# Novell Kerberos Schema Definitions
# Novell Inc.
# 1800 South Novell Place
# Provo, UT 84606
#
# VeRsIoN=1.0
# CoPyRiGhT=(c) Copyright 2006, Novell, Inc. All rights reserved
#
# OIDs:
#   joint-iso-ccitt(2)
#     country(16)
#       us(840)
#         organization(1)
#           Novell(113719)
#             applications(1)
#               kerberos(301)
#                 Kerberos Attribute Type(4)    attr# version#
#                   specific attribute definitions
#                 Kerberos Attribute Syntax(5)
#                   specific syntax definitions
#                 Kerberos Object Class(6)      class# version#
#                   specific class definitions
#
#   iso(1)
#     member-body(2)
#       United States(840)
#         mit (113554)
#           infosys(1)
#             ldap(4)
#               attributeTypes(1)
#                 Kerberos(6)

########################################################################


########################################################################
#                      Attribute Type Definitions                      #
########################################################################

##### This is the principal name in the RFC 1964 specified format

attributetype ( 2.16.840.1.113719.1.301.4.1.1
        NAME 'krbPrincipalName'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)

##### If there are multiple krbPrincipalName values for an entry, this
##### is the canonical principal name in the RFC 1964 specified
##### format. (If this attribute does not exist, then all
##### krbPrincipalName values are treated as canonical.)

attributetype ( 1.2.840.113554.1.4.1.6.1
        NAME 'krbCanonicalName'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
        SINGLE-VALUE)

##### This specifies the type of the principal; the type can be any of
##### the types mentioned in section 6.2 of RFC 4120

attributetype ( 2.16.840.1.113719.1.301.4.3.1
        NAME 'krbPrincipalType'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE)


##### This flag indicates whether the directory User Password is to be used
##### as the kerberos password.
##### TRUE, if User Password is to be used as the kerberos password.
##### FALSE, if User Password and the kerberos password are different.

attributetype ( 2.16.840.1.113719.1.301.4.5.1
        NAME 'krbUPEnabled'
        DESC 'Boolean'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
        SINGLE-VALUE)


##### The time at which the principal expires

attributetype ( 2.16.840.1.113719.1.301.4.6.1
        NAME 'krbPrincipalExpiration'
        EQUALITY generalizedTimeMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE)


##### The krbTicketFlags attribute holds information about the kerberos flags for a principal.
##### The values (0x00000001 - 0x00800000) are reserved for standards and
##### values (0x01000000 - 0x80000000) can be used for proprietary extensions.
##### The flags and values as per RFC 4120 and the MIT implementation are:
#####     DISALLOW_POSTDATED      0x00000001
#####     DISALLOW_FORWARDABLE    0x00000002
#####     DISALLOW_TGT_BASED      0x00000004
#####     DISALLOW_RENEWABLE      0x00000008
#####     DISALLOW_PROXIABLE      0x00000010
#####     DISALLOW_DUP_SKEY       0x00000020
#####     DISALLOW_ALL_TIX        0x00000040
#####     REQUIRES_PRE_AUTH       0x00000080
#####     REQUIRES_HW_AUTH        0x00000100
#####     REQUIRES_PWCHANGE       0x00000200
#####     DISALLOW_SVR            0x00001000
#####     PWCHANGE_SERVICE        0x00002000


attributetype ( 2.16.840.1.113719.1.301.4.8.1
        NAME 'krbTicketFlags'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE)


##### The maximum ticket lifetime for a principal in seconds

attributetype ( 2.16.840.1.113719.1.301.4.9.1
        NAME 'krbMaxTicketLife'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE)


##### Maximum renewable lifetime for a principal's ticket in seconds

attributetype ( 2.16.840.1.113719.1.301.4.10.1
        NAME 'krbMaxRenewableAge'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE)


##### Forward reference to the Realm object.
##### (FDN of the krbRealmContainer object).
##### Example: cn=ACME.COM, cn=Kerberos, cn=Security

attributetype ( 2.16.840.1.113719.1.301.4.14.1
        NAME 'krbRealmReferences'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### List of LDAP servers that kerberos servers can contact.
##### The attribute holds data in the ldap uri format,
##### Examples: acme.com#636, 164.164.164.164#1636, ldaps://acme.com:636
#####
##### The values of this attribute need to be updated, when
##### the LDAP servers listed here are renamed, moved or deleted.

attributetype ( 2.16.840.1.113719.1.301.4.15.1
        NAME 'krbLdapServers'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)


##### A set of forward references to the KDC Service objects.
##### (FDNs of the krbKdcService objects).
##### Example: cn=kdc - server 1, ou=uvw, o=xyz

attributetype ( 2.16.840.1.113719.1.301.4.17.1
        NAME 'krbKdcServers'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### A set of forward references to the Password Service objects.
##### (FDNs of the krbPwdService objects).
##### Example: cn=kpasswdd - server 1, ou=uvw, o=xyz

attributetype ( 2.16.840.1.113719.1.301.4.18.1
        NAME 'krbPwdServers'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### This attribute holds the Host Name or the ip address,
##### transport protocol and ports of the kerberos service host.
##### The format is host_name-or-ip_address#protocol#port
##### Protocol can be 0 or 1. 0 is for UDP. 1 is for TCP.

attributetype ( 2.16.840.1.113719.1.301.4.24.1
        NAME 'krbHostServer'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)


##### This attribute holds the scope for searching the principals
##### under the krbSubTrees attribute of krbRealmContainer.
##### The value can either be 1 (ONE) or 2 (SUB_TREE).

attributetype ( 2.16.840.1.113719.1.301.4.25.1
        NAME 'krbSearchScope'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE)


##### FDNs pointing to Kerberos principals

attributetype ( 2.16.840.1.113719.1.301.4.26.1
        NAME 'krbPrincipalReferences'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### This attribute specifies which attribute of the user objects is
##### to be used as the principal name component for Kerberos.
##### The allowed values are cn, sn, uid, givenname, fullname.

attributetype ( 2.16.840.1.113719.1.301.4.28.1
        NAME 'krbPrincNamingAttr'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        SINGLE-VALUE)


##### A set of forward references to the Administration Service objects.
##### (FDNs of the krbAdmService objects).
##### Example: cn=kadmindd - server 1, ou=uvw, o=xyz

attributetype ( 2.16.840.1.113719.1.301.4.29.1
        NAME 'krbAdmServers'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### Maximum lifetime of a principal's password

attributetype ( 2.16.840.1.113719.1.301.4.30.1
        NAME 'krbMaxPwdLife'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE)


##### Minimum lifetime of a principal's password

attributetype ( 2.16.840.1.113719.1.301.4.31.1
        NAME 'krbMinPwdLife'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE)


##### Minimum number of character classes allowed in a password

attributetype ( 2.16.840.1.113719.1.301.4.32.1
        NAME 'krbPwdMinDiffChars'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE)


##### Minimum length of the password

attributetype ( 2.16.840.1.113719.1.301.4.33.1
        NAME 'krbPwdMinLength'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE)


##### Number of previous versions of passwords that are stored

attributetype ( 2.16.840.1.113719.1.301.4.34.1
        NAME 'krbPwdHistoryLength'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE)


##### Number of consecutive pre-authentication failures before lockout

attributetype ( 1.3.6.1.4.1.5322.21.2.1
        NAME 'krbPwdMaxFailure'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE)


##### Period after which the bad preauthentication count will be reset

attributetype ( 1.3.6.1.4.1.5322.21.2.2
        NAME 'krbPwdFailureCountInterval'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE)


##### Period in which lockout is enforced

attributetype ( 1.3.6.1.4.1.5322.21.2.3
        NAME 'krbPwdLockoutDuration'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE)


##### Policy attribute flags

attributetype ( 1.2.840.113554.1.4.1.6.2
        NAME 'krbPwdAttributes'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE)


##### Policy maximum ticket lifetime

attributetype ( 1.2.840.113554.1.4.1.6.3
        NAME 'krbPwdMaxLife'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE)


##### Policy maximum ticket renewable lifetime

attributetype ( 1.2.840.113554.1.4.1.6.4
        NAME 'krbPwdMaxRenewableLife'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE)


##### Allowed enctype:salttype combinations for key changes

attributetype ( 1.2.840.113554.1.4.1.6.5
        NAME 'krbPwdAllowedKeysalts'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
        SINGLE-VALUE)


##### FDN pointing to a Kerberos Password Policy object

attributetype ( 2.16.840.1.113719.1.301.4.36.1
        NAME 'krbPwdPolicyReference'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
        SINGLE-VALUE)


##### The time at which the principal's password expires

attributetype ( 2.16.840.1.113719.1.301.4.37.1
        NAME 'krbPasswordExpiration'
        EQUALITY generalizedTimeMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE)


##### This attribute holds the principal's key (krbPrincipalKey) that is encrypted with
##### the master key (krbMKey).
##### The attribute is ASN.1 encoded.
#####
##### The format of the value for this attribute is explained below,
##### KrbKeySet ::= SEQUENCE {
#####     attribute-major-vno       [0] UInt16,
#####     attribute-minor-vno       [1] UInt16,
#####     kvno                      [2] UInt32,
#####     mkvno                     [3] UInt32 OPTIONAL,
#####     keys                      [4] SEQUENCE OF KrbKey,
#####     ...
##### }
#####
##### KrbKey ::= SEQUENCE {
#####     salt      [0] KrbSalt OPTIONAL,
#####     key       [1] EncryptionKey,
#####     s2kparams [2] OCTET STRING OPTIONAL,
#####     ...
##### }
#####
##### KrbSalt ::= SEQUENCE {
#####     type      [0] Int32,
#####     salt      [1] OCTET STRING OPTIONAL
##### }
#####
##### EncryptionKey ::= SEQUENCE {
#####     keytype   [0] Int32,
#####     keyvalue  [1] OCTET STRING
##### }

attributetype ( 2.16.840.1.113719.1.301.4.39.1
        NAME 'krbPrincipalKey'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)


##### FDN pointing to a Kerberos Ticket Policy object.

attributetype ( 2.16.840.1.113719.1.301.4.40.1
        NAME 'krbTicketPolicyReference'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
        SINGLE-VALUE)


##### Forward reference to an entry that starts sub-trees
##### where principals and other kerberos objects in the realm are configured.
##### Example: ou=acme, ou=pq, o=xyz

attributetype ( 2.16.840.1.113719.1.301.4.41.1
        NAME 'krbSubTrees'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### Holds the default encryption/salt type combinations of principals for
##### the Realm. Stored in the form of key:salt strings. This will be a
##### subset of the supported encryption/salt types.
##### Example: aes256-cts-hmac-sha384-192:normal

attributetype ( 2.16.840.1.113719.1.301.4.42.1
        NAME 'krbDefaultEncSaltTypes'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)


##### Holds the supported encryption/salt type combinations of principals for
##### the Realm. Stored in the form of key:salt strings.
##### The supported encryption types are mentioned in RFC 3961
##### The supported salt types are,
#####     NORMAL
#####     V4
#####     NOREALM
#####     ONLYREALM
#####     SPECIAL
#####     AFS3
##### Example: aes256-cts-hmac-sha384-192:normal

attributetype ( 2.16.840.1.113719.1.301.4.43.1
        NAME 'krbSupportedEncSaltTypes'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)


##### This attribute holds the principal's old keys (krbPwdHistory) that are encrypted with
##### the kadmin/history key.
##### The attribute is ASN.1 encoded.
#####
##### The format of the value for this attribute is explained below,
##### KrbKeySet ::= SEQUENCE {
#####     attribute-major-vno       [0] UInt16,
#####     attribute-minor-vno       [1] UInt16,
#####     kvno                      [2] UInt32,
#####     mkvno                     [3] UInt32 OPTIONAL,  -- actually kadmin/history key
#####     keys                      [4] SEQUENCE OF KrbKey,
#####     ...
##### }
#####
##### KrbKey ::= SEQUENCE {
#####     salt      [0] KrbSalt OPTIONAL,
#####     key       [1] EncryptionKey,
#####     s2kparams [2] OCTET STRING OPTIONAL,
#####     ...
##### }
#####
##### KrbSalt ::= SEQUENCE {
#####     type      [0] Int32,
#####     salt      [1] OCTET STRING OPTIONAL
##### }
#####
##### EncryptionKey ::= SEQUENCE {
#####     keytype   [0] Int32,
#####     keyvalue  [1] OCTET STRING
##### }

attributetype ( 2.16.840.1.113719.1.301.4.44.1
        NAME 'krbPwdHistory'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)


##### The time at which the principal's last password change happened.

attributetype ( 2.16.840.1.113719.1.301.4.45.1
        NAME 'krbLastPwdChange'
        EQUALITY generalizedTimeMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE)

##### The time at which the principal was last administratively unlocked.

attributetype ( 1.3.6.1.4.1.5322.21.2.5
        NAME 'krbLastAdminUnlock'
        EQUALITY generalizedTimeMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE)

##### This attribute holds the kerberos master key.
##### This can be used to encrypt principal keys.
##### This attribute has to be secured in the directory.
#####
##### This attribute is ASN.1 encoded.
##### The format of the value for this attribute is explained below,
##### KrbMKey ::= SEQUENCE {
#####     kvno    [0] UInt32,
#####     key     [1] MasterKey
##### }
#####
##### MasterKey ::= SEQUENCE {
#####     keytype   [0] Int32,
#####     keyvalue  [1] OCTET STRING
##### }


attributetype ( 2.16.840.1.113719.1.301.4.46.1
        NAME 'krbMKey'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)


##### This stores the alternate principal names for the principal in the RFC 1964 specified format

attributetype ( 2.16.840.1.113719.1.301.4.47.1
        NAME 'krbPrincipalAliases'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)


##### The time at which the principal's last successful authentication happened.

attributetype ( 2.16.840.1.113719.1.301.4.48.1
        NAME 'krbLastSuccessfulAuth'
        EQUALITY generalizedTimeMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE)


##### The time at which the principal's last failed authentication happened.

attributetype ( 2.16.840.1.113719.1.301.4.49.1
        NAME 'krbLastFailedAuth'
        EQUALITY generalizedTimeMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE)


##### This attribute stores the number of failed authentication attempts
##### for the principal since the last successful authentication.

attributetype ( 2.16.840.1.113719.1.301.4.50.1
        NAME 'krbLoginFailedCount'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE)



##### This attribute holds the application specific data.

attributetype ( 2.16.840.1.113719.1.301.4.51.1
        NAME 'krbExtraData'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)


##### This attribute holds references to the set of directory objects.
##### It stores the DNs of the directory objects to which the
##### principal object belongs.

attributetype ( 2.16.840.1.113719.1.301.4.52.1
        NAME 'krbObjectReferences'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### This attribute holds references to a Container object where
##### the additional principal objects and stand alone principal
##### objects (krbPrincipal) can be created.

attributetype ( 2.16.840.1.113719.1.301.4.53.1
        NAME 'krbPrincContainerRef'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### A list of authentication indicator strings, one of which must be satisfied
##### to authenticate to the principal as a service.
##### FreeIPA OID:
##### joint-iso-ccitt(3) country(16) us(840) organization(1) netscape(113730)
##### ldap(3) freeipa(8) krb5(15) attributes(2)
attributetype ( 2.16.840.1.113730.3.8.15.2.1
        NAME 'krbPrincipalAuthInd'
        EQUALITY caseExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)


##### A list of services to which a service principal can delegate.
attributetype ( 1.3.6.1.4.1.5322.21.2.4
        NAME 'krbAllowedToDelegateTo'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)

########################################################################
########################################################################
#                       Object Class Definitions                       #
########################################################################

#### This is a kerberos container for all the realms in a tree.

objectclass ( 2.16.840.1.113719.1.301.6.1.1
        NAME 'krbContainer'
        SUP top
        STRUCTURAL
        MUST ( cn ) )


##### The krbRealmContainer is created per realm and holds realm specific data.

objectclass ( 2.16.840.1.113719.1.301.6.2.1
        NAME 'krbRealmContainer'
        SUP top
        STRUCTURAL
        MUST ( cn )
        MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef ) )


##### An instance of a class derived from krbService is created per
##### kerberos authentication or administration server in a realm and holds
##### references to the realm objects. These references are used to further read
##### realm specific data to service AS/TGS requests. Additionally this object
##### contains some server specific data like pathnames and ports that the
##### server uses. This is the identity the kerberos server logs in with. A key
##### pair for the same is created and the kerberos server logs in with the same.
#####
##### krbKdcService, krbAdmService and krbPwdService derive from this class.

objectclass ( 2.16.840.1.113719.1.301.6.3.1
        NAME 'krbService'
        SUP top
        ABSTRACT
        MUST ( cn )
        MAY ( krbHostServer $ krbRealmReferences ) )


##### Representative object for the KDC server to bind into an LDAP directory
##### and have a connection to access Kerberos data with the required
##### access rights.

objectclass ( 2.16.840.1.113719.1.301.6.4.1
        NAME 'krbKdcService'
        SUP krbService
        STRUCTURAL )


##### Representative object for the Kerberos Password server to bind into an LDAP directory
##### and have a connection to access Kerberos data with the required
##### access rights.

objectclass ( 2.16.840.1.113719.1.301.6.5.1
        NAME 'krbPwdService'
        SUP krbService
        STRUCTURAL )


###### The principal data auxiliary class. Holds principal information
###### and is used to store principal information for Person and Service objects.

objectclass ( 2.16.840.1.113719.1.301.6.8.1
        NAME 'krbPrincipalAux'
        SUP top
        AUXILIARY
        MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbLastAdminUnlock $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbAllowedToDelegateTo $ krbPrincipalAuthInd ) )


###### This class is used to create additional principals and stand alone principals.

objectclass ( 2.16.840.1.113719.1.301.6.9.1
        NAME 'krbPrincipal'
        SUP top
        MUST ( krbPrincipalName )
        MAY ( krbObjectReferences ) )


###### The principal references auxiliary class. Holds all principals referred
###### from a service

objectclass ( 2.16.840.1.113719.1.301.6.11.1
        NAME 'krbPrincRefAux'
        SUP top
        AUXILIARY
        MAY krbPrincipalReferences )


##### Representative object for the Kerberos Administration server to bind into an LDAP directory
##### and have a connection Id to access Kerberos data with the required access rights.

objectclass ( 2.16.840.1.113719.1.301.6.13.1
        NAME 'krbAdmService'
        SUP krbService
        STRUCTURAL )


##### The krbPwdPolicy object is a template password policy that
##### can be applied to principals when they are created.
##### These policy attributes will be in effect, when the Kerberos
##### passwords are different from users' passwords (UP).

objectclass ( 2.16.840.1.113719.1.301.6.14.1
        NAME 'krbPwdPolicy'
        SUP top
        MUST ( cn )
        MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxLife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) )


##### The krbTicketPolicyAux holds Kerberos ticket policy attributes.
##### This class can be attached to a principal object or realm object.

objectclass ( 2.16.840.1.113719.1.301.6.16.1
        NAME 'krbTicketPolicyAux'
        SUP top
        AUXILIARY
        MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )


##### The krbTicketPolicy object is an effective ticket policy that is associated with a realm or a principal

objectclass ( 2.16.840.1.113719.1.301.6.17.1
        NAME 'krbTicketPolicy'
        SUP top
        MUST ( cn ) )

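The krbTicketFlags comment earlier in this schema gives the bit values for the standard flags and marks the range above 0x00800000 as proprietary. As an added example (not part of the schema file and not MIT Kerberos code), the Python below names the bits of a krbTicketFlags value, separates undocumented standards-range bits from proprietary ones, and runs a small defensive audit over constructed sample entries. The entry dicts, principal names and audit rules are assumptions for illustration; the flag table itself is copied from the comment above.

```python
# Added example: decode krbTicketFlags values using the table from the schema
# comment. Sample entries are constructed; they are not real directory data.

# Standard flag bits as listed in the krbTicketFlags comment (RFC 4120 / MIT).
KRB_TICKET_FLAGS = {
    "DISALLOW_POSTDATED":   0x00000001,
    "DISALLOW_FORWARDABLE": 0x00000002,
    "DISALLOW_TGT_BASED":   0x00000004,
    "DISALLOW_RENEWABLE":   0x00000008,
    "DISALLOW_PROXIABLE":   0x00000010,
    "DISALLOW_DUP_SKEY":    0x00000020,
    "DISALLOW_ALL_TIX":     0x00000040,
    "REQUIRES_PRE_AUTH":    0x00000080,
    "REQUIRES_HW_AUTH":     0x00000100,
    "REQUIRES_PWCHANGE":    0x00000200,
    "DISALLOW_SVR":         0x00001000,
    "PWCHANGE_SERVICE":     0x00002000,
}

STANDARD_MASK = 0x00FFFFFF     # 0x00000001 - 0x00800000: reserved for standards
PROPRIETARY_MASK = 0xFF000000  # 0x01000000 - 0x80000000: proprietary extensions
_KNOWN_BITS = 0
for _bit in KRB_TICKET_FLAGS.values():
    _KNOWN_BITS |= _bit


def decode_ticket_flags(value):
    """Split a krbTicketFlags value (int or LDAP integer string) into
    (names, unknown_standard_bits, proprietary_bits).

    names: set of flag names from the table that are set
    unknown_standard_bits: standards-range bits the table does not name
    proprietary_bits: bits in the proprietary range, left undecoded
    """
    value = int(value)
    if value < 0 or value > 0xFFFFFFFF:
        raise ValueError("krbTicketFlags must be a 32-bit unsigned integer")
    names = {name for name, bit in KRB_TICKET_FLAGS.items() if value & bit}
    unknown_standard = value & STANDARD_MASK & ~_KNOWN_BITS
    proprietary = value & PROPRIETARY_MASK
    return names, unknown_standard, proprietary


def audit_entry(entry):
    """Defensive checks on one principal entry.

    `entry` mimics a decoded LDAP entry: a dict with 'krbPrincipalName' and
    an optional 'krbTicketFlags' string, the shape most LDAP clients return.
    The rules are illustrative assumptions, not a published baseline.
    """
    findings = []
    raw = entry.get("krbTicketFlags")
    if raw is None:
        findings.append("no krbTicketFlags: ticket policy is inherited from the "
                        "referenced krbTicketPolicy or realm")
        return findings
    names, unknown, proprietary = decode_ticket_flags(raw)
    if "REQUIRES_PRE_AUTH" not in names:
        findings.append("REQUIRES_PRE_AUTH not set")
    if "DISALLOW_ALL_TIX" in names:
        findings.append("DISALLOW_ALL_TIX set: principal is disabled")
    if unknown:
        findings.append("undocumented standards-range bits: 0x%08x" % unknown)
    if proprietary:
        findings.append("proprietary bits: 0x%08x" % proprietary)
    return findings


# Constructed sample entries (not real data).
SAMPLE_ENTRIES = [
    {"krbPrincipalName": "alice@EXAMPLE.COM", "krbTicketFlags": "128"},      # REQUIRES_PRE_AUTH
    {"krbPrincipalName": "svc-legacy@EXAMPLE.COM", "krbTicketFlags": "2"},  # DISALLOW_FORWARDABLE only
    {"krbPrincipalName": "bob@EXAMPLE.COM", "krbTicketFlags": "16777344"},  # 0x01000080
    {"krbPrincipalName": "carol@EXAMPLE.COM"},                              # attribute absent
]


def audit_all(entries=SAMPLE_ENTRIES):
    """Map each krbPrincipalName to its list of findings."""
    return {e["krbPrincipalName"]: audit_entry(e) for e in entries}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or "ok")
```

The audit treats a missing attribute as a pointer back to the krbTicketPolicyReference / realm policy rather than as a finding of its own, since the schema lets krbTicketPolicyAux sit on either a principal or a realm object.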
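The krbPrincipalKey and krbPwdHistory comments above both describe the same ASN.1 KrbKeySet structure (KrbKeySet, KrbKey, KrbSalt, EncryptionKey). As an added example serving both attributes (this is not code from the schema or from MIT Kerberos), the Python below is a minimal DER encoder and decoder for that structure, with enough validation to reject truncated or mis-tagged values, and a round trip over a constructed sample. Assumptions: the context tags are explicit, as is usual in Kerberos ASN.1 modules; the key bytes, salt and s2kparams in the sample are placeholders, not real key material; decoding stops at the fields the schema names and ignores nothing else, so a value carrying extension fields (the `...` in the definition) would be rejected.

```python
# Added example: DER codec for the KrbKeySet stored in krbPrincipalKey and
# krbPwdHistory. Explicit context tagging is assumed; sample keys are dummies.

def _len(n):
    """DER length: short form below 128, else 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body): return bytes([tag]) + _len(len(body)) + body
def _octets(b): return _tlv(0x04, b)
def _seq(*items): return _tlv(0x30, b"".join(items))
def _ctx(n, body): return _tlv(0xA0 | n, body)  # explicit [n]: constructed, context-specific

def _int(v):
    # INTEGER in two's complement; the spare bit keeps positives from reading as negative
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def encode_keyset(kvno, keys, mkvno=None, major=1, minor=1):
    # keys: dicts with keytype, keyvalue and optional salttype / salt / s2kparams
    parts = [_ctx(0, _int(major)), _ctx(1, _int(minor)), _ctx(2, _int(kvno))]
    if mkvno is not None:
        parts.append(_ctx(3, _int(mkvno)))
    encoded = []
    for k in keys:
        items = []
        if "salttype" in k:  # KrbSalt, OPTIONAL
            salt = _ctx(0, _int(k["salttype"]))
            if k.get("salt") is not None:
                salt += _ctx(1, _octets(k["salt"]))
            items.append(_ctx(0, _seq(salt)))
        items.append(_ctx(1, _seq(_ctx(0, _int(k["keytype"])),  # EncryptionKey
                                  _ctx(1, _octets(k["keyvalue"])))))
        if k.get("s2kparams") is not None:
            items.append(_ctx(2, _octets(k["s2kparams"])))
        encoded.append(_seq(*items))
    parts.append(_ctx(4, _seq(*encoded)))
    return _seq(*parts)

def _read_tlv(buf, pos):
    # Return (tag, value, next_pos) for the element at buf[pos]; rejects truncation
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def _typed(tlv, want):
    if tlv[0] != want:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (want, tlv[0]))
    return tlv[1]

def _fields(seq_tlv):
    # Map explicit context tag number -> the single inner (tag, value) it wraps
    fields = {}
    for tag, val in _children(_typed(seq_tlv, 0x30)):
        inner = _children(val)
        if tag & 0xC0 != 0x80 or len(inner) != 1:
            raise ValueError("expected an explicit context tag wrapping one element")
        fields[tag & 0x1F] = inner[0]
    return fields

def _int_of(tlv): return int.from_bytes(_typed(tlv, 0x02), "big", signed=True)

def decode_keyset(der):
    tag, body, end = _read_tlv(der, 0)
    if end != len(der):
        raise ValueError("trailing data after KrbKeySet")
    f = _fields((tag, body))
    out = {"major": _int_of(f[0]), "minor": _int_of(f[1]), "kvno": _int_of(f[2]),
           "mkvno": _int_of(f[3]) if 3 in f else None, "keys": []}
    for key_tlv in _children(_typed(f[4], 0x30)):
        kf = _fields(key_tlv)
        ek = _fields(kf[1])
        key = {"keytype": _int_of(ek[0]), "keyvalue": _typed(ek[1], 0x04)}
        if 0 in kf:
            sf = _fields(kf[0])
            key["salttype"] = _int_of(sf[0])
            key["salt"] = _typed(sf[1], 0x04) if 1 in sf else None
        if 2 in kf:
            key["s2kparams"] = _typed(kf[2], 0x04)
        out["keys"].append(key)
    return out

# Constructed sample: an enctype 18 key with a salt and an enctype 17 key
# carrying s2kparams. Key bytes are placeholders, not real key material.
SAMPLE_KEYS = [
    {"keytype": 18, "keyvalue": bytes(range(32)), "salttype": 0, "salt": b"EXAMPLE.COMalice"},
    {"keytype": 17, "keyvalue": b"\x11" * 16, "s2kparams": b"\x00\x00\x10\x00"},
]

def roundtrip(kvno=3, mkvno=1):
    der = encode_keyset(kvno, SAMPLE_KEYS, mkvno=mkvno)
    return der, decode_keyset(der)
```

Because the sample set encodes to more than 127 bytes, the round trip also exercises the long-form length that real krbPrincipalKey values use. A practical use of `decode_keyset` on a defender's side is checking that the `mkvno` recorded in each principal's key set matches the kvno of the current krbMKey after a master key rollover, without ever handling the decrypted key material.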