# Custom schema for our LDAP directory. This defines only objectclasses; the
# relevant attributes are reused from other schema. Having a custom schema
# ensures that we can enforce our local rules and not have all those extra
# attributes available which we'll never use.
#
# A lot of the ideas in this schema are taken from the paper "LDAP Schema
# Design", by Andrew Findlay.
# http://www.skills-1st.co.uk/papers/ldap-schema-design-feb-2005/ldap-schema-design-feb-2005.pdf

# OID for the "stderr.nl" organization, owned by Matthijs Kooijman. Do not use
# this OID or these objectclasses without contacting Matthijs, since they may
# change without notice!
objectIdentifier StdErr 1.3.6.1.4.1.33232
objectIdentifier StdErrLDAP StdErr:2
objectIdentifier StdErrAttributeType StdErrLDAP:1
objectIdentifier StdErrObjectClass StdErrLDAP:2

#
# Define a number of structural object classes. These define what an object
# _is_ and are expected never to change.
#

# An object. Can be anything that is not a person and not a group (mostly
# used for organizing the directory and for system accounts).
objectclass ( StdErrObjectClass:1
	NAME 'simpleObject'
	SUP top
	STRUCTURAL
	MUST ( displayName )
	MAY ( uniqueIdentifier ) )

# A person. Any person that should be represented should be a simplePerson,
# adding auxiliary classes from below to add an account, mailbox, etc.
objectclass ( StdErrObjectClass:2
	NAME 'simplePerson'
	SUP simpleObject
	STRUCTURAL
	MUST ( cn $ givenName $ sn )
	MAY ( mail ) )

# A group. This is any group of things, though usually it will be a group of
# people. Does not have any particular meaning by itself, but auxiliary classes
# from below can be added to make this group a unix group, mail alias, etc.
#
# This is similar to groupOfUniqueNames, but its uniqueMember attribute is
# optional, allowing for an empty group.
# Also, it adds a displayName and removes some other attributes.
objectclass ( StdErrObjectClass:3
	NAME 'simpleGroup'
	SUP simpleObject
	STRUCTURAL
	MUST ( cn )
	MAY ( uniqueMember $ description ) )

#
# Define a number of auxiliary object classes. These add a role (unix group,
# mailbox, mail alias) to one of the structural objects above.
#

# A posix group that should get a unix account.
#
# This is similar to posixGroup, but it is an auxiliary class instead of
# structural, so it can be used together with groupOfUniqueNames.
objectclass ( StdErrObjectClass:4
	NAME 'simplePosixGroup'
	SUP top
	AUXILIARY
	MUST ( cn $ gidNumber )
	MAY ( memberUid $ description ) )

# A mail user. It has a number of mail addresses (mail and
# mailAlternateAddresses). Mail to these addresses should be delivered to the
# mailbox of uid on mailHost or forwarded to all mailForwardingAddresses.
objectclass ( StdErrObjectClass:5
	NAME 'mailUser'
	SUP top
	AUXILIARY
	MUST ( mail )
	MAY ( mailAlternateAddress $ mailHost $ uid $ mailForwardingAddress ) )

# A mail group. This has a number of mail addresses (mail and
# mailAlternateAddresses). Mail to these addresses should be delivered to each
# rfc822member and uniqueMember.
objectclass ( StdErrObjectClass:6
	NAME 'mailGroup'
	SUP top
	AUXILIARY
	MUST ( mail )
	MAY ( mailAlternateAddress $ rfc822member $ uniqueMember ) )

# Note that there is no alternative for posixGroup here. posixGroup has exactly
# the attributes we would like to have, so there seems to be no need to add a
# custom version of it.
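# Example entries showing how the structural and auxiliary classes above are
# meant to be combined. This LDIF is added here as an illustration and is not
# part of the original schema; the base DN, names, addresses and gidNumber are
# constructed values.

```ldif
# Constructed example: a person who also gets a mailbox.
# simplePerson alone permits no uid attribute, so the uid= RDN is only legal
# because mailUser (MAY uid) is added; simpleObject's displayName is inherited
# as a MUST through simplePerson -> simpleObject.
dn: uid=jdoe,ou=People,dc=example,dc=nl
objectClass: simplePerson
objectClass: mailUser
displayName: John Doe
cn: John Doe
givenName: John
sn: Doe
uid: jdoe
mail: jdoe@example.nl
mailAlternateAddress: john@example.nl
mailHost: mail.example.nl

# Constructed example: one group that is a unix group and a mail alias at once.
# simpleGroup makes uniqueMember optional, so the same entry could be created
# with no members yet; here it has one directory member and one external one.
dn: cn=staff,ou=Groups,dc=example,dc=nl
objectClass: simpleGroup
objectClass: simplePosixGroup
objectClass: mailGroup
displayName: Staff
cn: staff
description: All staff members
gidNumber: 10001
memberUid: jdoe
mail: staff@example.nl
uniqueMember: uid=jdoe,ou=People,dc=example,dc=nl
rfc822member: external@example.org
```

Loading these with ldapadd against a server that has this schema (plus the schema files that define the mail* and rfc822member attributes) verifies that the MUST/MAY rules reject an entry with, for instance, a simplePerson lacking givenName or a mailUser without mail.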