hasufell/etc-gentoo
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
4b287b3e71
etc-gentoo/openldap/schema/pmi.schema

465 lines
20 KiB
Plaintext
Raw Blame History

# OpenLDAP X.509 PMI schema
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2013 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#
## Portions Copyright (C) The Internet Society (1997-2006).
## All Rights Reserved.
##
## This document and translations of it may be copied and furnished to
## others, and derivative works that comment on or otherwise explain it
## or assist in its implementation may be prepared, copied, published
## and distributed, in whole or in part, without restriction of any
## kind, provided that the above copyright notice and this paragraph are
## included on all such copies and derivative works. However, this
## document itself may not be modified in any way, such as by removing
## the copyright notice or references to the Internet Society or other
## Internet organizations, except as needed for the purpose of
## developing Internet standards in which case the procedures for
## copyrights defined in the Internet Standards process must be
## followed, or as required to translate it into languages other than
## English.
##
## The limited permissions granted above are perpetual and will not be
## revoked by the Internet Society or its successors or assigns.
##
## This document and the information contained herein is provided on an
## "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
## TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
## BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
## HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
## MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
#
#
# Includes LDAPv3 schema items from:
# ITU X.509 (08/2005)
#
## X.509 (08/2005) pp. 120-121
##
## -- object identifier assignments --
## -- object classes --
## id-oc-pmiUser OBJECT IDENTIFIER ::= {id-oc 24}
## id-oc-pmiAA OBJECT IDENTIFIER ::= {id-oc 25}
## id-oc-pmiSOA OBJECT IDENTIFIER ::= {id-oc 26}
## id-oc-attCertCRLDistributionPts OBJECT IDENTIFIER ::= {id-oc 27}
## id-oc-privilegePolicy OBJECT IDENTIFIER ::= {id-oc 32}
## id-oc-pmiDelegationPath OBJECT IDENTIFIER ::= {id-oc 33}
## id-oc-protectedPrivilegePolicy OBJECT IDENTIFIER ::= {id-oc 34}
## -- directory attributes --
## id-at-attributeCertificate OBJECT IDENTIFIER ::= {id-at 58}
## id-at-attributeCertificateRevocationList OBJECT IDENTIFIER ::= {id-at 59}
## id-at-aACertificate OBJECT IDENTIFIER ::= {id-at 61}
## id-at-attributeDescriptorCertificate OBJECT IDENTIFIER ::= {id-at 62}
## id-at-attributeAuthorityRevocationList OBJECT IDENTIFIER ::= {id-at 63}
## id-at-privPolicy OBJECT IDENTIFIER ::= {id-at 71}
## id-at-role OBJECT IDENTIFIER ::= {id-at 72}
## id-at-delegationPath OBJECT IDENTIFIER ::= {id-at 73}
## id-at-protPrivPolicy OBJECT IDENTIFIER ::= {id-at 74}
## id-at-xMLPrivilegeInfo OBJECT IDENTIFIER ::= {id-at 75}
## id-at-xMLPprotPrivPolicy OBJECT IDENTIFIER ::= {id-at 76}
## -- attribute certificate extensions --
## id-ce-authorityAttributeIdentifier OBJECT IDENTIFIER ::= {id-ce 38}
## id-ce-roleSpecCertIdentifier OBJECT IDENTIFIER ::= {id-ce 39}
## id-ce-basicAttConstraints OBJECT IDENTIFIER ::= {id-ce 41}
## id-ce-delegatedNameConstraints OBJECT IDENTIFIER ::= {id-ce 42}
## id-ce-timeSpecification OBJECT IDENTIFIER ::= {id-ce 43}
## id-ce-attributeDescriptor OBJECT IDENTIFIER ::= {id-ce 48}
## id-ce-userNotice OBJECT IDENTIFIER ::= {id-ce 49}
## id-ce-sOAIdentifier OBJECT IDENTIFIER ::= {id-ce 50}
## id-ce-acceptableCertPolicies OBJECT IDENTIFIER ::= {id-ce 52}
## id-ce-targetInformation OBJECT IDENTIFIER ::= {id-ce 55}
## id-ce-noRevAvail OBJECT IDENTIFIER ::= {id-ce 56}
## id-ce-acceptablePrivilegePolicies OBJECT IDENTIFIER ::= {id-ce 57}
## id-ce-indirectIssuer OBJECT IDENTIFIER ::= {id-ce 61}
## id-ce-noAssertion OBJECT IDENTIFIER ::= {id-ce 62}
## id-ce-issuedOnBehalfOf OBJECT IDENTIFIER ::= {id-ce 64}
## -- PMI matching rules --
## id-mr-attributeCertificateMatch OBJECT IDENTIFIER ::= {id-mr 42}
## id-mr-attributeCertificateExactMatch OBJECT IDENTIFIER ::= {id-mr 45}
## id-mr-holderIssuerMatch OBJECT IDENTIFIER ::= {id-mr 46}
## id-mr-authAttIdMatch OBJECT IDENTIFIER ::= {id-mr 53}
## id-mr-roleSpecCertIdMatch OBJECT IDENTIFIER ::= {id-mr 54}
## id-mr-basicAttConstraintsMatch OBJECT IDENTIFIER ::= {id-mr 55}
## id-mr-delegatedNameConstraintsMatch OBJECT IDENTIFIER ::= {id-mr 56}
## id-mr-timeSpecMatch OBJECT IDENTIFIER ::= {id-mr 57}
## id-mr-attDescriptorMatch OBJECT IDENTIFIER ::= {id-mr 58}
## id-mr-acceptableCertPoliciesMatch OBJECT IDENTIFIER ::= {id-mr 59}
## id-mr-delegationPathMatch OBJECT IDENTIFIER ::= {id-mr 61}
## id-mr-sOAIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 66}
## id-mr-indirectIssuerMatch OBJECT IDENTIFIER ::= {id-mr 67}
##
##
## X.509 (08/2005) pp. 71, 86-89
##
## 14.4.1 Role attribute
## role ATTRIBUTE ::= {
## WITH SYNTAX RoleSyntax
## ID id-at-role }
## RoleSyntax ::= SEQUENCE {
## roleAuthority [0] GeneralNames OPTIONAL,
## roleName [1] GeneralName }
##
## 14.5 XML privilege information attribute
## xmlPrivilegeInfo ATTRIBUTE ::= {
## WITH SYNTAX UTF8String -- contains XML-encoded privilege information
## ID id-at-xMLPrivilegeInfo }
##
## 17.1 PMI directory object classes
##
## 17.1.1 PMI user object class
## pmiUser OBJECT-CLASS ::= {
## -- a PMI user (i.e., a "holder")
## SUBCLASS OF {top}
## KIND auxiliary
## MAY CONTAIN {attributeCertificateAttribute}
## ID id-oc-pmiUser }
##
## 17.1.2 PMI AA object class
## pmiAA OBJECT-CLASS ::= {
## -- a PMI AA
## SUBCLASS OF {top}
## KIND auxiliary
## MAY CONTAIN {aACertificate |
## attributeCertificateRevocationList |
## attributeAuthorityRevocationList}
## ID id-oc-pmiAA }
##
## 17.1.3 PMI SOA object class
## pmiSOA OBJECT-CLASS ::= { -- a PMI Source of Authority
## SUBCLASS OF {top}
## KIND auxiliary
## MAY CONTAIN {attributeCertificateRevocationList |
## attributeAuthorityRevocationList |
## attributeDescriptorCertificate}
## ID id-oc-pmiSOA }
##
## 17.1.4 Attribute certificate CRL distribution point object class
## attCertCRLDistributionPt OBJECT-CLASS ::= {
## SUBCLASS OF {top}
## KIND auxiliary
## MAY CONTAIN { attributeCertificateRevocationList |
## attributeAuthorityRevocationList }
## ID id-oc-attCertCRLDistributionPts }
##
## 17.1.5 PMI delegation path
## pmiDelegationPath OBJECT-CLASS ::= {
## SUBCLASS OF {top}
## KIND auxiliary
## MAY CONTAIN { delegationPath }
## ID id-oc-pmiDelegationPath }
##
## 17.1.6 Privilege policy object class
## privilegePolicy OBJECT-CLASS ::= {
## SUBCLASS OF {top}
## KIND auxiliary
## MAY CONTAIN {privPolicy }
## ID id-oc-privilegePolicy }
##
## 17.1.7 Protected privilege policy object class
## protectedPrivilegePolicy OBJECT-CLASS ::= {
## SUBCLASS OF {top}
## KIND auxiliary
## MAY CONTAIN {protPrivPolicy }
## ID id-oc-protectedPrivilegePolicy }
##
## 17.2 PMI Directory attributes
##
## 17.2.1 Attribute certificate attribute
## attributeCertificateAttribute ATTRIBUTE ::= {
## WITH SYNTAX AttributeCertificate
## EQUALITY MATCHING RULE attributeCertificateExactMatch
## ID id-at-attributeCertificate }
##
## 17.2.2 AA certificate attribute
## aACertificate ATTRIBUTE ::= {
## WITH SYNTAX AttributeCertificate
## EQUALITY MATCHING RULE attributeCertificateExactMatch
## ID id-at-aACertificate }
##
## 17.2.3 Attribute descriptor certificate attribute
## attributeDescriptorCertificate ATTRIBUTE ::= {
## WITH SYNTAX AttributeCertificate
## EQUALITY MATCHING RULE attributeCertificateExactMatch
## ID id-at-attributeDescriptorCertificate }
##
## 17.2.4 Attribute certificate revocation list attribute
## attributeCertificateRevocationList ATTRIBUTE ::= {
## WITH SYNTAX CertificateList
## EQUALITY MATCHING RULE certificateListExactMatch
## ID id-at-attributeCertificateRevocationList}
##
## 17.2.5 AA certificate revocation list attribute
## attributeAuthorityRevocationList ATTRIBUTE ::= {
## WITH SYNTAX CertificateList
## EQUALITY MATCHING RULE certificateListExactMatch
## ID id-at-attributeAuthorityRevocationList }
##
## 17.2.6 Delegation path attribute
## delegationPath ATTRIBUTE ::= {
## WITH SYNTAX AttCertPath
## ID id-at-delegationPath }
## AttCertPath ::= SEQUENCE OF AttributeCertificate
##
## 17.2.7 Privilege policy attribute
## privPolicy ATTRIBUTE ::= {
## WITH SYNTAX PolicySyntax
## ID id-at-privPolicy }
##
## 17.2.8 Protected privilege policy attribute
## protPrivPolicy ATTRIBUTE ::= {
## WITH SYNTAX AttributeCertificate
## EQUALITY MATCHING RULE attributeCertificateExactMatch
## ID id-at-protPrivPolicy }
##
## 17.2.9 XML Protected privilege policy attribute
## xmlPrivPolicy ATTRIBUTE ::= {
## WITH SYNTAX UTF8String -- contains XML-encoded privilege policy information
## ID id-at-xMLPprotPrivPolicy }
##
## -- object identifier assignments --
## -- object classes --
objectidentifier id-oc-pmiUser 2.5.6.24
objectidentifier id-oc-pmiAA 2.5.6.25
objectidentifier id-oc-pmiSOA 2.5.6.26
objectidentifier id-oc-attCertCRLDistributionPts 2.5.6.27
objectidentifier id-oc-privilegePolicy 2.5.6.32
objectidentifier id-oc-pmiDelegationPath 2.5.6.33
objectidentifier id-oc-protectedPrivilegePolicy 2.5.6.34
## -- directory attributes --
objectidentifier id-at-attributeCertificate 2.5.4.58
objectidentifier id-at-attributeCertificateRevocationList 2.5.4.59
objectidentifier id-at-aACertificate 2.5.4.61
objectidentifier id-at-attributeDescriptorCertificate 2.5.4.62
objectidentifier id-at-attributeAuthorityRevocationList 2.5.4.63
objectidentifier id-at-privPolicy 2.5.4.71
objectidentifier id-at-role 2.5.4.72
objectidentifier id-at-delegationPath 2.5.4.73
objectidentifier id-at-protPrivPolicy 2.5.4.74
objectidentifier id-at-xMLPrivilegeInfo 2.5.4.75
objectidentifier id-at-xMLPprotPrivPolicy 2.5.4.76
## -- attribute certificate extensions --
## id-ce-authorityAttributeIdentifier OBJECT IDENTIFIER ::= {id-ce 38}
## id-ce-roleSpecCertIdentifier OBJECT IDENTIFIER ::= {id-ce 39}
## id-ce-basicAttConstraints OBJECT IDENTIFIER ::= {id-ce 41}
## id-ce-delegatedNameConstraints OBJECT IDENTIFIER ::= {id-ce 42}
## id-ce-timeSpecification OBJECT IDENTIFIER ::= {id-ce 43}
## id-ce-attributeDescriptor OBJECT IDENTIFIER ::= {id-ce 48}
## id-ce-userNotice OBJECT IDENTIFIER ::= {id-ce 49}
## id-ce-sOAIdentifier OBJECT IDENTIFIER ::= {id-ce 50}
## id-ce-acceptableCertPolicies OBJECT IDENTIFIER ::= {id-ce 52}
## id-ce-targetInformation OBJECT IDENTIFIER ::= {id-ce 55}
## id-ce-noRevAvail OBJECT IDENTIFIER ::= {id-ce 56}
## id-ce-acceptablePrivilegePolicies OBJECT IDENTIFIER ::= {id-ce 57}
## id-ce-indirectIssuer OBJECT IDENTIFIER ::= {id-ce 61}
## id-ce-noAssertion OBJECT IDENTIFIER ::= {id-ce 62}
## id-ce-issuedOnBehalfOf OBJECT IDENTIFIER ::= {id-ce 64}
## -- PMI matching rules --
objectidentifier id-mr 2.5.13
objectidentifier id-mr-attributeCertificateMatch id-mr:42
objectidentifier id-mr-attributeCertificateExactMatch id-mr:45
objectidentifier id-mr-holderIssuerMatch id-mr:46
objectidentifier id-mr-authAttIdMatch id-mr:53
objectidentifier id-mr-roleSpecCertIdMatch id-mr:54
objectidentifier id-mr-basicAttConstraintsMatch id-mr:55
objectidentifier id-mr-delegatedNameConstraintsMatch id-mr:56
objectidentifier id-mr-timeSpecMatch id-mr:57
objectidentifier id-mr-attDescriptorMatch id-mr:58
objectidentifier id-mr-acceptableCertPoliciesMatch id-mr:59
objectidentifier id-mr-delegationPathMatch id-mr:61
objectidentifier id-mr-sOAIdentifierMatch id-mr:66
objectidentifier id-mr-indirectIssuerMatch id-mr:67
## -- syntaxes --
## NOTE: 1.3.6.1.4.1.4203.666.11.10 is the oid arc assigned by OpenLDAP
## to this work in progress
objectidentifier AttributeCertificate 1.3.6.1.4.1.4203.666.11.10.2.1
objectidentifier CertificateList 1.3.6.1.4.1.1466.115.121.1.9
objectidentifier AttCertPath 1.3.6.1.4.1.4203.666.11.10.2.4
objectidentifier PolicySyntax 1.3.6.1.4.1.4203.666.11.10.2.5
objectidentifier RoleSyntax 1.3.6.1.4.1.4203.666.11.10.2.6
# NOTE: OIDs from <draft-ietf-pkix-ldap-schema-02.txt> (expired)
#objectidentifier AttributeCertificate 1.2.826.0.1.3344810.7.5
#objectidentifier AttCertPath 1.2.826.0.1.3344810.7.10
#objectidentifier PolicySyntax 1.2.826.0.1.3344810.7.17
#objectidentifier RoleSyntax 1.2.826.0.1.3344810.7.13
##
## Substitute syntaxes
##
## AttCertPath
ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.4
NAME 'AttCertPath'
DESC 'X.509 PMI attribute cartificate path: SEQUENCE OF AttributeCertificate'
X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
##
## PolicySyntax
ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.5
NAME 'PolicySyntax'
DESC 'X.509 PMI policy syntax'
X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
##
## RoleSyntax
ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.6
NAME 'RoleSyntax'
DESC 'X.509 PMI role syntax'
X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
##
## X.509 (08/2005) pp. 71, 86-89
##
## 14.4.1 Role attribute
attributeType ( id-at-role
NAME 'role'
DESC 'X.509 Role attribute, use ;binary'
SYNTAX RoleSyntax )
##
## 14.5 XML privilege information attribute
## -- contains XML-encoded privilege information
attributeType ( id-at-xMLPrivilegeInfo
NAME 'xmlPrivilegeInfo'
DESC 'X.509 XML privilege information attribute'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
##
## 17.2 PMI Directory attributes
##
## 17.2.1 Attribute certificate attribute
attributeType ( id-at-attributeCertificate
NAME 'attributeCertificateAttribute'
DESC 'X.509 Attribute certificate attribute, use ;binary'
SYNTAX AttributeCertificate
EQUALITY attributeCertificateExactMatch )
##
## 17.2.2 AA certificate attribute
attributeType ( id-at-aACertificate
NAME 'aACertificate'
DESC 'X.509 AA certificate attribute, use ;binary'
SYNTAX AttributeCertificate
EQUALITY attributeCertificateExactMatch )
##
## 17.2.3 Attribute descriptor certificate attribute
attributeType ( id-at-attributeDescriptorCertificate
NAME 'attributeDescriptorCertificate'
DESC 'X.509 Attribute descriptor certificate attribute, use ;binary'
SYNTAX AttributeCertificate
EQUALITY attributeCertificateExactMatch )
##
## 17.2.4 Attribute certificate revocation list attribute
attributeType ( id-at-attributeCertificateRevocationList
NAME 'attributeCertificateRevocationList'
DESC 'X.509 Attribute certificate revocation list attribute, use ;binary'
SYNTAX CertificateList
X-EQUALITY 'certificateListExactMatch, not implemented yet' )
##
## 17.2.5 AA certificate revocation list attribute
attributeType ( id-at-attributeAuthorityRevocationList
NAME 'attributeAuthorityRevocationList'
DESC 'X.509 AA certificate revocation list attribute, use ;binary'
SYNTAX CertificateList
X-EQUALITY 'certificateListExactMatch, not implemented yet' )
##
## 17.2.6 Delegation path attribute
attributeType ( id-at-delegationPath
NAME 'delegationPath'
DESC 'X.509 Delegation path attribute, use ;binary'
SYNTAX AttCertPath )
## AttCertPath ::= SEQUENCE OF AttributeCertificate
##
## 17.2.7 Privilege policy attribute
attributeType ( id-at-privPolicy
NAME 'privPolicy'
DESC 'X.509 Privilege policy attribute, use ;binary'
SYNTAX PolicySyntax )
##
## 17.2.8 Protected privilege policy attribute
attributeType ( id-at-protPrivPolicy
NAME 'protPrivPolicy'
DESC 'X.509 Protected privilege policy attribute, use ;binary'
SYNTAX AttributeCertificate
EQUALITY attributeCertificateExactMatch )
##
## 17.2.9 XML Protected privilege policy attribute
## -- contains XML-encoded privilege policy information
attributeType ( id-at-xMLPprotPrivPolicy
NAME 'xmlPrivPolicy'
DESC 'X.509 XML Protected privilege policy attribute'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
##
## 17.1 PMI directory object classes
##
## 17.1.1 PMI user object class
## -- a PMI user (i.e., a "holder")
objectClass ( id-oc-pmiUser
NAME 'pmiUser'
DESC 'X.509 PMI user object class'
SUP top
AUXILIARY
MAY ( attributeCertificateAttribute ) )
##
## 17.1.2 PMI AA object class
## -- a PMI AA
objectClass ( id-oc-pmiAA
NAME 'pmiAA'
DESC 'X.509 PMI AA object class'
SUP top
AUXILIARY
MAY ( aACertificate $
attributeCertificateRevocationList $
attributeAuthorityRevocationList
) )
##
## 17.1.3 PMI SOA object class
## -- a PMI Source of Authority
objectClass ( id-oc-pmiSOA
NAME 'pmiSOA'
DESC 'X.509 PMI SOA object class'
SUP top
AUXILIARY
MAY ( attributeCertificateRevocationList $
attributeAuthorityRevocationList $
attributeDescriptorCertificate
) )
##
## 17.1.4 Attribute certificate CRL distribution point object class
objectClass ( id-oc-attCertCRLDistributionPts
NAME 'attCertCRLDistributionPt'
DESC 'X.509 Attribute certificate CRL distribution point object class'
SUP top
AUXILIARY
MAY ( attributeCertificateRevocationList $
attributeAuthorityRevocationList
) )
##
## 17.1.5 PMI delegation path
objectClass ( id-oc-pmiDelegationPath
NAME 'pmiDelegationPath'
DESC 'X.509 PMI delegation path'
SUP top
AUXILIARY
MAY ( delegationPath ) )
##
## 17.1.6 Privilege policy object class
objectClass ( id-oc-privilegePolicy
NAME 'privilegePolicy'
DESC 'X.509 Privilege policy object class'
SUP top
AUXILIARY
MAY ( privPolicy ) )
##
## 17.1.7 Protected privilege policy object class
objectClass ( id-oc-protectedPrivilegePolicy
NAME 'protectedPrivilegePolicy'
DESC 'X.509 Protected privilege policy object class'
SUP top
AUXILIARY
MAY ( protPrivPolicy ) )
Reference in New Issue View Git Blame Copy Permalink