# Definitions for a Kerberos V KDC schema
#
# $Id$
#
# This version is compatible with OpenLDAP 1.8
#
# OID Base is iso(1) org(3) dod(6) internet(1) private(4) enterprise(1) padl(5322) kdcSchema(10)
#
# Syntaxes are under 1.3.6.1.4.1.5322.10.0
# Attribute types are under 1.3.6.1.4.1.5322.10.1
# Object classes are under 1.3.6.1.4.1.5322.10.2
#
# Security note: entries built from this schema carry principal key
# material (krb5Key) and the policy bits that decide what the KDC will
# issue for a principal (krb5KDCFlags, krb5MaxLife, krb5MaxRenew,
# krb5Valid*).  The schema only defines the attributes; read/write
# access to them must be limited to the KDC's own directory identity
# through the server's access-control configuration.

# Syntax definitions
#
# These are informational only (commented out): OpenLDAP does not load
# them.  The bit list below is presumably the layout of the integer
# stored in the krb5KDCFlags attribute; confirm against the KDC backend
# that reads it before relying on it.

#krb5KDCFlagsSyntax SYNTAX ::= {
#   WITH SYNTAX            INTEGER
#--        initial(0),             -- require as-req
#--        forwardable(1),         -- may issue forwardable
#--        proxiable(2),           -- may issue proxiable
#--        renewable(3),           -- may issue renewable
#--        postdate(4),            -- may issue postdatable
#--        server(5),              -- may be server
#--        client(6),              -- may be client
#--        invalid(7),             -- entry is invalid
#--        require-preauth(8),     -- must use preauth
#--        change-pw(9),           -- change password service
#--        require-hwauth(10),     -- must use hwauth
#--        ok-as-delegate(11),     -- as in TicketFlags
#--        user-to-user(12),       -- may use user-to-user auth
#--        immutable(13)           -- may not be deleted
#   ID                     { 1.3.6.1.4.1.5322.10.0.1 }
#}

#krb5PrincipalNameSyntax SYNTAX ::= {
#   WITH SYNTAX            OCTET STRING
#-- String representations of distinguished names as per RFC1510
#   ID                     { 1.3.6.1.4.1.5322.10.0.2 }
#}

# Attribute type definitions

# Principal name stored as an IA5 string (syntax ...121.1.26).  Equality
# is caseExactIA5Match, so two values differing only in case are
# distinct principals; searches must use the exact spelling.
attributetype ( 1.3.6.1.4.1.5322.10.1.1
        NAME 'krb5PrincipalName'
        DESC 'The unparsed Kerberos principal name'
        EQUALITY caseExactIA5Match
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# Key version number (kvno); integer syntax (...121.1.27), one value.
attributetype ( 1.3.6.1.4.1.5322.10.1.2
        NAME 'krb5KeyVersionNumber'
        EQUALITY integerMatch
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

# Maximum ticket lifetime for the principal; integer, one value.
# Units are not defined here -- presumably seconds; confirm with the KDC.
attributetype ( 1.3.6.1.4.1.5322.10.1.3
        NAME 'krb5MaxLife'
        EQUALITY integerMatch
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

# Maximum renewable lifetime for the principal; integer, one value.
attributetype ( 1.3.6.1.4.1.5322.10.1.4
        NAME 'krb5MaxRenew'
        EQUALITY integerMatch
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

# KDC policy flags packed into a single integer (see the commented
# krb5KDCFlagsSyntax block above for the bit meanings).  Write access
# to this attribute grants control over e.g. preauth requirements and
# the "invalid" bit, so it deserves the same protection as krb5Key.
attributetype ( 1.3.6.1.4.1.5322.10.1.5
        NAME 'krb5KDCFlags'
        EQUALITY integerMatch
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

# Encryption type identifier(s); integer, deliberately multi-valued
# (no SINGLE-VALUE) so a principal may list several enctypes.
attributetype ( 1.3.6.1.4.1.5322.10.1.6
        NAME 'krb5EncryptionType'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

# Start of the principal's validity period; Generalized Time syntax
# (...121.1.24) with ordering match so range searches work.
attributetype ( 1.3.6.1.4.1.5322.10.1.7
        NAME 'krb5ValidStart'
        EQUALITY generalizedTimeMatch
        ORDERING generalizedTimeOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE )

# End of the principal's validity period; Generalized Time, one value.
attributetype ( 1.3.6.1.4.1.5322.10.1.8
        NAME 'krb5ValidEnd'
        EQUALITY generalizedTimeMatch
        ORDERING generalizedTimeOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE )

# Password expiry time; Generalized Time, one value.
attributetype ( 1.3.6.1.4.1.5322.10.1.9
        NAME 'krb5PasswordEnd'
        EQUALITY generalizedTimeMatch
        ORDERING generalizedTimeOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE )

# this is temporary; keys will eventually
# be child entries or compound attributes.
#
# Binary syntax (...121.1.5), multi-valued, no matching rule: the value
# cannot be searched for, only read.  This is the principal's long-term
# key material -- disclosure is equivalent to disclosure of the
# principal's password, so directory ACLs must deny read to everything
# except the KDC (and any replication consumer that legitimately needs
# it).
attributetype ( 1.3.6.1.4.1.5322.10.1.10
        NAME 'krb5Key'
        DESC 'Encoded ASN1 Key as an octet string'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

# DN pointer to the krb5Realm entry the principal belongs to.  Syntax
# and matching rule are inherited from the superior distinguishedName.
attributetype ( 1.3.6.1.4.1.5322.10.1.11
        NAME 'krb5PrincipalRealm'
        DESC 'Distinguished name of krb5Realm entry'
        SUP distinguishedName )

# Realm name as an octet string (...121.1.40) limited to 128 octets;
# octetStringMatch compares byte-for-byte, i.e. case-sensitively.
attributetype ( 1.3.6.1.4.1.5322.10.1.12
        NAME 'krb5RealmName'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

# Object class definitions

# Auxiliary class marking an entry as a Kerberos principal.  Only the
# principal name is mandatory; cn and the realm pointer are optional.
objectclass ( 1.3.6.1.4.1.5322.10.2.1
        NAME 'krb5Principal'
        SUP top
        AUXILIARY
        MUST ( krb5PrincipalName )
        MAY ( cn $ krb5PrincipalRealm ) )

# Auxiliary class for a principal the KDC can actually serve.  Beyond
# what krb5Principal requires, only the kvno is mandatory; the key,
# flags, lifetimes and validity window are all optional, so the schema
# alone does not guarantee an entry has a key or a policy set.
objectclass ( 1.3.6.1.4.1.5322.10.2.2
        NAME 'krb5KDCEntry'
        SUP krb5Principal
        AUXILIARY
        MUST ( krb5KeyVersionNumber )
        MAY ( krb5ValidStart $ krb5ValidEnd $ krb5PasswordEnd $
              krb5MaxLife $ krb5MaxRenew $ krb5KDCFlags $
              krb5EncryptionType $ krb5Key ) )

# Auxiliary class for a realm entry; the realm name is the only
# required attribute.  krb5PrincipalRealm values point at entries of
# this class.
objectclass ( 1.3.6.1.4.1.5322.10.2.3
        NAME 'krb5Realm'
        SUP top
        AUXILIARY
        MUST ( krb5RealmName ) )
