More SSH than ever

98sshAsText.ldif

@@ -0,0 +1,50 @@
+#
+# LDAP Public Key schema where the key is stored as plain text
+#
+# The MIT License
+#
+# Copyright 2024 WEEE Open
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+#---------------------------------------------------------------------
+#
+dn: cn=schema
+#
+#---------------------------------------------------------------------
+#
+attributeTypes: (
+  2.25.203046914991419968316830242105494635245.1.1
+  NAME 'sshPublicKeyText'
+  DESC 'OpenSSH Public key as text'
+  EQUALITY caseExactMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+  X-ORIGIN 'WEEE Open'
+  )
+#
+#---------------------------------------------------------------------
+#
+objectClasses: (
+  2.25.203046914991419968316830242105494635245.2.1
+  NAME 'hasSshPublicKeyText'
+  DESC 'OpenSSH Public key as text, as an objectClass'
+  AUXILIARY
+  MAY sshPublicKeyText
+  X-ORIGIN 'WEEE Open'
+  )

README.md

@@ -14,6 +14,10 @@ The file `97schac.ldif` comes from the [official schema](https://wiki.refeds.org
 
 Located at `98ssh.ldif`, it allows storing public SSH keys. It's an OpenLDAP schema with minor modifications to adapt it to 389DS.
 
+### SSH as Text
+
+A single objectClass with a single plain text variable to add an SSH key to things. This is `98sshAsText.ldif`. 
+
 ### Telegram
 
 `98telegram.ldif` is a simple schema to store some [Telegram](https://telegram.org/) related inforamation: ID, nickname and group invite links.
@@ -24,6 +28,15 @@ The very large OID from the UUID arc (i.e. `2.25.1008418248464193827828833840633
 
 There are a few more bits and bobs in `98weeeopen.ldif`. Not very interesting.
 
+## Generating UUIDs for OIDs
+
+Since this ancient knowledge seems to have disappeared from the Internet after 2019, those UUIDs can be generated like this:
+
+```python
+import uuid
+int(uuid.uuid4())
+```
+
 ## Password Policies
 
 Use `policies.yml` to replace existing values.

aci/make_acis.py

@@ -35,7 +35,7 @@ def acis(suffix: str) -> dict[str, tuple]:
 		make_aci('Allow Nextcloud to read users', ('targetfilter = "(uid=*)"', 'targetattr = "objectClass || memberOf || sn || cn || givenName || uid || mail || jpegPhoto || createTimestamp || creatorsName || entrydn || entryid || hasSubordinates || modifiersName || modifyTimestamp || weeeOpenUniqueId || numSubordinates || parentid || subschemaSubentry"'), {'read', 'search', 'compare'}, f'userdn = "ldap:///cn=nextcloud,ou=Services,{suffix}"'),
 		# make_aci('Allow Keycloak to change OTP secrets', ('targetfilter = "(uid=*)"', 'targetattr = "otpSecretKey"'), {'write'}, f'userdn = "ldap:///cn=Keycloak,ou=Services,{suffix}"'),
 		# make_aci('Allow users to change their password', ('targetfilter = "(uid=*)"', 'targetattr = "userPassword"'), {'write'}, f'userdn = "ldap:///self"'),
-		make_aci('Allow Crauto to read users', ('targetfilter = "(uid=*)"', 'targetattr = "uid || cn || givenname || sn || memberof || mail || schacpersonaluniquecode || degreecourse || schacdateofbirth || schacplaceofbirth || mobile || safetytestdate || telegramid || telegramnickname || weeelabnickname || hasKey || signedSir || websiteDescription || pronouns || sshpublickey || description || nsaccountlock || createTimestamp || modifyTimestamp || objectClass"'), {'read', 'search', 'compare'}, f'userdn = "ldap:///cn=crauto,ou=Services,{suffix}"'),
+		make_aci('Allow Crauto to read users', ('targetfilter = "(uid=*)"', 'targetattr = "uid || cn || givenname || sn || memberof || mail || schacpersonaluniquecode || degreecourse || schacdateofbirth || schacplaceofbirth || mobile || safetytestdate || telegramid || telegramnickname || weeelabnickname || hasKey || signedSir || websiteDescription || pronouns || sshPublicKeyText || description || nsaccountlock || createTimestamp || modifyTimestamp || objectClass"'), {'read', 'search', 'compare'}, f'userdn = "ldap:///cn=crauto,ou=Services,{suffix}"'),
 		make_aci('Allow Crauto to edit users', ('targetfilter="(&(uid=*)(objectClass=inetOrgPerson)(objectClass=schacPersonalCharacteristics)(objectClass=schacLinkageIdentifiers)(objectClass=telegramAccount)(objectClass=weeeOpenPerson))"', 'targetattr = "objectClass || cn || givenname || sn || memberof || mail || schacpersonaluniquecode || degreecourse || schacdateofbirth || schacplaceofbirth || mobile || safetytestdate || telegramid || telegramnickname || weeelabnickname || hasKey || signedSir || websiteDescription  || pronouns || description || nsaccountlock || description"'), {'add', 'write', 'delete'}, f'userdn = "ldap:///cn=crauto,ou=Services,{suffix}"'),
 		make_aci('Allow Crauto to change users password', ('targetfilter = "(uid=*)"', 'targetattr = "userPassword"'), {'add', 'write'}, f'userdn = "ldap:///cn=crauto,ou=Services,{suffix}"'),
 
@@ -68,8 +68,8 @@ def acis(suffix: str) -> dict[str, tuple]:
 	)
 
 	result[f"ou=Machines,{suffix}"] = (
-		make_aci('Allow Crauto to manage groups', ('targetfilter = "(cn=*)"', 'targetattr = "objectClass || cn || ou || description || member || uniqueMember || createTimestamp || modifyTimestamp"',), {'read', 'search', 'compare', 'write', 'add'}, f'userdn = "ldap:///cn=crauto,ou=Services,{suffix}"'),
-		make_aci('Allow machines to read their data', ('targetfilter = "(cn=*)"', 'targetattr = "objectClass || cn || ou || description || member || uniqueMember || createTimestamp || modifyTimestamp"',), {'read', 'search', 'compare'}, f'userdn = "ldap:///self"'),
+		make_aci('Allow Crauto to manage groups', ('targetfilter = "(cn=*)"', 'targetattr = "objectClass || uid || cn || ou || description || member || uniqueMember || createTimestamp || modifyTimestamp || sshPublicKeyText"',), {'read', 'search', 'compare', 'write', 'add'}, f'userdn = "ldap:///cn=crauto,ou=Services,{suffix}"'),
+		make_aci('Allow machines to read their data', ('targetfilter = "(cn=*)"', 'targetattr = "objectClass || uid || cn || ou || description || member || uniqueMember || createTimestamp || modifyTimestamp || sshPublicKeyText"',), {'read', 'search', 'compare'}, f'userdn = "ldap:///self"'),
 		# make_aci('Allow Crauto to change machine accounts password', ('targetfilter = "(cn=*)"', 'targetattr = "userPassword"'), {'add', 'write'}, f'userdn = "ldap:///cn=crauto,ou=Services,{suffix}"'),
 	)