====== OpenLDAP: Installation and Configuration ======
Often it is advantageous to have authentication, security and application settings centralised for ease of management. Microsoft provides Active Directory for Windows users; through the use of [[http://www.openldap.org/|OpenLDAP]] we can duplicate this behaviour in a cross-platform, open-source way. An [[wp>LDAP|LDAP]] directory can be used to provide single sign-on for Linux, Windows, OSX and web-based applications, as well as network authentication via [[wp>RADIUS|RADIUS]].
This article describes how to install OpenLDAP and configure a basic directory information tree.
===== Supported Releases =====
Should work in all Ubuntu releases from 8.10 (Intrepid Ibex) upwards. Tested on 10.04 (Lucid Lynx) Ubuntu Server 64-bit.
===== Required Packages =====
For an installation that does not require password synchronisation for Windows users:
sudo apt-get install slapd ldap-utils
Alternatively, if you are using SAMBA and wish to keep your LDAP and SAMBA passwords synchronised, the following is required to work around a packaging [[launchpad>82853|bug]]. Add the following to ''/etc/apt/sources.list'':
# Debian Stable repository
deb http://ftp.debian.org/debian stable main
Then, create the file ''/etc/apt/preferences'' with the following content to prevent packages from the Debian repository automatically replacing their Ubuntu counterparts:
Package: *
Pin: release l=Debian
Pin-Priority: 10
Next, edit ''/etc/apt/apt.conf.d/70debconf'' and add the following to allow for the much larger Debian repository list we must now manage:
APT::Cache-Limit "100000000";
You are now ready to obtain the Debian Squeeze release keys and update your repository lists:
sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0xB98321F9
sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x473041FA
sudo apt-get update
Finally, install the required packages:
sudo apt-get install slapd-smbk5pwd ldap-utils
===== Schema Creation =====
A schema defines the objects and attributes in the LDAP database. Depending on the applications we are going to hook into the directory, different schema files will be needed.
LDIF files are sensitive to white space and may not import correctly if you simply copy and paste them from this page: a long attribute value is folded across several lines, and every continuation line must begin with exactly one space, which is easily lost when copying. Please click on the header at the top of each file to download a copy in its original format instead.
Log on and become root:
sudo -s
Add the basic schema files required for all directories:
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif
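Loading a schema whose folded lines have lost their leading space fails with a confusing syntax error, and loading the same schema twice fails because the entry already exists. The following script is an added example and is not part of the original article: it checks that every non-blank line of an LDIF file is a comment, an ''attribute: value'' line, a lone ''-'' or a space-led continuation, then asks ''slapd'' over ''ldapi:///'' whether the schema is already present before calling ''ldapadd'' exactly as above. It assumes the file is named after its schema ''cn'' (''sudo.ldif'' for ''cn=sudo''), as the files on this page are.

```shell
#!/bin/sh
# Added example, not from the original article: validate a cn=config schema
# LDIF, then load it with ldapadd only if that schema is not already loaded.
# Assumes FILE.ldif defines the schema entry cn=FILE,cn=schema,cn=config.

# Every non-blank LDIF line must be one of:
#   a comment ('#...'), an 'attribute: value' line (also 'attr::' / 'attr:<'),
#   a continuation line starting with one space, or a lone '-' separator.
# A folded line that lost its leading space when copied from a web page
# matches none of these, so report it with its line number.
check_ldif() {
    file=$1
    errors=0
    n=0
    [ -r "$file" ] || { echo "check_ldif: cannot read $file" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*|' '*|'-') ;;   # blank, comment, continuation, separator
            *)
                # attribute description: name or OID, optional ;options, then ':'
                if ! printf '%s\n' "$line" | grep -Eq '^[A-Za-z0-9.][A-Za-z0-9.;-]*:'; then
                    printf '%s:%d: bad line (lost continuation space?): %s\n' \
                        "$file" "$n" "$line" >&2
                    errors=1
                fi
                ;;
        esac
    done < "$file"
    return $errors
}

# slapd stores the loaded schema as cn={N}NAME; the {N} index is assigned at
# load time, so match the cn value with a substring filter instead.
schema_loaded() {
    ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config \
        "(cn={*}$1)" dn 2>/dev/null | grep -q '^dn:'
}

load_schema() {
    file=$1
    name=$(basename "$file" .ldif)
    check_ldif "$file" || return 1
    if schema_loaded "$name"; then
        echo "schema $name is already loaded, skipping $file"
        return 0
    fi
    ldapadd -Y EXTERNAL -H ldapi:/// -f "$file"
}

# Usage (as root): sh load-schema.sh sudo.ldif ppolicy.ldif ...
for f in "$@"; do
    load_schema "$f" || exit 1
done
```

Run it as root, since ''-Y EXTERNAL'' over ''ldapi:///'' authenticates by the caller's Unix uid; ''check_ldif'' alone needs no privileges and can be run on a copy before you touch the server.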
==== Sudo via LDAP ====
To enable the management of root privileges via the directory using [[wp>Sudo|Sudo]], load the file below. It was converted from the original, located in ''/usr/share/doc/sudo-ldap/schema.OpenLDAP'' on an Ubuntu system once the ''sudo-ldap'' package has been installed.
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s)
who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMa
tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s)
who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMat
ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {2}( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Comma
nd(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1
466.115.121.1.26 )
olcAttributeTypes: {3}( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s)
impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1
.4.1.1466.115.121.1.26 )
olcAttributeTypes: {4}( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Option
s(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115
.121.1.26 )
olcAttributeTypes: {5}( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'Use
r(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466
.115.121.1.26 )
olcAttributeTypes: {6}( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Gr
oup(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.14
66.115.121.1.26 )
olcObjectClasses: {0}( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer En
tries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ s
udoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )
Apply the schema modifications with the following command:
ldapadd -Y EXTERNAL -H ldapi:/// -f sudo.ldif
==== Password Policy ====
To implement password expiry, strength controls, lockout, etc. with [[http://www.openldap.org/doc/admin24/overlays.html#Password Policies|password policies]], load the file below. It was converted from the original, located in ''/etc/ldap/schema/ppolicy.schema'' on an Ubuntu system once the ''slapd'' package has been installed.
dn: cn=ppolicy,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: ppolicy
olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY
objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY in
tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY in
tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY
integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUAL
ITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY
integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUA
LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQ
UALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY b
ooleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' E
QUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUAL
ITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInter
val' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE
)
olcAttributeTypes: {12}( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUAL
ITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {13}( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange'
EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUAL
ITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {15}( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' DESC 'L
oadable module that instantiates "check_password() function' EQUALITY caseExa
ctIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top
AUXILIARY MAY pwdCheckModule )
olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXI
LIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheck
Quality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $
pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange
$ pwdAllowUserChange $ pwdSafeModify ) )
Apply the schema modifications with the following command:
ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy.ldif
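Once the sudo and ppolicy schemas above are loaded, the directory still contains no ''sudoRole'' or ''pwdPolicy'' entries. The script below is an added example, not part of the original article or of the OpenLDAP or sudo projects: it emits one entry of each kind in LDIF, ready to pipe into ''ldapadd''. The base DN ''dc=example,dc=com'', the containers ''ou=SUDOers'' and ''ou=Policies'', and the policy values are assumptions to be replaced with your own; the ''pwdPolicy'' entry only takes effect once the ppolicy overlay is configured on the database, which this article does not cover.

```shell
#!/bin/sh
# Added example, not from the original article: print sudoRole and pwdPolicy
# entries (schemas loaded above) as LDIF for ldapadd. Placeholders:
BASE_DN=${BASE_DN:-dc=example,dc=com}   # your directory suffix
# ou=SUDOers and ou=Policies must exist under BASE_DN.

# Print one "attr: value" line per comma-separated item.
emit_values() {
    attr=$1
    printf '%s\n' "$2" | tr ',' '\n' | while IFS= read -r v; do
        if [ -n "$v" ]; then printf '%s: %s\n' "$attr" "$v"; fi
    done
}

# A sudoRole entry. Users, hosts and commands are comma-separated lists;
# each item becomes one attribute value. Hosts default to ALL, which is the
# usual choice for a directory shared by many machines.
# Usage: sudo_role_ldif NAME USERS HOSTS COMMANDS [OPTIONS]
sudo_role_ldif() {
    name=$1 users=$2 hosts=$3 commands=$4 options=$5
    [ -n "$name" ] && [ -n "$users" ] && [ -n "$commands" ] || {
        echo "sudo_role_ldif: name, users and commands are required" >&2
        return 1
    }
    printf 'dn: cn=%s,ou=SUDOers,%s\n' "$name" "$BASE_DN"
    printf 'objectClass: top\nobjectClass: sudoRole\ncn: %s\n' "$name"
    emit_values sudoUser "$users"
    emit_values sudoHost "${hosts:-ALL}"
    emit_values sudoCommand "$commands"
    if [ -n "$options" ]; then emit_values sudoOption "$options"; fi
    echo
}

# A pwdPolicy entry. pwdPolicy is AUXILIARY, so 'device' supplies the
# structural class. Integer arguments: minimum length, failures before
# lockout, lockout and failure-count window in seconds, history depth,
# maximum age in seconds (0 = never expires).
# Usage: pwd_policy_ldif NAME MINLEN MAXFAIL LOCKSECS HISTORY MAXAGE
pwd_policy_ldif() {
    for v in "$2" "$3" "$4" "$5" "$6"; do
        case $v in
            ''|*[!0-9]*)
                echo "pwd_policy_ldif: '$v' is not a non-negative integer" >&2
                return 1 ;;
        esac
    done
    cat <<EOF
dn: cn=$1,ou=Policies,$BASE_DN
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: $1
pwdAttribute: userPassword
pwdMinLength: $2
pwdCheckQuality: 2
pwdMaxFailure: $3
pwdLockout: TRUE
pwdLockoutDuration: $4
pwdFailureCountInterval: $4
pwdInHistory: $5
pwdMaxAge: $6
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

EOF
}

# Example (assumed names): sudo_role_ldif admins alice,bob ALL /usr/bin/apt-get \
#   | ldapadd -x -D "cn=admin,$BASE_DN" -W
# pwd_policy_ldif default 12 5 900 5 0 | ldapadd -x -D "cn=admin,$BASE_DN" -W
```

''pwdCheckQuality: 2'' rejects a password when its quality cannot be checked (for example a pre-hashed value), ''pwdFailureCountInterval'' makes the failure counter forget old attempts after the same window as the lockout, and ''pwdGraceAuthNLimit: 0'' allows no logins after expiry. Make the policy the database default with the overlay's ''olcPPolicyDefault'', or point individual entries at it with ''pwdPolicySubentry''.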
==== Thunderbird Contacts ====
To store Mozilla [[http://www.mozilla.org/thunderbird/|Thunderbird]] contacts and groups in the directory, load the file below. It was originally downloaded from https://wiki.mozilla.org/MailNews:Mozilla_LDAP_Address_Book_Schema and converted to LDIF format.
dn: cn=mozillaAbPersonAlpha,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: mozillaAbPersonAlpha
olcAttributeTypes: {0}( 1.3.6.1.4.1.13769.4.1 NAME 'mozillaCustom1' EQUALITY c
aseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.1
21.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.4.1.13769.4.2 NAME 'mozillaCustom2' EQUALITY c
aseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.1
21.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.13769.4.3 NAME 'mozillaCustom3' EQUALITY c
aseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.1
21.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.13769.4.4 NAME 'mozillaCustom4' EQUALITY c
aseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.1
21.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.13769.3.1 NAME 'mozillaHomeStreet' EQUALIT
Y caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.11
5.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.13769.3.2 NAME 'mozillaHomeStreet2' EQUALI
TY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.1
15.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.13769.3.3 NAME 'mozillaHomeLocalityName' S
UP name SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.13769.3.4 NAME 'mozillaHomeState' SUP name
SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.13769.3.5 NAME 'mozillaHomePostalCode' EQU
ALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.146
6.115.121.1.15{40} SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.13769.3.6 NAME 'mozillaHomeCountryName' SU
P name SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.13769.3.7 NAME 'mozillaHomeUrl' EQUALITY
caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.13769.3.8 NAME 'mozillaWorkStreet2' EQUAL
ITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.
115.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.13769.3.9 NAME 'mozillaWorkUrl' EQUALITY
caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {13}( 1.3.6.1.4.1.13769.2.1 NAME ( 'mozillaNickname' 'xmozi
llanickname' ) SUP name )
olcAttributeTypes: {14}( 1.3.6.1.4.1.13769.2.2 NAME ( 'mozillaSecondEmail' 'xm
ozillasecondemail' ) EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substrin
gsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
olcAttributeTypes: {15}( 1.3.6.1.4.1.13769.2.3 NAME ( 'mozillaUseHtmlMail' 'xm
ozillausehtmlmail' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {16}( 1.3.6.1.4.1.13769.2.4 NAME ( 'nsAIMid' 'nscpaimscreen
name' ) EQUALITY telephoneNumberMatch SUBSTR telephoneNumberSubstringsMatch S
YNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
olcObjectClasses: {0}( 1.3.6.1.4.1.13769.9.1 NAME 'mozillaAbPersonAlpha' SUP t
op AUXILIARY MUST cn MAY ( c $ description $ displayName $ facsimileTelephone
Number $ givenName $ homePhone $ l $ mail $ mobile $ mozillaCustom1 $ mozilla
Custom2 $ mozillaCustom3 $ mozillaCustom4 $ mozillaHomeCountryName $ mozillaH
omeLocalityName $ mozillaHomePostalCode $ mozillaHomeState $ mozillaHomeStree
t $ mozillaHomeStreet2 $ mozillaHomeUrl $ mozillaNickname $ mozillaSecondEmai
l $ mozillaUseHtmlMail $ mozillaWorkStreet2 $ mozillaWorkUrl $ nsAIMid $ o $
ou $ pager $ postalCode $ postOfficeBox $ sn $ st $ street $ telephoneNumber
$ title ) )
Apply the schema modifications with the following command:
ldapadd -Y EXTERNAL -H ldapi:/// -f mozillaAbPersonAlpha.ldif
==== FreeRADIUS ====
To use [[wp>RADIUS|RADIUS]] to authenticate network users via LAN, Wi-Fi or VPN in conjunction with compatible network switches, routers and access points, download the file below. It was converted from the original, located in ''/usr/share/doc/freeradius/examples/openldap.schema'' on an Ubuntu system once the ''freeradius-ldap'' package has been installed.
dn: cn=freeradius,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: freeradius
olcAttributeTypes: {0}( 1.3.6.1.4.1.3317.4.3.1.1 NAME 'radiusArapFeatures' DES
C '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-
VALUE )
olcAttributeTypes: {1}( 1.3.6.1.4.1.3317.4.3.1.2 NAME 'radiusArapSecurity' DES
C '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-
VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.3317.4.3.1.3 NAME 'radiusArapZoneAccess' D
ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGL
E-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.3317.4.3.1.44 NAME 'radiusAuthType' DESC '
' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VAL
UE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.3317.4.3.1.4 NAME 'radiusCallbackId' DESC
'' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VA
LUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.3317.4.3.1.5 NAME 'radiusCallbackNumber' D
ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGL
E-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.3317.4.3.1.6 NAME 'radiusCalledStationId'
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SING
LE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.3317.4.3.1.7 NAME 'radiusCallingStationId'
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SIN
GLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.3317.4.3.1.8 NAME 'radiusClass' DESC '' EQ
UALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {9}( 1.3.6.1.4.1.3317.4.3.1.45 NAME 'radiusClientIPAddress'
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SIN
GLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.3317.4.3.1.9 NAME 'radiusFilterId' DESC '
' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {11}( 1.3.6.1.4.1.3317.4.3.1.10 NAME 'radiusFramedAppleTalk
Link' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.2
6 SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.3317.4.3.1.11 NAME 'radiusFramedAppleTalk
Network' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.
1.26 )
olcAttributeTypes: {13}( 1.3.6.1.4.1.3317.4.3.1.12 NAME 'radiusFramedAppleTalk
Zone' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.2
6 SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.3317.4.3.1.13 NAME 'radiusFramedCompressi
on' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
olcAttributeTypes: {15}( 1.3.6.1.4.1.3317.4.3.1.14 NAME 'radiusFramedIPAddress
' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SI
NGLE-VALUE )
olcAttributeTypes: {16}( 1.3.6.1.4.1.3317.4.3.1.15 NAME 'radiusFramedIPNetmask
' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SI
NGLE-VALUE )
olcAttributeTypes: {17}( 1.3.6.1.4.1.3317.4.3.1.16 NAME 'radiusFramedIPXNetwor
k' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S
INGLE-VALUE )
olcAttributeTypes: {18}( 1.3.6.1.4.1.3317.4.3.1.17 NAME 'radiusFramedMTU' DESC
'' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-V
ALUE )
olcAttributeTypes: {19}( 1.3.6.1.4.1.3317.4.3.1.18 NAME 'radiusFramedProtocol'
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SIN
GLE-VALUE )
olcAttributeTypes: {20}( 1.3.6.1.4.1.3317.4.3.1.19 NAME 'radiusFramedRoute' DE
SC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {21}( 1.3.6.1.4.1.3317.4.3.1.20 NAME 'radiusFramedRouting'
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SING
LE-VALUE )
olcAttributeTypes: {22}( 1.3.6.1.4.1.3317.4.3.1.46 NAME 'radiusGroupName' DESC
'' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {23}( 1.3.6.1.4.1.3317.4.3.1.47 NAME 'radiusHint' DESC '' E
QUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE
)
olcAttributeTypes: {24}( 1.3.6.1.4.1.3317.4.3.1.48 NAME 'radiusHuntgroupName'
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {25}( 1.3.6.1.4.1.3317.4.3.1.21 NAME 'radiusIdleTimeout' DE
SC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE
-VALUE )
olcAttributeTypes: {26}( 1.3.6.1.4.1.3317.4.3.1.22 NAME 'radiusLoginIPHost' DE
SC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {27}( 1.3.6.1.4.1.3317.4.3.1.23 NAME 'radiusLoginLATGroup'
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SING
LE-VALUE )
olcAttributeTypes: {28}( 1.3.6.1.4.1.3317.4.3.1.24 NAME 'radiusLoginLATNode' D
ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGL
E-VALUE )
olcAttributeTypes: {29}( 1.3.6.1.4.1.3317.4.3.1.25 NAME 'radiusLoginLATPort' D
ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGL
E-VALUE )
olcAttributeTypes: {30}( 1.3.6.1.4.1.3317.4.3.1.26 NAME 'radiusLoginLATService
' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SI
NGLE-VALUE )
olcAttributeTypes: {31}( 1.3.6.1.4.1.3317.4.3.1.27 NAME 'radiusLoginService' D
ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGL
E-VALUE )
olcAttributeTypes: {32}( 1.3.6.1.4.1.3317.4.3.1.28 NAME 'radiusLoginTCPPort' D
ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGL
E-VALUE )
olcAttributeTypes: {33}( 1.3.6.1.4.1.3317.4.3.1.29 NAME 'radiusPasswordRetry'
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SING
LE-VALUE )
olcAttributeTypes: {34}( 1.3.6.1.4.1.3317.4.3.1.30 NAME 'radiusPortLimit' DESC
'' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-V
ALUE )
olcAttributeTypes: {35}( 1.3.6.1.4.1.3317.4.3.1.49 NAME 'radiusProfileDn' DESC
'' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SING
LE-VALUE )
olcAttributeTypes: {36}( 1.3.6.1.4.1.3317.4.3.1.31 NAME 'radiusPrompt' DESC ''
EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALU
E )
olcAttributeTypes: {37}( 1.3.6.1.4.1.3317.4.3.1.50 NAME 'radiusProxyToRealm' D
ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGL
E-VALUE )
olcAttributeTypes: {38}( 1.3.6.1.4.1.3317.4.3.1.51 NAME 'radiusReplicateToReal
m' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S
INGLE-VALUE )
olcAttributeTypes: {39}( 1.3.6.1.4.1.3317.4.3.1.52 NAME 'radiusRealm' DESC ''
EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE
)
olcAttributeTypes: {40}( 1.3.6.1.4.1.3317.4.3.1.32 NAME 'radiusServiceType' DE
SC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE
-VALUE )
olcAttributeTypes: {41}( 1.3.6.1.4.1.3317.4.3.1.33 NAME 'radiusSessionTimeout'
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SIN
GLE-VALUE )
olcAttributeTypes: {42}( 1.3.6.1.4.1.3317.4.3.1.34 NAME 'radiusTerminationActi
on' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
olcAttributeTypes: {43}( 1.3.6.1.4.1.3317.4.3.1.35 NAME 'radiusTunnelAssignmen
tId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
olcAttributeTypes: {44}( 1.3.6.1.4.1.3317.4.3.1.36 NAME 'radiusTunnelMediumTyp
e' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {45}( 1.3.6.1.4.1.3317.4.3.1.37 NAME 'radiusTunnelPassword'
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SIN
GLE-VALUE )
olcAttributeTypes: {46}( 1.3.6.1.4.1.3317.4.3.1.38 NAME 'radiusTunnelPreferenc
e' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {47}( 1.3.6.1.4.1.3317.4.3.1.39 NAME 'radiusTunnelPrivateGr
oupId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
26 )
olcAttributeTypes: {48}( 1.3.6.1.4.1.3317.4.3.1.40 NAME 'radiusTunnelServerEnd
point' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
26 )
olcAttributeTypes: {49}( 1.3.6.1.4.1.3317.4.3.1.41 NAME 'radiusTunnelType' DES
C '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {50}( 1.3.6.1.4.1.3317.4.3.1.42 NAME 'radiusVSA' DESC '' EQ
UALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {51}( 1.3.6.1.4.1.3317.4.3.1.43 NAME 'radiusTunnelClientEnd
point' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
26 )
olcAttributeTypes: {52}( 1.3.6.1.4.1.3317.4.3.1.53 NAME 'radiusSimultaneousUse
' DESC '' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {53}( 1.3.6.1.4.1.3317.4.3.1.54 NAME 'radiusLoginTime' DESC
'' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-V
ALUE )
olcAttributeTypes: {54}( 1.3.6.1.4.1.3317.4.3.1.55 NAME 'radiusUserCategory' D
ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGL
E-VALUE )
olcAttributeTypes: {55}( 1.3.6.1.4.1.3317.4.3.1.56 NAME 'radiusStripUserName'
DESC '' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {56}( 1.3.6.1.4.1.3317.4.3.1.57 NAME 'dialupAccess' DESC ''
EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALU
E )
olcAttributeTypes: {57}( 1.3.6.1.4.1.3317.4.3.1.58 NAME 'radiusExpiration' DES
C '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-
VALUE )
olcAttributeTypes: {58}( 1.3.6.1.4.1.3317.4.3.1.59 NAME 'radiusCheckItem' DESC
'' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {59}( 1.3.6.1.4.1.3317.4.3.1.60 NAME 'radiusReplyItem' DESC
'' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {60}( 1.3.6.1.4.1.3317.4.3.1.61 NAME 'radiusNASIpAddress' D
ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGL
E-VALUE )
olcAttributeTypes: {61}( 1.3.6.1.4.1.3317.4.3.1.62 NAME 'radiusReplyMessage' D
ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: {0}( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' DESC '' S
UP top AUXILIARY MUST cn MAY ( radiusArapFeatures $ radiusArapSecurity $ radi
usArapZoneAccess $ radiusAuthType $ radiusCallbackId $ radiusCallbackNumber $
radiusCalledStationId $ radiusCallingStationId $ radiusClass $ radiusClientI
PAddress $ radiusFilterId $ radiusFramedAppleTalkLink $ radiusFramedAppleTalk
Network $ radiusFramedAppleTalkZone $ radiusFramedCompression $ radiusFramedI
PAddress $ radiusFramedIPNetmask $ radiusFramedIPXNetwork $ radiusFramedMTU $
radiusFramedProtocol $ radiusCheckItem $ radiusReplyItem $ radiusFramedRoute
$ radiusFramedRouting $ radiusIdleTimeout $ radiusGroupName $ radiusHint $ r
adiusHuntgroupName $ radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLAT
Node $ radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $ radi
usLoginTCPPort $ radiusLoginTime $ radiusPasswordRetry $ radiusPortLimit $ ra
diusPrompt $ radiusProxyToRealm $ radiusRealm $ radiusReplicateToRealm $ radi
usServiceType $ radiusSessionTimeout $ radiusStripUserName $ radiusTerminatio
nAction $ radiusTunnelClientEndpoint $ radiusProfileDn $ radiusSimultaneousUs
e $ radiusTunnelAssignmentId $ radiusTunnelMediumType $ radiusTunnelPassword
$ radiusTunnelPreference $ radiusTunnelPrivateGroupId $ radiusTunnelServerEnd
point $ radiusTunnelType $ radiusUserCategory $ radiusVSA $ radiusExpiration
$ dialupAccess $ radiusNASIpAddress $ radiusReplyMessage ) )
olcObjectClasses: {1}( 1.3.6.1.4.1.3317.4.3.2.2 NAME 'radiusObjectProfile' DES
C 'A Container Objectclass to be used for creating radius profile object' SUP
top STRUCTURAL MUST cn MAY ( uid $ userPassword $ description ) )
Apply the schema modifications with the following command:
ldapadd -Y EXTERNAL -H ldapi:/// -f freeradius.ldif
==== Pure FTP ====
To control [[http://www.pureftpd.org/|Pure-FTPd]] users, home directories, quotas, bandwidth, etc. via the directory, load the file below. It was converted from the original, located in ''/usr/share/doc/pure-ftpd-common/pureftpd.schema'' on an Ubuntu system once the ''pure-ftpd-common'' package has been installed.
dn: cn=pureftpd,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: pureftpd
olcAttributeTypes: {0}( 1.3.6.1.4.1.6981.11.3.1 NAME 'FTPQuotaFiles' DESC 'Quo
ta (in number of files) for an FTP user' EQUALITY integerMatch SYNTAX 1.3.6.1
.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.4.1.6981.11.3.2 NAME 'FTPQuotaMBytes' DESC 'Qu
ota (in megabytes) for an FTP user' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.
1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.6981.11.3.3 NAME 'FTPUploadRatio' DESC 'Ra
tio (compared with FTPRatioDown) for uploaded files' EQUALITY integerMatch SY
NTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.6981.11.3.4 NAME 'FTPDownloadRatio' DESC '
Ratio (compared with FTPRatioUp) for downloaded files' EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.6981.11.3.5 NAME 'FTPUploadBandwidth' DESC
'Bandwidth (in KB/s) to limit upload speeds to' EQUALITY integerMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.6981.11.3.6 NAME 'FTPDownloadBandwidth' DE
SC 'Bandwidth (in KB/s) to limit download speeds to' EQUALITY integerMatch SY
NTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.6981.11.3.7 NAME 'FTPStatus' DESC 'Account
status: enabled or disabled' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.
1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.6981.11.3.8 NAME 'FTPuid' DESC 'System uid
(overrides uidNumber if present)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1
466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.6981.11.3.9 NAME 'FTPgid' DESC 'System uid
(overrides gidNumber if present)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1
466.115.121.1.27 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.6981.11.2.3 NAME 'PureFTPdUser' DESC 'PureF
TPd user with optional quota, throttling and ratio' SUP top AUXILIARY MAY ( F
TPStatus $ FTPQuotaFiles $ FTPQuotaMBytes $ FTPUploadRatio $ FTPDownloadRatio
$ FTPUploadBandwidth $ FTPDownloadBandwidth $ FTPuid $ FTPgid ) )
Apply the schema modifications with the following command:
ldapadd -Y EXTERNAL -H ldapi:/// -f pureftpd.ldif
==== SAMBA v3 ====
To run as a SAMBA domain controller and/or share files and printers with Windows systems, download the file below. It was converted from the original, located in ''/usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz'' on an Ubuntu system once the ''samba-doc'' package has been installed.
The file has been modified to include the attributes acctFlags, pwdLastSet, logonTime, logoffTime, kickoffTime, homeDrive, scriptPath, profilePath, userWorkstations, smbHome, rid and primaryGroupID from the SAMBA v2 configuration, as these are used by the Apple OSX schema. This should not cause any problems whether or not you intend to support Macs, but it leaves the option open.
dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.4 NAME 'acctFlags' DESC 'Account
Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} S
INGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.4.1.7165.2.1.3 NAME 'pwdLastSet' DESC 'NT pwdL
astSet' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VAL
UE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.7165.2.1.5 NAME 'logonTime' DESC 'NT logon
Time' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE
)
olcAttributeTypes: {3}( 1.3.6.1.4.1.7165.2.1.6 NAME 'logoffTime' DESC 'NT logo
ffTime' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VAL
UE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.7165.2.1.7 NAME 'kickoffTime' DESC 'NT kic
koffTime' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-V
ALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.7165.2.1.10 NAME 'homeDrive' DESC 'NT home
Drive' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SI
NGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.7165.2.1.11 NAME 'scriptPath' DESC 'NT scr
iptPath' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255
} SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.7165.2.1.12 NAME 'profilePath' DESC 'NT pr
ofilePath' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{2
55} SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.7165.2.1.13 NAME 'userWorkstations' DESC '
userWorkstations' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121
.1.26{255} SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.7165.2.1.17 NAME 'smbHome' DESC 'smbHome'
EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
olcAttributeTypes: {10}( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid' DESC 'NT rid' EQUA
LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID' DESC 'N
T Group RID' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGL
E-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC '
LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.
121.1.26{32} SINGLE-VALUE )
olcAttributeTypes: {13}( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC '
MD4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.
4.1.1466.115.121.1.26{32} SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'A
ccount Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.2
6{16} SINGLE-VALUE )
olcAttributeTypes: {15}( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC '
Timestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.1.4
.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {16}( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC
'Timestamp of when the user is allowed to update the password' EQUALITY inte
gerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {17}( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DES
C 'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1
.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {18}( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'T
imestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121
.1.27 SINGLE-VALUE )
olcAttributeTypes: {19}( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC '
Timestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.1
21.1.27 SINGLE-VALUE )
olcAttributeTypes: {20}( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC
'Timestamp of when the user will be logged off automatically' EQUALITY intege
rMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {21}( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount'
DESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.14
66.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {22}( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' D
ESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.
6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {23}( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC '
Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
{42} SINGLE-VALUE )
olcAttributeTypes: {24}( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'D
river letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTAX 1.
3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
olcAttributeTypes: {25}( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC
'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
1.15{255} SINGLE-VALUE )
olcAttributeTypes: {26}( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC
'Roaming profile path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.1
21.1.15{255} SINGLE-VALUE )
olcAttributeTypes: {27}( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations'
DESC 'List of user workstations the user is allowed to logon to' EQUALITY cas
eIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
olcAttributeTypes: {28}( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Ho
me directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.1
21.1.15{128} )
olcAttributeTypes: {29}( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC '
Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15{128} )
olcAttributeTypes: {30}( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC '
Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1.
4.1.1466.115.121.1.15{1050} )
olcAttributeTypes: {31}( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' D
ESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
olcAttributeTypes: {32}( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Securit
y ID' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1
.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
olcAttributeTypes: {33}( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' D
ESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.
1.1466.115.121.1.26{64} SINGLE-VALUE )
olcAttributeTypes: {34}( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'Sec
urity ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
26{64} )
olcAttributeTypes: {35}( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'N
T Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SING
LE-VALUE )
olcAttributeTypes: {36}( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC
'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.
1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {37}( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC
'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4.
1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {38}( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Nex
t NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1
466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {39}( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase
' DESC 'Base at which the samba RID generation algorithm should operate' EQUA
LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {40}( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC 'S
hare Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SING
LE-VALUE )
olcAttributeTypes: {41}( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC '
Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15{256} )
olcAttributeTypes: {42}( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' DESC '
A boolean option' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 S
INGLE-VALUE )
olcAttributeTypes: {43}( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' DES
C 'An integer option' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
.27 SINGLE-VALUE )
olcAttributeTypes: {44}( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' DESC
'A string option' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121
.1.26 SINGLE-VALUE )
olcAttributeTypes: {45}( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption'
DESC 'A string list option' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.
115.121.1.15 )
olcAttributeTypes: {46}( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC '
Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115
.121.1.26 )
olcAttributeTypes: {47}( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' DESC
'Minimal password length (default: 5)' EQUALITY integerMatch SYNTAX 1.3.6.1.
4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {48}( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength'
DESC 'Length of Password History Entries (default: 0 => off)' EQUALITY intege
rMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {49}( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' DES
C 'Force Users to logon for password change (default: 0 => off, 2 => on)' EQU
ALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {50}( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC 'M
aximum password age, in seconds (default: -1 => never expire passwords)' EQUA
LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {51}( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC 'M
inimum password age, in seconds (default: 0 => allow immediate password chang
e)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {52}( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' D
ESC 'Lockout duration in minutes (default: 30, -1 => forever)' EQUALITY integ
erMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {53}( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservation
Window' DESC 'Reset time after lockout in minutes (default: 30)' EQUALITY int
egerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {54}( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold'
DESC 'Lockout users after bad logon attempts (default: 0 => off)' EQUALITY in
tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {55}( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DESC
'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUALITY
integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {56}( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdCh
ange' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY inte
gerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {57}( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword'
DESC 'Clear text password (used for trusted domain passwords)' EQUALITY octe
tStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {58}( 1.3.6.1.4.1.7165.2.1.69 NAME 'sambaPreviousClearTextP
assword' DESC 'Previous clear text password (used for trusted domain password
s)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'Sam
ba 3.0 Auxilary SAM Account' SUP top AUXILIARY MUST ( uid $ sambaSID ) MAY (
cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ s
ambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $
sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScr
ipt $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGr
oupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBad
PasswordTime $ sambaPasswordHistory $ sambaLogonHours ) )
olcObjectClasses: {1}( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' DESC 'S
amba Group Mapping' SUP top AUXILIARY MUST ( gidNumber $ sambaSID $ sambaGrou
pType ) MAY ( displayName $ description $ sambaSIDList ) )
olcObjectClasses: {2}( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' DESC
'Samba Trust Password' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaNTPas
sword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet ) )
olcObjectClasses: {3}( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPasswor
d' DESC 'Samba Trusted Domain Password' SUP top STRUCTURAL MUST ( sambaDomain
Name $ sambaSID $ sambaClearTextPassword $ sambaPwdLastSet ) MAY sambaPreviou
sClearTextPassword )
olcObjectClasses: {4}( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' DESC 'Samba D
omain Information' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID ) MAY
( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidB
ase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaM
axPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWin
dow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange
) )
olcObjectClasses: {5}( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' DESC 'Poo
l for allocating UNIX uids/gids' SUP top AUXILIARY MUST ( uidNumber $ gidNumb
er ) )
olcObjectClasses: {6}( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' DESC 'Map
ping from a SID to an ID' SUP top AUXILIARY MUST sambaSID MAY ( uidNumber $ g
idNumber ) )
olcObjectClasses: {7}( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' DESC 'Struc
tural Class for a SID' SUP top STRUCTURAL MUST sambaSID )
olcObjectClasses: {8}( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' DESC 'Samba
Configuration Section' SUP top AUXILIARY MAY description )
olcObjectClasses: {9}( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' DESC 'Samba S
hare Section' SUP top STRUCTURAL MUST sambaShareName MAY description )
olcObjectClasses: {10}( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' DESC
'Samba Configuration Option' SUP top STRUCTURAL MUST sambaOptionName MAY ( sa
mbaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListoptio
n $ description ) )
Apply the schema modifications with the following command:
ldapadd -Y EXTERNAL -H ldapi:/// -f samba.ldif
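A cheap pre-flight check before handing a schema LDIF to ldapadd catches the two things that most often go wrong when one of these files is edited by hand: an object class whose MUST or MAY list names an attribute type nobody defines, and {n} order prefixes that no longer run in sequence after a definition was moved. The Python below is an added example, not part of this page or of the Samba or Apple schema files; the sample entry is a constructed, trimmed cut of the samba.ldif above (with sambaSIDList deliberately left undefined), and the list of base attributes assumed to be loaded already is an assumption to adjust for your server.

```python
import re

# Attribute types assumed to come from schemas already loaded on the server
# (core, cosine, nis). This list is an assumption; extend it for your setup.
BASE_ATTRIBUTES = frozenset({
    "cn", "uid", "uidNumber", "gidNumber", "displayName", "description"})

# Constructed sample: a trimmed entry in the shape of the page's samba.ldif.
# sambaSIDList is deliberately left undefined so the check has a finding.
SAMPLE_LDIF = """\
dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Securit
 y ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} S
 INGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'N
 T Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SING
 LE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' DESC 'S
 amba Group Mapping' SUP top AUXILIARY MUST ( gidNumber $ sambaSID $ sambaGrou
 pType ) MAY ( displayName $ description $ sambaSIDList ) )
"""

# NAME is either one quoted token or a parenthesised list of quoted tokens.
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")
# MUST / MAY take one bare name or a parenthesised, $-separated list.
_LIST_RE = {kw: re.compile(r"\b" + kw + r"\s+(?:\(\s*([^)]*)\)|([\w-]+))")
            for kw in ("MUST", "MAY")}
_INDEX_RE = re.compile(r"^\{(\d+)\}")


def unfold_ldif(text):
    """Join RFC 2849 continuation lines (leading single space) onto the
    preceding line, dropping that space; blank lines are skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines


def _names(definition):
    """Every NAME of an attribute type or object class definition."""
    m = _NAME_RE.search(definition)
    if not m:
        return []
    return [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))


def _attr_list(definition, keyword):
    """Attribute names listed in the MUST or MAY clause of a definition."""
    m = _LIST_RE[keyword].search(definition)
    if not m:
        return []
    body = m.group(1) if m.group(1) is not None else m.group(2)
    return [a.strip() for a in body.split("$") if a.strip()]


def parse_schema_entry(text):
    """Parse one olcSchemaConfig entry: its dn, the attribute types it defines
    and its object classes with their {n} order index and MUST/MAY lists."""
    entry = {"dn": None, "attribute_types": [], "object_classes": []}
    for line in unfold_ldif(text):
        key, _, value = line.partition(":")
        value = value.strip()
        idx = _INDEX_RE.match(value)
        index = int(idx.group(1)) if idx else None
        if key == "dn":
            entry["dn"] = value
        elif key == "olcAttributeTypes":
            entry["attribute_types"].append({"index": index, "names": _names(value)})
        elif key == "olcObjectClasses":
            entry["object_classes"].append({
                "index": index, "names": _names(value),
                "must": _attr_list(value, "MUST"), "may": _attr_list(value, "MAY")})
    return entry


def undefined_references(entry, known=BASE_ATTRIBUTES):
    """Map each object class to the attributes it lists that are defined
    neither in this entry nor in the assumed base schemas. LDAP short names
    are case-insensitive, so the comparison is made in lower case."""
    defined = {n.lower() for at in entry["attribute_types"] for n in at["names"]}
    defined |= {n.lower() for n in known}
    problems = {}
    for oc in entry["object_classes"]:
        missing = sorted(a for a in oc["must"] + oc["may"] if a.lower() not in defined)
        if missing:
            problems[oc["names"][0]] = missing
    return problems


def index_gaps(entry):
    """(list, position, index) for every {n} prefix that is not the next number
    in sequence, the usual symptom of a hand edit that moved a definition."""
    gaps = []
    for key in ("attribute_types", "object_classes"):
        for pos, item in enumerate(entry[key]):
            if item["index"] != pos:
                gaps.append((key, pos, item["index"]))
    return gaps
```

Run `undefined_references` and `index_gaps` over `parse_schema_entry(open("samba.ldif").read())` and fix anything reported before the ldapadd step; a file with several entries must be split on blank lines first.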
==== Apple OS X ====
To support Apple [[http://www.apple.com/mac/|Macintosh]] computers and their policies via [[wp>Workgroup_Manager|Workgroup Manager]], download the two files below. They have been converted from the originals found in ''/etc/openldap/schema/'' on any Mac running OS X Lion (10.7).
The apple.schema file has been modified to include the attributes authAuthority, apple-user-homeDirectory and apple-acl-entry. The definition authAuthority has been moved to the beginning of the file, prior to its use. The object class apple-user has been extended to include the attribute apple-user-homeDirectory.
dn: cn=apple_auxillary,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: apple_auxillary
olcAttributeTypes: {0}( 1.2.840.113556.1.4.867 NAME 'altSecurityIdentities' EQ
UALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.14
66.115.121.1.15 )
olcAttributeTypes: {1}( 1.2.840.113556.1.4.771 NAME 'servicePrincipalName' EQU
ALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.
115.121.1.15 )
dn: cn=apple,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: apple
olcAttributeTypes: {0}( 1.3.6.1.4.1.63.1000.1.1.2.16.1 NAME 'authAuthority' DE
SC 'password server authentication authority' EQUALITY caseExactIA5Match SUBS
TR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.250.1.60 NAME 'ttl' EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.63.1000.1.1.1.1.6 NAME 'apple-user-homeurl
' DESC 'home directory URL' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Sub
stringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.63.1000.1.1.1.1.7 NAME 'apple-user-class'
DESC 'user class' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMat
ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.63.1000.1.1.1.1.8 NAME 'apple-user-homequo
ta' DESC 'home directory quota' EQUALITY caseExactIA5Match SUBSTR caseExactIA
5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.63.1000.1.1.1.1.9 NAME 'apple-user-mailatt
ribute' DESC 'mail attribute' EQUALITY caseExactMatch SUBSTR caseExactSubstri
ngsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.63.1000.1.1.1.1.10 NAME 'apple-mcxflags' D
ESC 'mcx flags' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTA
X 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.63.1000.1.1.1.1.16 NAME ( 'apple-mcxsettin
gs' 'apple-mcxsettings2' ) DESC 'mcx settings' EQUALITY caseExactMatch SUBSTR
caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {8}( 1.3.6.1.4.1.63.1000.1.1.1.1.12 NAME 'apple-user-pictur
e' DESC 'picture' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYN
TAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.63.1000.1.1.1.1.13 NAME 'apple-user-printa
ttribute' DESC 'print attribute' EQUALITY caseExactMatch SUBSTR caseExactSubs
tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.63.1000.1.1.1.1.14 NAME 'apple-user-admin
limits' DESC 'admin limits' EQUALITY caseExactMatch SUBSTR caseExactSubstring
sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.63.1000.1.1.1.1.15 NAME 'apple-user-authe
nticationhint' DESC 'password hint' EQUALITY caseExactMatch SUBSTR caseExactS
ubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.63.1000.1.1.1.1.17 NAME 'apple-user-homes
oftquota' DESC 'home directory soft quota' EQUALITY caseExactIA5Match SUBSTR
caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE
)
olcAttributeTypes: {13}( 1.3.6.1.4.1.63.1000.1.1.1.1.18 NAME 'apple-user-passw
ordpolicy' DESC 'password policy options' EQUALITY caseExactMatch SUBSTR case
ExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.63.1000.1.1.1.1.19 NAME 'apple-keyword' D
ESC 'keywords' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {15}( 1.3.6.1.4.1.63.1000.1.1.1.1.20 NAME 'apple-generatedu
id' DESC 'generated unique ID' EQUALITY caseExactMatch SUBSTR caseExactSubstr
ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {16}( 1.3.6.1.4.1.63.1000.1.1.1.1.21 NAME 'apple-imhandle'
DESC 'IM handle (service:account name)' EQUALITY caseExactMatch SUBSTR caseEx
actSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {17}( 1.3.6.1.4.1.63.1000.1.1.1.1.22 NAME 'apple-webloguri'
DESC 'Weblog URI' EQUALITY caseIgnoreMatch SUBSTR caseExactSubstringsMatch S
YNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {18}( 1.3.6.1.4.1.63.1000.1.1.1.1.23 NAME 'apple-mapcoordin
ates' DESC 'Map Coordinates' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Su
bstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {19}( 1.3.6.1.4.1.63.1000.1.1.1.1.24 NAME 'apple-postaladdr
esses' DESC 'Postal Addresses' EQUALITY caseExactIA5Match SUBSTR caseExactIA5
SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {20}( 1.3.6.1.4.1.63.1000.1.1.1.1.25 NAME 'apple-phoneconta
cts' DESC 'Phone Contacts' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Subs
tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {21}( 1.3.6.1.4.1.63.1000.1.1.1.1.26 NAME 'apple-emailconta
cts' DESC 'EMail Contacts' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Subs
tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {22}( 1.3.6.1.4.1.63.1000.1.1.1.1.27 NAME 'apple-birthday'
DESC 'Birthday' EQUALITY generalizedTimeMatch SUBSTR caseExactIA5SubstringsMa
tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
olcAttributeTypes: {23}( 1.3.6.1.4.1.63.1000.1.1.1.1.28 NAME 'apple-relationsh
ips' DESC 'Relationships' EQUALITY caseExactMatch SUBSTR caseExactSubstringsM
atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {24}( 1.3.6.1.4.1.63.1000.1.1.1.1.29 NAME 'apple-company' D
ESC 'company' EQUALITY caseIgnoreMatch SUBSTR caseExactSubstringsMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {25}( 1.3.6.1.4.1.63.1000.1.1.1.1.30 NAME 'apple-nickname'
DESC 'nickname' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTA
X 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {26}( 1.3.6.1.4.1.63.1000.1.1.1.1.31 NAME 'apple-mapuri' DE
SC 'Map URI' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SY
NTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {27}( 1.3.6.1.4.1.63.1000.1.1.1.1.32 NAME 'apple-mapguid' D
ESC 'map GUID' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {28}( 1.3.6.1.4.1.63.1000.1.1.1.1.33 NAME 'apple-serviceslo
cator' DESC 'Calendar Principal URI' EQUALITY caseExactMatch SUBSTR caseExact
SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {29}( 1.3.6.1.4.1.63.1000.1.1.1.1.34 NAME 'apple-organizati
oninfo' DESC 'Originization Info data' EQUALITY caseExactMatch SUBSTR caseExa
ctSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {30}( 1.3.6.1.4.1.63.1000.1.1.1.1.35 NAME 'apple-namesuffix
' DESC 'namesuffix' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch S
YNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {31}( 1.3.6.1.4.1.63.1000.1.1.1.1.36 NAME 'apple-primarycom
puterlist' DESC 'primary computer list' EQUALITY caseExactMatch SUBSTR caseEx
actSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {32}( 1.3.6.1.4.1.63.1000.1.1.1.1.100 NAME 'apple-user-home
Directory' DESC 'The absolute path to the home directory' EQUALITY caseExactI
A5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {33}( 1.3.6.1.4.1.63.1000.1.1.1.14.1 NAME 'apple-group-home
url' DESC 'group home url' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Subs
tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {34}( 1.3.6.1.4.1.63.1000.1.1.1.14.2 NAME 'apple-group-home
owner' DESC 'group home owner settings' EQUALITY caseExactIA5Match SUBSTR cas
eExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {35}( 1.3.6.1.4.1.63.1000.1.1.1.14.5 NAME 'apple-group-real
name' DESC 'group real name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstr
ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {36}( 1.3.6.1.4.1.63.1000.1.1.1.14.6 NAME 'apple-group-nest
edgroup' DESC 'group real name' EQUALITY caseExactMatch SUBSTR caseExactSubst
ringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {37}( 1.3.6.1.4.1.63.1000.1.1.1.14.7 NAME 'apple-group-memb
erguid' DESC 'group real name' EQUALITY caseExactMatch SUBSTR caseExactSubstr
ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {38}( 1.3.6.1.4.1.63.1000.1.1.1.14.8 NAME 'apple-group-serv
ices' DESC 'group services' EQUALITY caseExactMatch SUBSTR caseExactSubstring
sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {39}( 1.3.6.1.4.1.63.1000.1.1.1.14.9 NAME 'apple-contactgui
d' DESC 'contact GUID' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatc
h SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {40}( 1.3.6.1.4.1.63.1000.1.1.1.14.10 NAME 'apple-ownerguid
' DESC 'owner GUID' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch S
YNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {41}( 1.3.6.1.4.1.63.1000.1.1.1.14.11 NAME 'apple-primaryco
mputerguid' DESC 'primary computer GUID' EQUALITY caseExactMatch SUBSTR caseE
xactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {42}( 1.3.6.1.4.1.63.1000.1.1.1.14.12 NAME 'apple-group-exp
andednestedgroup' DESC 'expanded nested group list' EQUALITY caseExactMatch S
UBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {43}( 1.3.6.1.4.1.63.1000.1.1.1.14.13 NAME 'apple-selfwrite
' DESC 'selfwrite flag' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMat
ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {44}( 1.3.6.1.4.1.63.1000.1.1.1.14.14 NAME 'apple-locale-re
lay' DESC 'designated locale relay server for replication' EQUALITY caseExact
Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {45}( 1.3.6.1.4.1.63.1000.1.1.1.14.15 NAME 'apple-locale-su
bnets' DESC 'subnets associated with a locale' EQUALITY caseExactMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {46}( 1.3.6.1.4.1.63.1000.1.1.1.3.8 NAME 'apple-machine-sof
tware' DESC 'installed system software' EQUALITY caseIgnoreIA5Match SUBSTR ca
seIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {47}( 1.3.6.1.4.1.63.1000.1.1.1.3.9 NAME 'apple-machine-har
dware' DESC 'system hardware description' EQUALITY caseIgnoreIA5Match SUBSTR
caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {48}( 1.3.6.1.4.1.63.1000.1.1.1.3.10 NAME 'apple-machine-se
rves' DESC 'NetInfo Domain Server Binding' EQUALITY caseExactIA5Match SUBSTR
caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {49}( 1.3.6.1.4.1.63.1000.1.1.1.3.11 NAME 'apple-machine-su
ffix' DESC 'DIT suffix' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsM
atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {50}( 1.3.6.1.4.1.63.1000.1.1.1.3.12 NAME 'apple-machine-co
ntactperson' DESC 'Name of contact person/owner of this machine' EQUALITY cas
eIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121
.1.15 )
olcAttributeTypes: {51}( 1.3.6.1.4.1.63.1000.1.1.1.22.1 NAME 'attributeTypesCo
nfig' DESC 'RFC2252: attribute types' EQUALITY caseExactMatch SUBSTR caseExac
tSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {52}( 1.3.6.1.4.1.63.1000.1.1.1.22.2 NAME 'objectClassesCon
fig' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4
.1.1466.115.121.1.15 )
olcAttributeTypes: {53}( 1.3.6.1.4.1.63.1000.1.1.1.8.1 NAME 'mountDirectory' D
ESC 'mount path' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNT
AX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {54}( 1.3.6.1.4.1.63.1000.1.1.1.8.2 NAME 'mountType' DESC '
mount VFS type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMat
ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {55}( 1.3.6.1.4.1.63.1000.1.1.1.8.3 NAME 'mountOption' DESC
'mount options' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMa
tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {56}( 1.3.6.1.4.1.63.1000.1.1.1.8.4 NAME 'mountDumpFrequenc
y' DESC 'mount dump frequency' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreI
A5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {57}( 1.3.6.1.4.1.63.1000.1.1.1.8.5 NAME 'mountPassNo' DESC
'mount passno' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMat
ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {58}( 1.3.6.1.4.1.63.1000.1.1.1.9.1 NAME 'apple-printer-att
ributes' DESC 'printer attributes in /etc/printcap format' EQUALITY caseIgnor
eIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121
.1.26 )
olcAttributeTypes: {59}( 1.3.6.1.4.1.63.1000.1.1.1.9.2 NAME 'apple-printer-lpr
host' DESC 'printer LPR host name' EQUALITY caseIgnoreMatch SUBSTR caseIgnore
SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {60}( 1.3.6.1.4.1.63.1000.1.1.1.9.3 NAME 'apple-printer-lpr
queue' DESC 'printer LPR queue' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSub
stringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {61}( 1.3.6.1.4.1.63.1000.1.1.1.9.4 NAME 'apple-printer-typ
e' DESC 'printer type' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMa
tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {62}( 1.3.6.1.4.1.63.1000.1.1.1.9.5 NAME 'apple-printer-not
e' DESC 'printer note' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMa
tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {63}( 1.3.6.1.4.1.63.1000.1.1.1.10.2 NAME 'apple-realname'
DESC 'real name' EQUALITY caseIgnoreMatch SUBSTR caseExactSubstringsMatch SYN
TAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {64}( 1.3.6.1.4.1.63.1000.1.1.1.10.3 NAME 'apple-networkvie
w' DESC 'Network view for the computer' EQUALITY caseExactMatch SUBSTR caseEx
actSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {65}( 1.3.6.1.4.1.63.1000.1.1.1.10.4 NAME 'apple-category'
DESC 'Category for the computer or neighborhood' EQUALITY caseExactMatch SUBS
TR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {66}( 1.3.6.1.4.1.63.1000.1.1.1.10.5 NAME 'apple-srv' DESC
'List of services to advertize via srv records' EQUALITY caseExactMatch SUBST
R caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {67}( 1.3.6.1.4.1.63.1000.1.1.1.10.6 NAME 'apple-primary-lo
cale' DESC 'primary locale for replication' EQUALITY caseExactMatch SYNTAX 1.
3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {68}( 1.3.6.1.4.1.63.1000.1.1.1.10.7 NAME 'apple-parentloca
les' DESC 'parent locale' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115
.121.1.15 )
olcAttributeTypes: {69}( 1.3.6.1.4.1.63.1000.1.1.1.10.8 NAME 'apple-networkint
erfaces' DESC 'list of available network interfaces' EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {70}( 1.3.6.1.4.1.63.1000.1.1.1.11.3 NAME 'apple-computers'
DESC 'computers' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYN
TAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {71}( 1.3.6.1.4.1.63.1000.1.1.1.11.4 NAME 'apple-computer-l
ist-groups' DESC 'groups' EQUALITY caseExactMatch SUBSTR caseExactSubstringsM
atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {72}( 1.3.6.1.4.1.63.1000.1.1.1.17.1 NAME 'apple-xmlplist'
DESC 'XML plist data' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {73}( 1.3.6.1.4.1.63.1000.1.1.1.19.2 NAME 'apple-service-ur
l' DESC 'URL of service' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Substr
ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {74}( 1.3.6.1.4.1.63.1000.1.1.1.19.6 NAME 'apple-serviceinf
o' DESC 'service related information' EQUALITY caseExactMatch SUBSTR caseExac
tSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {75}( 1.3.6.1.4.1.63.1000.1.1.1.19.7 NAME 'apple-hwuuid' DE
SC 'Hardware uuid of computer' EQUALITY caseExactMatch SUBSTR caseExactSubstr
ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {76}( 1.3.6.1.4.1.63.1000.1.1.1.19.8 NAME 'apple-ldap-serve
rid' DESC 'ID used by LDAP' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115
.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {77}( 1.3.6.1.4.1.63.1000.1.1.1.12.1 NAME 'apple-password-s
erver-location' DESC 'password server location' EQUALITY caseExactIA5Match SU
BSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-
VALUE )
olcAttributeTypes: {78}( 1.3.6.1.4.1.63.1000.1.1.1.12.2 NAME 'apple-data-stamp
' DESC 'data stamp' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsM
atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {79}( 1.3.6.1.4.1.63.1000.1.1.1.12.3 NAME 'apple-config-rea
lname' DESC 'config real name' EQUALITY caseExactIA5Match SUBSTR caseExactIA5
SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {80}( 1.3.6.1.4.1.63.1000.1.1.1.12.4 NAME 'apple-password-s
erver-list' DESC 'password server replication plist' EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-V
ALUE )
olcAttributeTypes: {81}( 1.3.6.1.4.1.63.1000.1.1.1.12.5 NAME 'apple-ldap-repli
ca' DESC 'LDAP replication list' EQUALITY caseExactMatch SUBSTR caseExactSubs
tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {82}( 1.3.6.1.4.1.63.1000.1.1.1.12.6 NAME 'apple-ldap-writa
ble-replica' DESC 'LDAP writable replication list' EQUALITY caseExactMatch SU
BSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {83}( 1.3.6.1.4.1.63.1000.1.1.1.12.7 NAME 'apple-kdc-authke
y' DESC 'KDC master key RSA encrypted with realm public key' EQUALITY caseExa
ctMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
olcAttributeTypes: {84}( 1.3.6.1.4.1.63.1000.1.1.1.12.8 NAME 'apple-kdc-config
data' DESC 'Contents of the kdc.conf file' EQUALITY caseExactMatch SUBSTR cas
eExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {85}( 1.3.6.1.4.1.63.1000.1.1.1.12.9 NAME 'apple-last-serve
rid' DESC 'Last serverID used' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.
115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {86}( 1.3.6.1.4.1.63.1000.1.1.1.15.1 NAME 'apple-preset-use
r-is-admin' DESC 'flag indicating whether the preset user is an administrator
' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.
1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {87}( 1.3.6.1.4.1.63.1000.1.1.1.18.1 NAME 'apple-dns-domain
' DESC 'DNS domain' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch S
YNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {88}( 1.3.6.1.4.1.63.1000.1.1.1.18.2 NAME 'apple-dns-namese
rver' DESC 'DNS name server list' EQUALITY caseExactMatch SUBSTR caseExactSub
stringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {89}( 1.3.6.1.4.1.63.1000.1.1.1.19.1 NAME 'apple-service-ty
pe' DESC 'type of service' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Subs
tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {90}( 1.3.6.1.4.1.63.1000.1.1.1.19.3 NAME 'apple-service-po
rt' DESC 'Service port number' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.
115.121.1.27 )
olcAttributeTypes: {91}( 1.3.6.1.4.1.63.1000.1.1.1.19.4 NAME 'apple-dnsname' D
ESC 'DNS name' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {92}( 1.3.6.1.4.1.63.1000.1.1.1.19.5 NAME 'apple-service-lo
cation' DESC 'Service location' EQUALITY caseExactMatch SUBSTR caseExactSubst
ringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {93}( 1.3.6.1.4.1.63.1000.1.1.1.20.1 NAME 'apple-nodepathxm
l' DESC 'XML plist of directory node path' EQUALITY caseExactMatch SUBSTR cas
eExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {94}( 1.3.6.1.4.1.63.1000.1.1.1.20.2 NAME 'apple-neighborho
odalias' DESC 'XML plist referring to another neighborhood record' EQUALITY c
aseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121
.1.15 )
olcAttributeTypes: {95}( 1.3.6.1.4.1.63.1000.1.1.1.20.3 NAME 'apple-computeral
ias' DESC 'XML plist referring to a computer record' EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {96}( 1.3.6.1.4.1.63.1000.1.1.1.21.1 NAME 'apple-acl-entry'
DESC 'acl entry' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYN
TAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {97}( 1.3.6.1.4.1.63.1000.1.1.1.23.1 NAME 'apple-resource-t
ype' DESC 'resource type' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Subst
ringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {98}( 1.3.6.1.4.1.63.1000.1.1.1.23.2 NAME 'apple-resource-i
nfo' DESC 'resource info' EQUALITY caseExactMatch SUBSTR caseExactSubstringsM
atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {99}( 1.3.6.1.4.1.63.1000.1.1.1.23.3 NAME 'apple-capacity'
DESC 'capacity' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SI
NGLE-VALUE )
olcAttributeTypes: {100}( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'autom
ount Map Name' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 S
INGLE-VALUE )
olcAttributeTypes: {101}( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'Automount
Key value' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SING
LE-VALUE )
olcAttributeTypes: {102}( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'A
utomount information' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121
.1.15 SINGLE-VALUE )
olcAttributeTypes: {103}( 1.3.6.1.1.1.1.35 NAME 'lastLoginTime' EQUALITY gener
alizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
olcAttributeTypes: {104}( 1.3.6.1.1.1.1.36 NAME 'passwordModDate' EQUALITY gen
eralizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
olcAttributeTypes: {105}( 1.3.6.1.1.1.1.37 NAME 'authGUID' EQUALITY caseIgnore
Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 S
INGLE-VALUE )
olcAttributeTypes: {106}( 1.3.6.1.1.1.1.38 NAME 'loginFailedAttempts' EQUALITY
integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {107}( 1.3.6.1.1.1.1.39 NAME 'userLinkage' EQUALITY caseIgn
oreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1
5 SINGLE-VALUE )
olcAttributeTypes: {108}( 1.3.6.1.1.1.1.40 NAME 'disableReason' EQUALITY caseI
gnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {109}( 1.3.6.1.1.1.1.42 NAME 'cmusaslsecretSMBNT' EQUALITY
octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {110}( 1.3.6.1.1.1.1.43 NAME 'cmusaslsecretSMBLM' EQUALITY
octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {111}( 1.3.6.1.1.1.1.44 NAME 'cmusaslsecretDIGEST-MD5' EQUA
LITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {112}( 1.3.6.1.1.1.1.45 NAME 'cmusaslsecretCRAM-MD5' EQUALI
TY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {113}( 1.3.6.1.1.1.1.46 NAME 'cmusaslsecretPPS' EQUALITY oc
tetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {114}( 1.3.6.1.1.1.1.47 NAME 'KerberosRealmName' EQUALITY c
aseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {115}( 1.3.6.1.1.1.1.48 NAME 'KerberosPrincName' EQUALITY c
aseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {116}( 1.3.6.1.1.1.1.49 NAME 'password' EQUALITY octetStrin
gMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {117}( 1.3.6.1.1.1.1.50 NAME 'adminGroups' SYNTAX 1.3.6.1.4
.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {118}( 1.3.6.1.1.1.1.55 NAME 'creationDate' EQUALITY genera
lizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
olcAttributeTypes: {119}( 1.3.6.1.1.1.1.56 NAME 'historyData' EQUALITY octetSt
ringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {120}( 1.3.6.1.1.1.1.86 NAME 'draft-krbPrincipalName' DESC
'Canonical principal name' EQUALITY caseExactIA5Match SUBSTR caseExactSubstri
ngsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {121}( 1.3.6.1.1.1.1.87 NAME 'draft-krbRealmName' EQUALITY
octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {122}( 1.3.6.1.1.1.1.88 NAME 'draft-krbPrincipalAliases' SU
P draft-krbPrincipalName )
olcAttributeTypes: {123}( 1.3.6.1.1.1.1.89 NAME 'draft-krbTicketMaxLife' EQUAL
ITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.12
1.1.27 SINGLE-VALUE )
olcAttributeTypes: {124}( 1.3.6.1.1.1.1.90 NAME 'draft-krbTicketMaxRenewal' EQ
UALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115
.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {125}( 1.3.6.1.1.1.1.91 NAME 'draft-krbEncSaltTypes' EQUALI
TY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {126}( 1.3.6.1.1.1.1.92 NAME 'draft-krbKeySet' EQUALITY oct
etStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {127}( 1.3.6.1.1.1.1.93 NAME 'draft-krbKeyVersion' EQUALITY
integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
.27 SINGLE-VALUE )
olcAttributeTypes: {128}( 1.3.6.1.1.1.1.94 NAME 'draft-krbPrincipalRealm' DESC
'DN of krbRealm entry' SUP distinguishedName )
olcAttributeTypes: {129}( 1.3.6.1.1.1.1.95 NAME 'draft-krbTicketPolicy' EQUALI
TY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {130}( 1.3.6.1.1.1.1.96 NAME 'draft-krbExtraData' EQUALITY
octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {131}( 1.3.6.1.1.1.1.98 NAME 'draft-krbPrincipalACL' EQUALI
TY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {132}( 1.3.6.1.1.1.1.97 NAME 'crschallenge' EQUALITY caseIg
noreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {133}( 1.3.6.1.1.1.1.103 NAME 'ownerGUIDList' DESC 'compute
r account owner GUID' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.12
1.1.15 )
olcAttributeTypes: {134}( 1.3.6.1.1.1.1.76 NAME 'weakAuthMethod' EQUALITY case
IgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {135}( 1.3.6.1.1.1.1.77 NAME 'PWSPrivateKey' EQUALITY octet
StringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {136}( 1.3.6.1.1.1.1.78 NAME 'PWSPublicKey' EQUALITY caseIg
noreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {137}( 1.3.6.1.1.1.1.79 NAME 'apple-transactionID' EQUALITY
caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {138}( 1.3.6.1.1.1.1.80 NAME 'apple-pkiStatus' EQUALITY int
egerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {139}( 1.3.6.1.1.1.1.81 NAME 'apple-failInfo' EQUALITY inte
gerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {140}( 1.3.6.1.1.1.1.82 NAME 'apple-certificateSigningReque
st' EQUALITY certificateExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 SINGLE
-VALUE )
olcAttributeTypes: {141}( 1.3.6.1.1.1.1.83 NAME 'apple-device-guid' EQUALITY c
aseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {142}( 1.3.6.1.1.1.1.84 NAME 'apple-issuer' EQUALITY caseIg
noreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {143}( 1.3.6.1.1.1.1.85 NAME 'apple-serialNumber' EQUALITY
caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {144}( 1.3.6.1.1.1.1.99 NAME 'apple-revocationReason' EQUAL
ITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {145}( 1.3.6.1.1.1.1.100 NAME 'apple-revocationDate' EQUALI
TY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
olcAttributeTypes: {146}( 1.3.6.1.1.1.1.101 NAME 'apple-validNotBefore' EQUALI
TY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
olcAttributeTypes: {147}( 1.3.6.1.1.1.1.102 NAME 'apple-validNotAfter' EQUALIT
Y generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
olcObjectClasses: {0}( 1.2.840.113556.1.3.23 NAME 'container' SUP top STRUCTUR
AL MUST cn )
olcObjectClasses: {1}( 1.3.6.1.4.1.250.3.18 NAME 'cacheObject' DESC 'Auxiliary
object class to hold TTL caching information' SUP top AUXILIARY MAY ttl )
olcObjectClasses: {2}( 1.3.6.1.4.1.63.1000.1.1.2.1 NAME 'apple-user' DESC 'app
le user account' SUP top AUXILIARY MAY ( apple-user-homeurl $ apple-user-clas
s $ apple-user-homequota $ apple-user-mailattribute $ apple-user-printattribu
te $ apple-mcxflags $ apple-mcxsettings $ apple-user-adminlimits $ apple-user
-picture $ apple-user-authenticationhint $ apple-user-homesoftquota $ apple-u
ser-passwordpolicy $ apple-keyword $ apple-generateduid $ apple-imhandle $ ap
ple-webloguri $ authAuthority $ acctFlags $ pwdLastSet $ logonTime $ logoffTi
me $ kickoffTime $ homeDrive $ scriptPath $ profilePath $ userWorkstations $
smbHome $ rid $ apple-user-homeDirectory $ primaryGroupID $ sambaSID $ sambaP
rimaryGroupSID $ userCertificate $ userPKCS12 $ jpegPhoto $ apple-nickname $
apple-namesuffix $ apple-birthday $ apple-relationships $ apple-organizationi
nfo $ apple-phonecontacts $ apple-emailcontacts $ apple-postaladdresses $ app
le-mapcoordinates $ apple-mapuri $ apple-mapguid $ apple-serviceslocator $ al
tSecurityIdentities ) )
olcObjectClasses: {3}( 1.3.6.1.4.1.63.1000.1.1.2.14 NAME 'apple-group' DESC 'g
roup account' SUP top AUXILIARY MAY ( apple-group-homeurl $ apple-group-homeo
wner $ apple-mcxflags $ apple-mcxsettings $ apple-group-realname $ apple-user
-picture $ apple-keyword $ apple-generateduid $ apple-group-nestedgroup $ app
le-group-memberguid $ mail $ rid $ sambaSID $ ttl $ jpegPhoto $ apple-group-s
ervices $ apple-contactguid $ apple-ownerguid $ labeledURI $ apple-locale-rel
ay $ apple-locale-subnets $ apple-serviceslocator ) )
olcObjectClasses: {4}( 1.3.6.1.4.1.63.1000.1.1.2.3 NAME 'apple-machine' SUP to
p AUXILIARY MAY ( apple-machine-software $ apple-machine-hardware $ apple-mac
hine-serves $ apple-machine-suffix $ apple-machine-contactperson ) )
olcObjectClasses: {5}( 1.3.6.1.4.1.63.1000.1.1.2.8 NAME 'mount' SUP top STRUCT
URAL MUST cn MAY ( mountDirectory $ mountType $ mountOption $ mountDumpFreque
ncy $ mountPassNo ) )
olcObjectClasses: {6}( 1.3.6.1.4.1.63.1000.1.1.2.9 NAME 'apple-printer' SUP to
p STRUCTURAL MUST cn MAY ( apple-printer-attributes $ apple-printer-lprhost $
apple-printer-lprqueue $ apple-printer-type $ apple-printer-note ) )
olcObjectClasses: {7}( 1.3.6.1.4.1.63.1000.1.1.2.10 NAME 'apple-computer' DESC
'computer' SUP top STRUCTURAL MUST cn MAY ( apple-realname $ description $ m
acAddress $ apple-category $ apple-computer-list-groups $ apple-keyword $ app
le-mcxflags $ apple-mcxsettings $ apple-networkview $ apple-xmlplist $ apple-
service-url $ apple-serviceinfo $ apple-serviceslocator $ apple-primarycomput
erlist $ apple-ldap-serverid $ authAuthority $ uidNumber $ gidNumber $ apple-
generateduid $ ttl $ acctFlags $ pwdLastSet $ logonTime $ logoffTime $ kickof
fTime $ rid $ primaryGroupID $ sambaSID $ sambaPrimaryGroupSID $ owner $ appl
e-ownerguid $ apple-contactguid $ ipHostNumber $ bootFile $ apple-hwuuid $ ap
ple-srv $ apple-primary-locale $ apple-parentlocales $ apple-networkinterface
s $ userCertificate $ userPKCS12 ) )
olcObjectClasses: {8}( 1.3.6.1.4.1.63.1000.1.1.2.11 NAME 'apple-computer-list'
DESC 'computer list' SUP top STRUCTURAL MUST cn MAY ( apple-mcxflags $ apple
-mcxsettings $ apple-computer-list-groups $ apple-computers $ apple-generated
uid $ apple-keyword ) )
olcObjectClasses: {9}( 1.3.6.1.4.1.63.1000.1.1.2.12 NAME 'apple-configuration'
DESC 'configuration' SUP top STRUCTURAL MAY ( cn $ apple-config-realname $ a
pple-data-stamp $ apple-password-server-location $ apple-password-server-list
$ apple-ldap-replica $ apple-ldap-writable-replica $ apple-keyword $ apple-k
dc-authkey $ apple-kdc-configdata $ apple-xmlplist $ ttl $ apple-last-serveri
d ) )
olcObjectClasses: {10}( 1.3.6.1.4.1.63.1000.1.1.2.13 NAME 'apple-preset-comput
er-list' DESC 'preset computer list' SUP top STRUCTURAL MUST cn MAY ( apple-m
cxflags $ apple-mcxsettings $ apple-computer-list-groups $ apple-keyword ) )
olcObjectClasses: {11}( 1.3.6.1.4.1.63.1000.1.1.2.25 NAME 'apple-preset-comput
er' DESC 'preset computer' SUP top STRUCTURAL MUST cn MAY ( apple-mcxflags $
apple-mcxsettings $ apple-computer-list-groups $ apple-primarycomputerlist $
description $ apple-networkview $ apple-keyword ) )
olcObjectClasses: {12}( 1.3.6.1.4.1.63.1000.1.1.2.26 NAME 'apple-preset-comput
er-group' DESC 'preset computer group' SUP top STRUCTURAL MUST cn MAY ( gidNu
mber $ memberUID $ apple-mcxflags $ apple-mcxsettings $ apple-group-nestedgro
up $ description $ jpegPhoto $ apple-keyword ) )
olcObjectClasses: {13}( 1.3.6.1.4.1.63.1000.1.1.3.14 NAME 'apple-preset-group'
DESC 'preset group' SUP top STRUCTURAL MUST cn MAY ( memberUid $ gidNumber $
description $ apple-group-homeurl $ apple-group-homeowner $ apple-mcxflags $
apple-mcxsettings $ apple-group-realname $ apple-keyword $ apple-group-neste
dgroup $ apple-group-memberguid $ ttl $ jpegPhoto $ apple-group-services $ la
beledURI $ apple-serviceslocator ) )
olcObjectClasses: {14}( 1.3.6.1.4.1.63.1000.1.1.2.15 NAME 'apple-preset-user'
DESC 'preset user' SUP top STRUCTURAL MUST cn MAY ( uid $ memberUid $ gidNumb
er $ homeDirectory $ apple-user-homeurl $ apple-user-homequota $ apple-user-h
omesoftquota $ apple-user-mailattribute $ apple-user-printattribute $ apple-m
cxflags $ apple-mcxsettings $ apple-user-adminlimits $ apple-user-passwordpol
icy $ userPassword $ apple-user-picture $ apple-keyword $ loginShell $ descri
ption $ shadowLastChange $ shadowExpire $ authAuthority $ homeDrive $ scriptP
ath $ profilePath $ smbHome $ apple-preset-user-is-admin $ jpegPhoto $ apple-
relationships $ apple-phonecontacts $ apple-emailcontacts $ apple-postaladdre
sses $ apple-mapcoordinates $ apple-serviceslocator ) )
olcObjectClasses: {15}( 1.3.6.1.4.1.63.1000.1.1.2.16 NAME 'authAuthorityObject
' SUP top AUXILIARY MAY authAuthority )
olcObjectClasses: {16}( 1.3.6.1.4.1.63.1000.1.1.2.17 NAME 'apple-serverassista
nt-config' SUP top STRUCTURAL MUST cn MAY apple-xmlplist )
olcObjectClasses: {17}( 1.3.6.1.4.1.63.1000.1.1.2.18 NAME 'apple-location' SUP
top AUXILIARY MUST cn MAY ( apple-dns-domain $ apple-dns-nameserver ) )
olcObjectClasses: {18}( 1.3.6.1.4.1.63.1000.1.1.2.19 NAME 'apple-service' SUP
top STRUCTURAL MUST ( cn $ apple-service-type ) MAY ( ipHostNumber $ descript
ion $ apple-service-location $ apple-service-url $ apple-service-port $ apple
-dnsname $ apple-keyword ) )
olcObjectClasses: {19}( 1.3.6.1.4.1.63.1000.1.1.2.20 NAME 'apple-neighborhood'
SUP top STRUCTURAL MUST cn MAY ( description $ apple-generateduid $ apple-ca
tegory $ apple-nodepathxml $ apple-neighborhoodalias $ apple-computeralias $
apple-keyword $ apple-realname $ apple-xmlplist $ ttl ) )
olcObjectClasses: {20}( 1.3.6.1.4.1.63.1000.1.1.2.21 NAME 'apple-acl' SUP top
STRUCTURAL MUST ( cn $ apple-acl-entry ) )
olcObjectClasses: {21}( 1.3.6.1.4.1.63.1000.1.1.2.23 NAME 'apple-resource' SUP
top STRUCTURAL MUST cn MAY ( apple-realname $ description $ jpegPhoto $ appl
e-keyword $ apple-generateduid $ apple-contactguid $ apple-ownerguid $ apple-
resource-info $ apple-resource-type $ apple-capacity $ labeledURI $ apple-map
uri $ apple-serviceslocator $ apple-phonecontacts $ c $ apple-mapguid $ apple
-mapcoordinates $ apple-xmlplist ) )
olcObjectClasses: {22}( 1.3.6.1.4.1.63.1000.1.1.2.24 NAME 'apple-augment' SUP
top STRUCTURAL MUST cn )
olcObjectClasses: {23}( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURA
L MUST automountMapName MAY description )
olcObjectClasses: {24}( 1.3.6.1.1.1.2.17 NAME 'automount' DESC 'Automount' SUP
top STRUCTURAL MUST ( automountKey $ automountInformation ) MAY description
)
olcObjectClasses: {25}( 1.3.6.1.4.1.63.1000.1.1.2.27 NAME 'apple-user-info' SU
P top STRUCTURAL MAY ( apple-namesuffix $ apple-phonecontacts $ apple-emailco
ntacts $ apple-postaladdresses $ telephoneNumber $ mobile $ facsimileTelephon
eNumber $ pager $ l $ st $ c $ postalCode $ postalAddress $ street $ apple-im
handle $ loginShell $ jpegPhoto $ apple-user-picture $ description $ userCert
ificate $ userPKCS12 ) )
olcObjectClasses: {26}( 1.3.6.1.4.1.63.1000.1.1.2.31 NAME 'apple-computer-info
' SUP top STRUCTURAL MAY ( apple-serviceinfo $ apple-serviceslocator $ apple-
keyword $ userCertificate $ userPKCS12 ) )
olcObjectClasses: {27}( 1.3.6.1.4.1.63.1000.1.1.2.28 NAME 'pwsAuthdata' STRUCT
URAL MUST authGUID MAY ( uid $ authGUID $ passwordModDate $ lastLoginTime $ l
oginFailedAttempts $ disableReason $ apple-user-passwordpolicy $ adminGroups
$ cmusaslsecretSMBNT $ cmusaslsecretSMBLM $ cmusaslsecretDIGEST-MD5 $ cmusasl
secretCRAM-MD5 $ cmusaslsecretPPS $ KerberosRealmName $ KerberosPrincName $ p
assword $ creationDate $ historyData $ draft-krbPrincipalName $ draft-krbReal
mName $ draft-krbPrincipalAliases $ draft-krbTicketMaxLife $ draft-krbTicketM
axRenewal $ draft-krbEncSaltTypes $ draft-krbKeySet $ draft-krbKeyVersion $ d
raft-krbPrincipalRealm $ draft-krbTicketPolicy $ draft-krbExtraData $ draft-k
rbPrincipalACL $ crschallenge $ userLinkage $ ownerGUIDList ) )
olcObjectClasses: {28}( 1.3.6.1.4.1.63.1000.1.1.2.29 NAME 'pwPolicy' STRUCTURA
L MUST cn MAY ( apple-user-passwordpolicy $ weakAuthMethod ) )
olcObjectClasses: {29}( 1.3.6.1.4.1.63.1000.1.1.2.30 NAME 'pwAuthData' SUP con
tainer STRUCTURAL MAY ( PWSPrivateKey $ PWSPublicKey ) )
olcObjectClasses: {30}( 1.3.6.1.4.1.63.1000.1.1.2.33 NAME 'apple-certificateRe
questInfo' SUP top STRUCTURAL MUST ( apple-transactionID $ apple-pkiStatus )
MAY ( apple-failInfo $ apple-issuer $ apple-serialNumber $ userCertificate $
apple-certificateSigningRequest $ apple-device-guid $ apple-xmlplist $ apple-
revocationReason $ apple-revocationDate $ apple-validNotBefore $ apple-validN
otAfter ) )
Apply the schema modifications with the following commands:
ldapadd -Y EXTERNAL -H ldapi:/// -f apple_auxillary.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f apple.ldif
===== Configuration =====
Once the schema has been established, it is necessary to set a password on the configuration directory tree and create a second tree, which will hold the data relevant to the applications that hook into LDAP. The directory will have an administration account (cn=admin,dc=example,dc=com) with read/write access to both trees. First, we must create a password hash for this account:
slappasswd -s <password>
Where ''<password>'' is a secure password you wish to use for full access to LDAP. The result will be a string similar to ''{SSHA}xeunX6dBrnhdEIZ/bPvr819tqM7SJQTo'', which must be inserted as ''<hash>'' when the following file is downloaded:
# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb
# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: <hash>
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read
Once downloaded and the password hash inserted in the appropriate place, create the new directory tree:
ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif
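The four ''olcAccess'' rules above decide who may read or write which attribute, and slapd evaluates them in a fixed order that is easy to get wrong. As an added example (not code from the original page), the following Python parses those rules and reproduces slapd's evaluation order so their effect can be checked offline before the file is loaded; ''uid=user2'' is a constructed second user for the checks, and the fact that ''olcRootDN'' bypasses ACLs altogether is not modelled.

```python
import shlex

# Access levels in slapd's order; a granted level implies every level to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The olcAccess values from backend.ldif above, in the order slapd evaluates them.
OLC_ACCESS = [
    'to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write '
    'by anonymous auth by self write by * none',
    'to attrs=shadowLastChange by self write by * read',
    'to dn.base="" by * read',
    'to * by dn="cn=admin,dc=example,dc=com" write by * read',
]

def norm_dn(dn):
    """Normalise a DN for comparison: lower case, no blanks around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_rule(text):
    """Turn one olcAccess value into (target, [(who, level), ...])."""
    tokens = shlex.split(text)  # keeps dn="..." as one token and strips the quotes
    if len(tokens) < 2 or tokens[0] != "to":
        raise ValueError("olcAccess must start with 'to <what>': " + text)
    target, clauses, i = tokens[1], [], 2
    while i < len(tokens):
        if tokens[i] != "by" or i + 2 >= len(tokens):
            raise ValueError("expected 'by <who> <access>' in: " + text)
        who, level = tokens[i + 1], tokens[i + 2]
        if level not in LEVELS:
            raise ValueError("unknown access level %r in: %s" % (level, text))
        clauses.append((who, level))
        i += 3
    return target, clauses

def target_matches(target, entry_dn, attr):
    """Does the 'to' part apply to attribute attr of entry entry_dn?"""
    if target == "*":
        return True
    if target.startswith("attrs="):
        return attr.lower() in target[len("attrs="):].lower().split(",")
    if target.startswith("dn.base="):  # exact DN only; dn.base="" is the root DSE
        return norm_dn(entry_dn) == norm_dn(target[len("dn.base="):])
    raise ValueError("unsupported target: " + target)

def who_matches(who, bind_dn, entry_dn):
    """Does the 'by' part apply to a client bound as bind_dn (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":  # the client is accessing its own entry
        return bind_dn is not None and norm_dn(bind_dn) == norm_dn(entry_dn)
    if who.startswith("dn="):
        return bind_dn is not None and norm_dn(bind_dn) == norm_dn(who[len("dn="):])
    raise ValueError("unsupported who: " + who)

def access(rules, bind_dn, entry_dn, attr):
    """Level slapd grants: the first 'to' clause that matches is final, and within
    it the first matching 'by' clause wins; every clause ends with an implicit
    'by * none'. (olcRootDN bypasses ACLs entirely and is not modelled here.)"""
    for target, clauses in rules:
        if not target_matches(target, entry_dn, attr):
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, entry_dn):
                return level
        return "none"
    return "none"

def allows(rules, bind_dn, entry_dn, attr, wanted):
    """True if the granted level is at least 'wanted'."""
    return LEVELS.index(access(rules, bind_dn, entry_dn, attr)) >= LEVELS.index(wanted)

def anonymous_readable(rules, entry_dn, attrs):
    """Attributes of entry_dn an unauthenticated client can read: the catch-all
    'to * by * read' makes this everything earlier clauses do not protect."""
    return [a for a in attrs if allows(rules, None, entry_dn, a, "read")]

RULES = [parse_rule(r) for r in OLC_ACCESS]
ADMIN = "cn=admin,dc=example,dc=com"
USER1 = "uid=user1,ou=people,dc=example,dc=com"
USER2 = "uid=user2,ou=people,dc=example,dc=com"  # constructed second user for the checks

if __name__ == "__main__":
    for bind, entry, attr in [(None, USER1, "userPassword"), (USER1, USER1, "userPassword"),
                              (USER1, USER2, "userPassword"), (None, USER1, "mail")]:
        print(bind or "anonymous", "->", entry, attr, ":", access(RULES, bind, entry, attr))
    print("anonymous can read:", anonymous_readable(RULES, USER1, ["userPassword", "mail", "homeDirectory"]))
```

Note that with these rules an anonymous client can bind against ''userPassword'' but never read it, while every other attribute is readable anonymously; tighten the final ''by * read'' to ''by users read'' if that is not intended.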
We must now populate our new directory tree with the structure and user information to make it useful to us. In the example below we create the administrator (cn=admin,dc=example,dc=com) and a single Standard User (uid=user1,ou=people,dc=example,dc=com):
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Example Organisation
dc: Example
description: LDAP Example
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: <hash>
dn: ou=apps,dc=example,dc=com
objectClass: organizationalUnit
ou: apps
dn: ou=computers,dc=example,dc=com
objectClass: organizationalUnit
ou: computers
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
dn: uid=user1,ou=people,dc=example,dc=com
cn: Standard User
displayname: Standard User
gecos: Standard User
gidnumber: 5000
givenname: Standard
homedirectory: /home/user1
initials: SU
l: London
loginshell: /bin/bash
mail: user1@example.com
o: Example Company
objectclass: inetOrgPerson
objectclass: posixAccount
sn: User
uid: user1
uidnumber: 5000
userpassword: <hash>
dn: cn=group1,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: group1
gidNumber: 5000
We have now set a password on the LDAP database, so to import this file we must use the following syntax and enter the directory administrator's password we hashed above when prompted:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f example.com.ldif
==== Sudo ====
To configure the directory to mimic the behaviour of a standard ''/etc/sudoers'' file, import the file below. Further details of the specification and configuration of sudo via LDAP can be found on the [[http://www.sudo.ws/sudo/sudoers.ldap.man.html|man]] page.
dn: ou=sudo,ou=apps,dc=example,dc=com
objectClass: organizationalUnit
ou: sudo
dn: cn=defaults,ou=sudo,ou=apps,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: env_reset
dn: cn=%admin,ou=sudo,ou=apps,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %admin
sudoUser: %admin
sudoHost: ALL
sudoCommand: ALL
To import this file we must use the following command and enter the directory administrator's password when prompted:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f sudo.apps.example.com.ldif
To improve the performance of sudoers lookups via LDAP, we must add an additional index:
dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: sudoUser eq
Make the index changes with the following command:
ldapmodify -Y EXTERNAL -H ldapi:/// -f sudo_index.ldif
==== Password Policy ====
Import the file below to configure the directory to support password policy enforcement for parameters such as length, age, failed logons, lockout, etc. Further details of this directory overlay can be found in the OpenLDAP [[http://www.openldap.org/doc/admin24/overlays.html#Password Policies|documentation]].
The default policy created here forces users to change their password every 28 days, with a minimum length of 8 characters. They are warned 3 days prior to their password expiry and allowed a further 3 logins once it expires. Invalid login attempts are tracked and 5 within 5 minutes will lock the account out for half an hour.
dn: ou=policies,dc=example,dc=com
objectClass: organizationalUnit
ou: policies
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAllowUserChange: TRUE
pwdAttribute: 2.5.4.35
pwdCheckQuality: 0
pwdExpireWarning: 259200
pwdFailureCountInterval: 300
pwdGraceAuthNLimit: 3
pwdInHistory: 12
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxAge: 2419200
pwdMaxFailure: 5
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: FALSE
To import this file we must use the following command and enter the directory administrator's password when prompted:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f policies.example.com.ldif
To load the password policy overlay and point it to the default policy, we must download the following file:
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy
dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
Make the configuration changes with the following command:
ldapmodify -Y EXTERNAL -H ldapi:/// -f overlay_ppolicy.ldif
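The numbers in the ''pwdPolicy'' entry are raw seconds and counts, so it is worth checking that they really produce the behaviour described above (28-day age, 3-day warning, 3 grace logins, 5 failures in 5 minutes, 30-minute lockout). As an added example (not code from the original page), the following Python parses the policy entry, replays constructed failed-bind timestamps through the pwdMaxFailure/pwdFailureCountInterval/pwdLockoutDuration rules, classifies password age against pwdMaxAge/pwdExpireWarning/pwdGraceAuthNLimit, and lists review findings, including that slapo-ppolicy(5) applies ''pwdMinLength'' only when ''pwdCheckQuality'' is 1 or 2. The exact purge boundary of old failures is a simplifying assumption.

```python
POLICY_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAllowUserChange: TRUE
pwdAttribute: 2.5.4.35
pwdCheckQuality: 0
pwdExpireWarning: 259200
pwdFailureCountInterval: 300
pwdGraceAuthNLimit: 3
pwdInHistory: 12
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxAge: 2419200
pwdMaxFailure: 5
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: FALSE
"""

# Attributes whose values are integer seconds or counts.
INT_ATTRS = {"pwdCheckQuality", "pwdExpireWarning", "pwdFailureCountInterval", "pwdGraceAuthNLimit",
             "pwdInHistory", "pwdLockoutDuration", "pwdMaxAge", "pwdMaxFailure", "pwdMinLength"}

def parse_policy(ldif):
    """Read one unfolded, non-base64 LDIF entry into a dict: objectClass kept as a
    list, the attributes in INT_ATTRS converted to int, TRUE/FALSE to bool."""
    policy = {"objectClass": []}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "objectClass":
            policy["objectClass"].append(value)
        elif attr in INT_ATTRS:
            policy[attr] = int(value)
        elif value in ("TRUE", "FALSE"):
            policy[attr] = value == "TRUE"
        else:
            policy[attr] = value
    if "pwdPolicy" not in policy["objectClass"]:
        raise ValueError("entry is not a pwdPolicy")
    return policy

def replay_failures(policy, failure_times):
    """Replay failed binds (ascending integer seconds) through pwdMaxFailure /
    pwdFailureCountInterval. Returns (locked_at, unlocked_at) for the first lockout
    (unlocked_at is None when pwdLockoutDuration is 0: locked until an administrator
    resets it) or None if the account never locks. Assumption: failures at least
    pwdFailureCountInterval old are purged before a new failure is counted."""
    if not policy["pwdLockout"]:
        return None
    window, limit = policy["pwdFailureCountInterval"], policy["pwdMaxFailure"]
    recent = []
    for t in failure_times:
        recent = [f for f in recent if window == 0 or t - f < window]
        recent.append(t)
        if len(recent) >= limit:
            duration = policy["pwdLockoutDuration"]
            return (t, t + duration if duration else None)
    return None

def password_state(policy, changed_at, now, grace_used=0):
    """'ok', 'warning', 'grace' or 'expired' for a password set at changed_at, from
    pwdMaxAge, pwdExpireWarning and pwdGraceAuthNLimit (pwdMaxAge 0: never expires)."""
    max_age = policy["pwdMaxAge"]
    if max_age == 0:
        return "ok"
    age = now - changed_at
    if age < max_age - policy["pwdExpireWarning"]:
        return "ok"
    if age < max_age:
        return "warning"
    if grace_used < policy["pwdGraceAuthNLimit"]:
        return "grace"  # expired, but one of the pwdGraceAuthNLimit binds is still available
    return "expired"

def review(policy):
    """Findings a reviewer would raise against this policy before deploying it."""
    findings = []
    if policy.get("pwdCheckQuality", 0) == 0:
        findings.append("pwdCheckQuality 0: slapo-ppolicy(5) applies pwdMinLength only when "
                        "quality checking is enabled, so the 8-character minimum is not enforced")
    if not policy.get("pwdSafeModify", False):
        findings.append("pwdSafeModify FALSE: a password can be replaced without presenting the old one")
    return findings

POLICY = parse_policy(POLICY_LDIF)

if __name__ == "__main__":
    # Constructed timelines: five failures within a minute lock for 1800 s; spread 100 s apart they never do.
    print(replay_failures(POLICY, [0, 10, 20, 30, 40]), replay_failures(POLICY, [0, 100, 200, 300, 400]))
    for days in (24, 26, 28):
        print(days, "days:", password_state(POLICY, 0, days * 86400))
    print("\n".join(review(POLICY)))
```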
==== Postfix ====
To allow Postfix mail addresses and aliases to be configured via the LDAP directory, import the file below.
dn: ou=mail,ou=apps,dc=example,dc=com
objectclass: organizationalUnit
ou: mail
dn: ou=aliases,ou=mail,ou=apps,dc=example,dc=com
objectclass: organizationalUnit
ou: aliases
dn: cn=abuse@example.com,ou=aliases,ou=mail,ou=apps,dc=example,dc=com
cn: abuse@example.com
objectclass: groupOfUniqueNames
uniquemember: uid=user1,ou=people,dc=example,dc=com
dn: cn=postmaster@example.com,ou=aliases,ou=mail,ou=apps,dc=example,dc=com
cn: postmaster@example.com
objectclass: groupOfUniqueNames
uniquemember: uid=user1,ou=people,dc=example,dc=com
To import this file we must use the following command and enter the directory administrator's password when prompted:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f mail.apps.example.com.ldif
To improve the performance of e-mail address lookups via LDAP, we must add an additional index:
dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: mail eq,subinitial
Make the index changes with the following command:
ldapmodify -Y EXTERNAL -H ldapi:/// -f postfix_index.ldif
==== SAMBA v3 ====
To improve the performance of SAMBA domain and user lookups via LDAP, we must add some additional indices:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
Make the index changes with the following command:
ldapmodify -Y EXTERNAL -H ldapi:/// -f samba_index.ldif
==== Apple OS X ====
To support Apple Macs in native [[wp>Apple_Open_Directory|Open Directory]] mode, we must mimic the structure of the Apple directory by importing the file below.
dn: ou=macosx,dc=example,dc=com
ou: macosx
objectClass: organizationalUnit
description: Holds metadata for OS X Server
dn: cn=mounts,ou=macosx,dc=example,dc=com
cn: mounts
objectClass: container
dn: cn=accesscontrols,ou=macosx,dc=example,dc=com
cn: accesscontrols
objectClass: container
dn: cn=certificateauthorities,ou=macosx,dc=example,dc=com
cn: certificateauthorities
objectClass: container
dn: cn=computers,ou=macosx,dc=example,dc=com
cn: computers
objectClass: container
dn: cn=computer_groups,ou=macosx,dc=example,dc=com
cn: computer_groups
objectClass: container
dn: cn=computer_lists,ou=macosx,dc=example,dc=com
cn: computer_lists
objectClass: container
dn: cn=config,ou=macosx,dc=example,dc=com
cn: config
objectClass: container
dn: cn=locations,ou=macosx,dc=example,dc=com
cn: locations
objectClass: container
dn: cn=machines,ou=macosx,dc=example,dc=com
cn: machines
objectClass: container
dn: cn=neighborhoods,ou=macosx,dc=example,dc=com
cn: neighborhoods
objectClass: container
dn: cn=people,ou=macosx,dc=example,dc=com
cn: people
objectClass: container
dn: cn=presets_computer_lists,ou=macosx,dc=example,dc=com
cn: presets_computer_lists
objectClass: container
dn: cn=presets_groups,ou=macosx,dc=example,dc=com
cn: presets_groups
objectClass: container
dn: cn=presets_users,ou=macosx,dc=example,dc=com
cn: presets_users
objectClass: container
dn: cn=printers,ou=macosx,dc=example,dc=com
cn: printers
objectClass: container
dn: cn=augments,ou=macosx,dc=example,dc=com
cn: augments
objectClass: container
dn: cn=autoserversetup,ou=macosx,dc=example,dc=com
cn: autoserversetup
objectClass: container
dn: cn=filemakerservers,ou=macosx,dc=example,dc=com
cn: filemakerservers
objectClass: container
dn: cn=resources,ou=macosx,dc=example,dc=com
cn: resources
objectClass: container
dn: cn=places,ou=macosx,dc=example,dc=com
cn: places
objectClass: container
dn: cn=maps,ou=macosx,dc=example,dc=com
cn: maps
objectClass: container
dn: cn=presets_computers,ou=macosx,dc=example,dc=com
cn: presets_computers
objectClass: container
dn: cn=presets_computer_groups,ou=macosx,dc=example,dc=com
cn: presets_computer_groups
objectClass: container
dn: cn=automountMap,ou=macosx,dc=example,dc=com
cn: automountMap
objectClass: container
dn: ou=macosxodconfig,cn=config,ou=macosx,dc=example,dc=com
ou: macosxodconfig
objectClass: organizationalUnit
dn: cn=mcx_cache,cn=config,ou=macosx,dc=example,dc=com
cn: mcx_cache
objectClass: apple-configuration
dn: cn=ldapreplicas,cn=config,ou=macosx,dc=example,dc=com
cn: ldapreplicas
objectClass: apple-configuration
dn: cn=passwordserver,cn=config,ou=macosx,dc=example,dc=com
cn: passwordserver
objectClass: apple-configuration
dn: cn=macosxodpolicy,cn=config,ou=macosx,dc=example,dc=com
cn: macosxodpolicy
objectClass: apple-configuration
dn: cn=CollabServices,cn=config,ou=macosx,dc=example,dc=com
cn: CollabServices
objectClass: apple-configuration
dn: cn=CIFSServer,cn=config,ou=macosx,dc=example,dc=com
cn: CIFSServer
objectClass: apple-configuration
dn: cn=KerberosKDC,cn=config,ou=macosx,dc=example,dc=com
cn: KerberosKDC
objectClass: apple-configuration
dn: cn=KerberosClient,cn=config,ou=macosx,dc=example,dc=com
cn: KerberosClient
objectClass: apple-configuration
dn: cn=Home_Dir_Items,cn=config,ou=macosx,dc=example,dc=com
cn: Home_Dir_Items
objectClass: apple-configuration
dn: cn=Group_Dir_Items,cn=config,ou=macosx,dc=example,dc=com
cn: Group_Dir_Items
objectClass: apple-configuration
To import this file we must use the following command and enter the directory administrator's password when prompted:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f macosx.example.com.ldif
===== Security =====
Due to the nature of the information frequently held in the LDAP directory, it is essential that we protect access to it and reduce the chances of eavesdropping.
==== TLS/SSL ====
Many applications will use the LDAP simple bind mechanism, which transmits the username and password in clear text over the network. Where this is an internal, trusted network or via a VPN, this might just about be acceptable. In all other cases we will use [[wp>Transport_Layer_Security|TLS]] to encrypt the data before it is sent. As OpenLDAP on Ubuntu (and Debian) is compiled against [[http://www.gnu.org/s/gnutls/|GnuTLS]] libraries, we must install their certificate tools:
apt-get install gnutls-bin
Now we must generate a secure private key and certificate signing request (CSR) to pass to our certificate authority (CA):
certtool --generate-privkey --bits 4096 --outfile /etc/ssl/private/servername.example.com.key
adduser openldap ssl-cert
chgrp ssl-cert /etc/ssl/private/servername.example.com.key
chmod 640 /etc/ssl/private/servername.example.com.key
certtool --generate-request --load-privkey /etc/ssl/private/servername.example.com.key --outfile servername.example.com.csr
Generating a PKCS #10 certificate request...
Country name (2 chars): GB
Organization name: Example Company
Organizational unit name:
Locality name: Basingstoke
State or province name: Hampshire
Common name: servername.example.com
UID:
Enter a dnsName of the subject of the certificate: servername.example.com
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Enter a challenge password:
Does the certificate belong to an authority? (y/N):
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N):
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
Is this a TLS web client certificate? (y/N):
Is this also a TLS web server certificate? (y/N): y
Copy the contents of the resulting ''servername.example.com.csr'' file to your CA (in our case we used [[http://www.startssl.com/|StartSSL]]) and ask them to certify it for you. Depending on the authority used this should require proof of identity and possibly the removal of some money. Once your key has been certified, save the certificate in ''/etc/ssl/certs/servername.example.com.pem''.
It is now necessary to create a certificate chain file, which will be used to verify our new server certificate up to the CA's root. In our case we were issued a Class 1 Server certificate, which is one level below StartCom's root. Create ''/etc/ssl/certs/StartCom_Class_1_Server.pem'', paste into it the contents of https://www.startssl.com/certs/sub.class1.server.ca.pem followed by https://www.startssl.com/certs/ca.pem and then save the file.
The following file is then needed to enable TLS:
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/StartCom_Class_1_Server.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/servername.example.com.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/servername.example.com.key
-
add: olcTLSCipherSuite
olcTLSCipherSuite: SECURE256
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
Make the security changes with the following command:
ldapmodify -Y EXTERNAL -H ldapi:/// -f tls_enable.ldif
Edit ''/etc/default/slapd'' and update the ''SLAPD_SERVICES'' option:
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
Finally, restart slapd and test that TLS is operational:
service slapd restart
gnutls-cli-debug -p 636 localhost
==== Listening Interfaces ====
Often an LDAP server has multiple network interfaces, bound to different LANs or VLANs. It can be advantageous to limit the interfaces slapd listens on. In the example below unencrypted connections are allowed from the local machine only and
To restrict the listening interfaces, edit ''/etc/default/slapd'' and update the ''SLAPD_SERVICES'' option:
SLAPD_SERVICES="ldap://127.0.0.1/ ldapi:/// ldaps://192.0.2.1/"
Then restart slapd and check which interfaces it is listening on:
service slapd restart
netstat -tlpn | grep slapd
===== Testing and Tools =====
Once you have added the schema and data, it is necessary to stop LDAP, re-build its indices, restart it and check the system log for any problems:
service slapd stop
slapindex
chown -R openldap:openldap /var/lib/ldap
service slapd start
Examine the tail of ''/var/log/syslog'' for any errors or warnings being reported by the ''slapd'' process.
If you would like to see which schema modifications have been loaded, type
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
===== See Also =====
* [[sigma:how_to]]
* [[sigma:contact]]