SecurityRealm implementation that uses LDAP for authentication.
Key Object Classes
Group Membership
Two object classes seem to be relevant. These are in RFC 2256 and core.schema. These use DN for membership,
so it can create a group of anything. I don't know what the difference between these two are.
attributetype ( 2.5.4.31 NAME 'member'
DESC 'RFC2256: member of a group'
SUP distinguishedName )
attributetype ( 2.5.4.50 NAME 'uniqueMember'
DESC 'RFC2256: unique member of a group'
EQUALITY uniqueMemberMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )
objectclass ( 2.5.6.9 NAME 'groupOfNames'
DESC 'RFC2256: a group of names (DNs)'
SUP top STRUCTURAL
MUST ( member $ cn )
MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
objectclass ( 2.5.6.17 NAME 'groupOfUniqueNames'
DESC 'RFC2256: a group of unique names (DN and Unique Identifier)'
SUP top STRUCTURAL
MUST ( uniqueMember $ cn )
MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
This one is from nis.schema, and appears to model POSIX group/user thing more closely.
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
DESC 'Abstraction of a group of accounts'
SUP top STRUCTURAL
MUST ( cn $ gidNumber )
MAY ( userPassword $ memberUid $ description ) )
attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount'
DESC 'Abstraction of an account with POSIX attributes'
SUP top AUXILIARY
MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
MAY ( userPassword $ loginShell $ gecos $ description ) )
attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
DESC 'An integer uniquely identifying a user in an administrative domain'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber'
DESC 'An integer uniquely identifying a group in an administrative domain'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
Active Directory specific schemas (from here).
objectclass ( 1.2.840.113556.1.5.8
NAME 'group'
SUP top
STRUCTURAL
MUST (groupType )
MAY (member $ nTGroupMembers $ operatorCount $ adminCount $
groupAttributes $ groupMembershipSAM $ controlAccessRights $
desktopProfile $ nonSecurityMember $ managedBy $
primaryGroupToken $ mail ) )
objectclass ( 1.2.840.113556.1.5.9
NAME 'user'
SUP organizationalPerson
STRUCTURAL
MAY (userCertificate $ networkAddress $ userAccountControl $
badPwdCount $ codePage $ homeDirectory $ homeDrive $
badPasswordTime $ lastLogoff $ lastLogon $ dBCSPwd $
localeID $ scriptPath $ logonHours $ logonWorkstation $
maxStorage $ userWorkstations $ unicodePwd $
otherLoginWorkstations $ ntPwdHistory $ pwdLastSet $
preferredOU $ primaryGroupID $ userParameters $
profilePath $ operatorCount $ adminCount $ accountExpires $
lmPwdHistory $ groupMembershipSAM $ logonCount $
controlAccessRights $ defaultClassStore $ groupsToIgnore $
groupPriority $ desktopProfile $ dynamicLDAPServer $
userPrincipalName $ lockoutTime $ userSharedFolder $
userSharedFolderOther $ servicePrincipalName $
aCSPolicyName $ terminalServer $ mSMQSignCertificates $
mSMQDigests $ mSMQDigestsMig $ mSMQSignCertificatesMig $
msNPAllowDialin $ msNPCallingStationID $
msNPSavedCallingStationID $ msRADIUSCallbackNumber $
msRADIUSFramedIPAddress $ msRADIUSFramedRoute $
msRADIUSServiceType $ msRASSavedCallbackNumber $
msRASSavedFramedIPAddress $ msRASSavedFramedRoute $
mS-DS-CreatorSID ) )
References
Standard Schemas
The downloadable distribution contains schemas that define the structure of LDAP entries.
Because this is a standard, we expect most LDAP servers out there to use it, although
there are different objectClasses that can be used for similar purposes, and apparently
many deployments choose to use different objectClasses.
RFC 2256
Defines the meaning of several key datatypes used in the schemas with some explanations.
Active Directory schema
More navigable schema list, including core and MS extensions specific to Active Directory.