e-smith-base%2Bldap/sme7/e-smith-base%2Bldap-4.19.1-ldap_fixes.patch

diff -Nur -x '*.orig' -x '*.rej' e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/cpu.conf/all mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/cpu.conf/all
--- e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/cpu.conf/all        2008-04-17 09:51:47.000000000 +0200
+++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/cpu.conf/all      2008-04-17 09:37:58.000000000 +0200
@@ -32,7 +32,7 @@
 RANDOM = "false"
 PASSWORD_FILE = "/etc/passfile"
 SHADOW_FILE = "/etc/shadowfile"
-HASH = "sha1"
+HASH = "crypt"
 #ADD_SCRIPT = "contrib/postaddscript.sh"
 #DEL_SCRIPT = "foo"
 SHADOWLASTCHANGE        = 11192
diff -Nur -x '*.orig' -x '*.rej' e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/20pam_password mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/20pam_password
--- e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/20pam_password    2008-04-17 09:51:47.000000000 +0200
+++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/20pam_password  2008-04-17 09:38:21.000000000 +0200
@@ -1 +1 @@
-pam_password md5
+pam_password exop
diff -Nur -x '*.orig' -x '*.rej' e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/40nss_base_passwd mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/40nss_base_passwd
--- e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/40nss_base_passwd 2008-04-17 09:51:47.000000000 +0200
+++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/40nss_base_passwd       2008-04-17 09:39:05.000000000 +0200
@@ -2,4 +2,8 @@
     $OUT .= "nss_base_passwd ou=Users,";
     $OUT .= esmith::util::ldapBase ($DomainName);
     $OUT .= '?one';
+    $OUT .= "\n";
+    $OUT .= "nss_base_passwd ou=Computers,";
+    $OUT .= esmith::util::ldapBase ($DomainName);
+    $OUT .= '?one';
 }
diff -Nur -x '*.orig' -x '*.rej' e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/55bind_policy mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/55bind_policy
--- e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/55bind_policy     2008-04-17 09:51:47.000000000 +0200
+++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/55bind_policy   2008-04-17 09:39:40.000000000 +0200
@@ -1,2 +1,4 @@
+{
 # Allow read /etc/{passwd,groups,shadow} files when ldap is down.
+}
 bind_policy soft
diff -Nur -x '*.orig' -x '*.rej' e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/85passwordHash mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/85passwordHash
--- e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/85passwordHash  1970-01-01 01:00:00.000000000 +0100
+++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/85passwordHash        2008-04-17 09:41:03.000000000 +0200
@@ -0,0 +1,5 @@
+
+# This is to use md5crypt
+password-hash \{CRYPT\}
+password-crypt-salt-format "$1$%.8s"
+
diff -Nur -x '*.orig' -x '*.rej' e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls
--- e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls  2008-04-17 09:51:47.000000000 +0200
+++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls        2008-04-17 09:41:52.000000000 +0200
@@ -5,6 +5,18 @@
  by dn="cn=root,{ esmith::util::ldapBase ($DomainName); }" write
  by * none
 
+ access to attr=sambaLMPassword
+ by self write
+ by anonymous auth
+ by dn="cn=root,{ esmith::util::ldapBase ($DomainName); }" write
+ by * none
+
+ access to attr=sambaNTPassword
+ by self write
+ by anonymous auth
+ by dn="cn=root,{ esmith::util::ldapBase ($DomainName); }" write
+ by * none
+
  access to *
  by self write
  by dn="cn=root,{ esmith::util::ldapBase ($DomainName); }" write
diff -Nur -x '*.orig' -x '*.rej' e-smith-base+ldap-4.19.1/root/etc/openldap/schema/samba.schema mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/openldap/schema/samba.schema
--- e-smith-base+ldap-4.19.1/root/etc/openldap/schema/samba.schema      2008-04-17 09:51:47.000000000 +0200
+++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/openldap/schema/samba.schema    2007-03-01 05:55:18.000000000 +0100
@@ -14,6 +14,13 @@
 ## 1.3.6.1.4.1.7165.2.3.1.x - attributetypes
 ## 1.3.6.1.4.1.7165.2.3.2.x - objectclasses
 ##
+## Samba4
+## 1.3.6.1.4.1.7165.4.1.x - attributetypes
+## 1.3.6.1.4.1.7165.4.2.x - objectclasses
+## 1.3.6.1.4.1.7165.4.3.x - LDB/LDAP Controls
+## 1.3.6.1.4.1.7165.4.4.x - LDB/LDAP Extended Operations
+## 1.3.6.1.4.1.7165.4.255.x - mapped OIDs due to conflicts between AD and standards-track
+##
 ## ----- READ THIS WHEN ADDING A NEW ATTRIBUTE OR OBJECT CLASS ------
 ##
 ## Run the 'get_next_oid' bash script in this directory to find the 
@@ -38,6 +45,7 @@
 # objectIdentifier Samba3 SambaRoot:2
 # objectIdentifier Samba3Attrib Samba3:1
 # objectIdentifier Samba3ObjectClass Samba3:2
+# objectIdentifier Samba4 SambaRoot:4
 
 ########################################################################
 ##                            HISTORICAL                              ##
@@ -279,12 +287,12 @@
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
 
 attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'
-       DESC ''
+       DESC 'Base64 encoded user parameter string'
        EQUALITY caseExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
 
 attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory'
-       DESC 'Concatenated MD4 hashes of the unicode passwords used on this account'
+       DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
 
@@ -295,9 +303,9 @@
 attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
        DESC 'Security ID'
        EQUALITY caseIgnoreIA5Match
+       SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
 
-
 ##
 ## Primary group SID, compatible with ntSid
 ##
@@ -376,19 +384,81 @@
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 
 
-attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName' 
-       SUP name )
+##attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName' 
+##     SUP name )
 
-attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'
-       DESC 'Privileges List'
-       EQUALITY caseIgnoreIA5Match
-       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
+##attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'
+##     DESC 'Privileges List'
+##     EQUALITY caseIgnoreIA5Match
+##     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
 
 attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags'
        DESC 'Trust Password Flags'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
+# "min password length"
+attributetype ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength'
+       DESC 'Minimal password length (default: 5)'
+       EQUALITY integerMatch
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "password history"
+attributetype ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength'
+       DESC 'Length of Password History Entries (default: 0 => off)'
+       EQUALITY integerMatch
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "user must logon to change password"
+attributetype ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd'
+       DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)'
+       EQUALITY integerMatch
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "maximum password age"
+attributetype ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge'
+       DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)'
+       EQUALITY integerMatch
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "minimum password age"
+attributetype ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge'
+       DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)'
+       EQUALITY integerMatch
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "lockout duration"
+attributetype ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration'
+       DESC 'Lockout duration in minutes (default: 30, -1 => forever)'
+       EQUALITY integerMatch
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "reset count minutes"
+attributetype ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow'
+       DESC 'Reset time after lockout in minutes (default: 30)'
+       EQUALITY integerMatch
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "bad lockout attempt"
+attributetype ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold'
+       DESC 'Lockout users after bad logon attempts (default: 0 => off)'
+       EQUALITY integerMatch
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "disconnect time"
+attributetype ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff'
+       DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)'
+       EQUALITY integerMatch
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "refuse machine password change"
+attributetype ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange'
+       DESC 'Allow Machine Password changes (default: 0 => off)'
+       EQUALITY integerMatch
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+
+
 
 #######################################################################
 ##              objectClasses used by Samba 3.0 schema               ##
@@ -438,7 +508,11 @@
        MUST ( sambaDomainName $ 
               sambaSID ) 
        MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
-             sambaAlgorithmicRidBase ) )
+             sambaAlgorithmicRidBase $ 
+             sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $
+             sambaMaxPwdAge $ sambaMinPwdAge $
+             sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $
+             sambaForceLogoff $ sambaRefuseMachinePwdChange ))
 
 ##
 ## used for idmap_ldap module
@@ -457,7 +531,7 @@
        DESC 'Structural Class for a SID'
        MUST ( sambaSID ) )
 
-objectclass ( 1.3.6.1.4.1.7165.1.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY
+objectclass ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY
        DESC 'Samba Configuration Section'
        MAY ( description ) )
 
@@ -473,8 +547,8 @@
              sambaStringListoption $ description ) )
 
 
-objectclass ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY
-       DESC 'Samba Privilege'
-       MUST ( sambaSID )
-       MAY ( sambaPrivilegeList ) )
-
+## retired during privilege rewrite
+##objectclass ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY
+##     DESC 'Samba Privilege'
+##     MUST ( sambaSID )
+##     MAY ( sambaPrivilegeList ) )
1	slords	1.1	diff -Nur -x '.orig' -x '.rej' e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/cpu.conf/all mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/cpu.conf/all
2			--- e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/cpu.conf/all 2008-04-17 09:51:47.000000000 +0200
3			+++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/cpu.conf/all 2008-04-17 09:37:58.000000000 +0200
4			@@ -32,7 +32,7 @@
5			RANDOM = "false"
6			PASSWORD_FILE = "/etc/passfile"
7			SHADOW_FILE = "/etc/shadowfile"
8			-HASH = "sha1"
9			+HASH = "crypt"
10			#ADD_SCRIPT = "contrib/postaddscript.sh"
11			#DEL_SCRIPT = "foo"
12			SHADOWLASTCHANGE = 11192
13			diff -Nur -x '.orig' -x '.rej' e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/20pam_password mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/20pam_password
14			--- e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/20pam_password 2008-04-17 09:51:47.000000000 +0200
15			+++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/20pam_password 2008-04-17 09:38:21.000000000 +0200
16			@@ -1 +1 @@
17			-pam_password md5
18			+pam_password exop
19			diff -Nur -x '.orig' -x '.rej' e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/40nss_base_passwd mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/40nss_base_passwd
20			--- e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/40nss_base_passwd 2008-04-17 09:51:47.000000000 +0200
21			+++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/40nss_base_passwd 2008-04-17 09:39:05.000000000 +0200
22			@@ -2,4 +2,8 @@
23			$OUT .= "nss_base_passwd ou=Users,";
24			$OUT .= esmith::util::ldapBase ($DomainName);
25			$OUT .= '?one';
26			+ $OUT .= "\n";
27			+ $OUT .= "nss_base_passwd ou=Computers,";
28			+ $OUT .= esmith::util::ldapBase ($DomainName);
29			+ $OUT .= '?one';
30			}
31			diff -Nur -x '.orig' -x '.rej' e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/55bind_policy mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/55bind_policy
32			--- e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/55bind_policy 2008-04-17 09:51:47.000000000 +0200
33			+++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/55bind_policy 2008-04-17 09:39:40.000000000 +0200
34			@@ -1,2 +1,4 @@
35			+{
36			# Allow read /etc/{passwd,groups,shadow} files when ldap is down.
37			+}
38			bind_policy soft
39			diff -Nur -x '.orig' -x '.rej' e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/85passwordHash mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/85passwordHash
40			--- e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/85passwordHash 1970-01-01 01:00:00.000000000 +0100
41			+++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/85passwordHash 2008-04-17 09:41:03.000000000 +0200
42			@@ -0,0 +1,5 @@
43			+
44			+# This is to use md5crypt
45			+password-hash \{CRYPT\}
46			+password-crypt-salt-format "$1$%.8s"
47			+
48			diff -Nur -x '.orig' -x '.rej' e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls
49			--- e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls 2008-04-17 09:51:47.000000000 +0200
50			+++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls 2008-04-17 09:41:52.000000000 +0200
51			@@ -5,6 +5,18 @@
52			by dn="cn=root,{ esmith::util::ldapBase ($DomainName); }" write
53			by * none
54
55			+ access to attr=sambaLMPassword
56			+ by self write
57			+ by anonymous auth
58			+ by dn="cn=root,{ esmith::util::ldapBase ($DomainName); }" write
59			+ by * none
60			+
61			+ access to attr=sambaNTPassword
62			+ by self write
63			+ by anonymous auth
64			+ by dn="cn=root,{ esmith::util::ldapBase ($DomainName); }" write
65			+ by * none
66			+
67			access to *
68			by self write
69			by dn="cn=root,{ esmith::util::ldapBase ($DomainName); }" write
70			diff -Nur -x '.orig' -x '.rej' e-smith-base+ldap-4.19.1/root/etc/openldap/schema/samba.schema mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/openldap/schema/samba.schema
71			--- e-smith-base+ldap-4.19.1/root/etc/openldap/schema/samba.schema 2008-04-17 09:51:47.000000000 +0200
72			+++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/openldap/schema/samba.schema 2007-03-01 05:55:18.000000000 +0100
73			@@ -14,6 +14,13 @@
74			## 1.3.6.1.4.1.7165.2.3.1.x - attributetypes
75			## 1.3.6.1.4.1.7165.2.3.2.x - objectclasses
76			##
77			+## Samba4
78			+## 1.3.6.1.4.1.7165.4.1.x - attributetypes
79			+## 1.3.6.1.4.1.7165.4.2.x - objectclasses
80			+## 1.3.6.1.4.1.7165.4.3.x - LDB/LDAP Controls
81			+## 1.3.6.1.4.1.7165.4.4.x - LDB/LDAP Extended Operations
82			+## 1.3.6.1.4.1.7165.4.255.x - mapped OIDs due to conflicts between AD and standards-track
83			+##
84			## ----- READ THIS WHEN ADDING A NEW ATTRIBUTE OR OBJECT CLASS ------
85			##
86			## Run the 'get_next_oid' bash script in this directory to find the
87			@@ -38,6 +45,7 @@
88			# objectIdentifier Samba3 SambaRoot:2
89			# objectIdentifier Samba3Attrib Samba3:1
90			# objectIdentifier Samba3ObjectClass Samba3:2
91			+# objectIdentifier Samba4 SambaRoot:4
92
93			########################################################################
94			## HISTORICAL ##
95			@@ -279,12 +287,12 @@
96			SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
97
98			attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'
99			- DESC ''
100			+ DESC 'Base64 encoded user parameter string'
101			EQUALITY caseExactMatch
102			SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
103
104			attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory'
105			- DESC 'Concatenated MD4 hashes of the unicode passwords used on this account'
106			+ DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
107			EQUALITY caseIgnoreIA5Match
108			SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
109
110			@@ -295,9 +303,9 @@
111			attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
112			DESC 'Security ID'
113			EQUALITY caseIgnoreIA5Match
114			+ SUBSTR caseExactIA5SubstringsMatch
115			SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
116
117			-
118			##
119			## Primary group SID, compatible with ntSid
120			##
121			@@ -376,19 +384,81 @@
122			SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
123
124
125			-attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName'
126			- SUP name )
127			+##attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName'
128			+## SUP name )
129
130			-attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'
131			- DESC 'Privileges List'
132			- EQUALITY caseIgnoreIA5Match
133			- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
134			+##attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'
135			+## DESC 'Privileges List'
136			+## EQUALITY caseIgnoreIA5Match
137			+## SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
138
139			attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags'
140			DESC 'Trust Password Flags'
141			EQUALITY caseIgnoreIA5Match
142			SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
143
144			+# "min password length"
145			+attributetype ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength'
146			+ DESC 'Minimal password length (default: 5)'
147			+ EQUALITY integerMatch
148			+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
149			+
150			+# "password history"
151			+attributetype ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength'
152			+ DESC 'Length of Password History Entries (default: 0 => off)'
153			+ EQUALITY integerMatch
154			+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
155			+
156			+# "user must logon to change password"
157			+attributetype ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd'
158			+ DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)'
159			+ EQUALITY integerMatch
160			+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
161			+
162			+# "maximum password age"
163			+attributetype ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge'
164			+ DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)'
165			+ EQUALITY integerMatch
166			+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
167			+
168			+# "minimum password age"
169			+attributetype ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge'
170			+ DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)'
171			+ EQUALITY integerMatch
172			+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
173			+
174			+# "lockout duration"
175			+attributetype ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration'
176			+ DESC 'Lockout duration in minutes (default: 30, -1 => forever)'
177			+ EQUALITY integerMatch
178			+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
179			+
180			+# "reset count minutes"
181			+attributetype ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow'
182			+ DESC 'Reset time after lockout in minutes (default: 30)'
183			+ EQUALITY integerMatch
184			+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
185			+
186			+# "bad lockout attempt"
187			+attributetype ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold'
188			+ DESC 'Lockout users after bad logon attempts (default: 0 => off)'
189			+ EQUALITY integerMatch
190			+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
191			+
192			+# "disconnect time"
193			+attributetype ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff'
194			+ DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)'
195			+ EQUALITY integerMatch
196			+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
197			+
198			+# "refuse machine password change"
199			+attributetype ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange'
200			+ DESC 'Allow Machine Password changes (default: 0 => off)'
201			+ EQUALITY integerMatch
202			+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
203			+
204			+
205			+
206
207			#######################################################################
208			## objectClasses used by Samba 3.0 schema ##
209			@@ -438,7 +508,11 @@
210			MUST ( sambaDomainName $
211			sambaSID )
212			MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
213			- sambaAlgorithmicRidBase ) )
214			+ sambaAlgorithmicRidBase $
215			+ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $
216			+ sambaMaxPwdAge $ sambaMinPwdAge $
217			+ sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $
218			+ sambaForceLogoff $ sambaRefuseMachinePwdChange ))
219
220			##
221			## used for idmap_ldap module
222			@@ -457,7 +531,7 @@
223			DESC 'Structural Class for a SID'
224			MUST ( sambaSID ) )
225
226			-objectclass ( 1.3.6.1.4.1.7165.1.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY
227			+objectclass ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY
228			DESC 'Samba Configuration Section'
229			MAY ( description ) )
230
231			@@ -473,8 +547,8 @@
232			sambaStringListoption $ description ) )
233
234
235			-objectclass ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY
236			- DESC 'Samba Privilege'
237			- MUST ( sambaSID )
238			- MAY ( sambaPrivilegeList ) )
239			-
240			+## retired during privilege rewrite
241			+##objectclass ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY
242			+## DESC 'Samba Privilege'
243			+## MUST ( sambaSID )
244			+## MAY ( sambaPrivilegeList ) )