
SSH Key was refused by the LDAP directory #235

Closed
liszca opened this issue Aug 18, 2018 · 7 comments
liszca commented Aug 18, 2018

Hi,
I am not able to replace my existing sshPublicKey. How do I get more information about what could be wrong? Changing the password is working. I looked into the function for changing the SSH key, but I have no idea what could be wrong.

# liszca, people, mufi
dn: uid=liszca,ou=people,dc=mufi
uid: liszca
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDwopjgUZ/R4UAxSh1sg9zNLaAG
 wBrC+q3AiA/wHG6dLLTQTPhvWCaCTV0F2fQdgZGpLC37j7+Ec1v2llBvTndCKew9Pynr8KML1ZLKC

/usr/share/self-service-password/conf/config.inc.php

$ldap_starttls = false;
$ldap_binddn = "cn=admin,dc=mufi";
$ldap_bindpw = "Geh31m";
$ldap_base = "ou=people,dc=mufi";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";

#  [ ... ]

# What attribute should be changed by the changesshkey action?
$change_sshkey_attribute = "sshPublicKey";

coudot (Member) commented Aug 29, 2018

Have you loaded the LDAP schema needed to define the sshPublicKey attribute?

liszca (Author) commented Aug 30, 2018

I created the attribute with an ldif file:

dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
    DESC 'MANDATORY: OpenSSH Public key'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
    DESC 'MANDATORY: OpenSSH LPK objectclass'
    MAY ( sshPublicKey $ uid )
    )

and added it:

ldapadd -Y EXTERNAL -H ldapi:/// -f config_sshpublickey.ldif

Yes it looks like the schema is missing, but there is none in the folder:
[image]
Where to get the openssh-ldap.schema?

Edit:
I tried to include the schema from gosa into my slapd.conf, but it didn't work for me

cat /etc/ldap/schema/gosa/openssh-lpk.schema
#
# LDAP Public Key Patch schema for use with openssh-ldappubkey
# Author: Eric AUGE <[email protected]>
#
# Based on the proposal of : Mark Ruijter
#


# octetString SYNTAX
attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
        DESC 'MANDATORY: OpenSSH Public key'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

# printableString SYNTAX yes|no
objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
        DESC 'MANDATORY: OpenSSH LPK objectclass'
        MAY ( sshPublicKey $ uid )
        )

coudot (Member) commented Aug 31, 2018

You imported the schema correctly; it should now be inside the OpenLDAP configuration. You can check with:

# slapcat -n0

Now you must add the ldapPublicKey objectClass to your user entries.

liszca (Author) commented Aug 31, 2018

I added the attribute to one user and for SSH it is working, but it's a simple string comparison with a bash script.

When the new SSH key is pasted into the web form, are newlines allowed?

# ldapsearch -x -H ldap://nginx.local -D cn=admin,dc=nginx -W -b dc=nginx '(&(objectclass=person))'
[ ... ]
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: ldapPublicKey
objectClass: ownCloud
loginShell: /bin/bash
ownCloudQuota: 24 GB
uid: liszca
sshPublicKey: ssh-rsa AAA [ .... ] pK3R0h9o9AAdNBhpVig1bAtufgp716FfEzcxTiHnwDK6NoIN1S5TZXI6rQjQx6
 YIik7HJl liszca@DESKTOP-K1EQTF2

coudot (Member) commented Aug 31, 2018

For the moment the SSH key value syntax is not checked, so new lines are allowed. An issue is open to control the submitted value: #108.
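The value check coudot describes as missing, together with the objectClass step from the earlier comment, as an added example that is not the project's own code: a small Python validator for a single OpenSSH public-key line (it rejects embedded line breaks, unknown key types, invalid base64, and a blob whose wire-format type name disagrees with the textual prefix), plus a helper that emits the LDIF modify record adding ldapPublicKey and setting sshPublicKey. The accepted key-type set, the function names, and the reuse of the dn uid=liszca,ou=people,dc=mufi from the issue are assumptions for illustration; the sample key value is constructed with correct framing and placeholder bytes, not a real key. One caveat on reading ldapsearch output: LDIF folds long values across lines with a leading space, so the wrapped sshPublicKey shown above is presentation, not a newline stored in the attribute.

```python
import base64
import struct

# Key types accepted by this validator; the set is an assumption for this
# example, not something self-service-password defines.
ALLOWED_KEY_TYPES = {
    "ssh-rsa",
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
}


def parse_ssh_public_key(value):
    """Validate one OpenSSH public key line: "<type> <base64-blob> [comment]".

    Returns (key_type, comment) or raises ValueError with the reason.
    """
    if not isinstance(value, str):
        raise ValueError("key must be a string")
    # A stored sshPublicKey must be exactly one key line: an embedded CR/LF
    # would let a second line ride along into whatever consumes the attribute.
    if any(ch in value for ch in "\r\n\x00"):
        raise ValueError("key contains a line break or NUL byte")
    parts = value.strip().split(" ", 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, blob = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in ALLOWED_KEY_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        raw = base64.b64decode(blob, validate=True)
    except Exception as exc:
        raise ValueError("key blob is not valid base64") from exc
    # The decoded blob starts with a length-prefixed string naming the key
    # type (RFC 4253 section 6.6); it must agree with the textual prefix.
    if len(raw) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", raw[:4])
    if name_len > len(raw) - 4:
        raise ValueError("key blob truncated")
    embedded = raw[4:4 + name_len].decode("ascii", errors="replace")
    if embedded != key_type:
        raise ValueError(f"blob names {embedded!r}, prefix says {key_type!r}")
    return key_type, comment


def is_valid_ssh_public_key(value):
    """Boolean convenience wrapper around parse_ssh_public_key."""
    try:
        parse_ssh_public_key(value)
        return True
    except ValueError:
        return False


def build_modify_ldif(dn, key, object_classes, attribute="sshPublicKey"):
    """Return an LDIF modify record that stores a validated key on dn.

    Adds the ldapPublicKey auxiliary objectClass first when the entry does
    not carry it yet (the step coudot points out in this thread).
    """
    parse_ssh_public_key(key)  # refuse to emit LDIF for a malformed key
    lines = [f"dn: {dn}", "changetype: modify"]
    if "ldapPublicKey" not in object_classes:
        lines += ["add: objectClass", "objectClass: ldapPublicKey", "-"]
    lines += [f"replace: {attribute}", f"{attribute}: {key.strip()}"]
    return "\n".join(lines) + "\n"


def make_demo_key(key_type="ssh-ed25519", comment="demo@example"):
    """Constructed sample value: a correctly framed blob whose body is 32
    placeholder bytes. Not a usable key pair, only a well-formed string."""
    name = key_type.encode()
    body = bytes(range(32))
    raw = (struct.pack(">I", len(name)) + name
           + struct.pack(">I", len(body)) + body)
    return f"{key_type} {base64.b64encode(raw).decode()} {comment}"


if __name__ == "__main__":
    good = make_demo_key()
    print(parse_ssh_public_key(good))
    # A pasted value with a newline inside is refused rather than stored.
    print(is_valid_ssh_public_key(good.replace(" ", "\n", 1)))
    print(build_modify_ldif("uid=liszca,ou=people,dc=mufi", good,
                            ["inetOrgPerson", "person"]))
```

The same checks can be dropped in front of whatever writes the attribute (a web form handler, or a script feeding ldapmodify): validate first, and only then build the modify record, so a malformed or multi-line paste never reaches the directory.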

plewin (Member) commented Jan 20, 2020

Hi @liszca, do you still need assistance on this issue?

plewin (Member) commented May 8, 2020

I am closing this issue because the questions were answered.
If something related to this issue appears again, please open a new issue. Thanks.

plewin closed this as completed May 8, 2020