Merge lp:~asommer/openldap-dit/openldap-dit-split into lp:openldap-dit

Proposed by Adam Sommer
Status: Needs review
Proposed branch: lp:~asommer/openldap-dit/openldap-dit-split
Merge into: lp:openldap-dit
Diff against target: 6285 lines (+3036/-2712)
91 files modified
Makefile (+10/-17)
acls/config-acl.ldif (+0/-6)
acls/frontend-acl.ldif (+0/-7)
autofs/autofs.ldif (+11/-0)
contents/dit.ldif (+0/-270)
core/README (+321/-0)
core/acl.ldif (+16/-0)
core/cosine.schema.ldif (+200/-0)
core/database.ldif (+13/-0)
core/dit.ldif (+19/-0)
core/inetorgperson.schema.ldif (+69/-0)
core/misc.schema.ldif (+25/-0)
core/modules.ldif (+4/-0)
core/namedObject.schema.ldif (+5/-0)
databases/add-hdb.ldif (+0/-152)
databases/add-monitor.ldif (+0/-10)
debian/changelog (+44/-1)
debian/control (+18/-7)
debian/copyright (+2/-0)
debian/dirs (+0/-1)
debian/docs (+0/-10)
debian/files (+0/-1)
debian/openldap-dit-core.config (+79/-0)
debian/openldap-dit-core.dirs (+1/-0)
debian/openldap-dit-core.docs (+3/-0)
debian/openldap-dit-core.postinst.in (+59/-0)
debian/openldap-dit-core.postrm (+15/-0)
debian/openldap-dit-core.templates (+28/-0)
debian/openldap-dit-usersandgroups.dirs (+1/-0)
debian/openldap-dit-usersandgroups.docs (+1/-0)
debian/openldap-dit-usersandgroups.postinst.in (+50/-0)
debian/openldap-dit.scripts-common (+217/-0)
debian/po/POTFILES.in (+1/-0)
debian/po/templates.pot (+82/-0)
debian/rules (+6/-3)
debian/source/format (+1/-0)
dhcp/dhcp-acl.ldif (+21/-0)
dhcp/dhcp-dit.ldif (+33/-0)
dhcp/dhcp-schema.ldif (+224/-0)
dns/dns-acl.ldif (+26/-0)
dns/dns-dit.ldif (+33/-0)
dns/dnszone-schema.ldif (+67/-0)
doc/README (+0/-321)
mit-kerberos/mit-kerberos-acl.ldif (+29/-0)
mit-kerberos/mit-kerberos-dit.ldif (+19/-0)
mit-kerberos/mit-kerberos-schema.ldif (+473/-0)
mit-kerberos/mit-refint-overlay.ldif (+7/-0)
modules/add-modules.ldif (+0/-10)
monitor/README (+1/-0)
monitor/acl.ldif (+12/-0)
monitor/database.ldif (+7/-0)
monitor/modules.ldif (+4/-0)
openldap-dit-setup.sh (+0/-394)
overlays/1_add-ppolicy-overlay.ldif (+0/-6)
overlays/2_add-unique-overlay.ldif (+0/-11)
overlays/3_add-syncprov-overlay.ldif (+0/-9)
overlays/4_add-refint-overlay.ldif (+0/-10)
replication/replication-acl.ldif (+7/-0)
replication/replication-dit.ldif (+14/-0)
replication/replication-modules.ldif (+4/-0)
replication/syncprov-overlay.ldif (+9/-0)
samba/samba-acl.ldif (+47/-0)
samba/samba-dit.ldif (+19/-0)
samba/samba-schema.ldif (+175/-0)
schemas/autofs.ldif (+0/-11)
schemas/cosine.ldif (+0/-200)
schemas/dhcp.ldif (+0/-224)
schemas/dnszone.ldif (+0/-67)
schemas/dyngroup.ldif (+0/-24)
schemas/inetorgperson.ldif (+0/-69)
schemas/misc.ldif (+0/-25)
schemas/mit-kerberos.ldif (+0/-473)
schemas/namedObject.ldif (+0/-5)
schemas/ppolicy.ldif (+0/-44)
schemas/rfc2307bis.ldif (+0/-128)
schemas/samba.ldif (+0/-175)
schemas/sudo.ldif (+0/-21)
sudo/sudo-acl.ldif (+16/-0)
sudo/sudo-dit.ldif (+24/-0)
sudo/sudo-schema.ldif (+21/-0)
usersandgroups/README (+1/-0)
usersandgroups/acl.ldif (+81/-0)
usersandgroups/dit.ldif (+88/-0)
usersandgroups/dyngroup-schema.ldif (+24/-0)
usersandgroups/indexes.ldif (+42/-0)
usersandgroups/modules.ldif (+10/-0)
usersandgroups/ppolicy.overlay.ldif (+6/-0)
usersandgroups/ppolicy.schema.ldif (+44/-0)
usersandgroups/refint.overlay.ldif (+8/-0)
usersandgroups/rfc2307bis.schema.ldif (+128/-0)
usersandgroups/unique.overlay.ldif (+11/-0)
To merge this branch: bzr merge lp:~asommer/openldap-dit/openldap-dit-split
Reviewer Review Type Date Requested Status
Mathias Gug (community) Needs Fixing
Andreas Hasenack Pending
Review via email: mp+24321@code.launchpad.net

Description of the change

My attempt to solve the split-dit-package blueprint: https://blueprints.launchpad.net/openldap-dit/+spec/split-dit-package

Created subdirectories in the schemas, acls, databases, contents, modules, and overlays directories for the various "services" that can be added to the DIT. Doing this also allows users to easily create a base DIT if that is all they desire.

Code is also updated for latest slapd package which makes changes to the cn=localroot,cn=config authentication method.

Revision history for this message
Bruce Edge (bruce-edge) wrote :

Is this available as a pre-built package?

-Bruce

On Wed, Apr 28, 2010 at 6:54 AM, Adam Sommer <email address hidden> wrote:

> Adam Sommer has proposed merging
> lp:~asommer/openldap-dit/openldap-dit-split into lp:openldap-dit.
>
> Requested reviews:
> Andreas Hasenack (ahasenack)
>
>
> My attempt to solve the split-dit-package blueprint:
> https://blueprints.launchpad.net/openldap-dit/+spec/split-dit-package
>
> Created subdirectories in the schemas, acls, databases, contents, modules,
> and overlays directories for the various "services" that can be added to the
> DIT. Doing this also allows users to easily create a base DIT if that is
> all they desire.
>
> Code is also updated for latest slapd package which makes changes to the
> cn=localroot,cn=config authentication method.
>
> --
>
> https://code.launchpad.net/~asommer/openldap-dit/openldap-dit-split/+merge/24321
> You are subscribed to branch lp:openldap-dit.
>
> === added directory 'acls/base'
> === added file 'acls/base/config-acl.ldif'
> --- acls/base/config-acl.ldif 1970-01-01 00:00:00 +0000
> +++ acls/base/config-acl.ldif 2010-04-28 13:54:17 +0000
> @@ -0,0 +1,6 @@
> +dn: olcDatabase={0}config,cn=config
> +changetype: modify
> +add: olcAccess
> +olcAccess: to *
> + by group/groupOfMembers/member.exact="cn=LDAP Admins,ou=System
> Groups,@SUFFIX@" manage
> + by * break
>
> === removed file 'acls/config-acl.ldif'
> --- acls/config-acl.ldif 2009-09-17 13:38:20 +0000
> +++ acls/config-acl.ldif 1970-01-01 00:00:00 +0000
> @@ -1,6 +0,0 @@
> -dn: olcDatabase={0}config,cn=config
> -changetype: modify
> -add: olcAccess
> -olcAccess: to *
> - by group/groupOfMembers/member.exact="cn=LDAP Admins,ou=System
> Groups,@SUFFIX@" manage
> - by * break
>
> === removed file 'acls/frontend-acl.ldif'
> --- acls/frontend-acl.ldif 2009-09-14 20:38:42 +0000
> +++ acls/frontend-acl.ldif 1970-01-01 00:00:00 +0000
> @@ -1,7 +0,0 @@
> -# see bug #427842
> -dn: olcDatabase={-1}frontend,cn=config
> -changetype: modify
> -add: olcAccess
> -olcAccess: to dn.base="" by * read
> -olcAccess: to dn.base="cn=subschema" by * read
> -
>
> === added directory 'contents/base'
> === added file 'contents/base/base-dit.ldif'
> --- contents/base/base-dit.ldif 1970-01-01 00:00:00 +0000
> +++ contents/base/base-dit.ldif 2010-04-28 13:54:17 +0000
> @@ -0,0 +1,160 @@
> +# base tree
> +dn: @SUFFIX@
> +dc: @DC@
> +objectClass: domain
> +objectClass: domainRelatedObject
> +associatedDomain: @DOMAIN@
> +
> +dn: ou=People,@SUFFIX@
> +ou: People
> +objectClass: organizationalUnit
> +
> +dn: ou=Group,@SUFFIX@
> +ou: Group
> +objectClass: organizationalUnit
> +description: Container for user accounts
> +
> +dn: ou=System Accounts,@SUFFIX@
> +ou: System Accounts
> +objectClass: organizationalUnit
> +description: Container for System and Services privileged accounts
> +
> +dn: ou=System Groups,@SUFFIX@
> +ou: System Groups
> +objectClass: organizationalUnit
> +description: Container for System and Services privileged groups
> +
> +dn: ou=Hosts,@SUFFIX@
> +ou: Hosts
> +objectClass: organizationalUnit
> +description: Container for Samba machine accounts
> +
> +dn: ou=Idmap,@SUFFIX@
> +ou: Idmap
> +objectCla...

Revision history for this message
Adam Sommer (asommer) wrote :

On Wed, Apr 28, 2010 at 10:30 PM, Thag <email address hidden> wrote:

> Is this available as a pre-built package?
>
> -Bruce
>

Not at this time that I know of, but it should be pretty simple to set up a
PPA for the package or to create a local build using pbuilder.

Thanks.
--
Party On,
Adam

68. By Adam Sommer

Reorganizing files into minimal core scheme.

69. By Adam Sommer

Moved syncprov overlay into its own directory.

70. By Adam Sommer

Moved syncrepl module out of core-modules.ldif

71. By Adam Sommer

Updated package for new modular approach.

72. By Adam Sommer

More Makefile updates to implement the new directory layout.

73. By Adam Sommer

Finally have the correct loop to install the ldifs.

74. By Adam Sommer

Got package working under openldap-dit-core directories.

75. By Adam Sommer

Reorganizing into simple service directories with service-LDIFTYPE.ldif files.

76. By Adam Sommer

Creation of openldap-dit-usersandgroups package.

77. By Adam Sommer

Finished second directory reorganization.

78. By Adam Sommer

Cleaning up postinst scripts.

79. By Adam Sommer

Working toward using debconf to get suffix (from domain) and admin password.

80. By Adam Sommer

Using openldap-dit.scripts-common to hold common postinst functions that will be added using openldap-dit-.postinst.in for each package.

81. By Adam Sommer

Get domain and admin password from debconf, but still need to do sanity checks on password.

82. By Adam Sommer

New while loop to check password confirmation.

83. By Adam Sommer

 * Fixed ACL replacement code.
 * Updated usersandgroups postinst.in working on checking for previous DIT.

84. By Adam Sommer

Removed unused functions and cleaned up comments.

85. By Adam Sommer

Adjusted ACL to allow LDAP Admin full control.

86. By Adam Sommer

More ACL adjustments, groups should now work as advertised.

87. By Adam Sommer

 * Fixed dsc lintian errors by using pot files for the templates,
   creating the debian/source/format file, updated standards version,
   and changed version number.
 * Removed openldap-dit-setup.sh.

88. By Adam Sommer

Fixing lintian errors in .deb file.

89. By Adam Sommer

Removed LICENSE install to fix lintian error.

90. By Adam Sommer

Created Lucid package.

91. By Adam Sommer

Forgot to remove comments.

Revision history for this message
Mathias Gug (mathiaz) wrote :

Hi Adam,

Thanks for working on this. As this is a big diff I'll split the review in multiple passes.

Here are a few comments about the upstream code changes (ie outside the debian/ directory):

> === modified file 'Makefile'
> --- Makefile 2009-12-02 21:04:38 +0000
> +++ Makefile 2010-06-17 16:58:16 +0000
> @@ -43,7 +36,7 @@
>
> tarball: clean
> mkdir $(NAME)-$(VERSION)
> - cp -a Makefile *.sh schemas doc TODO LICENSE COPYRIGHT acls databases overlays modules contents $(NAME)-$(VERSION)
> + cp -a Makefile *.sh schemas doc TODO COPYRIGHT acls databases overlays modules contents $(NAME)-$(VERSION)

Why is the LICENSE file removed from the tarball?

> === added directory 'core'
> === added file 'core/core-acl.ldif'
> --- core/core-acl.ldif 1970-01-01 00:00:00 +0000
> +++ core/core-acl.ldif 2010-06-17 16:58:16 +0000
> @@ -0,0 +1,34 @@

I would split the acl parts from the database definition. Every part that other
modules (e.g. usersandgroups) could define should be part of their own file.

The actual database definition could be put in core/database.ldif.

> +olcDbDirectory: /var/lib/ldap

I would use a sub-directory of /var/lib/ldap/ such as openldap-dit/ so that
other packages could also use /var/lib/ldap/ for their own database backend.

> +olcDbIndex: objectClass eq
> +olcDbIndex: entryUUID eq
> +olcDbIndex: entryCSN eq
> +olcDbIndex: cn eq,subinitial

I would suggest putting all the index definitions in a core/indexes.ldif file.

> +olcDbIndex: uid eq,subinitial
> +olcDbIndex: uidNumber eq
> +olcDbIndex: gidNumber eq
> +olcDbIndex: sn eq,subinitial
> +olcDbIndex: member eq
> +olcDbIndex: mail eq,subinitial
> +olcDbIndex: givenName eq,subinitial
> +olcDbIndex: displayName eq
> +olcDbIndex: uniqueMember pres,eq

All of these indexes are actually related to the user and group module. So move them to usersandgroups/indexes.ldif.

> +olcAccess: {0}to dn.subtree="@SUFFIX@"
> + by dn.exact="uid=LDAP Admin,ou=System Accounts,@SUFFIX@" manage
> + by * break
> +olcAccess: {1}to dn.subtree="@SUFFIX@"
> + by * read

I'd suggest that all the ACL definitions should go in the core/acl.ldif file.

> +olcAddContentAcl: TRUE
> +olcLastMod: TRUE

These should be part of the core database configuration in core/database.ldif.

> === added file 'core/core-dit.ldif'
> --- core/core-dit.ldif 1970-01-01 00:00:00 +0000
> +++ core/core-dit.ldif 2010-06-17 16:58:16 +0000

I would name the file dit.ldif instead of core-dit.ldif since core is already in the directory name.

> === added file 'core/core-modules.ldif'
> --- core/core-modules.ldif 1970-01-01 00:00:00 +0000
> +++ core/core-modules.ldif 2010-06-17 16:58:16 +0000

I would rename core-modules to modules.ldif since core is already part of the directory name.

> @@ -0,0 +1,9 @@
> +dn: cn=module,cn=config

[...]

> +olcModuleLoad: back_bdb.la

You don't need back_bdb as long as you're using back_hdb only.

> +olcModuleLoad: ppolicy.la
> +olcModuleLoad: unique.la

These two modules are part of usersandgroups. I'd move them to usersandgroups/modules.ldif.

[...]

> +olcModuleLoad: refint.la

I think this module should also be part of usersandgroups.

> === added file 'core/cosine-schema.ldif'
> === added file ...


review: Needs Fixing
92. By Adam Sommer

Adjusted file content and naming per Mathias' good suggestions.

93. By Adam Sommer

New check to find suffix database to add LDIFs to.

94. By Adam Sommer

Finished changes to dynamically find suffix database.

95. By Adam Sommer

Find index of module suffix.

Revision history for this message
Adam Sommer (asommer) wrote :

Hello Mathias,

Sorry for taking so long to get back to you... got jammed up in the day job,
but should have a lot of time to focus on this. Thank you very much for
reviewing my submission.

> > === modified file 'Makefile'
> > --- Makefile 2009-12-02 21:04:38 +0000
> > +++ Makefile 2010-06-17 16:58:16 +0000
> > @@ -43,7 +36,7 @@
> >
> > tarball: clean
> > mkdir $(NAME)-$(VERSION)
> > - cp -a Makefile *.sh schemas doc TODO LICENSE COPYRIGHT acls
> databases overlays modules contents $(NAME)-$(VERSION)
> > + cp -a Makefile *.sh schemas doc TODO COPYRIGHT acls databases
> overlays modules contents $(NAME)-$(VERSION)
>
> Why is the LICENSE file removed from the tarball?
>

It was removed to fix a lintian error... this was probably the wrong way to
fix that, so I'll revisit and come up with the correct solution.

>
> I would use a sub-directory of /var/lib/ldap/ such as openldap-dit/ so that
> other packages could also use /var/lib/ldap/ for their own database
> backend.
>

Not sure I agree with this point. What other packages use /var/lib/ldap?
Besides slapd that is (which doesn't actually add anything by default)?
Just wondering why it'd be better to use a subdirectory... my impression of
openldap-dit was for it to configure the main LDAP directory tree for an
organization's server/network.

Also, doing so would require adjusting the AppArmor profile... I'm sure that
isn't a big deal, but something else to keep in mind.

>
> I'd try not to use indexes here as we're not sure the index number of the
> database. Computing the actual index should be left to the script that is
> actually responsible for loading these overlays in the correct database.
>
>

Renamed the directories as you suggested... I like it better too. Coded a
way to find the database that contains the suffix. Also, added a check to
find the cn=module suffix.

I think that covers everything, but if not just let me know.

Thanks again Mathias.

--
Party On,
Adam

Unmerged revisions

95. By Adam Sommer

Find index of module suffix.

94. By Adam Sommer

Finished changes to dynamically find suffix database.

93. By Adam Sommer

New check to find suffix database to add LDIFs to.

92. By Adam Sommer

Adjusted file content and naming per Mathias' good suggestions.

91. By Adam Sommer

Forgot to remove comments.

90. By Adam Sommer

Created Lucid package.

89. By Adam Sommer

Removed LICENSE install to fix lintian error.

88. By Adam Sommer

Fixing lintian errors in .deb file.

87. By Adam Sommer

 * Fixed dsc lintian errors by using pot files for the templates,
   creating the debian/source/format file, updated standards version,
   and changed version number.
 * Removed openldap-dit-setup.sh.

86. By Adam Sommer

More ACL adjustments, groups should now work as advertised.

Preview Diff

1=== modified file 'Makefile'
2--- Makefile 2009-12-02 21:04:38 +0000
3+++ Makefile 2010-07-19 21:25:56 +0000
4@@ -1,7 +1,7 @@
5 # Makefile for openldap-dit
6
7 NAME = openldap-dit
8-VERSION = 0.21
9+VERSION = 0.22
10 DESTDIR =
11 prefix = /usr
12 bindir = $(prefix)/bin
13@@ -14,24 +14,17 @@
14 mydir = $(ldapdatadir)/$(NAME)
15 ldapscriptdir = $(ldapdatadir)
16
17-install:
18+install-core:
19 mkdir -p $(DESTDIR)$(mydir)
20 mkdir -p $(DESTDIR)$(docdir)
21 mkdir -p $(DESTDIR)$(ldapscriptdir)
22- mkdir -p $(DESTDIR)$(mydir)/acls
23- mkdir -p $(DESTDIR)$(mydir)/databases
24- mkdir -p $(DESTDIR)$(mydir)/overlays
25- mkdir -p $(DESTDIR)$(mydir)/schemas
26- mkdir -p $(DESTDIR)$(mydir)/modules
27- mkdir -p $(DESTDIR)$(mydir)/contents
28- install -m 0755 *.sh $(DESTDIR)$(ldapscriptdir)
29- install -m 0644 schemas/* $(DESTDIR)$(mydir)/schemas
30- install -m 0644 doc/* TODO LICENSE COPYRIGHT $(DESTDIR)$(docdir)
31- install -m 0644 acls/* $(DESTDIR)$(mydir)/acls/
32- install -m 0644 databases/* $(DESTDIR)$(mydir)/databases/
33- install -m 0644 overlays/* $(DESTDIR)$(mydir)/overlays/
34- install -m 0644 modules/* $(DESTDIR)$(mydir)/modules/
35- install -m 0644 contents/* $(DESTDIR)$(mydir)/contents/
36+ install -m 0644 TODO COPYRIGHT $(DESTDIR)$(docdir)
37+ mkdir -p $(DESTDIR)$(mydir)/core
38+ install -m 0644 core/* $(DESTDIR)$(mydir)/core
39+
40+install-usersandgroups:
41+ mkdir -p $(DESTDIR)$(mydir)/usersandgroups
42+ install -m 0644 usersandgroups/* $(DESTDIR)$(mydir)/usersandgroups
43
44 clean:
45 rm -rf *~ $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.bz2 debian/$(NAME)
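Review bot: the generic `install` target is dropped in this hunk (renamed to `install-core`), so anything that still runs `make install` fails with "No rule to make target"; keep an aggregate `install: install-core install-usersandgroups` so both callers work. Two smaller points in the same hunk: `install -m 0644 core/* $(DESTDIR)$(mydir)/core` copies core/README next to the LDIFs (the old target put docs in $(docdir)), so any postinst loop that applies every file under that directory must skip non-LDIF files; and the `install -m 0755 *.sh` line is gone, which matches openldap-dit-setup.sh being removed in this branch, but `mkdir -p $(DESTDIR)$(ldapscriptdir)` is still run and now creates an empty directory.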
46@@ -43,7 +36,7 @@
47
48 tarball: clean
49 mkdir $(NAME)-$(VERSION)
50- cp -a Makefile *.sh schemas doc TODO LICENSE COPYRIGHT acls databases overlays modules contents $(NAME)-$(VERSION)
51+ cp -a Makefile *.sh schemas doc TODO COPYRIGHT acls databases overlays modules contents $(NAME)-$(VERSION)
52 cp -a debian $(NAME)-$(VERSION)
53 tar czf $(NAME)-$(VERSION).tar.gz $(NAME)-$(VERSION)
54 rm -rf $(NAME)-$(VERSION)
55
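Review bot: the `cp -a` list in `tarball` still names `*.sh schemas acls databases overlays modules contents`, but this same branch removes the acls, contents, schemas, databases, overlays and modules directories (see the `=== removed directory` entries below and the file list above) and deletes openldap-dit-setup.sh, so `cp -a` errors on the missing paths and `make tarball` breaks; the list should reflect the new layout (core, usersandgroups, the service directories, debian). LICENSE was also dropped from the copy, which Mathias already questioned above.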
56=== removed directory 'acls'
57=== removed file 'acls/config-acl.ldif'
58--- acls/config-acl.ldif 2009-09-17 13:38:20 +0000
59+++ acls/config-acl.ldif 1970-01-01 00:00:00 +0000
60@@ -1,6 +0,0 @@
61-dn: olcDatabase={0}config,cn=config
62-changetype: modify
63-add: olcAccess
64-olcAccess: to *
65- by group/groupOfMembers/member.exact="cn=LDAP Admins,ou=System Groups,@SUFFIX@" manage
66- by * break
67
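Review bot: this removes the only rule in the diff that gave cn=LDAP Admins `manage` on olcDatabase={0}config, and no replacement for the config database appears in this hunk; the change description says core/acl.ldif takes over, so confirm it carries both the `manage` clause for the admin group and the trailing `by * break`, otherwise administrators either lose cn=config access or, if `break` is missing, the default slapd config rules stop applying after the first match.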
68=== removed file 'acls/frontend-acl.ldif'
69--- acls/frontend-acl.ldif 2009-09-14 20:38:42 +0000
70+++ acls/frontend-acl.ldif 1970-01-01 00:00:00 +0000
71@@ -1,7 +0,0 @@
72-# see bug #427842
73-dn: olcDatabase={-1}frontend,cn=config
74-changetype: modify
75-add: olcAccess
76-olcAccess: to dn.base="" by * read
77-olcAccess: to dn.base="cn=subschema" by * read
78-
79
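Review bot: dropping the frontend rules `to dn.base="" by * read` and `to dn.base="cn=subschema" by * read` (added for bug #427842 according to the comment) means anonymous clients can no longer read the rootDSE or the subschema entry unless an equivalent rule is added in core/acl.ldif; many clients probe the rootDSE for supportedSASLMechanisms and similar attributes before binding, so this is a likely regression. Keep the rules or state where they moved.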
80=== added directory 'autofs'
81=== added file 'autofs/autofs.ldif'
82--- autofs/autofs.ldif 1970-01-01 00:00:00 +0000
83+++ autofs/autofs.ldif 2010-07-19 21:25:56 +0000
84@@ -0,0 +1,11 @@
85+dn: cn=autofs,cn=schema,cn=config
86+objectClass: olcSchemaConfig
87+cn: autofs
88+olcAttributeTypes: {0}( 1.3.6.1.1.1.1.25 NAME 'automountInformation' DESC 'Inf
89+ ormation used by the autofs automounter' EQUALITY caseExactIA5Match SYNTAX 1.
90+ 3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
91+olcObjectClasses: {0}( 1.3.6.1.1.1.1.13 NAME 'automount' DESC 'An entry in an
92+ automounter map' SUP top STRUCTURAL MUST ( cn $ automountInformation ) MAY de
93+ scription )
94+olcObjectClasses: {1}( 1.3.6.1.4.1.2312.4.2.2 NAME 'automountMap' DESC 'An gro
95+ up of related automount objects' SUP top STRUCTURAL MUST ou )
96
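Review bot: the file name does not follow the service-LDIFTYPE.ldif convention the other service directories in this branch use (dhcp/dhcp-schema.ldif, dns/dnszone-schema.ldif, sudo/sudo-schema.ldif); suggest autofs/autofs-schema.ldif so the install loop can tell schema files from ACL and DIT files by name. Also the automountMap DESC reads "An group of related automount objects"; should be "A group".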
97=== removed directory 'contents'
98=== removed file 'contents/dit.ldif'
99--- contents/dit.ldif 2009-10-06 18:58:32 +0000
100+++ contents/dit.ldif 1970-01-01 00:00:00 +0000
101@@ -1,270 +0,0 @@
102-# base tree
103-dn: @SUFFIX@
104-dc: @DC@
105-objectClass: domain
106-objectClass: domainRelatedObject
107-associatedDomain: @DOMAIN@
108-
109-dn: ou=People,@SUFFIX@
110-ou: People
111-objectClass: organizationalUnit
112-
113-dn: ou=Group,@SUFFIX@
114-ou: Group
115-objectClass: organizationalUnit
116-description: Container for user accounts
117-
118-dn: ou=System Accounts,@SUFFIX@
119-ou: System Accounts
120-objectClass: organizationalUnit
121-description: Container for System and Services privileged accounts
122-
123-dn: ou=System Groups,@SUFFIX@
124-ou: System Groups
125-objectClass: organizationalUnit
126-description: Container for System and Services privileged groups
127-
128-dn: ou=Hosts,@SUFFIX@
129-ou: Hosts
130-objectClass: organizationalUnit
131-description: Container for Samba machine accounts
132-
133-dn: ou=Idmap,@SUFFIX@
134-ou: Idmap
135-objectClass: organizationalUnit
136-description: Container for Samba Winbind ID mappings
137-
138-dn: ou=Address Book,@SUFFIX@
139-ou: Address Book
140-objectClass: organizationalUnit
141-description: Container for global address book entries
142-
143-dn: ou=sudoers,@SUFFIX@
144-ou: sudoers
145-objectClass: organizationalUnit
146-description: Container for sudo related entries
147-
148-dn: cn=defaults,ou=sudoers,@SUFFIX@
149-cn: defaults
150-objectClass: sudoRole
151-sudoOption: authenticate
152-description: Default options for sudo roles
153-
154-dn: ou=dhcp,@SUFFIX@
155-ou: dhcp
156-objectClass: organizationalUnit
157-description: Container for DHCP related entries
158-
159-dn: ou=dns,@SUFFIX@
160-ou: dns
161-objectClass: organizationalUnit
162-description: Container for DNS related entries
163-
164-dn: ou=Kerberos Realms,@SUFFIX@
165-ou: Kerberos Realms
166-objectClass: organizationalUnit
167-description: Container for Kerberos Realms
168-
169-dn: ou=Password Policies,@SUFFIX@
170-ou: Password Policies
171-objectClass: organizationalUnit
172-description: Container for OpenLDAP password policies
173-
174-dn: cn=default,ou=Password Policies,@SUFFIX@
175-cn: default
176-objectClass: pwdPolicy
177-objectClass: namedObject
178-pwdAttribute: userPassword
179-pwdCheckQuality: 1
180-
181-# System Accounts
182-dn: uid=Account Admin,ou=System Accounts,@SUFFIX@
183-uid: Account Admin
184-objectClass: account
185-objectClass: simpleSecurityObject
186-userPassword: {CRYPT}x
187-description: Account used to administer all users, groups, machines and general accounts
188-
189-dn: uid=nssldap,ou=System Accounts,@SUFFIX@
190-uid: nssldap
191-objectClass: account
192-objectClass: simpleSecurityObject
193-userPassword: {CRYPT}x
194-description: Unprivileged account which can be used by nss_ldap for when anonymous searches are disabled
195-
196-dn: uid=MTA Admin,ou=System Accounts,@SUFFIX@
197-uid: MTA Admin
198-objectClass: account
199-objectClass: simpleSecurityObject
200-userPassword: {CRYPT}x
201-description: Account used to administer email related attributes
202-
203-dn: uid=DHCP Admin,ou=System Accounts,@SUFFIX@
204-uid: DHCP Admin
205-objectClass: account
206-objectClass: simpleSecurityObject
207-userPassword: {CRYPT}x
208-description: Account used to administer DHCP related entries and attributes
209-
210-dn: uid=DHCP Reader,ou=System Accounts,@SUFFIX@
211-uid: DHCP Reader
212-objectClass: account
213-objectClass: simpleSecurityObject
214-userPassword: {CRYPT}x
215-description: Account used to read entries and attributes under ou=dhcp
216-
217-dn: uid=DNS Admin,ou=System Accounts,@SUFFIX@
218-uid: DNS Admin
219-objectClass: account
220-objectClass: simpleSecurityObject
221-userPassword: {CRYPT}x
222-description: Account used to administer DNS related entries and attributes
223-
224-dn: uid=DNS Reader,ou=System Accounts,@SUFFIX@
225-uid: DNS Reader
226-objectClass: account
227-objectClass: simpleSecurityObject
228-userPassword: {CRYPT}x
229-description: Account used to read entries and attributes under ou=dns
230-
231-dn: uid=Sudo Admin,ou=System Accounts,@SUFFIX@
232-uid: Sudo Admin
233-objectClass: account
234-objectClass: simpleSecurityObject
235-userPassword: {CRYPT}x
236-description: Account used to administer Sudo related entries and attributes
237-
238-dn: uid=Address Book Admin,ou=System Accounts,@SUFFIX@
239-uid: Address Book Admin
240-objectClass: account
241-objectClass: simpleSecurityObject
242-userPassword: {CRYPT}x
243-description: Account used to administer global Address Book related entries and attributes
244-
245-dn: uid=LDAP Admin,ou=System Accounts,@SUFFIX@
246-uid: LDAP Admin
247-objectClass: account
248-objectClass: simpleSecurityObject
249-userPassword: {CRYPT}x
250-description: Account used to administer all parts of the Directory
251-
252-dn: uid=LDAP Replicator,ou=System Accounts,@SUFFIX@
253-uid: LDAP Replicator
254-objectClass: account
255-objectClass: simpleSecurityObject
256-userPassword: {CRYPT}x
257-description: Account used by consumer servers for replication
258-
259-dn: uid=LDAP Monitor,ou=System Accounts,@SUFFIX@
260-uid: LDAP Monitor
261-objectClass: account
262-objectClass: simpleSecurityObject
263-userPassword: {CRYPT}x
264-description: Account used to read cn=monitor entries
265-
266-dn: uid=Idmap Admin,ou=System Accounts,@SUFFIX@
267-uid: Idmap Admin
268-objectClass: account
269-objectClass: simpleSecurityObject
270-userPassword: {CRYPT}x
271-description: Account used to administer Samba Winbind ID mapping related entries and attributes
272-
273-dn: uid=kdc-service,ou=System Accounts,@SUFFIX@
274-uid: kdc-service
275-objectClass: account
276-objectClass: simpleSecurityObject
277-userPassword: {CRYPT}x
278-description: Account used for the Kerberos KDC
279-
280-dn: uid=kadmin-service,ou=System Accounts,@SUFFIX@
281-uid: kadmin-service
282-objectClass: account
283-objectClass: simpleSecurityObject
284-userPassword: {CRYPT}x
285-description: Account used for the Kerberos Admin server
286-
287-# Groups associated with system accounts
288-dn: cn=LDAP Admins,ou=System Groups,@SUFFIX@
289-cn: LDAP Admins
290-objectClass: groupOfMembers
291-description: Members can administer all parts of the Directory
292-owner: uid=LDAP Admin,ou=System Accounts,@SUFFIX@
293-member: uid=LDAP Admin,ou=System Accounts,@SUFFIX@
294-
295-dn: cn=Account Admins,ou=System Groups,@SUFFIX@
296-cn: Account Admins
297-objectClass: groupOfMembers
298-description: Members can administer all user, group and machine accounts
299-owner: uid=Account Admin,ou=System Accounts,@SUFFIX@
300-member: uid=Account Admin,ou=System Accounts,@SUFFIX@
301-
302-dn: cn=Sudo Admins,ou=System Groups,@SUFFIX@
303-cn: Sudo Admins
304-objectClass: groupOfMembers
305-description: Members can administer ou=sudoers entries and attributes
306-owner: uid=Sudo Admin,ou=System Accounts,@SUFFIX@
307-member: uid=Sudo Admin,ou=System Accounts,@SUFFIX@
308-
309-dn: cn=DNS Admins,ou=System Groups,@SUFFIX@
310-cn: DNS Admins
311-objectClass: groupOfMembers
312-description: Members can administer ou=DNS entries and attributes
313-owner: uid=DNS Admin,ou=System Accounts,@SUFFIX@
314-member: uid=DNS Admin,ou=System Accounts,@SUFFIX@
315-
316-dn: cn=DNS Readers,ou=System Groups,@SUFFIX@
317-cn: DNS Readers
318-objectClass: groupOfMembers
319-description: Members can read entries and attributes under ou=dns
320-owner: uid=DNS Admin,ou=System Accounts,@SUFFIX@
321-member: uid=DNS Reader,ou=System Accounts,@SUFFIX@
322-
323-dn: cn=DHCP Admins,ou=System Groups,@SUFFIX@
324-cn: DHCP Admins
325-objectClass: groupOfMembers
326-description: Members can administer ou=DHCP entries and attributes
327-owner: uid=DHCP Admin,ou=System Accounts,@SUFFIX@
328-member: uid=DHCP Admin,ou=System Accounts,@SUFFIX@
329-
330-dn: cn=DHCP Readers,ou=System Groups,@SUFFIX@
331-cn: DHCP Readers
332-objectClass: groupOfMembers
333-description: Members can read entries and attributes under ou=dhcp
334-owner: uid=DHCP Admin,ou=System Accounts,@SUFFIX@
335-member: uid=DHCP Reader,ou=System Accounts,@SUFFIX@
336-
337-dn: cn=Address Book Admins,ou=System Groups,@SUFFIX@
338-cn: Address Book Admins
339-objectClass: groupOfMembers
340-description: Members can administer ou=Address Book entries and attributes
341-owner: uid=Address Book Admin,ou=System Accounts,@SUFFIX@
342-member: uid=Address Book Admin,ou=System Accounts,@SUFFIX@
343-
344-dn: cn=LDAP Replicators,ou=System Groups,@SUFFIX@
345-cn: LDAP Replicators
346-objectClass: groupOfMembers
347-description: Members can be used for syncrepl replication
348-owner: uid=LDAP Replicator,ou=System Accounts,@SUFFIX@
349-member: uid=LDAP Replicator,ou=System Accounts,@SUFFIX@
350-
351-dn: cn=MTA Admins,ou=System Groups,@SUFFIX@
352-cn: MTA Admins
353-objectClass: groupOfMembers
354-description: Members can administer email related attributes
355-owner: uid=MTA Admin,ou=System Accounts,@SUFFIX@
356-member: uid=MTA Admin,ou=System Accounts,@SUFFIX@
357-
358-dn: cn=LDAP Monitors,ou=System Groups,@SUFFIX@
359-cn: LDAP Monitors
360-objectClass: groupOfMembers
361-description: Members can read the cn=monitor backend
362-owner: uid=LDAP Monitor,ou=System Accounts,@SUFFIX@
363-member: uid=LDAP Monitor,ou=System Accounts,@SUFFIX@
364-
365-dn: cn=Idmap Admins,ou=System Groups,@SUFFIX@
366-cn: Idmap Admins
367-objectClass: groupOfMembers
368-description: Members can administer ou=Idmap entries and attributes
369-owner: uid=Idmap Admin,ou=System Accounts,@SUFFIX@
370-member: uid=Idmap Admin,ou=System Accounts,@SUFFIX@
371-
372
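Review bot: every system account in the removed file carried `userPassword: {CRYPT}x`, a value no password can hash to, so none of them was bindable until an administrator set a real password; when these entries are redistributed into core/dit.ldif, usersandgroups/dit.ldif and the service -dit.ldif files, each account should keep that locked placeholder, and the postinst should set only the admin password that debconf asks for (revisions 79 and 81) on the intended account. Also note the groups here are `objectClass: groupOfMembers` and the removed acls/config-acl.ldif matched them with `group/groupOfMembers/member`, whereas the added core/README further down says groupOfNames was used; the README, the dit entries and the ACL group clauses must agree, because a group clause naming the wrong objectClass never matches and access silently falls through to the next rule.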
373=== added directory 'core'
374=== added file 'core/README'
375--- core/README 1970-01-01 00:00:00 +0000
376+++ core/README 2010-07-19 21:25:56 +0000
377@@ -0,0 +1,321 @@
378+Introduction
379+============
380+
381+This document aims to explain the Directory Information Tree (DIT) used in the
382+openldap-dit-core package.
383+
384+The motivation for this new layout is the need for a better separation of
385+privileges regarding access to the information stored in the directory. The
386+super user account of the directory should be used rarely and delegation of
387+privileges should be easier.
388+
389+We think this proposed layout accomplishes that by providing several groups
390+which have distinctive access rules, providing a clear separation of
391+privileges. In order to give an user a new privilege, all is needed is to add
392+him/her to one of these specific groups.
393+
394+These are the characteristics of the proposed DIT:
395+- several groups for common services
396+- most access control rules based on group membership
397+- several system accounts ready to use (just add a password) by many services
398+ such as:
399+ - sudo
400+ - dns
401+ - samba
402+ - etc
403+- simple installation script which prepares the tree asking very few questions
404+ (just two, and one of them is just a password)
405+- easy support for OpenLDAP's password policy overlay
406+
407+These accounts get their privileges by being associated to specific group(s).
408+
409+Administrators should note that we will probably find out that there are too
410+few groups, or too many. Or that some ACLs are too restrictive, or too broad.
411+It is difficult to come up with a one-size-fits-all DIT, but we can start here.
412+
413+By the way, there is no password set for the "rootdn" account as it (the
414+account) is not used.
415+
416+If you just want to know how to use this DIT, skip to the end of the document
417+to the section called "Enough with the theory: how to use this?".
418+
419+
420+The Tree
421+========
422+
423+ dc=example,dc=com
424+
425+ ou=Hosts ou=System Groups ou=System Accounts
426+ ou=Idmap cn=LDAP Admins uid=Ldap Admin
427+ ou=Address Book cn=Sudo Admins uid=Sudo Admin
428+ ou=dhcp cn=DNS Admins uid=DNS Admin
429+ ou=dns cn=DNS Readers uid=DNS Reader
430+ ou=People cn=DHCP Admins uid=DHCP Admin
431+ ou=Group cn=Address Book Admins uid=Address Book Admin
432+ ou=Password Policies cn=LDAP Replicators uid=LDAP Replicator
433+ ou=Sudoers cn=Account Admins uid=Account Admin
434+ cn=MTA Admins uid=MTA Admin
435+ cn=LDAP Monitors uid=LDAP Monitor
436+ cn=Idmap Admins uid=Idmap Admin
437+ uid=smbldap-tools
438+ uid=nssldap
439+
440+The services
441+============
442+
443+We created some entries for a few services that can use LDAP to store their
444+information. More will probably be added in the future. For now, we have
445+branches for:
446+- dns (ou=dns)
447+- sudo (ou=sudoers)
448+- dhcp (ou=dhcp)
449+
450+The respective administrative groups have read/write access to these branches
451+for specific entries.
452+
453+
454+The groups
455+==========
456+
457+Groups are the core of this proposed DIT layout, because most ACLs are
458+constructed via group membership to allow for greater flexibility and
459+delegation.
460+
461+The current default groups that are born with the new DIT layout are as
462+follows:
463+- LDAP Admins
464+- Sudo Admins
465+- DNS Admins
466+- DNS Readers
467+- DHCP Admins
468+- Address Book Admins
469+- LDAP Replicators
470+- Account Admins
471+- MTA Admins
472+- LDAP Monitors
473+- Idmap Admins
474+
475+Each entry has a description attribute filled in with a brief text describing
476+the purpose of the members of each group. For example:
477+
478+dn: cn=Sudo Admins,ou=System Groups,dc=example,dc=com
479+description: Members can administer ou=sudoers entries and attributes
480+
481+In order to use groups in ACLs, the objectClass used for these entries has to
482+use attributes where membership is indicated distinguished names and not just
483+names. In other words, the membership attribute has to use a full DN to
484+indicate its member. The standard object class used for this by OpenLDAP is
485+groupOfNames, and this is what we used. For example:
486+
487+dn: cn=Sudo Admins,ou=System Groups,dc=example,dc=com
488+member: uid=Sudo Admin,ou=System Accounts,dc=example,dc=com
489+
490+A side effect of using groupOfNames is that we *have* to have at least one
491+member in each group. So we needed to create standard accounts, which proved to
492+be usefull anyway. The previous example showed the standard account for
493+adminstering sudo entries and attributes.
494+
495+
496+The accounts
497+============
498+
499+As was the case with the groups, many standard system accounts were created.
500+Each group has at least a corresponding system account as its membership. The
501+current list is as follows:
502+
503+- Account Admin
504+- smbldap-tools
505+- nssldap
506+- MTA Admin
507+- DHCP Admin
508+- DNS Admin
509+- DNS Reader
510+- Sudo Admin
511+- Address Book Admin
512+- LDAP Admin
513+- LDAP Replicator
514+- LDAP Monitor
515+- Idmap Admin
516+
517+
518+The privileges
519+==============
520+
521+The idea is to give each group the needed privileges to complete its
522+administration tasks. This usually means having access to the respective ou=foo
523+branch of the directory. For example, the Sudo Admins group has rights over the
524+ou=sudoers branch of the directory.
525+
526+Whenever possible, however, these rights are limited to that specific service,
527+i.e., it's not any kind of entry that can be created but just those relevant to
528+the service. For example, the Sudo Admins members can only create entries one
529+level below ou=sudoers, and only with the attributes allowed by the sudoRole
530+object class.
531+
532+Other cases, however, are more complicated. We will list them here and the
533+reasoning behind the chosen ACLs.
534+
535+
536+Monitoring access
537+-----------------
538+The "LDAP Monitors" group is the only grop besides "LDAP Admins" which can read
539+entries under cn=monitor. This base dn contains statistics about the server,
540+such as operations performed, backends and overlays being used, etc. So, if you
541+need an user to have read access to this kind of information, just put him/her
542+in this group.
543+
544+
545+Samba, Unix and Kerberos admins
546+-------------------------------
547+Samba needs to have corresponding unix accounts for its users and machine
548+accounts. It will not by itself create those, however. For example, when
549+running "smbpasswd -a foo", the "foo" user account will only be created if
550+samba can find the corresponding unix attributes. The same for group mappings
551+and machine accounts.
552+
553+Earlier versions of openldap-dit had two separate privilege groups:
554+one for Unix accounts and another for Samba accounts. This complicated ACLs,
555+and it was worse when we later added Kerberos Admins to the mix because they
556+also had to touch some of the account-related attributes.
557+
558+So, since version 0.11, we merged these groups into one called Account Admins
559+(and the respective Account Admin account). This made the ACLs simplier and
560+faster, at the expense of some granularity in privileges.
561+
562+The smbldap-tools account, uid=smbldap-tools,ou=System Accounts, still exists
563+but is now a member of the Account Admins group.
564+
565+
566+MTA
567+---
568+As of this moment, there is no clear scenario for usage of this account. For
569+now, it can administer just a few attributes: all the ones from the
570+inetLocalMailRecipient object class plus the single mail attribute.
571+
572+As more usage scenarios appear, these ACLs should be incremented.
573+
574+
575+DNS Readers
576+-----------
577+Members of this group are allowed read access to all attributes of the dNSZone
578+object class under ou=dns. Besides them and the members of the DNS Admins
579+group, no other entity can read these entries. This was done so to avoid the
580+"zone transfer" vulnerability scenario, where anonymous users could gather the
581+whole DNS database.
582+
583+
584+LDAP Admins
585+-----------
586+Members of this group can write to and read from all entries and attributes of
587+the directory and have no size or time limits.
588+
589+
590+LDAP Replicators
591+----------------
592+The members of the LDAP Replicators group have read access to all attributes
593+and entries of the directory so that they can be used in a syncrepl replication
594+setup. The bind dn used for the replication should be a member of this group.
595+For example:
596+
597+syncrepl rid=100
598+ provider=ldap://dirserv.example.com
599+ type=refreshAndPersist
600+ retry="60 +"
601+ searchbase="dc=example,dc=com"
602+ starttls=critical
603+ bindmethod=simple
604+ binddn="uid=LDAP Replicator,ou=System Accounts,dc=example,dc=com"
605+ credentials="secret"
606+
607+Here, "uid=LDAP Replicator,ou=System Accounts,dc=example,dc=com" is a member of
608+the "LDAP Replicators" group and is automatically granted read rights to all
609+entries of the directory (assuming the provider was also installed with this
610+base DIT and ACLs).
611+
612+
613+Generic directory read accounts
614+-------------------------------
615+A few accounts were created for specific read access. Some administrators
616+prefer to block anonymous read access to the directory, in which case these
617+accounts would then be used. For the moment we have:
618+- nssldap: nss_ldap can bind to the directory either anonymously or with a
619+ specific account. The "uid=nssldap,ou=System Accounts" was created for this
620+ purpose. Currently no ACLs make use of this account. Were the administrator to
621+ use it, he/she would also have to block anonymous read access to many
622+ attributes.
623+
624+Currently anonymous read access is granted to many attributes. As of this
625+moment, if the administrator wants to restrict anonymous access and use these
626+accounts, the ACLs would have to be changed manually.
627+
628+
629+The installation script
630+=======================
631+
632+The openldap-dit package contains a shell script which can be used to
633+install the accounts and ACLs described in this document. The script is
634+installed at /usr/share/openldap/scripts/openldap-dit-setup.sh and performs the
635+following:
636+- asks the DNS domain (suggesting whatever was auto-detected)
637+- constructs the top-level directory entry from this domain using dc style
638+ attributes
639+- creates and imports an ldif file with the accounts and groups described here
640+- installs new slapd.conf and openldap-dit-access.conf files (making backups of
641+ the previous ones) with the default ACLs and other useful configurations
642+ (like cache)
643+- loads the ldif file, backing up the previous database directory
644+
645+Even though the script performs many tests and backups many files before
646+overwriting them, administrators are advised to backup all data before running
647+this script.
648+
649+
650+Enough with the theory: how to use this?
651+========================================
652+
653+The installation script will overwrite some OpenLDAP files and directories.
654+Specifically, it will backup and overwrite the following:
655+- /etc/ldap/slapd.conf
656+- /etc/ldap/ldap.conf
657+- /etc/ldap/openldap-dit-access.conf (THIS ONE HAS NO BACKUP CURRENTLY)
658+- /var/lib/ldap contents
659+
660+So, after you are satisfied that nothing important will be lost, run the
661+script. Below is a sample run using the example.com domain:
662+
663+root@nsn2:~# /usr/share/slapd/openldap-dit-setup.sh
664+Please enter your DNS domain name [example.com]:
665+
666+
667+Administrator account
668+
669+The administrator account for this directory is
670+uid=LDAP Admin,ou=System Accounts,dc=example,dc=com
671+
672+Please choose a password for this account:
673+New password:
674+Re-enter new password:
675+
676+
677+Summary
678+=======
679+
680+Domain: example.com
681+LDAP suffix: dc=example,dc=com
682+Administrator: uid=LDAP Admin,ou=System Accounts,dc=example,dc=com
683+
684+Confirm? (Y/n)
685+
686+config file testing succeeded
687+Stopping ldap service
688+Finished, starting ldap service
689+Starting OpenLDAP: slapd.
690+
691+Your previous database directory has been backed up as /var/lib/ldap.1228858266
692+All files that were backed up got the suffix "1228858266".
693+
694+
695+Now, fire up an LDAP browser and use the LDAP Admin account shown above to set
696+up some passwords for the other less privileged accounts that you are going to
697+use. Note that the "rootdn" account is not used.
698+
699
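Review bot: the installation section and the "Enough with the theory" walkthrough no longer describe what this branch installs. The README names the script as /usr/share/openldap/scripts/openldap-dit-setup.sh while the sample run invokes /usr/share/slapd/openldap-dit-setup.sh, and it talks about installing slapd.conf and openldap-dit-access.conf, whereas the files added in this diff (core/database.ldif, core/acl.ldif, core/modules.ldif) are cn=config LDIFs. Two statements also contradict the new core files: "there is no password set for the rootdn account as it is not used" is no longer true, because core/database.ldif sets olcRootDN to the local-root SASL EXTERNAL identity (the host's root gets unrestricted access over ldapi://, which is worth stating as a trust boundary rather than denying), and "most access control rules based on group membership" does not describe core/acl.ldif, which keys on dn.exact of uid=LDAP Admin rather than on cn=LDAP Admins; core/dit.ldif creates no ou=System Groups at all. Either update the README to say which package creates the groups and what the core package alone provides, or keep a group-based rule in core. Minor spelling in this hunk: "usefull", "adminstering", "simplier", "grop".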
700=== added file 'core/acl.ldif'
701--- core/acl.ldif 1970-01-01 00:00:00 +0000
702+++ core/acl.ldif 2010-07-19 21:25:56 +0000
703@@ -0,0 +1,16 @@
704+dn: olcDatabase=@DATABASE@,cn=config
705+changetype: modify
706+add: olcAccess
707+olcAccess: to dn.subtree="@SUFFIX@"
708+ by dn.exact="uid=LDAP Admin,ou=System Accounts,@SUFFIX@" manage
709+ by * break
710+-
711+add: olcAccess
712+olcAccess: {1}to dn.subtree="@SUFFIX@"
713+ by * read
714+-
715+add: olcAddContentAcl
716+olcAddContentAcl: TRUE
717+-
718+add: olcLastMod
719+olcLastMod: TRUE
720
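Review bot: `{1}to dn.subtree="@SUFFIX@" by * read` is a terminal catch-all with no preceding attrs=userPassword clause, so anonymous binds can read every attribute under the suffix, including the userPassword of the uid=LDAP Admin entry that core/dit.ldif creates. The removed databases/add-hdb.ldif had `to dn.subtree="@SUFFIX@" attrs=userPassword by self write by anonymous auth by * none` ahead of its catch-all; that rule should come back here, before {1}. Because {1} matches every entry and attribute and ends in `read` rather than `break`, any service ACLs added later at higher indices (the ou=dns restriction to DNS Admins and DNS Readers the README promises, for example) are never evaluated unless they are inserted below it, so either end {1} with `by * break` as {0} does, or make sure the catch-all is always the last rule added. Also, the first `add: olcAccess` has no {n} prefix while the second is explicitly {1}; if the target database already carries olcAccess values the unindexed one is appended at the end and the intended order is lost. Give both values explicit indices.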
721=== added file 'core/cosine.schema.ldif'
722--- core/cosine.schema.ldif 1970-01-01 00:00:00 +0000
723+++ core/cosine.schema.ldif 2010-07-19 21:25:56 +0000
724@@ -0,0 +1,200 @@
725+# RFC1274: Cosine and Internet X.500 schema
726+# $OpenLDAP: pkg/ldap/servers/slapd/schema/cosine.ldif,v 1.1.2.4 2009/01/22 00:01:14 kurt Exp $
727+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
728+##
729+## Copyright 1998-2009 The OpenLDAP Foundation.
730+## All rights reserved.
731+##
732+## Redistribution and use in source and binary forms, with or without
733+## modification, are permitted only as authorized by the OpenLDAP
734+## Public License.
735+##
736+## A copy of this license is available in the file LICENSE in the
737+## top-level directory of the distribution or, alternatively, at
738+## <http://www.OpenLDAP.org/license.html>.
739+#
740+# RFC1274: Cosine and Internet X.500 schema
741+#
742+# This file contains LDAPv3 schema derived from X.500 COSINE "pilot"
743+# schema. As this schema was defined for X.500(89), some
744+# oddities were introduced in the mapping to LDAPv3. The
745+# mappings were based upon: draft-ietf-asid-ldapv3-attributes-03.txt
746+# (a work in progress)
747+#
748+# Note: It seems that the pilot schema evolved beyond what was
749+# described in RFC1274. However, this document attempts to describes
750+# RFC1274 as published.
751+#
752+# Depends on core.ldif
753+#
754+# This file was automatically generated from cosine.schema; see that
755+# file for complete background.
756+#
757+dn: cn=cosine,cn=schema,cn=config
758+objectClass: olcSchemaConfig
759+cn: cosine
760+olcAttributeTypes: ( 0.9.2342.19200300.100.1.2 NAME 'textEncodedORAddress'
761+ EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.
762+ 1466.115.121.1.15{256} )
763+olcAttributeTypes: ( 0.9.2342.19200300.100.1.4 NAME 'info' DESC 'RFC1274: g
764+ eneral information' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
765+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{2048} )
766+olcAttributeTypes: ( 0.9.2342.19200300.100.1.5 NAME ( 'drink' 'favouriteDri
767+ nk' ) DESC 'RFC1274: favorite drink' EQUALITY caseIgnoreMatch SUBSTR caseIgno
768+ reSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
769+olcAttributeTypes: ( 0.9.2342.19200300.100.1.6 NAME 'roomNumber' DESC 'RFC1
770+ 274: room number' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch S
771+ YNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
772+olcAttributeTypes: ( 0.9.2342.19200300.100.1.7 NAME 'photo' DESC 'RFC1274:
773+ photo (G3 fax)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.23{25000} )
774+olcAttributeTypes: ( 0.9.2342.19200300.100.1.8 NAME 'userClass' DESC 'RFC12
775+ 74: category of user' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMat
776+ ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
777+olcAttributeTypes: ( 0.9.2342.19200300.100.1.9 NAME 'host' DESC 'RFC1274: h
778+ ost computer' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTA
779+ X 1.3.6.1.4.1.1466.115.121.1.15{256} )
780+olcAttributeTypes: ( 0.9.2342.19200300.100.1.10 NAME 'manager' DESC 'RFC127
781+ 4: DN of manager' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115
782+ .121.1.12 )
783+olcAttributeTypes: ( 0.9.2342.19200300.100.1.11 NAME 'documentIdentifier' D
784+ ESC 'RFC1274: unique identifier of document' EQUALITY caseIgnoreMatch SUBSTR
785+ caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
786+olcAttributeTypes: ( 0.9.2342.19200300.100.1.12 NAME 'documentTitle' DESC '
787+ RFC1274: title of document' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstri
788+ ngsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
789+olcAttributeTypes: ( 0.9.2342.19200300.100.1.13 NAME 'documentVersion' DES
790+ C 'RFC1274: version of document' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSu
791+ bstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
792+olcAttributeTypes: ( 0.9.2342.19200300.100.1.14 NAME 'documentAuthor' DESC
793+ 'RFC1274: DN of author of document' EQUALITY distinguishedNameMatch SYNTAX 1
794+ .3.6.1.4.1.1466.115.121.1.12 )
795+olcAttributeTypes: ( 0.9.2342.19200300.100.1.15 NAME 'documentLocation' DE
796+ SC 'RFC1274: location of document original' EQUALITY caseIgnoreMatch SUBSTR c
797+ aseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
798+olcAttributeTypes: ( 0.9.2342.19200300.100.1.20 NAME ( 'homePhone' 'homeTe
799+ lephoneNumber' ) DESC 'RFC1274: home telephone number' EQUALITY telephoneNumb
800+ erMatch SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121
801+ .1.50 )
802+olcAttributeTypes: ( 0.9.2342.19200300.100.1.21 NAME 'secretary' DESC 'RFC
803+ 1274: DN of secretary' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.146
804+ 6.115.121.1.12 )
805+olcAttributeTypes: ( 0.9.2342.19200300.100.1.22 NAME 'otherMailbox' SYNTAX
806+ 1.3.6.1.4.1.1466.115.121.1.39 )
807+olcAttributeTypes: ( 0.9.2342.19200300.100.1.26 NAME 'aRecord' EQUALITY ca
808+ seIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
809+olcAttributeTypes: ( 0.9.2342.19200300.100.1.27 NAME 'mDRecord' EQUALITY c
810+ aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
811+olcAttributeTypes: ( 0.9.2342.19200300.100.1.28 NAME 'mXRecord' EQUALITY c
812+ aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
813+olcAttributeTypes: ( 0.9.2342.19200300.100.1.29 NAME 'nSRecord' EQUALITY c
814+ aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
815+olcAttributeTypes: ( 0.9.2342.19200300.100.1.30 NAME 'sOARecord' EQUALITY
816+ caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
817+olcAttributeTypes: ( 0.9.2342.19200300.100.1.31 NAME 'cNAMERecord' EQUALIT
818+ Y caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
819+olcAttributeTypes: ( 0.9.2342.19200300.100.1.38 NAME 'associatedName' DESC
820+ 'RFC1274: DN of entry associated with domain' EQUALITY distinguishedNameMatc
821+ h SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
822+olcAttributeTypes: ( 0.9.2342.19200300.100.1.39 NAME 'homePostalAddress' D
823+ ESC 'RFC1274: home postal address' EQUALITY caseIgnoreListMatch SUBSTR caseIg
824+ noreListSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
825+olcAttributeTypes: ( 0.9.2342.19200300.100.1.40 NAME 'personalTitle' DESC
826+ 'RFC1274: personal title' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstring
827+ sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
828+olcAttributeTypes: ( 0.9.2342.19200300.100.1.41 NAME ( 'mobile' 'mobileTel
829+ ephoneNumber' ) DESC 'RFC1274: mobile telephone number' EQUALITY telephoneNum
830+ berMatch SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.12
831+ 1.1.50 )
832+olcAttributeTypes: ( 0.9.2342.19200300.100.1.42 NAME ( 'pager' 'pagerTelep
833+ honeNumber' ) DESC 'RFC1274: pager telephone number' EQUALITY telephoneNumber
834+ Match SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
835+ .50 )
836+olcAttributeTypes: ( 0.9.2342.19200300.100.1.43 NAME ( 'co' 'friendlyCount
837+ ryName' ) DESC 'RFC1274: friendly country name' EQUALITY caseIgnoreMatch SUBS
838+ TR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
839+olcAttributeTypes: ( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier' DE
840+ SC 'RFC1274: unique identifer' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.14
841+ 66.115.121.1.15{256} )
842+olcAttributeTypes: ( 0.9.2342.19200300.100.1.45 NAME 'organizationalStatus
843+ ' DESC 'RFC1274: organizational status' EQUALITY caseIgnoreMatch SUBSTR caseI
844+ gnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
845+olcAttributeTypes: ( 0.9.2342.19200300.100.1.46 NAME 'janetMailbox' DESC '
846+ RFC1274: Janet mailbox' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subst
847+ ringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
848+olcAttributeTypes: ( 0.9.2342.19200300.100.1.47 NAME 'mailPreferenceOption
849+ ' DESC 'RFC1274: mail preference option' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
850+ )
851+olcAttributeTypes: ( 0.9.2342.19200300.100.1.48 NAME 'buildingName' DESC '
852+ RFC1274: name of building' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstrin
853+ gsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
854+olcAttributeTypes: ( 0.9.2342.19200300.100.1.49 NAME 'dSAQuality' DESC 'RF
855+ C1274: DSA Quality' SYNTAX 1.3.6.1.4.1.1466.115.121.1.19 SINGLE-VALUE )
856+olcAttributeTypes: ( 0.9.2342.19200300.100.1.50 NAME 'singleLevelQuality'
857+ DESC 'RFC1274: Single Level Quality' SYNTAX 1.3.6.1.4.1.1466.115.121.1.13 SIN
858+ GLE-VALUE )
859+olcAttributeTypes: ( 0.9.2342.19200300.100.1.51 NAME 'subtreeMinimumQualit
860+ y' DESC 'RFC1274: Subtree Mininum Quality' SYNTAX 1.3.6.1.4.1.1466.115.121.1.
861+ 13 SINGLE-VALUE )
862+olcAttributeTypes: ( 0.9.2342.19200300.100.1.52 NAME 'subtreeMaximumQualit
863+ y' DESC 'RFC1274: Subtree Maximun Quality' SYNTAX 1.3.6.1.4.1.1466.115.121.1.
864+ 13 SINGLE-VALUE )
865+olcAttributeTypes: ( 0.9.2342.19200300.100.1.53 NAME 'personalSignature' D
866+ ESC 'RFC1274: Personal Signature (G3 fax)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.
867+ 23 )
868+olcAttributeTypes: ( 0.9.2342.19200300.100.1.54 NAME 'dITRedirect' DESC 'R
869+ FC1274: DIT Redirect' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466
870+ .115.121.1.12 )
871+olcAttributeTypes: ( 0.9.2342.19200300.100.1.55 NAME 'audio' DESC 'RFC1274
872+ : audio (u-law)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.4{25000} )
873+olcAttributeTypes: ( 0.9.2342.19200300.100.1.56 NAME 'documentPublisher' D
874+ ESC 'RFC1274: publisher of document' EQUALITY caseIgnoreMatch SUBSTR caseIgno
875+ reSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
876+olcObjectClasses: ( 0.9.2342.19200300.100.4.4 NAME ( 'pilotPerson' 'newPilo
877+ tPerson' ) SUP person STRUCTURAL MAY ( userid $ textEncodedORAddress $ rfc822
878+ Mailbox $ favouriteDrink $ roomNumber $ userClass $ homeTelephoneNumber $ hom
879+ ePostalAddress $ secretary $ personalTitle $ preferredDeliveryMethod $ busine
880+ ssCategory $ janetMailbox $ otherMailbox $ mobileTelephoneNumber $ pagerTelep
881+ honeNumber $ organizationalStatus $ mailPreferenceOption $ personalSignature
882+ ) )
883+olcObjectClasses: ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCT
884+ URAL MUST userid MAY ( description $ seeAlso $ localityName $ organizationNam
885+ e $ organizationalUnitName $ host ) )
886+olcObjectClasses: ( 0.9.2342.19200300.100.4.6 NAME 'document' SUP top STRUC
887+ TURAL MUST documentIdentifier MAY ( commonName $ description $ seeAlso $ loca
888+ lityName $ organizationName $ organizationalUnitName $ documentTitle $ docume
889+ ntVersion $ documentAuthor $ documentLocation $ documentPublisher ) )
890+olcObjectClasses: ( 0.9.2342.19200300.100.4.7 NAME 'room' SUP top STRUCTURA
891+ L MUST commonName MAY ( roomNumber $ description $ seeAlso $ telephoneNumber
892+ ) )
893+olcObjectClasses: ( 0.9.2342.19200300.100.4.9 NAME 'documentSeries' SUP top
894+ STRUCTURAL MUST commonName MAY ( description $ seeAlso $ telephonenumber $ l
895+ ocalityName $ organizationName $ organizationalUnitName ) )
896+olcObjectClasses: ( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCT
897+ URAL MUST domainComponent MAY ( associatedName $ organizationName $ descripti
898+ on $ businessCategory $ seeAlso $ searchGuide $ userPassword $ localityName $
899+ stateOrProvinceName $ streetAddress $ physicalDeliveryOfficeName $ postalAdd
900+ ress $ postalCode $ postOfficeBox $ streetAddress $ facsimileTelephoneNumber
901+ $ internationalISDNNumber $ telephoneNumber $ teletexTerminalIdentifier $ tel
902+ exNumber $ preferredDeliveryMethod $ destinationIndicator $ registeredAddress
903+ $ x121Address ) )
904+olcObjectClasses: ( 0.9.2342.19200300.100.4.14 NAME 'RFC822localPart' SUP d
905+ omain STRUCTURAL MAY ( commonName $ surname $ description $ seeAlso $ telepho
906+ neNumber $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOffi
907+ ceBox $ streetAddress $ facsimileTelephoneNumber $ internationalISDNNumber $
908+ telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ preferredDelivery
909+ Method $ destinationIndicator $ registeredAddress $ x121Address ) )
910+olcObjectClasses: ( 0.9.2342.19200300.100.4.15 NAME 'dNSDomain' SUP domain
911+ STRUCTURAL MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAME
912+ Record ) )
913+olcObjectClasses: ( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject' D
914+ ESC 'RFC1274: an object related to an domain' SUP top AUXILIARY MUST associat
915+ edDomain )
916+olcObjectClasses: ( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry' SUP c
917+ ountry STRUCTURAL MUST friendlyCountryName )
918+olcObjectClasses: ( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization' SU
919+ P ( organization $ organizationalUnit ) STRUCTURAL MAY buildingName )
920+olcObjectClasses: ( 0.9.2342.19200300.100.4.21 NAME 'pilotDSA' SUP dsa STR
921+ UCTURAL MAY dSAQuality )
922+olcObjectClasses: ( 0.9.2342.19200300.100.4.22 NAME 'qualityLabelledData'
923+ SUP top AUXILIARY MUST dsaQuality MAY ( subtreeMinimumQuality $ subtreeMaximu
924+ mQuality ) )
925
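Review bot: this is a verbatim copy of the cosine.ldif that slapd itself ships, added as dn: cn=cosine,cn=schema,cn=config with no ordering index. On a host where the packaged cosine schema is already loaded (cn={n}cosine,cn=schema,cn=config), the add is rejected as a duplicate attribute type at the first olcAttributeTypes value; on a host where it is not, the project now carries 200 lines of upstream schema it has to keep in sync. Prefer loading the distribution's own /etc/ldap/schema/cosine.ldif, or at least check first with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config '(cn=*cosine)' cn` and skip the add when it is present. The "Depends on core.ldif" comment is also a real ordering constraint for whatever loads these files.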
926=== added file 'core/database.ldif'
927--- core/database.ldif 1970-01-01 00:00:00 +0000
928+++ core/database.ldif 2010-07-19 21:25:56 +0000
929@@ -0,0 +1,13 @@
930+dn: olcDatabase=hdb,cn=config
931+olcDatabase: hdb
932+objectClass: olcDatabaseConfig
933+objectClass: olcHdbConfig
934+olcSuffix: @SUFFIX@
935+olcDbDirectory: /var/lib/ldap
936+olcDbCacheSize: 1000
937+olcDbCheckpoint: 1024 10
938+olcDbConfig: set_cachesize 0 10485760 0
939+olcDbConfig: set_lg_bsize 2097152
940+olcDbConfig: set_flags DB_LOG_AUTOREMOVE
941+olcDbIDLcacheSize: 3000
942+olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
943
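Review bot: compared with the databases/add-hdb.ldif this branch removes, the new database definition has no olcDbIndex at all. Without `olcDbIndex: objectClass eq`, `entryCSN eq` and `entryUUID eq`, the syncrepl consumer setup the README recommends for LDAP Replicators runs unindexed scans on every refresh, and without `member eq` each group-based ACL check is an unindexed search; slapd logs `<= bdb_equality_candidates: (objectClass) not indexed` for every such query. Restore at least those four, plus `uid eq` and `cn eq`. Two more points: `olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth` makes the host's root a superuser over ldapi:// (reasonable, but the README's claim that the rootdn is unused must be corrected to match), and `set_flags DB_LOG_AUTOREMOVE` deletes transaction logs once checkpointed, which forecloses catastrophic recovery from the logs; if that is a deliberate disk-space trade-off, say so in a comment. Finally, the entry is added as olcDatabase=hdb without an index, so the postinst must read back the index slapd assigns ({1}hdb on a fresh config) before substituting @DATABASE@ in core/acl.ldif rather than assuming it.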
944=== added file 'core/dit.ldif'
945--- core/dit.ldif 1970-01-01 00:00:00 +0000
946+++ core/dit.ldif 2010-07-19 21:25:56 +0000
947@@ -0,0 +1,19 @@
948+# base tree
949+dn: @SUFFIX@
950+dc: @DC@
951+objectClass: domain
952+objectClass: domainRelatedObject
953+associatedDomain: @DOMAIN@
954+
955+dn: ou=System Accounts,@SUFFIX@
956+ou: System Accounts
957+objectClass: organizationalUnit
958+description: Container for System and Services privileged accounts
959+
960+dn: uid=LDAP Admin,ou=System Accounts,@SUFFIX@
961+uid: LDAP Admin
962+objectClass: account
963+objectClass: simpleSecurityObject
964+userPassword: @ADMINPASS@
965+description: Account used to administer all parts of the Directory
966+
967
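Review bot: `userPassword: @ADMINPASS@` must be substituted with a slappasswd hash ({SSHA}...), never with the cleartext collected by the debconf prompt; with core/acl.ldif as written this attribute is readable by anonymous binds, so a cleartext value here is an immediate credential leak even before the ACL is tightened. The README's tree lists ou=System Groups with cn=LDAP Admins as the privileged group, but this file creates only ou=System Accounts and the uid=LDAP Admin account; if the groups now live in the usersandgroups package, core should declare that relationship, because core/acl.ldif grants manage to the account DN alone and nothing in core can be delegated through group membership. Note also that `objectClass: domain` and `domainRelatedObject` (with `associatedDomain: @DOMAIN@`) and `objectClass: account` are defined in core/cosine.schema.ldif, so this LDIF must be loaded after the cosine schema.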
968=== added file 'core/inetorgperson.schema.ldif'
969--- core/inetorgperson.schema.ldif 1970-01-01 00:00:00 +0000
970+++ core/inetorgperson.schema.ldif 2010-07-19 21:25:56 +0000
971@@ -0,0 +1,69 @@
972+# InetOrgPerson (RFC2798)
973+# $OpenLDAP: pkg/ldap/servers/slapd/schema/inetorgperson.ldif,v 1.1.2.4 2009/01/22 00:01:14 kurt Exp $
974+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
975+##
976+## Copyright 1998-2009 The OpenLDAP Foundation.
977+## All rights reserved.
978+##
979+## Redistribution and use in source and binary forms, with or without
980+## modification, are permitted only as authorized by the OpenLDAP
981+## Public License.
982+##
983+## A copy of this license is available in the file LICENSE in the
984+## top-level directory of the distribution or, alternatively, at
985+## <http://www.OpenLDAP.org/license.html>.
986+#
987+# InetOrgPerson (RFC2798)
988+#
989+# Depends upon
990+# Definition of an X.500 Attribute Type and an Object Class to Hold
991+# Uniform Resource Identifiers (URIs) [RFC2079]
992+# (core.ldif)
993+#
994+# A Summary of the X.500(96) User Schema for use with LDAPv3 [RFC2256]
995+# (core.ldif)
996+#
997+# The COSINE and Internet X.500 Schema [RFC1274] (cosine.ldif)
998+#
999+# This file was automatically generated from inetorgperson.schema; see
1000+# that file for complete references.
1001+#
1002+dn: cn=inetorgperson,cn=schema,cn=config
1003+objectClass: olcSchemaConfig
1004+cn: inetorgperson
1005+olcAttributeTypes: ( 2.16.840.1.113730.3.1.1 NAME 'carLicense' DESC 'RFC279
1006+ 8: vehicle license or registration plate' EQUALITY caseIgnoreMatch SUBSTR cas
1007+ eIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
1008+olcAttributeTypes: ( 2.16.840.1.113730.3.1.2 NAME 'departmentNumber' DESC '
1009+ RFC2798: identifies a department within an organization' EQUALITY caseIgnoreM
1010+ atch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
1011+olcAttributeTypes: ( 2.16.840.1.113730.3.1.241 NAME 'displayName' DESC 'RFC
1012+ 2798: preferred name to be used when displaying entries' EQUALITY caseIgnoreM
1013+ atch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SI
1014+ NGLE-VALUE )
1015+olcAttributeTypes: ( 2.16.840.1.113730.3.1.3 NAME 'employeeNumber' DESC 'RF
1016+ C2798: numerically identifies an employee within an organization' EQUALITY ca
1017+ seIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.12
1018+ 1.1.15 SINGLE-VALUE )
1019+olcAttributeTypes: ( 2.16.840.1.113730.3.1.4 NAME 'employeeType' DESC 'RFC2
1020+ 798: type of employment for a person' EQUALITY caseIgnoreMatch SUBSTR caseIgn
1021+ oreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
1022+olcAttributeTypes: ( 0.9.2342.19200300.100.1.60 NAME 'jpegPhoto' DESC 'RFC2
1023+ 798: a JPEG image' SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 )
1024+olcAttributeTypes: ( 2.16.840.1.113730.3.1.39 NAME 'preferredLanguage' DESC
1025+ 'RFC2798: preferred written or spoken language for a person' EQUALITY caseIg
1026+ noreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.
1027+ 15 SINGLE-VALUE )
1028+olcAttributeTypes: ( 2.16.840.1.113730.3.1.40 NAME 'userSMIMECertificate' D
1029+ ESC 'RFC2798: PKCS#7 SignedData used to support S/MIME' SYNTAX 1.3.6.1.4.1.14
1030+ 66.115.121.1.5 )
1031+olcAttributeTypes: ( 2.16.840.1.113730.3.1.216 NAME 'userPKCS12' DESC 'RFC2
1032+ 798: personal identity information, a PKCS #12 PFX' SYNTAX 1.3.6.1.4.1.1466.1
1033+ 15.121.1.5 )
1034+olcObjectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'RFC2
1035+ 798: Internet Organizational Person' SUP organizationalPerson STRUCTURAL MAY
1036+ ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ em
1037+ ployeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ ini
1038+ tials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo
1039+ $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ pre
1040+ ferredLanguage $ userSMIMECertificate $ userPKCS12 ) )
1041
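Review bot: same situation as the cosine copy: upstream inetorgperson.ldif reproduced verbatim with no ordering index, so it is rejected as a duplicate on a host that already has cn={n}inetorgperson. Its MAY list (homePhone, homePostalAddress, manager, mobile, pager, photo, roomNumber, secretary, audio) only resolves if cosine is loaded first, so the order cosine before inetorgperson has to be enforced in the Makefile or postinst; in the other order the add fails with an AttributeType-not-found error on the first unresolved name. Referencing the distribution's schema files instead of carrying copies would remove both problems.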
1042=== added file 'core/misc.schema.ldif'
1043--- core/misc.schema.ldif 1970-01-01 00:00:00 +0000
1044+++ core/misc.schema.ldif 2010-07-19 21:25:56 +0000
1045@@ -0,0 +1,25 @@
1046+# misc.ldif
1047+#
1048+# This is the ldif version of misc.schema to be used with cn=config.
1049+# The nss overlay requires rfc822MailMember which is defined here.
1050+#
1051+dn: cn=misc,cn=schema,cn=config
1052+objectClass: olcSchemaConfig
1053+cn: misc
1054+olcAttributeTypes: ( 2.16.840.1.113730.3.1.13 NAME 'mailLocalAddress' DESC
1055+ 'RFC822 email address of this recipient' EQUALITY caseIgnoreIA5Match SYNTAX 1
1056+ .3.6.1.4.1.1466.115.121.1.26{256} )
1057+olcAttributeTypes: ( 2.16.840.1.113730.3.1.18 NAME 'mailHost' DESC 'FQDN of
1058+ the SMTP/MTA of this recipient' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4
1059+ .1.1466.115.121.1.26{256} SINGLE-VALUE )
1060+olcAttributeTypes: ( 2.16.840.1.113730.3.1.47 NAME 'mailRoutingAddress' DES
1061+ C 'RFC822 routing address of this recipient' EQUALITY caseIgnoreIA5Match SYNT
1062+ AX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
1063+olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.2.1.15 NAME 'rfc822MailMember' DES
1064+ C 'rfc822 mail address of group member(s)' EQUALITY caseIgnoreIA5Match SYNTAX
1065+ 1.3.6.1.4.1.1466.115.121.1.26 )
1066+olcObjectClasses: ( 2.16.840.1.113730.3.2.147 NAME 'inetLocalMailRecipient'
1067+ DESC 'Internet local mail recipient' SUP top AUXILIARY MAY ( mailLocalAddres
1068+ s $ mailHost $ mailRoutingAddress ) )
1069+olcObjectClasses: ( 1.3.6.1.4.1.42.2.27.1.2.5 NAME 'nisMailAlias' DESC 'NIS
1070+ mail alias' SUP top STRUCTURAL MUST cn MAY rfc822MailMember )
1071
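Review bot: the header says "The nss overlay requires rfc822MailMember"; if this refers to nslcd/nss-pam-ldapd or nss_ldap resolving mail alias maps, say which, since neither is an OpenLDAP overlay and a reader will look for one. Upstream misc.schema describes its contents as assorted work-in-progress definitions not intended for production use, and that caveat, together with the OpenLDAP license header the other schema copies keep, is dropped here and should be restored. This file is also the only definition of inetLocalMailRecipient, which the README grants MTA Admins write access to, so it needs to be loaded before any ACL that names mailLocalAddress, mailHost or mailRoutingAddress.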
1072=== added file 'core/modules.ldif'
1073--- core/modules.ldif 1970-01-01 00:00:00 +0000
1074+++ core/modules.ldif 2010-07-19 21:25:56 +0000
1075@@ -0,0 +1,4 @@
1076+dn: cn=module,cn=config
1077+cn: module
1078+objectClass: olcModuleList
1079+olcModuleLoad: back_hdb.la
1080
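Review bot: this adds a second olcModuleList (cn=module,cn=config, no index) that loads only back_hdb.la and sets no olcModulePath. On a slapd that already loads back_hdb through an existing cn=module{0} the load is redundant and relies on slapd tolerating a duplicate; on one that does not, module lookup falls back to the compiled-in path. Safer to `changetype: modify` / `add: olcModuleLoad` against the existing module list when one exists, guarded by `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(olcModuleLoad=back_hdb*)'`, and to set olcModulePath explicitly when creating a new list. The README also advertises the password policy overlay (ou=Password Policies), so either this file loads ppolicy.la as well or the core package should state which package is responsible for loading overlay modules.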
1081=== added file 'core/namedObject.schema.ldif'
1082--- core/namedObject.schema.ldif 1970-01-01 00:00:00 +0000
1083+++ core/namedObject.schema.ldif 2010-07-19 21:25:56 +0000
1084@@ -0,0 +1,5 @@
1085+dn: cn=namedObject,cn=schema,cn=config
1086+objectClass: olcSchemaConfig
1087+cn: namedObject
1088+olcObjectClasses: {0}( 1.3.6.1.4.1.5322.13.1.1 NAME 'namedObject' SUP top STRU
1089+ CTURAL MAY cn )
1090
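Review bot: this schema carries no provenance: no comment on where namedObject comes from or who owns the 1.3.6.1.4.1.5322 arc the OID sits under, while the other files in core/ keep their upstream headers. Add a header stating the source and whether this is the canonical definition for that OID; a locally minted objectClass under someone else's enterprise arc will collide with any different definition the arc owner publishes. The `{0}` ordering prefix on olcObjectClasses is also inconsistent with the other core schema files, which leave numbering to slapd.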
1091=== removed directory 'databases'
1092=== removed file 'databases/add-hdb.ldif'
1093--- databases/add-hdb.ldif 2009-10-06 23:18:47 +0000
1094+++ databases/add-hdb.ldif 1970-01-01 00:00:00 +0000
1095@@ -1,152 +0,0 @@
1096-dn: olcDatabase=hdb,cn=config
1097-olcDatabase: hdb
1098-objectClass: olcDatabaseConfig
1099-objectClass: olcHdbConfig
1100-olcSuffix: @SUFFIX@
1101-olcDbDirectory: /var/lib/ldap
1102-olcDbCacheSize: 1000
1103-olcDbCheckpoint: 1024 10
1104-olcDbConfig: set_cachesize 0 10485760 0
1105-olcDbConfig: set_lg_bsize 2097152
1106-olcDbConfig: set_flags DB_LOG_AUTOREMOVE
1107-olcDbIDLcacheSize: 3000
1108-olcRootDN: cn=localroot,cn=config
1109-olcDbIndex: objectClass eq
1110-olcDbIndex: entryUUID eq
1111-olcDbIndex: entryCSN eq
1112-olcDbIndex: cn eq,subinitial
1113-olcDbIndex: uid eq,subinitial
1114-olcDbIndex: uidNumber eq
1115-olcDbIndex: gidNumber eq
1116-olcDbIndex: sn eq,subinitial
1117-olcDbIndex: member eq
1118-olcDbIndex: memberUid eq
1119-olcDbIndex: mail eq,subinitial
1120-olcDbIndex: givenName eq,subinitial
1121-olcDbIndex: sambaDomainName eq
1122-olcDbIndex: sambaSID eq,sub
1123-olcDbIndex: displayName eq
1124-olcDbIndex: sambaGroupType eq
1125-olcDbIndex: krbPrincipalName eq
1126-olcDbIndex: krbPwdPolicyReference eq
1127-olcDbIndex: sambaSIDList eq
1128-olcDbIndex: uniqueMember pres,eq
1129-olcDbIndex: zoneName eq
1130-olcDbIndex: dhcpClassData eq
1131-olcDbIndex: relativeDomainName eq
1132-olcDbIndex: dhcpHWAddress eq
1133-olcDbIndex: sudoUser eq,sub
1134-olcAccess: {0}to dn.subtree="@SUFFIX@"
1135- by group/groupOfMembers/member.exact="cn=ldap admins,ou=system groups,@SUFFIX@" manage
1136- by group/groupOfMembers/member.exact="cn=ldap replicators,ou=system groups,@SUFFIX@" read
1137- by * break
1138-olcAccess: {1}to dn.subtree="ou=people,@SUFFIX@"
1139- attrs=shadowLastChange
1140- by self write
1141- by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write
1142- by * read
1143-olcAccess: {2}to dn.subtree="ou=people,@SUFFIX@"
1144- attrs=userPassword
1145- by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write
1146- by self write
1147- by anonymous auth
1148- by * none
1149-olcAccess: {3}to dn.subtree="@SUFFIX@"
1150- attrs=userPassword
1151- by self write
1152- by anonymous auth
1153- by * none
1154-olcAccess: {4}to dn.subtree="@SUFFIX@"
1155- attrs=krbPrincipalKey
1156- by self write
1157- by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write
1158- by dn.exact="uid=kdc-service,ou=System Accounts,@SUFFIX@" read
1159- by dn.exact="uid=kadmin-service,ou=System Accounts,@SUFFIX@" write
1160- by anonymous auth
1161- by * none
1162-olcAccess: {5}to dn.subtree="ou=password policies,@SUFFIX@"
1163- by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write
1164- by * read
1165-olcAccess: {6}to dn.subtree="@SUFFIX@"
1166- attrs=sambaLMPassword,sambaNTPassword
1167- by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write
1168- by anonymous auth
1169- by self write
1170- by * none
1171-olcAccess: {7}to dn.subtree="@SUFFIX@"
1172- attrs=sambaPasswordHistory,pwdHistory
1173- by self read
1174- by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write
1175- by * none
1176-olcAccess: {8}to dn.subtree="@SUFFIX@"
1177- attrs=pwdReset
1178- by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write
1179- by * read
1180-olcAccess: {9}to dn.regex="^cn=[^,]+,ou=(System Groups|Group),@SUFFIX@$"
1181- attrs=member
1182- by dnattr=owner write
1183- by * break
1184-olcAccess: {10}to dn.subtree="ou=people,@SUFFIX@"
1185- attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber
1186- by self write
1187- by * break
1188-olcAccess: {11}to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),@SUFFIX@$"
1189- attrs=children,entry
1190- by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write
1191- by * break
1192-olcAccess: {12}to dn.regex="^[^,]+,ou=(People|Hosts|Group),@SUFFIX@$"
1193- by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write
1194- by * break
1195-olcAccess: {13}to dn.regex="^(sambaDomainName=[^,]+,)?@SUFFIX@$"
1196- attrs=children,entry,@sambaDomain,@sambaUnixIdPool
1197- by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write
1198- by * read
1199-olcAccess: {14}to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,@SUFFIX@$"
1200- attrs=children,entry,@sambaIdmapEntry
1201- by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write
1202- by group/groupOfMembers/member.exact="cn=idmap admins,ou=system groups,@SUFFIX@" write
1203- by * read
1204-olcAccess: {15}to dn.regex="^(.*,)?ou=Address Book,@SUFFIX@"
1205- attrs=children,entry,@inetOrgPerson
1206- by group/groupOfMembers/member.exact="cn=address book admins,ou=system groups,@SUFFIX@" write
1207- by * read
1208-olcAccess: {16}to dn.subtree="ou=dhcp,@SUFFIX@"
1209- attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,
1210- @dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog
1211- by group/groupOfMembers/member.exact="cn=dhcp admins,ou=system groups,@SUFFIX@" write
1212- by group/groupOfMembers/member.exact="cn=dhcp readers,ou=system groups,@SUFFIX@" read
1213- by * read
1214-olcAccess: {17}to dn.regex="^([^,]+,)?ou=sudoers,@SUFFIX@$"
1215- attrs=children,entry,@sudoRole
1216- by group/groupOfMembers/member.exact="cn=sudo admins,ou=system groups,@SUFFIX@" write
1217- by * read
1218-olcAccess: {18}to dn.base="ou=dns,@SUFFIX@"
1219- attrs=entry,@extensibleObject
1220- by group/groupOfMembers/member.exact="cn=dns admins,ou=system groups,@SUFFIX@" write
1221- by * read
1222-olcAccess: {19}to dn.subtree="ou=dns,@SUFFIX@"
1223- attrs=children,entry,@dNSZone
1224- by group/groupOfMembers/member.exact="cn=dns admins,ou=system groups,@SUFFIX@" write
1225- by group/groupOfMembers/member.exact="cn=dns readers,ou=system groups,@SUFFIX@" read
1226- by * none
1227-olcAccess: {20}to dn.subtree="ou=Kerberos Realms,@SUFFIX@"
1228- by dn.exact="uid=kdc-service,ou=System Accounts,@SUFFIX@" read
1229- by dn.exact="uid=kadmin-service,ou=System Accounts,@SUFFIX@" write
1230- by * none
1231-olcAccess: {21}to dn.one="ou=people,@SUFFIX@"
1232- attrs=@inetLocalMailRecipient,mail
1233- by group/groupOfMembers/member.exact="cn=mta admins,ou=system groups,@SUFFIX@" write
1234- by * read
1235-olcAccess: {22}to dn.subtree="@SUFFIX@"
1236- by * read
1237-olcAddContentAcl: TRUE
1238-olcLastMod: TRUE
1239-olcLimits: {0}group/groupOfMembers/member="cn=ldap replicators,ou=system groups,@SUFFIX@"
1240- size=unlimited
1241- time=unlimited
1242-olcLimits: {1}group/groupOfMembers/member="cn=ldap admins,ou=system groups,@SUFFIX@"
1243- size=unlimited
1244- time=unlimited
1245-olcLimits: {2}group/groupOfMembers/member="cn=account admins,ou=system groups,@SUFFIX@"
1246- size=unlimited
1247- time=unlimited
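Review bot: this removal drops more than the ACL block: the three `olcLimits` entries (unlimited size/time for ldap replicators, ldap admins and account admins), `olcAddContentAcl: TRUE`, `olcLastMod: TRUE` and the full `olcDbIndex` list all go away with it. Since the new per-service install only applies what each service's own `database`, `indexes` and `acl` LDIF files contain, please confirm these settings are carried over in the core database LDIF (or in per-service `indexes` files); a replication consumer bound as a member of ldap replicators will otherwise hit the default size limit, and `olcAddContentAcl` affects whether the group-based ACLs are enforced on add operations.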
1248
1249=== removed file 'databases/add-monitor.ldif'
1250--- databases/add-monitor.ldif 2009-09-17 14:09:01 +0000
1251+++ databases/add-monitor.ldif 1970-01-01 00:00:00 +0000
1252@@ -1,10 +0,0 @@
1253-dn: olcDatabase=monitor,cn=config
1254-objectClass: olcMonitorConfig
1255-objectClass: olcDatabaseConfig
1256-objectClass: olcConfig
1257-olcDatabase: monitor
1258-olcRootDN: cn=localroot,cn=config
1259-olcAccess: {0}to dn.subtree=""
1260- by group/groupOfMembers/member.exact="cn=LDAP Admins,ou=System Groups,@SUFFIX@" read
1261- by group/groupOfMembers/member.exact="cn=LDAP Monitors,ou=System Groups,@SUFFIX@" read
1262- by * none
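Review bot: the monitor database being removed here ends its ACL with `by * none`, limiting `cn=monitor` (connections, operations, bound DNs) to LDAP Admins and LDAP Monitors. Whatever replaces it in the split layout should keep that final `by * none`; the monitor backend is one of the few places where anonymous read is worth actively refusing.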
1263
1264=== modified file 'debian/changelog'
1265--- debian/changelog 2008-06-04 20:17:58 +0000
1266+++ debian/changelog 2010-07-19 21:25:56 +0000
1267@@ -1,4 +1,47 @@
1268-openldap-dit (0.19-1) unstable; urgency=low
1269+openldap-dit (0.20-1) lucid; urgency=low
1270+
1271+ * Using debconf to ask for domain and admin password.
1272+ * Will create openldap-dit-$service.postinst during build time
1273+ from openldap-dit.scripts-common.
1274+ * Remove last olcAccess and re-add at the end of ACL.
1275+ * Switch to dpkg-source 3.0 (quilt) format
1276+ * Updated standards-version.
1277+ * Changed version number, removed debian versions.
1278+ * Removed LICENSE from openldap-dit-core.docs because information
1279+ is covered in debian/copyright.
1280+ * Now using "invoke-rc.d slapd restart" to restart slapd.
1281+ * Removed path to slappasswd utility in debian/openldap-dit.scripts-common.
1282+ * Find index for main database, and index of module suffix.
1283+
1284+ -- Adam Sommer <asommer@ubuntu.com> Tue, 01 Jun 2010 13:41:30 -0400
1285+
1286+openldap-dit (0.19) unstable; urgency=low
1287+
1288+ * Another directory reorganization.
1289+ * Created openldap-dit-usersandgroups package.
1290+ * Updated Makefile and debian/rules for new package.
1291+
1292+ -- Adam Sommer <asommer@ubuntu.com> Mon, 24 May 2010 16:09:10 -0400
1293+
1294+openldap-dit (0.19) unstable; urgency=low
1295+
1296+ * Created openldap-dit-core package.
1297+ * Reorganized file structure to reflect core DIT.
1298+ * Changed openldap-dit-setup.sh to postinst scripts.
1299+ * Updated Makefile for subdirectory layout.
1300+
1301+ -- Adam Sommer <asommer@ubuntu.com> Tue, 18 May 2010 11:29:38 -0400
1302+
1303+openldap-dit (0.19) unstable; urgency=low
1304+
1305+ * Adjusted README paths in debian/docs.
1306+ * Created empty doc/README.kde
1307+ * Changed "install-ubuntu" command in debian/rules to "install"
1308+ which allows package to build.
1309+
1310+ -- Adam Sommer <asommer@ubuntu.com> Mon, 26 Apr 2010 15:35:42 -0400
1311+
1312+openldap-dit (0.19) unstable; urgency=low
1313
1314 * Initial release
1315
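Review bot: four entries in this hunk share the version `0.19` with different dates, and the new top entry is `0.20-1` even though one of its own bullets says Debian revisions were removed. `dpkg-parsechangelog` expects distinct, strictly decreasing versions, so either collapse the `0.19` entries into one or renumber them (for example `0.19.1`, `0.19.2`, ...), and settle on `0.20` or `0.20-1` consistently with what `debian/control` and the build actually produce.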
1316
1317=== modified file 'debian/control'
1318--- debian/control 2008-06-04 20:30:39 +0000
1319+++ debian/control 2010-07-19 21:25:56 +0000
1320@@ -1,14 +1,25 @@
1321 Source: openldap-dit
1322 Section: net
1323 Priority: extra
1324-Maintainer: Andreas Hasenack <andreas@canonical.com>
1325+Maintainer: Adam Sommer <asommer@ubuntu.com>
1326 Build-Depends: debhelper (>= 5)
1327-Standards-Version: 3.7.3
1328+Homepage: https://launchpad.net/openldap-dit
1329+Standards-Version: 3.8.4
1330
1331-Package: openldap-dit
1332+Package: openldap-dit-core
1333+Section: net
1334+Priority: extra
1335 Architecture: all
1336 Depends: ${shlibs:Depends}, ${misc:Depends}, slapd, ldap-utils
1337-Description: Sample DIT for OpenLDAP
1338- This package contains a sample DIT for OpenLDAP which can be
1339- used together with many services and has a group based access
1340- control.
1341+Description: Simple DIT for OpenLDAP
1342+ This package contains a very simple DIT for OpenLDAP which can
1343+ be extened for many services.
1344+
1345+Package: openldap-dit-usersandgroups
1346+Section: net
1347+Priority: extra
1348+Architecture: all
1349+Depends: ${shlibs:Depends}, ${misc:Depends}, slapd, ldap-utils, openldap-dit-core
1350+Description: Simple DIT Users and Groups
1351+ This package contains a simple DIT for OpenLDAP which can be
1352+ used for group based access control.
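Review bot: typo in the `openldap-dit-core` Description: "extened" should be "extended". Two smaller points on the same hunk: this diff adds `debian/po/templates.pot`, and `dh_installdebconf` runs `po2debconf` whenever `debian/po` exists, so `po-debconf` belongs in `Build-Depends`; and `${shlibs:Depends}` is meaningless for `Architecture: all` packages and can be dropped from both `Depends` lines.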
1353
1354=== modified file 'debian/copyright'
1355--- debian/copyright 2008-06-04 20:37:03 +0000
1356+++ debian/copyright 2010-07-19 21:25:56 +0000
1357@@ -4,9 +4,11 @@
1358 Upstream Author:
1359
1360 Andreas Hasenack <andreas@canonical.com>
1361+ Adam Sommer <asommer@ubuntu.com>
1362
1363 Copyright:
1364
1365+ Copyright (C) 2010 Adam Sommer
1366 Copyright (C) 2008 Andreas Hasenack
1367 Copyright (C) 2007 and before: Mandriva
1368
1369
1370=== removed file 'debian/dirs'
1371--- debian/dirs 2008-06-04 20:30:39 +0000
1372+++ debian/dirs 1970-01-01 00:00:00 +0000
1373@@ -1,1 +0,0 @@
1374-usr/share/slapd/openldap-dit
1375
1376=== removed file 'debian/docs'
1377--- debian/docs 2008-06-04 20:17:58 +0000
1378+++ debian/docs 1970-01-01 00:00:00 +0000
1379@@ -1,10 +0,0 @@
1380-README
1381-README.dhcp
1382-README.dns
1383-README.heimdal
1384-README.kde
1385-README.samba
1386-README.sudo
1387-TODO
1388-COPYRIGHT
1389-LICENSE
1390
1391=== removed file 'debian/files'
1392--- debian/files 2008-06-04 20:30:39 +0000
1393+++ debian/files 1970-01-01 00:00:00 +0000
1394@@ -1,1 +0,0 @@
1395-openldap-dit_0.19-1_all.deb net extra
1396
1397=== added file 'debian/openldap-dit-core.config'
1398--- debian/openldap-dit-core.config 1970-01-01 00:00:00 +0000
1399+++ debian/openldap-dit-core.config 2010-07-19 21:25:56 +0000
1400@@ -0,0 +1,79 @@
1401+#!/bin/bash
1402+
1403+set -e
1404+
1405+. /usr/share/debconf/confmodule
1406+
1407+get_domain() {
1408+# Ask domain question.
1409+# Usage: get_domain
1410+ local invalid
1411+ invalid=""
1412+
1413+ db_input high openldap-dit-core/domain || true
1414+ db_go || true
1415+
1416+ # Make sure the domain name is valid.
1417+ db_get openldap-dit-core/domain
1418+ if [ -z "$RET" ] || ! echo "$RET" | grep -q '^[a-zA-Z0-9.-]*$'; then
1419+ db_fset openldap-dit-core/domain seen false
1420+ invalid=true
1421+ fi
1422+
1423+ if [ "$invalid" ]; then
1424+ return 1
1425+ else
1426+ return 0
1427+ fi
1428+}
1429+
1430+crypt_admin_pass() {
1431+# Store the encrypted admin password into the debconf db
1432+# Usage: crypt_admin_pass
1433+
1434+ db_get openldap-dit-core/password1
1435+ if [ ! -z "$RET" ]; then
1436+ db_set openldap-dit-core/internal/adminpw $(slappasswd -n -s "$RET")
1437+ fi
1438+ db_go || true
1439+}
1440+
1441+get_admin_password() {
1442+# Ask for admin password and confirmation.
1443+# Usage: get_admin_password
1444+
1445+ while :; do
1446+ RET=""
1447+ db_input high openldap-dit-core/password1 || true
1448+ db_input high openldap-dit-core/password2 || true
1449+ db_go
1450+
1451+ # Make sure the passwords match
1452+ local pass1 pass2
1453+ db_get openldap-dit-core/password1
1454+ pass1="$RET"
1455+ db_get openldap-dit-core/password2
1456+ pass2="$RET"
1457+ if [ $pass1 == $pass2 ]; then
1458+ #ROOT_PW=''
1459+ break
1460+ fi
1461+ db_fset openldap-dit-core/password_mismatch seen false
1462+ db_input critical openldap-dit-core/password_mismatch
1463+ db_set openldap-dit-core/password1 ""
1464+ db_set openldap-dit-core/password2 ""
1465+ db_fset openldap-dit-core/password1 seen false
1466+ db_fset openldap-dit-core/password2 seen false
1467+ db_go
1468+ done
1469+
1470+}
1471+
1472+
1473+get_domain
1474+get_admin_password
1475+crypt_admin_pass
1476+
1477+db_go || true
1478+
1479+exit 0
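Review bot: `crypt_admin_pass` hashes the password with `slappasswd -n -s "$RET"`, which puts the plaintext on the command line where any local user can read it from the process list while the command runs; write it to a mode-0600 temporary file and use `slappasswd -T file`, or feed it on stdin, instead. The mismatch check `[ $pass1 == $pass2 ]` is unquoted, so an empty or space-containing password produces a `[` syntax error or word splitting rather than a comparison; quote both operands and reject an empty password explicitly, because today two empty answers pass the equality test and `crypt_admin_pass` then skips setting `internal/adminpw`, leaving whatever consumes `@ADMINPASS@` with an empty value. Finally, `get_domain` returns 1 on an invalid domain, but with `set -e` that aborts the config script instead of re-asking; loop on it (`while ! get_domain; do :; done`) and give the `db_go` calls in the password loop the same `|| true` treatment as the others, or a "Back" from the frontend (exit 30) also kills the script.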
1480
1481=== added file 'debian/openldap-dit-core.dirs'
1482--- debian/openldap-dit-core.dirs 1970-01-01 00:00:00 +0000
1483+++ debian/openldap-dit-core.dirs 2010-07-19 21:25:56 +0000
1484@@ -0,0 +1,1 @@
1485+usr/share/slapd/openldap-dit/core
1486
1487=== added file 'debian/openldap-dit-core.docs'
1488--- debian/openldap-dit-core.docs 1970-01-01 00:00:00 +0000
1489+++ debian/openldap-dit-core.docs 2010-07-19 21:25:56 +0000
1490@@ -0,0 +1,3 @@
1491+core/README
1492+TODO
1493+COPYRIGHT
1494
1495=== added file 'debian/openldap-dit-core.postinst.in'
1496--- debian/openldap-dit-core.postinst.in 1970-01-01 00:00:00 +0000
1497+++ debian/openldap-dit-core.postinst.in 2010-07-19 21:25:56 +0000
1498@@ -0,0 +1,59 @@
1499+#!/bin/bash
1500+
1501+
1502+myservice="core"
1503+
1504+#COMMON-FUNCTIONS#
1505+
1506+
1507+# steps:
1508+# - add modules
1509+# - add schema
1510+# - add db + its acls
1511+# - modify frontend acls
1512+# - modify config acls
1513+# - add overlays
1514+# - populate db
1515+# - set password for admin
1516+
1517+add_modules
1518+check_result $?
1519+
1520+add_database
1521+check_result $?
1522+
1523+add_schemas
1524+check_result $?
1525+
1526+modify_acls
1527+check_result $?
1528+
1529+add_overlays
1530+check_result $?
1531+
1532+populate_dit
1533+check_result $?
1534+
1535+echo
1536+echo "Finished, doing one last restart..."
1537+invoke-rc.d slapd restart
1538+check_result $?
1539+
1540+echo
1541+echo "Done, enjoy!"
1542+echo
1543+echo "Remember: this is your administrator bind dn:"
1544+echo "uid=LDAP Admin,ou=System Accounts,$mysuffix"
1545+echo
1546+echo "You can use it in double quotes in the command line, like:"
1547+echo "ldapwhoami -x -D \"uid=LDAP Admin,ou=System Accounts,$mysuffix\" -W "
1548+echo
1549+
1550+wipe_admin_pass
1551+
1552+# dh_installdeb will replace this with shell code automatically
1553+# generated by other debhelper scripts.
1554+
1555+#DEBHELPER#
1556+
1557+exit 0
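Review bot: the script is not action-aware or idempotent: `add_modules`, `add_database`, `add_schemas` and `populate_dit` run on every `configure` call (upgrade, `dpkg-reconfigure`, re-install), and the second `ldapadd` of an already-present entry fails, so `check_result` aborts and leaves the package half-configured. Guard with `case "$1" in configure)` and probe for an existing deployment first (a search for `olcSuffix=$mysuffix` under `cn=config`, or the `check_dit` helper from scripts-common) before adding anything. `wipe_admin_pass` also only runs on the success path; call it from the abort path as well, otherwise a failed install leaves the plaintext `password1`/`password2` answers sitting in the debconf database. The "steps" comment still lists frontend and config ACL modification, which this script does not perform.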
1558
1559=== added file 'debian/openldap-dit-core.postrm'
1560--- debian/openldap-dit-core.postrm 1970-01-01 00:00:00 +0000
1561+++ debian/openldap-dit-core.postrm 2010-07-19 21:25:56 +0000
1562@@ -0,0 +1,15 @@
1563+#! /bin/sh
1564+
1565+set -e
1566+
1567+ . /usr/share/debconf/confmodule
1568+
1569+db_purge
1570+
1571+# dh_installdeb will replace this with shell code automatically
1572+# generated by other debhelper scripts.
1573+
1574+#DEBHELPER#
1575+
1576+exit 0
1577+
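Review bot: `db_purge` runs on every postrm action (`remove`, `upgrade`, `failed-upgrade`, ...), not only on `purge`, so a plain `apt-get remove` already discards the debconf answers. Use the standard guard, which also handles debconf being gone by purge time:

  if [ "$1" = purge ] && [ -e /usr/share/debconf/confmodule ]; then
      . /usr/share/debconf/confmodule
      db_purge
  fi

The stray leading space before `. /usr/share/debconf/confmodule` should go too.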
1578
1579=== added file 'debian/openldap-dit-core.templates'
1580--- debian/openldap-dit-core.templates 1970-01-01 00:00:00 +0000
1581+++ debian/openldap-dit-core.templates 2010-07-19 21:25:56 +0000
1582@@ -0,0 +1,28 @@
1583+Template: openldap-dit-core/domain
1584+Type: string
1585+Description: DNS domain name:
1586+ The DNS domain name is used to construct the base DN of the LDAP directory.
1587+ For example, 'foo.example.org' will create the directory with
1588+ 'dc=foo, dc=example, dc=org' as base DN.
1589+
1590+Template: openldap-dit-core/password1
1591+Type: password
1592+Description: Administrator password:
1593+ Please enter the password for the admin entry in your LDAP directory.
1594+
1595+Template: openldap-dit-core/password2
1596+Type: password
1597+Description: Confirm password:
1598+ Please enter the admin password for your LDAP directory again to verify
1599+ that you have typed it correctly.
1600+
1601+Template: openldap-dit-core/password_mismatch
1602+Type: note
1603+Description: Password mismatch
1604+ The two passwords you entered were not the same. Please try again.
1605+
1606+Template: openldap-dit-core/internal/adminpw
1607+Type: password
1608+Description: Encrypted admin password:
1609+ Internal template, should never be displayed to users.
1610+
1611
1612=== added file 'debian/openldap-dit-usersandgroups.dirs'
1613--- debian/openldap-dit-usersandgroups.dirs 1970-01-01 00:00:00 +0000
1614+++ debian/openldap-dit-usersandgroups.dirs 2010-07-19 21:25:56 +0000
1615@@ -0,0 +1,1 @@
1616+usr/share/slapd/openldap-dit/usersandgroups
1617
1618=== added file 'debian/openldap-dit-usersandgroups.docs'
1619--- debian/openldap-dit-usersandgroups.docs 1970-01-01 00:00:00 +0000
1620+++ debian/openldap-dit-usersandgroups.docs 2010-07-19 21:25:56 +0000
1621@@ -0,0 +1,1 @@
1622+usersandgroups/README
1623
1624=== added file 'debian/openldap-dit-usersandgroups.postinst.in'
1625--- debian/openldap-dit-usersandgroups.postinst.in 1970-01-01 00:00:00 +0000
1626+++ debian/openldap-dit-usersandgroups.postinst.in 2010-07-19 21:25:56 +0000
1627@@ -0,0 +1,50 @@
1628+#!/bin/bash
1629+
1630+myservice="usersandgroups"
1631+
1632+#COMMON-FUNCTIONS#
1633+
1634+# steps:
1635+# - add modules
1636+# - add schema
1637+# - add db + its acls
1638+# - modify frontend acls
1639+# - modify config acls
1640+# - add overlays
1641+# - populate db
1642+# - set password for admin
1643+
1644+check_dit
1645+check_result $?
1646+
1647+echo "Adding modules..."
1648+add_modules
1649+check_result $?
1650+
1651+add_schemas
1652+check_result $?
1653+
1654+add_overlays
1655+check_result $?
1656+
1657+add_indexes
1658+check_result $?
1659+
1660+populate_dit
1661+check_result $?
1662+
1663+modify_acls
1664+check_result $?
1665+
1666+echo
1667+echo "Finished, doing one last restart..."
1668+invoke-rc.d slapd restart
1669+check_result $?
1670+
1671+# dh_installdeb will replace this with shell code automatically
1672+# generated by other debhelper scripts.
1673+
1674+#DEBHELPER#
1675+
1676+exit 0
1677+
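Review bot: when `check_dit` returns 1 (core DIT for `$mysuffix`/`$mydomain` not found) the user only sees "ERROR, aborting" from `check_result`; print a hint that `openldap-dit-core` must be configured first, since that is the only way this check fails on a healthy system. The "steps" comment is copied verbatim from the core script and still mentions "set password for admin", which this service does not do, and the extra `echo "Adding modules..."` duplicates the message `add_ldif` already prints.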
1678
1679=== added file 'debian/openldap-dit.scripts-common'
1680--- debian/openldap-dit.scripts-common 1970-01-01 00:00:00 +0000
1681+++ debian/openldap-dit.scripts-common 2010-07-19 21:25:56 +0000
1682@@ -0,0 +1,217 @@
1683+
1684+set -e
1685+
1686+. /usr/share/debconf/confmodule
1687+
1688+LDAPWHOAMI="ldapwhoami -H ldapi:/// -Y EXTERNAL -Q"
1689+LDAPADD="ldapadd -H ldapi:/// -Y EXTERNAL -Q"
1690+LDAPMODIFY="ldapmodify -H ldapi:/// -Y EXTERNAL -Q"
1691+LDAPPASSWD="ldappasswd -H ldapi:/// -Y EXTERNAL -Q"
1692+LDAPSEARCH="ldapsearch -H ldapi:/// -Y EXTERNAL -Q -LLL"
1693+LASTACL='olcAccess: to dn.subtree="@SUFFIX@" by * read'
1694+
1695+now=`date +%s`
1696+myfqdn=`hostname -f`
1697+if [ -z "$myfqdn" ]; then
1698+ myfqdn="localhost"
1699+fi
1700+
1701+root="/usr/share/slapd/openldap-dit"
1702+
1703+# $1: domain
1704+# returns standard dc=foo,dc=bar suffix on stdout
1705+function calc_suffix() {
1706+ old_ifs=${IFS}
1707+ IFS="."
1708+ for component in $1; do
1709+ result="$result,dc=$component"
1710+ done
1711+ IFS="${old_ifs}"
1712+ echo "${result#,}"
1713+ return 0
1714+}
1715+
1716+function check_result() {
1717+ if [ "$1" -ne "0" ]; then
1718+ echo "ERROR, aborting"
1719+ exit 1
1720+ else
1721+ echo "Succeeded!"
1722+ fi
1723+}
1724+
1725+# $1: descriptive text of what is being added
1726+# $2: directory where the files are
1727+# $3: optional sed expression to use
1728+function add_ldif() {
1729+ echo "Adding $2 $1..."
1730+ for n in $(ls $2/ | grep "$1"); do
1731+ if [ ! -e "$2/$n" ]; then
1732+ echo "No additional $1 needed for this service!"
1733+ return 0
1734+ fi
1735+ if [ -z "$3" ]; then
1736+ cat "$2/$n" | $LDAPADD
1737+ else
1738+ cat "$2/$n" | sed -e "$3" | $LDAPADD
1739+ fi
1740+ if [ "$?" -ne "0" ]; then
1741+ echo "Error using \"$n\", aborting"
1742+ exit 1
1743+ fi
1744+ done
1745+ return 0
1746+}
1747+
1748+# $1: descriptive text of what is being added
1749+# $2: directory where the files are
1750+function modify_ldif() {
1751+ echo "Modifying $2 $1..."
1752+ for n in $(ls $2/ | grep "$1"); do
1753+ if [ ! -e "$2/$n" ]; then
1754+ echo "No additional $1 needed for this service!"
1755+ return 0
1756+ fi
1757+ if [ -z "$3" ]; then
1758+ cat "$2/$n" | $LDAPMODIFY
1759+ else
1760+ cat "$2/$n" | sed -e "$3" | $LDAPMODIFY
1761+ fi
1762+ if [ "$?" -ne "0" ]; then
1763+ echo "Error using \"$n\", aborting"
1764+ return 1
1765+ fi
1766+ done
1767+ return 0
1768+}
1769+
1770+# $1: index of last olcAccess attribute.
1771+function remove_last_acl() {
1772+$LDAPMODIFY <<REMOVE
1773+dn: olcDatabase={1}hdb,cn=config
1774+changetype: modify
1775+delete: olcAccess
1776+olcAccess: {$1}
1777+REMOVE
1778+}
1779+
1780+# $1: olcAccess string to be inserted last.
1781+function replace_last_acl() {
1782+ # Subfunction used for heredoc ldif.
1783+ echo "Replacing ACL..."
1784+ replace() {
1785+sed -e "s/{.*}to/to/g" <<ADD
1786+dn: olcDatabase={1}hdb,cn=config
1787+changetype: modify
1788+add: olcAccess
1789+$1
1790+ADD
1791+}
1792+
1793+ replace "$1" | $LDAPMODIFY
1794+}
1795+
1796+function add_database() {
1797+ add_ldif "database" "$root/$myservice" "s/@SUFFIX@/$mysuffix/g;"
1798+ return 0
1799+}
1800+
1801+function add_modules() {
1802+ if [ $myservice == 'core' ]; then
1803+ add_ldif "modules" "$root/$myservice"
1804+ return 0
1805+ else
1806+ mymodules=`$LDAPSEARCH -b "cn=config" objectClass=olcModuleList dn | egrep -o 'module[{][0123456789][}]'`
1807+ modify_ldif "modules" "$root/$myservice" "s/@SUFFIX@/$mysuffix/g;s/@MODULE@/$mymodules/g"
1808+ fi
1809+}
1810+
1811+# $1: sub directory containing schema LDIF files.
1812+function add_schemas() {
1813+ add_ldif "schema" "$root/$myservice"
1814+ return 0
1815+}
1816+
1817+function modify_acls() {
1818+ echo "Modifying ACLs..."
1819+ # Find database index number.
1820+ mydb=`find_main_db`
1821+
1822+ if [ $myservice != "core" ]; then
1823+ # Get last olcAccess index number.
1824+ indexs=$($LDAPSEARCH -b cn=config olcDatabase=$mydb olcaccess | grep olcAccess -c)
1825+ last_index=$(($indexs - 1))
1826+
1827+ # Store the last olcAccess string.
1828+ last_olcaccess=$($LDAPSEARCH -b cn=config olcDatabase=$mydb olcaccess | grep -A5 "olcAccess:.*$last_index")
1829+
1830+ remove_last_acl $last_index
1831+
1832+ modify_ldif "acl" "$root/$myservice" "s/@SUFFIX@/$mysuffix/g;s/@DATABASE@/$mydb/g"
1833+
1834+ replace_last_acl "$last_olcaccess"
1835+ else
1836+ modify_ldif "acl" "$root/$myservice" "s/@SUFFIX@/$mysuffix/g;s/@DATABASE@/$mydb/g"
1837+ fi
1838+
1839+ return 0
1840+}
1841+
1842+function add_overlays() {
1843+ mydb=`find_main_db`
1844+ add_ldif "overlay" "$root/$myservice" "s/@SUFFIX@/$mysuffix/g;s/@DATABASE@/$mydb/g"
1845+ return 0
1846+}
1847+
1848+function add_indexes() {
1849+ mydb=`find_main_db`
1850+ add_ldif "indexes" "$root/$myservice" "s/@SUFFIX@/$mysuffix/g;s/@DATABASE@/$mydb/g"
1851+ return 0
1852+}
1853+
1854+function populate_dit() {
1855+ mydb=`find_main_db`
1856+ if [ $myservice == "core" ]; then
1857+ # Set the uid="LDAP Admin" password.
1858+ db_get openldap-dit-core/internal/adminpw
1859+ adminpass="$RET"
1860+ add_ldif "dit" "$root/$myservice" "s/@SUFFIX@/$mysuffix/g;s/@DC@/${mydomain%%.[a-zA-Z0-9]*}/g;s/@DOMAIN@/${mydomain}/g;s#@ADMINPASS@#$adminpass#g;s/@DATABASE@/$mydb/g"
1861+ else
1862+ add_ldif "dit" "$root/$myservice" "s/@SUFFIX@/$mysuffix/g;s/@DC@/${mydomain%%.[a-zA-Z0-9]*}/g;s/@DOMAIN@/${mydomain}/g;s/@DATABASE@/$mydb/g"
1863+ fi
1864+ return 0
1865+}
1866+
1867+wipe_admin_pass() {
1868+# Remove passwords after creating the initial ldap database.
1869+# Usage: wipe_admin_pass
1870+ db_set openldap-dit-core/password1 ""
1871+ db_set openldap-dit-core/password2 ""
1872+ db_set openldap-dit-core/internal/adminpw ""
1873+}
1874+
1875+function find_main_db() {
1876+ if [ -z `$LDAPSEARCH -b "cn=config" olcSuffix="$mysuffix" dn | egrep -o '[{][0123456789][}]hdb'` ]; then
1877+ db='hdb'
1878+ else
1879+ db=`$LDAPSEARCH -b "cn=config" olcSuffix="$mysuffix" dn | egrep -o '[{][0123456789][}]hdb'`
1880+ fi
1881+ echo "$db"
1882+ return 0
1883+}
1884+
1885+function check_dit() {
1886+ base_dit=$($LDAPSEARCH -b $mysuffix associatedDomain=$mydomain dn 2>&1)
1887+ if [ "$base_dit" != "dn: $mysuffix" ]; then
1888+ return 1
1889+ fi
1890+
1891+}
1892+
1893+if [ -z "$mydomain" ]; then
1894+ db_get openldap-dit-core/domain
1895+ mydomain=$RET
1896+fi
1897+mysuffix=`calc_suffix $mydomain`
1898+
1899+
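Review bot: `remove_last_acl` and `replace_last_acl` hardcode `dn: olcDatabase={1}hdb,cn=config` while `modify_acls` has already computed `mydb` via `find_main_db`; pass `$mydb` into both so the ACL surgery targets the same database the rest of the script edits. The lookup of the rule to preserve is fragile as well: `grep -A5 "olcAccess:.*$last_index"` matches any index that merely contains those digits (a last index of 1 also matches `{10}`, `{11}`, ...) and always takes exactly five continuation lines regardless of the rule's real length, so a long or short final ACL is re-added truncated or with a neighbour's lines appended. Match the exact `{N}` prefix and read the value from the LDIF, or keep the catch-all rule text in one place (the unused `LASTACL` variable looks like it was meant for this). The regexes `[{][0123456789][}]` in `find_main_db` and `add_modules` only accept single-digit indexes. Lastly, `set -e` is active, so a non-zero return from any helper terminates the script before the following `check_result $?` runs; `check_result` therefore only ever sees 0 and its "ERROR, aborting" branch is dead code. Either drop `set -e` in this file or have the helpers return status consistently and let `check_result` do the aborting.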
1900
1901=== added directory 'debian/po'
1902=== added file 'debian/po/POTFILES.in'
1903--- debian/po/POTFILES.in 1970-01-01 00:00:00 +0000
1904+++ debian/po/POTFILES.in 2010-07-19 21:25:56 +0000
1905@@ -0,0 +1,1 @@
1906+[type: gettext/rfc822deb] openldap-dit-core.templates
1907
1908=== added file 'debian/po/templates.pot'
1909--- debian/po/templates.pot 1970-01-01 00:00:00 +0000
1910+++ debian/po/templates.pot 2010-07-19 21:25:56 +0000
1911@@ -0,0 +1,82 @@
1912+# SOME DESCRIPTIVE TITLE.
1913+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
1914+# This file is distributed under the same license as the PACKAGE package.
1915+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
1916+#
1917+#, fuzzy
1918+msgid ""
1919+msgstr ""
1920+"Project-Id-Version: PACKAGE VERSION\n"
1921+"Report-Msgid-Bugs-To: openldap-dit@packages.debian.org\n"
1922+"POT-Creation-Date: 2010-06-01 13:33-0400\n"
1923+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
1924+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
1925+"Language-Team: LANGUAGE <LL@li.org>\n"
1926+"MIME-Version: 1.0\n"
1927+"Content-Type: text/plain; charset=CHARSET\n"
1928+"Content-Transfer-Encoding: 8bit\n"
1929+
1930+#. Type: string
1931+#. Description
1932+#: ../openldap-dit-core.templates:1001
1933+msgid "DNS domain name:"
1934+msgstr ""
1935+
1936+#. Type: string
1937+#. Description
1938+#: ../openldap-dit-core.templates:1001
1939+msgid ""
1940+"The DNS domain name is used to construct the base DN of the LDAP directory. "
1941+"For example, 'foo.example.org' will create the directory with 'dc=foo, "
1942+"dc=example, dc=org' as base DN."
1943+msgstr ""
1944+
1945+#. Type: password
1946+#. Description
1947+#: ../openldap-dit-core.templates:2001
1948+msgid "Administrator password:"
1949+msgstr ""
1950+
1951+#. Type: password
1952+#. Description
1953+#: ../openldap-dit-core.templates:2001
1954+msgid "Please enter the password for the admin entry in your LDAP directory."
1955+msgstr ""
1956+
1957+#. Type: password
1958+#. Description
1959+#: ../openldap-dit-core.templates:3001
1960+msgid "Confirm password:"
1961+msgstr ""
1962+
1963+#. Type: password
1964+#. Description
1965+#: ../openldap-dit-core.templates:3001
1966+msgid ""
1967+"Please enter the admin password for your LDAP directory again to verify that "
1968+"you have typed it correctly."
1969+msgstr ""
1970+
1971+#. Type: note
1972+#. Description
1973+#: ../openldap-dit-core.templates:4001
1974+msgid "Password mismatch"
1975+msgstr ""
1976+
1977+#. Type: note
1978+#. Description
1979+#: ../openldap-dit-core.templates:4001
1980+msgid "The two passwords you entered were not the same. Please try again."
1981+msgstr ""
1982+
1983+#. Type: password
1984+#. Description
1985+#: ../openldap-dit-core.templates:5001
1986+msgid "Encrypted admin password:"
1987+msgstr ""
1988+
1989+#. Type: password
1990+#. Description
1991+#: ../openldap-dit-core.templates:5001
1992+msgid "Internal template, should never be displayed to users."
1993+msgstr ""
1994
1995=== modified file 'debian/rules'
1996--- debian/rules 2008-06-04 20:49:11 +0000
1997+++ debian/rules 2010-07-19 21:25:56 +0000
1998@@ -21,6 +21,8 @@
1999
2000
2001 build: build-stamp
2002+ perl -pe 's~#COMMON-FUNCTIONS#~qx{cat debian/openldap-dit.scripts-common}~eg' < debian/openldap-dit-core.postinst.in > debian/openldap-dit-core.postinst
2003+ perl -pe 's~#COMMON-FUNCTIONS#~qx{cat debian/openldap-dit.scripts-common}~eg' < debian/openldap-dit-usersandgroups.postinst.in > debian/openldap-dit-usersandgroups.postinst
2004
2005 build-stamp: configure-stamp
2006 dh_testdir
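Review bot: the generated `debian/openldap-dit-core.postinst` and `debian/openldap-dit-usersandgroups.postinst` are build products; add them to the `clean` target (or to `dh_clean`'s argument list) so a rebuild from a dirty tree cannot ship a stale postinst, and consider hanging the two `perl` lines off `build-stamp` rather than the bare `build` target so they run once per build like the rest of the recipe.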
2007@@ -41,10 +43,12 @@
2008 dh_testdir
2009 dh_testroot
2010 dh_clean -k
2011- dh_installdirs
2012+ dh_installdirs
2013+ dh_installdebconf
2014
2015 # Add here commands to install the package into debian/openldap-dit.
2016- $(MAKE) DESTDIR=$(CURDIR)/debian/openldap-dit install-ubuntu
2017+ $(MAKE) DESTDIR=$(CURDIR)/debian/openldap-dit-core install-core
2018+ $(MAKE) DESTDIR=$(CURDIR)/debian/openldap-dit-usersandgroups install-usersandgroups
2019
2020
2021 # Build architecture-independent files here.
2022@@ -56,7 +60,6 @@
2023 dh_installexamples
2024 # dh_install
2025 # dh_installmenu
2026-# dh_installdebconf
2027 # dh_installlogrotate
2028 # dh_installemacsen
2029 # dh_installpam
2030
2031=== added directory 'debian/source'
2032=== added file 'debian/source/format'
2033--- debian/source/format 1970-01-01 00:00:00 +0000
2034+++ debian/source/format 2010-07-19 21:25:56 +0000
2035@@ -0,0 +1,1 @@
2036+3.0 (quilt)
2037
2038=== added directory 'dhcp'
2039=== added file 'dhcp/dhcp-acl.ldif'
2040--- dhcp/dhcp-acl.ldif 1970-01-01 00:00:00 +0000
2041+++ dhcp/dhcp-acl.ldif 2010-07-19 21:25:56 +0000
2042@@ -0,0 +1,21 @@
2043+dn: olcDatabase={1}hdb,cn=config
2044+changetype: modify
2045+add: olcDbIndex
2046+olcDbIndex: dhcpClassData eq
2047+-
2048+add: olcDbIndex
2049+olcDbIndex: dhcpHWAddress eq
2050+-
2051+delete: olcAccess
2052+olcAccess: to dn.subtree="@SUFFIX@" by * read
2053+-
2054+add: olcAccess
2055+olcAccess: to dn.subtree="ou=dhcp,@SUFFIX@"
2056+ attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,
2057+ @dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog
2058+ by group/groupOfMembers/member.exact="cn=dhcp admins,ou=system groups,@SUFFIX@" write
2059+ by group/groupOfMembers/member.exact="cn=dhcp readers,ou=system groups,@SUFFIX@" read
2060+ by * read
2061+-
2062+add: olcAccess
2063+olcAccess: to dn.subtree="@SUFFIX@" by * read
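Review bot: the target DN is hardcoded as `olcDatabase={1}hdb,cn=config`, but `modify_acls` in scripts-common substitutes `@DATABASE@` with the database index it detects; use `olcDatabase=@DATABASE@,cn=config` here so the file follows the database the script actually found. The `delete: olcAccess` / re-add of `to dn.subtree="@SUFFIX@" by * read` also duplicates what `modify_acls` already does around this file (`remove_last_acl` by index before, `replace_last_acl` after, per the changelog entry "Remove last olcAccess and re-add at the end of ACL"): after the indexed delete the value-delete here fails with "no such attribute" and aborts the install, and if it did succeed the catch-all would be present twice. Keep the remove/re-add in one place. On the rule itself, the `dhcp readers ... read` clause has no effect because the following `by * read` grants the same to everyone, anonymous binds included; if the readers group is meant to be the read boundary for lease and host data, the final clause for `ou=dhcp` should be `by * none`, as the dns rule in the removed `databases/add-hdb.ldif` does. The two `olcDbIndex` additions would fit an `indexes` file, which `add_indexes` in scripts-common already looks for.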
2064
2065=== added file 'dhcp/dhcp-dit.ldif'
2066--- dhcp/dhcp-dit.ldif 1970-01-01 00:00:00 +0000
2067+++ dhcp/dhcp-dit.ldif 2010-07-19 21:25:56 +0000
2068@@ -0,0 +1,33 @@
2069+dn: ou=dhcp,@SUFFIX@
2070+ou: dhcp
2071+objectClass: organizationalUnit
2072+description: Container for DHCP related entries
2073+
2074+dn: uid=DHCP Admin,ou=System Accounts,@SUFFIX@
2075+uid: DHCP Admin
2076+objectClass: account
2077+objectClass: simpleSecurityObject
2078+userPassword: {CRYPT}x
2079+description: Account used to administer DHCP related entries and attributes
2080+
2081+dn: uid=DHCP Reader,ou=System Accounts,@SUFFIX@
2082+uid: DHCP Reader
2083+objectClass: account
2084+objectClass: simpleSecurityObject
2085+userPassword: {CRYPT}x
2086+description: Account used to read entries and attributes under ou=dhcp
2087+
2088+dn: cn=DHCP Admins,ou=System Groups,@SUFFIX@
2089+cn: DHCP Admins
2090+objectClass: groupOfMembers
2091+description: Members can administer ou=DHCP entries and attributes
2092+owner: uid=DHCP Admin,ou=System Accounts,@SUFFIX@
2093+member: uid=DHCP Admin,ou=System Accounts,@SUFFIX@
2094+
2095+dn: cn=DHCP Readers,ou=System Groups,@SUFFIX@
2096+cn: DHCP Readers
2097+objectClass: groupOfMembers
2098+description: Members can read entries and attributes under ou=dhcp
2099+owner: uid=DHCP Admin,ou=System Accounts,@SUFFIX@
2100+member: uid=DHCP Reader,ou=System Accounts,@SUFFIX@
2101+
2102
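Review bot: `userPassword: {CRYPT}x` on `uid=DHCP Admin` and `uid=DHCP Reader` is a one-character value that no crypt(3) output can ever equal, so both accounts ship unable to bind until someone stores a real hash, but nothing in this file says so and the `description` lines read as if the accounts are ready to use. Either extend the description (for example `description: ... Disabled until a password is set.`) or add a `#` comment naming the maintainer script that sets the password, so an administrator does not assume dhcpd can bind with these straight after install.
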
2103=== added file 'dhcp/dhcp-schema.ldif'
2104--- dhcp/dhcp-schema.ldif 1970-01-01 00:00:00 +0000
2105+++ dhcp/dhcp-schema.ldif 2010-07-19 21:25:56 +0000
2106@@ -0,0 +1,224 @@
2107+dn: cn=dhcp,cn=schema,cn=config
2108+objectClass: olcSchemaConfig
2109+cn: dhcp
2110+olcAttributeTypes: {0}( 2.16.840.1.113719.1.203.4.1 NAME 'dhcpPrimaryDN' DESC
2111+ 'The DN of the dhcpServer which is the primary server for the configuration.'
2112+ EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-
2113+ VALUE )
2114+olcAttributeTypes: {1}( 2.16.840.1.113719.1.203.4.2 NAME 'dhcpSecondaryDN' DES
2115+ C 'The DN of dhcpServer(s) which provide backup service for the configuration
2116+ .' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
2117+olcAttributeTypes: {2}( 2.16.840.1.113719.1.203.4.3 NAME 'dhcpStatements' DESC
2118+ 'Flexible storage for specific data depending on what object this exists in.
2119+ Like conditional statements, server parameters, etc. This allows the standar
2120+ d to evolve without needing to adjust the schema.' EQUALITY caseIgnoreIA5Matc
2121+ h SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
2122+olcAttributeTypes: {3}( 2.16.840.1.113719.1.203.4.4 NAME 'dhcpRange' DESC 'The
2123+ starting & ending IP Addresses in the range (inclusive), separated by a hyph
2124+ en; if the range only contains one address, then just the address can be spec
2125+ ified with no hyphen. Each range is defined as a separate value.' EQUALITY c
2126+ aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
2127+olcAttributeTypes: {4}( 2.16.840.1.113719.1.203.4.5 NAME 'dhcpPermitList' DESC
2128+ 'This attribute contains the permit lists associated with a pool. Each permi
2129+ t list is defined as a separate value.' EQUALITY caseIgnoreIA5Match SYNTAX 1.
2130+ 3.6.1.4.1.1466.115.121.1.26 )
2131+olcAttributeTypes: {5}( 2.16.840.1.113719.1.203.4.6 NAME 'dhcpNetMask' DESC 'T
2132+ he subnet mask length for the subnet. The mask can be easily computed from t
2133+ his length.' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGL
2134+ E-VALUE )
2135+olcAttributeTypes: {6}( 2.16.840.1.113719.1.203.4.7 NAME 'dhcpOption' DESC 'En
2136+ coded option values to be sent to clients. Each value represents a single op
2137+ tion and contains (OptionTag, Length, OptionValue) encoded in the format used
2138+ by DHCP.' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
2139+olcAttributeTypes: {7}( 2.16.840.1.113719.1.203.4.8 NAME 'dhcpClassData' DESC
2140+ 'Encoded text string or list of bytes expressed in hexadecimal, separated by
2141+ colons. Clients match subclasses based on matching the class data with the r
2142+ esults of match or spawn with statements in the class name declarations.' EQU
2143+ ALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
2144+olcAttributeTypes: {8}( 2.16.840.1.113719.1.203.4.9 NAME 'dhcpOptionsDN' DESC
2145+ 'The distinguished name(s) of the dhcpOption objects containing the configura
2146+ tion options provided by the server.' EQUALITY distinguishedNameMatch SYNTAX
2147+ 1.3.6.1.4.1.1466.115.121.1.12 )
2148+olcAttributeTypes: {9}( 2.16.840.1.113719.1.203.4.10 NAME 'dhcpHostDN' DESC 't
2149+ he distinguished name(s) of the dhcpHost objects.' EQUALITY distinguishedName
2150+ Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
2151+olcAttributeTypes: {10}( 2.16.840.1.113719.1.203.4.11 NAME 'dhcpPoolDN' DESC '
2152+ The distinguished name(s) of pools.' EQUALITY distinguishedNameMatch SYNTAX 1
2153+ .3.6.1.4.1.1466.115.121.1.12 )
2154+olcAttributeTypes: {11}( 2.16.840.1.113719.1.203.4.12 NAME 'dhcpGroupDN' DESC
2155+ 'The distinguished name(s) of the groups.' EQUALITY distinguishedNameMatch
2156+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
2157+olcAttributeTypes: {12}( 2.16.840.1.113719.1.203.4.13 NAME 'dhcpSubnetDN' DESC
2158+ 'The distinguished name(s) of the subnets.' EQUALITY distinguishedNameMatch
2159+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
2160+olcAttributeTypes: {13}( 2.16.840.1.113719.1.203.4.14 NAME 'dhcpLeaseDN' DESC
2161+ 'The distinguished name of a client address.' EQUALITY distinguishedNameMatch
2162+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
2163+olcAttributeTypes: {14}( 2.16.840.1.113719.1.203.4.15 NAME 'dhcpLeasesDN' DESC
2164+ 'The distinguished name(s) client addresses.' EQUALITY distinguishedNameMatc
2165+ h SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
2166+olcAttributeTypes: {15}( 2.16.840.1.113719.1.203.4.16 NAME 'dhcpClassesDN' DES
2167+ C 'The distinguished name(s) of a class(es) in a subclass.' EQUALITY distingu
2168+ ishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
2169+olcAttributeTypes: {16}( 2.16.840.1.113719.1.203.4.17 NAME 'dhcpSubclassesDN'
2170+ DESC 'The distinguished name(s) of subclass(es).' EQUALITY distinguishedNameM
2171+ atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
2172+olcAttributeTypes: {17}( 2.16.840.1.113719.1.203.4.18 NAME 'dhcpSharedNetworkD
2173+ N' DESC 'The distinguished name(s) of sharedNetworks.' EQUALITY distinguished
2174+ NameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
2175+olcAttributeTypes: {18}( 2.16.840.1.113719.1.203.4.19 NAME 'dhcpServiceDN' DES
2176+ C 'The DN of dhcpService object(s)which contain the configuration information
2177+ . Each dhcpServer object has this attribute identifying the DHCP configuratio
2178+ n(s) that the server is associated with.' EQUALITY distinguishedNameMatch SYN
2179+ TAX 1.3.6.1.4.1.1466.115.121.1.12 )
2180+olcAttributeTypes: {19}( 2.16.840.1.113719.1.203.4.20 NAME 'dhcpVersion' DESC
2181+ 'The version attribute of this object.' EQUALITY caseIgnoreIA5Match SYNTAX 1.
2182+ 3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
2183+olcAttributeTypes: {20}( 2.16.840.1.113719.1.203.4.21 NAME 'dhcpImplementation
2184+ ' DESC 'Description of the DHCP Server implementation e.g. DHCP Servers vendo
2185+ r.' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-V
2186+ ALUE )
2187+olcAttributeTypes: {21}( 2.16.840.1.113719.1.203.4.22 NAME 'dhcpAddressState'
2188+ DESC 'This stores information about the current binding-status of an address.
2189+ For dynamic addresses managed by DHCP, the values should be restricted to t
2190+ he following: "FREE", "ACTIVE", "EXPIRED", "RELEASED", "RESET", "ABANDONED",
2191+ "BACKUP". For other addresses, it SHOULD be one of the following: "UNKNOWN",
2192+ "RESERVED" (an address that is managed by DHCP that is reserved for a specif
2193+ ic client), "RESERVED-ACTIVE" (same as reserved, but address is currently in
2194+ use), "ASSIGNED" (assigned manually or by some other mechanism), "UNASSIGNED"
2195+ , "NOTASSIGNABLE".' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1
2196+ 21.1.26 SINGLE-VALUE )
2197+olcAttributeTypes: {22}( 2.16.840.1.113719.1.203.4.23 NAME 'dhcpExpirationTime
2198+ ' DESC 'This is the time the current lease for an address expires.' EQUALITY
2199+ generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
2200+olcAttributeTypes: {23}( 2.16.840.1.113719.1.203.4.24 NAME 'dhcpStartTimeOfSta
2201+ te' DESC 'This is the time of the last state change for a leased address.' EQ
2202+ UALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE
2203+ )
2204+olcAttributeTypes: {24}( 2.16.840.1.113719.1.203.4.25 NAME 'dhcpLastTransactio
2205+ nTime' DESC 'This is the last time a valid DHCP packet was received from the
2206+ client.' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 S
2207+ INGLE-VALUE )
2208+olcAttributeTypes: {25}( 2.16.840.1.113719.1.203.4.26 NAME 'dhcpBootpFlag' DES
2209+ C 'This indicates whether the address was assigned via BOOTP.' EQUALITY boole
2210+ anMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
2211+olcAttributeTypes: {26}( 2.16.840.1.113719.1.203.4.27 NAME 'dhcpDomainName' DE
2212+ SC 'This is the name of the domain sent to the client by the server. It is e
2213+ ssentially the same as the value for DHCP option 15 sent to the client, and r
2214+ epresents only the domain - not the full FQDN. To obtain the full FQDN assig
2215+ ned to the client you must prepend the "dhcpAssignedHostName" to this value w
2216+ ith a ".".' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
2217+ SINGLE-VALUE )
2218+olcAttributeTypes: {27}( 2.16.840.1.113719.1.203.4.28 NAME 'dhcpDnsStatus' DES
2219+ C 'This indicates the status of updating DNS resource records on behalf of th
2220+ e client by the DHCP server for this address. The value is a 16-bit bitmask.
2221+ ' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
2222+olcAttributeTypes: {28}( 2.16.840.1.113719.1.203.4.29 NAME 'dhcpRequestedHostN
2223+ ame' DESC 'This is the hostname that was requested by the client.' EQUALITY c
2224+ aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
2225+olcAttributeTypes: {29}( 2.16.840.1.113719.1.203.4.30 NAME 'dhcpAssignedHostNa
2226+ me' DESC 'This is the actual hostname that was assigned to a client. It may n
2227+ ot be the name that was requested by the client. The fully qualified domain
2228+ name can be determined by appending the value of "dhcpDomainName" (with a dot
2229+ separator) to this name.' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.146
2230+ 6.115.121.1.26 SINGLE-VALUE )
2231+olcAttributeTypes: {30}( 2.16.840.1.113719.1.203.4.31 NAME 'dhcpReservedForCli
2232+ ent' DESC 'The distinguished name of a "dhcpClient" that an address is reserv
2233+ ed for. This may not be the same as the "dhcpAssignedToClient" attribute if
2234+ the address is being reassigned but the current lease has not yet expired.' E
2235+ QUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VA
2236+ LUE )
2237+olcAttributeTypes: {31}( 2.16.840.1.113719.1.203.4.32 NAME 'dhcpAssignedToClie
2238+ nt' DESC 'This is the distinguished name of a "dhcpClient" that an address is
2239+ currently assigned to. This attribute is only present in the class when the
2240+ address is leased.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.
2241+ 115.121.1.12 SINGLE-VALUE )
2242+olcAttributeTypes: {32}( 2.16.840.1.113719.1.203.4.33 NAME 'dhcpRelayAgentInfo
2243+ ' DESC 'If the client request was received via a relay agent, this contains i
2244+ nformation about the relay agent that was available from the DHCP request. T
2245+ his is a hex-encoded option value.' EQUALITY octetStringMatch SYNTAX 1.3.6.1.
2246+ 4.1.1466.115.121.1.40 SINGLE-VALUE )
2247+olcAttributeTypes: {33}( 2.16.840.1.113719.1.203.4.34 NAME 'dhcpHWAddress' DES
2248+ C 'The clients hardware address that requested this IP address.' EQUALITY oct
2249+ etStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
2250+olcAttributeTypes: {34}( 2.16.840.1.113719.1.203.4.35 NAME 'dhcpHashBucketAssi
2251+ gnment' DESC 'HashBucketAssignment bit map for the DHCP Server, as defined in
2252+ DHC Load Balancing Algorithm [RFC 3074].' EQUALITY octetStringMatch SYNTAX 1
2253+ .3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
2254+olcAttributeTypes: {35}( 2.16.840.1.113719.1.203.4.36 NAME 'dhcpDelayedService
2255+ Parameter' DESC 'Delay in seconds corresponding to Delayed Service Parameter
2256+ configuration, as defined in DHC Load Balancing Algorithm [RFC 3074]. ' EQUA
2257+ LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
2258+olcAttributeTypes: {36}( 2.16.840.1.113719.1.203.4.37 NAME 'dhcpMaxClientLeadT
2259+ ime' DESC 'Maximum Client Lead Time configuration in seconds, as defined in D
2260+ HCP Failover Protocol [FAILOVR]' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.146
2261+ 6.115.121.1.27 SINGLE-VALUE )
2262+olcAttributeTypes: {37}( 2.16.840.1.113719.1.203.4.38 NAME 'dhcpFailOverEndpoi
2263+ ntState' DESC 'Server (Failover Endpoint) state, as defined in DHCP Failover
2264+ Protocol [FAILOVR]' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1
2265+ 21.1.26 SINGLE-VALUE )
2266+olcAttributeTypes: {38}( 2.16.840.1.113719.1.203.4.39 NAME 'dhcpErrorLog' DESC
2267+ 'Generic error log attribute that allows logging error conditions within a d
2268+ hcpService or a dhcpSubnet, like no IP addresses available for lease.' EQUALI
2269+ TY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
2270+olcObjectClasses: {0}( 2.16.840.1.113719.1.203.6.1 NAME 'dhcpService' DESC 'Se
2271+ rvice object that represents the actual DHCP Service configuration. This is a
2272+ container object.' SUP top STRUCTURAL MUST ( cn $ dhcpPrimaryDN ) MAY ( dhcp
2273+ SecondaryDN $ dhcpSharedNetworkDN $ dhcpSubnetDN $ dhcpGroupDN $ dhcpHostDN $
2274+ dhcpClassesDN $ dhcpOptionsDN $ dhcpStatements ) )
2275+olcObjectClasses: {1}( 2.16.840.1.113719.1.203.6.2 NAME 'dhcpSharedNetwork' DE
2276+ SC 'This stores configuration information for a shared network.' SUP top STRU
2277+ CTURAL MUST cn MAY ( dhcpSubnetDN $ dhcpPoolDN $ dhcpOptionsDN $ dhcpStatemen
2278+ ts ) X-NDS_CONTAINMENT 'dhcpService' )
2279+olcObjectClasses: {2}( 2.16.840.1.113719.1.203.6.3 NAME 'dhcpSubnet' DESC 'Thi
2280+ s class defines a subnet. This is a container object.' SUP top STRUCTURAL MUS
2281+ T ( cn $ dhcpNetMask ) MAY ( dhcpRange $ dhcpPoolDN $ dhcpGroupDN $ dhcpHostD
2282+ N $ dhcpClassesDN $ dhcpLeasesDN $ dhcpOptionsDN $ dhcpStatements ) X-NDS_CON
2283+ TAINMENT ( 'dhcpService' 'dhcpSharedNetwork' ) )
2284+olcObjectClasses: {3}( 2.16.840.1.113719.1.203.6.4 NAME 'dhcpPool' DESC 'This
2285+ stores configuration information about a pool.' SUP top STRUCTURAL MUST ( cn
2286+ $ dhcpRange ) MAY ( dhcpClassesDN $ dhcpPermitList $ dhcpLeasesDN $ dhcpOptio
2287+ nsDN $ dhcpStatements ) X-NDS_CONTAINMENT ( 'dhcpSubnet' 'dhcpSharedNetwork'
2288+ ) )
2289+olcObjectClasses: {4}( 2.16.840.1.113719.1.203.6.5 NAME 'dhcpGroup' DESC 'Grou
2290+ p object that lists host DNs and parameters. This is a container object.' SUP
2291+ top STRUCTURAL MUST cn MAY ( dhcpHostDN $ dhcpOptionsDN $ dhcpStatements ) X
2292+ -NDS_CONTAINMENT ( 'dhcpSubnet' 'dhcpService' ) )
2293+olcObjectClasses: {5}( 2.16.840.1.113719.1.203.6.6 NAME 'dhcpHost' DESC 'This
2294+ represents information about a particular client' SUP top STRUCTURAL MUST cn
2295+ MAY ( dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements ) X-NDS_CO
2296+ NTAINMENT ( 'dhcpService' 'dhcpSubnet' 'dhcpGroup' ) )
2297+olcObjectClasses: {6}( 2.16.840.1.113719.1.203.6.7 NAME 'dhcpClass' DESC 'Repr
2298+ esents information about a collection of related clients.' SUP top STRUCTURAL
2299+ MUST cn MAY ( dhcpSubClassesDN $ dhcpOptionsDN $ dhcpStatements ) X-NDS_CONT
2300+ AINMENT ( 'dhcpService' 'dhcpSubnet' ) )
2301+olcObjectClasses: {7}( 2.16.840.1.113719.1.203.6.8 NAME 'dhcpSubClass' DESC 'R
2302+ epresents information about a collection of related classes.' SUP top STRUCTU
2303+ RAL MUST cn MAY ( dhcpClassData $ dhcpOptionsDN $ dhcpStatements ) X-NDS_CONT
2304+ AINMENT 'dhcpClass' )
2305+olcObjectClasses: {8}( 2.16.840.1.113719.1.203.6.9 NAME 'dhcpOptions' DESC 'Re
2306+ presents information about a collection of options defined.' SUP top AUXILIAR
2307+ Y MUST cn MAY dhcpOption X-NDS_CONTAINMENT ( 'dhcpService' 'dhcpSharedNetwork
2308+ ' 'dhcpSubnet' 'dhcpPool' 'dhcpGroup' 'dhcpHost' 'dhcpClass' ) )
2309+olcObjectClasses: {9}( 2.16.840.1.113719.1.203.6.10 NAME 'dhcpLeases' DESC 'Th
2310+ is class represents an IP Address, which may or may not have been leased.' SU
2311+ P top STRUCTURAL MUST ( cn $ dhcpAddressState ) MAY ( dhcpExpirationTime $ dh
2312+ cpStartTimeOfState $ dhcpLastTransactionTime $ dhcpBootpFlag $ dhcpDomainName
2313+ $ dhcpDnsStatus $ dhcpRequestedHostName $ dhcpAssignedHostName $ dhcpReserve
2314+ dForClient $ dhcpAssignedToClient $ dhcpRelayAgentInfo $ dhcpHWAddress ) X-ND
2315+ S_CONTAINMENT ( 'dhcpService' 'dhcpSubnet' 'dhcpPool' ) )
2316+olcObjectClasses: {10}( 2.16.840.1.113719.1.203.6.11 NAME 'dhcpLog' DESC 'This
2317+ is the object that holds past information about the IP address. The cn is th
2318+ e time/date stamp when the address was assigned or released, the address stat
2319+ e at the time, if the address was assigned or released.' SUP top STRUCTURAL M
2320+ UST cn MAY ( dhcpAddressState $ dhcpExpirationTime $ dhcpStartTimeOfState $ d
2321+ hcpLastTransactionTime $ dhcpBootpFlag $ dhcpDomainName $ dhcpDnsStatus $ dhc
2322+ pRequestedHostName $ dhcpAssignedHostName $ dhcpReservedForClient $ dhcpAssig
2323+ nedToClient $ dhcpRelayAgentInfo $ dhcpHWAddress $ dhcpErrorLog ) X-NDS_CONTA
2324+ INMENT ( 'dhcpLeases' 'dhcpPool' 'dhcpSubnet' 'dhcpSharedNetwork' 'dhcpServic
2325+ e' ) )
2326+olcObjectClasses: {11}( 2.16.840.1.113719.1.203.6.12 NAME 'dhcpServer' DESC 'D
2327+ HCP Server Object' SUP top STRUCTURAL MUST ( cn $ dhcpServiceDN ) MAY ( dhcpV
2328+ ersion $ dhcpImplementation $ dhcpHashBucketAssignment $ dhcpDelayedServicePa
2329+ rameter $ dhcpMaxClientLeadTime $ dhcpFailOverEndpointState $ dhcpStatements
2330+ ) X-NDS_CONTAINMENT ( 'o' 'ou' 'dc' ) )
2331
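Review bot: this converted schema carries no `#` comment naming its upstream source or version (the `2.16.840.1.113719` arc is Novell's, and this is the dhcp.schema that ships with the ISC dhcpd LDAP patch), so a later resync cannot be diffed against anything; add a one-line header above `dn: cn=dhcp,cn=schema,cn=config` with the origin and date, and confirm debian/copyright covers it. Load order also needs stating: dhcp-acl.ldif names `@dhcpService`, `@dhcpLeases` and the other classes in its `attrs=` lists, and slapd rejects an `olcAccess` value that references an unknown objectClass, so this file must be applied before the ACL file. The mixed case between `dhcpSubclassesDN` (attribute {16}) and `dhcpSubClassesDN` (in the `dhcpClass` MAY list) is harmless because attribute names match case-insensitively, but normalising it would avoid a reader wondering whether two attributes exist.
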
2332=== added directory 'dns'
2333=== added file 'dns/dns-acl.ldif'
2334--- dns/dns-acl.ldif 1970-01-01 00:00:00 +0000
2335+++ dns/dns-acl.ldif 2010-07-19 21:25:56 +0000
2336@@ -0,0 +1,26 @@
2337+dn: olcDatabase={1}hdb,cn=config
2338+changetype: modify
2339+add: olcDbIndex
2340+olcDbIndex: zoneName eq
2341+-
2342+add: olcDbIndex
2343+olcDbIndex: relativeDomainName eq
2344+-
2345+delete: olcAccess
2346+olcAccess: to dn.subtree="@SUFFIX@" by * read
2347+-
2348+add: olcAccess
2349+olcAccess: to dn.base="ou=dns,@SUFFIX@"
2350+ attrs=entry,@extensibleObject
2351+ by group/groupOfMembers/member.exact="cn=dns admins,ou=system groups,@SUFFIX@" write
2352+ by * read
2353+-
2354+add: olcAccess
2355+olcAccess: to dn.subtree="ou=dns,@SUFFIX@"
2356+ attrs=children,entry,@dNSZone
2357+ by group/groupOfMembers/member.exact="cn=dns admins,ou=system groups,@SUFFIX@" write
2358+ by group/groupOfMembers/member.exact="cn=dns readers,ou=system groups,@SUFFIX@" read
2359+ by * none
2360+-
2361+add: olcAccess
2362+olcAccess: to dn.subtree="@SUFFIX@" by * read
2363
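Review bot: the `delete: olcAccess` / `add: olcAccess` pair around `to dn.subtree="@SUFFIX@" by * read` makes this modify order-sensitive and non-idempotent: if that exact value is not present (a site that has edited the catch-all, or this file applied before whatever creates it), the delete fails, and because an LDAP modify is atomic the indexes and the two `ou=dns` rules are rolled back with it. Either have the installer verify the value exists before applying, or add the new rules with an explicit `{n}` position (for example `olcAccess: {1}to dn.base=...`) so the catch-all can stay in place and the delete/re-add step disappears. The `by * none` at the end of the subtree rule is the right choice and matches the zone-transfer concern in the README; note that `attrs=entry,@extensibleObject` on the `dn.base` rule expands to every attribute, which is presumably intended so DNS Admins can annotate the container, but a comment saying so would help.
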
2364=== added file 'dns/dns-dit.ldif'
2365--- dns/dns-dit.ldif 1970-01-01 00:00:00 +0000
2366+++ dns/dns-dit.ldif 2010-07-19 21:25:56 +0000
2367@@ -0,0 +1,33 @@
2368+dn: ou=dns,@SUFFIX@
2369+ou: dns
2370+objectClass: organizationalUnit
2371+description: Container for DNS related entries
2372+
2373+dn: uid=DNS Admin,ou=System Accounts,@SUFFIX@
2374+uid: DNS Admin
2375+objectClass: account
2376+objectClass: simpleSecurityObject
2377+userPassword: {CRYPT}x
2378+description: Account used to administer DNS related entries and attributes
2379+
2380+dn: uid=DNS Reader,ou=System Accounts,@SUFFIX@
2381+uid: DNS Reader
2382+objectClass: account
2383+objectClass: simpleSecurityObject
2384+userPassword: {CRYPT}x
2385+description: Account used to read entries and attributes under ou=dns
2386+
2387+dn: cn=DNS Admins,ou=System Groups,@SUFFIX@
2388+cn: DNS Admins
2389+objectClass: groupOfMembers
2390+description: Members can administer ou=DNS entries and attributes
2391+owner: uid=DNS Admin,ou=System Accounts,@SUFFIX@
2392+member: uid=DNS Admin,ou=System Accounts,@SUFFIX@
2393+
2394+dn: cn=DNS Readers,ou=System Groups,@SUFFIX@
2395+cn: DNS Readers
2396+objectClass: groupOfMembers
2397+description: Members can read entries and attributes under ou=dns
2398+owner: uid=DNS Admin,ou=System Accounts,@SUFFIX@
2399+member: uid=DNS Reader,ou=System Accounts,@SUFFIX@
2400+
2401
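Review bot: the group descriptions say `ou=DNS` (and `ou=DHCP` in dhcp-dit.ldif) while the containers are created as `ou=dns` and `ou=dhcp`; DN matching is case-insensitive so nothing breaks, but pick one spelling for the descriptions. Otherwise this file is a line-for-line copy of dhcp-dit.ldif with the service name swapped; if more services follow the same pattern, generating both from one template in the Makefile would keep the account and group conventions from drifting apart.
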
2402=== added file 'dns/dnszone-schema.ldif'
2403--- dns/dnszone-schema.ldif 1970-01-01 00:00:00 +0000
2404+++ dns/dnszone-schema.ldif 2010-07-19 21:25:56 +0000
2405@@ -0,0 +1,67 @@
2406+dn: cn=dnszone,cn=schema,cn=config
2407+objectClass: olcSchemaConfig
2408+cn: dnszone
2409+olcAttributeTypes: {0}( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL' DESC 'An integer
2410+ denoting time to live' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121
2411+ .1.27 )
2412+olcAttributeTypes: {1}( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass' DESC 'The clas
2413+ s of a resource record' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.1
2414+ 15.121.1.26 )
2415+olcAttributeTypes: {2}( 1.3.6.1.4.1.2428.20.0.2 NAME 'zoneName' DESC 'The name
2416+ of a zone, i.e. the name of the highest node in the zone' EQUALITY caseIgnor
2417+ eIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121
2418+ .1.26 )
2419+olcAttributeTypes: {3}( 1.3.6.1.4.1.2428.20.0.3 NAME 'relativeDomainName' DESC
2420+ 'The starting labels of a domain name' EQUALITY caseIgnoreIA5Match SUBSTR ca
2421+ seIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
2422+olcAttributeTypes: {4}( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord' DESC 'domain
2423+ name pointer, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subs
2424+ tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
2425+olcAttributeTypes: {5}( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord' DESC 'host
2426+ information, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subst
2427+ ringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
2428+olcAttributeTypes: {6}( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord' DESC 'mail
2429+ box or mail list information, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR ca
2430+ seIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
2431+olcAttributeTypes: {7}( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord' DESC 'text s
2432+ tring, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMa
2433+ tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
2434+olcAttributeTypes: {8}( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord' DESC 'Signat
2435+ ure, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatc
2436+ h SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
2437+olcAttributeTypes: {9}( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord' DESC 'Key, R
2438+ FC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNT
2439+ AX 1.3.6.1.4.1.1466.115.121.1.26 )
2440+olcAttributeTypes: {10}( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord' DESC 'IPv6
2441+ address, RFC 1886' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substring
2442+ sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
2443+olcAttributeTypes: {11}( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord' DESC 'Locat
2444+ ion, RFC 1876' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatc
2445+ h SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
2446+olcAttributeTypes: {12}( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord' DESC 'non-e
2447+ xistant, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substrings
2448+ Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
2449+olcAttributeTypes: {13}( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord' DESC 'servi
2450+ ce location, RFC 2782' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substr
2451+ ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
2452+olcAttributeTypes: {14}( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord' DESC 'Nam
2453+ ing Authority Pointer, RFC 2915' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnor
2454+ eIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
2455+olcAttributeTypes: {15}( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord' DESC 'Key Ex
2456+ change Delegation, RFC 2230' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5
2457+ SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
2458+olcAttributeTypes: {16}( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord' DESC 'cert
2459+ ificate, RFC 2538' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substrings
2460+ Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
2461+olcAttributeTypes: {17}( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record' DESC 'A6 Rec
2462+ ord Type, RFC 2874' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substring
2463+ sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
2464+olcAttributeTypes: {18}( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord' DESC 'Non
2465+ -Terminal DNS Name Redirection, RFC 2672' EQUALITY caseIgnoreIA5Match SUBSTR
2466+ caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
2467+olcObjectClasses: {0}( 1.3.6.1.4.1.2428.20.3 NAME 'dNSZone' SUP top STRUCTURAL
2468+ MUST ( zoneName $ relativeDomainName ) MAY ( DNSTTL $ DNSClass $ ARecord $ M
2469+ DRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord $ PTRRecord $ HINFORe
2470+ cord $ MINFORecord $ TXTRecord $ SIGRecord $ KEYRecord $ AAAARecord $ LOCReco
2471+ rd $ NXTRecord $ SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $
2472+ DNAMERecord ) )
2473
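Review bot: `dNSZone` lists `ARecord`, `MDRecord`, `MXRecord`, `NSRecord`, `SOARecord` and `CNAMERecord` in its MAY clause, but none of them is defined in this file; they come from OpenLDAP's cosine schema (`aRecord`, `mDRecord`, `mXRecord`, `nSRecord`, `sOARecord`, `cNAMERecord`), so loading this LDIF on a server without cosine fails with an unknown-attribute error. State the dependency in a `#` comment at the top and make sure the install order loads cosine first. The `eq` indexes added in dns-acl.ldif for `zoneName` and `relativeDomainName` match the lookups a nameserver backend performs; the `SUBSTR` rules declared here are not indexed, which is fine. The upstream typo `non-existant` in the `nXTRecord` DESC could be corrected during the conversion since it changes nothing functional.
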
2474=== removed file 'doc/README'
2475--- doc/README 2009-09-11 16:20:31 +0000
2476+++ doc/README 1970-01-01 00:00:00 +0000
2477@@ -1,321 +0,0 @@
2478-Introduction
2479-============
2480-
2481-This document aims to explain the Directory Information Tree (DIT) used in the
2482-openldap-dit package.
2483-
2484-The motivation for this new layout is the need for a better separation of
2485-privileges regarding access to the information stored in the directory. The
2486-super user account of the directory should be used rarely and delegation of
2487-privileges should be easier.
2488-
2489-We think this proposed layout accomplishes that by providing several groups
2490-which have distinctive access rules, providing a clear separation of
2491-privileges. In order to give an user a new privilege, all is needed is to add
2492-him/her to one of these specific groups.
2493-
2494-These are the characteristics of the proposed DIT:
2495-- several groups for common services
2496-- most access control rules based on group membership
2497-- several system accounts ready to use (just add a password) by many services
2498- such as:
2499- - sudo
2500- - dns
2501- - samba
2502- - etc
2503-- simple installation script which prepares the tree asking very few questions
2504- (just two, and one of them is just a password)
2505-- easy support for OpenLDAP's password policy overlay
2506-
2507-These accounts get their privileges by being associated to specific group(s).
2508-
2509-Administrators should note that we will probably find out that there are too
2510-few groups, or too many. Or that some ACLs are too restrictive, or too broad.
2511-It is difficult to come up with a one-size-fits-all DIT, but we can start here.
2512-
2513-By the way, there is no password set for the "rootdn" account as it (the
2514-account) is not used.
2515-
2516-If you just want to know how to use this DIT, skip to the end of the document
2517-to the section called "Enough with the theory: how to use this?".
2518-
2519-
2520-The Tree
2521-========
2522-
2523- dc=example,dc=com
2524-
2525- ou=Hosts ou=System Groups ou=System Accounts
2526- ou=Idmap cn=LDAP Admins uid=Ldap Admin
2527- ou=Address Book cn=Sudo Admins uid=Sudo Admin
2528- ou=dhcp cn=DNS Admins uid=DNS Admin
2529- ou=dns cn=DNS Readers uid=DNS Reader
2530- ou=People cn=DHCP Admins uid=DHCP Admin
2531- ou=Group cn=Address Book Admins uid=Address Book Admin
2532- ou=Password Policies cn=LDAP Replicators uid=LDAP Replicator
2533- ou=Sudoers cn=Account Admins uid=Account Admin
2534- cn=MTA Admins uid=MTA Admin
2535- cn=LDAP Monitors uid=LDAP Monitor
2536- cn=Idmap Admins uid=Idmap Admin
2537- uid=smbldap-tools
2538- uid=nssldap
2539-
2540-The services
2541-============
2542-
2543-We created some entries for a few services that can use LDAP to store their
2544-information. More will probably be added in the future. For now, we have
2545-branches for:
2546-- dns (ou=dns)
2547-- sudo (ou=sudoers)
2548-- dhcp (ou=dhcp)
2549-
2550-The respective administrative groups have read/write access to these branches
2551-for specific entries.
2552-
2553-
2554-The groups
2555-==========
2556-
2557-Groups are the core of this proposed DIT layout, because most ACLs are
2558-constructed via group membership to allow for greater flexibility and
2559-delegation.
2560-
2561-The current default groups that are born with the new DIT layout are as
2562-follows:
2563-- LDAP Admins
2564-- Sudo Admins
2565-- DNS Admins
2566-- DNS Readers
2567-- DHCP Admins
2568-- Address Book Admins
2569-- LDAP Replicators
2570-- Account Admins
2571-- MTA Admins
2572-- LDAP Monitors
2573-- Idmap Admins
2574-
2575-Each entry has a description attribute filled in with a brief text describing
2576-the purpose of the members of each group. For example:
2577-
2578-dn: cn=Sudo Admins,ou=System Groups,dc=example,dc=com
2579-description: Members can administer ou=sudoers entries and attributes
2580-
2581-In order to use groups in ACLs, the objectClass used for these entries has to
2582-use attributes where membership is indicated distinguished names and not just
2583-names. In other words, the membership attribute has to use a full DN to
2584-indicate its member. The standard object class used for this by OpenLDAP is
2585-groupOfNames, and this is what we used. For example:
2586-
2587-dn: cn=Sudo Admins,ou=System Groups,dc=example,dc=com
2588-member: uid=Sudo Admin,ou=System Accounts,dc=example,dc=com
2589-
2590-A side effect of using groupOfNames is that we *have* to have at least one
2591-member in each group. So we needed to create standard accounts, which proved to
2592-be usefull anyway. The previous example showed the standard account for
2593-adminstering sudo entries and attributes.
2594-
2595-
2596-The accounts
2597-============
2598-
2599-As was the case with the groups, many standard system accounts were created.
2600-Each group has at least a corresponding system account as its membership. The
2601-current list is as follows:
2602-
2603-- Account Admin
2604-- smbldap-tools
2605-- nssldap
2606-- MTA Admin
2607-- DHCP Admin
2608-- DNS Admin
2609-- DNS Reader
2610-- Sudo Admin
2611-- Address Book Admin
2612-- LDAP Admin
2613-- LDAP Replicator
2614-- LDAP Monitor
2615-- Idmap Admin
2616-
2617-
2618-The privileges
2619-==============
2620-
2621-The idea is to give each group the needed privileges to complete its
2622-administration tasks. This usually means having access to the respective ou=foo
2623-branch of the directory. For example, the Sudo Admins group has rights over the
2624-ou=sudoers branch of the directory.
2625-
2626-Whenever possible, however, these rights are limited to that specific service,
2627-i.e., it's not any kind of entry that can be created but just those relevant to
2628-the service. For example, the Sudo Admins members can only create entries one
2629-level below ou=sudoers, and only with the attributes allowed by the sudoRole
2630-object class.
2631-
2632-Other cases, however, are more complicated. We will list them here and the
2633-reasoning behind the chosen ACLs.
2634-
2635-
2636-Monitoring access
2637------------------
2638-The "LDAP Monitors" group is the only grop besides "LDAP Admins" which can read
2639-entries under cn=monitor. This base dn contains statistics about the server,
2640-such as operations performed, backends and overlays being used, etc. So, if you
2641-need an user to have read access to this kind of information, just put him/her
2642-in this group.
2643-
2644-
2645-Samba, Unix and Kerberos admins
2646--------------------------------
2647-Samba needs to have corresponding unix accounts for its users and machine
2648-accounts. It will not by itself create those, however. For example, when
2649-running "smbpasswd -a foo", the "foo" user account will only be created if
2650-samba can find the corresponding unix attributes. The same for group mappings
2651-and machine accounts.
2652-
2653-Earlier versions of openldap-dit had two separate privilege groups:
2654-one for Unix accounts and another for Samba accounts. This complicated ACLs,
2655-and it was worse when we later added Kerberos Admins to the mix because they
2656-also had to touch some of the account-related attributes.
2657-
2658-So, since version 0.11, we merged these groups into one called Account Admins
2659-(and the respective Account Admin account). This made the ACLs simplier and
2660-faster, at the expense of some granularity in privileges.
2661-
2662-The smbldap-tools account, uid=smbldap-tools,ou=System Accounts, still exists
2663-but is now a member of the Account Admins group.
2664-
2665-
2666-MTA
2667----
2668-As of this moment, there is no clear scenario for usage of this account. For
2669-now, it can administer just a few attributes: all the ones from the
2670-inetLocalMailRecipient object class plus the single mail attribute.
2671-
2672-As more usage scenarios appear, these ACLs should be incremented.
2673-
2674-
2675-DNS Readers
2676------------
2677-Members of this group are allowed read access to all attributes of the dNSZone
2678-object class under ou=dns. Besides them and the members of the DNS Admins
2679-group, no other entity can read these entries. This was done so to avoid the
2680-"zone transfer" vulnerability scenario, where anonymous users could gather the
2681-whole DNS database.
2682-
2683-
2684-LDAP Admins
2685------------
2686-Members of this group can write to and read from all entries and attributes of
2687-the directory and have no size or time limits.
2688-
2689-
2690-LDAP Replicators
2691-----------------
2692-The members of the LDAP Replicators group have read access to all attributes
2693-and entries of the directory so that they can be used in a syncrepl replication
2694-setup. The bind dn used for the replication should be a member of this group.
2695-For example:
2696-
2697-syncrepl rid=100
2698- provider=ldap://dirserv.example.com
2699- type=refreshAndPersist
2700- retry="60 +"
2701- searchbase="dc=example,dc=com"
2702- starttls=critical
2703- bindmethod=simple
2704- binddn="uid=LDAP Replicator,ou=System Accounts,dc=example,dc=com"
2705- credentials="secret"
2706-
2707-Here, "uid=LDAP Replicator,ou=System Accounts,dc=example,dc=com" is a member of
2708-the "LDAP Replicators" group and is automatically granted read rights to all
2709-entries of the directory (assuming the provider was also installed with this
2710-base DIT and ACLs).
2711-
2712-
2713-Generic directory read accounts
2714--------------------------------
2715-A few accounts were created for specific read access. Some administrators
2716-prefer to block anonymous read access to the directory, in which case these
2717-accounts would then be used. For the moment we have:
2718-- nssldap: nss_ldap can bind to the directory either anonymously or with a
2719- specific account. The "uid=nssldap,ou=System Accounts" was created for this
2720- purpose. Currently no ACLs make use of this account. Were the administrator to
2721- use it, he/she would also have to block anonymous read access to many
2722- attributes.
2723-
2724-Currently anonymous read access is granted to many attributes. As of this
2725-moment, if the administrator wants to restrict anonymous access and use these
2726-accounts, the ACLs would have to be changed manually.
2727-
2728-
2729-The installation script
2730-=======================
2731-
2732-The openldap-dit package contains a shell script which can be used to
2733-install the accounts and ACLs described in this document. The script is
2734-installed at /usr/share/openldap/scripts/openldap-dit-setup.sh and performs the
2735-following:
2736-- asks the DNS domain (suggesting whatever was auto-detected)
2737-- constructs the top-level directory entry from this domain using dc style
2738- attributes
2739-- creates and imports an ldif file with the accounts and groups described here
2740-- installs new slapd.conf and openldap-dit-access.conf files (making backups of
2741- the previous ones) with the default ACLs and other useful configurations
2742- (like cache)
2743-- loads the ldif file, backing up the previous database directory
2744-
2745-Even though the script performs many tests and backups many files before
2746-overwriting them, administrators are advised to backup all data before running
2747-this script.
2748-
2749-
2750-Enough with the theory: how to use this?
2751-========================================
2752-
2753-The installation script will overwrite some OpenLDAP files and directories.
2754-Specifically, it will backup and overwrite the following:
2755-- /etc/ldap/slapd.conf
2756-- /etc/ldap/ldap.conf
2757-- /etc/ldap/openldap-dit-access.conf (THIS ONE HAS NO BACKUP CURRENTLY)
2758-- /var/lib/ldap contents
2759-
2760-So, after you are satisfied that nothing important will be lost, run the
2761-script. Below is a sample run using the example.com domain:
2762-
2763-root@nsn2:~# /usr/share/slapd/openldap-dit-setup.sh
2764-Please enter your DNS domain name [example.com]:
2765-
2766-
2767-Administrator account
2768-
2769-The administrator account for this directory is
2770-uid=LDAP Admin,ou=System Accounts,dc=example,dc=com
2771-
2772-Please choose a password for this account:
2773-New password:
2774-Re-enter new password:
2775-
2776-
2777-Summary
2778-=======
2779-
2780-Domain: example.com
2781-LDAP suffix: dc=example,dc=com
2782-Administrator: uid=LDAP Admin,ou=System Accounts,dc=example,dc=com
2783-
2784-Confirm? (Y/n)
2785-
2786-config file testing succeeded
2787-Stopping ldap service
2788-Finished, starting ldap service
2789-Starting OpenLDAP: slapd.
2790-
2791-Your previous database directory has been backed up as /var/lib/ldap.1228858266
2792-All files that were backed up got the suffix "1228858266".
2793-
2794-
2795-Now, fire up an LDAP browser and use the LDAP Admin account shown above to set
2796-up some passwords for the other less privileged accounts that you are going to
2797-use. Note that the "rootdn" account is not used.
2798-
2799
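Review bot: the removed doc/README is only relocated (core/README gains the same 321 lines), but its sections "The installation script" and "Enough with the theory: how to use this?" describe openldap-dit-setup.sh, which this same branch deletes (see the `=== removed file 'openldap-dit-setup.sh'` hunk later in the diff); the moved copy should be rewritten for the debconf/postinst flow rather than carried over verbatim. While doing that, the two different paths given for the script (`/usr/share/openldap/scripts/openldap-dit-setup.sh` in the text, `/usr/share/slapd/openldap-dit-setup.sh` in the sample run) and the unresolved warning `/etc/ldap/openldap-dit-access.conf (THIS ONE HAS NO BACKUP CURRENTLY)` should not survive, and the typos "grop" and "simplier" can be fixed in the moved copy.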
2800=== added file 'doc/README.kde'
2801=== added directory 'mit-kerberos'
2802=== added file 'mit-kerberos/mit-kerberos-acl.ldif'
2803--- mit-kerberos/mit-kerberos-acl.ldif 1970-01-01 00:00:00 +0000
2804+++ mit-kerberos/mit-kerberos-acl.ldif 2010-07-19 21:25:56 +0000
2805@@ -0,0 +1,29 @@
2806+dn: olcDatabase={1}hdb,cn=config
2807+changetype: modify
2808+add: olcDbIndex
2809+olcDbIndex: krbPrincipalName eq
2810+-
2811+add: olcDbIndex
2812+olcDbIndex: krbPwdPolicyReference eq
2813+-
2814+delete: olcAccess
2815+olcAccess: to dn.subtree="@SUFFIX@" by * read
2816+-
2817+add: olcAccess
2818+olcAccess: to dn.subtree="@SUFFIX@"
2819+ attrs=krbPrincipalKey
2820+ by self write
2821+ by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write
2822+ by dn.exact="uid=kdc-service,ou=System Accounts,@SUFFIX@" read
2823+ by dn.exact="uid=kadmin-service,ou=System Accounts,@SUFFIX@" write
2824+ by anonymous auth
2825+ by * none
2826+-
2827+add: olcAccess
2828+olcAccess: to dn.subtree="ou=Kerberos Realms,@SUFFIX@"
2829+ by dn.exact="uid=kdc-service,ou=System Accounts,@SUFFIX@" read
2830+ by dn.exact="uid=kadmin-service,ou=System Accounts,@SUFFIX@" write
2831+ by * none
2832+-
2833+add: olcAccess
2834+olcAccess: to dn.subtree="@SUFFIX@" by * read
2835
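Review bot: the `attrs=krbPrincipalKey` clause protects the current key only; krbPwdHistory, which the schema comment in mit-kerberos-schema.ldif describes as "the principal's old keys", is not listed, so on principal entries it falls through to the re-added `olcAccess: to dn.subtree="@SUFFIX@" by * read` and is readable by anyone, anonymous binds included. Extend the clause to `attrs=krbPrincipalKey,krbPwdHistory` (krbExtraData deserves the same consideration). Two further points: the modify is atomic, so if `delete: olcAccess` with the literal value does not match what core/acl.ldif actually installed, none of the Kerberos rules are inserted and the key attributes stay under the `by * read` catch-all; the postinst must treat a failure of this ldapmodify as fatal rather than continue. And the group DN is written `cn=account admins,ou=system groups,@SUFFIX@` here but `ou=System Groups` in monitor/acl.ldif; it works because DN comparison is case-insensitive for these attributes, but consistent casing makes the ACLs easier to audit.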
2836=== added file 'mit-kerberos/mit-kerberos-dit.ldif'
2837--- mit-kerberos/mit-kerberos-dit.ldif 1970-01-01 00:00:00 +0000
2838+++ mit-kerberos/mit-kerberos-dit.ldif 2010-07-19 21:25:56 +0000
2839@@ -0,0 +1,19 @@
2840+dn: ou=Kerberos Realms,@SUFFIX@
2841+ou: Kerberos Realms
2842+objectClass: organizationalUnit
2843+description: Container for Kerberos Realms
2844+
2845+dn: uid=kdc-service,ou=System Accounts,@SUFFIX@
2846+uid: kdc-service
2847+objectClass: account
2848+objectClass: simpleSecurityObject
2849+userPassword: {CRYPT}x
2850+description: Account used for the Kerberos KDC
2851+
2852+dn: uid=kadmin-service,ou=System Accounts,@SUFFIX@
2853+uid: kadmin-service
2854+objectClass: account
2855+objectClass: simpleSecurityObject
2856+userPassword: {CRYPT}x
2857+description: Account used for the Kerberos Admin server
2858+
2859
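Review bot: both service accounts are created with `userPassword: {CRYPT}x`, a placeholder that no password can match, so the KDC and kadmind cannot bind as `uid=kdc-service` or `uid=kadmin-service` until an administrator sets real passwords with ldappasswd. The only hint to that effect ("set up some passwords for the other less privileged accounts") is in the doc/README this branch removes; add an explicit note to core/README or to the postinst output so the Kerberos setup is not attempted against locked accounts.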
2860=== added file 'mit-kerberos/mit-kerberos-schema.ldif'
2861--- mit-kerberos/mit-kerberos-schema.ldif 1970-01-01 00:00:00 +0000
2862+++ mit-kerberos/mit-kerberos-schema.ldif 2010-07-19 21:25:56 +0000
2863@@ -0,0 +1,473 @@
2864+# Novell Kerberos Schema Definitions
2865+# Novell Inc.
2866+# 1800 South Novell Place
2867+# Provo, UT 84606
2868+#
2869+# VeRsIoN=1.0
2870+# CoPyRiGhT=(c) Copyright 2006, Novell, Inc. All rights reserved
2871+#
2872+# OIDs:
2873+# joint-iso-ccitt(2)
2874+# country(16)
2875+# us(840)
2876+# organization(1)
2877+# Novell(113719)
2878+# applications(1)
2879+# kerberos(301)
2880+# Kerberos Attribute Type(4) attr# version#
2881+# specific attribute definitions
2882+# Kerberos Attribute Syntax(5)
2883+# specific syntax definitions
2884+# Kerberos Object Class(6) class# version#
2885+# specific class definitions
2886+#
2887+# iso(1)
2888+# member-body(2)
2889+# United States(840)
2890+# mit (113554)
2891+# infosys(1)
2892+# ldap(4)
2893+# attributeTypes(1)
2894+# Kerberos(6)
2895+########################################################################
2896+########################################################################
2897+# Attribute Type Definitions #
2898+########################################################################
2899+dn: cn=mit-kerberos,cn=schema,cn=config
2900+cn: kerberos
2901+objectClass: olcSchemaConfig
2902+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.1.1
2903+ NAME 'krbPrincipalName'
2904+ EQUALITY caseExactIA5Match
2905+ SUBSTR caseExactSubstringsMatch
2906+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
2907+##### If there are multiple krbPrincipalName values for an entry, this
2908+##### is the canonical principal name in the RFC 1964 specified
2909+##### format. (If this attribute does not exist, then all
2910+##### krbPrincipalName values are treated as canonical.)
2911+olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.1
2912+ NAME 'krbCanonicalName'
2913+ EQUALITY caseExactIA5Match
2914+ SUBSTR caseExactSubstringsMatch
2915+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
2916+ SINGLE-VALUE)
2917+##### This specifies the type of the principal, the types could be any of
2918+##### the types mentioned in section 6.2 of RFC 4120
2919+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.3.1
2920+ NAME 'krbPrincipalType'
2921+ EQUALITY integerMatch
2922+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
2923+ SINGLE-VALUE)
2924+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.5.1
2925+ NAME 'krbUPEnabled'
2926+ DESC 'Boolean'
2927+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
2928+ SINGLE-VALUE)
2929+##### The time at which the principal expires
2930+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.6.1
2931+ NAME 'krbPrincipalExpiration'
2932+ EQUALITY generalizedTimeMatch
2933+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
2934+ SINGLE-VALUE)
2935+##### The krbTicketFlags attribute holds information about the kerberos flags for a principal
2936+##### The values (0x00000001 - 0x00800000) are reserved for standards and
2937+##### values (0x01000000 - 0x80000000) can be used for proprietary extensions.
2938+##### The flags and values as per RFC 4120 and MIT implementation are,
2939+##### DISALLOW_POSTDATED 0x00000001
2940+##### DISALLOW_FORWARDABLE 0x00000002
2941+##### DISALLOW_TGT_BASED 0x00000004
2942+##### DISALLOW_RENEWABLE 0x00000008
2943+##### DISALLOW_PROXIABLE 0x00000010
2944+##### DISALLOW_DUP_SKEY 0x00000020
2945+##### DISALLOW_ALL_TIX 0x00000040
2946+##### REQUIRES_PRE_AUTH 0x00000080
2947+##### REQUIRES_HW_AUTH 0x00000100
2948+##### REQUIRES_PWCHANGE 0x00000200
2949+##### DISALLOW_SVR 0x00001000
2950+##### PWCHANGE_SERVICE 0x00002000
2951+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.8.1
2952+ NAME 'krbTicketFlags'
2953+ EQUALITY integerMatch
2954+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
2955+ SINGLE-VALUE)
2956+##### The maximum ticket lifetime for a principal in seconds
2957+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.9.1
2958+ NAME 'krbMaxTicketLife'
2959+ EQUALITY integerMatch
2960+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
2961+ SINGLE-VALUE)
2962+##### Maximum renewable lifetime for a principal's ticket in seconds
2963+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.10.1
2964+ NAME 'krbMaxRenewableAge'
2965+ EQUALITY integerMatch
2966+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
2967+ SINGLE-VALUE)
2968+##### Forward reference to the Realm object.
2969+##### (FDN of the krbRealmContainer object).
2970+##### Example: cn=ACME.COM, cn=Kerberos, cn=Security
2971+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.14.1
2972+ NAME 'krbRealmReferences'
2973+ EQUALITY distinguishedNameMatch
2974+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
2975+##### List of LDAP servers that kerberos servers can contact.
2976+##### The attribute holds data in the ldap uri format,
2977+##### Example: ldaps://acme.com:636
2978+#####
2979+##### The values of this attribute need to be updated, when
2980+##### the LDAP servers listed here are renamed, moved or deleted.
2981+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.15.1
2982+ NAME 'krbLdapServers'
2983+ EQUALITY caseIgnoreMatch
2984+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
2985+##### A set of forward references to the KDC Service objects.
2986+##### (FDNs of the krbKdcService objects).
2987+##### Example: cn=kdc - server 1, ou=uvw, o=xyz
2988+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.17.1
2989+ NAME 'krbKdcServers'
2990+ EQUALITY distinguishedNameMatch
2991+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
2992+##### A set of forward references to the Password Service objects.
2993+##### (FDNs of the krbPwdService objects).
2994+##### Example: cn=kpasswdd - server 1, ou=uvw, o=xyz
2995+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.18.1
2996+ NAME 'krbPwdServers'
2997+ EQUALITY distinguishedNameMatch
2998+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
2999+##### This attribute holds the Host Name or the ip address,
3000+##### transport protocol and ports of the kerberos service host
3001+##### The format is host_name-or-ip_address#protocol#port
3002+##### Protocol can be 0 or 1. 0 is for UDP. 1 is for TCP.
3003+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.24.1
3004+ NAME 'krbHostServer'
3005+ EQUALITY caseExactIA5Match
3006+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
3007+##### This attribute holds the scope for searching the principals
3008+##### under krbSubTree attribute of krbRealmContainer
3009+##### The value can either be 1 (ONE) or 2 (SUB_TREE).
3010+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.25.1
3011+ NAME 'krbSearchScope'
3012+ EQUALITY integerMatch
3013+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
3014+ SINGLE-VALUE)
3015+##### FDNs pointing to Kerberos principals
3016+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.26.1
3017+ NAME 'krbPrincipalReferences'
3018+ EQUALITY distinguishedNameMatch
3019+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
3020+##### This attribute specifies which attribute of the user objects
3021+##### be used as the principal name component for Kerberos.
3022+##### The allowed values are cn, sn, uid, givenname, fullname.
3023+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.28.1
3024+ NAME 'krbPrincNamingAttr'
3025+ EQUALITY caseIgnoreMatch
3026+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
3027+ SINGLE-VALUE)
3028+##### A set of forward references to the Administration Service objects.
3029+##### (FDNs of the krbAdmService objects).
3030+##### Example: cn=kadmindd - server 1, ou=uvw, o=xyz
3031+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.29.1
3032+ NAME 'krbAdmServers'
3033+ EQUALITY distinguishedNameMatch
3034+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
3035+##### Maximum lifetime of a principal's password
3036+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.30.1
3037+ NAME 'krbMaxPwdLife'
3038+ EQUALITY integerMatch
3039+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
3040+ SINGLE-VALUE)
3041+##### Minimum lifetime of a principal's password
3042+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.31.1
3043+ NAME 'krbMinPwdLife'
3044+ EQUALITY integerMatch
3045+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
3046+ SINGLE-VALUE)
3047+##### Minimum number of character clases allowed in a password
3048+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.32.1
3049+ NAME 'krbPwdMinDiffChars'
3050+ EQUALITY integerMatch
3051+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
3052+ SINGLE-VALUE)
3053+##### Minimum length of the password
3054+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.33.1
3055+ NAME 'krbPwdMinLength'
3056+ EQUALITY integerMatch
3057+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
3058+ SINGLE-VALUE)
3059+##### Number of previous versions of passwords that are stored
3060+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.34.1
3061+ NAME 'krbPwdHistoryLength'
3062+ EQUALITY integerMatch
3063+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
3064+ SINGLE-VALUE)
3065+##### FDN pointing to a Kerberos Password Policy object
3066+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.36.1
3067+ NAME 'krbPwdPolicyReference'
3068+ EQUALITY distinguishedNameMatch
3069+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
3070+ SINGLE-VALUE)
3071+##### The time at which the principal's password expires
3072+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.37.1
3073+ NAME 'krbPasswordExpiration'
3074+ EQUALITY generalizedTimeMatch
3075+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
3076+ SINGLE-VALUE)
3077+##### This attribute holds the principal's key (krbPrincipalKey) that is encrypted with
3078+##### the master key (krbMKey).
3079+##### The attribute is ASN.1 encoded.
3080+#####
3081+##### The format of the value for this attribute is explained below,
3082+##### KrbKeySet ::= SEQUENCE {
3083+##### attribute-major-vno [0] UInt16,
3084+##### attribute-minor-vno [1] UInt16,
3085+##### kvno [2] UInt32,
3086+##### mkvno [3] UInt32 OPTIONAL,
3087+##### keys [4] SEQUENCE OF KrbKey,
3088+##### ...
3089+##### }
3090+#####
3091+##### KrbKey ::= SEQUENCE {
3092+##### salt [0] KrbSalt OPTIONAL,
3093+##### key [1] EncryptionKey,
3094+##### s2kparams [2] OCTET STRING OPTIONAL,
3095+##### ...
3096+##### }
3097+#####
3098+##### KrbSalt ::= SEQUENCE {
3099+##### type [0] Int32,
3100+##### salt [1] OCTET STRING OPTIONAL
3101+##### }
3102+#####
3103+##### EncryptionKey ::= SEQUENCE {
3104+##### keytype [0] Int32,
3105+##### keyvalue [1] OCTET STRING
3106+##### }
3107+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.39.1
3108+ NAME 'krbPrincipalKey'
3109+ EQUALITY octetStringMatch
3110+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
3111+##### FDN pointing to a Kerberos Ticket Policy object.
3112+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.40.1
3113+ NAME 'krbTicketPolicyReference'
3114+ EQUALITY distinguishedNameMatch
3115+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
3116+ SINGLE-VALUE)
3117+##### Forward reference to an entry that starts sub-trees
3118+##### where principals and other kerberos objects in the realm are configured.
3119+##### Example: ou=acme, ou=pq, o=xyz
3120+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.41.1
3121+ NAME 'krbSubTrees'
3122+ EQUALITY distinguishedNameMatch
3123+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
3124+##### Holds the default encryption/salt type combinations of principals for
3125+##### the Realm. Stores in the form of key:salt strings.
3126+##### Example: des-cbc-crc:normal
3127+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.42.1
3128+ NAME 'krbDefaultEncSaltTypes'
3129+ EQUALITY caseIgnoreMatch
3130+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
3131+##### Holds the Supported encryption/salt type combinations of principals for
3132+##### the Realm. Stores in the form of key:salt strings.
3133+##### The supported encryption types are mentioned in RFC 3961
3134+##### The supported salt types are,
3135+##### NORMAL
3136+##### V4
3137+##### NOREALM
3138+##### ONLYREALM
3139+##### SPECIAL
3140+##### AFS3
3141+##### Example: des-cbc-crc:normal
3142+#####
3143+##### This attribute obsoletes the krbSupportedEncTypes and krbSupportedSaltTypes
3144+##### attributes.
3145+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.43.1
3146+ NAME 'krbSupportedEncSaltTypes'
3147+ EQUALITY caseIgnoreMatch
3148+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
3149+##### This attribute holds the principal's old keys (krbPwdHistory) that is encrypted with
3150+##### the kadmin/history key.
3151+##### The attribute is ASN.1 encoded.
3152+#####
3153+##### The format of the value for this attribute is explained below,
3154+##### KrbKeySet ::= SEQUENCE {
3155+##### attribute-major-vno [0] UInt16,
3156+##### attribute-minor-vno [1] UInt16,
3157+##### kvno [2] UInt32,
3158+##### mkvno [3] UInt32 OPTIONAL -- actually kadmin/history key,
3159+##### keys [4] SEQUENCE OF KrbKey,
3160+##### ...
3161+##### }
3162+#####
3163+##### KrbKey ::= SEQUENCE {
3164+##### salt [0] KrbSalt OPTIONAL,
3165+##### key [1] EncryptionKey,
3166+##### s2kparams [2] OCTET STRING OPTIONAL,
3167+##### ...
3168+##### }
3169+#####
3170+##### KrbSalt ::= SEQUENCE {
3171+##### type [0] Int32,
3172+##### salt [1] OCTET STRING OPTIONAL
3173+##### }
3174+#####
3175+##### EncryptionKey ::= SEQUENCE {
3176+##### keytype [0] Int32,
3177+##### keyvalue [1] OCTET STRING
3178+##### }
3179+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.44.1
3180+ NAME 'krbPwdHistory'
3181+ EQUALITY octetStringMatch
3182+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
3183+##### The time at which the principal's password last password change happened.
3184+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.45.1
3185+ NAME 'krbLastPwdChange'
3186+ EQUALITY generalizedTimeMatch
3187+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
3188+ SINGLE-VALUE)
3189+##### This attribute holds the kerberos master key.
3190+##### This can be used to encrypt principal keys.
3191+##### This attribute has to be secured in directory.
3192+#####
3193+##### This attribute is ASN.1 encoded.
3194+##### The format of the value for this attribute is explained below,
3195+##### KrbMKey ::= SEQUENCE {
3196+##### kvno [0] UInt32,
3197+##### key [1] MasterKey
3198+##### }
3199+#####
3200+##### MasterKey ::= SEQUENCE {
3201+##### keytype [0] Int32,
3202+##### keyvalue [1] OCTET STRING
3203+##### }
3204+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.46.1
3205+ NAME 'krbMKey'
3206+ EQUALITY octetStringMatch
3207+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
3208+##### This stores the alternate principal names for the principal in the RFC 1961 specified format
3209+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.47.1
3210+ NAME 'krbPrincipalAliases'
3211+ EQUALITY caseExactIA5Match
3212+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
3213+##### The time at which the principal's last successful authentication happened.
3214+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.48.1
3215+ NAME 'krbLastSuccessfulAuth'
3216+ EQUALITY generalizedTimeMatch
3217+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
3218+ SINGLE-VALUE)
3219+##### The time at which the principal's last failed authentication happened.
3220+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.49.1
3221+ NAME 'krbLastFailedAuth'
3222+ EQUALITY generalizedTimeMatch
3223+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
3224+ SINGLE-VALUE)
3225+##### This attribute stores the number of failed authentication attempts
3226+##### happened for the principal since the last successful authentication.
3227+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.50.1
3228+ NAME 'krbLoginFailedCount'
3229+ EQUALITY integerMatch
3230+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
3231+ SINGLE-VALUE)
3232+##### This attribute holds the application specific data.
3233+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.51.1
3234+ NAME 'krbExtraData'
3235+ EQUALITY octetStringMatch
3236+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
3237+##### This attributes holds references to the set of directory objects.
3238+##### This stores the DNs of the directory objects to which the
3239+##### principal object belongs to.
3240+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.52.1
3241+ NAME 'krbObjectReferences'
3242+ EQUALITY distinguishedNameMatch
3243+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
3244+##### This attribute holds references to a Container object where
3245+##### the additional principal objects and stand alone principal
3246+##### objects (krbPrincipal) can be created.
3247+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.53.1
3248+ NAME 'krbPrincContainerRef'
3249+ EQUALITY distinguishedNameMatch
3250+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
3251+########################################################################
3252+########################################################################
3253+# Object Class Definitions #
3254+########################################################################
3255+#### This is a kerberos container for all the realms in a tree.
3256+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.1.1
3257+ NAME 'krbContainer'
3258+ SUP top
3259+ MUST ( cn ) )
3260+##### The krbRealmContainer is created per realm and holds realm specific data.
3261+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.2.1
3262+ NAME 'krbRealmContainer'
3263+ SUP top
3264+ MUST ( cn )
3265+ MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $krbPwdPolicyReference $ krbPrincContainerRef ) )
3266+##### An instance of a class derived from krbService is created per
3267+##### kerberos authentication or administration server in an realm and holds
3268+##### references to the realm objects. These references is used to further read
3269+##### realm specific data to service AS/TGS requests. Additionally this object
3270+##### contains some server specific data like pathnames and ports that the
3271+##### server uses. This is the identity the kerberos server logs in with. A key
3272+##### pair for the same is created and the kerberos server logs in with the same.
3273+#####
3274+##### krbKdcService, krbAdmService and krbPwdService derive from this class.
3275+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.3.1
3276+ NAME 'krbService'
3277+ ABSTRACT
3278+ SUP ( top )
3279+ MUST ( cn )
3280+ MAY ( krbHostServer $ krbRealmReferences ) )
3281+##### Representative object for the KDC server to bind into a LDAP directory
3282+##### and have a connection to access Kerberos data with the required
3283+##### access rights.
3284+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.4.1
3285+ NAME 'krbKdcService'
3286+ SUP ( krbService ) )
3287+##### Representative object for the Kerberos Password server to bind into a LDAP directory
3288+##### and have a connection to access Kerberos data with the required
3289+##### access rights.
3290+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.5.1
3291+ NAME 'krbPwdService'
3292+ SUP ( krbService ) )
3293+###### The principal data auxiliary class. Holds principal information
3294+###### and is used to store principal information for Person, Service objects.
3295+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.8.1
3296+ NAME 'krbPrincipalAux'
3297+ AUXILIARY
3298+ MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )
3299+###### This class is used to create additional principals and stand alone principals.
3300+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.9.1
3301+ NAME 'krbPrincipal'
3302+ SUP ( top )
3303+ MUST ( krbPrincipalName )
3304+ MAY ( krbObjectReferences ) )
3305+###### The principal references auxiliary class. Holds all principals referred
3306+###### from a service
3307+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.11.1
3308+ NAME 'krbPrincRefAux'
3309+ SUP top
3310+ AUXILIARY
3311+ MAY krbPrincipalReferences )
3312+##### Representative object for the Kerberos Administration server to bind into a LDAP directory
3313+##### and have a connection Id to access Kerberos data with the required access rights.
3314+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.13.1
3315+ NAME 'krbAdmService'
3316+ SUP ( krbService ) )
3317+##### The krbPwdPolicy object is a template password policy that
3318+##### can be applied to principals when they are created.
3319+##### These policy attributes will be in effect, when the Kerberos
3320+##### passwords are different from users' passwords (UP).
3321+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.14.1
3322+ NAME 'krbPwdPolicy'
3323+ SUP top
3324+ MUST ( cn )
3325+ MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength ) )
3326+##### The krbTicketPolicyAux holds Kerberos ticket policy attributes.
3327+##### This class can be attached to a principal object or realm object.
3328+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.16.1
3329+ NAME 'krbTicketPolicyAux'
3330+ AUXILIARY
3331+ MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )
3332+##### The krbTicketPolicy object is an effective ticket policy that is associated with a realm or a principal
3333+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.17.1
3334+ NAME 'krbTicketPolicy'
3335+ SUP top
3336+ MUST ( cn ) )
3337
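Review bot: the entry DN is `dn: cn=mit-kerberos,cn=schema,cn=config` but the naming attribute is `cn: kerberos`; LDAP requires the RDN value to appear among the entry's attribute values, and slapd reports this as a naming violation on its regular backends, so make the two agree (`cn: mit-kerberos`) rather than relying on back-config's renaming to `cn={N}...`. The file carries "(c) Copyright 2006, Novell, Inc. All rights reserved", so confirm that the two lines added to debian/copyright cover it. The krbPrincipalAliases comment cites "RFC 1961" where the krbPrincipalName comment above correctly cites RFC 1964; that is an upstream typo, so fix it there rather than diverging here.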
3338=== added file 'mit-kerberos/mit-refint-overlay.ldif'
3339--- mit-kerberos/mit-refint-overlay.ldif 1970-01-01 00:00:00 +0000
3340+++ mit-kerberos/mit-refint-overlay.ldif 2010-07-19 21:25:56 +0000
3341@@ -0,0 +1,7 @@
3342+dn: olcOverlay={3}refint,olcDatabase={1}hdb,cn=config
3343+changetype: modify
3344+add: olcRefintAttribute
3345+olcRefintAttribute: krbObjectReferences
3346+-
3347+add: olcRefintAttribute
3348+olcRefintAttribute: krbPwdPolicyReference
3349
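Review bot: the target DN `olcOverlay={3}refint,olcDatabase={1}hdb,cn=config` hard-codes both the database index and the overlay position, and this branch changes overlay ordering (overlays/1_add-ppolicy-overlay.ldif is removed), so `{3}` is only correct if exactly three overlays were instantiated before refint. Have the postinst resolve the overlay DN at install time (a search under `olcDatabase={1}hdb,cn=config` for `(olcOverlay=refint)`) and substitute it the way `@SUFFIX@` is substituted, failing loudly when the overlay is absent instead of letting ldapmodify return noSuchObject. Since refint.la was loaded by modules/add-modules.ldif, which this diff removes, also confirm the refint overlay is still created before this file is applied.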
3350=== removed directory 'modules'
3351=== removed file 'modules/add-modules.ldif'
3352--- modules/add-modules.ldif 2009-09-11 14:28:41 +0000
3353+++ modules/add-modules.ldif 1970-01-01 00:00:00 +0000
3354@@ -1,10 +0,0 @@
3355-dn: cn=module,cn=config
3356-cn: module
3357-objectClass: olcModuleList
3358-olcModuleLoad: back_hdb.la
3359-olcModuleLoad: back_bdb.la
3360-olcModuleLoad: ppolicy.la
3361-olcModuleLoad: unique.la
3362-olcModuleLoad: back_monitor.la
3363-olcModuleLoad: refint.la
3364-olcModuleLoad: syncprov.la
3365
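Review bot: the removed entry loaded back_hdb.la, back_bdb.la, ppolicy.la, unique.la, back_monitor.la, refint.la and syncprov.la; of the per-component replacements, monitor/modules.ldif visibly re-adds only back_monitor.la and core/modules.ldif is four lines in the diff summary, so it can hold at most one olcModuleLoad value. mit-kerberos/mit-refint-overlay.ldif assumes a refint overlay exists, so state where refint.la (and ppolicy.la, unique.la, syncprov.la) are now loaded, or the mit-kerberos modification will fail.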
3366=== added directory 'monitor'
3367=== added file 'monitor/README'
3368--- monitor/README 1970-01-01 00:00:00 +0000
3369+++ monitor/README 2010-07-19 21:25:56 +0000
3370@@ -0,0 +1,1 @@
3371+TODO
3372
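Review bot: the README is the single word `TODO`; the "Monitoring access" section of the removed doc/README (LDAP Monitors is the only group besides LDAP Admins that may read cn=monitor) already describes this component and could be moved here so the monitor package is documented at the point it is split out.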
3373=== added file 'monitor/acl.ldif'
3374--- monitor/acl.ldif 1970-01-01 00:00:00 +0000
3375+++ monitor/acl.ldif 2010-07-19 21:25:56 +0000
3376@@ -0,0 +1,12 @@
3377+dn: olcDatabase=monitor,cn=config
3378+changetype: modify
3379+add: olcAccess
3380+olcAccess: to dn.subtree=""
3381+ by dn.exact="uid=LDAP Monitor,ou=System Accounts,@SUFFIX@" read
3382+ by * none
3383+-
3384+add: olcAccess
3385+olcAccess: to dn.subtree=""
3386+ by group/groupOfMembers/member.exact="cn=LDAP Admins,ou=System Groups,@SUFFIX@" read
3387+ by group/groupOfMembers/member.exact="cn=LDAP Monitors,ou=System Groups,@SUFFIX@" read
3388+ by * none
3389
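Review bot: both olcAccess values use the same `to dn.subtree=""`, and slapd evaluates only the first `to` clause that matches an entry, so the first value (`uid=LDAP Monitor` read, then `by * none`) is always selected and the second value, which grants `cn=LDAP Admins` and `cn=LDAP Monitors` read access, is never reached. Merge them into one value: keep the first `to dn.subtree=""` line, move the two `by group/groupOfMembers/member.exact=...` lines in front of its `by * none`, and drop the second value; otherwise the "LDAP Monitors" group described in the README has no effect.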
3390=== added file 'monitor/database.ldif'
3391--- monitor/database.ldif 1970-01-01 00:00:00 +0000
3392+++ monitor/database.ldif 2010-07-19 21:25:56 +0000
3393@@ -0,0 +1,7 @@
3394+dn: olcDatabase=monitor,cn=config
3395+changetype: add
3396+objectClass: olcMonitorConfig
3397+objectClass: olcDatabaseConfig
3398+objectClass: olcConfig
3399+olcDatabase: monitor
3400+olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
3401
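Review bot: this `changetype: add` fails unless back_monitor.la has already been loaded by monitor/modules.ldif, and monitor/acl.ldif then modifies the entry created here, so the three files have a strict apply order (modules.ldif, database.ldif, acl.ldif) that nothing in this directory records; the Makefile or postinst should enforce it. The `olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth` value makes local root over ldapi the rootdn of the monitor database and therefore exempt from acl.ldif, which is consistent with the `-H ldapi:/// -Y EXTERNAL` convention the removed setup script used, but worth stating in the README.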
3402=== added file 'monitor/modules.ldif'
3403--- monitor/modules.ldif 1970-01-01 00:00:00 +0000
3404+++ monitor/modules.ldif 2010-07-19 21:25:56 +0000
3405@@ -0,0 +1,4 @@
3406+dn: cn=module,cn=config
3407+changetype: modify
3408+add: olcModuleLoad
3409+olcModuleLoad: back_monitor.la
3410
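Review bot: `dn: cn=module,cn=config` with `changetype: modify` assumes exactly one module-list entry exists; on Debian/Ubuntu slapd it is created as `cn=module{0},cn=config`, and the removed modules/add-modules.ldif used to add a second `cn=module` entry. If core/modules.ldif also adds instead of modifying, there are two such entries and the index-less DN is ambiguous; have core/modules.ldif modify the existing `cn=module{0}` entry (or use the explicit indexed DN in every component file) so each `add: olcModuleLoad` lands in the same list.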
3411=== removed file 'openldap-dit-setup.sh'
3412--- openldap-dit-setup.sh 2009-12-02 20:23:12 +0000
3413+++ openldap-dit-setup.sh 1970-01-01 00:00:00 +0000
3414@@ -1,394 +0,0 @@
3415-#!/bin/bash
3416-
3417-if [ "`id -u`" != "0" ]; then
3418- echo "Error, must be root user"
3419- exit 1
3420-fi
3421-
3422-LDAPWHOAMI="ldapwhoami -H ldapi:/// -Y EXTERNAL -Q"
3423-LDAPADD="ldapadd -H ldapi:/// -Y EXTERNAL -Q"
3424-LDAPMODIFY="ldapmodify -H ldapi:/// -Y EXTERNAL -Q"
3425-LDAPPASSWD="ldappasswd -H ldapi:/// -Y EXTERNAL -Q"
3426-
3427-function distro_guess()
3428-{
3429-#$ cat /etc/lsb-release
3430-#DISTRIB_ID=Ubuntu
3431-#DISTRIB_RELEASE=8.04
3432-#DISTRIB_CODENAME=hardy
3433-#DISTRIB_DESCRIPTION="Ubuntu 8.04"
3434- if [ -r "/etc/lsb-release" ]; then
3435- source /etc/lsb-release
3436- else
3437- echo "Can't guess distro name (no /etc/lsb-release or it's not readable)"
3438- exit 1
3439- fi
3440- if [ -z "$DISTRIB_ID" -o -z "$DISTRIB_RELEASE" ]; then
3441- echo "No DISTRIB_ID or DISTRIB_RELEASE variable(s) in /etc/lsb-release"
3442- exit 1
3443- fi
3444- DISTRIB_ID=`echo $DISTRIB_ID | tr A-Z a-z`
3445- export DISTRIB_ID DISTRIB_RELEASE
3446- echo $DISTRIB_ID
3447- return 0
3448-}
3449-
3450-function ubuntu_setup()
3451-{
3452- if [ -x /usr/sbin/invoke-rc.d ]; then
3453- SERVICE="/usr/sbin/invoke-rc.d slapd"
3454- else
3455- SERVICE="/etc/init.d/slapd"
3456- fi
3457- export root="/usr/share/slapd/openldap-dit"
3458- export databases_dir="$root/databases"
3459- export schemas_dir="$root/schemas"
3460- export acls_dir="$root/acls"
3461- export modules_dir="$root/modules"
3462- export overlays_dir="$root/overlays"
3463- export contents_dir="$root/contents"
3464-
3465- for package in slapd ldap-utils libsasl2-modules; do
3466- if ! dpkg -l $package 2>/dev/null | grep -q ^ii; then
3467- echo "Error, please install package $package"
3468- exit 1
3469- fi
3470- done
3471-
3472- return 0
3473-}
3474-
3475-function usage() {
3476- echo "Usage:"
3477- echo "$0 [-h | --help] [-v] [-d <dnsdomain>] [-p <password>] [-y]"
3478- echo
3479- echo "-h | --help : shows this help"
3480- echo "-v : verbose mode"
3481- echo "-d <dnsdomain> : use <dnsdomain> for dns domain"
3482- echo "-p <password> : use <password> for LDAP Admin password"
3483- echo
3484- echo "-y : assume default answer in all prompts "
3485- echo " except the password one"
3486-}
3487-
3488-function echo_v() {
3489- if [ -n "$verbose" ]; then
3490- echo "== $@"
3491- fi
3492-}
3493-
3494-# output: stdout: example.com or the possible detected domain
3495-function detect_domain() {
3496- mydomain=`hostname -d`
3497- if [ -z "$mydomain" ]; then
3498- mydomain="example.com"
3499- fi
3500- echo "$mydomain"
3501- return 0
3502-}
3503-
3504-# $1: domain
3505-# returns standard dc=foo,dc=bar suffix on stdout
3506-function calc_suffix() {
3507- old_ifs=${IFS}
3508- IFS="."
3509- for component in $1; do
3510- result="$result,dc=$component"
3511- done
3512- IFS="${old_ifs}"
3513- echo "${result#,}"
3514- return 0
3515-}
3516-
3517-# test if sasl external works and maps us to something
3518-function test_auth() {
3519- out=$($LDAPWHOAMI)
3520- [ "$?" -ne "0" ] && return 1
3521- # XXX - too specific for ubuntu's ldap deployment...
3522- # a better test would be slapacl, but I couldn't get it
3523- # to work
3524- if [ "$out" = "dn:cn=localroot,cn=config" ]; then
3525- return 0
3526- else
3527- return 1
3528- fi
3529-}
3530-
3531-function get_admin_password() {
3532- echo
3533- echo "Administrator account"
3534- echo
3535- echo "The administrator account for this directory is"
3536- echo "uid=LDAP Admin,ou=System Accounts,$mysuffix"
3537- echo
3538- echo "Please choose a password for this account:"
3539- while /bin/true; do
3540- echo -n "New password: "
3541- stty -echo
3542- read pass1
3543- stty echo
3544- echo
3545- if [ -z "$pass1" ]; then
3546- echo "Error, password cannot be empty"
3547- echo
3548- continue
3549- fi
3550- echo -n "Repeat new password: "
3551- stty -echo
3552- read pass2
3553- stty echo
3554- echo
3555- if [ "$pass1" != "$pass2" ]; then
3556- echo "Error, passwords don't match"
3557- echo
3558- continue
3559- fi
3560- pass="$pass1"
3561- break
3562- done
3563- if [ -n "$pass" ]; then
3564- return 0
3565- fi
3566- return 1
3567-}
3568-
3569-function check_result() {
3570- if [ "$1" -ne "0" ]; then
3571- echo "ERROR, aborting"
3572- exit 1
3573- else
3574- echo "Succeeded!"
3575- fi
3576-}
3577-
3578-# $1: descriptive text of what is being added
3579-# $2: directory where the files are
3580-# $3: optional sed expression to use
3581-function add_ldif() {
3582- echo "Adding $1..."
3583- for n in $2/*.ldif; do
3584- if [ -z "$n" ]; then
3585- echo "Error, no file to use!"
3586- return 1
3587- fi
3588- if [ -z "$3" ]; then
3589- cat "$n" | $LDAPADD
3590- else
3591- cat "$n" | sed -e "$3" | $LDAPADD
3592- fi
3593- if [ "$?" -ne "0" ]; then
3594- echo "Error using \"$n\", aborting"
3595- exit 1
3596- fi
3597- done
3598- return 0
3599-}
3600-
3601-# $1: descriptive text of what is being added
3602-# $2: directory where the files are
3603-# $3: optional sed expression to use
3604-function modify_ldif() {
3605- echo "Modifying $1..."
3606- for n in $2/*.ldif; do
3607- if [ -z "$n" ]; then
3608- echo "Error, no file to use!"
3609- return 1
3610- fi
3611- if [ -z "$3" ]; then
3612- cat "$n" | $LDAPMODIFY
3613- else
3614- cat "$n" | sed -e "$3" | $LDAPMODIFY
3615- fi
3616- if [ "$?" -ne "0" ]; then
3617- echo "Error using \"$n\", aborting"
3618- return 1
3619- fi
3620- done
3621- return 0
3622-}
3623-
3624-function add_modules() {
3625- add_ldif "modules" "$modules_dir"
3626- return 0
3627-}
3628-
3629-function add_schemas() {
3630- add_ldif "schemas" "$schemas_dir"
3631- return 0
3632-}
3633-
3634-function add_db () {
3635- add_ldif "database" "$databases_dir" "s/@SUFFIX@/$mysuffix/g"
3636- return 0
3637-}
3638-
3639-function modify_acls() {
3640- modify_ldif "ACLs" "$acls_dir" "s/@SUFFIX@/$mysuffix/g"
3641- return 0
3642-}
3643-
3644-function add_overlays() {
3645- add_ldif "overlays" "$overlays_dir" "s/@SUFFIX@/$mysuffix/g"
3646- return 0
3647-}
3648-
3649-function populate_db() {
3650- add_ldif "populated database" "$contents_dir" "s/@SUFFIX@/$mysuffix/g;s/@DC@/${mydomain%%.[a-zA-Z0-9]*}/g;s/@DOMAIN@/${mydomain}/g"
3651- return 0
3652-}
3653-
3654-function set_admin_password() {
3655- echo "Setting the admin password..."
3656- # XXX - password will show up briefly in the command line and process
3657- # list
3658- $LDAPPASSWD -s "$pass" "uid=LDAP Admin,ou=System Accounts,$mysuffix"
3659- return $?
3660-}
3661-
3662-
3663-now=`date +%s`
3664-myfqdn=`hostname -f`
3665-verbose=
3666-noprompt=
3667-if [ -z "$myfqdn" ]; then
3668- myfqdn="localhost"
3669-fi
3670-distro=`distro_guess`
3671-${distro}_setup
3672-
3673-while [ -n "$1" ]; do
3674- case "$1" in
3675- -h | --help)
3676- usage
3677- exit 1
3678- ;;
3679- -v)
3680- verbose=1
3681- shift
3682- ;;
3683- -d)
3684- shift
3685- if [ -n "$1" -a "${1##-}" != "${1}" -o -z "${1}" ]; then
3686- echo "Error, -d requires an argument"
3687- exit 1
3688- fi
3689- mydomain="$1"
3690- shift
3691- ;;
3692- -p)
3693- shift
3694- if [ -n "$1" -a "${1##-}" != "${1}" -o -z "${1}" ]; then
3695- echo "Error, -p requires an argument"
3696- exit 1
3697- fi
3698- mypass="$1"
3699- shift
3700- ;;
3701- -y)
3702- noprompt=1
3703- shift
3704- ;;
3705- esac
3706-done
3707-
3708-echo_v
3709-echo_v "Running in verbose mode"
3710-echo_v
3711-
3712-
3713-# testing
3714-echo "Testing administrative access to local ldap server"
3715-test_auth
3716-if [ "$?" -eq "0" ]; then
3717- echo "Success!"
3718-else
3719- echo "FAILURE!"
3720- echo "Command \"$LDAPWHOAMI\" failed"
3721- exit 1
3722-fi
3723-
3724-if [ -z "$mydomain" ]; then
3725- mydomain=`detect_domain`
3726- if [ -z "$noprompt" ]; then
3727- echo "Please enter your DNS domain name [$mydomain]:"
3728- read inputdomain
3729- if [ -n "$inputdomain" ]; then
3730- mydomain="$inputdomain"
3731- fi
3732- fi
3733-fi
3734-mysuffix=`calc_suffix $mydomain`
3735-
3736-if [ -z "$mypass" ]; then
3737- get_admin_password
3738-else
3739- pass="$mypass"
3740-fi
3741-
3742-# confirmation
3743-echo
3744-echo
3745-echo "Summary"
3746-echo "======="
3747-echo
3748-echo "Domain: $mydomain"
3749-echo "LDAP suffix: $mysuffix"
3750-echo "Administrator: uid=LDAP Admin,ou=System Accounts,$mysuffix"
3751-echo
3752-if [ -z "$noprompt" ]; then
3753- echo "Confirm? (Y/n)"
3754- read val
3755- if [ "$val" = "n" -o "$val" = "N" ]; then
3756- echo
3757- echo "Cancelled."
3758- exit 1
3759- fi
3760-fi
3761-
3762-# steps:
3763-# - add modules
3764-# - add schema
3765-# - add db + its acls
3766-# - modify frontend acls
3767-# - modify config acls
3768-# - add overlays
3769-# - populate db
3770-# - set password for admin
3771-
3772-add_modules
3773-check_result $?
3774-
3775-add_schemas
3776-check_result $?
3777-
3778-add_db
3779-check_result $?
3780-
3781-modify_acls
3782-check_result $?
3783-
3784-add_overlays
3785-check_result $?
3786-
3787-populate_db
3788-check_result $?
3789-
3790-set_admin_password
3791-check_result $?
3792-
3793-echo
3794-echo "Finished, doing one last restart..."
3795-/etc/init.d/slapd restart
3796-check_result $?
3797-
3798-echo
3799-echo "Done, enjoy!"
3800-echo
3801-echo "Remember: this is your administrator bind dn:"
3802-echo "uid=LDAP Admin,ou=System Accounts,$mysuffix"
3803-echo
3804-echo "You can use it in double quotes in the command line, like:"
3805-echo "ldapwhoami -x -D \"uid=LDAP Admin,ou=System Accounts,$mysuffix\" -W "
3806-echo
3807-
3808-
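Review bot: two things in the removed script should survive in whatever replaces it under debian/. The pre-flight checks (root, required packages via `dpkg -l`, and `test_auth` verifying that `ldapwhoami -H ldapi:/// -Y EXTERNAL` maps to `dn:cn=localroot,cn=config`) are the only guard against feeding these LDIFs to the wrong server. And the weakness the script flags itself, `# XXX - password will show up briefly in the command line and process list` above `$LDAPPASSWD -s "$pass"`, should be fixed rather than carried over: `ldappasswd -T <file>` with a mode-0600 temporary file, or `-S` to prompt, keeps the admin password out of the process list.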
3809
3810=== removed directory 'overlays'
3811=== removed file 'overlays/1_add-ppolicy-overlay.ldif'
3812--- overlays/1_add-ppolicy-overlay.ldif 2009-12-02 19:40:56 +0000
3813+++ overlays/1_add-ppolicy-overlay.ldif 1970-01-01 00:00:00 +0000
3814@@ -1,6 +0,0 @@
3815-dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
3816-objectClass: olcOverlayConfig
3817-objectClass: olcPPolicyConfig
3818-olcOverlay: ppolicy
3819-olcPPolicyDefault: cn=default,ou=password policies,@SUFFIX@
3820-
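Review bot: nothing visible in this part of the diff re-adds the ppolicy overlay, so `cn=default,ou=password policies,@SUFFIX@` may be left as an entry nothing enforces. Two things depend on the overlay: lockout and expiry enforcement for the users-and-groups component, and the `attrs=sambaPasswordHistory,pwdHistory` ACL in samba/samba-acl.ldif, because `pwdHistory` comes from the ppolicy schema, which in OpenLDAP 2.4 is registered by the overlay module itself; with ppolicy not loaded, slapd should be expected to reject that ACL for naming an unknown attribute. If the overlay was dropped on purpose, say so in debian/changelog; otherwise it belongs in core/ beside the policy entries.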
3821
3822=== removed file 'overlays/2_add-unique-overlay.ldif'
3823--- overlays/2_add-unique-overlay.ldif 2009-12-02 19:40:56 +0000
3824+++ overlays/2_add-unique-overlay.ldif 1970-01-01 00:00:00 +0000
3825@@ -1,11 +0,0 @@
3826-dn: olcOverlay=unique,olcDatabase={1}hdb,cn=config
3827-objectClass: olcUniqueConfig
3828-objectClass: olcOverlayConfig
3829-objectClass: olcConfig
3830-objectClass: top
3831-olcOverlay: unique
3832-olcUniqueURI: ldap:///ou=People,@SUFFIX@?uidNumber
3833- ?one?(objectClass=posixAccount)
3834-olcUniqueURI: ldap:///ou=Group,@SUFFIX@?gidNumber?one?(objectClass=po
3835- sixGroup)
3836-
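Review bot: the unique overlay (uidNumber under ou=People, gidNumber under ou=Group) is removed here with no replacement visible in this part of the diff, unlike syncprov, which reappears under replication/. Without it two posixAccount entries can share a uidNumber, a security-relevant regression for a directory that feeds NSS and PAM; if the overlay is meant to move with the users-and-groups component, it should appear there, and debian/changelog should record the change either way.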
3837
3838=== removed file 'overlays/3_add-syncprov-overlay.ldif'
3839--- overlays/3_add-syncprov-overlay.ldif 2009-12-02 19:40:56 +0000
3840+++ overlays/3_add-syncprov-overlay.ldif 1970-01-01 00:00:00 +0000
3841@@ -1,9 +0,0 @@
3842-dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
3843-objectClass: olcSyncProvConfig
3844-objectClass: olcOverlayConfig
3845-objectClass: olcConfig
3846-objectClass: top
3847-olcOverlay: syncprov
3848-olcSpCheckpoint: 100 10
3849-olcSpSessionlog: 100
3850-
3851
3852=== removed file 'overlays/4_add-refint-overlay.ldif'
3853--- overlays/4_add-refint-overlay.ldif 2009-12-02 19:40:56 +0000
3854+++ overlays/4_add-refint-overlay.ldif 1970-01-01 00:00:00 +0000
3855@@ -1,10 +0,0 @@
3856-dn: olcOverlay=refint,olcDatabase={1}hdb,cn=config
3857-olcOverlay: refint
3858-objectClass: olcConfig
3859-objectClass: olcOverlayConfig
3860-objectClass: olcRefintConfig
3861-olcRefintAttribute: member
3862-olcRefintAttribute: krbObjectReferences
3863-olcRefintAttribute: krbPwdPolicyReference
3864-olcRefintNothing: cn=localroot,cn=config
3865-
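Review bot: the removed refint configuration covers `member` as well as the two krb* attributes, and `member` is what keeps the `groupOfMembers` groups used throughout this DIT (LDAP Admins, Account Admins, LDAP Replicators) from holding dangling DNs after an entry is deleted or renamed. If refint is being moved into the mit-kerberos component, as the krb* attributes suggest, installs without Kerberos lose that cleanup; keep a `member`-only refint overlay in core/ and have mit-kerberos add its attributes with `changetype: modify` and `add: olcRefintAttribute`.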
3866
3867=== added directory 'replication'
3868=== added file 'replication/replication-acl.ldif'
3869--- replication/replication-acl.ldif 1970-01-01 00:00:00 +0000
3870+++ replication/replication-acl.ldif 2010-07-19 21:25:56 +0000
3871@@ -0,0 +1,7 @@
3872+olcAccess: {0}to dn.subtree="@SUFFIX@"
3873+ by group/groupOfMembers/member.exact="cn=ldap replicators,ou=system groups,@SUFFIX@" read
3874+ by * break
3875+
3876+olcLimits: {0}group/groupOfMembers/member="cn=ldap replicators,ou=system groups,@SUFFIX@"
3877+ size=unlimited
3878+ time=unlimited
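Review bot: this file is not a loadable LDIF record: it has no `dn:` line and no `changetype: modify` / `add:` directives, unlike monitor/acl.ldif and samba/samba-acl.ldif, so it only works if a script splices it into something else. Give it the same shape as the others, `dn: olcDatabase={1}hdb,cn=config`, `changetype: modify`, `add: olcAccess`, then a `-` separator and `add: olcLimits`. The content itself is right: inserting at `{0}` with `by * break` lets the replicator group read everything it must (password hashes included) without shadowing the ACLs that follow.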
3879
3880=== added file 'replication/replication-dit.ldif'
3881--- replication/replication-dit.ldif 1970-01-01 00:00:00 +0000
3882+++ replication/replication-dit.ldif 2010-07-19 21:25:56 +0000
3883@@ -0,0 +1,14 @@
3884+dn: uid=LDAP Replicator,ou=System Accounts,@SUFFIX@
3885+uid: LDAP Replicator
3886+objectClass: account
3887+objectClass: simpleSecurityObject
3888+userPassword: {CRYPT}x
3889+description: Account used by consumer servers for replication
3890+
3891+dn: cn=LDAP Replicators,ou=System Groups,@SUFFIX@
3892+cn: LDAP Replicators
3893+objectClass: groupOfMembers
3894+description: Members can be used for syncrepl replication
3895+owner: uid=LDAP Replicator,ou=System Accounts,@SUFFIX@
3896+member: uid=LDAP Replicator,ou=System Accounts,@SUFFIX@
3897+
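Review bot: `userPassword: {CRYPT}x` is a deliberately unmatchable hash, so this account cannot bind until something sets a real password; the maintainer scripts need to do that, or the README must tell the admin to, before a consumer's syncrepl `binddn=` for it will work. Because replication-acl.ldif gives this identity read on the whole suffix, userPassword and the samba hashes included, the same documentation should require consumers to use `ldaps://` or `starttls=critical` in their syncrepl stanza.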
3898
3899=== added file 'replication/replication-modules.ldif'
3900--- replication/replication-modules.ldif 1970-01-01 00:00:00 +0000
3901+++ replication/replication-modules.ldif 2010-07-19 21:25:56 +0000
3902@@ -0,0 +1,4 @@
3903+dn: cn=module,cn=config
3904+changetype: add
3905+add: olcModuleLoad
3906+olcModuleLoad: syncprov.la
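Review bot: `changetype: add` combined with `add: olcModuleLoad` is invalid LDIF, since the `add:` directive is only meaningful under `changetype: modify`, and `cn=module,cn=config` already exists once any module is loaded, so an add would fail with "Already exists" regardless. Use the form monitor/modules.ldif uses: `changetype: modify`, `add: olcModuleLoad`, `olcModuleLoad: syncprov.la`.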
3907
3908=== added file 'replication/syncprov-overlay.ldif'
3909--- replication/syncprov-overlay.ldif 1970-01-01 00:00:00 +0000
3910+++ replication/syncprov-overlay.ldif 2010-07-19 21:25:56 +0000
3911@@ -0,0 +1,9 @@
3912+dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
3913+objectClass: olcSyncProvConfig
3914+objectClass: olcOverlayConfig
3915+objectClass: olcConfig
3916+objectClass: top
3917+olcOverlay: syncprov
3918+olcSpCheckpoint: 100 10
3919+olcSpSessionlog: 100
3920+
3921
3922=== added directory 'samba'
3923=== added file 'samba/samba-acl.ldif'
3924--- samba/samba-acl.ldif 1970-01-01 00:00:00 +0000
3925+++ samba/samba-acl.ldif 2010-07-19 21:25:56 +0000
3926@@ -0,0 +1,47 @@
3927+dn: olcDatabase={1}hdb,cn=config
3928+changetype: modify
3929+add: olcDbIndex
3930+olcDbIndex: sambaDomainName eq
3931+-
3932+add: olcDbIndex
3933+olcDbIndex: sambaSID eq,sub
3934+-
3935+add: olcDbIndex
3936+olcDbIndex: sambaGroupType eq
3937+-
3938+add: olcDbIndex
3939+olcDbIndex: sambaSIDList eq
3940+-
3941+delete: olcAccess
3942+olcAccess: to dn.subtree="@SUFFIX@" by * read
3943+-
3944+add: olcAccess
3945+olcAccess: to dn.subtree="@SUFFIX@"
3946+ attrs=sambaLMPassword,sambaNTPassword
3947+ by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write
3948+ by anonymous auth
3949+ by self write
3950+ by * none
3951+-
3952+add: olcAccess
3953+olcAccess: to dn.subtree="@SUFFIX@"
3954+ attrs=sambaPasswordHistory,pwdHistory
3955+ by self read
3956+ by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write
3957+ by * none
3958+-
3959+add: olcAccess
3960+olcAccess: to dn.regex="^(sambaDomainName=[^,]+,)?@SUFFIX@$"
3961+ attrs=children,entry,@sambaDomain,@sambaUnixIdPool
3962+ by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write
3963+ by * read
3964+-
3965+add: olcAccess
3966+olcAccess: to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,@SUFFIX@$"
3967+ attrs=children,entry,@sambaIdmapEntry
3968+ by group/groupOfMembers/member.exact="cn=account admins,ou=system groups,@SUFFIX@" write
3969+ by group/groupOfMembers/member.exact="cn=idmap admins,ou=system groups,@SUFFIX@" write
3970+ by * read
3971+-
3972+add: olcAccess
3973+olcAccess: to dn.subtree="@SUFFIX@" by * read
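Review bot: in the `attrs=sambaPasswordHistory,pwdHistory` directive, `by self read` precedes the account-admins `write` clause; `by` clauses are first-match, so an account admin editing their own entry is limited to read, the opposite of the ordering the other directives in this hunk use. Put the group clause first. Also, `delete: olcAccess` with the literal `to dn.subtree="@SUFFIX@" by * read` only succeeds if that exact value is present on `olcDatabase={1}hdb`; since everything in this hunk is one modify operation, a mismatch leaves none of the samba indexes or ACLs applied, so the catch-all ACL the core component installs must match this line exactly.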
3974
3975=== added file 'samba/samba-dit.ldif'
3976--- samba/samba-dit.ldif 1970-01-01 00:00:00 +0000
3977+++ samba/samba-dit.ldif 2010-07-19 21:25:56 +0000
3978@@ -0,0 +1,19 @@
3979+dn: ou=Idmap,@SUFFIX@
3980+ou: Idmap
3981+objectClass: organizationalUnit
3982+description: Container for Samba Winbind ID mappings
3983+
3984+dn: uid=Idmap Admin,ou=System Accounts,@SUFFIX@
3985+uid: Idmap Admin
3986+objectClass: account
3987+objectClass: simpleSecurityObject
3988+userPassword: {CRYPT}x
3989+description: Account used to administer Samba Winbind ID mapping related entries and attributes
3990+
3991+dn: cn=Idmap Admins,ou=System Groups,@SUFFIX@
3992+cn: Idmap Admins
3993+objectClass: groupOfMembers
3994+description: Members can administer ou=Idmap entries and attributes
3995+owner: uid=Idmap Admin,ou=System Accounts,@SUFFIX@
3996+member: uid=Idmap Admin,ou=System Accounts,@SUFFIX@
3997+
3998
3999=== added file 'samba/samba-schema.ldif'
4000--- samba/samba-schema.ldif 1970-01-01 00:00:00 +0000
4001+++ samba/samba-schema.ldif 2010-07-19 21:25:56 +0000
4002@@ -0,0 +1,175 @@
4003+dn: cn=samba,cn=schema,cn=config
4004+objectClass: olcSchemaConfig
4005+cn: samba
4006+olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'L
4007+ anManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1
4008+ 21.1.26{32} SINGLE-VALUE )
4009+olcAttributeTypes: {1}( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'M
4010+ D4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4
4011+ .1.1466.115.121.1.26{32} SINGLE-VALUE )
4012+olcAttributeTypes: {2}( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Ac
4013+ count Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
4014+ {16} SINGLE-VALUE )
4015+olcAttributeTypes: {3}( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'T
4016+ imestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.1.4.
4017+ 1.1466.115.121.1.27 SINGLE-VALUE )
4018+olcAttributeTypes: {4}( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC
4019+ 'Timestamp of when the user is allowed to update the password' EQUALITY integ
4020+ erMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4021+olcAttributeTypes: {5}( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DESC
4022+ 'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1.
4023+ 3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4024+olcAttributeTypes: {6}( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'Ti
4025+ mestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
4026+ 1.27 SINGLE-VALUE )
4027+olcAttributeTypes: {7}( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'T
4028+ imestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.12
4029+ 1.1.27 SINGLE-VALUE )
4030+olcAttributeTypes: {8}( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC '
4031+ Timestamp of when the user will be logged off automatically' EQUALITY integer
4032+ Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4033+olcAttributeTypes: {9}( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' D
4034+ ESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.146
4035+ 6.115.121.1.27 SINGLE-VALUE )
4036+olcAttributeTypes: {10}( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' D
4037+ ESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.
4038+ 6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4039+olcAttributeTypes: {11}( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC '
4040+ Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
4041+ {42} SINGLE-VALUE )
4042+olcAttributeTypes: {12}( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'D
4043+ river letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTAX 1.
4044+ 3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
4045+olcAttributeTypes: {13}( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC
4046+ 'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
4047+ 1.15{255} SINGLE-VALUE )
4048+olcAttributeTypes: {14}( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC
4049+ 'Roaming profile path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.1
4050+ 21.1.15{255} SINGLE-VALUE )
4051+olcAttributeTypes: {15}( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations'
4052+ DESC 'List of user workstations the user is allowed to logon to' EQUALITY cas
4053+ eIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
4054+olcAttributeTypes: {16}( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Ho
4055+ me directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.1
4056+ 21.1.15{128} )
4057+olcAttributeTypes: {17}( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC '
4058+ Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX
4059+ 1.3.6.1.4.1.1466.115.121.1.15{128} )
4060+olcAttributeTypes: {18}( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC '
4061+ Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1.
4062+ 4.1.1466.115.121.1.15{1050} )
4063+olcAttributeTypes: {19}( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' D
4064+ ESC 'Concatenated MD4 hashes of the unicode passwords used on this account' E
4065+ QUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
4066+olcAttributeTypes: {20}( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Securit
4067+ y ID' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1
4068+ .3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
4069+olcAttributeTypes: {21}( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' D
4070+ ESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.
4071+ 1.1466.115.121.1.26{64} SINGLE-VALUE )
4072+olcAttributeTypes: {22}( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'Sec
4073+ urity ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
4074+ 26{64} )
4075+olcAttributeTypes: {23}( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'N
4076+ T Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SING
4077+ LE-VALUE )
4078+olcAttributeTypes: {24}( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC
4079+ 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.
4080+ 1466.115.121.1.27 SINGLE-VALUE )
4081+olcAttributeTypes: {25}( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC
4082+ 'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4.
4083+ 1.1466.115.121.1.27 SINGLE-VALUE )
4084+olcAttributeTypes: {26}( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Nex
4085+ t NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1
4086+ 466.115.121.1.27 SINGLE-VALUE )
4087+olcAttributeTypes: {27}( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase
4088+ ' DESC 'Base at which the samba RID generation algorithm should operate' EQUA
4089+ LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4090+olcAttributeTypes: {28}( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC 'S
4091+ hare Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SING
4092+ LE-VALUE )
4093+olcAttributeTypes: {29}( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC '
4094+ Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX
4095+ 1.3.6.1.4.1.1466.115.121.1.15{256} )
4096+olcAttributeTypes: {30}( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' DESC '
4097+ A boolean option' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 S
4098+ INGLE-VALUE )
4099+olcAttributeTypes: {31}( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' DES
4100+ C 'An integer option' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
4101+ .27 SINGLE-VALUE )
4102+olcAttributeTypes: {32}( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' DESC
4103+ 'A string option' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121
4104+ .1.26 SINGLE-VALUE )
4105+olcAttributeTypes: {33}( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption'
4106+ DESC 'A string list option' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.
4107+ 115.121.1.15 )
4108+olcAttributeTypes: {34}( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC '
4109+ Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115
4110+ .121.1.26 )
4111+olcAttributeTypes: {35}( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' DESC
4112+ 'Minimal password length (default: 5)' EQUALITY integerMatch SYNTAX 1.3.6.1.
4113+ 4.1.1466.115.121.1.27 SINGLE-VALUE )
4114+olcAttributeTypes: {36}( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength'
4115+ DESC 'Length of Password History Entries (default: 0 => off)' EQUALITY intege
4116+ rMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4117+olcAttributeTypes: {37}( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' DES
4118+ C 'Force Users to logon for password change (default: 0 => off, 2 => on)' EQU
4119+ ALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4120+olcAttributeTypes: {38}( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC 'M
4121+ aximum password age, in seconds (default: -1 => never expire passwords)' EQUA
4122+ LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4123+olcAttributeTypes: {39}( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC 'M
4124+ inimum password age, in seconds (default: 0 => allow immediate password chang
4125+ e)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4126+olcAttributeTypes: {40}( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' D
4127+ ESC 'Lockout duration in minutes (default: 30, -1 => forever)' EQUALITY integ
4128+ erMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4129+olcAttributeTypes: {41}( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservation
4130+ Window' DESC 'Reset time after lockout in minutes (default: 30)' EQUALITY int
4131+ egerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4132+olcAttributeTypes: {42}( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold'
4133+ DESC 'Lockout users after bad logon attempts (default: 0 => off)' EQUALITY in
4134+ tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4135+olcAttributeTypes: {43}( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DESC
4136+ 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUALITY
4137+ integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4138+olcAttributeTypes: {44}( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdCh
4139+ ange' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY inte
4140+ gerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4141+olcObjectClasses: {0}( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'Sam
4142+ ba 3.0 Auxilary SAM Account' SUP top AUXILIARY MUST ( uid $ sambaSID ) MAY (
4143+ cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ s
4144+ ambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $
4145+ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScr
4146+ ipt $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGr
4147+ oupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBad
4148+ PasswordTime $ sambaPasswordHistory $ sambaLogonHours ) )
4149+olcObjectClasses: {1}( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' DESC 'S
4150+ amba Group Mapping' SUP top AUXILIARY MUST ( gidNumber $ sambaSID $ sambaGrou
4151+ pType ) MAY ( displayName $ description $ sambaSIDList ) )
4152+olcObjectClasses: {2}( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' DESC
4153+ 'Samba Trust Password' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaNTPas
4154+ sword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet ) )
4155+olcObjectClasses: {3}( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' DESC 'Samba D
4156+ omain Information' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID ) MAY
4157+ ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidB
4158+ ase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaM
4159+ axPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWin
4160+ dow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange
4161+ ) )
4162+olcObjectClasses: {4}( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' DESC 'Poo
4163+ l for allocating UNIX uids/gids' SUP top AUXILIARY MUST ( uidNumber $ gidNumb
4164+ er ) )
4165+olcObjectClasses: {5}( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' DESC 'Map
4166+ ping from a SID to an ID' SUP top AUXILIARY MUST sambaSID MAY ( uidNumber $ g
4167+ idNumber ) )
4168+olcObjectClasses: {6}( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' DESC 'Struc
4169+ tural Class for a SID' SUP top STRUCTURAL MUST sambaSID )
4170+olcObjectClasses: {7}( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' DESC 'Samba
4171+ Configuration Section' SUP top AUXILIARY MAY description )
4172+olcObjectClasses: {8}( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' DESC 'Samba S
4173+ hare Section' SUP top STRUCTURAL MUST sambaShareName MAY description )
4174+olcObjectClasses: {9}( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' DESC '
4175+ Samba Configuration Option' SUP top STRUCTURAL MUST sambaOptionName MAY ( sam
4176+ baBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListoption
4177+ $ description ) )
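Review bot: this schema copy carries no provenance or license header, whereas the removed schemas/cosine.ldif kept the upstream `$OpenLDAP:` line and license block. The `DESC 'Samba 3.0 Auxilary SAM Account'` string points at the 3.0-era samba.schema; add a leading comment naming the Samba version and file it was converted from, and make sure debian/copyright covers it.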
4178
4179=== removed directory 'schemas'
4180=== removed file 'schemas/autofs.ldif'
4181--- schemas/autofs.ldif 2009-09-11 14:25:59 +0000
4182+++ schemas/autofs.ldif 1970-01-01 00:00:00 +0000
4183@@ -1,11 +0,0 @@
4184-dn: cn=autofs,cn=schema,cn=config
4185-objectClass: olcSchemaConfig
4186-cn: autofs
4187-olcAttributeTypes: {0}( 1.3.6.1.1.1.1.25 NAME 'automountInformation' DESC 'Inf
4188- ormation used by the autofs automounter' EQUALITY caseExactIA5Match SYNTAX 1.
4189- 3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4190-olcObjectClasses: {0}( 1.3.6.1.1.1.1.13 NAME 'automount' DESC 'An entry in an
4191- automounter map' SUP top STRUCTURAL MUST ( cn $ automountInformation ) MAY de
4192- scription )
4193-olcObjectClasses: {1}( 1.3.6.1.4.1.2312.4.2.2 NAME 'automountMap' DESC 'An gro
4194- up of related automount objects' SUP top STRUCTURAL MUST ou )
4195
4196=== removed file 'schemas/cosine.ldif'
4197--- schemas/cosine.ldif 2009-09-11 14:25:59 +0000
4198+++ schemas/cosine.ldif 1970-01-01 00:00:00 +0000
4199@@ -1,200 +0,0 @@
4200-# RFC1274: Cosine and Internet X.500 schema
4201-# $OpenLDAP: pkg/ldap/servers/slapd/schema/cosine.ldif,v 1.1.2.4 2009/01/22 00:01:14 kurt Exp $
4202-## This work is part of OpenLDAP Software <http://www.openldap.org/>.
4203-##
4204-## Copyright 1998-2009 The OpenLDAP Foundation.
4205-## All rights reserved.
4206-##
4207-## Redistribution and use in source and binary forms, with or without
4208-## modification, are permitted only as authorized by the OpenLDAP
4209-## Public License.
4210-##
4211-## A copy of this license is available in the file LICENSE in the
4212-## top-level directory of the distribution or, alternatively, at
4213-## <http://www.OpenLDAP.org/license.html>.
4214-#
4215-# RFC1274: Cosine and Internet X.500 schema
4216-#
4217-# This file contains LDAPv3 schema derived from X.500 COSINE "pilot"
4218-# schema. As this schema was defined for X.500(89), some
4219-# oddities were introduced in the mapping to LDAPv3. The
4220-# mappings were based upon: draft-ietf-asid-ldapv3-attributes-03.txt
4221-# (a work in progress)
4222-#
4223-# Note: It seems that the pilot schema evolved beyond what was
4224-# described in RFC1274. However, this document attempts to describes
4225-# RFC1274 as published.
4226-#
4227-# Depends on core.ldif
4228-#
4229-# This file was automatically generated from cosine.schema; see that
4230-# file for complete background.
4231-#
4232-dn: cn=cosine,cn=schema,cn=config
4233-objectClass: olcSchemaConfig
4234-cn: cosine
4235-olcAttributeTypes: ( 0.9.2342.19200300.100.1.2 NAME 'textEncodedORAddress'
4236- EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.
4237- 1466.115.121.1.15{256} )
4238-olcAttributeTypes: ( 0.9.2342.19200300.100.1.4 NAME 'info' DESC 'RFC1274: g
4239- eneral information' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
4240- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{2048} )
4241-olcAttributeTypes: ( 0.9.2342.19200300.100.1.5 NAME ( 'drink' 'favouriteDri
4242- nk' ) DESC 'RFC1274: favorite drink' EQUALITY caseIgnoreMatch SUBSTR caseIgno
4243- reSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
4244-olcAttributeTypes: ( 0.9.2342.19200300.100.1.6 NAME 'roomNumber' DESC 'RFC1
4245- 274: room number' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch S
4246- YNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
4247-olcAttributeTypes: ( 0.9.2342.19200300.100.1.7 NAME 'photo' DESC 'RFC1274:
4248- photo (G3 fax)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.23{25000} )
4249-olcAttributeTypes: ( 0.9.2342.19200300.100.1.8 NAME 'userClass' DESC 'RFC12
4250- 74: category of user' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMat
4251- ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
4252-olcAttributeTypes: ( 0.9.2342.19200300.100.1.9 NAME 'host' DESC 'RFC1274: h
4253- ost computer' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTA
4254- X 1.3.6.1.4.1.1466.115.121.1.15{256} )
4255-olcAttributeTypes: ( 0.9.2342.19200300.100.1.10 NAME 'manager' DESC 'RFC127
4256- 4: DN of manager' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115
4257- .121.1.12 )
4258-olcAttributeTypes: ( 0.9.2342.19200300.100.1.11 NAME 'documentIdentifier' D
4259- ESC 'RFC1274: unique identifier of document' EQUALITY caseIgnoreMatch SUBSTR
4260- caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
4261-olcAttributeTypes: ( 0.9.2342.19200300.100.1.12 NAME 'documentTitle' DESC '
4262- RFC1274: title of document' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstri
4263- ngsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
4264-olcAttributeTypes: ( 0.9.2342.19200300.100.1.13 NAME 'documentVersion' DES
4265- C 'RFC1274: version of document' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSu
4266- bstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
4267-olcAttributeTypes: ( 0.9.2342.19200300.100.1.14 NAME 'documentAuthor' DESC
4268- 'RFC1274: DN of author of document' EQUALITY distinguishedNameMatch SYNTAX 1
4269- .3.6.1.4.1.1466.115.121.1.12 )
4270-olcAttributeTypes: ( 0.9.2342.19200300.100.1.15 NAME 'documentLocation' DE
4271- SC 'RFC1274: location of document original' EQUALITY caseIgnoreMatch SUBSTR c
4272- aseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
4273-olcAttributeTypes: ( 0.9.2342.19200300.100.1.20 NAME ( 'homePhone' 'homeTe
4274- lephoneNumber' ) DESC 'RFC1274: home telephone number' EQUALITY telephoneNumb
4275- erMatch SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121
4276- .1.50 )
4277-olcAttributeTypes: ( 0.9.2342.19200300.100.1.21 NAME 'secretary' DESC 'RFC
4278- 1274: DN of secretary' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.146
4279- 6.115.121.1.12 )
4280-olcAttributeTypes: ( 0.9.2342.19200300.100.1.22 NAME 'otherMailbox' SYNTAX
4281- 1.3.6.1.4.1.1466.115.121.1.39 )
4282-olcAttributeTypes: ( 0.9.2342.19200300.100.1.26 NAME 'aRecord' EQUALITY ca
4283- seIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4284-olcAttributeTypes: ( 0.9.2342.19200300.100.1.27 NAME 'mDRecord' EQUALITY c
4285- aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4286-olcAttributeTypes: ( 0.9.2342.19200300.100.1.28 NAME 'mXRecord' EQUALITY c
4287- aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4288-olcAttributeTypes: ( 0.9.2342.19200300.100.1.29 NAME 'nSRecord' EQUALITY c
4289- aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4290-olcAttributeTypes: ( 0.9.2342.19200300.100.1.30 NAME 'sOARecord' EQUALITY
4291- caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4292-olcAttributeTypes: ( 0.9.2342.19200300.100.1.31 NAME 'cNAMERecord' EQUALIT
4293- Y caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4294-olcAttributeTypes: ( 0.9.2342.19200300.100.1.38 NAME 'associatedName' DESC
4295- 'RFC1274: DN of entry associated with domain' EQUALITY distinguishedNameMatc
4296- h SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
4297-olcAttributeTypes: ( 0.9.2342.19200300.100.1.39 NAME 'homePostalAddress' D
4298- ESC 'RFC1274: home postal address' EQUALITY caseIgnoreListMatch SUBSTR caseIg
4299- noreListSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
4300-olcAttributeTypes: ( 0.9.2342.19200300.100.1.40 NAME 'personalTitle' DESC
4301- 'RFC1274: personal title' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstring
4302- sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
4303-olcAttributeTypes: ( 0.9.2342.19200300.100.1.41 NAME ( 'mobile' 'mobileTel
4304- ephoneNumber' ) DESC 'RFC1274: mobile telephone number' EQUALITY telephoneNum
4305- berMatch SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.12
4306- 1.1.50 )
4307-olcAttributeTypes: ( 0.9.2342.19200300.100.1.42 NAME ( 'pager' 'pagerTelep
4308- honeNumber' ) DESC 'RFC1274: pager telephone number' EQUALITY telephoneNumber
4309- Match SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
4310- .50 )
4311-olcAttributeTypes: ( 0.9.2342.19200300.100.1.43 NAME ( 'co' 'friendlyCount
4312- ryName' ) DESC 'RFC1274: friendly country name' EQUALITY caseIgnoreMatch SUBS
4313- TR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4314-olcAttributeTypes: ( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier' DE
4315- SC 'RFC1274: unique identifer' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.14
4316- 66.115.121.1.15{256} )
4317-olcAttributeTypes: ( 0.9.2342.19200300.100.1.45 NAME 'organizationalStatus
4318- ' DESC 'RFC1274: organizational status' EQUALITY caseIgnoreMatch SUBSTR caseI
4319- gnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
4320-olcAttributeTypes: ( 0.9.2342.19200300.100.1.46 NAME 'janetMailbox' DESC '
4321- RFC1274: Janet mailbox' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subst
4322- ringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
4323-olcAttributeTypes: ( 0.9.2342.19200300.100.1.47 NAME 'mailPreferenceOption
4324- ' DESC 'RFC1274: mail preference option' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
4325- )
4326-olcAttributeTypes: ( 0.9.2342.19200300.100.1.48 NAME 'buildingName' DESC '
4327- RFC1274: name of building' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstrin
4328- gsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
4329-olcAttributeTypes: ( 0.9.2342.19200300.100.1.49 NAME 'dSAQuality' DESC 'RF
4330- C1274: DSA Quality' SYNTAX 1.3.6.1.4.1.1466.115.121.1.19 SINGLE-VALUE )
4331-olcAttributeTypes: ( 0.9.2342.19200300.100.1.50 NAME 'singleLevelQuality'
4332- DESC 'RFC1274: Single Level Quality' SYNTAX 1.3.6.1.4.1.1466.115.121.1.13 SIN
4333- GLE-VALUE )
4334-olcAttributeTypes: ( 0.9.2342.19200300.100.1.51 NAME 'subtreeMinimumQualit
4335- y' DESC 'RFC1274: Subtree Mininum Quality' SYNTAX 1.3.6.1.4.1.1466.115.121.1.
4336- 13 SINGLE-VALUE )
4337-olcAttributeTypes: ( 0.9.2342.19200300.100.1.52 NAME 'subtreeMaximumQualit
4338- y' DESC 'RFC1274: Subtree Maximun Quality' SYNTAX 1.3.6.1.4.1.1466.115.121.1.
4339- 13 SINGLE-VALUE )
4340-olcAttributeTypes: ( 0.9.2342.19200300.100.1.53 NAME 'personalSignature' D
4341- ESC 'RFC1274: Personal Signature (G3 fax)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.
4342- 23 )
4343-olcAttributeTypes: ( 0.9.2342.19200300.100.1.54 NAME 'dITRedirect' DESC 'R
4344- FC1274: DIT Redirect' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466
4345- .115.121.1.12 )
4346-olcAttributeTypes: ( 0.9.2342.19200300.100.1.55 NAME 'audio' DESC 'RFC1274
4347- : audio (u-law)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.4{25000} )
4348-olcAttributeTypes: ( 0.9.2342.19200300.100.1.56 NAME 'documentPublisher' D
4349- ESC 'RFC1274: publisher of document' EQUALITY caseIgnoreMatch SUBSTR caseIgno
4350- reSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4351-olcObjectClasses: ( 0.9.2342.19200300.100.4.4 NAME ( 'pilotPerson' 'newPilo
4352- tPerson' ) SUP person STRUCTURAL MAY ( userid $ textEncodedORAddress $ rfc822
4353- Mailbox $ favouriteDrink $ roomNumber $ userClass $ homeTelephoneNumber $ hom
4354- ePostalAddress $ secretary $ personalTitle $ preferredDeliveryMethod $ busine
4355- ssCategory $ janetMailbox $ otherMailbox $ mobileTelephoneNumber $ pagerTelep
4356- honeNumber $ organizationalStatus $ mailPreferenceOption $ personalSignature
4357- ) )
4358-olcObjectClasses: ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCT
4359- URAL MUST userid MAY ( description $ seeAlso $ localityName $ organizationNam
4360- e $ organizationalUnitName $ host ) )
4361-olcObjectClasses: ( 0.9.2342.19200300.100.4.6 NAME 'document' SUP top STRUC
4362- TURAL MUST documentIdentifier MAY ( commonName $ description $ seeAlso $ loca
4363- lityName $ organizationName $ organizationalUnitName $ documentTitle $ docume
4364- ntVersion $ documentAuthor $ documentLocation $ documentPublisher ) )
4365-olcObjectClasses: ( 0.9.2342.19200300.100.4.7 NAME 'room' SUP top STRUCTURA
4366- L MUST commonName MAY ( roomNumber $ description $ seeAlso $ telephoneNumber
4367- ) )
4368-olcObjectClasses: ( 0.9.2342.19200300.100.4.9 NAME 'documentSeries' SUP top
4369- STRUCTURAL MUST commonName MAY ( description $ seeAlso $ telephonenumber $ l
4370- ocalityName $ organizationName $ organizationalUnitName ) )
4371-olcObjectClasses: ( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCT
4372- URAL MUST domainComponent MAY ( associatedName $ organizationName $ descripti
4373- on $ businessCategory $ seeAlso $ searchGuide $ userPassword $ localityName $
4374- stateOrProvinceName $ streetAddress $ physicalDeliveryOfficeName $ postalAdd
4375- ress $ postalCode $ postOfficeBox $ streetAddress $ facsimileTelephoneNumber
4376- $ internationalISDNNumber $ telephoneNumber $ teletexTerminalIdentifier $ tel
4377- exNumber $ preferredDeliveryMethod $ destinationIndicator $ registeredAddress
4378- $ x121Address ) )
4379-olcObjectClasses: ( 0.9.2342.19200300.100.4.14 NAME 'RFC822localPart' SUP d
4380- omain STRUCTURAL MAY ( commonName $ surname $ description $ seeAlso $ telepho
4381- neNumber $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOffi
4382- ceBox $ streetAddress $ facsimileTelephoneNumber $ internationalISDNNumber $
4383- telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ preferredDelivery
4384- Method $ destinationIndicator $ registeredAddress $ x121Address ) )
4385-olcObjectClasses: ( 0.9.2342.19200300.100.4.15 NAME 'dNSDomain' SUP domain
4386- STRUCTURAL MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAME
4387- Record ) )
4388-olcObjectClasses: ( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject' D
4389- ESC 'RFC1274: an object related to an domain' SUP top AUXILIARY MUST associat
4390- edDomain )
4391-olcObjectClasses: ( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry' SUP c
4392- ountry STRUCTURAL MUST friendlyCountryName )
4393-olcObjectClasses: ( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization' SU
4394- P ( organization $ organizationalUnit ) STRUCTURAL MAY buildingName )
4395-olcObjectClasses: ( 0.9.2342.19200300.100.4.21 NAME 'pilotDSA' SUP dsa STR
4396- UCTURAL MAY dSAQuality )
4397-olcObjectClasses: ( 0.9.2342.19200300.100.4.22 NAME 'qualityLabelledData'
4398- SUP top AUXILIARY MUST dsaQuality MAY ( subtreeMinimumQuality $ subtreeMaximu
4399- mQuality ) )
4400
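Review bot: double-loading risk at the cn=cosine,cn=schema,cn=config entry (4232): the header at 4229-4230 says this file is a generated copy of cosine.schema, and a stock slapd normally has the cosine schema loaded already, so wherever this copy is relocated the install step should search cn=schema,cn=config for an existing cosine entry and skip the add when one is found, because a second load of the same attribute OIDs is rejected. If the file is only changing directories rather than being dropped, record the change as a move so the rename history survives instead of appearing as a full removal and re-addition.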
4401=== removed file 'schemas/dhcp.ldif'
4402--- schemas/dhcp.ldif 2009-09-11 14:25:59 +0000
4403+++ schemas/dhcp.ldif 1970-01-01 00:00:00 +0000
4404@@ -1,224 +0,0 @@
4405-dn: cn=dhcp,cn=schema,cn=config
4406-objectClass: olcSchemaConfig
4407-cn: dhcp
4408-olcAttributeTypes: {0}( 2.16.840.1.113719.1.203.4.1 NAME 'dhcpPrimaryDN' DESC
4409- 'The DN of the dhcpServer which is the primary server for the configuration.'
4410- EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-
4411- VALUE )
4412-olcAttributeTypes: {1}( 2.16.840.1.113719.1.203.4.2 NAME 'dhcpSecondaryDN' DES
4413- C 'The DN of dhcpServer(s) which provide backup service for the configuration
4414- .' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
4415-olcAttributeTypes: {2}( 2.16.840.1.113719.1.203.4.3 NAME 'dhcpStatements' DESC
4416- 'Flexible storage for specific data depending on what object this exists in.
4417- Like conditional statements, server parameters, etc. This allows the standar
4418- d to evolve without needing to adjust the schema.' EQUALITY caseIgnoreIA5Matc
4419- h SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4420-olcAttributeTypes: {3}( 2.16.840.1.113719.1.203.4.4 NAME 'dhcpRange' DESC 'The
4421- starting & ending IP Addresses in the range (inclusive), separated by a hyph
4422- en; if the range only contains one address, then just the address can be spec
4423- ified with no hyphen. Each range is defined as a separate value.' EQUALITY c
4424- aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4425-olcAttributeTypes: {4}( 2.16.840.1.113719.1.203.4.5 NAME 'dhcpPermitList' DESC
4426- 'This attribute contains the permit lists associated with a pool. Each permi
4427- t list is defined as a separate value.' EQUALITY caseIgnoreIA5Match SYNTAX 1.
4428- 3.6.1.4.1.1466.115.121.1.26 )
4429-olcAttributeTypes: {5}( 2.16.840.1.113719.1.203.4.6 NAME 'dhcpNetMask' DESC 'T
4430- he subnet mask length for the subnet. The mask can be easily computed from t
4431- his length.' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGL
4432- E-VALUE )
4433-olcAttributeTypes: {6}( 2.16.840.1.113719.1.203.4.7 NAME 'dhcpOption' DESC 'En
4434- coded option values to be sent to clients. Each value represents a single op
4435- tion and contains (OptionTag, Length, OptionValue) encoded in the format used
4436- by DHCP.' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4437-olcAttributeTypes: {7}( 2.16.840.1.113719.1.203.4.8 NAME 'dhcpClassData' DESC
4438- 'Encoded text string or list of bytes expressed in hexadecimal, separated by
4439- colons. Clients match subclasses based on matching the class data with the r
4440- esults of match or spawn with statements in the class name declarations.' EQU
4441- ALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4442-olcAttributeTypes: {8}( 2.16.840.1.113719.1.203.4.9 NAME 'dhcpOptionsDN' DESC
4443- 'The distinguished name(s) of the dhcpOption objects containing the configura
4444- tion options provided by the server.' EQUALITY distinguishedNameMatch SYNTAX
4445- 1.3.6.1.4.1.1466.115.121.1.12 )
4446-olcAttributeTypes: {9}( 2.16.840.1.113719.1.203.4.10 NAME 'dhcpHostDN' DESC 't
4447- he distinguished name(s) of the dhcpHost objects.' EQUALITY distinguishedName
4448- Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
4449-olcAttributeTypes: {10}( 2.16.840.1.113719.1.203.4.11 NAME 'dhcpPoolDN' DESC '
4450- The distinguished name(s) of pools.' EQUALITY distinguishedNameMatch SYNTAX 1
4451- .3.6.1.4.1.1466.115.121.1.12 )
4452-olcAttributeTypes: {11}( 2.16.840.1.113719.1.203.4.12 NAME 'dhcpGroupDN' DESC
4453- 'The distinguished name(s) of the groups.' EQUALITY distinguishedNameMatch
4454- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
4455-olcAttributeTypes: {12}( 2.16.840.1.113719.1.203.4.13 NAME 'dhcpSubnetDN' DESC
4456- 'The distinguished name(s) of the subnets.' EQUALITY distinguishedNameMatch
4457- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
4458-olcAttributeTypes: {13}( 2.16.840.1.113719.1.203.4.14 NAME 'dhcpLeaseDN' DESC
4459- 'The distinguished name of a client address.' EQUALITY distinguishedNameMatch
4460- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
4461-olcAttributeTypes: {14}( 2.16.840.1.113719.1.203.4.15 NAME 'dhcpLeasesDN' DESC
4462- 'The distinguished name(s) client addresses.' EQUALITY distinguishedNameMatc
4463- h SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
4464-olcAttributeTypes: {15}( 2.16.840.1.113719.1.203.4.16 NAME 'dhcpClassesDN' DES
4465- C 'The distinguished name(s) of a class(es) in a subclass.' EQUALITY distingu
4466- ishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
4467-olcAttributeTypes: {16}( 2.16.840.1.113719.1.203.4.17 NAME 'dhcpSubclassesDN'
4468- DESC 'The distinguished name(s) of subclass(es).' EQUALITY distinguishedNameM
4469- atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
4470-olcAttributeTypes: {17}( 2.16.840.1.113719.1.203.4.18 NAME 'dhcpSharedNetworkD
4471- N' DESC 'The distinguished name(s) of sharedNetworks.' EQUALITY distinguished
4472- NameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
4473-olcAttributeTypes: {18}( 2.16.840.1.113719.1.203.4.19 NAME 'dhcpServiceDN' DES
4474- C 'The DN of dhcpService object(s)which contain the configuration information
4475- . Each dhcpServer object has this attribute identifying the DHCP configuratio
4476- n(s) that the server is associated with.' EQUALITY distinguishedNameMatch SYN
4477- TAX 1.3.6.1.4.1.1466.115.121.1.12 )
4478-olcAttributeTypes: {19}( 2.16.840.1.113719.1.203.4.20 NAME 'dhcpVersion' DESC
4479- 'The version attribute of this object.' EQUALITY caseIgnoreIA5Match SYNTAX 1.
4480- 3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4481-olcAttributeTypes: {20}( 2.16.840.1.113719.1.203.4.21 NAME 'dhcpImplementation
4482- ' DESC 'Description of the DHCP Server implementation e.g. DHCP Servers vendo
4483- r.' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-V
4484- ALUE )
4485-olcAttributeTypes: {21}( 2.16.840.1.113719.1.203.4.22 NAME 'dhcpAddressState'
4486- DESC 'This stores information about the current binding-status of an address.
4487- For dynamic addresses managed by DHCP, the values should be restricted to t
4488- he following: "FREE", "ACTIVE", "EXPIRED", "RELEASED", "RESET", "ABANDONED",
4489- "BACKUP". For other addresses, it SHOULD be one of the following: "UNKNOWN",
4490- "RESERVED" (an address that is managed by DHCP that is reserved for a specif
4491- ic client), "RESERVED-ACTIVE" (same as reserved, but address is currently in
4492- use), "ASSIGNED" (assigned manually or by some other mechanism), "UNASSIGNED"
4493- , "NOTASSIGNABLE".' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1
4494- 21.1.26 SINGLE-VALUE )
4495-olcAttributeTypes: {22}( 2.16.840.1.113719.1.203.4.23 NAME 'dhcpExpirationTime
4496- ' DESC 'This is the time the current lease for an address expires.' EQUALITY
4497- generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
4498-olcAttributeTypes: {23}( 2.16.840.1.113719.1.203.4.24 NAME 'dhcpStartTimeOfSta
4499- te' DESC 'This is the time of the last state change for a leased address.' EQ
4500- UALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE
4501- )
4502-olcAttributeTypes: {24}( 2.16.840.1.113719.1.203.4.25 NAME 'dhcpLastTransactio
4503- nTime' DESC 'This is the last time a valid DHCP packet was received from the
4504- client.' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 S
4505- INGLE-VALUE )
4506-olcAttributeTypes: {25}( 2.16.840.1.113719.1.203.4.26 NAME 'dhcpBootpFlag' DES
4507- C 'This indicates whether the address was assigned via BOOTP.' EQUALITY boole
4508- anMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
4509-olcAttributeTypes: {26}( 2.16.840.1.113719.1.203.4.27 NAME 'dhcpDomainName' DE
4510- SC 'This is the name of the domain sent to the client by the server. It is e
4511- ssentially the same as the value for DHCP option 15 sent to the client, and r
4512- epresents only the domain - not the full FQDN. To obtain the full FQDN assig
4513- ned to the client you must prepend the "dhcpAssignedHostName" to this value w
4514- ith a ".".' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
4515- SINGLE-VALUE )
4516-olcAttributeTypes: {27}( 2.16.840.1.113719.1.203.4.28 NAME 'dhcpDnsStatus' DES
4517- C 'This indicates the status of updating DNS resource records on behalf of th
4518- e client by the DHCP server for this address. The value is a 16-bit bitmask.
4519- ' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4520-olcAttributeTypes: {28}( 2.16.840.1.113719.1.203.4.29 NAME 'dhcpRequestedHostN
4521- ame' DESC 'This is the hostname that was requested by the client.' EQUALITY c
4522- aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4523-olcAttributeTypes: {29}( 2.16.840.1.113719.1.203.4.30 NAME 'dhcpAssignedHostNa
4524- me' DESC 'This is the actual hostname that was assigned to a client. It may n
4525- ot be the name that was requested by the client. The fully qualified domain
4526- name can be determined by appending the value of "dhcpDomainName" (with a dot
4527- separator) to this name.' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.146
4528- 6.115.121.1.26 SINGLE-VALUE )
4529-olcAttributeTypes: {30}( 2.16.840.1.113719.1.203.4.31 NAME 'dhcpReservedForCli
4530- ent' DESC 'The distinguished name of a "dhcpClient" that an address is reserv
4531- ed for. This may not be the same as the "dhcpAssignedToClient" attribute if
4532- the address is being reassigned but the current lease has not yet expired.' E
4533- QUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VA
4534- LUE )
4535-olcAttributeTypes: {31}( 2.16.840.1.113719.1.203.4.32 NAME 'dhcpAssignedToClie
4536- nt' DESC 'This is the distinguished name of a "dhcpClient" that an address is
4537- currently assigned to. This attribute is only present in the class when the
4538- address is leased.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.
4539- 115.121.1.12 SINGLE-VALUE )
4540-olcAttributeTypes: {32}( 2.16.840.1.113719.1.203.4.33 NAME 'dhcpRelayAgentInfo
4541- ' DESC 'If the client request was received via a relay agent, this contains i
4542- nformation about the relay agent that was available from the DHCP request. T
4543- his is a hex-encoded option value.' EQUALITY octetStringMatch SYNTAX 1.3.6.1.
4544- 4.1.1466.115.121.1.40 SINGLE-VALUE )
4545-olcAttributeTypes: {33}( 2.16.840.1.113719.1.203.4.34 NAME 'dhcpHWAddress' DES
4546- C 'The clients hardware address that requested this IP address.' EQUALITY oct
4547- etStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
4548-olcAttributeTypes: {34}( 2.16.840.1.113719.1.203.4.35 NAME 'dhcpHashBucketAssi
4549- gnment' DESC 'HashBucketAssignment bit map for the DHCP Server, as defined in
4550- DHC Load Balancing Algorithm [RFC 3074].' EQUALITY octetStringMatch SYNTAX 1
4551- .3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
4552-olcAttributeTypes: {35}( 2.16.840.1.113719.1.203.4.36 NAME 'dhcpDelayedService
4553- Parameter' DESC 'Delay in seconds corresponding to Delayed Service Parameter
4554- configuration, as defined in DHC Load Balancing Algorithm [RFC 3074]. ' EQUA
4555- LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4556-olcAttributeTypes: {36}( 2.16.840.1.113719.1.203.4.37 NAME 'dhcpMaxClientLeadT
4557- ime' DESC 'Maximum Client Lead Time configuration in seconds, as defined in D
4558- HCP Failover Protocol [FAILOVR]' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.146
4559- 6.115.121.1.27 SINGLE-VALUE )
4560-olcAttributeTypes: {37}( 2.16.840.1.113719.1.203.4.38 NAME 'dhcpFailOverEndpoi
4561- ntState' DESC 'Server (Failover Endpoint) state, as defined in DHCP Failover
4562- Protocol [FAILOVR]' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1
4563- 21.1.26 SINGLE-VALUE )
4564-olcAttributeTypes: {38}( 2.16.840.1.113719.1.203.4.39 NAME 'dhcpErrorLog' DESC
4565- 'Generic error log attribute that allows logging error conditions within a d
4566- hcpService or a dhcpSubnet, like no IP addresses available for lease.' EQUALI
4567- TY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4568-olcObjectClasses: {0}( 2.16.840.1.113719.1.203.6.1 NAME 'dhcpService' DESC 'Se
4569- rvice object that represents the actual DHCP Service configuration. This is a
4570- container object.' SUP top STRUCTURAL MUST ( cn $ dhcpPrimaryDN ) MAY ( dhcp
4571- SecondaryDN $ dhcpSharedNetworkDN $ dhcpSubnetDN $ dhcpGroupDN $ dhcpHostDN $
4572- dhcpClassesDN $ dhcpOptionsDN $ dhcpStatements ) )
4573-olcObjectClasses: {1}( 2.16.840.1.113719.1.203.6.2 NAME 'dhcpSharedNetwork' DE
4574- SC 'This stores configuration information for a shared network.' SUP top STRU
4575- CTURAL MUST cn MAY ( dhcpSubnetDN $ dhcpPoolDN $ dhcpOptionsDN $ dhcpStatemen
4576- ts ) X-NDS_CONTAINMENT 'dhcpService' )
4577-olcObjectClasses: {2}( 2.16.840.1.113719.1.203.6.3 NAME 'dhcpSubnet' DESC 'Thi
4578- s class defines a subnet. This is a container object.' SUP top STRUCTURAL MUS
4579- T ( cn $ dhcpNetMask ) MAY ( dhcpRange $ dhcpPoolDN $ dhcpGroupDN $ dhcpHostD
4580- N $ dhcpClassesDN $ dhcpLeasesDN $ dhcpOptionsDN $ dhcpStatements ) X-NDS_CON
4581- TAINMENT ( 'dhcpService' 'dhcpSharedNetwork' ) )
4582-olcObjectClasses: {3}( 2.16.840.1.113719.1.203.6.4 NAME 'dhcpPool' DESC 'This
4583- stores configuration information about a pool.' SUP top STRUCTURAL MUST ( cn
4584- $ dhcpRange ) MAY ( dhcpClassesDN $ dhcpPermitList $ dhcpLeasesDN $ dhcpOptio
4585- nsDN $ dhcpStatements ) X-NDS_CONTAINMENT ( 'dhcpSubnet' 'dhcpSharedNetwork'
4586- ) )
4587-olcObjectClasses: {4}( 2.16.840.1.113719.1.203.6.5 NAME 'dhcpGroup' DESC 'Grou
4588- p object that lists host DNs and parameters. This is a container object.' SUP
4589- top STRUCTURAL MUST cn MAY ( dhcpHostDN $ dhcpOptionsDN $ dhcpStatements ) X
4590- -NDS_CONTAINMENT ( 'dhcpSubnet' 'dhcpService' ) )
4591-olcObjectClasses: {5}( 2.16.840.1.113719.1.203.6.6 NAME 'dhcpHost' DESC 'This
4592- represents information about a particular client' SUP top STRUCTURAL MUST cn
4593- MAY ( dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements ) X-NDS_CO
4594- NTAINMENT ( 'dhcpService' 'dhcpSubnet' 'dhcpGroup' ) )
4595-olcObjectClasses: {6}( 2.16.840.1.113719.1.203.6.7 NAME 'dhcpClass' DESC 'Repr
4596- esents information about a collection of related clients.' SUP top STRUCTURAL
4597- MUST cn MAY ( dhcpSubClassesDN $ dhcpOptionsDN $ dhcpStatements ) X-NDS_CONT
4598- AINMENT ( 'dhcpService' 'dhcpSubnet' ) )
4599-olcObjectClasses: {7}( 2.16.840.1.113719.1.203.6.8 NAME 'dhcpSubClass' DESC 'R
4600- epresents information about a collection of related classes.' SUP top STRUCTU
4601- RAL MUST cn MAY ( dhcpClassData $ dhcpOptionsDN $ dhcpStatements ) X-NDS_CONT
4602- AINMENT 'dhcpClass' )
4603-olcObjectClasses: {8}( 2.16.840.1.113719.1.203.6.9 NAME 'dhcpOptions' DESC 'Re
4604- presents information about a collection of options defined.' SUP top AUXILIAR
4605- Y MUST cn MAY dhcpOption X-NDS_CONTAINMENT ( 'dhcpService' 'dhcpSharedNetwork
4606- ' 'dhcpSubnet' 'dhcpPool' 'dhcpGroup' 'dhcpHost' 'dhcpClass' ) )
4607-olcObjectClasses: {9}( 2.16.840.1.113719.1.203.6.10 NAME 'dhcpLeases' DESC 'Th
4608- is class represents an IP Address, which may or may not have been leased.' SU
4609- P top STRUCTURAL MUST ( cn $ dhcpAddressState ) MAY ( dhcpExpirationTime $ dh
4610- cpStartTimeOfState $ dhcpLastTransactionTime $ dhcpBootpFlag $ dhcpDomainName
4611- $ dhcpDnsStatus $ dhcpRequestedHostName $ dhcpAssignedHostName $ dhcpReserve
4612- dForClient $ dhcpAssignedToClient $ dhcpRelayAgentInfo $ dhcpHWAddress ) X-ND
4613- S_CONTAINMENT ( 'dhcpService' 'dhcpSubnet' 'dhcpPool' ) )
4614-olcObjectClasses: {10}( 2.16.840.1.113719.1.203.6.11 NAME 'dhcpLog' DESC 'This
4615- is the object that holds past information about the IP address. The cn is th
4616- e time/date stamp when the address was assigned or released, the address stat
4617- e at the time, if the address was assigned or released.' SUP top STRUCTURAL M
4618- UST cn MAY ( dhcpAddressState $ dhcpExpirationTime $ dhcpStartTimeOfState $ d
4619- hcpLastTransactionTime $ dhcpBootpFlag $ dhcpDomainName $ dhcpDnsStatus $ dhc
4620- pRequestedHostName $ dhcpAssignedHostName $ dhcpReservedForClient $ dhcpAssig
4621- nedToClient $ dhcpRelayAgentInfo $ dhcpHWAddress $ dhcpErrorLog ) X-NDS_CONTA
4622- INMENT ( 'dhcpLeases' 'dhcpPool' 'dhcpSubnet' 'dhcpSharedNetwork' 'dhcpServic
4623- e' ) )
4624-olcObjectClasses: {11}( 2.16.840.1.113719.1.203.6.12 NAME 'dhcpServer' DESC 'D
4625- HCP Server Object' SUP top STRUCTURAL MUST ( cn $ dhcpServiceDN ) MAY ( dhcpV
4626- ersion $ dhcpImplementation $ dhcpHashBucketAssignment $ dhcpDelayedServicePa
4627- rameter $ dhcpMaxClientLeadTime $ dhcpFailOverEndpointState $ dhcpStatements
4628- ) X-NDS_CONTAINMENT ( 'o' 'ou' 'dc' ) )
4629
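Review bot: the upgrade path for this removal needs a guard: cn=dhcp,cn=schema,cn=config (4405) is a cn=config schema entry that is already present on systems which installed an earlier revision, so the maintainer script that loads the relocated copy should search for an existing dhcp entry first and skip or reuse it rather than add blindly, and since the whole 224-line schema disappears from schemas/ (@@ -1,224 +0,0 at 4404) the relocation should be recorded as a move. Note also that this schema carries client-identifying lease data (dhcpHWAddress at 4545-4547, and dhcpLeases at 4607-4613 with dhcpAssignedToClient and dhcpRelayAgentInfo), so whatever ACL restricts read access to those attributes must move together with the schema so the split does not loosen access to them.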
4630=== removed file 'schemas/dnszone.ldif'
4631--- schemas/dnszone.ldif 2009-09-11 14:25:59 +0000
4632+++ schemas/dnszone.ldif 1970-01-01 00:00:00 +0000
4633@@ -1,67 +0,0 @@
4634-dn: cn=dnszone,cn=schema,cn=config
4635-objectClass: olcSchemaConfig
4636-cn: dnszone
4637-olcAttributeTypes: {0}( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL' DESC 'An integer
4638- denoting time to live' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121
4639- .1.27 )
4640-olcAttributeTypes: {1}( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass' DESC 'The clas
4641- s of a resource record' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.1
4642- 15.121.1.26 )
4643-olcAttributeTypes: {2}( 1.3.6.1.4.1.2428.20.0.2 NAME 'zoneName' DESC 'The name
4644- of a zone, i.e. the name of the highest node in the zone' EQUALITY caseIgnor
4645- eIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121
4646- .1.26 )
4647-olcAttributeTypes: {3}( 1.3.6.1.4.1.2428.20.0.3 NAME 'relativeDomainName' DESC
4648- 'The starting labels of a domain name' EQUALITY caseIgnoreIA5Match SUBSTR ca
4649- seIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4650-olcAttributeTypes: {4}( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord' DESC 'domain
4651- name pointer, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subs
4652- tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4653-olcAttributeTypes: {5}( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord' DESC 'host
4654- information, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subst
4655- ringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4656-olcAttributeTypes: {6}( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord' DESC 'mail
4657- box or mail list information, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR ca
4658- seIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4659-olcAttributeTypes: {7}( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord' DESC 'text s
4660- tring, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMa
4661- tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4662-olcAttributeTypes: {8}( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord' DESC 'Signat
4663- ure, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatc
4664- h SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4665-olcAttributeTypes: {9}( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord' DESC 'Key, R
4666- FC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNT
4667- AX 1.3.6.1.4.1.1466.115.121.1.26 )
4668-olcAttributeTypes: {10}( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord' DESC 'IPv6
4669- address, RFC 1886' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substring
4670- sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4671-olcAttributeTypes: {11}( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord' DESC 'Locat
4672- ion, RFC 1876' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatc
4673- h SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4674-olcAttributeTypes: {12}( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord' DESC 'non-e
4675- xistant, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substrings
4676- Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4677-olcAttributeTypes: {13}( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord' DESC 'servi
4678- ce location, RFC 2782' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substr
4679- ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4680-olcAttributeTypes: {14}( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord' DESC 'Nam
4681- ing Authority Pointer, RFC 2915' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnor
4682- eIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4683-olcAttributeTypes: {15}( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord' DESC 'Key Ex
4684- change Delegation, RFC 2230' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5
4685- SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4686-olcAttributeTypes: {16}( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord' DESC 'cert
4687- ificate, RFC 2538' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substrings
4688- Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4689-olcAttributeTypes: {17}( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record' DESC 'A6 Rec
4690- ord Type, RFC 2874' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substring
4691- sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4692-olcAttributeTypes: {18}( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord' DESC 'Non
4693- -Terminal DNS Name Redirection, RFC 2672' EQUALITY caseIgnoreIA5Match SUBSTR
4694- caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4695-olcObjectClasses: {0}( 1.3.6.1.4.1.2428.20.3 NAME 'dNSZone' SUP top STRUCTURAL
4696- MUST ( zoneName $ relativeDomainName ) MAY ( DNSTTL $ DNSClass $ ARecord $ M
4697- DRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord $ PTRRecord $ HINFORe
4698- cord $ MINFORecord $ TXTRecord $ SIGRecord $ KEYRecord $ AAAARecord $ LOCReco
4699- rd $ NXTRecord $ SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $
4700- DNAMERecord ) )
4701
4702=== removed file 'schemas/dyngroup.ldif'
4703--- schemas/dyngroup.ldif 2009-09-11 14:25:59 +0000
4704+++ schemas/dyngroup.ldif 1970-01-01 00:00:00 +0000
4705@@ -1,24 +0,0 @@
4706-dn: cn=dyngroup,cn=schema,cn=config
4707-objectClass: olcSchemaConfig
4708-cn: dyngroup
4709-olcObjectIdentifier: {0}NetscapeRoot 2.16.840.1.113730
4710-olcObjectIdentifier: {1}NetscapeLDAP NetscapeRoot:3
4711-olcObjectIdentifier: {2}NetscapeLDAPattributeType NetscapeLDAP:1
4712-olcObjectIdentifier: {3}NetscapeLDAPobjectClass NetscapeLDAP:2
4713-olcObjectIdentifier: {4}OpenLDAPExp11 1.3.6.1.4.1.4203.666.11
4714-olcObjectIdentifier: {5}DynGroupBase OpenLDAPExp11:8
4715-olcObjectIdentifier: {6}DynGroupAttr DynGroupBase:1
4716-olcObjectIdentifier: {7}DynGroupOC DynGroupBase:2
4717-olcAttributeTypes: {0}( NetscapeLDAPattributeType:198 NAME 'memberURL' DESC 'I
4718- dentifies an URL associated with each member of a group. Any type of labeled
4719- URL can be used.' SUP labeledURI )
4720-olcAttributeTypes: {1}( DynGroupAttr:1 NAME 'dgIdentity' DESC 'Identity to use
4721- when processing the memberURL' SUP distinguishedName SINGLE-VALUE )
4722-olcAttributeTypes: {2}( DynGroupAttr:2 NAME 'dgAuthz' DESC 'Optional authoriza
4723- tion rules that determine who is allowed to assume the dgIdentity' EQUALITY a
4724- uthzMatch SYNTAX 1.3.6.1.4.1.4203.666.2.7 X-ORDERED 'VALUES' )
4725-olcObjectClasses: {0}( NetscapeLDAPobjectClass:33 NAME 'groupOfURLs' SUP top S
4726- TRUCTURAL MUST cn MAY ( memberURL $ businessCategory $ description $ o $ ou $
4727- owner $ seeAlso ) )
4728-olcObjectClasses: {1}( DynGroupOC:1 NAME 'dgIdentityAux' SUP top AUXILIARY MAY
4729- ( dgIdentity $ dgAuthz ) )
4730
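Review bot: removing this file drops the only definition shown of `groupOfURLs`, `memberURL`, `dgIdentity` and `dgAuthz`, which the dynlist/dyngroup machinery needs; in particular `dgAuthz` ("Optional authorization rules that determine who is allowed to assume the dgIdentity", X-ORDERED) is the control on whose identity dynamic-group expansion runs under. If the intent is to rely on the copy of this schema shipped with the slapd package rather than carry it here, say so in the changelog and add the package dependency; if dynamic groups are no longer supported by this DIT, confirm no remaining dit or overlay LDIF still references `groupOfURLs` or `memberURL`.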
4731=== removed file 'schemas/inetorgperson.ldif'
4732--- schemas/inetorgperson.ldif 2009-09-11 14:25:59 +0000
4733+++ schemas/inetorgperson.ldif 1970-01-01 00:00:00 +0000
4734@@ -1,69 +0,0 @@
4735-# InetOrgPerson (RFC2798)
4736-# $OpenLDAP: pkg/ldap/servers/slapd/schema/inetorgperson.ldif,v 1.1.2.4 2009/01/22 00:01:14 kurt Exp $
4737-## This work is part of OpenLDAP Software <http://www.openldap.org/>.
4738-##
4739-## Copyright 1998-2009 The OpenLDAP Foundation.
4740-## All rights reserved.
4741-##
4742-## Redistribution and use in source and binary forms, with or without
4743-## modification, are permitted only as authorized by the OpenLDAP
4744-## Public License.
4745-##
4746-## A copy of this license is available in the file LICENSE in the
4747-## top-level directory of the distribution or, alternatively, at
4748-## <http://www.OpenLDAP.org/license.html>.
4749-#
4750-# InetOrgPerson (RFC2798)
4751-#
4752-# Depends upon
4753-# Definition of an X.500 Attribute Type and an Object Class to Hold
4754-# Uniform Resource Identifiers (URIs) [RFC2079]
4755-# (core.ldif)
4756-#
4757-# A Summary of the X.500(96) User Schema for use with LDAPv3 [RFC2256]
4758-# (core.ldif)
4759-#
4760-# The COSINE and Internet X.500 Schema [RFC1274] (cosine.ldif)
4761-#
4762-# This file was automatically generated from inetorgperson.schema; see
4763-# that file for complete references.
4764-#
4765-dn: cn=inetorgperson,cn=schema,cn=config
4766-objectClass: olcSchemaConfig
4767-cn: inetorgperson
4768-olcAttributeTypes: ( 2.16.840.1.113730.3.1.1 NAME 'carLicense' DESC 'RFC279
4769- 8: vehicle license or registration plate' EQUALITY caseIgnoreMatch SUBSTR cas
4770- eIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4771-olcAttributeTypes: ( 2.16.840.1.113730.3.1.2 NAME 'departmentNumber' DESC '
4772- RFC2798: identifies a department within an organization' EQUALITY caseIgnoreM
4773- atch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4774-olcAttributeTypes: ( 2.16.840.1.113730.3.1.241 NAME 'displayName' DESC 'RFC
4775- 2798: preferred name to be used when displaying entries' EQUALITY caseIgnoreM
4776- atch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SI
4777- NGLE-VALUE )
4778-olcAttributeTypes: ( 2.16.840.1.113730.3.1.3 NAME 'employeeNumber' DESC 'RF
4779- C2798: numerically identifies an employee within an organization' EQUALITY ca
4780- seIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.12
4781- 1.1.15 SINGLE-VALUE )
4782-olcAttributeTypes: ( 2.16.840.1.113730.3.1.4 NAME 'employeeType' DESC 'RFC2
4783- 798: type of employment for a person' EQUALITY caseIgnoreMatch SUBSTR caseIgn
4784- oreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4785-olcAttributeTypes: ( 0.9.2342.19200300.100.1.60 NAME 'jpegPhoto' DESC 'RFC2
4786- 798: a JPEG image' SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 )
4787-olcAttributeTypes: ( 2.16.840.1.113730.3.1.39 NAME 'preferredLanguage' DESC
4788- 'RFC2798: preferred written or spoken language for a person' EQUALITY caseIg
4789- noreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.
4790- 15 SINGLE-VALUE )
4791-olcAttributeTypes: ( 2.16.840.1.113730.3.1.40 NAME 'userSMIMECertificate' D
4792- ESC 'RFC2798: PKCS#7 SignedData used to support S/MIME' SYNTAX 1.3.6.1.4.1.14
4793- 66.115.121.1.5 )
4794-olcAttributeTypes: ( 2.16.840.1.113730.3.1.216 NAME 'userPKCS12' DESC 'RFC2
4795- 798: personal identity information, a PKCS #12 PFX' SYNTAX 1.3.6.1.4.1.1466.1
4796- 15.121.1.5 )
4797-olcObjectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'RFC2
4798- 798: Internet Organizational Person' SUP organizationalPerson STRUCTURAL MAY
4799- ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ em
4800- ployeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ ini
4801- tials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo
4802- $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ pre
4803- ferredLanguage $ userSMIMECertificate $ userPKCS12 ) )
4804
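Review bot: the header of the removed file (`# Depends upon ... [RFC2079] (core.ldif)`, `[RFC2256] (core.ldif)`, `[RFC1274] (cosine.ldif)`) documents that inetOrgPerson must be loaded after core and cosine because it is `SUP organizationalPerson` and lists cosine attributes such as `mail`, `uid` and `labeledURI` in its MAY set. Wherever this schema is now loaded from, the load order has to preserve that, otherwise the `olcObjectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' ...` entry fails with an undefined-superior error. Note also that `userPKCS12` ('personal identity information, a PKCS #12 PFX') and `userSMIMECertificate` are defined here; any replacement copy should keep them so that the ACLs protecting those attributes continue to resolve.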
4805=== removed file 'schemas/misc.ldif'
4806--- schemas/misc.ldif 2009-09-11 14:25:59 +0000
4807+++ schemas/misc.ldif 1970-01-01 00:00:00 +0000
4808@@ -1,25 +0,0 @@
4809-# misc.ldif
4810-#
4811-# This is the ldif version of misc.schema to be used with cn=config.
4812-# The nss overlay requires rfc822MailMember which is defined here.
4813-#
4814-dn: cn=misc,cn=schema,cn=config
4815-objectClass: olcSchemaConfig
4816-cn: misc
4817-olcAttributeTypes: ( 2.16.840.1.113730.3.1.13 NAME 'mailLocalAddress' DESC
4818- 'RFC822 email address of this recipient' EQUALITY caseIgnoreIA5Match SYNTAX 1
4819- .3.6.1.4.1.1466.115.121.1.26{256} )
4820-olcAttributeTypes: ( 2.16.840.1.113730.3.1.18 NAME 'mailHost' DESC 'FQDN of
4821- the SMTP/MTA of this recipient' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4
4822- .1.1466.115.121.1.26{256} SINGLE-VALUE )
4823-olcAttributeTypes: ( 2.16.840.1.113730.3.1.47 NAME 'mailRoutingAddress' DES
4824- C 'RFC822 routing address of this recipient' EQUALITY caseIgnoreIA5Match SYNT
4825- AX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
4826-olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.2.1.15 NAME 'rfc822MailMember' DES
4827- C 'rfc822 mail address of group member(s)' EQUALITY caseIgnoreIA5Match SYNTAX
4828- 1.3.6.1.4.1.1466.115.121.1.26 )
4829-olcObjectClasses: ( 2.16.840.1.113730.3.2.147 NAME 'inetLocalMailRecipient'
4830- DESC 'Internet local mail recipient' SUP top AUXILIARY MAY ( mailLocalAddres
4831- s $ mailHost $ mailRoutingAddress ) )
4832-olcObjectClasses: ( 1.3.6.1.4.1.42.2.27.1.2.5 NAME 'nisMailAlias' DESC 'NIS
4833- mail alias' SUP top STRUCTURAL MUST cn MAY rfc822MailMember )
4834
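Review bot: the file's own header states "The nss overlay requires rfc822MailMember which is defined here", and `olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.2.1.15 NAME 'rfc822MailMember' ...` plus the `nisMailAlias` class that uses it are deleted by this hunk. Before this lands, confirm that `rfc822MailMember` is still defined somewhere in the resulting package (or that the nss overlay dependency is dropped as well), since slapd will refuse to start any overlay or DIT entry that references an unknown attribute type.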
4835=== removed file 'schemas/mit-kerberos.ldif'
4836--- schemas/mit-kerberos.ldif 2009-10-06 20:36:12 +0000
4837+++ schemas/mit-kerberos.ldif 1970-01-01 00:00:00 +0000
4838@@ -1,473 +0,0 @@
4839-# Novell Kerberos Schema Definitions
4840-# Novell Inc.
4841-# 1800 South Novell Place
4842-# Provo, UT 84606
4843-#
4844-# VeRsIoN=1.0
4845-# CoPyRiGhT=(c) Copyright 2006, Novell, Inc. All rights reserved
4846-#
4847-# OIDs:
4848-# joint-iso-ccitt(2)
4849-# country(16)
4850-# us(840)
4851-# organization(1)
4852-# Novell(113719)
4853-# applications(1)
4854-# kerberos(301)
4855-# Kerberos Attribute Type(4) attr# version#
4856-# specific attribute definitions
4857-# Kerberos Attribute Syntax(5)
4858-# specific syntax definitions
4859-# Kerberos Object Class(6) class# version#
4860-# specific class definitions
4861-#
4862-# iso(1)
4863-# member-body(2)
4864-# United States(840)
4865-# mit (113554)
4866-# infosys(1)
4867-# ldap(4)
4868-# attributeTypes(1)
4869-# Kerberos(6)
4870-########################################################################
4871-########################################################################
4872-# Attribute Type Definitions #
4873-########################################################################
4874-dn: cn=mit-kerberos,cn=schema,cn=config
4875-cn: kerberos
4876-objectClass: olcSchemaConfig
4877-olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.1.1
4878- NAME 'krbPrincipalName'
4879- EQUALITY caseExactIA5Match
4880- SUBSTR caseExactSubstringsMatch
4881- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
4882-##### If there are multiple krbPrincipalName values for an entry, this
4883-##### is the canonical principal name in the RFC 1964 specified
4884-##### format. (If this attribute does not exist, then all
4885-##### krbPrincipalName values are treated as canonical.)
4886-olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.1
4887- NAME 'krbCanonicalName'
4888- EQUALITY caseExactIA5Match
4889- SUBSTR caseExactSubstringsMatch
4890- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
4891- SINGLE-VALUE)
4892-##### This specifies the type of the principal, the types could be any of
4893-##### the types mentioned in section 6.2 of RFC 4120
4894-olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.3.1
4895- NAME 'krbPrincipalType'
4896- EQUALITY integerMatch
4897- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
4898- SINGLE-VALUE)
4899-olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.5.1
4900- NAME 'krbUPEnabled'
4901- DESC 'Boolean'
4902- SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
4903- SINGLE-VALUE)
4904-##### The time at which the principal expires
4905-olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.6.1
4906- NAME 'krbPrincipalExpiration'
4907- EQUALITY generalizedTimeMatch
4908- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
4909- SINGLE-VALUE)
4910-##### The krbTicketFlags attribute holds information about the kerberos flags for a principal
4911-##### The values (0x00000001 - 0x00800000) are reserved for standards and
4912-##### values (0x01000000 - 0x80000000) can be used for proprietary extensions.
4913-##### The flags and values as per RFC 4120 and MIT implementation are,
4914-##### DISALLOW_POSTDATED 0x00000001
4915-##### DISALLOW_FORWARDABLE 0x00000002
4916-##### DISALLOW_TGT_BASED 0x00000004
4917-##### DISALLOW_RENEWABLE 0x00000008
4918-##### DISALLOW_PROXIABLE 0x00000010
4919-##### DISALLOW_DUP_SKEY 0x00000020
4920-##### DISALLOW_ALL_TIX 0x00000040
4921-##### REQUIRES_PRE_AUTH 0x00000080
4922-##### REQUIRES_HW_AUTH 0x00000100
4923-##### REQUIRES_PWCHANGE 0x00000200
4924-##### DISALLOW_SVR 0x00001000
4925-##### PWCHANGE_SERVICE 0x00002000
4926-olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.8.1
4927- NAME 'krbTicketFlags'
4928- EQUALITY integerMatch
4929- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
4930- SINGLE-VALUE)
4931-##### The maximum ticket lifetime for a principal in seconds
4932-olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.9.1
4933- NAME 'krbMaxTicketLife'
4934- EQUALITY integerMatch
4935- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
4936- SINGLE-VALUE)
4937-##### Maximum renewable lifetime for a principal's ticket in seconds
4938-olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.10.1
4939- NAME 'krbMaxRenewableAge'
4940- EQUALITY integerMatch
4941- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
4942- SINGLE-VALUE)
4943-##### Forward reference to the Realm object.
4944-##### (FDN of the krbRealmContainer object).
4945-##### Example: cn=ACME.COM, cn=Kerberos, cn=Security
4946-olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.14.1
4947- NAME 'krbRealmReferences'
4948- EQUALITY distinguishedNameMatch
4949- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
4950-##### List of LDAP servers that kerberos servers can contact.
4951-##### The attribute holds data in the ldap uri format,
4952-##### Example: ldaps://acme.com:636
4953-#####
4954-##### The values of this attribute need to be updated, when
4955-##### the LDAP servers listed here are renamed, moved or deleted.
4956-olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.15.1
4957- NAME 'krbLdapServers'
4958- EQUALITY caseIgnoreMatch
4959- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
4960-##### A set of forward references to the KDC Service objects.
4961-##### (FDNs of the krbKdcService objects).
4962-##### Example: cn=kdc - server 1, ou=uvw, o=xyz
4963-olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.17.1
4964- NAME 'krbKdcServers'
4965- EQUALITY distinguishedNameMatch
4966- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
4967-##### A set of forward references to the Password Service objects.
4968-##### (FDNs of the krbPwdService objects).
4969-##### Example: cn=kpasswdd - server 1, ou=uvw, o=xyz
4970-olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.18.1
4971- NAME 'krbPwdServers'
4972- EQUALITY distinguishedNameMatch
4973- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
4974-##### This attribute holds the Host Name or the ip address,
4975-##### transport protocol and ports of the kerberos service host
4976-##### The format is host_name-or-ip_address#protocol#port
4977-##### Protocol can be 0 or 1. 0 is for UDP. 1 is for TCP.
4978-olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.24.1
4979- NAME 'krbHostServer'
4980- EQUALITY caseExactIA5Match
4981- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
4982-##### This attribute holds the scope for searching the principals
4983-##### under krbSubTree attribute of krbRealmContainer
4984-##### The value can either be 1 (ONE) or 2 (SUB_TREE).
4985-olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.25.1
4986- NAME 'krbSearchScope'
4987- EQUALITY integerMatch
4988- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
4989- SINGLE-VALUE)
4990-##### FDNs pointing to Kerberos principals
4991-olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.26.1
4992- NAME 'krbPrincipalReferences'
4993- EQUALITY distinguishedNameMatch
4994- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
4995-##### This attribute specifies which attribute of the user objects
4996-##### be used as the principal name component for Kerberos.
4997-##### The allowed values are cn, sn, uid, givenname, fullname.
4998-olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.28.1
4999- NAME 'krbPrincNamingAttr'
5000- EQUALITY caseIgnoreMatch
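Review bot: at the top of the removed entry, `dn: cn=mit-kerberos,cn=schema,cn=config` is paired with `cn: kerberos`, so the RDN value is not among the entry's attribute values; slapd treats an add whose naming attribute value is missing from the entry as a naming violation. If these Kerberos definitions are relocated rather than dropped, the relocated copy should carry `cn: mit-kerberos` (or use `cn=kerberos` in the DN) rather than inherit the mismatch. The rest of this hunk is truncated on the page, so the remainder of the removed entry was not reviewed.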
The diff has been truncated for viewing.
