# ident "%Z%%M% %I% %E% SMI"
#
# Novell Kerberos Schema Definitions
# Novell Inc.
# 1800 South Novell Place
# Provo, UT 84606
#
# VeRsIoN=1.0
# CoPyRiGhT=(c) Copyright 2006, Novell, Inc. All rights reserved
#
# OIDs:
#  joint-iso-ccitt(2)
#   country(16)
#    us(840)
#     organization(1)
#      Novell(113719)
#       applications(1)
#        kerberos(301)
#         Kerberos Attribute Type(4) attr# version#
#          specific attribute definitions
#         Kerberos Attribute Syntax(5)
#          specific syntax definitions
#         Kerberos Object Class(6) class# version#
#          specific class definitions

########################################################################


########################################################################
#                      Attribute Type Definitions                      #
########################################################################

##### This is the principal name in the RFC 1964 specified format

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.1.1
 NAME 'krbPrincipalName'
 EQUALITY caseExactIA5Match
 SUBSTR caseExactSubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)


##### This specifies the type of the principal; the type can be any of
##### the types listed in section 6.2 of RFC 4120.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.3.1
 NAME 'krbPrincipalType'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE)


##### This flag indicates whether the directory User Password is to be used
##### as the kerberos password.
##### TRUE, if User Password is to be used as the kerberos password.
##### FALSE, if User Password and the kerberos password are different.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.5.1
 NAME 'krbUPEnabled'
 DESC 'Boolean'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
 SINGLE-VALUE)


##### The time at which the principal expires

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.6.1
 NAME 'krbPrincipalExpiration'
 EQUALITY generalizedTimeMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
 SINGLE-VALUE)


##### The krbTicketFlags attribute holds information about the kerberos flags for a principal.
##### The values (0x00000001 - 0x00800000) are reserved for standards and
##### values (0x01000000 - 0x80000000) can be used for proprietary extensions.
##### The flags and values as per RFC 4120 and the MIT implementation are:
#####   DISALLOW_POSTDATED     0x00000001
#####   DISALLOW_FORWARDABLE   0x00000002
#####   DISALLOW_TGT_BASED     0x00000004
#####   DISALLOW_RENEWABLE     0x00000008
#####   DISALLOW_PROXIABLE     0x00000010
#####   DISALLOW_DUP_SKEY      0x00000020
#####   DISALLOW_ALL_TIX       0x00000040
#####   REQUIRES_PRE_AUTH      0x00000080
#####   REQUIRES_HW_AUTH       0x00000100
#####   REQUIRES_PWCHANGE      0x00000200
#####   DISALLOW_SVR           0x00001000
#####   PWCHANGE_SERVICE       0x00002000


dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.8.1
 NAME 'krbTicketFlags'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE)


##### The maximum ticket lifetime for a principal in seconds

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.9.1
 NAME 'krbMaxTicketLife'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE)


##### Maximum renewable lifetime for a principal's ticket in seconds

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.10.1
 NAME 'krbMaxRenewableAge'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE)


##### Forward reference to the Realm object.
##### (FDN of the krbRealmContainer object).
##### Example: cn=ACME.COM, cn=Kerberos, cn=Security

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.14.1
 NAME 'krbRealmReferences'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### List of LDAP servers that kerberos servers can contact.
##### The attribute holds data in the LDAP URI format.
##### Example: ldaps://acme.com:636
#####
##### The values of this attribute need to be updated when
##### the LDAP servers listed here are renamed, moved or deleted.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.15.1
 NAME 'krbLdapServers'
 EQUALITY caseIgnoreMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)


##### A set of forward references to the KDC Service objects.
##### (FDNs of the krbKdcService objects).
##### Example: cn=kdc - server 1, ou=uvw, o=xyz

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.17.1
 NAME 'krbKdcServers'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### A set of forward references to the Password Service objects.
##### (FDNs of the krbPwdService objects).
##### Example: cn=kpasswdd - server 1, ou=uvw, o=xyz

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.18.1
 NAME 'krbPwdServers'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### This attribute holds the host name or IP address,
##### transport protocol and port of the kerberos service host.
##### The format is host_name-or-ip_address#protocol#port
##### Protocol can be 0 or 1. 0 is for UDP. 1 is for TCP.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.24.1
 NAME 'krbHostServer'
 EQUALITY caseExactIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)


##### This attribute holds the scope for searching the principals
##### under the krbSubTrees attribute of krbRealmContainer.
##### The value can either be 1 (ONE) or 2 (SUB_TREE).

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.25.1
 NAME 'krbSearchScope'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE)


##### FDNs pointing to Kerberos principals

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.26.1
 NAME 'krbPrincipalReferences'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### This attribute specifies which attribute of the user objects is to
##### be used as the principal name component for Kerberos.
##### The allowed values are cn, sn, uid, givenname, fullname.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.28.1
 NAME 'krbPrincNamingAttr'
 EQUALITY caseIgnoreMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
 SINGLE-VALUE)


##### A set of forward references to the Administration Service objects.
##### (FDNs of the krbAdmService objects).
##### Example: cn=kadmindd - server 1, ou=uvw, o=xyz

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.29.1
 NAME 'krbAdmServers'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### Maximum lifetime of a principal's password

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.30.1
 NAME 'krbMaxPwdLife'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE)


##### Minimum lifetime of a principal's password

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.31.1
 NAME 'krbMinPwdLife'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE)


##### Minimum number of character classes a password must contain

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.32.1
 NAME 'krbPwdMinDiffChars'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE)


##### Minimum length of the password

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.33.1
 NAME 'krbPwdMinLength'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE)


##### Number of previous versions of passwords that are stored

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.34.1
 NAME 'krbPwdHistoryLength'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE)


##### FDN pointing to a Kerberos Password Policy object

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.36.1
 NAME 'krbPwdPolicyReference'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
 SINGLE-VALUE)


##### The time at which the principal's password expires

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.37.1
 NAME 'krbPasswordExpiration'
 EQUALITY generalizedTimeMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
 SINGLE-VALUE)


##### This attribute holds the principal's key (krbPrincipalKey) that is encrypted with
##### the master key (krbMKey).
##### The attribute is ASN.1 encoded.
#####
##### The format of the value for this attribute is explained below.
#####   KrbKeySet ::= SEQUENCE {
#####       attribute-major-vno       [0] UInt16,
#####       attribute-minor-vno       [1] UInt16,
#####       kvno                      [2] UInt32,
#####       mkvno                     [3] UInt32 OPTIONAL,
#####       keys                      [4] SEQUENCE OF KrbKey,
#####       ...
#####   }
#####
#####   KrbKey ::= SEQUENCE {
#####       salt      [0] KrbSalt OPTIONAL,
#####       key       [1] EncryptionKey,
#####       s2kparams [2] OCTET STRING OPTIONAL,
#####       ...
#####   }
#####
#####   KrbSalt ::= SEQUENCE {
#####       type      [0] Int32,
#####       salt      [1] OCTET STRING OPTIONAL
#####   }
#####
#####   EncryptionKey ::= SEQUENCE {
#####       keytype   [0] Int32,
#####       keyvalue  [1] OCTET STRING
#####   }

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.39.1
 NAME 'krbPrincipalKey'
 EQUALITY octetStringMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)


##### FDN pointing to a Kerberos Ticket Policy object.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.40.1
 NAME 'krbTicketPolicyReference'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
 SINGLE-VALUE)


##### Forward reference to an entry that starts sub-trees
##### where principals and other kerberos objects in the realm are configured.
##### Example: ou=acme, ou=pq, o=xyz

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.41.1
 NAME 'krbSubTrees'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### Holds the default encryption/salt type combinations of principals for
##### the Realm. Stored in the form of key:salt strings.
##### Example: des-cbc-crc:normal

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.42.1
 NAME 'krbDefaultEncSaltTypes'
 EQUALITY caseIgnoreMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)


##### Holds the supported encryption/salt type combinations of principals for
##### the Realm. Stored in the form of key:salt strings.
##### The supported encryption types are mentioned in RFC 3961.
##### The supported salt types are:
#####   NORMAL
#####   V4
#####   NOREALM
#####   ONLYREALM
#####   SPECIAL
#####   AFS3
##### Example: des-cbc-crc:normal
#####
##### This attribute obsoletes the krbSupportedEncTypes and krbSupportedSaltTypes
##### attributes.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.43.1
 NAME 'krbSupportedEncSaltTypes'
 EQUALITY caseIgnoreMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)


##### This attribute holds the principal's old keys (krbPwdHistory) that are encrypted with
##### the kadmin/history key.
##### The attribute is ASN.1 encoded.
#####
##### The format of the value for this attribute is explained below.
#####   KrbKeySet ::= SEQUENCE {
#####       attribute-major-vno       [0] UInt16,
#####       attribute-minor-vno       [1] UInt16,
#####       kvno                      [2] UInt32,
#####       mkvno                     [3] UInt32 OPTIONAL, -- actually kadmin/history key
#####       keys                      [4] SEQUENCE OF KrbKey,
#####       ...
#####   }
#####
#####   KrbKey ::= SEQUENCE {
#####       salt      [0] KrbSalt OPTIONAL,
#####       key       [1] EncryptionKey,
#####       s2kparams [2] OCTET STRING OPTIONAL,
#####       ...
#####   }
#####
#####   KrbSalt ::= SEQUENCE {
#####       type      [0] Int32,
#####       salt      [1] OCTET STRING OPTIONAL
#####   }
#####
#####   EncryptionKey ::= SEQUENCE {
#####       keytype   [0] Int32,
#####       keyvalue  [1] OCTET STRING
#####   }

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.44.1
 NAME 'krbPwdHistory'
 EQUALITY octetStringMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)


##### The time at which the principal's last password change happened.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.45.1
 NAME 'krbLastPwdChange'
 EQUALITY generalizedTimeMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
 SINGLE-VALUE)


##### This attribute holds the kerberos master key.
##### This can be used to encrypt principal keys.
##### This attribute has to be secured in the directory.
#####
##### This attribute is ASN.1 encoded.
##### The format of the value for this attribute is explained below.
#####   KrbMKey ::= SEQUENCE {
#####       kvno    [0] UInt32,
#####       key     [1] MasterKey
#####   }
#####
#####   MasterKey ::= SEQUENCE {
#####       keytype   [0] Int32,
#####       keyvalue  [1] OCTET STRING
#####   }


dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.46.1
 NAME 'krbMKey'
 EQUALITY octetStringMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)


##### This stores the alternate principal names for the principal in the RFC 1961 specified format

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.47.1
 NAME 'krbPrincipalAliases'
 EQUALITY caseExactIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)


##### The time at which the principal's last successful authentication happened.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.48.1
 NAME 'krbLastSuccessfulAuth'
 EQUALITY generalizedTimeMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
 SINGLE-VALUE)


##### The time at which the principal's last failed authentication happened.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.49.1
 NAME 'krbLastFailedAuth'
 EQUALITY generalizedTimeMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
 SINGLE-VALUE)


##### This attribute stores the number of failed authentication attempts
##### for the principal since the last successful authentication.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.50.1
 NAME 'krbLoginFailedCount'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE)



##### This attribute holds the application specific data.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.51.1
 NAME 'krbExtraData'
 EQUALITY octetStringMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)


##### This attribute holds references to a set of directory objects.
##### It stores the DNs of the directory objects to which the
##### principal object belongs.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.52.1
 NAME 'krbObjectReferences'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


##### This attribute holds references to a Container object where
##### the additional principal objects and stand-alone principal
##### objects (krbPrincipal) can be created.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.53.1
 NAME 'krbPrincContainerRef'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)


########################################################################
########################################################################
#                       Object Class Definitions                       #
########################################################################

#### This is a kerberos container for all the realms in a tree.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.1.1
 NAME 'krbContainer'
 SUP top
 MUST ( cn ) )


##### The krbRealmContainer is created per realm and holds realm specific data.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.2.1
 NAME 'krbRealmContainer'
 SUP top
 MUST ( cn )
 MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef ) )


##### An instance of a class derived from krbService is created per
##### kerberos authentication or administration server in a realm and holds
##### references to the realm objects. These references are used to further read
##### realm specific data to service AS/TGS requests. Additionally this object
##### contains some server specific data like pathnames and ports that the
##### server uses. This is the identity the kerberos server logs in with. A key
##### pair for the same is created and the kerberos server logs in with the same.
#####
##### krbKdcService, krbAdmService and krbPwdService derive from this class.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.3.1
 NAME 'krbService'
 ABSTRACT
 SUP ( top )
 MUST ( cn )
 MAY ( krbHostServer $ krbRealmReferences ) )


##### Representative object for the KDC server to bind into an LDAP directory
##### and have a connection to access Kerberos data with the required
##### access rights.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.4.1
 NAME 'krbKdcService'
 SUP ( krbService ) )


##### Representative object for the Kerberos Password server to bind into an LDAP directory
##### and have a connection to access Kerberos data with the required
##### access rights.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.5.1
 NAME 'krbPwdService'
 SUP ( krbService ) )


###### The principal data auxiliary class. Holds principal information
###### and is used to store principal information for Person and Service objects.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.8.1
 NAME 'krbPrincipalAux'
 AUXILIARY
 MAY ( krbPrincipalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )


###### This class is used to create additional principals and stand-alone principals.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.9.1
 NAME 'krbPrincipal'
 SUP ( top )
 MUST ( krbPrincipalName )
 MAY ( krbObjectReferences ) )


###### The principal references auxiliary class. Holds all principals referred to
###### from a service.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.11.1
 NAME 'krbPrincRefAux'
 SUP top
 AUXILIARY
 MAY krbPrincipalReferences )


##### Representative object for the Kerberos Administration server to bind into an LDAP directory
##### and have a connection Id to access Kerberos data with the required access rights.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.13.1
 NAME 'krbAdmService'
 SUP ( krbService ) )


##### The krbPwdPolicy object is a template password policy that
##### can be applied to principals when they are created.
##### These policy attributes will be in effect when the Kerberos
##### passwords are different from users' passwords (UP).

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.14.1
 NAME 'krbPwdPolicy'
 SUP top
 MUST ( cn )
 MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength ) )


##### The krbTicketPolicyAux holds Kerberos ticket policy attributes.
##### This class can be attached to a principal object or realm object.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.16.1
 NAME 'krbTicketPolicyAux'
 AUXILIARY
 MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )


##### The krbTicketPolicy object is an effective ticket policy that is associated with a realm or a principal.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.17.1
 NAME 'krbTicketPolicy'
 SUP top
 MUST ( cn ) )
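The krbTicketFlags bit values listed in the comment above, decoded and audited in Python. This is an added example, not part of the schema file or of MIT krb5; the audit baseline (every principal is expected to carry REQUIRES_PRE_AUTH) and the sample values are this example's own assumptions.

```python
"""Decode and audit krbTicketFlags (added example; not code from the schema or MIT krb5).
Bit values are the ones the schema comment lists; the audit baseline is this example's own."""
from typing import Dict, List, Union

TICKET_FLAGS: Dict[str, int] = {
    "DISALLOW_POSTDATED":   0x00000001,
    "DISALLOW_FORWARDABLE": 0x00000002,
    "DISALLOW_TGT_BASED":   0x00000004,
    "DISALLOW_RENEWABLE":   0x00000008,
    "DISALLOW_PROXIABLE":   0x00000010,
    "DISALLOW_DUP_SKEY":    0x00000020,
    "DISALLOW_ALL_TIX":     0x00000040,
    "REQUIRES_PRE_AUTH":    0x00000080,
    "REQUIRES_HW_AUTH":     0x00000100,
    "REQUIRES_PWCHANGE":    0x00000200,
    "DISALLOW_SVR":         0x00001000,
    "PWCHANGE_SERVICE":     0x00002000,
}
STANDARD_MASK = 0x00FFFFFF      # 0x00000001 - 0x00800000: reserved for standards
PROPRIETARY_MASK = 0xFF000000   # 0x01000000 - 0x80000000: proprietary extensions
KNOWN_MASK = 0
for _bit in TICKET_FLAGS.values():
    KNOWN_MASK |= _bit


def to_int(value: Union[int, str]) -> int:
    """krbTicketFlags has LDAP INTEGER syntax, so it usually arrives as a decimal string."""
    return int(value) & 0xFFFFFFFF


def decode_flags(value: Union[int, str]) -> List[str]:
    """Names of the listed flags set in the value, lowest bit first."""
    v = to_int(value)
    return [name for name, bit in sorted(TICKET_FLAGS.items(), key=lambda kv: kv[1]) if v & bit]


def encode_flags(names: List[str]) -> int:
    """Inverse of decode_flags; an unknown name raises KeyError rather than being dropped."""
    v = 0
    for name in names:
        v |= TICKET_FLAGS[name]
    return v


def unknown_bits(value: Union[int, str]) -> Dict[str, int]:
    """Bits set outside the listed flags, split by the two ranges the schema reserves."""
    v = to_int(value) & ~KNOWN_MASK
    return {"standard": v & STANDARD_MASK, "proprietary": v & PROPRIETARY_MASK}


def audit_flags(value: Union[int, str]) -> List[str]:
    """Findings for one principal; baseline (an assumption here): pre-auth is required."""
    v = to_int(value)
    findings: List[str] = []
    if not v & TICKET_FLAGS["REQUIRES_PRE_AUTH"]:
        findings.append("pre-authentication not required")
    if v & TICKET_FLAGS["DISALLOW_ALL_TIX"]:
        findings.append("principal is disabled (DISALLOW_ALL_TIX)")
    if v & TICKET_FLAGS["REQUIRES_PWCHANGE"]:
        findings.append("password change pending (REQUIRES_PWCHANGE)")
    extra = unknown_bits(v)
    if extra["standard"]:
        findings.append(f"standard-range bits not in the schema's list: 0x{extra['standard']:08x}")
    if extra["proprietary"]:
        findings.append(f"proprietary extension bits: 0x{extra['proprietary']:08x}")
    return findings


# Constructed sample values, as an LDAP client returns krbTicketFlags (decimal strings).
SAMPLE_FLAGS = {
    "alice": "130",          # REQUIRES_PRE_AUTH | DISALLOW_FORWARDABLE
    "legacy-svc": "64",      # DISALLOW_ALL_TIX only
    "vendor-ext": str(0x01000080),
}


def audit_all(flags_by_principal: Dict[str, str]) -> Dict[str, List[str]]:
    """Only the principals that have at least one finding."""
    out = {name: audit_flags(v) for name, v in flags_by_principal.items()}
    return {name: f for name, f in out.items() if f}
```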
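Checks for the string-formatted attribute values the comments above specify: krbHostServer as host_name-or-ip_address#protocol#port (0 = UDP, 1 = TCP), the enctype:salttype strings with the listed salt types, krbSearchScope (1 or 2) and krbLdapServers URIs. This is an added example, not code from the schema or from MIT krb5; the deprecated-enctype name list, the expectation that krbLdapServers use ldaps://, and the sample entries are this example's own assumptions.

```python
"""Validate the string-formatted attributes this schema defines for krbRealmContainer and
krbService objects (added example, not code from the schema or MIT krb5). The formats are the
schema's: host#protocol#port with 0 = UDP and 1 = TCP, enctype:salttype with the listed salt
types, krbSearchScope 1 or 2. The deprecated-enctype list and the ldaps check are assumptions."""
import re
from ipaddress import ip_address
from typing import Dict, List, Tuple
from urllib.parse import urlparse

SALT_TYPES = {"normal", "v4", "norealm", "onlyrealm", "special", "afs3"}
# Enctype names deprecated by RFC 6649 / RFC 8429 (MIT spellings; assumption of this example).
DEPRECATED_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
                       "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac"}
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def parse_host_server(value: str) -> Tuple[str, str, int]:
    """'kdc1.acme.com#1#88' -> ('kdc1.acme.com', 'TCP', 88); malformed values raise ValueError."""
    parts = value.split("#")
    if len(parts) != 3:
        raise ValueError(f"{value!r}: expected host_name-or-ip_address#protocol#port")
    host, proto, port = parts
    try:
        ip_address(host)                      # IPv4/IPv6 literal: accepted as-is
    except ValueError:
        if not HOST_RE.match(host):
            raise ValueError(f"{value!r}: bad host name") from None
    if proto not in ("0", "1"):
        raise ValueError(f"{value!r}: protocol must be 0 (UDP) or 1 (TCP)")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"{value!r}: port must be 1-65535")
    return host, ("UDP", "TCP")[int(proto)], int(port)


def parse_enc_salt(value: str) -> Tuple[str, str]:
    """'des-cbc-crc:normal' -> ('des-cbc-crc', 'normal'); the salt type must be a listed one."""
    enc, sep, salt = value.partition(":")
    if not sep or not enc or salt.lower() not in SALT_TYPES:
        raise ValueError(f"{value!r}: expected enctype:salttype with a listed salt type")
    return enc.lower(), salt.lower()          # both attributes use caseIgnoreMatch


def validate_entry(entry: Dict[str, List[str]]) -> List[str]:
    """Findings for one directory entry given as {attribute: [values]}; empty means clean."""
    findings: List[str] = []
    for v in entry.get("krbHostServer", []):
        try:
            parse_host_server(v)
        except ValueError as e:
            findings.append(f"krbHostServer: {e}")
    supported = set()
    for attr in ("krbSupportedEncSaltTypes", "krbDefaultEncSaltTypes"):
        for v in entry.get(attr, []):
            try:
                enc, salt = parse_enc_salt(v)
            except ValueError as e:
                findings.append(f"{attr}: {e}")
                continue
            if attr == "krbSupportedEncSaltTypes":
                supported.add((enc, salt))
            elif supported and (enc, salt) not in supported:
                findings.append(f"{attr}: {v} is not in krbSupportedEncSaltTypes")
            if enc in DEPRECATED_ENCTYPES:
                findings.append(f"{attr}: {enc} is a deprecated enctype")
    for v in entry.get("krbSearchScope", []):
        if v not in ("1", "2"):
            findings.append(f"krbSearchScope: {v!r} is neither 1 (ONE) nor 2 (SUB_TREE)")
    for v in entry.get("krbLdapServers", []):
        if urlparse(v).scheme.lower() != "ldaps":
            findings.append(f"krbLdapServers: {v} does not use ldaps://")
    return findings


# Constructed sample entries (realm, hosts and values are made up).
SAMPLE_REALM = {
    "krbLdapServers": ["ldaps://acme.com:636", "ldap://ldap2.acme.com:389"],
    "krbSupportedEncSaltTypes": ["aes256-cts-hmac-sha1-96:normal", "des-cbc-crc:normal"],
    "krbDefaultEncSaltTypes": ["aes256-cts-hmac-sha1-96:normal", "aes128-cts-hmac-sha1-96:v5"],
    "krbSearchScope": ["2"],
}
SAMPLE_KDC = {"krbHostServer": ["kdc1.acme.com#1#88", "10.0.0.5#0#88", "kdc2.acme.com#2#88"]}
```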
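A decoder for the DER-encoded KrbKeySet that krbPrincipalKey and krbPwdHistory hold, following the structure given in their comments above. This is an added example, not code from the schema or from MIT krb5; it assumes DER with EXPLICIT context tags (as in the Kerberos ASN.1 modules) and single-byte tags, leaves the key values opaque (they are encrypted under krbMKey), and reports only kvno, mkvno, enctypes and salt types; the sample bytes are constructed here and are not real key material.

```python
"""Decode the DER KrbKeySet held in krbPrincipalKey / krbPwdHistory (added example; not code
from the schema or MIT krb5). Assumes DER with EXPLICIT context tags, as in the Kerberos
ASN.1 modules, and single-byte tags. Key values stay opaque (they are encrypted under
krbMKey); only kvno, mkvno, enctypes and salt types are surfaced, for auditing."""
from typing import Any, Dict, List, Tuple

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
DEPRECATED_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",  # RFC 6649
                       16: "des3-cbc-sha1", 23: "rc4-hmac"}                    # RFC 8429

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """(tag, contents, next_pos) of the definite-length TLV at pos, bounds-checked."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def _fields(seq: bytes) -> Dict[int, bytes]:
    """Split a SEQUENCE body into {context tag number: wrapped TLV bytes}."""
    out, pos = {}, 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if (tag & 0xE0) != 0xA0:                        # must be context-specific, constructed
            raise ValueError(f"unexpected tag 0x{tag:02x}")
        out[tag & 0x1F] = content
    return out

def _inner(content: bytes, want: int) -> bytes:
    """Unwrap an EXPLICIT tag: exactly one inner TLV with universal tag `want`."""
    tag, value, end = _read_tlv(content, 0)
    if tag != want or end != len(content):
        raise ValueError(f"expected tag 0x{want:02x}, got 0x{tag:02x}")
    return value

def _int(content: bytes) -> int:
    return int.from_bytes(_inner(content, INTEGER), "big", signed=True)

def decode_keyset(der: bytes) -> Dict[str, Any]:
    """Parse one KrbKeySet; malformed input raises ValueError (KeyError if a field is missing)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("KrbKeySet must be exactly one SEQUENCE")
    f = _fields(body)
    keyset: Dict[str, Any] = {"major": _int(f[0]), "minor": _int(f[1]), "kvno": _int(f[2]),
                              "mkvno": _int(f[3]) if 3 in f else None, "keys": []}
    keys, pos = _inner(f[4], SEQUENCE), 0
    while pos < len(keys):                              # SEQUENCE OF KrbKey
        tag, key_body, pos = _read_tlv(keys, pos)
        if tag != SEQUENCE:
            raise ValueError("KrbKey is not a SEQUENCE")
        kf = _fields(key_body)
        key: Dict[str, Any] = {"salt_type": None, "salt": None, "s2kparams": None}
        if 0 in kf:                                     # KrbSalt is OPTIONAL
            sf = _fields(_inner(kf[0], SEQUENCE))
            key["salt_type"] = _int(sf[0])
            key["salt"] = _inner(sf[1], OCTET_STRING) if 1 in sf else None
        ef = _fields(_inner(kf[1], SEQUENCE))           # EncryptionKey
        key["keytype"], key["keyvalue"] = _int(ef[0]), _inner(ef[1], OCTET_STRING)
        if 2 in kf:
            key["s2kparams"] = _inner(kf[2], OCTET_STRING)
        keyset["keys"].append(key)
    return keyset

def weak_keys(keyset: Dict[str, Any]) -> List[str]:
    """Deprecated enctypes still present in a decoded key set."""
    return [DEPRECATED_ENCTYPES[k["keytype"]] for k in keyset["keys"]
            if k["keytype"] in DEPRECATED_ENCTYPES]

def needs_rekey(keyset: Dict[str, Any], current_mkvno: int) -> bool:
    """True if the keys are still wrapped under an older master key than krbMKey's kvno."""
    return keyset["mkvno"] is not None and keyset["mkvno"] != current_mkvno

# Constructed sample (not real key material): kvno 3, mkvno 1, an aes256 key with an empty
# KrbSalt and a des-cbc-crc key with an explicit salt. The outer length uses the long form.
SAMPLE_DER = bytes.fromhex(
    "30 81 82"                                          # KrbKeySet, 130 bytes
    "a0 03 02 01 01" "a1 03 02 01 01"                   # [0] major 1, [1] minor 1
    "a2 03 02 01 03" "a3 03 02 01 01"                   # [2] kvno 3,  [3] mkvno 1
    "a4 6c 30 6a"                                       # [4] keys: SEQUENCE OF, 106 bytes
    "30 36"                                             #   KrbKey #1
    "a0 07 30 05 a0 03 02 01 00"                        #     [0] salt { type 0 }
    "a1 2b 30 29 a0 03 02 01 12 a1 22 04 20" + "00" * 32 +  # [1] key { 18, 32 bytes }
    "30 30"                                             #   KrbKey #2
    "a0 19 30 17 a0 03 02 01 00"                        #     [0] salt { type 0,
    "a1 10 04 0e 45 58 41 4d 50 4c 45 2e 43 4f 4d 62 6f 62"  #     "EXAMPLE.COMbob" }
    "a1 13 30 11 a0 03 02 01 01 a1 0a 04 08" + "ff" * 8     # [1] key { 1, 8 bytes }
)
```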