# ===========================================================================
# MIT Kerberos LDAP Schema
#
# This schema enables storing Kerberos principals in OpenLDAP.
# It is loaded by default but remains DORMANT until Kerberos is enabled.
#
# OID Base: 2.16.840.1.113719.1.301
#
# When Kerberos is enabled:
# 1. krbPrincipalAux objectClass is added to user entries
# 2. MIT KDC is deployed with LDAP backend
# 3. Principals are created via kadmin
#
# Source: MIT Kerberos source code (src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema)
# Reference: https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html
#
# Dependencies:
# - core.schema
# ===========================================================================
# ---------------------------------------------------------------------------
# Attribute Types
# ---------------------------------------------------------------------------
# NOTE(review): the header cites the upstream MIT kerberos.schema, but the
# attribute set and OID assignments in this file appear to differ from it
# (for example MIT defines krbMaxRenewableAge rather than krbMaxRenewableLife,
# and assigns different OIDs under the same 2.16.840.1.113719.1.301 arc). A
# stock MIT KDC LDAP backend expects the upstream definitions, and loading the
# upstream file next to this one would collide on attribute names/OIDs -
# confirm against the upstream file before enabling Kerberos.
# NOTE(review): in slapd.conf-style schema files a continuation line must
# begin with whitespace; the continuation lines as shown here carry none.
# If that is not a display artifact, slapd will reject the file - confirm.
#
# Principal name in user@REALM form (see DESC). caseExactIA5Match and
# caseExactSubstringsMatch make lookups case-sensitive, so user@REALM and
# USER@REALM are distinct principals; the IA5 syntax limits values to ASCII.
attributetype ( 2.16.840.1.113719.1.301.4.1.1
NAME 'krbPrincipalName'
DESC 'Kerberos principal name (e.g., user@REALM)'
EQUALITY caseExactIA5Match
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
# Key material for the principal (DESC: managed by the KDC). Octet string,
# multi-valued (no SINGLE-VALUE). The schema cannot limit who reads this
# attribute: the access directives / olcAccess covering the principal subtree
# must restrict read and write on krbPrincipalKey to the KDC and kadmin
# identities only, and it must never be readable by anonymous or ordinary
# authenticated binds, however the KDC encodes the value.
attributetype ( 2.16.840.1.113719.1.301.4.2.1
NAME 'krbPrincipalKey'
DESC 'Kerberos principal key data (managed by KDC)'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
# DN of the krbTicketPolicy entry (defined below) applied to this principal.
# Whoever can write this reference can presumably re-point the principal at a
# more permissive policy, so treat write access to it like write access to
# the policy entry itself.
attributetype ( 2.16.840.1.113719.1.301.4.3.1
NAME 'krbTicketPolicyReference'
DESC 'DN of ticket policy'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE )
# Expiry timestamps (GeneralizedTime syntax). The ORDERING rule allows range
# filters such as "(krbPrincipalExpiration<=<timestamp>)" for audits of
# expired or soon-to-expire principals.
attributetype ( 2.16.840.1.113719.1.301.4.4.1
NAME 'krbPrincipalExpiration'
DESC 'Principal expiration time'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE )
attributetype ( 2.16.840.1.113719.1.301.4.5.1
NAME 'krbPasswordExpiration'
DESC 'Password expiration time'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE )
# Per-principal ticket lifetime caps in seconds (DESC). The same two
# attributes also appear on krbRealmContainer and krbTicketPolicy below;
# which level takes precedence is decided by the KDC, not by the schema -
# confirm against the KDC documentation.
attributetype ( 2.16.840.1.113719.1.301.4.6.1
NAME 'krbMaxTicketLife'
DESC 'Maximum ticket lifetime in seconds'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 2.16.840.1.113719.1.301.4.7.1
NAME 'krbMaxRenewableLife'
DESC 'Maximum renewable ticket lifetime in seconds'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
# Integer ticket-flag bitmask; the bit meanings are KDC-defined and are not
# documented in this file.
attributetype ( 2.16.840.1.113719.1.301.4.8.1
NAME 'krbTicketFlags'
DESC 'Kerberos ticket flags'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
# Integer principal type; value meanings are not documented in this file.
attributetype ( 2.16.840.1.113719.1.301.4.9.1
NAME 'krbPrincipalType'
DESC 'Kerberos principal type'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
# DN of the krbPwdPolicy entry (defined below) applied to this principal;
# same write-access caveat as krbTicketPolicyReference.
attributetype ( 2.16.840.1.113719.1.301.4.10.1
NAME 'krbPwdPolicyReference'
DESC 'DN of password policy'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE )
# Multi-valued DN references to related principal entries (no SINGLE-VALUE).
attributetype ( 2.16.840.1.113719.1.301.4.11.1
NAME 'krbPrincipalReferences'
DESC 'DN of associated principal entries'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
# Event timestamps (GeneralizedTime). These are presumably written by the
# KDC on each password change / authentication attempt - confirm; if the
# KDC's bind identity lacks write access to them in the ACLs, the values
# simply stay stale.
attributetype ( 2.16.840.1.113719.1.301.4.12.1
NAME 'krbLastPwdChange'
DESC 'Time of last password change'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE )
attributetype ( 2.16.840.1.113719.1.301.4.13.1
NAME 'krbLastSuccessfulAuth'
DESC 'Time of last successful authentication'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE )
attributetype ( 2.16.840.1.113719.1.301.4.14.1
NAME 'krbLastFailedAuth'
DESC 'Time of last failed authentication'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE )
# Consecutive-failure counter. Together with krbPwdMaxFailure,
# krbPwdFailureCountInterval and krbPwdLockoutDuration on krbPwdPolicy this
# is the lockout state; lockout can only work if the KDC can update this
# counter and krbLastFailedAuth, so a write denial here silently disables
# lockout. Worth a check in the ACLs and in the KDC logs.
attributetype ( 2.16.840.1.113719.1.301.4.15.1
NAME 'krbLoginFailedCount'
DESC 'Number of consecutive failed login attempts'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
# Opaque, multi-valued octet string; contents are KDC-defined. Restrict
# writes to the KDC/kadmin identities as for krbPrincipalKey.
attributetype ( 2.16.840.1.113719.1.301.4.16.1
NAME 'krbExtraData'
DESC 'Extra data for Kerberos'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
# Constrained-delegation (S4U2Proxy) target list: multi-valued, case-sensitive
# IA5 strings naming the services this principal may delegate to. Adding a
# value widens what this principal can do on behalf of other users, so a
# write here is a privilege grant: limit write access to administrators and
# make sure modifications of this attribute are logged/audited.
attributetype ( 2.16.840.1.113719.1.301.4.17.1
NAME 'krbAllowedToDelegateTo'
DESC 'Services this principal can delegate to (S4U2Proxy)'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# ---------------------------------------------------------------------------
# Realm Container Attributes
# ---------------------------------------------------------------------------
# Multi-valued DNs of the subtrees the KDC searches for principals. Adding a
# subtree here widens the set of entries that can act as principals, so
# write access belongs to realm administrators only.
attributetype ( 2.16.840.1.113719.1.301.4.20.1
NAME 'krbSubTrees'
DESC 'DNs of subtrees containing principals'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
# Search scope applied under krbSubTrees; the DESC gives the value encoding
# (0=base, 1=one, 2=sub).
attributetype ( 2.16.840.1.113719.1.301.4.21.1
NAME 'krbSearchScope'
DESC 'Search scope for principals (0=base, 1=one, 2=sub)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
# DN of the container in which new principal entries are created; note this
# one is multi-valued (no SINGLE-VALUE), unlike krbSearchScope.
attributetype ( 2.16.840.1.113719.1.301.4.22.1
NAME 'krbPrincContainerRef'
DESC 'DN of principal container'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
# Password lifetime bounds used by krbPwdPolicy. The unit is not stated in
# the DESC - presumably seconds, like the other lifetime attributes in this
# file - confirm against the KDC documentation.
attributetype ( 2.16.840.1.113719.1.301.4.23.1
NAME 'krbMaxPwdLife'
DESC 'Maximum password lifetime in realm'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 2.16.840.1.113719.1.301.4.24.1
NAME 'krbMinPwdLife'
DESC 'Minimum password lifetime in realm'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
# Password composition rules: character-class count, length, and reuse
# history. These only take effect for password changes that go through the
# KDC/kadmin; they do not constrain values written directly via LDAP.
attributetype ( 2.16.840.1.113719.1.301.4.25.1
NAME 'krbPwdMinDiffChars'
DESC 'Minimum number of character classes in password'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 2.16.840.1.113719.1.301.4.26.1
NAME 'krbPwdMinLength'
DESC 'Minimum password length'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 2.16.840.1.113719.1.301.4.27.1
NAME 'krbPwdHistoryLength'
DESC 'Number of passwords to keep in history'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
# Lockout policy triple: lock after krbPwdMaxFailure consecutive failures,
# reset the failure count after krbPwdFailureCountInterval seconds, and keep
# the lock for krbPwdLockoutDuration seconds. The per-principal state these
# act on is krbLoginFailedCount / krbLastFailedAuth.
attributetype ( 2.16.840.1.113719.1.301.4.28.1
NAME 'krbPwdMaxFailure'
DESC 'Maximum password failures before lockout'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 2.16.840.1.113719.1.301.4.29.1
NAME 'krbPwdFailureCountInterval'
DESC 'Failure count reset interval in seconds'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 2.16.840.1.113719.1.301.4.30.1
NAME 'krbPwdLockoutDuration'
DESC 'Lockout duration in seconds'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
# ---------------------------------------------------------------------------
# Object Classes
# ---------------------------------------------------------------------------
# Auxiliary class for adding Kerberos attributes to user entries
# This is the class added to user entries when the Kerberos premium feature is enabled
# Every attribute here is MAY, including krbPrincipalName: an entry can carry
# this class and still have no principal name, which the schema will accept.
# Only the structural krbPrincipal class below makes krbPrincipalName MUST.
# Because the class is attached to existing user entries, the ACLs written
# for those entries must also cover the Kerberos attributes it brings in
# (krbPrincipalKey and krbExtraData in particular).
objectclass ( 2.16.840.1.113719.1.301.6.8.1
NAME 'krbPrincipalAux'
DESC 'Auxiliary class for Kerberos principal attributes'
SUP top AUXILIARY
MAY ( krbPrincipalName $ krbPrincipalKey $ krbTicketPolicyReference $
krbPrincipalExpiration $ krbPasswordExpiration $
krbMaxTicketLife $ krbMaxRenewableLife $ krbTicketFlags $
krbPrincipalType $ krbPwdPolicyReference $ krbPrincipalReferences $
krbLastPwdChange $ krbLastSuccessfulAuth $ krbLastFailedAuth $
krbLoginFailedCount $ krbExtraData $ krbAllowedToDelegateTo ) )
# Structural class for standalone principal entries (less common)
# Standalone principal entry: krbPrincipalName is required here, and the MAY
# list is the krbPrincipalAux list minus krbPrincipalName. Keep the two lists
# in step when adding attributes.
objectclass ( 2.16.840.1.113719.1.301.6.9.1
NAME 'krbPrincipal'
DESC 'Structural class for Kerberos principals'
SUP top STRUCTURAL
MUST krbPrincipalName
MAY ( krbPrincipalKey $ krbTicketPolicyReference $
krbPrincipalExpiration $ krbPasswordExpiration $
krbMaxTicketLife $ krbMaxRenewableLife $ krbTicketFlags $
krbPrincipalType $ krbPwdPolicyReference $ krbPrincipalReferences $
krbLastPwdChange $ krbLastSuccessfulAuth $ krbLastFailedAuth $
krbLoginFailedCount $ krbExtraData $ krbAllowedToDelegateTo ) )
# Container for Kerberos realm
# Realm entry, named by cn. Holds where the KDC looks for principals
# (krbSubTrees / krbSearchScope / krbPrincContainerRef) and realm-wide ticket
# limits. A write to this entry changes realm behaviour for every principal,
# so it should be writable by realm administrators only.
objectclass ( 2.16.840.1.113719.1.301.6.1.1
NAME 'krbRealmContainer'
DESC 'Container for Kerberos realm'
SUP top STRUCTURAL
MUST cn
MAY ( krbSubTrees $ krbSearchScope $ krbPrincContainerRef $
krbMaxTicketLife $ krbMaxRenewableLife $ krbTicketFlags ) )
# Ticket policy object
# Ticket policy entry referenced by krbTicketPolicyReference; named by cn.
# Carries the same three limits as the realm container, applied per policy.
objectclass ( 2.16.840.1.113719.1.301.6.2.1
NAME 'krbTicketPolicy'
DESC 'Kerberos ticket policy'
SUP top STRUCTURAL
MUST cn
MAY ( krbMaxTicketLife $ krbMaxRenewableLife $ krbTicketFlags ) )
# Password policy object for Kerberos
# Password policy entry referenced by krbPwdPolicyReference; named by cn.
# All policy attributes are MAY, so an empty policy entry is schema-valid;
# what the KDC does with an absent attribute is not defined here - confirm.
objectclass ( 2.16.840.1.113719.1.301.6.3.1
NAME 'krbPwdPolicy'
DESC 'Kerberos password policy'
SUP top STRUCTURAL
MUST cn
MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $
krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $
krbPwdFailureCountInterval $ krbPwdLockoutDuration ) )
# Service principal container
# Service principal: inherits MUST krbPrincipalName and the full MAY list
# from krbPrincipal; adds no attributes of its own.
objectclass ( 2.16.840.1.113719.1.301.6.4.1
NAME 'krbService'
DESC 'Kerberos service'
SUP krbPrincipal STRUCTURAL )