341 lines
11 KiB
Plaintext
341 lines
11 KiB
Plaintext
# ===========================================================================
|
|
# RFC2307bis Schema
|
|
#
|
|
# This schema provides POSIX account and group support with the critical
|
|
# difference from RFC2307 (nis.schema) that posixGroup is AUXILIARY,
|
|
# allowing it to be combined with groupOfNames/groupOfMembers for
|
|
# proper memberOf overlay support.
|
|
#
|
|
# Source: https://github.com/jtyr/rfc2307bis
|
|
# See also: https://tools.ietf.org/html/draft-howard-rfc2307bis-02
|
|
#
|
|
# Key differences from nis.schema (RFC2307):
|
|
# - posixGroup is AUXILIARY (not STRUCTURAL)
|
|
# - Allows combining with groupOfNames/groupOfMembers
|
|
# - memberOf overlay works correctly
|
|
# - Empty groups are allowed
|
|
#
|
|
# Dependencies:
|
|
# - core.schema
|
|
# - cosine.schema
|
|
#
|
|
# DO NOT load nis.schema alongside this schema - they conflict!
|
|
#
|
|
# NOTE: On Alpine Linux, uidNumber and gidNumber are built-in to OpenLDAP
|
|
# and must NOT be redefined. They are commented out below.
|
|
# ===========================================================================
|
|
|
|
# Attribute types from RFC 2307
|
|
|
|
# uidNumber is built-in on Alpine Linux OpenLDAP
|
|
#attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
|
|
# DESC 'An integer uniquely identifying a user in an administrative domain'
|
|
# EQUALITY integerMatch
|
|
# ORDERING integerOrderingMatch
|
|
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
|
# SINGLE-VALUE )
|
|
|
|
# gidNumber is built-in on Alpine Linux OpenLDAP
|
|
#attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber'
|
|
# DESC 'An integer uniquely identifying a group in an administrative domain'
|
|
# EQUALITY integerMatch
|
|
# ORDERING integerOrderingMatch
|
|
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
|
# SINGLE-VALUE )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.2 NAME 'gecos'
|
|
DESC 'The GECOS field; the common name'
|
|
EQUALITY caseIgnoreMatch
|
|
SUBSTR caseIgnoreSubstringsMatch
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|
SINGLE-VALUE )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
|
|
DESC 'The absolute path to the home directory'
|
|
EQUALITY caseExactIA5Match
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
|
SINGLE-VALUE )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.4 NAME 'loginShell'
|
|
DESC 'The path to the login shell'
|
|
EQUALITY caseExactIA5Match
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
|
SINGLE-VALUE )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange'
|
|
EQUALITY integerMatch
|
|
ORDERING integerOrderingMatch
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
|
SINGLE-VALUE )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.6 NAME 'shadowMin'
|
|
EQUALITY integerMatch
|
|
ORDERING integerOrderingMatch
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
|
SINGLE-VALUE )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.7 NAME 'shadowMax'
|
|
EQUALITY integerMatch
|
|
ORDERING integerOrderingMatch
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
|
SINGLE-VALUE )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning'
|
|
EQUALITY integerMatch
|
|
ORDERING integerOrderingMatch
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
|
SINGLE-VALUE )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive'
|
|
EQUALITY integerMatch
|
|
ORDERING integerOrderingMatch
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
|
SINGLE-VALUE )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
|
|
EQUALITY integerMatch
|
|
ORDERING integerOrderingMatch
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
|
SINGLE-VALUE )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag'
|
|
EQUALITY integerMatch
|
|
ORDERING integerOrderingMatch
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
|
SINGLE-VALUE )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
|
|
DESC 'Member UID - for backwards compatibility with RFC2307'
|
|
EQUALITY caseExactMatch
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup'
|
|
EQUALITY caseExactMatch
|
|
SUBSTR caseExactSubstringsMatch
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
|
|
DESC 'Netgroup triple'
|
|
EQUALITY caseIgnoreMatch
|
|
SUBSTR caseIgnoreSubstringsMatch
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort'
|
|
DESC 'Service port number'
|
|
EQUALITY integerMatch
|
|
ORDERING integerOrderingMatch
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
|
SINGLE-VALUE )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol'
|
|
DESC 'Service protocol name'
|
|
SUP name )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber'
|
|
DESC 'IP protocol number'
|
|
EQUALITY integerMatch
|
|
ORDERING integerOrderingMatch
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
|
SINGLE-VALUE )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber'
|
|
DESC 'ONC RPC number'
|
|
EQUALITY integerMatch
|
|
ORDERING integerOrderingMatch
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
|
SINGLE-VALUE )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber'
|
|
DESC 'IPv4 addresses as a dotted decimal omitting leading zeros or IPv6 addresses as defined in RFC 4291'
|
|
SUP name )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber'
|
|
DESC 'IP network omitting leading zeros, eg. 192.168'
|
|
SUP name
|
|
SINGLE-VALUE )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber'
|
|
DESC 'IP netmask omitting leading zeros, eg. 255.255.255.0'
|
|
EQUALITY caseIgnoreIA5Match
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
|
SINGLE-VALUE )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.22 NAME 'macAddress'
|
|
DESC 'MAC address in maximal, colon separated hex notation, eg. 00:00:92:90:ee:e2'
|
|
EQUALITY caseIgnoreIA5Match
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.23 NAME 'bootParameter'
|
|
DESC 'rpc.bootparamd parameter'
|
|
EQUALITY caseExactIA5Match
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.24 NAME 'bootFile'
|
|
DESC 'Boot image name'
|
|
EQUALITY caseExactIA5Match
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.26 NAME 'nisMapName'
|
|
DESC 'Name of a generic NIS map'
|
|
SUP name )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry'
|
|
DESC 'A generic NIS entry'
|
|
EQUALITY caseExactMatch
|
|
SUBSTR caseExactSubstringsMatch
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|
SINGLE-VALUE )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey'
|
|
DESC 'NIS public key'
|
|
EQUALITY octetStringMatch
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
|
|
SINGLE-VALUE )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey'
|
|
DESC 'NIS secret key'
|
|
EQUALITY octetStringMatch
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
|
|
SINGLE-VALUE )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.30 NAME 'nisDomain'
|
|
DESC 'NIS domain'
|
|
EQUALITY caseIgnoreIA5Match
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.31 NAME 'automountMapName'
|
|
DESC 'automount Map Name'
|
|
EQUALITY caseExactMatch
|
|
SUBSTR caseExactSubstringsMatch
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|
SINGLE-VALUE )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.32 NAME 'automountKey'
|
|
DESC 'Automount Key value'
|
|
EQUALITY caseExactMatch
|
|
SUBSTR caseExactSubstringsMatch
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|
SINGLE-VALUE )
|
|
|
|
attributetype ( 1.3.6.1.1.1.1.33 NAME 'automountInformation'
|
|
DESC 'Automount information'
|
|
EQUALITY caseExactMatch
|
|
SUBSTR caseExactSubstringsMatch
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|
SINGLE-VALUE )
|
|
|
|
# Object classes from RFC 2307bis
|
|
|
|
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount'
|
|
DESC 'Abstraction of an account with POSIX attributes'
|
|
SUP top AUXILIARY
|
|
MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
|
|
MAY ( userPassword $ loginShell $ gecos $ description ) )
|
|
|
|
# THIS IS THE KEY DIFFERENCE FROM RFC2307:
|
|
# posixGroup is AUXILIARY, not STRUCTURAL
|
|
# This allows combining with groupOfNames/groupOfMembers
|
|
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
|
|
DESC 'Abstraction of a group of accounts'
|
|
SUP top AUXILIARY
|
|
MUST ( cn $ gidNumber )
|
|
MAY ( userPassword $ memberUid $ description ) )
|
|
|
|
objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount'
|
|
DESC 'Additional attributes for shadow passwords'
|
|
SUP top AUXILIARY
|
|
MUST uid
|
|
MAY ( userPassword $ description $
|
|
shadowLastChange $ shadowMin $ shadowMax $
|
|
shadowWarning $ shadowInactive $
|
|
shadowExpire $ shadowFlag ) )
|
|
|
|
objectclass ( 1.3.6.1.1.1.2.3 NAME 'ipService'
|
|
DESC 'Abstraction an Internet Protocol service. Maps an IP port and protocol (such as tcp or udp) to one or more names'
|
|
SUP top STRUCTURAL
|
|
MUST ( cn $ ipServicePort $ ipServiceProtocol )
|
|
MAY description )
|
|
|
|
objectclass ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol'
|
|
DESC 'Abstraction of an IP protocol. Maps a protocol number to one or more names'
|
|
SUP top STRUCTURAL
|
|
MUST ( cn $ ipProtocolNumber )
|
|
MAY description )
|
|
|
|
objectclass ( 1.3.6.1.1.1.2.5 NAME 'oncRpc'
|
|
DESC 'Abstraction of an Open Network Computing (ONC) Remote Procedure Call (RPC) binding'
|
|
SUP top STRUCTURAL
|
|
MUST ( cn $ oncRpcNumber )
|
|
MAY description )
|
|
|
|
objectclass ( 1.3.6.1.1.1.2.6 NAME 'ipHost'
|
|
DESC 'Abstraction of a host, an IP device. The distinguished value of the cn attribute denotes the hosts canonical name'
|
|
SUP top AUXILIARY
|
|
MUST ( cn $ ipHostNumber )
|
|
MAY ( userPassword $ l $ description $ manager ) )
|
|
|
|
objectclass ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork'
|
|
DESC 'Abstraction of a network. The distinguished value of the cn attribute denotes the networks canonical name'
|
|
SUP top STRUCTURAL
|
|
MUST ipNetworkNumber
|
|
MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) )
|
|
|
|
objectclass ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup'
|
|
DESC 'Abstraction of a netgroup. May refer to other netgroups'
|
|
SUP top STRUCTURAL
|
|
MUST cn
|
|
MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )
|
|
|
|
objectclass ( 1.3.6.1.1.1.2.9 NAME 'nisMap'
|
|
DESC 'A generic abstraction of a NIS map'
|
|
SUP top STRUCTURAL
|
|
MUST nisMapName
|
|
MAY description )
|
|
|
|
objectclass ( 1.3.6.1.1.1.2.10 NAME 'nisObject'
|
|
DESC 'An entry in a NIS map'
|
|
SUP top STRUCTURAL
|
|
MUST ( cn $ nisMapEntry $ nisMapName )
|
|
MAY description )
|
|
|
|
objectclass ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device'
|
|
DESC 'A device with a MAC address'
|
|
SUP top AUXILIARY
|
|
MAY macAddress )
|
|
|
|
objectclass ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice'
|
|
DESC 'A device with boot parameters'
|
|
SUP top AUXILIARY
|
|
MAY ( bootFile $ bootParameter ) )
|
|
|
|
objectclass ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject'
|
|
DESC 'An object with a public and secret key'
|
|
SUP top AUXILIARY
|
|
MUST ( cn $ nisPublicKey $ nisSecretKey )
|
|
MAY ( uidNumber $ description ) )
|
|
|
|
objectclass ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject'
|
|
DESC 'Associates a NIS domain with a naming context'
|
|
SUP top AUXILIARY
|
|
MUST nisDomain )
|
|
|
|
objectclass ( 1.3.6.1.1.1.2.16 NAME 'automountMap'
|
|
DESC 'An group of related automount objects'
|
|
SUP top STRUCTURAL
|
|
MUST ( automountMapName )
|
|
MAY description )
|
|
|
|
objectclass ( 1.3.6.1.1.1.2.17 NAME 'automount'
|
|
DESC 'An automount entry'
|
|
SUP top STRUCTURAL
|
|
MUST ( automountKey $ automountInformation )
|
|
MAY description )
|
|
|
|
# groupOfMembers - like groupOfNames but allows empty groups
|
|
# This is essential for memberOf overlay support
|
|
objectclass ( 2.16.840.1.113730.3.2.33 NAME 'groupOfMembers'
|
|
DESC 'A group with members (like groupOfNames but member is optional)'
|
|
SUP top STRUCTURAL
|
|
MUST cn
|
|
MAY ( member $ businessCategory $ description $ o $ ou $ owner $ seeAlso ) )
|