[debian-edu-commits] debian-edu/ 01/01: ldap-schemas/kerberos.schema: Update from krb5-kdc-ldap 1.16-1.
Mike Gabriel
sunweaver at debian.org
Sun May 20 11:12:28 BST 2018
This is an automated email from the git hooks/post-receive script.
sunweaver pushed a commit to branch master
in repository debian-edu-config.
commit f9c528f6b843df4c0741a9b1b3722809a78c5d43
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date: Sun May 20 10:12:07 2018 +0000
ldap-schemas/kerberos.schema: Update from krb5-kdc-ldap 1.16-1.
---
debian/changelog | 4 +++
ldap-schemas/kerberos.schema | 83 ++++++++++++++++++++++++++++++++++++--------
2 files changed, 73 insertions(+), 14 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 2d93852..4d7a344 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,6 @@
debian-edu-config (2.10.27) UNRELEASED; urgency=medium
+ [ Wolfgang Schweer ]
* share/debian-edu-config/d-i/pre-pkgsel:
- Leave network configuration to NetworkManager also on workstations.
This should ensure that NetworkManager.wait-online.service works like
@@ -8,6 +9,9 @@ debian-edu-config (2.10.27) UNRELEASED; urgency=medium
cf3/cf.desktop-networked.
* cf3/promises.cf: Include cf.desktop-networked at an early execution stage.
+ [ Mike Gabriel ]
+ * ldap-schemas/kerberos.schema: Update from krb5-kdc-ldap 1.16-1.
+
-- Wolfgang Schweer <wschweer at arcor.de> Wed, 16 May 2018 15:57:41 +0200
debian-edu-config (2.10.26) unstable; urgency=medium
diff --git a/ldap-schemas/kerberos.schema b/ldap-schemas/kerberos.schema
index 65e07d6..52036a1 100644
--- a/ldap-schemas/kerberos.schema
+++ b/ldap-schemas/kerberos.schema
@@ -34,7 +34,7 @@
########################################################################
-# Attribute Type Definitions #
+# Attribute Type Definitions #
########################################################################
##### This is the principal name in the RFC 1964 specified format
@@ -42,7 +42,7 @@
attributetype ( 2.16.840.1.113719.1.301.4.1.1
NAME 'krbPrincipalName'
EQUALITY caseExactIA5Match
- SUBSTR caseExactSubstringsMatch
+ SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
##### If there are multiple krbPrincipalName values for an entry, this
@@ -92,8 +92,8 @@ attributetype ( 2.16.840.1.113719.1.301.4.6.1
##### The values (0x00000001 - 0x00800000) are reserved for standards and
##### values (0x01000000 - 0x80000000) can be used for proprietary extensions.
##### The flags and values as per RFC 4120 and MIT implementation are,
-##### DISALLOW_POSTDATED 0x00000001
-##### DISALLOW_FORWARDABLE 0x00000002
+##### DISALLOW_POSTDATED 0x00000001
+##### DISALLOW_FORWARDABLE 0x00000002
##### DISALLOW_TGT_BASED 0x00000004
##### DISALLOW_RENEWABLE 0x00000008
##### DISALLOW_PROXIABLE 0x00000010
@@ -297,6 +297,42 @@ attributetype ( 1.3.6.1.4.1.5322.21.2.3
SINGLE-VALUE)
+##### Policy attribute flags
+
+attributetype ( 1.2.840.113554.1.4.1.6.2
+ NAME 'krbPwdAttributes'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE)
+
+
+##### Policy maximum ticket lifetime
+
+attributetype ( 1.2.840.113554.1.4.1.6.3
+ NAME 'krbPwdMaxLife'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE)
+
+
+##### Policy maximum ticket renewable lifetime
+
+attributetype ( 1.2.840.113554.1.4.1.6.4
+ NAME 'krbPwdMaxRenewableLife'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE)
+
+
+##### Allowed enctype:salttype combinations for key changes
+
+attributetype ( 1.2.840.113554.1.4.1.6.5
+ NAME 'krbPwdAllowedKeysalts'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE)
+
+
##### FDN pointing to a Kerberos Password Policy object
attributetype ( 2.16.840.1.113719.1.301.4.36.1
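Review bot: The new `krbPwdMaxLife` differs from the existing `krbMaxPwdLife` only in word order, and both end up in the `krbPwdPolicy` MAY list in the last hunk, yet the added comment describes it as the policy's maximum ticket lifetime rather than a password age. The comments on `krbPwdMaxLife` and `krbPwdMaxRenewableLife` also give no unit for the integer value. Since the file is taken from krb5-kdc-ldap, the text is better left as upstream has it and the distinction recorded where Debian Edu documents its policies, for example `krbPwdMaxLife: maximum ticket lifetime set by the policy, not to be confused with krbMaxPwdLife` (unit to be confirmed against the krb5 documentation).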
@@ -445,6 +481,13 @@ attributetype ( 2.16.840.1.113719.1.301.4.45.1
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE)
+##### The time at which the principal was last administratively unlocked.
+
+attributetype ( 1.3.6.1.4.1.5322.21.2.5
+ NAME 'krbLastAdminUnlock'
+ EQUALITY generalizedTimeMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+ SINGLE-VALUE)
##### This attribute holds the kerberos master key.
##### This can be used to encrypt principal keys.
@@ -533,6 +576,18 @@ attributetype ( 2.16.840.1.113719.1.301.4.53.1
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
+
+##### A list of authentication indicator strings, one of which must be satisfied
+##### to authenticate to the principal as a service.
+##### FreeIPA OID:
+##### joint-iso-ccitt(3) country(16) us(840) organization(1) netscape(113730)
+##### ldap(3) freeipa(8) krb5(15) attributes(2)
+attributetype ( 2.16.840.1.113730.3.8.15.2.1
+ NAME 'krbPrincipalAuthInd'
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
+
+
##### A list of services to which a service principal can delegate.
attributetype ( 1.3.6.1.4.1.5322.21.2.4
NAME 'krbAllowedToDelegateTo'
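Review bot: `krbPrincipalAuthInd` is security-relevant configuration rather than descriptive data. Per the added comment it lists the authentication indicators of which one must be satisfied to authenticate to the service principal, so anyone able to modify it can loosen that requirement. The directory's access rules are not part of this diff; confirm that write access to the attribute is limited to the identities that already manage the other `krbPrincipalAux` attributes. The same check applies to `krbLastAdminUnlock` and `krbPwdAllowedKeysalts` from the earlier hunks.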
@@ -542,7 +597,7 @@ attributetype ( 1.3.6.1.4.1.5322.21.2.4
########################################################################
########################################################################
-# Object Class Definitions #
+# Object Class Definitions #
########################################################################
#### This is a kerberos container for all the realms in a tree.
@@ -550,7 +605,7 @@ attributetype ( 1.3.6.1.4.1.5322.21.2.4
objectclass ( 2.16.840.1.113719.1.301.6.1.1
NAME 'krbContainer'
SUP top
- STRUCTURAL
+ STRUCTURAL
MUST ( cn ) )
@@ -559,7 +614,7 @@ objectclass ( 2.16.840.1.113719.1.301.6.1.1
objectclass ( 2.16.840.1.113719.1.301.6.2.1
NAME 'krbRealmContainer'
SUP top
- STRUCTURAL
+ STRUCTURAL
MUST ( cn )
MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef ) )
@@ -589,7 +644,7 @@ objectclass ( 2.16.840.1.113719.1.301.6.3.1
objectclass ( 2.16.840.1.113719.1.301.6.4.1
NAME 'krbKdcService'
SUP krbService
- STRUCTURAL )
+ STRUCTURAL )
##### Representative object for the Kerberos Password server to bind into a LDAP directory
@@ -599,7 +654,7 @@ objectclass ( 2.16.840.1.113719.1.301.6.4.1
objectclass ( 2.16.840.1.113719.1.301.6.5.1
NAME 'krbPwdService'
SUP krbService
- STRUCTURAL )
+ STRUCTURAL )
###### The principal data auxiliary class. Holds principal information
@@ -607,9 +662,9 @@ objectclass ( 2.16.840.1.113719.1.301.6.5.1
objectclass ( 2.16.840.1.113719.1.301.6.8.1
NAME 'krbPrincipalAux'
- SUP top
+ SUP top
AUXILIARY
- MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbAllowedToDelegateTo ) )
+ MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbLastAdminUnlock $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbAllowedToDelegateTo $ krbPrincipalAuthInd ) )
###### This class is used to create additional principals and stand alone principals.
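Review bot: The widened MAY list here, and the one on `krbPwdPolicy` in the last hunk, only take effect once the directory server has loaded the new attribute types, and the diffstat shows nothing besides the schema file and the changelog. If existing installations keep a previously loaded copy of the schema (to be confirmed for how Debian Edu deploys it), a krb5 1.16 KDC or kadmin writing `krbLastAdminUnlock`, `krbPrincipalAuthInd` or the four new `krbPwd*` attributes would presumably be rejected by the server. An upgrade step that reloads the schema, or a changelog line stating that a reload is required, would close that gap.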
@@ -618,7 +673,7 @@ objectclass ( 2.16.840.1.113719.1.301.6.9.1
NAME 'krbPrincipal'
SUP top
MUST ( krbPrincipalName )
- MAY ( krbObjectReferences ) )
+ MAY ( krbObjectReferences ) )
###### The principal references auxiliary class. Holds all principals referred
@@ -637,7 +692,7 @@ objectclass ( 2.16.840.1.113719.1.301.6.11.1
objectclass ( 2.16.840.1.113719.1.301.6.13.1
NAME 'krbAdmService'
SUP krbService
- STRUCTURAL )
+ STRUCTURAL )
##### The krbPwdPolicy object is a template password policy that
@@ -649,7 +704,7 @@ objectclass ( 2.16.840.1.113719.1.301.6.14.1
NAME 'krbPwdPolicy'
SUP top
MUST ( cn )
- MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration ) )
+ MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxLife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) )
##### The krbTicketPolicyAux holds Kerberos ticket policy attributes.
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-edu/debian-edu-config.git