├── LICENSE
├── NOTICE
├── README.md
├── config
│   ├── DB_CONFIG
│   ├── slapd.conf.template
│   └── slapdenv.config
├── ldif
│   └── testdata.ldif
├── schema
│   ├── collective.schema
│   ├── corba.schema
│   ├── core.schema
│   ├── cosine.schema
│   ├── duaconf.schema
│   ├── dyngroup.schema
│   ├── inetorgperson.schema
│   ├── java.schema
│   ├── microsoftattributetype.schema
│   ├── microsoftattributetypestd.schema
│   ├── microsoftobjectclass.schema
│   ├── misc.schema
│   ├── nis.schema
│   ├── openldap.schema
│   ├── pmi.schema
│   └── ppolicy.schema
└── scripts
    ├── ad-schema-to-open-ldap.py
    ├── add-default-user-password.py
    ├── ldif-convertor.py
    ├── set-content.sh
    └── set-default-slapd.sh

/LICENSE:
--------------------------------------------------------------------------------

                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!) The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright [yyyy] [name of copyright owner]

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.

--------------------------------------------------------------------------------
/NOTICE:
--------------------------------------------------------------------------------

Copyright (c) 2015-2017, David Koudela (https://github.com/dkoudela/active-directory-to-openldap)

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Active Directory to OpenLdap
A successful attempt to provide tools and schemas for conversion of Active Directory content to OpenLdap.

## Motivation
User services like Jenkins, Confluence or Upsource are usually integrated with an LDAP service in corporate environments.


Imagine the following situation:
* You have an Active Directory instance with the production data
* You would like to have a second LDAP instance with full data access
* You cannot use an additional Active Directory instance for some reason, like:
  * License costs
  * Not having full admin access to the Active Directory
* You only need to:
  * Authenticate the users against the LDAP service
  * Synchronize the user profiles with your user services

In this case, this project is suitable for you.

## Prerequisites
* Installed:
  * openldap-2.4.40
  * openldap-servers-sql-2.4.40
  * openldap-clients-2.4.40
  * openldap-devel-2.4.40
  * python-ldap-2.3.10
  * openldap-servers-2.4.40

## Content
### config directory
It contains the OpenLdap configuration files.

First, you will need to modify ``config/slapdenv.config``.
Modify ``ROOTDN`` and ``ROOTPW``; if you need users to authenticate against the LDAP service, set ``ADDADUSERPW=true`` and ``DEFAULTADUSERPW``.

If you would like to alter the OpenLdap settings, you should modify ``config/slapd.conf.template``.

### ldif directory
It contains the LDIF import files with your LDAP data.
If you have more than one LDIF file, please ensure the right order (e.g. ``01.ldif``, ``02.ldif``, etc.).

### schema directory
It contains modified OpenLdap schemas merged with Active Directory specifics.

### scripts directory
It contains scripts for the OpenLdap setup, the LDIF import and the conversion of Active Directory schema to OpenLdap schemas.

#### set-default-slapd.sh
This is the first script you should execute. It sets up the OpenLdap server according to the configuration.

#### set-content.sh
This is the second script you should execute. It imports the data from the LDIFs.

#### ad-schema-to-open-ldap.py
This script converts an Active Directory schema LDIF to an OpenLdap schema file. It is provided for reference only.

--------------------------------------------------------------------------------
/config/DB_CONFIG:
--------------------------------------------------------------------------------
# $OpenLDAP$
# Example DB_CONFIG file for use with slapd(8) BDB/HDB databases.
#
# See the Oracle Berkeley DB documentation
#
# for a detailed description of DB_CONFIG syntax and semantics.
#
# Hints can also be found in the OpenLDAP Software FAQ
#
# in particular:
#

# Note: most DB_CONFIG settings will take effect only upon rebuilding
# the DB environment.

# one 0.25 GB cache
set_cachesize 0 268435456 1

# Data Directory
#set_data_dir db

# Transaction Log settings
set_lg_regionmax 262144
set_lg_bsize 2097152
#set_lg_dir logs

# Note: special DB_CONFIG flags are no longer needed for "quick"
# slapadd(8) or slapindex(8) access (see their -q option).

--------------------------------------------------------------------------------
/config/slapd.conf.template:
--------------------------------------------------------------------------------
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

include __SCHEMADIR__/microsoftattributetype.schema
include __SCHEMADIR__/microsoftattributetypestd.schema
include __SCHEMADIR__/corba.schema
include __SCHEMADIR__/core.schema
include __SCHEMADIR__/cosine.schema
include __SCHEMADIR__/duaconf.schema
include __SCHEMADIR__/dyngroup.schema
include __SCHEMADIR__/inetorgperson.schema
include __SCHEMADIR__/java.schema
include __SCHEMADIR__/misc.schema
include __SCHEMADIR__/nis.schema
include __SCHEMADIR__/openldap.schema
include __SCHEMADIR__/ppolicy.schema
include __SCHEMADIR__/collective.schema
include __SCHEMADIR__/microsoftobjectclass.schema


# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time

# modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap

# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

# enable on-the-fly configuration (cn=config)
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none

# enable server status monitoring (cn=monitor)
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=example,dc=com" read
        by * none

#######################################################################
# database definitions
#######################################################################

#######################################################################
# Meta backend providing rewrite of MS non-standard LDAP Search queries
#######################################################################
database meta
suffix "dc=sub,dc=example,dc=com"
uri "ldap://0.0.0.0/dc=sub,dc=example,dc=com"
suffixmassage "dc=sub,dc=example,dc=com" "dc=example,dc=com"
acl-authcDN "cn=Manager,dc=example,dc=com"
acl-passwd secret
rebind-as-user
rewriteEngine on
rewriteContext searchFilter
rewriteRule "(.*)objectCategory=[a-zA-Z]+(.*)" "%1objectCategory=cn=Person*%2" ":"

#######################################################################
# Configuration backend providing config and schema settings
#######################################################################
database config
rootdn "cn=config"
rootpw secret

#######################################################################
# Database backend containing the LDAP data
#######################################################################
database bdb
suffix "dc=example,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw secret

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index objectCategory,sAMAccountName eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#       bindmethod=sasl saslmech=GSSAPI
#       authcId=host/ldap-master.example.com@EXAMPLE.COM

--------------------------------------------------------------------------------
/config/slapdenv.config:
--------------------------------------------------------------------------------
ROOTDN="dc=example,dc=com"
ROOTPW="secrets"
ADDADUSERPW=false
DEFAULTADUSERPW="topsecret"

--------------------------------------------------------------------------------
/ldif/testdata.ldif:
--------------------------------------------------------------------------------
dn: dc=example,dc=com
objectClass: top
objectClass: domain
objectClass: domainDNS
instanceType: 5
objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=example,DC=com

dn: ou=My Company Users,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: My Company Users
instanceType: 4
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=example,DC=com

--------------------------------------------------------------------------------
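The meta backend's `rewriteRule` above turns Active Directory style `objectCategory=person` filters into a substring match on the converted `CN=Person,...` values. The following is an added example, not the project's code: it emulates the rewrite engine's regex-plus-`%N` substitution on sample filters and evaluates the result against entries shaped like `ldif/testdata.ldif`. The user entry, `apply_rewrite_rule`, `parse_ldif`, `glob_match` and `select_dns` are constructed here; it also shows that the rule, which accepts any `[a-zA-Z]+` category, rewrites `objectCategory=group` to the same `cn=Person*` assertion.

```python
import re

# The searchFilter rewriteRule from this project's slapd.conf.template as a
# (regex, substitution) pair; slapo-rwm's third argument (the ":" flag) is
# not emulated here.
OBJECTCATEGORY_RULE = (r"(.*)objectCategory=[a-zA-Z]+(.*)",
                       "%1objectCategory=cn=Person*%2")

# Constructed entries in the shape of ldif/testdata.ldif plus one user entry
# of the kind an Active Directory export contains (not from the page).
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: domainDNS
objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=example,DC=com

dn: cn=Jane Doe,ou=My Company Users,dc=example,dc=com
objectClass: user
sAMAccountName: jdoe
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
"""


def apply_rewrite_rule(search_filter, rule=OBJECTCATEGORY_RULE):
    """Apply one rewriteRule the way the slapd rewrite engine does: if the
    regex matches, the whole string becomes the substitution with %1..%9
    expanded to the captured groups; otherwise it is returned unchanged."""
    pattern, subst = rule
    m = re.search(pattern, search_filter)
    if m is None:
        return search_filter
    return re.sub(r"%(\d)", lambda g: m.group(int(g.group(1))), subst)


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, one 'attr: value' per line."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def glob_match(value, pattern):
    """Case-insensitive LDAP substring assertion, '*' matching any run."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def select_dns(entries, search_filter):
    """Evaluate a single '(attr=pattern)' clause and return the matching DNs."""
    m = re.fullmatch(r"\((\w+)=(.+)\)", search_filter)
    if m is None:
        raise ValueError("only a single (attr=value) clause is supported")
    attr, pattern = m.group(1).lower(), m.group(2)
    return [e["dn"][0] for e in entries
            if any(glob_match(v, pattern) for v in e.get(attr, []))]
```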
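The template above ships with `allow bind_v2`, the `security` directive commented out, and cleartext `rootpw secret` and `acl-passwd secret` values, the very thing its own comment says to avoid. As an added example (not part of the project), the Python below audits a slapd.conf for those settings and produces the `{SSHA}` value that slappasswd(8) would emit, so the cleartext `rootpw` lines can be replaced. The sample config is constructed to mirror the template, and `parse_slapd_conf`, `audit_slapd_conf`, `ssha_hash`, `ssha_verify` and `harden_rootpw` are names chosen here.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed sample reproducing the weak settings of this project's
# slapd.conf.template (it is not the template itself): allow bind_v2, the
# security directive left commented out, cleartext acl-passwd and rootpw.
SAMPLE_SLAPD_CONF = """\
allow bind_v2
TLSCACertificatePath /etc/openldap/certs
# security ssf=1 update_ssf=112 simple_bind=64

database meta
suffix "dc=sub,dc=example,dc=com"
uri "ldap://0.0.0.0/dc=sub,dc=example,dc=com"
acl-authcDN "cn=Manager,dc=example,dc=com"
acl-passwd secret

database config
rootdn "cn=config"
rootpw secret

database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
# rootpw {crypt}ijFYNcSNctBYg
rootpw secret
"""


def parse_slapd_conf(text):
    """Return (section, directive, value) triples from slapd.conf text:
    '#' lines are comments, a line starting with whitespace continues the
    previous directive, names are case-insensitive, 'database' opens a section."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    entries, section, count = [], "global", 0
    for line in logical:
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if name == "database":
            count += 1
            section = f"database {value} #{count}"
        entries.append((section, name, value))
    return entries


def audit_slapd_conf(text):
    """List weak settings as 'section: finding' strings."""
    entries = parse_slapd_conf(text)
    findings = []
    for section, name, value in entries:
        if section == "global" and name == "allow" and "bind_v2" in value.split():
            findings.append(f"{section}: allow bind_v2 accepts legacy LDAPv2 binds")
        elif name == "rootpw" and not value.startswith("{"):
            findings.append(f"{section}: rootpw is cleartext, use a slappasswd hash")
        elif name == "acl-passwd":
            findings.append(f"{section}: acl-passwd stores a cleartext bind password")
        elif name == "uri" and value.lower().startswith("ldap://"):
            findings.append(f"{section}: proxied connection uses plain ldap://")
    if not any(n == "security" for s, n, _ in entries if s == "global"):
        findings.append("global: no security directive, cleartext simple binds allowed")
    return findings


def ssha_hash(password, salt=None):
    """Build an OpenLDAP {SSHA} value: base64(SHA-1(password + salt) + salt),
    which is what slappasswd(8) emits by default, with a 4-byte random salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against an {SSHA} value; the salt follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def harden_rootpw(text):
    """Return the config with every cleartext rootpw replaced by its {SSHA} hash."""
    out = []
    for raw in text.splitlines():
        m = re.match(r'^(rootpw\s+)(?!\{)"?([^"\s]+)"?\s*$', raw, re.IGNORECASE)
        if m:
            raw = m.group(1) + ssha_hash(m.group(2))
        out.append(raw)
    return "\n".join(out) + "\n"
```

The same `{SSHA}` form is what the commented `rootpw {crypt}...` line in the template hints at; `harden_rootpw` leaves the remaining findings (bind_v2, acl-passwd, the missing `security` line) for manual review.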
/schema/collective.schema: -------------------------------------------------------------------------------- 1 | # collective.schema -- Collective attribute schema 2 | # $OpenLDAP$ 3 | ## This work is part of OpenLDAP Software . 4 | ## 5 | ## Copyright 1998-2014 The OpenLDAP Foundation. 6 | ## All rights reserved. 7 | ## 8 | ## Redistribution and use in source and binary forms, with or without 9 | ## modification, are permitted only as authorized by the OpenLDAP 10 | ## Public License. 11 | ## 12 | ## A copy of this license is available in the file LICENSE in the 13 | ## top-level directory of the distribution or, alternatively, at 14 | ## . 15 | # 16 | ## Portions Copyright (C) The Internet Society (2003). 17 | ## Please see full copyright statement below. 18 | 19 | # From RFC 3671 [portions trimmed]: 20 | # Collective Attributes in LDAP 21 | 22 | #Abstract 23 | # 24 | # X.500 collective attributes allow common characteristics to be shared 25 | # between collections of entries. This document summarizes the X.500 26 | # information model for collective attributes and describes use of 27 | # collective attributes in LDAP (Lightweight Directory Access Protocol). 28 | # This document provides schema definitions for collective attributes 29 | # for use in LDAP. 30 | 31 | #3. Collective Attribute Types 32 | # 33 | # A userApplications attribute type can be defined to be COLLECTIVE 34 | # [RFC2252]. This indicates that the same attribute values will appear 35 | # in the entries of an entry collection subject to the use of the 36 | # collectiveExclusions attribute and other administrative controls. 37 | # 38 | # Collective attribute types are commonly defined as subtypes of non- 39 | # collective attribute types. By convention, collective attributes are 40 | # named by prefixing the name of their non-collective supertype with 41 | # "c-". For example, the collective telephone attribute is named 42 | # c-TelephoneNumber after its non-collective supertype telephoneNumber. 
43 | # 44 | # Non-collective attributes types SHALL NOT subtype collective 45 | # attributes. 46 | # 47 | # Collective attributes SHALL NOT be SINGLE-VALUED. Collective 48 | # attribute types SHALL NOT appear in the attribute types of an object 49 | # class definition. 50 | # 51 | # Operational attributes SHALL NOT be defined to be collective. 52 | # 53 | # The remainder of section provides a summary of collective attributes 54 | # derived from those defined in [X.520]. Implementations of this 55 | # specification SHOULD support the following collective attributes and 56 | # MAY support additional collective attributes. 57 | # 58 | # 59 | #3.1. Collective Locality Name 60 | # 61 | # The c-l attribute type specifies a locality name for a collection of 62 | # entries. 63 | # 64 | attributeType ( 2.5.4.7.1 NAME 'c-l' 65 | SUP l COLLECTIVE ) 66 | # 67 | # 68 | #3.2. Collective State or Province Name 69 | # 70 | # The c-st attribute type specifies a state or province name for a 71 | # collection of entries. 72 | # 73 | attributeType ( 2.5.4.8.1 NAME 'c-st' 74 | SUP st COLLECTIVE ) 75 | # 76 | # 77 | #3.3. Collective Street Address 78 | # 79 | # The c-street attribute type specifies a street address for a 80 | # collection of entries. 81 | # 82 | attributeType ( 2.5.4.9.1 NAME 'c-street' 83 | SUP street COLLECTIVE ) 84 | # 85 | # 86 | #3.4. Collective Organization Name 87 | # 88 | # The c-o attribute type specifies an organization name for a collection 89 | # of entries. 90 | # 91 | attributeType ( 2.5.4.10.1 NAME 'c-o' 92 | SUP o COLLECTIVE ) 93 | # 94 | # 95 | #3.5. Collective Organizational Unit Name 96 | # 97 | # The c-ou attribute type specifies an organizational unit name for a 98 | # collection of entries. 99 | # 100 | attributeType ( 2.5.4.11.1 NAME 'c-ou' 101 | SUP ou COLLECTIVE ) 102 | # 103 | # 104 | #3.6. Collective Postal Address 105 | # 106 | # The c-PostalAddress attribute type specifies a postal address for a 107 | # collection of entries. 
108 | # 109 | attributeType ( 2.5.4.16.1 NAME 'c-PostalAddress' 110 | SUP postalAddress COLLECTIVE ) 111 | # 112 | # 113 | #3.7. Collective Postal Code 114 | # 115 | # The c-PostalCode attribute type specifies a postal code for a 116 | # collection of entries. 117 | # 118 | attributeType ( 2.5.4.17.1 NAME 'c-PostalCode' 119 | SUP postalCode COLLECTIVE ) 120 | # 121 | # 122 | #3.8. Collective Post Office Box 123 | # 124 | # The c-PostOfficeBox attribute type specifies a post office box for a 125 | # collection of entries. 126 | # 127 | attributeType ( 2.5.4.18.1 NAME 'c-PostOfficeBox' 128 | SUP postOfficeBox COLLECTIVE ) 129 | # 130 | # 131 | #3.9. Collective Physical Delivery Office Name 132 | # 133 | # The c-PhysicalDeliveryOfficeName attribute type specifies a physical 134 | # delivery office name for a collection of entries. 135 | # 136 | attributeType ( 2.5.4.19.1 NAME 'c-PhysicalDeliveryOfficeName' 137 | SUP physicalDeliveryOfficeName COLLECTIVE ) 138 | # 139 | # 140 | #3.10. Collective Telephone Number 141 | # 142 | # The c-TelephoneNumber attribute type specifies a telephone number for 143 | # a collection of entries. 144 | # 145 | attributeType ( 2.5.4.20.1 NAME 'c-TelephoneNumber' 146 | SUP telephoneNumber COLLECTIVE ) 147 | # 148 | # 149 | #3.11. Collective Telex Number 150 | # 151 | # The c-TelexNumber attribute type specifies a telex number for a 152 | # collection of entries. 153 | # 154 | attributeType ( 2.5.4.21.1 NAME 'c-TelexNumber' 155 | SUP telexNumber COLLECTIVE ) 156 | # 157 | # 158 | #3.13. Collective Facsimile Telephone Number 159 | # 160 | # The c-FacsimileTelephoneNumber attribute type specifies a facsimile 161 | # telephone number for a collection of entries. 162 | # 163 | attributeType ( 2.5.4.23.1 NAME 'c-FacsimileTelephoneNumber' 164 | SUP facsimileTelephoneNumber COLLECTIVE ) 165 | # 166 | # 167 | #3.14. 
Collective International ISDN Number 168 | # 169 | # The c-InternationalISDNNumber attribute type specifies an 170 | # international ISDN number for a collection of entries. 171 | # 172 | attributeType ( 2.5.4.25.1 NAME 'c-InternationalISDNNumber' 173 | SUP internationalISDNNumber COLLECTIVE ) 174 | 175 | # Full Copyright 176 | # 177 | # Copyright (C) The Internet Society (2003). All Rights Reserved. 178 | # 179 | # This document and translations of it may be copied and furnished 180 | # to others, and derivative works that comment on or otherwise explain 181 | # it or assist in its implmentation may be prepared, copied, published 182 | # and distributed, in whole or in part, without restriction of any 183 | # kind, provided that the above copyright notice and this paragraph 184 | # are included on all such copies and derivative works. However, 185 | # this document itself may not be modified in any way, such as by 186 | # removing the copyright notice or references to the Internet Society 187 | # or other Internet organizations, except as needed for the purpose 188 | # of developing Internet standards in which case the procedures for 189 | # copyrights defined in the Internet Standards process must be followed, 190 | # or as required to translate it into languages other than English. 191 | -------------------------------------------------------------------------------- /schema/corba.schema: -------------------------------------------------------------------------------- 1 | # corba.schema -- Corba Object Schema 2 | # depends upon core.schema 3 | # $OpenLDAP$ 4 | # $OpenLDAP$ 5 | ## This work is part of OpenLDAP Software . 6 | ## 7 | ## Copyright 1998-2014 The OpenLDAP Foundation. 8 | ## All rights reserved. 9 | ## 10 | ## Redistribution and use in source and binary forms, with or without 11 | ## modification, are permitted only as authorized by the OpenLDAP 12 | ## Public License. 
13 | ## 14 | ## A copy of this license is available in the file LICENSE in the 15 | ## top-level directory of the distribution or, alternatively, at 16 | ## . 17 | # 18 | ## Portions Copyright (C) The Internet Society (1999). 19 | ## Please see full copyright statement below. 20 | 21 | 22 | # Network Working Group V. Ryan 23 | # Request for Comments: 2714 R. Lee 24 | # Category: Informational S. Seligman 25 | # Sun Microsystems, Inc. 26 | # October 1999 27 | # 28 | # 29 | # Schema for Representing CORBA Object References in an LDAP Directory 30 | # 31 | # Status of this Memo 32 | # 33 | # This memo provides information for the Internet community. It does 34 | # not specify an Internet standard of any kind. Distribution of this 35 | # memo is unlimited. 36 | # 37 | # Copyright Notice 38 | # 39 | # Copyright (C) The Internet Society (1999). All Rights Reserved. 40 | # 41 | # Abstract 42 | # 43 | # CORBA [CORBA] is the Common Object Request Broker Architecture 44 | # defined by the Object Management Group. This document defines the 45 | # schema for representing CORBA object references in an LDAP directory 46 | # [LDAPv3]. 47 | # 48 | # [trimmed] 49 | 50 | # 3. Attribute Type Definitions 51 | # 52 | # The following attribute types are defined in this document: 53 | # 54 | # corbaIor 55 | # corbaRepositoryId 56 | # 57 | # 3.1 corbaIor 58 | # 59 | # This attribute stores the string representation of the interoperable 60 | # object reference (IOR) for a CORBA object. An IOR is an opaque handle 61 | # for the object which contains the information necessary to locate the 62 | # object, even if the object is in another ORB. 63 | # 64 | # This attribute's syntax is 'IA5 String' and its case is 65 | # insignificant. 
66 | # 67 | # ( 1.3.6.1.4.1.42.2.27.4.1.14 68 | # NAME 'corbaIor' 69 | # DESC 'Stringified interoperable object reference of a CORBA object' 70 | # EQUALITY caseIgnoreIA5Match 71 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 72 | # SINGLE-VALUE 73 | # ) 74 | # 75 | attributetype ( 1.3.6.1.4.1.42.2.27.4.1.14 76 | NAME 'corbaIor' 77 | DESC 'Stringified interoperable object reference of a CORBA object' 78 | EQUALITY caseIgnoreIA5Match 79 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 80 | SINGLE-VALUE ) 81 | 82 | # 3.2 corbaRepositoryId 83 | # 84 | # Each CORBA interface has a unique "repository id" (also called "type 85 | # id") that identifies the interface. A CORBA object has one or more 86 | # repository ids, one for each interface that it implements. 87 | # 88 | # The format of a repository id can be any string, but the OMG 89 | # specifies four standard formats: 90 | # 91 | # a. IDL-style 92 | # 93 | # IDL:Prefix/ModuleName/InterfaceName:VersionNumber 94 | # 95 | # For example, the repository id for the "NamingContext" in OMG's COS 96 | # Naming module is: "IDL:omg.org/CosNaming/NamingContext:1.0". 97 | # 98 | # b. RMI-style 99 | # 100 | # RMI:ClassName:HashCode[:SUID] 101 | # 102 | # This format is used by RMI-IIOP remote objects [RMI-IIOP]. 103 | # "ClassName" is the fully qualified name of the class (for example, 104 | # "java.lang.String"). "HashCode" is the object's hash code (that is, 105 | # that obtained by invoking the "hashCode()" method). "SUID" is the 106 | # "stream unique identifier", which is a 64-bit number that uniquely 107 | # identifies the serialization version of the class; SUID is optional 108 | # in the repository id. 109 | # 110 | # c. DCE-style 111 | # 112 | # DCE:UUID 113 | # 114 | # This format is used for DCE/CORBA interoperability [CORBA-DCE]. 115 | # "UUID" represents a DCE UUID. 116 | # 117 | # d. "local" 118 | # 119 | # This format is defined by the local Object Request Broker (ORB). 
120 | # 121 | # The corbaRepositoryId attribute is a multivalued attribute; each 122 | # value records a single repository id of an interface implemented by 123 | # the CORBA object. This attribute need not contain a complete list of 124 | # the interfaces implemented by the CORBA object. 125 | # 126 | # This attribute's syntax is 'Directory String' and its case is 127 | # significant. The values of this attribute are encoded using UTF-8. 128 | # Some values may require translation from their native representation 129 | # in order to be correctly encoded using UTF-8. 130 | # 131 | # ( 1.3.6.1.4.1.42.2.27.4.1.15 132 | # NAME 'corbaRepositoryId' 133 | # DESC 'Repository ids of interfaces implemented by a CORBA object' 134 | # EQUALITY caseExactMatch 135 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 136 | # ) 137 | # 138 | # 139 | attributetype ( 1.3.6.1.4.1.42.2.27.4.1.15 140 | NAME 'corbaRepositoryId' 141 | DESC 'Repository ids of interfaces implemented by a CORBA object' 142 | EQUALITY caseExactMatch 143 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 144 | 145 | # 4. Object Class Definitions 146 | # 147 | # The following object classes are defined in this document: 148 | # 149 | # corbaContainer 150 | # corbaObject 151 | # corbaObjectReference 152 | # 153 | # 4.1 corbaContainer 154 | # 155 | # This structural object class represents a container for a CORBA 156 | # object. 157 | # 158 | # ( 1.3.6.1.4.1.42.2.27.4.2.10 159 | # NAME 'corbaContainer' 160 | # DESC 'Container for a CORBA object' 161 | # SUP top 162 | # STRUCTURAL 163 | # MUST ( cn ) 164 | # ) 165 | # 166 | objectclass ( 1.3.6.1.4.1.42.2.27.4.2.10 167 | NAME 'corbaContainer' 168 | DESC 'Container for a CORBA object' 169 | SUP top 170 | STRUCTURAL 171 | MUST cn ) 172 | 173 | # 4.2 corbaObject 174 | # 175 | # This abstract object class is the root class for representing a CORBA 176 | # object. 
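The four repository-id formats above (IDL, RMI, DCE, ORB-local) and the two different matching rules (caseIgnoreIA5Match for corbaIor, caseExactMatch for corbaRepositoryId) are easy to get wrong in code that writes or compares these values. The following Python is an added example, not part of corba.schema, RFC 2714 or OpenLDAP: it classifies a corbaRepositoryId by format, compares values with the semantics the matching rules imply, and checks an entry against the MUST / SINGLE-VALUE constraints of corbaObjectReference. The "IOR:" prefix check and the 8-4-4-4-12 UUID shape are assumptions taken from the CORBA and DCE specifications, not from the schema text.

```python
"""Validation helpers for the corbaRepositoryId and corbaIor value formats
described in RFC 2714.  Added example: not part of corba.schema or OpenLDAP."""
import re

# IDL:Prefix/ModuleName/InterfaceName:VersionNumber -- the fixed parts are the
# tag and the trailing major.minor version; the scoped path may be any depth.
_IDL_RE = re.compile(r"^IDL:(?P<path>[^:]+):(?P<major>\d+)\.(?P<minor>\d+)$")
# RMI:ClassName:HashCode[:SUID] -- hash code and SUID as hex digits.
_RMI_RE = re.compile(
    r"^RMI:(?P<cls>[A-Za-z_$][\w$.]*):(?P<hash>[0-9A-Fa-f]+)(?::(?P<suid>[0-9A-Fa-f]+))?$")
# DCE:UUID -- RFC 2714 only says "a DCE UUID"; the 8-4-4-4-12 hex shape is assumed.
_DCE_RE = re.compile(r"^DCE:(?P<uuid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})$")
# corbaIor syntax is IA5 String (1.3.6.1.4.1.1466.115.121.1.26): ASCII only.
_IA5_RE = re.compile(r"^[\x00-\x7f]*$")
# Stringified IORs are "IOR:" followed by hex octets (CORBA spec; assumed here).
_IOR_RE = re.compile(r"^IOR:[0-9A-Fa-f]*$", re.IGNORECASE)


def classify_repository_id(value: str) -> dict:
    """Return the format of a corbaRepositoryId value and its parsed fields.
    Anything that is not IDL/RMI/DCE is ORB-defined ("local") and still legal."""
    m = _IDL_RE.match(value)
    if m:
        parts = m["path"].split("/")
        return {"format": "IDL", "interface": parts[-1], "scope": parts[:-1],
                "version": (int(m["major"]), int(m["minor"]))}
    m = _RMI_RE.match(value)
    if m:
        return {"format": "RMI", "class": m["cls"], "hash": m["hash"], "suid": m["suid"]}
    m = _DCE_RE.match(value)
    if m:
        return {"format": "DCE", "uuid": m["uuid"].lower()}
    return {"format": "local", "raw": value}


def _prep(s: str) -> str:
    # RFC 4518 insignificant-space handling: trim and collapse internal runs.
    return " ".join(s.split())


def ior_equal(a: str, b: str) -> bool:
    """corbaIor uses caseIgnoreIA5Match: values must be IA5 and compare case-insensitively."""
    if not (_IA5_RE.match(a) and _IA5_RE.match(b)):
        raise ValueError("corbaIor values must be IA5 (ASCII) strings")
    return _prep(a).lower() == _prep(b).lower()


def repository_id_equal(a: str, b: str) -> bool:
    """corbaRepositoryId uses caseExactMatch: case is significant."""
    return _prep(a) == _prep(b)


def check_corba_object_reference(entry: dict) -> list:
    """Check an entry (attribute name -> list of values) against corbaObjectReference
    (MUST corbaIor, SINGLE-VALUE) and corbaObject (MAY corbaRepositoryId, multi-valued).
    Returns human-readable problems; an empty list means the entry conforms."""
    problems = []
    iors = entry.get("corbaIor", [])
    if len(iors) != 1:
        problems.append(f"corbaIor must have exactly one value, found {len(iors)}")
    for v in iors:
        if not _IA5_RE.match(v):
            problems.append("corbaIor value is not an IA5 string")
        elif not _IOR_RE.match(v):
            problems.append("corbaIor value is not a stringified IOR")
    seen = set()
    for rid in entry.get("corbaRepositoryId", []):
        key = _prep(rid)                      # caseExactMatch: no case folding
        if key in seen:
            problems.append(f"duplicate corbaRepositoryId value {rid!r}")
        seen.add(key)
    return problems
```

Duplicate detection deliberately folds only whitespace, never case, because two repository ids that differ only in case are distinct values under caseExactMatch and a server honouring the schema will store both.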
177 | # 178 | # ( 1.3.6.1.4.1.42.2.27.4.2.9 179 | # NAME 'corbaObject' 180 | # DESC 'CORBA object representation' 181 | # SUP top 182 | # ABSTRACT 183 | # MAY ( corbaRepositoryId $ description ) 184 | # ) 185 | # 186 | objectclass ( 1.3.6.1.4.1.42.2.27.4.2.9 187 | NAME 'corbaObject' 188 | DESC 'CORBA object representation' 189 | SUP top 190 | ABSTRACT 191 | MAY ( corbaRepositoryId $ description ) ) 192 | 193 | # 4.3 corbaObjectReference 194 | # 195 | # This auxiliary object class represents a CORBA object reference. It 196 | # must be mixed in with a structural object class. 197 | # 198 | # ( 1.3.6.1.4.1.42.2.27.4.2.11 199 | # NAME 'corbaObjectReference' 200 | # DESC 'CORBA interoperable object reference' 201 | # SUP corbaObject 202 | # AUXILIARY 203 | # MUST ( corbaIor ) 204 | # ) 205 | # 206 | objectclass ( 1.3.6.1.4.1.42.2.27.4.2.11 207 | NAME 'corbaObjectReference' 208 | DESC 'CORBA interoperable object reference' 209 | SUP corbaObject 210 | AUXILIARY 211 | MUST corbaIor ) 212 | 213 | # 10. Full Copyright Statement 214 | # 215 | # Copyright (C) The Internet Society (1999). All Rights Reserved. 216 | # 217 | # This document and translations of it may be copied and furnished to 218 | # others, and derivative works that comment on or otherwise explain it 219 | # or assist in its implementation may be prepared, copied, published 220 | # and distributed, in whole or in part, without restriction of any 221 | # kind, provided that the above copyright notice and this paragraph are 222 | # included on all such copies and derivative works. 
However, this 223 | # document itself may not be modified in any way, such as by removing 224 | # the copyright notice or references to the Internet Society or other 225 | # Internet organizations, except as needed for the purpose of 226 | # developing Internet standards in which case the procedures for 227 | # copyrights defined in the Internet Standards process must be 228 | # followed, or as required to translate it into languages other than 229 | # English. 230 | # 231 | # The limited permissions granted above are perpetual and will not be 232 | # revoked by the Internet Society or its successors or assigns. 233 | # 234 | # This document and the information contained herein is provided on an 235 | # "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 236 | # TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 237 | # BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 238 | # HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 239 | # MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 240 | -------------------------------------------------------------------------------- /schema/core.schema: -------------------------------------------------------------------------------- 1 | # OpenLDAP Core schema 2 | # $OpenLDAP$ 3 | ## This work is part of OpenLDAP Software . 4 | ## 5 | ## Copyright 1998-2014 The OpenLDAP Foundation. 6 | ## All rights reserved. 7 | ## 8 | ## Redistribution and use in source and binary forms, with or without 9 | ## modification, are permitted only as authorized by the OpenLDAP 10 | ## Public License. 11 | ## 12 | ## A copy of this license is available in the file LICENSE in the 13 | ## top-level directory of the distribution or, alternatively, at 14 | ## . 15 | # 16 | ## Portions Copyright (C) The Internet Society (1997-2006). 17 | ## All Rights Reserved. 
18 | ## 19 | ## This document and translations of it may be copied and furnished to 20 | ## others, and derivative works that comment on or otherwise explain it 21 | ## or assist in its implementation may be prepared, copied, published 22 | ## and distributed, in whole or in part, without restriction of any 23 | ## kind, provided that the above copyright notice and this paragraph are 24 | ## included on all such copies and derivative works. However, this 25 | ## document itself may not be modified in any way, such as by removing 26 | ## the copyright notice or references to the Internet Society or other 27 | ## Internet organizations, except as needed for the purpose of 28 | ## developing Internet standards in which case the procedures for 29 | ## copyrights defined in the Internet Standards process must be 30 | ## followed, or as required to translate it into languages other than 31 | ## English. 32 | ## 33 | ## The limited permissions granted above are perpetual and will not be 34 | ## revoked by the Internet Society or its successors or assigns. 35 | ## 36 | ## This document and the information contained herein is provided on an 37 | ## "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 38 | ## TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 39 | ## BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 40 | ## HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 41 | ## MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 
42 | 43 | # 44 | # 45 | # Includes LDAPv3 schema items from: 46 | # RFC 2252/2256 (LDAPv3) 47 | # 48 | # Select standard track schema items: 49 | # RFC 1274 (uid/dc) 50 | # RFC 2079 (URI) 51 | # RFC 2247 (dc/dcObject) 52 | # RFC 2587 (PKI) 53 | # RFC 2589 (Dynamic Directory Services) 54 | # RFC 4524 (associatedDomain) 55 | # 56 | # Select informational schema items: 57 | # RFC 2377 (uidObject) 58 | 59 | # 60 | # Standard attribute types from RFC 2256 61 | # 62 | 63 | # system schema 64 | #attributetype ( 2.5.4.0 NAME 'objectClass' 65 | # DESC 'RFC2256: object classes of the entity' 66 | # EQUALITY objectIdentifierMatch 67 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) 68 | 69 | # system schema 70 | #attributetype ( 2.5.4.1 NAME ( 'aliasedObjectName' 'aliasedEntryName' ) 71 | # DESC 'RFC2256: name of aliased object' 72 | # EQUALITY distinguishedNameMatch 73 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) 74 | 75 | attributetype ( 2.5.4.2 NAME 'knowledgeInformation' 76 | DESC 'RFC2256: knowledge information' 77 | EQUALITY caseIgnoreMatch 78 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) 79 | 80 | # system schema 81 | #attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' ) 82 | # DESC 'RFC2256: common name(s) for which the entity is known by' 83 | # SUP name ) 84 | 85 | attributetype ( 2.5.4.4 NAME ( 'sn' 'surname' ) 86 | DESC 'RFC2256: last (family) name(s) for which the entity is known by' 87 | SUP name ) 88 | 89 | attributetype ( 2.5.4.5 NAME 'serialNumber' 90 | DESC 'RFC2256: serial number of the entity' 91 | EQUALITY caseIgnoreMatch 92 | SUBSTR caseIgnoreSubstringsMatch 93 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} ) 94 | 95 | # RFC 4519 definition ('countryName' in X.500 and RFC2256) 96 | attributetype ( 2.5.4.6 NAME ( 'c' 'countryName' ) 97 | DESC 'RFC4519: two-letter ISO-3166 country code' 98 | SUP name 99 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.11 100 | SINGLE-VALUE ) 101 | 102 | #attributetype ( 2.5.4.6 NAME ( 'c' 'countryName' ) 103 | # DESC 'RFC2256: ISO-3166 
country 2-letter code' 104 | # SUP name SINGLE-VALUE ) 105 | 106 | attributetype ( 2.5.4.7 NAME ( 'l' 'localityName' ) 107 | DESC 'RFC2256: locality which this object resides in' 108 | SUP name ) 109 | 110 | attributetype ( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' ) 111 | DESC 'RFC2256: state or province which this object resides in' 112 | SUP name ) 113 | 114 | attributetype ( 2.5.4.9 NAME ( 'street' 'streetAddress' ) 115 | DESC 'RFC2256: street address of this object' 116 | EQUALITY caseIgnoreMatch 117 | SUBSTR caseIgnoreSubstringsMatch 118 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) 119 | 120 | attributetype ( 2.5.4.10 NAME ( 'o' 'organizationName' ) 121 | DESC 'RFC2256: organization this object belongs to' 122 | SUP name ) 123 | 124 | attributetype ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) 125 | DESC 'RFC2256: organizational unit this object belongs to' 126 | SUP name ) 127 | 128 | attributetype ( 2.5.4.12 NAME 'title' 129 | DESC 'RFC2256: title associated with the entity' 130 | SUP name ) 131 | 132 | # system schema 133 | #attributetype ( 2.5.4.13 NAME 'description' 134 | # DESC 'RFC2256: descriptive information' 135 | # EQUALITY caseIgnoreMatch 136 | # SUBSTR caseIgnoreSubstringsMatch 137 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} ) 138 | 139 | # Deprecated by enhancedSearchGuide 140 | attributetype ( 2.5.4.14 NAME 'searchGuide' 141 | DESC 'RFC2256: search guide, deprecated by enhancedSearchGuide' 142 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 ) 143 | 144 | attributetype ( 2.5.4.15 NAME 'businessCategory' 145 | DESC 'RFC2256: business category' 146 | EQUALITY caseIgnoreMatch 147 | SUBSTR caseIgnoreSubstringsMatch 148 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) 149 | 150 | attributetype ( 2.5.4.16 NAME 'postalAddress' 151 | DESC 'RFC2256: postal address' 152 | EQUALITY caseIgnoreListMatch 153 | SUBSTR caseIgnoreListSubstringsMatch 154 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 ) 155 | 156 | attributetype ( 2.5.4.17 NAME 'postalCode' 157 | DESC 
'RFC2256: postal code' 158 | EQUALITY caseIgnoreMatch 159 | SUBSTR caseIgnoreSubstringsMatch 160 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} ) 161 | 162 | attributetype ( 2.5.4.18 NAME 'postOfficeBox' 163 | DESC 'RFC2256: Post Office Box' 164 | EQUALITY caseIgnoreMatch 165 | SUBSTR caseIgnoreSubstringsMatch 166 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} ) 167 | 168 | attributetype ( 2.5.4.19 NAME 'physicalDeliveryOfficeName' 169 | DESC 'RFC2256: Physical Delivery Office Name' 170 | EQUALITY caseIgnoreMatch 171 | SUBSTR caseIgnoreSubstringsMatch 172 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) 173 | 174 | attributetype ( 2.5.4.20 NAME 'telephoneNumber' 175 | DESC 'RFC2256: Telephone Number' 176 | EQUALITY telephoneNumberMatch 177 | SUBSTR telephoneNumberSubstringsMatch 178 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} ) 179 | 180 | attributetype ( 2.5.4.21 NAME 'telexNumber' 181 | DESC 'RFC2256: Telex Number' 182 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 ) 183 | 184 | attributetype ( 2.5.4.22 NAME 'teletexTerminalIdentifier' 185 | DESC 'RFC2256: Teletex Terminal Identifier' 186 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 ) 187 | 188 | attributetype ( 2.5.4.23 NAME ( 'facsimileTelephoneNumber' 'fax' ) 189 | DESC 'RFC2256: Facsimile (Fax) Telephone Number' 190 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 ) 191 | 192 | attributetype ( 2.5.4.24 NAME 'x121Address' 193 | DESC 'RFC2256: X.121 Address' 194 | EQUALITY numericStringMatch 195 | SUBSTR numericStringSubstringsMatch 196 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} ) 197 | 198 | attributetype ( 2.5.4.25 NAME 'internationaliSDNNumber' 199 | DESC 'RFC2256: international ISDN number' 200 | EQUALITY numericStringMatch 201 | SUBSTR numericStringSubstringsMatch 202 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} ) 203 | 204 | attributetype ( 2.5.4.26 NAME 'registeredAddress' 205 | DESC 'RFC2256: registered postal address' 206 | SUP postalAddress 207 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 ) 208 | 209 | attributetype ( 2.5.4.27 NAME 
'destinationIndicator' 210 | DESC 'RFC2256: destination indicator' 211 | EQUALITY caseIgnoreMatch 212 | SUBSTR caseIgnoreSubstringsMatch 213 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} ) 214 | 215 | attributetype ( 2.5.4.28 NAME 'preferredDeliveryMethod' 216 | DESC 'RFC2256: preferred delivery method' 217 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.14 218 | SINGLE-VALUE ) 219 | 220 | attributetype ( 2.5.4.29 NAME 'presentationAddress' 221 | DESC 'RFC2256: presentation address' 222 | EQUALITY presentationAddressMatch 223 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.43 224 | SINGLE-VALUE ) 225 | 226 | attributetype ( 2.5.4.30 NAME 'supportedApplicationContext' 227 | DESC 'RFC2256: supported application context' 228 | EQUALITY objectIdentifierMatch 229 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) 230 | 231 | attributetype ( 2.5.4.31 NAME 'member' 232 | DESC 'RFC2256: member of a group' 233 | SUP distinguishedName ) 234 | 235 | attributetype ( 2.5.4.32 NAME 'owner' 236 | DESC 'RFC2256: owner (of the object)' 237 | SUP distinguishedName ) 238 | 239 | attributetype ( 2.5.4.33 NAME 'roleOccupant' 240 | DESC 'RFC2256: occupant of role' 241 | SUP distinguishedName ) 242 | 243 | # system schema 244 | #attributetype ( 2.5.4.34 NAME 'seeAlso' 245 | # DESC 'RFC2256: DN of related object' 246 | # SUP distinguishedName ) 247 | 248 | # system schema 249 | #attributetype ( 2.5.4.35 NAME 'userPassword' 250 | # DESC 'RFC2256/2307: password of user' 251 | # EQUALITY octetStringMatch 252 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} ) 253 | 254 | # 2.5.4.36 NAME 'userCertificate' Changed: 255 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 -> 1.3.6.1.4.1.1466.115.121.1.40 256 | # EQUALITY certificateExactMatch -> {none} 257 | # 258 | ## Must be transferred using ;binary 259 | ## with certificateExactMatch rule (per X.509) 260 | #attributetype ( 2.5.4.36 NAME 'userCertificate' 261 | # DESC 'RFC2256: X.509 user certificate, use ;binary' 262 | # EQUALITY certificateExactMatch 263 | # SYNTAX 
1.3.6.1.4.1.1466.115.121.1.8 ) 264 | attributetype ( 2.5.4.36 NAME 'userCertificate' 265 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) 266 | 267 | # Must be transferred using ;binary 268 | # with certificateExactMatch rule (per X.509) 269 | attributetype ( 2.5.4.37 NAME 'cACertificate' 270 | DESC 'RFC2256: X.509 CA certificate, use ;binary' 271 | EQUALITY certificateExactMatch 272 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 ) 273 | 274 | # Must be transferred using ;binary 275 | attributetype ( 2.5.4.38 NAME 'authorityRevocationList' 276 | DESC 'RFC2256: X.509 authority revocation list, use ;binary' 277 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) 278 | 279 | # Must be transferred using ;binary 280 | attributetype ( 2.5.4.39 NAME 'certificateRevocationList' 281 | DESC 'RFC2256: X.509 certificate revocation list, use ;binary' 282 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) 283 | 284 | # Must be stored and requested in the binary form 285 | attributetype ( 2.5.4.40 NAME 'crossCertificatePair' 286 | DESC 'RFC2256: X.509 cross certificate pair, use ;binary' 287 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 ) 288 | 289 | # system schema 290 | #attributetype ( 2.5.4.41 NAME 'name' 291 | # EQUALITY caseIgnoreMatch 292 | # SUBSTR caseIgnoreSubstringsMatch 293 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) 294 | 295 | attributetype ( 2.5.4.42 NAME ( 'givenName' 'gn' ) 296 | DESC 'RFC2256: first name(s) for which the entity is known by' 297 | SUP name ) 298 | 299 | attributetype ( 2.5.4.43 NAME 'initials' 300 | DESC 'RFC2256: initials of some or all of names, but not the surname(s).' 
301 | SUP name ) 302 | 303 | attributetype ( 2.5.4.44 NAME 'generationQualifier' 304 | DESC 'RFC2256: name qualifier indicating a generation' 305 | SUP name ) 306 | 307 | attributetype ( 2.5.4.45 NAME 'x500UniqueIdentifier' 308 | DESC 'RFC2256: X.500 unique identifier' 309 | EQUALITY bitStringMatch 310 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 ) 311 | 312 | attributetype ( 2.5.4.46 NAME 'dnQualifier' 313 | DESC 'RFC2256: DN qualifier' 314 | EQUALITY caseIgnoreMatch 315 | ORDERING caseIgnoreOrderingMatch 316 | SUBSTR caseIgnoreSubstringsMatch 317 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 ) 318 | 319 | attributetype ( 2.5.4.47 NAME 'enhancedSearchGuide' 320 | DESC 'RFC2256: enhanced search guide' 321 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 ) 322 | 323 | attributetype ( 2.5.4.48 NAME 'protocolInformation' 324 | DESC 'RFC2256: protocol information' 325 | EQUALITY protocolInformationMatch 326 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 ) 327 | 328 | # system schema 329 | #attributetype ( 2.5.4.49 NAME 'distinguishedName' 330 | # EQUALITY distinguishedNameMatch 331 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) 332 | 333 | attributetype ( 2.5.4.50 NAME 'uniqueMember' 334 | DESC 'RFC2256: unique member of a group' 335 | EQUALITY uniqueMemberMatch 336 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 ) 337 | 338 | attributetype ( 2.5.4.51 NAME 'houseIdentifier' 339 | DESC 'RFC2256: house identifier' 340 | EQUALITY caseIgnoreMatch 341 | SUBSTR caseIgnoreSubstringsMatch 342 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) 343 | 344 | # Must be transferred using ;binary 345 | attributetype ( 2.5.4.52 NAME 'supportedAlgorithms' 346 | DESC 'RFC2256: supported algorithms' 347 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 ) 348 | 349 | # Must be transferred using ;binary 350 | attributetype ( 2.5.4.53 NAME 'deltaRevocationList' 351 | DESC 'RFC2256: delta revocation list; use ;binary' 352 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) 353 | 354 | attributetype ( 2.5.4.54 NAME 'dmdName' 355 | DESC 'RFC2256: name of DMD' 356 
| SUP name ) 357 | 358 | attributetype ( 2.5.4.65 NAME 'pseudonym' 359 | DESC 'X.520(4th): pseudonym for the object' 360 | SUP name ) 361 | 362 | # 9.3.33. Friendly Country Name 363 | # 364 | # The Friendly Country Name attribute type specifies names of countries 365 | # in human readable format. The standard attribute country name must 366 | # be one of the two-letter codes defined in ISO 3166. 367 | # 368 | # friendlyCountryName ATTRIBUTE 369 | # WITH ATTRIBUTE-SYNTAX 370 | # caseIgnoreStringSyntax 371 | # ::= {pilotAttributeType 43} 372 | # 373 | attributetype ( 0.9.2342.19200300.100.1.43 374 | NAME ( 'co' 'friendlyCountryName' ) 375 | DESC 'RFC1274: friendly country name' 376 | EQUALITY caseIgnoreMatch 377 | SUBSTR caseIgnoreSubstringsMatch 378 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 379 | 380 | # 9.3.4. Information 381 | # 382 | # The Information attribute type specifies any general information 383 | # pertinent to an object. It is recommended that specific usage of 384 | # this attribute type is avoided, and that specific requirements are 385 | # met by other (possibly additional) attribute types. 386 | # 387 | # info ATTRIBUTE 388 | # WITH ATTRIBUTE-SYNTAX 389 | # caseIgnoreStringSyntax 390 | # (SIZE (1 .. 
ub-information)) 391 | # ::= {pilotAttributeType 4} 392 | # 393 | attributetype ( 0.9.2342.19200300.100.1.4 NAME 'info' 394 | DESC 'RFC1274: general information' 395 | EQUALITY caseIgnoreMatch 396 | SUBSTR caseIgnoreSubstringsMatch 397 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{2048} ) 398 | 399 | # 400 | # Derived from RFC 1274, but with new "short names" 401 | # 402 | #attributetype ( 0.9.2342.19200300.100.1.1 403 | # NAME ( 'uid' 'userid' ) 404 | # DESC 'RFC1274: user identifier' 405 | # EQUALITY caseIgnoreMatch 406 | # SUBSTR caseIgnoreSubstringsMatch 407 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) 408 | 409 | attributetype ( 0.9.2342.19200300.100.1.3 410 | NAME ( 'mail' 'rfc822Mailbox' ) 411 | DESC 'RFC1274: RFC822 Mailbox' 412 | EQUALITY caseIgnoreIA5Match 413 | SUBSTR caseIgnoreIA5SubstringsMatch 414 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) 415 | 416 | # Standard object classes from RFC2256 417 | 418 | # system schema 419 | #objectclass ( 2.5.6.0 NAME 'top' 420 | # DESC 'RFC2256: top of the superclass chain' 421 | # ABSTRACT 422 | # MUST objectClass ) 423 | 424 | # system schema 425 | #objectclass ( 2.5.6.1 NAME 'alias' 426 | # DESC 'RFC2256: an alias' 427 | # SUP top STRUCTURAL 428 | # MUST aliasedObjectName ) 429 | 430 | objectclass ( 2.5.6.2 NAME 'country' 431 | DESC 'RFC2256: a country' 432 | SUP top STRUCTURAL 433 | MUST c 434 | MAY ( searchGuide $ description ) ) 435 | 436 | objectclass ( 2.5.6.3 NAME 'locality' 437 | DESC 'RFC2256: a locality' 438 | SUP top STRUCTURAL 439 | MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) ) 440 | 441 | objectclass ( 2.5.6.4 NAME 'organization' 442 | DESC 'RFC2256: an organization' 443 | SUP top STRUCTURAL 444 | MUST o 445 | MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ 446 | x121Address $ registeredAddress $ destinationIndicator $ 447 | preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ 448 | telephoneNumber $ internationaliSDNNumber $ 449 | facsimileTelephoneNumber 
$ street $ postOfficeBox $ postalCode $ 450 | postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) ) 451 | 452 | # 2.5.6.5 NAME 'organizationalUnit' Mixed: OpenLDAP + Microsoft (attribute names are case-insensitive, so internationalISDNNumber in the MAY list is the same attribute as internationaliSDNNumber, 2.5.4.25, and is listed twice) 453 | objectclass ( 2.5.6.5 NAME 'organizationalUnit' 454 | DESC 'RFC2256: an organizational unit + Microsoft hacks' 455 | SUP top STRUCTURAL 456 | MUST ou 457 | MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ 458 | x121Address $ registeredAddress $ destinationIndicator $ 459 | preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ 460 | telephoneNumber $ internationaliSDNNumber $ 461 | facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ 462 | postalAddress $ physicalDeliveryOfficeName $ st $ l $ description $ 463 | c $ internationalISDNNumber $ co $ countryCode $ desktopProfile $ 464 | defaultGroup $ managedBy $ uPNSuffixes $ gPLink $ gPOptions $ thumbnailLogo 465 | ) ) 466 | 467 | # 2.5.6.6 NAME 'person' Changed: MUST ( sn $ cn ) -> MUST ( cn ); sn is now only MAY, although RFC2256 requires it 468 | objectclass ( 2.5.6.6 NAME 'person' 469 | DESC 'RFC2256: a person' 470 | SUP top STRUCTURAL 471 | MUST ( cn ) 472 | MAY ( userPassword $ telephoneNumber $ seeAlso $ description $ sn ) ) 473 | 474 | # 2.5.6.7 NAME 'organizationalPerson' Mixed: OpenLDAP + Microsoft (streetAddress is an alias of street, 2.5.4.9, and internationalISDNNumber of internationaliSDNNumber, so both appear twice in the MAY list) 475 | objectclass ( 2.5.6.7 NAME 'organizationalPerson' 476 | DESC 'RFC2256: an organizational person' 477 | SUP person STRUCTURAL 478 | MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $ 479 | preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ 480 | telephoneNumber $ internationaliSDNNumber $ 481 | facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ 482 | postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l $ c $ co $ info $ mailNickname $ 483 | o $ internationalISDNNumber $ givenName $ initials $ generationQualifier $ 484 | otherTelephone $ otherPager $ department $ company $ streetAddress $ otherHomePhone $ 485 | personalTitle $ homePostalAddress $ countryCode $ employeeID $ 
comment $ division $ 486 | otherFacsimileTelephoneNumber $ otherMobile $ primaryTelexNumber $ 487 | primaryInternationalISDNNumber $ mhsORAddress $ otherMailbox $ assistant $ 488 | ipPhone $ otherIpPhone $ mail $ manager $ homePhone $ mobile $ pager $ middleName $ 489 | thumbnailPhoto $ thumbnailLogo 490 | ) ) 491 | 492 | objectclass ( 2.5.6.8 NAME 'organizationalRole' 493 | DESC 'RFC2256: an organizational role' 494 | SUP top STRUCTURAL 495 | MUST cn 496 | MAY ( x121Address $ registeredAddress $ destinationIndicator $ 497 | preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ 498 | telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ 499 | seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $ 500 | postOfficeBox $ postalCode $ postalAddress $ 501 | physicalDeliveryOfficeName $ ou $ st $ l $ description ) ) 502 | 503 | objectclass ( 2.5.6.9 NAME 'groupOfNames' 504 | DESC 'RFC2256: a group of names (DNs)' 505 | SUP top STRUCTURAL 506 | MUST ( member $ cn ) 507 | MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) 508 | 509 | objectclass ( 2.5.6.10 NAME 'residentialPerson' 510 | DESC 'RFC2256: an residential person' 511 | SUP person STRUCTURAL 512 | MUST l 513 | MAY ( businessCategory $ x121Address $ registeredAddress $ 514 | destinationIndicator $ preferredDeliveryMethod $ telexNumber $ 515 | teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ 516 | facsimileTelephoneNumber $ preferredDeliveryMethod $ street $ 517 | postOfficeBox $ postalCode $ postalAddress $ 518 | physicalDeliveryOfficeName $ st $ l ) ) 519 | 520 | objectclass ( 2.5.6.11 NAME 'applicationProcess' 521 | DESC 'RFC2256: an application process' 522 | SUP top STRUCTURAL 523 | MUST cn 524 | MAY ( seeAlso $ ou $ l $ description ) ) 525 | 526 | objectclass ( 2.5.6.12 NAME 'applicationEntity' 527 | DESC 'RFC2256: an application entity' 528 | SUP top STRUCTURAL 529 | MUST ( presentationAddress $ cn ) 530 | MAY ( 
supportedApplicationContext $ seeAlso $ ou $ o $ l $ 531 | description ) ) 532 | 533 | objectclass ( 2.5.6.13 NAME 'dSA' 534 | DESC 'RFC2256: a directory system agent (a server)' 535 | SUP applicationEntity STRUCTURAL 536 | MAY knowledgeInformation ) 537 | 538 | objectclass ( 2.5.6.14 NAME 'device' 539 | DESC 'RFC2256: a device' 540 | SUP top STRUCTURAL 541 | MUST cn 542 | MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) ) 543 | 544 | objectclass ( 2.5.6.15 NAME 'strongAuthenticationUser' 545 | DESC 'RFC2256: a strong authentication user' 546 | SUP top AUXILIARY 547 | MUST userCertificate ) 548 | 549 | objectclass ( 2.5.6.16 NAME 'certificationAuthority' 550 | DESC 'RFC2256: a certificate authority' 551 | SUP top AUXILIARY 552 | MUST ( authorityRevocationList $ certificateRevocationList $ 553 | cACertificate ) MAY crossCertificatePair ) 554 | 555 | objectclass ( 2.5.6.17 NAME 'groupOfUniqueNames' 556 | DESC 'RFC2256: a group of unique names (DN and Unique Identifier)' 557 | SUP top STRUCTURAL 558 | MUST ( uniqueMember $ cn ) 559 | MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) 560 | 561 | objectclass ( 2.5.6.18 NAME 'userSecurityInformation' 562 | DESC 'RFC2256: a user security information' 563 | SUP top AUXILIARY 564 | MAY ( supportedAlgorithms ) ) 565 | 566 | objectclass ( 2.5.6.16.2 NAME 'certificationAuthority-V2' 567 | SUP certificationAuthority 568 | AUXILIARY MAY ( deltaRevocationList ) ) 569 | 570 | objectclass ( 2.5.6.19 NAME 'cRLDistributionPoint' 571 | SUP top STRUCTURAL 572 | MUST ( cn ) 573 | MAY ( certificateRevocationList $ authorityRevocationList $ 574 | deltaRevocationList ) ) 575 | 576 | objectclass ( 2.5.6.20 NAME 'dmd' 577 | SUP top STRUCTURAL 578 | MUST ( dmdName ) 579 | MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ 580 | x121Address $ registeredAddress $ destinationIndicator $ 581 | preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ 582 | telephoneNumber $ 
internationaliSDNNumber $ facsimileTelephoneNumber $ 583 | street $ postOfficeBox $ postalCode $ postalAddress $ 584 | physicalDeliveryOfficeName $ st $ l $ description ) ) 585 | 586 | # 587 | # Object Classes from RFC 2587 588 | # 589 | objectclass ( 2.5.6.21 NAME 'pkiUser' 590 | DESC 'RFC2587: a PKI user' 591 | SUP top AUXILIARY 592 | MAY userCertificate ) 593 | 594 | objectclass ( 2.5.6.22 NAME 'pkiCA' 595 | DESC 'RFC2587: PKI certificate authority' 596 | SUP top AUXILIARY 597 | MAY ( authorityRevocationList $ certificateRevocationList $ 598 | cACertificate $ crossCertificatePair ) ) 599 | 600 | objectclass ( 2.5.6.23 NAME 'deltaCRL' 601 | DESC 'RFC2587: PKI user' 602 | SUP top AUXILIARY 603 | MAY deltaRevocationList ) 604 | 605 | # 606 | # Standard Track URI label schema from RFC 2079 607 | # system schema 608 | #attributetype ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI' 609 | # DESC 'RFC2079: Uniform Resource Identifier with optional label' 610 | # EQUALITY caseExactMatch 611 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 612 | 613 | objectclass ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' 614 | DESC 'RFC2079: object that contains the URI attribute type' 615 | SUP top AUXILIARY 616 | MAY ( labeledURI ) ) 617 | 618 | objectclass ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' 619 | DESC 'RFC1274: simple security object' 620 | SUP top AUXILIARY 621 | MUST userPassword ) 622 | 623 | # RFC 1274 + RFC 2247 624 | attributetype ( 0.9.2342.19200300.100.1.25 625 | NAME ( 'dc' 'domainComponent' ) 626 | DESC 'RFC1274/2247: domain component' 627 | EQUALITY caseIgnoreIA5Match 628 | SUBSTR caseIgnoreIA5SubstringsMatch 629 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 630 | 631 | # RFC 2247 632 | objectclass ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' 633 | DESC 'RFC2247: domain component object' 634 | SUP top AUXILIARY MUST dc ) 635 | 636 | # RFC 2377 637 | objectclass ( 1.3.6.1.1.3.1 NAME 'uidObject' 638 | DESC 'RFC2377: uid object' 639 | SUP top AUXILIARY MUST uid ) 
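This core.schema departs from RFC 2256 in ways that matter for anything relying on the directory as an identity source: `person` no longer requires `sn`, `userCertificate` has lost its certificate syntax and its EQUALITY rule (so equality filters on it evaluate to Undefined under RFC 4511), and the Microsoft-mixed object classes reference attributes defined in other files and list the same attribute twice under different names. The Python below is an added example, not a tool from this repository or from OpenLDAP: a small linter that parses slapd.conf-style `attributetype`/`objectclass` definitions and reports those three kinds of deviation against a caller-supplied baseline. The embedded SAMPLE is a constructed excerpt modelled on the definitions above, not the file itself, and the baseline values are the RFC 2256 ones quoted in the file's own comments.

```python
"""Lint OpenLDAP slapd.conf-style schema text for deviations from an RFC baseline.
Added example: not part of this repository or of OpenLDAP."""
import re

_FLAGS = {"SINGLE-VALUE", "COLLECTIVE", "OBSOLETE", "STRUCTURAL", "AUXILIARY", "ABSTRACT"}
_LISTS = {"NAME", "SUP", "MUST", "MAY"}
_SCALARS = {"DESC", "EQUALITY", "SUBSTR", "ORDERING", "SYNTAX", "X-ORIGIN"}


def _definitions(text):
    """Yield (kind, body) for each attributetype/objectclass block.  '#' comment lines
    are dropped first so commented-out definitions are ignored, as slapd ignores them."""
    clean = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    for m in re.finditer(r"(?i)\b(attributetype|objectclass)\s*\(", clean):
        depth, i, quoted = 1, m.end(), False
        while depth:                      # find the matching ')' outside quoted strings
            ch = clean[i]
            if ch == "'":
                quoted = not quoted
            elif not quoted:
                depth += {"(": 1, ")": -1}.get(ch, 0)
            i += 1
        yield m.group(1).lower(), clean[m.end():i - 1]


def _parse(body):
    """Reduce one RFC 4512-style description to a dict of its keywords."""
    toks = re.findall(r"'[^']*'|[()$]|[^\s()'$]+", body)
    d = {"oid": toks[0], "flags": set(), "NAME": [], "SUP": [], "MUST": [], "MAY": []}
    key = None
    for t in toks[1:]:
        up = t.upper()
        if up in _FLAGS:
            d["flags"].add(up)
            key = None
        elif up in _LISTS or up in _SCALARS:
            key = up
        elif t in ("(", ")", "$"):
            continue
        elif key in _LISTS:
            d[key].append(t.strip("'"))
        elif key in _SCALARS:
            d[key] = t.strip("'")
    return d


def lint(schema_text, baseline):
    """Return findings.  baseline = {"must": {class: {attr, ...}},
    "attrs": {attr: (expected SYNTAX oid, expected EQUALITY rule)}}."""
    attrs, classes, findings = {}, {}, []
    for kind, body in _definitions(schema_text):
        d = _parse(body)
        for n in d["NAME"]:
            (attrs if kind == "attributetype" else classes)[n.lower()] = d
    canon = {alias: d["NAME"][0] for alias, d in attrs.items()}   # any alias -> primary name
    for c in classes.values():
        for key in ("MUST", "MAY"):
            seen = {}
            for a in c[key]:
                primary = canon.get(a.lower())
                if primary is None:          # slapd refuses to start on an unknown attribute
                    findings.append(f"{c['NAME'][0]}: {key} references undefined attribute '{a}'")
                elif primary in seen:        # names are case-insensitive keystrings (RFC 4512)
                    findings.append(f"{c['NAME'][0]}: {key} lists '{a}' and '{seen[primary]}', the same attribute")
                else:
                    seen[primary] = a
    for cname, required in baseline.get("must", {}).items():
        c = classes.get(cname.lower())
        if c:
            have = {canon.get(m.lower(), m) for m in c["MUST"]}
            for m in sorted(set(required) - have):
                findings.append(f"{c['NAME'][0]}: '{m}' is no longer MUST (baseline requires it)")
    for aname, (syntax, equality) in baseline.get("attrs", {}).items():
        a = attrs.get(aname.lower())
        if a is None:
            continue
        if a.get("SYNTAX", "").split("{")[0] != syntax:
            findings.append(f"{aname}: SYNTAX {a.get('SYNTAX')} differs from baseline {syntax}")
        if a.get("EQUALITY") != equality:
            findings.append(f"{aname}: EQUALITY {a.get('EQUALITY')} instead of {equality}; "
                            "equality filters on it are Undefined (RFC 4511)")
    return findings


# Constructed excerpt modelled on this repository's core.schema, not the file itself.
SAMPLE = """
attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
attributetype ( 2.5.4.4 NAME ( 'sn' 'surname' ) SUP name )
attributetype ( 2.5.4.9 NAME ( 'street' 'streetAddress' )
    EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributetype ( 2.5.4.13 NAME 'description' DESC 'RFC2256: descriptive information'
    EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
attributetype ( 2.5.4.25 NAME 'internationaliSDNNumber'
    EQUALITY numericStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} )
attributetype ( 2.5.4.36 NAME 'userCertificate'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
#attributetype ( 2.5.4.36 NAME 'userCertificate' EQUALITY certificateExactMatch
#    SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
objectclass ( 2.5.6.6 NAME 'person' DESC 'RFC2256: a person'
    SUP top STRUCTURAL MUST ( cn ) MAY ( description $ sn ) )
objectclass ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL
    MAY ( street $ internationaliSDNNumber $ streetAddress $
          internationalISDNNumber $ gPLink ) )
"""
BASELINE = {
    "must": {"person": {"sn", "cn"}},                       # RFC 2256: person MUST ( sn $ cn )
    "attrs": {"userCertificate": ("1.3.6.1.4.1.1466.115.121.1.8", "certificateExactMatch")},
}

if __name__ == "__main__":
    for finding in lint(SAMPLE, BASELINE):
        print(finding)
```

Run against the real files, `gPLink` and the other Microsoft names will only resolve if the `microsoftattributetype*.schema` files are concatenated into the text first, in the same order slapd would `include` them; an unresolved name here means the same thing it means to slapd, a start-up failure.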
640 | 641 | # RFC 4524 642 | # The 'associatedDomain' attribute specifies DNS [RFC1034][RFC2181] 643 | # host names [RFC1123] that are associated with an object. That is, 644 | # values of this attribute should conform to the following ABNF: 645 | # 646 | # domain = root / label *( DOT label ) 647 | # root = SPACE 648 | # label = LETDIG [ *61( LETDIG / HYPHEN ) LETDIG ] 649 | # LETDIG = %x30-39 / %x41-5A / %x61-7A ; "0" - "9" / "A"-"Z" / "a"-"z" 650 | # SPACE = %x20 ; space (" ") 651 | # HYPHEN = %x2D ; hyphen ("-") 652 | # DOT = %x2E ; period (".") 653 | attributetype ( 0.9.2342.19200300.100.1.37 654 | NAME 'associatedDomain' 655 | DESC 'RFC1274: domain associated with object' 656 | EQUALITY caseIgnoreIA5Match 657 | SUBSTR caseIgnoreIA5SubstringsMatch 658 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 659 | 660 | # RFC 2459 -- deprecated in favor of 'mail' (in cosine.schema) 661 | attributetype ( 1.2.840.113549.1.9.1 662 | NAME ( 'email' 'emailAddress' 'pkcs9email' ) 663 | DESC 'RFC3280: legacy attribute for email addresses in DNs' 664 | EQUALITY caseIgnoreIA5Match 665 | SUBSTR caseIgnoreIA5SubstringsMatch 666 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) 667 | 668 | -------------------------------------------------------------------------------- /schema/duaconf.schema: -------------------------------------------------------------------------------- 1 | # $OpenLDAP$ 2 | ## This work is part of OpenLDAP Software . 3 | ## 4 | ## Copyright 1998-2014 The OpenLDAP Foundation. 5 | ## All rights reserved. 6 | ## 7 | ## Redistribution and use in source and binary forms, with or without 8 | ## modification, are permitted only as authorized by the OpenLDAP 9 | ## Public License. 10 | ## 11 | ## A copy of this license is available in the file LICENSE in the 12 | ## top-level directory of the distribution or, alternatively, at 13 | ## . 
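The RFC 4524 ABNF quoted above for associatedDomain is stricter than the attribute's IA5 String syntax, and the RFC only says values "should" conform, so a server that loads this schema will still store values such as `exa_mple.com` or `example.com.`; the check belongs in whatever writes the entries. The Python below is an added example, not part of core.schema or of OpenLDAP, implementing the ABNF exactly as quoted (root is a single space; labels are 1 to 63 characters of letters, digits and hyphens with no hyphen at either end):

```python
"""Validate associatedDomain values against the RFC 4524 ABNF.
Added example: not part of core.schema or OpenLDAP."""
import re

# label = LETDIG [ *61( LETDIG / HYPHEN ) LETDIG ]  -> 1..63 chars, no edge hyphens
_LABEL_RE = re.compile(r"^[0-9A-Za-z](?:[0-9A-Za-z-]{0,61}[0-9A-Za-z])?$")


def is_associated_domain(value: str) -> bool:
    """domain = root / label *( DOT label ), root = SPACE."""
    if value == " ":
        return True
    if value == "":
        return False
    # split(".") yields an empty label for leading, trailing or doubled dots,
    # which the label rule then rejects.
    return all(_LABEL_RE.match(label) for label in value.split("."))


def domains_equal(a: str, b: str) -> bool:
    """caseIgnoreIA5Match, the attribute's EQUALITY rule: case-insensitive,
    insignificant spaces removed (RFC 4518 preparation, simplified)."""
    return " ".join(a.split()).lower() == " ".join(b.split()).lower()


def find_bad_values(values):
    """Return the values an application must reject before an add/modify,
    since the server only enforces the IA5 (ASCII) syntax."""
    return [v for v in values if not is_associated_domain(v)]
```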

# DUA schema from draft-joslin-config-schema (a work in progress)

# Contents of this file are subject to change (including deletion)
# without notice.
#
# Not recommended for production use!
# Use with extreme caution!

## Notes:
## - The matching rule for attributes followReferrals and dereferenceAliases
##   has been changed to booleanMatch since their syntax is boolean
## - There was a typo in the name of the dereferenceAliases attributeType
##   in the DUAConfigProfile objectClass definition
## - Credit goes to the original Authors

#
# Application Working Group                                    M. Ansari
# INTERNET-DRAFT                                     Sun Microsystems, Inc.
# Expires February 2003                                        L. Howard
#                                                   PADL Software Pty. Ltd.
#                                                         B. Joslin [ed.]
#                                                  Hewlett-Packard Company
#
# September 15th, 2003
# Intended Category: Informational
#
#
#              A Configuration Schema for LDAP Based
#                     Directory User Agents
#
#
#Status of this Memo
#
# This memo provides information for the Internet community.  This
# memo does not specify an Internet standard of any kind.  Distribu-
# tion of this memo is unlimited.
#
# This document is an Internet-Draft and is in full conformance with
# all provisions of Section 10 of RFC2026.
#
# This document is an Internet-Draft.  Internet-Drafts are working
# documents of the Internet Engineering Task Force (IETF), its areas,
# and its working groups.  Note that other groups may also distribute
# working documents as Internet-Drafts.
#
# Internet-Drafts are draft documents valid for a maximum of six
# months.  Internet-Drafts may be updated, replaced, or made obsolete
# by other documents at any time.  It is not appropriate to use
# Internet-Drafts as reference material or to cite them other than as
# a "working draft" or "work in progress".
#
# To learn the current status of any Internet-Draft, please check the
# 1id-abstracts.txt listing contained in the Internet-Drafts Shadow
# Directories on ds.internic.net (US East Coast), nic.nordu.net
# (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
# Rim).
#
# Distribution of this document is unlimited.
#
#
# Abstract
#
# This document describes a mechanism for global configuration of
# similar directory user agents.  This document defines a schema for
# configuration of these DUAs that may be discovered using the Light-
# weight Directory Access Protocol in RFC 2251[17].  A set of attri-
# bute types and an objectclass are proposed, along with specific
# guidelines for interpreting them.  A significant feature of the
# global configuration policy for DUAs is a mechanism that allows
# DUAs to re-configure their schema to that of the end user's
# environment.  This configuration is achieved through attribute and
# objectclass mapping.  This document is intended to be a skeleton
# for future documents that describe configuration of specific DUA
# services.
#
#
# [trimmed]
#
#
# 2. General Issues
#
# The schema defined by this document is defined under the "DUA Con-
# figuration Schema."  This schema is derived from the OID: iso (1)
# org (3) dod (6) internet (1) private (4) enterprises (1) Hewlett-
# Packard Company (11) directory (1) LDAP-UX Integration Project (3)
# DUA Configuration Schema (1).  This OID is represented in this
# document by the keystring "DUAConfSchemaOID"
# (1.3.6.1.4.1.11.1.3.1).
objectidentifier DUAConfSchemaOID 1.3.6.1.4.1.11.1.3.1
#
# 2.2 Attributes
#
# The attributes and classes defined in this document are summarized
# below.
#
# The following attributes are defined in this document:
#
#      preferredServerList
#      defaultServerList
#      defaultSearchBase
#      defaultSearchScope
#      authenticationMethod
#      credentialLevel
#      serviceSearchDescriptor
#
#
#
# Joslin                                                         [Page 3]
# Internet-Draft          DUA Configuration Schema            October 2002
#
#
#      serviceCredentialLevel
#      serviceAuthenticationMethod
#      attributeMap
#      objectclassMap
#      searchTimeLimit
#      bindTimeLimit
#      followReferrals
#      dereferenceAliases
#      profileTTL
#
# 2.3 Object Classes
#
# The following object class is defined in this document:
#
#      DUAConfigProfile
#
#
attributeType ( DUAConfSchemaOID:1.0 NAME 'defaultServerList'
    DESC 'Default LDAP server host address used by a DUA'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

attributeType ( DUAConfSchemaOID:1.1 NAME 'defaultSearchBase'
    DESC 'Default LDAP base DN used by a DUA'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    SINGLE-VALUE )

attributeType ( DUAConfSchemaOID:1.2 NAME 'preferredServerList'
    DESC 'Preferred LDAP server host addresses to be used by a
    DUA'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

attributeType ( DUAConfSchemaOID:1.3 NAME 'searchTimeLimit'
    DESC 'Maximum time in seconds a DUA should allow for a
    search to complete'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributeType ( DUAConfSchemaOID:1.4 NAME 'bindTimeLimit'
    DESC 'Maximum time in seconds a DUA should allow for the
    bind operation to complete'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributeType ( DUAConfSchemaOID:1.5 NAME 'followReferrals'
    DESC 'Tells DUA if it should follow referrals
    returned by a DSA search result'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )

attributeType ( DUAConfSchemaOID:1.16 NAME 'dereferenceAliases'
    DESC 'Tells DUA if it should dereference aliases'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )

attributeType ( DUAConfSchemaOID:1.6 NAME 'authenticationMethod'
    DESC 'A keystring which identifies the type of
    authentication method used to contact the DSA'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

attributeType ( DUAConfSchemaOID:1.7 NAME 'profileTTL'
    DESC 'Time to live, in seconds, before a client DUA
    should re-read this configuration profile'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributeType ( DUAConfSchemaOID:1.14 NAME 'serviceSearchDescriptor'
    DESC 'LDAP search descriptor list used by a DUA'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributeType ( DUAConfSchemaOID:1.9 NAME 'attributeMap'
    DESC 'Attribute mappings used by a DUA'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributeType ( DUAConfSchemaOID:1.10 NAME 'credentialLevel'
    DESC 'Identifies type of credentials a DUA should
    use when binding to the LDAP server'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE )

attributeType ( DUAConfSchemaOID:1.11 NAME 'objectclassMap'
    DESC 'Objectclass mappings used by a DUA'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributeType ( DUAConfSchemaOID:1.12 NAME 'defaultSearchScope'
    DESC 'Default search scope used by a DUA'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE )

attributeType ( DUAConfSchemaOID:1.13 NAME 'serviceCredentialLevel'
    DESC 'Identifies type of credentials a DUA
    should use when binding to the LDAP server for a
    specific service'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributeType ( DUAConfSchemaOID:1.15 NAME 'serviceAuthenticationMethod'
    DESC 'Authentication method used by a service of the DUA'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#
# 4. Class Definition
#
# The objectclass below is constructed from the attributes defined in
# 3, with the exception of the cn attribute, which is defined in RFC
# 2256 [8].  cn is used to represent the name of the DUA configura-
# tion profile.
#
objectClass ( DUAConfSchemaOID:2.5 NAME 'DUAConfigProfile'
    SUP top STRUCTURAL
    DESC 'Abstraction of a base configuration for a DUA'
    MUST ( cn )
    MAY ( defaultServerList $ preferredServerList $
        defaultSearchBase $ defaultSearchScope $
        searchTimeLimit $ bindTimeLimit $
        credentialLevel $ authenticationMethod $
        followReferrals $ dereferenceAliases $
        serviceSearchDescriptor $ serviceCredentialLevel $
        serviceAuthenticationMethod $ objectclassMap $
        attributeMap $ profileTTL ) )
--------------------------------------------------------------------------------
/schema/dyngroup.schema:
--------------------------------------------------------------------------------
# dyngroup.schema -- Dynamic Group schema
# $OpenLDAP$
## This work is part of OpenLDAP Software .
##
## Copyright 1998-2014 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## .
#
# Dynamic Group schema (experimental), as defined by Netscape.  See
# http://www.redhat.com/docs/manuals/ent-server/pdf/esadmin611.pdf
# page 70 for details on how these groups were used.
#
# A description of the objectclass definition is available here:
# http://www.redhat.com/docs/manuals/dir-server/schema/7.1/oc_dir.html#1303745
#
# depends upon:
#       core.schema
#
# These definitions are considered experimental due to the lack of
# a formal specification (e.g., RFC).
#
# NOT RECOMMENDED FOR PRODUCTION USE! USE WITH CAUTION!
#
# The Netscape documentation describes this as an auxiliary objectclass
# but their implementations have always defined it as a structural class.
# The sloppiness here is because Netscape-derived servers don't actually
# implement the X.500 data model, and they don't honor the distinction
# between structural and auxiliary classes.  This fact is noted here:
# http://forum.java.sun.com/thread.jspa?threadID=5016864&messageID=9034636
#
# In accordance with other existing implementations, we define it as a
# structural class.
#
# Our definition of memberURL also does not match theirs but again
# their published definition and what works in practice do not agree.
# In other words, the Netscape definitions are broken and interoperability
# is not guaranteed.
#
# Also see the new DynGroup proposed spec at
# http://tools.ietf.org/html/draft-haripriya-dynamicgroup-02

objectIdentifier NetscapeRoot 2.16.840.1.113730

objectIdentifier NetscapeLDAP NetscapeRoot:3
objectIdentifier NetscapeLDAPattributeType NetscapeLDAP:1
objectIdentifier NetscapeLDAPobjectClass NetscapeLDAP:2

objectIdentifier OpenLDAPExp11 1.3.6.1.4.1.4203.666.11
objectIdentifier DynGroupBase OpenLDAPExp11:8
objectIdentifier DynGroupAttr DynGroupBase:1
objectIdentifier DynGroupOC DynGroupBase:2

attributetype ( NetscapeLDAPattributeType:198
    NAME 'memberURL'
    DESC 'Identifies an URL associated with each member of a group. Any type of labeled URL can be used.'
    SUP labeledURI )

attributetype ( DynGroupAttr:1
    NAME 'dgIdentity'
    DESC 'Identity to use when processing the memberURL'
    SUP distinguishedName SINGLE-VALUE )

attributeType ( DynGroupAttr:2
    NAME 'dgAuthz'
    DESC 'Optional authorization rules that determine who is allowed to assume the dgIdentity'
    EQUALITY authzMatch
    SYNTAX 1.3.6.1.4.1.4203.666.2.7
    X-ORDERED 'VALUES' )

objectClass ( NetscapeLDAPobjectClass:33
    NAME 'groupOfURLs'
    SUP top STRUCTURAL
    MUST cn
    MAY ( memberURL $ businessCategory $ description $ o $ ou $
        owner $ seeAlso ) )

# The Haripriya dyngroup schema still needs a lot of work.
# We're just adding support for the dgIdentity attribute for now...
objectClass ( DynGroupOC:1
    NAME 'dgIdentityAux'
    SUP top AUXILIARY
    MAY ( dgIdentity $ dgAuthz ) )


--------------------------------------------------------------------------------
/schema/inetorgperson.schema:
--------------------------------------------------------------------------------
# inetorgperson.schema -- InetOrgPerson (RFC2798)
# $OpenLDAP$
## This work is part of OpenLDAP Software .
##
## Copyright 1998-2014 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## .
#
# InetOrgPerson (RFC2798)
#
# Depends upon
#   Definition of an X.500 Attribute Type and an Object Class to Hold
#   Uniform Resource Identifiers (URIs) [RFC2079]
#       (core.schema)
#
#   A Summary of the X.500(96) User Schema for use with LDAPv3 [RFC2256]
#       (core.schema)
#
#   The COSINE and Internet X.500 Schema [RFC1274] (cosine.schema)

# carLicense
# This multivalued field is used to record the values of the license or
# registration plate associated with an individual.
attributetype ( 2.16.840.1.113730.3.1.1
    NAME 'carLicense'
    DESC 'RFC2798: vehicle license or registration plate'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# departmentNumber
# Code for department to which a person belongs.  This can also be
# strictly numeric (e.g., 1234) or alphanumeric (e.g., ABC/123).
attributetype ( 2.16.840.1.113730.3.1.2
    NAME 'departmentNumber'
    DESC 'RFC2798: identifies a department within an organization'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# displayName
# When displaying an entry, especially within a one-line summary list, it
# is useful to be able to identify a name to be used.  Since other attri-
# bute types such as 'cn' are multivalued, an additional attribute type is
# needed.  Display name is defined for this purpose.
attributetype ( 2.16.840.1.113730.3.1.241
    NAME 'displayName'
    DESC 'RFC2798: preferred name to be used when displaying entries'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# employeeNumber
# Numeric or alphanumeric identifier assigned to a person, typically based
# on order of hire or association with an organization.  Single valued.
attributetype ( 2.16.840.1.113730.3.1.3
    NAME 'employeeNumber'
    DESC 'RFC2798: numerically identifies an employee within an organization'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# employeeType
# Used to identify the employer to employee relationship.  Typical values
# used will be "Contractor", "Employee", "Intern", "Temp", "External", and
# "Unknown" but any value may be used.
attributetype ( 2.16.840.1.113730.3.1.4
    NAME 'employeeType'
    DESC 'RFC2798: type of employment for a person'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# jpegPhoto
# Used to store one or more images of a person using the JPEG File
# Interchange Format [JFIF].
# Note that the jpegPhoto attribute type was defined for use in the
# Internet X.500 pilots but no referencable definition for it could be
# located.
attributetype ( 0.9.2342.19200300.100.1.60
    NAME 'jpegPhoto'
    DESC 'RFC2798: a JPEG image'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 )

# preferredLanguage
# Used to indicate an individual's preferred written or spoken
# language.  This is useful for international correspondence or human-
# computer interaction.  Values for this attribute type MUST conform to
# the definition of the Accept-Language header field defined in
# [RFC2068] with one exception:  the sequence "Accept-Language" ":"
# should be omitted.  This is a single valued attribute type.
attributetype ( 2.16.840.1.113730.3.1.39
    NAME 'preferredLanguage'
    DESC 'RFC2798: preferred written or spoken language for a person'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# userSMIMECertificate
# A PKCS#7 [RFC2315] SignedData, where the content that is signed is
# ignored by consumers of userSMIMECertificate values.  It is
# recommended that values have a `contentType' of data with an absent
# `content' field.  Values of this attribute contain a person's entire
# certificate chain and an smimeCapabilities field [RFC2633] that at a
# minimum describes their SMIME algorithm capabilities.  Values for
# this attribute are to be stored and requested in binary form, as
# 'userSMIMECertificate;binary'.  If available, this attribute is
# preferred over the userCertificate attribute for S/MIME applications.
## OpenLDAP note: ";binary" transfer should NOT be used as syntax is binary
attributetype ( 2.16.840.1.113730.3.1.40
    NAME 'userSMIMECertificate'
    DESC 'RFC2798: PKCS#7 SignedData used to support S/MIME'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

# userPKCS12
# PKCS #12 [PKCS12] provides a format for exchange of personal identity
# information.  When such information is stored in a directory service,
# the userPKCS12 attribute should be used.  This attribute is to be stored
# and requested in binary form, as 'userPKCS12;binary'.  The attribute
# values are PFX PDUs stored as binary data.
## OpenLDAP note: ";binary" transfer should NOT be used as syntax is binary
attributetype ( 2.16.840.1.113730.3.1.216
    NAME 'userPKCS12'
    DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )


# inetOrgPerson
# The inetOrgPerson represents people who are associated with an
# organization in some way.  It is a structural class and is derived
# from the organizationalPerson which is defined in X.521 [X521].
objectclass ( 2.16.840.1.113730.3.2.2
    NAME 'inetOrgPerson'
    DESC 'RFC2798: Internet Organizational Person'
    SUP organizationalPerson
    STRUCTURAL
    MAY (
        audio $ businessCategory $ carLicense $ departmentNumber $
        displayName $ employeeNumber $ employeeType $ givenName $
        homePhone $ homePostalAddress $ initials $ jpegPhoto $
        labeledURI $ mail $ manager $ mobile $ o $ pager $
        photo $ roomNumber $ secretary $ uid $ userCertificate $
        x500uniqueIdentifier $ preferredLanguage $
        userSMIMECertificate $ userPKCS12 $ proxyAddresses $
        department $ company $ mailNickname )
    )
--------------------------------------------------------------------------------
/schema/java.schema:
--------------------------------------------------------------------------------
# java.schema -- Java Object Schema
# $OpenLDAP$
## This work is part of OpenLDAP Software .
##
## Copyright 1998-2014 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## .
#
# Java Object Schema (defined in RFC 2713)
#   depends upon core.schema
#

# Network Working Group                                          V. Ryan
# Request for Comments: 2713                                 S. Seligman
# Category: Informational                                         R. Lee
#                                                 Sun Microsystems, Inc.
#                                                           October 1999
#
#
#      Schema for Representing Java(tm) Objects in an LDAP Directory
#
# Status of this Memo
#
#    This memo provides information for the Internet community.  It does
#    not specify an Internet standard of any kind.  Distribution of this
#    memo is unlimited.
#
# Copyright Notice
#
#    Copyright (C) The Internet Society (1999).  All Rights Reserved.
#
# Abstract
#
#    This document defines the schema for representing Java(tm) objects in
#    an LDAP directory [LDAPv3].  It defines schema elements to represent
#    a Java serialized object [Serial], a Java marshalled object [RMI], a
#    Java remote object [RMI], and a JNDI reference [JNDI].
#

# [trimmed]

# 3 Attribute Type Definitions
#
#    The following attribute types are defined in this document:
#
#        javaClassName
#        javaClassNames
#        javaCodebase
#        javaSerializedData
#        javaFactory
#        javaReferenceAddress
#        javaDoc
#
# 3.1 javaClassName
#
#    This attribute stores the fully qualified name of the Java object's
#    "distinguished" class or interface (for example, "java.lang.String").
#    It is a single-valued attribute.  This attribute's syntax is '
#    Directory String' and its case is significant.
#
#    ( 1.3.6.1.4.1.42.2.27.4.1.6
#      NAME 'javaClassName'
#      DESC 'Fully qualified name of distinguished Java class or
#            interface'
#      EQUALITY caseExactMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
#      SINGLE-VALUE
#    )
#
attributetype ( 1.3.6.1.4.1.42.2.27.4.1.6
    NAME 'javaClassName'
    DESC 'Fully qualified name of distinguished Java class or interface'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# 3.2 javaCodebase
#
#    This attribute stores the Java class definition's locations.  It
#    specifies the locations from which to load the class definition for
#    the class specified by the javaClassName attribute.  Each value of
#    the attribute contains an ordered list of URLs, separated by spaces.
#    For example, a value of "url1 url2 url3" means that the three
#    (possibly interdependent) URLs (url1, url2, and url3) form the
#    codebase for loading in the Java class definition.
#
#    If the javaCodebase attribute contains more than one value, each
#    value is an independent codebase.  That is, there is no relationship
#    between the URLs in one value and those in another; each value can be
#    viewed as an alternate source for loading the Java class definition.
#    See [Java] for information regarding class loading.
#
#    This attribute's syntax is 'IA5 String' and its case is significant.
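javaCodebase tells a JNDI client where to fetch class definitions from, so from the directory operator's side the useful check is which origins the stored values actually point at. The following Python is an added example, not code from OpenLDAP or RFC 2713: it parses values with the layout described in 3.2 (one value is an ordered, space-separated list of URLs forming a single codebase; distinct values are independent alternatives) and reports every URL whose origin is not on an allowlist. The function names, the allowlist and the sample entry are constructed for the example.

```python
"""Audit javaCodebase values against an allowlist of class-definition origins.

Example added for this page; not from OpenLDAP or RFC 2713. The value layout
follows section 3.2 above. The allowlist and the sample entry are constructed.
"""
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit


def parse_codebases(values: Iterable[str]) -> List[List[str]]:
    """Each attribute value becomes one ordered list of URLs (one codebase)."""
    return [value.split() for value in values]


def url_origin(url: str) -> str:
    """scheme://authority of a URL (e.g. 'https://repo.internal.example'), '' if no scheme."""
    parts = urlsplit(url)
    if not parts.scheme:
        return ""
    return f"{parts.scheme}://{parts.netloc}"


def codebase_violations(values: Iterable[str],
                        allowed_origins: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (value index, URL, reason) for each URL outside the allowlist.

    Every URL of every alternative codebase is checked, not only the first,
    because a consumer may fall back to any value and loads every URL in it.
    """
    allowed = {origin.lower() for origin in allowed_origins}
    findings: List[Tuple[int, str, str]] = []
    for index, urls in enumerate(parse_codebases(values)):
        for url in urls:
            origin = url_origin(url)
            if not origin:
                findings.append((index, url, "no URL scheme"))
            elif origin.lower() not in allowed:
                findings.append((index, url, f"origin {origin} not in allowlist"))
    return findings


def entry_is_clean(entry: dict, allowed_origins: Iterable[str]) -> bool:
    """Convenience check over an LDAP entry given as {attribute: [values]}."""
    return not codebase_violations(entry.get("javaCodebase", []), allowed_origins)


# Constructed sample: a javaNamingReference entry with two alternative codebases,
# the second of which points outside the allowed origin.
SAMPLE_ENTRY = {
    "objectClass": ["javaContainer", "javaNamingReference"],
    "cn": ["example-ref"],
    "javaClassName": ["com.example.Config"],
    "javaCodebase": [
        "https://repo.internal.example/lib/a.jar https://repo.internal.example/lib/b.jar",
        "http://mirror.example.net/lib/a.jar",
    ],
}
ALLOWED = ["https://repo.internal.example"]

if __name__ == "__main__":
    for index, url, reason in codebase_violations(SAMPLE_ENTRY["javaCodebase"], ALLOWED):
        print(f"javaCodebase[{index}] {url}: {reason}")
```

Matching on scheme plus authority rather than on a host substring is deliberate: a value with no scheme at all is reported separately, since how a consumer resolves it depends on the class loader and is not something the directory can reason about.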
#
#    ( 1.3.6.1.4.1.42.2.27.4.1.7
#      NAME 'javaCodebase'
#      DESC 'URL(s) specifying the location of class definition'
#      EQUALITY caseExactIA5Match
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
#    )
#
attributetype ( 1.3.6.1.4.1.42.2.27.4.1.7
    NAME 'javaCodebase'
    DESC 'URL(s) specifying the location of class definition'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# 3.3 javaClassNames
#
#    This attribute stores the Java object's fully qualified class or
#    interface names (for example, "java.lang.String").  It is a
#    multivalued attribute.  When more than one value is present, each is
#    the name of a class or interface, or ancestor class or interface, of
#    this object.
#
#    This attribute's syntax is 'Directory String' and its case is
#    significant.
#
#    ( 1.3.6.1.4.1.42.2.27.4.1.13
#      NAME 'javaClassNames'
#      DESC 'Fully qualified Java class or interface name'
#      EQUALITY caseExactMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
#    )
#
#
attributetype ( 1.3.6.1.4.1.42.2.27.4.1.13
    NAME 'javaClassNames'
    DESC 'Fully qualified Java class or interface name'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# 3.4 javaSerializedData
#
#    This attribute stores the serialized form of a Java object.  The
#    serialized form is described in [Serial].
#
#    This attribute's syntax is 'Octet String'.
#
#    ( 1.3.6.1.4.1.42.2.27.4.1.8
#      NAME 'javaSerializedData'
#      DESC 'Serialized form of a Java object'
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
#      SINGLE-VALUE
#    )
#
attributetype ( 1.3.6.1.4.1.42.2.27.4.1.8
    NAME 'javaSerializedData'
    DESC 'Serialized form of a Java object'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
    SINGLE-VALUE )

# 3.5 javaFactory
#
#    This attribute stores the fully qualified class name of the object
#    factory (for example, "com.wiz.jndi.WizObjectFactory") that can be
#    used to create an instance of the object identified by the
#    javaClassName attribute.
#
#    This attribute's syntax is 'Directory String' and its case is
#    significant.
#
#    ( 1.3.6.1.4.1.42.2.27.4.1.10
#      NAME 'javaFactory'
#      DESC 'Fully qualified Java class name of a JNDI object factory'
#      EQUALITY caseExactMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
#      SINGLE-VALUE
#    )
#
attributetype ( 1.3.6.1.4.1.42.2.27.4.1.10
    NAME 'javaFactory'
    DESC 'Fully qualified Java class name of a JNDI object factory'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# 3.6 javaReferenceAddress
#
#    This attribute represents the sequence of addresses of a JNDI
#    reference.  Each of its values represents one address, a Java object
#    of type javax.naming.RefAddr.  Its value is a concatenation of the
#    address type and address contents, preceded by a sequence number (the
#    order of addresses in a JNDI reference is significant).  For example:
#
#        #0#TypeA#ValA
#        #1#TypeB#ValB
#        #2#TypeC##rO0ABXNyABpq...
#
#    In more detail, the value is encoded as follows:
#
#    The delimiter is the first character of the value.  For readability
#    the character '#' is recommended when it is not otherwise used
#    anywhere in the value, but any character may be used subject to
#    restrictions given below.
#
#    The first delimiter is followed by the sequence number.  The sequence
#    number of an address is its position in the JNDI reference, with the
#    first address being numbered 0.  It is represented by its shortest
#    string form, in decimal notation.
#
#    The sequence number is followed by a delimiter, then by the address
#    type, and then by another delimiter.  If the address is of Java class
#    javax.naming.StringRefAddr, then this delimiter is followed by the
#    value of the address contents (which is a string).  Otherwise, this
#    delimiter is followed immediately by another delimiter, and then by
#    the Base64 encoding of the serialized form of the entire address.
#
#    The delimiter may be any character other than a digit or a character
#    contained in the address type.  In addition, if the address contents
#    is a string, the delimiter may not be the first character of that
#    string.
#
#    This attribute's syntax is 'Directory String' and its case is
#    significant.  It can contain multiple values.
#
#    ( 1.3.6.1.4.1.42.2.27.4.1.11
#      NAME 'javaReferenceAddress'
#      DESC 'Addresses associated with a JNDI Reference'
#      EQUALITY caseExactMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
#    )
#
attributetype ( 1.3.6.1.4.1.42.2.27.4.1.11
    NAME 'javaReferenceAddress'
    DESC 'Addresses associated with a JNDI Reference'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# 3.7 javaDoc
#
#    This attribute stores a pointer to the Java documentation for the
#    class.  Its value is a URL.  For example, the following URL points to
#    the specification of the java.lang.String class:
#    http://java.sun.com/products/jdk/1.2/docs/api/java/lang/String.html
#
#    This attribute's syntax is 'IA5 String' and its case is significant.
#
#    ( 1.3.6.1.4.1.42.2.27.4.1.12
#      NAME 'javaDoc'
#      DESC 'The Java documentation for the class'
#      EQUALITY caseExactIA5Match
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
#    )
#
attributetype ( 1.3.6.1.4.1.42.2.27.4.1.12
    NAME 'javaDoc'
    DESC 'The Java documentation for the class'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# 4 Object Class Definitions
#
#    The following object classes are defined in this document:
#
#        javaContainer
#        javaObject
#        javaSerializedObject
#        javaMarshalledObject
#        javaNamingReference
#
# 4.1 javaContainer
#
#    This structural object class represents a container for a Java
#    object.
#
#    ( 1.3.6.1.4.1.42.2.27.4.2.1
#      NAME 'javaContainer'
#      DESC 'Container for a Java object'
#      SUP top
#      STRUCTURAL
#      MUST ( cn )
#    )
#
objectclass ( 1.3.6.1.4.1.42.2.27.4.2.1
    NAME 'javaContainer'
    DESC 'Container for a Java object'
    SUP top
    STRUCTURAL
    MUST cn )

# 4.2 javaObject
#
#    This abstract object class represents a Java object.  A javaObject
#    cannot exist in the directory; only auxiliary or structural
#    subclasses of it can exist in the directory.
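Before the object classes, the javaReferenceAddress encoding described in 3.6 above, worked through in Python. This is an added example, not code from OpenLDAP or RFC 2713: the parser applies the delimiter, sequence-number and Base64 rules given in the text, the encoder enforces the same restrictions when producing a value, and ordered_addresses reassembles one reference's addresses in sequence order and rejects gaps or duplicates. The names are mine; the sample values are the three from the text, with the truncated Base64 of the third replaced by a constructed short string that decodes to a Java serialization stream header.

```python
"""Parse and produce javaReferenceAddress values as encoded in section 3.6 above.

Example added for this page; it is not code from OpenLDAP or RFC 2713. The
encoding rules come from the schema comment, the class and function names are
mine, and the sample values used in the tests are constructed.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Sequence, Union

# Header every Java serialization stream starts with (STREAM_MAGIC, STREAM_VERSION).
JAVA_STREAM_HEADER = b"\xac\xed\x00\x05"


@dataclass(frozen=True)
class RefAddr:
    seq: int                      # position in the JNDI reference, starting at 0
    addr_type: str
    content: Union[str, bytes]    # str for StringRefAddr, decoded bytes otherwise

    @property
    def is_binary(self) -> bool:
        return isinstance(self.content, bytes)


def parse_ref_addr(value: str) -> RefAddr:
    """Decode one attribute value; raises ValueError for anything off-spec."""
    if len(value) < 2:
        raise ValueError("value too short")
    delim = value[0]
    if delim.isdigit():
        raise ValueError("delimiter may not be a digit")
    # Only the two delimiters after the sequence number are structural; later
    # occurrences may legitimately be part of string contents, hence maxsplit=2.
    parts = value[1:].split(delim, 2)
    if len(parts) != 3:
        raise ValueError("expected <delim>seq<delim>type<delim>contents")
    seq_text, addr_type, rest = parts
    if not re.fullmatch(r"0|[1-9][0-9]*", seq_text):     # shortest decimal form only
        raise ValueError(f"bad sequence number {seq_text!r}")
    if rest.startswith(delim):
        # Non-string address: one more delimiter, then Base64 of the serialized RefAddr.
        try:
            payload = base64.b64decode(rest[1:], validate=True)
        except ValueError as exc:          # binascii.Error is a ValueError subclass
            raise ValueError(f"bad Base64 in binary address: {exc}") from exc
        return RefAddr(int(seq_text), addr_type, payload)
    return RefAddr(int(seq_text), addr_type, rest)


def format_ref_addr(addr: RefAddr, delim: str = "#") -> str:
    """Encode a RefAddr, enforcing the delimiter restrictions given in the text."""
    if len(delim) != 1 or delim.isdigit():
        raise ValueError("delimiter must be a single non-digit character")
    if delim in addr.addr_type:
        raise ValueError("delimiter may not occur in the address type")
    if addr.seq < 0:
        raise ValueError("sequence number must not be negative")
    head = f"{delim}{addr.seq}{delim}{addr.addr_type}{delim}"
    if addr.is_binary:
        return head + delim + base64.b64encode(addr.content).decode("ascii")
    if addr.content.startswith(delim):
        raise ValueError("delimiter may not be the first character of string contents")
    return head + addr.content


def ordered_addresses(values: Sequence[str]) -> List[RefAddr]:
    """All addresses of one reference in sequence order; numbers must be 0..n-1."""
    addrs = sorted((parse_ref_addr(v) for v in values), key=lambda a: a.seq)
    if [a.seq for a in addrs] != list(range(len(addrs))):
        raise ValueError("sequence numbers are not contiguous from 0")
    return addrs


def carries_serialized_object(addr: RefAddr) -> bool:
    """True for a binary address whose payload starts with the Java stream header."""
    return addr.is_binary and addr.content.startswith(JAVA_STREAM_HEADER)


def is_malformed(value: str) -> bool:
    """True when parse_ref_addr rejects the value."""
    try:
        parse_ref_addr(value)
    except ValueError:
        return True
    return False
```

The split with maxsplit=2 is the whole trick of the format: the text allows the delimiter to reappear inside string contents (anywhere except the first character), so a parser that splits on every delimiter would corrupt values such as a URL containing '#'. The stream-header check is there because the text says a binary address is the serialized form of the whole RefAddr; a binary address that does not start with that header is worth a second look during an audit.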
#
#    ( 1.3.6.1.4.1.42.2.27.4.2.4
#      NAME 'javaObject'
#      DESC 'Java object representation'
#      SUP top
#      ABSTRACT
#      MUST ( javaClassName )
#      MAY ( javaClassNames $
#            javaCodebase $
#            javaDoc $
#            description )
#    )
#
objectclass ( 1.3.6.1.4.1.42.2.27.4.2.4
    NAME 'javaObject'
    DESC 'Java object representation'
    SUP top
    ABSTRACT
    MUST javaClassName
    MAY ( javaClassNames $ javaCodebase $
        javaDoc $ description ) )

# 4.3 javaSerializedObject
#
#    This auxiliary object class represents a Java serialized object.  It
#    must be mixed in with a structural object class.
#
#    ( 1.3.6.1.4.1.42.2.27.4.2.5
#      NAME 'javaSerializedObject'
#      DESC 'Java serialized object'
#      SUP javaObject
#      AUXILIARY
#      MUST ( javaSerializedData )
#    )
#
objectclass ( 1.3.6.1.4.1.42.2.27.4.2.5
    NAME 'javaSerializedObject'
    DESC 'Java serialized object'
    SUP javaObject
    AUXILIARY
    MUST javaSerializedData )

# 4.4 javaMarshalledObject
#
#    This auxiliary object class represents a Java marshalled object.  It
#    must be mixed in with a structural object class.
#
#    ( 1.3.6.1.4.1.42.2.27.4.2.8
#      NAME 'javaMarshalledObject'
#      DESC 'Java marshalled object'
#      SUP javaObject
#      AUXILIARY
#      MUST ( javaSerializedData )
#    )
#
objectclass ( 1.3.6.1.4.1.42.2.27.4.2.8
    NAME 'javaMarshalledObject'
    DESC 'Java marshalled object'
    SUP javaObject
    AUXILIARY
    MUST javaSerializedData )

# 4.5 javaNamingReference
#
#    This auxiliary object class represents a JNDI reference.  It must be
#    mixed in with a structural object class.
#
# ( 1.3.6.1.4.1.42.2.27.4.2.7
#   NAME 'javaNamingReference'
#   DESC 'JNDI reference'
#   SUP javaObject
#   AUXILIARY
#   MAY ( javaReferenceAddress $
#         javaFactory )
# )
#
objectclass ( 1.3.6.1.4.1.42.2.27.4.2.7
	NAME 'javaNamingReference'
	DESC 'JNDI reference'
	SUP javaObject
	AUXILIARY
	MAY ( javaReferenceAddress $ javaFactory ) )

# Full Copyright Statement
#
# Copyright (C) The Internet Society (1999). All Rights Reserved.
#
# This document and translations of it may be copied and furnished to
# others, and derivative works that comment on or otherwise explain it
# or assist in its implementation may be prepared, copied, published
# and distributed, in whole or in part, without restriction of any
# kind, provided that the above copyright notice and this paragraph are
# included on all such copies and derivative works. However, this
# document itself may not be modified in any way, such as by removing
# the copyright notice or references to the Internet Society or other
# Internet organizations, except as needed for the purpose of
# developing Internet standards in which case the procedures for
# copyrights defined in the Internet Standards process must be
# followed, or as required to translate it into languages other than
# English.
#
# The limited permissions granted above are perpetual and will not be
# revoked by the Internet Society or its successors or assigns.
#
# This document and the information contained herein is provided on an
# "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
# TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
# BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
# HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
# MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

--------------------------------------------------------------------------------
/schema/microsoftattributetypestd.schema:
--------------------------------------------------------------------------------
#####################################################

#attributetype ( 2.5.4.0
#	NAME 'objectClass'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.38'
#	)

#attributetype ( 2.5.4.2
#	NAME 'knowledgeInformation'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.44' )

#attributetype ( 2.5.4.3
#	NAME 'cn'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
#	SINGLE-VALUE )

#attributetype ( 2.5.4.4
#	NAME 'sn'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
#	SINGLE-VALUE )

#attributetype ( 2.5.4.5
#	NAME 'serialNumber'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.44' )

#attributetype ( 2.5.4.6
#	NAME 'c'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
#	SINGLE-VALUE )

#attributetype ( 2.5.4.7
#	NAME 'l'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
#	SINGLE-VALUE )

#attributetype ( 2.5.4.8
#	NAME 'st'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
#	SINGLE-VALUE )

#attributetype ( 2.5.4.9
#	NAME 'street'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
#	SINGLE-VALUE )

#attributetype ( 2.5.4.10
#	NAME 'o'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

#attributetype ( 2.5.4.11
#	NAME 'ou'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

#attributetype (
#	2.5.4.12
#	NAME 'title'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
#	SINGLE-VALUE )

#attributetype ( 2.5.4.13
#	NAME 'description'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

#attributetype ( 2.5.4.14
#	NAME 'searchGuide'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.40' )

#attributetype ( 2.5.4.15
#	NAME 'businessCategory'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

#attributetype ( 2.5.4.16
#	NAME 'postalAddress'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

#attributetype ( 2.5.4.17
#	NAME 'postalCode'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
#	SINGLE-VALUE )

#attributetype ( 2.5.4.18
#	NAME 'postOfficeBox'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

#attributetype ( 2.5.4.19
#	NAME 'physicalDeliveryOfficeName'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
#	SINGLE-VALUE )

#attributetype ( 2.5.4.20
#	NAME 'telephoneNumber'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
#	SINGLE-VALUE )

#attributetype ( 2.5.4.21
#	NAME 'telexNumber'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.40' )

#attributetype ( 2.5.4.22
#	NAME 'teletexTerminalIdentifier'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.40' )

#attributetype ( 2.5.4.23
#	NAME 'facsimileTelephoneNumber'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
#	SINGLE-VALUE )

#attributetype ( 2.5.4.24
#	NAME 'x121Address'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.36' )

#attributetype ( 2.5.4.25
#	NAME 'internationalISDNNumber'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.36' )

#attributetype ( 2.5.4.26
#	NAME 'registeredAddress'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.40' )

#attributetype ( 2.5.4.27
#	NAME 'destinationIndicator'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.44' )

#attributetype ( 2.5.4.28
#	NAME
#	'preferredDeliveryMethod'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' )

#attributetype ( 2.5.4.29
#	NAME 'presentationAddress'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.43'
#	SINGLE-VALUE )

#attributetype ( 2.5.4.30
#	NAME 'supportedApplicationContext'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.40' )

#attributetype ( 2.5.4.31
#	NAME 'member'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' )

#attributetype ( 2.5.4.32
#	NAME 'owner'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.12'
#	SINGLE-VALUE )

#attributetype ( 2.5.4.33
#	NAME 'roleOccupant'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' )

#attributetype ( 2.5.4.34
#	NAME 'seeAlso'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' )

#attributetype ( 2.5.4.35
#	NAME 'userPassword'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.40' )

#attributetype ( 2.5.4.36
#	NAME 'userCertificate'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.40' )

#attributetype ( 2.5.4.37
#	NAME 'cACertificate'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.40' )

#attributetype ( 2.5.4.38
#	NAME 'authorityRevocationList'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.40' )

#attributetype ( 2.5.4.39
#	NAME 'certificateRevocationList'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.40'
#	SINGLE-VALUE )

#attributetype ( 2.5.4.40
#	NAME 'crossCertificatePair'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.40' )

#attributetype ( 2.5.4.42
#	NAME 'givenName'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
#	SINGLE-VALUE )

#attributetype ( 2.5.4.43
#	NAME 'initials'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
#	SINGLE-VALUE )

#attributetype ( 2.5.4.44
#	NAME 'generationQualifier'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
#	SINGLE-VALUE )

#attributetype (
#	2.5.4.49
#	NAME 'distinguishedName'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.12'
#	SINGLE-VALUE
#	)

#attributetype ( 2.5.4.53
#	NAME 'deltaRevocationList'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.40' )

#attributetype ( 2.5.18.1
#	NAME 'createTimeStamp'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.24'
#	SINGLE-VALUE
#	)

#attributetype ( 2.5.18.2
#	NAME 'modifyTimeStamp'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.24'
#	SINGLE-VALUE
#	)

#attributetype ( 2.5.18.10
#	NAME 'subSchemaSubEntry'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.12'
#	)

#attributetype ( 2.5.21.2
#	NAME 'dITContentRules'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
#	)

#attributetype ( 2.5.21.5
#	NAME 'attributeTypes'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
#	)

#attributetype ( 2.5.21.6
#	NAME 'objectClasses'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
#	)

# Clash with OpenLdap: 2.16.840.1.113730.3.1.34 NAME 'ref'
attributetype ( 2.16.840.1.113730.3.1.34.0
	NAME 'middleName'
	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
	SINGLE-VALUE )

attributetype ( 2.16.840.1.113730.3.1.35
	NAME 'thumbnailPhoto'
	SYNTAX '1.3.6.1.4.1.1466.115.121.1.40'
	SINGLE-VALUE )

attributetype ( 2.16.840.1.113730.3.1.36
	NAME 'thumbnailLogo'
	SYNTAX '1.3.6.1.4.1.1466.115.121.1.40'
	SINGLE-VALUE )

#attributetype ( 2.16.840.1.113730.3.140
#	NAME 'userSMIMECertificate'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.40' )

#####################################################

#attributetype ( 0.9.2342.19200300.100.1.2
#	NAME 'textEncodedORAddress'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
#	SINGLE-VALUE )

#attributetype ( 0.9.2342.19200300.100.1.3
#	NAME 'mail'
#	SYNTAX
#	'1.3.6.1.4.1.1466.115.121.1.15'
#	SINGLE-VALUE )

#attributetype ( 0.9.2342.19200300.100.1.10
#	NAME 'manager'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.12'
#	SINGLE-VALUE )
#
# Moved to microsoftattributetypestd.schema to satisfy
# organizationalPerson objectclass
#
# 9.3.10. Manager
#
# The Manager attribute type specifies the manager of an object
# represented by an entry.
#
#     manager ATTRIBUTE
#         WITH ATTRIBUTE-SYNTAX
#             distinguishedNameSyntax
#     ::= {pilotAttributeType 10}
#
attributetype ( 0.9.2342.19200300.100.1.10 NAME 'manager'
	DESC 'RFC1274: DN of manager'
	EQUALITY distinguishedNameMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

# Moved to microsoftattributetypestd.schema to satisfy
# organizationalPerson objectclass
#
# 9.3.16. Home Telephone Number
#
# The Home Telephone Number attribute type specifies a home telephone
# number associated with a person. Attribute values should follow the
# agreed format for international telephone numbers: i.e., "+44 71 123
# 4567".
#
#     homeTelephoneNumber ATTRIBUTE
#         WITH ATTRIBUTE-SYNTAX
#             telephoneNumberSyntax
#     ::= {pilotAttributeType 20}
#
#attributetype ( 0.9.2342.19200300.100.1.20
#	NAME ( 'homePhone' 'homeTelephoneNumber' )
#	DESC 'RFC1274: home telephone number'
#	EQUALITY telephoneNumberMatch
#	SUBSTR telephoneNumberSubstringsMatch
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
#
#
# MS 0.9.2342.19200300.100.1.20 can contain any kind of string
attributetype ( 0.9.2342.19200300.100.1.20
	NAME ( 'homePhone' 'homeTelephoneNumber' )
	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
	SINGLE-VALUE )

#attributetype ( 0.9.2342.19200300.100.1.25
#	NAME 'dc'
#	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
#	SINGLE-VALUE )

# Moved to microsoftattributetypestd.schema to satisfy
# organizationalPerson objectclass
#
# 9.3.31. Mobile Telephone Number
#
# The Mobile Telephone Number attribute type specifies a mobile
# telephone number associated with a person. Attribute values should
# follow the agreed format for international telephone numbers: i.e.,
# "+44 71 123 4567".
#
#     mobileTelephoneNumber ATTRIBUTE
#         WITH ATTRIBUTE-SYNTAX
#             telephoneNumberSyntax
#     ::= {pilotAttributeType 41}
#
#attributetype ( 0.9.2342.19200300.100.1.41
#	NAME ( 'mobile' 'mobileTelephoneNumber' )
#	DESC 'RFC1274: mobile telephone number'
#	EQUALITY telephoneNumberMatch
#	SUBSTR telephoneNumberSubstringsMatch
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
#
#
# MS 0.9.2342.19200300.100.1.41 can contain any kind of string
attributetype ( 0.9.2342.19200300.100.1.41
	NAME ( 'mobile' 'mobileTelephoneNumber' )
	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
	SINGLE-VALUE )


# Moved to microsoftattributetypestd.schema to satisfy
# organizationalPerson objectclass
#
# 9.3.32. Pager Telephone Number
#
# The Pager Telephone Number attribute type specifies a pager telephone
# number for an object. Attribute values should follow the agreed
# format for international telephone numbers: i.e., "+44 71 123 4567".
#
#     pagerTelephoneNumber ATTRIBUTE
#         WITH ATTRIBUTE-SYNTAX
#             telephoneNumberSyntax
#     ::= {pilotAttributeType 42}
#
#attributetype ( 0.9.2342.19200300.100.1.42
#	NAME ( 'pager' 'pagerTelephoneNumber' )
#	DESC 'RFC1274: pager telephone number'
#	EQUALITY telephoneNumberMatch
#	SUBSTR telephoneNumberSubstringsMatch
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
#
#
# MS 0.9.2342.19200300.100.1.42 can contain any kind of string
attributetype ( 0.9.2342.19200300.100.1.42
	NAME ( 'pager' 'pagerTelephoneNumber' )
	SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
	SINGLE-VALUE )


--------------------------------------------------------------------------------
/schema/microsoftobjectclass.schema:
--------------------------------------------------------------------------------
objectclass ( 1.2.840.113556.1.3.23
	NAME 'container'
	SUP 'top'
	STRUCTURAL
	MUST ( cn )
	MAY ( schemaVersion $ defaultClassStore )
	)

objectclass ( 1.2.840.113556.1.5.67
	NAME 'domainDNS'
	SUP domain
	STRUCTURAL
	MAY (managedBy $ msDS-AllowedDNSSuffixes $ msDS-Behavior-Version $ msDS-EnabledFeature $ msDS-USNLastSyncSuccess $ msExchPolicyList ) )

objectclass ( 1.2.840.113556.1.5.8
	NAME 'group'
	SUP top
	STRUCTURAL
	MUST ( groupType )
	MAY ( adminCount $ controlAccessRights $ dLMemberRule $ desktopProfile $ groupAttributes $ groupMembershipSAM $ hideDLMembership $
		location $ mail $ managedBy $ member $ msDS-AzApplicationData $ msDS-AzBizRule $ msDS-AzBizRuleLanguage $ msDS-AzGenericData $
		msDS-AzLDAPQuery $ msDS-AzLastImportedBizRulePath $ msDS-AzObjectGuid $ msDS-HABSeniorityIndex $ msDS-NonMembers $ msDS-PhoneticDisplayName $
		msExchArbitrationMailbox $ msExchCoManagedByLink $ msExchGroupDepartRestriction $ msExchGroupJoinRestriction $ msExchMasterAccountHistory $
		msExchOriginatingForest $
		msExchServerAdminDelegationBL $ msOrg-GroupSubtypeName $ msOrg-IsOrganizational $ msOrg-Leaders $
		msOrg-OtherDisplayNames $ msSFU30Name $ msSFU30NisDomain $ msSFU30PosixMember $ nTGroupMembers $ nonSecurityMember $ oOFReplyToOriginator $
		operatorCount $ owner $ primaryGroupToken $ reportToOriginator $ reportToOwner $ thumbnailPhoto
	) )

objectclass ( 1.2.840.113556.1.5.15
	NAME 'contact'
	SUP organizationalPerson
	STRUCTURAL
	MUST ( cn )
	MAY ( msDS-SourceObjectDN $ msExchMasterAccountHistory $ msExchOriginatingForest $ notes
	) )

#---

# mstop is the new root objectclass for all MS entries.
# The original OpenLdap top objectclass cannot be modified as
# it is hardcoded in the OpenLdap source code.
# The OID must be changed as well as the name, since reusing
# the OID of top causes an OID clash.
#
# The data entries must be converted to use 'mstop' instead of 'top'
objectclass ( 666.666.666.666.666.666.1
	NAME 'mstop'
	SUP top
	AUXILIARY
	MUST (objectClass $ instanceType $ objectCategory )
	MAY (cn $ description $ distinguishedName $ whenCreated $
		whenChanged $ subRefs $ displayName $ uSNCreated $ isDeleted $
		dSASignature $ objectVersion $ repsTo $ repsFrom $ memberOf $
		uSNChanged $ uSNLastObjRem $ showInAdvancedViewOnly $
		adminDisplayName $ proxyAddresses $ adminDescription $
		extensionName $ uSNDSALastObjRemoved $ displayNamePrintable $
		directReports $ wWWHomePage $ USNIntersite $ name $ objectGUID $
		replPropertyMetaData $ replUpToDateVector $ flags $ revision $
		wbemPath $ fSMORoleOwner $ systemFlags $ siteObjectBL $
		serverReferenceBL $ nonSecurityMemberBL $ queryPolicyBL $
		wellKnownObjects $ isPrivilegeHolder $ partialAttributeSet $
		managedObjects $ partialAttributeDeletionList $ url $
		lastKnownParent $ bridgeheadServerListBL $ netbootSCPBL $
		isCriticalSystemObject $ frsComputerReferenceBL $
		fRSMemberReferenceBL $ uSNSource $
		fromEntry $
		allowedChildClasses $ allowedChildClassesEffective $
		allowedAttributes $ allowedAttributesEffective $
		possibleInferiors $ canonicalName $ proxiedObjectName $
		sDRightsEffective $ dSCorePropagationData $
		otherWellKnownObjects $ mS-DS-ConsistencyGuid $
		mS-DS-ConsistencyChildCount $ nTSecurityDescriptor $ masteredBy ) )

objectclass ( 1.2.840.113556.1.5.9
	NAME 'user'
	SUP organizationalPerson
	STRUCTURAL
	MAY (userCertificate $ networkAddress $ userAccountControl $
		badPwdCount $ codePage $ homeDirectory $ homeDrive $
		badPasswordTime $ lastLogoff $ lastLogon $ dBCSPwd $
		localeID $ scriptPath $ logonHours $ logonWorkstation $
		maxStorage $ userWorkstations $ unicodePwd $
		otherLoginWorkstations $ ntPwdHistory $ pwdLastSet $
		preferredOU $ primaryGroupID $ userParameters $
		profilePath $ operatorCount $ adminCount $ accountExpires $
		lmPwdHistory $ groupMembershipSAM $ logonCount $
		controlAccessRights $ defaultClassStore $ groupsToIgnore $
		groupPriority $ desktopProfile $ dynamicLDAPServer $
		userPrincipalName $ lockoutTime $ userSharedFolder $
		userSharedFolderOther $ servicePrincipalName $
		aCSPolicyName $ terminalServer $ mSMQSignCertificates $
		mSMQDigests $ mSMQDigestsMig $ mSMQSignCertificatesMig $
		msNPAllowDialin $ msNPCallingStationID $
		msNPSavedCallingStationID $ msRADIUSCallbackNumber $
		msRADIUSFramedIPAddress $ msRADIUSFramedRoute $
		msRADIUSServiceType $ msRASSavedCallbackNumber $
		msRASSavedFramedIPAddress $ msRASSavedFramedRoute $
		mS-DS-CreatorSID
	) )

#---

# Custom user objectclass containing all Microsoft attributes
# used by Active Directory user
objectclass ( 666.666.666.666.666.666.2
	NAME 'customActiveDirectoryUser'
	SUP user
	STRUCTURAL
	MUST (objectSid $ sAMAccountName $ sAMAccountType
	)
	MAY (homeMTA $ homeMDB $ mDBUseDefaults
		$ msExchSafeSendersHash $ msExchMobileMailboxFlags $ msExchObjectsDeletedThisPeriod $
		legacyExchangeDN $ lastLogonTimestamp $ internetEncoding $ protocolSettings $ garbageCollPeriod $ altRecipientBL $
		textEncodedORAddress $ msExchUMEnabledFlags2 $ msExchUserCulture $ msExchMDBRulesQuota $ msExchUMDtmfMap $ authOrigBL $
		msExchHomeServerName $ msExchProvisioningFlags $ msExchTransportRecipientSettingsFlags $ msExchModerationFlags $
		msExchMailboxSecurityDescriptor $ msExchDumpsterWarningQuota $ msExchDumpsterQuota $ msExchArchiveWarnQuota $ msExchArchiveQuota $
		msExchUserAccountControl $ msExchMailboxAuditLogAgeLimit $ msExchMailboxAuditEnable $ msExchBypassAudit $ msExchAddressBookFlags $
		msExchALObjectVersion $ msExchMailboxMoveBatchName $ msExchMailboxMoveFlags $ msExchMailboxMoveStatus $
		msExchMailboxMoveTargetMDBLink $ msExchBlockedSendersHash $ msExchPoliciesExcluded $ msExchPoliciesIncluded $
		msExchTextMessagingState $ msExchDelegateListBL $ altRecipient $ msExchHideFromAddressLists $
		msExchOmaAdminWirelessEnable $ showInAddressBook $ msExchShadowProxyAddresses $ msExchCoManagedObjectsBL $
		extensionAttribute1 $ mDBOverQuotaLimit $ msDS-SupportedEncryptionTypes $ mDBOverHardQuotaLimit $
		mDBStorageQuota $ msExchSafeRecipientsHash $ msExchBypassModerationBL $ msExchShadowMailNickname $
		publicDelegates $ publicDelegatesBL $ msExchLastExchangeChangedTime $ msExchShadowGivenName $
		msExchMailboxGuid $ msExchRecipientDisplayType $ msExchShadowManagerLink $ msExchRequireAuthToSendTo $
		msExchRBACPolicyLink $ msExchVersion $ msExchRecipientTypeDetails $ msExchWhenMailboxCreated $
		extensionAttribute10 $ msExchMasterAccountSid $ securityProtocol $ dLMemDefault $ delivContLength $
		extensionAttribute2 $ extensionAttribute3 $ extensionAttribute4 $ extensionAttribute5 $ extensionAttribute6 $
		extensionAttribute7 $ extensionAttribute8 $ extensionAttribute9 $ mAPIRecipient $
		msExchADCGlobalNames $
		msExchAssistantName $ replicatedObjectVersion $ replicationSignature $ submissionContLength $ telephoneAssistant $
		msExchShadowDisplayName $ msExchShadowSn $ deliverAndRedirect $ msExchDelegateListLink $ deletedItemFlags $
		msExchShadowCompany $ msExchShadowDepartment $ msExchShadowTitle $ msExchShadowPhysicalDeliveryOfficeName $
		msTSExpireDate $ msTSLicenseVersion $ msTSManagingLS $ msExchShadowCountryCode $ autoReplyMessage $ msExchELCMailboxFlags $
		msExchShadowInitials $ msExchShadowMobile $ msExchModeratedObjectsBL $ msExchUserBL $ msExchMailboxTemplateLink $
		msExchIMACL $ msExchIMAddress $ msExchIMMetaPhysicalURL $ msExchIMPhysicalURL $ msExchIMVirtualServer $
		msExchMobileMailboxPolicyLink $ msExchMailboxMoveSourceMDBLink $ apple-mcxsettings $ msExchResourceDisplay $
		msExchResourceMetaData $ msExchResourceSearchProperties $ msExchRemoteRecipientType $ targetAddress $
		msExchMailboxMoveRemoteHostName $ msExchMobileAllowedDeviceIDs $ msExchSharingPartnerIdentities
	) )

# Support for ExchangeActiveSyncDevices entries (sub-entry of customActiveDirectoryUser/user)
objectclass ( 666.666.666.666.666.666.3
	NAME 'exchangeActiveSyncDevices'
	SUP top
	STRUCTURAL
	MUST (msExchVersion
	)
	MAY ( cn $ msExchObjectsDeletedThisPeriod
	) )

objectclass ( 666.666.666.666.666.666.4
	NAME 'customActiveDirectoryUserTemplate'
	SUP user
	STRUCTURAL
	MUST (objectSid $ sAMAccountName $ sAMAccountType
	)
	MAY ( msDS-SupportedEncryptionTypes $ msExchUserAccountControl $ legacyExchangeDN $ msExchALObjectVersion $ msExchPoliciesIncluded $
		textEncodedORAddress
	) )

# Fake object class simulating attributes used by 'group' entries coming from
# inetOrgPerson
objectclass ( 666.666.666.666.666.666.5
	NAME 'inetOrgGroup'
	SUP group
	STRUCTURAL
	MAY (
		audio $
		businessCategory $ carLicense $ departmentNumber $
		displayName $ employeeNumber $ employeeType $ givenName $
		homePhone $ homePostalAddress $ initials $ jpegPhoto $
		labeledURI $ mail $ manager $ mobile $ o $ pager $
		photo $ roomNumber $ secretary $ uid $ userCertificate $
		x500uniqueIdentifier $ preferredLanguage $
		userSMIMECertificate $ userPKCS12 $ proxyAddresses $
		department $ company $ mailNickname )
	)

# Fake object class simulating attributes used by 'group' entries coming from
# organizationalPerson
objectclass ( 666.666.666.666.666.666.6
	NAME 'organizationalGroup'
	SUP inetOrgGroup
	STRUCTURAL
	MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $
		preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
		telephoneNumber $ internationaliSDNNumber $
		facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
		postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l $ c $ co $ info $ mailNickname $
		o $ internationalISDNNumber $ givenName $ initials $ generationQualifier $
		otherTelephone $ otherPager $ department $ company $ streetAddress $ otherHomePhone $
		personalTitle $ homePostalAddress $ countryCode $ employeeID $ comment $ division $
		otherFacsimileTelephoneNumber $ otherMobile $ primaryTelexNumber $
		primaryInternationalISDNNumber $ mhsORAddress $ otherMailbox $ assistant $
		ipPhone $ otherIpPhone $ mail $ manager $ homePhone $ mobile $ pager $ middleName $
		thumbnailPhoto $ thumbnailLogo
	) )

# Custom group objectclass containing all Microsoft attributes
# used by Active Directory group
objectclass ( 666.666.666.666.666.666.7
	NAME 'customActiveDirectoryGroup'
	SUP organizationalGroup
	STRUCTURAL
	MUST (objectSid $ sAMAccountName $ sAMAccountType
	)
	MAY (homeMTA $ homeMDB $ mDBUseDefaults $ msExchSafeSendersHash $
		msExchMobileMailboxFlags $ msExchObjectsDeletedThisPeriod $
		legacyExchangeDN $ lastLogonTimestamp $ internetEncoding $ protocolSettings $ garbageCollPeriod $ altRecipientBL $
		textEncodedORAddress $ msExchUMEnabledFlags2 $ msExchUserCulture $ msExchMDBRulesQuota $ msExchUMDtmfMap $ authOrigBL $
		msExchHomeServerName $ msExchProvisioningFlags $ msExchTransportRecipientSettingsFlags $ msExchModerationFlags $
		msExchMailboxSecurityDescriptor $ msExchDumpsterWarningQuota $ msExchDumpsterQuota $ msExchArchiveWarnQuota $ msExchArchiveQuota $
		msExchUserAccountControl $ msExchMailboxAuditLogAgeLimit $ msExchMailboxAuditEnable $ msExchBypassAudit $ msExchAddressBookFlags $
		msExchALObjectVersion $ msExchMailboxMoveBatchName $ msExchMailboxMoveFlags $ msExchMailboxMoveStatus $
		msExchMailboxMoveTargetMDBLink $ msExchBlockedSendersHash $ msExchPoliciesExcluded $ msExchPoliciesIncluded $
		msExchTextMessagingState $ msExchDelegateListBL $ altRecipient $ msExchHideFromAddressLists $
		msExchOmaAdminWirelessEnable $ showInAddressBook $ msExchShadowProxyAddresses $ msExchCoManagedObjectsBL $
		extensionAttribute1 $ mDBOverQuotaLimit $ msDS-SupportedEncryptionTypes $ mDBOverHardQuotaLimit $
		mDBStorageQuota $ msExchSafeRecipientsHash $ msExchBypassModerationBL $ msExchShadowMailNickname $
		publicDelegates $ publicDelegatesBL $ msExchLastExchangeChangedTime $ msExchShadowGivenName $
		msExchMailboxGuid $ msExchRecipientDisplayType $ msExchShadowManagerLink $ msExchRequireAuthToSendTo $
		msExchRBACPolicyLink $ msExchVersion $ msExchRecipientTypeDetails $ msExchWhenMailboxCreated $
		extensionAttribute10 $ msExchMasterAccountSid $ securityProtocol $ dLMemDefault $ delivContLength $
		extensionAttribute2 $ extensionAttribute3 $ extensionAttribute4 $ extensionAttribute5 $ extensionAttribute6 $
		extensionAttribute7 $ extensionAttribute8 $ extensionAttribute9 $ mAPIRecipient $ msExchADCGlobalNames $
		msExchAssistantName $ replicatedObjectVersion $ replicationSignature $ submissionContLength $ telephoneAssistant $
		msExchShadowDisplayName $ msExchShadowSn $ deliverAndRedirect $ msExchDelegateListLink $ deletedItemFlags $
		msExchShadowCompany $ msExchShadowDepartment $ msExchShadowTitle $ msExchShadowPhysicalDeliveryOfficeName $
		msTSExpireDate $ msTSLicenseVersion $ msTSManagingLS $ msExchShadowCountryCode $ autoReplyMessage $ msExchELCMailboxFlags $
		msExchShadowInitials $ msExchShadowMobile $ msExchModeratedObjectsBL $ msExchUserBL $ dLMemSubmitPerms $ authOrig $
		dLMemSubmitPermsBL $ msExchBypassModerationLink $ msExchEnableModeration $ msExchModeratedByLink $ msExchSenderHintTranslations $
		msExchExpansionServerName $ unmergedAtts
	) )

# Custom contact objectclass containing all Microsoft attributes
# used by Active Directory contact
objectclass ( 666.666.666.666.666.666.8
	NAME 'customActiveDirectoryContact'
	SUP contact
	STRUCTURAL
	MAY ( DUP-labeledURI-e20b3d32-5a2b-4f6c-84c0-65c94ba52437 $ DUP-secretary-00efea41-cee1-4f20-b9c3-a2a93ec60616 $
		altRecipient $ altRecipientBL $ assistant $ authOrig $ authOrigBL $ autoReplyMessage $ company $ dLMemDefault $
		dLMemRejectPerms $ dLMemRejectPermsBL $ dLMemSubmitPerms $ dLMemSubmitPermsBL $ delivContLength $ delivExtContTypes $
		deliverAndRedirect $ deliveryMechanism $ department $ dnQualifier $ enabledProtocols $ expirationTime $ extensionData $
		folderPathname $ formData $ forwardingAddress $ garbageCollPeriod $ homeMTA $ importedFrom $ info $ internetEncoding $
		language $ languageCode $ legacyExchangeDN $ mAPIRecipient $ mail $ mailNickname $ msDS-HABSeniorityIndex $
		msDS-PhoneticDisplayName $ msExchAddressBookFlags $ msExchAggregationSubscriptionCredential $ msExchArbitrationMailbox $
		msExchAssistantName $ msExchAuditAdmin $ msExchAuditDelegate $ msExchAuditDelegateAdmin $ msExchAuditOwner $
		msExchBlockedSendersHash $ msExchBypassAudit $ msExchBypassModerationBL $ msExchBypassModerationFromDLMembersBL $
		msExchBypassModerationFromDLMembersLink $ msExchBypassModerationLink $ msExchCalculatedTargetAddress $
		msExchCalendarRepairDisabled $ msExchCapabilityIdentifiers $ msExchCoManagedObjectsBL $ msExchCustomProxyAddresses $
		msExchDirsyncID $ msExchDirsyncSourceObjectClass $ msExchEdgeSyncRetryCount $ msExchEnableModeration $
		msExchEwsApplicationAccessPolicy $ msExchEwsEnabled $ msExchEwsExceptions $ msExchEwsWellKnownApplicationPolicies $
		msExchExpansionServerName $ msExchExternalSyncState $ msExchFBURL $ msExchForeignGroupSID $ msExchGenericForwardingAddress $
		msExchHABShowInDepartments $ msExchImmutableId $ msExchIntendedMailboxPlanLink $ msExchInterruptUserOnAuditFailure $
		msExchLabeledURI $ msExchLicenseToken $ msExchLitigationHoldDate $ msExchLitigationHoldOwner $ msExchMailboxAuditEnable $
		msExchMailboxAuditLastAdminAccess $ msExchMailboxAuditLastDelegateAccess $ msExchMailboxAuditLastExternalAccess $
		msExchMailboxAuditLogAgeLimit $ msExchMailboxFolderSet $ msExchMailboxFolderSet2 $ msExchMailboxMoveBatchName $
		msExchMailboxMoveFlags $ msExchMailboxMoveRemoteHostName $ msExchMailboxMoveSourceArchiveMDBLink $
		msExchMailboxMoveSourceMDBLink $ msExchMailboxMoveStatus $ msExchMailboxMoveTargetArchiveMDBLink $
		msExchMailboxMoveTargetMDBLink $ msExchMailboxPlanType $ msExchMailboxSecurityDescriptor $ msExchMasterAccountSid $
		msExchMessageHygieneFlags $ msExchMessageHygieneSCLDeleteThreshold $ msExchMessageHygieneSCLJunkThreshold $
		msExchMessageHygieneSCLQuarantineThreshold $ msExchMessageHygieneSCLRejectThreshold $ msExchModeratedByLink $
		msExchModeratedObjectsBL $ msExchModerationFlags $ msExchOWAPolicy $ msExchObjectID $ msExchParentPlanLink $
		msExchPartnerGroupID $ msExchPoliciesExcluded $ msExchPoliciesIncluded $ msExchPolicyEnabled $ msExchPolicyOptionList
		$
		msExchPreviousAccountSid $ msExchProvisioningFlags $ msExchProxyCustomProxy $ msExchRBACPolicyLink $
		msExchRMSComputerAccountsLink $ msExchRecipLimit $ msExchRecipientDisplayType $ msExchRecipientTypeDetails $
		msExchRemoteRecipientType $ msExchRequireAuthToSendTo $ msExchResourceCapacity $ msExchResourceDisplay $
		msExchResourceMetaData $ msExchResourceSearchProperties $ msExchRetentionComment $ msExchRetentionURL $
		msExchSafeRecipientsHash $ msExchSafeSendersHash $ msExchSendAsAddresses $ msExchSenderHintTranslations $
		msExchSharingAnonymousIdentities $ msExchSharingPartnerIdentities $ msExchSharingPolicyLink $ msExchSignupAddresses $
		msExchSupervisionDLLink $ msExchSupervisionOneOffLink $ msExchSupervisionUserLink $ msExchSyncAccountsPolicyDN $
		msExchTextMessagingState $ msExchThrottlingPolicyDN $ msExchTransportRecipientSettingsFlags $ msExchUCVoiceMailSettings $
		msExchUMAddresses $ msExchUMCallingLineIDs $ msExchUMDtmfMap $ msExchUMListInDirectorySearch $ msExchUMRecipientDialPlanLink $
		msExchUMSpokenName $ msExchUsageLocation $ msExchUserAccountControl $ msExchWhenMailboxCreated $ msExchWindowsLiveID $
		pOPCharacterSet $ pOPContentFormat $ protocolSettings $ publicDelegates $ publicDelegatesBL $ replicationSensitivity $
		securityProtocol $ showInAddressBook $ submissionContLength $ targetAddress $ telephoneNumber $ textEncodedORAddress $
		unauthOrig $ unauthOrigBL $ userCert $ userCertificate $ userSMIMECertificate $ versionNumber $
		msExchVersion $ msExchALObjectVersion $ msExchHideFromAddressLists $ msExchADCGlobalNames $ replicatedObjectVersion $
		replicationSignature
	) )

# Custom computer objectclass representing computer account
objectclass ( 1.2.840.113556.1.3.30
	NAME 'computer'
	SUP customActiveDirectoryUser
	STRUCTURAL
	MAY ( catalogs $ cn $ dNSHostName $ defaultLocalPolicyObject $ localPolicyFlags $ location $
logRolloverInterval $ 284 | machineRole $ managedBy $ monitoredConfigurations $ monitoredServices $ monitoringAvailabilityStyle $ 285 | monitoringAvailabilityWindow $ monitoringCachedViaMail $ monitoringCachedViaRPC $ monitoringMailUpdateInterval $ 286 | monitoringMailUpdateUnits $ monitoringRPCUpdateInterval $ monitoringRPCUpdateUnits $ msDS-AdditionalDnsHostName $ 287 | msDS-AdditionalSamAccountName $ msDS-AuthenticatedAtDC $ msDS-ExecuteScriptPassword $ msDS-HostServiceAccount $ 288 | msDS-IsUserCachableAtRodc $ msDS-KrbTgtLink $ msDS-NeverRevealGroup $ msDS-PromotionSettings $ msDS-RevealOnDemandGroup $ 289 | msDS-RevealedList $ msDS-RevealedUsers $ msDS-SiteName $ msDS-isGC $ msDS-isRODC $ msExchExchangeServerLink $ 290 | msExchPolicyList $ msExchPolicyOptionList $ msSFU30Aliases $ msSFU30Name $ msSFU30NisDomain $ msTPM-OwnerInformation $ 291 | msTSEndpointData $ msTSEndpointPlugin $ msTSEndpointType $ msTSPrimaryDesktopBL $ msTSProperty01 $ msTSProperty02 $ 292 | msTSSecondaryDesktopBL $ netbootGUID $ netbootInitialization $ netbootMachineFilePath $ netbootMirrorDataFile $ 293 | netbootSIFFile $ networkAddress $ nisMapName $ operatingSystem $ operatingSystemHotfix $ operatingSystemServicePack $ 294 | operatingSystemVersion $ physicalLocationObject $ policyReplicationFlags $ promoExpiration $ rIDSetReferences $ 295 | securityProtocol $ siteGUID $ trackingLogPathName $ type $ volumeCount 296 | ) ) 297 | 298 | 299 | -------------------------------------------------------------------------------- /schema/misc.schema: -------------------------------------------------------------------------------- 1 | # misc.schema -- assorted schema definitions 2 | # $OpenLDAP$ 3 | ## This work is part of OpenLDAP Software . 4 | ## 5 | ## Copyright 1998-2014 The OpenLDAP Foundation. 6 | ## All rights reserved. 
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## .
#
# Assorted definitions from several sources, including
# ''works in progress''. Contents of this file are
# subject to change (including deletion) without notice.
#
# Not recommended for production use!
# Use with extreme caution!

#-----------------------------------------------------------
# draft-lachman-laser-ldap-mail-routing-02.txt !!!EXPIRED!!!
# (a work in progress)
#
attributetype ( 2.16.840.1.113730.3.1.13
        NAME 'mailLocalAddress'
        DESC 'RFC822 email address of this recipient'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 2.16.840.1.113730.3.1.18
        NAME 'mailHost'
        DESC 'FQDN of the SMTP/MTA of this recipient'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
        SINGLE-VALUE )

attributetype ( 2.16.840.1.113730.3.1.47
        NAME 'mailRoutingAddress'
        DESC 'RFC822 routing address of this recipient'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
        SINGLE-VALUE )

# I-D leaves this OID TBD.
# iPlanet uses 2.16.840.1.113.730.3.2.147 but that is an
# improperly delegated OID.  A typo is likely.
objectclass ( 2.16.840.1.113730.3.2.147
        NAME 'inetLocalMailRecipient'
        DESC 'Internet local mail recipient'
        SUP top AUXILIARY
        MAY ( mailLocalAddress $ mailHost $ mailRoutingAddress ) )

#-----------------------------------------------------------
# draft-srivastava-ldap-mail-00.txt !!!EXPIRED!!!
# (a work in progress)
#
attributetype ( 1.3.6.1.4.1.42.2.27.2.1.15
        NAME 'rfc822MailMember'
        DESC 'rfc822 mail address of group member(s)'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

#-----------------------------------------------------------
# !!!no I-D!!!
# (a work in progress)
#
objectclass ( 1.3.6.1.4.1.42.2.27.1.2.5
        NAME 'nisMailAlias'
        DESC 'NIS mail alias'
        SUP top STRUCTURAL
        MUST cn
        MAY rfc822MailMember )

--------------------------------------------------------------------------------
/schema/nis.schema:
--------------------------------------------------------------------------------
# $OpenLDAP$
## This work is part of OpenLDAP Software .
##
## Copyright 1998-2014 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## .

# Definitions from RFC2307 (Experimental)
#	An Approach for Using LDAP as a Network Information Service

# Depends upon core.schema and cosine.schema

# Note: The definitions in RFC2307 are given in syntaxes closely related
# to those in RFC2252, however, some liberties are taken that are not
# supported by RFC2252.  This file has been written following RFC2252
# strictly.

# OID Base is iso(1) org(3) dod(6) internet(1) directory(1) nisSchema(1).
# i.e. nisSchema in RFC2307 is 1.3.6.1.1.1
#
# Syntaxes are under 1.3.6.1.1.1.0 (two new syntaxes are defined)
#	validaters for these syntaxes are incomplete, they only
#	implement printable string validation (which is good as the
#	common use of these syntaxes violates the specification).
# Attribute types are under 1.3.6.1.1.1.1
# Object classes are under 1.3.6.1.1.1.2

# Attribute Type Definitions

# builtin
#attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
#	DESC 'An integer uniquely identifying a user in an administrative domain'
#	EQUALITY integerMatch
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# builtin
#attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber'
#	DESC 'An integer uniquely identifying a group in an administrative domain'
#	EQUALITY integerMatch
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.2 NAME 'gecos'
	DESC 'The GECOS field; the common name'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
	DESC 'The absolute path to the home directory'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.4 NAME 'loginShell'
	DESC 'The path to the login shell'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.6 NAME 'shadowMin'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.7 NAME 'shadowMax'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
	EQUALITY caseExactIA5Match
	SUBSTR caseExactIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup'
	EQUALITY caseExactIA5Match
	SUBSTR caseExactIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
	DESC 'Netgroup triple'
	SYNTAX 1.3.6.1.1.1.0.0 )

attributetype ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol'
	SUP name )

attributetype ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber'
	DESC 'IP address'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

attributetype ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber'
	DESC 'IP network'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber'
	DESC 'IP netmask'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.22 NAME 'macAddress'
	DESC 'MAC address'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

attributetype ( 1.3.6.1.1.1.1.23 NAME 'bootParameter'
	DESC 'rpc.bootparamd parameter'
	SYNTAX 1.3.6.1.1.1.0.1 )

attributetype ( 1.3.6.1.1.1.1.24 NAME 'bootFile'
	DESC 'Boot image name'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.1.1.1.26 NAME 'nisMapName'
	SUP name )

attributetype ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry'
	EQUALITY caseExactIA5Match
	SUBSTR caseExactIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024} SINGLE-VALUE )

# Object Class Definitions

objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount'
	DESC 'Abstraction of an account with POSIX attributes'
	SUP top AUXILIARY
	MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
	MAY ( userPassword $ loginShell $ gecos $ description ) )

objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount'
	DESC 'Additional attributes for shadow passwords'
	SUP top AUXILIARY
	MUST uid
	MAY ( userPassword $ shadowLastChange $ shadowMin $
	      shadowMax $ shadowWarning $ shadowInactive $
	      shadowExpire $ shadowFlag $ description ) )

objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
	DESC 'Abstraction of a group of accounts'
	SUP top STRUCTURAL
	MUST ( cn $ gidNumber )
	MAY ( userPassword $ memberUid $ description ) )

objectclass ( 1.3.6.1.1.1.2.3 NAME 'ipService'
	DESC 'Abstraction of an Internet Protocol service'
	SUP top STRUCTURAL
	MUST ( cn $ ipServicePort $ ipServiceProtocol )
	MAY ( description ) )

objectclass ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol'
	DESC 'Abstraction of an IP protocol'
	SUP top STRUCTURAL
	MUST ( cn $ ipProtocolNumber $ description )
	MAY description )

objectclass ( 1.3.6.1.1.1.2.5 NAME 'oncRpc'
	DESC 'Abstraction of an ONC/RPC binding'
	SUP top STRUCTURAL
	MUST ( cn $ oncRpcNumber $ description )
	MAY description )

objectclass ( 1.3.6.1.1.1.2.6 NAME 'ipHost'
	DESC 'Abstraction of a host, an IP device'
	SUP top AUXILIARY
	MUST ( cn $ ipHostNumber )
	MAY ( l $ description $ manager ) )

objectclass ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork'
	DESC 'Abstraction of an IP network'
	SUP top STRUCTURAL
	MUST ( cn $ ipNetworkNumber )
	MAY ( ipNetmaskNumber $ l $ description $ manager ) )

objectclass ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup'
	DESC 'Abstraction of a netgroup'
	SUP top STRUCTURAL
	MUST cn
	MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )

objectclass ( 1.3.6.1.1.1.2.9 NAME 'nisMap'
	DESC 'A generic abstraction of a NIS map'
	SUP top STRUCTURAL
	MUST nisMapName
	MAY description )

objectclass ( 1.3.6.1.1.1.2.10 NAME 'nisObject'
	DESC 'An entry in a NIS map'
	SUP top STRUCTURAL
	MUST ( cn $ nisMapEntry $ nisMapName )
	MAY description )

objectclass ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device'
	DESC 'A device with a MAC address'
	SUP top AUXILIARY
	MAY macAddress )

objectclass ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice'
	DESC 'A device with boot parameters'
	SUP top AUXILIARY
	MAY ( bootFile $ bootParameter ) )

--------------------------------------------------------------------------------
/schema/openldap.schema:
--------------------------------------------------------------------------------
# $OpenLDAP$
## This work is part of OpenLDAP Software .
##
## Copyright 1998-2014 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## .

#
# OpenLDAP Project's directory schema items
#
# depends upon:
#	core.schema
#	cosine.schema
#	inetorgperson.schema
#
# These are provided for informational purposes only.

objectIdentifier OpenLDAProot 1.3.6.1.4.1.4203

objectIdentifier OpenLDAP OpenLDAProot:1
objectIdentifier OpenLDAPattributeType OpenLDAP:3
objectIdentifier OpenLDAPobjectClass OpenLDAP:4

objectClass ( OpenLDAPobjectClass:3
	NAME 'OpenLDAPorg'
	DESC 'OpenLDAP Organizational Object'
	SUP organization
	MAY ( buildingName $ displayName $ labeledURI ) )

objectClass ( OpenLDAPobjectClass:4
	NAME 'OpenLDAPou'
	DESC 'OpenLDAP Organizational Unit Object'
	SUP organizationalUnit
	MAY ( buildingName $ displayName $ labeledURI $ o ) )

objectClass ( OpenLDAPobjectClass:5
	NAME 'OpenLDAPperson'
	DESC 'OpenLDAP Person'
	SUP ( pilotPerson $ inetOrgPerson )
	MUST ( uid $ cn )
	MAY ( givenName $ labeledURI $ o ) )

objectClass ( OpenLDAPobjectClass:6
	NAME 'OpenLDAPdisplayableObject'
	DESC 'OpenLDAP Displayable Object'
	AUXILIARY
	MAY displayName )

--------------------------------------------------------------------------------
/schema/pmi.schema:
--------------------------------------------------------------------------------
# OpenLDAP X.509 PMI schema
# $OpenLDAP$
## This work is part of OpenLDAP Software .
##
## Copyright 1998-2014 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## .
#
## Portions Copyright (C) The Internet Society (1997-2006).
## All Rights Reserved.
##
## This document and translations of it may be copied and furnished to
## others, and derivative works that comment on or otherwise explain it
## or assist in its implementation may be prepared, copied, published
## and distributed, in whole or in part, without restriction of any
## kind, provided that the above copyright notice and this paragraph are
## included on all such copies and derivative works.  However, this
## document itself may not be modified in any way, such as by removing
## the copyright notice or references to the Internet Society or other
## Internet organizations, except as needed for the purpose of
## developing Internet standards in which case the procedures for
## copyrights defined in the Internet Standards process must be
## followed, or as required to translate it into languages other than
## English.
##
## The limited permissions granted above are perpetual and will not be
## revoked by the Internet Society or its successors or assigns.
##
## This document and the information contained herein is provided on an
## "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
## TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
## BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
## HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
## MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

#
#
# Includes LDAPv3 schema items from:
#	ITU X.509 (08/2005)
#
## X.509 (08/2005) pp. 120-121
##
## -- object identifier assignments --
## -- object classes --
## id-oc-pmiUser OBJECT IDENTIFIER ::= {id-oc 24}
## id-oc-pmiAA OBJECT IDENTIFIER ::= {id-oc 25}
## id-oc-pmiSOA OBJECT IDENTIFIER ::= {id-oc 26}
## id-oc-attCertCRLDistributionPts OBJECT IDENTIFIER ::= {id-oc 27}
## id-oc-privilegePolicy OBJECT IDENTIFIER ::= {id-oc 32}
## id-oc-pmiDelegationPath OBJECT IDENTIFIER ::= {id-oc 33}
## id-oc-protectedPrivilegePolicy OBJECT IDENTIFIER ::= {id-oc 34}
## -- directory attributes --
## id-at-attributeCertificate OBJECT IDENTIFIER ::= {id-at 58}
## id-at-attributeCertificateRevocationList OBJECT IDENTIFIER ::= {id-at 59}
## id-at-aACertificate OBJECT IDENTIFIER ::= {id-at 61}
## id-at-attributeDescriptorCertificate OBJECT IDENTIFIER ::= {id-at 62}
## id-at-attributeAuthorityRevocationList OBJECT IDENTIFIER ::= {id-at 63}
## id-at-privPolicy OBJECT IDENTIFIER ::= {id-at 71}
## id-at-role OBJECT IDENTIFIER ::= {id-at 72}
## id-at-delegationPath OBJECT IDENTIFIER ::= {id-at 73}
## id-at-protPrivPolicy OBJECT IDENTIFIER ::= {id-at 74}
## id-at-xMLPrivilegeInfo OBJECT IDENTIFIER ::= {id-at 75}
## id-at-xMLPprotPrivPolicy OBJECT IDENTIFIER ::= {id-at 76}
## -- attribute certificate extensions --
## id-ce-authorityAttributeIdentifier OBJECT IDENTIFIER ::= {id-ce 38}
## id-ce-roleSpecCertIdentifier OBJECT IDENTIFIER ::= {id-ce 39}
## id-ce-basicAttConstraints OBJECT IDENTIFIER ::= {id-ce 41}
## id-ce-delegatedNameConstraints OBJECT IDENTIFIER ::= {id-ce 42}
## id-ce-timeSpecification OBJECT IDENTIFIER ::= {id-ce 43}
## id-ce-attributeDescriptor OBJECT IDENTIFIER ::= {id-ce 48}
## id-ce-userNotice OBJECT IDENTIFIER ::= {id-ce 49}
## id-ce-sOAIdentifier OBJECT IDENTIFIER ::= {id-ce 50}
## id-ce-acceptableCertPolicies OBJECT IDENTIFIER ::= {id-ce 52}
## id-ce-targetInformation OBJECT IDENTIFIER ::= {id-ce 55}
## id-ce-noRevAvail OBJECT IDENTIFIER ::= {id-ce 56}
## id-ce-acceptablePrivilegePolicies OBJECT IDENTIFIER ::= {id-ce 57}
## id-ce-indirectIssuer OBJECT IDENTIFIER ::= {id-ce 61}
## id-ce-noAssertion OBJECT IDENTIFIER ::= {id-ce 62}
## id-ce-issuedOnBehalfOf OBJECT IDENTIFIER ::= {id-ce 64}
## -- PMI matching rules --
## id-mr-attributeCertificateMatch OBJECT IDENTIFIER ::= {id-mr 42}
## id-mr-attributeCertificateExactMatch OBJECT IDENTIFIER ::= {id-mr 45}
## id-mr-holderIssuerMatch OBJECT IDENTIFIER ::= {id-mr 46}
## id-mr-authAttIdMatch OBJECT IDENTIFIER ::= {id-mr 53}
## id-mr-roleSpecCertIdMatch OBJECT IDENTIFIER ::= {id-mr 54}
## id-mr-basicAttConstraintsMatch OBJECT IDENTIFIER ::= {id-mr 55}
## id-mr-delegatedNameConstraintsMatch OBJECT IDENTIFIER ::= {id-mr 56}
## id-mr-timeSpecMatch OBJECT IDENTIFIER ::= {id-mr 57}
## id-mr-attDescriptorMatch OBJECT IDENTIFIER ::= {id-mr 58}
## id-mr-acceptableCertPoliciesMatch OBJECT IDENTIFIER ::= {id-mr 59}
## id-mr-delegationPathMatch OBJECT IDENTIFIER ::= {id-mr 61}
## id-mr-sOAIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 66}
## id-mr-indirectIssuerMatch OBJECT IDENTIFIER ::= {id-mr 67}
##
##
## X.509 (08/2005) pp. 71, 86-89
##
## 14.4.1 Role attribute
## role ATTRIBUTE ::= {
##	WITH SYNTAX RoleSyntax
##	ID id-at-role }
## RoleSyntax ::= SEQUENCE {
##	roleAuthority [0] GeneralNames OPTIONAL,
##	roleName [1] GeneralName }
##
## 14.5 XML privilege information attribute
## xmlPrivilegeInfo ATTRIBUTE ::= {
##	WITH SYNTAX UTF8String -- contains XML-encoded privilege information
##	ID id-at-xMLPrivilegeInfo }
##
## 17.1 PMI directory object classes
##
## 17.1.1 PMI user object class
## pmiUser OBJECT-CLASS ::= {
##	-- a PMI user (i.e., a "holder")
##	SUBCLASS OF {top}
##	KIND auxiliary
##	MAY CONTAIN {attributeCertificateAttribute}
##	ID id-oc-pmiUser }
##
## 17.1.2 PMI AA object class
## pmiAA OBJECT-CLASS ::= {
##	-- a PMI AA
##	SUBCLASS OF {top}
##	KIND auxiliary
##	MAY CONTAIN {aACertificate |
##		attributeCertificateRevocationList |
##		attributeAuthorityRevocationList}
##	ID id-oc-pmiAA }
##
## 17.1.3 PMI SOA object class
## pmiSOA OBJECT-CLASS ::= { -- a PMI Source of Authority
##	SUBCLASS OF {top}
##	KIND auxiliary
##	MAY CONTAIN {attributeCertificateRevocationList |
##		attributeAuthorityRevocationList |
##		attributeDescriptorCertificate}
##	ID id-oc-pmiSOA }
##
## 17.1.4 Attribute certificate CRL distribution point object class
## attCertCRLDistributionPt OBJECT-CLASS ::= {
##	SUBCLASS OF {top}
##	KIND auxiliary
##	MAY CONTAIN { attributeCertificateRevocationList |
##		attributeAuthorityRevocationList }
##	ID id-oc-attCertCRLDistributionPts }
##
## 17.1.5 PMI delegation path
## pmiDelegationPath OBJECT-CLASS ::= {
##	SUBCLASS OF {top}
##	KIND auxiliary
##	MAY CONTAIN { delegationPath }
##	ID id-oc-pmiDelegationPath }
##
## 17.1.6 Privilege policy object class
## privilegePolicy OBJECT-CLASS ::= {
##	SUBCLASS OF {top}
##	KIND auxiliary
##	MAY CONTAIN {privPolicy }
##	ID id-oc-privilegePolicy }
##
## 17.1.7 Protected privilege policy object class
## protectedPrivilegePolicy OBJECT-CLASS ::= {
##	SUBCLASS OF {top}
##	KIND auxiliary
##	MAY CONTAIN {protPrivPolicy }
##	ID id-oc-protectedPrivilegePolicy }
##
## 17.2 PMI Directory attributes
##
## 17.2.1 Attribute certificate attribute
## attributeCertificateAttribute ATTRIBUTE ::= {
##	WITH SYNTAX AttributeCertificate
##	EQUALITY MATCHING RULE attributeCertificateExactMatch
##	ID id-at-attributeCertificate }
##
## 17.2.2 AA certificate attribute
## aACertificate ATTRIBUTE ::= {
##	WITH SYNTAX AttributeCertificate
##	EQUALITY MATCHING RULE attributeCertificateExactMatch
##	ID id-at-aACertificate }
##
## 17.2.3 Attribute descriptor certificate attribute
## attributeDescriptorCertificate ATTRIBUTE ::= {
##	WITH SYNTAX AttributeCertificate
##	EQUALITY MATCHING RULE attributeCertificateExactMatch
##	ID id-at-attributeDescriptorCertificate }
##
## 17.2.4 Attribute certificate revocation list attribute
## attributeCertificateRevocationList ATTRIBUTE ::= {
##	WITH SYNTAX CertificateList
##	EQUALITY MATCHING RULE certificateListExactMatch
##	ID id-at-attributeCertificateRevocationList}
##
## 17.2.5 AA certificate revocation list attribute
## attributeAuthorityRevocationList ATTRIBUTE ::= {
##	WITH SYNTAX CertificateList
##	EQUALITY MATCHING RULE certificateListExactMatch
##	ID id-at-attributeAuthorityRevocationList }
##
## 17.2.6 Delegation path attribute
## delegationPath ATTRIBUTE ::= {
##	WITH SYNTAX AttCertPath
##	ID id-at-delegationPath }
## AttCertPath ::= SEQUENCE OF AttributeCertificate
##
## 17.2.7 Privilege policy attribute
## privPolicy ATTRIBUTE ::= {
##	WITH SYNTAX PolicySyntax
##	ID id-at-privPolicy }
##
## 17.2.8 Protected privilege policy attribute
## protPrivPolicy ATTRIBUTE ::= {
##	WITH SYNTAX AttributeCertificate
##	EQUALITY MATCHING RULE attributeCertificateExactMatch
##	ID id-at-protPrivPolicy }
##
## 17.2.9 XML Protected privilege policy attribute
## xmlPrivPolicy ATTRIBUTE ::= {
##	WITH SYNTAX UTF8String -- contains XML-encoded privilege policy information
##	ID id-at-xMLPprotPrivPolicy }
##

## -- object identifier assignments --
## -- object classes --
objectidentifier id-oc-pmiUser 2.5.6.24
objectidentifier id-oc-pmiAA 2.5.6.25
objectidentifier id-oc-pmiSOA 2.5.6.26
objectidentifier id-oc-attCertCRLDistributionPts 2.5.6.27
objectidentifier id-oc-privilegePolicy 2.5.6.32
objectidentifier id-oc-pmiDelegationPath 2.5.6.33
objectidentifier id-oc-protectedPrivilegePolicy 2.5.6.34
## -- directory attributes --
objectidentifier id-at-attributeCertificate 2.5.4.58
objectidentifier id-at-attributeCertificateRevocationList 2.5.4.59
objectidentifier id-at-aACertificate 2.5.4.61
objectidentifier id-at-attributeDescriptorCertificate 2.5.4.62
objectidentifier id-at-attributeAuthorityRevocationList 2.5.4.63
objectidentifier id-at-privPolicy 2.5.4.71
objectidentifier id-at-role 2.5.4.72
objectidentifier id-at-delegationPath 2.5.4.73
objectidentifier id-at-protPrivPolicy 2.5.4.74
objectidentifier id-at-xMLPrivilegeInfo 2.5.4.75
objectidentifier id-at-xMLPprotPrivPolicy 2.5.4.76
## -- attribute certificate extensions --
## id-ce-authorityAttributeIdentifier OBJECT IDENTIFIER ::= {id-ce 38}
## id-ce-roleSpecCertIdentifier OBJECT IDENTIFIER ::= {id-ce 39}
## id-ce-basicAttConstraints OBJECT IDENTIFIER ::= {id-ce 41}
## id-ce-delegatedNameConstraints OBJECT IDENTIFIER ::= {id-ce 42}
## id-ce-timeSpecification OBJECT IDENTIFIER ::= {id-ce 43}
## id-ce-attributeDescriptor OBJECT IDENTIFIER ::= {id-ce 48}
## id-ce-userNotice OBJECT IDENTIFIER ::= {id-ce 49}
## id-ce-sOAIdentifier OBJECT IDENTIFIER ::= {id-ce 50}
## id-ce-acceptableCertPolicies OBJECT IDENTIFIER ::= {id-ce 52}
## id-ce-targetInformation OBJECT IDENTIFIER ::= {id-ce 55}
## id-ce-noRevAvail OBJECT IDENTIFIER ::= {id-ce 56}
## id-ce-acceptablePrivilegePolicies OBJECT IDENTIFIER ::= {id-ce 57}
## id-ce-indirectIssuer OBJECT IDENTIFIER ::= {id-ce 61}
## id-ce-noAssertion OBJECT IDENTIFIER ::= {id-ce 62}
## id-ce-issuedOnBehalfOf OBJECT IDENTIFIER ::= {id-ce 64}
## -- PMI matching rules --
objectidentifier id-mr 2.5.13
objectidentifier id-mr-attributeCertificateMatch id-mr:42
objectidentifier id-mr-attributeCertificateExactMatch id-mr:45
objectidentifier id-mr-holderIssuerMatch id-mr:46
objectidentifier id-mr-authAttIdMatch id-mr:53
objectidentifier id-mr-roleSpecCertIdMatch id-mr:54
objectidentifier id-mr-basicAttConstraintsMatch id-mr:55
objectidentifier id-mr-delegatedNameConstraintsMatch id-mr:56
objectidentifier id-mr-timeSpecMatch id-mr:57
objectidentifier id-mr-attDescriptorMatch id-mr:58
objectidentifier id-mr-acceptableCertPoliciesMatch id-mr:59
objectidentifier id-mr-delegationPathMatch id-mr:61
objectidentifier id-mr-sOAIdentifierMatch id-mr:66
objectidentifier id-mr-indirectIssuerMatch id-mr:67
## -- syntaxes --
## NOTE: 1.3.6.1.4.1.4203.666.11.10 is the oid arc assigned by OpenLDAP
## to this work in progress
objectidentifier AttributeCertificate 1.3.6.1.4.1.4203.666.11.10.2.1
objectidentifier CertificateList 1.3.6.1.4.1.1466.115.121.1.9
objectidentifier AttCertPath 1.3.6.1.4.1.4203.666.11.10.2.4
objectidentifier PolicySyntax 1.3.6.1.4.1.4203.666.11.10.2.5
objectidentifier RoleSyntax 1.3.6.1.4.1.4203.666.11.10.2.6
# NOTE: OIDs from (expired)
#objectidentifier AttributeCertificate 1.2.826.0.1.3344810.7.5
#objectidentifier AttCertPath 1.2.826.0.1.3344810.7.10
#objectidentifier PolicySyntax 1.2.826.0.1.3344810.7.17
#objectidentifier RoleSyntax 1.2.826.0.1.3344810.7.13
##
## Substitute syntaxes
##
## AttCertPath
ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.4
	NAME 'AttCertPath'
	DESC 'X.509 PMI attribute certificate path: SEQUENCE OF AttributeCertificate'
	X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
##
## PolicySyntax
ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.5
	NAME 'PolicySyntax'
	DESC 'X.509 PMI policy syntax'
	X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
##
## RoleSyntax
ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.6
	NAME 'RoleSyntax'
	DESC 'X.509 PMI role syntax'
	X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
##
## X.509 (08/2005) pp. 71, 86-89
##
## 14.4.1 Role attribute
attributeType ( id-at-role
	NAME 'role'
	DESC 'X.509 Role attribute, use ;binary'
	SYNTAX RoleSyntax )
##
## 14.5 XML privilege information attribute
## -- contains XML-encoded privilege information
attributeType ( id-at-xMLPrivilegeInfo
	NAME 'xmlPrivilegeInfo'
	DESC 'X.509 XML privilege information attribute'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
##
## 17.2 PMI Directory attributes
##
## 17.2.1 Attribute certificate attribute
attributeType ( id-at-attributeCertificate
	NAME 'attributeCertificateAttribute'
	DESC 'X.509 Attribute certificate attribute, use ;binary'
	SYNTAX AttributeCertificate
	EQUALITY attributeCertificateExactMatch )
##
## 17.2.2 AA certificate attribute
attributeType ( id-at-aACertificate
	NAME 'aACertificate'
	DESC 'X.509 AA certificate attribute, use ;binary'
	SYNTAX AttributeCertificate
	EQUALITY attributeCertificateExactMatch )
##
## 17.2.3 Attribute descriptor certificate attribute
attributeType ( id-at-attributeDescriptorCertificate
	NAME 'attributeDescriptorCertificate'
	DESC 'X.509 Attribute descriptor certificate attribute, use ;binary'
	SYNTAX AttributeCertificate
	EQUALITY attributeCertificateExactMatch )
##
## 17.2.4 Attribute certificate revocation list attribute
attributeType ( id-at-attributeCertificateRevocationList
	NAME 'attributeCertificateRevocationList'
	DESC 'X.509 Attribute certificate revocation list attribute, use ;binary'
	SYNTAX CertificateList
	X-EQUALITY 'certificateListExactMatch, not implemented yet' )
##
## 17.2.5 AA certificate revocation list attribute
attributeType ( id-at-attributeAuthorityRevocationList
	NAME 'attributeAuthorityRevocationList'
	DESC 'X.509 AA certificate revocation list attribute, use ;binary'
	SYNTAX CertificateList
	X-EQUALITY 'certificateListExactMatch, not implemented yet' )
##
## 17.2.6 Delegation path attribute
attributeType ( id-at-delegationPath
	NAME 'delegationPath'
	DESC 'X.509 Delegation path attribute, use ;binary'
	SYNTAX AttCertPath )
## AttCertPath ::= SEQUENCE OF AttributeCertificate
##
## 17.2.7 Privilege policy attribute
attributeType ( id-at-privPolicy
	NAME 'privPolicy'
	DESC 'X.509 Privilege policy attribute, use ;binary'
	SYNTAX PolicySyntax )
##
## 17.2.8 Protected privilege policy attribute
attributeType ( id-at-protPrivPolicy
	NAME 'protPrivPolicy'
	DESC 'X.509 Protected privilege policy attribute, use ;binary'
	SYNTAX AttributeCertificate
	EQUALITY attributeCertificateExactMatch )
##
## 17.2.9 XML Protected privilege policy attribute
## -- contains XML-encoded privilege policy information
attributeType ( id-at-xMLPprotPrivPolicy
	NAME 'xmlPrivPolicy'
	DESC 'X.509 XML Protected privilege policy attribute'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
##
## 17.1 PMI directory object classes
##
## 17.1.1 PMI user object class
## -- a PMI user (i.e., a "holder")
objectClass ( id-oc-pmiUser
	NAME 'pmiUser'
	DESC 'X.509 PMI user object class'
	SUP top
	AUXILIARY
	MAY ( attributeCertificateAttribute ) )
##
## 17.1.2 PMI AA object class
## -- a PMI AA
objectClass ( id-oc-pmiAA
	NAME 'pmiAA'
	DESC 'X.509 PMI AA object class'
	SUP top
	AUXILIARY
	MAY ( aACertificate $
		attributeCertificateRevocationList $
		attributeAuthorityRevocationList
	) )
##
## 17.1.3 PMI SOA object class
## -- a PMI Source of Authority
objectClass ( id-oc-pmiSOA
	NAME 'pmiSOA'
	DESC 'X.509 PMI SOA object class'
	SUP top
	AUXILIARY
	MAY ( attributeCertificateRevocationList $
		attributeAuthorityRevocationList $
		attributeDescriptorCertificate
	) )
##
## 17.1.4 Attribute certificate CRL distribution point object class
objectClass ( id-oc-attCertCRLDistributionPts
	NAME 'attCertCRLDistributionPt'
	DESC 'X.509 Attribute certificate CRL distribution point object class'
	SUP top
	AUXILIARY
	MAY ( attributeCertificateRevocationList $
		attributeAuthorityRevocationList
	) )
##
## 17.1.5 PMI delegation path
objectClass ( id-oc-pmiDelegationPath
	NAME 'pmiDelegationPath'
	DESC 'X.509 PMI delegation path'
	SUP top
	AUXILIARY
	MAY ( delegationPath ) )
##
## 17.1.6 Privilege policy object class
objectClass ( id-oc-privilegePolicy
	NAME 'privilegePolicy'
	DESC 'X.509 Privilege policy object class'
	SUP top
	AUXILIARY
	MAY ( privPolicy ) )
##
## 17.1.7 Protected privilege policy object class
objectClass ( id-oc-protectedPrivilegePolicy
	NAME 'protectedPrivilegePolicy'
	DESC 'X.509 Protected privilege policy object class'
	SUP top
	AUXILIARY
	MAY ( protPrivPolicy ) )

--------------------------------------------------------------------------------
/schema/ppolicy.schema:
--------------------------------------------------------------------------------
# $OpenLDAP$
## This work is part of OpenLDAP Software .
##
## Copyright 2004-2014 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## .
#
## Portions Copyright (C) The Internet Society (2004).
16 | ## Please see full copyright statement below. 17 | 18 | # Definitions from Draft behera-ldap-password-policy-07 (a work in progress) 19 | # Password Policy for LDAP Directories 20 | # With extensions from Hewlett-Packard: 21 | # pwdCheckModule etc. 22 | 23 | # Contents of this file are subject to change (including deletion) 24 | # without notice. 25 | # 26 | # Not recommended for production use! 27 | # Use with extreme caution! 28 | 29 | #Network Working Group J. Sermersheim 30 | #Internet-Draft Novell, Inc 31 | #Expires: April 24, 2005 L. Poitou 32 | # Sun Microsystems 33 | # October 24, 2004 34 | # 35 | # 36 | # Password Policy for LDAP Directories 37 | # draft-behera-ldap-password-policy-08.txt 38 | # 39 | #Status of this Memo 40 | # 41 | # This document is an Internet-Draft and is subject to all provisions 42 | # of section 3 of RFC 3667. By submitting this Internet-Draft, each 43 | # author represents that any applicable patent or other IPR claims of 44 | # which he or she is aware have been or will be disclosed, and any of 45 | # which he or she become aware will be disclosed, in accordance with 46 | # RFC 3668. 47 | # 48 | # Internet-Drafts are working documents of the Internet Engineering 49 | # Task Force (IETF), its areas, and its working groups. Note that 50 | # other groups may also distribute working documents as 51 | # Internet-Drafts. 52 | # 53 | # Internet-Drafts are draft documents valid for a maximum of six months 54 | # and may be updated, replaced, or obsoleted by other documents at any 55 | # time. It is inappropriate to use Internet-Drafts as reference 56 | # material or to cite them other than as "work in progress." 57 | # 58 | # The list of current Internet-Drafts can be accessed at 59 | # http://www.ietf.org/ietf/1id-abstracts.txt. 60 | # 61 | # The list of Internet-Draft Shadow Directories can be accessed at 62 | # http://www.ietf.org/shadow.html. 63 | # 64 | # This Internet-Draft will expire on April 24, 2005. 
65 | # 66 | #Copyright Notice 67 | # 68 | # Copyright (C) The Internet Society (2004). 69 | # 70 | #Abstract 71 | # 72 | # Password policy as described in this document is a set of rules that 73 | # controls how passwords are used and administered in Lightweight 74 | # Directory Access Protocol (LDAP) based directories. In order to 75 | # improve the security of LDAP directories and make it difficult for 76 | # password cracking programs to break into directories, it is desirable 77 | # to enforce a set of rules on password usage. These rules are made to 78 | # 79 | # [trimmed] 80 | # 81 | #5. Schema used for Password Policy 82 | # 83 | # The schema elements defined here fall into two general categories. A 84 | # password policy object class is defined which contains a set of 85 | # administrative password policy attributes, and a set of operational 86 | # attributes are defined that hold general password policy state 87 | # information for each user. 88 | # 89 | #5.2 Attribute Types used in the pwdPolicy ObjectClass 90 | # 91 | # Following are the attribute types used by the pwdPolicy object class. 92 | # 93 | #5.2.1 pwdAttribute 94 | # 95 | # This holds the name of the attribute to which the password policy is 96 | # applied. For example, the password policy may be applied to the 97 | # userPassword attribute. 98 | 99 | attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1 100 | NAME 'pwdAttribute' 101 | EQUALITY objectIdentifierMatch 102 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) 103 | 104 | #5.2.2 pwdMinAge 105 | # 106 | # This attribute holds the number of seconds that must elapse between 107 | # modifications to the password. If this attribute is not present, 0 108 | # seconds is assumed. 
109 | 110 | attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2 111 | NAME 'pwdMinAge' 112 | EQUALITY integerMatch 113 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 114 | SINGLE-VALUE ) 115 | 116 | #5.2.3 pwdMaxAge 117 | # 118 | # This attribute holds the number of seconds after which a modified 119 | # password will expire. 120 | # 121 | # If this attribute is not present, or if the value is 0 the password 122 | # does not expire. If not 0, the value must be greater than or equal 123 | # to the value of the pwdMinAge. 124 | 125 | attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3 126 | NAME 'pwdMaxAge' 127 | EQUALITY integerMatch 128 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 129 | SINGLE-VALUE ) 130 | 131 | #5.2.4 pwdInHistory 132 | # 133 | # This attribute specifies the maximum number of used passwords stored 134 | # in the pwdHistory attribute. 135 | # 136 | # If this attribute is not present, or if the value is 0, used 137 | # passwords are not stored in the pwdHistory attribute and thus may be 138 | # reused. 139 | 140 | attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4 141 | NAME 'pwdInHistory' 142 | EQUALITY integerMatch 143 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 144 | SINGLE-VALUE ) 145 | 146 | #5.2.5 pwdCheckQuality 147 | # 148 | # {TODO: Consider changing the syntax to OID. Each OID will list a 149 | # quality rule (like min len, # of special characters, etc). These 150 | # rules can be specified outsid ethis document.} 151 | # 152 | # {TODO: Note that even though this is meant to be a check that happens 153 | # during password modification, it may also be allowed to happen during 154 | # authN. This is useful for situations where the password is encrypted 155 | # when modified, but decrypted when used to authN.} 156 | # 157 | # This attribute indicates how the password quality will be verified 158 | # while being modified or added. If this attribute is not present, or 159 | # if the value is '0', quality checking will not be enforced. 
A value 160 | # of '1' indicates that the server will check the quality, and if the 161 | # server is unable to check it (due to a hashed password or other 162 | # reasons) it will be accepted. A value of '2' indicates that the 163 | # server will check the quality, and if the server is unable to verify 164 | # it, it will return an error refusing the password. 165 | 166 | attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5 167 | NAME 'pwdCheckQuality' 168 | EQUALITY integerMatch 169 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 170 | SINGLE-VALUE ) 171 | 172 | #5.2.6 pwdMinLength 173 | # 174 | # When quality checking is enabled, this attribute holds the minimum 175 | # number of characters that must be used in a password. If this 176 | # attribute is not present, no minimum password length will be 177 | # enforced. If the server is unable to check the length (due to a 178 | # hashed password or otherwise), the server will, depending on the 179 | # value of the pwdCheckQuality attribute, either accept the password 180 | # without checking it ('0' or '1') or refuse it ('2'). 181 | 182 | attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6 183 | NAME 'pwdMinLength' 184 | EQUALITY integerMatch 185 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 186 | SINGLE-VALUE ) 187 | 188 | #5.2.7 pwdExpireWarning 189 | # 190 | # This attribute specifies the maximum number of seconds before a 191 | # password is due to expire that expiration warning messages will be 192 | # returned to an authenticating user. 193 | # 194 | # If this attribute is not present, or if the value is 0 no warnings 195 | # will be returned. If not 0, the value must be smaller than the value 196 | # of the pwdMaxAge attribute. 
197 | 198 | attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7 199 | NAME 'pwdExpireWarning' 200 | EQUALITY integerMatch 201 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 202 | SINGLE-VALUE ) 203 | 204 | #5.2.8 pwdGraceAuthNLimit 205 | # 206 | # This attribute specifies the number of times an expired password can 207 | # be used to authenticate. If this attribute is not present or if the 208 | # value is 0, authentication will fail. 209 | 210 | attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8 211 | NAME 'pwdGraceAuthNLimit' 212 | EQUALITY integerMatch 213 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 214 | SINGLE-VALUE ) 215 | 216 | #5.2.9 pwdLockout 217 | # 218 | # This attribute indicates, when its value is "TRUE", that the password 219 | # may not be used to authenticate after a specified number of 220 | # consecutive failed bind attempts. The maximum number of consecutive 221 | # failed bind attempts is specified in pwdMaxFailure. 222 | # 223 | # If this attribute is not present, or if the value is "FALSE", the 224 | # password may be used to authenticate when the number of failed bind 225 | # attempts has been reached. 226 | 227 | attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9 228 | NAME 'pwdLockout' 229 | EQUALITY booleanMatch 230 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 231 | SINGLE-VALUE ) 232 | 233 | #5.2.10 pwdLockoutDuration 234 | # 235 | # This attribute holds the number of seconds that the password cannot 236 | # be used to authenticate due to too many failed bind attempts. If 237 | # this attribute is not present, or if the value is 0 the password 238 | # cannot be used to authenticate until reset by a password 239 | # administrator. 
240 | 241 | attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10 242 | NAME 'pwdLockoutDuration' 243 | EQUALITY integerMatch 244 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 245 | SINGLE-VALUE ) 246 | 247 | #5.2.11 pwdMaxFailure 248 | # 249 | # This attribute specifies the number of consecutive failed bind 250 | # attempts after which the password may not be used to authenticate. 251 | # If this attribute is not present, or if the value is 0, this policy 252 | # is not checked, and the value of pwdLockout will be ignored. 253 | 254 | attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11 255 | NAME 'pwdMaxFailure' 256 | EQUALITY integerMatch 257 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 258 | SINGLE-VALUE ) 259 | 260 | #5.2.12 pwdFailureCountInterval 261 | # 262 | # This attribute holds the number of seconds after which the password 263 | # failures are purged from the failure counter, even though no 264 | # successful authentication occurred. 265 | # 266 | # If this attribute is not present, or if its value is 0, the failure 267 | # counter is only reset by a successful authentication. 268 | 269 | attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12 270 | NAME 'pwdFailureCountInterval' 271 | EQUALITY integerMatch 272 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 273 | SINGLE-VALUE ) 274 | 275 | #5.2.13 pwdMustChange 276 | # 277 | # This attribute specifies with a value of "TRUE" that users must 278 | # change their passwords when they first bind to the directory after a 279 | # password is set or reset by a password administrator. If this 280 | # attribute is not present, or if the value is "FALSE", users are not 281 | # required to change their password upon binding after the password 282 | # administrator sets or resets the password. This attribute is not set 283 | # due to any actions specified by this document, it is typically set by 284 | # a password administrator after resetting a user's password. 
285 | 286 | attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13 287 | NAME 'pwdMustChange' 288 | EQUALITY booleanMatch 289 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 290 | SINGLE-VALUE ) 291 | 292 | #5.2.14 pwdAllowUserChange 293 | # 294 | # This attribute indicates whether users can change their own 295 | # passwords, although the change operation is still subject to access 296 | # control. If this attribute is not present, a value of "TRUE" is 297 | # assumed. This attribute is intended to be used in the absense of an 298 | # access control mechanism. 299 | 300 | attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14 301 | NAME 'pwdAllowUserChange' 302 | EQUALITY booleanMatch 303 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 304 | SINGLE-VALUE ) 305 | 306 | #5.2.15 pwdSafeModify 307 | # 308 | # This attribute specifies whether or not the existing password must be 309 | # sent along with the new password when being changed. If this 310 | # attribute is not present, a "FALSE" value is assumed. 311 | 312 | attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15 313 | NAME 'pwdSafeModify' 314 | EQUALITY booleanMatch 315 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 316 | SINGLE-VALUE ) 317 | 318 | # HP extensions 319 | # 320 | # pwdCheckModule 321 | # 322 | # This attribute names a user-defined loadable module that provides 323 | # a check_password() function. If pwdCheckQuality is set to '1' or '2' 324 | # this function will be called after all of the internal password 325 | # quality checks have been passed. The function has this prototype: 326 | # 327 | # int check_password( char *password, char **errormessage, void *arg ) 328 | # 329 | # The function should return LDAP_SUCCESS for a valid password. 
330 | 331 | attributetype ( 1.3.6.1.4.1.4754.1.99.1 332 | NAME 'pwdCheckModule' 333 | EQUALITY caseExactIA5Match 334 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 335 | DESC 'Loadable module that instantiates "check_password() function' 336 | SINGLE-VALUE ) 337 | 338 | objectclass ( 1.3.6.1.4.1.4754.2.99.1 339 | NAME 'pwdPolicyChecker' 340 | SUP top 341 | AUXILIARY 342 | MAY ( pwdCheckModule ) ) 343 | 344 | #5.1 The pwdPolicy Object Class 345 | # 346 | # This object class contains the attributes defining a password policy 347 | # in effect for a set of users. Section 10 describes the 348 | # administration of this object, and the relationship between it and 349 | # particular objects. 350 | # 351 | objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1 352 | NAME 'pwdPolicy' 353 | SUP top 354 | AUXILIARY 355 | MUST ( pwdAttribute ) 356 | MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ 357 | pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout 358 | $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ 359 | pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) ) 360 | 361 | #5.3 Attribute Types for Password Policy State Information 362 | # 363 | # Password policy state information must be maintained for each user. 364 | # The information is located in each user entry as a set of operational 365 | # attributes. These operational attributes are: pwdChangedTime, 366 | # pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime, 367 | # pwdReset, pwdPolicySubEntry. 368 | # 369 | #5.3.1 Password Policy State Attribute Option 370 | # 371 | # Since the password policy could apply to several attributes used to 372 | # store passwords, each of the above operational attributes must have 373 | # an option to specify which pwdAttribute it applies to. The password 374 | # policy option is defined as the following: 375 | # 376 | # pwd- 377 | # 378 | # where passwordAttribute a string following the OID syntax 379 | # (1.3.6.1.4.1.1466.115.121.1.38). 
The attribute type descriptor 380 | # (short name) MUST be used. 381 | # 382 | # For example, if the pwdPolicy object has for pwdAttribute 383 | # "userPassword" then the pwdChangedTime operational attribute, in a 384 | # user entry, will be: 385 | # 386 | # pwdChangedTime;pwd-userPassword: 20000103121520Z 387 | # 388 | # This attribute option follows sub-typing semantics. If a client 389 | # requests a password policy state attribute to be returned in a search 390 | # operation, and does not specify an option, all subtypes of that 391 | # policy state attribute are returned. 392 | # 393 | #5.3.2 pwdChangedTime 394 | # 395 | # This attribute specifies the last time the entry's password was 396 | # changed. This is used by the password expiration policy. If this 397 | # attribute does not exist, the password will never expire. 398 | # 399 | # ( 1.3.6.1.4.1.42.2.27.8.1.16 400 | # NAME 'pwdChangedTime' 401 | # DESC 'The time the password was last changed' 402 | # EQUALITY generalizedTimeMatch 403 | # ORDERING generalizedTimeOrderingMatch 404 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 405 | # SINGLE-VALUE 406 | # USAGE directoryOperation ) 407 | # 408 | #5.3.3 pwdAccountLockedTime 409 | # 410 | # This attribute holds the time that the user's account was locked. A 411 | # locked account means that the password may no longer be used to 412 | # authenticate. A 000001010000Z value means that the account has been 413 | # locked permanently, and that only a password administrator can unlock 414 | # the account. 415 | # 416 | # ( 1.3.6.1.4.1.42.2.27.8.1.17 417 | # NAME 'pwdAccountLockedTime' 418 | # DESC 'The time an user account was locked' 419 | # EQUALITY generalizedTimeMatch 420 | # ORDERING generalizedTimeOrderingMatch 421 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 422 | # SINGLE-VALUE 423 | # USAGE directoryOperation ) 424 | # 425 | #5.3.4 pwdFailureTime 426 | # 427 | # This attribute holds the timestamps of the consecutive authentication 428 | # failures. 
429 | # 430 | # ( 1.3.6.1.4.1.42.2.27.8.1.19 431 | # NAME 'pwdFailureTime' 432 | # DESC 'The timestamps of the last consecutive authentication 433 | # failures' 434 | # EQUALITY generalizedTimeMatch 435 | # ORDERING generalizedTimeOrderingMatch 436 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 437 | # USAGE directoryOperation ) 438 | # 439 | #5.3.5 pwdHistory 440 | # 441 | # This attribute holds a history of previously used passwords. Values 442 | # of this attribute are transmitted in string format as given by the 443 | # following ABNF: 444 | # 445 | # pwdHistory = time "#" syntaxOID "#" length "#" data 446 | # 447 | # time = 449 | # 450 | # syntaxOID = numericoid ; the string representation of the 451 | # ; dotted-decimal OID that defines the 452 | # ; syntax used to store the password. 453 | # ; numericoid is described in 4.1 454 | # ; of [RFC2252]. 455 | # 456 | # length = numericstring ; the number of octets in data. 457 | # ; numericstring is described in 4.1 458 | # ; of [RFC2252]. 459 | # 460 | # data = . 462 | # 463 | # This format allows the server to store, and transmit a history of 464 | # passwords that have been used. In order for equality matching to 465 | # function properly, the time field needs to adhere to a consistent 466 | # format. For this purpose, the time field MUST be in GMT format. 467 | # 468 | # ( 1.3.6.1.4.1.42.2.27.8.1.20 469 | # NAME 'pwdHistory' 470 | # DESC 'The history of user s passwords' 471 | # EQUALITY octetStringMatch 472 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 473 | # USAGE directoryOperation ) 474 | # 475 | #5.3.6 pwdGraceUseTime 476 | # 477 | # This attribute holds the timestamps of grace authentications after a 478 | # password has expired. 
479 | # 480 | # ( 1.3.6.1.4.1.42.2.27.8.1.21 481 | # NAME 'pwdGraceUseTime' 482 | # DESC 'The timestamps of the grace authentication after the 483 | # password has expired' 484 | # EQUALITY generalizedTimeMatch 485 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 486 | # 487 | #5.3.7 pwdReset 488 | # 489 | # This attribute holds a flag to indicate (when TRUE) that the password 490 | # has been updated by the password administrator and must be changed by 491 | # the user on first authentication. 492 | # 493 | # ( 1.3.6.1.4.1.42.2.27.8.1.22 494 | # NAME 'pwdReset' 495 | # DESC 'The indication that the password has been reset' 496 | # EQUALITY booleanMatch 497 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 498 | # SINGLE-VALUE 499 | # USAGE directoryOperation ) 500 | # 501 | #5.3.8 pwdPolicySubentry 502 | # 503 | # This attribute points to the pwdPolicy subentry in effect for this 504 | # object. 505 | # 506 | # ( 1.3.6.1.4.1.42.2.27.8.1.23 507 | # NAME 'pwdPolicySubentry' 508 | # DESC 'The pwdPolicy subentry in effect for this object' 509 | # EQUALITY distinguishedNameMatch 510 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 511 | # SINGLE-VALUE 512 | # USAGE directoryOperation ) 513 | # 514 | # 515 | #Disclaimer of Validity 516 | # 517 | # This document and the information contained herein are provided on an 518 | # "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 519 | # OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 520 | # ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 521 | # INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 522 | # INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 523 | # WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 524 | # 525 | # 526 | #Copyright Statement 527 | # 528 | # Copyright (C) The Internet Society (2004). 
#   This document is subject
#   to the rights, licenses and restrictions contained in BCP 78, and
#   except as set forth therein, the authors retain all their rights.

--------------------------------------------------------------------------------
/scripts/ad-schema-to-open-ldap.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

from __future__ import print_function

import argparse
import sys
from ldif import LDIFParser


class OpenLdapSchemaWriter:
    # Resources:
    # https://technet.microsoft.com/en-us/library/cc961740.aspx
    # https://github.com/jelmer/samba/blob/master/source4/setup/schema-map-openldap-2.3
    #
    # Maps the AD attributeSyntax OID to the OpenLDAP syntax OID. Syntaxes
    # that are not in this table raise KeyError, which is deliberate: a
    # silently wrong syntax would produce a schema that loads but mangles
    # the data imported into it.
    mapMSSyntaxToOpenLdap = {
        '2.5.5.1'  : '1.3.6.1.4.1.1466.115.121.1.12', # DN
        '2.5.5.2'  : '1.3.6.1.4.1.1466.115.121.1.44', # OID -> Printable String
        '2.5.5.3'  : '1.3.6.1.4.1.1466.115.121.1.44', # Case-sensitive string (a.k.a. case-exact string) -> Printable String
        '2.5.5.4'  : '1.3.6.1.4.1.1466.115.121.1.44', # Case-ignore string (teletex) -> Printable String
        '2.5.5.5'  : '1.3.6.1.4.1.1466.115.121.1.15', # Printable String -> Directory String
        '2.5.5.6'  : '1.3.6.1.4.1.1466.115.121.1.36', # Numeric String
        '2.5.5.7'  : '1.3.6.1.4.1.1466.115.121.1.15', # OR Name -> Directory String
        '2.5.5.8'  : '1.3.6.1.4.1.1466.115.121.1.7',  # Boolean
        '2.5.5.9'  : '1.3.6.1.4.1.1466.115.121.1.27', # INTEGER
        '2.5.5.10' : '1.3.6.1.4.1.1466.115.121.1.40', # Octet String
        '2.5.5.11' : '1.3.6.1.4.1.1466.115.121.1.24', # UTC TIME -> General Time
        '2.5.5.12' : '1.3.6.1.4.1.1466.115.121.1.15', # Directory String
        '2.5.5.13' : '1.3.6.1.4.1.1466.115.121.1.43', # Presentation Address
        '2.5.5.14' : '1.3.6.1.4.1.1466.115.121.1.40', # DN with Unicode string -> Octet String
        '2.5.5.15' : '1.3.6.1.4.1.1466.115.121.1.40', # Windows NT security descriptor -> Octet String
        '2.5.5.16' : '1.3.6.1.4.1.1466.115.121.1.27', # Large integer (a.k.a. INTEGER8) -> INTEGER
        '2.5.5.17' : '1.3.6.1.4.1.1466.115.121.1.40'  # Octet String (again)
    }

    # Resources:
    # https://msdn.microsoft.com/en-us/library/ms679014%28v=vs.85%29.aspx
    mapMSObjectClassCategoryToOpenLdapKind = {
        '0' : 'STRUCTURAL', # Class 88 -> STRUCTURAL
        '1' : 'STRUCTURAL', # Structural
        '2' : 'ABSTRACT',   # Abstract
        '3' : 'AUXILIARY'   # Auxiliary
    }

    def __init__(self, output):
        self.output = output

    def __mapSyntax(self, syntax):
        return self.mapMSSyntaxToOpenLdap[syntax]

    def __mapClassCategory(self, category):
        return self.mapMSObjectClassCategoryToOpenLdapKind[category]

    def __writeAttributeType(self, dn, entry):
        # Note: no EQUALITY rule is emitted, so slapd will load the attribute
        # but refuse equality filters on it (and it cannot be indexed).
        singlevalue = 'SINGLE-VALUE' if str(entry.get('isSingleValued', ['FALSE'])[0]).lower() == 'true' else ''
        syntax = self.__mapSyntax(entry['attributeSyntax'][0])
        attributetype = 'attributetype ( %s\n NAME \'%s\'\n DESC \'%s\'\n SYNTAX %s\n %s )\n\n' % (
            entry['attributeID'][0], entry['lDAPDisplayName'][0], entry['lDAPDisplayName'][0], syntax, singlevalue)
        self.output.write(attributetype)

    def __formatAttributeList(self, keyword, attributes):
        # Render "MUST ( a $ b $ c )" / "MAY ( ... )", four names per line
        result = ''
        for index, attribute in enumerate(attributes):
            if index < 1:
                result = keyword + ' ( ' + attribute
            elif (index % 4) == 0:
                result = result + " $\n " + attribute
            else:
                result = result + " $ " + attribute
        if result:
            result = result + ' )\n'
        return result

    def __writeObjectclassType(self, dn, entry):
        must = self.__formatAttributeList('MUST', entry.get('systemMustContain', []))
        may = self.__formatAttributeList('MAY', entry.get('systemMayContain', []))
        category = self.__mapClassCategory(entry['objectClassCategory'][0])
        objectclass = 'objectclass ( %s\n NAME \'%s\'\n SUP \'%s\'\n %s\n %s %s )\n\n' % (
            entry['governsID'][0], entry['lDAPDisplayName'][0], entry['subClassOf'][0], category, must, may)
        self.output.write(objectclass)

    def construct(self, dn, entry):
        if 'objectClass' not in entry:
            print('DN without objectClass: ' + dn, file=sys.stderr)
            return
        if 'attributeSchema' in entry['objectClass']:
            self.__writeAttributeType(dn, entry)
        elif 'classSchema' in entry['objectClass']:
            self.__writeObjectclassType(dn, entry)


class ActiveDirectorySchemaLdifExportToOpenLdapSchema(LDIFParser):

    def __init__(self, input, output):
        LDIFParser.__init__(self, input)
        self.writer = OpenLdapSchemaWriter(output)

    def handle(self, dn, entry):
        self.writer.construct(dn, entry)


if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        formatter_class=argparse.RawDescriptionHelpFormatter,
        description='Convert an Active Directory schema LDIF export into an OpenLDAP schema file',
    )
    parser.add_argument('--src', metavar='SOURCE', required=True, help='Source ldif')
    parser.add_argument('--dst', metavar='DESTINATION', required=True, help='Destination schema file')
    args = parser.parse_args()

    adparser = ActiveDirectorySchemaLdifExportToOpenLdapSchema(open(args.src, 'rb'), open(args.dst, 'wb'))
    adparser.parse()

--------------------------------------------------------------------------------
/scripts/add-default-user-password.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

import argparse
import sys
from ldif import LDIFParser, LDIFWriter


class ActiveDirectoryDefaultUserSetup(LDIFParser):
    # Gives every entry of objectClass "user" the same userPassword value.
    # The value is written into the LDIF exactly as given on the command
    # line, and ldapadd stores it as given: unless the value is already a
    # hash, or slapo-ppolicy's ppolicy_hash_cleartext is enabled on the
    # target server, the directory ends up holding the cleartext password.
    # This is intended for test data only.

    def __init__(self, input, output, password):
        LDIFParser.__init__(self, input)
        self.writer = LDIFWriter(output)
        self.password = password

    def setUserDefaultPassword(self, dn, entry):
        if 'objectClass' not in entry:
            return
        if 'user' in entry['objectClass']:
            entry['userPassword'] = [ self.password ]

    def handle(self, dn, entry):
        self.setUserDefaultPassword(dn, entry)
        self.writer.unparse(dn, entry)


if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        formatter_class=argparse.RawDescriptionHelpFormatter,
        description='Set a default userPassword on every "user" entry of an LDIF export',
    )
    parser.add_argument('--src', metavar='SOURCE', required=True, help='Source ldif')
    parser.add_argument('--dst', metavar='DESTINATION', required=True, help='Destination ldif')
    parser.add_argument('--password', metavar='PASSWORD', required=True, help='Default User Password')
    args = parser.parse_args()

    adparser = ActiveDirectoryDefaultUserSetup(open(args.src, 'rb'), open(args.dst, 'wb'), args.password)
    adparser.parse()

--------------------------------------------------------------------------------
/scripts/ldif-convertor.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

import argparse
import sys
from ldif import LDIFParser, LDIFWriter


class ActiveDirectoryToOpenLdapLDIFConvertor(LDIFParser):
    # Entries whose DN contains the key (case-insensitive) get the object
    # class named by the value appended.
    objectclassAddsBasedOnDN = { 'CN=ExchangeActiveSyncDevices' : 'exchangeActiveSyncDevices'
                               }

    # Entries whose DN contains the key get the object classes listed in the
    # inner dict renamed (source -> target).
    objectclassChangesBasedOnDN = { 'CN=_Template ': { 'user': 'customActiveDirectoryUserTemplate' },
                                    'CN=_Template_': { 'user': 'customActiveDirectoryUserTemplate' },
                                    'CN=_Template\\, ': { 'user': 'customActiveDirectoryUserTemplate' }
                                  }

    # AD object classes that are renamed to the custom OpenLDAP classes
    # defined in the schema directory.
    objectclassMappings = { 'top' : 'mstop', 'user' : 'customActiveDirectoryUser', 'group' : 'customActiveDirectoryGroup',
                            'contact' : 'customActiveDirectoryContact' }

    # Attributes that AD exports with duplicate values, which slapd rejects.
    attributetypesValuesDuplicates = [ 'dSCorePropagationData' ]

    def __init__(self, input, output):
        LDIFParser.__init__(self, input)
        self.writer = LDIFWriter(output)

    def addObjectclassesBasedOnDN(self, dn, entry):
        for objAdd in self.objectclassAddsBasedOnDN:
            if objAdd.lower() in dn.lower(): # case insensitive match
                if 'objectClass' not in entry:
                    entry['objectClass'] = [ ]
                entry['objectClass'].append(self.objectclassAddsBasedOnDN[objAdd])

    def changeObjectclassesBasedOnDN(self, dn, entry):
        if 'objectClass' not in entry:
            return
        for objChange in self.objectclassChangesBasedOnDN:
            if objChange.lower() in dn.lower(): # case insensitive match
                for objSource in self.objectclassChangesBasedOnDN[objChange]:
                    for index, objTarget in enumerate(entry['objectClass']):
                        if objSource == objTarget:
                            entry['objectClass'][index] = self.objectclassChangesBasedOnDN[objChange][objSource]

    def changeObjectclasses(self, dn, entry):
        if 'objectClass' in entry:
            for index, objectclass in enumerate(entry['objectClass']):
                if objectclass in self.objectclassMappings:
                    entry['objectClass'][index] = self.objectclassMappings[objectclass]

    def removeDuplicateAttributeValues(self, dn, entry):
        for attributetype in self.attributetypesValuesDuplicates:
            if attributetype in entry:
                entry[attributetype] = list(set(entry[attributetype]))

    def handle(self, dn, entry):
        # Order matters: DN-based renames run before the generic mapping so
        # that a template "user" becomes customActiveDirectoryUserTemplate
        # rather than customActiveDirectoryUser.
        self.addObjectclassesBasedOnDN(dn, entry)
        self.changeObjectclassesBasedOnDN(dn, entry)
        self.changeObjectclasses(dn, entry)
        self.removeDuplicateAttributeValues(dn, entry)
        self.writer.unparse(dn, entry)


if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        formatter_class=argparse.RawDescriptionHelpFormatter,
        description='Rewrite an Active Directory LDIF export so that it loads into OpenLDAP with the custom schema',
    )
    parser.add_argument('--src', metavar='SOURCE', required=True, help='Source ldif')
    parser.add_argument('--dst', metavar='DESTINATION', required=True, help='Destination ldif')
    args = parser.parse_args()

    adparser = ActiveDirectoryToOpenLdapLDIFConvertor(open(args.src, 'rb'), open(args.dst, 'wb'))
    adparser.parse()

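add-default-user-password.py above writes one cleartext value into every user's userPassword, and ldapadd stores that value exactly as it appears in the LDIF (slapd's password-hash directive only affects the Password Modify extended operation). The following is an added example, not code from this repository, showing how to produce and verify RFC 2307 style {SSHA} values so that the generated LDIF carries a salted hash per entry instead. The function names, the 8-byte salt length and the sample entries are my own choices; the entry selection rule ("user" in objectClass) mirrors the script above.

```python
import base64
import hashlib
import hmac
import os

SSHA_PREFIX = b"{SSHA}"
SHA1_LEN = 20  # SHA-1 digest size in bytes


def ssha_hash(password, salt=None, salt_len=8):
    """Return an RFC 2307 style {SSHA} userPassword value.

    {SSHA} is "{SSHA}" + base64( SHA1(password || salt) || salt ); slapd
    recovers the salt by taking everything after the first 20 decoded bytes.
    """
    if isinstance(password, str):
        password = password.encode("utf-8")
    if salt is None:
        salt = os.urandom(salt_len)  # fresh random salt for every value
    digest = hashlib.sha1(password + salt).digest()
    return (SSHA_PREFIX + base64.b64encode(digest + salt)).decode("ascii")


def ssha_verify(password, stored):
    """Check a cleartext password against a stored {SSHA} value."""
    if isinstance(password, str):
        password = password.encode("utf-8")
    if isinstance(stored, str):
        stored = stored.encode("ascii")
    if not stored.startswith(SSHA_PREFIX):
        return False
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    if len(raw) < SHA1_LEN:
        return False  # too short to contain a digest
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password + salt).digest()
    # constant-time comparison, so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, digest)


def hash_user_passwords(entries, password):
    """Give every entry whose objectClass contains 'user' its own salted
    {SSHA} userPassword. Equal cleartext yields different stored values
    because each entry gets a distinct salt."""
    for dn, entry in entries:
        if "user" in entry.get("objectClass", []):
            entry["userPassword"] = [ssha_hash(password)]
    return entries


# Constructed sample entries in the {attribute: [values]} shape that
# python-ldap's LDIFParser hands to handle(); not taken from testdata.ldif.
SAMPLE_ENTRIES = [
    ("CN=Alice,OU=Users,DC=example,DC=com",
     {"objectClass": ["top", "person", "user"], "cn": ["Alice"]}),
    ("CN=Admins,OU=Groups,DC=example,DC=com",
     {"objectClass": ["top", "group"], "cn": ["Admins"]}),
]

if __name__ == "__main__":
    for dn, entry in hash_user_passwords(SAMPLE_ENTRIES, "Passw0rd!"):
        print(dn, entry.get("userPassword"))
```

Dropping `ssha_hash(self.password)` into `setUserDefaultPassword` in place of the raw value is enough to make the script emit hashes; slapd then verifies simple binds against the stored {SSHA} value. Alternatively, load slapo-ppolicy with `ppolicy_hash_cleartext` on the target server so that cleartext values arriving by Add or Modify are hashed on the way in.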
--------------------------------------------------------------------------------
/scripts/set-content.sh:
--------------------------------------------------------------------------------
#!/bin/bash

set -eu

D="$(dirname "$0")/.."
SLAPDENV="${D}/config/slapdenv.config"
DATALDIFS="${D}/ldif/*.ldif"

# The temporary LDIF copies carry every user's default password in
# cleartext: create them readable by this user only, and make sure they
# are removed even when an import step fails.
umask 077
trap 'rm -f "${D}"/ldif/*.tmp "${D}"/ldif/*.tmp.tmp' EXIT

source "${SLAPDENV}"

for DATALDIF in ${DATALDIFS};
do
	DATALDIFABS="$(readlink -f "${DATALDIF}")"
	echo "Processing begin: ${DATALDIFABS}"
	if [ "${ADDADUSERPW}" = true ]; then
		echo "Adding user passwords: ${DATALDIFABS}"
		# Note: the password is visible in the process list while this runs
		python "${D}/scripts/add-default-user-password.py" --src="${DATALDIF}" --dst="${DATALDIF}.tmp" --password="${DEFAULTADUSERPW}"
	else
		cp "${DATALDIF}" "${DATALDIF}.tmp"
	fi
	echo "Converting: ${DATALDIFABS}"
	python "${D}/scripts/ldif-convertor.py" --src="${DATALDIF}.tmp" --dst="${DATALDIF}.tmp.tmp"
	echo "Importing: ${DATALDIFABS}"
	# passwdfile.conf is written by set-default-slapd.sh and holds the rootdn password
	time ldapadd -D "cn=Manager,${ROOTDN}" -y "${D}/passwdfile.conf" -f "${DATALDIF}.tmp.tmp"
	rm -f "${DATALDIF}".tmp*
	echo "Processing done: ${DATALDIFABS}"
done

--------------------------------------------------------------------------------
/scripts/set-default-slapd.sh:
--------------------------------------------------------------------------------
#!/bin/bash

set -eu

D="$(dirname "$0")/.."
SLAPDCONFTEMPLATE="${D}/config/slapd.conf.template"
DBCONFIG="${D}/config/DB_CONFIG"
SLAPDCONF="${D}/slapd.conf"
SCHEMADIRREL="${D}/schema"
SCHEMADIR="$(readlink -f "${SCHEMADIRREL}")"
SLAPDENV="${D}/config/slapdenv.config"
PASSWDFILE="${D}/passwdfile.conf"

# Generate config files from templates
source "${SLAPDENV}"
# ROOTPW is spliced into a sed replacement, so escape the characters that
# are special there (& / \); otherwise a password containing one of them
# corrupts the generated slapd.conf.
ROOTPW_SED="$(printf '%s' "${ROOTPW}" | sed 's/[&/\]/\\&/g')"
# rootpw also accepts a hash generated with slappasswd; only passwdfile.conf
# (read by ldapadd -y in set-content.sh) needs the cleartext value.
sed "s/dc=example,dc=com/${ROOTDN}/g;s|__SCHEMADIR__|${SCHEMADIR}|g;s/^rootpw.*$/rootpw ${ROOTPW_SED}/g;s/^acl-passwd.*$/acl-passwd ${ROOTPW_SED}/g" "${SLAPDCONFTEMPLATE}" >"${SLAPDCONF}"
# Both files hold the rootdn password: keep them private to the invoking
# user. printf '%s' also stops a password containing '%' from being
# interpreted as a format string.
chmod 600 "${SLAPDCONF}"
(umask 077; printf '%s' "${ROOTPW}" > "${PASSWDFILE}")

DATABASEDIR="$(sed -n 's/^directory[ \t]*\(.*\)/\1/p' "${SLAPDCONF}")"
# Refuse to continue with an empty or bogus directory: with an empty value
# the rm below would delete files in /.
if [ -z "${DATABASEDIR}" ] || [ ! -d "${DATABASEDIR}" ]; then
	echo "Could not determine the database directory from ${SLAPDCONF}" >&2
	exit 1
fi

# Stop the LDAP service
service slapd stop || true

# Clean the LDAP database
rm -f "${DATABASEDIR}"/*
cp "${DBCONFIG}" "${DATABASEDIR}"
# Start slapd once so that it creates the database environment, then stop it again
slapd
killall "$(which slapd)" || true
sudo chown -R ldap:ldap "${DATABASEDIR}"

# Setup the LDAP schema
mkdir -p /etc/openldap/slapd.d.new
slaptest -f "${SLAPDCONF}" -F /etc/openldap/slapd.d.new
chown ldap:ldap /etc/openldap/slapd.d.new -R
chmod 700 /etc/openldap/slapd.d.new
rm -Rf /etc/openldap/slapd.d
mv /etc/openldap/slapd.d.new /etc/openldap/slapd.d

# Start the LDAP service
service slapd start

--------------------------------------------------------------------------------
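The ppolicy.schema shipped above defines the pwdPolicy attributes together with the consistency rules from the draft text (pwdMaxAge must be at least pwdMinAge, pwdExpireWarning must be smaller than pwdMaxAge, pwdLockout is ignored while pwdMaxFailure is 0, pwdMinLength is only enforced when pwdCheckQuality is 1 or 2) and the `time "#" syntaxOID "#" length "#" data` format of pwdHistory values. The following is an added example, not part of this repository, that checks a pwdPolicy entry against those rules before it is loaded and parses pwdHistory values as stored by the server. The function names, the sample policy and the sample history value are constructed for this example.

```python
import re
from datetime import datetime, timezone

# Attribute syntaxes as declared in ppolicy.schema (INTEGER / Boolean)
INTEGER_ATTRS = ("pwdMinAge", "pwdMaxAge", "pwdInHistory", "pwdCheckQuality",
                 "pwdMinLength", "pwdExpireWarning", "pwdGraceAuthNLimit",
                 "pwdLockoutDuration", "pwdMaxFailure", "pwdFailureCountInterval")
BOOLEAN_ATTRS = ("pwdLockout", "pwdMustChange", "pwdAllowUserChange", "pwdSafeModify")


def _int(entry, name):
    # single-valued INTEGER attribute; absent means 0 per the draft text
    return int(entry.get(name, ["0"])[0])


def _bool(entry, name):
    vals = entry.get(name)
    return bool(vals) and vals[0].upper() == "TRUE"


def check_pwd_policy(entry):
    """Return a list of 'error: ...' / 'warning: ...' strings for a pwdPolicy
    entry given as {attribute: [values]} (the shape LDIFParser produces).
    An empty list means the policy is consistent with sections 5.2.x."""
    problems = []
    if "pwdPolicy" not in entry.get("objectClass", []):
        problems.append("error: objectClass pwdPolicy missing")
    if not entry.get("pwdAttribute"):
        problems.append("error: pwdAttribute is MUST")
    for name in INTEGER_ATTRS:
        for v in entry.get(name, []):
            if not re.fullmatch(r"-?\d+", v):
                problems.append("error: %s: %r is not INTEGER" % (name, v))
    for name in BOOLEAN_ATTRS:
        for v in entry.get(name, []):
            if v.upper() not in ("TRUE", "FALSE"):
                problems.append("error: %s: %r is not Boolean" % (name, v))
    if problems:
        return problems  # value-level errors make the cross checks meaningless
    min_age, max_age = _int(entry, "pwdMinAge"), _int(entry, "pwdMaxAge")
    warn, max_fail = _int(entry, "pwdExpireWarning"), _int(entry, "pwdMaxFailure")
    if max_age and max_age < min_age:
        problems.append("error: pwdMaxAge must be >= pwdMinAge (5.2.3)")
    if warn and not warn < max_age:
        problems.append("error: pwdExpireWarning must be smaller than pwdMaxAge (5.2.7)")
    if _bool(entry, "pwdLockout") and max_fail == 0:
        problems.append("warning: pwdLockout TRUE is ignored while pwdMaxFailure is 0 (5.2.11)")
    if _bool(entry, "pwdLockout") and max_fail and _int(entry, "pwdLockoutDuration") == 0:
        problems.append("warning: pwdLockoutDuration 0 locks accounts until an administrator resets them (5.2.10)")
    if _int(entry, "pwdCheckQuality") == 0 and _int(entry, "pwdMinLength"):
        problems.append("warning: pwdMinLength is only enforced when pwdCheckQuality is 1 or 2 (5.2.6)")
    return problems


# time MUST be GMT (trailing Z); syntaxOID is a numericoid; length is decimal
HISTORY_RE = re.compile(rb"^(\d{14}Z)#(\d+(?:\.\d+)*)#(\d+)#")


def parse_pwd_history(value):
    """Parse one pwdHistory value (section 5.3.5) into
    (UTC datetime, syntax OID, data bytes). Raises ValueError when the value
    is malformed or the length field disagrees with the data."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    m = HISTORY_RE.match(value)
    if not m:
        raise ValueError("not in time#syntaxOID#length#data form")
    time_s, oid, length = m.group(1).decode(), m.group(2).decode(), int(m.group(3))
    data = value[m.end():]
    if len(data) != length:
        raise ValueError("length field %d does not match %d data octets" % (length, len(data)))
    when = datetime.strptime(time_s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return when, oid, data


# Constructed sample policy (not from the repository's ldif directory)
SAMPLE_POLICY = {
    "objectClass": ["top", "device", "pwdPolicy"],
    "cn": ["default"],
    "pwdAttribute": ["userPassword"],
    "pwdMinAge": ["0"],
    "pwdMaxAge": ["7776000"],        # 90 days
    "pwdExpireWarning": ["604800"],  # 7 days
    "pwdInHistory": ["5"],
    "pwdCheckQuality": ["2"],
    "pwdMinLength": ["12"],
    "pwdLockout": ["TRUE"],
    "pwdMaxFailure": ["5"],
    "pwdLockoutDuration": ["900"],
    "pwdFailureCountInterval": ["300"],
    "pwdSafeModify": ["TRUE"],
}

# Constructed sample history value: the data part is a placeholder, not a real hash
SAMPLE_HISTORY = "20000103121520Z#1.3.6.1.4.1.1466.115.121.1.40#22#{SSHA}c2FsdGVkaGFzaA=="

if __name__ == "__main__":
    print(check_pwd_policy(SAMPLE_POLICY) or "policy is consistent")
    print(parse_pwd_history(SAMPLE_HISTORY))
```

Run the check over the pwdPolicy entries of an LDIF before `ldapadd` imports them; slapd accepts a policy that, for example, sets pwdLockout without pwdMaxFailure, and the only symptom is that lockout silently never triggers.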