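# -----------------------------------------------------------------------------
# Safehaus LDAP Schema
# -----------------------------------------------------------------------------
#
# Author: $author$
# Author: Alex Karasulu
# Revision: $rev$
# Nag-to: dev@safehaus.org
# Dependencies: system, core
#
# -----------------------------------------------------------------------------
#
# Review notes (security):
#
#  * safehausSecret, safehausTokenPin and safehausActivationKey hold credential
#    material.  A schema cannot enforce access control: the directory ACLs must
#    deny anonymous/unprivileged read, search and compare on these attributes,
#    and they should never be returned to clients that only need the profile's
#    public fields.
#
#  * The SUBSTR matching rules were removed from safehausTokenPin and
#    safehausActivationKey.  With a substring rule declared, a principal that
#    may *search* (but not read) the attribute can recover the value one
#    character at a time with filters such as (safehausTokenPin=1*).
#    Equality matching is kept so exact lookups keep working.  safehausSecret
#    already declared no matching rules at all and is unchanged.
#
#  * safehausDisabled has Boolean syntax (1.3.6.1.4.1.1466.115.121.1.7) but was
#    declared with IA5-string equality/substring rules.  It now uses booleanMatch
#    (the equality rule defined for Boolean syntax) and no substring rule.
#
# OID layout: 1.2.6.1.4.1.22555.1.1.1.3.* are attribute types,
#             1.2.6.1.4.1.22555.1.1.1.4.* are object classes.
#             .1xx = user/profile entities, .2xx = policy entities.
#
# -----------------------------------------------------------------------------

# Safehaus user id. Inherits syntax and matching rules from 'uid' (core).
attributetype ( 1.2.6.1.4.1.22555.1.1.1.3.100
    NAME 'safehausUid'
    DESC 'A safehaus user id'
    SUP uid
    SINGLE-VALUE )

# Domain/realm the account belongs to (case-insensitive IA5 string).
attributetype ( 1.2.6.1.4.1.22555.1.1.1.3.101
    NAME 'safehausRealm'
    DESC 'The domain/realm name of the safehaus user account'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE )

# Shared secret, opaque bytes (Octet String).  Deliberately declares no
# EQUALITY/SUBSTR rule, so it cannot be probed through search filters; keep it
# that way.  Access must be restricted by ACL (see header notes).
attributetype ( 1.2.6.1.4.1.22555.1.1.1.3.102
    NAME 'safehausSecret'
    DESC 'The shared secret for the Safehaus user'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
    SINGLE-VALUE )

# Shared moving factor (Integer).  NOTE(review): presumably the counter of an
# HOTP-style scheme shared with the mobile token -- confirm against the
# authenticator code before relying on that.
attributetype ( 1.2.6.1.4.1.22555.1.1.1.3.103
    NAME 'safehausFactor'
    DESC 'The shared moving factor for the Safehaus user'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

# Free-form, multi-valued account information.
attributetype ( 1.2.6.1.4.1.22555.1.1.1.3.104
    NAME 'safehausInfo'
    DESC 'Additional information about a Safehaus account'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# Single-valued label for the account.  NOTE(review): the DESC is a copy of
# safehausInfo's and does not describe a label; the attribute's real meaning is
# not established by this file -- update DESC once confirmed.
attributetype ( 1.2.6.1.4.1.22555.1.1.1.3.105
    NAME 'safehausLabel'
    DESC 'Additional information about a Safehaus account'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE )

# Number of successful resynchronisations performed so far (Integer).
attributetype ( 1.2.6.1.4.1.22555.1.1.1.3.106
    NAME 'safehausResynchCount'
    DESC 'The number of successful resync attempts so far'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

# Authentication-failure counter used for lockout decisions (Integer).  The
# lockout threshold and the epoch length are not defined in this schema.
attributetype ( 1.2.6.1.4.1.22555.1.1.1.3.107
    NAME 'safehausFailuresInEpoch'
    DESC 'The number of authentication failures within an epoch used for lockouts'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

# Operational tombstone marker: server-maintained (NO-USER-MODIFICATION,
# USAGE directoryOperation), so clients cannot set or clear it directly.
attributetype ( 1.2.6.1.4.1.22555.1.1.1.3.108
    NAME 'safehausDeleted'
    DESC 'An operational marker attribute for labelling an entry as deleted'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE
    NO-USER-MODIFICATION
    USAGE directoryOperation )

# Activation key; its presence means the account is not yet active.  This is a
# secret: no SUBSTR rule (see header notes), ACL-protect it, and remove it once
# the account is activated so it cannot be replayed.
attributetype ( 1.2.6.1.4.1.22555.1.1.1.3.109
    NAME 'safehausActivationKey'
    DESC 'Activation key for safehaus accounts which if present means the account is not active'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# Optional display-name override for the hauskeys midlet.
attributetype ( 1.2.6.1.4.1.22555.1.1.1.3.110
    NAME 'safehausMidletName'
    DESC 'Optional name override for the hauskeys midlet'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# Notification mechanism for the user (the set of valid values is not
# constrained by the schema).
attributetype ( 1.2.6.1.4.1.22555.1.1.1.3.111
    NAME 'safehausNotifyBy'
    DESC 'Mechanism used to notify the user'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# Mobile carrier of the user's phone.
attributetype ( 1.2.6.1.4.1.22555.1.1.1.3.112
    NAME 'safehausMobileCarrier'
    DESC 'The mobile carrier for the cell phone of the user'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# Mobile token PIN.  Secret: no SUBSTR rule (see header notes) and ACL-protect
# it.  NOTE(review): the IA5 syntax does not constrain how the value is stored;
# verify that the application stores a salted hash / KDF output rather than the
# raw PIN, and note the PIN is not declared SINGLE-VALUE here.
attributetype ( 1.2.6.1.4.1.22555.1.1.1.3.113
    NAME 'safehausTokenPin'
    DESC 'The mobile token pin for the hauskeys application'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# Disable flag for accounts and policy profiles.  Boolean syntax, so the
# matching rule is booleanMatch; substring matching has no meaning here.
attributetype ( 1.2.6.1.4.1.22555.1.1.1.3.114
    NAME 'safehausDisabled'
    DESC 'Used to disable user accounts and policyProfiles'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )

# Auxiliary class carrying the full authentication profile of a user.  Note
# that safehausSecret and safehausTokenPin are mandatory, so every entry of
# this class holds credential material and needs the ACLs described above.
objectclass ( 1.2.6.1.4.1.22555.1.1.1.4.100
    NAME 'safehausProfile'
    SUP top
    AUXILIARY
    MUST ( safehausUid $ safehausRealm $ safehausLabel $ safehausSecret $
           safehausFactor $ safehausResynchCount $ safehausFailuresInEpoch $
           safehausNotifyBy $ safehausTokenPin )
    MAY ( safehausInfo $ safehausActivationKey $ safehausMidletName $
          safehausDisabled ) )

# -----------------------------------------------------------------------------
# Safehaus Policy Entities
# -----------------------------------------------------------------------------
#
# NOTE(review): 'user', 'roles', 'grants' and 'denials' are unprefixed names in
# the directory's global attribute namespace and may collide with other
# schemas loaded on the same server.  They are left unchanged because renaming
# would break existing entries; prefix new attributes going forward.
#
# NOTE(review): the policy attributes pair caseExactMatch with IA5 String
# syntax; the IA5-specific rule is caseExactIA5Match and strict servers may
# reject the combination -- confirm against the target directory.

# Name of an application whose policy is managed by triplesec (case-sensitive).
attributetype ( 1.2.6.1.4.1.22555.1.1.1.3.200
    NAME 'appName'
    DESC 'the name of an application whose policy is managed by triplesec'
    EQUALITY caseExactMatch
    SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE )

# Structural class for an application entry.  userPassword here is the
# application's own credential; ACL-protect it like any other password.
objectclass ( 1.2.6.1.4.1.22555.1.1.1.4.200
    NAME 'policyApplication'
    SUP top
    STRUCTURAL
    MUST ( appName )
    MAY ( userPassword $ description ) )

# Auxiliary class marking an entry as a policy-store user.
objectclass ( 1.2.6.1.4.1.22555.1.1.1.4.201
    NAME 'policyUser'
    SUP top
    AUXILIARY
    MUST ( uid )
    MAY ( userPassword $ description $ safehausDisabled ) )

# Case-sensitive permission name.
attributetype ( 1.2.6.1.4.1.22555.1.1.1.3.201
    NAME 'permName'
    DESC 'the case sensitive name of a permission within the system'
    EQUALITY caseExactMatch
    SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE )

# Auxiliary class for a permission entry.
objectclass ( 1.2.6.1.4.1.22555.1.1.1.4.202
    NAME 'policyPermission'
    SUP top
    AUXILIARY
    MUST ( permName )
    MAY ( description ) )

# Permissions granted to a role or profile (multi-valued).
attributetype ( 1.2.6.1.4.1.22555.1.1.1.3.202
    NAME 'grants'
    DESC 'the permissions granted to a role or a profile'
    EQUALITY caseExactMatch
    SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# Permissions explicitly denied for a profile (multi-valued).  How denials are
# ordered against grants/roles is decided by the policy engine, not the schema.
attributetype ( 1.2.6.1.4.1.22555.1.1.1.3.203
    NAME 'denials'
    DESC 'the permissions denied for a profile'
    EQUALITY caseExactMatch
    SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# Role name (case-sensitive, single-valued).
attributetype ( 1.2.6.1.4.1.22555.1.1.1.3.204
    NAME 'roleName'
    DESC 'the name of a role'
    EQUALITY caseExactMatch
    SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE )

# Roles assigned to a profile (multi-valued).
attributetype ( 1.2.6.1.4.1.22555.1.1.1.3.205
    NAME 'roles'
    DESC 'the roles assigned to a profile'
    EQUALITY caseExactMatch
    SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# Profile identifier (single-valued).
attributetype ( 1.2.6.1.4.1.22555.1.1.1.3.206
    NAME 'profileId'
    DESC 'a profile identifier'
    EQUALITY caseExactMatch
    SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE )

# Name of the policy-store user a profile belongs to (single-valued).
attributetype ( 1.2.6.1.4.1.22555.1.1.1.3.207
    NAME 'user'
    DESC 'the name of a user defined in the policy store'
    EQUALITY caseExactMatch
    SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE )

# Auxiliary class for a role entry.
objectclass ( 1.2.6.1.4.1.22555.1.1.1.4.203
    NAME 'policyRole'
    SUP top
    AUXILIARY
    MUST ( roleName )
    MAY ( grants $ description ) )

# Auxiliary class for a profile: binds a user to its grants, denials and roles.
objectclass ( 1.2.6.1.4.1.22555.1.1.1.4.204
    NAME 'policyProfile'
    SUP top
    AUXILIARY
    MUST ( profileId $ user )
    MAY ( grants $ denials $ roles $ userPassword $ description $
          safehausDisabled ) )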