OpenLDAP: Installation and Configuration
Often it is advantageous to have authentication, security and application settings centralised for ease of management. Microsoft provide Active Directory for Windows users and through the use of OpenLDAP, we can duplicate this behaviour in a cross-platform and open-source way. An LDAP directory can be used to provide single sign-on for Linux, Windows, OSX and web-based applications as well as network authentication via RADIUS.
This article describes how to install OpenLDAP and configure a basic directory information tree.
Supported Releases
Should work in all Ubuntu releases from 8.10 (Intrepid Ibex) upwards. Tested on 10.04 (Lucid Lynx) Ubuntu Server 64-bit.
Required Packages
For an installation that does not require password synchronisation for Windows users:
sudo apt-get install slapd ldap-utils
Alternatively, if you are using SAMBA and wish to keep your LDAP and SAMBA passwords synchronised, the following is required to work around a packaging bug. Add the following to /etc/apt/sources.list:
# Debian Stable repository
deb http://ftp.debian.org/debian stable main
Then, create the file /etc/apt/preferences with the following content to prevent the Debian releases automatically updating our installation:
Package: *
Pin: release l=Debian
Pin-Priority: 10
Next, edit /etc/apt/apt.conf.d/70debconf and add the following to allow for the much larger Debian repository list we must now manage:
APT::Cache-Limit "100000000";
You are now ready to obtain the Debian Squeeze release keys and update your repository lists:
sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0xB98321F9
sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x473041FA
sudo apt-get update
Finally, install the required packages:
sudo apt-get install slapd-smbk5pwd ldap-utils
Schema Creation
A schema defines the objects and attributes in the LDAP database. Depending on the applications we are going to hook into the directory, different schema files will be needed.
Log on and become root:
sudo -s
Add the basic schema files required for all directories:
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif
Sudo via LDAP
To enable the management of root privileges via the directory using Sudo, load the file below. It was converted from the original, located in /usr/share/doc/sudo-ldap/schema.OpenLDAP on an Ubuntu system once the sudo-ldap package has been installed.
- sudo.ldif
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {2}( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {3}( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {4}( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {5}( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {6}( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: {0}( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )
Apply the schema modifications with the following command:
ldapadd -Y EXTERNAL -H ldapi:/// -f sudo.ldif
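Each of the LDIF files in this Schema Creation section is loaded the same way, and the usual reasons the ldapadd fails are the same too: a prerequisite schema (cosine, inetorgperson) not loaded yet so an attribute in a MAY list is unknown, or ordering indices and OIDs that have drifted while editing. The pre-flight check below is an added example and not part of the original article; BASE_ATTRIBUTES is an assumed, partial list of what the server already knows, and SAMPLE_SUDO_LDIF is a constructed copy of the sudo schema above, folded the way such files usually are.

```python
import re

# Attributes slapd already knows before this file is loaded: a partial, assumed
# list of core plus the cosine/inetorgperson attributes the article loads first.
BASE_ATTRIBUTES = {
    "cn", "sn", "name", "description", "uid", "userPassword", "mail", "title",
    "displayName", "givenName", "o", "ou", "l", "st", "c", "street", "pager",
    "postalCode", "postOfficeBox", "telephoneNumber", "homePhone", "mobile",
    "facsimileTelephoneNumber",
}

# Constructed sample: the article's sudo schema, folded the way cn=config LDIF
# often is (continuation lines start with one space; a fold may land mid-word).
SAMPLE_SUDO_LDIF = """\
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s)
  who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMa
 tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: {0}( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ description ) )
"""
_DEF_RE = re.compile(r"^\{(\d+)\}\s*\(\s*([\d.]+)\s+(.*)\)\s*$")
_NAME_RE = re.compile(r"\bNAME\s+(\([^)]*\)|'[^']*')")


def unfold_ldif(text):
    """Undo LDIF folding (RFC 2849): a line starting with one space continues
    the previous line, and that single space is dropped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines


def parse_definition(value):
    """Parse one olcAttributeTypes / olcObjectClasses value into a dict."""
    m = _DEF_RE.match(value)
    if not m:
        raise ValueError("not a schema definition: %r" % value[:40])
    index, oid, body = int(m.group(1)), m.group(2), m.group(3)
    names_m = _NAME_RE.search(body)
    names = re.findall(r"'([^']*)'", names_m.group(1)) if names_m else []
    # Drop the DESC string so words inside it cannot be taken for keywords.
    body = re.sub(r"\bDESC\s+'[^']*'", " ", body)
    refs = {}
    for kw in ("SUP", "MUST", "MAY"):  # '( a $ b )' or 'a' -> ['a', 'b']
        km = re.search(r"\b%s\s+(\([^)]*\)|\S+)" % kw, body)
        refs[kw] = [t.strip() for t in km.group(1).strip("() ").split("$") if t.strip()] if km else []
    return {"index": index, "oid": oid, "names": names, **refs}


def parse_schema(text):
    entry = {"dn": "", "attributes": [], "objectclasses": []}
    for line in unfold_ldif(text):
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "dn":
            entry["dn"] = value
        elif key == "olcAttributeTypes":
            entry["attributes"].append(parse_definition(value))
        elif key == "olcObjectClasses":
            entry["objectclasses"].append(parse_definition(value))
    return entry


def check_schema(text, known_attributes=BASE_ATTRIBUTES):
    """Return the problems found; an empty list means the file passed."""
    entry = parse_schema(text)
    findings = []
    if not entry["dn"].lower().endswith(",cn=schema,cn=config"):
        findings.append("dn %r is not under cn=schema,cn=config" % entry["dn"])
    defined = {a.lower() for a in known_attributes}
    seen = {}
    for kind in ("attributes", "objectclasses"):
        for pos, d in enumerate(entry[kind]):
            label = d["names"][0] if d["names"] else d["oid"]
            if d["index"] != pos:
                findings.append("%s: index {%d} out of sequence, expected {%d}" % (label, d["index"], pos))
            if d["oid"] in seen:
                findings.append("OID %s used by both %s and %s" % (d["oid"], seen[d["oid"]], label))
            seen[d["oid"]] = label
            if kind == "attributes":
                defined.update(n.lower() for n in d["names"])
    # Every attribute supertype and every MUST/MAY member must already exist when
    # slapd processes this entry; if not, a prerequisite schema is still missing.
    for d in entry["attributes"]:
        for sup in d["SUP"]:
            if sup.lower() not in defined:
                findings.append("attribute %s: SUP %s is not defined" % (d["names"][0], sup))
    for d in entry["objectclasses"]:
        for ref in d["MUST"] + d["MAY"]:
            if ref.lower() not in defined:
                findings.append("objectClass %s: %s is not a known attribute (load its schema first)" % (d["names"][0], ref))
    return findings
```

Run check_schema over the text of each file before its ldapadd; a non-empty list tells you which schema to load first or which index to renumber.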
Password Policy
To implement password expiry, strength controls, lockout, etc. with password policies, load the file below. It was converted from the original, located in /etc/ldap/schema/ppolicy.schema on an Ubuntu system once the slapd package has been installed.
- ppolicy.ldif
dn: cn=ppolicy,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: ppolicy
olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {13}( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {15}( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' DESC 'Loadable module that instantiates "check_password() function' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top AUXILIARY MAY pwdCheckModule )
olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )
Apply the schema modifications with the following command:
ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy.ldif
Thunderbird Contacts
To store Mozilla Thunderbird contacts and groups in the directory, load the file below. It was originally downloaded from https://wiki.mozilla.org/MailNews:Mozilla_LDAP_Address_Book_Schema and converted to LDIF format.
- mozillaAbPersonAlpha.ldif
dn: cn=mozillaAbPersonAlpha,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: mozillaAbPersonAlpha
olcAttributeTypes: {0}( 1.3.6.1.4.1.13769.4.1 NAME 'mozillaCustom1' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.4.1.13769.4.2 NAME 'mozillaCustom2' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.13769.4.3 NAME 'mozillaCustom3' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.13769.4.4 NAME 'mozillaCustom4' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.13769.3.1 NAME 'mozillaHomeStreet' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.13769.3.2 NAME 'mozillaHomeStreet2' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.13769.3.3 NAME 'mozillaHomeLocalityName' SUP name SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.13769.3.4 NAME 'mozillaHomeState' SUP name SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.13769.3.5 NAME 'mozillaHomePostalCode' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.13769.3.6 NAME 'mozillaHomeCountryName' SUP name SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.13769.3.7 NAME 'mozillaHomeUrl' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.13769.3.8 NAME 'mozillaWorkStreet2' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.13769.3.9 NAME 'mozillaWorkUrl' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {13}( 1.3.6.1.4.1.13769.2.1 NAME ( 'mozillaNickname' 'xmozillanickname' ) SUP name )
olcAttributeTypes: {14}( 1.3.6.1.4.1.13769.2.2 NAME ( 'mozillaSecondEmail' 'xmozillasecondemail' ) EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
olcAttributeTypes: {15}( 1.3.6.1.4.1.13769.2.3 NAME ( 'mozillaUseHtmlMail' 'xmozillausehtmlmail' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {16}( 1.3.6.1.4.1.13769.2.4 NAME ( 'nsAIMid' 'nscpaimscreenname' ) EQUALITY telephoneNumberMatch SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
olcObjectClasses: {0}( 1.3.6.1.4.1.13769.9.1 NAME 'mozillaAbPersonAlpha' SUP top AUXILIARY MUST cn MAY ( c $ description $ displayName $ facsimileTelephoneNumber $ givenName $ homePhone $ l $ mail $ mobile $ mozillaCustom1 $ mozillaCustom2 $ mozillaCustom3 $ mozillaCustom4 $ mozillaHomeCountryName $ mozillaHomeLocalityName $ mozillaHomePostalCode $ mozillaHomeState $ mozillaHomeStreet $ mozillaHomeStreet2 $ mozillaHomeUrl $ mozillaNickname $ mozillaSecondEmail $ mozillaUseHtmlMail $ mozillaWorkStreet2 $ mozillaWorkUrl $ nsAIMid $ o $ ou $ pager $ postalCode $ postOfficeBox $ sn $ st $ street $ telephoneNumber $ title ) )
Apply the schema modifications with the following command:
ldapadd -Y EXTERNAL -H ldapi:/// -f mozillaAbPersonAlpha.ldif
FreeRADIUS
To use RADIUS to authenticate network users via LAN, Wi-Fi or VPN in conjunction with compatible network switches, routers and access points, load the file below. It was converted from the original, located in /usr/share/doc/freeradius/examples/openldap.schema on an Ubuntu system once the freeradius-ldap package has been installed.
- freeradius.ldif
dn: cn=freeradius,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: freeradius
olcAttributeTypes: {0}( 1.3.6.1.4.1.3317.4.3.1.1 NAME 'radiusArapFeatures' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.4.1.3317.4.3.1.2 NAME 'radiusArapSecurity' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.3317.4.3.1.3 NAME 'radiusArapZoneAccess' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.3317.4.3.1.44 NAME 'radiusAuthType' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.3317.4.3.1.4 NAME 'radiusCallbackId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.3317.4.3.1.5 NAME 'radiusCallbackNumber' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.3317.4.3.1.6 NAME 'radiusCalledStationId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.3317.4.3.1.7 NAME 'radiusCallingStationId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.3317.4.3.1.8 NAME 'radiusClass' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {9}( 1.3.6.1.4.1.3317.4.3.1.45 NAME 'radiusClientIPAddress' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.3317.4.3.1.9 NAME 'radiusFilterId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {11}( 1.3.6.1.4.1.3317.4.3.1.10 NAME 'radiusFramedAppleTalkLink' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.3317.4.3.1.11 NAME 'radiusFramedAppleTalkNetwork' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {13}( 1.3.6.1.4.1.3317.4.3.1.12 NAME 'radiusFramedAppleTalkZone' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.3317.4.3.1.13 NAME 'radiusFramedCompression' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {15}( 1.3.6.1.4.1.3317.4.3.1.14 NAME 'radiusFramedIPAddress' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {16}( 1.3.6.1.4.1.3317.4.3.1.15 NAME 'radiusFramedIPNetmask' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {17}( 1.3.6.1.4.1.3317.4.3.1.16 NAME 'radiusFramedIPXNetwork' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {18}( 1.3.6.1.4.1.3317.4.3.1.17 NAME 'radiusFramedMTU' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {19}( 1.3.6.1.4.1.3317.4.3.1.18 NAME 'radiusFramedProtocol' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {20}( 1.3.6.1.4.1.3317.4.3.1.19 NAME 'radiusFramedRoute' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {21}( 1.3.6.1.4.1.3317.4.3.1.20 NAME 'radiusFramedRouting' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {22}( 1.3.6.1.4.1.3317.4.3.1.46 NAME 'radiusGroupName' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {23}( 1.3.6.1.4.1.3317.4.3.1.47 NAME 'radiusHint' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {24}( 1.3.6.1.4.1.3317.4.3.1.48 NAME 'radiusHuntgroupName' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {25}( 1.3.6.1.4.1.3317.4.3.1.21 NAME 'radiusIdleTimeout' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {26}( 1.3.6.1.4.1.3317.4.3.1.22 NAME 'radiusLoginIPHost' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {27}( 1.3.6.1.4.1.3317.4.3.1.23 NAME 'radiusLoginLATGroup' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {28}( 1.3.6.1.4.1.3317.4.3.1.24 NAME 'radiusLoginLATNode' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {29}( 1.3.6.1.4.1.3317.4.3.1.25 NAME 'radiusLoginLATPort' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {30}( 1.3.6.1.4.1.3317.4.3.1.26 NAME 'radiusLoginLATService' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {31}( 1.3.6.1.4.1.3317.4.3.1.27 NAME 'radiusLoginService' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {32}( 1.3.6.1.4.1.3317.4.3.1.28 NAME 'radiusLoginTCPPort' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {33}( 1.3.6.1.4.1.3317.4.3.1.29 NAME 'radiusPasswordRetry' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {34}( 1.3.6.1.4.1.3317.4.3.1.30 NAME 'radiusPortLimit' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {35}( 1.3.6.1.4.1.3317.4.3.1.49 NAME 'radiusProfileDn' DESC '' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
olcAttributeTypes: {36}( 1.3.6.1.4.1.3317.4.3.1.31 NAME 'radiusPrompt' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {37}( 1.3.6.1.4.1.3317.4.3.1.50 NAME 'radiusProxyToRealm' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {38}( 1.3.6.1.4.1.3317.4.3.1.51 NAME 'radiusReplicateToRealm' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {39}( 1.3.6.1.4.1.3317.4.3.1.52 NAME 'radiusRealm' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {40}( 1.3.6.1.4.1.3317.4.3.1.32 NAME 'radiusServiceType' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {41}( 1.3.6.1.4.1.3317.4.3.1.33 NAME 'radiusSessionTimeout' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {42}( 1.3.6.1.4.1.3317.4.3.1.34 NAME 'radiusTerminationAction' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {43}( 1.3.6.1.4.1.3317.4.3.1.35 NAME 'radiusTunnelAssignmentId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {44}( 1.3.6.1.4.1.3317.4.3.1.36 NAME 'radiusTunnelMediumType' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {45}( 1.3.6.1.4.1.3317.4.3.1.37 NAME 'radiusTunnelPassword' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {46}( 1.3.6.1.4.1.3317.4.3.1.38 NAME 'radiusTunnelPreference' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {47}( 1.3.6.1.4.1.3317.4.3.1.39 NAME 'radiusTunnelPrivateGroupId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {48}( 1.3.6.1.4.1.3317.4.3.1.40 NAME 'radiusTunnelServerEndpoint' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {49}( 1.3.6.1.4.1.3317.4.3.1.41 NAME 'radiusTunnelType' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {50}( 1.3.6.1.4.1.3317.4.3.1.42 NAME 'radiusVSA' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {51}( 1.3.6.1.4.1.3317.4.3.1.43 NAME 'radiusTunnelClientEndpoint' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {52}( 1.3.6.1.4.1.3317.4.3.1.53 NAME 'radiusSimultaneousUse' DESC '' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {53}( 1.3.6.1.4.1.3317.4.3.1.54 NAME 'radiusLoginTime' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {54}( 1.3.6.1.4.1.3317.4.3.1.55 NAME 'radiusUserCategory' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {55}( 1.3.6.1.4.1.3317.4.3.1.56 NAME 'radiusStripUserName' DESC '' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {56}( 1.3.6.1.4.1.3317.4.3.1.57 NAME 'dialupAccess' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {57}( 1.3.6.1.4.1.3317.4.3.1.58 NAME 'radiusExpiration' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {58}( 1.3.6.1.4.1.3317.4.3.1.59 NAME 'radiusCheckItem' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {59}( 1.3.6.1.4.1.3317.4.3.1.60 NAME 'radiusReplyItem' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {60}( 1.3.6.1.4.1.3317.4.3.1.61 NAME 'radiusNASIpAddress' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {61}( 1.3.6.1.4.1.3317.4.3.1.62 NAME 'radiusReplyMessage' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: {0}( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' DESC '' SUP top AUXILIARY MUST cn MAY ( radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $ radiusAuthType $ radiusCallbackId $ radiusCallbackNumber $ radiusCalledStationId $ radiusCallingStationId $ radiusClass $ radiusClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $ radiusFramedAppleTalkNetwork $ radiusFramedAppleTalkZone $ radiusFramedCompression $ radiusFramedIPAddress $ radiusFramedIPNetmask $ radiusFramedIPXNetwork $ radiusFramedMTU $ radiusFramedProtocol $ radiusCheckItem $ radiusReplyItem $ radiusFramedRoute $ radiusFramedRouting $ radiusIdleTimeout $ radiusGroupName $ radiusHint $ radiusHuntgroupName $ radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $ radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $ radiusLoginTCPPort $ radiusLoginTime $ radiusPasswordRetry $ radiusPortLimit $ radiusPrompt $ radiusProxyToRealm $ radiusRealm $ radiusReplicateToRealm $ radiusServiceType $ radiusSessionTimeout $ radiusStripUserName $ radiusTerminationAction $ radiusTunnelClientEndpoint $ radiusProfileDn $ radiusSimultaneousUse $ radiusTunnelAssignmentId $ radiusTunnelMediumType $ radiusTunnelPassword $ radiusTunnelPreference $ radiusTunnelPrivateGroupId $ radiusTunnelServerEndpoint $ radiusTunnelType $ radiusUserCategory $ radiusVSA $ radiusExpiration $ dialupAccess $ radiusNASIpAddress $ radiusReplyMessage ) )
olcObjectClasses: {1}( 1.3.6.1.4.1.3317.4.3.2.2 NAME 'radiusObjectProfile' DESC 'A Container Objectclass to be used for creating radius profile object' SUP top STRUCTURAL MUST cn MAY ( uid $ userPassword $ description ) )
Apply the schema modifications with the following command:
ldapadd -Y EXTERNAL -H ldapi:/// -f freeradius.ldif
Pure FTP
To control Pure-FTPd users, home directories, quotas, bandwidth, etc. via the directory, load the file below. It was converted from the original, located in /usr/share/doc/pure-ftpd-common/pureftpd.schema on an Ubuntu system once the pure-ftpd-common package has been installed.
- pureftpd.ldif
dn: cn=pureftpd,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: pureftpd
olcAttributeTypes: {0}( 1.3.6.1.4.1.6981.11.3.1 NAME 'FTPQuotaFiles' DESC 'Quota (in number of files) for an FTP user' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.4.1.6981.11.3.2 NAME 'FTPQuotaMBytes' DESC 'Quota (in megabytes) for an FTP user' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.6981.11.3.3 NAME 'FTPUploadRatio' DESC 'Ratio (compared with FTPRatioDown) for uploaded files' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.6981.11.3.4 NAME 'FTPDownloadRatio' DESC 'Ratio (compared with FTPRatioUp) for downloaded files' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.6981.11.3.5 NAME 'FTPUploadBandwidth' DESC 'Bandwidth (in KB/s) to limit upload speeds to' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.6981.11.3.6 NAME 'FTPDownloadBandwidth' DESC 'Bandwidth (in KB/s) to limit download speeds to' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.6981.11.3.7 NAME 'FTPStatus' DESC 'Account status: enabled or disabled' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.6981.11.3.8 NAME 'FTPuid' DESC 'System uid (overrides uidNumber if present)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.6981.11.3.9 NAME 'FTPgid' DESC 'System uid (overrides gidNumber if present)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.6981.11.2.3 NAME 'PureFTPdUser' DESC 'PureFTPd user with optional quota, throttling and ratio' SUP top AUXILIARY MAY ( FTPStatus $ FTPQuotaFiles $ FTPQuotaMBytes $ FTPUploadRatio $ FTPDownloadRatio $ FTPUploadBandwidth $ FTPDownloadBandwidth $ FTPuid $ FTPgid ) )
Apply the schema modifications with the following command:
ldapadd -Y EXTERNAL -H ldapi:/// -f pureftpd.ldif
SAMBA v3
To run as a SAMBA domain controller and/or share files and printers with Windows systems, load the file below. It was converted from the original, located in /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz on an Ubuntu system once the samba-doc package has been installed.
The file has been modified to include the attributes acctFlags, pwdLastSet, logonTime, logoffTime, kickoffTime, homeDrive, scriptPath, profilePath, userWorkstations, smbHome, rid and primaryGroupID from the SAMBA v2 configuration, as these are used by the Apple OSX schema. This should not cause any problems whether or not you intend to support Macs, but leaves the option open.
- samba.ldif
dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.4 NAME 'acctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.4.1.7165.2.1.3 NAME 'pwdLastSet' DESC 'NT pwdLastSet' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.7165.2.1.5 NAME 'logonTime' DESC 'NT logonTime' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.7165.2.1.6 NAME 'logoffTime' DESC 'NT logoffTime' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.7165.2.1.7 NAME 'kickoffTime' DESC 'NT kickoffTime' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.7165.2.1.10 NAME 'homeDrive' DESC 'NT homeDrive' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.7165.2.1.11 NAME 'scriptPath' DESC 'NT scriptPath' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.7165.2.1.12 NAME 'profilePath' DESC 'NT profilePath' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.7165.2.1.13 NAME 'userWorkstations' DESC 'userWorkstations' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.7165.2.1.17 NAME 'smbHome' DESC 'smbHome' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
olcAttributeTypes: {10}( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid' DESC 'NT rid' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID' DESC 'NT Group RID' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
olcAttributeTypes: {13}( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
olcAttributeTypes: {15}( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'Timestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {16}( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC 'Timestamp of when the user is allowed to update the password' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {17}( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DESC 'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {18}( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'Timestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {19}( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'Timestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {20}( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC 'Timestamp of when the user will be logged off automatically' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {21}( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' DESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {22}( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' DESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {23}( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC 'Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )
olcAttributeTypes: {24}( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'Driver letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
olcAttributeTypes: {25}( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC 'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
olcAttributeTypes: {26}( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC 'Roaming profile path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
olcAttributeTypes: {27}( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' DESC 'List of user workstations the user is allowed to logon to' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
olcAttributeTypes: {28}( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Home directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
olcAttributeTypes: {29}( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC 'Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
olcAttributeTypes: {30}( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC 'Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
olcAttributeTypes: {31}( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
olcAttributeTypes: {32}( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
olcAttributeTypes: {33}( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' DESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
olcAttributeTypes: {34}( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'Security ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
olcAttributeTypes: {35}( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'NT Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {36}( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {37}( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC 'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {38}( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Next NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {39}( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase' DESC 'Base at which the samba RID generation algorithm should operate' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {40}( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC 'Share Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {41}( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC 'Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
olcAttributeTypes: {42}( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' DESC 'A boolean option' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {43}( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' DESC 'An integer option' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {44}( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' DESC 'A string option' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {45}( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption' DESC 'A string list option' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {46}( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC 'Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {47}( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' DESC 'Minimal password length (default: 5)' EQUALITY integerMatch SYNTAX 1.3.6.1.
4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {48}( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength' DESC 'Length of Password History Entries (default: 0 => off)' EQUALITY intege rMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {49}( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' DES C 'Force Users to logon for password change (default: 0 => off, 2 => on)' EQU ALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {50}( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC 'M aximum password age, in seconds (default: -1 => never expire passwords)' EQUA LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {51}( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC 'M inimum password age, in seconds (default: 0 => allow immediate password chang e)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {52}( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' D ESC 'Lockout duration in minutes (default: 30, -1 => forever)' EQUALITY integ erMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {53}( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservation Window' DESC 'Reset time after lockout in minutes (default: 30)' EQUALITY int egerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {54}( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold' DESC 'Lockout users after bad logon attempts (default: 0 => off)' EQUALITY in tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {55}( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {56}( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdCh ange' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY inte gerMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {57}( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword' DESC 'Clear text password (used for trusted domain passwords)' EQUALITY octe tStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) olcAttributeTypes: {58}( 1.3.6.1.4.1.7165.2.1.69 NAME 'sambaPreviousClearTextP assword' DESC 'Previous clear text password (used for trusted domain password s)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) olcObjectClasses: {0}( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'Sam ba 3.0 Auxilary SAM Account' SUP top AUXILIARY MUST ( uid $ sambaSID ) MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ s ambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScr ipt $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGr oupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBad PasswordTime $ sambaPasswordHistory $ sambaLogonHours ) ) olcObjectClasses: {1}( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' DESC 'S amba Group Mapping' SUP top AUXILIARY MUST ( gidNumber $ sambaSID $ sambaGrou pType ) MAY ( displayName $ description $ sambaSIDList ) ) olcObjectClasses: {2}( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' DESC 'Samba Trust Password' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaNTPas sword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet ) ) olcObjectClasses: {3}( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPasswor d' DESC 'Samba Trusted Domain Password' SUP top STRUCTURAL MUST ( sambaDomain Name $ sambaSID $ sambaClearTextPassword $ sambaPwdLastSet ) MAY sambaPreviou sClearTextPassword ) olcObjectClasses: {4}( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' DESC 'Samba D omain Information' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ 
sambaAlgorithmicRidB ase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaM axPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWin dow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange ) ) olcObjectClasses: {5}( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' DESC 'Poo l for allocating UNIX uids/gids' SUP top AUXILIARY MUST ( uidNumber $ gidNumb er ) ) olcObjectClasses: {6}( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' DESC 'Map ping from a SID to an ID' SUP top AUXILIARY MUST sambaSID MAY ( uidNumber $ g idNumber ) ) olcObjectClasses: {7}( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' DESC 'Struc tural Class for a SID' SUP top STRUCTURAL MUST sambaSID ) olcObjectClasses: {8}( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' DESC 'Samba Configuration Section' SUP top AUXILIARY MAY description ) olcObjectClasses: {9}( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' DESC 'Samba S hare Section' SUP top STRUCTURAL MUST sambaShareName MAY description ) olcObjectClasses: {10}( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' DESC 'Samba Configuration Option' SUP top STRUCTURAL MUST sambaOptionName MAY ( sa mbaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListoptio n $ description ) )
Load the schema into cn=config over the local ldapi socket. Run it as root: the Ubuntu package maps root's SASL EXTERNAL identity to the cn=config administrator, so the same command from an ordinary shell fails with an insufficient access error. Once loaded, the schema appears as an entry named cn={N}samba under cn=schema,cn=config.
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f samba.ldif
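Two things are worth doing before that command runs. First, check the file the way slapd will read it: the values of an olcSchemaConfig entry are processed top to bottom, so a definition may only refer to names that are already defined, which is the constraint behind moving authAuthority ahead of its first use in the apple.ldif shown further down. Second, remember what this schema adds. sambaLMPassword and sambaNTPassword hold unsalted LM and NT hashes, and an NT hash is password-equivalent for NTLM, yet the Ubuntu package's default ACL withholds only userPassword and shadowLastChange and lets every other attribute fall through to a "by * read" rule; without a further ACL, any client that can read a user entry, anonymous binds included, can read its NT hash. The Python script below is an added example written for this article, not code from OpenLDAP, Samba or Apple. It unfolds the LDIF continuation lines, verifies that the {n} indices are sequential and that every SUP and MUST/MAY name is defined when it is reached, lists the credential-bearing attributes by a name pattern, and prints an ldapmodify LDIF that inserts a "by * none" rule for them ahead of the existing rules. The embedded sample is a constructed excerpt of samba.ldif; the base-schema name list, the name pattern, the database DN olcDatabase={1}hdb,cn=config and the admin DN cn=admin,dc=example,dc=com are assumptions to adjust for your server. The same check applies unchanged to apple_auxillary.ldif and apple.ldif.

```python
"""Pre-flight check for an olcSchemaConfig LDIF (samba.ldif, apple.ldif)
before ldapadd, plus a generator for the ACL its credential attributes need.
Added example for this article; not part of OpenLDAP, Samba or Apple's tools."""
import re
import sys

# Assumption: core, cosine, nis and inetorgperson are already loaded (the
# Ubuntu slapd package does that), so these names resolve on the server.
BASE_DEFINED = {"top", "cn", "uid", "description", "displayName",
                "gidNumber", "uidNumber", "distinguishedName"}
# Names that hold hashes, keys or clear-text secrets in the Samba and Apple
# schemas.  A review aid: read the hit list rather than trusting it blindly.
SECRET_NAME_RE = re.compile(
    r"(lm|nt|cleartext)password|passwordhistory|cmusaslsecret|privatekey"
    r"|kdc-authkey|krbkeyset|historydata|^password$", re.I)
IDX_RE = re.compile(r"^\{(\d+)\}")
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(([^)]*)\))")
REF_RE = re.compile(r"\b(SUP|MUST|MAY)\s+(\([^)]*\)|[\w-]+)")  # one name or ( a $ b )

def unfold_ldif(text):
    """Join RFC 2849 continuation lines (leading space) and drop comments/blanks."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    return lines

def check_schema(text):
    """Return (errors, secret_attrs).  slapd reads an olcSchemaConfig entry top
    to bottom, so a definition may only name things already seen.  Checked:
    {n} indices run 0,1,2,... per attribute, every SUP is already defined, and
    every MUST/MAY attribute of an object class exists."""
    errors, secrets = [], []
    defined = set(BASE_DEFINED)
    seen = {"olcAttributeTypes": 0, "olcObjectClasses": 0}
    for line in unfold_ldif(text):
        key, _, value = line.partition(":")
        if key not in seen:
            continue
        value = value.strip()
        m = IDX_RE.match(value)
        if not m or int(m.group(1)) != seen[key]:
            errors.append("%s: expected index {%d} in %r" % (key, seen[key], value[:40]))
        seen[key] += 1
        m = NAME_RE.search(value)
        if not m:
            errors.append("%s: no NAME in %r" % (key, value[:40]))
            continue
        names = [m.group(1)] if m.group(1) is not None else re.findall(r"'([^']*)'", m.group(2))
        bare = re.sub(r"'[^']*'", "", value)  # so words inside DESC are not taken as keywords
        for kw, group in REF_RE.findall(bare):
            for ref in re.findall(r"[\w-]+", group):
                if ref not in defined:
                    errors.append("%s: %s references undefined %s %s" % (key, names[0], kw, ref))
        if key == "olcAttributeTypes" and any(SECRET_NAME_RE.search(n) for n in names):
            secrets.append(names[0])
        defined.update(names)
    return errors, secrets

def acl_ldif(secret_attrs, db_dn="olcDatabase={1}hdb,cn=config",
             admin_dn="cn=admin,dc=example,dc=com"):
    """LDIF for ldapmodify inserting, ahead of the existing rules, an ACL that
    withholds the given attributes from everyone but the admin DN and the entry
    itself.  Both defaults are assumptions: {1}hdb is what the Ubuntu 10.04
    package creates and the admin DN stands in for yours."""
    if not secret_attrs:
        return ""
    rule = '{0}to attrs=%s by dn.exact="%s" write by self write by * none' % (
        ",".join(secret_attrs), admin_dn)
    return "dn: %s\nchangetype: modify\nadd: olcAccess\nolcAccess: %s\n" % (db_dn, rule)

# Constructed excerpt in the article's folded-LDIF layout: three Samba attributes and one class.
SAMPLE = """\
dn: cn=samba-demo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba-demo
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Securit
 y ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64}
  SINGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC '
 LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.
 121.1.26{32} SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC '
 MD4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.
 4.1.1466.115.121.1.26{32} SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'Sam
 ba 3.0 Auxilary SAM Account' SUP top AUXILIARY MUST ( uid $ sambaSID ) MAY (
 cn $ sambaLMPassword $ sambaNTPassword $ displayName ) )
"""

if __name__ == "__main__":
    errs, found = check_schema(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE)
    print("\n".join(["ERROR: " + e for e in errs] + ["credential attributes: " + ", ".join(found)]))
    sys.stdout.write(acl_ldif(found))
    sys.exit(1 if errs else 0)
```

Run it as python schema_check.py samba.ldif; with no argument it checks the embedded sample. After replacing the two DNs, feed the printed LDIF to sudo ldapmodify -Y EXTERNAL -H ldapi:///. olcAccess is an ordered attribute, so the {0} prefix inserts the new rule before the existing ones; that ordering matters because slapd applies the first "to" clause that matches and never consults the rest.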
Apple OS X
To support Apple Macintosh computers and their policies via Workgroup Manager, download the two files below. They have been converted from the originals found in /etc/openldap/schema/ on any Mac running OS X Lion (10.7).
The apple.schema file has been modified to include the attributes authAuthority, apple-user-homeDirectory and apple-acl-entry. The definition of authAuthority has been moved to the beginning of the file, ahead of its first use. The object class apple-user has been extended to include the attribute apple-user-homeDirectory.
- apple_auxillary.ldif
dn: cn=apple_auxillary,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: apple_auxillary
olcAttributeTypes: {0}( 1.2.840.113556.1.4.867 NAME 'altSecurityIdentities' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {1}( 1.2.840.113556.1.4.771 NAME 'servicePrincipalName' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
- apple.ldif
dn: cn=apple,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: apple
olcAttributeTypes: {0}( 1.3.6.1.4.1.63.1000.1.1.2.16.1 NAME 'authAuthority' DESC 'password server authentication authority' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.250.1.60 NAME 'ttl' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.63.1000.1.1.1.1.6 NAME 'apple-user-homeurl' DESC 'home directory URL' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.63.1000.1.1.1.1.7 NAME 'apple-user-class' DESC 'user class' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.63.1000.1.1.1.1.8 NAME 'apple-user-homequota' DESC 'home directory quota' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.63.1000.1.1.1.1.9 NAME 'apple-user-mailattribute' DESC 'mail attribute' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.63.1000.1.1.1.1.10 NAME 'apple-mcxflags' DESC 'mcx flags' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.63.1000.1.1.1.1.16 NAME ( 'apple-mcxsettings' 'apple-mcxsettings2' ) DESC 'mcx settings' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {8}( 1.3.6.1.4.1.63.1000.1.1.1.1.12 NAME 'apple-user-picture' DESC 'picture' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.63.1000.1.1.1.1.13 NAME 'apple-user-printattribute' DESC 'print attribute' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.63.1000.1.1.1.1.14 NAME 'apple-user-adminlimits' DESC 'admin limits' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.63.1000.1.1.1.1.15 NAME 'apple-user-authenticationhint' DESC 'password hint' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.63.1000.1.1.1.1.17 NAME 'apple-user-homesoftquota' DESC 'home directory soft quota' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {13}( 1.3.6.1.4.1.63.1000.1.1.1.1.18 NAME 'apple-user-passwordpolicy' DESC 'password policy options' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.63.1000.1.1.1.1.19 NAME 'apple-keyword' DESC 'keywords' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {15}( 1.3.6.1.4.1.63.1000.1.1.1.1.20 NAME 'apple-generateduid' DESC 'generated unique ID' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {16}( 1.3.6.1.4.1.63.1000.1.1.1.1.21 NAME 'apple-imhandle' DESC 'IM handle (service:account name)' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {17}( 1.3.6.1.4.1.63.1000.1.1.1.1.22 NAME 'apple-webloguri' DESC 'Weblog URI' EQUALITY caseIgnoreMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {18}( 1.3.6.1.4.1.63.1000.1.1.1.1.23 NAME 'apple-mapcoordinates' DESC 'Map Coordinates' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {19}( 1.3.6.1.4.1.63.1000.1.1.1.1.24 NAME 'apple-postaladdresses' DESC 'Postal Addresses' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {20}( 1.3.6.1.4.1.63.1000.1.1.1.1.25 NAME 'apple-phonecontacts' DESC 'Phone Contacts' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {21}( 1.3.6.1.4.1.63.1000.1.1.1.1.26 NAME 'apple-emailcontacts' DESC 'EMail Contacts' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {22}( 1.3.6.1.4.1.63.1000.1.1.1.1.27 NAME 'apple-birthday' DESC 'Birthday' EQUALITY generalizedTimeMatch SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
olcAttributeTypes: {23}( 1.3.6.1.4.1.63.1000.1.1.1.1.28 NAME 'apple-relationships' DESC 'Relationships' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {24}( 1.3.6.1.4.1.63.1000.1.1.1.1.29 NAME 'apple-company' DESC 'company' EQUALITY caseIgnoreMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {25}( 1.3.6.1.4.1.63.1000.1.1.1.1.30 NAME 'apple-nickname' DESC 'nickname' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {26}( 1.3.6.1.4.1.63.1000.1.1.1.1.31 NAME 'apple-mapuri' DESC 'Map URI' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {27}( 1.3.6.1.4.1.63.1000.1.1.1.1.32 NAME 'apple-mapguid' DESC 'map GUID' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {28}( 1.3.6.1.4.1.63.1000.1.1.1.1.33 NAME 'apple-serviceslocator' DESC 'Calendar Principal URI' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {29}( 1.3.6.1.4.1.63.1000.1.1.1.1.34 NAME 'apple-organizationinfo' DESC 'Originization Info data' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {30}( 1.3.6.1.4.1.63.1000.1.1.1.1.35 NAME 'apple-namesuffix' DESC 'namesuffix' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {31}( 1.3.6.1.4.1.63.1000.1.1.1.1.36 NAME 'apple-primarycomputerlist' DESC 'primary computer list' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {32}( 1.3.6.1.4.1.63.1000.1.1.1.1.100 NAME 'apple-user-homeDirectory' DESC 'The absolute path to the home directory' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {33}( 1.3.6.1.4.1.63.1000.1.1.1.14.1 NAME 'apple-group-homeurl' DESC 'group home url' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {34}( 1.3.6.1.4.1.63.1000.1.1.1.14.2 NAME 'apple-group-homeowner' DESC 'group home owner settings' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {35}( 1.3.6.1.4.1.63.1000.1.1.1.14.5 NAME 'apple-group-realname' DESC 'group real name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {36}( 1.3.6.1.4.1.63.1000.1.1.1.14.6 NAME 'apple-group-nestedgroup' DESC 'group real name' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {37}( 1.3.6.1.4.1.63.1000.1.1.1.14.7 NAME 'apple-group-memberguid' DESC 'group real name' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {38}( 1.3.6.1.4.1.63.1000.1.1.1.14.8 NAME 'apple-group-services' DESC 'group services' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {39}( 1.3.6.1.4.1.63.1000.1.1.1.14.9 NAME 'apple-contactguid' DESC 'contact GUID' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {40}( 1.3.6.1.4.1.63.1000.1.1.1.14.10 NAME 'apple-ownerguid' DESC 'owner GUID' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {41}( 1.3.6.1.4.1.63.1000.1.1.1.14.11 NAME 'apple-primarycomputerguid' DESC 'primary computer GUID' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {42}( 1.3.6.1.4.1.63.1000.1.1.1.14.12 NAME 'apple-group-expandednestedgroup' DESC 'expanded nested group list' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {43}( 1.3.6.1.4.1.63.1000.1.1.1.14.13 NAME 'apple-selfwrite' DESC 'selfwrite flag' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {44}( 1.3.6.1.4.1.63.1000.1.1.1.14.14 NAME 'apple-locale-relay' DESC 'designated locale relay server for replication' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {45}( 1.3.6.1.4.1.63.1000.1.1.1.14.15 NAME 'apple-locale-subnets' DESC 'subnets associated with a locale' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {46}( 1.3.6.1.4.1.63.1000.1.1.1.3.8 NAME 'apple-machine-software' DESC 'installed system software' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {47}( 1.3.6.1.4.1.63.1000.1.1.1.3.9 NAME 'apple-machine-hardware' DESC 'system hardware description' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {48}( 1.3.6.1.4.1.63.1000.1.1.1.3.10 NAME 'apple-machine-serves' DESC 'NetInfo Domain Server Binding' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {49}( 1.3.6.1.4.1.63.1000.1.1.1.3.11 NAME 'apple-machine-suffix' DESC 'DIT suffix' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {50}( 1.3.6.1.4.1.63.1000.1.1.1.3.12 NAME 'apple-machine-contactperson' DESC 'Name of contact person/owner of this machine' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {51}( 1.3.6.1.4.1.63.1000.1.1.1.22.1 NAME 'attributeTypesConfig' DESC 'RFC2252: attribute types' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {52}( 1.3.6.1.4.1.63.1000.1.1.1.22.2 NAME 'objectClassesConfig' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {53}( 1.3.6.1.4.1.63.1000.1.1.1.8.1 NAME 'mountDirectory' DESC 'mount path' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {54}( 1.3.6.1.4.1.63.1000.1.1.1.8.2 NAME 'mountType' DESC 'mount VFS type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {55}( 1.3.6.1.4.1.63.1000.1.1.1.8.3 NAME 'mountOption' DESC 'mount options' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {56}( 1.3.6.1.4.1.63.1000.1.1.1.8.4 NAME 'mountDumpFrequency' DESC 'mount dump frequency' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {57}( 1.3.6.1.4.1.63.1000.1.1.1.8.5 NAME 'mountPassNo' DESC 'mount passno' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {58}( 1.3.6.1.4.1.63.1000.1.1.1.9.1 NAME 'apple-printer-attributes' DESC 'printer attributes in /etc/printcap format' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {59}( 1.3.6.1.4.1.63.1000.1.1.1.9.2 NAME 'apple-printer-lprhost' DESC 'printer LPR host name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {60}( 1.3.6.1.4.1.63.1000.1.1.1.9.3 NAME 'apple-printer-lprqueue' DESC 'printer LPR queue' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {61}( 1.3.6.1.4.1.63.1000.1.1.1.9.4 NAME 'apple-printer-type' DESC 'printer type' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {62}( 1.3.6.1.4.1.63.1000.1.1.1.9.5 NAME 'apple-printer-note' DESC 'printer note' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {63}( 1.3.6.1.4.1.63.1000.1.1.1.10.2 NAME 'apple-realname' DESC 'real name' EQUALITY caseIgnoreMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {64}( 1.3.6.1.4.1.63.1000.1.1.1.10.3 NAME 'apple-networkview' DESC 'Network view for the computer' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {65}( 1.3.6.1.4.1.63.1000.1.1.1.10.4 NAME 'apple-category' DESC 'Category for the computer or neighborhood' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {66}( 1.3.6.1.4.1.63.1000.1.1.1.10.5 NAME 'apple-srv' DESC 'List of services to advertize via srv records' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {67}( 1.3.6.1.4.1.63.1000.1.1.1.10.6 NAME 'apple-primary-locale' DESC 'primary locale for replication' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {68}( 1.3.6.1.4.1.63.1000.1.1.1.10.7 NAME 'apple-parentlocales' DESC 'parent locale' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {69}( 1.3.6.1.4.1.63.1000.1.1.1.10.8 NAME 'apple-networkinterfaces' DESC 'list of available network interfaces' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {70}( 1.3.6.1.4.1.63.1000.1.1.1.11.3 NAME 'apple-computers' DESC 'computers' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {71}( 1.3.6.1.4.1.63.1000.1.1.1.11.4 NAME 'apple-computer-list-groups' DESC 'groups' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {72}( 1.3.6.1.4.1.63.1000.1.1.1.17.1 NAME 'apple-xmlplist' DESC 'XML plist data' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {73}( 1.3.6.1.4.1.63.1000.1.1.1.19.2 NAME 'apple-service-url' DESC 'URL of service' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {74}( 1.3.6.1.4.1.63.1000.1.1.1.19.6 NAME 'apple-serviceinfo' DESC 'service related information' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {75}( 1.3.6.1.4.1.63.1000.1.1.1.19.7 NAME 'apple-hwuuid' DESC 'Hardware uuid of computer' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {76}( 1.3.6.1.4.1.63.1000.1.1.1.19.8 NAME 'apple-ldap-serverid' DESC 'ID used by LDAP' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {77}( 1.3.6.1.4.1.63.1000.1.1.1.12.1 NAME 'apple-password-server-location' DESC 'password server location' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {78}( 1.3.6.1.4.1.63.1000.1.1.1.12.2 NAME 'apple-data-stamp' DESC 'data stamp' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {79}( 1.3.6.1.4.1.63.1000.1.1.1.12.3 NAME 'apple-config-realname' DESC 'config real name' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {80}( 1.3.6.1.4.1.63.1000.1.1.1.12.4 NAME 'apple-password-server-list' DESC 'password server replication plist' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {81}( 1.3.6.1.4.1.63.1000.1.1.1.12.5 NAME 'apple-ldap-replica' DESC 'LDAP replication list' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {82}( 1.3.6.1.4.1.63.1000.1.1.1.12.6 NAME 'apple-ldap-writable-replica' DESC 'LDAP writable replication list' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {83}( 1.3.6.1.4.1.63.1000.1.1.1.12.7 NAME 'apple-kdc-authkey' DESC 'KDC master key RSA encrypted with realm public key' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {84}( 1.3.6.1.4.1.63.1000.1.1.1.12.8 NAME 'apple-kdc-configdata' DESC 'Contents of the kdc.conf file' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {85}( 1.3.6.1.4.1.63.1000.1.1.1.12.9 NAME 'apple-last-serverid' DESC 'Last serverID used' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {86}( 1.3.6.1.4.1.63.1000.1.1.1.15.1 NAME 'apple-preset-user-is-admin' DESC 'flag indicating whether the preset user is an administrator' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {87}( 1.3.6.1.4.1.63.1000.1.1.1.18.1 NAME 'apple-dns-domain' DESC 'DNS domain' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {88}( 1.3.6.1.4.1.63.1000.1.1.1.18.2 NAME 'apple-dns-nameserver' DESC 'DNS name server list' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {89}( 1.3.6.1.4.1.63.1000.1.1.1.19.1 NAME 'apple-service-type' DESC 'type of service' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {90}( 1.3.6.1.4.1.63.1000.1.1.1.19.3 NAME 'apple-service-port' DESC 'Service port number' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
olcAttributeTypes: {91}( 1.3.6.1.4.1.63.1000.1.1.1.19.4 NAME 'apple-dnsname' DESC 'DNS name' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {92}( 1.3.6.1.4.1.63.1000.1.1.1.19.5 NAME 'apple-service-location' DESC 'Service location' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {93}( 1.3.6.1.4.1.63.1000.1.1.1.20.1 NAME 'apple-nodepathxml' DESC 'XML plist of directory node path' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {94}( 1.3.6.1.4.1.63.1000.1.1.1.20.2 NAME 'apple-neighborhoodalias' DESC 'XML plist referring to another neighborhood record' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {95}( 1.3.6.1.4.1.63.1000.1.1.1.20.3 NAME 'apple-computeralias' DESC 'XML plist referring to a computer record' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {96}( 1.3.6.1.4.1.63.1000.1.1.1.21.1 NAME 'apple-acl-entry' DESC 'acl entry' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {97}( 1.3.6.1.4.1.63.1000.1.1.1.23.1 NAME 'apple-resource-type' DESC 'resource type' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {98}( 1.3.6.1.4.1.63.1000.1.1.1.23.2 NAME 'apple-resource-info' DESC 'resource info' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {99}( 1.3.6.1.4.1.63.1000.1.1.1.23.3 NAME 'apple-capacity' DESC 'capacity' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {100}( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {101}( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'Automount Key value' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {102}( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'Automount information' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {103}( 1.3.6.1.1.1.1.35 NAME 'lastLoginTime' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
olcAttributeTypes: {104}( 1.3.6.1.1.1.1.36 NAME 'passwordModDate' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
olcAttributeTypes: {105}( 1.3.6.1.1.1.1.37 NAME 'authGUID' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {106}( 1.3.6.1.1.1.1.38 NAME 'loginFailedAttempts' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {107}( 1.3.6.1.1.1.1.39 NAME 'userLinkage' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {108}( 1.3.6.1.1.1.1.40 NAME 'disableReason' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {109}( 1.3.6.1.1.1.1.42 NAME 'cmusaslsecretSMBNT' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {110}( 1.3.6.1.1.1.1.43 NAME 'cmusaslsecretSMBLM' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {111}( 1.3.6.1.1.1.1.44 NAME 'cmusaslsecretDIGEST-MD5' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {112}( 1.3.6.1.1.1.1.45 NAME 'cmusaslsecretCRAM-MD5' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {113}( 1.3.6.1.1.1.1.46 NAME 'cmusaslsecretPPS' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {114}( 1.3.6.1.1.1.1.47 NAME 'KerberosRealmName' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {115}( 1.3.6.1.1.1.1.48 NAME 'KerberosPrincName' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {116}( 1.3.6.1.1.1.1.49 NAME 'password' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {117}( 1.3.6.1.1.1.1.50 NAME 'adminGroups' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {118}( 1.3.6.1.1.1.1.55 NAME 'creationDate' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
olcAttributeTypes: {119}( 1.3.6.1.1.1.1.56 NAME 'historyData' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {120}( 1.3.6.1.1.1.1.86 NAME 'draft-krbPrincipalName' DESC 'Canonical principal name' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {121}( 1.3.6.1.1.1.1.87 NAME 'draft-krbRealmName' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {122}( 1.3.6.1.1.1.1.88 NAME 'draft-krbPrincipalAliases' SUP draft-krbPrincipalName )
olcAttributeTypes: {123}( 1.3.6.1.1.1.1.89 NAME 'draft-krbTicketMaxLife' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {124}( 1.3.6.1.1.1.1.90 NAME 'draft-krbTicketMaxRenewal' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {125}( 1.3.6.1.1.1.1.91 NAME 'draft-krbEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {126}( 1.3.6.1.1.1.1.92 NAME 'draft-krbKeySet' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {127}( 1.3.6.1.1.1.1.93 NAME 'draft-krbKeyVersion' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {128}( 1.3.6.1.1.1.1.94 NAME 'draft-krbPrincipalRealm' DESC 'DN of krbRealm entry' SUP distinguishedName )
olcAttributeTypes: {129}( 1.3.6.1.1.1.1.95 NAME 'draft-krbTicketPolicy' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {130}( 1.3.6.1.1.1.1.96 NAME 'draft-krbExtraData' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {131}( 1.3.6.1.1.1.1.98 NAME 'draft-krbPrincipalACL' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {132}( 1.3.6.1.1.1.1.97 NAME 'crschallenge' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {133}( 1.3.6.1.1.1.1.103 NAME 'ownerGUIDList' DESC 'computer account owner GUID' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {134}( 1.3.6.1.1.1.1.76 NAME 'weakAuthMethod' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {135}( 1.3.6.1.1.1.1.77 NAME 'PWSPrivateKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {136}( 1.3.6.1.1.1.1.78 NAME 'PWSPublicKey' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {137}( 1.3.6.1.1.1.1.79 NAME 'apple-transactionID' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {138}( 1.3.6.1.1.1.1.80 NAME 'apple-pkiStatus' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {139}( 1.3.6.1.1.1.1.81 NAME 'apple-failInfo' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {140}( 1.3.6.1.1.1.1.82 NAME 'apple-certificateSigningRequest' EQUALITY certificateExactMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.8 SINGLE -VALUE ) olcAttributeTypes: {141}( 1.3.6.1.1.1.1.83 NAME 'apple-device-guid' EQUALITY c aseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) olcAttributeTypes: {142}( 1.3.6.1.1.1.1.84 NAME 'apple-issuer' EQUALITY caseIg noreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) olcAttributeTypes: {143}( 1.3.6.1.1.1.1.85 NAME 'apple-serialNumber' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) olcAttributeTypes: {144}( 1.3.6.1.1.1.1.99 NAME 'apple-revocationReason' EQUAL ITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {145}( 1.3.6.1.1.1.1.100 NAME 'apple-revocationDate' EQUALI TY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) olcAttributeTypes: {146}( 1.3.6.1.1.1.1.101 NAME 'apple-validNotBefore' EQUALI TY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) olcAttributeTypes: {147}( 1.3.6.1.1.1.1.102 NAME 'apple-validNotAfter' EQUALIT Y generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) olcObjectClasses: {0}( 1.2.840.113556.1.3.23 NAME 'container' SUP top STRUCTUR AL MUST cn ) olcObjectClasses: {1}( 1.3.6.1.4.1.250.3.18 NAME 'cacheObject' DESC 'Auxiliary object class to hold TTL caching information' SUP top AUXILIARY MAY ttl ) olcObjectClasses: {2}( 1.3.6.1.4.1.63.1000.1.1.2.1 NAME 'apple-user' DESC 'app le user account' SUP top AUXILIARY MAY ( apple-user-homeurl $ apple-user-clas s $ apple-user-homequota $ apple-user-mailattribute $ apple-user-printattribu te $ apple-mcxflags $ apple-mcxsettings $ apple-user-adminlimits $ apple-user -picture $ apple-user-authenticationhint $ apple-user-homesoftquota $ apple-u ser-passwordpolicy $ apple-keyword $ apple-generateduid $ apple-imhandle $ ap ple-webloguri $ authAuthority $ acctFlags $ pwdLastSet $ logonTime $ logoffTi me $ kickoffTime $ homeDrive $ scriptPath $ profilePath $ userWorkstations $ smbHome $ rid $ apple-user-homeDirectory 
$ primaryGroupID $ sambaSID $ sambaP rimaryGroupSID $ userCertificate $ userPKCS12 $ jpegPhoto $ apple-nickname $ apple-namesuffix $ apple-birthday $ apple-relationships $ apple-organizationi nfo $ apple-phonecontacts $ apple-emailcontacts $ apple-postaladdresses $ app le-mapcoordinates $ apple-mapuri $ apple-mapguid $ apple-serviceslocator $ al tSecurityIdentities ) ) olcObjectClasses: {3}( 1.3.6.1.4.1.63.1000.1.1.2.14 NAME 'apple-group' DESC 'g roup account' SUP top AUXILIARY MAY ( apple-group-homeurl $ apple-group-homeo wner $ apple-mcxflags $ apple-mcxsettings $ apple-group-realname $ apple-user -picture $ apple-keyword $ apple-generateduid $ apple-group-nestedgroup $ app le-group-memberguid $ mail $ rid $ sambaSID $ ttl $ jpegPhoto $ apple-group-s ervices $ apple-contactguid $ apple-ownerguid $ labeledURI $ apple-locale-rel ay $ apple-locale-subnets $ apple-serviceslocator ) ) olcObjectClasses: {4}( 1.3.6.1.4.1.63.1000.1.1.2.3 NAME 'apple-machine' SUP to p AUXILIARY MAY ( apple-machine-software $ apple-machine-hardware $ apple-mac hine-serves $ apple-machine-suffix $ apple-machine-contactperson ) ) olcObjectClasses: {5}( 1.3.6.1.4.1.63.1000.1.1.2.8 NAME 'mount' SUP top STRUCT URAL MUST cn MAY ( mountDirectory $ mountType $ mountOption $ mountDumpFreque ncy $ mountPassNo ) ) olcObjectClasses: {6}( 1.3.6.1.4.1.63.1000.1.1.2.9 NAME 'apple-printer' SUP to p STRUCTURAL MUST cn MAY ( apple-printer-attributes $ apple-printer-lprhost $ apple-printer-lprqueue $ apple-printer-type $ apple-printer-note ) ) olcObjectClasses: {7}( 1.3.6.1.4.1.63.1000.1.1.2.10 NAME 'apple-computer' DESC 'computer' SUP top STRUCTURAL MUST cn MAY ( apple-realname $ description $ m acAddress $ apple-category $ apple-computer-list-groups $ apple-keyword $ app le-mcxflags $ apple-mcxsettings $ apple-networkview $ apple-xmlplist $ apple- service-url $ apple-serviceinfo $ apple-serviceslocator $ apple-primarycomput erlist $ apple-ldap-serverid $ authAuthority $ uidNumber $ gidNumber $ apple- 
generateduid $ ttl $ acctFlags $ pwdLastSet $ logonTime $ logoffTime $ kickof fTime $ rid $ primaryGroupID $ sambaSID $ sambaPrimaryGroupSID $ owner $ appl e-ownerguid $ apple-contactguid $ ipHostNumber $ bootFile $ apple-hwuuid $ ap ple-srv $ apple-primary-locale $ apple-parentlocales $ apple-networkinterface s $ userCertificate $ userPKCS12 ) ) olcObjectClasses: {8}( 1.3.6.1.4.1.63.1000.1.1.2.11 NAME 'apple-computer-list' DESC 'computer list' SUP top STRUCTURAL MUST cn MAY ( apple-mcxflags $ apple -mcxsettings $ apple-computer-list-groups $ apple-computers $ apple-generated uid $ apple-keyword ) ) olcObjectClasses: {9}( 1.3.6.1.4.1.63.1000.1.1.2.12 NAME 'apple-configuration' DESC 'configuration' SUP top STRUCTURAL MAY ( cn $ apple-config-realname $ a pple-data-stamp $ apple-password-server-location $ apple-password-server-list $ apple-ldap-replica $ apple-ldap-writable-replica $ apple-keyword $ apple-k dc-authkey $ apple-kdc-configdata $ apple-xmlplist $ ttl $ apple-last-serveri d ) ) olcObjectClasses: {10}( 1.3.6.1.4.1.63.1000.1.1.2.13 NAME 'apple-preset-comput er-list' DESC 'preset computer list' SUP top STRUCTURAL MUST cn MAY ( apple-m cxflags $ apple-mcxsettings $ apple-computer-list-groups $ apple-keyword ) ) olcObjectClasses: {11}( 1.3.6.1.4.1.63.1000.1.1.2.25 NAME 'apple-preset-comput er' DESC 'preset computer' SUP top STRUCTURAL MUST cn MAY ( apple-mcxflags $ apple-mcxsettings $ apple-computer-list-groups $ apple-primarycomputerlist $ description $ apple-networkview $ apple-keyword ) ) olcObjectClasses: {12}( 1.3.6.1.4.1.63.1000.1.1.2.26 NAME 'apple-preset-comput er-group' DESC 'preset computer group' SUP top STRUCTURAL MUST cn MAY ( gidNu mber $ memberUID $ apple-mcxflags $ apple-mcxsettings $ apple-group-nestedgro up $ description $ jpegPhoto $ apple-keyword ) ) olcObjectClasses: {13}( 1.3.6.1.4.1.63.1000.1.1.3.14 NAME 'apple-preset-group' DESC 'preset group' SUP top STRUCTURAL MUST cn MAY ( memberUid $ gidNumber $ description $ apple-group-homeurl $ 
apple-group-homeowner $ apple-mcxflags $ apple-mcxsettings $ apple-group-realname $ apple-keyword $ apple-group-neste dgroup $ apple-group-memberguid $ ttl $ jpegPhoto $ apple-group-services $ la beledURI $ apple-serviceslocator ) ) olcObjectClasses: {14}( 1.3.6.1.4.1.63.1000.1.1.2.15 NAME 'apple-preset-user' DESC 'preset user' SUP top STRUCTURAL MUST cn MAY ( uid $ memberUid $ gidNumb er $ homeDirectory $ apple-user-homeurl $ apple-user-homequota $ apple-user-h omesoftquota $ apple-user-mailattribute $ apple-user-printattribute $ apple-m cxflags $ apple-mcxsettings $ apple-user-adminlimits $ apple-user-passwordpol icy $ userPassword $ apple-user-picture $ apple-keyword $ loginShell $ descri ption $ shadowLastChange $ shadowExpire $ authAuthority $ homeDrive $ scriptP ath $ profilePath $ smbHome $ apple-preset-user-is-admin $ jpegPhoto $ apple- relationships $ apple-phonecontacts $ apple-emailcontacts $ apple-postaladdre sses $ apple-mapcoordinates $ apple-serviceslocator ) ) olcObjectClasses: {15}( 1.3.6.1.4.1.63.1000.1.1.2.16 NAME 'authAuthorityObject ' SUP top AUXILIARY MAY authAuthority ) olcObjectClasses: {16}( 1.3.6.1.4.1.63.1000.1.1.2.17 NAME 'apple-serverassista nt-config' SUP top STRUCTURAL MUST cn MAY apple-xmlplist ) olcObjectClasses: {17}( 1.3.6.1.4.1.63.1000.1.1.2.18 NAME 'apple-location' SUP top AUXILIARY MUST cn MAY ( apple-dns-domain $ apple-dns-nameserver ) ) olcObjectClasses: {18}( 1.3.6.1.4.1.63.1000.1.1.2.19 NAME 'apple-service' SUP top STRUCTURAL MUST ( cn $ apple-service-type ) MAY ( ipHostNumber $ descript ion $ apple-service-location $ apple-service-url $ apple-service-port $ apple -dnsname $ apple-keyword ) ) olcObjectClasses: {19}( 1.3.6.1.4.1.63.1000.1.1.2.20 NAME 'apple-neighborhood' SUP top STRUCTURAL MUST cn MAY ( description $ apple-generateduid $ apple-ca tegory $ apple-nodepathxml $ apple-neighborhoodalias $ apple-computeralias $ apple-keyword $ apple-realname $ apple-xmlplist $ ttl ) ) olcObjectClasses: {20}( 
1.3.6.1.4.1.63.1000.1.1.2.21 NAME 'apple-acl' SUP top STRUCTURAL MUST ( cn $ apple-acl-entry ) ) olcObjectClasses: {21}( 1.3.6.1.4.1.63.1000.1.1.2.23 NAME 'apple-resource' SUP top STRUCTURAL MUST cn MAY ( apple-realname $ description $ jpegPhoto $ appl e-keyword $ apple-generateduid $ apple-contactguid $ apple-ownerguid $ apple- resource-info $ apple-resource-type $ apple-capacity $ labeledURI $ apple-map uri $ apple-serviceslocator $ apple-phonecontacts $ c $ apple-mapguid $ apple -mapcoordinates $ apple-xmlplist ) ) olcObjectClasses: {22}( 1.3.6.1.4.1.63.1000.1.1.2.24 NAME 'apple-augment' SUP top STRUCTURAL MUST cn ) olcObjectClasses: {23}( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURA L MUST automountMapName MAY description ) olcObjectClasses: {24}( 1.3.6.1.1.1.2.17 NAME 'automount' DESC 'Automount' SUP top STRUCTURAL MUST ( automountKey $ automountInformation ) MAY description ) olcObjectClasses: {25}( 1.3.6.1.4.1.63.1000.1.1.2.27 NAME 'apple-user-info' SU P top STRUCTURAL MAY ( apple-namesuffix $ apple-phonecontacts $ apple-emailco ntacts $ apple-postaladdresses $ telephoneNumber $ mobile $ facsimileTelephon eNumber $ pager $ l $ st $ c $ postalCode $ postalAddress $ street $ apple-im handle $ loginShell $ jpegPhoto $ apple-user-picture $ description $ userCert ificate $ userPKCS12 ) ) olcObjectClasses: {26}( 1.3.6.1.4.1.63.1000.1.1.2.31 NAME 'apple-computer-info ' SUP top STRUCTURAL MAY ( apple-serviceinfo $ apple-serviceslocator $ apple- keyword $ userCertificate $ userPKCS12 ) ) olcObjectClasses: {27}( 1.3.6.1.4.1.63.1000.1.1.2.28 NAME 'pwsAuthdata' STRUCT URAL MUST authGUID MAY ( uid $ authGUID $ passwordModDate $ lastLoginTime $ l oginFailedAttempts $ disableReason $ apple-user-passwordpolicy $ adminGroups $ cmusaslsecretSMBNT $ cmusaslsecretSMBLM $ cmusaslsecretDIGEST-MD5 $ cmusasl secretCRAM-MD5 $ cmusaslsecretPPS $ KerberosRealmName $ KerberosPrincName $ p assword $ creationDate $ historyData $ draft-krbPrincipalName $ draft-krbReal mName $ 
draft-krbPrincipalAliases $ draft-krbTicketMaxLife $ draft-krbTicketM axRenewal $ draft-krbEncSaltTypes $ draft-krbKeySet $ draft-krbKeyVersion $ d raft-krbPrincipalRealm $ draft-krbTicketPolicy $ draft-krbExtraData $ draft-k rbPrincipalACL $ crschallenge $ userLinkage $ ownerGUIDList ) ) olcObjectClasses: {28}( 1.3.6.1.4.1.63.1000.1.1.2.29 NAME 'pwPolicy' STRUCTURA L MUST cn MAY ( apple-user-passwordpolicy $ weakAuthMethod ) ) olcObjectClasses: {29}( 1.3.6.1.4.1.63.1000.1.1.2.30 NAME 'pwAuthData' SUP con tainer STRUCTURAL MAY ( PWSPrivateKey $ PWSPublicKey ) ) olcObjectClasses: {30}( 1.3.6.1.4.1.63.1000.1.1.2.33 NAME 'apple-certificateRe questInfo' SUP top STRUCTURAL MUST ( apple-transactionID $ apple-pkiStatus ) MAY ( apple-failInfo $ apple-issuer $ apple-serialNumber $ userCertificate $ apple-certificateSigningRequest $ apple-device-guid $ apple-xmlplist $ apple- revocationReason $ apple-revocationDate $ apple-validNotBefore $ apple-validN otAfter ) )
Apply the schema modifications with the following commands (the auxiliary attributes must be loaded before the object classes that reference them):
ldapadd -Y EXTERNAL -H ldapi:/// -f apple_auxillary.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f apple.ldif
Configuration
Once the schema has been established, it is necessary to create the database that will hold the data for the applications that hook into LDAP (a second tree alongside cn=config) and to set a password on its root DN. The directory will have an administration account (cn=admin,dc=example,dc=com) with read/write access to the data tree. Firstly we must create a password hash for this account:
slappasswd -s <password>
Where <password> is a secure password you wish to use for full access to LDAP. Passing the password on the command line exposes it to other local users through the process list and leaves it in the shell history; running slappasswd without -s prompts for it instead. The result will be a string similar to {SSHA}xeunX6dBrnhdEIZ/bPvr819tqM7SJQTo, which must be inserted in place of <slappasswd_output> in the following file:
- backend.ldif
# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: back_hdb

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: <slappasswd_output>
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read
Once the file is in place with the password hash inserted, create the new database and its root DN:
ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif
A word on the access rules above: olcAccess rules are evaluated in order and the first one whose target matches decides, so userPassword is only ever usable for authentication (by anonymous auth) and is never returned in search results to anyone but the administrator and the user, while the final catch-all grants read access to everything else to anyone, including anonymous binds. If account names, sudo rules or mail aliases should not be browsable without authentication, tighten the by * clause of that final rule. The root DN itself bypasses the access rules entirely, which is why its password hash needs the same protection as the underlying database.
We must now populate our new directory tree with the structure and user information to make it useful to us. In the example below we create the administrator (cn=admin,dc=example,dc=com), the organisational units the later sections use, a single standard user (uid=user1,ou=people,dc=example,dc=com) and a matching POSIX group. Generate a separate slappasswd hash for user1; a user must never share the directory administrator's password:
- example.com.ldif
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Organisation
dc: Example
description: LDAP Example

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: <slappasswd_output>

dn: ou=apps,dc=example,dc=com
objectClass: organizationalUnit
ou: apps

dn: ou=computers,dc=example,dc=com
objectClass: organizationalUnit
ou: computers

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: uid=user1,ou=people,dc=example,dc=com
cn: Standard User
displayName: Standard User
gecos: Standard User
gidNumber: 5000
givenName: Standard
homeDirectory: /home/user1
initials: SU
l: London
loginShell: /bin/bash
mail: user1@example.com
o: Example Company
objectClass: inetOrgPerson
objectClass: posixAccount
sn: User
uid: user1
uidNumber: 5000
userPassword: <slappasswd_output>

dn: cn=group1,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: group1
gidNumber: 5000
We have now set a password on the LDAP database, so to import this file we must use the following syntax and enter the directory administrator's password we hashed above when prompted:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f example.com.ldif
Sudo
To configure the directory to mimic the behaviour of a standard /etc/sudoers file, import the file below. Further details of the specification and configuration of sudo via LDAP can be found in the sudoers.ldap man page.
- sudo.apps.example.com.ldif
dn: ou=sudo,ou=apps,dc=example,dc=com
objectClass: organizationalUnit
ou: sudo

dn: cn=defaults,ou=sudo,ou=apps,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: env_reset

dn: cn=%admin,ou=sudo,ou=apps,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %admin
sudoUser: %admin
sudoHost: ALL
sudoCommand: ALL
To import this file we must use the following command and enter the directory administrator's password when prompted:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f sudo.apps.example.com.ldif
To improve the performance of sudoers lookups via LDAP, we must add an additional index:
- sudo_index.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: sudoUser eq
Make the index changes with the following command:
ldapmodify -Y EXTERNAL -H ldapi:/// -f sudo_index.ldif
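The mapping from sudoers syntax to sudoRole attributes, as an added example written for this page (Python; it is not part of sudo or of the original page). It translates Defaults lines and plain user specifications of the form user-or-%group host=(runas) [TAG:] commands into the same entry shape as sudo.apps.example.com.ldif above; aliases, per-user Defaults and backslash continuations are rejected rather than mistranslated. SUDO_BASE and the sample sudoers text are assumptions chosen to match the page's tree.

```python
"""Translate simple /etc/sudoers lines into sudoRole entries.

Added example for this page, not sudo's own tooling. It covers Defaults lines
and user specifications of the form
    user|%group  host[,host]=(runas_user[:runas_group]) [TAG:] cmd[, cmd]
which is the shape of the cn=defaults and cn=%admin entries above. Aliases
(User_Alias and friends), per-user Defaults and backslash continuations are
rejected rather than mistranslated. The sample sudoers text is constructed here.
"""
import re
from typing import Dict, List

SUDO_BASE = "ou=sudo,ou=apps,dc=example,dc=com"   # the page's sudo container

SPEC_RE = re.compile(
    r"^(?P<user>[^\s=]+)\s+(?P<hosts>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
# Command tags and the sudoOption each one maps to.
TAG_OPTIONS = {
    "NOPASSWD:": "!authenticate",
    "PASSWD:": "authenticate",
    "NOEXEC:": "noexec",
    "SETENV:": "setenv",
}
ALIAS_KEYWORDS = ("User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")

SAMPLE_SUDOERS = """\
# constructed sample: a stock Ubuntu sudoers plus one service account
Defaults        env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  web1,web2=(root) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/systemctl reload nginx
"""


def parse_sudoers(text: str) -> List[Dict[str, List[str]]]:
    """Return attribute -> values for each sudoRole, cn=defaults first."""
    defaults: List[str] = []
    roles: List[Dict[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # strip comments ('#include' too)
        if not line:
            continue
        tokens = line.split(None, 1)
        if tokens[0] == "Defaults":
            if len(tokens) > 1:
                defaults.extend(o.strip() for o in tokens[1].split(",") if o.strip())
            continue
        if tokens[0] in ALIAS_KEYWORDS or tokens[0].startswith("Defaults"):
            raise ValueError("unsupported sudoers construct: " + line)
        m = SPEC_RE.match(line)
        if not m or line.endswith("\\"):
            raise ValueError("unrecognised sudoers line: " + line)
        role: Dict[str, List[str]] = {
            "sudoUser": [m["user"]],
            "sudoHost": m["hosts"].split(","),
        }
        if m["runas"]:
            run_user, _, run_group = m["runas"].partition(":")
            if run_user.strip():
                role["sudoRunAsUser"] = [run_user.strip()]
            if run_group.strip():
                role["sudoRunAsGroup"] = [run_group.strip()]
        cmds = m["cmds"].strip()
        options: List[str] = []
        matched = True
        while matched:                             # tags may be stacked
            matched = False
            for tag, option in TAG_OPTIONS.items():
                if cmds.startswith(tag):
                    options.append(option)
                    cmds = cmds[len(tag):].lstrip()
                    matched = True
        role["sudoCommand"] = [c.strip() for c in cmds.split(",") if c.strip()]
        if options:
            role["sudoOption"] = options
        roles.append(role)
    entries: List[Dict[str, List[str]]] = []
    if defaults:
        entries.append({"cn": ["defaults"], "sudoOption": defaults})
    return entries + roles


def sudoers_to_ldif(text: str, base: str = SUDO_BASE) -> str:
    """Render the parsed roles as LDIF under base, one sudoRole per entry."""
    out: List[str] = []
    seen: Dict[str, int] = {}
    for entry in parse_sudoers(text):
        cn = entry["cn"][0] if "cn" in entry else entry["sudoUser"][0]
        seen[cn] = seen.get(cn, 0) + 1
        if seen[cn] > 1:                          # a second spec for the same user
            cn = "%s_%d" % (cn, seen[cn])
        lines = ["dn: cn=%s,%s" % (cn, base), "objectClass: top",
                 "objectClass: sudoRole", "cn: " + cn]
        for attr in ("sudoUser", "sudoHost", "sudoRunAsUser", "sudoRunAsGroup",
                     "sudoCommand", "sudoOption"):
            lines.extend("%s: %s" % (attr, v) for v in entry.get(attr, []))
        out.append("\n".join(lines))
    return "\n\n".join(out) + "\n"


if __name__ == "__main__":
    print(sudoers_to_ldif(SAMPLE_SUDOERS))
```

Unlike the file, LDAP entries carry no intrinsic order, so a ruleset that relied on "last matching line wins" needs reviewing after translation; confirm the result on a client with sudo -l before removing the file-based rules.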
Password Policy
Import the file below to configure the directory to support password policy enforcement for parameters such as length, age, failed logons, lockout and so on. Further details of this overlay can be found in the slapo-ppolicy(5) man page and the OpenLDAP documentation.
The default policy created here forces users to change their password every 28 days (pwdMaxAge, in seconds) and keeps the last 12 passwords in history so they cannot be reused. Users are warned 3 days before expiry and allowed 3 further binds once the password has expired, and a password set or reset by the administrator must be changed by the user at their next bind (pwdMustChange). Invalid bind attempts are tracked: 5 within 5 minutes lock the account for half an hour. Note that pwdMinLength is only enforced when pwdCheckQuality is 1 or 2; with pwdCheckQuality set to 0 no quality checking is performed at all and the 8-character minimum is silently ignored.
- policies.example.com.ldif
dn: ou=policies,dc=example,dc=com
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAllowUserChange: TRUE
pwdAttribute: 2.5.4.35
# 1 = check quality (and so pwdMinLength) whenever the value can be checked;
# 0 would disable the length check entirely
pwdCheckQuality: 1
pwdExpireWarning: 259200
pwdFailureCountInterval: 300
pwdGraceAuthNLimit: 3
pwdInHistory: 12
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxAge: 2419200
pwdMaxFailure: 5
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: FALSE
To import this file we must use the following command and enter the directory administrator's password when prompted:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f policies.example.com.ldif
To load the password policy overlay and point it at the default policy, create the following file. olcPPolicyHashCleartext makes slapd hash any password that a client sends in clear inside a Modify operation, so cleartext values never end up stored. olcPPolicyUseLockout is left FALSE so that a locked account still receives the generic invalidCredentials result; returning a distinct accountLocked error would tell an unauthenticated attacker that the account exists and that their guesses have been noticed.
- overlay_ppolicy.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy

dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
Make the configuration changes with the following command:
ldapmodify -Y EXTERNAL -H ldapi:/// -f overlay_ppolicy.ldif
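The lockout and expiry arithmetic of the policy above, as an added example written for this page (a Python model, not OpenLDAP's ppolicy code). It keeps the same operational state the overlay records on a user entry (pwdFailureTime, pwdAccountLockedTime, pwdGraceUseTime, pwdChangedTime) and applies the documented meaning of pwdMaxFailure, pwdFailureCountInterval, pwdLockoutDuration, pwdMaxAge, pwdExpireWarning and pwdGraceAuthNLimit, so the numbers in policies.example.com.ldif can be sanity-checked before import. Times are seconds from an arbitrary epoch; the overlay itself remains authoritative.

```python
"""Model of how slapo-ppolicy applies the cn=default policy above.

Added example for this page, not OpenLDAP code: it reproduces the documented
meaning of pwdMaxFailure, pwdFailureCountInterval, pwdLockoutDuration,
pwdMaxAge, pwdExpireWarning and pwdGraceAuthNLimit so that the numbers in
policies.example.com.ldif can be sanity-checked before they are imported.
Times are seconds since an arbitrary epoch; the overlay itself is authoritative.
"""
from typing import Dict, List, Optional

DAY = 86400

# Same values as cn=default,ou=policies,dc=example,dc=com.
DEFAULT_POLICY: Dict[str, int] = {
    "pwdMaxAge": 28 * DAY,              # 2419200
    "pwdExpireWarning": 3 * DAY,        # 259200
    "pwdGraceAuthNLimit": 3,
    "pwdMaxFailure": 5,
    "pwdFailureCountInterval": 300,
    "pwdLockoutDuration": 1800,         # 0 would mean "locked until an admin resets it"
    "pwdLockout": 1,
    "pwdMinLength": 8,
    "pwdCheckQuality": 1,               # 0 disables the pwdMinLength check entirely
}


def check_new_password(candidate: str, policy: Dict[str, int] = DEFAULT_POLICY) -> Optional[str]:
    """Reason a password change would be refused, or None if it is acceptable."""
    if policy["pwdCheckQuality"] == 0:
        return None                     # no quality checking at all
    if len(candidate) < policy["pwdMinLength"]:
        return "shorter than pwdMinLength %d" % policy["pwdMinLength"]
    return None


class Account:
    """The operational attributes ppolicy maintains on a user entry."""

    def __init__(self, password: str, changed_at: int,
                 policy: Dict[str, int] = DEFAULT_POLICY):
        self.password = password
        self.pwd_changed_time = changed_at          # pwdChangedTime
        self.failure_times: List[int] = []          # pwdFailureTime (multi-valued)
        self.locked_time: Optional[int] = None      # pwdAccountLockedTime
        self.grace_used = 0                         # number of pwdGraceUseTime values
        self.policy = policy

    def bind(self, password: str, now: int) -> str:
        p = self.policy
        # An active lockout refuses the bind even with the right password.
        if self.locked_time is not None:
            duration = p["pwdLockoutDuration"]
            if duration == 0 or now < self.locked_time + duration:
                return "LOCKED"
            self.locked_time = None                 # lockout has expired
            self.failure_times = []
        # Failures older than pwdFailureCountInterval no longer count.
        self.failure_times = [t for t in self.failure_times
                              if now - t < p["pwdFailureCountInterval"]]
        if password != self.password:
            self.failure_times.append(now)
            if p["pwdLockout"] and len(self.failure_times) >= p["pwdMaxFailure"]:
                self.locked_time = now
                return "LOCKED"
            return "INVALID_CREDENTIALS"
        # Correct password: the failure counter resets, then expiry applies.
        self.failure_times = []
        age = now - self.pwd_changed_time
        if age >= p["pwdMaxAge"]:
            if self.grace_used < p["pwdGraceAuthNLimit"]:
                self.grace_used += 1
                return "OK_GRACE"                   # must change the password now
            return "EXPIRED"
        if age >= p["pwdMaxAge"] - p["pwdExpireWarning"]:
            return "OK_WARN_EXPIRING"               # expiry warning would be sent
        return "OK"

    def change_password(self, new_password: str, now: int) -> Optional[str]:
        """Apply a password change; returns the refusal reason or None."""
        reason = check_new_password(new_password, self.policy)
        if reason is None:
            self.password = new_password
            self.pwd_changed_time = now
            self.grace_used = 0
        return reason


if __name__ == "__main__":
    acct = Account("correct horse", changed_at=0)
    for t in range(100, 106):
        print(t, acct.bind("wrong", t))             # 4 x INVALID_CREDENTIALS, then LOCKED
    print(acct.bind("correct horse", 1903), acct.bind("correct horse", 1904))
```

The model makes two consequences of the numbers visible: four failures followed by a pause longer than pwdFailureCountInterval never lock the account, because the old failures are discarded before the fifth is counted, and a correct password is refused for the whole pwdLockoutDuration once the lock is set.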
Postfix
To allow Postfix mail addresses and aliases to be configured via the LDAP directory, import the file below.
- mail.apps.example.com.ldif
dn: ou=mail,ou=apps,dc=example,dc=com
objectClass: organizationalUnit
ou: mail

dn: ou=aliases,ou=mail,ou=apps,dc=example,dc=com
objectClass: organizationalUnit
ou: aliases

dn: cn=abuse@example.com,ou=aliases,ou=mail,ou=apps,dc=example,dc=com
cn: abuse@example.com
objectClass: groupOfUniqueNames
uniqueMember: uid=user1,ou=people,dc=example,dc=com

dn: cn=postmaster@example.com,ou=aliases,ou=mail,ou=apps,dc=example,dc=com
cn: postmaster@example.com
objectClass: groupOfUniqueNames
uniqueMember: uid=user1,ou=people,dc=example,dc=com
To import this file we must use the following command and enter the directory administrator's password when prompted:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f mail.apps.example.com.ldif
To improve the performance of e-mail address lookups via LDAP, we must add an additional index:
- postfix_index.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: mail eq,subinitial
Make the index changes with the following command:
ldapmodify -Y EXTERNAL -H ldapi:/// -f postfix_index.ldif
SAMBA v3
To improve the performance of SAMBA domain and user lookups via LDAP, we must add some additional indices:
- samba_index.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
Make the index changes with the following command:
ldapmodify -Y EXTERNAL -H ldapi:/// -f samba_index.ldif
Apple OS X
To support Apple Macs in native Open Directory mode, we must mimic the structure of the Apple directory by importing the file below.
- macosx.example.com.ldif
dn: ou=macosx,dc=example,dc=com
ou: macosx
objectClass: organizationalUnit
description: Holds metadata for OS X Server

dn: cn=mounts,ou=macosx,dc=example,dc=com
cn: mounts
objectClass: container

dn: cn=accesscontrols,ou=macosx,dc=example,dc=com
cn: accesscontrols
objectClass: container

dn: cn=certificateauthorities,ou=macosx,dc=example,dc=com
cn: certificateauthorities
objectClass: container

dn: cn=computers,ou=macosx,dc=example,dc=com
cn: computers
objectClass: container

dn: cn=computer_groups,ou=macosx,dc=example,dc=com
cn: computer_groups
objectClass: container

dn: cn=computer_lists,ou=macosx,dc=example,dc=com
cn: computer_lists
objectClass: container

dn: cn=config,ou=macosx,dc=example,dc=com
cn: config
objectClass: container

dn: cn=locations,ou=macosx,dc=example,dc=com
cn: locations
objectClass: container

dn: cn=machines,ou=macosx,dc=example,dc=com
cn: machines
objectClass: container

dn: cn=neighborhoods,ou=macosx,dc=example,dc=com
cn: neighborhoods
objectClass: container

dn: cn=people,ou=macosx,dc=example,dc=com
cn: people
objectClass: container

dn: cn=presets_computer_lists,ou=macosx,dc=example,dc=com
cn: presets_computer_lists
objectClass: container

dn: cn=presets_groups,ou=macosx,dc=example,dc=com
cn: presets_groups
objectClass: container

dn: cn=presets_users,ou=macosx,dc=example,dc=com
cn: presets_users
objectClass: container

dn: cn=printers,ou=macosx,dc=example,dc=com
cn: printers
objectClass: container

dn: cn=augments,ou=macosx,dc=example,dc=com
cn: augments
objectClass: container

dn: cn=autoserversetup,ou=macosx,dc=example,dc=com
cn: autoserversetup
objectClass: container

dn: cn=filemakerservers,ou=macosx,dc=example,dc=com
cn: filemakerservers
objectClass: container

dn: cn=resources,ou=macosx,dc=example,dc=com
cn: resources
objectClass: container

dn: cn=places,ou=macosx,dc=example,dc=com
cn: places
objectClass: container

dn: cn=maps,ou=macosx,dc=example,dc=com
cn: maps
objectClass: container

dn: cn=presets_computers,ou=macosx,dc=example,dc=com
cn: presets_computers
objectClass: container

dn: cn=presets_computer_groups,ou=macosx,dc=example,dc=com
cn: presets_computer_groups
objectClass: container

dn: cn=automountMap,ou=macosx,dc=example,dc=com
cn: automountMap
objectClass: container

dn: ou=macosxodconfig,cn=config,ou=macosx,dc=example,dc=com
ou: macosxodconfig
objectClass: organizationalUnit

dn: cn=mcx_cache,cn=config,ou=macosx,dc=example,dc=com
cn: mcx_cache
objectClass: apple-configuration

dn: cn=ldapreplicas,cn=config,ou=macosx,dc=example,dc=com
cn: ldapreplicas
objectClass: apple-configuration

dn: cn=passwordserver,cn=config,ou=macosx,dc=example,dc=com
cn: passwordserver
objectClass: apple-configuration

dn: cn=macosxodpolicy,cn=config,ou=macosx,dc=example,dc=com
cn: macosxodpolicy
objectClass: apple-configuration

dn: cn=CollabServices,cn=config,ou=macosx,dc=example,dc=com
cn: CollabServices
objectClass: apple-configuration

dn: cn=CIFSServer,cn=config,ou=macosx,dc=example,dc=com
cn: CIFSServer
objectClass: apple-configuration

dn: cn=KerberosKDC,cn=config,ou=macosx,dc=example,dc=com
cn: KerberosKDC
objectClass: apple-configuration

dn: cn=KerberosClient,cn=config,ou=macosx,dc=example,dc=com
cn: KerberosClient
objectClass: apple-configuration

dn: cn=Home_Dir_Items,cn=config,ou=macosx,dc=example,dc=com
cn: Home_Dir_Items
objectClass: apple-configuration

dn: cn=Group_Dir_Items,cn=config,ou=macosx,dc=example,dc=com
cn: Group_Dir_Items
objectClass: apple-configuration
To import this file we must use the following command and enter the directory administrator's password when prompted:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f macosx.example.com.ldif
Security
Due to the nature of the information frequently held in the LDAP directory, it is essential that we protect access to it and reduce the chances of eavesdropping.
TLS/SSL
Many applications use the LDAP simple bind mechanism, which transmits the bind DN and password in clear text over the network. On an isolated, trusted network or across a VPN this might just about be acceptable; in all other cases TLS should be used to encrypt the connection before credentials are sent. Configuring TLS in slapd makes STARTTLS available on the existing ldap:// listener and, once the ldaps:/// listener is added below, LDAP over TLS on port 636. Neither forces a client to use them, which is why the Listening Interfaces section restricts unencrypted ldap:// to the loopback address. As OpenLDAP on Ubuntu (and Debian) is compiled against the GnuTLS libraries, install its certificate tools:
sudo apt-get install gnutls-bin
Now we must generate a secure private key and certificate signing request (CSR) to pass to our certificate authority (CA):
certtool --generate-privkey --bits 4096 --outfile /etc/ssl/private/servername.example.com.key
adduser openldap ssl-cert
chgrp ssl-cert /etc/ssl/private/servername.example.com.key
chmod 640 /etc/ssl/private/servername.example.com.key
certtool --generate-request --load-privkey /etc/ssl/private/servername.example.com.key --outfile servername.example.com.csr
Generating a PKCS #10 certificate request...
Country name (2 chars): GB
Organization name: Example Company
Organizational unit name:
Locality name: Basingstoke
State or province name: Hampshire
Common name: servername.example.com
UID:
Enter a dnsName of the subject of the certificate: servername.example.com
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Enter a challenge password:
Does the certificate belong to an authority? (y/N):
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N):
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
Is this a TLS web client certificate? (y/N):
Is this also a TLS web server certificate? (y/N): y
The key file must remain readable only by root and the ssl-cert group, which is what the chgrp and chmod above arrange; the slapd process reads it as the openldap user through that group. Answering N to the "used for signing" question asks for a certificate without the digitalSignature key usage, which rules out the DHE and ECDHE cipher suites that provide forward secrecy; answer y to both questions if you want them, although most CAs set the key usage themselves regardless of what the request asks for.
Copy the contents of the resulting servername.example.com.csr file to your CA and ask them to certify it for you. Depending on the authority used this will require proof of identity and possibly a fee. Once the request has been signed, save the certificate in /etc/ssl/certs/servername.example.com.pem.
It is now necessary to create a certificate chain file, which will be used to verify our new server certificate up to the CA's root. In our case we used StartSSL and were issued a Class 1 Server certificate, which is one level below StartCom's root. Create /etc/ssl/certs/StartCom_Class_1_Server.pem, paste into it the contents of https://www.startssl.com/certs/sub.class1.server.ca.pem followed by https://www.startssl.com/certs/ca.pem and then save the file. StartCom has since ceased operation and its roots are no longer trusted, so with any other CA substitute that CA's intermediate and root certificates in the same way.
The following file is then needed to enable TLS:
- tls_enable.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/StartCom_Class_1_Server.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/servername.example.com.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/servername.example.com.key
-
add: olcTLSCipherSuite
olcTLSCipherSuite: SECURE256
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
Make the security changes with the following commands:
ldapmodify -Y EXTERNAL -H ldapi:/// -f tls_enable.ldif
Edit /etc/default/slapd and update the SLAPD_SERVICES option so that slapd also listens for LDAP over TLS on port 636:
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
Finally, restart slapd and test that TLS is operational:
service slapd restart
gnutls-cli-debug -p 636 localhost
gnutls-cli-debug reports which protocol versions and cipher suites the listener will negotiate; it does not validate the certificate chain or check the host name, so also bind from an LDAP client that is configured to trust the CA and connects to servername.example.com rather than localhost.
Listening Interfaces
Often an LDAP server has multiple network interfaces, bound to different LANs or VLANs. It can be advantageous to limit the interfaces slapd listens on. In the example below unencrypted connections are allowed from the local machine only and
To restrict the listening interfaces, edit /etc/default/slapd and update the SLAPD_SERVICES option:
SLAPD_SERVICES="ldap://127.0.0.1/ ldapi:/// ldaps://192.0.2.1/"
Then restart slapd and check which interfaces it is listening on:
service slapd restart
netstat -tlpn | grep slapd
Testing and Tools
Once the schema and data have been added, stop slapd, rebuild its indices, hand the database files back to the openldap user and start it again. slapindex must only be run while slapd is stopped, and because it runs here as root it leaves root-owned files in /var/lib/ldap, which is why the chown is needed before slapd starts:
service slapd stop
slapindex
chown -R openldap:openldap /var/lib/ldap
service slapd start
Examine the tail of /var/log/syslog for any errors or warnings reported by the slapd process.
If you would like to see which schema modifications have been loaded, type
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn