# Novell Kerberos Schema Definitions
# Novell Inc.
# 1800 South Novell Place
# Provo, UT 84606
#
# VeRsIoN=1.0
# CoPyRiGhT=(c) Copyright 2006, Novell, Inc. All rights reserved
#
# OIDs:
#   joint-iso-ccitt(2)
#     country(16)
#       us(840)
#         organization(1)
#           Novell(113719)
#             applications(1)
#               kerberos(301)
#                 Kerberos Attribute Type(4)   attr# version#
#                   specific attribute definitions
#                 Kerberos Attribute Syntax(5)
#                   specific syntax definitions
#                 Kerberos Object Class(6)     class# version#
#                   specific class definitions
#
#   iso(1)
#     member-body(2)
#       United States(840)
#         mit (113554)
#           infosys(1)
#             ldap(4)
#               attributeTypes(1)
#                 Kerberos(6)

########################################################################


########################################################################
#                     Attribute Type Definitions                       #
########################################################################

##### This is the principal name in the RFC 1964 specified format

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.1.1
 NAME 'krbPrincipalName'
 EQUALITY caseExactIA5Match
 SUBSTR caseExactSubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )


##### If there are multiple krbPrincipalName values for an entry, this
##### is the canonical principal name in the RFC 1964 specified
##### format. (If this attribute does not exist, then all
##### krbPrincipalName values are treated as canonical.)

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.2.840.113554.1.4.1.6.1
 NAME 'krbCanonicalName'
 EQUALITY caseExactIA5Match
 SUBSTR caseExactSubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
 SINGLE-VALUE )

##### This specifies the type of the principal; the type can be any of
##### the types mentioned in section 6.2 of RFC 4120.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.3.1
 NAME 'krbPrincipalType'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


##### This flag is used to find whether the directory User Password has to be used
##### as the kerberos password.
##### TRUE, if User Password is to be used as the kerberos password.
##### FALSE, if User Password and the kerberos password are different.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.5.1
 NAME 'krbUPEnabled'
 DESC 'Boolean'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
 SINGLE-VALUE )


##### The time at which the principal expires

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.6.1
 NAME 'krbPrincipalExpiration'
 EQUALITY generalizedTimeMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
 SINGLE-VALUE )


##### The krbTicketFlags attribute holds information about the kerberos flags for a principal.
##### The values (0x00000001 - 0x00800000) are reserved for standards and
##### values (0x01000000 - 0x80000000) can be used for proprietary extensions.
##### The flags and values as per RFC 4120 and the MIT implementation are,
#####   DISALLOW_POSTDATED     0x00000001
#####   DISALLOW_FORWARDABLE   0x00000002
#####   DISALLOW_TGT_BASED     0x00000004
#####   DISALLOW_RENEWABLE     0x00000008
#####   DISALLOW_PROXIABLE     0x00000010
#####   DISALLOW_DUP_SKEY      0x00000020
#####   DISALLOW_ALL_TIX       0x00000040
#####   REQUIRES_PRE_AUTH      0x00000080
#####   REQUIRES_HW_AUTH       0x00000100
#####   REQUIRES_PWCHANGE      0x00000200
#####   DISALLOW_SVR           0x00001000
#####   PWCHANGE_SERVICE       0x00002000


dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.8.1
 NAME 'krbTicketFlags'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


##### The maximum ticket lifetime for a principal in seconds

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.9.1
 NAME 'krbMaxTicketLife'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


##### Maximum renewable lifetime for a principal's ticket in seconds

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.10.1
 NAME 'krbMaxRenewableAge'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


##### Forward reference to the Realm object.
##### (FDN of the krbRealmContainer object).
##### Example: cn=ACME.COM, cn=Kerberos, cn=Security

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.14.1
 NAME 'krbRealmReferences'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )


##### List of LDAP servers that kerberos servers can contact.
##### The attribute holds data in the LDAP URI format.
##### Example: ldaps://acme.com:636
#####
##### The values of this attribute need to be updated when
##### the LDAP servers listed here are renamed, moved or deleted.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.15.1
 NAME 'krbLdapServers'
 EQUALITY caseIgnoreMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )


##### A set of forward references to the KDC Service objects.
##### (FDNs of the krbKdcService objects).
##### Example: cn=kdc - server 1, ou=uvw, o=xyz

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.17.1
 NAME 'krbKdcServers'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )


##### A set of forward references to the Password Service objects.
##### (FDNs of the krbPwdService objects).
##### Example: cn=kpasswdd - server 1, ou=uvw, o=xyz

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.18.1
 NAME 'krbPwdServers'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )


##### This attribute holds the host name or the IP address,
##### transport protocol and port of the kerberos service host.
##### The format is host_name-or-ip_address#protocol#port
##### Protocol can be 0 or 1. 0 is for UDP. 1 is for TCP.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.24.1
 NAME 'krbHostServer'
 EQUALITY caseExactIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )


##### This attribute holds the scope for searching the principals
##### under the krbSubTrees attribute of krbRealmContainer.
##### The value can either be 1 (ONE) or 2 (SUB_TREE).

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.25.1
 NAME 'krbSearchScope'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


##### FDNs pointing to Kerberos principals

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.26.1
 NAME 'krbPrincipalReferences'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )


##### This attribute specifies which attribute of the user objects is to
##### be used as the principal name component for Kerberos.
##### The allowed values are cn, sn, uid, givenname, fullname.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.28.1
 NAME 'krbPrincNamingAttr'
 EQUALITY caseIgnoreMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
 SINGLE-VALUE )


##### A set of forward references to the Administration Service objects.
##### (FDNs of the krbAdmService objects).
##### Example: cn=kadmindd - server 1, ou=uvw, o=xyz

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.29.1
 NAME 'krbAdmServers'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )


##### Maximum lifetime of a principal's password

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.30.1
 NAME 'krbMaxPwdLife'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


##### Minimum lifetime of a principal's password

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.31.1
 NAME 'krbMinPwdLife'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


##### Minimum number of character classes allowed in a password

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.32.1
 NAME 'krbPwdMinDiffChars'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


##### Minimum length of the password

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.33.1
 NAME 'krbPwdMinLength'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


##### Number of previous versions of passwords that are stored

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.34.1
 NAME 'krbPwdHistoryLength'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


##### Number of consecutive pre-authentication failures before lockout

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.5322.21.2.1
 NAME 'krbPwdMaxFailure'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


##### Period after which the bad pre-authentication count will be reset

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.5322.21.2.2
 NAME 'krbPwdFailureCountInterval'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


##### Period in which lockout is enforced

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.5322.21.2.3
 NAME 'krbPwdLockoutDuration'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


##### Policy attribute flags

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.2.840.113554.1.4.1.6.2
 NAME 'krbPwdAttributes'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


##### Policy maximum ticket lifetime

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.2.840.113554.1.4.1.6.3
 NAME 'krbPwdMaxLife'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


##### Policy maximum ticket renewable lifetime

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.2.840.113554.1.4.1.6.4
 NAME 'krbPwdMaxRenewableLife'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


##### Allowed enctype:salttype combinations for key changes

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.2.840.113554.1.4.1.6.5
 NAME 'krbPwdAllowedKeysalts'
 EQUALITY caseIgnoreIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
 SINGLE-VALUE )


##### FDN pointing to a Kerberos Password Policy object

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.36.1
 NAME 'krbPwdPolicyReference'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
 SINGLE-VALUE )


##### The time at which the principal's password expires

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.37.1
 NAME 'krbPasswordExpiration'
 EQUALITY generalizedTimeMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
 SINGLE-VALUE )


##### This attribute holds the principal's key (krbPrincipalKey) that is encrypted with
##### the master key (krbMKey).
##### The attribute is ASN.1 encoded.
#####
##### The format of the value for this attribute is explained below,
##### KrbKeySet ::= SEQUENCE {
#####     attribute-major-vno       [0] UInt16,
#####     attribute-minor-vno       [1] UInt16,
#####     kvno                      [2] UInt32,
#####     mkvno                     [3] UInt32 OPTIONAL,
#####     keys                      [4] SEQUENCE OF KrbKey,
#####     ...
##### }
#####
##### KrbKey ::= SEQUENCE {
#####     salt      [0] KrbSalt OPTIONAL,
#####     key       [1] EncryptionKey,
#####     s2kparams [2] OCTET STRING OPTIONAL,
#####     ...
##### }
#####
##### KrbSalt ::= SEQUENCE {
#####     type      [0] Int32,
#####     salt      [1] OCTET STRING OPTIONAL
##### }
#####
##### EncryptionKey ::= SEQUENCE {
#####     keytype   [0] Int32,
#####     keyvalue  [1] OCTET STRING
##### }

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.39.1
 NAME 'krbPrincipalKey'
 EQUALITY octetStringMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )


##### FDN pointing to a Kerberos Ticket Policy object.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.40.1
 NAME 'krbTicketPolicyReference'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
 SINGLE-VALUE )


##### Forward reference to an entry that starts sub-trees
##### where principals and other kerberos objects in the realm are configured.
##### Example: ou=acme, ou=pq, o=xyz

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.41.1
 NAME 'krbSubTrees'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )


##### Holds the default encryption/salt type combinations of principals for
##### the Realm. Stored in the form of key:salt strings.
##### Example: aes256-cts-hmac-sha384-192:normal

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.42.1
 NAME 'krbDefaultEncSaltTypes'
 EQUALITY caseIgnoreMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )


##### Holds the supported encryption/salt type combinations of principals for
##### the Realm. Stored in the form of key:salt strings.
##### The supported encryption types are mentioned in RFC 3961.
##### The supported salt types are,
#####     NORMAL
#####     V4
#####     NOREALM
#####     ONLYREALM
#####     SPECIAL
#####     AFS3
##### Example: aes256-cts-hmac-sha384-192:normal
#####
##### This attribute obsoletes the krbSupportedEncTypes and krbSupportedSaltTypes
##### attributes.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.43.1
 NAME 'krbSupportedEncSaltTypes'
 EQUALITY caseIgnoreMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )


##### This attribute holds the principal's old keys (krbPwdHistory) that are encrypted with
##### the kadmin/history key.
##### The attribute is ASN.1 encoded.
#####
##### The format of the value for this attribute is explained below,
##### KrbKeySet ::= SEQUENCE {
#####     attribute-major-vno       [0] UInt16,
#####     attribute-minor-vno       [1] UInt16,
#####     kvno                      [2] UInt32,
#####     mkvno                     [3] UInt32 OPTIONAL -- actually kadmin/history key,
#####     keys                      [4] SEQUENCE OF KrbKey,
#####     ...
##### }
#####
##### KrbKey ::= SEQUENCE {
#####     salt      [0] KrbSalt OPTIONAL,
#####     key       [1] EncryptionKey,
#####     s2kparams [2] OCTET STRING OPTIONAL,
#####     ...
##### }
#####
##### KrbSalt ::= SEQUENCE {
#####     type      [0] Int32,
#####     salt      [1] OCTET STRING OPTIONAL
##### }
#####
##### EncryptionKey ::= SEQUENCE {
#####     keytype   [0] Int32,
#####     keyvalue  [1] OCTET STRING
##### }

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.44.1
 NAME 'krbPwdHistory'
 EQUALITY octetStringMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )


##### The time at which the principal's last password change happened.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.45.1
 NAME 'krbLastPwdChange'
 EQUALITY generalizedTimeMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
 SINGLE-VALUE )

##### The time at which the principal was last administratively unlocked.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.5322.21.2.5
 NAME 'krbLastAdminUnlock'
 EQUALITY generalizedTimeMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
 SINGLE-VALUE )

##### This attribute holds the kerberos master key.
##### This can be used to encrypt principal keys.
##### This attribute has to be secured in the directory.
#####
##### This attribute is ASN.1 encoded.
##### The format of the value for this attribute is explained below,
##### KrbMKey ::= SEQUENCE {
#####     kvno      [0] UInt32,
#####     key       [1] MasterKey
##### }
#####
##### MasterKey ::= SEQUENCE {
#####     keytype   [0] Int32,
#####     keyvalue  [1] OCTET STRING
##### }


dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.46.1
 NAME 'krbMKey'
 EQUALITY octetStringMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )


##### This stores the alternate principal names for the principal in the RFC 1961 specified format

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.47.1
 NAME 'krbPrincipalAliases'
 EQUALITY caseExactIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )


##### The time at which the principal's last successful authentication happened.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.48.1
 NAME 'krbLastSuccessfulAuth'
 EQUALITY generalizedTimeMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
 SINGLE-VALUE )


##### The time at which the principal's last failed authentication happened.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.49.1
 NAME 'krbLastFailedAuth'
 EQUALITY generalizedTimeMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
 SINGLE-VALUE )


##### This attribute stores the number of failed authentication attempts
##### that have happened for the principal since the last successful authentication.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.50.1
 NAME 'krbLoginFailedCount'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )



##### This attribute holds the application specific data.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.51.1
 NAME 'krbExtraData'
 EQUALITY octetStringMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )


##### This attribute holds references to the set of directory objects.
##### This stores the DNs of the directory objects to which the
##### principal object belongs.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.52.1
 NAME 'krbObjectReferences'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )


##### This attribute holds references to a Container object where
##### the additional principal objects and stand-alone principal
##### objects (krbPrincipal) can be created.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.53.1
 NAME 'krbPrincContainerRef'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )


##### A list of authentication indicator strings, one of which must be satisfied
##### to authenticate to the principal as a service.
##### FreeIPA OID:
#####   joint-iso-ccitt(3) country(16) us(840) organization(1) netscape(113730)
#####   ldap(3) freeipa(8) krb5(15) attributes(2)

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113730.3.8.15.2.1
 NAME 'krbPrincipalAuthInd'
 EQUALITY caseExactMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )


##### A list of services to which a service principal can delegate.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.5322.21.2.4
 NAME 'krbAllowedToDelegateTo'
 EQUALITY caseExactIA5Match
 SUBSTR caseExactSubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

########################################################################
########################################################################
#                       Object Class Definitions                       #
########################################################################

#### This is a kerberos container for all the realms in a tree.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.1.1
 NAME 'krbContainer'
 SUP top
 MUST ( cn ) )


##### The krbRealmContainer is created per realm and holds realm specific data.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.2.1
 NAME 'krbRealmContainer'
 SUP top
 MUST ( cn )
 MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef ) )


##### An instance of a class derived from krbService is created per
##### kerberos authentication or administration server in a realm and holds
##### references to the realm objects. These references are used to further read
##### realm specific data to service AS/TGS requests. Additionally this object
##### contains some server specific data like pathnames and ports that the
##### server uses. This is the identity the kerberos server logs in with. A key
##### pair for the same is created and the kerberos server logs in with the same.
#####
##### krbKdcService, krbAdmService and krbPwdService derive from this class.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.3.1
 NAME 'krbService'
 ABSTRACT
 SUP ( top )
 MUST ( cn )
 MAY ( krbHostServer $ krbRealmReferences ) )


##### Representative object for the KDC server to bind into an LDAP directory
##### and have a connection to access Kerberos data with the required
##### access rights.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.4.1
 NAME 'krbKdcService'
 SUP ( krbService ) )


##### Representative object for the Kerberos Password server to bind into an LDAP directory
##### and have a connection to access Kerberos data with the required
##### access rights.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.5.1
 NAME 'krbPwdService'
 SUP ( krbService ) )


###### The principal data auxiliary class. Holds principal information
###### and is used to store principal information for Person and Service objects.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.8.1
 NAME 'krbPrincipalAux'
 AUXILIARY
 MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbLastAdminUnlock $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbAllowedToDelegateTo $ krbPrincipalAuthInd ) )


###### This class is used to create additional principals and stand-alone principals.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.9.1
 NAME 'krbPrincipal'
 SUP ( top )
 MUST ( krbPrincipalName )
 MAY ( krbObjectReferences ) )


###### The principal references auxiliary class. Holds all principals referred
###### to from a service.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.11.1
 NAME 'krbPrincRefAux'
 SUP top
 AUXILIARY
 MAY krbPrincipalReferences )


##### Representative object for the Kerberos Administration server to bind into an LDAP directory
##### and have a connection Id to access Kerberos data with the required access rights.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.13.1
 NAME 'krbAdmService'
 SUP ( krbService ) )


##### The krbPwdPolicy object is a template password policy that
##### can be applied to principals when they are created.
##### These policy attributes will be in effect when the Kerberos
##### passwords are different from users' passwords (UP).

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.14.1
 NAME 'krbPwdPolicy'
 SUP top
 MUST ( cn )
 MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxLife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) )


##### The krbTicketPolicyAux holds Kerberos ticket policy attributes.
##### This class can be attached to a principal object or realm object.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.16.1
 NAME 'krbTicketPolicyAux'
 AUXILIARY
 MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )


##### The krbTicketPolicy object is an effective ticket policy that is associated with a realm or a principal

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.17.1
 NAME 'krbTicketPolicy'
 SUP top
 MUST ( cn ) )

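##### Added example (not part of the schema file, and not MIT or Novell code): decoding krbTicketFlags with the bit values listed for that attribute above, and auditing a constructed LDIF export of entries carrying krbPrincipalAux attributes. The LDIF reader, the entry DNs and the 24-hour ticket-life limit are assumptions for the example.

```python
# Added example, not part of the schema file: decode krbTicketFlags with the bit
# values listed for that attribute, then audit a constructed LDIF export of
# krbPrincipalAux entries. The 24h ticket-life limit is an assumed site policy.
from datetime import datetime, timezone

TICKET_FLAGS = {
    0x00000001: "DISALLOW_POSTDATED", 0x00000002: "DISALLOW_FORWARDABLE",
    0x00000004: "DISALLOW_TGT_BASED", 0x00000008: "DISALLOW_RENEWABLE",
    0x00000010: "DISALLOW_PROXIABLE", 0x00000020: "DISALLOW_DUP_SKEY",
    0x00000040: "DISALLOW_ALL_TIX",   0x00000080: "REQUIRES_PRE_AUTH",
    0x00000100: "REQUIRES_HW_AUTH",   0x00000200: "REQUIRES_PWCHANGE",
    0x00001000: "DISALLOW_SVR",       0x00002000: "PWCHANGE_SERVICE",
}
FLAG = {name: bit for bit, name in TICKET_FLAGS.items()}
PROPRIETARY_MASK = 0xFF000000   # 0x01000000-0x80000000: proprietary extensions

def decode_flags(value: int) -> list:
    """Flag names set in value; unassigned and proprietary bits reported as hex."""
    names = [n for bit, n in TICKET_FLAGS.items() if value & bit]
    unknown = value & ~PROPRIETARY_MASK & ~sum(TICKET_FLAGS)
    if unknown:
        names.append(f"UNKNOWN({unknown:#010x})")
    if value & PROPRIETARY_MASK:
        names.append(f"PROPRIETARY({value & PROPRIETARY_MASK:#010x})")
    return names

def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: unfold continuation lines, split entries on blank
    lines, keep each attribute (lower-cased; LDAP names are case-insensitive)."""
    entries = []
    for block in text.replace("\n ", "").strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, val = line.partition(":")
                entry.setdefault(attr.strip().lower(), []).append(val.strip())
        entries.append(entry)
    return entries

def parse_gentime(s: str) -> datetime:   # GeneralizedTime, e.g. 20250101120000Z
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def audit(entries: list, now: datetime, max_life: int = 24 * 3600) -> dict:
    """Map each principal (krbCanonicalName if present, else the first
    krbPrincipalName, as the schema comments say) to a list of findings."""
    findings = {}
    for e in entries:
        names = e.get("krbprincipalname")
        if not names:
            continue                      # not a principal entry
        name = e.get("krbcanonicalname", names)[0]
        flags = int(e.get("krbticketflags", ["0"])[0])
        out = []
        if not flags & FLAG["REQUIRES_PRE_AUTH"]:
            out.append("pre-authentication not required")
        exp = e.get("krbprincipalexpiration")
        if exp and parse_gentime(exp[0]) < now:
            out.append("principal expired")
        life = int(e.get("krbmaxticketlife", ["0"])[0])
        if life > max_life:
            out.append(f"krbMaxTicketLife {life}s exceeds {max_life}s")
        findings[name] = out
    return findings

# Constructed sample export: one user and one service principal with an alias.
SAMPLE_LDIF = """\
dn: cn=alice,ou=people,dc=example,dc=com
krbPrincipalName: alice@EXAMPLE.COM
krbTicketFlags: 128
krbPrincipalExpiration: 20991231235959Z

dn: cn=batch,ou=services,dc=example,dc=com
krbPrincipalName: batch/host.example.com@EXAMPLE.COM
krbPrincipalName: batch@EXAMPLE.COM
krbCanonicalName: batch/host.example.com@EXAMPLE.COM
krbTicketFlags: 16777218
krbMaxTicketLife: 604800
krbPrincipalExpiration: 20200101000000Z
"""
```

Run `audit(parse_ldif(SAMPLE_LDIF), parse_gentime("20250601000000Z"))` to get the findings keyed by canonical principal name.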
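##### Added example (not part of the schema file, and not MIT or Novell code): a small DER encoder and decoder for the KrbKeySet structure documented above for krbPrincipalKey and krbPwdHistory, followed by a check for deprecated enctypes among the stored keys. Key bytes are dummy placeholders, s2kparams is omitted, and the weak-enctype list is an assumption drawn from RFC 6649 and RFC 8429.

```python
# Added example, not part of the schema file: encode and decode the DER KrbKeySet
# that krbPrincipalKey and krbPwdHistory hold (explicit [n] tags as in the ASN.1
# above, s2kparams omitted), then flag deprecated enctypes among the stored keys.
from collections import namedtuple
# keytype: RFC 3961 enctype number; keyvalue: ciphertext under krbMKey (or the
# kadmin/history key for krbPwdHistory); salt_type/salt: the optional KrbSalt.
KrbKey = namedtuple("KrbKey", "keytype keyvalue salt_type salt", defaults=(None, None))
KrbKeySet = namedtuple("KrbKeySet", "major minor kvno mkvno keys")

# --- minimal DER encoder -----------------------------------------------------
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _int(v: int) -> bytes:   # INTEGER, minimal two's complement
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def _ctx(n: int, inner: bytes) -> bytes:   # explicit context tag [n]
    return _tlv(0xA0 | n, inner)

def encode_key(k: KrbKey) -> bytes:
    parts = b""
    if k.salt_type is not None:
        salt = _ctx(0, _int(k.salt_type))
        if k.salt is not None:
            salt += _ctx(1, _tlv(0x04, k.salt))
        parts += _ctx(0, _tlv(0x30, salt))                  # salt [0] KrbSalt
    enc = _ctx(0, _int(k.keytype)) + _ctx(1, _tlv(0x04, k.keyvalue))
    return _tlv(0x30, parts + _ctx(1, _tlv(0x30, enc)))     # key [1] EncryptionKey

def encode_keyset(ks: KrbKeySet) -> bytes:
    parts = _ctx(0, _int(ks.major)) + _ctx(1, _int(ks.minor)) + _ctx(2, _int(ks.kvno))
    if ks.mkvno is not None:
        parts += _ctx(3, _int(ks.mkvno))
    keys = b"".join(encode_key(k) for k in ks.keys)
    return _tlv(0x30, parts + _ctx(4, _tlv(0x30, keys)))    # keys [4] SEQUENCE OF

# --- minimal DER decoder -----------------------------------------------------
def _read(buf: bytes, pos: int = 0):
    """Read one TLV at pos; return (tag, body, end); reject truncated input."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def _fields(seq_body: bytes) -> dict:
    """[n] -> inner TLV body, for a SEQUENCE whose members are explicitly tagged."""
    out, pos = {}, 0
    while pos < len(seq_body):
        tag, body, pos = _read(seq_body, pos)
        out[tag & 0x1F] = _read(body)[1]
    return out

def _i(b: bytes) -> int: return int.from_bytes(b, "big", signed=True)

def decode_keyset(der: bytes) -> KrbKeySet:
    f = _fields(_read(der)[1])
    keys, pos = [], 0
    while pos < len(f[4]):
        _, kbody, pos = _read(f[4], pos)
        kf = _fields(kbody)
        ek = _fields(kf[1])
        sf = _fields(kf[0]) if 0 in kf else {}
        keys.append(KrbKey(_i(ek[0]), ek[1], _i(sf[0]) if 0 in sf else None, sf.get(1)))
    return KrbKeySet(_i(f[0]), _i(f[1]), _i(f[2]), _i(f[3]) if 3 in f else None, keys)

# --- audit: enctypes deprecated by RFC 6649 (DES) and RFC 8429 (RC4, 3DES) --
WEAK_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 23: "rc4-hmac"}
def weak_enctypes(ks: KrbKeySet) -> list:
    return [WEAK_ENCTYPES[k.keytype] for k in ks.keys if k.keytype in WEAK_ENCTYPES]

# Constructed sample (dummy key bytes): kvno 3 under master key version 1, one
# aes256-cts-hmac-sha1-96 key (18) and one legacy rc4-hmac key (23).
SAMPLE = KrbKeySet(1, 1, 3, 1, [KrbKey(18, b"\x11" * 32, 0, b"EXAMPLE.COMalice"),
                                KrbKey(23, b"\x22" * 16, 0)])
```

`decode_keyset(encode_keyset(SAMPLE))` round-trips to `SAMPLE`, and `weak_enctypes` on it reports the rc4-hmac key without touching the key material itself.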