From cef8ef60e96d84890311c2a76fc0422795db1938 Mon Sep 17 00:00:00 2001
From: Michael Scherer
Date: Sat, 21 Jan 2012 22:09:35 +0000
Subject: force some constraint on ssh key in ldap, since several packagers did not correctly put their keys today
---
 modules/openldap/templates/slapd.conf | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'modules/openldap')
diff --git a/modules/openldap/templates/slapd.conf b/modules/openldap/templates/slapd.conf
index ac67b714..6ae637c2 100644
--- a/modules/openldap/templates/slapd.conf
+++ b/modules/openldap/templates/slapd.conf
@@ -37,6 +37,7 @@ moduleload ppolicy.la
 moduleload memberof.la
 moduleload unique.la
 moduleload dynlist.la
+moduleload constraint.la
 TLSCertificateFile /etc/ssl/openldap/ldap.<%= domain %>.pem
 TLSCertificateKeyFile /etc/ssl/openldap/ldap.<%= domain %>.pem
@@ -101,6 +102,9 @@ unique_uri ldap:///?mail?sub?
 overlay dynlist
 dynlist-attrset groupOfURLs memberURL member
+overlay constraint
+constraint_attribute sshPublicKey regex ^ssh-[rd]sa [[:graph:]]+ [[:graph:]]+$
+
 # uncomment if you want to automatically update group
 # memberships when an user is removed from the tree
 # Also uncomment the refint.la moduleload above
--
cgit v1.2.1
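Review bot: The regex on the added `constraint_attribute sshPublicKey` line contains spaces but is not quoted, and slapd.conf splits arguments on whitespace, so the overlay probably receives only `^ssh-[rd]sa` as the pattern and the remaining pieces as extra arguments; depending on the slapd version that is either a configuration error or a much weaker check than intended. Quote the value, `constraint_attribute sshPublicKey regex "^ssh-[rd]sa [[:graph:]]+ [[:graph:]]+$"`, and confirm with a test write that a malformed key is actually refused. Even when applied in full, the pattern makes the comment field mandatory and accepts any printable run as key material, so a short comment above the overlay stating the accepted format (key type, blob, single-word comment) would help whoever later has to add a key type.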