# ident "%Z%%M% %I% %E% SMI"
#
# Novell Kerberos Schema Definitions
# Novell Inc.
# 1800 South Novell Place
# Provo, UT 84606
#
# VeRsIoN=1.0
# CoPyRiGhT=(c) Copyright 2006, Novell, Inc. All rights reserved
#
# OIDs:
#   joint-iso-ccitt(2)
#     country(16)
#       us(840)
#         organization(1)
#           Novell(113719)
#             applications(1)
#               kerberos(301)
#                 Kerberos Attribute Type(4) attr# version#
#                   specific attribute definitions
#                 Kerberos Attribute Syntax(5)
#                   specific syntax definitions
#                 Kerberos Object Class(6) class# version#
#                   specific class definitions

########################################################################


########################################################################
#                     Attribute Type Definitions                       #
########################################################################

##### This is the principal name in the RFC 1964 specified format

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.1.1
 NAME 'krbPrincipalName'
 EQUALITY caseExactIA5Match
 SUBSTR caseExactSubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)


##### This specifies the type of the principal; the type can be any of
##### the name types listed in section 6.2 of RFC 4120.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.3.1
 NAME 'krbPrincipalType'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE)


##### This flag records whether the directory User Password is to be used
##### as the Kerberos password.
##### TRUE, if the User Password is to be used as the Kerberos password.
##### FALSE, if the User Password and the Kerberos password are different.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.5.1
 NAME 'krbUPEnabled'
 DESC 'Boolean'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
 SINGLE-VALUE)


##### The time at which the principal expires

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.6.1
 NAME 'krbPrincipalExpiration'
 EQUALITY generalizedTimeMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
 SINGLE-VALUE)


##### The krbTicketFlags attribute holds the Kerberos flags for a principal.
##### The values (0x00000001 - 0x00800000) are reserved for standards and
##### the values (0x01000000 - 0x80000000) can be used for proprietary extensions.
##### The flags and values as per RFC 4120 and the MIT implementation are:
#####     DISALLOW_POSTDATED     0x00000001
#####     DISALLOW_FORWARDABLE   0x00000002
#####     DISALLOW_TGT_BASED     0x00000004
#####     DISALLOW_RENEWABLE     0x00000008
#####     DISALLOW_PROXIABLE     0x00000010
#####     DISALLOW_DUP_SKEY      0x00000020
#####     DISALLOW_ALL_TIX       0x00000040
#####     REQUIRES_PRE_AUTH      0x00000080
#####     REQUIRES_HW_AUTH       0x00000100
#####     REQUIRES_PWCHANGE      0x00000200
#####     DISALLOW_SVR           0x00001000
#####     PWCHANGE_SERVICE       0x00002000


dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.8.1
 NAME 'krbTicketFlags'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE)


##### The maximum ticket lifetime for a principal in seconds

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.9.1
 NAME 'krbMaxTicketLife'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE)


##### Maximum renewable lifetime for a principal's ticket in seconds

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.10.1
 NAME 'krbMaxRenewableAge'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE)


##### Forward reference to the Realm object.
##### (FDN of the krbRealmContainer object).
##### Example: cn=ACME.COM, cn=Kerberos, cn=Security

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.14.1
 NAME 'krbRealmReferences'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### List of LDAP servers that the Kerberos servers can contact.
##### The attribute holds data in the LDAP URI format.
##### Example: ldaps://acme.com:636
##### The KDC reads krbPrincipalKey and krbMKey over this connection, so the
##### URI should be ldaps:// rather than plain ldap://.
#####
##### The values of this attribute need to be updated when
##### the LDAP servers listed here are renamed, moved or deleted.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.15.1
 NAME 'krbLdapServers'
 EQUALITY caseIgnoreMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)


##### A set of forward references to the KDC Service objects.
##### (FDNs of the krbKdcService objects).
##### Example: cn=kdc - server 1, ou=uvw, o=xyz

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.17.1
 NAME 'krbKdcServers'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### A set of forward references to the Password Service objects.
##### (FDNs of the krbPwdService objects).
##### Example: cn=kpasswdd - server 1, ou=uvw, o=xyz

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.18.1
 NAME 'krbPwdServers'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### This attribute holds the host name or IP address, the
##### transport protocol and the port of the Kerberos service host.
##### The format is host_name-or-ip_address#protocol#port
##### Protocol can be 0 or 1: 0 is for UDP, 1 is for TCP.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.24.1
 NAME 'krbHostServer'
 EQUALITY caseExactIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)


##### This attribute holds the scope for searching the principals
##### under the krbSubTrees attribute of krbRealmContainer.
##### The value can either be 1 (ONE) or 2 (SUB_TREE).

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.25.1
 NAME 'krbSearchScope'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE)


##### FDNs pointing to Kerberos principals

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.26.1
 NAME 'krbPrincipalReferences'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### This attribute specifies which attribute of the user objects
##### is used as the principal name component for Kerberos.
##### The allowed values are cn, sn, uid, givenname, fullname.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.28.1
 NAME 'krbPrincNamingAttr'
 EQUALITY caseIgnoreMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
 SINGLE-VALUE)


##### A set of forward references to the Administration Service objects.
##### (FDNs of the krbAdmService objects).
##### Example: cn=kadmindd - server 1, ou=uvw, o=xyz

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.29.1
 NAME 'krbAdmServers'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### Maximum lifetime of a principal's password

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.30.1
 NAME 'krbMaxPwdLife'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE)


##### Minimum lifetime of a principal's password

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.31.1
 NAME 'krbMinPwdLife'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE)


##### Minimum number of character classes required in a password

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.32.1
 NAME 'krbPwdMinDiffChars'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE)


##### Minimum length of the password

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.33.1
 NAME 'krbPwdMinLength'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE)


##### Number of previous versions of passwords that are stored

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.34.1
 NAME 'krbPwdHistoryLength'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE)


##### FDN pointing to a Kerberos Password Policy object

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.36.1
 NAME 'krbPwdPolicyReference'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
 SINGLE-VALUE)


##### The time at which the principal's password expires

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.37.1
 NAME 'krbPasswordExpiration'
 EQUALITY generalizedTimeMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
 SINGLE-VALUE)


##### This attribute holds the principal's key (krbPrincipalKey) encrypted with
##### the master key (krbMKey).
##### The attribute value is ASN.1 (DER) encoded.
#####
##### The format of the value for this attribute is explained below:
#####     KrbKeySet ::= SEQUENCE {
#####         attribute-major-vno   [0] UInt16,
#####         attribute-minor-vno   [1] UInt16,
#####         kvno                  [2] UInt32,
#####         mkvno                 [3] UInt32 OPTIONAL,
#####         keys                  [4] SEQUENCE OF KrbKey,
#####         ...
#####     }
#####
#####     KrbKey ::= SEQUENCE {
#####         salt      [0] KrbSalt OPTIONAL,
#####         key       [1] EncryptionKey,
#####         s2kparams [2] OCTET STRING OPTIONAL,
#####         ...
#####     }
#####
#####     KrbSalt ::= SEQUENCE {
#####         type      [0] Int32,
#####         salt      [1] OCTET STRING OPTIONAL
#####     }
#####
#####     EncryptionKey ::= SEQUENCE {
#####         keytype   [0] Int32,
#####         keyvalue  [1] OCTET STRING
#####     }

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.39.1
 NAME 'krbPrincipalKey'
 EQUALITY octetStringMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)


##### FDN pointing to a Kerberos Ticket Policy object.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.40.1
 NAME 'krbTicketPolicyReference'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
 SINGLE-VALUE)


##### Forward reference to an entry that starts the sub-trees
##### where principals and other Kerberos objects in the realm are configured.
##### Example: ou=acme, ou=pq, o=xyz

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.41.1
 NAME 'krbSubTrees'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### Holds the default encryption/salt type combinations of principals for
##### the realm, stored in the form of enctype:salt strings.
##### Example: des-cbc-crc:normal

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.42.1
 NAME 'krbDefaultEncSaltTypes'
 EQUALITY caseIgnoreMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)


##### Holds the supported encryption/salt type combinations of principals for
##### the realm, stored in the form of enctype:salt strings.
##### The supported encryption types are the ones defined in RFC 3961.
##### The supported salt types are:
#####     NORMAL
#####     V4
#####     NOREALM
#####     ONLYREALM
#####     SPECIAL
#####     AFS3
##### Example: des-cbc-crc:normal
#####
##### This attribute obsoletes the krbSupportedEncTypes and krbSupportedSaltTypes
##### attributes.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.43.1
 NAME 'krbSupportedEncSaltTypes'
 EQUALITY caseIgnoreMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)


##### This attribute holds the principal's old keys (krbPwdHistory), encrypted with
##### the kadmin/history key.
##### The attribute value is ASN.1 (DER) encoded.
#####
##### The format of the value for this attribute is explained below:
#####     KrbKeySet ::= SEQUENCE {
#####         attribute-major-vno   [0] UInt16,
#####         attribute-minor-vno   [1] UInt16,
#####         kvno                  [2] UInt32,
#####         mkvno                 [3] UInt32 OPTIONAL,   -- actually the kvno of the kadmin/history key
#####         keys                  [4] SEQUENCE OF KrbKey,
#####         ...
#####     }
#####
#####     KrbKey ::= SEQUENCE {
#####         salt      [0] KrbSalt OPTIONAL,
#####         key       [1] EncryptionKey,
#####         s2kparams [2] OCTET STRING OPTIONAL,
#####         ...
#####     }
#####
#####     KrbSalt ::= SEQUENCE {
#####         type      [0] Int32,
#####         salt      [1] OCTET STRING OPTIONAL
#####     }
#####
#####     EncryptionKey ::= SEQUENCE {
#####         keytype   [0] Int32,
#####         keyvalue  [1] OCTET STRING
#####     }

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.44.1
 NAME 'krbPwdHistory'
 EQUALITY octetStringMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)


##### The time at which the principal's last password change happened.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.45.1
 NAME 'krbLastPwdChange'
 EQUALITY generalizedTimeMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
 SINGLE-VALUE)


##### This attribute holds the Kerberos master key.
##### It is used to encrypt principal keys.
##### This attribute has to be secured in the directory: anyone able to read
##### it together with krbPrincipalKey can recover every principal's key, so
##### read access should be limited to the KDC, kadmin and password service
##### identities.
#####
##### The attribute value is ASN.1 (DER) encoded.
##### The format of the value for this attribute is explained below:
#####     KrbMKey ::= SEQUENCE {
#####         kvno    [0] UInt32,
#####         key     [1] MasterKey
#####     }
#####
#####     MasterKey ::= SEQUENCE {
#####         keytype   [0] Int32,
#####         keyvalue  [1] OCTET STRING
#####     }


dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.46.1
 NAME 'krbMKey'
 EQUALITY octetStringMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)


##### This stores the alternate principal names for the principal in the RFC 1964 specified format

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.47.1
 NAME 'krbPrincipalAliases'
 EQUALITY caseExactIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)


##### The time at which the principal's last successful authentication happened.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.48.1
 NAME 'krbLastSuccessfulAuth'
 EQUALITY generalizedTimeMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
 SINGLE-VALUE)


##### The time at which the principal's last failed authentication happened.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.49.1
 NAME 'krbLastFailedAuth'
 EQUALITY generalizedTimeMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
 SINGLE-VALUE)


##### This attribute stores the number of failed authentication attempts
##### for the principal since the last successful authentication.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.50.1
 NAME 'krbLoginFailedCount'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE)



##### This attribute holds application-specific data.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.51.1
 NAME 'krbExtraData'
 EQUALITY octetStringMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)


##### This attribute holds references to a set of directory objects:
##### the DNs of the directory objects to which the principal object belongs.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.52.1
 NAME 'krbObjectReferences'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### This attribute holds references to a container object where
##### additional principal objects and stand-alone principal
##### objects (krbPrincipal) can be created.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.53.1
 NAME 'krbPrincContainerRef'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


########################################################################
########################################################################
#                      Object Class Definitions                        #
########################################################################

#### This is the Kerberos container for all the realms in a tree.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.1.1
 NAME 'krbContainer'
 SUP top
 MUST ( cn ) )


##### The krbRealmContainer is created per realm and holds realm-specific data.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.2.1
 NAME 'krbRealmContainer'
 SUP top
 MUST ( cn )
 MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef ) )


##### An instance of a class derived from krbService is created per
##### Kerberos authentication or administration server in a realm and holds
##### references to the realm objects. These references are used to read further
##### realm-specific data to service AS/TGS requests. Additionally this object
##### contains some server-specific data like pathnames and ports that the
##### server uses. This is the identity the Kerberos server logs in with: a key
##### pair is created for it and the Kerberos server logs in with that key pair.
#####
##### krbKdcService, krbAdmService and krbPwdService derive from this class.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.3.1
 NAME 'krbService'
 ABSTRACT
 SUP ( top )
 MUST ( cn )
 MAY ( krbHostServer $ krbRealmReferences ) )


##### Representative object for the KDC server to bind into an LDAP directory
##### and have a connection to access Kerberos data with the required
##### access rights.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.4.1
 NAME 'krbKdcService'
 SUP ( krbService ) )


##### Representative object for the Kerberos Password server to bind into an LDAP directory
##### and have a connection to access Kerberos data with the required
##### access rights.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.5.1
 NAME 'krbPwdService'
 SUP ( krbService ) )


###### The principal data auxiliary class. Holds principal information
###### and is used to store principal information for Person and Service objects.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.8.1
 NAME 'krbPrincipalAux'
 AUXILIARY
 MAY ( krbPrincipalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )


###### This class is used to create additional principals and stand-alone principals.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.9.1
 NAME 'krbPrincipal'
 SUP ( top )
 MUST ( krbPrincipalName )
 MAY ( krbObjectReferences ) )


###### The principal references auxiliary class. Holds all principals referred to
###### from a service.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.11.1
 NAME 'krbPrincRefAux'
 SUP top
 AUXILIARY
 MAY ( krbPrincipalReferences ) )


##### Representative object for the Kerberos Administration server to bind into an LDAP directory
##### and have a connection to access Kerberos data with the required access rights.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.13.1
 NAME 'krbAdmService'
 SUP ( krbService ) )


##### The krbPwdPolicy object is a template password policy that
##### can be applied to principals when they are created.
##### These policy attributes are in effect when the Kerberos
##### passwords are different from the users' passwords (UP), that is,
##### when krbUPEnabled is FALSE.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.14.1
 NAME 'krbPwdPolicy'
 SUP top
 MUST ( cn )
 MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength ) )


##### The krbTicketPolicyAux class holds Kerberos ticket policy attributes.
##### This class can be attached to a principal object or a realm object.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.16.1
 NAME 'krbTicketPolicyAux'
 AUXILIARY
 MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )


##### The krbTicketPolicy object is an effective ticket policy that is associated with a realm or a principal.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.17.1
 NAME 'krbTicketPolicy'
 SUP top
 MUST ( cn ) )

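The krbTicketFlags bit assignments listed above are what an auditor checks when reviewing principals exported from the directory. The following is an added example, not part of the Novell/MIT schema file: a minimal LDIF reader (comments, continuation lines, base64 "::" values) and an audit that decodes the integer flag word, reports principals that do not require pre-authentication, and separates the standard range from the proprietary range the comment reserves. The LDIF export, its DNs and the realm EXAMPLE.COM are constructed placeholders.

```python
"""Audit krbTicketFlags on principal entries taken from an LDIF export.
Added example, not part of the schema file; the flag names and bit values are
the ones listed in the krbTicketFlags comment, the LDIF below is constructed."""
import base64

TICKET_FLAGS = {
    0x00000001: "DISALLOW_POSTDATED",
    0x00000002: "DISALLOW_FORWARDABLE",
    0x00000004: "DISALLOW_TGT_BASED",
    0x00000008: "DISALLOW_RENEWABLE",
    0x00000010: "DISALLOW_PROXIABLE",
    0x00000020: "DISALLOW_DUP_SKEY",
    0x00000040: "DISALLOW_ALL_TIX",
    0x00000080: "REQUIRES_PRE_AUTH",
    0x00000100: "REQUIRES_HW_AUTH",
    0x00000200: "REQUIRES_PWCHANGE",
    0x00001000: "DISALLOW_SVR",
    0x00002000: "PWCHANGE_SERVICE",
}
KNOWN_MASK = sum(TICKET_FLAGS)        # bits are disjoint, so sum == OR
STANDARD_MASK = 0x00FFFFFF            # range reserved for standard flags
PROPRIETARY_MASK = 0xFF000000         # range left to vendor extensions


def decode_ticket_flags(value):
    """Split an integer krbTicketFlags value into (known flag names, unknown bits)."""
    names = {name for bit, name in TICKET_FLAGS.items() if value & bit}
    return names, value & ~KNOWN_MASK


def parse_ldif(text):
    """Minimal LDIF reader: skips '#' comments, unfolds continuation lines (a
    leading space joins to the previous line), decodes 'attr:: <base64>' values
    and returns one dict per entry, lower-cased attribute name -> list of values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:          # sentinel flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def audit_entry(entry):
    """Findings for one entry; an entry without krbTicketFlags inherits the
    realm or ticket-policy defaults and is not judged here."""
    dn = entry.get("dn", ["<no dn>"])[0]
    raw = entry.get("krbticketflags")
    if raw is None:
        return []
    value = int(raw[0])
    names, unknown = decode_ticket_flags(value)
    findings = []
    if "REQUIRES_PRE_AUTH" not in names:
        findings.append(f"{dn}: REQUIRES_PRE_AUTH clear; the KDC answers AS-REQs without "
                        "pre-authentication, and the AS-REP enc-part (encrypted under the "
                        "principal's long-term key) can be attacked offline")
    if unknown & STANDARD_MASK:
        findings.append(f"{dn}: unrecognised standard-range bits 0x{unknown & STANDARD_MASK:08x}")
    if value & PROPRIETARY_MASK:
        findings.append(f"{dn}: proprietary bits 0x{value & PROPRIETARY_MASK:08x} set; "
                        "confirm what the KDC vendor assigns to them")
    if "DISALLOW_ALL_TIX" in names:
        findings.append(f"{dn}: DISALLOW_ALL_TIX set (principal is locked out)")
    return findings


def audit_ldif(text):
    """Findings for every entry of an LDIF export, keyed by DN."""
    return {e["dn"][0]: audit_entry(e) for e in parse_ldif(text) if "dn" in e}


# Constructed sample export: the second principal has a proprietary bit
# (0x01000000) set and does not require pre-authentication.
SAMPLE_LDIF = """\
# constructed sample; EXAMPLE.COM is a placeholder realm
dn: cn=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
krbPrincipalName: alice@EXAMPLE.COM
krbTicketFlags: 128
krbMaxTicketLife: 36000

dn: cn=svc-legacy,ou=services,dc=example,dc=com
objectClass: krbPrincipal
objectClass: krbTicketPolicyAux
krbPrincipalName:: c3ZjLWxlZ2FjeUBFWEFNUExFLkNPTQ==
krbTicketFlags: 16777217
"""

if __name__ == "__main__":
    for dn, findings in audit_ldif(SAMPLE_LDIF).items():
        print(dn, "->", findings or "ok")
```

Run it against a real export (for example the output of an ldapsearch for objectClass=krbTicketPolicyAux saved as LDIF) by passing the file contents to audit_ldif; entries with no krbTicketFlags of their own are reported as empty, since for them the realm's krbTicketPolicyReference decides.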
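The KrbKeySet structure documented above for krbPrincipalKey and, with the kadmin/history key in place of the master key, for krbPwdHistory, as an added example that is not part of the Novell/MIT schema file: a hand-rolled DER decoder for that ASN.1 (SEQUENCEs whose members carry EXPLICIT context tags [n] around INTEGER, OCTET STRING and nested SEQUENCE), plus a small encoder used only to build the sample value, and a check that reports keys stored under deprecated enctypes. The decoder follows the ASN.1 in the schema comments and has not been checked byte-for-byte against a live MIT LDAP backend; the keyvalue octets in the sample are placeholders, not master-key-encrypted material.

```python
"""KrbKeySet decoder for krbPrincipalKey / krbPwdHistory values (added example,
not part of the schema file; follows the ASN.1 given in the schema comments)."""
INTEGER, OCTET_STRING, SEQUENCE = 0x02, 0x04, 0x30
DEPRECATED_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",     # RFC 6649
                       16: "des3-cbc-sha1", 23: "rc4-hmac", 24: "rc4-hmac-exp"}  # RFC 8429

def _read_tlv(buf, pos):
    """(tag, contents, end) for the TLV at buf[pos]; short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8N, then N length bytes
        n = length & 0x7F
        if not 0 < n <= 4:                 # 0x80 (indefinite) is BER, not DER
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value

def _fields(tlv, required=()):
    """SEQUENCE of [n] EXPLICIT members -> {n: inner (tag, body)}; unknown n is kept."""
    tag, body = tlv
    if tag != SEQUENCE:
        raise ValueError("expected SEQUENCE, got tag 0x%02x" % tag)
    fields = {}
    for ctag, cbody in _children(body):
        inner = list(_children(cbody)) if ctag & 0xE0 == 0xA0 else []
        if len(inner) != 1:                # context-specific, constructed, one value
            raise ValueError("bad explicit tag 0x%02x" % ctag)
        fields[ctag & 0x1F] = inner[0]
    if any(n not in fields for n in required):
        raise ValueError("missing required field among %s" % list(required))
    return fields

def _prim(tlv, want):
    """INTEGER -> int (Int32/UInt32 both arrive as two's complement); OCTET STRING -> bytes."""
    tag, body = tlv
    if tag != want or (want == INTEGER and not body):
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (want, tag))
    return int.from_bytes(body, "big", signed=True) if want == INTEGER else body

def _krb_key(tlv):
    f = _fields(tlv, (1,))
    s = _fields(f[0], (0,)) if 0 in f else None
    ek = _fields(f[1], (0, 1))
    return {"salt": s and {"type": _prim(s[0], INTEGER),
                           "salt": _prim(s[1], OCTET_STRING) if 1 in s else None},
            "key": {"keytype": _prim(ek[0], INTEGER), "keyvalue": _prim(ek[1], OCTET_STRING)},
            "s2kparams": _prim(f[2], OCTET_STRING) if 2 in f else None}

def parse_keyset(der):
    """Decode one krbPrincipalKey / krbPwdHistory value into a dict."""
    tag, body, end = _read_tlv(der, 0)
    if end != len(der):
        raise ValueError("trailing bytes after KrbKeySet")
    f = _fields((tag, body), (0, 1, 2, 4))
    if f[4][0] != SEQUENCE:
        raise ValueError("keys must be SEQUENCE OF KrbKey")
    return {"major": _prim(f[0], INTEGER), "minor": _prim(f[1], INTEGER),
            "kvno": _prim(f[2], INTEGER), "mkvno": _prim(f[3], INTEGER) if 3 in f else None,
            "keys": [_krb_key(k) for k in _children(f[4][1])]}

def is_valid_keyset(der):
    try:
        return parse_keyset(der) is not None
    except (ValueError, IndexError):       # IndexError: header cut off mid-TLV
        return False

def deprecated_keys(keyset):               # deprecated enctype names in a parsed KrbKeySet
    return [DEPRECATED_ENCTYPES[k["key"]["keytype"]] for k in keyset["keys"]
            if k["key"]["keytype"] in DEPRECATED_ENCTYPES]

# DER writing, used only to build the constructed sample below.
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(v):                           # minimal two's-complement INTEGER, v >= 0
    return _der(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def _ctx(n, tlv):                          # [n] EXPLICIT wrapper
    return _der(0xA0 | n, tlv)

def encode_keyset(major, minor, kvno, mkvno, keys):
    seq = b""
    for k in keys:                         # keys: {salt_type, keytype, keyvalue}
        salt = _ctx(0, _der(SEQUENCE, _ctx(0, _der_int(k["salt_type"]))))
        ek = _ctx(0, _der_int(k["keytype"])) + _ctx(1, _der(OCTET_STRING, k["keyvalue"]))
        seq += _der(SEQUENCE, salt + _ctx(1, _der(SEQUENCE, ek)))
    body = _ctx(0, _der_int(major)) + _ctx(1, _der_int(minor)) + _ctx(2, _der_int(kvno))
    return _der(SEQUENCE, body + _ctx(3, _der_int(mkvno)) + _ctx(4, _der(SEQUENCE, seq)))

# Constructed sample: aes256-cts-hmac-sha1-96 (18) and legacy rc4-hmac (23) keys, NORMAL
# (0) salt type; the keyvalue octets are placeholders, not master-key-encrypted material.
SAMPLE_KEYSET = encode_keyset(1, 1, 2, 1, [
    {"salt_type": 0, "keytype": 18, "keyvalue": b"\x11" * 48},
    {"salt_type": 0, "keytype": 23, "keyvalue": b"\x22" * 16},
])
```

In an LDIF export the binary value appears as krbPrincipalKey:: followed by base64, so parse_keyset(base64.b64decode(value)) is the call on real data; the decoder rejects trailing bytes, BER indefinite lengths and missing mandatory fields, and deprecated_keys flags DES, 3DES and RC4 keys that a realm migration should remove (RFC 6649 and RFC 8429).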