From: Ken Raeburn Date: Fri, 6 Oct 2006 23:58:43 +0000 (+0000) Subject: 10/3 patch from Savitha R, part 2, patch-krb-schema.diff X-Git-Tag: krb5-1.6-alpha1~95 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=391fbbe2f9c016f65594472b3ab4c6ddb60e4535;p=krb5.git 10/3 patch from Savitha R, part 2, patch-krb-schema.diff git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18658 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema index 4f3a0fb9d..bacde5d1b 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema +++ b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema @@ -3,7 +3,7 @@ # 1800 South Novell Place # Provo, UT 84606 # -# VeRsIoN=1.3 +# VeRsIoN=1.0 # CoPyRiGhT=(c) Copyright 2005, Novell, Inc. All rights reserved # # OIDs: 
@@ -23,136 +23,55 @@ # Kerberos LDAP Extensions (100) # specific extensions +######################################################################## + + ######################################################################## # Attribute Type Definitions # ######################################################################## -##### This is the principal name in the RFC 1510 specified format +##### This is the principal name in the RFC 1964 specified format -attributetype ( - 2.16.840.1.113719.1.301.4.1 +attributetype ( 2.16.840.1.113719.1.301.4.1 NAME 'krbPrincipalName' EQUALITY caseExactIA5Match - SUBSTR caseExactSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 - ) - -##### This is the foreign principal name in the RFC 1510 specified format - -attributetype ( - 2.16.840.1.113719.1.301.4.2 - NAME 'krbForeignPrincipalName' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 - ) + SUBSTR caseExactSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) ##### This specifies the type of the principal, the types could be any of -##### the following, (refer RFC 1510) -##### NT_UNKNOWN 0 -##### NT_PRINCIPAL 1 -##### NT_SRV_INST 2 -##### NT_SRV_HST 3 -##### NT_SRV_XHST 4 -##### NT_UID 5 -##### The following is a special principal type as explained, -##### This is used for X.500 principal names, coded as a Base-64 encoding of the -##### ASN.1 representation of the distinguished X.500 name. This Base-64 encoding -##### should be the first element of the principal name (that has only one element) -##### This constant corresponds to the NT-X500-PRINCIPAL principal type that is -##### specified in the latest PK INIT IETF draft. 
-##### X500_PRINCIPAL 6 - -attributetype ( - 2.16.840.1.113719.1.301.4.3 +##### the types mentioned in section 6.2 of RFC 4120 + +attributetype ( 2.16.840.1.113719.1.301.4.3 NAME 'krbPrincipalType' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE - ) - - -##### This attribute holds the principal's secret key that is encrypted with -##### the master key. -##### The attribute holds data as follows, -##### First 2 bytes Length of principal name (princNameLength) -##### Next 2 bytes Current version of the principal key -##### Next 2 bytes Version of the master key used to encrypt this principal key -##### Next 4 bytes Time when password was last chaged -##### Next 2 bytes Number of keys for the principal (noOfKeys) -##### Next 2 bytes Key type of the first key -##### Next 2 bytes Length of the first key (keyLength[1]) -##### Next 2 bytes Salt type of the first key -##### Next 2 bytes Salt Length of the first key (saltLength[1]) -##### ... ... (other principals...) -##### Next 2 bytes Key type of the last key (There will be "noOfKeys" keys) -##### Next 2 bytes Length of the last key (keyLength[noOfKeys]) -##### Next 2 bytes Salt type of the last key (There will be "noOfKeys" keys) -##### Next 2 bytes Salt Length of the last key (saltLength[noOfKeys]) -##### Principal name (of princNameLength) -##### Principal's first key (of keyLength[1]) -##### Principal's first salt (of saltLength[1]) -##### ... ... (other principals...) -##### Principal's last key (of keyLength[noOfKeys]) -##### Principal's last salt (saltLength[noOfKeys]) -##### The byte encoding is in the big endian format. - -attributetype ( - 2.16.840.1.113719.1.301.4.4 - NAME 'krbSecretKey' - EQUALITY octetStringMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 - ) + SINGLE-VALUE) -##### This flag is used to find whether Universal Password is to be used +##### This flag is used to find whether directory User Password has to be used ##### as kerberos password. 
-##### TRUE, if UP is to be used as the kerberos password. -##### FALSE, if UP and the kerberos password are different. +##### TRUE, if User Password is to be used as the kerberos password. +##### FALSE, if User Password and the kerberos password are different. -attributetype ( - 2.16.840.1.113719.1.301.4.5 +attributetype ( 2.16.840.1.113719.1.301.4.5 NAME 'krbUPEnabled' DESC 'Boolean' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 - SINGLE-VALUE - ) + SINGLE-VALUE) ##### The time at which the principal expires -attributetype ( - 2.16.840.1.113719.1.301.4.6 +attributetype ( 2.16.840.1.113719.1.301.4.6 NAME 'krbPrincipalExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 - SINGLE-VALUE - ) - + SINGLE-VALUE) -##### FDN pointing to a Kerberos Policy object - -attributetype ( - 2.16.840.1.113719.1.301.4.7 - NAME 'krbPolicyReference' - EQUALITY distinguishedNameMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 - SINGLE-VALUE - ) - -##### The time at which the principal's password expires -# should be moved to the end of the attributes' list - -attributetype ( - 2.16.840.1.113719.1.301.4.37 - NAME 'krbPasswordExpiration' - EQUALITY generalizedTimeMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 - SINGLE-VALUE - ) ##### The krbTicketFlags attribute holds information about the kerberos flags for a principal -##### The flags as per RFC 1510 are, +##### The flags and values as per RFC 4120 and MIT implementation are, ##### DISALLOW_POSTDATED 0x00000001 ##### DISALLOW_FORWARDABLE 0x00000002 ##### DISALLOW_TGT_BASED 0x00000004 
@@ -167,201 +86,72 @@ attributetype ( ##### PWCHANGE_SERVICE 0x00002000 -attributetype ( - 2.16.840.1.113719.1.301.4.8 +attributetype ( 2.16.840.1.113719.1.301.4.8 NAME 'krbTicketFlags' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE - ) + SINGLE-VALUE) ##### The maximum ticket lifetime for a principal in seconds -attributetype ( - 2.16.840.1.113719.1.301.4.9 +attributetype ( 2.16.840.1.113719.1.301.4.9 NAME 'krbMaxTicketLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE - ) + SINGLE-VALUE) ##### Maximum renewable lifetime for a principal's ticket in seconds -attributetype ( - 2.16.840.1.113719.1.301.4.10 +attributetype ( 2.16.840.1.113719.1.301.4.10 NAME 'krbMaxRenewableAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE - ) - - -##### This is a set of flags that a Kerberos server requires to enable/disable -##### support of certain features. -##### The flags are as follows, -##### AUTO_RESTART (1 << 0) -##### CHECK_ADDRESSES (1 << 1) -##### SUPPORT_V4 (1 << 2) -##### USE_PRI_PORT (1 << 3) -##### USE_SEC_PORT (1 << 4) -##### USE_TCP (1 << 5) -##### UNIXTIME_OLD_PATYPE (1 << 6) - -attributetype ( - 2.16.840.1.113719.1.301.4.11 - NAME 'krbServiceFlags' - EQUALITY integerMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE - ) + SINGLE-VALUE) ##### Forward reference to the Realm object. ##### (FDN of the krbRealmContainer object). ##### Example: cn=ACME.COM, cn=Kerberos, cn=Security -attributetype ( - 2.16.840.1.113719.1.301.4.14 +attributetype ( 2.16.840.1.113719.1.301.4.14 NAME 'krbRealmReferences' EQUALITY distinguishedNameMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 - ) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) ##### List of LDAP servers that kerberos servers can contact. -##### The attribute holds data in the following format, -##### HostName-or-IPAddress#Port -##### Where, "#" is a delimiter. 
-##### Examples: acme.com#636, 164.164.164.164#1636 +##### The attribute holds data in the ldap uri format, +##### Examples: acme.com#636, 164.164.164.164#1636, ldaps://acme.com:636 ##### ##### The values of this attribute need to be updated, when ##### the LDAP servers listed here are renamed, moved or deleted. -attributetype ( - 2.16.840.1.113719.1.301.4.15 +attributetype ( 2.16.840.1.113719.1.301.4.15 NAME 'krbLdapServers' EQUALITY caseIgnoreMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 - ) - - -##### Forward reference to an entry that starts a sub-tree -##### where principals and other kerberos objects in the realm are configured. -##### Example: ou=acme, ou=pq, o=xyz - -attributetype ( - 2.16.840.1.113719.1.301.4.16 - NAME 'krbSubTree' - EQUALITY distinguishedNameMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 - SINGLE-VALUE - ) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) ##### A set of forward references to the KDC Service objects. ##### (FDNs of the krbKdcService objects). ##### Example: cn=kdc - server 1, ou=uvw, o=xyz -attributetype ( - 2.16.840.1.113719.1.301.4.17 +attributetype ( 2.16.840.1.113719.1.301.4.17 NAME 'krbKdcServers' EQUALITY distinguishedNameMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 - ) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) ##### A set of forward references to the Password Service objects. ##### (FDNs of the krbPwdService objects). ##### Example: cn=kpasswdd - server 1, ou=uvw, o=xyz -attributetype ( - 2.16.840.1.113719.1.301.4.18 +attributetype ( 2.16.840.1.113719.1.301.4.18 NAME 'krbPwdServers' EQUALITY distinguishedNameMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 - ) - - -##### List of encryption types supported by the Realm. 
-##### The supported encryption types are, -##### DES_CBC_CRC 0x0001 -##### DES_CBC_MD4 0x0002 -##### DES_CBC_MD5 0x0003 -##### DES_CBC_RAW 0x0004 -##### DES3_CBC_SHA 0x0005 -##### DES3_CBC_RAW 0x0006 -##### DES_HMAC_SHA1 0x0008 -##### DES3_CBC_SHA1 0x0010 -##### AES128_CTS_HMAC_SHA1_96 0x0011 -##### AES256_CTS_HMAC_SHA1_96 0x0012 -##### ARCFOUR_HMAC 0x0017 -##### ARCFOUR_HMAC_EXP 0x0018 - -attributetype ( - 2.16.840.1.113719.1.301.4.19 - NAME 'krbSupportedEncTypes' - EQUALITY integerMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - ) - - -##### List of salt types supported by the Realm. -##### The supported salt types are, -##### NORMAL 0 -##### V4 1 -##### NOREALM 2 -##### ONLYREALM 3 -##### SPECIAL 4 -##### AFS3 5 - -attributetype ( - 2.16.840.1.113719.1.301.4.20 - NAME 'krbSupportedSaltTypes' - EQUALITY integerMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - ) - - -##### Default encryption type supported by the Realm. - -attributetype ( - 2.16.840.1.113719.1.301.4.21 - NAME 'krbDefaultEncType' - EQUALITY integerMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE - ) - - -##### Default salt type supported by the Realm. - -attributetype ( - 2.16.840.1.113719.1.301.4.22 - NAME 'krbDefaultSaltType' - EQUALITY integerMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE - ) - - -##### This attribute holds the kerberos master key. -##### The encryption type used for generating the key will be the strongest available with NICI. -##### This attribute will be encrypted with Tree Key and stored. -##### The attribute holds data as follows, -##### First 2 bytes holds the version of the master key, -##### Next 2 bytes holds the encryption type, -##### Next 4 bytes holds the key length, -##### Followed by the key. -##### The byte encoding is in the big endian format. 
- -attributetype ( - 2.16.840.1.113719.1.301.4.23 - NAME 'krbMasterKey' - EQUALITY octetStringMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 - ) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) ##### This attribute holds the Host Name or the ip address, 
@@ -369,184 +159,356 @@ attributetype ( ##### The format is host_name-or-ip_address#protocol#port ##### Protocol can be 0 or 1. 0 is for UDP. 1 is for TCP. -attributetype ( - 2.16.840.1.113719.1.301.4.24 +attributetype ( 2.16.840.1.113719.1.301.4.24 NAME 'krbHostServer' EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 - ) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) ##### This attribute holds the scope for searching the principals ##### under krbSubTree attribute of krbRealmContainer ##### The value can either be 1 (ONE) or 2 (SUB_TREE). -attributetype ( - 2.16.840.1.113719.1.301.4.25 +attributetype ( 2.16.840.1.113719.1.301.4.25 NAME 'krbSearchScope' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE - ) + SINGLE-VALUE) -##### FDNs pointing to Kerberos Service principals +##### FDNs pointing to Kerberos principals -attributetype ( - 2.16.840.1.113719.1.301.4.26 +attributetype ( 2.16.840.1.113719.1.301.4.26 NAME 'krbPrincipalReferences' EQUALITY distinguishedNameMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 - ) - - -##### FDN pointing to the Kerberos container in the tree -##### If this attribute is not present, then the default -##### value is cn=Kerberos,cn=Security - -attributetype ( - 2.16.840.1.113719.1.301.4.27 - NAME 'krbContainerReference' - EQUALITY distinguishedNameMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 - SINGLE-VALUE - ) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) ##### This attribute specifies which attribute of the user objects ##### be used as the principal name component for Kerberos. ##### The allowed values are cn, sn, uid, givenname, fullname. -attributetype ( - 2.16.840.1.113719.1.301.4.28 +attributetype ( 2.16.840.1.113719.1.301.4.28 NAME 'krbPrincNamingAttr' - DESC 'String' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 - SINGLE-VALUE - ) + SINGLE-VALUE) ##### A set of forward references to the Administration Service objects. ##### (FDNs of the krbAdmService objects). 
##### Example: cn=kadmindd - server 1, ou=uvw, o=xyz -attributetype ( - 2.16.840.1.113719.1.301.4.29 +attributetype ( 2.16.840.1.113719.1.301.4.29 NAME 'krbAdmServers' EQUALITY distinguishedNameMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 - ) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) ##### Maximum lifetime of a principal's password -attributetype ( - 2.16.840.1.113719.1.301.4.30 +attributetype ( 2.16.840.1.113719.1.301.4.30 NAME 'krbMaxPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE - ) + SINGLE-VALUE) ##### Minimum lifetime of a principal's password -attributetype ( - 2.16.840.1.113719.1.301.4.31 +attributetype ( 2.16.840.1.113719.1.301.4.31 NAME 'krbMinPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE - ) + SINGLE-VALUE) ##### Minimum number of character clases allowed in a password -attributetype ( - 2.16.840.1.113719.1.301.4.32 +attributetype ( 2.16.840.1.113719.1.301.4.32 NAME 'krbPwdMinDiffChars' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE - ) + SINGLE-VALUE) ##### Minimum length of the password -attributetype ( - 2.16.840.1.113719.1.301.4.33 +attributetype ( 2.16.840.1.113719.1.301.4.33 NAME 'krbPwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE - ) + SINGLE-VALUE) ##### Number of previous versions of passwords that are stored -attributetype ( - 2.16.840.1.113719.1.301.4.34 +attributetype ( 2.16.840.1.113719.1.301.4.34 NAME 'krbPwdHistoryLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE - ) + SINGLE-VALUE) -##### Number of principals that refer to this policy +##### FDN pointing to a Kerberos Password Policy object -attributetype ( - 2.16.840.1.113719.1.301.4.35 - NAME 'krbPwdPolicyRefCount' - EQUALITY integerMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE - ) +attributetype ( 2.16.840.1.113719.1.301.4.36 + NAME 'krbPwdPolicyReference' + EQUALITY distinguishedNameMatch + SYNTAX 
1.3.6.1.4.1.1466.115.121.1.12 + SINGLE-VALUE) -##### FDN pointing to a Kerberos Password Policy object +##### The time at which the principal's password expires -attributetype ( - 2.16.840.1.113719.1.301.4.36 - NAME 'krbPwdPolicyReference' +attributetype ( 2.16.840.1.113719.1.301.4.37 + NAME 'krbPasswordExpiration' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE) + + +##### This attribute holds the principal's key (krbPrincipalKey) that is encrypted with +##### the master key (krbMKey). +##### The attribute is ASN.1 encoded. +##### +##### The format of the value for this attribute is explained below, +##### KrbKeySet ::= SEQUENCE { +##### attribute-major-vno [0] UInt16, +##### attribute-minor-vno [1] UInt16, +##### kvno [2] UInt32, +##### mkvno [3] UInt32 OPTIONAL, +##### keys [4] SEQUENCE OF KrbKey, +##### ... +##### } +##### +##### KrbKey ::= SEQUENCE { +##### salt [0] KrbSalt OPTIONAL, +##### key [1] EncryptionKey, +##### s2kparams [2] OCTET STRING OPTIONAL, +##### ... +##### } +##### +##### KrbSalt ::= SEQUENCE { +##### type [0] Int32, +##### salt [1] OCTET STRING OPTIONAL +##### } +##### +##### EncryptionKey ::= SEQUENCE { +##### keytype [0] Int32, +##### keyvalue [1] OCTET STRING +##### } + +attributetype ( 2.16.840.1.113719.1.301.4.39 + NAME 'krbPrincipalKey' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40) + + +##### FDN pointing to a Kerberos Ticket Policy object. + +attributetype ( 2.16.840.1.113719.1.301.4.40 + NAME 'krbTicketPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 - SINGLE-VALUE - ) + SINGLE-VALUE) + + +##### Forward reference to an entry that starts sub-trees +##### where principals and other kerberos objects in the realm are configured. 
+##### Example: ou=acme, ou=pq, o=xyz + +attributetype ( 2.16.840.1.113719.1.301.4.41 + NAME 'krbSubTrees' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) + -##### Ticket Policy Reference Count +##### Holds the default encryption/salt type combinations of principals for +##### the Realm. Stores in the form of key:salt strings. This will be +##### subset of the supported encryption/salt types. +##### Example: des-cbc-crc:normal -attributetype ( 2.16.840.1.113719.1.301.4.38 - NAME 'krbPolicyRefCount' +attributetype ( 2.16.840.1.113719.1.301.4.42 + NAME 'krbDefaultEncSaltTypes' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) + + +##### Holds the supported encryption/salt type combinations of principals for +##### the Realm. Stores in the form of key:salt strings. +##### The supported encryption types are mentioned in RFC 3961 +##### The supported salt types are, +##### NORMAL +##### V4 +##### NOREALM +##### ONLYREALM +##### SPECIAL +##### AFS3 +##### Example: des-cbc-crc:normal + +attributetype ( 2.16.840.1.113719.1.301.4.43 + NAME 'krbSupportedEncSaltTypes' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) + + +##### This attribute holds the principal's old keys (krbPwdHistory) that is encrypted with +##### the kadmin/history key. +##### The attribute is ASN.1 encoded. +##### +##### The format of the value for this attribute is explained below, +##### KrbKeySet ::= SEQUENCE { +##### attribute-major-vno [0] UInt16, +##### attribute-minor-vno [1] UInt16, +##### kvno [2] UInt32, +##### mkvno [3] UInt32 OPTIONAL -- actually kadmin/history key, +##### keys [4] SEQUENCE OF KrbKey, +##### ... +##### } +##### +##### KrbKey ::= SEQUENCE { +##### salt [0] KrbSalt OPTIONAL, +##### key [1] EncryptionKey, +##### s2kparams [2] OCTET STRING OPTIONAL, +##### ... 
+##### } +##### +##### KrbSalt ::= SEQUENCE { +##### type [0] Int32, +##### salt [1] OCTET STRING OPTIONAL +##### } +##### +##### EncryptionKey ::= SEQUENCE { +##### keytype [0] Int32, +##### keyvalue [1] OCTET STRING +##### } + +attributetype ( 2.16.840.1.113719.1.301.4.44 + NAME 'krbPwdHistory' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40) + + +##### The time at which the principal's password last password change happened. + +attributetype ( 2.16.840.1.113719.1.301.4.45 + NAME 'krbLastPwdChange' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE) + + +##### This attribute holds the kerberos master key. +##### This can be used to encrypt principal keys. +##### This attribute has to be secured in directory. +##### +##### This attribute is ASN.1 encoded. +##### The format of the value for this attribute is explained below, +##### KrbMKey ::= SEQUENCE { +##### kvno [0] UInt32, +##### key [1] MasterKey +##### } +##### +##### MasterKey ::= SEQUENCE { +##### keytype [0] Int32, +##### keyvalue [1] OCTET STRING +##### } + + +attributetype ( 2.16.840.1.113719.1.301.4.46 + NAME 'krbMKey' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40) + + +##### This stores the alternate principal names for the principal in the RFC 1961 specified format + +attributetype ( 2.16.840.1.113719.1.301.4.47 + NAME 'krbPrincipalAliases' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) + + +##### The time at which the principal's last successful authentication happened. + +attributetype ( 2.16.840.1.113719.1.301.4.48 + NAME 'krbLastSuccessfulAuth' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE) + + +##### The time at which the principal's last failed authentication happened. 
+ +attributetype ( 2.16.840.1.113719.1.301.4.49 + NAME 'krbLastFailedAuth' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE) + + +##### This attribute stores the number of failed authentication attempts +##### happened for the principal since the last successful authentication. + +attributetype ( 2.16.840.1.113719.1.301.4.50 + NAME 'krbLoginFailedCount' EQUALITY integerMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE - ) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE) + + + +##### This attribute holds the application specific data. + +attributetype ( 2.16.840.1.113719.1.301.4.51 + NAME 'krbExtraData' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40) + + +##### This attributes holds references to the set of directory objects. +##### This stores the DNs of the directory objects to which the +##### principal object belongs to. + +attributetype ( 2.16.840.1.113719.1.301.4.52 + NAME 'krbObjectReferences' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) + +##### This attribute holds references to a Container object where +##### the additional principal objects and stand alone principal +##### objects (krbPrincipal) can be created. + +attributetype ( 2.16.840.1.113719.1.301.4.53 + NAME 'krbPrincContainerRef' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) + + +######################################################################## ######################################################################## # Object Class Definitions # ######################################################################## #### This is a kerberos container for all the realms in a tree. -objectClass ( - 2.16.840.1.113719.1.301.6.1 +objectclass ( 2.16.840.1.113719.1.301.6.1 NAME 'krbContainer' SUP top - MUST ( cn ) - MAY ( krbPolicyReference) - ) + STRUCTURAL + MUST ( cn ) ) + ##### The krbRealmContainer is created per realm and holds realm specific data. 
-objectClass ( - 2.16.840.1.113719.1.301.6.2 +objectclass ( 2.16.840.1.113719.1.301.6.2 NAME 'krbRealmContainer' SUP top + STRUCTURAL MUST ( cn ) - MAY ( krbMasterKey $ krbUPEnabled $ krbSubTree $ krbSearchScope $ krbLdapServers $ krbSupportedEncTypes $ krbSupportedSaltTypes $ krbDefaultEncType $ krbDefaultSaltType $ krbPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr ) - ) + MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef ) ) ##### An instance of a class derived from krbService is created per 
@@ -559,137 +521,98 @@ objectClass ( ##### ##### krbKdcService, krbAdmService and krbPwdService derive from this class. -objectClass ( - 2.16.840.1.113719.1.301.6.3 +objectclass ( 2.16.840.1.113719.1.301.6.3 NAME 'krbService' + SUP top ABSTRACT - SUP ( top ) MUST ( cn ) - MAY ( krbHostServer $ krbServiceFlags $ krbRealmReferences $ userPassword ) - ) + MAY ( krbHostServer $ krbRealmReferences ) ) + -##### Representative object for the KDC server to log onto eDirectory -##### and have a connection Id to access Kerberos data and have the required ACL's +##### Representative object for the KDC server to bind into a LDAP directory +##### and have a connection to access Kerberos data with the required +##### access rights. -objectClass ( - 2.16.840.1.113719.1.301.6.4 +objectclass ( 2.16.840.1.113719.1.301.6.4 NAME 'krbKdcService' - SUP ( krbService ) - ) + SUP krbService + STRUCTURAL ) -##### Representative object for the Kerberos Password server to log into eDirectory -##### and have a connection Id to access Kerberos data and have the required ACL's +##### Representative object for the Kerberos Password server to bind into a LDAP directory +##### and have a connection to access Kerberos data with the required +##### access rights. -objectClass ( - 2.16.840.1.113719.1.301.6.5 +objectclass ( 2.16.840.1.113719.1.301.6.5 NAME 'krbPwdService' - SUP ( krbService ) - ) - -##### The krbPolicyAux holds Kerberos ticket policy attributes. -##### This class can be attached to a principal object or realm object. + SUP krbService + STRUCTURAL ) -objectClass ( - 2.16.840.1.113719.1.301.6.6 - NAME 'krbPolicyAux' - AUXILIARY - MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) - ) - - -##### The krbPolicy object is an effective policy that is associated with a realm or a principal - -objectClass ( - 2.16.840.1.113719.1.301.6.7 - NAME 'krbPolicy' - SUP top - MUST ( cn ) - MAY ( krbPolicyRefCount ) - ) ###### The principal data auxiliary class. 
Holds principal information -###### and is used to store principal information for Users and any services. +###### and is used to store principal information for Person, Service objects. -objectClass ( - 2.16.840.1.113719.1.301.6.8 +objectclass ( 2.16.840.1.113719.1.301.6.8 NAME 'krbPrincipalAux' + SUP top AUXILIARY - MAY ( krbPrincipalName $ krbUPEnabled $ krbSecretKey $ krbPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration ) - ) + MAY ( krbPrincipalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) ) -###### This object is created to hold principals of type other than USER. +###### This class is used to create additional principals and stand alone principals. -objectClass ( - 2.16.840.1.113719.1.301.6.9 +objectclass ( 2.16.840.1.113719.1.301.6.9 NAME 'krbPrincipal' - SUP ( top ) + SUP top MUST ( krbPrincipalName ) - MAY ( krbPrincipalType ) - ) - -###### The foreign principal data auxiliary class. Holds all foreign principal information -###### and is used to store foreign principal information for Users. + MAY ( krbObjectReferences ) ) -objectClass ( - 2.16.840.1.113719.1.301.6.10 - NAME 'krbForeignPrincipalAux' - AUXILIARY - MAY krbForeignPrincipalName - ) ###### The principal references auxiliary class. Holds all principals referred ###### from a service -objectClass ( - 2.16.840.1.113719.1.301.6.11 +objectclass ( 2.16.840.1.113719.1.301.6.11 NAME 'krbPrincRefAux' + SUP top AUXILIARY - MAY krbPrincipalReferences - ) - - -###### Kerberos container references auxiliary class. Holds the location -###### of the Kerberos container object within an eDirectory tree. 
- -objectClass ( - 2.16.840.1.113719.1.301.6.12 - NAME 'krbContainerRefAux' - AUXILIARY - MAY krbContainerReference - ) + MAY krbPrincipalReferences ) -##### Representative object for the Kerberos Administration server to log into eDirectory -##### and have a connection Id to access Kerberos data and have the required ACL's +##### Representative object for the Kerberos Administration server to bind into a LDAP directory +##### and have a connection Id to access Kerberos data with the required access rights. -objectClass ( - 2.16.840.1.113719.1.301.6.13 +objectclass ( 2.16.840.1.113719.1.301.6.13 NAME 'krbAdmService' - SUP ( krbService ) - ) + SUP krbService + STRUCTURAL ) + ##### The krbPwdPolicy object is a template password policy that ##### can be applied to principals when they are created. ##### These policy attributes will be in effect, when the Kerberos ##### passwords are different from users' passwords (UP). -objectClass ( - 2.16.840.1.113719.1.301.6.14 +objectclass ( 2.16.840.1.113719.1.301.6.14 NAME 'krbPwdPolicy' SUP top MUST ( cn ) - MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdPolicyRefCount) - ) + MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength ) ) + -###### The password policy reference auxiliary class. -###### Holds the DN of the password policy object. This is to be attached to principals. +##### The krbTicketPolicyAux holds Kerberos ticket policy attributes. +##### This class can be attached to a principal object or realm object. 
-objectClass ( - 2.16.840.1.113719.1.301.6.15 - NAME 'krbPwdPolicyRefAux' +objectclass ( 2.16.840.1.113719.1.301.6.16 + NAME 'krbTicketPolicyAux' + SUP top AUXILIARY - MAY ( krbPwdPolicyReference ) - ) + MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) ) + + +##### The krbTicketPolicy object is an effective ticket policy that is associated with a realm or a principal + +objectclass ( 2.16.840.1.113719.1.301.6.17 + NAME 'krbTicketPolicy' + SUP top + MUST ( cn ) )
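Review bot: In the first hunk the schema version goes backwards, from `# VeRsIoN=1.3` to `# VeRsIoN=1.0`, while the rest of the patch adds roughly twenty attribute types and retires or renumbers others. A version marker that decreases gives a deployment no way to tell that the installed schema is older than this one; bump it past 1.3 (or explain in the commit message why the numbering restarts).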
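Review bot: The second hunk deletes krbForeignPrincipalName (`2.16.840.1.113719.1.301.4.2`), krbSecretKey (`...4.4`) and krbPolicyReference (`...4.7`) outright, with no marker left behind. OIDs must never be assigned to a different definition later, so a short comment reserving the retired arcs (and listing what they were) protects a future edit from reusing them; the same applies to `...4.35` and `...4.38` removed further down. Since krbSecretKey carried the encrypted principal keys in the previous layout and krbPrincipalKey replaces it with a different, ASN.1 encoding, the commit message should also state whether existing entries are expected to be re-created or migrated.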
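Review bot: In the third hunk the krbLdapServers comment is internally inconsistent: `##### The attribute holds data in the ldap uri format,` is followed by `##### Examples: acme.com#636, 164.164.164.164#1636, ldaps://acme.com:636`, and only the last example is an LDAP URI. Either state that both the legacy `host#port` form and LDAP URIs are accepted, or drop the two `#`-delimited examples so the documented format matches the one parsers are expected to handle.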
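Review bot: The fourth hunk replaces the krbMasterKey comment, which said `##### This attribute will be encrypted with Tree Key and stored.`, with `##### This attribute has to be secured in directory.` for krbMKey, so the file no longer says whether the master key value is stored encrypted or in the clear; spell that out next to the definition, since it decides how strict the ACL on that attribute must be. Two smaller documentation points in the same hunk: the krbPrincipalAliases comment cites `RFC 1961` where krbPrincipalName above cites RFC 1964 for the same name format, and the krbLastPwdChange comment reads `The time at which the principal's password last password change happened.`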
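Review bot: In the fifth hunk krbService drops `userPassword` from its MAY list, yet the comments on krbKdcService, krbPwdService and krbAdmService still describe objects that `bind into a LDAP directory`. If those entries are meant to authenticate with a simple bind, document which class now supplies the password attribute (or that an auxiliary class must be added); if another bind method is intended, say so in the comment. Also, krbContainer, krbRealmContainer and the three service classes gain an explicit `STRUCTURAL`, while krbPrincipal, krbPwdPolicy and krbTicketPolicy still omit the kind; add it to those three for consistency rather than relying on the default.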