| |
@@ -0,0 +1,353 @@
|
| |
+ # New and improved RFC 2307 schema that is forward compatable between
|
| |
+ # rfc2307 and rfc2307bis (aka RFC 2307 compat)
|
| |
+ # "An Approach for Using LDAP as a Network Information Service"
|
| |
+ #
|
| |
+ dn: cn=schema
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.0 NAME 'uidNumber'
|
| |
+ DESC 'An integer uniquely identifying a user in an administrative domain'
|
| |
+ EQUALITY integerMatch
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
| |
+ SINGLE-VALUE
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.1 NAME 'gidNumber'
|
| |
+ DESC 'An integer uniquely identifying a group in an
|
| |
+ administrative domain'
|
| |
+ EQUALITY integerMatch
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
| |
+ SINGLE-VALUE
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.2 NAME 'gecos'
|
| |
+ DESC 'The GECOS field; the common name'
|
| |
+ EQUALITY caseIgnoreIA5Match
|
| |
+ SUBSTR caseIgnoreIA5SubstringsMatch
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
| |
+ SINGLE-VALUE
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
|
| |
+ DESC 'The absolute path to the home directory'
|
| |
+ EQUALITY caseExactIA5Match
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
| |
+ SINGLE-VALUE
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.4 NAME 'loginShell'
|
| |
+ DESC 'The path to the login shell'
|
| |
+ EQUALITY caseExactIA5Match
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
| |
+ SINGLE-VALUE
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.5 NAME 'shadowLastChange'
|
| |
+ EQUALITY integerMatch
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
| |
+ SINGLE-VALUE
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.6 NAME 'shadowMin'
|
| |
+ EQUALITY integerMatch
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
| |
+ SINGLE-VALUE
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.7 NAME 'shadowMax'
|
| |
+ EQUALITY integerMatch
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
| |
+ SINGLE-VALUE
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.8 NAME 'shadowWarning'
|
| |
+ EQUALITY integerMatch
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
| |
+ SINGLE-VALUE
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.9 NAME 'shadowInactive'
|
| |
+ EQUALITY integerMatch
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
| |
+ SINGLE-VALUE
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
|
| |
+ EQUALITY integerMatch
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
| |
+ SINGLE-VALUE
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.11 NAME 'shadowFlag'
|
| |
+ EQUALITY integerMatch
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
| |
+ SINGLE-VALUE
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.12 NAME 'memberUid'
|
| |
+ EQUALITY caseExactIA5Match
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup'
|
| |
+ EQUALITY caseExactIA5Match
|
| |
+ SUBSTR caseExactIA5SubstringsMatch
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
|
| |
+ DESC 'Netgroup triple'
|
| |
+ EQUALITY caseIgnoreIA5Match
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.15 NAME 'ipServicePort'
|
| |
+ DESC 'Service port number'
|
| |
+ EQUALITY integerMatch
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
| |
+ SINGLE-VALUE
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol'
|
| |
+ DESC 'Service protocol name'
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber'
|
| |
+ DESC 'IP protocol number'
|
| |
+ EQUALITY integerMatch
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
| |
+ SINGLE-VALUE
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber'
|
| |
+ DESC 'ONC RPC number'
|
| |
+ EQUALITY integerMatch
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
| |
+ SINGLE-VALUE
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.19 NAME 'ipHostNumber'
|
| |
+ DESC 'IPv4 addresses as a dotted decimal omitting leading
|
| |
+ zeros or IPv6 addresses as defined in RFC2373'
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber'
|
| |
+ DESC 'IP network as a dotted decimal, eg. 192.168,
|
| |
+ omitting leading zeros'
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
| |
+ SINGLE-VALUE
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber'
|
| |
+ DESC 'IP netmask as a dotted decimal, eg. 255.255.255.0,
|
| |
+ omitting leading zeros'
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
| |
+ SINGLE-VALUE
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.22 NAME 'macAddress'
|
| |
+ DESC 'MAC address in maximal, colon separated hex
|
| |
+ notation, eg. 00:00:92:90:ee:e2'
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.23 NAME 'bootParameter'
|
| |
+ DESC 'rpc.bootparamd parameter'
|
| |
+ EQUALITY caseExactIA5Match
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.24 NAME 'bootFile'
|
| |
+ DESC 'Boot image name'
|
| |
+ EQUALITY caseExactIA5Match
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.26 NAME 'nisMapName'
|
| |
+ DESC 'Name of a A generic NIS map'
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.27 NAME 'nisMapEntry'
|
| |
+ DESC 'A generic NIS entry'
|
| |
+ EQUALITY caseExactIA5Match
|
| |
+ SUBSTR caseExactIA5SubstringsMatch
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
| |
+ SINGLE-VALUE
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.28 NAME 'nisPublicKey'
|
| |
+ DESC 'NIS public key'
|
| |
+ EQUALITY octetStringMatch
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
|
| |
+ SINGLE-VALUE
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.29 NAME 'nisSecretKey'
|
| |
+ DESC 'NIS secret key'
|
| |
+ EQUALITY octetStringMatch
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
|
| |
+ SINGLE-VALUE
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.30 NAME 'nisDomain'
|
| |
+ DESC 'NIS domain'
|
| |
+ EQUALITY caseIgnoreIA5Match
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.31 NAME 'automountMapName'
|
| |
+ DESC 'automount Map Name'
|
| |
+ EQUALITY caseExactIA5Match
|
| |
+ SUBSTR caseExactIA5SubstringsMatch
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
| |
+ SINGLE-VALUE
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.32 NAME 'automountKey'
|
| |
+ DESC 'Automount Key value'
|
| |
+ EQUALITY caseExactIA5Match
|
| |
+ SUBSTR caseExactIA5SubstringsMatch
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
| |
+ SINGLE-VALUE
|
| |
+ )
|
| |
+ attributeTypes: (
|
| |
+ 1.3.6.1.1.1.1.33 NAME 'automountInformation'
|
| |
+ DESC 'Automount information'
|
| |
+ EQUALITY caseExactIA5Match
|
| |
+ SUBSTR caseExactIA5SubstringsMatch
|
| |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
| |
+ SINGLE-VALUE
|
| |
+ )
|
| |
+ # end of attribute types - beginning of objectclasses
|
| |
+ objectClasses: (
|
| |
+ 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
|
| |
+ DESC 'Abstraction of an account with POSIX attributes'
|
| |
+ MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
|
| |
+ MAY ( userPassword $ loginShell $ gecos $
|
| |
+ description )
|
| |
+ )
|
| |
+ objectClasses: (
|
| |
+ 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY
|
| |
+ DESC 'Additional attributes for shadow passwords'
|
| |
+ MUST uid
|
| |
+ MAY ( userPassword $ description $
|
| |
+ shadowLastChange $ shadowMin $ shadowMax $
|
| |
+ shadowWarning $ shadowInactive $
|
| |
+ shadowExpire $ shadowFlag )
|
| |
+ )
|
| |
+ objectClasses: (
|
| |
+ 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY
|
| |
+ DESC 'Abstraction of a group of accounts. Change from
|
| |
+ rfc2307bis -> +MAY cn'
|
| |
+ MUST gidNumber
|
| |
+ MAY ( cn $ userPassword $ memberUid $
|
| |
+ description )
|
| |
+ )
|
| |
+ objectClasses: (
|
| |
+ 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL
|
| |
+ DESC 'Abstraction an Internet Protocol service.
|
| |
+ Maps an IP port and protocol (such as tcp or udp)
|
| |
+ to one or more names; the distinguished value of
|
| |
+ the cn attribute denotes the services canonical
|
| |
+ name'
|
| |
+ MUST ( cn $ ipServicePort $ ipServiceProtocol )
|
| |
+ MAY description
|
| |
+ )
|
| |
+ objectClasses: (
|
| |
+ 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL
|
| |
+ DESC 'Abstraction of an IP protocol. Maps a protocol number
|
| |
+ to one or more names. The distinguished value of the cn
|
| |
+ attribute denotes the protocols canonical name'
|
| |
+ MUST ( cn $ ipProtocolNumber )
|
| |
+ MAY description
|
| |
+ )
|
| |
+ objectClasses: (
|
| |
+ 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL
|
| |
+ DESC 'Abstraction of an Open Network Computing (ONC)
|
| |
+ [RFC1057] Remote Procedure Call (RPC) binding.
|
| |
+ This class maps an ONC RPC number to a name.
|
| |
+ The distinguished value of the cn attribute denotes
|
| |
+ the RPC services canonical name'
|
| |
+ MUST ( cn $ oncRpcNumber )
|
| |
+ MAY description
|
| |
+ )
|
| |
+ objectClasses: (
|
| |
+ 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY
|
| |
+ DESC 'Abstraction of a host, an IP device. The distinguished
|
| |
+ value of the cn attribute denotes the hosts canonical
|
| |
+ name. Device SHOULD be used as a structural class.
|
| |
+ Change from rfc2307bis -> +MAY o $ ou $ owner $ seeAlso
|
| |
+ $ serialNumber'
|
| |
+ MUST ( cn $ ipHostNumber )
|
| |
+ MAY ( userPassword $ l $ description $ manager $ o $ ou $ owner $ seeAlso $ serialNumber )
|
| |
+ )
|
| |
+ objectClasses: (
|
| |
+ 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL
|
| |
+ DESC 'Abstraction of a network. The distinguished value of
|
| |
+ the cn attribute denotes the networks canonical name'
|
| |
+ MUST ipNetworkNumber
|
| |
+ MAY ( cn $ ipNetmaskNumber $ l $ description $ manager )
|
| |
+ )
|
| |
+ objectClasses: (
|
| |
+ 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL
|
| |
+ DESC 'Abstraction of a netgroup. May refer to other netgroups'
|
| |
+ MUST cn
|
| |
+ MAY ( nisNetgroupTriple $ memberNisNetgroup $ description )
|
| |
+ )
|
| |
+ objectClasses: (
|
| |
+ 1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL
|
| |
+ DESC 'A generic abstraction of a NIS map'
|
| |
+ MUST nisMapName
|
| |
+ MAY description
|
| |
+ )
|
| |
+ objectClasses: (
|
| |
+ 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL
|
| |
+ DESC 'An entry in a NIS map'
|
| |
+ MUST ( cn $ nisMapEntry $ nisMapName )
|
| |
+ MAY description
|
| |
+ )
|
| |
+ objectClasses: (
|
| |
+ 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY
|
| |
+ DESC 'A device with a MAC address; device SHOULD be
|
| |
+ used as a structural class. Change from rfc2307bis
|
| |
+ -> +MAY cn $ description $ l $ o $ ou $ owner $
|
| |
+ seeAlso $ serialNumber'
|
| |
+ MAY ( macAddress $ cn $ description $ l $ o $ ou $ owner $ seeAlso $ serialNumber )
|
| |
+ )
|
| |
+ objectClasses: (
|
| |
+ 1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY
|
| |
+ DESC 'A device with boot parameters; device SHOULD be
|
| |
+ used as a structural class. Change from rfc2307bis
|
| |
+ -> +MAY cn $ description $ l $ o $ ou $ owner $
|
| |
+ seeAlso $ serialNumber'
|
| |
+ MAY ( bootFile $ bootParameter $ cn $ description $ l $ o $ ou $ owner $ seeAlso $ serialNumber )
|
| |
+ )
|
| |
+ objectClasses: (
|
| |
+ 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY
|
| |
+ DESC 'An object with a public and secret key'
|
| |
+ MUST ( cn $ nisPublicKey $ nisSecretKey )
|
| |
+ MAY ( uidNumber $ description )
|
| |
+ )
|
| |
+ objectClasses: (
|
| |
+ 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY
|
| |
+ DESC 'Associates a NIS domain with a naming context'
|
| |
+ MUST nisDomain
|
| |
+ )
|
| |
+ objectClasses: (
|
| |
+ 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL
|
| |
+ MUST ( automountMapName )
|
| |
+ MAY description
|
| |
+ )
|
| |
+ objectClasses: (
|
| |
+ 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL
|
| |
+ DESC 'Automount information'
|
| |
+ MUST ( automountKey $ automountInformation )
|
| |
+ MAY description
|
| |
+ )
|
| |
+ ## namedObject is needed for groups without members
|
| |
+ objectClasses: (
|
| |
+ 1.3.6.1.4.1.5322.13.1.1 NAME 'namedObject' SUP top STRUCTURAL
|
| |
+ MAY cn
|
| |
+ )
|
| |
Bug Description: rfc2307 is the original schema for posix and other related
attributes. rfc2307bis was a draft propsed by a member of the openldap team
that fixed a number of deficiencies in rfc2307. However, rfc2307bis is not
completely forward compatible - replacing them may introduce possible data
errors or other subtle issues.
In the interest of allowing easier openldap to 389 migrations
( https://pagure.io/389-ds-base/issue/50544 ) I propose a rfc2307compat,
which is a forward compatible version combining rfc2307 and rfc2307bis. This
would allow items from both to be considered "valid' without changing the
semantics of either.
Fix Description: This adds rfc2307compat.ldif, which is a forward compatabile
expression of both rfc2307 and rfc2307bis, with the knowledge that 389 ds
does not enforce structural/auxillary rules.
https://pagure.io/389-ds-base/issue/50933
Author: William Brown william@blackhats.net.au
Review by: ???