Merge branch 'master' of git+ssh://db.debian.org/git/userdir-ldap

[mirror/userdir-ldap.git] / userdir-ldap.schema

# Revision history:
#
#   - [PP] Now version controlled in db.d.o git repository, also see debian/changelog - 2009
#   - [PP] Now version controlled in db.d.o bzr repository - 2007-12-25
#
# long time ago:
#   - [HE] Add 'purpose', 'physicalHost' to debianServer - 2007-12-25
#   - [zobel] Add 'VoIP' - 2008-05-10
#   - [luk] Add 'subGroup' to group - 2008-11-22
#
# 0.7 [RM]
#   - Add 'gender' and 'birthDate' to debianDeveloper
#   - Add 'mailDisableMessage' to debianAccount
#   - Add 'mailDisableMessage', 'mailCallout', 'mailGreylisting', 'mailRBL',
#         'mailRHSBL', and 'mailWhitelist' to debianDeveloper and debianRoleAccount
# 
# 0.6 [JT]
#   - Add 'access' as a MAY for debianServer objectclass.
#   - Make activity-from a UTF-8 string rather than ASCII.
#   - add new debianRoleAccount objectclass.
#
# 0.5 [JT]
#   - Add 'access' as a MAY for debianDeveloper objectclass.
#   - Add 'gid' attribute.
#   - Make homeDirectory a MAY not MUST for debianAccount.
#   - drop userPassword and memberUID MAYs from debianGroup.
#   - add SUP top STRUCTURAL to debianGroup.
#
# 0.4
#   - add a UTF8-enabled 'gecos' attribute type, conflicts with RFC2307
#   - add debianAccount, which is roughly equivalent to posixAccount but
#     permits UTF8 gecos fields
#   - add debianGroup, which is the same as above but for posixGroup
#
# 0.3
#   - Remove labeledURI, jpegPhoto from the list of supported 
#     attributes; using inetOrgPerson instead of organizationalPerson as
#     a structural objectclass gives us both of these, and several other 
#     attributes that may be useful.
#   - Add echelon attributes for MIA work to the debiandeveloper
#     objectclass. (accountcomment,accountstatus)
#   - Add specification for debianServer objectclass, used for Debian 
#     server listings
#
# 0.2
#   - grammarfied 'allowedHosts' to 'allowedHost' as
#      1.3.6.1.4.1.9586.100.4.2.12.
#   - add 'privateSub' as 1.3.6.1.4.1.9586.100.4.4.5.
#   - add 'jabberJID' as 1.3.6.1.4.1.9586.100.4.2.13.
#   - change 'icqUIN' to an integer type (see? I told you it wasn't
#     approved for use yet! ;)
#
# 0.1
#   - initial revision
#
#
# Project: db.debian.org
# Contact: Debian directory administrators <admin@db.debian.org>
# Type:    X.500/LDAP
# Section: Project
#
# enterprise.Debian.project.userdir / 1.3.6.1.4.1.9586.100.4
#
# .1 - public LDAP objectClasses
#   .1 - debianAccount
#   .2 - debianGroup
#
# .2 - public LDAP attributeTypes
#   .1 - sshRSAAuthKey
#   .2 - activity-from
#   .3 - activity-pgp
#   .4 - comment
#   .5 - icqUin
#   .6 - ircNick
#   .7 - latitude
#   .8 - longitude
#   .9 - middlename (mn)
#   .10 - onVacation
#   .11 - supplementaryGid
#   .12 - allowedHost
#   .13 - jabberJID
#   .14 - access
#   .15 - admin
#   .16 - architecture
#   .17 - bandwidth
#   .18 - disk
#   .19 - distribution
#   .20 - host
#   .21 - hostname
#   .22 - machine
#   .23 - memory
#   .24 - sponsor
#   .25 - sponsor-admin
#   .26 - sshRSAHostKey
#   .27 - status
#   .28 - gecos
#   .29 - gid
#   .30 - gender
#   .31 - birthdate
#   .32 - mailDisableMessage
#   .33 - purpose
#   .34 - physicalHost
#   .35 - VoIP
#   .36 - sudoPassword
#   .37 - subGroup
#   .38 - mailContentInspectionAction
#   .39 - allowedGroups
#   .40 - exportOptions
#   .41 - sshdistAuthKeysHost
#   .42 - dnsTTL
#   .43 - webPassword
#   .44 - voipPassword
#
# .3 - experimental LDAP objectClasses
#   .1 - debianDeveloper
#   .2 - debianServer
#   .3 - debianRoleAccount
# 
# .4 - experimental LDAP attributeTypes
#   .1 - allowedHosts - OBSOLETED
#   .2 - dnsZoneEntry
#   .3 - emailForward
#   .4 - keyFingerPrint
#   .5 - privateSub
#   .6 - accountComment
#   .7 - accountStatus
#   .8 - perform callouts
#   .9 - perform greylisting
#   .11 - DNS RBL
#   .12 - RHS RBL
#   .13 - whitelist
#   .14 - bATVToken
#   .15 - mailDefaultOptions
#   .16 - mailPreserveSuffixSeparator

# Public attribute types
attributetype ( 1.3.6.1.4.1.9586.100.4.2.1 
        NAME 'sshRSAAuthKey'
        DESC 'textual form of an SSH public key compatible with authorized_keys'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.2
        NAME 'activity-from'
        DESC 'last known activity from user email address'
        EQUALITY caseExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.3
        NAME 'activity-pgp'
        DESC 'last known activity from user PGP key'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.4
        NAME 'comment'
        DESC 'user-editable comment'
        EQUALITY caseExactIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.5
        NAME 'icqUin'
        DESC 'UIN for ICQ instant messaging system'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.6
        NAME 'ircNick'
        DESC 'Internet Relay Chat nickname'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.7
        NAME 'latitude'
        DESC 'latitude coordinate'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.8
        NAME 'longitude'
        DESC 'longitude coordinate'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.9
        NAME ( 'mn' 'middlename' )
        SUP name )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.10
        NAME 'onVacation'
        DESC 'vacation message'   
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.11
        NAME 'supplementaryGid'
        DESC 'additional Unix group id of user'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.12
        NAME 'allowedHost'
        DESC 'host name this account is allowed access to'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.13
        NAME 'jabberJID'
        DESC 'JID for Jabber instant messaging protocol'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.14
        NAME 'access'
        DESC 'nature of access allowed to server'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.15
        NAME 'admin'
        DESC 'email address of server administrator'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.16
        NAME 'architecture'
        DESC 'hardware architecture of server'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.17
        NAME 'bandwidth'
        DESC 'type of network connection for server'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.18
        NAME 'disk'
        DESC 'amount of disk space available to server'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.19
        NAME 'distribution'
        DESC 'host OS distribution'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )

#attributetype ( 1.3.6.1.4.1.9586.100.4.2.20
#       NAME 'host'
#       DESC '(short) host name of server'
#       EQUALITY caseIgnoreIA5Match
#       SUBSTR caseIgnoreIA5SubstringsMatch
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.21
        NAME 'hostname'
        DESC 'FQDN of the server'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.22
        NAME 'machine'
        DESC 'description of physical hardware'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.23
        NAME 'memory'
        DESC 'amount of RAM available to server'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.24
        NAME 'sponsor'
        DESC 'name of the sponsor of this server'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.25
        NAME 'sponsor-admin'
        DESC 'email address of sponsoring server administrator'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.26
        NAME 'sshRSAHostKey'
        DESC 'textual form of an SSH public host key compatible with known_hosts'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.27
        NAME 'status'
        DESC 'administrative status of server'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.28
        NAME 'gecos'
        DESC 'The GECOS field; the common name'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.29
        NAME 'gid'
        DESC 'Group Name'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.30
        NAME 'gender'
        DESC 'ISO 5218 representation of human gender'
        EQUALITY integerMatch
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27{1} )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.31
        NAME 'birthDate'
        DESC 'Date of birth in YYYYMMDD format'
        EQUALITY numericStringMatch
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{8} )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.32
        NAME 'mailDisableMessage'
        DESC 'Message returned when all mail is disabled'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.33
        NAME 'purpose'
        DESC 'purposes of this server'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.34
        NAME 'physicalHost'
        DESC 'FQDN of the physical host of this virtual server'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.35
        NAME 'VoIP'
        DESC 'VoIP URL to communicate with that person'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.36
        NAME 'sudoPassword'
        DESC 'sudo password'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.37
        NAME 'subGroup'
        DESC 'name of other group for which membership implied by memberschip to this group'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# more attributes below
attributetype ( 1.3.6.1.4.1.9586.100.4.2.39
        NAME 'allowedGroups'
        DESC 'Groups that have access to a host'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.40
        NAME 'exportOptions'
        DESC 'export options for servers'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.43
        NAME 'webPassword'
        DESC 'web password for SSO'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.44
        NAME 'voipPassword'
        DESC 'password for voip.debian.org'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

# Experimental attribute types

# There are existing schemas for doing DNS in LDAP; would one of
# these be better?  c.f. draft-miller-dns-ldap-schema-00 (expired)
attributetype ( 1.3.6.1.4.1.9586.100.4.4.2
        NAME 'dnsZoneEntry'
        DESC 'DNS zone record for user'
        EQUALITY octetStringMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

# rfc822mailbox (RFC1274) is recommended as a replacement for this in
# general.
attributetype ( 1.3.6.1.4.1.9586.100.4.4.3
        NAME 'emailForward'
        DESC 'forwarding address for email sent to this account'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)

# Network Associates also has a schema for PGP keys / key IDs which may
# or may not be applicable:
# http://www.openldap.org/lists/openldap-devel/200010/msg00071.html
attributetype ( 1.3.6.1.4.1.9586.100.4.4.4 
        NAME 'keyFingerPrint'
        EQUALITY caseIgnoreMatch  
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.15 )

# Rather Debian-specific, not useful to the public.
attributetype ( 1.3.6.1.4.1.9586.100.4.4.5 
        NAME 'privateSub'
        DESC 'email subscription address for debian-private mailing list'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)

# Echelon attributes; re-evaluate later
attributetype ( 1.3.6.1.4.1.9586.100.4.4.6
        NAME 'accountComment'
        DESC 'additional comments regarding the account status'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.9586.100.4.4.7
        NAME 'accountStatus'
        DESC 'Debian developer account status'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

# mail attributes; not public information
attributetype ( 1.3.6.1.4.1.9586.100.4.4.8
        NAME 'mailCallout'
        DESC 'Whether or not to require a successful callout attempt on email delivery'
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9586.100.4.4.9
        NAME 'mailGreylisting'
        DESC 'Whether or not to perform greylisting on email delivery'
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9586.100.4.4.11
        NAME 'mailRBL'
        DESC 'RBL sites to check at SMTP accept time'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 1.3.6.1.4.1.9586.100.4.4.12
        NAME 'mailRHSBL'
        DESC 'RHSBL sites to check at SMTP accept time'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 1.3.6.1.4.1.9586.100.4.4.13
        NAME 'mailWhitelist'
        DESC 'sites to whitelist from additional SMTP accept time checks'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 1.3.6.1.4.1.9586.100.4.4.14
        NAME 'bATVToken'
        DESC 'Token for BATV'
        EQUALITY caseExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9586.100.4.4.15
        NAME 'mailDefaultOptions'
        DESC 'Whether or not to use a default set of anti-spam options'
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9586.100.4.4.16
        NAME 'mailPreserveSuffixSeparator'
        DESC 'suffix serparator'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1} )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.38
        NAME 'mailContentInspectionAction'
        DESC 'what to do on content inspection hits'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9586.100.4.2.41
        NAME ( 'sshdistAuthKeysHost' )
        SUP ipHostNumber )

attributetype ( 1.3.6.1.4.1.9586.100.4.4.42
        NAME 'dnsTTL'
        DESC 'DNS Time To Live value'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

# Public object classes

objectclass ( 1.3.6.1.4.1.9586.100.4.1.1
        NAME 'debianAccount'
        DESC 'Abstraction of an account with POSIX attributes and UTF8 support'
        SUP top AUXILIARY
        MUST ( cn $ uid $ uidNumber $ gidNumber )
        MAY ( userPassword $ loginShell $ gecos $ homeDirectory $ description $ mailDisableMessage $ sudoPassword $ webPassword $ voipPassword ) )

objectclass ( 1.3.6.1.4.1.9586.100.4.1.2
        NAME 'debianGroup'
        SUP top STRUCTURAL
        DESC 'attributes used for Debian groups'
        MUST ( gid $ gidNumber )
        MAY ( cn $ description $ subGroup $ accountStatus ) )

# Experimental objectclasses:

objectclass ( 1.3.6.1.4.1.9586.100.4.3.1
        NAME 'debianDeveloper'
        DESC 'additional account attributes used by Debian'
        SUP top AUXILIARY
        MUST ( uid $ cn $ sn )
        MAY ( accountComment $ accountStatus $ activity-from $
              activity-pgp $ allowedHost $ comment $ countryName $
              dnsZoneEntry $ emailForward $ icqUin $ ircNick $
              jabberJID $ keyFingerPrint $ latitude $ longitude $ mn $
              onVacation $ privateSub $ sshRSAAuthKey $ supplementaryGid $
              access $ gender $ birthDate $ mailCallout $ mailGreylisting $
              mailRBL $ mailRHSBL $ mailWhitelist $ VoIP $ mailContentInspectionAction $
              bATVToken $ mailDefaultOptions $ mailPreserveSuffixSeparator
        ) )

objectclass ( 1.3.6.1.4.1.9586.100.4.3.2
        NAME 'debianServer'
        DESC 'Internet-connected server associated with Debian'
        SUP top STRUCTURAL
        MUST ( host $ hostname )
        MAY ( c $ access $ admin $ architecture $ bandwidth $ description $ disk $
              distribution $ l $ machine $ memory $ sponsor $
              sponsor-admin $ status $ physicalHost $ ipHostNumber $ dnsTTL $
              sshRSAHostKey $ purpose $ allowedGroups $ exportOptions $ MXRecord $
              sshdistAuthKeysHost
        ) )

objectclass ( 1.3.6.1.4.1.9586.100.4.3.3
        NAME 'debianRoleAccount'
        DESC 'Abstraction of an account with POSIX attributes and UTF8 support'
        SUP account STRUCTURAL
        MAY ( emailForward $ supplementaryGid $ allowedHost $ labeledURI $
              mailCallout $ mailGreylisting $ mailRBL $ mailRHSBL $
              mailWhitelist $ dnsZoneEntry $ mailContentInspectionAction $
              bATVToken $ mailDefaultOptions $ sshRSAAuthKey $ mailPreserveSuffixSeparator
        ) )