3 # - [PP] Now version controlled in db.d.o git repository, also see debian/changelog - 2009
4 # - [PP] Now version controlled in db.d.o bzr repository - 2007-12-25
7 # - [HE] Add 'purpose', 'physicalHost' to debianServer - 2007-12-25
8 # - [zobel] Add 'VoIP' - 2008-05-10
9 # - [luk] Add 'subGroup' to group - 2008-11-22
12 # - Add 'gender' and 'birthDate' to debianDeveloper
13 # - Add 'mailDisableMessage' to debianAccount
14 # - Add 'mailDisableMessage', 'mailCallout', 'mailGreylisting', 'mailRBL',
15 # 'mailRHSBL', and 'mailWhitelist' to debianDeveloper and debianRoleAccount
18 # - Add 'access' as a MAY for debianServer objectclass.
19 # - Make activity-from a UTF-8 string rather than ASCII.
20 # - add new debianRoleAccount objectclass.
23 # - Add 'access' as a MAY for debianDeveloper objectclass.
24 # - Add 'gid' attribute.
25 # - Make homeDirectory a MAY not MUST for debianAccount.
26 # - drop userPassword and memberUID MAYs from debianGroup.
27 # - add SUP top STRUCTURAL to debianGroup.
30 # - add a UTF8-enabled 'gecos' attribute type, conflicts with RFC2307
31 # - add debianAccount, which is roughly equivalent to posixAccount but
32 # permits UTF8 gecos fields
33 # - add debianGroup, which is the same as above but for posixGroup
36 # - Remove labeledURI, jpegPhoto from the list of supported
37 # attributes; using inetOrgPerson instead of organizationalPerson as
38 # a structural objectclass gives us both of these, and several other
39 # attributes that may be useful.
40 # - Add echelon attributes for MIA work to the debiandeveloper
41 # objectclass. (accountcomment,accountstatus)
42 # - Add specification for debianServer objectclass, used for Debian
46 # - grammarfied 'allowedHosts' to 'allowedHost' as
47 # 1.3.6.1.4.1.9586.100.4.2.12.
48 # - add 'privateSub' as 1.3.6.1.4.1.9586.100.4.4.5.
49 # - add 'jabberJID' as 1.3.6.1.4.1.9586.100.4.2.13.
50 # - change 'icqUIN' to an integer type (see? I told you it wasn't
51 # approved for use yet! ;)
57 # Project: db.debian.org
58 # Contact: Debian directory administrators <admin@db.debian.org>
62 # enterprise.Debian.project.userdir / 1.3.6.1.4.1.9586.100.4
64 # .1 - public LDAP objectClasses
68 # .2 - public LDAP attributeTypes
77 # .9 - middlename (mn)
79 # .11 - supplementaryGid
100 # .32 - mailDisableMessage
106 # .38 - mailContentInspectionAction
108 # .3 - experimental LDAP objectClasses
109 # .1 - debianDeveloper
111 # .3 - debianRoleAccount
113 # .4 - experimental LDAP attributeTypes
114 # .1 - allowedHosts - OBSOLETED
117 # .4 - keyFingerPrint
119 # .6 - accountComment
121 # .8 - perform callouts
122 # .9 - perform greylisting
127 # Public attribute types
# NOTE(review): the NAME line of this definition is not present in this listing;
# going by the DESC this is presumably sshRSAAuthKey, which debianDeveloper
# lists in its MAY set.
# EQUALITY caseIgnoreMatch makes directory comparison case-insensitive, but the
# base64 body of an authorized_keys line is case-sensitive: two different keys
# that differ only in letter case compare as equal here. Tooling that
# deduplicates, audits or revokes keys should compare the exported value
# byte-for-byte rather than rely on LDAP matching.
# If values are copied verbatim into authorized_keys files (TODO confirm in the
# export tooling), write access to this attribute is equivalent to login
# access: limit it by ACL and validate the whole line, leading options included.
128 attributetype ( 1.3.6.1.4.1.9586.100.4.2.1
130 DESC 'textual form of an SSH public key compatible with authorized_keys'
131 EQUALITY caseIgnoreMatch
132 SUBSTR caseIgnoreSubstringsMatch
133 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
135 attributetype ( 1.3.6.1.4.1.9586.100.4.2.2
137 DESC 'last known activity from user email address'
138 EQUALITY caseExactMatch
139 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
141 attributetype ( 1.3.6.1.4.1.9586.100.4.2.3
143 DESC 'last known activity from user PGP key'
144 EQUALITY caseExactIA5Match
145 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
147 attributetype ( 1.3.6.1.4.1.9586.100.4.2.4
149 DESC 'user-editable comment'
150 EQUALITY caseExactIA5Match
151 SUBSTR caseIgnoreIA5SubstringsMatch
152 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
154 attributetype ( 1.3.6.1.4.1.9586.100.4.2.5
156 DESC 'UIN for ICQ instant messaging system'
157 EQUALITY integerMatch
158 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
160 attributetype ( 1.3.6.1.4.1.9586.100.4.2.6
162 DESC 'Internet Relay Chat nickname'
163 EQUALITY caseIgnoreIA5Match
164 SUBSTR caseIgnoreIA5SubstringsMatch
165 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
167 attributetype ( 1.3.6.1.4.1.9586.100.4.2.7
169 DESC 'latitude coordinate'
170 EQUALITY caseExactIA5Match
171 SUBSTR caseExactIA5SubstringsMatch
172 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
174 attributetype ( 1.3.6.1.4.1.9586.100.4.2.8
176 DESC 'longitude coordinate'
177 EQUALITY caseExactIA5Match
178 SUBSTR caseExactIA5SubstringsMatch
179 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
181 attributetype ( 1.3.6.1.4.1.9586.100.4.2.9
182 NAME ( 'mn' 'middlename' )
185 attributetype ( 1.3.6.1.4.1.9586.100.4.2.10
187 DESC 'vacation message'
188 EQUALITY caseIgnoreMatch
189 SUBSTR caseIgnoreSubstringsMatch
190 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
# supplementaryGid: extra Unix group for an account, multi-valued.
# NOTE(review): the syntax is a free-form Directory String (max 256), so the
# schema itself does not restrict values to existing groups or to numeric ids.
# Whatever turns these values into group membership on hosts should check them
# against the set of defined groups; write access should be admin-only, since a
# value here presumably grants group privileges (confirm against the consumer).
192 attributetype ( 1.3.6.1.4.1.9586.100.4.2.11
193 NAME 'supplementaryGid'
194 DESC 'additional Unix group id of user'
195 EQUALITY caseIgnoreMatch
196 SUBSTR caseIgnoreSubstringsMatch
197 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
# OID ...4.2.12 is 'allowedHost' per the changelog at the top of this file; the
# NAME line itself is not present in this listing.
# NOTE(review): this is authorization data (which hosts an account may use).
# The schema places no limit on who may write it or on what counts as a valid
# host name; both have to be enforced by slapd ACLs and by the tooling that
# consumes the value. Case-insensitive IA5 matching suits DNS host names.
199 attributetype ( 1.3.6.1.4.1.9586.100.4.2.12
201 DESC 'host name this account is allowed access to'
202 EQUALITY caseIgnoreIA5Match
203 SUBSTR caseIgnoreIA5SubstringsMatch
204 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
206 attributetype ( 1.3.6.1.4.1.9586.100.4.2.13
208 DESC 'JID for Jabber instant messaging protocol'
209 EQUALITY caseIgnoreIA5Match
210 SUBSTR caseIgnoreIA5SubstringsMatch
211 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
213 attributetype ( 1.3.6.1.4.1.9586.100.4.2.14
215 DESC 'nature of access allowed to server'
216 EQUALITY caseIgnoreMatch
217 SUBSTR caseIgnoreSubstringsMatch
218 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
220 attributetype ( 1.3.6.1.4.1.9586.100.4.2.15
222 DESC 'email address of server administrator'
223 EQUALITY caseIgnoreIA5Match
224 SUBSTR caseIgnoreIA5SubstringsMatch
225 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
227 attributetype ( 1.3.6.1.4.1.9586.100.4.2.16
229 DESC 'hardware architecture of server'
230 EQUALITY caseIgnoreIA5Match
231 SUBSTR caseIgnoreIA5SubstringsMatch
232 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
234 attributetype ( 1.3.6.1.4.1.9586.100.4.2.17
236 DESC 'type of network connection for server'
237 EQUALITY caseIgnoreMatch
238 SUBSTR caseIgnoreSubstringsMatch
239 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
241 attributetype ( 1.3.6.1.4.1.9586.100.4.2.18
243 DESC 'amount of disk space available to server'
244 EQUALITY caseIgnoreMatch
245 SUBSTR caseIgnoreSubstringsMatch
246 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} )
248 attributetype ( 1.3.6.1.4.1.9586.100.4.2.19
250 DESC 'host OS distribution'
251 EQUALITY caseIgnoreIA5Match
252 SUBSTR caseIgnoreIA5SubstringsMatch
253 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
255 #attributetype ( 1.3.6.1.4.1.9586.100.4.2.20
257 # DESC '(short) host name of server'
258 # EQUALITY caseIgnoreIA5Match
259 # SUBSTR caseIgnoreIA5SubstringsMatch
260 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SINGLE-VALUE )
262 attributetype ( 1.3.6.1.4.1.9586.100.4.2.21
264 DESC 'FQDN of the server'
265 EQUALITY caseIgnoreIA5Match
266 SUBSTR caseIgnoreIA5SubstringsMatch
267 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
269 attributetype ( 1.3.6.1.4.1.9586.100.4.2.22
271 DESC 'description of physical hardware'
272 EQUALITY caseIgnoreMatch
273 SUBSTR caseIgnoreSubstringsMatch
274 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE )
276 attributetype ( 1.3.6.1.4.1.9586.100.4.2.23
278 DESC 'amount of RAM available to server'
279 EQUALITY caseIgnoreMatch
280 SUBSTR caseIgnoreSubstringsMatch
281 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} )
283 attributetype ( 1.3.6.1.4.1.9586.100.4.2.24
285 DESC 'name of the sponsor of this server'
286 EQUALITY caseIgnoreMatch
287 SUBSTR caseIgnoreSubstringsMatch
288 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
290 attributetype ( 1.3.6.1.4.1.9586.100.4.2.25
292 DESC 'email address of sponsoring server administrator'
293 EQUALITY caseIgnoreIA5Match
294 SUBSTR caseIgnoreIA5SubstringsMatch
295 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
# NOTE(review): the NAME line is not present in this listing; going by the DESC
# this is presumably sshRSAHostKey, which debianServer lists in its MAY set.
# As with the user key attribute, caseIgnoreMatch compares case-insensitively
# while base64 key material is case-sensitive, so directory equality cannot be
# used to decide whether two host keys are the same key.
# If known_hosts files are generated from this value (TODO confirm), anyone who
# can modify it controls which host keys clients will trust; keep write access
# to server administrators and record changes.
297 attributetype ( 1.3.6.1.4.1.9586.100.4.2.26
299 DESC 'textual form of an SSH public host key compatible with known_hosts'
300 EQUALITY caseIgnoreMatch
301 SUBSTR caseIgnoreSubstringsMatch
302 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
304 attributetype ( 1.3.6.1.4.1.9586.100.4.2.27
306 DESC 'administrative status of server'
307 EQUALITY caseIgnoreMatch
308 SUBSTR caseIgnoreSubstringsMatch
309 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
311 attributetype ( 1.3.6.1.4.1.9586.100.4.2.28
313 DESC 'The GECOS field; the common name'
314 EQUALITY caseIgnoreMatch
315 SUBSTR caseIgnoreSubstringsMatch
316 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
318 attributetype ( 1.3.6.1.4.1.9586.100.4.2.29
321 EQUALITY caseExactIA5Match
322 SUBSTR caseExactIA5SubstringsMatch
323 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
325 attributetype ( 1.3.6.1.4.1.9586.100.4.2.30
327 DESC 'ISO 5218 representation of human gender'
328 EQUALITY integerMatch
330 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27{1} )
# Date of birth stored as an 8-character Numeric String (NAME line not present
# in this listing; presumably birthDate, which debianDeveloper lists).
# NOTE(review): the syntax only guarantees digits (and spaces) up to length 8;
# it does not check that the value is a real calendar date, so writers must
# validate. This is personal data that is often reused for identity checks:
# read access should be limited by ACL rather than left world-readable.
332 attributetype ( 1.3.6.1.4.1.9586.100.4.2.31
334 DESC 'Date of birth in YYYYMMDD format'
335 EQUALITY numericStringMatch
337 SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{8} )
339 attributetype ( 1.3.6.1.4.1.9586.100.4.2.32
340 NAME 'mailDisableMessage'
341 DESC 'Message returned when all mail is disabled'
342 EQUALITY caseIgnoreIA5Match
343 SUBSTR caseIgnoreIA5SubstringsMatch
344 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
346 attributetype ( 1.3.6.1.4.1.9586.100.4.2.33
348 DESC 'purposes of this server'
349 EQUALITY caseIgnoreMatch
350 SUBSTR caseIgnoreSubstringsMatch
351 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
353 attributetype ( 1.3.6.1.4.1.9586.100.4.2.34
355 DESC 'FQDN of the physical host of this virtual server'
356 EQUALITY caseIgnoreIA5Match
357 SUBSTR caseIgnoreIA5SubstringsMatch
359 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
361 attributetype ( 1.3.6.1.4.1.9586.100.4.2.35
363 DESC 'VoIP URL to communicate with that person'
364 EQUALITY caseIgnoreIA5Match
365 SUBSTR caseIgnoreIA5SubstringsMatch
366 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
368 attributetype ( 1.3.6.1.4.1.9586.100.4.2.36
371 EQUALITY octetStringMatch
372 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
374 attributetype ( 1.3.6.1.4.1.9586.100.4.2.37
376 DESC 'name of other group for which membership implied by memberschip to this group'
377 EQUALITY caseIgnoreIA5Match
378 SUBSTR caseIgnoreIA5SubstringsMatch
379 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
382 # Public object classes
# Account object class with POSIX-style attributes (NAME and SUP lines are not
# present in this listing; presumably debianAccount, per the changelog).
# NOTE(review): the MAY set carries two credential attributes, userPassword and
# sudoPassword. An object class cannot restrict who reads an attribute, so
# confidentiality of both depends entirely on slapd access control (no read for
# anonymous or other users; compare/auth only where needed) and on the
# connection being encrypted. Verify the ACLs cover sudoPassword explicitly:
# rules written for userPassword alone would not protect it.
384 objectclass ( 1.3.6.1.4.1.9586.100.4.1.1
386 DESC 'Abstraction of an account with POSIX attributes and UTF8 support'
388 MUST ( cn $ uid $ uidNumber $ gidNumber )
389 MAY ( userPassword $ loginShell $ gecos $ homeDirectory $ description $ mailDisableMessage $ sudoPassword ) )
391 objectclass ( 1.3.6.1.4.1.9586.100.4.1.2
394 DESC 'attributes used for Debian groups'
395 MUST ( gid $ gidNumber )
396 MAY ( description $ subGroup ) )
398 # Experimental attribute types
400 # There are existing schemas for doing DNS in LDAP; would one of
401 # these be better? c.f. draft-miller-dns-ldap-schema-00 (expired)
# Per-user DNS record (NAME line not present in this listing; presumably
# dnsZoneEntry, which debianDeveloper and debianRoleAccount list).
# NOTE(review): the matching rules are inconsistent. SYNTAX ...1.40 is Octet
# String and EQUALITY is octetStringMatch, but SUBSTR caseIgnoreSubstringsMatch
# is defined for Directory String values; a server may reject the definition or
# ignore the SUBSTR rule (confirm against the slapd version in use).
# Values are opaque bytes to the directory, so nothing here checks that an
# entry is a well-formed record or stays inside the owner's own names. If zone
# files are generated from this attribute (TODO confirm), that generator has to
# validate record type, owner name and target before publishing.
402 attributetype ( 1.3.6.1.4.1.9586.100.4.4.2
404 DESC 'DNS zone record for user'
405 EQUALITY octetStringMatch
406 SUBSTR caseIgnoreSubstringsMatch
407 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
409 # rfc822mailbox (RFC1274) is recommended as a replacement for this in
# Single-valued forwarding address for mail sent to the account (NAME line not
# present in this listing; presumably emailForward).
# NOTE(review): changing this value redirects the account's incoming mail, so
# write access should be limited to the account owner and administrators, and
# changes are worth logging. The IA5 String syntax does not check that the
# value is a syntactically valid mailbox; the mail system must do that.
411 attributetype ( 1.3.6.1.4.1.9586.100.4.4.3
413 DESC 'forwarding address for email sent to this account'
414 EQUALITY caseIgnoreIA5Match
415 SUBSTR caseIgnoreIA5SubstringsMatch
416 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
418 # Network Associates also has a schema for PGP keys / key IDs which may
419 # or may not be applicable:
420 # http://www.openldap.org/lists/openldap-devel/200010/msg00071.html
# keyFingerPrint: multi-valued Directory String with case-insensitive matching
# and no DESC. Case-insensitive comparison suits hex fingerprints.
# NOTE(review): the syntax has no length bound or format check, so a short key
# id or arbitrary text is accepted as readily as a full fingerprint. If this
# attribute is what ties an OpenPGP key to an account (presumably; confirm in
# the consuming tools), writers should accept only full-length fingerprints and
# write access should be restricted to administrators.
421 attributetype ( 1.3.6.1.4.1.9586.100.4.4.4
422 NAME 'keyFingerPrint'
423 EQUALITY caseIgnoreMatch
424 SUBSTR caseIgnoreSubstringsMatch
425 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
427 # Rather Debian-specific, not useful to the public.
428 attributetype ( 1.3.6.1.4.1.9586.100.4.4.5
430 DESC 'email subscription address for debian-private mailing list'
431 EQUALITY caseIgnoreIA5Match
432 SUBSTR caseIgnoreIA5SubstringsMatch
433 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
435 # Echelon attributes; re-evaluate later
436 attributetype ( 1.3.6.1.4.1.9586.100.4.4.6
437 NAME 'accountComment'
438 DESC 'additional comments regarding the account status'
439 EQUALITY caseIgnoreIA5Match
440 SUBSTR caseIgnoreIA5SubstringsMatch
441 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
443 attributetype ( 1.3.6.1.4.1.9586.100.4.4.7
445 DESC 'Debian developer account status'
446 EQUALITY caseIgnoreIA5Match
447 SUBSTR caseIgnoreIA5SubstringsMatch
448 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
450 # mail attributes; not public information
# NOTE(review): "not public" is a statement of intent only. Nothing in a schema
# definition limits read access, so these attributes stay private only if the
# slapd ACLs deny them to anonymous and unrelated authenticated binds. Verify
# the ACL list names each of the mail* attributes defined below.
# Boolean, single-valued flag (NAME line not present in this listing; the OID
# table at the top of the file describes ...4.4.8 as "perform callouts").
451 attributetype ( 1.3.6.1.4.1.9586.100.4.4.8
453 DESC 'Whether or not to require a successful callout attempt on email delivery'
454 EQUALITY booleanMatch
455 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
457 attributetype ( 1.3.6.1.4.1.9586.100.4.4.9
458 NAME 'mailGreylisting'
459 DESC 'Whether or not to perform greylisting on email delivery'
460 EQUALITY booleanMatch
461 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
463 attributetype ( 1.3.6.1.4.1.9586.100.4.4.11
465 DESC 'RBL sites to check at SMTP accept time'
466 EQUALITY caseIgnoreIA5Match
467 SUBSTR caseIgnoreIA5SubstringsMatch
468 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
470 attributetype ( 1.3.6.1.4.1.9586.100.4.4.12
472 DESC 'RHSBL sites to check at SMTP accept time'
473 EQUALITY caseIgnoreIA5Match
474 SUBSTR caseIgnoreIA5SubstringsMatch
475 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
477 attributetype ( 1.3.6.1.4.1.9586.100.4.4.13
479 DESC 'sites to whitelist from additional SMTP accept time checks'
480 EQUALITY caseIgnoreIA5Match
481 SUBSTR caseIgnoreIA5SubstringsMatch
482 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
# mailContentInspectionAction: action to take when content inspection matches.
# NOTE(review): this definition sits among the experimental ...4.4.x mail
# attributes but its OID is ...4.2.38, in the arc the header documents as
# "public LDAP attributeTypes". Access rules should therefore be keyed on the
# attribute name, not inferred from the OID arc. Allowed values are not
# constrained by the schema (IA5 String, max 256); the mail system must treat
# unknown values safely.
484 attributetype ( 1.3.6.1.4.1.9586.100.4.2.38
485 NAME 'mailContentInspectionAction'
486 DESC 'what to do on content inspection hits'
487 EQUALITY caseIgnoreIA5Match
488 SUBSTR caseIgnoreIA5SubstringsMatch
489 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
492 # Experimental objectclasses:
# debianDeveloper: per-person attributes layered on an account entry. The SUP
# line and the closing of the MAY list are not present in this listing.
# NOTE(review): the MAY set mixes directory-style profile data (ircNick,
# jabberJID, latitude/longitude) with attributes that affect authentication or
# authorization (sshRSAAuthKey, keyFingerPrint, allowedHost, supplementaryGid),
# mail routing (emailForward, mail*) and personal data (birthDate, gender,
# privateSub). Because everything is optional on one class, protection has to
# be per attribute in the slapd ACLs: separate rules for who may read and who
# may write each group, rather than one rule for the whole entry.
494 objectclass ( 1.3.6.1.4.1.9586.100.4.3.1
495 NAME 'debianDeveloper'
496 DESC 'additional account attributes used by Debian'
498 MUST ( uid $ cn $ sn )
499 MAY ( accountComment $ accountStatus $ activity-from $
500 activity-pgp $ allowedHost $ comment $ countryName $
501 dnsZoneEntry $ emailForward $ icqUin $ ircNick $
502 jabberJID $ keyFingerPrint $ latitude $ longitude $ mn $
503 onVacation $ privateSub $ sshRSAAuthKey $ supplementaryGid $
504 access $ gender $ birthDate $ mailCallout $ mailGreylisting $
505 mailRBL $ mailRHSBL $ mailWhitelist $ VoIP $ mailContentInspectionAction
508 objectclass ( 1.3.6.1.4.1.9586.100.4.3.2
510 DESC 'Internet-connected server associated with Debian'
512 MUST ( host $ hostname )
513 MAY ( c $ access $ admin $ architecture $ bandwidth $ description $ disk $
514 distribution $ l $ machine $ memory $ sponsor $
515 sponsor-admin $ sshRSAHostKey $ status $ purpose $ physicalHost
518 objectclass ( 1.3.6.1.4.1.9586.100.4.3.3
519 NAME 'debianRoleAccount'
520 DESC 'Abstraction of an account with POSIX attributes and UTF8 support'
521 SUP account STRUCTURAL
522 MAY ( emailForward $ supplementaryGid $ allowedHost $ labeledURI $
523 mailCallout $ mailGreylisting $ mailRBL $ mailRHSBL $
524 mailWhitelist $ dnsZoneEntry $ mailContentInspectionAction