1# Novell Kerberos Schema Definitions
2# Novell Inc.
3# 1800 South Novell Place
4# Provo, UT 84606
5#
6# VeRsIoN=1.0
7# CoPyRiGhT=(c) Copyright 2006, Novell, Inc.  All rights reserved
8#
9# OIDs:
10#    joint-iso-ccitt(2)
11#      country(16)
12#        us(840)
13#          organization(1)
14#            Novell(113719)
15#              applications(1)
16#                kerberos(301)
17#                 Kerberos Attribute Type(4) attr# version#
18#                    specific attribute definitions
19#                 Kerberos Attribute Syntax(5)
20#                    specific syntax definitions
21#                 Kerberos Object Class(6) class# version#
22#                    specific class definitions
23#
24#    iso(1)
25#      member-body(2)
26#        United States(840)
27#          mit (113554)
28#            infosys(1)
29#              ldap(4)
30#                attributeTypes(1)
31#                  Kerberos(6)
32
33########################################################################
34
35
36########################################################################
37#                     Attribute Type Definitions                       #
38########################################################################
39
40##### This is the principal name in the RFC 1964 specified format
41
42dn: cn=schema
43changetype: modify
44add: attributetypes
45attributetypes: ( 2.16.840.1.113719.1.301.4.1.1
46                NAME 'krbPrincipalName'
47                EQUALITY caseExactIA5Match
48                SUBSTR caseExactSubstringsMatch
49                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
50
51
52##### If there are multiple krbPrincipalName values for an entry, this
53##### is the canonical principal name in the RFC 1964 specified
54##### format.  (If this attribute does not exist, then all
55##### krbPrincipalName values are treated as canonical.)
56
57dn: cn=schema
58changetype: modify
59add: attributetypes
60attributetypes: ( 1.2.840.113554.1.4.1.6.1
61                NAME 'krbCanonicalName'
62                EQUALITY caseExactIA5Match
63                SUBSTR caseExactSubstringsMatch
64                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
65                SINGLE-VALUE )
66
67##### This specifies the type of the principal, the types could be any of
68##### the types mentioned in section 6.2 of RFC 4120
69
70dn: cn=schema
71changetype: modify
72add: attributetypes
73attributetypes: ( 2.16.840.1.113719.1.301.4.3.1
74                NAME 'krbPrincipalType'
75                EQUALITY integerMatch
76                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
77                SINGLE-VALUE )
78
79
##### This flag indicates whether the directory User Password is also used
##### as the Kerberos password.
##### TRUE:  the directory User Password is used as the Kerberos password.
##### FALSE: the directory User Password and the Kerberos password are different.
##### Note that the krbPwdPolicy attributes only take effect when this is FALSE
##### (see the krbPwdPolicy object class below); when TRUE the directory's own
##### password policy governs the Kerberos credential.
84
85dn: cn=schema
86changetype: modify
87add: attributetypes
88attributetypes: ( 2.16.840.1.113719.1.301.4.5.1
89                NAME 'krbUPEnabled'
90                DESC 'Boolean'
91                SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
92                SINGLE-VALUE )
93
94
95##### The time at which the principal expires
96
97dn: cn=schema
98changetype: modify
99add: attributetypes
100attributetypes: ( 2.16.840.1.113719.1.301.4.6.1
101                NAME 'krbPrincipalExpiration'
102                EQUALITY generalizedTimeMatch
103                SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
104                SINGLE-VALUE )
105
106
##### The krbTicketFlags attribute holds the Kerberos attribute flags for a principal.
##### The values (0x00000001 - 0x00800000) are reserved for standards and
##### values (0x01000000 - 0x80000000) can be used for proprietary extensions.
##### The flags below are the per-principal attribute flags of the MIT
##### implementation (KRB5_KDB_* in its kdb headers); they are restrictions
##### applied to the principal, not the ticket-flag bits of RFC 4120.
##### The flags and values include:
##### DISALLOW_POSTDATED        0x00000001
##### DISALLOW_FORWARDABLE      0x00000002
##### DISALLOW_TGT_BASED        0x00000004
##### DISALLOW_RENEWABLE        0x00000008
##### DISALLOW_PROXIABLE        0x00000010
##### DISALLOW_DUP_SKEY         0x00000020
##### DISALLOW_ALL_TIX          0x00000040
##### REQUIRES_PRE_AUTH         0x00000080
##### REQUIRES_HW_AUTH          0x00000100
##### REQUIRES_PWCHANGE         0x00000200
##### DISALLOW_SVR              0x00001000
##### PWCHANGE_SERVICE          0x00002000
#####
##### REQUIRES_PRE_AUTH should be set on user principals: without it the KDC
##### issues an AS-REP to a client that has not yet proven knowledge of the
##### principal's key.  DISALLOW_ALL_TIX is the flag to set to disable a
##### principal outright.
123
124
125dn: cn=schema
126changetype: modify
127add: attributetypes
128attributetypes: ( 2.16.840.1.113719.1.301.4.8.1
129                NAME 'krbTicketFlags'
130                EQUALITY integerMatch
131                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
132                SINGLE-VALUE )
133
134
135##### The maximum ticket lifetime for a principal in seconds
136
137dn: cn=schema
138changetype: modify
139add: attributetypes
140attributetypes: ( 2.16.840.1.113719.1.301.4.9.1
141                NAME 'krbMaxTicketLife'
142                EQUALITY integerMatch
143                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
144                SINGLE-VALUE )
145
146
147##### Maximum renewable lifetime for a principal's ticket in seconds
148
149dn: cn=schema
150changetype: modify
151add: attributetypes
152attributetypes: ( 2.16.840.1.113719.1.301.4.10.1
153                NAME 'krbMaxRenewableAge'
154                EQUALITY integerMatch
155                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
156                SINGLE-VALUE )
157
158
159##### Forward reference to the Realm object.
160##### (FDN of the krbRealmContainer object).
161##### Example:   cn=ACME.COM, cn=Kerberos, cn=Security
162
163dn: cn=schema
164changetype: modify
165add: attributetypes
166attributetypes: ( 2.16.840.1.113719.1.301.4.14.1
167                NAME 'krbRealmReferences'
168                EQUALITY distinguishedNameMatch
169                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
170
171
##### List of LDAP servers that the Kerberos servers (KDC, kadmind, kpasswdd)
##### can contact.  Each value is an LDAP URI.
##### Example: ldaps://acme.com:636
##### Because the Kerberos servers authenticate to the directory and read
##### principal data (including krbPrincipalKey) over this connection, the
##### URIs listed here should use ldaps:// or an otherwise TLS-protected
##### transport rather than plain ldap://.
#####
##### The values of this attribute must be updated when the LDAP servers
##### listed here are renamed, moved or deleted.
178
179dn: cn=schema
180changetype: modify
181add: attributetypes
182attributetypes: ( 2.16.840.1.113719.1.301.4.15.1
183                NAME 'krbLdapServers'
184                EQUALITY caseIgnoreMatch
185                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
186
187
188##### A set of forward references to the KDC Service objects.
189##### (FDNs of the krbKdcService objects).
190##### Example:   cn=kdc - server 1, ou=uvw, o=xyz
191
192dn: cn=schema
193changetype: modify
194add: attributetypes
195attributetypes: ( 2.16.840.1.113719.1.301.4.17.1
196                NAME 'krbKdcServers'
197                EQUALITY distinguishedNameMatch
198                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
199
200
201##### A set of forward references to the Password Service objects.
202##### (FDNs of the krbPwdService objects).
203##### Example:   cn=kpasswdd - server 1, ou=uvw, o=xyz
204
205dn: cn=schema
206changetype: modify
207add: attributetypes
208attributetypes: ( 2.16.840.1.113719.1.301.4.18.1
209                NAME 'krbPwdServers'
210                EQUALITY distinguishedNameMatch
211                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
212
213
##### This attribute holds the host name or IP address, transport protocol
##### and port of the Kerberos service host.
##### The format is host_name-or-ip_address#protocol#port
##### Protocol can be 0 or 1. 0 is for UDP. 1 is for TCP.
218
219dn: cn=schema
220changetype: modify
221add: attributetypes
222attributetypes: ( 2.16.840.1.113719.1.301.4.24.1
223                NAME 'krbHostServer'
224                EQUALITY caseExactIA5Match
225                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
226
227
228##### This attribute holds the scope for searching the principals
229##### under krbSubTree attribute of krbRealmContainer
230##### The value can either be 1 (ONE) or 2 (SUB_TREE).
231
232dn: cn=schema
233changetype: modify
234add: attributetypes
235attributetypes: ( 2.16.840.1.113719.1.301.4.25.1
236                NAME 'krbSearchScope'
237                EQUALITY integerMatch
238                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
239                SINGLE-VALUE )
240
241
242##### FDNs pointing to Kerberos principals
243
244dn: cn=schema
245changetype: modify
246add: attributetypes
247attributetypes: ( 2.16.840.1.113719.1.301.4.26.1
248                NAME 'krbPrincipalReferences'
249                EQUALITY distinguishedNameMatch
250                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
251
252
253##### This attribute specifies which attribute of the user objects
254##### be used as the principal name component for Kerberos.
255##### The allowed values are cn, sn, uid, givenname, fullname.
256
257dn: cn=schema
258changetype: modify
259add: attributetypes
260attributetypes: ( 2.16.840.1.113719.1.301.4.28.1
261                NAME 'krbPrincNamingAttr'
262                EQUALITY caseIgnoreMatch
263                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
264                SINGLE-VALUE )
265
266
267##### A set of forward references to the Administration Service objects.
268##### (FDNs of the krbAdmService objects).
269##### Example:   cn=kadmindd - server 1, ou=uvw, o=xyz
270
271dn: cn=schema
272changetype: modify
273add: attributetypes
274attributetypes: ( 2.16.840.1.113719.1.301.4.29.1
275                NAME 'krbAdmServers'
276                EQUALITY distinguishedNameMatch
277                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
278
279
280##### Maximum lifetime of a principal's password
281
282dn: cn=schema
283changetype: modify
284add: attributetypes
285attributetypes: ( 2.16.840.1.113719.1.301.4.30.1
286                NAME 'krbMaxPwdLife'
287                EQUALITY integerMatch
288                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
289                SINGLE-VALUE )
290
291
292##### Minimum lifetime of a principal's password
293
294dn: cn=schema
295changetype: modify
296add: attributetypes
297attributetypes: ( 2.16.840.1.113719.1.301.4.31.1
298                NAME 'krbMinPwdLife'
299                EQUALITY integerMatch
300                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
301                SINGLE-VALUE )
302
303
##### Minimum number of character classes required in a password
305
306dn: cn=schema
307changetype: modify
308add: attributetypes
309attributetypes: ( 2.16.840.1.113719.1.301.4.32.1
310                NAME 'krbPwdMinDiffChars'
311                EQUALITY integerMatch
312                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
313                SINGLE-VALUE )
314
315
316##### Minimum length of the password
317
318dn: cn=schema
319changetype: modify
320add: attributetypes
321attributetypes: ( 2.16.840.1.113719.1.301.4.33.1
322                NAME 'krbPwdMinLength'
323                EQUALITY integerMatch
324                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
325                SINGLE-VALUE )
326
327
328##### Number of previous versions of passwords that are stored
329
330dn: cn=schema
331changetype: modify
332add: attributetypes
333attributetypes: ( 2.16.840.1.113719.1.301.4.34.1
334                NAME 'krbPwdHistoryLength'
335                EQUALITY integerMatch
336                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
337                SINGLE-VALUE )
338
339
340##### Number of consecutive pre-authentication failures before lockout
341
342dn: cn=schema
343changetype: modify
344add: attributetypes
345attributetypes: ( 1.3.6.1.4.1.5322.21.2.1
346                NAME 'krbPwdMaxFailure'
347                EQUALITY integerMatch
348                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
349                SINGLE-VALUE )
350
351
352##### Period after which bad preauthentication count will be reset
353
354dn: cn=schema
355changetype: modify
356add: attributetypes
357attributetypes: ( 1.3.6.1.4.1.5322.21.2.2
358                NAME 'krbPwdFailureCountInterval'
359                EQUALITY integerMatch
360                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
361                SINGLE-VALUE )
362
363
364##### Period in which lockout is enforced
365
366dn: cn=schema
367changetype: modify
368add: attributetypes
369attributetypes: ( 1.3.6.1.4.1.5322.21.2.3
370                NAME 'krbPwdLockoutDuration'
371                EQUALITY integerMatch
372                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
373                SINGLE-VALUE )
374
375
376##### Policy attribute flags
377
378dn: cn=schema
379changetype: modify
380add: attributetypes
381attributetypes: ( 1.2.840.113554.1.4.1.6.2
382                NAME 'krbPwdAttributes'
383                EQUALITY integerMatch
384                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
385                SINGLE-VALUE )
386
387
388##### Policy maximum ticket lifetime
389
390dn: cn=schema
391changetype: modify
392add: attributetypes
393attributetypes: ( 1.2.840.113554.1.4.1.6.3
394                NAME 'krbPwdMaxLife'
395                EQUALITY integerMatch
396                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
397                SINGLE-VALUE )
398
399
400##### Policy maximum ticket renewable lifetime
401
402dn: cn=schema
403changetype: modify
404add: attributetypes
405attributetypes: ( 1.2.840.113554.1.4.1.6.4
406                NAME 'krbPwdMaxRenewableLife'
407                EQUALITY integerMatch
408                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
409                SINGLE-VALUE )
410
411
412##### Allowed enctype:salttype combinations for key changes
413
414dn: cn=schema
415changetype: modify
416add: attributetypes
417attributetypes: ( 1.2.840.113554.1.4.1.6.5
418                NAME 'krbPwdAllowedKeysalts'
419                EQUALITY caseIgnoreIA5Match
420                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
421                SINGLE-VALUE )
422
423
424##### FDN pointing to a Kerberos Password Policy object
425
426dn: cn=schema
427changetype: modify
428add: attributetypes
429attributetypes: ( 2.16.840.1.113719.1.301.4.36.1
430                NAME 'krbPwdPolicyReference'
431                EQUALITY distinguishedNameMatch
432                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
433                SINGLE-VALUE )
434
435
436##### The time at which the principal's password expires
437
438dn: cn=schema
439changetype: modify
440add: attributetypes
441attributetypes: ( 2.16.840.1.113719.1.301.4.37.1
442                NAME 'krbPasswordExpiration'
443                EQUALITY generalizedTimeMatch
444                SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
445                SINGLE-VALUE )
446
447
##### This attribute holds the principal's keys (krbPrincipalKey), encrypted with
##### the master key (krbMKey).
##### Like krbMKey, this attribute has to be secured in the directory: it is key
##### material that is only as well protected as krbMKey, so read access should
##### be limited to the Kerberos service identities (KDC, kadmin, kpasswd).
##### The attribute is ASN.1 encoded.
451#####
452##### The format of the value for this attribute is explained below,
453##### KrbKeySet ::= SEQUENCE {
454##### attribute-major-vno       [0] UInt16,
455##### attribute-minor-vno       [1] UInt16,
456##### kvno                      [2] UInt32,
457##### mkvno                     [3] UInt32 OPTIONAL,
458##### keys                      [4] SEQUENCE OF KrbKey,
459##### ...
460##### }
461#####
462##### KrbKey ::= SEQUENCE {
463##### salt      [0] KrbSalt OPTIONAL,
464##### key       [1] EncryptionKey,
465##### s2kparams [2] OCTET STRING OPTIONAL,
466##### ...
467##### }
468#####
469##### KrbSalt ::= SEQUENCE {
470##### type      [0] Int32,
471##### salt      [1] OCTET STRING OPTIONAL
472##### }
473#####
474##### EncryptionKey ::= SEQUENCE {
475##### keytype   [0] Int32,
476##### keyvalue  [1] OCTET STRING
477##### }
478
479dn: cn=schema
480changetype: modify
481add: attributetypes
482attributetypes: ( 2.16.840.1.113719.1.301.4.39.1
483                NAME 'krbPrincipalKey'
484                EQUALITY octetStringMatch
485                SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
486
487
488##### FDN pointing to a Kerberos Ticket Policy object.
489
490dn: cn=schema
491changetype: modify
492add: attributetypes
493attributetypes: ( 2.16.840.1.113719.1.301.4.40.1
494                NAME 'krbTicketPolicyReference'
495                EQUALITY distinguishedNameMatch
496                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
497                SINGLE-VALUE )
498
499
500##### Forward reference to an entry that starts sub-trees
501##### where principals and other kerberos objects in the realm are configured.
502##### Example:   ou=acme, ou=pq, o=xyz
503
504dn: cn=schema
505changetype: modify
506add: attributetypes
507attributetypes: ( 2.16.840.1.113719.1.301.4.41.1
508                NAME 'krbSubTrees'
509                EQUALITY distinguishedNameMatch
510                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
511
512
513##### Holds the default encryption/salt type combinations of principals for
514##### the Realm. Stores in the form of key:salt strings.
515##### Example: aes256-cts-hmac-sha384-192:normal
516
517dn: cn=schema
518changetype: modify
519add: attributetypes
520attributetypes: ( 2.16.840.1.113719.1.301.4.42.1
521                NAME 'krbDefaultEncSaltTypes'
522                EQUALITY caseIgnoreMatch
523                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
524
525
526##### Holds the Supported encryption/salt type combinations of principals for
527##### the Realm. Stores in the form of key:salt strings.
528##### The supported encryption types are mentioned in RFC 3961
529##### The supported salt types are,
530##### NORMAL
531##### V4
532##### NOREALM
533##### ONLYREALM
534##### SPECIAL
535##### AFS3
536##### Example: aes256-cts-hmac-sha384-192:normal
537#####
538##### This attribute obsoletes the krbSupportedEncTypes and krbSupportedSaltTypes
539##### attributes.
540
541dn: cn=schema
542changetype: modify
543add: attributetypes
544attributetypes: ( 2.16.840.1.113719.1.301.4.43.1
545                NAME 'krbSupportedEncSaltTypes'
546                EQUALITY caseIgnoreMatch
547                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
548
549
##### This attribute holds the principal's old keys (krbPwdHistory), encrypted with
##### the kadmin/history key.
##### It is key material and has to be secured in the directory in the same way
##### as krbPrincipalKey.
##### The attribute is ASN.1 encoded.
553#####
554##### The format of the value for this attribute is explained below,
555##### KrbKeySet ::= SEQUENCE {
556##### attribute-major-vno       [0] UInt16,
557##### attribute-minor-vno       [1] UInt16,
558##### kvno                      [2] UInt32,
559##### mkvno                     [3] UInt32 OPTIONAL -- actually kadmin/history key,
560##### keys                      [4] SEQUENCE OF KrbKey,
561##### ...
562##### }
563#####
564##### KrbKey ::= SEQUENCE {
565##### salt      [0] KrbSalt OPTIONAL,
566##### key       [1] EncryptionKey,
567##### s2kparams [2] OCTET STRING OPTIONAL,
568##### ...
569##### }
570#####
571##### KrbSalt ::= SEQUENCE {
572##### type      [0] Int32,
573##### salt      [1] OCTET STRING OPTIONAL
574##### }
575#####
576##### EncryptionKey ::= SEQUENCE {
577##### keytype   [0] Int32,
578##### keyvalue  [1] OCTET STRING
579##### }
580
581dn: cn=schema
582changetype: modify
583add: attributetypes
584attributetypes: ( 2.16.840.1.113719.1.301.4.44.1
585                NAME 'krbPwdHistory'
586                EQUALITY octetStringMatch
587                SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
588
589
##### The time at which the principal's password was last changed.
591
592dn: cn=schema
593changetype: modify
594add: attributetypes
595attributetypes: ( 2.16.840.1.113719.1.301.4.45.1
596                NAME 'krbLastPwdChange'
597                EQUALITY generalizedTimeMatch
598                SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
599                SINGLE-VALUE )
600
601##### The time at which the principal was last administratively unlocked.
602
603dn: cn=schema
604changetype: modify
605add: attributetypes
606attributetypes: ( 1.3.6.1.4.1.5322.21.2.5
607                NAME 'krbLastAdminUnlock'
608                EQUALITY generalizedTimeMatch
609                SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
610                SINGLE-VALUE )
611
##### This attribute holds the Kerberos master key.
##### It is used to encrypt the principal keys stored in krbPrincipalKey.
##### This attribute has to be secured in the directory: anyone able to read
##### both krbMKey and krbPrincipalKey can recover every principal's keys, so
##### read access should be restricted to the Kerberos service identities
##### (the krbKdcService / krbAdmService / krbPwdService objects), and the
##### attribute should not appear in LDIF exports or backups that are not
##### protected to the same standard.
615#####
616##### This attribute is ASN.1 encoded.
617##### The format of the value for this attribute is explained below,
618##### KrbMKey ::= SEQUENCE {
619##### kvno    [0] UInt32,
620##### key     [1] MasterKey
621##### }
622#####
623##### MasterKey ::= SEQUENCE {
624##### keytype         [0] Int32,
625##### keyvalue        [1] OCTET STRING
626##### }
627
628
629dn: cn=schema
630changetype: modify
631add: attributetypes
632attributetypes: ( 2.16.840.1.113719.1.301.4.46.1
633                NAME 'krbMKey'
634                EQUALITY octetStringMatch
635                SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
636
637
##### This stores the alternate principal names for the principal in the RFC 1964 specified format
639
640dn: cn=schema
641changetype: modify
642add: attributetypes
643attributetypes: ( 2.16.840.1.113719.1.301.4.47.1
644                NAME 'krbPrincipalAliases'
645                EQUALITY caseExactIA5Match
646                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
647
648
649##### The time at which the principal's last successful authentication happened.
650
651dn: cn=schema
652changetype: modify
653add: attributetypes
654attributetypes: ( 2.16.840.1.113719.1.301.4.48.1
655                NAME 'krbLastSuccessfulAuth'
656                EQUALITY generalizedTimeMatch
657                SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
658                SINGLE-VALUE )
659
660
661##### The time at which the principal's last failed authentication happened.
662
663dn: cn=schema
664changetype: modify
665add: attributetypes
666attributetypes: ( 2.16.840.1.113719.1.301.4.49.1
667                NAME 'krbLastFailedAuth'
668                EQUALITY generalizedTimeMatch
669                SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
670                SINGLE-VALUE )
671
672
##### This attribute stores the number of failed authentication attempts
##### that have occurred for the principal since the last successful authentication.
675
676dn: cn=schema
677changetype: modify
678add: attributetypes
679attributetypes: ( 2.16.840.1.113719.1.301.4.50.1
680                NAME 'krbLoginFailedCount'
681                EQUALITY integerMatch
682                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
683                SINGLE-VALUE )
684
685
686
687##### This attribute holds the application specific data.
688
689dn: cn=schema
690changetype: modify
691add: attributetypes
692attributetypes: ( 2.16.840.1.113719.1.301.4.51.1
693                NAME 'krbExtraData'
694                EQUALITY octetStringMatch
695                SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
696
697
##### This attribute holds references to a set of directory objects.
##### It stores the DNs of the directory objects to which the
##### principal object belongs.
701
702dn: cn=schema
703changetype: modify
704add: attributetypes
705attributetypes: ( 2.16.840.1.113719.1.301.4.52.1
706                NAME 'krbObjectReferences'
707                EQUALITY distinguishedNameMatch
708                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
709
710
711##### This attribute holds references to a Container object where
712##### the additional principal objects and stand alone principal
713##### objects (krbPrincipal) can be created.
714
715dn: cn=schema
716changetype: modify
717add: attributetypes
718attributetypes: ( 2.16.840.1.113719.1.301.4.53.1
719                NAME 'krbPrincContainerRef'
720                EQUALITY distinguishedNameMatch
721                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
722
723
724##### A list of authentication indicator strings, one of which must be satisfied
725##### to authenticate to the principal as a service.
726##### FreeIPA OID:
#####  joint-iso-ccitt(2) country(16) us(840) organization(1) netscape(113730)
728#####  ldap(3) freeipa(8) krb5(15) attributes(2)
729dn: cn=schema
730changetype: modify
731add: attributetypes
732attributetypes: ( 2.16.840.1.113730.3.8.15.2.1
733                NAME 'krbPrincipalAuthInd'
734                EQUALITY caseExactMatch
735                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
736
737
##### A list of services to which a service principal can delegate, i.e. obtain
##### service tickets on a user's behalf (constrained delegation).
##### Each entry widens what a compromised service principal can do with a
##### user's identity, so the list should be limited to the services the
##### principal actually needs to reach.
739dn: cn=schema
740changetype: modify
741add: attributetypes
742attributetypes: ( 1.3.6.1.4.1.5322.21.2.4
743                NAME 'krbAllowedToDelegateTo'
744                EQUALITY caseExactIA5Match
745                SUBSTR caseExactSubstringsMatch
746                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
747
748########################################################################
749########################################################################
750#                       Object Class Definitions                       #
751########################################################################
752
753#### This is a kerberos container for all the realms in a tree.
754
755dn: cn=schema
756changetype: modify
757add: objectclasses
758objectClasses: ( 2.16.840.1.113719.1.301.6.1.1
759                NAME 'krbContainer'
760                SUP top
761                MUST ( cn ) )
762
763
764##### The krbRealmContainer is created per realm and holds realm specific data.
765
766dn: cn=schema
767changetype: modify
768add: objectclasses
769objectClasses: ( 2.16.840.1.113719.1.301.6.2.1
770                NAME 'krbRealmContainer'
771                SUP top
772                MUST ( cn )
773                MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $krbPwdPolicyReference $ krbPrincContainerRef ) )
774
775
##### An instance of a class derived from krbService is created per
##### Kerberos authentication or administration server in a realm and holds
##### references to the realm objects. These references are used to further read
##### realm specific data to service AS/TGS requests. Additionally this object
##### contains some server specific data like pathnames and ports that the
##### server uses. This is the identity the Kerberos server logs in with. A key
##### pair for the same is created and the Kerberos server logs in with it.
##### Directory rights to read krbMKey, krbPrincipalKey and krbPwdHistory should
##### be granted to these service identities only.
783#####
784##### krbKdcService, krbAdmService and krbPwdService derive from this class.
785
786dn: cn=schema
787changetype: modify
788add: objectclasses
789objectClasses: ( 2.16.840.1.113719.1.301.6.3.1
790                NAME 'krbService'
791                ABSTRACT
792                SUP ( top )
793                MUST ( cn )
794                MAY ( krbHostServer $ krbRealmReferences ) )
795
796
797##### Representative object for the KDC server to bind into a LDAP directory
798##### and have a connection to access Kerberos data with the required
799##### access rights.
800
801dn: cn=schema
802changetype: modify
803add: objectclasses
804objectClasses: ( 2.16.840.1.113719.1.301.6.4.1
805                NAME 'krbKdcService'
806                SUP ( krbService ) )
807
808
809##### Representative object for the Kerberos Password server to bind into a LDAP directory
810##### and have a connection to access Kerberos data with the required
811##### access rights.
812
813dn: cn=schema
814changetype: modify
815add: objectclasses
816objectClasses: ( 2.16.840.1.113719.1.301.6.5.1
817                NAME 'krbPwdService'
818                SUP ( krbService ) )
819
820
821###### The principal data auxiliary class. Holds principal information
822###### and is used to store principal information for Person, Service objects.
823
824dn: cn=schema
825changetype: modify
826add: objectclasses
827objectClasses: ( 2.16.840.1.113719.1.301.6.8.1
828                NAME 'krbPrincipalAux'
829                AUXILIARY
830                MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbLastAdminUnlock $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbAllowedToDelegateTo $ krbPrincipalAuthInd ) )
831
832
833###### This class is used to create additional principals and stand alone principals.
834
835dn: cn=schema
836changetype: modify
837add: objectclasses
838objectClasses: ( 2.16.840.1.113719.1.301.6.9.1
839                NAME 'krbPrincipal'
840                SUP ( top )
841                MUST ( krbPrincipalName )
842                MAY ( krbObjectReferences ) )
843
844
845###### The principal references auxiliary class. Holds all principals referred
846###### from a service
847
848dn: cn=schema
849changetype: modify
850add: objectclasses
851objectClasses: ( 2.16.840.1.113719.1.301.6.11.1
852                NAME 'krbPrincRefAux'
853                SUP top
854                AUXILIARY
855                MAY krbPrincipalReferences )
856
857
858##### Representative object for the Kerberos Administration server to bind into a LDAP directory
859##### and have a connection Id to access Kerberos data with the required access rights.
860
861dn: cn=schema
862changetype: modify
863add: objectclasses
864objectClasses: ( 2.16.840.1.113719.1.301.6.13.1
865                NAME 'krbAdmService'
866                SUP ( krbService ) )
867
868
869##### The krbPwdPolicy object is a template password policy that
870##### can be applied to principals when they are created.
871##### These policy attributes will be in effect, when the Kerberos
872##### passwords are different from users' passwords (UP).
873
874dn: cn=schema
875changetype: modify
876add: objectclasses
877objectClasses: ( 2.16.840.1.113719.1.301.6.14.1
878                NAME 'krbPwdPolicy'
879                SUP top
880                MUST ( cn )
881                MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxLife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) )
882
883
884##### The krbTicketPolicyAux holds Kerberos ticket policy attributes.
885##### This class can be attached to a principal object or realm object.
886
887dn: cn=schema
888changetype: modify
889add: objectclasses
890objectClasses: ( 2.16.840.1.113719.1.301.6.16.1
891                NAME 'krbTicketPolicyAux'
892                AUXILIARY
893                MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )
894
895
896##### The krbTicketPolicy object is an effective ticket policy that is associated with a realm or a principal
897
898dn: cn=schema
899changetype: modify
900add: objectclasses
901objectClasses: ( 2.16.840.1.113719.1.301.6.17.1
902                NAME 'krbTicketPolicy'
903                SUP top
904                MUST ( cn ) )
905
906