Datenerstbefüllung des OpenLDAP Servers unter CentOS 7.x

OpenLDAP Logo

Nachdem wir die Grundinstallation des OpenLDAP Servers und die TLS-Absicherung des OpenLDAP-Servers erfolgreich abgeschlossen haben, werden wir im nächsten Schritt unsere Berkely-Datenbank mit Inhalt befüllen und weiter konfigurieren.

Wir werden im ersten Schritt unseren OpenLDAP-Verzeichnisdienst mit Schemen befüllen, die wir im späteren Betrieb benötigen werden. Für die Befüllung mit Nutzdaten, die aus Distinguished Names (DN) und einem eindeutigen Objektnamen bestehen, müssen hierzu in den Directory Information Tree (DIT), einer hierarchischen Baumstruktur eingefügt werden.

Grundlegende Informationen zum Thema Sche­ma­ta finden man im Kapitel 13. Schema Specification des OpenLDAP Software 2.4 Administrator's Guide.

Bei der Installation des RPM-Paketes openldap-servers wurden im Verzeichnis /etc/openldap/schema Vorlagen für die gängisten Schematas abgelegt.

/etc/openldap/schema
├── collective.ldif
├── collective.schema
├── corba.ldif
├── corba.schema
├── core.ldif
├── core.schema
├── cosine.ldif
├── cosine.schema
├── duaconf.ldif
├── duaconf.schema
├── dyngroup.ldif
├── dyngroup.schema
├── inetorgperson.ldif
├── inetorgperson.schema
├── java.ldif
├── java.schema
├── misc.ldif
├── misc.schema
├── nis.ldif
├── nis.schema
├── openldap.ldif
├── openldap.schema
├── pmi.ldif
├── pmi.schema
├── ppolicy.ldif
└── ppolicy.schema

Die Beschreibung der Schematas finden sich in den Dateien mit der Endung .schema. Die zugehörigen Dateien mit der Endung .ldif benötigen wir dann beim Import eines Schemas in unseren OpenLDAP-Verzeichnisdienst.

Folgende Schamatas werden wir jetzt nacheinander importieren:

  • cosine.schema Cosine and Internet X.500 (RFC 1274)
  • inetorgperson.schema InetOrgPerson (RFC 2798)
  • nis.schema Network Information Services ( RFC 2307)

cosine

Im ersten Schritt werden wir nun das Schema cosine importieren. Die Beschreibung des Schemas findet sich in der gleichnamigen Datei /etc/openldap/schema/cosine.schema.

 # less /etc/openldap/schema/cosine.schema
/etc/openldap/schema/cosine.schema
# RFC1274: Cosine and Internet X.500 schema 
# $OpenLDAP$                                
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##                                                                   
## Copyright 1998-2014 The OpenLDAP Foundation.                      
## All rights reserved.                                              
##                                                                   
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP    
## Public License.                                                   
##                                                                   
## A copy of this license is available in the file LICENSE in the    
## top-level directory of the distribution or, alternatively, at     
## <http://www.OpenLDAP.org/license.html>.                           
#                                                                    
# RFC1274: Cosine and Internet X.500 schema                          
#                                                                    
# This file contains LDAPv3 schema derived from X.500 COSINE "pilot" 
# schema.  As this schema was defined for X.500(89), some            
# oddities were introduced in the mapping to LDAPv3.  The            
# mappings were based upon: draft-ietf-asid-ldapv3-attributes-03.txt 
# (a work in progress)                                               
#                                                                    
# Note: It seems that the pilot schema evolved beyond what was       
# described in RFC1274.  However, this document attempts to describes
# RFC1274 as published.                                              
#                                                                    
# Depends on core.schema                                             
 
 
# Network Working Group                                          P. Barker
# Request for Comments: 1274                                      S. Kille
#                                              University College London  
#                                                          November 1991  
#                                                                         
#                 The COSINE and Internet X.500 Schema                    
#                                                                         
# [trimmed]                                                               
#                                                                         
# Abstract                                                                
#                                                                         
#  This document suggests an X.500 Directory Schema, or Naming            
#  Architecture, for use in the COSINE and Internet X.500 pilots.  The    
#  schema is independent of any specific implementation.  As well as      
#  indicating support for the standard object classes and attributes, a   
#  large number of generally useful object classes and attributes are     
#  also defined.  An appendix to this document includes a machine         
#  processable version of the schema.                                     
#                                                                         
# [trimmed]                                                               
 
# 7.  Object Identifiers
#                       
#  Some additional object identifiers are defined for this schema.
#  These are also reproduced in Appendix C.                       
#                                                                 
#    data OBJECT IDENTIFIER ::= {ccitt 9}                         
#    pss OBJECT IDENTIFIER ::= {data 2342}                        
#    ucl OBJECT IDENTIFIER ::= {pss 19200300}                     
#    pilot OBJECT IDENTIFIER ::= {ucl 100}                        
#                                                                 
#    pilotAttributeType OBJECT IDENTIFIER ::= {pilot 1}           
#    pilotAttributeSyntax OBJECT IDENTIFIER ::= {pilot 3}         
#    pilotObjectClass OBJECT IDENTIFIER ::= {pilot 4}             
#    pilotGroups OBJECT IDENTIFIER ::= {pilot 10}                 
#                                                                 
#    iA5StringSyntax OBJECT IDENTIFIER ::= {pilotAttributeSyntax 4}
#    caseIgnoreIA5StringSyntax OBJECT IDENTIFIER ::=               
#                                          {pilotAttributeSyntax 5}
#                                                                  
# 8.  Object Classes                                               
# [relocated after 9]                                              
 
#
# 9.  Attribute Types
#                    
# 9.1.  X.500 standard attribute types
#                                     
#  A number of generally useful attribute types are defined in X.520,
#  and these are supported.  Refer to that document for descriptions of
#  the suggested usage of these attribute types.  The ASN.1 for these  
#  attribute types is reproduced for completeness in Appendix C.       
#                                                                      
# 9.2.  X.400 standard attribute types                                 
#                                                                      
#  The standard X.400 attribute types are supported.  See X.402 for full
#  details.  The ASN.1 for these attribute types is reproduced in       
#  Appendix C.                                                          
#                                                                       
# 9.3.  COSINE/Internet attribute types                                 
#                                                                       
#  This section describes all the attribute types defined for use in the
#  COSINE and Internet pilots.  Descriptions are given as to the        
#  suggested usage of these attribute types.  The ASN.1 for these       
#  attribute types is reproduced in Appendix C.                         
#                                                                       
# 9.3.1.  Userid                                                        
#                                                                       
#  The Userid attribute type specifies a computer system login name.    
#                                                                       
#    userid ATTRIBUTE                                                   
#        WITH ATTRIBUTE-SYNTAX                                          
#            caseIgnoreStringSyntax                                     
#            (SIZE (1 .. ub-user-identifier))                           
#    ::= {pilotAttributeType 1}                                         
#                                                                       
#(in core.schema)                                                       
##attributetype ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' )     
##      EQUALITY caseIgnoreMatch                                        
##      SUBSTR caseIgnoreSubstringsMatch                                
##      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )                     
 
# 9.3.2.  Text Encoded O/R Address
#                                 
#  The Text Encoded O/R Address attribute type specifies a text encoding
#  of an X.400 O/R address, as specified in RFC 987.  The use of this   
#  attribute is deprecated as the attribute is intended for interim use 
#  only.  This attribute will be the first candidate for the attribute  
#  expiry mechanisms!                                                   
#                                                                       
#    textEncodedORAddress ATTRIBUTE                                     
#        WITH ATTRIBUTE-SYNTAX                                          
#            caseIgnoreStringSyntax                                     
#        (SIZE (1 .. ub-text-encoded-or-address))                       
#    ::= {pilotAttributeType 2}                                         
#                                                                       
attributetype ( 0.9.2342.19200300.100.1.2 NAME 'textEncodedORAddress'   
        EQUALITY caseIgnoreMatch                                        
        SUBSTR caseIgnoreSubstringsMatch                                
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )                     
 
# 9.3.3.  RFC 822 Mailbox
#                        
#  The RFC822 Mailbox attribute type specifies an electronic mailbox
#  attribute following the syntax specified in RFC 822.  Note that this
#  attribute should not be used for greybook or other non-Internet order
#  mailboxes.                                                           
#                                                                       
#    rfc822Mailbox ATTRIBUTE                                            
#        WITH ATTRIBUTE-SYNTAX                                          
#            caseIgnoreIA5StringSyntax                                  
#            (SIZE (1 .. ub-rfc822-mailbox))                            
#    ::= {pilotAttributeType 3}                                         
#                                                                       
#(in core.schema)                                                       
##attributetype ( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbox' )
##      EQUALITY caseIgnoreIA5Match                                        
##      SUBSTR caseIgnoreIA5SubstringsMatch                                
##      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )                        
 
# 9.3.4.  Information
#                    
#  The Information attribute type specifies any general information
#  pertinent to an object.  It is recommended that specific usage of
#  this attribute type is avoided, and that specific requirements are
#  met by other (possibly additional) attribute types.               
#                                                                    
#    info ATTRIBUTE                                                  
#        WITH ATTRIBUTE-SYNTAX                                       
#            caseIgnoreStringSyntax                                  
#            (SIZE (1 .. ub-information))                            
#    ::= {pilotAttributeType 4}                                      
#                                                                    
attributetype ( 0.9.2342.19200300.100.1.4 NAME 'info'                
        DESC 'RFC1274: general information'                          
        EQUALITY caseIgnoreMatch                                     
        SUBSTR caseIgnoreSubstringsMatch                             
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{2048} )                 
 
 
# 9.3.5.  Favourite Drink
#                        
#  The Favourite Drink attribute type specifies the favourite drink of
#  an object (or person).                                             
#                                                                     
#    favouriteDrink ATTRIBUTE                                         
#        WITH ATTRIBUTE-SYNTAX                                        
#            caseIgnoreStringSyntax                                   
#            (SIZE (1 .. ub-favourite-drink))                         
#    ::= {pilotAttributeType 5}                                       
#                                                                     
attributetype ( 0.9.2342.19200300.100.1.5                             
        NAME ( 'drink' 'favouriteDrink' )                             
        DESC 'RFC1274: favorite drink'                                
        EQUALITY caseIgnoreMatch                                      
        SUBSTR caseIgnoreSubstringsMatch                              
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )                   
 
# 9.3.6.  Room Number
#                    
#  The Room Number attribute type specifies the room number of an
#  object.  Note that the commonName attribute should be used for naming
#  room objects.                                                        
#                                                                       
#    roomNumber ATTRIBUTE                                               
#        WITH ATTRIBUTE-SYNTAX                                          
#            caseIgnoreStringSyntax                                     
#            (SIZE (1 .. ub-room-number))                               
#    ::= {pilotAttributeType 6}                                         
#                                                                       
attributetype ( 0.9.2342.19200300.100.1.6 NAME 'roomNumber'             
        DESC 'RFC1274: room number'                                     
        EQUALITY caseIgnoreMatch                                        
        SUBSTR caseIgnoreSubstringsMatch                                
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )                     
 
# 9.3.7.  Photo
#              
#  The Photo attribute type specifies a "photograph" for an object.
#  This should be encoded in G3 fax as explained in recommendation T.4,
#  with an ASN.1 wrapper to make it compatible with an X.400 BodyPart as
#  defined in X.420.                                                    
#                                                                       
#    IMPORT  G3FacsimileBodyPart  FROM  {   mhs-motis   ipms   modules  
#    information-objects }                                              
#                                                                       
#    photo ATTRIBUTE                                                    
#        WITH ATTRIBUTE-SYNTAX                                          
#            CHOICE {                                                   
#                g3-facsimile [3] G3FacsimileBodyPart                   
#                }                                                      
#        (SIZE (1 .. ub-photo))                                         
#    ::= {pilotAttributeType 7}                                         
#                                                                       
attributetype ( 0.9.2342.19200300.100.1.7 NAME 'photo'                  
        DESC 'RFC1274: photo (G3 fax)'                                  
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.23{25000} )                   
 
# 9.3.8.  User Class
#                   
#  The User Class attribute type specifies a category of computer user.
#  The semantics placed on this attribute are for local interpretation.
#  Examples of current usage od this attribute in academia are         
#  undergraduate student, researcher, lecturer, etc.  Note that the    
#  organizationalStatus attribute may now often be preferred as it makes
#  no distinction between computer users and others.                    
#                                                                       
#    userClass ATTRIBUTE                                                
#        WITH ATTRIBUTE-SYNTAX                                          
#            caseIgnoreStringSyntax                                     
#            (SIZE (1 .. ub-user-class))                                
#    ::= {pilotAttributeType 8}                                         
#                                                                       
attributetype ( 0.9.2342.19200300.100.1.8 NAME 'userClass'              
        DESC 'RFC1274: category of user'                                
        EQUALITY caseIgnoreMatch                                        
        SUBSTR caseIgnoreSubstringsMatch                                
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )                     
 
# 9.3.9.  Host
#             
#  The Host attribute type specifies a host computer.
#                                                    
#    host ATTRIBUTE                                  
#        WITH ATTRIBUTE-SYNTAX                       
#            caseIgnoreStringSyntax                  
#            (SIZE (1 .. ub-host))                   
#    ::= {pilotAttributeType 9}                      
#                                                    
attributetype ( 0.9.2342.19200300.100.1.9 NAME 'host'
        DESC 'RFC1274: host computer'                
        EQUALITY caseIgnoreMatch                     
        SUBSTR caseIgnoreSubstringsMatch             
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )  
 
# 9.3.10.  Manager
#                 
#  The Manager attribute type specifies the manager of an object
#  represented by an entry.                                     
#                                                               
#    manager ATTRIBUTE                                          
#        WITH ATTRIBUTE-SYNTAX                                  
#            distinguishedNameSyntax                            
#    ::= {pilotAttributeType 10}                                
#                                                               
attributetype ( 0.9.2342.19200300.100.1.10 NAME 'manager'       
        DESC 'RFC1274: DN of manager'                           
        EQUALITY distinguishedNameMatch                         
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )                  
 
# 9.3.11.  Document Identifier
#                             
#  The Document Identifier attribute type specifies a unique identifier
#  for a document.                                                     
#                                                                      
#    documentIdentifier ATTRIBUTE                                      
#        WITH ATTRIBUTE-SYNTAX                                         
#            caseIgnoreStringSyntax                                    
#            (SIZE (1 .. ub-document-identifier))                      
#    ::= {pilotAttributeType 11}                                       
#                                                                      
attributetype ( 0.9.2342.19200300.100.1.11 NAME 'documentIdentifier'   
        DESC 'RFC1274: unique identifier of document'                  
        EQUALITY caseIgnoreMatch                                       
        SUBSTR caseIgnoreSubstringsMatch                               
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )                    
 
# 9.3.12.  Document Title
#                        
#  The Document Title attribute type specifies the title of a document.
#                                                                      
#    documentTitle ATTRIBUTE                                           
#        WITH ATTRIBUTE-SYNTAX                                         
#            caseIgnoreStringSyntax                                    
#        (SIZE (1 .. ub-document-title))                               
#    ::= {pilotAttributeType 12}                                       
#                                                                      
attributetype ( 0.9.2342.19200300.100.1.12 NAME 'documentTitle'        
        DESC 'RFC1274: title of document'                              
        EQUALITY caseIgnoreMatch                                       
        SUBSTR caseIgnoreSubstringsMatch                               
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )                    
 
# 9.3.13.  Document Version
#                          
#  The Document Version attribute type specifies the version number of a
#  document.                                                            
#                                                                       
#    documentVersion ATTRIBUTE                                          
#        WITH ATTRIBUTE-SYNTAX                                          
#            caseIgnoreStringSyntax                                     
#            (SIZE (1 .. ub-document-version))                          
#    ::= {pilotAttributeType 13}                                        
#                                                                       
attributetype ( 0.9.2342.19200300.100.1.13 NAME 'documentVersion'       
        DESC 'RFC1274: version of document'                             
        EQUALITY caseIgnoreMatch                                        
        SUBSTR caseIgnoreSubstringsMatch                                
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )                     
 
# 9.3.14.  Document Author
#                         
#  The Document Author attribute type specifies the distinguished name
#  of the author of a document.                                       
#                                                                     
#    documentAuthor ATTRIBUTE                                         
#        WITH ATTRIBUTE-SYNTAX                                        
#            distinguishedNameSyntax                                  
#    ::= {pilotAttributeType 14}                                      
#                                                                     
attributetype ( 0.9.2342.19200300.100.1.14 NAME 'documentAuthor'      
        DESC 'RFC1274: DN of author of document'                      
        EQUALITY distinguishedNameMatch                               
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )                        
 
# 9.3.15.  Document Location
#                           
#  The Document Location attribute type specifies the location of the
#  document original.                                                
#                                                                    
#    documentLocation ATTRIBUTE                                      
#        WITH ATTRIBUTE-SYNTAX                                       
#            caseIgnoreStringSyntax                                  
#            (SIZE (1 .. ub-document-location))                      
#    ::= {pilotAttributeType 15}                                     
#                                                                    
attributetype ( 0.9.2342.19200300.100.1.15 NAME 'documentLocation'   
        DESC 'RFC1274: location of document original'                
        EQUALITY caseIgnoreMatch                                     
        SUBSTR caseIgnoreSubstringsMatch                             
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )                  
 
# 9.3.16.  Home Telephone Number
#                               
#  The Home Telephone Number attribute type specifies a home telephone
#  number associated with a person.  Attribute values should follow the
#  agreed format for international telephone numbers: i.e., "+44 71 123
#  4567".                                                              
#                                                                      
#    homeTelephoneNumber ATTRIBUTE                                     
#        WITH ATTRIBUTE-SYNTAX                                         
#            telephoneNumberSyntax                                     
#    ::= {pilotAttributeType 20}                                       
#                                                                      
attributetype ( 0.9.2342.19200300.100.1.20                             
        NAME ( 'homePhone' 'homeTelephoneNumber' )                     
        DESC 'RFC1274: home telephone number'                          
        EQUALITY telephoneNumberMatch                                  
        SUBSTR telephoneNumberSubstringsMatch                          
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )                         
 
# 9.3.17.  Secretary
#                   
#  The Secretary attribute type specifies the secretary of a person.
#  The attribute value for Secretary is a distinguished name.       
#                                                                   
#    secretary ATTRIBUTE                                            
#        WITH ATTRIBUTE-SYNTAX                                      
#            distinguishedNameSyntax                                
#    ::= {pilotAttributeType 21}                                    
#                                                                   
attributetype ( 0.9.2342.19200300.100.1.21 NAME 'secretary'         
        DESC 'RFC1274: DN of secretary'                             
        EQUALITY distinguishedNameMatch                             
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )                      
 
# 9.3.18.  Other Mailbox
#                       
#  The Other Mailbox attribute type specifies values for electronic
#  mailbox types other than X.400 and rfc822.                      
#                                                                  
#    otherMailbox ATTRIBUTE                                        
#        WITH ATTRIBUTE-SYNTAX                                     
#            SEQUENCE {                                            
#                    mailboxType PrintableString, -- e.g. Telemail 
#                    mailbox IA5String  -- e.g. X378:Joe           
#            }                                                     
#    ::= {pilotAttributeType 22}                                   
#                                                                  
attributetype ( 0.9.2342.19200300.100.1.22 NAME 'otherMailbox'     
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.39 )                     
 
# 9.3.19.  Last Modified Time
#                            
#  The Last Modified Time attribute type specifies the last time, in UTC
#  time, that an entry was modified.  Ideally, this attribute should be 
#  maintained by the DSA.                                               
#                                                                       
#    lastModifiedTime ATTRIBUTE                                         
#        WITH ATTRIBUTE-SYNTAX                                          
#            uTCTimeSyntax                                              
#    ::= {pilotAttributeType 23}                                        
#                                                                       
## Deprecated in favor of modifyTimeStamp                               
#attributetype ( 0.9.2342.19200300.100.1.23 NAME 'lastModifiedTime'     
#       DESC 'RFC1274: time of last modify, replaced by modifyTimestamp'
#       OBSOLETE                                                        
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.53                            
#       USAGE directoryOperation )                                      
 
# 9.3.20.  Last Modified By
#                          
#  The Last Modified By attribute specifies the distinguished name of
#  the last user to modify the associated entry.  Ideally, this      
#  attribute should be maintained by the DSA.                        
#                                                                    
#    lastModifiedBy ATTRIBUTE                                        
#        WITH ATTRIBUTE-SYNTAX                                       
#            distinguishedNameSyntax                                 
#    ::= {pilotAttributeType 24}                                     
#                                                                    
## Deprecated in favor of modifiersName                              
#attributetype ( 0.9.2342.19200300.100.1.24 NAME 'lastModifiedBy'    
#       DESC 'RFC1274: last modifier, replaced by modifiersName'     
#       OBSOLETE                                                     
#       EQUALITY distinguishedNameMatch                              
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.12                         
#       USAGE directoryOperation )                                   
 
# 9.3.21.  Domain Component
#                          
#  The Domain Component attribute type specifies a DNS/NRS domain.  For
#  example, "uk" or "ac".                                              
#                                                                      
#    domainComponent ATTRIBUTE                                         
#        WITH ATTRIBUTE-SYNTAX                                         
#            caseIgnoreIA5StringSyntax                                 
#            SINGLE VALUE                                              
#    ::= {pilotAttributeType 25}                                       
#                                                                      
##(in core.schema)                                                     
##attributetype ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domainComponent' )
##      EQUALITY caseIgnoreIA5Match                                         
##      SUBSTR caseIgnoreIA5SubstringsMatch                                 
##      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )                 
 
# 9.3.22.  DNS ARecord
#                     
#  The A Record attribute type specifies a type A (Address) DNS resource
#  record [6] [7].                                                      
#                                                                       
#    aRecord ATTRIBUTE                                                  
#        WITH ATTRIBUTE-SYNTAX                                          
#            DNSRecordSyntax                                            
#    ::= {pilotAttributeType 26}                                        
#                                                                       
## incorrect syntax?                                                    
attributetype ( 0.9.2342.19200300.100.1.26 NAME 'aRecord'               
        EQUALITY caseIgnoreIA5Match                                     
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )                          
 
## missing from RFC1274
## incorrect syntax?   
attributetype ( 0.9.2342.19200300.100.1.27 NAME 'mDRecord'
        EQUALITY caseIgnoreIA5Match                       
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )            
 
# 9.3.23.  MX Record
#                   
#  The MX Record attribute type specifies a type MX (Mail Exchange) DNS
#  resource record [6] [7].                                            
#                                                                      
#    mXRecord ATTRIBUTE                                                
#        WITH ATTRIBUTE-SYNTAX                                         
#            DNSRecordSyntax                                           
#    ::= {pilotAttributeType 28}                                       
#                                                                      
## incorrect syntax!!                                                  
attributetype ( 0.9.2342.19200300.100.1.28 NAME 'mXRecord'             
        EQUALITY caseIgnoreIA5Match                                    
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )                         
 
# 9.3.24.  NS Record
#                   
#  The NS Record attribute type specifies an NS (Name Server) DNS
#  resource record [6] [7].                                      
#                                                                
#    nSRecord ATTRIBUTE                                          
#        WITH ATTRIBUTE-SYNTAX                                   
#            DNSRecordSyntax                                     
#    ::= {pilotAttributeType 29}                                 
#                                                                
## incorrect syntax!!                                            
attributetype ( 0.9.2342.19200300.100.1.29 NAME 'nSRecord'       
        EQUALITY caseIgnoreIA5Match                              
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )                   
 
# 9.3.25.  SOA Record
#                    
#  The SOA Record attribute type specifies a type SOA (Start of
#  Authority) DNS resorce record [6] [7].                      
#                                                              
#    sOARecord ATTRIBUTE                                       
#        WITH ATTRIBUTE-SYNTAX                                 
#            DNSRecordSyntax                                   
#    ::= {pilotAttributeType 30}                               
#                                                              
## incorrect syntax!!                                          
attributetype ( 0.9.2342.19200300.100.1.30 NAME 'sOARecord'    
        EQUALITY caseIgnoreIA5Match                            
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )                 
 
# 9.3.26.  CNAME Record
#                      
#  The CNAME Record attribute type specifies a type CNAME (Canonical
#  Name) DNS resource record [6] [7].                               
#                                                                   
#    cNAMERecord ATTRIBUTE                                          
#        WITH ATTRIBUTE-SYNTAX                                      
#            iA5StringSyntax                                        
#    ::= {pilotAttributeType 31}                                    
#                                                                   
## incorrect syntax!!                                               
attributetype ( 0.9.2342.19200300.100.1.31 NAME 'cNAMERecord'       
        EQUALITY caseIgnoreIA5Match                                 
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )                      
 
# 9.3.27.  Associated Domain
#                           
#  The Associated Domain attribute type specifies a DNS or NRS domain
#  which is associated with an object in the DIT. For example, the entry
#  in the DIT with a distinguished name "C=GB, O=University College     
#  London" would have an associated domain of "UCL.AC.UK.  Note that all
#  domains should be represented in rfc822 order.  See [3] for more     
#  details of usage of this attribute.                                  
#                                                                       
#    associatedDomain ATTRIBUTE                                         
#        WITH ATTRIBUTE-SYNTAX                                          
#            caseIgnoreIA5StringSyntax                                  
#    ::= {pilotAttributeType 37}                                        
#                                                                       
#attributetype ( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain'     
#       EQUALITY caseIgnoreIA5Match                                     
#       SUBSTR caseIgnoreIA5SubstringsMatch                             
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )                          
 
# 9.3.28.  Associated Name
#                         
#  The Associated Name attribute type specifies an entry in the
#  organisational DIT associated with a DNS/NRS domain.  See [3] for
#  more details of usage of this attribute.                         
#                                                                   
#    associatedName ATTRIBUTE                                       
#        WITH ATTRIBUTE-SYNTAX                                      
#            distinguishedNameSyntax                                
#    ::= {pilotAttributeType 38}                                    
#                                                                   
attributetype ( 0.9.2342.19200300.100.1.38 NAME 'associatedName'    
        DESC 'RFC1274: DN of entry associated with domain'          
        EQUALITY distinguishedNameMatch                             
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )                      
 
# 9.3.29.  Home postal address
#                             
#  The Home postal address attribute type specifies a home postal
#  address for an object.  This should be limited to up to 6 lines of 30
#  characters each.                                                     
#                                                                       
#    homePostalAddress ATTRIBUTE                                        
#        WITH ATTRIBUTE-SYNTAX                                          
#            postalAddress                                              
#            MATCHES FOR EQUALITY                                       
#    ::= {pilotAttributeType 39}                                        
#                                                                       
attributetype ( 0.9.2342.19200300.100.1.39 NAME 'homePostalAddress'     
        DESC 'RFC1274: home postal address'                             
        EQUALITY caseIgnoreListMatch                                    
        SUBSTR caseIgnoreListSubstringsMatch                            
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )                          
 
# 9.3.30.  Personal Title
#                        
#  The Personal Title attribute type specifies a personal title for a
#  person. Examples of personal titles are "Ms", "Dr", "Prof" and "Rev".
#                                                                       
#    personalTitle ATTRIBUTE                                            
#        WITH ATTRIBUTE-SYNTAX                                          
#            caseIgnoreStringSyntax                                     
#            (SIZE (1 .. ub-personal-title))                            
#    ::= {pilotAttributeType 40}                                        
#                                                                       
attributetype ( 0.9.2342.19200300.100.1.40 NAME 'personalTitle'         
        DESC 'RFC1274: personal title'                                  
        EQUALITY caseIgnoreMatch                                        
        SUBSTR caseIgnoreSubstringsMatch                                
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )                     
 
# 9.3.31.  Mobile Telephone Number
#                                 
#  The Mobile Telephone Number attribute type specifies a mobile
#  telephone number associated with a person.  Attribute values should
#  follow the agreed format for international telephone numbers: i.e.,
#  "+44 71 123 4567".                                                 
#                                                                     
#    mobileTelephoneNumber ATTRIBUTE                                  
#        WITH ATTRIBUTE-SYNTAX                                        
#            telephoneNumberSyntax                                    
#    ::= {pilotAttributeType 41}                                      
#                                                                     
attributetype ( 0.9.2342.19200300.100.1.41                            
        NAME ( 'mobile' 'mobileTelephoneNumber' )                     
        DESC 'RFC1274: mobile telephone number'                       
        EQUALITY telephoneNumberMatch                                 
        SUBSTR telephoneNumberSubstringsMatch                         
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )                        
 
# 9.3.32.  Pager Telephone Number
#                                
#  The Pager Telephone Number attribute type specifies a pager telephone
#  number for an object. Attribute values should follow the agreed      
#  format for international telephone numbers: i.e., "+44 71 123 4567". 
#                                                                       
#    pagerTelephoneNumber ATTRIBUTE                                     
#        WITH ATTRIBUTE-SYNTAX                                          
#            telephoneNumberSyntax                                      
#    ::= {pilotAttributeType 42}                                        
#                                                                       
attributetype ( 0.9.2342.19200300.100.1.42                              
        NAME ( 'pager' 'pagerTelephoneNumber' )                         
        DESC 'RFC1274: pager telephone number'                          
        EQUALITY telephoneNumberMatch                                   
        SUBSTR telephoneNumberSubstringsMatch                           
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )                          
 
# 9.3.33.  Friendly Country Name
#                               
#  The Friendly Country Name attribute type specifies names of countries
#  in human readable format.  The standard attribute country name must  
#  be one of the two-letter codes defined in ISO 3166.                  
#                                                                       
#    friendlyCountryName ATTRIBUTE                                      
#        WITH ATTRIBUTE-SYNTAX                                          
#            caseIgnoreStringSyntax                                     
#    ::= {pilotAttributeType 43}                                        
#                                                                       
attributetype ( 0.9.2342.19200300.100.1.43                              
        NAME ( 'co' 'friendlyCountryName' )                             
        DESC 'RFC1274: friendly country name'                           
        EQUALITY caseIgnoreMatch                                        
        SUBSTR caseIgnoreSubstringsMatch                                
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )                          
 
# 9.3.34.  Unique Identifier
#                           
#  The Unique Identifier attribute type specifies a "unique identifier"
#  for an object represented in the Directory.  The domain within which
#  the identifier is unique, and the exact semantics of the identifier,
#  are for local definition.  For a person, this might be an           
#  institution-wide payroll number.  For an organisational unit, it    
#  might be a department code.                                         
#                                                                      
#    uniqueIdentifier ATTRIBUTE                                        
#        WITH ATTRIBUTE-SYNTAX                                         
#            caseIgnoreStringSyntax                                    
#            (SIZE (1 .. ub-unique-identifier))                        
#    ::= {pilotAttributeType 44}                                       
#                                                                      
attributetype ( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier'     
        DESC 'RFC1274: unique identifer'                               
        EQUALITY caseIgnoreMatch                                       
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )                    
 
# 9.3.35.  Organisational Status
#                               
#  The Organisational Status attribute type specifies a category by
#  which a person is often referred to in an organisation.  Examples of
#  usage in academia might include undergraduate student, researcher,  
#  lecturer, etc.                                                      
#                                                                      
#  A Directory administrator should probably consider carefully the    
#  distinctions between this and the title and userClass attributes.   
#                                                                      
#    organizationalStatus ATTRIBUTE                                    
#            WITH ATTRIBUTE-SYNTAX                                     
#            caseIgnoreStringSyntax                                    
#            (SIZE (1 .. ub-organizational-status))                    
#    ::= {pilotAttributeType 45}                                       
#                                                                      
attributetype ( 0.9.2342.19200300.100.1.45 NAME 'organizationalStatus' 
        DESC 'RFC1274: organizational status'                          
        EQUALITY caseIgnoreMatch                                       
        SUBSTR caseIgnoreSubstringsMatch                               
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )                    
 
# 9.3.36.  Janet Mailbox
#                       
#  The Janet Mailbox attribute type specifies an electronic mailbox
#  attribute following the syntax specified in the Grey Book of the
#  Coloured Book series.  This attribute is intended for the convenience
#  of U.K users unfamiliar with rfc822 and little-endian mail addresses.
#  Entries using this attribute MUST also include an rfc822Mailbox      
#  attribute.                                                           
#                                                                       
#    janetMailbox ATTRIBUTE                                             
#        WITH ATTRIBUTE-SYNTAX                                          
#            caseIgnoreIA5StringSyntax                                  
#            (SIZE (1 .. ub-janet-mailbox))                             
#    ::= {pilotAttributeType 46}                                        
#                                                                       
attributetype ( 0.9.2342.19200300.100.1.46 NAME 'janetMailbox'          
        DESC 'RFC1274: Janet mailbox'                                   
        EQUALITY caseIgnoreIA5Match                                     
        SUBSTR caseIgnoreIA5SubstringsMatch                             
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )                     
 
# 9.3.37.  Mail Preference Option
#                                
#  An attribute to allow users to indicate a preference for inclusion of
#  their names on mailing lists (electronic or physical).  The absence  
#  of such an attribute should be interpreted as if the attribute was   
#  present with value "no-list-inclusion".  This attribute should be    
#  interpreted by anyone using the directory to derive mailing lists,   
#  and its value respected.                                             
#                                                                       
#    mailPreferenceOption ATTRIBUTE                                     
#        WITH ATTRIBUTE-SYNTAX ENUMERATED {                             
#                no-list-inclusion(0),                                  
#                any-list-inclusion(1),  -- may be added to any lists   
#                professional-list-inclusion(2)                         
#                                        -- may be added to lists       
#                                        -- which the list provider     
#                                        -- views as related to the     
#                                        -- users professional inter-   
#                                        -- ests, perhaps evaluated     
#                                        -- from the business of the    
#                                        -- organisation or keywords    
#                                        -- in the entry.               
#                }                                                      
#    ::= {pilotAttributeType 47}                                        
#                                                                       
attributetype ( 0.9.2342.19200300.100.1.47                              
        NAME 'mailPreferenceOption'                                     
        DESC 'RFC1274: mail preference option'                          
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )                          
 
# 9.3.38.  Building Name
#                       
#  The Building Name attribute type specifies the name of the building
#  where an organisation or organisational unit is based.             
#                                                                     
#    buildingName ATTRIBUTE                                           
#        WITH ATTRIBUTE-SYNTAX                                        
#            caseIgnoreStringSyntax                                   
#            (SIZE (1 .. ub-building-name))                           
#    ::= {pilotAttributeType 48}                                      
#                                                                     
attributetype ( 0.9.2342.19200300.100.1.48 NAME 'buildingName'        
        DESC 'RFC1274: name of building'                              
        EQUALITY caseIgnoreMatch                                      
        SUBSTR caseIgnoreSubstringsMatch                              
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )                   
 
# 9.3.39.  DSA Quality
#                     
#  The DSA Quality attribute type specifies the purported quality of a
#  DSA.  It allows a DSA manager to indicate the expected level of    
#  availability of the DSA. See [8] for details of the syntax.        
#                                                                     
#    dSAQuality ATTRIBUTE                                             
#            WITH ATTRIBUTE-SYNTAX DSAQualitySyntax                   
#            SINGLE VALUE                                             
#    ::= {pilotAttributeType 49}                                      
#                                                                     
attributetype ( 0.9.2342.19200300.100.1.49 NAME 'dSAQuality'          
        DESC 'RFC1274: DSA Quality'                                   
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.19 SINGLE-VALUE )           
 
# 9.3.40.  Single Level Quality
#                              
#  The Single Level Quality attribute type specifies the purported data
#  quality at the level immediately below in the DIT.  See [8] for     
#  details of the syntax.                                              
#                                                                      
#    singleLevelQuality ATTRIBUTE                                      
#            WITH ATTRIBUTE-SYNTAX DataQualitySyntax                   
#            SINGLE VALUE                                              
#    ::= {pilotAttributeType 50}                                       
#                                                                      
attributetype ( 0.9.2342.19200300.100.1.50 NAME 'singleLevelQuality'   
        DESC 'RFC1274: Single Level Quality'                           
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.13 SINGLE-VALUE )            
 
# 9.3.41.  Subtree Minimum Quality
#                                 
#  The Subtree Minimum Quality attribute type specifies the purported
#  minimum data quality for a DIT subtree.  See [8] for more discussion
#  and details of the syntax.                                          
#                                                                      
#    subtreeMinimumQuality ATTRIBUTE                                   
#            WITH ATTRIBUTE-SYNTAX DataQualitySyntax                   
#            SINGLE VALUE                                              
#               -- Defaults to singleLevelQuality                      
#    ::= {pilotAttributeType 51}                                       
#                                                                      
attributetype ( 0.9.2342.19200300.100.1.51 NAME 'subtreeMinimumQuality'
        DESC 'RFC1274: Subtree Mininum Quality'                        
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.13 SINGLE-VALUE )            
 
# 9.3.42.  Subtree Maximum Quality
#                                 
#  The Subtree Maximum Quality attribute type specifies the purported
#  maximum data quality for a DIT subtree.  See [8] for more discussion
#  and details of the syntax.                                          
#                                                                      
#    subtreeMaximumQuality ATTRIBUTE                                   
#            WITH ATTRIBUTE-SYNTAX DataQualitySyntax                   
#            SINGLE VALUE                                              
#               -- Defaults to singleLevelQuality                      
#    ::= {pilotAttributeType 52}                                       
#                                                                      
attributetype ( 0.9.2342.19200300.100.1.52 NAME 'subtreeMaximumQuality'
        DESC 'RFC1274: Subtree Maximun Quality'                        
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.13 SINGLE-VALUE )            
 
# 9.3.43.  Personal Signature
#                            
#  The Personal Signature attribute type allows for a representation of
#  a person's signature.  This should be encoded in G3 fax as explained
#  in recommendation T.4, with an ASN.1 wrapper to make it compatible  
#  with an X.400 BodyPart as defined in X.420.                         
#                                                                      
#    IMPORT  G3FacsimileBodyPart  FROM  {   mhs-motis   ipms   modules 
#    information-objects }                                             
#                                                                      
#    personalSignature ATTRIBUTE                                       
#        WITH ATTRIBUTE-SYNTAX                                         
#            CHOICE {                                                  
#                g3-facsimile [3] G3FacsimileBodyPart                  
#                }                                                     
#        (SIZE (1 .. ub-personal-signature))                           
#    ::= {pilotAttributeType 53}                                       
#                                                                      
attributetype ( 0.9.2342.19200300.100.1.53 NAME 'personalSignature'    
        DESC 'RFC1274: Personal Signature (G3 fax)'                    
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.23 )                         
 
# 9.3.44.  DIT Redirect
#                      
#  The DIT Redirect attribute type is used to indicate that the object
#  described by one entry now has a newer entry in the DIT.  The entry
#  containing the redirection attribute should be expired after a     
#  suitable grace period.  This attribute may be used when an individual
#  changes his/her place of work, and thus acquires a new organisational
#  DN.                                                                  
#                                                                       
#    dITRedirect ATTRIBUTE                                              
#        WITH ATTRIBUTE-SYNTAX                                          
#            distinguishedNameSyntax                                    
#    ::= {pilotAttributeType 54}                                        
#                                                                       
attributetype ( 0.9.2342.19200300.100.1.54 NAME 'dITRedirect'           
        DESC 'RFC1274: DIT Redirect'                                    
        EQUALITY distinguishedNameMatch                                 
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )                          
 
# 9.3.45.  Audio
#               
#  The Audio attribute type allows the storing of sounds in the
#  Directory.  The attribute uses a u-law encoded sound file as used by
#  the "play" utility on a Sun 4.  This is an interim format.          
#                                                                      
#    audio ATTRIBUTE                                                   
#        WITH ATTRIBUTE-SYNTAX                                         
#            Audio                                                     
#        (SIZE (1 .. ub-audio))                                        
#    ::= {pilotAttributeType 55}                                       
#                                                                      
attributetype ( 0.9.2342.19200300.100.1.55 NAME 'audio'                
        DESC 'RFC1274: audio (u-law)'                                  
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.4{25000} )                   
 
# 9.3.46.  Publisher of Document
#                               
#                               
#  The Publisher of Document attribute is the person and/or organization
#  that published a document.                                           
#                                                                       
#    documentPublisher ATTRIBUTE                                        
#            WITH ATTRIBUTE SYNTAX caseIgnoreStringSyntax               
#    ::= {pilotAttributeType 56}                                        
#                                                                       
attributetype ( 0.9.2342.19200300.100.1.56 NAME 'documentPublisher'     
        DESC 'RFC1274: publisher of document'                           
        EQUALITY caseIgnoreMatch                                        
        SUBSTR caseIgnoreSubstringsMatch                                
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )                          
 
# 9.4.  Generally useful syntaxes
#                                
#    caseIgnoreIA5StringSyntax ATTRIBUTE-SYNTAX
#            IA5String                         
#            MATCHES FOR EQUALITY SUBSTRINGS   
#                                              
#    iA5StringSyntax ATTRIBUTE-SYNTAX          
#        IA5String                             
#        MATCHES FOR EQUALITY SUBSTRINGS       
#                                              
#                                              
#    -- Syntaxes to support the DNS attributes 
#                                              
#    DNSRecordSyntax ATTRIBUTE-SYNTAX          
#            IA5String                         
#            MATCHES FOR EQUALITY              
#                                              
#                                              
#    NRSInformationSyntax ATTRIBUTE-SYNTAX     
#            NRSInformation                    
#            MATCHES FOR EQUALITY              
#                                              
#                                              
#    NRSInformation ::=  SET {                 
#                    [0] Context,              
#                    [1] Address-space-id,     
#                    routes [2] SEQUENCE OF SEQUENCE {
#                    Route-cost,                      
#                    Addressing-info }                
#            }                                        
#                                                     
#                                                     
# 9.5.  Upper bounds on length of attribute values    
#                                                     
#                                                     
#    ub-document-identifier INTEGER ::= 256           
#                                                     
#    ub-document-location INTEGER ::= 256             
#                                                     
#    ub-document-title INTEGER ::= 256                
#                                                     
#    ub-document-version INTEGER ::= 256              
#                                                     
#    ub-favourite-drink INTEGER ::= 256               
#                                                     
#    ub-host INTEGER ::= 256                          
#                                                     
#    ub-information INTEGER ::= 2048                  
#                                                     
#    ub-unique-identifier INTEGER ::= 256             
#                                                     
#    ub-personal-title INTEGER ::= 256                
#                                                     
#    ub-photo INTEGER ::= 250000                      
#                                                     
#    ub-rfc822-mailbox INTEGER ::= 256                
#                                                     
#    ub-room-number INTEGER ::= 256                   
#                                                     
#    ub-text-or-address INTEGER ::= 256               
#                                                     
#    ub-user-class INTEGER ::= 256                    
#                                                     
#    ub-user-identifier INTEGER ::= 256               
#                                                     
#    ub-organizational-status INTEGER ::= 256         
#                                                     
#    ub-janet-mailbox INTEGER ::= 256                 
#                                                     
#    ub-building-name INTEGER ::= 256                 
#                                                     
#    ub-personal-signature ::= 50000                  
#                                                     
#    ub-audio INTEGER ::= 250000                      
#                                                     
 
# [back to 8]
# 8.  Object Classes
#                   
# 8.1.  X.500 standard object classes
#                                    
#  A number of generally useful object classes are defined in X.521, and
#  these are supported.  Refer to that document for descriptions of the 
#  suggested usage of these object classes.  The ASN.1 for these object 
#  classes is reproduced for completeness in Appendix C.                
#                                                                       
# 8.2.  X.400 standard object classes                                   
#                                                                       
#  A number of object classes defined in X.400 are supported.  Refer to 
#  X.402 for descriptions of the usage of these object classes.  The    
#  ASN.1 for these object classes is reproduced for completeness in     
#  Appendix C.                                                          
#                                                                       
# 8.3.  COSINE/Internet object classes                                  
#                                                                       
#  This section attempts to fuse together the object classes designed   
#  for use in the COSINE and Internet pilot activities.  Descriptions   
#  are given of the suggested usage of these object classes.  The ASN.1 
#  for these object classes is also reproduced in Appendix C.           
#                                                                       
# 8.3.1.  Pilot Object                                                  
#                                                                       
#  The PilotObject object class is used as a sub-class to allow some    
#  common, useful attributes to be assigned to entries of all other     
#  object classes.                                                      
#                                                                       
#    pilotObject OBJECT-CLASS                                           
#        SUBCLASS OF top                                                
#        MAY CONTAIN {                                                  
#            info,                                                      
#            photo,                                                     
#            manager,                                                   
#            uniqueIdentifier,                                          
#            lastModifiedTime,                                          
#            lastModifiedBy,                                            
#            dITRedirect,                                               
#            audio}                                                     
#    ::= {pilotObjectClass 3}                                           
#                                                                       
#objectclass ( 0.9.2342.19200300.100.4.3 NAME 'pilotObject'             
#       DESC 'RFC1274: pilot object'                                    
#       SUP top AUXILIARY                                               
#       MAY ( info $ photo $ manager $ uniqueIdentifier $               
#               lastModifiedTime $ lastModifiedBy $ dITRedirect $ audio )
#       )                                                                
 
# 8.3.2.  Pilot Person
#                     
#  The PilotPerson object class is used as a sub-class of person, to
#  allow the use of a number of additional attributes to be assigned to
#  entries of object class person.                                     
#                                                                      
#    pilotPerson OBJECT-CLASS                                          
#        SUBCLASS OF person                                            
#        MAY CONTAIN {                                                 
#                    userid,                                           
#                    textEncodedORAddress,                             
#                    rfc822Mailbox,                                    
#                    favouriteDrink,                                   
#                    roomNumber,                                       
#                    userClass,                                        
#                    homeTelephoneNumber,                              
#                    homePostalAddress,                                
#                    secretary,                                        
#                    personalTitle,                                    
#                    preferredDeliveryMethod,                          
#                    businessCategory,                                 
#                    janetMailbox,                                     
#                    otherMailbox,                                     
#                    mobileTelephoneNumber,                            
#                    pagerTelephoneNumber,                             
#                    organizationalStatus,                             
#                    mailPreferenceOption,                             
#                    personalSignature}                                
#    ::= {pilotObjectClass 4}                                          
#                                                                      
objectclass ( 0.9.2342.19200300.100.4.4                                
        NAME ( 'pilotPerson' 'newPilotPerson' )                        
        SUP person STRUCTURAL                                          
        MAY ( userid $ textEncodedORAddress $ rfc822Mailbox $          
                favouriteDrink $ roomNumber $ userClass $              
                homeTelephoneNumber $ homePostalAddress $ secretary $  
                personalTitle $ preferredDeliveryMethod $ businessCategory $
                janetMailbox $ otherMailbox $ mobileTelephoneNumber $       
                pagerTelephoneNumber $ organizationalStatus $               
                mailPreferenceOption $ personalSignature )                  
        )                                                                   
 
# 8.3.3.  Account
#                
#  The Account object class is used to define entries representing
#  computer accounts.  The userid attribute should be used for naming
#  entries of this object class.                                     
#                                                                    
#    account OBJECT-CLASS                                            
#        SUBCLASS OF top                                             
#        MUST CONTAIN {                                              
#            userid}                                                 
#        MAY CONTAIN {                                               
#            description,                                            
#            seeAlso,                                                
#            localityName,                                           
#            organizationName,                                       
#            organizationalUnitName,                                 
#            host}                                                   
#    ::= {pilotObjectClass 5}                                        
#                                                                    
objectclass ( 0.9.2342.19200300.100.4.5 NAME 'account'               
        SUP top STRUCTURAL                                           
        MUST userid                                                  
        MAY ( description $ seeAlso $ localityName $                 
                organizationName $ organizationalUnitName $ host )   
        )                                                            
 
# 8.3.4.  Document
#                 
#  The Document object class is used to define entries which represent
#  documents.                                                         
#                                                                     
#    document OBJECT-CLASS                                            
#        SUBCLASS OF top                                              
#        MUST CONTAIN {                                               
#            documentIdentifier}                                      
#        MAY CONTAIN {                                                
#            commonName,                                              
#            description,                                             
#            seeAlso,                                                 
#            localityName,                                            
#            organizationName,                                        
#            organizationalUnitName,                                  
#            documentTitle,                                           
#            documentVersion,                                         
#            documentAuthor,                                          
#            documentLocation,                                        
#            documentPublisher}                                       
#    ::= {pilotObjectClass 6}                                         
#                                                                     
objectclass ( 0.9.2342.19200300.100.4.6 NAME 'document'               
        SUP top STRUCTURAL                                            
        MUST documentIdentifier                                       
        MAY ( commonName $ description $ seeAlso $ localityName $     
                organizationName $ organizationalUnitName $           
                documentTitle $ documentVersion $ documentAuthor $    
                documentLocation $ documentPublisher )                
        )                                                             
 
# 8.3.5.  Room
#             
#  The Room object class is used to define entries representing rooms.
#  The commonName attribute should be used for naming pentries of this
#  object class.                                                      
#                                                                     
#    room OBJECT-CLASS                                                
#        SUBCLASS OF top                                              
#        MUST CONTAIN {                                               
#            commonName}                                              
#        MAY CONTAIN {                                                
#            roomNumber,                                              
#            description,                                             
#            seeAlso,                                                 
#            telephoneNumber}                                         
#    ::= {pilotObjectClass 7}                                         
#                                                                     
objectclass ( 0.9.2342.19200300.100.4.7 NAME 'room'                   
        SUP top STRUCTURAL                                            
        MUST commonName                                               
        MAY ( roomNumber $ description $ seeAlso $ telephoneNumber )  
        )                                                             
 
# 8.3.6.  Document Series
#                        
#  The Document Series object class is used to define an entry which
#  represents a series of documents (e.g., The Request For Comments 
#  papers).                                                         
#                                                                   
#    documentSeries OBJECT-CLASS                                    
#        SUBCLASS OF top                                            
#        MUST CONTAIN {                                             
#            commonName}                                            
#        MAY CONTAIN {                                              
#            description,                                           
#            seeAlso,                                               
#            telephoneNumber,                                       
#            localityName,                                          
#            organizationName,                                      
#            organizationalUnitName}                                
#    ::= {pilotObjectClass 9}                                       
#                                                                   
objectclass ( 0.9.2342.19200300.100.4.9 NAME 'documentSeries'       
        SUP top STRUCTURAL                                          
        MUST commonName                                             
        MAY ( description $ seeAlso $ telephonenumber $             
                localityName $ organizationName $ organizationalUnitName )
        )                                                                 
 
# 8.3.7.  Domain
#               
#  The Domain object class is used to define entries which represent DNS
#  or NRS domains.  The domainComponent attribute should be used for    
#  naming entries of this object class.  The usage of this object class 
#  is described in more detail in [3].                                  
#                                                                       
#    domain OBJECT-CLASS                                                
#        SUBCLASS OF top                                                
#        MUST CONTAIN {                                                 
#            domainComponent}                                           
#        MAY CONTAIN {                                                  
#            associatedName,                                            
#            organizationName,                                          
#            organizationalAttributeSet}                                
#    ::= {pilotObjectClass 13}                                          
#                                                                       
objectclass ( 0.9.2342.19200300.100.4.13 NAME 'domain'                  
        SUP top STRUCTURAL                                              
        MUST domainComponent                                            
        MAY ( associatedName $ organizationName $ description $         
                businessCategory $ seeAlso $ searchGuide $ userPassword $
                localityName $ stateOrProvinceName $ streetAddress $     
                physicalDeliveryOfficeName $ postalAddress $ postalCode $
                postOfficeBox $ streetAddress $                          
                facsimileTelephoneNumber $ internationalISDNNumber $     
                telephoneNumber $ teletexTerminalIdentifier $ telexNumber $
                preferredDeliveryMethod $ destinationIndicator $           
                registeredAddress $ x121Address )                          
        )                                                                  
 
# 8.3.8.  RFC822 Local Part
#                          
#  The RFC822 Local Part object class is used to define entries which
#  represent the local part of RFC822 mail addresses.  This treats this
#  part of an RFC822 address as a domain.  The usage of this object    
#  class is described in more detail in [3].                           
#                                                                      
#    rFC822localPart OBJECT-CLASS                                      
#        SUBCLASS OF domain                                            
#        MAY CONTAIN {                                                 
#            commonName,                                               
#            surname,                                                  
#            description,                                              
#            seeAlso,                                                  
#            telephoneNumber,                                          
#            postalAttributeSet,                                       
#            telecommunicationAttributeSet}                            
#    ::= {pilotObjectClass 14}                                         
#                                                                      
objectclass ( 0.9.2342.19200300.100.4.14 NAME 'RFC822localPart'        
        SUP domain STRUCTURAL                                          
        MAY ( commonName $ surname $ description $ seeAlso $ telephoneNumber $
                physicalDeliveryOfficeName $ postalAddress $ postalCode $     
                postOfficeBox $ streetAddress $                               
                facsimileTelephoneNumber $ internationalISDNNumber $          
                telephoneNumber $ teletexTerminalIdentifier $                 
                telexNumber $ preferredDeliveryMethod $ destinationIndicator $
                registeredAddress $ x121Address )                             
        )                                                                     
 
# 8.3.9.  DNS Domain
#                   
#  The DNS Domain (Domain NameServer) object class is used to define
#  entries for DNS domains.  The usage of this object class is described
#  in more detail in [3].                                               
#                                                                       
#    dNSDomain OBJECT-CLASS                                             
#        SUBCLASS OF domain                                             
#        MAY CONTAIN {                                                  
#            ARecord,                                                   
#            MDRecord,                                                  
#            MXRecord,                                                  
#            NSRecord,                                                  
#            SOARecord,                                                 
#            CNAMERecord}                                               
#    ::= {pilotObjectClass 15}                                          
#                                                                       
objectclass ( 0.9.2342.19200300.100.4.15 NAME 'dNSDomain'               
        SUP domain STRUCTURAL                                           
        MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $                
                SOARecord $ CNAMERecord )                               
        )                                                               
 
# 8.3.10.  Domain Related Object
#                               
#  The Domain Related Object object class is used to define entries
#  which represent DNS/NRS domains which are "equivalent" to an X.500
#  domain: e.g., an organisation or organisational unit.  The usage of
#  this object class is described in more detail in [3].              
#                                                                     
#    domainRelatedObject OBJECT-CLASS                                 
#        SUBCLASS OF top                                              
#        MUST CONTAIN {                                               
#            associatedDomain}                                        
#    ::= {pilotObjectClass 17}                                        
#                                                                     
objectclass ( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject'   
        DESC 'RFC1274: an object related to an domain'                
        SUP top AUXILIARY                                             
        MUST associatedDomain )                                       
 
# 8.3.11.  Friendly Country
#                          
#  The Friendly Country object class is used to define country entries
#  in the DIT.  The object class is used to allow friendlier naming of
#  countries than that allowed by the object class country.  The naming
#  attribute of object class country, countryName, has to be a 2 letter
#  string defined in ISO 3166.                                         
#                                                                      
#    friendlyCountry OBJECT-CLASS                                      
#        SUBCLASS OF country                                           
#        MUST CONTAIN {                                                
#            friendlyCountryName}                                      
#    ::= {pilotObjectClass 18}                                         
#                                                                      
objectclass ( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry'        
        SUP country STRUCTURAL                                         
        MUST friendlyCountryName )                                     
 
# 8.3.12.  Simple Security Object
#                                
#  The Simple Security Object object class is used to allow an entry to
#  have a userPassword attribute when an entry's principal object      
#  classes do not allow userPassword as an attribute type.             
#                                                                      
#    simpleSecurityObject OBJECT-CLASS                                 
#        SUBCLASS OF top                                               
#        MUST CONTAIN {                                                
#            userPassword }                                            
#    ::= {pilotObjectClass 19}                                         
#                                                                      
## (in core.schema)                                                    
## objectclass ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject'
##      SUP top AUXILIARY                                              
##      MUST userPassword )                                            
 
# 8.3.13.  Pilot Organization
#                            
#  The PilotOrganization object class is used as a sub-class of
#  organization and organizationalUnit to allow a number of additional
#  attributes to be assigned to entries of object classes organization
#  and organizationalUnit.                                            
#                                                                     
#    pilotOrganization OBJECT-CLASS                                   
#        SUBCLASS OF organization, organizationalUnit                 
#        MAY CONTAIN {                                                
#                    buildingName}                                    
#    ::= {pilotObjectClass 20}                                        
#                                                                     
objectclass ( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization'     
        SUP ( organization $ organizationalUnit ) STRUCTURAL          
        MAY buildingName )                                            
 
# 8.3.14.  Pilot DSA
#                   
#  The PilotDSA object class is used as a sub-class of the dsa object
#  class to allow additional attributes to be assigned to entries for
#  DSAs.                                                             
#                                                                    
#    pilotDSA OBJECT-CLASS                                           
#        SUBCLASS OF dsa                                             
#        MUST CONTAIN {                                              
#            dSAQuality}                                             
#    ::= {pilotObjectClass 21}                                       
#                                                                    
objectclass ( 0.9.2342.19200300.100.4.21 NAME 'pilotDSA'             
        SUP dsa STRUCTURAL                                           
        MAY dSAQuality )                                             
 
# 8.3.15.  Quality Labelled Data
#                               
#  The Quality Labelled Data object class is used to allow the
#  assignment of the data quality attributes to subtrees in the DIT.
#                                                                   
#  See [8] for more details.                                        
#                                                                   
#    qualityLabelledData OBJECT-CLASS                               
#        SUBCLASS OF top                                            
#        MUST CONTAIN {                                             
#            dSAQuality}                                            
#        MAY CONTAIN {                                              
#            subtreeMinimumQuality,                                 
#            subtreeMaximumQuality}                                 
#    ::= {pilotObjectClass 22}                                      
objectclass ( 0.9.2342.19200300.100.4.22 NAME 'qualityLabelledData' 
        SUP top AUXILIARY                                           
        MUST dsaQuality                                             
        MAY ( subtreeMinimumQuality $ subtreeMaximumQuality )       
        )                                                           
 
 
# References
#           
#    [1]  CCITT/ISO, "X.500, The Directory - overview of concepts,
#         models and services, CCITT /ISO IS 9594.                
#                                                                 
#    [2]  Kille, S., "The THORN and RARE X.500 Naming Architecture, in
#         University College London, Department of Computer Science   
#         Research Note 89/48, May 1989.                              
#                                                                     
#    [3]  Kille, S., "X.500 and Domains", RFC 1279, University College
#         London, November 1991.                                      
#                                                                     
#    [4]  Rose, M., "PSI/NYSERNet White Pages Pilot Project: Status   
#         Report", Technical Report 90-09-10-1, published by NYSERNet 
#         Inc, 1990.                                                  
#                                                                     
#    [5]  Craigie, J., "UK Academic Community Directory Service Pilot 
#         Project, pp. 305-310 in Computer Networks and ISDN Systems  
#         17 (1989), published by North Holland.                      
#                                                                     
#    [6]  Mockapetris, P., "Domain Names - Concepts and Facilities",  
#         RFC 1034, USC/Information Sciences Institute, November 1987.
#                                                                     
#    [7]  Mockapetris, P., "Domain Names - Implementation and         
#         Specification, RFC 1035, USC/Information Sciences Institute,
#         November 1987.                                              
#                                                                     
#    [8]  Kille, S., "Handling QOS (Quality of service) in the        
#         Directory," publication in process, March 1991.             
#                                                                     
#                                                                     
# APPENDIX C - Summary of all Object Classes and Attribute Types      
#                                                                     
#    -- Some Important Object Identifiers                             
#                                                                     
#    data OBJECT IDENTIFIER ::= {ccitt 9}                             
#    pss OBJECT IDENTIFIER ::= {data 2342}                            
#    ucl OBJECT IDENTIFIER ::= {pss 19200300}                         
#    pilot OBJECT IDENTIFIER ::= {ucl 100}                            
#                                                                     
#    pilotAttributeType OBJECT IDENTIFIER ::= {pilot 1}               
#    pilotAttributeSyntax OBJECT IDENTIFIER ::= {pilot 3}             
#    pilotObjectClass OBJECT IDENTIFIER ::= {pilot 4}                 
#    pilotGroups OBJECT IDENTIFIER ::= {pilot 10}                     
#                                                                     
#    iA5StringSyntax OBJECT IDENTIFIER ::= {pilotAttributeSyntax 4}   
#    caseIgnoreIA5StringSyntax OBJECT IDENTIFIER ::=                  
#                                          {pilotAttributeSyntax 5}   
#                                                                     
#    -- Standard Object Classes                                       
#                                                                     
#    top OBJECT-CLASS                                                 
#        MUST CONTAIN {                                               
#            objectClass}                                             
#    ::= {objectClass 0}                                              
#                                                                     
#                                                                     
#    alias OBJECT-CLASS                                               
#        SUBCLASS OF top                                              
#        MUST CONTAIN {                                               
#            aliasedObjectName}                                       
#    ::= {objectClass 1}                                              
#                                                                     
#                                                                     
#    country OBJECT-CLASS                                             
#        SUBCLASS OF top                                              
#        MUST CONTAIN {                                               
#            countryName}                                             
#        MAY CONTAIN {                                                
#            description,                                             
#            searchGuide}                                             
#    ::= {objectClass 2}                                              
#                                                                     
#                                                                     
#    locality OBJECT-CLASS                                            
#        SUBCLASS OF top                                              
#        MAY CONTAIN {                                                
#            description,                                             
#            localityName,                                            
#            stateOrProvinceName,                                     
#            searchGuide,                                             
#            seeAlso,                                                 
#            streetAddress}                                           
#    ::= {objectClass 3}                                              
#                                                                     
#                                                                     
#    organization OBJECT-CLASS                                        
#        SUBCLASS OF top                                              
#        MUST CONTAIN {                                               
#            organizationName}                                        
#        MAY CONTAIN {                                                
#            organizationalAttributeSet}                              
#    ::= {objectClass 4}                                              
#                                                                     
#                                                                     
#    organizationalUnit OBJECT-CLASS                                  
#        SUBCLASS OF top                                              
#        MUST CONTAIN {                                               
#            organizationalUnitName}                                  
#        MAY CONTAIN {                                                
#            organizationalAttributeSet}                              
#    ::= {objectClass 5}                                              
#                                                                     
#                                                                     
#    person OBJECT-CLASS                                              
#        SUBCLASS OF top                                              
#        MUST CONTAIN {                                               
#            commonName,                                              
#            surname}                                                 
#        MAY CONTAIN {                                                
#            description,                                             
#            seeAlso,                                                 
#            telephoneNumber,                                         
#            userPassword}                                            
#    ::= {objectClass 6}                                              
#                                                                     
#                                                                     
#    organizationalPerson OBJECT-CLASS                                
#        SUBCLASS OF person                                           
#        MAY CONTAIN {                                                
#            localeAttributeSet,                                      
#            organizationalUnitName,                                  
#            postalAttributeSet,                                      
#            telecommunicationAttributeSet,                           
#            title}                                                   
#    ::= {objectClass 7}                                              
#                                                                     
#                                                                     
#    organizationalRole OBJECT-CLASS                                  
#        SUBCLASS OF top                                              
#        MUST CONTAIN {                                               
#            commonName}                                              
#        MAY CONTAIN {                                                
#            description,                                             
#            localeAttributeSet,                                      
#            organizationalUnitName,                                  
#            postalAttributeSet,                                      
#            preferredDeliveryMethod,                                 
#            roleOccupant,                                            
#            seeAlso,                                                 
#            telecommunicationAttributeSet}                           
#    ::= {objectClass 8}                                              
#                                                                     
#                                                                     
#    groupOfNames OBJECT-CLASS                                        
#        SUBCLASS OF top                                              
#        MUST CONTAIN {                                               
#            commonName,                                              
#            member}                                                  
#        MAY CONTAIN {                                                
#            description,                                             
#            organizationName,                                        
#            organizationalUnitName,                                  
#            owner,                                                   
#            seeAlso,                                                 
#            businessCategory}                                        
#    ::= {objectClass 9}                                              
#                                                                     
#                                                                     
#    residentialPerson OBJECT-CLASS                                   
#        SUBCLASS OF person                                           
#        MUST CONTAIN {                                               
#            localityName}                                            
#        MAY CONTAIN {                                                
#            localeAttributeSet,                                      
#            postalAttributeSet,                                      
#            preferredDeliveryMethod,                                 
#            telecommunicationAttributeSet,                           
#            businessCategory}                                        
#    ::= {objectClass 10}                                             
#                                                                     
#                                                                     
#    applicationProcess OBJECT-CLASS                                  
#        SUBCLASS OF top                                              
#        MUST CONTAIN {                                               
#            commonName}                                              
#        MAY CONTAIN {                                                
#            description,                                             
#            localityName,                                            
#            organizationalUnitName,                                  
#            seeAlso}                                                 
#    ::= {objectClass 11}                                             
#                                                                     
#                                                                     
#    applicationEntity OBJECT-CLASS                                   
#        SUBCLASS OF top                                              
#        MUST CONTAIN {                                               
#            commonName,                                              
#            presentationAddress}                                     
#        MAY CONTAIN {                                                
#            description,                                             
#            localityName,                                            
#            organizationName,                                        
#            organizationalUnitName,                                  
#            seeAlso,                                                 
#            supportedApplicationContext}                             
#    ::= {objectClass 12}                                             
#                                                                     
#                                                                     
#    dSA OBJECT-CLASS                                                 
#        SUBCLASS OF applicationEntity                                
#        MAY CONTAIN {                                                
#            knowledgeInformation}                                    
#    ::= {objectClass 13}                                             
#                                                                     
#                                                                     
#    device OBJECT-CLASS                                              
#        SUBCLASS OF top                                              
#        MUST CONTAIN {                                               
#            commonName}                                              
#        MAY CONTAIN {                                                
#            description,                                             
#            localityName,                                            
#            organizationName,                                        
#            organizationalUnitName,                                  
#            owner,                                                   
#            seeAlso,                                                 
#            serialNumber}                                            
#    ::= {objectClass 14}                                             
#                                                                     
#                                                                     
#    strongAuthenticationUser OBJECT-CLASS                            
#        SUBCLASS OF top                                              
#        MUST CONTAIN {                                               
#            userCertificate}                                         
#    ::= {objectClass 15}                                             
#                                                                     
#                                                                     
#    certificationAuthority OBJECT-CLASS                              
#        SUBCLASS OF top                                              
#        MUST CONTAIN {                                               
#            cACertificate,                                           
#            certificateRevocationList,                               
#            authorityRevocationList}                                 
#        MAY CONTAIN {                                                
#            crossCertificatePair}                                    
#    ::= {objectClass 16}                                             
#                                                                     
#    -- Standard MHS Object Classes                                   
#                                                                     
#    mhsDistributionList OBJECT-CLASS                                 
#        SUBCLASS OF top                                              
#        MUST CONTAIN {                                               
#            commonName,                                              
#            mhsDLSubmitPermissions,                                  
#            mhsORAddresses}                                          
#        MAY CONTAIN {                                                
#            description,                                             
#            organizationName,                                        
#            organizationalUnitName,                                  
#            owner,                                                   
#            seeAlso,                                                 
#            mhsDeliverableContentTypes,                              
#            mhsdeliverableEits,                                      
#            mhsDLMembers,                                            
#            mhsPreferredDeliveryMethods}                             
#    ::= {mhsObjectClass 0}                                           
#                                                                     
#                                                                     
#    mhsMessageStore OBJECT-CLASS                                     
#        SUBCLASS OF applicationEntity                                
#        MAY CONTAIN {                                                
#            description,                                             
#            owner,                                                   
#            mhsSupportedOptionalAttributes,                          
#            mhsSupportedAutomaticActions,                            
#            mhsSupportedContentTypes}                                
#    ::= {mhsObjectClass 1}                                           
#                                                                     
#                                                                     
#    mhsMessageTransferAgent OBJECT-CLASS                             
#        SUBCLASS OF applicationEntity                                
#        MAY CONTAIN {                                                
#            description,                                             
#            owner,                                                   
#            mhsDeliverableContentLength}                             
#    ::= {mhsObjectClass 2}                                           
#                                                                     
#                                                                     
#    mhsOrganizationalUser OBJECT-CLASS                               
#        SUBCLASS OF organizationalPerson                             
#        MUST CONTAIN {                                               
#            mhsORAddresses}                                          
#        MAY CONTAIN {                                                
#            mhsDeliverableContentLength,                             
#            mhsDeliverableContentTypes,                              
#            mhsDeliverableEits,                                      
#            mhsMessageStoreName,                                     
#            mhsPreferredDeliveryMethods }                            
#    ::= {mhsObjectClass 3}                                           
#                                                                     
#                                                                     
#    mhsResidentialUser OBJECT-CLASS                                  
#        SUBCLASS OF residentialPerson                                
#        MUST CONTAIN {                                               
#            mhsORAddresses}                                          
#        MAY CONTAIN {                                                
#            mhsDeliverableContentLength,                             
#            mhsDeliverableContentTypes,                              
#            mhsDeliverableEits,                                      
#            mhsMessageStoreName,                                     
#            mhsPreferredDeliveryMethods }                            
#    ::= {mhsObjectClass 4}                                           
#                                                                     
#                                                                     
#    mhsUserAgent OBJECT-CLASS                                        
#        SUBCLASS OF applicationEntity                                
#        MAY CONTAIN {                                                
#            mhsDeliverableContentLength,                             
#            mhsDeliverableContentTypes,                              
#            mhsDeliverableEits,                                      
#            mhsORAddresses,                                          
#            owner}                                                   
#    ::= {mhsObjectClass 5}                                           
#                                                                     
#                                                                     
#                                                                     
#                                                                     
#    -- Pilot Object Classes                                          
#                                                                     
#    pilotObject OBJECT-CLASS                                         
#        SUBCLASS OF top                                              
#        MAY CONTAIN {                                                
#            info,                                                    
#            photo,                                                   
#            manager,                                                 
#            uniqueIdentifier,                                        
#            lastModifiedTime,                                        
#            lastModifiedBy,                                          
#            dITRedirect,                                             
#            audio}                                                   
#    ::= {pilotObjectClass 3}                                         
#    pilotPerson OBJECT-CLASS                                         
#        SUBCLASS OF person                                           
#        MAY CONTAIN {                                                
#                    userid,                                          
#                    textEncodedORAddress,                            
#                    rfc822Mailbox,                                   
#                    favouriteDrink,                                  
#                    roomNumber,                                      
#                    userClass,                                       
#                    homeTelephoneNumber,                             
#                    homePostalAddress,                               
#                    secretary,                                       
#                    personalTitle,                                   
#                    preferredDeliveryMethod,                         
#                    businessCategory,                                
#                    janetMailbox,                                    
#                    otherMailbox,                                    
#                    mobileTelephoneNumber,                           
#                    pagerTelephoneNumber,                            
#                    organizationalStatus,                            
#                    mailPreferenceOption,                            
#                    personalSignature}                               
#    ::= {pilotObjectClass 4}                                         
#                                                                     
#                                                                     
#    account OBJECT-CLASS                                             
#        SUBCLASS OF top                                              
#        MUST CONTAIN {                                               
#            userid}                                                  
#        MAY CONTAIN {                                                
#            description,                                             
#            seeAlso,                                                 
#            localityName,                                            
#            organizationName,                                        
#            organizationalUnitName,                                  
#            host}                                                    
#    ::= {pilotObjectClass 5}                                         
#                                                                     
#                                                                     
#    document OBJECT-CLASS                                            
#        SUBCLASS OF top                                              
#        MUST CONTAIN {                                               
#            documentIdentifier}                                      
#        MAY CONTAIN {                                                
#            commonName,                                              
#            description,                                             
#            seeAlso,                                                 
#            localityName,                                            
#            organizationName,                                        
#            organizationalUnitName,                                  
#            documentTitle,                                           
#            documentVersion,                                         
#            documentAuthor,                                          
#            documentLocation,                                        
#            documentPublisher}                                       
#    ::= {pilotObjectClass 6}                                         
#                                                                     
#                                                                     
#    room OBJECT-CLASS                                                
#        SUBCLASS OF top                                              
#        MUST CONTAIN {                                               
#            commonName}                                              
#        MAY CONTAIN {                                                
#            roomNumber,                                              
#            description,                                             
#            seeAlso,                                                 
#            telephoneNumber}                                         
#    ::= {pilotObjectClass 7}                                         
#                                                                     
#                                                                     
#    documentSeries OBJECT-CLASS                                      
#        SUBCLASS OF top                                              
#        MUST CONTAIN {                                               
#            commonName}                                              
#        MAY CONTAIN {                                                
#            description,                                             
#            seeAlso,                                                 
#            telephoneNumber,                                         
#            localityName,                                            
#            organizationName,                                        
#            organizationalUnitName}                                  
#    ::= {pilotObjectClass 9}                                         
#                                                                     
#                                                                     
#    domain OBJECT-CLASS                                              
#        SUBCLASS OF top                                              
#        MUST CONTAIN {                                               
#            domainComponent}                                         
#        MAY CONTAIN {                                                
#            associatedName,                                          
#            organizationName,                                        
#            organizationalAttributeSet}                              
#    ::= {pilotObjectClass 13}                                        
#                                                                     
#                                                                     
#    rFC822localPart OBJECT-CLASS                                     
#        SUBCLASS OF domain                                           
#        MAY CONTAIN {                                                
#            commonName,                                              
#            surname,                                                 
#            description,                                             
#            seeAlso,                                                 
#            telephoneNumber,                                         
#            postalAttributeSet,                                      
#            telecommunicationAttributeSet}                           
#    ::= {pilotObjectClass 14}                                        
#                                                                     
#                                                                     
#    dNSDomain OBJECT-CLASS                                           
#        SUBCLASS OF domain                                           
#        MAY CONTAIN {                                                
#            ARecord,                                                 
#            MDRecord,                                                
#            MXRecord,                                                
#            NSRecord,                                                
#            SOARecord,                                               
#            CNAMERecord}                                             
#    ::= {pilotObjectClass 15}                                        
#                                                                     
#                                                                     
#    domainRelatedObject OBJECT-CLASS                                 
#        SUBCLASS OF top                                              
#        MUST CONTAIN {                                               
#            associatedDomain}                                        
#    ::= {pilotObjectClass 17}                                        
#                                                                     
#                                                                     
#    friendlyCountry OBJECT-CLASS                                     
#        SUBCLASS OF country                                          
#        MUST CONTAIN {                                               
#            friendlyCountryName}                                     
#    ::= {pilotObjectClass 18}                                        
#                                                                     
#                                                                     
#    simpleSecurityObject OBJECT-CLASS                                
#        SUBCLASS OF top                                              
#        MUST CONTAIN {                                               
#            userPassword }                                           
#    ::= {pilotObjectClass 19}                                        
#                                                                     
#                                                                     
#    pilotOrganization OBJECT-CLASS                                   
#        SUBCLASS OF organization, organizationalUnit                 
#        MAY CONTAIN {                                                
#                    buildingName}                                    
#    ::= {pilotObjectClass 20}                                        
#                                                                     
#                                                                     
#    pilotDSA OBJECT-CLASS                                            
#        SUBCLASS OF dsa                                              
#        MUST CONTAIN {                                               
#            dSAQuality}                                              
#    ::= {pilotObjectClass 21}                                        
#                                                                     
#                                                                     
#    qualityLabelledData OBJECT-CLASS                                 
#        SUBCLASS OF top                                              
#        MUST CONTAIN {                                               
#            dSAQuality}                                              
#        MAY CONTAIN {                                                
#            subtreeMinimumQuality,                                   
#            subtreeMaximumQuality}                                   
#    ::= {pilotObjectClass 22}                                        
#                                                                     
#                                                                     
#                                                                     
#                                                                     
#    -- Standard Attribute Types                                      
#                                                                     
#    objectClass ObjectClass                                          
#        ::= {attributeType 0}                                        
#                                                                     
#                                                                     
#    aliasedObjectName AliasedObjectName                              
#        ::= {attributeType 1}                                        
#                                                                     
#                                                                     
#    knowledgeInformation ATTRIBUTE                                   
#        WITH ATTRIBUTE-SYNTAX caseIgnoreString                       
#        ::= {attributeType 2}                                        
#                                                                     
#                                                                     
#    commonName ATTRIBUTE                                             
#        WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax                 
#        (SIZE (1..ub-common-name))                                   
#        ::= {attributeType 3}                                        
#                                                                     
#                                                                     
#    surname ATTRIBUTE                                                
#        WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax                 
#        (SIZE (1..ub-surname))                                       
#        ::= {attributeType 4}                                        
#                                                                     
#                                                                     
#    serialNumber ATTRIBUTE                                           
#        WITH ATTRIBUTE-SYNTAX printableStringSyntax                  
#        (SIZE (1..ub-serial-number))                                 
#        ::= {attributeType 5}                                        
#                                                                     
#                                                                     
#    countryName ATTRIBUTE                                            
#        WITH ATTRIBUTE-SYNTAX PrintableString                        
#        (SIZE (1..ub-country-code))                                  
#        SINGLE VALUE                                                 
#        ::= {attributeType 6}                                        
#                                                                     
#                                                                     
#    localityName ATTRIBUTE                                           
#        WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax                 
#        (SIZE (1..ub-locality-name))                                 
#        ::= {attributeType 7}                                        
#                                                                     
#                                                                     
#    stateOrProvinceName ATTRIBUTE                                    
#        WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax                 
#        (SIZE (1..ub-state-name))                                    
#        ::= {attributeType 8}                                        
#                                                                     
#                                                                     
#    streetAddress ATTRIBUTE                                          
#        WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax                 
#        (SIZE (1..ub-street-address))                                
#        ::= {attributeType 9}                                        
#                                                                     
#                                                                     
#    organizationName ATTRIBUTE                                       
#        WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax                 
#        (SIZE (1..ub-organization-name))                             
#        ::= {attributeType 10}                                       
#                                                                     
#                                                                     
#    organizationalUnitName ATTRIBUTE                                 
#        WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax                 
#        (SIZE (1..ub-organizational-unit-name))                      
#        ::= {attributeType 11}                                       
#                                                                     
#                                                                     
#    title ATTRIBUTE                                                  
#        WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax                 
#        (SIZE (1..ub-title))                                         
#        ::= {attributeType 12}                                       
#                                                                     
#                                                                     
#    description ATTRIBUTE                                            
#        WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax                 
#        (SIZE (1..ub-description))                                   
#        ::= {attributeType 13}                                       
#                                                                     
#                                                                     
#    searchGuide ATTRIBUTE                                            
#        WITH ATTRIBUTE-SYNTAX Guide                                  
#        ::= {attributeType 14}                                       
#                                                                     
#                                                                     
#    businessCategory ATTRIBUTE                                       
#        WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax                 
#        (SIZE (1..ub-business-category))                             
#        ::= {attributeType 15}                                       
#                                                                     
#                                                                     
#    postalAddress ATTRIBUTE                                          
#        WITH ATTRIBUTE-SYNTAX PostalAddress                          
#        MATCHES FOR EQUALITY                                         
#        ::= {attributeType 16}                                       
#                                                                     
#                                                                     
#    postalCode ATTRIBUTE                                             
#        WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax                 
#        (SIZE (1..ub-postal-code))                                   
#        ::= {attributeType 17}                                       
#                                                                     
#                                                                     
#    postOfficeBox ATTRIBUTE                                          
#        WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax                 
#        (SIZE (1..ub-post-office-box))                               
#        ::= {attributeType 18}                                       
#                                                                     
#                                                                     
#    physicalDeliveryOfficeName ATTRIBUTE                             
#        WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax                 
#        (SIZE (1..ub-physical-office-name))                          
#        ::= {attributeType 19}                                       
#                                                                     
#                                                                     
#    telephoneNumber ATTRIBUTE                                        
#        WITH ATTRIBUTE-SYNTAX telephoneNumberSyntax                  
#        (SIZE (1..ub-telephone-number))                              
#        ::= {attributeType 20}                                       
#                                                                     
#                                                                     
#    telexNumber ATTRIBUTE                                            
#        WITH ATTRIBUTE-SYNTAX TelexNumber                            
#        (SIZE (1..ub-telex))                                         
#        ::= {attributeType 21}                                       
#                                                                     
#                                                                     
#    teletexTerminalIdentifier ATTRIBUTE                              
#        WITH ATTRIBUTE-SYNTAX TeletexTerminalIdentifier              
#        (SIZE (1..ub-teletex-terminal-id))                           
#        ::= {attributeType 22}                                       
#                                                                     
#                                                                     
#    facsimileTelephoneNumber ATTRIBUTE                               
#        WITH ATTRIBUTE-SYNTAX FacsimileTelephoneNumber               
#        ::= {attributeType 23}                                       
#                                                                     
#                                                                     
#    x121Address ATTRIBUTE                                            
#        WITH ATTRIBUTE-SYNTAX NumericString                          
#        (SIZE (1..ub-x121-address))                                  
#        ::= {attributeType 24}                                       
#                                                                     
#                                                                     
#    internationaliSDNNumber ATTRIBUTE                                
#        WITH ATTRIBUTE-SYNTAX NumericString                          
#        (SIZE (1..ub-isdn-address))                                  
#        ::= {attributeType 25}                                       
#                                                                     
#                                                                     
#    registeredAddress ATTRIBUTE                                      
#        WITH ATTRIBUTE-SYNTAX PostalAddress                          
#        ::= {attributeType 26}                                       
#                                                                     
#                                                                     
#    destinationIndicator ATTRIBUTE                                   
#        WITH ATTRIBUTE-SYNTAX PrintableString                        
#        (SIZE (1..ub-destination-indicator))                         
#        MATCHES FOR EQUALITY SUBSTRINGS                              
#        ::= {attributeType 27}                                       
#                                                                     
#                                                                     
#    preferredDeliveryMethod ATTRIBUTE                                
#        WITH ATTRIBUTE-SYNTAX deliveryMethod                         
#        ::= {attributeType 28}                                       
#                                                                     
#                                                                     
#    presentationAddress ATTRIBUTE                                    
#        WITH ATTRIBUTE-SYNTAX PresentationAddress                    
#        MATCHES FOR EQUALITY                                         
#        ::= {attributeType 29}                                       
#                                                                     
#                                                                     
#    supportedApplicationContext ATTRIBUTE                            
#        WITH ATTRIBUTE-SYNTAX objectIdentifierSyntax                 
#        ::= {attributeType 30}                                       
#                                                                     
#                                                                     
#    member ATTRIBUTE                                                 
#        WITH ATTRIBUTE-SYNTAX distinguishedNameSyntax                
#        ::= {attributeType 31}                                       
#                                                                     
#                                                                     
#    owner ATTRIBUTE                                                  
#        WITH ATTRIBUTE-SYNTAX distinguishedNameSyntax                
#        ::= {attributeType 32}                                       
#                                                                     
#                                                                     
#    roleOccupant ATTRIBUTE                                           
#        WITH ATTRIBUTE-SYNTAX distinguishedNameSyntax                
#        ::= {attributeType 33}                                       
#                                                                     
#                                                                     
#    seeAlso ATTRIBUTE                                                
#        WITH ATTRIBUTE-SYNTAX distinguishedNameSyntax                
#        ::= {attributeType 34}                                       
#                                                                     
#                                                                     
#    userPassword ATTRIBUTE                                           
#        WITH ATTRIBUTE-SYNTAX Userpassword                           
#        ::= {attributeType 35}                                       
#                                                                     
#                                                                     
#    userCertificate ATTRIBUTE                                        
#        WITH ATTRIBUTE-SYNTAX UserCertificate                        
#        ::= {attributeType 36}                                       
#                                                                     
#                                                                     
#    cACertificate ATTRIBUTE                                          
#        WITH ATTRIBUTE-SYNTAX cACertificate                          
#        ::= {attributeType 37}                                       
#                                                                     
#                                                                     
#    authorityRevocationList ATTRIBUTE                                
#        WITH ATTRIBUTE-SYNTAX AuthorityRevocationList                
#        ::= {attributeType 38}                                       
#                                                                     
#                                                                     
#    certificateRevocationList ATTRIBUTE                              
#        WITH ATTRIBUTE-SYNTAX CertificateRevocationList              
#        ::= {attributeType 39}                                       
#                                                                     
#                                                                     
#    crossCertificatePair ATTRIBUTE                                   
#        WITH ATTRIBUTE-SYNTAX CrossCertificatePair                   
#        ::= {attributeType 40}                                       
#                                                                     
#                                                                     
#                                                                     
#                                                                     
#    -- Standard MHS Attribute Types                                  
#                                                                     
#    mhsDeliverableContentLength ATTRIBUTE                            
#        WITH ATTRIBUTE-SYNTAX integer                                
#        ::= {mhsAttributeType 0}                                     
#                                                                     
#                                                                     
#    mhsDeliverableContentTypes ATTRIBUTE                             
#        WITH ATTRIBUTE-SYNTAX oID                                    
#        ::= {mhsAttributeType 1}                                     
#                                                                     
#                                                                     
#    mhsDeliverableEits ATTRIBUTE                                     
#        WITH ATTRIBUTE-SYNTAX oID                                    
#        ::= {mhsAttributeType 2}                                     
#                                                                     
#                                                                     
#    mhsDLMembers ATTRIBUTE                                           
#        WITH ATTRIBUTE-SYNTAX oRName                                 
#        ::= {mhsAttributeType 3}                                     
#                                                                     
#                                                                     
#    mhsDLSubmitPermissions ATTRIBUTE                                 
#        WITH ATTRIBUTE-SYNTAX dLSubmitPermission                     
#        ::= {mhsAttributeType 4}                                     
#                                                                     
#                                                                     
#    mhsMessageStoreName ATTRIBUTE                                    
#        WITH ATTRIBUTE-SYNTAX dN                                     
#        ::= {mhsAttributeType 5}                                     
#                                                                     
#                                                                     
#    mhsORAddresses ATTRIBUTE                                         
#        WITH ATTRIBUTE-SYNTAX oRAddress                              
#        ::= {mhsAttributeType 6}                                     
#                                                                     
#                                                                     
#    mhsPreferredDeliveryMethods ATTRIBUTE                            
#        WITH ATTRIBUTE-SYNTAX deliveryMethod                         
#        ::= {mhsAttributeType 7}                                     
#                                                                     
#                                                                     
#    mhsSupportedAutomaticActions ATTRIBUTE                           
#        WITH ATTRIBUTE-SYNTAX oID                                    
#        ::= {mhsAttributeType 8}                                     
#                                                                     
#                                                                     
#    mhsSupportedContentTypes ATTRIBUTE                               
#                                                                     
#        WITH ATTRIBUTE-SYNTAX oID                                    
#        ::= {mhsAttributeType 9}                                     
#                                                                     
#                                                                     
#    mhsSupportedOptionalAttributes ATTRIBUTE                         
#        WITH ATTRIBUTE-SYNTAX oID                                    
#        ::= {mhsAttributeType 10}                                    
#                                                                     
#                                                                     
#                                                                     
#                                                                     
#    -- Pilot Attribute Types                                         
#                                                                     
#    userid ATTRIBUTE                                                 
#        WITH ATTRIBUTE-SYNTAX                                        
#            caseIgnoreStringSyntax                                   
#            (SIZE (1 .. ub-user-identifier))                         
#    ::= {pilotAttributeType 1}                                       
#                                                                     
#                                                                     
#    textEncodedORAddress ATTRIBUTE                                   
#        WITH ATTRIBUTE-SYNTAX                                        
#            caseIgnoreStringSyntax                                   
#        (SIZE (1 .. ub-text-encoded-or-address))                     
#    ::= {pilotAttributeType 2}                                       
#                                                                     
#                                                                     
#    rfc822Mailbox ATTRIBUTE                                          
#        WITH ATTRIBUTE-SYNTAX                                        
#            caseIgnoreIA5StringSyntax                                
#            (SIZE (1 .. ub-rfc822-mailbox))                          
#    ::= {pilotAttributeType 3}                                       
#                                                                     
#                                                                     
#    info ATTRIBUTE                                                   
#        WITH ATTRIBUTE-SYNTAX                                        
#            caseIgnoreStringSyntax                                   
#            (SIZE (1 .. ub-information))                             
#    ::= {pilotAttributeType 4}                                       
#                                                                     
#                                                                     
#    favouriteDrink ATTRIBUTE                                         
#        WITH ATTRIBUTE-SYNTAX                                        
#            caseIgnoreStringSyntax                                   
#            (SIZE (1 .. ub-favourite-drink))                         
#    ::= {pilotAttributeType 5}                                       
#                                                                     
#                                                                     
#    roomNumber ATTRIBUTE                                             
#        WITH ATTRIBUTE-SYNTAX                                        
#            caseIgnoreStringSyntax                                   
#            (SIZE (1 .. ub-room-number))                             
#    ::= {pilotAttributeType 6}                                       
#                                                                     
#                                                                     
#    photo ATTRIBUTE                                                  
#        WITH ATTRIBUTE-SYNTAX                                        
#            CHOICE {                                                 
#                g3-facsimile [3] G3FacsimileBodyPart                 
#                }                                                    
#        (SIZE (1 .. ub-photo))                                       
#    ::= {pilotAttributeType 7}                                       
#                                                                     
#                                                                     
#    userClass ATTRIBUTE                                              
#        WITH ATTRIBUTE-SYNTAX                                        
#            caseIgnoreStringSyntax                                   
#            (SIZE (1 .. ub-user-class))                              
#    ::= {pilotAttributeType 8}                                       
#                                                                     
#                                                                     
#    host ATTRIBUTE                                                   
#        WITH ATTRIBUTE-SYNTAX                                        
#            caseIgnoreStringSyntax                                   
#            (SIZE (1 .. ub-host))                                    
#    ::= {pilotAttributeType 9}                                       
#                                                                     
#                                                                     
#    manager ATTRIBUTE                                                
#        WITH ATTRIBUTE-SYNTAX                                        
#            distinguishedNameSyntax                                  
#    ::= {pilotAttributeType 10}                                      
#                                                                     
#                                                                     
#    documentIdentifier ATTRIBUTE                                     
#        WITH ATTRIBUTE-SYNTAX                                        
#            caseIgnoreStringSyntax                                   
#            (SIZE (1 .. ub-document-identifier))                     
#    ::= {pilotAttributeType 11}                                      
#                                                                     
#                                                                     
#    documentTitle ATTRIBUTE                                          
#        WITH ATTRIBUTE-SYNTAX                                        
#            caseIgnoreStringSyntax                                   
#        (SIZE (1 .. ub-document-title))                              
#    ::= {pilotAttributeType 12}                                      
#                                                                     
#                                                                     
#    documentVersion ATTRIBUTE                                        
#        WITH ATTRIBUTE-SYNTAX                                        
#            caseIgnoreStringSyntax                                   
#            (SIZE (1 .. ub-document-version))                        
#    ::= {pilotAttributeType 13}                                      
#                                                                     
#                                                                     
#    documentAuthor ATTRIBUTE                                         
#        WITH ATTRIBUTE-SYNTAX                                        
#            distinguishedNameSyntax                                  
#    ::= {pilotAttributeType 14}                                      
#                                                                     
#                                                                     
#    documentLocation ATTRIBUTE                                       
#        WITH ATTRIBUTE-SYNTAX                                        
#            caseIgnoreStringSyntax                                   
#            (SIZE (1 .. ub-document-location))                       
#    ::= {pilotAttributeType 15}                                      
#                                                                     
#                                                                     
#    homeTelephoneNumber ATTRIBUTE                                    
#        WITH ATTRIBUTE-SYNTAX                                        
#            telephoneNumberSyntax                                    
#    ::= {pilotAttributeType 20}                                      
#                                                                     
#                                                                     
#    secretary ATTRIBUTE                                              
#        WITH ATTRIBUTE-SYNTAX                                        
#            distinguishedNameSyntax                                  
#    ::= {pilotAttributeType 21}                                      
#                                                                     
#                                                                     
#    otherMailbox ATTRIBUTE                                           
#        WITH ATTRIBUTE-SYNTAX                                        
#            SEQUENCE {                                               
#                    mailboxType PrintableString, -- e.g. Telemail    
#                    mailbox IA5String  -- e.g. X378:Joe              
#            }                                                        
#    ::= {pilotAttributeType 22}                                      
#                                                                     
#                                                                     
#    lastModifiedTime ATTRIBUTE                                       
#        WITH ATTRIBUTE-SYNTAX                                        
#            uTCTimeSyntax                                            
#    ::= {pilotAttributeType 23}                                      
#                                                                     
#                                                                     
#    lastModifiedBy ATTRIBUTE                                         
#        WITH ATTRIBUTE-SYNTAX                                        
#            distinguishedNameSyntax                                  
#    ::= {pilotAttributeType 24}                                      
#                                                                     
#                                                                     
#    domainComponent ATTRIBUTE                                        
#        WITH ATTRIBUTE-SYNTAX                                        
#            caseIgnoreIA5StringSyntax                                
#            SINGLE VALUE                                             
#    ::= {pilotAttributeType 25}                                      
#                                                                     
#                                                                     
#    aRecord ATTRIBUTE                                                
#        WITH ATTRIBUTE-SYNTAX                                        
#            DNSRecordSyntax                                          
#    ::= {pilotAttributeType 26}                                      
#                                                                     
#                                                                     
#    mXRecord ATTRIBUTE                                               
#        WITH ATTRIBUTE-SYNTAX                                        
#            DNSRecordSyntax                                          
#    ::= {pilotAttributeType 28}                                      
#                                                                     
#                                                                     
#    nSRecord ATTRIBUTE                                               
#        WITH ATTRIBUTE-SYNTAX                                        
#            DNSRecordSyntax                                          
#    ::= {pilotAttributeType 29}                                      
#                                                                     
#    sOARecord ATTRIBUTE                                              
#        WITH ATTRIBUTE-SYNTAX                                        
#            DNSRecordSyntax                                          
#    ::= {pilotAttributeType 30}                                      
#                                                                     
#                                                                     
#    cNAMERecord ATTRIBUTE                                            
#        WITH ATTRIBUTE-SYNTAX                                        
#            iA5StringSyntax                                          
#    ::= {pilotAttributeType 31}                                      
#                                                                     
#                                                                     
#    associatedDomain ATTRIBUTE                                       
#        WITH ATTRIBUTE-SYNTAX                                        
#            caseIgnoreIA5StringSyntax                                
#    ::= {pilotAttributeType 37}                                      
#                                                                     
#                                                                     
#    associatedName ATTRIBUTE                                         
#        WITH ATTRIBUTE-SYNTAX                                        
#            distinguishedNameSyntax                                  
#    ::= {pilotAttributeType 38}                                      
#                                                                     
#                                                                     
#    homePostalAddress ATTRIBUTE                                      
#        WITH ATTRIBUTE-SYNTAX                                        
#            postalAddress                                            
#            MATCHES FOR EQUALITY                                     
#    ::= {pilotAttributeType 39}                                      
#                                                                     
#                                                                     
#    personalTitle ATTRIBUTE                                          
#        WITH ATTRIBUTE-SYNTAX                                        
#            caseIgnoreStringSyntax                                   
#            (SIZE (1 .. ub-personal-title))                          
#    ::= {pilotAttributeType 40}                                      
#                                                                     
#                                                                     
#    mobileTelephoneNumber ATTRIBUTE                                  
#        WITH ATTRIBUTE-SYNTAX                                        
#            telephoneNumberSyntax                                    
#    ::= {pilotAttributeType 41}                                      
#                                                                     
#                                                                     
#    pagerTelephoneNumber ATTRIBUTE                                   
#        WITH ATTRIBUTE-SYNTAX                                        
#            telephoneNumberSyntax                                    
#    ::= {pilotAttributeType 42}                                      
#                                                                     
#                                                                     
#    friendlyCountryName ATTRIBUTE                                    
#        WITH ATTRIBUTE-SYNTAX                                        
#            caseIgnoreStringSyntax                                   
#    ::= {pilotAttributeType 43}                                      
#                                                                     
#                                                                     
#    uniqueIdentifier ATTRIBUTE                                       
#        WITH ATTRIBUTE-SYNTAX                                        
#            caseIgnoreStringSyntax                                   
#            (SIZE (1 .. ub-unique-identifier))                       
#    ::= {pilotAttributeType 44}                                      
#                                                                     
#                                                                     
#    organizationalStatus ATTRIBUTE                                   
#            WITH ATTRIBUTE-SYNTAX                                    
#            caseIgnoreStringSyntax                                   
#            (SIZE (1 .. ub-organizational-status))                   
#    ::= {pilotAttributeType 45}                                      
#                                                                     
#                                                                     
#    janetMailbox ATTRIBUTE                                           
#        WITH ATTRIBUTE-SYNTAX                                        
#            caseIgnoreIA5StringSyntax                                
#            (SIZE (1 .. ub-janet-mailbox))                           
#    ::= {pilotAttributeType 46}                                      
#                                                                     
#                                                                     
#    mailPreferenceOption ATTRIBUTE                                   
#        WITH ATTRIBUTE-SYNTAX ENUMERATED {                           
#                no-list-inclusion(0),                                
#                any-list-inclusion(1),  -- may be added to any lists 
#                professional-list-inclusion(2)                       
#                                        -- may be added to lists     
#                                        -- which the list provider   
#                                        -- views as related to the   
#                                        -- users professional inter- 
#                                        -- ests, perhaps evaluated   
#                                        -- from the business of the  
#                                        -- organisation or keywords  
#                                        -- in the entry.             
#                }                                                    
#    ::= {pilotAttributeType 47}                                      
#                                                                     
#                                                                     
#    buildingName ATTRIBUTE                                           
#        WITH ATTRIBUTE-SYNTAX                                        
#            caseIgnoreStringSyntax                                   
#            (SIZE (1 .. ub-building-name))                           
#    ::= {pilotAttributeType 48}                                      
#                                                                     
#                                                                     
#    dSAQuality ATTRIBUTE                                             
#            WITH ATTRIBUTE-SYNTAX DSAQualitySyntax                   
#            SINGLE VALUE                                             
#    ::= {pilotAttributeType 49}                                      
#                                                                     
#                                                                     
#    singleLevelQuality ATTRIBUTE                                     
#            WITH ATTRIBUTE-SYNTAX DataQualitySyntax                  
#            SINGLE VALUE                                             
#                                                                     
#                                                                     
#    subtreeMinimumQuality ATTRIBUTE                                  
#            WITH ATTRIBUTE-SYNTAX DataQualitySyntax                  
#            SINGLE VALUE                                             
#               -- Defaults to singleLevelQuality                     
#    ::= {pilotAttributeType 51}                                      
#                                                                     
#                                                                     
#    subtreeMaximumQuality ATTRIBUTE                                  
#            WITH ATTRIBUTE-SYNTAX DataQualitySyntax                  
#            SINGLE VALUE                                             
#               -- Defaults to singleLevelQuality                     
#    ::= {pilotAttributeType 52}                                      
#                                                                     
#                                                                     
#    personalSignature ATTRIBUTE                                      
#        WITH ATTRIBUTE-SYNTAX                                        
#            CHOICE {                                                 
#                g3-facsimile [3] G3FacsimileBodyPart                 
#                }                                                    
#        (SIZE (1 .. ub-personal-signature))                          
#    ::= {pilotAttributeType 53}                                      
#                                                                     
#                                                                     
#    dITRedirect ATTRIBUTE                                            
#        WITH ATTRIBUTE-SYNTAX                                        
#            distinguishedNameSyntax                                  
#    ::= {pilotAttributeType 54}                                      
#                                                                     
#                                                                     
#    audio ATTRIBUTE                                                  
#        WITH ATTRIBUTE-SYNTAX                                        
#            Audio                                                    
#        (SIZE (1 .. ub-audio))                                       
#    ::= {pilotAttributeType 55}                                      
#                                                                     
#    documentPublisher ATTRIBUTE                                      
#            WITH ATTRIBUTE SYNTAX caseIgnoreStringSyntax             
#    ::= {pilotAttributeType 56}                                      
#                                                                     
#                                                                     
#                                                                     
#    -- Generally useful syntaxes                                     
#                                                                     
#                                                                     
#    caseIgnoreIA5StringSyntax ATTRIBUTE-SYNTAX                       
#            IA5String                                                
#            MATCHES FOR EQUALITY SUBSTRINGS                          
#                                                                     
#                                                                     
#    iA5StringSyntax ATTRIBUTE-SYNTAX                                 
#        IA5String                                                    
#        MATCHES FOR EQUALITY SUBSTRINGS                              
#                                                                     
#                                                                     
#    -- Syntaxes to support the DNS attributes                        
#                                                                     
#    DNSRecordSyntax ATTRIBUTE-SYNTAX                                 
#            IA5String                                                
#            MATCHES FOR EQUALITY                                     
#                                                                     
#                                                                     
#    NRSInformationSyntax ATTRIBUTE-SYNTAX
#            NRSInformation
#            MATCHES FOR EQUALITY
#
#
#    NRSInformation ::=  SET {
#                    [0] Context,
#                    [1] Address-space-id,
#                    routes [2] SEQUENCE OF SEQUENCE {
#                    Route-cost,
#                    Addressing-info }
#            }
#
#
#    -- Upper bounds on length of attribute values
#
#
#    ub-document-identifier INTEGER ::= 256
#
#    ub-document-location INTEGER ::= 256
#
#    ub-document-title INTEGER ::= 256
#
#    ub-document-version INTEGER ::= 256
#
#    ub-favourite-drink INTEGER ::= 256
#
#    ub-host INTEGER ::= 256
#
#    ub-information INTEGER ::= 2048
#
#    ub-unique-identifier INTEGER ::= 256
#
#    ub-personal-title INTEGER ::= 256
#
#    ub-photo INTEGER ::= 250000
#
#    ub-rfc822-mailbox INTEGER ::= 256
#
#    ub-room-number INTEGER ::= 256
#
#    ub-text-or-address INTEGER ::= 256
#
#    ub-user-class INTEGER ::= 256
#
#    ub-user-identifier INTEGER ::= 256
#
#    ub-organizational-status INTEGER ::= 256
#
#    ub-janet-mailbox INTEGER ::= 256
#
#    ub-building-name INTEGER ::= 256
#
#    ub-personal-signature ::= 50000
#
#    ub-audio INTEGER ::= 250000
#
# [remainder of memo trimmed]

Der Import dieses Schemas erfolgt mit nachfolgendem Aufruf.

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config

inetorgperson

Wie schon zuvor importieren wir das nächste Schema inetorgperson mit Hilfe des Befehls ldapadd. Die Beschreibung des Schemas findet sich in der gleichnamigen Datei /etc/openldap/schema/inetorgperson.schema.

 # less /etc/openldap/schema/inetorgperson.schema
/etc/openldap/schema/inetorgperson.schema
# inetorgperson.schema -- InetOrgPerson (RFC2798)                     
# $OpenLDAP$                                                          
## This work is part of OpenLDAP Software <http://www.openldap.org/>. 
##                                                                    
## Copyright 1998-2014 The OpenLDAP Foundation.                       
## All rights reserved.                                               
##                                                                    
## Redistribution and use in source and binary forms, with or without 
## modification, are permitted only as authorized by the OpenLDAP     
## Public License.                                                    
##                                                                    
## A copy of this license is available in the file LICENSE in the     
## top-level directory of the distribution or, alternatively, at      
## <http://www.OpenLDAP.org/license.html>.                            
#                                                                     
# InetOrgPerson (RFC2798)                                             
#                                                                     
# Depends upon                                                        
#   Definition of an X.500 Attribute Type and an Object Class to Hold 
#   Uniform Resource Identifiers (URIs) [RFC2079]                     
#       (core.schema)                                                 
#                                                                     
#   A Summary of the X.500(96) User Schema for use with LDAPv3 [RFC2256]
#       (core.schema)                                                   
#                                                                       
#   The COSINE and Internet X.500 Schema [RFC1274] (cosine.schema)      
 
# carLicense
# This multivalued field is used to record the values of the license or
# registration plate associated with an individual.                    
attributetype ( 2.16.840.1.113730.3.1.1                                
        NAME 'carLicense'                                              
        DESC 'RFC2798: vehicle license or registration plate'          
        EQUALITY caseIgnoreMatch                                       
        SUBSTR caseIgnoreSubstringsMatch                               
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )                         
 
# departmentNumber
# Code for department to which a person belongs.  This can also be
# strictly numeric (e.g., 1234) or alphanumeric (e.g., ABC/123).  
attributetype ( 2.16.840.1.113730.3.1.2                           
        NAME 'departmentNumber'                                   
        DESC 'RFC2798: identifies a department within an organization'
        EQUALITY caseIgnoreMatch                                      
        SUBSTR caseIgnoreSubstringsMatch                              
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )                        
 
# displayName
# When displaying an entry, especially within a one-line summary list, it
# is useful to be able to identify a name to be used.  Since other attri-
# bute types such as 'cn' are multivalued, an additional attribute type is
# needed.  Display name is defined for this purpose.                      
attributetype ( 2.16.840.1.113730.3.1.241                                 
        NAME 'displayName'                                                
        DESC 'RFC2798: preferred name to be used when displaying entries' 
        EQUALITY caseIgnoreMatch                                          
        SUBSTR caseIgnoreSubstringsMatch                                  
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15                              
        SINGLE-VALUE )                                                    
 
# employeeNumber
# Numeric or alphanumeric identifier assigned to a person, typically based
# on order of hire or association with an organization.  Single valued.   
attributetype ( 2.16.840.1.113730.3.1.3                                   
        NAME 'employeeNumber'                                             
        DESC 'RFC2798: numerically identifies an employee within an organization'
        EQUALITY caseIgnoreMatch                                                 
        SUBSTR caseIgnoreSubstringsMatch                                         
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15                                     
        SINGLE-VALUE )                                                           
 
# employeeType
# Used to identify the employer to employee relationship.  Typical values
# used will be "Contractor", "Employee", "Intern", "Temp", "External", and
# "Unknown" but any value may be used.                                    
attributetype ( 2.16.840.1.113730.3.1.4                                   
        NAME 'employeeType'                                               
        DESC 'RFC2798: type of employment for a person'                   
        EQUALITY caseIgnoreMatch                                          
        SUBSTR caseIgnoreSubstringsMatch                                  
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )                            
 
# jpegPhoto
# Used to store one or more images of a person using the JPEG File
# Interchange Format [JFIF].                                      
# Note that the jpegPhoto attribute type was defined for use in the
# Internet X.500 pilots but no referencable definition for it could be
# located.                                                            
attributetype ( 0.9.2342.19200300.100.1.60                            
        NAME 'jpegPhoto'                                              
        DESC 'RFC2798: a JPEG image'                                  
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 )                        
 
# preferredLanguage
# Used to indicate an individual's preferred written or spoken
# language.  This is useful for international correspondence or human-
# computer interaction.  Values for this attribute type MUST conform to
# the definition of the Accept-Language header field defined in
# [RFC2068] with one exception:  the sequence "Accept-Language" ":"
# should be omitted.  This is a single valued attribute type.
attributetype ( 2.16.840.1.113730.3.1.39
        NAME 'preferredLanguage'
        DESC 'RFC2798: preferred written or spoken language for a person'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        SINGLE-VALUE )
 
# userSMIMECertificate
# A PKCS#7 [RFC2315] SignedData, where the content that is signed is
# ignored by consumers of userSMIMECertificate values.  It is
# recommended that values have a `contentType' of data with an absent
# `content' field.  Values of this attribute contain a person's entire
# certificate chain and an smimeCapabilities field [RFC2633] that at a
# minimum describes their SMIME algorithm capabilities.  Values for
# this attribute are to be stored and requested in binary form, as
# 'userSMIMECertificate;binary'.  If available, this attribute is
# preferred over the userCertificate attribute for S/MIME applications.
## OpenLDAP note: ";binary" transfer should NOT be used as syntax is binary
attributetype ( 2.16.840.1.113730.3.1.40
        NAME 'userSMIMECertificate'
        DESC 'RFC2798: PKCS#7 SignedData used to support S/MIME'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )
 
# userPKCS12
# PKCS #12 [PKCS12] provides a format for exchange of personal identity
# information.  When such information is stored in a directory service,
# the userPKCS12 attribute should be used. This attribute is to be stored
# and requested in binary form, as 'userPKCS12;binary'.  The attribute
# values are PFX PDUs stored as binary data.
## OpenLDAP note: ";binary" transfer should NOT be used as syntax is binary
attributetype ( 2.16.840.1.113730.3.1.216
        NAME 'userPKCS12'
        DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )
 
 
# inetOrgPerson
# The inetOrgPerson represents people who are associated with an
# organization in some way.  It is a structural class and is derived
# from the organizationalPerson which is defined in X.521 [X521].
objectclass     ( 2.16.840.1.113730.3.2.2
    NAME 'inetOrgPerson'
        DESC 'RFC2798: Internet Organizational Person'
    SUP organizationalPerson
    STRUCTURAL
        MAY (
                audio $ businessCategory $ carLicense $ departmentNumber $
                displayName $ employeeNumber $ employeeType $ givenName $
                homePhone $ homePostalAddress $ initials $ jpegPhoto $
                labeledURI $ mail $ manager $ mobile $ o $ pager $
                photo $ roomNumber $ secretary $ uid $ userCertificate $
                x500uniqueIdentifier $ preferredLanguage $
                userSMIMECertificate $ userPKCS12 )
        )

Der Import dieses Schemas erfolgt mit nachfolgendem Aufruf.

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

nis

Als letztes importieren wir nun noch das Schema nis. Die Beschreibung des Schemas findet sich in der gleichnamigen Datei /etc/openldap/schema/nis.schema.

 # less /etc/openldap/schema/nis.schema
/etc/openldap/schema/nis.schema
# $OpenLDAP$                                                 
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##                                                                   
## Copyright 1998-2014 The OpenLDAP Foundation.                      
## All rights reserved.                                              
##                                                                   
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP    
## Public License.                                                   
##                                                                   
## A copy of this license is available in the file LICENSE in the    
## top-level directory of the distribution or, alternatively, at     
## <http://www.OpenLDAP.org/license.html>.                           
 
# Definitions from RFC2307 (Experimental)
#       An Approach for Using LDAP as a Network Information Service
 
# Depends upon core.schema and cosine.schema
 
# Note: The definitions in RFC2307 are given in syntaxes closely related
# to those in RFC2252, however, some liberties are taken that are not   
# supported by RFC2252.  This file has been written following RFC2252   
# strictly.                                                             
 
# OID Base is iso(1) org(3) dod(6) internet(1) directory(1) nisSchema(1).
# i.e. nisSchema in RFC2307 is 1.3.6.1.1.1                               
#                                                                        
# Syntaxes are under 1.3.6.1.1.1.0 (two new syntaxes are defined)        
#       validaters for these syntaxes are incomplete, they only          
#       implement printable string validation (which is good as the      
#       common use of these syntaxes violates the specification).        
# Attribute types are under 1.3.6.1.1.1.1                                
# Object classes are under 1.3.6.1.1.1.2                                 
 
# Attribute Type Definitions
 
# builtin
#attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
#       DESC 'An integer uniquely identifying a user in an administrative domain'
#       EQUALITY integerMatch                                                    
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )                      
 
# builtin
#attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber'
#       DESC 'An integer uniquely identifying a group in an administrative domain'
#       EQUALITY integerMatch                                                     
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )                       
 
attributetype ( 1.3.6.1.1.1.1.2 NAME 'gecos'
        DESC 'The GECOS field; the common name'
        EQUALITY caseIgnoreIA5Match            
        SUBSTR caseIgnoreIA5SubstringsMatch    
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 
attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
        DESC 'The absolute path to the home directory'
        EQUALITY caseExactIA5Match                    
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 
attributetype ( 1.3.6.1.1.1.1.4 NAME 'loginShell'
        DESC 'The path to the login shell'       
        EQUALITY caseExactIA5Match               
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 
attributetype ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange'
        EQUALITY integerMatch                          
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
attributetype ( 1.3.6.1.1.1.1.6 NAME 'shadowMin'
        EQUALITY integerMatch                   
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
attributetype ( 1.3.6.1.1.1.1.7 NAME 'shadowMax'
        EQUALITY integerMatch                   
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
attributetype ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning'
        EQUALITY integerMatch                       
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
attributetype ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive'
        EQUALITY integerMatch                        
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
        EQUALITY integerMatch                       
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
attributetype ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag'
        EQUALITY integerMatch                     
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
        EQUALITY caseExactIA5Match               
        SUBSTR caseExactIA5SubstringsMatch       
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )   
 
attributetype ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup'
        EQUALITY caseExactIA5Match                       
        SUBSTR caseExactIA5SubstringsMatch               
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )           
 
attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
        DESC 'Netgroup triple'                           
        SYNTAX 1.3.6.1.1.1.0.0 )                         
 
attributetype ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort'
        EQUALITY integerMatch                        
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
attributetype ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol'
        SUP name )                                       
 
attributetype ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber'
        EQUALITY integerMatch                           
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
attributetype ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber'
        EQUALITY integerMatch                       
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber'
        DESC 'IP address'                           
        EQUALITY caseIgnoreIA5Match                 
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) 
 
attributetype ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber'
        DESC 'IP network'                              
        EQUALITY caseIgnoreIA5Match                    
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SINGLE-VALUE )
 
attributetype ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber'
        DESC 'IP netmask'                              
        EQUALITY caseIgnoreIA5Match                    
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SINGLE-VALUE )
 
attributetype ( 1.3.6.1.1.1.1.22 NAME 'macAddress'
        DESC 'MAC address'                        
        EQUALITY caseIgnoreIA5Match               
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
 
attributetype ( 1.3.6.1.1.1.1.23 NAME 'bootParameter'
        DESC 'rpc.bootparamd parameter'              
        SYNTAX 1.3.6.1.1.1.0.1 )                     
 
attributetype ( 1.3.6.1.1.1.1.24 NAME 'bootFile'
        DESC 'Boot image name'                  
        EQUALITY caseExactIA5Match              
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )  
 
attributetype ( 1.3.6.1.1.1.1.26 NAME 'nisMapName'
        SUP name )                                
 
attributetype ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry'
        EQUALITY caseExactIA5Match                 
        SUBSTR caseExactIA5SubstringsMatch         
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024} SINGLE-VALUE )
 
# Object Class Definitions
 
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount'
        DESC 'Abstraction of an account with POSIX attributes'
        SUP top AUXILIARY                                     
        MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
        MAY ( userPassword $ loginShell $ gecos $ description ) )
 
objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount'
        DESC 'Additional attributes for shadow passwords'
        SUP top AUXILIARY                                
        MUST uid                                         
        MAY ( userPassword $ shadowLastChange $ shadowMin $
              shadowMax $ shadowWarning $ shadowInactive $ 
              shadowExpire $ shadowFlag $ description ) )  
 
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
        DESC 'Abstraction of a group of accounts'
        SUP top STRUCTURAL                       
        MUST ( cn $ gidNumber )                  
        MAY ( userPassword $ memberUid $ description ) )
 
objectclass ( 1.3.6.1.1.1.2.3 NAME 'ipService'
        DESC 'Abstraction an Internet Protocol service'
        SUP top STRUCTURAL
        MUST ( cn $ ipServicePort $ ipServiceProtocol )
        MAY ( description ) )
 
objectclass ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol'
        DESC 'Abstraction of an IP protocol'
        SUP top STRUCTURAL
        MUST ( cn $ ipProtocolNumber $ description )
        MAY description )
 
objectclass ( 1.3.6.1.1.1.2.5 NAME 'oncRpc'
        DESC 'Abstraction of an ONC/RPC binding'
        SUP top STRUCTURAL
        MUST ( cn $ oncRpcNumber $ description )
        MAY description )
 
objectclass ( 1.3.6.1.1.1.2.6 NAME 'ipHost'
        DESC 'Abstraction of a host, an IP device'
        SUP top AUXILIARY
        MUST ( cn $ ipHostNumber )
        MAY ( l $ description $ manager ) )
 
objectclass ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork'
        DESC 'Abstraction of an IP network'
        SUP top STRUCTURAL
        MUST ( cn $ ipNetworkNumber )
        MAY ( ipNetmaskNumber $ l $ description $ manager ) )
 
objectclass ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup'
        DESC 'Abstraction of a netgroup'
        SUP top STRUCTURAL
        MUST cn
        MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )
 
objectclass ( 1.3.6.1.1.1.2.9 NAME 'nisMap'
        DESC 'A generic abstraction of a NIS map'
        SUP top STRUCTURAL
        MUST nisMapName
        MAY description )
 
objectclass ( 1.3.6.1.1.1.2.10 NAME 'nisObject'
        DESC 'An entry in a NIS map'
        SUP top STRUCTURAL
        MUST ( cn $ nisMapEntry $ nisMapName )
        MAY description )
 
objectclass ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device'
        DESC 'A device with a MAC address'
        SUP top AUXILIARY
        MAY macAddress )
 
objectclass ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice'
        DESC 'A device with boot parameters'
        SUP top AUXILIARY
        MAY ( bootFile $ bootParameter ) )

Auch hier erfolgt natürlich der Import des Schemas mit Hilfe des Befehls ldapadd.

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

Konfigurationscheck

Nachdem wir die benötigten Schematas alle importiert haben, können wir nun abschließend überprüfen, ob die neuen Schematas auch im Verzeichnisbaum zu finden sind.

 #  ldapsearch -W -x -D cn=config -b cn=config | grep cn=schema,cn=config
Enter LDAP Password:

dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}inetorgperson,cn=schema,cn=config
dn: cn={3}nis,cn=schema,cn=config

Zur Speicherung der Daten, die aus einem DN1) und einem eindeutigen Objektnamen bestehen, werden im DIT2), erfolgt bei unserem OpenLDAP_Verzeichnisdienmst in einer hierarchischen Baumstruktur. Die Wurzel (root bzw. suffix) ist das oberste Datenobjekt unter dem sich dann die höheren Datenstrukturen verzweigen.

Zur Übernahme bereits bestehender Nutzer aus den beiden Tabellen /etc/passwd und /etc/group unseres Servers werden wir nun zunächst einen passenden DIT anlegen. Hierzu legen wir uns nun eine passende LDIF-Datei für unsere verwendete Domäne nausch.org an, und speichern diese im Verzeichnis /etc/openldap/ldif/.

 # vim /etc/openldap/ldif/cn\=config_DIT_nausch.org.ldif
/etc/openldap/ldif/cn=config_DIT_nausch.org.ldif
# Django : 2015-07-16
# Erstellung des Directory Information Tree für die Domäne nausch.org
# https://dokuwiki.nausch.org/doku.php/centos:ldap_c7:data?&#dit
 
## Build the root node : nausch.org
dn: dc=nausch,dc=org
dc: Nausch
objectClass: top
objectClass: dcObject
objectClass: organizationalUnit
ou: nausch Dot org
 
## Build the ou People, nausch.org
dn: ou=People,dc=nausch,dc=org
objectClass: top
objectClass: organizationalUnit
ou: People
 
## Build the ou Group, nausch.org
dn: ou=Group,dc=nausch,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Group

Zum Importieren unseres DITs verwenden wir nun folgenden Aufruf. Das Passwort nach dem wir hier gefragt werden, haben wir im Kapitel Manager-Passwort bei der Installation unseres OpenLDAP Server unter CentOS 7.x angelegt.

 # ldapadd -W -x -D cn=Manager,dc=nausch,dc=org -f /etc/openldap/ldif/cn\=config_DIT_nausch.org.ldif
Enter LDAP Password: 
adding new entry "dc=nausch,dc=org"

adding new entry "ou=People,dc=nausch,dc=org"

adding new entry "ou=Group,dc=nausch,dc=org"

Anschließend überprüfen wir, ob unser DIT im OpenLDAP-Verzeichnisdienst richtig angelegt wurde.

 # ldapsearch -W -x -D cn=config -b "dc=nausch,dc=org" "(objectclass=*)" -LLL -H ldaps://openldap.dmz.nausch.org
Enter LDAP Password: 
dn: dc=nausch,dc=org
dc: Nausch
objectClass: top
objectClass: dcObject
objectClass: organizationalUnit
ou: nausch Dot org

dn: ou=People,dc=nausch,dc=org
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=nausch,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Group

Im Logfile des slapd-Daemon wird unsere erfolgreiche Abfrage entsprechend protokolliert.

 # less /var/log/ldap.log
Jul 16 22:05:25 vml000037 slapd[14264]: conn=1008 fd=13 ACCEPT from IP=10.0.0.37:50876 (IP=0.0.0.0:636)
Jul 16 22:05:26 vml000037 slapd[14264]: conn=1008 fd=13 TLS established tls_ssf=128 ssf=128
Jul 16 22:05:26 vml000037 slapd[14264]: conn=1008 op=0 BIND dn="cn=config" method=128
Jul 16 22:05:26 vml000037 slapd[14264]: conn=1008 op=0 BIND dn="cn=config" mech=SIMPLE ssf=0
Jul 16 22:05:26 vml000037 slapd[14264]: conn=1008 op=0 RESULT tag=97 err=0 text=
Jul 16 22:05:26 vml000037 slapd[14264]: conn=1008 op=1 SRCH base="dc=nausch,dc=org" scope=2 deref=0 filter="(objectClass=*)"
Jul 16 22:05:26 vml000037 slapd[14264]: conn=1008 op=1 SEARCH RESULT tag=101 err=0 nentries=3 text=
Jul 16 22:05:26 vml000037 slapd[14264]: conn=1008 op=2 UNBIND
Jul 16 22:05:26 vml000037 slapd[14264]: conn=1008 fd=13 closed

In den seltensten Fällen haben wir eine Installation ohne jegliche Benutzer; in der Regel befinden sich auf unserem LINUX-System bereits angelegte Nutzer mit Ihren Konten. Diesen Nutzer wird immer eine UserID (uid) ab 1000 zugewiesen. Somit ist eine Unterscheidung zwischen realen Nutzern und technischen Nutzeraccounts relativ leicht möglich. Die hierzu erforderlichen Daten bekommen wir aus den beiden Dateien /etc/group und /etc/passwd.

Installation

Zur leichteren Übernahme der Nutzerdaten bedienen wir uns der Hilfsprogramme aus dem RPM-Paket migrationtools aus dem Base-Repository, welches wir nun zuerst installieren wollen.

 # yum install migrationtools -y

Was uns dieses RPM-Paket alles an Hilfsmittel mitbringt zeigt uns ein Blick in das Paket selbst.

 # rpm -qil migrationtools
Name        : migrationtools
Version     : 47
Release     : 15.el7
Architecture: noarch
Install Date: Thu 16 Jul 2015 10:21:55 PM CEST
Group       : System Environment/Daemons
Size        : 108216
License     : BSD
Signature   : RSA/SHA256, Fri 04 Jul 2014 05:47:45 AM CEST, Key ID 24c6a8a7f4a80eb5
Source RPM  : migrationtools-47-15.el7.src.rpm
Build Date  : Tue 10 Jun 2014 05:32:33 AM CEST
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://www.padl.com/OSS/MigrationTools.html
Summary     : Migration scripts for LDAP
Description :
The MigrationTools are a set of Perl scripts for migrating users, groups,
aliases, hosts, netgroups, networks, protocols, RPCs, and services from
existing nameservices (flat files, NIS, and NetInfo) to LDAP.
/usr/share/doc/migrationtools-47
/usr/share/doc/migrationtools-47/README
/usr/share/doc/migrationtools-47/migration-tools.txt
/usr/share/migrationtools
/usr/share/migrationtools/migrate_aliases.pl
/usr/share/migrationtools/migrate_all_netinfo_offline.sh
/usr/share/migrationtools/migrate_all_netinfo_online.sh
/usr/share/migrationtools/migrate_all_nis_offline.sh
/usr/share/migrationtools/migrate_all_nis_online.sh
/usr/share/migrationtools/migrate_all_nisplus_offline.sh
/usr/share/migrationtools/migrate_all_nisplus_online.sh
/usr/share/migrationtools/migrate_all_offline.sh
/usr/share/migrationtools/migrate_all_online.sh
/usr/share/migrationtools/migrate_automount.pl
/usr/share/migrationtools/migrate_base.pl
/usr/share/migrationtools/migrate_common.ph
/usr/share/migrationtools/migrate_fstab.pl
/usr/share/migrationtools/migrate_group.pl
/usr/share/migrationtools/migrate_hosts.pl
/usr/share/migrationtools/migrate_netgroup.pl
/usr/share/migrationtools/migrate_netgroup_byhost.pl
/usr/share/migrationtools/migrate_netgroup_byuser.pl
/usr/share/migrationtools/migrate_networks.pl
/usr/share/migrationtools/migrate_passwd.pl
/usr/share/migrationtools/migrate_profile.pl
/usr/share/migrationtools/migrate_protocols.pl
/usr/share/migrationtools/migrate_rpc.pl
/usr/share/migrationtools/migrate_services.pl
/usr/share/migrationtools/migrate_slapd_conf.pl

Konfiguration

Vor der Migration unserer Daten ist es noch notwendig, das mitgelieferte Hilfsprogramm migrate_common.ph unserer Produktivumgebung anzupassen. Hierzu passen wir die beiden folgenden Parameter unserer Organisation an:

  • $DEFAULT_MAIL_DOMAIN = „nausch.org“;
  • $DEFAULT_BASE = „dc=nausch,dc=org“;
 # vim /usr/share/migrationtools/migrate_common.ph
vim /usr/share/migrationtools/migrate_common.ph
#
# $Id: migrate_common.ph,v 1.22 2003/04/15 03:09:33 lukeh Exp $
#
# Copyright (c) 1997-2003 Luke Howard.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. All advertising materials mentioning features or use of this software
#    must display the following acknowledgement:
#        This product includes software developed by Luke Howard.
# 4. The name of the other may not be used to endorse or promote products
#    derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE LUKE HOWARD ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL LUKE HOWARD BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
 
#
# Common defines for MigrationTools
#
 
# Naming contexts. Key is $PROGRAM with migrate_ and .pl 
# stripped off. 
$NETINFOBRIDGE = (-x "/usr/sbin/mkslapdconf");
 
if ($NETINFOBRIDGE) {
        $NAMINGCONTEXT{'aliases'}           = "cn=aliases";
        $NAMINGCONTEXT{'fstab'}             = "cn=mounts";
        $NAMINGCONTEXT{'passwd'}            = "cn=users";
        $NAMINGCONTEXT{'netgroup_byuser'}   = "cn=netgroup.byuser";
        $NAMINGCONTEXT{'netgroup_byhost'}   = "cn=netgroup.byhost";
        $NAMINGCONTEXT{'group'}             = "cn=groups";
        $NAMINGCONTEXT{'netgroup'}          = "cn=netgroup";
        $NAMINGCONTEXT{'hosts'}             = "cn=machines";
        $NAMINGCONTEXT{'networks'}          = "cn=networks";
        $NAMINGCONTEXT{'protocols'}         = "cn=protocols";
        $NAMINGCONTEXT{'rpc'}               = "cn=rpcs";
        $NAMINGCONTEXT{'services'}          = "cn=services";
} else {
        $NAMINGCONTEXT{'aliases'}           = "ou=Aliases";
        $NAMINGCONTEXT{'fstab'}             = "ou=Mounts";
        $NAMINGCONTEXT{'passwd'}            = "ou=People";
        $NAMINGCONTEXT{'netgroup_byuser'}   = "nisMapName=netgroup.byuser";
        $NAMINGCONTEXT{'netgroup_byhost'}   = "nisMapName=netgroup.byhost";
        $NAMINGCONTEXT{'group'}             = "ou=Group";
        $NAMINGCONTEXT{'netgroup'}          = "ou=Netgroup";
        $NAMINGCONTEXT{'hosts'}             = "ou=Hosts";
        $NAMINGCONTEXT{'networks'}          = "ou=Networks";
        $NAMINGCONTEXT{'protocols'}         = "ou=Protocols";
        $NAMINGCONTEXT{'rpc'}               = "ou=Rpc";
        $NAMINGCONTEXT{'services'}          = "ou=Services";
}
 
# Default DNS domain
# Django : 2015-07-16
# default: $DEFAULT_MAIL_DOMAIN = "padl.com";
$DEFAULT_MAIL_DOMAIN = "nausch.org";
 
# Default base 
# Django : 2015-07-16
# default: $DEFAULT_BASE = "dc=padl,dc=com";
$DEFAULT_BASE = "dc=nausch,dc=org";
 
# Turn this on for inetLocalMailReceipient
# sendmail support; add the following to 
# sendmail.mc (thanks to Petr@Kristof.CZ):
##### CUT HERE #####
#define(`confLDAP_DEFAULT_SPEC',`-h "ldap.padl.com"')dnl
#LDAPROUTE_DOMAIN_FILE(`/etc/mail/ldapdomains')dnl
#FEATURE(ldap_routing)dnl
##### CUT HERE #####
# where /etc/mail/ldapdomains contains names of ldap_routed
# domains (similiar to MASQUERADE_DOMAIN_FILE).
# $DEFAULT_MAIL_HOST = "mail.padl.com";
 
# turn this on to support more general object clases
# such as person.
$EXTENDED_SCHEMA = 0;
 
#
# allow environment variables to override predefines
#
if (defined($ENV{'LDAP_BASEDN'})) {
        $DEFAULT_BASE = $ENV{'LDAP_BASEDN'};
}
 
if (defined($ENV{'LDAP_DEFAULT_MAIL_DOMAIN'})) {
        $DEFAULT_MAIL_DOMAIN = $ENV{'LDAP_DEFAULT_MAIL_DOMAIN'};
}
 
if (defined($ENV{'LDAP_DEFAULT_MAIL_HOST'})) {
        $DEFAULT_MAIL_HOST = $ENV{'LDAP_DEFAULT_MAIL_HOST'};
}
 
# binddn used for alias owner (otherwise uid=root,...)
if (defined($ENV{'LDAP_BINDDN'})) {
        $DEFAULT_OWNER = $ENV{'LDAP_BINDDN'};
}
 
if (defined($ENV{'LDAP_EXTENDED_SCHEMA'})) {
        $EXTENDED_SCHEMA = $ENV{'LDAP_EXTENDED_SCHEMA'};
}
 
# If we haven't set the default base, guess it automagically.
if (!defined($DEFAULT_BASE)) {
        $DEFAULT_BASE = &domain_expand($DEFAULT_MAIL_DOMAIN);
        $DEFAULT_BASE =~ s/,$//o;
}
 
# Default Kerberos realm
#if ($EXTENDED_SCHEMA) {
#       $DEFAULT_REALM = $DEFAULT_MAIL_DOMAIN;
#       $DEFAULT_REALM =~ tr/a-z/A-Z/;
#}
 
if (-x "/usr/sbin/revnetgroup") {
        $REVNETGROUP = "/usr/sbin/revnetgroup";
} elsif (-x "/usr/lib/yp/revnetgroup") {
        $REVNETGROUP = "/usr/lib/yp/revnetgroup";
}
 
$classmap{'o'} = 'organization';
$classmap{'dc'} = 'domain';
$classmap{'l'} = 'locality';
$classmap{'ou'} = 'organizationalUnit';
$classmap{'c'} = 'country';
$classmap{'nismapname'} = 'nisMap';
$classmap{'cn'} = 'container';
 
sub parse_args
{
        if ($#ARGV < 0) {
                print STDERR "Usage: $PROGRAM infile [outfile]\n";
                exit 1;
        }
 
        $INFILE = $ARGV[0];
 
        if ($#ARGV > 0) {
                $OUTFILE = $ARGV[1];
        }
}
 
sub open_files
{
        open(INFILE);
        if ($OUTFILE) {
                open(OUTFILE,">$OUTFILE");
                $use_stdout = 0;
        } else {
                $use_stdout = 1;
        }
}
 
# moved from migrate_hosts.pl
# lukeh 10/30/97
sub domain_expand
{
        local($first) = 1;
        local($dn);
        local(@namecomponents) = split(/\./, $_[0]);
        foreach $_ (@namecomponents) {
                $first = 0;
                $dn .= "dc=$_,";
        }
        $dn .= $DEFAULT_BASE;
        return $dn;
}
 
# case insensitive unique
sub uniq
{
        local($name) = shift(@_);
        local(@vec) = sort {uc($a) cmp uc($b)} @_;
        local(@ret);
        local($next, $last);
        foreach $next (@vec) {
                if ((uc($next) ne uc($last)) &&
                        (uc($next) ne uc($name))) {
                        push (@ret, $next);
                }
                $last = $next;
        }
        return @ret;
}
 
# concatenate naming context and 
# organizational base
sub getsuffix
{
        local($program) = shift(@_);
        local($nc);
        $program =~ s/^migrate_(.*)\.pl$/$1/;
        $nc = $NAMINGCONTEXT{$program};
        if ($nc eq "") {
                return $DEFAULT_BASE;
        } else {
                return $nc . ',' . $DEFAULT_BASE;
        }
}
 
sub ldif_entry
{
# remove leading, trailing whitespace
        local ($HANDLE, $lhs, $rhs) = @_;
        local ($type, $val) = split(/\=/, $lhs);
        local ($dn);
 
        if ($rhs ne "") {
                $dn = $lhs . ',' . $rhs;
        } else {
                $dn = $lhs;
        }
 
        $type =~ s/\s*$//o;
        $type =~ s/^\s*//o;
        $type =~ tr/A-Z/a-z/;
        $val =~ s/\s*$//o;
        $val =~ s/^\s*//o;
 
        print $HANDLE "dn: $dn\n";
        print $HANDLE "$type: $val\n";
        print $HANDLE "objectClass: top\n";
        print $HANDLE "objectClass: $classmap{$type}\n";
        if ($EXTENDED_SCHEMA) {
                if ($DEFAULT_MAIL_DOMAIN) {
                        print $HANDLE "objectClass: domainRelatedObject\n";
                        print $HANDLE "associatedDomain: $DEFAULT_MAIL_DOMAIN\n";
                }
        }
 
        print $HANDLE "\n";
}
 
# Added Thu Jun 20 16:40:28 CDT 2002 by Bob Apthorpe
# <apthorpe@cynistar.net> to solve problems with embedded plusses in
# protocols and mail aliases.
sub escape_metacharacters
{
        local($name) = @_;
 
        # From Table 3.1 "Characters Requiring Quoting When Contained
        # in Distinguished Names", p87 "Understanding and Deploying LDAP
        # Directory Services", Howes, Smith, & Good.
 
        # 1) Quote backslash
        # Note: none of these are very elegant or robust and may cause
        # more trouble than they're worth. That's why they're disabled.
        # 1.a) naive (escape all backslashes)
        # $name =~ s#\\#\\\\#og;
        #
        # 1.b) mostly naive (escape all backslashes not followed by
        # a backslash)
        # $name =~ s#\\(?!\\)#\\\\#og;
        #
        # 1.c) less naive and utterly gruesome (replace solitary
        # backslashes)
        # $name =~ s{           # Replace
        #               (?<!\\) # negative lookbehind (no preceding backslash)
        #               \\      # a single backslash
        #               (?!\\)  # negative lookahead (no following backslash)
        #       }
        #       {               # With
        #               \\\\    # a pair of backslashes
        #       }gx;
        # Ugh. Note that s#(?:[^\\])\\(?:[^\\])#////#g fails if $name
        # starts or ends with a backslash. This expression won't work
        # under perl4 because the /x flag and negative lookahead and
        # lookbehind operations aren't supported. Sorry. Also note that
        # s#(?:[^\\]*)\\(?:[^\\]*)#////#g won't work either.  Of course,
        # this is all broken if $name is already escaped before we get
        # to it. Best to throw a warning and make the user import these
        # records by hand.
 
        # 2) Quote leading and trailing spaces
        local($leader, $body, $trailer) = ();
        if (($leader, $body, $trailer) = ($name =~ m#^( *)(.*\S)( *)$#o)) {
                $leader =~ s# #\\ #og;
                $trailer =~ s# #\\ #og;
                $name = $leader . $body . $trailer;
        }
 
        # 3) Quote leading octothorpe (#)
        $name =~ s/^#/\\#/o;
 
        # 4) Quote comma, plus, double-quote, less-than, greater-than,
        # and semicolon
        $name =~ s#([,+"<>;])#\\$1#g;
 
        return $name;
}
 
1;

Datenselektion

Da wir nicht alle Nutzer, sondern nur die realen Benutzer in den DIT übernehmen wollen, extrahieren wir alle Nutzer aus der /etc/group und /etc/passwd deren UID größer oder gleich 1000 ist und legen diesen in zwei eigenen Dateien ab.

 # grep ":1[0-9][0-9][0-9]" /etc/group > /etc/openldap/ldif/group

Es wird folgende Datei erstellt.

 # cat /etc/openldap/ldif/group
django:x:1000:django
michael:x:1001:michael
inge:x:1002:inge
rebekka:x:1003:rebekka
jakob:x:1004:jakob
ruben:x:1005:ruben
leah:x:1006:leah
markus:x:1007:markus
gertraud:x:1008:gertraud
johann:x:1009:johann
 # grep ":1[0-9][0-9][0-9]" /etc/passwd > /etc/openldap/ldif/passwd

Es wird folgende Datei erstellt.

 # cat /etc/openldap/ldif/passwd 
django:x:1000:1000:django:/home/django:/bin/bash
michael:x:1001:1001:michael:/home/michael:/bin/bash
inge:x:1002:1002:inge:/home/inge:/bin/bash
rebekka:x:1003:1003:rebekka:/home/rebekka:/bin/bash
jakob:x:1004:1004:jakob:/home/jakob:/bin/bash
ruben:x:1005:1005:ruben:/home/ruben:/bin/bash
leah:x:1006:1006:leah:/home/leah:/bin/bash
markus:x:1007:1007:markus:/home/markus:/bin/bash
gertraud:x:1008:1008:gertraud:/home/gertraud:/bin/bash
johann:x:1009:1009:johann:/home/johann:/bin/bash

Datenmigration

Nun ist es an der Zeit unsere Nutzerdaten aus den zuvor angelegten temporären Dateien in entsprechende .ldif Dateien zu konvertieren. Hierzu nutzen wir die Hilfsprogramme aus dem zuvor installiertem RPM Paket migrationtools:

  • migrate_passwd.pl
  • migrate_group.pl

Wir erstellen also nun die beiden .ldif-Dateien.

 # /usr/share/migrationtools/migrate_group.pl /etc/openldap/ldif/group > cn\=config_GroupDN.ldif
 # /usr/share/migrationtools/migrate_passwd.pl /etc/openldap/ldif/passwd > cn\=config_PeopleDN.ldif

Aus der Datei /etc/openldap/ldif/group mit dem Inhalt

django:x:1000:django
michael:x:1001:michael
inge:x:1002:inge
rebekka:x:1003:rebekka
jakob:x:1004:jakob
ruben:x:1005:ruben
leah:x:1006:leah
markus:x:1007:markus
gertraud:x:1008:gertraud
johann:x:1009:johann

wurde also die Datei /etc/openldap/ldif/cn\=config_GroupDN.ldif mit dem Inhalt

dn: cn=django,ou=Group,dc=nausch,dc=org
objectClass: posixGroup
objectClass: top
cn: django
userPassword: {crypt}x
gidNumber: 1000
memberUid: 1000

dn: cn=michael,ou=Group,dc=nausch,dc=org
objectClass: posixGroup
objectClass: top
cn: michael
userPassword: {crypt}x
gidNumber: 1001
memberUid: 1001

dn: cn=inge,ou=Group,dc=nausch,dc=org
objectClass: posixGroup
objectClass: top
cn: inge
userPassword: {crypt}x
gidNumber: 1002
memberUid: 1002

dn: cn=rebekka,ou=Group,dc=nausch,dc=org
objectClass: posixGroup
objectClass: top
cn: rebekka
userPassword: {crypt}x
gidNumber: 1003
memberUid: 1003

dn: cn=jakob,ou=Group,dc=nausch,dc=org
objectClass: posixGroup
objectClass: top
cn: jakob
userPassword: {crypt}x
gidNumber: 1004
memberUid: 1004

dn: cn=ruben,ou=Group,dc=nausch,dc=org
objectClass: posixGroup
objectClass: top
cn: ruben
userPassword: {crypt}x
gidNumber: 1005
memberUid: 1005

dn: cn=leah,ou=Group,dc=nausch,dc=org
objectClass: posixGroup
objectClass: top
cn: leah
userPassword: {crypt}x
gidNumber: 1006
memberUid: 1006

dn: cn=markus,ou=Group,dc=nausch,dc=org
objectClass: posixGroup
objectClass: top
cn: markus
userPassword: {crypt}x
gidNumber: 1007
memberUid: 1007

dn: cn=gertraud,ou=Group,dc=nausch,dc=org
objectClass: posixGroup
objectClass: top
cn: gertraud
userPassword: {crypt}x
gidNumber: 1008
memberUid: 1008

dn: cn=johann,ou=Group,dc=nausch,dc=org
objectClass: posixGroup
objectClass: top
cn: johann
userPassword: {crypt}x
gidNumber: 1009
memberUid: 1009

generiert.

Aus der Datei /etc/openldap/ldif/passwd mit dem Inhalt

django:x:1000:1000:django:/home/django:/bin/bash
michael:x:1001:1001:michael:/home/michael:/bin/bash
inge:x:1002:1002:inge:/home/inge:/bin/bash
rebekka:x:1003:1003:rebekka:/home/rebekka:/bin/bash
jakob:x:1004:1004:jakob:/home/jakob:/bin/bash
ruben:x:1005:1005:ruben:/home/ruben:/bin/bash
leah:x:1006:1006:leah:/home/leah:/bin/bash
markus:x:1007:1007:markus:/home/markus:/bin/bash
gertraud:x:1008:1008:gertraud:/home/gertraud:/bin/bash
johann:x:1009:1009:johann:/home/johann:/bin/bash

wurde also die Datei /etc/openldap/ldif/cn\=config_PeopleDN.ldif mit dem Inhalt

dn: uid=django,ou=People,dc=nausch,dc=org
uid: django
cn: django
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$34os/lDDY2cAEfyW$fqe3PP3Qo5FDAtC724a7plCieqgeYCWONkaKgYnQKm5iDx/3WtCq8Tv0VA2MLkYAhW9/IySlhFIJZIU0UyiOv/
shadowLastChange: 16617
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/django
gecos: django

dn: uid=michael,ou=People,dc=nausch,dc=org
uid: michael
cn: michael
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$34os/lDDY2cAEfyW$fqe3PP3Qo5FDAtC724a7plCieqgeYCWONkaKgYnQKm5iDx/3WtCq8Tv0VA2MLkYAhW9
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/michael
gecos: michael

dn: uid=inge,ou=People,dc=nausch,dc=org
uid: inge
cn: inge
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$34os/lDf98723jyX$fqe24a7plCDY2cAEfyW5FDAtwdfC$f3PP3gYnosHSenpncs5FDAtC724a7Tv0VA2MLk
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/inge
gecos: inge

dn: uid=rebekka,ou=People,dc=nausch,dc=org
uid: rebekka
cn: rebekka
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$34os/lDDY2cAEfy$Afqe3PP3Qo5FDAtC7o5FDAtC724a7po5FDAtC7lCieo5FDAtC7qgeYCWONkaKgYnQKm5
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 1003
homeDirectory: /home/rebekka
gecos: rebekka

dn: uid=jakob,ou=People,dc=nausch,dc=org
uid: jakob
cn: jakob
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$34os/lCDY5cmEffqe3PP3QfyW$fqe2cAEfy$Afqe3PP3Q4a7plCDtC724a7Y2cAEfyW5FDAtCtC724a7$f3P
loginShell: /bin/bash
uidNumber: 1004
gidNumber: 1004
homeDirectory: /home/jakob
gecos: jakob

dn: uid=ruben,ou=People,dc=nausch,dc=org
uid: ruben
cn: ruben
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$34os/o5FDAtC724a7plCieqlDDY2cAEfyW$plCieqlfqe3PP3Qo5FDAtYCWOC72C724a7pYnQKm5ilCieqge
loginShell: /bin/bash
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/ruben
gecos: ruben

dn: uid=leah,ou=People,dc=nausch,dc=org
uid: leah
cn: leah
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$34os/e3PP3Qo5FDAtC724a7plfy$Afqe3PCieqgeYCWOC724a7po5FDAtNkaKgYnQKm5iDx/3WtCMLkYAhW9
loginShell: /bin/bash
uidNumber: 1006
gidNumber: 1006
homeDirectory: /home/leah
gecos: leah

dn: uid=markus,ou=People,dc=nausch,dc=org
uid: markus
cn: markus
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$34os/AEfy$AfqelDfyW$fqe24a7plCDY2cApllDDEfyW5FDAtC$lCieqgeEfyWw140867f3PP3gYno5FDA3P
loginShell: /bin/bash
uidNumber: 1007
gidNumber: 1007
homeDirectory: /home/markus
gecos: markus

dn: uid=gertraud,ou=People,dc=nausch,dc=org
uid: gertraud
cn: gertraud
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$34os/3PP3Qo5FDAtC724a7pllDDY2cAEfyW$fqe3PP3Qo5FDAta7pllDDYC724a7plCieqgeEfyWw140867d
loginShell: /bin/bash
uidNumber: 1008
gidNumber: 1008
homeDirectory: /home/gertraud
gecos: gertraud

dn: uid=johann,ou=People,dc=nausch,dc=org
uid: johann
cn: johann
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$34os/a7plCDY2cAEfyW5FlDfyW$fqe24fyW5Fa7plCDY2cAEfyW5FDAtC$f3fyW5FPP3gYno5FDAtC724a7p
loginShell: /bin/bash
uidNumber: 1009
gidNumber: 1009
homeDirectory: /home/johann
gecos: johann

generiert.

Datenübernahme in den DIT

Nachdem wir die Nutzerdaten aus dem/einem System migriert haben, werden wir nun mit dem Befehl ldapadd die gerade generierten LDIF-Dateien in den DIT importieren.

Als erstes importieren wir den DN3) Group.

 # ldapadd -W -x -D cn=Manager,dc=nausch,dc=org -f /etc/openldap/ldif/cn\=config_GroupDN.ldif 
Enter LDAP Password: 
adding new entry "cn=django,ou=Group,dc=nausch,dc=org"

adding new entry "cn=michael,ou=Group,dc=nausch,dc=org"

adding new entry "cn=inge,ou=Group,dc=nausch,dc=org"

adding new entry "cn=rebekka,ou=Group,dc=nausch,dc=org"

adding new entry "cn=jakob,ou=Group,dc=nausch,dc=org"

adding new entry "cn=ruben,ou=Group,dc=nausch,dc=org"

adding new entry "cn=leah,ou=Group,dc=nausch,dc=org"

adding new entry "cn=markus,ou=Group,dc=nausch,dc=org"

adding new entry "cn=gertraud,ou=Group,dc=nausch,dc=org"

adding new entry "cn=johann,ou=Group,dc=nausch,dc=org"
 

Anschließend importieren wir den DN People.

 # ldapadd -W -x -D cn=Manager,dc=nausch,dc=org -f /etc/openldap/ldif/cn\=config_PeopleDN.ldif 
Enter LDAP Password: 
adding new entry "uid=django,ou=People,dc=nausch,dc=org"

adding new entry "uid=michael,ou=People,dc=nausch,dc=org"

adding new entry "uid=inge,ou=People,dc=nausch,dc=org"

adding new entry "uid=rebekka,ou=People,dc=nausch,dc=org"

adding new entry "uid=jakob,ou=People,dc=nausch,dc=org"

adding new entry "uid=ruben,ou=People,dc=nausch,dc=org"

adding new entry "uid=leah,ou=People,dc=nausch,dc=org"

adding new entry "uid=markus,ou=People,dc=nausch,dc=org"

adding new entry "uid=gertraud,ou=People,dc=nausch,dc=org"

adding new entry "uid=johann,ou=People,dc=nausch,dc=org"
 

abschließender Test

Für den abschliessenden Test, ob die Datenmigration aus den filebasierenden Dateien in den DIT unseres OpenLADP-Servers geklappt hat, befragen wir unseren LDAP-Server nach den Daten zum User django.

 # ldapsearch -W -x -D cn=config -b "uid=django,ou=People,dc=nausch,dc=org" -LLL -H ldaps://openldap.dmz.nausch.org
Enter LDAP Password: 
dn: uid=django,ou=People,dc=nausch,dc=org
uid: django
cn: django
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB1lu0fSQ2JDM0b3MvbERE8zVWTJjQUVmeVckZnFlM1BQM1FXRDNzI0YTd
 wbEuUUttNpZXFnZVlDV09Oa2FLZ1luUUttNWlEeC8zV3RDcThUdjBWQTJNTGtZM0b3QWhXOS9e2pJ
 VTWlEeC8di8=
shadowLastChange: 16617
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/django
gecos: django

Unsere erfolgreiche Abfrage erzeugt einen entsprechendnen Eintrag im Logfile des slapd-Daemon.

 # less /var/log/ldap.log
Jul 16 23:26:21 vml000037 slapd[14264]: conn=1020 fd=13 ACCEPT from IP=10.0.0.37:52275 (IP=0.0.0.0:636)
Jul 16 23:26:21 vml000037 slapd[14264]: conn=1020 fd=13 TLS established tls_ssf=128 ssf=128
Jul 16 23:26:21 vml000037 slapd[14264]: conn=1020 op=0 BIND dn="cn=config" method=128
Jul 16 23:26:21 vml000037 slapd[14264]: conn=1020 op=0 BIND dn="cn=config" mech=SIMPLE ssf=0
Jul 16 23:26:21 vml000037 slapd[14264]: conn=1020 op=0 RESULT tag=97 err=0 text=
Jul 16 23:26:21 vml000037 slapd[14264]: conn=1020 op=1 SRCH base="uid=django,ou=People,dc=nausch,dc=org" scope=2 deref=0 filter="(objectClass=*)"
Jul 16 23:26:21 vml000037 slapd[14264]: conn=1020 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 16 23:26:21 vml000037 slapd[14264]: conn=1020 op=2 UNBIND
Jul 16 23:26:21 vml000037 slapd[14264]: conn=1020 fd=13 closed

Zu guter letzt befragen wir nun noch unseren LDAP-Server nach den Daten der Gruppe django.

 # ldapsearch -x -b "cn=django,ou=Group,dc=nausch,dc=org" "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base <cn=django,ou=Group,dc=nausch,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# django, Group, nausch.org
dn: cn=django,ou=Group,dc=nausch,dc=org
objectClass: posixGroup
objectClass: top
cn: django
userPassword:: e2NyeXB0fXg=
gidNumber: 1000
memberUid: 1000

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Natürlich wurde auch hier unsere Abfrage im LDAP-Log dokumentiert.

 # less /var/log/ldap.log
Jul 16 23:40:26 vml000037 slapd[14264]: conn=1038 fd=13 ACCEPT from IP=[::1]:44084 (IP=[::]:389)
Jul 16 23:40:26 vml000037 slapd[14264]: conn=1038 op=0 BIND dn="" method=128
Jul 16 23:40:26 vml000037 slapd[14264]: conn=1038 op=0 RESULT tag=97 err=0 text=
Jul 16 23:40:26 vml000037 slapd[14264]: conn=1038 op=1 SRCH base="cn=django,ou=Group,dc=nausch,dc=org" scope=2 deref=0 filter="(objectClass=*)"
Jul 16 23:40:26 vml000037 slapd[14264]: conn=1038 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 16 23:40:26 vml000037 slapd[14264]: conn=1038 op=2 UNBIND
Jul 16 23:40:26 vml000037 slapd[14264]: conn=1038 fd=13 closed

Abfrage der Indizes

Wollen wir später einzelne Index Felder im DIT anpassen, müssen wir natürlich wissen wie die derzeitigen Felder indiziert wurden. Hierzu lassen wir uns die existierende Indizierung der Felder anzeigen.

Hierzu nutzen wir nun folgenden Befehlsaufruf.

 #  ldapsearch -W -x -D cn=config -b olcDatabase={2}hdb,cn=config
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <olcDatabase={2}hdb,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# {2}hdb, config
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=nausch,dc=org
olcRootDN: cn=Manager,dc=nausch,dc=org
olcRootPW: {SSHA}lfeku/uaD4x1i$7n3931Le54U111
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Für die Felder objectClass und ou,cn,mail,surname,givenname besteht bereits ein Index. Folgende beiden Zeilen sind aus der obigen Ausgabe:

  • olcDbIndex: objectClass eq,pres
  • olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub

Dies entspricht nachfolgender Tabelle.

Felder Attribute Beschreibungen
eq
pres


sub
gleich
Anzeige
Teilzeichenkette
objectClass :OK: :OK:
ou :OK: :OK: :OK:
cn :OK: :OK: :OK:
mail :OK: :OK: :OK:
surname :OK: :OK: :OK:
givenname :OK: :OK: :OK:

Erfolgt ein Zugriff auf ein Fled im OpenLDAP-Verzeichnisbaum bei dem kein Index definiert wurde, wird dazu im LDAP-Log /var/log/ldap-log nachfolgender Hinweis zu finden sein.

 Jul 17 12:32:53 vml000037 slapd[14264]: <= bdb_equality_candidates: (uid) not indexed

Setzen der Indizes (LDIF)

Für die Felder in der folgenden Tabelle wollen wir nun noch Indizes erstellen.

Felder Attribute Beschreibungen
eq
pres


sub
gleich
Anzeige
Teilzeichenkette
uidNumber :OK: :OK:
gidNumber :OK: :OK:
loginShell :OK: :OK:
uid :OK: :OK: :OK:
memberUid :OK: :OK: :OK:
nisMapName :OK: :OK: :OK:
nisMapEntry :OK: :OK: :OK:
uniqueMember :OK: :OK:

Zu dieser Tabelle erstellen wir uns nun eine passende LDIF-Datei.

 # vim /etc/openldap/ldif/cn=\config_DbIndex.ldif
/etc/openldap/ldif/cn=config_DbIndex.ldif
# Django : 2015-07-17
# Erstellen von zusätzlichen Indizes für Felder im DIT
# https://dokuwiki.nausch.org/doku.php/centos:ldap_c7:data?&#setzen_der_indizes_ldif
 
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber,gidNumber,loginShell eq,pres
olcDbIndex: uid,memberUid eq,pres,sub
olcDbIndex: nisMapName,nisMapEntry eq,pres,sub
olcDbIndex: uniqueMember eq,pres

Anschließend importieren wir diese Daten in unseren DIT.

 # ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/ldif/cn=\config_DbIndex.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

Überprüfen der gesetzten Indizes

Zu guter letzt lassen wir uns erneut anzeigen für welche Felder im DIT Indizies gesetzt sind. Dazu verwenden wir folgenden Befehl.

 #  ldapsearch -W -x -D cn=config -b olcDatabase={2}hdb,cn=config
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <olcDatabase={2}hdb,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# {2}hdb, config
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=nausch,dc=org
olcRootDN: cn=Manager,dc=nausch,dc=org
olcRootPW: {SSHA}lfeku/uaD4x1i$7n3931Le54U111
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uidNumber,gidNumber,loginShell eq,pres
olcDbIndex: uid,memberUid eq,pres,sub
olcDbIndex: nisMapName,nisMapEntry eq,pres,sub
olcDbIndex: uniqueMember eq,pres

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Links


1) , 3)
Distinguished Name
2)
Directory Information Tree
Cookies helfen bei der Bereitstellung von Inhalten. Durch die Nutzung dieser Seiten erklären Sie sich damit einverstanden, dass Cookies auf Ihrem Rechner gespeichert werden. Weitere Information
  • centos/ldap_c7/data.txt
  • Zuletzt geändert: 22.07.2019 15:03.
  • (Externe Bearbeitung)