# ===========================================================================
# MIT Kerberos LDAP Schema (reduced, locally maintained variant)
#
# This schema enables storing Kerberos principals in OpenLDAP.
# It is loaded by default but remains DORMANT until Kerberos is enabled.
#
# OID Base: 2.16.840.1.113719.1.301
#
# When Kerberos is enabled:
#   1. krbPrincipalAux objectClass is added to user entries
#   2. MIT KDC is deployed with LDAP backend
#   3. Principals are created via kadmin
#
# Derived from: MIT Kerberos source code
#   (src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema)
# Reference: https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html
#
# NOTE(review): this file is NOT a verbatim copy of the upstream schema. It is
# a subset, and several OIDs under the shared 2.16.840.1.113719.1.301 arc are
# assigned to different names than upstream uses (e.g. upstream's ...6.1.1 is
# krbContainer, not krbRealmContainer), krbPrincipalName is SINGLE-VALUE here
# while upstream allows multiple values, and attributes the upstream KDB LDAP
# plugin relies on (krbMKey, krbPwdHistory, krbContainer, krbKdcService, ...)
# are not defined here. Because slapd refuses to load a second definition for
# an already-registered OID, loading this file AND the upstream kerberos.schema
# on the same server will fail, and an MIT KDC pointed at this schema alone is
# unlikely to find the entries it expects. Confirm against the upstream file
# before step 2 above is attempted.
#
# SECURITY: slapd access control is not part of a schema file and must be
# configured separately, and it must be in place from the moment this schema
# is loaded -- not when Kerberos is "enabled" -- because a dormant attribute
# can still be written by any DN that has modify rights on user entries
# (including self-service writes), pre-seeding values the KDC will trust later.
#   - krbPrincipalKey is the principal's key material ("managed by KDC" below)
#     and krbExtraData is opaque KDC state: grant read/write ONLY to the KDC /
#     kadmin bind DN, deny to self and to everyone else.
#   - Write access to krbPrincipalName, krbAllowedToDelegateTo (S4U2Proxy
#     targets), krbTicketFlags, krbPrincipalExpiration, krbPasswordExpiration,
#     krbTicketPolicyReference and krbPwdPolicyReference amounts to control of
#     the principal (renaming it, granting delegation, removing expiry, or
#     pointing it at a weaker policy object). Restrict to the KDC/kadmin DN.
#   - krbLastFailedAuth / krbLoginFailedCount feed lockout (krbPwdMaxFailure):
#     if users can write them, an attacker can reset their own failure count.
#   - krbRealmContainer.krbSubTrees / krbPrincContainerRef / krbSearchScope
#     tell the KDC where principals live; write access to the realm container
#     lets an attacker make the KDC read principals from a subtree they control.
#   - Every krbPwdPolicy attribute is MAY, so an empty policy object enforces
#     nothing; presumably the KDC falls back to built-in defaults -- confirm,
#     and populate the policy explicitly rather than relying on that.
#
# Dependencies:
#   - core.schema (provides 'cn' used by the container classes below)
# ===========================================================================

# ---------------------------------------------------------------------------
# Attribute Types
# ---------------------------------------------------------------------------

# caseExact matching is deliberate: Kerberos principal names are case
# sensitive, so 'Alice@REALM' and 'alice@REALM' are distinct principals.
# Do not relax this to caseIgnore* -- that would let two distinct principals
# collide in lookups.
attributetype ( 2.16.840.1.113719.1.301.4.1.1
    NAME 'krbPrincipalName'
    DESC 'Kerberos principal name (e.g., user@REALM)'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE )

# Sensitive: key material written and read only by the KDC. Multi-valued
# (one value per key version / enctype). See SECURITY note in the header.
attributetype ( 2.16.840.1.113719.1.301.4.2.1
    NAME 'krbPrincipalKey'
    DESC 'Kerberos principal key data (managed by KDC)'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

# DN pointer to a krbTicketPolicy entry. Whoever can write this can select
# the policy (and thus ticket lifetimes/flags) applied to the principal.
attributetype ( 2.16.840.1.113719.1.301.4.3.1
    NAME 'krbTicketPolicyReference'
    DESC 'DN of ticket policy'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    SINGLE-VALUE )

# GeneralizedTime with ORDERING so expiry can be queried with >= / <= filters
# (e.g. to find principals that are about to expire).
attributetype ( 2.16.840.1.113719.1.301.4.4.1
    NAME 'krbPrincipalExpiration'
    DESC 'Principal expiration time'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
    SINGLE-VALUE )

attributetype ( 2.16.840.1.113719.1.301.4.5.1
    NAME 'krbPasswordExpiration'
    DESC 'Password expiration time'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
    SINGLE-VALUE )

# Integer seconds; may appear on a principal, a krbTicketPolicy, or the
# realm container (see the object classes below).
attributetype ( 2.16.840.1.113719.1.301.4.6.1
    NAME 'krbMaxTicketLife'
    DESC 'Maximum ticket lifetime in seconds'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributetype ( 2.16.840.1.113719.1.301.4.7.1
    NAME 'krbMaxRenewableLife'
    DESC 'Maximum renewable ticket lifetime in seconds'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

# Bitmask of KDC ticket flags (e.g. requires-preauth, disallow-forwardable).
# The bit meanings are defined by the KDC, not by this schema -- write access
# to this value is security-relevant (see header).
attributetype ( 2.16.840.1.113719.1.301.4.8.1
    NAME 'krbTicketFlags'
    DESC 'Kerberos ticket flags'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

# Integer enumeration defined by the KDC (presumably the krb5 name-type
# constants) -- confirm against the KDC before interpreting values.
attributetype ( 2.16.840.1.113719.1.301.4.9.1
    NAME 'krbPrincipalType'
    DESC 'Kerberos principal type'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

# DN pointer to a krbPwdPolicy entry; same write-access concern as
# krbTicketPolicyReference.
attributetype ( 2.16.840.1.113719.1.301.4.10.1
    NAME 'krbPwdPolicyReference'
    DESC 'DN of password policy'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    SINGLE-VALUE )

# Multi-valued DN list.
attributetype ( 2.16.840.1.113719.1.301.4.11.1
    NAME 'krbPrincipalReferences'
    DESC 'DN of associated principal entries'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

# The three timestamps below plus krbLoginFailedCount are the KDC's
# authentication bookkeeping. They are useful for detection (brute-force,
# dormant-account review) -- consider replicating/auditing them -- but must be
# writable by the KDC only.
attributetype ( 2.16.840.1.113719.1.301.4.12.1
    NAME 'krbLastPwdChange'
    DESC 'Time of last password change'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
    SINGLE-VALUE )

attributetype ( 2.16.840.1.113719.1.301.4.13.1
    NAME 'krbLastSuccessfulAuth'
    DESC 'Time of last successful authentication'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
    SINGLE-VALUE )

attributetype ( 2.16.840.1.113719.1.301.4.14.1
    NAME 'krbLastFailedAuth'
    DESC 'Time of last failed authentication'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
    SINGLE-VALUE )

# Compared against krbPwdMaxFailure on the referenced krbPwdPolicy to decide
# lockout. User-writable => lockout is bypassable.
attributetype ( 2.16.840.1.113719.1.301.4.15.1
    NAME 'krbLoginFailedCount'
    DESC 'Number of consecutive failed login attempts'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

# Opaque KDC-internal blobs (multi-valued octet strings); treat with the same
# access restrictions as krbPrincipalKey.
attributetype ( 2.16.840.1.113719.1.301.4.16.1
    NAME 'krbExtraData'
    DESC 'Extra data for Kerberos'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

# Constrained-delegation (S4U2Proxy) target list. Adding a value here lets the
# owning service obtain tickets to the named service on behalf of arbitrary
# users; this is the classic delegation-abuse path and must be admin-only.
attributetype ( 2.16.840.1.113719.1.301.4.17.1
    NAME 'krbAllowedToDelegateTo'
    DESC 'Services this principal can delegate to (S4U2Proxy)'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# ---------------------------------------------------------------------------
# Realm Container Attributes
# ---------------------------------------------------------------------------

# Subtrees the KDC searches for principal entries. Controls WHICH entries the
# KDC will accept as principals -- keep the realm container admin-only.
attributetype ( 2.16.840.1.113719.1.301.4.20.1
    NAME 'krbSubTrees'
    DESC 'DNs of subtrees containing principals'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

attributetype ( 2.16.840.1.113719.1.301.4.21.1
    NAME 'krbSearchScope'
    DESC 'Search scope for principals (0=base, 1=one, 2=sub)'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

# Where kadmin creates new standalone principal entries (multi-valued DN).
attributetype ( 2.16.840.1.113719.1.301.4.22.1
    NAME 'krbPrincContainerRef'
    DESC 'DN of principal container'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

# Password-policy knobs. Units for the *Life / *Interval / *Duration values
# are seconds where the DESC says so; krbMaxPwdLife / krbMinPwdLife do not
# state a unit -- assumed seconds for consistency, confirm against the KDC.
attributetype ( 2.16.840.1.113719.1.301.4.23.1
    NAME 'krbMaxPwdLife'
    DESC 'Maximum password lifetime in realm'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributetype ( 2.16.840.1.113719.1.301.4.24.1
    NAME 'krbMinPwdLife'
    DESC 'Minimum password lifetime in realm'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributetype ( 2.16.840.1.113719.1.301.4.25.1
    NAME 'krbPwdMinDiffChars'
    DESC 'Minimum number of character classes in password'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributetype ( 2.16.840.1.113719.1.301.4.26.1
    NAME 'krbPwdMinLength'
    DESC 'Minimum password length'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

# Note: this schema defines the history LENGTH but no attribute to hold the
# history itself; if reuse prevention is required, confirm where the KDC is
# expected to store previous password hashes.
attributetype ( 2.16.840.1.113719.1.301.4.27.1
    NAME 'krbPwdHistoryLength'
    DESC 'Number of passwords to keep in history'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

# Lockout tuple: lock after krbPwdMaxFailure failures within
# krbPwdFailureCountInterval seconds, for krbPwdLockoutDuration seconds.
attributetype ( 2.16.840.1.113719.1.301.4.28.1
    NAME 'krbPwdMaxFailure'
    DESC 'Maximum password failures before lockout'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributetype ( 2.16.840.1.113719.1.301.4.29.1
    NAME 'krbPwdFailureCountInterval'
    DESC 'Failure count reset interval in seconds'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributetype ( 2.16.840.1.113719.1.301.4.30.1
    NAME 'krbPwdLockoutDuration'
    DESC 'Lockout duration in seconds'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

# ---------------------------------------------------------------------------
# Object Classes
# ---------------------------------------------------------------------------

# Auxiliary class for adding Kerberos attributes to user entries.
# This is what gets added to users when the Kerberos premium feature is
# enabled. Everything is MAY, so an entry can carry the class with no
# principal name at all; the KDC, not the schema, decides what it requires.
# Adding this class to an entry is itself a privileged operation (it exposes
# the sensitive attributes listed in the header) -- gate it via ACL on
# objectClass writes.
objectclass ( 2.16.840.1.113719.1.301.6.8.1
    NAME 'krbPrincipalAux'
    DESC 'Auxiliary class for Kerberos principal attributes'
    SUP top AUXILIARY
    MAY ( krbPrincipalName $ krbPrincipalKey $ krbTicketPolicyReference $
          krbPrincipalExpiration $ krbPasswordExpiration $ krbMaxTicketLife $
          krbMaxRenewableLife $ krbTicketFlags $ krbPrincipalType $
          krbPwdPolicyReference $ krbPrincipalReferences $ krbLastPwdChange $
          krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $
          krbExtraData $ krbAllowedToDelegateTo ) )

# Structural class for standalone principal entries (less common), e.g.
# service principals that have no corresponding user entry. Same MAY set as
# krbPrincipalAux minus the (now mandatory) krbPrincipalName.
objectclass ( 2.16.840.1.113719.1.301.6.9.1
    NAME 'krbPrincipal'
    DESC 'Structural class for Kerberos principals'
    SUP top STRUCTURAL
    MUST krbPrincipalName
    MAY ( krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $
          krbPasswordExpiration $ krbMaxTicketLife $ krbMaxRenewableLife $
          krbTicketFlags $ krbPrincipalType $ krbPwdPolicyReference $
          krbPrincipalReferences $ krbLastPwdChange $ krbLastSuccessfulAuth $
          krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $
          krbAllowedToDelegateTo ) )

# Container for a Kerberos realm. Holds the search configuration the KDC
# uses to locate principals plus realm-wide ticket defaults. Admin-only (see
# header); this entry is the trust anchor for "what is a principal".
objectclass ( 2.16.840.1.113719.1.301.6.1.1
    NAME 'krbRealmContainer'
    DESC 'Container for Kerberos realm'
    SUP top STRUCTURAL
    MUST cn
    MAY ( krbSubTrees $ krbSearchScope $ krbPrincContainerRef $
          krbMaxTicketLife $ krbMaxRenewableLife $ krbTicketFlags ) )

# Ticket policy object, referenced from principals via
# krbTicketPolicyReference.
objectclass ( 2.16.840.1.113719.1.301.6.2.1
    NAME 'krbTicketPolicy'
    DESC 'Kerberos ticket policy'
    SUP top STRUCTURAL
    MUST cn
    MAY ( krbMaxTicketLife $ krbMaxRenewableLife $ krbTicketFlags ) )

# Password policy object, referenced from principals via
# krbPwdPolicyReference. All knobs are optional -- populate them explicitly.
objectclass ( 2.16.840.1.113719.1.301.6.3.1
    NAME 'krbPwdPolicy'
    DESC 'Kerberos password policy'
    SUP top STRUCTURAL
    MUST cn
    MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $
          krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $
          krbPwdFailureCountInterval $ krbPwdLockoutDuration ) )

# Service principal entry: a krbPrincipal specialisation that adds no
# attributes of its own (it inherits MUST krbPrincipalName and the MAY set).
# Service entries usually carry krbPrincipalKey and krbAllowedToDelegateTo,
# so apply the strictest ACLs here.
objectclass ( 2.16.840.1.113719.1.301.6.4.1
    NAME 'krbService'
    DESC 'Kerberos service'
    SUP krbPrincipal STRUCTURAL )