From 7c021fd38d40a43cb05ebd7110c79afc86e60eea Mon Sep 17 00:00:00 2001
From: Ludovico Pavesi
Date: Mon, 15 Apr 2024 22:19:01 +0200
Subject: [PATCH] More SSH than ever
---
98sshAsText.ldif | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
README.md | 13 +++++++++++++
aci/make_acis.py | 6 +++---
3 files changed, 66 insertions(+), 3 deletions(-)
create mode 100644 98sshAsText.ldif
diff --git a/98sshAsText.ldif b/98sshAsText.ldif
new file mode 100644
index 0000000..74d85c2
--- /dev/null
+++ b/98sshAsText.ldif
@@ -0,0 +1,50 @@
+#
+# LDAP Public Key schema where the key is stored as plain text
+#
+# The MIT License
+#
+# Copyright 2024 WEEE Open
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+#---------------------------------------------------------------------
+#
+dn: cn=schema
+#
+#---------------------------------------------------------------------
+#
+attributeTypes: (
+ 2.25.203046914991419968316830242105494635245.1.1
+ NAME 'sshPublicKeyText'
+ DESC 'OpenSSH Public key as text'
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ X-ORIGIN 'WEEE Open'
+ )
+#
+#---------------------------------------------------------------------
+#
+objectClasses: (
+ 2.25.203046914991419968316830242105494635245.2.1
+ NAME 'hasSshPublicKeyText'
+ DESC 'OpenSSH Public key as text, as an objectClass'
+ AUXILIARY
+ MAY sshPublicKeyText
+ X-ORIGIN 'WEEE Open'
+ )
diff --git a/README.md b/README.md
index 4ab80b8..9e7fcf1 100644
--- a/README.md
+++ b/README.md
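Review bot: The new `sshPublicKeyText` attribute type is declared with Directory String syntax (`1.3.6.1.4.1.1466.115.121.1.15`) and no SINGLE-VALUE, so an entry may hold any number of free-form UTF-8 values, and nothing in the schema says what one value is expected to look like. Given the README's description ("plain text variable to add an SSH key"), the safe contract is one `authorized_keys` line per value — `<keytype> <base64> [comment]`, no embedded newline and no leading options such as `command=` or `from=` — because any consumer that concatenates values into an authorized_keys file or an AuthorizedKeysCommand output would otherwise let whoever can write the attribute inject extra lines or options. I would state that contract in the DESC, e.g. `DESC 'OpenSSH public key as text: one authorized_keys line (keytype, base64 blob, optional comment) per value; no options, no newlines'`, and have whatever writes the attribute validate it, since the schema itself cannot. `EQUALITY caseExactMatch` is the right choice here, as the base64 blob is case-sensitive.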
@@ -14,6 +14,10 @@ The file `97schac.ldif` comes from the [official schema](https://wiki.refeds.org
 Located at `98ssh.ldif`, it allows storing public SSH keys. It's an OpenLDAP schema with minor modifications to adapt it to 389DS.
+### SSH as Text
+
+A single objectClass with a single plain text variable to add an SSH key to things. This is `98sshAsText.ldif`.
+
 ### Telegram
 `98telegram.ldif` is a simple schema to store some [Telegram](https://telegram.org/) related inforamation: ID, nickname and group invite links.
@@ -24,6 +28,15 @@ The very large OID from the UUID arc (i.e. `2.25.1008418248464193827828833840633
 There are a few more bits and bobs in `98weeeopen.ldif`. Not very interesting.
+## Generating UUIDs for OIDs
+
+Since this ancient knowledge seems to have disappeared from the Internet after 2019, those UUIDs can be generated like this:
+
+```python
+import uuid
+int(uuid.uuid4())
+```
+
 ## Password Policies
 Use `policies.yml` to replace existing values.
diff --git a/aci/make_acis.py b/aci/make_acis.py
index 01e48b7..17fd5d2 100755
--- a/aci/make_acis.py
+++ b/aci/make_acis.py
@@ -35,7 +35,7 @@ def acis(suffix: str) -> dict[str, tuple]:
 make_aci('Allow Nextcloud to read users', ('targetfilter = "(uid=*)"', 'targetattr = "objectClass || memberOf || sn || cn || givenName || uid || mail || jpegPhoto || createTimestamp || creatorsName || entrydn || entryid || hasSubordinates || modifiersName || modifyTimestamp || weeeOpenUniqueId || numSubordinates || parentid || subschemaSubentry"'), {'read', 'search', 'compare'}, f'userdn = "ldap:///cn=nextcloud,ou=Services,{suffix}"'),
 # make_aci('Allow Keycloak to change OTP secrets', ('targetfilter = "(uid=*)"', 'targetattr = "otpSecretKey"'), {'write'}, f'userdn = "ldap:///cn=Keycloak,ou=Services,{suffix}"'),
 # make_aci('Allow users to change their password', ('targetfilter = "(uid=*)"', 'targetattr = "userPassword"'), {'write'}, f'userdn = "ldap:///self"'),
- make_aci('Allow Crauto to read users', ('targetfilter = "(uid=*)"', 'targetattr = "uid || cn || givenname || sn || memberof || mail || schacpersonaluniquecode || degreecourse || schacdateofbirth || schacplaceofbirth || mobile || safetytestdate || telegramid || telegramnickname || weeelabnickname || hasKey || signedSir || websiteDescription || pronouns || sshpublickey || description || nsaccountlock || createTimestamp || modifyTimestamp || objectClass"'), {'read', 'search', 'compare'}, f'userdn = "ldap:///cn=crauto,ou=Services,{suffix}"'),
+ make_aci('Allow Crauto to read users', ('targetfilter = "(uid=*)"', 'targetattr = "uid || cn || givenname || sn || memberof || mail || schacpersonaluniquecode || degreecourse || schacdateofbirth || schacplaceofbirth || mobile || safetytestdate || telegramid || telegramnickname || weeelabnickname || hasKey || signedSir || websiteDescription || pronouns || sshPublicKeyText || description || nsaccountlock || createTimestamp || modifyTimestamp || objectClass"'), {'read', 'search', 'compare'}, f'userdn = "ldap:///cn=crauto,ou=Services,{suffix}"'),
 make_aci('Allow Crauto to edit users',
('targetfilter="(&(uid=*)(objectClass=inetOrgPerson)(objectClass=schacPersonalCharacteristics)(objectClass=schacLinkageIdentifiers)(objectClass=telegramAccount)(objectClass=weeeOpenPerson))"', 'targetattr = "objectClass || cn || givenname || sn || memberof || mail || schacpersonaluniquecode || degreecourse || schacdateofbirth || schacplaceofbirth || mobile || safetytestdate || telegramid || telegramnickname || weeelabnickname || hasKey || signedSir || websiteDescription || pronouns || description || nsaccountlock || description"'), {'add', 'write', 'delete'}, f'userdn = "ldap:///cn=crauto,ou=Services,{suffix}"'),
 make_aci('Allow Crauto to change users password', ('targetfilter = "(uid=*)"', 'targetattr = "userPassword"'), {'add', 'write'}, f'userdn = "ldap:///cn=crauto,ou=Services,{suffix}"'),
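Review bot: The changed 'Allow Crauto to read users' line replaces `sshpublickey` with `sshPublicKeyText` rather than adding it, so any user entry that still carries a value in the older `sshPublicKey` attribute from `98ssh.ldif` (which the README still documents) becomes unreadable to Crauto once these ACIs are applied. Unless every key has already been migrated to the new attribute, keep both names in the list: `... || pronouns || sshPublicKey || sshPublicKeyText || description || ...`. Note also that the unchanged 'Allow Crauto to edit users' ACI that follows does not list either attribute, so Crauto can read user keys but not set them; that may well be intended, but a short comment on the read line saying where user keys are meant to be written from would save the next reader the same question. The enclosing `acis()` function starts before this hunk.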
@@ -68,8 +68,8 @@ def acis(suffix: str) -> dict[str, tuple]:
 )
 result[f"ou=Machines,{suffix}"] = (
- make_aci('Allow Crauto to manage groups', ('targetfilter = "(cn=*)"', 'targetattr = "objectClass || cn || ou || description || member || uniqueMember || createTimestamp || modifyTimestamp"',), {'read', 'search', 'compare', 'write', 'add'}, f'userdn = "ldap:///cn=crauto,ou=Services,{suffix}"'),
- make_aci('Allow machines to read their data', ('targetfilter = "(cn=*)"', 'targetattr = "objectClass || cn || ou || description || member || uniqueMember || createTimestamp || modifyTimestamp"',), {'read', 'search', 'compare'}, f'userdn = "ldap:///self"'),
+ make_aci('Allow Crauto to manage groups', ('targetfilter = "(cn=*)"', 'targetattr = "objectClass || uid || cn || ou || description || member || uniqueMember || createTimestamp || modifyTimestamp || sshPublicKeyText"',), {'read', 'search', 'compare', 'write', 'add'}, f'userdn = "ldap:///cn=crauto,ou=Services,{suffix}"'),
+ make_aci('Allow machines to read their data', ('targetfilter = "(cn=*)"', 'targetattr = "objectClass || uid || cn || ou || description || member || uniqueMember || createTimestamp || modifyTimestamp || sshPublicKeyText"',), {'read', 'search', 'compare'}, f'userdn = "ldap:///self"'),
 # make_aci('Allow Crauto to change machine accounts password', ('targetfilter = "(cn=*)"', 'targetattr = "userPassword"'), {'add', 'write'}, f'userdn = "ldap:///cn=crauto,ou=Services,{suffix}"'),
 )
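Review bot: Both machine ACIs now carry the same ten-name `targetattr` string and this commit had to edit the two copies in lockstep; the next attribute added to one but not the other silently widens or narrows what a machine can read of itself versus what Crauto can write. I'd hoist the string into one local above the tuple, `machine_attrs = 'targetattr = "objectClass || uid || cn || ou || description || member || uniqueMember || createTimestamp || modifyTimestamp || sshPublicKeyText"'`, and pass `machine_attrs` in both `make_aci` calls. On the security side, the first ACI gives the `cn=crauto` service account `write` on `sshPublicKeyText` for every `(cn=*)` entry under `ou=Machines`, i.e. whoever holds that account can set the SSH keys stored on any machine entry; that is presumably the intent, but it deserves a comment on the line, such as `# crauto can set machine SSH keys: compromise of this account means key injection`. The enclosing `acis()` function starts before this hunk.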