From cbcd022f302adc39ecb89fba6faf72e68184c0e0 Mon Sep 17 00:00:00 2001 From: Cullum Smith Date: Fri, 2 Aug 2024 19:10:39 -0400 Subject: halfway working idm server and laptop hostclasses --- docs/10-bootstrapping.md | 131 ++++++++++- files/etc/devd/lid-close.conf.laptop | 6 + files/etc/devd/lid-close.conf.roadwarrior_laptop | 1 + files/etc/devd/thinkpad-brightness.conf.laptop | 13 ++ .../thinkpad-brightness.conf.roadwarrior_laptop | 1 + files/etc/rc.local.laptop | 1 + files/etc/rc.local.roadwarrior_laptop | 1 + files/etc/ssh/ssh_config.roadwarrior_laptop | 1 + .../local/etc/X11/xorg.conf.d/terminus.conf.common | 3 + .../chromium/policies/managed/policies.json.common | 96 ++++++++ files/usr/local/etc/openldap/ldap.conf.idm_server | 9 + .../etc/openldap/schema/dnsdomain2.ldif.idm_server | 252 +++++++++++++++++++++ .../etc/openldap/schema/kerberos.ldif.idm_server | 68 ++++++ .../openldap/schema/mailservice.ldif.idm_server | 177 +++++++++++++++ .../openldap/schema/openssh-lpk.ldif.idm_server | 11 + .../etc/openldap/schema/rfc2307bis.ldif.idm_server | 246 ++++++++++++++++++++ .../local/etc/openldap/schema/sudo.ldif.idm_server | 79 +++++++ files/usr/local/etc/openldap/slapd.ldif.idm_server | 225 ++++++++++++++++++ files/usr/local/etc/pdns/pdns.conf.idm_server | 29 +++ files/usr/local/etc/pkg/repos/onprem.conf.freebsd | 6 + .../usr/local/etc/pkg/repos/onprem.conf.idm_server | 9 + .../etc/poudriere.d/idm-make.conf.pkg_repository | 34 +++ .../etc/poudriere.d/idm-pkglist.pkg_repository | 24 ++ .../etc/sudoers.d/networkmgr.roadwarrior_laptop | 1 + files/usr/local/etc/sudoers.roadwarrior_laptop | 4 + .../lib/firefox/distribution/policies.json.common | 163 +++++++++++++ .../local/lib/libreoffice/program/sofficerc.common | 18 ++ files/usr/local/lib/sasl2/slapd.conf.idm_server | 3 + files/usr/local/libexec/lid-close.laptop | 4 + .../usr/local/libexec/lid-close.roadwarrior_laptop | 1 + .../local/libexec/poudriere-cron.pkg_repository | 1 + files/usr/local/libexec/thinkpad-brightness.laptop | 31 +++ .../libexec/thinkpad-brightness.roadwarrior_laptop | 1 + hostclasses | 1 + lib/10-core | 29 ++- lib/60-ldap | 56 +++++ scripts/common/10-root-user | 7 - scripts/common/10-vars | 31 +++ scripts/common/20-dns | 9 - scripts/common/20-root-user | 7 + scripts/common/30-dns | 9 + scripts/hostclass/desktop | 98 ++++++++ scripts/hostclass/idm_server/10-slapd | 165 ++++++++++++++ scripts/hostclass/idm_server/20-powerdns | 114 ++++++++++ scripts/hostclass/idm_server/30-kdc | 12 + scripts/hostclass/idm_server/90-idm | 9 + scripts/hostclass/laptop | 15 ++ scripts/hostclass/pkg_repository | 6 +- scripts/hostclass/roadwarrior_laptop/10-desktop | 1 + scripts/hostclass/roadwarrior_laptop/20-laptop | 1 + .../hostclass/roadwarrior_laptop/30-roadwarrior | 6 + scripts/hostname/rlaptop1 | 21 ++ scripts/os/freebsd/30-ssh | 1 + scripts/os/freebsd/40-pkg | 2 +- vars/common | 24 +- vars/hostclass/idm_server | 9 + vars/hostclass/roadwarrior_laptop | 2 + vars/hostname/rlaptop1 | 3 + vars/os/freebsd | 4 + 59 files changed, 2260 insertions(+), 32 deletions(-) create mode 100644 files/etc/devd/lid-close.conf.laptop create mode 120000 files/etc/devd/lid-close.conf.roadwarrior_laptop create mode 100644 files/etc/devd/thinkpad-brightness.conf.laptop create mode 120000 files/etc/devd/thinkpad-brightness.conf.roadwarrior_laptop create mode 100644 files/etc/rc.local.laptop create mode 120000 files/etc/rc.local.roadwarrior_laptop create mode 120000 files/etc/ssh/ssh_config.roadwarrior_laptop create mode 100644 files/usr/local/etc/X11/xorg.conf.d/terminus.conf.common create mode 100644 files/usr/local/etc/chromium/policies/managed/policies.json.common create mode 100644 files/usr/local/etc/openldap/ldap.conf.idm_server create mode 100644 files/usr/local/etc/openldap/schema/dnsdomain2.ldif.idm_server create mode 100644 files/usr/local/etc/openldap/schema/kerberos.ldif.idm_server create mode 100644 files/usr/local/etc/openldap/schema/mailservice.ldif.idm_server create mode 100644 files/usr/local/etc/openldap/schema/openssh-lpk.ldif.idm_server create mode 100644 files/usr/local/etc/openldap/schema/rfc2307bis.ldif.idm_server create mode 100644 files/usr/local/etc/openldap/schema/sudo.ldif.idm_server create mode 100644 files/usr/local/etc/openldap/slapd.ldif.idm_server create mode 100644 files/usr/local/etc/pdns/pdns.conf.idm_server create mode 100644 files/usr/local/etc/pkg/repos/onprem.conf.freebsd create mode 100644 files/usr/local/etc/pkg/repos/onprem.conf.idm_server create mode 100644 files/usr/local/etc/poudriere.d/idm-make.conf.pkg_repository create mode 100644 files/usr/local/etc/poudriere.d/idm-pkglist.pkg_repository create mode 100644 files/usr/local/etc/sudoers.d/networkmgr.roadwarrior_laptop create mode 100644 files/usr/local/etc/sudoers.roadwarrior_laptop create mode 100644 files/usr/local/lib/firefox/distribution/policies.json.common create mode 100644 files/usr/local/lib/libreoffice/program/sofficerc.common create mode 100644 files/usr/local/lib/sasl2/slapd.conf.idm_server create mode 100644 files/usr/local/libexec/lid-close.laptop create mode 120000 files/usr/local/libexec/lid-close.roadwarrior_laptop create mode 100644 files/usr/local/libexec/thinkpad-brightness.laptop create mode 120000 files/usr/local/libexec/thinkpad-brightness.roadwarrior_laptop create mode 100644 lib/60-ldap delete mode 100644 scripts/common/10-root-user create mode 100644 scripts/common/10-vars delete mode 100644 scripts/common/20-dns create mode 100644 scripts/common/20-root-user create mode 100644 scripts/common/30-dns create mode 100644 scripts/hostclass/desktop create mode 100644 scripts/hostclass/idm_server/10-slapd create mode 100644 scripts/hostclass/idm_server/20-powerdns create mode 100644 scripts/hostclass/idm_server/30-kdc create mode 100644 scripts/hostclass/idm_server/90-idm create mode 100644 scripts/hostclass/laptop create mode 120000 scripts/hostclass/roadwarrior_laptop/10-desktop create mode 120000 scripts/hostclass/roadwarrior_laptop/20-laptop create mode 100644 scripts/hostclass/roadwarrior_laptop/30-roadwarrior create mode 100644 scripts/hostname/rlaptop1 create mode 100644 vars/hostclass/idm_server create mode 100644 vars/hostclass/roadwarrior_laptop create mode 100644 vars/hostname/rlaptop1 diff --git a/docs/10-bootstrapping.md b/docs/10-bootstrapping.md index 05f8867..cda5c80 100644 --- a/docs/10-bootstrapping.md +++ b/docs/10-bootstrapping.md @@ -41,13 +41,13 @@ all the necessary packages and serve them over HTTP. On the FreeBSD hypervisor, use `jailctl` to create a jail for the `pkg` repo. The following command will create a jail named `pkg1` with VLAN tag `199`, -IP address `10.11.199.4`, 32G memory limit, 256G disk quota, and 32 CPU cores. +IP address `10.99.99.4`, 32G memory limit, 256G disk quota, and 32 CPU cores. Note that running `poudriere` in a jail requires many custom jail options, which are also set with this command. alcatraz1# jailctl create \ -v 199 \ - -a 10.11.199.4 \ + -a 10.99.99.4 \ -k ~/id_ed25519.pub \ -c 64-95 \ -m 32g \ @@ -70,7 +70,132 @@ are also set with this command. Now you are ready to build all the packages and create the repository. `boxconf` assumes that any host named `pkg[0-1]` has the `pkg_repository` hostclass. - ./boxconf -e idm_bootstrap=true 10.11.199.4 + ./boxconf -e idm_bootstrap=true 10.99.99.4 Substitute whatever IP you chose for the `pkg1` jail as necessary. Note that it will take a while to build all the packages for the first time. + + +## Step 3: The IDM Servers + +Next, we'll build the IDM jails. While you technically only need one, you should +build at least two so that you can reboot one of them without causing a DNS +outage for your entire environment. + + +### Create the Jails + +Let's two jails named `idm1` and `idm2`. Note that `boxconf` assumes any host +named `idm[0-9]` has the `idm_server` hostclass. + + alcatraz1# jailctl create \ + -v 199 \ + -a 10.99.99.2 \ + -k ~/id_ed25519.pub \ + -c 2-3 \ + -m 4g \ + -q 32G \ + idm1 freebsd14 + + alcatraz1# jailctl create \ + -v 199 \ + -a 10.99.99.3 \ + -k ~/id_ed25519.pub \ + -c 4-5 \ + -m 4g \ + -q 32G \ + idm2 freebsd14 + + +## Set Boxconf Variables + +Before continuing, you'll need to tailor `site/vars/common` to your +environment: + + - The `domain` variable must contain your internal domain name. Eg: + + domain=idm.example.com + + - The `pkg_host_ip` variable must contain the IP address of the `pkg1` jail: + + pkg_host_ip=10.99.99.4 + + - The `idm_server_list` variable must contain a newline-separated list of + IDM server hostnames, along with their associated LDAP server ID and IP address. + These should be the IPs of the jails you just created. + + The server ID can be any number 1-9, as long as it is unique for each host + and you never, ever change it. Eg: + + idm_server_list="\ + idm1 1 10.99.99.2 + idm2 2 10.99.99.3" + + - The `reverse_dns_zones` variable must contain a space-separated list of + all the reverse DNS zones in your environment. Eg: + + reverse_dns_zones="\ + 99.99.10.in-addr.arpa + 88.99.10.in-addr.arpa" + + Note: only 3-octet IPv4 zones are supported (`10.in-addr.arpa` won't work). + + +## Create TLS Certificates + +We will also need some TLS certificates for the LDAP servers. These certificates +allow for secure replication between the LDAP daemons on the IDM servers. + +First, initialize the PKI. This will create a root certificate authority with +a name contraint for hostnames underneath your internal domain. + +*However,* the LDAP servers replicate using their IP addresses, rather than DNS +names. Therefore, you will need to specify additional constraints for the IP +address of each IDM server. Eg: + + ./pki init \ + -c IP:10.99.0.0/255.255.0.0 \ + idm.example.com + +Next, create server certificates for each IDM server. Each certificate will +need three SANs: + + - The FQDN of the IDM server. + - The IP of the IDM server. + - The bare domain name (we'll make this a multi-valued A record later). + +Eg: + + ./pki cert -d 3650 idm1 slapd idm1.idm.example.com IP:10.99.99.2 idm.example.com + ./pki cert -d 3650 idm2 slapd idm2.idm.example.com IP:10.99.99.3 idm.example.com + +Finally, create a client certificate for the OpenLDAP replicator DN. Eg: + + ./pki client-cert -d 3650 idm1 replicator cn=replicator,dc=idm,dc=example,dc=com + ./pki client-cert -d 3650 idm2 replicator cn=replicator,dc=idm,dc=example,dc=com + + +## Configure the IDM servers. + +Now, you're ready to build the IDM servers! + +The first server in the `$idm_server_list` is somewhat special, as the +`boxconf` scripts will use that one to create all the initial LDAP objects. +So make sure you configure that one first. + + ./boxconf -s 10.99.99.2 -e idm_bootstrap=true idm1 + ./boxconf -s 10.99.99.3 -e idm_bootstrap=true idm2 + + +## Verify LDAP replication, DNS, etc. + +If everything is working, you should get the same result from each of the +following `dig` queries: + + $ dig +short @10.99.99.2 idm.example.com + 10.99.99.3 + 10.99.99.2 + + $ dig +short @10.99.99.3 idm.example.com + 10.99.99.3 + 10.99.99.2 diff --git a/files/etc/devd/lid-close.conf.laptop b/files/etc/devd/lid-close.conf.laptop new file mode 100644 index 0000000..751c546 --- /dev/null +++ b/files/etc/devd/lid-close.conf.laptop @@ -0,0 +1,6 @@ +notify 20 { + match "system" "ACPI"; + match "subsystem" "Lid"; + match "notify" "0x00"; + action "/usr/local/libexec/lid-close"; +}; diff --git a/files/etc/devd/lid-close.conf.roadwarrior_laptop b/files/etc/devd/lid-close.conf.roadwarrior_laptop new file mode 120000 index 0000000..b6dd50e --- /dev/null +++ b/files/etc/devd/lid-close.conf.roadwarrior_laptop @@ -0,0 +1 @@ +lid-close.conf.laptop \ No newline at end of file diff --git a/files/etc/devd/thinkpad-brightness.conf.laptop b/files/etc/devd/thinkpad-brightness.conf.laptop new file mode 100644 index 0000000..24bd750 --- /dev/null +++ b/files/etc/devd/thinkpad-brightness.conf.laptop @@ -0,0 +1,13 @@ +notify 20 { +  match "system" "ACPI"; +  match "subsystem" "IBM"; +  match "notify" "0x10"; +  action "/usr/local/libexec/thinkpad-brightness up"; +}; + +notify 20 { +  match "system" "ACPI"; +  match "subsystem" "IBM"; +  match "notify" "0x11"; +  action "/usr/local/libexec/thinkpad-brightness down"; +}; diff --git a/files/etc/devd/thinkpad-brightness.conf.roadwarrior_laptop b/files/etc/devd/thinkpad-brightness.conf.roadwarrior_laptop new file mode 120000 index 0000000..77502f3 --- /dev/null +++ b/files/etc/devd/thinkpad-brightness.conf.roadwarrior_laptop @@ -0,0 +1 @@ +thinkpad-brightness.conf.laptop \ No newline at end of file diff --git a/files/etc/rc.local.laptop b/files/etc/rc.local.laptop new file mode 100644 index 0000000..d3b9958 --- /dev/null +++ b/files/etc/rc.local.laptop @@ -0,0 +1 @@ +usbconfig | awk -F: '{ print $1 }' | xargs -rtn1 -I% usbconfig -d % power_save diff --git a/files/etc/rc.local.roadwarrior_laptop b/files/etc/rc.local.roadwarrior_laptop new file mode 120000 index 0000000..e86eca1 --- /dev/null +++ b/files/etc/rc.local.roadwarrior_laptop @@ -0,0 +1 @@ +rc.local.laptop \ No newline at end of file diff --git a/files/etc/ssh/ssh_config.roadwarrior_laptop b/files/etc/ssh/ssh_config.roadwarrior_laptop new file mode 120000 index 0000000..338cdba --- /dev/null +++ b/files/etc/ssh/ssh_config.roadwarrior_laptop @@ -0,0 +1 @@ +ssh_config.no_idm \ No newline at end of file diff --git a/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.common b/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.common new file mode 100644 index 0000000..d0bb2ae --- /dev/null +++ b/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.common @@ -0,0 +1,3 @@ +Section "Files" + FontPath "/usr/local/share/fonts/terminus-font/" +EndSection diff --git a/files/usr/local/etc/chromium/policies/managed/policies.json.common b/files/usr/local/etc/chromium/policies/managed/policies.json.common new file mode 100644 index 0000000..0e57885 --- /dev/null +++ b/files/usr/local/etc/chromium/policies/managed/policies.json.common @@ -0,0 +1,96 @@ +{ + "AdvancedProtectionAllowed": false, + "AlternateErrorPagesEnabled": false, + "AutofillCreditCardEnabled": false, + "AuthNegotiateDelegateAllowlist": "*.${domain}", + "AuthServerAllowlist": "*.${domain}", + "BackgroundModeEnabled": false, + "BlockThirdPartyCookies": true, + "BrowserGuestModeEnabled": false, + "BrowserLabsEnabled": false, + "BrowserNetworkTimeQueriesEnabled": false, + "BrowserSignin": 0, + "CloudPrintProxyEnabled": false, + "CloudReportingEnabled": false, + "DefaultBrowserSettingEnabled": false, + "DefaultCookiesSetting": 1, + "DefaultSearchProviderEnabled": true, + "DefaultSearchProviderName": "DuckDuckGo", + "DefaultSearchProviderIconURL": "https://duckduckgo.com/favicon.ico", + "DefaultSearchProviderEncodings": [ + "UTF-8" + ], + "DefaultSearchProviderSearchURL": "https://duckduckgo.com/?q={searchTerms}", + "DefaultSearchProviderSuggestURL":"https://duckduckgo.com/ac/?q={searchTerms}&type=list", + "DefaultSearchProviderNewTabURL":"https://duckduckgo.com/chrome_newtab", + "DnsOverHttpsMode": "off", + "EnableAuthNegotiatePort": true, + "EnableMediaRouter": false, + "MetricsReportingEnabled": false, + "NetworkPredictionOptions": 2, + "PasswordManagerEnabled": false, + "PaymentMethodQueryEnabled": false, + "PrivacySandboxAdMeasurementEnabled": false, + "PrivacySandboxAdTopicsEnabled": false, + "PrivacySandboxPromptEnabled": false, + "PrivacySandboxSiteEnabledAdsEnabled": false, + "PromotionalTabsEnabled": false, + "SafeBrowsingProtectionLevel": 0, + "SearchSuggestEnabled": false, + "SyncDisabled": true, + "TranslateEnabled": false, + "UrlKeyedAnonymizedDataCollectionEnabled": false, + "ManagedBookmarks": [ + { + "toplevel_name": "Internal" + }, + { + "name": "Poudriere", + "url": "http://pkg.${domain}/poudriere" + } + ], + "ExtensionSettings": { + "cjpalhdlnbpafiamejdnhcphjbkeiagm": { + "installation_mode": "force_installed", + "update_url": "https://clients2.google.com/service/update2/crx" + }, + "nngceckbapebfimnlniiiahkandclblb": { + "installation_mode": "normal_installed", + "update_url": "https://clients2.google.com/service/update2/crx" + }, + "cimiefiiaegbelhefglklhhakcgmhkai": { + "installation_mode": "$(if [ "${desktop_type:-}" = kde ]; then echo normal_installed; else echo allowed; fi)", + "update_url": "https://clients2.google.com/service/update2/crx" + } + }, + "3rdparty": { + "extensions": { + "cjpalhdlnbpafiamejdnhcphjbkeiagm": { + "toOverwrite": { + "filterLists": [ + "user-filters", + "ublock-filters", + "ublock-badware", + "ublock-privacy", + "ublock-abuse", + "ublock-unbreak", + "ublock-annoyances", + "easylist", + "easyprivacy", + "urlhaus-1", + "plowe-0", + "fanboy-annoyance", + "fanboy-thirdparty_social", + "adguard-spyware-url", + "ublock-quick-fixes" + ] + }, + "toAdd": { + "trustedSiteDirectives": [ + "${domain}" + ] + } + } + } + } +} diff --git a/files/usr/local/etc/openldap/ldap.conf.idm_server b/files/usr/local/etc/openldap/ldap.conf.idm_server new file mode 100644 index 0000000..3b285f7 --- /dev/null +++ b/files/usr/local/etc/openldap/ldap.conf.idm_server @@ -0,0 +1,9 @@ +URI ldapi:/// +BASE ${basedn} +USE_SASL yes +ROOTUSE_SASL yes +SASL_MECH EXTERNAL +SASL_REALM ${realm} +GSSAPI_SIGN yes +GSSAPI_ENCRYPT yes +SUDOERS_BASE ${sudo_basedn} diff --git a/files/usr/local/etc/openldap/schema/dnsdomain2.ldif.idm_server b/files/usr/local/etc/openldap/schema/dnsdomain2.ldif.idm_server new file mode 100644 index 0000000..f4fcd01 --- /dev/null +++ b/files/usr/local/etc/openldap/schema/dnsdomain2.ldif.idm_server @@ -0,0 +1,252 @@ +dn: cn=dnsdomain2,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: dnsdomain2 +# A schema for storing DNS zones in LDAP +# +# ORDERING is not necessary, and some servers don't support +# integerOrderingMatch. Omit or change if you like +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL' + DESC 'An integer denoting time to live' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass' + DESC 'The class of a resource record' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.11 NAME 'wKSRecord' + DESC 'a well known service description, RFC 1035' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord' + DESC 'domain name pointer, RFC 1035' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord' + DESC 'host information, RFC 1035' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord' + DESC 'mailbox or mail list information, RFC 1035' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord' + DESC 'text string, RFC 1035' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.17 NAME 'rPRecord' + DESC 'for Responsible Person, RFC 1183' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord' + DESC 'for AFS Data Base location, RFC 1183' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord' + DESC 'Signature, RFC 2535' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord' + DESC 'Key, RFC 2535' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.27 NAME 'gPosRecord' + DESC 'Geographical Position, RFC 1712' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord' + DESC 'IPv6 address, RFC 1886' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord' + DESC 'Location, RFC 1876' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord' + DESC 'non-existant, RFC 2535' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord' + DESC 'service location, RFC 2782' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord' + DESC 'Naming Authority Pointer, RFC 2915' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord' + DESC 'Key Exchange Delegation, RFC 2230' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord' + DESC 'certificate, RFC 2538' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record' + DESC 'A6 Record Type, RFC 2874' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord' + DESC 'Non-Terminal DNS Name Redirection, RFC 2672' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.42 NAME 'aPLRecord' + DESC 'Lists of Address Prefixes, RFC 3123' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord' + DESC 'Delegation Signer, RFC 3658' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord' + DESC 'SSH Key Fingerprint, RFC 4255' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.45 NAME 'iPSecKeyRecord' + DESC 'SSH Key Fingerprint, RFC 4025' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord' + DESC 'RRSIG, RFC 3755' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord' + DESC 'NSEC, RFC 3755' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.48 NAME 'dNSKeyRecord' + DESC 'DNSKEY, RFC 3755' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.49 NAME 'dHCIDRecord' + DESC 'DHCID, RFC 4701' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.50 NAME 'nSEC3Record' + DESC 'NSEC record version 3, RFC 5155' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.51 NAME 'nSEC3PARAMRecord' + DESC 'NSEC3 parameters, RFC 5155' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.52 NAME 'tLSARecord' + DESC 'TLSA certificate association, RFC 6698' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.59 NAME 'cDSRecord' + DESC 'Child DS, RFC7344' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.60 NAME 'cDNSKeyRecord' + DESC 'DNSKEY(s) the Child wants reflected in DS, RFC7344' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.61 NAME 'openPGPKeyRecord' + DESC 'OpenPGP Key, RFC7929' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.64 NAME 'SVCBRecord' + DESC 'Service binding, draft-ietf-dnsop-svcb-https-01' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.65 NAME 'HTTPSRecord' + DESC 'HTTPS service binding, draft-ietf-dnsop-svcb-https-01' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.99 NAME 'sPFRecord' + DESC 'Sender Policy Framework, RFC 4408' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.108 NAME 'EUI48Record' + DESC 'EUI-48 address, RFC7043' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.109 NAME 'EUI64Record' + DESC 'EUI-64 address, RFC7043' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.249 NAME 'tKeyRecord' + DESC 'Transaction Key, RFC2930' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.256 NAME 'uRIRecord' + DESC 'URI, RFC7553' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.257 NAME 'cAARecord' + DESC 'Certification Authority Restriction, RFC6844' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.32769 NAME 'dLVRecord' + DESC 'DNSSEC Lookaside Validation, RFC4431' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.65226 NAME 'TYPE65226Record' + DESC '' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.65534 NAME 'TYPE65534Record' + DESC '' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcObjectClasses: ( 1.3.6.1.4.1.2428.20.2 NAME 'dNSDomain2' + SUP 'dNSDomain' STRUCTURAL + MAY ( DNSTTL $ DNSClass $ WKSRecord $ PTRRecord $ + HINFORecord $ MINFORecord $ TXTRecord $ RPRecord $ + AFSDBRecord $ SIGRecord $ KEYRecord $ GPOSRecord $ + AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $ + NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $ + DNAMERecord $ APLRecord $ DSRecord $ SSHFPRecord $ + IPSECKEYRecord $ RRSIGRecord $ NSECRecord $ + DNSKEYRecord $ DHCIDRecord $ NSEC3Record $ NSEC3PARAMRecord $ + TLSARecord $ CDSRecord $ CDNSKEYRecord $ OPENPGPKEYRecord $ + SVCBRecord $ HTTPSRecord $ + SPFRecord $ EUI48Record $ EUI64Record $ TKEYRecord $ + URIRecord $ CAARecord $ DLVRecord $ TYPE65226Record $ + TYPE65534Record + ) ) diff --git a/files/usr/local/etc/openldap/schema/kerberos.ldif.idm_server b/files/usr/local/etc/openldap/schema/kerberos.ldif.idm_server new file mode 100644 index 0000000..830277d --- /dev/null +++ b/files/usr/local/etc/openldap/schema/kerberos.ldif.idm_server @@ -0,0 +1,68 @@ +# This LDIF version of the Kerberos schema can be loaded into an +# OpenLDAP database. It was originally converted semi-automatically +# from kerberos.schema using slaptest. + +dn: cn=kerberos,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: kerberos +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.1 NAME 'krbCanonicalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.3.1 NAME 'krbPrincipalType' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.5.1 NAME 'krbUPEnabled' DESC 'Boolean' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.8.1 NAME 'krbTicketFlags' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.9.1 NAME 'krbMaxTicketLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.10.1 NAME 'krbMaxRenewableAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.14.1 NAME 'krbRealmReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.15.1 NAME 'krbLdapServers' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.18.1 NAME 'krbPwdServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.24.1 NAME 'krbHostServer' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.25.1 NAME 'krbSearchScope' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.26.1 NAME 'krbPrincipalReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.28.1 NAME 'krbPrincNamingAttr' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.29.1 NAME 'krbAdmServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.30.1 NAME 'krbMaxPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.31.1 NAME 'krbMinPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.32.1 NAME 'krbPwdMinDiffChars' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.1 NAME 'krbPwdMaxFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.2 NAME 'krbPwdFailureCountInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.3 NAME 'krbPwdLockoutDuration' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.2 NAME 'krbPwdAttributes' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.3 NAME 'krbPwdMaxLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.4 NAME 'krbPwdMaxRenewableLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.5 NAME 'krbPwdAllowedKeysalts' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.39.1 NAME 'krbPrincipalKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.40.1 NAME 'krbTicketPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.41.1 NAME 'krbSubTrees' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.42.1 NAME 'krbDefaultEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.43.1 NAME 'krbSupportedEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.44.1 NAME 'krbPwdHistory' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChange' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.46.1 NAME 'krbMKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.47.1 NAME 'krbPrincipalAliases' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccessfulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.50.1 NAME 'krbLoginFailedCount' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.51.1 NAME 'krbExtraData' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContainerRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113730.3.8.15.2.1 NAME 'krbPrincipalAuthInd' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.4 NAME 'krbAllowedToDelegateTo' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.1.1 NAME 'krbContainer' SUP top STRUCTURAL MUST cn ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer' SUP top STRUCTURAL MUST cn MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef ) ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.3.1 NAME 'krbService' SUP top ABSTRACT MUST cn MAY ( krbHostServer $ krbRealmReferences ) ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP krbService STRUCTURAL ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SUP krbService STRUCTURAL ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' SUP top AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbLastAdminUnlock $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbAllowedToDelegateTo $ krbPrincipalAuthInd ) ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP top STRUCTURAL MUST krbPrincipalName MAY krbObjectReferences ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.11.1 NAME 'krbPrincRefAux' SUP top AUXILIARY MAY krbPrincipalReferences ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' SUP krbService STRUCTURAL ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SUP top STRUCTURAL MUST cn MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxLife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicyAux' SUP top AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy' SUP top STRUCTURAL MUST cn ) diff --git a/files/usr/local/etc/openldap/schema/mailservice.ldif.idm_server b/files/usr/local/etc/openldap/schema/mailservice.ldif.idm_server new file mode 100644 index 0000000..3cdedce --- /dev/null +++ b/files/usr/local/etc/openldap/schema/mailservice.ldif.idm_server @@ -0,0 +1,177 @@ +dn: cn=mailservice,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: mailservice +olcObjectIdentifier: {0}DebOps 1.3.6.1.4.1.53622 +olcObjectIdentifier: {1}DebOpsLDAP DebOps:42 +olcObjectIdentifier: {2}mailService DebOpsLDAP:2 +olcObjectIdentifier: {3}mailServiceAttribute mailService:3 +olcObjectIdentifier: {4}mailServiceObject mailService:4 +olcAttributeTypes: {0}( mailServiceAttribute:1 NAME 'mailAddress' DESC 'Primar + y RFC 822 email address of this recipient, can be used a + s a login identifier.' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substr + ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE ) +olcAttributeTypes: {1}( mailServiceAttribute:2 NAME 'mailAlternateAddress' DES + C 'Alternate RFC 822 email address(es) of this recipient' EQUALITY caseIgnore + IA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121. + 1.26{256} ) +olcAttributeTypes: {2}( mailServiceAttribute:3 NAME 'mailPrivateAddress' DESC + 'A confidential RFC 822 email address of this recipient + which can be used as a login identifier.' EQUALITY caseIgnoreIA5Match SUBSTR + caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE + -VALUE ) +olcAttributeTypes: {3}( mailServiceAttribute:4 NAME 'mailContactAddress' DESC + 'RFC 822 email address of this recipient which is meant to + be public and serve as the primary contact address.' EQUALITY caseIgnoreIA + 5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1. + 26{256} ) +olcAttributeTypes: {4}( mailServiceAttribute:5 NAME 'mailInternalAddress' DESC + 'An internal RFC 822 email address of this recipient wh + ich will be rewritten to an external email address' EQUALITY caseIgnoreIA5Mat + ch SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{2 + 56} SINGLE-VALUE ) +olcAttributeTypes: {5}( mailServiceAttribute:6 NAME 'mailExternalAddress' DESC + 'An external RFC 822 email address of this recipient wh + ich will be rewritten to an internal email address' EQUALITY caseIgnoreIA5Mat + ch SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{2 + 56} SINGLE-VALUE ) +olcAttributeTypes: {6}( mailServiceAttribute:7 NAME 'mailSenderBccTo' DESC 'RF + C 822 BCC email address(es) to add for a given mail sender' EQUALITY caseIgno + reIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.12 + 1.1.26{256} ) +olcAttributeTypes: {7}( mailServiceAttribute:8 NAME 'mailRecipientBccTo' DESC + 'RFC 822 BCC email address(es) to add for a given mail recipient' EQUALITY ca + seIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466. + 115.121.1.26{256} ) +olcAttributeTypes: {8}( mailServiceAttribute:9 NAME 'mailForwardTo' DESC 'RFC + 822 email address(es) to forward all incoming messages to' EQUALITY caseIgnor + eIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121 + .1.26{256} ) +olcAttributeTypes: {9}( mailServiceAttribute:10 NAME 'mailForwardToURL' DESC ' + LDAP search URL that defines the recipients of the mail messages + sent to this mailing list' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1 + .4.1.1466.115.121.1.26 ) +olcAttributeTypes: {10}( mailServiceAttribute:11 NAME 'mailErrorsTo' DESC 'RFC + 822 email address(es) to use when routing error and notification + messages to the owner(s) of an email distribution list' EQUALITY ca + seIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466. + 115.121.1.26{256} ) +olcAttributeTypes: {11}( mailServiceAttribute:12 NAME 'mailRequestsTo' DESC 'R + FC 822 email address(es) to use when routing request mes + sages sent to the email distribution list' EQUALITY caseIgnoreIA5Match SUBSTR + caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) +olcAttributeTypes: {12}( mailServiceAttribute:13 NAME 'mailEnvelopeAddress' DE + SC 'RFC 822 envelope sender email address of a given mail user + or email distribution list' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn + oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE + ) +olcAttributeTypes: {13}( mailServiceAttribute:14 NAME 'mailRoutingAddress' DES + C 'RFC 822 email address to use when routing messages to + the SMTP MTA of this recipient' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnor + eIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE ) +olcAttributeTypes: {14}( mailServiceAttribute:15 NAME 'mailHost' DESC 'Fully Q + ualified Domain Name of the SMTP MTA that handles messag + es for this recipient' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMa + tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE ) +olcAttributeTypes: {15}( mailServiceAttribute:16 NAME 'mailTransport' DESC 'MT + A mail transport method which will take care of the email delivery' EQUALITY + caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {16}( mailServiceAttribute:17 NAME 'mailUidNumber' DESC 'UI + D required to access the mailbox' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.14 + 66.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {17}( mailServiceAttribute:18 NAME 'mailGidNumber' DESC 'GI + D required to access the mailbox' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.14 + 66.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {18}( mailServiceAttribute:19 NAME 'mailHomeDirectory' DESC + 'The absolute path to the mail user home directory' EQUALITY caseExactIA5Mat + ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {19}( mailServiceAttribute:20 NAME 'mailMessageStore' DESC + 'The path to the mail user mailbox storage directory' EQUALITY caseExactIA5Ma + tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {20}( mailServiceAttribute:21 NAME 'mailQuota' DESC 'Mail q + uota limit in kilobytes' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466. + 115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {21}( mailServiceAttribute:22 NAME 'mailGroupACL' DESC 'Com + ma-separated list of mail groups a given mail user belon + gs to, used for mailbox access control' EQUALITY caseExactIA5Match SUBSTR cas + eExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {22}( mailServiceAttribute:23 NAME 'mailExpungeTrash' DESC + 'Time to automatically expunge Trash mailbox' EQUALITY caseIgnoreIA5Match SYN + TAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {23}( mailServiceAttribute:24 NAME 'mailSieveRuleSource' DE + SC 'Definition of a Sieve filter script for a given mail user' SYNTAX 1.3.6.1 + .4.1.1466.115.121.1.26 ) +olcAttributeTypes: {24}( mailServiceAttribute:25 NAME 'mailSuppressErrors' DES + C 'Suppress error messages from being sent back to message originator' EQUALI + TY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {25}( mailServiceAttribute:26 NAME 'mailDeliveryFile' DESC + 'Path to a file used for archiving messages sent to the distribution list' EQ + UALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {26}( mailServiceAttribute:27 NAME 'mailDeliveryOption' DES + C 'Message handling option for messages sent to a designated recipient' EQUAL + ITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {27}( mailServiceAttribute:28 NAME 'mailProgramDeliveryInfo + ' DESC 'Named programs for message post-processing' EQUALITY caseExactIA5Matc + h SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {28}( mailServiceAttribute:29 NAME 'mailAuthorizedDomain' D + ESC 'Domains authorized to submit messages to the distribution list' EQUALITY + caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {29}( mailServiceAttribute:30 NAME 'mailAuthorizedSender' D + ESC 'Addresses authorized to submit messages to the distribution list' EQUALI + TY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {30}( mailServiceAttribute:31 NAME 'mailUnauthorizedDomain' + DESC 'Domains not authorized to submit messages to the distribution list' EQ + UALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {31}( mailServiceAttribute:32 NAME 'mailUnauthorizedSender' + DESC 'Addresses not authorized to submit messages to the distribution list' + EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {32}( mailServiceAttribute:33 NAME 'mailRemoveHeader' DESC + 'Headers to remove from the messages sent to the mailing list' SYNTAX 1.3.6.1 + .4.1.1466.115.121.1.26 ) +olcAttributeTypes: {33}( mailServiceAttribute:34 NAME 'mailAddHeader' DESC 'He + aders to add to the messages sent to the mailing list' SYNTAX 1.3.6.1.4.1.146 + 6.115.121.1.26 ) +olcAttributeTypes: {34}( mailServiceAttribute:35 NAME 'mailAntispamPolicy' DES + C 'Name of the anti-spam policy to apply to a given LDAP entry' SYNTAX 1.3.6. + 1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {35}( mailServiceAttribute:36 NAME 'mailAntivirusPolicy' DE + SC 'Name of the anti-virus policy to apply to a given LDAP entry' SYNTAX 1.3. + 6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {36}( mailServiceAttribute:37 NAME 'mailContentPolicy' DESC + 'Name of the content policy to apply to a given LDAP entry' SYNTAX 1.3.6.1.4 + .1.1466.115.121.1.26 SINGLE-VALUE ) +olcObjectClasses: {0}( mailServiceObject:1 NAME 'mailRecipient' DESC 'The entr + y represents an entity within the organization that can re + ceive SMTP mail, such as a mail user account' SUP top AUXILIARY MUST mailAddr + ess MAY ( mailAlternateAddress $ mailPrivateAddress $ mailContactAddress $ ma + ilEnvelopeAddress $ mailRoutingAddress $ mailExternalAddress $ mailInternalAd + dress $ mailSenderBccTo $ mailRecipientBccTo $ mailHost $ mailTransport $ mai + lUidNumber $ mailGidNumber $ mailHomeDirectory $ mailMessageStore $ mailQuota + $ mailGroupACL $ mailExpungeTrash $ mailSieveRuleSource $ mailDeliveryOption + $ mailProgramDeliveryInfo $ mail $ cn $ description $ uid $ userPassword ) ) +olcObjectClasses: {1}( mailServiceObject:2 NAME 'mailAlias' DESC 'The entry re + presents an entity within the organization that defines an + email alias for mail recipients' SUP top STRUCTURAL MUST mailAddress MAY ( m + ailForwardTo $ mailForwardToURL $ mailHost $ mailTransport $ mailDeliveryFile + $ mailDeliveryOption $ mailProgramDeliveryInfo $ mail $ cn $ description $ o + wner ) ) +olcObjectClasses: {2}( mailServiceObject:3 NAME 'mailDistributionList' DESC 'T + he entry represents an entity within the organization that + can receive and forward SMTP mail, such as a mail group a + ccount (mailing list)' SUP top AUXILIARY MUST mailAddress MAY ( mailForwardTo + $ mailForwardToURL $ mailEnvelopeAddress $ mailErrorsTo $ mailRequestsTo $ m + ailSuppressErrors $ mailHost $ mailTransport $ mailDeliveryFile $ mailDeliver + yOption $ mailProgramDeliveryInfo $ mailAuthorizedDomain $ mailAuthorizedSend + er $ mailUnauthorizedDomain $ mailUnauthorizedSender $ mailRemoveHeader $ mai + lAddHeader $ mail $ cn $ description $ owner $ manager $ seeAlso ) ) +olcObjectClasses: {3}( mailServiceObject:4 NAME 'mailDomain' DESC 'The entry r + epresents an entity within the organization that defines a + n email domain' SUP domain STRUCTURAL MAY ( mailHost $ mailTransport $ mailSe + nderBccTo $ mailRecipientBccTo $ mailErrorsTo $ mailSuppressErrors $ mailAuth + orizedDomain $ mailAuthorizedSender $ mailUnauthorizedDomain $ mailUnauthoriz + edSender $ mailRemoveHeader $ mailAddHeader $ description $ owner $ manager ) + ) +olcObjectClasses: {4}( mailServiceObject:5 NAME 'mailFilter' DESC 'The entry r + epresents an entity within the organization that can filte + r email messages according to various policies' SUP top AUXILIARY MAY ( mailA + ntispamPolicy $ mailAntivirusPolicy $ mailContentPolicy $ cn $ description $ + seeAlso ) ) diff --git a/files/usr/local/etc/openldap/schema/openssh-lpk.ldif.idm_server b/files/usr/local/etc/openldap/schema/openssh-lpk.ldif.idm_server new file mode 100644 index 0000000..6cde0a4 --- /dev/null +++ b/files/usr/local/etc/openldap/schema/openssh-lpk.ldif.idm_server @@ -0,0 +1,11 @@ +dn: cn=openssh-lpk,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: openssh-lpk +olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' + DESC 'MANDATORY: OpenSSH Public key' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY + DESC 'MANDATORY: OpenSSH LPK objectclass' + MAY ( sshPublicKey $ uid ) + ) diff --git a/files/usr/local/etc/openldap/schema/rfc2307bis.ldif.idm_server b/files/usr/local/etc/openldap/schema/rfc2307bis.ldif.idm_server new file mode 100644 index 0000000..83cf2be --- /dev/null +++ b/files/usr/local/etc/openldap/schema/rfc2307bis.ldif.idm_server @@ -0,0 +1,246 @@ +dn: cn=rfc2307bis,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: rfc2307bis +### +# Extracted from: http://tools.ietf.org/html/draft-howard-rfc2307bis-02 +### +olcAttributeTypes: ( 1.3.6.1.1.1.1.2 NAME 'gecos' + DESC 'The GECOS field; the common name' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' + DESC 'The absolute path to the home directory' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.4 NAME 'loginShell' + DESC 'The path to the login shell' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.6 NAME 'shadowMin' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.7 NAME 'shadowMax' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.12 NAME 'memberUid' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' + DESC 'Netgroup triple' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort' + DESC 'Service port number' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol' + DESC 'Service protocol name' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber' + DESC 'IP protocol number' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber' + DESC 'ONC RPC number' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber' + DESC 'IPv4 addresses as a dotted decimal omitting leading + zeros or IPv6 addresses as defined in RFC2373' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber' + DESC 'IP network omitting leading zeros, eg. 192.168' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber' + DESC 'IP netmask omitting leading zeros, eg. 255.255.255.0' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.22 NAME 'macAddress' + DESC 'MAC address in maximal, colon separated hex + notation, eg. 00:00:92:90:ee:e2' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.23 NAME 'bootParameter' + DESC 'rpc.bootparamd parameter' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.24 NAME 'bootFile' + DESC 'Boot image name' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.26 NAME 'nisMapName' + DESC 'Name of a generic NIS map' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry' + DESC 'A generic NIS entry' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey' + DESC 'NIS public key' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey' + DESC 'NIS secret key' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' + DESC 'NIS domain' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' + DESC 'automount Map Name' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' + DESC 'Automount Key value' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' + DESC 'Automount information' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE ) +olcObjectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY + DESC 'Abstraction of an account with POSIX attributes' + MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) + MAY ( userPassword $ loginShell $ gecos $ + description ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY + DESC 'Additional attributes for shadow passwords' + MUST uid + MAY ( userPassword $ description $ + shadowLastChange $ shadowMin $ shadowMax $ + shadowWarning $ shadowInactive $ + shadowExpire $ shadowFlag ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY + DESC 'Abstraction of a group of accounts' + MUST gidNumber + MAY ( userPassword $ memberUid $ + description ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL + DESC 'Abstraction an Internet Protocol service. + Maps an IP port and protocol (such as tcp or udp) + to one or more names; the distinguished value of + the cn attribute denotes the services canonical + name' + MUST ( cn $ ipServicePort $ ipServiceProtocol ) + MAY description ) +olcObjectClasses: ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL + DESC 'Abstraction of an IP protocol. Maps a protocol number + to one or more names. The distinguished value of the cn + attribute denotes the protocol canonical name' + MUST ( cn $ ipProtocolNumber ) + MAY description ) +olcObjectClasses: ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL + DESC 'Abstraction of an Open Network Computing (ONC) + [RFC1057] Remote Procedure Call (RPC) binding. + This class maps an ONC RPC number to a name. + The distinguished value of the cn attribute denotes + the RPC service canonical name' + MUST ( cn $ oncRpcNumber ) + MAY description ) +olcObjectClasses: ( 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY + DESC 'Abstraction of a host, an IP device. The distinguished + value of the cn attribute denotes the hosts canonical + name. Device SHOULD be used as a structural class' + MUST ( cn $ ipHostNumber ) + MAY ( userPassword $ l $ description $ + manager ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL + DESC 'Abstraction of a network. The distinguished value of + the cn attribute denotes the network canonical name' + MUST ipNetworkNumber + MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL + DESC 'Abstraction of a netgroup. May refer to other + netgroups' + MUST cn + MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL + DESC 'A generic abstraction of a NIS map' + MUST nisMapName + MAY description ) +olcObjectClasses: ( 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL + DESC 'An entry in a NIS map' + MUST ( cn $ nisMapEntry $ nisMapName ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY + DESC 'A device with a MAC address; device SHOULD be + used as a structural class' + MAY macAddress ) +olcObjectClasses: ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY + DESC 'A device with boot parameters; device SHOULD be + used as a structural class' + MAY ( bootFile $ bootParameter ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY + DESC 'An object with a public and secret key' + MUST ( cn $ nisPublicKey $ nisSecretKey ) + MAY ( uidNumber $ description ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY + DESC 'Associates a NIS domain with a naming context' + MUST nisDomain ) +olcObjectClasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL + MUST ( automountMapName ) + MAY description ) +olcObjectClasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL + DESC 'Automount information' + MUST ( automountKey $ automountInformation ) + MAY description ) +olcObjectClasses: ( 1.3.6.1.1.1.2.18 NAME 'groupOfMembers' SUP top STRUCTURAL + DESC 'A group with members (DNs)' + MUST cn + MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ + description $ member ) ) diff --git a/files/usr/local/etc/openldap/schema/sudo.ldif.idm_server b/files/usr/local/etc/openldap/schema/sudo.ldif.idm_server new file mode 100644 index 0000000..8948ca4 --- /dev/null +++ b/files/usr/local/etc/openldap/schema/sudo.ldif.idm_server @@ -0,0 +1,79 @@ +dn: cn=sudoschema,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: sudoschema +# +# OpenLDAP schema file for Sudo in on-line configuration (OLC) format. +# Import using ldapadd or another suitable LDAP browser. +# Converted to OLC format by Frederic Pasteleurs +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.1 + NAME 'sudoUser' + DESC 'User(s) who may run sudo' + EQUALITY caseExactMatch + SUBSTR caseExactSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.2 + NAME 'sudoHost' + DESC 'Host(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.3 + NAME 'sudoCommand' + DESC 'Command(s) to be executed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.4 + NAME 'sudoRunAs' + DESC 'User(s) impersonated by sudo (deprecated)' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.5 + NAME 'sudoOption' + DESC 'Options(s) followed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.6 + NAME 'sudoRunAsUser' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.7 + NAME 'sudoRunAsGroup' + DESC 'Group(s) impersonated by sudo' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.8 + NAME 'sudoNotBefore' + DESC 'Start of time interval for which the entry is valid' + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) +# +olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.9 + NAME 'sudoNotAfter' + DESC 'End of time interval for which the entry is valid' + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) +# +olcattributeTypes: ( 1.3.6.1.4.1.15953.9.1.10 + NAME 'sudoOrder' + DESC 'an integer to order the sudoRole entries' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) +# +olcobjectclasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL + DESC 'Sudoer Entries' + MUST ( cn ) + MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $ + description ) + ) diff --git a/files/usr/local/etc/openldap/slapd.ldif.idm_server b/files/usr/local/etc/openldap/slapd.ldif.idm_server new file mode 100644 index 0000000..784c63a --- /dev/null +++ b/files/usr/local/etc/openldap/slapd.ldif.idm_server @@ -0,0 +1,225 @@ +# Top-level cn=config attributes. +dn: cn=config +objectClass: olcGlobal +cn: config +olcArgsFile: /var/run/openldap/slapd.args +olcPidFile: /var/run/openldap/slapd.pid +olcSaslHost: ${fqdn} +olcSaslSecProps: noanonymous,minssf=56 +olcDisallows: bind_anon +olcSecurity: ssf=56 +olcLocalSSF: 128 +olcTLSCACertificateFile: ${site_cacert_path} +olcTLSCertificateFile: ${slapd_tls_cert} +olcTLSCertificateKeyFile: ${slapd_tls_key} +olcTLSVerifyClient: allow +$(echo "$idm_server_list" | while read -r _hostname id ipv4; do + echo "olcServerID: ${id} ldaps://${ipv4}/" +done) +olcAuthzRegexp: {0}^gidNumber=[0-9]+\+uidNumber=0,cn=peercred,cn=external,cn=auth$ ${slapd_root_dn} +olcAuthzRegexp: {1}^gidNumber=[0-9]+\+uidNumber=([^,]+),cn=peercred,cn=external,cn=auth$ ldap:///${accounts_basedn}??sub?(uidNumber=\$1) +olcAuthzRegexp: {2}^uid=([^,]+),cn=(gssapi|plain|login),cn=auth$ ldap:///${accounts_basedn}??sub?(krbPrincipalName=\$1@${realm}) + +# Load dynamic modules. +dn: cn=module,cn=config +objectClass: olcModuleList +cn: module +olcModulepath: /usr/local/libexec/openldap +olcModuleload: back_mdb.la +olcModuleload: pw-sha2.la +olcModuleload: accesslog.la +olcModuleload: dynlist.la +olcModuleload: unique.la +olcModuleload: refint.la + +# Frontend configuration. Individual databases can override these settings. +dn: olcDatabase=frontend,cn=config +objectClass: olcDatabaseConfig +objectClass: olcFrontendConfig +olcDatabase: frontend +olcPasswordHash: {SSHA512} +olcSizeLimit: ${slapd_result_size_limit} +olcRequires: authc +olcAccess: {0}to dn.base="" by * read +olcAccess: {1}to dn.base="cn=Subschema" by * read +olcAccess: {2}to * + by users read + by anonymous auth + +# Load schemas. +dn: cn=schema,cn=config +objectClass: olcSchemaConfig +cn: schema + +include: file://${slapd_conf_dir}/schema/core.ldif +include: file://${slapd_conf_dir}/schema/cosine.ldif +include: file://${slapd_conf_dir}/schema/inetorgperson.ldif +include: file://${slapd_conf_dir}/schema/dyngroup.ldif +include: file://${slapd_conf_dir}/schema/rfc2307bis.ldif +include: file://${slapd_conf_dir}/schema/kerberos.ldif +include: file://${slapd_conf_dir}/schema/openssh-lpk.ldif +include: file://${slapd_conf_dir}/schema/sudo.ldif +include: file://${slapd_conf_dir}/schema/dnsdomain2.ldif +include: file://${slapd_conf_dir}/schema/mailservice.ldif + +# cn=config database configuration. +dn: olcDatabase={0}config,cn=config +objectClass: olcDatabaseConfig +olcDatabase: config +olcRootDN: ${slapd_root_dn} + +# Default database configuration. +dn: olcDatabase={1}mdb,cn=config +objectClass: olcDatabaseConfig +objectClass: olcMdbConfig +olcDatabase: mdb +olcDbMaxSize: ${slapd_db_max_size} +olcSuffix: ${basedn} +olcRootDN: ${slapd_root_dn} +olcDbDirectory: ${slapd_data_dir} +$(echo "$idm_server_list" | while read -r _hostname id ipv4; do +echo "olcSyncrepl: rid=00${id} + provider=ldaps://${ipv4}/ + searchbase=${basedn} + bindmethod=sasl + saslmech=external + tls_cert=${slapd_replicator_tls_cert} + tls_key=${slapd_replicator_tls_key} + tls_cacert=${site_cacert_path} + tls_reqcert=demand + type=refreshAndPersist + retry=\"5 5 60 +\" + logfilter=\"(&(objectClass=auditWriteObject)(reqResult=0))\" + timeout=5 + logbase=cn=accesslog + syncdata=accesslog" +done) +olcMultiProvider: TRUE +olcDbIndex: objectClass eq +olcDbIndex: cn,uid,uidNumber,gidNumber,member,memberUid,mail,mailAddress,mailAlternateAddress,mailPrivateAddress,mailContactAddress eq +olcDbIndex: sudoUser eq +olcDbIndex: automountMapName eq +olcDbIndex: krbPrincipalName eq,pres +olcDbIndex: entryCSN,entryUUID eq +olcDbIndex: associatedDomain pres,eq,sub +olcDbIndex: description pres,eq,sub +olcLimits: {0}dn.exact=${slapd_replicator_dn} + time.soft=unlimited + time.hard=unlimited + size.soft=unlimited + size.hard=unlimited +olcLimits: {1}* + size.soft=${slapd_result_size_limit} + size.hard=${slapd_result_size_limit} + size.pr=${slapd_result_size_limit} + size.prtotal=unlimited +olcAccess: {0}to dn.base="" + by * read +olcAccess: {1}to dn.base="cn=Subschema" + by * read +olcAccess: {3}to * + by dn.exact=${slapd_replicator_dn} read + by dn.exact=uid=${idm_admin_username},${robots_basedn} manage + by group/groupOfMembers/member=cn=${idm_admin_groupname},${groups_basedn} manage + by * break +olcAccess: {4}to dn.subtree=${sudo_basedn} + by dn.children=${hosts_basedn} read + by * none +olcAccess: {5}to dn.subtree=${kdc_basedn} + by * none +olcAccess: {6}to attrs=userPassword + by self write + by anonymous auth + by * none +olcAccess: {7}to attrs=shadowLastChange,sshPublicKey + by self write + by * read +olcAccess: {8}to attrs=krbPrincipalKey + by * none +olcAccess: {9}to * + by * read + +# Accesslog database (for syncprov). +dn: olcDatabase={2}mdb,cn=config +objectClass: olcDatabaseConfig +objectClass: olcMdbConfig +olcDatabase: mdb +olcDbDirectory: ${slapd_data_dir}/accesslog +olcSuffix: cn=accesslog +olcRootDN: ${slapd_root_dn} +olcDbMaxSize: ${slapd_accesslog_db_max_size} +olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart,reqDN eq +olcAccess: {0}to * + by dn.exact=${slapd_replicator_dn} read + by * break +olcLimits: {0}dn.exact=${slapd_replicator_dn} + time.soft=unlimited + time.hard=unlimited + size.soft=unlimited + size.hard=unlimited + +# Monitoring database. +dn: olcDatabase={3}monitor,cn=config +objectClass: olcDatabaseConfig +olcDatabase: monitor +olcRootDN: ${slapd_root_dn} +olcMonitoring: FALSE + +# Syncprov overlay. +dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config +objectClass: olcOverlayConfig +objectClass: olcSyncProvConfig +olcOverlay: syncprov +olcSpCheckpoint: ${slapd_syncrepl_checkpoint_ops} ${slapd_syncrepl_checkpoint_minutes} +olcSpSessionLog: ${slapd_syncrepl_session_log} + +# Accesslog overlay (for syncrepl). +dn: olcOverlay={1}accesslog,olcDatabase={1}mdb,cn=config +objectClass: olcOverlayConfig +objectClass: olcAccessLogConfig +olcOverlay: accesslog +olcAccessLogDB: cn=accesslog +olcAccessLogOps: writes +olcAccessLogSuccess: TRUE +olcAccessLogPurge: ${slapd_syncrepl_cleanup_age}+00:00 ${slapd_syncrepl_cleanup_interval}+00:00 + +# Dynlist overlay. +dn: olcOverlay={2}dynlist,olcDatabase={1}mdb,cn=config +objectClass: olcOverlayConfig +objectClass: olcDynamicList +olcOverlay: dynlist +olcDynListAttrSet: {0}groupOfURLs memberURL member+memberOf@groupOfMembers* +olcDynListAttrSet: {1}labeledURIObject labeledURI uniqueMember+seeAlso@groupOfUniqueNames + +# Unique overlay. +dn: olcOverlay={3}unique,olcDatabase={1}mdb,cn=config +objectClass: olcOverlayConfig +objectClass: olcUniqueConfig +olcOverlay: unique +olcUniqueURI: ldap:///${accounts_basedn}?uid?sub +olcUniqueURI: ldap:///${accounts_basedn}?uidNumber?sub +olcUniqueURI: ldap:///${accounts_basedn}?krbPrincipalName?sub +olcUniqueURI: ldap:///${accounts_basedn}?mail?sub +olcUniqueURI: ldap:///${accounts_basedn}?mailAddress,mailAlternateAddress,mailPrivateAddress,mailContactAddress?sub +olcUniqueURI: ldap:///${groups_basedn}?cn?sub +olcUniqueURI: ldap:///${groups_basedn}?gidNumber?sub +olcUniqueURI: ldap:///${hosts_basedn}?cn,dc?sub +olcUniqueURI: ldap:///${services_basedn}?cn?sub +olcUniqueURI: ldap:///${sudo_basedn}?cn?sub +olcUniqueURI: ldap:///${dns_basedn}?associatedDomain?sub + +# Refint overlay. +dn: olcOverlay={4}refint,olcDatabase={1}mdb,cn=config +objectClass: olcOverlayConfig +objectClass: olcRefintConfig +olcOverlay: refint +olcRefintAttribute: member +olcRefintNothing: cn=config + +# Syncprov overlay for accesslog db. +dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config +objectClass: olcOverlayConfig +objectClass: olcSyncProvConfig +olcOverlay: syncprov +olcSpNoPresent: TRUE +olcSpReloadHint: TRUE diff --git a/files/usr/local/etc/pdns/pdns.conf.idm_server b/files/usr/local/etc/pdns/pdns.conf.idm_server new file mode 100644 index 0000000..fc63bd6 --- /dev/null +++ b/files/usr/local/etc/pdns/pdns.conf.idm_server @@ -0,0 +1,29 @@ +# With SASL_MECH=EXTERNAL set in system ldap.conf, PowerDNS can be fooled +# into performing an EXTERNAL (Unix peercred) bind over the ldapi:/// domain +# socket. +# +# You must set ldap-bindmethod=gssapi (?!) for this to work. This behavior doesn't +# seem to be documented anywhere, but hey, it's nice! +ldap-host=ldapi:/// +ldap-bindmethod=gssapi + +ldap-basedn=${dns_basedn} +ldap-reconnect-attempts=2147483647 +ldap-method=simple + +launch=ldap + +local-address=127.0.0.1,::1 +local-port=${pdns_port} +distributor-threads=${pdns_distributor_threads} +receiver-threads=${pdns_receiver_threads} +reuseport=yes + +allow-axfr-ips=${pdns_allow_axfr_ips} + +cache-ttl=${pdns_cache_ttl} +query-cache-ttl=${pdns_query_cache_ttl} +negquery-cache-ttl=${pdns_negquery_cache_ttl} +zone-cache-refresh-interval=0 + +security-poll-suffix= diff --git a/files/usr/local/etc/pkg/repos/onprem.conf.freebsd b/files/usr/local/etc/pkg/repos/onprem.conf.freebsd new file mode 100644 index 0000000..953ae20 --- /dev/null +++ b/files/usr/local/etc/pkg/repos/onprem.conf.freebsd @@ -0,0 +1,6 @@ +${site}: { + enabled: yes, + url: "http://${pkg_host}/\${ABI}/latest", + signature_type: "pubkey", + pubkey: "/usr/local/etc/ssl/repo.crt" +} diff --git a/files/usr/local/etc/pkg/repos/onprem.conf.idm_server b/files/usr/local/etc/pkg/repos/onprem.conf.idm_server new file mode 100644 index 0000000..5ffad74 --- /dev/null +++ b/files/usr/local/etc/pkg/repos/onprem.conf.idm_server @@ -0,0 +1,9 @@ +# The "-idm" set is a special poudriere build for the IDM servers that builds +# openldap26-server with GSSAPI_BASE. This workaround is necessary to avoid a +# circular dependency with krb5 and cyrus-sasl2-gssapi. +${site}: { + enabled: yes, + url: "http://${pkg_host}/\${ABI}/latest-idm", + signature_type: "pubkey", + pubkey: "/usr/local/etc/ssl/repo.crt" +} diff --git a/files/usr/local/etc/poudriere.d/idm-make.conf.pkg_repository b/files/usr/local/etc/poudriere.d/idm-make.conf.pkg_repository new file mode 100644 index 0000000..1d5ce20 --- /dev/null +++ b/files/usr/local/etc/poudriere.d/idm-make.conf.pkg_repository @@ -0,0 +1,34 @@ +CFLAGS=-O2 -pipe +DISABLE_LICENSES=yes +DEFAULT_VERSIONS+=${poudriere_default_versions:-} +MAKE_JOBS_NUMBER=${poudriere_make_jobs_number} + +# Global port options +OPTIONS_UNSET=TEST DEBUG GSSAPI_HEIMDAL GSSAPI_BASE GSSAPI_NONE HEIMDAL NLS DOCS AVAHI LIBWRAP MYSQL MSQLND ODBC READLINE PULSEAUDIO UPNP BASH ZSH INFO ALSA SAMBA WAYLAND PLATFORM_WAYLAND PIPEWIRE +OPTIONS_SET=GSSAPI GSSAPI_MIT NONFREE LIBEDIT + +# Per-port options +dns_powerdns_SET=OPENLDAP +dns_powerdns_UNSET=PGSQL SQLITE3 +dns_unbound_SET=TFOCL TFOSE +dns_unbound_UNSET=DOH +editors_vim_SET=CTAGS_EXUBERANT XTERM_SAVE +editors_vim_UNSET=CTAGS_BASE +net_openldap26-server_SET=DEBUG +net_openldap26-server_UNSET=SMBPWD +security_cyrus-sasl2-saslauthd_UNSET=BDB1 +security_krb5_SET=DNS_FOR_REALM LDAP +security_krb5_UNSET=KRB5_HTML KRB5_PDF +security_sudo_SET=LDAP +security_sudo_UNSET=GSSAPI_MIT +shells_bash_UNSET=PORTS_READLINE +sysutils_htop_SET=LSOF +sysutils_rsyslog8_SET=GSSAPI RELP OPENSSL +sysutils_rsyslog8_UNSET=GCRYPT +www_nginx_SET=HTTPV3 HTTPV3_QTLS HTTP_AUTH_KRB5 HTTP_AUTH_LDAP +www_nginx_UNSET=MAIL + +# We must use base kerberos to build cyrus to avoid a circular dependency with +# MIT kerberos and LDAP. +security_cyrus-sasl2-gssapi_SET=GSSAPI_BASE +security_cyrus-sasl2-gssapi_UNSET=GSSAPI_MIT diff --git a/files/usr/local/etc/poudriere.d/idm-pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/idm-pkglist.pkg_repository new file mode 100644 index 0000000..86c102e --- /dev/null +++ b/files/usr/local/etc/poudriere.d/idm-pkglist.pkg_repository @@ -0,0 +1,24 @@ +devel/git@lite +dns/bind-tools +dns/powerdns +dns/unbound +editors/vim@console +lang/python +net/nss-pam-ldapd-sasl +net/openldap26-client +net/openldap26-server +net/p5-perl-ldap +net/py-python-ldap +net/rsync +security/cyrus-sasl2-saslauthd +security/krb5 +security/pam_krb5@mit +security/pam_mkhomedir +security/sudo +sysutils/htop +sysutils/lsof +sysutils/p5-Sys-Syslog +sysutils/pwgen +sysutils/tmux +sysutils/tree +www/nginx diff --git a/files/usr/local/etc/sudoers.d/networkmgr.roadwarrior_laptop b/files/usr/local/etc/sudoers.d/networkmgr.roadwarrior_laptop new file mode 100644 index 0000000..04284c5 --- /dev/null +++ b/files/usr/local/etc/sudoers.d/networkmgr.roadwarrior_laptop @@ -0,0 +1 @@ +%operator ALL=NOPASSWD: /usr/local/bin/networkmgr diff --git a/files/usr/local/etc/sudoers.roadwarrior_laptop b/files/usr/local/etc/sudoers.roadwarrior_laptop new file mode 100644 index 0000000..0c1a78c --- /dev/null +++ b/files/usr/local/etc/sudoers.roadwarrior_laptop @@ -0,0 +1,4 @@ +root ALL=(ALL:ALL) ALL +%wheel ALL=(ALL:ALL) ALL + +@includedir /usr/local/etc/sudoers.d diff --git a/files/usr/local/lib/firefox/distribution/policies.json.common b/files/usr/local/lib/firefox/distribution/policies.json.common new file mode 100644 index 0000000..96d463c --- /dev/null +++ b/files/usr/local/lib/firefox/distribution/policies.json.common @@ -0,0 +1,163 @@ +{ + "policies": { + "ExtensionSettings": { + "uBlock0@raymondhill.net": { + "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi", + "installation_mode": "force_installed" + }, + "{446900e4-71c2-419f-a6a7-df9c091e268b}": { + "install_url": "https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi", + "installation_mode": "normal_installed" + }, + "7esoorv3@alefvanoon.anonaddy.me": { + "install_url": "https://addons.mozilla.org/firefox/downloads/latest/libredirect/latest.xpi", + "installation_mode": "normal_installed" + }, + "{9cbd40c5-5275-443e-811b-dc57d8c7c5d2}": { + "install_url": "https://addons.mozilla.org/firefox/downloads/latest/kde-default-breeze/latest.xpi", + "installation_mode": "$(if [ "${desktop_type:-}" = kde ]; then echo 'normal_installed'; else echo 'allowed'; fi)" + }, + "plasma-browser-integration@kde.org": { + "install_url": "https://addons.mozilla.org/firefox/downloads/latest/plasma-integration/latest.xpi", + "installation_mode": "$(if [ "${desktop_type:-}" = kde ]; then echo normal_installed; else echo allowed; fi)" + } + }, + "3rdparty": { + "Extensions": { + "uBlock0@raymondhill.net": { + "toOverwrite": { + "filterLists": [ + "user-filters", + "ublock-filters", + "ublock-badware", + "ublock-privacy", + "ublock-abuse", + "ublock-unbreak", + "ublock-annoyances", + "easylist", + "easyprivacy", + "urlhaus-1", + "plowe-0", + "fanboy-annoyance", + "fanboy-thirdparty_social", + "adguard-spyware-url", + "ublock-quick-fixes" + ] + }, + "toAdd": { + "trustedSiteDirectives": [ + "${domain}" + ] + } + } + } + }, + "UserMessaging": { + "WhatsNew": false, + "ExtensionRecommendations": false, + "UrlbarInterventions": false, + "SkipOnboarding": true + }, + "OverridePostUpdatePage": "", + "OverrideFirstRunPage": "", + "EnableTrackingProtection": { + "Value": false, + "Cryptomining": false, + "Fingerprinting": false, + "Locked": false + }, + "Cookies": { + "Behavior": "reject-tracker-and-partition-foreign", + "BehaviorPrivateBrowsing": "reject-tracker-and-partition-foreign" + }, + "Authentication": { + "SPNEGO": ["${domain}"], + "AllowNonFQDN": { + "SPNEGO": true + }, + "AllowProxies": { + "SPNEGO": true + } + }, + "NoDefaultBookmarks": true, + "DisablePocket": true, + "DisableAppUpdate": true, + "CaptivePortal": false, + "Certificates": { + "Install": [ + "${site_cacert_path}" + ] + }, + "DisableFeedbackCommands": true, + "DisableFirefoxAccounts": true, + "DisableFirefoxStudies": true, + "DisableTelemetry": true, + "DontCheckDefaultBrowser": true, + "OfferToSaveLoginsDefault": false, + "DNSOverHTTPS": { + "Enabled": false + }, + "SearchSuggestEnabled": false, + "Homepage": { + "URL": "about:home", + "StartPage": "homepage" + }, + "FirefoxHome": { + "Search": true, + "TopSites": false, + "SponsoredTopSites": false, + "Highlights": false, + "Pocket": false, + "SponsoredPocket": false, + "Snippets": false + }, + "ManagedBookmarks": [ + { + "toplevel_name": "Intranet" + }, + { + "url": "http://pkg.${domain}/poudriere/", + "name": "Poudriere" + } + ], + "ExtensionUpdate": true, + "Preferences": { + "dom.security.https_only_mode": { + "Value": true, + "Status": "locked" + }, + "dom.push.connection.enabled": { + "Value": false, + "Status": "default" + }, + "privacy.trackingprotection.socialtracking.enabled": { + "Value": false, + "Status": "locked" + }, + "browser.urlbar.suggest.quicksuggest.nonsponsored": { + "Value": false, + "Status": "locked" + }, + "browser.urlbar.suggest.quicksuggest.sponsored": { + "Value": false, + "Status": "locked" + }, + "browser.toolbars.bookmarks.visibility": { + "Value": "newtab", + "Status": "default" + }, + "browser.safebrowsing.malware.enabled": { + "Value": false, + "Status": "locked" + }, + "browser.safebrowsing.phishing.enabled": { + "Value": false, + "Status": "locked" + }, + "browser.safebrowsing.downloads.enabled": { + "Value": false, + "Status": "locked" + } + } + } +} diff --git a/files/usr/local/lib/libreoffice/program/sofficerc.common b/files/usr/local/lib/libreoffice/program/sofficerc.common new file mode 100644 index 0000000..77574a4 --- /dev/null +++ b/files/usr/local/lib/libreoffice/program/sofficerc.common @@ -0,0 +1,18 @@ +[Bootstrap] +CrashDirectory=${$BRAND_BASE_DIR/program/bootstraprc:UserInstallation}/crash +CrashDumpEnable=true +HideEula=1 +Logo=0 +NativeProgress=false +ProgressBarColor=0,0,0 +ProgressFrameColor=102,102,102 +ProgressPosition=30,145 +ProgressSize=385,8 +ProgressTextBaseline=170 +ProgressTextColor=0,0,0 +SecureUserConfig=true +SecureUserConfigCompress=true +SecureUserConfigExtensions=true +SecureUserConfigMode=1 +SecureUserConfigNumCopies=2 +URE_BOOTSTRAP=${ORIGIN}/fundamentalrc diff --git a/files/usr/local/lib/sasl2/slapd.conf.idm_server b/files/usr/local/lib/sasl2/slapd.conf.idm_server new file mode 100644 index 0000000..56836c1 --- /dev/null +++ b/files/usr/local/lib/sasl2/slapd.conf.idm_server @@ -0,0 +1,3 @@ +mech_list: gssapi external plain login +pwcheck_method: saslauthd +saslauthd_path: ${saslauthd_runtime_dir}/mux diff --git a/files/usr/local/libexec/lid-close.laptop b/files/usr/local/libexec/lid-close.laptop new file mode 100644 index 0000000..acbd93e --- /dev/null +++ b/files/usr/local/libexec/lid-close.laptop @@ -0,0 +1,4 @@ +#!/bin/sh + +/usr/bin/pkill -USR1 xidle +/usr/sbin/acpiconf -s3 diff --git a/files/usr/local/libexec/lid-close.roadwarrior_laptop b/files/usr/local/libexec/lid-close.roadwarrior_laptop new file mode 120000 index 0000000..698096f --- /dev/null +++ b/files/usr/local/libexec/lid-close.roadwarrior_laptop @@ -0,0 +1 @@ +lid-close.laptop \ No newline at end of file diff --git a/files/usr/local/libexec/poudriere-cron.pkg_repository b/files/usr/local/libexec/poudriere-cron.pkg_repository index f0291ec..0d713a9 100644 --- a/files/usr/local/libexec/poudriere-cron.pkg_repository +++ b/files/usr/local/libexec/poudriere-cron.pkg_repository @@ -9,6 +9,7 @@ poudriere ports -u -p "$ports_tree" > /dev/null for jail in "$@"; do poudriere jail -u -j "$jail" > /dev/null + poudriere bulk -j "$jail" -f /usr/local/etc/poudriere.d/pkglist-idm -p "$ports_tree" -z idm > /dev/null poudriere bulk -j "$jail" -f /usr/local/etc/poudriere.d/pkglist -p "$ports_tree" > /dev/null done diff --git a/files/usr/local/libexec/thinkpad-brightness.laptop b/files/usr/local/libexec/thinkpad-brightness.laptop new file mode 100644 index 0000000..16cc01a --- /dev/null +++ b/files/usr/local/libexec/thinkpad-brightness.laptop @@ -0,0 +1,31 @@ +#!/bin/sh + +cur=$(/usr/bin/backlight -q) + +case $1 in + up) + if [ "$cur" -ge 50 ]; then + delta=10 + elif [ "$cur" -ge 10 ]; then + delta=5 + else + delta=2 + fi + + /usr/bin/backlight incr "$delta" + ;; + down) + if [ "$cur" -le 10 ]; then + delta=2 + elif [ "$cur" -le 50 ]; then + delta=5 + else + delta=10 + fi + + /usr/bin/backlight decr "$delta" + ;; + *) + exit 1 + ;; +esac diff --git a/files/usr/local/libexec/thinkpad-brightness.roadwarrior_laptop b/files/usr/local/libexec/thinkpad-brightness.roadwarrior_laptop new file mode 120000 index 0000000..d1bcb34 --- /dev/null +++ b/files/usr/local/libexec/thinkpad-brightness.roadwarrior_laptop @@ -0,0 +1 @@ +thinkpad-brightness.laptop \ No newline at end of file diff --git a/hostclasses b/hostclasses index 7d4274e..cebd7af 100644 --- a/hostclasses +++ b/hostclasses @@ -6,6 +6,7 @@ imap_server ^imap[0-9] dev_server ^dev[0-9] radius_server ^radius[0-9] laptop ^laptop[0-9] +roadwarrior_laptop ^rlaptop[0-9] postgresql_server ^postgres[0-9] dav_server ^dav[0-9] bitwarden_server ^bitwarden[0-9] diff --git a/lib/10-core b/lib/10-core index a97340d..bd4e80a 100644 --- a/lib/10-core +++ b/lib/10-core @@ -81,6 +81,19 @@ _boxconf_decrypt(){ fi } +_boxconf_decrypt_key(){ + # Decrypt an OpenSSL key file using the vault password. + # $1 = encrypted key file + # $2 = plaintext output file (or stdout if unset) + _boxconf_get_vault_password + + if [ $# -gt 1 ]; then + PASS=$BOXCONF_VAULT_PASSWORD openssl ec -in "$1" -out "$2" -passin env:PASS + else + PASS=$BOXCONF_VAULT_PASSWORD openssl ec -in "$1" -passin env:PASS + fi +} + _boxconf_is_encrypted(){ # Check if a given file is encrypted. head -n1 "$1" | grep -q '^Salted__' @@ -144,7 +157,7 @@ _boxconf_stage(){ set -f _bcs_relevant_files=$(find -L "$BOXCONF_ROOT" -type f -and \( \ -path "${BOXCONF_CA_DIR}/ca.crt" \ - -or -path "${BOXCONF_CA_DIR}/${_bcs_hostname}" \ + -or -path "${BOXCONF_CA_DIR}/${_bcs_hostname}/*" \ -or -path "${BOXCONF_VAR_DIR}/common" \ -or -path "${BOXCONF_VAR_DIR}/common/*" \ -or -path "${BOXCONF_VAR_DIR}/os/*" \ @@ -202,18 +215,20 @@ _boxconf_stage(){ set -- $_bcs_relevant_files IFS=$OIFS - for _bc_stage_fullpath; do + for _bcs_fullpath; do # Calculate the file's path relative to the BOXCONF_ROOT. - _bc_stage_relpath=${_bc_stage_fullpath#${BOXCONF_ROOT}/} + _bcs_relpath=${_bcs_fullpath#${BOXCONF_ROOT}/} # Create the file's parent directories (if any) in the stage dir. - mkdir -p "${_bcs_stagedir}/$(dirname "$_bc_stage_relpath")" + mkdir -p "${_bcs_stagedir}/$(dirname "$_bcs_relpath")" # Copy the file to the stage dir, decrypting if necessary. - if _boxconf_is_encrypted "$_bc_stage_fullpath"; then - _boxconf_decrypt "$_bc_stage_fullpath" "${_bcs_stagedir}/${_bc_stage_relpath}" + if _boxconf_is_encrypted "$_bcs_fullpath"; then + _boxconf_decrypt "$_bcs_fullpath" "${_bcs_stagedir}/${_bcs_relpath}" + elif head -n1 "$_bcs_fullpath" | grep -Fxq -- '-----BEGIN ENCRYPTED PRIVATE KEY-----'; then + _boxconf_decrypt_key "$_bcs_fullpath" "${_bcs_stagedir}/${_bcs_relpath}" else - cp -p "$_bc_stage_fullpath" "${_bcs_stagedir}/${_bc_stage_relpath}" + cp -p "$_bcs_fullpath" "${_bcs_stagedir}/${_bcs_relpath}" fi done } diff --git a/lib/60-ldap b/lib/60-ldap new file mode 100644 index 0000000..bc5bcff --- /dev/null +++ b/lib/60-ldap @@ -0,0 +1,56 @@ +#!/bin/sh + +ldap_add(){ + # Add a DN if it doesn't already exist. Takes ldif-formatted attributes on stdin. + # $1 = the DN + _ldap_add_dn=$1; shift + if ldapsearch -QLLL -s base -b "$_ldap_add_dn" dn > /dev/null 2>&1; then + log "${_ldap_add_dn} already exists" + else + { printf 'dn: %s\n' "$_ldap_add_dn"; cat; } | ldapadd -Q "$@" + fi +} + +ldap_modify(){ + # Modify a DN. Takes ldif-formatted attributes on stdin. + # $1 = the DN + _ldap_modify_dn=$1; shift + { printf 'dn: %s\nchangetype: modify\n' "$_ldap_modify_dn"; cat; } | ldapmodify -Q "$@" +} + +ldap_delete(){ + # Delete a DN. + # $1 = the DN + ldapdelete -Q "$@" +} + +ldap_add_attribute(){ + # Add a single attribute value to an object if it's not already present. + # $1 = DN + # $2 = attribute + # $3 = value + ldap_search -b "$1" -s base "(${2}=${3})" dn | grep -q '^dn:' || ldap_modify "$1" < 4 )); then else nginx_worker_processes=$nproc fi - -if [ "${idm_bootstrap:-}" = true ]; then - resolvers=$bootstrap_resolvers -fi diff --git a/vars/hostclass/idm_server b/vars/hostclass/idm_server new file mode 100644 index 0000000..eec6d1c --- /dev/null +++ b/vars/hostclass/idm_server @@ -0,0 +1,9 @@ +#!/bin/sh + +allowed_tcp_ports='ssh ldap ldaps domain kerberos-sec kerberos-adm' +allowed_udp_ports='domain kerberos-sec kpasswd' + +ssh_authorized_keys_user=nobody + +unbound_blocklists="\ +https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/pro.plus.blacklist.conf" diff --git a/vars/hostclass/roadwarrior_laptop b/vars/hostclass/roadwarrior_laptop new file mode 100644 index 0000000..99f8b9c --- /dev/null +++ b/vars/hostclass/roadwarrior_laptop @@ -0,0 +1,2 @@ +#!/bin/sh +resolvers=$bootstrap_resolvers diff --git a/vars/hostname/rlaptop1 b/vars/hostname/rlaptop1 new file mode 100644 index 0000000..0eb1518 --- /dev/null +++ b/vars/hostname/rlaptop1 @@ -0,0 +1,3 @@ +#!/bin/sh + +desktop_type=i3 diff --git a/vars/os/freebsd b/vars/os/freebsd index 0d4a6fb..17e7edb 100644 --- a/vars/os/freebsd +++ b/vars/os/freebsd @@ -10,7 +10,11 @@ intel_epp=50 export ASSUME_ALWAYS_YES=yes acme_standalone_port=9080 acme_uid=169 +keytab_dir=/var/db/keytabs nfscbd_port=7745 +python_version=311 +saslauthd_runtime_dir=/var/run/saslauthd +saslauthd_user=cyrus site_cacert_path=/usr/local/etc/ssl/certs/ca.crt ssh_host_key_dir=/var/db/ssh -- cgit v1.2.3