
Contents of /rpms/e-smith-base+ldap/sme8/e-smith-base+ldap-4.19.1-ldap_fixes.patch



Revision 1.2 - (show annotations) (download)
Tue Oct 7 19:21:54 2008 UTC (15 years, 7 months ago) by slords
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +0 -0 lines
FILE REMOVED
New streams

1 diff -Nur -x '*.orig' -x '*.rej' e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/cpu.conf/all mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/cpu.conf/all
2 --- e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/cpu.conf/all 2008-04-17 09:51:47.000000000 +0200
3 +++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/cpu.conf/all 2008-04-17 09:37:58.000000000 +0200
4 @@ -32,7 +32,7 @@
5 RANDOM = "false"
6 PASSWORD_FILE = "/etc/passfile"
7 SHADOW_FILE = "/etc/shadowfile"
8 -HASH = "sha1"
9 +HASH = "crypt"
10 #ADD_SCRIPT = "contrib/postaddscript.sh"
11 #DEL_SCRIPT = "foo"
12 SHADOWLASTCHANGE = 11192
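Review bot: `HASH = "crypt"` does not say which crypt(3) scheme cpu will produce, and nothing in this hunk pins it. The slapd side of this patch sets `password-crypt-salt-format "$1$%.8s"` (md5crypt), so it is worth confirming that cpu also generates a `$1$` salt rather than a traditional DES one, which would truncate passwords to eight characters. A comment such as `# crypt: must stay in step with password-hash in slapd.conf` above the line would record the coupling.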
13 diff -Nur -x '*.orig' -x '*.rej' e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/20pam_password mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/20pam_password
14 --- e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/20pam_password 2008-04-17 09:51:47.000000000 +0200
15 +++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/20pam_password 2008-04-17 09:38:21.000000000 +0200
16 @@ -1 +1 @@
17 -pam_password md5
18 +pam_password exop
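Review bot: With `pam_password exop` the new password travels to slapd in clear inside the Password Modify extended operation and is hashed there, so this line depends on the connection being protected; no `ssl` or TLS setting is visible in this fragment. Whether another ldap.conf fragment enables it, or the client only talks to a local server, cannot be told from here and should be confirmed. A comment would help, for example `# exop: slapd hashes the password per password-hash in slapd.conf; needs TLS or a local connection`.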
19 diff -Nur -x '*.orig' -x '*.rej' e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/40nss_base_passwd mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/40nss_base_passwd
20 --- e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/40nss_base_passwd 2008-04-17 09:51:47.000000000 +0200
21 +++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/40nss_base_passwd 2008-04-17 09:39:05.000000000 +0200
22 @@ -2,4 +2,8 @@
23 $OUT .= "nss_base_passwd ou=Users,";
24 $OUT .= esmith::util::ldapBase ($DomainName);
25 $OUT .= '?one';
26 + $OUT .= "\n";
27 + $OUT .= "nss_base_passwd ou=Computers,";
28 + $OUT .= esmith::util::ldapBase ($DomainName);
29 + $OUT .= '?one';
30 }
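Review bot: Adding `ou=Computers` as a second `nss_base_passwd` search base makes every machine trust account under that subtree resolve as a Unix user on this host, and nothing in the hunk limits what those entries can do. It would be worth confirming that machine accounts carry a non-login shell and that PAM does not accept them (for instance through a `pam_filter` in another fragment, not visible here). A comment above the new lines, such as `# machine accounts: needed so Samba can map them to uids`, would record why they are exposed to NSS; that purpose is my inference from the Samba ACL and schema changes in the same patch. The enclosing `{ ... }` block opens above the hunk.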
31 diff -Nur -x '*.orig' -x '*.rej' e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/55bind_policy mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/55bind_policy
32 --- e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/55bind_policy 2008-04-17 09:51:47.000000000 +0200
33 +++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/55bind_policy 2008-04-17 09:39:40.000000000 +0200
34 @@ -1,2 +1,4 @@
35 +{
36 # Allow read /etc/{passwd,groups,shadow} files when ldap is down.
37 +}
38 bind_policy soft
39 diff -Nur -x '*.orig' -x '*.rej' e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/85passwordHash mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/85passwordHash
40 --- e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/85passwordHash 1970-01-01 01:00:00.000000000 +0100
41 +++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/85passwordHash 2008-04-17 09:41:03.000000000 +0200
42 @@ -0,0 +1,5 @@
43 +
44 +# This is to use md5crypt
45 +password-hash \{CRYPT\}
46 +password-crypt-salt-format "$1$%.8s"
47 +
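Review bot: `password-hash` only governs passwords set through the Password Modify extended operation, so the md5crypt choice here applies to `pam_password exop` clients but not to tools that write `userPassword` themselves, such as cpu with its own `HASH` setting. md5crypt is also a fast hash by current standards; where the platform crypt(3) supports it, a stronger format such as `password-crypt-salt-format "$6$%.16s"` would be preferable, provided everything that consumes these hashes can verify it. The comment could say more than `# This is to use md5crypt`, for example why {CRYPT} was chosen over {SSHA}.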
48 diff -Nur -x '*.orig' -x '*.rej' e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls
49 --- e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls 2008-04-17 09:51:47.000000000 +0200
50 +++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls 2008-04-17 09:41:52.000000000 +0200
51 @@ -5,6 +5,18 @@
52 by dn="cn=root,{ esmith::util::ldapBase ($DomainName); }" write
53 by * none
54
55 + access to attr=sambaLMPassword
56 + by self write
57 + by anonymous auth
58 + by dn="cn=root,{ esmith::util::ldapBase ($DomainName); }" write
59 + by * none
60 +
61 + access to attr=sambaNTPassword
62 + by self write
63 + by anonymous auth
64 + by dn="cn=root,{ esmith::util::ldapBase ($DomainName); }" write
65 + by * none
66 +
67 access to *
68 by self write
69 by dn="cn=root,{ esmith::util::ldapBase ($DomainName); }" write
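Review bot: The two new rules protect `sambaLMPassword` and `sambaNTPassword`, but `sambaPasswordHistory` (defined in the schema shipped by this same patch) is not listed and so falls through to `access to *`, whose final clauses lie outside the hunk. If that rule grants read to other users, previous-password hashes would be readable; a third rule for that attribute with write for `cn=root` and `by * none` would close it. Separately, `by anonymous auth` has no effect on these two attributes as far as I know, since slapd only uses auth access for the attribute it binds against, so it can be dropped, and the two rules can be merged as `access to attr=sambaLMPassword,sambaNTPassword`.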
70 diff -Nur -x '*.orig' -x '*.rej' e-smith-base+ldap-4.19.1/root/etc/openldap/schema/samba.schema mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/openldap/schema/samba.schema
71 --- e-smith-base+ldap-4.19.1/root/etc/openldap/schema/samba.schema 2008-04-17 09:51:47.000000000 +0200
72 +++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/openldap/schema/samba.schema 2007-03-01 05:55:18.000000000 +0100
73 @@ -14,6 +14,13 @@
74 ## 1.3.6.1.4.1.7165.2.3.1.x - attributetypes
75 ## 1.3.6.1.4.1.7165.2.3.2.x - objectclasses
76 ##
77 +## Samba4
78 +## 1.3.6.1.4.1.7165.4.1.x - attributetypes
79 +## 1.3.6.1.4.1.7165.4.2.x - objectclasses
80 +## 1.3.6.1.4.1.7165.4.3.x - LDB/LDAP Controls
81 +## 1.3.6.1.4.1.7165.4.4.x - LDB/LDAP Extended Operations
82 +## 1.3.6.1.4.1.7165.4.255.x - mapped OIDs due to conflicts between AD and standards-track
83 +##
84 ## ----- READ THIS WHEN ADDING A NEW ATTRIBUTE OR OBJECT CLASS ------
85 ##
86 ## Run the 'get_next_oid' bash script in this directory to find the
87 @@ -38,6 +45,7 @@
88 # objectIdentifier Samba3 SambaRoot:2
89 # objectIdentifier Samba3Attrib Samba3:1
90 # objectIdentifier Samba3ObjectClass Samba3:2
91 +# objectIdentifier Samba4 SambaRoot:4
92
93 ########################################################################
94 ## HISTORICAL ##
95 @@ -279,12 +287,12 @@
96 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
97
98 attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'
99 - DESC ''
100 + DESC 'Base64 encoded user parameter string'
101 EQUALITY caseExactMatch
102 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
103
104 attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory'
105 - DESC 'Concatenated MD4 hashes of the unicode passwords used on this account'
106 + DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
107 EQUALITY caseIgnoreIA5Match
108 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
109
110 @@ -295,9 +303,9 @@
111 attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
112 DESC 'Security ID'
113 EQUALITY caseIgnoreIA5Match
114 + SUBSTR caseExactIA5SubstringsMatch
115 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
116
117 -
118 ##
119 ## Primary group SID, compatible with ntSid
120 ##
121 @@ -376,19 +384,81 @@
122 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
123
124
125 -attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName'
126 - SUP name )
127 +##attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName'
128 +## SUP name )
129
130 -attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'
131 - DESC 'Privileges List'
132 - EQUALITY caseIgnoreIA5Match
133 - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
134 +##attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'
135 +## DESC 'Privileges List'
136 +## EQUALITY caseIgnoreIA5Match
137 +## SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
138
139 attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags'
140 DESC 'Trust Password Flags'
141 EQUALITY caseIgnoreIA5Match
142 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
143
144 +# "min password length"
145 +attributetype ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength'
146 + DESC 'Minimal password length (default: 5)'
147 + EQUALITY integerMatch
148 + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
149 +
150 +# "password history"
151 +attributetype ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength'
152 + DESC 'Length of Password History Entries (default: 0 => off)'
153 + EQUALITY integerMatch
154 + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
155 +
156 +# "user must logon to change password"
157 +attributetype ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd'
158 + DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)'
159 + EQUALITY integerMatch
160 + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
161 +
162 +# "maximum password age"
163 +attributetype ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge'
164 + DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)'
165 + EQUALITY integerMatch
166 + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
167 +
168 +# "minimum password age"
169 +attributetype ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge'
170 + DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)'
171 + EQUALITY integerMatch
172 + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
173 +
174 +# "lockout duration"
175 +attributetype ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration'
176 + DESC 'Lockout duration in minutes (default: 30, -1 => forever)'
177 + EQUALITY integerMatch
178 + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
179 +
180 +# "reset count minutes"
181 +attributetype ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow'
182 + DESC 'Reset time after lockout in minutes (default: 30)'
183 + EQUALITY integerMatch
184 + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
185 +
186 +# "bad lockout attempt"
187 +attributetype ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold'
188 + DESC 'Lockout users after bad logon attempts (default: 0 => off)'
189 + EQUALITY integerMatch
190 + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
191 +
192 +# "disconnect time"
193 +attributetype ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff'
194 + DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)'
195 + EQUALITY integerMatch
196 + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
197 +
198 +# "refuse machine password change"
199 +attributetype ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange'
200 + DESC 'Allow Machine Password changes (default: 0 => off)'
201 + EQUALITY integerMatch
202 + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
203 +
204 +
205 +
206
207 #######################################################################
208 ## objectClasses used by Samba 3.0 schema ##
209 @@ -438,7 +508,11 @@
210 MUST ( sambaDomainName $
211 sambaSID )
212 MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
213 - sambaAlgorithmicRidBase ) )
214 + sambaAlgorithmicRidBase $
215 + sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $
216 + sambaMaxPwdAge $ sambaMinPwdAge $
217 + sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $
218 + sambaForceLogoff $ sambaRefuseMachinePwdChange ))
219
220 ##
221 ## used for idmap_ldap module
222 @@ -457,7 +531,7 @@
223 DESC 'Structural Class for a SID'
224 MUST ( sambaSID ) )
225
226 -objectclass ( 1.3.6.1.4.1.7165.1.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY
227 +objectclass ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY
228 DESC 'Samba Configuration Section'
229 MAY ( description ) )
230
231 @@ -473,8 +547,8 @@
232 sambaStringListoption $ description ) )
233
234
235 -objectclass ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY
236 - DESC 'Samba Privilege'
237 - MUST ( sambaSID )
238 - MAY ( sambaPrivilegeList ) )
239 -
240 +## retired during privilege rewrite
241 +##objectclass ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY
242 +## DESC 'Samba Privilege'
243 +## MUST ( sambaSID )
244 +## MAY ( sambaPrivilegeList ) )
