2 ## schema file for OpenLDAP 2.x
3 ## Schema for storing Samba user accounts and group maps in LDAP
4 ## OIDs are owned by the Samba Team
6 ## Prerequisite schemas - uid (cosine.schema)
7 ## - displayName (inetorgperson.schema)
8 ## - gidNumber (nis.schema)
10 ## 1.3.6.1.4.1.7165.2.1.x - attributetypes
11 ## 1.3.6.1.4.1.7165.2.2.x - objectclasses
13 ## ----- READ THIS WHEN ADDING A NEW ATTRIBUTE OR OBJECT CLASS ------
15 ## Run the 'get_next_oid' bash script in this directory to find the
16 ## next available OID for attribute type and object classes.
19 ## attributetype ( 1.3.6.1.4.1.7165.2.1.XX NAME ....
20 ## objectclass ( 1.3.6.1.4.1.7165.2.2.XX NAME ....
22 ## Also ensure that new entries adhere to the declaration style
23 ## used throughout this file
25 ## <attributetype|objectclass> ( 1.3.6.1.4.1.7165.2.XX.XX NAME ....
28 ## The spaces are required for the get_next_oid script (and for
31 ## ------------------------------------------------------------------
33 ########################################################################
35 ########################################################################
40 #attributetype ( 1.3.6.1.4.1.7165.2.1.1 NAME 'lmPassword'
41 # DESC 'LanManager Passwd'
42 # EQUALITY caseIgnoreIA5Match
43 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
45 #attributetype ( 1.3.6.1.4.1.7165.2.1.2 NAME 'ntPassword'
47 # EQUALITY caseIgnoreIA5Match
48 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
51 ## Account flags in string format ([UWDX ])
53 #attributetype ( 1.3.6.1.4.1.7165.2.1.4 NAME 'acctFlags'
54 # DESC 'Account Flags'
55 # EQUALITY caseIgnoreIA5Match
56 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
59 ## Password timestamps & policies
61 #attributetype ( 1.3.6.1.4.1.7165.2.1.3 NAME 'pwdLastSet'
62 # DESC 'NT pwdLastSet'
63 # EQUALITY integerMatch
64 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
66 #attributetype ( 1.3.6.1.4.1.7165.2.1.5 NAME 'logonTime'
68 # EQUALITY integerMatch
69 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
71 #attributetype ( 1.3.6.1.4.1.7165.2.1.6 NAME 'logoffTime'
72 # DESC 'NT logoffTime'
73 # EQUALITY integerMatch
74 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
76 #attributetype ( 1.3.6.1.4.1.7165.2.1.7 NAME 'kickoffTime'
77 # DESC 'NT kickoffTime'
78 # EQUALITY integerMatch
79 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
81 #attributetype ( 1.3.6.1.4.1.7165.2.1.8 NAME 'pwdCanChange'
82 # DESC 'NT pwdCanChange'
83 # EQUALITY integerMatch
84 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
86 #attributetype ( 1.3.6.1.4.1.7165.2.1.9 NAME 'pwdMustChange'
87 # DESC 'NT pwdMustChange'
88 # EQUALITY integerMatch
89 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
94 #attributetype ( 1.3.6.1.4.1.7165.2.1.10 NAME 'homeDrive'
96 # EQUALITY caseIgnoreIA5Match
97 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
99 #attributetype ( 1.3.6.1.4.1.7165.2.1.11 NAME 'scriptPath'
100 # DESC 'NT scriptPath'
101 # EQUALITY caseIgnoreIA5Match
102 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )
104 #attributetype ( 1.3.6.1.4.1.7165.2.1.12 NAME 'profilePath'
105 # DESC 'NT profilePath'
106 # EQUALITY caseIgnoreIA5Match
107 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )
109 #attributetype ( 1.3.6.1.4.1.7165.2.1.13 NAME 'userWorkstations'
110 # DESC 'userWorkstations'
111 # EQUALITY caseIgnoreIA5Match
112 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )
114 #attributetype ( 1.3.6.1.4.1.7165.2.1.17 NAME 'smbHome'
116 # EQUALITY caseIgnoreIA5Match
117 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
119 #attributetype ( 1.3.6.1.4.1.7165.2.1.18 NAME 'domain'
120 # DESC 'Windows NT domain to which the user belongs'
121 # EQUALITY caseIgnoreIA5Match
122 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
125 ## user and group RID
127 #attributetype ( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid'
129 # EQUALITY integerMatch
130 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
132 #attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID'
133 # DESC 'NT Group RID'
134 # EQUALITY integerMatch
135 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
## The smbPasswordEntry objectclass has been deprecated in favor of the
## sambaAccount objectclass (both kept here, commented out, for history only)
141 #objectclass ( 1.3.6.1.4.1.7165.2.2.1 NAME 'smbPasswordEntry' SUP top AUXILIARY
142 # DESC 'Samba smbpasswd entry'
143 # MUST ( uid $ uidNumber )
144 # MAY ( lmPassword $ ntPassword $ pwdLastSet $ acctFlags ))
146 #objectclass ( 1.3.6.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL
147 # DESC 'Samba Account'
149 # MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
150 # logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
151 # displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
152 # description $ userWorkstations $ primaryGroupID $ domain ))
154 #objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
155 # DESC 'Samba Auxiliary Account'
157 # MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
158 # logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
159 # displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
160 # description $ userWorkstations $ primaryGroupID $ domain ))
162 ########################################################################
163 ## END OF HISTORICAL ##
164 ########################################################################
166 #######################################################################
167 ## Attributes used by Samba 3.0 schema ##
168 #######################################################################
## LanManager password hash, stored as a 32-character hex string (16 bytes),
## one value per account.
## NOTE(review): an LM or NT hash is a password-equivalent credential (it can be
## replayed in NTLM authentication without knowing the password), so slapd ACLs
## must limit read AND write access on this attribute to the Samba bind DN;
## it must not be readable by the account itself, by ordinary users, or
## anonymously.  LM hashing is a legacy algorithm; leave this attribute unset
## where LM authentication is not required.
attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword'
	DESC 'LanManager Password'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
## NT password hash: per the DESC, the MD4 digest of the Unicode password, as a
## 32-character hex string (16 bytes).  The 32-character bound leaves no room
## for a salt, so equal passwords produce equal values.
## NOTE(review): password-equivalent credential (pass-the-hash); apply the same
## ACL as sambaLMPassword — readable and writable only by the Samba bind DN.
attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'
	DESC 'MD4 hash of the unicode password'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
184 ## Account flags in string format ([UWDX ])
## Account flags as a bracketed string of flag letters ("[UWDX ]" per the
## comment above), at most 16 characters, single-valued.  The meaning of each
## letter is defined by Samba's passdb code, not by this schema.
## NOTE(review): modifying this attribute changes account state, so write
## access should be restricted to the Samba bind DN / administrators.
attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
192 ## Password timestamps & policies
## Integer timestamp of the last password change (presumably seconds since the
## Unix epoch — confirm against pdb_ldap).  Password-age and expiry decisions
## derive from this value, so it should be writable only by the Samba bind DN,
## not by the account owner.
attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet'
	DESC 'Timestamp of the last password update'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
## Integer timestamp before which the user may not change the password
## (minimum password age).  Same timestamp encoding and write-access caveat as
## sambaPwdLastSet.
attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange'
	DESC 'Timestamp of when the user is allowed to update the password'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
## Integer timestamp at which the password expires.
## NOTE(review): an account that can write its own sambaPwdMustChange can defer
## its own expiry indefinitely; keep this attribute administrator-writable only.
attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange'
	DESC 'Timestamp of when the password will expire'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
## Integer timestamp of the account's last logon.  Useful as an audit /
## incident-response data point; it is only meaningful if Samba is configured
## to update it.
attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime'
	DESC 'Timestamp of last logon'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
## Integer timestamp of the account's last logoff (same encoding caveat as the
## other sambaXxxTime attributes).
attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime'
	DESC 'Timestamp of last logoff'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
## Integer timestamp after which the user is forcibly logged off (account
## expiry for the purpose of an active session).  Administrator-writable only;
## a self-writable value would let the account extend its own lifetime.
attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime'
	DESC 'Timestamp of when the user will be logged off automatically'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
## Running count of failed password attempts, used for account lockout.
## NOTE(review): the Samba bind DN needs write access here for lockout to work
## at all (a read-only replica cannot maintain it), and users must not be able
## to reset it themselves.  A rising value across many accounts is a useful
## detection signal for password spraying.
attributetype ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount'
	DESC 'Bad password attempt count'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
## Integer timestamp of the most recent failed password attempt; paired with
## sambaBadPasswordCount for lockout and lockout-reset decisions.  Same write
## access considerations as sambaBadPasswordCount.
attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime'
	DESC 'Time of the last bad password attempt'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
## Permitted logon hours, single-valued IA5 string of at most 42 characters.
## 42 hex characters encode 21 bytes = 168 bits, i.e. one bit per hour of the
## week — presumably that is the encoding; confirm against pdb_ldap.  This is a
## logon restriction, so it must not be self-writable.
attributetype ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )
## Drive letter the client maps the home directory to (e.g. "H:"), at most 4
## characters, single-valued.  (DESC wording "Driver letter" is an upstream typo
## for "Drive letter".)
attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive'
	DESC 'Driver letter of home directory mapping'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
## Path of the logon script the Windows client runs at logon (DirectoryString,
## so UTF-8 allowed; case-insensitive matching; up to 255 characters).
## NOTE(review): this value names code that executes on the client under the
## user's session.  Restrict write access to administrators; a user who can
## point their own entry at an arbitrary script path should be treated as a
## misconfiguration.
attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript'
	DESC 'Logon script path'
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
## Location of the roaming profile the client loads at logon (DirectoryString,
## up to 255 characters, single-valued).  Like sambaLogonScript this is
## consumed by the client and should be administrator-writable only.
attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath'
	DESC 'Roaming profile path'
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
## Workstations from which the account may log on, as one string of at most
## 255 characters (the separator is decided by Samba/Windows, not this schema).
## NOTE(review): this is a logon restriction; if the account owner can clear or
## rewrite it, the restriction is void.  Keep it administrator-writable only.
attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations'
	DESC 'List of user workstations the user is allowed to logon to'
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
## UNC path of the user's home share (DirectoryString, up to 128 characters).
## Unlike the other path attributes it is not declared SINGLE-VALUE, so the
## schema permits several values; which one Samba uses is not defined here.
attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath'
	DESC 'Home directory UNC path'
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
## NetBIOS name of the Windows domain an account belongs to; also the required
## key attribute of the sambaDomain objectclass below.  Case-insensitive
## matching, up to 128 characters, not restricted to a single value.
attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName'
	DESC 'Windows NT domain to which the user belongs'
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
## Opaque, case-sensitive string of up to 1050 characters.  Presumably the
## encoded dial-in / terminal-services user parameters ("munged dial") that
## Samba passes through to Windows clients — confirm against pdb_ldap.  The
## exact-match rule means clients must preserve case and encoding.
attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'
	EQUALITY caseExactMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
## Previous-password history used to reject password reuse.
## NOTE(review): the DESC says "concatenated" hashes, yet the {32} bound is
## exactly one 16-byte hash in hex and could not hold a concatenation; slapd
## does not enforce length qualifiers, so this is a hint rather than a limit.
## Verify how pdb_ldap actually encodes history entries (including whether
## they are salted) before relying on this description.  Whatever the encoding,
## the values are derived from real credentials and must carry the same
## read/write ACL as sambaNTPassword.
attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory'
	DESC 'Concatenated MD4 hashes of the unicode passwords used on this account'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
## Windows security identifier of the entry in textual "S-1-5-..." form, at
## most 64 characters, single-valued.  It is the required identity key of
## sambaSamAccount and sambaGroupMapping below.
## NOTE(review): the SID, not the DN or uid, is what Windows authorization is
## keyed on.  An account that can write its own sambaSID (or a group's) can
## claim another principal's identity, e.g. an administrative RID.  Write
## access must be restricted to the Samba bind DN / administrators.
attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
293 ## Primary group SID, compatible with ntSid
## SID of the account's primary group (textual form, at most 64 characters,
## single-valued).  It contributes to the user's token, so the same
## administrator-only write restriction as sambaSID applies.
attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID'
	DESC 'Primary Group Security ID'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
## Multi-valued list of SIDs (one SID per value, each at most 64 characters);
## used by sambaGroupMapping below.  Values here grant membership/authorization,
## so write access is administrator-only.
attributetype ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList'
	DESC 'Security ID List'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
307 ## group mapping attributes
## Integer group-type code for a group mapping (required by sambaGroupMapping);
## the numeric values are defined by Samba, not by this schema.
attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
315 ## Store info on the domain
## Next RID to hand out for user accounts (domain-level allocation counter).
## (DESC "give our" is an upstream typo for "give out".)
## NOTE(review): when several Samba servers share the directory, allocation must
## be race-free — presumably via a modify that deletes the old value and adds
## the new one so a concurrent allocator fails; verify in pdb_ldap.  Only the
## Samba bind DN should be able to write it; duplicate RIDs mean two accounts
## sharing one identity.
attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid'
	DESC 'Next NT rid to give our for users'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
## Next RID to hand out for groups; same atomicity and write-access
## considerations as sambaNextUserRid.
attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid'
	DESC 'Next NT rid to give out for groups'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
## Single shared RID counter for any object type (the newer alternative to the
## separate user/group counters above).  Same atomicity and write-access
## considerations as sambaNextUserRid.
attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid'
	DESC 'Next NT rid to give out for anything'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
## Base value for Samba's algorithmic (uid/gid-derived) RID generation.
## Changing it on a live domain changes every algorithmically derived SID, so
## it should be set once and be administrator-writable only.
attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase'
	DESC 'Base at which the samba RID generation algorithm should operate'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
## Name of a share whose definition is stored in the directory (case-insensitive
## DirectoryString, single-valued, no length bound).
## NOTE(review): share definitions read from LDAP become server configuration
## (paths, access settings).  The whole share/option subtree should be writable
## only by administrators.
attributetype ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName'
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
## Name of an smb.conf-style option stored in the directory, up to 256
## characters; the SUBSTR rule allows wildcard searches on option names.
## Same administrator-only write caveat as sambaShareName.
attributetype ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName'
	EQUALITY caseIgnoreMatch
	SUBSTR caseIgnoreSubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
## Boolean value of a directory-stored configuration option (LDAP Boolean
## syntax, i.e. TRUE/FALSE; single-valued).
attributetype ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption'
	DESC 'A boolean option'
	EQUALITY booleanMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
## Integer value of a directory-stored configuration option (single-valued).
attributetype ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption'
	DESC 'An integer option'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
## String value of a directory-stored configuration option.  Note this one is
## an IA5 (ASCII-only) string with case-EXACT matching, unlike
## sambaStringListOption below, which is a case-insensitive DirectoryString.
attributetype ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption'
	DESC 'A string option'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
## Multi-valued string option (one list element per value); DirectoryString
## with case-insensitive matching.
attributetype ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption'
	DESC 'A string list option'
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
370 attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName'
## Multi-valued list of privilege names (IA5, each at most 64 characters)
## granted to a SID.
## NOTE(review): privileges are authorization data — an entry that can modify
## its own sambaPrivilegeList can escalate.  Administrator-only write access.
attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'
	DESC 'Privileges List'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
## Flags describing a trust password / trust relationship (IA5 string, no
## length bound, not single-valued).  Flag values are defined by Samba.
attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags'
	DESC 'Trust Password Flags'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
384 #######################################################################
385 ## objectClasses used by Samba 3.0 schema ##
386 #######################################################################
## The X.500 data model (and therefore LDAPv3) says that each entry can
## only have one structural objectclass. OpenLDAP 2.0 did not enforce
## this; OpenLDAP 2.1 and later do, which is why the account, group-mapping
## and idmap classes below are AUXILIARY and are attached to an entry whose
## structural class (e.g. posixAccount/posixGroup) comes from another schema.
393 ## added new objectclass (and OID) for 3.0 to help us deal with backwards
394 ## compatibility with 2.2 installations (e.g. ldapsam_compat) --jerry
## Samba 3.0 account data, attached as an AUXILIARY class to an existing
## structural entry (the DESC's "Auxilary" is an upstream typo).
## Required: uid (from cosine.schema) and sambaSID.  Everything else is
## optional, including both password hashes.
## NOTE(review): because this class carries sambaLMPassword, sambaNTPassword
## and sambaPasswordHistory, any slapd ACL for entries using it must single
## out those attributes ("attrs=sambaLMPassword,sambaNTPassword,
## sambaPasswordHistory") and grant access to the Samba bind DN only; a blanket
## "by self write" or "by * read" on the entry exposes or lets users rewrite
## password-equivalent credentials.  sambaSID and sambaPrimaryGroupSID should
## likewise not be self-writable.
objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
	DESC 'Samba 3.0 Auxilary SAM Account'
	MUST ( uid $ sambaSID )
	MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
	      sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
	      sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
	      displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
	      sambaProfilePath $ description $ sambaUserWorkstations $
	      sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
	      sambaBadPasswordCount $ sambaBadPasswordTime $
	      sambaPasswordHistory $ sambaLogonHours))
409 ## Group mapping info
## Maps a POSIX group (gidNumber, from nis.schema) to a Windows group SID and
## type.  AUXILIARY, so it is attached to a structural group entry.
## NOTE(review): sambaSID and sambaSIDList here define who a Windows group *is*
## and which SIDs it carries; write access must be administrator-only.
objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
	DESC 'Samba Group Mapping'
	MUST ( gidNumber $ sambaSID $ sambaGroupType )
	MAY ( displayName $ description $ sambaSIDList ))
417 ## Whole-of-domain info
## STRUCTURAL entry holding per-domain state: the domain name plus the RID
## allocation counters/base.
## NOTE(review): the MUST clause as shown here ends with a dangling "$"; the
## upstream definition also requires the domain's sambaSID — confirm against the
## installed samba.schema.  This entry is written by the Samba bind DN during
## RID allocation and must not be writable by anyone else.
objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
	DESC 'Samba Domain Information'
	MUST ( sambaDomainName $
	MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
	      sambaAlgorithmicRidBase ) )
426 ## used for idmap_ldap module
## Allocation pool for idmap_ldap: the entry's uidNumber/gidNumber hold the
## next UNIX ids to allocate.  Allocation needs the same race-free update and
## bind-DN-only write access as the RID counters above; a duplicate uid/gid
## would let two SIDs share one UNIX identity.
objectclass ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
	DESC 'Pool for allocating UNIX uids/gids'
	MUST ( uidNumber $ gidNumber ) )
## One SID-to-UNIX-id mapping used by idmap_ldap.
## NOTE(review): the SID being mapped does not appear in this definition as
## shown (upstream requires sambaSID via a MUST clause) — confirm against the
## installed samba.schema.  These mappings decide which UNIX user or group a
## Windows SID becomes on the file server, so they must be writable only by the
## Samba bind DN.
objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
	DESC 'Mapping from a SID to an ID'
	MAY ( uidNumber $ gidNumber ) )
437 objectclass ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL
438 DESC 'Structural Class for a SID'