From dbeb409ebd0396ce58102b118452c6e4c6802937 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 10 Aug 2009 10:38:51 -0400
Subject: Include schema for key escrow management

https://fedoraproject.org/wiki/Disk_encryption_key_escrow_in_IPA
---
 install/share/60basev2.ldif    | 6 ++++++
 install/share/60ipaconfig.ldif | 5 ++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

(limited to 'install')

diff --git a/install/share/60basev2.ldif b/install/share/60basev2.ldif
index 03607308b..485f82992 100644
--- a/install/share/60basev2.ldif
+++ b/install/share/60basev2.ldif
@@ -80,3 +80,9 @@ attributeTypes: (2.16.840.1.113730.3.8.5.9 NAME 'idnsSOAminimum' DESC 'SOA minim
 attributeTypes: (2.16.840.1.113730.3.8.5.10 NAME 'idnsUpdatePolicy' DESC 'DNS dynamic updates policy' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( cn $ idnsAllowDynUpdate $ DNSTTL $ DNSClass $ ARecord $ AAAARecord $ A6Record $ NSRecord $ CNAMERecord $ PTRRecord $ SRVRecord $ TXTRecord $ MXRecord $ MDRecord $ HINFORecord $ MINFORecord $ AFSDBRecord $ SIGRecord $ KEYRecord $ LOCRecord $ NXTRecord $ NAPTRRecord $ KXRecord $ CERTRecord $ DNAMERecord $ DSRecord $ SSHFPRecord $ RRSIGRecord $ NSECRecord )
 objectClasses: (2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsName $ idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum) MAY idnsUpdatePolicy
+attributeTypes: (2.16.840.1.113730.3.8.3.44 NAME 'ipaVolumeEscrowPacket' DESC 'An encrypted packet containing a secret used for encrypting the volume' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE )
+attributeTypes: (2.16.840.1.113730.3.8.3.45 NAME 'ipaVolumeHost' DESC 'Link to the host that contains this volume' SUP memberHost SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
+attributeTypes: (2.16.840.1.113730.3.8.3.46 NAME 'ipaVolumeKeySecretType' DESC 'Type of the secret defined in this packet' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
+attributeTypes: (2.16.840.1.113730.3.8.3.47 NAME 'ipaVolumeInfo' DESC 'Information about a volume: NAME:VALUE' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
+attributeTypes: (2.16.840.1.113730.3.8.3.48 NAME 'ipaVolumeKeyObsoletionTimestamp' DESC 'Time when a key was marked as obsolete' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
+objectClasses: (2.16.840.1.113730.3.8.3.49 NAME 'ipaVolumeKey' SUP top STRUCTURAL MUST ( ipaUniqueID $ ipaVolumeHost $ ipaVolumeEscrowPacket ) MAY ( ipaVolumeKeySecretType $ ipaVolumeInfo $ ipaVolumeKeyObsoletionTimestamp ))
diff --git a/install/share/60ipaconfig.ldif b/install/share/60ipaconfig.ldif
index f4edbcc97..b7eb9d7df 100644
--- a/install/share/60ipaconfig.ldif
+++ b/install/share/60ipaconfig.ldif
@@ -34,9 +34,12 @@ attributetypes: ( 2.16.840.1.113730.3.8.1.11 NAME 'ipaUserObjectClasses' SYNTAX
 # ipaGroupObjectClasses - required objectclasses for groups
 attributetypes: ( 2.16.840.1.113730.3.8.1.12 NAME 'ipaGroupObjectClasses' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
 attributetypes: ( 2.16.840.1.113730.3.8.1.13 NAME 'ipaDefaultEmailDomain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
+attributeTypes: ( 2.16.840.1.113730.3.8.3.50 NAME 'ipaObsoleteEscrowPacketLifetime' DESC 'Number of days before an obsolete escrow packet is deleted (if a newer packet for the same volume is available)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
+attributeTypes: (2.16.840.1.113730.3.8.3.51 NAME 'ipaEscrowKeyCertificate' DESC 'Certificate for encrypting escrow packets' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE)
+attributeTypes: (2.16.840.1.113730.3.8.3.52 NAME 'ipaEscrowKey' DESC 'PKCS#12-formatted encrypted certificate and private key for encrypting escrow packets' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5)
 ###############################################
 ##
 ## ObjectClasses
 ##
 ## ipaGuiConfig - GUI config parameters objectclass
-objectClasses: ( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $ ipaGroupSearchFields $ ipaSearchTimeLimit $ ipaSearchRecordsLimit $ ipaCustomFields $ ipaHomesRootDir $ ipaDefaultLoginShell $ ipaDefaultPrimaryGroup $ ipaMaxUsernameLength $ ipaPwdExpAdvNotify $ ipaUserObjectClasses $ ipaGroupObjectClasses $ ipaDefaultEmailDomain) )
+objectClasses: ( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $ ipaGroupSearchFields $ ipaSearchTimeLimit $ ipaSearchRecordsLimit $ ipaCustomFields $ ipaHomesRootDir $ ipaDefaultLoginShell $ ipaDefaultPrimaryGroup $ ipaMaxUsernameLength $ ipaPwdExpAdvNotify $ ipaUserObjectClasses $ ipaGroupObjectClasses $ ipaDefaultEmailDomain $ ipaObsoleteEscrowPacketLifetime $ ipaEscrowKeyCertificate $ ipaEscrowKey) )
-- 
cgit