###################
ACM OID Definitions
###################

The JHU ACM has been allocated an :index:`OID` prefix of
``1.3.6.1.4.1.25929`` for our use. We have defined the following arcs
underneath that prefix:

* 42 ACM LDAP OIDs :ref:`oid-LDAP`

  * 1 Attributes

    * 1 Plan 9 Authentication Secret :ref:`oid-LDAP-P9`
    * 2 Door control record :ref:`oid-LDAP-DOOR`
    * 3 OpenStack User Enabled :ref:`oid-LDAP-OSUSER`

  * 2 Object Classes

    * 1 Plan 9 mixin :ref:`oid-LDAP-P9`
    * 2 Door control mixin :ref:`oid-LDAP-DOOR`
    * 3 OpenStack User mixin :ref:`oid-LDAP-OSUSER`
    * 4 Possibly empty groupOfNames :ref:`oid-LDAP-GONBIS`
    * 5 Kerberos Instance :ref:`oid-LDAP-KRBInst`

  * 3 Syntaxes

* 666 ACM SNMP MIB OIDs :ref:`oid-SNMP`
* 1337 ACM temporary and/or experimental OIDs :ref:`oid-1337`

.. _oid-LDAP:

LDAP
####

In general, LDAP has some shorthands to refer to its names::

    objectIdentifier acmROOT  1.3.6.1.4.1.25929
    objectIdentifier acmLDAP  acmROOT:42
    objectIdentifier acmAttrs acmLDAP:1
    objectIdentifier acmObCls acmLDAP:2
    objectIdentifier acmSyns  acmLDAP:3

.. _oid-LDAP-P9:

LDAP for Plan 9
---------------

Definitions are as follows, in OpenLDAP configuration language::

    attributetype ( acmAttrs:1
        NAME 'jhuacmplan9secret'
        DESC 'Plan 9 Secret cleartext'
        EQUALITY caseExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        SINGLE-VALUE )

    objectclass ( acmObCls:1
        NAME 'jhuacmp9mixin'
        DESC 'Plan 9 mixin object class'
        AUXILIARY
        MAY jhuacmplan9secret )

It is anticipated that ACLs should be given to this attribute along the
lines of::

    access to attrs=jhuacmplan9secret
        by dn="cn=proxyagent,dc=acm,dc=jhu,dc=edu" read
        by anonymous auth
        by self write
        by * none

.. _oid-LDAP-DOOR:

LDAP for Door Control
---------------------

::

    attributetype ( acmAttrs:2
        NAME 'jhuacmDoorCard'
        DESC 'Door swipe entry card hash'
        EQUALITY caseExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

    attributetype ( acmAttrs:4
        NAME 'jhuacmDoorCardComment'
        DESC 'Comments about an an entry\27s jhuacmDoorCards (perhaps to say which one is which card)'
        EQUALITY caseExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

    objectclass ( acmObCls:2
        NAME 'jhuacmDoorMixin'
        DESC 'Door card database entry'
        AUXILIARY
        MAY ( jhuacmDoorCard $ jhuacmDoorCardComment ) )

    attributetype ( acmAttrs:5
        NAME 'jhuacmFelicaIdm'
        DESC 'Janus - card contactless Felica IDm'
        EQUALITY caseExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        SINGLE-VALUE )

    objectclass ( acmObCls:6
        NAME 'jhuacmFelicaMixin'
        DESC 'Janus - card contactless Felica IDm (mixin)'
        AUXILIARY
        MAY ( jhuacmFelicaIdm ) )

.. _oid-LDAP-OSUSER:

LDAP for OpenStack Integration
------------------------------

::

    attributetype ( acmAttrs:3
        NAME 'jhuacmOpenStackEnabled'
        DESC 'Indicates whether an account is enabled for OpenStack'
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

    objectclass ( acmObCls:3
        NAME 'jhuacmOpenStackUser'
        DESC 'Generic holder for user accounts in OpenStack, so as not to mix with posix user accounts'
        AUXILIARY
        MUST ( cn $ uid $ jhuacmOpenStackEnabled )
        MAY description )

.. _oid-LDAP-GONBIS:

LDAP Group Fixup
----------------

::

    objectclass ( acmObCls:4
        NAME 'jhuacmGroupOfNames'
        DESC 'Tweak RFC2256'
        SUP top
        STRUCTURAL
        MUST ( cn )
        MAY ( member $ businessCategory $ seeAlso $ owner $ ou $ o $ description ) )

.. _oid-LDAP-KRBInst:

Kerberos Instance
-----------------

We sometimes want to refer to Kerberos instances as objects in the
database, most often for access control. There does not seem to be a
standard way to do this, so we define our own object class. The mapping
to Kerberos is ``${uid}/${cn}``; the realm is determined by ``dc``
components of the object's name, as is typical.

::

    objectclass ( acmObCls:5
        NAME 'jhuacmKerberosInstance'
        DESC 'A kerberos instance: uid/cn'
        SUP top
        STRUCTURAL
        MUST ( cn $ uid ) )

.. _oid-SNMP:

SNMP
####

If the ACM ever has a need to define its own SNMP MIB entries, they go
under ``1.3.6.1.4.1.25929.666``. (You can probably guess the sysadmins'
general opinion of SNMP from this.) Any resulting MIBs will be available
somewhere in AFS.

.. _oid-1337:

Experimental and temporary OIDs
###############################

Under ``1.3.6.1.4.1.25929.1337``, all bets are off. Things can be
temporarily defined here for experiments or things under development
that might change suddenly and in incompatible ways over time. Don't
even think of relying on anything in there. When we commit to the way
something in here will be for the future, it will be moved to the
appropriate arc.
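The ``${uid}/${cn}`` mapping from the Kerberos Instance section, written out as an added example (not part of the ACM's own tooling) that derives a principal from a ``jhuacmKerberosInstance`` entry and refuses values that would change how the principal parses. The function names, the sample DN layout and the uppercasing of the ``dc`` labels into the realm are assumptions of this example.

```python
import re

# Characters that would alter how a Kerberos principal string is parsed.
_UNSAFE = re.compile(r"[/@\s\x00]")


def split_rdns(dn):
    """Split a DN on unescaped commas only; returns [(attr, value), ...]."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]      # keep the escape pair, skip past it
            i += 2
            continue
        if ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    parts.append(cur)
    out = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        out.append((attr.strip().lower(), value.strip()))
    return out


def principal_for(dn, uid, cn):
    """Map an entry's DN, uid and cn to uid/cn@REALM."""
    for name, value in (("uid", uid), ("cn", cn)):
        if not value or _UNSAFE.search(value):
            raise ValueError(f"{name} {value!r} is not safe in a principal")
    # Realm comes from the dc components of the entry's name.
    labels = [v for a, v in split_rdns(dn) if a == "dc"]
    if not labels or any(_UNSAFE.search(lab) or "\\" in lab for lab in labels):
        raise ValueError("cannot derive a realm from " + repr(dn))
    # Assumption: realm is the dc labels joined with dots and uppercased.
    return f"{uid}/{cn}@{'.'.join(labels).upper()}"


# Constructed sample entry name (layout is illustrative, not the ACM's tree).
SAMPLE_DN = "cn=admin,uid=alice,ou=instances,dc=acm,dc=jhu,dc=edu"
```

Splitting on unescaped commas matters when the result feeds access control: an escaped ``\,dc=...`` inside an attribute value must not contribute to the realm.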