old_trunk/schema-extras/src/main/schema/krb5kdc.schema

# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
# 
#   http://www.apache.org/licenses/LICENSE-2.0
# 
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License. 

# $Id: krb5-kdc.schema,v 1.1 2004/03/22 17:25:05 quanah Exp $
# Definitions for a Kerberos V KDC schema

# OID Base is iso(1) org(3) dod(6) internet(1) private(4) enterprise(1) padl(5322) kdcSchema(10)
#
# Syntaxes are under 1.3.6.1.4.1.5322.10.0
# Attributes types are under 1.3.6.1.4.1.5322.10.1
# Object classes are under 1.3.6.1.4.1.5322.10.2

# Syntax definitions

#krb5KDCFlagsSyntax SYNTAX ::= {
#   WITH SYNTAX            INTEGER
#--        initial(0),             -- require as-req
#--        forwardable(1),         -- may issue forwardable
#--        proxiable(2),           -- may issue proxiable
#--        renewable(3),           -- may issue renewable
#--        postdate(4),            -- may issue postdatable
#--        server(5),              -- may be server
#--        client(6),              -- may be client
#--        invalid(7),             -- entry is invalid
#--        require-preauth(8),     -- must use preauth
#--        change-pw(9),           -- change password service
#--        require-hwauth(10),     -- must use hwauth
#--        ok-as-delegate(11),     -- as in TicketFlags
#--        user-to-user(12),       -- may use user-to-user auth
#--        immutable(13)           -- may not be deleted         
#   ID                     { 1.3.6.1.4.1.5322.10.0.1 }
#}

#krb5PrincipalNameSyntax SYNTAX ::= {
#   WITH SYNTAX            OCTET STRING
#-- String representations of distinguished names as per RFC1510
#   ID                     { 1.3.6.1.4.1.5322.10.0.2 }
#}

# Attribute type definitions
 
attributetype ( 1.3.6.1.4.1.5322.10.1.1
	NAME 'krb5PrincipalName'
	DESC 'The unparsed Kerberos principal name'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.5322.10.1.2
	NAME 'krb5KeyVersionNumber'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.5322.10.1.3
	NAME 'krb5MaxLife'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.5322.10.1.4
	NAME 'krb5MaxRenew'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.5322.10.1.5
	NAME 'krb5KDCFlags'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.5322.10.1.6
	NAME 'krb5EncryptionType'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.7
	NAME 'krb5ValidStart'
	EQUALITY generalizedTimeMatch
	ORDERING generalizedTimeOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.5322.10.1.8
	NAME 'krb5ValidEnd'
	EQUALITY generalizedTimeMatch
	ORDERING generalizedTimeOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.5322.10.1.9
	NAME 'krb5PasswordEnd'
	EQUALITY generalizedTimeMatch
	ORDERING generalizedTimeOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
	SINGLE-VALUE )

# this is temporary; keys will eventually
# be child entries or compound attributes.
attributetype ( 1.3.6.1.4.1.5322.10.1.10
	NAME 'krb5Key'
	DESC 'Encoded ASN1 Key as an octet string'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

attributetype ( 1.3.6.1.4.1.5322.10.1.11
	NAME 'krb5PrincipalRealm'
	DESC 'Distinguished name of krb5Realm entry'
	SUP distinguishedName )

attributetype ( 1.3.6.1.4.1.5322.10.1.12
	NAME 'krb5RealmName'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.5322.10.1.13
  NAME 'krb5AccountDisabled'
  EQUALITY booleanMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.5322.10.1.14
  NAME 'krb5AccountLockedOut'
  EQUALITY booleanMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.5322.10.1.15
  NAME 'krb5AccountExpirationTime'
  EQUALITY generalizedTimeMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )

# Object class definitions

objectclass ( 1.3.6.1.4.1.5322.10.2.1
	NAME 'krb5Principal'
	SUP top
	AUXILIARY
	MUST ( krb5PrincipalName )
	MAY ( cn $ krb5PrincipalRealm ) )

objectclass ( 1.3.6.1.4.1.5322.10.2.2
	NAME 'krb5KDCEntry'
	SUP krb5Principal
	AUXILIARY
	MUST ( krb5KeyVersionNumber )
	MAY ( krb5ValidStart $ krb5ValidEnd $ krb5PasswordEnd $
              krb5MaxLife $ krb5MaxRenew $ krb5KDCFlags $
              krb5EncryptionType $ krb5Key $ krb5AccountDisabled $
              krb5AccountLockedOut $ krb5AccountExpirationTime ) )

objectclass ( 1.3.6.1.4.1.5322.10.2.3
	NAME 'krb5Realm'
	SUP top
	AUXILIARY
	MUST ( krb5RealmName ) )