
Re: attribute for storing SSH RSA host keys



On 16 Apr 2014, at 19.46, Michael Ströder <michael@stroeder.com> wrote:

> ML mail wrote:
>> On my already existing OpenLDAP server I would like to add an attribute in
>> order to store SSH RSA host keys. Currently there are no such attributes
>> (for example: sshRSAHostKey) in any standard schemas.
>> 
>> What would be the best strategy to add this attribute to my OpenLDAP
>> server? Create a new objectClass? or simply add it to another already
>> standard objectClass such as the NIS schema?
> 
> Do you already have LDAP entries representing your hosts/systems? That's really the
> hard part.
> 
> If you already have host entries, you can simply add the aux object class
> 'ldapPublicKey' to these entries and put the various host keys (different
> algorithms) in the multi-valued attribute 'sshPublicKey'.
> 
> Ciao, Michael.
> 


There doesn’t exist any sort of objectClass named ldapPublicKey in any standard LDAP objectClasses or in any submitted RFCs.

Of course anybody can register an OID with IANA and create their own schema, but it would really be best for the OpenBSD project to publish an SSH LDAP schema under 1.3.6.1.4.1.30155.

Nobody benefits when people who are not authoritative start publishing schema and OIDs to blog posts and HOWTOs around the net. What eventually ends up happening is that search results turn up multiple schemas assigning different OIDs to the same named objectClasses and attributes, people use them, and the OID, objectClass, and attribute namespaces all go into conflict. There are a lot of people who try to write LDAP schema just to get something working, who have absolutely zero idea of what an OID namespace means. Here in the LDAP world, we live by the IANA assigned namespace so that's what we need to abide by.

A better strategy would be to model these things with "objectClass: extensibleObject" in the short term and wait for something official. That could mean changing your own code to comply with the official objectClass and attribute names sooner or later.


—mike
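An added Python example, not code from either poster, showing what a directory admin would want in front of the short-term approach above: validate an OpenSSH public key line (type prefix, base64, RFC 4251 wire format) before it is written, then emit the LDIF modify record that adds extensibleObject and one 'sshPublicKey' value. The attribute and objectClass names are taken from the thread; it is an assumption here that the server's schema still defines the attribute type sshPublicKey (extensibleObject only relaxes which attributes an entry may carry), and the demo key is a constructed value, not a real host key.

```python
import base64
import struct

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix (RFC 4251)."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    """SSH mpint: minimal big-endian bytes, with a leading 0x00 when the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + raw if raw and raw[0] & 0x80 else raw)

def encode_rsa_public_key(e: int, n: int) -> str:
    """Build an OpenSSH 'ssh-rsa <base64>' line from public exponent e and modulus n."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")

def _read_string(blob: bytes, off: int):
    """Read one SSH string at offset off; return (data, new_offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + length > len(blob):
        raise ValueError("truncated SSH string")
    return blob[off + 4:off + 4 + length], off + 4 + length

def parse_rsa_public_key(line: str) -> dict:
    """Validate an OpenSSH public key line before storing it; returns key type and modulus bits."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa <base64> [comment]' line")
    blob = base64.b64decode(parts[1], validate=True)
    inner, off = _read_string(blob, 0)
    if inner != b"ssh-rsa":
        raise ValueError("key type prefix does not match the blob's type string")
    _e, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after the modulus")
    return {"type": "ssh-rsa", "bits": int.from_bytes(n_raw, "big").bit_length()}

def host_key_ldif(dn: str, key_line: str) -> str:
    """LDIF modify record adding extensibleObject and one sshPublicKey value, validated first.
    Assumption: the server's schema still has to define the attribute type sshPublicKey."""
    parse_rsa_public_key(key_line)
    return (f"dn: {dn}\nchangetype: modify\nadd: objectClass\nobjectClass: extensibleObject\n-\n"
            f"add: sshPublicKey\nsshPublicKey: {key_line}\n-\n")

# Constructed demo values, not a real host key: e=65537 and a 2048-bit odd number as n.
DEMO_KEY = encode_rsa_public_key(65537, (1 << 2047) | 0x10001)
```

Feed `host_key_ldif(...)` to ldapmodify; a key line that fails validation never reaches the directory.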