idnits 2.17.1

draft-ietf-asid-ldapv3-attributes-03.txt:
  ** The Abstract section seems to be numbered

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Cannot find the required boilerplate sections (Copyright, IPR, etc.) in
     this document.
     Expected boilerplate is as follows today (2024-04-25) according to
     https://trustee.ietf.org/license-info :

     IETF Trust Legal Provisions of 28-dec-2009, Section 6.a:

        This Internet-Draft is submitted in full conformance with the
        provisions of BCP 78 and BCP 79.

     IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 2:

        Copyright (c) 2024 IETF Trust and the persons identified as the
        document authors. All rights reserved.

     IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 3:

        This document is subject to BCP 78 and the IETF Trust's Legal
        Provisions Relating to IETF Documents
        (https://trustee.ietf.org/license-info) in effect on the date of
        publication of this document. Please review these documents
        carefully, as they describe your rights and restrictions with respect
        to this document. Code Components extracted from this document must
        include Simplified BSD License text as described in Section 4.e of
        the Trust Legal Provisions and are provided without warranty as
        described in the Simplified BSD License.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing expiration date. The document expiration date should appear on
     the first and last page.

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents.

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     current Internet-Drafts.

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     Shadow Directories.

  ** The document is more than 15 pages and seems to lack a Table of Contents.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section. (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** There are 205 instances of too long lines in the document, the longest
     one being 7 characters in excess of 72.

  ** The abstract seems to contain references ([2], [3], [4], [1]), which it
     shouldn't. Please replace those with straight textual mentions of the
     documents in question.

  == There are 146 instances of lines with non-RFC6890-compliant IPv4
     addresses in the document. If these are example addresses, they should
     be changed.

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords.

     RFC 2119 keyword, line 1155: '...NAME 'top' ABSTRACT MUST objectClass )...'

     RFC 2119 keyword, line 1157: '...P top STRUCTURAL MUST aliasedObjectNam...'

     RFC 2119 keyword, line 1159: '...ME 'country' SUP top STRUCTURAL MUST c...'

     RFC 2119 keyword, line 1160: '... MAY ( searchGuide $ description ...'

     RFC 2119 keyword, line 1163: '... MAY ( street $ seeAlso $ searchG...'

     (49 more instances...)

  == The 'Obsoletes: ' line in the draft header should list only the
     _numbers_ of the RFCs which will be obsoleted by this document (if
     approved); it should not include the word 'RFC' in the list.

  -- The draft header indicates that this document obsoletes RFC1778, but the
     abstract doesn't seem to mention this, which it should.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The "Author's Address" (or "Authors' Addresses") section title is
     misspelled.

  == Line 28 has weird spacing: '...listing conta...'

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to
     grant the BCP78 rights to the IETF Trust, then this is fine, and you can
     ignore this comment. If not, you may need to add the pre-RFC5378
     disclaimer. (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (October 22, 1996) is 10047 days in the past. Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '' and '' lines.

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Missing reference section? '1' on line 1966 looks like a reference

  -- Missing reference section? '2' on line 1970 looks like a reference

  -- Missing reference section? '3' on line 1973 looks like a reference

  -- Missing reference section? '4' on line 1975 looks like a reference

  -- Missing reference section? '11' on line 1998 looks like a reference

  -- Missing reference section? '12' on line 2000 looks like a reference

  -- Missing reference section? '5' on line 1978 looks like a reference

  -- Missing reference section? '6' on line 1981 looks like a reference

  -- Missing reference section? '8' on line 1988 looks like a reference

  -- Missing reference section? '7' on line 1984 looks like a reference

  -- Missing reference section? '0' on line 1729 looks like a reference

  -- Missing reference section? '10' on line 1994 looks like a reference

  -- Missing reference section? '9' on line 1991 looks like a reference

  -- Missing reference section? '13' on line 2003 looks like a reference

  -- Missing reference section? '14' on line 2006 looks like a reference

     Summary: 11 errors (**), 0 flaws (~~), 4 warnings (==), 19 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

  1  Network Working Group                                          M. Wahl
  2  INTERNET-DRAFT                                     Critical Angle Inc.
  3  Obsoletes: RFC 1778                                        A. Coulbeck
  4                                                        ISODE Consortium
  5                                                                T. Howes
  6                                           Netscape Communications Corp.
  7                                                                S. Kille
  8                                                        ISODE Consortium
  9  Intended Category: Standards Track                    October 22, 1996

 11                  Lightweight Directory Access Protocol:
 12                 Standard and Pilot Attribute Definitions
 13

 15  1. Status of this Memo

 17  This document is an Internet-Draft. Internet-Drafts are working
 18  documents of the Internet Engineering Task Force (IETF), its areas, and
 19  its working groups. Note that other groups may also distribute working
 20  documents as Internet-Drafts.

 22  Internet-Drafts are draft documents valid for a maximum of six months
 23  and may be updated, replaced, or obsoleted by other documents at any
 24  time. It is inappropriate to use Internet-Drafts as reference material
 25  or to cite them other than as "work in progress."

 27  To learn the current status of any Internet-Draft, please check the
 28  "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
 29  Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe),
 30  ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

 32  2. Abstract

 34  The Lightweight Directory Access Protocol (LDAP) [1] requires that the
 35  contents of AttributeValue fields in protocol elements be octet
 36  strings. This document defines the requirements that must be
 37  satisfied by encoding rules used to render directory attribute
 38  syntaxes into a form suitable for use in the LDAP, then goes on to
 39  define the encoding rules for the standard set of attribute syntaxes
 40  of [2],[3] and [4]. It also identifies all the attribute types, object
 41  classes and matching rules for LDAP version 3.

 43  3. Overview

 45  Section 4 states the general requirements and notations for attribute
 46  types, object classes, syntax and matching rule definitions.

 48  The core definitions are given in section 5, those which are based on
 49  X.500(1993) in section 6, and other optional definitions in section 7.

 51  4. General Issues

 53  4.1. Attribute Types

 55  The attribute types are described by sample values for the subschema
 56  "attributeTypes" attribute, which is written in the
 57  AttributeTypeDescription syntax. While lines have been folded for
 58  readability, the values transferred in protocol would not contain
 59  newlines.

 61  The AttributeTypeDescription is encoded according to the following BNF,
 62  and the productions for , and
 63  are given in sections 4.2.1.

 65      ::= "("
 66          -- AttributeType identifier
 67          [ "NAME" ] -- name used in AttributeType
 68          [ "DESC" ]
 69          [ "OBSOLETE" ]
 70          [ "SUP" ] -- derived from this other AttributeType
 71          [ "EQUALITY" ] -- Matching Rule name
 72          [ "ORDERING" ] -- Matching Rule name
 73          [ "SUBSTR" ] -- Matching Rule name
 74          [ "SYNTAX" ] -- see section 4.2
 75          [ "SINGLE-VALUE" ] -- default multi-valued
 76          [ "COLLECTIVE" ] -- default not collective
 77          [ "NO-USER-MODIFICATION" ] -- default user modifiable
 78          [ "USAGE" ] -- default user applications
 79          ")"

 81      ::=
 82          "userApplications"
 83          | "directoryOperation"
 84          | "distributedOperation" -- DSA-shared
 85          | "dSAOperation" -- DSA-specific, value depends on server

 87  Servers are not required to provide the same or any text
 88  in the description part of the subschema values they maintain.

 90  Servers must implement all the attribute types in section 5.1, and
 91  may also implement the types listed in sections 6.1 and 7.1. Servers must
 92  be able to perform equality matching of values, but need not perform
 93  any additional validity checks on attribute values.

 95  Servers may recognize additional names and attributes not listed in this
 96  document. Later documents may define additional types.

 98  Servers may implement additional attribute types not listed in this
 99  document, and if they do so, must publish the definitions of the types
100  in the attributeTypes attribute of their subschema subentries.

102  AttributeDescriptions may be used as the value in a NAME part of an
103  AttributeTypeDescription. Note that these are case insensitive.

105  4.2. Syntaxes

107  This section defines general requirements for LDAP attribute value
108  syntax encodings. All documents defining attribute syntax encodings for
109  use with LDAP are expected to conform to these requirements.

111  The encoding rules defined for a given attribute syntax must produce
112  octet strings. To the greatest extent possible, encoded octet
113  strings should be usable in their native encoded form for display
114  purposes. In particular, encoding rules for attribute syntaxes
115  defining non-binary values should produce strings that can be
116  displayed with little or no translation by clients implementing
117  LDAP. There are a few cases (e.g. Audio) however, when it is not sensible
118  to produce a printable representation, and clients must not assume that
119  an unrecognized syntax is a string representation.

121  4.2.1. Common Encoding Aspects

123  In these encodings where an arbitrary string is used as part of a larger
124  production (other than a Distinguished Name), a backslash quoting mechanism
125  is used to encode the following separator symbol character (such as ''',
126  '$' or '#') if it should occur in that string. The backslash is followed
127  by a pair of hexadecimal digits representing the next character. A
128  backslash itself in the string which forms part of a larger syntax is
129  always transmitted as '\5C' or '\5c'.

131  For the purposes of defining the encoding rules for attribute syntaxes,
132  the following auxiliary BNF definitions will be used:

134      ::= 'a' | 'b' | 'c' | 'd' | 'e' | 'f' | 'g' | 'h' | 'i' |
135          'j' | 'k' | 'l' | 'm' | 'n' | 'o' | 'p' | 'q' | 'r' |
136          's' | 't' | 'u' | 'v' | 'w' | 'x' | 'y' | 'z' | 'A' |
137          'B' | 'C' | 'D' | 'E' | 'F' | 'G' | 'H' | 'I' | 'J' |
138          'K' | 'L' | 'M' | 'N' | 'O' | 'P' | 'Q' | 'R' | 'S' |
139          'T' | 'U' | 'V' | 'W' | 'X' | 'Y' | 'Z'

141      ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9'

143      ::= | 'a' | 'b' | 'c' | 'd' | 'e' | 'f' |
144          'A' | 'B' | 'C' | 'D' | 'E' | 'F'

146      ::= | | '-'

148      ::= | | ''' | '(' | ')' | '+' | ',' | '-' | '.' |
149          '/' | ':' | '?' | ' '

151      ::= |

153      ::= |

155      ::= |

157      ::= |
158      ::= |

160      ::= ' ' | ' '

162      ::= | empty

164      ::= any sequence of octets formed from the UTF-8 [11]
165          transformation of a character from ISO 10646 [12]

167      ::= |

169      ::= | '(' ')'

171      ::= | ""

173      ::= ''' '''

175      ::= | '(' ')'

177      ::= '$' |

179      -- is defined in 5.2.1.15

181  4.2.2. Binary Transfer of Values

183  This encoding format is used if the binary encoding is requested by the
184  client for an attribute, or if the attribute syntax name is 'Binary'. The
185  value, an instance of the ASN.1 AttributeValue type, is BER-encoded,
186  subject to the restrictions of section 5.1 of [1], and this sequence of
187  octets is used as the value.

189  All servers must implement this form for both generating Search responses
190  and parsing Add, Compare and Modify requests. Clients must be prepared
191  to receive values in binary (e.g. userCertificate or audio), and must not
192  simply display binary or unrecognized values to users.

194  4.2.3. Syntax Names

196  Names of syntaxes for use with LDAP are ASCII strings which
197  begin with a letter and contain only letters or digits. The names are
198  case insensitive. Historically since syntaxes correspond to ASN.1 types,
199  they have been named starting with a capital letter. A suggested upper
200  bound on the number of characters in value with a DirectoryString or
201  IA5String syntax or the number of bytes in a value for all other syntaxes
202  may be indicated by appending this bound count inside of curly braces, e.g.
203  "DirectoryString{64}". Note that a single character of the DirectoryString
204  may be encoded in more than one byte since UTF-8 is a variable-length
205  encoding.

207  Syntax names do not have global scope: two clients or servers may
208  know of different syntaxes with the same name.
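
The backslash quoting of section 4.2.1, the `{bound}` suffix of section 4.2.3 and the AttributeTypeDescription layout of section 4.1 all meet when a client reads a server's subschema. The following Python parser is an added example, not part of the draft: it rejects malformed values instead of guessing, and its function names, the ASCII-only escape restriction and the text-syntax allow-list are assumptions of this example.

```python
import re

# Keywords of the section 4.1 BNF. It spells the substring rule "SUBSTR", the
# sample values write "SUBSTRINGS"; this example accepts both.
ARG_KEYWORDS = {"NAME", "DESC", "SUP", "EQUALITY", "ORDERING", "SUBSTR",
                "SUBSTRINGS", "SYNTAX", "USAGE"}
FLAG_KEYWORDS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}
USAGES = {"userApplications", "directoryOperation", "distributedOperation",
          "dSAOperation"}
# Assumed allow-list of text syntaxes; everything else is treated as opaque,
# because an unrecognized syntax must not be assumed to be a string.
TEXT_SYNTAXES = {"directorystring", "ia5string", "printablestring",
                 "numericstring"}

OID_RE = re.compile(r"\d+(?:\.\d+)+\Z")
SYNTAX_RE = re.compile(r"([A-Za-z][A-Za-z0-9]*)(?:\{(\d+)\})?\Z")
TOKEN_RE = re.compile(r"\s*(?:(\()|(\))|'([^']*)'|([^\s()']+))")
KINDS = {1: "(", 2: ")", 3: "quoted", 4: "word"}

# Sample values: SERIAL and PHOTO are section 5.1 values with the line folding
# removed; ADMIN has its DESC shortened for this example.
ADMIN = (r"( 1.3.6.1.4.1.1466.101.120.1 NAME 'administratorsAddress' "
         r"DESC 'This attribute\27s values are mailto URLs' "
         r"SYNTAX 'IA5String' USAGE dSAOperation )")
SERIAL = ("( 2.5.4.5 NAME 'serialNumber' EQUALITY caseIgnoreMatch "
          "SUBSTRINGS caseIgnoreSubstringsMatch "
          "SYNTAX 'PrintableString{64}' )")
PHOTO = "( 0.9.2342.19200300.100.1.7 NAME 'photo' SYNTAX 'Fax{250000}' )"


def unquote(text):
    """Undo section 4.2.1 quoting (backslash + two hex digits, ASCII only here)."""
    if re.search(r"\\(?![0-7][0-9A-Fa-f])", text):
        raise ValueError("malformed or non-ASCII escape")
    return re.sub(r"\\([0-7][0-9A-Fa-f])",
                  lambda m: chr(int(m.group(1), 16)), text)


def tokenize(value):
    """Split a description into (kind, text) tokens; folded whitespace is fine."""
    value, pos, tokens = value.strip(), 0, []
    while pos < len(value):
        m = TOKEN_RE.match(value, pos)
        if m is None:  # only an opening quote with no closing quote gets here
            raise ValueError("unterminated quote at offset %d" % pos)
        tokens.append((KINDS[m.lastindex], m.group(m.lastindex)))
        pos = m.end()
    return tokens


def parse_attribute_type(value):
    """Strictly parse one AttributeTypeDescription value into a dict."""
    toks = tokenize(value)
    if len(toks) < 3 or toks[0][0] != "(" or toks[-1][0] != ")":
        raise ValueError("value must be enclosed in parentheses")
    if toks[1][0] != "word" or not OID_RE.match(toks[1][1]):
        raise ValueError("missing numeric OID")
    attr = {"oid": toks[1][1], "usage": "userApplications", "obsolete": False,
            "single_value": False, "collective": False,
            "no_user_modification": False}
    body, seen, i = toks[2:-1], set(), 0
    while i < len(body):
        kind, word = body[i]
        key = "substr" if word == "SUBSTRINGS" else word.lower().replace("-", "_")
        if kind != "word" or key in seen:
            raise ValueError("unexpected or repeated token %r" % word)
        seen.add(key)
        if word in FLAG_KEYWORDS:
            attr[key] = True
            i += 1
            continue
        if (word not in ARG_KEYWORDS or i + 1 >= len(body)
                or body[i + 1][0] not in ("quoted", "word")):
            raise ValueError("unknown keyword or bad argument: %r" % word)
        arg = unquote(body[i + 1][1])
        if key == "syntax":
            m = SYNTAX_RE.match(arg)
            if m is None:
                raise ValueError("bad syntax name %r" % arg)
            attr["syntax"] = m.group(1)
            attr["bound"] = int(m.group(2)) if m.group(2) else None
        elif key == "usage" and arg not in USAGES:
            raise ValueError("unknown usage %r" % arg)
        else:
            attr[key] = arg
        i += 2
    return attr


def safe_to_display(attr):
    """True only when the declared syntax is on the text allow-list."""
    return (attr.get("syntax") or "").lower() in TEXT_SYNTAXES


if __name__ == "__main__":
    for sample in (ADMIN, SERIAL, PHOTO):
        attr = parse_attribute_type(sample)
        print(attr["name"], attr["syntax"], attr["bound"], safe_to_display(attr))
```

An attribute that only names a `SUP` type carries no `SYNTAX` of its own, so `safe_to_display` returns False for it until the caller resolves the supertype.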

210  The definition of additional arbitrary syntaxes is strongly deprecated
211  since it will hinder interoperability: today's client and server
212  implementations generally do not have the ability to dynamically recognize
213  new syntaxes. In most cases attributes will be defined with the
214  DirectoryString syntax.

216  The following syntax names are used for attributes in this document.
217  Servers are only required to implement the syntaxes in section 5.2.

219      AccessPoint                     ACIItem
220      AttributeTypeDescription        Audio
221      Binary                          BitString
222      Certificate                     CertificateList
223      CertificatePair                 DataQualitySyntax
224      DeliveryMethod                  DirectoryString
225      DITContentRuleDescription       DN
226      DSAQualitySyntax                DSEType
227      EnhancedGuide                   FacsimileTelephoneNumber
228      Fax                             GeneralizedTime
229      Guide                           IA5String
230      INTEGER                         JPEG
231      MailPreference                  MasterAndShadowAccessPoints
232      MatchingRuleDescription         MatchingRuleUseDescription
233      ModifyRight                     NameAndOptionalUID
234      NameFormDescription             NumericString
235      ObjectClassDescription          OID
236      OtherMailbox                    Password
237      PostalAddress                   PresentationAddress
238      PrintableString                 ProtocolInformation
239      SubtreeSpecification            SupplierAndConsumers
240      SupplierInformation             SupplierOrConsumer
241      TelephoneNumber                 TeletexTerminalIdentifier
242      TelexNumber                     UTCTime

244  4.3. Object Classes

246  These are described as sample values for the subschema "objectClasses"
247  attribute for a server which implements the LDAP schema.
248  While lines have been folded for readability, the values transferred in
249  protocol would not contain newlines.

251  Object class descriptions are written according to the following BNF:

253      ::= "("
254          -- ObjectClass identifier
255          [ "NAME" ]
256          [ "DESC" ]
257          [ "OBSOLETE" ]
258          [ "SUP" ] -- Superior ObjectClasses
259          [ ( "ABSTRACT" | "STRUCTURAL" | "AUXILIARY" ) ] -- default structural
260          [ "MUST" ] -- AttributeTypes
261          [ "MAY" ] -- AttributeTypes
262          ")"

264  Servers must implement all the object classes in section 5.3:
265      account                     alias
266      applicationEntity           applicationProcess
267      certificationAuthority      country
268      dNSDomain                   dSA
269      device                      document
270      documentSeries              domain
271      domainRelatedObject         friendlyCountry
272      groupOfNames                groupOfUniqueNames
273      locality                    newPilotPerson
274      organization                organizationalPerson
275      organizationalRole          organizationalUnit
276      person                      pilotDSA
277      pilotObject                 pilotOrganization
278      qualityLabelledData         rFC822localPart
279      residentialPerson           room
280      simpleSecurityObject        strongAuthenticationUser
281      top

283  and may also implement the object classes of 6.3 and 7.3.

285  Servers may implement additional object classes not listed in this
286  document, and if they do so, must publish the definitions of the classes
287  in the objectClasses attribute of their subschema subentries. Later
288  documents may define additional object classes.

290  4.4. Matching Rules

292  Matching rules are used by servers to compare attribute values against
293  assertion values when performing Search and Compare operations.

295  Most of the attributes given in this document will have an equality
296  matching rule defined.

298  Matching rule descriptions are written according to the following BNF:

300      ::= "("
301          -- MatchingRule identifier
302          [ "NAME" ]
303          [ "DESC" ]
304          [ "OBSOLETE" ]
305          "SYNTAX"
306          ")"

308  Servers must implement all the matching rules in section 5.4:
309      bitStringMatch              caseExactIA5Match
310      caseIgnoreIA5Match          caseIgnoreListMatch
311      caseIgnoreMatch             distinguishedNameMatch
312      generalizedTimeMatch        integerMatch
313      numericStringMatch          objectIdentifierMatch
314      octetStringMatch            telephoneNumberMatch

316  and may also implement the matching rules of 6.4 and 7.4.

318  Servers may implement additional matching rules not listed in this
319  document, and if they do so, must publish the definitions of the
320  matching rules in the matchingRules attribute of their
321  subschema subentries.

323  5. Mandatory Definitions

325  Section 5 contains definitions which must be implemented by all servers.

327  5.1. Attribute Types

329  Servers must recognize all the attributes of this section (5.1.1 - 5.1.5).

331  5.1.1. Standard User Attributes

333  The attributes listed in this section are those defined in X.520(1993),
334  likely to be present in user entries. Servers must recognize all the
335  attributes of this section. The semantics of attributes 2.5.4.0 through
336  2.5.4.40 are summarized in RFC 1274.

338      ( 2.5.4.0 NAME 'objectClass' EQUALITY objectIdentifierMatch SYNTAX 'OID' )

340      ( 2.5.4.1 NAME 'aliasedObjectName' EQUALITY distinguishedNameMatch
341        SYNTAX 'DN' SINGLE-VALUE )

343      ( 2.5.4.2 NAME 'knowledgeInformation' EQUALITY caseIgnoreMatch
344        SYNTAX 'DirectoryString{32768}' )

346      ( 2.5.4.3 NAME 'cn' SUP name )

348      ( 2.5.4.4 NAME 'sn' SUP name )

350      ( 2.5.4.5 NAME 'serialNumber' EQUALITY caseIgnoreMatch
351        SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'PrintableString{64}' )

353      ( 2.5.4.6 NAME 'c' SUP name SINGLE-VALUE )

355      ( 2.5.4.7 NAME 'l' SUP name )

357      ( 2.5.4.8 NAME 'st' SUP name )

359      ( 2.5.4.9 NAME 'street' EQUALITY caseIgnoreMatch
360        SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{128}' )

362      ( 2.5.4.10 NAME 'o' SUP name )

364      ( 2.5.4.11 NAME 'ou' SUP name )

366      ( 2.5.4.12 NAME 'title' SUP name )

368      ( 2.5.4.13 NAME 'description' EQUALITY caseIgnoreMatch
369        SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{1024}' )

371      ( 2.5.4.14 NAME 'searchGuide' SYNTAX 'Guide' )

373      ( 2.5.4.15 NAME 'businessCategory' EQUALITY caseIgnoreMatch
374        SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{128}' )

376      ( 2.5.4.16 NAME 'postalAddress' EQUALITY caseIgnoreListMatch
377        SUBSTRINGS caseIgnoreListSubstringsMatch SYNTAX 'PostalAddress' )

379      ( 2.5.4.17 NAME 'postalCode' EQUALITY caseIgnoreMatch
380        SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{40}' )

382      ( 2.5.4.18 NAME 'postOfficeBox' EQUALITY caseIgnoreMatch
383        SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{40}' )

385      ( 2.5.4.19 NAME 'physicalDeliveryOfficeName' EQUALITY caseIgnoreMatch
386        SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{128}' )

388      ( 2.5.4.20 NAME 'telephoneNumber' EQUALITY telephoneNumberMatch
389        SUBSTRINGS telephoneNumberSubstringsMatch SYNTAX 'TelephoneNumber{32}' )

391      ( 2.5.4.21 NAME 'telexNumber' SYNTAX 'TelexNumber' )

393      ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
394        SYNTAX 'TeletexTerminalIdentifier' )

396      ( 2.5.4.23 NAME 'facsimileTelephoneNumber'
397        SYNTAX 'FacsimileTelephoneNumber' )

399      ( 2.5.4.24 NAME 'x121Address' EQUALITY numericStringMatch
400        SUBSTRINGS numericStringSubstringsMatch SYNTAX 'NumericString{15}' )

402      ( 2.5.4.25 NAME 'internationaliSDNNumber' EQUALITY numericStringMatch
403        SUBSTRINGS numericStringSubstringsMatch SYNTAX 'NumericString{16}' )

405      ( 2.5.4.26 NAME 'registeredAddress' SUP postalAddress
406        SYNTAX 'PostalAddress' )

408      ( 2.5.4.27 NAME 'destinationIndicator' EQUALITY caseIgnoreMatch
409        SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'PrintableString{128}' )

411      ( 2.5.4.28 NAME 'preferredDeliveryMethod' SYNTAX 'DeliveryMethod'
412        SINGLE-VALUE )

414      ( 2.5.4.29 NAME 'presentationAddress' EQUALITY presentationAddressMatch
415        SYNTAX 'PresentationAddress' SINGLE-VALUE )

417      ( 2.5.4.30 NAME 'supportedApplicationContext'
418        EQUALITY objectIdentifierMatch SYNTAX 'OID' )

420      ( 2.5.4.31 NAME 'member' SUP distinguishedName )

422      ( 2.5.4.32 NAME 'owner' SUP distinguishedName )
423      ( 2.5.4.33 NAME 'roleOccupant' SUP distinguishedName )

425      ( 2.5.4.34 NAME 'seeAlso' SUP distinguishedName )

427      ( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch
428        SYNTAX 'Password{128}' )

430      ( 2.5.4.36 NAME 'userCertificate' SYNTAX 'Certificate' )

432      ( 2.5.4.37 NAME 'cACertificate' SYNTAX 'Certificate' )

434      ( 2.5.4.38 NAME 'authorityRevocationList' SYNTAX 'CertificateList' )

436      ( 2.5.4.39 NAME 'certificateRevocationList' SYNTAX 'CertificateList' )

438      ( 2.5.4.40 NAME 'crossCertificatePair' SYNTAX 'CertificatePair' )

440      ( 2.5.4.41 NAME 'name'
441        DESC 'The name attribute type is the attribute supertype from which
442        string attribute types typically used for naming may be formed.'
443        EQUALITY caseIgnoreMatch
444        SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{32768}' )

446      ( 2.5.4.42 NAME 'givenName' SUP name )

448      ( 2.5.4.43 NAME 'initials'
449        DESC 'The initials attribute type contains the initials of some or all
450        of an individuals names, but not the surname(s).'
451        SUP name )

453      ( 2.5.4.44 NAME 'generationQualifier'
454        DESC 'e.g. Jr or II.'
455        SUP name )

457      ( 2.5.4.45 NAME 'x500UniqueIdentifier'
458        DESC 'used to distinguish between objects when a distinguished name has
459        been reused.'
460        EQUALITY bitStringMatch SYNTAX 'BitString' )

462      ( 2.5.4.46 NAME 'dnQualifier'
463        DESC 'The dnQualifier attribute type specifies disambiguating
464        information to add to the relative distinguished name of an
465        entry. It is intended to be used for entries held in multiple
466        DSAs which would otherwise have the same name, and that its
467        value be the same in a given DSA for all entries to which this
468        information has been added.'
469        EQUALITY caseIgnoreMatch
470        ORDERING caseIgnoreOrderingMatch SUBSTRINGS caseIgnoreSubstringsMatch
471        SYNTAX 'PrintableString' )

473      ( 2.5.4.47 NAME 'enhancedSearchGuide' SYNTAX 'EnhancedGuide' )
474      ( 2.5.4.48 NAME 'protocolInformation' EQUALITY protocolInformationMatch
475        SYNTAX 'ProtocolInformation' )

477      ( 2.5.4.49 NAME 'distinguishedName'
478        DESC 'This is not the name of the object itself, but a base type
479        from which attributes with DN syntax inherit.'
480        EQUALITY distinguishedNameMatch
481        SYNTAX 'DN' )

483      ( 2.5.4.50 NAME 'uniqueMember' EQUALITY uniqueMemberMatch
484        SYNTAX 'NameAndOptionalUID' )

486      ( 2.5.4.51 NAME 'houseIdentifier' EQUALITY caseIgnoreMatch
487        SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{32768}' )

489  5.1.2. Pilot User Attributes

491  These attributes are defined in RFC 1274. Servers must recognize all the
492  attributes of this section.

494      ( 0.9.2342.19200300.100.1.1 NAME 'uid' EQUALITY caseIgnoreMatch
495        SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{256}' )

497      ( 0.9.2342.19200300.100.1.2 NAME 'textEncodedORaddress'
498        EQUALITY caseIgnoreMatch SUBSTRINGS caseIgnoreSubstringsMatch
499        SYNTAX 'DirectoryString{256}' )

501      ( 0.9.2342.19200300.100.1.3 NAME 'mail' EQUALITY caseIgnoreIA5Match
502        SUBSTRINGS caseIgnoreIA5SubstringsMatch SYNTAX 'IA5String{256}' )

504      ( 0.9.2342.19200300.100.1.4 NAME 'info' EQUALITY caseIgnoreMatch
505        SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{2048}' )

507      ( 0.9.2342.19200300.100.1.5 NAME 'drink' EQUALITY caseIgnoreMatch
508        SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{256}' )

510      ( 0.9.2342.19200300.100.1.6 NAME 'roomNumber' EQUALITY caseIgnoreMatch
511        SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{256}' )

513      ( 0.9.2342.19200300.100.1.7 NAME 'photo' SYNTAX 'Fax{250000}' )

515      ( 0.9.2342.19200300.100.1.8 NAME 'userClass' EQUALITY caseIgnoreMatch
516        SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{256}' )

518      ( 0.9.2342.19200300.100.1.9 NAME 'host' EQUALITY caseIgnoreMatch
519        SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{256}' )

521      ( 0.9.2342.19200300.100.1.10 NAME 'manager'
522        EQUALITY distinguishedNameMatch SYNTAX 'DN' )

524      ( 0.9.2342.19200300.100.1.11 NAME 'documentIdentifier'
525        EQUALITY caseIgnoreMatch SUBSTRINGS caseIgnoreSubstringsMatch
526        SYNTAX 'DirectoryString{256}' )

528      ( 0.9.2342.19200300.100.1.12 NAME 'documentTitle' EQUALITY caseIgnoreMatch
529        SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{256}' )

531      ( 0.9.2342.19200300.100.1.13 NAME 'documentVersion'
532        EQUALITY caseIgnoreMatch SUBSTRINGS caseIgnoreSubstringsMatch
533        SYNTAX 'DirectoryString{256}' )

535      ( 0.9.2342.19200300.100.1.14 NAME 'documentAuthor'
536        EQUALITY distinguishedNameMatch SYNTAX 'DN' )

538      ( 0.9.2342.19200300.100.1.15 NAME 'documentLocation'
539        EQUALITY caseIgnoreMatch SUBSTRINGS caseIgnoreSubstringsMatch
540        SYNTAX 'DirectoryString{256}' )

542      ( 0.9.2342.19200300.100.1.20 NAME 'homePhone' EQUALITY telephoneNumberMatch
543        SUBSTRINGS telephoneNumberSubstringsMatch SYNTAX 'TelephoneNumber{32}' )

545      ( 0.9.2342.19200300.100.1.21 NAME 'secretary'
546        EQUALITY distinguishedNameMatch SYNTAX 'DN' )

548      ( 0.9.2342.19200300.100.1.22 NAME 'otherMailbox' SYNTAX 'OtherMailbox' )

550      ( 0.9.2342.19200300.100.1.25 NAME 'dc' EQUALITY caseIgnoreIA5Match
551        SUBSTRINGS caseIgnoreIA5SubstringsMatch SYNTAX 'IA5String' )

553      ( 0.9.2342.19200300.100.1.26 NAME 'dNSRecord'
554        EQUALITY caseExactIA5Match SYNTAX 'IA5String' )

556      ( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain'
557        EQUALITY caseIgnoreIA5Match SUBSTRINGS caseIgnoreIA5SubstringsMatch
558        SYNTAX 'IA5String' )

560      ( 0.9.2342.19200300.100.1.38 NAME 'associatedName'
561        EQUALITY distinguishedNameMatch SYNTAX 'DN' )

563      ( 0.9.2342.19200300.100.1.39 NAME 'homePostalAddress'
564        EQUALITY caseIgnoreListMatch
565        SUBSTRINGS caseIgnoreListSubstringsMatch SYNTAX 'PostalAddress' )

567      ( 0.9.2342.19200300.100.1.40 NAME 'personalTitle'
568        EQUALITY caseIgnoreMatch SUBSTRINGS caseIgnoreSubstringsMatch
569        SYNTAX 'DirectoryString' )

571      ( 0.9.2342.19200300.100.1.41 NAME 'mobile' EQUALITY telephoneNumberMatch
572        SUBSTRINGS telephoneNumberSubstringsMatch SYNTAX 'TelephoneNumber{32}' )

574      ( 0.9.2342.19200300.100.1.42 NAME 'pager' EQUALITY telephoneNumberMatch
575        SUBSTRINGS telephoneNumberSubstringsMatch SYNTAX 'TelephoneNumber{32}' )

577      ( 0.9.2342.19200300.100.1.43 NAME 'co' EQUALITY caseIgnoreMatch
578        SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString' )

580      ( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier'
581        EQUALITY caseIgnoreMatch SUBSTRINGS caseIgnoreSubstringsMatch
582        SYNTAX 'DirectoryString' )

584      ( 0.9.2342.19200300.100.1.45 NAME 'organizationalStatus'
585        EQUALITY caseIgnoreMatch SUBSTRINGS caseIgnoreSubstringsMatch
586        SYNTAX 'DirectoryString{256}' )

588      ( 0.9.2342.19200300.100.1.46 NAME 'janetMailbox'
589        EQUALITY caseIgnoreIA5Match SUBSTRINGS caseIgnoreIA5SubstringsMatch
590        SYNTAX 'IA5String{256}' )

592      ( 0.9.2342.19200300.100.1.47 NAME 'mailPreferenceOption'
593        SYNTAX 'INTEGER' SINGLE-VALUE )

595      ( 0.9.2342.19200300.100.1.48 NAME 'buildingName'
596        EQUALITY caseIgnoreMatch SUBSTRINGS caseIgnoreSubstringsMatch
597        SYNTAX 'DirectoryString{256}' )

599      ( 0.9.2342.19200300.100.1.49 NAME 'dSAQuality'
600        SYNTAX 'DSAQualitySyntax' SINGLE-VALUE )

602      ( 0.9.2342.19200300.100.1.50 NAME 'singleLevelQuality'
603        SYNTAX 'DataQualitySyntax' SINGLE-VALUE )

605      ( 0.9.2342.19200300.100.1.51 NAME 'subtreeMinimumQuality'
606        SYNTAX 'DataQualitySyntax' SINGLE-VALUE )

608      ( 0.9.2342.19200300.100.1.52 NAME 'subtreeMaximumQuality'
609        SYNTAX 'DataQualitySyntax' SINGLE-VALUE )

611      ( 0.9.2342.19200300.100.1.53 NAME 'personalSignature'
612        SYNTAX 'Fax{50000}' )

614      ( 0.9.2342.19200300.100.1.54 NAME 'dITRedirect'
615        EQUALITY distinguishedNameMatch SYNTAX 'DN' )

617      ( 0.9.2342.19200300.100.1.55 NAME 'audio' SYNTAX 'Audio{250000}' )

619      ( 0.9.2342.19200300.100.1.56 NAME 'documentPublisher'
620        EQUALITY caseIgnoreMatch SUBSTRINGS caseIgnoreSubstringsMatch
621        SYNTAX 'DirectoryString' )

623      ( 0.9.2342.19200300.100.1.60 NAME 'jpegPhoto' SYNTAX 'JPEG' )

625  5.1.3. Standard Operational Attributes

627  All servers must recognize the attribute types defined in this
628  section.
630 ( 2.5.18.1 NAME 'createTimestamp' EQUALITY generalizedTimeMatch
631 ORDERING generalizedTimeOrderingMatch SYNTAX 'GeneralizedTime'
632 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )

634 ( 2.5.18.2 NAME 'modifyTimestamp' EQUALITY generalizedTimeMatch
635 ORDERING generalizedTimeOrderingMatch SYNTAX 'GeneralizedTime'
636 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )

638 ( 2.5.18.3 NAME 'creatorsName' EQUALITY distinguishedNameMatch SYNTAX 'DN'
639 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )

641 ( 2.5.18.4 NAME 'modifiersName' EQUALITY distinguishedNameMatch SYNTAX 'DN'
642 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )

644 ( 2.5.18.10 NAME 'subschemaSubentry'
645 DESC 'The value of this attribute is the name of a subschema subentry,
646 an entry in which the server makes available attributes specifying
647 the schema.'
648 EQUALITY distinguishedNameMatch SYNTAX 'DN' NO-USER-MODIFICATION
649 SINGLE-VALUE USAGE directoryOperation )

651 ( 2.5.21.5 NAME 'attributeTypes'
652 EQUALITY objectIdentifierFirstComponentMatch
653 SYNTAX 'AttributeTypeDescription' USAGE directoryOperation )

655 ( 2.5.21.6 NAME 'objectClasses'
656 EQUALITY objectIdentifierFirstComponentMatch
657 SYNTAX 'ObjectClassDescription' USAGE directoryOperation )

659 5.1.4. LDAP Operational Attributes

661 All servers must recognize the attribute types defined in this section.
662 (Of course, it is not required that the server provide values for these
663 attributes, when the attribute corresponds to a feature which the server
664 does not implement.)

666 ( 1.3.6.1.4.1.1466.101.120.1 NAME 'administratorsAddress'
667 DESC 'This attribute\27s values are string containing the addresses of
668 the LDAP server\27s human administrator. This information may
669 be of use when tracking down problems in an Internet distributed
670 directory. For simplicity the syntax of the values are limited to
671 being URLs of the mailto form with an RFC 822 address:
672 "mailto:user@domain". Future versions of this protocol may permit
673 other forms of addresses.'
674 SYNTAX 'IA5String' USAGE dSAOperation )

676 ( 1.3.6.1.4.1.1466.101.120.2 NAME 'currentTime'
677 DESC 'This attribute has a single value, a string containing a
678 GeneralizedTime character string. This attribute need only
679 be present if the server supports LDAP strong or protected
680 simple authentication. Otherwise if the server does not know
681 the current time, or does not choose to present it to clients,
682 this attribute need not be present. The client may wish to
683 use this value to detect whether a strong or protected bind
684 is failing because the client and server clocks are not
685 sufficiently synchronized. Clients must not use this time
686 field for setting their own system clock.'
687 SYNTAX 'GeneralizedTime' SINGLE-VALUE USAGE dSAOperation )

689 ( 1.3.6.1.4.1.1466.101.120.3 NAME 'serverName'
690 DESC 'This attribute\27s value is the server\27s Distinguished Name.
691 If the server does not have a Distinguished Name it will not
692 be able to accept X.509-style strong authentication, and this
693 attribute must be absent. However the presence of this
694 attribute does not guarantee that the server will be able to
695 perform strong authentication. If the server acts as a
696 gateway to more than one X.500 DSA capable of strong
697 authentication, there may be multiple values of this
698 attribute, one per DSA. (Note: this attribute is distinct
699 from myAccessPoint, for it is not required that a server
700 have a presentation address in order to perform strong
701 authentication.) (Note: it is likely that clients will
702 retrieve this attribute in binary.)'
703 SYNTAX 'DN' USAGE dSAOperation )

705 ( 1.3.6.1.4.1.1466.101.120.4 NAME 'certificationPath'
706 DESC 'This attribute contains a binary DER encoding of an
707 AF.CertificatePath data type, which is the certificate
708 path for a server. If the server does not have a certificate
709 path this attribute must be absent. (Note: this attribute
710 may only be retrieved in binary.)'
711 SYNTAX 'CertificatePath' USAGE dSAOperation )

713 ( 1.3.6.1.4.1.1466.101.120.5 NAME 'namingContexts'
714 DESC 'The values of this attribute correspond to naming contexts
715 which this server masters or shadows. If the server does
716 not master any information (e.g. it is an LDAP gateway to a
717 public X.500 directory) this attribute must be absent. If
718 the server believes it contains the entire directory, the
719 attribute must have a single value, and that value must
720 be the empty string (indicating the null DN of the root).
721 This attribute will allow clients to choose suitable base
722 objects for searching when it has contacted a server.'
723 SYNTAX 'DN' USAGE dSAOperation )

725 ( 1.3.6.1.4.1.1466.101.120.6 NAME 'altServer'
726 DESC 'The values of this attribute are URLs of other servers which
727 may be contacted when this server becomes unavailable. If
728 the server does not know of any other servers which could be
729 used this attribute must be absent. Clients may cache this
730 information in case their preferred LDAP server later becomes
731 unavailable.'
732 SYNTAX 'IA5String' USAGE dSAOperation )

734 ( 1.3.6.1.4.1.1466.101.120.7 NAME 'supportedExtension'
735 DESC 'The values of this attribute are OBJECT IDENTIFIERs,
736 the names of supported extended operations
737 which the server supports. If the server does not support
738 any extensions this attribute must be absent.'
739 SYNTAX 'OID' USAGE dSAOperation )

741 ( 1.3.6.1.4.1.1466.101.120.13 NAME 'supportedControl'
742 DESC 'The values of this attribute are the names of supported session
743 controls which the server supports. If the server does not
744 support any controls this attribute must be absent.'
745 SYNTAX 'LDAPString' USAGE dSAOperation )

747 ( 1.3.6.1.4.1.1466.101.120.14 NAME 'supportedSASLMechanisms'
748 DESC 'The values of this attribute are the names of supported SASL
749 mechanisms which the server supports. If the server does not
750 support any mechanisms this attribute must be absent.'
751 SYNTAX 'LDAPString' USAGE dSAOperation )

753 ( 1.3.6.1.4.1.1466.101.120.8 NAME 'entryName'
754 SYNTAX 'DN' SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )

756 ( 1.3.6.1.4.1.1466.101.120.9 NAME 'modifyRights'
757 SYNTAX 'ModifyRight' NO-USER-MODIFICATION USAGE dSAOperation )

759 ( 1.3.6.1.4.1.1466.101.120.10 NAME 'incompleteEntry'
760 SYNTAX 'BOOLEAN' NO-USER-MODIFICATION USAGE dSAOperation )

762 ( 1.3.6.1.4.1.1466.101.120.11 NAME 'fromEntry'
763 SYNTAX 'BOOLEAN' NO-USER-MODIFICATION USAGE dSAOperation )

765 5.1.5. LDAP User Attributes

767 The following attributes may be of use in naming entries, or as
768 descriptive attributes in entries.

770 ( 1.3.6.1.4.1.1466.101.121.1 NAME 'url'
771 DESC 'Uniform Resource Locator'
772 EQUALITY caseExactIA5Match SYNTAX 'IA5String' )

774 Note that the associatedDomain attribute may be used to hold a DNS name.

776 5.2. Syntaxes

778 5.2.1. Standard User Syntaxes

780 Servers must recognize all the syntaxes described in this section.

782 5.2.1.1. BitString

784 The encoding of a value with BitString syntax is according to the
785 following BNF:

787 ::= ''' ''B'

789 ::= '0' | '1' |
790 empty

792 5.2.1.2. PrintableString

794 The encoding of a value with PrintableString syntax is the string
795 value itself. PrintableString is limited to the characters in
796 production of section 4.1.

798 5.2.1.3. DirectoryString

800 A string with DirectoryString syntax is encoded in the UTF-8 form of
801 ISO 10646 (a superset of Unicode). Servers and clients must be prepared to
802 receive arbitrary Unicode characters in values.

804 For characters in the PrintableString form, the value is encoded as the
805 string value itself.

807 If it is of the TeletexString form, then the characters are transliterated
808 to their equivalents in UniversalString, and encoded in UTF-8 [11].

810 If it is of the UniversalString or BMPString forms [12], UTF-8 is used to
811 encode them.

813 Note: the form of DirectoryString is not indicated in protocol unless the
814 attribute value is carried in binary. Servers which convert to DAP must
815 choose an appropriate form. Servers must not reject values merely because
816 they contain legal Unicode characters outside of the range of printable
817 ASCII.

819 5.2.1.4. Certificate

821 Because of the changes from X.509(1988) and X.509(1993) and additional
822 changes to the ASN.1 definition to support certificate extensions, no
823 string representation is defined, and values with Certificate syntax
824 must only be transferred using the binary encoding, by requesting or
825 returning the attributes with descriptions "userCertificate;binary" or
826 "caCertificate;binary". The BNF notation in RFC 1778 for
827 "User Certificate" is not recommended to be used.

829 5.2.1.5. CertificateList

831 Because of the incompatibility of the X.509(1988) and X.509(1993)
832 definitions of revocation lists, values with CertificateList syntax
833 must only be transferred using a binary encoding, by requesting or
834 returning the attributes with descriptions
835 "certificateRevocationList;binary" or "authorityRevocationList;binary".
836 The BNF notation in RFC 1778 for "Authority Revocation List" is not
837 recommended to be used.

839 5.2.1.6. CertificatePair

841 Because the Certificate is being carried in binary, values with
842 CertificatePair syntax must only be transferred using a binary encoding,
843 by requesting or returning the attribute description
844 "crossCertificatePair;binary". The BNF notation in RFC 1778 for
845 "Certificate Pair" is not recommended to be used.

847 5.2.1.7. CountryString

849 A value of CountryString syntax is encoded the same as a value of
850 DirectoryString syntax. Note that this syntax is limited to values of
851 exactly two printable string characters.

853 ::=

855 5.2.1.8. DN

857 Values with DN (Distinguished Name) syntax are encoded to have the
858 representation defined in [5]. Note that this representation is not
859 reversible to the original ASN.1 encoding as the CHOICE of any
860 DirectoryString element in an RDN is no longer known.

862 5.2.1.9. DeliveryMethod

864 Values with DeliveryMethod syntax are encoded according to the
865 following BNF:

867 ::= | '$'

869 ::= 'any' | 'mhs' | 'physical' | 'telex' | 'teletex' |
870 'g3fax' | 'g4fax' | 'ia5' | 'videotex' | 'telephone'

872 5.2.1.10. EnhancedGuide

874 Values with the EnhancedGuide syntax are encoded according to the
875 following BNF:

877 ::= '#' '#'

879 ::= "baseobject" | "oneLevel" | "wholeSubtree"

881 The production is defined in the Guide syntax below.
882 This syntax has been added subsequent to RFC 1778.

884 5.2.1.11. FacsimileTelephoneNumber

886 Values with the FacsimileTelephoneNumber syntax are encoded according
887 to the following BNF:

889 ::= [ '$' ]

891 ::= | '$'

893 ::= 'twoDimensional' | 'fineResolution' | 'unlimitedLength' |
894 'b4Length' | 'a3Width' | 'b4Width' | 'uncompressed'

896 In the above, the first is the actual fax number,
897 and the tokens represent fax parameters.

899 5.2.1.12. Guide

901 Values with the Guide syntax are encoded according to the following
902 BNF:

904 ::= [ '#' ]

906 ::= an encoded value with OID syntax

908 ::= | | '!'

910 ::= [ '(' ] '&' [ ')' ] |
911 [ '(' ] '|' [ ')' ]

913 ::= [ '(' ] '$' [ ')' ]

915 ::= "EQ" | "SUBSTR" | "GE" | "LE" | "APPROX"

917 5.2.1.13. NameAndOptionalUID

919 The encoding of a value with the NameAndOptionalUID syntax is according
920 to the following BNF:

922 ::=
923 [ '#' ]

925 Although the '#' character may occur in a string representation of a
926 distinguished name, no additional special quoting is done in the
927 distinguished name other than that of [5].

929 This syntax has been added subsequent to RFC 1778.

931 5.2.1.14. NumericString

933 The encoding of a string with the NumericString syntax is the string
934 value itself.

936 5.2.1.15. OID

938 Values with OID (Object Identifier) syntax are encoded according to the
939 following BNF:

941 ::= |

943 ::=

945 ::= | '.'

947 In the above BNF, is the syntactic representation of an
948 object descriptor, which must consist of letters and digits, starting
949 with a letter. When encoding values with OID syntax, the first encoding
950 option must be used in preference to the second. That is, in encoding
951 object identifiers, object descriptors (where assigned and known by
952 the implementation) must be used in preference to numeric oids to
953 the greatest extent possible. All permitted object descriptors for use
954 in LDAP are given in this document. No other object descriptors may be
955 used. (Note that clients must expect that LDAPv2 implementations
956 will return object descriptors other than those listed.)

958 5.2.1.16. Password

960 Values with Password syntax are encoded as octet strings.

962 5.2.1.17. PostalAddress

964 Values with the PostalAddress syntax are encoded according to the
965 following BNF:

967 ::= | '$'

969 In the above, each component of a postal address value is
970 encoded as a value of type DirectoryString syntax. Backslashes and
971 dollar characters, if they occur in the component, are quoted as
972 described in section 4.2.

974 5.2.1.18. PresentationAddress

976 Values with the PresentationAddress syntax are encoded to have the
977 representation described in [6].

979 5.2.1.20. TelephoneNumber

981 Values with the TelephoneNumber syntax are encoded as if they were
982 Printable String types. Telephone numbers are recommended in X.520 to
983 be in international form, e.g. "+1 512 305 0280".

985 5.2.1.21. TeletexTerminalIdentifier

987 Values with the TeletexTerminalIdentifier syntax are encoded according
988 to the following BNF:

990 ::= 0*('$' )

992 ::=

994 ::= ':'

996 ::= 'graphic' | 'control' | 'misc' | 'page' | 'private'

998 ::=

1000 In the above, the first is the encoding of the
1001 first portion of the teletex terminal identifier to be encoded, and
1002 the subsequent 0 or more are subsequent portions
1003 of the teletex terminal identifier.

1005 5.2.1.22. TelexNumber

1007 Values with the TelexNumber syntax are encoded according to the
1008 following BNF:

1010 ::= '$' '$'

1012 ::=

1014 ::=

1016 ::=

1018 In the above, is the syntactic representation of the
1019 number portion of the TELEX number being encoded, is the
1020 TELEX country code, and is the answerback code of a
1021 TELEX terminal.

1023 5.2.1.23. UTCTime

1025 Values with UTCTime syntax are encoded as if they were printable
1026 strings with the strings containing a UTCTime value. This is historical;
1027 new attribute definitions must use GeneralizedTime instead.

1029 5.2.1.24. Boolean

1031 Values with Boolean syntax are encoded according to the following
1032 BNF:

1034 ::= "TRUE" | "FALSE"

1036 Boolean values have an encoding of "TRUE" if they are logically true,
1037 and have an encoding of "FALSE" otherwise.

1039 5.2.2. Pilot Syntaxes

1041 Servers must recognize all the syntaxes described in this section.

1043 5.2.2.1. Audio

1045 The encoding of a value with Audio syntax is the octets of the value
1046 itself, an 8KHz uncompressed encoding compatible with the SunOS
1047 4.1.3 'play' utility.

1049 5.2.2.2. DSAQualitySyntax

1051 Values with this syntax are encoded according to the following BNF:

1053 ::= [ '#' ]

1055 ::= 'DEFUNCT' | 'EXPERIMENTAL' | 'BEST-EFFORT' |
1056 'PILOT-SERVICE' | 'FULL-SERVICE'

1058 ::= encoded as a PrintableString

1060 5.2.2.3. DataQualitySyntax

1062 Values with this syntax are encoded according to the following BNF:

1064 ::= '#' '#'
1065 [ '#' ]

1067 ::= '+'

1069 ::= '$'

1071 ::= '+'

1073 ::= 'NONE' | 'SAMPLE' | 'SELECTED' |
1074 'SUBSTANTIAL' | 'FULL'

1076 ::= 'UNKNOWN' | 'EXTERNAL' | 'SYSTEM-MAINTAINED' |
1077 'USER-SUPPLIED'

1079 5.2.2.4. IA5String

1081 The encoding of a value with IA5String syntax is the string value
1082 itself.

1084 5.2.2.5. JPEG

1086 Values with JPEG syntax are encoded as if they were octet strings
1087 containing JPEG images in the JPEG File Interchange Format (JFIF), as
1088 described in [8].

1090 5.2.2.6. MailPreference

1092 Values with MailPreference syntax are encoded according to the
1093 following BNF:

1095 ::= "NO-LISTS" | "ANY-LIST" | "PROFESSIONAL-LISTS"

1097 5.2.2.7. OtherMailbox

1099 Values of the OtherMailbox syntax are encoded according to the
1100 following BNF:

1102 ::= '$'

1104 ::= an encoded Printable String

1106 ::= an encoded IA5 String

1108 In the above, represents the type of mail system in
1109 which the mailbox resides, for example "MCIMail"; and is the
1110 actual mailbox in the mail system defined by .

1112 5.2.2.8. Fax

1114 Values with Fax syntax are encoded as if they were octet strings
1115 containing Group 3 Fax images as defined in [7].

1117 5.2.3. Operational Syntaxes

1119 Servers must recognize all the syntaxes described in this section.

1121 5.2.3.1. AttributeTypeDescription

1123 Values with this syntax are encoded according to the BNF given at the
1124 start of section 4.1. For example,

1126 ( 2.5.4.0 NAME 'objectClass' SYNTAX 'OID' )

1128 5.2.3.2. GeneralizedTime

1130 Values of this syntax are encoded as printable strings, represented
1131 as specified in X.208. Note that the time zone must be specified.
1132 It is strongly recommended that Zulu time zone be used. For example,

1134 199412161032Z

1136 5.2.3.3. INTEGER

1138 Values with INTEGER syntax are encoded as the decimal representation
1139 of their values, with each decimal digit represented by its
1140 character equivalent. So the number 1321 is represented by the character
1141 string "1321".

1143 5.2.3.4. ObjectClassDescription

1145 Values of this syntax are encoded according to the BNF in section 4.3.

1147 5.3. Object Classes

1149 5.3.1. Standard Classes

1151 Servers must recognize the object classes listed here as values of
1152 the objectClass attribute. With the exception of groupOfUniqueNames,
1153 they are described in RFC 1274.

1155 ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )

1157 ( 2.5.6.1 NAME 'alias' SUP top STRUCTURAL MUST aliasedObjectName )

1159 ( 2.5.6.2 NAME 'country' SUP top STRUCTURAL MUST c
1160 MAY ( searchGuide $ description ) )

1162 ( 2.5.6.3 NAME 'locality' SUP top STRUCTURAL
1163 MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) )

1165 ( 2.5.6.4 NAME 'organization' SUP top STRUCTURAL MUST o
1166 MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
1167 x121Address $ registeredAddress $ destinationIndicator $
1168 preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
1169 telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
1170 street $ postOfficeBox $ postalCode $ postalAddress $
1171 physicalDeliveryOfficeName $ st $ l $ description ) )

1173 ( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL MUST ou
1174 MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
1175 x121Address $ registeredAddress $ destinationIndicator $
1176 preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
1177 telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
1178 street $ postOfficeBox $ postalCode $ postalAddress $
1179 physicalDeliveryOfficeName $ st $ l $ description ) )

1181 ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn )
1182 MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )

1184 ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL
1185 MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $
1186 preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
1187 telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
1188 street $ postOfficeBox $ postalCode $ postalAddress $
1189 physicalDeliveryOfficeName $ ou $ st $ l ) )

1191 ( 2.5.6.8 NAME 'organizationalRole' SUP top STRUCTURAL MUST cn
1192 MAY ( x121Address $ registeredAddress $ destinationIndicator $
1193 preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
1194 telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
1195 seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $
1196 postOfficeBox $ postalCode $ postalAddress $
1197 physicalDeliveryOfficeName $ ou $ st $ l $ description ) )

1199 ( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( member $ cn )
1200 MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )

1202 ( 2.5.6.10 NAME 'residentialPerson' SUP person STRUCTURAL MUST l
1203 MAY ( businessCategory $ x121Address $ registeredAddress $
1204 destinationIndicator $ preferredDeliveryMethod $ telexNumber $
1205 teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $
1206 facsimileTelephoneNumber $ preferredDeliveryMethod $ street $
1207 postOfficeBox $ postalCode $ postalAddress $
1208 physicalDeliveryOfficeName $ st $ l ) )

1210 ( 2.5.6.11 NAME 'applicationProcess' SUP top STRUCTURAL MUST cn
1211 MAY ( seeAlso $ ou $ l $ description ) )

1213 ( 2.5.6.12 NAME 'applicationEntity' SUP top STRUCTURAL
1214 MUST ( presentationAddress $ cn )
1215 MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $
1216 description ) )

1218 ( 2.5.6.13 NAME 'dSA' SUP applicationEntity STRUCTURAL
1219 MAY knowledgeInformation )

1221 ( 2.5.6.14 NAME 'device' SUP top STRUCTURAL MUST cn
1222 MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )

1224 ( 2.5.6.15 NAME 'strongAuthenticationUser' SUP top STRUCTURAL
1225 MUST userCertificate )

1227 ( 2.5.6.16 NAME 'certificationAuthority' SUP top STRUCTURAL
1228 MUST ( authorityRevocationList $ certificateRevocationList $
1229 cACertificate ) MAY crossCertificatePair )

1231 ( 2.5.6.17 NAME 'groupOfUniqueNames' SUP top STRUCTURAL
1232 MUST ( uniqueMember $ cn )
1233 MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )

1235 5.3.2. Pilot Classes

1237 These object classes are defined in RFC 1274. All servers must recognize
1238 these object class names.

1240 ( 0.9.2342.19200300.100.4.3 NAME 'pilotObject' SUP top STRUCTURAL
1241 MAY ( jpegPhoto $ audio $ dITRedirect $ lastModifiedBy $
1242 lastModifiedTime $ uniqueIdentifier $ manager $ photo $ info ) )

1244 ( 0.9.2342.19200300.100.4.4 NAME 'newPilotPerson' SUP person
1245 STRUCTURAL MAY ( personalSignature $ mailPreferenceOption $
1246 organizationalStatus $ pagerTelephoneNumber $ mobileTelephoneNumber $
1247 otherMailbox $ janetMailbox $ businessCategory $
1248 preferredDeliveryMethod $ personalTitle $ secretary $
1249 homePostalAddress $ homePhone $ userClass $ roomNumber $
1250 favouriteDrink $ rfc822Mailbox $ textEncodedORaddress $ userid ) )

1252 ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCTURAL
1253 MUST userid MAY ( host $ ou $ o $ l $ seeAlso $ description ) )

1255 ( 0.9.2342.19200300.100.4.6 NAME 'document' SUP ( top $ pilotObject )
1256 STRUCTURAL MUST documentIdentifier
1257 MAY ( documentPublisher $ documentStore $ documentAuthorSurName $
1258 documentAuthorCommonName $ abstract $ subject $ keywords $
1259 updatedByDocument $ updatesDocument $ obsoletedByDocument $
1260 obsoletesDocument $ documentLocation $ documentAuthor $
1261 documentVersion $ documentTitle $ ou $ o $ l $ seeAlso $ description $
1262 cn ) )

1264 ( 0.9.2342.19200300.100.4.7 NAME 'room' SUP top STRUCTURAL MUST cn
1265 MAY ( telephoneNumber $ seeAlso $ description $ roomNumber ) )

1267 ( 0.9.2342.19200300.100.4.9 NAME 'documentSeries' SUP top STRUCTURAL
1268 MUST cn MAY ( ou $ o $ l $ telephoneNumber $ seeAlso $ description ) )

1270 ( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCTURAL
1271 MUST dc
1272 MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
1273 x121Address $ registeredAddress $ destinationIndicator $
1274 preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
1275 telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
1276 street $ postOfficeBox $ postalCode $ postalAddress $
1277 physicalDeliveryOfficeName $ st $ l $ description $ o $
1278 associatedName ) )

1280 ( 0.9.2342.19200300.100.4.14 NAME 'rFC822localPart' SUP domain
1281 STRUCTURAL
1282 MAY ( x121Address $ registeredAddress $ destinationIndicator $
1283 preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
1284 telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
1285 streetAddress $ postOfficeBox $ postalCode $ postalAddress $
1286 physicalDeliveryOfficeName $ telephoneNumber $ seeAlso $ description $
1287 sn $ cn ) )

1289 ( 0.9.2342.19200300.100.4.15 NAME 'dNSDomain' SUP domain STRUCTURAL
1290 MAY dNSRecord )

1292 ( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject' SUP top
1293 STRUCTURAL MUST associatedDomain )

1295 ( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry' SUP country
1296 STRUCTURAL MUST co )

1298 ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' SUP top
1299 STRUCTURAL MUST userPassword )

1301 ( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization'
1302 SUP ( organization $ organizationalUnit ) STRUCTURAL
1303 MAY buildingName )

1305 ( 0.9.2342.19200300.100.4.21 NAME 'pilotDSA' SUP dSA STRUCTURAL
1306 MUST dSAQuality )

1308 ( 0.9.2342.19200300.100.4.23 NAME 'qualityLabelledData' SUP top
1309 STRUCTURAL MUST singleLevelQuality
1310 MAY ( subtreeMaximumQuality $ subtreeMinimumQuality ) )

1312 5.4. Matching Rules

1314 Servers must recognize the following matching rules, used for equality
1315 matching, and must be capable of performing the matching rules.
1316 For all these rules, the assertion syntax is the same as the value syntax.

1318 ( 2.5.13.0 NAME 'objectIdentifierMatch' SYNTAX 'OID' )
1319 ( 2.5.13.1 NAME 'distinguishedNameMatch' SYNTAX 'DN' )
1320 ( 2.5.13.2 NAME 'caseIgnoreMatch' SYNTAX 'DirectoryString' )
1321 ( 2.5.13.8 NAME 'numericStringMatch' SYNTAX 'NumericString' )
1322 ( 2.5.13.11 NAME 'caseIgnoreListMatch' SYNTAX 'PostalAddress' )
1323 ( 2.5.13.14 NAME 'integerMatch' SYNTAX 'INTEGER' )
1324 ( 2.5.13.16 NAME 'bitStringMatch' SYNTAX 'BitString' )
1325 ( 2.5.13.17 NAME 'octetStringMatch' SYNTAX 'Password' )
1326 ( 2.5.13.20 NAME 'telephoneNumberMatch' SYNTAX 'TelephoneNumber' )
1327 ( 2.5.13.27 NAME 'generalizedTimeMatch' SYNTAX 'GeneralizedTime' )
1328 ( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' SYNTAX 'IA5String' )
1329 ( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' SYNTAX 'IA5String' )

1331 When performing the caseIgnoreMatch, caseIgnoreListMatch,
1332 telephoneNumberMatch, caseExactIA5Match and caseIgnoreIA5Match,
1333 multiple adjoining whitespace characters are treated the same as
1334 an individual space, and leading and trailing whitespace is ignored.

1336 6. X.500 Definitions

1338 Servers which implement the X.500(1993) protocols are required to recognize
1339 these attribute types, syntaxes, object classes and matching rules, where
1340 they correspond to X.500 features implemented by that server. No other
1341 servers are required to implement any definitions in section 6, although
1342 they may do so.

1344 Clients must not assume these definitions are recognized by all servers.

1346 6.1. Attribute Types

1348 6.1.1. User Attributes

1350 All user attributes of X.500 are listed in section 5.1.1.

1352 6.1.2. Collective Attributes

1354 These attributes are stored in collective attribute subentries, but may
1355 be visible in user entries if requested.

1357 Each of these collective attributes is a subtype of the attribute which
1358 has the OID without the final ".1", e.g. "collectivePostalCode" is a
1359 subtype of "postalCode".

1361 ( 2.5.4.7.1 NAME 'collectiveLocalityName' SUP l COLLECTIVE )

1363 ( 2.5.4.8.1 NAME 'collectiveStateOrProvinceName' SUP st COLLECTIVE )

1365 ( 2.5.4.9.1 NAME 'collectiveStreetAddress' SUP street COLLECTIVE )

1367 ( 2.5.4.10.1 NAME 'collectiveOrganizationName' SUP o COLLECTIVE )

1369 ( 2.5.4.11.1 NAME 'collectiveOrganizationalUnitName' SUP ou COLLECTIVE )

1371 ( 2.5.4.16.1 NAME 'collectivePostalAddress' SUP postalAddress COLLECTIVE )

1373 ( 2.5.4.17.1 NAME 'collectivePostalCode' SUP postalCode COLLECTIVE )

1375 ( 2.5.4.18.1 NAME 'collectivePostOfficeBox' SUP postOfficeBox COLLECTIVE )

1377 ( 2.5.4.19.1 NAME 'collectivePhysicalDeliveryOfficeName'
1378 SUP physicalDeliveryOfficeName COLLECTIVE )

1380 ( 2.5.4.20.1 NAME 'collectiveTelephoneNumber' SUP telephoneNumber
1381 COLLECTIVE )

1383 ( 2.5.4.21.1 NAME 'collectiveTelexNumber' SUP 'TelexNumber' COLLECTIVE )

1385 ( 2.5.4.22.1 NAME 'collectiveTeletexTerminalIdentifier'
1386 SUP teletexTerminalIdentifier COLLECTIVE )

1388 ( 2.5.4.23.1 NAME 'collectiveFacsimileTelephoneNumber'
1389 SUP facsimileTelephoneNumber COLLECTIVE )

1391 ( 2.5.4.25.1 NAME 'collectiveInternationaliSDNNumber'
1392 SUP internationaliSDNNumber COLLECTIVE )

1394 6.1.3. Standard Operational Attributes

1396 These attributes are defined in X.501(1993) Annexes B through E.

1398 ( 2.5.18.5 NAME 'administrativeRole' EQUALITY objectIdentifierMatch
1399 SYNTAX 'OID' USAGE directoryOperation )

1401 ( 2.5.18.6 NAME 'subtreeSpecification' SYNTAX 'SubtreeSpecification'
1402 SINGLE-VALUE USAGE directoryOperation )

1404 ( 2.5.18.7 NAME 'collectiveExclusions' EQUALITY objectIdentifierMatch
1405 SYNTAX 'OID' USAGE directoryOperation )

1407 ( 2.5.21.1 NAME 'dITStructureRules' EQUALITY integerFirstComponentMatch
1408 SYNTAX 'DITStructureRuleDescription' USAGE directoryOperation )

1410 ( 2.5.21.2 NAME 'dITContentRules'
1411 EQUALITY objectIdentifierFirstComponentMatch
1412 SYNTAX 'DITContentRuleDescription' USAGE directoryOperation )

1414 ( 2.5.21.4 NAME 'matchingRules'
1415 EQUALITY objectIdentifierFirstComponentMatch
1416 SYNTAX 'MatchingRuleDescription' USAGE directoryOperation )

1418 ( 2.5.21.7 NAME 'nameForms'
1419 EQUALITY objectIdentifierFirstComponentMatch
1420 SYNTAX 'NameFormDescription' USAGE directoryOperation )

1422 ( 2.5.21.8 NAME 'matchingRuleUse'
1423 EQUALITY objectIdentifierFirstComponentMatch
1424 SYNTAX 'MatchingRuleUseDescription' USAGE directoryOperation )

1426 ( 2.5.21.9 NAME 'structuralObjectClass' EQUALITY objectIdentifierMatch
1427 SYNTAX 'OID' SINGLE-VALUE NO-USER-MODIFICATION
1428 USAGE directoryOperation )

1430 ( 2.5.21.10 NAME 'governingStructuralRule' EQUALITY integerMatch
1431 SYNTAX 'INTEGER' SINGLE-VALUE NO-USER-MODIFICATION
1432 USAGE directoryOperation )

1434 ( 2.5.24.1 NAME 'accessControlScheme' EQUALITY objectIdentifierMatch
1435 SYNTAX 'OID' SINGLE-VALUE USAGE directoryOperation )

1437 ( 2.5.24.4 NAME 'prescriptiveACI'
1438 EQUALITY directoryStringFirstComponentMatch SYNTAX 'ACIItem'
1439 USAGE directoryOperation )

1441 ( 2.5.24.5 NAME 'entryACI'
1442 EQUALITY directoryStringFirstComponentMatch SYNTAX 'ACIItem'
1443 USAGE directoryOperation )

1445 ( 2.5.24.6 NAME 'subentryACI'
1446 EQUALITY directoryStringFirstComponentMatch SYNTAX 'ACIItem'
1447 USAGE directoryOperation )

1449 ( 2.5.12.0 NAME 'dseType' EQUALITY bitStringMatch SYNTAX 'DSEType'
1450 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )

1452 ( 2.5.12.1 NAME 'myAccessPoint' EQUALITY accessPointMatch
1453 SYNTAX 'AccessPoint' SINGLE-VALUE NO-USER-MODIFICATION
1454 USAGE dSAOperation )

1456 ( 2.5.12.2 NAME 'superiorKnowledge' EQUALITY accessPointMatch
1457 SYNTAX 'AccessPoint' SINGLE-VALUE NO-USER-MODIFICATION
1458 USAGE dSAOperation )

1460 ( 2.5.12.3 NAME 'specificKnowledge'
1461 EQUALITY masterAndShadowAccessPointsMatch
1462 SYNTAX 'MasterAndShadowAccessPoints'
1463 SINGLE-VALUE NO-USER-MODIFICATION USAGE distributedOperation )

1465 ( 2.5.12.4 NAME 'nonSpecificKnowledge'
1466 EQUALITY masterAndShadowAccessPointsMatch
1467 SYNTAX 'MasterAndShadowAccessPoints' NO-USER-MODIFICATION
1468 USAGE distributedOperation )

1470 ( 2.5.12.5 NAME 'supplierKnowledge'
1471 EQUALITY supplierOrConsumerInformationMatch
1472 SYNTAX 'SupplierInformation'
1473 NO-USER-MODIFICATION USAGE dSAOperation )

1475 ( 2.5.12.6 NAME 'consumerKnowledge'
1476 EQUALITY supplierOrConsumerInformationMatch
1477 SYNTAX 'SupplierOrConsumer'
1478 NO-USER-MODIFICATION USAGE dSAOperation )

1480 ( 2.5.12.7 NAME 'secondaryShadows'
1481 EQUALITY supplierAndConsumersMatch
1482 SYNTAX 'SupplierAndConsumers'
1483 NO-USER-MODIFICATION USAGE dSAOperation )

1485 6.1.4. LDAP-defined Operational Attributes

1487 6.1.4.1. targetSystem

1489 ( 1.3.6.1.4.1.1466.101.120.12 NAME 'targetSystem'
1490 SYNTAX 'AccessPoint' SINGLE-VALUE NO-USER-MODIFICATION
1491 USAGE distributedOperation )

1493 The value of this attribute may be supplied in an AddEntry operation
1494 to inform the Directory of the target server on which the entry is to
1495 be held. This is used to create a new naming context in the directory
1496 tree. A server which does not permit the use of this attribute must
1497 return an appropriate error code if it is present in the attribute list.
1498 This attribute will generally not be present in the entry after the add
1499 is completed.

1501 6.2. Syntaxes

1503 6.2.1. Standard Syntaxes

1505 6.2.1.1. ACIItem

1507 This syntax appears too complicated for a compact string representation
1508 to be useful. Clients must only request and servers must only return
1509 values which use the binary encoding of the value, e.g.
1510 "entryACI;binary".

1512 It is recommended that clients that wish to only determine whether they
1513 have been granted permission to modify an entry use the "modifyRights"
1514 attribute rather than attempt to parse this syntax.

1516 6.2.1.2. AccessPoint

1518 Values with AccessPoint syntax are encoded according to the
1519 following BNF:

1521 ::= ( '(' '#'
1522 ')' ) |
1523 -- Optional protocol info absent, parenthesis required
1524 ( '(' '#'
1525 '#'
1526 ::= |

1529 '(' ')'

1531 ::= |
1532 '$'
1533

1535 6.2.1.3. DITContentRuleDescription

1537 Values with this syntax are encoded according to the following BNF:

1539 ::= "("
1540 -- Structural ObjectClass identifier
1541 [ "NAME" ]
1542 [ "DESC" ]
1543 [ "OBSOLETE" ]
1544 [ "AUX" ] -- Auxiliary ObjectClasses
1545 [ "MUST" ] -- AttributeType identifiers
1546 [ "MAY" ] -- AttributeType identifiers
1547 [ "NOT" ] -- AttributeType identifiers
1548 ")"

1550 6.2.1.4. DITStructureRuleDescription

1552 Values with this syntax are encoded according to the following BNF:

1554 ::= "("
1555 -- DITStructureRule identifier
1556 [ "NAME" ]
1557 [ "DESC" ]
1558 [ "OBSOLETE" ]
1559 "FORM" -- NameForm
1560 [ "SUP" ] -- superior DITStructureRules
1561 ")"

1563 ::=

1565 ::=
1566 |
1567 "(" ")"

1569 ::=
1570
1571 |
1572 -- empty list

1574 6.2.1.5. DSEType

1576 Values with DSEType syntax are encoded according to the following BNF:

1578 ::= '(' ')'

1580 ::= | '$'

1582 ::= 'root' | 'glue' | 'cp' | 'entry' | 'alias' | 'subr' |
1583 'nssr' | 'supr' | 'xr' | 'admPoint' | 'subentry' |
1584 'shadow' | 'zombie' | 'immSupr' | 'rhob' | 'sa'

1586 6.2.1.6. MasterAndShadowAccessPoints

1588 Values of this syntax are encoded according to the following BNF:

1590 ::= |
1591 '(' ::= |

1594 '$'

1596 ::= '#'

1598 ::= 'master' | 'shadow'

1600 6.2.1.7. MatchingRuleDescription

1602 Values of this syntax are encoded according to the BNF of section 4.4.

1604 6.2.1.8. MatchingRuleUseDescription

1606 Values of this syntax are encoded according to the following BNF:

1608 ::= "("
1609 -- MatchingRule identifier
1610 [ "NAME" ]
1611 [ "DESC" ]
1612 [ "OBSOLETE" ]
1613 "APPLIES" -- AttributeType identifiers
1614 ")"

1616 6.2.1.9. NameFormDescription

1618 Values of this syntax are encoded according to the following BNF:

1620 ::= "("
1621 -- NameForm identifier
1622 [ "NAME" ]
1623 [ "DESC" ]
1624 [ "OBSOLETE" ]
1625 "OC" -- Structural ObjectClass
1626 "MUST" -- AttributeTypes
1627 [ "MAY" ] -- AttributeTypes
1628 ")"

1630 6.2.1.10. SubtreeSpecification

1632 Values of this syntax are encoded according to the following BNF:

1634 ::= '(' [] '#'
1635 [] '#'
1636 [] '#' [] '#'
1637 [] ')'

1639 ::=

1641 ::= '(' ')'

1643 ::= | '$'

1645 ::= ( 'before ' ) |
1646 ( 'after ' )

1648 ::=

1650 ::=

1652 ::= | '!' |
1653 '( &' ')' |
1654 '( |' ')'

1656 ::= | '$'

1658 6.2.1.11. SupplierInformation

1660 Values of this syntax are encoded according to the following BNF:

1662 ::=
1663 -- supplier is master --
1664 '(' 'master' '#' ')' |

1666 -- supplier is not master, master unspecified --
1667 '(' 'shadow' '#' ')' |

1669 -- supplier not master, master specified --
1670 ['('] 'shadow' '#' '#' [')']

1672 6.2.1.12. SupplierOrConsumer

1674 Values of this syntax are encoded according to the following BNF:

1676 ::= '#'

1678 ::= '.'

1680 ::=

1682 ::=

1684 6.2.1.13. SupplierAndConsumers

1686 Values of this syntax are encoded according to the following BNF:

1688 ::= '#'

1690 ::=

1692 ::= | '(' ')'

1694 ::= |
1695 '$'

1697 6.2.1.14. ProtocolInformation

1699 A value with the ProtocolInformation syntax is encoded according to the
1700 following BNF:

1702 ::= '#'
1703

1705 ::= As appears in PresentationAddress

1707 ::= |
1708 '(' ')'

1710 ::= |
1711 '$'

1713 ::=

1715 For example,

1717 NS+12345678 # 1.2.3.4.5

1719 6.2.2. LDAP-defined Syntaxes

1721 There is currently one syntax defined here.

1723 6.2.2.1 ModifyRight

1725 This syntax is a printable encoding of the following ASN.1 data type:

1727 ModifyRight ::= SEQUENCE {
1728 item CHOICE {
1729 entry [0] NULL,
1730 attribute [1] AttributeType,
1731 value [2] AttributeValueAssertion },
1732 permission [3] BIT STRING { add(0), remove(1), rename(2), move(3) } }

1734 The syntax is encoded according to the following BNF:

1736 ::= []
1737 -- perm list is absent when none of the bits set in permission

1739 ::= | |

1741 ::= 'entry'

1743 ::= 'attribute'

1745 ::= 'value'

1747 -- is the string encoding of the value

1749 ::= |
1750 -- one or more of the bits in permission, if set

1752 ::= 'add' | 'remove' | 'rename' | 'move'

1754 ::= [ ] '#' [ ]

1756 ::= [ ] '$' [ ]

1758 For example,

1760 # entry
1761 add $ remove # attribute $ cn
1762 add $ remove # attribute $ sn
1763 remove # value $ memberName $ CN=Babs, O=Michigan, C=US

1765 6.3. Object Classes

1767 The following object classes may be recognized.

1769 ( 2.5.17.0 NAME 'subentry' SUP top STRUCTURAL
1770 MUST ( cn $ subtreeSpecification ) )

1772 ( 2.5.17.1 NAME 'accessControlSubentry' AUXILIARY )

1774 ( 2.5.17.2 NAME 'collectiveAttributeSubentry' AUXILIARY )

1776 ( 2.5.20.1 NAME 'subschema' AUXILIARY
1777 MAY ( dITStructureRules $ nameForms $ ditContentRules $
1778 objectClasses $ attributeTypes $ matchingRules $ matchingRuleUse ) )

1780 6.4. Matching Rules

1782 Only servers which implement the attribute types which reference these
1783 matching rules in their definition are required to implement these rules.

1785 The definitions of the rules can be found in [2] and [3].

1787 Name                                  OID
1788 ===================================== ===========
1789 caseIgnoreOrderingMatch               2.5.13.3
1790 caseIgnoreSubstringsMatch             2.5.13.4
1791 caseExactMatch                        2.5.13.5
1792 caseExactOrderingMatch                2.5.13.6
1793 caseExactSubstringsMatch              2.5.13.7
1794 numericStringOrderingMatch            2.5.13.9
1795 numericStringSubstringsMatch          2.5.13.10
1796 caseIgnoreListSubstringsMatch         2.5.13.12
1797 booleanMatch                          2.5.13.13
1798 integerOrderingMatch                  2.5.13.15
1799 octetStringOrderingMatch              2.5.13.18
1800 octetStringSubstringsMatch            2.5.13.19
1801 telephoneNumberSubstringsMatch        2.5.13.21
1802 presentationAddressMatch              2.5.13.22
1803 uniqueMemberMatch                     2.5.13.23
1804 protocolInformationMatch              2.5.13.24
1805 uTCTimeMatch                          2.5.13.25
1806 uTCTimeOrderingMatch                  2.5.13.26
1807 generalizedTimeOrderingMatch          2.5.13.28
1808 integerFirstComponentMatch            2.5.13.29
1809 objectIdentifierFirstComponentMatch   2.5.13.30
1810 directoryStringFirstComponentMatch    2.5.13.31
1811 wordMatch                             2.5.13.32
1812 keywordMatch                          2.5.13.33
1813 accessPointMatch                      2.5.14.0
1814 masterAndShadowAccessPointsMatch      2.5.14.1
1815 supplierOrConsumerInformationMatch    2.5.14.2
1816 supplierAndConsumersMatch             2.5.14.3

1818 6.5. Other

1820 The string 'excludeAllCollectiveAttributes' is defined as a synonym
1821 for the OID 2.5.18.0. It would typically be used as a value of the
1822 collectiveExclusions attribute.

1824 7. Other Optional Definitions

1826 7.1. Attribute Types

1828 7.1.1. Obsolete Attributes

1830 Implementors must use modifyTimestamp and modifiersName instead.

1832    ( 0.9.2342.19200300.100.1.23 NAME 'lastModifiedTime' OBSOLETE
1833      SYNTAX 'UTCTime' )

1835    ( 0.9.2342.19200300.100.1.24 NAME 'lastModifiedBy' OBSOLETE
1836      EQUALITY distinguishedNameMatch SYNTAX 'DN' )

1838 7.2. Syntaxes

1840 7.2.1 MHSORAddress

1842 Values of type MHSORAddress are encoded as strings, according to
1843 the format defined in [10].
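
The ModifyRight string encoding of section 6.2.2.1 can be read with a strict parser. The Python below is an added example, not part of the draft; it takes the '#' and '$' separators and the three item forms from the four example values in that section, and the function names and the rejection of unknown permission names are assumptions of this example.

```python
from typing import NamedTuple, Optional

PERMS = ("add", "remove", "rename", "move")  # bit names from the ASN.1 type


class ModifyRight(NamedTuple):
    perms: frozenset       # subset of PERMS; empty when no bit is set
    kind: str              # 'entry', 'attribute' or 'value'
    attr: Optional[str]    # attribute type; None for 'entry'
    value: Optional[str]   # string-encoded value; only for 'value'


def parse_modify_right(text: str) -> ModifyRight:
    """Parse one value; raise ValueError on anything outside the grammar."""
    if "#" not in text:
        raise ValueError("missing '#' separator")
    # Permission names cannot contain '#', so the first '#' is the separator;
    # any later '#' or '$' belongs to the attribute value.
    left, right = text.split("#", 1)
    perms = [p.strip() for p in left.split("$")] if left.strip() else []
    for p in perms:
        if p not in PERMS:  # assumption: reject rather than ignore (fail closed)
            raise ValueError(f"unknown permission {p!r}")
    parts = [s.strip() for s in right.split("$", 2)]
    want = {"entry": 1, "attribute": 2, "value": 3}.get(parts[0])
    if want is None or len(parts) != want or not all(parts):
        raise ValueError(f"malformed item {right.strip()!r}")
    attr = parts[1] if want > 1 else None
    value = parts[2] if want > 2 else None
    return ModifyRight(frozenset(perms), parts[0], attr, value)


def granted(rights, perm, kind, attr=None):
    """True if a right of this kind carries perm; attribute names ignore case."""
    return any(
        r.kind == kind and perm in r.perms
        and (attr is None or (r.attr or "").lower() == attr.lower())
        for r in rights
    )


# The four example values from section 6.2.2.1.
SAMPLE = [
    "# entry",
    "add $ remove # attribute $ cn",
    "add $ remove # attribute $ sn",
    "remove # value $ memberName $ CN=Babs, O=Michigan, C=US",
]
RIGHTS = [parse_modify_right(v) for v in SAMPLE]
```

A client that treats a ValueError here as "no rights granted" never acts on a permission it misread.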

1845 7.2.2 DLSubmitPermission

1847 Values of type DLSubmitPermission are encoded as strings, according
1848 to the following BNF:

1850    ::= ':'
1851        | ':'

1853    ::= 'group_member'

1855    ::=

1857    ::= an encoded Distinguished Name

1859    ::= 'individual' | 'dl_member' | 'pattern'

1861    ::=
1862    ::= '#'
1863        |

1865    ::= ':'

1867    ::= ':'

1869    = 'X400'

1871    = 'X500'

1873 where is as defined in RFC 1327.

1875 7.3. Object Classes

1877 7.3.1. Obsolete Classes

1879    ( 0.9.2342.19200300.100.4.22 NAME 'oldQualityLabelledData' SUP top
1880      STRUCTURAL MUST dSAQuality
1881      MAY ( subtreeMaximumQuality $ subtreeMinimumQuality ) )

1883 The oldQualityLabelledData object class is historical and must not be
1884 used for defining new objects.

1886 7.3.2. extensibleObject

1888    ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject'
1889      SUP top AUXILIARY )

1891 This class, if present in an entry, permits that entry to optionally
1892 hold any attribute. The MAY attribute list of this class is implicitly
1893 the set of all attributes known to the server. The mandatory attributes
1894 of the other object classes of this entry are still required to be
1895 present.

1897 Note that not all servers will implement this object class, and those
1898 which do not will reject requests to add entries which contain this
1899 object class, or modify an entry to add this object class.

1901 7.4. Matching Rules

1903 7.4.1. caseIgnoreIA5SubstringsMatch

1905    ( 1.3.6.1.4.1.1466.109.114.3
1906      NAME 'caseIgnoreIA5SubstringsMatch' SYNTAX 'IA5String' )

1908 This matching rule may be used to compare components of an IA5 string
1909 against an attribute whose values have IA5 string syntax.

1911 8. Security Considerations

1913 Security issues are not discussed in this memo.

1915 9. Acknowledgements

1917 This document is based substantially on RFC 1778, written by Tim Howes,
1918 Steve Kille, Wengyik Yeong and Colin Robbins.

1920 Many of the attribute syntax encodings defined in this document are
1921 adapted from those used in the QUIPU and the IC R3 X.500
1922 implementations. The contributions of the authors of both these
1923 implementations in the specification of syntaxes in this document are
1924 gratefully acknowledged.

1926 10. Authors Addresses

1928    Mark Wahl
1929    Critical Angle Inc.
1930    4815 West Braker Lane #502-385
1931    Austin, TX 78759
1932    USA

1934    EMail: M.Wahl@critical-angle.com

1936    Andy Coulbeck
1937    ISODE Consortium
1938    The Dome, The Square
1939    Richmond TW9 1DT
1940    United Kingdom

1942    Phone: +44 181-332-9091
1943    EMail: A.Coulbeck@isode.com

1945    Tim Howes
1946    Netscape Communications Corp.
1947    501 E. Middlefield Rd
1948    Mountain View, CA 94043
1949    USA

1951    Phone: +1 415 254-1900
1952    EMail: howes@netscape.com

1954    Steve Kille
1955    ISODE Consortium
1956    The Dome, The Square
1957    Richmond
1958    TW9 1DT
1959    UK

1961    Phone: +44-181-332-9091
1962    EMail: S.Kille@isode.com

1964 11. Bibliography

1966 [1] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access Protocol
1967     (Version 3)", INTERNET-DRAFT ,
1968     October 1996.

1970 [2] The Directory: Selected Attribute Types. ITU-T Recommendation
1971     X.520, 1993.

1973 [3] The Directory: Models. ITU-T Recommendation X.501, 1993.

1975 [4] P. Barker, S. Kille, "The COSINE and Internet X.500 Schema", RFC
1976     1274, November 1991.

1978 [5] M. Wahl, S. Kille, "A UTF-8 String Representation of Distinguished
1979     Names", INTERNET-DRAFT , August 1996.

1981 [6] S. Kille, "A String Representation for Presentation Addresses",
1982     RFC 1278, University College London, November 1991.

1984 [7] Terminal Equipment and Protocols for Telematic Services -
1985     Standardization of Group 3 facsimile apparatus for document
1986     transmission. CCITT, Recommendation T.4.

1988 [8] JPEG File Interchange Format (Version 1.02). Eric Hamilton,
1989     C-Cube Microsystems, Milpitas, CA, September 1, 1992.

1991 [9] The Directory: Selected Object Classes. ITU-T Recommendation
1992     X.521, 1993.

1994 [10] H. Alvestrand, S. Kille, R. Miles, M. Rose, S. Thompson,
1995      "Mapping between X.400 and RFC-822 Message Bodies", RFC 1495,
1996      August 1993.

1998 [11] M. Davis, UTF-8, (WG2 N1036) DAM for ISO/IEC 10646-1.

2000 [12] Universal Multiple-Octet Coded Character Set (UCS) - Architecture
2001      and Basic Multilingual Plane, ISO/IEC 10646-1 : 1993.

2003 [13] The Directory: Authentication Framework. ITU-T Recommendation
2004      X.509 (1993).

2006 [14] Abstract Syntax Notation One (ASN.1) - Specification of Basic
2007      Notation. ITU-T Recommendation X.680, 1994.

2009
2010 Expires: April 1997