[Pkg-openldap-devel] r1149 - in openldap/trunk: . build contrib/slapd-modules contrib/slapd-modules/smbk5pwd debian doc doc/guide doc/guide/admin doc/guide/release doc/man/man5 libraries/libldap libraries/libldap_r servers/slapd servers/slapd/back-bdb servers/slapd/back-ldap servers/slapd/back-meta servers/slapd/back-monitor servers/slapd/overlays servers/slapd/schema servers/slapd/slapi
vorlon at alioth.debian.org
vorlon at alioth.debian.org
Sat Jun 28 15:17:21 UTC 2008
tags 469232 pending
thanks
Author: vorlon
Date: 2008-06-28 15:17:20 +0000 (Sat, 28 Jun 2008)
New Revision: 1149
Added:
openldap/trunk/contrib/slapd-modules/nops/
openldap/trunk/doc/drafts/
openldap/trunk/doc/rfc/
openldap/trunk/servers/slapd/schema/collective.schema
openldap/trunk/servers/slapd/schema/corba.schema
openldap/trunk/servers/slapd/schema/core.ldif
openldap/trunk/servers/slapd/schema/core.schema
openldap/trunk/servers/slapd/schema/cosine.schema
openldap/trunk/servers/slapd/schema/java.schema
openldap/trunk/servers/slapd/schema/ppolicy.schema
Modified:
openldap/trunk/CHANGES
openldap/trunk/COPYRIGHT
openldap/trunk/build/version.var
openldap/trunk/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
openldap/trunk/debian/changelog
openldap/trunk/doc/guide/COPYRIGHT
openldap/trunk/doc/guide/admin/access-control.sdf
openldap/trunk/doc/guide/admin/appendix-upgrading.sdf
openldap/trunk/doc/guide/admin/aspell.en.pws
openldap/trunk/doc/guide/admin/guide.html
openldap/trunk/doc/guide/admin/preface.sdf
openldap/trunk/doc/guide/admin/security.sdf
openldap/trunk/doc/guide/release/copyright.sdf
openldap/trunk/doc/man/man5/slapd-config.5
openldap/trunk/doc/man/man5/slapd.conf.5
openldap/trunk/doc/man/man5/slapo-constraint.5
openldap/trunk/doc/man/man5/slapo-refint.5
openldap/trunk/doc/man/man5/slapo-rwm.5
openldap/trunk/libraries/libldap/os-ip.c
openldap/trunk/libraries/libldap/os-local.c
openldap/trunk/libraries/libldap/request.c
openldap/trunk/libraries/libldap/result.c
openldap/trunk/libraries/libldap/t61.c
openldap/trunk/libraries/libldap_r/thr_stub.c
openldap/trunk/servers/slapd/acl.c
openldap/trunk/servers/slapd/back-bdb/attr.c
openldap/trunk/servers/slapd/back-bdb/dn2id.c
openldap/trunk/servers/slapd/back-bdb/monitor.c
openldap/trunk/servers/slapd/back-ldap/search.c
openldap/trunk/servers/slapd/back-meta/config.c
openldap/trunk/servers/slapd/back-monitor/database.c
openldap/trunk/servers/slapd/backglue.c
openldap/trunk/servers/slapd/backover.c
openldap/trunk/servers/slapd/bconfig.c
openldap/trunk/servers/slapd/daemon.c
openldap/trunk/servers/slapd/main.c
openldap/trunk/servers/slapd/overlays/constraint.c
openldap/trunk/servers/slapd/overlays/ppolicy.c
openldap/trunk/servers/slapd/overlays/refint.c
openldap/trunk/servers/slapd/overlays/syncprov.c
openldap/trunk/servers/slapd/overlays/unique.c
openldap/trunk/servers/slapd/proto-slap.h
openldap/trunk/servers/slapd/result.c
openldap/trunk/servers/slapd/schema_init.c
openldap/trunk/servers/slapd/sets.h
openldap/trunk/servers/slapd/slap.h
openldap/trunk/servers/slapd/slapi/plugin.c
openldap/trunk/servers/slapd/slapi/proto-slapi.h
openldap/trunk/servers/slapd/slapi/slapi_overlay.c
openldap/trunk/servers/slapd/syncrepl.c
Log:
new upstream release, fixes bug #469232
Modified: openldap/trunk/CHANGES
===================================================================
--- openldap/trunk/CHANGES 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/CHANGES 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,5 +1,34 @@
OpenLDAP 2.4 Change Log
+OpenLDAP 2.4.10 Release (2008/06/08)
+ Fixed libldap file descriptor leak with SELinux (ITS#5507)
+ Fixed libldap ld_defconn cleanup if it was freed (ITS#5518, ITS#5525)
+ Fixed libldap msgid handling (ITS#5318)
+ Fixed libldap t61 infinite loop (ITS#5542)
+ Fixed libldap_r missing stubs (ITS#5519)
+ Fixed slapd initialization of sr_msgid, rs->sr_tag (ITS#5461)
+ Fixed slapd missing termination of integerFilter keys (ITS#5503)
+ Fixed slapd multiple attrs in URI (ITS#5516)
+ Fixed slapd sasl_ssf retrieval (ITS#5403)
+ Fixed slapd socket assert (ITS#5489)
+ Fixed slapd syncrepl cookie (ITS#5536)
+ Fixed slapd-bdb/hdb MAXPATHLEN (ITS#5531)
+ Fixed slapd-bdb indexing in single ADD/MOD (ITS#5521)
+ Fixed slapd-ldap entry_get() op-dependent behavior (ITS#5513)
+ Fixed slapd-meta quarantine crasher (ITS#5522)
+ Fixed slapo-refint to allow setting modifiers name (ITS#5505)
+ Fixed slapo-syncprov contextCSN passing on syncprov consumers (ITS#5488)
+ Fixed slapo-syncprov csn update with delta-syncrepl (ITS#5493)
+ Fixed slapo-syncprov op2.o_extra reset (ITS#5501, #5506)
+ Fixed slapo-syncprov searching wrong backend (ITS#5487)
+ Fixed slapo-syncprov sending ops without queued CSNs (ITS#5465)
+ Fixed slapo-syncprov max csn search on startup (ITS#5537)
+ Fixed slapo-unique config structs (ITS#5526)
+ Fixed slapo-unique filter terminator (ITS#5511)
+ Documentation
+ Add search privileges documentation (ITS#5512)
+ admin24 security document updates (ITS#5524)
+
OpenLDAP 2.4.9 Release (2008/05/07)
Fixed libldap to use unsigned port (ITS#5436)
Fixed libldap error message for missing close paren (ITS#5458)
Modified: openldap/trunk/COPYRIGHT
===================================================================
--- openldap/trunk/COPYRIGHT 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/COPYRIGHT 2008-06-28 15:17:20 UTC (rev 1149)
@@ -36,11 +36,11 @@
---
-Portions Copyright 1999-2007 Howard Y.H. Chu.
-Portions Copyright 1999-2007 Symas Corporation.
+Portions Copyright 1999-2008 Howard Y.H. Chu.
+Portions Copyright 1999-2008 Symas Corporation.
Portions Copyright 1998-2003 Hallvard B. Furuseth.
-Portions Copyright 2008 Gavin Henry
-Portions Copyright 2008 Suretec Systems
+Portions Copyright 2008 Gavin Henry.
+Portions Copyright 2008 Suretec Systems.
All rights reserved.
Redistribution and use in source and binary forms, with or without
Modified: openldap/trunk/build/version.var
===================================================================
--- openldap/trunk/build/version.var 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/build/version.var 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,5 +1,5 @@
#! /bin/sh
-# $OpenLDAP: pkg/ldap/build/version.var,v 1.9.2.26 2008/05/07 19:26:02 kurt Exp $
+# $OpenLDAP: pkg/ldap/build/version.var,v 1.9.2.32 2008/06/08 19:04:43 kurt Exp $
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2008 The OpenLDAP Foundation.
@@ -15,9 +15,9 @@
ol_package=OpenLDAP
ol_major=2
ol_minor=4
-ol_patch=9
-ol_api_inc=20409
+ol_patch=10
+ol_api_inc=20410
ol_api_current=2
-ol_api_revision=5
+ol_api_revision=6
ol_api_age=0
-ol_release_date="2008/05/07"
+ol_release_date="2008/06/10"
Copied: openldap/trunk/contrib/slapd-modules/nops (from rev 1148, openldap/vendor/openldap-2.4.10/contrib/slapd-modules/nops)
Modified: openldap/trunk/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/smbk5pwd/smbk5pwd.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/contrib/slapd-modules/smbk5pwd/smbk5pwd.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,5 +1,5 @@
/* smbk5pwd.c - Overlay for managing Samba and Heimdal passwords */
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/smbk5pwd/smbk5pwd.c,v 1.17.2.10 2008/04/14 21:58:37 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/smbk5pwd/smbk5pwd.c,v 1.17.2.11 2008/05/27 20:01:46 quanah Exp $ */
/*
* Copyright 2004-2005 by Howard Chu, Symas Corp.
* All rights reserved.
@@ -114,7 +114,7 @@
/* From liblutil/passwd.c... */
static void lmPasswd_to_key(
const char *lmPasswd,
- des_cblock *key)
+ DES_cblock *key)
{
const unsigned char *lpw = (const unsigned char *)lmPasswd;
unsigned char *k = (unsigned char *)key;
@@ -162,10 +162,10 @@
)
{
char UcasePassword[15];
- des_cblock key;
- des_key_schedule schedule;
- des_cblock StdText = "KGS!@#$%";
- des_cblock hbuf[2];
+ DES_cblock key;
+ DES_key_schedule schedule;
+ DES_cblock StdText = "KGS!@#$%";
+ DES_cblock hbuf[2];
strncpy( UcasePassword, passwd->bv_val, 14 );
UcasePassword[14] = '\0';
Modified: openldap/trunk/debian/changelog
===================================================================
--- openldap/trunk/debian/changelog 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/debian/changelog 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,13 +1,16 @@
-openldap2.3 (2.4.9-2) UNRELEASED; urgency=low
+openldap2.3 (2.4.10-1) UNRELEASED; urgency=low
+ [ Steve Langasek ]
+ * New upstream release.
+ - Clean up ld_defconn if it was freed, fixing an assertion failure in
+ various clients. Closes: #469232.
+ * Drop spurious build-dependency on heimdal-dev, introduced accidentally
+ as part of an aborted attempt to build the smbk5pwd overlay.
+
[ Matthijs Mohlmann ]
* All manpages in category 5 were missing, wrong directory.
(Closes: #474976, #483631, #483633)
- [ Steve Langasek ]
- * Drop spurious build-dependency on heimdal-dev, introduced accidentally
- as part of an aborted attempt to build the smbk5pwd overlay.
-
-- Matthijs Mohlmann <matthijs at cacholong.nl> Fri, 30 May 2008 08:58:35 +0200
openldap2.3 (2.4.9-1) unstable; urgency=low
Copied: openldap/trunk/doc/drafts (from rev 1148, openldap/vendor/openldap-2.4.10/doc/drafts)
Modified: openldap/trunk/doc/guide/COPYRIGHT
===================================================================
--- openldap/trunk/doc/guide/COPYRIGHT 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/doc/guide/COPYRIGHT 2008-06-28 15:17:20 UTC (rev 1149)
@@ -25,7 +25,7 @@
---
-Portions Copyright 1998-2006 Kurt D. Zeilenga.
+Portions Copyright 1998-2008 Kurt D. Zeilenga.
Portions Copyright 1998-2006 Net Boolean Incorporated.
Portions Copyright 2001-2006 IBM Corporation.
All rights reserved.
@@ -36,11 +36,11 @@
---
-Portions Copyright 1999-2007 Howard Y.H. Chu.
-Portions Copyright 1999-2007 Symas Corporation.
+Portions Copyright 1999-2008 Howard Y.H. Chu.
+Portions Copyright 1999-2008 Symas Corporation.
Portions Copyright 1998-2003 Hallvard B. Furuseth.
-Portions Copyright 2007-2008 Gavin Henry
-Portions Copyright 2007-2008 Suretec Systems Limited.
+Portions Copyright 2008 Gavin Henry.
+Portions Copyright 2008 Suretec Systems.
All rights reserved.
Redistribution and use in source and binary forms, with or without
Modified: openldap/trunk/doc/guide/admin/access-control.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/access-control.sdf 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/doc/guide/admin/access-control.sdf 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,4 +1,4 @@
-# $OpenLDAP: pkg/openldap-guide/admin/access-control.sdf,v 1.3.2.1 2008/04/14 20:35:10 quanah Exp $
+# $OpenLDAP: pkg/openldap-guide/admin/access-control.sdf,v 1.3.2.2 2008/05/20 00:17:58 quanah Exp $
# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
@@ -137,7 +137,9 @@
There are two special {{pseudo}} attributes {{EX:entry}} and
{{EX:children}}. To read (and hence return) a target entry, the
subject must have {{EX:read}} access to the target's {{entry}}
-attribute. To add or delete an entry, the subject must have
+attribute. To perform a search, the subject must have
+{{EX:search}} access to the search base's {{entry}} attribute.
+To add or delete an entry, the subject must have
{{EX:write}} access to the entry's {{EX:entry}} attribute AND must
have {{EX:write}} access to the entry's parent's {{EX:children}}
attribute. To rename an entry, the subject must have {{EX:write}}
@@ -552,7 +554,9 @@
There are two special {{pseudo}} attributes {{EX:entry}} and
{{EX:children}}. To read (and hence return) a target entry, the
subject must have {{EX:read}} access to the target's {{entry}}
-attribute. To add or delete an entry, the subject must have
+attribute. To perform a search, the subject must have
+{{EX:search}} access to the search base's {{entry}} attribute.
+To add or delete an entry, the subject must have
{{EX:write}} access to the entry's {{EX:entry}} attribute AND must
have {{EX:write}} access to the entry's parent's {{EX:children}}
attribute. To rename an entry, the subject must have {{EX:write}}
Modified: openldap/trunk/doc/guide/admin/appendix-upgrading.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-upgrading.sdf 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/doc/guide/admin/appendix-upgrading.sdf 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,4 +1,4 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-upgrading.sdf,v 1.1.2.4 2008/02/11 23:26:39 kurt Exp $
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-upgrading.sdf,v 1.1.2.5 2008/05/20 00:17:58 quanah Exp $
# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
@@ -37,8 +37,24 @@
> olcReplicationInterval: value #0: <olcReplicationInterval> keyword is obsolete (ignored)
+H2: ACLs: searches require privileges on the search base
+Search operations now require "search" privileges on the "entry" pseudo-attribute of the search
+base. While upgrading from 2.3.x, make sure your ACLs grant such privileges to all desired search
+bases.
+For example, assuming you have the following ACL:
+> access to dn.sub="ou=people,dc=example,dc=com" by * search
+
+Searches using a base of "dc=example,dc=com" will only be allowed if you add the following ACL:
+
+> access to dn.base="dc=example,dc=com" attrs=entry by * search
+
+Note: The {{slapd.access}}(5) man page states that this requirement was introduced
+with OpenLDAP 2.3. However, it is the default behavior only since 2.4.
+
+
+
ADD MORE HERE
Modified: openldap/trunk/doc/guide/admin/aspell.en.pws
===================================================================
--- openldap/trunk/doc/guide/admin/aspell.en.pws 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/doc/guide/admin/aspell.en.pws 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,12 +1,12 @@
-personal_ws-1.1 en 1598
+personal_ws-1.1 en 1634
commonName
bla
Masarati
subjectAltName
api
BhY
+olcSyncRepl
olcSyncrepl
-olcSyncRepl
adamsom
adamson
CER
@@ -38,8 +38,8 @@
dev
reqNewSuperior
librewrite
+memberof
memberOf
-memberof
BSI
updateref
buf
@@ -64,6 +64,7 @@
postread
csn
xvfB
+checkpass
neverDerefaliases
dns
DN's
@@ -87,8 +88,8 @@
eng
AttributeValue
attributevalue
+DUA
EOF
-DUA
inputfile
DSP
refreshDone
@@ -123,10 +124,10 @@
contextCSN
auditModify
auditSearch
+OpenLDAP
openldap
-OpenLDAP
+resultcode
resultCode
-resultcode
sysconfig
indices
blen
@@ -137,14 +138,17 @@
database's
iscritical
gss
+qbuaQ
ZKKuqbEKJfKSXhUbHG
invalidAttributeSyntax
subtree
Kartik
newparent
+DkMTwBl
memcalloc
ing
filtertype
+XKqkdPOmY
regcomp
ldapmodify
includedir
@@ -159,13 +163,13 @@
kdz
notAllowedOnRDN
hostport
+StartTLS
starttls
-StartTLS
ldb
servercredp
ldd
+IPv
ipv
-IPv
hyc
joe
bindmethods
@@ -189,16 +193,16 @@
directoryOperation
creatorsName
mem
+oldPasswdFile
oldpasswdfile
-oldPasswdFile
uniqueMember
krb
libpath
acknowledgements
jts
createTimestamp
+MIB
LLL
-MIB
OpenSSL
openssl
LOF
@@ -217,6 +221,7 @@
bool
LRL
CPPFLAGS
+yWpR
schemadir
desc
lud
@@ -232,14 +237,15 @@
msg
attr
caseExactOrderingMatch
+TmkzUAb
Subbarao
aeeiib
oidlen
submatches
+PEM
olc
-PEM
+OLF
PDU
-OLF
LDAPSchemaExtensionItem
auth
Pierangelo
@@ -249,6 +255,7 @@
OLP
pwdPolicyChecker
subst
+mux
singleLevel
cleartext
numattrsets
@@ -277,9 +284,9 @@
wZFQrDD
OTP
olcSizeLimit
+PRD
+sbi
pos
-sbi
-PRD
pre
sudoadm
stringal
@@ -287,6 +294,7 @@
sdf
efgh
accesslog
+PSH
sed
cond
qdescrs
@@ -296,9 +304,10 @@
sel
bvec
TBC
+HtZhZS
stringbv
+SHA
Sep
-SHA
ptr
conn
pwd
@@ -315,8 +324,8 @@
supportedSASLMechanism
supportedSASLmechanism
realnamingcontext
+UCD
SMD
-UCD
keytab
portnumber
uncached
@@ -329,8 +338,8 @@
UCS
searchDN
keytbl
+UDP
tgz
-UDP
freemods
prepend
errText
@@ -347,22 +356,22 @@
objectClassViolation
ssf
ldapfilter
+vec
+TOC
rwm
-TOC
-vec
pwdChangedTime
tls
peernamestyle
xpasswd
+SRP
tmp
-SRP
SSL
dupbv
CPUs
SRV
entrymods
+sss
rwx
-sss
reqNewRDN
nopresent
rebindproc
@@ -372,11 +381,13 @@
cron
accesslevel
accessor's
+czBJdDqS
keyval
alloc
saslpasswd
README
maxentries
+QWGWZpj
ttl
undefinedAttributeType
peercred
@@ -417,10 +428,11 @@
sudoers
pwdMaxFailure
pseudorootdn
+MezRroT
GDBM
LIBRELEASE
+DSA's
DSAs
-DSA's
realloc
booleanMatch
compareTrue
@@ -432,6 +444,7 @@
al
realself
cd
+aQ
ar
olcDatabaseConfig
de
@@ -447,6 +460,7 @@
fG
DS
fi
+EO
allmail
du
eq
@@ -477,8 +491,8 @@
iZ
ldapdelete
xyz
+rdbms
RDBMs
-rdbms
extparam
mk
ng
@@ -533,6 +547,7 @@
notAllowedOnNonLeaf
attrname
olcTLSCipherSuite
+Xr
x's
xw
octetStringMatch
@@ -541,8 +556,8 @@
LDVERSION
testAttr
backend
+backends
backend's
-backends
BerValues
Solaris
structs
@@ -554,9 +569,9 @@
policyDN
testObject
pwdMaxAge
+binddn
+bindDN
bindDn
-bindDN
-binddn
distributedOperation
schemachecking
strvals
@@ -588,6 +603,7 @@
recursivegroup
integerMatch
moduledir
+BlpQmtczb
dynstyle
bindpw
AUTHNAME
@@ -598,14 +614,14 @@
regex
SIGINT
slappasswd
+errABsObject
errAbsObject
-errABsObject
ldapexop
+objectIdentifier
objectidentifier
-objectIdentifier
deallocators
+mirrormode
MirrorMode
-mirrormode
loopDetect
SIGHUP
authMethodNotSupported
@@ -622,8 +638,8 @@
expr
syntaxes
memrealloc
+returncode
returnCode
-returncode
OpenLDAP's
exts
bitstringa
@@ -638,6 +654,7 @@
olcSchemaConfig
bitstrings
bvalues
+hmev
realdnattr
attrpair
affectsMultipleDSAs
@@ -646,8 +663,8 @@
lldap
cachesize
slapauth
+attributeType
attributetype
-attributeType
GSER
olcDbNosync
typedef
@@ -664,14 +681,16 @@
TLSVerifyClient
noidlen
LDAPNOINIT
+pwdGraceAuthnLimit
pwdGraceAuthNLimit
-pwdGraceAuthnLimit
hnPk
+userpassword
userPassword
noanonymous
LIBVERSION
symas
dcedn
+glibc
sublevel
chroot
posixGroup
@@ -682,12 +701,14 @@
someotherdomain
proxying
organisations
+IMAP
rewriteMap
monitoredInfo
+modrDN
+ModRDN
modrdn
-ModRDN
-modrDN
HREF
+DQTxCYEApdUtNXGgdUac
inline
multiproxy
reqSizeLimit
@@ -698,8 +719,8 @@
rlookups
siiiib
LTSTATIC
+timelimitExceeded
timeLimitExceeded
-timelimitExceeded
XKYnrjvGT
subtrees
unixODBC
@@ -711,8 +732,8 @@
dnstyle
inet
schemas
+pwdPolicySubentry
pwdPolicySubEntry
-pwdPolicySubentry
reqId
scanf
olcBackend
@@ -721,6 +742,7 @@
init
runtime
onelevel
+YtNFk
impl
Autoconf
stderr
@@ -737,6 +759,7 @@
pwdSafeModify
html
multimaster
+GCmfuqEvm
testrun
rewriteEngine
slapdindex
@@ -751,8 +774,8 @@
pathname
noSuchObject
proxyOld
+BerElement
berelement
-BerElement
sbiod
plugin
http
@@ -762,8 +785,8 @@
numericStringSubstringsMatch
internet
storages
+WhoAmI
whoami
-WhoAmI
criticality
addBlanks
logins
@@ -772,6 +795,7 @@
operationsError
homePhone
testTwo
+BmIwN
ldif
entryAlreadyExists
plaintext
@@ -903,6 +927,7 @@
realanonymous
invalue
refreshOnly
+pwcheck
filesystem
Naur
unwillingToPerform
@@ -924,6 +949,7 @@
logevels
AAQSkZJRgABAAAAAQABAAD
strcast
+aUihad
failover
constraintViolation
cacheable
@@ -968,6 +994,7 @@
groupOfUniqueNames
DHAVE
ludp
+oPdklp
entryUUID
ldapapiinfo
SampleLDAP
@@ -1013,12 +1040,14 @@
nelems
subord
namingViolation
+PCOq
inappropriateAuthentication
mixin
suders
syntaxOID
olcTLSCACertificateFile
IGJlZ
+userPrincipalName
TLSCipherSuite
auditlog
runningslapd
@@ -1059,6 +1088,7 @@
PIII
olcDbShmKey
substr
+testsaslauthd
reqRespControls
XXXXXXXXXX
MANSECT
@@ -1081,6 +1111,7 @@
supportedControl
addprinc
logbase
+oMxg
filterlist
generalizedTimeMatch
Google
@@ -1204,6 +1235,7 @@
entryUUIDs
reqEntries
sockbuf
+wrongpassword
olcSaslSecprops
olcSaslSecProps
dnSubtreeMatch
@@ -1296,6 +1328,7 @@
srvtab
ldapadd
sprintf
+spasswd
monitorCounterObject
Instanstantiation
olcDbConfig
@@ -1362,6 +1395,7 @@
attrvalue
deallocate
msgid
+ilOzQ
modulepath
logfile
Supr
@@ -1513,6 +1547,7 @@
dnpattern
perror
MSSQL
+VUld
SmVuc
ACIs
errmsgp
@@ -1552,8 +1587,8 @@
multi
aaa
ldaprc
+UpdateDN
updatedn
-UpdateDN
LDAPBASE
LDAPAPIFeatureInfo
authzTo
@@ -1593,7 +1628,8 @@
slimit
ali
attributeoptions
+BfQ
uidNumber
+CA's
CAs
-CA's
namingContext
Modified: openldap/trunk/doc/guide/admin/guide.html
===================================================================
--- openldap/trunk/doc/guide/admin/guide.html 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/doc/guide/admin/guide.html 2008-06-28 15:17:20 UTC (rev 1149)
@@ -23,7 +23,7 @@
<DIV CLASS="title">
<H1 CLASS="doc-title">OpenLDAP Software 2.4 Administrator's Guide</H1>
<ADDRESS CLASS="doc-author">The OpenLDAP Project <<A HREF="http://www.openldap.org/">http://www.openldap.org/</A>></ADDRESS>
-<ADDRESS CLASS="doc-modified">7 May 2008</ADDRESS>
+<ADDRESS CLASS="doc-modified">8 June 2008</ADDRESS>
<BR CLEAR="All">
</DIV>
<DIV CLASS="contents">
@@ -388,8 +388,30 @@
<A HREF="#Authentication Methods">13.3. Authentication Methods</A><UL>
<A HREF="#"simple" method">13.3.1. "simple" method</A>
<BR>
-<A HREF="#SASL method">13.3.2. SASL method</A></UL></UL>
+<A HREF="#SASL method">13.3.2. SASL method</A></UL>
<BR>
+<A HREF="#Password Storage">13.4. Password Storage</A><UL>
+<A HREF="#SSHA password storage scheme">13.4.1. SSHA password storage scheme</A>
+<BR>
+<A HREF="#CRYPT password storage scheme">13.4.2. CRYPT password storage scheme</A>
+<BR>
+<A HREF="#MD5 password storage scheme">13.4.3. MD5 password storage scheme</A>
+<BR>
+<A HREF="#SMD5 password storage scheme">13.4.4. SMD5 password storage scheme</A>
+<BR>
+<A HREF="#SHA password storage scheme">13.4.5. SHA password storage scheme</A>
+<BR>
+<A HREF="#SASL password storage scheme">13.4.6. SASL password storage scheme</A>
+<BR>
+<A HREF="#KERBEROS password storage scheme">13.4.7. KERBEROS password storage scheme</A></UL>
+<BR>
+<A HREF="#Pass-Through authentication">13.5. Pass-Through authentication</A><UL>
+<A HREF="#Configuring slapd to use an authentication provider">13.5.1. Configuring slapd to use an authentication provider</A>
+<BR>
+<A HREF="#Configuring saslauthd">13.5.2. Configuring saslauthd</A>
+<BR>
+<A HREF="#Testing pass-through authentication">13.5.3. Testing pass-through authentication</A></UL></UL>
+<BR>
<A HREF="#Using SASL">14. Using SASL</A><UL>
<A HREF="#SASL Security Considerations">14.1. SASL Security Considerations</A>
<BR>
@@ -589,8 +611,10 @@
<A HREF="#Upgrading from 2.3.x">B. Upgrading from 2.3.x</A><UL>
<A HREF="#Monitor Backend">B.1. Monitor Backend</A>
<BR>
-<A HREF="#{{B:cn=config}} olc* attributes">B.2. <B>cn=config</B> olc* attributes</A></UL>
+<A HREF="#{{B:cn=config}} olc* attributes">B.2. <B>cn=config</B> olc* attributes</A>
<BR>
+<A HREF="#ACLs: searches require privileges on the search base">B.3. ACLs: searches require privileges on the search base</A></UL>
+<BR>
<A HREF="#Common errors encountered when using OpenLDAP Software">C. Common errors encountered when using OpenLDAP Software</A><UL>
<A HREF="#Common causes of LDAP errors">C.1. Common causes of LDAP errors</A><UL>
<A HREF="#ldap_*: Can\'t contact LDAP server">C.1.1. ldap_*: Can't contact LDAP server</A>
@@ -810,7 +834,7 @@
<A HREF="#OpenLDAP Software Copyright Notices">K. OpenLDAP Software Copyright Notices</A><UL>
<A HREF="#OpenLDAP Copyright Notice">K.1. OpenLDAP Copyright Notice</A>
<BR>
-<A HREF="#Additional Copyright Notice">K.2. Additional Copyright Notice</A>
+<A HREF="#Additional Copyright Notices">K.2. Additional Copyright Notices</A>
<BR>
<A HREF="#University of Michigan Copyright Notice">K.3. University of Michigan Copyright Notice</A></UL>
<BR>
@@ -821,9 +845,10 @@
<HR>
<H1><A NAME="Preface">Preface</A></H1>
<H2>Copyright</H2>
-<P>Copyright 1998-2007, The <A HREF="http://www.openldap.org/foundation/">OpenLDAP Foundation</A>, <EM>All Rights Reserved</EM>.</P>
+<P>Copyright 1998-2008, The <A HREF="http://www.openldap.org/foundation/">OpenLDAP Foundation</A>, <EM>All Rights Reserved</EM>.</P>
<P>Copyright 1992-1996, Regents of the <A HREF="http://www.umich.edu/">University of Michigan</A>, <EM>All Rights Reserved</EM>.</P>
<P>This document is considered a part of OpenLDAP Software. This document is subject to terms of conditions set forth in <A HREF="#OpenLDAP Software Copyright Notices">OpenLDAP Software Copyright Notices</A> and the <A HREF="#OpenLDAP Public License">OpenLDAP Public License</A>. Complete copies of the notices and associated license can be found in Appendix K and L, respectively.</P>
+<P>Portions of OpenLDAP Software and this document may be copyright by other parties and/or subject to additional restrictions. Individual source files should be consulted for additional copyright notices.</P>
<H2>Scope of this Document</H2>
<P>This document provides a guide for installing OpenLDAP Software 2.4 (<A HREF="http://www.openldap.org/software/">http://www.openldap.org/software/</A>) on <TERM>UNIX</TERM> (and UNIX-like) systems. The document is aimed at experienced system administrators with basic understanding of <TERM>LDAP</TERM>-based directory services.</P>
<P>This document is meant to be used in conjunction with other OpenLDAP information resources provided with the software package and on the project's site (<A HREF="http://www.OpenLDAP.org/">http://www.OpenLDAP.org/</A>) on the <TERM>World Wide Web</TERM>. The site makes available a number of resources.</P>
@@ -2580,7 +2605,7 @@
<PRE>
attrs=<attribute> val[.<style>]=<regex>
</PRE>
-<P>There are two special <EM>pseudo</EM> attributes <TT>entry</TT> and <TT>children</TT>. To read (and hence return) a target entry, the subject must have <TT>read</TT> access to the target's <EM>entry</EM> attribute. To add or delete an entry, the subject must have <TT>write</TT> access to the entry's <TT>entry</TT> attribute AND must have <TT>write</TT> access to the entry's parent's <TT>children</TT> attribute. To rename an entry, the subject must have <TT>write</TT> access to entry's <TT>entry</TT> attribute AND have <TT>write</TT> access to both the old parent's and new parent's <TT>children</TT> attributes. The complete examples at the end of this section should help clear things up.</P>
+<P>There are two special <EM>pseudo</EM> attributes <TT>entry</TT> and <TT>children</TT>. To read (and hence return) a target entry, the subject must have <TT>read</TT> access to the target's <EM>entry</EM> attribute. To perform a search, the subject must have <TT>search</TT> access to the search base's <EM>entry</EM> attribute. To add or delete an entry, the subject must have <TT>write</TT> access to the entry's <TT>entry</TT> attribute AND must have <TT>write</TT> access to the entry's parent's <TT>children</TT> attribute. To rename an entry, the subject must have <TT>write</TT> access to entry's <TT>entry</TT> attribute AND have <TT>write</TT> access to both the old parent's and new parent's <TT>children</TT> attributes. The complete examples at the end of this section should help clear things up.</P>
<P>Lastly, there is a special entry selector <TT>"*"</TT> that is used to select any entry. It is used when no other <TT><what></TT> selector has been provided. It's equivalent to "<TT>dn=.*</TT>"</P>
<H3><A NAME="Who to grant access to">7.2.2. Who to grant access to</A></H3>
<P>The <who> part identifies the entity or entities being granted access. Note that access is granted to "entities" not "entries." The following table summarizes entity specifiers:</P>
@@ -2934,7 +2959,7 @@
<PRE>
attrs=<attribute> val[.<style>]=<regex>
</PRE>
-<P>There are two special <EM>pseudo</EM> attributes <TT>entry</TT> and <TT>children</TT>. To read (and hence return) a target entry, the subject must have <TT>read</TT> access to the target's <EM>entry</EM> attribute. To add or delete an entry, the subject must have <TT>write</TT> access to the entry's <TT>entry</TT> attribute AND must have <TT>write</TT> access to the entry's parent's <TT>children</TT> attribute. To rename an entry, the subject must have <TT>write</TT> access to entry's <TT>entry</TT> attribute AND have <TT>write</TT> access to both the old parent's and new parent's <TT>children</TT> attributes. The complete examples at the end of this section should help clear things up.</P>
+<P>There are two special <EM>pseudo</EM> attributes <TT>entry</TT> and <TT>children</TT>. To read (and hence return) a target entry, the subject must have <TT>read</TT> access to the target's <EM>entry</EM> attribute. To perform a search, the subject must have <TT>search</TT> access to the search base's <EM>entry</EM> attribute. To add or delete an entry, the subject must have <TT>write</TT> access to the entry's <TT>entry</TT> attribute AND must have <TT>write</TT> access to the entry's parent's <TT>children</TT> attribute. To rename an entry, the subject must have <TT>write</TT> access to entry's <TT>entry</TT> attribute AND have <TT>write</TT> access to both the old parent's and new parent's <TT>children</TT> attributes. The complete examples at the end of this section should help clear things up.</P>
<P>Lastly, there is a special entry selector <TT>"*"</TT> that is used to select any entry. It is used when no other <TT><what></TT> selector has been provided. It's equivalent to "<TT>dn=.*</TT>"</P>
<H3><A NAME="Who to grant access to">7.3.2. Who to grant access to</A></H3>
<P>The <who> part identifies the entity or entities being granted access. Note that access is granted to "entities" not "entries." The following table summarizes entity specifiers:</P>
@@ -5440,7 +5465,10 @@
slapd: 10.0.0.0/255.0.0.0 127.0.0.1 : ALLOW
slapd: ALL : DENY
</PRE>
-<P>allows only incoming connections from the private network <TT>10.0.0.0</TT> and localhost (<TT>127.0.0.1</TT>) to access the directory service. Note that IP addresses are used as <EM>slapd</EM>(8) is not normally configured to perform reverse lookups.</P>
+<P>allows only incoming connections from the private network <TT>10.0.0.0</TT> and localhost (<TT>127.0.0.1</TT>) to access the directory service.</P>
+<P><HR WIDTH="80%" ALIGN="Left">
+<STRONG>Note: </STRONG>IP addresses are used as <EM>slapd</EM>(8) is not normally configured to perform reverse lookups.
+<HR WIDTH="80%" ALIGN="Left"></P>
<P>It is noted that TCP wrappers require the connection to be accepted. As significant processing is required just to deny a connection, it is generally advised that IP firewall protection be used instead of TCP wrappers.</P>
<P>See <EM>hosts_access</EM>(5) for more information on TCP wrapper rules.</P>
<H2><A NAME="Data Integrity and Confidentiality Protection">13.2. Data Integrity and Confidentiality Protection</A></H2>
@@ -5463,7 +5491,10 @@
<LI>unauthenticated, and
<LI>user/password authenticated.</UL>
<P>Anonymous access is requested by providing no name and no password to the "simple" bind operation. Unauthenticated access is requested by providing a name but no password. Authenticated access is requested by providing a valid name and password.</P>
-<P>An anonymous bind results in an <EM>anonymous</EM> authorization association. Anonymous bind mechanism is enabled by default, but can be disabled by specifying "<TT>disallow bind_anon</TT>" in <EM>slapd.conf</EM>(5). Note that disabling the anonymous bind mechanism does not prevent anonymous access to the directory. To require authentication to access the directory, one should instead specify "<TT>require authc</TT>".</P>
+<P>An anonymous bind results in an <EM>anonymous</EM> authorization association. Anonymous bind mechanism is enabled by default, but can be disabled by specifying "<TT>disallow bind_anon</TT>" in <EM>slapd.conf</EM>(5).</P>
+<P><HR WIDTH="80%" ALIGN="Left">
+<STRONG>Note: </STRONG>Disabling the anonymous bind mechanism does not prevent anonymous access to the directory. To require authentication to access the directory, one should instead specify "<TT>require authc</TT>".
+<HR WIDTH="80%" ALIGN="Left"></P>
<P>An unauthenticated bind also results in an <EM>anonymous</EM> authorization association. Unauthenticated bind mechanism is disabled by default, but can be enabled by specifying "<TT>allow bind_anon_cred</TT>" in <EM>slapd.conf</EM>(5). As a number of LDAP applications mistakenly generate unauthenticated bind request when authenticated access was intended (that is, they do not ensure a password was provided), this mechanism should generally remain disabled.</P>
<P>A successful user/password authenticated bind results in a user authorization identity, the provided name, being associated with the session. User/password authenticated bind is enabled by default. However, as this mechanism itself offers no eavesdropping protection (e.g., the password is set in the clear), it is recommended that it be used only in tightly controlled systems or when the LDAP session is protected by other means (e.g., TLS, <TERM>IPsec</TERM>). Where the administrator relies on TLS to protect the password, it is recommended that unprotected authentication be disabled. This is done using the <TT>security</TT> directive's <TT>simple_bind</TT> option, which provides fine grain control over the level of confidential protection to require for <EM>simple</EM> user/password authentication. E.g., using <TT>security simple_bind=56</TT> would require <EM>simple</EM> binds to use encryption of DES equivalent or better.</P>
<P>The user/password authenticated bind mechanism can be completely disabled by setting "<TT>disallow bind_simple</TT>".</P>
@@ -5471,7 +5502,141 @@
<STRONG>Note: </STRONG>An unsuccessful bind always results in the session having an <EM>anonymous</EM> authorization association.
<HR WIDTH="80%" ALIGN="Left"></P>
<H3><A NAME="SASL method">13.3.2. SASL method</A></H3>
-<P>The LDAP <TERM>SASL</TERM> method allows use of any SASL authentication mechanism. The <A HREF="#Using SASL">Using SASL</A> discusses use of SASL.</P>
+<P>The LDAP <TERM>SASL</TERM> method allows the use of any SASL authentication mechanism. The <A HREF="#Using SASL">Using SASL</A> section discusses the use of SASL.</P>
+<H2><A NAME="Password Storage">13.4. Password Storage</A></H2>
+<P>LDAP passwords are normally stored in the <EM>userPassword</EM> attribute. <A HREF="http://www.rfc-editor.org/rfc/rfc4519.txt">RFC4519</A> specifies that passwords are not stored in encrypted (or hashed) form. This allows a wide range of password-based authentication mechanisms, such as <TT>DIGEST-MD5</TT> to be used. This is also the most interoperable storage scheme.</P>
+<P>However, it may be desirable to store a hash of password instead. <EM>slapd</EM>(8) supports a variety of storage schemes for the administrator to choose from.</P>
+<P><HR WIDTH="80%" ALIGN="Left">
+<STRONG>Note: </STRONG>Values of password attributes, regardless of storage scheme used, should be protected as if they were clear text. Hashed passwords are subject to <EM>dictionary attacks</EM> and <EM>brute-force attacks</EM>.
+<HR WIDTH="80%" ALIGN="Left"></P>
+<P>The <EM>userPassword</EM> attribute is allowed to have more than one value, and it is possible for each value to be stored in a different form. During authentication, <EM>slapd</EM> will iterate through the values until it finds one that matches the offered password or until it runs out of values to inspect. The storage scheme is stored as a prefix on the value, so a hashed password using the Salted SHA1 (<TT>SSHA</TT>) scheme looks like:</P>
+<PRE>
+ userPassword: {SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3
+</PRE>
+<P>The advantage of hashed passwords is that an attacker which discovers the hash does not have direct access to the actual password. Unfortunately, as dictionary and brute force attacks are generally quite easy for attackers to successfully mount, this advantage is marginal at best (this is why all modern Unix systems use shadow password files).</P>
+<P>The disadvantages of hashed storage is that they are non-standard, may cause interoperability problem, and generally preclude the use of stronger than Simple (or SASL/PLAIN) password-based authentication mechanisms such as <TT>DIGEST-MD5</TT>.</P>
+<H3><A NAME="SSHA password storage scheme">13.4.1. SSHA password storage scheme</A></H3>
+<P>This is the salted version of the SHA scheme. It is believed to be the most secure password storage scheme supported by <EM>slapd</EM>.</P>
+<P>These values represent the same password:</P>
+<PRE>
+ userPassword: {SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3
+ userPassword: {SSHA}d0Q0626PSH9VUld7yWpR0k6BlpQmtczb
+</PRE>
+<H3><A NAME="CRYPT password storage scheme">13.4.2. CRYPT password storage scheme</A></H3>
+<P>This scheme uses the operating system's <EM>crypt(3)</EM> hash function. It normally produces the traditional Unix-style 13 character hash, but on systems with <TT>glibc2</TT> it can also generate the more secure 34-byte MD5 hash.</P>
+<PRE>
+ userPassword: {CRYPT}aUihad99hmev6
+ userPassword: {CRYPT}$1$czBJdDqS$TmkzUAb836oMxg/BmIwN.1
+</PRE>
+<P>The advantage of the CRYPT scheme is that passwords can be transferred to or from an existing Unix password file without having to know the cleartext form. Both forms of <EM>crypt</EM> include salt so they have some resistance to dictionary attacks.</P>
+<P><HR WIDTH="80%" ALIGN="Left">
+<STRONG>Note: </STRONG>Since this scheme uses the operating system's <EM>crypt(3)</EM> hash function, it is therefore operating system specific.
+<HR WIDTH="80%" ALIGN="Left"></P>
+<H3><A NAME="MD5 password storage scheme">13.4.3. MD5 password storage scheme</A></H3>
+<P>This scheme simply takes the MD5 hash of the password and stores it in base64 encoded form:</P>
+<PRE>
+ userPassword: {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
+</PRE>
+<P>Although safer than cleartext storage, this is not a very secure scheme. The MD5 algorithm is fast, and because there is no salt the scheme is vulnerable to a dictionary attack.</P>
+<H3><A NAME="SMD5 password storage scheme">13.4.4. SMD5 password storage scheme</A></H3>
+<P>This improves on the basic MD5 scheme by adding salt (random data which means that there are many possible representations of a given plaintext password). For example, both of these values represent the same password:</P>
+<PRE>
+ userPassword: {SMD5}4QWGWZpj9GCmfuqEvm8HtZhZS6E=
+ userPassword: {SMD5}g2/J/7D5EO6+oPdklp5p8YtNFk4=
+</PRE>
+<H3><A NAME="SHA password storage scheme">13.4.5. SHA password storage scheme</A></H3>
+<P>Like the MD5 scheme, this simply feeds the password through an SHA hash process. SHA is thought to be more secure than MD5, but the lack of salt leaves the scheme exposed to dictionary attacks.</P>
+<PRE>
+ userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
+</PRE>
+<H3><A NAME="SASL password storage scheme">13.4.6. SASL password storage scheme</A></H3>
+<P>This is not really a password storage scheme at all. It uses the value of the <EM>userPassword</EM> attribute to delegate password verification to another process. See below for more information.</P>
+<P><HR WIDTH="80%" ALIGN="Left">
+<STRONG>Note: </STRONG>This is not the same as using SASL to authenticate the LDAP session.
+<HR WIDTH="80%" ALIGN="Left"></P>
+<H3><A NAME="KERBEROS password storage scheme">13.4.7. KERBEROS password storage scheme</A></H3>
+<P>This is not really a password storage scheme at all. It uses the value of the <EM>userPassword</EM> attribute to delegate password verification to Kerberos.</P>
+<P><HR WIDTH="80%" ALIGN="Left">
+<STRONG>Note: </STRONG>This is not the same as using Kerberos authentication of the LDAP session.
+<HR WIDTH="80%" ALIGN="Left"></P>
+<P>This scheme could be said to defeat the advantages of Kerberos by causing the Kerberos password to be exposed to the <EM>slapd</EM> server (and possibly on the network as well).</P>
+<H2><A NAME="Pass-Through authentication">13.5. Pass-Through authentication</A></H2>
+<P>Since OpenLDAP 2.0 <EM>slapd</EM> has had the ability to delegate password verification to a separate process. This uses the <EM>sasl_checkpass(3)</EM> function so it can use any back-end server that Cyrus SASL supports for checking passwords. The choice is very wide, as one option is to use <EM>saslauthd(8)</EM> which in turn can use local files, Kerberos, an IMAP server, another LDAP server, or anything supported by the PAM mechanism.</P>
+<P>The server must be built with the <TT>--enable-spasswd</TT> configuration option to enable pass-through authentication.</P>
+<P><HR WIDTH="80%" ALIGN="Left">
+<STRONG>Note: </STRONG>This is not the same as using a SASL mechanism to authenticate the LDAP session.
+<HR WIDTH="80%" ALIGN="Left"></P>
+<P>Pass-Through authentication works only with plaintext passwords, as used in the "simple bind" and "SASL PLAIN" authentication mechanisms.}}</P>
+<P>Pass-Through authentication is selective: it only affects users whose <EM>userPassword</EM> attribute has a value marked with the "{SASL}" scheme. The format of the attribute is:</P>
+<PRE>
+ userPassword: {SASL}username at realm
+</PRE>
+<P>The <EM>username</EM> and <EM>realm</EM> are passed to the SASL authentication mechanism and are used to identify the account whose password is to be verified. This allows arbitrary mapping between entries in OpenLDAP and accounts known to the backend authentication service.</P>
+<P><HR WIDTH="80%" ALIGN="Left">
+<STRONG>Note: </STRONG>There is no support for changing passwords in the backend via <EM>slapd</EM>.
+<HR WIDTH="80%" ALIGN="Left"></P>
+<P>It would be wise to use access control to prevent users from changing their passwords through LDAP where they have pass-through authentication enabled.</P>
+<H3><A NAME="Configuring slapd to use an authentication provider">13.5.1. Configuring slapd to use an authentication provider</A></H3>
+<P>Where an entry has a "{SASL}" password value, OpenLDAP delegates the whole process of validating that entry's password to Cyrus SASL. All the configuration is therefore done in SASL config files.</P>
+<P>The first file to be considered is confusingly named <EM>slapd.conf</EM> and is typically found in the SASL library directory, often <TT>/usr/lib/sasl2/slapd.conf</TT> This file governs the use of SASL when talking LDAP to <EM>slapd</EM> as well as the use of SASL backends for pass-through authentication. See <TT>options.html</TT> in the <A HREF="http://asg.web.cmu.edu/sasl/sasl-library.html">Cyrus SASL</A> docs for full details. Here is a simple example for a server that will use <EM>saslauthd</EM> to verify passwords:</P>
+<PRE>
+ mech_list: plain
+ pwcheck_method: saslauthd
+ saslauthd_path: /var/run/sasl2/mux
+</PRE>
+<H3><A NAME="Configuring saslauthd">13.5.2. Configuring saslauthd</A></H3>
+<P><EM>saslauthd</EM> is capable of using many different authentication services: see <EM>saslauthd(8)</EM> for details. A common requirement is to delegate some or all authentication to another LDAP server. Here is a sample <TT>saslauthd.conf</TT> that uses Microsoft Active Directory (AD):</P>
+<PRE>
+ ldap_servers: ldap://dc1.example.com/ ldap://dc2.example.com/
+
+ ldap_search_base: cn=Users,DC=ad,DC=example,DC=com
+ ldap_filter: (userPrincipalName=%u)
+
+ ldap_bind_dn: cn=saslauthd,cn=Users,DC=ad,DC=example,DC=com
+ ldap_password: secret
+</PRE>
+<P>In this case, <EM>saslauthd</EM> is run with the <TT>ldap</TT> authentication mechanism and is set to combine the SASL realm with the login name:</P>
+<PRE>
+ saslauthd -a ldap -r
+</PRE>
+<P>This means that the "username at realm" string from the <EM>userPassword</EM> attribute ends up being used to search AD for "userPrincipalName=username at realm" - the password is then verified by attempting to bind to AD using the entry found by the search and the password supplied by the LDAP client.</P>
+<H3><A NAME="Testing pass-through authentication">13.5.3. Testing pass-through authentication</A></H3>
+<P>It is usually best to start with the back-end authentication provider and work through <EM>saslauthd</EM> and <EM>slapd</EM> towards the LDAP client.</P>
+<P>In the AD example above, first check that the DN and password that <EM>saslauthd</EM> will use when it connects to AD are valid:</P>
+<PRE>
+ ldapsearch -x -H ldap://dc1.example.com/ \
+ -D cn=saslauthd,cn=Users,DC=ad,DC=example,DC=com \
+ -w secret \
+ -b '' \
+ -s base
+</PRE>
+<P>Next check that a sample AD user can be found:</P>
+<PRE>
+ ldapsearch -x -H ldap://dc1.example.com/ \
+ -D cn=saslauthd,cn=Users,DC=ad,DC=example,DC=com \
+ -w secret \
+ -b cn=Users,DC=ad,DC=example,DC=com \
+ "(userPrincipalName=user at ad.example.com)"
+</PRE>
+<P>Check that the user can bind to AD:</P>
+<PRE>
+ ldapsearch -x -H ldap://dc1.example.com/ \
+ -D cn=user,cn=Users,DC=ad,DC=example,DC=com \
+ -w userpassword \
+ -b cn=user,cn=Users,DC=ad,DC=example,DC=com \
+ -s base \
+ "(objectclass=*)"
+</PRE>
+<P>If all that works then <EM>saslauthd</EM> should be able to do the same:</P>
+<PRE>
+ testsaslauthd -u user at ad.example.com -p userpassword
+ testsaslauthd -u user at ad.example.com -p wrongpassword
+</PRE>
+<P>Now put the magic token into an entry in OpenLDAP:</P>
+<PRE>
+ userPassword: {SASL}user at ad.example.com
+</PRE>
+<P>It should now be possible to bind to OpenLDAP using the DN of that entry and the password of the AD user.</P>
<P></P>
<HR>
<H1><A NAME="Using SASL">14. Using SASL</A></H1>
@@ -7050,6 +7215,19 @@
<PRE>
olcReplicationInterval: value #0: <olcReplicationInterval> keyword is obsolete (ignored)
</PRE>
+<H2><A NAME="ACLs: searches require privileges on the search base">B.3. ACLs: searches require privileges on the search base</A></H2>
+<P>Search operations now require "search" privileges on the "entry" pseudo-attribute of the search base. While upgrading from 2.3.x, make sure your ACLs grant such privileges to all desired search bases.</P>
+<P>For example, assuming you have the following ACL:</P>
+<PRE>
+ access to dn.sub="ou=people,dc=example,dc=com" by * search
+</PRE>
+<P>Searches using a base of "dc=example,dc=com" will only be allowed if you add the following ACL:</P>
+<PRE>
+ access to dn.base="dc=example,dc=com" attrs=entry by * search
+</PRE>
+<P><HR WIDTH="80%" ALIGN="Left">
+<STRONG>Note: </STRONG>The <EM>slapd.access</EM>(5) man page states that this requirement was introduced with OpenLDAP 2.3. However, it is the default behavior only since 2.4.
+<HR WIDTH="80%" ALIGN="Left"></P>
<P>ADD MORE HERE</P>
<P></P>
<HR>
@@ -9782,10 +9960,10 @@
<P>This work is derived from the University of Michigan LDAP v3.3 distribution. Information concerning this software is available at <<A HREF="http://www.umich.edu/~dirsvcs/ldap/ldap.html">http://www.umich.edu/~dirsvcs/ldap/ldap.html</A>>.</P>
<P>This work also contains materials derived from public sources.</P>
<P>Additional information about OpenLDAP software can be obtained at <<A HREF="http://www.OpenLDAP.org/">http://www.OpenLDAP.org/</A>>.</P>
-<H2><A NAME="Additional Copyright Notice">K.2. Additional Copyright Notice</A></H2>
+<H2><A NAME="Additional Copyright Notices">K.2. Additional Copyright Notices</A></H2>
<P>Portions Copyright 1998-2008 Kurt D. Zeilenga.<BR>Portions Copyright 1998-2006 Net Boolean Incorporated.<BR>Portions Copyright 2001-2006 IBM Corporation.<BR><EM>All rights reserved.</EM></P>
<P>Redistribution and use in source and binary forms, with or without modification, are permitted only as authorized by the <A HREF="#OpenLDAP Public License">OpenLDAP Public License</A>.</P>
-<P>Portions Copyright 1999-2007 Howard Y.H. Chu.<BR>Portions Copyright 1999-2007 Symas Corporation.<BR>Portions Copyright 1998-2003 Hallvard B. Furuseth.<BR>Portions Copyright 2007-2008 Gavin Henry<BR>Portions Copyright 2007-2008 Suretec Systems Limited.<BR><EM>All rights reserved.</EM></P>
+<P>Portions Copyright 1999-2007 Howard Y.H. Chu.<BR>Portions Copyright 1999-2007 Symas Corporation.<BR>Portions Copyright 1998-2003 Hallvard B. Furuseth.<BR>Portions Copyright 2007-2008 Gavin Henry.<BR>Portions Copyright 2007-2008 Suretec Systems Limited.<BR><EM>All rights reserved.</EM></P>
<P>Redistribution and use in source and binary forms, with or without modification, are permitted provided that this notice is preserved. The names of the copyright holders may not be used to endorse or promote products derived from this software without their specific prior written permission. This software is provided ``as is'' without express or implied warranty.</P>
<H2><A NAME="University of Michigan Copyright Notice">K.3. University of Michigan Copyright Notice</A></H2>
<P>Portions Copyright 1992-1996 Regents of the University of Michigan.<BR><EM>All rights reserved.</EM></P>
Modified: openldap/trunk/doc/guide/admin/preface.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/preface.sdf 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/doc/guide/admin/preface.sdf 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,4 +1,4 @@
-# $OpenLDAP: pkg/openldap-guide/admin/preface.sdf,v 1.25.2.5 2008/02/11 23:26:39 kurt Exp $
+# $OpenLDAP: pkg/openldap-guide/admin/preface.sdf,v 1.25.2.6 2008/05/27 21:56:55 kurt Exp $
# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
#
@@ -9,7 +9,7 @@
# document's copyright
P2[notoc] Copyright
-Copyright 1998-2007, The {{ORG[expand]OLF}}, {{All Rights Reserved}}.
+Copyright 1998-2008, The {{ORG[expand]OLF}}, {{All Rights Reserved}}.
Copyright 1992-1996, Regents of the {{ORG[expand]UM}}, {{All Rights Reserved}}.
@@ -19,6 +19,9 @@
Complete copies of the notices and associated license can be found
in Appendix K and L, respectively.
+Portions of OpenLDAP Software and this document may be copyright
+by other parties and/or subject to additional restrictions. Individual
+source files should be consulted for additional copyright notices.
P2[notoc] Scope of this Document
Modified: openldap/trunk/doc/guide/admin/security.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/security.sdf 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/doc/guide/admin/security.sdf 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,5 +1,6 @@
-# $OpenLDAP: pkg/openldap-guide/admin/security.sdf,v 1.16.2.6 2008/02/11 23:26:39 kurt Exp $
+# $OpenLDAP: pkg/openldap-guide/admin/security.sdf,v 1.16.2.8 2008/05/29 16:19:01 quanah Exp $
# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
+# Portions Copyright 2008 Andrew Findlay.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Security Considerations
@@ -58,7 +59,8 @@
allows only incoming connections from the private network {{F:10.0.0.0}}
and localhost ({{F:127.0.0.1}}) to access the directory service.
-Note that IP addresses are used as {{slapd}}(8) is not normally
+
+Note: IP addresses are used as {{slapd}}(8) is not normally
configured to perform reverse lookups.
It is noted that TCP wrappers require the connection to be accepted.
@@ -127,11 +129,12 @@
An anonymous bind results in an {{anonymous}} authorization
association. Anonymous bind mechanism is enabled by default, but
can be disabled by specifying "{{EX:disallow bind_anon}}" in
-{{slapd.conf}}(5). Note that disabling the anonymous bind mechanism
-does not prevent anonymous access to the directory. To require
-authentication to access the directory, one should instead
-specify "{{EX:require authc}}".
+{{slapd.conf}}(5).
+Note: Disabling the anonymous bind mechanism does not prevent
+anonymous access to the directory. To require authentication to
+access the directory, one should instead specify "{{EX:require authc}}".
+
An unauthenticated bind also results in an {{anonymous}} authorization
association. Unauthenticated bind mechanism is disabled by default,
but can be enabled by specifying "{{EX:allow bind_anon_cred}}" in
@@ -158,12 +161,255 @@
The user/password authenticated bind mechanism can be completely
disabled by setting "{{EX:disallow bind_simple}}".
-Note: An unsuccessful bind always results in the session having
+Note: An unsuccessful bind always results in the session having
an {{anonymous}} authorization association.
H3: SASL method
-The LDAP {{TERM:SASL}} method allows use of any SASL authentication
-mechanism. The {{SECT:Using SASL}} discusses use of SASL.
+The LDAP {{TERM:SASL}} method allows the use of any SASL authentication
+mechanism. The {{SECT:Using SASL}} section discusses the use of SASL.
+H2: Password Storage
+
+LDAP passwords are normally stored in the {{userPassword}} attribute.
+{{REF:RFC4519}} specifies that passwords are not stored in encrypted
+(or hashed) form. This allows a wide range of password-based
+authentication mechanisms, such as {{EX:DIGEST-MD5}} to be used.
+This is also the most interoperable storage scheme.
+
+However, it may be desirable to store a hash of password instead.
+{{slapd}}(8) supports a variety of storage schemes for the administrator
+to choose from.
+
+Note: Values of password attributes, regardless of storage scheme
+used, should be protected as if they were clear text. Hashed
+passwords are subject to {{dictionary attacks}} and {{brute-force
+attacks}}.
+
+The {{userPassword}} attribute is allowed to have more than one value,
+and it is possible for each value to be stored in a different form.
+During authentication, {{slapd}} will iterate through the values
+until it finds one that matches the offered password or until it
+runs out of values to inspect. The storage scheme is stored as a prefix
+on the value, so a hashed password using the Salted SHA1 ({{EX:SSHA}})
+scheme looks like:
+
+> userPassword: {SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3
+
+The advantage of hashed passwords is that an attacker which
+discovers the hash does not have direct access to the actual password.
+Unfortunately, as dictionary and brute force attacks are generally
+quite easy for attackers to successfully mount, this advantage is
+marginal at best (this is why all modern Unix systems use shadow
+password files).
+
+The disadvantages of hashed storage is that they are non-standard, may
+cause interoperability problem, and generally preclude the use
+of stronger than Simple (or SASL/PLAIN) password-based authentication
+mechanisms such as {{EX:DIGEST-MD5}}.
+
+H3: SSHA password storage scheme
+
+This is the salted version of the SHA scheme. It is believed to be the
+most secure password storage scheme supported by {{slapd}}.
+
+These values represent the same password:
+
+> userPassword: {SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3
+> userPassword: {SSHA}d0Q0626PSH9VUld7yWpR0k6BlpQmtczb
+
+H3: CRYPT password storage scheme
+
+This scheme uses the operating system's {{crypt(3)}} hash function.
+It normally produces the traditional Unix-style 13 character hash, but
+on systems with {{EX:glibc2}} it can also generate the more secure
+34-byte MD5 hash.
+
+> userPassword: {CRYPT}aUihad99hmev6
+> userPassword: {CRYPT}$1$czBJdDqS$TmkzUAb836oMxg/BmIwN.1
+
+The advantage of the CRYPT scheme is that passwords can be
+transferred to or from an existing Unix password file without having
+to know the cleartext form. Both forms of {{crypt}} include salt so
+they have some resistance to dictionary attacks.
+
+Note: Since this scheme uses the operating system's {{crypt(3)}}
+hash function, it is therefore operating system specific.
+
+H3: MD5 password storage scheme
+
+This scheme simply takes the MD5 hash of the password and stores it in
+base64 encoded form:
+
+> userPassword: {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
+
+Although safer than cleartext storage, this is not a very secure
+scheme. The MD5 algorithm is fast, and because there is no salt the
+scheme is vulnerable to a dictionary attack.
+
+H3: SMD5 password storage scheme
+
+This improves on the basic MD5 scheme by adding salt (random data
+which means that there are many possible representations of a given
+plaintext password). For example, both of these values represent the
+same password:
+
+> userPassword: {SMD5}4QWGWZpj9GCmfuqEvm8HtZhZS6E=
+> userPassword: {SMD5}g2/J/7D5EO6+oPdklp5p8YtNFk4=
+
+H3: SHA password storage scheme
+
+Like the MD5 scheme, this simply feeds the password through an SHA
+hash process. SHA is thought to be more secure than MD5, but the lack
+of salt leaves the scheme exposed to dictionary attacks.
+
+> userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
+
+H3: SASL password storage scheme
+
+This is not really a password storage scheme at all. It uses the
+value of the {{userPassword}} attribute to delegate password
+verification to another process. See below for more information.
+
+Note: This is not the same as using SASL to authenticate the LDAP
+session.
+
+H3: KERBEROS password storage scheme
+
+This is not really a password storage scheme at all. It uses the
+value of the {{userPassword}} attribute to delegate password
+verification to Kerberos.
+
+Note: This is not the same as using Kerberos authentication of
+the LDAP session.
+
+This scheme could be said to defeat the advantages of Kerberos by
+causing the Kerberos password to be exposed to the {{slapd}} server
+(and possibly on the network as well).
+
+H2: Pass-Through authentication
+
+Since OpenLDAP 2.0 {{slapd}} has had the ability to delegate password
+verification to a separate process. This uses the {{sasl_checkpass(3)}}
+function so it can use any back-end server that Cyrus SASL supports for
+checking passwords. The choice is very wide, as one option is to use
+{{saslauthd(8)}} which in turn can use local files, Kerberos, an IMAP
+server, another LDAP server, or anything supported by the PAM mechanism.
+
+The server must be built with the {{EX:--enable-spasswd}}
+configuration option to enable pass-through authentication.
+
+Note: This is not the same as using a SASL mechanism to
+authenticate the LDAP session.
+
+Pass-Through authentication works only with plaintext passwords, as
+used in the "simple bind" and "SASL PLAIN" authentication mechanisms.}}
+
+Pass-Through authentication is selective: it only affects users whose
+{{userPassword}} attribute has a value marked with the "{SASL}"
+scheme. The format of the attribute is:
+
+> userPassword: {SASL}username at realm
+
+The {{username}} and {{realm}} are passed to the SASL authentication
+mechanism and are used to identify the account whose password is to be
+verified. This allows arbitrary mapping between entries in OpenLDAP
+and accounts known to the backend authentication service.
+
+Note: There is no support for changing passwords in the backend
+via {{slapd}}.
+
+It would be wise to use access control to prevent users from changing
+their passwords through LDAP where they have pass-through authentication
+enabled.
+
+
+H3: Configuring slapd to use an authentication provider
+
+Where an entry has a "{SASL}" password value, OpenLDAP delegates the
+whole process of validating that entry's password to Cyrus SASL. All
+the configuration is therefore done in SASL config files.
+
+The first
+file to be considered is confusingly named {{slapd.conf}} and is
+typically found in the SASL library directory, often
+{{EX:/usr/lib/sasl2/slapd.conf}} This file governs the use of SASL
+when talking LDAP to {{slapd}} as well as the use of SASL backends for
+pass-through authentication. See {{EX:options.html}} in the {{PRD:Cyrus SASL}}
+docs for full details. Here is a simple example for a server that will
+use {{saslauthd}} to verify passwords:
+
+> mech_list: plain
+> pwcheck_method: saslauthd
+> saslauthd_path: /var/run/sasl2/mux
+
+H3: Configuring saslauthd
+
+{{saslauthd}} is capable of using many different authentication
+services: see {{saslauthd(8)}} for details. A common requirement is to
+delegate some or all authentication to another LDAP server. Here is a
+sample {{EX:saslauthd.conf}} that uses Microsoft Active Directory (AD):
+
+> ldap_servers: ldap://dc1.example.com/ ldap://dc2.example.com/
+>
+> ldap_search_base: cn=Users,DC=ad,DC=example,DC=com
+> ldap_filter: (userPrincipalName=%u)
+>
+> ldap_bind_dn: cn=saslauthd,cn=Users,DC=ad,DC=example,DC=com
+> ldap_password: secret
+
+In this case, {{saslauthd}} is run with the {{EX:ldap}} authentication
+mechanism and is set to combine the SASL realm with the login name:
+
+> saslauthd -a ldap -r
+
+This means that the "username at realm" string from the {{userPassword}}
+attribute ends up being used to search AD for
+"userPrincipalName=username at realm" - the password is then verified by
+attempting to bind to AD using the entry found by the search and the
+password supplied by the LDAP client.
+
+H3: Testing pass-through authentication
+
+It is usually best to start with the back-end authentication provider
+and work through {{saslauthd}} and {{slapd}} towards the LDAP client.
+
+In the AD example above, first check that the DN and password that
+{{saslauthd}} will use when it connects to AD are valid:
+
+> ldapsearch -x -H ldap://dc1.example.com/ \
+> -D cn=saslauthd,cn=Users,DC=ad,DC=example,DC=com \
+> -w secret \
+> -b '' \
+> -s base
+
+Next check that a sample AD user can be found:
+
+> ldapsearch -x -H ldap://dc1.example.com/ \
+> -D cn=saslauthd,cn=Users,DC=ad,DC=example,DC=com \
+> -w secret \
+> -b cn=Users,DC=ad,DC=example,DC=com \
+> "(userPrincipalName=user at ad.example.com)"
+
+Check that the user can bind to AD:
+
+> ldapsearch -x -H ldap://dc1.example.com/ \
+> -D cn=user,cn=Users,DC=ad,DC=example,DC=com \
+> -w userpassword \
+> -b cn=user,cn=Users,DC=ad,DC=example,DC=com \
+> -s base \
+> "(objectclass=*)"
+
+If all that works then {{saslauthd}} should be able to do the same:
+
+> testsaslauthd -u user at ad.example.com -p userpassword
+> testsaslauthd -u user at ad.example.com -p wrongpassword
+
+Now put the magic token into an entry in OpenLDAP:
+
+> userPassword: {SASL}user at ad.example.com
+
+It should now be possible to bind to OpenLDAP using the DN of that
+entry and the password of the AD user.
+
Modified: openldap/trunk/doc/guide/release/copyright.sdf
===================================================================
--- openldap/trunk/doc/guide/release/copyright.sdf 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/doc/guide/release/copyright.sdf 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,4 +1,4 @@
-# $OpenLDAP: pkg/openldap-guide/release/copyright.sdf,v 1.22.2.6 2008/04/14 20:51:25 quanah Exp $
+# $OpenLDAP: pkg/openldap-guide/release/copyright.sdf,v 1.22.2.7 2008/05/27 21:56:55 kurt Exp $
# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
@@ -40,7 +40,7 @@
<{{URL:http://www.OpenLDAP.org/}}>.
-H2: Additional Copyright Notice
+H2: Additional Copyright Notices
!block nofill
Portions [[copyright]] 1998-2008 Kurt D. Zeilenga.
@@ -58,7 +58,7 @@
Portions [[copyright]] 1999-2007 Howard Y.H. Chu.
Portions [[copyright]] 1999-2007 Symas Corporation.
Portions [[copyright]] 1998-2003 Hallvard B. Furuseth.
-Portions [[copyright]] 2007-2008 Gavin Henry
+Portions [[copyright]] 2007-2008 Gavin Henry.
Portions [[copyright]] 2007-2008 Suretec Systems Limited.
{{All rights reserved.}}
!endblock
Modified: openldap/trunk/doc/man/man5/slapd-config.5
===================================================================
--- openldap/trunk/doc/man/man5/slapd-config.5 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/doc/man/man5/slapd-config.5 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,7 +1,7 @@
.TH SLAPD-CONFIG 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-config.5,v 1.13.2.7 2008/02/11 23:26:39 kurt Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-config.5,v 1.13.2.9 2008/05/29 22:54:56 quanah Exp $
.SH NAME
slapd-config \- configuration backend to slapd
.SH SYNOPSIS
@@ -720,7 +720,9 @@
.B olcServerID: <integer> [<URL>]
Specify an integer ID from 0 to 4095 for this server. These IDs are
required when using multimaster replication and each master must have a
-unique ID. If the URL is provided, this directive may be specified
+unique ID. Note that this requirement also applies to separate masters
+contributing to a glued set of databases.
+If the URL is provided, this directive may be specified
multiple times, providing a complete list of participating servers
and their IDs. The fully qualified hostname of each server should be
used in the supplied URLs. The IDs are used in the "replica id" field
@@ -1585,6 +1587,8 @@
.B [sizelimit=<limit>]
.B [timelimit=<limit>]
.B [schemachecking=on|off]
+.B [network-timeout=<seconds>]
+.B [timeout=<seconds>]
.B [bindmethod=simple|sasl]
.B [binddn=<dn>]
.B [saslmech=<mech>]
@@ -1687,6 +1691,17 @@
.B schemachecking
parameter. The default is off.
+The
+.B network-timeout
+parameter sets how long the consumer will wait to establish a
+network connection to the provider. Once a connection is
+established, the
+.B timeout
+parameter determines how long the consumer will wait for the initial
+Bind request to complete. The defaults for these parameters come
+from
+.BR ldap.conf (5).
+
A
.B bindmethod
of
Modified: openldap/trunk/doc/man/man5/slapd.conf.5
===================================================================
--- openldap/trunk/doc/man/man5/slapd.conf.5 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/doc/man/man5/slapd.conf.5 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,7 +1,7 @@
.TH SLAPD.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd.conf.5,v 1.239.2.15 2008/02/11 23:26:40 kurt Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd.conf.5,v 1.239.2.18 2008/05/29 22:54:56 quanah Exp $
.SH NAME
slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
.SH SYNOPSIS
@@ -871,7 +871,9 @@
to 3 hexadecimal digits).
These IDs are
required when using multimaster replication and each master must have a
-unique ID. If the URL is provided, this directive may be specified
+unique ID. Note that this requirement also applies to separate masters
+contributing to a glued set of databases.
+If the URL is provided, this directive may be specified
multiple times, providing a complete list of participating servers
and their IDs. The fully qualified hostname of each server should be
used in the supplied URLs. The IDs are used in the "replica id" field
@@ -1397,67 +1399,6 @@
This option puts the database into "read-only" mode. Any attempts to
modify the database will return an "unwilling to perform" error. By
default, readonly is off.
-.HP
-.hy 0
-.B replica uri=ldap[s]://<hostname>[:port]|host=<hostname>[:port]
-.B [starttls=yes|critical]
-.B [suffix=<suffix> [...]]
-.B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
-.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
-.B [authcId=<authentication ID>] [authzId=<authorization ID>]
-.B [attrs[!]=<attr list>]
-.RS
-Specify a replication site for this database. Refer to the "OpenLDAP
-Administrator's Guide" for detailed information on setting up a replicated
-.B slapd
-directory service. Zero or more
-.B suffix
-instances can be used to select the subtrees that will be replicated
-(defaults to all the database).
-.B host
-is deprecated in favor of the
-.B uri
-option.
-.B uri
-allows the replica LDAP server to be specified as an LDAP URI.
-A
-.B bindmethod
-of
-.B simple
-requires the options
-.B binddn
-and
-.B credentials
-and should only be used when adequate security services
-(e.g TLS or IPSEC) are in place. A
-.B bindmethod
-of
-.B sasl
-requires the option
-.B saslmech.
-Specific security properties (as with the
-.B sasl-secprops
-keyword above) for a SASL bind can be set with the
-.B secprops
-option. A non-default SASL realm can be set with the
-.B realm
-option.
-If the
-.B mechanism
-will use Kerberos, a kerberos instance should be given in
-.B authcId.
-An
-.B attr list
-can be given after the
-.B attrs
-keyword to allow the selective replication of the listed attributes only;
-if the optional
-.B !
-mark is used, the list is considered exclusive, i.e. the listed attributes
-are not replicated.
-If an objectClass is listed, all the related attributes
-are (are not) replicated.
-.RE
.TP
.B restrict <oplist>
Specify a whitespace separated list of operations that are restricted.
@@ -1583,6 +1524,8 @@
.B [sizelimit=<limit>]
.B [timelimit=<limit>]
.B [schemachecking=on|off]
+.B [network-timeout=<seconds>]
+.B [timeout=<seconds>]
.B [bindmethod=simple|sasl]
.B [binddn=<dn>]
.B [saslmech=<mech>]
@@ -1694,6 +1637,17 @@
As a consequence, schema checking should be \fBoff\fP when partial
replication is used.
+The
+.B network-timeout
+parameter sets how long the consumer will wait to establish a
+network connection to the provider. Once a connection is
+established, the
+.B timeout
+parameter determines how long the consumer will wait for the initial
+Bind request to complete. The defaults for these parameters come
+from
+.BR ldap.conf (5).
+
A
.B bindmethod
of
Modified: openldap/trunk/doc/man/man5/slapo-constraint.5
===================================================================
--- openldap/trunk/doc/man/man5/slapo-constraint.5 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/doc/man/man5/slapo-constraint.5 2008-06-28 15:17:20 UTC (rev 1149)
@@ -2,7 +2,7 @@
.\" Copyright 2005-2006 Hewlett-Packard Company
.\" Copyright 2006-2008 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-constraint.5,v 1.2.2.4 2008/02/12 00:20:58 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-constraint.5,v 1.2.2.5 2008/05/27 19:59:47 quanah Exp $
.SH NAME
slapo-constraint \- Attribute Constraint Overlay to slapd
.SH SYNOPSIS
@@ -31,7 +31,9 @@
Specifies the constraint which should apply to the attribute named as
the first parameter.
Two types of constraint are currently supported -
-.B regex
+.B regex ,
+.B size ,
+.B count ,
and
.BR uri .
@@ -45,6 +47,12 @@
It must not include a hostname, and it must include a list of attributes
to evaluate.
+The
+.B size
+type can be used to enfore a limit on an attribute length, and the
+.B count
+type limits the count of an attribute.
+
Any attempt to add or modify an attribute named as part of the
constraint overlay specification which does not fit the
constraint listed will fail with a
@@ -54,6 +62,8 @@
.RS
.nf
overlay constraint
+constraint_attribute jpegPhoto size 131072
+constraint_attribute userPassword count 3
constraint_attribute mail regex ^[:alnum:]+ at mydomain.com$
constraint_attribute title uri
ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog)
Modified: openldap/trunk/doc/man/man5/slapo-refint.5
===================================================================
--- openldap/trunk/doc/man/man5/slapo-refint.5 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/doc/man/man5/slapo-refint.5 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,7 +1,7 @@
.TH SLAPO-REFINT 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 2004-2008 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-refint.5,v 1.5.2.4 2008/02/11 23:26:40 kurt Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-refint.5,v 1.5.2.5 2008/05/27 20:18:19 quanah Exp $
.SH NAME
slapo-refint \- Referential Integrity overlay to slapd
.SH SYNOPSIS
@@ -39,7 +39,7 @@
.B overlay
directive.
.TP
-.B refint_attributes <attribute...>
+.B refint_attributes <attribute> [...]
Specify one or more attributes for which integrity will be maintained
as described above.
.TP
@@ -49,6 +49,12 @@
where the schema requires the existence of an attribute for which referential
integrity is enforced. The attempted deletion of a required attribute will
otherwise result in an Object Class Violation, causing the request to fail.
+The string must be a valid DN.
+.TP
+.B refint_modifiersname <DN>
+Specify the DN to be used as the modifiersName of the internal modifications
+performed by the overlay.
+It defaults to "\fIcn=Referential Integrity Overlay\fP".
.B
.SH FILES
.TP
Modified: openldap/trunk/doc/man/man5/slapo-rwm.5
===================================================================
--- openldap/trunk/doc/man/man5/slapo-rwm.5 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/doc/man/man5/slapo-rwm.5 2008-06-28 15:17:20 UTC (rev 1149)
@@ -2,7 +2,7 @@
.\" Copyright 1998-2008 The OpenLDAP Foundation, All Rights Reserved.
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" Copyright 2004, Pierangelo Masarati, All rights reserved. <ando at sys-net.it>
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-rwm.5,v 1.14.2.4 2008/02/11 23:26:40 kurt Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-rwm.5,v 1.14.2.5 2008/05/19 23:44:27 quanah Exp $
.\"
.\" Portions of this document should probably be moved to slapd-ldap(5)
.\" and maybe manual pages for librewrite.
@@ -427,8 +427,8 @@
with the `M{n}' flag.
.SH "MAPS"
-Currently, few maps are builtin and there are no provisions for developers
-to register new map types at runtime.
+Currently, few maps are builtin but additional map types may be
+registered at runtime.
Supported maps are:
.TP
@@ -470,6 +470,20 @@
can be 2 or 3 to indicate the protocol version that must be used.
The default is 3.
+.TP
+.B slapd <URI>
+The
+.B slapd
+map expands a value by performing an internal LDAP search.
+Its configuration is based on a mandatory URI, which must begin with
+.B "ldap:///"
+(i.e., it must be an LDAP URI and it must not specify a host).
+As with the
+LDAP map, the
+.B attrs
+portion must contain exactly one attribute, and if
+a multi-valued attribute is used, only the first value is considered.
+
.SH "REWRITE CONFIGURATION EXAMPLES"
.nf
# set to `off' to disable rewriting
Copied: openldap/trunk/doc/rfc (from rev 1148, openldap/vendor/openldap-2.4.10/doc/rfc)
Modified: openldap/trunk/libraries/libldap/os-ip.c
===================================================================
--- openldap/trunk/libraries/libldap/os-ip.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/libraries/libldap/os-ip.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,5 +1,5 @@
/* os-ip.c -- platform-specific TCP & UDP related code */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/os-ip.c,v 1.118.2.7 2008/04/15 00:00:36 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/os-ip.c,v 1.118.2.8 2008/05/20 00:05:30 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2008 The OpenLDAP Foundation.
@@ -36,6 +36,9 @@
#ifdef HAVE_IO_H
#include <io.h>
#endif /* HAVE_IO_H */
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
#include "ldap-int.h"
@@ -110,6 +113,9 @@
{
ber_socket_t s = socket(family, type, 0);
osip_debug(ld, "ldap_new_socket: %d\n",s,0,0);
+#ifdef FD_CLOEXEC
+ fcntl(s, F_SETFD, FD_CLOEXEC);
+#endif
return ( s );
}
Modified: openldap/trunk/libraries/libldap/os-local.c
===================================================================
--- openldap/trunk/libraries/libldap/os-local.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/libraries/libldap/os-local.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,5 +1,5 @@
/* os-local.c -- platform-specific domain socket code */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/os-local.c,v 1.44.2.3 2008/02/11 23:26:41 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/os-local.c,v 1.44.2.4 2008/05/20 00:05:30 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2008 The OpenLDAP Foundation.
@@ -47,6 +47,9 @@
#ifdef HAVE_IO_H
#include <io.h>
#endif /* HAVE_IO_H */
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
#include "ldap-int.h"
#include "ldap_defaults.h"
@@ -89,6 +92,9 @@
{
ber_socket_t s = socket(PF_LOCAL, SOCK_STREAM, 0);
oslocal_debug(ld, "ldap_new_socket: %d\n",s,0,0);
+#ifdef FD_CLOEXEC
+ fcntl(s, F_SETFD, FD_CLOEXEC);
+#endif
return ( s );
}
Modified: openldap/trunk/libraries/libldap/request.c
===================================================================
--- openldap/trunk/libraries/libldap/request.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/libraries/libldap/request.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/request.c,v 1.125.2.7 2008/02/11 23:26:41 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/request.c,v 1.125.2.8 2008/05/27 20:08:37 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2008 The OpenLDAP Foundation.
@@ -631,6 +631,9 @@
} else {
prevlc->lconn_next = tmplc->lconn_next;
}
+ if ( ld->ld_defconn == lc ) {
+ ld->ld_defconn = NULL;
+ }
break;
}
prevlc = tmplc;
@@ -675,6 +678,8 @@
if ( lc->lconn_sb != ld->ld_sb ) {
ber_sockbuf_free( lc->lconn_sb );
+ } else {
+ ber_int_sb_close( lc->lconn_sb );
}
if ( lc->lconn_rebind_queue != NULL) {
Modified: openldap/trunk/libraries/libldap/result.c
===================================================================
--- openldap/trunk/libraries/libldap/result.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/libraries/libldap/result.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,5 +1,5 @@
/* result.c - wait for an ldap result */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/result.c,v 1.124.2.10 2008/02/11 23:26:41 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/result.c,v 1.124.2.11 2008/05/28 16:20:07 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2008 The OpenLDAP Foundation.
@@ -582,6 +582,11 @@
/* id == 0 iff unsolicited notification message (RFC 4511) */
+ /* id < 0 is invalid, just toss it. FIXME: should we disconnect? */
+ if ( id < 0 ) {
+ goto retry_ber;
+ }
+
/* if it's been abandoned, toss it */
if ( id > 0 ) {
if ( ldap_abandoned( ld, id, &idx ) ) {
@@ -602,8 +607,8 @@
}
Debug( LDAP_DEBUG_ANY,
- "abandoned/discarded ld %p msgid %ld message type %s\n",
- (void *)ld, (long)id, ldap_int_msgtype2str( tag ) );
+ "abandoned/discarded ld %p msgid %d message type %s\n",
+ (void *)ld, id, ldap_int_msgtype2str( tag ) );
retry_ber:
ber_free( ber, 1 );
@@ -629,8 +634,8 @@
}
Debug( LDAP_DEBUG_ANY,
- "no request for response on ld %p msgid %ld message type %s (tossing)\n",
- (void *)ld, (long)id, msg );
+ "no request for response on ld %p msgid %d message type %s (tossing)\n",
+ (void *)ld, id, msg );
goto retry_ber;
}
@@ -652,8 +657,8 @@
}
Debug( LDAP_DEBUG_TRACE,
- "read1msg: ld %p msgid %ld message type %s\n",
- (void *)ld, (long)lr->lr_msgid, ldap_int_msgtype2str( tag ) );
+ "read1msg: ld %p msgid %d message type %s\n",
+ (void *)ld, id, ldap_int_msgtype2str( tag ) );
if ( id == 0 ) {
/* unsolicited notification message (RFC 4511) */
@@ -900,8 +905,8 @@
{
id = lr->lr_msgid;
tag = lr->lr_res_msgtype;
- Debug( LDAP_DEBUG_TRACE, "request done: ld %p msgid %ld\n",
- (void *)ld, (long) id, 0 );
+ Debug( LDAP_DEBUG_TRACE, "request done: ld %p msgid %d\n",
+ (void *)ld, id, 0 );
Debug( LDAP_DEBUG_TRACE,
"res_errno: %d, res_error: <%s>, "
"res_matched: <%s>\n",
@@ -1156,8 +1161,8 @@
goto exit;
}
- Debug( LDAP_DEBUG_TRACE, "adding response ld %p msgid %ld type %ld:\n",
- (void *)ld, (long) newmsg->lm_msgid, (long) newmsg->lm_msgtype );
+ Debug( LDAP_DEBUG_TRACE, "adding response ld %p msgid %d type %ld:\n",
+ (void *)ld, newmsg->lm_msgid, (long) newmsg->lm_msgtype );
/* part of a search response - add to end of list of entries */
l->lm_chain_tail->lm_chain = newmsg;
Modified: openldap/trunk/libraries/libldap/t61.c
===================================================================
--- openldap/trunk/libraries/libldap/t61.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/libraries/libldap/t61.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/t61.c,v 1.9.2.3 2008/02/11 23:26:41 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/t61.c,v 1.9.2.4 2008/06/02 17:20:13 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2002-2008 The OpenLDAP Foundation.
@@ -684,6 +684,8 @@
*d++ = 0x3f;
break;
}
+ i += j;
+ c += j;
}
*d = '\0';
return LDAP_SUCCESS;
Modified: openldap/trunk/libraries/libldap_r/thr_stub.c
===================================================================
--- openldap/trunk/libraries/libldap_r/thr_stub.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/libraries/libldap_r/thr_stub.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,5 +1,5 @@
/* thr_stub.c - stubs for the threads */
-/* $OpenLDAP: pkg/ldap/libraries/libldap_r/thr_stub.c,v 1.27.2.7 2008/02/11 23:26:42 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap_r/thr_stub.c,v 1.27.2.8 2008/05/27 20:07:31 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2008 The OpenLDAP Foundation.
@@ -226,6 +226,16 @@
return(0);
}
+int ldap_pvt_thread_pool_pausing( ldap_pvt_thread_pool_t *tpool )
+{
+ return(0);
+}
+
+ldap_pvt_thread_pool_pausecheck( ldap_pvt_thread_pool_t *tpool )
+{
+ return(0);
+}
+
void *ldap_pvt_thread_pool_context( )
{
return(NULL);
Modified: openldap/trunk/servers/slapd/acl.c
===================================================================
--- openldap/trunk/servers/slapd/acl.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/acl.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,5 +1,5 @@
/* acl.c - routines to parse and check acl's */
-/* $OpenLDAP: pkg/ldap/servers/slapd/acl.c,v 1.303.2.15 2008/05/01 21:40:09 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/acl.c,v 1.303.2.16 2008/05/20 00:08:13 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2008 The OpenLDAP Foundation.
@@ -2049,11 +2049,11 @@
bvalsp = a->a_nvals;
}
}
- }
- if ( bvalsp ) {
- p->bvals = slap_set_join( p->cookie, p->bvals,
- ( '|' | SLAP_SET_RREF ), bvalsp );
+ if ( bvalsp ) {
+ p->bvals = slap_set_join( p->cookie, p->bvals,
+ ( '|' | SLAP_SET_RREF ), bvalsp );
+ }
}
} else {
Modified: openldap/trunk/servers/slapd/back-bdb/attr.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/attr.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/back-bdb/attr.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,5 +1,5 @@
/* attr.c - backend routines for dealing with attributes */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/attr.c,v 1.36.2.3 2008/02/11 23:26:45 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/attr.c,v 1.36.2.4 2008/05/27 20:26:12 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2000-2008 The OpenLDAP Foundation.
@@ -292,6 +292,7 @@
b->ai_indexmask = b->ai_newmask;
b->ai_newmask = a->ai_newmask;
ch_free( a );
+ rc = 0;
continue;
}
fprintf( stderr,
Modified: openldap/trunk/servers/slapd/back-bdb/dn2id.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/dn2id.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/back-bdb/dn2id.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,5 +1,5 @@
/* dn2id.c - routines to deal with the dn2id index */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/dn2id.c,v 1.137.2.9 2008/04/14 19:37:25 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/dn2id.c,v 1.137.2.10 2008/05/20 00:14:04 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2000-2008 The OpenLDAP Foundation.
@@ -1156,7 +1156,11 @@
}
cx->depth--;
cx->op->o_tmpfree( save, cx->op->o_tmpmemctx );
- if ( nokids ) ei->bei_state |= CACHE_ENTRY_NO_GRANDKIDS;
+ if ( nokids ) {
+ bdb_cache_entryinfo_lock( ei );
+ ei->bei_state |= CACHE_ENTRY_NO_GRANDKIDS;
+ bdb_cache_entryinfo_unlock( ei );
+ }
}
/* Make sure caller knows it had kids! */
cx->tmp[0]=1;
Modified: openldap/trunk/servers/slapd/back-bdb/monitor.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/monitor.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/back-bdb/monitor.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,5 +1,5 @@
/* monitor.c - monitor bdb backend */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/monitor.c,v 1.19.2.8 2008/02/11 23:26:46 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/monitor.c,v 1.19.2.9 2008/05/26 18:57:01 ando Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2000-2008 The OpenLDAP Foundation.
@@ -395,7 +395,7 @@
{
struct berval bv, nbv;
ber_len_t pathlen = 0, len = 0;
- char path[ PATH_MAX ] = { '\0' };
+ char path[ MAXPATHLEN ] = { '\0' };
char *fname = bdb->bi_dbenv_home,
*ptr;
Modified: openldap/trunk/servers/slapd/back-ldap/search.c
===================================================================
--- openldap/trunk/servers/slapd/back-ldap/search.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/back-ldap/search.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,5 +1,5 @@
/* search.c - ldap backend search function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/search.c,v 1.201.2.9 2008/02/11 23:26:46 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/search.c,v 1.201.2.10 2008/05/18 09:23:53 ando Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1999-2008 The OpenLDAP Foundation.
@@ -773,8 +773,9 @@
ldapinfo_t *li = (ldapinfo_t *) op->o_bd->be_private;
ldapconn_t *lc = NULL;
- int rc = 1,
+ int rc,
do_not_cache;
+ ber_tag_t tag;
struct berval bdn;
LDAPMessage *result = NULL,
*e = NULL;
@@ -788,12 +789,18 @@
/* Tell getconn this is a privileged op */
do_not_cache = op->o_do_not_cache;
+ tag = op->o_tag;
+ /* do not cache */
op->o_do_not_cache = 1;
- if ( !ldap_back_dobind( &lc, op, &rs, LDAP_BACK_DONTSEND ) ) {
- op->o_do_not_cache = do_not_cache;
+ /* ldap_back_entry_get() is an entry lookup, so it does not need
+ * to know what the entry is being looked up for */
+ op->o_tag = LDAP_REQ_SEARCH;
+ rc = ldap_back_dobind( &lc, op, &rs, LDAP_BACK_DONTSEND );
+ op->o_do_not_cache = do_not_cache;
+ op->o_tag = tag;
+ if ( !rc ) {
return rs.sr_err;
}
- op->o_do_not_cache = do_not_cache;
if ( at ) {
attrp = attr;
Modified: openldap/trunk/servers/slapd/back-meta/config.c
===================================================================
--- openldap/trunk/servers/slapd/back-meta/config.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/back-meta/config.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/config.c,v 1.74.2.10 2008/04/14 22:46:48 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/config.c,v 1.74.2.11 2008/05/22 16:32:56 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1999-2008 The OpenLDAP Foundation.
@@ -1239,7 +1239,7 @@
return 1;
}
- if ( mi->mi_ntargets ) {
+ if ( mi->mi_ntargets == 0 ) {
mi->mi_flags |= LDAP_BACK_F_QUARANTINE;
} else {
Modified: openldap/trunk/servers/slapd/back-monitor/database.c
===================================================================
--- openldap/trunk/servers/slapd/back-monitor/database.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/back-monitor/database.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,5 +1,5 @@
/* database.c - deals with database subsystem */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/database.c,v 1.80.2.9 2008/02/11 23:26:47 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/database.c,v 1.80.2.10 2008/05/26 18:57:01 ando Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2001-2008 The OpenLDAP Foundation.
@@ -33,14 +33,6 @@
static int monitor_back_add_plugin( monitor_info_t *mi, Backend *be, Entry *e );
#endif /* defined(LDAP_SLAPI) */
-/* for PATH_MAX on some systems (e.g. Solaris) */
-#ifdef HAVE_LIMITS_H
-#include <limits.h>
-#endif /* HAVE_LIMITS_H */
-#ifndef PATH_MAX
-#define PATH_MAX 4095
-#endif /* ! PATH_MAX */
-
static int
monitor_subsys_database_modify(
Operation *op,
Modified: openldap/trunk/servers/slapd/backglue.c
===================================================================
--- openldap/trunk/servers/slapd/backglue.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/backglue.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,5 +1,5 @@
/* backglue.c - backend glue */
-/* $OpenLDAP: pkg/ldap/servers/slapd/backglue.c,v 1.112.2.11 2008/04/14 21:15:02 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/backglue.c,v 1.112.2.12 2008/06/02 18:00:53 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2001-2008 The OpenLDAP Foundation.
@@ -1099,7 +1099,7 @@
/* If it's not already configured, set up the overlay */
if ( !SLAP_GLUE_INSTANCE( be )) {
- rc = overlay_config( be, glue.on_bi.bi_type, -1, NULL );
+ rc = overlay_config( be, glue.on_bi.bi_type, -1, NULL, NULL);
if ( rc )
break;
}
Modified: openldap/trunk/servers/slapd/backover.c
===================================================================
--- openldap/trunk/servers/slapd/backover.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/backover.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,5 +1,5 @@
/* backover.c - backend overlay routines */
-/* $OpenLDAP: pkg/ldap/servers/slapd/backover.c,v 1.71.2.8 2008/04/24 08:13:39 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/backover.c,v 1.71.2.9 2008/06/02 18:00:53 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2003-2008 The OpenLDAP Foundation.
@@ -1143,7 +1143,7 @@
/* add an overlay to a particular backend. */
int
-overlay_config( BackendDB *be, const char *ov, int idx, BackendInfo **res )
+overlay_config( BackendDB *be, const char *ov, int idx, BackendInfo **res, ConfigReply *cr )
{
slap_overinst *on = NULL, *on2 = NULL, **prev;
slap_overinfo *oi = NULL;
@@ -1278,7 +1278,7 @@
if ( on2->on_bi.bi_db_init ) {
int rc;
be->bd_info = (BackendInfo *)on2;
- rc = on2->on_bi.bi_db_init( be, NULL );
+ rc = on2->on_bi.bi_db_init( be, cr);
be->bd_info = (BackendInfo *)oi;
if ( rc ) {
*prev = on2->on_next;
Modified: openldap/trunk/servers/slapd/bconfig.c
===================================================================
--- openldap/trunk/servers/slapd/bconfig.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/bconfig.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,5 +1,5 @@
/* bconfig.c - the config backend */
-/* $OpenLDAP: pkg/ldap/servers/slapd/bconfig.c,v 1.202.2.30 2008/04/14 22:20:28 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/bconfig.c,v 1.202.2.31 2008/06/02 18:00:53 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2005-2008 The OpenLDAP Foundation.
@@ -2140,13 +2140,13 @@
assert(0);
}
if(c->argv[1][0] == '-' && overlay_config(c->be, &c->argv[1][1],
- c->valx, &c->bi)) {
+ c->valx, &c->bi, &c->reply)) {
/* log error */
Debug( LDAP_DEBUG_ANY,
"%s: (optional) %s overlay \"%s\" configuration failed.\n",
c->log, c->be == frontendDB ? "global " : "", &c->argv[1][1]);
return 1;
- } else if(overlay_config(c->be, c->argv[1], c->valx, &c->bi)) {
+ } else if(overlay_config(c->be, c->argv[1], c->valx, &c->bi, &c->reply)) {
return(1);
}
return(0);
Modified: openldap/trunk/servers/slapd/daemon.c
===================================================================
--- openldap/trunk/servers/slapd/daemon.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/daemon.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/daemon.c,v 1.380.2.10 2008/02/11 23:26:44 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/daemon.c,v 1.380.2.12 2008/05/27 20:12:44 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2008 The OpenLDAP Foundation.
@@ -928,9 +928,9 @@
{
ldap_pvt_thread_mutex_lock( &slap_daemon.sd_mutex );
- assert( SLAP_SOCK_IS_ACTIVE( s ));
-
if ( SLAP_SOCK_IS_WRITE( s )) {
+ assert( SLAP_SOCK_IS_ACTIVE( s ));
+
SLAP_SOCK_CLR_WRITE( s );
slap_daemon.sd_nwriters--;
}
@@ -2620,7 +2620,6 @@
{
int rc;
- connections_init();
#ifdef LDAP_CONNECTIONLESS
connectionless_init();
#endif /* LDAP_CONNECTIONLESS */
Modified: openldap/trunk/servers/slapd/main.c
===================================================================
--- openldap/trunk/servers/slapd/main.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/main.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/main.c,v 1.239.2.12 2008/02/12 00:46:46 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/main.c,v 1.239.2.13 2008/05/20 00:10:40 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2008 The OpenLDAP Foundation.
@@ -929,6 +929,8 @@
*/
time( &starttime );
+ connections_init();
+
if ( slap_startup( NULL ) != 0 ) {
rc = 1;
SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 21 );
Modified: openldap/trunk/servers/slapd/overlays/constraint.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/constraint.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/overlays/constraint.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/constraint.c,v 1.2.2.7 2008/02/11 23:46:12 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/constraint.c,v 1.2.2.8 2008/05/27 19:59:47 quanah Exp $ */
/* constraint.c - Overlay to constrain attributes to certain values */
/*
* Copyright 2003-2004 Hewlett-Packard Company
@@ -41,6 +41,8 @@
#define REGEX_STR "regex"
#define URI_STR "uri"
+#define SIZE_STR "size"
+#define COUNT_STR "count"
/*
* Linked list of attribute constraints which we should enforce.
@@ -55,6 +57,8 @@
AttributeDescription *ap;
regex_t *re;
LDAPURLDesc *lud;
+ size_t size;
+ size_t count;
AttributeDescription **attrs;
struct berval val; /* constraint value */
struct berval dn;
@@ -129,6 +133,12 @@
} else if (cp->lud) {
len += STRLENOF(URI_STR);
tstr = URI_STR;
+ } else if (cp->size) {
+ len += STRLENOF(SIZE_STR);
+ tstr = SIZE_STR;
+ } else if (cp->count) {
+ len += STRLENOF(COUNT_STR);
+ tstr = COUNT_STR;
}
len += cp->val.bv_len;
@@ -216,7 +226,17 @@
return( ARG_BAD_CONF );
}
ber_str2bv( c->argv[3], 0, 1, &ap.val );
- } else if ( strcasecmp( c->argv[2], URI_STR ) == 0) {
+ } else if ( strcasecmp( c->argv[2], SIZE_STR ) == 0 ) {
+ size_t size;
+
+ if ( ( size = atoi(c->argv[3]) ) != 0 )
+ ap.size = size;
+ } else if ( strcasecmp( c->argv[2], COUNT_STR ) == 0 ) {
+ size_t count;
+
+ if ( ( count = atoi(c->argv[3]) ) != 0 )
+ ap.count = count;
+ } else if ( strcasecmp( c->argv[2], URI_STR ) == 0 ) {
int err;
err = ldap_url_parse(c->argv[3], &ap.lud);
@@ -281,6 +301,8 @@
a2->re = ap.re;
a2->val = ap.val;
a2->lud = ap.lud;
+ a2->size = ap.size;
+ a2->count = ap.count;
if ( a2->lud ) {
ber_str2bv(a2->lud->lud_dn, 0, 0, &a2->dn);
ber_str2bv(a2->lud->lud_filter, 0, 0, &a2->filter);
@@ -323,6 +345,9 @@
(regexec(c->re, bv->bv_val, 0, NULL, 0) == REG_NOMATCH))
return 1; /* regular expression violation */
+ if ((c->size) && (bv->bv_len > c->size))
+ return 1; /* size violation */
+
if (c->lud) {
Operation nop = *op;
slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
@@ -443,10 +468,21 @@
return ret;
}
+static unsigned
+constraint_count_attr(Entry *e, AttributeDescription *ad)
+{
+ struct Attribute *a;
+
+ if ((a = attr_find(e->e_attrs, ad)) != NULL)
+ return a->a_numvals;
+ return 0;
+}
+
static int
constraint_add( Operation *op, SlapReply *rs )
{
slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
+ Backend *be = op->o_bd;
Attribute *a;
constraint *c = on->on_bi.bi_private, *cp;
BerVarray b = NULL;
@@ -469,35 +505,45 @@
if (cp->ap != a->a_desc) continue;
if ((b = a->a_vals) == NULL) continue;
- for(i=0; b[i].bv_val; i++) {
- int cv = constraint_violation( cp, &b[i], op, rs);
-
- if (cv) {
- /* violation */
- op->o_bd->bd_info = (BackendInfo *)(on->on_info);
- msg = print_message( &rsv, a->a_desc );
- send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
- ch_free(msg);
- return (rs->sr_err);
- }
- }
+ Debug(LDAP_DEBUG_TRACE,
+ "==> constraint_add, "
+ "a->a_numvals = %d, cp->count = %d\n",
+ a->a_numvals, cp->count, 0);
+
+ if ((cp->count != 0) && (a->a_numvals > cp->count))
+ goto add_violation;
+
+ for(i=0; b[i].bv_val; i++)
+ if (constraint_violation( cp, &b[i], op, rs))
+ goto add_violation;
}
}
/* Default is to just fall through to the normal processing */
return SLAP_CB_CONTINUE;
+
+add_violation:
+ op->o_bd->bd_info = (BackendInfo *)(on->on_info);
+ msg = print_message( &rsv, a->a_desc );
+ send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
+ ch_free(msg);
+ return (rs->sr_err);
}
+
static int
constraint_modify( Operation *op, SlapReply *rs )
{
slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
+ Backend *be = op->o_bd;
constraint *c = on->on_bi.bi_private, *cp;
+ Entry *target_entry = NULL;
Modifications *m;
BerVarray b = NULL;
int i;
struct berval rsv = BER_BVC("modify breaks constraint");
char *msg;
+ Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE, "constraint_modify()", 0,0,0);
if ((m = op->orm_modlist) == NULL) {
op->o_bd->bd_info = (BackendInfo *)(on->on_info);
send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
@@ -505,34 +551,96 @@
return(rs->sr_err);
}
+ /* Do we need to count attributes? */
+ for(cp = c; cp; cp = cp->ap_next) {
+ if (cp->count != 0) {
+ int rc;
+
+ op->o_bd = on->on_info->oi_origdb;
+ rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &target_entry );
+ op->o_bd = be;
+
+ if (rc != 0 || target_entry == NULL) {
+ Debug(LDAP_DEBUG_TRACE,
+ "==> constraint_modify rc = %d\n",
+ rc, 0, 0);
+ goto mod_violation;
+ }
+ break;
+ }
+ }
+
for(;m; m = m->sml_next) {
+ int ce = 0;
+
+ /* Get this attribute count, if needed */
+ if (target_entry)
+ ce = constraint_count_attr(target_entry, m->sml_desc);
+
if (is_at_operational( m->sml_desc->ad_type )) continue;
if ((( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_ADD) &&
- (( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_REPLACE))
+ (( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_REPLACE) &&
+ (( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_DELETE))
continue;
/* we only care about ADD and REPLACE modifications */
+ /* and DELETE are used to track attribute count */
if ((( b = m->sml_values ) == NULL ) || (b[0].bv_val == NULL))
continue;
for(cp = c; cp; cp = cp->ap_next) {
if (cp->ap != m->sml_desc) continue;
- for(i=0; b[i].bv_val; i++) {
- int cv = constraint_violation( cp, &b[i], op, rs);
-
- if (cv) {
- /* violation */
- op->o_bd->bd_info = (BackendInfo *)(on->on_info);
- msg = print_message( &rsv, m->sml_desc );
- send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
- ch_free(msg);
- return (rs->sr_err);
+ if (cp->count != 0) {
+ int ca;
+
+ if (m->sml_op == LDAP_MOD_DELETE)
+ ce = 0;
+
+ for (ca = 0; b[ca].bv_val; ++ca);
+
+ Debug(LDAP_DEBUG_TRACE,
+ "==> constraint_modify ce = %d, "
+ "ca = %d, cp->count = %d\n",
+ ce, ca, cp->count);
+
+ if (m->sml_op == LDAP_MOD_ADD)
+ if (ca + ce > cp->count)
+ goto mod_violation;
+ if (m->sml_op == LDAP_MOD_REPLACE) {
+ if (ca > cp->count)
+ goto mod_violation;
+ ce = ca;
}
- }
+ }
+
+ /* DELETE are to be ignored beyond this point */
+ if (( m->sml_op & LDAP_MOD_OP ) == LDAP_MOD_DELETE)
+ continue;
+
+ for(i=0; b[i].bv_val; i++)
+ if (constraint_violation( cp, &b[i], op, rs))
+ goto mod_violation;
}
}
+ if (target_entry) {
+ op->o_bd = on->on_info->oi_origdb;
+ be_entry_release_r(op, target_entry);
+ op->o_bd = be;
+ }
return SLAP_CB_CONTINUE;
+mod_violation:
+ /* violation */
+ if (target_entry) {
+ op->o_bd = on->on_info->oi_origdb;
+ be_entry_release_r(op, target_entry);
+ op->o_bd = be;
+ }
+ op->o_bd->bd_info = (BackendInfo *)(on->on_info);
+ msg = print_message( &rsv, m->sml_desc );
+ send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
+ ch_free(msg);
+ return (rs->sr_err);
}
static int
Modified: openldap/trunk/servers/slapd/overlays/ppolicy.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/ppolicy.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/overlays/ppolicy.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/ppolicy.c,v 1.75.2.11 2008/02/13 01:58:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/ppolicy.c,v 1.75.2.12 2008/06/02 18:00:53 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2004-2008 The OpenLDAP Foundation.
@@ -2093,7 +2093,12 @@
for (i=0; pwd_UsSchema[i].def; i++) {
code = slap_str2ad( pwd_UsSchema[i].def, pwd_UsSchema[i].ad, &err );
if ( code ) {
- fprintf( stderr, "User Schema Load failed %d: %s\n", code, err );
+ if ( cr ){
+ snprintf( cr->msg, sizeof(cr->msg),
+ "User Schema load failed for attribute \"%s\". Error code %d: %s",
+ pwd_UsSchema[i].def, code, err );
+ fprintf( stderr, "%s\n", cr->msg );
+ }
return code;
}
}
Modified: openldap/trunk/servers/slapd/overlays/refint.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/refint.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/overlays/refint.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,5 +1,5 @@
/* refint.c - referential integrity module */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/refint.c,v 1.19.2.8 2008/04/14 20:13:41 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/refint.c,v 1.19.2.9 2008/05/27 20:18:19 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2004-2008 The OpenLDAP Foundation.
@@ -81,6 +81,8 @@
BerValue dn; /* basedn in parent, */
BerValue nothing; /* the nothing value, if needed */
BerValue nnothing; /* normalized nothingness */
+ BerValue refint_dn; /* modifier's name */
+ BerValue refint_ndn; /* normalized modifier's name */
struct re_s *qtask;
refint_q *qhead;
refint_q *qtail;
@@ -93,7 +95,8 @@
enum {
REFINT_ATTRS = 1,
- REFINT_NOTHING
+ REFINT_NOTHING,
+ REFINT_MODIFIERSNAME
};
static ConfigDriver refint_cf_gen;
@@ -110,6 +113,11 @@
"( OLcfgOvAt:11.2 NAME 'olcRefintNothing' "
"DESC 'Replacement DN to supply when needed' "
"SYNTAX OMsDN SINGLE-VALUE )", NULL, NULL },
+ { "refint_modifiersName", "DN", 2, 2, 0,
+ ARG_DN|ARG_MAGIC|REFINT_MODIFIERSNAME, refint_cf_gen,
+ "( OLcfgOvAt:11.3 NAME 'olcRefintModifiersName' "
+ "DESC 'The DN to use as modifiersName' "
+ "SYNTAX OMsDN SINGLE-VALUE )", NULL, NULL },
{ NULL, NULL, 0, 0, 0, ARG_IGNORED }
};
@@ -118,7 +126,10 @@
"NAME 'olcRefintConfig' "
"DESC 'Referential integrity configuration' "
"SUP olcOverlayConfig "
- "MAY ( olcRefintAttribute $ olcRefintNothing ) )",
+ "MAY ( olcRefintAttribute "
+ "$ olcRefintNothing "
+ "$ olcRefintModifiersName "
+ ") )",
Cft_Overlay, refintcfg },
{ NULL, 0, NULL }
};
@@ -157,6 +168,17 @@
}
rc = 0;
break;
+ case REFINT_MODIFIERSNAME:
+ if ( !BER_BVISEMPTY( &dd->refint_dn )) {
+ rc = value_add_one( &c->rvalue_vals,
+ &dd->refint_dn );
+ if ( rc ) return rc;
+ rc = value_add_one( &c->rvalue_nvals,
+ &dd->refint_ndn );
+ return rc;
+ }
+ rc = 0;
+ break;
default:
abort ();
}
@@ -196,6 +218,15 @@
dd->nnothing.bv_len = 0;
rc = 0;
break;
+ case REFINT_MODIFIERSNAME:
+ if ( dd->refint_dn.bv_val )
+ ber_memfree ( dd->refint_dn.bv_val );
+ if ( dd->refint_ndn.bv_val )
+ ber_memfree ( dd->refint_ndn.bv_val );
+ dd->refint_dn.bv_len = 0;
+ dd->refint_ndn.bv_len = 0;
+ rc = 0;
+ break;
default:
abort ();
}
@@ -233,6 +264,15 @@
dd->nnothing = c->value_ndn;
rc = 0;
break;
+ case REFINT_MODIFIERSNAME:
+ if ( dd->refint_dn.bv_val )
+ ber_memfree ( dd->refint_dn.bv_val );
+ if ( dd->refint_ndn.bv_val )
+ ber_memfree ( dd->refint_ndn.bv_val );
+ dd->refint_dn = c->value_dn;
+ dd->refint_ndn = c->value_ndn;
+ rc = 0;
+ break;
default:
abort ();
}
@@ -302,6 +342,10 @@
return -1;
ber_dupbv( &id->dn, &be->be_nsuffix[0] );
}
+ if ( BER_BVISNULL( &id->refint_dn ) ) {
+ ber_dupbv( &id->refint_dn, &refint_dn );
+ ber_dupbv( &id->refint_ndn, &refint_ndn );
+ }
return(0);
}
@@ -339,6 +383,10 @@
BER_BVZERO( &id->nothing );
ch_free( id->nnothing.bv_val );
BER_BVZERO( &id->nnothing );
+ ch_free( id->refint_dn.bv_val );
+ BER_BVZERO( &id->refint_dn );
+ ch_free( id->refint_ndn.bv_val );
+ BER_BVZERO( &id->refint_ndn );
return(0);
}
@@ -580,8 +628,8 @@
m->sml_nvalues = m->sml_values+2;
BER_BVZERO( &m->sml_values[1] );
BER_BVZERO( &m->sml_nvalues[1] );
- m->sml_values[0] = refint_dn;
- m->sml_nvalues[0] = refint_ndn;
+ m->sml_values[0] = id->refint_dn;
+ m->sml_nvalues[0] = id->refint_ndn;
}
if ( !BER_BVISEMPTY( &rq->newdn ) || ( ra->next &&
ra->attr == ra->next->attr ) )
Modified: openldap/trunk/servers/slapd/overlays/syncprov.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/syncprov.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/overlays/syncprov.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/syncprov.c,v 1.147.2.22 2008/05/06 01:05:41 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/syncprov.c,v 1.147.2.29 2008/05/29 22:57:32 quanah Exp $ */
/* syncprov.c - syncrepl provider */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
@@ -404,7 +404,6 @@
slap_callback cb = {0};
Operation fop;
SlapReply frs = { REP_RESULT };
- BackendInfo *bi;
int rc;
fc->fss->s_flags ^= PS_FIND_BASE;
@@ -412,11 +411,10 @@
fop = *fc->fss->s_op;
+ fop.o_bd = fop.o_bd->bd_self;
fop.o_hdr = op->o_hdr;
- fop.o_bd = op->o_bd;
fop.o_time = op->o_time;
fop.o_tincr = op->o_tincr;
- bi = op->o_bd->bd_info;
cb.sc_response = findbase_cb;
cb.sc_private = fc;
@@ -434,8 +432,7 @@
fop.ors_filter = &generic_filter;
fop.ors_filterstr = generic_filterstr;
- rc = overlay_op_walk( &fop, &frs, op_search, on->on_info, on );
- op->o_bd->bd_info = bi;
+ rc = fop.o_bd->be_search( &fop, &frs );
} else {
ldap_pvt_thread_mutex_unlock( &fc->fss->s_mutex );
fc->fbase = 1;
@@ -500,7 +497,8 @@
Attribute *a = attr_find( rs->sr_entry->e_attrs,
slap_schema.si_ad_entryCSN );
- if ( a && ber_bvcmp( &a->a_vals[0], maxcsn ) > 0 ) {
+ if ( a && ber_bvcmp( &a->a_vals[0], maxcsn ) > 0 &&
+ slap_parse_csn_sid( &a->a_vals[0] ) == slap_serverID ) {
maxcsn->bv_len = a->a_vals[0].bv_len;
strcpy( maxcsn->bv_val, a->a_vals[0].bv_val );
}
@@ -590,7 +588,7 @@
sync_control *srs = NULL;
struct slap_limits_set fc_limits;
int i, rc = LDAP_SUCCESS, findcsn_retry = 1;
- int maxid = 0;
+ int maxid;
if ( mode != FIND_MAXCSN ) {
srs = op->o_controls[slap_cids.sc_LDAPsync];
@@ -616,14 +614,20 @@
switch( mode ) {
case FIND_MAXCSN:
cf.f_choice = LDAP_FILTER_GE;
- cf.f_av_value = si->si_ctxcsn[0];
- /* If there are multiple CSNs, use the largest */
- for ( i=1; i<si->si_numcsns; i++) {
- if ( ber_bvcmp( &cf.f_av_value, &si->si_ctxcsn[i] ) < 0 ) {
- cf.f_av_value = si->si_ctxcsn[i];
+ /* If there are multiple CSNs, use the one with our serverID */
+ for ( i=0; i<si->si_numcsns; i++) {
+ if ( slap_serverID == si->si_sids[i] ) {
maxid = i;
+ break;
}
}
+ if ( i == si->si_numcsns ) {
+ /* No match: this is multimaster, and none of the content in the DB
+ * originated locally. Treat like no CSN.
+ */
+ return LDAP_NO_SUCH_OBJECT;
+ }
+ cf.f_av_value = si->si_ctxcsn[maxid];
fop.ors_filterstr.bv_len = snprintf( buf, sizeof( buf ),
"(entryCSN>=%s)", cf.f_av_value.bv_val );
if ( fop.ors_filterstr.bv_len < 0 || fop.ors_filterstr.bv_len >= sizeof( buf ) ) {
@@ -1224,8 +1228,11 @@
}
}
- if ( fc.fscope )
+ if ( fc.fscope ) {
op2 = *ss->s_op;
+ op2.o_hdr = op->o_hdr;
+ op2.o_extra = op->o_extra;
+ }
/* check if current o_req_dn is in scope and matches filter */
if ( fc.fscope && test_filter( &op2, e, ss->s_op->ors_filter ) ==
@@ -1596,6 +1603,17 @@
cbuf[0] = '\0';
ldap_pvt_thread_rdwr_wlock( &si->si_csn_rwlock );
slap_get_commit_csn( op, &maxcsn );
+ if ( BER_BVISNULL( &maxcsn ) && SLAP_GLUE_SUBORDINATE( op->o_bd )) {
+ /* syncrepl queues the CSN values in the db where
+ * it is configured , not where the changes are made.
+ * So look for a value in the glue db if we didn't
+ * find any in this db.
+ */
+ BackendDB *be = op->o_bd;
+ op->o_bd = select_backend( &be->be_nsuffix[0], 1);
+ slap_get_commit_csn( op, &maxcsn );
+ op->o_bd = be;
+ }
if ( !BER_BVISNULL( &maxcsn ) ) {
int i, sid;
strcpy( cbuf, maxcsn.bv_val );
@@ -1616,6 +1634,10 @@
sizeof(int));
si->si_sids[i] = sid;
}
+ } else {
+ /* internal ops that aren't meant to be replicated */
+ ldap_pvt_thread_rdwr_wunlock( &si->si_csn_rwlock );
+ return SLAP_CB_CONTINUE;
}
/* Don't do any processing for consumer contextCSN updates */
@@ -1978,6 +2000,7 @@
{
searchstate *ss = op->o_callback->sc_private;
slap_overinst *on = ss->ss_on;
+ syncprov_info_t *si = (syncprov_info_t *)on->on_bi.bi_private;
sync_control *srs = op->o_controls[slap_cids.sc_LDAPsync];
if ( rs->sr_type == REP_SEARCH || rs->sr_type == REP_SEARCHREF ) {
@@ -2043,8 +2066,16 @@
rs->sr_ctrls = op->o_tmpalloc( sizeof(LDAPControl *)*2,
op->o_tmpmemctx );
rs->sr_ctrls[1] = NULL;
- rs->sr_err = syncprov_state_ctrl( op, rs, rs->sr_entry,
- LDAP_SYNC_ADD, rs->sr_ctrls, 0, 0, NULL );
+ /* If we're in delta-sync mode, always send a cookie */
+ if ( si->si_nopres && si->si_usehint && a ) {
+ struct berval cookie;
+ slap_compose_sync_cookie( op, &cookie, a->a_nvals, srs->sr_state.rid, srs->sr_state.sid );
+ rs->sr_err = syncprov_state_ctrl( op, rs, rs->sr_entry,
+ LDAP_SYNC_ADD, rs->sr_ctrls, 0, 1, &cookie );
+ } else {
+ rs->sr_err = syncprov_state_ctrl( op, rs, rs->sr_entry,
+ LDAP_SYNC_ADD, rs->sr_ctrls, 0, 0, NULL );
+ }
} else if ( rs->sr_type == REP_RESULT && rs->sr_err == LDAP_SUCCESS ) {
struct berval cookie;
@@ -2083,7 +2114,7 @@
if ( op->o_abandon ) {
ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
ldap_pvt_thread_mutex_unlock( &ss->ss_so->s_mutex );
- syncprov_free_syncop( ss->ss_so );
+ /* syncprov_ab_cleanup will free this syncop */
return SLAPD_ABANDON;
} else {
Modified: openldap/trunk/servers/slapd/overlays/unique.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/unique.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/overlays/unique.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,5 +1,5 @@
/* unique.c - attribute uniqueness module */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/unique.c,v 1.20.2.5 2008/02/11 23:26:49 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/unique.c,v 1.20.2.8 2008/05/27 21:05:56 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2004-2008 The OpenLDAP Foundation.
@@ -44,16 +44,16 @@
typedef struct unique_domain_uri_s {
struct unique_domain_uri_s *next;
- struct berval *dn;
- struct berval *ndn;
- struct berval *filter;
+ struct berval dn;
+ struct berval ndn;
+ struct berval filter;
struct unique_attrs_s *attrs;
int scope;
} unique_domain_uri;
typedef struct unique_domain_s {
struct unique_domain_s *next;
- struct berval *domain_spec;
+ struct berval domain_spec;
struct unique_domain_uri_s *uri;
char ignore; /* polarity of attributes */
char strict; /* null considered unique too */
@@ -138,9 +138,9 @@
while ( uri ) {
next_uri = uri->next;
- ber_bvfree ( uri->dn );
- ber_bvfree ( uri->ndn );
- ber_bvfree ( uri->filter );
+ ch_free ( uri->dn.bv_val );
+ ch_free ( uri->ndn.bv_val );
+ ch_free ( uri->filter.bv_val );
attr = uri->attrs;
while ( attr ) {
next_attr = attr->next;
@@ -160,7 +160,7 @@
while ( domain ) {
next_domain = domain->next;
- ber_bvfree ( domain->domain_spec );
+ ch_free ( domain->domain_spec.bv_val );
unique_free_domain_uri ( domain->uri );
ch_free ( domain );
domain = next_domain;
@@ -183,11 +183,11 @@
uri = ch_calloc ( 1, sizeof ( unique_domain_uri ) );
if ( url_desc->lud_dn && url_desc->lud_dn[0] ) {
- ber_str2bv( url_desc->lud_dn, 0, 1, &bv );
+ ber_str2bv( url_desc->lud_dn, 0, 0, &bv );
rc = dnPrettyNormal( NULL,
&bv,
- uri->dn,
- uri->ndn,
+ &uri->dn,
+ &uri->ndn,
NULL );
if ( rc != LDAP_SUCCESS ) {
snprintf( c->cr_msg, sizeof( c->cr_msg ),
@@ -197,10 +197,10 @@
goto exit;
}
- if ( !dnIsSuffix ( uri->ndn, &be->be_nsuffix[0] ) ) {
+ if ( !dnIsSuffix ( &uri->ndn, &be->be_nsuffix[0] ) ) {
snprintf( c->cr_msg, sizeof( c->cr_msg ),
"dn <%s> is not a suffix of backend base dn <%s>",
- uri->dn->bv_val,
+ uri->dn.bv_val,
be->be_nsuffix[0].bv_val );
rc = ARG_BAD_CONF;
goto exit;
@@ -239,8 +239,8 @@
if (url_desc->lud_filter) {
Filter * f;
- uri->filter = ber_str2bv( url_desc->lud_filter, 0, 1, NULL);
- f = str2filter( uri->filter->bv_val );
+ ber_str2bv( url_desc->lud_filter, 0, 1, &uri->filter );
+ f = str2filter( uri->filter.bv_val );
if ( !f ) {
snprintf( c->cr_msg, sizeof( c->cr_msg ),
"unique: bad filter");
@@ -250,7 +250,6 @@
filter_free( f );
}
exit:
- if ( bv.bv_val ) ber_memfree ( bv.bv_val );
uri->next = *urip;
*urip = uri;
if ( rc ) {
@@ -305,7 +304,7 @@
domain_spec, 0, 0);
domain = ch_calloc ( 1, sizeof (unique_domain) );
- domain->domain_spec = ber_str2bv( domain_spec, 0, 1, NULL );
+ ber_str2bv( domain_spec, 0, 1, &domain->domain_spec );
uri_start = domain_spec;
if ( strncasecmp ( uri_start, "ignore ",
@@ -372,24 +371,23 @@
switch ( c->op ) {
case SLAP_CONFIG_EMIT:
rc = 0;
- if ( legacy && legacy->uri && legacy->uri->dn ) {
+ if ( legacy && legacy->uri && legacy->uri->dn.bv_val ) {
rc = value_add_one ( &c->rvalue_vals,
- legacy->uri->dn );
+ &legacy->uri->dn );
if ( rc ) return rc;
rc = value_add_one ( &c->rvalue_nvals,
- legacy->uri->ndn );
+ &legacy->uri->ndn );
if ( rc ) return rc;
}
break;
case LDAP_MOD_DELETE:
- assert ( legacy && legacy->uri && legacy->uri->dn );
+ assert ( legacy && legacy->uri && legacy->uri->dn.bv_val );
rc = 0;
- ber_bvfree ( legacy->uri->dn );
- ber_bvfree ( legacy->uri->ndn );
- legacy->uri->dn = NULL;
- legacy->uri->ndn = NULL;
- if ( !legacy->uri->attrs
- && !legacy->uri->dn ) {
+ ch_free ( legacy->uri->dn.bv_val );
+ ch_free ( legacy->uri->ndn.bv_val );
+ BER_BVZERO( &legacy->uri->dn );
+ BER_BVZERO( &legacy->uri->ndn );
+ if ( !legacy->uri->attrs ) {
unique_free_domain_uri ( legacy->uri );
legacy->uri = NULL;
}
@@ -425,10 +423,10 @@
}
if ( !legacy->uri )
unique_new_domain_uri_basic ( &legacy->uri, c );
- ber_bvfree ( legacy->uri->dn );
- ber_bvfree ( legacy->uri->ndn );
- legacy->uri->dn = ber_bvdup ( &c->value_dn );
- legacy->uri->ndn = ber_bvdup ( &c->value_ndn );
+ ch_free ( legacy->uri->dn.bv_val );
+ ch_free ( legacy->uri->ndn.bv_val );
+ legacy->uri->dn = c->value_dn;
+ legacy->uri->ndn = c->value_ndn;
rc = 0;
break;
default:
@@ -485,7 +483,7 @@
ch_free (attr);
}
if ( !legacy->uri->attrs
- && !legacy->uri->dn ) {
+ && !legacy->uri->dn.bv_val ) {
unique_free_domain_uri ( legacy->uri );
legacy->uri = NULL;
}
@@ -663,11 +661,8 @@
domain;
domain = domain->next ) {
rc = value_add_one ( &c->rvalue_vals,
- domain->domain_spec );
+ &domain->domain_spec );
if ( rc ) break;
- rc = value_add_one ( &c->rvalue_nvals,
- domain->domain_spec );
- if ( rc ) break;
}
break;
case LDAP_MOD_DELETE:
@@ -952,7 +947,7 @@
struct berval * dn,
int scope,
SlapReply *rs,
- char *key
+ struct berval *key
)
{
slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
@@ -963,8 +958,8 @@
Debug(LDAP_DEBUG_TRACE, "==> unique_search %s\n", key, 0, 0);
- nop->ors_filter = str2filter_x(nop, key);
- ber_str2bv(key, 0, 0, &nop->ors_filterstr);
+ nop->ors_filter = str2filter_x(nop, key->bv_val);
+ nop->ors_filterstr = *key;
cb.sc_response = (slap_response*)count_attr_cb;
cb.sc_private = &uq;
@@ -986,7 +981,7 @@
nop->o_bd = on->on_info->oi_origdb;
rc = nop->o_bd->be_search(nop, &nrs);
filter_free_x(nop, nop->ors_filter);
- op->o_tmpfree( key, op->o_tmpmemctx );
+ op->o_tmpfree( key->bv_val, op->o_tmpmemctx );
if(rc != LDAP_SUCCESS && rc != LDAP_NO_SUCH_OBJECT) {
op->o_bd->bd_info = (BackendInfo *) on->on_info;
@@ -1020,6 +1015,7 @@
Operation nop = *op;
Attribute *a;
char *key, *kp;
+ struct berval bvkey;
int rc = SLAP_CB_CONTINUE;
Debug(LDAP_DEBUG_TRACE, "==> unique_add <%s>\n",
@@ -1030,7 +1026,7 @@
domain = domain->next )
{
unique_domain_uri *uri;
- int ks = 0;
+ int ks = STRLENOF("(|)");
for ( uri = domain->uri;
uri;
@@ -1038,8 +1034,8 @@
{
int len;
- if ( uri->ndn
- && !dnIsSuffix( &op->o_req_ndn, uri->ndn ))
+ if ( uri->ndn.bv_val
+ && !dnIsSuffix( &op->o_req_ndn, &uri->ndn ))
continue;
if(!(a = op->ora_e->e_attrs)) {
@@ -1061,12 +1057,15 @@
/* skip this domain-uri if it isn't involved */
if ( !ks ) continue;
- if ( uri->filter && uri->filter->bv_len )
- ks += uri->filter->bv_len + STRLENOF ("(&)");
+ /* terminating NUL */
+ ks++;
+
+ if ( uri->filter.bv_val && uri->filter.bv_len )
+ ks += uri->filter.bv_len + STRLENOF ("(&)");
kp = key = op->o_tmpalloc(ks, op->o_tmpmemctx);
- if ( uri->filter && uri->filter->bv_len ) {
- len = snprintf (kp, ks, "(&%s", uri->filter->bv_val);
+ if ( uri->filter.bv_val && uri->filter.bv_len ) {
+ len = snprintf (kp, ks, "(&%s", uri->filter.bv_val);
assert( len >= 0 && len < ks );
kp += len;
}
@@ -1086,20 +1085,22 @@
len = snprintf(kp, ks - (kp - key), ")");
assert( len >= 0 && len < ks - (kp - key) );
kp += len;
- if ( uri->filter && uri->filter->bv_len ) {
+ if ( uri->filter.bv_val && uri->filter.bv_len ) {
len = snprintf(kp, ks - (kp - key), ")");
assert( len >= 0 && len < ks - (kp - key) );
kp += len;
}
+ bvkey.bv_val = key;
+ bvkey.bv_len = kp - key;
rc = unique_search ( op,
&nop,
- uri->ndn ?
- uri->ndn :
+ uri->ndn.bv_val ?
+ &uri->ndn :
&op->o_bd->be_nsuffix[0],
uri->scope,
rs,
- key);
+ &bvkey);
if ( rc != SLAP_CB_CONTINUE ) break;
}
@@ -1124,6 +1125,7 @@
Operation nop = *op;
Modifications *m;
char *key, *kp;
+ struct berval bvkey;
int rc = SLAP_CB_CONTINUE;
Debug(LDAP_DEBUG_TRACE, "==> unique_modify <%s>\n",
@@ -1134,7 +1136,7 @@
domain = domain->next )
{
unique_domain_uri *uri;
- int ks = 0;
+ int ks = STRLENOF("(|)");
for ( uri = domain->uri;
uri;
@@ -1142,8 +1144,8 @@
{
int len;
- if ( uri->ndn
- && !dnIsSuffix( &op->o_req_ndn, uri->ndn ))
+ if ( uri->ndn.bv_val
+ && !dnIsSuffix( &op->o_req_ndn, &uri->ndn ))
continue;
if ( !(m = op->orm_modlist) ) {
@@ -1166,12 +1168,15 @@
/* skip this domain-uri if it isn't involved */
if ( !ks ) continue;
- if ( uri->filter && uri->filter->bv_len )
- ks += uri->filter->bv_len + STRLENOF ("(&)");
+ /* terminating NUL */
+ ks++;
+
+ if ( uri->filter.bv_val && uri->filter.bv_len )
+ ks += uri->filter.bv_len + STRLENOF ("(&)");
kp = key = op->o_tmpalloc(ks, op->o_tmpmemctx);
- if ( uri->filter && uri->filter->bv_len ) {
- len = snprintf(kp, ks, "(&%s", uri->filter->bv_val);
+ if ( uri->filter.bv_val && uri->filter.bv_len ) {
+ len = snprintf(kp, ks, "(&%s", uri->filter.bv_val);
assert( len >= 0 && len < ks );
kp += len;
}
@@ -1193,20 +1198,22 @@
len = snprintf(kp, ks - (kp - key), ")");
assert( len >= 0 && len < ks - (kp - key) );
kp += len;
- if ( uri->filter && uri->filter->bv_len ) {
+ if ( uri->filter.bv_val && uri->filter.bv_len ) {
len = snprintf (kp, ks - (kp - key), ")");
assert( len >= 0 && len < ks - (kp - key) );
kp += len;
}
+ bvkey.bv_val = key;
+ bvkey.bv_len = kp - key;
rc = unique_search ( op,
&nop,
- uri->ndn ?
- uri->ndn :
+ uri->ndn.bv_val ?
+ &uri->ndn :
&op->o_bd->be_nsuffix[0],
uri->scope,
rs,
- key);
+ &bvkey);
if ( rc != SLAP_CB_CONTINUE ) break;
}
@@ -1230,6 +1237,7 @@
unique_domain *domain;
Operation nop = *op;
char *key, *kp;
+ struct berval bvkey;
LDAPRDN newrdn;
struct berval bv[2];
int rc = SLAP_CB_CONTINUE;
@@ -1242,7 +1250,7 @@
domain = domain->next )
{
unique_domain_uri *uri;
- int ks = 0;
+ int ks = STRLENOF("(|)");
for ( uri = domain->uri;
uri;
@@ -1250,10 +1258,10 @@
{
int i, len;
- if ( uri->ndn
- && !dnIsSuffix( &op->o_req_ndn, uri->ndn )
+ if ( uri->ndn.bv_val
+ && !dnIsSuffix( &op->o_req_ndn, &uri->ndn )
&& (!op->orr_nnewSup
- || !dnIsSuffix( op->orr_nnewSup, uri->ndn )))
+ || !dnIsSuffix( op->orr_nnewSup, &uri->ndn )))
continue;
if ( ldap_bv2rdn_x ( &op->oq_modrdn.rs_newrdn,
@@ -1296,12 +1304,15 @@
/* skip this domain if it isn't involved */
if ( !ks ) continue;
- if ( uri->filter && uri->filter->bv_len )
- ks += uri->filter->bv_len + STRLENOF ("(&)");
+ /* terminating NUL */
+ ks++;
+
+ if ( uri->filter.bv_val && uri->filter.bv_len )
+ ks += uri->filter.bv_len + STRLENOF ("(&)");
kp = key = op->o_tmpalloc(ks, op->o_tmpmemctx);
- if ( uri->filter && uri->filter->bv_len ) {
- len = snprintf(kp, ks, "(&%s", uri->filter->bv_val);
+ if ( uri->filter.bv_val && uri->filter.bv_len ) {
+ len = snprintf(kp, ks, "(&%s", uri->filter.bv_val);
assert( len >= 0 && len < ks );
kp += len;
}
@@ -1323,20 +1334,22 @@
len = snprintf(kp, ks - (kp - key), ")");
assert( len >= 0 && len < ks - (kp - key) );
kp += len;
- if ( uri->filter && uri->filter->bv_len ) {
+ if ( uri->filter.bv_val && uri->filter.bv_len ) {
len = snprintf (kp, ks - (kp - key), ")");
assert( len >= 0 && len < ks - (kp - key) );
kp += len;
}
+ bvkey.bv_val = key;
+ bvkey.bv_len = kp - key;
rc = unique_search ( op,
&nop,
- uri->ndn ?
- uri->ndn :
+ uri->ndn.bv_val ?
+ &uri->ndn :
&op->o_bd->be_nsuffix[0],
uri->scope,
rs,
- key);
+ &bvkey);
if ( rc != SLAP_CB_CONTINUE ) break;
}
Modified: openldap/trunk/servers/slapd/proto-slap.h
===================================================================
--- openldap/trunk/servers/slapd/proto-slap.h 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/proto-slap.h 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/proto-slap.h,v 1.670.2.24 2008/04/14 22:08:32 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/proto-slap.h,v 1.670.2.25 2008/06/02 18:00:53 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2008 The OpenLDAP Foundation.
@@ -435,7 +435,7 @@
*/
LDAP_SLAPD_F (int) overlay_register LDAP_P(( slap_overinst *on ));
LDAP_SLAPD_F (int) overlay_config LDAP_P(( BackendDB *be, const char *ov,
- int idx, BackendInfo **res ));
+ int idx, BackendInfo **res, ConfigReply *cr ));
LDAP_SLAPD_F (void) overlay_destroy_one LDAP_P((
BackendDB *be,
slap_overinst *on ));
Modified: openldap/trunk/servers/slapd/result.c
===================================================================
--- openldap/trunk/servers/slapd/result.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/result.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,5 +1,5 @@
/* result.c - routines to send ldap results, errors, and referrals */
-/* $OpenLDAP: pkg/ldap/servers/slapd/result.c,v 1.289.2.13 2008/04/14 23:43:59 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/result.c,v 1.289.2.14 2008/05/28 16:28:18 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2008 The OpenLDAP Foundation.
@@ -627,10 +627,10 @@
rs->sr_ref = NULL;
}
+abandon:
rs->sr_tag = slap_req2res( op->o_tag );
rs->sr_msgid = (rs->sr_tag != LBER_SEQUENCE) ? op->o_msgid : 0;
-abandon:
if ( rs->sr_flags & REP_REF_MUSTBEFREED ) {
if ( rs->sr_ref == NULL ) {
rs->sr_flags ^= REP_REF_MUSTBEFREED;
Copied: openldap/trunk/servers/slapd/schema/collective.schema (from rev 1148, openldap/vendor/openldap-2.4.10/servers/slapd/schema/collective.schema)
===================================================================
--- openldap/trunk/servers/slapd/schema/collective.schema (rev 0)
+++ openldap/trunk/servers/slapd/schema/collective.schema 2008-06-28 15:17:20 UTC (rev 1149)
@@ -0,0 +1,190 @@
+# collective.schema -- Collective attribute schema
+# $OpenLDAP: pkg/ldap/servers/slapd/schema/collective.schema,v 1.12.2.3 2008/02/11 23:26:49 kurt Exp $
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2008 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+#
+## Portions Copyright (C) The Internet Society (2003).
+## Please see full copyright statement below.
+
+# From RFC 3671 [portions trimmed]:
+# Collective Attributes in LDAP
+
+#Abstract
+#
+# X.500 collective attributes allow common characteristics to be shared
+# between collections of entries. This document summarizes the X.500
+# information model for collective attributes and describes use of
+# collective attributes in LDAP (Lightweight Directory Access Protocol).
+# This document provides schema definitions for collective attributes
+# for use in LDAP.
+
+#3. Collective Attribute Types
+#
+# A userApplications attribute type can be defined to be COLLECTIVE
+# [RFC2252]. This indicates that the same attribute values will appear
+# in the entries of an entry collection subject to the use of the
+# collectiveExclusions attribute and other administrative controls.
+#
+# Collective attribute types are commonly defined as subtypes of non-
+# collective attribute types. By convention, collective attributes are
+# named by prefixing the name of their non-collective supertype with
+# "c-". For example, the collective telephone attribute is named
+# c-TelephoneNumber after its non-collective supertype telephoneNumber.
+#
+# Non-collective attributes types SHALL NOT subtype collective
+# attributes.
+#
+# Collective attributes SHALL NOT be SINGLE-VALUED. Collective
+# attribute types SHALL NOT appear in the attribute types of an object
+# class definition.
+#
+# Operational attributes SHALL NOT be defined to be collective.
+#
+# The remainder of section provides a summary of collective attributes
+# derived from those defined in [X.520]. Implementations of this
+# specification SHOULD support the following collective attributes and
+# MAY support additional collective attributes.
+#
+#
+#3.1. Collective Locality Name
+#
+# The c-l attribute type specifies a locality name for a collection of
+# entries.
+#
+attributeType ( 2.5.4.7.1 NAME 'c-l'
+ SUP l COLLECTIVE )
+#
+#
+#3.2. Collective State or Province Name
+#
+# The c-st attribute type specifies a state or province name for a
+# collection of entries.
+#
+attributeType ( 2.5.4.8.1 NAME 'c-st'
+ SUP st COLLECTIVE )
+#
+#
+#3.3. Collective Street Address
+#
+# The c-street attribute type specifies a street address for a
+# collection of entries.
+#
+attributeType ( 2.5.4.9.1 NAME 'c-street'
+ SUP street COLLECTIVE )
+#
+#
+#3.4. Collective Organization Name
+#
+# The c-o attribute type specifies an organization name for a collection
+# of entries.
+#
+attributeType ( 2.5.4.10.1 NAME 'c-o'
+ SUP o COLLECTIVE )
+#
+#
+#3.5. Collective Organizational Unit Name
+#
+# The c-ou attribute type specifies an organizational unit name for a
+# collection of entries.
+#
+attributeType ( 2.5.4.11.1 NAME 'c-ou'
+ SUP ou COLLECTIVE )
+#
+#
+#3.6. Collective Postal Address
+#
+# The c-PostalAddress attribute type specifies a postal address for a
+# collection of entries.
+#
+attributeType ( 2.5.4.16.1 NAME 'c-PostalAddress'
+ SUP postalAddress COLLECTIVE )
+#
+#
+#3.7. Collective Postal Code
+#
+# The c-PostalCode attribute type specifies a postal code for a
+# collection of entries.
+#
+attributeType ( 2.5.4.17.1 NAME 'c-PostalCode'
+ SUP postalCode COLLECTIVE )
+#
+#
+#3.8. Collective Post Office Box
+#
+# The c-PostOfficeBox attribute type specifies a post office box for a
+# collection of entries.
+#
+attributeType ( 2.5.4.18.1 NAME 'c-PostOfficeBox'
+ SUP postOfficeBox COLLECTIVE )
+#
+#
+#3.9. Collective Physical Delivery Office Name
+#
+# The c-PhysicalDeliveryOfficeName attribute type specifies a physical
+# delivery office name for a collection of entries.
+#
+attributeType ( 2.5.4.19.1 NAME 'c-PhysicalDeliveryOfficeName'
+ SUP physicalDeliveryOfficeName COLLECTIVE )
+#
+#
+#3.10. Collective Telephone Number
+#
+# The c-TelephoneNumber attribute type specifies a telephone number for
+# a collection of entries.
+#
+attributeType ( 2.5.4.20.1 NAME 'c-TelephoneNumber'
+ SUP telephoneNumber COLLECTIVE )
+#
+#
+#3.11. Collective Telex Number
+#
+# The c-TelexNumber attribute type specifies a telex number for a
+# collection of entries.
+#
+attributeType ( 2.5.4.21.1 NAME 'c-TelexNumber'
+ SUP telexNumber COLLECTIVE )
+#
+#
+#3.13. Collective Facsimile Telephone Number
+#
+# The c-FacsimileTelephoneNumber attribute type specifies a facsimile
+# telephone number for a collection of entries.
+#
+attributeType ( 2.5.4.23.1 NAME 'c-FacsimileTelephoneNumber'
+ SUP facsimileTelephoneNumber COLLECTIVE )
+#
+#
+#3.14. Collective International ISDN Number
+#
+# The c-InternationalISDNNumber attribute type specifies an
+# international ISDN number for a collection of entries.
+#
+attributeType ( 2.5.4.25.1 NAME 'c-InternationalISDNNumber'
+ SUP internationalISDNNumber COLLECTIVE )
+
+# Full Copyright
+#
+# Copyright (C) The Internet Society (2003). All Rights Reserved.
+#
+# This document and translations of it may be copied and furnished
+# to others, and derivative works that comment on or otherwise explain
+# it or assist in its implmentation may be prepared, copied, published
+# and distributed, in whole or in part, without restriction of any
+# kind, provided that the above copyright notice and this paragraph
+# are included on all such copies and derivative works. However,
+# this document itself may not be modified in any way, such as by
+# removing the copyright notice or references to the Internet Society
+# or other Internet organizations, except as needed for the purpose
+# of developing Internet standards in which case the procedures for
+# copyrights defined in the Internet Standards process must be followed,
+# or as required to translate it into languages other than English.
Copied: openldap/trunk/servers/slapd/schema/corba.schema (from rev 1148, openldap/vendor/openldap-2.4.10/servers/slapd/schema/corba.schema)
===================================================================
--- openldap/trunk/servers/slapd/schema/corba.schema (rev 0)
+++ openldap/trunk/servers/slapd/schema/corba.schema 2008-06-28 15:17:20 UTC (rev 1149)
@@ -0,0 +1,239 @@
+# corba.schema -- Corba Object Schema
+# depends upon core.schema
+# $OpenLDAP: pkg/ldap/servers/slapd/schema/corba.schema,v 1.7.2.3 2008/02/11 23:26:49 kurt Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/schema/corba.schema,v 1.7.2.3 2008/02/11 23:26:49 kurt Exp $
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2008 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+#
+## Portions Copyright (C) The Internet Society (1999).
+## Please see full copyright statement below.
+
+
+# Network Working Group V. Ryan
+# Request for Comments: 2714 R. Lee
+# Category: Informational S. Seligman
+# Sun Microsystems, Inc.
+# October 1999
+#
+#
+# Schema for Representing CORBA Object References in an LDAP Directory
+#
+# Status of this Memo
+#
+# This memo provides information for the Internet community. It does
+# not specify an Internet standard of any kind. Distribution of this
+# memo is unlimited.
+#
+# Copyright Notice
+#
+# Copyright (C) The Internet Society (1999). All Rights Reserved.
+#
+# Abstract
+#
+# CORBA [CORBA] is the Common Object Request Broker Architecture
+# defined by the Object Management Group. This document defines the
+# schema for representing CORBA object references in an LDAP directory
+# [LDAPv3].
+#
+# [trimmed]
+
+# 3. Attribute Type Definitions
+#
+# The following attribute types are defined in this document:
+#
+# corbaIor
+# corbaRepositoryId
+#
+# 3.1 corbaIor
+#
+# This attribute stores the string representation of the interoperable
+# object reference (IOR) for a CORBA object. An IOR is an opaque handle
+# for the object which contains the information necessary to locate the
+# object, even if the object is in another ORB.
+#
+# This attribute's syntax is 'IA5 String' and its case is
+# insignificant.
+#
+# ( 1.3.6.1.4.1.42.2.27.4.1.14
+# NAME 'corbaIor'
+# DESC 'Stringified interoperable object reference of a CORBA object'
+# EQUALITY caseIgnoreIA5Match
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+# SINGLE-VALUE
+# )
+#
+attributetype ( 1.3.6.1.4.1.42.2.27.4.1.14
+ NAME 'corbaIor'
+ DESC 'Stringified interoperable object reference of a CORBA object'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE )
+
+# 3.2 corbaRepositoryId
+#
+# Each CORBA interface has a unique "repository id" (also called "type
+# id") that identifies the interface. A CORBA object has one or more
+# repository ids, one for each interface that it implements.
+#
+# The format of a repository id can be any string, but the OMG
+# specifies four standard formats:
+#
+# a. IDL-style
+#
+# IDL:Prefix/ModuleName/InterfaceName:VersionNumber
+#
+# For example, the repository id for the "NamingContext" in OMG's COS
+# Naming module is: "IDL:omg.org/CosNaming/NamingContext:1.0".
+#
+# b. RMI-style
+#
+# RMI:ClassName:HashCode[:SUID]
+#
+# This format is used by RMI-IIOP remote objects [RMI-IIOP].
+# "ClassName" is the fully qualified name of the class (for example,
+# "java.lang.String"). "HashCode" is the object's hash code (that is,
+# that obtained by invoking the "hashCode()" method). "SUID" is the
+# "stream unique identifier", which is a 64-bit number that uniquely
+# identifies the serialization version of the class; SUID is optional
+# in the repository id.
+#
+# c. DCE-style
+#
+# DCE:UUID
+#
+# This format is used for DCE/CORBA interoperability [CORBA-DCE].
+# "UUID" represents a DCE UUID.
+#
+# d. "local"
+#
+# This format is defined by the local Object Request Broker (ORB).
+#
+# The corbaRepositoryId attribute is a multivalued attribute; each
+# value records a single repository id of an interface implemented by
+# the CORBA object. This attribute need not contain a complete list of
+# the interfaces implemented by the CORBA object.
+#
+# This attribute's syntax is 'Directory String' and its case is
+# significant. The values of this attribute are encoded using UTF-8.
+# Some values may require translation from their native representation
+# in order to be correctly encoded using UTF-8.
+#
+# ( 1.3.6.1.4.1.42.2.27.4.1.15
+# NAME 'corbaRepositoryId'
+# DESC 'Repository ids of interfaces implemented by a CORBA object'
+# EQUALITY caseExactMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+# )
+#
+#
+attributetype ( 1.3.6.1.4.1.42.2.27.4.1.15
+ NAME 'corbaRepositoryId'
+ DESC 'Repository ids of interfaces implemented by a CORBA object'
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+# 4. Object Class Definitions
+#
+# The following object classes are defined in this document:
+#
+# corbaContainer
+# corbaObject
+# corbaObjectReference
+#
+# 4.1 corbaContainer
+#
+# This structural object class represents a container for a CORBA
+# object.
+#
+# ( 1.3.6.1.4.1.42.2.27.4.2.10
+# NAME 'corbaContainer'
+# DESC 'Container for a CORBA object'
+# SUP top
+# STRUCTURAL
+# MUST ( cn )
+# )
+#
+objectclass ( 1.3.6.1.4.1.42.2.27.4.2.10
+ NAME 'corbaContainer'
+ DESC 'Container for a CORBA object'
+ SUP top
+ STRUCTURAL
+ MUST cn )
+
+# 4.2 corbaObject
+#
+# This abstract object class is the root class for representing a CORBA
+# object.
+#
+# ( 1.3.6.1.4.1.42.2.27.4.2.9
+# NAME 'corbaObject'
+# DESC 'CORBA object representation'
+# SUP top
+# ABSTRACT
+# MAY ( corbaRepositoryId $ description )
+# )
+#
+objectclass ( 1.3.6.1.4.1.42.2.27.4.2.9
+ NAME 'corbaObject'
+ DESC 'CORBA object representation'
+ SUP top
+ ABSTRACT
+ MAY ( corbaRepositoryId $ description ) )
+
+# 4.3 corbaObjectReference
+#
+# This auxiliary object class represents a CORBA object reference. It
+# must be mixed in with a structural object class.
+#
+# ( 1.3.6.1.4.1.42.2.27.4.2.11
+# NAME 'corbaObjectReference'
+# DESC 'CORBA interoperable object reference'
+# SUP corbaObject
+# AUXILIARY
+# MUST ( corbaIor )
+# )
+#
+objectclass ( 1.3.6.1.4.1.42.2.27.4.2.11
+ NAME 'corbaObjectReference'
+ DESC 'CORBA interoperable object reference'
+ SUP corbaObject
+ AUXILIARY
+ MUST corbaIor )
+
+# 10. Full Copyright Statement
+#
+# Copyright (C) The Internet Society (1999). All Rights Reserved.
+#
+# This document and translations of it may be copied and furnished to
+# others, and derivative works that comment on or otherwise explain it
+# or assist in its implementation may be prepared, copied, published
+# and distributed, in whole or in part, without restriction of any
+# kind, provided that the above copyright notice and this paragraph are
+# included on all such copies and derivative works. However, this
+# document itself may not be modified in any way, such as by removing
+# the copyright notice or references to the Internet Society or other
+# Internet organizations, except as needed for the purpose of
+# developing Internet standards in which case the procedures for
+# copyrights defined in the Internet Standards process must be
+# followed, or as required to translate it into languages other than
+# English.
+#
+# The limited permissions granted above are perpetual and will not be
+# revoked by the Internet Society or its successors or assigns.
+#
+# This document and the information contained herein is provided on an
+# "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+# TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+# BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+# HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+# MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copied: openldap/trunk/servers/slapd/schema/core.ldif (from rev 1148, openldap/vendor/openldap-2.4.10/servers/slapd/schema/core.ldif)
===================================================================
--- openldap/trunk/servers/slapd/schema/core.ldif (rev 0)
+++ openldap/trunk/servers/slapd/schema/core.ldif 2008-06-28 15:17:20 UTC (rev 1149)
@@ -0,0 +1,591 @@
+# OpenLDAP Core schema
+# $OpenLDAP: pkg/ldap/servers/slapd/schema/core.ldif,v 1.2.2.5 2008/02/11 23:26:49 kurt Exp $
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2008 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+#
+## Portions Copyright (C) The Internet Society (1997-2003).
+## All Rights Reserved.
+##
+## This document and translations of it may be copied and furnished to
+## others, and derivative works that comment on or otherwise explain it
+## or assist in its implementation may be prepared, copied, published
+## and distributed, in whole or in part, without restriction of any
+## kind, provided that the above copyright notice and this paragraph are
+## included on all such copies and derivative works. However, this
+## document itself may not be modified in any way, such as by removing
+## the copyright notice or references to the Internet Society or other
+## Internet organizations, except as needed for the purpose of
+## developing Internet standards in which case the procedures for
+## copyrights defined in the Internet Standards process must be
+## followed, or as required to translate it into languages other than
+## English.
+##
+## The limited permissions granted above are perpetual and will not be
+## revoked by the Internet Society or its successors or assigns.
+##
+## This document and the information contained herein is provided on an
+## "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+## TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+## BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+## HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+## MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+#
+#
+#
+# Includes LDAPv3 schema items from:
+# RFC 2252/2256 (LDAPv3)
+#
+# Select standard track schema items:
+# RFC 1274 (uid/dc)
+# RFC 2079 (URI)
+# RFC 2247 (dc/dcObject)
+# RFC 2587 (PKI)
+# RFC 2589 (Dynamic Directory Services)
+#
+# Select informational schema items:
+# RFC 2377 (uidObject)
+#
+#
+# Standard attribute types from RFC 2256
+#
+dn: cn=core,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: core
+#
+# system schema
+#olcAttributeTypes: ( 2.5.4.0 NAME 'objectClass'
+# DESC 'RFC2256: object classes of the entity'
+# EQUALITY objectIdentifierMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
+#
+# system schema
+#olcAttributeTypes: ( 2.5.4.1 NAME ( 'aliasedObjectName' 'aliasedEntryName' )
+# DESC 'RFC2256: name of aliased object'
+# EQUALITY distinguishedNameMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
+#
+olcAttributeTypes: ( 2.5.4.2 NAME 'knowledgeInformation'
+ DESC 'RFC2256: knowledge information'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
+#
+# system schema
+#olcAttributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' )
+# DESC 'RFC2256: common name(s) for which the entity is known by'
+# SUP name )
+#
+olcAttributeTypes: ( 2.5.4.4 NAME ( 'sn' 'surname' )
+ DESC 'RFC2256: last (family) name(s) for which the entity is known by'
+ SUP name )
+#
+olcAttributeTypes: ( 2.5.4.5 NAME 'serialNumber'
+ DESC 'RFC2256: serial number of the entity'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )
+#
+# RFC 4519 definition ('countryName' in X.500 and RFC2256)
+olcAttributeTypes: ( 2.5.4.6 NAME ( 'c' 'countryName' )
+ DESC 'RFC4519: two-letter ISO-3166 country code'
+ SUP name
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.11
+ SINGLE-VALUE )
+#
+olcAttributeTypes: ( 2.5.4.7 NAME ( 'l' 'localityName' )
+ DESC 'RFC2256: locality which this object resides in'
+ SUP name )
+#
+olcAttributeTypes: ( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' )
+ DESC 'RFC2256: state or province which this object resides in'
+ SUP name )
+#
+olcAttributeTypes: ( 2.5.4.9 NAME ( 'street' 'streetAddress' )
+ DESC 'RFC2256: street address of this object'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+#
+olcAttributeTypes: ( 2.5.4.10 NAME ( 'o' 'organizationName' )
+ DESC 'RFC2256: organization this object belongs to'
+ SUP name )
+#
+olcAttributeTypes: ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' )
+ DESC 'RFC2256: organizational unit this object belongs to'
+ SUP name )
+#
+olcAttributeTypes: ( 2.5.4.12 NAME 'title'
+ DESC 'RFC2256: title associated with the entity'
+ SUP name )
+#
+# system schema
+#olcAttributeTypes: ( 2.5.4.13 NAME 'description'
+# DESC 'RFC2256: descriptive information'
+# EQUALITY caseIgnoreMatch
+# SUBSTR caseIgnoreSubstringsMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
+#
+# Deprecated by enhancedSearchGuide
+olcAttributeTypes: ( 2.5.4.14 NAME 'searchGuide'
+ DESC 'RFC2256: search guide, deprecated by enhancedSearchGuide'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )
+#
+olcAttributeTypes: ( 2.5.4.15 NAME 'businessCategory'
+ DESC 'RFC2256: business category'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+#
+olcAttributeTypes: ( 2.5.4.16 NAME 'postalAddress'
+ DESC 'RFC2256: postal address'
+ EQUALITY caseIgnoreListMatch
+ SUBSTR caseIgnoreListSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
+#
+olcAttributeTypes: ( 2.5.4.17 NAME 'postalCode'
+ DESC 'RFC2256: postal code'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )
+#
+olcAttributeTypes: ( 2.5.4.18 NAME 'postOfficeBox'
+ DESC 'RFC2256: Post Office Box'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )
+#
+olcAttributeTypes: ( 2.5.4.19 NAME 'physicalDeliveryOfficeName'
+ DESC 'RFC2256: Physical Delivery Office Name'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+#
+olcAttributeTypes: ( 2.5.4.20 NAME 'telephoneNumber'
+ DESC 'RFC2256: Telephone Number'
+ EQUALITY telephoneNumberMatch
+ SUBSTR telephoneNumberSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )
+#
+olcAttributeTypes: ( 2.5.4.21 NAME 'telexNumber'
+ DESC 'RFC2256: Telex Number'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )
+#
+olcAttributeTypes: ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
+ DESC 'RFC2256: Teletex Terminal Identifier'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )
+#
+olcAttributeTypes: ( 2.5.4.23 NAME ( 'facsimileTelephoneNumber' 'fax' )
+ DESC 'RFC2256: Facsimile (Fax) Telephone Number'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )
+#
+olcAttributeTypes: ( 2.5.4.24 NAME 'x121Address'
+ DESC 'RFC2256: X.121 Address'
+ EQUALITY numericStringMatch
+ SUBSTR numericStringSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} )
+#
+olcAttributeTypes: ( 2.5.4.25 NAME 'internationaliSDNNumber'
+ DESC 'RFC2256: international ISDN number'
+ EQUALITY numericStringMatch
+ SUBSTR numericStringSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} )
+#
+olcAttributeTypes: ( 2.5.4.26 NAME 'registeredAddress'
+ DESC 'RFC2256: registered postal address'
+ SUP postalAddress
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
+#
+olcAttributeTypes: ( 2.5.4.27 NAME 'destinationIndicator'
+ DESC 'RFC2256: destination indicator'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )
+#
+olcAttributeTypes: ( 2.5.4.28 NAME 'preferredDeliveryMethod'
+ DESC 'RFC2256: preferred delivery method'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
+ SINGLE-VALUE )
+#
+olcAttributeTypes: ( 2.5.4.29 NAME 'presentationAddress'
+ DESC 'RFC2256: presentation address'
+ EQUALITY presentationAddressMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.43
+ SINGLE-VALUE )
+#
+olcAttributeTypes: ( 2.5.4.30 NAME 'supportedApplicationContext'
+ DESC 'RFC2256: supported application context'
+ EQUALITY objectIdentifierMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
+#
+olcAttributeTypes: ( 2.5.4.31 NAME 'member'
+ DESC 'RFC2256: member of a group'
+ SUP distinguishedName )
+#
+olcAttributeTypes: ( 2.5.4.32 NAME 'owner'
+ DESC 'RFC2256: owner (of the object)'
+ SUP distinguishedName )
+#
+olcAttributeTypes: ( 2.5.4.33 NAME 'roleOccupant'
+ DESC 'RFC2256: occupant of role'
+ SUP distinguishedName )
+#
+# system schema
+#olcAttributeTypes: ( 2.5.4.34 NAME 'seeAlso'
+# DESC 'RFC2256: DN of related object'
+# SUP distinguishedName )
+#
+# system schema
+#olcAttributeTypes: ( 2.5.4.35 NAME 'userPassword'
+# DESC 'RFC2256/2307: password of user'
+# EQUALITY octetStringMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
+#
+# Must be transferred using ;binary
+# with certificateExactMatch rule (per X.509)
+olcAttributeTypes: ( 2.5.4.36 NAME 'userCertificate'
+ DESC 'RFC2256: X.509 user certificate, use ;binary'
+ EQUALITY certificateExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
+#
+# Must be transferred using ;binary
+# with certificateExactMatch rule (per X.509)
+olcAttributeTypes: ( 2.5.4.37 NAME 'cACertificate'
+ DESC 'RFC2256: X.509 CA certificate, use ;binary'
+ EQUALITY certificateExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
+#
+# Must be transferred using ;binary
+olcAttributeTypes: ( 2.5.4.38 NAME 'authorityRevocationList'
+ DESC 'RFC2256: X.509 authority revocation list, use ;binary'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
+#
+# Must be transferred using ;binary
+olcAttributeTypes: ( 2.5.4.39 NAME 'certificateRevocationList'
+ DESC 'RFC2256: X.509 certificate revocation list, use ;binary'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
+#
+# Must be stored and requested in the binary form
+olcAttributeTypes: ( 2.5.4.40 NAME 'crossCertificatePair'
+ DESC 'RFC2256: X.509 cross certificate pair, use ;binary'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 )
+#
+# 2.5.4.41 is defined above as it's used for subtyping
+#olcAttributeTypes: ( 2.5.4.41 NAME 'name'
+# EQUALITY caseIgnoreMatch
+# SUBSTR caseIgnoreSubstringsMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
+#
+olcAttributeTypes: ( 2.5.4.42 NAME ( 'givenName' 'gn' )
+ DESC 'RFC2256: first name(s) for which the entity is known by'
+ SUP name )
+#
+olcAttributeTypes: ( 2.5.4.43 NAME 'initials'
+ DESC 'RFC2256: initials of some or all of names, but not the surname(s).'
+ SUP name )
+#
+olcAttributeTypes: ( 2.5.4.44 NAME 'generationQualifier'
+ DESC 'RFC2256: name qualifier indicating a generation'
+ SUP name )
+#
+olcAttributeTypes: ( 2.5.4.45 NAME 'x500UniqueIdentifier'
+ DESC 'RFC2256: X.500 unique identifier'
+ EQUALITY bitStringMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )
+#
+olcAttributeTypes: ( 2.5.4.46 NAME 'dnQualifier'
+ DESC 'RFC2256: DN qualifier'
+ EQUALITY caseIgnoreMatch
+ ORDERING caseIgnoreOrderingMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
+#
+olcAttributeTypes: ( 2.5.4.47 NAME 'enhancedSearchGuide'
+ DESC 'RFC2256: enhanced search guide'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )
+#
+olcAttributeTypes: ( 2.5.4.48 NAME 'protocolInformation'
+ DESC 'RFC2256: protocol information'
+ EQUALITY protocolInformationMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 )
+#
+# 2.5.4.49 is defined above as it's used for subtyping
+#olcAttributeTypes: ( 2.5.4.49 NAME 'distinguishedName'
+# EQUALITY distinguishedNameMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+#
+olcAttributeTypes: ( 2.5.4.50 NAME 'uniqueMember'
+ DESC 'RFC2256: unique member of a group'
+ EQUALITY uniqueMemberMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )
+#
+olcAttributeTypes: ( 2.5.4.51 NAME 'houseIdentifier'
+ DESC 'RFC2256: house identifier'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
+#
+# Must be transferred using ;binary
+olcAttributeTypes: ( 2.5.4.52 NAME 'supportedAlgorithms'
+ DESC 'RFC2256: supported algorithms'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 )
+#
+# Must be transferred using ;binary
+olcAttributeTypes: ( 2.5.4.53 NAME 'deltaRevocationList'
+ DESC 'RFC2256: delta revocation list; use ;binary'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
+#
+olcAttributeTypes: ( 2.5.4.54 NAME 'dmdName'
+ DESC 'RFC2256: name of DMD'
+ SUP name )
+#
+olcAttributeTypes: ( 2.5.4.65 NAME 'pseudonym'
+ DESC 'X.520(4th): pseudonym for the object'
+ SUP name )
+#
+# Standard object classes from RFC2256
+#
+# system schema
+#olcObjectClasses: ( 2.5.6.1 NAME 'alias'
+# DESC 'RFC2256: an alias'
+# SUP top STRUCTURAL
+# MUST aliasedObjectName )
+#
+olcObjectClasses: ( 2.5.6.2 NAME 'country'
+ DESC 'RFC2256: a country'
+ SUP top STRUCTURAL
+ MUST c
+ MAY ( searchGuide $ description ) )
+#
+olcObjectClasses: ( 2.5.6.3 NAME 'locality'
+ DESC 'RFC2256: a locality'
+ SUP top STRUCTURAL
+ MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) )
+#
+olcObjectClasses: ( 2.5.6.4 NAME 'organization'
+ DESC 'RFC2256: an organization'
+ SUP top STRUCTURAL
+ MUST o
+ MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
+ x121Address $ registeredAddress $ destinationIndicator $
+ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
+ telephoneNumber $ internationaliSDNNumber $
+ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
+ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )
+#
+olcObjectClasses: ( 2.5.6.5 NAME 'organizationalUnit'
+ DESC 'RFC2256: an organizational unit'
+ SUP top STRUCTURAL
+ MUST ou
+ MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
+ x121Address $ registeredAddress $ destinationIndicator $
+ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
+ telephoneNumber $ internationaliSDNNumber $
+ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
+ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )
+#
+olcObjectClasses: ( 2.5.6.6 NAME 'person'
+ DESC 'RFC2256: a person'
+ SUP top STRUCTURAL
+ MUST ( sn $ cn )
+ MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
+#
+olcObjectClasses: ( 2.5.6.7 NAME 'organizationalPerson'
+ DESC 'RFC2256: an organizational person'
+ SUP person STRUCTURAL
+ MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $
+ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
+ telephoneNumber $ internationaliSDNNumber $
+ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
+ postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l ) )
+#
+olcObjectClasses: ( 2.5.6.8 NAME 'organizationalRole'
+ DESC 'RFC2256: an organizational role'
+ SUP top STRUCTURAL
+ MUST cn
+ MAY ( x121Address $ registeredAddress $ destinationIndicator $
+ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
+ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
+ seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $
+ postOfficeBox $ postalCode $ postalAddress $
+ physicalDeliveryOfficeName $ ou $ st $ l $ description ) )
+#
+olcObjectClasses: ( 2.5.6.9 NAME 'groupOfNames'
+ DESC 'RFC2256: a group of names (DNs)'
+ SUP top STRUCTURAL
+ MUST ( member $ cn )
+ MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
+#
+olcObjectClasses: ( 2.5.6.10 NAME 'residentialPerson'
+ DESC 'RFC2256: an residential person'
+ SUP person STRUCTURAL
+ MUST l
+ MAY ( businessCategory $ x121Address $ registeredAddress $
+ destinationIndicator $ preferredDeliveryMethod $ telexNumber $
+ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $
+ facsimileTelephoneNumber $ preferredDeliveryMethod $ street $
+ postOfficeBox $ postalCode $ postalAddress $
+ physicalDeliveryOfficeName $ st $ l ) )
+#
+olcObjectClasses: ( 2.5.6.11 NAME 'applicationProcess'
+ DESC 'RFC2256: an application process'
+ SUP top STRUCTURAL
+ MUST cn
+ MAY ( seeAlso $ ou $ l $ description ) )
+#
+olcObjectClasses: ( 2.5.6.12 NAME 'applicationEntity'
+ DESC 'RFC2256: an application entity'
+ SUP top STRUCTURAL
+ MUST ( presentationAddress $ cn )
+ MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $
+ description ) )
+#
+olcObjectClasses: ( 2.5.6.13 NAME 'dSA'
+ DESC 'RFC2256: a directory system agent (a server)'
+ SUP applicationEntity STRUCTURAL
+ MAY knowledgeInformation )
+#
+olcObjectClasses: ( 2.5.6.14 NAME 'device'
+ DESC 'RFC2256: a device'
+ SUP top STRUCTURAL
+ MUST cn
+ MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )
+#
+olcObjectClasses: ( 2.5.6.15 NAME 'strongAuthenticationUser'
+ DESC 'RFC2256: a strong authentication user'
+ SUP top AUXILIARY
+ MUST userCertificate )
+#
+olcObjectClasses: ( 2.5.6.16 NAME 'certificationAuthority'
+ DESC 'RFC2256: a certificate authority'
+ SUP top AUXILIARY
+ MUST ( authorityRevocationList $ certificateRevocationList $
+ cACertificate ) MAY crossCertificatePair )
+#
+olcObjectClasses: ( 2.5.6.17 NAME 'groupOfUniqueNames'
+ DESC 'RFC2256: a group of unique names (DN and Unique Identifier)'
+ SUP top STRUCTURAL
+ MUST ( uniqueMember $ cn )
+ MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
+#
+olcObjectClasses: ( 2.5.6.18 NAME 'userSecurityInformation'
+ DESC 'RFC2256: a user security information'
+ SUP top AUXILIARY
+ MAY ( supportedAlgorithms ) )
+#
+olcObjectClasses: ( 2.5.6.16.2 NAME 'certificationAuthority-V2'
+ SUP certificationAuthority
+ AUXILIARY MAY ( deltaRevocationList ) )
+#
+olcObjectClasses: ( 2.5.6.19 NAME 'cRLDistributionPoint'
+ SUP top STRUCTURAL
+ MUST ( cn )
+ MAY ( certificateRevocationList $ authorityRevocationList $
+ deltaRevocationList ) )
+#
+olcObjectClasses: ( 2.5.6.20 NAME 'dmd'
+ SUP top STRUCTURAL
+ MUST ( dmdName )
+ MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
+ x121Address $ registeredAddress $ destinationIndicator $
+ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
+ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
+ street $ postOfficeBox $ postalCode $ postalAddress $
+ physicalDeliveryOfficeName $ st $ l $ description ) )
+#
+#
+# Object Classes from RFC 2587
+#
+olcObjectClasses: ( 2.5.6.21 NAME 'pkiUser'
+ DESC 'RFC2587: a PKI user'
+ SUP top AUXILIARY
+ MAY userCertificate )
+#
+olcObjectClasses: ( 2.5.6.22 NAME 'pkiCA'
+ DESC 'RFC2587: PKI certificate authority'
+ SUP top AUXILIARY
+ MAY ( authorityRevocationList $ certificateRevocationList $
+ cACertificate $ crossCertificatePair ) )
+#
+olcObjectClasses: ( 2.5.6.23 NAME 'deltaCRL'
+ DESC 'RFC2587: PKI user'
+ SUP top AUXILIARY
+ MAY deltaRevocationList )
+#
+#
+# Standard Track URI label schema from RFC 2079
+# system schema
+#olcAttributeTypes: ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI'
+# DESC 'RFC2079: Uniform Resource Identifier with optional label'
+# EQUALITY caseExactMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+#
+olcObjectClasses: ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject'
+ DESC 'RFC2079: object that contains the URI attribute type'
+ MAY ( labeledURI )
+ SUP top AUXILIARY )
+#
+#
+# Derived from RFC 1274, but with new "short names"
+#
+#olcAttributeTypes: ( 0.9.2342.19200300.100.1.1
+# NAME ( 'uid' 'userid' )
+# DESC 'RFC1274: user identifier'
+# EQUALITY caseIgnoreMatch
+# SUBSTR caseIgnoreSubstringsMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+#
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.3
+ NAME ( 'mail' 'rfc822Mailbox' )
+ DESC 'RFC1274: RFC822 Mailbox'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+#
+olcObjectClasses: ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject'
+ DESC 'RFC1274: simple security object'
+ SUP top AUXILIARY
+ MUST userPassword )
+#
+# RFC 1274 + RFC 2247
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.25
+ NAME ( 'dc' 'domainComponent' )
+ DESC 'RFC1274/2247: domain component'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+#
+# RFC 2247
+olcObjectClasses: ( 1.3.6.1.4.1.1466.344 NAME 'dcObject'
+ DESC 'RFC2247: domain component object'
+ SUP top AUXILIARY MUST dc )
+#
+# RFC 2377
+olcObjectClasses: ( 1.3.6.1.1.3.1 NAME 'uidObject'
+ DESC 'RFC2377: uid object'
+ SUP top AUXILIARY MUST uid )
+#
+# From COSINE Pilot
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.37
+ NAME 'associatedDomain'
+ DESC 'RFC1274: domain associated with object'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+#
+# RFC 2459 -- deprecated in favor of 'mail' (in cosine.schema)
+olcAttributeTypes: ( 1.2.840.113549.1.9.1
+ NAME ( 'email' 'emailAddress' 'pkcs9email' )
+ DESC 'RFC3280: legacy attribute for email addresses in DNs'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
+#
Copied: openldap/trunk/servers/slapd/schema/core.schema (from rev 1148, openldap/vendor/openldap-2.4.10/servers/slapd/schema/core.schema)
===================================================================
--- openldap/trunk/servers/slapd/schema/core.schema (rev 0)
+++ openldap/trunk/servers/slapd/schema/core.schema 2008-06-28 15:17:20 UTC (rev 1149)
@@ -0,0 +1,610 @@
+# OpenLDAP Core schema
+# $OpenLDAP: pkg/ldap/servers/slapd/schema/core.schema,v 1.88.2.6 2008/02/11 23:26:49 kurt Exp $
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2008 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+#
+## Portions Copyright (C) The Internet Society (1997-2006).
+## All Rights Reserved.
+##
+## This document and translations of it may be copied and furnished to
+## others, and derivative works that comment on or otherwise explain it
+## or assist in its implementation may be prepared, copied, published
+## and distributed, in whole or in part, without restriction of any
+## kind, provided that the above copyright notice and this paragraph are
+## included on all such copies and derivative works. However, this
+## document itself may not be modified in any way, such as by removing
+## the copyright notice or references to the Internet Society or other
+## Internet organizations, except as needed for the purpose of
+## developing Internet standards in which case the procedures for
+## copyrights defined in the Internet Standards process must be
+## followed, or as required to translate it into languages other than
+## English.
+##
+## The limited permissions granted above are perpetual and will not be
+## revoked by the Internet Society or its successors or assigns.
+##
+## This document and the information contained herein is provided on an
+## "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+## TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+## BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+## HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+## MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+#
+#
+# Includes LDAPv3 schema items from:
+# RFC 2252/2256 (LDAPv3)
+#
+# Select standard track schema items:
+# RFC 1274 (uid/dc)
+# RFC 2079 (URI)
+# RFC 2247 (dc/dcObject)
+# RFC 2587 (PKI)
+# RFC 2589 (Dynamic Directory Services)
+# RFC 4524 (associatedDomain)
+#
+# Select informational schema items:
+# RFC 2377 (uidObject)
+
+#
+# Standard attribute types from RFC 2256
+#
+
+# system schema
+#attributetype ( 2.5.4.0 NAME 'objectClass'
+# DESC 'RFC2256: object classes of the entity'
+# EQUALITY objectIdentifierMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
+
+# system schema
+#attributetype ( 2.5.4.1 NAME ( 'aliasedObjectName' 'aliasedEntryName' )
+# DESC 'RFC2256: name of aliased object'
+# EQUALITY distinguishedNameMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
+
+attributetype ( 2.5.4.2 NAME 'knowledgeInformation'
+ DESC 'RFC2256: knowledge information'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
+
+# system schema
+#attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' )
+# DESC 'RFC2256: common name(s) for which the entity is known by'
+# SUP name )
+
+attributetype ( 2.5.4.4 NAME ( 'sn' 'surname' )
+ DESC 'RFC2256: last (family) name(s) for which the entity is known by'
+ SUP name )
+
+attributetype ( 2.5.4.5 NAME 'serialNumber'
+ DESC 'RFC2256: serial number of the entity'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )
+
+# RFC 4519 definition ('countryName' in X.500 and RFC2256)
+attributetype ( 2.5.4.6 NAME ( 'c' 'countryName' )
+ DESC 'RFC4519: two-letter ISO-3166 country code'
+ SUP name
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.11
+ SINGLE-VALUE )
+
+#attributetype ( 2.5.4.6 NAME ( 'c' 'countryName' )
+# DESC 'RFC2256: ISO-3166 country 2-letter code'
+# SUP name SINGLE-VALUE )
+
+attributetype ( 2.5.4.7 NAME ( 'l' 'localityName' )
+ DESC 'RFC2256: locality which this object resides in'
+ SUP name )
+
+attributetype ( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' )
+ DESC 'RFC2256: state or province which this object resides in'
+ SUP name )
+
+attributetype ( 2.5.4.9 NAME ( 'street' 'streetAddress' )
+ DESC 'RFC2256: street address of this object'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+
+attributetype ( 2.5.4.10 NAME ( 'o' 'organizationName' )
+ DESC 'RFC2256: organization this object belongs to'
+ SUP name )
+
+attributetype ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' )
+ DESC 'RFC2256: organizational unit this object belongs to'
+ SUP name )
+
+attributetype ( 2.5.4.12 NAME 'title'
+ DESC 'RFC2256: title associated with the entity'
+ SUP name )
+
+# system schema
+#attributetype ( 2.5.4.13 NAME 'description'
+# DESC 'RFC2256: descriptive information'
+# EQUALITY caseIgnoreMatch
+# SUBSTR caseIgnoreSubstringsMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
+
+# Deprecated by enhancedSearchGuide
+attributetype ( 2.5.4.14 NAME 'searchGuide'
+ DESC 'RFC2256: search guide, deprecated by enhancedSearchGuide'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )
+
+attributetype ( 2.5.4.15 NAME 'businessCategory'
+ DESC 'RFC2256: business category'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+
+attributetype ( 2.5.4.16 NAME 'postalAddress'
+ DESC 'RFC2256: postal address'
+ EQUALITY caseIgnoreListMatch
+ SUBSTR caseIgnoreListSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
+
+attributetype ( 2.5.4.17 NAME 'postalCode'
+ DESC 'RFC2256: postal code'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )
+
+attributetype ( 2.5.4.18 NAME 'postOfficeBox'
+ DESC 'RFC2256: Post Office Box'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )
+
+attributetype ( 2.5.4.19 NAME 'physicalDeliveryOfficeName'
+ DESC 'RFC2256: Physical Delivery Office Name'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+
+attributetype ( 2.5.4.20 NAME 'telephoneNumber'
+ DESC 'RFC2256: Telephone Number'
+ EQUALITY telephoneNumberMatch
+ SUBSTR telephoneNumberSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )
+
+attributetype ( 2.5.4.21 NAME 'telexNumber'
+ DESC 'RFC2256: Telex Number'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )
+
+attributetype ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
+ DESC 'RFC2256: Teletex Terminal Identifier'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )
+
+attributetype ( 2.5.4.23 NAME ( 'facsimileTelephoneNumber' 'fax' )
+ DESC 'RFC2256: Facsimile (Fax) Telephone Number'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )
+
+attributetype ( 2.5.4.24 NAME 'x121Address'
+ DESC 'RFC2256: X.121 Address'
+ EQUALITY numericStringMatch
+ SUBSTR numericStringSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} )
+
+attributetype ( 2.5.4.25 NAME 'internationaliSDNNumber'
+ DESC 'RFC2256: international ISDN number'
+ EQUALITY numericStringMatch
+ SUBSTR numericStringSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} )
+
+attributetype ( 2.5.4.26 NAME 'registeredAddress'
+ DESC 'RFC2256: registered postal address'
+ SUP postalAddress
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
+
+attributetype ( 2.5.4.27 NAME 'destinationIndicator'
+ DESC 'RFC2256: destination indicator'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )
+
+attributetype ( 2.5.4.28 NAME 'preferredDeliveryMethod'
+ DESC 'RFC2256: preferred delivery method'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
+ SINGLE-VALUE )
+
+attributetype ( 2.5.4.29 NAME 'presentationAddress'
+ DESC 'RFC2256: presentation address'
+ EQUALITY presentationAddressMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.43
+ SINGLE-VALUE )
+
+attributetype ( 2.5.4.30 NAME 'supportedApplicationContext'
+ DESC 'RFC2256: supported application context'
+ EQUALITY objectIdentifierMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
+
+attributetype ( 2.5.4.31 NAME 'member'
+ DESC 'RFC2256: member of a group'
+ SUP distinguishedName )
+
+attributetype ( 2.5.4.32 NAME 'owner'
+ DESC 'RFC2256: owner (of the object)'
+ SUP distinguishedName )
+
+attributetype ( 2.5.4.33 NAME 'roleOccupant'
+ DESC 'RFC2256: occupant of role'
+ SUP distinguishedName )
+
+# system schema
+#attributetype ( 2.5.4.34 NAME 'seeAlso'
+# DESC 'RFC2256: DN of related object'
+# SUP distinguishedName )
+
+# system schema
+#attributetype ( 2.5.4.35 NAME 'userPassword'
+# DESC 'RFC2256/2307: password of user'
+# EQUALITY octetStringMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
+
+# Must be transferred using ;binary
+# with certificateExactMatch rule (per X.509)
+attributetype ( 2.5.4.36 NAME 'userCertificate'
+ DESC 'RFC2256: X.509 user certificate, use ;binary'
+ EQUALITY certificateExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
+
+# Must be transferred using ;binary
+# with certificateExactMatch rule (per X.509)
+attributetype ( 2.5.4.37 NAME 'cACertificate'
+ DESC 'RFC2256: X.509 CA certificate, use ;binary'
+ EQUALITY certificateExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
+
+# Must be transferred using ;binary
+attributetype ( 2.5.4.38 NAME 'authorityRevocationList'
+ DESC 'RFC2256: X.509 authority revocation list, use ;binary'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
+
+# Must be transferred using ;binary
+attributetype ( 2.5.4.39 NAME 'certificateRevocationList'
+ DESC 'RFC2256: X.509 certificate revocation list, use ;binary'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
+
+# Must be stored and requested in the binary form
+attributetype ( 2.5.4.40 NAME 'crossCertificatePair'
+ DESC 'RFC2256: X.509 cross certificate pair, use ;binary'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 )
+
+# system schema
+#attributetype ( 2.5.4.41 NAME 'name'
+# EQUALITY caseIgnoreMatch
+# SUBSTR caseIgnoreSubstringsMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
+
+attributetype ( 2.5.4.42 NAME ( 'givenName' 'gn' )
+ DESC 'RFC2256: first name(s) for which the entity is known by'
+ SUP name )
+
+attributetype ( 2.5.4.43 NAME 'initials'
+ DESC 'RFC2256: initials of some or all of names, but not the surname(s).'
+ SUP name )
+
+attributetype ( 2.5.4.44 NAME 'generationQualifier'
+ DESC 'RFC2256: name qualifier indicating a generation'
+ SUP name )
+
+attributetype ( 2.5.4.45 NAME 'x500UniqueIdentifier'
+ DESC 'RFC2256: X.500 unique identifier'
+ EQUALITY bitStringMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )
+
+attributetype ( 2.5.4.46 NAME 'dnQualifier'
+ DESC 'RFC2256: DN qualifier'
+ EQUALITY caseIgnoreMatch
+ ORDERING caseIgnoreOrderingMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
+
+attributetype ( 2.5.4.47 NAME 'enhancedSearchGuide'
+ DESC 'RFC2256: enhanced search guide'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )
+
+attributetype ( 2.5.4.48 NAME 'protocolInformation'
+ DESC 'RFC2256: protocol information'
+ EQUALITY protocolInformationMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 )
+
+# system schema
+#attributetype ( 2.5.4.49 NAME 'distinguishedName'
+# EQUALITY distinguishedNameMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+
+attributetype ( 2.5.4.50 NAME 'uniqueMember'
+ DESC 'RFC2256: unique member of a group'
+ EQUALITY uniqueMemberMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )
+
+attributetype ( 2.5.4.51 NAME 'houseIdentifier'
+ DESC 'RFC2256: house identifier'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
+
+# Must be transferred using ;binary
+attributetype ( 2.5.4.52 NAME 'supportedAlgorithms'
+ DESC 'RFC2256: supported algorithms'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 )
+
+# Must be transferred using ;binary
+attributetype ( 2.5.4.53 NAME 'deltaRevocationList'
+ DESC 'RFC2256: delta revocation list; use ;binary'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
+
+attributetype ( 2.5.4.54 NAME 'dmdName'
+ DESC 'RFC2256: name of DMD'
+ SUP name )
+
+attributetype ( 2.5.4.65 NAME 'pseudonym'
+ DESC 'X.520(4th): pseudonym for the object'
+ SUP name )
+
+# Standard object classes from RFC2256
+
+# system schema
+#objectclass ( 2.5.6.0 NAME 'top'
+# DESC 'RFC2256: top of the superclass chain'
+# ABSTRACT
+# MUST objectClass )
+
+# system schema
+#objectclass ( 2.5.6.1 NAME 'alias'
+# DESC 'RFC2256: an alias'
+# SUP top STRUCTURAL
+# MUST aliasedObjectName )
+
+objectclass ( 2.5.6.2 NAME 'country'
+ DESC 'RFC2256: a country'
+ SUP top STRUCTURAL
+ MUST c
+ MAY ( searchGuide $ description ) )
+
+objectclass ( 2.5.6.3 NAME 'locality'
+ DESC 'RFC2256: a locality'
+ SUP top STRUCTURAL
+ MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) )
+
+objectclass ( 2.5.6.4 NAME 'organization'
+ DESC 'RFC2256: an organization'
+ SUP top STRUCTURAL
+ MUST o
+ MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
+ x121Address $ registeredAddress $ destinationIndicator $
+ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
+ telephoneNumber $ internationaliSDNNumber $
+ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
+ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )
+
+objectclass ( 2.5.6.5 NAME 'organizationalUnit'
+ DESC 'RFC2256: an organizational unit'
+ SUP top STRUCTURAL
+ MUST ou
+ MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
+ x121Address $ registeredAddress $ destinationIndicator $
+ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
+ telephoneNumber $ internationaliSDNNumber $
+ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
+ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )
+
+objectclass ( 2.5.6.6 NAME 'person'
+ DESC 'RFC2256: a person'
+ SUP top STRUCTURAL
+ MUST ( sn $ cn )
+ MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
+
+objectclass ( 2.5.6.7 NAME 'organizationalPerson'
+ DESC 'RFC2256: an organizational person'
+ SUP person STRUCTURAL
+ MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $
+ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
+ telephoneNumber $ internationaliSDNNumber $
+ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
+ postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l ) )
+
+objectclass ( 2.5.6.8 NAME 'organizationalRole'
+ DESC 'RFC2256: an organizational role'
+ SUP top STRUCTURAL
+ MUST cn
+ MAY ( x121Address $ registeredAddress $ destinationIndicator $
+ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
+ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
+ seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $
+ postOfficeBox $ postalCode $ postalAddress $
+ physicalDeliveryOfficeName $ ou $ st $ l $ description ) )
+
+objectclass ( 2.5.6.9 NAME 'groupOfNames'
+ DESC 'RFC2256: a group of names (DNs)'
+ SUP top STRUCTURAL
+ MUST ( member $ cn )
+ MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
+
+objectclass ( 2.5.6.10 NAME 'residentialPerson'
+ DESC 'RFC2256: an residential person'
+ SUP person STRUCTURAL
+ MUST l
+ MAY ( businessCategory $ x121Address $ registeredAddress $
+ destinationIndicator $ preferredDeliveryMethod $ telexNumber $
+ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $
+ facsimileTelephoneNumber $ preferredDeliveryMethod $ street $
+ postOfficeBox $ postalCode $ postalAddress $
+ physicalDeliveryOfficeName $ st $ l ) )
+
+objectclass ( 2.5.6.11 NAME 'applicationProcess'
+ DESC 'RFC2256: an application process'
+ SUP top STRUCTURAL
+ MUST cn
+ MAY ( seeAlso $ ou $ l $ description ) )
+
+objectclass ( 2.5.6.12 NAME 'applicationEntity'
+ DESC 'RFC2256: an application entity'
+ SUP top STRUCTURAL
+ MUST ( presentationAddress $ cn )
+ MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $
+ description ) )
+
+objectclass ( 2.5.6.13 NAME 'dSA'
+ DESC 'RFC2256: a directory system agent (a server)'
+ SUP applicationEntity STRUCTURAL
+ MAY knowledgeInformation )
+
+objectclass ( 2.5.6.14 NAME 'device'
+ DESC 'RFC2256: a device'
+ SUP top STRUCTURAL
+ MUST cn
+ MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )
+
+objectclass ( 2.5.6.15 NAME 'strongAuthenticationUser'
+ DESC 'RFC2256: a strong authentication user'
+ SUP top AUXILIARY
+ MUST userCertificate )
+
+objectclass ( 2.5.6.16 NAME 'certificationAuthority'
+ DESC 'RFC2256: a certificate authority'
+ SUP top AUXILIARY
+ MUST ( authorityRevocationList $ certificateRevocationList $
+ cACertificate ) MAY crossCertificatePair )
+
+objectclass ( 2.5.6.17 NAME 'groupOfUniqueNames'
+ DESC 'RFC2256: a group of unique names (DN and Unique Identifier)'
+ SUP top STRUCTURAL
+ MUST ( uniqueMember $ cn )
+ MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
+
+objectclass ( 2.5.6.18 NAME 'userSecurityInformation'
+ DESC 'RFC2256: a user security information'
+ SUP top AUXILIARY
+ MAY ( supportedAlgorithms ) )
+
+objectclass ( 2.5.6.16.2 NAME 'certificationAuthority-V2'
+ SUP certificationAuthority
+ AUXILIARY MAY ( deltaRevocationList ) )
+
+objectclass ( 2.5.6.19 NAME 'cRLDistributionPoint'
+ SUP top STRUCTURAL
+ MUST ( cn )
+ MAY ( certificateRevocationList $ authorityRevocationList $
+ deltaRevocationList ) )
+
+objectclass ( 2.5.6.20 NAME 'dmd'
+ SUP top STRUCTURAL
+ MUST ( dmdName )
+ MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
+ x121Address $ registeredAddress $ destinationIndicator $
+ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
+ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
+ street $ postOfficeBox $ postalCode $ postalAddress $
+ physicalDeliveryOfficeName $ st $ l $ description ) )
+
+#
+# Object Classes from RFC 2587
+#
+objectclass ( 2.5.6.21 NAME 'pkiUser'
+ DESC 'RFC2587: a PKI user'
+ SUP top AUXILIARY
+ MAY userCertificate )
+
+objectclass ( 2.5.6.22 NAME 'pkiCA'
+ DESC 'RFC2587: PKI certificate authority'
+ SUP top AUXILIARY
+ MAY ( authorityRevocationList $ certificateRevocationList $
+ cACertificate $ crossCertificatePair ) )
+
+objectclass ( 2.5.6.23 NAME 'deltaCRL'
+ DESC 'RFC2587: PKI user'
+ SUP top AUXILIARY
+ MAY deltaRevocationList )
+
+#
+# Standard Track URI label schema from RFC 2079
+# system schema
+#attributetype ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI'
+# DESC 'RFC2079: Uniform Resource Identifier with optional label'
+# EQUALITY caseExactMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+objectclass ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject'
+ DESC 'RFC2079: object that contains the URI attribute type'
+ SUP top AUXILIARY
+ MAY ( labeledURI ) )
+
+#
+# Derived from RFC 1274, but with new "short names"
+#
+#attributetype ( 0.9.2342.19200300.100.1.1
+# NAME ( 'uid' 'userid' )
+# DESC 'RFC1274: user identifier'
+# EQUALITY caseIgnoreMatch
+# SUBSTR caseIgnoreSubstringsMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+attributetype ( 0.9.2342.19200300.100.1.3
+ NAME ( 'mail' 'rfc822Mailbox' )
+ DESC 'RFC1274: RFC822 Mailbox'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+
+objectclass ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject'
+ DESC 'RFC1274: simple security object'
+ SUP top AUXILIARY
+ MUST userPassword )
+
+# RFC 1274 + RFC 2247
+attributetype ( 0.9.2342.19200300.100.1.25
+ NAME ( 'dc' 'domainComponent' )
+ DESC 'RFC1274/2247: domain component'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+# RFC 2247
+objectclass ( 1.3.6.1.4.1.1466.344 NAME 'dcObject'
+ DESC 'RFC2247: domain component object'
+ SUP top AUXILIARY MUST dc )
+
+# RFC 2377
+objectclass ( 1.3.6.1.1.3.1 NAME 'uidObject'
+ DESC 'RFC2377: uid object'
+ SUP top AUXILIARY MUST uid )
+
+# RFC 4524
+# The 'associatedDomain' attribute specifies DNS [RFC1034][RFC2181]
+# host names [RFC1123] that are associated with an object. That is,
+# values of this attribute should conform to the following ABNF:
+#
+# domain = root / label *( DOT label )
+# root = SPACE
+# label = LETDIG [ *61( LETDIG / HYPHEN ) LETDIG ]
+# LETDIG = %x30-39 / %x41-5A / %x61-7A ; "0" - "9" / "A"-"Z" / "a"-"z"
+# SPACE = %x20 ; space (" ")
+# HYPHEN = %x2D ; hyphen ("-")
+# DOT = %x2E ; period (".")
+attributetype ( 0.9.2342.19200300.100.1.37
+ NAME 'associatedDomain'
+ DESC 'RFC1274: domain associated with object'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+# RFC 2459 -- deprecated in favor of 'mail' (in cosine.schema)
+attributetype ( 1.2.840.113549.1.9.1
+ NAME ( 'email' 'emailAddress' 'pkcs9email' )
+ DESC 'RFC3280: legacy attribute for email addresses in DNs'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
+
Copied: openldap/trunk/servers/slapd/schema/cosine.schema (from rev 1148, openldap/vendor/openldap-2.4.10/servers/slapd/schema/cosine.schema)
===================================================================
--- openldap/trunk/servers/slapd/schema/cosine.schema (rev 0)
+++ openldap/trunk/servers/slapd/schema/cosine.schema 2008-06-28 15:17:20 UTC (rev 1149)
@@ -0,0 +1,2571 @@
+# RFC1274: Cosine and Internet X.500 schema
+# $OpenLDAP: pkg/ldap/servers/slapd/schema/cosine.schema,v 1.23.2.3 2008/02/11 23:26:49 kurt Exp $
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2008 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+#
+# RFC1274: Cosine and Internet X.500 schema
+#
+# This file contains LDAPv3 schema derived from X.500 COSINE "pilot"
+# schema. As this schema was defined for X.500(89), some
+# oddities were introduced in the mapping to LDAPv3. The
+# mappings were based upon: draft-ietf-asid-ldapv3-attributes-03.txt
+# (a work in progress)
+#
+# Note: It seems that the pilot schema evolved beyond what was
+# described in RFC1274. However, this document attempts to describes
+# RFC1274 as published.
+#
+# Depends on core.schema
+
+
+# Network Working Group P. Barker
+# Request for Comments: 1274 S. Kille
+# University College London
+# November 1991
+#
+# The COSINE and Internet X.500 Schema
+#
+# [trimmed]
+#
+# Abstract
+#
+# This document suggests an X.500 Directory Schema, or Naming
+# Architecture, for use in the COSINE and Internet X.500 pilots. The
+# schema is independent of any specific implementation. As well as
+# indicating support for the standard object classes and attributes, a
+# large number of generally useful object classes and attributes are
+# also defined. An appendix to this document includes a machine
+# processable version of the schema.
+#
+# [trimmed]
+
+# 7. Object Identifiers
+#
+# Some additional object identifiers are defined for this schema.
+# These are also reproduced in Appendix C.
+#
+# data OBJECT IDENTIFIER ::= {ccitt 9}
+# pss OBJECT IDENTIFIER ::= {data 2342}
+# ucl OBJECT IDENTIFIER ::= {pss 19200300}
+# pilot OBJECT IDENTIFIER ::= {ucl 100}
+#
+# pilotAttributeType OBJECT IDENTIFIER ::= {pilot 1}
+# pilotAttributeSyntax OBJECT IDENTIFIER ::= {pilot 3}
+# pilotObjectClass OBJECT IDENTIFIER ::= {pilot 4}
+# pilotGroups OBJECT IDENTIFIER ::= {pilot 10}
+#
+# iA5StringSyntax OBJECT IDENTIFIER ::= {pilotAttributeSyntax 4}
+# caseIgnoreIA5StringSyntax OBJECT IDENTIFIER ::=
+# {pilotAttributeSyntax 5}
+#
+# 8. Object Classes
+# [relocated after 9]
+
+#
+# 9. Attribute Types
+#
+# 9.1. X.500 standard attribute types
+#
+# A number of generally useful attribute types are defined in X.520,
+# and these are supported. Refer to that document for descriptions of
+# the suggested usage of these attribute types. The ASN.1 for these
+# attribute types is reproduced for completeness in Appendix C.
+#
+# 9.2. X.400 standard attribute types
+#
+# The standard X.400 attribute types are supported. See X.402 for full
+# details. The ASN.1 for these attribute types is reproduced in
+# Appendix C.
+#
+# 9.3. COSINE/Internet attribute types
+#
+# This section describes all the attribute types defined for use in the
+# COSINE and Internet pilots. Descriptions are given as to the
+# suggested usage of these attribute types. The ASN.1 for these
+# attribute types is reproduced in Appendix C.
+#
+# 9.3.1. Userid
+#
+# The Userid attribute type specifies a computer system login name.
+#
+# userid ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-user-identifier))
+# ::= {pilotAttributeType 1}
+#
+#(in core.schema)
+##attributetype ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' )
+## EQUALITY caseIgnoreMatch
+## SUBSTR caseIgnoreSubstringsMatch
+## SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+# 9.3.2. Text Encoded O/R Address
+#
+# The Text Encoded O/R Address attribute type specifies a text encoding
+# of an X.400 O/R address, as specified in RFC 987. The use of this
+# attribute is deprecated as the attribute is intended for interim use
+# only. This attribute will be the first candidate for the attribute
+# expiry mechanisms!
+#
+# textEncodedORAddress ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-text-encoded-or-address))
+# ::= {pilotAttributeType 2}
+#
+attributetype ( 0.9.2342.19200300.100.1.2 NAME 'textEncodedORAddress'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+# 9.3.3. RFC 822 Mailbox
+#
+# The RFC822 Mailbox attribute type specifies an electronic mailbox
+# attribute following the syntax specified in RFC 822. Note that this
+# attribute should not be used for greybook or other non-Internet order
+# mailboxes.
+#
+# rfc822Mailbox ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreIA5StringSyntax
+# (SIZE (1 .. ub-rfc822-mailbox))
+# ::= {pilotAttributeType 3}
+#
+#(in core.schema)
+##attributetype ( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbox' )
+## EQUALITY caseIgnoreIA5Match
+## SUBSTR caseIgnoreIA5SubstringsMatch
+## SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+
+# 9.3.4. Information
+#
+# The Information attribute type specifies any general information
+# pertinent to an object. It is recommended that specific usage of
+# this attribute type is avoided, and that specific requirements are
+# met by other (possibly additional) attribute types.
+#
+# info ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-information))
+# ::= {pilotAttributeType 4}
+#
+attributetype ( 0.9.2342.19200300.100.1.4 NAME 'info'
+ DESC 'RFC1274: general information'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{2048} )
+
+
+# 9.3.5. Favourite Drink
+#
+# The Favourite Drink attribute type specifies the favourite drink of
+# an object (or person).
+#
+# favouriteDrink ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-favourite-drink))
+# ::= {pilotAttributeType 5}
+#
+attributetype ( 0.9.2342.19200300.100.1.5
+ NAME ( 'drink' 'favouriteDrink' )
+ DESC 'RFC1274: favorite drink'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+# 9.3.6. Room Number
+#
+# The Room Number attribute type specifies the room number of an
+# object. Note that the commonName attribute should be used for naming
+# room objects.
+#
+# roomNumber ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-room-number))
+# ::= {pilotAttributeType 6}
+#
+attributetype ( 0.9.2342.19200300.100.1.6 NAME 'roomNumber'
+ DESC 'RFC1274: room number'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+# 9.3.7. Photo
+#
+# The Photo attribute type specifies a "photograph" for an object.
+# This should be encoded in G3 fax as explained in recommendation T.4,
+# with an ASN.1 wrapper to make it compatible with an X.400 BodyPart as
+# defined in X.420.
+#
+# IMPORT G3FacsimileBodyPart FROM { mhs-motis ipms modules
+# information-objects }
+#
+# photo ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# CHOICE {
+# g3-facsimile [3] G3FacsimileBodyPart
+# }
+# (SIZE (1 .. ub-photo))
+# ::= {pilotAttributeType 7}
+#
+attributetype ( 0.9.2342.19200300.100.1.7 NAME 'photo'
+ DESC 'RFC1274: photo (G3 fax)'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.23{25000} )
+
+# 9.3.8. User Class
+#
+# The User Class attribute type specifies a category of computer user.
+# The semantics placed on this attribute are for local interpretation.
+# Examples of current usage od this attribute in academia are
+# undergraduate student, researcher, lecturer, etc. Note that the
+# organizationalStatus attribute may now often be preferred as it makes
+# no distinction between computer users and others.
+#
+# userClass ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-user-class))
+# ::= {pilotAttributeType 8}
+#
+attributetype ( 0.9.2342.19200300.100.1.8 NAME 'userClass'
+ DESC 'RFC1274: category of user'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+# 9.3.9. Host
+#
+# The Host attribute type specifies a host computer.
+#
+# host ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-host))
+# ::= {pilotAttributeType 9}
+#
+attributetype ( 0.9.2342.19200300.100.1.9 NAME 'host'
+ DESC 'RFC1274: host computer'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+# 9.3.10. Manager
+#
+# The Manager attribute type specifies the manager of an object
+# represented by an entry.
+#
+# manager ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# distinguishedNameSyntax
+# ::= {pilotAttributeType 10}
+#
+attributetype ( 0.9.2342.19200300.100.1.10 NAME 'manager'
+ DESC 'RFC1274: DN of manager'
+ EQUALITY distinguishedNameMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+
+# 9.3.11. Document Identifier
+#
+# The Document Identifier attribute type specifies a unique identifier
+# for a document.
+#
+# documentIdentifier ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-document-identifier))
+# ::= {pilotAttributeType 11}
+#
+attributetype ( 0.9.2342.19200300.100.1.11 NAME 'documentIdentifier'
+ DESC 'RFC1274: unique identifier of document'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+# 9.3.12. Document Title
+#
+# The Document Title attribute type specifies the title of a document.
+#
+# documentTitle ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-document-title))
+# ::= {pilotAttributeType 12}
+#
+attributetype ( 0.9.2342.19200300.100.1.12 NAME 'documentTitle'
+ DESC 'RFC1274: title of document'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+# 9.3.13. Document Version
+#
+# The Document Version attribute type specifies the version number of a
+# document.
+#
+# documentVersion ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-document-version))
+# ::= {pilotAttributeType 13}
+#
+attributetype ( 0.9.2342.19200300.100.1.13 NAME 'documentVersion'
+ DESC 'RFC1274: version of document'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+# 9.3.14. Document Author
+#
+# The Document Author attribute type specifies the distinguished name
+# of the author of a document.
+#
+# documentAuthor ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# distinguishedNameSyntax
+# ::= {pilotAttributeType 14}
+#
+attributetype ( 0.9.2342.19200300.100.1.14 NAME 'documentAuthor'
+ DESC 'RFC1274: DN of author of document'
+ EQUALITY distinguishedNameMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+
+# 9.3.15. Document Location
+#
+# The Document Location attribute type specifies the location of the
+# document original.
+#
+# documentLocation ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-document-location))
+# ::= {pilotAttributeType 15}
+#
+attributetype ( 0.9.2342.19200300.100.1.15 NAME 'documentLocation'
+ DESC 'RFC1274: location of document original'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+# 9.3.16. Home Telephone Number
+#
+# The Home Telephone Number attribute type specifies a home telephone
+# number associated with a person. Attribute values should follow the
+# agreed format for international telephone numbers: i.e., "+44 71 123
+# 4567".
+#
+# homeTelephoneNumber ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# telephoneNumberSyntax
+# ::= {pilotAttributeType 20}
+#
+attributetype ( 0.9.2342.19200300.100.1.20
+ NAME ( 'homePhone' 'homeTelephoneNumber' )
+ DESC 'RFC1274: home telephone number'
+ EQUALITY telephoneNumberMatch
+ SUBSTR telephoneNumberSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
+
+# 9.3.17. Secretary
+#
+# The Secretary attribute type specifies the secretary of a person.
+# The attribute value for Secretary is a distinguished name.
+#
+# secretary ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# distinguishedNameSyntax
+# ::= {pilotAttributeType 21}
+#
+attributetype ( 0.9.2342.19200300.100.1.21 NAME 'secretary'
+ DESC 'RFC1274: DN of secretary'
+ EQUALITY distinguishedNameMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+
+# 9.3.18. Other Mailbox
+#
+# The Other Mailbox attribute type specifies values for electronic
+# mailbox types other than X.400 and rfc822.
+#
+# otherMailbox ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# SEQUENCE {
+# mailboxType PrintableString, -- e.g. Telemail
+# mailbox IA5String -- e.g. X378:Joe
+# }
+# ::= {pilotAttributeType 22}
+#
+attributetype ( 0.9.2342.19200300.100.1.22 NAME 'otherMailbox'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.39 )
+
+# 9.3.19. Last Modified Time
+#
+# The Last Modified Time attribute type specifies the last time, in UTC
+# time, that an entry was modified. Ideally, this attribute should be
+# maintained by the DSA.
+#
+# lastModifiedTime ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# uTCTimeSyntax
+# ::= {pilotAttributeType 23}
+#
+## Deprecated in favor of modifyTimeStamp
+#attributetype ( 0.9.2342.19200300.100.1.23 NAME 'lastModifiedTime'
+# DESC 'RFC1274: time of last modify, replaced by modifyTimestamp'
+# OBSOLETE
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.53
+# USAGE directoryOperation )
+
+# 9.3.20. Last Modified By
+#
+# The Last Modified By attribute specifies the distinguished name of
+# the last user to modify the associated entry. Ideally, this
+# attribute should be maintained by the DSA.
+#
+# lastModifiedBy ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# distinguishedNameSyntax
+# ::= {pilotAttributeType 24}
+#
+## Deprecated in favor of modifiersName
+#attributetype ( 0.9.2342.19200300.100.1.24 NAME 'lastModifiedBy'
+# DESC 'RFC1274: last modifier, replaced by modifiersName'
+# OBSOLETE
+# EQUALITY distinguishedNameMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
+# USAGE directoryOperation )
+
+# 9.3.21. Domain Component
+#
+# The Domain Component attribute type specifies a DNS/NRS domain. For
+# example, "uk" or "ac".
+#
+# domainComponent ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreIA5StringSyntax
+# SINGLE VALUE
+# ::= {pilotAttributeType 25}
+#
+##(in core.schema)
+##attributetype ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domainComponent' )
+## EQUALITY caseIgnoreIA5Match
+## SUBSTR caseIgnoreIA5SubstringsMatch
+## SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+# 9.3.22. DNS ARecord
+#
+# The A Record attribute type specifies a type A (Address) DNS resource
+# record [6] [7].
+#
+# aRecord ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# DNSRecordSyntax
+# ::= {pilotAttributeType 26}
+#
+## incorrect syntax?
+attributetype ( 0.9.2342.19200300.100.1.26 NAME 'aRecord'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+## missing from RFC1274
+## incorrect syntax?
+attributetype ( 0.9.2342.19200300.100.1.27 NAME 'mDRecord'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+# 9.3.23. MX Record
+#
+# The MX Record attribute type specifies a type MX (Mail Exchange) DNS
+# resource record [6] [7].
+#
+# mXRecord ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# DNSRecordSyntax
+# ::= {pilotAttributeType 28}
+#
+## incorrect syntax!!
+attributetype ( 0.9.2342.19200300.100.1.28 NAME 'mXRecord'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+# 9.3.24. NS Record
+#
+# The NS Record attribute type specifies an NS (Name Server) DNS
+# resource record [6] [7].
+#
+# nSRecord ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# DNSRecordSyntax
+# ::= {pilotAttributeType 29}
+#
+## incorrect syntax!!
+attributetype ( 0.9.2342.19200300.100.1.29 NAME 'nSRecord'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+# 9.3.25. SOA Record
+#
+# The SOA Record attribute type specifies a type SOA (Start of
+# Authority) DNS resorce record [6] [7].
+#
+# sOARecord ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# DNSRecordSyntax
+# ::= {pilotAttributeType 30}
+#
+## incorrect syntax!!
+attributetype ( 0.9.2342.19200300.100.1.30 NAME 'sOARecord'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+# 9.3.26. CNAME Record
+#
+# The CNAME Record attribute type specifies a type CNAME (Canonical
+# Name) DNS resource record [6] [7].
+#
+# cNAMERecord ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# iA5StringSyntax
+# ::= {pilotAttributeType 31}
+#
+## incorrect syntax!!
+attributetype ( 0.9.2342.19200300.100.1.31 NAME 'cNAMERecord'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+# 9.3.27. Associated Domain
+#
+# The Associated Domain attribute type specifies a DNS or NRS domain
+# which is associated with an object in the DIT. For example, the entry
+# in the DIT with a distinguished name "C=GB, O=University College
+# London" would have an associated domain of "UCL.AC.UK. Note that all
+# domains should be represented in rfc822 order. See [3] for more
+# details of usage of this attribute.
+#
+# associatedDomain ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreIA5StringSyntax
+# ::= {pilotAttributeType 37}
+#
+#attributetype ( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain'
+# EQUALITY caseIgnoreIA5Match
+# SUBSTR caseIgnoreIA5SubstringsMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+# 9.3.28. Associated Name
+#
+# The Associated Name attribute type specifies an entry in the
+# organisational DIT associated with a DNS/NRS domain. See [3] for
+# more details of usage of this attribute.
+#
+# associatedName ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# distinguishedNameSyntax
+# ::= {pilotAttributeType 38}
+#
+attributetype ( 0.9.2342.19200300.100.1.38 NAME 'associatedName'
+ DESC 'RFC1274: DN of entry associated with domain'
+ EQUALITY distinguishedNameMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+
+# 9.3.29. Home postal address
+#
+# The Home postal address attribute type specifies a home postal
+# address for an object. This should be limited to up to 6 lines of 30
+# characters each.
+#
+# homePostalAddress ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# postalAddress
+# MATCHES FOR EQUALITY
+# ::= {pilotAttributeType 39}
+#
+attributetype ( 0.9.2342.19200300.100.1.39 NAME 'homePostalAddress'
+ DESC 'RFC1274: home postal address'
+ EQUALITY caseIgnoreListMatch
+ SUBSTR caseIgnoreListSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
+
+# 9.3.30. Personal Title
+#
+# The Personal Title attribute type specifies a personal title for a
+# person. Examples of personal titles are "Ms", "Dr", "Prof" and "Rev".
+#
+# personalTitle ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-personal-title))
+# ::= {pilotAttributeType 40}
+#
+attributetype ( 0.9.2342.19200300.100.1.40 NAME 'personalTitle'
+ DESC 'RFC1274: personal title'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+# 9.3.31. Mobile Telephone Number
+#
+# The Mobile Telephone Number attribute type specifies a mobile
+# telephone number associated with a person. Attribute values should
+# follow the agreed format for international telephone numbers: i.e.,
+# "+44 71 123 4567".
+#
+# mobileTelephoneNumber ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# telephoneNumberSyntax
+# ::= {pilotAttributeType 41}
+#
+attributetype ( 0.9.2342.19200300.100.1.41
+ NAME ( 'mobile' 'mobileTelephoneNumber' )
+ DESC 'RFC1274: mobile telephone number'
+ EQUALITY telephoneNumberMatch
+ SUBSTR telephoneNumberSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
+
+# 9.3.32. Pager Telephone Number
+#
+# The Pager Telephone Number attribute type specifies a pager telephone
+# number for an object. Attribute values should follow the agreed
+# format for international telephone numbers: i.e., "+44 71 123 4567".
+#
+# pagerTelephoneNumber ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# telephoneNumberSyntax
+# ::= {pilotAttributeType 42}
+#
+attributetype ( 0.9.2342.19200300.100.1.42
+ NAME ( 'pager' 'pagerTelephoneNumber' )
+ DESC 'RFC1274: pager telephone number'
+ EQUALITY telephoneNumberMatch
+ SUBSTR telephoneNumberSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
+
+# 9.3.33. Friendly Country Name
+#
+# The Friendly Country Name attribute type specifies names of countries
+# in human readable format. The standard attribute country name must
+# be one of the two-letter codes defined in ISO 3166.
+#
+# friendlyCountryName ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# ::= {pilotAttributeType 43}
+#
+attributetype ( 0.9.2342.19200300.100.1.43
+ NAME ( 'co' 'friendlyCountryName' )
+ DESC 'RFC1274: friendly country name'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+# 9.3.34. Unique Identifier
+#
+# The Unique Identifier attribute type specifies a "unique identifier"
+# for an object represented in the Directory. The domain within which
+# the identifier is unique, and the exact semantics of the identifier,
+# are for local definition. For a person, this might be an
+# institution-wide payroll number. For an organisational unit, it
+# might be a department code.
+#
+# uniqueIdentifier ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-unique-identifier))
+# ::= {pilotAttributeType 44}
+#
+attributetype ( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier'
+ DESC 'RFC1274: unique identifer'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+# 9.3.35. Organisational Status
+#
+# The Organisational Status attribute type specifies a category by
+# which a person is often referred to in an organisation. Examples of
+# usage in academia might include undergraduate student, researcher,
+# lecturer, etc.
+#
+# A Directory administrator should probably consider carefully the
+# distinctions between this and the title and userClass attributes.
+#
+# organizationalStatus ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-organizational-status))
+# ::= {pilotAttributeType 45}
+#
+attributetype ( 0.9.2342.19200300.100.1.45 NAME 'organizationalStatus'
+ DESC 'RFC1274: organizational status'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+# 9.3.36. Janet Mailbox
+#
+# The Janet Mailbox attribute type specifies an electronic mailbox
+# attribute following the syntax specified in the Grey Book of the
+# Coloured Book series. This attribute is intended for the convenience
+# of U.K users unfamiliar with rfc822 and little-endian mail addresses.
+# Entries using this attribute MUST also include an rfc822Mailbox
+# attribute.
+#
+# janetMailbox ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreIA5StringSyntax
+# (SIZE (1 .. ub-janet-mailbox))
+# ::= {pilotAttributeType 46}
+#
+attributetype ( 0.9.2342.19200300.100.1.46 NAME 'janetMailbox'
+ DESC 'RFC1274: Janet mailbox'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+
+# 9.3.37. Mail Preference Option
+#
+# An attribute to allow users to indicate a preference for inclusion of
+# their names on mailing lists (electronic or physical). The absence
+# of such an attribute should be interpreted as if the attribute was
+# present with value "no-list-inclusion". This attribute should be
+# interpreted by anyone using the directory to derive mailing lists,
+# and its value respected.
+#
+# mailPreferenceOption ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX ENUMERATED {
+# no-list-inclusion(0),
+# any-list-inclusion(1), -- may be added to any lists
+# professional-list-inclusion(2)
+# -- may be added to lists
+# -- which the list provider
+# -- views as related to the
+# -- users professional inter-
+# -- ests, perhaps evaluated
+# -- from the business of the
+# -- organisation or keywords
+# -- in the entry.
+# }
+# ::= {pilotAttributeType 47}
+#
+attributetype ( 0.9.2342.19200300.100.1.47
+ NAME 'mailPreferenceOption'
+ DESC 'RFC1274: mail preference option'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+# 9.3.38. Building Name
+#
+# The Building Name attribute type specifies the name of the building
+# where an organisation or organisational unit is based.
+#
+# buildingName ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-building-name))
+# ::= {pilotAttributeType 48}
+#
+attributetype ( 0.9.2342.19200300.100.1.48 NAME 'buildingName'
+ DESC 'RFC1274: name of building'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+# 9.3.39. DSA Quality
+#
+# The DSA Quality attribute type specifies the purported quality of a
+# DSA. It allows a DSA manager to indicate the expected level of
+# availability of the DSA. See [8] for details of the syntax.
+#
+# dSAQuality ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX DSAQualitySyntax
+# SINGLE VALUE
+# ::= {pilotAttributeType 49}
+#
+attributetype ( 0.9.2342.19200300.100.1.49 NAME 'dSAQuality'
+ DESC 'RFC1274: DSA Quality'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.19 SINGLE-VALUE )
+
+# 9.3.40. Single Level Quality
+#
+# The Single Level Quality attribute type specifies the purported data
+# quality at the level immediately below in the DIT. See [8] for
+# details of the syntax.
+#
+# singleLevelQuality ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX DataQualitySyntax
+# SINGLE VALUE
+# ::= {pilotAttributeType 50}
+#
+attributetype ( 0.9.2342.19200300.100.1.50 NAME 'singleLevelQuality'
+ DESC 'RFC1274: Single Level Quality'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.13 SINGLE-VALUE )
+
+# 9.3.41. Subtree Minimum Quality
+#
+# The Subtree Minimum Quality attribute type specifies the purported
+# minimum data quality for a DIT subtree. See [8] for more discussion
+# and details of the syntax.
+#
+# subtreeMinimumQuality ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX DataQualitySyntax
+# SINGLE VALUE
+# -- Defaults to singleLevelQuality
+# ::= {pilotAttributeType 51}
+#
+attributetype ( 0.9.2342.19200300.100.1.51 NAME 'subtreeMinimumQuality'
+ DESC 'RFC1274: Subtree Mininum Quality'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.13 SINGLE-VALUE )
+
+# 9.3.42. Subtree Maximum Quality
+#
+# The Subtree Maximum Quality attribute type specifies the purported
+# maximum data quality for a DIT subtree. See [8] for more discussion
+# and details of the syntax.
+#
+# subtreeMaximumQuality ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX DataQualitySyntax
+# SINGLE VALUE
+# -- Defaults to singleLevelQuality
+# ::= {pilotAttributeType 52}
+#
+attributetype ( 0.9.2342.19200300.100.1.52 NAME 'subtreeMaximumQuality'
+ DESC 'RFC1274: Subtree Maximun Quality'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.13 SINGLE-VALUE )
+
+# 9.3.43. Personal Signature
+#
+# The Personal Signature attribute type allows for a representation of
+# a person's signature. This should be encoded in G3 fax as explained
+# in recommendation T.4, with an ASN.1 wrapper to make it compatible
+# with an X.400 BodyPart as defined in X.420.
+#
+# IMPORT G3FacsimileBodyPart FROM { mhs-motis ipms modules
+# information-objects }
+#
+# personalSignature ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# CHOICE {
+# g3-facsimile [3] G3FacsimileBodyPart
+# }
+# (SIZE (1 .. ub-personal-signature))
+# ::= {pilotAttributeType 53}
+#
+attributetype ( 0.9.2342.19200300.100.1.53 NAME 'personalSignature'
+ DESC 'RFC1274: Personal Signature (G3 fax)'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.23 )
+
+# 9.3.44. DIT Redirect
+#
+# The DIT Redirect attribute type is used to indicate that the object
+# described by one entry now has a newer entry in the DIT. The entry
+# containing the redirection attribute should be expired after a
+# suitable grace period. This attribute may be used when an individual
+# changes his/her place of work, and thus acquires a new organisational
+# DN.
+#
+# dITRedirect ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# distinguishedNameSyntax
+# ::= {pilotAttributeType 54}
+#
+attributetype ( 0.9.2342.19200300.100.1.54 NAME 'dITRedirect'
+ DESC 'RFC1274: DIT Redirect'
+ EQUALITY distinguishedNameMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+
+# 9.3.45. Audio
+#
+# The Audio attribute type allows the storing of sounds in the
+# Directory. The attribute uses a u-law encoded sound file as used by
+# the "play" utility on a Sun 4. This is an interim format.
+#
+# audio ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# Audio
+# (SIZE (1 .. ub-audio))
+# ::= {pilotAttributeType 55}
+#
+attributetype ( 0.9.2342.19200300.100.1.55 NAME 'audio'
+ DESC 'RFC1274: audio (u-law)'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.4{25000} )
+
+# 9.3.46. Publisher of Document
+#
+#
+# The Publisher of Document attribute is the person and/or organization
+# that published a document.
+#
+# documentPublisher ATTRIBUTE
+# WITH ATTRIBUTE SYNTAX caseIgnoreStringSyntax
+# ::= {pilotAttributeType 56}
+#
+attributetype ( 0.9.2342.19200300.100.1.56 NAME 'documentPublisher'
+ DESC 'RFC1274: publisher of document'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+# 9.4. Generally useful syntaxes
+#
+# caseIgnoreIA5StringSyntax ATTRIBUTE-SYNTAX
+# IA5String
+# MATCHES FOR EQUALITY SUBSTRINGS
+#
+# iA5StringSyntax ATTRIBUTE-SYNTAX
+# IA5String
+# MATCHES FOR EQUALITY SUBSTRINGS
+#
+#
+# -- Syntaxes to support the DNS attributes
+#
+# DNSRecordSyntax ATTRIBUTE-SYNTAX
+# IA5String
+# MATCHES FOR EQUALITY
+#
+#
+# NRSInformationSyntax ATTRIBUTE-SYNTAX
+# NRSInformation
+# MATCHES FOR EQUALITY
+#
+#
+# NRSInformation ::= SET {
+# [0] Context,
+# [1] Address-space-id,
+# routes [2] SEQUENCE OF SEQUENCE {
+# Route-cost,
+# Addressing-info }
+# }
+#
+#
+# 9.5. Upper bounds on length of attribute values
+#
+#
+# ub-document-identifier INTEGER ::= 256
+#
+# ub-document-location INTEGER ::= 256
+#
+# ub-document-title INTEGER ::= 256
+#
+# ub-document-version INTEGER ::= 256
+#
+# ub-favourite-drink INTEGER ::= 256
+#
+# ub-host INTEGER ::= 256
+#
+# ub-information INTEGER ::= 2048
+#
+# ub-unique-identifier INTEGER ::= 256
+#
+# ub-personal-title INTEGER ::= 256
+#
+# ub-photo INTEGER ::= 250000
+#
+# ub-rfc822-mailbox INTEGER ::= 256
+#
+# ub-room-number INTEGER ::= 256
+#
+# ub-text-or-address INTEGER ::= 256
+#
+# ub-user-class INTEGER ::= 256
+#
+# ub-user-identifier INTEGER ::= 256
+#
+# ub-organizational-status INTEGER ::= 256
+#
+# ub-janet-mailbox INTEGER ::= 256
+#
+# ub-building-name INTEGER ::= 256
+#
+# ub-personal-signature ::= 50000
+#
+# ub-audio INTEGER ::= 250000
+#
+
+# [back to 8]
+# 8. Object Classes
+#
+# 8.1. X.500 standard object classes
+#
+# A number of generally useful object classes are defined in X.521, and
+# these are supported. Refer to that document for descriptions of the
+# suggested usage of these object classes. The ASN.1 for these object
+# classes is reproduced for completeness in Appendix C.
+#
+# 8.2. X.400 standard object classes
+#
+# A number of object classes defined in X.400 are supported. Refer to
+# X.402 for descriptions of the usage of these object classes. The
+# ASN.1 for these object classes is reproduced for completeness in
+# Appendix C.
+#
+# 8.3. COSINE/Internet object classes
+#
+# This section attempts to fuse together the object classes designed
+# for use in the COSINE and Internet pilot activities. Descriptions
+# are given of the suggested usage of these object classes. The ASN.1
+# for these object classes is also reproduced in Appendix C.
+#
+# 8.3.1. Pilot Object
+#
+# The PilotObject object class is used as a sub-class to allow some
+# common, useful attributes to be assigned to entries of all other
+# object classes.
+#
+# pilotObject OBJECT-CLASS
+# SUBCLASS OF top
+# MAY CONTAIN {
+# info,
+# photo,
+# manager,
+# uniqueIdentifier,
+# lastModifiedTime,
+# lastModifiedBy,
+# dITRedirect,
+# audio}
+# ::= {pilotObjectClass 3}
+#
+#objectclass ( 0.9.2342.19200300.100.4.3 NAME 'pilotObject'
+# DESC 'RFC1274: pilot object'
+# SUP top AUXILIARY
+# MAY ( info $ photo $ manager $ uniqueIdentifier $
+# lastModifiedTime $ lastModifiedBy $ dITRedirect $ audio )
+# )
+
+# 8.3.2. Pilot Person
+#
+# The PilotPerson object class is used as a sub-class of person, to
+# allow the use of a number of additional attributes to be assigned to
+# entries of object class person.
+#
+# pilotPerson OBJECT-CLASS
+# SUBCLASS OF person
+# MAY CONTAIN {
+# userid,
+# textEncodedORAddress,
+# rfc822Mailbox,
+# favouriteDrink,
+# roomNumber,
+# userClass,
+# homeTelephoneNumber,
+# homePostalAddress,
+# secretary,
+# personalTitle,
+# preferredDeliveryMethod,
+# businessCategory,
+# janetMailbox,
+# otherMailbox,
+# mobileTelephoneNumber,
+# pagerTelephoneNumber,
+# organizationalStatus,
+# mailPreferenceOption,
+# personalSignature}
+# ::= {pilotObjectClass 4}
+#
+objectclass ( 0.9.2342.19200300.100.4.4
+ NAME ( 'pilotPerson' 'newPilotPerson' )
+ SUP person STRUCTURAL
+ MAY ( userid $ textEncodedORAddress $ rfc822Mailbox $
+ favouriteDrink $ roomNumber $ userClass $
+ homeTelephoneNumber $ homePostalAddress $ secretary $
+ personalTitle $ preferredDeliveryMethod $ businessCategory $
+ janetMailbox $ otherMailbox $ mobileTelephoneNumber $
+ pagerTelephoneNumber $ organizationalStatus $
+ mailPreferenceOption $ personalSignature )
+ )
+
+# 8.3.3. Account
+#
+# The Account object class is used to define entries representing
+# computer accounts. The userid attribute should be used for naming
+# entries of this object class.
+#
+# account OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# userid}
+# MAY CONTAIN {
+# description,
+# seeAlso,
+# localityName,
+# organizationName,
+# organizationalUnitName,
+# host}
+# ::= {pilotObjectClass 5}
+#
+objectclass ( 0.9.2342.19200300.100.4.5 NAME 'account'
+ SUP top STRUCTURAL
+ MUST userid
+ MAY ( description $ seeAlso $ localityName $
+ organizationName $ organizationalUnitName $ host )
+ )
+
+# 8.3.4. Document
+#
+# The Document object class is used to define entries which represent
+# documents.
+#
+# document OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# documentIdentifier}
+# MAY CONTAIN {
+# commonName,
+# description,
+# seeAlso,
+# localityName,
+# organizationName,
+# organizationalUnitName,
+# documentTitle,
+# documentVersion,
+# documentAuthor,
+# documentLocation,
+# documentPublisher}
+# ::= {pilotObjectClass 6}
+#
+objectclass ( 0.9.2342.19200300.100.4.6 NAME 'document'
+ SUP top STRUCTURAL
+ MUST documentIdentifier
+ MAY ( commonName $ description $ seeAlso $ localityName $
+ organizationName $ organizationalUnitName $
+ documentTitle $ documentVersion $ documentAuthor $
+ documentLocation $ documentPublisher )
+ )
+
+# 8.3.5. Room
+#
+# The Room object class is used to define entries representing rooms.
+# The commonName attribute should be used for naming pentries of this
+# object class.
+#
+# room OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# commonName}
+# MAY CONTAIN {
+# roomNumber,
+# description,
+# seeAlso,
+# telephoneNumber}
+# ::= {pilotObjectClass 7}
+#
+objectclass ( 0.9.2342.19200300.100.4.7 NAME 'room'
+ SUP top STRUCTURAL
+ MUST commonName
+ MAY ( roomNumber $ description $ seeAlso $ telephoneNumber )
+ )
+
+# 8.3.6. Document Series
+#
+# The Document Series object class is used to define an entry which
+# represents a series of documents (e.g., The Request For Comments
+# papers).
+#
+# documentSeries OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# commonName}
+# MAY CONTAIN {
+# description,
+# seeAlso,
+# telephoneNumber,
+# localityName,
+# organizationName,
+# organizationalUnitName}
+# ::= {pilotObjectClass 9}
+#
+objectclass ( 0.9.2342.19200300.100.4.9 NAME 'documentSeries'
+ SUP top STRUCTURAL
+ MUST commonName
+ MAY ( description $ seeAlso $ telephonenumber $
+ localityName $ organizationName $ organizationalUnitName )
+ )
+
+# 8.3.7. Domain
+#
+# The Domain object class is used to define entries which represent DNS
+# or NRS domains. The domainComponent attribute should be used for
+# naming entries of this object class. The usage of this object class
+# is described in more detail in [3].
+#
+# domain OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# domainComponent}
+# MAY CONTAIN {
+# associatedName,
+# organizationName,
+# organizationalAttributeSet}
+# ::= {pilotObjectClass 13}
+#
+objectclass ( 0.9.2342.19200300.100.4.13 NAME 'domain'
+ SUP top STRUCTURAL
+ MUST domainComponent
+ MAY ( associatedName $ organizationName $ description $
+ businessCategory $ seeAlso $ searchGuide $ userPassword $
+ localityName $ stateOrProvinceName $ streetAddress $
+ physicalDeliveryOfficeName $ postalAddress $ postalCode $
+ postOfficeBox $ streetAddress $
+ facsimileTelephoneNumber $ internationalISDNNumber $
+ telephoneNumber $ teletexTerminalIdentifier $ telexNumber $
+ preferredDeliveryMethod $ destinationIndicator $
+ registeredAddress $ x121Address )
+ )
+
+# 8.3.8. RFC822 Local Part
+#
+# The RFC822 Local Part object class is used to define entries which
+# represent the local part of RFC822 mail addresses. This treats this
+# part of an RFC822 address as a domain. The usage of this object
+# class is described in more detail in [3].
+#
+# rFC822localPart OBJECT-CLASS
+# SUBCLASS OF domain
+# MAY CONTAIN {
+# commonName,
+# surname,
+# description,
+# seeAlso,
+# telephoneNumber,
+# postalAttributeSet,
+# telecommunicationAttributeSet}
+# ::= {pilotObjectClass 14}
+#
+objectclass ( 0.9.2342.19200300.100.4.14 NAME 'RFC822localPart'
+ SUP domain STRUCTURAL
+ MAY ( commonName $ surname $ description $ seeAlso $ telephoneNumber $
+ physicalDeliveryOfficeName $ postalAddress $ postalCode $
+ postOfficeBox $ streetAddress $
+ facsimileTelephoneNumber $ internationalISDNNumber $
+ telephoneNumber $ teletexTerminalIdentifier $
+ telexNumber $ preferredDeliveryMethod $ destinationIndicator $
+ registeredAddress $ x121Address )
+ )
+
+# 8.3.9. DNS Domain
+#
+# The DNS Domain (Domain NameServer) object class is used to define
+# entries for DNS domains. The usage of this object class is described
+# in more detail in [3].
+#
+# dNSDomain OBJECT-CLASS
+# SUBCLASS OF domain
+# MAY CONTAIN {
+# ARecord,
+# MDRecord,
+# MXRecord,
+# NSRecord,
+# SOARecord,
+# CNAMERecord}
+# ::= {pilotObjectClass 15}
+#
+objectclass ( 0.9.2342.19200300.100.4.15 NAME 'dNSDomain'
+ SUP domain STRUCTURAL
+ MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $
+ SOARecord $ CNAMERecord )
+ )
+
+# 8.3.10. Domain Related Object
+#
+# The Domain Related Object object class is used to define entries
+# which represent DNS/NRS domains which are "equivalent" to an X.500
+# domain: e.g., an organisation or organisational unit. The usage of
+# this object class is described in more detail in [3].
+#
+# domainRelatedObject OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# associatedDomain}
+# ::= {pilotObjectClass 17}
+#
+objectclass ( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject'
+ DESC 'RFC1274: an object related to an domain'
+ SUP top AUXILIARY
+ MUST associatedDomain )
+
+# 8.3.11. Friendly Country
+#
+# The Friendly Country object class is used to define country entries
+# in the DIT. The object class is used to allow friendlier naming of
+# countries than that allowed by the object class country. The naming
+# attribute of object class country, countryName, has to be a 2 letter
+# string defined in ISO 3166.
+#
+# friendlyCountry OBJECT-CLASS
+# SUBCLASS OF country
+# MUST CONTAIN {
+# friendlyCountryName}
+# ::= {pilotObjectClass 18}
+#
+objectclass ( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry'
+ SUP country STRUCTURAL
+ MUST friendlyCountryName )
+
+# 8.3.12. Simple Security Object
+#
+# The Simple Security Object object class is used to allow an entry to
+# have a userPassword attribute when an entry's principal object
+# classes do not allow userPassword as an attribute type.
+#
+# simpleSecurityObject OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# userPassword }
+# ::= {pilotObjectClass 19}
+#
+## (in core.schema)
+## objectclass ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject'
+## SUP top AUXILIARY
+## MUST userPassword )
+
+# 8.3.13. Pilot Organization
+#
+# The PilotOrganization object class is used as a sub-class of
+# organization and organizationalUnit to allow a number of additional
+# attributes to be assigned to entries of object classes organization
+# and organizationalUnit.
+#
+# pilotOrganization OBJECT-CLASS
+# SUBCLASS OF organization, organizationalUnit
+# MAY CONTAIN {
+# buildingName}
+# ::= {pilotObjectClass 20}
+#
+objectclass ( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization'
+ SUP ( organization $ organizationalUnit ) STRUCTURAL
+ MAY buildingName )
+
+# 8.3.14. Pilot DSA
+#
+# The PilotDSA object class is used as a sub-class of the dsa object
+# class to allow additional attributes to be assigned to entries for
+# DSAs.
+#
+# pilotDSA OBJECT-CLASS
+# SUBCLASS OF dsa
+# MUST CONTAIN {
+# dSAQuality}
+# ::= {pilotObjectClass 21}
+#
+objectclass ( 0.9.2342.19200300.100.4.21 NAME 'pilotDSA'
+ SUP dsa STRUCTURAL
+ MAY dSAQuality )
+
+# 8.3.15. Quality Labelled Data
+#
+# The Quality Labelled Data object class is used to allow the
+# assignment of the data quality attributes to subtrees in the DIT.
+#
+# See [8] for more details.
+#
+# qualityLabelledData OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# dSAQuality}
+# MAY CONTAIN {
+# subtreeMinimumQuality,
+# subtreeMaximumQuality}
+# ::= {pilotObjectClass 22}
+objectclass ( 0.9.2342.19200300.100.4.22 NAME 'qualityLabelledData'
+ SUP top AUXILIARY
+ MUST dsaQuality
+ MAY ( subtreeMinimumQuality $ subtreeMaximumQuality )
+ )
+
+
+# References
+#
+# [1] CCITT/ISO, "X.500, The Directory - overview of concepts,
+# models and services, CCITT /ISO IS 9594.
+#
+# [2] Kille, S., "The THORN and RARE X.500 Naming Architecture, in
+# University College London, Department of Computer Science
+# Research Note 89/48, May 1989.
+#
+# [3] Kille, S., "X.500 and Domains", RFC 1279, University College
+# London, November 1991.
+#
+# [4] Rose, M., "PSI/NYSERNet White Pages Pilot Project: Status
+# Report", Technical Report 90-09-10-1, published by NYSERNet
+# Inc, 1990.
+#
+# [5] Craigie, J., "UK Academic Community Directory Service Pilot
+# Project, pp. 305-310 in Computer Networks and ISDN Systems
+# 17 (1989), published by North Holland.
+#
+# [6] Mockapetris, P., "Domain Names - Concepts and Facilities",
+# RFC 1034, USC/Information Sciences Institute, November 1987.
+#
+# [7] Mockapetris, P., "Domain Names - Implementation and
+# Specification, RFC 1035, USC/Information Sciences Institute,
+# November 1987.
+#
+# [8] Kille, S., "Handling QOS (Quality of service) in the
+# Directory," publication in process, March 1991.
+#
+#
+# APPENDIX C - Summary of all Object Classes and Attribute Types
+#
+# -- Some Important Object Identifiers
+#
+# data OBJECT IDENTIFIER ::= {ccitt 9}
+# pss OBJECT IDENTIFIER ::= {data 2342}
+# ucl OBJECT IDENTIFIER ::= {pss 19200300}
+# pilot OBJECT IDENTIFIER ::= {ucl 100}
+#
+# pilotAttributeType OBJECT IDENTIFIER ::= {pilot 1}
+# pilotAttributeSyntax OBJECT IDENTIFIER ::= {pilot 3}
+# pilotObjectClass OBJECT IDENTIFIER ::= {pilot 4}
+# pilotGroups OBJECT IDENTIFIER ::= {pilot 10}
+#
+# iA5StringSyntax OBJECT IDENTIFIER ::= {pilotAttributeSyntax 4}
+# caseIgnoreIA5StringSyntax OBJECT IDENTIFIER ::=
+# {pilotAttributeSyntax 5}
+#
+# -- Standard Object Classes
+#
+# top OBJECT-CLASS
+# MUST CONTAIN {
+# objectClass}
+# ::= {objectClass 0}
+#
+#
+# alias OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# aliasedObjectName}
+# ::= {objectClass 1}
+#
+#
+# country OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# countryName}
+# MAY CONTAIN {
+# description,
+# searchGuide}
+# ::= {objectClass 2}
+#
+#
+# locality OBJECT-CLASS
+# SUBCLASS OF top
+# MAY CONTAIN {
+# description,
+# localityName,
+# stateOrProvinceName,
+# searchGuide,
+# seeAlso,
+# streetAddress}
+# ::= {objectClass 3}
+#
+#
+# organization OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# organizationName}
+# MAY CONTAIN {
+# organizationalAttributeSet}
+# ::= {objectClass 4}
+#
+#
+# organizationalUnit OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# organizationalUnitName}
+# MAY CONTAIN {
+# organizationalAttributeSet}
+# ::= {objectClass 5}
+#
+#
+# person OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# commonName,
+# surname}
+# MAY CONTAIN {
+# description,
+# seeAlso,
+# telephoneNumber,
+# userPassword}
+# ::= {objectClass 6}
+#
+#
+# organizationalPerson OBJECT-CLASS
+# SUBCLASS OF person
+# MAY CONTAIN {
+# localeAttributeSet,
+# organizationalUnitName,
+# postalAttributeSet,
+# telecommunicationAttributeSet,
+# title}
+# ::= {objectClass 7}
+#
+#
+# organizationalRole OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# commonName}
+# MAY CONTAIN {
+# description,
+# localeAttributeSet,
+# organizationalUnitName,
+# postalAttributeSet,
+# preferredDeliveryMethod,
+# roleOccupant,
+# seeAlso,
+# telecommunicationAttributeSet}
+# ::= {objectClass 8}
+#
+#
+# groupOfNames OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# commonName,
+# member}
+# MAY CONTAIN {
+# description,
+# organizationName,
+# organizationalUnitName,
+# owner,
+# seeAlso,
+# businessCategory}
+# ::= {objectClass 9}
+#
+#
+# residentialPerson OBJECT-CLASS
+# SUBCLASS OF person
+# MUST CONTAIN {
+# localityName}
+# MAY CONTAIN {
+# localeAttributeSet,
+# postalAttributeSet,
+# preferredDeliveryMethod,
+# telecommunicationAttributeSet,
+# businessCategory}
+# ::= {objectClass 10}
+#
+#
+# applicationProcess OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# commonName}
+# MAY CONTAIN {
+# description,
+# localityName,
+# organizationalUnitName,
+# seeAlso}
+# ::= {objectClass 11}
+#
+#
+# applicationEntity OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# commonName,
+# presentationAddress}
+# MAY CONTAIN {
+# description,
+# localityName,
+# organizationName,
+# organizationalUnitName,
+# seeAlso,
+# supportedApplicationContext}
+# ::= {objectClass 12}
+#
+#
+# dSA OBJECT-CLASS
+# SUBCLASS OF applicationEntity
+# MAY CONTAIN {
+# knowledgeInformation}
+# ::= {objectClass 13}
+#
+#
+# device OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# commonName}
+# MAY CONTAIN {
+# description,
+# localityName,
+# organizationName,
+# organizationalUnitName,
+# owner,
+# seeAlso,
+# serialNumber}
+# ::= {objectClass 14}
+#
+#
+# strongAuthenticationUser OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# userCertificate}
+# ::= {objectClass 15}
+#
+#
+# certificationAuthority OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# cACertificate,
+# certificateRevocationList,
+# authorityRevocationList}
+# MAY CONTAIN {
+# crossCertificatePair}
+# ::= {objectClass 16}
+#
+# -- Standard MHS Object Classes
+#
+# mhsDistributionList OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# commonName,
+# mhsDLSubmitPermissions,
+# mhsORAddresses}
+# MAY CONTAIN {
+# description,
+# organizationName,
+# organizationalUnitName,
+# owner,
+# seeAlso,
+# mhsDeliverableContentTypes,
+# mhsdeliverableEits,
+# mhsDLMembers,
+# mhsPreferredDeliveryMethods}
+# ::= {mhsObjectClass 0}
+#
+#
+# mhsMessageStore OBJECT-CLASS
+# SUBCLASS OF applicationEntity
+# MAY CONTAIN {
+# description,
+# owner,
+# mhsSupportedOptionalAttributes,
+# mhsSupportedAutomaticActions,
+# mhsSupportedContentTypes}
+# ::= {mhsObjectClass 1}
+#
+#
+# mhsMessageTransferAgent OBJECT-CLASS
+# SUBCLASS OF applicationEntity
+# MAY CONTAIN {
+# description,
+# owner,
+# mhsDeliverableContentLength}
+# ::= {mhsObjectClass 2}
+#
+#
+# mhsOrganizationalUser OBJECT-CLASS
+# SUBCLASS OF organizationalPerson
+# MUST CONTAIN {
+# mhsORAddresses}
+# MAY CONTAIN {
+# mhsDeliverableContentLength,
+# mhsDeliverableContentTypes,
+# mhsDeliverableEits,
+# mhsMessageStoreName,
+# mhsPreferredDeliveryMethods }
+# ::= {mhsObjectClass 3}
+#
+#
+# mhsResidentialUser OBJECT-CLASS
+# SUBCLASS OF residentialPerson
+# MUST CONTAIN {
+# mhsORAddresses}
+# MAY CONTAIN {
+# mhsDeliverableContentLength,
+# mhsDeliverableContentTypes,
+# mhsDeliverableEits,
+# mhsMessageStoreName,
+# mhsPreferredDeliveryMethods }
+# ::= {mhsObjectClass 4}
+#
+#
+# mhsUserAgent OBJECT-CLASS
+# SUBCLASS OF applicationEntity
+# MAY CONTAIN {
+# mhsDeliverableContentLength,
+# mhsDeliverableContentTypes,
+# mhsDeliverableEits,
+# mhsORAddresses,
+# owner}
+# ::= {mhsObjectClass 5}
+#
+#
+#
+#
+# -- Pilot Object Classes
+#
+# pilotObject OBJECT-CLASS
+# SUBCLASS OF top
+# MAY CONTAIN {
+# info,
+# photo,
+# manager,
+# uniqueIdentifier,
+# lastModifiedTime,
+# lastModifiedBy,
+# dITRedirect,
+# audio}
+# ::= {pilotObjectClass 3}
+# pilotPerson OBJECT-CLASS
+# SUBCLASS OF person
+# MAY CONTAIN {
+# userid,
+# textEncodedORAddress,
+# rfc822Mailbox,
+# favouriteDrink,
+# roomNumber,
+# userClass,
+# homeTelephoneNumber,
+# homePostalAddress,
+# secretary,
+# personalTitle,
+# preferredDeliveryMethod,
+# businessCategory,
+# janetMailbox,
+# otherMailbox,
+# mobileTelephoneNumber,
+# pagerTelephoneNumber,
+# organizationalStatus,
+# mailPreferenceOption,
+# personalSignature}
+# ::= {pilotObjectClass 4}
+#
+#
+# account OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# userid}
+# MAY CONTAIN {
+# description,
+# seeAlso,
+# localityName,
+# organizationName,
+# organizationalUnitName,
+# host}
+# ::= {pilotObjectClass 5}
+#
+#
+# document OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# documentIdentifier}
+# MAY CONTAIN {
+# commonName,
+# description,
+# seeAlso,
+# localityName,
+# organizationName,
+# organizationalUnitName,
+# documentTitle,
+# documentVersion,
+# documentAuthor,
+# documentLocation,
+# documentPublisher}
+# ::= {pilotObjectClass 6}
+#
+#
+# room OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# commonName}
+# MAY CONTAIN {
+# roomNumber,
+# description,
+# seeAlso,
+# telephoneNumber}
+# ::= {pilotObjectClass 7}
+#
+#
+# documentSeries OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# commonName}
+# MAY CONTAIN {
+# description,
+# seeAlso,
+# telephoneNumber,
+# localityName,
+# organizationName,
+# organizationalUnitName}
+# ::= {pilotObjectClass 9}
+#
+#
+# domain OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# domainComponent}
+# MAY CONTAIN {
+# associatedName,
+# organizationName,
+# organizationalAttributeSet}
+# ::= {pilotObjectClass 13}
+#
+#
+# rFC822localPart OBJECT-CLASS
+# SUBCLASS OF domain
+# MAY CONTAIN {
+# commonName,
+# surname,
+# description,
+# seeAlso,
+# telephoneNumber,
+# postalAttributeSet,
+# telecommunicationAttributeSet}
+# ::= {pilotObjectClass 14}
+#
+#
+# dNSDomain OBJECT-CLASS
+# SUBCLASS OF domain
+# MAY CONTAIN {
+# ARecord,
+# MDRecord,
+# MXRecord,
+# NSRecord,
+# SOARecord,
+# CNAMERecord}
+# ::= {pilotObjectClass 15}
+#
+#
+# domainRelatedObject OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# associatedDomain}
+# ::= {pilotObjectClass 17}
+#
+#
+# friendlyCountry OBJECT-CLASS
+# SUBCLASS OF country
+# MUST CONTAIN {
+# friendlyCountryName}
+# ::= {pilotObjectClass 18}
+#
+#
+# simpleSecurityObject OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# userPassword }
+# ::= {pilotObjectClass 19}
+#
+#
+# pilotOrganization OBJECT-CLASS
+# SUBCLASS OF organization, organizationalUnit
+# MAY CONTAIN {
+# buildingName}
+# ::= {pilotObjectClass 20}
+#
+#
+# pilotDSA OBJECT-CLASS
+# SUBCLASS OF dsa
+# MUST CONTAIN {
+# dSAQuality}
+# ::= {pilotObjectClass 21}
+#
+#
+# qualityLabelledData OBJECT-CLASS
+# SUBCLASS OF top
+# MUST CONTAIN {
+# dSAQuality}
+# MAY CONTAIN {
+# subtreeMinimumQuality,
+# subtreeMaximumQuality}
+# ::= {pilotObjectClass 22}
+#
+#
+#
+#
+# -- Standard Attribute Types
+#
+# objectClass ObjectClass
+# ::= {attributeType 0}
+#
+#
+# aliasedObjectName AliasedObjectName
+# ::= {attributeType 1}
+#
+#
+# knowledgeInformation ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX caseIgnoreString
+# ::= {attributeType 2}
+#
+#
+# commonName ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax
+# (SIZE (1..ub-common-name))
+# ::= {attributeType 3}
+#
+#
+# surname ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax
+# (SIZE (1..ub-surname))
+# ::= {attributeType 4}
+#
+#
+# serialNumber ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX printableStringSyntax
+# (SIZE (1..ub-serial-number))
+# ::= {attributeType 5}
+#
+#
+# countryName ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX PrintableString
+# (SIZE (1..ub-country-code))
+# SINGLE VALUE
+# ::= {attributeType 6}
+#
+#
+# localityName ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax
+# (SIZE (1..ub-locality-name))
+# ::= {attributeType 7}
+#
+#
+# stateOrProvinceName ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax
+# (SIZE (1..ub-state-name))
+# ::= {attributeType 8}
+#
+#
+# streetAddress ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax
+# (SIZE (1..ub-street-address))
+# ::= {attributeType 9}
+#
+#
+# organizationName ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax
+# (SIZE (1..ub-organization-name))
+# ::= {attributeType 10}
+#
+#
+# organizationalUnitName ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax
+# (SIZE (1..ub-organizational-unit-name))
+# ::= {attributeType 11}
+#
+#
+# title ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax
+# (SIZE (1..ub-title))
+# ::= {attributeType 12}
+#
+#
+# description ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax
+# (SIZE (1..ub-description))
+# ::= {attributeType 13}
+#
+#
+# searchGuide ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX Guide
+# ::= {attributeType 14}
+#
+#
+# businessCategory ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax
+# (SIZE (1..ub-business-category))
+# ::= {attributeType 15}
+#
+#
+# postalAddress ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX PostalAddress
+# MATCHES FOR EQUALITY
+# ::= {attributeType 16}
+#
+#
+# postalCode ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax
+# (SIZE (1..ub-postal-code))
+# ::= {attributeType 17}
+#
+#
+# postOfficeBox ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax
+# (SIZE (1..ub-post-office-box))
+# ::= {attributeType 18}
+#
+#
+# physicalDeliveryOfficeName ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax
+# (SIZE (1..ub-physical-office-name))
+# ::= {attributeType 19}
+#
+#
+# telephoneNumber ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX telephoneNumberSyntax
+# (SIZE (1..ub-telephone-number))
+# ::= {attributeType 20}
+#
+#
+# telexNumber ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX TelexNumber
+# (SIZE (1..ub-telex))
+# ::= {attributeType 21}
+#
+#
+# teletexTerminalIdentifier ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX TeletexTerminalIdentifier
+# (SIZE (1..ub-teletex-terminal-id))
+# ::= {attributeType 22}
+#
+#
+# facsimileTelephoneNumber ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX FacsimileTelephoneNumber
+# ::= {attributeType 23}
+#
+#
+# x121Address ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX NumericString
+# (SIZE (1..ub-x121-address))
+# ::= {attributeType 24}
+#
+#
+# internationaliSDNNumber ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX NumericString
+# (SIZE (1..ub-isdn-address))
+# ::= {attributeType 25}
+#
+#
+# registeredAddress ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX PostalAddress
+# ::= {attributeType 26}
+#
+#
+# destinationIndicator ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX PrintableString
+# (SIZE (1..ub-destination-indicator))
+# MATCHES FOR EQUALITY SUBSTRINGS
+# ::= {attributeType 27}
+#
+#
+# preferredDeliveryMethod ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX deliveryMethod
+# ::= {attributeType 28}
+#
+#
+# presentationAddress ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX PresentationAddress
+# MATCHES FOR EQUALITY
+# ::= {attributeType 29}
+#
+#
+# supportedApplicationContext ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX objectIdentifierSyntax
+# ::= {attributeType 30}
+#
+#
+# member ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX distinguishedNameSyntax
+# ::= {attributeType 31}
+#
+#
+# owner ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX distinguishedNameSyntax
+# ::= {attributeType 32}
+#
+#
+# roleOccupant ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX distinguishedNameSyntax
+# ::= {attributeType 33}
+#
+#
+# seeAlso ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX distinguishedNameSyntax
+# ::= {attributeType 34}
+#
+#
+# userPassword ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX Userpassword
+# ::= {attributeType 35}
+#
+#
+# userCertificate ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX UserCertificate
+# ::= {attributeType 36}
+#
+#
+# cACertificate ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX cACertificate
+# ::= {attributeType 37}
+#
+#
+# authorityRevocationList ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX AuthorityRevocationList
+# ::= {attributeType 38}
+#
+#
+# certificateRevocationList ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX CertificateRevocationList
+# ::= {attributeType 39}
+#
+#
+# crossCertificatePair ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX CrossCertificatePair
+# ::= {attributeType 40}
+#
+#
+#
+#
+# -- Standard MHS Attribute Types
+#
+# mhsDeliverableContentLength ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX integer
+# ::= {mhsAttributeType 0}
+#
+#
+# mhsDeliverableContentTypes ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX oID
+# ::= {mhsAttributeType 1}
+#
+#
+# mhsDeliverableEits ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX oID
+# ::= {mhsAttributeType 2}
+#
+#
+# mhsDLMembers ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX oRName
+# ::= {mhsAttributeType 3}
+#
+#
+# mhsDLSubmitPermissions ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX dLSubmitPermission
+# ::= {mhsAttributeType 4}
+#
+#
+# mhsMessageStoreName ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX dN
+# ::= {mhsAttributeType 5}
+#
+#
+# mhsORAddresses ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX oRAddress
+# ::= {mhsAttributeType 6}
+#
+#
+# mhsPreferredDeliveryMethods ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX deliveryMethod
+# ::= {mhsAttributeType 7}
+#
+#
+# mhsSupportedAutomaticActions ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX oID
+# ::= {mhsAttributeType 8}
+#
+#
+# mhsSupportedContentTypes ATTRIBUTE
+#
+# WITH ATTRIBUTE-SYNTAX oID
+# ::= {mhsAttributeType 9}
+#
+#
+# mhsSupportedOptionalAttributes ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX oID
+# ::= {mhsAttributeType 10}
+#
+#
+#
+#
+# -- Pilot Attribute Types
+#
+# userid ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-user-identifier))
+# ::= {pilotAttributeType 1}
+#
+#
+# textEncodedORAddress ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-text-encoded-or-address))
+# ::= {pilotAttributeType 2}
+#
+#
+# rfc822Mailbox ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreIA5StringSyntax
+# (SIZE (1 .. ub-rfc822-mailbox))
+# ::= {pilotAttributeType 3}
+#
+#
+# info ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-information))
+# ::= {pilotAttributeType 4}
+#
+#
+# favouriteDrink ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-favourite-drink))
+# ::= {pilotAttributeType 5}
+#
+#
+# roomNumber ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-room-number))
+# ::= {pilotAttributeType 6}
+#
+#
+# photo ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# CHOICE {
+# g3-facsimile [3] G3FacsimileBodyPart
+# }
+# (SIZE (1 .. ub-photo))
+# ::= {pilotAttributeType 7}
+#
+#
+# userClass ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-user-class))
+# ::= {pilotAttributeType 8}
+#
+#
+# host ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-host))
+# ::= {pilotAttributeType 9}
+#
+#
+# manager ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# distinguishedNameSyntax
+# ::= {pilotAttributeType 10}
+#
+#
+# documentIdentifier ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-document-identifier))
+# ::= {pilotAttributeType 11}
+#
+#
+# documentTitle ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-document-title))
+# ::= {pilotAttributeType 12}
+#
+#
+# documentVersion ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-document-version))
+# ::= {pilotAttributeType 13}
+#
+#
+# documentAuthor ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# distinguishedNameSyntax
+# ::= {pilotAttributeType 14}
+#
+#
+# documentLocation ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-document-location))
+# ::= {pilotAttributeType 15}
+#
+#
+# homeTelephoneNumber ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# telephoneNumberSyntax
+# ::= {pilotAttributeType 20}
+#
+#
+# secretary ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# distinguishedNameSyntax
+# ::= {pilotAttributeType 21}
+#
+#
+# otherMailbox ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# SEQUENCE {
+# mailboxType PrintableString, -- e.g. Telemail
+# mailbox IA5String -- e.g. X378:Joe
+# }
+# ::= {pilotAttributeType 22}
+#
+#
+# lastModifiedTime ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# uTCTimeSyntax
+# ::= {pilotAttributeType 23}
+#
+#
+# lastModifiedBy ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# distinguishedNameSyntax
+# ::= {pilotAttributeType 24}
+#
+#
+# domainComponent ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreIA5StringSyntax
+# SINGLE VALUE
+# ::= {pilotAttributeType 25}
+#
+#
+# aRecord ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# DNSRecordSyntax
+# ::= {pilotAttributeType 26}
+#
+#
+# mXRecord ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# DNSRecordSyntax
+# ::= {pilotAttributeType 28}
+#
+#
+# nSRecord ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# DNSRecordSyntax
+# ::= {pilotAttributeType 29}
+#
+# sOARecord ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# DNSRecordSyntax
+# ::= {pilotAttributeType 30}
+#
+#
+# cNAMERecord ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# iA5StringSyntax
+# ::= {pilotAttributeType 31}
+#
+#
+# associatedDomain ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreIA5StringSyntax
+# ::= {pilotAttributeType 37}
+#
+#
+# associatedName ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# distinguishedNameSyntax
+# ::= {pilotAttributeType 38}
+#
+#
+# homePostalAddress ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# postalAddress
+# MATCHES FOR EQUALITY
+# ::= {pilotAttributeType 39}
+#
+#
+# personalTitle ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-personal-title))
+# ::= {pilotAttributeType 40}
+#
+#
+# mobileTelephoneNumber ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# telephoneNumberSyntax
+# ::= {pilotAttributeType 41}
+#
+#
+# pagerTelephoneNumber ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# telephoneNumberSyntax
+# ::= {pilotAttributeType 42}
+#
+#
+# friendlyCountryName ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# ::= {pilotAttributeType 43}
+#
+#
+# uniqueIdentifier ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-unique-identifier))
+# ::= {pilotAttributeType 44}
+#
+#
+# organizationalStatus ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-organizational-status))
+# ::= {pilotAttributeType 45}
+#
+#
+# janetMailbox ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreIA5StringSyntax
+# (SIZE (1 .. ub-janet-mailbox))
+# ::= {pilotAttributeType 46}
+#
+#
+# mailPreferenceOption ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX ENUMERATED {
+# no-list-inclusion(0),
+# any-list-inclusion(1), -- may be added to any lists
+# professional-list-inclusion(2)
+# -- may be added to lists
+# -- which the list provider
+# -- views as related to the
+# -- users professional inter-
+# -- ests, perhaps evaluated
+# -- from the business of the
+# -- organisation or keywords
+# -- in the entry.
+# }
+# ::= {pilotAttributeType 47}
+#
+#
+# buildingName ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# caseIgnoreStringSyntax
+# (SIZE (1 .. ub-building-name))
+# ::= {pilotAttributeType 48}
+#
+#
+# dSAQuality ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX DSAQualitySyntax
+# SINGLE VALUE
+# ::= {pilotAttributeType 49}
+#
+#
+# singleLevelQuality ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX DataQualitySyntax
+# SINGLE VALUE
+#
+#
+# subtreeMinimumQuality ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX DataQualitySyntax
+# SINGLE VALUE
+# -- Defaults to singleLevelQuality
+# ::= {pilotAttributeType 51}
+#
+#
+# subtreeMaximumQuality ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX DataQualitySyntax
+# SINGLE VALUE
+# -- Defaults to singleLevelQuality
+# ::= {pilotAttributeType 52}
+#
+#
+# personalSignature ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# CHOICE {
+# g3-facsimile [3] G3FacsimileBodyPart
+# }
+# (SIZE (1 .. ub-personal-signature))
+# ::= {pilotAttributeType 53}
+#
+#
+# dITRedirect ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# distinguishedNameSyntax
+# ::= {pilotAttributeType 54}
+#
+#
+# audio ATTRIBUTE
+# WITH ATTRIBUTE-SYNTAX
+# Audio
+# (SIZE (1 .. ub-audio))
+# ::= {pilotAttributeType 55}
+#
+# documentPublisher ATTRIBUTE
+# WITH ATTRIBUTE SYNTAX caseIgnoreStringSyntax
+# ::= {pilotAttributeType 56}
+#
+#
+#
+# -- Generally useful syntaxes
+#
+#
+# caseIgnoreIA5StringSyntax ATTRIBUTE-SYNTAX
+# IA5String
+# MATCHES FOR EQUALITY SUBSTRINGS
+#
+#
+# iA5StringSyntax ATTRIBUTE-SYNTAX
+# IA5String
+# MATCHES FOR EQUALITY SUBSTRINGS
+#
+#
+# -- Syntaxes to support the DNS attributes
+#
+# DNSRecordSyntax ATTRIBUTE-SYNTAX
+# IA5String
+# MATCHES FOR EQUALITY
+#
+#
+# NRSInformationSyntax ATTRIBUTE-SYNTAX
+# NRSInformation
+# MATCHES FOR EQUALITY
+#
+#
+# NRSInformation ::= SET {
+# [0] Context,
+# [1] Address-space-id,
+# routes [2] SEQUENCE OF SEQUENCE {
+# Route-cost,
+# Addressing-info }
+# }
+#
+#
+# -- Upper bounds on length of attribute values
+#
+#
+# ub-document-identifier INTEGER ::= 256
+#
+# ub-document-location INTEGER ::= 256
+#
+# ub-document-title INTEGER ::= 256
+#
+# ub-document-version INTEGER ::= 256
+#
+# ub-favourite-drink INTEGER ::= 256
+#
+# ub-host INTEGER ::= 256
+#
+# ub-information INTEGER ::= 2048
+#
+# ub-unique-identifier INTEGER ::= 256
+#
+# ub-personal-title INTEGER ::= 256
+#
+# ub-photo INTEGER ::= 250000
+#
+# ub-rfc822-mailbox INTEGER ::= 256
+#
+# ub-room-number INTEGER ::= 256
+#
+# ub-text-or-address INTEGER ::= 256
+#
+# ub-user-class INTEGER ::= 256
+#
+# ub-user-identifier INTEGER ::= 256
+#
+# ub-organizational-status INTEGER ::= 256
+#
+# ub-janet-mailbox INTEGER ::= 256
+#
+# ub-building-name INTEGER ::= 256
+#
+# ub-personal-signature ::= 50000
+#
+# ub-audio INTEGER ::= 250000
+#
+# [remainder of memo trimmed]
+
Copied: openldap/trunk/servers/slapd/schema/java.schema (from rev 1148, openldap/vendor/openldap-2.4.10/servers/slapd/schema/java.schema)
===================================================================
--- openldap/trunk/servers/slapd/schema/java.schema (rev 0)
+++ openldap/trunk/servers/slapd/schema/java.schema 2008-06-28 15:17:20 UTC (rev 1149)
@@ -0,0 +1,403 @@
+# java.schema -- Java Object Schema
+# $OpenLDAP: pkg/ldap/servers/slapd/schema/java.schema,v 1.7.2.3 2008/02/11 23:26:49 kurt Exp $
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2008 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+#
+# Java Object Schema (defined in RFC 2713)
+# depends upon core.schema
+#
+
+# Network Working Group V. Ryan
+# Request for Comments: 2713 S. Seligman
+# Category: Informational R. Lee
+# Sun Microsystems, Inc.
+# October 1999
+#
+#
+# Schema for Representing Java(tm) Objects in an LDAP Directory
+#
+# Status of this Memo
+#
+# This memo provides information for the Internet community. It does
+# not specify an Internet standard of any kind. Distribution of this
+# memo is unlimited.
+#
+# Copyright Notice
+#
+# Copyright (C) The Internet Society (1999). All Rights Reserved.
+#
+# Abstract
+#
+# This document defines the schema for representing Java(tm) objects in
+# an LDAP directory [LDAPv3]. It defines schema elements to represent
+# a Java serialized object [Serial], a Java marshalled object [RMI], a
+# Java remote object [RMI], and a JNDI reference [JNDI].
+#
+
+# [trimmed]
+
+# 3 Attribute Type Definitions
+#
+# The following attribute types are defined in this document:
+#
+# javaClassName
+# javaClassNames
+# javaCodebase
+# javaSerializedData
+# javaFactory
+# javaReferenceAddress
+# javaDoc
+#
+# 3.1 javaClassName
+#
+# This attribute stores the fully qualified name of the Java object's
+# "distinguished" class or interface (for example, "java.lang.String").
+# It is a single-valued attribute. This attribute's syntax is '
+# Directory String' and its case is significant.
+#
+# ( 1.3.6.1.4.1.42.2.27.4.1.6
+# NAME 'javaClassName'
+# DESC 'Fully qualified name of distinguished Java class or
+# interface'
+# EQUALITY caseExactMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+# SINGLE-VALUE
+# )
+#
+attributetype ( 1.3.6.1.4.1.42.2.27.4.1.6
+ NAME 'javaClassName'
+ DESC 'Fully qualified name of distinguished Java class or interface'
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+
+# 3.2 javaCodebase
+#
+# This attribute stores the Java class definition's locations. It
+# specifies the locations from which to load the class definition for
+# the class specified by the javaClassName attribute. Each value of
+# the attribute contains an ordered list of URLs, separated by spaces.
+# For example, a value of "url1 url2 url3" means that the three
+# (possibly interdependent) URLs (url1, url2, and url3) form the
+# codebase for loading in the Java class definition.
+#
+# If the javaCodebase attribute contains more than one value, each
+# value is an independent codebase. That is, there is no relationship
+# between the URLs in one value and those in another; each value can be
+# viewed as an alternate source for loading the Java class definition.
+# See [Java] for information regarding class loading.
+#
+# This attribute's syntax is 'IA5 String' and its case is significant.
+#
+# ( 1.3.6.1.4.1.42.2.27.4.1.7
+# NAME 'javaCodebase'
+# DESC 'URL(s) specifying the location of class definition'
+# EQUALITY caseExactIA5Match
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+# )
+#
+attributetype ( 1.3.6.1.4.1.42.2.27.4.1.7
+ NAME 'javaCodebase'
+ DESC 'URL(s) specifying the location of class definition'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+# 3.3 javaClassNames
+#
+# This attribute stores the Java object's fully qualified class or
+# interface names (for example, "java.lang.String"). It is a
+# multivalued attribute. When more than one value is present, each is
+# the name of a class or interface, or ancestor class or interface, of
+# this object.
+#
+# This attribute's syntax is 'Directory String' and its case is
+# significant.
+#
+# ( 1.3.6.1.4.1.42.2.27.4.1.13
+# NAME 'javaClassNames'
+# DESC 'Fully qualified Java class or interface name'
+# EQUALITY caseExactMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+# )
+#
+#
+attributetype ( 1.3.6.1.4.1.42.2.27.4.1.13
+ NAME 'javaClassNames'
+ DESC 'Fully qualified Java class or interface name'
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+# 3.4 javaSerializedData
+#
+# This attribute stores the serialized form of a Java object. The
+# serialized form is described in [Serial].
+#
+# This attribute's syntax is 'Octet String'.
+#
+# ( 1.3.6.1.4.1.42.2.27.4.1.8
+# NAME 'javaSerializedData
+# DESC 'Serialized form of a Java object'
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
+# SINGLE-VALUE
+# )
+#
+attributetype ( 1.3.6.1.4.1.42.2.27.4.1.8
+ NAME 'javaSerializedData'
+ DESC 'Serialized form of a Java object'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
+ SINGLE-VALUE )
+
+# 3.5 javaFactory
+#
+# This attribute stores the fully qualified class name of the object
+# factory (for example, "com.wiz.jndi.WizObjectFactory") that can be
+# used to create an instance of the object identified by the
+# javaClassName attribute.
+#
+# This attribute's syntax is 'Directory String' and its case is
+# significant.
+#
+# ( 1.3.6.1.4.1.42.2.27.4.1.10
+# NAME 'javaFactory'
+# DESC 'Fully qualified Java class name of a JNDI object factory'
+# EQUALITY caseExactMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+# SINGLE-VALUE
+# )
+#
+attributetype ( 1.3.6.1.4.1.42.2.27.4.1.10
+ NAME 'javaFactory'
+ DESC 'Fully qualified Java class name of a JNDI object factory'
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+
+# 3.6 javaReferenceAddress
+#
+# This attribute represents the sequence of addresses of a JNDI
+# reference. Each of its values represents one address, a Java object
+# of type javax.naming.RefAddr. Its value is a concatenation of the
+# address type and address contents, preceded by a sequence number (the
+# order of addresses in a JNDI reference is significant). For example:
+#
+# #0#TypeA#ValA
+# #1#TypeB#ValB
+# #2#TypeC##rO0ABXNyABpq...
+#
+# In more detail, the value is encoded as follows:
+#
+# The delimiter is the first character of the value. For readability
+# the character '#' is recommended when it is not otherwise used
+# anywhere in the value, but any character may be used subject to
+# restrictions given below.
+#
+# The first delimiter is followed by the sequence number. The sequence
+# number of an address is its position in the JNDI reference, with the
+# first address being numbered 0. It is represented by its shortest
+# string form, in decimal notation.
+#
+# The sequence number is followed by a delimiter, then by the address
+# type, and then by another delimiter. If the address is of Java class
+# javax.naming.StringRefAddr, then this delimiter is followed by the
+# value of the address contents (which is a string). Otherwise, this
+# delimiter is followed immediately by another delimiter, and then by
+# the Base64 encoding of the serialized form of the entire address.
+#
+# The delimiter may be any character other than a digit or a character
+# contained in the address type. In addition, if the address contents
+# is a string, the delimiter may not be the first character of that
+# string.
+#
+# This attribute's syntax is 'Directory String' and its case is
+# significant. It can contain multiple values.
+#
+# ( 1.3.6.1.4.1.42.2.27.4.1.11
+# NAME 'javaReferenceAddress'
+# DESC 'Addresses associated with a JNDI Reference'
+# EQUALITY caseExactMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+# )
+#
+attributetype ( 1.3.6.1.4.1.42.2.27.4.1.11
+ NAME 'javaReferenceAddress'
+ DESC 'Addresses associated with a JNDI Reference'
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+# 3.7 javaDoc
+#
+# This attribute stores a pointer to the Java documentation for the
+# class. It's value is a URL. For example, the following URL points to
+# the specification of the java.lang.String class:
+# http://java.sun.com/products/jdk/1.2/docs/api/java/lang/String.html
+#
+# This attribute's syntax is 'IA5 String' and its case is significant.
+#
+# ( 1.3.6.1.4.1.42.2.27.4.1.12
+# NAME 'javaDoc'
+# DESC 'The Java documentation for the class'
+# EQUALITY caseExactIA5Match
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+# )
+#
+attributetype ( 1.3.6.1.4.1.42.2.27.4.1.12
+ NAME 'javaDoc'
+ DESC 'The Java documentation for the class'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+# 4 Object Class Definitions
+#
+# The following object classes are defined in this document:
+#
+# javaContainer
+# javaObject
+# javaSerializedObject
+# javaMarshalledObject
+# javaNamingReference
+#
+# 4.1 javaContainer
+#
+# This structural object class represents a container for a Java
+# object.
+#
+# ( 1.3.6.1.4.1.42.2.27.4.2.1
+# NAME 'javaContainer'
+# DESC 'Container for a Java object'
+# SUP top
+# STRUCTURAL
+# MUST ( cn )
+# )
+#
+objectclass ( 1.3.6.1.4.1.42.2.27.4.2.1
+ NAME 'javaContainer'
+ DESC 'Container for a Java object'
+ SUP top
+ STRUCTURAL
+ MUST cn )
+
+# 4.2 javaObject
+#
+# This abstract object class represents a Java object. A javaObject
+# cannot exist in the directory; only auxiliary or structural
+# subclasses of it can exist in the directory.
+#
+# ( 1.3.6.1.4.1.42.2.27.4.2.4
+# NAME 'javaObject'
+# DESC 'Java object representation'
+# SUP top
+# ABSTRACT
+# MUST ( javaClassName )
+# MAY ( javaClassNames $
+# javaCodebase $
+# javaDoc $
+# description )
+# )
+#
+objectclass ( 1.3.6.1.4.1.42.2.27.4.2.4
+ NAME 'javaObject'
+ DESC 'Java object representation'
+ SUP top
+ ABSTRACT
+ MUST javaClassName
+ MAY ( javaClassNames $ javaCodebase $
+ javaDoc $ description ) )
+
+# 4.3 javaSerializedObject
+#
+# This auxiliary object class represents a Java serialized object. It
+# must be mixed in with a structural object class.
+#
+# ( 1.3.6.1.4.1.42.2.27.4.2.5
+# NAME 'javaSerializedObject'
+# DESC 'Java serialized object'
+# SUP javaObject
+# AUXILIARY
+# MUST ( javaSerializedData )
+# )
+#
+objectclass ( 1.3.6.1.4.1.42.2.27.4.2.5
+ NAME 'javaSerializedObject'
+ DESC 'Java serialized object'
+ SUP javaObject
+ AUXILIARY
+ MUST javaSerializedData )
+
+# 4.4 javaMarshalledObject
+#
+# This auxiliary object class represents a Java marshalled object. It
+# must be mixed in with a structural object class.
+#
+# ( 1.3.6.1.4.1.42.2.27.4.2.8
+# NAME 'javaMarshalledObject'
+# DESC 'Java marshalled object'
+# SUP javaObject
+# AUXILIARY
+# MUST ( javaSerializedData )
+# )
+#
+objectclass ( 1.3.6.1.4.1.42.2.27.4.2.8
+ NAME 'javaMarshalledObject'
+ DESC 'Java marshalled object'
+ SUP javaObject
+ AUXILIARY
+ MUST javaSerializedData )
+
+# 4.5 javaNamingReference
+#
+# This auxiliary object class represents a JNDI reference. It must be
+# mixed in with a structural object class.
+#
+# ( 1.3.6.1.4.1.42.2.27.4.2.7
+# NAME 'javaNamingReference'
+# DESC 'JNDI reference'
+# SUP javaObject
+# AUXILIARY
+# MAY ( javaReferenceAddress $
+# javaFactory )
+# )
+#
+objectclass ( 1.3.6.1.4.1.42.2.27.4.2.7
+ NAME 'javaNamingReference'
+ DESC 'JNDI reference'
+ SUP javaObject
+ AUXILIARY
+ MAY ( javaReferenceAddress $ javaFactory ) )
+
+# Full Copyright Statement
+#
+# Copyright (C) The Internet Society (1999). All Rights Reserved.
+#
+# This document and translations of it may be copied and furnished to
+# others, and derivative works that comment on or otherwise explain it
+# or assist in its implementation may be prepared, copied, published
+# and distributed, in whole or in part, without restriction of any
+# kind, provided that the above copyright notice and this paragraph are
+# included on all such copies and derivative works. However, this
+# document itself may not be modified in any way, such as by removing
+# the copyright notice or references to the Internet Society or other
+# Internet organizations, except as needed for the purpose of
+# developing Internet standards in which case the procedures for
+# copyrights defined in the Internet Standards process must be
+# followed, or as required to translate it into languages other than
+# English.
+#
+# The limited permissions granted above are perpetual and will not be
+# revoked by the Internet Society or its successors or assigns.
+#
+# This document and the information contained herein is provided on an
+# "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+# TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+# BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+# HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+# MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copied: openldap/trunk/servers/slapd/schema/ppolicy.schema (from rev 1148, openldap/vendor/openldap-2.4.10/servers/slapd/schema/ppolicy.schema)
===================================================================
--- openldap/trunk/servers/slapd/schema/ppolicy.schema (rev 0)
+++ openldap/trunk/servers/slapd/schema/ppolicy.schema 2008-06-28 15:17:20 UTC (rev 1149)
@@ -0,0 +1,531 @@
+# $OpenLDAP: pkg/ldap/servers/slapd/schema/ppolicy.schema,v 1.7.2.3 2008/02/11 23:26:49 kurt Exp $
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 2004-2008 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+#
+## Portions Copyright (C) The Internet Society (2004).
+## Please see full copyright statement below.
+
+# Definitions from Draft behera-ldap-password-policy-07 (a work in progress)
+# Password Policy for LDAP Directories
+# With extensions from Hewlett-Packard:
+# pwdCheckModule etc.
+
+# Contents of this file are subject to change (including deletion)
+# without notice.
+#
+# Not recommended for production use!
+# Use with extreme caution!
+
+#Network Working Group J. Sermersheim
+#Internet-Draft Novell, Inc
+#Expires: April 24, 2005 L. Poitou
+# Sun Microsystems
+# October 24, 2004
+#
+#
+# Password Policy for LDAP Directories
+# draft-behera-ldap-password-policy-08.txt
+#
+#Status of this Memo
+#
+# This document is an Internet-Draft and is subject to all provisions
+# of section 3 of RFC 3667. By submitting this Internet-Draft, each
+# author represents that any applicable patent or other IPR claims of
+# which he or she is aware have been or will be disclosed, and any of
+# which he or she become aware will be disclosed, in accordance with
+# RFC 3668.
+#
+# Internet-Drafts are working documents of the Internet Engineering
+# Task Force (IETF), its areas, and its working groups. Note that
+# other groups may also distribute working documents as
+# Internet-Drafts.
+#
+# Internet-Drafts are draft documents valid for a maximum of six months
+# and may be updated, replaced, or obsoleted by other documents at any
+# time. It is inappropriate to use Internet-Drafts as reference
+# material or to cite them other than as "work in progress."
+#
+# The list of current Internet-Drafts can be accessed at
+# http://www.ietf.org/ietf/1id-abstracts.txt.
+#
+# The list of Internet-Draft Shadow Directories can be accessed at
+# http://www.ietf.org/shadow.html.
+#
+# This Internet-Draft will expire on April 24, 2005.
+#
+#Copyright Notice
+#
+# Copyright (C) The Internet Society (2004).
+#
+#Abstract
+#
+# Password policy as described in this document is a set of rules that
+# controls how passwords are used and administered in Lightweight
+# Directory Access Protocol (LDAP) based directories. In order to
+# improve the security of LDAP directories and make it difficult for
+# password cracking programs to break into directories, it is desirable
+# to enforce a set of rules on password usage. These rules are made to
+#
+# [trimmed]
+#
+#5. Schema used for Password Policy
+#
+# The schema elements defined here fall into two general categories. A
+# password policy object class is defined which contains a set of
+# administrative password policy attributes, and a set of operational
+# attributes are defined that hold general password policy state
+# information for each user.
+#
+#5.2 Attribute Types used in the pwdPolicy ObjectClass
+#
+# Following are the attribute types used by the pwdPolicy object class.
+#
+#5.2.1 pwdAttribute
+#
+# This holds the name of the attribute to which the password policy is
+# applied. For example, the password policy may be applied to the
+# userPassword attribute.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1
+ NAME 'pwdAttribute'
+ EQUALITY objectIdentifierMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
+
+#5.2.2 pwdMinAge
+#
+# This attribute holds the number of seconds that must elapse between
+# modifications to the password. If this attribute is not present, 0
+# seconds is assumed.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2
+ NAME 'pwdMinAge'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.3 pwdMaxAge
+#
+# This attribute holds the number of seconds after which a modified
+# password will expire.
+#
+# If this attribute is not present, or if the value is 0 the password
+# does not expire. If not 0, the value must be greater than or equal
+# to the value of the pwdMinAge.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3
+ NAME 'pwdMaxAge'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.4 pwdInHistory
+#
+# This attribute specifies the maximum number of used passwords stored
+# in the pwdHistory attribute.
+#
+# If this attribute is not present, or if the value is 0, used
+# passwords are not stored in the pwdHistory attribute and thus may be
+# reused.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4
+ NAME 'pwdInHistory'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.5 pwdCheckQuality
+#
+# {TODO: Consider changing the syntax to OID. Each OID will list a
+# quality rule (like min len, # of special characters, etc). These
+# rules can be specified outsid ethis document.}
+#
+# {TODO: Note that even though this is meant to be a check that happens
+# during password modification, it may also be allowed to happen during
+# authN. This is useful for situations where the password is encrypted
+# when modified, but decrypted when used to authN.}
+#
+# This attribute indicates how the password quality will be verified
+# while being modified or added. If this attribute is not present, or
+# if the value is '0', quality checking will not be enforced. A value
+# of '1' indicates that the server will check the quality, and if the
+# server is unable to check it (due to a hashed password or other
+# reasons) it will be accepted. A value of '2' indicates that the
+# server will check the quality, and if the server is unable to verify
+# it, it will return an error refusing the password.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5
+ NAME 'pwdCheckQuality'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.6 pwdMinLength
+#
+# When quality checking is enabled, this attribute holds the minimum
+# number of characters that must be used in a password. If this
+# attribute is not present, no minimum password length will be
+# enforced. If the server is unable to check the length (due to a
+# hashed password or otherwise), the server will, depending on the
+# value of the pwdCheckQuality attribute, either accept the password
+# without checking it ('0' or '1') or refuse it ('2').
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6
+ NAME 'pwdMinLength'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.7 pwdExpireWarning
+#
+# This attribute specifies the maximum number of seconds before a
+# password is due to expire that expiration warning messages will be
+# returned to an authenticating user.
+#
+# If this attribute is not present, or if the value is 0 no warnings
+# will be returned. If not 0, the value must be smaller than the value
+# of the pwdMaxAge attribute.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7
+ NAME 'pwdExpireWarning'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.8 pwdGraceAuthNLimit
+#
+# This attribute specifies the number of times an expired password can
+# be used to authenticate. If this attribute is not present or if the
+# value is 0, authentication will fail.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8
+ NAME 'pwdGraceAuthNLimit'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.9 pwdLockout
+#
+# This attribute indicates, when its value is "TRUE", that the password
+# may not be used to authenticate after a specified number of
+# consecutive failed bind attempts. The maximum number of consecutive
+# failed bind attempts is specified in pwdMaxFailure.
+#
+# If this attribute is not present, or if the value is "FALSE", the
+# password may be used to authenticate when the number of failed bind
+# attempts has been reached.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9
+ NAME 'pwdLockout'
+ EQUALITY booleanMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+ SINGLE-VALUE )
+
+#5.2.10 pwdLockoutDuration
+#
+# This attribute holds the number of seconds that the password cannot
+# be used to authenticate due to too many failed bind attempts. If
+# this attribute is not present, or if the value is 0 the password
+# cannot be used to authenticate until reset by a password
+# administrator.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10
+ NAME 'pwdLockoutDuration'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.11 pwdMaxFailure
+#
+# This attribute specifies the number of consecutive failed bind
+# attempts after which the password may not be used to authenticate.
+# If this attribute is not present, or if the value is 0, this policy
+# is not checked, and the value of pwdLockout will be ignored.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11
+ NAME 'pwdMaxFailure'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.12 pwdFailureCountInterval
+#
+# This attribute holds the number of seconds after which the password
+# failures are purged from the failure counter, even though no
+# successful authentication occurred.
+#
+# If this attribute is not present, or if its value is 0, the failure
+# counter is only reset by a successful authentication.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12
+ NAME 'pwdFailureCountInterval'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.13 pwdMustChange
+#
+# This attribute specifies with a value of "TRUE" that users must
+# change their passwords when they first bind to the directory after a
+# password is set or reset by a password administrator. If this
+# attribute is not present, or if the value is "FALSE", users are not
+# required to change their password upon binding after the password
+# administrator sets or resets the password. This attribute is not set
+# due to any actions specified by this document, it is typically set by
+# a password administrator after resetting a user's password.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13
+ NAME 'pwdMustChange'
+ EQUALITY booleanMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+ SINGLE-VALUE )
+
+#5.2.14 pwdAllowUserChange
+#
+# This attribute indicates whether users can change their own
+# passwords, although the change operation is still subject to access
+# control. If this attribute is not present, a value of "TRUE" is
+# assumed. This attribute is intended to be used in the absense of an
+# access control mechanism.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14
+ NAME 'pwdAllowUserChange'
+ EQUALITY booleanMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+ SINGLE-VALUE )
+
+#5.2.15 pwdSafeModify
+#
+# This attribute specifies whether or not the existing password must be
+# sent along with the new password when being changed. If this
+# attribute is not present, a "FALSE" value is assumed.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15
+ NAME 'pwdSafeModify'
+ EQUALITY booleanMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+ SINGLE-VALUE )
+
+# HP extensions
+#
+# pwdCheckModule
+#
+# This attribute names a user-defined loadable module that provides
+# a check_password() function. If pwdCheckQuality is set to '1' or '2'
+# this function will be called after all of the internal password
+# quality checks have been passed. The function has this prototype:
+#
+# int check_password( char *password, char **errormessage, void *arg )
+#
+# The function should return LDAP_SUCCESS for a valid password.
+
+attributetype ( 1.3.6.1.4.1.4754.1.99.1
+ NAME 'pwdCheckModule'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ DESC 'Loadable module that instantiates "check_password() function'
+ SINGLE-VALUE )
+
+objectclass ( 1.3.6.1.4.1.4754.2.99.1
+ NAME 'pwdPolicyChecker'
+ SUP top
+ AUXILIARY
+ MAY ( pwdCheckModule ) )
+
+#5.1 The pwdPolicy Object Class
+#
+# This object class contains the attributes defining a password policy
+# in effect for a set of users. Section 10 describes the
+# administration of this object, and the relationship between it and
+# particular objects.
+#
+objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1
+ NAME 'pwdPolicy'
+ SUP top
+ AUXILIARY
+ MUST ( pwdAttribute )
+ MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
+ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout
+ $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
+ pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )
+
+#5.3 Attribute Types for Password Policy State Information
+#
+# Password policy state information must be maintained for each user.
+# The information is located in each user entry as a set of operational
+# attributes. These operational attributes are: pwdChangedTime,
+# pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime,
+# pwdReset, pwdPolicySubEntry.
+#
+#5.3.1 Password Policy State Attribute Option
+#
+# Since the password policy could apply to several attributes used to
+# store passwords, each of the above operational attributes must have
+# an option to specify which pwdAttribute it applies to. The password
+# policy option is defined as the following:
+#
+# pwd-<passwordAttribute>
+#
+# where passwordAttribute a string following the OID syntax
+# (1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor
+# (short name) MUST be used.
+#
+# For example, if the pwdPolicy object has for pwdAttribute
+# "userPassword" then the pwdChangedTime operational attribute, in a
+# user entry, will be:
+#
+# pwdChangedTime;pwd-userPassword: 20000103121520Z
+#
+# This attribute option follows sub-typing semantics. If a client
+# requests a password policy state attribute to be returned in a search
+# operation, and does not specify an option, all subtypes of that
+# policy state attribute are returned.
+#
+#5.3.2 pwdChangedTime
+#
+# This attribute specifies the last time the entry's password was
+# changed. This is used by the password expiration policy. If this
+# attribute does not exist, the password will never expire.
+#
+# ( 1.3.6.1.4.1.42.2.27.8.1.16
+# NAME 'pwdChangedTime'
+# DESC 'The time the password was last changed'
+# EQUALITY generalizedTimeMatch
+# ORDERING generalizedTimeOrderingMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+# SINGLE-VALUE
+# USAGE directoryOperation )
+#
+#5.3.3 pwdAccountLockedTime
+#
+# This attribute holds the time that the user's account was locked. A
+# locked account means that the password may no longer be used to
+# authenticate. A 000001010000Z value means that the account has been
+# locked permanently, and that only a password administrator can unlock
+# the account.
+#
+# ( 1.3.6.1.4.1.42.2.27.8.1.17
+# NAME 'pwdAccountLockedTime'
+# DESC 'The time an user account was locked'
+# EQUALITY generalizedTimeMatch
+# ORDERING generalizedTimeOrderingMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+# SINGLE-VALUE
+# USAGE directoryOperation )
+#
+#5.3.4 pwdFailureTime
+#
+# This attribute holds the timestamps of the consecutive authentication
+# failures.
+#
+# ( 1.3.6.1.4.1.42.2.27.8.1.19
+# NAME 'pwdFailureTime'
+# DESC 'The timestamps of the last consecutive authentication
+# failures'
+# EQUALITY generalizedTimeMatch
+# ORDERING generalizedTimeOrderingMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+# USAGE directoryOperation )
+#
+#5.3.5 pwdHistory
+#
+# This attribute holds a history of previously used passwords. Values
+# of this attribute are transmitted in string format as given by the
+# following ABNF:
+#
+# pwdHistory = time "#" syntaxOID "#" length "#" data
+#
+# time = <generalizedTimeString as specified in 6.14
+# of [RFC2252]>
+#
+# syntaxOID = numericoid ; the string representation of the
+# ; dotted-decimal OID that defines the
+# ; syntax used to store the password.
+# ; numericoid is described in 4.1
+# ; of [RFC2252].
+#
+# length = numericstring ; the number of octets in data.
+# ; numericstring is described in 4.1
+# ; of [RFC2252].
+#
+# data = <octets representing the password in the format
+# specified by syntaxOID>.
+#
+# This format allows the server to store, and transmit a history of
+# passwords that have been used. In order for equality matching to
+# function properly, the time field needs to adhere to a consistent
+# format. For this purpose, the time field MUST be in GMT format.
+#
+# ( 1.3.6.1.4.1.42.2.27.8.1.20
+# NAME 'pwdHistory'
+# DESC 'The history of user s passwords'
+# EQUALITY octetStringMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
+# USAGE directoryOperation )
+#
+#5.3.6 pwdGraceUseTime
+#
+# This attribute holds the timestamps of grace authentications after a
+# password has expired.
+#
+# ( 1.3.6.1.4.1.42.2.27.8.1.21
+# NAME 'pwdGraceUseTime'
+# DESC 'The timestamps of the grace authentication after the
+# password has expired'
+# EQUALITY generalizedTimeMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+#
+#5.3.7 pwdReset
+#
+# This attribute holds a flag to indicate (when TRUE) that the password
+# has been updated by the password administrator and must be changed by
+# the user on first authentication.
+#
+# ( 1.3.6.1.4.1.42.2.27.8.1.22
+# NAME 'pwdReset'
+# DESC 'The indication that the password has been reset'
+# EQUALITY booleanMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+# SINGLE-VALUE
+# USAGE directoryOperation )
+#
+#5.3.8 pwdPolicySubentry
+#
+# This attribute points to the pwdPolicy subentry in effect for this
+# object.
+#
+# ( 1.3.6.1.4.1.42.2.27.8.1.23
+# NAME 'pwdPolicySubentry'
+# DESC 'The pwdPolicy subentry in effect for this object'
+# EQUALITY distinguishedNameMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
+# SINGLE-VALUE
+# USAGE directoryOperation )
+#
+#
+#Disclaimer of Validity
+#
+# This document and the information contained herein are provided on an
+# "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+# OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+# ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+# INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+# INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+# WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+#
+#
+#Copyright Statement
+#
+# Copyright (C) The Internet Society (2004). This document is subject
+# to the rights, licenses and restrictions contained in BCP 78, and
+# except as set forth therein, the authors retain all their rights.
+
Modified: openldap/trunk/servers/slapd/schema_init.c
===================================================================
--- openldap/trunk/servers/slapd/schema_init.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/schema_init.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,5 +1,5 @@
/* schema_init.c - init builtin schema */
-/* $OpenLDAP: pkg/ldap/servers/slapd/schema_init.c,v 1.386.2.20 2008/04/14 20:01:31 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/schema_init.c,v 1.386.2.21 2008/05/20 00:00:56 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2008 The OpenLDAP Foundation.
@@ -2273,6 +2273,8 @@
keys[0].bv_len = index_intlen;
keys[0].bv_val = slap_sl_malloc( index_intlen, ctx );
+ keys[1].bv_len = 0;
+ keys[1].bv_val = NULL;
iv.bv_len = value->bv_len < index_intlen_strlen + INDEX_INTLEN_CHOP-1
? value->bv_len : index_intlen_strlen + INDEX_INTLEN_CHOP-1;
Modified: openldap/trunk/servers/slapd/sets.h
===================================================================
--- openldap/trunk/servers/slapd/sets.h 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/sets.h 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/sets.h,v 1.21.2.3 2008/02/11 23:26:44 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/sets.h,v 1.21.2.4 2008/05/20 00:09:30 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2008 The OpenLDAP Foundation.
@@ -53,7 +53,7 @@
* it is ORed with SLAP_SET_RREFARR
* - the same applies to the lset with SLAP_SET_LREFVAL and SLAP_SET_LREFARR
* - it is assumed that SLAP_SET_REFVAL implies SLAP_SET_REFARR,
- * i.e. the former is checked only if the latter is defined.
+ * i.e. the former is checked only if the latter is set.
*/
#define SLAP_SET_RREFARR SLAP_SET_REFARR
Modified: openldap/trunk/servers/slapd/slap.h
===================================================================
--- openldap/trunk/servers/slapd/slap.h 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/slap.h 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,5 +1,5 @@
/* slap.h - stand alone ldap server include file */
-/* $OpenLDAP: pkg/ldap/servers/slapd/slap.h,v 1.764.2.26 2008/04/24 08:13:39 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/slap.h,v 1.764.2.27 2008/05/20 00:07:05 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2008 The OpenLDAP Foundation.
@@ -1371,8 +1371,8 @@
#define ACL_PRIV_SET(m,p) do { (m) |= (p); } while(0)
#define ACL_PRIV_CLR(m,p) do { (m) &= ~(p); } while(0)
-#define ACL_INIT(m) ACL_PRIV_ASSIGN(m, ACL_PRIV_NONE)
-#define ACL_INVALIDATE(m) ACL_PRIV_ASSIGN(m, ACL_PRIV_INVALID)
+#define ACL_INIT(m) ACL_PRIV_ASSIGN((m), ACL_PRIV_NONE)
+#define ACL_INVALIDATE(m) ACL_PRIV_ASSIGN((m), ACL_PRIV_INVALID)
#define ACL_GRANT(m,a) ACL_PRIV_ISSET((m),ACL_ACCESS2PRIV(a))
@@ -2687,7 +2687,7 @@
#define send_ldap_error( op, rs, err, text ) do { \
(rs)->sr_err = err; (rs)->sr_text = text; \
- (op->o_conn->c_send_ldap_result)( op, rs ); \
+ ((op)->o_conn->c_send_ldap_result)( op, rs ); \
} while (0)
#define send_ldap_discon( op, rs, err, text ) do { \
(rs)->sr_err = err; (rs)->sr_text = text; \
Modified: openldap/trunk/servers/slapd/slapi/plugin.c
===================================================================
--- openldap/trunk/servers/slapd/slapi/plugin.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/slapi/plugin.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/plugin.c,v 1.43.2.5 2008/02/11 23:26:49 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/plugin.c,v 1.43.2.6 2008/06/02 18:00:53 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2002-2008 The OpenLDAP Foundation.
@@ -21,10 +21,11 @@
*/
#include "portable.h"
-#include <ldap_pvt_thread.h>
-#include <slap.h>
-#include <slapi.h>
-#include <lutil.h>
+#include "ldap_pvt_thread.h"
+#include "slap.h"
+#include "config.h"
+#include "slapi.h"
+#include "lutil.h"
/*
* Note: if ltdl.h is not available, slapi should not be compiled
@@ -645,8 +646,10 @@
/* automatically instantiate overlay if necessary */
if ( !slapi_over_is_inst( be ) ) {
- if ( slapi_over_config( be ) != 0 ) {
- fprintf( stderr, "Failed to instantiate SLAPI overlay\n");
+ ConfigReply cr = { 0 };
+ if ( slapi_over_config( be, &cr ) != 0 ) {
+ fprintf( stderr, "Failed to instantiate SLAPI overlay: "
+ "err=%d msg=\"%s\"\n", cr.err, cr.msg );
return -1;
}
}
Modified: openldap/trunk/servers/slapd/slapi/proto-slapi.h
===================================================================
--- openldap/trunk/servers/slapd/slapi/proto-slapi.h 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/slapi/proto-slapi.h 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/proto-slapi.h,v 1.47.2.3 2008/02/11 23:26:49 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/proto-slapi.h,v 1.47.2.4 2008/06/02 18:00:53 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2002-2008 The OpenLDAP Foundation.
@@ -83,7 +83,7 @@
/* slapi_overlay.c */
LDAP_SLAPI_F (int) slapi_over_is_inst LDAP_P((BackendDB *));
-LDAP_SLAPI_F (int) slapi_over_config LDAP_P((BackendDB *));
+LDAP_SLAPI_F (int) slapi_over_config LDAP_P((BackendDB *, ConfigReply *));
LDAP_END_DECL
Modified: openldap/trunk/servers/slapd/slapi/slapi_overlay.c
===================================================================
--- openldap/trunk/servers/slapd/slapi/slapi_overlay.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/slapi/slapi_overlay.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,5 +1,5 @@
/* slapi_overlay.c - SLAPI overlay */
-/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/slapi_overlay.c,v 1.40.2.6 2008/02/11 23:26:49 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/slapi_overlay.c,v 1.40.2.7 2008/06/02 18:00:53 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2001-2008 The OpenLDAP Foundation.
@@ -916,7 +916,7 @@
return overlay_is_inst( be, SLAPI_OVERLAY_NAME );
}
-int slapi_over_config( BackendDB *be )
+int slapi_over_config( BackendDB *be, ConfigReply *cr )
{
if ( slapi_over_initialized == 0 ) {
int rc;
@@ -940,7 +940,7 @@
slapi_over_initialized = 1;
}
- return overlay_config( be, SLAPI_OVERLAY_NAME, -1, NULL );
+ return overlay_config( be, SLAPI_OVERLAY_NAME, -1, NULL, cr );
}
#endif /* LDAP_SLAPI */
Modified: openldap/trunk/servers/slapd/syncrepl.c
===================================================================
--- openldap/trunk/servers/slapd/syncrepl.c 2008-06-28 09:30:18 UTC (rev 1148)
+++ openldap/trunk/servers/slapd/syncrepl.c 2008-06-28 15:17:20 UTC (rev 1149)
@@ -1,5 +1,5 @@
/* syncrepl.c -- Replication Engine which uses the LDAP Sync protocol */
-/* $OpenLDAP: pkg/ldap/servers/slapd/syncrepl.c,v 1.254.2.32 2008/05/01 22:01:03 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/syncrepl.c,v 1.254.2.34 2008/05/29 22:54:56 quanah Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2003-2008 The OpenLDAP Foundation.
@@ -568,16 +568,23 @@
op->o_tls_ssf = ldap_pvt_tls_get_strength( ssl );
}
#endif /* HAVE_TLS */
- ldap_get_option( si->si_ld, LDAP_OPT_X_SASL_SSF, &op->o_sasl_ssf );
+ {
+ ber_len_t ssf; /* ITS#5403, 3864 LDAP_OPT_X_SASL_SSF probably ought
+ to use sasl_ssf_t but currently uses ber_len_t */
+ ldap_get_option( si->si_ld, LDAP_OPT_X_SASL_SSF, &ssf );
+ op->o_sasl_ssf = ssf;
+ }
op->o_ssf = ( op->o_sasl_ssf > op->o_tls_ssf )
? op->o_sasl_ssf : op->o_tls_ssf;
ldap_set_option( si->si_ld, LDAP_OPT_TIMELIMIT, &si->si_tlimit );
si->si_syncCookie.rid = si->si_rid;
- si->si_syncCookie.sid = SLAP_SINGLE_SHADOW( si->si_be ) ? -1 :
- slap_serverID;
+ /* whenever there are multiple data sources possible, advertise sid */
+ si->si_syncCookie.sid = ( SLAP_MULTIMASTER( si->si_be ) || si->si_be != si->si_wbe ) ?
+ slap_serverID : -1;
+
/* We've just started up, or the remote server hasn't sent us
* any meaningful state.
*/
@@ -1235,7 +1242,8 @@
*
* Typically there is a single syncprov mastering the entire
* glued tree. In that case, our contextCSN updates should
- * go to the master DB.
+ * go to the master DB. But if there is no syncprov on the
+ * master DB, then nothing special is needed here.
*
* Alternatively, there may be individual syncprov overlays
* on each glued branch. In that case, each syncprov only
@@ -1244,7 +1252,11 @@
*/
if ( !si->si_wbe ) {
if ( SLAP_GLUE_SUBORDINATE( be ) && !overlay_is_inst( be, "syncprov" )) {
- si->si_wbe = select_backend( &be->be_nsuffix[0], 1 );
+ BackendDB * top_be = select_backend( &be->be_nsuffix[0], 1 );
+ if ( overlay_is_inst( top_be, "syncprov" ))
+ si->si_wbe = select_backend( &be->be_nsuffix[0], 1 );
+ else
+ si->si_wbe = be;
} else {
si->si_wbe = be;
}
More information about the Pkg-openldap-devel
mailing list