Dear all,
I'm currently experimenting with (MIT) Kerberos and got to the point where I need to add the Kerberos definitions to
LDAP (krb5-kdc.ldif). (This is on Rocky Linux 9 with symas-openldap-servers-2.6.6-1.el9.x86_64.)
First question: is this the correct schema file or should I use the one provided by MIT Kerberos 1.20.1
(/usr/share/doc/krb5-server-ldap/kerberos.ldif) ?
If I use krb5-kdc.ldif I get the following:
[root@gateway ~]# cd /opt/symas/etc/openldap/schema/
[root@gateway schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f krb5-kdc.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=krb5-kdc,cn=schema,cn=config"
ldap_add: Constraint violation (19)
additional info: structuralObjectClass: no user modification allowed
Is this a permission issue, or does the provided LDIF file contain lines that prevent the addition of the schema? The error names `structuralObjectClass`, which is a server-maintained (operational) attribute that a client is not allowed to set -- the same holds for entryUUID, creatorsName, createTimestamp, modifiersName, modifyTimestamp and entryCSN -- so it looks as if the file was exported from a live cn=config and those lines have to be stripped before ldapadd will accept it.
If I use the file provided by MIT Kerberos I get:
[root@gateway ~]# cd /usr/share/doc/krb5-server-ldap
[root@gateway krb5-server-ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f kerberos.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=schema"
ldap_modify: Invalid syntax (21)
additional info: attributetypes: value #0 invalid per syntax
The book I'm following still uses Symas' OpenLDAP 2.4 and therefore converts the .schema file provided by MIT
Kerberos to .ldif. The procedure is:
#### start instructions ####
# echo 'include /usr/share/doc/krb5-server-ldap/kerberos.schema' > /tmp/slapd.conf
# mkdir /tmp/slapd.d
# slaptest -f /tmp/slapd.conf -F /tmp/slapd.d
# cp '/tmp/slapd.d/cn=config/cn=schema/cn={0}kerberos.ldif' /tmp/kerberos.conf
(Note: the generated file lives under the directory given to -F, /tmp/slapd.d, not under /tmp/slapd.conf, which is the one-line config file written in the first step. When doing this as root, prefer a private scratch directory such as one created with `mktemp -d` over fixed names in the world-writable /tmp.)
Further instructions say:
- remove '{0}' in /tmp/kerberos.conf in lines starting with 'dn:' and 'cn:'
- add 'cn=schema,cn=config' to the DN
- remove the lines containing 'structuralObjectClass', 'entryUUID', 'creatorsName', 'createTimestamp', 'modifiersName',
'modifyTimestamp' and 'entryCSN' at the end of the file (these are server-maintained attributes that a client cannot set; leaving them in produces the "no user modification allowed" error shown above)
After the modifications, there should be only lines containing 'objectClass', 'olcAttributeTypes', 'olcObjectClasses',
'cn' or 'dn'.
#### end instructions ####
If I follow these instructions and use the converted LDIF file the command
succeeds:
[root@gateway tmp]# ldapadd -Y EXTERNAL -H ldapi:/// -f kerberos.ldif.converted
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=kerberos,cn=schema,cn=config"
Is there an explanation for this behavior? The MIT file modifies `dn: cn=schema` with `attributetypes:`/`objectclasses:` values (apparently the online schema-modification format of the Novell directory named in the file header), whereas the file that works targets `cn=kerberos,cn=schema,cn=config` with `olcAttributeTypes`/`olcObjectClasses`, i.e. the OpenLDAP cn=config format. Do the files provided by Symas and
MIT contain errors, or are they simply intended for a different server or configuration style?
(For convenience I attached all three files to this mail.)
Thank you,
Uwe
# Novell Kerberos Schema Definitions
# Novell Inc.
# 1800 South Novell Place
# Provo, UT 84606
#
# VeRsIoN=1.0
# CoPyRiGhT=(c) Copyright 2006, Novell, Inc. All rights reserved
#
# OIDs:
# joint-iso-ccitt(2)
# country(16)
# us(840)
# organization(1)
# Novell(113719)
# applications(1)
# kerberos(301)
# Kerberos Attribute Type(4) attr# version#
# specific attribute definitions
# Kerberos Attribute Syntax(5)
# specific syntax definitions
# Kerberos Object Class(6) class# version#
# specific class definitions
#
# iso(1)
# member-body(2)
# United States(840)
# mit (113554)
# infosys(1)
# ldap(4)
# attributeTypes(1)
# Kerberos(6)
########################################################################
########################################################################
# Attribute Type Definitions #
########################################################################
##### This is the principal name in the RFC 1964 specified format
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.1.1
NAME 'krbPrincipalName'
EQUALITY caseExactIA5Match
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
##### If there are multiple krbPrincipalName values for an entry, this
##### is the canonical principal name in the RFC 1964 specified
##### format. (If this attribute does not exist, then all
##### krbPrincipalName values are treated as canonical.)
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.2.840.113554.1.4.1.6.1
NAME 'krbCanonicalName'
EQUALITY caseExactIA5Match
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
##### This specifies the type of the principal, the types could be any of
##### the types mentioned in section 6.2 of RFC 4120
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.3.1
NAME 'krbPrincipalType'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
##### This flag is used to find whether directory User Password has to be used
##### as kerberos password.
##### TRUE, if User Password is to be used as the kerberos password.
##### FALSE, if User Password and the kerberos password are different.
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.5.1
NAME 'krbUPEnabled'
DESC 'Boolean'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
##### The time at which the principal expires
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.6.1
NAME 'krbPrincipalExpiration'
EQUALITY generalizedTimeMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE )
##### The krbTicketFlags attribute holds information about the kerberos flags for a principal
##### The values (0x00000001 - 0x00800000) are reserved for standards and
##### values (0x01000000 - 0x80000000) can be used for proprietary extensions.
##### The flags and values as per RFC 4120 and MIT implementation are,
##### DISALLOW_POSTDATED 0x00000001
##### DISALLOW_FORWARDABLE 0x00000002
##### DISALLOW_TGT_BASED 0x00000004
##### DISALLOW_RENEWABLE 0x00000008
##### DISALLOW_PROXIABLE 0x00000010
##### DISALLOW_DUP_SKEY 0x00000020
##### DISALLOW_ALL_TIX 0x00000040
##### REQUIRES_PRE_AUTH 0x00000080
##### REQUIRES_HW_AUTH 0x00000100
##### REQUIRES_PWCHANGE 0x00000200
##### DISALLOW_SVR 0x00001000
##### PWCHANGE_SERVICE 0x00002000
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.8.1
NAME 'krbTicketFlags'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
##### The maximum ticket lifetime for a principal in seconds
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.9.1
NAME 'krbMaxTicketLife'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
##### Maximum renewable lifetime for a principal's ticket in seconds
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.10.1
NAME 'krbMaxRenewableAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
##### Forward reference to the Realm object.
##### (FDN of the krbRealmContainer object).
##### Example: cn=ACME.COM, cn=Kerberos, cn=Security
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.14.1
NAME 'krbRealmReferences'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
##### List of LDAP servers that kerberos servers can contact.
##### The attribute holds data in the ldap uri format,
##### Example: ldaps://acme.com:636
#####
##### The values of this attribute need to be updated, when
##### the LDAP servers listed here are renamed, moved or deleted.
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.15.1
NAME 'krbLdapServers'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
##### A set of forward references to the KDC Service objects.
##### (FDNs of the krbKdcService objects).
##### Example: cn=kdc - server 1, ou=uvw, o=xyz
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.17.1
NAME 'krbKdcServers'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
##### A set of forward references to the Password Service objects.
##### (FDNs of the krbPwdService objects).
##### Example: cn=kpasswdd - server 1, ou=uvw, o=xyz
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.18.1
NAME 'krbPwdServers'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
##### This attribute holds the Host Name or the ip address,
##### transport protocol and ports of the kerberos service host
##### The format is host_name-or-ip_address#protocol#port
##### Protocol can be 0 or 1. 0 is for UDP. 1 is for TCP.
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.24.1
NAME 'krbHostServer'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
##### This attribute holds the scope for searching the principals
##### under krbSubTree attribute of krbRealmContainer
##### The value can either be 1 (ONE) or 2 (SUB_TREE).
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.25.1
NAME 'krbSearchScope'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
##### FDNs pointing to Kerberos principals
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.26.1
NAME 'krbPrincipalReferences'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
##### This attribute specifies which attribute of the user objects
##### be used as the principal name component for Kerberos.
##### The allowed values are cn, sn, uid, givenname, fullname.
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.28.1
NAME 'krbPrincNamingAttr'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
##### A set of forward references to the Administration Service objects.
##### (FDNs of the krbAdmService objects).
##### Example: cn=kadmindd - server 1, ou=uvw, o=xyz
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.29.1
NAME 'krbAdmServers'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
##### Maximum lifetime of a principal's password
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.30.1
NAME 'krbMaxPwdLife'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
##### Minimum lifetime of a principal's password
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.31.1
NAME 'krbMinPwdLife'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
##### Minimum number of character classes allowed in a password
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.32.1
NAME 'krbPwdMinDiffChars'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
##### Minimum length of the password
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.33.1
NAME 'krbPwdMinLength'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
##### Number of previous versions of passwords that are stored
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.34.1
NAME 'krbPwdHistoryLength'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
##### Number of consecutive pre-authentication failures before lockout
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.5322.21.2.1
NAME 'krbPwdMaxFailure'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
##### Period after which bad preauthentication count will be reset
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.5322.21.2.2
NAME 'krbPwdFailureCountInterval'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
##### Period in which lockout is enforced
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.5322.21.2.3
NAME 'krbPwdLockoutDuration'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
##### Policy attribute flags
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.2.840.113554.1.4.1.6.2
NAME 'krbPwdAttributes'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
##### Policy maximum ticket lifetime
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.2.840.113554.1.4.1.6.3
NAME 'krbPwdMaxLife'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
##### Policy maximum ticket renewable lifetime
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.2.840.113554.1.4.1.6.4
NAME 'krbPwdMaxRenewableLife'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
##### Allowed enctype:salttype combinations for key changes
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.2.840.113554.1.4.1.6.5
NAME 'krbPwdAllowedKeysalts'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
##### FDN pointing to a Kerberos Password Policy object
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.36.1
NAME 'krbPwdPolicyReference'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE )
##### The time at which the principal's password expires
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.37.1
NAME 'krbPasswordExpiration'
EQUALITY generalizedTimeMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE )
##### This attribute holds the principal's key (krbPrincipalKey) that is encrypted with
##### the master key (krbMKey).
##### The attribute is ASN.1 encoded.
##### Although the value is encrypted, it must be treated as a secret: anyone who can
##### read it together with krbMKey can recover the principal's long-term key, so read
##### access should be restricted to the KDC/administration service identities (see the
##### krbKdcService/krbAdmService classes below) with a directory access control rule.
#####
##### The format of the value for this attribute is explained below,
##### KrbKeySet ::= SEQUENCE {
##### attribute-major-vno [0] UInt16,
##### attribute-minor-vno [1] UInt16,
##### kvno [2] UInt32,
##### mkvno [3] UInt32 OPTIONAL,
##### keys [4] SEQUENCE OF KrbKey,
##### ...
##### }
#####
##### KrbKey ::= SEQUENCE {
##### salt [0] KrbSalt OPTIONAL,
##### key [1] EncryptionKey,
##### s2kparams [2] OCTET STRING OPTIONAL,
##### ...
##### }
#####
##### KrbSalt ::= SEQUENCE {
##### type [0] Int32,
##### salt [1] OCTET STRING OPTIONAL
##### }
#####
##### EncryptionKey ::= SEQUENCE {
##### keytype [0] Int32,
##### keyvalue [1] OCTET STRING
##### }
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.39.1
NAME 'krbPrincipalKey'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
##### FDN pointing to a Kerberos Ticket Policy object.
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.40.1
NAME 'krbTicketPolicyReference'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE )
##### Forward reference to an entry that starts sub-trees
##### where principals and other kerberos objects in the realm are configured.
##### Example: ou=acme, ou=pq, o=xyz
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.41.1
NAME 'krbSubTrees'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
##### Holds the default encryption/salt type combinations of principals for
##### the Realm. Stores in the form of key:salt strings.
##### Example: aes256-cts-hmac-sha384-192:normal
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.42.1
NAME 'krbDefaultEncSaltTypes'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
##### Holds the Supported encryption/salt type combinations of principals for
##### the Realm. Stores in the form of key:salt strings.
##### The supported encryption types are mentioned in RFC 3961
##### The supported salt types are,
##### NORMAL
##### V4
##### NOREALM
##### ONLYREALM
##### SPECIAL
##### AFS3
##### Example: aes256-cts-hmac-sha384-192:normal
#####
##### This attribute obsoletes the krbSupportedEncTypes and krbSupportedSaltTypes
##### attributes.
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.43.1
NAME 'krbSupportedEncSaltTypes'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
##### This attribute holds the principal's old keys (krbPwdHistory) that are encrypted with
##### the kadmin/history key.
##### The attribute is ASN.1 encoded.
##### Like krbPrincipalKey this is key material: restrict read access to the
##### administration service identity rather than exposing it to ordinary users.
#####
##### The format of the value for this attribute is explained below,
##### KrbKeySet ::= SEQUENCE {
##### attribute-major-vno [0] UInt16,
##### attribute-minor-vno [1] UInt16,
##### kvno [2] UInt32,
##### mkvno [3] UInt32 OPTIONAL -- actually kadmin/history key,
##### keys [4] SEQUENCE OF KrbKey,
##### ...
##### }
#####
##### KrbKey ::= SEQUENCE {
##### salt [0] KrbSalt OPTIONAL,
##### key [1] EncryptionKey,
##### s2kparams [2] OCTET STRING OPTIONAL,
##### ...
##### }
#####
##### KrbSalt ::= SEQUENCE {
##### type [0] Int32,
##### salt [1] OCTET STRING OPTIONAL
##### }
#####
##### EncryptionKey ::= SEQUENCE {
##### keytype [0] Int32,
##### keyvalue [1] OCTET STRING
##### }
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.44.1
NAME 'krbPwdHistory'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
##### The time at which the principal's last password change happened.
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.45.1
NAME 'krbLastPwdChange'
EQUALITY generalizedTimeMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE )
##### The time at which the principal was last administratively unlocked.
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.5322.21.2.5
NAME 'krbLastAdminUnlock'
EQUALITY generalizedTimeMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE )
##### This attribute holds the kerberos master key.
##### It is the key used to encrypt the principal keys stored in krbPrincipalKey.
##### This attribute has to be secured in the directory: whoever can read it (together
##### with the krbPrincipalKey values) can decrypt every principal's key. Limit read
##### access to the KDC and administration service identities via access control rules,
##### grant no other user and no anonymous access, and only transfer it over a protected
##### connection (TLS, or the local ldapi:/// socket), never over a plaintext network bind.
#####
##### This attribute is ASN.1 encoded.
##### The format of the value for this attribute is explained below,
##### KrbMKey ::= SEQUENCE {
##### kvno [0] UInt32,
##### key [1] MasterKey
##### }
#####
##### MasterKey ::= SEQUENCE {
##### keytype [0] Int32,
##### keyvalue [1] OCTET STRING
##### }
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.46.1
NAME 'krbMKey'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
##### This stores the alternate principal names for the principal in the RFC 1964 specified format
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.47.1
NAME 'krbPrincipalAliases'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
##### The time at which the principal's last successful authentication happened.
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.48.1
NAME 'krbLastSuccessfulAuth'
EQUALITY generalizedTimeMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE )
##### The time at which the principal's last failed authentication happened.
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.49.1
NAME 'krbLastFailedAuth'
EQUALITY generalizedTimeMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE )
##### This attribute stores the number of failed authentication attempts
##### happened for the principal since the last successful authentication.
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.50.1
NAME 'krbLoginFailedCount'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
##### This attribute holds the application specific data.
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.51.1
NAME 'krbExtraData'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
##### This attribute holds references to a set of directory objects.
##### It stores the DNs of the directory objects to which the
##### principal object belongs.
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.52.1
NAME 'krbObjectReferences'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
##### This attribute holds references to a Container object where
##### the additional principal objects and stand alone principal
##### objects (krbPrincipal) can be created.
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.53.1
NAME 'krbPrincContainerRef'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
##### A list of authentication indicator strings, one of which must be satisfied
##### to authenticate to the principal as a service.
##### FreeIPA OID:
##### joint-iso-ccitt(2) country(16) us(840) organization(1) netscape(113730)
##### ldap(3) freeipa(8) krb5(15) attributes(2)
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113730.3.8.15.2.1
NAME 'krbPrincipalAuthInd'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
##### A list of services to which a service principal can delegate.
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.5322.21.2.4
NAME 'krbAllowedToDelegateTo'
EQUALITY caseExactIA5Match
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
########################################################################
########################################################################
# Object Class Definitions #
########################################################################
#### This is a kerberos container for all the realms in a tree.
dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.1.1
NAME 'krbContainer'
SUP top
MUST ( cn ) )
##### The krbRealmContainer is created per realm and holds realm specific data.
dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.2.1
NAME 'krbRealmContainer'
SUP top
MUST ( cn )
MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $krbPwdPolicyReference $ krbPrincContainerRef ) )
##### An instance of a class derived from krbService is created per
##### kerberos authentication or administration server in a realm and holds
##### references to the realm objects. These references are used to further read
##### realm specific data to service AS/TGS requests. Additionally this object
##### contains some server specific data like pathnames and ports that the
##### server uses. This is the identity the kerberos server logs in with. A key
##### pair for it is created and the kerberos server logs in with that key pair.
#####
##### krbKdcService, krbAdmService and krbPwdService derive from this class.
dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.3.1
NAME 'krbService'
ABSTRACT
SUP ( top )
MUST ( cn )
MAY ( krbHostServer $ krbRealmReferences ) )
##### Representative object for the KDC server to bind into a LDAP directory
##### and have a connection to access Kerberos data with the required
##### access rights. Grant this identity only the rights the KDC actually needs
##### (least privilege) rather than general write access to the tree; it is one
##### of the few identities that should be able to read krbMKey and krbPrincipalKey.
dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.4.1
NAME 'krbKdcService'
SUP ( krbService ) )
##### Representative object for the Kerberos Password server to bind into a LDAP directory
##### and have a connection to access Kerberos data with the required
##### access rights.
dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.5.1
NAME 'krbPwdService'
SUP ( krbService ) )
###### The principal data auxiliary class. Holds principal information
###### and is used to store principal information for Person, Service objects.
dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.8.1
NAME 'krbPrincipalAux'
AUXILIARY
MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbLastAdminUnlock $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbAllowedToDelegateTo $ krbPrincipalAuthInd ) )
###### This class is used to create additional principals and stand alone principals.
dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.9.1
NAME 'krbPrincipal'
SUP ( top )
MUST ( krbPrincipalName )
MAY ( krbObjectReferences ) )
###### The principal references auxiliary class. Holds all principals referred
###### from a service
dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.11.1
NAME 'krbPrincRefAux'
SUP top
AUXILIARY
MAY krbPrincipalReferences )
##### Representative object for the Kerberos Administration server to bind into a LDAP directory
##### and have a connection Id to access Kerberos data with the required access rights.
dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.13.1
NAME 'krbAdmService'
SUP ( krbService ) )
##### The krbPwdPolicy object is a template password policy that
##### can be applied to principals when they are created.
##### These policy attributes will be in effect, when the Kerberos
##### passwords are different from users' passwords (UP).
dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.14.1
NAME 'krbPwdPolicy'
SUP top
MUST ( cn )
MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxLife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) )
##### The krbTicketPolicyAux holds Kerberos ticket policy attributes.
##### This class can be attached to a principal object or realm object.
dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.16.1
NAME 'krbTicketPolicyAux'
AUXILIARY
MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )
##### The krbTicketPolicy object is an effective ticket policy that is associated with a realm or a principal
dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.17.1
NAME 'krbTicketPolicy'
SUP top
MUST ( cn ) )
dn: cn=kerberos,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: kerberos
olcAttributeTypes: {0}( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName'
EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1
.1466.115.121.1.26 )
olcAttributeTypes: {1}( 1.2.840.113554.1.4.1.6.1 NAME 'krbCanonicalName' EQUAL
ITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466
.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {2}( 2.16.840.1.113719.1.301.4.3.1 NAME 'krbPrincipalType'
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {3}( 2.16.840.1.113719.1.301.4.5.1 NAME 'krbUPEnabled' DESC
'Boolean' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {4}( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpira
tion' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SING
LE-VALUE )
olcAttributeTypes: {5}( 2.16.840.1.113719.1.301.4.8.1 NAME 'krbTicketFlags' EQ
UALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {6}( 2.16.840.1.113719.1.301.4.9.1 NAME 'krbMaxTicketLife'
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {7}( 2.16.840.1.113719.1.301.4.10.1 NAME 'krbMaxRenewableAg
e' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {8}( 2.16.840.1.113719.1.301.4.14.1 NAME 'krbRealmReference
s' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
olcAttributeTypes: {9}( 2.16.840.1.113719.1.301.4.15.1 NAME 'krbLdapServers' E
QUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {10}( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' E
QUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
olcAttributeTypes: {11}( 2.16.840.1.113719.1.301.4.18.1 NAME 'krbPwdServers' E
QUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
olcAttributeTypes: {12}( 2.16.840.1.113719.1.301.4.24.1 NAME 'krbHostServer' E
QUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {13}( 2.16.840.1.113719.1.301.4.25.1 NAME 'krbSearchScope'
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {14}( 2.16.840.1.113719.1.301.4.26.1 NAME 'krbPrincipalRefe
rences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
)
olcAttributeTypes: {15}( 2.16.840.1.113719.1.301.4.28.1 NAME 'krbPrincNamingAt
tr' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALU
E )
olcAttributeTypes: {16}( 2.16.840.1.113719.1.301.4.29.1 NAME 'krbAdmServers' E
QUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
olcAttributeTypes: {17}( 2.16.840.1.113719.1.301.4.30.1 NAME 'krbMaxPwdLife' E
QUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {18}( 2.16.840.1.113719.1.301.4.31.1 NAME 'krbMinPwdLife' E
QUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {19}( 2.16.840.1.113719.1.301.4.32.1 NAME 'krbPwdMinDiffCha
rs' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {20}( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLength'
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {21}( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryLen
gth' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE
)
olcAttributeTypes: {22}( 1.3.6.1.4.1.5322.21.2.1 NAME 'krbPwdMaxFailure' EQUAL
ITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {23}( 1.3.6.1.4.1.5322.21.2.2 NAME 'krbPwdFailureCountInter
val' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE
)
olcAttributeTypes: {24}( 1.3.6.1.4.1.5322.21.2.3 NAME 'krbPwdLockoutDuration'
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {25}( 1.2.840.113554.1.4.1.6.2 NAME 'krbPwdAttributes' EQUA
LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {26}( 1.2.840.113554.1.4.1.6.3 NAME 'krbPwdMaxLife' EQUALIT
Y integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {27}( 1.2.840.113554.1.4.1.6.4 NAME 'krbPwdMaxRenewableLife
' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {28}( 1.2.840.113554.1.4.1.6.5 NAME 'krbPwdAllowedKeysalts'
EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALU
E )
olcAttributeTypes: {29}( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyRefe
rence' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 S
INGLE-VALUE )
olcAttributeTypes: {30}( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExpir
ation' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SIN
GLE-VALUE )
olcAttributeTypes: {31}( 2.16.840.1.113719.1.301.4.39.1 NAME 'krbPrincipalKey'
EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {32}( 2.16.840.1.113719.1.301.4.40.1 NAME 'krbTicketPolicyR
eference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1
2 SINGLE-VALUE )
olcAttributeTypes: {33}( 2.16.840.1.113719.1.301.4.41.1 NAME 'krbSubTrees' EQU
ALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
olcAttributeTypes: {34}( 2.16.840.1.113719.1.301.4.42.1 NAME 'krbDefaultEncSal
tTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {35}( 2.16.840.1.113719.1.301.4.43.1 NAME 'krbSupportedEncS
altTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {36}( 2.16.840.1.113719.1.301.4.44.1 NAME 'krbPwdHistory' E
QUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {37}( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChange
' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-V
ALUE )
olcAttributeTypes: {38}( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' EQU
ALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE
)
olcAttributeTypes: {39}( 2.16.840.1.113719.1.301.4.46.1 NAME 'krbMKey' EQUALIT
Y octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {40}( 2.16.840.1.113719.1.301.4.47.1 NAME 'krbPrincipalAlia
ses' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {41}( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccessfu
lAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SIN
GLE-VALUE )
olcAttributeTypes: {42}( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedAut
h' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-
VALUE )
olcAttributeTypes: {43}( 2.16.840.1.113719.1.301.4.50.1 NAME 'krbLoginFailedCo
unt' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE
)
olcAttributeTypes: {44}( 2.16.840.1.113719.1.301.4.51.1 NAME 'krbExtraData' EQ
UALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {45}( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectReferen
ces' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
olcAttributeTypes: {46}( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContaine
rRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
olcAttributeTypes: {47}( 2.16.840.1.113730.3.8.15.2.1 NAME 'krbPrincipalAuthIn
d' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {48}( 1.3.6.1.4.1.5322.21.2.4 NAME 'krbAllowedToDelegateTo'
EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.
1.1466.115.121.1.26 )
olcObjectClasses: {0}( 2.16.840.1.113719.1.301.6.1.1 NAME 'krbContainer' SUP t
op STRUCTURAL MUST cn )
olcObjectClasses: {1}( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer'
SUP top STRUCTURAL MUST cn MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSe
archScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltType
s $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers
$ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef ) )
olcObjectClasses: {2}( 2.16.840.1.113719.1.301.6.3.1 NAME 'krbService' SUP top
ABSTRACT MUST cn MAY ( krbHostServer $ krbRealmReferences ) )
olcObjectClasses: {3}( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP
krbService STRUCTURAL )
olcObjectClasses: {4}( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SUP
krbService STRUCTURAL )
olcObjectClasses: {5}( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' SU
P top AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ kr
bPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswo
rdExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krb
LastPwdChange $ krbLastAdminUnlock $ krbPrincipalAliases $ krbLastSuccessfulA
uth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbAllowedToDe
legateTo $ krbPrincipalAuthInd ) )
olcObjectClasses: {6}( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP t
op STRUCTURAL MUST krbPrincipalName MAY krbObjectReferences )
olcObjectClasses: {7}( 2.16.840.1.113719.1.301.6.11.1 NAME 'krbPrincRefAux' SU
P top AUXILIARY MAY krbPrincipalReferences )
olcObjectClasses: {8}( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' SUP
krbService STRUCTURAL )
olcObjectClasses: {9}( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SUP
top STRUCTURAL MUST cn MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffCha
rs $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailure
CountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxLife $ kr
bPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) )
olcObjectClasses: {10}( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicyAu
x' SUP top AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewabl
eAge ) )
olcObjectClasses: {11}( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy'
SUP top STRUCTURAL MUST cn )
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
dn: cn=krb5-kdc,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: krb5-kdc
olcAttributeTypes: {0}( 1.3.6.1.4.1.5322.10.1.1 NAME 'krb5PrincipalName' DES
C 'The unparsed Kerberos principal name' EQUALITY caseExactIA5Match SYNTAX
1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.4.1.5322.10.1.2 NAME 'krb5KeyVersionNumber'
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.5322.10.1.3 NAME 'krb5MaxLife' EQUALITY
integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.5322.10.1.4 NAME 'krb5MaxRenew' EQUALITY
integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.5322.10.1.5 NAME 'krb5KDCFlags' EQUALITY
integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.5322.10.1.6 NAME 'krb5EncryptionType' EQ
UALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
olcAttributeTypes: {6}( 1.3.6.1.4.1.5322.10.1.7 NAME 'krb5ValidStart' EQUALI
TY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.
1.4.1.1466.115.121.1.24 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.5322.10.1.8 NAME 'krb5ValidEnd' EQUALITY
generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.
4.1.1466.115.121.1.24 SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.5322.10.1.9 NAME 'krb5PasswordEnd' EQUAL
ITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6
.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.5322.10.1.10 NAME 'krb5Key' DESC 'Encode
d ASN1 Key as an octet string' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )
olcAttributeTypes: {10}( 1.3.6.1.4.1.5322.10.1.11 NAME 'krb5PrincipalRealm'
DESC 'Distinguished name of krb5Realm entry' SUP distinguishedName )
olcAttributeTypes: {11}( 1.3.6.1.4.1.5322.10.1.12 NAME 'krb5RealmName' EQUAL
ITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
olcAttributeTypes: {12}( 1.3.6.1.4.1.5322.10.1.13 NAME 'krb5ExtendedAttribut
es' DESC 'Encoded ASN1 HDB Extension Attributes as an octet string' SYNTAX
1.3.6.1.4.1.1466.115.121.1.5 )
olcObjectClasses: {0}( 1.3.6.1.4.1.5322.10.2.1 NAME 'krb5Principal' SUP top
AUXILIARY MUST krb5PrincipalName MAY ( cn $ krb5PrincipalRealm ) )
olcObjectClasses: {1}( 1.3.6.1.4.1.5322.10.2.2 NAME 'krb5KDCEntry' SUP krb5P
rincipal AUXILIARY MUST krb5KeyVersionNumber MAY ( krb5ValidStart $ krb5Val
idEnd $ krb5PasswordEnd $ krb5MaxLife $ krb5MaxRenew $ krb5KDCFlags $ krb5E
ncryptionType $ krb5Key $ krb5ExtendedAttributes ) )
olcObjectClasses: {2}( 1.3.6.1.4.1.5322.10.2.3 NAME 'krb5Realm' SUP top AUXI
LIARY MUST krb5RealmName )
structuralObjectClass: olcSchemaConfig
entryUUID: bfa5ab6c-de72-1036-96d5-b13d6bffbc8d
creatorsName: cn=config
createTimestamp: 20170605194144Z
entryCSN: 20170605194144.029748Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20170605194144Z