Schema for the DCE Security Registry Server


Version 1. Date: 10/20/00. For questions or comments concerning this document, send an email note to dce-ldap@opengroup.org or call Donna Skibbie at 512 838-3896.

Contents

1. Introduction...3
2. Overview...4
3. Configuration of the Core Schema...5
3.1 Configuring the Realm Portion of the Schema...5
3.1.1 Creating a Realm Schema...5
3.1.2 Adding Realm Extensions to a Kerberos Schema...6
3.2 Configuring the Principal and Organization Portions of the Schema...6
3.2.1 Creating a Principal and Organization Schema...6
3.2.2 Adding Principal and Organization Extensions to a Kerberos Schema...7
3.3 Configuring the Group Portion of the Schema...8
3.3.1 Configuring an Existing Entry to Represent a Group...8
3.3.2 Configuring a New Entry to Represent a Group...9
3.3.3 Configuring a New Entry to Represent a Group Alias...9
3.3.4 Configuring a New Entry to Represent a Temporary Group With No Members...10
3.4 Configuring UNIX Information about Principals and Groups...10
3.5 Configuring Unique Identifiers...11
3.5.1 Default Method...11
3.5.2 Security Mapping Method...12
3.6 Configuring UUID Information in Principal Entries...13
3.7 Configuring UUID Information in Organization Entries...13
4. Configuration of Legacy Extensions to the Core Schema...14
4.1 Directories...15
4.2 ACLs...16
4.3 Replists...16
4.4 Database Sequential IDs...16
4.5 User-Defined Extended Attributes...16
5. Security Considerations...18
5.1 ACL Protection...18
5.2 Data Privacy Protection...18
5.3 Protection During Transmission...18
6. Definitions of Attributes and Object Classes...19
6.1 Attribute Types...19
6.1.1 New Attribute Types Defined in This Schema...19
6.1.2 Attribute Types Defined in the Netscape Schema...29
6.1.3 Attribute Types Defined in the Tivoli/IBM Schema...29
6.2 Object Classes...30
6.2.1 New Object Classes Defined in This Schema...30
6.2.2 Object Classes Defined in the Tivoli/IBM Schema...34
7. Mappings...35
7.1 Mappings Ordered by Proposed LDAP Objects and Attributes...38
7.2 Mappings Ordered by DCE Objects and Attributes...59

1. Introduction

This document defines a schema for storing all attributes that the DCE security server currently stores in its database. This includes attributes defining the following objects:

- the realm at large and the policy for the realm
- principals
- groups
- organizations
- directories
- extended attributes (ERAs)
- extended attribute definitions (XATTRs)
- access control lists (ACLs)
- replication lists

The schema extends the Kerberos schema, and this document makes many references to the Kerberos schema. For information about the Kerberos schema, refer to the following document: "Schema for the Kerberos Version 5 KDC Server, Document Version 7."

2. Overview

The schema is designed to meet four objectives. The first objective is to extend the Kerberos schema described in the "Introduction" of this document. This makes it possible for Kerberos to use an existing DCE configuration and for DCE to use an existing Kerberos configuration. The second objective is to use attributes defined by standards organizations where possible and to provide a way of associating DCE attributes with externally configured attributes. This makes it possible for DCE to share common security attributes, such as group memberships, with non-DCE applications. The third objective is to provide a way of protecting keys and other sensitive information. The fourth objective is not to change any existing DCE interfaces.

The following figure illustrates the core schema. The core schema contains all attributes in the DCE database except for those that DCE uses to manage its database. A section later in this document provides information on legacy extensions that can be added to the core schema for users who need all attributes defined in the DCE schema.

[Figure: the core schema. The realm entry (any entry starting a subtree with DCE/Kerberos principals) carries DCERealm (includes KrbRealmExt), DCEPolicy (includes the Kerberos policy class), UniqueID and KrbMstrKey; the actual master key can be stored in any location, such as a file. Any entry representing a user carries DCEPrincipal (includes KrbPrincipal), Unix, DCEPolicy, UniqueID and KrbKey. Under any entry starting a subtree with groups, an entry representing a group carries DCEGroup and UniqueID. Under any entry starting a subtree with organizations, an entry representing a policy carries DCEOrg (includes DCEPolicy and the Kerberos policy class) and UniqueID. Any entry representing a UNIX account carries Unix. Legend: Kerberos object class; DCE/Kerberos object class; DCE object class; any object class; DIT (directory information tree) connector; required forward pointer; optional forward pointer; optional DIT connector. The UniqueID entries shown are security mapping entries, which users need to configure if using the alternate method for configuring unique identifier information.]

3. Configuration of the Core Schema

This section provides a high-level description of the tasks that need to be performed to configure the core schema. A section later in this document describes how to configure legacy extensions to the core schema. The description in this section assumes the administrator is using standard LDAP Version 3 interfaces to do the configuration tasks unless noted to the contrary. In practice, a tool could be provided to the administrator that would automate many of the configuration tasks.

3.1 Configuring the Realm Portion of the Schema

The realm portion of the DCE schema is the realm portion of the Kerberos schema with DCE extensions. Therefore, an administrator can configure the realm portion of the schema so that it can be used by both an implementation of DCE that supports the DCE schema and an implementation of Kerberos that supports the Kerberos schema. In addition, if the Kerberos schema already is configured, the administrator can use the existing schema to define a DCE realm simply by adding DCE extensions to the schema.

3.1.1 Creating a Realm Schema

The administrator can configure the realm portion of the DCE schema in a similar way that the administrator would configure the realm portion of the Kerberos schema. Refer to the Kerberos document, which is referenced in the "Introduction" of this document. The following are the differences:

- Add the DCERealm rather than the KrbRealmExt auxiliary object class and attributes to the entry representing the realm. DCERealm is a subclass of KrbRealm, so DCERealm contains all the KrbRealm attributes.
- Add the DCEPolicy rather than the Kerberos policy auxiliary object class and attributes to the entry representing the realm or a referenced policy entry. DCEPolicy is a subclass of the Kerberos policy class, so DCEPolicy contains all of its attributes.

The DCERealm auxiliary object class contains two attributes that are for configuring organizations and groups. These two attributes are:

- dceorgsubtree: this attribute lists the DN of each entry under which DCE will search for organization entries.
- dcegroupsubtree: this attribute lists the DN of each entry under which DCE will search for group entries.

The following figure is an example. In this example, all DCE principals, organizations, and groups must reside under the cn=users, ou=austin subtree.

[Figure: containers DN: ou=austin and DN: cn=users, ou=austin, with the realm entry below.]

realm entry
  DN: krbrealmname=payroll, ou=austin
  objectclass: KrbRealm
  krbrealmname: Payroll
  objectclass: DCERealm
  SubTree: cn=users, ou=austin
  dceorgsubtree: cn=users, ou=austin
  dcegroupsubtree: cn=users, ou=austin

3.1.2 Adding Realm Extensions to a Kerberos Schema

The administrator can add DCE realm information to an existing Kerberos schema by doing the following:

- Add the DCERealm auxiliary object class and attributes to the entry representing the realm.
- Add the DCEPolicy auxiliary object class and attributes to the entry in which the Kerberos policy auxiliary object class and attributes are configured.
- Configure the dceorgsubtree and dcegroupsubtree attributes as previously described.

3.2 Configuring the Principal and Organization Portions of the Schema

The principal and organization portions of the DCE schema contain all information that is in the principal portion of the Kerberos schema and extend this schema with DCE information. Therefore, an administrator can configure the principal and organization portion of the schema so that it can be used by both an implementation of DCE that supports the DCE schema and an implementation of Kerberos that supports the Kerberos schema. In addition, if the Kerberos schema already is configured, the administrator can use this same schema to define DCE principals and organizations simply by adding DCE extensions to the schema.

The administrator needs to note that the DCE schema supports a more flexible model for configuring policy attributes for a principal than the model supported by the legacy DCE database. The administrator can configure policy attributes for the principal in the principal entry, in a referenced policy entry (which can be configured as an organization), or in a combination of both entries. If the same policy attribute is configured in both entries, DCE uses the policy attribute in the referenced entry. The added flexibility for configuring policy attributes makes it easier for the administrator to configure DCE principals to share policy attributes with non-DCE applications.

3.2.1 Creating a Principal and Organization Schema

The administrator can configure the principal and organization portion of the DCE schema in a similar way that the administrator would configure the principal portion of the Kerberos schema. Refer to the Kerberos document referenced in the "Introduction" of this document. The differences are as follows:

- Add the DCEPrincipal rather than the KrbPrincipal auxiliary object class and attributes to each entry representing a DCE principal. DCEPrincipal is a subclass of KrbPrincipal, so DCEPrincipal contains all KrbPrincipal attributes.

- If configuring policy attributes in a principal entry, add the DCEPolicy rather than the Kerberos policy auxiliary class and attributes to the entry representing the principal. As stated previously, DCEPolicy is a subclass of the Kerberos policy class, so DCEPolicy contains all of its attributes.
- If configuring policy attributes in a referenced policy entry, configure the referenced policy entry as an organization by doing the following:
  1. Be sure the dceorgsubtree attribute of the realm entry lists a DN of an entry under which the referenced policy entry resides.
  2. Choose a name for an organization that is unique within the realm. To determine if a name is unique, search each DN listed in the dceorgsubtree attribute of the realm entry for a dceorgname attribute that matches the chosen name. If no match is found, the name is unique.
  3. Add the DCEOrg rather than the Kerberos policy auxiliary class and attributes to the referenced policy entry and configure the name of the organization in the dceorgname attribute. DCEOrg is a subclass of DCEPolicy, so DCEOrg contains all the DCEPolicy and Kerberos policy attributes.

In the following example, the Mary Smith entry is configured as a DCE principal named marys@payroll. The principal entry references a policy entry, which is configured as a DCE organization named mgrsorg@payroll. Both the principal entry and the organization entry reside under a subtree listed in the realm entry.

[Figure: containers DN: ou=austin and DN: cn=users, ou=austin, with the following entries below.]

realm entry
  DN: krbrealmname=payroll, ou=austin
  objectclass: KrbRealm
  objectclass: DCERealm
  Subtree: cn=users, ou=austin
  dceorgsubtree: ou=austin

organization entry
  DN: cn=mgrs, ou=austin
  objectclass: passwordpolicy
  objectclass: <Kerberos policy class> <Kerberos policy attributes>
  objectclass: DCEOrg
  dceorgname: mgrsorg@payroll
  <DCE and policy attributes>

principal entry
  DN: cn=mary Smith, ou=users, ou=austin
  objectclass: Person
  objectclass: KrbPrincipal
  krbprincipalname: marys@payroll
  policyobject: cn=mgrs, ou=austin
  objectclass: DCEPrincipal
  <DCE attributes>

3.2.2 Adding Principal and Organization Extensions to a Kerberos Schema

The administrator can add DCE principal and organization information to an existing Kerberos schema by doing the following:

- Add the DCEPrincipal auxiliary object class and its attributes to each entry representing a Kerberos principal that also needs to be configured as a DCE principal.
- If configuring policy attributes in a principal entry, add the DCEPolicy auxiliary object class and its attributes to the principal entry.

- If configuring policy attributes in a referenced policy entry (referenced with the policyobject attribute of the principal entry), configure the referenced policy entry as an organization by doing the following:
  1. Be sure the dceorgsubtree attribute of the realm entry lists a DN of an entry under which the referenced policy entry resides.
  2. Choose a name for an organization that is unique within the realm. To determine if a name is unique, search each DN listed in the dceorgsubtree attribute of the realm entry for a dceorgname attribute that matches the chosen name. If no match is found, the name is unique.
  3. Add the DCEOrg to the referenced policy entry and configure the name of the organization in the dceorgname attribute.

3.3 Configuring the Group Portion of the Schema

The administrator can configure groups using any combination of the following methods:

- Configure an existing entry to represent a group
- Configure a new entry to represent a group
- Configure a new entry to represent an alias group
- Configure a new entry to represent a temporary group with no members

3.3.1 Configuring an Existing Entry to Represent a Group

To configure an existing entry to represent a group, the administrator must do the following:

1. Be sure the dcegroupsubtree attribute of the realm entry lists a DN of the existing group entry.
2. Choose a name for a group that is unique within the realm using the method previously described.
3. Add the DCEGroup auxiliary object class and attributes to the existing group entry and configure the name of the group in the dcegroupname attribute.

In the following example, Mary Smith is a member of a mgrs group. Mary Smith is configured as a DCE principal named marys@payroll, and the mgrs group is configured as a DCE group named mgrsgroup@payroll. Therefore, the principal marys@payroll is a member of the group mgrsgroup@payroll. Also note that both the principal and the group reside under subtrees listed in the realm entry.

[Figure: containers DN: ou=austin and DN: cn=users, ou=austin, with the following entries below.]

realm entry
  DN: krbrealmname=payroll, ou=austin
  objectclass: KrbRealm
  objectclass: DCERealm
  Subtree: cn=users, ou=austin
  dcegroupsubtree: ou=austin

group entry
  DN: cn=mgrs, ou=austin
  objectclass: groupofnames
  membership: cn=mary Smith, ou=users, ou=austin
  objectclass: DCEGroup
  dcegroupname: mgrsgroup@payroll
  <DCE attributes>

principal entry
  DN: cn=mary Smith, ou=users, ou=austin
  objectclass: Person
  objectclass: KrbPrincipal
  krbprincipalname: marys@payroll
  policyobject: cn=mgrs, ou=austin
  objectclass: DCEPrincipal
  <DCE attributes>

3.3.2 Configuring a New Entry to Represent a Group

To configure a new entry to represent a group, the administrator must do the following:

1. Be sure the dcegroupsubtree attribute of the realm entry lists a DN of an entry under which the group entry will reside.
2. Create an entry to represent the group using a structural object class with a membership attribute. Examples are GroupOfNames and GroupOfUniqueNames. Configure the membership attribute with the DN of each entry representing a principal that is a part of this group.
3. Choose a name for a group that is unique within the realm. To determine if a name is unique, search each DN listed in the dcegroupsubtree attribute of the realm entry for a dcegroupname attribute that matches the chosen name. If no match is found, the name is unique.
4. Add the DCEGroup auxiliary object class and attributes to the group entry, and configure the name of the group in the dcegroupname attribute.

3.3.3 Configuring a New Entry to Represent a Group Alias

To configure a group alias, the administrator needs to do the following:

1. Be sure the dcegroupsubtree attribute of the realm entry lists a DN of an entry under which the group alias entry will reside.
2. Create an entry to represent the group alias using any structural object class, such as the container object class.
3. Choose a name for the group alias that is unique within the realm. To determine if a name is unique, search each DN listed in the dcegroupsubtree attribute of the realm entry for a dcegroupname attribute that matches the chosen name. If no match is found, the name is unique.
4. Add the DCEGroup and KrbAlias auxiliary object classes and attributes to the group entry. Configure the name of the group in the dcegroupname attribute, and configure the DN of the referenced group entry in the krbaliasedobjectname attribute.

3.3.4 Configuring a New Entry to Represent a Temporary Group With No Members

If the administrator needs to support interfaces that allow a group to be created before adding any members to the group, the administrator will need to create a temporary group with no members. This is necessary because the structural object classes for creating an actual group (such as GroupOfNames) require a membership attribute. To create an entry representing a temporary group with no members, the administrator must do the following:

1. Be sure the dcegroupsubtree attribute of the realm entry lists a DN of an entry under which the temporary group with no members will reside.
2. Using any structural object class (such as container), create an entry to represent the temporary group with no members.
3. Choose a name for a group that is unique within the realm. To determine if a name is unique, search each DN listed in the dcegroupsubtree attribute of the realm entry for a dcegroupname attribute that matches the chosen name. If no match is found, the name is unique.
4. Add the DCEGroup auxiliary object class and attributes to the entry representing the temporary group with no members, and configure the name of the group in the dcegroupname attribute.

When the administrator needs to add the first member to the group, the administrator can create an entry representing the actual group, move the attributes from the entry representing the temporary group with no members to the entry representing the actual group, and then delete the entry representing the temporary group with no members.

3.4 Configuring UNIX Information about Principals and Groups

If the administrator wants to configure UNIX information about a principal or group, the administrator must either add the UNIX auxiliary object class and attributes to the principal or group entry, or configure the dceunixobject attribute of the principal or group entry to reference another entry in which the UNIX information is configured. The following is an example in which the dceunixobject attribute references an entry with UNIX information.

principal entry
  DN: cn=mary Smith, ou=users, ou=austin
  objectclass: Person
  objectclass: KrbPrincipal
  krbprincipalname: marys@payroll
  policyobject: cn=mgrs, ou=austin
  objectclass: DCEPrincipal
  dceunixobject: cn=myunixacct, ou=austin
  <DCE attributes>

UNIX entry
  DN: cn=myunixacct, ou=austin
  <unix attributes>

3.5 Configuring Unique Identifiers

The administrator can configure unique identifier information using either of the following methods:

- Default method
- Security mapping method

The default method is the simplest to implement and offers the best performance. To use this method, the LDAP server must implement the system-controlled creatorsname attribute as it is defined in IETF RFC 2252 and implemented in the reference platform of the LDAP Version 3 protocol. This means the LDAP server must add a creatorsname attribute to each entry that is created in LDAP and allow users to read but not modify the value stored in this attribute.

The security mapping method is used by current implementations of Tivoli/IBM Policy Director and does not require the use of the creatorsname attribute. If an administrator needs to configure DCE to share unique identifier information with Tivoli/IBM Policy Director, or if the administrator is using an LDAP server that does not implement the creatorsname attribute as it is defined in IETF RFC 2252 and implemented in the reference platform of the LDAP Version 3 protocol, the administrator must use the security mapping method.

The administrator configures which method the realm will use by adding a dceuniqueidcfg attribute to the realm entry with a value of either DEFAULT or SECMAP. If the realm entry does not contain the dceuniqueidcfg attribute, DCE will use the default method.

3.5.1 Default Method

Using the default method, a trusted administration tool (an identity listed in the trustedadmtool attribute of the realm entry) creates a UniqueID entry under each entry representing an object for which the unique identifier information is being configured. The trusted administrator creates the UniqueID entry using a DN of "cn=uniqueid" or "cn=diruniqueid" and a structural object class of UniqueID, then configures the UniqueID attributes. A DN of "cn=uniqueid" represents a UniqueID entry for any object except for a directory. A DN of "cn=diruniqueid" represents a UniqueID entry for a directory.

The UniqueID attributes are cn, which must contain the value "UniqueID" or "DirUniqueID"; secuuid, which must contain a UUID; and unixid, which can optionally contain a UNIX ID. If a user supplies a value for secuuid or unixid, the trusted administration tool must verify that this value is unique. If a user does not specify a value for secuuid or unixid, the trusted administration tool must generate this value. The following figure is an example:

principal entry
  DN: cn=mary Smith, ou=users, ou=austin
  objectclass: Person
  objectclass: KrbPrincipal
  krbprincipalname: marys@payroll
  objectclass: DCEPrincipal
  <DCE attributes>

UniqueID entry
  DN: cn=uniqueid, cn=mary Smith, ou=users, ou=austin
  objectclass: UniqueID
  secuuid: xxxxxxxxxxxx
  unixid: xxxxxxxxxxxxxx
  creatorsname: ServerA   (the creator must be trusted)

When DCE requires a UUID for an object, DCE must get the UniqueID entry that was configured for the object. If the UniqueID entry does not exist, DCE must create the UniqueID entry, generating values for the secuuid and unixid attributes. DCE then must verify that the creator of the UniqueID entry is trusted. If so, DCE can get the UUID from the secuuid attribute of the UniqueID entry.

When DCE requires a UNIX ID for an object, DCE must determine whether the entry representing the object contains a dceunixobject attribute. If so, DCE must get the UNIX ID from the uid attribute of the entry referenced by the dceunixobject attribute. If not, DCE must get the UniqueID entry for the object and verify that its creator is trusted; then, get the UNIX ID from the unixid attribute of the UniqueID entry.

3.5.2 Security Mapping Method

Using the security mapping method, an administrator chooses container entries under which security mapping entries will reside for principals, groups, and other objects, and configures the DN of each container entry in the dcesecmapsubtreeprinc, dcesecmapsubtreegroup, and dcesecmapsubtreeorg attributes of the realm entry. The ACLs on the container entry must be set so that only a trusted administrator or process can insert entries under this container.

The administrator then configures a security mapping entry for each object that requires unique identifier information. To configure the security mapping entry, the administrator configures an entry with a DN of "secuuid=<UUID>" using a structural class of SecMap. The SecMap object class contains a secuuid attribute, for storing a UUID value, and a secdn attribute, for storing the DN of the entry representing the object for which the unique identifier information is configured.

If the administrator wants to configure a UNIX unique identifier, the administrator can configure this in the SecMap entry using the optional SecMapUnix auxiliary object class. The following figure is an example:

[Figure: containers DN: ou=austin, DN: cn=users, ou=austin and DN: cn=secure, with the following entries below.]

realm entry
  DN: krbrealmname=payroll, ou=austin
  objectclass: KrbRealm
  objectclass: DCERealm
  dceuniqueidcfg: SECMAP
  Subtree: cn=users, ou=austin
  dcesecmapsubtreeprinc: cn=secure

principal entry
  DN: cn=mary Smith, ou=users, ou=austin
  objectclass: Person
  objectclass: KrbPrincipal
  krbprincipalname: marys@payroll
  policyobject: cn=mgrs, ou=austin
  objectclass: DCEPrincipal
  <DCE attributes>

SecMap entry
  DN: secuuid=xxxxxx, cn=secure
  objectclass: SecMap
  secuuid: xxxxxxx
  secdn: cn=mary Smith, ou=users, ou=austin
  objectclass: SecMapUnix
  unixid: xxxxx

3.6 Configuring UUID Information in Principal Entries

To improve performance during an initial login, the administrator can configure the UUIDs of all groups and foreign groups of which the principal is a member. The administrator configures this information in the principal entry using the dcehintmembershipuuids and dcehintforeignmembershipuuids attributes. The administrator then must indicate that this configuration has been done by setting the dceishintmembershipconfigured attribute to TRUE.

Doing this will improve performance during an initial login because, during this initial login, the client principal requests the security server to return the UUIDs of all groups and foreign groups of which the principal is a member. The client principal caches this information and uses it for subsequent EPAC requests from the privilege server. When the security server receives this request from the client principal, it first must check the value of the dceishintmembershipconfigured attribute before returning the information. If dceishintmembershipconfigured equals TRUE, DCE returns the UUIDs stored in the dcehintmembershipuuids and dcehintforeignmembershipuuids attributes. If dceishintmembershipconfigured is not configured or equals FALSE, DCE must search the current realm for all the local groups of which the principal is a member and search all the realms configured in the directory for all the foreign groups of which the principal is a member; then, return to the user the UUIDs for these groups.

3.7 Configuring UUID Information in Organization Entries

To be consistent with the legacy DCE database, the schema also allows the administrator to configure the dcehintmembershipuuids and dcehintforeignmembershipuuids attributes in an organization object. However, it is not clear whether this information ever will be used.
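As an added example (not code from the schema document), the following Python models the lookups that sections 3.2 through 3.5 describe over a small in-memory directory: the name-uniqueness search over dceorgsubtree/dcegroupsubtree, and the UUID and UNIX ID resolution under both the default method and the security mapping method, including the refusal of a UniqueID entry whose creatorsname is not listed in trustedadmtool. All DNs, UUIDs, IDs and the trusted-tool identity are constructed, and the DN comparison is deliberately simplified.

```python
"""Unique-identifier checks and lookups from sections 3.2-3.5 of the schema document, run
over an in-memory directory (added example, not the document's code). DIRECTORY maps
DN -> {attribute: [values]}; all DNs, UUIDs, IDs and the trusted-tool identity are constructed."""

REALM_DN = "krbrealmname=payroll,ou=austin"            # default method (no dceuniqueidcfg)
SECMAP_REALM_DN = "krbrealmname=research,ou=austin"    # constructed realm configured with SECMAP
TOOL_DN = "cn=dceadmtool,ou=austin"                     # constructed identity listed in trustedadmtool
MARY_DN, MGRS_DN = "cn=mary smith,ou=users,ou=austin", "cn=mgrs,ou=austin"
UNIX_DN, BOB_DN = "cn=myunixacct,ou=austin", "cn=bob,ou=research,ou=austin"
UUID1, UUID2, UUID3 = (f"0a1b2c3d-0000-4000-8000-00000000000{i}" for i in (1, 2, 3))

DIRECTORY = {
    REALM_DN: {"objectclass": ["krbrealm", "dcerealm"], "trustedadmtool": [TOOL_DN],
               "dceorgsubtree": ["ou=austin"], "dcegroupsubtree": ["ou=austin"]},
    MGRS_DN: {"objectclass": ["groupofnames", "dcegroup", "dceorg"], "member": [MARY_DN],
              "dcegroupname": ["mgrsgroup@payroll"], "dceorgname": ["mgrsorg@payroll"]},
    MARY_DN: {"objectclass": ["person", "krbprincipal", "dceprincipal"],
              "krbprincipalname": ["marys@payroll"], "dceunixobject": [UNIX_DN]},
    UNIX_DN: {"objectclass": ["posixaccount"], "uid": ["5001"]},
    # UniqueID entry written by the trusted tool: its values may be used.
    "cn=uniqueid," + MARY_DN: {"objectclass": ["uniqueid"], "creatorsname": [TOOL_DN],
                               "secuuid": [UUID1], "unixid": ["5001"]},
    # UniqueID entry written by some other identity: DCE must refuse it.
    "cn=uniqueid," + MGRS_DN: {"objectclass": ["uniqueid"], "secuuid": [UUID2], "unixid": ["300"],
                               "creatorsname": ["cn=somebody,ou=users,ou=austin"]},
    SECMAP_REALM_DN: {"objectclass": ["krbrealm", "dcerealm"], "dceuniqueidcfg": ["SECMAP"],
                      "dcesecmapsubtreeprinc": ["cn=secure,ou=austin"]},
    BOB_DN: {"objectclass": ["person", "krbprincipal", "dceprincipal"]},
    f"secuuid={UUID3},cn=secure,ou=austin": {"objectclass": ["secmap", "secmapunix"],
                                             "secuuid": [UUID3], "secdn": [BOB_DN], "unixid": ["7002"]},
}


class UntrustedCreator(Exception):
    """A UniqueID entry was not written by an identity listed in trustedadmtool."""

def _rdns(dn):
    # Simplified DN handling: split on commas, ignore escaping, compare case-insensitively.
    return [p.strip().lower() for p in dn.split(",")]

def in_subtree(dn, base):
    """True if dn is base or lies below it (an LDAP subtree search includes its base)."""
    d, b = _rdns(dn), _rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b

def _uses_secmap(directory, realm_dn):
    return directory[realm_dn].get("dceuniqueidcfg", ["DEFAULT"])[0].upper() == "SECMAP"

def name_is_unique(directory, realm_dn, kind, name):
    """kind is 'org' or 'group': search each DN in the realm's dce<kind>subtree for an entry
    whose dce<kind>name equals name (3.2.1 step 2 and 3.3.2 step 3)."""
    for base in directory[realm_dn].get(f"dce{kind}subtree", []):
        for dn, attrs in directory.items():
            names = [v.lower() for v in attrs.get(f"dce{kind}name", [])]
            if in_subtree(dn, base) and name.lower() in names:
                return False
    return True

def uniqueid_entry(directory, object_dn, realm_dn, is_directory=False):
    """Default method (3.5.1): the cn=uniqueid (cn=diruniqueid for a directory) entry under
    the object, accepted only if creatorsname is a trusted administration tool. Creating a
    missing entry is the tool's job, so a missing one is only reported here."""
    entry = directory.get(("cn=diruniqueid," if is_directory else "cn=uniqueid,") + object_dn)
    if entry is None:
        raise LookupError(f"no UniqueID entry under {object_dn}")
    trusted = {t.lower() for t in directory[realm_dn].get("trustedadmtool", [])}
    creator = entry.get("creatorsname", [""])[0]
    if creator.lower() not in trusted:
        raise UntrustedCreator(f"UniqueID under {object_dn} was created by {creator!r}")
    return entry

def secmap_entry(directory, object_dn, realm_dn, kind="princ"):
    """Security mapping method (3.5.2): the SecMap entry whose secdn names the object, looked
    for only under the container(s) listed in dcesecmapsubtree<kind> of the realm entry."""
    for base in directory[realm_dn].get(f"dcesecmapsubtree{kind}", []):
        for dn, attrs in directory.items():
            if not in_subtree(dn, base) or "secmap" not in attrs.get("objectclass", []):
                continue
            if attrs.get("secdn", [""])[0].lower() == object_dn.lower():
                return attrs
    raise LookupError(f"no SecMap entry for {object_dn}")

def resolve_uuid(directory, object_dn, realm_dn, kind="princ"):
    """UUID of a DCE object, by the method the realm's dceuniqueidcfg selects."""
    if _uses_secmap(directory, realm_dn):
        return secmap_entry(directory, object_dn, realm_dn, kind)["secuuid"][0]
    return uniqueid_entry(directory, object_dn, realm_dn)["secuuid"][0]

def resolve_unix_id(directory, object_dn, realm_dn, kind="princ"):
    """UNIX ID: uid of the dceunixobject entry when present, else the unixid of the object's
    UniqueID entry (default method) or SecMapUnix entry (security mapping method)."""
    ref = directory[object_dn].get("dceunixobject")
    if ref:
        return directory[ref[0]]["uid"][0]
    if _uses_secmap(directory, realm_dn):
        return secmap_entry(directory, object_dn, realm_dn, kind)["unixid"][0]
    return uniqueid_entry(directory, object_dn, realm_dn)["unixid"][0]
```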

4. Configuration of Legacy Extensions to the Core Schema

The legacy extensions to the core schema contain definitions for the attributes that DCE uses to manage its database. If the administrator wants full support of all legacy DCE functions, the administrator must configure the legacy extensions to the core schema. The administrator should note that although the legacy extensions have to do with managing a database, the legacy extensions are understood only by DCE. For example, if a user adds attributes defining an extended attribute, this attribute can be interpreted only by means of the DCE interfaces. The following are the attributes contained in the legacy extensions:

- Attributes defining a directory
- Attributes defining an ACL
- Attributes defining a replist
- An attribute defining a database sequential ID
- Attributes defining an extended attribute

The following figure illustrates the configuration of all these attributes except for database sequential IDs.

[Figure: the core schema with legacy extensions. In addition to the core schema classes shown in the earlier figure, any entry in the principal, group, or organization subtree may carry Dir and ACL; the realm entry holds an ERA container entry (cn=xattrs) with ACL and UniqueID, under which XATTR entries reside, and a container entry (cn=replist) holding Replist entries with UniqueID and ACL. Legend as in the core schema figure.]

4.1 Directories

The legacy DCE database code allows directory objects to be configured in the principal, group, and organization databases. The directory objects are used as containers for principals, groups, organizations, and other directories. Three kinds of ACLs are supported for directory objects: a directory ACL, a default ACL for all objects created under the directory except for other directories, and a default ACL for all directory objects created under the directory.

The DCE schema supports directories through the use of the Dir auxiliary object class. The administrator can add Dir and its attributes to any entry in the principal, group, or organization subtree and, by doing so, define the entry as a directory. The administrator then can configure any or all of the three types of supported directory ACLs under this entry using the ACL object class.

When the environment is fully migrated to LDAP, the administrator no longer requires directories. This is because LDAP can use any entry as a container for other entries, and the administrator can configure any entry with propagation ACLs, which will be the default for all entries created below the entry configured as a container.

4.2 ACLs

The legacy database code supports ACLs on all objects. The schema supports ACLs through the use of the ACL structural object class. The administrator can configure one or more ACLs under each entry representing an object. When the environment is fully migrated to LDAP, the administrator can use LDAP ACLs and no longer requires support of DCE ACLs.

4.3 Replists

The legacy database code has a replist object that is configured for each server in the realm. The replist object contains information to perform replication. The schema supports the replist objects through the use of the Replist structural object class. The administrator must configure under the realm entry an entry to represent a replist container. The administrator configures this entry using a structural object class of Replist and a DN of cn=replist. Then, under the replist container, the administrator must use the Replist object class to configure replists for the security server. When the environment is fully migrated to LDAP, the administrator can use LDAP replication and no longer requires support of DCE replication.

4.4 Database Sequential IDs

The legacy database code has a database sequential ID that is configured for each object. This ID is used to associate one object, such as an ERA, with another object, such as a principal. The schema supports the sequential ID through the use of the LegacyDB auxiliary object class. The administrator must configure the LegacyDB object class to configure the dceid attribute in each entry representing an object. When the environment is fully migrated to LDAP, the sequential IDs are no longer required, because the relationship between attributes is configured as part of the schema.

4.5 User-Defined Extended Attributes

The administrator can add user-defined attribute extensions to the schema using one of two methods. The simplest method is to use the LDAP method for extending a schema. For example, the administrator could use the LDAP schema interfaces to add a telephone number attribute to an entry representing a principal. A user then could use standard LDAP interfaces to access the telephone number stored in this attribute.

The second method is to create entries containing binary representations of extended attributes and instances, called extended attributes (ERAs), of the extended attributes. The advantage of this method is that it supports legacy DCE applications that make use of extended attributes and ERAs, because users will be able to access the extended attributes and ERAs using standard DCE interfaces. The disadvantage of using this method is that non-DCE applications will not be able to interpret the contents of the extended attributes and ERAs. If the user chooses to use the second method, the user needs to do the following:

1. Use the container structural object class to configure an entry under the realm entry with the relative distinguished name (RDN) of cn=xattrs.
2. Under the cn=xattrs entry, use the XATTR structural object class to configure an entry for each user-defined extended attribute. Configure the name of the extended attribute in the dcexattrname attribute and configure a binary representation of the extended attribute definition in the dcexattrdef attribute.
3. Under each entry to which an ERA needs to be attached, use the ERA structural object class to configure the ERA. Configure the name of the ERA in the dcexattrname attribute and a binary representation of the ERA value in the dcexattrvalue attribute.
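Worked example of the three steps above, added here and not part of the schema document or of DCE: a Python script that emits the LDIF for the cn=xattrs container, one XATTR definition and one ERA attached to a principal, and checks that every ERA's dcexattrname resolves to an XATTR definition before the LDIF is applied. The realm and principal DNs, the use of dcexattrname as the RDN attribute, and the bytes placed in dcexattrdef and dcexattrvalue are constructed assumptions for this example.

```python
import base64
from dataclasses import dataclass

# Constructed sample DNs; the realm and principal DNs, and the choice of
# dcexattrname as the RDN attribute, are assumptions for this example.
REALM_DN = "cn=EXAMPLE.REALM,dc=example,dc=com"
PRINCIPAL_DN = "krbprincipalname=alice@EXAMPLE.REALM," + REALM_DN


def ldif_value(attr, value):
    """Render one LDIF attribute line; bytes become a base64 '::' line (RFC 2849)."""
    if isinstance(value, bytes):
        return "%s:: %s" % (attr, base64.b64encode(value).decode("ascii"))
    return "%s: %s" % (attr, value)


@dataclass
class Entry:
    dn: str
    objectclasses: list
    attrs: dict  # attribute name -> str or bytes

    def to_ldif(self):
        lines = ["dn: " + self.dn]
        lines += ["objectclass: " + oc for oc in self.objectclasses]
        lines += [ldif_value(k, v) for k, v in self.attrs.items()]
        return "\n".join(lines) + "\n"


def xattrs_container(realm_dn):
    """Step 1: the container entry cn=xattrs directly under the realm entry."""
    return Entry("cn=xattrs," + realm_dn, ["top", "container"], {"cn": "xattrs"})


def xattr_definition(realm_dn, name, definition):
    """Step 2: one XATTR entry per extended attribute; dcexattrdef holds the
    binary rsdb_attr_schema_entry_t (constructed bytes here, not a real one)."""
    return Entry("dcexattrname=%s,cn=xattrs,%s" % (name, realm_dn), ["top", "XATTR"],
                 {"dcexattrname": name, "dcexattrdef": definition})


def era(owner_dn, name, value):
    """Step 3: an ERA entry directly below the principal, group or organization."""
    return Entry("dcexattrname=%s,%s" % (name, owner_dn), ["top", "ERA"],
                 {"dcexattrname": name, "dcexattrvalue": value})


def check_era_references(entries):
    """Names of ERAs whose dcexattrname matches no XATTR definition.
    An ERA is only interpretable through its forward reference to an XATTR,
    so the LDIF should be applied only when this list is empty."""
    defined = {e.attrs["dcexattrname"] for e in entries if "XATTR" in e.objectclasses}
    return sorted(e.attrs["dcexattrname"] for e in entries
                  if "ERA" in e.objectclasses and e.attrs["dcexattrname"] not in defined)


def build_example():
    """Container, one XATTR definition, one well-formed ERA and one dangling ERA."""
    return [
        xattrs_container(REALM_DN),
        xattr_definition(REALM_DN, "telephone", b"\x00\x01constructed-definition"),
        era(PRINCIPAL_DN, "telephone", b"+1 555 0100"),
        era(PRINCIPAL_DN, "badge", b"\x2a"),  # no XATTR named 'badge': flagged
    ]


def render(entries):
    """Concatenate the entries into an LDIF document."""
    return "\n".join(e.to_ldif() for e in entries)


if __name__ == "__main__":
    entries = build_example()
    dangling = check_era_references(entries)
    if dangling:
        print("refusing to emit LDIF; undefined XATTR for ERA(s):", ", ".join(dangling))
    else:
        print(render(entries))
```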

5. Security Considerations

The following describes how the attributes defined in this schema are protected.

5.1 ACL Protection

All attributes in this schema must be protected through the use of ACLs. The following describes how these ACLs need to be configured.

The UniqueID entry can be created only by DCE or a trusted administration tool. DCE will ignore a UniqueID entry created by any other identity. When DCE or a trusted administration tool creates a UniqueID entry, it needs to set the ACLs on the KrbKey entry so that it can be read and deleted, but not modified.

The KrbLog and KrbKey entries can be created only by the Kerberos KDC, DCE, or a trusted administrator tool. Refer to the Kerberos document for information on how the creator of these entries needs to create these entries and the ACLs for the entries.

It is the responsibility of the administrator to configure the ACLs on the remaining entries.

5.2 Data Privacy Protection

Refer to the Kerberos document for information on how to protect the privacy of keys stored in LDAP.

5.3 Protection During Transmission

If DCE or the DCE administration tools will be separate from the LDAP server, it is the responsibility of the user to configure the security protocol for bind operations to the LDAP server. It is recommended that the user choose a security protocol, such as SSL, that offers a client/server authentication technique that is as strong or stronger than the protocol used by DCE for its operations, which is RPC with mutual authentication and data integrity. DCE and the DCE administration tools are responsible for encrypting keys before sending the keys to the LDAP server. DCE and the administration tools need to use an encryption type that is as strong or stronger than DES.
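The UniqueID rule in 5.1 (an entry created by anything other than DCE or a trusted administration tool is ignored, and the entry must sit directly below its associated object) can be audited offline. The following is an added example, not part of the schema document or of DCE; it assumes that the realm entry lists its trusted identities as DNs in the kdcservicename and trustedadmtool attributes, that the directory server records each entry's creator in the standard creatorsName operational attribute (RFC 4512), that UniqueID entries use cn=UniqueID, and all DNs in the sample are constructed.

```python
"""Audit UniqueID entries against the trust rule of section 5.1 (added example)."""

# Constructed LDIF sample; all DNs are made up for this example. creatorsName is
# the standard LDAP operational attribute that records who created an entry.
SAMPLE_LDIF = """\
dn: cn=EXAMPLE.REALM,dc=example,dc=com
objectclass: KrbRealm
objectclass: Realm
kdcservicename: cn=kdc,cn=EXAMPLE.REALM,dc=example,dc=com
trustedadmtool: cn=rgy_edit,cn=EXAMPLE.REALM,dc=example,dc=com

dn: krbprincipalname=alice@EXAMPLE.REALM,cn=EXAMPLE.REALM,dc=example,dc=com
objectclass: KrbPrincipal
objectclass: Principal

dn: cn=UniqueID,krbprincipalname=alice@EXAMPLE.REALM,cn=EXAMPLE.REALM,dc=example,dc=com
objectclass: UniqueID
creatorsName: cn=kdc,cn=EXAMPLE.REALM,dc=example,dc=com

dn: krbprincipalname=bob@EXAMPLE.REALM,cn=EXAMPLE.REALM,dc=example,dc=com
objectclass: KrbPrincipal
objectclass: Principal

dn: cn=UniqueID,krbprincipalname=bob@EXAMPLE.REALM,cn=EXAMPLE.REALM,dc=example,dc=com
objectclass: UniqueID
creatorsName: uid=mallory,dc=example,dc=com

dn: cn=UniqueID,cn=nosuchobject,cn=EXAMPLE.REALM,dc=example,dc=com
objectclass: UniqueID
creatorsName: cn=rgy_edit,cn=EXAMPLE.REALM,dc=example,dc=com
"""


def parse_ldif(text):
    """Minimal LDIF reader for the sample: one dict of attr -> [values] per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def parent_dn(dn):
    """Parent of a DN; splits on the first comma (the sample has no escaped commas)."""
    return dn.split(",", 1)[1].lower()


def trusted_identities(entries):
    """DNs allowed to create UniqueID entries: kdcservicename and trustedadmtool of the realm."""
    trusted = set()
    for e in entries:
        if "realm" in (oc.lower() for oc in e.get("objectclass", [])):
            trusted.update(v.lower() for v in e.get("kdcservicename", []))
            trusted.update(v.lower() for v in e.get("trustedadmtool", []))
    return trusted


def audit_uniqueid_entries(entries):
    """Map each UniqueID entry DN to 'trusted', or to the reason it must not be honoured."""
    trusted = trusted_identities(entries)
    known_dns = {e["dn"][0].lower() for e in entries}
    verdicts = {}
    for e in entries:
        if "uniqueid" not in (oc.lower() for oc in e.get("objectclass", [])):
            continue
        dn = e["dn"][0]
        creator = e.get("creatorsname", [""])[0].lower()
        if creator not in trusted:
            # Section 5.1: DCE ignores a UniqueID entry created by any other identity.
            verdicts[dn] = "ignored: creator %s is not a trusted identity" % (creator or "<none>")
        elif parent_dn(dn) not in known_dns:
            # A UniqueID entry must reside directly below its associated object.
            verdicts[dn] = "misplaced: no associated object directly above it"
        else:
            verdicts[dn] = "trusted"
    return verdicts


if __name__ == "__main__":
    for dn, verdict in audit_uniqueid_entries(parse_ldif(SAMPLE_LDIF)).items():
        print(verdict, "-", dn)
```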

6. Definitions of Attributes and Object Classes

This section provides a definition of the attributes and object classes that are used in this schema. Refer to the Kerberos schema document referenced in the "Introduction" of this document for information on the Kerberos attributes and object classes.

6.1 Attribute Types

6.1.1 New Attribute Types Defined in This Schema

dceacldefrealmuuid-oid NAME 'dceacldefrealmuuid'
    SYNTAX IA5String
    EQUALITY caseexactmatch
    DESC 'The UUID of the default realm for this ACL.'

dceaclentries-oid NAME 'dceaclentries'
    SYNTAX binary
    DESC 'A list of structures that define an ACL for an associated object. Each structure is binary data of type rsdb_acl_entry_t and defines an entry in the ACL.'

dceaclmgrtype-oid NAME 'dceaclmgrtype'
    SYNTAX integer
    DESC 'A value indicating the type of ACL manager that will evaluate the ACL defined in this entry. The available types are: ***** list available types ****'

dcebadoriginator

dcedefaulttktlife-oid NAME 'dcedefaulttktlife'
    SYNTAX integer
    DESC 'Default time a Kerberos TGT issued by this realm is valid.'

dcedefdiraclentries-oid NAME 'dcedefdiraclentries'
    SYNTAX binary
    DESC 'A list of structures that define the default ACL for all directories created under the associated directory. Each structure is binary data of type rsdb_acl_entry_t and defines an entry in the ACL.'

dcedefobjaclentries-oid NAME 'dcedefobjaclentries'
    SYNTAX binary
    DESC 'A list of structures that define the default ACL for all objects created under the associated directory. Each structure is binary data of type rsdb_acl_entry_t and defines an entry in the ACL.'

dcedirname-oid NAME 'dcedirname'
    SYNTAX directorystring
    EQUALITY caseexactmatch
    DESC 'The name of a directory. DCE uses this attribute only if an entry is not configured to represent a principal. If an entry is configured to represent a principal, DCE also allows the entry to represent a directory and uses the principal name, which is configured in the krbprincipalname attribute, as the name of the directory.'

dcedisabletime-oid NAME 'dcedisabletime'
    SYNTAX generalizedtime
    DESC 'The date and time the account was disabled.'

dcedomaincachestate-oid NAME 'dcedomaincachestate'
    SYNTAX ????
    DESC '????'

dcefullname

dcegoodoriginator

dcegoodsincedate-oid NAME 'dcegoodsincedate'
    SYNTAX date
    DESC 'Date when TGT was good.'

dcegroupname-oid NAME 'dcegroupname'
    SYNTAX directorystring
    EQUALITY caseignorematch
    DESC 'The name of a group.'

dcegroupsubtree-oid NAME 'dcegroupsubtree'
    SYNTAX directorystring
    EQUALITY caseignorematch
    DESC 'A list of DNs. Each DN contains the entry of a subtree under which groups for this realm reside.'

dcehintforeignmembershipuuids-oid NAME 'dcehintforeignmembershipuuids'
    SYNTAX IA5String
    EQUALITY caseexactmatch
    DESC 'A list of UUID pairs. Each UUID pair identifies a group from a foreign realm of which the principal represented by this entry is a member. The first UUID in the pair identifies the UUID of the group. The second UUID in the pair identifies the UUID of the realm.'

dcehintmembershipuuids-oid NAME 'dcehintmembershipuuids'
    SYNTAX IA5String
    EQUALITY caseexactmatch
    DESC 'A list of UUIDs. Each UUID identifies a group in the local realm of which the principal represented by this entry is a member.'

dceid

dceisrequired-oid NAME 'dceisrequired'
    SYNTAX boolean
    DESC 'A boolean value indicating whether the object represented in this entry is required. If this attribute is omitted, DCE assumes dceisrequired=false.'

dcejournalid-oid NAME 'dcejournalid'
    SYNTAX integer
    DESC 'The ID of an entry in the journal database.'

dcekeyparts-oid NAME 'dcekeyparts'
    SYNTAX integer
    DESC 'One of the following values identifying the keys to objects used to identify the associated principal: principal only (1); principal and group (2); principal, group, and organization (3). If this attribute is omitted, DCE assumes dcekeyparts=1 (principal only).'

dcelowunixidgroup-oid NAME 'dcelowunixidgroup'
    SYNTAX IA5String
    EQUALITY caseexactmatch
    DESC 'The lowest UNIX ID that this realm will assign to a group.'

dcelowunixidorg-oid NAME 'dcelowunixidorg'
    SYNTAX IA5String
    EQUALITY caseexactmatch
    DESC 'The lowest UNIX ID that this realm will assign to an organization.'

dcelowunixidperson-oid NAME 'dcelowunixidperson'
    SYNTAX IA5String
    EQUALITY caseexactmatch
    DESC 'The lowest UNIX ID that this realm will assign to a principal.'

dcemaxunixid-oid NAME 'dcemaxunixid'
    SYNTAX IA5String
    EQUALITY caseexactmatch
    DESC 'The highest UNIX ID that this realm will assign to an object.'

dcemintktlife-oid NAME 'dcemintktlife'
    SYNTAX integer

    DESC 'A value indicating the minimum time (in days?) that a Kerberos ticket issued by this realm is valid.'

dceorgname-oid NAME 'dceorgname'
    SYNTAX directorystring
    EQUALITY caseignorematch
    DESC 'Name of an organization.'

dceorgsubtree-oid NAME 'dceorgsubtree'
    SYNTAX directorystring
    EQUALITY caseignorematch
    DESC 'A list of DNs. Each DN specifies a subtree under which organizations for this realm reside.'

dcepkprivatekeystorage-oid NAME 'dcepkprivatekeystorage'
    SYNTAX integer
    DESC 'A value indicating where the private key of a principal is stored. Available values are: private key storage mechanism; private key file.'

dcepolicyflags-oid NAME 'dcepolicyflags'
    SYNTAX integer
    DESC 'A value containing one or more of the following flags: sec_rgy_acct_admin_audit, sec_rgy_acct_admin_client, sec_rgy_acct_admin_lsuse, sec_rgy_acct_admin_server.'

dcepreauthtype-oid NAME 'dcepreauthtype'
    SYNTAX integer
    DESC 'A value indicating the pre-authentication protocol for a principal. Available values are: 0=no pre-authentication; 1=timestamp or higher; 2=third party or higher; 3=public key. If a contradiction occurs between this attribute specifying that a type of pre-authentication is required (value 1, 2, or 3) and the useraccountcontrol attribute specifying that no preauthentication is required (UF_DONT_REQUIRE_PREAUTH flag), DCE will require the preauthentication specified with this attribute, since this is the more restrictive.'

dceprimarygroup-oid NAME 'dceprimarygroup'
    SYNTAX IA5String
    EQUALITY caseexactmatch
    DESC 'The UUID of the primary group of which this principal is a member.'

dceprivatekeystorage

dceprojlistok-oid NAME 'dceprojlistok'
    SYNTAX boolean
    DESC 'A boolean value indicating whether it is OK for this group to be included in the project list of a principal. If this attribute is omitted, DCE assumes dceprojlistok=false.'

dcepublickeyauthentication-oid NAME 'dcepublickeyauthentication'
    SYNTAX IA5String
    EQUALITY caseexactmatch
    DESC 'A public key that is associated with a principal and that is used by the authentication protocol to verify the signature of the principal when the principal is configured for public key pre-authentication.'

dcepublickeyencipherment-oid NAME 'dcepublickeyencipherment'
    SYNTAX IA5String
    EQUALITY caseexactmatch
    DESC 'A public key that is associated with a principal and that is used by the authentication protocol to encrypt the session key of the principal when the principal is configured for public key pre-authentication.'

dcepwdoverride-oid NAME 'dcepwdoverride'
    SYNTAX integer
    DESC 'One of the following values: 0=No password override; 1=Password override.'

dcepwdvaltype-oid NAME 'dcepwdvaltype'
    SYNTAX integer
    DESC 'One of the following values, indicating whether the password management server is to be used for this principal and, if so, how the password management server is to be used: 0=No password management server; 1=Principal supplies password to be validated by password management server; 2=Principal can either supply a password to be validated by password management server or can have password generated by password management server; 3=Password management server generates password for user.'

dcequota-oid NAME 'dcequota'
    SYNTAX integer
    DESC 'Maximum number of objects that can be added by this principal. This attribute is supported only when the DCE interfaces are used to add objects. This attribute is not supported when other interfaces, such as LDAP interfaces, are used to add objects.'

dcereadversion-oid NAME 'dcereadversion'
    SYNTAX integer
    DESC 'A value indicating the earliest version of DCE that can correctly read from this database.'

dcereadonlyrealm

dcereplicainfo-oid NAME 'dcereplicainfo'
    SYNTAX binary
    DESC 'A structure of type rs_replica_mgt_item_p_t containing information about a replication list.'

dcereplicatwrs-oid NAME 'dcereplicatwrs'
    SYNTAX IA5String
    EQUALITY caseexactmatch
    DESC 'DCE replication list towers.'

dcesecmapsubtreegroup-oid NAME 'dcesecmapsubtreegroup'
    SYNTAX DN
    DESC 'The DN of an entry representing a subtree under which SecMap entries for groups are configured.'

dcesecmapsubtreeother-oid NAME 'dcesecmapsubtreeother'
    SYNTAX DN
    DESC 'The DN of an entry representing a subtree under which SecMap entries for objects other than principals and groups are configured.'

dcesecmapsubtreeprinc-oid NAME 'dcesecmapsubtreeprinc'
    SYNTAX DN
    DESC 'The DN of an entry representing a subtree under which SecMap entries for principals are configured.'

dceshadowpwdok-oid NAME 'dceshadowpwdok'
    SYNTAX boolean
    DESC 'If true, no protected Unix passwords are transmitted remotely.'

dceunauthenticatedquota-oid NAME 'dceunauthenticatedquota'
    SYNTAX integer
    DESC 'A value indicating the quota for unauthenticated users.'

dceunboundtktsok-oid NAME 'dceunboundtktsok'
    SYNTAX boolean
    DESC 'If true, all tickets generated from this realm are usable at any client site; that is, not bound to the host from which the client requested the certificate. The tickets will contain no client addresses.'

dceuniqueidcfg-oid

    NAME 'dceuniqueidcfg'
    SYNTAX integer
    DESC 'A value indicating the configuration of UUID information. The following values are available: 1=DEFAULT, entries of type UniqueID will be used to store UUIDs; 2=SECMAP, entries of type SecMap will be used to store UUIDs.'

dceunixobject-oid NAME 'dceunixobject'
    SYNTAX directorystring
    DESC 'The DN of an entry for DCE to use in obtaining UNIX information for this principal. If a conflict occurs between an attribute configured in this principal entry and an attribute configured in the referenced entry, DCE uses the attribute configured in the referenced entry.'

dcewriteversion-oid NAME 'dcewriteversion'
    SYNTAX
    DESC 'A value indicating the earliest version of DCE that can correctly write to this database.'

dcex500dn-oid NAME 'dcex500dn'
    SYNTAX directorystring
    EQUALITY caseignorematch
    DESC

dcex500dsaadmin-oid NAME 'dcex500dsaadmin'
    SYNTAX directorystring
    EQUALITY caseignorematch
    DESC

dcexattrdef-oid NAME 'dcexattrdef'
    SYNTAX binary
    DESC 'A structure of type rsdb_attr_schema_entry_t, which defines an extended attribute.'

dcexattrname-oid NAME 'dcexattrname'
    SYNTAX directorystring
    EQUALITY caseexactmatch
    DESC 'The name of an extended attribute definition.'

dcexattrname-oid NAME 'dcexattrname'
    SYNTAX directorystring
    EQUALITY caseignorematch
    DESC 'The name of an extended attribute.'

dcexattrvalue-oid NAME 'dcexattrvalue'
    SYNTAX binary
    DESC 'The value of an extended attribute. The value is binary data of the type defined in an associated extended attribute definition.'

unixid-oid NAME 'unixid'
    SYNTAX IA5String
    EQUALITY caseexactmatch
    DESC 'The UNIX ID of the associated principal. If the entry representing the associated principal contains a dceunixobject attribute, and the entry referenced by this attribute contains a uid attribute, the UNIX ID specified in this attribute is used and the unixid attribute is ignored.'

unixpwdvalid-oid NAME 'unixpwdvalid'
    SYNTAX boolean
    DESC 'If true, the UNIX password for the associated principal is valid.'

unixpwdversion-oid NAME 'unixpwdversion'
    SYNTAX integer
    DESC 'The version of the UNIX password for the associated principal.'

6.1.2 Attribute Types Defined in the Netscape Schema

maxfailedlogins
timeexpirelockout

6.1.3 Attribute Types Defined in the Tivoli/IBM Schema

1.3.6.1.4.1.4228..4 NAME 'secacctlife' DESC ' ' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
1.3.6.1.4.1.4228..5 NAME 'secpwdalpha' DESC ' ' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
1.3.6.1.4.1.4228.. NAME 'secpwdmgmtbind' DESC ' ' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 EQUALITY caseignoreia5match
1.3.6.1.4.1.4228..6 NAME 'secpwdspaces' DESC ' ' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
1.3.6.1.4.1.4228..9 NAME 'secdn' DESC 'DN of an eperson or accessgroup' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
1.3.6.1.4.1.4228.. NAME 'secuuid' DESC 'IntraVerse universally unique ID, string as per E.G. 2495d90-be07-d-82ed-00c078500253' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{37} EQUALITY caseignoreia5match

6.2 Object Classes

6.2.1 New Object Classes Defined in This Schema

objectclasses: Acl-oid NAME 'Acl'
    DESC 'A structural object class for use in configuring an entry to represent an ACL for an associated object. The associated object can be a directory, principal, group, organization, realm policy, ERA, replication list, or XATTR. The entry representing the ACL must reside directly below the entry representing the associated object, and the cn attribute of this entry must contain the value "Acl". The relationship between the entry representing the ACL and the entry representing the associated object is many-to-one, with each ACL containing a different ACL manager type.'
    SUP top Structural
    MUST cn $ dceacldefrealmuuid $ dceaclentries $ dceaclmgrtype
    MAY dcedefdiraclentries $ dcedefobjaclentries

objectclasses: Dir-oid NAME 'Dir'
    DESC 'An auxiliary object class for use in configuring an entry to represent a directory name. Configuring a directory name is required only if the entry is not already configured as a principal and the user wants to use the directory name for search operations. If an entry already is configured as a principal, DCE uses the principal name (the krbprincipalname attribute) as the directory name.'
    SUP top Auxiliary
    MUST dcedirname

objectclasses: ERA-oid NAME 'ERA'
    DESC 'A structural object class for use in configuring an entry to represent a user-defined extended attribute (ERA) for a principal, group, or organization. The entry representing the ERA must reside directly below an entry representing a principal, group, or organization and must contain a forward reference to an entry representing an XATTR. The relationship between the entry representing the ERA and the entry representing the principal, group, or organization is many-to-one, with each ERA configured with a different name. The relationship between the entry representing the ERA and the entry representing the XATTR is many-to-one, with each ERA associated with a different principal, group, or organization.'
    SUP top Structural
    MUST dcexattrname $ dcexattrvalue

objectclasses: Group-oid NAME 'Group'
    DESC 'An auxiliary object class for use in configuring an entry with a membership attribute to represent a group. The entry must reside under one of the subtrees listed in the dcegroupsubtree attribute of the entry representing the realm. See also the dcegroupsubtree attribute of Realm.'
    SUP top Auxiliary
    MUST dcegroupname
    MAY dcefullname $ dceisrequired $ dceprojlistok $ dceunixobject

objectclasses: LegacyDB-oid NAME 'LegacyDB'
    DESC 'An auxiliary object class for use in configuring legacy database information in an entry representing an object.'
    SUP top Auxiliary
    MAY dceid

objectclasses: LogExt-oid NAME 'LogExt'
    DESC 'An auxiliary object class for configuring an existing entry representing a Kerberos login activity record to also represent a DCE login activity record. The existing entry must have been configured with the KrbLog structural object class.'
    SUP top Auxiliary
    MUST dcebadoriginator $ dcedisabletime $ dcegoodoriginator

objectclasses: Log-oid NAME 'Log'
    DESC 'A structural object class for configuring an entry to represent a DCE and Kerberos login activity record.'
    SUP KrbLog Structural
    MUST dcebadoriginator $ dcedisabletime $ dcegoodoriginator

objectclasses: SecMapExt-oid NAME 'SecMapExt'
    DESC 'An auxiliary object class for configuring additional attributes in an entry configured with the SecMap structural object class.'
    SUP top Auxiliary
    MAY unixid

objectclasses: Org-oid NAME 'Org'

    DESC 'An auxiliary object class for use in configuring an entry to represent an organization. The entry must reside under a subtree listed in the dceorgsubtree attribute of the entry representing the realm. See also the dceorgsubtree attribute of Realm.'
    SUP Policy Auxiliary
    MUST dceorgname
    MAY dcefullname $ dcehintmembershipuuids $ dcehintforeignmembershipuuids

objectclasses: Policy-oid NAME 'Policy'
    DESC 'An auxiliary object class for use in configuring policy attributes for an associated principal or realm. The policy attributes can reside in the entry representing the principal or realm, in the entry referenced by the policyobject attribute of the entry representing the principal or realm, or in both entries. If the same policy attribute is configured in both entries, the policy attribute from the entry referenced by policyobject is used. See also Principal and Realm.'
    SUP Auxiliary
    MUST dcepolicyflags $ dcepreauthtype $ dcepwdvaltype $ maxfailedlogins $ secacctlife $ secpwdalpha $ secpwdmgmtbind $ secpwdspaces $ timeexpirelockout

objectclasses: Principal-oid NAME 'Principal'
    DESC 'An auxiliary object class for use in configuring an entry to represent a principal.'
    SUP KrbPrincipal Auxiliary
    MAY dcehintforeignmembershipuuids $ dcefullname $ dcehintmembershipuuids $ dcejournalid $ dcekeyparts $ dceprimarygroup $ dcepublickeyauthentication $ dcepublickeyencipherment $ dceprivatekeystorage $ dceprojlistok $ $ dcepwdoverride $ $ dcequota $ dceunixobject $ $ dcegoodsincedate $ dceisrequired $ $ dceunixobject $ dcex500dn $ dcex500dsaadmin

objectclasses: Realm-oid NAME 'Realm'
    DESC 'An auxiliary class for use in configuring an entry to represent a realm. The entry also must be configured using the KrbRealm structural object class. See also KrbRealm.'
    SUP KrbRealmExt Auxiliary
    MUST
    MAY dcedomaincachestate $ dcegroupsubtree $ dcelowunixidgroup $ dcelowunixidorg $ dcelowunixidperson $ dcemaxunixid $ dcemintktlife $ dceorgsubtree $ dcereadonlyrealm $ dcereadversion $ dcesecmapsubtreeprinc $ dcesecmapsubtreegroup $ dcesecmapsubtreeothers $ dceshadowpwdok $ dceunauthenticatedquota $ dceunboundtktsok $ dceuniqueidcfg $ dcewriteversion

objectclasses: Replist-oid NAME 'Replist'

    DESC 'A structural object class for use in configuring an entry to represent a replication list for a server in a realm. The entry representing the replication list must reside directly below a replication list container (an entry with a DN of cn=replists and an object class of container). The replication list container must reside directly below the entry representing the associated realm and must contain the name of the associated server in the realm. The relationship between the entry representing the replication list and the replication list container is many-to-one, with each replication list containing a different server name. The relationship between the replication list container and the entry representing the realm is one-to-one. See also Realm.'
    SUP top Structural
    MUST dcereplicainfo $ dcereplicatwrs $ kdcservicename

objectclasses: Unix-oid NAME 'Unix'
    DESC 'An auxiliary object class for use in configuring UNIX attributes for a principal. The UNIX attributes can reside in the entry representing the principal and/or in the entry referenced by the dceunixobject attribute of the entry representing the principal. If the same UNIX attribute resides in both entries, DCE uses the UNIX attribute from the entry referenced by dceunixobject.'
    SUP top Auxiliary
    MAY unixpwdvalid $ gecos $ homedirectory $ secpwdvalid $ userpassword $ unixlastupdate $ unixpwdversion $ loginshell

objectclasses: XATTR-oid NAME 'XATTR'
    DESC 'A structural object class for use in configuring an entry to represent a user-defined extended attribute (XATTR) for a realm. The entry representing the XATTR must reside directly below an XATTRS container (an entry with a DN of cn=xattrs and an object class of container). The XATTRS container must reside directly below an entry representing a realm. The relationship between the entry representing the XATTR and the XATTRS container is many-to-one, with each XATTR containing a different name. The relationship between the XATTRS container and the entry representing the realm is one-to-one. See also Realm.'
    SUP top Structural
    MUST dcexattrdef $ dcexattrname

objectclasses: UniqueID-oid NAME 'UniqueID'
    DESC 'A structural object class for use in configuring an entry to represent unique identifier information for an associated object. This object class is used only if the dceuniqueidcfg attribute of the entry representing the realm is set to DEFAULT. The associated object can be a directory, principal, group, organization, realm policy, ERA, replication list, or XATTR. The entry representing the unique identifier information must reside directly below the entry representing the associated object and must have a creator identity that is a trusted identity (one of the identities listed in the kdcservicename or trustedadmtool attribute of the entry representing the realm). In addition, the cn attribute of the entry representing the unique identifier information must contain