3 # - [PP] Now version controlled in db.d.o git repository, also see debian/changelog - 2009
4 # - [PP] Now version controlled in db.d.o bzr repository - 2007-12-25
7 # - [HE] Add 'purpose', 'physicalHost' to debianServer - 2007-12-25
8 # - [zobel] Add 'VoIP' - 2008-05-10
9 # - [luk] Add 'subGroup' to group - 2008-11-22
12 # - Add 'gender' and 'birthDate' to debianDeveloper
13 # - Add 'mailDisableMessage' to debianAccount
14 # - Add 'mailDisableMessage', 'mailCallout', 'mailGreylisting', 'mailRBL',
15 # 'mailRHSBL', and 'mailWhitelist' to debianDeveloper and debianRoleAccount
18 # - Add 'access' as a MAY for debianServer objectclass.
19 # - Make activity-from a UTF-8 string rather than ASCII.
20 # - add new debianRoleAccount objectclass.
23 # - Add 'access' as a MAY for debianDeveloper objectclass.
24 # - Add 'gid' attribute.
25 # - Make homeDirectory a MAY not MUST for debianAccount.
26 # - drop userPassword and memberUID MAYs from debianGroup.
27 # - add SUP top STRUCTURAL to debianGroup.
30 # - add a UTF8-enabled 'gecos' attribute type, conflicts with RFC2307
31 # - add debianAccount, which is roughly equivalent to posixAccount but
32 # permits UTF8 gecos fields
33 # - add debianGroup, which is the same as above but for posixGroup
36 # - Remove labeledURI, jpegPhoto from the list of supported
37 # attributes; using inetOrgPerson instead of organizationalPerson as
38 # a structural objectclass gives us both of these, and several other
39 # attributes that may be useful.
40 # - Add echelon attributes for MIA work to the debiandeveloper
41 # objectclass. (accountcomment,accountstatus)
42 # - Add specification for debianServer objectclass, used for Debian
46 # - grammarfied 'allowedHosts' to 'allowedHost' as
47 # 1.3.6.1.4.1.9586.100.4.2.12.
48 # - add 'privateSub' as 1.3.6.1.4.1.9586.100.4.4.5.
49 # - add 'jabberJID' as 1.3.6.1.4.1.9586.100.4.2.13.
50 # - change 'icqUIN' to an integer type (see? I told you it wasn't
51 # approved for use yet! ;)
57 # Project: db.debian.org
58 # Contact: Debian directory administrators <admin@db.debian.org>
62 # enterprise.Debian.project.userdir / 1.3.6.1.4.1.9586.100.4
64 # .1 - public LDAP objectClasses
68 # .2 - public LDAP attributeTypes
77 # .9 - middlename (mn)
79 # .11 - supplementaryGid
100 # .32 - mailDisableMessage
106 # .38 - mailContentInspectionAction
107 # .39 - allowedGroups
108 # .40 - exportOptions
109 # .41 - sshdistAuthKeysHost
113 # .3 - experimental LDAP objectClasses
114 # .1 - debianDeveloper
116 # .3 - debianRoleAccount
118 # .4 - experimental LDAP attributeTypes
119 # .1 - allowedHosts - OBSOLETED
122 # .4 - keyFingerPrint
124 # .6 - accountComment
126 # .8 - perform callouts
127 # .9 - perform greylisting
132 # .15 - mailDefaultOptions
134 # Public attribute types
# SSH public key for an account, stored as a whole authorized_keys-style line
# (Directory String syntax, multi-valued). The NAME line is not part of this
# listing.
# NOTE(review): caseIgnoreMatch folds case, but the base64 key blob in such a
# line is case-sensitive, so values that differ only in letter case compare
# equal in the directory. Tools that grant access from this attribute should
# compare the exact value themselves instead of trusting an LDAP equality or
# substring filter.
# NOTE(review): the authorized_keys format allows an options field before the
# key type; presumably the exporter validates each line before writing it to
# a host - confirm.
135 attributetype ( 1.3.6.1.4.1.9586.100.4.2.1
137 DESC 'textual form of an SSH public key compatible with authorized_keys'
138 EQUALITY caseIgnoreMatch
139 SUBSTR caseIgnoreSubstringsMatch
140 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
142 attributetype ( 1.3.6.1.4.1.9586.100.4.2.2
144 DESC 'last known activity from user email address'
145 EQUALITY caseExactMatch
146 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
148 attributetype ( 1.3.6.1.4.1.9586.100.4.2.3
150 DESC 'last known activity from user PGP key'
151 EQUALITY caseExactIA5Match
152 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
154 attributetype ( 1.3.6.1.4.1.9586.100.4.2.4
156 DESC 'user-editable comment'
157 EQUALITY caseExactIA5Match
158 SUBSTR caseIgnoreIA5SubstringsMatch
159 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
161 attributetype ( 1.3.6.1.4.1.9586.100.4.2.5
163 DESC 'UIN for ICQ instant messaging system'
164 EQUALITY integerMatch
165 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
167 attributetype ( 1.3.6.1.4.1.9586.100.4.2.6
169 DESC 'Internet Relay Chat nickname'
170 EQUALITY caseIgnoreIA5Match
171 SUBSTR caseIgnoreIA5SubstringsMatch
172 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
174 attributetype ( 1.3.6.1.4.1.9586.100.4.2.7
176 DESC 'latitude coordinate'
177 EQUALITY caseExactIA5Match
178 SUBSTR caseExactIA5SubstringsMatch
179 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
181 attributetype ( 1.3.6.1.4.1.9586.100.4.2.8
183 DESC 'longitude coordinate'
184 EQUALITY caseExactIA5Match
185 SUBSTR caseExactIA5SubstringsMatch
186 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
188 attributetype ( 1.3.6.1.4.1.9586.100.4.2.9
189 NAME ( 'mn' 'middlename' )
192 attributetype ( 1.3.6.1.4.1.9586.100.4.2.10
194 DESC 'vacation message'
195 EQUALITY caseIgnoreMatch
196 SUBSTR caseIgnoreSubstringsMatch
197 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
# Additional Unix group for a user; multi-valued Directory String.
# NOTE(review): presumably this drives group membership on hosts, so write
# access should be limited to directory administrators - the ACLs are not
# part of this file.
# NOTE(review): matching is case-insensitive here, while Unix group names are
# case-sensitive and the 'Groups that have access to a host' attribute in this
# schema uses caseExactIA5Match. Consumers should compare group names
# case-exactly themselves rather than rely on LDAP matching.
# The {256} is a length bound; whether the server enforces it should be
# confirmed.
199 attributetype ( 1.3.6.1.4.1.9586.100.4.2.11
200 NAME 'supplementaryGid'
201 DESC 'additional Unix group id of user'
202 EQUALITY caseIgnoreMatch
203 SUBSTR caseIgnoreSubstringsMatch
204 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
# Per-account host allow-list entry (the changelog at the top of this file
# names this OID 'allowedHost'); multi-valued IA5 string, matched
# case-insensitively. The NAME line is not part of this listing.
# NOTE(review): this is an authorization attribute. Who may add values is
# decided by server ACLs outside this schema; confirm it is not writable by
# the account it applies to.
206 attributetype ( 1.3.6.1.4.1.9586.100.4.2.12
208 DESC 'host name this account is allowed access to'
209 EQUALITY caseIgnoreIA5Match
210 SUBSTR caseIgnoreIA5SubstringsMatch
211 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
213 attributetype ( 1.3.6.1.4.1.9586.100.4.2.13
215 DESC 'JID for Jabber instant messaging protocol'
216 EQUALITY caseIgnoreIA5Match
217 SUBSTR caseIgnoreIA5SubstringsMatch
218 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
220 attributetype ( 1.3.6.1.4.1.9586.100.4.2.14
222 DESC 'nature of access allowed to server'
223 EQUALITY caseIgnoreMatch
224 SUBSTR caseIgnoreSubstringsMatch
225 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
227 attributetype ( 1.3.6.1.4.1.9586.100.4.2.15
229 DESC 'email address of server administrator'
230 EQUALITY caseIgnoreIA5Match
231 SUBSTR caseIgnoreIA5SubstringsMatch
232 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
234 attributetype ( 1.3.6.1.4.1.9586.100.4.2.16
236 DESC 'hardware architecture of server'
237 EQUALITY caseIgnoreIA5Match
238 SUBSTR caseIgnoreIA5SubstringsMatch
239 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
241 attributetype ( 1.3.6.1.4.1.9586.100.4.2.17
243 DESC 'type of network connection for server'
244 EQUALITY caseIgnoreMatch
245 SUBSTR caseIgnoreSubstringsMatch
246 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
248 attributetype ( 1.3.6.1.4.1.9586.100.4.2.18
250 DESC 'amount of disk space available to server'
251 EQUALITY caseIgnoreMatch
252 SUBSTR caseIgnoreSubstringsMatch
253 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} )
255 attributetype ( 1.3.6.1.4.1.9586.100.4.2.19
257 DESC 'host OS distribution'
258 EQUALITY caseIgnoreIA5Match
259 SUBSTR caseIgnoreIA5SubstringsMatch
260 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
262 #attributetype ( 1.3.6.1.4.1.9586.100.4.2.20
264 # DESC '(short) host name of server'
265 # EQUALITY caseIgnoreIA5Match
266 # SUBSTR caseIgnoreIA5SubstringsMatch
267 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SINGLE-VALUE )
269 attributetype ( 1.3.6.1.4.1.9586.100.4.2.21
271 DESC 'FQDN of the server'
272 EQUALITY caseIgnoreIA5Match
273 SUBSTR caseIgnoreIA5SubstringsMatch
274 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
276 attributetype ( 1.3.6.1.4.1.9586.100.4.2.22
278 DESC 'description of physical hardware'
279 EQUALITY caseIgnoreMatch
280 SUBSTR caseIgnoreSubstringsMatch
281 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE )
283 attributetype ( 1.3.6.1.4.1.9586.100.4.2.23
285 DESC 'amount of RAM available to server'
286 EQUALITY caseIgnoreMatch
287 SUBSTR caseIgnoreSubstringsMatch
288 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} )
290 attributetype ( 1.3.6.1.4.1.9586.100.4.2.24
292 DESC 'name of the sponsor of this server'
293 EQUALITY caseIgnoreMatch
294 SUBSTR caseIgnoreSubstringsMatch
295 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
297 attributetype ( 1.3.6.1.4.1.9586.100.4.2.25
299 DESC 'email address of sponsoring server administrator'
300 EQUALITY caseIgnoreIA5Match
301 SUBSTR caseIgnoreIA5SubstringsMatch
302 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
# SSH host public key in known_hosts line form; multi-valued Directory String.
# The NAME line is not part of this listing.
# NOTE(review): consumers presumably build known_hosts data from this, which
# would make it a trust anchor for host authentication - write access should
# be restricted to administrators (ACLs are not part of this file).
# NOTE(review): caseIgnoreMatch folds the case of the base64 key blob, so the
# directory cannot tell apart values that differ only in letter case; compare
# exact values in the consumer.
304 attributetype ( 1.3.6.1.4.1.9586.100.4.2.26
306 DESC 'textual form of an SSH public host key compatible with known_hosts'
307 EQUALITY caseIgnoreMatch
308 SUBSTR caseIgnoreSubstringsMatch
309 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
311 attributetype ( 1.3.6.1.4.1.9586.100.4.2.27
313 DESC 'administrative status of server'
314 EQUALITY caseIgnoreMatch
315 SUBSTR caseIgnoreSubstringsMatch
316 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
318 attributetype ( 1.3.6.1.4.1.9586.100.4.2.28
320 DESC 'The GECOS field; the common name'
321 EQUALITY caseIgnoreMatch
322 SUBSTR caseIgnoreSubstringsMatch
323 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
325 attributetype ( 1.3.6.1.4.1.9586.100.4.2.29
328 EQUALITY caseExactIA5Match
329 SUBSTR caseExactIA5SubstringsMatch
330 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
332 attributetype ( 1.3.6.1.4.1.9586.100.4.2.30
334 DESC 'ISO 5218 representation of human gender'
335 EQUALITY integerMatch
337 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27{1} )
# Date of birth, Numeric String syntax with an {8} length bound. The NAME line
# is not part of this listing.
# NOTE(review): Numeric String only restricts the value to digits and spaces;
# nothing here checks that it is a real YYYYMMDD date, so consumers must
# validate it.
# NOTE(review): personal data - read access should be limited by ACL, which
# is configured outside this file.
339 attributetype ( 1.3.6.1.4.1.9586.100.4.2.31
341 DESC 'Date of birth in YYYYMMDD format'
342 EQUALITY numericStringMatch
344 SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{8} )
346 attributetype ( 1.3.6.1.4.1.9586.100.4.2.32
347 NAME 'mailDisableMessage'
348 DESC 'Message returned when all mail is disabled'
349 EQUALITY caseIgnoreIA5Match
350 SUBSTR caseIgnoreIA5SubstringsMatch
351 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
353 attributetype ( 1.3.6.1.4.1.9586.100.4.2.33
355 DESC 'purposes of this server'
356 EQUALITY caseIgnoreMatch
357 SUBSTR caseIgnoreSubstringsMatch
358 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
360 attributetype ( 1.3.6.1.4.1.9586.100.4.2.34
362 DESC 'FQDN of the physical host of this virtual server'
363 EQUALITY caseIgnoreIA5Match
364 SUBSTR caseIgnoreIA5SubstringsMatch
366 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
368 attributetype ( 1.3.6.1.4.1.9586.100.4.2.35
370 DESC 'VoIP URL to communicate with that person'
371 EQUALITY caseIgnoreIA5Match
372 SUBSTR caseIgnoreIA5SubstringsMatch
373 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
375 attributetype ( 1.3.6.1.4.1.9586.100.4.2.36
378 EQUALITY octetStringMatch
379 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
# Names another group whose membership follows from membership of this group
# (nested groups); multi-valued IA5 string, case-insensitive matching. The
# NAME line is not part of this listing.
# NOTE(review): adding a value here extends every member's access to the named
# group, so write access to this attribute is equivalent to managing that
# group's membership. Consumers that expand it presumably need to guard
# against cycles - confirm.
381 attributetype ( 1.3.6.1.4.1.9586.100.4.2.37
383 DESC 'name of other group for which membership implied by memberschip to this group'
384 EQUALITY caseIgnoreIA5Match
385 SUBSTR caseIgnoreIA5SubstringsMatch
386 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
388 # more attributes below
# Groups whose members have access to a host (listed as 'allowedGroups' in the
# OID table at the top of this file); multi-valued IA5 string. The NAME line
# is not part of this listing.
# NOTE(review): authorization attribute - restrict writes to administrators
# (ACLs are not part of this file).
# Matching is case-exact here, unlike 'supplementaryGid' in this schema, which
# uses caseIgnoreMatch; group-name comparison in consumers should be
# case-exact regardless of which attribute the name came from.
389 attributetype ( 1.3.6.1.4.1.9586.100.4.2.39
391 DESC 'Groups that have access to a host'
392 EQUALITY caseExactIA5Match
393 SUBSTR caseExactIA5SubstringsMatch
394 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
396 attributetype ( 1.3.6.1.4.1.9586.100.4.2.40
398 DESC 'export options for servers'
399 EQUALITY caseIgnoreIA5Match
400 SUBSTR caseIgnoreIA5SubstringsMatch
401 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# Credential for web single sign-on, stored as an Octet String and compared
# byte-for-byte. The NAME line is not part of this listing.
# NOTE(review): the schema places no constraint on the stored form; presumably
# a salted hash is written here rather than the cleartext password - confirm.
# NOTE(review): read, search and compare access to this attribute should be
# denied to everyone except the authenticating service, via server ACLs that
# are outside this file.
403 attributetype ( 1.3.6.1.4.1.9586.100.4.2.43
405 DESC 'web password for SSO'
406 EQUALITY octetStringMatch
407 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
409 # Experimental attribute types
411 # There are existing schemas for doing DNS in LDAP; would one of
412 # these be better? c.f. draft-miller-dns-ldap-schema-00 (expired)
# Per-user DNS zone record, stored as an Octet String. The NAME line is not
# part of this listing.
# NOTE(review): SUBSTR names caseIgnoreSubstringsMatch, a Directory String
# rule, while SYNTAX and EQUALITY are Octet String; confirm the server accepts
# this pairing and that substring searches behave as intended.
# NOTE(review): the value is opaque to the directory, so whatever turns these
# entries into zone data presumably has to validate the record type and owner
# name itself - confirm.
413 attributetype ( 1.3.6.1.4.1.9586.100.4.4.2
415 DESC 'DNS zone record for user'
416 EQUALITY octetStringMatch
417 SUBSTR caseIgnoreSubstringsMatch
418 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
420 # rfc822mailbox (RFC1274) is recommended as a replacement for this in
# Address that mail for the account is forwarded to; single-valued IA5 string,
# case-insensitive matching. The NAME line is not part of this listing.
# NOTE(review): whoever can write this attribute can redirect the account's
# mail, so write access should be limited to the account owner and
# administrators (ACLs are not part of this file).
422 attributetype ( 1.3.6.1.4.1.9586.100.4.4.3
424 DESC 'forwarding address for email sent to this account'
425 EQUALITY caseIgnoreIA5Match
426 SUBSTR caseIgnoreIA5SubstringsMatch
427 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
429 # Network Associates also has a schema for PGP keys / key IDs which may
430 # or may not be applicable:
431 # http://www.openldap.org/lists/openldap-devel/200010/msg00071.html
# Key fingerprint for the account - presumably a PGP key fingerprint, going by
# the comment just above; multi-valued Directory String with case-insensitive
# matching. No DESC line appears in this listing.
# NOTE(review): this binds an account to a key; if consumers authenticate
# signed requests against it, write access must be administrator-only -
# confirm against the ACLs, which are not part of this file.
432 attributetype ( 1.3.6.1.4.1.9586.100.4.4.4
433 NAME 'keyFingerPrint'
434 EQUALITY caseIgnoreMatch
435 SUBSTR caseIgnoreSubstringsMatch
436 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
438 # Rather Debian-specific, not useful to the public.
439 attributetype ( 1.3.6.1.4.1.9586.100.4.4.5
441 DESC 'email subscription address for debian-private mailing list'
442 EQUALITY caseIgnoreIA5Match
443 SUBSTR caseIgnoreIA5SubstringsMatch
444 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
446 # Echelon attributes; re-evaluate later
447 attributetype ( 1.3.6.1.4.1.9586.100.4.4.6
448 NAME 'accountComment'
449 DESC 'additional comments regarding the account status'
450 EQUALITY caseIgnoreIA5Match
451 SUBSTR caseIgnoreIA5SubstringsMatch
452 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
454 attributetype ( 1.3.6.1.4.1.9586.100.4.4.7
456 DESC 'Debian developer account status'
457 EQUALITY caseIgnoreIA5Match
458 SUBSTR caseIgnoreIA5SubstringsMatch
459 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
461 # mail attributes; not public information
462 attributetype ( 1.3.6.1.4.1.9586.100.4.4.8
464 DESC 'Whether or not to require a successful callout attempt on email delivery'
465 EQUALITY booleanMatch
466 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
468 attributetype ( 1.3.6.1.4.1.9586.100.4.4.9
469 NAME 'mailGreylisting'
470 DESC 'Whether or not to perform greylisting on email delivery'
471 EQUALITY booleanMatch
472 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
474 attributetype ( 1.3.6.1.4.1.9586.100.4.4.11
476 DESC 'RBL sites to check at SMTP accept time'
477 EQUALITY caseIgnoreIA5Match
478 SUBSTR caseIgnoreIA5SubstringsMatch
479 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
481 attributetype ( 1.3.6.1.4.1.9586.100.4.4.12
483 DESC 'RHSBL sites to check at SMTP accept time'
484 EQUALITY caseIgnoreIA5Match
485 SUBSTR caseIgnoreIA5SubstringsMatch
486 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
488 attributetype ( 1.3.6.1.4.1.9586.100.4.4.13
490 DESC 'sites to whitelist from additional SMTP accept time checks'
491 EQUALITY caseIgnoreIA5Match
492 SUBSTR caseIgnoreIA5SubstringsMatch
493 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
# Token for BATV; single-valued Directory String with case-exact matching and
# no SUBSTR rule. The NAME line is not part of this listing.
# NOTE(review): presumably a per-account secret used to sign bounce addresses;
# if so, read access should be limited to the account and the mail system -
# confirm against the ACLs, which are not part of this file.
495 attributetype ( 1.3.6.1.4.1.9586.100.4.4.14
497 DESC 'Token for BATV'
498 EQUALITY caseExactMatch
499 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
501 attributetype ( 1.3.6.1.4.1.9586.100.4.4.15
502 NAME 'mailDefaultOptions'
503 DESC 'Whether or not to use a default set of anti-spam options'
504 EQUALITY booleanMatch
505 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
507 attributetype ( 1.3.6.1.4.1.9586.100.4.2.38
508 NAME 'mailContentInspectionAction'
509 DESC 'what to do on content inspection hits'
510 EQUALITY caseIgnoreIA5Match
511 SUBSTR caseIgnoreIA5SubstringsMatch
512 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
514 attributetype ( 1.3.6.1.4.1.9586.100.4.2.41
515 NAME ( 'sshdistAuthKeysHost' )
518 attributetype ( 1.3.6.1.4.1.9586.100.4.4.42
520 DESC 'DNS Time To Live value'
521 EQUALITY caseIgnoreIA5Match
522 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
524 # Public object classes
# Account object class with POSIX attributes. The NAME line is not part of
# this listing.
# Required: cn, uid, uidNumber, gidNumber. homeDirectory is optional here.
# NOTE(review): the MAY list carries three credential attributes
# (userPassword, sudoPassword, webPassword). The schema only allows them on
# the entry; their confidentiality depends entirely on per-attribute ACLs in
# the server configuration, which should be reviewed alongside this file.
526 objectclass ( 1.3.6.1.4.1.9586.100.4.1.1
528 DESC 'Abstraction of an account with POSIX attributes and UTF8 support'
530 MUST ( cn $ uid $ uidNumber $ gidNumber )
531 MAY ( userPassword $ loginShell $ gecos $ homeDirectory $ description $ mailDisableMessage $ sudoPassword $ webPassword ) )
533 objectclass ( 1.3.6.1.4.1.9586.100.4.1.2
536 DESC 'attributes used for Debian groups'
537 MUST ( gid $ gidNumber )
538 MAY ( cn $ description $ subGroup $ accountStatus ) )
540 # Experimental objectclasses:
542 objectclass ( 1.3.6.1.4.1.9586.100.4.3.1
543 NAME 'debianDeveloper'
544 DESC 'additional account attributes used by Debian'
546 MUST ( uid $ cn $ sn )
547 MAY ( accountComment $ accountStatus $ activity-from $
548 activity-pgp $ allowedHost $ comment $ countryName $
549 dnsZoneEntry $ emailForward $ icqUin $ ircNick $
550 jabberJID $ keyFingerPrint $ latitude $ longitude $ mn $
551 onVacation $ privateSub $ sshRSAAuthKey $ supplementaryGid $
552 access $ gender $ birthDate $ mailCallout $ mailGreylisting $
553 mailRBL $ mailRHSBL $ mailWhitelist $ VoIP $ mailContentInspectionAction $
554 bATVToken $ mailDefaultOptions
557 objectclass ( 1.3.6.1.4.1.9586.100.4.3.2
559 DESC 'Internet-connected server associated with Debian'
561 MUST ( host $ hostname )
562 MAY ( c $ access $ admin $ architecture $ bandwidth $ description $ disk $
563 distribution $ l $ machine $ memory $ sponsor $
564 sponsor-admin $ status $ physicalHost $ ipHostNumber $ dnsTTL $
565 sshRSAHostKey $ purpose $ allowedGroups $ exportOptions $ MXRecord $
569 objectclass ( 1.3.6.1.4.1.9586.100.4.3.3
570 NAME 'debianRoleAccount'
571 DESC 'Abstraction of an account with POSIX attributes and UTF8 support'
572 SUP account STRUCTURAL
573 MAY ( emailForward $ supplementaryGid $ allowedHost $ labeledURI $
574 mailCallout $ mailGreylisting $ mailRBL $ mailRHSBL $
575 mailWhitelist $ dnsZoneEntry $ mailContentInspectionAction $
576 bATVToken $ mailDefaultOptions $ sshRSAAuthKey