[751] | 1 | # Novell Kerberos Schema Definitions |
---|
| 2 | # Novell Inc. |
---|
| 3 | # 1800 South Novell Place |
---|
| 4 | # Provo, UT 84606 |
---|
| 5 | # |
---|
| 6 | # VeRsIoN=1.0 |
---|
| 7 | # CoPyRiGhT=(c) Copyright 2006, Novell, Inc. All rights reserved |
---|
| 8 | # |
---|
| 9 | # OIDs: |
---|
| 10 | # joint-iso-ccitt(2) |
---|
| 11 | # country(16) |
---|
| 12 | # us(840) |
---|
| 13 | # organization(1) |
---|
| 14 | # Novell(113719) |
---|
| 15 | # applications(1) |
---|
| 16 | # kerberos(301) |
---|
| 17 | # Kerberos Attribute Type(4) attr# version# |
---|
| 18 | # specific attribute definitions |
---|
| 19 | # Kerberos Attribute Syntax(5) |
---|
| 20 | # specific syntax definitions |
---|
| 21 | # Kerberos Object Class(6) class# version# |
---|
| 22 | # specific class definitions |
---|
| 23 | |
---|
| 24 | ######################################################################## |
---|
| 25 | |
---|
| 26 | |
---|
| 27 | ######################################################################## |
---|
| 28 | # Attribute Type Definitions # |
---|
| 29 | ######################################################################## |
---|
| 30 | |
---|
| 31 | ##### This is the principal name in the RFC 1964 specified format |
---|
| 32 | |
---|
| 33 | attributetype ( 2.16.840.1.113719.1.301.4.1.1 |
---|
| 34 | NAME 'krbPrincipalName' |
---|
| 35 | EQUALITY caseExactIA5Match |
---|
| 36 | SUBSTR caseExactSubstringsMatch |
---|
| 37 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) |
---|
| 38 | |
---|
| 39 | |
---|
| 40 | ##### This specifies the type of the principal, the types could be any of |
---|
| 41 | ##### the types mentioned in section 6.2 of RFC 4120 |
---|
| 42 | |
---|
| 43 | attributetype ( 2.16.840.1.113719.1.301.4.3.1 |
---|
| 44 | NAME 'krbPrincipalType' |
---|
| 45 | EQUALITY integerMatch |
---|
| 46 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
---|
| 47 | SINGLE-VALUE) |
---|
| 48 | |
---|
| 49 | |
---|
| 50 | ##### This flag is used to find whether directory User Password has to be used |
---|
| 51 | ##### as kerberos password. |
---|
| 52 | ##### TRUE, if User Password is to be used as the kerberos password. |
---|
| 53 | ##### FALSE, if User Password and the kerberos password are different. |
---|
| 54 | |
---|
| 55 | attributetype ( 2.16.840.1.113719.1.301.4.5.1 |
---|
| 56 | NAME 'krbUPEnabled' |
---|
| 57 | DESC 'Boolean' |
---|
| 58 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 |
---|
| 59 | SINGLE-VALUE) |
---|
| 60 | |
---|
| 61 | |
---|
| 62 | ##### The time at which the principal expires |
---|
| 63 | |
---|
| 64 | attributetype ( 2.16.840.1.113719.1.301.4.6.1 |
---|
| 65 | NAME 'krbPrincipalExpiration' |
---|
| 66 | EQUALITY generalizedTimeMatch |
---|
| 67 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 |
---|
| 68 | SINGLE-VALUE) |
---|
| 69 | |
---|
| 70 | |
---|
| 71 | ##### The krbTicketFlags attribute holds information about the kerberos flags for a principal |
---|
| 72 | ##### The values (0x00000001 - 0x00800000) are reserved for standards and |
---|
| 73 | ##### values (0x01000000 - 0x80000000) can be used for proprietary extensions. |
---|
| 74 | ##### The flags and values as per RFC 4120 and MIT implementation are, |
---|
| 75 | ##### DISALLOW_POSTDATED 0x00000001 |
---|
| 76 | ##### DISALLOW_FORWARDABLE 0x00000002 |
---|
| 77 | ##### DISALLOW_TGT_BASED 0x00000004 |
---|
| 78 | ##### DISALLOW_RENEWABLE 0x00000008 |
---|
| 79 | ##### DISALLOW_PROXIABLE 0x00000010 |
---|
| 80 | ##### DISALLOW_DUP_SKEY 0x00000020 |
---|
| 81 | ##### DISALLOW_ALL_TIX 0x00000040 |
---|
| 82 | ##### REQUIRES_PRE_AUTH 0x00000080 |
---|
| 83 | ##### REQUIRES_HW_AUTH 0x00000100 |
---|
| 84 | ##### REQUIRES_PWCHANGE 0x00000200 |
---|
| 85 | ##### DISALLOW_SVR 0x00001000 |
---|
| 86 | ##### PWCHANGE_SERVICE 0x00002000 |
---|
| 87 | |
---|
| 88 | |
---|
| 89 | attributetype ( 2.16.840.1.113719.1.301.4.8.1 |
---|
| 90 | NAME 'krbTicketFlags' |
---|
| 91 | EQUALITY integerMatch |
---|
| 92 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
---|
| 93 | SINGLE-VALUE) |
---|
| 94 | |
---|
| 95 | |
---|
| 96 | ##### The maximum ticket lifetime for a principal in seconds |
---|
| 97 | |
---|
| 98 | attributetype ( 2.16.840.1.113719.1.301.4.9.1 |
---|
| 99 | NAME 'krbMaxTicketLife' |
---|
| 100 | EQUALITY integerMatch |
---|
| 101 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
---|
| 102 | SINGLE-VALUE) |
---|
| 103 | |
---|
| 104 | |
---|
| 105 | ##### Maximum renewable lifetime for a principal's ticket in seconds |
---|
| 106 | |
---|
| 107 | attributetype ( 2.16.840.1.113719.1.301.4.10.1 |
---|
| 108 | NAME 'krbMaxRenewableAge' |
---|
| 109 | EQUALITY integerMatch |
---|
| 110 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
---|
| 111 | SINGLE-VALUE) |
---|
| 112 | |
---|
| 113 | |
---|
| 114 | ##### Forward reference to the Realm object. |
---|
| 115 | ##### (FDN of the krbRealmContainer object). |
---|
| 116 | ##### Example: cn=ACME.COM, cn=Kerberos, cn=Security |
---|
| 117 | |
---|
| 118 | attributetype ( 2.16.840.1.113719.1.301.4.14.1 |
---|
| 119 | NAME 'krbRealmReferences' |
---|
| 120 | EQUALITY distinguishedNameMatch |
---|
| 121 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) |
---|
| 122 | |
---|
| 123 | |
---|
| 124 | ##### List of LDAP servers that kerberos servers can contact. |
---|
| 125 | ##### The attribute holds data in the ldap uri format, |
---|
| 126 | ##### Examples: acme.com#636, 164.164.164.164#1636, ldaps://acme.com:636 |
---|
| 127 | ##### |
---|
| 128 | ##### The values of this attribute need to be updated, when |
---|
| 129 | ##### the LDAP servers listed here are renamed, moved or deleted. |
---|
| 130 | |
---|
| 131 | attributetype ( 2.16.840.1.113719.1.301.4.15.1 |
---|
| 132 | NAME 'krbLdapServers' |
---|
| 133 | EQUALITY caseIgnoreMatch |
---|
| 134 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) |
---|
| 135 | |
---|
| 136 | |
---|
| 137 | ##### A set of forward references to the KDC Service objects. |
---|
| 138 | ##### (FDNs of the krbKdcService objects). |
---|
| 139 | ##### Example: cn=kdc - server 1, ou=uvw, o=xyz |
---|
| 140 | |
---|
| 141 | attributetype ( 2.16.840.1.113719.1.301.4.17.1 |
---|
| 142 | NAME 'krbKdcServers' |
---|
| 143 | EQUALITY distinguishedNameMatch |
---|
| 144 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) |
---|
| 145 | |
---|
| 146 | |
---|
| 147 | ##### A set of forward references to the Password Service objects. |
---|
| 148 | ##### (FDNs of the krbPwdService objects). |
---|
| 149 | ##### Example: cn=kpasswdd - server 1, ou=uvw, o=xyz |
---|
| 150 | |
---|
| 151 | attributetype ( 2.16.840.1.113719.1.301.4.18.1 |
---|
| 152 | NAME 'krbPwdServers' |
---|
| 153 | EQUALITY distinguishedNameMatch |
---|
| 154 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) |
---|
| 155 | |
---|
| 156 | |
---|
| 157 | ##### This attribute holds the Host Name or the ip address, |
---|
| 158 | ##### transport protocol and ports of the kerberos service host |
---|
| 159 | ##### The format is host_name-or-ip_address#protocol#port |
---|
| 160 | ##### Protocol can be 0 or 1. 0 is for UDP. 1 is for TCP. |
---|
| 161 | |
---|
| 162 | attributetype ( 2.16.840.1.113719.1.301.4.24.1 |
---|
| 163 | NAME 'krbHostServer' |
---|
| 164 | EQUALITY caseExactIA5Match |
---|
| 165 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) |
---|
| 166 | |
---|
| 167 | |
---|
| 168 | ##### This attribute holds the scope for searching the principals |
---|
| 169 | ##### under krbSubTree attribute of krbRealmContainer |
---|
| 170 | ##### The value can either be 1 (ONE) or 2 (SUB_TREE). |
---|
| 171 | |
---|
| 172 | attributetype ( 2.16.840.1.113719.1.301.4.25.1 |
---|
| 173 | NAME 'krbSearchScope' |
---|
| 174 | EQUALITY integerMatch |
---|
| 175 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
---|
| 176 | SINGLE-VALUE) |
---|
| 177 | |
---|
| 178 | |
---|
| 179 | ##### FDNs pointing to Kerberos principals |
---|
| 180 | |
---|
| 181 | attributetype ( 2.16.840.1.113719.1.301.4.26.1 |
---|
| 182 | NAME 'krbPrincipalReferences' |
---|
| 183 | EQUALITY distinguishedNameMatch |
---|
| 184 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) |
---|
| 185 | |
---|
| 186 | |
---|
| 187 | ##### This attribute specifies which attribute of the user objects |
---|
| 188 | ##### be used as the principal name component for Kerberos. |
---|
| 189 | ##### The allowed values are cn, sn, uid, givenname, fullname. |
---|
| 190 | |
---|
| 191 | attributetype ( 2.16.840.1.113719.1.301.4.28.1 |
---|
| 192 | NAME 'krbPrincNamingAttr' |
---|
| 193 | EQUALITY caseIgnoreMatch |
---|
| 194 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 |
---|
| 195 | SINGLE-VALUE) |
---|
| 196 | |
---|
| 197 | |
---|
| 198 | ##### A set of forward references to the Administration Service objects. |
---|
| 199 | ##### (FDNs of the krbAdmService objects). |
---|
| 200 | ##### Example: cn=kadmindd - server 1, ou=uvw, o=xyz |
---|
| 201 | |
---|
| 202 | attributetype ( 2.16.840.1.113719.1.301.4.29.1 |
---|
| 203 | NAME 'krbAdmServers' |
---|
| 204 | EQUALITY distinguishedNameMatch |
---|
| 205 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) |
---|
| 206 | |
---|
| 207 | |
---|
| 208 | ##### Maximum lifetime of a principal's password |
---|
| 209 | |
---|
| 210 | attributetype ( 2.16.840.1.113719.1.301.4.30.1 |
---|
| 211 | NAME 'krbMaxPwdLife' |
---|
| 212 | EQUALITY integerMatch |
---|
| 213 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
---|
| 214 | SINGLE-VALUE) |
---|
| 215 | |
---|
| 216 | |
---|
| 217 | ##### Minimum lifetime of a principal's password |
---|
| 218 | |
---|
| 219 | attributetype ( 2.16.840.1.113719.1.301.4.31.1 |
---|
| 220 | NAME 'krbMinPwdLife' |
---|
| 221 | EQUALITY integerMatch |
---|
| 222 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
---|
| 223 | SINGLE-VALUE) |
---|
| 224 | |
---|
| 225 | |
---|
| 226 | ##### Minimum number of character clases allowed in a password |
---|
| 227 | |
---|
| 228 | attributetype ( 2.16.840.1.113719.1.301.4.32.1 |
---|
| 229 | NAME 'krbPwdMinDiffChars' |
---|
| 230 | EQUALITY integerMatch |
---|
| 231 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
---|
| 232 | SINGLE-VALUE) |
---|
| 233 | |
---|
| 234 | |
---|
| 235 | ##### Minimum length of the password |
---|
| 236 | |
---|
| 237 | attributetype ( 2.16.840.1.113719.1.301.4.33.1 |
---|
| 238 | NAME 'krbPwdMinLength' |
---|
| 239 | EQUALITY integerMatch |
---|
| 240 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
---|
| 241 | SINGLE-VALUE) |
---|
| 242 | |
---|
| 243 | |
---|
| 244 | ##### Number of previous versions of passwords that are stored |
---|
| 245 | |
---|
| 246 | attributetype ( 2.16.840.1.113719.1.301.4.34.1 |
---|
| 247 | NAME 'krbPwdHistoryLength' |
---|
| 248 | EQUALITY integerMatch |
---|
| 249 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
---|
| 250 | SINGLE-VALUE) |
---|
| 251 | |
---|
| 252 | |
---|
| 253 | ##### FDN pointing to a Kerberos Password Policy object |
---|
| 254 | |
---|
| 255 | attributetype ( 2.16.840.1.113719.1.301.4.36.1 |
---|
| 256 | NAME 'krbPwdPolicyReference' |
---|
| 257 | EQUALITY distinguishedNameMatch |
---|
| 258 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 |
---|
| 259 | SINGLE-VALUE) |
---|
| 260 | |
---|
| 261 | |
---|
| 262 | ##### The time at which the principal's password expires |
---|
| 263 | |
---|
| 264 | attributetype ( 2.16.840.1.113719.1.301.4.37.1 |
---|
| 265 | NAME 'krbPasswordExpiration' |
---|
| 266 | EQUALITY generalizedTimeMatch |
---|
| 267 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 |
---|
| 268 | SINGLE-VALUE) |
---|
| 269 | |
---|
| 270 | |
---|
| 271 | ##### This attribute holds the principal's key (krbPrincipalKey) that is encrypted with |
---|
| 272 | ##### the master key (krbMKey). |
---|
| 273 | ##### The attribute is ASN.1 encoded. |
---|
| 274 | ##### |
---|
| 275 | ##### The format of the value for this attribute is explained below, |
---|
| 276 | ##### KrbKeySet ::= SEQUENCE { |
---|
| 277 | ##### attribute-major-vno [0] UInt16, |
---|
| 278 | ##### attribute-minor-vno [1] UInt16, |
---|
| 279 | ##### kvno [2] UInt32, |
---|
| 280 | ##### mkvno [3] UInt32 OPTIONAL, |
---|
| 281 | ##### keys [4] SEQUENCE OF KrbKey, |
---|
| 282 | ##### ... |
---|
| 283 | ##### } |
---|
| 284 | ##### |
---|
| 285 | ##### KrbKey ::= SEQUENCE { |
---|
| 286 | ##### salt [0] KrbSalt OPTIONAL, |
---|
| 287 | ##### key [1] EncryptionKey, |
---|
| 288 | ##### s2kparams [2] OCTET STRING OPTIONAL, |
---|
| 289 | ##### ... |
---|
| 290 | ##### } |
---|
| 291 | ##### |
---|
| 292 | ##### KrbSalt ::= SEQUENCE { |
---|
| 293 | ##### type [0] Int32, |
---|
| 294 | ##### salt [1] OCTET STRING OPTIONAL |
---|
| 295 | ##### } |
---|
| 296 | ##### |
---|
| 297 | ##### EncryptionKey ::= SEQUENCE { |
---|
| 298 | ##### keytype [0] Int32, |
---|
| 299 | ##### keyvalue [1] OCTET STRING |
---|
| 300 | ##### } |
---|
| 301 | |
---|
| 302 | attributetype ( 2.16.840.1.113719.1.301.4.39.1 |
---|
| 303 | NAME 'krbPrincipalKey' |
---|
| 304 | EQUALITY octetStringMatch |
---|
| 305 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.40) |
---|
| 306 | |
---|
| 307 | |
---|
| 308 | ##### FDN pointing to a Kerberos Ticket Policy object. |
---|
| 309 | |
---|
| 310 | attributetype ( 2.16.840.1.113719.1.301.4.40.1 |
---|
| 311 | NAME 'krbTicketPolicyReference' |
---|
| 312 | EQUALITY distinguishedNameMatch |
---|
| 313 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 |
---|
| 314 | SINGLE-VALUE) |
---|
| 315 | |
---|
| 316 | |
---|
| 317 | ##### Forward reference to an entry that starts sub-trees |
---|
| 318 | ##### where principals and other kerberos objects in the realm are configured. |
---|
| 319 | ##### Example: ou=acme, ou=pq, o=xyz |
---|
| 320 | |
---|
| 321 | attributetype ( 2.16.840.1.113719.1.301.4.41.1 |
---|
| 322 | NAME 'krbSubTrees' |
---|
| 323 | EQUALITY distinguishedNameMatch |
---|
| 324 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) |
---|
| 325 | |
---|
| 326 | |
---|
| 327 | ##### Holds the default encryption/salt type combinations of principals for |
---|
| 328 | ##### the Realm. Stores in the form of key:salt strings. This will be |
---|
| 329 | ##### subset of the supported encryption/salt types. |
---|
| 330 | ##### Example: des-cbc-crc:normal |
---|
| 331 | |
---|
| 332 | attributetype ( 2.16.840.1.113719.1.301.4.42.1 |
---|
| 333 | NAME 'krbDefaultEncSaltTypes' |
---|
| 334 | EQUALITY caseIgnoreMatch |
---|
| 335 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) |
---|
| 336 | |
---|
| 337 | |
---|
| 338 | ##### Holds the supported encryption/salt type combinations of principals for |
---|
| 339 | ##### the Realm. Stores in the form of key:salt strings. |
---|
| 340 | ##### The supported encryption types are mentioned in RFC 3961 |
---|
| 341 | ##### The supported salt types are, |
---|
| 342 | ##### NORMAL |
---|
| 343 | ##### V4 |
---|
| 344 | ##### NOREALM |
---|
| 345 | ##### ONLYREALM |
---|
| 346 | ##### SPECIAL |
---|
| 347 | ##### AFS3 |
---|
| 348 | ##### Example: des-cbc-crc:normal |
---|
| 349 | |
---|
| 350 | attributetype ( 2.16.840.1.113719.1.301.4.43.1 |
---|
| 351 | NAME 'krbSupportedEncSaltTypes' |
---|
| 352 | EQUALITY caseIgnoreMatch |
---|
| 353 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) |
---|
| 354 | |
---|
| 355 | |
---|
| 356 | ##### This attribute holds the principal's old keys (krbPwdHistory) that is encrypted with |
---|
| 357 | ##### the kadmin/history key. |
---|
| 358 | ##### The attribute is ASN.1 encoded. |
---|
| 359 | ##### |
---|
| 360 | ##### The format of the value for this attribute is explained below, |
---|
| 361 | ##### KrbKeySet ::= SEQUENCE { |
---|
| 362 | ##### attribute-major-vno [0] UInt16, |
---|
| 363 | ##### attribute-minor-vno [1] UInt16, |
---|
| 364 | ##### kvno [2] UInt32, |
---|
| 365 | ##### mkvno [3] UInt32 OPTIONAL -- actually kadmin/history key, |
---|
| 366 | ##### keys [4] SEQUENCE OF KrbKey, |
---|
| 367 | ##### ... |
---|
| 368 | ##### } |
---|
| 369 | ##### |
---|
| 370 | ##### KrbKey ::= SEQUENCE { |
---|
| 371 | ##### salt [0] KrbSalt OPTIONAL, |
---|
| 372 | ##### key [1] EncryptionKey, |
---|
| 373 | ##### s2kparams [2] OCTET STRING OPTIONAL, |
---|
| 374 | ##### ... |
---|
| 375 | ##### } |
---|
| 376 | ##### |
---|
| 377 | ##### KrbSalt ::= SEQUENCE { |
---|
| 378 | ##### type [0] Int32, |
---|
| 379 | ##### salt [1] OCTET STRING OPTIONAL |
---|
| 380 | ##### } |
---|
| 381 | ##### |
---|
| 382 | ##### EncryptionKey ::= SEQUENCE { |
---|
| 383 | ##### keytype [0] Int32, |
---|
| 384 | ##### keyvalue [1] OCTET STRING |
---|
| 385 | ##### } |
---|
| 386 | |
---|
| 387 | attributetype ( 2.16.840.1.113719.1.301.4.44.1 |
---|
| 388 | NAME 'krbPwdHistory' |
---|
| 389 | EQUALITY octetStringMatch |
---|
| 390 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.40) |
---|
| 391 | |
---|
| 392 | |
---|
| 393 | ##### The time at which the principal's password last password change happened. |
---|
| 394 | |
---|
| 395 | attributetype ( 2.16.840.1.113719.1.301.4.45.1 |
---|
| 396 | NAME 'krbLastPwdChange' |
---|
| 397 | EQUALITY generalizedTimeMatch |
---|
| 398 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 |
---|
| 399 | SINGLE-VALUE) |
---|
| 400 | |
---|
| 401 | |
---|
| 402 | ##### This attribute holds the kerberos master key. |
---|
| 403 | ##### This can be used to encrypt principal keys. |
---|
| 404 | ##### This attribute has to be secured in directory. |
---|
| 405 | ##### |
---|
| 406 | ##### This attribute is ASN.1 encoded. |
---|
| 407 | ##### The format of the value for this attribute is explained below, |
---|
| 408 | ##### KrbMKey ::= SEQUENCE { |
---|
| 409 | ##### kvno [0] UInt32, |
---|
| 410 | ##### key [1] MasterKey |
---|
| 411 | ##### } |
---|
| 412 | ##### |
---|
| 413 | ##### MasterKey ::= SEQUENCE { |
---|
| 414 | ##### keytype [0] Int32, |
---|
| 415 | ##### keyvalue [1] OCTET STRING |
---|
| 416 | ##### } |
---|
| 417 | |
---|
| 418 | |
---|
| 419 | attributetype ( 2.16.840.1.113719.1.301.4.46.1 |
---|
| 420 | NAME 'krbMKey' |
---|
| 421 | EQUALITY octetStringMatch |
---|
| 422 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.40) |
---|
| 423 | |
---|
| 424 | |
---|
| 425 | ##### This stores the alternate principal names for the principal in the RFC 1961 specified format |
---|
| 426 | |
---|
| 427 | attributetype ( 2.16.840.1.113719.1.301.4.47.1 |
---|
| 428 | NAME 'krbPrincipalAliases' |
---|
| 429 | EQUALITY caseExactIA5Match |
---|
| 430 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) |
---|
| 431 | |
---|
| 432 | |
---|
| 433 | ##### The time at which the principal's last successful authentication happened. |
---|
| 434 | |
---|
| 435 | attributetype ( 2.16.840.1.113719.1.301.4.48.1 |
---|
| 436 | NAME 'krbLastSuccessfulAuth' |
---|
| 437 | EQUALITY generalizedTimeMatch |
---|
| 438 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 |
---|
| 439 | SINGLE-VALUE) |
---|
| 440 | |
---|
| 441 | |
---|
| 442 | ##### The time at which the principal's last failed authentication happened. |
---|
| 443 | |
---|
| 444 | attributetype ( 2.16.840.1.113719.1.301.4.49.1 |
---|
| 445 | NAME 'krbLastFailedAuth' |
---|
| 446 | EQUALITY generalizedTimeMatch |
---|
| 447 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 |
---|
| 448 | SINGLE-VALUE) |
---|
| 449 | |
---|
| 450 | |
---|
| 451 | ##### This attribute stores the number of failed authentication attempts |
---|
| 452 | ##### happened for the principal since the last successful authentication. |
---|
| 453 | |
---|
| 454 | attributetype ( 2.16.840.1.113719.1.301.4.50.1 |
---|
| 455 | NAME 'krbLoginFailedCount' |
---|
| 456 | EQUALITY integerMatch |
---|
| 457 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
---|
| 458 | SINGLE-VALUE) |
---|
| 459 | |
---|
| 460 | |
---|
| 461 | |
---|
| 462 | ##### This attribute holds the application specific data. |
---|
| 463 | |
---|
| 464 | attributetype ( 2.16.840.1.113719.1.301.4.51.1 |
---|
| 465 | NAME 'krbExtraData' |
---|
| 466 | EQUALITY octetStringMatch |
---|
| 467 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.40) |
---|
| 468 | |
---|
| 469 | |
---|
| 470 | ##### This attributes holds references to the set of directory objects. |
---|
| 471 | ##### This stores the DNs of the directory objects to which the |
---|
| 472 | ##### principal object belongs to. |
---|
| 473 | |
---|
| 474 | attributetype ( 2.16.840.1.113719.1.301.4.52.1 |
---|
| 475 | NAME 'krbObjectReferences' |
---|
| 476 | EQUALITY distinguishedNameMatch |
---|
| 477 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) |
---|
| 478 | |
---|
| 479 | |
---|
| 480 | ##### This attribute holds references to a Container object where |
---|
| 481 | ##### the additional principal objects and stand alone principal |
---|
| 482 | ##### objects (krbPrincipal) can be created. |
---|
| 483 | |
---|
| 484 | attributetype ( 2.16.840.1.113719.1.301.4.53.1 |
---|
| 485 | NAME 'krbPrincContainerRef' |
---|
| 486 | EQUALITY distinguishedNameMatch |
---|
| 487 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.12) |
---|
| 488 | |
---|
| 489 | |
---|
| 490 | ######################################################################## |
---|
| 491 | ######################################################################## |
---|
| 492 | # Object Class Definitions # |
---|
| 493 | ######################################################################## |
---|
| 494 | |
---|
| 495 | #### This is a kerberos container for all the realms in a tree. |
---|
| 496 | |
---|
| 497 | objectclass ( 2.16.840.1.113719.1.301.6.1.1 |
---|
| 498 | NAME 'krbContainer' |
---|
| 499 | SUP top |
---|
| 500 | STRUCTURAL |
---|
| 501 | MUST ( cn ) ) |
---|
| 502 | |
---|
| 503 | |
---|
| 504 | ##### The krbRealmContainer is created per realm and holds realm specific data. |
---|
| 505 | |
---|
| 506 | objectclass ( 2.16.840.1.113719.1.301.6.2.1 |
---|
| 507 | NAME 'krbRealmContainer' |
---|
| 508 | SUP top |
---|
| 509 | STRUCTURAL |
---|
| 510 | MUST ( cn ) |
---|
| 511 | MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef ) ) |
---|
| 512 | |
---|
| 513 | |
---|
| 514 | ##### An instance of a class derived from krbService is created per |
---|
| 515 | ##### kerberos authentication or administration server in an realm and holds |
---|
| 516 | ##### references to the realm objects. These references is used to further read |
---|
| 517 | ##### realm specific data to service AS/TGS requests. Additionally this object |
---|
| 518 | ##### contains some server specific data like pathnames and ports that the |
---|
| 519 | ##### server uses. This is the identity the kerberos server logs in with. A key |
---|
| 520 | ##### pair for the same is created and the kerberos server logs in with the same. |
---|
| 521 | ##### |
---|
| 522 | ##### krbKdcService, krbAdmService and krbPwdService derive from this class. |
---|
| 523 | |
---|
| 524 | objectclass ( 2.16.840.1.113719.1.301.6.3.1 |
---|
| 525 | NAME 'krbService' |
---|
| 526 | SUP top |
---|
| 527 | ABSTRACT |
---|
| 528 | MUST ( cn ) |
---|
| 529 | MAY ( krbHostServer $ krbRealmReferences ) ) |
---|
| 530 | |
---|
| 531 | |
---|
| 532 | ##### Representative object for the KDC server to bind into a LDAP directory |
---|
| 533 | ##### and have a connection to access Kerberos data with the required |
---|
| 534 | ##### access rights. |
---|
| 535 | |
---|
| 536 | objectclass ( 2.16.840.1.113719.1.301.6.4.1 |
---|
| 537 | NAME 'krbKdcService' |
---|
| 538 | SUP krbService |
---|
| 539 | STRUCTURAL ) |
---|
| 540 | |
---|
| 541 | |
---|
| 542 | ##### Representative object for the Kerberos Password server to bind into a LDAP directory |
---|
| 543 | ##### and have a connection to access Kerberos data with the required |
---|
| 544 | ##### access rights. |
---|
| 545 | |
---|
| 546 | objectclass ( 2.16.840.1.113719.1.301.6.5.1 |
---|
| 547 | NAME 'krbPwdService' |
---|
| 548 | SUP krbService |
---|
| 549 | STRUCTURAL ) |
---|
| 550 | |
---|
| 551 | |
---|
| 552 | ###### The principal data auxiliary class. Holds principal information |
---|
| 553 | ###### and is used to store principal information for Person, Service objects. |
---|
| 554 | |
---|
| 555 | objectclass ( 2.16.840.1.113719.1.301.6.8.1 |
---|
| 556 | NAME 'krbPrincipalAux' |
---|
| 557 | SUP top |
---|
| 558 | AUXILIARY |
---|
| 559 | MAY ( krbPrincipalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) ) |
---|
| 560 | |
---|
| 561 | |
---|
| 562 | ###### This class is used to create additional principals and stand alone principals. |
---|
| 563 | |
---|
| 564 | objectclass ( 2.16.840.1.113719.1.301.6.9.1 |
---|
| 565 | NAME 'krbPrincipal' |
---|
| 566 | SUP top |
---|
| 567 | MUST ( krbPrincipalName ) |
---|
| 568 | MAY ( krbObjectReferences ) ) |
---|
| 569 | |
---|
| 570 | |
---|
| 571 | ###### The principal references auxiliary class. Holds all principals referred |
---|
| 572 | ###### from a service |
---|
| 573 | |
---|
| 574 | objectclass ( 2.16.840.1.113719.1.301.6.11.1 |
---|
| 575 | NAME 'krbPrincRefAux' |
---|
| 576 | SUP top |
---|
| 577 | AUXILIARY |
---|
| 578 | MAY krbPrincipalReferences ) |
---|
| 579 | |
---|
| 580 | |
---|
| 581 | ##### Representative object for the Kerberos Administration server to bind into a LDAP directory |
---|
| 582 | ##### and have a connection Id to access Kerberos data with the required access rights. |
---|
| 583 | |
---|
| 584 | objectclass ( 2.16.840.1.113719.1.301.6.13.1 |
---|
| 585 | NAME 'krbAdmService' |
---|
| 586 | SUP krbService |
---|
| 587 | STRUCTURAL ) |
---|
| 588 | |
---|
| 589 | |
---|
| 590 | ##### The krbPwdPolicy object is a template password policy that |
---|
| 591 | ##### can be applied to principals when they are created. |
---|
| 592 | ##### These policy attributes will be in effect, when the Kerberos |
---|
| 593 | ##### passwords are different from users' passwords (UP). |
---|
| 594 | |
---|
| 595 | objectclass ( 2.16.840.1.113719.1.301.6.14.1 |
---|
| 596 | NAME 'krbPwdPolicy' |
---|
| 597 | SUP top |
---|
| 598 | MUST ( cn ) |
---|
| 599 | MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength ) ) |
---|
| 600 | |
---|
| 601 | |
---|
| 602 | ##### The krbTicketPolicyAux holds Kerberos ticket policy attributes. |
---|
| 603 | ##### This class can be attached to a principal object or realm object. |
---|
| 604 | |
---|
| 605 | objectclass ( 2.16.840.1.113719.1.301.6.16.1 |
---|
| 606 | NAME 'krbTicketPolicyAux' |
---|
| 607 | SUP top |
---|
| 608 | AUXILIARY |
---|
| 609 | MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) ) |
---|
| 610 | |
---|
| 611 | |
---|
| 612 | ##### The krbTicketPolicy object is an effective ticket policy that is associated with a realm or a principal |
---|
| 613 | |
---|
| 614 | objectclass ( 2.16.840.1.113719.1.301.6.17.1 |
---|
| 615 | NAME 'krbTicketPolicy' |
---|
| 616 | SUP top |
---|
| 617 | MUST ( cn ) ) |
---|
| 618 | |
---|