# 1800 South Novell Place
# Provo, UT 84606
#
-# VeRsIoN=1.3
+# VeRsIoN=1.0
# CoPyRiGhT=(c) Copyright 2005, Novell, Inc. All rights reserved
#
# OIDs:
# Kerberos LDAP Extensions (100)
# specific extensions
+########################################################################
+
+
########################################################################
# Attribute Type Definitions #
########################################################################
-##### This is the principal name in the RFC 1510 specified format
+##### This is the principal name in the RFC 1964 specified format
-attributetype (
- 2.16.840.1.113719.1.301.4.1
+attributetype ( 2.16.840.1.113719.1.301.4.1
NAME 'krbPrincipalName'
EQUALITY caseExactIA5Match
- SUBSTR caseExactSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- )
-
-##### This is the foreign principal name in the RFC 1510 specified format
-
-attributetype (
- 2.16.840.1.113719.1.301.4.2
- NAME 'krbForeignPrincipalName'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- )
+ SUBSTR caseExactSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
##### This specifies the type of the principal, the types could be any of
-##### the following, (refer RFC 1510)
-##### NT_UNKNOWN 0
-##### NT_PRINCIPAL 1
-##### NT_SRV_INST 2
-##### NT_SRV_HST 3
-##### NT_SRV_XHST 4
-##### NT_UID 5
-##### The following is a special principal type as explained,
-##### This is used for X.500 principal names, coded as a Base-64 encoding of the
-##### ASN.1 representation of the distinguished X.500 name. This Base-64 encoding
-##### should be the first element of the principal name (that has only one element)
-##### This constant corresponds to the NT-X500-PRINCIPAL principal type that is
-##### specified in the latest PK INIT IETF draft.
-##### X500_PRINCIPAL 6
-
-attributetype (
- 2.16.840.1.113719.1.301.4.3
+##### the types mentioned in section 6.2 of RFC 4120
+
+attributetype ( 2.16.840.1.113719.1.301.4.3
NAME 'krbPrincipalType'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE
- )
-
-
-##### This attribute holds the principal's secret key that is encrypted with
-##### the master key.
-##### The attribute holds data as follows,
-##### First 2 bytes Length of principal name (princNameLength)
-##### Next 2 bytes Current version of the principal key
-##### Next 2 bytes Version of the master key used to encrypt this principal key
-##### Next 4 bytes Time when password was last chaged
-##### Next 2 bytes Number of keys for the principal (noOfKeys)
-##### Next 2 bytes Key type of the first key
-##### Next 2 bytes Length of the first key (keyLength[1])
-##### Next 2 bytes Salt type of the first key
-##### Next 2 bytes Salt Length of the first key (saltLength[1])
-##### ... ... (other principals...)
-##### Next 2 bytes Key type of the last key (There will be "noOfKeys" keys)
-##### Next 2 bytes Length of the last key (keyLength[noOfKeys])
-##### Next 2 bytes Salt type of the last key (There will be "noOfKeys" keys)
-##### Next 2 bytes Salt Length of the last key (saltLength[noOfKeys])
-##### Principal name (of princNameLength)
-##### Principal's first key (of keyLength[1])
-##### Principal's first salt (of saltLength[1])
-##### ... ... (other principals...)
-##### Principal's last key (of keyLength[noOfKeys])
-##### Principal's last salt (saltLength[noOfKeys])
-##### The byte encoding is in the big endian format.
-
-attributetype (
- 2.16.840.1.113719.1.301.4.4
- NAME 'krbSecretKey'
- EQUALITY octetStringMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
- )
+ SINGLE-VALUE)
-##### This flag is used to find whether Universal Password is to be used
+##### This flag is used to find whether directory User Password has to be used
##### as kerberos password.
-##### TRUE, if UP is to be used as the kerberos password.
-##### FALSE, if UP and the kerberos password are different.
+##### TRUE, if User Password is to be used as the kerberos password.
+##### FALSE, if User Password and the kerberos password are different.
-attributetype (
- 2.16.840.1.113719.1.301.4.5
+attributetype ( 2.16.840.1.113719.1.301.4.5
NAME 'krbUPEnabled'
DESC 'Boolean'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE
- )
+ SINGLE-VALUE)
##### The time at which the principal expires
-attributetype (
- 2.16.840.1.113719.1.301.4.6
+attributetype ( 2.16.840.1.113719.1.301.4.6
NAME 'krbPrincipalExpiration'
EQUALITY generalizedTimeMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
- SINGLE-VALUE
- )
-
+ SINGLE-VALUE)
-##### FDN pointing to a Kerberos Policy object
-
-attributetype (
- 2.16.840.1.113719.1.301.4.7
- NAME 'krbPolicyReference'
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
- SINGLE-VALUE
- )
-
-##### The time at which the principal's password expires
-# should be moved to the end of the attributes' list
-
-attributetype (
- 2.16.840.1.113719.1.301.4.37
- NAME 'krbPasswordExpiration'
- EQUALITY generalizedTimeMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
- SINGLE-VALUE
- )
##### The krbTicketFlags attribute holds information about the kerberos flags for a principal
-##### The flags as per RFC 1510 are,
+##### The flags and values as per RFC 4120 and MIT implementation are,
##### DISALLOW_POSTDATED 0x00000001
##### DISALLOW_FORWARDABLE 0x00000002
##### DISALLOW_TGT_BASED 0x00000004
##### PWCHANGE_SERVICE 0x00002000
-attributetype (
- 2.16.840.1.113719.1.301.4.8
+attributetype ( 2.16.840.1.113719.1.301.4.8
NAME 'krbTicketFlags'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE
- )
+ SINGLE-VALUE)
##### The maximum ticket lifetime for a principal in seconds
-attributetype (
- 2.16.840.1.113719.1.301.4.9
+attributetype ( 2.16.840.1.113719.1.301.4.9
NAME 'krbMaxTicketLife'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE
- )
+ SINGLE-VALUE)
##### Maximum renewable lifetime for a principal's ticket in seconds
-attributetype (
- 2.16.840.1.113719.1.301.4.10
+attributetype ( 2.16.840.1.113719.1.301.4.10
NAME 'krbMaxRenewableAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE
- )
-
-
-##### This is a set of flags that a Kerberos server requires to enable/disable
-##### support of certain features.
-##### The flags are as follows,
-##### AUTO_RESTART (1 << 0)
-##### CHECK_ADDRESSES (1 << 1)
-##### SUPPORT_V4 (1 << 2)
-##### USE_PRI_PORT (1 << 3)
-##### USE_SEC_PORT (1 << 4)
-##### USE_TCP (1 << 5)
-##### UNIXTIME_OLD_PATYPE (1 << 6)
-
-attributetype (
- 2.16.840.1.113719.1.301.4.11
- NAME 'krbServiceFlags'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE
- )
+ SINGLE-VALUE)
##### Forward reference to the Realm object.
##### (FDN of the krbRealmContainer object).
##### Example: cn=ACME.COM, cn=Kerberos, cn=Security
-attributetype (
- 2.16.840.1.113719.1.301.4.14
+attributetype ( 2.16.840.1.113719.1.301.4.14
NAME 'krbRealmReferences'
EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
- )
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
##### List of LDAP servers that kerberos servers can contact.
-##### The attribute holds data in the following format,
-##### HostName-or-IPAddress#Port
-##### Where, "#" is a delimiter.
-##### Examples: acme.com#636, 164.164.164.164#1636
+##### The attribute holds data in the ldap uri format,
+##### Examples: acme.com#636, 164.164.164.164#1636, ldaps://acme.com:636
#####
##### The values of this attribute need to be updated, when
##### the LDAP servers listed here are renamed, moved or deleted.
-attributetype (
- 2.16.840.1.113719.1.301.4.15
+attributetype ( 2.16.840.1.113719.1.301.4.15
NAME 'krbLdapServers'
EQUALITY caseIgnoreMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
- )
-
-
-##### Forward reference to an entry that starts a sub-tree
-##### where principals and other kerberos objects in the realm are configured.
-##### Example: ou=acme, ou=pq, o=xyz
-
-attributetype (
- 2.16.840.1.113719.1.301.4.16
- NAME 'krbSubTree'
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
- SINGLE-VALUE
- )
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
##### A set of forward references to the KDC Service objects.
##### (FDNs of the krbKdcService objects).
##### Example: cn=kdc - server 1, ou=uvw, o=xyz
-attributetype (
- 2.16.840.1.113719.1.301.4.17
+attributetype ( 2.16.840.1.113719.1.301.4.17
NAME 'krbKdcServers'
EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
- )
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
##### A set of forward references to the Password Service objects.
##### (FDNs of the krbPwdService objects).
##### Example: cn=kpasswdd - server 1, ou=uvw, o=xyz
-attributetype (
- 2.16.840.1.113719.1.301.4.18
+attributetype ( 2.16.840.1.113719.1.301.4.18
NAME 'krbPwdServers'
EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
- )
-
-
-##### List of encryption types supported by the Realm.
-##### The supported encryption types are,
-##### DES_CBC_CRC 0x0001
-##### DES_CBC_MD4 0x0002
-##### DES_CBC_MD5 0x0003
-##### DES_CBC_RAW 0x0004
-##### DES3_CBC_SHA 0x0005
-##### DES3_CBC_RAW 0x0006
-##### DES_HMAC_SHA1 0x0008
-##### DES3_CBC_SHA1 0x0010
-##### AES128_CTS_HMAC_SHA1_96 0x0011
-##### AES256_CTS_HMAC_SHA1_96 0x0012
-##### ARCFOUR_HMAC 0x0017
-##### ARCFOUR_HMAC_EXP 0x0018
-
-attributetype (
- 2.16.840.1.113719.1.301.4.19
- NAME 'krbSupportedEncTypes'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- )
-
-
-##### List of salt types supported by the Realm.
-##### The supported salt types are,
-##### NORMAL 0
-##### V4 1
-##### NOREALM 2
-##### ONLYREALM 3
-##### SPECIAL 4
-##### AFS3 5
-
-attributetype (
- 2.16.840.1.113719.1.301.4.20
- NAME 'krbSupportedSaltTypes'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- )
-
-
-##### Default encryption type supported by the Realm.
-
-attributetype (
- 2.16.840.1.113719.1.301.4.21
- NAME 'krbDefaultEncType'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE
- )
-
-
-##### Default salt type supported by the Realm.
-
-attributetype (
- 2.16.840.1.113719.1.301.4.22
- NAME 'krbDefaultSaltType'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE
- )
-
-
-##### This attribute holds the kerberos master key.
-##### The encryption type used for generating the key will be the strongest available with NICI.
-##### This attribute will be encrypted with Tree Key and stored.
-##### The attribute holds data as follows,
-##### First 2 bytes holds the version of the master key,
-##### Next 2 bytes holds the encryption type,
-##### Next 4 bytes holds the key length,
-##### Followed by the key.
-##### The byte encoding is in the big endian format.
-
-attributetype (
- 2.16.840.1.113719.1.301.4.23
- NAME 'krbMasterKey'
- EQUALITY octetStringMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
- )
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
##### This attribute holds the Host Name or the ip address,
##### The format is host_name-or-ip_address#protocol#port
##### Protocol can be 0 or 1. 0 is for UDP. 1 is for TCP.
-attributetype (
- 2.16.840.1.113719.1.301.4.24
+attributetype ( 2.16.840.1.113719.1.301.4.24
NAME 'krbHostServer'
EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- )
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
##### This attribute holds the scope for searching the principals
##### under krbSubTree attribute of krbRealmContainer
##### The value can either be 1 (ONE) or 2 (SUB_TREE).
-attributetype (
- 2.16.840.1.113719.1.301.4.25
+attributetype ( 2.16.840.1.113719.1.301.4.25
NAME 'krbSearchScope'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE
- )
+ SINGLE-VALUE)
-##### FDNs pointing to Kerberos Service principals
+##### FDNs pointing to Kerberos principals
-attributetype (
- 2.16.840.1.113719.1.301.4.26
+attributetype ( 2.16.840.1.113719.1.301.4.26
NAME 'krbPrincipalReferences'
EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
- )
-
-
-##### FDN pointing to the Kerberos container in the tree
-##### If this attribute is not present, then the default
-##### value is cn=Kerberos,cn=Security
-
-attributetype (
- 2.16.840.1.113719.1.301.4.27
- NAME 'krbContainerReference'
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
- SINGLE-VALUE
- )
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
##### This attribute specifies which attribute of the user objects
##### be used as the principal name component for Kerberos.
##### The allowed values are cn, sn, uid, givenname, fullname.
-attributetype (
- 2.16.840.1.113719.1.301.4.28
+attributetype ( 2.16.840.1.113719.1.301.4.28
NAME 'krbPrincNamingAttr'
- DESC 'String'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
- SINGLE-VALUE
- )
+ SINGLE-VALUE)
##### A set of forward references to the Administration Service objects.
##### (FDNs of the krbAdmService objects).
##### Example: cn=kadmindd - server 1, ou=uvw, o=xyz
-attributetype (
- 2.16.840.1.113719.1.301.4.29
+attributetype ( 2.16.840.1.113719.1.301.4.29
NAME 'krbAdmServers'
EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
- )
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
##### Maximum lifetime of a principal's password
-attributetype (
- 2.16.840.1.113719.1.301.4.30
+attributetype ( 2.16.840.1.113719.1.301.4.30
NAME 'krbMaxPwdLife'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE
- )
+ SINGLE-VALUE)
##### Minimum lifetime of a principal's password
-attributetype (
- 2.16.840.1.113719.1.301.4.31
+attributetype ( 2.16.840.1.113719.1.301.4.31
NAME 'krbMinPwdLife'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE
- )
+ SINGLE-VALUE)
##### Minimum number of character clases allowed in a password
-attributetype (
- 2.16.840.1.113719.1.301.4.32
+attributetype ( 2.16.840.1.113719.1.301.4.32
NAME 'krbPwdMinDiffChars'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE
- )
+ SINGLE-VALUE)
##### Minimum length of the password
-attributetype (
- 2.16.840.1.113719.1.301.4.33
+attributetype ( 2.16.840.1.113719.1.301.4.33
NAME 'krbPwdMinLength'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE
- )
+ SINGLE-VALUE)
##### Number of previous versions of passwords that are stored
-attributetype (
- 2.16.840.1.113719.1.301.4.34
+attributetype ( 2.16.840.1.113719.1.301.4.34
NAME 'krbPwdHistoryLength'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE
- )
+ SINGLE-VALUE)
-##### Number of principals that refer to this policy
+##### FDN pointing to a Kerberos Password Policy object
-attributetype (
- 2.16.840.1.113719.1.301.4.35
- NAME 'krbPwdPolicyRefCount'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE
- )
+attributetype ( 2.16.840.1.113719.1.301.4.36
+ NAME 'krbPwdPolicyReference'
+ EQUALITY distinguishedNameMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
+ SINGLE-VALUE)
-##### FDN pointing to a Kerberos Password Policy object
+##### The time at which the principal's password expires
-attributetype (
- 2.16.840.1.113719.1.301.4.36
- NAME 'krbPwdPolicyReference'
+attributetype ( 2.16.840.1.113719.1.301.4.37
+ NAME 'krbPasswordExpiration'
+ EQUALITY generalizedTimeMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+ SINGLE-VALUE)
+
+
+##### This attribute holds the principal's key (krbPrincipalKey) that is encrypted with
+##### the master key (krbMKey).
+##### The attribute is ASN.1 encoded.
+#####
+##### The format of the value for this attribute is explained below,
+##### KrbKeySet ::= SEQUENCE {
+##### attribute-major-vno [0] UInt16,
+##### attribute-minor-vno [1] UInt16,
+##### kvno [2] UInt32,
+##### mkvno [3] UInt32 OPTIONAL,
+##### keys [4] SEQUENCE OF KrbKey,
+##### ...
+##### }
+#####
+##### KrbKey ::= SEQUENCE {
+##### salt [0] KrbSalt OPTIONAL,
+##### key [1] EncryptionKey,
+##### s2kparams [2] OCTET STRING OPTIONAL,
+##### ...
+##### }
+#####
+##### KrbSalt ::= SEQUENCE {
+##### type [0] Int32,
+##### salt [1] OCTET STRING OPTIONAL
+##### }
+#####
+##### EncryptionKey ::= SEQUENCE {
+##### keytype [0] Int32,
+##### keyvalue [1] OCTET STRING
+##### }
+
+attributetype ( 2.16.840.1.113719.1.301.4.39
+ NAME 'krbPrincipalKey'
+ EQUALITY octetStringMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
+
+
+##### FDN pointing to a Kerberos Ticket Policy object.
+
+attributetype ( 2.16.840.1.113719.1.301.4.40
+ NAME 'krbTicketPolicyReference'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
- SINGLE-VALUE
- )
+ SINGLE-VALUE)
+
+
+##### Forward reference to an entry that starts sub-trees
+##### where principals and other kerberos objects in the realm are configured.
+##### Example: ou=acme, ou=pq, o=xyz
+
+attributetype ( 2.16.840.1.113719.1.301.4.41
+ NAME 'krbSubTrees'
+ EQUALITY distinguishedNameMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
+
-##### Ticket Policy Reference Count
+##### Holds the default encryption/salt type combinations of principals for
+##### the Realm. Stores in the form of key:salt strings. This will be
+##### subset of the supported encryption/salt types.
+##### Example: des-cbc-crc:normal
-attributetype ( 2.16.840.1.113719.1.301.4.38
- NAME 'krbPolicyRefCount'
+attributetype ( 2.16.840.1.113719.1.301.4.42
+ NAME 'krbDefaultEncSaltTypes'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
+
+
+##### Holds the supported encryption/salt type combinations of principals for
+##### the Realm. Stores in the form of key:salt strings.
+##### The supported encryption types are mentioned in RFC 3961
+##### The supported salt types are,
+##### NORMAL
+##### V4
+##### NOREALM
+##### ONLYREALM
+##### SPECIAL
+##### AFS3
+##### Example: des-cbc-crc:normal
+
+attributetype ( 2.16.840.1.113719.1.301.4.43
+ NAME 'krbSupportedEncSaltTypes'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
+
+
+##### This attribute holds the principal's old keys (krbPwdHistory) that is encrypted with
+##### the kadmin/history key.
+##### The attribute is ASN.1 encoded.
+#####
+##### The format of the value for this attribute is explained below,
+##### KrbKeySet ::= SEQUENCE {
+##### attribute-major-vno [0] UInt16,
+##### attribute-minor-vno [1] UInt16,
+##### kvno [2] UInt32,
+##### mkvno [3] UInt32 OPTIONAL -- actually kadmin/history key,
+##### keys [4] SEQUENCE OF KrbKey,
+##### ...
+##### }
+#####
+##### KrbKey ::= SEQUENCE {
+##### salt [0] KrbSalt OPTIONAL,
+##### key [1] EncryptionKey,
+##### s2kparams [2] OCTET STRING OPTIONAL,
+##### ...
+##### }
+#####
+##### KrbSalt ::= SEQUENCE {
+##### type [0] Int32,
+##### salt [1] OCTET STRING OPTIONAL
+##### }
+#####
+##### EncryptionKey ::= SEQUENCE {
+##### keytype [0] Int32,
+##### keyvalue [1] OCTET STRING
+##### }
+
+attributetype ( 2.16.840.1.113719.1.301.4.44
+ NAME 'krbPwdHistory'
+ EQUALITY octetStringMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
+
+
+##### The time at which the principal's password last password change happened.
+
+attributetype ( 2.16.840.1.113719.1.301.4.45
+ NAME 'krbLastPwdChange'
+ EQUALITY generalizedTimeMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+ SINGLE-VALUE)
+
+
+##### This attribute holds the kerberos master key.
+##### This can be used to encrypt principal keys.
+##### This attribute has to be secured in directory.
+#####
+##### This attribute is ASN.1 encoded.
+##### The format of the value for this attribute is explained below,
+##### KrbMKey ::= SEQUENCE {
+##### kvno [0] UInt32,
+##### key [1] MasterKey
+##### }
+#####
+##### MasterKey ::= SEQUENCE {
+##### keytype [0] Int32,
+##### keyvalue [1] OCTET STRING
+##### }
+
+
+attributetype ( 2.16.840.1.113719.1.301.4.46
+ NAME 'krbMKey'
+ EQUALITY octetStringMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
+
+
+##### This stores the alternate principal names for the principal in the RFC 1961 specified format
+
+attributetype ( 2.16.840.1.113719.1.301.4.47
+ NAME 'krbPrincipalAliases'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
+
+
+##### The time at which the principal's last successful authentication happened.
+
+attributetype ( 2.16.840.1.113719.1.301.4.48
+ NAME 'krbLastSuccessfulAuth'
+ EQUALITY generalizedTimeMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+ SINGLE-VALUE)
+
+
+##### The time at which the principal's last failed authentication happened.
+
+attributetype ( 2.16.840.1.113719.1.301.4.49
+ NAME 'krbLastFailedAuth'
+ EQUALITY generalizedTimeMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+ SINGLE-VALUE)
+
+
+##### This attribute stores the number of failed authentication attempts
+##### happened for the principal since the last successful authentication.
+
+attributetype ( 2.16.840.1.113719.1.301.4.50
+ NAME 'krbLoginFailedCount'
EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE
- )
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE)
+
+
+
+##### This attribute holds the application specific data.
+
+attributetype ( 2.16.840.1.113719.1.301.4.51
+ NAME 'krbExtraData'
+ EQUALITY octetStringMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
+
+
+##### This attributes holds references to the set of directory objects.
+##### This stores the DNs of the directory objects to which the
+##### principal object belongs to.
+
+attributetype ( 2.16.840.1.113719.1.301.4.52
+ NAME 'krbObjectReferences'
+ EQUALITY distinguishedNameMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
+
+##### This attribute holds references to a Container object where
+##### the additional principal objects and stand alone principal
+##### objects (krbPrincipal) can be created.
+
+attributetype ( 2.16.840.1.113719.1.301.4.53
+ NAME 'krbPrincContainerRef'
+ EQUALITY distinguishedNameMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
+
+
+########################################################################
########################################################################
# Object Class Definitions #
########################################################################
#### This is a kerberos container for all the realms in a tree.
-objectClass (
- 2.16.840.1.113719.1.301.6.1
+objectclass ( 2.16.840.1.113719.1.301.6.1
NAME 'krbContainer'
SUP top
- MUST ( cn )
- MAY ( krbPolicyReference)
- )
+ STRUCTURAL
+ MUST ( cn ) )
+
##### The krbRealmContainer is created per realm and holds realm specific data.
-objectClass (
- 2.16.840.1.113719.1.301.6.2
+objectclass ( 2.16.840.1.113719.1.301.6.2
NAME 'krbRealmContainer'
SUP top
+ STRUCTURAL
MUST ( cn )
- MAY ( krbMasterKey $ krbUPEnabled $ krbSubTree $ krbSearchScope $ krbLdapServers $ krbSupportedEncTypes $ krbSupportedSaltTypes $ krbDefaultEncType $ krbDefaultSaltType $ krbPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr )
- )
+ MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef ) )
##### An instance of a class derived from krbService is created per
#####
##### krbKdcService, krbAdmService and krbPwdService derive from this class.
-objectClass (
- 2.16.840.1.113719.1.301.6.3
+objectclass ( 2.16.840.1.113719.1.301.6.3
NAME 'krbService'
+ SUP top
ABSTRACT
- SUP ( top )
MUST ( cn )
- MAY ( krbHostServer $ krbServiceFlags $ krbRealmReferences $ userPassword )
- )
+ MAY ( krbHostServer $ krbRealmReferences ) )
+
-##### Representative object for the KDC server to log onto eDirectory
-##### and have a connection Id to access Kerberos data and have the required ACL's
+##### Representative object for the KDC server to bind into a LDAP directory
+##### and have a connection to access Kerberos data with the required
+##### access rights.
-objectClass (
- 2.16.840.1.113719.1.301.6.4
+objectclass ( 2.16.840.1.113719.1.301.6.4
NAME 'krbKdcService'
- SUP ( krbService )
- )
+ SUP krbService
+ STRUCTURAL )
-##### Representative object for the Kerberos Password server to log into eDirectory
-##### and have a connection Id to access Kerberos data and have the required ACL's
+##### Representative object for the Kerberos Password server to bind into a LDAP directory
+##### and have a connection to access Kerberos data with the required
+##### access rights.
-objectClass (
- 2.16.840.1.113719.1.301.6.5
+objectclass ( 2.16.840.1.113719.1.301.6.5
NAME 'krbPwdService'
- SUP ( krbService )
- )
-
-##### The krbPolicyAux holds Kerberos ticket policy attributes.
-##### This class can be attached to a principal object or realm object.
+ SUP krbService
+ STRUCTURAL )
-objectClass (
- 2.16.840.1.113719.1.301.6.6
- NAME 'krbPolicyAux'
- AUXILIARY
- MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge )
- )
-
-
-##### The krbPolicy object is an effective policy that is associated with a realm or a principal
-
-objectClass (
- 2.16.840.1.113719.1.301.6.7
- NAME 'krbPolicy'
- SUP top
- MUST ( cn )
- MAY ( krbPolicyRefCount )
- )
###### The principal data auxiliary class. Holds principal information
-###### and is used to store principal information for Users and any services.
+###### and is used to store principal information for Person, Service objects.
-objectClass (
- 2.16.840.1.113719.1.301.6.8
+objectclass ( 2.16.840.1.113719.1.301.6.8
NAME 'krbPrincipalAux'
+ SUP top
AUXILIARY
- MAY ( krbPrincipalName $ krbUPEnabled $ krbSecretKey $ krbPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration )
- )
+ MAY ( krbPrincipalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )
-###### This object is created to hold principals of type other than USER.
+###### This class is used to create additional principals and stand alone principals.
-objectClass (
- 2.16.840.1.113719.1.301.6.9
+objectclass ( 2.16.840.1.113719.1.301.6.9
NAME 'krbPrincipal'
- SUP ( top )
+ SUP top
MUST ( krbPrincipalName )
- MAY ( krbPrincipalType )
- )
-
-###### The foreign principal data auxiliary class. Holds all foreign principal information
-###### and is used to store foreign principal information for Users.
+ MAY ( krbObjectReferences ) )
-objectClass (
- 2.16.840.1.113719.1.301.6.10
- NAME 'krbForeignPrincipalAux'
- AUXILIARY
- MAY krbForeignPrincipalName
- )
###### The principal references auxiliary class. Holds all principals referred
###### from a service
-objectClass (
- 2.16.840.1.113719.1.301.6.11
+objectclass ( 2.16.840.1.113719.1.301.6.11
NAME 'krbPrincRefAux'
+ SUP top
AUXILIARY
- MAY krbPrincipalReferences
- )
-
-
-###### Kerberos container references auxiliary class. Holds the location
-###### of the Kerberos container object within an eDirectory tree.
-
-objectClass (
- 2.16.840.1.113719.1.301.6.12
- NAME 'krbContainerRefAux'
- AUXILIARY
- MAY krbContainerReference
- )
+ MAY krbPrincipalReferences )
-##### Representative object for the Kerberos Administration server to log into eDirectory
-##### and have a connection Id to access Kerberos data and have the required ACL's
+##### Representative object for the Kerberos Administration server to bind into a LDAP directory
+##### and have a connection Id to access Kerberos data with the required access rights.
-objectClass (
- 2.16.840.1.113719.1.301.6.13
+objectclass ( 2.16.840.1.113719.1.301.6.13
NAME 'krbAdmService'
- SUP ( krbService )
- )
+ SUP krbService
+ STRUCTURAL )
+
##### The krbPwdPolicy object is a template password policy that
##### can be applied to principals when they are created.
##### These policy attributes will be in effect, when the Kerberos
##### passwords are different from users' passwords (UP).
-objectClass (
- 2.16.840.1.113719.1.301.6.14
+objectclass ( 2.16.840.1.113719.1.301.6.14
NAME 'krbPwdPolicy'
SUP top
MUST ( cn )
- MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdPolicyRefCount)
- )
+ MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength ) )
+
-###### The password policy reference auxiliary class.
-###### Holds the DN of the password policy object. This is to be attached to principals.
+##### The krbTicketPolicyAux holds Kerberos ticket policy attributes.
+##### This class can be attached to a principal object or realm object.
-objectClass (
- 2.16.840.1.113719.1.301.6.15
- NAME 'krbPwdPolicyRefAux'
+objectclass ( 2.16.840.1.113719.1.301.6.16
+ NAME 'krbTicketPolicyAux'
+ SUP top
AUXILIARY
- MAY ( krbPwdPolicyReference )
- )
+ MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )
+
+
+##### The krbTicketPolicy object is an effective ticket policy that is associated with a realm or a principal
+
+objectclass ( 2.16.840.1.113719.1.301.6.17
+ NAME 'krbTicketPolicy'
+ SUP top
+ MUST ( cn ) )
projects / krb5.git / commitdiff