## schema file for Fedora/RedHat Directory Server
## NOTE: this file can be copied as 60samba.ldif into your instance schema
## cp samba-schema-FDS.ldif /etc/dirsrv/slapd-<instance-name>/schema/60schema.ldif
## Schema for storing Samba user accounts and group maps in LDAP
## OIDs are owned by the Samba Team
## Prerequisite schemas - uid (cosine.schema)
##                      - displayName (inetorgperson.schema)
##                      - gidNumber (nis.schema)
## 1.3.6.1.4.1.7165.2.1.x - attributeTypes
## 1.3.6.1.4.1.7165.2.2.x - objectClasses
## 1.3.6.1.4.1.7165.2.3.1.x - attributeTypes
## 1.3.6.1.4.1.7165.2.3.2.x - objectClasses
## 1.3.6.1.4.1.7165.4.1.x - attributeTypes
## 1.3.6.1.4.1.7165.4.2.x - objectClasses
## 1.3.6.1.4.1.7165.4.3.x - LDB/LDAP Controls
## 1.3.6.1.4.1.7165.4.4.x - LDB/LDAP Extended Operations
## 1.3.6.1.4.1.7165.4.255.x - mapped OIDs due to conflicts between AD and standards-track
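#######################################################################
## Attributes used by Samba 3.0 schema ##
#######################################################################
##
## Password hashes. Per the DESC strings these hold the LanManager hash and
## the MD4 hash of the Unicode password, each stored as an IA5 string with a
## {32} length bound. No salt is involved, so a value read from the directory
## is password-equivalent. Treat both attributes like cleartext passwords:
## limit read and write access through directory access controls to the
## identity Samba binds as, and carry LDAP traffic over TLS. Leave
## sambaLMPassword unpopulated where LanManager authentication is not needed.
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword'
  DESC 'LanManager Password'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'
  DESC 'MD4 hash of the unicode password'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )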
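## Account flags in string format ([UWDX ])
## Single-valued IA5 string with a {16} length bound.
## NOTE(review): the meaning of the individual flag letters is not defined in
## this file. Presumably they govern account state, so write access should be
## as restricted as for the password attributes; confirm against Samba docs.
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags'
  DESC 'Account Flags'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )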
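## Password timestamps & policies
## All but sambaLogonHours are single-valued integers compared with
## integerMatch. The DESC strings call them timestamps; the epoch and unit are
## not stated in this file.
## sambaBadPasswordCount and sambaBadPasswordTime record failed logons. A
## principal that can rewrite them can reset that record, so keep write access
## limited to the identity Samba binds as.
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet'
  DESC 'Timestamp of the last password update'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange'
  DESC 'Timestamp of when the user is allowed to update the password'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange'
  DESC 'Timestamp of when the password will expire'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime'
  DESC 'Timestamp of last logon'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime'
  DESC 'Timestamp of last logoff'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime'
  DESC 'Timestamp of when the user will be logged off automatically'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount'
  DESC 'Bad password attempt count'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime'
  DESC 'Time of the last bad password attempt'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
## Logon hours are kept as an IA5 string with a {42} length bound; the
## encoding of the string is not described in this file.
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours'
  DESC 'Logon Hours'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )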
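## Per-account string settings: home drive, logon script, profile and home
## paths, permitted workstations, domain name and the munged-dial blob.
## sambaHomePath, sambaDomainName and sambaMungedDial are declared without
## SINGLE-VALUE, so the schema permits several values on one entry.
## sambaLogonScript, sambaProfilePath and sambaHomePath name locations that
## are used for the account at logon, and sambaUserWorkstations limits where
## the account may log on. Limit write access to these attributes accordingly.
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive'
  DESC 'Driver letter of home directory mapping'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript'
  DESC 'Logon script path'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath'
  DESC 'Roaming profile path'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations'
  DESC 'List of user workstations the user is allowed to logon to'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath'
  DESC 'Home directory UNC path'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName'
  DESC 'Windows NT domain to which the user belongs'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
## Base64 text, hence the case-sensitive equality rule.
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'
  DESC 'Base64 encoded user parameter string'
  EQUALITY caseExactMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )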
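## Password history. The DESC string describes the value as concatenated MD5
## hashes of salted NT passwords. This is credential-derived material, so
## apply the same access controls as for sambaNTPassword and sambaLMPassword.
## The attribute is declared without SINGLE-VALUE.
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory'
  DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )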
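## Security identifier, stored as a single-valued IA5 string with a {64}
## length bound. Equality matching ignores case, while the substring rule is
## case-exact.
## sambaSID is a MUST attribute of several object classes in this file
## (sambaSamAccount, sambaGroupMapping, sambaDomain, sambaIdmapEntry,
## sambaSidEntry).
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
  DESC 'Security ID'
  EQUALITY caseIgnoreIA5Match
  SUBSTR caseExactIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )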
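## Primary group SID, compatible with ntSid
## sambaPrimaryGroupSID is single-valued. sambaSIDList is declared without
## SINGLE-VALUE, so one entry may carry several SIDs.
## NOTE(review): these values presumably feed group membership decisions, so
## write access should be limited to the identity Samba binds as; confirm.
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID'
  DESC 'Primary Group Security ID'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList'
  DESC 'Security ID List'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )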
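## group mapping attributes
## Single-valued integer; the numeric codes for the group types are not
## defined in this file.
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType'
  DESC 'NT Group Type'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )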
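## Store info on the domain
## RID allocation counters and the algorithmic RID base, all single-valued
## integers. They are optional (MAY) attributes of the sambaDomain class.
## NOTE(review): a counter moved backwards could presumably cause a RID to be
## handed out twice, so keep these writable only by the identity Samba binds
## as; confirm against the allocator.
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid'
  DESC 'Next NT rid to give our for users'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid'
  DESC 'Next NT rid to give out for groups'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid'
  DESC 'Next NT rid to give out for anything'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase'
  DESC 'Base at which the samba RID generation algorithm should operate'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )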
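## Share and configuration-option attributes, used by the sambaShare and
## sambaConfigOption object classes. An option entry is named by
## sambaOptionName and can carry a boolean, integer, string or string-list
## value. sambaOptionName and sambaStringListOption are declared without
## SINGLE-VALUE.
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName'
  DESC 'Share Name'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName'
  DESC 'Option Name'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption'
  DESC 'A boolean option'
  EQUALITY booleanMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption'
  DESC 'An integer option'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption'
  DESC 'A string option'
  EQUALITY caseExactIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption'
  DESC 'A string list option'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )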
##attributeTypes: ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName'
##attributeTypes: ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'
##  DESC 'Privileges List'
##  EQUALITY caseIgnoreIA5Match
##  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
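## Flags stored next to a trust password. This is a MUST attribute of the
## sambaTrustPassword object class. It is declared without SINGLE-VALUE and
## without a length bound.
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags'
  DESC 'Trust Password Flags'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )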
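## Domain-wide account policy attributes. All are single-valued integers and
## are optional (MAY) attributes of the sambaDomain object class.
## The defaults quoted in the DESC strings are permissive: minimum length 5,
## password history off, passwords never expire, lockout threshold off. Set
## these values explicitly on the domain entry rather than relying on the
## defaults, and keep write access to them limited to directory administrators.
# "min password length"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength'
  DESC 'Minimal password length (default: 5)'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength'
  DESC 'Length of Password History Entries (default: 0 => off)'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "user must logon to change password"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd'
  DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "maximum password age"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge'
  DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "minimum password age"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge'
  DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration'
  DESC 'Lockout duration in minutes (default: 30, -1 => forever)'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "reset count minutes"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow'
  DESC 'Reset time after lockout in minutes (default: 30)'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "bad lockout attempt"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold'
  DESC 'Lockout users after bad logon attempts (default: 0 => off)'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff'
  DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "refuse machine password change"
# NOTE(review): the attribute name says "refuse" while the DESC string says
# "Allow"; confirm which sense the value 0 has before relying on it.
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange'
  DESC 'Allow Machine Password changes (default: 0 => off)'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )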
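#######################################################################
## objectClasses: used by Samba 3.0 schema ##
#######################################################################
## The X.500 data model (and therefore LDAPv3) says that each entry can
## only have one structural objectClass. OpenLDAP 2.0 does not enforce
## this currently but will in v2.1
## added new objectClass (and OID) for 3.0 to help us deal with backwards
## compatibility with 2.2 installations (e.g. ldapsam_compat) --jerry
##
## sambaSamAccount is AUXILIARY, so it is added to an entry that already has
## a structural class. Only uid and sambaSID are required.
## The MAY list includes sambaLMPassword, sambaNTPassword and
## sambaPasswordHistory. Entries of this class can therefore carry
## password-equivalent hashes, and access controls on the subtree holding
## them must deny read access to those attributes for ordinary binds.
objectClasses: ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
  DESC 'Samba 3.0 Auxilary SAM Account'
  MUST ( uid $ sambaSID )
  MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
    sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
    sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
    displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
    sambaProfilePath $ description $ sambaUserWorkstations $
    sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
    sambaBadPasswordCount $ sambaBadPasswordTime $
    sambaPasswordHistory $ sambaLogonHours ) )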
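## Group mapping info
## Auxiliary class tying a gidNumber to a sambaSID and a sambaGroupType.
## All three are required. gidNumber comes from the prerequisite nis schema.
objectClasses: ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
  DESC 'Samba Group Mapping'
  MUST ( gidNumber $ sambaSID $ sambaGroupType )
  MAY ( displayName $ description $ sambaSIDList ) )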
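## Trust password for trust relationships (any kind)
## Structural class. sambaNTPassword is a MUST attribute here, so every entry
## of this class holds a password hash. Give the container for these entries
## the same read and write restrictions as the account password attributes.
objectClasses: ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL
  DESC 'Samba Trust Password'
  MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags )
  MAY ( sambaSID $ sambaPwdLastSet ) )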
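## Whole-of-domain info
## Structural class identified by sambaDomainName and sambaSID. The optional
## attributes are the RID allocation counters and the domain account policy
## (password length, history and age, lockout, forced logoff, machine password
## change). Anyone who can modify this entry can change that policy, so keep
## write access limited to directory administrators.
objectClasses: ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
  DESC 'Samba Domain Information'
  MUST ( sambaDomainName $ sambaSID )
  MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
    sambaAlgorithmicRidBase $ sambaMinPwdLength $
    sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaMaxPwdAge $
    sambaMinPwdAge $ sambaLockoutDuration $
    sambaLockoutObservationWindow $ sambaLockoutThreshold $
    sambaForceLogoff $ sambaRefuseMachinePwdChange ) )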
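## used for idmap_ldap module
## sambaUnixIdPool requires both uidNumber and gidNumber, sambaIdmapEntry maps
## one sambaSID to an optional uidNumber and/or gidNumber, and sambaSidEntry
## is the structural class an entry can use when it holds nothing but a SID.
## NOTE(review): these mappings presumably decide which UNIX id a SID is
## treated as, so write access should be limited to the identity the idmap
## module binds as; confirm.
objectClasses: ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
  DESC 'Pool for allocating UNIX uids/gids'
  MUST ( uidNumber $ gidNumber ) )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
  DESC 'Mapping from a SID to an ID'
  MUST ( sambaSID )
  MAY ( uidNumber $ gidNumber ) )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL
  DESC 'Structural Class for a SID'
  MUST ( sambaSID ) )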
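## Configuration section and share entries. sambaConfig is auxiliary and
## carries only an optional description. sambaShare is structural and is
## identified by sambaShareName.
objectClasses: ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY
  DESC 'Samba Configuration Section'
  MAY ( description ) )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL
  DESC 'Samba Share Section'
  MUST ( sambaShareName )
  MAY ( description ) )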
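## One configuration option: a required sambaOptionName plus an optional
## boolean, integer, string or string-list value.
## The MAY list spells sambaStringListOption exactly as the attribute type is
## declared in this file. LDAP matches attribute names case-insensitively, so
## this is a consistency fix rather than a schema change.
objectClasses: ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL
  DESC 'Samba Configuration Option'
  MUST ( sambaOptionName )
  MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $
    sambaStringListOption $ description ) )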
## retired during privilege rewrite
##objectClasses: ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY
##  DESC 'Samba Privilege'
##  MAY ( sambaPrivilegeList ) )