diff options
Diffstat (limited to 'source4/ldap_server/devdocs/rfc2256.txt')
-rw-r--r-- | source4/ldap_server/devdocs/rfc2256.txt | 1123 |
1 files changed, 0 insertions, 1123 deletions
diff --git a/source4/ldap_server/devdocs/rfc2256.txt b/source4/ldap_server/devdocs/rfc2256.txt deleted file mode 100644 index 69706f65a6..0000000000 --- a/source4/ldap_server/devdocs/rfc2256.txt +++ /dev/null @@ -1,1123 +0,0 @@ - - - - - - -Network Working Group M. Wahl -Request for Comments: 2256 Critical Angle Inc. -Category: Standards Track December 1997 - - - A Summary of the X.500(96) User Schema for use with LDAPv3 - -1. Status of this Memo - - This document specifies an Internet standards track protocol for the - Internet community, and requests discussion and suggestions for - improvements. Please refer to the current edition of the "Internet - Official Protocol Standards" (STD 1) for the standardization state - and status of this protocol. Distribution of this memo is unlimited. - -Copyright Notice - - Copyright (C) The Internet Society (1997). All Rights Reserved. - -IESG Note - - This document describes a directory access protocol that provides - both read and update access. Update access requires secure - authentication, but this document does not mandate implementation of - any satisfactory authentication mechanisms. - - In accordance with RFC 2026, section 4.4.1, this specification is - being approved by IESG as a Proposed Standard despite this - limitation, for the following reasons: - - a. to encourage implementation and interoperability testing of - these protocols (with or without update access) before they - are deployed, and - - b. to encourage deployment and use of these protocols in read-only - applications. (e.g. applications where LDAPv3 is used as - a query language for directories which are updated by some - secure mechanism other than LDAP), and - - c. to avoid delaying the advancement and deployment of other Internet - standards-track protocols which require the ability to query, but - not update, LDAPv3 directory servers. - - Readers are hereby warned that until mandatory authentication - mechanisms are standardized, clients and servers written according to - this specification which make use of update functionality are - UNLIKELY TO INTEROPERATE, or MAY INTEROPERATE ONLY IF AUTHENTICATION - IS REDUCED TO AN UNACCEPTABLY WEAK LEVEL. - - - -Wahl Standards Track [Page 1] - -RFC 2256 LDAPv3 Schema December 1997 - - - Implementors are hereby discouraged from deploying LDAPv3 clients or - servers which implement the update functionality, until a Proposed - Standard for mandatory authentication in LDAPv3 has been approved and - published as an RFC. - -2. Abstract - - This document provides an overview of the attribute types and object - classes defined by the ISO and ITU-T committees in the X.500 - documents, in particular those intended for use by directory clients. - This is the most widely used schema for LDAP/X.500 directories, and - many other schema definitions for white pages objects use it as a - basis. This document does not cover attributes used for the - administration of X.500 directory servers, nor does it include - attributes defined by other ISO/ITU-T documents. - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this - document are to be interpreted as described in RFC 2119 [6]. - -3. General Issues - - This document references syntaxes given in section 6 of this document - and section 6 of [1]. Matching rules are listed in section 8 of this - document and section 8 of [1]. - - The attribute type and object class definitions are written using the - BNF form of AttributeTypeDescription and ObjectClassDescription given - in [1]. Lines have been folded for readability. - -4. Source - - The schema definitions in this document are based on those found in - X.500 [2],[3],[4],[5], and updates to these documents, specifically: - - Sections Source - ============ ============ - 5.1 - 5.2 X.501(93) - 5.3 - 5.36 X.520(88) - 5.37 - 5.41 X.509(93) - 5.42 - 5.52 X.520(93) - 5.53 - 5.54 X.509(96) - 5.55 X.520(96) - 6.1 RFC 1274 - 6.2 (new syntax) - 6.3 - 6.6 RFC 1274 - 7.1 - 7.2 X.501(93) - 7.3 - 7.18 X.521(93) - - - -Wahl Standards Track [Page 2] - -RFC 2256 LDAPv3 Schema December 1997 - - - 7.19 - 7.21 X.509(96) - 7.22 X.521(96) - - Some attribute names are different from those found in X.520(93). - - Three new attributes supportedAlgorithms, deltaRevocationList and - dmdName, and the objectClass dmd, are defined in the X.500(96) - documents. - -5. Attribute Types - - An LDAP server implementation SHOULD recognize the attribute types - described in this section. - -5.1. objectClass - - The values of the objectClass attribute describe the kind of object - which an entry represents. The objectClass attribute is present in - every entry, with at least two values. One of the values is either - "top" or "alias". - - ( 2.5.4.0 NAME 'objectClass' EQUALITY objectIdentifierMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) - -5.2. aliasedObjectName - - The aliasedObjectName attribute is used by the directory service if - the entry containing this attribute is an alias. - - ( 2.5.4.1 NAME 'aliasedObjectName' EQUALITY distinguishedNameMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) - -5.3. knowledgeInformation - - This attribute is no longer used. - - ( 2.5.4.2 NAME 'knowledgeInformation' EQUALITY caseIgnoreMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) - -5.4. cn - - This is the X.500 commonName attribute, which contains a name of an - object. If the object corresponds to a person, it is typically the - person's full name. - - ( 2.5.4.3 NAME 'cn' SUP name ) - - - - - -Wahl Standards Track [Page 3] - -RFC 2256 LDAPv3 Schema December 1997 - - -5.5. sn - - This is the X.500 surname attribute, which contains the family name - of a person. - - ( 2.5.4.4 NAME 'sn' SUP name ) - -5.6. serialNumber - - This attribute contains the serial number of a device. - - ( 2.5.4.5 NAME 'serialNumber' EQUALITY caseIgnoreMatch - SUBSTR caseIgnoreSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} ) - -5.7. c - - This attribute contains a two-letter ISO 3166 country code - (countryName). - - ( 2.5.4.6 NAME 'c' SUP name SINGLE-VALUE ) - -5.8. l - - This attribute contains the name of a locality, such as a city, - county or other geographic region (localityName). - - ( 2.5.4.7 NAME 'l' SUP name ) - -5.9. st - - This attribute contains the full name of a state or province - (stateOrProvinceName). - - ( 2.5.4.8 NAME 'st' SUP name ) - -5.10. street - - This attribute contains the physical address of the object to which - the entry corresponds, such as an address for package delivery - (streetAddress). - - ( 2.5.4.9 NAME 'street' EQUALITY caseIgnoreMatch - SUBSTR caseIgnoreSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) - - - - - - -Wahl Standards Track [Page 4] - -RFC 2256 LDAPv3 Schema December 1997 - - -5.11. o - - This attribute contains the name of an organization - (organizationName). - - ( 2.5.4.10 NAME 'o' SUP name ) - -5.12. ou - - This attribute contains the name of an organizational unit - (organizationalUnitName). - - ( 2.5.4.11 NAME 'ou' SUP name ) - -5.13. title - - This attribute contains the title, such as "Vice President", of a - person in their organizational context. The "personalTitle" - attribute would be used for a person's title independent of their job - function. - - ( 2.5.4.12 NAME 'title' SUP name ) - -5.14. description - - This attribute contains a human-readable description of the object. - - ( 2.5.4.13 NAME 'description' EQUALITY caseIgnoreMatch - SUBSTR caseIgnoreSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} ) - -5.15. searchGuide - - This attribute is for use by X.500 clients in constructing search - filters. It is obsoleted by enhancedSearchGuide, described below in - 5.48. - - ( 2.5.4.14 NAME 'searchGuide' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 ) - -5.16. businessCategory - - This attribute describes the kind of business performed by an - organization. - - ( 2.5.4.15 NAME 'businessCategory' EQUALITY caseIgnoreMatch - SUBSTR caseIgnoreSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) - - - -Wahl Standards Track [Page 5] - -RFC 2256 LDAPv3 Schema December 1997 - - -5.17. postalAddress - - ( 2.5.4.16 NAME 'postalAddress' EQUALITY caseIgnoreListMatch - SUBSTR caseIgnoreListSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 ) - -5.18. postalCode - - ( 2.5.4.17 NAME 'postalCode' EQUALITY caseIgnoreMatch - SUBSTR caseIgnoreSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} ) - -5.19. postOfficeBox - - ( 2.5.4.18 NAME 'postOfficeBox' EQUALITY caseIgnoreMatch - SUBSTR caseIgnoreSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} ) - -5.20. physicalDeliveryOfficeName - - ( 2.5.4.19 NAME 'physicalDeliveryOfficeName' EQUALITY caseIgnoreMatch - SUBSTR caseIgnoreSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) - -5.21. telephoneNumber - - ( 2.5.4.20 NAME 'telephoneNumber' EQUALITY telephoneNumberMatch - SUBSTR telephoneNumberSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} ) - -5.22. telexNumber - - ( 2.5.4.21 NAME 'telexNumber' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 ) - -5.23. teletexTerminalIdentifier - - ( 2.5.4.22 NAME 'teletexTerminalIdentifier' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 ) - -5.24. facsimileTelephoneNumber - - ( 2.5.4.23 NAME 'facsimileTelephoneNumber' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 ) - - - - - - - -Wahl Standards Track [Page 6] - -RFC 2256 LDAPv3 Schema December 1997 - - -5.25. x121Address - - ( 2.5.4.24 NAME 'x121Address' EQUALITY numericStringMatch - SUBSTR numericStringSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} ) - -5.26. internationaliSDNNumber - - ( 2.5.4.25 NAME 'internationaliSDNNumber' EQUALITY numericStringMatch - SUBSTR numericStringSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} ) - -5.27. registeredAddress - - This attribute holds a postal address suitable for reception of - telegrams or expedited documents, where it is necessary to have the - recipient accept delivery. - - ( 2.5.4.26 NAME 'registeredAddress' SUP postalAddress - SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 ) - -5.28. destinationIndicator - - This attribute is used for the telegram service. - - ( 2.5.4.27 NAME 'destinationIndicator' EQUALITY caseIgnoreMatch - SUBSTR caseIgnoreSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} ) - -5.29. preferredDeliveryMethod - - ( 2.5.4.28 NAME 'preferredDeliveryMethod' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.14 - SINGLE-VALUE ) - -5.30. presentationAddress - - This attribute contains an OSI presentation address. - - ( 2.5.4.29 NAME 'presentationAddress' - EQUALITY presentationAddressMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.43 - SINGLE-VALUE ) - - - - - - - - -Wahl Standards Track [Page 7] - -RFC 2256 LDAPv3 Schema December 1997 - - -5.31. supportedApplicationContext - - This attribute contains the identifiers of OSI application contexts. - - ( 2.5.4.30 NAME 'supportedApplicationContext' - EQUALITY objectIdentifierMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) - -5.32. member - - ( 2.5.4.31 NAME 'member' SUP distinguishedName ) - -5.33. owner - - ( 2.5.4.32 NAME 'owner' SUP distinguishedName ) - -5.34. roleOccupant - - ( 2.5.4.33 NAME 'roleOccupant' SUP distinguishedName ) - -5.35. seeAlso - - ( 2.5.4.34 NAME 'seeAlso' SUP distinguishedName ) - -5.36. userPassword - - ( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} ) - - Passwords are stored using an Octet String syntax and are not - encrypted. Transfer of cleartext passwords are strongly discouraged - where the underlying transport service cannot guarantee - confidentiality and may result in disclosure of the password to - unauthorized parties. - -5.37. userCertificate - - This attribute is to be stored and requested in the binary form, as - 'userCertificate;binary'. - - ( 2.5.4.36 NAME 'userCertificate' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 ) - -5.38. cACertificate - - This attribute is to be stored and requested in the binary form, as - 'cACertificate;binary'. - - - - -Wahl Standards Track [Page 8] - -RFC 2256 LDAPv3 Schema December 1997 - - - ( 2.5.4.37 NAME 'cACertificate' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 ) - -5.39. authorityRevocationList - - This attribute is to be stored and requested in the binary form, as - 'authorityRevocationList;binary'. - - ( 2.5.4.38 NAME 'authorityRevocationList' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) - -5.40. certificateRevocationList - - This attribute is to be stored and requested in the binary form, as - 'certificateRevocationList;binary'. - - ( 2.5.4.39 NAME 'certificateRevocationList' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) - -5.41. crossCertificatePair - - This attribute is to be stored and requested in the binary form, as - 'crossCertificatePair;binary'. - - ( 2.5.4.40 NAME 'crossCertificatePair' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 ) - -5.42. name - - The name attribute type is the attribute supertype from which string - attribute types typically used for naming may be formed. It is - unlikely that values of this type itself will occur in an entry. LDAP - server implementations which do not support attribute subtyping need - not recognize this attribute in requests. Client implementations - MUST NOT assume that LDAP servers are capable of performing attribute - subtyping. - - ( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch - SUBSTR caseIgnoreSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) - -5.43. givenName - - The givenName attribute is used to hold the part of a person's name - which is not their surname nor middle name. - - ( 2.5.4.42 NAME 'givenName' SUP name ) - - - - -Wahl Standards Track [Page 9] - -RFC 2256 LDAPv3 Schema December 1997 - - -5.44. initials - - The initials attribute contains the initials of some or all of an - individuals names, but not the surname(s). - - ( 2.5.4.43 NAME 'initials' SUP name ) - -5.45. generationQualifier - - The generationQualifier attribute contains the part of the name which - typically is the suffix, as in "IIIrd". - - ( 2.5.4.44 NAME 'generationQualifier' SUP name ) - -5.46. x500UniqueIdentifier - - The x500UniqueIdentifier attribute is used to distinguish between - objects when a distinguished name has been reused. This is a - different attribute type from both the "uid" and "uniqueIdentifier" - types. - - ( 2.5.4.45 NAME 'x500UniqueIdentifier' EQUALITY bitStringMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 ) - -5.47. dnQualifier - - The dnQualifier attribute type specifies disambiguating information - to add to the relative distinguished name of an entry. It is - intended for use when merging data from multiple sources in order to - prevent conflicts between entries which would otherwise have the same - name. It is recommended that the value of the dnQualifier attribute - be the same for all entries from a particular source. - - ( 2.5.4.46 NAME 'dnQualifier' EQUALITY caseIgnoreMatch - ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 ) - -5.48. enhancedSearchGuide - - This attribute is for use by X.500 clients in constructing search - filters. - - ( 2.5.4.47 NAME 'enhancedSearchGuide' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 ) - - - - - - - -Wahl Standards Track [Page 10] - -RFC 2256 LDAPv3 Schema December 1997 - - -5.49. protocolInformation - - This attribute is used in conjunction with the presentationAddress - attribute, to provide additional information to the OSI network - service. - - ( 2.5.4.48 NAME 'protocolInformation' - EQUALITY protocolInformationMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 ) - -5.50. distinguishedName - - This attribute type is not used as the name of the object itself, but - it is instead a base type from which attributes with DN syntax - inherit. - - It is unlikely that values of this type itself will occur in an - entry. LDAP server implementations which do not support attribute - subtyping need not recognize this attribute in requests. Client - implementations MUST NOT assume that LDAP servers are capable of - performing attribute subtyping. - - ( 2.5.4.49 NAME 'distinguishedName' EQUALITY distinguishedNameMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) - -5.51. uniqueMember - - ( 2.5.4.50 NAME 'uniqueMember' EQUALITY uniqueMemberMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 ) - -5.52. houseIdentifier - - This attribute is used to identify a building within a location. - - ( 2.5.4.51 NAME 'houseIdentifier' EQUALITY caseIgnoreMatch - SUBSTR caseIgnoreSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) - -5.53. supportedAlgorithms - - This attribute is to be stored and requested in the binary form, as - 'supportedAlgorithms;binary'. - - ( 2.5.4.52 NAME 'supportedAlgorithms' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 ) - - - - - - -Wahl Standards Track [Page 11] - -RFC 2256 LDAPv3 Schema December 1997 - - -5.54. deltaRevocationList - - This attribute is to be stored and requested in the binary form, as - 'deltaRevocationList;binary'. - - ( 2.5.4.53 NAME 'deltaRevocationList' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) - -5.55. dmdName - - The value of this attribute specifies a directory management domain - (DMD), the administrative authority which operates the directory - server. - - ( 2.5.4.54 NAME 'dmdName' SUP name ) - -6. Syntaxes - - Servers SHOULD recognize the syntaxes defined in this section. Each - syntax begins with a sample value of the ldapSyntaxes attribute which - defines the OBJECT IDENTIFIER of the syntax. The descriptions of - syntax names are not carried in protocol, and are not guaranteed to - be unique. - -6.1. Delivery Method - - ( 1.3.6.1.4.1.1466.115.121.1.14 DESC 'Delivery Method' ) - - Values in this syntax are encoded according to the following BNF: - - delivery-value = pdm / ( pdm whsp "$" whsp delivery-value ) - - pdm = "any" / "mhs" / "physical" / "telex" / "teletex" / - "g3fax" / "g4fax" / "ia5" / "videotex" / "telephone" - - Example: - - telephone - -6.2. Enhanced Guide - - ( 1.3.6.1.4.1.1466.115.121.1.21 DESC 'Enhanced Guide' ) - - Values in this syntax are encoded according to the following BNF: - - EnhancedGuide = woid whsp "#" whsp criteria whsp "#" whsp subset - - subset = "baseobject" / "oneLevel" / "wholeSubtree" - - - -Wahl Standards Track [Page 12] - -RFC 2256 LDAPv3 Schema December 1997 - - - The criteria production is defined in the Guide syntax below. This - syntax has been added subsequent to RFC 1778. - - Example: - - person#(sn)#oneLevel - -6.3. Guide - - ( 1.3.6.1.4.1.1466.115.121.1.25 DESC 'Guide' ) - - Values in this syntax are encoded according to the following BNF: - - guide-value = [ object-class "#" ] criteria - - object-class = woid - - criteria = criteria-item / criteria-set / ( "!" criteria ) - - criteria-set = ( [ "(" ] criteria "&" criteria-set [ ")" ] ) / - ( [ "(" ] criteria "|" criteria-set [ ")" ] ) - - criteria-item = [ "(" ] attributetype "$" match-type [ ")" ] - - match-type = "EQ" / "SUBSTR" / "GE" / "LE" / "APPROX" - - This syntax should not be used for defining new attributes. - -6.4. Octet String - - ( 1.3.6.1.4.1.1466.115.121.1.40 DESC 'Octet String' ) - - Values in this syntax are encoded as octet strings. - - - Example: - - secret - -6.5. Teletex Terminal Identifier - - ( 1.3.6.1.4.1.1466.115.121.1.51 DESC 'Teletex Terminal Identifier' ) - - Values in this syntax are encoded according to the following BNF: - - teletex-id = ttx-term 0*("$" ttx-param) - - ttx-term = printablestring - - - -Wahl Standards Track [Page 13] - -RFC 2256 LDAPv3 Schema December 1997 - - - ttx-param = ttx-key ":" ttx-value - - ttx-key = "graphic" / "control" / "misc" / "page" / "private" - - ttx-value = octetstring - - In the above, the first printablestring is the encoding of the first - portion of the teletex terminal identifier to be encoded, and the - subsequent 0 or more octetstrings are subsequent portions of the - teletex terminal identifier. - -6.6. Telex Number - - ( 1.3.6.1.4.1.1466.115.121.1.52 DESC 'Telex Number' ) - - Values in this syntax are encoded according to the following BNF: - - telex-number = actual-number "$" country "$" answerback - - actual-number = printablestring - - country = printablestring - - answerback = printablestring - - In the above, actual-number is the syntactic representation of the - number portion of the TELEX number being encoded, country is the - TELEX country code, and answerback is the answerback code of a TELEX - terminal. - -6.7. Supported Algorithm - - ( 1.3.6.1.4.1.1466.115.121.1.49 DESC 'Supported Algorithm' ) - - No printable representation of values of the supportedAlgorithms - attribute is defined in this document. Clients which wish to store - and retrieve this attribute MUST use "supportedAlgorithms;binary", in - which the value is transferred as a binary encoding. - -7. Object Classes - - LDAP servers MUST recognize the object classes "top" and "subschema". - LDAP servers SHOULD recognize all the other object classes listed - here as values of the objectClass attribute. - -7.1. top - - ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass ) - - - -Wahl Standards Track [Page 14] - -RFC 2256 LDAPv3 Schema December 1997 - - -7.2. alias - - ( 2.5.6.1 NAME 'alias' SUP top STRUCTURAL MUST aliasedObjectName ) - -7.3. country - - ( 2.5.6.2 NAME 'country' SUP top STRUCTURAL MUST c - MAY ( searchGuide $ description ) ) - -7.4. locality - - ( 2.5.6.3 NAME 'locality' SUP top STRUCTURAL - MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) ) - -7.5. organization - - ( 2.5.6.4 NAME 'organization' SUP top STRUCTURAL MUST o - MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ - x121Address $ registeredAddress $ destinationIndicator $ - preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ - telephoneNumber $ internationaliSDNNumber $ - facsimileTelephoneNumber $ - street $ postOfficeBox $ postalCode $ postalAddress $ - physicalDeliveryOfficeName $ st $ l $ description ) ) - -7.6. organizationalUnit - - ( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL MUST ou - MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ - x121Address $ registeredAddress $ destinationIndicator $ - preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ - telephoneNumber $ internationaliSDNNumber $ - facsimileTelephoneNumber $ - street $ postOfficeBox $ postalCode $ postalAddress $ - physicalDeliveryOfficeName $ st $ l $ description ) ) - -7.7. person - - ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) - MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) ) - -7.8. organizationalPerson - - ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL - MAY ( title $ x121Address $ registeredAddress $ - destinationIndicator $ - preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ - telephoneNumber $ internationaliSDNNumber $ - - - -Wahl Standards Track [Page 15] - -RFC 2256 LDAPv3 Schema December 1997 - - - facsimileTelephoneNumber $ - street $ postOfficeBox $ postalCode $ postalAddress $ - physicalDeliveryOfficeName $ ou $ st $ l ) ) - -7.9. organizationalRole - - ( 2.5.6.8 NAME 'organizationalRole' SUP top STRUCTURAL MUST cn - MAY ( x121Address $ registeredAddress $ destinationIndicator $ - preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ - telephoneNumber $ internationaliSDNNumber $ - facsimileTelephoneNumber $ - seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $ - postOfficeBox $ postalCode $ postalAddress $ - physicalDeliveryOfficeName $ ou $ st $ l $ description ) ) - -7.10. groupOfNames - - ( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( member $ cn ) - MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) - -7.11. residentialPerson - - ( 2.5.6.10 NAME 'residentialPerson' SUP person STRUCTURAL MUST l - MAY ( businessCategory $ x121Address $ registeredAddress $ - destinationIndicator $ preferredDeliveryMethod $ telexNumber $ - teletexTerminalIdentifier $ telephoneNumber $ - internationaliSDNNumber $ - facsimileTelephoneNumber $ preferredDeliveryMethod $ street $ - postOfficeBox $ postalCode $ postalAddress $ - physicalDeliveryOfficeName $ st $ l ) ) - -7.12. applicationProcess - - ( 2.5.6.11 NAME 'applicationProcess' SUP top STRUCTURAL MUST cn - MAY ( seeAlso $ ou $ l $ description ) ) - -7.13. applicationEntity - - ( 2.5.6.12 NAME 'applicationEntity' SUP top STRUCTURAL - MUST ( presentationAddress $ cn ) - MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $ - description ) ) - -7.14. dSA - - ( 2.5.6.13 NAME 'dSA' SUP applicationEntity STRUCTURAL - MAY knowledgeInformation ) - - - - -Wahl Standards Track [Page 16] - -RFC 2256 LDAPv3 Schema December 1997 - - -7.15. device - - ( 2.5.6.14 NAME 'device' SUP top STRUCTURAL MUST cn - MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) ) - -7.16. strongAuthenticationUser - - ( 2.5.6.15 NAME 'strongAuthenticationUser' SUP top AUXILIARY - MUST userCertificate ) - -7.17. certificationAuthority - - ( 2.5.6.16 NAME 'certificationAuthority' SUP top AUXILIARY - MUST ( authorityRevocationList $ certificateRevocationList $ - cACertificate ) MAY crossCertificatePair ) - -7.18. groupOfUniqueNames - - ( 2.5.6.17 NAME 'groupOfUniqueNames' SUP top STRUCTURAL - MUST ( uniqueMember $ cn ) - MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) - -7.19. userSecurityInformation - - ( 2.5.6.18 NAME 'userSecurityInformation' SUP top AUXILIARY - MAY ( supportedAlgorithms ) ) - -7.20. certificationAuthority-V2 - - ( 2.5.6.16.2 NAME 'certificationAuthority-V2' SUP - certificationAuthority - AUXILIARY MAY ( deltaRevocationList ) ) - -7.21. cRLDistributionPoint - - ( 2.5.6.19 NAME 'cRLDistributionPoint' SUP top STRUCTURAL - MUST ( cn ) MAY ( certificateRevocationList $ - authorityRevocationList $ - deltaRevocationList ) ) - -7.22. dmd - - ( 2.5.6.20 NAME 'dmd' SUP top STRUCTURAL MUST ( dmdName ) - MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ - x121Address $ registeredAddress $ destinationIndicator $ - preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ - telephoneNumber $ internationaliSDNNumber $ - facsimileTelephoneNumber $ - - - -Wahl Standards Track [Page 17] - -RFC 2256 LDAPv3 Schema December 1997 - - - street $ postOfficeBox $ postalCode $ postalAddress $ - physicalDeliveryOfficeName $ st $ l $ description ) ) - -8. Matching Rules - - Servers MAY implement additional matching rules. - -8.1. octetStringMatch - - Servers which implement the extensibleMatch filter SHOULD allow the - matching rule listed in this section to be used in the - extensibleMatch. In general these servers SHOULD allow matching - rules to be used with all attribute types known to the server, when - the assertion syntax of the matching rule is the same as the value - syntax of the attribute. - - ( 2.5.13.17 NAME 'octetStringMatch' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) - -9. Security Considerations - - Attributes of directory entries are used to provide descriptive - information about the real-world objects they represent, which can be - people, organizations or devices. Most countries have privacy laws - regarding the publication of information about people. - - Transfer of cleartext passwords are strongly discouraged where the - underlying transport service cannot guarantee confidentiality and may - result in disclosure of the password to unauthorized parties. - -10. Acknowledgements - - The definitions on which this document have been developed by - committees for telecommunications and international standards. No - new attribute definitions have been added. The syntax definitions - are based on the ISODE "QUIPU" implementation of X.500. - -11. Bibliography - - [1] Wahl, M., Coulbeck, A., Howes, T., and S. Kille, - "Lightweight X.500 Directory Access Protocol (v3): Attribute - Syntax Definitions", RFC 2252, December 1997. - - [2] The Directory: Models. ITU-T Recommendation X.501, 1996. - - [3] The Directory: Authentication Framework. ITU-T Recommendation - X.509, 1996. - - - - -Wahl Standards Track [Page 18] - -RFC 2256 LDAPv3 Schema December 1997 - - - [4] The Directory: Selected Attribute Types. ITU-T Recommendation - X.520, 1996. - - [5] The Directory: Selected Object Classes. ITU-T Recommendation - X.521, 1996. - - [6] Bradner, S., "Key words for use in RFCs to Indicate Requirement - Levels", RFC 2119, March 1997. - -12. Author's Address - - Mark Wahl - Critical Angle Inc. - 4815 West Braker Lane #502-385 - Austin, TX 78759 - USA - - Phone: +1 512 372 3160 - EMail: M.Wahl@critical-angle.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Wahl Standards Track [Page 19] - -RFC 2256 LDAPv3 Schema December 1997 - - -13. Full Copyright Statement - - Copyright (C) The Internet Society (1997). All Rights Reserved. - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph are - included on all such copies and derivative works. However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. - - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assigns. - - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - - - - - - - - - - - - - - - - - - - - - - - - -Wahl Standards Track [Page 20] - |