Merge lp:~asommer/openldap-dit/openldap-dit-split into lp:openldap-dit
- openldap-dit-split
- Merge into trunk
| | |
|---|---|
| Status: | Needs review |
| Proposed branch: | lp:~asommer/openldap-dit/openldap-dit-split |
| Merge into: | lp:openldap-dit |
| Diff against target: | 6285 lines (+3036/-2712), 91 files modified (listed below) |
| To merge this branch: | bzr merge lp:~asommer/openldap-dit/openldap-dit-split |
| Related bugs: | |
| Related blueprints: | OpenLDAP Base DIT (Medium) |

Files modified:
Makefile (+10/-17) acls/config-acl.ldif (+0/-6) acls/frontend-acl.ldif (+0/-7) autofs/autofs.ldif (+11/-0) contents/dit.ldif (+0/-270) core/README (+321/-0) core/acl.ldif (+16/-0) core/cosine.schema.ldif (+200/-0) core/database.ldif (+13/-0) core/dit.ldif (+19/-0) core/inetorgperson.schema.ldif (+69/-0) core/misc.schema.ldif (+25/-0) core/modules.ldif (+4/-0) core/namedObject.schema.ldif (+5/-0) databases/add-hdb.ldif (+0/-152) databases/add-monitor.ldif (+0/-10) debian/changelog (+44/-1) debian/control (+18/-7) debian/copyright (+2/-0) debian/dirs (+0/-1) debian/docs (+0/-10) debian/files (+0/-1) debian/openldap-dit-core.config (+79/-0) debian/openldap-dit-core.dirs (+1/-0) debian/openldap-dit-core.docs (+3/-0) debian/openldap-dit-core.postinst.in (+59/-0) debian/openldap-dit-core.postrm (+15/-0) debian/openldap-dit-core.templates (+28/-0) debian/openldap-dit-usersandgroups.dirs (+1/-0) debian/openldap-dit-usersandgroups.docs (+1/-0) debian/openldap-dit-usersandgroups.postinst.in (+50/-0) debian/openldap-dit.scripts-common (+217/-0) debian/po/POTFILES.in (+1/-0) debian/po/templates.pot (+82/-0) debian/rules (+6/-3) debian/source/format (+1/-0) dhcp/dhcp-acl.ldif (+21/-0) dhcp/dhcp-dit.ldif (+33/-0) dhcp/dhcp-schema.ldif (+224/-0) dns/dns-acl.ldif (+26/-0) dns/dns-dit.ldif (+33/-0) dns/dnszone-schema.ldif (+67/-0) doc/README (+0/-321) mit-kerberos/mit-kerberos-acl.ldif (+29/-0) mit-kerberos/mit-kerberos-dit.ldif (+19/-0) mit-kerberos/mit-kerberos-schema.ldif (+473/-0) mit-kerberos/mit-refint-overlay.ldif (+7/-0) modules/add-modules.ldif (+0/-10) monitor/README (+1/-0) monitor/acl.ldif (+12/-0) monitor/database.ldif (+7/-0) monitor/modules.ldif (+4/-0) openldap-dit-setup.sh (+0/-394) overlays/1_add-ppolicy-overlay.ldif (+0/-6) overlays/2_add-unique-overlay.ldif (+0/-11) overlays/3_add-syncprov-overlay.ldif (+0/-9) overlays/4_add-refint-overlay.ldif (+0/-10) replication/replication-acl.ldif (+7/-0) replication/replication-dit.ldif (+14/-0) replication/replication-modules.ldif (+4/-0) replication/syncprov-overlay.ldif (+9/-0) samba/samba-acl.ldif (+47/-0) samba/samba-dit.ldif (+19/-0) samba/samba-schema.ldif (+175/-0) schemas/autofs.ldif (+0/-11) schemas/cosine.ldif (+0/-200) schemas/dhcp.ldif (+0/-224) schemas/dnszone.ldif (+0/-67) schemas/dyngroup.ldif (+0/-24) schemas/inetorgperson.ldif (+0/-69) schemas/misc.ldif (+0/-25) schemas/mit-kerberos.ldif (+0/-473) schemas/namedObject.ldif (+0/-5) schemas/ppolicy.ldif (+0/-44) schemas/rfc2307bis.ldif (+0/-128) schemas/samba.ldif (+0/-175) schemas/sudo.ldif (+0/-21) sudo/sudo-acl.ldif (+16/-0) sudo/sudo-dit.ldif (+24/-0) sudo/sudo-schema.ldif (+21/-0) usersandgroups/README (+1/-0) usersandgroups/acl.ldif (+81/-0) usersandgroups/dit.ldif (+88/-0) usersandgroups/dyngroup-schema.ldif (+24/-0) usersandgroups/indexes.ldif (+42/-0) usersandgroups/modules.ldif (+10/-0) usersandgroups/ppolicy.overlay.ldif (+6/-0) usersandgroups/ppolicy.schema.ldif (+44/-0) usersandgroups/refint.overlay.ldif (+8/-0) usersandgroups/rfc2307bis.schema.ldif (+128/-0) usersandgroups/unique.overlay.ldif (+11/-0)
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Mathias Gug (community) | | | Needs Fixing |
| Andreas Hasenack | | | Pending |

Review via email: mp+24321@code.launchpad.net
Commit message
Description of the change
My attempt to solve the split-dit-package blueprint: https:/
Created subdirectories in the schemas, acls, databases, contents, modules, and overlays directories for the various "services" that can be added to the DIT. Doing this also allows users to easily create a base DIT if that is all they desire.
Code is also updated for latest slapd package which makes changes to the cn=localroot,
Bruce Edge (bruce-edge) wrote:
Adam Sommer (asommer) wrote:
On Wed, Apr 28, 2010 at 10:30 PM, Thag <email address hidden> wrote:
> Is this available as a pre-built package?
>
> -Bruce
>
Not at this time that I know of, but it should be pretty simple to set up a
PPA for the package or to create a local build using pbuilder.
Thanks.
--
Party On,
Adam
- 68. By Adam Sommer
  Reorganizing files into minimal core scheme.
- 69. By Adam Sommer
  Moved syncprov overlay into its own directory.
- 70. By Adam Sommer
  Moved syncrepl module out of core-modules.ldif
- 71. By Adam Sommer
  Updated package for new modular approach.
- 72. By Adam Sommer
  More Makefile updates to implement the new directory layout.
- 73. By Adam Sommer
  Finally have the correct loop to install the ldifs.
- 74. By Adam Sommer
  Got package working under openldap-dit-core directories.
- 75. By Adam Sommer
  Reorganizing into simple service directories with service-LDIFTYPE.ldif files.
- 76. By Adam Sommer
  Creation of openldap-dit-usersandgroups package.
- 77. By Adam Sommer
  Finished second directory reorganization.
- 78. By Adam Sommer
  Cleaning up postinst scripts.
- 79. By Adam Sommer
  Working toward using debconf to get suffix (from domain) and admin password.
- 80. By Adam Sommer
  Using openldap-dit.scripts-common to hold common postinst functions that will be added using openldap-dit-.postinst.in for each package.
- 81. By Adam Sommer
  Get domain and admin password from debconf, but still need to do sanity checks on password.
- 82. By Adam Sommer
  New while loop to check password confirmation.
- 83. By Adam Sommer
  * Fixed ACL replacement code.
  * Updated usersandgroups postinst.in working on checking for previous DIT.
- 84. By Adam Sommer
  Removed unused functions and cleaned up comments.
- 85. By Adam Sommer
  Adjusted ACL to allow LDAP Admin full control.
- 86. By Adam Sommer
  More ACL adjustments, groups should now work as advertised.
- 87. By Adam Sommer
  * Fixed dsc lintian errors by using pot files for the templates, creating the debian/source/format file, updated standards version, and changed version number.
  * Removed openldap-dit-setup.sh.
- 88. By Adam Sommer
  Fixing lintian errors in .deb file.
- 89. By Adam Sommer
  Removed LICENSE install to fix lintian error.
- 90. By Adam Sommer
  Created Lucid package.
- 91. By Adam Sommer
  Forgot to remove comments.
Mathias Gug (mathiaz) wrote:
Hi Adam,
Thanks for working on this. As this is a big diff I'll split the review in multiple passes.
Here are a few comments about the upstream code changes (ie outside the debian/ directory):
> === modified file 'Makefile'
> --- Makefile 2009-12-02 21:04:38 +0000
> +++ Makefile 2010-06-17 16:58:16 +0000
> @@ -43,7 +36,7 @@
>
> tarball: clean
> mkdir $(NAME)-$(VERSION)
> - cp -a Makefile *.sh schemas doc TODO LICENSE COPYRIGHT acls databases overlays modules contents $(NAME)-$(VERSION)
> + cp -a Makefile *.sh schemas doc TODO COPYRIGHT acls databases overlays modules contents $(NAME)-$(VERSION)
Why is the LICENSE file removed from the tarball?
> === added directory 'core'
> === added file 'core/core-
> --- core/core-acl.ldif 1970-01-01 00:00:00 +0000
> +++ core/core-acl.ldif 2010-06-17 16:58:16 +0000
> @@ -0,0 +1,34 @@
I would split the acl parts from the database definition. Every part that other
modules (eg usersandgroups) could define should be part of their own file.
The actual database definition could be put in core/database.ldif.
> +olcDbDirectory: /var/lib/ldap
I would use a sub-directory of /var/lib/ldap/ such as openldap-dit/ so that
other packages could also use /var/lib/ldap/ for their own database backend.
> +olcDbIndex: objectClass eq
> +olcDbIndex: entryUUID eq
> +olcDbIndex: entryCSN eq
> +olcDbIndex: cn eq,subinitial
I would suggest putting all the index definitions in a core/indexes.ldif file.
> +olcDbIndex: uid eq,subinitial
> +olcDbIndex: uidNumber eq
> +olcDbIndex: gidNumber eq
> +olcDbIndex: sn eq,subinitial
> +olcDbIndex: member eq
> +olcDbIndex: mail eq,subinitial
> +olcDbIndex: givenName eq,subinitial
> +olcDbIndex: displayName eq
> +olcDbIndex: uniqueMember pres,eq
All of these indexes are actually related to the user and group module. So move them to usersandgroups/
> +olcAccess: {0}to dn.subtree=
> + by dn.exact="uid=LDAP Admin,ou=System Accounts,@SUFFIX@" manage
> + by * break
> +olcAccess: {1}to dn.subtree=
> + by * read
I'd suggest that all the acl definition should go in the core/acl.ldif file.
> +olcAddContentAcl: TRUE
> +olcLastMod: TRUE
These should be part of the core database configuration in core/database.ldif.
> === added file 'core/core-
> --- core/core-dit.ldif 1970-01-01 00:00:00 +0000
> +++ core/core-dit.ldif 2010-06-17 16:58:16 +0000
I would name the file dit.ldif instead of core-dit.ldif since core is already in the directory name.
> === added file 'core/core-
> --- core/core-
> +++ core/core-
I would rename core-modules to modules.ldif since core is already part of the directory name.
> @@ -0,0 +1,9 @@
> +dn: cn=module,cn=config
[...]
> +olcModuleLoad: back_bdb.la
You don't need back_bdb as long as you're using back_hdb only.
> +olcModuleLoad: ppolicy.la
> +olcModuleLoad: unique.la
These two modules are part of usersandgroups. I'd move them to usersandgroups/
[...]
> +olcModuleLoad: refint.la
I think this module should also be part of usersandgroups.
> === added file 'core/cosine-
> === added file ...
- 92. By Adam Sommer
  Adjusted file content and naming per Mathias good suggestions.
- 93. By Adam Sommer
  New check to find suffix database to add LDIFs to.
- 94. By Adam Sommer
  Finished changes to dynamically find suffix database.
- 95. By Adam Sommer
  Find index of module suffix.
Adam Sommer (asommer) wrote:
Hello Mathias,
Sorry for taking so long to get back to you... got jammed up in the day job,
but should have a lot of time to focus on this. Thank you very much for
reviewing my submission.
> > === modified file 'Makefile'
> > --- Makefile 2009-12-02 21:04:38 +0000
> > +++ Makefile 2010-06-17 16:58:16 +0000
> > @@ -43,7 +36,7 @@
> >
> > tarball: clean
> > mkdir $(NAME)-$(VERSION)
> > - cp -a Makefile *.sh schemas doc TODO LICENSE COPYRIGHT acls
> databases overlays modules contents $(NAME)-$(VERSION)
> > + cp -a Makefile *.sh schemas doc TODO COPYRIGHT acls databases
> overlays modules contents $(NAME)-$(VERSION)
>
> Why is the LICENSE file removed from the tarball?
>
It was removed to fix a lintian error... this was probably the wrong way to
fix that, so I'll revisit and come up with the correct solution.
>
> I would use a sub-directory of /var/lib/ldap/ such as openldap-dit/ so that
> other packages could also use /var/lib/ldap/ for their own database
> backend.
>
Not sure I agree with this point. What other packages use /var/lib/ldap?
Besides slapd that is (which doesn't actually add anything by default)?
Just wondering why it'd be better to use a subdirectory... my impression of
openldap-dit was for it to configure the main LDAP directory tree for an
organization's server/network.
Also, doing so would require adjusting the AppArmor profile... I'm sure that
isn't a big deal, but something else to keep in mind.
>
> I'd try not to use indexes here as we're not sure the index number of the
> database. Computing the actual index should be left to the script that is
> actually responsible for loading these overlays in the correct database.
>
>
Renamed the directories as you suggested... I like it better too. Coded a
way to find the database that contains the suffix. Also, added a check to
find the cn=module suffix.
I think that covers everything, but if not just let me know.
Thanks again Mathias.
--
Party On,
Adam
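Adam's reply above says the postinst now finds the database that contains the suffix, and the index of the cn=module entry, instead of hard-coding olcDatabase={1} as Mathias warned against (an overlay or ACL applied to the wrong database index ends up protecting the wrong backend). The following is an added example, not code from the openldap-dit branch, showing one way to do that in POSIX sh by parsing the LDIF that ldapsearch returns from cn=config. The function names, the awk implementation and the sample LDIF are my own constructions; the ldapsearch invocation in the comment is what would feed them on a real host and is not executed here.

```shell
#!/bin/sh
# Added example (not from the openldap-dit branch): resolve cn=config indexes
# dynamically instead of hard-coding olcDatabase={1} or cn=module{0}.
#
# On a live host these functions would be fed by something like (not run here):
#   ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config \
#       '(objectClass=olcDatabaseConfig)' olcSuffix | ldif_unfold | find_suffix_db_index "$SUFFIX"

# Unfold LDIF: a line starting with a single space continues the previous line.
ldif_unfold() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         { if (NR > 1) printf "\n"; printf "%s", $0 }
         END { printf "\n" }'
}

# Print N for the olcDatabase={N}...,cn=config entry whose olcSuffix equals $1
# (compared case-insensitively; DN whitespace is not normalised). Exit 1 if none,
# so a postinst never falls back to a guessed index.
find_suffix_db_index() {
    awk -v want="$1" '
        function check() {
            if (!found && dn != "" && tolower(sfx) == tolower(want) &&
                match(dn, /olcDatabase=[{]-?[0-9]+[}]/)) {
                # strip the leading "olcDatabase={" (13 chars) and the trailing "}"
                print substr(dn, RSTART + 13, RLENGTH - 14)
                found = 1
            }
            dn = ""; sfx = ""
        }
        /^dn: /        { dn = substr($0, 5) }
        /^olcSuffix: / { sfx = substr($0, 12) }
        /^$/           { check() }
        END            { check(); if (!found) exit 1 }
    '
}

# Print N for the cn=module{N},cn=config entry that loads module $1 (e.g. syncprov.la).
# Exit 1 if no module entry loads it, so the caller knows it has to add one.
find_module_index() {
    awk -v mod="$1" '
        /^dn: cn=module[{][0-9]+[}],cn=config/ { dn = $0 }
        /^olcModuleLoad: / {
            val = substr($0, 16); sub(/^[{][0-9]+[}]/, "", val)
            if (dn != "" && val == mod) {
                match(dn, /[{][0-9]+[}]/)
                print substr(dn, RSTART + 1, RLENGTH - 2)
                found = 1; exit
            }
        }
        /^$/ { dn = "" }
        END  { if (!found) exit 1 }
    '
}

# Constructed sample of what the ldapsearch above might print (one folded line included).
SAMPLE_LDIF='dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config

dn: olcDatabase={1}hdb,cn=config
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
olcSuffix: dc=other,
 dc=org

dn: cn=module{0},cn=config
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}syncprov.la
'

# Stand-alone demonstration against the constructed sample.
printf '%s' "$SAMPLE_LDIF" | ldif_unfold | find_suffix_db_index 'DC=Example,DC=com'
printf '%s' "$SAMPLE_LDIF" | ldif_unfold | find_module_index 'syncprov.la'
```

Both helpers deliberately fail (exit 1) rather than print a default when nothing matches: in a postinst that is the difference between aborting the install and silently writing ACLs or overlays into whichever database happens to sit at index 1.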
Unmerged revisions
- 95. By Adam Sommer
  Find index of module suffix.
- 94. By Adam Sommer
  Finished changes to dynamically find suffix database.
- 93. By Adam Sommer
  New check to find suffix database to add LDIFs to.
- 92. By Adam Sommer
  Adjusted file content and naming per Mathias good suggestions.
- 91. By Adam Sommer
  Forgot to remove comments.
- 90. By Adam Sommer
  Created Lucid package.
- 89. By Adam Sommer
  Removed LICENSE install to fix lintian error.
- 88. By Adam Sommer
  Fixing lintian errors in .deb file.
- 87. By Adam Sommer
  * Fixed dsc lintian errors by using pot files for the templates, creating the debian/source/format file, updated standards version, and changed version number.
  * Removed openldap-dit-setup.sh.
- 86. By Adam Sommer
  More ACL adjustments, groups should now work as advertised.
Preview Diff
1 | === modified file 'Makefile' |
2 | --- Makefile 2009-12-02 21:04:38 +0000 |
3 | +++ Makefile 2010-07-19 21:25:56 +0000 |
4 | @@ -1,7 +1,7 @@ |
5 | # Makefile for openldap-dit |
6 | |
7 | NAME = openldap-dit |
8 | -VERSION = 0.21 |
9 | +VERSION = 0.22 |
10 | DESTDIR = |
11 | prefix = /usr |
12 | bindir = $(prefix)/bin |
13 | @@ -14,24 +14,17 @@ |
14 | mydir = $(ldapdatadir)/$(NAME) |
15 | ldapscriptdir = $(ldapdatadir) |
16 | |
17 | -install: |
18 | +install-core: |
19 | mkdir -p $(DESTDIR)$(mydir) |
20 | mkdir -p $(DESTDIR)$(docdir) |
21 | mkdir -p $(DESTDIR)$(ldapscriptdir) |
22 | - mkdir -p $(DESTDIR)$(mydir)/acls |
23 | - mkdir -p $(DESTDIR)$(mydir)/databases |
24 | - mkdir -p $(DESTDIR)$(mydir)/overlays |
25 | - mkdir -p $(DESTDIR)$(mydir)/schemas |
26 | - mkdir -p $(DESTDIR)$(mydir)/modules |
27 | - mkdir -p $(DESTDIR)$(mydir)/contents |
28 | - install -m 0755 *.sh $(DESTDIR)$(ldapscriptdir) |
29 | - install -m 0644 schemas/* $(DESTDIR)$(mydir)/schemas |
30 | - install -m 0644 doc/* TODO LICENSE COPYRIGHT $(DESTDIR)$(docdir) |
31 | - install -m 0644 acls/* $(DESTDIR)$(mydir)/acls/ |
32 | - install -m 0644 databases/* $(DESTDIR)$(mydir)/databases/ |
33 | - install -m 0644 overlays/* $(DESTDIR)$(mydir)/overlays/ |
34 | - install -m 0644 modules/* $(DESTDIR)$(mydir)/modules/ |
35 | - install -m 0644 contents/* $(DESTDIR)$(mydir)/contents/ |
36 | + install -m 0644 TODO COPYRIGHT $(DESTDIR)$(docdir) |
37 | + mkdir -p $(DESTDIR)$(mydir)/core |
38 | + install -m 0644 core/* $(DESTDIR)$(mydir)/core |
39 | + |
40 | +install-usersandgroups: |
41 | + mkdir -p $(DESTDIR)$(mydir)/usersandgroups |
42 | + install -m 0644 usersandgroups/* $(DESTDIR)$(mydir)/usersandgroups |
43 | |
44 | clean: |
45 | rm -rf *~ $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.bz2 debian/$(NAME) |
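Review bot: the plain `install` target disappears in this hunk, so `make install` now fails with "No rule to make target"; either keep an aggregate `install: install-core install-usersandgroups` or document that debian/rules has to invoke both targets. Two smaller points in the same hunk: `mkdir -p $(DESTDIR)$(ldapscriptdir)` is now dead, because the `install -m 0755 *.sh` line that populated it was removed together with openldap-dit-setup.sh; and `install -m 0644 core/* $(DESTDIR)$(mydir)/core` copies core/README into the LDIF directory, so whatever loop the postinst uses to load that directory must skip non-LDIF files or README will be handed to ldapadd. LICENSE is also dropped from the docdir line next to TODO and COPYRIGHT, the same question Mathias raised for the tarball target.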
46 | @@ -43,7 +36,7 @@ |
47 | |
48 | tarball: clean |
49 | mkdir $(NAME)-$(VERSION) |
50 | - cp -a Makefile *.sh schemas doc TODO LICENSE COPYRIGHT acls databases overlays modules contents $(NAME)-$(VERSION) |
51 | + cp -a Makefile *.sh schemas doc TODO COPYRIGHT acls databases overlays modules contents $(NAME)-$(VERSION) |
52 | cp -a debian $(NAME)-$(VERSION) |
53 | tar czf $(NAME)-$(VERSION).tar.gz $(NAME)-$(VERSION) |
54 | rm -rf $(NAME)-$(VERSION) |
55 | |
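Review bot: `cp -a Makefile *.sh schemas doc TODO COPYRIGHT acls databases overlays modules contents ...` still names paths that this same diff deletes (acls and contents are removed here; schemas, databases, overlays, modules and doc/README per the file list) and `*.sh` no longer matches anything once openldap-dit-setup.sh is gone, so `make tarball` aborts on the first missing path. Rewrite the list for the new layout (core, usersandgroups and the per-service directories) and, as asked above, keep LICENSE in it.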
56 | === removed directory 'acls' |
57 | === removed file 'acls/config-acl.ldif' |
58 | --- acls/config-acl.ldif 2009-09-17 13:38:20 +0000 |
59 | +++ acls/config-acl.ldif 1970-01-01 00:00:00 +0000 |
60 | @@ -1,6 +0,0 @@ |
61 | -dn: olcDatabase={0}config,cn=config |
62 | -changetype: modify |
63 | -add: olcAccess |
64 | -olcAccess: to * |
65 | - by group/groupOfMembers/member.exact="cn=LDAP Admins,ou=System Groups,@SUFFIX@" manage |
66 | - by * break |
67 | |
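Review bot: deleting acls/config-acl.ldif removes the only olcAccess that gave cn=LDAP Admins manage rights on olcDatabase={0}config, and no replacement is visible in this diff. If the intent is that cn=config is administered only through the localroot SASL EXTERNAL identity that the description mentions, say so in core/README; otherwise the equivalent rule needs to move into core/acl.ldif. Note also that this rule used `group/groupOfMembers/member` while the core/README hunk states the groups are groupOfNames entries (the removed contents/dit.ldif actually creates them as groupOfMembers); the objectClass named in a `group/<oc>/<attr>` ACL must match the entries, or the clause matches nobody and access silently falls through to `by * break`.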
68 | === removed file 'acls/frontend-acl.ldif' |
69 | --- acls/frontend-acl.ldif 2009-09-14 20:38:42 +0000 |
70 | +++ acls/frontend-acl.ldif 1970-01-01 00:00:00 +0000 |
71 | @@ -1,7 +0,0 @@ |
72 | -# see bug #427842 |
73 | -dn: olcDatabase={-1}frontend,cn=config |
74 | -changetype: modify |
75 | -add: olcAccess |
76 | -olcAccess: to dn.base="" by * read |
77 | -olcAccess: to dn.base="cn=subschema" by * read |
78 | - |
79 | |
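Review bot: acls/frontend-acl.ldif was the fix for bug #427842 (anonymous read of the root DSE and cn=subschema), and deleting it with no visible replacement regresses that bug for clients that must read the rootDSE and schema before binding. Confirm the two `olcAccess` lines are carried into core/acl.ldif, or keep the file.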
80 | === added directory 'autofs' |
81 | === added file 'autofs/autofs.ldif' |
82 | --- autofs/autofs.ldif 1970-01-01 00:00:00 +0000 |
83 | +++ autofs/autofs.ldif 2010-07-19 21:25:56 +0000 |
84 | @@ -0,0 +1,11 @@ |
85 | +dn: cn=autofs,cn=schema,cn=config |
86 | +objectClass: olcSchemaConfig |
87 | +cn: autofs |
88 | +olcAttributeTypes: {0}( 1.3.6.1.1.1.1.25 NAME 'automountInformation' DESC 'Inf |
89 | + ormation used by the autofs automounter' EQUALITY caseExactIA5Match SYNTAX 1. |
90 | + 3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
91 | +olcObjectClasses: {0}( 1.3.6.1.1.1.1.13 NAME 'automount' DESC 'An entry in an |
92 | + automounter map' SUP top STRUCTURAL MUST ( cn $ automountInformation ) MAY de |
93 | + scription ) |
94 | +olcObjectClasses: {1}( 1.3.6.1.4.1.2312.4.2.2 NAME 'automountMap' DESC 'An gro |
95 | + up of related automount objects' SUP top STRUCTURAL MUST ou ) |
96 | |
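Review bot: every other service in this branch follows the `<service>/<service>-<type>.ldif` naming from revision 75 (dhcp/dhcp-schema.ldif, sudo/sudo-schema.ldif), but this file is autofs/autofs.ldif with no type suffix, so a postinst that selects files by that convention will not pick it up; rename it autofs/autofs-schema.ldif. Minor: the DESC of the automountMap class unfolds to 'An group of related automount objects' and should read 'A group of related automount objects'.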
97 | === removed directory 'contents' |
98 | === removed file 'contents/dit.ldif' |
99 | --- contents/dit.ldif 2009-10-06 18:58:32 +0000 |
100 | +++ contents/dit.ldif 1970-01-01 00:00:00 +0000 |
101 | @@ -1,270 +0,0 @@ |
102 | -# base tree |
103 | -dn: @SUFFIX@ |
104 | -dc: @DC@ |
105 | -objectClass: domain |
106 | -objectClass: domainRelatedObject |
107 | -associatedDomain: @DOMAIN@ |
108 | - |
109 | -dn: ou=People,@SUFFIX@ |
110 | -ou: People |
111 | -objectClass: organizationalUnit |
112 | - |
113 | -dn: ou=Group,@SUFFIX@ |
114 | -ou: Group |
115 | -objectClass: organizationalUnit |
116 | -description: Container for user accounts |
117 | - |
118 | -dn: ou=System Accounts,@SUFFIX@ |
119 | -ou: System Accounts |
120 | -objectClass: organizationalUnit |
121 | -description: Container for System and Services privileged accounts |
122 | - |
123 | -dn: ou=System Groups,@SUFFIX@ |
124 | -ou: System Groups |
125 | -objectClass: organizationalUnit |
126 | -description: Container for System and Services privileged groups |
127 | - |
128 | -dn: ou=Hosts,@SUFFIX@ |
129 | -ou: Hosts |
130 | -objectClass: organizationalUnit |
131 | -description: Container for Samba machine accounts |
132 | - |
133 | -dn: ou=Idmap,@SUFFIX@ |
134 | -ou: Idmap |
135 | -objectClass: organizationalUnit |
136 | -description: Container for Samba Winbind ID mappings |
137 | - |
138 | -dn: ou=Address Book,@SUFFIX@ |
139 | -ou: Address Book |
140 | -objectClass: organizationalUnit |
141 | -description: Container for global address book entries |
142 | - |
143 | -dn: ou=sudoers,@SUFFIX@ |
144 | -ou: sudoers |
145 | -objectClass: organizationalUnit |
146 | -description: Container for sudo related entries |
147 | - |
148 | -dn: cn=defaults,ou=sudoers,@SUFFIX@ |
149 | -cn: defaults |
150 | -objectClass: sudoRole |
151 | -sudoOption: authenticate |
152 | -description: Default options for sudo roles |
153 | - |
154 | -dn: ou=dhcp,@SUFFIX@ |
155 | -ou: dhcp |
156 | -objectClass: organizationalUnit |
157 | -description: Container for DHCP related entries |
158 | - |
159 | -dn: ou=dns,@SUFFIX@ |
160 | -ou: dns |
161 | -objectClass: organizationalUnit |
162 | -description: Container for DNS related entries |
163 | - |
164 | -dn: ou=Kerberos Realms,@SUFFIX@ |
165 | -ou: Kerberos Realms |
166 | -objectClass: organizationalUnit |
167 | -description: Container for Kerberos Realms |
168 | - |
169 | -dn: ou=Password Policies,@SUFFIX@ |
170 | -ou: Password Policies |
171 | -objectClass: organizationalUnit |
172 | -description: Container for OpenLDAP password policies |
173 | - |
174 | -dn: cn=default,ou=Password Policies,@SUFFIX@ |
175 | -cn: default |
176 | -objectClass: pwdPolicy |
177 | -objectClass: namedObject |
178 | -pwdAttribute: userPassword |
179 | -pwdCheckQuality: 1 |
180 | - |
181 | -# System Accounts |
182 | -dn: uid=Account Admin,ou=System Accounts,@SUFFIX@ |
183 | -uid: Account Admin |
184 | -objectClass: account |
185 | -objectClass: simpleSecurityObject |
186 | -userPassword: {CRYPT}x |
187 | -description: Account used to administer all users, groups, machines and general accounts |
188 | - |
189 | -dn: uid=nssldap,ou=System Accounts,@SUFFIX@ |
190 | -uid: nssldap |
191 | -objectClass: account |
192 | -objectClass: simpleSecurityObject |
193 | -userPassword: {CRYPT}x |
194 | -description: Unprivileged account which can be used by nss_ldap for when anonymous searches are disabled |
195 | - |
196 | -dn: uid=MTA Admin,ou=System Accounts,@SUFFIX@ |
197 | -uid: MTA Admin |
198 | -objectClass: account |
199 | -objectClass: simpleSecurityObject |
200 | -userPassword: {CRYPT}x |
201 | -description: Account used to administer email related attributes |
202 | - |
203 | -dn: uid=DHCP Admin,ou=System Accounts,@SUFFIX@ |
204 | -uid: DHCP Admin |
205 | -objectClass: account |
206 | -objectClass: simpleSecurityObject |
207 | -userPassword: {CRYPT}x |
208 | -description: Account used to administer DHCP related entries and attributes |
209 | - |
210 | -dn: uid=DHCP Reader,ou=System Accounts,@SUFFIX@ |
211 | -uid: DHCP Reader |
212 | -objectClass: account |
213 | -objectClass: simpleSecurityObject |
214 | -userPassword: {CRYPT}x |
215 | -description: Account used to read entries and attributes under ou=dhcp |
216 | - |
217 | -dn: uid=DNS Admin,ou=System Accounts,@SUFFIX@ |
218 | -uid: DNS Admin |
219 | -objectClass: account |
220 | -objectClass: simpleSecurityObject |
221 | -userPassword: {CRYPT}x |
222 | -description: Account used to administer DNS related entries and attributes |
223 | - |
224 | -dn: uid=DNS Reader,ou=System Accounts,@SUFFIX@ |
225 | -uid: DNS Reader |
226 | -objectClass: account |
227 | -objectClass: simpleSecurityObject |
228 | -userPassword: {CRYPT}x |
229 | -description: Account used to read entries and attributes under ou=dns |
230 | - |
231 | -dn: uid=Sudo Admin,ou=System Accounts,@SUFFIX@ |
232 | -uid: Sudo Admin |
233 | -objectClass: account |
234 | -objectClass: simpleSecurityObject |
235 | -userPassword: {CRYPT}x |
236 | -description: Account used to administer Sudo related entries and attributes |
237 | - |
238 | -dn: uid=Address Book Admin,ou=System Accounts,@SUFFIX@ |
239 | -uid: Address Book Admin |
240 | -objectClass: account |
241 | -objectClass: simpleSecurityObject |
242 | -userPassword: {CRYPT}x |
243 | -description: Account used to administer global Address Book related entries and attributes |
244 | - |
245 | -dn: uid=LDAP Admin,ou=System Accounts,@SUFFIX@ |
246 | -uid: LDAP Admin |
247 | -objectClass: account |
248 | -objectClass: simpleSecurityObject |
249 | -userPassword: {CRYPT}x |
250 | -description: Account used to administer all parts of the Directory |
251 | - |
252 | -dn: uid=LDAP Replicator,ou=System Accounts,@SUFFIX@ |
253 | -uid: LDAP Replicator |
254 | -objectClass: account |
255 | -objectClass: simpleSecurityObject |
256 | -userPassword: {CRYPT}x |
257 | -description: Account used by consumer servers for replication |
258 | - |
259 | -dn: uid=LDAP Monitor,ou=System Accounts,@SUFFIX@ |
260 | -uid: LDAP Monitor |
261 | -objectClass: account |
262 | -objectClass: simpleSecurityObject |
263 | -userPassword: {CRYPT}x |
264 | -description: Account used to read cn=monitor entries |
265 | - |
266 | -dn: uid=Idmap Admin,ou=System Accounts,@SUFFIX@ |
267 | -uid: Idmap Admin |
268 | -objectClass: account |
269 | -objectClass: simpleSecurityObject |
270 | -userPassword: {CRYPT}x |
271 | -description: Account used to administer Samba Winbind ID mapping related entries and attributes |
272 | - |
273 | -dn: uid=kdc-service,ou=System Accounts,@SUFFIX@ |
274 | -uid: kdc-service |
275 | -objectClass: account |
276 | -objectClass: simpleSecurityObject |
277 | -userPassword: {CRYPT}x |
278 | -description: Account used for the Kerberos KDC |
279 | - |
280 | -dn: uid=kadmin-service,ou=System Accounts,@SUFFIX@ |
281 | -uid: kadmin-service |
282 | -objectClass: account |
283 | -objectClass: simpleSecurityObject |
284 | -userPassword: {CRYPT}x |
285 | -description: Account used for the Kerberos Admin server |
286 | - |
287 | -# Groups associated with system accounts |
288 | -dn: cn=LDAP Admins,ou=System Groups,@SUFFIX@ |
289 | -cn: LDAP Admins |
290 | -objectClass: groupOfMembers |
291 | -description: Members can administer all parts of the Directory |
292 | -owner: uid=LDAP Admin,ou=System Accounts,@SUFFIX@ |
293 | -member: uid=LDAP Admin,ou=System Accounts,@SUFFIX@ |
294 | - |
295 | -dn: cn=Account Admins,ou=System Groups,@SUFFIX@ |
296 | -cn: Account Admins |
297 | -objectClass: groupOfMembers |
298 | -description: Members can administer all user, group and machine accounts |
299 | -owner: uid=Account Admin,ou=System Accounts,@SUFFIX@ |
300 | -member: uid=Account Admin,ou=System Accounts,@SUFFIX@ |
301 | - |
302 | -dn: cn=Sudo Admins,ou=System Groups,@SUFFIX@ |
303 | -cn: Sudo Admins |
304 | -objectClass: groupOfMembers |
305 | -description: Members can administer ou=sudoers entries and attributes |
306 | -owner: uid=Sudo Admin,ou=System Accounts,@SUFFIX@ |
307 | -member: uid=Sudo Admin,ou=System Accounts,@SUFFIX@ |
308 | - |
309 | -dn: cn=DNS Admins,ou=System Groups,@SUFFIX@ |
310 | -cn: DNS Admins |
311 | -objectClass: groupOfMembers |
312 | -description: Members can administer ou=DNS entries and attributes |
313 | -owner: uid=DNS Admin,ou=System Accounts,@SUFFIX@ |
314 | -member: uid=DNS Admin,ou=System Accounts,@SUFFIX@ |
315 | - |
316 | -dn: cn=DNS Readers,ou=System Groups,@SUFFIX@ |
317 | -cn: DNS Readers |
318 | -objectClass: groupOfMembers |
319 | -description: Members can read entries and attributes under ou=dns |
320 | -owner: uid=DNS Admin,ou=System Accounts,@SUFFIX@ |
321 | -member: uid=DNS Reader,ou=System Accounts,@SUFFIX@ |
322 | - |
323 | -dn: cn=DHCP Admins,ou=System Groups,@SUFFIX@ |
324 | -cn: DHCP Admins |
325 | -objectClass: groupOfMembers |
326 | -description: Members can administer ou=DHCP entries and attributes |
327 | -owner: uid=DHCP Admin,ou=System Accounts,@SUFFIX@ |
328 | -member: uid=DHCP Admin,ou=System Accounts,@SUFFIX@ |
329 | - |
330 | -dn: cn=DHCP Readers,ou=System Groups,@SUFFIX@ |
331 | -cn: DHCP Readers |
332 | -objectClass: groupOfMembers |
333 | -description: Members can read entries and attributes under ou=dhcp |
334 | -owner: uid=DHCP Admin,ou=System Accounts,@SUFFIX@ |
335 | -member: uid=DHCP Reader,ou=System Accounts,@SUFFIX@ |
336 | - |
337 | -dn: cn=Address Book Admins,ou=System Groups,@SUFFIX@ |
338 | -cn: Address Book Admins |
339 | -objectClass: groupOfMembers |
340 | -description: Members can administer ou=Address Book entries and attributes |
341 | -owner: uid=Address Book Admin,ou=System Accounts,@SUFFIX@ |
342 | -member: uid=Address Book Admin,ou=System Accounts,@SUFFIX@ |
343 | - |
344 | -dn: cn=LDAP Replicators,ou=System Groups,@SUFFIX@ |
345 | -cn: LDAP Replicators |
346 | -objectClass: groupOfMembers |
347 | -description: Members can be used for syncrepl replication |
348 | -owner: uid=LDAP Replicator,ou=System Accounts,@SUFFIX@ |
349 | -member: uid=LDAP Replicator,ou=System Accounts,@SUFFIX@ |
350 | - |
351 | -dn: cn=MTA Admins,ou=System Groups,@SUFFIX@ |
352 | -cn: MTA Admins |
353 | -objectClass: groupOfMembers |
354 | -description: Members can administer email related attributes |
355 | -owner: uid=MTA Admin,ou=System Accounts,@SUFFIX@ |
356 | -member: uid=MTA Admin,ou=System Accounts,@SUFFIX@ |
357 | - |
358 | -dn: cn=LDAP Monitors,ou=System Groups,@SUFFIX@ |
359 | -cn: LDAP Monitors |
360 | -objectClass: groupOfMembers |
361 | -description: Members can read the cn=monitor backend |
362 | -owner: uid=LDAP Monitor,ou=System Accounts,@SUFFIX@ |
363 | -member: uid=LDAP Monitor,ou=System Accounts,@SUFFIX@ |
364 | - |
365 | -dn: cn=Idmap Admins,ou=System Groups,@SUFFIX@ |
366 | -cn: Idmap Admins |
367 | -objectClass: groupOfMembers |
368 | -description: Members can administer ou=Idmap entries and attributes |
369 | -owner: uid=Idmap Admin,ou=System Accounts,@SUFFIX@ |
370 | -member: uid=Idmap Admin,ou=System Accounts,@SUFFIX@ |
371 | - |
372 | |
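Review bot: this 270-line removal deletes the entire base tree in one go (all containers, system accounts, groups, the default pwdPolicy and the sudo defaults entry), and its replacements are spread over core/dit.ldif, usersandgroups/dit.ldif and the per-service *-dit.ldif files, none of which appears in this part of the diff. Please check that every entry here reappears exactly once in the new files, in particular the ones several services depend on: ou=System Accounts and ou=System Groups (referenced by every ACL), cn=default,ou=Password Policies (needed by the ppolicy overlay in usersandgroups), and cn=defaults,ou=sudoers with `sudoOption: authenticate`, a security default that should not get lost in the move. All accounts here carry `userPassword: {CRYPT}x`, i.e. they are locked until the postinst sets a real password; the new files should keep that rather than seed a default.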
373 | === added directory 'core' |
374 | === added file 'core/README' |
375 | --- core/README 1970-01-01 00:00:00 +0000 |
376 | +++ core/README 2010-07-19 21:25:56 +0000 |
377 | @@ -0,0 +1,321 @@ |
378 | +Introduction |
379 | +============ |
380 | + |
381 | +This document aims to explain the Directory Information Tree (DIT) used in the |
382 | +openldap-dit-core package. |
383 | + |
384 | +The motivation for this new layout is the need for a better separation of |
385 | +privileges regarding access to the information stored in the directory. The |
386 | +super user account of the directory should be used rarely and delegation of |
387 | +privileges should be easier. |
388 | + |
389 | +We think this proposed layout accomplishes that by providing several groups |
390 | +which have distinctive access rules, providing a clear separation of |
391 | +privileges. In order to give an user a new privilege, all is needed is to add |
392 | +him/her to one of these specific groups. |
393 | + |
394 | +These are the characteristics of the proposed DIT: |
395 | +- several groups for common services |
396 | +- most access control rules based on group membership |
397 | +- several system accounts ready to use (just add a password) by many services |
398 | + such as: |
399 | + - sudo |
400 | + - dns |
401 | + - samba |
402 | + - etc |
403 | +- simple installation script which prepares the tree asking very few questions |
404 | + (just two, and one of them is just a password) |
405 | +- easy support for OpenLDAP's password policy overlay |
406 | + |
407 | +These accounts get their privileges by being associated to specific group(s). |
408 | + |
409 | +Administrators should note that we will probably find out that there are too |
410 | +few groups, or too many. Or that some ACLs are too restrictive, or too broad. |
411 | +It is difficult to come up with a one-size-fits-all DIT, but we can start here. |
412 | + |
413 | +By the way, there is no password set for the "rootdn" account as it (the |
414 | +account) is not used. |
415 | + |
416 | +If you just want to know how to use this DIT, skip to the end of the document |
417 | +to the section called "Enough with the theory: how to use this?". |
418 | + |
419 | + |
420 | +The Tree |
421 | +======== |
422 | + |
423 | + dc=example,dc=com |
424 | + |
425 | + ou=Hosts ou=System Groups ou=System Accounts |
426 | + ou=Idmap cn=LDAP Admins uid=Ldap Admin |
427 | + ou=Address Book cn=Sudo Admins uid=Sudo Admin |
428 | + ou=dhcp cn=DNS Admins uid=DNS Admin |
429 | + ou=dns cn=DNS Readers uid=DNS Reader |
430 | + ou=People cn=DHCP Admins uid=DHCP Admin |
431 | + ou=Group cn=Address Book Admins uid=Address Book Admin |
432 | + ou=Password Policies cn=LDAP Replicators uid=LDAP Replicator |
433 | + ou=Sudoers cn=Account Admins uid=Account Admin |
434 | + cn=MTA Admins uid=MTA Admin |
435 | + cn=LDAP Monitors uid=LDAP Monitor |
436 | + cn=Idmap Admins uid=Idmap Admin |
437 | + uid=smbldap-tools |
438 | + uid=nssldap |
439 | + |
440 | +The services |
441 | +============ |
442 | + |
443 | +We created some entries for a few services that can use LDAP to store their |
444 | +information. More will probably be added in the future. For now, we have |
445 | +branches for: |
446 | +- dns (ou=dns) |
447 | +- sudo (ou=sudoers) |
448 | +- dhcp (ou=dhcp) |
449 | + |
450 | +The respective administrative groups have read/write access to these branches |
451 | +for specific entries. |
452 | + |
453 | + |
454 | +The groups |
455 | +========== |
456 | + |
457 | +Groups are the core of this proposed DIT layout, because most ACLs are |
458 | +constructed via group membership to allow for greater flexibility and |
459 | +delegation. |
460 | + |
461 | +The current default groups that are born with the new DIT layout are as |
462 | +follows: |
463 | +- LDAP Admins |
464 | +- Sudo Admins |
465 | +- DNS Admins |
466 | +- DNS Readers |
467 | +- DHCP Admins |
468 | +- Address Book Admins |
469 | +- LDAP Replicators |
470 | +- Account Admins |
471 | +- MTA Admins |
472 | +- LDAP Monitors |
473 | +- Idmap Admins |
474 | + |
475 | +Each entry has a description attribute filled in with a brief text describing |
476 | +the purpose of the members of each group. For example: |
477 | + |
478 | +dn: cn=Sudo Admins,ou=System Groups,dc=example,dc=com |
479 | +description: Members can administer ou=sudoers entries and attributes |
480 | + |
481 | +In order to use groups in ACLs, the objectClass used for these entries has to |
482 | +use attributes where membership is indicated distinguished names and not just |
483 | +names. In other words, the membership attribute has to use a full DN to |
484 | +indicate its member. The standard object class used for this by OpenLDAP is |
485 | +groupOfNames, and this is what we used. For example: |
486 | + |
487 | +dn: cn=Sudo Admins,ou=System Groups,dc=example,dc=com |
488 | +member: uid=Sudo Admin,ou=System Accounts,dc=example,dc=com |
489 | + |
490 | +A side effect of using groupOfNames is that we *have* to have at least one |
491 | +member in each group. So we needed to create standard accounts, which proved to |
492 | +be usefull anyway. The previous example showed the standard account for |
493 | +adminstering sudo entries and attributes. |
494 | + |
495 | + |
496 | +The accounts |
497 | +============ |
498 | + |
499 | +As was the case with the groups, many standard system accounts were created. |
500 | +Each group has at least a corresponding system account as its membership. The |
501 | +current list is as follows: |
502 | + |
503 | +- Account Admin |
504 | +- smbldap-tools |
505 | +- nssldap |
506 | +- MTA Admin |
507 | +- DHCP Admin |
508 | +- DNS Admin |
509 | +- DNS Reader |
510 | +- Sudo Admin |
511 | +- Address Book Admin |
512 | +- LDAP Admin |
513 | +- LDAP Replicator |
514 | +- LDAP Monitor |
515 | +- Idmap Admin |
516 | + |
517 | + |
518 | +The privileges |
519 | +============== |
520 | + |
521 | +The idea is to give each group the needed privileges to complete its |
522 | +administration tasks. This usually means having access to the respective ou=foo |
523 | +branch of the directory. For example, the Sudo Admins group has rights over the |
524 | +ou=sudoers branch of the directory. |
525 | + |
526 | +Whenever possible, however, these rights are limited to that specific service, |
527 | +i.e., it's not any kind of entry that can be created but just those relevant to |
528 | +the service. For example, the Sudo Admins members can only create entries one |
529 | +level below ou=sudoers, and only with the attributes allowed by the sudoRole |
530 | +object class. |
531 | + |
532 | +Other cases, however, are more complicated. We will list them here and the |
533 | +reasoning behind the chosen ACLs. |
534 | + |
535 | + |
536 | +Monitoring access |
537 | +----------------- |
538 | +The "LDAP Monitors" group is the only grop besides "LDAP Admins" which can read |
539 | +entries under cn=monitor. This base dn contains statistics about the server, |
540 | +such as operations performed, backends and overlays being used, etc. So, if you |
541 | +need an user to have read access to this kind of information, just put him/her |
542 | +in this group. |
543 | + |
544 | + |
545 | +Samba, Unix and Kerberos admins |
546 | +------------------------------- |
547 | +Samba needs to have corresponding unix accounts for its users and machine |
548 | +accounts. It will not by itself create those, however. For example, when |
549 | +running "smbpasswd -a foo", the "foo" user account will only be created if |
550 | +samba can find the corresponding unix attributes. The same for group mappings |
551 | +and machine accounts. |
552 | + |
553 | +Earlier versions of openldap-dit had two separate privilege groups: |
554 | +one for Unix accounts and another for Samba accounts. This complicated ACLs, |
555 | +and it was worse when we later added Kerberos Admins to the mix because they |
556 | +also had to touch some of the account-related attributes. |
557 | + |
558 | +So, since version 0.11, we merged these groups into one called Account Admins |
559 | +(and the respective Account Admin account). This made the ACLs simplier and |
560 | +faster, at the expense of some granularity in privileges. |
561 | + |
562 | +The smbldap-tools account, uid=smbldap-tools,ou=System Accounts, still exists |
563 | +but is now a member of the Account Admins group. |
564 | + |
565 | + |
566 | +MTA |
567 | +--- |
568 | +As of this moment, there is no clear scenario for usage of this account. For |
569 | +now, it can administer just a few attributes: all the ones from the |
570 | +inetLocalMailRecipient object class plus the single mail attribute. |
571 | + |
572 | +As more usage scenarios appear, these ACLs should be incremented. |
573 | + |
574 | + |
575 | +DNS Readers |
576 | +----------- |
577 | +Members of this group are allowed read access to all attributes of the dNSZone |
578 | +object class under ou=dns. Besides them and the members of the DNS Admins |
579 | +group, no other entity can read these entries. This was done so to avoid the |
580 | +"zone transfer" vulnerability scenario, where anonymous users could gather the |
581 | +whole DNS database. |
582 | + |
583 | + |
584 | +LDAP Admins |
585 | +----------- |
586 | +Members of this group can write to and read from all entries and attributes of |
587 | +the directory and have no size or time limits. |
588 | + |
589 | + |
590 | +LDAP Replicators |
591 | +---------------- |
592 | +The members of the LDAP Replicators group have read access to all attributes |
593 | +and entries of the directory so that they can be used in a syncrepl replication |
594 | +setup. The bind dn used for the replication should be a member of this group. |
595 | +For example: |
596 | + |
597 | +syncrepl rid=100 |
598 | + provider=ldap://dirserv.example.com |
599 | + type=refreshAndPersist |
600 | + retry="60 +" |
601 | + searchbase="dc=example,dc=com" |
602 | + starttls=critical |
603 | + bindmethod=simple |
604 | + binddn="uid=LDAP Replicator,ou=System Accounts,dc=example,dc=com" |
605 | + credentials="secret" |
606 | + |
607 | +Here, "uid=LDAP Replicator,ou=System Accounts,dc=example,dc=com" is a member of |
608 | +the "LDAP Replicators" group and is automatically granted read rights to all |
609 | +entries of the directory (assuming the provider was also installed with this |
610 | +base DIT and ACLs). |
611 | + |
612 | + |
613 | +Generic directory read accounts |
614 | +------------------------------- |
615 | +A few accounts were created for specific read access. Some administrators |
616 | +prefer to block anonymous read access to the directory, in which case these |
617 | +accounts would then be used. For the moment we have: |
618 | +- nssldap: nss_ldap can bind to the directory either anonymously or with a |
619 | + specific account. The "uid=nssldap,ou=System Accounts" was created for this |
620 | + purpose. Currently no ACLs make use of this account. Were the administrator to |
621 | + use it, he/she would also have to block anonymous read access to many |
622 | + attributes. |
623 | + |
624 | +Currently anonymous read access is granted to many attributes. As of this |
625 | +moment, if the administrator wants to restrict anonymous access and use these |
626 | +accounts, the ACLs would have to be changed manually. |
627 | + |
628 | + |
629 | +The installation script |
630 | +======================= |
631 | + |
632 | +The openldap-dit package contains a shell script which can be used to |
633 | +install the accounts and ACLs described in this document. The script is |
634 | +installed at /usr/share/openldap/scripts/openldap-dit-setup.sh and performs the |
635 | +following: |
636 | +- asks the DNS domain (suggesting whatever was auto-detected) |
637 | +- constructs the top-level directory entry from this domain using dc style |
638 | + attributes |
639 | +- creates and imports an ldif file with the accounts and groups described here |
640 | +- installs new slapd.conf and openldap-dit-access.conf files (making backups of |
641 | + the previous ones) with the default ACLs and other useful configurations |
642 | + (like cache) |
643 | +- loads the ldif file, backing up the previous database directory |
644 | + |
645 | +Even though the script performs many tests and backups many files before |
646 | +overwriting them, administrators are advised to backup all data before running |
647 | +this script. |
648 | + |
649 | + |
650 | +Enough with the theory: how to use this? |
651 | +======================================== |
652 | + |
653 | +The installation script will overwrite some OpenLDAP files and directories. |
654 | +Specifically, it will backup and overwrite the following: |
655 | +- /etc/ldap/slapd.conf |
656 | +- /etc/ldap/ldap.conf |
657 | +- /etc/ldap/openldap-dit-access.conf (THIS ONE HAS NO BACKUP CURRENTLY) |
658 | +- /var/lib/ldap contents |
659 | + |
660 | +So, after you are satisfied that nothing important will be lost, run the |
661 | +script. Below is a sample run using the example.com domain: |
662 | + |
663 | +root@nsn2:~# /usr/share/slapd/openldap-dit-setup.sh |
664 | +Please enter your DNS domain name [example.com]: |
665 | + |
666 | + |
667 | +Administrator account |
668 | + |
669 | +The administrator account for this directory is |
670 | +uid=LDAP Admin,ou=System Accounts,dc=example,dc=com |
671 | + |
672 | +Please choose a password for this account: |
673 | +New password: |
674 | +Re-enter new password: |
675 | + |
676 | + |
677 | +Summary |
678 | +======= |
679 | + |
680 | +Domain: example.com |
681 | +LDAP suffix: dc=example,dc=com |
682 | +Administrator: uid=LDAP Admin,ou=System Accounts,dc=example,dc=com |
683 | + |
684 | +Confirm? (Y/n) |
685 | + |
686 | +config file testing succeeded |
687 | +Stopping ldap service |
688 | +Finished, starting ldap service |
689 | +Starting OpenLDAP: slapd. |
690 | + |
691 | +Your previous database directory has been backed up as /var/lib/ldap.1228858266 |
692 | +All files that were backed up got the suffix "1228858266". |
693 | + |
694 | + |
695 | +Now, fire up an LDAP browser and use the LDAP Admin account shown above to set |
696 | +up some passwords for the other less privileged accounts that you are going to |
697 | +use. Note that the "rootdn" account is not used. |
698 | + |
699 | |
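Review bot: the "The installation script" and "Enough with the theory" sections of this README still describe a slapd.conf-based setup (installing slapd.conf and openldap-dit-access.conf and replacing /var/lib/ldap), while the rest of this change configures slapd through cn=config LDIFs such as core/acl.ldif and core/database.ldif; either rewrite those sections for the cn=config flow or say which of the two applies. Two smaller inconsistencies in the same text: the script is located at /usr/share/openldap/scripts/openldap-dit-setup.sh in one paragraph and at /usr/share/slapd/openldap-dit-setup.sh in the sample run, and "/etc/ldap/openldap-dit-access.conf (THIS ONE HAS NO BACKUP CURRENTLY)" contradicts the sentence just before it that says the script backs up every file it overwrites, so either add the backup or drop the file from that list. Spelling while you are there: "usefull", "adminstering", "grop", "simplier", "an user".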
700 | === added file 'core/acl.ldif' |
701 | --- core/acl.ldif 1970-01-01 00:00:00 +0000 |
702 | +++ core/acl.ldif 2010-07-19 21:25:56 +0000 |
703 | @@ -0,0 +1,16 @@ |
704 | +dn: olcDatabase=@DATABASE@,cn=config |
705 | +changetype: modify |
706 | +add: olcAccess |
707 | +olcAccess: to dn.subtree="@SUFFIX@" |
708 | + by dn.exact="uid=LDAP Admin,ou=System Accounts,@SUFFIX@" manage |
709 | + by * break |
710 | +- |
711 | +add: olcAccess |
712 | +olcAccess: {1}to dn.subtree="@SUFFIX@" |
713 | + by * read |
714 | +- |
715 | +add: olcAddContentAcl |
716 | +olcAddContentAcl: TRUE |
717 | +- |
718 | +add: olcLastMod |
719 | +olcLastMod: TRUE |
720 | |
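Review bot: the catch-all rule `olcAccess: {1}to dn.subtree="@SUFFIX@" by * read` grants anonymous read on every attribute in the suffix, including userPassword of the accounts that core/dit.ldif creates, because the preceding rule ends in `by * break` and nothing in between protects password attributes; add a rule ahead of it such as `to attrs=userPassword by self write by anonymous auth by * none` (the README says anonymous read is granted to "many" attributes, not all). Two more points on the same hunk: the first `add: olcAccess` has no `{0}` index while the second carries `{1}`, so give both explicit indices to make the evaluation order unambiguous; and the admin grant is `by dn.exact="uid=LDAP Admin,..." manage`, whereas the README states that ACLs are built on group membership (cn=LDAP Admins), so either use `group.exact` here or note the exception in the README.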
721 | === added file 'core/cosine.schema.ldif' |
722 | --- core/cosine.schema.ldif 1970-01-01 00:00:00 +0000 |
723 | +++ core/cosine.schema.ldif 2010-07-19 21:25:56 +0000 |
724 | @@ -0,0 +1,200 @@ |
725 | +# RFC1274: Cosine and Internet X.500 schema |
726 | +# $OpenLDAP: pkg/ldap/servers/slapd/schema/cosine.ldif,v 1.1.2.4 2009/01/22 00:01:14 kurt Exp $ |
727 | +## This work is part of OpenLDAP Software <http://www.openldap.org/>. |
728 | +## |
729 | +## Copyright 1998-2009 The OpenLDAP Foundation. |
730 | +## All rights reserved. |
731 | +## |
732 | +## Redistribution and use in source and binary forms, with or without |
733 | +## modification, are permitted only as authorized by the OpenLDAP |
734 | +## Public License. |
735 | +## |
736 | +## A copy of this license is available in the file LICENSE in the |
737 | +## top-level directory of the distribution or, alternatively, at |
738 | +## <http://www.OpenLDAP.org/license.html>. |
739 | +# |
740 | +# RFC1274: Cosine and Internet X.500 schema |
741 | +# |
742 | +# This file contains LDAPv3 schema derived from X.500 COSINE "pilot" |
743 | +# schema. As this schema was defined for X.500(89), some |
744 | +# oddities were introduced in the mapping to LDAPv3. The |
745 | +# mappings were based upon: draft-ietf-asid-ldapv3-attributes-03.txt |
746 | +# (a work in progress) |
747 | +# |
748 | +# Note: It seems that the pilot schema evolved beyond what was |
749 | +# described in RFC1274. However, this document attempts to describes |
750 | +# RFC1274 as published. |
751 | +# |
752 | +# Depends on core.ldif |
753 | +# |
754 | +# This file was automatically generated from cosine.schema; see that |
755 | +# file for complete background. |
756 | +# |
757 | +dn: cn=cosine,cn=schema,cn=config |
758 | +objectClass: olcSchemaConfig |
759 | +cn: cosine |
760 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.2 NAME 'textEncodedORAddress' |
761 | + EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1. |
762 | + 1466.115.121.1.15{256} ) |
763 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.4 NAME 'info' DESC 'RFC1274: g |
764 | + eneral information' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
765 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{2048} ) |
766 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.5 NAME ( 'drink' 'favouriteDri |
767 | + nk' ) DESC 'RFC1274: favorite drink' EQUALITY caseIgnoreMatch SUBSTR caseIgno |
768 | + reSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) |
769 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.6 NAME 'roomNumber' DESC 'RFC1 |
770 | + 274: room number' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch S |
771 | + YNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) |
772 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.7 NAME 'photo' DESC 'RFC1274: |
773 | + photo (G3 fax)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.23{25000} ) |
774 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.8 NAME 'userClass' DESC 'RFC12 |
775 | + 74: category of user' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMat |
776 | + ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) |
777 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.9 NAME 'host' DESC 'RFC1274: h |
778 | + ost computer' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTA |
779 | + X 1.3.6.1.4.1.1466.115.121.1.15{256} ) |
780 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.10 NAME 'manager' DESC 'RFC127 |
781 | + 4: DN of manager' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115 |
782 | + .121.1.12 ) |
783 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.11 NAME 'documentIdentifier' D |
784 | + ESC 'RFC1274: unique identifier of document' EQUALITY caseIgnoreMatch SUBSTR |
785 | + caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) |
786 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.12 NAME 'documentTitle' DESC ' |
787 | + RFC1274: title of document' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstri |
788 | + ngsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) |
789 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.13 NAME 'documentVersion' DES |
790 | + C 'RFC1274: version of document' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSu |
791 | + bstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) |
792 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.14 NAME 'documentAuthor' DESC |
793 | + 'RFC1274: DN of author of document' EQUALITY distinguishedNameMatch SYNTAX 1 |
794 | + .3.6.1.4.1.1466.115.121.1.12 ) |
795 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.15 NAME 'documentLocation' DE |
796 | + SC 'RFC1274: location of document original' EQUALITY caseIgnoreMatch SUBSTR c |
797 | + aseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) |
798 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.20 NAME ( 'homePhone' 'homeTe |
799 | + lephoneNumber' ) DESC 'RFC1274: home telephone number' EQUALITY telephoneNumb |
800 | + erMatch SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121 |
801 | + .1.50 ) |
802 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.21 NAME 'secretary' DESC 'RFC |
803 | + 1274: DN of secretary' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.146 |
804 | + 6.115.121.1.12 ) |
805 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.22 NAME 'otherMailbox' SYNTAX |
806 | + 1.3.6.1.4.1.1466.115.121.1.39 ) |
807 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.26 NAME 'aRecord' EQUALITY ca |
808 | + seIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
809 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.27 NAME 'mDRecord' EQUALITY c |
810 | + aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
811 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.28 NAME 'mXRecord' EQUALITY c |
812 | + aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
813 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.29 NAME 'nSRecord' EQUALITY c |
814 | + aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
815 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.30 NAME 'sOARecord' EQUALITY |
816 | + caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
817 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.31 NAME 'cNAMERecord' EQUALIT |
818 | + Y caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
819 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.38 NAME 'associatedName' DESC |
820 | + 'RFC1274: DN of entry associated with domain' EQUALITY distinguishedNameMatc |
821 | + h SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) |
822 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.39 NAME 'homePostalAddress' D |
823 | + ESC 'RFC1274: home postal address' EQUALITY caseIgnoreListMatch SUBSTR caseIg |
824 | + noreListSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 ) |
825 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.40 NAME 'personalTitle' DESC |
826 | + 'RFC1274: personal title' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstring |
827 | + sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) |
828 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.41 NAME ( 'mobile' 'mobileTel |
829 | + ephoneNumber' ) DESC 'RFC1274: mobile telephone number' EQUALITY telephoneNum |
830 | + berMatch SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.12 |
831 | + 1.1.50 ) |
832 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.42 NAME ( 'pager' 'pagerTelep |
833 | + honeNumber' ) DESC 'RFC1274: pager telephone number' EQUALITY telephoneNumber |
834 | + Match SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1 |
835 | + .50 ) |
836 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.43 NAME ( 'co' 'friendlyCount |
837 | + ryName' ) DESC 'RFC1274: friendly country name' EQUALITY caseIgnoreMatch SUBS |
838 | + TR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) |
839 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier' DE |
840 | + SC 'RFC1274: unique identifer' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.14 |
841 | + 66.115.121.1.15{256} ) |
842 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.45 NAME 'organizationalStatus |
843 | + ' DESC 'RFC1274: organizational status' EQUALITY caseIgnoreMatch SUBSTR caseI |
844 | + gnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) |
845 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.46 NAME 'janetMailbox' DESC ' |
846 | + RFC1274: Janet mailbox' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subst |
847 | + ringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) |
848 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.47 NAME 'mailPreferenceOption |
849 | + ' DESC 'RFC1274: mail preference option' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
850 | + ) |
851 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.48 NAME 'buildingName' DESC ' |
852 | + RFC1274: name of building' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstrin |
853 | + gsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) |
854 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.49 NAME 'dSAQuality' DESC 'RF |
855 | + C1274: DSA Quality' SYNTAX 1.3.6.1.4.1.1466.115.121.1.19 SINGLE-VALUE ) |
856 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.50 NAME 'singleLevelQuality' |
857 | + DESC 'RFC1274: Single Level Quality' SYNTAX 1.3.6.1.4.1.1466.115.121.1.13 SIN |
858 | + GLE-VALUE ) |
859 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.51 NAME 'subtreeMinimumQualit |
860 | + y' DESC 'RFC1274: Subtree Mininum Quality' SYNTAX 1.3.6.1.4.1.1466.115.121.1. |
861 | + 13 SINGLE-VALUE ) |
862 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.52 NAME 'subtreeMaximumQualit |
863 | + y' DESC 'RFC1274: Subtree Maximun Quality' SYNTAX 1.3.6.1.4.1.1466.115.121.1. |
864 | + 13 SINGLE-VALUE ) |
865 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.53 NAME 'personalSignature' D |
866 | + ESC 'RFC1274: Personal Signature (G3 fax)' SYNTAX 1.3.6.1.4.1.1466.115.121.1. |
867 | + 23 ) |
868 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.54 NAME 'dITRedirect' DESC 'R |
869 | + FC1274: DIT Redirect' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466 |
870 | + .115.121.1.12 ) |
871 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.55 NAME 'audio' DESC 'RFC1274 |
872 | + : audio (u-law)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.4{25000} ) |
873 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.56 NAME 'documentPublisher' D |
874 | + ESC 'RFC1274: publisher of document' EQUALITY caseIgnoreMatch SUBSTR caseIgno |
875 | + reSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) |
876 | +olcObjectClasses: ( 0.9.2342.19200300.100.4.4 NAME ( 'pilotPerson' 'newPilo |
877 | + tPerson' ) SUP person STRUCTURAL MAY ( userid $ textEncodedORAddress $ rfc822 |
878 | + Mailbox $ favouriteDrink $ roomNumber $ userClass $ homeTelephoneNumber $ hom |
879 | + ePostalAddress $ secretary $ personalTitle $ preferredDeliveryMethod $ busine |
880 | + ssCategory $ janetMailbox $ otherMailbox $ mobileTelephoneNumber $ pagerTelep |
881 | + honeNumber $ organizationalStatus $ mailPreferenceOption $ personalSignature |
882 | + ) ) |
883 | +olcObjectClasses: ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCT |
884 | + URAL MUST userid MAY ( description $ seeAlso $ localityName $ organizationNam |
885 | + e $ organizationalUnitName $ host ) ) |
886 | +olcObjectClasses: ( 0.9.2342.19200300.100.4.6 NAME 'document' SUP top STRUC |
887 | + TURAL MUST documentIdentifier MAY ( commonName $ description $ seeAlso $ loca |
888 | + lityName $ organizationName $ organizationalUnitName $ documentTitle $ docume |
889 | + ntVersion $ documentAuthor $ documentLocation $ documentPublisher ) ) |
890 | +olcObjectClasses: ( 0.9.2342.19200300.100.4.7 NAME 'room' SUP top STRUCTURA |
891 | + L MUST commonName MAY ( roomNumber $ description $ seeAlso $ telephoneNumber |
892 | + ) ) |
893 | +olcObjectClasses: ( 0.9.2342.19200300.100.4.9 NAME 'documentSeries' SUP top |
894 | + STRUCTURAL MUST commonName MAY ( description $ seeAlso $ telephonenumber $ l |
895 | + ocalityName $ organizationName $ organizationalUnitName ) ) |
896 | +olcObjectClasses: ( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCT |
897 | + URAL MUST domainComponent MAY ( associatedName $ organizationName $ descripti |
898 | + on $ businessCategory $ seeAlso $ searchGuide $ userPassword $ localityName $ |
899 | + stateOrProvinceName $ streetAddress $ physicalDeliveryOfficeName $ postalAdd |
900 | + ress $ postalCode $ postOfficeBox $ streetAddress $ facsimileTelephoneNumber |
901 | + $ internationalISDNNumber $ telephoneNumber $ teletexTerminalIdentifier $ tel |
902 | + exNumber $ preferredDeliveryMethod $ destinationIndicator $ registeredAddress |
903 | + $ x121Address ) ) |
904 | +olcObjectClasses: ( 0.9.2342.19200300.100.4.14 NAME 'RFC822localPart' SUP d |
905 | + omain STRUCTURAL MAY ( commonName $ surname $ description $ seeAlso $ telepho |
906 | + neNumber $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOffi |
907 | + ceBox $ streetAddress $ facsimileTelephoneNumber $ internationalISDNNumber $ |
908 | + telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ preferredDelivery |
909 | + Method $ destinationIndicator $ registeredAddress $ x121Address ) ) |
910 | +olcObjectClasses: ( 0.9.2342.19200300.100.4.15 NAME 'dNSDomain' SUP domain |
911 | + STRUCTURAL MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAME |
912 | + Record ) ) |
913 | +olcObjectClasses: ( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject' D |
914 | + ESC 'RFC1274: an object related to an domain' SUP top AUXILIARY MUST associat |
915 | + edDomain ) |
916 | +olcObjectClasses: ( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry' SUP c |
917 | + ountry STRUCTURAL MUST friendlyCountryName ) |
918 | +olcObjectClasses: ( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization' SU |
919 | + P ( organization $ organizationalUnit ) STRUCTURAL MAY buildingName ) |
920 | +olcObjectClasses: ( 0.9.2342.19200300.100.4.21 NAME 'pilotDSA' SUP dsa STR |
921 | + UCTURAL MAY dSAQuality ) |
922 | +olcObjectClasses: ( 0.9.2342.19200300.100.4.22 NAME 'qualityLabelledData' |
923 | + SUP top AUXILIARY MUST dsaQuality MAY ( subtreeMinimumQuality $ subtreeMaximu |
924 | + mQuality ) ) |
925 | |
926 | === added file 'core/database.ldif' |
927 | --- core/database.ldif 1970-01-01 00:00:00 +0000 |
928 | +++ core/database.ldif 2010-07-19 21:25:56 +0000 |
929 | @@ -0,0 +1,13 @@ |
930 | +dn: olcDatabase=hdb,cn=config |
931 | +olcDatabase: hdb |
932 | +objectClass: olcDatabaseConfig |
933 | +objectClass: olcHdbConfig |
934 | +olcSuffix: @SUFFIX@ |
935 | +olcDbDirectory: /var/lib/ldap |
936 | +olcDbCacheSize: 1000 |
937 | +olcDbCheckpoint: 1024 10 |
938 | +olcDbConfig: set_cachesize 0 10485760 0 |
939 | +olcDbConfig: set_lg_bsize 2097152 |
940 | +olcDbConfig: set_flags DB_LOG_AUTOREMOVE |
941 | +olcDbIDLcacheSize: 3000 |
942 | +olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth |
943 | |
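Review bot: this database definition carries no olcDbIndex attributes at all; with group-based ACLs and the syncrepl setup described in the README, at least `objectClass eq`, `uid eq`, `cn eq`, `member eq` and `entryCSN,entryUUID eq` should be indexed, otherwise every ACL group lookup and replication search becomes a full scan and slapd logs "not indexed" warnings. Also, the entry is hard-coded as `olcDatabase=hdb,cn=config` while core/acl.ldif targets `olcDatabase=@DATABASE@,cn=config`; make sure the value substituted for @DATABASE@ always matches this DN (or use the same placeholder in both files).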
944 | === added file 'core/dit.ldif' |
945 | --- core/dit.ldif 1970-01-01 00:00:00 +0000 |
946 | +++ core/dit.ldif 2010-07-19 21:25:56 +0000 |
947 | @@ -0,0 +1,19 @@ |
948 | +# base tree |
949 | +dn: @SUFFIX@ |
950 | +dc: @DC@ |
951 | +objectClass: domain |
952 | +objectClass: domainRelatedObject |
953 | +associatedDomain: @DOMAIN@ |
954 | + |
955 | +dn: ou=System Accounts,@SUFFIX@ |
956 | +ou: System Accounts |
957 | +objectClass: organizationalUnit |
958 | +description: Container for System and Services privileged accounts |
959 | + |
960 | +dn: uid=LDAP Admin,ou=System Accounts,@SUFFIX@ |
961 | +uid: LDAP Admin |
962 | +objectClass: account |
963 | +objectClass: simpleSecurityObject |
964 | +userPassword: @ADMINPASS@ |
965 | +description: Account used to administer all parts of the Directory |
966 | + |
967 | |
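Review bot: `userPassword: @ADMINPASS@` will store whatever the installer substitutes; unless the postinst hashes the entered password first (for example with slappasswd, giving an {SSHA} value), the admin password is stored in cleartext in the directory and in the generated LDIF on disk. The substituted copy of this file should also be written with mode 0600 and removed after loading. Separately, this file only creates ou=System Accounts and the LDAP Admin account, while the README's "The Tree" section lists ou=System Groups, the cn=* groups and the other uid=* accounts as part of the base layout; if those moved to other packages, the README should say so.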
968 | === added file 'core/inetorgperson.schema.ldif' |
969 | --- core/inetorgperson.schema.ldif 1970-01-01 00:00:00 +0000 |
970 | +++ core/inetorgperson.schema.ldif 2010-07-19 21:25:56 +0000 |
971 | @@ -0,0 +1,69 @@ |
972 | +# InetOrgPerson (RFC2798) |
973 | +# $OpenLDAP: pkg/ldap/servers/slapd/schema/inetorgperson.ldif,v 1.1.2.4 2009/01/22 00:01:14 kurt Exp $ |
974 | +## This work is part of OpenLDAP Software <http://www.openldap.org/>. |
975 | +## |
976 | +## Copyright 1998-2009 The OpenLDAP Foundation. |
977 | +## All rights reserved. |
978 | +## |
979 | +## Redistribution and use in source and binary forms, with or without |
980 | +## modification, are permitted only as authorized by the OpenLDAP |
981 | +## Public License. |
982 | +## |
983 | +## A copy of this license is available in the file LICENSE in the |
984 | +## top-level directory of the distribution or, alternatively, at |
985 | +## <http://www.OpenLDAP.org/license.html>. |
986 | +# |
987 | +# InetOrgPerson (RFC2798) |
988 | +# |
989 | +# Depends upon |
990 | +# Definition of an X.500 Attribute Type and an Object Class to Hold |
991 | +# Uniform Resource Identifiers (URIs) [RFC2079] |
992 | +# (core.ldif) |
993 | +# |
994 | +# A Summary of the X.500(96) User Schema for use with LDAPv3 [RFC2256] |
995 | +# (core.ldif) |
996 | +# |
997 | +# The COSINE and Internet X.500 Schema [RFC1274] (cosine.ldif) |
998 | +# |
999 | +# This file was automatically generated from inetorgperson.schema; see |
1000 | +# that file for complete references. |
1001 | +# |
1002 | +dn: cn=inetorgperson,cn=schema,cn=config |
1003 | +objectClass: olcSchemaConfig |
1004 | +cn: inetorgperson |
1005 | +olcAttributeTypes: ( 2.16.840.1.113730.3.1.1 NAME 'carLicense' DESC 'RFC279 |
1006 | + 8: vehicle license or registration plate' EQUALITY caseIgnoreMatch SUBSTR cas |
1007 | + eIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) |
1008 | +olcAttributeTypes: ( 2.16.840.1.113730.3.1.2 NAME 'departmentNumber' DESC ' |
1009 | + RFC2798: identifies a department within an organization' EQUALITY caseIgnoreM |
1010 | + atch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) |
1011 | +olcAttributeTypes: ( 2.16.840.1.113730.3.1.241 NAME 'displayName' DESC 'RFC |
1012 | + 2798: preferred name to be used when displaying entries' EQUALITY caseIgnoreM |
1013 | + atch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SI |
1014 | + NGLE-VALUE ) |
1015 | +olcAttributeTypes: ( 2.16.840.1.113730.3.1.3 NAME 'employeeNumber' DESC 'RF |
1016 | + C2798: numerically identifies an employee within an organization' EQUALITY ca |
1017 | + seIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.12 |
1018 | + 1.1.15 SINGLE-VALUE ) |
1019 | +olcAttributeTypes: ( 2.16.840.1.113730.3.1.4 NAME 'employeeType' DESC 'RFC2 |
1020 | + 798: type of employment for a person' EQUALITY caseIgnoreMatch SUBSTR caseIgn |
1021 | + oreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) |
1022 | +olcAttributeTypes: ( 0.9.2342.19200300.100.1.60 NAME 'jpegPhoto' DESC 'RFC2 |
1023 | + 798: a JPEG image' SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 ) |
1024 | +olcAttributeTypes: ( 2.16.840.1.113730.3.1.39 NAME 'preferredLanguage' DESC |
1025 | + 'RFC2798: preferred written or spoken language for a person' EQUALITY caseIg |
1026 | + noreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1. |
1027 | + 15 SINGLE-VALUE ) |
1028 | +olcAttributeTypes: ( 2.16.840.1.113730.3.1.40 NAME 'userSMIMECertificate' D |
1029 | + ESC 'RFC2798: PKCS#7 SignedData used to support S/MIME' SYNTAX 1.3.6.1.4.1.14 |
1030 | + 66.115.121.1.5 ) |
1031 | +olcAttributeTypes: ( 2.16.840.1.113730.3.1.216 NAME 'userPKCS12' DESC 'RFC2 |
1032 | + 798: personal identity information, a PKCS #12 PFX' SYNTAX 1.3.6.1.4.1.1466.1 |
1033 | + 15.121.1.5 ) |
1034 | +olcObjectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'RFC2 |
1035 | + 798: Internet Organizational Person' SUP organizationalPerson STRUCTURAL MAY |
1036 | + ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ em |
1037 | + ployeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ ini |
1038 | + tials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo |
1039 | + $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ pre |
1040 | + ferredLanguage $ userSMIMECertificate $ userPKCS12 ) ) |
1041 | |
1042 | === added file 'core/misc.schema.ldif' |
1043 | --- core/misc.schema.ldif 1970-01-01 00:00:00 +0000 |
1044 | +++ core/misc.schema.ldif 2010-07-19 21:25:56 +0000 |
1045 | @@ -0,0 +1,25 @@ |
1046 | +# misc.ldif |
1047 | +# |
1048 | +# This is the ldif version of misc.schema to be used with cn=config. |
1049 | +# The nss overlay requires rfc822MailMember which is defined here. |
1050 | +# |
1051 | +dn: cn=misc,cn=schema,cn=config |
1052 | +objectClass: olcSchemaConfig |
1053 | +cn: misc |
1054 | +olcAttributeTypes: ( 2.16.840.1.113730.3.1.13 NAME 'mailLocalAddress' DESC |
1055 | + 'RFC822 email address of this recipient' EQUALITY caseIgnoreIA5Match SYNTAX 1 |
1056 | + .3.6.1.4.1.1466.115.121.1.26{256} ) |
1057 | +olcAttributeTypes: ( 2.16.840.1.113730.3.1.18 NAME 'mailHost' DESC 'FQDN of |
1058 | + the SMTP/MTA of this recipient' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4 |
1059 | + .1.1466.115.121.1.26{256} SINGLE-VALUE ) |
1060 | +olcAttributeTypes: ( 2.16.840.1.113730.3.1.47 NAME 'mailRoutingAddress' DES |
1061 | + C 'RFC822 routing address of this recipient' EQUALITY caseIgnoreIA5Match SYNT |
1062 | + AX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE ) |
1063 | +olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.2.1.15 NAME 'rfc822MailMember' DES |
1064 | + C 'rfc822 mail address of group member(s)' EQUALITY caseIgnoreIA5Match SYNTAX |
1065 | + 1.3.6.1.4.1.1466.115.121.1.26 ) |
1066 | +olcObjectClasses: ( 2.16.840.1.113730.3.2.147 NAME 'inetLocalMailRecipient' |
1067 | + DESC 'Internet local mail recipient' SUP top AUXILIARY MAY ( mailLocalAddres |
1068 | + s $ mailHost $ mailRoutingAddress ) ) |
1069 | +olcObjectClasses: ( 1.3.6.1.4.1.42.2.27.1.2.5 NAME 'nisMailAlias' DESC 'NIS |
1070 | + mail alias' SUP top STRUCTURAL MUST cn MAY rfc822MailMember ) |
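Review bot: The header comment on the first line of this file reads `# misc.ldif`, but the file is `core/misc.schema.ldif`; rename the comment so it matches the file it describes. The sibling `core/namedObject.schema.ldif` prefixes its `olcObjectClasses` value with `{0}` while this file does not; both forms are accepted by cn=config, but the core schema files should use one convention.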
1071 | |
1072 | === added file 'core/modules.ldif' |
1073 | --- core/modules.ldif 1970-01-01 00:00:00 +0000 |
1074 | +++ core/modules.ldif 2010-07-19 21:25:56 +0000 |
1075 | @@ -0,0 +1,4 @@ |
1076 | +dn: cn=module,cn=config |
1077 | +cn: module |
1078 | +objectClass: olcModuleList |
1079 | +olcModuleLoad: back_hdb.la |
1080 | |
1081 | === added file 'core/namedObject.schema.ldif' |
1082 | --- core/namedObject.schema.ldif 1970-01-01 00:00:00 +0000 |
1083 | +++ core/namedObject.schema.ldif 2010-07-19 21:25:56 +0000 |
1084 | @@ -0,0 +1,5 @@ |
1085 | +dn: cn=namedObject,cn=schema,cn=config |
1086 | +objectClass: olcSchemaConfig |
1087 | +cn: namedObject |
1088 | +olcObjectClasses: {0}( 1.3.6.1.4.1.5322.13.1.1 NAME 'namedObject' SUP top STRU |
1089 | + CTURAL MAY cn ) |
1090 | |
1091 | === removed directory 'databases' |
1092 | === removed file 'databases/add-hdb.ldif' |
1093 | --- databases/add-hdb.ldif 2009-10-06 23:18:47 +0000 |
1094 | +++ databases/add-hdb.ldif 1970-01-01 00:00:00 +0000 |
1095 | @@ -1,152 +0,0 @@ |
1096 | -dn: olcDatabase=hdb,cn=config |
1097 | -olcDatabase: hdb |
1098 | -objectClass: olcDatabaseConfig |
1099 | -objectClass: olcHdbConfig |
1100 | -olcSuffix: @SUFFIX@ |
1101 | -olcDbDirectory: /var/lib/ldap |
1102 | -olcDbCacheSize: 1000 |
1103 | -olcDbCheckpoint: 1024 10 |
1104 | -olcDbConfig: set_cachesize 0 10485760 0 |
1105 | -olcDbConfig: set_lg_bsize 2097152 |
1106 | -olcDbConfig: set_flags DB_LOG_AUTOREMOVE |
1107 | -olcDbIDLcacheSize: 3000 |
1108 | -olcRootDN: cn=localroot,cn=config |
1109 | -olcDbIndex: objectClass eq |
1110 | -olcDbIndex: entryUUID eq |
1111 | -olcDbIndex: entryCSN eq |
1112 | -olcDbIndex: cn eq,subinitial |
1113 | -olcDbIndex: uid eq,subinitial |
1114 | -olcDbIndex: uidNumber eq |
1115 | -olcDbIndex: gidNumber eq |
1116 | -olcDbIndex: sn eq,subinitial |
1117 | -olcDbIndex: member eq |
1118 | -olcDbIndex: memberUid eq |
1119 | -olcDbIndex: mail eq,subinitial |
1120 | -olcDbIndex: givenName eq,subinitial |
1121 | -olcDbIndex: sambaDomainName eq |
1122 | -olcDbIndex: sambaSID eq,sub |
1123 | -olcDbIndex: displayName eq |
1124 | -olcDbIndex: sambaGroupType eq |
1125 | -olcDbIndex: krbPrincipalName eq |
1126 | -olcDbIndex: krbPwdPolicyReference eq |
1127 | -olcDbIndex: sambaSIDList eq |
1128 | -olcDbIndex: uniqueMember pres,eq |
1129 | -olcDbIndex: zoneName eq |
1130 | -olcDbIndex: dhcpClassData eq |
1131 | -olcDbIndex: relativeDomainName eq |
1132 | -olcDbIndex: dhcpHWAddress eq |
1133 | -olcDbIndex: sudoUser eq,sub |
1134 | -olcAccess: {0}to dn.subtree="@SUFFIX@" |
1135 | - by group/groupOfMembers/member.exact="cn=ldap admins,ou=system groups,@SUFFIX@" manage |
1136 | - by group/groupOfMembers/member.exact="cn=ldap replicators,ou=system groups,@SUFFIX@" read |
1137 | - by * break |
1138 | -olcAccess: {1}to dn.subtree="ou=people,@SUFFIX@" |
1139 | - attrs=shadowLastChange |
1140 | - by self write |
1141 | - by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write |
1142 | - by * read |
1143 | -olcAccess: {2}to dn.subtree="ou=people,@SUFFIX@" |
1144 | - attrs=userPassword |
1145 | - by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write |
1146 | - by self write |
1147 | - by anonymous auth |
1148 | - by * none |
1149 | -olcAccess: {3}to dn.subtree="@SUFFIX@" |
1150 | - attrs=userPassword |
1151 | - by self write |
1152 | - by anonymous auth |
1153 | - by * none |
1154 | -olcAccess: {4}to dn.subtree="@SUFFIX@" |
1155 | - attrs=krbPrincipalKey |
1156 | - by self write |
1157 | - by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write |
1158 | - by dn.exact="uid=kdc-service,ou=System Accounts,@SUFFIX@" read |
1159 | - by dn.exact="uid=kadmin-service,ou=System Accounts,@SUFFIX@" write |
1160 | - by anonymous auth |
1161 | - by * none |
1162 | -olcAccess: {5}to dn.subtree="ou=password policies,@SUFFIX@" |
1163 | - by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write |
1164 | - by * read |
1165 | -olcAccess: {6}to dn.subtree="@SUFFIX@" |
1166 | - attrs=sambaLMPassword,sambaNTPassword |
1167 | - by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write |
1168 | - by anonymous auth |
1169 | - by self write |
1170 | - by * none |
1171 | -olcAccess: {7}to dn.subtree="@SUFFIX@" |
1172 | - attrs=sambaPasswordHistory,pwdHistory |
1173 | - by self read |
1174 | - by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write |
1175 | - by * none |
1176 | -olcAccess: {8}to dn.subtree="@SUFFIX@" |
1177 | - attrs=pwdReset |
1178 | - by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write |
1179 | - by * read |
1180 | -olcAccess: {9}to dn.regex="^cn=[^,]+,ou=(System Groups|Group),@SUFFIX@$" |
1181 | - attrs=member |
1182 | - by dnattr=owner write |
1183 | - by * break |
1184 | -olcAccess: {10}to dn.subtree="ou=people,@SUFFIX@" |
1185 | - attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber |
1186 | - by self write |
1187 | - by * break |
1188 | -olcAccess: {11}to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),@SUFFIX@$" |
1189 | - attrs=children,entry |
1190 | - by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write |
1191 | - by * break |
1192 | -olcAccess: {12}to dn.regex="^[^,]+,ou=(People|Hosts|Group),@SUFFIX@$" |
1193 | - by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write |
1194 | - by * break |
1195 | -olcAccess: {13}to dn.regex="^(sambaDomainName=[^,]+,)?@SUFFIX@$" |
1196 | - attrs=children,entry,@sambaDomain,@sambaUnixIdPool |
1197 | - by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write |
1198 | - by * read |
1199 | -olcAccess: {14}to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,@SUFFIX@$" |
1200 | - attrs=children,entry,@sambaIdmapEntry |
1201 | - by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write |
1202 | - by group/groupOfMembers/member.exact="cn=idmap admins,ou=system groups,@SUFFIX@" write |
1203 | - by * read |
1204 | -olcAccess: {15}to dn.regex="^(.*,)?ou=Address Book,@SUFFIX@" |
1205 | - attrs=children,entry,@inetOrgPerson |
1206 | - by group/groupOfMembers/member.exact="cn=address book admins,ou=system groups,@SUFFIX@" write |
1207 | - by * read |
1208 | -olcAccess: {16}to dn.subtree="ou=dhcp,@SUFFIX@" |
1209 | - attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool, |
1210 | - @dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog |
1211 | - by group/groupOfMembers/member.exact="cn=dhcp admins,ou=system groups,@SUFFIX@" write |
1212 | - by group/groupOfMembers/member.exact="cn=dhcp readers,ou=system groups,@SUFFIX@" read |
1213 | - by * read |
1214 | -olcAccess: {17}to dn.regex="^([^,]+,)?ou=sudoers,@SUFFIX@$" |
1215 | - attrs=children,entry,@sudoRole |
1216 | - by group/groupOfMembers/member.exact="cn=sudo admins,ou=system groups,@SUFFIX@" write |
1217 | - by * read |
1218 | -olcAccess: {18}to dn.base="ou=dns,@SUFFIX@" |
1219 | - attrs=entry,@extensibleObject |
1220 | - by group/groupOfMembers/member.exact="cn=dns admins,ou=system groups,@SUFFIX@" write |
1221 | - by * read |
1222 | -olcAccess: {19}to dn.subtree="ou=dns,@SUFFIX@" |
1223 | - attrs=children,entry,@dNSZone |
1224 | - by group/groupOfMembers/member.exact="cn=dns admins,ou=system groups,@SUFFIX@" write |
1225 | - by group/groupOfMembers/member.exact="cn=dns readers,ou=system groups,@SUFFIX@" read |
1226 | - by * none |
1227 | -olcAccess: {20}to dn.subtree="ou=Kerberos Realms,@SUFFIX@" |
1228 | - by dn.exact="uid=kdc-service,ou=System Accounts,@SUFFIX@" read |
1229 | - by dn.exact="uid=kadmin-service,ou=System Accounts,@SUFFIX@" write |
1230 | - by * none |
1231 | -olcAccess: {21}to dn.one="ou=people,@SUFFIX@" |
1232 | - attrs=@inetLocalMailRecipient,mail |
1233 | - by group/groupOfMembers/member.exact="cn=mta admins,ou=system groups,@SUFFIX@" write |
1234 | - by * read |
1235 | -olcAccess: {22}to dn.subtree="@SUFFIX@" |
1236 | - by * read |
1237 | -olcAddContentAcl: TRUE |
1238 | -olcLastMod: TRUE |
1239 | -olcLimits: {0}group/groupOfMembers/member="cn=ldap replicators,ou=system groups,@SUFFIX@" |
1240 | - size=unlimited |
1241 | - time=unlimited |
1242 | -olcLimits: {1}group/groupOfMembers/member="cn=ldap admins,ou=system groups,@SUFFIX@" |
1243 | - size=unlimited |
1244 | - time=unlimited |
1245 | -olcLimits: {2}group/groupOfMembers/member="cn=account admins,ou=system groups,@SUFFIX@" |
1246 | - size=unlimited |
1247 | - time=unlimited |
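Review bot: Deleting this file drops three things nothing visible in the branch re-adds: the `olcDbIndex: entryUUID eq` / `entryCSN eq` indexes that syncrepl relies on, the `olcLimits` entries granting `size=unlimited time=unlimited` to the `ldap replicators` and `ldap admins` groups, and the trailing catch-all `olcAccess: {22}to dn.subtree="@SUFFIX@" by * read`. Without the limits a replication consumer binding as a member of `cn=ldap replicators` runs into slapd's default size limit of 500 entries, and `debian/openldap-dit.scripts-common` assumes the catch-all is the last ACL (`LASTACL`, `remove_last_acl`, `replace_last_acl`), so whichever core LDIF now defines the hdb database and its ACLs needs to carry these over.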
1248 | |
1249 | === removed file 'databases/add-monitor.ldif' |
1250 | --- databases/add-monitor.ldif 2009-09-17 14:09:01 +0000 |
1251 | +++ databases/add-monitor.ldif 1970-01-01 00:00:00 +0000 |
1252 | @@ -1,10 +0,0 @@ |
1253 | -dn: olcDatabase=monitor,cn=config |
1254 | -objectClass: olcMonitorConfig |
1255 | -objectClass: olcDatabaseConfig |
1256 | -objectClass: olcConfig |
1257 | -olcDatabase: monitor |
1258 | -olcRootDN: cn=localroot,cn=config |
1259 | -olcAccess: {0}to dn.subtree="" |
1260 | - by group/groupOfMembers/member.exact="cn=LDAP Admins,ou=System Groups,@SUFFIX@" read |
1261 | - by group/groupOfMembers/member.exact="cn=LDAP Monitors,ou=System Groups,@SUFFIX@" read |
1262 | - by * none |
1263 | |
1264 | === modified file 'debian/changelog' |
1265 | --- debian/changelog 2008-06-04 20:17:58 +0000 |
1266 | +++ debian/changelog 2010-07-19 21:25:56 +0000 |
1267 | @@ -1,4 +1,47 @@ |
1268 | -openldap-dit (0.19-1) unstable; urgency=low |
1269 | +openldap-dit (0.20-1) lucid; urgency=low |
1270 | + |
1271 | + * Using debconf to ask for domain and admin password. |
1272 | + * Will create openldap-dit-$service.postinst during build time |
1273 | + from openldap-dit.scripts-common. |
1274 | + * Remove last olcAccess and re-add at the end of ACL. |
1275 | + * Switch to dpkg-source 3.0 (quilt) format |
1276 | + * Updated standards-version. |
1277 | + * Changed version number, removed debian versions. |
1278 | + * Removed LICENSE from openldap-dit-core.docs because information |
1279 | + is covered in debian/copyright. |
1280 | + * Now using "invoke-rc.d slapd restart" to restart slapd. |
1281 | + * Removed path to slappasswd utility in debian/openldap-dit.scripts-common. |
1282 | + * Find index for main database, and index of module suffix. |
1283 | + |
1284 | + -- Adam Sommer <asommer@ubuntu.com> Tue, 01 Jun 2010 13:41:30 -0400 |
1285 | + |
1286 | +openldap-dit (0.19) unstable; urgency=low |
1287 | + |
1288 | + * Another directory reorganization. |
1289 | + * Created openldap-dit-usersandgroups package. |
1290 | + * Updated Makefile and debian/rules for new package. |
1291 | + |
1292 | + -- Adam Sommer <asommer@ubuntu.com> Mon, 24 May 2010 16:09:10 -0400 |
1293 | + |
1294 | +openldap-dit (0.19) unstable; urgency=low |
1295 | + |
1296 | + * Created openldap-dit-core package. |
1297 | + * Reorganized file structure to reflect core DIT. |
1298 | + * Changed openldap-dit-setup.sh to postinst scripts. |
1299 | + * Updated Makefile for subdirectory layout. |
1300 | + |
1301 | + -- Adam Sommer <asommer@ubuntu.com> Tue, 18 May 2010 11:29:38 -0400 |
1302 | + |
1303 | +openldap-dit (0.19) unstable; urgency=low |
1304 | + |
1305 | + * Adjusted README paths in debian/docs. |
1306 | + * Created empty doc/README.kde |
1307 | + * Changed "install-ubuntu" command in debian/rules to "install" |
1308 | + which allows package to build. |
1309 | + |
1310 | + -- Adam Sommer <asommer@ubuntu.com> Mon, 26 Apr 2010 15:35:42 -0400 |
1311 | + |
1312 | +openldap-dit (0.19) unstable; urgency=low |
1313 | |
1314 | * Initial release |
1315 | |
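Review bot: Four consecutive entries carry the identical version `openldap-dit (0.19)`, and since the old `0.19-1` header is replaced rather than kept, the bottom `Initial release` entry ends up with the same version as the three above it; the changelog format expects each entry to have its own, decreasing version. Either fold the development notes into one `0.19` entry or give each its own version. The top entry also uses a Debian revision (`0.20-1`) while its own bullet says `removed debian versions`; make the header and the bullet agree.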
1316 | |
1317 | === modified file 'debian/control' |
1318 | --- debian/control 2008-06-04 20:30:39 +0000 |
1319 | +++ debian/control 2010-07-19 21:25:56 +0000 |
1320 | @@ -1,14 +1,25 @@ |
1321 | Source: openldap-dit |
1322 | Section: net |
1323 | Priority: extra |
1324 | -Maintainer: Andreas Hasenack <andreas@canonical.com> |
1325 | +Maintainer: Adam Sommer <asommer@ubuntu.com> |
1326 | Build-Depends: debhelper (>= 5) |
1327 | -Standards-Version: 3.7.3 |
1328 | +Homepage: https://launchpad.net/openldap-dit |
1329 | +Standards-Version: 3.8.4 |
1330 | |
1331 | -Package: openldap-dit |
1332 | +Package: openldap-dit-core |
1333 | +Section: net |
1334 | +Priority: extra |
1335 | Architecture: all |
1336 | Depends: ${shlibs:Depends}, ${misc:Depends}, slapd, ldap-utils |
1337 | -Description: Sample DIT for OpenLDAP |
1338 | - This package contains a sample DIT for OpenLDAP which can be |
1339 | - used together with many services and has a group based access |
1340 | - control. |
1341 | +Description: Simple DIT for OpenLDAP |
1342 | + This package contains a very simple DIT for OpenLDAP which can |
1343 | + be extened for many services. |
1344 | + |
1345 | +Package: openldap-dit-usersandgroups |
1346 | +Section: net |
1347 | +Priority: extra |
1348 | +Architecture: all |
1349 | +Depends: ${shlibs:Depends}, ${misc:Depends}, slapd, ldap-utils, openldap-dit-core |
1350 | +Description: Simple DIT Users and Groups |
1351 | + This package contains a simple DIT for OpenLDAP which can be |
1352 | + used for group based access control. |
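Review bot: `extened` in the openldap-dit-core description should be `extended`. The binary package `openldap-dit` disappears without any `Replaces:`/`Conflicts:`/`Provides:` on `openldap-dit-core` or a transitional package, so systems with the old package installed get no upgrade path, and the old package owned `usr/share/slapd/openldap-dit` (see the removed `debian/dirs`) which the new packages now populate underneath. Since this branch adds debconf templates and a `debian/po` directory, `po-debconf` belongs in `Build-Depends` so `dh_installdebconf` can merge translations; `${shlibs:Depends}` is a no-op for an `Architecture: all` package and can be dropped.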
1353 | |
1354 | === modified file 'debian/copyright' |
1355 | --- debian/copyright 2008-06-04 20:37:03 +0000 |
1356 | +++ debian/copyright 2010-07-19 21:25:56 +0000 |
1357 | @@ -4,9 +4,11 @@ |
1358 | Upstream Author: |
1359 | |
1360 | Andreas Hasenack <andreas@canonical.com> |
1361 | + Adam Sommer <asommer@ubuntu.com> |
1362 | |
1363 | Copyright: |
1364 | |
1365 | + Copyright (C) 2010 Adam Sommer |
1366 | Copyright (C) 2008 Andreas Hasenack |
1367 | Copyright (C) 2007 and before: Mandriva |
1368 | |
1369 | |
1370 | === removed file 'debian/dirs' |
1371 | --- debian/dirs 2008-06-04 20:30:39 +0000 |
1372 | +++ debian/dirs 1970-01-01 00:00:00 +0000 |
1373 | @@ -1,1 +0,0 @@ |
1374 | -usr/share/slapd/openldap-dit |
1375 | |
1376 | === removed file 'debian/docs' |
1377 | --- debian/docs 2008-06-04 20:17:58 +0000 |
1378 | +++ debian/docs 1970-01-01 00:00:00 +0000 |
1379 | @@ -1,10 +0,0 @@ |
1380 | -README |
1381 | -README.dhcp |
1382 | -README.dns |
1383 | -README.heimdal |
1384 | -README.kde |
1385 | -README.samba |
1386 | -README.sudo |
1387 | -TODO |
1388 | -COPYRIGHT |
1389 | -LICENSE |
1390 | |
1391 | === removed file 'debian/files' |
1392 | --- debian/files 2008-06-04 20:30:39 +0000 |
1393 | +++ debian/files 1970-01-01 00:00:00 +0000 |
1394 | @@ -1,1 +0,0 @@ |
1395 | -openldap-dit_0.19-1_all.deb net extra |
1396 | |
1397 | === added file 'debian/openldap-dit-core.config' |
1398 | --- debian/openldap-dit-core.config 1970-01-01 00:00:00 +0000 |
1399 | +++ debian/openldap-dit-core.config 2010-07-19 21:25:56 +0000 |
1400 | @@ -0,0 +1,79 @@ |
1401 | +#!/bin/bash |
1402 | + |
1403 | +set -e |
1404 | + |
1405 | +. /usr/share/debconf/confmodule |
1406 | + |
1407 | +get_domain() { |
1408 | +# Ask domain question. |
1409 | +# Usage: get_domain |
1410 | + local invalid |
1411 | + invalid="" |
1412 | + |
1413 | + db_input high openldap-dit-core/domain || true |
1414 | + db_go || true |
1415 | + |
1416 | + # Make sure the domain name is valid. |
1417 | + db_get openldap-dit-core/domain |
1418 | + if [ -z "$RET" ] || ! echo "$RET" | grep -q '^[a-zA-Z0-9.-]*$'; then |
1419 | + db_fset openldap-dit-core/domain seen false |
1420 | + invalid=true |
1421 | + fi |
1422 | + |
1423 | + if [ "$invalid" ]; then |
1424 | + return 1 |
1425 | + else |
1426 | + return 0 |
1427 | + fi |
1428 | +} |
1429 | + |
1430 | +crypt_admin_pass() { |
1431 | +# Store the encrypted admin password into the debconf db |
1432 | +# Usage: crypt_admin_pass |
1433 | + |
1434 | + db_get openldap-dit-core/password1 |
1435 | + if [ ! -z "$RET" ]; then |
1436 | + db_set openldap-dit-core/internal/adminpw $(slappasswd -n -s "$RET") |
1437 | + fi |
1438 | + db_go || true |
1439 | +} |
1440 | + |
1441 | +get_admin_password() { |
1442 | +# Ask for admin password and confirmation. |
1443 | +# Usage: get_admin_password |
1444 | + |
1445 | + while :; do |
1446 | + RET="" |
1447 | + db_input high openldap-dit-core/password1 || true |
1448 | + db_input high openldap-dit-core/password2 || true |
1449 | + db_go |
1450 | + |
1451 | + # Make sure the passwords match |
1452 | + local pass1 pass2 |
1453 | + db_get openldap-dit-core/password1 |
1454 | + pass1="$RET" |
1455 | + db_get openldap-dit-core/password2 |
1456 | + pass2="$RET" |
1457 | + if [ $pass1 == $pass2 ]; then |
1458 | + #ROOT_PW='' |
1459 | + break |
1460 | + fi |
1461 | + db_fset openldap-dit-core/password_mismatch seen false |
1462 | + db_input critical openldap-dit-core/password_mismatch |
1463 | + db_set openldap-dit-core/password1 "" |
1464 | + db_set openldap-dit-core/password2 "" |
1465 | + db_fset openldap-dit-core/password1 seen false |
1466 | + db_fset openldap-dit-core/password2 seen false |
1467 | + db_go |
1468 | + done |
1469 | + |
1470 | +} |
1471 | + |
1472 | + |
1473 | +get_domain |
1474 | +get_admin_password |
1475 | +crypt_admin_pass |
1476 | + |
1477 | +db_go || true |
1478 | + |
1479 | +exit 0 |
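Review bot: `if [ $pass1 == $pass2 ]` in `get_admin_password` compares unquoted variables: a blank entry in one field yields `[ == secret ]` and a test error, while two blank entries compare equal and are accepted, after which `crypt_admin_pass` skips `db_set` for the empty value and the core postinst later substitutes an empty `@ADMINPASS@`. Quote both sides and reject an empty password inside the loop. `get_domain` returns 1 on an invalid name, but the top-level call ignores that and, with `set -e`, a non-zero return aborts the config script instead of re-asking; wrap it in a loop like the password prompt. `slappasswd -n -s "$RET"` puts the cleartext on the command line where it is visible in the process list while the hash is computed; `slappasswd -T` reads the secret from a file instead. The two bare `db_go` calls in the loop also lack the `|| true` used elsewhere, so a user backing up (exit 30) kills the script.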
1480 | |
1481 | === added file 'debian/openldap-dit-core.dirs' |
1482 | --- debian/openldap-dit-core.dirs 1970-01-01 00:00:00 +0000 |
1483 | +++ debian/openldap-dit-core.dirs 2010-07-19 21:25:56 +0000 |
1484 | @@ -0,0 +1,1 @@ |
1485 | +usr/share/slapd/openldap-dit/core |
1486 | |
1487 | === added file 'debian/openldap-dit-core.docs' |
1488 | --- debian/openldap-dit-core.docs 1970-01-01 00:00:00 +0000 |
1489 | +++ debian/openldap-dit-core.docs 2010-07-19 21:25:56 +0000 |
1490 | @@ -0,0 +1,3 @@ |
1491 | +core/README |
1492 | +TODO |
1493 | +COPYRIGHT |
1494 | |
1495 | === added file 'debian/openldap-dit-core.postinst.in' |
1496 | --- debian/openldap-dit-core.postinst.in 1970-01-01 00:00:00 +0000 |
1497 | +++ debian/openldap-dit-core.postinst.in 2010-07-19 21:25:56 +0000 |
1498 | @@ -0,0 +1,59 @@ |
1499 | +#!/bin/bash |
1500 | + |
1501 | + |
1502 | +myservice="core" |
1503 | + |
1504 | +#COMMON-FUNCTIONS# |
1505 | + |
1506 | + |
1507 | +# steps: |
1508 | +# - add modules |
1509 | +# - add schema |
1510 | +# - add db + its acls |
1511 | +# - modify frontend acls |
1512 | +# - modify config acls |
1513 | +# - add overlays |
1514 | +# - populate db |
1515 | +# - set password for admin |
1516 | + |
1517 | +add_modules |
1518 | +check_result $? |
1519 | + |
1520 | +add_database |
1521 | +check_result $? |
1522 | + |
1523 | +add_schemas |
1524 | +check_result $? |
1525 | + |
1526 | +modify_acls |
1527 | +check_result $? |
1528 | + |
1529 | +add_overlays |
1530 | +check_result $? |
1531 | + |
1532 | +populate_dit |
1533 | +check_result $? |
1534 | + |
1535 | +echo |
1536 | +echo "Finished, doing one last restart..." |
1537 | +invoke-rc.d slapd restart |
1538 | +check_result $? |
1539 | + |
1540 | +echo |
1541 | +echo "Done, enjoy!" |
1542 | +echo |
1543 | +echo "Remember: this is your administrator bind dn:" |
1544 | +echo "uid=LDAP Admin,ou=System Accounts,$mysuffix" |
1545 | +echo |
1546 | +echo "You can use it in double quotes in the command line, like:" |
1547 | +echo "ldapwhoami -x -D \"uid=LDAP Admin,ou=System Accounts,$mysuffix\" -W " |
1548 | +echo |
1549 | + |
1550 | +wipe_admin_pass |
1551 | + |
1552 | +# dh_installdeb will replace this with shell code automatically |
1553 | +# generated by other debhelper scripts. |
1554 | + |
1555 | +#DEBHELPER# |
1556 | + |
1557 | +exit 0 |
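Review bot: The script never looks at `$1`, so every maintainer-script invocation (`configure` on upgrade, `abort-upgrade`, a re-run after a failed configure) repeats the `ldapadd` steps; the second time through the entries already exist, the pipeline in `add_ldif` fails under `set -e`, and the package is left unconfigured. Guard the body with `if [ "$1" = configure ] && [ -z "$2" ]` or make the add steps idempotent. `wipe_admin_pass` runs only on the success path, so any earlier `check_result` failure leaves the cleartext `password1`/`password2` answers in the debconf database; call it from `check_result` before `exit 1`, or from a `trap ... EXIT`. The step comment also lists schema before database, but the code adds the database first; keep the two in sync.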
1558 | |
1559 | === added file 'debian/openldap-dit-core.postrm' |
1560 | --- debian/openldap-dit-core.postrm 1970-01-01 00:00:00 +0000 |
1561 | +++ debian/openldap-dit-core.postrm 2010-07-19 21:25:56 +0000 |
1562 | @@ -0,0 +1,15 @@ |
1563 | +#! /bin/sh |
1564 | + |
1565 | +set -e |
1566 | + |
1567 | + . /usr/share/debconf/confmodule |
1568 | + |
1569 | +db_purge |
1570 | + |
1571 | +# dh_installdeb will replace this with shell code automatically |
1572 | +# generated by other debhelper scripts. |
1573 | + |
1574 | +#DEBHELPER# |
1575 | + |
1576 | +exit 0 |
1577 | + |
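Review bot: `db_purge` runs on every postrm action (`remove`, `upgrade`, `failed-upgrade`, `abort-install`, ...), wiping the stored domain and password answers on a plain upgrade; guard it with `if [ "$1" = purge ]`. Source the confmodule only if it exists (`if [ -f /usr/share/debconf/confmodule ]`), because debconf may already have been removed when a purge runs and `set -e` would then abort the script. The `. /usr/share/debconf/confmodule` line also has stray leading whitespace.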
1578 | |
1579 | === added file 'debian/openldap-dit-core.templates' |
1580 | --- debian/openldap-dit-core.templates 1970-01-01 00:00:00 +0000 |
1581 | +++ debian/openldap-dit-core.templates 2010-07-19 21:25:56 +0000 |
1582 | @@ -0,0 +1,28 @@ |
1583 | +Template: openldap-dit-core/domain |
1584 | +Type: string |
1585 | +Description: DNS domain name: |
1586 | + The DNS domain name is used to construct the base DN of the LDAP directory. |
1587 | + For example, 'foo.example.org' will create the directory with |
1588 | + 'dc=foo, dc=example, dc=org' as base DN. |
1589 | + |
1590 | +Template: openldap-dit-core/password1 |
1591 | +Type: password |
1592 | +Description: Administrator password: |
1593 | + Please enter the password for the admin entry in your LDAP directory. |
1594 | + |
1595 | +Template: openldap-dit-core/password2 |
1596 | +Type: password |
1597 | +Description: Confirm password: |
1598 | + Please enter the admin password for your LDAP directory again to verify |
1599 | + that you have typed it correctly. |
1600 | + |
1601 | +Template: openldap-dit-core/password_mismatch |
1602 | +Type: note |
1603 | +Description: Password mismatch |
1604 | + The two passwords you entered were not the same. Please try again. |
1605 | + |
1606 | +Template: openldap-dit-core/internal/adminpw |
1607 | +Type: password |
1608 | +Description: Encrypted admin password: |
1609 | + Internal template, should never be displayed to users. |
1610 | + |
1611 | |
1612 | === added file 'debian/openldap-dit-usersandgroups.dirs' |
1613 | --- debian/openldap-dit-usersandgroups.dirs 1970-01-01 00:00:00 +0000 |
1614 | +++ debian/openldap-dit-usersandgroups.dirs 2010-07-19 21:25:56 +0000 |
1615 | @@ -0,0 +1,1 @@ |
1616 | +usr/share/slapd/openldap-dit/usersandgroups |
1617 | |
1618 | === added file 'debian/openldap-dit-usersandgroups.docs' |
1619 | --- debian/openldap-dit-usersandgroups.docs 1970-01-01 00:00:00 +0000 |
1620 | +++ debian/openldap-dit-usersandgroups.docs 2010-07-19 21:25:56 +0000 |
1621 | @@ -0,0 +1,1 @@ |
1622 | +usersandgroups/README |
1623 | |
1624 | === added file 'debian/openldap-dit-usersandgroups.postinst.in' |
1625 | --- debian/openldap-dit-usersandgroups.postinst.in 1970-01-01 00:00:00 +0000 |
1626 | +++ debian/openldap-dit-usersandgroups.postinst.in 2010-07-19 21:25:56 +0000 |
1627 | @@ -0,0 +1,50 @@ |
1628 | +#!/bin/bash |
1629 | + |
1630 | +myservice="usersandgroups" |
1631 | + |
1632 | +#COMMON-FUNCTIONS# |
1633 | + |
1634 | +# steps: |
1635 | +# - add modules |
1636 | +# - add schema |
1637 | +# - add db + its acls |
1638 | +# - modify frontend acls |
1639 | +# - modify config acls |
1640 | +# - add overlays |
1641 | +# - populate db |
1642 | +# - set password for admin |
1643 | + |
1644 | +check_dit |
1645 | +check_result $? |
1646 | + |
1647 | +echo "Adding modules..." |
1648 | +add_modules |
1649 | +check_result $? |
1650 | + |
1651 | +add_schemas |
1652 | +check_result $? |
1653 | + |
1654 | +add_overlays |
1655 | +check_result $? |
1656 | + |
1657 | +add_indexes |
1658 | +check_result $? |
1659 | + |
1660 | +populate_dit |
1661 | +check_result $? |
1662 | + |
1663 | +modify_acls |
1664 | +check_result $? |
1665 | + |
1666 | +echo |
1667 | +echo "Finished, doing one last restart..." |
1668 | +invoke-rc.d slapd restart |
1669 | +check_result $? |
1670 | + |
1671 | +# dh_installdeb will replace this with shell code automatically |
1672 | +# generated by other debhelper scripts. |
1673 | + |
1674 | +#DEBHELPER# |
1675 | + |
1676 | +exit 0 |
1677 | + |
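Review bot: `check_dit` returns 1 when the core DIT is missing, but because the common functions enable `set -e`, the script aborts at the `check_dit` call itself and the following `check_result $?` (with its "ERROR, aborting" message) never runs; print the diagnosis inside `check_dit` or call it as `check_dit || check_result $?`. The step list is copied from the core script and does not match this one (there is no database step, and `modify_acls` runs last, after `populate_dit`). As in the core postinst, nothing checks `$1`, so a re-run on upgrade repeats the `ldapadd` calls and fails on the existing entries.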
1678 | |
1679 | === added file 'debian/openldap-dit.scripts-common' |
1680 | --- debian/openldap-dit.scripts-common 1970-01-01 00:00:00 +0000 |
1681 | +++ debian/openldap-dit.scripts-common 2010-07-19 21:25:56 +0000 |
1682 | @@ -0,0 +1,217 @@ |
1683 | + |
1684 | +set -e |
1685 | + |
1686 | +. /usr/share/debconf/confmodule |
1687 | + |
1688 | +LDAPWHOAMI="ldapwhoami -H ldapi:/// -Y EXTERNAL -Q" |
1689 | +LDAPADD="ldapadd -H ldapi:/// -Y EXTERNAL -Q" |
1690 | +LDAPMODIFY="ldapmodify -H ldapi:/// -Y EXTERNAL -Q" |
1691 | +LDAPPASSWD="ldappasswd -H ldapi:/// -Y EXTERNAL -Q" |
1692 | +LDAPSEARCH="ldapsearch -H ldapi:/// -Y EXTERNAL -Q -LLL" |
1693 | +LASTACL='olcAccess: to dn.subtree="@SUFFIX@" by * read' |
1694 | + |
1695 | +now=`date +%s` |
1696 | +myfqdn=`hostname -f` |
1697 | +if [ -z "$myfqdn" ]; then |
1698 | + myfqdn="localhost" |
1699 | +fi |
1700 | + |
1701 | +root="/usr/share/slapd/openldap-dit" |
1702 | + |
1703 | +# $1: domain |
1704 | +# returns standard dc=foo,dc=bar suffix on stdout |
1705 | +function calc_suffix() { |
1706 | + old_ifs=${IFS} |
1707 | + IFS="." |
1708 | + for component in $1; do |
1709 | + result="$result,dc=$component" |
1710 | + done |
1711 | + IFS="${old_ifs}" |
1712 | + echo "${result#,}" |
1713 | + return 0 |
1714 | +} |
1715 | + |
1716 | +function check_result() { |
1717 | + if [ "$1" -ne "0" ]; then |
1718 | + echo "ERROR, aborting" |
1719 | + exit 1 |
1720 | + else |
1721 | + echo "Succeeded!" |
1722 | + fi |
1723 | +} |
1724 | + |
1725 | +# $1: descriptive text of what is being added |
1726 | +# $2: directory where the files are |
1727 | +# $3: optional sed expression to use |
1728 | +function add_ldif() { |
1729 | + echo "Adding $2 $1..." |
1730 | + for n in $(ls $2/ | grep "$1"); do |
1731 | + if [ ! -e "$2/$n" ]; then |
1732 | + echo "No additional $1 needed for this service!" |
1733 | + return 0 |
1734 | + fi |
1735 | + if [ -z "$3" ]; then |
1736 | + cat "$2/$n" | $LDAPADD |
1737 | + else |
1738 | + cat "$2/$n" | sed -e "$3" | $LDAPADD |
1739 | + fi |
1740 | + if [ "$?" -ne "0" ]; then |
1741 | + echo "Error using \"$n\", aborting" |
1742 | + exit 1 |
1743 | + fi |
1744 | + done |
1745 | + return 0 |
1746 | +} |
1747 | + |
1748 | +# $1: descriptive text of what is being added |
1749 | +# $2: directory where the files are |
1750 | +function modify_ldif() { |
1751 | + echo "Modifying $2 $1..." |
1752 | + for n in $(ls $2/ | grep "$1"); do |
1753 | + if [ ! -e "$2/$n" ]; then |
1754 | + echo "No additional $1 needed for this service!" |
1755 | + return 0 |
1756 | + fi |
1757 | + if [ -z "$3" ]; then |
1758 | + cat "$2/$n" | $LDAPMODIFY |
1759 | + else |
1760 | + cat "$2/$n" | sed -e "$3" | $LDAPMODIFY |
1761 | + fi |
1762 | + if [ "$?" -ne "0" ]; then |
1763 | + echo "Error using \"$n\", aborting" |
1764 | + return 1 |
1765 | + fi |
1766 | + done |
1767 | + return 0 |
1768 | +} |
1769 | + |
1770 | +# $1: index of last olcAccess attribute. |
1771 | +function remove_last_acl() { |
1772 | +$LDAPMODIFY <<REMOVE |
1773 | +dn: olcDatabase={1}hdb,cn=config |
1774 | +changetype: modify |
1775 | +delete: olcAccess |
1776 | +olcAccess: {$1} |
1777 | +REMOVE |
1778 | +} |
1779 | + |
1780 | +# $1: olcAccess string to be inserted last. |
1781 | +function replace_last_acl() { |
1782 | + # Subfunction used for heredoc ldif. |
1783 | + echo "Replacing ACL..." |
1784 | + replace() { |
1785 | +sed -e "s/{.*}to/to/g" <<ADD |
1786 | +dn: olcDatabase={1}hdb,cn=config |
1787 | +changetype: modify |
1788 | +add: olcAccess |
1789 | +$1 |
1790 | +ADD |
1791 | +} |
1792 | + |
1793 | + replace "$1" | $LDAPMODIFY |
1794 | +} |
1795 | + |
1796 | +function add_database() { |
1797 | + add_ldif "database" "$root/$myservice" "s/@SUFFIX@/$mysuffix/g;" |
1798 | + return 0 |
1799 | +} |
1800 | + |
1801 | +function add_modules() { |
1802 | + if [ $myservice == 'core' ]; then |
1803 | + add_ldif "modules" "$root/$myservice" |
1804 | + return 0 |
1805 | + else |
1806 | + mymodules=`$LDAPSEARCH -b "cn=config" objectClass=olcModuleList dn | egrep -o 'module[{][0123456789][}]'` |
1807 | + modify_ldif "modules" "$root/$myservice" "s/@SUFFIX@/$mysuffix/g;s/@MODULE@/$mymodules/g" |
1808 | + fi |
1809 | +} |
1810 | + |
1811 | +# $1: sub directory containing schema LDIF files. |
1812 | +function add_schemas() { |
1813 | + add_ldif "schema" "$root/$myservice" |
1814 | + return 0 |
1815 | +} |
1816 | + |
1817 | +function modify_acls() { |
1818 | + echo "Modifying ACLs..." |
1819 | + # Find database index number. |
1820 | + mydb=`find_main_db` |
1821 | + |
1822 | + if [ $myservice != "core" ]; then |
1823 | + # Get last olcAccess index number. |
1824 | + indexs=$($LDAPSEARCH -b cn=config olcDatabase=$mydb olcaccess | grep olcAccess -c) |
1825 | + last_index=$(($indexs - 1)) |
1826 | + |
1827 | + # Store the last olcAccess string. |
1828 | + last_olcaccess=$($LDAPSEARCH -b cn=config olcDatabase=$mydb olcaccess | grep -A5 "olcAccess:.*$last_index") |
1829 | + |
1830 | + remove_last_acl $last_index |
1831 | + |
1832 | + modify_ldif "acl" "$root/$myservice" "s/@SUFFIX@/$mysuffix/g;s/@DATABASE@/$mydb/g" |
1833 | + |
1834 | + replace_last_acl "$last_olcaccess" |
1835 | + else |
1836 | + modify_ldif "acl" "$root/$myservice" "s/@SUFFIX@/$mysuffix/g;s/@DATABASE@/$mydb/g" |
1837 | + fi |
1838 | + |
1839 | + return 0 |
1840 | +} |
1841 | + |
1842 | +function add_overlays() { |
1843 | + mydb=`find_main_db` |
1844 | + add_ldif "overlay" "$root/$myservice" "s/@SUFFIX@/$mysuffix/g;s/@DATABASE@/$mydb/g" |
1845 | + return 0 |
1846 | +} |
1847 | + |
1848 | +function add_indexes() { |
1849 | + mydb=`find_main_db` |
1850 | + add_ldif "indexes" "$root/$myservice" "s/@SUFFIX@/$mysuffix/g;s/@DATABASE@/$mydb/g" |
1851 | + return 0 |
1852 | +} |
1853 | + |
1854 | +function populate_dit() { |
1855 | + mydb=`find_main_db` |
1856 | + if [ $myservice == "core" ]; then |
1857 | + # Set the uid="LDAP Admin" password. |
1858 | + db_get openldap-dit-core/internal/adminpw |
1859 | + adminpass="$RET" |
1860 | + add_ldif "dit" "$root/$myservice" "s/@SUFFIX@/$mysuffix/g;s/@DC@/${mydomain%%.[a-zA-Z0-9]*}/g;s/@DOMAIN@/${mydomain}/g;s#@ADMINPASS@#$adminpass#g;s/@DATABASE@/$mydb/g" |
1861 | + else |
1862 | + add_ldif "dit" "$root/$myservice" "s/@SUFFIX@/$mysuffix/g;s/@DC@/${mydomain%%.[a-zA-Z0-9]*}/g;s/@DOMAIN@/${mydomain}/g;s/@DATABASE@/$mydb/g" |
1863 | + fi |
1864 | + return 0 |
1865 | +} |
1866 | + |
1867 | +wipe_admin_pass() { |
1868 | +# Remove passwords after creating the initial ldap database. |
1869 | +# Usage: wipe_admin_pass |
1870 | + db_set openldap-dit-core/password1 "" |
1871 | + db_set openldap-dit-core/password2 "" |
1872 | + db_set openldap-dit-core/internal/adminpw "" |
1873 | +} |
1874 | + |
1875 | +function find_main_db() { |
1876 | + if [ -z `$LDAPSEARCH -b "cn=config" olcSuffix="$mysuffix" dn | egrep -o '[{][0123456789][}]hdb'` ]; then |
1877 | + db='hdb' |
1878 | + else |
1879 | + db=`$LDAPSEARCH -b "cn=config" olcSuffix="$mysuffix" dn | egrep -o '[{][0123456789][}]hdb'` |
1880 | + fi |
1881 | + echo "$db" |
1882 | + return 0 |
1883 | +} |
1884 | + |
1885 | +function check_dit() { |
1886 | + base_dit=$($LDAPSEARCH -b $mysuffix associatedDomain=$mydomain dn 2>&1) |
1887 | + if [ "$base_dit" != "dn: $mysuffix" ]; then |
1888 | + return 1 |
1889 | + fi |
1890 | + |
1891 | +} |
1892 | + |
1893 | +if [ -z "$mydomain" ]; then |
1894 | + db_get openldap-dit-core/domain |
1895 | + mydomain=$RET |
1896 | +fi |
1897 | +mysuffix=`calc_suffix $mydomain` |
1898 | + |
1899 | + |
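Review bot: The error handling in `add_ldif` and `modify_ldif` is dead code under `set -e`: a failing `$LDAPADD`/`$LDAPMODIFY` pipeline terminates the script before `if [ "$?" -ne "0" ]` is reached, and the "No additional $1 needed" branch sits inside a `for n in $(ls $2/ | grep "$1")` loop whose body never executes when nothing matches. Test for matching files before the loop and drop the unreachable `$?` checks, or disable `set -e` around the pipeline. `remove_last_acl` and `replace_last_acl` hard-code `olcDatabase={1}hdb,cn=config` although `find_main_db` exists to discover the index and `modify_acls` already holds it in `$mydb`; pass the database in. Capturing the current last ACL with `grep -A5 "olcAccess:.*$last_index"` truncates any rule longer than six LDIF lines (several of the ACLs removed from `databases/add-hdb.ldif` in this branch are longer) and the pattern matches any rule whose text contains that number anywhere, not only the one indexed `{N}`; select on `^olcAccess: {$last_index}` after unwrapping the LDIF (`ldapsearch -o ldif-wrap=no`, where available). `find_main_db` likewise only matches single-digit indexes (`[{][0123456789][}]hdb`).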
1900 | |
1901 | === added directory 'debian/po' |
1902 | === added file 'debian/po/POTFILES.in' |
1903 | --- debian/po/POTFILES.in 1970-01-01 00:00:00 +0000 |
1904 | +++ debian/po/POTFILES.in 2010-07-19 21:25:56 +0000 |
1905 | @@ -0,0 +1,1 @@ |
1906 | +[type: gettext/rfc822deb] openldap-dit-core.templates |
1907 | |
1908 | === added file 'debian/po/templates.pot' |
1909 | --- debian/po/templates.pot 1970-01-01 00:00:00 +0000 |
1910 | +++ debian/po/templates.pot 2010-07-19 21:25:56 +0000 |
1911 | @@ -0,0 +1,82 @@ |
1912 | +# SOME DESCRIPTIVE TITLE. |
1913 | +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER |
1914 | +# This file is distributed under the same license as the PACKAGE package. |
1915 | +# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR. |
1916 | +# |
1917 | +#, fuzzy |
1918 | +msgid "" |
1919 | +msgstr "" |
1920 | +"Project-Id-Version: PACKAGE VERSION\n" |
1921 | +"Report-Msgid-Bugs-To: openldap-dit@packages.debian.org\n" |
1922 | +"POT-Creation-Date: 2010-06-01 13:33-0400\n" |
1923 | +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" |
1924 | +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" |
1925 | +"Language-Team: LANGUAGE <LL@li.org>\n" |
1926 | +"MIME-Version: 1.0\n" |
1927 | +"Content-Type: text/plain; charset=CHARSET\n" |
1928 | +"Content-Transfer-Encoding: 8bit\n" |
1929 | + |
1930 | +#. Type: string |
1931 | +#. Description |
1932 | +#: ../openldap-dit-core.templates:1001 |
1933 | +msgid "DNS domain name:" |
1934 | +msgstr "" |
1935 | + |
1936 | +#. Type: string |
1937 | +#. Description |
1938 | +#: ../openldap-dit-core.templates:1001 |
1939 | +msgid "" |
1940 | +"The DNS domain name is used to construct the base DN of the LDAP directory. " |
1941 | +"For example, 'foo.example.org' will create the directory with 'dc=foo, " |
1942 | +"dc=example, dc=org' as base DN." |
1943 | +msgstr "" |
1944 | + |
1945 | +#. Type: password |
1946 | +#. Description |
1947 | +#: ../openldap-dit-core.templates:2001 |
1948 | +msgid "Administrator password:" |
1949 | +msgstr "" |
1950 | + |
1951 | +#. Type: password |
1952 | +#. Description |
1953 | +#: ../openldap-dit-core.templates:2001 |
1954 | +msgid "Please enter the password for the admin entry in your LDAP directory." |
1955 | +msgstr "" |
1956 | + |
1957 | +#. Type: password |
1958 | +#. Description |
1959 | +#: ../openldap-dit-core.templates:3001 |
1960 | +msgid "Confirm password:" |
1961 | +msgstr "" |
1962 | + |
1963 | +#. Type: password |
1964 | +#. Description |
1965 | +#: ../openldap-dit-core.templates:3001 |
1966 | +msgid "" |
1967 | +"Please enter the admin password for your LDAP directory again to verify that " |
1968 | +"you have typed it correctly." |
1969 | +msgstr "" |
1970 | + |
1971 | +#. Type: note |
1972 | +#. Description |
1973 | +#: ../openldap-dit-core.templates:4001 |
1974 | +msgid "Password mismatch" |
1975 | +msgstr "" |
1976 | + |
1977 | +#. Type: note |
1978 | +#. Description |
1979 | +#: ../openldap-dit-core.templates:4001 |
1980 | +msgid "The two passwords you entered were not the same. Please try again." |
1981 | +msgstr "" |
1982 | + |
1983 | +#. Type: password |
1984 | +#. Description |
1985 | +#: ../openldap-dit-core.templates:5001 |
1986 | +msgid "Encrypted admin password:" |
1987 | +msgstr "" |
1988 | + |
1989 | +#. Type: password |
1990 | +#. Description |
1991 | +#: ../openldap-dit-core.templates:5001 |
1992 | +msgid "Internal template, should never be displayed to users." |
1993 | +msgstr "" |
1994 | |
1995 | === modified file 'debian/rules' |
1996 | --- debian/rules 2008-06-04 20:49:11 +0000 |
1997 | +++ debian/rules 2010-07-19 21:25:56 +0000 |
1998 | @@ -21,6 +21,8 @@ |
1999 | |
2000 | |
2001 | build: build-stamp |
2002 | + perl -pe 's~#COMMON-FUNCTIONS#~qx{cat debian/openldap-dit.scripts-common}~eg' < debian/openldap-dit-core.postinst.in > debian/openldap-dit-core.postinst |
2003 | + perl -pe 's~#COMMON-FUNCTIONS#~qx{cat debian/openldap-dit.scripts-common}~eg' < debian/openldap-dit-usersandgroups.postinst.in > debian/openldap-dit-usersandgroups.postinst |
2004 | |
2005 | build-stamp: configure-stamp |
2006 | dh_testdir |
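Review bot: the two generated scripts `debian/openldap-dit-core.postinst` and `debian/openldap-dit-usersandgroups.postinst` are written into `debian/` from the `build:` target, but nothing in this hunk removes them again; make sure the `clean` target deletes them so the tree is left as checked out, and that the branch ignores them, otherwise a generated copy can end up committed alongside its `.postinst.in` source. The substitution also has no dependency on `debian/openldap-dit.scripts-common`, so a change to the common functions does not by itself cause a rebuild of the postinst files; expressing the two outputs as make targets depending on the `.in` file and `scripts-common` would fix that and make the `perl -pe 's~#COMMON-FUNCTIONS#~qx{cat ...}~eg'` line run once per build instead of on every `build` invocation.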
2007 | @@ -41,10 +43,12 @@ |
2008 | dh_testdir |
2009 | dh_testroot |
2010 | dh_clean -k |
2011 | - dh_installdirs |
2012 | + dh_installdirs |
2013 | + dh_installdebconf |
2014 | |
2015 | # Add here commands to install the package into debian/openldap-dit. |
2016 | - $(MAKE) DESTDIR=$(CURDIR)/debian/openldap-dit install-ubuntu |
2017 | + $(MAKE) DESTDIR=$(CURDIR)/debian/openldap-dit-core install-core |
2018 | + $(MAKE) DESTDIR=$(CURDIR)/debian/openldap-dit-usersandgroups install-usersandgroups |
2019 | |
2020 | |
2021 | # Build architecture-independent files here. |
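Review bot: the `-	dh_installdirs` / `+	dh_installdirs` pair changes only whitespace; verify that the replacement line still begins with a literal tab, because make rejects recipe lines indented with spaces ("missing separator"), and the diff view here does not distinguish the two. Since this target is being touched anyway, `dh_clean -k` has been deprecated in favour of `dh_prep` since debhelper 7. With two binary packages now installed from one `install` target, calling `dh_installdebconf` here is fine as long as `binary-indep` does not also call it; the hunk below removes only the commented-out copy, so that appears to be the case.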
2022 | @@ -56,7 +60,6 @@ |
2023 | dh_installexamples |
2024 | # dh_install |
2025 | # dh_installmenu |
2026 | -# dh_installdebconf |
2027 | # dh_installlogrotate |
2028 | # dh_installemacsen |
2029 | # dh_installpam |
2030 | |
2031 | === added directory 'debian/source' |
2032 | === added file 'debian/source/format' |
2033 | --- debian/source/format 1970-01-01 00:00:00 +0000 |
2034 | +++ debian/source/format 2010-07-19 21:25:56 +0000 |
2035 | @@ -0,0 +1,1 @@ |
2036 | +3.0 (quilt) |
2037 | |
2038 | === added directory 'dhcp' |
2039 | === added file 'dhcp/dhcp-acl.ldif' |
2040 | --- dhcp/dhcp-acl.ldif 1970-01-01 00:00:00 +0000 |
2041 | +++ dhcp/dhcp-acl.ldif 2010-07-19 21:25:56 +0000 |
2042 | @@ -0,0 +1,21 @@ |
2043 | +dn: olcDatabase={1}hdb,cn=config |
2044 | +changetype: modify |
2045 | +add: olcDbIndex |
2046 | +olcDbIndex: dhcpClassData eq |
2047 | +- |
2048 | +add: olcDbIndex |
2049 | +olcDbIndex: dhcpHWAddress eq |
2050 | +- |
2051 | +delete: olcAccess |
2052 | +olcAccess: to dn.subtree="@SUFFIX@" by * read |
2053 | +- |
2054 | +add: olcAccess |
2055 | +olcAccess: to dn.subtree="ou=dhcp,@SUFFIX@" |
2056 | + attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool, |
2057 | + @dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog |
2058 | + by group/groupOfMembers/member.exact="cn=dhcp admins,ou=system groups,@SUFFIX@" write |
2059 | + by group/groupOfMembers/member.exact="cn=dhcp readers,ou=system groups,@SUFFIX@" read |
2060 | + by * read |
2061 | +- |
2062 | +add: olcAccess |
2063 | +olcAccess: to dn.subtree="@SUFFIX@" by * read |
2064 | |
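Review bot: the trailing `by * read` in the new `ou=dhcp` subtree rule makes the `cn=dhcp readers` clause above it a no-op and leaves `dhcpHWAddress`, `dhcpLeases` and `dhcpLog` data readable by anonymous binds; the sibling dns-acl.ldif ends its subtree rule with `by * none`, and lease and MAC address data is at least as sensitive as zone data. If the DHCP server is meant to bind as `uid=DHCP Reader`, `by * none` is the consistent choice (or `by users read` if authenticated directory users should still see it). The target `dn: olcDatabase={1}hdb,cn=config` is hard-coded even though scripts-common introduces `find_main_db` to discover the index and the `dit` LDIF is fed a `@DATABASE@` substitution; use the placeholder here too, or the ACL lands on the wrong database whenever the main database is not `{1}`. The `delete: olcAccess` of the exact catch-all value followed by re-adding it preserves rule order, but only succeeds while that rule is still present in exactly that form, so document the expectation in the file.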
2065 | === added file 'dhcp/dhcp-dit.ldif' |
2066 | --- dhcp/dhcp-dit.ldif 1970-01-01 00:00:00 +0000 |
2067 | +++ dhcp/dhcp-dit.ldif 2010-07-19 21:25:56 +0000 |
2068 | @@ -0,0 +1,33 @@ |
2069 | +dn: ou=dhcp,@SUFFIX@ |
2070 | +ou: dhcp |
2071 | +objectClass: organizationalUnit |
2072 | +description: Container for DHCP related entries |
2073 | + |
2074 | +dn: uid=DHCP Admin,ou=System Accounts,@SUFFIX@ |
2075 | +uid: DHCP Admin |
2076 | +objectClass: account |
2077 | +objectClass: simpleSecurityObject |
2078 | +userPassword: {CRYPT}x |
2079 | +description: Account used to administer DHCP related entries and attributes |
2080 | + |
2081 | +dn: uid=DHCP Reader,ou=System Accounts,@SUFFIX@ |
2082 | +uid: DHCP Reader |
2083 | +objectClass: account |
2084 | +objectClass: simpleSecurityObject |
2085 | +userPassword: {CRYPT}x |
2086 | +description: Account used to read entries and attributes under ou=dhcp |
2087 | + |
2088 | +dn: cn=DHCP Admins,ou=System Groups,@SUFFIX@ |
2089 | +cn: DHCP Admins |
2090 | +objectClass: groupOfMembers |
2091 | +description: Members can administer ou=DHCP entries and attributes |
2092 | +owner: uid=DHCP Admin,ou=System Accounts,@SUFFIX@ |
2093 | +member: uid=DHCP Admin,ou=System Accounts,@SUFFIX@ |
2094 | + |
2095 | +dn: cn=DHCP Readers,ou=System Groups,@SUFFIX@ |
2096 | +cn: DHCP Readers |
2097 | +objectClass: groupOfMembers |
2098 | +description: Members can read entries and attributes under ou=dhcp |
2099 | +owner: uid=DHCP Admin,ou=System Accounts,@SUFFIX@ |
2100 | +member: uid=DHCP Reader,ou=System Accounts,@SUFFIX@ |
2101 | + |
2102 | |
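Review bot: `userPassword: {CRYPT}x` on `uid=DHCP Admin` and `uid=DHCP Reader` is a deliberately unusable hash (no crypt(3) output is a single character), so both accounts are locked until something sets a real password, yet the file carries no comment saying so and none of the hunks shown here do it. Either document in README how the administrator (or the DHCP server's own postinst) is expected to set these passwords, or have the postinst generate one for the reader account, since dhcp-acl.ldif is written around these accounts. The entries also assume `ou=System Accounts` and `ou=System Groups` already exist under `@SUFFIX@`; state that dependency on the core package in a header comment, because `ldapadd` of this LDIF fails with noSuchObject otherwise.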
2103 | === added file 'dhcp/dhcp-schema.ldif' |
2104 | --- dhcp/dhcp-schema.ldif 1970-01-01 00:00:00 +0000 |
2105 | +++ dhcp/dhcp-schema.ldif 2010-07-19 21:25:56 +0000 |
2106 | @@ -0,0 +1,224 @@ |
2107 | +dn: cn=dhcp,cn=schema,cn=config |
2108 | +objectClass: olcSchemaConfig |
2109 | +cn: dhcp |
2110 | +olcAttributeTypes: {0}( 2.16.840.1.113719.1.203.4.1 NAME 'dhcpPrimaryDN' DESC |
2111 | + 'The DN of the dhcpServer which is the primary server for the configuration.' |
2112 | + EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE- |
2113 | + VALUE ) |
2114 | +olcAttributeTypes: {1}( 2.16.840.1.113719.1.203.4.2 NAME 'dhcpSecondaryDN' DES |
2115 | + C 'The DN of dhcpServer(s) which provide backup service for the configuration |
2116 | + .' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) |
2117 | +olcAttributeTypes: {2}( 2.16.840.1.113719.1.203.4.3 NAME 'dhcpStatements' DESC |
2118 | + 'Flexible storage for specific data depending on what object this exists in. |
2119 | + Like conditional statements, server parameters, etc. This allows the standar |
2120 | + d to evolve without needing to adjust the schema.' EQUALITY caseIgnoreIA5Matc |
2121 | + h SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
2122 | +olcAttributeTypes: {3}( 2.16.840.1.113719.1.203.4.4 NAME 'dhcpRange' DESC 'The |
2123 | + starting & ending IP Addresses in the range (inclusive), separated by a hyph |
2124 | + en; if the range only contains one address, then just the address can be spec |
2125 | + ified with no hyphen. Each range is defined as a separate value.' EQUALITY c |
2126 | + aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
2127 | +olcAttributeTypes: {4}( 2.16.840.1.113719.1.203.4.5 NAME 'dhcpPermitList' DESC |
2128 | + 'This attribute contains the permit lists associated with a pool. Each permi |
2129 | + t list is defined as a separate value.' EQUALITY caseIgnoreIA5Match SYNTAX 1. |
2130 | + 3.6.1.4.1.1466.115.121.1.26 ) |
2131 | +olcAttributeTypes: {5}( 2.16.840.1.113719.1.203.4.6 NAME 'dhcpNetMask' DESC 'T |
2132 | + he subnet mask length for the subnet. The mask can be easily computed from t |
2133 | + his length.' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGL |
2134 | + E-VALUE ) |
2135 | +olcAttributeTypes: {6}( 2.16.840.1.113719.1.203.4.7 NAME 'dhcpOption' DESC 'En |
2136 | + coded option values to be sent to clients. Each value represents a single op |
2137 | + tion and contains (OptionTag, Length, OptionValue) encoded in the format used |
2138 | + by DHCP.' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
2139 | +olcAttributeTypes: {7}( 2.16.840.1.113719.1.203.4.8 NAME 'dhcpClassData' DESC |
2140 | + 'Encoded text string or list of bytes expressed in hexadecimal, separated by |
2141 | + colons. Clients match subclasses based on matching the class data with the r |
2142 | + esults of match or spawn with statements in the class name declarations.' EQU |
2143 | + ALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
2144 | +olcAttributeTypes: {8}( 2.16.840.1.113719.1.203.4.9 NAME 'dhcpOptionsDN' DESC |
2145 | + 'The distinguished name(s) of the dhcpOption objects containing the configura |
2146 | + tion options provided by the server.' EQUALITY distinguishedNameMatch SYNTAX |
2147 | + 1.3.6.1.4.1.1466.115.121.1.12 ) |
2148 | +olcAttributeTypes: {9}( 2.16.840.1.113719.1.203.4.10 NAME 'dhcpHostDN' DESC 't |
2149 | + he distinguished name(s) of the dhcpHost objects.' EQUALITY distinguishedName |
2150 | + Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) |
2151 | +olcAttributeTypes: {10}( 2.16.840.1.113719.1.203.4.11 NAME 'dhcpPoolDN' DESC ' |
2152 | + The distinguished name(s) of pools.' EQUALITY distinguishedNameMatch SYNTAX 1 |
2153 | + .3.6.1.4.1.1466.115.121.1.12 ) |
2154 | +olcAttributeTypes: {11}( 2.16.840.1.113719.1.203.4.12 NAME 'dhcpGroupDN' DESC |
2155 | + 'The distinguished name(s) of the groups.' EQUALITY distinguishedNameMatch |
2156 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) |
2157 | +olcAttributeTypes: {12}( 2.16.840.1.113719.1.203.4.13 NAME 'dhcpSubnetDN' DESC |
2158 | + 'The distinguished name(s) of the subnets.' EQUALITY distinguishedNameMatch |
2159 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) |
2160 | +olcAttributeTypes: {13}( 2.16.840.1.113719.1.203.4.14 NAME 'dhcpLeaseDN' DESC |
2161 | + 'The distinguished name of a client address.' EQUALITY distinguishedNameMatch |
2162 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) |
2163 | +olcAttributeTypes: {14}( 2.16.840.1.113719.1.203.4.15 NAME 'dhcpLeasesDN' DESC |
2164 | + 'The distinguished name(s) client addresses.' EQUALITY distinguishedNameMatc |
2165 | + h SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) |
2166 | +olcAttributeTypes: {15}( 2.16.840.1.113719.1.203.4.16 NAME 'dhcpClassesDN' DES |
2167 | + C 'The distinguished name(s) of a class(es) in a subclass.' EQUALITY distingu |
2168 | + ishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) |
2169 | +olcAttributeTypes: {16}( 2.16.840.1.113719.1.203.4.17 NAME 'dhcpSubclassesDN' |
2170 | + DESC 'The distinguished name(s) of subclass(es).' EQUALITY distinguishedNameM |
2171 | + atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) |
2172 | +olcAttributeTypes: {17}( 2.16.840.1.113719.1.203.4.18 NAME 'dhcpSharedNetworkD |
2173 | + N' DESC 'The distinguished name(s) of sharedNetworks.' EQUALITY distinguished |
2174 | + NameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) |
2175 | +olcAttributeTypes: {18}( 2.16.840.1.113719.1.203.4.19 NAME 'dhcpServiceDN' DES |
2176 | + C 'The DN of dhcpService object(s)which contain the configuration information |
2177 | + . Each dhcpServer object has this attribute identifying the DHCP configuratio |
2178 | + n(s) that the server is associated with.' EQUALITY distinguishedNameMatch SYN |
2179 | + TAX 1.3.6.1.4.1.1466.115.121.1.12 ) |
2180 | +olcAttributeTypes: {19}( 2.16.840.1.113719.1.203.4.20 NAME 'dhcpVersion' DESC |
2181 | + 'The version attribute of this object.' EQUALITY caseIgnoreIA5Match SYNTAX 1. |
2182 | + 3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
2183 | +olcAttributeTypes: {20}( 2.16.840.1.113719.1.203.4.21 NAME 'dhcpImplementation |
2184 | + ' DESC 'Description of the DHCP Server implementation e.g. DHCP Servers vendo |
2185 | + r.' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-V |
2186 | + ALUE ) |
2187 | +olcAttributeTypes: {21}( 2.16.840.1.113719.1.203.4.22 NAME 'dhcpAddressState' |
2188 | + DESC 'This stores information about the current binding-status of an address. |
2189 | + For dynamic addresses managed by DHCP, the values should be restricted to t |
2190 | + he following: "FREE", "ACTIVE", "EXPIRED", "RELEASED", "RESET", "ABANDONED", |
2191 | + "BACKUP". For other addresses, it SHOULD be one of the following: "UNKNOWN", |
2192 | + "RESERVED" (an address that is managed by DHCP that is reserved for a specif |
2193 | + ic client), "RESERVED-ACTIVE" (same as reserved, but address is currently in |
2194 | + use), "ASSIGNED" (assigned manually or by some other mechanism), "UNASSIGNED" |
2195 | + , "NOTASSIGNABLE".' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1 |
2196 | + 21.1.26 SINGLE-VALUE ) |
2197 | +olcAttributeTypes: {22}( 2.16.840.1.113719.1.203.4.23 NAME 'dhcpExpirationTime |
2198 | + ' DESC 'This is the time the current lease for an address expires.' EQUALITY |
2199 | + generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) |
2200 | +olcAttributeTypes: {23}( 2.16.840.1.113719.1.203.4.24 NAME 'dhcpStartTimeOfSta |
2201 | + te' DESC 'This is the time of the last state change for a leased address.' EQ |
2202 | + UALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE |
2203 | + ) |
2204 | +olcAttributeTypes: {24}( 2.16.840.1.113719.1.203.4.25 NAME 'dhcpLastTransactio |
2205 | + nTime' DESC 'This is the last time a valid DHCP packet was received from the |
2206 | + client.' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 S |
2207 | + INGLE-VALUE ) |
2208 | +olcAttributeTypes: {25}( 2.16.840.1.113719.1.203.4.26 NAME 'dhcpBootpFlag' DES |
2209 | + C 'This indicates whether the address was assigned via BOOTP.' EQUALITY boole |
2210 | + anMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) |
2211 | +olcAttributeTypes: {26}( 2.16.840.1.113719.1.203.4.27 NAME 'dhcpDomainName' DE |
2212 | + SC 'This is the name of the domain sent to the client by the server. It is e |
2213 | + ssentially the same as the value for DHCP option 15 sent to the client, and r |
2214 | + epresents only the domain - not the full FQDN. To obtain the full FQDN assig |
2215 | + ned to the client you must prepend the "dhcpAssignedHostName" to this value w |
2216 | + ith a ".".' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 |
2217 | + SINGLE-VALUE ) |
2218 | +olcAttributeTypes: {27}( 2.16.840.1.113719.1.203.4.28 NAME 'dhcpDnsStatus' DES |
2219 | + C 'This indicates the status of updating DNS resource records on behalf of th |
2220 | + e client by the DHCP server for this address. The value is a 16-bit bitmask. |
2221 | + ' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) |
2222 | +olcAttributeTypes: {28}( 2.16.840.1.113719.1.203.4.29 NAME 'dhcpRequestedHostN |
2223 | + ame' DESC 'This is the hostname that was requested by the client.' EQUALITY c |
2224 | + aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
2225 | +olcAttributeTypes: {29}( 2.16.840.1.113719.1.203.4.30 NAME 'dhcpAssignedHostNa |
2226 | + me' DESC 'This is the actual hostname that was assigned to a client. It may n |
2227 | + ot be the name that was requested by the client. The fully qualified domain |
2228 | + name can be determined by appending the value of "dhcpDomainName" (with a dot |
2229 | + separator) to this name.' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.146 |
2230 | + 6.115.121.1.26 SINGLE-VALUE ) |
2231 | +olcAttributeTypes: {30}( 2.16.840.1.113719.1.203.4.31 NAME 'dhcpReservedForCli |
2232 | + ent' DESC 'The distinguished name of a "dhcpClient" that an address is reserv |
2233 | + ed for. This may not be the same as the "dhcpAssignedToClient" attribute if |
2234 | + the address is being reassigned but the current lease has not yet expired.' E |
2235 | + QUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VA |
2236 | + LUE ) |
2237 | +olcAttributeTypes: {31}( 2.16.840.1.113719.1.203.4.32 NAME 'dhcpAssignedToClie |
2238 | + nt' DESC 'This is the distinguished name of a "dhcpClient" that an address is |
2239 | + currently assigned to. This attribute is only present in the class when the |
2240 | + address is leased.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466. |
2241 | + 115.121.1.12 SINGLE-VALUE ) |
2242 | +olcAttributeTypes: {32}( 2.16.840.1.113719.1.203.4.33 NAME 'dhcpRelayAgentInfo |
2243 | + ' DESC 'If the client request was received via a relay agent, this contains i |
2244 | + nformation about the relay agent that was available from the DHCP request. T |
2245 | + his is a hex-encoded option value.' EQUALITY octetStringMatch SYNTAX 1.3.6.1. |
2246 | + 4.1.1466.115.121.1.40 SINGLE-VALUE ) |
2247 | +olcAttributeTypes: {33}( 2.16.840.1.113719.1.203.4.34 NAME 'dhcpHWAddress' DES |
2248 | + C 'The clients hardware address that requested this IP address.' EQUALITY oct |
2249 | + etStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) |
2250 | +olcAttributeTypes: {34}( 2.16.840.1.113719.1.203.4.35 NAME 'dhcpHashBucketAssi |
2251 | + gnment' DESC 'HashBucketAssignment bit map for the DHCP Server, as defined in |
2252 | + DHC Load Balancing Algorithm [RFC 3074].' EQUALITY octetStringMatch SYNTAX 1 |
2253 | + .3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) |
2254 | +olcAttributeTypes: {35}( 2.16.840.1.113719.1.203.4.36 NAME 'dhcpDelayedService |
2255 | + Parameter' DESC 'Delay in seconds corresponding to Delayed Service Parameter |
2256 | + configuration, as defined in DHC Load Balancing Algorithm [RFC 3074]. ' EQUA |
2257 | + LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) |
2258 | +olcAttributeTypes: {36}( 2.16.840.1.113719.1.203.4.37 NAME 'dhcpMaxClientLeadT |
2259 | + ime' DESC 'Maximum Client Lead Time configuration in seconds, as defined in D |
2260 | + HCP Failover Protocol [FAILOVR]' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.146 |
2261 | + 6.115.121.1.27 SINGLE-VALUE ) |
2262 | +olcAttributeTypes: {37}( 2.16.840.1.113719.1.203.4.38 NAME 'dhcpFailOverEndpoi |
2263 | + ntState' DESC 'Server (Failover Endpoint) state, as defined in DHCP Failover |
2264 | + Protocol [FAILOVR]' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1 |
2265 | + 21.1.26 SINGLE-VALUE ) |
2266 | +olcAttributeTypes: {38}( 2.16.840.1.113719.1.203.4.39 NAME 'dhcpErrorLog' DESC |
2267 | + 'Generic error log attribute that allows logging error conditions within a d |
2268 | + hcpService or a dhcpSubnet, like no IP addresses available for lease.' EQUALI |
2269 | + TY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
2270 | +olcObjectClasses: {0}( 2.16.840.1.113719.1.203.6.1 NAME 'dhcpService' DESC 'Se |
2271 | + rvice object that represents the actual DHCP Service configuration. This is a |
2272 | + container object.' SUP top STRUCTURAL MUST ( cn $ dhcpPrimaryDN ) MAY ( dhcp |
2273 | + SecondaryDN $ dhcpSharedNetworkDN $ dhcpSubnetDN $ dhcpGroupDN $ dhcpHostDN $ |
2274 | + dhcpClassesDN $ dhcpOptionsDN $ dhcpStatements ) ) |
2275 | +olcObjectClasses: {1}( 2.16.840.1.113719.1.203.6.2 NAME 'dhcpSharedNetwork' DE |
2276 | + SC 'This stores configuration information for a shared network.' SUP top STRU |
2277 | + CTURAL MUST cn MAY ( dhcpSubnetDN $ dhcpPoolDN $ dhcpOptionsDN $ dhcpStatemen |
2278 | + ts ) X-NDS_CONTAINMENT 'dhcpService' ) |
2279 | +olcObjectClasses: {2}( 2.16.840.1.113719.1.203.6.3 NAME 'dhcpSubnet' DESC 'Thi |
2280 | + s class defines a subnet. This is a container object.' SUP top STRUCTURAL MUS |
2281 | + T ( cn $ dhcpNetMask ) MAY ( dhcpRange $ dhcpPoolDN $ dhcpGroupDN $ dhcpHostD |
2282 | + N $ dhcpClassesDN $ dhcpLeasesDN $ dhcpOptionsDN $ dhcpStatements ) X-NDS_CON |
2283 | + TAINMENT ( 'dhcpService' 'dhcpSharedNetwork' ) ) |
2284 | +olcObjectClasses: {3}( 2.16.840.1.113719.1.203.6.4 NAME 'dhcpPool' DESC 'This |
2285 | + stores configuration information about a pool.' SUP top STRUCTURAL MUST ( cn |
2286 | + $ dhcpRange ) MAY ( dhcpClassesDN $ dhcpPermitList $ dhcpLeasesDN $ dhcpOptio |
2287 | + nsDN $ dhcpStatements ) X-NDS_CONTAINMENT ( 'dhcpSubnet' 'dhcpSharedNetwork' |
2288 | + ) ) |
2289 | +olcObjectClasses: {4}( 2.16.840.1.113719.1.203.6.5 NAME 'dhcpGroup' DESC 'Grou |
2290 | + p object that lists host DNs and parameters. This is a container object.' SUP |
2291 | + top STRUCTURAL MUST cn MAY ( dhcpHostDN $ dhcpOptionsDN $ dhcpStatements ) X |
2292 | + -NDS_CONTAINMENT ( 'dhcpSubnet' 'dhcpService' ) ) |
2293 | +olcObjectClasses: {5}( 2.16.840.1.113719.1.203.6.6 NAME 'dhcpHost' DESC 'This |
2294 | + represents information about a particular client' SUP top STRUCTURAL MUST cn |
2295 | + MAY ( dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements ) X-NDS_CO |
2296 | + NTAINMENT ( 'dhcpService' 'dhcpSubnet' 'dhcpGroup' ) ) |
2297 | +olcObjectClasses: {6}( 2.16.840.1.113719.1.203.6.7 NAME 'dhcpClass' DESC 'Repr |
2298 | + esents information about a collection of related clients.' SUP top STRUCTURAL |
2299 | + MUST cn MAY ( dhcpSubClassesDN $ dhcpOptionsDN $ dhcpStatements ) X-NDS_CONT |
2300 | + AINMENT ( 'dhcpService' 'dhcpSubnet' ) ) |
2301 | +olcObjectClasses: {7}( 2.16.840.1.113719.1.203.6.8 NAME 'dhcpSubClass' DESC 'R |
2302 | + epresents information about a collection of related classes.' SUP top STRUCTU |
2303 | + RAL MUST cn MAY ( dhcpClassData $ dhcpOptionsDN $ dhcpStatements ) X-NDS_CONT |
2304 | + AINMENT 'dhcpClass' ) |
2305 | +olcObjectClasses: {8}( 2.16.840.1.113719.1.203.6.9 NAME 'dhcpOptions' DESC 'Re |
2306 | + presents information about a collection of options defined.' SUP top AUXILIAR |
2307 | + Y MUST cn MAY dhcpOption X-NDS_CONTAINMENT ( 'dhcpService' 'dhcpSharedNetwork |
2308 | + ' 'dhcpSubnet' 'dhcpPool' 'dhcpGroup' 'dhcpHost' 'dhcpClass' ) ) |
2309 | +olcObjectClasses: {9}( 2.16.840.1.113719.1.203.6.10 NAME 'dhcpLeases' DESC 'Th |
2310 | + is class represents an IP Address, which may or may not have been leased.' SU |
2311 | + P top STRUCTURAL MUST ( cn $ dhcpAddressState ) MAY ( dhcpExpirationTime $ dh |
2312 | + cpStartTimeOfState $ dhcpLastTransactionTime $ dhcpBootpFlag $ dhcpDomainName |
2313 | + $ dhcpDnsStatus $ dhcpRequestedHostName $ dhcpAssignedHostName $ dhcpReserve |
2314 | + dForClient $ dhcpAssignedToClient $ dhcpRelayAgentInfo $ dhcpHWAddress ) X-ND |
2315 | + S_CONTAINMENT ( 'dhcpService' 'dhcpSubnet' 'dhcpPool' ) ) |
2316 | +olcObjectClasses: {10}( 2.16.840.1.113719.1.203.6.11 NAME 'dhcpLog' DESC 'This |
2317 | + is the object that holds past information about the IP address. The cn is th |
2318 | + e time/date stamp when the address was assigned or released, the address stat |
2319 | + e at the time, if the address was assigned or released.' SUP top STRUCTURAL M |
2320 | + UST cn MAY ( dhcpAddressState $ dhcpExpirationTime $ dhcpStartTimeOfState $ d |
2321 | + hcpLastTransactionTime $ dhcpBootpFlag $ dhcpDomainName $ dhcpDnsStatus $ dhc |
2322 | + pRequestedHostName $ dhcpAssignedHostName $ dhcpReservedForClient $ dhcpAssig |
2323 | + nedToClient $ dhcpRelayAgentInfo $ dhcpHWAddress $ dhcpErrorLog ) X-NDS_CONTA |
2324 | + INMENT ( 'dhcpLeases' 'dhcpPool' 'dhcpSubnet' 'dhcpSharedNetwork' 'dhcpServic |
2325 | + e' ) ) |
2326 | +olcObjectClasses: {11}( 2.16.840.1.113719.1.203.6.12 NAME 'dhcpServer' DESC 'D |
2327 | + HCP Server Object' SUP top STRUCTURAL MUST ( cn $ dhcpServiceDN ) MAY ( dhcpV |
2328 | + ersion $ dhcpImplementation $ dhcpHashBucketAssignment $ dhcpDelayedServicePa |
2329 | + rameter $ dhcpMaxClientLeadTime $ dhcpFailOverEndpointState $ dhcpStatements |
2330 | + ) X-NDS_CONTAINMENT ( 'o' 'ou' 'dc' ) ) |
2331 | |
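Review bot: this is the Novell/ISC DHCP schema (OID arc 2.16.840.1.113719) converted to cn=config form, but the file records neither the upstream source nor the version it was converted from; add that as a `#` comment or in README so the two can be diffed when upstream changes. `dhcpHWAddress` is defined with `octetStringMatch` and SYNTAX 1.3.6.1.4.1.1466.115.121.1.40, which compares byte-exact and case-sensitive, and dhcp-acl.ldif adds an `eq` index on it; confirm that the DHCP server writes the value in one canonical form (consistent hex case and separator), otherwise indexed lookups will miss entries that a human would consider equal. The `X-NDS_CONTAINMENT` extensions are eDirectory-specific and ignored by slapd, which is harmless but worth a one-line comment so nobody expects slapd to enforce the containment rules.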
2332 | === added directory 'dns' |
2333 | === added file 'dns/dns-acl.ldif' |
2334 | --- dns/dns-acl.ldif 1970-01-01 00:00:00 +0000 |
2335 | +++ dns/dns-acl.ldif 2010-07-19 21:25:56 +0000 |
2336 | @@ -0,0 +1,26 @@ |
2337 | +dn: olcDatabase={1}hdb,cn=config |
2338 | +changetype: modify |
2339 | +add: olcDbIndex |
2340 | +olcDbIndex: zoneName eq |
2341 | +- |
2342 | +add: olcDbIndex |
2343 | +olcDbIndex: relativeDomainName eq |
2344 | +- |
2345 | +delete: olcAccess |
2346 | +olcAccess: to dn.subtree="@SUFFIX@" by * read |
2347 | +- |
2348 | +add: olcAccess |
2349 | +olcAccess: to dn.base="ou=dns,@SUFFIX@" |
2350 | + attrs=entry,@extensibleObject |
2351 | + by group/groupOfMembers/member.exact="cn=dns admins,ou=system groups,@SUFFIX@" write |
2352 | + by * read |
2353 | +- |
2354 | +add: olcAccess |
2355 | +olcAccess: to dn.subtree="ou=dns,@SUFFIX@" |
2356 | + attrs=children,entry,@dNSZone |
2357 | + by group/groupOfMembers/member.exact="cn=dns admins,ou=system groups,@SUFFIX@" write |
2358 | + by group/groupOfMembers/member.exact="cn=dns readers,ou=system groups,@SUFFIX@" read |
2359 | + by * none |
2360 | +- |
2361 | +add: olcAccess |
2362 | +olcAccess: to dn.subtree="@SUFFIX@" by * read |
2363 | |
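Review bot: the modify record is not idempotent: a second run of `add: olcDbIndex` for `zoneName eq` fails with attributeOrValueExists and, because all changes in one LDIF record are applied as a single atomic modify, the ACL changes are rolled back with it; likewise `delete: olcAccess` fails with noSuchAttribute if the catch-all rule is no longer present in exactly this form. Guard the postinst with a search for the index and ACL before applying, or split indexes and ACLs into separate records so an index that already exists does not block an ACL fix. On the rules themselves: `attrs=entry,@extensibleObject` on the base entry grants dns admins write to every user attribute of `ou=dns`, more than the `ou` and `description` they need; and since the subtree rule ends in `by * none`, the name server itself must bind as `uid=DNS Reader` (or as a member of `cn=dns readers`) to see any dNSZone data, which README should state explicitly. The hard-coded `olcDatabase={1}hdb` has the same problem as in dhcp-acl.ldif and should use the `@DATABASE@` placeholder.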
2364 | === added file 'dns/dns-dit.ldif' |
2365 | --- dns/dns-dit.ldif 1970-01-01 00:00:00 +0000 |
2366 | +++ dns/dns-dit.ldif 2010-07-19 21:25:56 +0000 |
2367 | @@ -0,0 +1,33 @@ |
2368 | +dn: ou=dns,@SUFFIX@ |
2369 | +ou: dns |
2370 | +objectClass: organizationalUnit |
2371 | +description: Container for DNS related entries |
2372 | + |
2373 | +dn: uid=DNS Admin,ou=System Accounts,@SUFFIX@ |
2374 | +uid: DNS Admin |
2375 | +objectClass: account |
2376 | +objectClass: simpleSecurityObject |
2377 | +userPassword: {CRYPT}x |
2378 | +description: Account used to administer DNS related entries and attributes |
2379 | + |
2380 | +dn: uid=DNS Reader,ou=System Accounts,@SUFFIX@ |
2381 | +uid: DNS Reader |
2382 | +objectClass: account |
2383 | +objectClass: simpleSecurityObject |
2384 | +userPassword: {CRYPT}x |
2385 | +description: Account used to read entries and attributes under ou=dns |
2386 | + |
2387 | +dn: cn=DNS Admins,ou=System Groups,@SUFFIX@ |
2388 | +cn: DNS Admins |
2389 | +objectClass: groupOfMembers |
2390 | +description: Members can administer ou=DNS entries and attributes |
2391 | +owner: uid=DNS Admin,ou=System Accounts,@SUFFIX@ |
2392 | +member: uid=DNS Admin,ou=System Accounts,@SUFFIX@ |
2393 | + |
2394 | +dn: cn=DNS Readers,ou=System Groups,@SUFFIX@ |
2395 | +cn: DNS Readers |
2396 | +objectClass: groupOfMembers |
2397 | +description: Members can read entries and attributes under ou=dns |
2398 | +owner: uid=DNS Admin,ou=System Accounts,@SUFFIX@ |
2399 | +member: uid=DNS Reader,ou=System Accounts,@SUFFIX@ |
2400 | + |
2401 | |
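Review bot: because dns-acl.ldif denies anonymous reads of dNSZone entries (`by * none`), the `uid=DNS Reader` account created here is the only non-admin identity that can serve zone data, yet it is created with the unusable `userPassword: {CRYPT}x` and nothing in the hunks shown sets a real credential; a name server configured to use this DIT cannot read a single record until an administrator intervenes, so either the postinst must set and store a reader password or README must give the exact steps. The file is otherwise a copy of dhcp-dit.ldif with `DHCP` replaced by `DNS`; a `@SERVICE@` placeholder fed through the same sed expression that handles `@SUFFIX@` would let one template produce both and keep the account and group naming from drifting.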
2402 | === added file 'dns/dnszone-schema.ldif' |
2403 | --- dns/dnszone-schema.ldif 1970-01-01 00:00:00 +0000 |
2404 | +++ dns/dnszone-schema.ldif 2010-07-19 21:25:56 +0000 |
2405 | @@ -0,0 +1,67 @@ |
2406 | +dn: cn=dnszone,cn=schema,cn=config |
2407 | +objectClass: olcSchemaConfig |
2408 | +cn: dnszone |
2409 | +olcAttributeTypes: {0}( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL' DESC 'An integer |
2410 | + denoting time to live' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121 |
2411 | + .1.27 ) |
2412 | +olcAttributeTypes: {1}( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass' DESC 'The clas |
2413 | + s of a resource record' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.1 |
2414 | + 15.121.1.26 ) |
2415 | +olcAttributeTypes: {2}( 1.3.6.1.4.1.2428.20.0.2 NAME 'zoneName' DESC 'The name |
2416 | + of a zone, i.e. the name of the highest node in the zone' EQUALITY caseIgnor |
2417 | + eIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121 |
2418 | + .1.26 ) |
2419 | +olcAttributeTypes: {3}( 1.3.6.1.4.1.2428.20.0.3 NAME 'relativeDomainName' DESC |
2420 | + 'The starting labels of a domain name' EQUALITY caseIgnoreIA5Match SUBSTR ca |
2421 | + seIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
2422 | +olcAttributeTypes: {4}( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord' DESC 'domain |
2423 | + name pointer, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subs |
2424 | + tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
2425 | +olcAttributeTypes: {5}( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord' DESC 'host |
2426 | + information, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subst |
2427 | + ringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
2428 | +olcAttributeTypes: {6}( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord' DESC 'mail |
2429 | + box or mail list information, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR ca |
2430 | + seIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
2431 | +olcAttributeTypes: {7}( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord' DESC 'text s |
2432 | + tring, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMa |
2433 | + tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
2434 | +olcAttributeTypes: {8}( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord' DESC 'Signat |
2435 | + ure, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatc |
2436 | + h SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
2437 | +olcAttributeTypes: {9}( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord' DESC 'Key, R |
2438 | + FC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNT |
2439 | + AX 1.3.6.1.4.1.1466.115.121.1.26 ) |
2440 | +olcAttributeTypes: {10}( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord' DESC 'IPv6 |
2441 | + address, RFC 1886' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substring |
2442 | + sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
2443 | +olcAttributeTypes: {11}( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord' DESC 'Locat |
2444 | + ion, RFC 1876' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatc |
2445 | + h SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
2446 | +olcAttributeTypes: {12}( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord' DESC 'non-e |
2447 | + xistant, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substrings |
2448 | + Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
2449 | +olcAttributeTypes: {13}( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord' DESC 'servi |
2450 | + ce location, RFC 2782' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substr |
2451 | + ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
2452 | +olcAttributeTypes: {14}( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord' DESC 'Nam |
2453 | + ing Authority Pointer, RFC 2915' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnor |
2454 | + eIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
2455 | +olcAttributeTypes: {15}( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord' DESC 'Key Ex |
2456 | + change Delegation, RFC 2230' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5 |
2457 | + SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
2458 | +olcAttributeTypes: {16}( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord' DESC 'cert |
2459 | + ificate, RFC 2538' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substrings |
2460 | + Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
2461 | +olcAttributeTypes: {17}( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record' DESC 'A6 Rec |
2462 | + ord Type, RFC 2874' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substring |
2463 | + sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
2464 | +olcAttributeTypes: {18}( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord' DESC 'Non |
2465 | + -Terminal DNS Name Redirection, RFC 2672' EQUALITY caseIgnoreIA5Match SUBSTR |
2466 | + caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
2467 | +olcObjectClasses: {0}( 1.3.6.1.4.1.2428.20.3 NAME 'dNSZone' SUP top STRUCTURAL |
2468 | + MUST ( zoneName $ relativeDomainName ) MAY ( DNSTTL $ DNSClass $ ARecord $ M |
2469 | + DRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord $ PTRRecord $ HINFORe |
2470 | + cord $ MINFORecord $ TXTRecord $ SIGRecord $ KEYRecord $ AAAARecord $ LOCReco |
2471 | + rd $ NXTRecord $ SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $ |
2472 | + DNAMERecord ) ) |
2473 | |
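Review bot: Typo in the DESC of the {12} nXTRecord definition: 'non-existant' should read 'non-existent'. A documentation point on the same block: sigRecord, keyRecord and nXTRecord carry DESC 'RFC 2535', the original DNSSEC specification; RFC 4034 later replaced those record types with RRSIG, DNSKEY and NSEC, for which this schema has no attributes, so a comment in the file (or a word in the DESC strings) would stop a reader from assuming a signed zone can be stored in full under dNSZone.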
2474 | === removed file 'doc/README' |
2475 | --- doc/README 2009-09-11 16:20:31 +0000 |
2476 | +++ doc/README 1970-01-01 00:00:00 +0000 |
2477 | @@ -1,321 +0,0 @@ |
2478 | -Introduction |
2479 | -============ |
2480 | - |
2481 | -This document aims to explain the Directory Information Tree (DIT) used in the |
2482 | -openldap-dit package. |
2483 | - |
2484 | -The motivation for this new layout is the need for a better separation of |
2485 | -privileges regarding access to the information stored in the directory. The |
2486 | -super user account of the directory should be used rarely and delegation of |
2487 | -privileges should be easier. |
2488 | - |
2489 | -We think this proposed layout accomplishes that by providing several groups |
2490 | -which have distinctive access rules, providing a clear separation of |
2491 | -privileges. In order to give an user a new privilege, all is needed is to add |
2492 | -him/her to one of these specific groups. |
2493 | - |
2494 | -These are the characteristics of the proposed DIT: |
2495 | -- several groups for common services |
2496 | -- most access control rules based on group membership |
2497 | -- several system accounts ready to use (just add a password) by many services |
2498 | - such as: |
2499 | - - sudo |
2500 | - - dns |
2501 | - - samba |
2502 | - - etc |
2503 | -- simple installation script which prepares the tree asking very few questions |
2504 | - (just two, and one of them is just a password) |
2505 | -- easy support for OpenLDAP's password policy overlay |
2506 | - |
2507 | -These accounts get their privileges by being associated to specific group(s). |
2508 | - |
2509 | -Administrators should note that we will probably find out that there are too |
2510 | -few groups, or too many. Or that some ACLs are too restrictive, or too broad. |
2511 | -It is difficult to come up with a one-size-fits-all DIT, but we can start here. |
2512 | - |
2513 | -By the way, there is no password set for the "rootdn" account as it (the |
2514 | -account) is not used. |
2515 | - |
2516 | -If you just want to know how to use this DIT, skip to the end of the document |
2517 | -to the section called "Enough with the theory: how to use this?". |
2518 | - |
2519 | - |
2520 | -The Tree |
2521 | -======== |
2522 | - |
2523 | - dc=example,dc=com |
2524 | - |
2525 | - ou=Hosts ou=System Groups ou=System Accounts |
2526 | - ou=Idmap cn=LDAP Admins uid=Ldap Admin |
2527 | - ou=Address Book cn=Sudo Admins uid=Sudo Admin |
2528 | - ou=dhcp cn=DNS Admins uid=DNS Admin |
2529 | - ou=dns cn=DNS Readers uid=DNS Reader |
2530 | - ou=People cn=DHCP Admins uid=DHCP Admin |
2531 | - ou=Group cn=Address Book Admins uid=Address Book Admin |
2532 | - ou=Password Policies cn=LDAP Replicators uid=LDAP Replicator |
2533 | - ou=Sudoers cn=Account Admins uid=Account Admin |
2534 | - cn=MTA Admins uid=MTA Admin |
2535 | - cn=LDAP Monitors uid=LDAP Monitor |
2536 | - cn=Idmap Admins uid=Idmap Admin |
2537 | - uid=smbldap-tools |
2538 | - uid=nssldap |
2539 | - |
2540 | -The services |
2541 | -============ |
2542 | - |
2543 | -We created some entries for a few services that can use LDAP to store their |
2544 | -information. More will probably be added in the future. For now, we have |
2545 | -branches for: |
2546 | -- dns (ou=dns) |
2547 | -- sudo (ou=sudoers) |
2548 | -- dhcp (ou=dhcp) |
2549 | - |
2550 | -The respective administrative groups have read/write access to these branches |
2551 | -for specific entries. |
2552 | - |
2553 | - |
2554 | -The groups |
2555 | -========== |
2556 | - |
2557 | -Groups are the core of this proposed DIT layout, because most ACLs are |
2558 | -constructed via group membership to allow for greater flexibility and |
2559 | -delegation. |
2560 | - |
2561 | -The current default groups that are born with the new DIT layout are as |
2562 | -follows: |
2563 | -- LDAP Admins |
2564 | -- Sudo Admins |
2565 | -- DNS Admins |
2566 | -- DNS Readers |
2567 | -- DHCP Admins |
2568 | -- Address Book Admins |
2569 | -- LDAP Replicators |
2570 | -- Account Admins |
2571 | -- MTA Admins |
2572 | -- LDAP Monitors |
2573 | -- Idmap Admins |
2574 | - |
2575 | -Each entry has a description attribute filled in with a brief text describing |
2576 | -the purpose of the members of each group. For example: |
2577 | - |
2578 | -dn: cn=Sudo Admins,ou=System Groups,dc=example,dc=com |
2579 | -description: Members can administer ou=sudoers entries and attributes |
2580 | - |
2581 | -In order to use groups in ACLs, the objectClass used for these entries has to |
2582 | -use attributes where membership is indicated distinguished names and not just |
2583 | -names. In other words, the membership attribute has to use a full DN to |
2584 | -indicate its member. The standard object class used for this by OpenLDAP is |
2585 | -groupOfNames, and this is what we used. For example: |
2586 | - |
2587 | -dn: cn=Sudo Admins,ou=System Groups,dc=example,dc=com |
2588 | -member: uid=Sudo Admin,ou=System Accounts,dc=example,dc=com |
2589 | - |
2590 | -A side effect of using groupOfNames is that we *have* to have at least one |
2591 | -member in each group. So we needed to create standard accounts, which proved to |
2592 | -be usefull anyway. The previous example showed the standard account for |
2593 | -adminstering sudo entries and attributes. |
2594 | - |
2595 | - |
2596 | -The accounts |
2597 | -============ |
2598 | - |
2599 | -As was the case with the groups, many standard system accounts were created. |
2600 | -Each group has at least a corresponding system account as its membership. The |
2601 | -current list is as follows: |
2602 | - |
2603 | -- Account Admin |
2604 | -- smbldap-tools |
2605 | -- nssldap |
2606 | -- MTA Admin |
2607 | -- DHCP Admin |
2608 | -- DNS Admin |
2609 | -- DNS Reader |
2610 | -- Sudo Admin |
2611 | -- Address Book Admin |
2612 | -- LDAP Admin |
2613 | -- LDAP Replicator |
2614 | -- LDAP Monitor |
2615 | -- Idmap Admin |
2616 | - |
2617 | - |
2618 | -The privileges |
2619 | -============== |
2620 | - |
2621 | -The idea is to give each group the needed privileges to complete its |
2622 | -administration tasks. This usually means having access to the respective ou=foo |
2623 | -branch of the directory. For example, the Sudo Admins group has rights over the |
2624 | -ou=sudoers branch of the directory. |
2625 | - |
2626 | -Whenever possible, however, these rights are limited to that specific service, |
2627 | -i.e., it's not any kind of entry that can be created but just those relevant to |
2628 | -the service. For example, the Sudo Admins members can only create entries one |
2629 | -level below ou=sudoers, and only with the attributes allowed by the sudoRole |
2630 | -object class. |
2631 | - |
2632 | -Other cases, however, are more complicated. We will list them here and the |
2633 | -reasoning behind the chosen ACLs. |
2634 | - |
2635 | - |
2636 | -Monitoring access |
2637 | ------------------ |
2638 | -The "LDAP Monitors" group is the only grop besides "LDAP Admins" which can read |
2639 | -entries under cn=monitor. This base dn contains statistics about the server, |
2640 | -such as operations performed, backends and overlays being used, etc. So, if you |
2641 | -need an user to have read access to this kind of information, just put him/her |
2642 | -in this group. |
2643 | - |
2644 | - |
2645 | -Samba, Unix and Kerberos admins |
2646 | -------------------------------- |
2647 | -Samba needs to have corresponding unix accounts for its users and machine |
2648 | -accounts. It will not by itself create those, however. For example, when |
2649 | -running "smbpasswd -a foo", the "foo" user account will only be created if |
2650 | -samba can find the corresponding unix attributes. The same for group mappings |
2651 | -and machine accounts. |
2652 | - |
2653 | -Earlier versions of openldap-dit had two separate privilege groups: |
2654 | -one for Unix accounts and another for Samba accounts. This complicated ACLs, |
2655 | -and it was worse when we later added Kerberos Admins to the mix because they |
2656 | -also had to touch some of the account-related attributes. |
2657 | - |
2658 | -So, since version 0.11, we merged these groups into one called Account Admins |
2659 | -(and the respective Account Admin account). This made the ACLs simplier and |
2660 | -faster, at the expense of some granularity in privileges. |
2661 | - |
2662 | -The smbldap-tools account, uid=smbldap-tools,ou=System Accounts, still exists |
2663 | -but is now a member of the Account Admins group. |
2664 | - |
2665 | - |
2666 | -MTA |
2667 | ---- |
2668 | -As of this moment, there is no clear scenario for usage of this account. For |
2669 | -now, it can administer just a few attributes: all the ones from the |
2670 | -inetLocalMailRecipient object class plus the single mail attribute. |
2671 | - |
2672 | -As more usage scenarios appear, these ACLs should be incremented. |
2673 | - |
2674 | - |
2675 | -DNS Readers |
2676 | ------------ |
2677 | -Members of this group are allowed read access to all attributes of the dNSZone |
2678 | -object class under ou=dns. Besides them and the members of the DNS Admins |
2679 | -group, no other entity can read these entries. This was done so to avoid the |
2680 | -"zone transfer" vulnerability scenario, where anonymous users could gather the |
2681 | -whole DNS database. |
2682 | - |
2683 | - |
2684 | -LDAP Admins |
2685 | ------------ |
2686 | -Members of this group can write to and read from all entries and attributes of |
2687 | -the directory and have no size or time limits. |
2688 | - |
2689 | - |
2690 | -LDAP Replicators |
2691 | ----------------- |
2692 | -The members of the LDAP Replicators group have read access to all attributes |
2693 | -and entries of the directory so that they can be used in a syncrepl replication |
2694 | -setup. The bind dn used for the replication should be a member of this group. |
2695 | -For example: |
2696 | - |
2697 | -syncrepl rid=100 |
2698 | - provider=ldap://dirserv.example.com |
2699 | - type=refreshAndPersist |
2700 | - retry="60 +" |
2701 | - searchbase="dc=example,dc=com" |
2702 | - starttls=critical |
2703 | - bindmethod=simple |
2704 | - binddn="uid=LDAP Replicator,ou=System Accounts,dc=example,dc=com" |
2705 | - credentials="secret" |
2706 | - |
2707 | -Here, "uid=LDAP Replicator,ou=System Accounts,dc=example,dc=com" is a member of |
2708 | -the "LDAP Replicators" group and is automatically granted read rights to all |
2709 | -entries of the directory (assuming the provider was also installed with this |
2710 | -base DIT and ACLs). |
2711 | - |
2712 | - |
2713 | -Generic directory read accounts |
2714 | -------------------------------- |
2715 | -A few accounts were created for specific read access. Some administrators |
2716 | -prefer to block anonymous read access to the directory, in which case these |
2717 | -accounts would then be used. For the moment we have: |
2718 | -- nssldap: nss_ldap can bind to the directory either anonymously or with a |
2719 | - specific account. The "uid=nssldap,ou=System Accounts" was created for this |
2720 | - purpose. Currently no ACLs make use of this account. Were the administrator to |
2721 | - use it, he/she would also have to block anonymous read access to many |
2722 | - attributes. |
2723 | - |
2724 | -Currently anonymous read access is granted to many attributes. As of this |
2725 | -moment, if the administrator wants to restrict anonymous access and use these |
2726 | -accounts, the ACLs would have to be changed manually. |
2727 | - |
2728 | - |
2729 | -The installation script |
2730 | -======================= |
2731 | - |
2732 | -The openldap-dit package contains a shell script which can be used to |
2733 | -install the accounts and ACLs described in this document. The script is |
2734 | -installed at /usr/share/openldap/scripts/openldap-dit-setup.sh and performs the |
2735 | -following: |
2736 | -- asks the DNS domain (suggesting whatever was auto-detected) |
2737 | -- constructs the top-level directory entry from this domain using dc style |
2738 | - attributes |
2739 | -- creates and imports an ldif file with the accounts and groups described here |
2740 | -- installs new slapd.conf and openldap-dit-access.conf files (making backups of |
2741 | - the previous ones) with the default ACLs and other useful configurations |
2742 | - (like cache) |
2743 | -- loads the ldif file, backing up the previous database directory |
2744 | - |
2745 | -Even though the script performs many tests and backups many files before |
2746 | -overwriting them, administrators are advised to backup all data before running |
2747 | -this script. |
2748 | - |
2749 | - |
2750 | -Enough with the theory: how to use this? |
2751 | -======================================== |
2752 | - |
2753 | -The installation script will overwrite some OpenLDAP files and directories. |
2754 | -Specifically, it will backup and overwrite the following: |
2755 | -- /etc/ldap/slapd.conf |
2756 | -- /etc/ldap/ldap.conf |
2757 | -- /etc/ldap/openldap-dit-access.conf (THIS ONE HAS NO BACKUP CURRENTLY) |
2758 | -- /var/lib/ldap contents |
2759 | - |
2760 | -So, after you are satisfied that nothing important will be lost, run the |
2761 | -script. Below is a sample run using the example.com domain: |
2762 | - |
2763 | -root@nsn2:~# /usr/share/slapd/openldap-dit-setup.sh |
2764 | -Please enter your DNS domain name [example.com]: |
2765 | - |
2766 | - |
2767 | -Administrator account |
2768 | - |
2769 | -The administrator account for this directory is |
2770 | -uid=LDAP Admin,ou=System Accounts,dc=example,dc=com |
2771 | - |
2772 | -Please choose a password for this account: |
2773 | -New password: |
2774 | -Re-enter new password: |
2775 | - |
2776 | - |
2777 | -Summary |
2778 | -======= |
2779 | - |
2780 | -Domain: example.com |
2781 | -LDAP suffix: dc=example,dc=com |
2782 | -Administrator: uid=LDAP Admin,ou=System Accounts,dc=example,dc=com |
2783 | - |
2784 | -Confirm? (Y/n) |
2785 | - |
2786 | -config file testing succeeded |
2787 | -Stopping ldap service |
2788 | -Finished, starting ldap service |
2789 | -Starting OpenLDAP: slapd. |
2790 | - |
2791 | -Your previous database directory has been backed up as /var/lib/ldap.1228858266 |
2792 | -All files that were backed up got the suffix "1228858266". |
2793 | - |
2794 | - |
2795 | -Now, fire up an LDAP browser and use the LDAP Admin account shown above to set |
2796 | -up some passwords for the other less privileged accounts that you are going to |
2797 | -use. Note that the "rootdn" account is not used. |
2798 | - |
2799 | |
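Review bot: Deleting doc/README removes the only explanation of why the ACLs look the way they do (groups instead of individual DNs, DNS Readers added to avoid the anonymous zone-transfer scenario, LDAP Replicators granted read-all for syncrepl, an unused rootdn with no password), and the header that follows adds doc/README.kde with no content in its place. If the text is being moved to another README rather than dropped, the design sections can travel as they are, but the procedural sections are already out of step with this branch: 'The installation script' and 'Enough with the theory' describe a slapd.conf/openldap-dit-access.conf workflow and give the setup script two different paths (/usr/share/openldap/scripts/openldap-dit-setup.sh in the prose, /usr/share/slapd/openldap-dit-setup.sh in the sample run), while the LDIFs added below target olcDatabase={1}hdb,cn=config. Those sections should be rewritten for the cn=config workflow wherever the text ends up (and the spellings 'usefull', 'adminstering', 'simplier' and 'grop' fixed at the same time); if the file is simply being dropped, the ACL rationale needs a new home in the package.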
2800 | === added file 'doc/README.kde' |
2801 | === added directory 'mit-kerberos' |
2802 | === added file 'mit-kerberos/mit-kerberos-acl.ldif' |
2803 | --- mit-kerberos/mit-kerberos-acl.ldif 1970-01-01 00:00:00 +0000 |
2804 | +++ mit-kerberos/mit-kerberos-acl.ldif 2010-07-19 21:25:56 +0000 |
2805 | @@ -0,0 +1,29 @@ |
2806 | +dn: olcDatabase={1}hdb,cn=config |
2807 | +changetype: modify |
2808 | +add: olcDbIndex |
2809 | +olcDbIndex: krbPrincipalName eq |
2810 | +- |
2811 | +add: olcDbIndex |
2812 | +olcDbIndex: krbPwdPolicyReference eq |
2813 | +- |
2814 | +delete: olcAccess |
2815 | +olcAccess: to dn.subtree="@SUFFIX@" by * read |
2816 | +- |
2817 | +add: olcAccess |
2818 | +olcAccess: to dn.subtree="@SUFFIX@" |
2819 | + attrs=krbPrincipalKey |
2820 | + by self write |
2821 | + by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write |
2822 | + by dn.exact="uid=kdc-service,ou=System Accounts,@SUFFIX@" read |
2823 | + by dn.exact="uid=kadmin-service,ou=System Accounts,@SUFFIX@" write |
2824 | + by anonymous auth |
2825 | + by * none |
2826 | +- |
2827 | +add: olcAccess |
2828 | +olcAccess: to dn.subtree="ou=Kerberos Realms,@SUFFIX@" |
2829 | + by dn.exact="uid=kdc-service,ou=System Accounts,@SUFFIX@" read |
2830 | + by dn.exact="uid=kadmin-service,ou=System Accounts,@SUFFIX@" write |
2831 | + by * none |
2832 | +- |
2833 | +add: olcAccess |
2834 | +olcAccess: to dn.subtree="@SUFFIX@" by * read |
2835 | |
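Review bot: The clause `by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write` in the krbPrincipalKey rule names an object class that is not in the standard OpenLDAP schema; the package's groups are groupOfNames entries with `member` as the membership attribute (the removed README above says so explicitly), and slapd rejects an ACL whose group object class it cannot find, so the whole modify would fail unless a groupOfMembers class is defined elsewhere in the branch. It should read `by group/groupOfNames/member.exact="cn=Account Admins,ou=System Groups,@SUFFIX@" write` (or simply `by group.exact=...`, since groupOfNames/member is the default). Second, the catch-all `to dn.subtree="@SUFFIX@" by * read` that is re-added last still exposes every other attribute of a principal entry to anonymous readers, including krbPwdHistory, which the schema added later in this diff describes as the principal's old keys encrypted with the kadmin/history key; it deserves the same protection as krbPrincipalKey, e.g. `attrs=krbPrincipalKey,krbPwdHistory` on the first rule. Deleting and re-adding the catch-all so that the new rules sit ahead of it is the right approach given first-match ACL evaluation.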
2836 | === added file 'mit-kerberos/mit-kerberos-dit.ldif' |
2837 | --- mit-kerberos/mit-kerberos-dit.ldif 1970-01-01 00:00:00 +0000 |
2838 | +++ mit-kerberos/mit-kerberos-dit.ldif 2010-07-19 21:25:56 +0000 |
2839 | @@ -0,0 +1,19 @@ |
2840 | +dn: ou=Kerberos Realms,@SUFFIX@ |
2841 | +ou: Kerberos Realms |
2842 | +objectClass: organizationalUnit |
2843 | +description: Container for Kerberos Realms |
2844 | + |
2845 | +dn: uid=kdc-service,ou=System Accounts,@SUFFIX@ |
2846 | +uid: kdc-service |
2847 | +objectClass: account |
2848 | +objectClass: simpleSecurityObject |
2849 | +userPassword: {CRYPT}x |
2850 | +description: Account used for the Kerberos KDC |
2851 | + |
2852 | +dn: uid=kadmin-service,ou=System Accounts,@SUFFIX@ |
2853 | +uid: kadmin-service |
2854 | +objectClass: account |
2855 | +objectClass: simpleSecurityObject |
2856 | +userPassword: {CRYPT}x |
2857 | +description: Account used for the Kerberos Admin server |
2858 | + |
2859 | |
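Review bot: Both service accounts are created with `userPassword: {CRYPT}x`, which is not a valid crypt(3) hash, so neither uid=kdc-service nor uid=kadmin-service can bind until something replaces it. That is a sound default, but nothing in this hunk sets a real password, and the ACL added just before it gives kadmin-service write access to krbPrincipalKey and to ou=Kerberos Realms; the postinst (or the README) should state where these two passwords are generated and how they reach the KDC's LDAP configuration, typically a random password per account stashed in a root-only service password file. Also, these two accounts and the ou=Kerberos Realms container are documented nowhere in the branch, while the README removed earlier in this diff enumerates every ou=System Accounts entry; whichever README survives should list them.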
2860 | === added file 'mit-kerberos/mit-kerberos-schema.ldif' |
2861 | --- mit-kerberos/mit-kerberos-schema.ldif 1970-01-01 00:00:00 +0000 |
2862 | +++ mit-kerberos/mit-kerberos-schema.ldif 2010-07-19 21:25:56 +0000 |
2863 | @@ -0,0 +1,473 @@ |
2864 | +# Novell Kerberos Schema Definitions |
2865 | +# Novell Inc. |
2866 | +# 1800 South Novell Place |
2867 | +# Provo, UT 84606 |
2868 | +# |
2869 | +# VeRsIoN=1.0 |
2870 | +# CoPyRiGhT=(c) Copyright 2006, Novell, Inc. All rights reserved |
2871 | +# |
2872 | +# OIDs: |
2873 | +# joint-iso-ccitt(2) |
2874 | +# country(16) |
2875 | +# us(840) |
2876 | +# organization(1) |
2877 | +# Novell(113719) |
2878 | +# applications(1) |
2879 | +# kerberos(301) |
2880 | +# Kerberos Attribute Type(4) attr# version# |
2881 | +# specific attribute definitions |
2882 | +# Kerberos Attribute Syntax(5) |
2883 | +# specific syntax definitions |
2884 | +# Kerberos Object Class(6) class# version# |
2885 | +# specific class definitions |
2886 | +# |
2887 | +# iso(1) |
2888 | +# member-body(2) |
2889 | +# United States(840) |
2890 | +# mit (113554) |
2891 | +# infosys(1) |
2892 | +# ldap(4) |
2893 | +# attributeTypes(1) |
2894 | +# Kerberos(6) |
2895 | +######################################################################## |
2896 | +######################################################################## |
2897 | +# Attribute Type Definitions # |
2898 | +######################################################################## |
2899 | +dn: cn=mit-kerberos,cn=schema,cn=config |
2900 | +cn: kerberos |
2901 | +objectClass: olcSchemaConfig |
2902 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.1.1 |
2903 | + NAME 'krbPrincipalName' |
2904 | + EQUALITY caseExactIA5Match |
2905 | + SUBSTR caseExactSubstringsMatch |
2906 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) |
2907 | +##### If there are multiple krbPrincipalName values for an entry, this |
2908 | +##### is the canonical principal name in the RFC 1964 specified |
2909 | +##### format. (If this attribute does not exist, then all |
2910 | +##### krbPrincipalName values are treated as canonical.) |
2911 | +olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.1 |
2912 | + NAME 'krbCanonicalName' |
2913 | + EQUALITY caseExactIA5Match |
2914 | + SUBSTR caseExactSubstringsMatch |
2915 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 |
2916 | + SINGLE-VALUE) |
2917 | +##### This specifies the type of the principal, the types could be any of |
2918 | +##### the types mentioned in section 6.2 of RFC 4120 |
2919 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.3.1 |
2920 | + NAME 'krbPrincipalType' |
2921 | + EQUALITY integerMatch |
2922 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
2923 | + SINGLE-VALUE) |
2924 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.5.1 |
2925 | + NAME 'krbUPEnabled' |
2926 | + DESC 'Boolean' |
2927 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 |
2928 | + SINGLE-VALUE) |
2929 | +##### The time at which the principal expires |
2930 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.6.1 |
2931 | + NAME 'krbPrincipalExpiration' |
2932 | + EQUALITY generalizedTimeMatch |
2933 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 |
2934 | + SINGLE-VALUE) |
2935 | +##### The krbTicketFlags attribute holds information about the kerberos flags for a principal |
2936 | +##### The values (0x00000001 - 0x00800000) are reserved for standards and |
2937 | +##### values (0x01000000 - 0x80000000) can be used for proprietary extensions. |
2938 | +##### The flags and values as per RFC 4120 and MIT implementation are, |
2939 | +##### DISALLOW_POSTDATED 0x00000001 |
2940 | +##### DISALLOW_FORWARDABLE 0x00000002 |
2941 | +##### DISALLOW_TGT_BASED 0x00000004 |
2942 | +##### DISALLOW_RENEWABLE 0x00000008 |
2943 | +##### DISALLOW_PROXIABLE 0x00000010 |
2944 | +##### DISALLOW_DUP_SKEY 0x00000020 |
2945 | +##### DISALLOW_ALL_TIX 0x00000040 |
2946 | +##### REQUIRES_PRE_AUTH 0x00000080 |
2947 | +##### REQUIRES_HW_AUTH 0x00000100 |
2948 | +##### REQUIRES_PWCHANGE 0x00000200 |
2949 | +##### DISALLOW_SVR 0x00001000 |
2950 | +##### PWCHANGE_SERVICE 0x00002000 |
2951 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.8.1 |
2952 | + NAME 'krbTicketFlags' |
2953 | + EQUALITY integerMatch |
2954 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
2955 | + SINGLE-VALUE) |
2956 | +##### The maximum ticket lifetime for a principal in seconds |
2957 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.9.1 |
2958 | + NAME 'krbMaxTicketLife' |
2959 | + EQUALITY integerMatch |
2960 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
2961 | + SINGLE-VALUE) |
2962 | +##### Maximum renewable lifetime for a principal's ticket in seconds |
2963 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.10.1 |
2964 | + NAME 'krbMaxRenewableAge' |
2965 | + EQUALITY integerMatch |
2966 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
2967 | + SINGLE-VALUE) |
2968 | +##### Forward reference to the Realm object. |
2969 | +##### (FDN of the krbRealmContainer object). |
2970 | +##### Example: cn=ACME.COM, cn=Kerberos, cn=Security |
2971 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.14.1 |
2972 | + NAME 'krbRealmReferences' |
2973 | + EQUALITY distinguishedNameMatch |
2974 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) |
2975 | +##### List of LDAP servers that kerberos servers can contact. |
2976 | +##### The attribute holds data in the ldap uri format, |
2977 | +##### Example: ldaps://acme.com:636 |
2978 | +##### |
2979 | +##### The values of this attribute need to be updated, when |
2980 | +##### the LDAP servers listed here are renamed, moved or deleted. |
2981 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.15.1 |
2982 | + NAME 'krbLdapServers' |
2983 | + EQUALITY caseIgnoreMatch |
2984 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) |
2985 | +##### A set of forward references to the KDC Service objects. |
2986 | +##### (FDNs of the krbKdcService objects). |
2987 | +##### Example: cn=kdc - server 1, ou=uvw, o=xyz |
2988 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.17.1 |
2989 | + NAME 'krbKdcServers' |
2990 | + EQUALITY distinguishedNameMatch |
2991 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) |
2992 | +##### A set of forward references to the Password Service objects. |
2993 | +##### (FDNs of the krbPwdService objects). |
2994 | +##### Example: cn=kpasswdd - server 1, ou=uvw, o=xyz |
2995 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.18.1 |
2996 | + NAME 'krbPwdServers' |
2997 | + EQUALITY distinguishedNameMatch |
2998 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) |
2999 | +##### This attribute holds the Host Name or the ip address, |
3000 | +##### transport protocol and ports of the kerberos service host |
3001 | +##### The format is host_name-or-ip_address#protocol#port |
3002 | +##### Protocol can be 0 or 1. 0 is for UDP. 1 is for TCP. |
3003 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.24.1 |
3004 | + NAME 'krbHostServer' |
3005 | + EQUALITY caseExactIA5Match |
3006 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) |
3007 | +##### This attribute holds the scope for searching the principals |
3008 | +##### under krbSubTree attribute of krbRealmContainer |
3009 | +##### The value can either be 1 (ONE) or 2 (SUB_TREE). |
3010 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.25.1 |
3011 | + NAME 'krbSearchScope' |
3012 | + EQUALITY integerMatch |
3013 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
3014 | + SINGLE-VALUE) |
3015 | +##### FDNs pointing to Kerberos principals |
3016 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.26.1 |
3017 | + NAME 'krbPrincipalReferences' |
3018 | + EQUALITY distinguishedNameMatch |
3019 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) |
3020 | +##### This attribute specifies which attribute of the user objects |
3021 | +##### be used as the principal name component for Kerberos. |
3022 | +##### The allowed values are cn, sn, uid, givenname, fullname. |
3023 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.28.1 |
3024 | + NAME 'krbPrincNamingAttr' |
3025 | + EQUALITY caseIgnoreMatch |
3026 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 |
3027 | + SINGLE-VALUE) |
3028 | +##### A set of forward references to the Administration Service objects. |
3029 | +##### (FDNs of the krbAdmService objects). |
3030 | +##### Example: cn=kadmindd - server 1, ou=uvw, o=xyz |
3031 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.29.1 |
3032 | + NAME 'krbAdmServers' |
3033 | + EQUALITY distinguishedNameMatch |
3034 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) |
3035 | +##### Maximum lifetime of a principal's password |
3036 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.30.1 |
3037 | + NAME 'krbMaxPwdLife' |
3038 | + EQUALITY integerMatch |
3039 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
3040 | + SINGLE-VALUE) |
3041 | +##### Minimum lifetime of a principal's password |
3042 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.31.1 |
3043 | + NAME 'krbMinPwdLife' |
3044 | + EQUALITY integerMatch |
3045 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
3046 | + SINGLE-VALUE) |
3047 | +##### Minimum number of character clases allowed in a password |
3048 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.32.1 |
3049 | + NAME 'krbPwdMinDiffChars' |
3050 | + EQUALITY integerMatch |
3051 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
3052 | + SINGLE-VALUE) |
3053 | +##### Minimum length of the password |
3054 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.33.1 |
3055 | + NAME 'krbPwdMinLength' |
3056 | + EQUALITY integerMatch |
3057 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
3058 | + SINGLE-VALUE) |
3059 | +##### Number of previous versions of passwords that are stored |
3060 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.34.1 |
3061 | + NAME 'krbPwdHistoryLength' |
3062 | + EQUALITY integerMatch |
3063 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
3064 | + SINGLE-VALUE) |
3065 | +##### FDN pointing to a Kerberos Password Policy object |
3066 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.36.1 |
3067 | + NAME 'krbPwdPolicyReference' |
3068 | + EQUALITY distinguishedNameMatch |
3069 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 |
3070 | + SINGLE-VALUE) |
3071 | +##### The time at which the principal's password expires |
3072 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.37.1 |
3073 | + NAME 'krbPasswordExpiration' |
3074 | + EQUALITY generalizedTimeMatch |
3075 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 |
3076 | + SINGLE-VALUE) |
3077 | +##### This attribute holds the principal's key (krbPrincipalKey) that is encrypted with |
3078 | +##### the master key (krbMKey). |
3079 | +##### The attribute is ASN.1 encoded. |
3080 | +##### |
3081 | +##### The format of the value for this attribute is explained below, |
3082 | +##### KrbKeySet ::= SEQUENCE { |
3083 | +##### attribute-major-vno [0] UInt16, |
3084 | +##### attribute-minor-vno [1] UInt16, |
3085 | +##### kvno [2] UInt32, |
3086 | +##### mkvno [3] UInt32 OPTIONAL, |
3087 | +##### keys [4] SEQUENCE OF KrbKey, |
3088 | +##### ... |
3089 | +##### } |
3090 | +##### |
3091 | +##### KrbKey ::= SEQUENCE { |
3092 | +##### salt [0] KrbSalt OPTIONAL, |
3093 | +##### key [1] EncryptionKey, |
3094 | +##### s2kparams [2] OCTET STRING OPTIONAL, |
3095 | +##### ... |
3096 | +##### } |
3097 | +##### |
3098 | +##### KrbSalt ::= SEQUENCE { |
3099 | +##### type [0] Int32, |
3100 | +##### salt [1] OCTET STRING OPTIONAL |
3101 | +##### } |
3102 | +##### |
3103 | +##### EncryptionKey ::= SEQUENCE { |
3104 | +##### keytype [0] Int32, |
3105 | +##### keyvalue [1] OCTET STRING |
3106 | +##### } |
3107 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.39.1 |
3108 | + NAME 'krbPrincipalKey' |
3109 | + EQUALITY octetStringMatch |
3110 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40) |
3111 | +##### FDN pointing to a Kerberos Ticket Policy object. |
3112 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.40.1 |
3113 | + NAME 'krbTicketPolicyReference' |
3114 | + EQUALITY distinguishedNameMatch |
3115 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 |
3116 | + SINGLE-VALUE) |
3117 | +##### Forward reference to an entry that starts sub-trees |
3118 | +##### where principals and other kerberos objects in the realm are configured. |
3119 | +##### Example: ou=acme, ou=pq, o=xyz |
3120 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.41.1 |
3121 | + NAME 'krbSubTrees' |
3122 | + EQUALITY distinguishedNameMatch |
3123 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) |
3124 | +##### Holds the default encryption/salt type combinations of principals for |
3125 | +##### the Realm. Stores in the form of key:salt strings. |
3126 | +##### Example: des-cbc-crc:normal |
3127 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.42.1 |
3128 | + NAME 'krbDefaultEncSaltTypes' |
3129 | + EQUALITY caseIgnoreMatch |
3130 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) |
3131 | +##### Holds the Supported encryption/salt type combinations of principals for |
3132 | +##### the Realm. Stores in the form of key:salt strings. |
3133 | +##### The supported encryption types are mentioned in RFC 3961 |
3134 | +##### The supported salt types are, |
3135 | +##### NORMAL |
3136 | +##### V4 |
3137 | +##### NOREALM |
3138 | +##### ONLYREALM |
3139 | +##### SPECIAL |
3140 | +##### AFS3 |
3141 | +##### Example: des-cbc-crc:normal |
3142 | +##### |
3143 | +##### This attribute obsoletes the krbSupportedEncTypes and krbSupportedSaltTypes |
3144 | +##### attributes. |
3145 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.43.1 |
3146 | + NAME 'krbSupportedEncSaltTypes' |
3147 | + EQUALITY caseIgnoreMatch |
3148 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) |
3149 | +##### This attribute holds the principal's old keys (krbPwdHistory) that is encrypted with |
3150 | +##### the kadmin/history key. |
3151 | +##### The attribute is ASN.1 encoded. |
3152 | +##### |
3153 | +##### The format of the value for this attribute is explained below, |
3154 | +##### KrbKeySet ::= SEQUENCE { |
3155 | +##### attribute-major-vno [0] UInt16, |
3156 | +##### attribute-minor-vno [1] UInt16, |
3157 | +##### kvno [2] UInt32, |
3158 | +##### mkvno [3] UInt32 OPTIONAL -- actually kadmin/history key, |
3159 | +##### keys [4] SEQUENCE OF KrbKey, |
3160 | +##### ... |
3161 | +##### } |
3162 | +##### |
3163 | +##### KrbKey ::= SEQUENCE { |
3164 | +##### salt [0] KrbSalt OPTIONAL, |
3165 | +##### key [1] EncryptionKey, |
3166 | +##### s2kparams [2] OCTET STRING OPTIONAL, |
3167 | +##### ... |
3168 | +##### } |
3169 | +##### |
3170 | +##### KrbSalt ::= SEQUENCE { |
3171 | +##### type [0] Int32, |
3172 | +##### salt [1] OCTET STRING OPTIONAL |
3173 | +##### } |
3174 | +##### |
3175 | +##### EncryptionKey ::= SEQUENCE { |
3176 | +##### keytype [0] Int32, |
3177 | +##### keyvalue [1] OCTET STRING |
3178 | +##### } |
3179 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.44.1 |
3180 | + NAME 'krbPwdHistory' |
3181 | + EQUALITY octetStringMatch |
3182 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40) |
3183 | +##### The time at which the principal's password last password change happened. |
3184 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.45.1 |
3185 | + NAME 'krbLastPwdChange' |
3186 | + EQUALITY generalizedTimeMatch |
3187 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 |
3188 | + SINGLE-VALUE) |
3189 | +##### This attribute holds the kerberos master key. |
3190 | +##### This can be used to encrypt principal keys. |
3191 | +##### This attribute has to be secured in directory. |
3192 | +##### |
3193 | +##### This attribute is ASN.1 encoded. |
3194 | +##### The format of the value for this attribute is explained below, |
3195 | +##### KrbMKey ::= SEQUENCE { |
3196 | +##### kvno [0] UInt32, |
3197 | +##### key [1] MasterKey |
3198 | +##### } |
3199 | +##### |
3200 | +##### MasterKey ::= SEQUENCE { |
3201 | +##### keytype [0] Int32, |
3202 | +##### keyvalue [1] OCTET STRING |
3203 | +##### } |
3204 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.46.1 |
3205 | + NAME 'krbMKey' |
3206 | + EQUALITY octetStringMatch |
3207 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40) |
3208 | +##### This stores the alternate principal names for the principal in the RFC 1961 specified format |
3209 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.47.1 |
3210 | + NAME 'krbPrincipalAliases' |
3211 | + EQUALITY caseExactIA5Match |
3212 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) |
3213 | +##### The time at which the principal's last successful authentication happened. |
3214 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.48.1 |
3215 | + NAME 'krbLastSuccessfulAuth' |
3216 | + EQUALITY generalizedTimeMatch |
3217 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 |
3218 | + SINGLE-VALUE) |
3219 | +##### The time at which the principal's last failed authentication happened. |
3220 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.49.1 |
3221 | + NAME 'krbLastFailedAuth' |
3222 | + EQUALITY generalizedTimeMatch |
3223 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 |
3224 | + SINGLE-VALUE) |
3225 | +##### This attribute stores the number of failed authentication attempts |
3226 | +##### happened for the principal since the last successful authentication. |
3227 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.50.1 |
3228 | + NAME 'krbLoginFailedCount' |
3229 | + EQUALITY integerMatch |
3230 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
3231 | + SINGLE-VALUE) |
3232 | +##### This attribute holds the application specific data. |
3233 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.51.1 |
3234 | + NAME 'krbExtraData' |
3235 | + EQUALITY octetStringMatch |
3236 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40) |
3237 | +##### This attributes holds references to the set of directory objects. |
3238 | +##### This stores the DNs of the directory objects to which the |
3239 | +##### principal object belongs to. |
3240 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.52.1 |
3241 | + NAME 'krbObjectReferences' |
3242 | + EQUALITY distinguishedNameMatch |
3243 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) |
3244 | +##### This attribute holds references to a Container object where |
3245 | +##### the additional principal objects and stand alone principal |
3246 | +##### objects (krbPrincipal) can be created. |
3247 | +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.53.1 |
3248 | + NAME 'krbPrincContainerRef' |
3249 | + EQUALITY distinguishedNameMatch |
3250 | + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) |
3251 | +######################################################################## |
3252 | +######################################################################## |
3253 | +# Object Class Definitions # |
3254 | +######################################################################## |
3255 | +#### This is a kerberos container for all the realms in a tree. |
3256 | +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.1.1 |
3257 | + NAME 'krbContainer' |
3258 | + SUP top |
3259 | + MUST ( cn ) ) |
3260 | +##### The krbRealmContainer is created per realm and holds realm specific data. |
3261 | +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.2.1 |
3262 | + NAME 'krbRealmContainer' |
3263 | + SUP top |
3264 | + MUST ( cn ) |
3265 | + MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $krbPwdPolicyReference $ krbPrincContainerRef ) ) |
3266 | +##### An instance of a class derived from krbService is created per |
3267 | +##### kerberos authentication or administration server in an realm and holds |
3268 | +##### references to the realm objects. These references is used to further read |
3269 | +##### realm specific data to service AS/TGS requests. Additionally this object |
3270 | +##### contains some server specific data like pathnames and ports that the |
3271 | +##### server uses. This is the identity the kerberos server logs in with. A key |
3272 | +##### pair for the same is created and the kerberos server logs in with the same. |
3273 | +##### |
3274 | +##### krbKdcService, krbAdmService and krbPwdService derive from this class. |
3275 | +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.3.1 |
3276 | + NAME 'krbService' |
3277 | + ABSTRACT |
3278 | + SUP ( top ) |
3279 | + MUST ( cn ) |
3280 | + MAY ( krbHostServer $ krbRealmReferences ) ) |
3281 | +##### Representative object for the KDC server to bind into a LDAP directory |
3282 | +##### and have a connection to access Kerberos data with the required |
3283 | +##### access rights. |
3284 | +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.4.1 |
3285 | + NAME 'krbKdcService' |
3286 | + SUP ( krbService ) ) |
3287 | +##### Representative object for the Kerberos Password server to bind into a LDAP directory |
3288 | +##### and have a connection to access Kerberos data with the required |
3289 | +##### access rights. |
3290 | +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.5.1 |
3291 | + NAME 'krbPwdService' |
3292 | + SUP ( krbService ) ) |
3293 | +###### The principal data auxiliary class. Holds principal information |
3294 | +###### and is used to store principal information for Person, Service objects. |
3295 | +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.8.1 |
3296 | + NAME 'krbPrincipalAux' |
3297 | + AUXILIARY |
3298 | + MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) ) |
3299 | +###### This class is used to create additional principals and stand alone principals. |
3300 | +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.9.1 |
3301 | + NAME 'krbPrincipal' |
3302 | + SUP ( top ) |
3303 | + MUST ( krbPrincipalName ) |
3304 | + MAY ( krbObjectReferences ) ) |
3305 | +###### The principal references auxiliary class. Holds all principals referred |
3306 | +###### from a service |
3307 | +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.11.1 |
3308 | + NAME 'krbPrincRefAux' |
3309 | + SUP top |
3310 | + AUXILIARY |
3311 | + MAY krbPrincipalReferences ) |
3312 | +##### Representative object for the Kerberos Administration server to bind into a LDAP directory |
3313 | +##### and have a connection Id to access Kerberos data with the required access rights. |
3314 | +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.13.1 |
3315 | + NAME 'krbAdmService' |
3316 | + SUP ( krbService ) ) |
3317 | +##### The krbPwdPolicy object is a template password policy that |
3318 | +##### can be applied to principals when they are created. |
3319 | +##### These policy attributes will be in effect, when the Kerberos |
3320 | +##### passwords are different from users' passwords (UP). |
3321 | +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.14.1 |
3322 | + NAME 'krbPwdPolicy' |
3323 | + SUP top |
3324 | + MUST ( cn ) |
3325 | + MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength ) ) |
3326 | +##### The krbTicketPolicyAux holds Kerberos ticket policy attributes. |
3327 | +##### This class can be attached to a principal object or realm object. |
3328 | +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.16.1 |
3329 | + NAME 'krbTicketPolicyAux' |
3330 | + AUXILIARY |
3331 | + MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) ) |
3332 | +##### The krbTicketPolicy object is an effective ticket policy that is associated with a realm or a principal |
3333 | +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.17.1 |
3334 | + NAME 'krbTicketPolicy' |
3335 | + SUP top |
3336 | + MUST ( cn ) ) |
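Review bot: the schema's own comments say krbMKey "has to be secured in directory" and describe krbPwdHistory as old keys encrypted under the kadmin/history key, and krbPrincipalAux also carries krbPrincipalKey; nothing in this hunk protects any of them, so please confirm that the mit-kerberos ACL file (not in this part of the diff) denies read on krbMKey, krbPrincipalKey and krbPwdHistory to everyone except the KDC/kadmin service identities, and that those rules are ordered before any `to dn.subtree="@SUFFIX@" by * read` catch-all, otherwise the default read rule exposes the realm master key to every authenticated user. Minor: `krbPrincNamingAttr $krbPwdPolicyReference` in the krbRealmContainer MAY list is missing the space after `$`; RFC 4512 tolerates it, but every other list in the file writes ` $ `, so please make it consistent.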
3337 | |
3338 | === added file 'mit-kerberos/mit-refint-overlay.ldif' |
3339 | --- mit-kerberos/mit-refint-overlay.ldif 1970-01-01 00:00:00 +0000 |
3340 | +++ mit-kerberos/mit-refint-overlay.ldif 2010-07-19 21:25:56 +0000 |
3341 | @@ -0,0 +1,7 @@ |
3342 | +dn: olcOverlay={3}refint,olcDatabase={1}hdb,cn=config |
3343 | +changetype: modify |
3344 | +add: olcRefintAttribute |
3345 | +olcRefintAttribute: krbObjectReferences |
3346 | +- |
3347 | +add: olcRefintAttribute |
3348 | +olcRefintAttribute: krbPwdPolicyReference |
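Review bot: the target DN hard-codes the overlay index, `olcOverlay={3}refint,olcDatabase={1}hdb,cn=config`, so this modify only works when refint happens to be the fourth overlay on the hdb database; on an install where the overlays were added in a different order (or one of them is absent) the modify either fails or, worse, adds the krb attributes to whichever overlay sits at `{3}`. The removed overlays/4_add-refint-overlay.ldif created the overlay as plain `olcOverlay=refint` with no index, so the index this file relies on is an artefact of the order the other files were applied in. Either look the index up at install time (search the database for `(olcOverlay=refint)` and modify the DN that comes back) or document the required overlay order in the README.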
3349 | |
3350 | === removed directory 'modules' |
3351 | === removed file 'modules/add-modules.ldif' |
3352 | --- modules/add-modules.ldif 2009-09-11 14:28:41 +0000 |
3353 | +++ modules/add-modules.ldif 1970-01-01 00:00:00 +0000 |
3354 | @@ -1,10 +0,0 @@ |
3355 | -dn: cn=module,cn=config |
3356 | -cn: module |
3357 | -objectClass: olcModuleList |
3358 | -olcModuleLoad: back_hdb.la |
3359 | -olcModuleLoad: back_bdb.la |
3360 | -olcModuleLoad: ppolicy.la |
3361 | -olcModuleLoad: unique.la |
3362 | -olcModuleLoad: back_monitor.la |
3363 | -olcModuleLoad: refint.la |
3364 | -olcModuleLoad: syncprov.la |
3365 | |
3366 | === added directory 'monitor' |
3367 | === added file 'monitor/README' |
3368 | --- monitor/README 1970-01-01 00:00:00 +0000 |
3369 | +++ monitor/README 2010-07-19 21:25:56 +0000 |
3370 | @@ -0,0 +1,1 @@ |
3371 | +TODO |
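Review bot: the README is only a `TODO` placeholder; at minimum document what the monitor database exposes (cn=Monitor lists current connections with their bind DNs, operation and thread counters), which identities acl.ldif grants read to, and that the `uid=LDAP Monitor` account and the `LDAP Admins`/`LDAP Monitors` groups referenced by that ACL must already exist in the core DIT for the group checks to resolve.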
3372 | |
3373 | === added file 'monitor/acl.ldif' |
3374 | --- monitor/acl.ldif 1970-01-01 00:00:00 +0000 |
3375 | +++ monitor/acl.ldif 2010-07-19 21:25:56 +0000 |
3376 | @@ -0,0 +1,12 @@ |
3377 | +dn: olcDatabase=monitor,cn=config |
3378 | +changetype: modify |
3379 | +add: olcAccess |
3380 | +olcAccess: to dn.subtree="" |
3381 | + by dn.exact="uid=LDAP Monitor,ou=System Accounts,@SUFFIX@" read |
3382 | + by * none |
3383 | +- |
3384 | +add: olcAccess |
3385 | +olcAccess: to dn.subtree="" |
3386 | + by group/groupOfMembers/member.exact="cn=LDAP Admins,ou=System Groups,@SUFFIX@" read |
3387 | + by group/groupOfMembers/member.exact="cn=LDAP Monitors,ou=System Groups,@SUFFIX@" read |
3388 | + by * none |
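Review bot: the second olcAccess rule is unreachable. Both rules target `dn.subtree=""`, and slapd uses the first `to` clause whose target matches and stops there, so the first rule's `by * none` denies LDAP Admins and LDAP Monitors before their rule is ever consulted. Fold the three `by` clauses into one rule:
olcAccess: to dn.subtree="" by dn.exact="uid=LDAP Monitor,ou=System Accounts,@SUFFIX@" read by group/groupOfMembers/member.exact="cn=LDAP Admins,ou=System Groups,@SUFFIX@" read by group/groupOfMembers/member.exact="cn=LDAP Monitors,ou=System Groups,@SUFFIX@" read by * none
(or end the first rule with `by * break` instead of `by * none` so evaluation continues to the second one).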
3389 | |
3390 | === added file 'monitor/database.ldif' |
3391 | --- monitor/database.ldif 1970-01-01 00:00:00 +0000 |
3392 | +++ monitor/database.ldif 2010-07-19 21:25:56 +0000 |
3393 | @@ -0,0 +1,7 @@ |
3394 | +dn: olcDatabase=monitor,cn=config |
3395 | +changetype: add |
3396 | +objectClass: olcMonitorConfig |
3397 | +objectClass: olcDatabaseConfig |
3398 | +objectClass: olcConfig |
3399 | +olcDatabase: monitor |
3400 | +olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth |
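Review bot: olcRootDN is the raw SASL EXTERNAL peercred identity `gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth`. On a cn=config that carries an olcAuthzRegexp rewriting that identity (the removed openldap-dit-setup.sh further down expects local root to come back from ldapwhoami as `dn:cn=localroot,cn=config`), the rewritten DN never equals this rootdn, so root loses the rootdn bypass on the monitor database and falls through to acl.ldif, where `by * none` applies. Either match the identity the core package actually maps root to, or drop olcRootDN here and give the mapped identity an explicit `by dn.exact=... read` in the ACL.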
3401 | |
3402 | === added file 'monitor/modules.ldif' |
3403 | --- monitor/modules.ldif 1970-01-01 00:00:00 +0000 |
3404 | +++ monitor/modules.ldif 2010-07-19 21:25:56 +0000 |
3405 | @@ -0,0 +1,4 @@ |
3406 | +dn: cn=module,cn=config |
3407 | +changetype: modify |
3408 | +add: olcModuleLoad |
3409 | +olcModuleLoad: back_monitor.la |
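Review bot: the three files in this directory must be applied in the order modules.ldif, database.ldif, acl.ldif (back_monitor.la has to be loaded before olcDatabase=monitor can be added, and the ACL modify needs that database to exist), which is the reverse of how the names sort; a glob loop like the removed openldap-dit-setup.sh's add_ldif would apply them as acl, database, modules and fail on the first one. Please make whatever applies the directory order them explicitly or number the files. Also, this modify is not idempotent: re-running it on a server that already has `olcModuleLoad: back_monitor.la` is rejected, so the postinst should check cn=module,cn=config before adding.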
3410 | |
3411 | === removed file 'openldap-dit-setup.sh' |
3412 | --- openldap-dit-setup.sh 2009-12-02 20:23:12 +0000 |
3413 | +++ openldap-dit-setup.sh 1970-01-01 00:00:00 +0000 |
3414 | @@ -1,394 +0,0 @@ |
3415 | -#!/bin/bash |
3416 | - |
3417 | -if [ "`id -u`" != "0" ]; then |
3418 | - echo "Error, must be root user" |
3419 | - exit 1 |
3420 | -fi |
3421 | - |
3422 | -LDAPWHOAMI="ldapwhoami -H ldapi:/// -Y EXTERNAL -Q" |
3423 | -LDAPADD="ldapadd -H ldapi:/// -Y EXTERNAL -Q" |
3424 | -LDAPMODIFY="ldapmodify -H ldapi:/// -Y EXTERNAL -Q" |
3425 | -LDAPPASSWD="ldappasswd -H ldapi:/// -Y EXTERNAL -Q" |
3426 | - |
3427 | -function distro_guess() |
3428 | -{ |
3429 | -#$ cat /etc/lsb-release |
3430 | -#DISTRIB_ID=Ubuntu |
3431 | -#DISTRIB_RELEASE=8.04 |
3432 | -#DISTRIB_CODENAME=hardy |
3433 | -#DISTRIB_DESCRIPTION="Ubuntu 8.04" |
3434 | - if [ -r "/etc/lsb-release" ]; then |
3435 | - source /etc/lsb-release |
3436 | - else |
3437 | - echo "Can't guess distro name (no /etc/lsb-release or it's not readable)" |
3438 | - exit 1 |
3439 | - fi |
3440 | - if [ -z "$DISTRIB_ID" -o -z "$DISTRIB_RELEASE" ]; then |
3441 | - echo "No DISTRIB_ID or DISTRIB_RELEASE variable(s) in /etc/lsb-release" |
3442 | - exit 1 |
3443 | - fi |
3444 | - DISTRIB_ID=`echo $DISTRIB_ID | tr A-Z a-z` |
3445 | - export DISTRIB_ID DISTRIB_RELEASE |
3446 | - echo $DISTRIB_ID |
3447 | - return 0 |
3448 | -} |
3449 | - |
3450 | -function ubuntu_setup() |
3451 | -{ |
3452 | - if [ -x /usr/sbin/invoke-rc.d ]; then |
3453 | - SERVICE="/usr/sbin/invoke-rc.d slapd" |
3454 | - else |
3455 | - SERVICE="/etc/init.d/slapd" |
3456 | - fi |
3457 | - export root="/usr/share/slapd/openldap-dit" |
3458 | - export databases_dir="$root/databases" |
3459 | - export schemas_dir="$root/schemas" |
3460 | - export acls_dir="$root/acls" |
3461 | - export modules_dir="$root/modules" |
3462 | - export overlays_dir="$root/overlays" |
3463 | - export contents_dir="$root/contents" |
3464 | - |
3465 | - for package in slapd ldap-utils libsasl2-modules; do |
3466 | - if ! dpkg -l $package 2>/dev/null | grep -q ^ii; then |
3467 | - echo "Error, please install package $package" |
3468 | - exit 1 |
3469 | - fi |
3470 | - done |
3471 | - |
3472 | - return 0 |
3473 | -} |
3474 | - |
3475 | -function usage() { |
3476 | - echo "Usage:" |
3477 | - echo "$0 [-h | --help] [-v] [-d <dnsdomain>] [-p <password>] [-y]" |
3478 | - echo |
3479 | - echo "-h | --help : shows this help" |
3480 | - echo "-v : verbose mode" |
3481 | - echo "-d <dnsdomain> : use <dnsdomain> for dns domain" |
3482 | - echo "-p <password> : use <password> for LDAP Admin password" |
3483 | - echo |
3484 | - echo "-y : assume default answer in all prompts " |
3485 | - echo " except the password one" |
3486 | -} |
3487 | - |
3488 | -function echo_v() { |
3489 | - if [ -n "$verbose" ]; then |
3490 | - echo "== $@" |
3491 | - fi |
3492 | -} |
3493 | - |
3494 | -# output: stdout: example.com or the possible detected domain |
3495 | -function detect_domain() { |
3496 | - mydomain=`hostname -d` |
3497 | - if [ -z "$mydomain" ]; then |
3498 | - mydomain="example.com" |
3499 | - fi |
3500 | - echo "$mydomain" |
3501 | - return 0 |
3502 | -} |
3503 | - |
3504 | -# $1: domain |
3505 | -# returns standard dc=foo,dc=bar suffix on stdout |
3506 | -function calc_suffix() { |
3507 | - old_ifs=${IFS} |
3508 | - IFS="." |
3509 | - for component in $1; do |
3510 | - result="$result,dc=$component" |
3511 | - done |
3512 | - IFS="${old_ifs}" |
3513 | - echo "${result#,}" |
3514 | - return 0 |
3515 | -} |
3516 | - |
3517 | -# test if sasl external works and maps us to something |
3518 | -function test_auth() { |
3519 | - out=$($LDAPWHOAMI) |
3520 | - [ "$?" -ne "0" ] && return 1 |
3521 | - # XXX - too specific for ubuntu's ldap deployment... |
3522 | - # a better test would be slapacl, but I couldn't get it |
3523 | - # to work |
3524 | - if [ "$out" = "dn:cn=localroot,cn=config" ]; then |
3525 | - return 0 |
3526 | - else |
3527 | - return 1 |
3528 | - fi |
3529 | -} |
3530 | - |
3531 | -function get_admin_password() { |
3532 | - echo |
3533 | - echo "Administrator account" |
3534 | - echo |
3535 | - echo "The administrator account for this directory is" |
3536 | - echo "uid=LDAP Admin,ou=System Accounts,$mysuffix" |
3537 | - echo |
3538 | - echo "Please choose a password for this account:" |
3539 | - while /bin/true; do |
3540 | - echo -n "New password: " |
3541 | - stty -echo |
3542 | - read pass1 |
3543 | - stty echo |
3544 | - echo |
3545 | - if [ -z "$pass1" ]; then |
3546 | - echo "Error, password cannot be empty" |
3547 | - echo |
3548 | - continue |
3549 | - fi |
3550 | - echo -n "Repeat new password: " |
3551 | - stty -echo |
3552 | - read pass2 |
3553 | - stty echo |
3554 | - echo |
3555 | - if [ "$pass1" != "$pass2" ]; then |
3556 | - echo "Error, passwords don't match" |
3557 | - echo |
3558 | - continue |
3559 | - fi |
3560 | - pass="$pass1" |
3561 | - break |
3562 | - done |
3563 | - if [ -n "$pass" ]; then |
3564 | - return 0 |
3565 | - fi |
3566 | - return 1 |
3567 | -} |
3568 | - |
3569 | -function check_result() { |
3570 | - if [ "$1" -ne "0" ]; then |
3571 | - echo "ERROR, aborting" |
3572 | - exit 1 |
3573 | - else |
3574 | - echo "Succeeded!" |
3575 | - fi |
3576 | -} |
3577 | - |
3578 | -# $1: descriptive text of what is being added |
3579 | -# $2: directory where the files are |
3580 | -# $3: optional sed expression to use |
3581 | -function add_ldif() { |
3582 | - echo "Adding $1..." |
3583 | - for n in $2/*.ldif; do |
3584 | - if [ -z "$n" ]; then |
3585 | - echo "Error, no file to use!" |
3586 | - return 1 |
3587 | - fi |
3588 | - if [ -z "$3" ]; then |
3589 | - cat "$n" | $LDAPADD |
3590 | - else |
3591 | - cat "$n" | sed -e "$3" | $LDAPADD |
3592 | - fi |
3593 | - if [ "$?" -ne "0" ]; then |
3594 | - echo "Error using \"$n\", aborting" |
3595 | - exit 1 |
3596 | - fi |
3597 | - done |
3598 | - return 0 |
3599 | -} |
3600 | - |
3601 | -# $1: descriptive text of what is being added |
3602 | -# $2: directory where the files are |
3603 | -# $3: optional sed expression to use |
3604 | -function modify_ldif() { |
3605 | - echo "Modifying $1..." |
3606 | - for n in $2/*.ldif; do |
3607 | - if [ -z "$n" ]; then |
3608 | - echo "Error, no file to use!" |
3609 | - return 1 |
3610 | - fi |
3611 | - if [ -z "$3" ]; then |
3612 | - cat "$n" | $LDAPMODIFY |
3613 | - else |
3614 | - cat "$n" | sed -e "$3" | $LDAPMODIFY |
3615 | - fi |
3616 | - if [ "$?" -ne "0" ]; then |
3617 | - echo "Error using \"$n\", aborting" |
3618 | - return 1 |
3619 | - fi |
3620 | - done |
3621 | - return 0 |
3622 | -} |
3623 | - |
3624 | -function add_modules() { |
3625 | - add_ldif "modules" "$modules_dir" |
3626 | - return 0 |
3627 | -} |
3628 | - |
3629 | -function add_schemas() { |
3630 | - add_ldif "schemas" "$schemas_dir" |
3631 | - return 0 |
3632 | -} |
3633 | - |
3634 | -function add_db () { |
3635 | - add_ldif "database" "$databases_dir" "s/@SUFFIX@/$mysuffix/g" |
3636 | - return 0 |
3637 | -} |
3638 | - |
3639 | -function modify_acls() { |
3640 | - modify_ldif "ACLs" "$acls_dir" "s/@SUFFIX@/$mysuffix/g" |
3641 | - return 0 |
3642 | -} |
3643 | - |
3644 | -function add_overlays() { |
3645 | - add_ldif "overlays" "$overlays_dir" "s/@SUFFIX@/$mysuffix/g" |
3646 | - return 0 |
3647 | -} |
3648 | - |
3649 | -function populate_db() { |
3650 | - add_ldif "populated database" "$contents_dir" "s/@SUFFIX@/$mysuffix/g;s/@DC@/${mydomain%%.[a-zA-Z0-9]*}/g;s/@DOMAIN@/${mydomain}/g" |
3651 | - return 0 |
3652 | -} |
3653 | - |
3654 | -function set_admin_password() { |
3655 | - echo "Setting the admin password..." |
3656 | - # XXX - password will show up briefly in the command line and process |
3657 | - # list |
3658 | - $LDAPPASSWD -s "$pass" "uid=LDAP Admin,ou=System Accounts,$mysuffix" |
3659 | - return $? |
3660 | -} |
3661 | - |
3662 | - |
3663 | -now=`date +%s` |
3664 | -myfqdn=`hostname -f` |
3665 | -verbose= |
3666 | -noprompt= |
3667 | -if [ -z "$myfqdn" ]; then |
3668 | - myfqdn="localhost" |
3669 | -fi |
3670 | -distro=`distro_guess` |
3671 | -${distro}_setup |
3672 | - |
3673 | -while [ -n "$1" ]; do |
3674 | - case "$1" in |
3675 | - -h | --help) |
3676 | - usage |
3677 | - exit 1 |
3678 | - ;; |
3679 | - -v) |
3680 | - verbose=1 |
3681 | - shift |
3682 | - ;; |
3683 | - -d) |
3684 | - shift |
3685 | - if [ -n "$1" -a "${1##-}" != "${1}" -o -z "${1}" ]; then |
3686 | - echo "Error, -d requires an argument" |
3687 | - exit 1 |
3688 | - fi |
3689 | - mydomain="$1" |
3690 | - shift |
3691 | - ;; |
3692 | - -p) |
3693 | - shift |
3694 | - if [ -n "$1" -a "${1##-}" != "${1}" -o -z "${1}" ]; then |
3695 | - echo "Error, -p requires an argument" |
3696 | - exit 1 |
3697 | - fi |
3698 | - mypass="$1" |
3699 | - shift |
3700 | - ;; |
3701 | - -y) |
3702 | - noprompt=1 |
3703 | - shift |
3704 | - ;; |
3705 | - esac |
3706 | -done |
3707 | - |
3708 | -echo_v |
3709 | -echo_v "Running in verbose mode" |
3710 | -echo_v |
3711 | - |
3712 | - |
3713 | -# testing |
3714 | -echo "Testing administrative access to local ldap server" |
3715 | -test_auth |
3716 | -if [ "$?" -eq "0" ]; then |
3717 | - echo "Success!" |
3718 | -else |
3719 | - echo "FAILURE!" |
3720 | - echo "Command \"$LDAPWHOAMI\" failed" |
3721 | - exit 1 |
3722 | -fi |
3723 | - |
3724 | -if [ -z "$mydomain" ]; then |
3725 | - mydomain=`detect_domain` |
3726 | - if [ -z "$noprompt" ]; then |
3727 | - echo "Please enter your DNS domain name [$mydomain]:" |
3728 | - read inputdomain |
3729 | - if [ -n "$inputdomain" ]; then |
3730 | - mydomain="$inputdomain" |
3731 | - fi |
3732 | - fi |
3733 | -fi |
3734 | -mysuffix=`calc_suffix $mydomain` |
3735 | - |
3736 | -if [ -z "$mypass" ]; then |
3737 | - get_admin_password |
3738 | -else |
3739 | - pass="$mypass" |
3740 | -fi |
3741 | - |
3742 | -# confirmation |
3743 | -echo |
3744 | -echo |
3745 | -echo "Summary" |
3746 | -echo "=======" |
3747 | -echo |
3748 | -echo "Domain: $mydomain" |
3749 | -echo "LDAP suffix: $mysuffix" |
3750 | -echo "Administrator: uid=LDAP Admin,ou=System Accounts,$mysuffix" |
3751 | -echo |
3752 | -if [ -z "$noprompt" ]; then |
3753 | - echo "Confirm? (Y/n)" |
3754 | - read val |
3755 | - if [ "$val" = "n" -o "$val" = "N" ]; then |
3756 | - echo |
3757 | - echo "Cancelled." |
3758 | - exit 1 |
3759 | - fi |
3760 | -fi |
3761 | - |
3762 | -# steps: |
3763 | -# - add modules |
3764 | -# - add schema |
3765 | -# - add db + its acls |
3766 | -# - modify frontend acls |
3767 | -# - modify config acls |
3768 | -# - add overlays |
3769 | -# - populate db |
3770 | -# - set password for admin |
3771 | - |
3772 | -add_modules |
3773 | -check_result $? |
3774 | - |
3775 | -add_schemas |
3776 | -check_result $? |
3777 | - |
3778 | -add_db |
3779 | -check_result $? |
3780 | - |
3781 | -modify_acls |
3782 | -check_result $? |
3783 | - |
3784 | -add_overlays |
3785 | -check_result $? |
3786 | - |
3787 | -populate_db |
3788 | -check_result $? |
3789 | - |
3790 | -set_admin_password |
3791 | -check_result $? |
3792 | - |
3793 | -echo |
3794 | -echo "Finished, doing one last restart..." |
3795 | -/etc/init.d/slapd restart |
3796 | -check_result $? |
3797 | - |
3798 | -echo |
3799 | -echo "Done, enjoy!" |
3800 | -echo |
3801 | -echo "Remember: this is your administrator bind dn:" |
3802 | -echo "uid=LDAP Admin,ou=System Accounts,$mysuffix" |
3803 | -echo |
3804 | -echo "You can use it in double quotes in the command line, like:" |
3805 | -echo "ldapwhoami -x -D \"uid=LDAP Admin,ou=System Accounts,$mysuffix\" -W " |
3806 | -echo |
3807 | - |
3808 | - |
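Review bot: two things in the removed script need an explicit home in the replacement scripts. First, the guards that run before any LDIF is applied: the root check at the top and test_auth, which aborts unless SASL EXTERNAL over ldapi:/// maps to an administrative identity. Second, set_admin_password, whose own XXX comment admits it passes the password on the ldappasswd command line (`-s "$pass"`), where it is visible in the process list for the duration of the call; the `-p <password>` option has the same exposure in the script's own argv. The replacement should read the password from a mode-0600 temporary file via `ldappasswd -T <file>` (or prompt with `-S`) rather than carry the `-s` form over.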
3809 | |
3810 | === removed directory 'overlays' |
3811 | === removed file 'overlays/1_add-ppolicy-overlay.ldif' |
3812 | --- overlays/1_add-ppolicy-overlay.ldif 2009-12-02 19:40:56 +0000 |
3813 | +++ overlays/1_add-ppolicy-overlay.ldif 1970-01-01 00:00:00 +0000 |
3814 | @@ -1,6 +0,0 @@ |
3815 | -dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config |
3816 | -objectClass: olcOverlayConfig |
3817 | -objectClass: olcPPolicyConfig |
3818 | -olcOverlay: ppolicy |
3819 | -olcPPolicyDefault: cn=default,ou=password policies,@SUFFIX@ |
3820 | - |
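Review bot: removing this file drops the ppolicy overlay together with `olcPPolicyDefault: cn=default,ou=password policies,@SUFFIX@`, and nothing in this part of the diff re-adds it. If it moved into the core package, please say so in the changelog; otherwise fresh installs silently lose password-policy enforcement (lockout, history, expiry) that the previous layout provided.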
3821 | |
3822 | === removed file 'overlays/2_add-unique-overlay.ldif' |
3823 | --- overlays/2_add-unique-overlay.ldif 2009-12-02 19:40:56 +0000 |
3824 | +++ overlays/2_add-unique-overlay.ldif 1970-01-01 00:00:00 +0000 |
3825 | @@ -1,11 +0,0 @@ |
3826 | -dn: olcOverlay=unique,olcDatabase={1}hdb,cn=config |
3827 | -objectClass: olcUniqueConfig |
3828 | -objectClass: olcOverlayConfig |
3829 | -objectClass: olcConfig |
3830 | -objectClass: top |
3831 | -olcOverlay: unique |
3832 | -olcUniqueURI: ldap:///ou=People,@SUFFIX@?uidNumber |
3833 | - ?one?(objectClass=posixAccount) |
3834 | -olcUniqueURI: ldap:///ou=Group,@SUFFIX@?gidNumber?one?(objectClass=po |
3835 | - sixGroup) |
3836 | - |
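Review bot: this overlay enforced uniqueness of uidNumber under ou=People and gidNumber under ou=Group; with the file removed and no replacement visible here, two POSIX accounts can be created with the same uidNumber, which the operating system treats as one identity. Please confirm the unique overlay moves to whichever package now owns ou=People and ou=Group, or restore it.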
3837 | |
3838 | === removed file 'overlays/3_add-syncprov-overlay.ldif' |
3839 | --- overlays/3_add-syncprov-overlay.ldif 2009-12-02 19:40:56 +0000 |
3840 | +++ overlays/3_add-syncprov-overlay.ldif 1970-01-01 00:00:00 +0000 |
3841 | @@ -1,9 +0,0 @@ |
3842 | -dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config |
3843 | -objectClass: olcSyncProvConfig |
3844 | -objectClass: olcOverlayConfig |
3845 | -objectClass: olcConfig |
3846 | -objectClass: top |
3847 | -olcOverlay: syncprov |
3848 | -olcSpCheckpoint: 100 10 |
3849 | -olcSpSessionlog: 100 |
3850 | - |
3851 | |
3852 | === removed file 'overlays/4_add-refint-overlay.ldif' |
3853 | --- overlays/4_add-refint-overlay.ldif 2009-12-02 19:40:56 +0000 |
3854 | +++ overlays/4_add-refint-overlay.ldif 1970-01-01 00:00:00 +0000 |
3855 | @@ -1,10 +0,0 @@ |
3856 | -dn: olcOverlay=refint,olcDatabase={1}hdb,cn=config |
3857 | -olcOverlay: refint |
3858 | -objectClass: olcConfig |
3859 | -objectClass: olcOverlayConfig |
3860 | -objectClass: olcRefintConfig |
3861 | -olcRefintAttribute: member |
3862 | -olcRefintAttribute: krbObjectReferences |
3863 | -olcRefintAttribute: krbPwdPolicyReference |
3864 | -olcRefintNothing: cn=localroot,cn=config |
3865 | - |
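Review bot: the removed definition also carried `olcRefintAttribute: member` and `olcRefintNothing: cn=localroot,cn=config`; the new mit-kerberos/mit-refint-overlay.ldif only adds the two krb attributes, so unless the core package creates the refint overlay with `member` and the olcRefintNothing placeholder, deleting a user entry no longer removes it from group memberships, and refint has no substitute DN to use when it would otherwise empty a MUST attribute. Please confirm both settings are present in whatever now creates the overlay.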
3866 | |
3867 | === added directory 'replication' |
3868 | === added file 'replication/replication-acl.ldif' |
3869 | --- replication/replication-acl.ldif 1970-01-01 00:00:00 +0000 |
3870 | +++ replication/replication-acl.ldif 2010-07-19 21:25:56 +0000 |
3871 | @@ -0,0 +1,7 @@ |
3872 | +olcAccess: {0}to dn.subtree="@SUFFIX@" |
3873 | + by group/groupOfMembers/member.exact="cn=ldap replicators,ou=system groups,@SUFFIX@" read |
3874 | + by * break |
3875 | + |
3876 | +olcLimits: {0}group/groupOfMembers/member="cn=ldap replicators,ou=system groups,@SUFFIX@" |
3877 | + size=unlimited |
3878 | + time=unlimited |
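Review bot: this file has no `dn:`/`changetype:` header, unlike every other LDIF in the branch, so it cannot be fed to ldapmodify on its own; if the install scripts splice it into a database modify, a leading comment saying so would help the next reader. On the substance, `{0}` places the replicators' `read` on the whole subtree ahead of every password-attribute rule, which is what a syncrepl consumer needs (it has to receive userPassword and the samba hashes), but it also means any member of `cn=ldap replicators` can read every credential hash in the DIT; the README should state that the group must contain only the replicator account, and the accompanying olcLimits entry removes the size/time limits for that group, so that is consistent.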
3879 | |
3880 | === added file 'replication/replication-dit.ldif' |
3881 | --- replication/replication-dit.ldif 1970-01-01 00:00:00 +0000 |
3882 | +++ replication/replication-dit.ldif 2010-07-19 21:25:56 +0000 |
3883 | @@ -0,0 +1,14 @@ |
3884 | +dn: uid=LDAP Replicator,ou=System Accounts,@SUFFIX@ |
3885 | +uid: LDAP Replicator |
3886 | +objectClass: account |
3887 | +objectClass: simpleSecurityObject |
3888 | +userPassword: {CRYPT}x |
3889 | +description: Account used by consumer servers for replication |
3890 | + |
3891 | +dn: cn=LDAP Replicators,ou=System Groups,@SUFFIX@ |
3892 | +cn: LDAP Replicators |
3893 | +objectClass: groupOfMembers |
3894 | +description: Members can be used for syncrepl replication |
3895 | +owner: uid=LDAP Replicator,ou=System Accounts,@SUFFIX@ |
3896 | +member: uid=LDAP Replicator,ou=System Accounts,@SUFFIX@ |
3897 | + |
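Review bot: `userPassword: {CRYPT}x` cannot match any password (crypt never produces a one-character hash), so the replicator account is locked until a real hash is set. That is the right default for an account that can read every credential, but nothing in this hunk says how or when the password gets set; please document it (README or the usersandgroups/replication postinst) and make the description line reflect that the account is disabled until then.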
3898 | |
3899 | === added file 'replication/replication-modules.ldif' |
3900 | --- replication/replication-modules.ldif 1970-01-01 00:00:00 +0000 |
3901 | +++ replication/replication-modules.ldif 2010-07-19 21:25:56 +0000 |
3902 | @@ -0,0 +1,4 @@ |
3903 | +dn: cn=module,cn=config |
3904 | +changetype: add |
3905 | +add: olcModuleLoad |
3906 | +olcModuleLoad: syncprov.la |
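Review bot: `changetype: add` combined with `add: olcModuleLoad` is malformed. Under changetype add, `add: olcModuleLoad` is parsed as an attribute named `add`, and cn=module,cn=config already exists, so ldapmodify rejects the record either way and syncprov.la is never loaded. This should be `changetype: modify`, exactly as monitor/modules.ldif has it.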
3907 | |
3908 | === added file 'replication/syncprov-overlay.ldif' |
3909 | --- replication/syncprov-overlay.ldif 1970-01-01 00:00:00 +0000 |
3910 | +++ replication/syncprov-overlay.ldif 2010-07-19 21:25:56 +0000 |
3911 | @@ -0,0 +1,9 @@ |
3912 | +dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config |
3913 | +objectClass: olcSyncProvConfig |
3914 | +objectClass: olcOverlayConfig |
3915 | +objectClass: olcConfig |
3916 | +objectClass: top |
3917 | +olcOverlay: syncprov |
3918 | +olcSpCheckpoint: 100 10 |
3919 | +olcSpSessionlog: 100 |
3920 | + |
3921 | |
3922 | === added directory 'samba' |
3923 | === added file 'samba/samba-acl.ldif' |
3924 | --- samba/samba-acl.ldif 1970-01-01 00:00:00 +0000 |
3925 | +++ samba/samba-acl.ldif 2010-07-19 21:25:56 +0000 |
3926 | @@ -0,0 +1,47 @@ |
3927 | +dn: olcDatabase={1}hdb,cn=config |
3928 | +changetype: modify |
3929 | +add: olcDbIndex |
3930 | +olcDbIndex: sambaDomainName eq |
3931 | +- |
3932 | +add: olcDbIndex |
3933 | +olcDbIndex: sambaSID eq,sub |
3934 | +- |
3935 | +add: olcDbIndex |
3936 | +olcDbIndex: sambaGroupType eq |
3937 | +- |
3938 | +add: olcDbIndex |
3939 | +olcDbIndex: sambaSIDList eq |
3940 | +- |
3941 | +delete: olcAccess |
3942 | +olcAccess: to dn.subtree="@SUFFIX@" by * read |
3943 | +- |
3944 | +add: olcAccess |
3945 | +olcAccess: to dn.subtree="@SUFFIX@" |
3946 | + attrs=sambaLMPassword,sambaNTPassword |
3947 | + by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write |
3948 | + by anonymous auth |
3949 | + by self write |
3950 | + by * none |
3951 | +- |
3952 | +add: olcAccess |
3953 | +olcAccess: to dn.subtree="@SUFFIX@" |
3954 | + attrs=sambaPasswordHistory,pwdHistory |
3955 | + by self read |
3956 | + by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write |
3957 | + by * none |
3958 | +- |
3959 | +add: olcAccess |
3960 | +olcAccess: to dn.regex="^(sambaDomainName=[^,]+,)?@SUFFIX@$" |
3961 | + attrs=children,entry,@sambaDomain,@sambaUnixIdPool |
3962 | + by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write |
3963 | + by * read |
3964 | +- |
3965 | +add: olcAccess |
3966 | +olcAccess: to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,@SUFFIX@$" |
3967 | + attrs=children,entry,@sambaIdmapEntry |
3968 | + by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write |
3969 | + by group/groupOfMembers/member.exact="cn=idmap admins,ou=system groups,@SUFFIX@" write |
3970 | + by * read |
3971 | +- |
3972 | +add: olcAccess |
3973 | +olcAccess: to dn.subtree="@SUFFIX@" by * read |
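Review bot: the `delete: olcAccess` / `olcAccess: to dn.subtree="@SUFFIX@" by * read` step relies on that exact string matching the stored value; cn=config stores olcAccess values with a `{n}` index prefix and the catch-all's actual text on an installed system is not visible here, so the delete can fail with a no-such-value error, and because all of these changes form one modify record they are rejected together, leaving neither the indexes nor the sambaLMPassword/sambaNTPassword protections in place. Deleting by index looked up at install time, or replacing the whole olcAccess list in one `replace:`, is more robust. The intended ordering is otherwise right: the password and sambaPasswordHistory rules are appended before the re-added `by * read` catch-all, so the hashes are never exposed by the default rule.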
3974 | |
3975 | === added file 'samba/samba-dit.ldif' |
3976 | --- samba/samba-dit.ldif 1970-01-01 00:00:00 +0000 |
3977 | +++ samba/samba-dit.ldif 2010-07-19 21:25:56 +0000 |
3978 | @@ -0,0 +1,19 @@ |
3979 | +dn: ou=Idmap,@SUFFIX@ |
3980 | +ou: Idmap |
3981 | +objectClass: organizationalUnit |
3982 | +description: Container for Samba Winbind ID mappings |
3983 | + |
3984 | +dn: uid=Idmap Admin,ou=System Accounts,@SUFFIX@ |
3985 | +uid: Idmap Admin |
3986 | +objectClass: account |
3987 | +objectClass: simpleSecurityObject |
3988 | +userPassword: {CRYPT}x |
3989 | +description: Account used to administer Samba Winbind ID mapping related entries and attributes |
3990 | + |
3991 | +dn: cn=Idmap Admins,ou=System Groups,@SUFFIX@ |
3992 | +cn: Idmap Admins |
3993 | +objectClass: groupOfMembers |
3994 | +description: Members can administer ou=Idmap entries and attributes |
3995 | +owner: uid=Idmap Admin,ou=System Accounts,@SUFFIX@ |
3996 | +member: uid=Idmap Admin,ou=System Accounts,@SUFFIX@ |
3997 | + |
3998 | |
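Review bot: `userPassword: {CRYPT}x` on `uid=Idmap Admin` is the conventional locked value (no crypt(3) output is ever equal to the single character `x`), so as committed the account cannot bind. If the package's postinst is meant to replace it, say so in a `#` comment in the LDIF; if not, the password should be generated at install time rather than shipped as a fixed string. Also, the group is created here as `cn=Idmap Admins,ou=System Groups` while the ACL in the previous hunk refers to `cn=idmap admins,ou=system groups`; DN matching is case-insensitive so the ACL still resolves, but using the same case in both files makes the configuration greppable.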
3999 | === added file 'samba/samba-schema.ldif' |
4000 | --- samba/samba-schema.ldif 1970-01-01 00:00:00 +0000 |
4001 | +++ samba/samba-schema.ldif 2010-07-19 21:25:56 +0000 |
4002 | @@ -0,0 +1,175 @@ |
4003 | +dn: cn=samba,cn=schema,cn=config |
4004 | +objectClass: olcSchemaConfig |
4005 | +cn: samba |
4006 | +olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'L |
4007 | + anManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1 |
4008 | + 21.1.26{32} SINGLE-VALUE ) |
4009 | +olcAttributeTypes: {1}( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'M |
4010 | + D4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4 |
4011 | + .1.1466.115.121.1.26{32} SINGLE-VALUE ) |
4012 | +olcAttributeTypes: {2}( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Ac |
4013 | + count Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 |
4014 | + {16} SINGLE-VALUE ) |
4015 | +olcAttributeTypes: {3}( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'T |
4016 | + imestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.1.4. |
4017 | + 1.1466.115.121.1.27 SINGLE-VALUE ) |
4018 | +olcAttributeTypes: {4}( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC |
4019 | + 'Timestamp of when the user is allowed to update the password' EQUALITY integ |
4020 | + erMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) |
4021 | +olcAttributeTypes: {5}( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DESC |
4022 | + 'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1. |
4023 | + 3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) |
4024 | +olcAttributeTypes: {6}( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'Ti |
4025 | + mestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121. |
4026 | + 1.27 SINGLE-VALUE ) |
4027 | +olcAttributeTypes: {7}( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'T |
4028 | + imestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.12 |
4029 | + 1.1.27 SINGLE-VALUE ) |
4030 | +olcAttributeTypes: {8}( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC ' |
4031 | + Timestamp of when the user will be logged off automatically' EQUALITY integer |
4032 | + Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) |
4033 | +olcAttributeTypes: {9}( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' D |
4034 | + ESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.146 |
4035 | + 6.115.121.1.27 SINGLE-VALUE ) |
4036 | +olcAttributeTypes: {10}( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' D |
4037 | + ESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3. |
4038 | + 6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) |
4039 | +olcAttributeTypes: {11}( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC ' |
4040 | + Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 |
4041 | + {42} SINGLE-VALUE ) |
4042 | +olcAttributeTypes: {12}( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'D |
4043 | + river letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTAX 1. |
4044 | + 3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE ) |
4045 | +olcAttributeTypes: {13}( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC |
4046 | + 'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121. |
4047 | + 1.15{255} SINGLE-VALUE ) |
4048 | +olcAttributeTypes: {14}( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC |
4049 | + 'Roaming profile path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.1 |
4050 | + 21.1.15{255} SINGLE-VALUE ) |
4051 | +olcAttributeTypes: {15}( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' |
4052 | + DESC 'List of user workstations the user is allowed to logon to' EQUALITY cas |
4053 | + eIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) |
4054 | +olcAttributeTypes: {16}( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Ho |
4055 | + me directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.1 |
4056 | + 21.1.15{128} ) |
4057 | +olcAttributeTypes: {17}( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC ' |
4058 | + Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX |
4059 | + 1.3.6.1.4.1.1466.115.121.1.15{128} ) |
4060 | +olcAttributeTypes: {18}( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC ' |
4061 | + Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1. |
4062 | + 4.1.1466.115.121.1.15{1050} ) |
4063 | +olcAttributeTypes: {19}( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' D |
4064 | + ESC 'Concatenated MD4 hashes of the unicode passwords used on this account' E |
4065 | + QUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} ) |
4066 | +olcAttributeTypes: {20}( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Securit |
4067 | + y ID' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1 |
4068 | + .3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) |
4069 | +olcAttributeTypes: {21}( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' D |
4070 | + ESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4. |
4071 | + 1.1466.115.121.1.26{64} SINGLE-VALUE ) |
4072 | +olcAttributeTypes: {22}( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'Sec |
4073 | + urity ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1. |
4074 | + 26{64} ) |
4075 | +olcAttributeTypes: {23}( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'N |
4076 | + T Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SING |
4077 | + LE-VALUE ) |
4078 | +olcAttributeTypes: {24}( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC |
4079 | + 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1. |
4080 | + 1466.115.121.1.27 SINGLE-VALUE ) |
4081 | +olcAttributeTypes: {25}( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC |
4082 | + 'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4. |
4083 | + 1.1466.115.121.1.27 SINGLE-VALUE ) |
4084 | +olcAttributeTypes: {26}( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Nex |
4085 | + t NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1 |
4086 | + 466.115.121.1.27 SINGLE-VALUE ) |
4087 | +olcAttributeTypes: {27}( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase |
4088 | + ' DESC 'Base at which the samba RID generation algorithm should operate' EQUA |
4089 | + LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) |
4090 | +olcAttributeTypes: {28}( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC 'S |
4091 | + hare Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SING |
4092 | + LE-VALUE ) |
4093 | +olcAttributeTypes: {29}( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC ' |
4094 | + Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX |
4095 | + 1.3.6.1.4.1.1466.115.121.1.15{256} ) |
4096 | +olcAttributeTypes: {30}( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' DESC ' |
4097 | + A boolean option' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 S |
4098 | + INGLE-VALUE ) |
4099 | +olcAttributeTypes: {31}( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' DES |
4100 | + C 'An integer option' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1 |
4101 | + .27 SINGLE-VALUE ) |
4102 | +olcAttributeTypes: {32}( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' DESC |
4103 | + 'A string option' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121 |
4104 | + .1.26 SINGLE-VALUE ) |
4105 | +olcAttributeTypes: {33}( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption' |
4106 | + DESC 'A string list option' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466. |
4107 | + 115.121.1.15 ) |
4108 | +olcAttributeTypes: {34}( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC ' |
4109 | + Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115 |
4110 | + .121.1.26 ) |
4111 | +olcAttributeTypes: {35}( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' DESC |
4112 | + 'Minimal password length (default: 5)' EQUALITY integerMatch SYNTAX 1.3.6.1. |
4113 | + 4.1.1466.115.121.1.27 SINGLE-VALUE ) |
4114 | +olcAttributeTypes: {36}( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength' |
4115 | + DESC 'Length of Password History Entries (default: 0 => off)' EQUALITY intege |
4116 | + rMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) |
4117 | +olcAttributeTypes: {37}( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' DES |
4118 | + C 'Force Users to logon for password change (default: 0 => off, 2 => on)' EQU |
4119 | + ALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) |
4120 | +olcAttributeTypes: {38}( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC 'M |
4121 | + aximum password age, in seconds (default: -1 => never expire passwords)' EQUA |
4122 | + LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) |
4123 | +olcAttributeTypes: {39}( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC 'M |
4124 | + inimum password age, in seconds (default: 0 => allow immediate password chang |
4125 | + e)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) |
4126 | +olcAttributeTypes: {40}( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' D |
4127 | + ESC 'Lockout duration in minutes (default: 30, -1 => forever)' EQUALITY integ |
4128 | + erMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) |
4129 | +olcAttributeTypes: {41}( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservation |
4130 | + Window' DESC 'Reset time after lockout in minutes (default: 30)' EQUALITY int |
4131 | + egerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) |
4132 | +olcAttributeTypes: {42}( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold' |
4133 | + DESC 'Lockout users after bad logon attempts (default: 0 => off)' EQUALITY in |
4134 | + tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) |
4135 | +olcAttributeTypes: {43}( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DESC |
4136 | + 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUALITY |
4137 | + integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) |
4138 | +olcAttributeTypes: {44}( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdCh |
4139 | + ange' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY inte |
4140 | + gerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) |
4141 | +olcObjectClasses: {0}( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'Sam |
4142 | + ba 3.0 Auxilary SAM Account' SUP top AUXILIARY MUST ( uid $ sambaSID ) MAY ( |
4143 | + cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ s |
4144 | + ambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ |
4145 | + sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScr |
4146 | + ipt $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGr |
4147 | + oupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBad |
4148 | + PasswordTime $ sambaPasswordHistory $ sambaLogonHours ) ) |
4149 | +olcObjectClasses: {1}( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' DESC 'S |
4150 | + amba Group Mapping' SUP top AUXILIARY MUST ( gidNumber $ sambaSID $ sambaGrou |
4151 | + pType ) MAY ( displayName $ description $ sambaSIDList ) ) |
4152 | +olcObjectClasses: {2}( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' DESC |
4153 | + 'Samba Trust Password' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaNTPas |
4154 | + sword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet ) ) |
4155 | +olcObjectClasses: {3}( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' DESC 'Samba D |
4156 | + omain Information' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID ) MAY |
4157 | + ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidB |
4158 | + ase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaM |
4159 | + axPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWin |
4160 | + dow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange |
4161 | + ) ) |
4162 | +olcObjectClasses: {4}( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' DESC 'Poo |
4163 | + l for allocating UNIX uids/gids' SUP top AUXILIARY MUST ( uidNumber $ gidNumb |
4164 | + er ) ) |
4165 | +olcObjectClasses: {5}( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' DESC 'Map |
4166 | + ping from a SID to an ID' SUP top AUXILIARY MUST sambaSID MAY ( uidNumber $ g |
4167 | + idNumber ) ) |
4168 | +olcObjectClasses: {6}( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' DESC 'Struc |
4169 | + tural Class for a SID' SUP top STRUCTURAL MUST sambaSID ) |
4170 | +olcObjectClasses: {7}( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' DESC 'Samba |
4171 | + Configuration Section' SUP top AUXILIARY MAY description ) |
4172 | +olcObjectClasses: {8}( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' DESC 'Samba S |
4173 | + hare Section' SUP top STRUCTURAL MUST sambaShareName MAY description ) |
4174 | +olcObjectClasses: {9}( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' DESC ' |
4175 | + Samba Configuration Option' SUP top STRUCTURAL MUST sambaOptionName MAY ( sam |
4176 | + baBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListoption |
4177 | + $ description ) ) |
4178 | |
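Review bot: the last objectClass in this hunk (`sambaConfigOption`) lists `sambaStringListoption` in its MAY set while the attribute is defined above as `sambaStringListOption`; slapd resolves attribute names case-insensitively so the schema loads, but the spelling should match the definition. The file also has no provenance header: unlike the removed schemas/cosine.ldif further down, which carried its source and license comment block, nothing here says which upstream samba.schema version this LDIF was generated from, and that matters the next time upstream adds attributes (the DESC texts still carry upstream's 'give our for users' and 'Auxilary' typos, which suggests a verbatim conversion). A `#` comment block at the top naming the source file and version would make future re-syncs reviewable.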
4179 | === removed directory 'schemas' |
4180 | === removed file 'schemas/autofs.ldif' |
4181 | --- schemas/autofs.ldif 2009-09-11 14:25:59 +0000 |
4182 | +++ schemas/autofs.ldif 1970-01-01 00:00:00 +0000 |
4183 | @@ -1,11 +0,0 @@ |
4184 | -dn: cn=autofs,cn=schema,cn=config |
4185 | -objectClass: olcSchemaConfig |
4186 | -cn: autofs |
4187 | -olcAttributeTypes: {0}( 1.3.6.1.1.1.1.25 NAME 'automountInformation' DESC 'Inf |
4188 | - ormation used by the autofs automounter' EQUALITY caseExactIA5Match SYNTAX 1. |
4189 | - 3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
4190 | -olcObjectClasses: {0}( 1.3.6.1.1.1.1.13 NAME 'automount' DESC 'An entry in an |
4191 | - automounter map' SUP top STRUCTURAL MUST ( cn $ automountInformation ) MAY de |
4192 | - scription ) |
4193 | -olcObjectClasses: {1}( 1.3.6.1.4.1.2312.4.2.2 NAME 'automountMap' DESC 'An gro |
4194 | - up of related automount objects' SUP top STRUCTURAL MUST ou ) |
4195 | |
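Review bot: this appears as a delete of schemas/autofs.ldif rather than a rename; if these 11 lines are being moved into a per-service directory as part of the split rather than dropped, `bzr mv` would record the move, keep the file's history attached, and make the diff show only whatever actually changed in the content.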
4196 | === removed file 'schemas/cosine.ldif' |
4197 | --- schemas/cosine.ldif 2009-09-11 14:25:59 +0000 |
4198 | +++ schemas/cosine.ldif 1970-01-01 00:00:00 +0000 |
4199 | @@ -1,200 +0,0 @@ |
4200 | -# RFC1274: Cosine and Internet X.500 schema |
4201 | -# $OpenLDAP: pkg/ldap/servers/slapd/schema/cosine.ldif,v 1.1.2.4 2009/01/22 00:01:14 kurt Exp $ |
4202 | -## This work is part of OpenLDAP Software <http://www.openldap.org/>. |
4203 | -## |
4204 | -## Copyright 1998-2009 The OpenLDAP Foundation. |
4205 | -## All rights reserved. |
4206 | -## |
4207 | -## Redistribution and use in source and binary forms, with or without |
4208 | -## modification, are permitted only as authorized by the OpenLDAP |
4209 | -## Public License. |
4210 | -## |
4211 | -## A copy of this license is available in the file LICENSE in the |
4212 | -## top-level directory of the distribution or, alternatively, at |
4213 | -## <http://www.OpenLDAP.org/license.html>. |
4214 | -# |
4215 | -# RFC1274: Cosine and Internet X.500 schema |
4216 | -# |
4217 | -# This file contains LDAPv3 schema derived from X.500 COSINE "pilot" |
4218 | -# schema. As this schema was defined for X.500(89), some |
4219 | -# oddities were introduced in the mapping to LDAPv3. The |
4220 | -# mappings were based upon: draft-ietf-asid-ldapv3-attributes-03.txt |
4221 | -# (a work in progress) |
4222 | -# |
4223 | -# Note: It seems that the pilot schema evolved beyond what was |
4224 | -# described in RFC1274. However, this document attempts to describes |
4225 | -# RFC1274 as published. |
4226 | -# |
4227 | -# Depends on core.ldif |
4228 | -# |
4229 | -# This file was automatically generated from cosine.schema; see that |
4230 | -# file for complete background. |
4231 | -# |
4232 | -dn: cn=cosine,cn=schema,cn=config |
4233 | -objectClass: olcSchemaConfig |
4234 | -cn: cosine |
4235 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.2 NAME 'textEncodedORAddress' |
4236 | - EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1. |
4237 | - 1466.115.121.1.15{256} ) |
4238 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.4 NAME 'info' DESC 'RFC1274: g |
4239 | - eneral information' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
4240 | - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{2048} ) |
4241 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.5 NAME ( 'drink' 'favouriteDri |
4242 | - nk' ) DESC 'RFC1274: favorite drink' EQUALITY caseIgnoreMatch SUBSTR caseIgno |
4243 | - reSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) |
4244 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.6 NAME 'roomNumber' DESC 'RFC1 |
4245 | - 274: room number' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch S |
4246 | - YNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) |
4247 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.7 NAME 'photo' DESC 'RFC1274: |
4248 | - photo (G3 fax)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.23{25000} ) |
4249 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.8 NAME 'userClass' DESC 'RFC12 |
4250 | - 74: category of user' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMat |
4251 | - ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) |
4252 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.9 NAME 'host' DESC 'RFC1274: h |
4253 | - ost computer' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTA |
4254 | - X 1.3.6.1.4.1.1466.115.121.1.15{256} ) |
4255 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.10 NAME 'manager' DESC 'RFC127 |
4256 | - 4: DN of manager' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115 |
4257 | - .121.1.12 ) |
4258 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.11 NAME 'documentIdentifier' D |
4259 | - ESC 'RFC1274: unique identifier of document' EQUALITY caseIgnoreMatch SUBSTR |
4260 | - caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) |
4261 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.12 NAME 'documentTitle' DESC ' |
4262 | - RFC1274: title of document' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstri |
4263 | - ngsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) |
4264 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.13 NAME 'documentVersion' DES |
4265 | - C 'RFC1274: version of document' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSu |
4266 | - bstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) |
4267 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.14 NAME 'documentAuthor' DESC |
4268 | - 'RFC1274: DN of author of document' EQUALITY distinguishedNameMatch SYNTAX 1 |
4269 | - .3.6.1.4.1.1466.115.121.1.12 ) |
4270 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.15 NAME 'documentLocation' DE |
4271 | - SC 'RFC1274: location of document original' EQUALITY caseIgnoreMatch SUBSTR c |
4272 | - aseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) |
4273 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.20 NAME ( 'homePhone' 'homeTe |
4274 | - lephoneNumber' ) DESC 'RFC1274: home telephone number' EQUALITY telephoneNumb |
4275 | - erMatch SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121 |
4276 | - .1.50 ) |
4277 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.21 NAME 'secretary' DESC 'RFC |
4278 | - 1274: DN of secretary' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.146 |
4279 | - 6.115.121.1.12 ) |
4280 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.22 NAME 'otherMailbox' SYNTAX |
4281 | - 1.3.6.1.4.1.1466.115.121.1.39 ) |
4282 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.26 NAME 'aRecord' EQUALITY ca |
4283 | - seIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4284 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.27 NAME 'mDRecord' EQUALITY c |
4285 | - aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4286 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.28 NAME 'mXRecord' EQUALITY c |
4287 | - aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4288 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.29 NAME 'nSRecord' EQUALITY c |
4289 | - aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4290 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.30 NAME 'sOARecord' EQUALITY |
4291 | - caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4292 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.31 NAME 'cNAMERecord' EQUALIT |
4293 | - Y caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4294 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.38 NAME 'associatedName' DESC |
4295 | - 'RFC1274: DN of entry associated with domain' EQUALITY distinguishedNameMatc |
4296 | - h SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) |
4297 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.39 NAME 'homePostalAddress' D |
4298 | - ESC 'RFC1274: home postal address' EQUALITY caseIgnoreListMatch SUBSTR caseIg |
4299 | - noreListSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 ) |
4300 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.40 NAME 'personalTitle' DESC |
4301 | - 'RFC1274: personal title' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstring |
4302 | - sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) |
4303 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.41 NAME ( 'mobile' 'mobileTel |
4304 | - ephoneNumber' ) DESC 'RFC1274: mobile telephone number' EQUALITY telephoneNum |
4305 | - berMatch SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.12 |
4306 | - 1.1.50 ) |
4307 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.42 NAME ( 'pager' 'pagerTelep |
4308 | - honeNumber' ) DESC 'RFC1274: pager telephone number' EQUALITY telephoneNumber |
4309 | - Match SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1 |
4310 | - .50 ) |
4311 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.43 NAME ( 'co' 'friendlyCount |
4312 | - ryName' ) DESC 'RFC1274: friendly country name' EQUALITY caseIgnoreMatch SUBS |
4313 | - TR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) |
4314 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier' DE |
4315 | - SC 'RFC1274: unique identifer' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.14 |
4316 | - 66.115.121.1.15{256} ) |
4317 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.45 NAME 'organizationalStatus |
4318 | - ' DESC 'RFC1274: organizational status' EQUALITY caseIgnoreMatch SUBSTR caseI |
4319 | - gnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) |
4320 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.46 NAME 'janetMailbox' DESC ' |
4321 | - RFC1274: Janet mailbox' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subst |
4322 | - ringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) |
4323 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.47 NAME 'mailPreferenceOption |
4324 | - ' DESC 'RFC1274: mail preference option' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
4325 | - ) |
4326 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.48 NAME 'buildingName' DESC ' |
4327 | - RFC1274: name of building' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstrin |
4328 | - gsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) |
4329 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.49 NAME 'dSAQuality' DESC 'RF |
4330 | - C1274: DSA Quality' SYNTAX 1.3.6.1.4.1.1466.115.121.1.19 SINGLE-VALUE ) |
4331 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.50 NAME 'singleLevelQuality' |
4332 | - DESC 'RFC1274: Single Level Quality' SYNTAX 1.3.6.1.4.1.1466.115.121.1.13 SIN |
4333 | - GLE-VALUE ) |
4334 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.51 NAME 'subtreeMinimumQualit |
4335 | - y' DESC 'RFC1274: Subtree Mininum Quality' SYNTAX 1.3.6.1.4.1.1466.115.121.1. |
4336 | - 13 SINGLE-VALUE ) |
4337 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.52 NAME 'subtreeMaximumQualit |
4338 | - y' DESC 'RFC1274: Subtree Maximun Quality' SYNTAX 1.3.6.1.4.1.1466.115.121.1. |
4339 | - 13 SINGLE-VALUE ) |
4340 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.53 NAME 'personalSignature' D |
4341 | - ESC 'RFC1274: Personal Signature (G3 fax)' SYNTAX 1.3.6.1.4.1.1466.115.121.1. |
4342 | - 23 ) |
4343 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.54 NAME 'dITRedirect' DESC 'R |
4344 | - FC1274: DIT Redirect' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466 |
4345 | - .115.121.1.12 ) |
4346 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.55 NAME 'audio' DESC 'RFC1274 |
4347 | - : audio (u-law)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.4{25000} ) |
4348 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.56 NAME 'documentPublisher' D |
4349 | - ESC 'RFC1274: publisher of document' EQUALITY caseIgnoreMatch SUBSTR caseIgno |
4350 | - reSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) |
4351 | -olcObjectClasses: ( 0.9.2342.19200300.100.4.4 NAME ( 'pilotPerson' 'newPilo |
4352 | - tPerson' ) SUP person STRUCTURAL MAY ( userid $ textEncodedORAddress $ rfc822 |
4353 | - Mailbox $ favouriteDrink $ roomNumber $ userClass $ homeTelephoneNumber $ hom |
4354 | - ePostalAddress $ secretary $ personalTitle $ preferredDeliveryMethod $ busine |
4355 | - ssCategory $ janetMailbox $ otherMailbox $ mobileTelephoneNumber $ pagerTelep |
4356 | - honeNumber $ organizationalStatus $ mailPreferenceOption $ personalSignature |
4357 | - ) ) |
4358 | -olcObjectClasses: ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCT |
4359 | - URAL MUST userid MAY ( description $ seeAlso $ localityName $ organizationNam |
4360 | - e $ organizationalUnitName $ host ) ) |
4361 | -olcObjectClasses: ( 0.9.2342.19200300.100.4.6 NAME 'document' SUP top STRUC |
4362 | - TURAL MUST documentIdentifier MAY ( commonName $ description $ seeAlso $ loca |
4363 | - lityName $ organizationName $ organizationalUnitName $ documentTitle $ docume |
4364 | - ntVersion $ documentAuthor $ documentLocation $ documentPublisher ) ) |
4365 | -olcObjectClasses: ( 0.9.2342.19200300.100.4.7 NAME 'room' SUP top STRUCTURA |
4366 | - L MUST commonName MAY ( roomNumber $ description $ seeAlso $ telephoneNumber |
4367 | - ) ) |
4368 | -olcObjectClasses: ( 0.9.2342.19200300.100.4.9 NAME 'documentSeries' SUP top |
4369 | - STRUCTURAL MUST commonName MAY ( description $ seeAlso $ telephonenumber $ l |
4370 | - ocalityName $ organizationName $ organizationalUnitName ) ) |
4371 | -olcObjectClasses: ( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCT |
4372 | - URAL MUST domainComponent MAY ( associatedName $ organizationName $ descripti |
4373 | - on $ businessCategory $ seeAlso $ searchGuide $ userPassword $ localityName $ |
4374 | - stateOrProvinceName $ streetAddress $ physicalDeliveryOfficeName $ postalAdd |
4375 | - ress $ postalCode $ postOfficeBox $ streetAddress $ facsimileTelephoneNumber |
4376 | - $ internationalISDNNumber $ telephoneNumber $ teletexTerminalIdentifier $ tel |
4377 | - exNumber $ preferredDeliveryMethod $ destinationIndicator $ registeredAddress |
4378 | - $ x121Address ) ) |
4379 | -olcObjectClasses: ( 0.9.2342.19200300.100.4.14 NAME 'RFC822localPart' SUP d |
4380 | - omain STRUCTURAL MAY ( commonName $ surname $ description $ seeAlso $ telepho |
4381 | - neNumber $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOffi |
4382 | - ceBox $ streetAddress $ facsimileTelephoneNumber $ internationalISDNNumber $ |
4383 | - telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ preferredDelivery |
4384 | - Method $ destinationIndicator $ registeredAddress $ x121Address ) ) |
4385 | -olcObjectClasses: ( 0.9.2342.19200300.100.4.15 NAME 'dNSDomain' SUP domain |
4386 | - STRUCTURAL MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAME |
4387 | - Record ) ) |
4388 | -olcObjectClasses: ( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject' D |
4389 | - ESC 'RFC1274: an object related to an domain' SUP top AUXILIARY MUST associat |
4390 | - edDomain ) |
4391 | -olcObjectClasses: ( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry' SUP c |
4392 | - ountry STRUCTURAL MUST friendlyCountryName ) |
4393 | -olcObjectClasses: ( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization' SU |
4394 | - P ( organization $ organizationalUnit ) STRUCTURAL MAY buildingName ) |
4395 | -olcObjectClasses: ( 0.9.2342.19200300.100.4.21 NAME 'pilotDSA' SUP dsa STR |
4396 | - UCTURAL MAY dSAQuality ) |
4397 | -olcObjectClasses: ( 0.9.2342.19200300.100.4.22 NAME 'qualityLabelledData' |
4398 | - SUP top AUXILIARY MUST dsaQuality MAY ( subtreeMinimumQuality $ subtreeMaximu |
4399 | - mQuality ) ) |
4400 | |
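Review bot: the header comment block of the removed schemas/cosine.ldif carries the OpenLDAP Foundation copyright and the OpenLDAP Public License notice ('Redistribution and use in source and binary forms ... are permitted only as authorized by the OpenLDAP Public License'); wherever this schema content lands after the split, that block needs to travel with it, and the package's debian/copyright should record the OpenLDAP license for the schema files as well.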
4401 | === removed file 'schemas/dhcp.ldif' |
4402 | --- schemas/dhcp.ldif 2009-09-11 14:25:59 +0000 |
4403 | +++ schemas/dhcp.ldif 1970-01-01 00:00:00 +0000 |
4404 | @@ -1,224 +0,0 @@ |
4405 | -dn: cn=dhcp,cn=schema,cn=config |
4406 | -objectClass: olcSchemaConfig |
4407 | -cn: dhcp |
4408 | -olcAttributeTypes: {0}( 2.16.840.1.113719.1.203.4.1 NAME 'dhcpPrimaryDN' DESC |
4409 | - 'The DN of the dhcpServer which is the primary server for the configuration.' |
4410 | - EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE- |
4411 | - VALUE ) |
4412 | -olcAttributeTypes: {1}( 2.16.840.1.113719.1.203.4.2 NAME 'dhcpSecondaryDN' DES |
4413 | - C 'The DN of dhcpServer(s) which provide backup service for the configuration |
4414 | - .' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) |
4415 | -olcAttributeTypes: {2}( 2.16.840.1.113719.1.203.4.3 NAME 'dhcpStatements' DESC |
4416 | - 'Flexible storage for specific data depending on what object this exists in. |
4417 | - Like conditional statements, server parameters, etc. This allows the standar |
4418 | - d to evolve without needing to adjust the schema.' EQUALITY caseIgnoreIA5Matc |
4419 | - h SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4420 | -olcAttributeTypes: {3}( 2.16.840.1.113719.1.203.4.4 NAME 'dhcpRange' DESC 'The |
4421 | - starting & ending IP Addresses in the range (inclusive), separated by a hyph |
4422 | - en; if the range only contains one address, then just the address can be spec |
4423 | - ified with no hyphen. Each range is defined as a separate value.' EQUALITY c |
4424 | - aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4425 | -olcAttributeTypes: {4}( 2.16.840.1.113719.1.203.4.5 NAME 'dhcpPermitList' DESC |
4426 | - 'This attribute contains the permit lists associated with a pool. Each permi |
4427 | - t list is defined as a separate value.' EQUALITY caseIgnoreIA5Match SYNTAX 1. |
4428 | - 3.6.1.4.1.1466.115.121.1.26 ) |
4429 | -olcAttributeTypes: {5}( 2.16.840.1.113719.1.203.4.6 NAME 'dhcpNetMask' DESC 'T |
4430 | - he subnet mask length for the subnet. The mask can be easily computed from t |
4431 | - his length.' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGL |
4432 | - E-VALUE ) |
4433 | -olcAttributeTypes: {6}( 2.16.840.1.113719.1.203.4.7 NAME 'dhcpOption' DESC 'En |
4434 | - coded option values to be sent to clients. Each value represents a single op |
4435 | - tion and contains (OptionTag, Length, OptionValue) encoded in the format used |
4436 | - by DHCP.' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4437 | -olcAttributeTypes: {7}( 2.16.840.1.113719.1.203.4.8 NAME 'dhcpClassData' DESC |
4438 | - 'Encoded text string or list of bytes expressed in hexadecimal, separated by |
4439 | - colons. Clients match subclasses based on matching the class data with the r |
4440 | - esults of match or spawn with statements in the class name declarations.' EQU |
4441 | - ALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
4442 | -olcAttributeTypes: {8}( 2.16.840.1.113719.1.203.4.9 NAME 'dhcpOptionsDN' DESC |
4443 | - 'The distinguished name(s) of the dhcpOption objects containing the configura |
4444 | - tion options provided by the server.' EQUALITY distinguishedNameMatch SYNTAX |
4445 | - 1.3.6.1.4.1.1466.115.121.1.12 ) |
4446 | -olcAttributeTypes: {9}( 2.16.840.1.113719.1.203.4.10 NAME 'dhcpHostDN' DESC 't |
4447 | - he distinguished name(s) of the dhcpHost objects.' EQUALITY distinguishedName |
4448 | - Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) |
4449 | -olcAttributeTypes: {10}( 2.16.840.1.113719.1.203.4.11 NAME 'dhcpPoolDN' DESC ' |
4450 | - The distinguished name(s) of pools.' EQUALITY distinguishedNameMatch SYNTAX 1 |
4451 | - .3.6.1.4.1.1466.115.121.1.12 ) |
4452 | -olcAttributeTypes: {11}( 2.16.840.1.113719.1.203.4.12 NAME 'dhcpGroupDN' DESC |
4453 | - 'The distinguished name(s) of the groups.' EQUALITY distinguishedNameMatch |
4454 | - SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) |
4455 | -olcAttributeTypes: {12}( 2.16.840.1.113719.1.203.4.13 NAME 'dhcpSubnetDN' DESC |
4456 | - 'The distinguished name(s) of the subnets.' EQUALITY distinguishedNameMatch |
4457 | - SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) |
4458 | -olcAttributeTypes: {13}( 2.16.840.1.113719.1.203.4.14 NAME 'dhcpLeaseDN' DESC |
4459 | - 'The distinguished name of a client address.' EQUALITY distinguishedNameMatch |
4460 | - SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) |
4461 | -olcAttributeTypes: {14}( 2.16.840.1.113719.1.203.4.15 NAME 'dhcpLeasesDN' DESC |
4462 | - 'The distinguished name(s) client addresses.' EQUALITY distinguishedNameMatc |
4463 | - h SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) |
4464 | -olcAttributeTypes: {15}( 2.16.840.1.113719.1.203.4.16 NAME 'dhcpClassesDN' DES |
4465 | - C 'The distinguished name(s) of a class(es) in a subclass.' EQUALITY distingu |
4466 | - ishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) |
4467 | -olcAttributeTypes: {16}( 2.16.840.1.113719.1.203.4.17 NAME 'dhcpSubclassesDN' |
4468 | - DESC 'The distinguished name(s) of subclass(es).' EQUALITY distinguishedNameM |
4469 | - atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) |
4470 | -olcAttributeTypes: {17}( 2.16.840.1.113719.1.203.4.18 NAME 'dhcpSharedNetworkD |
4471 | - N' DESC 'The distinguished name(s) of sharedNetworks.' EQUALITY distinguished |
4472 | - NameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) |
4473 | -olcAttributeTypes: {18}( 2.16.840.1.113719.1.203.4.19 NAME 'dhcpServiceDN' DES |
4474 | - C 'The DN of dhcpService object(s)which contain the configuration information |
4475 | - . Each dhcpServer object has this attribute identifying the DHCP configuratio |
4476 | - n(s) that the server is associated with.' EQUALITY distinguishedNameMatch SYN |
4477 | - TAX 1.3.6.1.4.1.1466.115.121.1.12 ) |
4478 | -olcAttributeTypes: {19}( 2.16.840.1.113719.1.203.4.20 NAME 'dhcpVersion' DESC |
4479 | - 'The version attribute of this object.' EQUALITY caseIgnoreIA5Match SYNTAX 1. |
4480 | - 3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
4481 | -olcAttributeTypes: {20}( 2.16.840.1.113719.1.203.4.21 NAME 'dhcpImplementation |
4482 | - ' DESC 'Description of the DHCP Server implementation e.g. DHCP Servers vendo |
4483 | - r.' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-V |
4484 | - ALUE ) |
4485 | -olcAttributeTypes: {21}( 2.16.840.1.113719.1.203.4.22 NAME 'dhcpAddressState' |
4486 | - DESC 'This stores information about the current binding-status of an address. |
4487 | - For dynamic addresses managed by DHCP, the values should be restricted to t |
4488 | - he following: "FREE", "ACTIVE", "EXPIRED", "RELEASED", "RESET", "ABANDONED", |
4489 | - "BACKUP". For other addresses, it SHOULD be one of the following: "UNKNOWN", |
4490 | - "RESERVED" (an address that is managed by DHCP that is reserved for a specif |
4491 | - ic client), "RESERVED-ACTIVE" (same as reserved, but address is currently in |
4492 | - use), "ASSIGNED" (assigned manually or by some other mechanism), "UNASSIGNED" |
4493 | - , "NOTASSIGNABLE".' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1 |
4494 | - 21.1.26 SINGLE-VALUE ) |
4495 | -olcAttributeTypes: {22}( 2.16.840.1.113719.1.203.4.23 NAME 'dhcpExpirationTime |
4496 | - ' DESC 'This is the time the current lease for an address expires.' EQUALITY |
4497 | - generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) |
4498 | -olcAttributeTypes: {23}( 2.16.840.1.113719.1.203.4.24 NAME 'dhcpStartTimeOfSta |
4499 | - te' DESC 'This is the time of the last state change for a leased address.' EQ |
4500 | - UALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE |
4501 | - ) |
4502 | -olcAttributeTypes: {24}( 2.16.840.1.113719.1.203.4.25 NAME 'dhcpLastTransactio |
4503 | - nTime' DESC 'This is the last time a valid DHCP packet was received from the |
4504 | - client.' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 S |
4505 | - INGLE-VALUE ) |
4506 | -olcAttributeTypes: {25}( 2.16.840.1.113719.1.203.4.26 NAME 'dhcpBootpFlag' DES |
4507 | - C 'This indicates whether the address was assigned via BOOTP.' EQUALITY boole |
4508 | - anMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) |
4509 | -olcAttributeTypes: {26}( 2.16.840.1.113719.1.203.4.27 NAME 'dhcpDomainName' DE |
4510 | - SC 'This is the name of the domain sent to the client by the server. It is e |
4511 | - ssentially the same as the value for DHCP option 15 sent to the client, and r |
4512 | - epresents only the domain - not the full FQDN. To obtain the full FQDN assig |
4513 | - ned to the client you must prepend the "dhcpAssignedHostName" to this value w |
4514 | - ith a ".".' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 |
4515 | - SINGLE-VALUE ) |
4516 | -olcAttributeTypes: {27}( 2.16.840.1.113719.1.203.4.28 NAME 'dhcpDnsStatus' DES |
4517 | - C 'This indicates the status of updating DNS resource records on behalf of th |
4518 | - e client by the DHCP server for this address. The value is a 16-bit bitmask. |
4519 | - ' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) |
4520 | -olcAttributeTypes: {28}( 2.16.840.1.113719.1.203.4.29 NAME 'dhcpRequestedHostN |
4521 | - ame' DESC 'This is the hostname that was requested by the client.' EQUALITY c |
4522 | - aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
4523 | -olcAttributeTypes: {29}( 2.16.840.1.113719.1.203.4.30 NAME 'dhcpAssignedHostNa |
4524 | - me' DESC 'This is the actual hostname that was assigned to a client. It may n |
4525 | - ot be the name that was requested by the client. The fully qualified domain |
4526 | - name can be determined by appending the value of "dhcpDomainName" (with a dot |
4527 | - separator) to this name.' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.146 |
4528 | - 6.115.121.1.26 SINGLE-VALUE ) |
4529 | -olcAttributeTypes: {30}( 2.16.840.1.113719.1.203.4.31 NAME 'dhcpReservedForCli |
4530 | - ent' DESC 'The distinguished name of a "dhcpClient" that an address is reserv |
4531 | - ed for. This may not be the same as the "dhcpAssignedToClient" attribute if |
4532 | - the address is being reassigned but the current lease has not yet expired.' E |
4533 | - QUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VA |
4534 | - LUE ) |
4535 | -olcAttributeTypes: {31}( 2.16.840.1.113719.1.203.4.32 NAME 'dhcpAssignedToClie |
4536 | - nt' DESC 'This is the distinguished name of a "dhcpClient" that an address is |
4537 | - currently assigned to. This attribute is only present in the class when the |
4538 | - address is leased.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466. |
4539 | - 115.121.1.12 SINGLE-VALUE ) |
4540 | -olcAttributeTypes: {32}( 2.16.840.1.113719.1.203.4.33 NAME 'dhcpRelayAgentInfo |
4541 | - ' DESC 'If the client request was received via a relay agent, this contains i |
4542 | - nformation about the relay agent that was available from the DHCP request. T |
4543 | - his is a hex-encoded option value.' EQUALITY octetStringMatch SYNTAX 1.3.6.1. |
4544 | - 4.1.1466.115.121.1.40 SINGLE-VALUE ) |
4545 | -olcAttributeTypes: {33}( 2.16.840.1.113719.1.203.4.34 NAME 'dhcpHWAddress' DES |
4546 | - C 'The clients hardware address that requested this IP address.' EQUALITY oct |
4547 | - etStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) |
4548 | -olcAttributeTypes: {34}( 2.16.840.1.113719.1.203.4.35 NAME 'dhcpHashBucketAssi |
4549 | - gnment' DESC 'HashBucketAssignment bit map for the DHCP Server, as defined in |
4550 | - DHC Load Balancing Algorithm [RFC 3074].' EQUALITY octetStringMatch SYNTAX 1 |
4551 | - .3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) |
4552 | -olcAttributeTypes: {35}( 2.16.840.1.113719.1.203.4.36 NAME 'dhcpDelayedService |
4553 | - Parameter' DESC 'Delay in seconds corresponding to Delayed Service Parameter |
4554 | - configuration, as defined in DHC Load Balancing Algorithm [RFC 3074]. ' EQUA |
4555 | - LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) |
4556 | -olcAttributeTypes: {36}( 2.16.840.1.113719.1.203.4.37 NAME 'dhcpMaxClientLeadT |
4557 | - ime' DESC 'Maximum Client Lead Time configuration in seconds, as defined in D |
4558 | - HCP Failover Protocol [FAILOVR]' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.146 |
4559 | - 6.115.121.1.27 SINGLE-VALUE ) |
4560 | -olcAttributeTypes: {37}( 2.16.840.1.113719.1.203.4.38 NAME 'dhcpFailOverEndpoi |
4561 | - ntState' DESC 'Server (Failover Endpoint) state, as defined in DHCP Failover |
4562 | - Protocol [FAILOVR]' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1 |
4563 | - 21.1.26 SINGLE-VALUE ) |
4564 | -olcAttributeTypes: {38}( 2.16.840.1.113719.1.203.4.39 NAME 'dhcpErrorLog' DESC |
4565 | - 'Generic error log attribute that allows logging error conditions within a d |
4566 | - hcpService or a dhcpSubnet, like no IP addresses available for lease.' EQUALI |
4567 | - TY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
4568 | -olcObjectClasses: {0}( 2.16.840.1.113719.1.203.6.1 NAME 'dhcpService' DESC 'Se |
4569 | - rvice object that represents the actual DHCP Service configuration. This is a |
4570 | - container object.' SUP top STRUCTURAL MUST ( cn $ dhcpPrimaryDN ) MAY ( dhcp |
4571 | - SecondaryDN $ dhcpSharedNetworkDN $ dhcpSubnetDN $ dhcpGroupDN $ dhcpHostDN $ |
4572 | - dhcpClassesDN $ dhcpOptionsDN $ dhcpStatements ) ) |
4573 | -olcObjectClasses: {1}( 2.16.840.1.113719.1.203.6.2 NAME 'dhcpSharedNetwork' DE |
4574 | - SC 'This stores configuration information for a shared network.' SUP top STRU |
4575 | - CTURAL MUST cn MAY ( dhcpSubnetDN $ dhcpPoolDN $ dhcpOptionsDN $ dhcpStatemen |
4576 | - ts ) X-NDS_CONTAINMENT 'dhcpService' ) |
4577 | -olcObjectClasses: {2}( 2.16.840.1.113719.1.203.6.3 NAME 'dhcpSubnet' DESC 'Thi |
4578 | - s class defines a subnet. This is a container object.' SUP top STRUCTURAL MUS |
4579 | - T ( cn $ dhcpNetMask ) MAY ( dhcpRange $ dhcpPoolDN $ dhcpGroupDN $ dhcpHostD |
4580 | - N $ dhcpClassesDN $ dhcpLeasesDN $ dhcpOptionsDN $ dhcpStatements ) X-NDS_CON |
4581 | - TAINMENT ( 'dhcpService' 'dhcpSharedNetwork' ) ) |
4582 | -olcObjectClasses: {3}( 2.16.840.1.113719.1.203.6.4 NAME 'dhcpPool' DESC 'This |
4583 | - stores configuration information about a pool.' SUP top STRUCTURAL MUST ( cn |
4584 | - $ dhcpRange ) MAY ( dhcpClassesDN $ dhcpPermitList $ dhcpLeasesDN $ dhcpOptio |
4585 | - nsDN $ dhcpStatements ) X-NDS_CONTAINMENT ( 'dhcpSubnet' 'dhcpSharedNetwork' |
4586 | - ) ) |
4587 | -olcObjectClasses: {4}( 2.16.840.1.113719.1.203.6.5 NAME 'dhcpGroup' DESC 'Grou |
4588 | - p object that lists host DNs and parameters. This is a container object.' SUP |
4589 | - top STRUCTURAL MUST cn MAY ( dhcpHostDN $ dhcpOptionsDN $ dhcpStatements ) X |
4590 | - -NDS_CONTAINMENT ( 'dhcpSubnet' 'dhcpService' ) ) |
4591 | -olcObjectClasses: {5}( 2.16.840.1.113719.1.203.6.6 NAME 'dhcpHost' DESC 'This |
4592 | - represents information about a particular client' SUP top STRUCTURAL MUST cn |
4593 | - MAY ( dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements ) X-NDS_CO |
4594 | - NTAINMENT ( 'dhcpService' 'dhcpSubnet' 'dhcpGroup' ) ) |
4595 | -olcObjectClasses: {6}( 2.16.840.1.113719.1.203.6.7 NAME 'dhcpClass' DESC 'Repr |
4596 | - esents information about a collection of related clients.' SUP top STRUCTURAL |
4597 | - MUST cn MAY ( dhcpSubClassesDN $ dhcpOptionsDN $ dhcpStatements ) X-NDS_CONT |
4598 | - AINMENT ( 'dhcpService' 'dhcpSubnet' ) ) |
4599 | -olcObjectClasses: {7}( 2.16.840.1.113719.1.203.6.8 NAME 'dhcpSubClass' DESC 'R |
4600 | - epresents information about a collection of related classes.' SUP top STRUCTU |
4601 | - RAL MUST cn MAY ( dhcpClassData $ dhcpOptionsDN $ dhcpStatements ) X-NDS_CONT |
4602 | - AINMENT 'dhcpClass' ) |
4603 | -olcObjectClasses: {8}( 2.16.840.1.113719.1.203.6.9 NAME 'dhcpOptions' DESC 'Re |
4604 | - presents information about a collection of options defined.' SUP top AUXILIAR |
4605 | - Y MUST cn MAY dhcpOption X-NDS_CONTAINMENT ( 'dhcpService' 'dhcpSharedNetwork |
4606 | - ' 'dhcpSubnet' 'dhcpPool' 'dhcpGroup' 'dhcpHost' 'dhcpClass' ) ) |
4607 | -olcObjectClasses: {9}( 2.16.840.1.113719.1.203.6.10 NAME 'dhcpLeases' DESC 'Th |
4608 | - is class represents an IP Address, which may or may not have been leased.' SU |
4609 | - P top STRUCTURAL MUST ( cn $ dhcpAddressState ) MAY ( dhcpExpirationTime $ dh |
4610 | - cpStartTimeOfState $ dhcpLastTransactionTime $ dhcpBootpFlag $ dhcpDomainName |
4611 | - $ dhcpDnsStatus $ dhcpRequestedHostName $ dhcpAssignedHostName $ dhcpReserve |
4612 | - dForClient $ dhcpAssignedToClient $ dhcpRelayAgentInfo $ dhcpHWAddress ) X-ND |
4613 | - S_CONTAINMENT ( 'dhcpService' 'dhcpSubnet' 'dhcpPool' ) ) |
4614 | -olcObjectClasses: {10}( 2.16.840.1.113719.1.203.6.11 NAME 'dhcpLog' DESC 'This |
4615 | - is the object that holds past information about the IP address. The cn is th |
4616 | - e time/date stamp when the address was assigned or released, the address stat |
4617 | - e at the time, if the address was assigned or released.' SUP top STRUCTURAL M |
4618 | - UST cn MAY ( dhcpAddressState $ dhcpExpirationTime $ dhcpStartTimeOfState $ d |
4619 | - hcpLastTransactionTime $ dhcpBootpFlag $ dhcpDomainName $ dhcpDnsStatus $ dhc |
4620 | - pRequestedHostName $ dhcpAssignedHostName $ dhcpReservedForClient $ dhcpAssig |
4621 | - nedToClient $ dhcpRelayAgentInfo $ dhcpHWAddress $ dhcpErrorLog ) X-NDS_CONTA |
4622 | - INMENT ( 'dhcpLeases' 'dhcpPool' 'dhcpSubnet' 'dhcpSharedNetwork' 'dhcpServic |
4623 | - e' ) ) |
4624 | -olcObjectClasses: {11}( 2.16.840.1.113719.1.203.6.12 NAME 'dhcpServer' DESC 'D |
4625 | - HCP Server Object' SUP top STRUCTURAL MUST ( cn $ dhcpServiceDN ) MAY ( dhcpV |
4626 | - ersion $ dhcpImplementation $ dhcpHashBucketAssignment $ dhcpDelayedServicePa |
4627 | - rameter $ dhcpMaxClientLeadTime $ dhcpFailOverEndpointState $ dhcpStatements |
4628 | - ) X-NDS_CONTAINMENT ( 'o' 'ou' 'dc' ) ) |
4629 | |
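Review bot: The lease-state attributes removed in the tail of this hunk (dhcpHWAddress, dhcpRelayAgentInfo, dhcpAssignedToClient, dhcpReservedForClient, and the dhcpLeases and dhcpLog classes that carry them) record which client holds which address and via which relay, so wherever this schema is reinstated in the new layout the DHCP subtree ACL should limit read access on those attributes to the DHCP server identity and administrators rather than to all authenticated users. Also worth a look: dhcpClass lists `dhcpSubClassesDN` in its MAY clause while the attribute is declared as `dhcpSubclassesDN`; slapd matches attribute names case-insensitively so this loads, but aligning the spelling in the relocated copy avoids confusion when someone greps for it.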
4630 | === removed file 'schemas/dnszone.ldif' |
4631 | --- schemas/dnszone.ldif 2009-09-11 14:25:59 +0000 |
4632 | +++ schemas/dnszone.ldif 1970-01-01 00:00:00 +0000 |
4633 | @@ -1,67 +0,0 @@ |
4634 | -dn: cn=dnszone,cn=schema,cn=config |
4635 | -objectClass: olcSchemaConfig |
4636 | -cn: dnszone |
4637 | -olcAttributeTypes: {0}( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL' DESC 'An integer |
4638 | - denoting time to live' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121 |
4639 | - .1.27 ) |
4640 | -olcAttributeTypes: {1}( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass' DESC 'The clas |
4641 | - s of a resource record' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.1 |
4642 | - 15.121.1.26 ) |
4643 | -olcAttributeTypes: {2}( 1.3.6.1.4.1.2428.20.0.2 NAME 'zoneName' DESC 'The name |
4644 | - of a zone, i.e. the name of the highest node in the zone' EQUALITY caseIgnor |
4645 | - eIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121 |
4646 | - .1.26 ) |
4647 | -olcAttributeTypes: {3}( 1.3.6.1.4.1.2428.20.0.3 NAME 'relativeDomainName' DESC |
4648 | - 'The starting labels of a domain name' EQUALITY caseIgnoreIA5Match SUBSTR ca |
4649 | - seIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4650 | -olcAttributeTypes: {4}( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord' DESC 'domain |
4651 | - name pointer, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subs |
4652 | - tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4653 | -olcAttributeTypes: {5}( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord' DESC 'host |
4654 | - information, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subst |
4655 | - ringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4656 | -olcAttributeTypes: {6}( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord' DESC 'mail |
4657 | - box or mail list information, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR ca |
4658 | - seIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4659 | -olcAttributeTypes: {7}( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord' DESC 'text s |
4660 | - tring, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMa |
4661 | - tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4662 | -olcAttributeTypes: {8}( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord' DESC 'Signat |
4663 | - ure, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatc |
4664 | - h SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4665 | -olcAttributeTypes: {9}( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord' DESC 'Key, R |
4666 | - FC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNT |
4667 | - AX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4668 | -olcAttributeTypes: {10}( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord' DESC 'IPv6 |
4669 | - address, RFC 1886' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substring |
4670 | - sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4671 | -olcAttributeTypes: {11}( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord' DESC 'Locat |
4672 | - ion, RFC 1876' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatc |
4673 | - h SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4674 | -olcAttributeTypes: {12}( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord' DESC 'non-e |
4675 | - xistant, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substrings |
4676 | - Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4677 | -olcAttributeTypes: {13}( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord' DESC 'servi |
4678 | - ce location, RFC 2782' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substr |
4679 | - ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4680 | -olcAttributeTypes: {14}( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord' DESC 'Nam |
4681 | - ing Authority Pointer, RFC 2915' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnor |
4682 | - eIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4683 | -olcAttributeTypes: {15}( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord' DESC 'Key Ex |
4684 | - change Delegation, RFC 2230' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5 |
4685 | - SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4686 | -olcAttributeTypes: {16}( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord' DESC 'cert |
4687 | - ificate, RFC 2538' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substrings |
4688 | - Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4689 | -olcAttributeTypes: {17}( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record' DESC 'A6 Rec |
4690 | - ord Type, RFC 2874' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substring |
4691 | - sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4692 | -olcAttributeTypes: {18}( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord' DESC 'Non |
4693 | - -Terminal DNS Name Redirection, RFC 2672' EQUALITY caseIgnoreIA5Match SUBSTR |
4694 | - caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
4695 | -olcObjectClasses: {0}( 1.3.6.1.4.1.2428.20.3 NAME 'dNSZone' SUP top STRUCTURAL |
4696 | - MUST ( zoneName $ relativeDomainName ) MAY ( DNSTTL $ DNSClass $ ARecord $ M |
4697 | - DRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord $ PTRRecord $ HINFORe |
4698 | - cord $ MINFORecord $ TXTRecord $ SIGRecord $ KEYRecord $ AAAARecord $ LOCReco |
4699 | - rd $ NXTRecord $ SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $ |
4700 | - DNAMERecord ) ) |
4701 | |
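Review bot: The dNSZone MAY clause at the end of this hunk references aRecord, mDRecord, mXRecord, nSRecord, sOARecord and cNAMERecord, none of which is declared in this file (OpenLDAP's cosine schema provides them), so the relocated copy must be loaded after cosine or adding the schema entry will fail on an undefined attribute type; that ordering should be recorded alongside the relocated file rather than left implicit. Minor: the nXTRecord DESC reads 'non-existant'; 'non-existent' if the file is being touched anyway.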
4702 | === removed file 'schemas/dyngroup.ldif' |
4703 | --- schemas/dyngroup.ldif 2009-09-11 14:25:59 +0000 |
4704 | +++ schemas/dyngroup.ldif 1970-01-01 00:00:00 +0000 |
4705 | @@ -1,24 +0,0 @@ |
4706 | -dn: cn=dyngroup,cn=schema,cn=config |
4707 | -objectClass: olcSchemaConfig |
4708 | -cn: dyngroup |
4709 | -olcObjectIdentifier: {0}NetscapeRoot 2.16.840.1.113730 |
4710 | -olcObjectIdentifier: {1}NetscapeLDAP NetscapeRoot:3 |
4711 | -olcObjectIdentifier: {2}NetscapeLDAPattributeType NetscapeLDAP:1 |
4712 | -olcObjectIdentifier: {3}NetscapeLDAPobjectClass NetscapeLDAP:2 |
4713 | -olcObjectIdentifier: {4}OpenLDAPExp11 1.3.6.1.4.1.4203.666.11 |
4714 | -olcObjectIdentifier: {5}DynGroupBase OpenLDAPExp11:8 |
4715 | -olcObjectIdentifier: {6}DynGroupAttr DynGroupBase:1 |
4716 | -olcObjectIdentifier: {7}DynGroupOC DynGroupBase:2 |
4717 | -olcAttributeTypes: {0}( NetscapeLDAPattributeType:198 NAME 'memberURL' DESC 'I |
4718 | - dentifies an URL associated with each member of a group. Any type of labeled |
4719 | - URL can be used.' SUP labeledURI ) |
4720 | -olcAttributeTypes: {1}( DynGroupAttr:1 NAME 'dgIdentity' DESC 'Identity to use |
4721 | - when processing the memberURL' SUP distinguishedName SINGLE-VALUE ) |
4722 | -olcAttributeTypes: {2}( DynGroupAttr:2 NAME 'dgAuthz' DESC 'Optional authoriza |
4723 | - tion rules that determine who is allowed to assume the dgIdentity' EQUALITY a |
4724 | - uthzMatch SYNTAX 1.3.6.1.4.1.4203.666.2.7 X-ORDERED 'VALUES' ) |
4725 | -olcObjectClasses: {0}( NetscapeLDAPobjectClass:33 NAME 'groupOfURLs' SUP top S |
4726 | - TRUCTURAL MUST cn MAY ( memberURL $ businessCategory $ description $ o $ ou $ |
4727 | - owner $ seeAlso ) ) |
4728 | -olcObjectClasses: {1}( DynGroupOC:1 NAME 'dgIdentityAux' SUP top AUXILIARY MAY |
4729 | - ( dgIdentity $ dgAuthz ) ) |
4730 | |
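Review bot: This hunk deletes the dyngroup schema outright and nothing in it says where (or whether) groupOfURLs, dgIdentity and dgAuthz are re-added; if the schema is being dropped rather than moved, the changelog should say so, because any deployed directory that already holds groupOfURLs entries will be unable to modify them once cn=dyngroup,cn=schema,cn=config is gone. Note also that dgIdentity names the identity under which memberURL searches are evaluated, so it is a privilege-bearing attribute; if it does come back in the split packages, write access to it should be confined to administrators in the accompanying ACL.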
4731 | === removed file 'schemas/inetorgperson.ldif' |
4732 | --- schemas/inetorgperson.ldif 2009-09-11 14:25:59 +0000 |
4733 | +++ schemas/inetorgperson.ldif 1970-01-01 00:00:00 +0000 |
4734 | @@ -1,69 +0,0 @@ |
4735 | -# InetOrgPerson (RFC2798) |
4736 | -# $OpenLDAP: pkg/ldap/servers/slapd/schema/inetorgperson.ldif,v 1.1.2.4 2009/01/22 00:01:14 kurt Exp $ |
4737 | -## This work is part of OpenLDAP Software <http://www.openldap.org/>. |
4738 | -## |
4739 | -## Copyright 1998-2009 The OpenLDAP Foundation. |
4740 | -## All rights reserved. |
4741 | -## |
4742 | -## Redistribution and use in source and binary forms, with or without |
4743 | -## modification, are permitted only as authorized by the OpenLDAP |
4744 | -## Public License. |
4745 | -## |
4746 | -## A copy of this license is available in the file LICENSE in the |
4747 | -## top-level directory of the distribution or, alternatively, at |
4748 | -## <http://www.OpenLDAP.org/license.html>. |
4749 | -# |
4750 | -# InetOrgPerson (RFC2798) |
4751 | -# |
4752 | -# Depends upon |
4753 | -# Definition of an X.500 Attribute Type and an Object Class to Hold |
4754 | -# Uniform Resource Identifiers (URIs) [RFC2079] |
4755 | -# (core.ldif) |
4756 | -# |
4757 | -# A Summary of the X.500(96) User Schema for use with LDAPv3 [RFC2256] |
4758 | -# (core.ldif) |
4759 | -# |
4760 | -# The COSINE and Internet X.500 Schema [RFC1274] (cosine.ldif) |
4761 | -# |
4762 | -# This file was automatically generated from inetorgperson.schema; see |
4763 | -# that file for complete references. |
4764 | -# |
4765 | -dn: cn=inetorgperson,cn=schema,cn=config |
4766 | -objectClass: olcSchemaConfig |
4767 | -cn: inetorgperson |
4768 | -olcAttributeTypes: ( 2.16.840.1.113730.3.1.1 NAME 'carLicense' DESC 'RFC279 |
4769 | - 8: vehicle license or registration plate' EQUALITY caseIgnoreMatch SUBSTR cas |
4770 | - eIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) |
4771 | -olcAttributeTypes: ( 2.16.840.1.113730.3.1.2 NAME 'departmentNumber' DESC ' |
4772 | - RFC2798: identifies a department within an organization' EQUALITY caseIgnoreM |
4773 | - atch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) |
4774 | -olcAttributeTypes: ( 2.16.840.1.113730.3.1.241 NAME 'displayName' DESC 'RFC |
4775 | - 2798: preferred name to be used when displaying entries' EQUALITY caseIgnoreM |
4776 | - atch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SI |
4777 | - NGLE-VALUE ) |
4778 | -olcAttributeTypes: ( 2.16.840.1.113730.3.1.3 NAME 'employeeNumber' DESC 'RF |
4779 | - C2798: numerically identifies an employee within an organization' EQUALITY ca |
4780 | - seIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.12 |
4781 | - 1.1.15 SINGLE-VALUE ) |
4782 | -olcAttributeTypes: ( 2.16.840.1.113730.3.1.4 NAME 'employeeType' DESC 'RFC2 |
4783 | - 798: type of employment for a person' EQUALITY caseIgnoreMatch SUBSTR caseIgn |
4784 | - oreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) |
4785 | -olcAttributeTypes: ( 0.9.2342.19200300.100.1.60 NAME 'jpegPhoto' DESC 'RFC2 |
4786 | - 798: a JPEG image' SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 ) |
4787 | -olcAttributeTypes: ( 2.16.840.1.113730.3.1.39 NAME 'preferredLanguage' DESC |
4788 | - 'RFC2798: preferred written or spoken language for a person' EQUALITY caseIg |
4789 | - noreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1. |
4790 | - 15 SINGLE-VALUE ) |
4791 | -olcAttributeTypes: ( 2.16.840.1.113730.3.1.40 NAME 'userSMIMECertificate' D |
4792 | - ESC 'RFC2798: PKCS#7 SignedData used to support S/MIME' SYNTAX 1.3.6.1.4.1.14 |
4793 | - 66.115.121.1.5 ) |
4794 | -olcAttributeTypes: ( 2.16.840.1.113730.3.1.216 NAME 'userPKCS12' DESC 'RFC2 |
4795 | - 798: personal identity information, a PKCS #12 PFX' SYNTAX 1.3.6.1.4.1.1466.1 |
4796 | - 15.121.1.5 ) |
4797 | -olcObjectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'RFC2 |
4798 | - 798: Internet Organizational Person' SUP organizationalPerson STRUCTURAL MAY |
4799 | - ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ em |
4800 | - ployeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ ini |
4801 | - tials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo |
4802 | - $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ pre |
4803 | - ferredLanguage $ userSMIMECertificate $ userPKCS12 ) ) |
4804 | |
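Review bot: The header at the top of this hunk carries the OpenLDAP Foundation copyright and the OpenLDAP Public License notice, which must travel with the file wherever the inetorgperson schema lands in the new layout, and the package's copyright file should list the OpenLDAP Foundation as a copyright holder for it. The `$OpenLDAP: ... $` keyword line records which upstream revision this schema was generated from; keeping it in the relocated copy makes later upstream syncs traceable.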
4805 | === removed file 'schemas/misc.ldif' |
4806 | --- schemas/misc.ldif 2009-09-11 14:25:59 +0000 |
4807 | +++ schemas/misc.ldif 1970-01-01 00:00:00 +0000 |
4808 | @@ -1,25 +0,0 @@ |
4809 | -# misc.ldif |
4810 | -# |
4811 | -# This is the ldif version of misc.schema to be used with cn=config. |
4812 | -# The nss overlay requires rfc822MailMember which is defined here. |
4813 | -# |
4814 | -dn: cn=misc,cn=schema,cn=config |
4815 | -objectClass: olcSchemaConfig |
4816 | -cn: misc |
4817 | -olcAttributeTypes: ( 2.16.840.1.113730.3.1.13 NAME 'mailLocalAddress' DESC |
4818 | - 'RFC822 email address of this recipient' EQUALITY caseIgnoreIA5Match SYNTAX 1 |
4819 | - .3.6.1.4.1.1466.115.121.1.26{256} ) |
4820 | -olcAttributeTypes: ( 2.16.840.1.113730.3.1.18 NAME 'mailHost' DESC 'FQDN of |
4821 | - the SMTP/MTA of this recipient' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4 |
4822 | - .1.1466.115.121.1.26{256} SINGLE-VALUE ) |
4823 | -olcAttributeTypes: ( 2.16.840.1.113730.3.1.47 NAME 'mailRoutingAddress' DES |
4824 | - C 'RFC822 routing address of this recipient' EQUALITY caseIgnoreIA5Match SYNT |
4825 | - AX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE ) |
4826 | -olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.2.1.15 NAME 'rfc822MailMember' DES |
4827 | - C 'rfc822 mail address of group member(s)' EQUALITY caseIgnoreIA5Match SYNTAX |
4828 | - 1.3.6.1.4.1.1466.115.121.1.26 ) |
4829 | -olcObjectClasses: ( 2.16.840.1.113730.3.2.147 NAME 'inetLocalMailRecipient' |
4830 | - DESC 'Internet local mail recipient' SUP top AUXILIARY MAY ( mailLocalAddres |
4831 | - s $ mailHost $ mailRoutingAddress ) ) |
4832 | -olcObjectClasses: ( 1.3.6.1.4.1.42.2.27.1.2.5 NAME 'nisMailAlias' DESC 'NIS |
4833 | - mail alias' SUP top STRUCTURAL MUST cn MAY rfc822MailMember ) |
4834 | |
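Review bot: The comment 'The nss overlay requires rfc822MailMember which is defined here' at the top of this hunk is the only record of why this schema is loaded, so it should be kept (or restated in the package documentation) in the relocated copy, and the load order must place the schema defining rfc822MailMember and nisMailAlias before the overlay configuration that depends on them. Also note that mailLocalAddress, mailHost and mailRoutingAddress are declared with a {256} length limit while rfc822MailMember has none; consistent limits in the relocated copy would avoid accepting oversized values on one attribute and rejecting them on another.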
4835 | === removed file 'schemas/mit-kerberos.ldif' |
4836 | --- schemas/mit-kerberos.ldif 2009-10-06 20:36:12 +0000 |
4837 | +++ schemas/mit-kerberos.ldif 1970-01-01 00:00:00 +0000 |
4838 | @@ -1,473 +0,0 @@ |
4839 | -# Novell Kerberos Schema Definitions |
4840 | -# Novell Inc. |
4841 | -# 1800 South Novell Place |
4842 | -# Provo, UT 84606 |
4843 | -# |
4844 | -# VeRsIoN=1.0 |
4845 | -# CoPyRiGhT=(c) Copyright 2006, Novell, Inc. All rights reserved |
4846 | -# |
4847 | -# OIDs: |
4848 | -# joint-iso-ccitt(2) |
4849 | -# country(16) |
4850 | -# us(840) |
4851 | -# organization(1) |
4852 | -# Novell(113719) |
4853 | -# applications(1) |
4854 | -# kerberos(301) |
4855 | -# Kerberos Attribute Type(4) attr# version# |
4856 | -# specific attribute definitions |
4857 | -# Kerberos Attribute Syntax(5) |
4858 | -# specific syntax definitions |
4859 | -# Kerberos Object Class(6) class# version# |
4860 | -# specific class definitions |
4861 | -# |
4862 | -# iso(1) |
4863 | -# member-body(2) |
4864 | -# United States(840) |
4865 | -# mit (113554) |
4866 | -# infosys(1) |
4867 | -# ldap(4) |
4868 | -# attributeTypes(1) |
4869 | -# Kerberos(6) |
4870 | -######################################################################## |
4871 | -######################################################################## |
4872 | -# Attribute Type Definitions # |
4873 | -######################################################################## |
4874 | -dn: cn=mit-kerberos,cn=schema,cn=config |
4875 | -cn: kerberos |
4876 | -objectClass: olcSchemaConfig |
4877 | -olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.1.1 |
4878 | - NAME 'krbPrincipalName' |
4879 | - EQUALITY caseExactIA5Match |
4880 | - SUBSTR caseExactSubstringsMatch |
4881 | - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) |
4882 | -##### If there are multiple krbPrincipalName values for an entry, this |
4883 | -##### is the canonical principal name in the RFC 1964 specified |
4884 | -##### format. (If this attribute does not exist, then all |
4885 | -##### krbPrincipalName values are treated as canonical.) |
4886 | -olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.1 |
4887 | - NAME 'krbCanonicalName' |
4888 | - EQUALITY caseExactIA5Match |
4889 | - SUBSTR caseExactSubstringsMatch |
4890 | - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 |
4891 | - SINGLE-VALUE) |
4892 | -##### This specifies the type of the principal, the types could be any of |
4893 | -##### the types mentioned in section 6.2 of RFC 4120 |
4894 | -olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.3.1 |
4895 | - NAME 'krbPrincipalType' |
4896 | - EQUALITY integerMatch |
4897 | - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
4898 | - SINGLE-VALUE) |
4899 | -olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.5.1 |
4900 | - NAME 'krbUPEnabled' |
4901 | - DESC 'Boolean' |
4902 | - SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 |
4903 | - SINGLE-VALUE) |
4904 | -##### The time at which the principal expires |
4905 | -olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.6.1 |
4906 | - NAME 'krbPrincipalExpiration' |
4907 | - EQUALITY generalizedTimeMatch |
4908 | - SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 |
4909 | - SINGLE-VALUE) |
4910 | -##### The krbTicketFlags attribute holds information about the kerberos flags for a principal |
4911 | -##### The values (0x00000001 - 0x00800000) are reserved for standards and |
4912 | -##### values (0x01000000 - 0x80000000) can be used for proprietary extensions. |
4913 | -##### The flags and values as per RFC 4120 and MIT implementation are, |
4914 | -##### DISALLOW_POSTDATED 0x00000001 |
4915 | -##### DISALLOW_FORWARDABLE 0x00000002 |
4916 | -##### DISALLOW_TGT_BASED 0x00000004 |
4917 | -##### DISALLOW_RENEWABLE 0x00000008 |
4918 | -##### DISALLOW_PROXIABLE 0x00000010 |
4919 | -##### DISALLOW_DUP_SKEY 0x00000020 |
4920 | -##### DISALLOW_ALL_TIX 0x00000040 |
4921 | -##### REQUIRES_PRE_AUTH 0x00000080 |
4922 | -##### REQUIRES_HW_AUTH 0x00000100 |
4923 | -##### REQUIRES_PWCHANGE 0x00000200 |
4924 | -##### DISALLOW_SVR 0x00001000 |
4925 | -##### PWCHANGE_SERVICE 0x00002000 |
4926 | -olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.8.1 |
4927 | - NAME 'krbTicketFlags' |
4928 | - EQUALITY integerMatch |
4929 | - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
4930 | - SINGLE-VALUE) |
4931 | -##### The maximum ticket lifetime for a principal in seconds |
4932 | -olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.9.1 |
4933 | - NAME 'krbMaxTicketLife' |
4934 | - EQUALITY integerMatch |
4935 | - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
4936 | - SINGLE-VALUE) |
4937 | -##### Maximum renewable lifetime for a principal's ticket in seconds |
4938 | -olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.10.1 |
4939 | - NAME 'krbMaxRenewableAge' |
4940 | - EQUALITY integerMatch |
4941 | - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
4942 | - SINGLE-VALUE) |
4943 | -##### Forward reference to the Realm object. |
4944 | -##### (FDN of the krbRealmContainer object). |
4945 | -##### Example: cn=ACME.COM, cn=Kerberos, cn=Security |
4946 | -olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.14.1 |
4947 | - NAME 'krbRealmReferences' |
4948 | - EQUALITY distinguishedNameMatch |
4949 | - SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) |
4950 | -##### List of LDAP servers that kerberos servers can contact. |
4951 | -##### The attribute holds data in the ldap uri format, |
4952 | -##### Example: ldaps://acme.com:636 |
4953 | -##### |
4954 | -##### The values of this attribute need to be updated, when |
4955 | -##### the LDAP servers listed here are renamed, moved or deleted. |
4956 | -olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.15.1 |
4957 | - NAME 'krbLdapServers' |
4958 | - EQUALITY caseIgnoreMatch |
4959 | - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) |
4960 | -##### A set of forward references to the KDC Service objects. |
4961 | -##### (FDNs of the krbKdcService objects). |
4962 | -##### Example: cn=kdc - server 1, ou=uvw, o=xyz |
4963 | -olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.17.1 |
4964 | - NAME 'krbKdcServers' |
4965 | - EQUALITY distinguishedNameMatch |
4966 | - SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) |
4967 | -##### A set of forward references to the Password Service objects. |
4968 | -##### (FDNs of the krbPwdService objects). |
4969 | -##### Example: cn=kpasswdd - server 1, ou=uvw, o=xyz |
4970 | -olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.18.1 |
4971 | - NAME 'krbPwdServers' |
4972 | - EQUALITY distinguishedNameMatch |
4973 | - SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) |
4974 | -##### This attribute holds the Host Name or the ip address, |
4975 | -##### transport protocol and ports of the kerberos service host |
4976 | -##### The format is host_name-or-ip_address#protocol#port |
4977 | -##### Protocol can be 0 or 1. 0 is for UDP. 1 is for TCP. |
4978 | -olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.24.1 |
4979 | - NAME 'krbHostServer' |
4980 | - EQUALITY caseExactIA5Match |
4981 | - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) |
4982 | -##### This attribute holds the scope for searching the principals |
4983 | -##### under krbSubTree attribute of krbRealmContainer |
4984 | -##### The value can either be 1 (ONE) or 2 (SUB_TREE). |
4985 | -olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.25.1 |
4986 | - NAME 'krbSearchScope' |
4987 | - EQUALITY integerMatch |
4988 | - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
4989 | - SINGLE-VALUE) |
4990 | -##### FDNs pointing to Kerberos principals |
4991 | -olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.26.1 |
4992 | - NAME 'krbPrincipalReferences' |
4993 | - EQUALITY distinguishedNameMatch |
4994 | - SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) |
4995 | -##### This attribute specifies which attribute of the user objects |
4996 | -##### be used as the principal name component for Kerberos. |
4997 | -##### The allowed values are cn, sn, uid, givenname, fullname. |
4998 | -olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.28.1 |
4999 | - NAME 'krbPrincNamingAttr' |
5000 | - EQUALITY caseIgnoreMatch |
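Review bot: this hunk deletes the krb* attribute definitions (OIDs under 1.2.840.113554.1.4.1 and 2.16.840.1.113719.1.301.4, from `krbCanonicalName` through `krbPrincNamingAttr`) as a whole-file removal, so the diff gives no way to confirm that the relocated copy keeps each definition byte-identical; schema already loaded into cn=config is hard to correct on a live server, so please verify that the replacement file preserves the same OIDs, NAME, EQUALITY/SUBSTR rules and SINGLE-VALUE flags, and record the relocation as a rename (`bzr mv`) so the diff shows a move rather than a delete plus an unrelated add.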
Is this available as a pre-built package?
-Bruce
On Wed, Apr 28, 2010 at 6:54 AM, Adam Sommer <email address hidden> wrote:
> Adam Sommer has proposed merging
> lp:~asommer/openldap-dit/openldap-dit-split into lp:openldap-dit.
>
> Requested reviews:
> Andreas Hasenack (ahasenack)
>
>
> My attempt to solve the split-dit-package blueprint:
> https:/
>
> Created subdirectories in the schemas, acls, databases, contents, modules,
> and overlays directories for the various "services" that can be added to the
> DIT. Doing this also allows users to easily create a base DIT if that is
> all they desire.
>
> Code is also updated for latest slapd package which makes changes to the
> cn=localroot,
>
> --
>
> https:/
> You are subscribed to branch lp:openldap-dit.
>
> === added directory 'acls/base'
> === added file 'acls/base/
> --- acls/base/
> +++ acls/base/
> @@ -0,0 +1,6 @@
> +dn: olcDatabase=
> +changetype: modify
> +add: olcAccess
> +olcAccess: to *
> + by group/groupOfMe
> Groups,@SUFFIX@" manage
> + by * break
>
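Review bot: the rule is appended with `add: olcAccess` and no `{n}` index, so its position relative to any olcAccess already present on that database depends on the server's existing state; if an earlier rule ends in `by * none` instead of `by * break`, this `to * by group/... manage by * break` clause is never reached. Give it an explicit index (for example `olcAccess: {0}to *`) or document the starting ACL the file assumes.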
> === removed file 'acls/config-
> --- acls/config-
> +++ acls/config-
> @@ -1,6 +0,0 @@
> -dn: olcDatabase=
> -changetype: modify
> -add: olcAccess
> -olcAccess: to *
> - by group/groupOfMe
> Groups,@SUFFIX@" manage
> - by * break
>
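Review bot: these six removed lines are the same rule that the previous hunk adds under acls/base/, so this is a move; committing it as `bzr mv` would let the diff show a rename and spare the reviewer comparing both copies line by line to confirm nothing changed.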
> === removed file 'acls/frontend-
> --- acls/frontend-
> +++ acls/frontend-
> @@ -1,7 +0,0 @@
> -# see bug #427842
> -dn: olcDatabase=
> -changetype: modify
> -add: olcAccess
> -olcAccess: to dn.base="" by * read
> -olcAccess: to dn.base=
> -
>
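Review bot: deleting `olcAccess: to dn.base="" by * read` from the frontend database withdraws anonymous read of the root DSE (and, in the truncated second rule, of the entry named there) for every database, which clients rely on to discover namingContexts and supportedSASLMechanisms before binding; the `# see bug #427842` comment records why the rule existed. If the newer slapd package mentioned in the proposal now grants this by default, say so in the changelog; otherwise carry the rule over into acls/base/ rather than dropping it.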
> === added directory 'contents/base'
> === added file 'contents/
> --- contents/
> +++ contents/
> @@ -0,0 +1,160 @@
> +# base tree
> +dn: @SUFFIX@
> +dc: @DC@
> +objectClass: domain
> +objectClass: domainRelatedObject
> +associatedDomain: @DOMAIN@
> +
> +dn: ou=People,@SUFFIX@
> +ou: People
> +objectClass: organizationalUnit
> +
> +dn: ou=Group,@SUFFIX@
> +ou: Group
> +objectClass: organizationalUnit
> +description: Container for user accounts
> +
> +dn: ou=System Accounts,@SUFFIX@
> +ou: System Accounts
> +objectClass: organizationalUnit
> +description: Container for System and Services privileged accounts
> +
> +dn: ou=System Groups,@SUFFIX@
> +ou: System Groups
> +objectClass: organizationalUnit
> +description: Container for System and Services privileged groups
> +
> +dn: ou=Hosts,@SUFFIX@
> +ou: Hosts
> +objectClass: organizationalUnit
> +description: Container for Samba machine accounts
> +
> +dn: ou=Idmap,@SUFFIX@
> +ou: Idmap
> +objectCla...
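Review bot: `ou=Group` is given `description: Container for user accounts`, which is the text one would expect on `ou=People` directly above it (which has no description at all); swap it for a description that fits groups and give ou=People its own. For the same reason `ou=Hosts` should not describe itself as a container for "Samba machine accounts" in what the proposal presents as the service-independent base tree.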