[Freeipa-users] Integrating Yubikey tokens into FreeIPA

Dale Macartney dale at themacartneyclan.com
Wed Dec 19 13:32:12 UTC 2012




On 12/19/2012 01:20 PM, Simo Sorce wrote:
> On Wed, 2012-12-19 at 12:30 +0000, Dale Macartney wrote:
>>
>> Morning all
>>
>> Here's something I was working on last night with Gavin Spurgeon.
>>
>> If anyone would like to comment on better ways to achieve this, I'd love
>> to hear it so I can update my own procedures (and the article of course)
>>
>>
>> https://www.dalemacartney.com/2012/12/19/integrating-yubikey-token-details-within-ldap-with-freeipa-and-red-hat-enterprise-linux-6/
>>
>> I hope some people find it useful.
>
> Hi Dale,
> what problem do you have adding new schema ?
We weren't able to add any objectIdentifier fields... when trying to
search for existing schema entries, we received the output below.

[root at ds01 ~]# ldapsearch -LLL -h localhost -D "cn=Directory Manager" -x
-w redhat123 -b "cn=schema"
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema

[root at ds01 ~]#


We were trying to use this schema, which was created by Michal, however
we never managed to get it imported with the objectIdentifier values there.

dn: cn=yubikey,cn=config
objectClass: SchemaConfig
cn: yubikey
#
# YubiKey LDAP schema
#
# Author: Michal Ludvig <michal at logix.cz>
# Consider a small PayPal donation:
#         http://logix.cz/michal/devel/yubikey-ldap/
#
# Common Logix OID structure
# <LogixOID>.<Project>.<SNMP/LDAP>.<...>
ObjectIdentifier: {0}logixOID        1.3.6.1.4.1.40789
ObjectIdentifier: {1}YubiKeyPrj    logixOID:2012.11.1
ObjectIdentifier: {2}YkSNMP        YubiKeyPrj:1
ObjectIdentifier: {3}YkLDAP        YubiKeyPrj:2
# YubiKey schema sub-tree
ObjectIdentifier: {4}YkAttribute   YkLDAP:1
ObjectIdentifier: {5}YkObjectClass YkLDAP:2
AttributeTypes: {0}( YkAttribute:1
  NAME 'yubiKeyId'
  DESC 'Yubico YubiKey ID'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
ObjectClasses: {0}( YkObjectClass:1
  NAME 'yubiKeyUser'
  DESC 'Yubico YubiKey User'
  SUP top
  AUXILIARY
  MAY ( yubiKeyId ) )

we ended up having to settle for

dn: cn=schema
#
attributeTypes: ( 1.3.6.1.4.1.40789.2012.11.1.2.1 NAME 'yubiKeyId' DESC 'Yubico YubiKey ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
objectClasses: ( 1.3.6.1.4.1.40789.2012.11.1.2.2 NAME 'yubiKeyUser' DESC 'Yubico YubiKey User' SUP top AUXILIARY MAY ( yubiKeyId ) )


Are there any security restrictions on the schema, or perhaps something
done differently from normal LDAP? Unless of course I'm doing something silly.

thoughts?

>
>
> Simo.
>

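As an added illustration (not code from this thread, the linked article, or the yubikey-ldap project), the following Python script resolves the OpenLDAP-style ObjectIdentifier macros in Michal's schema to numeric OIDs and renders the cn=schema modify LDIF that 389 Directory Server accepts; the macro lines and the {n} ordering prefixes are OpenLDAP cn=config conventions rather than standard schema syntax, which is why they do not import as-is. The sample input is the schema quoted above, reflowed onto fewer continuation lines; walking the macro chain literally gives yubiKeyId the OID 1.3.6.1.4.1.40789.2012.11.1.2.1.1 and yubiKeyUser 1.3.6.1.4.1.40789.2012.11.1.2.2.1, one arc longer than the hand-converted values above, so it is worth confirming which OIDs you actually intend to register before they land in a production directory.

```python
import re
ORDER_PREFIX = re.compile(r"^\{\d+\}")  # OpenLDAP's {n} ordering tag, not part of the OID

# Sample input: the yubikey-ldap schema as quoted in the message (reflowed).
YUBIKEY_SCHEMA = """\
ObjectIdentifier: {0}logixOID        1.3.6.1.4.1.40789
ObjectIdentifier: {1}YubiKeyPrj    logixOID:2012.11.1
ObjectIdentifier: {3}YkLDAP        YubiKeyPrj:2
ObjectIdentifier: {4}YkAttribute   YkLDAP:1
ObjectIdentifier: {5}YkObjectClass YkLDAP:2
AttributeTypes: {0}( YkAttribute:1 NAME 'yubiKeyId' DESC 'Yubico YubiKey ID'
  EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
ObjectClasses: {0}( YkObjectClass:1 NAME 'yubiKeyUser' DESC 'Yubico YubiKey User'
  SUP top AUXILIARY MAY ( yubiKeyId ) )
"""

def unfold(text):  # join LDIF continuation lines (leading space) onto the line above
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" "):
            lines[-1] += " " + raw.strip()
        elif raw.strip():
            lines.append(raw.rstrip())
    return lines

def resolve_oid(token, macros):
    """Expand 'macro' or 'macro:arc' to a dotted OID; numeric OIDs pass through."""
    name, _, arc = token.partition(":")
    if name not in macros and not re.fullmatch(r"[0-9.]+", name):
        raise ValueError("undefined OID macro: " + name)
    base = macros.get(name, name)
    return base + "." + arc if arc else base

def convert_schema(text):
    """Return (macro table, [(ldapAttr, definition with numeric OID), ...])."""
    macros, defs = {}, []
    for line in unfold(text):
        attr, _, value = line.partition(":")
        value = ORDER_PREFIX.sub("", value.strip())
        if attr == "ObjectIdentifier":          # macro definition line
            name, ref = value.split()
            macros[name] = resolve_oid(ref, macros)
        else:                                   # AttributeTypes / ObjectClasses
            head, rest = value[1:].split(None, 1)
            defs.append((attr[0].lower() + attr[1:], "( %s %s" % (resolve_oid(head, macros), rest)))
    return macros, defs

def to_ds_ldif(text):
    """Render a 389-ds LDIF that adds the resolved definitions to cn=schema."""
    parts = ["add: %s\n%s: %s" % (a, a, d) for a, d in convert_schema(text)[1]]
    return "dn: cn=schema\nchangetype: modify\n" + "\n-\n".join(parts) + "\n"
```

Feed the output to ldapmodify against cn=schema as Directory Manager; an undefined macro raises instead of silently producing a bogus OID.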