From cbcd022f302adc39ecb89fba6faf72e68184c0e0 Mon Sep 17 00:00:00 2001
From: Cullum Smith <cullum@sacredheartsc.com>
Date: Fri, 2 Aug 2024 19:10:39 -0400
Subject: halfway working idm server and laptop hostclasses
---
.../local/etc/X11/xorg.conf.d/terminus.conf.common | 3 +
.../chromium/policies/managed/policies.json.common | 96 ++++++++
files/usr/local/etc/openldap/ldap.conf.idm_server | 9 +
.../etc/openldap/schema/dnsdomain2.ldif.idm_server | 252 +++++++++++++++++++++
.../etc/openldap/schema/kerberos.ldif.idm_server | 68 ++++++
.../openldap/schema/mailservice.ldif.idm_server | 177 +++++++++++++++
.../openldap/schema/openssh-lpk.ldif.idm_server | 11 +
.../etc/openldap/schema/rfc2307bis.ldif.idm_server | 246 ++++++++++++++++++++
.../local/etc/openldap/schema/sudo.ldif.idm_server | 79 +++++++
files/usr/local/etc/openldap/slapd.ldif.idm_server | 225 ++++++++++++++++++
files/usr/local/etc/pdns/pdns.conf.idm_server | 29 +++
files/usr/local/etc/pkg/repos/onprem.conf.freebsd | 6 +
.../usr/local/etc/pkg/repos/onprem.conf.idm_server | 9 +
.../etc/poudriere.d/idm-make.conf.pkg_repository | 34 +++
.../etc/poudriere.d/idm-pkglist.pkg_repository | 24 ++
.../etc/sudoers.d/networkmgr.roadwarrior_laptop | 1 +
files/usr/local/etc/sudoers.roadwarrior_laptop | 4 +
17 files changed, 1273 insertions(+)
create mode 100644 files/usr/local/etc/X11/xorg.conf.d/terminus.conf.common
create mode 100644 files/usr/local/etc/chromium/policies/managed/policies.json.common
create mode 100644 files/usr/local/etc/openldap/ldap.conf.idm_server
create mode 100644 files/usr/local/etc/openldap/schema/dnsdomain2.ldif.idm_server
create mode 100644 files/usr/local/etc/openldap/schema/kerberos.ldif.idm_server
create mode 100644 files/usr/local/etc/openldap/schema/mailservice.ldif.idm_server
create mode 100644 files/usr/local/etc/openldap/schema/openssh-lpk.ldif.idm_server
create mode 100644 files/usr/local/etc/openldap/schema/rfc2307bis.ldif.idm_server
create mode 100644 files/usr/local/etc/openldap/schema/sudo.ldif.idm_server
create mode 100644 files/usr/local/etc/openldap/slapd.ldif.idm_server
create mode 100644 files/usr/local/etc/pdns/pdns.conf.idm_server
create mode 100644 files/usr/local/etc/pkg/repos/onprem.conf.freebsd
create mode 100644 files/usr/local/etc/pkg/repos/onprem.conf.idm_server
create mode 100644 files/usr/local/etc/poudriere.d/idm-make.conf.pkg_repository
create mode 100644 files/usr/local/etc/poudriere.d/idm-pkglist.pkg_repository
create mode 100644 files/usr/local/etc/sudoers.d/networkmgr.roadwarrior_laptop
create mode 100644 files/usr/local/etc/sudoers.roadwarrior_laptop
(limited to 'files/usr/local/etc')
diff --git a/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.common b/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.common
new file mode 100644
index 0000000..d0bb2ae
--- /dev/null
+++ b/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.common
@@ -0,0 +1,3 @@
+Section "Files"
+ FontPath "/usr/local/share/fonts/terminus-font/"
+EndSection
diff --git a/files/usr/local/etc/chromium/policies/managed/policies.json.common b/files/usr/local/etc/chromium/policies/managed/policies.json.common
new file mode 100644
index 0000000..0e57885
--- /dev/null
+++ b/files/usr/local/etc/chromium/policies/managed/policies.json.common
@@ -0,0 +1,96 @@
+{
+ "AdvancedProtectionAllowed": false,
+ "AlternateErrorPagesEnabled": false,
+ "AutofillCreditCardEnabled": false,
+ "AuthNegotiateDelegateAllowlist": "*.${domain}",
+ "AuthServerAllowlist": "*.${domain}",
+ "BackgroundModeEnabled": false,
+ "BlockThirdPartyCookies": true,
+ "BrowserGuestModeEnabled": false,
+ "BrowserLabsEnabled": false,
+ "BrowserNetworkTimeQueriesEnabled": false,
+ "BrowserSignin": 0,
+ "CloudPrintProxyEnabled": false,
+ "CloudReportingEnabled": false,
+ "DefaultBrowserSettingEnabled": false,
+ "DefaultCookiesSetting": 1,
+ "DefaultSearchProviderEnabled": true,
+ "DefaultSearchProviderName": "DuckDuckGo",
+ "DefaultSearchProviderIconURL": "https://duckduckgo.com/favicon.ico",
+ "DefaultSearchProviderEncodings": [
+ "UTF-8"
+ ],
+ "DefaultSearchProviderSearchURL": "https://duckduckgo.com/?q={searchTerms}",
+ "DefaultSearchProviderSuggestURL":"https://duckduckgo.com/ac/?q={searchTerms}&type=list",
+ "DefaultSearchProviderNewTabURL":"https://duckduckgo.com/chrome_newtab",
+ "DnsOverHttpsMode": "off",
+ "EnableAuthNegotiatePort": true,
+ "EnableMediaRouter": false,
+ "MetricsReportingEnabled": false,
+ "NetworkPredictionOptions": 2,
+ "PasswordManagerEnabled": false,
+ "PaymentMethodQueryEnabled": false,
+ "PrivacySandboxAdMeasurementEnabled": false,
+ "PrivacySandboxAdTopicsEnabled": false,
+ "PrivacySandboxPromptEnabled": false,
+ "PrivacySandboxSiteEnabledAdsEnabled": false,
+ "PromotionalTabsEnabled": false,
+ "SafeBrowsingProtectionLevel": 0,
+ "SearchSuggestEnabled": false,
+ "SyncDisabled": true,
+ "TranslateEnabled": false,
+ "UrlKeyedAnonymizedDataCollectionEnabled": false,
+ "ManagedBookmarks": [
+ {
+ "toplevel_name": "Internal"
+ },
+ {
+ "name": "Poudriere",
+ "url": "http://pkg.${domain}/poudriere"
+ }
+ ],
+ "ExtensionSettings": {
+ "cjpalhdlnbpafiamejdnhcphjbkeiagm": {
+ "installation_mode": "force_installed",
+ "update_url": "https://clients2.google.com/service/update2/crx"
+ },
+ "nngceckbapebfimnlniiiahkandclblb": {
+ "installation_mode": "normal_installed",
+ "update_url": "https://clients2.google.com/service/update2/crx"
+ },
+ "cimiefiiaegbelhefglklhhakcgmhkai": {
+ "installation_mode": "$(if [ "${desktop_type:-}" = kde ]; then echo normal_installed; else echo allowed; fi)",
+ "update_url": "https://clients2.google.com/service/update2/crx"
+ }
+ },
+ "3rdparty": {
+ "extensions": {
+ "cjpalhdlnbpafiamejdnhcphjbkeiagm": {
+ "toOverwrite": {
+ "filterLists": [
+ "user-filters",
+ "ublock-filters",
+ "ublock-badware",
+ "ublock-privacy",
+ "ublock-abuse",
+ "ublock-unbreak",
+ "ublock-annoyances",
+ "easylist",
+ "easyprivacy",
+ "urlhaus-1",
+ "plowe-0",
+ "fanboy-annoyance",
+ "fanboy-thirdparty_social",
+ "adguard-spyware-url",
+ "ublock-quick-fixes"
+ ]
+ },
+ "toAdd": {
+ "trustedSiteDirectives": [
+ "${domain}"
+ ]
+ }
+ }
+ }
+ }
+}
diff --git a/files/usr/local/etc/openldap/ldap.conf.idm_server b/files/usr/local/etc/openldap/ldap.conf.idm_server
new file mode 100644
index 0000000..3b285f7
--- /dev/null
+++ b/files/usr/local/etc/openldap/ldap.conf.idm_server
@@ -0,0 +1,9 @@
+URI ldapi:///
+BASE ${basedn}
+USE_SASL yes
+ROOTUSE_SASL yes
+SASL_MECH EXTERNAL
+SASL_REALM ${realm}
+GSSAPI_SIGN yes
+GSSAPI_ENCRYPT yes
+SUDOERS_BASE ${sudo_basedn}
diff --git a/files/usr/local/etc/openldap/schema/dnsdomain2.ldif.idm_server b/files/usr/local/etc/openldap/schema/dnsdomain2.ldif.idm_server
new file mode 100644
index 0000000..f4fcd01
--- /dev/null
+++ b/files/usr/local/etc/openldap/schema/dnsdomain2.ldif.idm_server
@@ -0,0 +1,252 @@
+dn: cn=dnsdomain2,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: dnsdomain2
+# A schema for storing DNS zones in LDAP
+#
+# ORDERING is not necessary, and some servers don't support
+# integerOrderingMatch. Omit or change if you like
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL'
+ DESC 'An integer denoting time to live'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass'
+ DESC 'The class of a resource record'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.11 NAME 'wKSRecord'
+ DESC 'a well known service description, RFC 1035'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord'
+ DESC 'domain name pointer, RFC 1035'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord'
+ DESC 'host information, RFC 1035'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord'
+ DESC 'mailbox or mail list information, RFC 1035'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord'
+ DESC 'text string, RFC 1035'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.17 NAME 'rPRecord'
+ DESC 'for Responsible Person, RFC 1183'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord'
+ DESC 'for AFS Data Base location, RFC 1183'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord'
+ DESC 'Signature, RFC 2535'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord'
+ DESC 'Key, RFC 2535'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.27 NAME 'gPosRecord'
+ DESC 'Geographical Position, RFC 1712'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord'
+ DESC 'IPv6 address, RFC 1886'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord'
+ DESC 'Location, RFC 1876'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord'
+ DESC 'non-existant, RFC 2535'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord'
+ DESC 'service location, RFC 2782'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord'
+ DESC 'Naming Authority Pointer, RFC 2915'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord'
+ DESC 'Key Exchange Delegation, RFC 2230'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord'
+ DESC 'certificate, RFC 2538'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record'
+ DESC 'A6 Record Type, RFC 2874'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord'
+ DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.42 NAME 'aPLRecord'
+ DESC 'Lists of Address Prefixes, RFC 3123'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord'
+ DESC 'Delegation Signer, RFC 3658'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord'
+ DESC 'SSH Key Fingerprint, RFC 4255'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.45 NAME 'iPSecKeyRecord'
+ DESC 'SSH Key Fingerprint, RFC 4025'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord'
+ DESC 'RRSIG, RFC 3755'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord'
+ DESC 'NSEC, RFC 3755'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.48 NAME 'dNSKeyRecord'
+ DESC 'DNSKEY, RFC 3755'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.49 NAME 'dHCIDRecord'
+ DESC 'DHCID, RFC 4701'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.50 NAME 'nSEC3Record'
+ DESC 'NSEC record version 3, RFC 5155'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.51 NAME 'nSEC3PARAMRecord'
+ DESC 'NSEC3 parameters, RFC 5155'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.52 NAME 'tLSARecord'
+ DESC 'TLSA certificate association, RFC 6698'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.59 NAME 'cDSRecord'
+ DESC 'Child DS, RFC7344'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.60 NAME 'cDNSKeyRecord'
+ DESC 'DNSKEY(s) the Child wants reflected in DS, RFC7344'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.61 NAME 'openPGPKeyRecord'
+ DESC 'OpenPGP Key, RFC7929'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.64 NAME 'SVCBRecord'
+ DESC 'Service binding, draft-ietf-dnsop-svcb-https-01'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.65 NAME 'HTTPSRecord'
+ DESC 'HTTPS service binding, draft-ietf-dnsop-svcb-https-01'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.99 NAME 'sPFRecord'
+ DESC 'Sender Policy Framework, RFC 4408'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.108 NAME 'EUI48Record'
+ DESC 'EUI-48 address, RFC7043'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.109 NAME 'EUI64Record'
+ DESC 'EUI-64 address, RFC7043'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.249 NAME 'tKeyRecord'
+ DESC 'Transaction Key, RFC2930'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.256 NAME 'uRIRecord'
+ DESC 'URI, RFC7553'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.257 NAME 'cAARecord'
+ DESC 'Certification Authority Restriction, RFC6844'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.32769 NAME 'dLVRecord'
+ DESC 'DNSSEC Lookaside Validation, RFC4431'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.65226 NAME 'TYPE65226Record'
+ DESC ''
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.2428.20.1.65534 NAME 'TYPE65534Record'
+ DESC ''
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcObjectClasses: ( 1.3.6.1.4.1.2428.20.2 NAME 'dNSDomain2'
+ SUP 'dNSDomain' STRUCTURAL
+ MAY ( DNSTTL $ DNSClass $ WKSRecord $ PTRRecord $
+ HINFORecord $ MINFORecord $ TXTRecord $ RPRecord $
+ AFSDBRecord $ SIGRecord $ KEYRecord $ GPOSRecord $
+ AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $
+ NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $
+ DNAMERecord $ APLRecord $ DSRecord $ SSHFPRecord $
+ IPSECKEYRecord $ RRSIGRecord $ NSECRecord $
+ DNSKEYRecord $ DHCIDRecord $ NSEC3Record $ NSEC3PARAMRecord $
+ TLSARecord $ CDSRecord $ CDNSKEYRecord $ OPENPGPKEYRecord $
+ SVCBRecord $ HTTPSRecord $
+ SPFRecord $ EUI48Record $ EUI64Record $ TKEYRecord $
+ URIRecord $ CAARecord $ DLVRecord $ TYPE65226Record $
+ TYPE65534Record
+ ) )
diff --git a/files/usr/local/etc/openldap/schema/kerberos.ldif.idm_server b/files/usr/local/etc/openldap/schema/kerberos.ldif.idm_server
new file mode 100644
index 0000000..830277d
--- /dev/null
+++ b/files/usr/local/etc/openldap/schema/kerberos.ldif.idm_server
@@ -0,0 +1,68 @@
+# This LDIF version of the Kerberos schema can be loaded into an
+# OpenLDAP database. It was originally converted semi-automatically
+# from kerberos.schema using slaptest.
+
+dn: cn=kerberos,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: kerberos
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.1 NAME 'krbCanonicalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.3.1 NAME 'krbPrincipalType' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.5.1 NAME 'krbUPEnabled' DESC 'Boolean' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.8.1 NAME 'krbTicketFlags' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.9.1 NAME 'krbMaxTicketLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.10.1 NAME 'krbMaxRenewableAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.14.1 NAME 'krbRealmReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.15.1 NAME 'krbLdapServers' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.18.1 NAME 'krbPwdServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.24.1 NAME 'krbHostServer' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.25.1 NAME 'krbSearchScope' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.26.1 NAME 'krbPrincipalReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.28.1 NAME 'krbPrincNamingAttr' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.29.1 NAME 'krbAdmServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.30.1 NAME 'krbMaxPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.31.1 NAME 'krbMinPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.32.1 NAME 'krbPwdMinDiffChars' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.1 NAME 'krbPwdMaxFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.2 NAME 'krbPwdFailureCountInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.3 NAME 'krbPwdLockoutDuration' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.2 NAME 'krbPwdAttributes' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.3 NAME 'krbPwdMaxLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.4 NAME 'krbPwdMaxRenewableLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.5 NAME 'krbPwdAllowedKeysalts' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.39.1 NAME 'krbPrincipalKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.40.1 NAME 'krbTicketPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.41.1 NAME 'krbSubTrees' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.42.1 NAME 'krbDefaultEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.43.1 NAME 'krbSupportedEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.44.1 NAME 'krbPwdHistory' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChange' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.46.1 NAME 'krbMKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.47.1 NAME 'krbPrincipalAliases' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccessfulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.50.1 NAME 'krbLoginFailedCount' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.51.1 NAME 'krbExtraData' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContainerRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113730.3.8.15.2.1 NAME 'krbPrincipalAuthInd' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.4 NAME 'krbAllowedToDelegateTo' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.1.1 NAME 'krbContainer' SUP top STRUCTURAL MUST cn )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer' SUP top STRUCTURAL MUST cn MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef ) )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.3.1 NAME 'krbService' SUP top ABSTRACT MUST cn MAY ( krbHostServer $ krbRealmReferences ) )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP krbService STRUCTURAL )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SUP krbService STRUCTURAL )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' SUP top AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbLastAdminUnlock $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbAllowedToDelegateTo $ krbPrincipalAuthInd ) )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP top STRUCTURAL MUST krbPrincipalName MAY krbObjectReferences )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.11.1 NAME 'krbPrincRefAux' SUP top AUXILIARY MAY krbPrincipalReferences )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' SUP krbService STRUCTURAL )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SUP top STRUCTURAL MUST cn MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxLife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicyAux' SUP top AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy' SUP top STRUCTURAL MUST cn )
diff --git a/files/usr/local/etc/openldap/schema/mailservice.ldif.idm_server b/files/usr/local/etc/openldap/schema/mailservice.ldif.idm_server
new file mode 100644
index 0000000..3cdedce
--- /dev/null
+++ b/files/usr/local/etc/openldap/schema/mailservice.ldif.idm_server
@@ -0,0 +1,177 @@
+dn: cn=mailservice,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: mailservice
+olcObjectIdentifier: {0}DebOps 1.3.6.1.4.1.53622
+olcObjectIdentifier: {1}DebOpsLDAP DebOps:42
+olcObjectIdentifier: {2}mailService DebOpsLDAP:2
+olcObjectIdentifier: {3}mailServiceAttribute mailService:3
+olcObjectIdentifier: {4}mailServiceObject mailService:4
+olcAttributeTypes: {0}( mailServiceAttribute:1 NAME 'mailAddress' DESC 'Primar
+ y RFC 822 email address of this recipient, can be used a
+ s a login identifier.' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substr
+ ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
+olcAttributeTypes: {1}( mailServiceAttribute:2 NAME 'mailAlternateAddress' DES
+ C 'Alternate RFC 822 email address(es) of this recipient' EQUALITY caseIgnore
+ IA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
+ 1.26{256} )
+olcAttributeTypes: {2}( mailServiceAttribute:3 NAME 'mailPrivateAddress' DESC
+ 'A confidential RFC 822 email address of this recipient
+ which can be used as a login identifier.' EQUALITY caseIgnoreIA5Match SUBSTR
+ caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE
+ -VALUE )
+olcAttributeTypes: {3}( mailServiceAttribute:4 NAME 'mailContactAddress' DESC
+ 'RFC 822 email address of this recipient which is meant to
+ be public and serve as the primary contact address.' EQUALITY caseIgnoreIA
+ 5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.
+ 26{256} )
+olcAttributeTypes: {4}( mailServiceAttribute:5 NAME 'mailInternalAddress' DESC
+ 'An internal RFC 822 email address of this recipient wh
+ ich will be rewritten to an external email address' EQUALITY caseIgnoreIA5Mat
+ ch SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{2
+ 56} SINGLE-VALUE )
+olcAttributeTypes: {5}( mailServiceAttribute:6 NAME 'mailExternalAddress' DESC
+ 'An external RFC 822 email address of this recipient wh
+ ich will be rewritten to an internal email address' EQUALITY caseIgnoreIA5Mat
+ ch SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{2
+ 56} SINGLE-VALUE )
+olcAttributeTypes: {6}( mailServiceAttribute:7 NAME 'mailSenderBccTo' DESC 'RF
+ C 822 BCC email address(es) to add for a given mail sender' EQUALITY caseIgno
+ reIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.12
+ 1.1.26{256} )
+olcAttributeTypes: {7}( mailServiceAttribute:8 NAME 'mailRecipientBccTo' DESC
+ 'RFC 822 BCC email address(es) to add for a given mail recipient' EQUALITY ca
+ seIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.
+ 115.121.1.26{256} )
+olcAttributeTypes: {8}( mailServiceAttribute:9 NAME 'mailForwardTo' DESC 'RFC
+ 822 email address(es) to forward all incoming messages to' EQUALITY caseIgnor
+ eIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121
+ .1.26{256} )
+olcAttributeTypes: {9}( mailServiceAttribute:10 NAME 'mailForwardToURL' DESC '
+ LDAP search URL that defines the recipients of the mail messages
+ sent to this mailing list' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1
+ .4.1.1466.115.121.1.26 )
+olcAttributeTypes: {10}( mailServiceAttribute:11 NAME 'mailErrorsTo' DESC 'RFC
+ 822 email address(es) to use when routing error and notification
+ messages to the owner(s) of an email distribution list' EQUALITY ca
+ seIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.
+ 115.121.1.26{256} )
+olcAttributeTypes: {11}( mailServiceAttribute:12 NAME 'mailRequestsTo' DESC 'R
+ FC 822 email address(es) to use when routing request mes
+ sages sent to the email distribution list' EQUALITY caseIgnoreIA5Match SUBSTR
+ caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+olcAttributeTypes: {12}( mailServiceAttribute:13 NAME 'mailEnvelopeAddress' DE
+ SC 'RFC 822 envelope sender email address of a given mail user
+ or email distribution list' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
+ oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE
+ )
+olcAttributeTypes: {13}( mailServiceAttribute:14 NAME 'mailRoutingAddress' DES
+ C 'RFC 822 email address to use when routing messages to
+ the SMTP MTA of this recipient' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnor
+ eIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
+olcAttributeTypes: {14}( mailServiceAttribute:15 NAME 'mailHost' DESC 'Fully Q
+ ualified Domain Name of the SMTP MTA that handles messag
+ es for this recipient' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMa
+ tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE )
+olcAttributeTypes: {15}( mailServiceAttribute:16 NAME 'mailTransport' DESC 'MT
+ A mail transport method which will take care of the email delivery' EQUALITY
+ caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {16}( mailServiceAttribute:17 NAME 'mailUidNumber' DESC 'UI
+ D required to access the mailbox' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.14
+ 66.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {17}( mailServiceAttribute:18 NAME 'mailGidNumber' DESC 'GI
+ D required to access the mailbox' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.14
+ 66.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {18}( mailServiceAttribute:19 NAME 'mailHomeDirectory' DESC
+ 'The absolute path to the mail user home directory' EQUALITY caseExactIA5Mat
+ ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {19}( mailServiceAttribute:20 NAME 'mailMessageStore' DESC
+ 'The path to the mail user mailbox storage directory' EQUALITY caseExactIA5Ma
+ tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {20}( mailServiceAttribute:21 NAME 'mailQuota' DESC 'Mail q
+ uota limit in kilobytes' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.
+ 115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {21}( mailServiceAttribute:22 NAME 'mailGroupACL' DESC 'Com
+ ma-separated list of mail groups a given mail user belon
+ gs to, used for mailbox access control' EQUALITY caseExactIA5Match SUBSTR cas
+ eExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {22}( mailServiceAttribute:23 NAME 'mailExpungeTrash' DESC
+ 'Time to automatically expunge Trash mailbox' EQUALITY caseIgnoreIA5Match SYN
+ TAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {23}( mailServiceAttribute:24 NAME 'mailSieveRuleSource' DE
+ SC 'Definition of a Sieve filter script for a given mail user' SYNTAX 1.3.6.1
+ .4.1.1466.115.121.1.26 )
+olcAttributeTypes: {24}( mailServiceAttribute:25 NAME 'mailSuppressErrors' DES
+ C 'Suppress error messages from being sent back to message originator' EQUALI
+ TY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {25}( mailServiceAttribute:26 NAME 'mailDeliveryFile' DESC
+ 'Path to a file used for archiving messages sent to the distribution list' EQ
+ UALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {26}( mailServiceAttribute:27 NAME 'mailDeliveryOption' DES
+ C 'Message handling option for messages sent to a designated recipient' EQUAL
+ ITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {27}( mailServiceAttribute:28 NAME 'mailProgramDeliveryInfo
+ ' DESC 'Named programs for message post-processing' EQUALITY caseExactIA5Matc
+ h SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {28}( mailServiceAttribute:29 NAME 'mailAuthorizedDomain' D
+ ESC 'Domains authorized to submit messages to the distribution list' EQUALITY
+ caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {29}( mailServiceAttribute:30 NAME 'mailAuthorizedSender' D
+ ESC 'Addresses authorized to submit messages to the distribution list' EQUALI
+ TY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {30}( mailServiceAttribute:31 NAME 'mailUnauthorizedDomain'
+ DESC 'Domains not authorized to submit messages to the distribution list' EQ
+ UALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {31}( mailServiceAttribute:32 NAME 'mailUnauthorizedSender'
+ DESC 'Addresses not authorized to submit messages to the distribution list'
+ EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {32}( mailServiceAttribute:33 NAME 'mailRemoveHeader' DESC
+ 'Headers to remove from the messages sent to the mailing list' SYNTAX 1.3.6.1
+ .4.1.1466.115.121.1.26 )
+olcAttributeTypes: {33}( mailServiceAttribute:34 NAME 'mailAddHeader' DESC 'He
+ aders to add to the messages sent to the mailing list' SYNTAX 1.3.6.1.4.1.146
+ 6.115.121.1.26 )
+olcAttributeTypes: {34}( mailServiceAttribute:35 NAME 'mailAntispamPolicy' DES
+ C 'Name of the anti-spam policy to apply to a given LDAP entry' SYNTAX 1.3.6.
+ 1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {35}( mailServiceAttribute:36 NAME 'mailAntivirusPolicy' DE
+ SC 'Name of the anti-virus policy to apply to a given LDAP entry' SYNTAX 1.3.
+ 6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {36}( mailServiceAttribute:37 NAME 'mailContentPolicy' DESC
+ 'Name of the content policy to apply to a given LDAP entry' SYNTAX 1.3.6.1.4
+ .1.1466.115.121.1.26 SINGLE-VALUE )
+olcObjectClasses: {0}( mailServiceObject:1 NAME 'mailRecipient' DESC 'The entr
+ y represents an entity within the organization that can re
+ ceive SMTP mail, such as a mail user account' SUP top AUXILIARY MUST mailAddr
+ ess MAY ( mailAlternateAddress $ mailPrivateAddress $ mailContactAddress $ ma
+ ilEnvelopeAddress $ mailRoutingAddress $ mailExternalAddress $ mailInternalAd
+ dress $ mailSenderBccTo $ mailRecipientBccTo $ mailHost $ mailTransport $ mai
+ lUidNumber $ mailGidNumber $ mailHomeDirectory $ mailMessageStore $ mailQuota
+ $ mailGroupACL $ mailExpungeTrash $ mailSieveRuleSource $ mailDeliveryOption
+ $ mailProgramDeliveryInfo $ mail $ cn $ description $ uid $ userPassword ) )
+olcObjectClasses: {1}( mailServiceObject:2 NAME 'mailAlias' DESC 'The entry re
+ presents an entity within the organization that defines an
+ email alias for mail recipients' SUP top STRUCTURAL MUST mailAddress MAY ( m
+ ailForwardTo $ mailForwardToURL $ mailHost $ mailTransport $ mailDeliveryFile
+ $ mailDeliveryOption $ mailProgramDeliveryInfo $ mail $ cn $ description $ o
+ wner ) )
+olcObjectClasses: {2}( mailServiceObject:3 NAME 'mailDistributionList' DESC 'T
+ he entry represents an entity within the organization that
+ can receive and forward SMTP mail, such as a mail group a
+ ccount (mailing list)' SUP top AUXILIARY MUST mailAddress MAY ( mailForwardTo
+ $ mailForwardToURL $ mailEnvelopeAddress $ mailErrorsTo $ mailRequestsTo $ m
+ ailSuppressErrors $ mailHost $ mailTransport $ mailDeliveryFile $ mailDeliver
+ yOption $ mailProgramDeliveryInfo $ mailAuthorizedDomain $ mailAuthorizedSend
+ er $ mailUnauthorizedDomain $ mailUnauthorizedSender $ mailRemoveHeader $ mai
+ lAddHeader $ mail $ cn $ description $ owner $ manager $ seeAlso ) )
+olcObjectClasses: {3}( mailServiceObject:4 NAME 'mailDomain' DESC 'The entry r
+ epresents an entity within the organization that defines a
+ n email domain' SUP domain STRUCTURAL MAY ( mailHost $ mailTransport $ mailSe
+ nderBccTo $ mailRecipientBccTo $ mailErrorsTo $ mailSuppressErrors $ mailAuth
+ orizedDomain $ mailAuthorizedSender $ mailUnauthorizedDomain $ mailUnauthoriz
+ edSender $ mailRemoveHeader $ mailAddHeader $ description $ owner $ manager )
+ )
+olcObjectClasses: {4}( mailServiceObject:5 NAME 'mailFilter' DESC 'The entry r
+ epresents an entity within the organization that can filte
+ r email messages according to various policies' SUP top AUXILIARY MAY ( mailA
+ ntispamPolicy $ mailAntivirusPolicy $ mailContentPolicy $ cn $ description $
+ seeAlso ) )
diff --git a/files/usr/local/etc/openldap/schema/openssh-lpk.ldif.idm_server b/files/usr/local/etc/openldap/schema/openssh-lpk.ldif.idm_server
new file mode 100644
index 0000000..6cde0a4
--- /dev/null
+++ b/files/usr/local/etc/openldap/schema/openssh-lpk.ldif.idm_server
@@ -0,0 +1,11 @@
+dn: cn=openssh-lpk,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: openssh-lpk
+olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
+ DESC 'MANDATORY: OpenSSH Public key'
+ EQUALITY octetStringMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MAY ( sshPublicKey $ uid )
+ )
diff --git a/files/usr/local/etc/openldap/schema/rfc2307bis.ldif.idm_server b/files/usr/local/etc/openldap/schema/rfc2307bis.ldif.idm_server
new file mode 100644
index 0000000..83cf2be
--- /dev/null
+++ b/files/usr/local/etc/openldap/schema/rfc2307bis.ldif.idm_server
@@ -0,0 +1,246 @@
+dn: cn=rfc2307bis,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: rfc2307bis
+###
+# Extracted from: http://tools.ietf.org/html/draft-howard-rfc2307bis-02
+###
+olcAttributeTypes: ( 1.3.6.1.1.1.1.2 NAME 'gecos'
+ DESC 'The GECOS field; the common name'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
+ DESC 'The absolute path to the home directory'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.4 NAME 'loginShell'
+ DESC 'The path to the login shell'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.6 NAME 'shadowMin'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.7 NAME 'shadowMax'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup'
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
+ DESC 'Netgroup triple'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort'
+ DESC 'Service port number'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol'
+ DESC 'Service protocol name'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber'
+ DESC 'IP protocol number'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber'
+ DESC 'ONC RPC number'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber'
+ DESC 'IPv4 addresses as a dotted decimal omitting leading
+ zeros or IPv6 addresses as defined in RFC2373'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber'
+ DESC 'IP network omitting leading zeros, eg. 192.168'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber'
+ DESC 'IP netmask omitting leading zeros, eg. 255.255.255.0'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.22 NAME 'macAddress'
+ DESC 'MAC address in maximal, colon separated hex
+ notation, eg. 00:00:92:90:ee:e2'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.23 NAME 'bootParameter'
+ DESC 'rpc.bootparamd parameter'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.24 NAME 'bootFile'
+ DESC 'Boot image name'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.26 NAME 'nisMapName'
+ DESC 'Name of a generic NIS map'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry'
+ DESC 'A generic NIS entry'
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024}
+ SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey'
+ DESC 'NIS public key'
+ EQUALITY octetStringMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
+ SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey'
+ DESC 'NIS secret key'
+ EQUALITY octetStringMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
+ SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain'
+ DESC 'NIS domain'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName'
+ DESC 'automount Map Name'
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey'
+ DESC 'Automount Key value'
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.33 NAME 'automountInformation'
+ DESC 'Automount information'
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+olcObjectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
+ DESC 'Abstraction of an account with POSIX attributes'
+ MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
+ MAY ( userPassword $ loginShell $ gecos $
+ description ) )
+olcObjectClasses: ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY
+ DESC 'Additional attributes for shadow passwords'
+ MUST uid
+ MAY ( userPassword $ description $
+ shadowLastChange $ shadowMin $ shadowMax $
+ shadowWarning $ shadowInactive $
+ shadowExpire $ shadowFlag ) )
+olcObjectClasses: ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY
+ DESC 'Abstraction of a group of accounts'
+ MUST gidNumber
+ MAY ( userPassword $ memberUid $
+ description ) )
+olcObjectClasses: ( 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL
+ DESC 'Abstraction an Internet Protocol service.
+ Maps an IP port and protocol (such as tcp or udp)
+ to one or more names; the distinguished value of
+ the cn attribute denotes the services canonical
+ name'
+ MUST ( cn $ ipServicePort $ ipServiceProtocol )
+ MAY description )
+olcObjectClasses: ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL
+ DESC 'Abstraction of an IP protocol. Maps a protocol number
+ to one or more names. The distinguished value of the cn
+ attribute denotes the protocol canonical name'
+ MUST ( cn $ ipProtocolNumber )
+ MAY description )
+olcObjectClasses: ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL
+ DESC 'Abstraction of an Open Network Computing (ONC)
+ [RFC1057] Remote Procedure Call (RPC) binding.
+ This class maps an ONC RPC number to a name.
+ The distinguished value of the cn attribute denotes
+ the RPC service canonical name'
+ MUST ( cn $ oncRpcNumber )
+ MAY description )
+olcObjectClasses: ( 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY
+ DESC 'Abstraction of a host, an IP device. The distinguished
+ value of the cn attribute denotes the hosts canonical
+ name. Device SHOULD be used as a structural class'
+ MUST ( cn $ ipHostNumber )
+ MAY ( userPassword $ l $ description $
+ manager ) )
+olcObjectClasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL
+ DESC 'Abstraction of a network. The distinguished value of
+ the cn attribute denotes the network canonical name'
+ MUST ipNetworkNumber
+ MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) )
+olcObjectClasses: ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL
+ DESC 'Abstraction of a netgroup. May refer to other
+ netgroups'
+ MUST cn
+ MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )
+olcObjectClasses: ( 1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL
+ DESC 'A generic abstraction of a NIS map'
+ MUST nisMapName
+ MAY description )
+olcObjectClasses: ( 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL
+ DESC 'An entry in a NIS map'
+ MUST ( cn $ nisMapEntry $ nisMapName ) )
+olcObjectClasses: ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY
+ DESC 'A device with a MAC address; device SHOULD be
+ used as a structural class'
+ MAY macAddress )
+olcObjectClasses: ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY
+ DESC 'A device with boot parameters; device SHOULD be
+ used as a structural class'
+ MAY ( bootFile $ bootParameter ) )
+olcObjectClasses: ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY
+ DESC 'An object with a public and secret key'
+ MUST ( cn $ nisPublicKey $ nisSecretKey )
+ MAY ( uidNumber $ description ) )
+olcObjectClasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY
+ DESC 'Associates a NIS domain with a naming context'
+ MUST nisDomain )
+olcObjectClasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL
+ MUST ( automountMapName )
+ MAY description )
+olcObjectClasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL
+ DESC 'Automount information'
+ MUST ( automountKey $ automountInformation )
+ MAY description )
+olcObjectClasses: ( 1.3.6.1.1.1.2.18 NAME 'groupOfMembers' SUP top STRUCTURAL
+ DESC 'A group with members (DNs)'
+ MUST cn
+ MAY ( businessCategory $ seeAlso $ owner $ ou $ o $
+ description $ member ) )
diff --git a/files/usr/local/etc/openldap/schema/sudo.ldif.idm_server b/files/usr/local/etc/openldap/schema/sudo.ldif.idm_server
new file mode 100644
index 0000000..8948ca4
--- /dev/null
+++ b/files/usr/local/etc/openldap/schema/sudo.ldif.idm_server
@@ -0,0 +1,79 @@
+dn: cn=sudoschema,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: sudoschema
+#
+# OpenLDAP schema file for Sudo in on-line configuration (OLC) format.
+# Import using ldapadd or another suitable LDAP browser.
+# Converted to OLC format by Frederic Pasteleurs <frederic@askarel.be>
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.1
+ NAME 'sudoUser'
+ DESC 'User(s) who may run sudo'
+ EQUALITY caseExactMatch
+ SUBSTR caseExactSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.2
+ NAME 'sudoHost'
+ DESC 'Host(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.3
+ NAME 'sudoCommand'
+ DESC 'Command(s) to be executed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.4
+ NAME 'sudoRunAs'
+ DESC 'User(s) impersonated by sudo (deprecated)'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.5
+ NAME 'sudoOption'
+ DESC 'Options(s) followed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.7
+ NAME 'sudoRunAsGroup'
+ DESC 'Group(s) impersonated by sudo'
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.8
+ NAME 'sudoNotBefore'
+ DESC 'Start of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.9
+ NAME 'sudoNotAfter'
+ DESC 'End of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+#
+olcattributeTypes: ( 1.3.6.1.4.1.15953.9.1.10
+ NAME 'sudoOrder'
+ DESC 'an integer to order the sudoRole entries'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+#
+olcobjectclasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+ DESC 'Sudoer Entries'
+ MUST ( cn )
+ MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $
+ description )
+ )
diff --git a/files/usr/local/etc/openldap/slapd.ldif.idm_server b/files/usr/local/etc/openldap/slapd.ldif.idm_server
new file mode 100644
index 0000000..784c63a
--- /dev/null
+++ b/files/usr/local/etc/openldap/slapd.ldif.idm_server
@@ -0,0 +1,225 @@
+# Top-level cn=config attributes.
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcArgsFile: /var/run/openldap/slapd.args
+olcPidFile: /var/run/openldap/slapd.pid
+olcSaslHost: ${fqdn}
+olcSaslSecProps: noanonymous,minssf=56
+olcDisallows: bind_anon
+olcSecurity: ssf=56
+olcLocalSSF: 128
+olcTLSCACertificateFile: ${site_cacert_path}
+olcTLSCertificateFile: ${slapd_tls_cert}
+olcTLSCertificateKeyFile: ${slapd_tls_key}
+olcTLSVerifyClient: allow
+$(echo "$idm_server_list" | while read -r _hostname id ipv4; do
+ echo "olcServerID: ${id} ldaps://${ipv4}/"
+done)
+olcAuthzRegexp: {0}^gidNumber=[0-9]+\+uidNumber=0,cn=peercred,cn=external,cn=auth$ ${slapd_root_dn}
+olcAuthzRegexp: {1}^gidNumber=[0-9]+\+uidNumber=([^,]+),cn=peercred,cn=external,cn=auth$ ldap:///${accounts_basedn}??sub?(uidNumber=\$1)
+olcAuthzRegexp: {2}^uid=([^,]+),cn=(gssapi|plain|login),cn=auth$ ldap:///${accounts_basedn}??sub?(krbPrincipalName=\$1@${realm})
+
+# Load dynamic modules.
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulepath: /usr/local/libexec/openldap
+olcModuleload: back_mdb.la
+olcModuleload: pw-sha2.la
+olcModuleload: accesslog.la
+olcModuleload: dynlist.la
+olcModuleload: unique.la
+olcModuleload: refint.la
+
+# Frontend configuration. Individual databases can override these settings.
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcFrontendConfig
+olcDatabase: frontend
+olcPasswordHash: {SSHA512}
+olcSizeLimit: ${slapd_result_size_limit}
+olcRequires: authc
+olcAccess: {0}to dn.base="" by * read
+olcAccess: {1}to dn.base="cn=Subschema" by * read
+olcAccess: {2}to *
+ by users read
+ by anonymous auth
+
+# Load schemas.
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file://${slapd_conf_dir}/schema/core.ldif
+include: file://${slapd_conf_dir}/schema/cosine.ldif
+include: file://${slapd_conf_dir}/schema/inetorgperson.ldif
+include: file://${slapd_conf_dir}/schema/dyngroup.ldif
+include: file://${slapd_conf_dir}/schema/rfc2307bis.ldif
+include: file://${slapd_conf_dir}/schema/kerberos.ldif
+include: file://${slapd_conf_dir}/schema/openssh-lpk.ldif
+include: file://${slapd_conf_dir}/schema/sudo.ldif
+include: file://${slapd_conf_dir}/schema/dnsdomain2.ldif
+include: file://${slapd_conf_dir}/schema/mailservice.ldif
+
+# cn=config database configuration.
+dn: olcDatabase={0}config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcRootDN: ${slapd_root_dn}
+
+# Default database configuration.
+dn: olcDatabase={1}mdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcMdbConfig
+olcDatabase: mdb
+olcDbMaxSize: ${slapd_db_max_size}
+olcSuffix: ${basedn}
+olcRootDN: ${slapd_root_dn}
+olcDbDirectory: ${slapd_data_dir}
+$(echo "$idm_server_list" | while read -r _hostname id ipv4; do
+echo "olcSyncrepl: rid=00${id}
+ provider=ldaps://${ipv4}/
+ searchbase=${basedn}
+ bindmethod=sasl
+ saslmech=external
+ tls_cert=${slapd_replicator_tls_cert}
+ tls_key=${slapd_replicator_tls_key}
+ tls_cacert=${site_cacert_path}
+ tls_reqcert=demand
+ type=refreshAndPersist
+ retry=\"5 5 60 +\"
+ logfilter=\"(&(objectClass=auditWriteObject)(reqResult=0))\"
+ timeout=5
+ logbase=cn=accesslog
+ syncdata=accesslog"
+done)
+olcMultiProvider: TRUE
+olcDbIndex: objectClass eq
+olcDbIndex: cn,uid,uidNumber,gidNumber,member,memberUid,mail,mailAddress,mailAlternateAddress,mailPrivateAddress,mailContactAddress eq
+olcDbIndex: sudoUser eq
+olcDbIndex: automountMapName eq
+olcDbIndex: krbPrincipalName eq,pres
+olcDbIndex: entryCSN,entryUUID eq
+olcDbIndex: associatedDomain pres,eq,sub
+olcDbIndex: description pres,eq,sub
+olcLimits: {0}dn.exact=${slapd_replicator_dn}
+ time.soft=unlimited
+ time.hard=unlimited
+ size.soft=unlimited
+ size.hard=unlimited
+olcLimits: {1}*
+ size.soft=${slapd_result_size_limit}
+ size.hard=${slapd_result_size_limit}
+ size.pr=${slapd_result_size_limit}
+ size.prtotal=unlimited
+olcAccess: {0}to dn.base=""
+ by * read
+olcAccess: {1}to dn.base="cn=Subschema"
+ by * read
+olcAccess: {3}to *
+ by dn.exact=${slapd_replicator_dn} read
+ by dn.exact=uid=${idm_admin_username},${robots_basedn} manage
+ by group/groupOfMembers/member=cn=${idm_admin_groupname},${groups_basedn} manage
+ by * break
+olcAccess: {4}to dn.subtree=${sudo_basedn}
+ by dn.children=${hosts_basedn} read
+ by * none
+olcAccess: {5}to dn.subtree=${kdc_basedn}
+ by * none
+olcAccess: {6}to attrs=userPassword
+ by self write
+ by anonymous auth
+ by * none
+olcAccess: {7}to attrs=shadowLastChange,sshPublicKey
+ by self write
+ by * read
+olcAccess: {8}to attrs=krbPrincipalKey
+ by * none
+olcAccess: {9}to *
+ by * read
+
+# Accesslog database (for syncprov).
+dn: olcDatabase={2}mdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcMdbConfig
+olcDatabase: mdb
+olcDbDirectory: ${slapd_data_dir}/accesslog
+olcSuffix: cn=accesslog
+olcRootDN: ${slapd_root_dn}
+olcDbMaxSize: ${slapd_accesslog_db_max_size}
+olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart,reqDN eq
+olcAccess: {0}to *
+ by dn.exact=${slapd_replicator_dn} read
+ by * break
+olcLimits: {0}dn.exact=${slapd_replicator_dn}
+ time.soft=unlimited
+ time.hard=unlimited
+ size.soft=unlimited
+ size.hard=unlimited
+
+# Monitoring database.
+dn: olcDatabase={3}monitor,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: monitor
+olcRootDN: ${slapd_root_dn}
+olcMonitoring: FALSE
+
+# Syncprov overlay.
+dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcSyncProvConfig
+olcOverlay: syncprov
+olcSpCheckpoint: ${slapd_syncrepl_checkpoint_ops} ${slapd_syncrepl_checkpoint_minutes}
+olcSpSessionLog: ${slapd_syncrepl_session_log}
+
+# Accesslog overlay (for syncrepl).
+dn: olcOverlay={1}accesslog,olcDatabase={1}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcAccessLogConfig
+olcOverlay: accesslog
+olcAccessLogDB: cn=accesslog
+olcAccessLogOps: writes
+olcAccessLogSuccess: TRUE
+olcAccessLogPurge: ${slapd_syncrepl_cleanup_age}+00:00 ${slapd_syncrepl_cleanup_interval}+00:00
+
+# Dynlist overlay.
+dn: olcOverlay={2}dynlist,olcDatabase={1}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcDynamicList
+olcOverlay: dynlist
+olcDynListAttrSet: {0}groupOfURLs memberURL member+memberOf@groupOfMembers*
+olcDynListAttrSet: {1}labeledURIObject labeledURI uniqueMember+seeAlso@groupOfUniqueNames
+
+# Unique overlay.
+dn: olcOverlay={3}unique,olcDatabase={1}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcUniqueConfig
+olcOverlay: unique
+olcUniqueURI: ldap:///${accounts_basedn}?uid?sub
+olcUniqueURI: ldap:///${accounts_basedn}?uidNumber?sub
+olcUniqueURI: ldap:///${accounts_basedn}?krbPrincipalName?sub
+olcUniqueURI: ldap:///${accounts_basedn}?mail?sub
+olcUniqueURI: ldap:///${accounts_basedn}?mailAddress,mailAlternateAddress,mailPrivateAddress,mailContactAddress?sub
+olcUniqueURI: ldap:///${groups_basedn}?cn?sub
+olcUniqueURI: ldap:///${groups_basedn}?gidNumber?sub
+olcUniqueURI: ldap:///${hosts_basedn}?cn,dc?sub
+olcUniqueURI: ldap:///${services_basedn}?cn?sub
+olcUniqueURI: ldap:///${sudo_basedn}?cn?sub
+olcUniqueURI: ldap:///${dns_basedn}?associatedDomain?sub
+
+# Refint overlay.
+dn: olcOverlay={4}refint,olcDatabase={1}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcRefintConfig
+olcOverlay: refint
+olcRefintAttribute: member
+olcRefintNothing: cn=config
+
+# Syncprov overlay for accesslog db.
+dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcSyncProvConfig
+olcOverlay: syncprov
+olcSpNoPresent: TRUE
+olcSpReloadHint: TRUE
diff --git a/files/usr/local/etc/pdns/pdns.conf.idm_server b/files/usr/local/etc/pdns/pdns.conf.idm_server
new file mode 100644
index 0000000..fc63bd6
--- /dev/null
+++ b/files/usr/local/etc/pdns/pdns.conf.idm_server
@@ -0,0 +1,29 @@
+# With SASL_MECH=EXTERNAL set in system ldap.conf, PowerDNS can be fooled
+# into performing an EXTERNAL (Unix peercred) bind over the ldapi:/// domain
+# socket.
+#
+# You must set ldap-bindmethod=gssapi (?!) for this to work. This behavior doesn't
+# seem to be documented anywhere, but hey, it's nice!
+ldap-host=ldapi:///
+ldap-bindmethod=gssapi
+
+ldap-basedn=${dns_basedn}
+ldap-reconnect-attempts=2147483647
+ldap-method=simple
+
+launch=ldap
+
+local-address=127.0.0.1,::1
+local-port=${pdns_port}
+distributor-threads=${pdns_distributor_threads}
+receiver-threads=${pdns_receiver_threads}
+reuseport=yes
+
+allow-axfr-ips=${pdns_allow_axfr_ips}
+
+cache-ttl=${pdns_cache_ttl}
+query-cache-ttl=${pdns_query_cache_ttl}
+negquery-cache-ttl=${pdns_negquery_cache_ttl}
+zone-cache-refresh-interval=0
+
+security-poll-suffix=
diff --git a/files/usr/local/etc/pkg/repos/onprem.conf.freebsd b/files/usr/local/etc/pkg/repos/onprem.conf.freebsd
new file mode 100644
index 0000000..953ae20
--- /dev/null
+++ b/files/usr/local/etc/pkg/repos/onprem.conf.freebsd
@@ -0,0 +1,6 @@
+${site}: {
+ enabled: yes,
+ url: "http://${pkg_host}/\${ABI}/latest",
+ signature_type: "pubkey",
+ pubkey: "/usr/local/etc/ssl/repo.crt"
+}
diff --git a/files/usr/local/etc/pkg/repos/onprem.conf.idm_server b/files/usr/local/etc/pkg/repos/onprem.conf.idm_server
new file mode 100644
index 0000000..5ffad74
--- /dev/null
+++ b/files/usr/local/etc/pkg/repos/onprem.conf.idm_server
@@ -0,0 +1,9 @@
+# The "-idm" set is a special poudriere build for the IDM servers that builds
+# openldap26-server with GSSAPI_BASE. This workaround is necessary to avoid a
+# circular dependency with krb5 and cyrus-sasl2-gssapi.
+${site}: {
+ enabled: yes,
+ url: "http://${pkg_host}/\${ABI}/latest-idm",
+ signature_type: "pubkey",
+ pubkey: "/usr/local/etc/ssl/repo.crt"
+}
diff --git a/files/usr/local/etc/poudriere.d/idm-make.conf.pkg_repository b/files/usr/local/etc/poudriere.d/idm-make.conf.pkg_repository
new file mode 100644
index 0000000..1d5ce20
--- /dev/null
+++ b/files/usr/local/etc/poudriere.d/idm-make.conf.pkg_repository
@@ -0,0 +1,34 @@
+CFLAGS=-O2 -pipe
+DISABLE_LICENSES=yes
+DEFAULT_VERSIONS+=${poudriere_default_versions:-}
+MAKE_JOBS_NUMBER=${poudriere_make_jobs_number}
+
+# Global port options
+OPTIONS_UNSET=TEST DEBUG GSSAPI_HEIMDAL GSSAPI_BASE GSSAPI_NONE HEIMDAL NLS DOCS AVAHI LIBWRAP MYSQL MSQLND ODBC READLINE PULSEAUDIO UPNP BASH ZSH INFO ALSA SAMBA WAYLAND PLATFORM_WAYLAND PIPEWIRE
+OPTIONS_SET=GSSAPI GSSAPI_MIT NONFREE LIBEDIT
+
+# Per-port options
+dns_powerdns_SET=OPENLDAP
+dns_powerdns_UNSET=PGSQL SQLITE3
+dns_unbound_SET=TFOCL TFOSE
+dns_unbound_UNSET=DOH
+editors_vim_SET=CTAGS_EXUBERANT XTERM_SAVE
+editors_vim_UNSET=CTAGS_BASE
+net_openldap26-server_SET=DEBUG
+net_openldap26-server_UNSET=SMBPWD
+security_cyrus-sasl2-saslauthd_UNSET=BDB1
+security_krb5_SET=DNS_FOR_REALM LDAP
+security_krb5_UNSET=KRB5_HTML KRB5_PDF
+security_sudo_SET=LDAP
+security_sudo_UNSET=GSSAPI_MIT
+shells_bash_UNSET=PORTS_READLINE
+sysutils_htop_SET=LSOF
+sysutils_rsyslog8_SET=GSSAPI RELP OPENSSL
+sysutils_rsyslog8_UNSET=GCRYPT
+www_nginx_SET=HTTPV3 HTTPV3_QTLS HTTP_AUTH_KRB5 HTTP_AUTH_LDAP
+www_nginx_UNSET=MAIL
+
+# We must use base kerberos to build cyrus to avoid a circular dependency with
+# MIT kerberos and LDAP.
+security_cyrus-sasl2-gssapi_SET=GSSAPI_BASE
+security_cyrus-sasl2-gssapi_UNSET=GSSAPI_MIT
diff --git a/files/usr/local/etc/poudriere.d/idm-pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/idm-pkglist.pkg_repository
new file mode 100644
index 0000000..86c102e
--- /dev/null
+++ b/files/usr/local/etc/poudriere.d/idm-pkglist.pkg_repository
@@ -0,0 +1,24 @@
+devel/git@lite
+dns/bind-tools
+dns/powerdns
+dns/unbound
+editors/vim@console
+lang/python
+net/nss-pam-ldapd-sasl
+net/openldap26-client
+net/openldap26-server
+net/p5-perl-ldap
+net/py-python-ldap
+net/rsync
+security/cyrus-sasl2-saslauthd
+security/krb5
+security/pam_krb5@mit
+security/pam_mkhomedir
+security/sudo
+sysutils/htop
+sysutils/lsof
+sysutils/p5-Sys-Syslog
+sysutils/pwgen
+sysutils/tmux
+sysutils/tree
+www/nginx
diff --git a/files/usr/local/etc/sudoers.d/networkmgr.roadwarrior_laptop b/files/usr/local/etc/sudoers.d/networkmgr.roadwarrior_laptop
new file mode 100644
index 0000000..04284c5
--- /dev/null
+++ b/files/usr/local/etc/sudoers.d/networkmgr.roadwarrior_laptop
@@ -0,0 +1 @@
+%operator ALL=NOPASSWD: /usr/local/bin/networkmgr
diff --git a/files/usr/local/etc/sudoers.roadwarrior_laptop b/files/usr/local/etc/sudoers.roadwarrior_laptop
new file mode 100644
index 0000000..0c1a78c
--- /dev/null
+++ b/files/usr/local/etc/sudoers.roadwarrior_laptop
@@ -0,0 +1,4 @@
+root ALL=(ALL:ALL) ALL
+%wheel ALL=(ALL:ALL) ALL
+
+@includedir /usr/local/etc/sudoers.d
--
cgit v1.2.3