Name of extended attribute

Hello,
I want to store SSH public keys in a UCS4 server. I read the documentation and realized that we should create an extended attribute.
It has to use the univentionFreeAttributes object class and has to have a name from univentionFreeAttribute1 to univentionFreeAttribute20.
I’ve successfully created the univentionFreeAttribute1 extended attribute and found that it contains the SSH public key that I put into there. It was great.

But I was planning to use the ssh-ldap-pubkey tool (github.com/jirutka/ssh-ldap-pubkey) for configuring the interaction between OpenSSH and LDAP servers.
And this tool uses the predefined name “sshPublicKey” for the LDAP attribute.

So the question is: how can I create an “sshPublicKey” extended attribute without breaking the LDAP schema?
Or maybe there should be another solution? Perhaps the UCS4 server supports storing SSH public keys out of the box?

Thanks in advance.


Hey,

you can use your own schema extensions with a UCS LDAP server. The thing to look out for is that all LDAP schemas must be synced to all UCS servers in the domain, and it has to be done at specific points in time with respect to updating packages.

Fortunately UCS provides a way to register schema files so that all management will be done by UCS at the appropriate time. This is mostly done so that external packages like apps from the App Center can register their own extensions (e.g. the Zarafa App does that). However, you can use the same mechanism with your own file.

Fortunately you don’t have to write such a schema file yourself as the ssh-ldap-pubkey project provides one. Download it and store it somewhere on your DC Master server, e.g. as /usr/local/share/openssh-lpk.schema.

Next you’ll have to register that schema with the UCS system. Follow the developer documentation for adding schema extensions. You should be able to use the commands shown in Example 4.1, but replace the example app ID environment variable with something sensible.

I’ve just tried the following successfully:

# fetch the schema shipped by the ssh-ldap-pubkey project
wget -O /usr/local/share/openssh-lpk.schema https://github.com/jirutka/ssh-ldap-pubkey/raw/master/etc/openssh-lpk.schema
# identifier under which UCS tracks this extension
export UNIVENTION_APP_IDENTIFIER="sshldappubkey-1"
# load the UCS shell library that provides ucs_registerLDAPExtension
. /usr/share/univention-lib/ldap.sh
ucs_registerLDAPExtension --schema /usr/local/share/openssh-lpk.schema --packagename sshldappubkey --packageversion 1

Afterwards two things should be the case:

1. The schema file should have been copied to /var/lib/univention-ldap/openssh-lpk.schema.
2. The schema file should be included from /etc/ldap/slapd.conf.

Now you can set up your extended attribute just like you did before. Just use ldapPublicKey as the class and sshPublicKey as the LDAP attribute name instead of univentionFreeAttributes and univentionFreeAttribute1.

Kind regards,
mosu

Hello,

I’ve done as you described. And I was able to import the additional object class and create the extended attribute.
I’ve made tests and the ssh-ldap-pubkey utility works perfectly. It is really great!
I want to say that Univention Corporate Server is awesome!
And the guys who develop it are awesome too.

Thank you very much for your explanation!
I am grateful to you for your help.

Sorry for bothering.

Looks like I’ve run into another issue.
If we remove a user’s SSH public key or create a new user without specifying a key, we get the following error:
“The LDAP object could not be saved: LDAP Error Object class violation: object class ‘ldapPublicKey’ requires attribute ‘sshPublicKey’”.

I checked the settings of the extended attribute and noticed that there is a “Value required” parameter. But this option is disabled.

It seems that we have to assign a value to the “sshPublicKey” attribute in any case.
Can we avoid such a requirement somehow?

Hey,

you should configure the extended attribute to remove the object class if the attribute is empty. That should solve your problem. See the attached screenshot.

Kind regards,
mosu

Hello,

I’ve just enabled the option for removing the object class and checked.
It has not helped.
I am still receiving the same error:
“The LDAP object could not be saved: LDAP Error Object class violation: object class ‘ldapPublicKey’ requires attribute ‘sshPublicKey’”

Maybe I missed something?

Hey,

you’re not really missing anything. This seems to be a bug in the UDM.

As a workaround you can modify the schema you’ve stored in /usr/local/share. Change the object class so that the “sshPublicKey” attribute becomes optional instead of mandatory. Example:

objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY DESC 'Optional: OpenSSH LPK objectclass' MUST ( uid ) MAY ( sshPublicKey ) )

Afterwards register the new version similar to how you’ve registered the schema the first time:

# new identifier and version so UCS picks up the changed schema
export UNIVENTION_APP_IDENTIFIER="sshldappubkey-2"
. /usr/share/univention-lib/ldap.sh
ucs_registerLDAPExtension --schema /usr/local/share/openssh-lpk.schema --packagename sshldappubkey --packageversion 2

Afterwards the content of /var/lib/univention-ldap/local-schema/openssh-lpk.schema should match the file in /usr/local/share.

Kind regards,
mosu
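As an added example (not code from the thread, from UCS or from the ssh-ldap-pubkey project), the following Python script ties together the two procedures mosu describes: it checks whether a schema file makes sshPublicKey mandatory for the ldapPublicKey object class, rewrites that object class to the MUST ( uid ) MAY ( sshPublicKey ) form suggested as the workaround, and then checks the two post-conditions listed after registering, namely that the copy under /var/lib/univention-ldap/local-schema matches the file in /usr/local/share and that /etc/ldap/slapd.conf includes it. The schema text embedded in it is constructed to resemble openssh-lpk.schema and is not a verbatim copy; the demo runs against files in a temporary directory standing in for those paths, and running ucs_registerLDAPExtension itself is left to the commands in the posts.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample in the shape of openssh-lpk.schema (not a verbatim copy):
# sshPublicKey is mandatory for ldapPublicKey, which is what triggers the UDM
# "object class violation" error quoted in the thread.
SAMPLE_SCHEMA = """\
# constructed sample schema, modelled on openssh-lpk.schema
attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
    DESC 'MANDATORY: OpenSSH Public key'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
    DESC 'MANDATORY: OpenSSH LPK objectclass'
    MUST ( sshPublicKey $ uid )
    )
"""

# MUST/MAY clause; RFC 4512 allows "MUST uid" as well as "MUST ( uid $ sshPublicKey )"
_CLAUSE = re.compile(r"\b(MUST|MAY)\s*(?:\(([^)]*)\)|(\S+))")


def objectclass_span(schema, name):
    """(start, end) of the objectclass definition NAME 'name', found by balancing
    parentheses so multi-line definitions work. Assumes DESC strings contain no
    unbalanced parentheses (true for the LPK schema)."""
    hit = re.search(r"NAME\s+'%s'" % re.escape(name), schema)
    if not hit:
        raise ValueError(f"objectclass {name!r} not found")
    starts = [m.start() for m in re.finditer(r"(?im)^[ \t]*objectclass\b", schema)
              if m.start() < hit.start()]
    if not starts:
        raise ValueError(f"{name!r} is not declared as an objectclass")
    start, depth = starts[-1], 0
    for i in range(schema.index("(", start), len(schema)):
        depth += {"(": 1, ")": -1}.get(schema[i], 0)
        if depth == 0:
            return start, i + 1
    raise ValueError("unbalanced parentheses in objectclass definition")


def clause_attributes(definition, keyword):
    """Attribute names listed in the MUST or MAY clause of one definition."""
    for m in _CLAUSE.finditer(definition):
        if m.group(1) == keyword:
            body = m.group(2) if m.group(2) is not None else m.group(3)
            return [a.strip() for a in body.split("$") if a.strip()]
    return []


def key_is_mandatory(schema, objectclass="ldapPublicKey", attribute="sshPublicKey"):
    s, e = objectclass_span(schema, objectclass)
    return attribute in clause_attributes(schema[s:e], "MUST")


def make_key_optional(schema, objectclass="ldapPublicKey", attribute="sshPublicKey"):
    """Move the attribute from MUST to MAY (the workaround from the thread);
    everything else in the file, including the attributetype, is left untouched."""
    s, e = objectclass_span(schema, objectclass)
    definition = schema[s:e]
    must = clause_attributes(definition, "MUST")
    may = clause_attributes(definition, "MAY")
    if attribute not in must:
        return schema  # already optional: nothing to do
    must.remove(attribute)
    may.append(attribute)
    # drop the old clauses, then append rebuilt ones before the closing ')'
    stripped = _CLAUSE.sub("", definition).rstrip()
    clauses = (["MUST ( %s )" % " $ ".join(must)] if must else []) + ["MAY ( %s )" % " $ ".join(may)]
    new_definition = stripped[:-1].rstrip() + "\n    " + " ".join(clauses) + " )"
    return schema[:s] + new_definition + schema[e:]


def registration_problems(source, registered, slapd_conf):
    """Post-conditions after ucs_registerLDAPExtension, as listed in the thread:
    the registered copy matches the source and slapd.conf has an include line
    for it. Returns a list of problems; empty means both hold."""
    source, registered, slapd_conf = Path(source), Path(registered), Path(slapd_conf)
    problems = []
    if not registered.is_file():
        problems.append(f"{registered} does not exist")
    elif registered.read_text() != source.read_text():
        problems.append(f"{registered} differs from {source}")
    includes = [line.split(None, 1)[1].strip()
                for line in slapd_conf.read_text().splitlines()
                if line.strip().lower().startswith("include ")]
    if str(registered) not in includes:
        problems.append(f"{slapd_conf} has no 'include {registered}' line")
    return problems


def demo(skip_include=False):
    """Whole workflow against a temp dir standing in for /usr/local/share,
    /var/lib/univention-ldap/local-schema and /etc/ldap/slapd.conf."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "openssh-lpk.schema"
        reg = Path(tmp) / "local-schema" / "openssh-lpk.schema"
        conf = Path(tmp) / "slapd.conf"
        src.write_text(make_key_optional(SAMPLE_SCHEMA))
        reg.parent.mkdir()
        reg.write_text(src.read_text())  # what registration is expected to leave behind
        conf.write_text("include /etc/ldap/schema/core.schema\n"
                        + ("" if skip_include else f"include {reg}\n"))
        return registration_problems(src, reg, conf)


if __name__ == "__main__":
    print("mandatory before fix:", key_is_mandatory(SAMPLE_SCHEMA))
    print("mandatory after fix: ", key_is_mandatory(make_key_optional(SAMPLE_SCHEMA)))
    print("registration problems:", demo() or "none")
```

On a real DC Master you would run make_key_optional over /usr/local/share/openssh-lpk.schema before re-registering, and registration_problems with the three paths from the posts afterwards; `ldapsearch -x -b cn=Subschema -s base objectClasses` then shows whether slapd has actually loaded the changed ldapPublicKey definition.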

Hello,

Sorry for the late reply.
I was able to make the changes as you described and it worked. Excellent!

Thank you very much again!
It is very nice that there are people like you.
Thank you for your work.
