| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| |
| # $Id: krb5-kdc.schema,v 1.1 2004/03/22 17:25:05 quanah Exp $ |
| # Definitions for a Kerberos V KDC schema |
| |
| # OID Base is iso(1) org(3) dod(6) internet(1) private(4) enterprise(1) padl(5322) kdcSchema(10) |
| # |
| # Syntaxes are under 1.3.6.1.4.1.5322.10.0 |
| # Attributes types are under 1.3.6.1.4.1.5322.10.1 |
| # Object classes are under 1.3.6.1.4.1.5322.10.2 |
| |
| # Syntax definitions |
| |
| #krb5KDCFlagsSyntax SYNTAX ::= { |
| # WITH SYNTAX INTEGER |
| #-- initial(0), -- require as-req |
| #-- forwardable(1), -- may issue forwardable |
| #-- proxiable(2), -- may issue proxiable |
| #-- renewable(3), -- may issue renewable |
| #-- postdate(4), -- may issue postdatable |
| #-- server(5), -- may be server |
| #-- client(6), -- may be client |
| #-- invalid(7), -- entry is invalid |
| #-- require-preauth(8), -- must use preauth |
| #-- change-pw(9), -- change password service |
| #-- require-hwauth(10), -- must use hwauth |
| #-- ok-as-delegate(11), -- as in TicketFlags |
| #-- user-to-user(12), -- may use user-to-user auth |
| #-- immutable(13) -- may not be deleted |
| # ID { 1.3.6.1.4.1.5322.10.0.1 } |
| #} |
| |
| #krb5PrincipalNameSyntax SYNTAX ::= { |
| # WITH SYNTAX OCTET STRING |
| #-- String representations of distinguished names as per RFC1510 |
| # ID { 1.3.6.1.4.1.5322.10.0.2 } |
| #} |
| |
| # Attribute type definitions |
| |
| attributetype ( 1.3.6.1.4.1.5322.10.1.1 |
| NAME 'krb5PrincipalName' |
| DESC 'The unparsed Kerberos principal name' |
| EQUALITY caseExactIA5Match |
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 |
| SINGLE-VALUE ) |
| |
| attributetype ( 1.3.6.1.4.1.5322.10.1.2 |
| NAME 'krb5KeyVersionNumber' |
| EQUALITY integerMatch |
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
| SINGLE-VALUE ) |
| |
| attributetype ( 1.3.6.1.4.1.5322.10.1.3 |
| NAME 'krb5MaxLife' |
| EQUALITY integerMatch |
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
| SINGLE-VALUE ) |
| |
| attributetype ( 1.3.6.1.4.1.5322.10.1.4 |
| NAME 'krb5MaxRenew' |
| EQUALITY integerMatch |
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
| SINGLE-VALUE ) |
| |
| attributetype ( 1.3.6.1.4.1.5322.10.1.5 |
| NAME 'krb5KDCFlags' |
| EQUALITY integerMatch |
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
| SINGLE-VALUE ) |
| |
| attributetype ( 1.3.6.1.4.1.5322.10.1.6 |
| NAME 'krb5EncryptionType' |
| EQUALITY integerMatch |
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) |
| |
| attributetype ( 1.3.6.1.4.1.5322.10.1.7 |
| NAME 'krb5ValidStart' |
| EQUALITY generalizedTimeMatch |
| ORDERING generalizedTimeOrderingMatch |
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 |
| SINGLE-VALUE ) |
| |
| attributetype ( 1.3.6.1.4.1.5322.10.1.8 |
| NAME 'krb5ValidEnd' |
| EQUALITY generalizedTimeMatch |
| ORDERING generalizedTimeOrderingMatch |
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 |
| SINGLE-VALUE ) |
| |
| attributetype ( 1.3.6.1.4.1.5322.10.1.9 |
| NAME 'krb5PasswordEnd' |
| EQUALITY generalizedTimeMatch |
| ORDERING generalizedTimeOrderingMatch |
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 |
| SINGLE-VALUE ) |
| |
| # this is temporary; keys will eventually |
| # be child entries or compound attributes. |
| attributetype ( 1.3.6.1.4.1.5322.10.1.10 |
| NAME 'krb5Key' |
| DESC 'Encoded ASN1 Key as an octet string' |
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 ) |
| |
| attributetype ( 1.3.6.1.4.1.5322.10.1.11 |
| NAME 'krb5PrincipalRealm' |
| DESC 'Distinguished name of krb5Realm entry' |
| SUP distinguishedName ) |
| |
| attributetype ( 1.3.6.1.4.1.5322.10.1.12 |
| NAME 'krb5RealmName' |
| EQUALITY caseExactIA5Match |
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
| |
| attributetype ( 1.3.6.1.4.1.5322.10.1.13 |
| NAME 'krb5AccountDisabled' |
| EQUALITY booleanMatch |
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) |
| |
| attributetype ( 1.3.6.1.4.1.5322.10.1.14 |
| NAME 'krb5AccountLockedOut' |
| EQUALITY booleanMatch |
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) |
| |
| attributetype ( 1.3.6.1.4.1.5322.10.1.15 |
| NAME 'krb5AccountExpirationTime' |
| EQUALITY generalizedTimeMatch |
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) |
| |
| # Object class definitions |
| |
| objectclass ( 1.3.6.1.4.1.5322.10.2.1 |
| NAME 'krb5Principal' |
| SUP top |
| AUXILIARY |
| MUST ( krb5PrincipalName ) |
| MAY ( cn $ krb5PrincipalRealm ) ) |
| |
| objectclass ( 1.3.6.1.4.1.5322.10.2.2 |
| NAME 'krb5KDCEntry' |
| SUP krb5Principal |
| AUXILIARY |
| MUST ( krb5KeyVersionNumber ) |
| MAY ( krb5ValidStart $ krb5ValidEnd $ krb5PasswordEnd $ |
| krb5MaxLife $ krb5MaxRenew $ krb5KDCFlags $ |
| krb5EncryptionType $ krb5Key $ krb5AccountDisabled $ |
| krb5AccountLockedOut $ krb5AccountExpirationTime ) ) |
| |
| objectclass ( 1.3.6.1.4.1.5322.10.2.3 |
| NAME 'krb5Realm' |
| SUP top |
| AUXILIARY |
| MUST ( krb5RealmName ) ) |
| |