diff --git a/confskel/Makefile.am b/confskel/Makefile.am index a865f16..c97578a 100644 --- a/confskel/Makefile.am +++ b/confskel/Makefile.am @@ -10,4 +10,7 @@ ldapconfskeldir = $(ldapskeldir)/ldap ldapconfskel_DATA = openldap/ldap/* ldapldifskeldir = $(ldapskeldir)/ldif -ldapldifskel_DATA = openldap/ldif/* \ No newline at end of file +ldapldifskel_DATA = openldap/ldif/* + +saslskeldir = $(confskeldir)/sasl +saslskel_DATA = sasl/* \ No newline at end of file diff --git a/confskel/heimdal/heimdal.defaults b/confskel/heimdal/heimdal.defaults index 616f509..ce60dd5 100644 --- a/confskel/heimdal/heimdal.defaults +++ b/confskel/heimdal/heimdal.defaults @@ -2,7 +2,7 @@ START="yes" KDC_ENABLED="yes" -KDC_PARAMS="" +KDC_PARAMS="--config-file=/etc/heimdal-kdc/kdc.conf" KPASSWDD_ENABLED="yes" KPASSWDD_PARAMS="" diff --git a/confskel/heimdal/kdc.conf b/confskel/heimdal/kdc.conf index 62d6fb3..96f3a8d 100644 --- a/confskel/heimdal/kdc.conf +++ b/confskel/heimdal/kdc.conf @@ -1,8 +1,12 @@ [kdc] -logging = FILE:/var/log/heimdal-kdc.log -enable-pkinit = yes -pki-identity = FILE:/etc/trinity/ldap/tde-ca/public/@@@KDCSERVER@@@.pki.crt,/etc/trinity/ldap/tde-ca/private/@@@KDCSERVER@@@.pki.key -pki-anchors = FILE:/etc/trinity/ldap/tde-ca/anchors/tdeca.pem -pki-allow-proxy-certificate = false -acl_file = /etc/heimdal-kdc/kadmind.acl + logging = FILE:/var/log/heimdal-kdc.log + enable-pkinit = yes + pkinit_identity = FILE:/etc/trinity/ldap/tde-ca/public/@@@KDCSERVER@@@.pki.crt,/etc/trinity/ldap/tde-ca/private/@@@KDCSERVER@@@.pki.key + pkinit_anchors = FILE:/etc/trinity/ldap/tde-ca/anchors/tdeca.pem + pkinit_allow-proxy-certificate = false + acl_file = /etc/heimdal-kdc/kadmind.acl + database = { + dbname = ldap:@@@REALM_DCNAME@@@ + acl_file = /etc/heimdal-kdc/kadmind.acl + } \ No newline at end of file diff --git a/confskel/heimdal/krb5.conf b/confskel/heimdal/krb5.conf index 9185177..e76a90f 100644 --- a/confskel/heimdal/krb5.conf +++ b/confskel/heimdal/krb5.conf 
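Review bot: `pkinit_allow-proxy-certificate = false` keeps the dashes that the other two renamed keys in this hunk (`pkinit_identity`, `pkinit_anchors`) dropped; Heimdal documents the option as `pkinit_allow_proxy_certificate`, and if the config parser does not treat `-` and `_` as equivalent the line is ignored and the compiled-in default (which I believe is also false) applies silently, so the line should read `pkinit_allow_proxy_certificate = false`. The new `database = { ... }` block sets `dbname` and `acl_file` but no `mkey_file`; as far as I recall, when Heimdal finds no master key it writes principal keys to the backend without master-key encryption, so confirm that is intended for the LDAP store or add `mkey_file = <MASTER_KEY_PATH>` (placeholder). `acl_file` is also set both directly under `[kdc]` and inside the database block; I believe only the database-block form is read, so one of the two looks redundant and should be removed to avoid a misleading config.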
@@ -1,8 +1,6 @@ [libdefaults] ticket_lifetime = 86400 default_realm = @@@REALM_UCNAME@@@ - default_etypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 - default_etypes_des = des3-hmac-sha1 des-cbc-crc des-cbc-md5 [appdefaults] pkinit_anchors = FILE:/etc/trinity/ldap/tde-ca/anchors/tdeca.pem @@ -21,17 +19,6 @@ @@@REALM_LCNAME@@@ = @@@REALM_UCNAME@@@ .@@@REALM_LCNAME@@@ = @@@REALM_UCNAME@@@ -[kdc] - enable-pkinit = yes - pkinit_identity = FILE:/etc/trinity/ldap/tde-ca/public/@@@KDCSERVER@@@.pki.crt,/etc/trinity/ldap/tde-ca/private/@@@KDCSERVER@@@.pki.key - pkinit_anchors = FILE:/etc/trinity/ldap/tde-ca/anchors/tdeca.pem - pkinit_allow-proxy-certificate = false - - database = { - dbname = ldap:@@@REALM_DCNAME@@@ - acl_file = /etc/heimdal-kdc/kadmind.acl - } - [logging] kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log diff --git a/confskel/openldap/ldap/slapd.defaults b/confskel/openldap/ldap/slapd.defaults index 91ddb31..60ab088 100644 --- a/confskel/openldap/ldap/slapd.defaults +++ b/confskel/openldap/ldap/slapd.defaults 
@@ -1,25 +1,45 @@ -### -# Enable the daemon. -### -START="yes" - -### -# Keytab -### -export KRB5_KTNAME=/etc/ldap/ldap.keytab - -### -# Services -### +# Default location of the slapd.conf file or slapd.d cn=config directory. If +# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to +# /etc/ldap/slapd.conf). +SLAPD_CONF="/etc/ldap/slapd.d" + +# System account to run the slapd server under. If empty the server +# will run as root. +SLAPD_USER="@@@LDAP_USER_NAME@@@" + +# System group to run the slapd server under. If empty the server will +# run in the primary group of its user. +SLAPD_GROUP="@@@LDAP_GROUP_NAME@@@" + +# Path to the pid file of the slapd server. If not set the init.d script +# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by +# default) +SLAPD_PIDFILE= + +# slapd normally serves ldap only on all TCP-ports 389. slapd can also +# service requests on TCP-port 636 (ldaps) and requests via unix +# sockets. +# Example usage: +# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///" SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///" -### -# Additional Options -# @todo: pass user & group for service. -### -SLAPD_OPTIONS="" +# If SLAPD_NO_START is set, the init script will not start or restart +# slapd (but stop will still work). Uncomment this if you are +# starting slapd via some other means or if you don't want slapd normally +# started at boot. +#SLAPD_NO_START=1 -### -# SLAPD Configuration -### -SLAPD_CONF="/etc/ldap/slapd.d" +# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists, +# the init script will not start or restart slapd (but stop will still +# work). Use this for temporarily disabling startup of slapd (when doing +# maintenance, for example, or through a configuration management system) +# when you don't want to edit a configuration file. +SLAPD_SENTINEL_FILE=/etc/ldap/noslapd + +# For Kerberos authentication (via SASL), slapd by default uses the system +# keytab file (/etc/krb5.keytab). 
To use a different keytab file,
+# uncomment this line and change the path.
+export KRB5_KTNAME=@@@LDAP_KEYTAB_FILE@@@
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
diff --git a/confskel/openldap/ldif/config.ldif b/confskel/openldap/ldif/config.ldif
new file mode 100644
index 0000000..9e05b86
--- /dev/null
+++ b/confskel/openldap/ldif/config.ldif
@@ -0,0 +1,41 @@
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcConfigFile: /etc/ldap/slapd.conf
+olcConfigDir: /tmp/ldap
+olcArgsFile: /var/run/slapd/slapd.args
+olcAttributeOptions: lang-
+olcAuthzPolicy: none
+olcAuthzRegexp: uid=([^,]+),cn=@@@REALM_LCNAME@@@,cn=gssapi,cn=auth uid=$1,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@
+olcConcurrency: 0
+olcConnMaxPending: 100
+olcConnMaxPendingAuth: 1000
+olcGentleHUP: FALSE
+olcIdleTimeout: 0
+olcIndexSubstrIfMaxLen: 4
+olcIndexSubstrIfMinLen: 2
+olcIndexSubstrAnyLen: 4
+olcIndexSubstrAnyStep: 2
+olcIndexIntLen: 4
+olcLocalSSF: 71
+olcLogLevel: Stats
+olcPidFile: /var/run/slapd/slapd.pid
+olcReadOnly: FALSE
+olcReverseLookup: FALSE
+olcSaslHost: @@@ADMINSERVER@@@
+olcSaslRealm: @@@REALM_UCNAME@@@
+olcSaslSecProps: noplain,noanonymous
+olcSockbufMaxIncoming: 262143
+olcSockbufMaxIncomingAuth: 16777215
+olcThreads: 16
+#olcTLSCertificateFile: /etc/trinity/ldap/tde-ca/public/@@@ADMINSERVER@@@.crt
+#olcTLSCertificateKeyFile: /etc/trinity/ldap/tde-ca/private/@@@ADMINSERVER@@@.key
+olcTLSVerifyClient: never
+olcToolThreads: 1
+olcWriteTimeout: 0
+structuralObjectClass: olcGlobal
+creatorsName: cn=config
+createTimestamp: @@@TIMESTAMP@@@Z
+entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000
+modifiersName: cn=config
+modifyTimestamp: @@@TIMESTAMP@@@Z
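Review bot: The comment above `export KRB5_KTNAME=@@@LDAP_KEYTAB_FILE@@@` says to "uncomment this line" to use a non-default keytab, but the line is already active, so the comment contradicts the setting; either reword it, e.g. `# slapd reads its Kerberos keytab from the file below; change the path to use a different keytab.`, or ship the line commented out as the upstream default does. Since this hunk also introduces `SLAPD_USER`/`SLAPD_GROUP`, the keytab at that path must be readable by that account rather than by root only, which is worth one sentence in the same comment. The hunk begins outside the reformatted span above, so the two context blank lines of its first half are not recoverable here.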
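Review bot: `olcConfigDir: /tmp/ldap` disagrees with `SLAPD_CONF="/etc/ldap/slapd.d"` in slapd.defaults and points the cn=config directory at a world-writable temp location; it should be `olcConfigDir: /etc/ldap/slapd.d`, or be dropped if the shipped slapd records the -F directory itself (confirm against that version). `olcTLSCertificateFile` and `olcTLSCertificateKeyFile` are commented out while slapd.defaults lists `ldaps:///` in SLAPD_SERVICES; as far as I recall slapd will not bring up an ldaps listener without a usable TLS context, so either enable those two lines (the tde-ca paths are already filled in) or remove `ldaps:///` until the certificates are installed. Nothing in this entry sets `olcSecurity`, so `olcSaslSecProps: noplain,noanonymous` constrains only SASL binds and simple binds over the plain `ldap:///` listener stay unprotected; if that is not intended, a directive such as `olcSecurity: ssf=71` (matching the `olcLocalSSF: 71` already granted to ldapi connections) would require TLS or ldapi for every operation — confirm the value against the deployment.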
@@ -0,0 +1,16 @@
+dn: cn=module{0}
+objectClass: olcModuleList
+cn: module{0}
+olcModulePath: /usr/lib/ldap
+olcModuleLoad: {0}back_hdb
+olcModuleLoad: {1}syncprov
+olcModuleLoad: {2}back_monitor
+olcModuleLoad: {3}auditlog
+olcModuleLoad: {4}unique
+olcModuleLoad: {5}ppolicy
+structuralObjectClass: olcModuleList
+creatorsName: cn=config
+createTimestamp: @@@TIMESTAMP@@@Z
+entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000
+modifiersName: cn=config
+modifyTimestamp: @@@TIMESTAMP@@@Z
diff --git a/confskel/openldap/ldif/olcConfig.ldif b/confskel/openldap/ldif/olcConfig.ldif
new file mode 100644
index 0000000..86d5267
--- /dev/null
+++ b/confskel/openldap/ldif/olcConfig.ldif
@@ -0,0 +1,18 @@
+dn: olcDatabase={0}config
+objectClass: olcDatabaseConfig
+olcDatabase: {0}config
+olcAccess: {0}to * by * none
+olcAddContentAcl: TRUE
+olcLastMod: TRUE
+olcMaxDerefDepth: 15
+olcReadOnly: FALSE
+olcRootDN: cn=config
+olcRootPW: {SHA}@@@ROOTPW_SHA@@@
+olcSyncUseSubentry: FALSE
+olcMonitoring: FALSE
+structuralObjectClass: olcDatabaseConfig
+creatorsName: cn=config
+createTimestamp: @@@TIMESTAMP@@@Z
+entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000
+modifiersName: cn=config
+modifyTimestamp: @@@TIMESTAMP@@@Z
diff --git a/confskel/openldap/ldif/schema.ldif b/confskel/openldap/ldif/schema.ldif
new file mode 100644
index 0000000..b8a7529
--- /dev/null
+++ b/confskel/openldap/ldif/schema.ldif
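Review bot: `olcRootPW: {SHA}@@@ROOTPW_SHA@@@` stores the cn=config administrator password as an unsalted SHA-1 digest; OpenLDAP's own slappasswd defaults to the salted `{SSHA}` scheme, so the template should switch to `{SSHA}` and have the generator that fills the placeholder emit a salted digest (a new placeholder name would be needed, since the existing one implies plain SHA). Because this LDIF carries the hash for the account that can rewrite the whole server configuration, the install step that substitutes the placeholder should also write the file with owner-only permissions; that step is outside this diff, so it is worth confirming in the installer.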
@@ -0,0 +1,812 @@ +dn: cn=schema +objectClass: olcSchemaConfig +cn: schema +olcObjectIdentifier: OLcfg 1.3.6.1.4.1.4203.1.12.2 +olcObjectIdentifier: OLcfgAt OLcfg:3 +olcObjectIdentifier: OLcfgGlAt OLcfgAt:0 +olcObjectIdentifier: OLcfgBkAt OLcfgAt:1 +olcObjectIdentifier: OLcfgDbAt OLcfgAt:2 +olcObjectIdentifier: OLcfgOvAt OLcfgAt:3 +olcObjectIdentifier: OLcfgCtAt OLcfgAt:4 +olcObjectIdentifier: OLcfgOc OLcfg:4 +olcObjectIdentifier: OLcfgGlOc OLcfgOc:0 +olcObjectIdentifier: OLcfgBkOc OLcfgOc:1 +olcObjectIdentifier: OLcfgDbOc OLcfgOc:2 +olcObjectIdentifier: OLcfgOvOc OLcfgOc:3 +olcObjectIdentifier: OLcfgCtOc OLcfgOc:4 +olcObjectIdentifier: OMsyn 1.3.6.1.4.1.1466.115.121.1 +olcObjectIdentifier: OMsBoolean OMsyn:7 +olcObjectIdentifier: OMsDN OMsyn:12 +olcObjectIdentifier: OMsDirectoryString OMsyn:15 +olcObjectIdentifier: OMsIA5String OMsyn:26 +olcObjectIdentifier: OMsInteger OMsyn:27 +olcObjectIdentifier: OMsOID OMsyn:38 +olcObjectIdentifier: OMsOctetString OMsyn:40 +olcObjectIdentifier: olmAttributes 1.3.6.1.4.1.4203.666.1.55 +olcObjectIdentifier: olmSubSystemAttributes olmAttributes:0 +olcObjectIdentifier: olmGenericAttributes olmSubSystemAttributes:0 +olcObjectIdentifier: olmDatabaseAttributes olmSubSystemAttributes:1 +olcObjectIdentifier: olmObjectClasses 1.3.6.1.4.1.4203.666.3.16 +olcObjectIdentifier: olmSubSystemObjectClasses olmObjectClasses:0 +olcObjectIdentifier: olmGenericObjectClasses olmSubSystemObjectClasses:0 +olcObjectIdentifier: olmDatabaseObjectClasses olmSubSystemObjectClasses:1 +olcObjectIdentifier: olmBDBAttributes olmDatabaseAttributes:1 +olcObjectIdentifier: olmBDBObjectClasses olmDatabaseObjectClasses:1 +olcAttributeTypes: ( 2.5.4.0 NAME 'objectClass' DESC 'RFC4512: object classes + of the entity' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121 + .1.38 ) +olcAttributeTypes: ( 2.5.21.9 NAME 'structuralObjectClass' DESC 'RFC4512: stru + ctural object class of entry' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4 + 
.1.1466.115.121.1.38 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperati + on ) +olcAttributeTypes: ( 2.5.18.1 NAME 'createTimestamp' DESC 'RFC4512: time which + object was created' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOr + deringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFIC + ATION USAGE directoryOperation ) +olcAttributeTypes: ( 2.5.18.2 NAME 'modifyTimestamp' DESC 'RFC4512: time which + object was last modified' EQUALITY generalizedTimeMatch ORDERING generalized + TimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-M + ODIFICATION USAGE directoryOperation ) +olcAttributeTypes: ( 2.5.18.3 NAME 'creatorsName' DESC 'RFC4512: name of creat + or' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SING + LE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) +olcAttributeTypes: ( 2.5.18.4 NAME 'modifiersName' DESC 'RFC4512: name of last + modifier' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1. + 12 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) +olcAttributeTypes: ( 2.5.18.9 NAME 'hasSubordinates' DESC 'X.501: entry has ch + ildren' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALU + E NO-USER-MODIFICATION USAGE directoryOperation ) +olcAttributeTypes: ( 2.5.18.10 NAME 'subschemaSubentry' DESC 'RFC4512: name of + controlling subschema entry' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1. 
+ 4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperat + ion ) +olcAttributeTypes: ( 1.3.6.1.1.20 NAME 'entryDN' DESC 'DN of the entry' EQUALI + TY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE N + O-USER-MODIFICATION USAGE directoryOperation ) +olcAttributeTypes: ( 1.3.6.1.1.16.4 NAME 'entryUUID' DESC 'UUID of the entry' + EQUALITY UUIDMatch ORDERING UUIDOrderingMatch SYNTAX 1.3.6.1.1.16.1 SINGLE-VA + LUE NO-USER-MODIFICATION USAGE directoryOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.7 NAME 'entryCSN' DESC 'change seq + uence number of the entry content' EQUALITY CSNMatch ORDERING CSNOrderingMatc + h SYNTAX 1.3.6.1.4.1.4203.666.11.2.1{64} SINGLE-VALUE NO-USER-MODIFICATION US + AGE directoryOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.13 NAME 'namingCSN' DESC 'change s + equence number of the entry naming (RDN)' EQUALITY CSNMatch ORDERING CSNOrder + ingMatch SYNTAX 1.3.6.1.4.1.4203.666.11.2.1{64} SINGLE-VALUE NO-USER-MODIFICA + TION USAGE directoryOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.23 NAME 'syncreplCookie' DESC 'syn + crepl Cookie for shadow copy' EQUALITY octetStringMatch ORDERING octetStringO + rderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE NO-USER-MODIFI + CATION USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.25 NAME 'contextCSN' DESC 'the lar + gest committed CSN of a context' EQUALITY CSNMatch ORDERING CSNOrderingMatch + SYNTAX 1.3.6.1.4.1.4203.666.11.2.1{64} NO-USER-MODIFICATION USAGE dSAOperatio + n ) +olcAttributeTypes: ( 1.3.6.1.4.1.1466.101.120.6 NAME 'altServer' DESC 'RFC4512 + : alternative servers' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 USAGE dSAOperatio + n ) +olcAttributeTypes: ( 1.3.6.1.4.1.1466.101.120.5 NAME 'namingContexts' DESC 'RF + C4512: naming contexts' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 USAGE dSAOperati + on ) +olcAttributeTypes: ( 1.3.6.1.4.1.1466.101.120.13 NAME 'supportedControl' DESC + 'RFC4512: supported 
controls' SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAO + peration ) +olcAttributeTypes: ( 1.3.6.1.4.1.1466.101.120.7 NAME 'supportedExtension' DESC + 'RFC4512: supported extended operations' SYNTAX 1.3.6.1.4.1.1466.115.121.1.3 + 8 USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.1466.101.120.15 NAME 'supportedLDAPVersion' D + ESC 'RFC4512: supported LDAP versions' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 U + SAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.1466.101.120.14 NAME 'supportedSASLMechanisms + ' DESC 'RFC4512: supported SASL mechanisms' SYNTAX 1.3.6.1.4.1.1466.115.121.1 + .15 USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.1.3.5 NAME 'supportedFeatures' DESC 'RFC + 4512: features supported by the server' EQUALITY objectIdentifierMatch SYNTAX + 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.10 NAME 'monitorContext' DESC 'mon + itor context' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121 + .1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.1.12.2.1 NAME 'configContext' DESC 'conf + ig context' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1 + .12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.1.4 NAME 'vendorName' DESC 'RFC3045: name of impl + ementation vendor' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1. + 15 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.1.5 NAME 'vendorVersion' DESC 'RFC3045: version o + f implementation' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1 + 5 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation ) +olcAttributeTypes: ( 2.5.18.5 NAME 'administrativeRole' DESC 'RFC3672: adminis + trative role' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121. 
+ 1.38 USAGE directoryOperation ) +olcAttributeTypes: ( 2.5.18.6 NAME 'subtreeSpecification' DESC 'RFC3672: subtr + ee specification' SYNTAX 1.3.6.1.4.1.1466.115.121.1.45 SINGLE-VALUE USAGE dir + ectoryOperation ) +olcAttributeTypes: ( 2.5.21.1 NAME 'dITStructureRules' DESC 'RFC4512: DIT stru + cture rules' EQUALITY integerFirstComponentMatch SYNTAX 1.3.6.1.4.1.1466.115. + 121.1.17 USAGE directoryOperation ) +olcAttributeTypes: ( 2.5.21.2 NAME 'dITContentRules' DESC 'RFC4512: DIT conten + t rules' EQUALITY objectIdentifierFirstComponentMatch SYNTAX 1.3.6.1.4.1.1466 + .115.121.1.16 USAGE directoryOperation ) +olcAttributeTypes: ( 2.5.21.4 NAME 'matchingRules' DESC 'RFC4512: matching rul + es' EQUALITY objectIdentifierFirstComponentMatch SYNTAX 1.3.6.1.4.1.1466.115. + 121.1.30 USAGE directoryOperation ) +olcAttributeTypes: ( 2.5.21.5 NAME 'attributeTypes' DESC 'RFC4512: attribute t + ypes' EQUALITY objectIdentifierFirstComponentMatch SYNTAX 1.3.6.1.4.1.1466.11 + 5.121.1.3 USAGE directoryOperation ) +olcAttributeTypes: ( 2.5.21.6 NAME 'objectClasses' DESC 'RFC4512: object class + es' EQUALITY objectIdentifierFirstComponentMatch SYNTAX 1.3.6.1.4.1.1466.115. + 121.1.37 USAGE directoryOperation ) +olcAttributeTypes: ( 2.5.21.7 NAME 'nameForms' DESC 'RFC4512: name forms ' EQU + ALITY objectIdentifierFirstComponentMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.3 + 5 USAGE directoryOperation ) +olcAttributeTypes: ( 2.5.21.8 NAME 'matchingRuleUse' DESC 'RFC4512: matching r + ule uses' EQUALITY objectIdentifierFirstComponentMatch SYNTAX 1.3.6.1.4.1.146 + 6.115.121.1.31 USAGE directoryOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.1466.101.120.16 NAME 'ldapSyntaxes' DESC 'RFC + 4512: LDAP syntaxes' EQUALITY objectIdentifierFirstComponentMatch SYNTAX 1.3. 
+ 6.1.4.1.1466.115.121.1.54 USAGE directoryOperation ) +olcAttributeTypes: ( 2.5.4.1 NAME ( 'aliasedObjectName' 'aliasedEntryName' ) D + ESC 'RFC4512: name of aliased object' EQUALITY distinguishedNameMatch SYNTAX + 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113730.3.1.34 NAME 'ref' DESC 'RFC3296: subord + inate referral URL' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1 + .15 USAGE distributedOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.1.3.1 NAME 'entry' DESC 'OpenLDAP ACL en + try pseudo-attribute' SYNTAX 1.3.6.1.4.1.4203.1.1.1 SINGLE-VALUE NO-USER-MODI + FICATION USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.1.3.2 NAME 'children' DESC 'OpenLDAP ACL + children pseudo-attribute' SYNTAX 1.3.6.1.4.1.4203.1.1.1 SINGLE-VALUE NO-USE + R-MODIFICATION USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.8 NAME ( 'authzTo' 'saslAuthzTo' ) + DESC 'proxy authorization targets' EQUALITY authzMatch SYNTAX 1.3.6.1.4.1.42 + 03.666.2.7 USAGE distributedOperation X-ORDERED 'VALUES' ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.9 NAME ( 'authzFrom' 'saslAuthzFro + m' ) DESC 'proxy authorization sources' EQUALITY authzMatch SYNTAX 1.3.6.1.4. 
+ 1.4203.666.2.7 USAGE distributedOperation X-ORDERED 'VALUES' ) +olcAttributeTypes: ( 1.3.6.1.4.1.1466.101.119.3 NAME 'entryTtl' DESC 'RFC2589: + entry time-to-live' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE NO-USE + R-MODIFICATION USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.1466.101.119.4 NAME 'dynamicSubtrees' DESC 'R + FC2589: dynamic subtrees' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 NO-USER-MODIFI + CATION USAGE dSAOperation ) +olcAttributeTypes: ( 2.5.4.49 NAME 'distinguishedName' DESC 'RFC4519: common s + upertype of DN attributes' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1 + .1466.115.121.1.12 ) +olcAttributeTypes: ( 2.5.4.41 NAME 'name' DESC 'RFC4519: common supertype of n + ame attributes' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYN + TAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) +olcAttributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) DESC 'RFC4519: common + name(s) for which the entity is known by' SUP name ) +olcAttributeTypes: ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) DESC 'R + FC4519: user identifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstrings + Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.0 NAME 'uidNumber' DESC 'RFC2307: An intege + r uniquely identifying a user in an administrative domain' EQUALITY integerMa + tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.1 NAME 'gidNumber' DESC 'RFC2307: An intege + r uniquely identifying a group in an administrative domain' EQUALITY integerM + atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.5.4.35 NAME 'userPassword' DESC 'RFC4519/2307: password + of user' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} + ) +olcAttributeTypes: ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI' DESC 'RFC2079: Uni + form Resource Identifier with optional label' EQUALITY caseExactMatch SYNTAX + 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: 
( 2.5.4.13 NAME 'description' DESC 'RFC4519: descriptive in + formation' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1 + .3.6.1.4.1.1466.115.121.1.15{1024} ) +olcAttributeTypes: ( 2.5.4.34 NAME 'seeAlso' DESC 'RFC4519: DN of related obje + ct' SUP distinguishedName ) +olcAttributeTypes: ( OLcfgGlAt:78 NAME 'olcConfigFile' DESC 'File for slapd co + nfiguration directives' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString SI + NGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:79 NAME 'olcConfigDir' DESC 'Directory for slap + d configuration backend' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString S + INGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:1 NAME 'olcAccess' DESC 'Access Control List' E + QUALITY caseIgnoreMatch SYNTAX OMsDirectoryString X-ORDERED 'VALUES' ) +olcAttributeTypes: ( OLcfgGlAt:86 NAME 'olcAddContentAcl' DESC 'Check ACLs aga + inst content of Add ops' SYNTAX OMsBoolean SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:2 NAME 'olcAllows' DESC 'Allowed set of depreca + ted features' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString ) +olcAttributeTypes: ( OLcfgGlAt:3 NAME 'olcArgsFile' DESC 'File for slapd comma + nd line options' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString SINGLE-VA + LUE ) +olcAttributeTypes: ( OLcfgGlAt:5 NAME 'olcAttributeOptions' EQUALITY caseIgnor + eMatch SYNTAX OMsDirectoryString ) +olcAttributeTypes: ( OLcfgGlAt:4 NAME 'olcAttributeTypes' DESC 'OpenLDAP attri + buteTypes' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString X-ORDERED 'VALU + ES' ) +olcAttributeTypes: ( OLcfgGlAt:6 NAME 'olcAuthIDRewrite' EQUALITY caseIgnoreMa + tch SYNTAX OMsDirectoryString X-ORDERED 'VALUES' ) +olcAttributeTypes: ( OLcfgGlAt:7 NAME 'olcAuthzPolicy' EQUALITY caseIgnoreMatc + h SYNTAX OMsDirectoryString SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:8 NAME 'olcAuthzRegexp' EQUALITY caseIgnoreMatc + h SYNTAX OMsDirectoryString X-ORDERED 'VALUES' ) +olcAttributeTypes: ( OLcfgGlAt:9 NAME 'olcBackend' DESC 'A type of 
backend' EQ + UALITY caseIgnoreMatch SYNTAX OMsDirectoryString SINGLE-VALUE X-ORDERED 'SIBL + INGS' ) +olcAttributeTypes: ( OLcfgGlAt:10 NAME 'olcConcurrency' SYNTAX OMsInteger SING + LE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:11 NAME 'olcConnMaxPending' SYNTAX OMsInteger S + INGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:12 NAME 'olcConnMaxPendingAuth' SYNTAX OMsInteg + er SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:13 NAME 'olcDatabase' DESC 'The backend type fo + r a database instance' SUP olcBackend SINGLE-VALUE X-ORDERED 'SIBLINGS' ) +olcAttributeTypes: ( OLcfgGlAt:14 NAME 'olcDefaultSearchBase' SYNTAX OMsDN SIN + GLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:15 NAME 'olcDisallows' EQUALITY caseIgnoreMatch + SYNTAX OMsDirectoryString ) +olcAttributeTypes: ( OLcfgGlAt:16 NAME 'olcDitContentRules' DESC 'OpenLDAP DIT + content rules' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString X-ORDERED + 'VALUES' ) +olcAttributeTypes: ( OLcfgGlAt:17 NAME 'olcGentleHUP' SYNTAX OMsBoolean SINGLE + -VALUE ) +olcAttributeTypes: ( OLcfgDbAt:0.17 NAME 'olcHidden' SYNTAX OMsBoolean SINGLE- + VALUE ) +olcAttributeTypes: ( OLcfgGlAt:18 NAME 'olcIdleTimeout' SYNTAX OMsInteger SING + LE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:19 NAME 'olcInclude' SUP labeledURI ) +olcAttributeTypes: ( OLcfgGlAt:20 NAME 'olcIndexSubstrIfMinLen' SYNTAX OMsInte + ger SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:21 NAME 'olcIndexSubstrIfMaxLen' SYNTAX OMsInte + ger SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:22 NAME 'olcIndexSubstrAnyLen' SYNTAX OMsIntege + r SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:23 NAME 'olcIndexSubstrAnyStep' SYNTAX OMsInteg + er SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:84 NAME 'olcIndexIntLen' SYNTAX OMsInteger SING + LE-VALUE ) +olcAttributeTypes: ( OLcfgDbAt:0.4 NAME 'olcLastMod' SYNTAX OMsBoolean SINGLE- + VALUE ) +olcAttributeTypes: ( OLcfgGlAt:85 NAME 'olcLdapSyntaxes' DESC 'OpenLDAP ldapSy + ntax' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString X-ORDERED 
'VALUES' ) +olcAttributeTypes: ( OLcfgDbAt:0.5 NAME 'olcLimits' EQUALITY caseIgnoreMatch S + YNTAX OMsDirectoryString X-ORDERED 'VALUES' ) +olcAttributeTypes: ( OLcfgGlAt:26 NAME 'olcLocalSSF' SYNTAX OMsInteger SINGLE- + VALUE ) +olcAttributeTypes: ( OLcfgGlAt:27 NAME 'olcLogFile' SYNTAX OMsDirectoryString + SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:28 NAME 'olcLogLevel' EQUALITY caseIgnoreMatch + SYNTAX OMsDirectoryString ) +olcAttributeTypes: ( OLcfgDbAt:0.6 NAME 'olcMaxDerefDepth' SYNTAX OMsInteger S + INGLE-VALUE ) +olcAttributeTypes: ( OLcfgDbAt:0.16 NAME 'olcMirrorMode' SYNTAX OMsBoolean SIN + GLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:30 NAME 'olcModuleLoad' EQUALITY caseIgnoreMatc + h SYNTAX OMsDirectoryString X-ORDERED 'VALUES' ) +olcAttributeTypes: ( OLcfgGlAt:31 NAME 'olcModulePath' SYNTAX OMsDirectoryStri + ng SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgDbAt:0.18 NAME 'olcMonitoring' SYNTAX OMsBoolean SIN + GLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:32 NAME 'olcObjectClasses' DESC 'OpenLDAP objec + t classes' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString X-ORDERED 'VALU + ES' ) +olcAttributeTypes: ( OLcfgGlAt:33 NAME 'olcObjectIdentifier' EQUALITY caseIgno + reMatch SYNTAX OMsDirectoryString X-ORDERED 'VALUES' ) +olcAttributeTypes: ( OLcfgGlAt:34 NAME 'olcOverlay' SUP olcDatabase SINGLE-VAL + UE X-ORDERED 'SIBLINGS' ) +olcAttributeTypes: ( OLcfgGlAt:35 NAME 'olcPasswordCryptSaltFormat' SYNTAX OMs + DirectoryString SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:36 NAME 'olcPasswordHash' EQUALITY caseIgnoreMa + tch SYNTAX OMsDirectoryString ) +olcAttributeTypes: ( OLcfgGlAt:37 NAME 'olcPidFile' SYNTAX OMsDirectoryString + SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:38 NAME 'olcPlugin' EQUALITY caseIgnoreMatch SY + NTAX OMsDirectoryString ) +olcAttributeTypes: ( OLcfgGlAt:39 NAME 'olcPluginLogFile' SYNTAX OMsDirectoryS + tring SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:40 NAME 'olcReadOnly' SYNTAX OMsBoolean SINGLE- + VALUE ) 
+olcAttributeTypes: ( OLcfgGlAt:41 NAME 'olcReferral' SUP labeledURI SINGLE-VAL + UE ) +olcAttributeTypes: ( OLcfgDbAt:0.7 NAME 'olcReplica' SUP labeledURI EQUALITY c + aseIgnoreMatch X-ORDERED 'VALUES' ) +olcAttributeTypes: ( OLcfgGlAt:43 NAME 'olcReplicaArgsFile' SYNTAX OMsDirector + yString SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:44 NAME 'olcReplicaPidFile' SYNTAX OMsDirectory + String SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:45 NAME 'olcReplicationInterval' SYNTAX OMsInte + ger SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:46 NAME 'olcReplogFile' SYNTAX OMsDirectoryStri + ng SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:47 NAME 'olcRequires' EQUALITY caseIgnoreMatch + SYNTAX OMsDirectoryString ) +olcAttributeTypes: ( OLcfgGlAt:48 NAME 'olcRestrict' EQUALITY caseIgnoreMatch + SYNTAX OMsDirectoryString ) +olcAttributeTypes: ( OLcfgGlAt:49 NAME 'olcReverseLookup' SYNTAX OMsBoolean SI + NGLE-VALUE ) +olcAttributeTypes: ( OLcfgDbAt:0.8 NAME 'olcRootDN' EQUALITY distinguishedName + Match SYNTAX OMsDN SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:51 NAME 'olcRootDSE' EQUALITY caseIgnoreMatch S + YNTAX OMsDirectoryString ) +olcAttributeTypes: ( OLcfgDbAt:0.9 NAME 'olcRootPW' SYNTAX OMsDirectoryString + SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:89 NAME 'olcSaslAuxprops' SYNTAX OMsDirectorySt + ring SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:53 NAME 'olcSaslHost' SYNTAX OMsDirectoryString + SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:54 NAME 'olcSaslRealm' SYNTAX OMsDirectoryStrin + g SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:56 NAME 'olcSaslSecProps' SYNTAX OMsDirectorySt + ring SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:58 NAME 'olcSchemaDN' EQUALITY distinguishedNam + eMatch SYNTAX OMsDN SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:59 NAME 'olcSecurity' EQUALITY caseIgnoreMatch + SYNTAX OMsDirectoryString ) +olcAttributeTypes: ( OLcfgGlAt:81 NAME 'olcServerID' EQUALITY caseIgnoreMatch + SYNTAX OMsDirectoryString ) 
+olcAttributeTypes: ( OLcfgGlAt:60 NAME 'olcSizeLimit' SYNTAX OMsDirectoryStrin + g SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:61 NAME 'olcSockbufMaxIncoming' SYNTAX OMsInteg + er SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:62 NAME 'olcSockbufMaxIncomingAuth' SYNTAX OMsI + nteger SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:83 NAME 'olcSortVals' DESC 'Attributes whose va + lues will always be sorted' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryStrin + g ) +olcAttributeTypes: ( OLcfgDbAt:0.15 NAME 'olcSubordinate' SYNTAX OMsDirectoryS + tring SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgDbAt:0.10 NAME 'olcSuffix' EQUALITY distinguishedNam + eMatch SYNTAX OMsDN ) +olcAttributeTypes: ( OLcfgDbAt:0.19 NAME 'olcSyncUseSubentry' DESC 'Store sync + context in a subentry' SYNTAX OMsBoolean SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgDbAt:0.11 NAME 'olcSyncrepl' EQUALITY caseIgnoreMatc + h SYNTAX OMsDirectoryString X-ORDERED 'VALUES' ) +olcAttributeTypes: ( OLcfgGlAt:90 NAME 'olcTCPBuffer' DESC 'Custom TCP buffer + size' SYNTAX OMsDirectoryString ) +olcAttributeTypes: ( OLcfgGlAt:66 NAME 'olcThreads' SYNTAX OMsInteger SINGLE-V + ALUE ) +olcAttributeTypes: ( OLcfgGlAt:67 NAME 'olcTimeLimit' SYNTAX OMsDirectoryStrin + g ) +olcAttributeTypes: ( OLcfgGlAt:68 NAME 'olcTLSCACertificateFile' SYNTAX OMsDir + ectoryString SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:69 NAME 'olcTLSCACertificatePath' SYNTAX OMsDir + ectoryString SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:70 NAME 'olcTLSCertificateFile' SYNTAX OMsDirec + toryString SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:71 NAME 'olcTLSCertificateKeyFile' SYNTAX OMsDi + rectoryString SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:72 NAME 'olcTLSCipherSuite' SYNTAX OMsDirectory + String SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:73 NAME 'olcTLSCRLCheck' SYNTAX OMsDirectoryStr + ing SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:82 NAME 'olcTLSCRLFile' SYNTAX OMsDirectoryStri + ng SINGLE-VALUE ) +olcAttributeTypes: 
( OLcfgGlAt:74 NAME 'olcTLSRandFile' SYNTAX OMsDirectoryStr + ing SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:75 NAME 'olcTLSVerifyClient' SYNTAX OMsDirector + yString SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' SYNTAX OMsDirectory + String SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:87 NAME 'olcTLSProtocolMin' SYNTAX OMsDirectory + String SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgGlAt:80 NAME 'olcToolThreads' SYNTAX OMsInteger SING + LE-VALUE ) +olcAttributeTypes: ( OLcfgDbAt:0.12 NAME 'olcUpdateDN' SYNTAX OMsDN SINGLE-VAL + UE ) +olcAttributeTypes: ( OLcfgDbAt:0.13 NAME 'olcUpdateRef' SUP labeledURI EQUALIT + Y caseIgnoreMatch ) +olcAttributeTypes: ( OLcfgGlAt:88 NAME 'olcWriteTimeout' SYNTAX OMsInteger SIN + GLE-VALUE ) +olcAttributeTypes: ( OLcfgDbAt:0.1 NAME 'olcDbDirectory' DESC 'Directory for d + atabase content' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString SINGLE-VA + LUE ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.5 NAME 'OpenLDAPaci' DESC 'OpenLDA + P access control information (experimental)' EQUALITY OpenLDAPaciMatch SYNTAX + 1.3.6.1.4.1.4203.666.2.1 USAGE directoryOperation ) +olcAttributeTypes: ( OLcfgDbAt:1.11 NAME 'olcDbCacheFree' DESC 'Number of extr + a entries to free when max is reached' SYNTAX OMsInteger SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgDbAt:1.1 NAME 'olcDbCacheSize' DESC 'Entry cache siz + e in entries' SYNTAX OMsInteger SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgDbAt:1.2 NAME 'olcDbCheckpoint' DESC 'Database check + point interval in kbytes and minutes' SYNTAX OMsDirectoryString SINGLE-VALUE + ) +olcAttributeTypes: ( OLcfgDbAt:1.16 NAME 'olcDbChecksum' DESC 'Enable database + checksum validation' SYNTAX OMsBoolean SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgDbAt:1.13 NAME 'olcDbCryptFile' DESC 'Pathname of fi + le containing the DB encryption key' SYNTAX OMsDirectoryString SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgDbAt:1.14 NAME 'olcDbCryptKey' DESC 'DB encryption k + ey' SYNTAX 
OMsOctetString SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgDbAt:1.3 NAME 'olcDbConfig' DESC 'BerkeleyDB DB_CONF + IG configuration directives' SYNTAX OMsIA5String X-ORDERED 'VALUES' ) +olcAttributeTypes: ( OLcfgDbAt:1.4 NAME 'olcDbNoSync' DESC 'Disable synchronou + s database writes' SYNTAX OMsBoolean SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgDbAt:1.15 NAME 'olcDbPageSize' DESC 'Page size of sp + ecified DB, in Kbytes' EQUALITY caseExactMatch SYNTAX OMsDirectoryString ) +olcAttributeTypes: ( OLcfgDbAt:1.5 NAME 'olcDbDirtyRead' DESC 'Allow reads of + uncommitted data' SYNTAX OMsBoolean SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgDbAt:1.12 NAME 'olcDbDNcacheSize' DESC 'DN cache siz + e' SYNTAX OMsInteger SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgDbAt:1.6 NAME 'olcDbIDLcacheSize' DESC 'IDL cache si + ze in IDLs' SYNTAX OMsInteger SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgDbAt:0.2 NAME 'olcDbIndex' DESC 'Attribute index par + ameters' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString ) +olcAttributeTypes: ( OLcfgDbAt:1.7 NAME 'olcDbLinearIndex' DESC 'Index attribu + tes one at a time' SYNTAX OMsBoolean SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgDbAt:1.8 NAME 'olcDbLockDetect' DESC 'Deadlock detec + tion algorithm' SYNTAX OMsDirectoryString SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgDbAt:0.3 NAME 'olcDbMode' DESC 'Unix permissions of + database files' SYNTAX OMsDirectoryString SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgDbAt:1.9 NAME 'olcDbSearchStack' DESC 'Depth of sear + ch stack in IDLs' SYNTAX OMsInteger SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgDbAt:1.10 NAME 'olcDbShmKey' DESC 'Key for shared me + mory region' SYNTAX OMsInteger SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgOvAt:1.1 NAME 'olcSpCheckpoint' DESC 'ContextCSN che + ckpoint interval in ops and minutes' SYNTAX OMsDirectoryString SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgOvAt:1.2 NAME 'olcSpSessionlog' DESC 'Session log si + ze in ops' SYNTAX OMsInteger SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgOvAt:1.3 NAME 
'olcSpNoPresent' DESC 'Omit Present ph + ase processing' SYNTAX OMsBoolean SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgOvAt:1.4 NAME 'olcSpReloadHint' DESC 'Observe Reload + Hint in Request control' SYNTAX OMsBoolean SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.1 NAME 'monitoredInfo' DESC 'mo + nitored info' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTA + X 1.3.6.1.4.1.1466.115.121.1.15{32768} NO-USER-MODIFICATION USAGE dSAOperatio + n ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.2 NAME 'managedInfo' DESC 'moni + tor managed info' SUP name ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.3 NAME 'monitorCounter' DESC 'm + onitor counter' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1. + 3.6.1.4.1.1466.115.121.1.27 NO-USER-MODIFICATION USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.4 NAME 'monitorOpCompleted' DES + C 'monitor completed operations' SUP monitorCounter NO-USER-MODIFICATION USAG + E dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.5 NAME 'monitorOpInitiated' DES + C 'monitor initiated operations' SUP monitorCounter NO-USER-MODIFICATION USAG + E dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.6 NAME 'monitorConnectionNumber + ' DESC 'monitor connection number' SUP monitorCounter NO-USER-MODIFICATION US + AGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.7 NAME 'monitorConnectionAuthzD + N' DESC 'monitor connection authorization DN' EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 NO-USER-MODIFICATION USAGE dSAOperation + ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.8 NAME 'monitorConnectionLocalA + ddress' DESC 'monitor connection local address' SUP monitoredInfo NO-USER-MOD + IFICATION USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.9 NAME 'monitorConnectionPeerAd + dress' DESC 'monitor connection peer address' SUP monitoredInfo NO-USER-MODIF + ICATION USAGE dSAOperation ) 
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.10 NAME 'monitorTimestamp' DESC + 'monitor timestamp' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOr + deringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFIC + ATION USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.11 NAME 'monitorOverlay' DESC ' + name of overlays defined for a given database' SUP monitoredInfo NO-USER-MODI + FICATION USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.12 NAME 'readOnly' DESC 'read/w + rite status of a given database' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.146 + 6.115.121.1.7 SINGLE-VALUE USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.13 NAME 'restrictedOperation' D + ESC 'name of restricted operation for a given database' SUP managedInfo ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.14 NAME 'monitorConnectionProto + col' DESC 'monitor connection protocol' SUP monitoredInfo NO-USER-MODIFICATIO + N USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.15 NAME 'monitorConnectionOpsRe + ceived' DESC 'monitor number of operations received by the connection' SUP mo + nitorCounter NO-USER-MODIFICATION USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.16 NAME 'monitorConnectionOpsEx + ecuting' DESC 'monitor number of operations in execution within the connectio + n' SUP monitorCounter NO-USER-MODIFICATION USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.17 NAME 'monitorConnectionOpsPe + nding' DESC 'monitor number of pending operations within the connection' SUP + monitorCounter NO-USER-MODIFICATION USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.18 NAME 'monitorConnectionOpsCo + mpleted' DESC 'monitor number of operations completed within the connection' + SUP monitorCounter NO-USER-MODIFICATION USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.19 NAME 'monitorConnectionGet' + DESC 'number of times 
connection_get() was called so far' SUP monitorCounter + NO-USER-MODIFICATION USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.20 NAME 'monitorConnectionRead' + DESC 'number of times connection_read() was called so far' SUP monitorCounte + r NO-USER-MODIFICATION USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.21 NAME 'monitorConnectionWrite + ' DESC 'number of times connection_write() was called so far' SUP monitorCoun + ter NO-USER-MODIFICATION USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.22 NAME 'monitorConnectionMask' + DESC 'monitor connection mask' SUP monitoredInfo NO-USER-MODIFICATION USAGE + dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.23 NAME 'monitorConnectionListe + ner' DESC 'monitor connection listener' SUP monitoredInfo NO-USER-MODIFICATIO + N USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.24 NAME 'monitorConnectionPeerD + omain' DESC 'monitor connection peer domain' SUP monitoredInfo NO-USER-MODIFI + CATION USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.25 NAME 'monitorConnectionStart + Time' DESC 'monitor connection start time' SUP monitorTimestamp SINGLE-VALUE + NO-USER-MODIFICATION USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.26 NAME 'monitorConnectionActiv + ityTime' DESC 'monitor connection activity time' SUP monitorTimestamp SINGLE- + VALUE NO-USER-MODIFICATION USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.27 NAME 'monitorIsShadow' DESC + 'TRUE if the database is shadow' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.146 + 6.115.121.1.7 SINGLE-VALUE USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.28 NAME 'monitorUpdateRef' DESC + 'update referral for shadow databases' SUP monitoredInfo SINGLE-VALUE USAGE + dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.29 NAME 'monitorRuntimeConfig' + DESC 'TRUE if component allows runtime configuration' 
EQUALITY booleanMatch S + YNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE USAGE dSAOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.30 NAME 'monitorSuperiorDN' DES + C 'monitor superior DN' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.14 + 66.115.121.1.12 NO-USER-MODIFICATION USAGE dSAOperation ) +olcAttributeTypes: ( OLcfgOvAt:15.1 NAME 'olcAuditlogFile' DESC 'Filename for + auditlogging' SYNTAX OMsDirectoryString ) +olcAttributeTypes: ( OLcfgOvAt:10.1 NAME 'olcUniqueBase' DESC 'Subtree for uni + queness searches' EQUALITY distinguishedNameMatch SYNTAX OMsDN SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgOvAt:10.2 NAME 'olcUniqueIgnore' DESC 'Attributes fo + r which uniqueness shall not be enforced' EQUALITY caseIgnoreMatch ORDERING c + aseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX OMsDirectorySt + ring ) +olcAttributeTypes: ( OLcfgOvAt:10.3 NAME 'olcUniqueAttribute' DESC 'Attributes + for which uniqueness shall be enforced' EQUALITY caseIgnoreMatch ORDERING ca + seIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX OMsDirectoryStr + ing ) +olcAttributeTypes: ( OLcfgOvAt:10.4 NAME 'olcUniqueStrict' DESC 'Enforce uniqu + eness of null values' EQUALITY booleanMatch SYNTAX OMsBoolean SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgOvAt:10.5 NAME 'olcUniqueURI' DESC 'List of keywords + and LDAP URIs for a uniqueness domain' EQUALITY caseExactMatch ORDERING case + ExactOrderingMatch SUBSTR caseExactSubstringsMatch SYNTAX OMsDirectoryString + ) +olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.16 NAME 'pwdChangedTime' DESC 'Th + e time the password was last changed' EQUALITY generalizedTimeMatch ORDERING + generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALU + E NO-USER-MODIFICATION USAGE directoryOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.17 NAME 'pwdAccountLockedTime' DE + SC 'The time an user account was locked' EQUALITY generalizedTimeMatch ORDERI + NG generalizedTimeOrderingMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.24 SINGLE-V + ALUE USAGE directoryOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.19 NAME 'pwdFailureTime' DESC 'Th + e timestamps of the last consecutive authentication failures' EQUALITY genera + lizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466. + 115.121.1.24 NO-USER-MODIFICATION USAGE directoryOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.20 NAME 'pwdHistory' DESC 'The hi + story of users passwords' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.1 + 15.121.1.40 NO-USER-MODIFICATION USAGE directoryOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.21 NAME 'pwdGraceUseTime' DESC 'T + he timestamps of the grace login once the password has expired' EQUALITY gene + ralizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 NO-USER-MODIFICATION US + AGE directoryOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.22 NAME 'pwdReset' DESC 'The indi + cation that the password has been reset' EQUALITY booleanMatch SYNTAX 1.3.6.1 + .4.1.1466.115.121.1.7 SINGLE-VALUE USAGE directoryOperation ) +olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry' DESC + 'The pwdPolicy subentry in effect for this object' EQUALITY distinguishedName + Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE USAGE directoryOperat + ion ) +olcAttributeTypes: ( OLcfgOvAt:12.1 NAME 'olcPPolicyDefault' DESC 'DN of a pwd + Policy object for uncustomized objects' SYNTAX OMsDN SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgOvAt:12.2 NAME 'olcPPolicyHashCleartext' DESC 'Hash + passwords on add or modify' SYNTAX OMsBoolean SINGLE-VALUE ) +olcAttributeTypes: ( OLcfgOvAt:12.4 NAME 'olcPPolicyForwardUpdates' DESC 'Allo + w policy state updates to be forwarded via updateref' SYNTAX OMsBoolean SINGL + E-VALUE ) +olcAttributeTypes: ( OLcfgOvAt:12.3 NAME 'olcPPolicyUseLockout' DESC 'Warn cli + ents with AccountLocked' SYNTAX OMsBoolean SINGLE-VALUE ) +olcAttributeTypes: ( olmBDBAttributes:1 NAME 
'olmBDBEntryCache' DESC 'Number o + f items in Entry Cache' SUP monitorCounter NO-USER-MODIFICATION USAGE dSAOper + ation ) +olcAttributeTypes: ( olmBDBAttributes:2 NAME 'olmBDBDNCache' DESC 'Number of i + tems in DN Cache' SUP monitorCounter NO-USER-MODIFICATION USAGE dSAOperation + ) +olcAttributeTypes: ( olmBDBAttributes:3 NAME 'olmBDBIDLCache' DESC 'Number of + items in IDL Cache' SUP monitorCounter NO-USER-MODIFICATION USAGE dSAOperatio + n ) +olcAttributeTypes: ( olmBDBAttributes:4 NAME 'olmDbDirectory' DESC 'Path name + of the directory where the database environment resides' SUP monitoredInfo NO + -USER-MODIFICATION USAGE dSAOperation ) +olcObjectClasses: ( 2.5.6.0 NAME 'top' DESC 'top of the superclass chain' ABST + RACT MUST objectClass ) +olcObjectClasses: ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' DESC + 'RFC4512: extensible object' SUP top AUXILIARY ) +olcObjectClasses: ( 2.5.6.1 NAME 'alias' DESC 'RFC4512: an alias' SUP top STRU + CTURAL MUST aliasedObjectName ) +olcObjectClasses: ( 2.16.840.1.113730.3.2.6 NAME 'referral' DESC 'namedref: na + med subordinate referral' SUP top STRUCTURAL MUST ref ) +olcObjectClasses: ( 1.3.6.1.4.1.4203.1.4.1 NAME ( 'OpenLDAProotDSE' 'LDAProotD + SE' ) DESC 'OpenLDAP Root DSE object' SUP top STRUCTURAL MAY cn ) +olcObjectClasses: ( 2.5.17.0 NAME 'subentry' DESC 'RFC3672: subentry' SUP top + STRUCTURAL MUST ( cn $ subtreeSpecification ) ) +olcObjectClasses: ( 2.5.20.1 NAME 'subschema' DESC 'RFC4512: controlling subsc + hema (sub)entry' AUXILIARY MAY ( dITStructureRules $ nameForms $ dITContentRu + les $ objectClasses $ attributeTypes $ matchingRules $ matchingRuleUse ) ) +olcObjectClasses: ( 1.3.6.1.4.1.1466.101.119.2 NAME 'dynamicObject' DESC 'RFC2 + 589: Dynamic Object' SUP top AUXILIARY ) +olcObjectClasses: ( 1.3.6.1.4.1.4203.666.3.4 NAME 'glue' DESC 'Glue Entry' SUP + top STRUCTURAL ) +olcObjectClasses: ( 1.3.6.1.4.1.4203.666.3.5 NAME 'syncConsumerSubentry' DESC + 'Persistent Info for SyncRepl Consumer' 
AUXILIARY MAY syncreplCookie ) +olcObjectClasses: ( 1.3.6.1.4.1.4203.666.3.6 NAME 'syncProviderSubentry' DESC + 'Persistent Info for SyncRepl Producer' AUXILIARY MAY contextCSN ) +olcObjectClasses: ( OLcfgGlOc:0 NAME 'olcConfig' DESC 'OpenLDAP configuration + object' SUP top ABSTRACT ) +olcObjectClasses: ( OLcfgGlOc:1 NAME 'olcGlobal' DESC 'OpenLDAP Global configu + ration options' SUP olcConfig STRUCTURAL MAY ( cn $ olcConfigFile $ olcConfig + Dir $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAuthIDRewrite $ olcA + uthzPolicy $ olcAuthzRegexp $ olcConcurrency $ olcConnMaxPending $ olcConnMax + PendingAuth $ olcDisallows $ olcGentleHUP $ olcIdleTimeout $ olcIndexSubstrIf + MaxLen $ olcIndexSubstrIfMinLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnySte + p $ olcIndexIntLen $ olcLocalSSF $ olcLogFile $ olcLogLevel $ olcPasswordCryp + tSaltFormat $ olcPasswordHash $ olcPidFile $ olcPluginLogFile $ olcReadOnly $ + olcReferral $ olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ + olcRootDSE $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps + $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSockbufMaxIncoming $ olcSockb + ufMaxIncomingAuth $ olcTCPBuffer $ olcThreads $ olcTimeLimit $ olcTLSCACertif + icateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertifica + teKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSRandFile $ olcTLSVerif + yClient $ olcTLSDHParamFile $ olcTLSCRLFile $ olcToolThreads $ olcWriteTimeou + t $ olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ olcDitConten + tRules $ olcLdapSyntaxes ) ) +olcObjectClasses: ( OLcfgGlOc:2 NAME 'olcSchemaConfig' DESC 'OpenLDAP schema o + bject' SUP olcConfig STRUCTURAL MAY ( cn $ olcObjectIdentifier $ olcAttribute + Types $ olcObjectClasses $ olcDitContentRules $ olcLdapSyntaxes ) ) +olcObjectClasses: ( OLcfgGlOc:3 NAME 'olcBackendConfig' DESC 'OpenLDAP Backend + -specific options' SUP olcConfig STRUCTURAL MUST olcBackend ) +olcObjectClasses: ( 
OLcfgGlOc:4 NAME 'olcDatabaseConfig' DESC 'OpenLDAP Databa + se-specific options' SUP olcConfig STRUCTURAL MUST olcDatabase MAY ( olcHidde + n $ olcSuffix $ olcSubordinate $ olcAccess $ olcAddContentAcl $ olcLastMod $ + olcLimits $ olcMaxDerefDepth $ olcPlugin $ olcReadOnly $ olcReplica $ olcRepl + icaArgsFile $ olcReplicaPidFile $ olcReplicationInterval $ olcReplogFile $ ol + cRequires $ olcRestrict $ olcRootDN $ olcRootPW $ olcSchemaDN $ olcSecurity $ + olcSizeLimit $ olcSyncUseSubentry $ olcSyncrepl $ olcTimeLimit $ olcUpdateDN + $ olcUpdateRef $ olcMirrorMode $ olcMonitoring ) ) +olcObjectClasses: ( OLcfgGlOc:5 NAME 'olcOverlayConfig' DESC 'OpenLDAP Overlay + -specific options' SUP olcConfig STRUCTURAL MUST olcOverlay ) +olcObjectClasses: ( OLcfgGlOc:6 NAME 'olcIncludeFile' DESC 'OpenLDAP configura + tion include file' SUP olcConfig STRUCTURAL MUST olcInclude MAY ( cn $ olcRoo + tDSE ) ) +olcObjectClasses: ( OLcfgGlOc:7 NAME 'olcFrontendConfig' DESC 'OpenLDAP fronte + nd configuration' AUXILIARY MAY ( olcDefaultSearchBase $ olcPasswordHash $ ol + cSortVals ) ) +olcObjectClasses: ( OLcfgGlOc:8 NAME 'olcModuleList' DESC 'OpenLDAP dynamic mo + dule info' SUP olcConfig STRUCTURAL MAY ( cn $ olcModulePath $ olcModuleLoad + ) ) +olcObjectClasses: ( OLcfgDbOc:2.1 NAME 'olcLdifConfig' DESC 'LDIF backend conf + iguration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory ) +olcObjectClasses: ( OLcfgDbOc:1.2 NAME 'olcHdbConfig' DESC 'HDB backend config + uration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory MAY ( olcDbCach + eSize $ olcDbCheckpoint $ olcDbConfig $ olcDbCryptFile $ olcDbCryptKey $ olcD + bNoSync $ olcDbDirtyRead $ olcDbIDLcacheSize $ olcDbIndex $ olcDbLinearIndex + $ olcDbLockDetect $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbCacheFr + ee $ olcDbDNcacheSize $ olcDbPageSize ) ) +olcObjectClasses: ( OLcfgOvOc:1.1 NAME 'olcSyncProvConfig' DESC 'SyncRepl Prov + ider configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcSpCheckpoint $ o + 
lcSpSessionlog $ olcSpNoPresent $ olcSpReloadHint ) ) +olcObjectClasses: ( 1.3.6.1.4.1.4203.666.3.16.1 NAME 'monitor' DESC 'OpenLDAP + system monitoring' SUP top STRUCTURAL MUST cn MAY ( description $ seeAlso $ l + abeledURI $ monitoredInfo $ managedInfo $ monitorOverlay ) ) +olcObjectClasses: ( 1.3.6.1.4.1.4203.666.3.16.2 NAME 'monitorServer' DESC 'Ser + ver monitoring root entry' SUP monitor STRUCTURAL ) +olcObjectClasses: ( 1.3.6.1.4.1.4203.666.3.16.3 NAME 'monitorContainer' DESC ' + monitor container class' SUP monitor STRUCTURAL ) +olcObjectClasses: ( 1.3.6.1.4.1.4203.666.3.16.4 NAME 'monitorCounterObject' DE + SC 'monitor counter class' SUP monitor STRUCTURAL ) +olcObjectClasses: ( 1.3.6.1.4.1.4203.666.3.16.5 NAME 'monitorOperation' DESC ' + monitor operation class' SUP monitor STRUCTURAL ) +olcObjectClasses: ( 1.3.6.1.4.1.4203.666.3.16.6 NAME 'monitorConnection' DESC + 'monitor connection class' SUP monitor STRUCTURAL ) +olcObjectClasses: ( 1.3.6.1.4.1.4203.666.3.16.7 NAME 'managedObject' DESC 'mon + itor managed entity class' SUP monitor STRUCTURAL ) +olcObjectClasses: ( 1.3.6.1.4.1.4203.666.3.16.8 NAME 'monitoredObject' DESC 'm + onitor monitored entity class' SUP monitor STRUCTURAL ) +olcObjectClasses: ( OLcfgDbOc:4.1 NAME 'olcMonitorConfig' DESC 'Monitor backen + d configuration' SUP olcDatabaseConfig STRUCTURAL ) +olcObjectClasses: ( OLcfgOvOc:15.1 NAME 'olcAuditlogConfig' DESC 'Auditlog con + figuration' SUP olcOverlayConfig STRUCTURAL MAY olcAuditlogFile ) +olcObjectClasses: ( OLcfgOvOc:10.1 NAME 'olcUniqueConfig' DESC 'Attribute valu + e uniqueness configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcUniqueBa + se $ olcUniqueIgnore $ olcUniqueAttribute $ olcUniqueStrict $ olcUniqueURI ) + ) +olcObjectClasses: ( OLcfgOvOc:12.1 NAME 'olcPPolicyConfig' DESC 'Password Poli + cy configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcPPolicyDefault $ o + lcPPolicyHashCleartext $ olcPPolicyUseLockout $ olcPPolicyForwardUpdates ) ) +olcObjectClasses: ( 
olmBDBObjectClasses:1 NAME 'olmBDBDatabase' SUP top AUXILI + ARY MAY ( olmBDBEntryCache $ olmBDBDNCache $ olmBDBIDLCache $ olmDbDirectory + ) ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.1 DESC 'ACI Item' X-BINARY-TRANS + FER-REQUIRED 'TRUE' X-NOT-HUMAN-READABLE 'TRUE' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.2 DESC 'Access Point' X-NOT-HUMA + N-READABLE 'TRUE' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.3 DESC 'Attribute Type Descripti + on' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.4 DESC 'Audio' X-NOT-HUMAN-READA + BLE 'TRUE' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.5 DESC 'Binary' X-NOT-HUMAN-READ + ABLE 'TRUE' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.6 DESC 'Bit String' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.7 DESC 'Boolean' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'Certificate' X-BINARY-TR + ANSFER-REQUIRED 'TRUE' X-NOT-HUMAN-READABLE 'TRUE' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.9 DESC 'Certificate List' X-BINA + RY-TRANSFER-REQUIRED 'TRUE' X-NOT-HUMAN-READABLE 'TRUE' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.10 DESC 'Certificate Pair' X-BIN + ARY-TRANSFER-REQUIRED 'TRUE' X-NOT-HUMAN-READABLE 'TRUE' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.4203.666.11.10.2.1 DESC 'X.509 AttributeCertifi + cate' X-BINARY-TRANSFER-REQUIRED 'TRUE' X-NOT-HUMAN-READABLE 'TRUE' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.12 DESC 'Distinguished Name' ) +olcLdapSyntaxes: ( 1.2.36.79672281.1.5.0 DESC 'RDN' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.13 DESC 'Data Quality' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.14 DESC 'Delivery Method' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.15 DESC 'Directory String' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.16 DESC 'DIT Content Rule Descri + ption' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.17 DESC 'DIT Structure Rule Desc + ription' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.19 DESC 'DSA Quality' ) +olcLdapSyntaxes: ( 
1.3.6.1.4.1.1466.115.121.1.20 DESC 'DSE Type' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.21 DESC 'Enhanced Guide' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.22 DESC 'Facsimile Telephone Num + ber' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.23 DESC 'Fax' X-NOT-HUMAN-READAB + LE 'TRUE' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.24 DESC 'Generalized Time' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.25 DESC 'Guide' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.26 DESC 'IA5 String' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.27 DESC 'Integer' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.28 DESC 'JPEG' X-NOT-HUMAN-READA + BLE 'TRUE' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.29 DESC 'Master And Shadow Acces + s Points' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.30 DESC 'Matching Rule Descripti + on' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.31 DESC 'Matching Rule Use Descr + iption' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.32 DESC 'Mail Preference' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.33 DESC 'MHS OR Address' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.34 DESC 'Name And Optional UID' + ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.35 DESC 'Name Form Description' + ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.36 DESC 'Numeric String' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.37 DESC 'Object Class Descriptio + n' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.38 DESC 'OID' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.39 DESC 'Other Mailbox' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.40 DESC 'Octet String' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.41 DESC 'Postal Address' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.42 DESC 'Protocol Information' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.43 DESC 'Presentation Address' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.44 DESC 'Printable String' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.11 
DESC 'Country String' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.45 DESC 'SubtreeSpecification' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.49 DESC 'Supported Algorithm' X- + BINARY-TRANSFER-REQUIRED 'TRUE' X-NOT-HUMAN-READABLE 'TRUE' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.50 DESC 'Telephone Number' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.51 DESC 'Teletex Terminal Identi + fier' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.52 DESC 'Telex Number' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.54 DESC 'LDAP Syntax Description + ' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.55 DESC 'Modify Rights' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.56 DESC 'LDAP Schema Definition' + ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.57 DESC 'LDAP Schema Description + ' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.58 DESC 'Substring Assertion' ) +olcLdapSyntaxes: ( 1.3.6.1.1.1.0.0 DESC 'RFC2307 NIS Netgroup Triple' ) +olcLdapSyntaxes: ( 1.3.6.1.1.1.0.1 DESC 'RFC2307 Boot Parameter' ) +olcLdapSyntaxes: ( 1.3.6.1.1.15.1 DESC 'Certificate Exact Assertion' ) +olcLdapSyntaxes: ( 1.3.6.1.1.15.2 DESC 'Certificate Assertion' ) +olcLdapSyntaxes: ( 1.3.6.1.1.15.3 DESC 'Certificate Pair Exact Assertion' ) +olcLdapSyntaxes: ( 1.3.6.1.1.15.4 DESC 'Certificate Pair Assertion' ) +olcLdapSyntaxes: ( 1.3.6.1.1.15.5 DESC 'Certificate List Exact Assertion' ) +olcLdapSyntaxes: ( 1.3.6.1.1.15.6 DESC 'Certificate List Assertion' ) +olcLdapSyntaxes: ( 1.3.6.1.1.15.7 DESC 'Algorithm Identifier' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.4203.666.11.10.2.2 DESC 'AttributeCertificate E + xact Assertion' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.4203.666.11.10.2.3 DESC 'AttributeCertificate A + ssertion' ) +olcLdapSyntaxes: ( 1.3.6.1.1.16.1 DESC 'UUID' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.4203.666.11.2.1 DESC 'CSN' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.4203.666.11.2.4 DESC 'CSN SID' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.4203.1.1.1 DESC 'OpenLDAP void' ) +olcLdapSyntaxes: ( 
1.3.6.1.4.1.4203.666.2.7 DESC 'OpenLDAP authz' ) +olcLdapSyntaxes: ( 1.3.6.1.4.1.4203.666.2.1 DESC 'OpenLDAP Experimental ACI' ) +structuralObjectClass: olcSchemaConfig +creatorsName: cn=config +createTimestamp: @@@TIMESTAMP@@@Z +entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000 +modifiersName: cn=config +modifyTimestamp: @@@TIMESTAMP@@@Z diff --git a/confskel/openldap/skel.ldif b/confskel/openldap/skel.ldif index da66b0a..34d615b 100644 --- a/confskel/openldap/skel.ldif +++ b/confskel/openldap/skel.ldif @@ -211,8 +211,8 @@ ou: Administrative sn: Administrator title: Administrator uid: @@@ADMINUSER@@@ -userPassword: {SHA}@@@ADMINPW_SHA@@@ uidNumber: 999 +userPassword: {SASL}@@@ADMINUSER@@@@@@@REALM_UCNAME@@@ tdeBuiltinAccount: TRUE emsmodules: kerberos emsmodules: posix diff --git a/confskel/sasl/saslauthd.defaults b/confskel/sasl/saslauthd.defaults new file mode 100644 index 0000000..c6277d6 --- /dev/null +++ b/confskel/sasl/saslauthd.defaults 
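Review bot: Replacing the `{SHA}` hash with `userPassword: {SASL}@@@ADMINUSER@@@@@@@REALM_UCNAME@@@` makes every simple bind to the built-in admin entry a pass-through to saslauthd and the KDC, and leaves no locally verifiable credential; if the KDC's own database is served out of this directory (the kdc.conf in this change points `dbname` at an ldap: backend), nothing can authenticate as the admin while Kerberos is down, so provisioning and recovery need a break-glass path such as olcRootPW or a second administrative entry with a local hash. A simple bind against a `{SASL}` value still sends the cleartext password to slapd, so it should only be accepted over TLS or ldapi; the olcSecurity/ssf setting that would enforce that is not in this hunk, so I cannot confirm it is present. The seven-`@` run is a literal `@` between the two placeholders and expands to user@REALM, which is easy to misread as a broken token; a comment above the attribute, `# {SASL}: bind is verified by saslauthd/KDC, not locally - keep a break-glass credential`, would spare the next reader that parse.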
@@ -0,0 +1,54 @@
+#
+# TDE settings for saslauthd daemon
+#
+
+# Should saslauthd run automatically on startup? (default: no)
+START=yes
+
+# Description of this saslauthd instance. Recommended.
+# (suggestion: SASL Authentication Daemon)
+DESC="SASL Authentication Daemon"
+
+# Short name of this saslauthd instance. Strongly recommended.
+# (suggestion: saslauthd)
+NAME="saslauthd"
+
+# Which authentication mechanisms should saslauthd use? (default: pam)
+#
+# Available options in this Debian package:
+# getpwent -- use the getpwent() library function
+# kerberos5 -- use Kerberos 5
+# pam -- use PAM
+# rimap -- use a remote IMAP server
+# shadow -- use the local shadow password file
+# sasldb -- use the local sasldb database file
+# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
+#
+# Only one option may be used at a time. See the saslauthd man page
+# for more information.
+#
+# Example: MECHANISMS="pam"
+MECHANISMS="kerberos5"
+
+# Additional options for this mechanism. (default: none)
+# See the saslauthd man page for information about mech-specific options.
+MECH_OPTIONS=""
+
+# How many saslauthd processes should we run? (default: 5)
+# A value of 0 will fork a new process for each connection.
+THREADS=5
+
+# Other options (default: -c -m /var/run/saslauthd)
+# Note: You MUST specify the -m option or saslauthd won't run!
+#
+# WARNING: DO NOT SPECIFY THE -d OPTION.
+# The -d option will cause saslauthd to run in the foreground instead of as
+# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
+# to run saslauthd in debug mode, please run it by hand to be safe.
+#
+# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
+# See the saslauthd man page and the output of 'saslauthd -h' for general
+# information about these options.
+#
+# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
+OPTIONS="-c -m /var/run/saslauthd"
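Review bot: `OPTIONS="-c -m /var/run/saslauthd"` keeps the Debian default credential cache on, so a password that saslauthd has verified once keeps authenticating for the cache lifetime even after it is changed or the principal is disabled in the KDC, which is the wrong trade for the realm's administrative accounts this change routes through it; either drop `-c` or pass an explicit short `-t` timeout and say so in the comment above the line. As I understand the kerberos5 backend, it can only detect a spoofed KDC when it can check the obtained ticket against a readable host keytab, so this daemon must not be started before the host keytab exists; this file cannot express that ordering, so at minimum document it next to `MECHANISMS="kerberos5"`: `# kerberos5 needs a readable host keytab to verify the KDC; start only after the realm is provisioned`. The rest of the file is the stock Debian template and needs no change.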
diff --git a/confskel/sasl/slapd.conf b/confskel/sasl/slapd.conf new file mode 100644 index 0000000..f89c483 --- /dev/null +++ b/confskel/sasl/slapd.conf @@ -0,0 +1,4 @@ +#mech_list: GSSAPI EXTERNAL +#mech_list: PLAIN LOGIN GSSAPI EXTERNAL +pwcheck_method: saslauthd +saslauthd_path: /var/run/saslauthd/mux diff --git a/debian/control b/debian/control index c8eca75..f597450 100644 --- a/debian/control +++ b/debian/control @@ -7,6 +7,6 @@ Standards-Version: 3.8.4 Package: kcontrol-ldap-controller-trinity Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, heimdal-clients, heimdal-kdc, slapd +Depends: ${shlibs:Depends}, ${misc:Depends}, heimdal-clients, heimdal-kdc, slapd, libsasl2-modules-gssapi-heimdal, sasl2-bin Description: LDAP realm controller module for the TDE control center LDAP Controller is a TDE control center module to configure an LDAP Realm Controller diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp index 3f553be..3d679a0 100644 --- a/src/ldapcontroller.cpp +++ b/src/ldapcontroller.cpp @@ -21,6 +21,7 @@ #include #include #include +#include #include @@ -54,6 +55,15 @@ // FIXME // Connect this to CMake/Automake #define KDE_CONFDIR "/etc/trinity" +#define LDAP_KEYTAB_FILE "/etc/ldap/ldap.keytab" + +// FIXME +// This assumes Debian! +// RedHat would be "/etc/sysconfig/ldap" +#define LDAP_DEFAULT_FILE "/etc/default/slapd" +#define HEIMDAL_DEFAULT_FILE "/etc/default/heimdal-kdc" +#define SASL_DEFAULT_FILE "/etc/default/saslauthd" +#define SASL_CONTROL_FILE "/etc/ldap/sasl2/slapd.conf" #define ROLE_WORKSTATION 0 #define ROLE_REALM_CONTROLLER 1 @@ -93,6 +103,11 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin m_fqdn = getMachineFQDN(); + // FIXME + // This assumes Debian! + m_ldapUserName = "openldap"; + m_ldapGroupName = "openldap"; + load(); if (getuid() != 0 || !m_systemconfig->checkConfigFilesWritable( true )) { 
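Review bot: With both `mech_list` lines commented out, slapd will advertise every SASL mechanism the installed plugin set provides, but `pwcheck_method: saslauthd` can only verify plaintext mechanisms: shared-secret ones such as DIGEST-MD5 or CRAM-MD5 have no secret to check against and will simply fail, while PLAIN and LOGIN are offered even on an unencrypted connection unless slapd's olcSecurity (not in this diff) forbids it. Restrict the list to what this deployment actually supports, `mech_list: GSSAPI EXTERNAL PLAIN`, and require a confidentiality SSF for PLAIN on the slapd side; if the commented alternatives are kept as documentation, a one-line comment saying which one is intended and why would help.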
@@ -230,7 +245,7 @@ void LDAPController::save() { load(); } -void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, int ldifSchemaNumber=-1, uid_t userid=-1, gid_t groupid=-1) { +void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, int ldifSchemaNumber=-1, uid_t userid=-1, gid_t groupid=-1, TQString ldapusername=TQString::null, TQString ldapgroupname=TQString::null) { SHA1 sha; sha.process(rootPassword, strlen(rootPassword)); TQString rootpw_hash = sha.base64Hash(); @@ -280,6 +295,9 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi line.replace("@@@REALM_SIMPLE_CP_NAME@@@", simpledcnamecap); line.replace("@@@REALM_SIMPLE_LC_NAME@@@", simpledcname.lower()); line.replace("@@@TIMESTAMP@@@", timestamp); + line.replace("@@@LDAP_KEYTAB_FILE@@@", LDAP_KEYTAB_FILE); + line.replace("@@@LDAP_USER_NAME@@@", ldapusername); + line.replace("@@@LDAP_GROUP_NAME@@@", ldapgroupname); if (ldifSchemaNumber >= 0) { line.replace("@@@LDIFSCHEMANUMBER@@@", TQString("%1").arg(ldifSchemaNumber)); } 
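Review bot: `line.replace("@@@LDAP_USER_NAME@@@", ldapusername)` and the group line run even when the new parameters are left at their `TQString::null` default, so any caller not updated for the new signature gets the placeholder replaced by an empty string — a blank user or group name silently written into a generated config rather than a template token that would be noticed; the `ldifSchemaNumber >= 0` guard directly below shows the intended pattern. Guard both substitutions the same way: `if (!ldapusername.isNull()) line.replace("@@@LDAP_USER_NAME@@@", ldapusername);` and `if (!ldapgroupname.isNull()) line.replace("@@@LDAP_GROUP_NAME@@@", ldapgroupname);`. replacePlaceholdersInFile starts and ends outside this hunk.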
@@ -294,18 +312,38 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi } } else { - KMessageBox::error(0, i18n("Unable to open output schema file %1 for writing").arg(infile), i18n("Internal Failure")); + //KMessageBox::error(0, i18n("Unable to open output schema file %1 for writing").arg(outfile), i18n("Internal Failure")); + printf("[INTERNAL FAILURE] Unable to open output schema file %s for writing\n\r", outfile.ascii()); fflush(stdout); } } else { - KMessageBox::error(0, i18n("Unable to open template schema file %1").arg(infile), i18n("Internal Failure")); + //KMessageBox::error(0, i18n("Unable to open template schema file %1").arg(infile), i18n("Internal Failure")); + printf("[INTERNAL FAILURE] Unable to open template schema file %s\n\r", infile.ascii()); fflush(stdout); } // Keep UI responsive tqApp->processEvents(); } -int LDAPController::controlHeimdalServer(sc_command command) { +int LDAPController::controlSASLServer(sc_command command) { + if (command == SC_START) { + // FIXME + // This assumes Debian! + return system("/etc/init.d/saslauthd start"); + } + if (command == SC_STOP) { + // FIXME + // This assumes Debian! + return system("/etc/init.d/saslauthd stop"); + } + if (command == SC_RESTART) { + // FIXME + // This assumes Debian! + return system("/etc/init.d/saslauthd restart"); + } +} + +int LDAPController::controlHeimdalServer(sc_command command, uid_t userid, gid_t groupid) { if (command == SC_START) { // FIXME // This assumes Debian! 
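Review bot: `controlSASLServer` falls off the end of a non-void function when `command` is anything other than SC_START/SC_STOP/SC_RESTART, which is undefined behaviour and inconsistent with `controlLDAPServer`, which closes with `return -2;`. Add `return -2;` after the last `if` so that an unsupported command (SC_PURGE, SC_SETDBPERMS) reports failure instead of returning garbage. The error paths above it now print with `printf` to stdout in place of the KMessageBox, so the failure is only visible when the module is run from a terminal; stderr would at least be the conventional sink, though I cannot see how the rest of the module logs. The `controlHeimdalServer` definition that begins at the end of this hunk continues past it.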
@@ -321,6 +359,22 @@ int LDAPController::controlHeimdalServer(sc_command command) { // This assumes Debian! return system("/etc/init.d/heimdal-kdc restart"); } + if (command == SC_PURGE) { + controlHeimdalServer(SC_STOP); + system("rm -f " + TQString(LDAP_KEYTAB_FILE)); + // FIXME + // This assumes Debian + system("rm -f /etc/krb5.keytab"); + system("rm -rf /var/lib/heimdal-kdc/*"); + } + if (command == SC_SETDBPERMS) { + if ((userid > 0) && (groupid > 0)) { + TQString command; + command = TQString("chgrp %1 " + TQString(LDAP_KEYTAB_FILE)).arg(groupid); + system(command.ascii()); + chmod(LDAP_KEYTAB_FILE, S_IRUSR|S_IWUSR|S_IRGRP); + } + } } int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t groupid) { @@ -344,7 +398,7 @@ int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t gr // FIXME // This assumes Debian! system("rm -rf /var/lib/ldap/*"); - system("rm -rf /etc/ldap/slapd.d/cn=config/cn=schema/*"); + system("rm -rf /etc/ldap/slapd.d/*"); } if (command == SC_SETDBPERMS) { if ((userid > 0) && (groupid > 0)) { @@ -355,6 +409,10 @@ int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t gr system(command.ascii()); command = TQString("chgrp -R %1 /var/lib/ldap/*").arg(groupid); system(command.ascii()); + command = TQString("chown -R %1 /etc/ldap/slapd.d/*").arg(userid); + system(command.ascii()); + command = TQString("chgrp -R %1 /etc/ldap/slapd.d/*").arg(groupid); + system(command.ascii()); } } return -2; 
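Review bot: The `SC_SETDBPERMS` guard `(userid > 0) && (groupid > 0)` does not reject the `-1` defaults declared in the header: `uid_t`/`gid_t` are unsigned on glibc, so `(uid_t)-1` compares greater than zero and `chgrp 4294967295 /etc/ldap/ldap.keytab` would be attempted if the function were ever called without explicit ids. Compare against the sentinel instead, `if (userid != (uid_t)-1 && groupid != (gid_t)-1)`, and apply the same change to the identical guard in `controlLDAPServer` below. The function also has no `return` on the new SC_PURGE/SC_SETDBPERMS paths, so like `controlLDAPServer` it should end with `return -2;`. Inside SC_PURGE the result of `controlHeimdalServer(SC_STOP)` is discarded, so both keytabs and `/var/lib/heimdal-kdc/*` are deleted even when the KDC could not be stopped.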
@@ -421,6 +479,225 @@ int LDAPController::initializeNewKerberosRealm(TQString realmName, TQString *err return 1; // Failure } +int LDAPController::addHostEntryToKerberosRealm(TQString kerberosHost, TQString *errstr) { + TQCString command = "kadmin"; + QCStringList args; + args << TQCString("-l"); + + TQString hoststring = "host/"+kerberosHost; + + TQString prompt; + PtyProcess kadminProc; + kadminProc.exec(command, args); + prompt = kadminProc.readLine(true); + prompt = prompt.stripWhiteSpace(); + if (prompt == "kadmin>") { + kadminProc.writeLine(TQCString("ext "+hoststring), true); + prompt = kadminProc.readLine(true); // Discard our own input + prompt = readFullLineFromPtyProcess(&kadminProc); + prompt = prompt.stripWhiteSpace(); + if (prompt.contains("authentication failed")) { + if (errstr) *errstr = prompt; + kadminProc.writeLine("quit", true); + return 1; + } + else if (prompt.endsWith("Principal does not exist")) { + kadminProc.writeLine(TQCString("ank --random-key "+hoststring), true); + prompt = kadminProc.readLine(true); // Discard our own input + prompt = readFullLineFromPtyProcess(&kadminProc); + prompt = prompt.stripWhiteSpace(); + // Use all defaults + while (prompt != "kadmin>") { + if (prompt.contains("authentication failed")) { + if (errstr) *errstr = prompt; + kadminProc.writeLine("quit", true); + return 1; + } + else { + // Extract whatever default is in the [brackets] and feed it back to kadmin + TQString defaultParam; + int leftbracket = prompt.find("["); + int rightbracket = prompt.find("]"); + if ((leftbracket >= 0) && (rightbracket >= 0)) { + leftbracket++; + defaultParam = prompt.mid(leftbracket, rightbracket-leftbracket); + } + kadminProc.writeLine(TQCString(defaultParam), true); + prompt = kadminProc.readLine(true); // Discard our own input + prompt = kadminProc.readLine(true); + prompt = prompt.stripWhiteSpace(); + } + } + kadminProc.writeLine(TQCString("ext "+hoststring), true); + prompt = kadminProc.readLine(true); // Discard our own 
input + prompt = readFullLineFromPtyProcess(&kadminProc); + prompt = prompt.stripWhiteSpace(); + if (prompt != "kadmin>") { + if (errstr) *errstr = prompt; + kadminProc.writeLine("quit", true); + return 1; + } + + // Success! + kadminProc.writeLine("quit", true); + return 0; + } + else if (prompt == "kadmin>") { + // Success! + kadminProc.writeLine("quit", true); + return 0; + } + + // Failure + if (errstr) *errstr = prompt; + kadminProc.writeLine("quit", true); + return 1; + } + + if (errstr) *errstr = "Internal error. Verify that kadmin exists and can be executed."; + return 1; // Failure +} + +int LDAPController::addLDAPEntryToKerberosRealm(TQString ldapProcessOwnerName, TQString ldapHost, TQString *errstr) { + TQCString command = "kadmin"; + QCStringList args; + args << TQCString("-l"); + + TQString hoststring = ldapProcessOwnerName+"/"+ldapHost; + + TQString prompt; + PtyProcess kadminProc; + kadminProc.exec(command, args); + prompt = kadminProc.readLine(true); + prompt = prompt.stripWhiteSpace(); + if (prompt == "kadmin>") { + kadminProc.writeLine(TQCString("ext --keytab="+TQString(LDAP_KEYTAB_FILE)+" "+hoststring), true); + prompt = kadminProc.readLine(true); // Discard our own input + prompt = readFullLineFromPtyProcess(&kadminProc); + prompt = prompt.stripWhiteSpace(); + if (prompt.contains("authentication failed")) { + if (errstr) *errstr = prompt; + kadminProc.writeLine("quit", true); + return 1; + } + else if (prompt.endsWith("Principal does not exist")) { + kadminProc.writeLine(TQCString("ank --random-key "+hoststring), true); + prompt = kadminProc.readLine(true); // Discard our own input + prompt = readFullLineFromPtyProcess(&kadminProc); + prompt = prompt.stripWhiteSpace(); + // Use all defaults + while (prompt != "kadmin>") { + if (prompt.contains("authentication failed")) { + if (errstr) *errstr = prompt; + kadminProc.writeLine("quit", true); + return 1; + } + else { + // Extract whatever default is in the [brackets] and feed it back to kadmin + 
TQString defaultParam; + int leftbracket = prompt.find("["); + int rightbracket = prompt.find("]"); + if ((leftbracket >= 0) && (rightbracket >= 0)) { + leftbracket++; + defaultParam = prompt.mid(leftbracket, rightbracket-leftbracket); + } + kadminProc.writeLine(TQCString(defaultParam), true); + prompt = kadminProc.readLine(true); // Discard our own input + prompt = kadminProc.readLine(true); + prompt = prompt.stripWhiteSpace(); + } + } + kadminProc.writeLine(TQCString("ext --keytab="+TQString(LDAP_KEYTAB_FILE)+" "+hoststring), true); + prompt = kadminProc.readLine(true); // Discard our own input + prompt = readFullLineFromPtyProcess(&kadminProc); + prompt = prompt.stripWhiteSpace(); + if (prompt != "kadmin>") { + if (errstr) *errstr = prompt; + kadminProc.writeLine("quit", true); + return 1; + } + + // Success! + kadminProc.writeLine("quit", true); + return 0; + } + else if (prompt == "kadmin>") { + // Success! + kadminProc.writeLine("quit", true); + return 0; + } + + // Failure + if (errstr) *errstr = prompt; + kadminProc.writeLine("quit", true); + return 1; + } + + if (errstr) *errstr = "Internal error. 
Verify that kadmin exists and can be executed."; + return 1; // Failure +} + +int LDAPController::setKerberosPasswordForUser(LDAPCredentials user, TQString *errstr) { + if (user.password == "") { + return 0; + } + + TQCString command = "kadmin"; + QCStringList args; + args << TQCString("-l") << TQCString("-r") << TQCString(user.realm.upper()); + + TQString prompt; + PtyProcess kadminProc; + kadminProc.exec(command, args); + prompt = kadminProc.readLine(true); + prompt = prompt.stripWhiteSpace(); + if (prompt == "kadmin>") { + kadminProc.writeLine(TQCString("passwd "+user.username), true); + prompt = kadminProc.readLine(true); // Discard our own input + prompt = readFullLineFromPtyProcess(&kadminProc); + prompt = prompt.stripWhiteSpace(); + if (prompt.contains("authentication failed")) { + if (errstr) *errstr = prompt; + kadminProc.writeLine("quit", true); + return 1; + } + else if ((prompt.endsWith(" Password:")) && (prompt.startsWith(TQString(user.username + "@")))) { + kadminProc.writeLine(user.password, true); + prompt = kadminProc.readLine(true); // Discard our own input + prompt = kadminProc.readLine(true); + prompt = prompt.stripWhiteSpace(); + if ((prompt.endsWith(" Password:")) && (prompt.startsWith("Verify"))) { + kadminProc.writeLine(user.password, true); + prompt = kadminProc.readLine(true); // Discard our own input + prompt = kadminProc.readLine(true); + prompt = prompt.stripWhiteSpace(); + } + if (prompt != "kadmin>") { + if (errstr) *errstr = prompt; + kadminProc.writeLine("quit", true); + return 1; + } + + // Success! + kadminProc.writeLine("quit", true); + return 0; + } + else if (prompt == "kadmin>") { + // Success! + kadminProc.writeLine("quit", true); + return 0; + } + + // Failure + if (errstr) *errstr = prompt; + kadminProc.writeLine("quit", true); + return 1; + } + + if (errstr) *errstr = "Internal error. 
Verify that kadmin exists and can be executed."; + return 1; // Failure +} + int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, TQString *errstr) { int ldifSchemaNumber; @@ -449,6 +726,12 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME pdialog.setStatusMessage(i18n("Stopping servers...")); + // Stop SASL + if (controlSASLServer(SC_STOP) != 0) { + if (errstr) *errstr = i18n("Unable to stop SASL server"); + pdialog.closeDialog(); + return -1; + } // Stop Heimdal if (controlHeimdalServer(SC_STOP) != 0) { if (errstr) *errstr = i18n("Unable to stop Kerberos server"); @@ -464,6 +747,7 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME pdialog.setStatusMessage(i18n("Purging existing LDAP database...")); tqApp->processEvents(); + controlHeimdalServer(SC_PURGE); controlLDAPServer(SC_PURGE); pdialog.setStatusMessage(i18n("Installing new LDAP schema...")); 
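Review bot: `addHostEntryToKerberosRealm`, `addLDAPEntryToKerberosRealm` and `setKerberosPasswordForUser` splice `kerberosHost`, `ldapProcessOwnerName`/`ldapHost` and `user.username` straight into kadmin command lines (`"ext "+hoststring`, `"passwd "+user.username`) that are fed through a pty to `kadmin -l`, i.e. with direct database access. A value containing whitespace or a newline would be read by kadmin as extra arguments or a second command; the strings come from the realm wizard and the module only runs as root, so the exposure is limited, but a guard such as `if (hoststring.contains(TQRegExp("\\s"))) { if (errstr) *errstr = "Invalid principal name"; return 1; }` before `exec` would make the failure explicit. The two `add*EntryToKerberosRealm` functions are otherwise line-for-line identical apart from the `--keytab=` argument and would be clearer as one helper taking the principal and an optional keytab path. The default-answer loop also writes an empty line whenever a prompt carries no `[default]`, and with `readLine(true)` presumably blocking there is nothing to break out if kadmin keeps re-prompting.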
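Review bot: `controlHeimdalServer(SC_PURGE)` is issued before any new realm data exists and, per its definition earlier in this diff, removes `/etc/krb5.keytab`, `/etc/ldap/ldap.keytab` and `/var/lib/heimdal-kdc/*`; if any later step of `createNewLDAPRealm` fails the host is left with neither its old nor a new KDC database and keytabs. Its return value is ignored as well, unlike the stop calls just above (and the function currently has no return on that path). Moving the existing files aside into a backup directory instead of deleting them, or at least checking the result, would make the failure recoverable; the enclosing function starts before this hunk and ends after it.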
@@ -475,24 +759,60 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME mkdir(TQString(destDir + "ldap/slapd.d/cn=config").ascii(), S_IRUSR|S_IWUSR|S_IXUSR); mkdir(TQString(destDir + "ldap/slapd.d/cn=config/cn=schema").ascii(), S_IRUSR|S_IWUSR|S_IXUSR); - replacePlaceholdersInFile(templateDir + "heimdal/heimdal.defaults", destDir + "heimdal.defaults", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); + // Heimdal + replacePlaceholdersInFile(templateDir + "heimdal/heimdal.defaults", HEIMDAL_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); replacePlaceholdersInFile(templateDir + "heimdal/kadmind.acl", destDir + "heimdal-kdc/kadmind.acl", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); replacePlaceholdersInFile(templateDir + "heimdal/kdc.conf", destDir + "heimdal-kdc/kdc.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); replacePlaceholdersInFile(templateDir + "heimdal/krb5.conf", destDir + "krb5.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); +// RAJA DEBUG +// if (system("kstash --random-key") != 0) { +// if (errstr) *errstr = i18n("Unable to create Kerberos foundational key"); +// pdialog.closeDialog(); +// return -1; +// } + + // OpenLDAP replacePlaceholdersInFile(templateDir + "openldap/skel.ldif", configTempDir.name() + "skel.ldif", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); // replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.conf", destDir + "ldap/slapd.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); - replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.defaults", 
destDir + "ldap/slapd.defaults", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); + replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.defaults", LDAP_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, -1, -1, -1, m_ldapUserName, m_ldapGroupName); + + // SASL + replacePlaceholdersInFile(templateDir + "sasl/saslauthd.defaults", SASL_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); + replacePlaceholdersInFile(templateDir + "sasl/slapd.conf", SASL_CONTROL_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); + + // FIXME + // This assumes Debian! + // Grant LDAP access to SASL mux pipe + system("dpkg-statoverride --remove --quiet /var/run/saslauthd"); + system(TQString("dpkg-statoverride --add root %1 710 /var/run/saslauthd").arg(m_ldapGroupName).ascii()); + + // FIXME + // This assumes Debian! + system("ln -s /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc/kadmind.acl"); + system("ln -s /etc/heimdal-kdc/kdc.conf /var/lib/heimdal-kdc/kdc.conf"); struct stat sb; uid_t slapd_uid = 0; gid_t slapd_gid = 0; - if (stat(destDir + "ldap/slapd.d/cn=config/cn=schema", &sb) == 0) { - slapd_uid = sb.st_uid; - slapd_gid = sb.st_gid; - } + + // Get LDAP user uid/gid + struct passwd *pwd; + pwd = getpwnam(m_ldapUserName); + slapd_uid = pwd->pw_uid; + slapd_gid = pwd->pw_gid; + +// RAJA FIXME +// SECURITY +// The ldapi:/// socket in /var/run/ldap is world readable/writable +// This means anyone with access to the server running LDAP can dump the KRB5 keys!!!! 
// Base database configuration + replacePlaceholdersInFile(templateDir + "openldap/ldif/config.ldif", destDir + "ldap/slapd.d/" + TQString("cn=config.ldif"), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, -1, slapd_uid, slapd_gid); + replacePlaceholdersInFile(templateDir + "openldap/ldif/schema.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("cn=schema.ldif"), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, -1, slapd_uid, slapd_gid); + ldifSchemaNumber = 0; + replacePlaceholdersInFile(templateDir + "openldap/ldif/olcConfig.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}config.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid); + replacePlaceholdersInFile(templateDir + "openldap/ldif/moduleConfig.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("cn=module{%1}.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid); ldifSchemaNumber = 1; replacePlaceholdersInFile(templateDir + "openldap/ldif/olcDatabase.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}hdb.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid); @@ -565,11 +885,31 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME TQString errorstring; if (initializeNewKerberosRealm(realmconfig.name.upper(), &errorstring) != 0) { - if (errstr) *errstr = i18n("Unable to initialize Kerberos database
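Review bot: `pwd = getpwnam(m_ldapUserName); slapd_uid = pwd->pw_uid;` dereferences the result without a NULL check, so a host without an `openldap` account (the name is hard-coded a few hunks earlier with a Debian FIXME) crashes the control module instead of reporting an error, whereas the `stat` code this replaces at least fell back to uid 0. Guard it: `if (!pwd) { if (errstr) *errstr = i18n("Unable to look up LDAP user"); pdialog.closeDialog(); return -1; }` — and note `getpwnam` takes `const char*`, so the TQString presumably passes through the implicit ascii conversion. The `ln -s` and `dpkg-statoverride` calls discard their exit codes, and with `kstash --random-key` commented out no master-key stash is created here; whether the KDC starts without one depends on the Heimdal setup and is not visible in this diff. The `RAJA FIXME SECURITY` note about the world-readable/writable ldapi socket is the most important open item in this change: whether a local user can actually read the Kerberos key material depends on the olcAccess rules in the ldif templates, which are not part of this diff, but it should be resolved before this ships. `createNewLDAPRealm`, which encloses this hunk, begins and ends outside it.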

").append(errorstring); + if (errstr) *errstr = i18n("Unable to initialize Kerberos database").append(errorstring); pdialog.closeDialog(); return -1; } + if (addHostEntryToKerberosRealm(realmconfig.kdc, &errorstring) != 0) { + if (errstr) *errstr = i18n("Unable to add KDC server entry to Kerberos database").arg(m_ldapUserName).append(errorstring); + pdialog.closeDialog(); + return -1; + } + + if (addLDAPEntryToKerberosRealm(m_ldapUserName, realmconfig.admin_server, &errorstring) != 0) { + if (errstr) *errstr = i18n("Unable to add %1 entry to Kerberos database").arg(m_ldapUserName).append(errorstring); + pdialog.closeDialog(); + return -1; + } + + if (addLDAPEntryToKerberosRealm("ldap", realmconfig.admin_server, &errorstring) != 0) { + if (errstr) *errstr = i18n("Unable to add LDAP entry to Kerberos database").append(errorstring); + pdialog.closeDialog(); + return -1; + } + + controlHeimdalServer(SC_SETDBPERMS, slapd_uid, slapd_gid); + // Move all those new Heimdal entries to the correct tree/branch TQStringList domainChunks = TQStringList::split(".", realmconfig.name.lower()); TQString basedcname = "dc=" + domainChunks.join(",dc="); @@ -588,6 +928,20 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME delete ldap_mgr; delete credentials; + // Set @@@ADMINUSER@@@ password in kadmin + LDAPCredentials adminuser; + adminuser.username = adminUserName; + adminuser.password = adminPassword; + adminuser.realm = realmconfig.name.upper(); + if (setKerberosPasswordForUser(adminuser, &errorstring) != 0) { + if (errstr) *errstr = i18n("Unable to set user password in Kerberos database").append(errorstring); + pdialog.closeDialog(); + return -1; + } + + pdialog.setStatusMessage(i18n("Configuring local system...")); + tqApp->processEvents(); + // Write the TDE realm configuration file LDAPRealmConfigList realms; realms.insert(realmconfig.name, realmconfig); 
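Review bot: The error message for the KDC host entry, `i18n("Unable to add KDC server entry to Kerberos database").arg(m_ldapUserName)`, has no `%1` placeholder, so the `.arg()` looks like a copy-paste leftover from the line below; Qt3's `arg()` warns at run time when no marker is found, if I recall correctly, and the LDAP user name is not what this message is about. Drop it: `if (errstr) *errstr = i18n("Unable to add KDC server entry to Kerberos database").append(errorstring);`. All three `.append(errorstring)` calls also glue kadmin's text directly onto the i18n string; a `": "` separator would keep the reported error readable. `createNewLDAPRealm`, which encloses this hunk, begins and ends outside it.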
@@ -595,9 +949,31 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME m_systemconfig->writeEntry("DefaultRealm", realmconfig.name); m_systemconfig->sync(); - pdialog.setStatusMessage(i18n("Configuring local system...")); LDAPManager::writeLDAPConfFile(realmconfig); + pdialog.setStatusMessage(i18n("(Re)starting servers...")); + tqApp->processEvents(); + + // Restart slapd + if (controlLDAPServer(SC_RESTART) != 0) { + if (errstr) *errstr = i18n("Unable to restart LDAP server"); + pdialog.closeDialog(); + return -1; + } + // Restart Heimdal + if (controlHeimdalServer(SC_RESTART) != 0) { + if (errstr) *errstr = i18n("Unable to restart Kerberos server"); + pdialog.closeDialog(); + return -1; + } + + // Start SASL + if (controlSASLServer(SC_START) != 0) { + if (errstr) *errstr = i18n("Unable to start SASL server"); + pdialog.closeDialog(); + return -1; + } + // RAJA FIXME pdialog.closeDialog(); } diff --git a/src/ldapcontroller.h b/src/ldapcontroller.h index d831c72..1fad5f8 100644 --- a/src/ldapcontroller.h +++ b/src/ldapcontroller.h @@ -69,9 +69,13 @@ class LDAPController: public KCModule void processLockouts(); private: - int controlHeimdalServer(sc_command command); + int controlSASLServer(sc_command command); + int controlHeimdalServer(sc_command command, uid_t userid=-1, gid_t groupid=-1); int controlLDAPServer(sc_command command, uid_t userid=-1, gid_t groupid=-1); int initializeNewKerberosRealm(TQString realmName, TQString *errstr); + int addLDAPEntryToKerberosRealm(TQString ldapProcessOwnerName, TQString ldapHost, TQString *errstr); + int addHostEntryToKerberosRealm(TQString kerberosHost, TQString *errstr); + int setKerberosPasswordForUser(LDAPCredentials user, TQString *errstr); private: KAboutData *myAboutData; @@ -81,6 +85,8 @@ class LDAPController: public KCModule TQString m_fqdn; int m_prevRole; + TQString m_ldapUserName; + TQString m_ldapGroupName; }; #endif // _LDAPCONTROLLER_H_ 
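Review bot: The restart block at the end of `createNewLDAPRealm` is only reached on full success; every `return -1` path added earlier in this commit (stop failures, kadmin errors, the password set) returns after the services were stopped and the databases purged, leaving slapd, heimdal-kdc and saslauthd down with no attempt to bring anything back. A single cleanup path — a small helper that restarts whatever can be restarted and closes the dialog, called from each failure branch — would make the failure mode far less surprising for an administrator. The start of the function is outside this hunk.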
diff --git a/src/realmwizard.cpp b/src/realmwizard.cpp index 184fb57..a0f4ced 100644 --- a/src/realmwizard.cpp +++ b/src/realmwizard.cpp @@ -94,6 +94,9 @@ RealmWizard::RealmWizard(LDAPController* controller, TQString fqdn, TQWidget *pa // Other setup finishpage->ldapAdminRealm->setEnabled(false); + // Kerberos won't work unless the DNS suffix matches the realm name + realmpage->txtRealmName->setEnabled(false); + setFinishEnabled(TQWizard::page(2), true); setPosition();