Refactored ldap::server class.

2012-03-13 14:50:00 +02:00 · 2012-03-13 14:50:00 +02:00 · 756cbeb4f5
commit 756cbeb4f5
parent 742008eee8
8 changed files with 4051 additions and 58 deletions
--- a/ldap/files/core.schema
+++ b/ldap/files/core.schema
@ -0,0 +1,610 @@
+# OpenLDAP Core schema
+# $OpenLDAP: pkg/ldap/servers/slapd/schema/core.schema,v 1.88.2.8 2010/04/13 20:23:48 kurt Exp $
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2010 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+#
+## Portions Copyright (C) The Internet Society (1997-2006).
+## All Rights Reserved.
+##
+## This document and translations of it may be copied and furnished to
+## others, and derivative works that comment on or otherwise explain it
+## or assist in its implementation may be prepared, copied, published
+## and distributed, in whole or in part, without restriction of any
+## kind, provided that the above copyright notice and this paragraph are
+## included on all such copies and derivative works.  However, this
+## document itself may not be modified in any way, such as by removing
+## the copyright notice or references to the Internet Society or other
+## Internet organizations, except as needed for the purpose of
+## developing Internet standards in which case the procedures for
+## copyrights defined in the Internet Standards process must be         
+## followed, or as required to translate it into languages other than
+## English.
+##                                                                      
+## The limited permissions granted above are perpetual and will not be  
+## revoked by the Internet Society or its successors or assigns.        
+## 
+## This document and the information contained herein is provided on an 
+## "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+## TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+## BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+## HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+## MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+#
+#
+# Includes LDAPv3 schema items from:
+#	RFC 2252/2256 (LDAPv3)
+#
+# Select standard track schema items:
+#	RFC 1274 (uid/dc)
+#	RFC 2079 (URI)
+#	RFC 2247 (dc/dcObject)
+#	RFC 2587 (PKI)
+#	RFC 2589 (Dynamic Directory Services)
+#	RFC 4524 (associatedDomain)
+#
+# Select informational schema items:
+#	RFC 2377 (uidObject)
+
+#
+# Standard attribute types from RFC 2256
+#
+
+# system schema
+#attributetype ( 2.5.4.0 NAME 'objectClass'
+#	DESC 'RFC2256: object classes of the entity'
+#	EQUALITY objectIdentifierMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
+
+# system schema
+#attributetype ( 2.5.4.1 NAME ( 'aliasedObjectName' 'aliasedEntryName' )
+#	DESC 'RFC2256: name of aliased object'
+#	EQUALITY distinguishedNameMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
+
+attributetype ( 2.5.4.2 NAME 'knowledgeInformation'
+	DESC 'RFC2256: knowledge information'
+	EQUALITY caseIgnoreMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
+
+# system schema
+#attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' )
+#	DESC 'RFC2256: common name(s) for which the entity is known by'
+#	SUP name )
+
+attributetype ( 2.5.4.4 NAME ( 'sn' 'surname' )
+	DESC 'RFC2256: last (family) name(s) for which the entity is known by'
+	SUP name )
+
+attributetype ( 2.5.4.5 NAME 'serialNumber'
+	DESC 'RFC2256: serial number of the entity'
+	EQUALITY caseIgnoreMatch
+	SUBSTR caseIgnoreSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )
+
+# RFC 4519 definition ('countryName' in X.500 and RFC2256)
+attributetype ( 2.5.4.6 NAME ( 'c' 'countryName' )
+	DESC 'RFC4519: two-letter ISO-3166 country code'
+	SUP name
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.11
+	SINGLE-VALUE )
+
+#attributetype ( 2.5.4.6 NAME ( 'c' 'countryName' )
+#	DESC 'RFC2256: ISO-3166 country 2-letter code'
+#	SUP name SINGLE-VALUE )
+
+attributetype ( 2.5.4.7 NAME ( 'l' 'localityName' )
+	DESC 'RFC2256: locality which this object resides in'
+	SUP name )
+
+attributetype ( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' )
+	DESC 'RFC2256: state or province which this object resides in'
+	SUP name )
+
+attributetype ( 2.5.4.9 NAME ( 'street' 'streetAddress' )
+	DESC 'RFC2256: street address of this object'
+	EQUALITY caseIgnoreMatch
+	SUBSTR caseIgnoreSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+
+attributetype ( 2.5.4.10 NAME ( 'o' 'organizationName' )
+	DESC 'RFC2256: organization this object belongs to'
+	SUP name )
+
+attributetype ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' )
+	DESC 'RFC2256: organizational unit this object belongs to'
+	SUP name )
+
+attributetype ( 2.5.4.12 NAME 'title'
+	DESC 'RFC2256: title associated with the entity'
+	SUP name )
+
+# system schema
+#attributetype ( 2.5.4.13 NAME 'description'
+#	DESC 'RFC2256: descriptive information'
+#	EQUALITY caseIgnoreMatch
+#	SUBSTR caseIgnoreSubstringsMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
+
+# Deprecated by enhancedSearchGuide
+attributetype ( 2.5.4.14 NAME 'searchGuide'
+	DESC 'RFC2256: search guide, deprecated by enhancedSearchGuide'
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )
+
+attributetype ( 2.5.4.15 NAME 'businessCategory'
+	DESC 'RFC2256: business category'
+	EQUALITY caseIgnoreMatch
+	SUBSTR caseIgnoreSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+
+attributetype ( 2.5.4.16 NAME 'postalAddress'
+	DESC 'RFC2256: postal address'
+	EQUALITY caseIgnoreListMatch
+	SUBSTR caseIgnoreListSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
+
+attributetype ( 2.5.4.17 NAME 'postalCode'
+	DESC 'RFC2256: postal code'
+	EQUALITY caseIgnoreMatch
+	SUBSTR caseIgnoreSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )
+
+attributetype ( 2.5.4.18 NAME 'postOfficeBox'
+	DESC 'RFC2256: Post Office Box'
+	EQUALITY caseIgnoreMatch
+	SUBSTR caseIgnoreSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )
+
+attributetype ( 2.5.4.19 NAME 'physicalDeliveryOfficeName'
+	DESC 'RFC2256: Physical Delivery Office Name'
+	EQUALITY caseIgnoreMatch
+	SUBSTR caseIgnoreSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+
+attributetype ( 2.5.4.20 NAME 'telephoneNumber'
+	DESC 'RFC2256: Telephone Number'
+	EQUALITY telephoneNumberMatch
+	SUBSTR telephoneNumberSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )
+
+attributetype ( 2.5.4.21 NAME 'telexNumber'
+	DESC 'RFC2256: Telex Number'
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )
+
+attributetype ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
+	DESC 'RFC2256: Teletex Terminal Identifier'
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )
+
+attributetype ( 2.5.4.23 NAME ( 'facsimileTelephoneNumber' 'fax' )
+	DESC 'RFC2256: Facsimile (Fax) Telephone Number'
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )
+
+attributetype ( 2.5.4.24 NAME 'x121Address'
+	DESC 'RFC2256: X.121 Address'
+	EQUALITY numericStringMatch
+	SUBSTR numericStringSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} )
+
+attributetype ( 2.5.4.25 NAME 'internationaliSDNNumber'
+	DESC 'RFC2256: international ISDN number'
+	EQUALITY numericStringMatch
+	SUBSTR numericStringSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} )
+
+attributetype ( 2.5.4.26 NAME 'registeredAddress'
+	DESC 'RFC2256: registered postal address'
+	SUP postalAddress
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
+
+attributetype ( 2.5.4.27 NAME 'destinationIndicator'
+	DESC 'RFC2256: destination indicator'
+	EQUALITY caseIgnoreMatch
+	SUBSTR caseIgnoreSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )
+
+attributetype ( 2.5.4.28 NAME 'preferredDeliveryMethod'
+	DESC 'RFC2256: preferred delivery method'
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
+	SINGLE-VALUE )
+
+attributetype ( 2.5.4.29 NAME 'presentationAddress'
+	DESC 'RFC2256: presentation address'
+	EQUALITY presentationAddressMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.43
+	SINGLE-VALUE )
+
+attributetype ( 2.5.4.30 NAME 'supportedApplicationContext'
+	DESC 'RFC2256: supported application context'
+	EQUALITY objectIdentifierMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
+
+attributetype ( 2.5.4.31 NAME 'member'
+	DESC 'RFC2256: member of a group'
+	SUP distinguishedName )
+
+attributetype ( 2.5.4.32 NAME 'owner'
+	DESC 'RFC2256: owner (of the object)'
+	SUP distinguishedName )
+
+attributetype ( 2.5.4.33 NAME 'roleOccupant'
+	DESC 'RFC2256: occupant of role'
+	SUP distinguishedName )
+
+# system schema
+#attributetype ( 2.5.4.34 NAME 'seeAlso'
+#	DESC 'RFC2256: DN of related object'
+#	SUP distinguishedName )
+
+# system schema
+#attributetype ( 2.5.4.35 NAME 'userPassword'
+#	DESC 'RFC2256/2307: password of user'
+#	EQUALITY octetStringMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
+
+# Must be transferred using ;binary
+# with certificateExactMatch rule (per X.509)
+attributetype ( 2.5.4.36 NAME 'userCertificate'
+	DESC 'RFC2256: X.509 user certificate, use ;binary'
+	EQUALITY certificateExactMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
+
+# Must be transferred using ;binary
+# with certificateExactMatch rule (per X.509)
+attributetype ( 2.5.4.37 NAME 'cACertificate'
+	DESC 'RFC2256: X.509 CA certificate, use ;binary'
+	EQUALITY certificateExactMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
+
+# Must be transferred using ;binary
+attributetype ( 2.5.4.38 NAME 'authorityRevocationList'
+	DESC 'RFC2256: X.509 authority revocation list, use ;binary'
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
+
+# Must be transferred using ;binary
+attributetype ( 2.5.4.39 NAME 'certificateRevocationList'
+	DESC 'RFC2256: X.509 certificate revocation list, use ;binary'
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
+
+# Must be stored and requested in the binary form
+attributetype ( 2.5.4.40 NAME 'crossCertificatePair'
+	DESC 'RFC2256: X.509 cross certificate pair, use ;binary'
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 )
+
+# system schema
+#attributetype ( 2.5.4.41 NAME 'name'
+#	EQUALITY caseIgnoreMatch
+#	SUBSTR caseIgnoreSubstringsMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
+
+attributetype ( 2.5.4.42 NAME ( 'givenName' 'gn' )
+	DESC 'RFC2256: first name(s) for which the entity is known by'
+	SUP name )
+
+attributetype ( 2.5.4.43 NAME 'initials'
+	DESC 'RFC2256: initials of some or all of names, but not the surname(s).'
+	SUP name )
+
+attributetype ( 2.5.4.44 NAME 'generationQualifier'
+	DESC 'RFC2256: name qualifier indicating a generation'
+	SUP name )
+
+attributetype ( 2.5.4.45 NAME 'x500UniqueIdentifier'
+	DESC 'RFC2256: X.500 unique identifier'
+	EQUALITY bitStringMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )
+
+attributetype ( 2.5.4.46 NAME 'dnQualifier'
+	DESC 'RFC2256: DN qualifier'
+	EQUALITY caseIgnoreMatch
+	ORDERING caseIgnoreOrderingMatch
+	SUBSTR caseIgnoreSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
+
+attributetype ( 2.5.4.47 NAME 'enhancedSearchGuide'
+	DESC 'RFC2256: enhanced search guide'
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )
+
+attributetype ( 2.5.4.48 NAME 'protocolInformation'
+	DESC 'RFC2256: protocol information'
+	EQUALITY protocolInformationMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 )
+
+# system schema
+#attributetype ( 2.5.4.49 NAME 'distinguishedName'
+#	EQUALITY distinguishedNameMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+
+attributetype ( 2.5.4.50 NAME 'uniqueMember'
+	DESC 'RFC2256: unique member of a group'
+	EQUALITY uniqueMemberMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )
+
+attributetype ( 2.5.4.51 NAME 'houseIdentifier'
+	DESC 'RFC2256: house identifier'
+	EQUALITY caseIgnoreMatch
+	SUBSTR caseIgnoreSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
+
+# Must be transferred using ;binary
+attributetype ( 2.5.4.52 NAME 'supportedAlgorithms'
+	DESC 'RFC2256: supported algorithms'
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 )
+
+# Must be transferred using ;binary
+attributetype ( 2.5.4.53 NAME 'deltaRevocationList'
+	DESC 'RFC2256: delta revocation list; use ;binary'
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
+
+attributetype ( 2.5.4.54 NAME 'dmdName'
+	DESC 'RFC2256: name of DMD'
+	SUP name )
+
+attributetype ( 2.5.4.65 NAME 'pseudonym'
+	DESC 'X.520(4th): pseudonym for the object'
+	SUP name )
+
+# Standard object classes from RFC2256
+
+# system schema
+#objectclass ( 2.5.6.0 NAME 'top'
+#	DESC 'RFC2256: top of the superclass chain'
+#	ABSTRACT
+#	MUST objectClass )
+
+# system schema
+#objectclass ( 2.5.6.1 NAME 'alias'
+#	DESC 'RFC2256: an alias'
+#	SUP top STRUCTURAL
+#	MUST aliasedObjectName )
+
+objectclass ( 2.5.6.2 NAME 'country'
+	DESC 'RFC2256: a country'
+	SUP top STRUCTURAL
+	MUST c
+	MAY ( searchGuide $ description ) )
+
+objectclass ( 2.5.6.3 NAME 'locality'
+	DESC 'RFC2256: a locality'
+	SUP top STRUCTURAL
+	MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) )
+
+objectclass ( 2.5.6.4 NAME 'organization'
+	DESC 'RFC2256: an organization'
+	SUP top STRUCTURAL
+	MUST o
+	MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
+		x121Address $ registeredAddress $ destinationIndicator $
+		preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
+		telephoneNumber $ internationaliSDNNumber $ 
+		facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
+		postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )
+
+objectclass ( 2.5.6.5 NAME 'organizationalUnit'
+	DESC 'RFC2256: an organizational unit'
+	SUP top STRUCTURAL
+	MUST ou
+	MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
+		x121Address $ registeredAddress $ destinationIndicator $
+		preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
+		telephoneNumber $ internationaliSDNNumber $
+		facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
+		postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )
+
+objectclass ( 2.5.6.6 NAME 'person'
+	DESC 'RFC2256: a person'
+	SUP top STRUCTURAL
+	MUST ( sn $ cn )
+	MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
+
+objectclass ( 2.5.6.7 NAME 'organizationalPerson'
+	DESC 'RFC2256: an organizational person'
+	SUP person STRUCTURAL
+	MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $
+		preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
+		telephoneNumber $ internationaliSDNNumber $ 
+		facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
+		postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l ) )
+
+objectclass ( 2.5.6.8 NAME 'organizationalRole'
+	DESC 'RFC2256: an organizational role'
+	SUP top STRUCTURAL
+	MUST cn
+	MAY ( x121Address $ registeredAddress $ destinationIndicator $
+		preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
+		telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
+		seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $
+		postOfficeBox $ postalCode $ postalAddress $
+		physicalDeliveryOfficeName $ ou $ st $ l $ description ) )
+
+objectclass ( 2.5.6.9 NAME 'groupOfNames'
+	DESC 'RFC2256: a group of names (DNs)'
+	SUP top STRUCTURAL
+	MUST ( member $ cn )
+	MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
+
+objectclass ( 2.5.6.10 NAME 'residentialPerson'
+	DESC 'RFC2256: an residential person'
+	SUP person STRUCTURAL
+	MUST l
+	MAY ( businessCategory $ x121Address $ registeredAddress $
+		destinationIndicator $ preferredDeliveryMethod $ telexNumber $
+		teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $
+		facsimileTelephoneNumber $ preferredDeliveryMethod $ street $
+		postOfficeBox $ postalCode $ postalAddress $
+		physicalDeliveryOfficeName $ st $ l ) )
+
+objectclass ( 2.5.6.11 NAME 'applicationProcess'
+	DESC 'RFC2256: an application process'
+	SUP top STRUCTURAL
+	MUST cn
+	MAY ( seeAlso $ ou $ l $ description ) )
+
+objectclass ( 2.5.6.12 NAME 'applicationEntity'
+	DESC 'RFC2256: an application entity'
+	SUP top STRUCTURAL
+	MUST ( presentationAddress $ cn )
+	MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $
+	description ) )
+
+objectclass ( 2.5.6.13 NAME 'dSA'
+	DESC 'RFC2256: a directory system agent (a server)'
+	SUP applicationEntity STRUCTURAL
+	MAY knowledgeInformation )
+
+objectclass ( 2.5.6.14 NAME 'device'
+	DESC 'RFC2256: a device'
+	SUP top STRUCTURAL
+	MUST cn
+	MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )
+
+objectclass ( 2.5.6.15 NAME 'strongAuthenticationUser'
+	DESC 'RFC2256: a strong authentication user'
+	SUP top AUXILIARY
+	MUST userCertificate )
+
+objectclass ( 2.5.6.16 NAME 'certificationAuthority'
+	DESC 'RFC2256: a certificate authority'
+	SUP top AUXILIARY
+	MUST ( authorityRevocationList $ certificateRevocationList $
+		cACertificate ) MAY crossCertificatePair )
+
+objectclass ( 2.5.6.17 NAME 'groupOfUniqueNames'
+	DESC 'RFC2256: a group of unique names (DN and Unique Identifier)'
+	SUP top STRUCTURAL
+	MUST ( uniqueMember $ cn )
+	MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
+
+objectclass ( 2.5.6.18 NAME 'userSecurityInformation'
+	DESC 'RFC2256: a user security information'
+	SUP top AUXILIARY
+	MAY ( supportedAlgorithms ) )
+
+objectclass ( 2.5.6.16.2 NAME 'certificationAuthority-V2'
+	SUP certificationAuthority
+	AUXILIARY MAY ( deltaRevocationList ) )
+
+objectclass ( 2.5.6.19 NAME 'cRLDistributionPoint'
+	SUP top STRUCTURAL
+	MUST ( cn )
+	MAY ( certificateRevocationList $ authorityRevocationList $
+		deltaRevocationList ) )
+
+objectclass ( 2.5.6.20 NAME 'dmd'
+	SUP top STRUCTURAL
+	MUST ( dmdName )
+	MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
+		x121Address $ registeredAddress $ destinationIndicator $
+		preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
+		telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
+		street $ postOfficeBox $ postalCode $ postalAddress $
+		physicalDeliveryOfficeName $ st $ l $ description ) )
+
+#
+# Object Classes from RFC 2587
+#
+objectclass ( 2.5.6.21 NAME 'pkiUser'
+	DESC 'RFC2587: a PKI user'
+	SUP top AUXILIARY
+	MAY userCertificate )
+
+objectclass ( 2.5.6.22 NAME 'pkiCA'
+	DESC 'RFC2587: PKI certificate authority'
+	SUP top AUXILIARY
+	MAY ( authorityRevocationList $ certificateRevocationList $
+		cACertificate $ crossCertificatePair ) )
+
+objectclass ( 2.5.6.23 NAME 'deltaCRL'
+	DESC 'RFC2587: PKI user'
+	SUP top AUXILIARY
+	MAY deltaRevocationList )
+
+#
+# Standard Track URI label schema from RFC 2079
+# system schema
+#attributetype ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI'
+#	DESC 'RFC2079: Uniform Resource Identifier with optional label'
+#	EQUALITY caseExactMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+objectclass ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject'
+	DESC 'RFC2079: object that contains the URI attribute type'
+	SUP top AUXILIARY
+	MAY ( labeledURI ) )
+
+#
+# Derived from RFC 1274, but with new "short names"
+#
+#attributetype ( 0.9.2342.19200300.100.1.1
+#	NAME ( 'uid' 'userid' )
+#	DESC 'RFC1274: user identifier'
+#	EQUALITY caseIgnoreMatch
+#	SUBSTR caseIgnoreSubstringsMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+attributetype ( 0.9.2342.19200300.100.1.3
+	NAME ( 'mail' 'rfc822Mailbox' )
+	DESC 'RFC1274: RFC822 Mailbox'
+    EQUALITY caseIgnoreIA5Match
+    SUBSTR caseIgnoreIA5SubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+
+objectclass ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject'
+	DESC 'RFC1274: simple security object'
+	SUP top AUXILIARY
+	MUST userPassword )
+
+# RFC 1274 + RFC 2247
+attributetype ( 0.9.2342.19200300.100.1.25
+	NAME ( 'dc' 'domainComponent' )
+	DESC 'RFC1274/2247: domain component'
+	EQUALITY caseIgnoreIA5Match
+	SUBSTR caseIgnoreIA5SubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+# RFC 2247
+objectclass ( 1.3.6.1.4.1.1466.344 NAME 'dcObject'
+	DESC 'RFC2247: domain component object'
+	SUP top AUXILIARY MUST dc )
+
+# RFC 2377
+objectclass ( 1.3.6.1.1.3.1 NAME 'uidObject'
+	DESC 'RFC2377: uid object'
+	SUP top AUXILIARY MUST uid )
+
+# RFC 4524
+#   The 'associatedDomain' attribute specifies DNS [RFC1034][RFC2181]
+#   host names [RFC1123] that are associated with an object.   That is,
+#   values of this attribute should conform to the following ABNF:
+#
+#    domain = root / label *( DOT label )
+#    root   = SPACE
+#    label  = LETDIG [ *61( LETDIG / HYPHEN ) LETDIG ]
+#    LETDIG = %x30-39 / %x41-5A / %x61-7A ; "0" - "9" / "A"-"Z" / "a"-"z"
+#    SPACE  = %x20                        ; space (" ")
+#    HYPHEN = %x2D                        ; hyphen ("-")
+#    DOT    = %x2E                        ; period (".")
+attributetype ( 0.9.2342.19200300.100.1.37
+	NAME 'associatedDomain'
+	DESC 'RFC1274: domain associated with object'
+	EQUALITY caseIgnoreIA5Match
+	SUBSTR caseIgnoreIA5SubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+# RFC 2459 -- deprecated in favor of 'mail' (in cosine.schema)
+attributetype ( 1.2.840.113549.1.9.1
+	NAME ( 'email' 'emailAddress' 'pkcs9email' )
+	DESC 'RFC3280: legacy attribute for email addresses in DNs'
+	EQUALITY caseIgnoreIA5Match
+	SUBSTR caseIgnoreIA5SubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
+
--- a/ldap/files/cosine.schema
+++ b/ldap/files/cosine.schema
--- a/ldap/files/ppolicy.schema
+++ b/ldap/files/ppolicy.schema
@ -0,0 +1,531 @@
+# $OpenLDAP: pkg/ldap/servers/slapd/schema/ppolicy.schema,v 1.7.2.5 2010/04/13 20:23:49 kurt Exp $
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 2004-2010 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+#
+## Portions Copyright (C) The Internet Society (2004).
+## Please see full copyright statement below.
+
+# Definitions from Draft behera-ldap-password-policy-07 (a work in progress)
+#	Password Policy for LDAP Directories
+# With extensions from Hewlett-Packard:
+#	pwdCheckModule etc.
+
+# Contents of this file are subject to change (including deletion)
+# without notice.
+#
+# Not recommended for production use!
+# Use with extreme caution!
+
+#Network Working Group                                     J. Sermersheim
+#Internet-Draft                                               Novell, Inc
+#Expires: April 24, 2005                                        L. Poitou
+#                                                        Sun Microsystems
+#                                                        October 24, 2004
+#
+#
+#                  Password Policy for LDAP Directories
+#                draft-behera-ldap-password-policy-08.txt
+#
+#Status of this Memo
+#
+#   This document is an Internet-Draft and is subject to all provisions
+#   of section 3 of RFC 3667.  By submitting this Internet-Draft, each
+#   author represents that any applicable patent or other IPR claims of
+#   which he or she is aware have been or will be disclosed, and any of
+#   which he or she become aware will be disclosed, in accordance with
+#   RFC 3668.
+#
+#   Internet-Drafts are working documents of the Internet Engineering
+#   Task Force (IETF), its areas, and its working groups.  Note that
+#   other groups may also distribute working documents as
+#   Internet-Drafts.
+#
+#   Internet-Drafts are draft documents valid for a maximum of six months
+#   and may be updated, replaced, or obsoleted by other documents at any
+#   time.  It is inappropriate to use Internet-Drafts as reference
+#   material or to cite them other than as "work in progress."
+#
+#   The list of current Internet-Drafts can be accessed at
+#   http://www.ietf.org/ietf/1id-abstracts.txt.
+#
+#   The list of Internet-Draft Shadow Directories can be accessed at
+#   http://www.ietf.org/shadow.html.
+#
+#   This Internet-Draft will expire on April 24, 2005.
+#
+#Copyright Notice
+#
+#   Copyright (C) The Internet Society (2004).
+#
+#Abstract
+#
+#   Password policy as described in this document is a set of rules that
+#   controls how passwords are used and administered in Lightweight
+#   Directory Access Protocol (LDAP) based directories.  In order to
+#   improve the security of LDAP directories and make it difficult for
+#   password cracking programs to break into directories, it is desirable
+#   to enforce a set of rules on password usage.  These rules are made to
+#
+#  [trimmed]
+#
+#5.  Schema used for Password Policy
+#
+#   The schema elements defined here fall into two general categories.  A
+#   password policy object class is defined which contains a set of
+#   administrative password policy attributes, and a set of operational
+#   attributes are defined that hold general password policy state
+#   information for each user.
+#
+#5.2  Attribute Types used in the pwdPolicy ObjectClass
+#
+#   Following are the attribute types used by the pwdPolicy object class.
+#
+#5.2.1  pwdAttribute
+#
+#   This holds the name of the attribute to which the password policy is
+#   applied.  For example, the password policy may be applied to the
+#   userPassword attribute.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1
+      NAME 'pwdAttribute'
+      EQUALITY objectIdentifierMatch
+      SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
+
+#5.2.2  pwdMinAge
+#
+#   This attribute holds the number of seconds that must elapse between
+#   modifications to the password.  If this attribute is not present, 0
+#   seconds is assumed.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2
+      NAME 'pwdMinAge'
+      EQUALITY integerMatch
+      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+      SINGLE-VALUE )
+
+#5.2.3  pwdMaxAge
+#
+#   This attribute holds the number of seconds after which a modified
+#   password will expire.
+#
+#   If this attribute is not present, or if the value is 0 the password
+#   does not expire.  If not 0, the value must be greater than or equal
+#   to the value of the pwdMinAge.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3
+      NAME 'pwdMaxAge'
+      EQUALITY integerMatch
+      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+      SINGLE-VALUE )
+
+#5.2.4  pwdInHistory
+#
+#   This attribute specifies the maximum number of used passwords stored
+#   in the pwdHistory attribute.
+#
+#   If this attribute is not present, or if the value is 0, used
+#   passwords are not stored in the pwdHistory attribute and thus may be
+#   reused.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4
+      NAME 'pwdInHistory'
+      EQUALITY integerMatch
+      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+      SINGLE-VALUE )
+
+#5.2.5  pwdCheckQuality
+#
+#   {TODO: Consider changing the syntax to OID.  Each OID will list a
+#   quality rule (like min len, # of special characters, etc).  These
+#   rules can be specified outsid ethis document.}
+#
+#   {TODO: Note that even though this is meant to be a check that happens
+#   during password modification, it may also be allowed to happen during
+#   authN.  This is useful for situations where the password is encrypted
+#   when modified, but decrypted when used to authN.}
+#
+#   This attribute indicates how the password quality will be verified
+#   while being modified or added.  If this attribute is not present, or
+#   if the value is '0', quality checking will not be enforced.  A value
+#   of '1' indicates that the server will check the quality, and if the
+#   server is unable to check it (due to a hashed password or other
+#   reasons) it will be accepted.  A value of '2' indicates that the
+#   server will check the quality, and if the server is unable to verify
+#   it, it will return an error refusing the password.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5
+      NAME 'pwdCheckQuality'
+      EQUALITY integerMatch
+      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+      SINGLE-VALUE )
+
+#5.2.6  pwdMinLength
+#
+#   When quality checking is enabled, this attribute holds the minimum
+#   number of characters that must be used in a password.  If this
+#   attribute is not present, no minimum password length will be
+#   enforced.  If the server is unable to check the length (due to a
+#   hashed password or otherwise), the server will, depending on the
+#   value of the pwdCheckQuality attribute, either accept the password
+#   without checking it ('0' or '1') or refuse it ('2').
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6
+      NAME 'pwdMinLength'
+      EQUALITY integerMatch
+      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+      SINGLE-VALUE )
+
+#5.2.7  pwdExpireWarning
+#
+#   This attribute specifies the maximum number of seconds before a
+#   password is due to expire that expiration warning messages will be
+#   returned to an authenticating user.
+#
+#   If this attribute is not present, or if the value is 0 no warnings
+#   will be returned.  If not 0, the value must be smaller than the value
+#   of the pwdMaxAge attribute.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7
+      NAME 'pwdExpireWarning'
+      EQUALITY integerMatch
+      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+      SINGLE-VALUE )
+
+#5.2.8  pwdGraceAuthNLimit
+#
+#   This attribute specifies the number of times an expired password can
+#   be used to authenticate.  If this attribute is not present or if the
+#   value is 0, authentication will fail.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8
+      NAME 'pwdGraceAuthNLimit'
+      EQUALITY integerMatch
+      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+      SINGLE-VALUE )
+
+#5.2.9  pwdLockout
+#
+#   This attribute indicates, when its value is "TRUE", that the password
+#   may not be used to authenticate after a specified number of
+#   consecutive failed bind attempts.  The maximum number of consecutive
+#   failed bind attempts is specified in pwdMaxFailure.
+#
+#   If this attribute is not present, or if the value is "FALSE", the
+#   password may be used to authenticate when the number of failed bind
+#   attempts has been reached.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9
+      NAME 'pwdLockout'
+      EQUALITY booleanMatch
+      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+      SINGLE-VALUE )
+
+#5.2.10  pwdLockoutDuration
+#
+#   This attribute holds the number of seconds that the password cannot
+#   be used to authenticate due to too many failed bind attempts.  If
+#   this attribute is not present, or if the value is 0 the password
+#   cannot be used to authenticate until reset by a password
+#   administrator.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10
+      NAME 'pwdLockoutDuration'
+      EQUALITY integerMatch
+      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+      SINGLE-VALUE )
+
+#5.2.11  pwdMaxFailure
+#
+#   This attribute specifies the number of consecutive failed bind
+#   attempts after which the password may not be used to authenticate.
+#   If this attribute is not present, or if the value is 0, this policy
+#   is not checked, and the value of pwdLockout will be ignored.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11
+      NAME 'pwdMaxFailure'
+      EQUALITY integerMatch
+      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+      SINGLE-VALUE )
+
+#5.2.12  pwdFailureCountInterval
+#
+#   This attribute holds the number of seconds after which the password
+#   failures are purged from the failure counter, even though no
+#   successful authentication occurred.
+#
+#   If this attribute is not present, or if its value is 0, the failure
+#   counter is only reset by a successful authentication.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12
+      NAME 'pwdFailureCountInterval'
+      EQUALITY integerMatch
+      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+      SINGLE-VALUE )
+
+#5.2.13  pwdMustChange
+#
+#   This attribute specifies with a value of "TRUE" that users must
+#   change their passwords when they first bind to the directory after a
+#   password is set or reset by a password administrator.  If this
+#   attribute is not present, or if the value is "FALSE", users are not
+#   required to change their password upon binding after the password
+#   administrator sets or resets the password.  This attribute is not set
+#   due to any actions specified by this document, it is typically set by
+#   a password administrator after resetting a user's password.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13
+      NAME 'pwdMustChange'
+      EQUALITY booleanMatch
+      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+      SINGLE-VALUE )
+
+#5.2.14  pwdAllowUserChange
+#
+#   This attribute indicates whether users can change their own
+#   passwords, although the change operation is still subject to access
+#   control.  If this attribute is not present, a value of "TRUE" is
+#   assumed.  This attribute is intended to be used in the absense of an
+#   access control mechanism.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14
+      NAME 'pwdAllowUserChange'
+      EQUALITY booleanMatch
+      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+      SINGLE-VALUE )
+
+#5.2.15  pwdSafeModify
+#
+#   This attribute specifies whether or not the existing password must be
+#   sent along with the new password when being changed.  If this
+#   attribute is not present, a "FALSE" value is assumed.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15
+      NAME 'pwdSafeModify'
+      EQUALITY booleanMatch
+      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+      SINGLE-VALUE )
+
+# HP extensions
+#
+# pwdCheckModule
+#
+#    This attribute names a user-defined loadable module that provides
+#    a check_password() function. If pwdCheckQuality is set to '1' or '2'
+#    this function will be called after all of the internal password
+#    quality checks have been passed. The function has this prototype:
+#
+#    int check_password( char *password, char **errormessage, void *arg )
+#
+#    The function should return LDAP_SUCCESS for a valid password.
+
+attributetype ( 1.3.6.1.4.1.4754.1.99.1
+     NAME 'pwdCheckModule'
+     EQUALITY caseExactIA5Match
+     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+     DESC 'Loadable module that instantiates "check_password() function'
+     SINGLE-VALUE )
+
+objectclass ( 1.3.6.1.4.1.4754.2.99.1
+      NAME 'pwdPolicyChecker'
+      SUP top
+      AUXILIARY
+      MAY ( pwdCheckModule ) )
+
+#5.1  The pwdPolicy Object Class
+#
+#   This object class contains the attributes defining a password policy
+#   in effect for a set of users.  Section 10 describes the
+#   administration of this object, and the relationship between it and
+#   particular objects.
+#
+objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1
+      NAME 'pwdPolicy'
+      SUP top
+      AUXILIARY
+      MUST ( pwdAttribute )
+      MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
+      pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout
+      $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
+      pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )
+
+#5.3  Attribute Types for Password Policy State Information
+#
+#   Password policy state information must be maintained for each user.
+#   The information is located in each user entry as a set of operational
+#   attributes.  These operational attributes are: pwdChangedTime,
+#   pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime,
+#   pwdReset, pwdPolicySubEntry.
+#
+#5.3.1  Password Policy State Attribute Option
+#
+#   Since the password policy could apply to several attributes used to
+#   store passwords, each of the above operational attributes must have
+#   an option to specify which pwdAttribute it applies to.  The password
+#   policy option is defined as the following:
+#
+#   pwd-<passwordAttribute>
+#
+#   where passwordAttribute a string following the OID syntax
+#   (1.3.6.1.4.1.1466.115.121.1.38).  The attribute type descriptor
+#   (short name) MUST be used.
+#
+#   For example, if the pwdPolicy object has for pwdAttribute
+#   "userPassword" then the pwdChangedTime operational attribute, in a
+#   user entry, will be:
+#
+#   pwdChangedTime;pwd-userPassword: 20000103121520Z
+#
+#   This attribute option follows sub-typing semantics.  If a client
+#   requests a password policy state attribute to be returned in a search
+#   operation, and does not specify an option, all subtypes of that
+#   policy state attribute are returned.
+#
+#5.3.2  pwdChangedTime
+#
+#   This attribute specifies the last time the entry's password was
+#   changed.  This is used by the password expiration policy.  If this
+#   attribute does not exist, the password will never expire.
+#
+#      ( 1.3.6.1.4.1.42.2.27.8.1.16
+#      NAME 'pwdChangedTime'
+#      DESC 'The time the password was last changed'
+#      EQUALITY generalizedTimeMatch
+#      ORDERING generalizedTimeOrderingMatch
+#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+#      SINGLE-VALUE
+#      USAGE directoryOperation )
+#
+#5.3.3  pwdAccountLockedTime
+#
+#   This attribute holds the time that the user's account was locked.  A
+#   locked account means that the password may no longer be used to
+#   authenticate.  A 000001010000Z value means that the account has been
+#   locked permanently, and that only a password administrator can unlock
+#   the account.
+#
+#      ( 1.3.6.1.4.1.42.2.27.8.1.17
+#      NAME 'pwdAccountLockedTime'
+#      DESC 'The time an user account was locked'
+#      EQUALITY generalizedTimeMatch
+#      ORDERING generalizedTimeOrderingMatch
+#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+#      SINGLE-VALUE
+#      USAGE directoryOperation )
+#
+#5.3.4  pwdFailureTime
+#
+#   This attribute holds the timestamps of the consecutive authentication
+#   failures.
+#
+#      ( 1.3.6.1.4.1.42.2.27.8.1.19
+#      NAME 'pwdFailureTime'
+#      DESC 'The timestamps of the last consecutive authentication
+#      failures'
+#      EQUALITY generalizedTimeMatch
+#      ORDERING generalizedTimeOrderingMatch
+#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+#      USAGE directoryOperation )
+#
+#5.3.5  pwdHistory
+#
+#   This attribute holds a history of previously used passwords.  Values
+#   of this attribute are transmitted in string format as given by the
+#   following ABNF:
+#
+#   pwdHistory = time "#" syntaxOID "#" length "#" data
+#
+#   time       = <generalizedTimeString as specified in 6.14
+#                 of [RFC2252]>
+#
+#   syntaxOID  = numericoid    ; the string representation of the
+#                              ; dotted-decimal OID that defines the
+#                              ; syntax used to store the password.
+#                              ; numericoid is described in 4.1
+#                              ; of [RFC2252].
+#
+#   length     = numericstring ; the number of octets in data.
+#                              ; numericstring is described in 4.1
+#                              ; of [RFC2252].
+#
+#   data       = <octets representing the password in the format
+#                 specified by syntaxOID>.
+#
+#   This format allows the server to store, and transmit a history of
+#   passwords that have been used.  In order for equality matching to
+#   function properly, the time field needs to adhere to a consistent
+#   format.  For this purpose, the time field MUST be in GMT format.
+#
+#      ( 1.3.6.1.4.1.42.2.27.8.1.20
+#      NAME 'pwdHistory'
+#      DESC 'The history of user s passwords'
+#      EQUALITY octetStringMatch
+#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
+#      USAGE directoryOperation )
+#
+#5.3.6  pwdGraceUseTime
+#
+#   This attribute holds the timestamps of grace authentications after a
+#   password has expired.
+#
+#      ( 1.3.6.1.4.1.42.2.27.8.1.21
+#      NAME 'pwdGraceUseTime'
+#      DESC 'The timestamps of the grace authentication after the
+#      password has expired'
+#      EQUALITY generalizedTimeMatch
+#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+#
+#5.3.7  pwdReset
+#
+#   This attribute holds a flag to indicate (when TRUE) that the password
+#   has been updated by the password administrator and must be changed by
+#   the user on first authentication.
+#
+#      ( 1.3.6.1.4.1.42.2.27.8.1.22
+#      NAME 'pwdReset'
+#      DESC 'The indication that the password has been reset'
+#      EQUALITY booleanMatch
+#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+#      SINGLE-VALUE
+#      USAGE directoryOperation )
+#
+#5.3.8  pwdPolicySubentry
+#
+#   This attribute points to the pwdPolicy subentry in effect for this
+#   object.
+#
+#      ( 1.3.6.1.4.1.42.2.27.8.1.23
+#      NAME 'pwdPolicySubentry'
+#      DESC 'The pwdPolicy subentry in effect for this object'
+#      EQUALITY distinguishedNameMatch
+#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
+#      SINGLE-VALUE
+#      USAGE directoryOperation )
+#
+#
+#Disclaimer of Validity
+#
+#   This document and the information contained herein are provided on an
+#   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+#   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+#   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+#   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+#   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+#   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+#
+#
+#Copyright Statement
+#
+#   Copyright (C) The Internet Society (2004).  This document is subject
+#   to the rights, licenses and restrictions contained in BCP 78, and
+#   except as set forth therein, the authors retain all their rights.
+
--- a/ldap/files/slapd-index.conf
+++ b/ldap/files/slapd-index.conf
@ -0,0 +1,5 @@
+
+index objectClass                       eq,pres
+
+index uid				eq,pres
+index cn				eq,pres,sub