Appendix A Schemas
To support Solaris LDAP Naming clients, some Solaris specific schemas and some schemas defined by IETF are required.
This appendix has the following organization:
IETF Schemas
LDAP requires two schemas defined by IETF: the revised RFC 2307 Network Information Service schema and the LDAP mailgroups Internet draft.
RFC 2307 Network Information Service Schema
The LDAP servers must be configured to support the revised RFC 2307.
Note –
Internet-Drafts are draft documents valid for a maximum of six months and might be updated, replaced, or obsoleted by other documents at any time
The nisSchema OID is 1.3.6.1.1. The RFC 2307 Attributes are:
( nisSchema.1.0 NAME 'uidNumber'
DESC 'An integer uniquely identifying a user in an
administrative domain'
EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )
( nisSchema.1.1 NAME 'gidNumber'
DESC 'An integer uniquely identifying a group in an
administrative domain'
EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )
( nisSchema.1.2 NAME 'gecos'
DESC 'The GECOS field; the common name'
EQUALITY caseIgnoreIA5Match
SUBSTRINGS caseIgnoreIA5SubstringsMatch
SYNTAX 'IA5String' SINGLE-VALUE )
( nisSchema.1.3 NAME 'homeDirectory'
DESC 'The absolute path to the home directory'
EQUALITY caseExactIA5Match
SYNTAX 'IA5String' SINGLE-VALUE )
( nisSchema.1.4 NAME 'loginShell'
DESC 'The path to the login shell'
EQUALITY caseExactIA5Match
SYNTAX 'IA5String' SINGLE-VALUE )
( nisSchema.1.5 NAME 'shadowLastChange'
EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE )
( nisSchema.1.6 NAME 'shadowMin'
EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE )
( nisSchema.1.7 NAME 'shadowMax'
EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE )
( nisSchema.1.8 NAME 'shadowWarning'
EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE )
( nisSchema.1.9 NAME 'shadowInactive'
EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE )
( nisSchema.1.10 NAME 'shadowExpire'
EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE )
( nisSchema.1.11 NAME 'shadowFlag'
EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE )
( nisSchema.1.12 NAME 'memberUid'
EQUALITY caseExactIA5Match
SUBSTRINGS caseExactIA5SubstringsMatch
SYNTAX 'IA5String' )
( nisSchema.1.13 NAME 'memberNisNetgroup'
EQUALITY caseExactIA5Match
SUBSTRINGS caseExactIA5SubstringsMatch
SYNTAX 'IA5String' )
( nisSchema.1.14 NAME 'nisNetgroupTriple'
DESC 'Netgroup triple'
SYNTAX 'nisNetgroupTripleSyntax' )
( nisSchema.1.15 NAME 'ipServicePort'
EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE )
( nisSchema.1.16 NAME 'ipServiceProtocol'
SUP name )
( nisSchema.1.17 NAME 'ipProtocolNumber'
EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE )
( nisSchema.1.18 NAME 'oncRpcNumber'
EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE )
( nisSchema.1.19 NAME 'ipHostNumber'
DESC 'IP address as a dotted decimal, eg. 192.168.1.1
omitting leading zeros'
SUP name )
( nisSchema.1.20 NAME 'ipNetworkNumber'
DESC 'IP network as a dotted decimal, eg. 192.168,
omitting leading zeros'
SUP name SINGLE-VALUE )
( nisSchema.1.21 NAME 'ipNetmaskNumber'
DESC 'IP netmask as a dotted decimal, eg. 255.255.255.0,
omitting leading zeros'
EQUALITY caseIgnoreIA5Match
SYNTAX 'IA5String{128}' SINGLE-VALUE )
( nisSchema.1.22 NAME 'macAddress'
DESC 'MAC address in maximal, colon separated hex
notation, eg. 00:00:92:90:ee:e2'
EQUALITY caseIgnoreIA5Match
SYNTAX 'IA5String{128}' )
( nisSchema.1.23 NAME 'bootParameter'
DESC 'rpc.bootparamd parameter'
SYNTAX 'bootParameterSyntax' )
( nisSchema.1.24 NAME 'bootFile'
DESC 'Boot image name'
EQUALITY caseExactIA5Match
SYNTAX 'IA5String' )
( nisSchema.1.26 NAME 'nisMapName'
SUP name )
( nisSchema.1.27 NAME 'nisMapEntry'
EQUALITY caseExactIA5Match
SUBSTRINGS caseExactIA5SubstringsMatch
SYNTAX 'IA5String{1024}' SINGLE-VALUE )
( nisSchema.1.28 NAME 'nisPublicKey'
DESC 'NIS public key'
SYNTAX 'nisPublicKeySyntax' )
( nisSchema.1.29 NAME 'nisSecretKey'
DESC 'NIS secret key'
SYNTAX 'nisSecretKeySyntax' )
( nisSchema.1.30 NAME 'nisDomain'
DESC 'NIS domain'
SYNTAX 'IA5String' )
|
The nisSchema OID is 1.3.6.1.1. The RFC 2307 Objectclasses are:
( nisSchema.2.0 NAME 'posixAccount' SUP top AUXILIARY
DESC 'Abstraction of an account with POSIX attributes'
MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
MAY ( userPassword $ loginShell $ gecos $ description ) )
( nisSchema.2.1 NAME 'shadowAccount' SUP top AUXILIARY
DESC 'Additional attributes for shadow passwords'
MUST uid
MAY ( userPassword $ shadowLastChange $ shadowMin
shadowMax $ shadowWarning $ shadowInactive $
shadowExpire $ shadowFlag $ description ) )
( nisSchema.2.2 NAME 'posixGroup' SUP top STRUCTURAL
DESC 'Abstraction of a group of accounts'
MUST ( cn $ gidNumber )
MAY ( userPassword $ memberUid $ description ) )
( nisSchema.2.3 NAME 'ipService' SUP top STRUCTURAL
DESC 'Abstraction an Internet Protocol service.
Maps an IP port and protocol (such as tcp or udp)
to one or more names; the distinguished value of
the cn attribute denotes the service's canonical
name'
MUST ( cn $ ipServicePort $ ipServiceProtocol )
MAY ( description ) )
( nisSchema.2.4 NAME 'ipProtocol' SUP top STRUCTURAL
DESC 'Abstraction of an IP protocol. Maps a protocol number
to one or more names. The distinguished value of the cn
attribute denotes the protocol's canonical name'
MUST ( cn $ ipProtocolNumber )
MAY description )
( nisSchema.2.5 NAME 'oncRpc' SUP top STRUCTURAL
DESC 'Abstraction of an Open Network Computing (ONC)
[RFC1057] Remote Procedure Call (RPC) binding.
This class maps an ONC RPC number to a name.
The distinguished value of the cn attribute denotes
the RPC service's canonical name'
MUST ( cn $ oncRpcNumber $ description )
MAY description )
( nisSchema.2.6 NAME 'ipHost' SUP top AUXILIARY
DESC 'Abstraction of a host, an IP device. The distinguished
value of the cn attribute denotes the host's canonical
name. Device SHOULD be used as a structural class'
MUST ( cn $ ipHostNumber )
MAY ( l $ description $ manager $ userPassword ) )
( nisSchema.2.7 NAME 'ipNetwork' SUP top STRUCTURAL
DESC 'Abstraction of a network. The distinguished value of
the cn attribute denotes the network's canonical name'
MUST ipNetworkNumber
MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) )
( nisSchema.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL
DESC 'Abstraction of a netgroup. May refer to other netgroups'
MUST cn
MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )
( nisSchema.2.9 NAME 'nisMap' SUP top STRUCTURAL
DESC 'A generic abstraction of a NIS map'
MUST nisMapName
MAY description )
( nisSchema.2.10 NAME 'nisObject' SUP top STRUCTURAL
DESC 'An entry in a NIS map'
MUST ( cn $ nisMapEntry $ nisMapName )
MAY description )
( nisSchema.2.11 NAME 'ieee802Device' SUP top AUXILIARY
DESC 'A device with a MAC address; device SHOULD be
used as a structural class'
MAY macAddress )
( nisSchema.2.12 NAME 'bootableDevice' SUP top AUXILIARY
DESC 'A device with boot parameters; device SHOULD be
used as a structural class'
MAY ( bootFile $ bootParameter ) )
( nisSchema.2.14 NAME 'nisKeyObject' SUP top AUXILIARY
DESC 'An object with a public and secret key'
MUST ( cn $ nisPublicKey $ nisSecretKey )
MAY ( uidNumber $ description ) )
( nisSchema.2.15 NAME 'nisDomainObject' SUP top AUXILIARY
DESC 'Associates a NIS domain with a naming context'
MUST nisDomain )
|
Mail Alias Schema
The LDAP servers must be configured to support mail alias information. Mail alias information uses the schema defined by the LDAP Mailgroups Internet draft, formerly known as the draft-steinback-ldap-mailgroups draft. Until a new schema becomes available, Solaris LDAP clients will continue to use this schema for mail alias information.
Note –
Internet-Drafts are draft documents valid for a maximum of six months and might be updated, replaced, or obsoleted by other documents at any time
The original LDAP Mailgroups schema contains a large number of attributes and object classes. Only two attributes and a single object class are used by Solaris clients. These are listed below
The mail alias Attributes are:
( 0.9.2342.19200300.100.1.3 NAME 'mail' DESC 'RFC822 email address for this person' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String(256)' SINGLE-VALUE ) ( 2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember' DESC 'RFC822 mail address of email only member of group' EQUALITY CaseIgnoreIA5Match SYNTAX 'IA5String(256)' ) |
The mail alias Objectclass is:
( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' SUP top STRUCTURAL MUST mail MAY ( cn $ mailAlternateAddress $ mailHost $ mailRequireAuth $ mgrpAddHeader $ mgrpAllowedBroadcaster $ mgrpAllowedDomain $ mgrpApprovePassword $ mgrpBroadcasterModeration $ mgrpDeliverTo $ mgrpErrorsTo $ mgrpModerator $ mgrpMsgMaxSize $ mgrpMsgRejectAction $ mgrpMsgRejectText $ mgrpNoMatchAddrs $ mgrpRemoveHeader $ mgrpRFC822MailMember ) ) |
Solaris Schemas
The schemas required for the Solaris operating environment are the:
- Extended user accounting schema.
- Role based access control schema.
- Solaris client naming profile schema.
- projects schema
Extended User Accounting Schema
/etc/user_attr is a local source of extended attributes associated with users and roles. For more information see user_attr(4).
The extended user accounting Attributes are:
( 1.3.6.1.4.1.42.2.27.5.1.1 NAME 'SolarisProjectID' DESC 'Unique ID for a Solaris Project entry' EQUALITY integerMatch SYNTAX INTEGER SINGLE ) ( 1.3.6.1.4.1.42.2.27.5.1.2 NAME 'SolarisProjectName' DESC 'Name of a Solaris Project entry' EQUALITY caseExactIA5Match SYNTAX IA5String SINGLE ) ( 1.3.6.1.4.1.42.2.27.5.1.3 NAME 'SolarisProjectAttr' DESC 'Attributes of a Solaris Project entry' EQUALITY caseExactIA5Match SYNTAX IA5String ) ( 1.3.6.1.4.1.42.2.27.5.1.30 NAME 'memberGid' DESC 'Posix Group Name' EQUALITY caseExactIA5Match SYNTAX 'IA5String' ) |
The extended user accounting Objectclass is:
( 1.3.6.1.4.1.42.2.27.5.2.1 NAME 'SolarisProject' SUP top STRUCTURAL MUST ( SolarisProjectID $ SolarisProjectName ) MAY ( memberUid $ memberGid $ description $ SolarisProjectAttr ) ) |
Role Based Access Control Schema
/etc/user_attr is a local source of extended attributes associated with users and roles. For more information see user_attr(4).
The role based access control Attributes are:
( 1.3.6.1.4.1.42.2.27.5.1.4 NAME 'SolarisAttrKeyValue' DESC 'Semi-colon separated key=value pairs of attributes' EQUALITY caseIgnoreIA5Match SUBSTRINGS caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) ( 1.3.6.1.4.1.42.2.27.5.1.7 NAME 'SolarisAttrShortDesc' DESC 'Short description about an entry, used by GUIs' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) ( 1.3.6.1.4.1.42.2.27.5.1.8 NAME 'SolarisAttrLongDesc' DESC 'Detail description about an entry' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) ( 1.3.6.1.4.1.42.2.27.5.1.9 NAME 'SolarisKernelSecurityPolicy' DESC 'Solaris kernel security policy' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) ( 1.3.6.1.4.1.42.2.27.5.1.10 NAME 'SolarisProfileType' DESC 'Type of object defined in profile' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) ( 1.3.6.1.4.1.42.2.27.5.1.11 NAME 'SolarisProfileId' DESC 'Identifier of object defined in profile' EQUALITY caseExactIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) ( 1.3.6.1.4.1.42.2.27.5.1.12 NAME 'SolarisUserQualifier' DESC 'Per-user login attributes' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) ( 1.3.6.1.4.1.42.2.27.5.1.13 NAME 'SolarisReserved1' DESC 'Reserved for future use' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) ( 1.3.6.1.4.1.42.2.27.5.1.14 NAME 'SolarisReserved2' DESC 'Reserved for future use' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) |
The role based access control Objectclassses are:
( 1.3.6.1.4.1.42.2.27.5.2.3 NAME 'SolarisUserAttr' SUP top AUXILIARY
DESC 'User attributes'
MAY ( SolarisUserQualifier $ SolarisAttrReserved1 $ \
SolarisAttrReserved2 $ SolarisAttrKeyValue ) )
( 1.3.6.1.4.1.42.2.27.5.2.4 NAME 'SolarisAuthAttr' SUP top STRUCTURAL
DESC 'Authorizations data'
MUST cn
MAY ( SolarisAttrReserved1 $ SolarisAttrReserved2 $ \
SolarisAttrShortDesc $ SolarisAttrLongDesc $ \
SolarisAttrKeyValue ) )
( 1.3.6.1.4.1.42.2.27.5.2.5 NAME 'SolarisProfAttr' SUP top STRUCTURAL
DESC 'Profiles data'
MUST cn
MAY ( SolarisAttrReserved1 $ SolarisAttrReserved2 $ \
SolarisAttrLongDesc $ SolarisAttrKeyValue ) )
( 1.3.6.1.4.1.42.2.27.5.2.6 NAME 'SolarisExecAttr' SUP top AUXILIARY
DESC 'Profiles execution attributes'
MAY ( SolarisKernelSecurityPolicy $ SolarisProfileType $ \
SolarisAttrReserved1 $ SolarisAttrReserved2 $ \
SolarisProfileId $ SolarisAttrKeyValue ) )
|
Solaris Client Naming Profile Schema
/etc/user_attr is a local source of extended attributes associated with users, roles, and profiles. For more information see user_attr(4).
/etc/security/prof_attr is a local source for execution profile names, descriptions, and other attributes of execution profiles. For more information see prof_attr(4).
The Solaris client naming profile Attributes are:
( 1.3.6.1.4.1.42.2.27.5.1.15 NAME 'SolarisLDAPServers'
DESC 'LDAP Server address eg. 76.234.3.1:389'
EQUALITY caseIgnoreIA5Match
SYNTAX SolarisLDAPServerSyntax)
( 1.3.6.1.4.1.42.2.27.5.1.16
NAME 'SolarisSearchBaseDN'
DESC 'Search Base Distinguished Name'
EQUALITY distinguishedNameMatch
SYNTAX DN SINGLE-VALUE)
( 1.3.6.1.4.1.42.2.27.5.1.17
NAME 'SolarisCacheTTL'
DESC 'TTL value for the Domain information eg. 1w, 2d, 3h, 10m, or 5s'
EQUALITY caseIgnoreMatch
SYNTAX IA5String SINGLE-VALUE)
( 1.3.6.1.4.1.42.2.27.5.1.18
NAME 'SolarisBindDN'
DESC 'DN to be used to bind to the directory as proxy'
EQUALITY distinguishedNameMatch
SYNTAX DN SINGLE-VALUE)
( 1.3.6.1.4.1.42.2.27.5.1.19
NAME 'SolarisBindPassword'
DESC 'Password for bindDN to authenticate to the directory'
EQUALITY caseExactIA5Match
SYNTAX OctetString SINGLE-VALUE)
( 1.3.6.1.4.1.42.2.27.5.1.20
NAME 'SolarisAuthMethod'
DESC 'Authentication method to be used eg. "NS_LDAP_AUTH_NONE",
"NS_LDAP_AUTH_SIMPLE" or "NS_LDAP_AUTH_SASL_CRAM_MD5"'
EQUALITY caseIgnoreIA5Match
SYNTAX IA5String)
( 1.3.6.1.4.1.42.2.27.5.1.21
NAME 'SolarisTransportSecurity'
DESC 'Transport Level Security method to be used eg.
"NS_LDAP_SEC_NONE" or "NS_LDAP_SEC_SASL_TLS"'
EQUALITY caseIgnoreIA5Match
SYNTAX IA5String SINGLE-VALUE)
( 1.3.6.1.4.1.42.2.27.5.1.22
NAME 'SolarisCertificatePath'
DESC 'Path to certificate file/device'
EQUALITY caseExactIA5Match
SYNTAX IA5String SINGLE-VALUE)
( 1.3.6.1.4.1.42.2.27.5.1.23
NAME 'SolarisCertificatePassword'
DESC 'Password or PIN that grants access to certificate.'
EQUALITY caseExactIA5Match
SYNTAX OctetString SINGLE-VALUE)
( 1.3.6.1.4.1.42.2.27.5.1.24
NAME 'SolarisDataSearchDN'
DESC 'Search DN for data lookup in "<database>:(DN0),(DN1),..." format'
EQUALITY caseIgnoreIA5Match
SYNTAX IA5String)
( 1.3.6.1.4.1.42.2.27.5.1.25
NAME 'SolarisSearchScope'
DESC 'Scope to be used for search operations eg.
"NS_LDAP_SCOPE_BASE", "NS_LDAP_SCOPE_ONELEVEL" or
"NS_LDAP_SCOPE_SUBTREE"'
EQUALITY caseIgnoreIA5Match
SYNTAX IA5String SINGLE-VALUE)
( 1.3.6.1.4.1.42.2.27.5.1.26
NAME 'SolarisSearchTimeLimit'
DESC 'Time Limit in seconds for search operations'
EQUALITY integerMatch
SYNTAX INTEGER SINGLE-VALUE)
( 1.3.6.1.4.1.42.2.27.5.1.27
NAME 'SolarisPreferredServer'
DESC 'Preferred LDAP Server address or network number'
EQUALITY caseIgnoreIA5Match
SYNTAX IAString)
( 1.3.6.1.4.1.42.2.27.5.1.28
NAME 'SolarisPreferredServerOnly'
DESC 'Boolean flag for use of preferredServer or not'
EQUALITY booleanMatch
SYNTAX BOOLEAN SINGLE-VALUE)
( 1.3.6.1.4.1.42.2.27.5.1.29
NAME 'SolarisSearchReferral'
DESC 'referral chasing option eg.
"NS_LDAP_NOREF" or "NS_LDAP_FOLLOWREF"'
EQUALITY caseIgnoreIA5Match
SYNTAX IA5String SINGLE-VALUE)
|
The Solaris client naming profile Objectclasss is:
( 1.3.6.1.4.1.42.2.27.5.2.7 NAME 'SolarisNamingProfile'
SUP top STRUCTURAL
DESC 'Solaris LDAP Naming client profile objectClass'
MUST ( cn $ SolarisLDAPServers $ SolarisSearchBaseDN )
MAY ( SolarisBindDN $ SolarisBindPassword $ SolarisAuthMethod $
SolarisTransportSecurity $ SolarisCertificatePath $
SolarisCertificatePassword $ SolarisDataSearchDN $
SolarisSearchScope $ SolarisSearchTimeLimit $
SolarisPreferredServer $ SolarisPreferredServerOnly $
SolarisCacheTTL $ SolarisSearchReferral )
)
|
- © 2010, Oracle Corporation and/or its affiliates