dn: @INDEXLIST
@IDXATTR: cn
@IDXATTR: flatname
@IDXATTR: realm

dn: @ATTRIBUTES
realm: CASE_INSENSITIVE
flatname: CASE_INSENSITIVE
sAMAccountName: CASE_INSENSITIVE

#Add modules to the list to activate them by default
#beware often order is important
dn: @MODULES
@LIST: operational

dn: CN=LSA Secrets
objectClass: top
objectClass: container
cn: LSA Secrets

dn: CN=Primary Domains
objectClass: top
objectClass: container
cn: Primary Domains

dn: flatname=${DOMAIN},CN=Primary Domains
objectClass: top
objectClass: primaryDomain
objectClass: kerberosSecret
flatname: ${DOMAIN}
realm: ${REALM}
secret: ${MACHINEPASS}
secureChannelType: 6
sAMAccountName: ${NETBIOSNAME}$
whenCreated: ${LDAPTIME}
whenChanged: ${LDAPTIME}
msDS-KeyVersionNumber: 1
objectSid: ${DOMAINSID}
privateKeytab: secrets.keytab

# A hook from our credentials system into HDB, as we must be on a KDC,
# we can look directly into the database.
dn: samAccountName=krbtgt,flatname=${DOMAIN},CN=Principals
objectClass: top
objectClass: secret
objectClass: kerberosSecret
flatname: ${DOMAIN}
realm: ${REALM}
sAMAccountName: krbtgt
whenCreated: ${LDAPTIME}
whenChanged: ${LDAPTIME}
objectSid: ${DOMAINSID}
servicePrincipalName: kadmin/changepw
krb5Keytab: HDB:ldb:sam.ldb:
#The trailing : here is a HACK, but it matches the Heimdal format.