# Definitions for a Kerberos V KDC schema
#
# $Id$
#
# This version is compatible with OpenLDAP 1.8
#
# OID Base is iso(1) org(3) dod(6) internet(1) private(4) enterprise(1) padl(5322) kdcSchema(10)
#
# Syntaxes are under        1.3.6.1.4.1.5322.10.0
# Attribute types are under 1.3.6.1.4.1.5322.10.1
# Object classes are under  1.3.6.1.4.1.5322.10.2

# Syntax definitions
#
# The custom syntaxes below are kept as commentary only; the attribute
# types further down are declared with the standard LDAP syntaxes
# (INTEGER, IA5 String, Octet String, Generalized Time) instead.

#krb5KDCFlagsSyntax SYNTAX ::= {
#   WITH SYNTAX            INTEGER
#--        initial(0),             -- require as-req
#--        forwardable(1),         -- may issue forwardable
#--        proxiable(2),           -- may issue proxiable
#--        renewable(3),           -- may issue renewable
#--        postdate(4),            -- may issue postdatable
#--        server(5),              -- may be server
#--        client(6),              -- may be client
#--        invalid(7),             -- entry is invalid
#--        require-preauth(8),     -- must use preauth
#--        change-pw(9),           -- change password service
#--        require-hwauth(10),     -- must use hwauth
#--        ok-as-delegate(11),     -- as in TicketFlags
#--        user-to-user(12),       -- may use user-to-user auth
#--        immutable(13)           -- may not be deleted
#   ID                     { 1.3.6.1.4.1.5322.10.0.1 }
#}

#krb5PrincipalNameSyntax SYNTAX ::= {
#   WITH SYNTAX            OCTET STRING
#-- String representations of distinguished names as per RFC1510
#   ID                     { 1.3.6.1.4.1.5322.10.0.2 }
#}

# Attribute type definitions

# Kerberos principal names are case-sensitive, hence the exact-match
# equality rule rather than a case-ignoring one.
attributetype ( 1.3.6.1.4.1.5322.10.1.1
        NAME 'krb5PrincipalName'
        DESC 'The unparsed Kerberos principal name'
        EQUALITY caseExactIA5Match
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.5322.10.1.2
        NAME 'krb5KeyVersionNumber'
        EQUALITY integerMatch
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.3
        NAME 'krb5MaxLife'
        EQUALITY integerMatch
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.4
        NAME 'krb5MaxRenew'
        EQUALITY integerMatch
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

# Integer whose value space is described by the commented
# krb5KDCFlagsSyntax above (presumably one bit per listed flag; confirm
# against the KDC that consumes this attribute).
attributetype ( 1.3.6.1.4.1.5322.10.1.5
        NAME 'krb5KDCFlags'
        EQUALITY integerMatch
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.6
        NAME 'krb5EncryptionType'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.7
        NAME 'krb5ValidStart'
        EQUALITY generalizedTimeMatch
        ORDERING generalizedTimeOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.5322.10.1.8
        NAME 'krb5ValidEnd'
        EQUALITY generalizedTimeMatch
        ORDERING generalizedTimeOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.5322.10.1.9
        NAME 'krb5PasswordEnd'
        EQUALITY generalizedTimeMatch
        ORDERING generalizedTimeOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE )

# This is temporary; keys will eventually
# be child entries or compound attributes.
#
# krb5Key holds the principal's long-term key material, and possession of
# that key is equivalent to possession of the principal's credentials.
# Restrict read access to this attribute in slapd's access control rules
# to the identity the KDC binds as; do not leave it readable by ordinary
# directory users.
attributetype ( 1.3.6.1.4.1.5322.10.1.10
        NAME 'krb5Key'
        DESC 'Encoded ASN1 Key as an octet string'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

attributetype ( 1.3.6.1.4.1.5322.10.1.11
        NAME 'krb5PrincipalRealm'
        DESC 'Distinguished name of krb5Realm entry'
        SUP distinguishedName )

attributetype ( 1.3.6.1.4.1.5322.10.1.12
        NAME 'krb5RealmName'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

# Object class definitions

objectclass ( 1.3.6.1.4.1.5322.10.2.1
        NAME 'krb5Principal'
        SUP top
        AUXILIARY
        MUST ( krb5PrincipalName )
        MAY ( cn $ krb5PrincipalRealm ) )

objectclass ( 1.3.6.1.4.1.5322.10.2.2
        NAME 'krb5KDCEntry'
        SUP krb5Principal
        AUXILIARY
        MUST ( krb5KeyVersionNumber )
        MAY ( krb5ValidStart $ krb5ValidEnd $ krb5PasswordEnd $
              krb5MaxLife $ krb5MaxRenew $ krb5KDCFlags $
              krb5EncryptionType $ krb5Key ) )

objectclass ( 1.3.6.1.4.1.5322.10.2.3
        NAME 'krb5Realm'
        SUP top
        AUXILIARY
        MUST ( krb5RealmName ) )
