Sorry for the late reply.
>>
>> On 8/12/20 8:19 AM, Robert Klein wrote:
>>> Hi,
>>>
>>> On Wed, 12 Aug 2020 09:00:18 +0200
>>> Theo Buehler <[hidden email]> wrote:
>>>
>>>> On Tue, Aug 11, 2020 at 10:22:51PM -0400, Aisha Tammy wrote:
>>>>> Another bump.  
>>>>
>>>> I think this is useful and am ok with this.
>>>>
>>>> Are there any concerns? If not, I'm going to commit it tomorrow.
>>>
>>> for an sshPublicKey attribute, there's an “openssh-lpk” schema which
>>> seems to be in common use.  It's defined as
>>>
>>> # octetString SYNTAX
>>> attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
>>> DESC 'OpenSSH Public key'
>>> EQUALITY octetStringMatch
>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
>>>
>> I prefer the non-octet version mostly because of inconsistent spacing
>> when copy-pasting.
>
> IA5Match precludes non-ASCII comments.  BTW, your version has 'SSH
> public key' as DESC.  I suppose it means an 'OpenSSH public key', as
> above, not an RFC4716 public key, which wouldn't make much sense in an
> OpenBSD context I guess.
>
Haha, I wasn't even aware an SSH public key was a different thing >.<
(how do y'all know/remember these weird RFCs...)
Updated patch with OpenSSH public key.

OK?

Aisha

>
>>
>>
>>
>>> # printableString SYNTAX yes|no
>>> objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP
>>> top AUXILIARY DESC 'OpenSSH LPK objectclass'
>>> MUST uid
>>> MAY sshPublicKey
>>> )
>>>
>>> though there are versions of the “ldapPublicKey” definitions with
>>> both uid and sshPublicKey in the MUST and both in the MAY clause.
>>> The “both MAY” version is imho more flexible.
>>>
>>>
>>> The original mail proposing bsd.schema seems to have added both
>>> “shadowPassword” and “bsdAccount” more as an afterthought, it seems.
>>>
>> The bsd account is a bit more flexible than the ldapPublicKey and can
>> be substituted for this.
>> I am fine with moving the `uid` to MAY as well, that would be very
>> nice for virtual user setups, where uid is unimportant and not used.
>
> +1
>
>
> Best regards
> Robert
>
>
>>
>> I've attached the updated patch which moves uid to MAY.
>> I would really like this to be in 6.8.
>>
>> OK?
>>
>> Thanks,
>> Aisha
>>
>>>
>>> Best regards
>>> Robert
>>>
>>>
>>>>
>>>> Index: etc/examples/ldapd.conf
>>>> ===================================================================
>>>> RCS file: /cvs/src/etc/examples/ldapd.conf,v
>>>> retrieving revision 1.1
>>>> diff -u -p -u -p -r1.1 ldapd.conf
>>>> --- etc/examples/ldapd.conf 11 Jul 2014 21:20:10 -0000
>>>> 1.1 +++ etc/examples/ldapd.conf 18 May 2018 10:09:45 -0000
>>>> @@ -3,6 +3,7 @@
>>>>  schema "/etc/ldap/core.schema"
>>>>  schema "/etc/ldap/inetorgperson.schema"
>>>>  schema "/etc/ldap/nis.schema"
>>>> +schema "/etc/ldap/bsd.schema"
>>>>  
>>>>  listen on lo0
>>>>  listen on "/var/run/ldapi"
>>>> Index: usr.sbin/ldapd/Makefile
>>>> ===================================================================
>>>> RCS file: /cvs/src/usr.sbin/ldapd/Makefile,v
>>>> retrieving revision 1.15
>>>> diff -u -p -u -p -r1.15 Makefile
>>>> --- usr.sbin/ldapd/Makefile 20 Jan 2017 11:55:08 -0000
>>>> 1.15 +++ usr.sbin/ldapd/Makefile 18 May 2018 10:09:45 -0000
>>>> @@ -17,7 +17,8 @@ CFLAGS+= -Wshadow -Wpointer-arith -Wcast
>>>>  CFLAGS+= -Wsign-compare
>>>>  CLEANFILES+= y.tab.h parse.c
>>>>  
>>>> -SCHEMA_FILES= core.schema \
>>>> +SCHEMA_FILES= bsd.schema \
>>>> + core.schema \
>>>>   inetorgperson.schema \
>>>>   nis.schema
>>>>  
>>>> Index: usr.sbin/ldapd/schema/bsd.schema
>>>> ===================================================================
>>>> RCS file: usr.sbin/ldapd/schema/bsd.schema
>>>> diff -N usr.sbin/ldapd/schema/bsd.schema
>>>> --- /dev/null 1 Jan 1970 00:00:00 -0000
>>>> +++ usr.sbin/ldapd/schema/bsd.schema 18 May 2018 10:09:45
>>>> -0000 @@ -0,0 +1,17 @@
>>>> +attributetype ( 1.3.6.1.4.1.30155.115.2 NAME 'shadowPassword'
>>>> + DESC 'POSIX hashed password'
>>>> + EQUALITY caseExactIA5Match
>>>> + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>>>> +
>>>> +attributetype ( 1.3.6.1.4.1.30155.115.3 NAME 'sshPublicKey'
>>>> + DESC 'SSH public key'
>>>> + EQUALITY caseExactIA5Match
>>>> + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>>>> +
>>>> +objectclass ( 1.3.6.1.4.1.30155.115.1 NAME 'bsdAccount'
>>>> + SUP top
>>>> + AUXILIARY
>>>> + DESC 'Abstraction of an account with OpenBSD attributes'
>>>> + MUST ( uid )
>>>> + MAY ( shadowPassword $ shadowExpire $ modifyTimestamp $
>>>> userClass $
>>>> + sshPublicKey ))
>>>>
>>>
>>
>



Re: ldapd: adding bsd.schema

Robert Klein
On Thu, 10 Sep 2020 17:03:28 -0400
Aisha Tammy <[hidden email]> wrote:

> On 9/10/20 2:03 AM, Robert Klein wrote:
> > On Sat, 5 Sep 2020 18:47:08 -0400
> > Aisha Tammy <[hidden email]> wrote:
> >  
> >> Sorry for the late reply.
> >>
> >> On 8/12/20 8:19 AM, Robert Klein wrote:  
> >>> Hi,
> >>>
> >>> On Wed, 12 Aug 2020 09:00:18 +0200
> >>> Theo Buehler <[hidden email]> wrote:
> >>>  
> >>>> On Tue, Aug 11, 2020 at 10:22:51PM -0400, Aisha Tammy wrote:  
> >>>>> Another bump.    
> >>>>
> >>>> I think this is useful and am ok with this.
> >>>>
> >>>> Are there any concerns? If not, I'm going to commit it tomorrow.
> >>>>  
> >>>
> >>> for an sshPublicKey attribute, there's an “openssh-lpk” schema
> >>> which seems to be in common use.  It's defined as
> >>>
> >>> # octetString SYNTAX
> >>> attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
> >>> DESC 'OpenSSH Public key'
> >>> EQUALITY octetStringMatch
> >>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
> >>>  
> >> I prefer the non-octet version mostly because of inconsistent
> >> spacing when copy-pasting.
> >
> > IA5Match precludes non-ASCII comments.  BTW, your version has 'SSH
> > public key' as DESC.  I suppose it means an 'OpenSSH public key', as
> > above, not an RFC4716 public key, which wouldn't make much sense in an
> > OpenBSD context I guess.
> >  
> Haha, I wasn't even aware an SSH public key was a different thing >.<
> (how do y'all know/remember these weird RFCs...)
Honestly, I like to read.

> Updated patch with OpenSSH public key.

I'd still prefer octetstring instead of ia5string.  Don't care enough
though to object if someone's willing to ok and commit it.

Best regards
Robert

>
> OK?
>
> Aisha
>
> >  
> >>
> >>
> >>  
> >>> # printableString SYNTAX yes|no
> >>> objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey'
> >>> SUP top AUXILIARY DESC 'OpenSSH LPK objectclass'
> >>> MUST uid
> >>> MAY sshPublicKey
> >>> )
> >>>
> >>> though there are versions of the “ldapPublicKey” definitions with
> >>> both uid and sshPublicKey in the MUST and both in the MAY clause.
> >>> The “both MAY” version is imho more flexible.
> >>>
> >>>
> >>> The original mail proposing bsd.schema seems to have added both
> >>> “shadowPassword” and “bsdAccount” more as an afterthought, it
> >>> seems.
> >> The bsd account is a bit more flexible than the ldapPublicKey and
> >> can be substituted for this.
> >> I am fine with moving the `uid` to MAY as well, that would be very
> >> nice for virtual user setups, where uid is unimportant and not
> >> used.  
> >
> > +1
> >
> >
> > Best regards
> > Robert
> >
> >  
> >>
> >> I've attached the updated patch which moves uid to MAY.
> >> I would really like this to be in 6.8.
> >>
> >> OK?
> >>
> >> Thanks,
> >> Aisha
> >>  
> >>>
> >>> Best regards
> >>> Robert
> >>>
> >>>  
> >>>>
> >>>> Index: etc/examples/ldapd.conf
> >>>> ===================================================================
> >>>> RCS file: /cvs/src/etc/examples/ldapd.conf,v
> >>>> retrieving revision 1.1
> >>>> diff -u -p -u -p -r1.1 ldapd.conf
> >>>> --- etc/examples/ldapd.conf 11 Jul 2014 21:20:10 -0000
> >>>> 1.1 +++ etc/examples/ldapd.conf 18 May 2018 10:09:45 -0000
> >>>> @@ -3,6 +3,7 @@
> >>>>  schema "/etc/ldap/core.schema"
> >>>>  schema "/etc/ldap/inetorgperson.schema"
> >>>>  schema "/etc/ldap/nis.schema"
> >>>> +schema "/etc/ldap/bsd.schema"
> >>>>  
> >>>>  listen on lo0
> >>>>  listen on "/var/run/ldapi"
> >>>> Index: usr.sbin/ldapd/Makefile
> >>>> ===================================================================
> >>>> RCS file: /cvs/src/usr.sbin/ldapd/Makefile,v
> >>>> retrieving revision 1.15
> >>>> diff -u -p -u -p -r1.15 Makefile
> >>>> --- usr.sbin/ldapd/Makefile 20 Jan 2017 11:55:08 -0000
> >>>> 1.15 +++ usr.sbin/ldapd/Makefile 18 May 2018 10:09:45
> >>>> -0000 @@ -17,7 +17,8 @@ CFLAGS+= -Wshadow -Wpointer-arith
> >>>> -Wcast CFLAGS+= -Wsign-compare
> >>>>  CLEANFILES+= y.tab.h parse.c
> >>>>  
> >>>> -SCHEMA_FILES= core.schema \
> >>>> +SCHEMA_FILES= bsd.schema \
> >>>> + core.schema \
> >>>>   inetorgperson.schema \
> >>>>   nis.schema
> >>>>  
> >>>> Index: usr.sbin/ldapd/schema/bsd.schema
> >>>> ===================================================================
> >>>> RCS file: usr.sbin/ldapd/schema/bsd.schema
> >>>> diff -N usr.sbin/ldapd/schema/bsd.schema
> >>>> --- /dev/null 1 Jan 1970 00:00:00 -0000
> >>>> +++ usr.sbin/ldapd/schema/bsd.schema 18 May 2018 10:09:45
> >>>> -0000 @@ -0,0 +1,17 @@
> >>>> +attributetype ( 1.3.6.1.4.1.30155.115.2 NAME 'shadowPassword'
> >>>> + DESC 'POSIX hashed password'
> >>>> + EQUALITY caseExactIA5Match
> >>>> + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
> >>>> +
> >>>> +attributetype ( 1.3.6.1.4.1.30155.115.3 NAME 'sshPublicKey'
> >>>> + DESC 'SSH public key'
> >>>> + EQUALITY caseExactIA5Match
> >>>> + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
> >>>> +
> >>>> +objectclass ( 1.3.6.1.4.1.30155.115.1 NAME 'bsdAccount'
> >>>> + SUP top
> >>>> + AUXILIARY
> >>>> + DESC 'Abstraction of an account with OpenBSD
> >>>> attributes'
> >>>> + MUST ( uid )
> >>>> + MAY ( shadowPassword $ shadowExpire $ modifyTimestamp $
> >>>> userClass $
> >>>> + sshPublicKey ))
> >>>>  
> >>>  
> >>  
> >  
>