halfway working idm server and laptop hostclasses

author: Cullum Smith <cullum@sacredheartsc.com> 2024-08-02 19:10:39 -0400
committer: Cullum Smith <cullum@sacredheartsc.com> 2024-08-02 19:10:39 -0400
commit: cbcd022f302adc39ecb89fba6faf72e68184c0e0 (patch)
tree: a5ab154e08fa3c4fa110b09d3475736c66840c8b /files/usr/local/etc/openldap
parent: ceb339370d7a0cc4a83fe54103a650dfb3f72261 (diff)
download: infrastructure-cbcd022f302adc39ecb89fba6faf72e68184c0e0.tar.gz
8 files changed, 1067 insertions, 0 deletions
diff --git a/files/usr/local/etc/openldap/ldap.conf.idm_server b/files/usr/local/etc/openldap/ldap.conf.idm_server
new file mode 100644
index 0000000..3b285f7
--- /dev/null
+++ b/files/usr/local/etc/openldap/ldap.conf.idm_server
@@ -0,0 +1,9 @@
+URI            ldapi:///
+BASE           ${basedn}
+USE_SASL       yes
+ROOTUSE_SASL   yes
+SASL_MECH      EXTERNAL
+SASL_REALM     ${realm}
+GSSAPI_SIGN    yes
+GSSAPI_ENCRYPT yes
+SUDOERS_BASE   ${sudo_basedn}
diff --git a/files/usr/local/etc/openldap/schema/dnsdomain2.ldif.idm_server b/files/usr/local/etc/openldap/schema/dnsdomain2.ldif.idm_server
new file mode 100644
index 0000000..f4fcd01
--- /dev/null
+++ b/files/usr/local/etc/openldap/schema/dnsdomain2.ldif.idm_server
@@ -0,0 +1,252 @@
+dn: cn=dnsdomain2,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: dnsdomain2
+# A schema for storing DNS zones in LDAP
+#
+# ORDERING is not necessary, and some servers don't support
+# integerOrderingMatch. Omit or change if you like
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.0.0  NAME 'dNSTTL'
+  DESC 'An integer denoting time to live'
+  EQUALITY integerMatch
+  ORDERING integerOrderingMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass'
+  DESC 'The class of a resource record'
+  EQUALITY caseIgnoreIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.11 NAME 'wKSRecord'
+  DESC 'a well known service description, RFC 1035'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord'
+  DESC 'domain name pointer, RFC 1035'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord'
+  DESC 'host information, RFC 1035'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord'
+  DESC 'mailbox or mail list information, RFC 1035'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord'
+  DESC 'text string, RFC 1035'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.17 NAME 'rPRecord'
+  DESC 'for Responsible Person, RFC 1183'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord'
+  DESC 'for AFS Data Base location, RFC 1183'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord'
+  DESC 'Signature, RFC 2535'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord'
+  DESC 'Key, RFC 2535'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.27 NAME 'gPosRecord'
+  DESC 'Geographical Position, RFC 1712'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord'
+  DESC 'IPv6 address, RFC 1886'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord'
+  DESC 'Location, RFC 1876'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord'
+  DESC 'non-existant, RFC 2535'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord'
+  DESC 'service location, RFC 2782'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord'
+  DESC 'Naming Authority Pointer, RFC 2915'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord'
+  DESC 'Key Exchange Delegation, RFC 2230'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord'
+  DESC 'certificate, RFC 2538'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record'
+  DESC 'A6 Record Type, RFC 2874'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord'
+  DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.42 NAME 'aPLRecord'
+  DESC 'Lists of Address Prefixes, RFC 3123'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord'
+  DESC 'Delegation Signer, RFC 3658'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord'
+  DESC 'SSH Key Fingerprint, RFC 4255'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.45 NAME 'iPSecKeyRecord'
+  DESC 'SSH Key Fingerprint, RFC 4025'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord'
+  DESC 'RRSIG, RFC 3755'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord'
+  DESC 'NSEC, RFC 3755'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.48 NAME 'dNSKeyRecord'
+  DESC 'DNSKEY, RFC 3755'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.49 NAME 'dHCIDRecord'
+  DESC 'DHCID, RFC 4701'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.50 NAME 'nSEC3Record'
+  DESC 'NSEC record version 3, RFC 5155'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.51 NAME 'nSEC3PARAMRecord'
+  DESC 'NSEC3 parameters, RFC 5155'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.52 NAME 'tLSARecord'
+  DESC 'TLSA certificate association, RFC 6698'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.59 NAME 'cDSRecord'
+  DESC 'Child DS, RFC7344'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.60 NAME 'cDNSKeyRecord'
+  DESC 'DNSKEY(s) the Child wants reflected in DS, RFC7344'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.61 NAME 'openPGPKeyRecord'
+  DESC 'OpenPGP Key, RFC7929'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.64 NAME 'SVCBRecord'
+  DESC 'Service binding, draft-ietf-dnsop-svcb-https-01'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.65 NAME 'HTTPSRecord'
+  DESC 'HTTPS service binding, draft-ietf-dnsop-svcb-https-01'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.99 NAME 'sPFRecord'
+  DESC 'Sender Policy Framework, RFC 4408'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.108 NAME 'EUI48Record'
+  DESC 'EUI-48 address, RFC7043'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.109 NAME 'EUI64Record'
+  DESC 'EUI-64 address, RFC7043'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.249 NAME 'tKeyRecord'
+  DESC 'Transaction Key, RFC2930'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.256 NAME 'uRIRecord'
+  DESC 'URI, RFC7553'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.257 NAME 'cAARecord'
+  DESC 'Certification Authority Restriction, RFC6844'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.32769 NAME 'dLVRecord'
+  DESC 'DNSSEC Lookaside Validation, RFC4431'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.65226 NAME 'TYPE65226Record'
+  DESC ''
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.65534 NAME 'TYPE65534Record'
+  DESC ''
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcObjectClasses: ( 1.3.6.1.4.1.2428.20.2 NAME 'dNSDomain2'
+  SUP 'dNSDomain' STRUCTURAL
+  MAY ( DNSTTL $ DNSClass $ WKSRecord $ PTRRecord $
+  HINFORecord $ MINFORecord $ TXTRecord $ RPRecord $
+  AFSDBRecord $ SIGRecord $ KEYRecord $ GPOSRecord $
+  AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $
+  NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $
+  DNAMERecord $ APLRecord $ DSRecord $ SSHFPRecord $
+  IPSECKEYRecord $ RRSIGRecord $ NSECRecord $
+  DNSKEYRecord $ DHCIDRecord $ NSEC3Record $ NSEC3PARAMRecord $
+  TLSARecord $ CDSRecord $ CDNSKEYRecord $ OPENPGPKEYRecord $
+  SVCBRecord $ HTTPSRecord $
+  SPFRecord $ EUI48Record $ EUI64Record $ TKEYRecord $
+  URIRecord $ CAARecord $ DLVRecord $ TYPE65226Record $
+  TYPE65534Record
+  ) )
diff --git a/files/usr/local/etc/openldap/schema/kerberos.ldif.idm_server b/files/usr/local/etc/openldap/schema/kerberos.ldif.idm_server
new file mode 100644
index 0000000..830277d
--- /dev/null
+++ b/files/usr/local/etc/openldap/schema/kerberos.ldif.idm_server
@@ -0,0 +1,68 @@
+# This LDIF version of the Kerberos schema can be loaded into an
+# OpenLDAP database.  It was originally converted semi-automatically
+# from kerberos.schema using slaptest.
+
+dn: cn=kerberos,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: kerberos
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.1 NAME 'krbCanonicalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.3.1 NAME 'krbPrincipalType' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.5.1 NAME 'krbUPEnabled' DESC 'Boolean' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.8.1 NAME 'krbTicketFlags' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.9.1 NAME 'krbMaxTicketLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.10.1 NAME 'krbMaxRenewableAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.14.1 NAME 'krbRealmReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.15.1 NAME 'krbLdapServers' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.18.1 NAME 'krbPwdServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.24.1 NAME 'krbHostServer' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.25.1 NAME 'krbSearchScope' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.26.1 NAME 'krbPrincipalReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.28.1 NAME 'krbPrincNamingAttr' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.29.1 NAME 'krbAdmServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.30.1 NAME 'krbMaxPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.31.1 NAME 'krbMinPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.32.1 NAME 'krbPwdMinDiffChars' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.1 NAME 'krbPwdMaxFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.2 NAME 'krbPwdFailureCountInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.3 NAME 'krbPwdLockoutDuration' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.2 NAME 'krbPwdAttributes' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.3 NAME 'krbPwdMaxLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.4 NAME 'krbPwdMaxRenewableLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.5 NAME 'krbPwdAllowedKeysalts' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.39.1 NAME 'krbPrincipalKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.40.1 NAME 'krbTicketPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.41.1 NAME 'krbSubTrees' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.42.1 NAME 'krbDefaultEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.43.1 NAME 'krbSupportedEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.44.1 NAME 'krbPwdHistory' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChange' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.46.1 NAME 'krbMKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.47.1 NAME 'krbPrincipalAliases' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccessfulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.50.1 NAME 'krbLoginFailedCount' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.51.1 NAME 'krbExtraData' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContainerRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113730.3.8.15.2.1 NAME 'krbPrincipalAuthInd' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.4 NAME 'krbAllowedToDelegateTo' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.1.1 NAME 'krbContainer' SUP top STRUCTURAL MUST cn )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer' SUP top STRUCTURAL MUST cn MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef ) )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.3.1 NAME 'krbService' SUP top ABSTRACT MUST cn MAY ( krbHostServer $ krbRealmReferences ) )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP krbService STRUCTURAL )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SUP krbService STRUCTURAL )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' SUP top AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbLastAdminUnlock $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbAllowedToDelegateTo $ krbPrincipalAuthInd ) )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP top STRUCTURAL MUST krbPrincipalName MAY krbObjectReferences )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.11.1 NAME 'krbPrincRefAux' SUP top AUXILIARY MAY krbPrincipalReferences )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' SUP krbService STRUCTURAL )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SUP top STRUCTURAL MUST cn MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxLife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicyAux' SUP top AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy' SUP top STRUCTURAL MUST cn )
diff --git a/files/usr/local/etc/openldap/schema/mailservice.ldif.idm_server b/files/usr/local/etc/openldap/schema/mailservice.ldif.idm_server
new file mode 100644
index 0000000..3cdedce
--- /dev/null
+++ b/files/usr/local/etc/openldap/schema/mailservice.ldif.idm_server
@@ -0,0 +1,177 @@
+dn: cn=mailservice,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: mailservice
+olcObjectIdentifier: {0}DebOps 1.3.6.1.4.1.53622
+olcObjectIdentifier: {1}DebOpsLDAP DebOps:42
+olcObjectIdentifier: {2}mailService DebOpsLDAP:2
+olcObjectIdentifier: {3}mailServiceAttribute mailService:3
+olcObjectIdentifier: {4}mailServiceObject mailService:4
+olcAttributeTypes: {0}( mailServiceAttribute:1 NAME 'mailAddress' DESC 'Primar
+ y RFC 822 email address of this recipient, can be                      used a
+ s a login identifier.' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substr
+ ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
+olcAttributeTypes: {1}( mailServiceAttribute:2 NAME 'mailAlternateAddress' DES
+ C 'Alternate RFC 822 email address(es) of this recipient' EQUALITY caseIgnore
+ IA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
+ 1.26{256} )
+olcAttributeTypes: {2}( mailServiceAttribute:3 NAME 'mailPrivateAddress' DESC 
+ 'A confidential RFC 822 email address of this recipient                      
+ which can be used as a login identifier.' EQUALITY caseIgnoreIA5Match SUBSTR 
+ caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE
+ -VALUE )
+olcAttributeTypes: {3}( mailServiceAttribute:4 NAME 'mailContactAddress' DESC 
+ 'RFC 822 email address of this recipient which is meant to                   
+    be public and serve as the primary contact address.' EQUALITY caseIgnoreIA
+ 5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.
+ 26{256} )
+olcAttributeTypes: {4}( mailServiceAttribute:5 NAME 'mailInternalAddress' DESC
+  'An internal RFC 822 email address of this recipient                      wh
+ ich will be rewritten to an external email address' EQUALITY caseIgnoreIA5Mat
+ ch SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{2
+ 56} SINGLE-VALUE )
+olcAttributeTypes: {5}( mailServiceAttribute:6 NAME 'mailExternalAddress' DESC
+  'An external RFC 822 email address of this recipient                      wh
+ ich will be rewritten to an internal email address' EQUALITY caseIgnoreIA5Mat
+ ch SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{2
+ 56} SINGLE-VALUE )
+olcAttributeTypes: {6}( mailServiceAttribute:7 NAME 'mailSenderBccTo' DESC 'RF
+ C 822 BCC email address(es) to add for a given mail sender' EQUALITY caseIgno
+ reIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.12
+ 1.1.26{256} )
+olcAttributeTypes: {7}( mailServiceAttribute:8 NAME 'mailRecipientBccTo' DESC 
+ 'RFC 822 BCC email address(es) to add for a given mail recipient' EQUALITY ca
+ seIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.
+ 115.121.1.26{256} )
+olcAttributeTypes: {8}( mailServiceAttribute:9 NAME 'mailForwardTo' DESC 'RFC 
+ 822 email address(es) to forward all incoming messages to' EQUALITY caseIgnor
+ eIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121
+ .1.26{256} )
+olcAttributeTypes: {9}( mailServiceAttribute:10 NAME 'mailForwardToURL' DESC '
+ LDAP search URL that defines the recipients of the mail messages             
+          sent to this mailing list' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1
+ .4.1.1466.115.121.1.26 )
+olcAttributeTypes: {10}( mailServiceAttribute:11 NAME 'mailErrorsTo' DESC 'RFC
+  822 email address(es) to use when routing error and notification            
+           messages to the owner(s) of an email distribution list' EQUALITY ca
+ seIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.
+ 115.121.1.26{256} )
+olcAttributeTypes: {11}( mailServiceAttribute:12 NAME 'mailRequestsTo' DESC 'R
+ FC 822 email address(es) to use when routing request                      mes
+ sages sent to the email distribution list' EQUALITY caseIgnoreIA5Match SUBSTR
+  caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+olcAttributeTypes: {12}( mailServiceAttribute:13 NAME 'mailEnvelopeAddress' DE
+ SC 'RFC 822 envelope sender email address of a given mail user               
+        or email distribution list' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
+ oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE 
+ )
+olcAttributeTypes: {13}( mailServiceAttribute:14 NAME 'mailRoutingAddress' DES
+ C 'RFC 822 email address to use when routing messages to                     
+  the SMTP MTA of this recipient' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnor
+ eIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
+olcAttributeTypes: {14}( mailServiceAttribute:15 NAME 'mailHost' DESC 'Fully Q
+ ualified Domain Name of the SMTP MTA that                      handles messag
+ es for this recipient' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMa
+ tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE )
+olcAttributeTypes: {15}( mailServiceAttribute:16 NAME 'mailTransport' DESC 'MT
+ A mail transport method which will take care of the email delivery' EQUALITY 
+ caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {16}( mailServiceAttribute:17 NAME 'mailUidNumber' DESC 'UI
+ D required to access the mailbox' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.14
+ 66.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {17}( mailServiceAttribute:18 NAME 'mailGidNumber' DESC 'GI
+ D required to access the mailbox' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.14
+ 66.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {18}( mailServiceAttribute:19 NAME 'mailHomeDirectory' DESC
+  'The absolute path to the mail user home directory' EQUALITY caseExactIA5Mat
+ ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {19}( mailServiceAttribute:20 NAME 'mailMessageStore' DESC 
+ 'The path to the mail user mailbox storage directory' EQUALITY caseExactIA5Ma
+ tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {20}( mailServiceAttribute:21 NAME 'mailQuota' DESC 'Mail q
+ uota limit in kilobytes' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.
+ 115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {21}( mailServiceAttribute:22 NAME 'mailGroupACL' DESC 'Com
+ ma-separated list of mail groups a given mail user                      belon
+ gs to, used for mailbox access control' EQUALITY caseExactIA5Match SUBSTR cas
+ eExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {22}( mailServiceAttribute:23 NAME 'mailExpungeTrash' DESC 
+ 'Time to automatically expunge Trash mailbox' EQUALITY caseIgnoreIA5Match SYN
+ TAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {23}( mailServiceAttribute:24 NAME 'mailSieveRuleSource' DE
+ SC 'Definition of a Sieve filter script for a given mail user' SYNTAX 1.3.6.1
+ .4.1.1466.115.121.1.26 )
+olcAttributeTypes: {24}( mailServiceAttribute:25 NAME 'mailSuppressErrors' DES
+ C 'Suppress error messages from being sent back to message originator' EQUALI
+ TY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {25}( mailServiceAttribute:26 NAME 'mailDeliveryFile' DESC 
+ 'Path to a file used for archiving messages sent to the distribution list' EQ
+ UALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {26}( mailServiceAttribute:27 NAME 'mailDeliveryOption' DES
+ C 'Message handling option for messages sent to a designated recipient' EQUAL
+ ITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {27}( mailServiceAttribute:28 NAME 'mailProgramDeliveryInfo
+ ' DESC 'Named programs for message post-processing' EQUALITY caseExactIA5Matc
+ h SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {28}( mailServiceAttribute:29 NAME 'mailAuthorizedDomain' D
+ ESC 'Domains authorized to submit messages to the distribution list' EQUALITY
+  caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {29}( mailServiceAttribute:30 NAME 'mailAuthorizedSender' D
+ ESC 'Addresses authorized to submit messages to the distribution list' EQUALI
+ TY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {30}( mailServiceAttribute:31 NAME 'mailUnauthorizedDomain'
+  DESC 'Domains not authorized to submit messages to the distribution list' EQ
+ UALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {31}( mailServiceAttribute:32 NAME 'mailUnauthorizedSender'
+  DESC 'Addresses not authorized to submit messages to the distribution list' 
+ EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {32}( mailServiceAttribute:33 NAME 'mailRemoveHeader' DESC 
+ 'Headers to remove from the messages sent to the mailing list' SYNTAX 1.3.6.1
+ .4.1.1466.115.121.1.26 )
+olcAttributeTypes: {33}( mailServiceAttribute:34 NAME 'mailAddHeader' DESC 'He
+ aders to add to the messages sent to the mailing list' SYNTAX 1.3.6.1.4.1.146
+ 6.115.121.1.26 )
+olcAttributeTypes: {34}( mailServiceAttribute:35 NAME 'mailAntispamPolicy' DES
+ C 'Name of the anti-spam policy to apply to a given LDAP entry' SYNTAX 1.3.6.
+ 1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {35}( mailServiceAttribute:36 NAME 'mailAntivirusPolicy' DE
+ SC 'Name of the anti-virus policy to apply to a given LDAP entry' SYNTAX 1.3.
+ 6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {36}( mailServiceAttribute:37 NAME 'mailContentPolicy' DESC
+  'Name of the content policy to apply to a given LDAP entry' SYNTAX 1.3.6.1.4
+ .1.1466.115.121.1.26 SINGLE-VALUE )
+olcObjectClasses: {0}( mailServiceObject:1 NAME 'mailRecipient' DESC 'The entr
+ y represents an entity within the organization that                    can re
+ ceive SMTP mail, such as a mail user account' SUP top AUXILIARY MUST mailAddr
+ ess MAY ( mailAlternateAddress $ mailPrivateAddress $ mailContactAddress $ ma
+ ilEnvelopeAddress $ mailRoutingAddress $ mailExternalAddress $ mailInternalAd
+ dress $ mailSenderBccTo $ mailRecipientBccTo $ mailHost $ mailTransport $ mai
+ lUidNumber $ mailGidNumber $ mailHomeDirectory $ mailMessageStore $ mailQuota
+  $ mailGroupACL $ mailExpungeTrash $ mailSieveRuleSource $ mailDeliveryOption
+  $ mailProgramDeliveryInfo $ mail $ cn $ description $ uid $ userPassword ) )
+olcObjectClasses: {1}( mailServiceObject:2 NAME 'mailAlias' DESC 'The entry re
+ presents an entity within the organization that                    defines an
+  email alias for mail recipients' SUP top STRUCTURAL MUST mailAddress MAY ( m
+ ailForwardTo $ mailForwardToURL $ mailHost $ mailTransport $ mailDeliveryFile
+  $ mailDeliveryOption $ mailProgramDeliveryInfo $ mail $ cn $ description $ o
+ wner ) )
+olcObjectClasses: {2}( mailServiceObject:3 NAME 'mailDistributionList' DESC 'T
+ he entry represents an entity within the organization that                   
+  can receive and forward SMTP mail, such as a mail                    group a
+ ccount (mailing list)' SUP top AUXILIARY MUST mailAddress MAY ( mailForwardTo
+  $ mailForwardToURL $ mailEnvelopeAddress $ mailErrorsTo $ mailRequestsTo $ m
+ ailSuppressErrors $ mailHost $ mailTransport $ mailDeliveryFile $ mailDeliver
+ yOption $ mailProgramDeliveryInfo $ mailAuthorizedDomain $ mailAuthorizedSend
+ er $ mailUnauthorizedDomain $ mailUnauthorizedSender $ mailRemoveHeader $ mai
+ lAddHeader $ mail $ cn $ description $ owner $ manager $ seeAlso ) )
+olcObjectClasses: {3}( mailServiceObject:4 NAME 'mailDomain' DESC 'The entry r
+ epresents an entity within the organization that                    defines a
+ n email domain' SUP domain STRUCTURAL MAY ( mailHost $ mailTransport $ mailSe
+ nderBccTo $ mailRecipientBccTo $ mailErrorsTo $ mailSuppressErrors $ mailAuth
+ orizedDomain $ mailAuthorizedSender $ mailUnauthorizedDomain $ mailUnauthoriz
+ edSender $ mailRemoveHeader $ mailAddHeader $ description $ owner $ manager )
+  )
+olcObjectClasses: {4}( mailServiceObject:5 NAME 'mailFilter' DESC 'The entry r
+ epresents an entity within the organization that                    can filte
+ r email messages according to various policies' SUP top AUXILIARY MAY ( mailA
+ ntispamPolicy $ mailAntivirusPolicy $ mailContentPolicy $ cn $ description $ 
+ seeAlso ) )
diff --git a/files/usr/local/etc/openldap/schema/openssh-lpk.ldif.idm_server b/files/usr/local/etc/openldap/schema/openssh-lpk.ldif.idm_server
new file mode 100644
index 0000000..6cde0a4
--- /dev/null
+++ b/files/usr/local/etc/openldap/schema/openssh-lpk.ldif.idm_server
@@ -0,0 +1,11 @@
+dn: cn=openssh-lpk,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: openssh-lpk
+olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
+    DESC 'MANDATORY: OpenSSH Public key'
+    EQUALITY octetStringMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
+    DESC 'MANDATORY: OpenSSH LPK objectclass'
+    MAY ( sshPublicKey $ uid )
+    )
diff --git a/files/usr/local/etc/openldap/schema/rfc2307bis.ldif.idm_server b/files/usr/local/etc/openldap/schema/rfc2307bis.ldif.idm_server
new file mode 100644
index 0000000..83cf2be
--- /dev/null
+++ b/files/usr/local/etc/openldap/schema/rfc2307bis.ldif.idm_server
@@ -0,0 +1,246 @@
+dn: cn=rfc2307bis,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: rfc2307bis
+###
+# Extracted from: http://tools.ietf.org/html/draft-howard-rfc2307bis-02
+###
+olcAttributeTypes: ( 1.3.6.1.1.1.1.2 NAME 'gecos'
+  DESC 'The GECOS field; the common name'
+  EQUALITY caseIgnoreMatch
+  SUBSTR caseIgnoreSubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+  SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
+  DESC 'The absolute path to the home directory'
+  EQUALITY caseExactIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+  SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.4 NAME 'loginShell'
+  DESC 'The path to the login shell'
+  EQUALITY caseExactIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+  SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange'
+  EQUALITY integerMatch
+  ORDERING integerOrderingMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.6 NAME 'shadowMin'
+  EQUALITY integerMatch
+  ORDERING integerOrderingMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.7 NAME 'shadowMax'
+  EQUALITY integerMatch
+  ORDERING integerOrderingMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning'
+  EQUALITY integerMatch
+  ORDERING integerOrderingMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive'
+  EQUALITY integerMatch
+  ORDERING integerOrderingMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
+  EQUALITY integerMatch
+  ORDERING integerOrderingMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag'
+  EQUALITY integerMatch
+  ORDERING integerOrderingMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
+  EQUALITY caseExactMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup'
+  EQUALITY caseExactMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
+  DESC 'Netgroup triple'
+  EQUALITY caseIgnoreMatch
+  SUBSTR caseIgnoreSubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort'
+  DESC 'Service port number'
+  EQUALITY integerMatch
+  ORDERING integerOrderingMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol'
+  DESC 'Service protocol name'
+  EQUALITY caseIgnoreMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber'
+  DESC 'IP protocol number'
+  EQUALITY integerMatch
+  ORDERING integerOrderingMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber'
+  DESC 'ONC RPC number'
+  EQUALITY integerMatch
+  ORDERING integerOrderingMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber'
+  DESC 'IPv4 addresses as a dotted decimal omitting leading
+  zeros or IPv6 addresses as defined in RFC2373'
+  EQUALITY caseIgnoreIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber'
+  DESC 'IP network omitting leading zeros, eg. 192.168'
+  EQUALITY caseIgnoreIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+  SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber'
+  DESC 'IP netmask omitting leading zeros, eg. 255.255.255.0'
+  EQUALITY caseIgnoreIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+  SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.22 NAME 'macAddress'
+  DESC 'MAC address in maximal, colon separated hex
+  notation, eg. 00:00:92:90:ee:e2'
+  EQUALITY caseIgnoreIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.23 NAME 'bootParameter'
+  DESC 'rpc.bootparamd parameter'
+  EQUALITY caseExactIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.24 NAME 'bootFile'
+  DESC 'Boot image name'
+  EQUALITY caseExactIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.26 NAME 'nisMapName'
+  DESC 'Name of a generic NIS map'
+  EQUALITY caseIgnoreMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry'
+  DESC 'A generic NIS entry'
+  EQUALITY caseExactMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024}
+  SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey'
+  DESC 'NIS public key'
+  EQUALITY octetStringMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
+  SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey'
+  DESC 'NIS secret key'
+  EQUALITY octetStringMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
+  SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain'
+  DESC 'NIS domain'
+  EQUALITY caseIgnoreIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName'
+  DESC 'automount Map Name'
+  EQUALITY caseExactMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+  SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey'
+  DESC 'Automount Key value'
+  EQUALITY caseExactMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+  SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.33 NAME 'automountInformation'
+  DESC 'Automount information'
+  EQUALITY caseExactMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+  SINGLE-VALUE )
+olcObjectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
+  DESC 'Abstraction of an account with POSIX attributes'
+  MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
+  MAY ( userPassword $ loginShell $ gecos $
+  description ) )
+olcObjectClasses: ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY
+  DESC 'Additional attributes for shadow passwords'
+  MUST uid
+  MAY ( userPassword $ description $
+  shadowLastChange $ shadowMin $ shadowMax $
+  shadowWarning $ shadowInactive $
+  shadowExpire $ shadowFlag ) )
+olcObjectClasses: ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY
+  DESC 'Abstraction of a group of accounts'
+  MUST gidNumber
+  MAY ( userPassword $ memberUid $
+  description ) )
+olcObjectClasses: ( 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL
+  DESC 'Abstraction an Internet Protocol service.
+  Maps an IP port and protocol (such as tcp or udp)
+  to one or more names; the distinguished value of
+  the cn attribute denotes the services canonical
+  name'
+  MUST ( cn $ ipServicePort $ ipServiceProtocol )
+  MAY description )
+olcObjectClasses: ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL
+  DESC 'Abstraction of an IP protocol. Maps a protocol number
+  to one or more names. The distinguished value of the cn
+  attribute denotes the protocol canonical name'
+  MUST ( cn $ ipProtocolNumber )
+  MAY description )
+olcObjectClasses: ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL
+  DESC 'Abstraction of an Open Network Computing (ONC)
+  [RFC1057] Remote Procedure Call (RPC) binding.
+  This class maps an ONC RPC number to a name.
+  The distinguished value of the cn attribute denotes
+  the RPC service canonical name'
+  MUST ( cn $ oncRpcNumber )
+  MAY description )
+olcObjectClasses: ( 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY
+  DESC 'Abstraction of a host, an IP device. The distinguished
+  value of the cn attribute denotes the hosts canonical
+  name. Device SHOULD be used as a structural class'
+  MUST ( cn $ ipHostNumber )
+  MAY ( userPassword $ l $ description $
+  manager ) )
+olcObjectClasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL
+  DESC 'Abstraction of a network. The distinguished value of
+  the cn attribute denotes the network canonical name'
+  MUST ipNetworkNumber
+  MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) )
+olcObjectClasses: ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL
+  DESC 'Abstraction of a netgroup. May refer to other
+  netgroups'
+  MUST cn
+  MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )
+olcObjectClasses: ( 1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL
+  DESC 'A generic abstraction of a NIS map'
+  MUST nisMapName
+  MAY description )
+olcObjectClasses: ( 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL
+  DESC 'An entry in a NIS map'
+  MUST ( cn $ nisMapEntry $ nisMapName ) )
+olcObjectClasses: ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY
+  DESC 'A device with a MAC address; device SHOULD be
+  used as a structural class'
+  MAY macAddress )
+olcObjectClasses: ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY
+  DESC 'A device with boot parameters; device SHOULD be
+  used as a structural class'
+  MAY ( bootFile $ bootParameter ) )
+olcObjectClasses: ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY
+  DESC 'An object with a public and secret key'
+  MUST ( cn $ nisPublicKey $ nisSecretKey )
+  MAY ( uidNumber $ description ) )
+olcObjectClasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY
+  DESC 'Associates a NIS domain with a naming context'
+  MUST nisDomain )
+olcObjectClasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL
+  MUST ( automountMapName )
+  MAY description )
+olcObjectClasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL
+  DESC 'Automount information'
+  MUST ( automountKey $ automountInformation )
+  MAY description )
+olcObjectClasses: ( 1.3.6.1.1.1.2.18 NAME 'groupOfMembers' SUP top STRUCTURAL
+  DESC 'A group with members (DNs)'
+  MUST cn
+  MAY ( businessCategory $ seeAlso $ owner $ ou $ o $
+  description $ member ) )
diff --git a/files/usr/local/etc/openldap/schema/sudo.ldif.idm_server b/files/usr/local/etc/openldap/schema/sudo.ldif.idm_server
new file mode 100644
index 0000000..8948ca4
--- /dev/null
+++ b/files/usr/local/etc/openldap/schema/sudo.ldif.idm_server
@@ -0,0 +1,79 @@
+dn: cn=sudoschema,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: sudoschema
+#
+# OpenLDAP schema file for Sudo in on-line configuration (OLC) format.
+# Import using ldapadd or another suitable LDAP browser.
+# Converted to OLC format by Frederic Pasteleurs <frederic@askarel.be>
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.1
+    NAME 'sudoUser'
+    DESC 'User(s) who may  run sudo'
+    EQUALITY caseExactMatch
+    SUBSTR caseExactSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.2
+    NAME 'sudoHost'
+    DESC 'Host(s) who may run sudo'
+    EQUALITY caseExactIA5Match
+    SUBSTR caseExactIA5SubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.3
+    NAME 'sudoCommand'
+    DESC 'Command(s) to be executed by sudo'
+    EQUALITY caseExactIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.4
+    NAME 'sudoRunAs'
+    DESC 'User(s) impersonated by sudo (deprecated)'
+    EQUALITY caseExactIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.5
+    NAME 'sudoOption'
+    DESC 'Options(s) followed by sudo'
+    EQUALITY caseExactIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.6
+    NAME 'sudoRunAsUser'
+    DESC 'User(s) impersonated by sudo'
+    EQUALITY caseExactMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.7
+    NAME 'sudoRunAsGroup'
+    DESC 'Group(s) impersonated by sudo'
+    EQUALITY caseExactMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.8
+    NAME 'sudoNotBefore'
+    DESC 'Start of time interval for which the entry is valid'
+    EQUALITY generalizedTimeMatch
+    ORDERING generalizedTimeOrderingMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.9
+    NAME 'sudoNotAfter'
+    DESC 'End of time interval for which the entry is valid'
+    EQUALITY generalizedTimeMatch
+    ORDERING generalizedTimeOrderingMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+#
+olcattributeTypes: ( 1.3.6.1.4.1.15953.9.1.10
+    NAME 'sudoOrder'
+    DESC 'an integer to order the sudoRole entries'
+    EQUALITY integerMatch
+    ORDERING integerOrderingMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+#
+olcobjectclasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+    DESC 'Sudoer Entries'
+    MUST ( cn )
+    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $
+        description )
+    )
diff --git a/files/usr/local/etc/openldap/slapd.ldif.idm_server b/files/usr/local/etc/openldap/slapd.ldif.idm_server
new file mode 100644
index 0000000..784c63a
--- /dev/null
+++ b/files/usr/local/etc/openldap/slapd.ldif.idm_server
@@ -0,0 +1,225 @@
+# Top-level cn=config attributes.
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcArgsFile: /var/run/openldap/slapd.args
+olcPidFile: /var/run/openldap/slapd.pid
+olcSaslHost: ${fqdn}
+olcSaslSecProps: noanonymous,minssf=56
+olcDisallows: bind_anon
+olcSecurity: ssf=56
+olcLocalSSF: 128
+olcTLSCACertificateFile: ${site_cacert_path}
+olcTLSCertificateFile: ${slapd_tls_cert}
+olcTLSCertificateKeyFile: ${slapd_tls_key}
+olcTLSVerifyClient: allow
+$(echo "$idm_server_list" | while read -r _hostname id ipv4; do
+    echo "olcServerID: ${id} ldaps://${ipv4}/"
+done)
+olcAuthzRegexp: {0}^gidNumber=[0-9]+\+uidNumber=0,cn=peercred,cn=external,cn=auth$ ${slapd_root_dn}
+olcAuthzRegexp: {1}^gidNumber=[0-9]+\+uidNumber=([^,]+),cn=peercred,cn=external,cn=auth$ ldap:///${accounts_basedn}??sub?(uidNumber=\$1)
+olcAuthzRegexp: {2}^uid=([^,]+),cn=(gssapi|plain|login),cn=auth$ ldap:///${accounts_basedn}??sub?(krbPrincipalName=\$1@${realm})
+
+# Load dynamic modules.
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulepath: /usr/local/libexec/openldap
+olcModuleload: back_mdb.la
+olcModuleload: pw-sha2.la
+olcModuleload: accesslog.la
+olcModuleload: dynlist.la
+olcModuleload: unique.la
+olcModuleload: refint.la
+
+# Frontend configuration. Individual databases can override these settings.
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcFrontendConfig
+olcDatabase: frontend
+olcPasswordHash: {SSHA512}
+olcSizeLimit: ${slapd_result_size_limit}
+olcRequires: authc
+olcAccess: {0}to dn.base="" by * read
+olcAccess: {1}to dn.base="cn=Subschema" by * read
+olcAccess: {2}to *
+  by users read
+  by anonymous auth
+
+# Load schemas.
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file://${slapd_conf_dir}/schema/core.ldif
+include: file://${slapd_conf_dir}/schema/cosine.ldif
+include: file://${slapd_conf_dir}/schema/inetorgperson.ldif
+include: file://${slapd_conf_dir}/schema/dyngroup.ldif
+include: file://${slapd_conf_dir}/schema/rfc2307bis.ldif
+include: file://${slapd_conf_dir}/schema/kerberos.ldif
+include: file://${slapd_conf_dir}/schema/openssh-lpk.ldif
+include: file://${slapd_conf_dir}/schema/sudo.ldif
+include: file://${slapd_conf_dir}/schema/dnsdomain2.ldif
+include: file://${slapd_conf_dir}/schema/mailservice.ldif
+
+# cn=config database configuration.
+dn: olcDatabase={0}config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcRootDN: ${slapd_root_dn}
+
+# Default database configuration.
+dn: olcDatabase={1}mdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcMdbConfig
+olcDatabase: mdb
+olcDbMaxSize: ${slapd_db_max_size}
+olcSuffix: ${basedn}
+olcRootDN: ${slapd_root_dn}
+olcDbDirectory: ${slapd_data_dir}
+$(echo "$idm_server_list" | while read -r _hostname id ipv4; do
+echo "olcSyncrepl: rid=00${id}
+  provider=ldaps://${ipv4}/
+  searchbase=${basedn}
+  bindmethod=sasl
+  saslmech=external
+  tls_cert=${slapd_replicator_tls_cert}
+  tls_key=${slapd_replicator_tls_key}
+  tls_cacert=${site_cacert_path}
+  tls_reqcert=demand
+  type=refreshAndPersist
+  retry=\"5 5 60 +\"
+  logfilter=\"(&(objectClass=auditWriteObject)(reqResult=0))\"
+  timeout=5
+  logbase=cn=accesslog
+  syncdata=accesslog"
+done)
+olcMultiProvider: TRUE
+olcDbIndex: objectClass eq
+olcDbIndex: cn,uid,uidNumber,gidNumber,member,memberUid,mail,mailAddress,mailAlternateAddress,mailPrivateAddress,mailContactAddress eq
+olcDbIndex: sudoUser eq
+olcDbIndex: automountMapName eq
+olcDbIndex: krbPrincipalName eq,pres
+olcDbIndex: entryCSN,entryUUID eq
+olcDbIndex: associatedDomain pres,eq,sub
+olcDbIndex: description pres,eq,sub
+olcLimits: {0}dn.exact=${slapd_replicator_dn}
+  time.soft=unlimited
+  time.hard=unlimited
+  size.soft=unlimited
+  size.hard=unlimited
+olcLimits: {1}*
+  size.soft=${slapd_result_size_limit}
+  size.hard=${slapd_result_size_limit}
+  size.pr=${slapd_result_size_limit}
+  size.prtotal=unlimited
+olcAccess: {0}to dn.base=""
+  by * read
+olcAccess: {1}to dn.base="cn=Subschema"
+  by * read
+olcAccess: {3}to *
+  by dn.exact=${slapd_replicator_dn} read
+  by dn.exact=uid=${idm_admin_username},${robots_basedn} manage
+  by group/groupOfMembers/member=cn=${idm_admin_groupname},${groups_basedn} manage
+  by * break
+olcAccess: {4}to dn.subtree=${sudo_basedn}
+  by dn.children=${hosts_basedn} read
+  by * none
+olcAccess: {5}to dn.subtree=${kdc_basedn}
+  by * none
+olcAccess: {6}to attrs=userPassword
+  by self write
+  by anonymous auth
+  by * none
+olcAccess: {7}to attrs=shadowLastChange,sshPublicKey
+  by self write
+  by * read
+olcAccess: {8}to attrs=krbPrincipalKey
+  by * none
+olcAccess: {9}to *
+  by * read
+
+# Accesslog database (for syncprov).
+dn: olcDatabase={2}mdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcMdbConfig
+olcDatabase: mdb
+olcDbDirectory: ${slapd_data_dir}/accesslog
+olcSuffix: cn=accesslog
+olcRootDN: ${slapd_root_dn}
+olcDbMaxSize: ${slapd_accesslog_db_max_size}
+olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart,reqDN eq
+olcAccess: {0}to *
+  by dn.exact=${slapd_replicator_dn} read
+  by * break
+olcLimits: {0}dn.exact=${slapd_replicator_dn}
+  time.soft=unlimited
+  time.hard=unlimited
+  size.soft=unlimited
+  size.hard=unlimited
+
+# Monitoring database.
+dn: olcDatabase={3}monitor,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: monitor
+olcRootDN: ${slapd_root_dn}
+olcMonitoring: FALSE
+
+# Syncprov overlay.
+dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcSyncProvConfig
+olcOverlay: syncprov
+olcSpCheckpoint: ${slapd_syncrepl_checkpoint_ops} ${slapd_syncrepl_checkpoint_minutes}
+olcSpSessionLog: ${slapd_syncrepl_session_log}
+
+# Accesslog overlay (for syncrepl).
+dn: olcOverlay={1}accesslog,olcDatabase={1}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcAccessLogConfig
+olcOverlay: accesslog
+olcAccessLogDB: cn=accesslog
+olcAccessLogOps: writes
+olcAccessLogSuccess: TRUE
+olcAccessLogPurge: ${slapd_syncrepl_cleanup_age}+00:00 ${slapd_syncrepl_cleanup_interval}+00:00
+
+# Dynlist overlay.
+dn: olcOverlay={2}dynlist,olcDatabase={1}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcDynamicList
+olcOverlay: dynlist
+olcDynListAttrSet: {0}groupOfURLs memberURL member+memberOf@groupOfMembers*
+olcDynListAttrSet: {1}labeledURIObject labeledURI uniqueMember+seeAlso@groupOfUniqueNames
+
+# Unique overlay.
+dn: olcOverlay={3}unique,olcDatabase={1}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcUniqueConfig
+olcOverlay: unique
+olcUniqueURI: ldap:///${accounts_basedn}?uid?sub
+olcUniqueURI: ldap:///${accounts_basedn}?uidNumber?sub
+olcUniqueURI: ldap:///${accounts_basedn}?krbPrincipalName?sub
+olcUniqueURI: ldap:///${accounts_basedn}?mail?sub
+olcUniqueURI: ldap:///${accounts_basedn}?mailAddress,mailAlternateAddress,mailPrivateAddress,mailContactAddress?sub
+olcUniqueURI: ldap:///${groups_basedn}?cn?sub
+olcUniqueURI: ldap:///${groups_basedn}?gidNumber?sub
+olcUniqueURI: ldap:///${hosts_basedn}?cn,dc?sub
+olcUniqueURI: ldap:///${services_basedn}?cn?sub
+olcUniqueURI: ldap:///${sudo_basedn}?cn?sub
+olcUniqueURI: ldap:///${dns_basedn}?associatedDomain?sub
+
+# Refint overlay.
+dn: olcOverlay={4}refint,olcDatabase={1}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcRefintConfig
+olcOverlay: refint
+olcRefintAttribute: member
+olcRefintNothing: cn=config
+
+# Syncprov overlay for accesslog db.
+dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcSyncProvConfig
+olcOverlay: syncprov
+olcSpNoPresent: TRUE
+olcSpReloadHint: TRUE
author	Cullum Smith <cullum@sacredheartsc.com>	2024-08-02 19:10:39 -0400
committer	Cullum Smith <cullum@sacredheartsc.com>	2024-08-02 19:10:39 -0400
commit	cbcd022f302adc39ecb89fba6faf72e68184c0e0 (patch)
tree	a5ab154e08fa3c4fa110b09d3475736c66840c8b /files/usr/local/etc/openldap
parent	ceb339370d7a0cc4a83fe54103a650dfb3f72261 (diff)
download	infrastructure-cbcd022f302adc39ecb89fba6faf72e68184c0e0.tar.gz