Diffstat (limited to 'source4/ldap_server/devdocs/rfc2256.txt')
-rw-r--r-- | source4/ldap_server/devdocs/rfc2256.txt | 1123 |
1 files changed, 1123 insertions, 0 deletions
diff --git a/source4/ldap_server/devdocs/rfc2256.txt b/source4/ldap_server/devdocs/rfc2256.txt new file mode 100644 index 0000000000..69706f65a6 --- /dev/null +++ b/source4/ldap_server/devdocs/rfc2256.txt 
@@ -0,0 +1,1123 @@ + + + + + + +Network Working Group M. Wahl +Request for Comments: 2256 Critical Angle Inc. +Category: Standards Track December 1997 + + + A Summary of the X.500(96) User Schema for use with LDAPv3 + +1. Status of this Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (1997). All Rights Reserved. + +IESG Note + + This document describes a directory access protocol that provides + both read and update access. Update access requires secure + authentication, but this document does not mandate implementation of + any satisfactory authentication mechanisms. + + In accordance with RFC 2026, section 4.4.1, this specification is + being approved by IESG as a Proposed Standard despite this + limitation, for the following reasons: + + a. to encourage implementation and interoperability testing of + these protocols (with or without update access) before they + are deployed, and + + b. to encourage deployment and use of these protocols in read-only + applications. (e.g. applications where LDAPv3 is used as + a query language for directories which are updated by some + secure mechanism other than LDAP), and + + c. to avoid delaying the advancement and deployment of other Internet + standards-track protocols which require the ability to query, but + not update, LDAPv3 directory servers. + + Readers are hereby warned that until mandatory authentication + mechanisms are standardized, clients and servers written according to + this specification which make use of update functionality are + UNLIKELY TO INTEROPERATE, or MAY INTEROPERATE ONLY IF AUTHENTICATION + IS REDUCED TO AN UNACCEPTABLY WEAK LEVEL. 
+ + + +Wahl Standards Track [Page 1] + +RFC 2256 LDAPv3 Schema December 1997 + + + Implementors are hereby discouraged from deploying LDAPv3 clients or + servers which implement the update functionality, until a Proposed + Standard for mandatory authentication in LDAPv3 has been approved and + published as an RFC. + +2. Abstract + + This document provides an overview of the attribute types and object + classes defined by the ISO and ITU-T committees in the X.500 + documents, in particular those intended for use by directory clients. + This is the most widely used schema for LDAP/X.500 directories, and + many other schema definitions for white pages objects use it as a + basis. This document does not cover attributes used for the + administration of X.500 directory servers, nor does it include + attributes defined by other ISO/ITU-T documents. + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [6]. + +3. General Issues + + This document references syntaxes given in section 6 of this document + and section 6 of [1]. Matching rules are listed in section 8 of this + document and section 8 of [1]. + + The attribute type and object class definitions are written using the + BNF form of AttributeTypeDescription and ObjectClassDescription given + in [1]. Lines have been folded for readability. + +4. 
Source + + The schema definitions in this document are based on those found in + X.500 [2],[3],[4],[5], and updates to these documents, specifically: + + Sections Source + ============ ============ + 5.1 - 5.2 X.501(93) + 5.3 - 5.36 X.520(88) + 5.37 - 5.41 X.509(93) + 5.42 - 5.52 X.520(93) + 5.53 - 5.54 X.509(96) + 5.55 X.520(96) + 6.1 RFC 1274 + 6.2 (new syntax) + 6.3 - 6.6 RFC 1274 + 7.1 - 7.2 X.501(93) + 7.3 - 7.18 X.521(93) + + + +Wahl Standards Track [Page 2] + +RFC 2256 LDAPv3 Schema December 1997 + + + 7.19 - 7.21 X.509(96) + 7.22 X.521(96) + + Some attribute names are different from those found in X.520(93). + + Three new attributes supportedAlgorithms, deltaRevocationList and + dmdName, and the objectClass dmd, are defined in the X.500(96) + documents. + +5. Attribute Types + + An LDAP server implementation SHOULD recognize the attribute types + described in this section. + +5.1. objectClass + + The values of the objectClass attribute describe the kind of object + which an entry represents. The objectClass attribute is present in + every entry, with at least two values. One of the values is either + "top" or "alias". + + ( 2.5.4.0 NAME 'objectClass' EQUALITY objectIdentifierMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) + +5.2. aliasedObjectName + + The aliasedObjectName attribute is used by the directory service if + the entry containing this attribute is an alias. + + ( 2.5.4.1 NAME 'aliasedObjectName' EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) + +5.3. knowledgeInformation + + This attribute is no longer used. + + ( 2.5.4.2 NAME 'knowledgeInformation' EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) + +5.4. cn + + This is the X.500 commonName attribute, which contains a name of an + object. If the object corresponds to a person, it is typically the + person's full name. 
+ + ( 2.5.4.3 NAME 'cn' SUP name ) + + + + + +Wahl Standards Track [Page 3] + +RFC 2256 LDAPv3 Schema December 1997 + + +5.5. sn + + This is the X.500 surname attribute, which contains the family name + of a person. + + ( 2.5.4.4 NAME 'sn' SUP name ) + +5.6. serialNumber + + This attribute contains the serial number of a device. + + ( 2.5.4.5 NAME 'serialNumber' EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} ) + +5.7. c + + This attribute contains a two-letter ISO 3166 country code + (countryName). + + ( 2.5.4.6 NAME 'c' SUP name SINGLE-VALUE ) + +5.8. l + + This attribute contains the name of a locality, such as a city, + county or other geographic region (localityName). + + ( 2.5.4.7 NAME 'l' SUP name ) + +5.9. st + + This attribute contains the full name of a state or province + (stateOrProvinceName). + + ( 2.5.4.8 NAME 'st' SUP name ) + +5.10. street + + This attribute contains the physical address of the object to which + the entry corresponds, such as an address for package delivery + (streetAddress). + + ( 2.5.4.9 NAME 'street' EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) + + + + + + +Wahl Standards Track [Page 4] + +RFC 2256 LDAPv3 Schema December 1997 + + +5.11. o + + This attribute contains the name of an organization + (organizationName). + + ( 2.5.4.10 NAME 'o' SUP name ) + +5.12. ou + + This attribute contains the name of an organizational unit + (organizationalUnitName). + + ( 2.5.4.11 NAME 'ou' SUP name ) + +5.13. title + + This attribute contains the title, such as "Vice President", of a + person in their organizational context. The "personalTitle" + attribute would be used for a person's title independent of their job + function. + + ( 2.5.4.12 NAME 'title' SUP name ) + +5.14. description + + This attribute contains a human-readable description of the object. 
+ + ( 2.5.4.13 NAME 'description' EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} ) + +5.15. searchGuide + + This attribute is for use by X.500 clients in constructing search + filters. It is obsoleted by enhancedSearchGuide, described below in + 5.48. + + ( 2.5.4.14 NAME 'searchGuide' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 ) + +5.16. businessCategory + + This attribute describes the kind of business performed by an + organization. + + ( 2.5.4.15 NAME 'businessCategory' EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) + + + +Wahl Standards Track [Page 5] + +RFC 2256 LDAPv3 Schema December 1997 + + +5.17. postalAddress + + ( 2.5.4.16 NAME 'postalAddress' EQUALITY caseIgnoreListMatch + SUBSTR caseIgnoreListSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 ) + +5.18. postalCode + + ( 2.5.4.17 NAME 'postalCode' EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} ) + +5.19. postOfficeBox + + ( 2.5.4.18 NAME 'postOfficeBox' EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} ) + +5.20. physicalDeliveryOfficeName + + ( 2.5.4.19 NAME 'physicalDeliveryOfficeName' EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) + +5.21. telephoneNumber + + ( 2.5.4.20 NAME 'telephoneNumber' EQUALITY telephoneNumberMatch + SUBSTR telephoneNumberSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} ) + +5.22. telexNumber + + ( 2.5.4.21 NAME 'telexNumber' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 ) + +5.23. teletexTerminalIdentifier + + ( 2.5.4.22 NAME 'teletexTerminalIdentifier' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 ) + +5.24. 
facsimileTelephoneNumber + + ( 2.5.4.23 NAME 'facsimileTelephoneNumber' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 ) + + + + + + + +Wahl Standards Track [Page 6] + +RFC 2256 LDAPv3 Schema December 1997 + + +5.25. x121Address + + ( 2.5.4.24 NAME 'x121Address' EQUALITY numericStringMatch + SUBSTR numericStringSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} ) + +5.26. internationaliSDNNumber + + ( 2.5.4.25 NAME 'internationaliSDNNumber' EQUALITY numericStringMatch + SUBSTR numericStringSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} ) + +5.27. registeredAddress + + This attribute holds a postal address suitable for reception of + telegrams or expedited documents, where it is necessary to have the + recipient accept delivery. + + ( 2.5.4.26 NAME 'registeredAddress' SUP postalAddress + SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 ) + +5.28. destinationIndicator + + This attribute is used for the telegram service. + + ( 2.5.4.27 NAME 'destinationIndicator' EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} ) + +5.29. preferredDeliveryMethod + + ( 2.5.4.28 NAME 'preferredDeliveryMethod' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.14 + SINGLE-VALUE ) + +5.30. presentationAddress + + This attribute contains an OSI presentation address. + + ( 2.5.4.29 NAME 'presentationAddress' + EQUALITY presentationAddressMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.43 + SINGLE-VALUE ) + + + + + + + + +Wahl Standards Track [Page 7] + +RFC 2256 LDAPv3 Schema December 1997 + + +5.31. supportedApplicationContext + + This attribute contains the identifiers of OSI application contexts. + + ( 2.5.4.30 NAME 'supportedApplicationContext' + EQUALITY objectIdentifierMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) + +5.32. member + + ( 2.5.4.31 NAME 'member' SUP distinguishedName ) + +5.33. owner + + ( 2.5.4.32 NAME 'owner' SUP distinguishedName ) + +5.34. roleOccupant + + ( 2.5.4.33 NAME 'roleOccupant' SUP distinguishedName ) + +5.35. 
seeAlso + + ( 2.5.4.34 NAME 'seeAlso' SUP distinguishedName ) + +5.36. userPassword + + ( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} ) + + Passwords are stored using an Octet String syntax and are not + encrypted. Transfer of cleartext passwords are strongly discouraged + where the underlying transport service cannot guarantee + confidentiality and may result in disclosure of the password to + unauthorized parties. + +5.37. userCertificate + + This attribute is to be stored and requested in the binary form, as + 'userCertificate;binary'. + + ( 2.5.4.36 NAME 'userCertificate' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 ) + +5.38. cACertificate + + This attribute is to be stored and requested in the binary form, as + 'cACertificate;binary'. + + + + +Wahl Standards Track [Page 8] + +RFC 2256 LDAPv3 Schema December 1997 + + + ( 2.5.4.37 NAME 'cACertificate' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 ) + +5.39. authorityRevocationList + + This attribute is to be stored and requested in the binary form, as + 'authorityRevocationList;binary'. + + ( 2.5.4.38 NAME 'authorityRevocationList' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) + +5.40. certificateRevocationList + + This attribute is to be stored and requested in the binary form, as + 'certificateRevocationList;binary'. + + ( 2.5.4.39 NAME 'certificateRevocationList' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) + +5.41. crossCertificatePair + + This attribute is to be stored and requested in the binary form, as + 'crossCertificatePair;binary'. + + ( 2.5.4.40 NAME 'crossCertificatePair' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 ) + +5.42. name + + The name attribute type is the attribute supertype from which string + attribute types typically used for naming may be formed. It is + unlikely that values of this type itself will occur in an entry. LDAP + server implementations which do not support attribute subtyping need + not recognize this attribute in requests. 
Client implementations + MUST NOT assume that LDAP servers are capable of performing attribute + subtyping. + + ( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) + +5.43. givenName + + The givenName attribute is used to hold the part of a person's name + which is not their surname nor middle name. + + ( 2.5.4.42 NAME 'givenName' SUP name ) + + + + +Wahl Standards Track [Page 9] + +RFC 2256 LDAPv3 Schema December 1997 + + +5.44. initials + + The initials attribute contains the initials of some or all of an + individuals names, but not the surname(s). + + ( 2.5.4.43 NAME 'initials' SUP name ) + +5.45. generationQualifier + + The generationQualifier attribute contains the part of the name which + typically is the suffix, as in "IIIrd". + + ( 2.5.4.44 NAME 'generationQualifier' SUP name ) + +5.46. x500UniqueIdentifier + + The x500UniqueIdentifier attribute is used to distinguish between + objects when a distinguished name has been reused. This is a + different attribute type from both the "uid" and "uniqueIdentifier" + types. + + ( 2.5.4.45 NAME 'x500UniqueIdentifier' EQUALITY bitStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 ) + +5.47. dnQualifier + + The dnQualifier attribute type specifies disambiguating information + to add to the relative distinguished name of an entry. It is + intended for use when merging data from multiple sources in order to + prevent conflicts between entries which would otherwise have the same + name. It is recommended that the value of the dnQualifier attribute + be the same for all entries from a particular source. + + ( 2.5.4.46 NAME 'dnQualifier' EQUALITY caseIgnoreMatch + ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 ) + +5.48. enhancedSearchGuide + + This attribute is for use by X.500 clients in constructing search + filters. 
+ + ( 2.5.4.47 NAME 'enhancedSearchGuide' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 ) + + + + + + + +Wahl Standards Track [Page 10] + +RFC 2256 LDAPv3 Schema December 1997 + + +5.49. protocolInformation + + This attribute is used in conjunction with the presentationAddress + attribute, to provide additional information to the OSI network + service. + + ( 2.5.4.48 NAME 'protocolInformation' + EQUALITY protocolInformationMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 ) + +5.50. distinguishedName + + This attribute type is not used as the name of the object itself, but + it is instead a base type from which attributes with DN syntax + inherit. + + It is unlikely that values of this type itself will occur in an + entry. LDAP server implementations which do not support attribute + subtyping need not recognize this attribute in requests. Client + implementations MUST NOT assume that LDAP servers are capable of + performing attribute subtyping. + + ( 2.5.4.49 NAME 'distinguishedName' EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) + +5.51. uniqueMember + + ( 2.5.4.50 NAME 'uniqueMember' EQUALITY uniqueMemberMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 ) + +5.52. houseIdentifier + + This attribute is used to identify a building within a location. + + ( 2.5.4.51 NAME 'houseIdentifier' EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) + +5.53. supportedAlgorithms + + This attribute is to be stored and requested in the binary form, as + 'supportedAlgorithms;binary'. + + ( 2.5.4.52 NAME 'supportedAlgorithms' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 ) + + + + + + +Wahl Standards Track [Page 11] + +RFC 2256 LDAPv3 Schema December 1997 + + +5.54. deltaRevocationList + + This attribute is to be stored and requested in the binary form, as + 'deltaRevocationList;binary'. + + ( 2.5.4.53 NAME 'deltaRevocationList' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) + +5.55. 
dmdName + + The value of this attribute specifies a directory management domain + (DMD), the administrative authority which operates the directory + server. + + ( 2.5.4.54 NAME 'dmdName' SUP name ) + +6. Syntaxes + + Servers SHOULD recognize the syntaxes defined in this section. Each + syntax begins with a sample value of the ldapSyntaxes attribute which + defines the OBJECT IDENTIFIER of the syntax. The descriptions of + syntax names are not carried in protocol, and are not guaranteed to + be unique. + +6.1. Delivery Method + + ( 1.3.6.1.4.1.1466.115.121.1.14 DESC 'Delivery Method' ) + + Values in this syntax are encoded according to the following BNF: + + delivery-value = pdm / ( pdm whsp "$" whsp delivery-value ) + + pdm = "any" / "mhs" / "physical" / "telex" / "teletex" / + "g3fax" / "g4fax" / "ia5" / "videotex" / "telephone" + + Example: + + telephone + +6.2. Enhanced Guide + + ( 1.3.6.1.4.1.1466.115.121.1.21 DESC 'Enhanced Guide' ) + + Values in this syntax are encoded according to the following BNF: + + EnhancedGuide = woid whsp "#" whsp criteria whsp "#" whsp subset + + subset = "baseobject" / "oneLevel" / "wholeSubtree" + + + +Wahl Standards Track [Page 12] + +RFC 2256 LDAPv3 Schema December 1997 + + + The criteria production is defined in the Guide syntax below. This + syntax has been added subsequent to RFC 1778. + + Example: + + person#(sn)#oneLevel + +6.3. Guide + + ( 1.3.6.1.4.1.1466.115.121.1.25 DESC 'Guide' ) + + Values in this syntax are encoded according to the following BNF: + + guide-value = [ object-class "#" ] criteria + + object-class = woid + + criteria = criteria-item / criteria-set / ( "!" criteria ) + + criteria-set = ( [ "(" ] criteria "&" criteria-set [ ")" ] ) / + ( [ "(" ] criteria "|" criteria-set [ ")" ] ) + + criteria-item = [ "(" ] attributetype "$" match-type [ ")" ] + + match-type = "EQ" / "SUBSTR" / "GE" / "LE" / "APPROX" + + This syntax should not be used for defining new attributes. + +6.4. 
Octet String + + ( 1.3.6.1.4.1.1466.115.121.1.40 DESC 'Octet String' ) + + Values in this syntax are encoded as octet strings. + + + Example: + + secret + +6.5. Teletex Terminal Identifier + + ( 1.3.6.1.4.1.1466.115.121.1.51 DESC 'Teletex Terminal Identifier' ) + + Values in this syntax are encoded according to the following BNF: + + teletex-id = ttx-term 0*("$" ttx-param) + + ttx-term = printablestring + + + +Wahl Standards Track [Page 13] + +RFC 2256 LDAPv3 Schema December 1997 + + + ttx-param = ttx-key ":" ttx-value + + ttx-key = "graphic" / "control" / "misc" / "page" / "private" + + ttx-value = octetstring + + In the above, the first printablestring is the encoding of the first + portion of the teletex terminal identifier to be encoded, and the + subsequent 0 or more octetstrings are subsequent portions of the + teletex terminal identifier. + +6.6. Telex Number + + ( 1.3.6.1.4.1.1466.115.121.1.52 DESC 'Telex Number' ) + + Values in this syntax are encoded according to the following BNF: + + telex-number = actual-number "$" country "$" answerback + + actual-number = printablestring + + country = printablestring + + answerback = printablestring + + In the above, actual-number is the syntactic representation of the + number portion of the TELEX number being encoded, country is the + TELEX country code, and answerback is the answerback code of a TELEX + terminal. + +6.7. Supported Algorithm + + ( 1.3.6.1.4.1.1466.115.121.1.49 DESC 'Supported Algorithm' ) + + No printable representation of values of the supportedAlgorithms + attribute is defined in this document. Clients which wish to store + and retrieve this attribute MUST use "supportedAlgorithms;binary", in + which the value is transferred as a binary encoding. + +7. Object Classes + + LDAP servers MUST recognize the object classes "top" and "subschema". + LDAP servers SHOULD recognize all the other object classes listed + here as values of the objectClass attribute. + +7.1. 
top + + ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass ) + + + +Wahl Standards Track [Page 14] + +RFC 2256 LDAPv3 Schema December 1997 + + +7.2. alias + + ( 2.5.6.1 NAME 'alias' SUP top STRUCTURAL MUST aliasedObjectName ) + +7.3. country + + ( 2.5.6.2 NAME 'country' SUP top STRUCTURAL MUST c + MAY ( searchGuide $ description ) ) + +7.4. locality + + ( 2.5.6.3 NAME 'locality' SUP top STRUCTURAL + MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) ) + +7.5. organization + + ( 2.5.6.4 NAME 'organization' SUP top STRUCTURAL MUST o + MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ + x121Address $ registeredAddress $ destinationIndicator $ + preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ + telephoneNumber $ internationaliSDNNumber $ + facsimileTelephoneNumber $ + street $ postOfficeBox $ postalCode $ postalAddress $ + physicalDeliveryOfficeName $ st $ l $ description ) ) + +7.6. organizationalUnit + + ( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL MUST ou + MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ + x121Address $ registeredAddress $ destinationIndicator $ + preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ + telephoneNumber $ internationaliSDNNumber $ + facsimileTelephoneNumber $ + street $ postOfficeBox $ postalCode $ postalAddress $ + physicalDeliveryOfficeName $ st $ l $ description ) ) + +7.7. person + + ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) + MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) ) + +7.8. 
organizationalPerson + + ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL + MAY ( title $ x121Address $ registeredAddress $ + destinationIndicator $ + preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ + telephoneNumber $ internationaliSDNNumber $ + + + +Wahl Standards Track [Page 15] + +RFC 2256 LDAPv3 Schema December 1997 + + + facsimileTelephoneNumber $ + street $ postOfficeBox $ postalCode $ postalAddress $ + physicalDeliveryOfficeName $ ou $ st $ l ) ) + +7.9. organizationalRole + + ( 2.5.6.8 NAME 'organizationalRole' SUP top STRUCTURAL MUST cn + MAY ( x121Address $ registeredAddress $ destinationIndicator $ + preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ + telephoneNumber $ internationaliSDNNumber $ + facsimileTelephoneNumber $ + seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $ + postOfficeBox $ postalCode $ postalAddress $ + physicalDeliveryOfficeName $ ou $ st $ l $ description ) ) + +7.10. groupOfNames + + ( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( member $ cn ) + MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) + +7.11. residentialPerson + + ( 2.5.6.10 NAME 'residentialPerson' SUP person STRUCTURAL MUST l + MAY ( businessCategory $ x121Address $ registeredAddress $ + destinationIndicator $ preferredDeliveryMethod $ telexNumber $ + teletexTerminalIdentifier $ telephoneNumber $ + internationaliSDNNumber $ + facsimileTelephoneNumber $ preferredDeliveryMethod $ street $ + postOfficeBox $ postalCode $ postalAddress $ + physicalDeliveryOfficeName $ st $ l ) ) + +7.12. applicationProcess + + ( 2.5.6.11 NAME 'applicationProcess' SUP top STRUCTURAL MUST cn + MAY ( seeAlso $ ou $ l $ description ) ) + +7.13. applicationEntity + + ( 2.5.6.12 NAME 'applicationEntity' SUP top STRUCTURAL + MUST ( presentationAddress $ cn ) + MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $ + description ) ) + +7.14. 
dSA + + ( 2.5.6.13 NAME 'dSA' SUP applicationEntity STRUCTURAL + MAY knowledgeInformation ) + + + + +Wahl Standards Track [Page 16] + +RFC 2256 LDAPv3 Schema December 1997 + + +7.15. device + + ( 2.5.6.14 NAME 'device' SUP top STRUCTURAL MUST cn + MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) ) + +7.16. strongAuthenticationUser + + ( 2.5.6.15 NAME 'strongAuthenticationUser' SUP top AUXILIARY + MUST userCertificate ) + +7.17. certificationAuthority + + ( 2.5.6.16 NAME 'certificationAuthority' SUP top AUXILIARY + MUST ( authorityRevocationList $ certificateRevocationList $ + cACertificate ) MAY crossCertificatePair ) + +7.18. groupOfUniqueNames + + ( 2.5.6.17 NAME 'groupOfUniqueNames' SUP top STRUCTURAL + MUST ( uniqueMember $ cn ) + MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) + +7.19. userSecurityInformation + + ( 2.5.6.18 NAME 'userSecurityInformation' SUP top AUXILIARY + MAY ( supportedAlgorithms ) ) + +7.20. certificationAuthority-V2 + + ( 2.5.6.16.2 NAME 'certificationAuthority-V2' SUP + certificationAuthority + AUXILIARY MAY ( deltaRevocationList ) ) + +7.21. cRLDistributionPoint + + ( 2.5.6.19 NAME 'cRLDistributionPoint' SUP top STRUCTURAL + MUST ( cn ) MAY ( certificateRevocationList $ + authorityRevocationList $ + deltaRevocationList ) ) + +7.22. dmd + + ( 2.5.6.20 NAME 'dmd' SUP top STRUCTURAL MUST ( dmdName ) + MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ + x121Address $ registeredAddress $ destinationIndicator $ + preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ + telephoneNumber $ internationaliSDNNumber $ + facsimileTelephoneNumber $ + + + +Wahl Standards Track [Page 17] + +RFC 2256 LDAPv3 Schema December 1997 + + + street $ postOfficeBox $ postalCode $ postalAddress $ + physicalDeliveryOfficeName $ st $ l $ description ) ) + +8. Matching Rules + + Servers MAY implement additional matching rules. + +8.1. 
octetStringMatch + + Servers which implement the extensibleMatch filter SHOULD allow the + matching rule listed in this section to be used in the + extensibleMatch. In general these servers SHOULD allow matching + rules to be used with all attribute types known to the server, when + the assertion syntax of the matching rule is the same as the value + syntax of the attribute. + + ( 2.5.13.17 NAME 'octetStringMatch' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) + +9. Security Considerations + + Attributes of directory entries are used to provide descriptive + information about the real-world objects they represent, which can be + people, organizations or devices. Most countries have privacy laws + regarding the publication of information about people. + + Transfer of cleartext passwords are strongly discouraged where the + underlying transport service cannot guarantee confidentiality and may + result in disclosure of the password to unauthorized parties. + +10. Acknowledgements + + The definitions on which this document have been developed by + committees for telecommunications and international standards. No + new attribute definitions have been added. The syntax definitions + are based on the ISODE "QUIPU" implementation of X.500. + +11. Bibliography + + [1] Wahl, M., Coulbeck, A., Howes, T., and S. Kille, + "Lightweight X.500 Directory Access Protocol (v3): Attribute + Syntax Definitions", RFC 2252, December 1997. + + [2] The Directory: Models. ITU-T Recommendation X.501, 1996. + + [3] The Directory: Authentication Framework. ITU-T Recommendation + X.509, 1996. + + + + +Wahl Standards Track [Page 18] + +RFC 2256 LDAPv3 Schema December 1997 + + + [4] The Directory: Selected Attribute Types. ITU-T Recommendation + X.520, 1996. + + [5] The Directory: Selected Object Classes. ITU-T Recommendation + X.521, 1996. + + [6] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", RFC 2119, March 1997. + +12. Author's Address + + Mark Wahl + Critical Angle Inc. 
+ 4815 West Braker Lane #502-385 + Austin, TX 78759 + USA + + Phone: +1 512 372 3160 + EMail: M.Wahl@critical-angle.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Wahl Standards Track [Page 19] + +RFC 2256 LDAPv3 Schema December 1997 + + +13. Full Copyright Statement + + Copyright (C) The Internet Society (1997). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + + + + + + + + + + + + + + + + + + + + + + + + +Wahl Standards Track [Page 20] + |
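Review bot: the hunk checks in 1123 lines of reference text with no pointer from the ldap_server code or a devdocs index saying which parts of this schema the server implements, so a reader cannot tell whether the file is normative for the implementation or only background; a short note next to the file (or in the commit message) stating that would help. Two items in the text itself deserve a mention in that note, since they bear directly on an LDAP server: section 5.36 and section 9 state that userPassword is stored as an unencrypted Octet String and that cleartext password transfer is strongly discouraged where the transport cannot guarantee confidentiality, and the IESG Note warns that the specification mandates no authentication mechanism for update access. Also note that the Full Copyright Statement (section 13) permits copying the RFC but forbids modifying it, so the file should stay a verbatim copy rather than being reflowed or trimmed later.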