From cbcd022f302adc39ecb89fba6faf72e68184c0e0 Mon Sep 17 00:00:00 2001 
From: Cullum Smith
Date: Fri, 2 Aug 2024 19:10:39 -0400
Subject: halfway working idm server and laptop hostclasses
---
 .../local/etc/X11/xorg.conf.d/terminus.conf.common | 3 +
 .../chromium/policies/managed/policies.json.common | 96 ++++++++
 files/usr/local/etc/openldap/ldap.conf.idm_server | 9 +
 .../etc/openldap/schema/dnsdomain2.ldif.idm_server | 252 +++++++++++++++++++++
 .../etc/openldap/schema/kerberos.ldif.idm_server | 68 ++++++
 .../openldap/schema/mailservice.ldif.idm_server | 177 +++++++++++++++
 .../openldap/schema/openssh-lpk.ldif.idm_server | 11 +
 .../etc/openldap/schema/rfc2307bis.ldif.idm_server | 246 ++++++++++++++++++++
 .../local/etc/openldap/schema/sudo.ldif.idm_server | 79 +++++++
 files/usr/local/etc/openldap/slapd.ldif.idm_server | 225 ++++++++++++++++++
 files/usr/local/etc/pdns/pdns.conf.idm_server | 29 +++
 files/usr/local/etc/pkg/repos/onprem.conf.freebsd | 6 +
 .../usr/local/etc/pkg/repos/onprem.conf.idm_server | 9 +
 .../etc/poudriere.d/idm-make.conf.pkg_repository | 34 +++
 .../etc/poudriere.d/idm-pkglist.pkg_repository | 24 ++
 .../etc/sudoers.d/networkmgr.roadwarrior_laptop | 1 +
 files/usr/local/etc/sudoers.roadwarrior_laptop | 4 +
 17 files changed, 1273 insertions(+)
 create mode 100644 files/usr/local/etc/X11/xorg.conf.d/terminus.conf.common
 create mode 100644 files/usr/local/etc/chromium/policies/managed/policies.json.common
 create mode 100644 files/usr/local/etc/openldap/ldap.conf.idm_server
 create mode 100644 files/usr/local/etc/openldap/schema/dnsdomain2.ldif.idm_server
 create mode 100644 files/usr/local/etc/openldap/schema/kerberos.ldif.idm_server
 create mode 100644 files/usr/local/etc/openldap/schema/mailservice.ldif.idm_server
 create mode 100644 files/usr/local/etc/openldap/schema/openssh-lpk.ldif.idm_server
 create mode 100644 files/usr/local/etc/openldap/schema/rfc2307bis.ldif.idm_server
 create mode 100644 files/usr/local/etc/openldap/schema/sudo.ldif.idm_server
 create mode 100644 files/usr/local/etc/openldap/slapd.ldif.idm_server
 create mode 100644 files/usr/local/etc/pdns/pdns.conf.idm_server
 create mode 100644 files/usr/local/etc/pkg/repos/onprem.conf.freebsd
 create mode 100644 files/usr/local/etc/pkg/repos/onprem.conf.idm_server
 create mode 100644 files/usr/local/etc/poudriere.d/idm-make.conf.pkg_repository
 create mode 100644 files/usr/local/etc/poudriere.d/idm-pkglist.pkg_repository
 create mode 100644 files/usr/local/etc/sudoers.d/networkmgr.roadwarrior_laptop
 create mode 100644 files/usr/local/etc/sudoers.roadwarrior_laptop
(limited to 'files/usr/local/etc')
diff --git a/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.common b/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.common
new file mode 100644
index 0000000..d0bb2ae
--- /dev/null
+++ b/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.common
@@ -0,0 +1,3 @@
+Section "Files"
+ FontPath "/usr/local/share/fonts/terminus-font/"
+EndSection
diff --git a/files/usr/local/etc/chromium/policies/managed/policies.json.common b/files/usr/local/etc/chromium/policies/managed/policies.json.common
new file mode 100644
index 0000000..0e57885
--- /dev/null
+++ b/files/usr/local/etc/chromium/policies/managed/policies.json.common
@@ -0,0 +1,96 @@
+{
+ "AdvancedProtectionAllowed": false,
+ "AlternateErrorPagesEnabled": false,
+ "AutofillCreditCardEnabled": false,
+ "AuthNegotiateDelegateAllowlist": "*.${domain}",
+ "AuthServerAllowlist": "*.${domain}",
+ "BackgroundModeEnabled": false,
+ "BlockThirdPartyCookies": true,
+ "BrowserGuestModeEnabled": false,
+ "BrowserLabsEnabled": false,
+ "BrowserNetworkTimeQueriesEnabled": false,
+ "BrowserSignin": 0,
+ "CloudPrintProxyEnabled": false,
+ "CloudReportingEnabled": false,
+ "DefaultBrowserSettingEnabled": false,
+ "DefaultCookiesSetting": 1,
+ "DefaultSearchProviderEnabled": true,
+ "DefaultSearchProviderName": "DuckDuckGo",
+ "DefaultSearchProviderIconURL": "https://duckduckgo.com/favicon.ico",
+ "DefaultSearchProviderEncodings": [
+ "UTF-8"
+ ],
+ "DefaultSearchProviderSearchURL": "https://duckduckgo.com/?q={searchTerms}",
+ "DefaultSearchProviderSuggestURL":"https://duckduckgo.com/ac/?q={searchTerms}&type=list",
+ "DefaultSearchProviderNewTabURL":"https://duckduckgo.com/chrome_newtab",
+ "DnsOverHttpsMode": "off",
+ "EnableAuthNegotiatePort": true,
+ "EnableMediaRouter": false,
+ "MetricsReportingEnabled": false,
+ "NetworkPredictionOptions": 2,
+ "PasswordManagerEnabled": false,
+ "PaymentMethodQueryEnabled": false,
+ "PrivacySandboxAdMeasurementEnabled": false,
+ "PrivacySandboxAdTopicsEnabled": false,
+ "PrivacySandboxPromptEnabled": false,
+ "PrivacySandboxSiteEnabledAdsEnabled": false,
+ "PromotionalTabsEnabled": false,
+ "SafeBrowsingProtectionLevel": 0,
+ "SearchSuggestEnabled": false,
+ "SyncDisabled": true,
+ "TranslateEnabled": false,
+ "UrlKeyedAnonymizedDataCollectionEnabled": false,
+ "ManagedBookmarks": [
+ {
+ "toplevel_name": "Internal"
+ },
+ {
+ "name": "Poudriere",
+ "url": "http://pkg.${domain}/poudriere"
+ }
+ ],
+ "ExtensionSettings": {
+ "cjpalhdlnbpafiamejdnhcphjbkeiagm": {
+ "installation_mode": "force_installed",
+ "update_url": "https://clients2.google.com/service/update2/crx"
+ },
+ "nngceckbapebfimnlniiiahkandclblb": {
+ "installation_mode": "normal_installed",
+ "update_url": "https://clients2.google.com/service/update2/crx"
+ },
+ "cimiefiiaegbelhefglklhhakcgmhkai": {
+ "installation_mode": "$(if [ "${desktop_type:-}" = kde ]; then echo normal_installed; else echo allowed; fi)",
+ "update_url": "https://clients2.google.com/service/update2/crx"
+ }
+ },
+ "3rdparty": {
+ "extensions": {
+ "cjpalhdlnbpafiamejdnhcphjbkeiagm": {
+ "toOverwrite": {
+ "filterLists": [
+ "user-filters",
+ "ublock-filters",
+ "ublock-badware",
+ "ublock-privacy",
+ "ublock-abuse",
+ "ublock-unbreak",
+ "ublock-annoyances",
+ "easylist",
+ "easyprivacy",
+ "urlhaus-1",
+ "plowe-0",
+ "fanboy-annoyance",
+ "fanboy-thirdparty_social",
+ "adguard-spyware-url",
+ "ublock-quick-fixes"
+ ]
+ },
+ "toAdd": {
+ "trustedSiteDirectives": [
+ "${domain}"
+ ]
+ }
+ }
+ }
+ }
+}
diff --git a/files/usr/local/etc/openldap/ldap.conf.idm_server b/files/usr/local/etc/openldap/ldap.conf.idm_server
new file mode 100644
index 0000000..3b285f7
--- /dev/null
+++ b/files/usr/local/etc/openldap/ldap.conf.idm_server
@@ -0,0 +1,9 @@
+URI ldapi:///
+BASE ${basedn}
+USE_SASL yes
+ROOTUSE_SASL yes
+SASL_MECH EXTERNAL
+SASL_REALM ${realm}
+GSSAPI_SIGN yes
+GSSAPI_ENCRYPT yes
+SUDOERS_BASE ${sudo_basedn}
diff --git a/files/usr/local/etc/openldap/schema/dnsdomain2.ldif.idm_server b/files/usr/local/etc/openldap/schema/dnsdomain2.ldif.idm_server
new file mode 100644
index 0000000..f4fcd01
--- /dev/null
+++ b/files/usr/local/etc/openldap/schema/dnsdomain2.ldif.idm_server
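Review bot: `AuthNegotiateDelegateAllowlist` is set to `*.${domain}`, which lets the browser forward the user's Kerberos credentials to every host under the domain, not only to the services that have to act on the user's behalf; any name under that domain is then enough to receive delegated tickets. Consider narrowing it to the specific service hosts that need delegation, e.g. `"AuthNegotiateDelegateAllowlist": "<delegating-service>.${domain}"` (a placeholder — pick the real host), while `AuthServerAllowlist` can stay broad on its own. Note also that this file is not valid JSON until the `$(...)` shell substitution on the cimiefiiaegbelhefglklhhakcgmhkai entry and the `${domain}` expansions have been rendered, so whatever template step consumes it should fail on an unset `domain` rather than emit `"*."`. `"SafeBrowsingProtectionLevel": 0` disables Safe Browsing entirely; if that is a deliberate privacy trade-off it deserves a line in the commit message so it is not later read as an oversight.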
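Review bot: `USE_SASL`, `ROOTUSE_SASL` and `SUDOERS_BASE` are sudo-ldap settings while `URI`, `BASE`, `SASL_MECH`, `SASL_REALM`, `GSSAPI_SIGN` and `GSSAPI_ENCRYPT` are OpenLDAP client settings, so this one file is read by two different consumers and nothing says so. As far as I can tell `GSSAPI_SIGN`/`GSSAPI_ENCRYPT` only take effect when the GSSAPI mechanism is negotiated, so with `SASL_MECH EXTERNAL` over `ldapi:///` they look inert unless a caller overrides the mechanism; if they are meant for clients that do, a comment should say that. A header such as `# Shared by the OpenLDAP client libraries and sudo's LDAP backend; GSSAPI_* apply only when a client selects the GSSAPI mechanism` would make the intent clear to the next reader.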
@@ -0,0 +1,252 @@
+dn: cn=dnsdomain2,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: dnsdomain2
+# A schema for storing DNS zones in LDAP
+#
+# ORDERING is not necessary, and some servers don't support
+# integerOrderingMatch. Omit or change if you like
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL'
+ DESC 'An integer denoting time to live'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass'
+ DESC 'The class of a resource record'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.11 NAME 'wKSRecord'
+ DESC 'a well known service description, RFC 1035'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord'
+ DESC 'domain name pointer, RFC 1035'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord'
+ DESC 'host information, RFC 1035'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord'
+ DESC 'mailbox or mail list information, RFC 1035'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord'
+ DESC 'text string, RFC 1035'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.17 NAME 'rPRecord'
+ DESC 'for Responsible Person, RFC 1183'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord'
+ DESC 'for AFS Data Base location, RFC 1183'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord'
+ DESC 'Signature, RFC 2535'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord'
+ DESC 'Key, RFC 2535'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.27 NAME 'gPosRecord'
+ DESC 'Geographical Position, RFC 1712'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord'
+ DESC 'IPv6 address, RFC 1886'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord'
+ DESC 'Location, RFC 1876'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord'
+ DESC 'non-existant, RFC 2535'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord'
+ DESC 'service location, RFC 2782'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord'
+ DESC 'Naming Authority Pointer, RFC 2915'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord'
+ DESC 'Key Exchange Delegation, RFC 2230'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord'
+ DESC 'certificate, RFC 2538'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record'
+ DESC 'A6 Record Type, RFC 2874'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord'
+ DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.42 NAME 'aPLRecord'
+ DESC 'Lists of Address Prefixes, RFC 3123'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord'
+ DESC 'Delegation Signer, RFC 3658'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord'
+ DESC 'SSH Key Fingerprint, RFC 4255'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.45 NAME 'iPSecKeyRecord'
+ DESC 'SSH Key Fingerprint, RFC 4025'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord'
+ DESC 'RRSIG, RFC 3755'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord'
+ DESC 'NSEC, RFC 3755'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.48 NAME 'dNSKeyRecord'
+ DESC 'DNSKEY, RFC 3755'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.49 NAME 'dHCIDRecord'
+ DESC 'DHCID, RFC 4701'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.50 NAME 'nSEC3Record'
+ DESC 'NSEC record version 3, RFC 5155'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.51 NAME 'nSEC3PARAMRecord'
+ DESC 'NSEC3 parameters, RFC 5155'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.52 NAME 'tLSARecord'
+ DESC 'TLSA certificate association, RFC 6698'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.59 NAME 'cDSRecord'
+ DESC 'Child DS, RFC7344'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.60 NAME 'cDNSKeyRecord'
+ DESC 'DNSKEY(s) the Child wants reflected in DS, RFC7344'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.61 NAME 'openPGPKeyRecord'
+ DESC 'OpenPGP Key, RFC7929'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.64 NAME 'SVCBRecord'
+ DESC 'Service binding, draft-ietf-dnsop-svcb-https-01'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.65 NAME 'HTTPSRecord'
+ DESC 'HTTPS service binding, draft-ietf-dnsop-svcb-https-01'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.99 NAME 'sPFRecord'
+ DESC 'Sender Policy Framework, RFC 4408'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.108 NAME 'EUI48Record'
+ DESC 'EUI-48 address, RFC7043'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.109 NAME 'EUI64Record'
+ DESC 'EUI-64 address, RFC7043'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.249 NAME 'tKeyRecord'
+ DESC 'Transaction Key, RFC2930'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.256 NAME 'uRIRecord'
+ DESC 'URI, RFC7553'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.257 NAME 'cAARecord'
+ DESC 'Certification Authority Restriction, RFC6844'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.32769 NAME 'dLVRecord'
+ DESC 'DNSSEC Lookaside Validation, RFC4431'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.65226 NAME 'TYPE65226Record'
+ DESC ''
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.65534 NAME 'TYPE65534Record'
+ DESC ''
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcObjectClasses: ( 1.3.6.1.4.1.2428.20.2 NAME 'dNSDomain2'
+ SUP 'dNSDomain' STRUCTURAL
+ MAY ( DNSTTL $ DNSClass $ WKSRecord $ PTRRecord $
+ HINFORecord $ MINFORecord $ TXTRecord $ RPRecord $
+ AFSDBRecord $ SIGRecord $ KEYRecord $ GPOSRecord $
+ AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $
+ NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $
+ DNAMERecord $ APLRecord $ DSRecord $ SSHFPRecord $
+ IPSECKEYRecord $ RRSIGRecord $ NSECRecord $
+ DNSKEYRecord $ DHCIDRecord $ NSEC3Record $ NSEC3PARAMRecord $
+ TLSARecord $ CDSRecord $ CDNSKEYRecord $ OPENPGPKEYRecord $
+ SVCBRecord $ HTTPSRecord $
+ SPFRecord $ EUI48Record $ EUI64Record $ TKEYRecord $
+ URIRecord $ CAARecord $ DLVRecord $ TYPE65226Record $
+ TYPE65534Record
+ ) )
diff --git a/files/usr/local/etc/openldap/schema/kerberos.ldif.idm_server b/files/usr/local/etc/openldap/schema/kerberos.ldif.idm_server
new file mode 100644
index 0000000..830277d
--- /dev/null
+++ b/files/usr/local/etc/openldap/schema/kerberos.ldif.idm_server
@@ -0,0 +1,68 @@ +# This LDIF version of the Kerberos schema can be loaded into an +# OpenLDAP database. It was originally converted semi-automatically +# from kerberos.schema using slaptest. + +dn: cn=kerberos,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: kerberos +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.1 NAME 'krbCanonicalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.3.1 NAME 'krbPrincipalType' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.5.1 NAME 'krbUPEnabled' DESC 'Boolean' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.8.1 NAME 'krbTicketFlags' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.9.1 NAME 'krbMaxTicketLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.10.1 NAME 'krbMaxRenewableAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.14.1 NAME 'krbRealmReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.15.1 NAME 'krbLdapServers' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 
2.16.840.1.113719.1.301.4.18.1 NAME 'krbPwdServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.24.1 NAME 'krbHostServer' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.25.1 NAME 'krbSearchScope' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.26.1 NAME 'krbPrincipalReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.28.1 NAME 'krbPrincNamingAttr' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.29.1 NAME 'krbAdmServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.30.1 NAME 'krbMaxPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.31.1 NAME 'krbMinPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.32.1 NAME 'krbPwdMinDiffChars' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.1 NAME 'krbPwdMaxFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.2 NAME 'krbPwdFailureCountInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.3 NAME 'krbPwdLockoutDuration' 
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.2 NAME 'krbPwdAttributes' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.3 NAME 'krbPwdMaxLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.4 NAME 'krbPwdMaxRenewableLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.5 NAME 'krbPwdAllowedKeysalts' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.39.1 NAME 'krbPrincipalKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.40.1 NAME 'krbTicketPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.41.1 NAME 'krbSubTrees' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.42.1 NAME 'krbDefaultEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.43.1 NAME 'krbSupportedEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.44.1 NAME 'krbPwdHistory' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChange' EQUALITY generalizedTimeMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.46.1 NAME 'krbMKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.47.1 NAME 'krbPrincipalAliases' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccessfulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.50.1 NAME 'krbLoginFailedCount' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.51.1 NAME 'krbExtraData' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContainerRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113730.3.8.15.2.1 NAME 'krbPrincipalAuthInd' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.4 NAME 'krbAllowedToDelegateTo' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.1.1 NAME 'krbContainer' SUP top STRUCTURAL MUST cn ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer' SUP top STRUCTURAL MUST cn MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ 
krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef ) ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.3.1 NAME 'krbService' SUP top ABSTRACT MUST cn MAY ( krbHostServer $ krbRealmReferences ) ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP krbService STRUCTURAL ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SUP krbService STRUCTURAL ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' SUP top AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbLastAdminUnlock $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbAllowedToDelegateTo $ krbPrincipalAuthInd ) ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP top STRUCTURAL MUST krbPrincipalName MAY krbObjectReferences ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.11.1 NAME 'krbPrincRefAux' SUP top AUXILIARY MAY krbPrincipalReferences ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' SUP krbService STRUCTURAL ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SUP top STRUCTURAL MUST cn MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxLife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicyAux' SUP top AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy' SUP top 
STRUCTURAL MUST cn ) diff --git a/files/usr/local/etc/openldap/schema/mailservice.ldif.idm_server b/files/usr/local/etc/openldap/schema/mailservice.ldif.idm_server new file mode 100644 index 0000000..3cdedce --- /dev/null +++ b/files/usr/local/etc/openldap/schema/mailservice.ldif.idm_server 
@@ -0,0 +1,177 @@ +dn: cn=mailservice,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: mailservice +olcObjectIdentifier: {0}DebOps 1.3.6.1.4.1.53622 +olcObjectIdentifier: {1}DebOpsLDAP DebOps:42 +olcObjectIdentifier: {2}mailService DebOpsLDAP:2 +olcObjectIdentifier: {3}mailServiceAttribute mailService:3 +olcObjectIdentifier: {4}mailServiceObject mailService:4 +olcAttributeTypes: {0}( mailServiceAttribute:1 NAME 'mailAddress' DESC 'Primar + y RFC 822 email address of this recipient, can be used a + s a login identifier.' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substr + ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE ) +olcAttributeTypes: {1}( mailServiceAttribute:2 NAME 'mailAlternateAddress' DES + C 'Alternate RFC 822 email address(es) of this recipient' EQUALITY caseIgnore + IA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121. + 1.26{256} ) +olcAttributeTypes: {2}( mailServiceAttribute:3 NAME 'mailPrivateAddress' DESC + 'A confidential RFC 822 email address of this recipient + which can be used as a login identifier.' EQUALITY caseIgnoreIA5Match SUBSTR + caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE + -VALUE ) +olcAttributeTypes: {3}( mailServiceAttribute:4 NAME 'mailContactAddress' DESC + 'RFC 822 email address of this recipient which is meant to + be public and serve as the primary contact address.' EQUALITY caseIgnoreIA + 5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1. 
+ 26{256} ) +olcAttributeTypes: {4}( mailServiceAttribute:5 NAME 'mailInternalAddress' DESC + 'An internal RFC 822 email address of this recipient wh + ich will be rewritten to an external email address' EQUALITY caseIgnoreIA5Mat + ch SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{2 + 56} SINGLE-VALUE ) +olcAttributeTypes: {5}( mailServiceAttribute:6 NAME 'mailExternalAddress' DESC + 'An external RFC 822 email address of this recipient wh + ich will be rewritten to an internal email address' EQUALITY caseIgnoreIA5Mat + ch SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{2 + 56} SINGLE-VALUE ) +olcAttributeTypes: {6}( mailServiceAttribute:7 NAME 'mailSenderBccTo' DESC 'RF + C 822 BCC email address(es) to add for a given mail sender' EQUALITY caseIgno + reIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.12 + 1.1.26{256} ) +olcAttributeTypes: {7}( mailServiceAttribute:8 NAME 'mailRecipientBccTo' DESC + 'RFC 822 BCC email address(es) to add for a given mail recipient' EQUALITY ca + seIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466. + 115.121.1.26{256} ) +olcAttributeTypes: {8}( mailServiceAttribute:9 NAME 'mailForwardTo' DESC 'RFC + 822 email address(es) to forward all incoming messages to' EQUALITY caseIgnor + eIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121 + .1.26{256} ) +olcAttributeTypes: {9}( mailServiceAttribute:10 NAME 'mailForwardToURL' DESC ' + LDAP search URL that defines the recipients of the mail messages + sent to this mailing list' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1 + .4.1.1466.115.121.1.26 ) +olcAttributeTypes: {10}( mailServiceAttribute:11 NAME 'mailErrorsTo' DESC 'RFC + 822 email address(es) to use when routing error and notification + messages to the owner(s) of an email distribution list' EQUALITY ca + seIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466. 
+ 115.121.1.26{256} ) +olcAttributeTypes: {11}( mailServiceAttribute:12 NAME 'mailRequestsTo' DESC 'R + FC 822 email address(es) to use when routing request mes + sages sent to the email distribution list' EQUALITY caseIgnoreIA5Match SUBSTR + caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) +olcAttributeTypes: {12}( mailServiceAttribute:13 NAME 'mailEnvelopeAddress' DE + SC 'RFC 822 envelope sender email address of a given mail user + or email distribution list' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn + oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE + ) +olcAttributeTypes: {13}( mailServiceAttribute:14 NAME 'mailRoutingAddress' DES + C 'RFC 822 email address to use when routing messages to + the SMTP MTA of this recipient' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnor + eIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE ) +olcAttributeTypes: {14}( mailServiceAttribute:15 NAME 'mailHost' DESC 'Fully Q + ualified Domain Name of the SMTP MTA that handles messag + es for this recipient' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMa + tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE ) +olcAttributeTypes: {15}( mailServiceAttribute:16 NAME 'mailTransport' DESC 'MT + A mail transport method which will take care of the email delivery' EQUALITY + caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {16}( mailServiceAttribute:17 NAME 'mailUidNumber' DESC 'UI + D required to access the mailbox' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.14 + 66.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {17}( mailServiceAttribute:18 NAME 'mailGidNumber' DESC 'GI + D required to access the mailbox' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.14 + 66.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {18}( mailServiceAttribute:19 NAME 'mailHomeDirectory' DESC + 'The absolute path to the mail user home directory' EQUALITY caseExactIA5Mat + ch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {19}( mailServiceAttribute:20 NAME 'mailMessageStore' DESC + 'The path to the mail user mailbox storage directory' EQUALITY caseExactIA5Ma + tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {20}( mailServiceAttribute:21 NAME 'mailQuota' DESC 'Mail q + uota limit in kilobytes' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466. + 115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {21}( mailServiceAttribute:22 NAME 'mailGroupACL' DESC 'Com + ma-separated list of mail groups a given mail user belon + gs to, used for mailbox access control' EQUALITY caseExactIA5Match SUBSTR cas + eExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {22}( mailServiceAttribute:23 NAME 'mailExpungeTrash' DESC + 'Time to automatically expunge Trash mailbox' EQUALITY caseIgnoreIA5Match SYN + TAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {23}( mailServiceAttribute:24 NAME 'mailSieveRuleSource' DE + SC 'Definition of a Sieve filter script for a given mail user' SYNTAX 1.3.6.1 + .4.1.1466.115.121.1.26 ) +olcAttributeTypes: {24}( mailServiceAttribute:25 NAME 'mailSuppressErrors' DES + C 'Suppress error messages from being sent back to message originator' EQUALI + TY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {25}( mailServiceAttribute:26 NAME 'mailDeliveryFile' DESC + 'Path to a file used for archiving messages sent to the distribution list' EQ + UALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {26}( mailServiceAttribute:27 NAME 'mailDeliveryOption' DES + C 'Message handling option for messages sent to a designated recipient' EQUAL + ITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {27}( mailServiceAttribute:28 NAME 'mailProgramDeliveryInfo + ' DESC 'Named programs for message post-processing' EQUALITY caseExactIA5Matc + h SYNTAX 
1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {28}( mailServiceAttribute:29 NAME 'mailAuthorizedDomain' D + ESC 'Domains authorized to submit messages to the distribution list' EQUALITY + caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {29}( mailServiceAttribute:30 NAME 'mailAuthorizedSender' D + ESC 'Addresses authorized to submit messages to the distribution list' EQUALI + TY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {30}( mailServiceAttribute:31 NAME 'mailUnauthorizedDomain' + DESC 'Domains not authorized to submit messages to the distribution list' EQ + UALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {31}( mailServiceAttribute:32 NAME 'mailUnauthorizedSender' + DESC 'Addresses not authorized to submit messages to the distribution list' + EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {32}( mailServiceAttribute:33 NAME 'mailRemoveHeader' DESC + 'Headers to remove from the messages sent to the mailing list' SYNTAX 1.3.6.1 + .4.1.1466.115.121.1.26 ) +olcAttributeTypes: {33}( mailServiceAttribute:34 NAME 'mailAddHeader' DESC 'He + aders to add to the messages sent to the mailing list' SYNTAX 1.3.6.1.4.1.146 + 6.115.121.1.26 ) +olcAttributeTypes: {34}( mailServiceAttribute:35 NAME 'mailAntispamPolicy' DES + C 'Name of the anti-spam policy to apply to a given LDAP entry' SYNTAX 1.3.6. + 1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {35}( mailServiceAttribute:36 NAME 'mailAntivirusPolicy' DE + SC 'Name of the anti-virus policy to apply to a given LDAP entry' SYNTAX 1.3. 
+ 6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {36}( mailServiceAttribute:37 NAME 'mailContentPolicy' DESC + 'Name of the content policy to apply to a given LDAP entry' SYNTAX 1.3.6.1.4 + .1.1466.115.121.1.26 SINGLE-VALUE ) +olcObjectClasses: {0}( mailServiceObject:1 NAME 'mailRecipient' DESC 'The entr + y represents an entity within the organization that can re + ceive SMTP mail, such as a mail user account' SUP top AUXILIARY MUST mailAddr + ess MAY ( mailAlternateAddress $ mailPrivateAddress $ mailContactAddress $ ma + ilEnvelopeAddress $ mailRoutingAddress $ mailExternalAddress $ mailInternalAd + dress $ mailSenderBccTo $ mailRecipientBccTo $ mailHost $ mailTransport $ mai + lUidNumber $ mailGidNumber $ mailHomeDirectory $ mailMessageStore $ mailQuota + $ mailGroupACL $ mailExpungeTrash $ mailSieveRuleSource $ mailDeliveryOption + $ mailProgramDeliveryInfo $ mail $ cn $ description $ uid $ userPassword ) ) +olcObjectClasses: {1}( mailServiceObject:2 NAME 'mailAlias' DESC 'The entry re + presents an entity within the organization that defines an + email alias for mail recipients' SUP top STRUCTURAL MUST mailAddress MAY ( m + ailForwardTo $ mailForwardToURL $ mailHost $ mailTransport $ mailDeliveryFile + $ mailDeliveryOption $ mailProgramDeliveryInfo $ mail $ cn $ description $ o + wner ) ) +olcObjectClasses: {2}( mailServiceObject:3 NAME 'mailDistributionList' DESC 'T + he entry represents an entity within the organization that + can receive and forward SMTP mail, such as a mail group a + ccount (mailing list)' SUP top AUXILIARY MUST mailAddress MAY ( mailForwardTo + $ mailForwardToURL $ mailEnvelopeAddress $ mailErrorsTo $ mailRequestsTo $ m + ailSuppressErrors $ mailHost $ mailTransport $ mailDeliveryFile $ mailDeliver + yOption $ mailProgramDeliveryInfo $ mailAuthorizedDomain $ mailAuthorizedSend + er $ mailUnauthorizedDomain $ mailUnauthorizedSender $ mailRemoveHeader $ mai + lAddHeader $ mail $ cn $ description $ owner $ manager $ seeAlso ) ) 
+olcObjectClasses: {3}( mailServiceObject:4 NAME 'mailDomain' DESC 'The entry r + epresents an entity within the organization that defines a + n email domain' SUP domain STRUCTURAL MAY ( mailHost $ mailTransport $ mailSe + nderBccTo $ mailRecipientBccTo $ mailErrorsTo $ mailSuppressErrors $ mailAuth + orizedDomain $ mailAuthorizedSender $ mailUnauthorizedDomain $ mailUnauthoriz + edSender $ mailRemoveHeader $ mailAddHeader $ description $ owner $ manager ) + ) +olcObjectClasses: {4}( mailServiceObject:5 NAME 'mailFilter' DESC 'The entry r + epresents an entity within the organization that can filte + r email messages according to various policies' SUP top AUXILIARY MAY ( mailA + ntispamPolicy $ mailAntivirusPolicy $ mailContentPolicy $ cn $ description $ + seeAlso ) ) diff --git a/files/usr/local/etc/openldap/schema/openssh-lpk.ldif.idm_server b/files/usr/local/etc/openldap/schema/openssh-lpk.ldif.idm_server new file mode 100644 index 0000000..6cde0a4 --- /dev/null +++ b/files/usr/local/etc/openldap/schema/openssh-lpk.ldif.idm_server @@ -0,0 +1,11 @@ +dn: cn=openssh-lpk,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: openssh-lpk +olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' + DESC 'MANDATORY: OpenSSH Public key' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY + DESC 'MANDATORY: OpenSSH LPK objectclass' + MAY ( sshPublicKey $ uid ) + ) diff --git a/files/usr/local/etc/openldap/schema/rfc2307bis.ldif.idm_server b/files/usr/local/etc/openldap/schema/rfc2307bis.ldif.idm_server new file mode 100644 index 0000000..83cf2be --- /dev/null +++ b/files/usr/local/etc/openldap/schema/rfc2307bis.ldif.idm_server 
@@ -0,0 +1,246 @@ +dn: cn=rfc2307bis,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: rfc2307bis +### +# Extracted from: http://tools.ietf.org/html/draft-howard-rfc2307bis-02 +### +olcAttributeTypes: ( 1.3.6.1.1.1.1.2 NAME 'gecos' + DESC 'The GECOS field; the common name' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' + DESC 'The absolute path to the home directory' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.4 NAME 'loginShell' + DESC 'The path to the login shell' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.6 NAME 'shadowMin' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.7 NAME 'shadowMax' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.12 
NAME 'memberUid' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' + DESC 'Netgroup triple' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort' + DESC 'Service port number' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol' + DESC 'Service protocol name' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber' + DESC 'IP protocol number' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber' + DESC 'ONC RPC number' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber' + DESC 'IPv4 addresses as a dotted decimal omitting leading + zeros or IPv6 addresses as defined in RFC2373' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber' + DESC 'IP network omitting leading zeros, eg. 192.168' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber' + DESC 'IP netmask omitting leading zeros, eg. 255.255.255.0' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.22 NAME 'macAddress' + DESC 'MAC address in maximal, colon separated hex + notation, eg. 
00:00:92:90:ee:e2' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.23 NAME 'bootParameter' + DESC 'rpc.bootparamd parameter' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.24 NAME 'bootFile' + DESC 'Boot image name' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.26 NAME 'nisMapName' + DESC 'Name of a generic NIS map' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry' + DESC 'A generic NIS entry' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey' + DESC 'NIS public key' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey' + DESC 'NIS secret key' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' + DESC 'NIS domain' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' + DESC 'automount Map Name' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' + DESC 'Automount Key value' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' + DESC 'Automount information' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE ) +olcObjectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY + DESC 'Abstraction of an account with POSIX attributes' + MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) + MAY ( userPassword $ loginShell $ gecos $ + 
description ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY + DESC 'Additional attributes for shadow passwords' + MUST uid + MAY ( userPassword $ description $ + shadowLastChange $ shadowMin $ shadowMax $ + shadowWarning $ shadowInactive $ + shadowExpire $ shadowFlag ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY + DESC 'Abstraction of a group of accounts' + MUST gidNumber + MAY ( userPassword $ memberUid $ + description ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL + DESC 'Abstraction an Internet Protocol service. + Maps an IP port and protocol (such as tcp or udp) + to one or more names; the distinguished value of + the cn attribute denotes the services canonical + name' + MUST ( cn $ ipServicePort $ ipServiceProtocol ) + MAY description ) +olcObjectClasses: ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL + DESC 'Abstraction of an IP protocol. Maps a protocol number + to one or more names. The distinguished value of the cn + attribute denotes the protocol canonical name' + MUST ( cn $ ipProtocolNumber ) + MAY description ) +olcObjectClasses: ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL + DESC 'Abstraction of an Open Network Computing (ONC) + [RFC1057] Remote Procedure Call (RPC) binding. + This class maps an ONC RPC number to a name. + The distinguished value of the cn attribute denotes + the RPC service canonical name' + MUST ( cn $ oncRpcNumber ) + MAY description ) +olcObjectClasses: ( 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY + DESC 'Abstraction of a host, an IP device. The distinguished + value of the cn attribute denotes the hosts canonical + name. Device SHOULD be used as a structural class' + MUST ( cn $ ipHostNumber ) + MAY ( userPassword $ l $ description $ + manager ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL + DESC 'Abstraction of a network. 
The distinguished value of + the cn attribute denotes the network canonical name' + MUST ipNetworkNumber + MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL + DESC 'Abstraction of a netgroup. May refer to other + netgroups' + MUST cn + MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL + DESC 'A generic abstraction of a NIS map' + MUST nisMapName + MAY description ) +olcObjectClasses: ( 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL + DESC 'An entry in a NIS map' + MUST ( cn $ nisMapEntry $ nisMapName ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY + DESC 'A device with a MAC address; device SHOULD be + used as a structural class' + MAY macAddress ) +olcObjectClasses: ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY + DESC 'A device with boot parameters; device SHOULD be + used as a structural class' + MAY ( bootFile $ bootParameter ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY + DESC 'An object with a public and secret key' + MUST ( cn $ nisPublicKey $ nisSecretKey ) + MAY ( uidNumber $ description ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY + DESC 'Associates a NIS domain with a naming context' + MUST nisDomain ) +olcObjectClasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL + MUST ( automountMapName ) + MAY description ) +olcObjectClasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL + DESC 'Automount information' + MUST ( automountKey $ automountInformation ) + MAY description ) +olcObjectClasses: ( 1.3.6.1.1.1.2.18 NAME 'groupOfMembers' SUP top STRUCTURAL + DESC 'A group with members (DNs)' + MUST cn + MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ + description $ member ) ) 
diff --git a/files/usr/local/etc/openldap/schema/sudo.ldif.idm_server b/files/usr/local/etc/openldap/schema/sudo.ldif.idm_server
new file mode 100644
index 0000000..8948ca4
--- /dev/null
+++ b/files/usr/local/etc/openldap/schema/sudo.ldif.idm_server
@@ -0,0 +1,79 @@
+dn: cn=sudoschema,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: sudoschema
+#
+# OpenLDAP schema file for Sudo in on-line configuration (OLC) format.
+# Import using ldapadd or another suitable LDAP browser.
+# Converted to OLC format by Frederic Pasteleurs
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.1
+ NAME 'sudoUser'
+ DESC 'User(s) who may run sudo'
+ EQUALITY caseExactMatch
+ SUBSTR caseExactSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.2
+ NAME 'sudoHost'
+ DESC 'Host(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.3
+ NAME 'sudoCommand'
+ DESC 'Command(s) to be executed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.4
+ NAME 'sudoRunAs'
+ DESC 'User(s) impersonated by sudo (deprecated)'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.5
+ NAME 'sudoOption'
+ DESC 'Options(s) followed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.7
+ NAME 'sudoRunAsGroup'
+ DESC 'Group(s) impersonated by sudo'
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.8
+ NAME 'sudoNotBefore'
+ DESC 'Start of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.9
+ NAME 'sudoNotAfter'
+ DESC 'End of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+#
+olcattributeTypes: ( 1.3.6.1.4.1.15953.9.1.10
+ NAME 'sudoOrder'
+ DESC 'an integer to order the sudoRole entries'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+#
+olcobjectclasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+ DESC 'Sudoer Entries'
+ MUST ( cn )
+ MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $
+ description )
+ )
diff --git a/files/usr/local/etc/openldap/slapd.ldif.idm_server b/files/usr/local/etc/openldap/slapd.ldif.idm_server
new file mode 100644
index 0000000..784c63a
--- /dev/null
+++ b/files/usr/local/etc/openldap/slapd.ldif.idm_server
@@ -0,0 +1,225 @@
+# Top-level cn=config attributes.
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcArgsFile: /var/run/openldap/slapd.args
+olcPidFile: /var/run/openldap/slapd.pid
+olcSaslHost: ${fqdn}
+olcSaslSecProps: noanonymous,minssf=56
+olcDisallows: bind_anon
+olcSecurity: ssf=56
+olcLocalSSF: 128
+olcTLSCACertificateFile: ${site_cacert_path}
+olcTLSCertificateFile: ${slapd_tls_cert}
+olcTLSCertificateKeyFile: ${slapd_tls_key}
+olcTLSVerifyClient: allow
+$(echo "$idm_server_list" | while read -r _hostname id ipv4; do
+ echo "olcServerID: ${id} ldaps://${ipv4}/"
+done)
+olcAuthzRegexp: {0}^gidNumber=[0-9]+\+uidNumber=0,cn=peercred,cn=external,cn=auth$ ${slapd_root_dn}
+olcAuthzRegexp: {1}^gidNumber=[0-9]+\+uidNumber=([^,]+),cn=peercred,cn=external,cn=auth$ ldap:///${accounts_basedn}??sub?(uidNumber=\$1)
+olcAuthzRegexp: {2}^uid=([^,]+),cn=(gssapi|plain|login),cn=auth$ ldap:///${accounts_basedn}??sub?(krbPrincipalName=\$1@${realm})
+
+# Load dynamic modules.
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulepath: /usr/local/libexec/openldap
+olcModuleload: back_mdb.la
+olcModuleload: pw-sha2.la
+olcModuleload: accesslog.la
+olcModuleload: dynlist.la
+olcModuleload: unique.la
+olcModuleload: refint.la
+
+# Frontend configuration. Individual databases can override these settings.
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcFrontendConfig
+olcDatabase: frontend
+olcPasswordHash: {SSHA512}
+olcSizeLimit: ${slapd_result_size_limit}
+olcRequires: authc
+olcAccess: {0}to dn.base="" by * read
+olcAccess: {1}to dn.base="cn=Subschema" by * read
+olcAccess: {2}to *
+ by users read
+ by anonymous auth
+
+# Load schemas.
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file://${slapd_conf_dir}/schema/core.ldif
+include: file://${slapd_conf_dir}/schema/cosine.ldif
+include: file://${slapd_conf_dir}/schema/inetorgperson.ldif
+include: file://${slapd_conf_dir}/schema/dyngroup.ldif
+include: file://${slapd_conf_dir}/schema/rfc2307bis.ldif
+include: file://${slapd_conf_dir}/schema/kerberos.ldif
+include: file://${slapd_conf_dir}/schema/openssh-lpk.ldif
+include: file://${slapd_conf_dir}/schema/sudo.ldif
+include: file://${slapd_conf_dir}/schema/dnsdomain2.ldif
+include: file://${slapd_conf_dir}/schema/mailservice.ldif
+
+# cn=config database configuration.
+dn: olcDatabase={0}config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcRootDN: ${slapd_root_dn}
+
+# Default database configuration.
+dn: olcDatabase={1}mdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcMdbConfig
+olcDatabase: mdb
+olcDbMaxSize: ${slapd_db_max_size}
+olcSuffix: ${basedn}
+olcRootDN: ${slapd_root_dn}
+olcDbDirectory: ${slapd_data_dir}
+$(echo "$idm_server_list" | while read -r _hostname id ipv4; do
+echo "olcSyncrepl: rid=00${id}
+ provider=ldaps://${ipv4}/
+ searchbase=${basedn}
+ bindmethod=sasl
+ saslmech=external
+ tls_cert=${slapd_replicator_tls_cert}
+ tls_key=${slapd_replicator_tls_key}
+ tls_cacert=${site_cacert_path}
+ tls_reqcert=demand
+ type=refreshAndPersist
+ retry=\"5 5 60 +\"
+ logfilter=\"(&(objectClass=auditWriteObject)(reqResult=0))\"
+ timeout=5
+ logbase=cn=accesslog
+ syncdata=accesslog"
+done)
+olcMultiProvider: TRUE
+olcDbIndex: objectClass eq
+olcDbIndex: cn,uid,uidNumber,gidNumber,member,memberUid,mail,mailAddress,mailAlternateAddress,mailPrivateAddress,mailContactAddress eq
+olcDbIndex: sudoUser eq
+olcDbIndex: automountMapName eq
+olcDbIndex: krbPrincipalName eq,pres
+olcDbIndex: entryCSN,entryUUID eq
+olcDbIndex: associatedDomain pres,eq,sub
+olcDbIndex: description pres,eq,sub
+olcLimits: {0}dn.exact=${slapd_replicator_dn}
+ time.soft=unlimited
+ time.hard=unlimited
+ size.soft=unlimited
+ size.hard=unlimited
+olcLimits: {1}*
+ size.soft=${slapd_result_size_limit}
+ size.hard=${slapd_result_size_limit}
+ size.pr=${slapd_result_size_limit}
+ size.prtotal=unlimited
+olcAccess: {0}to dn.base=""
+ by * read
+olcAccess: {1}to dn.base="cn=Subschema"
+ by * read
+olcAccess: {3}to *
+ by dn.exact=${slapd_replicator_dn} read
+ by dn.exact=uid=${idm_admin_username},${robots_basedn} manage
+ by group/groupOfMembers/member=cn=${idm_admin_groupname},${groups_basedn} manage
+ by * break
+olcAccess: {4}to dn.subtree=${sudo_basedn}
+ by dn.children=${hosts_basedn} read
+ by * none
+olcAccess: {5}to dn.subtree=${kdc_basedn}
+ by * none
+olcAccess: {6}to attrs=userPassword
+ by self write
+ by anonymous auth
+ by * none
+olcAccess: {7}to attrs=shadowLastChange,sshPublicKey
+ by self write
+ by * read
+olcAccess: {8}to attrs=krbPrincipalKey
+ by * none
+olcAccess: {9}to *
+ by * read
+
+# Accesslog database (for syncprov).
+dn: olcDatabase={2}mdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcMdbConfig
+olcDatabase: mdb
+olcDbDirectory: ${slapd_data_dir}/accesslog
+olcSuffix: cn=accesslog
+olcRootDN: ${slapd_root_dn}
+olcDbMaxSize: ${slapd_accesslog_db_max_size}
+olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart,reqDN eq
+olcAccess: {0}to *
+ by dn.exact=${slapd_replicator_dn} read
+ by * break
+olcLimits: {0}dn.exact=${slapd_replicator_dn}
+ time.soft=unlimited
+ time.hard=unlimited
+ size.soft=unlimited
+ size.hard=unlimited
+
+# Monitoring database.
+dn: olcDatabase={3}monitor,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: monitor
+olcRootDN: ${slapd_root_dn}
+olcMonitoring: FALSE
+
+# Syncprov overlay.
+dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcSyncProvConfig
+olcOverlay: syncprov
+olcSpCheckpoint: ${slapd_syncrepl_checkpoint_ops} ${slapd_syncrepl_checkpoint_minutes}
+olcSpSessionLog: ${slapd_syncrepl_session_log}
+
+# Accesslog overlay (for syncrepl).
+dn: olcOverlay={1}accesslog,olcDatabase={1}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcAccessLogConfig
+olcOverlay: accesslog
+olcAccessLogDB: cn=accesslog
+olcAccessLogOps: writes
+olcAccessLogSuccess: TRUE
+olcAccessLogPurge: ${slapd_syncrepl_cleanup_age}+00:00 ${slapd_syncrepl_cleanup_interval}+00:00
+
+# Dynlist overlay.
+dn: olcOverlay={2}dynlist,olcDatabase={1}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcDynamicList
+olcOverlay: dynlist
+olcDynListAttrSet: {0}groupOfURLs memberURL member+memberOf@groupOfMembers*
+olcDynListAttrSet: {1}labeledURIObject labeledURI uniqueMember+seeAlso@groupOfUniqueNames
+
+# Unique overlay.
+dn: olcOverlay={3}unique,olcDatabase={1}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcUniqueConfig
+olcOverlay: unique
+olcUniqueURI: ldap:///${accounts_basedn}?uid?sub
+olcUniqueURI: ldap:///${accounts_basedn}?uidNumber?sub
+olcUniqueURI: ldap:///${accounts_basedn}?krbPrincipalName?sub
+olcUniqueURI: ldap:///${accounts_basedn}?mail?sub
+olcUniqueURI: ldap:///${accounts_basedn}?mailAddress,mailAlternateAddress,mailPrivateAddress,mailContactAddress?sub
+olcUniqueURI: ldap:///${groups_basedn}?cn?sub
+olcUniqueURI: ldap:///${groups_basedn}?gidNumber?sub
+olcUniqueURI: ldap:///${hosts_basedn}?cn,dc?sub
+olcUniqueURI: ldap:///${services_basedn}?cn?sub
+olcUniqueURI: ldap:///${sudo_basedn}?cn?sub
+olcUniqueURI: ldap:///${dns_basedn}?associatedDomain?sub
+
+# Refint overlay.
+dn: olcOverlay={4}refint,olcDatabase={1}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcRefintConfig
+olcOverlay: refint
+olcRefintAttribute: member
+olcRefintNothing: cn=config
+
+# Syncprov overlay for accesslog db.
+dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcSyncProvConfig
+olcOverlay: syncprov
+olcSpNoPresent: TRUE
+olcSpReloadHint: TRUE
diff --git a/files/usr/local/etc/pdns/pdns.conf.idm_server b/files/usr/local/etc/pdns/pdns.conf.idm_server
new file mode 100644
index 0000000..fc63bd6
--- /dev/null
+++ b/files/usr/local/etc/pdns/pdns.conf.idm_server
@@ -0,0 +1,29 @@
+# With SASL_MECH=EXTERNAL set in system ldap.conf, PowerDNS can be fooled
+# into performing an EXTERNAL (Unix peercred) bind over the ldapi:/// domain
+# socket.
+#
+# You must set ldap-bindmethod=gssapi (?!) for this to work. This behavior doesn't
+# seem to be documented anywhere, but hey, it's nice!
+ldap-host=ldapi:///
+ldap-bindmethod=gssapi
+
+ldap-basedn=${dns_basedn}
+ldap-reconnect-attempts=2147483647
+ldap-method=simple
+
+launch=ldap
+
+local-address=127.0.0.1,::1
+local-port=${pdns_port}
+distributor-threads=${pdns_distributor_threads}
+receiver-threads=${pdns_receiver_threads}
+reuseport=yes
+
+allow-axfr-ips=${pdns_allow_axfr_ips}
+
+cache-ttl=${pdns_cache_ttl}
+query-cache-ttl=${pdns_query_cache_ttl}
+negquery-cache-ttl=${pdns_negquery_cache_ttl}
+zone-cache-refresh-interval=0
+
+security-poll-suffix=
diff --git a/files/usr/local/etc/pkg/repos/onprem.conf.freebsd b/files/usr/local/etc/pkg/repos/onprem.conf.freebsd
new file mode 100644
index 0000000..953ae20
--- /dev/null
+++ b/files/usr/local/etc/pkg/repos/onprem.conf.freebsd
@@ -0,0 +1,6 @@
+${site}: {
+ enabled: yes,
+ url: "http://${pkg_host}/\${ABI}/latest",
+ signature_type: "pubkey",
+ pubkey: "/usr/local/etc/ssl/repo.crt"
+}
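Review bot: The attribute-level deny `olcAccess: {8}to attrs=krbPrincipalKey` covers less than the key material the kerberos schema places on a principal, so the catch-all `olcAccess: {9}to * by * read` lets every authenticated user read other accounts' `krbPwdHistory` (which stores the keys of previous passwords); if principals live under ${accounts_basedn}, as the `olcAuthzRegexp: {2}` mapping on krbPrincipalName suggests, the subtree deny `{5}` on ${kdc_basedn} does not reach them. I would widen the rule to `olcAccess: {8}to attrs=krbPrincipalKey,krbPwdHistory` / ` by * none`. Separately, the mdb ACL indexes run `{0}`, `{1}`, `{3}`; slapd may renumber on load, but the gap reads as a dropped rule and should be closed. Finally, with `tls_reqcert=demand` and `provider=ldaps://${ipv4}/`, each server's ${slapd_tls_cert} has to carry an iPAddress SAN for that address or replication will fail certificate verification, which is worth a comment above the `$(echo "$idm_server_list" ...)` loop.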
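Review bot: The header comment records that `ldap-bindmethod=gssapi` plus `SASL_MECH=EXTERNAL` yields a peercred bind over `ldapi:///` but not which PowerDNS version this was observed on, so a later upgrade that changes the undocumented behaviour would break name resolution with no pointer to why; I'd extend the comment with `# Verified with PowerDNS <VERSION-PLACEHOLDER>`. It is also worth stating here that the slapd side (`olcDisallows: bind_anon` and `olcRequires: authc` in slapd.ldif.idm_server) is what turns a regression of this trick into a hard bind failure rather than a silent anonymous read, so nobody relaxes those settings later. `security-poll-suffix=` disables the upstream security-status poll; a one-line comment that this is intentional would keep it from being "fixed".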
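Review bot: The repository is fetched over plain `http://${pkg_host}` and integrity rests entirely on `signature_type: "pubkey"` with `/usr/local/etc/ssl/repo.crt`, which is sound but stated nowhere; the same applies to onprem.conf.idm_server in this commit. I would add `# Plain HTTP is intentional: the catalog is verified against repo.crt (pubkey signing).` above `${site}: {`, so the transport isn't later switched to TLS without keeping the signature check and so the dependency on repo.crt being deployed first is visible.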
diff --git a/files/usr/local/etc/pkg/repos/onprem.conf.idm_server b/files/usr/local/etc/pkg/repos/onprem.conf.idm_server
new file mode 100644
index 0000000..5ffad74
--- /dev/null
+++ b/files/usr/local/etc/pkg/repos/onprem.conf.idm_server
@@ -0,0 +1,9 @@
+# The "-idm" set is a special poudriere build for the IDM servers that builds
+# openldap26-server with GSSAPI_BASE. This workaround is necessary to avoid a
+# circular dependency with krb5 and cyrus-sasl2-gssapi.
+${site}: {
+ enabled: yes,
+ url: "http://${pkg_host}/\${ABI}/latest-idm",
+ signature_type: "pubkey",
+ pubkey: "/usr/local/etc/ssl/repo.crt"
+}
diff --git a/files/usr/local/etc/poudriere.d/idm-make.conf.pkg_repository b/files/usr/local/etc/poudriere.d/idm-make.conf.pkg_repository
new file mode 100644
index 0000000..1d5ce20
--- /dev/null
+++ b/files/usr/local/etc/poudriere.d/idm-make.conf.pkg_repository
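Review bot: The comment says the `-idm` set "builds openldap26-server with GSSAPI_BASE", but idm-make.conf.pkg_repository in this same commit applies `GSSAPI_BASE` only via `security_cyrus-sasl2-gssapi_SET=GSSAPI_BASE` (openldap26-server only gets `DEBUG` set and `SMBPWD` unset, and `GSSAPI_BASE` is in the global `OPTIONS_UNSET`), so one of the two is stale. If the make.conf is the truth, I'd reword the comment to `# ... that builds cyrus-sasl2-gssapi with GSSAPI_BASE instead of GSSAPI_MIT.` so the reason for the separate repo stays verifiable against the build options.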
@@ -0,0 +1,34 @@
+CFLAGS=-O2 -pipe
+DISABLE_LICENSES=yes
+DEFAULT_VERSIONS+=${poudriere_default_versions:-}
+MAKE_JOBS_NUMBER=${poudriere_make_jobs_number}
+
+# Global port options
+OPTIONS_UNSET=TEST DEBUG GSSAPI_HEIMDAL GSSAPI_BASE GSSAPI_NONE HEIMDAL NLS DOCS AVAHI LIBWRAP MYSQL MSQLND ODBC READLINE PULSEAUDIO UPNP BASH ZSH INFO ALSA SAMBA WAYLAND PLATFORM_WAYLAND PIPEWIRE
+OPTIONS_SET=GSSAPI GSSAPI_MIT NONFREE LIBEDIT
+
+# Per-port options
+dns_powerdns_SET=OPENLDAP
+dns_powerdns_UNSET=PGSQL SQLITE3
+dns_unbound_SET=TFOCL TFOSE
+dns_unbound_UNSET=DOH
+editors_vim_SET=CTAGS_EXUBERANT XTERM_SAVE
+editors_vim_UNSET=CTAGS_BASE
+net_openldap26-server_SET=DEBUG
+net_openldap26-server_UNSET=SMBPWD
+security_cyrus-sasl2-saslauthd_UNSET=BDB1
+security_krb5_SET=DNS_FOR_REALM LDAP
+security_krb5_UNSET=KRB5_HTML KRB5_PDF
+security_sudo_SET=LDAP
+security_sudo_UNSET=GSSAPI_MIT
+shells_bash_UNSET=PORTS_READLINE
+sysutils_htop_SET=LSOF
+sysutils_rsyslog8_SET=GSSAPI RELP OPENSSL
+sysutils_rsyslog8_UNSET=GCRYPT
+www_nginx_SET=HTTPV3 HTTPV3_QTLS HTTP_AUTH_KRB5 HTTP_AUTH_LDAP
+www_nginx_UNSET=MAIL
+
+# We must use base kerberos to build cyrus to avoid a circular dependency with
+# MIT kerberos and LDAP.
+security_cyrus-sasl2-gssapi_SET=GSSAPI_BASE
+security_cyrus-sasl2-gssapi_UNSET=GSSAPI_MIT
diff --git a/files/usr/local/etc/poudriere.d/idm-pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/idm-pkglist.pkg_repository
new file mode 100644
index 0000000..86c102e
--- /dev/null
+++ b/files/usr/local/etc/poudriere.d/idm-pkglist.pkg_repository
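Review bot: `net_openldap26-server_SET=DEBUG` and `security_sudo_UNSET=GSSAPI_MIT` each reverse a global choice (`DEBUG` is in `OPTIONS_UNSET`, `GSSAPI_MIT` is in `OPTIONS_SET`) without saying why, while the cyrus-sasl2-gssapi override at the bottom of the hunk does get an explanation. Because these per-port lines decide what ends up in the IDM server's LDAP and sudo binaries, I would give each the same treatment, e.g. `# DEBUG on openldap26-server: <reason — TODO fill in>` and `# sudo without GSSAPI_MIT: <reason — TODO fill in>`, so a later cleanup of the options list does not silently drop them. If the sudo line is also a circular-dependency workaround, it belongs next to the existing comment rather than in the generic per-port block.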
@@ -0,0 +1,24 @@
+devel/git@lite
+dns/bind-tools
+dns/powerdns
+dns/unbound
+editors/vim@console
+lang/python
+net/nss-pam-ldapd-sasl
+net/openldap26-client
+net/openldap26-server
+net/p5-perl-ldap
+net/py-python-ldap
+net/rsync
+security/cyrus-sasl2-saslauthd
+security/krb5
+security/pam_krb5@mit
+security/pam_mkhomedir
+security/sudo
+sysutils/htop
+sysutils/lsof
+sysutils/p5-Sys-Syslog
+sysutils/pwgen
+sysutils/tmux
+sysutils/tree
+www/nginx
diff --git a/files/usr/local/etc/sudoers.d/networkmgr.roadwarrior_laptop b/files/usr/local/etc/sudoers.d/networkmgr.roadwarrior_laptop
new file mode 100644
index 0000000..04284c5
--- /dev/null
+++ b/files/usr/local/etc/sudoers.d/networkmgr.roadwarrior_laptop
@@ -0,0 +1 @@
+%operator ALL=NOPASSWD: /usr/local/bin/networkmgr
diff --git a/files/usr/local/etc/sudoers.roadwarrior_laptop b/files/usr/local/etc/sudoers.roadwarrior_laptop
new file mode 100644
index 0000000..0c1a78c
--- /dev/null
+++ b/files/usr/local/etc/sudoers.roadwarrior_laptop
@@ -0,0 +1,4 @@
+root ALL=(ALL:ALL) ALL
+%wheel ALL=(ALL:ALL) ALL
+
+@includedir /usr/local/etc/sudoers.d
-- cgit v1.2.3
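Review bot: `%operator ALL=NOPASSWD: /usr/local/bin/networkmgr` gives every member of the operator group root execution of networkmgr with no password and no restriction on arguments, so the effective privilege is whatever that program can be made to do as root, which is not visible from this commit. If the tool needs no arguments, pinning them with `%operator ALL=NOPASSWD: /usr/local/bin/networkmgr ""` narrows the grant, and a comment above the line stating why the laptop's operator group needs it (e.g. `# Lets the desktop user manage Wi-Fi via the networkmgr tray applet.`) records the intent. The drop-in is only picked up through the `@includedir` line in sudoers.roadwarrior_laptop later in this line, so the two files should be reviewed as one policy.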
