OpenLDAP: Installation and Configuration

Often it is advantageous to have authentication, security and application settings centralised for ease of management. Microsoft provides Active Directory for Windows users and, through the use of OpenLDAP, we can duplicate this behaviour in a cross-platform and open-source way. An LDAP directory can be used to provide single sign-on for Linux, Windows, OS X and web-based applications, as well as network authentication via RADIUS.

This article describes how to install OpenLDAP and configure a basic directory information tree.

This should work in all Ubuntu releases from 8.10 (Intrepid Ibex) upwards. Tested on 10.04 (Lucid Lynx) Ubuntu Server 64-bit.

For an installation that does not require password synchronisation for Windows users:

sudo apt-get install slapd ldap-utils

Alternatively, if you are using SAMBA and wish to keep your LDAP and SAMBA passwords synchronised, the following steps are required to work around a packaging bug. Add the following to /etc/apt/sources.list:

# Debian Stable repository
deb http://ftp.debian.org/debian stable main

Then create the file /etc/apt/preferences with the following content to prevent packages from the Debian repository automatically updating our installation:

Package: *
Pin: release l=Debian
Pin-Priority: 10

Next, edit /etc/apt/apt.conf.d/70debconf and add the following to allow for the much larger Debian repository list we must now manage:

APT::Cache-Limit "100000000";

You are now ready to obtain the Debian Squeeze release keys and update your repository lists:

sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0xB98321F9
sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x473041FA
sudo apt-get update

Finally, install the required packages:

sudo apt-get install slapd-smbk5pwd ldap-utils

A schema defines the objects and attributes in the LDAP database. Depending on the applications we are going to hook into the directory, different schema files will be needed.

LDIF files are sensitive to white space (a continuation line must begin with exactly one space) and may not import correctly if you simply copy and paste them from this page. Download each file in its original format where possible instead.
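The folding rule behind that caution is mechanical, so a pasted file can be checked before it goes anywhere near ldapadd. The following Python script is an added example, not part of the original article: it unfolds a cn=config schema LDIF the way slapd does (a continuation line starts with one space, which is dropped when the lines are joined) and then looks for the damage a copy-and-paste most often introduces: tabs or lost spaces on continuation lines, unbalanced parentheses in a definition, and {n} ordering indices that are not contiguous. The embedded sample is constructed for the example, a shortened version modelled on the sudo.ldif shown later on this page; the function names are the example's own.

```python
"""Sanity-check a cn=config schema LDIF before it goes into ldapadd.

Added example, not code from the original article. Only the folding and
attribute-line rules of RFC 2849 are implemented; base64 (::) and URL (:<)
values, which schema files do not use, are not handled.
"""
from __future__ import annotations

import re
import sys

# Constructed sample, modelled on (and shortened from) the sudo.ldif on this
# page; the OIDs are the sudo schema OIDs shown there.
SAMPLE = """\
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s)
  who may run sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121
 .1.26 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s)
  who may run sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121
 .1.26 )
olcObjectClasses: {0}( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTU
 RAL MUST cn MAY ( sudoUser $ sudoHost ) )
"""

INDEXED = re.compile(r"^\{(\d+)\}(.*)$")
QUOTED = re.compile(r"'[^']*'")


def _split(line: str) -> tuple[str, str]:
    """Split one logical (unfolded) line into (attribute, value)."""
    if ":" not in line:
        raise ValueError(f"not an attribute line (lost leading space?): {line[:40]!r}")
    attr, _, value = line.partition(":")
    return attr.strip(), value.strip()


def unfold_ldif(text: str) -> list[tuple[str, str]]:
    """Join folded lines and return (attribute, value) pairs in file order.

    A continuation line must start with exactly one space; that space is the
    fold marker and is removed, everything after it is literal.
    """
    records: list[tuple[str, str]] = []
    logical: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw == "" or raw.startswith("#"):
            continue
        if raw[0] == " ":
            if not logical:
                raise ValueError(f"line {lineno}: continuation line with nothing to continue")
            logical.append(raw[1:])
        elif raw[0] == "\t":
            raise ValueError(f"line {lineno}: tab used where LDIF requires a single space")
        else:
            if logical:
                records.append(_split("".join(logical)))
            logical = [raw]
    if logical:
        records.append(_split("".join(logical)))
    return records


def check_schema(text: str) -> list[str]:
    """Return human-readable problems; an empty list means the file looks sane."""
    try:
        records = unfold_ldif(text)
    except ValueError as exc:
        return [str(exc)]
    if not records or records[0][0] != "dn":
        return ["first line must be the dn: of the schema entry"]
    problems: list[str] = []
    dn = records[0][1]
    if not dn.lower().endswith(",cn=schema,cn=config"):
        problems.append(f"dn {dn!r} is not under cn=schema,cn=config")
    cn = next((v for a, v in records if a == "cn"), None)
    if cn is None or f"cn={cn}".lower() != dn.split(",", 1)[0].lower():
        problems.append("cn attribute does not match the RDN in the dn line")
    if ("objectClass", "olcSchemaConfig") not in records:
        problems.append("missing objectClass: olcSchemaConfig")
    indices: dict[str, list[int]] = {}
    for attr, value in records:
        if attr not in ("olcAttributeTypes", "olcObjectClasses"):
            continue
        m = INDEXED.match(value)
        if not m:
            problems.append(f"{attr} value lacks its {{n}} ordering prefix: {value[:30]!r}")
            continue
        indices.setdefault(attr, []).append(int(m.group(1)))
        body = QUOTED.sub("''", m.group(2))  # ignore parentheses inside DESC strings
        if body.count("(") != body.count(")"):
            problems.append(f"{attr} {{{m.group(1)}}}: unbalanced parentheses")
        if " NAME " not in body:
            problems.append(f"{attr} {{{m.group(1)}}}: no NAME")
    for attr, seen in indices.items():
        if seen != list(range(len(seen))):
            problems.append(f"{attr}: ordering indices {seen} are not 0..{len(seen) - 1}")
    return problems


if __name__ == "__main__":
    # Usage: python3 check_schema_ldif.py sudo.ldif   (exit status 1 on problems)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    found = check_schema(source)
    print("\n".join(found) if found else "no problems found")
    sys.exit(1 if found else 0)
```

Run it against each downloaded or pasted schema file before the corresponding ldapadd; a lost leading space shows up as a "not an attribute line" error naming the fragment, which is far easier to act on than the generic error slapd returns for a malformed entry.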

Log on and become root:

sudo -s

Add the basic schema files required for all directories:

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif

To manage root privileges via the directory using sudo, load the file below. It was converted from the original, located at /usr/share/doc/sudo-ldap/schema.OpenLDAP on an Ubuntu system once the sudo-ldap package has been installed.

sudo.ldif
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) 
 who may  run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMa
 tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) 
 who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMat
 ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {2}( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Comma
 nd(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1
 466.115.121.1.26 )
olcAttributeTypes: {3}( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s)
  impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1
 .4.1.1466.115.121.1.26 )
olcAttributeTypes: {4}( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Option
 s(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115
 .121.1.26 )
olcAttributeTypes: {5}( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'Use
 r(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466
 .115.121.1.26 )
olcAttributeTypes: {6}( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Gr
 oup(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.14
 66.115.121.1.26 )
olcObjectClasses: {0}( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer En
 tries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ s
 udoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )

Apply the schema modifications with the following command:

ldapadd -Y EXTERNAL -H ldapi:/// -f sudo.ldif

To implement password expiry, strength controls, lockout, etc. with password policies, load the file below. It was converted from the original, located at /etc/ldap/schema/ppolicy.schema on an Ubuntu system once the slapd package has been installed.

ppolicy.ldif
dn: cn=ppolicy,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: ppolicy
olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY
  objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY in
 tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY in
 tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY
  integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUAL
 ITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY
  integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUA
 LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQ
 UALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY b
 ooleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' E
 QUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUAL
 ITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInter
 val' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE 
 )
olcAttributeTypes: {12}( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUAL
 ITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {13}( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange' 
 EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUAL
 ITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {15}( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' DESC 'L
 oadable module that instantiates "check_password() function' EQUALITY caseExa
 ctIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top
  AUXILIARY MAY pwdCheckModule )
olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXI
 LIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheck
 Quality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $
  pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange
  $ pwdAllowUserChange $ pwdSafeModify ) )

Apply the schema modifications with the following command:

ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy.ldif
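Loading ppolicy.ldif only teaches slapd the attribute names; nothing is enforced until the ppolicy overlay is attached to a database and a pwdPolicy entry exists for it to apply. The Python script below is an added example, not part of the original article: it generates those cn=config and directory entries for a reasonably strict default policy and refuses attribute combinations that look enabled but enforce nothing. The suffix dc=example,dc=com, the database entry olcDatabase={1}hdb,cn=config, the container ou=policies and the module entry cn=module{0},cn=config are assumptions; check your own with ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcSuffix=*)" olcSuffix before applying anything.

```python
"""Generate the cn=config and directory entries that put ppolicy to use.

Added example, not code from the original article. Assumed names (replace
with your own): suffix dc=example,dc=com, database olcDatabase={1}hdb,
module entry cn=module{0},cn=config, policy container ou=policies.
"""
SUFFIX = "dc=example,dc=com"                     # assumption
DATABASE_DN = "olcDatabase={1}hdb,cn=config"     # assumption: look up olcSuffix under cn=config
POLICY_DN = f"cn=default,ou=policies,{SUFFIX}"

# A reasonably strict default policy; durations are in seconds.
HARDENED = {
    "pwdMaxAge": "7776000",          # 90 days
    "pwdMinAge": "86400",            # 1 day, so the history cannot be cycled through at once
    "pwdExpireWarning": "604800",    # warn during the last 7 days
    "pwdGraceAuthNLimit": "0",       # no binds with an expired password
    "pwdInHistory": "5",
    "pwdCheckQuality": "1",          # quality checking must be on for pwdMinLength to apply
    "pwdMinLength": "12",
    "pwdLockout": "TRUE",
    "pwdMaxFailure": "5",
    "pwdFailureCountInterval": "300",
    "pwdLockoutDuration": "900",     # 15 minutes; 0 would lock until an administrator resets
    "pwdMustChange": "TRUE",
    "pwdAllowUserChange": "TRUE",
    "pwdSafeModify": "FALSE",
}


def check_policy(p: dict) -> list:
    """Flag attribute combinations that look enabled but enforce nothing."""
    problems = []

    def num(key):
        return int(p.get(key, 0))

    if p.get("pwdLockout") == "TRUE" and num("pwdMaxFailure") == 0:
        problems.append("pwdLockout is TRUE but pwdMaxFailure is 0: lockout can never trigger")
    if num("pwdMaxAge") and num("pwdMinAge") >= num("pwdMaxAge"):
        problems.append("pwdMinAge >= pwdMaxAge: users cannot change an expiring password in time")
    if num("pwdMaxAge") and num("pwdExpireWarning") > num("pwdMaxAge"):
        problems.append("pwdExpireWarning exceeds pwdMaxAge")
    if num("pwdMinLength") and num("pwdCheckQuality") == 0:
        problems.append("pwdMinLength is set but pwdCheckQuality is 0, so length is never checked")
    return problems


def module_ldif() -> str:
    """ldapmodify input: load the overlay module into the running slapd."""
    return ("dn: cn=module{0},cn=config\n"
            "changetype: modify\n"
            "add: olcModuleLoad\n"
            "olcModuleLoad: ppolicy.la\n")


def overlay_ldif(database_dn: str, default_policy_dn: str) -> str:
    """ldapadd input: attach the overlay to the database with a default policy."""
    return (f"dn: olcOverlay=ppolicy,{database_dn}\n"
            "objectClass: olcOverlayConfig\n"
            "objectClass: olcPPolicyConfig\n"
            "olcOverlay: ppolicy\n"
            f"olcPPolicyDefault: {default_policy_dn}\n")


def container_ldif(suffix: str) -> str:
    """ldapadd input for the organizational unit that holds policy entries."""
    return (f"dn: ou=policies,{suffix}\n"
            "objectClass: organizationalUnit\n"
            "ou: policies\n")


def policy_ldif(policy_dn: str, p: dict) -> str:
    """ldapadd input for the pwdPolicy entry; raises if the policy is self-defeating."""
    problems = check_policy(p)
    if problems:
        raise ValueError("; ".join(problems))
    cn = policy_dn.split(",", 1)[0].split("=", 1)[1]
    lines = [f"dn: {policy_dn}",
             "objectClass: device",       # pwdPolicy is AUXILIARY, so a structural class is required
             "objectClass: pwdPolicy",
             f"cn: {cn}",
             "pwdAttribute: userPassword"]
    lines += [f"{k}: {v}" for k, v in p.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("# 1. feed to: ldapmodify -Y EXTERNAL -H ldapi:///")
    print(module_ldif())
    print("# 2. feed to: ldapadd -Y EXTERNAL -H ldapi:///")
    print(overlay_ldif(DATABASE_DN, POLICY_DN))
    print(f"# 3. feed to: ldapadd -x -D cn=admin,{SUFFIX} -W")
    print(container_ldif(SUFFIX))
    print(policy_ldif(POLICY_DN, HARDENED))
```

The policy entry lives in the data database rather than cn=config, which is why the third step binds as the directory administrator instead of using the local root SASL identity. The sanity checks matter because ppolicy accepts a policy such as pwdLockout TRUE with pwdMaxFailure 0 without complaint; it simply never locks anyone out.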

To store Mozilla Thunderbird contacts and groups in the directory, load the file below. It was originally downloaded from https://wiki.mozilla.org/MailNews:Mozilla_LDAP_Address_Book_Schema and converted to LDIF format.

mozillaAbPersonAlpha.ldif
dn: cn=mozillaAbPersonAlpha,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: mozillaAbPersonAlpha
olcAttributeTypes: {0}( 1.3.6.1.4.1.13769.4.1 NAME 'mozillaCustom1' EQUALITY c
 aseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.1
 21.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.4.1.13769.4.2 NAME 'mozillaCustom2' EQUALITY c
 aseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.1
 21.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.13769.4.3 NAME 'mozillaCustom3' EQUALITY c
 aseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.1
 21.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.13769.4.4 NAME 'mozillaCustom4' EQUALITY c
 aseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.1
 21.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.13769.3.1 NAME 'mozillaHomeStreet' EQUALIT
 Y caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.11
 5.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.13769.3.2 NAME 'mozillaHomeStreet2' EQUALI
 TY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.1
 15.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.13769.3.3 NAME 'mozillaHomeLocalityName' S
 UP name SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.13769.3.4 NAME 'mozillaHomeState' SUP name
  SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.13769.3.5 NAME 'mozillaHomePostalCode' EQU
 ALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.146
 6.115.121.1.15{40} SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.13769.3.6 NAME 'mozillaHomeCountryName' SU
 P name SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.13769.3.7 NAME 'mozillaHomeUrl' EQUALITY 
 caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.13769.3.8 NAME 'mozillaWorkStreet2' EQUAL
 ITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.
 115.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.13769.3.9 NAME 'mozillaWorkUrl' EQUALITY 
 caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {13}( 1.3.6.1.4.1.13769.2.1 NAME ( 'mozillaNickname' 'xmozi
 llanickname' ) SUP name )
olcAttributeTypes: {14}( 1.3.6.1.4.1.13769.2.2 NAME ( 'mozillaSecondEmail' 'xm
 ozillasecondemail' ) EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substrin
 gsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
olcAttributeTypes: {15}( 1.3.6.1.4.1.13769.2.3 NAME ( 'mozillaUseHtmlMail' 'xm
 ozillausehtmlmail' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {16}( 1.3.6.1.4.1.13769.2.4 NAME ( 'nsAIMid' 'nscpaimscreen
 name' ) EQUALITY telephoneNumberMatch SUBSTR telephoneNumberSubstringsMatch S
 YNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
olcObjectClasses: {0}( 1.3.6.1.4.1.13769.9.1 NAME 'mozillaAbPersonAlpha' SUP t
 op AUXILIARY MUST cn MAY ( c $ description $ displayName $ facsimileTelephone
 Number $ givenName $ homePhone $ l $ mail $ mobile $ mozillaCustom1 $ mozilla
 Custom2 $ mozillaCustom3 $ mozillaCustom4 $ mozillaHomeCountryName $ mozillaH
 omeLocalityName $ mozillaHomePostalCode $ mozillaHomeState $ mozillaHomeStree
 t $ mozillaHomeStreet2 $ mozillaHomeUrl $ mozillaNickname $ mozillaSecondEmai
 l $ mozillaUseHtmlMail $ mozillaWorkStreet2 $ mozillaWorkUrl $ nsAIMid $ o $ 
 ou $ pager $ postalCode $ postOfficeBox $ sn $ st $ street $ telephoneNumber 
 $ title ) )

Apply the schema modifications with the following command:

ldapadd -Y EXTERNAL -H ldapi:/// -f mozillaAbPersonAlpha.ldif

To use RADIUS to authenticate network users via LAN, Wi-Fi or VPN in conjunction with compatible network switches, routers and access points, load the file below. It was converted from the original, located at /usr/share/doc/freeradius/examples/openldap.schema on an Ubuntu system once the freeradius-ldap package has been installed.

freeradius.ldif
dn: cn=freeradius,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: freeradius
olcAttributeTypes: {0}( 1.3.6.1.4.1.3317.4.3.1.1 NAME 'radiusArapFeatures' DES
 C '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-
 VALUE )
olcAttributeTypes: {1}( 1.3.6.1.4.1.3317.4.3.1.2 NAME 'radiusArapSecurity' DES
 C '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-
 VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.3317.4.3.1.3 NAME 'radiusArapZoneAccess' D
 ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGL
 E-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.3317.4.3.1.44 NAME 'radiusAuthType' DESC '
 ' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VAL
 UE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.3317.4.3.1.4 NAME 'radiusCallbackId' DESC 
 '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VA
 LUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.3317.4.3.1.5 NAME 'radiusCallbackNumber' D
 ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGL
 E-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.3317.4.3.1.6 NAME 'radiusCalledStationId' 
 DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SING
 LE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.3317.4.3.1.7 NAME 'radiusCallingStationId'
  DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SIN
 GLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.3317.4.3.1.8 NAME 'radiusClass' DESC '' EQ
 UALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {9}( 1.3.6.1.4.1.3317.4.3.1.45 NAME 'radiusClientIPAddress'
  DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SIN
 GLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.3317.4.3.1.9 NAME 'radiusFilterId' DESC '
 ' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {11}( 1.3.6.1.4.1.3317.4.3.1.10 NAME 'radiusFramedAppleTalk
 Link' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.2
 6 SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.3317.4.3.1.11 NAME 'radiusFramedAppleTalk
 Network' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.
 1.26 )
olcAttributeTypes: {13}( 1.3.6.1.4.1.3317.4.3.1.12 NAME 'radiusFramedAppleTalk
 Zone' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.2
 6 SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.3317.4.3.1.13 NAME 'radiusFramedCompressi
 on' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 
 )
olcAttributeTypes: {15}( 1.3.6.1.4.1.3317.4.3.1.14 NAME 'radiusFramedIPAddress
 ' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SI
 NGLE-VALUE )
olcAttributeTypes: {16}( 1.3.6.1.4.1.3317.4.3.1.15 NAME 'radiusFramedIPNetmask
 ' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SI
 NGLE-VALUE )
olcAttributeTypes: {17}( 1.3.6.1.4.1.3317.4.3.1.16 NAME 'radiusFramedIPXNetwor
 k' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S
 INGLE-VALUE )
olcAttributeTypes: {18}( 1.3.6.1.4.1.3317.4.3.1.17 NAME 'radiusFramedMTU' DESC
  '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-V
 ALUE )
olcAttributeTypes: {19}( 1.3.6.1.4.1.3317.4.3.1.18 NAME 'radiusFramedProtocol'
  DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SIN
 GLE-VALUE )
olcAttributeTypes: {20}( 1.3.6.1.4.1.3317.4.3.1.19 NAME 'radiusFramedRoute' DE
 SC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {21}( 1.3.6.1.4.1.3317.4.3.1.20 NAME 'radiusFramedRouting' 
 DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SING
 LE-VALUE )
olcAttributeTypes: {22}( 1.3.6.1.4.1.3317.4.3.1.46 NAME 'radiusGroupName' DESC
  '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {23}( 1.3.6.1.4.1.3317.4.3.1.47 NAME 'radiusHint' DESC '' E
 QUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE 
 )
olcAttributeTypes: {24}( 1.3.6.1.4.1.3317.4.3.1.48 NAME 'radiusHuntgroupName' 
 DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {25}( 1.3.6.1.4.1.3317.4.3.1.21 NAME 'radiusIdleTimeout' DE
 SC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE
 -VALUE )
olcAttributeTypes: {26}( 1.3.6.1.4.1.3317.4.3.1.22 NAME 'radiusLoginIPHost' DE
 SC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {27}( 1.3.6.1.4.1.3317.4.3.1.23 NAME 'radiusLoginLATGroup' 
 DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SING
 LE-VALUE )
olcAttributeTypes: {28}( 1.3.6.1.4.1.3317.4.3.1.24 NAME 'radiusLoginLATNode' D
 ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGL
 E-VALUE )
olcAttributeTypes: {29}( 1.3.6.1.4.1.3317.4.3.1.25 NAME 'radiusLoginLATPort' D
 ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGL
 E-VALUE )
olcAttributeTypes: {30}( 1.3.6.1.4.1.3317.4.3.1.26 NAME 'radiusLoginLATService
 ' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SI
 NGLE-VALUE )
olcAttributeTypes: {31}( 1.3.6.1.4.1.3317.4.3.1.27 NAME 'radiusLoginService' D
 ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGL
 E-VALUE )
olcAttributeTypes: {32}( 1.3.6.1.4.1.3317.4.3.1.28 NAME 'radiusLoginTCPPort' D
 ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGL
 E-VALUE )
olcAttributeTypes: {33}( 1.3.6.1.4.1.3317.4.3.1.29 NAME 'radiusPasswordRetry' 
 DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SING
 LE-VALUE )
olcAttributeTypes: {34}( 1.3.6.1.4.1.3317.4.3.1.30 NAME 'radiusPortLimit' DESC
  '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-V
 ALUE )
olcAttributeTypes: {35}( 1.3.6.1.4.1.3317.4.3.1.49 NAME 'radiusProfileDn' DESC
  '' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SING
 LE-VALUE )
olcAttributeTypes: {36}( 1.3.6.1.4.1.3317.4.3.1.31 NAME 'radiusPrompt' DESC ''
  EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALU
 E )
olcAttributeTypes: {37}( 1.3.6.1.4.1.3317.4.3.1.50 NAME 'radiusProxyToRealm' D
 ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGL
 E-VALUE )
olcAttributeTypes: {38}( 1.3.6.1.4.1.3317.4.3.1.51 NAME 'radiusReplicateToReal
 m' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S
 INGLE-VALUE )
olcAttributeTypes: {39}( 1.3.6.1.4.1.3317.4.3.1.52 NAME 'radiusRealm' DESC '' 
 EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE
  )
olcAttributeTypes: {40}( 1.3.6.1.4.1.3317.4.3.1.32 NAME 'radiusServiceType' DE
 SC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE
 -VALUE )
olcAttributeTypes: {41}( 1.3.6.1.4.1.3317.4.3.1.33 NAME 'radiusSessionTimeout'
  DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SIN
 GLE-VALUE )
olcAttributeTypes: {42}( 1.3.6.1.4.1.3317.4.3.1.34 NAME 'radiusTerminationActi
 on' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 
 SINGLE-VALUE )
olcAttributeTypes: {43}( 1.3.6.1.4.1.3317.4.3.1.35 NAME 'radiusTunnelAssignmen
 tId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  )
olcAttributeTypes: {44}( 1.3.6.1.4.1.3317.4.3.1.36 NAME 'radiusTunnelMediumTyp
 e' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {45}( 1.3.6.1.4.1.3317.4.3.1.37 NAME 'radiusTunnelPassword'
  DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SIN
 GLE-VALUE )
olcAttributeTypes: {46}( 1.3.6.1.4.1.3317.4.3.1.38 NAME 'radiusTunnelPreferenc
 e' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {47}( 1.3.6.1.4.1.3317.4.3.1.39 NAME 'radiusTunnelPrivateGr
 oupId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
 26 )
olcAttributeTypes: {48}( 1.3.6.1.4.1.3317.4.3.1.40 NAME 'radiusTunnelServerEnd
 point' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
 26 )
olcAttributeTypes: {49}( 1.3.6.1.4.1.3317.4.3.1.41 NAME 'radiusTunnelType' DES
 C '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {50}( 1.3.6.1.4.1.3317.4.3.1.42 NAME 'radiusVSA' DESC '' EQ
 UALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {51}( 1.3.6.1.4.1.3317.4.3.1.43 NAME 'radiusTunnelClientEnd
 point' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
 26 )
olcAttributeTypes: {52}( 1.3.6.1.4.1.3317.4.3.1.53 NAME 'radiusSimultaneousUse
 ' DESC '' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {53}( 1.3.6.1.4.1.3317.4.3.1.54 NAME 'radiusLoginTime' DESC
  '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-V
 ALUE )
olcAttributeTypes: {54}( 1.3.6.1.4.1.3317.4.3.1.55 NAME 'radiusUserCategory' D
 ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGL
 E-VALUE )
olcAttributeTypes: {55}( 1.3.6.1.4.1.3317.4.3.1.56 NAME 'radiusStripUserName' 
 DESC '' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {56}( 1.3.6.1.4.1.3317.4.3.1.57 NAME 'dialupAccess' DESC ''
  EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALU
 E )
olcAttributeTypes: {57}( 1.3.6.1.4.1.3317.4.3.1.58 NAME 'radiusExpiration' DES
 C '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-
 VALUE )
olcAttributeTypes: {58}( 1.3.6.1.4.1.3317.4.3.1.59 NAME 'radiusCheckItem' DESC
  '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {59}( 1.3.6.1.4.1.3317.4.3.1.60 NAME 'radiusReplyItem' DESC
  '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {60}( 1.3.6.1.4.1.3317.4.3.1.61 NAME 'radiusNASIpAddress' D
 ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGL
 E-VALUE )
olcAttributeTypes: {61}( 1.3.6.1.4.1.3317.4.3.1.62 NAME 'radiusReplyMessage' D
 ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: {0}( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' DESC '' S
 UP top AUXILIARY MUST cn MAY ( radiusArapFeatures $ radiusArapSecurity $ radi
 usArapZoneAccess $ radiusAuthType $ radiusCallbackId $ radiusCallbackNumber $
  radiusCalledStationId $ radiusCallingStationId $ radiusClass $ radiusClientI
 PAddress $ radiusFilterId $ radiusFramedAppleTalkLink $ radiusFramedAppleTalk
 Network $ radiusFramedAppleTalkZone $ radiusFramedCompression $ radiusFramedI
 PAddress $ radiusFramedIPNetmask $ radiusFramedIPXNetwork $ radiusFramedMTU $
  radiusFramedProtocol $ radiusCheckItem $ radiusReplyItem $ radiusFramedRoute
  $ radiusFramedRouting $ radiusIdleTimeout $ radiusGroupName $ radiusHint $ r
 adiusHuntgroupName $ radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLAT
 Node $ radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $ radi
 usLoginTCPPort $ radiusLoginTime $ radiusPasswordRetry $ radiusPortLimit $ ra
 diusPrompt $ radiusProxyToRealm $ radiusRealm $ radiusReplicateToRealm $ radi
 usServiceType $ radiusSessionTimeout $ radiusStripUserName $ radiusTerminatio
 nAction $ radiusTunnelClientEndpoint $ radiusProfileDn $ radiusSimultaneousUs
 e $ radiusTunnelAssignmentId $ radiusTunnelMediumType $ radiusTunnelPassword 
 $ radiusTunnelPreference $ radiusTunnelPrivateGroupId $ radiusTunnelServerEnd
 point $ radiusTunnelType $ radiusUserCategory $ radiusVSA $ radiusExpiration 
 $ dialupAccess $ radiusNASIpAddress $ radiusReplyMessage ) )
olcObjectClasses: {1}( 1.3.6.1.4.1.3317.4.3.2.2 NAME 'radiusObjectProfile' DES
 C 'A Container Objectclass to be used for creating radius profile object' SUP
  top STRUCTURAL MUST cn MAY ( uid $ userPassword $ description ) )

Apply the schema modifications with the following command:

ldapadd -Y EXTERNAL -H ldapi:/// -f freeradius.ldif

To control Pure-FTPd users, home directories, quotas, bandwidth, etc. via the directory, load the file below. It was converted from the original, located in /usr/share/doc/pure-ftpd-common/pureftpd.schema on an Ubuntu system once the pure-ftpd-common package has been installed.

pureftpd.ldif
dn: cn=pureftpd,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: pureftpd
olcAttributeTypes: {0}( 1.3.6.1.4.1.6981.11.3.1 NAME 'FTPQuotaFiles' DESC 'Quo
 ta (in number of files) for an FTP user' EQUALITY integerMatch SYNTAX 1.3.6.1
 .4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.4.1.6981.11.3.2 NAME 'FTPQuotaMBytes' DESC 'Qu
 ota (in megabytes) for an FTP user' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.
 1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.6981.11.3.3 NAME 'FTPUploadRatio' DESC 'Ra
 tio (compared with FTPRatioDown) for uploaded files' EQUALITY integerMatch SY
 NTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.6981.11.3.4 NAME 'FTPDownloadRatio' DESC '
 Ratio (compared with FTPRatioUp) for downloaded files' EQUALITY integerMatch 
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.6981.11.3.5 NAME 'FTPUploadBandwidth' DESC
  'Bandwidth (in KB/s) to limit upload speeds to' EQUALITY integerMatch SYNTAX
  1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.6981.11.3.6 NAME 'FTPDownloadBandwidth' DE
 SC 'Bandwidth (in KB/s) to limit download speeds to' EQUALITY integerMatch SY
 NTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.6981.11.3.7 NAME 'FTPStatus' DESC 'Account
  status: enabled or disabled' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.
 1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.6981.11.3.8 NAME 'FTPuid' DESC 'System uid
  (overrides uidNumber if present)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1
 466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.6981.11.3.9 NAME 'FTPgid' DESC 'System uid
  (overrides gidNumber if present)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1
 466.115.121.1.27 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.6981.11.2.3 NAME 'PureFTPdUser' DESC 'PureF
 TPd user with optional quota, throttling and ratio' SUP top AUXILIARY MAY ( F
 TPStatus $ FTPQuotaFiles $ FTPQuotaMBytes $ FTPUploadRatio $ FTPDownloadRatio
  $ FTPUploadBandwidth $ FTPDownloadBandwidth $ FTPuid $ FTPgid ) )

Apply the schema modifications with the following command:

ldapadd -Y EXTERNAL -H ldapi:/// -f pureftpd.ldif

To run as a SAMBA domain controller and/or share files and printers with Windows systems, load the file below. It was converted from the original, located at /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz on an Ubuntu system once the samba-doc package has been installed.

The file has been modified to include the attributes acctFlags, pwdLastSet, logonTime, logoffTime, kickoffTime, homeDrive, scriptPath, profilePath, userWorkstations, smbHome, rid and primaryGroupID from the SAMBA v2 configuration, as these are used by the Apple OS X schema. This should not cause any problems whether or not you intend to support Macs, but it leaves the option open.

samba.ldif
dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.4 NAME 'acctFlags' DESC 'Account 
 Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} S
 INGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.4.1.7165.2.1.3 NAME 'pwdLastSet' DESC 'NT pwdL
 astSet' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VAL
 UE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.7165.2.1.5 NAME 'logonTime' DESC 'NT logon
 Time' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE
  )
olcAttributeTypes: {3}( 1.3.6.1.4.1.7165.2.1.6 NAME 'logoffTime' DESC 'NT logo
 ffTime' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VAL
 UE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.7165.2.1.7 NAME 'kickoffTime' DESC 'NT kic
 koffTime' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-V
 ALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.7165.2.1.10 NAME 'homeDrive' DESC 'NT home
 Drive' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SI
 NGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.7165.2.1.11 NAME 'scriptPath' DESC 'NT scr
 iptPath' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255
 } SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.7165.2.1.12 NAME 'profilePath' DESC 'NT pr
 ofilePath' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{2
 55} SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.7165.2.1.13 NAME 'userWorkstations' DESC '
 userWorkstations' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121
 .1.26{255} SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.7165.2.1.17 NAME 'smbHome' DESC 'smbHome' 
 EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
olcAttributeTypes: {10}( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid' DESC 'NT rid' EQUA
 LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID' DESC 'N
 T Group RID' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGL
 E-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC '
 LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.
 121.1.26{32} SINGLE-VALUE )
olcAttributeTypes: {13}( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC '
 MD4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.
 4.1.1466.115.121.1.26{32} SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'A
 ccount Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.2
 6{16} SINGLE-VALUE )
olcAttributeTypes: {15}( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC '
 Timestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.1.4
 .1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {16}( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC
  'Timestamp of when the user is allowed to update the password' EQUALITY inte
 gerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {17}( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DES
 C 'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1
 .3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {18}( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'T
 imestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121
 .1.27 SINGLE-VALUE )
olcAttributeTypes: {19}( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC '
 Timestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.1
 21.1.27 SINGLE-VALUE )
olcAttributeTypes: {20}( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC 
 'Timestamp of when the user will be logged off automatically' EQUALITY intege
 rMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {21}( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' 
 DESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.14
 66.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {22}( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' D
 ESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.
 6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {23}( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC '
 Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
 {42} SINGLE-VALUE )
olcAttributeTypes: {24}( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'D
 river letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTAX 1.
 3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
olcAttributeTypes: {25}( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC 
 'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
 1.15{255} SINGLE-VALUE )
olcAttributeTypes: {26}( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC 
 'Roaming profile path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.1
 21.1.15{255} SINGLE-VALUE )
olcAttributeTypes: {27}( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' 
 DESC 'List of user workstations the user is allowed to logon to' EQUALITY cas
 eIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
olcAttributeTypes: {28}( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Ho
 me directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.1
 21.1.15{128} )
olcAttributeTypes: {29}( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC '
 Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX 
 1.3.6.1.4.1.1466.115.121.1.15{128} )
olcAttributeTypes: {30}( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC '
 Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1.
 4.1.1466.115.121.1.15{1050} )
olcAttributeTypes: {31}( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' D
 ESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
  EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
olcAttributeTypes: {32}( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Securit
 y ID' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1
 .3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
olcAttributeTypes: {33}( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' D
 ESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.
 1.1466.115.121.1.26{64} SINGLE-VALUE )
olcAttributeTypes: {34}( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'Sec
 urity ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
 26{64} )
olcAttributeTypes: {35}( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'N
 T Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SING
 LE-VALUE )
olcAttributeTypes: {36}( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC 
 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.
 1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {37}( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC
  'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4.
 1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {38}( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Nex
 t NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1
 466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {39}( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase
 ' DESC 'Base at which the samba RID generation algorithm should operate' EQUA
 LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {40}( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC 'S
 hare Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SING
 LE-VALUE )
olcAttributeTypes: {41}( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC '
 Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX
  1.3.6.1.4.1.1466.115.121.1.15{256} )
olcAttributeTypes: {42}( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' DESC '
 A boolean option' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 S
 INGLE-VALUE )
olcAttributeTypes: {43}( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' DES
 C 'An integer option' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
 .27 SINGLE-VALUE )
olcAttributeTypes: {44}( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' DESC
  'A string option' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121
 .1.26 SINGLE-VALUE )
olcAttributeTypes: {45}( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption' 
 DESC 'A string list option' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.
 115.121.1.15 )
olcAttributeTypes: {46}( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC '
 Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115
 .121.1.26 )
olcAttributeTypes: {47}( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' DESC
  'Minimal password length (default: 5)' EQUALITY integerMatch SYNTAX 1.3.6.1.
 4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {48}( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength' 
 DESC 'Length of Password History Entries (default: 0 => off)' EQUALITY intege
 rMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {49}( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' DES
 C 'Force Users to logon for password change (default: 0 => off, 2 => on)' EQU
 ALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {50}( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC 'M
 aximum password age, in seconds (default: -1 => never expire passwords)' EQUA
 LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {51}( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC 'M
 inimum password age, in seconds (default: 0 => allow immediate password chang
 e)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {52}( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' D
 ESC 'Lockout duration in minutes (default: 30, -1 => forever)' EQUALITY integ
 erMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {53}( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservation
 Window' DESC 'Reset time after lockout in minutes (default: 30)' EQUALITY int
 egerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {54}( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold' 
 DESC 'Lockout users after bad logon attempts (default: 0 => off)' EQUALITY in
 tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {55}( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DESC 
 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUALITY
  integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {56}( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdCh
 ange' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY inte
 gerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {57}( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword'
  DESC 'Clear text password (used for trusted domain passwords)' EQUALITY octe
 tStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {58}( 1.3.6.1.4.1.7165.2.1.69 NAME 'sambaPreviousClearTextP
 assword' DESC 'Previous clear text password (used for trusted domain password
 s)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'Sam
 ba 3.0 Auxilary SAM Account' SUP top AUXILIARY MUST ( uid $ sambaSID ) MAY ( 
 cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ s
 ambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ 
 sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScr
 ipt $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGr
 oupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBad
 PasswordTime $ sambaPasswordHistory $ sambaLogonHours ) )
olcObjectClasses: {1}( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' DESC 'S
 amba Group Mapping' SUP top AUXILIARY MUST ( gidNumber $ sambaSID $ sambaGrou
 pType ) MAY ( displayName $ description $ sambaSIDList ) )
olcObjectClasses: {2}( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' DESC 
 'Samba Trust Password' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaNTPas
 sword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet ) )
olcObjectClasses: {3}( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPasswor
 d' DESC 'Samba Trusted Domain Password' SUP top STRUCTURAL MUST ( sambaDomain
 Name $ sambaSID $ sambaClearTextPassword $ sambaPwdLastSet ) MAY sambaPreviou
 sClearTextPassword )
olcObjectClasses: {4}( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' DESC 'Samba D
 omain Information' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID ) MAY
  ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidB
 ase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaM
 axPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWin
 dow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange 
 ) )
olcObjectClasses: {5}( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' DESC 'Poo
 l for allocating UNIX uids/gids' SUP top AUXILIARY MUST ( uidNumber $ gidNumb
 er ) )
olcObjectClasses: {6}( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' DESC 'Map
 ping from a SID to an ID' SUP top AUXILIARY MUST sambaSID MAY ( uidNumber $ g
 idNumber ) )
olcObjectClasses: {7}( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' DESC 'Struc
 tural Class for a SID' SUP top STRUCTURAL MUST sambaSID )
olcObjectClasses: {8}( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' DESC 'Samba 
 Configuration Section' SUP top AUXILIARY MAY description )
olcObjectClasses: {9}( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' DESC 'Samba S
 hare Section' SUP top STRUCTURAL MUST sambaShareName MAY description )
olcObjectClasses: {10}( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' DESC 
 'Samba Configuration Option' SUP top STRUCTURAL MUST sambaOptionName MAY ( sa
 mbaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListoptio
 n $ description ) )

Apply the schema modifications with the following command:

ldapadd -Y EXTERNAL -H ldapi:/// -f samba.ldif
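Because LDIF continuation lines (a leading single space) are easily lost when a schema file is copied and pasted, it is worth sanity-checking the file before handing it to ldapadd. The following is an added example, not code from the original page or from the OpenLDAP project: it unfolds an LDIF entry per RFC 2849, detects the lost-space failure mode, checks that the {n} ordering tags on olcAttributeTypes and olcObjectClasses are sequential, and lists the schema element names found. The embedded sample LDIF and its OIDs (under 1.3.6.1.4.1.99999) are constructed for the example only.

```python
"""Unfold and sanity-check a cn=config schema LDIF before loading it with ldapadd.
Added example; the sample schema below is constructed and not a real schema."""
import re

# Constructed sample entry, folded the way slapcat emits it (continuation
# lines start with exactly one space, which is stripped when unfolding).
GOOD_LDIF = """dn: cn=sample,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sample
olcAttributeTypes: {0}( 1.3.6.1.4.1.99999.1.1 NAME 'sampleFlag' DESC 'A fla
 g' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE
  )
olcAttributeTypes: {1}( 1.3.6.1.4.1.99999.1.2 NAME 'sampleCount' EQUALITY in
 tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.99999.2.1 NAME 'sampleObject' SUP top AUX
 ILIARY MAY ( sampleFlag $ sampleCount ) )
"""

# The same file after a paste that dropped the leading space of one
# continuation line, and one where an ordering tag was skipped.
BROKEN_LDIF = GOOD_LDIF.replace("\n tegerMatch", "\ntegerMatch")
SKIPPED_INDEX_LDIF = GOOD_LDIF.replace("{1}(", "{2}(")

INDEX_RE = re.compile(r"^\{(\d+)\}(.*)$", re.S)
# NAME 'foo'  or  NAME ( 'foo' 'bar' ); the first name is captured.
NAME_RE = re.compile(r"NAME\s+(?:'([^']+)'|\(\s*'([^']+)')")


def unfold(text):
    """Join RFC 2849 continuation lines into logical lines, skipping comments."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # one leading space is the fold marker
        elif raw.strip() == "" or raw.startswith("#"):
            continue
        else:
            logical.append(raw)
    return logical


def parse_entry(text):
    """Return {attribute: [values]} for one LDIF entry.
    A logical line without ':' almost always means a continuation line lost
    its leading space in transit."""
    entry = {}
    for line in unfold(text):
        if ":" not in line:
            raise ValueError("malformed line (lost continuation space?): %r" % line[:40])
        attr, value = line.split(":", 1)
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def check_schema(text):
    """Return a list of problems; an empty list means the file looks loadable."""
    try:
        entry = parse_entry(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if "dn" not in entry:
        problems.append("missing dn")
    elif not entry["dn"][0].endswith("cn=schema,cn=config"):
        problems.append("dn is not under cn=schema,cn=config")
    if "olcSchemaConfig" not in entry.get("objectClass", []):
        problems.append("objectClass olcSchemaConfig missing")
    for attr in ("olcAttributeTypes", "olcObjectClasses"):
        for expected, value in enumerate(entry.get(attr, [])):
            m = INDEX_RE.match(value)
            if not m:
                problems.append("%s: missing {n} index: %s" % (attr, value[:30]))
                continue
            if int(m.group(1)) != expected:
                problems.append("%s: index {%s} where {%d} expected"
                                % (attr, m.group(1), expected))
            body = m.group(2)
            if body.count("(") != body.count(")"):
                problems.append("%s {%s}: unbalanced parentheses" % (attr, m.group(1)))
            if not NAME_RE.search(body):
                problems.append("%s {%s}: no NAME" % (attr, m.group(1)))
    return problems


def definition_names(text):
    """Map olcAttributeTypes/olcObjectClasses to the names they define."""
    entry = parse_entry(text)
    out = {}
    for attr in ("olcAttributeTypes", "olcObjectClasses"):
        names = []
        for value in entry.get(attr, []):
            m = NAME_RE.search(value)
            if m:
                names.append(m.group(1) or m.group(2))
        out[attr] = names
    return out


if __name__ == "__main__":
    for label, ldif in (("good", GOOD_LDIF), ("broken", BROKEN_LDIF),
                        ("skipped", SKIPPED_INDEX_LDIF)):
        print(label, check_schema(ldif) or "OK")
    print(definition_names(GOOD_LDIF))
```

Run it against a downloaded file by reading the file into `check_schema()`; an empty result means the folds survived the copy. After a successful ldapadd, `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn` lists the loaded schema entries, so the new cn={N}samba entry can be confirmed from the running server.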

To support Apple Macintosh computers and their policies via Workgroup Manager, download the two files below. They have been converted from the originals found in /etc/openldap/schema/ on any Mac running OS X Lion (10.7).

The apple.schema file has been modified to include the attributes authAuthority, apple-user-homeDirectory and apple-acl-entry. The definition of authAuthority has been moved to the beginning of the file, ahead of its first use. The object class apple-user has been extended to include the attribute apple-user-homeDirectory.

apple_auxillary.ldif
dn: cn=apple_auxillary,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: apple_auxillary
olcAttributeTypes: {0}( 1.2.840.113556.1.4.867 NAME 'altSecurityIdentities' EQ
 UALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.14
 66.115.121.1.15 )
olcAttributeTypes: {1}( 1.2.840.113556.1.4.771 NAME 'servicePrincipalName' EQU
 ALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.
 115.121.1.15 )
apple.ldif
dn: cn=apple,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: apple
olcAttributeTypes: {0}( 1.3.6.1.4.1.63.1000.1.1.2.16.1 NAME 'authAuthority' DE
 SC 'password server authentication authority' EQUALITY caseExactIA5Match SUBS
 TR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.250.1.60 NAME 'ttl' EQUALITY integerMatch 
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.63.1000.1.1.1.1.6 NAME 'apple-user-homeurl
 ' DESC 'home directory URL' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Sub
 stringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.63.1000.1.1.1.1.7 NAME 'apple-user-class' 
 DESC 'user class' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMat
 ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.63.1000.1.1.1.1.8 NAME 'apple-user-homequo
 ta' DESC 'home directory quota' EQUALITY caseExactIA5Match SUBSTR caseExactIA
 5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.63.1000.1.1.1.1.9 NAME 'apple-user-mailatt
 ribute' DESC 'mail attribute' EQUALITY caseExactMatch SUBSTR caseExactSubstri
 ngsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.63.1000.1.1.1.1.10 NAME 'apple-mcxflags' D
 ESC 'mcx flags' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTA
 X 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.63.1000.1.1.1.1.16 NAME ( 'apple-mcxsettin
 gs' 'apple-mcxsettings2' ) DESC 'mcx settings' EQUALITY caseExactMatch SUBSTR
  caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {8}( 1.3.6.1.4.1.63.1000.1.1.1.1.12 NAME 'apple-user-pictur
 e' DESC 'picture' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYN
 TAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.63.1000.1.1.1.1.13 NAME 'apple-user-printa
 ttribute' DESC 'print attribute' EQUALITY caseExactMatch SUBSTR caseExactSubs
 tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.63.1000.1.1.1.1.14 NAME 'apple-user-admin
 limits' DESC 'admin limits' EQUALITY caseExactMatch SUBSTR caseExactSubstring
 sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.63.1000.1.1.1.1.15 NAME 'apple-user-authe
 nticationhint' DESC 'password hint' EQUALITY caseExactMatch SUBSTR caseExactS
 ubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.63.1000.1.1.1.1.17 NAME 'apple-user-homes
 oftquota' DESC 'home directory soft quota' EQUALITY caseExactIA5Match SUBSTR 
 caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE
  )
olcAttributeTypes: {13}( 1.3.6.1.4.1.63.1000.1.1.1.1.18 NAME 'apple-user-passw
 ordpolicy' DESC 'password policy options' EQUALITY caseExactMatch SUBSTR case
 ExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.63.1000.1.1.1.1.19 NAME 'apple-keyword' D
 ESC 'keywords' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX
  1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {15}( 1.3.6.1.4.1.63.1000.1.1.1.1.20 NAME 'apple-generatedu
 id' DESC 'generated unique ID' EQUALITY caseExactMatch SUBSTR caseExactSubstr
 ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {16}( 1.3.6.1.4.1.63.1000.1.1.1.1.21 NAME 'apple-imhandle' 
 DESC 'IM handle (service:account name)' EQUALITY caseExactMatch SUBSTR caseEx
 actSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {17}( 1.3.6.1.4.1.63.1000.1.1.1.1.22 NAME 'apple-webloguri'
  DESC 'Weblog URI' EQUALITY caseIgnoreMatch SUBSTR caseExactSubstringsMatch S
 YNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {18}( 1.3.6.1.4.1.63.1000.1.1.1.1.23 NAME 'apple-mapcoordin
 ates' DESC 'Map Coordinates' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Su
 bstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {19}( 1.3.6.1.4.1.63.1000.1.1.1.1.24 NAME 'apple-postaladdr
 esses' DESC 'Postal Addresses' EQUALITY caseExactIA5Match SUBSTR caseExactIA5
 SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {20}( 1.3.6.1.4.1.63.1000.1.1.1.1.25 NAME 'apple-phoneconta
 cts' DESC 'Phone Contacts' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Subs
 tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {21}( 1.3.6.1.4.1.63.1000.1.1.1.1.26 NAME 'apple-emailconta
 cts' DESC 'EMail Contacts' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Subs
 tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {22}( 1.3.6.1.4.1.63.1000.1.1.1.1.27 NAME 'apple-birthday' 
 DESC 'Birthday' EQUALITY generalizedTimeMatch SUBSTR caseExactIA5SubstringsMa
 tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
olcAttributeTypes: {23}( 1.3.6.1.4.1.63.1000.1.1.1.1.28 NAME 'apple-relationsh
 ips' DESC 'Relationships' EQUALITY caseExactMatch SUBSTR caseExactSubstringsM
 atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {24}( 1.3.6.1.4.1.63.1000.1.1.1.1.29 NAME 'apple-company' D
 ESC 'company' EQUALITY caseIgnoreMatch SUBSTR caseExactSubstringsMatch SYNTAX
  1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {25}( 1.3.6.1.4.1.63.1000.1.1.1.1.30 NAME 'apple-nickname' 
 DESC 'nickname' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTA
 X 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {26}( 1.3.6.1.4.1.63.1000.1.1.1.1.31 NAME 'apple-mapuri' DE
 SC 'Map URI' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SY
 NTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {27}( 1.3.6.1.4.1.63.1000.1.1.1.1.32 NAME 'apple-mapguid' D
 ESC 'map GUID' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX
  1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {28}( 1.3.6.1.4.1.63.1000.1.1.1.1.33 NAME 'apple-serviceslo
 cator' DESC 'Calendar Principal URI' EQUALITY caseExactMatch SUBSTR caseExact
 SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {29}( 1.3.6.1.4.1.63.1000.1.1.1.1.34 NAME 'apple-organizati
 oninfo' DESC 'Originization Info data' EQUALITY caseExactMatch SUBSTR caseExa
 ctSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {30}( 1.3.6.1.4.1.63.1000.1.1.1.1.35 NAME 'apple-namesuffix
 ' DESC 'namesuffix' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch S
 YNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {31}( 1.3.6.1.4.1.63.1000.1.1.1.1.36 NAME 'apple-primarycom
 puterlist' DESC 'primary computer list' EQUALITY caseExactMatch SUBSTR caseEx
 actSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {32}( 1.3.6.1.4.1.63.1000.1.1.1.1.100 NAME 'apple-user-home
 Directory' DESC 'The absolute path to the home directory' EQUALITY caseExactI
 A5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {33}( 1.3.6.1.4.1.63.1000.1.1.1.14.1 NAME 'apple-group-home
 url' DESC 'group home url' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Subs
 tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {34}( 1.3.6.1.4.1.63.1000.1.1.1.14.2 NAME 'apple-group-home
 owner' DESC 'group home owner settings' EQUALITY caseExactIA5Match SUBSTR cas
 eExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {35}( 1.3.6.1.4.1.63.1000.1.1.1.14.5 NAME 'apple-group-real
 name' DESC 'group real name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstr
 ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {36}( 1.3.6.1.4.1.63.1000.1.1.1.14.6 NAME 'apple-group-nest
 edgroup' DESC 'group real name' EQUALITY caseExactMatch SUBSTR caseExactSubst
 ringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {37}( 1.3.6.1.4.1.63.1000.1.1.1.14.7 NAME 'apple-group-memb
 erguid' DESC 'group real name' EQUALITY caseExactMatch SUBSTR caseExactSubstr
 ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {38}( 1.3.6.1.4.1.63.1000.1.1.1.14.8 NAME 'apple-group-serv
 ices' DESC 'group services' EQUALITY caseExactMatch SUBSTR caseExactSubstring
 sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {39}( 1.3.6.1.4.1.63.1000.1.1.1.14.9 NAME 'apple-contactgui
 d' DESC 'contact GUID' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatc
 h SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {40}( 1.3.6.1.4.1.63.1000.1.1.1.14.10 NAME 'apple-ownerguid
 ' DESC 'owner GUID' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch S
 YNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {41}( 1.3.6.1.4.1.63.1000.1.1.1.14.11 NAME 'apple-primaryco
 mputerguid' DESC 'primary computer GUID' EQUALITY caseExactMatch SUBSTR caseE
 xactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {42}( 1.3.6.1.4.1.63.1000.1.1.1.14.12 NAME 'apple-group-exp
 andednestedgroup' DESC 'expanded nested group list' EQUALITY caseExactMatch S
 UBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {43}( 1.3.6.1.4.1.63.1000.1.1.1.14.13 NAME 'apple-selfwrite
 ' DESC 'selfwrite flag' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMat
 ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {44}( 1.3.6.1.4.1.63.1000.1.1.1.14.14 NAME 'apple-locale-re
 lay' DESC 'designated locale relay server for replication' EQUALITY caseExact
 Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {45}( 1.3.6.1.4.1.63.1000.1.1.1.14.15 NAME 'apple-locale-su
 bnets' DESC 'subnets associated with a locale' EQUALITY caseExactMatch SYNTAX
  1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {46}( 1.3.6.1.4.1.63.1000.1.1.1.3.8 NAME 'apple-machine-sof
 tware' DESC 'installed system software' EQUALITY caseIgnoreIA5Match SUBSTR ca
 seIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {47}( 1.3.6.1.4.1.63.1000.1.1.1.3.9 NAME 'apple-machine-har
 dware' DESC 'system hardware description' EQUALITY caseIgnoreIA5Match SUBSTR 
 caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {48}( 1.3.6.1.4.1.63.1000.1.1.1.3.10 NAME 'apple-machine-se
 rves' DESC 'NetInfo Domain Server Binding' EQUALITY caseExactIA5Match SUBSTR 
 caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {49}( 1.3.6.1.4.1.63.1000.1.1.1.3.11 NAME 'apple-machine-su
 ffix' DESC 'DIT suffix' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsM
 atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {50}( 1.3.6.1.4.1.63.1000.1.1.1.3.12 NAME 'apple-machine-co
 ntactperson' DESC 'Name of contact person/owner of this machine' EQUALITY cas
 eIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121
 .1.15 )
olcAttributeTypes: {51}( 1.3.6.1.4.1.63.1000.1.1.1.22.1 NAME 'attributeTypesCo
 nfig' DESC 'RFC2252: attribute types' EQUALITY caseExactMatch SUBSTR caseExac
 tSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {52}( 1.3.6.1.4.1.63.1000.1.1.1.22.2 NAME 'objectClassesCon
 fig' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4
 .1.1466.115.121.1.15 )
olcAttributeTypes: {53}( 1.3.6.1.4.1.63.1000.1.1.1.8.1 NAME 'mountDirectory' D
 ESC 'mount path' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNT
 AX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {54}( 1.3.6.1.4.1.63.1000.1.1.1.8.2 NAME 'mountType' DESC '
 mount VFS type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMat
 ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {55}( 1.3.6.1.4.1.63.1000.1.1.1.8.3 NAME 'mountOption' DESC
  'mount options' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMa
 tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {56}( 1.3.6.1.4.1.63.1000.1.1.1.8.4 NAME 'mountDumpFrequenc
 y' DESC 'mount dump frequency' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreI
 A5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {57}( 1.3.6.1.4.1.63.1000.1.1.1.8.5 NAME 'mountPassNo' DESC
  'mount passno' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMat
 ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {58}( 1.3.6.1.4.1.63.1000.1.1.1.9.1 NAME 'apple-printer-att
 ributes' DESC 'printer attributes in /etc/printcap format' EQUALITY caseIgnor
 eIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121
 .1.26 )
olcAttributeTypes: {59}( 1.3.6.1.4.1.63.1000.1.1.1.9.2 NAME 'apple-printer-lpr
 host' DESC 'printer LPR host name' EQUALITY caseIgnoreMatch SUBSTR caseIgnore
 SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {60}( 1.3.6.1.4.1.63.1000.1.1.1.9.3 NAME 'apple-printer-lpr
 queue' DESC 'printer LPR queue' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSub
 stringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {61}( 1.3.6.1.4.1.63.1000.1.1.1.9.4 NAME 'apple-printer-typ
 e' DESC 'printer type' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMa
 tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {62}( 1.3.6.1.4.1.63.1000.1.1.1.9.5 NAME 'apple-printer-not
 e' DESC 'printer note' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMa
 tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {63}( 1.3.6.1.4.1.63.1000.1.1.1.10.2 NAME 'apple-realname' 
 DESC 'real name' EQUALITY caseIgnoreMatch SUBSTR caseExactSubstringsMatch SYN
 TAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {64}( 1.3.6.1.4.1.63.1000.1.1.1.10.3 NAME 'apple-networkvie
 w' DESC 'Network view for the computer' EQUALITY caseExactMatch SUBSTR caseEx
 actSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {65}( 1.3.6.1.4.1.63.1000.1.1.1.10.4 NAME 'apple-category' 
 DESC 'Category for the computer or neighborhood' EQUALITY caseExactMatch SUBS
 TR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {66}( 1.3.6.1.4.1.63.1000.1.1.1.10.5 NAME 'apple-srv' DESC 
 'List of services to advertize via srv records' EQUALITY caseExactMatch SUBST
 R caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {67}( 1.3.6.1.4.1.63.1000.1.1.1.10.6 NAME 'apple-primary-lo
 cale' DESC 'primary locale for replication' EQUALITY caseExactMatch SYNTAX 1.
 3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {68}( 1.3.6.1.4.1.63.1000.1.1.1.10.7 NAME 'apple-parentloca
 les' DESC 'parent locale' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115
 .121.1.15 )
olcAttributeTypes: {69}( 1.3.6.1.4.1.63.1000.1.1.1.10.8 NAME 'apple-networkint
 erfaces' DESC 'list of available network interfaces' EQUALITY caseExactMatch 
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {70}( 1.3.6.1.4.1.63.1000.1.1.1.11.3 NAME 'apple-computers'
  DESC 'computers' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYN
 TAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {71}( 1.3.6.1.4.1.63.1000.1.1.1.11.4 NAME 'apple-computer-l
 ist-groups' DESC 'groups' EQUALITY caseExactMatch SUBSTR caseExactSubstringsM
 atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {72}( 1.3.6.1.4.1.63.1000.1.1.1.17.1 NAME 'apple-xmlplist' 
 DESC 'XML plist data' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {73}( 1.3.6.1.4.1.63.1000.1.1.1.19.2 NAME 'apple-service-ur
 l' DESC 'URL of service' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Substr
 ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {74}( 1.3.6.1.4.1.63.1000.1.1.1.19.6 NAME 'apple-serviceinf
 o' DESC 'service related information' EQUALITY caseExactMatch SUBSTR caseExac
 tSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {75}( 1.3.6.1.4.1.63.1000.1.1.1.19.7 NAME 'apple-hwuuid' DE
 SC 'Hardware uuid of computer' EQUALITY caseExactMatch SUBSTR caseExactSubstr
 ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {76}( 1.3.6.1.4.1.63.1000.1.1.1.19.8 NAME 'apple-ldap-serve
 rid' DESC 'ID used by LDAP' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115
 .121.1.27 SINGLE-VALUE )
olcAttributeTypes: {77}( 1.3.6.1.4.1.63.1000.1.1.1.12.1 NAME 'apple-password-s
 erver-location' DESC 'password server location' EQUALITY caseExactIA5Match SU
 BSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-
 VALUE )
olcAttributeTypes: {78}( 1.3.6.1.4.1.63.1000.1.1.1.12.2 NAME 'apple-data-stamp
 ' DESC 'data stamp' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsM
 atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {79}( 1.3.6.1.4.1.63.1000.1.1.1.12.3 NAME 'apple-config-rea
 lname' DESC 'config real name' EQUALITY caseExactIA5Match SUBSTR caseExactIA5
 SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {80}( 1.3.6.1.4.1.63.1000.1.1.1.12.4 NAME 'apple-password-s
 erver-list' DESC 'password server replication plist' EQUALITY caseExactMatch 
 SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-V
 ALUE )
olcAttributeTypes: {81}( 1.3.6.1.4.1.63.1000.1.1.1.12.5 NAME 'apple-ldap-repli
 ca' DESC 'LDAP replication list' EQUALITY caseExactMatch SUBSTR caseExactSubs
 tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {82}( 1.3.6.1.4.1.63.1000.1.1.1.12.6 NAME 'apple-ldap-writa
 ble-replica' DESC 'LDAP writable replication list' EQUALITY caseExactMatch SU
 BSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {83}( 1.3.6.1.4.1.63.1000.1.1.1.12.7 NAME 'apple-kdc-authke
 y' DESC 'KDC master key RSA encrypted with realm public key' EQUALITY caseExa
 ctMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 
 )
olcAttributeTypes: {84}( 1.3.6.1.4.1.63.1000.1.1.1.12.8 NAME 'apple-kdc-config
 data' DESC 'Contents of the kdc.conf file' EQUALITY caseExactMatch SUBSTR cas
 eExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {85}( 1.3.6.1.4.1.63.1000.1.1.1.12.9 NAME 'apple-last-serve
 rid' DESC 'Last serverID used' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.
 115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {86}( 1.3.6.1.4.1.63.1000.1.1.1.15.1 NAME 'apple-preset-use
 r-is-admin' DESC 'flag indicating whether the preset user is an administrator
 ' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.
 1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {87}( 1.3.6.1.4.1.63.1000.1.1.1.18.1 NAME 'apple-dns-domain
 ' DESC 'DNS domain' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch S
 YNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {88}( 1.3.6.1.4.1.63.1000.1.1.1.18.2 NAME 'apple-dns-namese
 rver' DESC 'DNS name server list' EQUALITY caseExactMatch SUBSTR caseExactSub
 stringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {89}( 1.3.6.1.4.1.63.1000.1.1.1.19.1 NAME 'apple-service-ty
 pe' DESC 'type of service' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Subs
 tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {90}( 1.3.6.1.4.1.63.1000.1.1.1.19.3 NAME 'apple-service-po
 rt' DESC 'Service port number' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.
 115.121.1.27 )
olcAttributeTypes: {91}( 1.3.6.1.4.1.63.1000.1.1.1.19.4 NAME 'apple-dnsname' D
 ESC 'DNS name' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX
  1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {92}( 1.3.6.1.4.1.63.1000.1.1.1.19.5 NAME 'apple-service-lo
 cation' DESC 'Service location' EQUALITY caseExactMatch SUBSTR caseExactSubst
 ringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {93}( 1.3.6.1.4.1.63.1000.1.1.1.20.1 NAME 'apple-nodepathxm
 l' DESC 'XML plist of directory node path' EQUALITY caseExactMatch SUBSTR cas
 eExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {94}( 1.3.6.1.4.1.63.1000.1.1.1.20.2 NAME 'apple-neighborho
 odalias' DESC 'XML plist referring to another neighborhood record' EQUALITY c
 aseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121
 .1.15 )
olcAttributeTypes: {95}( 1.3.6.1.4.1.63.1000.1.1.1.20.3 NAME 'apple-computeral
 ias' DESC 'XML plist referring to a computer record' EQUALITY caseExactMatch 
 SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {96}( 1.3.6.1.4.1.63.1000.1.1.1.21.1 NAME 'apple-acl-entry'
  DESC 'acl entry' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYN
 TAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {97}( 1.3.6.1.4.1.63.1000.1.1.1.23.1 NAME 'apple-resource-t
 ype' DESC 'resource type' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Subst
 ringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {98}( 1.3.6.1.4.1.63.1000.1.1.1.23.2 NAME 'apple-resource-i
 nfo' DESC 'resource info' EQUALITY caseExactMatch SUBSTR caseExactSubstringsM
 atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {99}( 1.3.6.1.4.1.63.1000.1.1.1.23.3 NAME 'apple-capacity' 
 DESC 'capacity' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SI
 NGLE-VALUE )
olcAttributeTypes: {100}( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'autom
 ount Map Name' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 S
 INGLE-VALUE )
olcAttributeTypes: {101}( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'Automount
  Key value' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SING
 LE-VALUE )
olcAttributeTypes: {102}( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'A
 utomount information' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121
 .1.15 SINGLE-VALUE )
olcAttributeTypes: {103}( 1.3.6.1.1.1.1.35 NAME 'lastLoginTime' EQUALITY gener
 alizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
olcAttributeTypes: {104}( 1.3.6.1.1.1.1.36 NAME 'passwordModDate' EQUALITY gen
 eralizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
olcAttributeTypes: {105}( 1.3.6.1.1.1.1.37 NAME 'authGUID' EQUALITY caseIgnore
 Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 S
 INGLE-VALUE )
olcAttributeTypes: {106}( 1.3.6.1.1.1.1.38 NAME 'loginFailedAttempts' EQUALITY
  integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {107}( 1.3.6.1.1.1.1.39 NAME 'userLinkage' EQUALITY caseIgn
 oreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1
 5 SINGLE-VALUE )
olcAttributeTypes: {108}( 1.3.6.1.1.1.1.40 NAME 'disableReason' EQUALITY caseI
 gnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {109}( 1.3.6.1.1.1.1.42 NAME 'cmusaslsecretSMBNT' EQUALITY 
 octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {110}( 1.3.6.1.1.1.1.43 NAME 'cmusaslsecretSMBLM' EQUALITY 
 octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {111}( 1.3.6.1.1.1.1.44 NAME 'cmusaslsecretDIGEST-MD5' EQUA
 LITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {112}( 1.3.6.1.1.1.1.45 NAME 'cmusaslsecretCRAM-MD5' EQUALI
 TY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {113}( 1.3.6.1.1.1.1.46 NAME 'cmusaslsecretPPS' EQUALITY oc
 tetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {114}( 1.3.6.1.1.1.1.47 NAME 'KerberosRealmName' EQUALITY c
 aseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {115}( 1.3.6.1.1.1.1.48 NAME 'KerberosPrincName' EQUALITY c
 aseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {116}( 1.3.6.1.1.1.1.49 NAME 'password' EQUALITY octetStrin
 gMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {117}( 1.3.6.1.1.1.1.50 NAME 'adminGroups' SYNTAX 1.3.6.1.4
 .1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {118}( 1.3.6.1.1.1.1.55 NAME 'creationDate' EQUALITY genera
 lizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
olcAttributeTypes: {119}( 1.3.6.1.1.1.1.56 NAME 'historyData' EQUALITY octetSt
 ringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {120}( 1.3.6.1.1.1.1.86 NAME 'draft-krbPrincipalName' DESC 
 'Canonical principal name' EQUALITY caseExactIA5Match SUBSTR caseExactSubstri
 ngsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {121}( 1.3.6.1.1.1.1.87 NAME 'draft-krbRealmName' EQUALITY 
 octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {122}( 1.3.6.1.1.1.1.88 NAME 'draft-krbPrincipalAliases' SU
 P draft-krbPrincipalName )
olcAttributeTypes: {123}( 1.3.6.1.1.1.1.89 NAME 'draft-krbTicketMaxLife' EQUAL
 ITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.12
 1.1.27 SINGLE-VALUE )
olcAttributeTypes: {124}( 1.3.6.1.1.1.1.90 NAME 'draft-krbTicketMaxRenewal' EQ
 UALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115
 .121.1.27 SINGLE-VALUE )
olcAttributeTypes: {125}( 1.3.6.1.1.1.1.91 NAME 'draft-krbEncSaltTypes' EQUALI
 TY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {126}( 1.3.6.1.1.1.1.92 NAME 'draft-krbKeySet' EQUALITY oct
 etStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {127}( 1.3.6.1.1.1.1.93 NAME 'draft-krbKeyVersion' EQUALITY
  integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
 .27 SINGLE-VALUE )
olcAttributeTypes: {128}( 1.3.6.1.1.1.1.94 NAME 'draft-krbPrincipalRealm' DESC
  'DN of krbRealm entry' SUP distinguishedName )
olcAttributeTypes: {129}( 1.3.6.1.1.1.1.95 NAME 'draft-krbTicketPolicy' EQUALI
 TY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {130}( 1.3.6.1.1.1.1.96 NAME 'draft-krbExtraData' EQUALITY 
 octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {131}( 1.3.6.1.1.1.1.98 NAME 'draft-krbPrincipalACL' EQUALI
 TY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {132}( 1.3.6.1.1.1.1.97 NAME 'crschallenge' EQUALITY caseIg
 noreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {133}( 1.3.6.1.1.1.1.103 NAME 'ownerGUIDList' DESC 'compute
 r account owner GUID' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.12
 1.1.15 )
olcAttributeTypes: {134}( 1.3.6.1.1.1.1.76 NAME 'weakAuthMethod' EQUALITY case
 IgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {135}( 1.3.6.1.1.1.1.77 NAME 'PWSPrivateKey' EQUALITY octet
 StringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {136}( 1.3.6.1.1.1.1.78 NAME 'PWSPublicKey' EQUALITY caseIg
 noreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {137}( 1.3.6.1.1.1.1.79 NAME 'apple-transactionID' EQUALITY
  caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {138}( 1.3.6.1.1.1.1.80 NAME 'apple-pkiStatus' EQUALITY int
 egerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {139}( 1.3.6.1.1.1.1.81 NAME 'apple-failInfo' EQUALITY inte
 gerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {140}( 1.3.6.1.1.1.1.82 NAME 'apple-certificateSigningReque
 st' EQUALITY certificateExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 SINGLE
 -VALUE )
olcAttributeTypes: {141}( 1.3.6.1.1.1.1.83 NAME 'apple-device-guid' EQUALITY c
 aseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {142}( 1.3.6.1.1.1.1.84 NAME 'apple-issuer' EQUALITY caseIg
 noreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {143}( 1.3.6.1.1.1.1.85 NAME 'apple-serialNumber' EQUALITY 
 caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {144}( 1.3.6.1.1.1.1.99 NAME 'apple-revocationReason' EQUAL
 ITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {145}( 1.3.6.1.1.1.1.100 NAME 'apple-revocationDate' EQUALI
 TY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
olcAttributeTypes: {146}( 1.3.6.1.1.1.1.101 NAME 'apple-validNotBefore' EQUALI
 TY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
olcAttributeTypes: {147}( 1.3.6.1.1.1.1.102 NAME 'apple-validNotAfter' EQUALIT
 Y generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
olcObjectClasses: {0}( 1.2.840.113556.1.3.23 NAME 'container' SUP top STRUCTUR
 AL MUST cn )
olcObjectClasses: {1}( 1.3.6.1.4.1.250.3.18 NAME 'cacheObject' DESC 'Auxiliary
  object class to hold TTL caching information' SUP top AUXILIARY MAY ttl )
olcObjectClasses: {2}( 1.3.6.1.4.1.63.1000.1.1.2.1 NAME 'apple-user' DESC 'app
 le user account' SUP top AUXILIARY MAY ( apple-user-homeurl $ apple-user-clas
 s $ apple-user-homequota $ apple-user-mailattribute $ apple-user-printattribu
 te $ apple-mcxflags $ apple-mcxsettings $ apple-user-adminlimits $ apple-user
 -picture $ apple-user-authenticationhint $ apple-user-homesoftquota $ apple-u
 ser-passwordpolicy $ apple-keyword $ apple-generateduid $ apple-imhandle $ ap
 ple-webloguri $ authAuthority $ acctFlags $ pwdLastSet $ logonTime $ logoffTi
 me $ kickoffTime $ homeDrive $ scriptPath $ profilePath $ userWorkstations $ 
 smbHome $ rid $ apple-user-homeDirectory $ primaryGroupID $ sambaSID $ sambaP
 rimaryGroupSID $ userCertificate $ userPKCS12 $ jpegPhoto $ apple-nickname $ 
 apple-namesuffix $ apple-birthday $ apple-relationships $ apple-organizationi
 nfo $ apple-phonecontacts $ apple-emailcontacts $ apple-postaladdresses $ app
 le-mapcoordinates $ apple-mapuri $ apple-mapguid $ apple-serviceslocator $ al
 tSecurityIdentities ) )
olcObjectClasses: {3}( 1.3.6.1.4.1.63.1000.1.1.2.14 NAME 'apple-group' DESC 'g
 roup account' SUP top AUXILIARY MAY ( apple-group-homeurl $ apple-group-homeo
 wner $ apple-mcxflags $ apple-mcxsettings $ apple-group-realname $ apple-user
 -picture $ apple-keyword $ apple-generateduid $ apple-group-nestedgroup $ app
 le-group-memberguid $ mail $ rid $ sambaSID $ ttl $ jpegPhoto $ apple-group-s
 ervices $ apple-contactguid $ apple-ownerguid $ labeledURI $ apple-locale-rel
 ay $ apple-locale-subnets $ apple-serviceslocator ) )
olcObjectClasses: {4}( 1.3.6.1.4.1.63.1000.1.1.2.3 NAME 'apple-machine' SUP to
 p AUXILIARY MAY ( apple-machine-software $ apple-machine-hardware $ apple-mac
 hine-serves $ apple-machine-suffix $ apple-machine-contactperson ) )
olcObjectClasses: {5}( 1.3.6.1.4.1.63.1000.1.1.2.8 NAME 'mount' SUP top STRUCT
 URAL MUST cn MAY ( mountDirectory $ mountType $ mountOption $ mountDumpFreque
 ncy $ mountPassNo ) )
olcObjectClasses: {6}( 1.3.6.1.4.1.63.1000.1.1.2.9 NAME 'apple-printer' SUP to
 p STRUCTURAL MUST cn MAY ( apple-printer-attributes $ apple-printer-lprhost $
  apple-printer-lprqueue $ apple-printer-type $ apple-printer-note ) )
olcObjectClasses: {7}( 1.3.6.1.4.1.63.1000.1.1.2.10 NAME 'apple-computer' DESC
  'computer' SUP top STRUCTURAL MUST cn MAY ( apple-realname $ description $ m
 acAddress $ apple-category $ apple-computer-list-groups $ apple-keyword $ app
 le-mcxflags $ apple-mcxsettings $ apple-networkview $ apple-xmlplist $ apple-
 service-url $ apple-serviceinfo $ apple-serviceslocator $ apple-primarycomput
 erlist $ apple-ldap-serverid $ authAuthority $ uidNumber $ gidNumber $ apple-
 generateduid $ ttl $ acctFlags $ pwdLastSet $ logonTime $ logoffTime $ kickof
 fTime $ rid $ primaryGroupID $ sambaSID $ sambaPrimaryGroupSID $ owner $ appl
 e-ownerguid $ apple-contactguid $ ipHostNumber $ bootFile $ apple-hwuuid $ ap
 ple-srv $ apple-primary-locale $ apple-parentlocales $ apple-networkinterface
 s $ userCertificate $ userPKCS12 ) )
olcObjectClasses: {8}( 1.3.6.1.4.1.63.1000.1.1.2.11 NAME 'apple-computer-list'
  DESC 'computer list' SUP top STRUCTURAL MUST cn MAY ( apple-mcxflags $ apple
 -mcxsettings $ apple-computer-list-groups $ apple-computers $ apple-generated
 uid $ apple-keyword ) )
olcObjectClasses: {9}( 1.3.6.1.4.1.63.1000.1.1.2.12 NAME 'apple-configuration'
  DESC 'configuration' SUP top STRUCTURAL MAY ( cn $ apple-config-realname $ a
 pple-data-stamp $ apple-password-server-location $ apple-password-server-list
  $ apple-ldap-replica $ apple-ldap-writable-replica $ apple-keyword $ apple-k
 dc-authkey $ apple-kdc-configdata $ apple-xmlplist $ ttl $ apple-last-serveri
 d ) )
olcObjectClasses: {10}( 1.3.6.1.4.1.63.1000.1.1.2.13 NAME 'apple-preset-comput
 er-list' DESC 'preset computer list' SUP top STRUCTURAL MUST cn MAY ( apple-m
 cxflags $ apple-mcxsettings $ apple-computer-list-groups $ apple-keyword ) )
olcObjectClasses: {11}( 1.3.6.1.4.1.63.1000.1.1.2.25 NAME 'apple-preset-comput
 er' DESC 'preset computer' SUP top STRUCTURAL MUST cn MAY ( apple-mcxflags $ 
 apple-mcxsettings $ apple-computer-list-groups $ apple-primarycomputerlist $ 
 description $ apple-networkview $ apple-keyword ) )
olcObjectClasses: {12}( 1.3.6.1.4.1.63.1000.1.1.2.26 NAME 'apple-preset-comput
 er-group' DESC 'preset computer group' SUP top STRUCTURAL MUST cn MAY ( gidNu
 mber $ memberUID $ apple-mcxflags $ apple-mcxsettings $ apple-group-nestedgro
 up $ description $ jpegPhoto $ apple-keyword ) )
olcObjectClasses: {13}( 1.3.6.1.4.1.63.1000.1.1.3.14 NAME 'apple-preset-group'
  DESC 'preset group' SUP top STRUCTURAL MUST cn MAY ( memberUid $ gidNumber $
  description $ apple-group-homeurl $ apple-group-homeowner $ apple-mcxflags $
  apple-mcxsettings $ apple-group-realname $ apple-keyword $ apple-group-neste
 dgroup $ apple-group-memberguid $ ttl $ jpegPhoto $ apple-group-services $ la
 beledURI $ apple-serviceslocator ) )
olcObjectClasses: {14}( 1.3.6.1.4.1.63.1000.1.1.2.15 NAME 'apple-preset-user' 
 DESC 'preset user' SUP top STRUCTURAL MUST cn MAY ( uid $ memberUid $ gidNumb
 er $ homeDirectory $ apple-user-homeurl $ apple-user-homequota $ apple-user-h
 omesoftquota $ apple-user-mailattribute $ apple-user-printattribute $ apple-m
 cxflags $ apple-mcxsettings $ apple-user-adminlimits $ apple-user-passwordpol
 icy $ userPassword $ apple-user-picture $ apple-keyword $ loginShell $ descri
 ption $ shadowLastChange $ shadowExpire $ authAuthority $ homeDrive $ scriptP
 ath $ profilePath $ smbHome $ apple-preset-user-is-admin $ jpegPhoto $ apple-
 relationships $ apple-phonecontacts $ apple-emailcontacts $ apple-postaladdre
 sses $ apple-mapcoordinates $ apple-serviceslocator ) )
olcObjectClasses: {15}( 1.3.6.1.4.1.63.1000.1.1.2.16 NAME 'authAuthorityObject
 ' SUP top AUXILIARY MAY authAuthority )
olcObjectClasses: {16}( 1.3.6.1.4.1.63.1000.1.1.2.17 NAME 'apple-serverassista
 nt-config' SUP top STRUCTURAL MUST cn MAY apple-xmlplist )
olcObjectClasses: {17}( 1.3.6.1.4.1.63.1000.1.1.2.18 NAME 'apple-location' SUP
  top AUXILIARY MUST cn MAY ( apple-dns-domain $ apple-dns-nameserver ) )
olcObjectClasses: {18}( 1.3.6.1.4.1.63.1000.1.1.2.19 NAME 'apple-service' SUP 
 top STRUCTURAL MUST ( cn $ apple-service-type ) MAY ( ipHostNumber $ descript
 ion $ apple-service-location $ apple-service-url $ apple-service-port $ apple
 -dnsname $ apple-keyword ) )
olcObjectClasses: {19}( 1.3.6.1.4.1.63.1000.1.1.2.20 NAME 'apple-neighborhood'
  SUP top STRUCTURAL MUST cn MAY ( description $ apple-generateduid $ apple-ca
 tegory $ apple-nodepathxml $ apple-neighborhoodalias $ apple-computeralias $ 
 apple-keyword $ apple-realname $ apple-xmlplist $ ttl ) )
olcObjectClasses: {20}( 1.3.6.1.4.1.63.1000.1.1.2.21 NAME 'apple-acl' SUP top 
 STRUCTURAL MUST ( cn $ apple-acl-entry ) )
olcObjectClasses: {21}( 1.3.6.1.4.1.63.1000.1.1.2.23 NAME 'apple-resource' SUP
  top STRUCTURAL MUST cn MAY ( apple-realname $ description $ jpegPhoto $ appl
 e-keyword $ apple-generateduid $ apple-contactguid $ apple-ownerguid $ apple-
 resource-info $ apple-resource-type $ apple-capacity $ labeledURI $ apple-map
 uri $ apple-serviceslocator $ apple-phonecontacts $ c $ apple-mapguid $ apple
 -mapcoordinates $ apple-xmlplist ) )
olcObjectClasses: {22}( 1.3.6.1.4.1.63.1000.1.1.2.24 NAME 'apple-augment' SUP 
 top STRUCTURAL MUST cn )
olcObjectClasses: {23}( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURA
 L MUST automountMapName MAY description )
olcObjectClasses: {24}( 1.3.6.1.1.1.2.17 NAME 'automount' DESC 'Automount' SUP
  top STRUCTURAL MUST ( automountKey $ automountInformation ) MAY description 
 )
olcObjectClasses: {25}( 1.3.6.1.4.1.63.1000.1.1.2.27 NAME 'apple-user-info' SU
 P top STRUCTURAL MAY ( apple-namesuffix $ apple-phonecontacts $ apple-emailco
 ntacts $ apple-postaladdresses $ telephoneNumber $ mobile $ facsimileTelephon
 eNumber $ pager $ l $ st $ c $ postalCode $ postalAddress $ street $ apple-im
 handle $ loginShell $ jpegPhoto $ apple-user-picture $ description $ userCert
 ificate $ userPKCS12 ) )
olcObjectClasses: {26}( 1.3.6.1.4.1.63.1000.1.1.2.31 NAME 'apple-computer-info
 ' SUP top STRUCTURAL MAY ( apple-serviceinfo $ apple-serviceslocator $ apple-
 keyword $ userCertificate $ userPKCS12 ) )
olcObjectClasses: {27}( 1.3.6.1.4.1.63.1000.1.1.2.28 NAME 'pwsAuthdata' STRUCT
 URAL MUST authGUID MAY ( uid $ authGUID $ passwordModDate $ lastLoginTime $ l
 oginFailedAttempts $ disableReason $ apple-user-passwordpolicy $ adminGroups 
 $ cmusaslsecretSMBNT $ cmusaslsecretSMBLM $ cmusaslsecretDIGEST-MD5 $ cmusasl
 secretCRAM-MD5 $ cmusaslsecretPPS $ KerberosRealmName $ KerberosPrincName $ p
 assword $ creationDate $ historyData $ draft-krbPrincipalName $ draft-krbReal
 mName $ draft-krbPrincipalAliases $ draft-krbTicketMaxLife $ draft-krbTicketM
 axRenewal $ draft-krbEncSaltTypes $ draft-krbKeySet $ draft-krbKeyVersion $ d
 raft-krbPrincipalRealm $ draft-krbTicketPolicy $ draft-krbExtraData $ draft-k
 rbPrincipalACL $ crschallenge $ userLinkage $ ownerGUIDList ) )
olcObjectClasses: {28}( 1.3.6.1.4.1.63.1000.1.1.2.29 NAME 'pwPolicy' STRUCTURA
 L MUST cn MAY ( apple-user-passwordpolicy $ weakAuthMethod ) )
olcObjectClasses: {29}( 1.3.6.1.4.1.63.1000.1.1.2.30 NAME 'pwAuthData' SUP con
 tainer STRUCTURAL MAY ( PWSPrivateKey $ PWSPublicKey ) )
olcObjectClasses: {30}( 1.3.6.1.4.1.63.1000.1.1.2.33 NAME 'apple-certificateRe
 questInfo' SUP top STRUCTURAL MUST ( apple-transactionID $ apple-pkiStatus ) 
 MAY ( apple-failInfo $ apple-issuer $ apple-serialNumber $ userCertificate $ 
 apple-certificateSigningRequest $ apple-device-guid $ apple-xmlplist $ apple-
 revocationReason $ apple-revocationDate $ apple-validNotBefore $ apple-validN
 otAfter ) )

Apply the schema modifications with the following commands:

ldapadd -Y EXTERNAL -H ldapi:/// -f apple_auxillary.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f apple.ldif

Once the schema has been established, it is necessary to set a password on the configuration directory tree and create a second tree, which will hold the data relevant to the applications that hook into LDAP. The directory will have an administration account (cn=admin,dc=example,dc=com) with read/write access to both trees. First we must create a password hash for this account:

slappasswd -s <password>

Where <password> is a secure password you wish to use for full access to LDAP. Note that a password passed with -s is recorded in your shell history and is visible in the process list while the command runs; running slappasswd with no arguments prompts for it instead. The result will be a string similar to {SSHA}xeunX6dBrnhdEIZ/bPvr819tqM7SJQTo, which must be inserted in place of <slappasswd_output> when the following file is downloaded:

backend.ldif
# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: <slappasswd_output>
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

Once downloaded and the password hash inserted in the appropriate place, create the new directory tree:

ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif
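The olcAccess lines in backend.ldif decide who may read or change what, and slapd evaluates them in order: the first `to` clause whose target matches the request is used, and within it the first `by` clause that matches the bound identity fixes the access level. The Python below is an added illustration of that evaluation over the four rules above; it is a simplified model, not OpenLDAP's own code, and supports only the clause forms used on this page. The second account, user2, is constructed for the example.

```python
"""Evaluate the olcAccess rules of backend.ldif the way slapd resolves them:
the first 'to' clause whose target matches the request is selected, and
within it the first matching 'by' clause fixes the access level (slapd
stops there by default). Added illustration, not OpenLDAP code; it
supports only the clause forms used on this page."""
import re

# The four olcAccess values from backend.ldif, copied here as the sample input.
RULES = [
    'to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write '
    'by anonymous auth by self write by * none',
    'to attrs=shadowLastChange by self write by * read',
    'to dn.base="" by * read',
    'to * by dn="cn=admin,dc=example,dc=com" write by * read',
]

# slapd access levels, weakest to strongest: a grant at one level also
# permits every operation below it (write implies read, read implies auth...).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ADMIN = "cn=admin,dc=example,dc=com"


def parse_rule(rule):
    """Split 'to <what> by <who> <level> [by ...]' into (what, [(who, level)])."""
    m = re.match(r"to\s+(.+?)\s+by\s+(.*)$", rule)
    if not m:
        raise ValueError("unparseable rule: " + rule)
    bys = re.findall(r'(dn="[^"]*"|anonymous|users|self|\*)\s+(\w+)', m.group(2))
    return m.group(1), bys


def target_matches(what, target_dn, attr):
    """Does the 'to' clause cover this entry/attribute? attr=None means the entry itself."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = [a.lower() for a in what[len("attrs="):].split(",")]
        return attr is not None and attr.lower() in wanted
    if what.startswith("dn.base="):
        return target_dn.lower() == what[len("dn.base="):].strip('"').lower()
    raise ValueError("unsupported target: " + what)


def requestor_matches(who, requestor, target_dn):
    """Does the 'by' clause cover the bound identity? requestor=None is an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requestor is None
    if who == "users":
        return requestor is not None
    if who == "self":
        return requestor is not None and requestor.lower() == target_dn.lower()
    if who.startswith('dn="'):
        return requestor is not None and requestor.lower() == who[4:-1].lower()
    raise ValueError("unsupported requestor: " + who)


def access_level(requestor, target_dn, attr, rules=RULES):
    """Access level granted to `requestor` on `attr` of `target_dn`."""
    for rule in rules:
        what, bys = parse_rule(rule)
        if not target_matches(what, target_dn, attr):
            continue
        for who, level in bys:
            if requestor_matches(who, requestor, target_dn):
                return level
        return "none"      # target matched, nobody matched: implicit 'by * none'
    return "none"          # no rule at all: slapd denies by default


def allowed(requestor, target_dn, attr, needed, rules=RULES):
    """True when the granted level is at least `needed`."""
    return LEVELS.index(access_level(requestor, target_dn, attr, rules)) >= LEVELS.index(needed)


if __name__ == "__main__":
    user1 = "uid=user1,ou=people,dc=example,dc=com"
    user2 = "uid=user2,ou=people,dc=example,dc=com"   # constructed second user
    for who, label in [(None, "anonymous"), (user1, "user1"), (user2, "user2"), (ADMIN, "admin")]:
        print(f"{label:10} userPassword of user1 -> {access_level(who, user1, 'userPassword')}")
```

Running it shows the property the first rule is there for: an anonymous bind gets `auth` on userPassword (enough to authenticate, not enough to read the hash), the user and the administrator get `write`, and every other authenticated user gets `none`, while ordinary attributes fall through to the last rule and are world-readable.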

We must now populate our new directory tree with the structure and user information that makes it useful to us. In the example below we create the administrator (cn=admin,dc=example,dc=com) and a single standard user (uid=user1,ou=people,dc=example,dc=com):

example.com.ldif
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Example Organisation
dc: Example
description: LDAP Example

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: <slappasswd_output>

dn: ou=apps,dc=example,dc=com
objectClass: organizationalUnit
ou: apps

dn: ou=computers,dc=example,dc=com
objectClass: organizationalUnit
ou: computers

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: uid=user1,ou=people,dc=example,dc=com
cn: Standard User
displayname: Standard User
gecos: Standard User
gidnumber: 5000
givenname: Standard
homedirectory: /home/user1
initials: SU
l: London
loginshell: /bin/bash
mail: user1@example.com
o: Example Company
objectclass: inetOrgPerson
objectclass: posixAccount
sn: User
uid: user1
uidnumber: 5000
userpassword: <slappasswd_output>

dn: cn=group1,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: group1
gidNumber: 5000

We have now set a password on the LDAP database, so to import this file we must bind as the directory administrator and enter the password we hashed above when prompted:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f example.com.ldif

To configure the directory to mimic the behaviour of a standard /etc/sudoers file, import the file below. Further details of the specification and configuration of sudo via LDAP can be found on the man page.

sudo.apps.example.com.ldif
dn: ou=sudo,ou=apps,dc=example,dc=com
objectClass: organizationalUnit
ou: sudo

dn: cn=defaults,ou=sudo,ou=apps,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOptions go here
sudoOption: env_reset

dn: cn=%admin,ou=sudo,ou=apps,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %admin
sudoUser: %admin
sudoHost: ALL
sudoCommand: ALL

To import this file we must use the following command and enter the directory administrator's password when prompted:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f sudo.apps.example.com.ldif

To improve the performance of sudoers lookups via LDAP, we must add an additional index:

sudo_index.ldif
dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: sudoUser eq

Make the index changes with the following command:

ldapmodify -Y EXTERNAL -H ldapi:/// -f sudo_index.ldif

Import the file below to configure the directory to support password policy enforcement for parameters such as length, age, failed logons, lockout, etc. Further details of this directory overlay can be found in the OpenLDAP documentation.

The default policy created here forces users to change their password every 28 days, with a minimum length of 8 characters. They are warned 3 days prior to their password expiry and allowed a further 3 logins once it expires. Invalid login attempts are tracked and 5 within 5 minutes will lock the account out for half an hour. Note that slapd only applies pwdMinLength when pwdCheckQuality is 1 or 2; with pwdCheckQuality set to 0, as in the file below, the length is recorded but not enforced.

policies.example.com.ldif
dn: ou=policies,dc=example,dc=com
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAllowUserChange: TRUE
pwdAttribute: 2.5.4.35
pwdCheckQuality: 0
pwdExpireWarning: 259200
pwdFailureCountInterval: 300
pwdGraceAuthNLimit: 3
pwdInHistory: 12
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxAge: 2419200
pwdMaxFailure: 5
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: FALSE

To import this file we must use the following command and enter the directory administrator's password when prompted:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f policies.example.com.ldif
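As an added example, not part of this guide or of OpenLDAP, the Python below reads the cn=default entry above with a small RFC 2849 LDIF parser and restates it in the terms used in the description (days, minutes, attempts), flagging settings whose effect differs from what the raw numbers suggest. The parser also rejects whitespace-only lines, the copy and paste problem noted at the top of this page: in LDIF a line beginning with a space continues the previous line rather than separating two entries, so such a file would not import cleanly.

```python
"""Summarise an OpenLDAP pwdPolicy entry in human terms and flag settings
that silently do not take effect. Added example: a small RFC 2849 LDIF
reader plus a policy interpreter; not part of OpenLDAP or of this guide."""
import base64

# The cn=default entry from policies.example.com.ldif, copied here as the
# sample input so the script runs stand-alone.
POLICY_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAllowUserChange: TRUE
pwdAttribute: 2.5.4.35
pwdCheckQuality: 0
pwdExpireWarning: 259200
pwdFailureCountInterval: 300
pwdGraceAuthNLimit: 3
pwdInHistory: 12
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxAge: 2419200
pwdMaxFailure: 5
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: FALSE
"""


def parse_ldif(text):
    """Return a list of {attribute: [values]} dicts, one per LDIF record.

    Handles '#' comments, base64 values ('attr:: ...') and RFC 2849
    continuation lines (a leading space joins the line to the previous one).
    A line containing only whitespace is a continuation line, not a record
    separator, so a pasted file with such lines would merge two entries and
    fail to import; it is rejected up front rather than guessed at.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw and not raw.strip():
            raise ValueError("whitespace-only line: separate entries with an empty line")
        if raw.startswith(" "):
            if not unfolded:
                raise ValueError("continuation line with nothing to continue")
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    records, current = [], {}
    for line in unfolded + [""]:          # sentinel flushes the last record
        if line == "":
            if current:
                records.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip(), []).append(value.strip())
    return records


def summarize_policy(entry):
    """Translate the raw seconds/counts into the terms an auditor reads,
    and list settings whose effect differs from what the numbers suggest."""
    def first(attr, default):
        return entry.get(attr, [default])[0]

    def seconds(attr):
        return int(first(attr, "0"))

    facts = {
        "max_age_days": seconds("pwdMaxAge") / 86400,
        "expire_warning_days": seconds("pwdExpireWarning") / 86400,
        "grace_logins": int(first("pwdGraceAuthNLimit", "0")),
        "min_length": int(first("pwdMinLength", "0")),
        "history": int(first("pwdInHistory", "0")),
        "lockout": first("pwdLockout", "FALSE").upper() == "TRUE",
        "max_failures": int(first("pwdMaxFailure", "0")),
        "failure_window_minutes": seconds("pwdFailureCountInterval") / 60,
        "lockout_minutes": seconds("pwdLockoutDuration") / 60,
    }
    caveats = []
    if int(first("pwdCheckQuality", "0")) == 0 and facts["min_length"] > 0:
        caveats.append("pwdMinLength is not enforced while pwdCheckQuality is 0; "
                       "set pwdCheckQuality to 1 or 2 for the length to apply")
    if facts["lockout"] and facts["lockout_minutes"] == 0:
        caveats.append("pwdLockoutDuration 0 keeps accounts locked until an administrator resets them")
    return facts, caveats


if __name__ == "__main__":
    policy = parse_ldif(POLICY_LDIF)[0]
    facts, caveats = summarize_policy(policy)
    for key, value in facts.items():
        print(f"{key:24} {value}")
    for c in caveats:
        print("CAVEAT:", c)
```

Run against the entry above it reports the 28-day maximum age, 3-day warning, 3 grace logins, 5 failures in a 5-minute window and a 30-minute lockout, and raises the one caveat about pwdMinLength.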

To load the password policy overlay and point it to the default policy, we must download the following file:

overlay_ppolicy.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy

dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE

Make the configuration changes with the following command:

ldapmodify -Y EXTERNAL -H ldapi:/// -f overlay_ppolicy.ldif

To allow Postfix mail addresses and aliases to be configured via the LDAP directory, import the file below.

mail.apps.example.com.ldif
dn: ou=mail,ou=apps,dc=example,dc=com
objectclass: organizationalUnit
ou: mail

dn: ou=aliases,ou=mail,ou=apps,dc=example,dc=com
objectclass: organizationalUnit
ou: aliases

dn: cn=abuse@example.com,ou=aliases,ou=mail,ou=apps,dc=example,dc=com
cn: abuse@example.com
objectclass: groupOfUniqueNames
uniquemember: uid=user1,ou=people,dc=example,dc=com

dn: cn=postmaster@example.com,ou=aliases,ou=mail,ou=apps,dc=example,dc=com
cn: postmaster@example.com
objectclass: groupOfUniqueNames
uniquemember: uid=user1,ou=people,dc=example,dc=com

To import this file we must use the following command and enter the directory administrator's password when prompted:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f mail.apps.example.com.ldif

To improve the performance of e-mail address lookups via LDAP, we must add an additional index:

postfix_index.ldif
dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: mail eq,subinitial

Make the index changes with the following command:

ldapmodify -Y EXTERNAL -H ldapi:/// -f postfix_index.ldif

To improve the performance of SAMBA domain and user lookups via LDAP, we must add some additional indices:

samba_index.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub

Make the index changes with the following command:

ldapmodify -Y EXTERNAL -H ldapi:/// -f samba_index.ldif

To support Apple Macs in native Open Directory mode, we must mimic the structure of the Apple directory by importing the file below.

macosx.example.com.ldif
dn: ou=macosx,dc=example,dc=com
ou: macosx
objectClass: organizationalUnit
description: Holds metadata for OS X Server

dn: cn=mounts,ou=macosx,dc=example,dc=com
cn: mounts
objectClass: container

dn: cn=accesscontrols,ou=macosx,dc=example,dc=com
cn: accesscontrols
objectClass: container

dn: cn=certificateauthorities,ou=macosx,dc=example,dc=com
cn: certificateauthorities
objectClass: container

dn: cn=computers,ou=macosx,dc=example,dc=com
cn: computers
objectClass: container

dn: cn=computer_groups,ou=macosx,dc=example,dc=com
cn: computer_groups
objectClass: container

dn: cn=computer_lists,ou=macosx,dc=example,dc=com
cn: computer_lists
objectClass: container

dn: cn=config,ou=macosx,dc=example,dc=com
cn: config
objectClass: container

dn: cn=locations,ou=macosx,dc=example,dc=com
cn: locations
objectClass: container

dn: cn=machines,ou=macosx,dc=example,dc=com
cn: machines
objectClass: container

dn: cn=neighborhoods,ou=macosx,dc=example,dc=com
cn: neighborhoods
objectClass: container

dn: cn=people,ou=macosx,dc=example,dc=com
cn: people
objectClass: container

dn: cn=presets_computer_lists,ou=macosx,dc=example,dc=com
cn: presets_computer_lists
objectClass: container

dn: cn=presets_groups,ou=macosx,dc=example,dc=com
cn: presets_groups
objectClass: container

dn: cn=presets_users,ou=macosx,dc=example,dc=com
cn: presets_users
objectClass: container

dn: cn=printers,ou=macosx,dc=example,dc=com
cn: printers
objectClass: container

dn: cn=augments,ou=macosx,dc=example,dc=com
cn: augments
objectClass: container

dn: cn=autoserversetup,ou=macosx,dc=example,dc=com
cn: autoserversetup
objectClass: container

dn: cn=filemakerservers,ou=macosx,dc=example,dc=com
cn: filemakerservers
objectClass: container

dn: cn=resources,ou=macosx,dc=example,dc=com
cn: resources
objectClass: container

dn: cn=places,ou=macosx,dc=example,dc=com
cn: places
objectClass: container

dn: cn=maps,ou=macosx,dc=example,dc=com
cn: maps
objectClass: container

dn: cn=presets_computers,ou=macosx,dc=example,dc=com
cn: presets_computers
objectClass: container

dn: cn=presets_computer_groups,ou=macosx,dc=example,dc=com
cn: presets_computer_groups
objectClass: container

dn: cn=automountMap,ou=macosx,dc=example,dc=com
cn: automountMap
objectClass: container

dn: ou=macosxodconfig,cn=config,ou=macosx,dc=example,dc=com
ou: macosxodconfig
objectClass: organizationalUnit

dn: cn=mcx_cache,cn=config,ou=macosx,dc=example,dc=com
cn: mcx_cache
objectClass: apple-configuration

dn: cn=ldapreplicas,cn=config,ou=macosx,dc=example,dc=com
cn: ldapreplicas
objectClass: apple-configuration

dn: cn=passwordserver,cn=config,ou=macosx,dc=example,dc=com
cn: passwordserver
objectClass: apple-configuration

dn: cn=macosxodpolicy,cn=config,ou=macosx,dc=example,dc=com
cn: macosxodpolicy
objectClass: apple-configuration

dn: cn=CollabServices,cn=config,ou=macosx,dc=example,dc=com
cn: CollabServices
objectClass: apple-configuration

dn: cn=CIFSServer,cn=config,ou=macosx,dc=example,dc=com
cn: CIFSServer
objectClass: apple-configuration

dn: cn=KerberosKDC,cn=config,ou=macosx,dc=example,dc=com
cn: KerberosKDC
objectClass: apple-configuration

dn: cn=KerberosClient,cn=config,ou=macosx,dc=example,dc=com
cn: KerberosClient
objectClass: apple-configuration

dn: cn=Home_Dir_Items,cn=config,ou=macosx,dc=example,dc=com
cn: Home_Dir_Items
objectClass: apple-configuration

dn: cn=Group_Dir_Items,cn=config,ou=macosx,dc=example,dc=com
cn: Group_Dir_Items
objectClass: apple-configuration

To import this file we must use the following command and enter the directory administrator's password when prompted:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f macosx.example.com.ldif

Due to the nature of the information frequently held in the LDAP directory, it is essential that we protect access to it and reduce the chances of eavesdropping.

Many applications will use the LDAP simple bind mechanism, which transmits the username and password in clear text over the network. Where this is an internal, trusted network or via a VPN, this might just about be acceptable. In all other cases we will use TLS to encrypt the data before it is sent. As OpenLDAP on Ubuntu (and Debian) is compiled against GnuTLS libraries, we must install their certificate tools:

apt-get install gnutls-bin

Now we must generate a secure private key and certificate signing request (CSR) to pass to our certificate authority (CA):

certtool --generate-privkey --bits 4096 --outfile /etc/ssl/private/servername.example.com.key
adduser openldap ssl-cert
chgrp ssl-cert /etc/ssl/private/servername.example.com.key
chmod 640 /etc/ssl/private/servername.example.com.key

certtool --generate-request --load-privkey /etc/ssl/private/servername.example.com.key --outfile servername.example.com.csr
Generating a PKCS #10 certificate request...
Country name (2 chars): GB
Organization name: Example Company
Organizational unit name: 
Locality name: Basingstoke
State or province name: Hampshire
Common name: servername.example.com
UID: 
Enter a dnsName of the subject of the certificate: servername.example.com
Enter a dnsName of the subject of the certificate: 
Enter the IP address of the subject of the certificate: 
Enter the e-mail of the subject of the certificate: 
Enter a challenge password: 
Does the certificate belong to an authority? (y/N): 
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): 
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
Is this a TLS web client certificate? (y/N): 
Is this also a TLS web server certificate? (y/N): y

Copy the contents of the resulting servername.example.com.csr file to your CA (in our case we used StartSSL) and ask them to certify it for you. Depending on the authority used this should require proof of identity and possibly the removal of some money. Once your key has been certified, save the certificate in /etc/ssl/certs/servername.example.com.pem.

It is now necessary to create a certificate chain file, which will be used to verify our new server certificate up to the CA's root. In our case we were issued a Class 1 Server certificate, which is one level below StartCom's root. Create /etc/ssl/certs/StartCom_Class_1_Server.pem, paste into it the contents of https://www.startssl.com/certs/sub.class1.server.ca.pem followed by https://www.startssl.com/certs/ca.pem and then save the file.

The following file is then needed to enable TLS:

tls_enable.ldif
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/StartCom_Class_1_Server.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/servername.example.com.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/servername.example.com.key
-
add: olcTLSCipherSuite
olcTLSCipherSuite: SECURE256
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never

Make the security changes with the following commands:

ldapmodify -Y EXTERNAL -H ldapi:/// -f tls_enable.ldif

Edit /etc/default/slapd and update the SLAPD_SERVICES option:

SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"

Finally, restart slapd and test that TLS is operational:

service slapd restart
gnutls-cli-debug -p 636 localhost

Often an LDAP server has multiple network interfaces, bound to different LANs or VLANs. It can be advantageous to limit the interfaces slapd listens on. In the example below unencrypted connections are allowed from the local machine only and

To restrict the listening interfaces, edit /etc/default/slapd and update the SLAPD_SERVICES option:

SLAPD_SERVICES="ldap://127.0.0.1/ ldapi:/// ldaps://192.0.2.1/"

Then restart slapd and check which interfaces it is listening on:

service slapd restart
netstat -tlpn | grep slapd
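An added check for the SLAPD_SERVICES setting (example code, not part of the slapd package): it parses the assignment from /etc/default/slapd and reports every ldap:// listener bound to anything other than a loopback address, where a simple bind would cross the network in clear text unless the client negotiates StartTLS. The two sample lines are the ones shown above.

```python
"""Audit the SLAPD_SERVICES line from /etc/default/slapd: which listeners
accept simple binds in clear text, and which of those are reachable from
beyond the local machine. Added example, not part of the slapd package."""
import ipaddress
import shlex
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_slapd_services(line):
    """Return the listener URIs from a SLAPD_SERVICES="..." shell assignment."""
    key, _, value = line.partition("=")
    if key.strip() != "SLAPD_SERVICES":
        raise ValueError("expected a SLAPD_SERVICES assignment")
    tokens = shlex.split(value)          # strips the surrounding quotes
    return " ".join(tokens).split()


def classify_listener(uri):
    """Describe one listener: transport, address, whether it can carry
    cleartext binds and whether it binds beyond the loopback interface."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme == "ldapi":                # Unix domain socket: local only, no network
        return {"uri": uri, "scheme": scheme, "host": None, "port": None,
                "cleartext": False, "exposed": False}
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unknown listener scheme: " + uri)
    host = parts.hostname                # None for ldap:/// (all interfaces)
    if host is None:
        exposed = True
    else:
        try:
            exposed = not ipaddress.ip_address(host).is_loopback
        except ValueError:               # a hostname rather than an address
            exposed = host.lower() != "localhost"
    return {"uri": uri, "scheme": scheme, "host": host,
            "port": parts.port or DEFAULT_PORTS[scheme],
            "cleartext": scheme == "ldap", "exposed": exposed}


def audit_services(line):
    """Return a finding for every listener on which credentials could cross
    the network unencrypted (plain ldap:// on a non-loopback address)."""
    findings = []
    for uri in parse_slapd_services(line):
        info = classify_listener(uri)
        if info["cleartext"] and info["exposed"]:
            where = info["host"] or "all interfaces"
            findings.append(f"{uri}: simple binds reach {where}:{info['port']} in clear text "
                            "unless every client negotiates StartTLS")
    return findings


if __name__ == "__main__":
    for line in ('SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"',
                 'SLAPD_SERVICES="ldap://127.0.0.1/ ldapi:/// ldaps://192.0.2.1/"'):
        print(line, "->", audit_services(line) or "no cleartext exposure")
```

The first line from the TLS section above produces one finding for ldap:///, which listens on every interface; the restricted line produces none, since the only cleartext listener is on 127.0.0.1 and the network-facing one is ldaps://. Pair the output with the netstat listing to confirm the running daemon matches the file.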

Once you have added the schema and data, it is necessary to stop LDAP, re-build its indices, restart it and check the system log for any problems:

service slapd stop
slapindex
chown -R openldap:openldap /var/lib/ldap
service slapd start

Examine the tail of /var/log/syslog for any errors or warnings being reported by the slapd process.

If you would like to see which schema modifications have been loaded, type

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn