From e5a5fe1b83088ceb7bddcfeea8d1d9c0d450c49a Mon Sep 17 00:00:00 2001 From: Ken Raeburn Date: Fri, 6 Oct 2006 23:29:29 +0000 Subject: [PATCH] schema info git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18656 dc483132-0cff-0310-8789-dd5450dbe970 --- src/plugins/kdb/ldap/kerberos.ldif | 763 +++++++++++++++++++++++++++ src/plugins/kdb/ldap/kerberos.schema | 618 ++++++++++++++++++++++ 2 files changed, 1381 insertions(+) create mode 100644 src/plugins/kdb/ldap/kerberos.ldif create mode 100644 src/plugins/kdb/ldap/kerberos.schema diff --git a/src/plugins/kdb/ldap/kerberos.ldif b/src/plugins/kdb/ldap/kerberos.ldif new file mode 100644 index 000000000..4b4f70a1a --- /dev/null +++ b/src/plugins/kdb/ldap/kerberos.ldif @@ -0,0 +1,763 @@ +# Novell Kerberos Schema Definitions +# Novell Inc. +# 1800 South Novell Place +# Provo, UT 84606 +# +# VeRsIoN=1.0 +# CoPyRiGhT=(c) Copyright 2006, Novell, Inc. All rights reserved +# +# OIDs: +# joint-iso-ccitt(2) +# country(16) +# us(840) +# organization(1) +# Novell(113719) +# applications(1) +# kerberos(301) +# Kerberos Attribute Type(4) attr# version# +# specific attribute definitions +# Kerberos Attribute Syntax(5) +# specific syntax definitions +# Kerberos Object Class(6) class# version# +# specific class definitions + +######################################################################## + + +######################################################################## +# Attribute Type Definitions # +######################################################################## + +##### This is the principal name in the RFC 1964 specified format + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.1.1 + NAME 'krbPrincipalName' + EQUALITY caseExactIA5Match + SUBSTR caseExactSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) + + +##### This specifies the type of the principal, the types could be any of +##### the types mentioned in section 6.2 of RFC 4120 + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.3.1 + NAME 'krbPrincipalType' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE) + + +##### This flag is used to find whether directory User Password has to be used +##### as kerberos password. +##### TRUE, if User Password is to be used as the kerberos password. +##### FALSE, if User Password and the kerberos password are different. + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.5.1 + NAME 'krbUPEnabled' + DESC 'Boolean' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + SINGLE-VALUE) + + +##### The time at which the principal expires + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.6.1 + NAME 'krbPrincipalExpiration' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE) + + +##### The krbTicketFlags attribute holds information about the kerberos flags for a principal +##### The values (0x00000001 - 0x00800000) are reserved for standards and +##### values (0x01000000 - 0x80000000) can be used for proprietary extensions. +##### The flags and values as per RFC 4120 and MIT implementation are, +##### DISALLOW_POSTDATED 0x00000001 +##### DISALLOW_FORWARDABLE 0x00000002 +##### DISALLOW_TGT_BASED 0x00000004 +##### DISALLOW_RENEWABLE 0x00000008 +##### DISALLOW_PROXIABLE 0x00000010 +##### DISALLOW_DUP_SKEY 0x00000020 +##### DISALLOW_ALL_TIX 0x00000040 +##### REQUIRES_PRE_AUTH 0x00000080 +##### REQUIRES_HW_AUTH 0x00000100 +##### REQUIRES_PWCHANGE 0x00000200 +##### DISALLOW_SVR 0x00001000 +##### PWCHANGE_SERVICE 0x00002000 + + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.8.1 + NAME 'krbTicketFlags' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE) + + +##### The maximum ticket lifetime for a principal in seconds + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.9.1 + NAME 'krbMaxTicketLife' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE) + + +##### Maximum renewable lifetime for a principal's ticket in seconds + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.10.1 + NAME 'krbMaxRenewableAge' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE) + + +##### Forward reference to the Realm object. +##### (FDN of the krbRealmContainer object). +##### Example: cn=ACME.COM, cn=Kerberos, cn=Security + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.14.1 + NAME 'krbRealmReferences' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) + + +##### List of LDAP servers that kerberos servers can contact. +##### The attribute holds data in the ldap uri format, +##### Example: ldaps://acme.com:636 +##### +##### The values of this attribute need to be updated, when +##### the LDAP servers listed here are renamed, moved or deleted. + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.15.1 + NAME 'krbLdapServers' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) + + +##### A set of forward references to the KDC Service objects. +##### (FDNs of the krbKdcService objects). +##### Example: cn=kdc - server 1, ou=uvw, o=xyz + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.17.1 + NAME 'krbKdcServers' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) + + +##### A set of forward references to the Password Service objects. +##### (FDNs of the krbPwdService objects). +##### Example: cn=kpasswdd - server 1, ou=uvw, o=xyz + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.18.1 + NAME 'krbPwdServers' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) + + +##### This attribute holds the Host Name or the ip address, +##### transport protocol and ports of the kerberos service host +##### The format is host_name-or-ip_address#protocol#port +##### Protocol can be 0 or 1. 0 is for UDP. 1 is for TCP. + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.24.1 + NAME 'krbHostServer' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) + + +##### This attribute holds the scope for searching the principals +##### under krbSubTree attribute of krbRealmContainer +##### The value can either be 1 (ONE) or 2 (SUB_TREE). + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.25.1 + NAME 'krbSearchScope' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE) + + +##### FDNs pointing to Kerberos principals + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.26.1 + NAME 'krbPrincipalReferences' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) + + +##### This attribute specifies which attribute of the user objects +##### be used as the principal name component for Kerberos. +##### The allowed values are cn, sn, uid, givenname, fullname. + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.28.1 + NAME 'krbPrincNamingAttr' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE) + + +##### A set of forward references to the Administration Service objects. +##### (FDNs of the krbAdmService objects). +##### Example: cn=kadmindd - server 1, ou=uvw, o=xyz + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.29.1 + NAME 'krbAdmServers' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) + + +##### Maximum lifetime of a principal's password + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.30.1 + NAME 'krbMaxPwdLife' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE) + + +##### Minimum lifetime of a principal's password + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.31.1 + NAME 'krbMinPwdLife' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE) + + +##### Minimum number of character clases allowed in a password + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.32.1 + NAME 'krbPwdMinDiffChars' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE) + + +##### Minimum length of the password + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.33.1 + NAME 'krbPwdMinLength' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE) + + +##### Number of previous versions of passwords that are stored + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.34.1 + NAME 'krbPwdHistoryLength' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE) + + +##### FDN pointing to a Kerberos Password Policy object + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.36.1 + NAME 'krbPwdPolicyReference' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + SINGLE-VALUE) + + +##### The time at which the principal's password expires + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.37.1 + NAME 'krbPasswordExpiration' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE) + + +##### This attribute holds the principal's key (krbPrincipalKey) that is encrypted with +##### the master key (krbMKey). +##### The attribute is ASN.1 encoded. +##### +##### The format of the value for this attribute is explained below, +##### KrbKeySet ::= SEQUENCE { +##### attribute-major-vno [0] UInt16, +##### attribute-minor-vno [1] UInt16, +##### kvno [2] UInt32, +##### mkvno [3] UInt32 OPTIONAL, +##### keys [4] SEQUENCE OF KrbKey, +##### ... +##### } +##### +##### KrbKey ::= SEQUENCE { +##### salt [0] KrbSalt OPTIONAL, +##### key [1] EncryptionKey, +##### s2kparams [2] OCTET STRING OPTIONAL, +##### ... +##### } +##### +##### KrbSalt ::= SEQUENCE { +##### type [0] Int32, +##### salt [1] OCTET STRING OPTIONAL +##### } +##### +##### EncryptionKey ::= SEQUENCE { +##### keytype [0] Int32, +##### keyvalue [1] OCTET STRING +##### } + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.39.1 + NAME 'krbPrincipalKey' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40) + + +##### FDN pointing to a Kerberos Ticket Policy object. + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.40.1 + NAME 'krbTicketPolicyReference' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + SINGLE-VALUE) + + +##### Forward reference to an entry that starts sub-trees +##### where principals and other kerberos objects in the realm are configured. +##### Example: ou=acme, ou=pq, o=xyz + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.41.1 + NAME 'krbSubTrees' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) + + +##### Holds the default encryption/salt type combinations of principals for +##### the Realm. Stores in the form of key:salt strings. +##### Example: des-cbc-crc:normal + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.42.1 + NAME 'krbDefaultEncSaltTypes' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) + + +##### Holds the Supported encryption/salt type combinations of principals for +##### the Realm. Stores in the form of key:salt strings. +##### The supported encryption types are mentioned in RFC 3961 +##### The supported salt types are, +##### NORMAL +##### V4 +##### NOREALM +##### ONLYREALM +##### SPECIAL +##### AFS3 +##### Example: des-cbc-crc:normal +##### +##### This attribute obsoletes the krbSupportedEncTypes and krbSupportedSaltTypes +##### attributes. + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.43.1 + NAME 'krbSupportedEncSaltTypes' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) + + +##### This attribute holds the principal's old keys (krbPwdHistory) that is encrypted with +##### the kadmin/history key. +##### The attribute is ASN.1 encoded. +##### +##### The format of the value for this attribute is explained below, +##### KrbKeySet ::= SEQUENCE { +##### attribute-major-vno [0] UInt16, +##### attribute-minor-vno [1] UInt16, +##### kvno [2] UInt32, +##### mkvno [3] UInt32 OPTIONAL -- actually kadmin/history key, +##### keys [4] SEQUENCE OF KrbKey, +##### ... +##### } +##### +##### KrbKey ::= SEQUENCE { +##### salt [0] KrbSalt OPTIONAL, +##### key [1] EncryptionKey, +##### s2kparams [2] OCTET STRING OPTIONAL, +##### ... +##### } +##### +##### KrbSalt ::= SEQUENCE { +##### type [0] Int32, +##### salt [1] OCTET STRING OPTIONAL +##### } +##### +##### EncryptionKey ::= SEQUENCE { +##### keytype [0] Int32, +##### keyvalue [1] OCTET STRING +##### } + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.44.1 + NAME 'krbPwdHistory' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40) + + +##### The time at which the principal's password last password change happened. + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.45.1 + NAME 'krbLastPwdChange' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE) + + +##### This attribute holds the kerberos master key. +##### This can be used to encrypt principal keys. +##### This attribute has to be secured in directory. +##### +##### This attribute is ASN.1 encoded. +##### The format of the value for this attribute is explained below, +##### KrbMKey ::= SEQUENCE { +##### kvno [0] UInt32, +##### key [1] MasterKey +##### } +##### +##### MasterKey ::= SEQUENCE { +##### keytype [0] Int32, +##### keyvalue [1] OCTET STRING +##### } + + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.46.1 + NAME 'krbMKey' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40) + + +##### This stores the alternate principal names for the principal in the RFC 1961 specified format + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.47.1 + NAME 'krbPrincipalAliases' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) + + +##### The time at which the principal's last successful authentication happened. + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.48.1 + NAME 'krbLastSuccessfulAuth' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE) + + +##### The time at which the principal's last failed authentication happened. + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.49.1 + NAME 'krbLastFailedAuth' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE) + + +##### This attribute stores the number of failed authentication attempts +##### happened for the principal since the last successful authentication. + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.50.1 + NAME 'krbLoginFailedCount' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE) + + + +##### This attribute holds the application specific data. + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.51.1 + NAME 'krbExtraData' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40) + + +##### This attributes holds references to the set of directory objects. +##### This stores the DNs of the directory objects to which the +##### principal object belongs to. + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.52.1 + NAME 'krbObjectReferences' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) + + +##### This attribute holds references to a Container object where +##### the additional principal objects and stand alone principal +##### objects (krbPrincipal) can be created. + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 2.16.840.1.113719.1.301.4.53.1 + NAME 'krbPrincContainerRef' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) + + +######################################################################## +######################################################################## +# Object Class Definitions # +######################################################################## + +#### This is a kerberos container for all the realms in a tree. + +dn: cn=schema +changetype: modify +add: objectclasses +objectClasses: ( 2.16.840.1.113719.1.301.6.1.1 + NAME 'krbContainer' + SUP top + MUST ( cn ) ) + + +##### The krbRealmContainer is created per realm and holds realm specific data. + +dn: cn=schema +changetype: modify +add: objectclasses +objectClasses: ( 2.16.840.1.113719.1.301.6.2.1 + NAME 'krbRealmContainer' + SUP top + MUST ( cn ) + MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $krbPwdPolicyReference $ krbPrincContainerRef ) ) + + +##### An instance of a class derived from krbService is created per +##### kerberos authentication or administration server in an realm and holds +##### references to the realm objects. These references is used to further read +##### realm specific data to service AS/TGS requests. Additionally this object +##### contains some server specific data like pathnames and ports that the +##### server uses. This is the identity the kerberos server logs in with. A key +##### pair for the same is created and the kerberos server logs in with the same. +##### +##### krbKdcService, krbAdmService and krbPwdService derive from this class. + +dn: cn=schema +changetype: modify +add: objectclasses +objectClasses: ( 2.16.840.1.113719.1.301.6.3.1 + NAME 'krbService' + ABSTRACT + SUP ( top ) + MUST ( cn ) + MAY ( krbHostServer $ krbRealmReferences ) ) + + +##### Representative object for the KDC server to bind into a LDAP directory +##### and have a connection to access Kerberos data with the required +##### access rights. + +dn: cn=schema +changetype: modify +add: objectclasses +objectClasses: ( 2.16.840.1.113719.1.301.6.4.1 + NAME 'krbKdcService' + SUP ( krbService ) ) + + +##### Representative object for the Kerberos Password server to bind into a LDAP directory +##### and have a connection to access Kerberos data with the required +##### access rights. + +dn: cn=schema +changetype: modify +add: objectclasses +objectClasses: ( 2.16.840.1.113719.1.301.6.5.1 + NAME 'krbPwdService' + SUP ( krbService ) ) + + +###### The principal data auxiliary class. Holds principal information +###### and is used to store principal information for Person, Service objects. + +dn: cn=schema +changetype: modify +add: objectclasses +objectClasses: ( 2.16.840.1.113719.1.301.6.8.1 + NAME 'krbPrincipalAux' + AUXILIARY + MAY ( krbPrincipalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) ) + + +###### This class is used to create additional principals and stand alone principals. + +dn: cn=schema +changetype: modify +add: objectclasses +objectClasses: ( 2.16.840.1.113719.1.301.6.9.1 + NAME 'krbPrincipal' + SUP ( top ) + MUST ( krbPrincipalName ) + MAY ( krbObjectReferences ) ) + + +###### The principal references auxiliary class. Holds all principals referred +###### from a service + +dn: cn=schema +changetype: modify +add: objectclasses +objectClasses: ( 2.16.840.1.113719.1.301.6.11.1 + NAME 'krbPrincRefAux' + SUP top + AUXILIARY + MAY krbPrincipalReferences ) + + +##### Representative object for the Kerberos Administration server to bind into a LDAP directory +##### and have a connection Id to access Kerberos data with the required access rights. + +dn: cn=schema +changetype: modify +add: objectclasses +objectClasses: ( 2.16.840.1.113719.1.301.6.13.1 + NAME 'krbAdmService' + SUP ( krbService ) ) + + +##### The krbPwdPolicy object is a template password policy that +##### can be applied to principals when they are created. +##### These policy attributes will be in effect, when the Kerberos +##### passwords are different from users' passwords (UP). + +dn: cn=schema +changetype: modify +add: objectclasses +objectClasses: ( 2.16.840.1.113719.1.301.6.14.1 + NAME 'krbPwdPolicy' + SUP top + MUST ( cn ) + MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength ) ) + + +##### The krbTicketPolicyAux holds Kerberos ticket policy attributes. +##### This class can be attached to a principal object or realm object. + +dn: cn=schema +changetype: modify +add: objectclasses +objectClasses: ( 2.16.840.1.113719.1.301.6.16.1 + NAME 'krbTicketPolicyAux' + AUXILIARY + MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) ) + + +##### The krbTicketPolicy object is an effective ticket policy that is associated with a realm or a principal + +dn: cn=schema +changetype: modify +add: objectclasses +objectClasses: ( 2.16.840.1.113719.1.301.6.17.1 + NAME 'krbTicketPolicy' + SUP top + MUST ( cn ) ) + diff --git a/src/plugins/kdb/ldap/kerberos.schema b/src/plugins/kdb/ldap/kerberos.schema new file mode 100644 index 000000000..851c23a92 --- /dev/null +++ b/src/plugins/kdb/ldap/kerberos.schema @@ -0,0 +1,618 @@ +# Novell Kerberos Schema Definitions +# Novell Inc. +# 1800 South Novell Place +# Provo, UT 84606 +# +# VeRsIoN=1.0 +# CoPyRiGhT=(c) Copyright 2006, Novell, Inc. All rights reserved +# +# OIDs: +# joint-iso-ccitt(2) +# country(16) +# us(840) +# organization(1) +# Novell(113719) +# applications(1) +# kerberos(301) +# Kerberos Attribute Type(4) attr# version# +# specific attribute definitions +# Kerberos Attribute Syntax(5) +# specific syntax definitions +# Kerberos Object Class(6) class# version# +# specific class definitions + +######################################################################## + + +######################################################################## +# Attribute Type Definitions # +######################################################################## + +##### This is the principal name in the RFC 1964 specified format + +attributetype ( 2.16.840.1.113719.1.301.4.1.1 + NAME 'krbPrincipalName' + EQUALITY caseExactIA5Match + SUBSTR caseExactSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) + + +##### This specifies the type of the principal, the types could be any of +##### the types mentioned in section 6.2 of RFC 4120 + +attributetype ( 2.16.840.1.113719.1.301.4.3.1 + NAME 'krbPrincipalType' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE) + + +##### This flag is used to find whether directory User Password has to be used +##### as kerberos password. +##### TRUE, if User Password is to be used as the kerberos password. +##### FALSE, if User Password and the kerberos password are different. + +attributetype ( 2.16.840.1.113719.1.301.4.5.1 + NAME 'krbUPEnabled' + DESC 'Boolean' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + SINGLE-VALUE) + + +##### The time at which the principal expires + +attributetype ( 2.16.840.1.113719.1.301.4.6.1 + NAME 'krbPrincipalExpiration' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE) + + +##### The krbTicketFlags attribute holds information about the kerberos flags for a principal +##### The values (0x00000001 - 0x00800000) are reserved for standards and +##### values (0x01000000 - 0x80000000) can be used for proprietary extensions. +##### The flags and values as per RFC 4120 and MIT implementation are, +##### DISALLOW_POSTDATED 0x00000001 +##### DISALLOW_FORWARDABLE 0x00000002 +##### DISALLOW_TGT_BASED 0x00000004 +##### DISALLOW_RENEWABLE 0x00000008 +##### DISALLOW_PROXIABLE 0x00000010 +##### DISALLOW_DUP_SKEY 0x00000020 +##### DISALLOW_ALL_TIX 0x00000040 +##### REQUIRES_PRE_AUTH 0x00000080 +##### REQUIRES_HW_AUTH 0x00000100 +##### REQUIRES_PWCHANGE 0x00000200 +##### DISALLOW_SVR 0x00001000 +##### PWCHANGE_SERVICE 0x00002000 + + +attributetype ( 2.16.840.1.113719.1.301.4.8.1 + NAME 'krbTicketFlags' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE) + + +##### The maximum ticket lifetime for a principal in seconds + +attributetype ( 2.16.840.1.113719.1.301.4.9.1 + NAME 'krbMaxTicketLife' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE) + + +##### Maximum renewable lifetime for a principal's ticket in seconds + +attributetype ( 2.16.840.1.113719.1.301.4.10.1 + NAME 'krbMaxRenewableAge' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE) + + +##### Forward reference to the Realm object. +##### (FDN of the krbRealmContainer object). +##### Example: cn=ACME.COM, cn=Kerberos, cn=Security + +attributetype ( 2.16.840.1.113719.1.301.4.14.1 + NAME 'krbRealmReferences' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) + + +##### List of LDAP servers that kerberos servers can contact. +##### The attribute holds data in the ldap uri format, +##### Examples: acme.com#636, 164.164.164.164#1636, ldaps://acme.com:636 +##### +##### The values of this attribute need to be updated, when +##### the LDAP servers listed here are renamed, moved or deleted. + +attributetype ( 2.16.840.1.113719.1.301.4.15.1 + NAME 'krbLdapServers' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) + + +##### A set of forward references to the KDC Service objects. +##### (FDNs of the krbKdcService objects). +##### Example: cn=kdc - server 1, ou=uvw, o=xyz + +attributetype ( 2.16.840.1.113719.1.301.4.17.1 + NAME 'krbKdcServers' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) + + +##### A set of forward references to the Password Service objects. +##### (FDNs of the krbPwdService objects). +##### Example: cn=kpasswdd - server 1, ou=uvw, o=xyz + +attributetype ( 2.16.840.1.113719.1.301.4.18.1 + NAME 'krbPwdServers' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) + + +##### This attribute holds the Host Name or the ip address, +##### transport protocol and ports of the kerberos service host +##### The format is host_name-or-ip_address#protocol#port +##### Protocol can be 0 or 1. 0 is for UDP. 1 is for TCP. + +attributetype ( 2.16.840.1.113719.1.301.4.24.1 + NAME 'krbHostServer' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) + + +##### This attribute holds the scope for searching the principals +##### under krbSubTree attribute of krbRealmContainer +##### The value can either be 1 (ONE) or 2 (SUB_TREE). + +attributetype ( 2.16.840.1.113719.1.301.4.25.1 + NAME 'krbSearchScope' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE) + + +##### FDNs pointing to Kerberos principals + +attributetype ( 2.16.840.1.113719.1.301.4.26.1 + NAME 'krbPrincipalReferences' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) + + +##### This attribute specifies which attribute of the user objects +##### be used as the principal name component for Kerberos. +##### The allowed values are cn, sn, uid, givenname, fullname. + +attributetype ( 2.16.840.1.113719.1.301.4.28.1 + NAME 'krbPrincNamingAttr' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE) + + +##### A set of forward references to the Administration Service objects. +##### (FDNs of the krbAdmService objects). +##### Example: cn=kadmindd - server 1, ou=uvw, o=xyz + +attributetype ( 2.16.840.1.113719.1.301.4.29.1 + NAME 'krbAdmServers' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) + + +##### Maximum lifetime of a principal's password + +attributetype ( 2.16.840.1.113719.1.301.4.30.1 + NAME 'krbMaxPwdLife' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE) + + +##### Minimum lifetime of a principal's password + +attributetype ( 2.16.840.1.113719.1.301.4.31.1 + NAME 'krbMinPwdLife' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE) + + +##### Minimum number of character clases allowed in a password + +attributetype ( 2.16.840.1.113719.1.301.4.32.1 + NAME 'krbPwdMinDiffChars' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE) + + +##### Minimum length of the password + +attributetype ( 2.16.840.1.113719.1.301.4.33.1 + NAME 'krbPwdMinLength' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE) + + +##### Number of previous versions of passwords that are stored + +attributetype ( 2.16.840.1.113719.1.301.4.34.1 + NAME 'krbPwdHistoryLength' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE) + + +##### FDN pointing to a Kerberos Password Policy object + +attributetype ( 2.16.840.1.113719.1.301.4.36.1 + NAME 'krbPwdPolicyReference' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + SINGLE-VALUE) + + +##### The time at which the principal's password expires + +attributetype ( 2.16.840.1.113719.1.301.4.37.1 + NAME 'krbPasswordExpiration' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE) + + +##### This attribute holds the principal's key (krbPrincipalKey) that is encrypted with +##### the master key (krbMKey). +##### The attribute is ASN.1 encoded. +##### +##### The format of the value for this attribute is explained below, +##### KrbKeySet ::= SEQUENCE { +##### attribute-major-vno [0] UInt16, +##### attribute-minor-vno [1] UInt16, +##### kvno [2] UInt32, +##### mkvno [3] UInt32 OPTIONAL, +##### keys [4] SEQUENCE OF KrbKey, +##### ... +##### } +##### +##### KrbKey ::= SEQUENCE { +##### salt [0] KrbSalt OPTIONAL, +##### key [1] EncryptionKey, +##### s2kparams [2] OCTET STRING OPTIONAL, +##### ... +##### } +##### +##### KrbSalt ::= SEQUENCE { +##### type [0] Int32, +##### salt [1] OCTET STRING OPTIONAL +##### } +##### +##### EncryptionKey ::= SEQUENCE { +##### keytype [0] Int32, +##### keyvalue [1] OCTET STRING +##### } + +attributetype ( 2.16.840.1.113719.1.301.4.39.1 + NAME 'krbPrincipalKey' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40) + + +##### FDN pointing to a Kerberos Ticket Policy object. + +attributetype ( 2.16.840.1.113719.1.301.4.40.1 + NAME 'krbTicketPolicyReference' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + SINGLE-VALUE) + + +##### Forward reference to an entry that starts sub-trees +##### where principals and other kerberos objects in the realm are configured. +##### Example: ou=acme, ou=pq, o=xyz + +attributetype ( 2.16.840.1.113719.1.301.4.41.1 + NAME 'krbSubTrees' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) + + +##### Holds the default encryption/salt type combinations of principals for +##### the Realm. Stores in the form of key:salt strings. This will be +##### subset of the supported encryption/salt types. +##### Example: des-cbc-crc:normal + +attributetype ( 2.16.840.1.113719.1.301.4.42.1 + NAME 'krbDefaultEncSaltTypes' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) + + +##### Holds the supported encryption/salt type combinations of principals for +##### the Realm. Stores in the form of key:salt strings. +##### The supported encryption types are mentioned in RFC 3961 +##### The supported salt types are, +##### NORMAL +##### V4 +##### NOREALM +##### ONLYREALM +##### SPECIAL +##### AFS3 +##### Example: des-cbc-crc:normal + +attributetype ( 2.16.840.1.113719.1.301.4.43.1 + NAME 'krbSupportedEncSaltTypes' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) + + +##### This attribute holds the principal's old keys (krbPwdHistory) that is encrypted with +##### the kadmin/history key. +##### The attribute is ASN.1 encoded. +##### +##### The format of the value for this attribute is explained below, +##### KrbKeySet ::= SEQUENCE { +##### attribute-major-vno [0] UInt16, +##### attribute-minor-vno [1] UInt16, +##### kvno [2] UInt32, +##### mkvno [3] UInt32 OPTIONAL -- actually kadmin/history key, +##### keys [4] SEQUENCE OF KrbKey, +##### ... +##### } +##### +##### KrbKey ::= SEQUENCE { +##### salt [0] KrbSalt OPTIONAL, +##### key [1] EncryptionKey, +##### s2kparams [2] OCTET STRING OPTIONAL, +##### ... +##### } +##### +##### KrbSalt ::= SEQUENCE { +##### type [0] Int32, +##### salt [1] OCTET STRING OPTIONAL +##### } +##### +##### EncryptionKey ::= SEQUENCE { +##### keytype [0] Int32, +##### keyvalue [1] OCTET STRING +##### } + +attributetype ( 2.16.840.1.113719.1.301.4.44.1 + NAME 'krbPwdHistory' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40) + + +##### The time at which the principal's password last password change happened. + +attributetype ( 2.16.840.1.113719.1.301.4.45.1 + NAME 'krbLastPwdChange' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE) + + +##### This attribute holds the kerberos master key. +##### This can be used to encrypt principal keys. +##### This attribute has to be secured in directory. +##### +##### This attribute is ASN.1 encoded. +##### The format of the value for this attribute is explained below, +##### KrbMKey ::= SEQUENCE { +##### kvno [0] UInt32, +##### key [1] MasterKey +##### } +##### +##### MasterKey ::= SEQUENCE { +##### keytype [0] Int32, +##### keyvalue [1] OCTET STRING +##### } + + +attributetype ( 2.16.840.1.113719.1.301.4.46.1 + NAME 'krbMKey' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40) + + +##### This stores the alternate principal names for the principal in the RFC 1961 specified format + +attributetype ( 2.16.840.1.113719.1.301.4.47.1 + NAME 'krbPrincipalAliases' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) + + +##### The time at which the principal's last successful authentication happened. + +attributetype ( 2.16.840.1.113719.1.301.4.48.1 + NAME 'krbLastSuccessfulAuth' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE) + + +##### The time at which the principal's last failed authentication happened. + +attributetype ( 2.16.840.1.113719.1.301.4.49.1 + NAME 'krbLastFailedAuth' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE) + + +##### This attribute stores the number of failed authentication attempts +##### happened for the principal since the last successful authentication. + +attributetype ( 2.16.840.1.113719.1.301.4.50.1 + NAME 'krbLoginFailedCount' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE) + + + +##### This attribute holds the application specific data. + +attributetype ( 2.16.840.1.113719.1.301.4.51.1 + NAME 'krbExtraData' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40) + + +##### This attributes holds references to the set of directory objects. +##### This stores the DNs of the directory objects to which the +##### principal object belongs to. + +attributetype ( 2.16.840.1.113719.1.301.4.52.1 + NAME 'krbObjectReferences' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) + + +##### This attribute holds references to a Container object where +##### the additional principal objects and stand alone principal +##### objects (krbPrincipal) can be created. + +attributetype ( 2.16.840.1.113719.1.301.4.53.1 + NAME 'krbPrincContainerRef' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) + + +######################################################################## +######################################################################## +# Object Class Definitions # +######################################################################## + +#### This is a kerberos container for all the realms in a tree. + +objectclass ( 2.16.840.1.113719.1.301.6.1.1 + NAME 'krbContainer' + SUP top + STRUCTURAL + MUST ( cn ) ) + + +##### The krbRealmContainer is created per realm and holds realm specific data. + +objectclass ( 2.16.840.1.113719.1.301.6.2.1 + NAME 'krbRealmContainer' + SUP top + STRUCTURAL + MUST ( cn ) + MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef ) ) + + +##### An instance of a class derived from krbService is created per +##### kerberos authentication or administration server in an realm and holds +##### references to the realm objects. These references is used to further read +##### realm specific data to service AS/TGS requests. Additionally this object +##### contains some server specific data like pathnames and ports that the +##### server uses. This is the identity the kerberos server logs in with. A key +##### pair for the same is created and the kerberos server logs in with the same. +##### +##### krbKdcService, krbAdmService and krbPwdService derive from this class. + +objectclass ( 2.16.840.1.113719.1.301.6.3.1 + NAME 'krbService' + SUP top + ABSTRACT + MUST ( cn ) + MAY ( krbHostServer $ krbRealmReferences ) ) + + +##### Representative object for the KDC server to bind into a LDAP directory +##### and have a connection to access Kerberos data with the required +##### access rights. + +objectclass ( 2.16.840.1.113719.1.301.6.4.1 + NAME 'krbKdcService' + SUP krbService + STRUCTURAL ) + + +##### Representative object for the Kerberos Password server to bind into a LDAP directory +##### and have a connection to access Kerberos data with the required +##### access rights. + +objectclass ( 2.16.840.1.113719.1.301.6.5.1 + NAME 'krbPwdService' + SUP krbService + STRUCTURAL ) + + +###### The principal data auxiliary class. Holds principal information +###### and is used to store principal information for Person, Service objects. + +objectclass ( 2.16.840.1.113719.1.301.6.8.1 + NAME 'krbPrincipalAux' + SUP top + AUXILIARY + MAY ( krbPrincipalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) ) + + +###### This class is used to create additional principals and stand alone principals. + +objectclass ( 2.16.840.1.113719.1.301.6.9.1 + NAME 'krbPrincipal' + SUP top + MUST ( krbPrincipalName ) + MAY ( krbObjectReferences ) ) + + +###### The principal references auxiliary class. Holds all principals referred +###### from a service + +objectclass ( 2.16.840.1.113719.1.301.6.11.1 + NAME 'krbPrincRefAux' + SUP top + AUXILIARY + MAY krbPrincipalReferences ) + + +##### Representative object for the Kerberos Administration server to bind into a LDAP directory +##### and have a connection Id to access Kerberos data with the required access rights. + +objectclass ( 2.16.840.1.113719.1.301.6.13.1 + NAME 'krbAdmService' + SUP krbService + STRUCTURAL ) + + +##### The krbPwdPolicy object is a template password policy that +##### can be applied to principals when they are created. +##### These policy attributes will be in effect, when the Kerberos +##### passwords are different from users' passwords (UP). + +objectclass ( 2.16.840.1.113719.1.301.6.14.1 + NAME 'krbPwdPolicy' + SUP top + MUST ( cn ) + MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength ) ) + + +##### The krbTicketPolicyAux holds Kerberos ticket policy attributes. +##### This class can be attached to a principal object or realm object. + +objectclass ( 2.16.840.1.113719.1.301.6.16.1 + NAME 'krbTicketPolicyAux' + SUP top + AUXILIARY + MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) ) + + +##### The krbTicketPolicy object is an effective ticket policy that is associated with a realm or a principal + +objectclass ( 2.16.840.1.113719.1.301.6.17.1 + NAME 'krbTicketPolicy' + SUP top + MUST ( cn ) ) + -- 2.26.2