add openssh

2026-01-25 00:02:38 -07:00
parent 63da7e8ae4
commit 6e2486166b
4 changed files with 24 additions and 96 deletions
--- a/ansible/roles/openldap_server/tasks/files/openssh-lpk.ldif
+++ b/ansible/roles/openldap_server/tasks/files/openssh-lpk.ldif
@@ -1,22 +0,0 @@
 #
 # LDAP Public Key Patch schema for use with openssh-ldappubkey
 #                              useful with PKA-LDAP also
 #
 # Author: Eric AUGE <eau@phear.org>
 # 
 # Based on the proposal of : Mark Ruijter
 #
 # octetString SYNTAX
 attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
 	DESC 'MANDATORY: OpenSSH Public key' 
 	EQUALITY octetStringMatch
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
 # printableString SYNTAX yes|no
 objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
 	DESC 'MANDATORY: OpenSSH LPK objectclass'
 	MUST ( sshPublicKey $ uid ) 
 	)
--- a/ansible/roles/openldap_server/tasks/files/openssh.ldif
+++ b/ansible/roles/openldap_server/tasks/files/openssh.ldif
@@ -1,16 +1,8 @@
-dn: cn=openssh,cn=schema,cn=config
+dn: cn=openssh-lpk-openldap,cn=schema,cn=config
 objectClass: olcSchemaConfig
-cn: openssh
+olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' D
-
+ ESC 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.
-olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13
+ 1.4.1.1466.115.121.1.40 )
-  NAME 'sshPublicKey'
+olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DE
-  DESC 'OpenSSH Public key'
+ SC 'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MUST ( sshPublicK
-  EQUALITY octetStringMatch
+ ey $ uid ) )
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
 olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0
  NAME 'ldapPublicKey'
  DESC 'OpenSSH LPK object class'
  SUP top
  AUXILIARY
  MAY ( sshPublicKey ) )
--- a/ansible/roles/openldap_server/tasks/files/sudo.ldif
+++ b/ansible/roles/openldap_server/tasks/files/sudo.ldif
@@ -1,42 +0,0 @@
 dn: cn=sudo,cn=schema,cn=config
 objectClass: olcSchemaConfig
 cn: sudo
 # Attribute definitions for sudo
 olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1
  NAME 'sudoUser'
  DESC 'SudoUser'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2
  NAME 'sudoHost'
  DESC 'SudoHost'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3
  NAME 'sudoCommand'
  DESC 'SudoCommand'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4
  NAME 'sudoRunAs'
  DESC 'SudoRunAs'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5
  NAME 'sudoOption'
  DESC 'SudoOption'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 # sudoRole objectClass definition
 olcObjectClasses: ( 1.3.6.1.4.1.15953.9.1.6
  NAME 'sudoRole'
  DESC 'Sudo Role'
  SUP top
  AUXILIARY
  MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption ) )
--- a/ansible/roles/openldap_server/tasks/schemas.yaml
+++ b/ansible/roles/openldap_server/tasks/schemas.yaml
@@ -32,24 +32,24 @@
 #    group: ldap
 #    mode: '0600'
 #
-#- name: Copy openssh schema into place
+- name: Copy openssh schema into place
-#  copy:
+  copy:
-#    src: files/openssh.ldif
+    src: files/openssh.ldif
-#    dest: /etc/openldap/schema/openssh.ldif
+    dest: /etc/openldap/schema/openssh.ldif
-#    owner: ldap
+    owner: ldap
-#    group: ldap
+    group: ldap
-#    mode: '0600'
+    mode: '0600'
-#- name: Ensure custom LDAP schemas (sudo + openssh) are loaded
+- name: Ensure custom LDAP schemas (sudo + openssh) are loaded
-#  ansible.builtin.command: >
+  ansible.builtin.command: >
-#    ldapadd -Y EXTERNAL -H ldapi:/// -f {{ item.file }}
+    ldapadd -Y EXTERNAL -H ldapi:/// -f {{ item.file }}
-#  args:
+  args:
-#    creates: "/etc/openldap/schema/.{{ item.name }}_loaded"
+    creates: "/etc/openldap/schema/.{{ item.name }}_loaded"
-#  loop:
+  loop:
-#    - { name: "sudo", file: "/etc/openldap/schema/sudo.ldif" }
+    #- { name: "sudo", file: "/etc/openldap/schema/sudo.ldif" }
-#    - { name: "openssh", file: "/etc/openldap/schema/openssh.ldif" }
+    - { name: "openssh", file: "/etc/openldap/schema/openssh.ldif" }
-#  loop_control:
+  loop_control:
-#    label: "{{ item.name }}"
+    label: "{{ item.name }}"
 # Touch marker files for idempotency (optional but recommended)
 - name: Ensure marker files exist