summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--confskel/Makefile.am5
-rw-r--r--confskel/heimdal/heimdal.defaults2
-rw-r--r--confskel/heimdal/kdc.conf16
-rw-r--r--confskel/heimdal/krb5.conf13
-rw-r--r--confskel/openldap/ldap/slapd.defaults64
-rw-r--r--confskel/openldap/ldif/config.ldif41
-rw-r--r--confskel/openldap/ldif/moduleConfig.ldif16
-rw-r--r--confskel/openldap/ldif/olcConfig.ldif18
-rw-r--r--confskel/openldap/ldif/schema.ldif812
-rw-r--r--confskel/openldap/skel.ldif2
-rw-r--r--confskel/sasl/saslauthd.defaults54
-rw-r--r--confskel/sasl/slapd.conf4
-rw-r--r--debian/control2
-rw-r--r--src/ldapcontroller.cpp402
-rw-r--r--src/ldapcontroller.h8
-rw-r--r--src/realmwizard.cpp3
16 files changed, 1403 insertions, 59 deletions
diff --git a/confskel/Makefile.am b/confskel/Makefile.am
index a865f16..c97578a 100644
--- a/confskel/Makefile.am
+++ b/confskel/Makefile.am
@@ -10,4 +10,7 @@ ldapconfskeldir = $(ldapskeldir)/ldap
ldapconfskel_DATA = openldap/ldap/*
ldapldifskeldir = $(ldapskeldir)/ldif
-ldapldifskel_DATA = openldap/ldif/* \ No newline at end of file
+ldapldifskel_DATA = openldap/ldif/*
+
+saslskeldir = $(confskeldir)/sasl
+saslskel_DATA = sasl/* \ No newline at end of file
diff --git a/confskel/heimdal/heimdal.defaults b/confskel/heimdal/heimdal.defaults
index 616f509..ce60dd5 100644
--- a/confskel/heimdal/heimdal.defaults
+++ b/confskel/heimdal/heimdal.defaults
@@ -2,7 +2,7 @@
START="yes"
KDC_ENABLED="yes"
-KDC_PARAMS=""
+KDC_PARAMS="--config-file=/etc/heimdal-kdc/kdc.conf"
KPASSWDD_ENABLED="yes"
KPASSWDD_PARAMS=""
diff --git a/confskel/heimdal/kdc.conf b/confskel/heimdal/kdc.conf
index 62d6fb3..96f3a8d 100644
--- a/confskel/heimdal/kdc.conf
+++ b/confskel/heimdal/kdc.conf
@@ -1,8 +1,12 @@
[kdc]
-logging = FILE:/var/log/heimdal-kdc.log
-enable-pkinit = yes
-pki-identity = FILE:/etc/trinity/ldap/tde-ca/public/@@@KDCSERVER@@@.pki.crt,/etc/trinity/ldap/tde-ca/private/@@@KDCSERVER@@@.pki.key
-pki-anchors = FILE:/etc/trinity/ldap/tde-ca/anchors/tdeca.pem
-pki-allow-proxy-certificate = false
-acl_file = /etc/heimdal-kdc/kadmind.acl
+ logging = FILE:/var/log/heimdal-kdc.log
+ enable-pkinit = yes
+ pkinit_identity = FILE:/etc/trinity/ldap/tde-ca/public/@@@KDCSERVER@@@.pki.crt,/etc/trinity/ldap/tde-ca/private/@@@KDCSERVER@@@.pki.key
+ pkinit_anchors = FILE:/etc/trinity/ldap/tde-ca/anchors/tdeca.pem
+ pkinit_allow-proxy-certificate = false
+ acl_file = /etc/heimdal-kdc/kadmind.acl
+ database = {
+ dbname = ldap:@@@REALM_DCNAME@@@
+ acl_file = /etc/heimdal-kdc/kadmind.acl
+ } \ No newline at end of file
diff --git a/confskel/heimdal/krb5.conf b/confskel/heimdal/krb5.conf
index 9185177..e76a90f 100644
--- a/confskel/heimdal/krb5.conf
+++ b/confskel/heimdal/krb5.conf
@@ -1,8 +1,6 @@
[libdefaults]
ticket_lifetime = 86400
default_realm = @@@REALM_UCNAME@@@
- default_etypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
- default_etypes_des = des3-hmac-sha1 des-cbc-crc des-cbc-md5
[appdefaults]
pkinit_anchors = FILE:/etc/trinity/ldap/tde-ca/anchors/tdeca.pem
@@ -21,17 +19,6 @@
@@@REALM_LCNAME@@@ = @@@REALM_UCNAME@@@
.@@@REALM_LCNAME@@@ = @@@REALM_UCNAME@@@
-[kdc]
- enable-pkinit = yes
- pkinit_identity = FILE:/etc/trinity/ldap/tde-ca/public/@@@KDCSERVER@@@.pki.crt,/etc/trinity/ldap/tde-ca/private/@@@KDCSERVER@@@.pki.key
- pkinit_anchors = FILE:/etc/trinity/ldap/tde-ca/anchors/tdeca.pem
- pkinit_allow-proxy-certificate = false
-
- database = {
- dbname = ldap:@@@REALM_DCNAME@@@
- acl_file = /etc/heimdal-kdc/kadmind.acl
- }
-
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
diff --git a/confskel/openldap/ldap/slapd.defaults b/confskel/openldap/ldap/slapd.defaults
index 91ddb31..60ab088 100644
--- a/confskel/openldap/ldap/slapd.defaults
+++ b/confskel/openldap/ldap/slapd.defaults
@@ -1,25 +1,45 @@
-###
-# Enable the daemon.
-###
-START="yes"
-
-###
-# Keytab
-###
-export KRB5_KTNAME=/etc/ldap/ldap.keytab
-
-###
-# Services
-###
+# Default location of the slapd.conf file or slapd.d cn=config directory. If
+# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
+# /etc/ldap/slapd.conf).
+SLAPD_CONF="/etc/ldap/slapd.d"
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="@@@LDAP_USER_NAME@@@"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="@@@LDAP_GROUP_NAME@@@"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
-###
-# Additional Options
-# @todo: pass user & group for service.
-###
-SLAPD_OPTIONS=""
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work). Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
-###
-# SLAPD Configuration
-###
-SLAPD_CONF="/etc/ldap/slapd.d"
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work). Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab). To use a different keytab file,
+# uncomment this line and change the path.
+export KRB5_KTNAME=@@@LDAP_KEYTAB_FILE@@@
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
diff --git a/confskel/openldap/ldif/config.ldif b/confskel/openldap/ldif/config.ldif
new file mode 100644
index 0000000..9e05b86
--- /dev/null
+++ b/confskel/openldap/ldif/config.ldif
@@ -0,0 +1,41 @@
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcConfigFile: /etc/ldap/slapd.conf
+olcConfigDir: /tmp/ldap
+olcArgsFile: /var/run/slapd/slapd.args
+olcAttributeOptions: lang-
+olcAuthzPolicy: none
+olcAuthzRegexp: uid=([^,]+),cn=@@@REALM_LCNAME@@@,cn=gssapi,cn=auth uid=$1,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@
+olcConcurrency: 0
+olcConnMaxPending: 100
+olcConnMaxPendingAuth: 1000
+olcGentleHUP: FALSE
+olcIdleTimeout: 0
+olcIndexSubstrIfMaxLen: 4
+olcIndexSubstrIfMinLen: 2
+olcIndexSubstrAnyLen: 4
+olcIndexSubstrAnyStep: 2
+olcIndexIntLen: 4
+olcLocalSSF: 71
+olcLogLevel: Stats
+olcPidFile: /var/run/slapd/slapd.pid
+olcReadOnly: FALSE
+olcReverseLookup: FALSE
+olcSaslHost: @@@ADMINSERVER@@@
+olcSaslRealm: @@@REALM_UCNAME@@@
+olcSaslSecProps: noplain,noanonymous
+olcSockbufMaxIncoming: 262143
+olcSockbufMaxIncomingAuth: 16777215
+olcThreads: 16
+#olcTLSCertificateFile: /etc/trinity/ldap/tde-ca/public/@@@ADMINSERVER@@@.crt
+#olcTLSCertificateKeyFile: /etc/trinity/ldap/tde-ca/private/@@@ADMINSERVER@@@.key
+olcTLSVerifyClient: never
+olcToolThreads: 1
+olcWriteTimeout: 0
+structuralObjectClass: olcGlobal
+creatorsName: cn=config
+createTimestamp: @@@TIMESTAMP@@@Z
+entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000
+modifiersName: cn=config
+modifyTimestamp: @@@TIMESTAMP@@@Z
diff --git a/confskel/openldap/ldif/moduleConfig.ldif b/confskel/openldap/ldif/moduleConfig.ldif
new file mode 100644
index 0000000..e4d9bb0
--- /dev/null
+++ b/confskel/openldap/ldif/moduleConfig.ldif
@@ -0,0 +1,16 @@
+dn: cn=module{0}
+objectClass: olcModuleList
+cn: module{0}
+olcModulePath: /usr/lib/ldap
+olcModuleLoad: {0}back_hdb
+olcModuleLoad: {1}syncprov
+olcModuleLoad: {2}back_monitor
+olcModuleLoad: {3}auditlog
+olcModuleLoad: {4}unique
+olcModuleLoad: {5}ppolicy
+structuralObjectClass: olcModuleList
+creatorsName: cn=config
+createTimestamp: @@@TIMESTAMP@@@Z
+entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000
+modifiersName: cn=config
+modifyTimestamp: @@@TIMESTAMP@@@Z
diff --git a/confskel/openldap/ldif/olcConfig.ldif b/confskel/openldap/ldif/olcConfig.ldif
new file mode 100644
index 0000000..86d5267
--- /dev/null
+++ b/confskel/openldap/ldif/olcConfig.ldif
@@ -0,0 +1,18 @@
+dn: olcDatabase={0}config
+objectClass: olcDatabaseConfig
+olcDatabase: {0}config
+olcAccess: {0}to * by * none
+olcAddContentAcl: TRUE
+olcLastMod: TRUE
+olcMaxDerefDepth: 15
+olcReadOnly: FALSE
+olcRootDN: cn=config
+olcRootPW: {SHA}@@@ROOTPW_SHA@@@
+olcSyncUseSubentry: FALSE
+olcMonitoring: FALSE
+structuralObjectClass: olcDatabaseConfig
+creatorsName: cn=config
+createTimestamp: @@@TIMESTAMP@@@Z
+entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000
+modifiersName: cn=config
+modifyTimestamp: @@@TIMESTAMP@@@Z
diff --git a/confskel/openldap/ldif/schema.ldif b/confskel/openldap/ldif/schema.ldif
new file mode 100644
index 0000000..b8a7529
--- /dev/null
+++ b/confskel/openldap/ldif/schema.ldif
@@ -0,0 +1,812 @@
+dn: cn=schema
+objectClass: olcSchemaConfig
+cn: schema
+olcObjectIdentifier: OLcfg 1.3.6.1.4.1.4203.1.12.2
+olcObjectIdentifier: OLcfgAt OLcfg:3
+olcObjectIdentifier: OLcfgGlAt OLcfgAt:0
+olcObjectIdentifier: OLcfgBkAt OLcfgAt:1
+olcObjectIdentifier: OLcfgDbAt OLcfgAt:2
+olcObjectIdentifier: OLcfgOvAt OLcfgAt:3
+olcObjectIdentifier: OLcfgCtAt OLcfgAt:4
+olcObjectIdentifier: OLcfgOc OLcfg:4
+olcObjectIdentifier: OLcfgGlOc OLcfgOc:0
+olcObjectIdentifier: OLcfgBkOc OLcfgOc:1
+olcObjectIdentifier: OLcfgDbOc OLcfgOc:2
+olcObjectIdentifier: OLcfgOvOc OLcfgOc:3
+olcObjectIdentifier: OLcfgCtOc OLcfgOc:4
+olcObjectIdentifier: OMsyn 1.3.6.1.4.1.1466.115.121.1
+olcObjectIdentifier: OMsBoolean OMsyn:7
+olcObjectIdentifier: OMsDN OMsyn:12
+olcObjectIdentifier: OMsDirectoryString OMsyn:15
+olcObjectIdentifier: OMsIA5String OMsyn:26
+olcObjectIdentifier: OMsInteger OMsyn:27
+olcObjectIdentifier: OMsOID OMsyn:38
+olcObjectIdentifier: OMsOctetString OMsyn:40
+olcObjectIdentifier: olmAttributes 1.3.6.1.4.1.4203.666.1.55
+olcObjectIdentifier: olmSubSystemAttributes olmAttributes:0
+olcObjectIdentifier: olmGenericAttributes olmSubSystemAttributes:0
+olcObjectIdentifier: olmDatabaseAttributes olmSubSystemAttributes:1
+olcObjectIdentifier: olmObjectClasses 1.3.6.1.4.1.4203.666.3.16
+olcObjectIdentifier: olmSubSystemObjectClasses olmObjectClasses:0
+olcObjectIdentifier: olmGenericObjectClasses olmSubSystemObjectClasses:0
+olcObjectIdentifier: olmDatabaseObjectClasses olmSubSystemObjectClasses:1
+olcObjectIdentifier: olmBDBAttributes olmDatabaseAttributes:1
+olcObjectIdentifier: olmBDBObjectClasses olmDatabaseObjectClasses:1
+olcAttributeTypes: ( 2.5.4.0 NAME 'objectClass' DESC 'RFC4512: object classes
+ of the entity' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121
+ .1.38 )
+olcAttributeTypes: ( 2.5.21.9 NAME 'structuralObjectClass' DESC 'RFC4512: stru
+ ctural object class of entry' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4
+ .1.1466.115.121.1.38 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperati
+ on )
+olcAttributeTypes: ( 2.5.18.1 NAME 'createTimestamp' DESC 'RFC4512: time which
+ object was created' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOr
+ deringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFIC
+ ATION USAGE directoryOperation )
+olcAttributeTypes: ( 2.5.18.2 NAME 'modifyTimestamp' DESC 'RFC4512: time which
+ object was last modified' EQUALITY generalizedTimeMatch ORDERING generalized
+ TimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-M
+ ODIFICATION USAGE directoryOperation )
+olcAttributeTypes: ( 2.5.18.3 NAME 'creatorsName' DESC 'RFC4512: name of creat
+ or' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SING
+ LE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
+olcAttributeTypes: ( 2.5.18.4 NAME 'modifiersName' DESC 'RFC4512: name of last
+ modifier' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.
+ 12 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
+olcAttributeTypes: ( 2.5.18.9 NAME 'hasSubordinates' DESC 'X.501: entry has ch
+ ildren' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALU
+ E NO-USER-MODIFICATION USAGE directoryOperation )
+olcAttributeTypes: ( 2.5.18.10 NAME 'subschemaSubentry' DESC 'RFC4512: name of
+ controlling subschema entry' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.
+ 4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperat
+ ion )
+olcAttributeTypes: ( 1.3.6.1.1.20 NAME 'entryDN' DESC 'DN of the entry' EQUALI
+ TY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE N
+ O-USER-MODIFICATION USAGE directoryOperation )
+olcAttributeTypes: ( 1.3.6.1.1.16.4 NAME 'entryUUID' DESC 'UUID of the entry'
+ EQUALITY UUIDMatch ORDERING UUIDOrderingMatch SYNTAX 1.3.6.1.1.16.1 SINGLE-VA
+ LUE NO-USER-MODIFICATION USAGE directoryOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.7 NAME 'entryCSN' DESC 'change seq
+ uence number of the entry content' EQUALITY CSNMatch ORDERING CSNOrderingMatc
+ h SYNTAX 1.3.6.1.4.1.4203.666.11.2.1{64} SINGLE-VALUE NO-USER-MODIFICATION US
+ AGE directoryOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.13 NAME 'namingCSN' DESC 'change s
+ equence number of the entry naming (RDN)' EQUALITY CSNMatch ORDERING CSNOrder
+ ingMatch SYNTAX 1.3.6.1.4.1.4203.666.11.2.1{64} SINGLE-VALUE NO-USER-MODIFICA
+ TION USAGE directoryOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.23 NAME 'syncreplCookie' DESC 'syn
+ crepl Cookie for shadow copy' EQUALITY octetStringMatch ORDERING octetStringO
+ rderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE NO-USER-MODIFI
+ CATION USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.25 NAME 'contextCSN' DESC 'the lar
+ gest committed CSN of a context' EQUALITY CSNMatch ORDERING CSNOrderingMatch
+ SYNTAX 1.3.6.1.4.1.4203.666.11.2.1{64} NO-USER-MODIFICATION USAGE dSAOperatio
+ n )
+olcAttributeTypes: ( 1.3.6.1.4.1.1466.101.120.6 NAME 'altServer' DESC 'RFC4512
+ : alternative servers' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 USAGE dSAOperatio
+ n )
+olcAttributeTypes: ( 1.3.6.1.4.1.1466.101.120.5 NAME 'namingContexts' DESC 'RF
+ C4512: naming contexts' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 USAGE dSAOperati
+ on )
+olcAttributeTypes: ( 1.3.6.1.4.1.1466.101.120.13 NAME 'supportedControl' DESC
+ 'RFC4512: supported controls' SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAO
+ peration )
+olcAttributeTypes: ( 1.3.6.1.4.1.1466.101.120.7 NAME 'supportedExtension' DESC
+ 'RFC4512: supported extended operations' SYNTAX 1.3.6.1.4.1.1466.115.121.1.3
+ 8 USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.1466.101.120.15 NAME 'supportedLDAPVersion' D
+ ESC 'RFC4512: supported LDAP versions' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 U
+ SAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.1466.101.120.14 NAME 'supportedSASLMechanisms
+ ' DESC 'RFC4512: supported SASL mechanisms' SYNTAX 1.3.6.1.4.1.1466.115.121.1
+ .15 USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.1.3.5 NAME 'supportedFeatures' DESC 'RFC
+ 4512: features supported by the server' EQUALITY objectIdentifierMatch SYNTAX
+ 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.10 NAME 'monitorContext' DESC 'mon
+ itor context' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121
+ .1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.1.12.2.1 NAME 'configContext' DESC 'conf
+ ig context' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
+ .12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.1.4 NAME 'vendorName' DESC 'RFC3045: name of impl
+ ementation vendor' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.
+ 15 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.1.5 NAME 'vendorVersion' DESC 'RFC3045: version o
+ f implementation' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1
+ 5 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )
+olcAttributeTypes: ( 2.5.18.5 NAME 'administrativeRole' DESC 'RFC3672: adminis
+ trative role' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
+ 1.38 USAGE directoryOperation )
+olcAttributeTypes: ( 2.5.18.6 NAME 'subtreeSpecification' DESC 'RFC3672: subtr
+ ee specification' SYNTAX 1.3.6.1.4.1.1466.115.121.1.45 SINGLE-VALUE USAGE dir
+ ectoryOperation )
+olcAttributeTypes: ( 2.5.21.1 NAME 'dITStructureRules' DESC 'RFC4512: DIT stru
+ cture rules' EQUALITY integerFirstComponentMatch SYNTAX 1.3.6.1.4.1.1466.115.
+ 121.1.17 USAGE directoryOperation )
+olcAttributeTypes: ( 2.5.21.2 NAME 'dITContentRules' DESC 'RFC4512: DIT conten
+ t rules' EQUALITY objectIdentifierFirstComponentMatch SYNTAX 1.3.6.1.4.1.1466
+ .115.121.1.16 USAGE directoryOperation )
+olcAttributeTypes: ( 2.5.21.4 NAME 'matchingRules' DESC 'RFC4512: matching rul
+ es' EQUALITY objectIdentifierFirstComponentMatch SYNTAX 1.3.6.1.4.1.1466.115.
+ 121.1.30 USAGE directoryOperation )
+olcAttributeTypes: ( 2.5.21.5 NAME 'attributeTypes' DESC 'RFC4512: attribute t
+ ypes' EQUALITY objectIdentifierFirstComponentMatch SYNTAX 1.3.6.1.4.1.1466.11
+ 5.121.1.3 USAGE directoryOperation )
+olcAttributeTypes: ( 2.5.21.6 NAME 'objectClasses' DESC 'RFC4512: object class
+ es' EQUALITY objectIdentifierFirstComponentMatch SYNTAX 1.3.6.1.4.1.1466.115.
+ 121.1.37 USAGE directoryOperation )
+olcAttributeTypes: ( 2.5.21.7 NAME 'nameForms' DESC 'RFC4512: name forms ' EQU
+ ALITY objectIdentifierFirstComponentMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.3
+ 5 USAGE directoryOperation )
+olcAttributeTypes: ( 2.5.21.8 NAME 'matchingRuleUse' DESC 'RFC4512: matching r
+ ule uses' EQUALITY objectIdentifierFirstComponentMatch SYNTAX 1.3.6.1.4.1.146
+ 6.115.121.1.31 USAGE directoryOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.1466.101.120.16 NAME 'ldapSyntaxes' DESC 'RFC
+ 4512: LDAP syntaxes' EQUALITY objectIdentifierFirstComponentMatch SYNTAX 1.3.
+ 6.1.4.1.1466.115.121.1.54 USAGE directoryOperation )
+olcAttributeTypes: ( 2.5.4.1 NAME ( 'aliasedObjectName' 'aliasedEntryName' ) D
+ ESC 'RFC4512: name of aliased object' EQUALITY distinguishedNameMatch SYNTAX
+ 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113730.3.1.34 NAME 'ref' DESC 'RFC3296: subord
+ inate referral URL' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
+ .15 USAGE distributedOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.1.3.1 NAME 'entry' DESC 'OpenLDAP ACL en
+ try pseudo-attribute' SYNTAX 1.3.6.1.4.1.4203.1.1.1 SINGLE-VALUE NO-USER-MODI
+ FICATION USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.1.3.2 NAME 'children' DESC 'OpenLDAP ACL
+ children pseudo-attribute' SYNTAX 1.3.6.1.4.1.4203.1.1.1 SINGLE-VALUE NO-USE
+ R-MODIFICATION USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.8 NAME ( 'authzTo' 'saslAuthzTo' )
+ DESC 'proxy authorization targets' EQUALITY authzMatch SYNTAX 1.3.6.1.4.1.42
+ 03.666.2.7 USAGE distributedOperation X-ORDERED 'VALUES' )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.9 NAME ( 'authzFrom' 'saslAuthzFro
+ m' ) DESC 'proxy authorization sources' EQUALITY authzMatch SYNTAX 1.3.6.1.4.
+ 1.4203.666.2.7 USAGE distributedOperation X-ORDERED 'VALUES' )
+olcAttributeTypes: ( 1.3.6.1.4.1.1466.101.119.3 NAME 'entryTtl' DESC 'RFC2589:
+ entry time-to-live' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE NO-USE
+ R-MODIFICATION USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.1466.101.119.4 NAME 'dynamicSubtrees' DESC 'R
+ FC2589: dynamic subtrees' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 NO-USER-MODIFI
+ CATION USAGE dSAOperation )
+olcAttributeTypes: ( 2.5.4.49 NAME 'distinguishedName' DESC 'RFC4519: common s
+ upertype of DN attributes' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1
+ .1466.115.121.1.12 )
+olcAttributeTypes: ( 2.5.4.41 NAME 'name' DESC 'RFC4519: common supertype of n
+ ame attributes' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYN
+ TAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
+olcAttributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) DESC 'RFC4519: common
+ name(s) for which the entity is known by' SUP name )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) DESC 'R
+ FC4519: user identifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstrings
+ Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.0 NAME 'uidNumber' DESC 'RFC2307: An intege
+ r uniquely identifying a user in an administrative domain' EQUALITY integerMa
+ tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.1 NAME 'gidNumber' DESC 'RFC2307: An intege
+ r uniquely identifying a group in an administrative domain' EQUALITY integerM
+ atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.5.4.35 NAME 'userPassword' DESC 'RFC4519/2307: password
+ of user' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128}
+ )
+olcAttributeTypes: ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI' DESC 'RFC2079: Uni
+ form Resource Identifier with optional label' EQUALITY caseExactMatch SYNTAX
+ 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 2.5.4.13 NAME 'description' DESC 'RFC4519: descriptive in
+ formation' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1
+ .3.6.1.4.1.1466.115.121.1.15{1024} )
+olcAttributeTypes: ( 2.5.4.34 NAME 'seeAlso' DESC 'RFC4519: DN of related obje
+ ct' SUP distinguishedName )
+olcAttributeTypes: ( OLcfgGlAt:78 NAME 'olcConfigFile' DESC 'File for slapd co
+ nfiguration directives' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString SI
+ NGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:79 NAME 'olcConfigDir' DESC 'Directory for slap
+ d configuration backend' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString S
+ INGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:1 NAME 'olcAccess' DESC 'Access Control List' E
+ QUALITY caseIgnoreMatch SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )
+olcAttributeTypes: ( OLcfgGlAt:86 NAME 'olcAddContentAcl' DESC 'Check ACLs aga
+ inst content of Add ops' SYNTAX OMsBoolean SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:2 NAME 'olcAllows' DESC 'Allowed set of depreca
+ ted features' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString )
+olcAttributeTypes: ( OLcfgGlAt:3 NAME 'olcArgsFile' DESC 'File for slapd comma
+ nd line options' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString SINGLE-VA
+ LUE )
+olcAttributeTypes: ( OLcfgGlAt:5 NAME 'olcAttributeOptions' EQUALITY caseIgnor
+ eMatch SYNTAX OMsDirectoryString )
+olcAttributeTypes: ( OLcfgGlAt:4 NAME 'olcAttributeTypes' DESC 'OpenLDAP attri
+ buteTypes' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString X-ORDERED 'VALU
+ ES' )
+olcAttributeTypes: ( OLcfgGlAt:6 NAME 'olcAuthIDRewrite' EQUALITY caseIgnoreMa
+ tch SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )
+olcAttributeTypes: ( OLcfgGlAt:7 NAME 'olcAuthzPolicy' EQUALITY caseIgnoreMatc
+ h SYNTAX OMsDirectoryString SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:8 NAME 'olcAuthzRegexp' EQUALITY caseIgnoreMatc
+ h SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )
+olcAttributeTypes: ( OLcfgGlAt:9 NAME 'olcBackend' DESC 'A type of backend' EQ
+ UALITY caseIgnoreMatch SYNTAX OMsDirectoryString SINGLE-VALUE X-ORDERED 'SIBL
+ INGS' )
+olcAttributeTypes: ( OLcfgGlAt:10 NAME 'olcConcurrency' SYNTAX OMsInteger SING
+ LE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:11 NAME 'olcConnMaxPending' SYNTAX OMsInteger S
+ INGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:12 NAME 'olcConnMaxPendingAuth' SYNTAX OMsInteg
+ er SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:13 NAME 'olcDatabase' DESC 'The backend type fo
+ r a database instance' SUP olcBackend SINGLE-VALUE X-ORDERED 'SIBLINGS' )
+olcAttributeTypes: ( OLcfgGlAt:14 NAME 'olcDefaultSearchBase' SYNTAX OMsDN SIN
+ GLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:15 NAME 'olcDisallows' EQUALITY caseIgnoreMatch
+ SYNTAX OMsDirectoryString )
+olcAttributeTypes: ( OLcfgGlAt:16 NAME 'olcDitContentRules' DESC 'OpenLDAP DIT
+ content rules' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString X-ORDERED
+ 'VALUES' )
+olcAttributeTypes: ( OLcfgGlAt:17 NAME 'olcGentleHUP' SYNTAX OMsBoolean SINGLE
+ -VALUE )
+olcAttributeTypes: ( OLcfgDbAt:0.17 NAME 'olcHidden' SYNTAX OMsBoolean SINGLE-
+ VALUE )
+olcAttributeTypes: ( OLcfgGlAt:18 NAME 'olcIdleTimeout' SYNTAX OMsInteger SING
+ LE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:19 NAME 'olcInclude' SUP labeledURI )
+olcAttributeTypes: ( OLcfgGlAt:20 NAME 'olcIndexSubstrIfMinLen' SYNTAX OMsInte
+ ger SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:21 NAME 'olcIndexSubstrIfMaxLen' SYNTAX OMsInte
+ ger SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:22 NAME 'olcIndexSubstrAnyLen' SYNTAX OMsIntege
+ r SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:23 NAME 'olcIndexSubstrAnyStep' SYNTAX OMsInteg
+ er SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:84 NAME 'olcIndexIntLen' SYNTAX OMsInteger SING
+ LE-VALUE )
+olcAttributeTypes: ( OLcfgDbAt:0.4 NAME 'olcLastMod' SYNTAX OMsBoolean SINGLE-
+ VALUE )
+olcAttributeTypes: ( OLcfgGlAt:85 NAME 'olcLdapSyntaxes' DESC 'OpenLDAP ldapSy
+ ntax' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )
+olcAttributeTypes: ( OLcfgDbAt:0.5 NAME 'olcLimits' EQUALITY caseIgnoreMatch S
+ YNTAX OMsDirectoryString X-ORDERED 'VALUES' )
+olcAttributeTypes: ( OLcfgGlAt:26 NAME 'olcLocalSSF' SYNTAX OMsInteger SINGLE-
+ VALUE )
+olcAttributeTypes: ( OLcfgGlAt:27 NAME 'olcLogFile' SYNTAX OMsDirectoryString
+ SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:28 NAME 'olcLogLevel' EQUALITY caseIgnoreMatch
+ SYNTAX OMsDirectoryString )
+olcAttributeTypes: ( OLcfgDbAt:0.6 NAME 'olcMaxDerefDepth' SYNTAX OMsInteger S
+ INGLE-VALUE )
+olcAttributeTypes: ( OLcfgDbAt:0.16 NAME 'olcMirrorMode' SYNTAX OMsBoolean SIN
+ GLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:30 NAME 'olcModuleLoad' EQUALITY caseIgnoreMatc
+ h SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )
+olcAttributeTypes: ( OLcfgGlAt:31 NAME 'olcModulePath' SYNTAX OMsDirectoryStri
+ ng SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgDbAt:0.18 NAME 'olcMonitoring' SYNTAX OMsBoolean SIN
+ GLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:32 NAME 'olcObjectClasses' DESC 'OpenLDAP objec
+ t classes' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString X-ORDERED 'VALU
+ ES' )
+olcAttributeTypes: ( OLcfgGlAt:33 NAME 'olcObjectIdentifier' EQUALITY caseIgno
+ reMatch SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )
+olcAttributeTypes: ( OLcfgGlAt:34 NAME 'olcOverlay' SUP olcDatabase SINGLE-VAL
+ UE X-ORDERED 'SIBLINGS' )
+olcAttributeTypes: ( OLcfgGlAt:35 NAME 'olcPasswordCryptSaltFormat' SYNTAX OMs
+ DirectoryString SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:36 NAME 'olcPasswordHash' EQUALITY caseIgnoreMa
+ tch SYNTAX OMsDirectoryString )
+olcAttributeTypes: ( OLcfgGlAt:37 NAME 'olcPidFile' SYNTAX OMsDirectoryString
+ SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:38 NAME 'olcPlugin' EQUALITY caseIgnoreMatch SY
+ NTAX OMsDirectoryString )
+olcAttributeTypes: ( OLcfgGlAt:39 NAME 'olcPluginLogFile' SYNTAX OMsDirectoryS
+ tring SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:40 NAME 'olcReadOnly' SYNTAX OMsBoolean SINGLE-
+ VALUE )
+olcAttributeTypes: ( OLcfgGlAt:41 NAME 'olcReferral' SUP labeledURI SINGLE-VAL
+ UE )
+olcAttributeTypes: ( OLcfgDbAt:0.7 NAME 'olcReplica' SUP labeledURI EQUALITY c
+ aseIgnoreMatch X-ORDERED 'VALUES' )
+olcAttributeTypes: ( OLcfgGlAt:43 NAME 'olcReplicaArgsFile' SYNTAX OMsDirector
+ yString SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:44 NAME 'olcReplicaPidFile' SYNTAX OMsDirectory
+ String SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:45 NAME 'olcReplicationInterval' SYNTAX OMsInte
+ ger SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:46 NAME 'olcReplogFile' SYNTAX OMsDirectoryStri
+ ng SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:47 NAME 'olcRequires' EQUALITY caseIgnoreMatch
+ SYNTAX OMsDirectoryString )
+olcAttributeTypes: ( OLcfgGlAt:48 NAME 'olcRestrict' EQUALITY caseIgnoreMatch
+ SYNTAX OMsDirectoryString )
+olcAttributeTypes: ( OLcfgGlAt:49 NAME 'olcReverseLookup' SYNTAX OMsBoolean SI
+ NGLE-VALUE )
+olcAttributeTypes: ( OLcfgDbAt:0.8 NAME 'olcRootDN' EQUALITY distinguishedName
+ Match SYNTAX OMsDN SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:51 NAME 'olcRootDSE' EQUALITY caseIgnoreMatch S
+ YNTAX OMsDirectoryString )
+olcAttributeTypes: ( OLcfgDbAt:0.9 NAME 'olcRootPW' SYNTAX OMsDirectoryString
+ SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:89 NAME 'olcSaslAuxprops' SYNTAX OMsDirectorySt
+ ring SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:53 NAME 'olcSaslHost' SYNTAX OMsDirectoryString
+ SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:54 NAME 'olcSaslRealm' SYNTAX OMsDirectoryStrin
+ g SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:56 NAME 'olcSaslSecProps' SYNTAX OMsDirectorySt
+ ring SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:58 NAME 'olcSchemaDN' EQUALITY distinguishedNam
+ eMatch SYNTAX OMsDN SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:59 NAME 'olcSecurity' EQUALITY caseIgnoreMatch
+ SYNTAX OMsDirectoryString )
+olcAttributeTypes: ( OLcfgGlAt:81 NAME 'olcServerID' EQUALITY caseIgnoreMatch
+ SYNTAX OMsDirectoryString )
+olcAttributeTypes: ( OLcfgGlAt:60 NAME 'olcSizeLimit' SYNTAX OMsDirectoryStrin
+ g SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:61 NAME 'olcSockbufMaxIncoming' SYNTAX OMsInteg
+ er SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:62 NAME 'olcSockbufMaxIncomingAuth' SYNTAX OMsI
+ nteger SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:83 NAME 'olcSortVals' DESC 'Attributes whose va
+ lues will always be sorted' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryStrin
+ g )
+olcAttributeTypes: ( OLcfgDbAt:0.15 NAME 'olcSubordinate' SYNTAX OMsDirectoryS
+ tring SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgDbAt:0.10 NAME 'olcSuffix' EQUALITY distinguishedNam
+ eMatch SYNTAX OMsDN )
+olcAttributeTypes: ( OLcfgDbAt:0.19 NAME 'olcSyncUseSubentry' DESC 'Store sync
+ context in a subentry' SYNTAX OMsBoolean SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgDbAt:0.11 NAME 'olcSyncrepl' EQUALITY caseIgnoreMatc
+ h SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )
+olcAttributeTypes: ( OLcfgGlAt:90 NAME 'olcTCPBuffer' DESC 'Custom TCP buffer
+ size' SYNTAX OMsDirectoryString )
+olcAttributeTypes: ( OLcfgGlAt:66 NAME 'olcThreads' SYNTAX OMsInteger SINGLE-V
+ ALUE )
+olcAttributeTypes: ( OLcfgGlAt:67 NAME 'olcTimeLimit' SYNTAX OMsDirectoryStrin
+ g )
+olcAttributeTypes: ( OLcfgGlAt:68 NAME 'olcTLSCACertificateFile' SYNTAX OMsDir
+ ectoryString SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:69 NAME 'olcTLSCACertificatePath' SYNTAX OMsDir
+ ectoryString SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:70 NAME 'olcTLSCertificateFile' SYNTAX OMsDirec
+ toryString SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:71 NAME 'olcTLSCertificateKeyFile' SYNTAX OMsDi
+ rectoryString SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:72 NAME 'olcTLSCipherSuite' SYNTAX OMsDirectory
+ String SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:73 NAME 'olcTLSCRLCheck' SYNTAX OMsDirectoryStr
+ ing SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:82 NAME 'olcTLSCRLFile' SYNTAX OMsDirectoryStri
+ ng SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:74 NAME 'olcTLSRandFile' SYNTAX OMsDirectoryStr
+ ing SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:75 NAME 'olcTLSVerifyClient' SYNTAX OMsDirector
+ yString SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' SYNTAX OMsDirectory
+ String SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:87 NAME 'olcTLSProtocolMin' SYNTAX OMsDirectory
+ String SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgGlAt:80 NAME 'olcToolThreads' SYNTAX OMsInteger SING
+ LE-VALUE )
+olcAttributeTypes: ( OLcfgDbAt:0.12 NAME 'olcUpdateDN' SYNTAX OMsDN SINGLE-VAL
+ UE )
+olcAttributeTypes: ( OLcfgDbAt:0.13 NAME 'olcUpdateRef' SUP labeledURI EQUALIT
+ Y caseIgnoreMatch )
+olcAttributeTypes: ( OLcfgGlAt:88 NAME 'olcWriteTimeout' SYNTAX OMsInteger SIN
+ GLE-VALUE )
+olcAttributeTypes: ( OLcfgDbAt:0.1 NAME 'olcDbDirectory' DESC 'Directory for d
+ atabase content' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString SINGLE-VA
+ LUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.5 NAME 'OpenLDAPaci' DESC 'OpenLDA
+ P access control information (experimental)' EQUALITY OpenLDAPaciMatch SYNTAX
+ 1.3.6.1.4.1.4203.666.2.1 USAGE directoryOperation )
+olcAttributeTypes: ( OLcfgDbAt:1.11 NAME 'olcDbCacheFree' DESC 'Number of extr
+ a entries to free when max is reached' SYNTAX OMsInteger SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgDbAt:1.1 NAME 'olcDbCacheSize' DESC 'Entry cache siz
+ e in entries' SYNTAX OMsInteger SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgDbAt:1.2 NAME 'olcDbCheckpoint' DESC 'Database check
+ point interval in kbytes and minutes' SYNTAX OMsDirectoryString SINGLE-VALUE
+ )
+olcAttributeTypes: ( OLcfgDbAt:1.16 NAME 'olcDbChecksum' DESC 'Enable database
+ checksum validation' SYNTAX OMsBoolean SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgDbAt:1.13 NAME 'olcDbCryptFile' DESC 'Pathname of fi
+ le containing the DB encryption key' SYNTAX OMsDirectoryString SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgDbAt:1.14 NAME 'olcDbCryptKey' DESC 'DB encryption k
+ ey' SYNTAX OMsOctetString SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgDbAt:1.3 NAME 'olcDbConfig' DESC 'BerkeleyDB DB_CONF
+ IG configuration directives' SYNTAX OMsIA5String X-ORDERED 'VALUES' )
+olcAttributeTypes: ( OLcfgDbAt:1.4 NAME 'olcDbNoSync' DESC 'Disable synchronou
+ s database writes' SYNTAX OMsBoolean SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgDbAt:1.15 NAME 'olcDbPageSize' DESC 'Page size of sp
+ ecified DB, in Kbytes' EQUALITY caseExactMatch SYNTAX OMsDirectoryString )
+olcAttributeTypes: ( OLcfgDbAt:1.5 NAME 'olcDbDirtyRead' DESC 'Allow reads of
+ uncommitted data' SYNTAX OMsBoolean SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgDbAt:1.12 NAME 'olcDbDNcacheSize' DESC 'DN cache siz
+ e' SYNTAX OMsInteger SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgDbAt:1.6 NAME 'olcDbIDLcacheSize' DESC 'IDL cache si
+ ze in IDLs' SYNTAX OMsInteger SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgDbAt:0.2 NAME 'olcDbIndex' DESC 'Attribute index par
+ ameters' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString )
+olcAttributeTypes: ( OLcfgDbAt:1.7 NAME 'olcDbLinearIndex' DESC 'Index attribu
+ tes one at a time' SYNTAX OMsBoolean SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgDbAt:1.8 NAME 'olcDbLockDetect' DESC 'Deadlock detec
+ tion algorithm' SYNTAX OMsDirectoryString SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgDbAt:0.3 NAME 'olcDbMode' DESC 'Unix permissions of
+ database files' SYNTAX OMsDirectoryString SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgDbAt:1.9 NAME 'olcDbSearchStack' DESC 'Depth of sear
+ ch stack in IDLs' SYNTAX OMsInteger SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgDbAt:1.10 NAME 'olcDbShmKey' DESC 'Key for shared me
+ mory region' SYNTAX OMsInteger SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgOvAt:1.1 NAME 'olcSpCheckpoint' DESC 'ContextCSN che
+ ckpoint interval in ops and minutes' SYNTAX OMsDirectoryString SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgOvAt:1.2 NAME 'olcSpSessionlog' DESC 'Session log si
+ ze in ops' SYNTAX OMsInteger SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgOvAt:1.3 NAME 'olcSpNoPresent' DESC 'Omit Present ph
+ ase processing' SYNTAX OMsBoolean SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgOvAt:1.4 NAME 'olcSpReloadHint' DESC 'Observe Reload
+ Hint in Request control' SYNTAX OMsBoolean SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.1 NAME 'monitoredInfo' DESC 'mo
+ nitored info' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTA
+ X 1.3.6.1.4.1.1466.115.121.1.15{32768} NO-USER-MODIFICATION USAGE dSAOperatio
+ n )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.2 NAME 'managedInfo' DESC 'moni
+ tor managed info' SUP name )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.3 NAME 'monitorCounter' DESC 'm
+ onitor counter' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.
+ 3.6.1.4.1.1466.115.121.1.27 NO-USER-MODIFICATION USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.4 NAME 'monitorOpCompleted' DES
+ C 'monitor completed operations' SUP monitorCounter NO-USER-MODIFICATION USAG
+ E dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.5 NAME 'monitorOpInitiated' DES
+ C 'monitor initiated operations' SUP monitorCounter NO-USER-MODIFICATION USAG
+ E dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.6 NAME 'monitorConnectionNumber
+ ' DESC 'monitor connection number' SUP monitorCounter NO-USER-MODIFICATION US
+ AGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.7 NAME 'monitorConnectionAuthzD
+ N' DESC 'monitor connection authorization DN' EQUALITY distinguishedNameMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 NO-USER-MODIFICATION USAGE dSAOperation
+ )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.8 NAME 'monitorConnectionLocalA
+ ddress' DESC 'monitor connection local address' SUP monitoredInfo NO-USER-MOD
+ IFICATION USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.9 NAME 'monitorConnectionPeerAd
+ dress' DESC 'monitor connection peer address' SUP monitoredInfo NO-USER-MODIF
+ ICATION USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.10 NAME 'monitorTimestamp' DESC
+ 'monitor timestamp' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOr
+ deringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFIC
+ ATION USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.11 NAME 'monitorOverlay' DESC '
+ name of overlays defined for a given database' SUP monitoredInfo NO-USER-MODI
+ FICATION USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.12 NAME 'readOnly' DESC 'read/w
+ rite status of a given database' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.146
+ 6.115.121.1.7 SINGLE-VALUE USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.13 NAME 'restrictedOperation' D
+ ESC 'name of restricted operation for a given database' SUP managedInfo )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.14 NAME 'monitorConnectionProto
+ col' DESC 'monitor connection protocol' SUP monitoredInfo NO-USER-MODIFICATIO
+ N USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.15 NAME 'monitorConnectionOpsRe
+ ceived' DESC 'monitor number of operations received by the connection' SUP mo
+ nitorCounter NO-USER-MODIFICATION USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.16 NAME 'monitorConnectionOpsEx
+ ecuting' DESC 'monitor number of operations in execution within the connectio
+ n' SUP monitorCounter NO-USER-MODIFICATION USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.17 NAME 'monitorConnectionOpsPe
+ nding' DESC 'monitor number of pending operations within the connection' SUP
+ monitorCounter NO-USER-MODIFICATION USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.18 NAME 'monitorConnectionOpsCo
+ mpleted' DESC 'monitor number of operations completed within the connection'
+ SUP monitorCounter NO-USER-MODIFICATION USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.19 NAME 'monitorConnectionGet'
+ DESC 'number of times connection_get() was called so far' SUP monitorCounter
+ NO-USER-MODIFICATION USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.20 NAME 'monitorConnectionRead'
+ DESC 'number of times connection_read() was called so far' SUP monitorCounte
+ r NO-USER-MODIFICATION USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.21 NAME 'monitorConnectionWrite
+ ' DESC 'number of times connection_write() was called so far' SUP monitorCoun
+ ter NO-USER-MODIFICATION USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.22 NAME 'monitorConnectionMask'
+ DESC 'monitor connection mask' SUP monitoredInfo NO-USER-MODIFICATION USAGE
+ dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.23 NAME 'monitorConnectionListe
+ ner' DESC 'monitor connection listener' SUP monitoredInfo NO-USER-MODIFICATIO
+ N USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.24 NAME 'monitorConnectionPeerD
+ omain' DESC 'monitor connection peer domain' SUP monitoredInfo NO-USER-MODIFI
+ CATION USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.25 NAME 'monitorConnectionStart
+ Time' DESC 'monitor connection start time' SUP monitorTimestamp SINGLE-VALUE
+ NO-USER-MODIFICATION USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.26 NAME 'monitorConnectionActiv
+ ityTime' DESC 'monitor connection activity time' SUP monitorTimestamp SINGLE-
+ VALUE NO-USER-MODIFICATION USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.27 NAME 'monitorIsShadow' DESC
+ 'TRUE if the database is shadow' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.146
+ 6.115.121.1.7 SINGLE-VALUE USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.28 NAME 'monitorUpdateRef' DESC
+ 'update referral for shadow databases' SUP monitoredInfo SINGLE-VALUE USAGE
+ dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.29 NAME 'monitorRuntimeConfig'
+ DESC 'TRUE if component allows runtime configuration' EQUALITY booleanMatch S
+ YNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE USAGE dSAOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.30 NAME 'monitorSuperiorDN' DES
+ C 'monitor superior DN' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.14
+ 66.115.121.1.12 NO-USER-MODIFICATION USAGE dSAOperation )
+olcAttributeTypes: ( OLcfgOvAt:15.1 NAME 'olcAuditlogFile' DESC 'Filename for
+ auditlogging' SYNTAX OMsDirectoryString )
+olcAttributeTypes: ( OLcfgOvAt:10.1 NAME 'olcUniqueBase' DESC 'Subtree for uni
+ queness searches' EQUALITY distinguishedNameMatch SYNTAX OMsDN SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgOvAt:10.2 NAME 'olcUniqueIgnore' DESC 'Attributes fo
+ r which uniqueness shall not be enforced' EQUALITY caseIgnoreMatch ORDERING c
+ aseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX OMsDirectorySt
+ ring )
+olcAttributeTypes: ( OLcfgOvAt:10.3 NAME 'olcUniqueAttribute' DESC 'Attributes
+ for which uniqueness shall be enforced' EQUALITY caseIgnoreMatch ORDERING ca
+ seIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX OMsDirectoryStr
+ ing )
+olcAttributeTypes: ( OLcfgOvAt:10.4 NAME 'olcUniqueStrict' DESC 'Enforce uniqu
+ eness of null values' EQUALITY booleanMatch SYNTAX OMsBoolean SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgOvAt:10.5 NAME 'olcUniqueURI' DESC 'List of keywords
+ and LDAP URIs for a uniqueness domain' EQUALITY caseExactMatch ORDERING case
+ ExactOrderingMatch SUBSTR caseExactSubstringsMatch SYNTAX OMsDirectoryString
+ )
+olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.16 NAME 'pwdChangedTime' DESC 'Th
+ e time the password was last changed' EQUALITY generalizedTimeMatch ORDERING
+ generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALU
+ E NO-USER-MODIFICATION USAGE directoryOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.17 NAME 'pwdAccountLockedTime' DE
+ SC 'The time an user account was locked' EQUALITY generalizedTimeMatch ORDERI
+ NG generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-V
+ ALUE USAGE directoryOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.19 NAME 'pwdFailureTime' DESC 'Th
+ e timestamps of the last consecutive authentication failures' EQUALITY genera
+ lizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.
+ 115.121.1.24 NO-USER-MODIFICATION USAGE directoryOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.20 NAME 'pwdHistory' DESC 'The hi
+ story of users passwords' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.1
+ 15.121.1.40 NO-USER-MODIFICATION USAGE directoryOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.21 NAME 'pwdGraceUseTime' DESC 'T
+ he timestamps of the grace login once the password has expired' EQUALITY gene
+ ralizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 NO-USER-MODIFICATION US
+ AGE directoryOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.22 NAME 'pwdReset' DESC 'The indi
+ cation that the password has been reset' EQUALITY booleanMatch SYNTAX 1.3.6.1
+ .4.1.1466.115.121.1.7 SINGLE-VALUE USAGE directoryOperation )
+olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry' DESC
+ 'The pwdPolicy subentry in effect for this object' EQUALITY distinguishedName
+ Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE USAGE directoryOperat
+ ion )
+olcAttributeTypes: ( OLcfgOvAt:12.1 NAME 'olcPPolicyDefault' DESC 'DN of a pwd
+ Policy object for uncustomized objects' SYNTAX OMsDN SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgOvAt:12.2 NAME 'olcPPolicyHashCleartext' DESC 'Hash
+ passwords on add or modify' SYNTAX OMsBoolean SINGLE-VALUE )
+olcAttributeTypes: ( OLcfgOvAt:12.4 NAME 'olcPPolicyForwardUpdates' DESC 'Allo
+ w policy state updates to be forwarded via updateref' SYNTAX OMsBoolean SINGL
+ E-VALUE )
+olcAttributeTypes: ( OLcfgOvAt:12.3 NAME 'olcPPolicyUseLockout' DESC 'Warn cli
+ ents with AccountLocked' SYNTAX OMsBoolean SINGLE-VALUE )
+olcAttributeTypes: ( olmBDBAttributes:1 NAME 'olmBDBEntryCache' DESC 'Number o
+ f items in Entry Cache' SUP monitorCounter NO-USER-MODIFICATION USAGE dSAOper
+ ation )
+olcAttributeTypes: ( olmBDBAttributes:2 NAME 'olmBDBDNCache' DESC 'Number of i
+ tems in DN Cache' SUP monitorCounter NO-USER-MODIFICATION USAGE dSAOperation
+ )
+olcAttributeTypes: ( olmBDBAttributes:3 NAME 'olmBDBIDLCache' DESC 'Number of
+ items in IDL Cache' SUP monitorCounter NO-USER-MODIFICATION USAGE dSAOperatio
+ n )
+olcAttributeTypes: ( olmBDBAttributes:4 NAME 'olmDbDirectory' DESC 'Path name
+ of the directory where the database environment resides' SUP monitoredInfo NO
+ -USER-MODIFICATION USAGE dSAOperation )
+olcObjectClasses: ( 2.5.6.0 NAME 'top' DESC 'top of the superclass chain' ABST
+ RACT MUST objectClass )
+olcObjectClasses: ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' DESC
+ 'RFC4512: extensible object' SUP top AUXILIARY )
+olcObjectClasses: ( 2.5.6.1 NAME 'alias' DESC 'RFC4512: an alias' SUP top STRU
+ CTURAL MUST aliasedObjectName )
+olcObjectClasses: ( 2.16.840.1.113730.3.2.6 NAME 'referral' DESC 'namedref: na
+ med subordinate referral' SUP top STRUCTURAL MUST ref )
+olcObjectClasses: ( 1.3.6.1.4.1.4203.1.4.1 NAME ( 'OpenLDAProotDSE' 'LDAProotD
+ SE' ) DESC 'OpenLDAP Root DSE object' SUP top STRUCTURAL MAY cn )
+olcObjectClasses: ( 2.5.17.0 NAME 'subentry' DESC 'RFC3672: subentry' SUP top
+ STRUCTURAL MUST ( cn $ subtreeSpecification ) )
+olcObjectClasses: ( 2.5.20.1 NAME 'subschema' DESC 'RFC4512: controlling subsc
+ hema (sub)entry' AUXILIARY MAY ( dITStructureRules $ nameForms $ dITContentRu
+ les $ objectClasses $ attributeTypes $ matchingRules $ matchingRuleUse ) )
+olcObjectClasses: ( 1.3.6.1.4.1.1466.101.119.2 NAME 'dynamicObject' DESC 'RFC2
+ 589: Dynamic Object' SUP top AUXILIARY )
+olcObjectClasses: ( 1.3.6.1.4.1.4203.666.3.4 NAME 'glue' DESC 'Glue Entry' SUP
+ top STRUCTURAL )
+olcObjectClasses: ( 1.3.6.1.4.1.4203.666.3.5 NAME 'syncConsumerSubentry' DESC
+ 'Persistent Info for SyncRepl Consumer' AUXILIARY MAY syncreplCookie )
+olcObjectClasses: ( 1.3.6.1.4.1.4203.666.3.6 NAME 'syncProviderSubentry' DESC
+ 'Persistent Info for SyncRepl Producer' AUXILIARY MAY contextCSN )
+olcObjectClasses: ( OLcfgGlOc:0 NAME 'olcConfig' DESC 'OpenLDAP configuration
+ object' SUP top ABSTRACT )
+olcObjectClasses: ( OLcfgGlOc:1 NAME 'olcGlobal' DESC 'OpenLDAP Global configu
+ ration options' SUP olcConfig STRUCTURAL MAY ( cn $ olcConfigFile $ olcConfig
+ Dir $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAuthIDRewrite $ olcA
+ uthzPolicy $ olcAuthzRegexp $ olcConcurrency $ olcConnMaxPending $ olcConnMax
+ PendingAuth $ olcDisallows $ olcGentleHUP $ olcIdleTimeout $ olcIndexSubstrIf
+ MaxLen $ olcIndexSubstrIfMinLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnySte
+ p $ olcIndexIntLen $ olcLocalSSF $ olcLogFile $ olcLogLevel $ olcPasswordCryp
+ tSaltFormat $ olcPasswordHash $ olcPidFile $ olcPluginLogFile $ olcReadOnly $
+ olcReferral $ olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $
+ olcRootDSE $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps
+ $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSockbufMaxIncoming $ olcSockb
+ ufMaxIncomingAuth $ olcTCPBuffer $ olcThreads $ olcTimeLimit $ olcTLSCACertif
+ icateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertifica
+ teKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSRandFile $ olcTLSVerif
+ yClient $ olcTLSDHParamFile $ olcTLSCRLFile $ olcToolThreads $ olcWriteTimeou
+ t $ olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ olcDitConten
+ tRules $ olcLdapSyntaxes ) )
+olcObjectClasses: ( OLcfgGlOc:2 NAME 'olcSchemaConfig' DESC 'OpenLDAP schema o
+ bject' SUP olcConfig STRUCTURAL MAY ( cn $ olcObjectIdentifier $ olcAttribute
+ Types $ olcObjectClasses $ olcDitContentRules $ olcLdapSyntaxes ) )
+olcObjectClasses: ( OLcfgGlOc:3 NAME 'olcBackendConfig' DESC 'OpenLDAP Backend
+ -specific options' SUP olcConfig STRUCTURAL MUST olcBackend )
+olcObjectClasses: ( OLcfgGlOc:4 NAME 'olcDatabaseConfig' DESC 'OpenLDAP Databa
+ se-specific options' SUP olcConfig STRUCTURAL MUST olcDatabase MAY ( olcHidde
+ n $ olcSuffix $ olcSubordinate $ olcAccess $ olcAddContentAcl $ olcLastMod $
+ olcLimits $ olcMaxDerefDepth $ olcPlugin $ olcReadOnly $ olcReplica $ olcRepl
+ icaArgsFile $ olcReplicaPidFile $ olcReplicationInterval $ olcReplogFile $ ol
+ cRequires $ olcRestrict $ olcRootDN $ olcRootPW $ olcSchemaDN $ olcSecurity $
+ olcSizeLimit $ olcSyncUseSubentry $ olcSyncrepl $ olcTimeLimit $ olcUpdateDN
+ $ olcUpdateRef $ olcMirrorMode $ olcMonitoring ) )
+olcObjectClasses: ( OLcfgGlOc:5 NAME 'olcOverlayConfig' DESC 'OpenLDAP Overlay
+ -specific options' SUP olcConfig STRUCTURAL MUST olcOverlay )
+olcObjectClasses: ( OLcfgGlOc:6 NAME 'olcIncludeFile' DESC 'OpenLDAP configura
+ tion include file' SUP olcConfig STRUCTURAL MUST olcInclude MAY ( cn $ olcRoo
+ tDSE ) )
+olcObjectClasses: ( OLcfgGlOc:7 NAME 'olcFrontendConfig' DESC 'OpenLDAP fronte
+ nd configuration' AUXILIARY MAY ( olcDefaultSearchBase $ olcPasswordHash $ ol
+ cSortVals ) )
+olcObjectClasses: ( OLcfgGlOc:8 NAME 'olcModuleList' DESC 'OpenLDAP dynamic mo
+ dule info' SUP olcConfig STRUCTURAL MAY ( cn $ olcModulePath $ olcModuleLoad
+ ) )
+olcObjectClasses: ( OLcfgDbOc:2.1 NAME 'olcLdifConfig' DESC 'LDIF backend conf
+ iguration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory )
+olcObjectClasses: ( OLcfgDbOc:1.2 NAME 'olcHdbConfig' DESC 'HDB backend config
+ uration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory MAY ( olcDbCach
+ eSize $ olcDbCheckpoint $ olcDbConfig $ olcDbCryptFile $ olcDbCryptKey $ olcD
+ bNoSync $ olcDbDirtyRead $ olcDbIDLcacheSize $ olcDbIndex $ olcDbLinearIndex
+ $ olcDbLockDetect $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbCacheFr
+ ee $ olcDbDNcacheSize $ olcDbPageSize ) )
+olcObjectClasses: ( OLcfgOvOc:1.1 NAME 'olcSyncProvConfig' DESC 'SyncRepl Prov
+ ider configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcSpCheckpoint $ o
+ lcSpSessionlog $ olcSpNoPresent $ olcSpReloadHint ) )
+olcObjectClasses: ( 1.3.6.1.4.1.4203.666.3.16.1 NAME 'monitor' DESC 'OpenLDAP
+ system monitoring' SUP top STRUCTURAL MUST cn MAY ( description $ seeAlso $ l
+ abeledURI $ monitoredInfo $ managedInfo $ monitorOverlay ) )
+olcObjectClasses: ( 1.3.6.1.4.1.4203.666.3.16.2 NAME 'monitorServer' DESC 'Ser
+ ver monitoring root entry' SUP monitor STRUCTURAL )
+olcObjectClasses: ( 1.3.6.1.4.1.4203.666.3.16.3 NAME 'monitorContainer' DESC '
+ monitor container class' SUP monitor STRUCTURAL )
+olcObjectClasses: ( 1.3.6.1.4.1.4203.666.3.16.4 NAME 'monitorCounterObject' DE
+ SC 'monitor counter class' SUP monitor STRUCTURAL )
+olcObjectClasses: ( 1.3.6.1.4.1.4203.666.3.16.5 NAME 'monitorOperation' DESC '
+ monitor operation class' SUP monitor STRUCTURAL )
+olcObjectClasses: ( 1.3.6.1.4.1.4203.666.3.16.6 NAME 'monitorConnection' DESC
+ 'monitor connection class' SUP monitor STRUCTURAL )
+olcObjectClasses: ( 1.3.6.1.4.1.4203.666.3.16.7 NAME 'managedObject' DESC 'mon
+ itor managed entity class' SUP monitor STRUCTURAL )
+olcObjectClasses: ( 1.3.6.1.4.1.4203.666.3.16.8 NAME 'monitoredObject' DESC 'm
+ onitor monitored entity class' SUP monitor STRUCTURAL )
+olcObjectClasses: ( OLcfgDbOc:4.1 NAME 'olcMonitorConfig' DESC 'Monitor backen
+ d configuration' SUP olcDatabaseConfig STRUCTURAL )
+olcObjectClasses: ( OLcfgOvOc:15.1 NAME 'olcAuditlogConfig' DESC 'Auditlog con
+ figuration' SUP olcOverlayConfig STRUCTURAL MAY olcAuditlogFile )
+olcObjectClasses: ( OLcfgOvOc:10.1 NAME 'olcUniqueConfig' DESC 'Attribute valu
+ e uniqueness configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcUniqueBa
+ se $ olcUniqueIgnore $ olcUniqueAttribute $ olcUniqueStrict $ olcUniqueURI )
+ )
+olcObjectClasses: ( OLcfgOvOc:12.1 NAME 'olcPPolicyConfig' DESC 'Password Poli
+ cy configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcPPolicyDefault $ o
+ lcPPolicyHashCleartext $ olcPPolicyUseLockout $ olcPPolicyForwardUpdates ) )
+olcObjectClasses: ( olmBDBObjectClasses:1 NAME 'olmBDBDatabase' SUP top AUXILI
+ ARY MAY ( olmBDBEntryCache $ olmBDBDNCache $ olmBDBIDLCache $ olmDbDirectory
+ ) )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.1 DESC 'ACI Item' X-BINARY-TRANS
+ FER-REQUIRED 'TRUE' X-NOT-HUMAN-READABLE 'TRUE' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.2 DESC 'Access Point' X-NOT-HUMA
+ N-READABLE 'TRUE' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.3 DESC 'Attribute Type Descripti
+ on' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.4 DESC 'Audio' X-NOT-HUMAN-READA
+ BLE 'TRUE' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.5 DESC 'Binary' X-NOT-HUMAN-READ
+ ABLE 'TRUE' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.6 DESC 'Bit String' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.7 DESC 'Boolean' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'Certificate' X-BINARY-TR
+ ANSFER-REQUIRED 'TRUE' X-NOT-HUMAN-READABLE 'TRUE' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.9 DESC 'Certificate List' X-BINA
+ RY-TRANSFER-REQUIRED 'TRUE' X-NOT-HUMAN-READABLE 'TRUE' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.10 DESC 'Certificate Pair' X-BIN
+ ARY-TRANSFER-REQUIRED 'TRUE' X-NOT-HUMAN-READABLE 'TRUE' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.4203.666.11.10.2.1 DESC 'X.509 AttributeCertifi
+ cate' X-BINARY-TRANSFER-REQUIRED 'TRUE' X-NOT-HUMAN-READABLE 'TRUE' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.12 DESC 'Distinguished Name' )
+olcLdapSyntaxes: ( 1.2.36.79672281.1.5.0 DESC 'RDN' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.13 DESC 'Data Quality' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.14 DESC 'Delivery Method' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.15 DESC 'Directory String' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.16 DESC 'DIT Content Rule Descri
+ ption' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.17 DESC 'DIT Structure Rule Desc
+ ription' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.19 DESC 'DSA Quality' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.20 DESC 'DSE Type' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.21 DESC 'Enhanced Guide' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.22 DESC 'Facsimile Telephone Num
+ ber' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.23 DESC 'Fax' X-NOT-HUMAN-READAB
+ LE 'TRUE' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.24 DESC 'Generalized Time' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.25 DESC 'Guide' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.26 DESC 'IA5 String' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.27 DESC 'Integer' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.28 DESC 'JPEG' X-NOT-HUMAN-READA
+ BLE 'TRUE' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.29 DESC 'Master And Shadow Acces
+ s Points' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.30 DESC 'Matching Rule Descripti
+ on' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.31 DESC 'Matching Rule Use Descr
+ iption' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.32 DESC 'Mail Preference' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.33 DESC 'MHS OR Address' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.34 DESC 'Name And Optional UID'
+ )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.35 DESC 'Name Form Description'
+ )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.36 DESC 'Numeric String' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.37 DESC 'Object Class Descriptio
+ n' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.38 DESC 'OID' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.39 DESC 'Other Mailbox' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.40 DESC 'Octet String' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.41 DESC 'Postal Address' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.42 DESC 'Protocol Information' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.43 DESC 'Presentation Address' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.44 DESC 'Printable String' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.11 DESC 'Country String' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.45 DESC 'SubtreeSpecification' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.49 DESC 'Supported Algorithm' X-
+ BINARY-TRANSFER-REQUIRED 'TRUE' X-NOT-HUMAN-READABLE 'TRUE' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.50 DESC 'Telephone Number' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.51 DESC 'Teletex Terminal Identi
+ fier' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.52 DESC 'Telex Number' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.54 DESC 'LDAP Syntax Description
+ ' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.55 DESC 'Modify Rights' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.56 DESC 'LDAP Schema Definition'
+ )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.57 DESC 'LDAP Schema Description
+ ' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.58 DESC 'Substring Assertion' )
+olcLdapSyntaxes: ( 1.3.6.1.1.1.0.0 DESC 'RFC2307 NIS Netgroup Triple' )
+olcLdapSyntaxes: ( 1.3.6.1.1.1.0.1 DESC 'RFC2307 Boot Parameter' )
+olcLdapSyntaxes: ( 1.3.6.1.1.15.1 DESC 'Certificate Exact Assertion' )
+olcLdapSyntaxes: ( 1.3.6.1.1.15.2 DESC 'Certificate Assertion' )
+olcLdapSyntaxes: ( 1.3.6.1.1.15.3 DESC 'Certificate Pair Exact Assertion' )
+olcLdapSyntaxes: ( 1.3.6.1.1.15.4 DESC 'Certificate Pair Assertion' )
+olcLdapSyntaxes: ( 1.3.6.1.1.15.5 DESC 'Certificate List Exact Assertion' )
+olcLdapSyntaxes: ( 1.3.6.1.1.15.6 DESC 'Certificate List Assertion' )
+olcLdapSyntaxes: ( 1.3.6.1.1.15.7 DESC 'Algorithm Identifier' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.4203.666.11.10.2.2 DESC 'AttributeCertificate E
+ xact Assertion' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.4203.666.11.10.2.3 DESC 'AttributeCertificate A
+ ssertion' )
+olcLdapSyntaxes: ( 1.3.6.1.1.16.1 DESC 'UUID' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.4203.666.11.2.1 DESC 'CSN' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.4203.666.11.2.4 DESC 'CSN SID' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.4203.1.1.1 DESC 'OpenLDAP void' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.4203.666.2.7 DESC 'OpenLDAP authz' )
+olcLdapSyntaxes: ( 1.3.6.1.4.1.4203.666.2.1 DESC 'OpenLDAP Experimental ACI' )
+structuralObjectClass: olcSchemaConfig
+creatorsName: cn=config
+createTimestamp: @@@TIMESTAMP@@@Z
+entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000
+modifiersName: cn=config
+modifyTimestamp: @@@TIMESTAMP@@@Z
diff --git a/confskel/openldap/skel.ldif b/confskel/openldap/skel.ldif
index da66b0a..34d615b 100644
--- a/confskel/openldap/skel.ldif
+++ b/confskel/openldap/skel.ldif
@@ -211,8 +211,8 @@ ou: Administrative
sn: Administrator
title: Administrator
uid: @@@ADMINUSER@@@
-userPassword: {SHA}@@@ADMINPW_SHA@@@
uidNumber: 999
+userPassword: {SASL}@@@ADMINUSER@@@@@@@REALM_UCNAME@@@
tdeBuiltinAccount: TRUE
emsmodules: kerberos
emsmodules: posix
diff --git a/confskel/sasl/saslauthd.defaults b/confskel/sasl/saslauthd.defaults
new file mode 100644
index 0000000..c6277d6
--- /dev/null
+++ b/confskel/sasl/saslauthd.defaults
@@ -0,0 +1,54 @@
+#
+# TDE settings for saslauthd daemon
+#
+
+# Should saslauthd run automatically on startup? (default: no)
+START=yes
+
+# Description of this saslauthd instance. Recommended.
+# (suggestion: SASL Authentication Daemon)
+DESC="SASL Authentication Daemon"
+
+# Short name of this saslauthd instance. Strongly recommended.
+# (suggestion: saslauthd)
+NAME="saslauthd"
+
+# Which authentication mechanisms should saslauthd use? (default: pam)
+#
+# Available options in this Debian package:
+# getpwent -- use the getpwent() library function
+# kerberos5 -- use Kerberos 5
+# pam -- use PAM
+# rimap -- use a remote IMAP server
+# shadow -- use the local shadow password file
+# sasldb -- use the local sasldb database file
+# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
+#
+# Only one option may be used at a time. See the saslauthd man page
+# for more information.
+#
+# Example: MECHANISMS="pam"
+MECHANISMS="kerberos5"
+
+# Additional options for this mechanism. (default: none)
+# See the saslauthd man page for information about mech-specific options.
+MECH_OPTIONS=""
+
+# How many saslauthd processes should we run? (default: 5)
+# A value of 0 will fork a new process for each connection.
+THREADS=5
+
+# Other options (default: -c -m /var/run/saslauthd)
+# Note: You MUST specify the -m option or saslauthd won't run!
+#
+# WARNING: DO NOT SPECIFY THE -d OPTION.
+# The -d option will cause saslauthd to run in the foreground instead of as
+# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
+# to run saslauthd in debug mode, please run it by hand to be safe.
+#
+# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
+# See the saslauthd man page and the output of 'saslauthd -h' for general
+# information about these options.
+#
+# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
+OPTIONS="-c -m /var/run/saslauthd"
diff --git a/confskel/sasl/slapd.conf b/confskel/sasl/slapd.conf
new file mode 100644
index 0000000..f89c483
--- /dev/null
+++ b/confskel/sasl/slapd.conf
@@ -0,0 +1,4 @@
+#mech_list: GSSAPI EXTERNAL
+#mech_list: PLAIN LOGIN GSSAPI EXTERNAL
+pwcheck_method: saslauthd
+saslauthd_path: /var/run/saslauthd/mux
diff --git a/debian/control b/debian/control
index c8eca75..f597450 100644
--- a/debian/control
+++ b/debian/control
@@ -7,6 +7,6 @@ Standards-Version: 3.8.4
Package: kcontrol-ldap-controller-trinity
Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, heimdal-clients, heimdal-kdc, slapd
+Depends: ${shlibs:Depends}, ${misc:Depends}, heimdal-clients, heimdal-kdc, slapd, libsasl2-modules-gssapi-heimdal, sasl2-bin
Description: LDAP realm controller module for the TDE control center
LDAP Controller is a TDE control center module to configure an LDAP Realm Controller
diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp
index 3f553be..3d679a0 100644
--- a/src/ldapcontroller.cpp
+++ b/src/ldapcontroller.cpp
@@ -21,6 +21,7 @@
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
+#include <pwd.h>
#include <tqlayout.h>
@@ -54,6 +55,15 @@
// FIXME
// Connect this to CMake/Automake
#define KDE_CONFDIR "/etc/trinity"
+#define LDAP_KEYTAB_FILE "/etc/ldap/ldap.keytab"
+
+// FIXME
+// This assumes Debian!
+// RedHat would be "/etc/sysconfig/ldap"
+#define LDAP_DEFAULT_FILE "/etc/default/slapd"
+#define HEIMDAL_DEFAULT_FILE "/etc/default/heimdal-kdc"
+#define SASL_DEFAULT_FILE "/etc/default/saslauthd"
+#define SASL_CONTROL_FILE "/etc/ldap/sasl2/slapd.conf"
#define ROLE_WORKSTATION 0
#define ROLE_REALM_CONTROLLER 1
@@ -93,6 +103,11 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
m_fqdn = getMachineFQDN();
+ // FIXME
+ // This assumes Debian!
+ m_ldapUserName = "openldap";
+ m_ldapGroupName = "openldap";
+
load();
if (getuid() != 0 || !m_systemconfig->checkConfigFilesWritable( true )) {
@@ -230,7 +245,7 @@ void LDAPController::save() {
load();
}
-void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, int ldifSchemaNumber=-1, uid_t userid=-1, gid_t groupid=-1) {
+void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, int ldifSchemaNumber=-1, uid_t userid=-1, gid_t groupid=-1, TQString ldapusername=TQString::null, TQString ldapgroupname=TQString::null) {
SHA1 sha;
sha.process(rootPassword, strlen(rootPassword));
TQString rootpw_hash = sha.base64Hash();
@@ -280,6 +295,9 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
line.replace("@@@REALM_SIMPLE_CP_NAME@@@", simpledcnamecap);
line.replace("@@@REALM_SIMPLE_LC_NAME@@@", simpledcname.lower());
line.replace("@@@TIMESTAMP@@@", timestamp);
+ line.replace("@@@LDAP_KEYTAB_FILE@@@", LDAP_KEYTAB_FILE);
+ line.replace("@@@LDAP_USER_NAME@@@", ldapusername);
+ line.replace("@@@LDAP_GROUP_NAME@@@", ldapgroupname);
if (ldifSchemaNumber >= 0) {
line.replace("@@@LDIFSCHEMANUMBER@@@", TQString("%1").arg(ldifSchemaNumber));
}
@@ -294,18 +312,38 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
}
}
else {
- KMessageBox::error(0, i18n("<qt>Unable to open output schema file %1 for writing</qt>").arg(infile), i18n("Internal Failure"));
+ //KMessageBox::error(0, i18n("<qt>Unable to open output schema file %1 for writing</qt>").arg(outfile), i18n("Internal Failure"));
+ printf("[INTERNAL FAILURE] Unable to open output schema file %s for writing\n\r", outfile.ascii()); fflush(stdout);
}
}
else {
- KMessageBox::error(0, i18n("<qt>Unable to open template schema file %1</qt>").arg(infile), i18n("Internal Failure"));
+ //KMessageBox::error(0, i18n("<qt>Unable to open template schema file %1</qt>").arg(infile), i18n("Internal Failure"));
+ printf("[INTERNAL FAILURE] Unable to open template schema file %s\n\r", infile.ascii()); fflush(stdout);
}
// Keep UI responsive
tqApp->processEvents();
}
-int LDAPController::controlHeimdalServer(sc_command command) {
+int LDAPController::controlSASLServer(sc_command command) {
+ if (command == SC_START) {
+ // FIXME
+ // This assumes Debian!
+ return system("/etc/init.d/saslauthd start");
+ }
+ if (command == SC_STOP) {
+ // FIXME
+ // This assumes Debian!
+ return system("/etc/init.d/saslauthd stop");
+ }
+ if (command == SC_RESTART) {
+ // FIXME
+ // This assumes Debian!
+ return system("/etc/init.d/saslauthd restart");
+ }
+}
+
+int LDAPController::controlHeimdalServer(sc_command command, uid_t userid, gid_t groupid) {
if (command == SC_START) {
// FIXME
// This assumes Debian!
@@ -321,6 +359,22 @@ int LDAPController::controlHeimdalServer(sc_command command) {
// This assumes Debian!
return system("/etc/init.d/heimdal-kdc restart");
}
+ if (command == SC_PURGE) {
+ controlHeimdalServer(SC_STOP);
+ system("rm -f " + TQString(LDAP_KEYTAB_FILE));
+ // FIXME
+ // This assumes Debian
+ system("rm -f /etc/krb5.keytab");
+ system("rm -rf /var/lib/heimdal-kdc/*");
+ }
+ if (command == SC_SETDBPERMS) {
+ if ((userid > 0) && (groupid > 0)) {
+ TQString command;
+ command = TQString("chgrp %1 " + TQString(LDAP_KEYTAB_FILE)).arg(groupid);
+ system(command.ascii());
+ chmod(LDAP_KEYTAB_FILE, S_IRUSR|S_IWUSR|S_IRGRP);
+ }
+ }
}
int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t groupid) {
@@ -344,7 +398,7 @@ int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t gr
// FIXME
// This assumes Debian!
system("rm -rf /var/lib/ldap/*");
- system("rm -rf /etc/ldap/slapd.d/cn=config/cn=schema/*");
+ system("rm -rf /etc/ldap/slapd.d/*");
}
if (command == SC_SETDBPERMS) {
if ((userid > 0) && (groupid > 0)) {
@@ -355,6 +409,10 @@ int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t gr
system(command.ascii());
command = TQString("chgrp -R %1 /var/lib/ldap/*").arg(groupid);
system(command.ascii());
+ command = TQString("chown -R %1 /etc/ldap/slapd.d/*").arg(userid);
+ system(command.ascii());
+ command = TQString("chgrp -R %1 /etc/ldap/slapd.d/*").arg(groupid);
+ system(command.ascii());
}
}
return -2;
@@ -421,6 +479,225 @@ int LDAPController::initializeNewKerberosRealm(TQString realmName, TQString *err
return 1; // Failure
}
+int LDAPController::addHostEntryToKerberosRealm(TQString kerberosHost, TQString *errstr) {
+ TQCString command = "kadmin";
+ QCStringList args;
+ args << TQCString("-l");
+
+ TQString hoststring = "host/"+kerberosHost;
+
+ TQString prompt;
+ PtyProcess kadminProc;
+ kadminProc.exec(command, args);
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt == "kadmin>") {
+ kadminProc.writeLine(TQCString("ext "+hoststring), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt.contains("authentication failed")) {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+ else if (prompt.endsWith("Principal does not exist")) {
+ kadminProc.writeLine(TQCString("ank --random-key "+hoststring), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ // Use all defaults
+ while (prompt != "kadmin>") {
+ if (prompt.contains("authentication failed")) {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+ else {
+ // Extract whatever default is in the [brackets] and feed it back to kadmin
+ TQString defaultParam;
+ int leftbracket = prompt.find("[");
+ int rightbracket = prompt.find("]");
+ if ((leftbracket >= 0) && (rightbracket >= 0)) {
+ leftbracket++;
+ defaultParam = prompt.mid(leftbracket, rightbracket-leftbracket);
+ }
+ kadminProc.writeLine(TQCString(defaultParam), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ }
+ }
+ kadminProc.writeLine(TQCString("ext "+hoststring), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt != "kadmin>") {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+ else if (prompt == "kadmin>") {
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+
+ // Failure
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ if (errstr) *errstr = "Internal error. Verify that kadmin exists and can be executed.";
+ return 1; // Failure
+}
+
+int LDAPController::addLDAPEntryToKerberosRealm(TQString ldapProcessOwnerName, TQString ldapHost, TQString *errstr) {
+ TQCString command = "kadmin";
+ QCStringList args;
+ args << TQCString("-l");
+
+ TQString hoststring = ldapProcessOwnerName+"/"+ldapHost;
+
+ TQString prompt;
+ PtyProcess kadminProc;
+ kadminProc.exec(command, args);
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt == "kadmin>") {
+ kadminProc.writeLine(TQCString("ext --keytab="+TQString(LDAP_KEYTAB_FILE)+" "+hoststring), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt.contains("authentication failed")) {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+ else if (prompt.endsWith("Principal does not exist")) {
+ kadminProc.writeLine(TQCString("ank --random-key "+hoststring), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ // Use all defaults
+ while (prompt != "kadmin>") {
+ if (prompt.contains("authentication failed")) {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+ else {
+ // Extract whatever default is in the [brackets] and feed it back to kadmin
+ TQString defaultParam;
+ int leftbracket = prompt.find("[");
+ int rightbracket = prompt.find("]");
+ if ((leftbracket >= 0) && (rightbracket >= 0)) {
+ leftbracket++;
+ defaultParam = prompt.mid(leftbracket, rightbracket-leftbracket);
+ }
+ kadminProc.writeLine(TQCString(defaultParam), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ }
+ }
+ kadminProc.writeLine(TQCString("ext --keytab="+TQString(LDAP_KEYTAB_FILE)+" "+hoststring), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt != "kadmin>") {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+ else if (prompt == "kadmin>") {
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+
+ // Failure
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ if (errstr) *errstr = "Internal error. Verify that kadmin exists and can be executed.";
+ return 1; // Failure
+}
+
+int LDAPController::setKerberosPasswordForUser(LDAPCredentials user, TQString *errstr) {
+ if (user.password == "") {
+ return 0;
+ }
+
+ TQCString command = "kadmin";
+ QCStringList args;
+ args << TQCString("-l") << TQCString("-r") << TQCString(user.realm.upper());
+
+ TQString prompt;
+ PtyProcess kadminProc;
+ kadminProc.exec(command, args);
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt == "kadmin>") {
+ kadminProc.writeLine(TQCString("passwd "+user.username), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt.contains("authentication failed")) {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+ else if ((prompt.endsWith(" Password:")) && (prompt.startsWith(TQString(user.username + "@")))) {
+ kadminProc.writeLine(user.password, true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ if ((prompt.endsWith(" Password:")) && (prompt.startsWith("Verify"))) {
+ kadminProc.writeLine(user.password, true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ }
+ if (prompt != "kadmin>") {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+ else if (prompt == "kadmin>") {
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+
+ // Failure
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ if (errstr) *errstr = "Internal error. Verify that kadmin exists and can be executed.";
+ return 1; // Failure
+}
+
int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, TQString *errstr) {
int ldifSchemaNumber;
@@ -449,6 +726,12 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
pdialog.setStatusMessage(i18n("Stopping servers..."));
+ // Stop SASL
+ if (controlSASLServer(SC_STOP) != 0) {
+ if (errstr) *errstr = i18n("Unable to stop SASL server");
+ pdialog.closeDialog();
+ return -1;
+ }
// Stop Heimdal
if (controlHeimdalServer(SC_STOP) != 0) {
if (errstr) *errstr = i18n("Unable to stop Kerberos server");
@@ -464,6 +747,7 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
pdialog.setStatusMessage(i18n("Purging existing LDAP database..."));
tqApp->processEvents();
+ controlHeimdalServer(SC_PURGE);
controlLDAPServer(SC_PURGE);
pdialog.setStatusMessage(i18n("Installing new LDAP schema..."));
@@ -475,24 +759,60 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
mkdir(TQString(destDir + "ldap/slapd.d/cn=config").ascii(), S_IRUSR|S_IWUSR|S_IXUSR);
mkdir(TQString(destDir + "ldap/slapd.d/cn=config/cn=schema").ascii(), S_IRUSR|S_IWUSR|S_IXUSR);
- replacePlaceholdersInFile(templateDir + "heimdal/heimdal.defaults", destDir + "heimdal.defaults", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+ // Heimdal
+ replacePlaceholdersInFile(templateDir + "heimdal/heimdal.defaults", HEIMDAL_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
replacePlaceholdersInFile(templateDir + "heimdal/kadmind.acl", destDir + "heimdal-kdc/kadmind.acl", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
replacePlaceholdersInFile(templateDir + "heimdal/kdc.conf", destDir + "heimdal-kdc/kdc.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
replacePlaceholdersInFile(templateDir + "heimdal/krb5.conf", destDir + "krb5.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+// RAJA DEBUG
+// if (system("kstash --random-key") != 0) {
+// if (errstr) *errstr = i18n("Unable to create Kerberos foundational key");
+// pdialog.closeDialog();
+// return -1;
+// }
+
+ // OpenLDAP
replacePlaceholdersInFile(templateDir + "openldap/skel.ldif", configTempDir.name() + "skel.ldif", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
// replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.conf", destDir + "ldap/slapd.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
- replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.defaults", destDir + "ldap/slapd.defaults", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+ replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.defaults", LDAP_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, -1, -1, -1, m_ldapUserName, m_ldapGroupName);
+
+ // SASL
+ replacePlaceholdersInFile(templateDir + "sasl/saslauthd.defaults", SASL_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+ replacePlaceholdersInFile(templateDir + "sasl/slapd.conf", SASL_CONTROL_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+
+ // FIXME
+ // This assumes Debian!
+ // Grant LDAP access to SASL mux pipe
+ system("dpkg-statoverride --remove --quiet /var/run/saslauthd");
+ system(TQString("dpkg-statoverride --add root %1 710 /var/run/saslauthd").arg(m_ldapGroupName).ascii());
+
+ // FIXME
+ // This assumes Debian!
+ system("ln -s /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc/kadmind.acl");
+ system("ln -s /etc/heimdal-kdc/kdc.conf /var/lib/heimdal-kdc/kdc.conf");
struct stat sb;
uid_t slapd_uid = 0;
gid_t slapd_gid = 0;
- if (stat(destDir + "ldap/slapd.d/cn=config/cn=schema", &sb) == 0) {
- slapd_uid = sb.st_uid;
- slapd_gid = sb.st_gid;
- }
+
+ // Get LDAP user uid/gid
+ struct passwd *pwd;
+ pwd = getpwnam(m_ldapUserName);
+ slapd_uid = pwd->pw_uid;
+ slapd_gid = pwd->pw_gid;
+
+// RAJA FIXME
+// SECURITY
+// The ldapi:/// socket in /var/run/ldap is world readable/writable
+// This means anyone with access to the server running LDAP can dump the KRB5 keys!!!!
// Base database configuration
+ replacePlaceholdersInFile(templateDir + "openldap/ldif/config.ldif", destDir + "ldap/slapd.d/" + TQString("cn=config.ldif"), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, -1, slapd_uid, slapd_gid);
+ replacePlaceholdersInFile(templateDir + "openldap/ldif/schema.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("cn=schema.ldif"), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, -1, slapd_uid, slapd_gid);
+ ldifSchemaNumber = 0;
+ replacePlaceholdersInFile(templateDir + "openldap/ldif/olcConfig.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}config.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+ replacePlaceholdersInFile(templateDir + "openldap/ldif/moduleConfig.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("cn=module{%1}.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
ldifSchemaNumber = 1;
replacePlaceholdersInFile(templateDir + "openldap/ldif/olcDatabase.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}hdb.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
@@ -565,11 +885,31 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
TQString errorstring;
if (initializeNewKerberosRealm(realmconfig.name.upper(), &errorstring) != 0) {
- if (errstr) *errstr = i18n("Unable to initialize Kerberos database<p>").append(errorstring);
+ if (errstr) *errstr = i18n("Unable to initialize Kerberos database").append(errorstring);
pdialog.closeDialog();
return -1;
}
+ if (addHostEntryToKerberosRealm(realmconfig.kdc, &errorstring) != 0) {
+ if (errstr) *errstr = i18n("Unable to add KDC server entry to Kerberos database").arg(m_ldapUserName).append(errorstring);
+ pdialog.closeDialog();
+ return -1;
+ }
+
+ if (addLDAPEntryToKerberosRealm(m_ldapUserName, realmconfig.admin_server, &errorstring) != 0) {
+ if (errstr) *errstr = i18n("Unable to add %1 entry to Kerberos database").arg(m_ldapUserName).append(errorstring);
+ pdialog.closeDialog();
+ return -1;
+ }
+
+ if (addLDAPEntryToKerberosRealm("ldap", realmconfig.admin_server, &errorstring) != 0) {
+ if (errstr) *errstr = i18n("Unable to add LDAP entry to Kerberos database").append(errorstring);
+ pdialog.closeDialog();
+ return -1;
+ }
+
+ controlHeimdalServer(SC_SETDBPERMS, slapd_uid, slapd_gid);
+
// Move all those new Heimdal entries to the correct tree/branch
TQStringList domainChunks = TQStringList::split(".", realmconfig.name.lower());
TQString basedcname = "dc=" + domainChunks.join(",dc=");
@@ -588,6 +928,20 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
delete ldap_mgr;
delete credentials;
+ // Set @@@ADMINUSER@@@ password in kadmin
+ LDAPCredentials adminuser;
+ adminuser.username = adminUserName;
+ adminuser.password = adminPassword;
+ adminuser.realm = realmconfig.name.upper();
+ if (setKerberosPasswordForUser(adminuser, &errorstring) != 0) {
+ if (errstr) *errstr = i18n("Unable to set user password in Kerberos database").append(errorstring);
+ pdialog.closeDialog();
+ return -1;
+ }
+
+ pdialog.setStatusMessage(i18n("Configuring local system..."));
+ tqApp->processEvents();
+
// Write the TDE realm configuration file
LDAPRealmConfigList realms;
realms.insert(realmconfig.name, realmconfig);
@@ -595,9 +949,31 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
m_systemconfig->writeEntry("DefaultRealm", realmconfig.name);
m_systemconfig->sync();
- pdialog.setStatusMessage(i18n("Configuring local system..."));
LDAPManager::writeLDAPConfFile(realmconfig);
+ pdialog.setStatusMessage(i18n("(Re)starting servers..."));
+ tqApp->processEvents();
+
+ // Restart slapd
+ if (controlLDAPServer(SC_RESTART) != 0) {
+ if (errstr) *errstr = i18n("Unable to restart LDAP server");
+ pdialog.closeDialog();
+ return -1;
+ }
+ // Restart Heimdal
+ if (controlHeimdalServer(SC_RESTART) != 0) {
+ if (errstr) *errstr = i18n("Unable to restart Kerberos server");
+ pdialog.closeDialog();
+ return -1;
+ }
+
+ // Start SASL
+ if (controlSASLServer(SC_START) != 0) {
+ if (errstr) *errstr = i18n("Unable to start SASL server");
+ pdialog.closeDialog();
+ return -1;
+ }
+
// RAJA FIXME
pdialog.closeDialog();
}
diff --git a/src/ldapcontroller.h b/src/ldapcontroller.h
index d831c72..1fad5f8 100644
--- a/src/ldapcontroller.h
+++ b/src/ldapcontroller.h
@@ -69,9 +69,13 @@ class LDAPController: public KCModule
void processLockouts();
private:
- int controlHeimdalServer(sc_command command);
+ int controlSASLServer(sc_command command);
+ int controlHeimdalServer(sc_command command, uid_t userid=-1, gid_t groupid=-1);
int controlLDAPServer(sc_command command, uid_t userid=-1, gid_t groupid=-1);
int initializeNewKerberosRealm(TQString realmName, TQString *errstr);
+ int addLDAPEntryToKerberosRealm(TQString ldapProcessOwnerName, TQString ldapHost, TQString *errstr);
+ int addHostEntryToKerberosRealm(TQString kerberosHost, TQString *errstr);
+ int setKerberosPasswordForUser(LDAPCredentials user, TQString *errstr);
private:
KAboutData *myAboutData;
@@ -81,6 +85,8 @@ class LDAPController: public KCModule
TQString m_fqdn;
int m_prevRole;
+ TQString m_ldapUserName;
+ TQString m_ldapGroupName;
};
#endif // _LDAPCONTROLLER_H_
diff --git a/src/realmwizard.cpp b/src/realmwizard.cpp
index 184fb57..a0f4ced 100644
--- a/src/realmwizard.cpp
+++ b/src/realmwizard.cpp
@@ -94,6 +94,9 @@ RealmWizard::RealmWizard(LDAPController* controller, TQString fqdn, TQWidget *pa
// Other setup
finishpage->ldapAdminRealm->setEnabled(false);
+ // Kerberos won't work unless the DNS suffix matches the realm name
+ realmpage->txtRealmName->setEnabled(false);
+
setFinishEnabled(TQWizard::page(2), true);
setPosition();