# dyngroup.schema -- Dynamic Group schema
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2014 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#
# Dynamic Group schema (experimental), as defined by Netscape.  See
# http://www.redhat.com/docs/manuals/ent-server/pdf/esadmin611.pdf
# page 70 for details on how these groups were used.
#
# A description of the objectclass definition is available here:
# http://www.redhat.com/docs/manuals/dir-server/schema/7.1/oc_dir.html#1303745
#
# depends upon:
#	core.schema
#
# These definitions are considered experimental due to the lack of
# a formal specification (e.g., RFC).
#
# NOT RECOMMENDED FOR PRODUCTION USE!  USE WITH CAUTION!
#
# The Netscape documentation describes this as an auxiliary objectclass
# but their implementations have always defined it as a structural class.
# The sloppiness here is because Netscape-derived servers don't actually
# implement the X.500 data model, and they don't honor the distinction
# between structural and auxiliary classes. This fact is noted here:
# http://forum.java.sun.com/thread.jspa?threadID=5016864&messageID=9034636
#
# In accordance with other existing implementations, we define it as a
# structural class.
#
# Our definition of memberURL also does not match theirs but again
# their published definition and what works in practice do not agree.
# In other words, the Netscape definitions are broken and interoperability
# is not guaranteed.
#
# Also see the new DynGroup proposed spec at
# http://tools.ietf.org/html/draft-haripriya-dynamicgroup-02
 
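# OID macros for the Netscape arc. The definitions below refer to these names
# in "Macro:suffix" form instead of repeating the numeric prefix.
objectIdentifier NetscapeRoot 2.16.840.1.113730

# Sub-arcs of NetscapeRoot:3. As the macro names indicate, :1 is used here for
# attribute types (memberURL) and :2 for object classes (groupOfURLs).
objectIdentifier NetscapeLDAP NetscapeRoot:3
objectIdentifier NetscapeLDAPattributeType NetscapeLDAP:1
objectIdentifier NetscapeLDAPobjectClass NetscapeLDAP:2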
 
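# OID macros for the OpenLDAP-side additions (dgIdentity, dgAuthz and
# dgIdentityAux). The base sits under 1.3.6.1.4.1.4203.666, OpenLDAP's
# experimental arc, which matches the "experimental" warning in the file
# header: these OIDs should not be treated as stable assignments.
objectIdentifier OpenLDAPExp11	1.3.6.1.4.1.4203.666.11
objectIdentifier DynGroupBase	OpenLDAPExp11:8
# :1 holds the attribute types, :2 the object class defined further down.
objectIdentifier DynGroupAttr	DynGroupBase:1
objectIdentifier DynGroupOC	DynGroupBase:2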
 
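# memberURL -- the attribute a dynamic group uses to describe its members.
# It is a subtype of labeledURI (SUP), so it takes that attribute's syntax and
# matching rules; labeledURI is expected to come from core.schema, the
# dependency named in the file header.
# NOTE(review): in dynamic-group use the value is normally an LDAP URL whose
# base, scope and filter select the members. This file does not say so;
# confirm against the documents referenced in the header. If that holds,
# write access to memberURL decides group membership and should be limited by
# ACL as tightly as write access to a static member list.
attributetype ( NetscapeLDAPattributeType:198
	NAME 'memberURL'
	DESC 'Identifies an URL associated with each member of a group. Any type of labeled URL can be used.'
	SUP labeledURI )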
 
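# dgIdentity -- a single DN (SUP distinguishedName, SINGLE-VALUE) naming the
# identity under which the entry's memberURL is processed.
# Security note: the attribute makes memberURL processing run with the access
# rights of the named identity rather than those of whoever set it. The schema
# only declares the attribute; it enforces nothing about who may set it.
# Restrict write access to dgIdentity (and to memberURL on the same entry) by
# ACL to administrators, and point it at an account with only the read access
# the group expansion needs.
# NOTE(review): how an absent or empty dgIdentity is treated depends on the
# consuming overlay -- confirm against the deployed slapd configuration.
attributetype ( DynGroupAttr:1
	NAME 'dgIdentity'
	DESC 'Identity to use when processing the memberURL'
	SUP distinguishedName SINGLE-VALUE )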
 
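# dgAuthz -- optional rules that determine which identities may assume the
# entry's dgIdentity. Values use the syntax with OID 1.3.6.1.4.1.4203.666.2.7
# and are compared with the authzMatch rule; X-ORDERED 'VALUES' asks slapd to
# keep the values as an ordered list.
# The syntax OID, like this attribute's own OID, lies under the .666
# experimental arc, so behaviour may differ between server versions.
# Security note: the attribute is optional (it is only a MAY of
# dgIdentityAux), so an entry can carry dgIdentity with no dgAuthz at all.
# NOTE(review): presumably no restriction on assuming dgIdentity applies in
# that case -- verify with the consuming overlay, and audit for entries that
# have dgIdentity but no dgAuthz.
attributeType ( DynGroupAttr:2
	NAME 'dgAuthz'
	DESC 'Optional authorization rules that determine who is allowed to assume the dgIdentity'
	EQUALITY authzMatch
	SYNTAX 1.3.6.1.4.1.4203.666.2.7
	X-ORDERED 'VALUES' )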
 
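# groupOfURLs -- object class for a dynamic group entry. cn is the only
# required attribute (MUST); memberURL and the descriptive attributes are
# optional (MAY), so an entry of this class may carry no memberURL at all.
# It is declared STRUCTURAL rather than AUXILIARY for the interoperability
# reasons given in the file header.
objectClass ( NetscapeLDAPobjectClass:33
	NAME 'groupOfURLs'
	SUP top STRUCTURAL
	MUST cn
	MAY ( memberURL $ businessCategory $ description $ o $ ou $
		owner $ seeAlso ) )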
 
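# The Haripriya dyngroup schema still needs a lot of work.
# We're just adding support for the dgIdentity attribute for now...
#
# dgIdentityAux -- auxiliary class that permits dgIdentity and dgAuthz on an
# entry. Both are MAY, so adding the class by itself sets neither attribute.
# Security note: this class is what allows dgIdentity onto an entry, so the
# ACLs should also cover who may add 'dgIdentityAux' to objectClass, not only
# who may write the two attributes.
objectClass ( DynGroupOC:1
	NAME 'dgIdentityAux'
	SUP top AUXILIARY
	MAY ( dgIdentity $ dgAuthz ) )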
 