idnits 2.17.1 

draft-ietf-ldapbis-models-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** The document seems to lack a 1id_guidelines paragraph about 6 months
     document validity -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     current Internet-Drafts -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     Shadow Directories. 


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 36 instances of lines with non-RFC6890-compliant IPv4
     addresses in the document.  If these are example addresses, they should
     be changed.

  == The 'Obsoletes: ' line in the draft header should list only the
     _numbers_ of the RFCs which will be obsoleted by this document (if
     approved); it should not include the word 'RFC' in the list.

  -- The draft header indicates that this document obsoletes RFC2251, but the
     abstract doesn't seem to directly say this.  It does mention RFC2251
     though, so this could be OK.

  -- The draft header indicates that this document obsoletes RFC2252, but the
     abstract doesn't seem to directly say this.  It does mention RFC2252
     though, so this could be OK.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == Line 2085 has weird spacing: '...for the  purpo...'

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords -- however, there's a paragraph with
     a matching beginning. Boilerplate error?

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).
  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (12 August 2002) is 7928 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC2222' is mentioned on line 1668, but not defined

  ** Obsolete undefined reference: RFC 2222 (Obsoleted by RFC 4422, RFC 4752)

  == Unused Reference: 'Filters' is defined on line 1865, but no explicit
     reference was found in the text

  == Unused Reference: 'LDAPURL' is defined on line 1869, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2279 (Obsoleted by RFC 3629)

  ** Obsolete normative reference: RFC 2234 (Obsoleted by RFC 4234)

  -- No information found for draft-ietf-ldapbis-roadmap-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Roadmap' 

  -- No information found for draft-ietf-ldapbis-protocol-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Protocol' 

  -- No information found for draft-ietf-ldapbis-authmeth-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'AuthMeth' 

  -- No information found for draft-ietf-ldapbis-dn-xx - is the name correct?

  -- Possible downref: Normative reference to a draft: ref. 'LDAPDN' 

  -- No information found for draft-ietf-ldapbis-filter-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Filters' 

  -- No information found for draft-ietf-ldapbis-url-xx - is the name correct?

  -- Possible downref: Normative reference to a draft: ref. 'LDAPURL' 

  -- No information found for draft-ietf-ldapbis-syntaxes-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Syntaxes' 

  -- No information found for draft-ietf-ldapbis-user-schema-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Schema' 

  -- No information found for draft-ietf-ldapbis-xx - is the name correct?

  -- Possible downref: Normative reference to a draft: ref. 'LDAPIANA' 

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ISO10646'

  -- Obsolete informational reference (is this intentional?): RFC 2251
     (Obsoleted by RFC 4510, RFC 4511, RFC 4512, RFC 4513)

  -- Obsolete informational reference (is this intentional?): RFC 2252
     (Obsoleted by RFC 4510, RFC 4512, RFC 4517, RFC 4523)

  -- No information found for draft-ietf-ldapbis-ldapv3-ts-xx - is the name
     correct?


     Summary: 7 errors (**), 0 flaws (~~), 7 warnings (==), 26 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	INTERNET-DRAFT                              Editor: Kurt D. Zeilenga
3	Intended Category: Standard Track                OpenLDAP Foundation
4	Expires in six months                                 12 August 2002
5	Obsoletes: RFC 2251, RFC 2252, RFC 2256

7	                    LDAP: Directory Information Models
8	                    <draft-ietf-ldapbis-models-02.txt>

10	Status of this Memo

12	  This document is an Internet-Draft and is in full conformance with all
13	  provisions of Section 10 of RFC2026.

15	  This document is intended to be published as a Standard Track RFC.
16	  Distribution of this memo is unlimited.  Technical discussion of this
17	  document will take place on the IETF LDAP Revision Working Group
18	  mailing list <ietf-ldapbis@openldap.org>.  Please send editorial
19	  comments directly to the author <Kurt@OpenLDAP.org>.

21	  Internet-Drafts are working documents of the Internet Engineering Task
22	  Force (IETF), its areas, and its working groups.  Note that other
23	  groups may also distribute working documents as Internet-Drafts.
24	  Internet-Drafts are draft documents valid for a maximum of six months
25	  and may be updated, replaced, or obsoleted by other documents at any
26	  time.  It is inappropriate to use Internet-Drafts as reference
27	  material or to cite them other than as ``work in progress.''

29	  The list of current Internet-Drafts can be accessed at
30	  <http://www.ietf.org/ietf/1id-abstracts.txt>. The list of
31	  Internet-Draft Shadow Directories can be accessed at
32	  <http://www.ietf.org/shadow.html>.

34	  Copyright 2002, The Internet Society.  All Rights Reserved.  Please
35	  see the Copyright section near the end of this document for more
36	  information.

38	Abstract

40	  The Lightweight Directory Access Protocol (LDAP) is an Internet
41	  protocol for accessing distributed directory services which act in
42	  accordance with X.500 data and service models.  This document
43	  describes the X.500 Directory Information Models, as used in LDAP.

45	Table of Contents

47	  Status of this Memo                                             1
48	  Abstract
49	  Table of Contents                                               2
50	  1.       Introduction                                           4
51	  1.1.     Relationship to Other LDAP Specifications
52	  1.2.     Conventions                                            5
53	  1.3.     Common ABNF Productions
54	  2.       Model of Directory User Information                    7
55	  2.1.     The Directory Information Tree
56	  2.2.     Naming of Entries                                      8
57	  2.2.1.   Relative Distinguished Names
58	  2.2.2.   Distinguished Names
59	  2.2.3.   Alias Names
60	  2.3.     Structure of an Entry
61	  2.4.     Object Classes                                         9
62	  2.4.1.   Abstract Object Classes                               10
63	  2.4.2.   Structural Object Classes
64	  2.4.3.   Auxiliary Object Classes                              11
65	  2.5.     Attribute Descriptions
66	  2.5.1.   Attribute Types                                       12
67	  2.5.2.   Attribute Options                                     13
68	  2.5.2.1. Tagging Options
69	  2.5.3.   Attribute Description Hierarchies                     14
70	  2.5.4.   Attribute Values                                      15
71	  2.6.     Alias Entries
72	  2.6.1.   'alias'                                               16
73	  2.6.2.   'aliasObjectName'
74	  3.       Directory Administrative and Operational Information
75	  3.1.     Subtrees
76	  3.2.     Subentries                                            17
77	  3.3.     The 'objectClass' attribute
78	  3.4.     Operational attributes                                18
79	  3.4.1.   'creatorsName'
80	  3.4.2.   'createTimestamp'                                     19
81	  3.4.3.   'modifiersName'
82	  3.4.4.   'modifyTimestamp'
83	  4.       Directory Schema                                      20
84	  4.1.     Schema Definitions                                    21
85	  4.1.1.   Object Class Definitions                              22
86	  4.1.2.   Attribute Types                                       23
87	  4.1.3.   Matching Rules                                        24
88	  4.1.4.   LDAP Syntaxes                                         25
89	  4.1.5.   DIT Content Rules                                     26
90	  4.1.6.   DIT Structural Rules and Name Forms                   27
91	  4.2.     Subschema Subentries                                  29
92	  4.2.1.   'objectClasses'                                       30
93	  4.2.2.   'attributeTypes'
94	  4.2.3.   'matchingRules'                                       31
95	  4.2.4.   'matchingRuleUse'
96	  4.2.5.   'ldapSyntaxes'
97	  4.2.6.   'dITContentRules'                                     32
98	  4.2.7.   'dITStructureRules'
99	  4.2.8.   'nameForms'
100	  4.3.     'extensibleObject'
101	  4.4.     Subschema Discovery                                   33
102	  5.       DSA (Server) Informational Model
103	  5.1.     Server-specific Data Requirements                    34
104	  5.1.1.   'altServer'                                           35
105	  5.1.2.   'namingContexts'
106	  5.1.3.   'supportedControl'
107	  5.1.4.   'supportedExtension'                                  36
108	  5.1.5.   'supportedLDAPVersion'
109	  5.1.6.   'supportedSASLMechanisms'
110	  6.       Other Considerations                                  37
111	  6.1.     Preservation of User Information
112	  6.2.     Short Names
113	  6.3.     Cache and Shadowing
114	  7.       Implementation Guidelines                             38
115	  7.1.     Server Guidelines
116	  7.2.     Client Guidelines
117	  8.       Security Considerations                               39
118	  9.       IANA Considerations
119	  10.      Acknowledgments                                       40
120	  11.      Author's Address
121	  12.      References
122	  12.1.    Normative References
123	  12.2.    Informative References                                41
124	  Appendix A.  Changes                                           42
125	  A.1      Changes to RFC 2251
126	  A.1.1    Section 3.2 of RFC 2251
127	  A.1.2    Section 3.4 of RFC 2251                               43
128	  A.1.2    Section 4 of RFC 2251
129	  A.1.3    Section 6 of RFC 2251                                 44
130	  A.2      Changes to RFC 2252
131	  A.2.1    Section 4 of RFC 2252
132	  A.2.2    Section 5 of RFC 2252
133	  A.2.3    Section 7 of RFC 2252                                 45
134	  A.3      Changes to RFC 2256
135	  Copyright

137	1. Introduction

139	  This document discusses the X.500 Directory Information Models
140	  [X.501], as used by the Lightweight Directory Access Protocol (LDAP)
141	  [Roadmap].

143	  The Directory is "a collection of open systems cooperating to provide
144	  directory services" [X.500].  The information held in the Directory is
145	  collectively known as the Directory Information Base (DIB).  A
146	  Directory user, which may be a human or other entity, accesses the
147	  Directory through a client (or Directory User Agent (DUA)).  The
148	  client, on behalf of the directory user, interacts with one or more
149	  servers (or Directory System Agents (DSA)).  A server holds a fragment
150	  of the DIB.

152	  The DIB contains two classes of information:

154	      1) user information (e.g., information provided and administrated
155	         by users).  Section 2 describes the Model of User Information.

157	      2) administrative and operational information (e.g., information
158	         used to administer and/or operate the directory).  Section 3
159	         describes the model of Directory Administrative and Operational
160	         Information.

162	  These two models, referred to as the generic Directory Information
163	  Models, describe how information is represented in the Directory.
164	  These generic models provide a framework for other information models.
165	  Section 4 discusses the subschema information model and subschema
166	  discovery.  Section 5 discusses the DSA (Server) Informational Model.

168	  Other X.500 information models, such as access control, collective
169	  attribute, distribution knowledge, and replication knowledge
170	  information models, may be adapted for use in LDAP.  Specification of
171	  how these models are to be used in LDAP is left to future documents.

173	1.1. Relationship to Other LDAP Specifications

175	  This document is a integral part of the LDAP technical specification
176	  [Roadmap] which obsoletes entirely the previously defined LDAP
177	  technical specification [LDAPTS].

179	  This document obsoletes RFC 2251 sections 3.2 and 3.4, as well as
180	  portions of sections 4 and 6.  Appendix A.1 summaries changes to these
181	  sections.  The remainder of RFC 2251 is obsoleted by the [Protocol],
182	  [AuthMeth], and [Roadmap] documents.

184	  This document obsoletes RFC 2252 sections 4, 5 and 7.  Appendix A.2
185	  summaries changes to these sections.  The remainder of RFC 2252 is
186	  obsoleted by [Syntaxes] and [Schema].

188	  This document obsoletes RFC 2256 sections 5.1, 5.2, 7.1 and 7.2.
189	  Appendix A.3 summarizes changes to these sections.  The remainder of
190	  RFC 2256 is obsoleted by [Schema] and [Syntaxes].

192	1.2. Conventions

194	  The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
195	  "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
196	  document are to be interpreted as described in BCP 14 [RFC2119].

198	  Schema definitions are provided using LDAP description formats (as
199	  defined in Section 4.1).  Definitions provided here are formatted
200	  (line wrapped) for readability.  Matching rules and LDAP syntaxes
201	  referenced in these defintions are defined in [Syntaxes].

203	1.3. Common ABNF Productions

205	  A number of syntaxes in this document are described using ABNF
206	  [RFC2234].  These syntaxes (as well as a number of syntaxes defined in
207	  other documents) rely on the following common productions:

209	      keystring = leadkeychar *keychar
210	      leadkeychar = ALPHA
211	      keychar = ALPHA / DIGIT / HYPHEN

213	      number = DIGIT / ( LDIGIT 1*DIGIT )

215	      ALPHA  = %x41-5A / %x61-7A   ; "A"-"Z" / "a"-"z"
216	      DIGIT  = %x30 / LDIGIT       ; "0"-"9"
217	      LDIGIT = %x31-39             ; "1"-"9"

219	      HEX     = DIGIT / %x41-46 / %x61-66 ; 0-9 / A-F / a-f

221	      SP     = 1*SPACE  ; one or more " "
222	      WSP    = 0*SPACE  ; zero or more " "

224	      NULL   = %x00 ; null (0)
225	      SPACE  = %x20 ; space (" ")
226	      DQUOTE = %x22 ; quote (""")
227	      SHARP  = %x23 ; octothorpe (or sharp sign) ("#")
228	      DOLLAR = %x24 ; dollar sign ("$")
229	      SQUOTE = %x27 ; single quote ("'")
230	      LPAREN = %x28 ; left paren ("(")
231	      RPAREN = %x29 ; right paren (")")
232	      PLUS   = %x2B ; plus sign ("+")
233	      COMMA  = %x2C ; comma (",")
234	      HYPHEN = %x2D ; hypen ("-")
235	      DOT    = %x2E ; period (".")
236	      SEMI   = %x3B ; semicolon (";")
237	      LANGLE = %x3C ; left angle bracket ("<")
238	      EQUALS = %x3D ; equals sign ("=")
239	      RANGLE = %x3E ; right angle bracket (">")
240	      X      = %x58 ; uppercase x ("X")
241	      ESC    = %x5C ; backslash ("\")
242	      USCORE = %x5F ; underscore ("_")
243	      LCURLY = %x7B ; left curly brace "{"
244	      RCURLY = %x7D ; right curly brace "}"

246	      ; Any UTF-8 character
247	      UTF8    = UTF1 / UTFMB
248	      UTFMB   = UTF2 / UTF3 / UTF4 / UTF5 / UTF6
249	      UTF0    = %x80-BF
250	      UTF1    = %x00-7F
251	      UTF2    = %xC0-DF 1(UTF0)
252	      UTF3    = %xE0-EF 2(UTF0)
253	      UTF4    = %xF0-F7 3(UTF0)
254	      UTF5    = %xF8-FB 4(UTF0)
255	      UTF6    = %xFC-FD 5(UTF0)

257	      ; Any octet
258	      OCTET   = %x00-FF

260	  Object identifiers are represented in LDAP using a dot-decimal format
261	  conforming to the ABNF:

263	      numericoid = number *( DOT number )

265	  Short names, known as descriptors, are used as a more readable aliases
266	  for object identifiers.  Descriptors are case insensitive and conform
267	  to the the ABNF:

269	      descr = keystring

271	  Where either an object identifier or a short name may be specified,
272	  the following production is used:

274	      oid = descr / numericoid

276	  The <descr> form is preferred.  When a production <oid> is encoded in
277	  a value, the <descr> encoding option SHOULD be used instead of the
278	  <numericoid> encoding option.

280	2. Model of Directory User Information

282	  As [X.501] states:

284	      The purpose of the Directory is to hold, and provide access to,
285	      information about objects of interest (objects) in some 'world'.
286	      An object can be anything which is identifiable (can be named).

288	      An object class is an identified family of objects, or conceivable
289	      objects, which share certain characteristics. Every object belongs
290	      to at least one class.  An object class may be a subclass of other
291	      object classes, in which case the members of the former class, the
292	      subclass, are also considered to be members of the latter classes,
293	      the superclasses.  There may be subclasses of subclasses, etc., to
294	      an arbitrary depth.

296	  A directory entry, a named collection of information, is the basic
297	  unit of information held in the Directory.  An object entry represents
298	  a particular object.  An alias entry provides alternative naming.  A
299	  subentry holds administrative and/or operational information.

301	  The set of entries representing the DIB are organized hierarchically
302	  in a tree structure known as the Directory Information Tree (DIT).

304	  Section 2.1 describes the Directory Information Tree
305	  Section 2.2 discusses naming of entries.
306	  Section 2.3 discusses the structure of entries.
307	  Section 2.4 discusses object classes.
308	  Section 2.5 discusses attributes
309	  Section 2.6 discusses alias entries

311	2.1. The Directory Information Tree

313	  As noted above, the DIB is composed of a set of entries organized
314	  hierarchically in a tree structure known as the Directory Information
315	  Tree (DIT).  Specifically, a tree where vertices are the entries.

317	  The arcs between vertices define relations between entries.  If an arc
318	  exists from X to Y, then the entry at X is the immediate superior of Y
319	  and Y is the immediate subordinate of X.  An entry's superiors is the
320	  entry's immediate superior and its superiors.  An entry's subordinates
321	  is all of its immediate subordinates and their subordinates.

323	  Similarly, the superior/subordinate relationship between object
324	  entries can be used to derive a relation between the objects they
325	  represent.  DIT structural rules can be used to govern relationships
326	  between objects.

328	2.2. Naming of Entries

330	2.2.1.  Relative Distinguished Names

332	  Each entry is named relative to its immediate superior.  This relative
333	  name, known as its Relative Distinguished Name (RDN) [X.501], is
334	  composed of one or more attribute value assertions (AVA) consisting of
335	  an attribute description with zero options and an attribute value.  An
336	  entry's relative distinguished name must be unique among all its
337	  siblings.

339	  The following are example string representations of RDNs [LDAPDN]:

341	      UID=12345
342	      OU=Engineering
343	      CN=Kurt Zeilenga+L=Redwood Shores

345	  The last is an example of a multi-valued RDN.

347	2.2.2. Distinguished Names

349	  An entry's fully qualified name, known as its Distinguished Name (DN)
350	  [X.501], is the concatenation of its RDN and its immediate superior's
351	  DN.  A Distinguished Name unambiguously refers to an entry in the
352	  tree.  The following are example string representations of DNs
353	  [LDAPDN]:

355	      UID=nobody@example.com,DC=example,DC=com
356	      CN=John Smith,OU=Sales,O=ACME Limited,L=Moab,ST=Utah,C=US

358	2.2.3. Alias Names

360	  An alias, or alias name, is "an name for an object, provided by the
361	  use of alias entries" [X.501].  Alias entries are described in Section
362	  2.6.

364	2.3. Structure of an Entry

366	  An entry consist of a set of attributes which hold information about
367	  the object which entry represents.

369	  An attribute is an attribute description, a type and one or more
370	  options, with one or more associated values.  The attribute type
371	  governs whether the attribute can have multiple values, the syntax and
372	  matching rules used to construct and compare values of that attribute,
373	  and other functions.  Options indicate subtypes and other functions.

375	  An example of an attribute is 'givenName' [Schema].  There can be one
376	  or more values of this attribute, they must be directory strings, and
377	  they are case insensitive (e.g. "John" will match "JOHN").

379	2.4. Object Classes

381	  An object class is "an identified family of objects (or conceivable
382	  objects) which share certain characteristics" [X.501].

384	  As defined in [X.501]:

386	      Object classes are used in the Directory for a number of purposes:

388	        - describing and categorising objects and the entries that
389	          correspond to these objects;

391	        - where appropriate, controlling the operation of the Directory;

393	        - regulating, in conjunction with DIT structure rule
394	          specifications, the position of entries in the DIT;

396	        - regulating, in conjunction with DIT content rule
397	          specifications, the attributes that are contained in entries;

399	        - identifying classes of entry that are to be associated with a
400	          particular policy by the appropriate administrative authority.

402	      An object class (a subclass) may be derived from an object class
403	      (its direct superclass) which is itself derived from an even more
404	      generic object class.  For structural object classes, this process
405	      stops at the most generic object class, 'top' (defined in Section
406	      2.4.1).  An ordered set of superclasses up to the most superior
407	      object class of an object class is its superclass chain.

409	      An object class may be derived from two or more direct
410	      superclasses (superclasses not part of the same superclass chain).
411	      This feature of subclassing is termed multiple inheritance.

413	  Each object class identifies the set of attributes required to be
414	  present in entries belonging to the class and the set of attributes
415	  allowed to be present in entries belonging to the class.  As an entry
416	  of a class must meet the requirements of each class it belongs to, it
417	  can be said that an object class inherits the sets of allowed and
418	  required attributes from its superclasses.  A subclass can identify an
419	  attribute allowed by a subclass as being required.  If an attribute is
420	  a member of both sets, it is required to be present.

422	  Each object class is defined to be one of three kinds of object
423	  classes: Abstract, Structural, and Auxiliary.

425	  Each object is identified by an object identifier (OID) and,
426	  optionally, one or more short names known as descriptors.

428	2.4.1. Abstract Object Classes

430	  An Abstract object class, as the name implies, provides a base of
431	  characteristics from which other object classes can be defined to
432	  inherit from.  An entry cannot belong to only abstract object classes.

434	  Abstract object classes can not derive from structural nor auxiliary
435	  object classes.

437	  All structural object classes derive (directly or indirectly) from the
438	  'top' abstract object class.  Auxiliary object classes do not
439	  necessarily derive from 'top'.

441	      ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )

443	  All entries belong to the 'top' abstract class.

445	2.4.2. Structural Object Classes

447	  As stated in [X.501]:

449	      An object class defined for use in the structural specification of
450	      the DIT is termed a structural object class.  Structural object
451	      classes are used in the definition of the structure of the names
452	      of the objects for compliant entries.

454	      An object or alias entry is characterised by precisely one
455	      structural object class superclass chain which has a single
456	      structural object class as the most subordinate object class.
457	      This structural object class is referred to as the structural
458	      object class of the entry.

460	      Structural object classes are related to associated entries:

462	        - an entry conforming to a structural object class shall
463	          represent the real-world object constrained by the object
464	          class;

466	        - DIT structure rules only refer to structural object classes;
467	          the structural object class of an entry is used to specify the
468	          position of the entry in the DIT;

470	        - the structural object class of an entry is used, along with an
471	          associated DIT content rule, to control the content of an
472	          entry.

474	        The structural object class of an entry shall not be changed.

476	  Each structural object class is a (direct or indirect) subclass of the
477	  'top' abstract object class.

479	  Structural object classes cannot subclass auxiliary object classes.

481	  Each entry is said to belong to its structural object class as well as
482	  all classes in its structural object class's superclass chain, which
483	  always includes 'top'.

485	2.4.3. Auxiliary Object Classes

487	  Auxiliary object classes are used augment the characteristics of
488	  entries.  They are commonly used to augment the sets of attributes
489	  required and allowed attributes to be present in an entry.  They can
490	  be used to describe entries or classes of entries.

492	  Auxiliary object classes cannot subclass structural object classes.

494	  Each entry can belong to any number of auxiliary object classes.  The
495	  set of auxiliary object classes which an entry belongs to can change
496	  over time.

498	2.5. Attribute Descriptions

500	  An attribute description is composed of an attribute type (see Section
501	  2.5.1) and a set of zero or more attribute options (see Section
502	  2.5.2).

504	  An attribute description is represented by the ABNF:

506	      attributedescription = attributetype options

508	      attributetype = oid

510	      options = *( SEMI option )

512	      option = 1*keychar

514	  where <attributetype> identifies the attribute type and each <option>
515	  identifies an attribute option.  Both <attributetype> and <option>
516	  productions are case insensitive.  The order in which <option>s appear
517	  is irrelevant.  That is, any two <attributedescription>s which consist
518	  of the same <attributetype> and same set of <option>s are equivalent.

520	  Examples of valid attribute descriptions:

522	      2.5.4.0
523	      cn;lang-de;lang-en
524	      owner

526	  An attribute description which consisting of an unrecognized attribute
527	  type is to be treated as unrecongized.  Servers SHALL treat an
528	  attribute description with an unrecognized attribute option as
529	  unrecongized.  Client MAY treat an unrecongized attribute option as a
530	  tagging option (see Section 2.5.2.1).

532	  All attributes of an entry must have distinct attribute descriptions.

534	2.5.1. Attribute Types

536	  An attribute type governs whether the attribute can have multiple
537	  values, the syntax and matching rules used to construct and compare
538	  values of that attribute, and other functions.

540	  A user attribute type has userApplications usage.  An operational
541	  attribute type has one of three usages: directoryOperation,
542	  distributedOperation, or dsaOperation.  An operational attribute type
543	  may be defined as not modifiable by users.

545	  A user attribute type cannot be a subtype of an operational attribute
546	  type.  An operational attribute type which is a subtype must be
547	  subtype of an operational attribute type of the same usage
548	  (application).

550	  An attribute type (a subtype) may derive from another attribute type
551	  (a direct supertype).   The subtype inherits the matching rules and
552	  syntax of its supertype.

554	  An attribute description consisting of a subtype and no options is
555	  said to the direct description subtype of the attribute description
556	  consisting of the subtype's direct supertype and no options.

558	  Each attribute type is identified by an object identifier (OID) and,
559	  optionally, one or more short names known as descriptors.

561	  Procedures for registering descriptors are detailed in [LDAPIANA].

563	2.5.2. Attribute Options

565	  There are multiple kinds of attribute description options.  The LDAP
566	  technical specification details one kind: tagging options.

568	  Not all options can be associated with attributes held in the
569	  directory.  Tagging options can be.

571	  Not all options can be use in conjunction with all attribute types.
572	  In such cases, the attribute description is to be treated as
573	  unrecognized.

575	  An attribute description that contains mutually exclusive options
576	  shall be treated as unrecognized.  That is, "cn;x-bar;x-foo" (where
577	  "x-foo" and "x-bar" are mutually exclusive) is to be treated as
578	  unrecognized.

580	  Other kinds of options may be specified in future documents.  These
581	  documents must detail how new kinds of options they define relate to
582	  tagging and transfer options.  In particular, these documents must
583	  detail whether or not new kinds of options can be associated with
584	  attributes held in the directory, how new kinds of options affect
585	  transfer of attribute values, and how new kinds of options are treated
586	  in attribute description hierarchies.

588	  Options are represented as short case insensitive textual strings
589	  conforming to the <option> production defined in Section 2.5 of this
590	  document.

592	  Procedures for registering options are detailed in [LDAPIANA].

594	2.5.2.1. Tagging Options

596	  Attributes held in the directory can have attribute descriptions with
597	  one or more tagging options.  Tagging options are never mutually
598	  exclusive.

600	  An attribute description with N tagging options is consider a direct
601	  (description) subtype of all attribute descriptions of the same
602	  attribute type and all but one of the N options.  If the attribute
603	  type has a supertype, then the attribute description is also
604	  considered a direct (description) subtype of the attribute description
605	  of the supertype and the N tagging options.  That is,
606	  'cn;lang-de;lang-en' is considered a direct subtype of 'cn;lang-de',
607	  'cn;lang-en', and 'name;lang-de;lang-en' ('cn' is a subtype of 'name',
608	  both are defined in [Schema]).

610	2.5.3. Attribute Description Hierarchies

612	  An attribute description can be the direct subtype of zero or more
613	  other attribute descriptions as indicated by attribute type subtyping
614	  (as described in Section 2.5.1) or attribute tagging option subtyping
615	  (as described in Section 2.5.2.1).  These subtyping relationships are
616	  used to form hierarchies of attribute descriptions and attributes.

618	  As adapted from [X.501]:

620	      Attribute hierarchies allow access to the DIB with varying degrees
621	      of granularity.  This is achieved by allowing the value components
622	      of attributes to be accessed by using either their specific
623	      attribute description (a direct reference to the attribute) or by
624	      a more generic attribute description (an indirect reference).

626	      Semantically related attributes may be placed in a hierarchical
627	      relationship, the more specialized being placed subordinate to the
628	      more generalized.  Searching for, or retrieving attributes and
629	      their values is made easier by quoting the more generalized
630	      attribute description; a filter item so specified is evaluated for
631	      the more specialized descriptions as well as for the quoted
632	      description.

634	      Where subordinate specialized descriptions are selected to be
635	      returned as part of a search result these descriptions shall be
636	      returned if available.  Where the more general descriptions are
637	      selected to be returned as part of a search result both the
638	      general and the specialized descriptions shall be returned, if
639	      available.  An attribute value shall always be returned as a value
640	      of its own attribute description.

642	      All of the attribute descriptions in an attribute hierarchy are
643	      treated as distinct and unrelated descriptions for the purpose of
644	      administration of the entry and for user modification of entry
645	      content.

647	      For an entry to contain a value of an attribute description
648	      belonging to an attribute hierarchy, the attribute type of that
649	      description must be explicitly included either in the definition
650	      of an object class to which the entry belongs, or because the DIT
651	      content rule applicable to that entry permits it.

653	      An attribute value stored in a object or alias entry is of
654	      precisely one attribute description.  The description is indicated
655	      when the value is originally added to the entry.

657	  The indicated description may include options not stored with as part
658	  of the attribute.

660	2.5.4. Attribute Values

662	  Attribute values conform to the defined syntax of the attribute.

664	  When an attribute is used for naming of the entry, one and only one
665	  value of the attribute is selected to appear in the Relative
666	  Distinguished Name.  This value is known as a distinguished value.

668	  Only attributes whose descriptions have no options can be used for
669	  naming.

671	2.6. Alias Entries

673	  As adapted from [X.501]:

675	      An alias, or an alias name, for an object is a an alternative name
676	      for an object or object entry which is provided by the use of
677	      alias entries.

679	      Each alias entry contains, within the 'aliasedObjectName'
680	      attribute (known as the 'aliasedEntryName' attribute in X.500]), a
681	      name of some object.  The distinguished name of the alias entry is
682	      thus also a name for this object.

684	          NOTE - The name within the 'aliasedObjectName' is said to be
685	                 pointed to by the alias.  It does not have to be the
686	                 distinguished name of any entry.

688	      The conversion of an alias name to an object name is termed
689	      (alias) dereferencing and comprises the systematic replacement of
690	      alias names, where found within a purported name, by the value of
691	      the corresponding 'aliasedObjectName' attribute.  The process may
692	      require the examination of more than one alias entry.

694	      Any particular entry in the DIT may have zero or more alias names.
695	      It therefore follows that several alias entries may point to the
696	      same entry.  An alias entry may point to an entry that is not a
697	      leaf entry and may point to another alias entry.

699	      An alias entry shall have no subordinates, so that an alias entry
700	      is always a leaf entry.

702	      Every alias entry shall belong to the 'alias' object class.

704	2.6.1. 'alias' object class

706	  Alias entries belong to the 'alias' object class.

708	     ( 2.5.6.1 NAME 'alias' SUP top STRUCTURAL MUST aliasedObjectName )

710	2.6.2. 'aliasedObjectName' attribute type

712	  The 'aliasedObjectName' attribute holds the name of the entry an alias
713	  points to.  The 'aliasedObjectName' attribute is known as the
714	  'aliasedEntryName' attribute in X.500.

716	      ( 2.5.4.1 NAME 'aliasedObjectName' EQUALITY distinguishedNameMatch
717	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )

719	  The 'distinguishedNameMatch' matching rule and the DistinguishedName
720	  (1.3.6.1.4.1.1466.115.121.1.12) syntax is defined in [Syntaxes].

722	3. Directory Administrative and Operational Information

724	  This section discusses select aspects of the X.500 Directory
725	  Administrative and Operational Information model [X.501].  LDAP
726	  implementations MAY support other aspects of this model.

728	3.1. Subtrees

730	  As defined in [X.501]:

732	      A subtree is a collection of object and alias entries situated at
733	      the vertices of a tree.  Subtrees do not contain subentries.  The
734	      prefix sub, in subtree, emphasizes that the base (or root) vertex
735	      of this tree is usually subordinate to the root of the DIT.

737	      A subtree begins at some vertex and extends to some identifiable
738	      lower boundary, possibly extending to leaves.  A subtree is always
739	      defined within a context which implicitly bounds the subtree.  For
740	      example, the vertex and lower boundaries of a subtree defining a
741	      replicated area are bounded by a naming context.  Similarly, the
742	      scope of a subtree defining a specific administrative area is
743	      limited to the context of an enclosing autonomous administrative
744	      area.

746	3.2. Subentries

748	  A subentry is a "special sort of entry, known by the Directory, used
749	  to hold information associated with a subtree or subtree refinement"
750	  [X.501].  Subentries are used in Directory to hold for administrative
751	  and operational purposes as defined in [X.501].  Their use in LDAP is
752	  not detailed in this technical specification, but may be detailed in
753	  future documents.

755	  The term "(sub)entry" in this specification indicates that servers
756	  implementing X.500(93) models are to use a subentry and other servers
757	  use an object entry belonging to the appropriate auxiliary class
758	  normally used with the subentry (e.g., 'subschema' for subschema
759	  subentries) to mimic the subentry.  This object entry's RDN SHALL be
760	  formed from a value of the 'cn' (commonName) attribute [Schema].

762	3.3. The 'objectClass' attribute

764	  Each entry in the DIT has an 'objectClass' attribute.

766	      ( 2.5.4.0 NAME 'objectClass'
767	        EQUALITY objectIdentifierMatch
768	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

770	  The 'objectIdentifierMatch' matching rule and OBJECT IDENTIFIER
771	  (1.3.6.1.4.1.1466.115.121.1.38) syntax is defined in [Syntaxes].

773	  The 'objectClass' attribute specifies the object classes of an entry,
774	  which (among other things) is used in conjunction with user and system
775	  schema to determine the permitted attributes of an entry.  Values of
776	  this attribute can be modified by clients, but the 'objectClass'
777	  attribute cannot be removed.

779	  Servers which follow X.500(93) models SHALL restrict modifications of
780	  this attribute to prevent the basic structural class of the entry from
781	  being changed (e.g. one cannot change a 'person' into a 'country').

783	  When creating an entry or adding an 'objectClass' value to an entry,
784	  all superclasses of the named classes are implicitly added as well if
785	  not already present, and the client must supply values for any
786	  mandatory attributes of new superclasses.

788	3.4. Operational attributes

790	  Some attributes, termed operational attributes (as defined in Section
791	  12.4.1 of [X.501]), are used or maintained by servers for
792	  administrative and operational purposes.  Not all operational
793	  attributes are user modifiable.

795	  Operational attributes are not normally visible.  They are not
796	  returned in search results unless explicitly requested by name.

798	  Entries may contain, among others, the following operational
799	  attributes.

801	    - creatorsName: the Distinguished Name of the user who added this
802	      entry to the directory.

804	    - createTimestamp: the time this entry was added to the directory.

806	    - modifiersName: the Distinguished Name of the user who last
807	      modified this entry.

809	    - modifyTimestamp: the time this entry was last modified.

811	  Servers SHOULD maintain the 'creatorsName', 'createTimestamp',
812	  'modifiersName', and 'modifyTimestamp' for all entries of the DIT.

814	3.4.1. 'creatorsName'

816	  This attribute appears in entries which were added using the protocol
817	  (e.g., using the Add operation).  The value is the distinguised name
818	  of the creator.

820	      ( 2.5.18.3 NAME 'creatorsName'
821	        EQUALITY distinguishedNameMatch
822	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
823	        SINGLE-VALUE NO-USER-MODIFICATION
824	        USAGE directoryOperation )

826	  The 'distinguishedNameMatch' matching rule and the DistinguishedName
827	  (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [Syntaxes].

829	3.4.2. 'createTimestamp'

831	  This attribute appears in entries which were added using the protocol
832	  (e.g., using the Add operation).  The value is the time the entry was
833	  added.

835	      ( 2.5.18.1 NAME 'createTimestamp'
836	        EQUALITY generalizedTimeMatch
837	        ORDERING generalizedTimeOrderingMatch
838	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
839	        SINGLE-VALUE NO-USER-MODIFICATION
840	        USAGE directoryOperation )

842	  The 'generalizedTimeMatch' and 'generalizedTimeOrderingMatch' matching
843	  rules and the GeneralizedTime (1.3.6.1.4.1.1466.115.121.1.24) syntax
844	  are defined in [Syntaxes].

846	3.4.3. 'modifiersName'

848	  This attribute appears in entries which have been modified using the
849	  protocol (e.g., using Modify operation).  The value is the
850	  distinguised name of the last modifier.

852	      ( 2.5.18.4 NAME 'modifiersName'
853	        EQUALITY distinguishedNameMatch
854	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
855	        SINGLE-VALUE NO-USER-MODIFICATION
856	        USAGE directoryOperation )

858	  The 'distinguishedNameMatch' matching rule and the DistinguishedName
859	  (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [Syntaxes].

861	3.4.4. 'modifyTimestamp'

863	  This attribute appears in entries which have been modified using the
864	  protocol (e.g., using the Modify operation).  The value is the time
865	  the entry was last modified.

867	      ( 2.5.18.2 NAME 'modifyTimestamp'
868	        EQUALITY generalizedTimeMatch
869	        ORDERING generalizedTimeOrderingMatch
870	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
871	        SINGLE-VALUE NO-USER-MODIFICATION
872	        USAGE directoryOperation )

874	  The 'generalizedTimeMatch' and 'generalizedTimeOrderingMatch' matching
875	  rules and the GeneralizedTime (1.3.6.1.4.1.1466.115.121.1.24) syntax
876	  are defined in [Syntaxes].

878	4. Directory Schema

880	  As defined in [X.501]:

882	      The Directory Schema is a set of definitions and constraints
883	      concerning the structure of the DIT, the possible ways entries are
884	      named, the information that can be held in an entry, the
885	      attributes used to represent that information and their
886	      organization into hierarchies to facilitate search and retrieval
887	      of the information and the ways in which values of attributes may
888	      be matched in attribute value and matching rule assertions.

890	      NOTE 1 - The schema enables the Directory system to, for example:

892	      - prevent the creation of subordinate entries of the wrong
893	        object-class (e.g. a country as a subordinate of a person);

895	      - prevent the addition of attribute-types to an entry
896	        inappropriate to the object-class (e.g. a serial number to a
897	        person's entry);

899	      - prevent the addition of an attribute value of a syntax not
900	        matching that defined for the attribute-type (e.g. a printable
901	        string to a bit string).

903	        Formally, the Directory Schema comprises a set of:

905	      a) Name Form definitions that define primitive naming relations
906	         for structural object classes;

908	      b) DIT Structure Rule definitions that define the names that
909	         entries may have and the ways in which the the entries may be
910	         related to one another in the DIT;

912	      c) DIT Content Rule definitions that extend the specification of
913	         allowable attributes for entries beyond those indicated by the
914	         structural object classes of the entries;

916	      d) Object Class definitions that define the basic set of mandatory
917	         and optional attributes that shall be present, and may be
918	         present, respectively, in an entry of a given class, and which
919	         indicate the kind of object class that is being defined;

921	      e) Attribute Type definitions that identify the object identifier
922	         by which an attribute is known, its syntax, associated matching
923	         rules, whether it is an operational attribute and if so its
924	         type, whether it is a collective attribute, whether it is
925	         permitted to have multiple values and whether or not it is
926	         derived from another attribute type;

928	      f) Matching Rule definitions that define matching rules.

930	  And in LDAP:

932	      g) LDAP Syntaxes definitions that define encodings used in LDAP.

934	4.1. Schema Definitions

936	  Schema definitions in this section are described using ABNF and rely
937	  on the common productions specified in Section 1.2 as well as these:

939	      noidlen = numericoid [ LCURLY len RCURLY ]

941	      len = number

943	      oids = oid / ( LPAREN SP oidlist SP RPAREN )

945	      oidlist = oid *( SP DOLLAR SP oid )

947	      extensions = *( SP xstring SP qdstrings )

949	      xstring = X HYPHEN 1*( ALPHA / HYPHEN / USCORE )

951	      qdescrs = qdescr / ( LPAREN WHSP qdescrlist WHSP RPAREN )

953	      qdescrlist = [ qdescr *( WHSP qdescr ) ]

955	      qdescr = SQUOTE descr SQUOTE

957	      qdstring = SQUOTE dstring SQUOTE

959	      dstring = 1*( QS / QQ / QUTF8 )   ; escaped UTF8 string

961	      QQ =  ESC %x32 %x37 ; "\27"

963	      QS =  ESC %x35 ( %x43 / %x63 ) ; "\5C" / "\5C"

965	      ; Any UTF-8 encoded UCS character
966	      ; except %x27 ("'") and %x5C ("\")
967	      QUTF8    = QUTF1 / UTFMB
968	      ; Any ASCII character except %x27 ("'") and %x5C ("\")
969	      QUTF1    = %x00-26 / %x28-5B / %x5D-7F

971	  Schema definitions in this section also share a number of common
972	  terms.

974	  The NAME field provides a set of short names (descriptors) which are
975	  be used as aliases for the OID.

977	  The DESC field optionally allows a descriptive string to be provided
978	  by the directory administrator and/or implementor.  While
979	  specifications may suggest a descriptive string, there is no
980	  requirement that the suggested (or any) descriptive string be used.

982	  Implementors should note that future versions of this document may
983	  expand these definitions to include additional terms.  Terms whose
984	  identifier begins with "X-" are reserved for private experiments, and
985	  MUST be followed by a <space> and a <qdstrings> tokens.

987	4.1.1. Object Class Definitions

989	  Object Class definitions are written according to the ABNF:

991	    ObjectClassDescription = RPAREN WSP
992	        numericoid                 ; object identifer
993	        [ SP "NAME" SP qdescrs ]   ; short names
994	        [ SP "DESC" SP qdstring ]  ; description
995	        [ SP "OBSOLETE" ]          ; not active
996	        [ SP "SUP" SP oids ]       ; superior object classes
997	        [ SP kind ]                ; kind of class
998	        [ SP "MUST" SP oids ]      ; attribute types
999	        [ SP "MAY" SP oids ]       ; attribute types
1000	        extensions WSP RPAREN

1002	    kind = "ABSTRACT" / "STRUCTURAL" / "AUXILIARY"

1004	  where:
1005	    <numericoid> is object identifier assigned to this object class;
1006	    NAME <qdescrs> are short names identifying this object class;
1007	    DESC <qdstring> is a store descriptive string;
1008	    OBSOLETE indicates this object class is not active;
1009	    SUP <oids> specifies the direct superclasses of this object class;
1010	    the kind of object class is indicated by one of ABSTRACT,
1011	        STRUCTURAL, or AUXILIARY, default is STRUCTURAL;
1012	    MUST and MAY specify the sets of required and allowed attribute
1013	        types, respectively; and
1014	    <extensions> describe extensions.

1016	4.1.2. Attribute Types

1018	  Attribute Type definitions are written according to the ABNF:

1020	    AttributeTypeDescription = LPAREN WSP
1021	        numericoid                 ; object identifer
1022	        [ SP "NAME" SP qdescrs ]   ; short names
1023	        [ SP "DESC" SP qdstring ]  ; description
1024	        [ SP "OBSOLETE" ]          ; not active
1025	        [ SP "SUP" SP oid ]        ; subtype
1026	        [ SP "EQUALITY" SP oid ]   ; equality matching rule
1027	        [ SP "ORDERING" SP oid ]   ; ordering matching rule
1028	        [ SP "SUBSTR" SP oid ]     ; substrings matching rule
1029	        [ SP "SYNTAX" SP noidlen ] ; value syntax
1030	        [ SP "SINGLE-VALUE" ]      ; single-value
1031	        [ SP "COLLECTIVE" ]        ; collective
1032	        [ SP "NO-USER-MODIFICATION" ] ; not user modifiable
1033	        [ SP "USAGE" SP usage ]    ; usage
1034	        extensions WSP RPAREN      ; extensions

1036	    usage = "userApplications"     /
1037	            "directoryOperation"   /
1038	            "distributedOperation" /    ; DSA-shared
1039	            "dsaOperation"              ; DSA-specific

1041	  where:
1042	    <numericoid> is object identifier assigned to this attribute type;
1043	    NAME <qdescrs> are short names identifying this attribute type;
1044	    DESC <qdstring> is a store descriptive string;
1045	    OBSOLETE indicates this attribute type is not active;
1046	    SUP oid specifies the direct subtype of this type;
1047	    EQUALITY, ORDERING, SUBSTRING provide the oid of the equality,
1048	        ordering, and substrings matching rules, respectively;
1049	    SYNTAX identifies value syntax by object identifier and suggests a
1050	        minimum upper bound;
1051	    COLLECTIVE indicates this attribute type is collective;
1052	    NO-USER-MODIFICATION indicates this attribute type is not user
1053	        modifiable;
1054	    USAGE indicates the application of this attribute type; and
1055	    <extensions> describe extensions.

1057	  Each attribute type description must contain at least one of the SUP
1058	  or SYNTAX fields.

1060	  The default USAGE is userApplications.  COLLECTIVE requires USAGE
1061	  userApplications.  NO-USER_MODIFICATION requires usage other than
1062	  userApplications.

1064	  Note that the <AttributeTypeDescription> does not list the matching
1065	  rules which can can be used with that attribute type in an
1066	  extensibleMatch search filter.  This is done using the
1067	  'matchingRuleUse' attribute described in Section 4.1.3.

1069	  This document refines the schema description of X.501 by requiring
1070	  that the SYNTAX field in an <AttributeTypeDescription> be a string
1071	  representation of an object identifier for the LDAP string syntax
1072	  definition with an optional indication of the suggested minimun bound
1073	  of a value of this attribute.

1075	  A suggested minimum upper bound on the number of characters in a value
1076	  with a string-based syntax, or the number of bytes in a value for all
1077	  other syntaxes, may be indicated by appending this bound count inside
1078	  of curly braces following the syntax's OBJECT IDENTIFIER in an
1079	  Attribute Type Description.  This bound is not part of the syntax name
1080	  itself.  For instance, "1.3.6.4.1.1466.0{64}" suggests that server
1081	  implementations should allow a string to be 64 characters long,
1082	  although they may allow longer strings.  Note that a single character
1083	  of the Directory String syntax may be encoded in more than one octet
1084	  since UTF-8 is a variable-length encoding.

1086	4.1.3. Matching Rules

1088	  Matching rules are used by servers to compare attribute values against
1089	  assertion values when performing Search and Compare operations.  They
1090	  are also used to identify the value to be added or deleted when
1091	  modifying entries, and are used when comparing a purported
1092	  distinguished name with the name of an entry.

1094	  A matching rule specifes the syntax of the assertion value.

1096	  Each matching rule is identified by an object identifier (OID) and,
1097	  optionally, one or more short names known as descriptors.

1099	  Matching rule definitions are written according to the ABNF:

1101	    MatchingRuleDescription = LPAREN WSP
1102	        numericoid                 ; object identifer
1103	        [ SP "NAME" SP qdescrs ]   ; short names
1104	        [ SP "DESC" SP qdstring ]  ; description
1105	        [ SP "OBSOLETE" ]          ; not active
1106	        SP "SYNTAX" SP numericoid  ; oid corrected to numericoid
1107	        extensions WSP RPAREN      ; extensions

1109	  where:
1110	    <numericoid> is object identifier assigned to this matching rule;
1111	    NAME <qdescrs> are short names identifying this matching rule;
1112	    DESC <qdstring> is a store descriptive string;
1113	    OBSOLETE indicates this matching rule is not active;
1114	    SYNTAX identifies the assertion syntax by object identifier; and
1115	    <extensions> describe extensions.

1117	  A matching rule use lists the attributes which are suitable for use
1118	  with an extensible matching rule.

1120	  Matching rule use descriptions (see Section 4.1.3) are written
1121	  according to the following ABNF:

1123	    MatchingRuleUseDescription = LPAREN WSP
1124	        numericoid                 ; object identifer
1125	        [ SP "NAME" SP qdescrs ]   ; short names
1126	        [ SP "DESC" SP qdstring ]  ; description
1127	        [ SP "OBSOLETE" ]          ; not active
1128	        SP "APPLIES" SP oids       ; attribute types
1129	        extensions WSP RPAREN      ; extensions

1131	  where:
1132	    <numericoid> is the object identifier of the matching rule
1133	        associated with this matching rule use description;
1134	    NAME <qdescrs> are short names identifying this matching rule use;
1135	    DESC <qdstring> is a store descriptive string;
1136	    OBSOLETE indicates this matching rule use is not active;
1137	    APPLIES provides a list of attribute types the matching rule applies
1138	        to; and
1139	    <extensions> describe extensions.

1141	4.1.4. LDAP Syntaxes

1143	  LDAP Syntaxes of (attribute and assertion) values are described in
1144	  terms of ASN.1 [X.680] and, optionally, have an octet string encoding
1145	  known as the LDAP-specific encoding.  Commonly, the LDAP-specific
1146	  encoding is constrained to string of Universal Character Set (UCS)
1147	  [ISO10646] characters in UTF-8 [RFC2279] form.

1149	  Each LDAP syntax is identified by an object identifier (OID).  These
1150	  are not intended to be displayed to users.

1152	  LDAP syntax definitions are written according to the ABNF:

1154	    SyntaxDescription = LPAREN WSP
1155	        numericoid                 ; object identifer
1156	        [ SP "DESC" SP qdstring ]  ; description
1157	        extensions WSP RPAREN      ; extensions

1159	  where:
1160	    <numericoid> is object identifier assigned to this LDAP syntax;
1161	    DESC <qdstring> is a store descriptive string; and
1162	    <extensions> describe extensions.

1164	4.1.5. DIT Content Rules

1166	  A DIT content rule is a "rule governing the content of entries of a
1167	  particular structural object class" [X.501].

1169	  A DIT content rule specifies for DIT entries of a particular
1170	  structural object class, which auxiliary object classes the entries
1171	  are allowed to belong to and which additional attributes (by type) are
1172	  required, allowed or not allowed to appear in the entries.

1174	  The list of precluded attributes cannot include any attribute listed
1175	  as mandatory in rule, the structural object class, or any of the
1176	  allowed auxiliary object classes.

1178	  Each content rule is identified by the object identifer, as well as
1179	  any short names, of the structural rule it applies to.

1181	  An entry may only belong to auxiliary object classes listed in the
1182	  governing content rule.

1184	  An entry must contain all attributes required by the object classes
1185	  the entry belongs to as well as all attributed required by the
1186	  governing content rule.

1188	  An entry may contain any non-precluded attributes allowed by the
1189	  object classes the entry belongs to as well as all attributes allowed
1190	  by the governing content rule.

1192	  An entry cannot include any attribute precluded by the governing
1193	  content rule.

1195	  An entry is governed by (if present and active in the subschema) the
1196	  DIT content rule which applies to the structural object class of the
1197	  entry (see Section 2.4.2).  If no active rule is present for the
1198	  entry's structural object class, the entry's content is governed by
1199	  the structural object class (and possibly other aspects of user and
1200	  system schema).

1202	  DIT content rule descriptions are written according to the ABNF:

1204	    DITContentRuleDescription = LPAREN WSP
1205	        numericoid                 ; object identifer
1206	        [ SP "NAME" SP qdescrs ]   ; short names
1207	        [ SP "DESC" SP qdstring ]  ; description
1208	        [ SP "OBSOLETE" ]          ; not active
1209	        [ SP "AUX" SP oids ]       ; auxiliary object classes
1210	        [ SP "MUST" SP oids ]      ; attribute types
1211	        [ SP "MAY" SP oids ]       ; attribute types
1212	        [ SP "NOT" SP oids ]       ; attribute types
1213	        extensions WSP RPAREN      ; extensions

1215	  where:
1216	    <numericoid> is the object identifier of the structural object class
1217	        associated with this DIT content rule;
1218	    NAME <qdescrs> are short names identifying this DIT content rule;
1219	    DESC <qdstring> is a store descriptive string;
1220	    OBSOLETE indicates this DIT content rule use is not active;
1221	    AUX specifies a list of auxiliary object classes which entries
1222	        subject to this DIT content rule may belong to;
1223	    MUST, MAY, and NOT specify lists of attribute types which are
1224	        required, allowed, or precluded, respectively, from appearing in
1225	        entries subject to this DIT content rule; and
1226	    <extensions> describe extensions.

1228	4.1.6. DIT Structural Rules and Name Forms

1230	  It is sometimes desirable to regulate where object entries can be
1231	  placed in the DIT and how they can be named based upon their
1232	  structural object class.

1234	  A DIT structural rule is a "rule governing the structure of the DIT by
1235	  specifying a permitted superior to subordinate entry relationship.  A
1236	  structure rule relates a name form, and therefore a structural object
1237	  class, to superior structure rules.  This permits entries of the
1238	  structural object class identified by the name form to exist in the
1239	  DIT as subordinates to entries governed by the indicated superior
1240	  structure rules" [X.501].

1242	  A name form "specifies a permissible RDN for entries of a particular
1243	  structural object class.  A name form identifies a named object class
1244	  and one or more attribute types to be used for naming (i.e.  for the
1245	  RDN).  Name forms are primitive pieces of specification used in the
1246	  definition of DIT structure rules" [X.501].

1248	  Each name form indicates the structural object class to be named, a
1249	  set of required attribute types, and a set of allowed attributes
1250	  types.  A particular attribute type cannot be listed in both sets.

1252	  Entries governed by the form must be named using a value from each
1253	  required attribute type and zero or more values from the allowed
1254	  attribute types.

1256	  Each name form is identified by an object identifier (OID) and,
1257	  optionally, one or more short names known as descriptors.

1259	  DIT structure rule descriptions are written according to the ABNF:

1261	    DITStructureRuleDescription = LPAREN WSP
1262	        ruleid                     ; rule identifier
1263	        [ SP "NAME" SP qdescrs ]   ; short names
1264	        [ SP "DESC" SP qdstring ]  ; description
1265	        [ SP "OBSOLETE" ]          ; not active
1266	        SP "FORM" SP oid           ; NameForm
1267	        [ SP "SUP" ruleids ]       ; superior rules
1268	        extensions WSP RPAREN      ; extensions

1270	    ruleids = ruleid / LPAREN WSP ruleidlist WSP RPAREN

1272	    ruleidlist = [ ruleid *( SP ruleid ) ]

1274	    ruleid = number

1276	  where:
1277	    <ruleid> is the rule identifier of this DIT structure rule;
1278	    NAME <qdescrs> are short names identifying this DIT structure rule;
1279	    DESC <qdstring> is a store descriptive string;
1280	    OBSOLETE indicates this DIT structure rule use is not active;
1281	    FORM is specifies the name form associated with this DIT strucure
1282	        rule;
1283	    SUP identifies superior rules (by rule id); and
1284	    <extensions> describe extensions.

1286	  Name form descriptions are written according to the ABNF:

1288	    NameFormDescription = LPAREN WSP
1289	        numericoid                 ; object identifer
1290	        [ SP "NAME" SP qdescrs ]   ; short names
1291	        [ SP "DESC" SP qdstring ]  ; description
1292	        [ SP "OBSOLETE" ]          ; not active
1293	        SP "OC" SP oid             ; structural object class
1294	        SP "MUST" SP oids          ; attribute types
1295	        [ SP "MAY" SP oids ]       ; attribute types
1296	        extensions WSP RPAREN      ; extensions

1298	  where:
1299	    <numericoid> is object identifier assigned to this name form;
1300	    NAME <qdescrs> are short names identifying this name form;
1301	    DESC <qdstring> is a store descriptive string;
1302	    OBSOLETE indicates this name form is not active;
1303	    OC identifies the structural object class this rule applies to,
1304	    MUST and MAY specify the sets of required and allowed, respectively,
1305	        naming attributes for this name form; and
1306	    <extensions> describe extensions.

1308	4.2. Subschema Subentries

1310	  Subschema (sub)entries are used for administering information about
1311	  the directory schema.  A single subschema (sub)entry contains all
1312	  schema definitions (see Section 4.1) used by entries in a particular
1313	  part of the directory tree.

1315	  Servers which follow X.500(93) models SHOULD implement subschema using
1316	  the X.500 subschema mechanisms (as detailed in Section 12 of [X.501]),
1317	  and so these are not ordinary object entries but subentries (see
1318	  Section 3.2).  LDAP clients SHOULD NOT assume that servers implement
1319	  any of the other aspects of X.500 subschema.

1321	  Servers MAY allow modification of subschema.  Procedures for Subschema
1322	  Modification are discussed in Section 14.5 of [X.501].

1324	  A server which masters entries and permits clients to modify these
1325	  entries MUST implement and provide access to these subschema
1326	  (sub)entries including providing a 'subschemaSubentry' attribute in
1327	  each modifiable entry.  This so clients may discover the attributes
1328	  and object classes which are permitted to be present.  It is strongly
1329	  RECOMMENDED that all other servers implement this as well.

1331	  A server SHALL only publish schema definitions for elements it
1332	  supports.  It is noted that servers do not necessarily have to support
1333	  all schema elements referenced by a published definition.

1335	  The value of the 'subschemaSubentry' attribute is the name of the
1336	  subschema (sub)entry holding the subschema controlling the entry.

1338	      ( 2.5.18.10 NAME 'subschemaSubentry'
1339	        EQUALITY distinguishedNameMatch
1340	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
1341	        NO-USER-MODIFICATION SINGLE-VALUE
1342	        USAGE directoryOperation )

1344	  The 'distinguishedNameMatch' matching rule and the DistinguishedName
1345	  (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [Syntaxes].

1347	  Subschema is held in (sub)entries belonging to the subschema auxiliary
1348	  object class.

1350	      ( 2.5.20.1 NAME 'subschema' AUXILIARY
1351	        MAY ( dITStructureRules $ nameForms $ ditContentRules $
1352	          objectClasses $ attributeTypes $ matchingRules $
1353	          matchingRuleUse ) )

1355	  The 'ldapSyntaxes' operational attribute may also be present in
1356	  subschema entries.

1358	  Servers MAY provide other attributes in subschema (sub)entries to
1359	  reflect additional supported capabilities or for other administrative
1360	  and operational purposes.

1362	  Servers SHOULD provide the attributes 'createTimestamp' and
1363	  'modifyTimestamp' in subschema (sub)entries, in order to allow clients
1364	  to maintain their caches of schema information.

1366	  The following subsections provide attribute type definitions for each
1367	  of schema definition attribute types.

1369	4.2.1. 'objectClasses'

1371	  This attribute holds definitions of object classes supported in the
1372	  subschema.

1374	      ( 2.5.21.6 NAME 'objectClasses'
1375	        EQUALITY objectIdentifierFirstComponentMatch
1376	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.37
1377	        USAGE directoryOperation )

1379	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1380	  ObjectClassDescription (1.3.6.1.4.1.1466.115.121.1.37) syntax are
1381	  defined in [Syntaxes].

1383	4.2.2. 'attributeTypes'

1385	  This attribute holds definitions of attribute types supported in the
1386	  subschema.

1388	      ( 2.5.21.5 NAME 'attributeTypes'
1389	        EQUALITY objectIdentifierFirstComponentMatch
1390	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.3
1391	        USAGE directoryOperation )

1393	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1394	  AttributeTypeDescription (1.3.6.1.4.1.1466.115.121.1.3) syntax are
1395	  defined in [Syntaxes].

1397	4.2.3. 'matchingRules'

1399	  This attribute holds definitions of matching rules supported in the
1400	  subschema.

1402	      ( 2.5.21.4 NAME 'matchingRules'
1403	        EQUALITY objectIdentifierFirstComponentMatch
1404	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.30
1405	        USAGE directoryOperation )

1407	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1408	  MatchingRuleDescription (1.3.6.1.4.1.1466.115.121.1.30) syntax are
1409	  defined in [Syntaxes].

1411	4.2.4 'matchingRuleUse'

1413	  This attribute holds definitions of matching rule uses supported in
1414	  the subschema.

1416	      ( 2.5.21.8 NAME 'matchingRuleUse'
1417	        EQUALITY objectIdentifierFirstComponentMatch
1418	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.31
1419	        USAGE directoryOperation )

1421	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1422	  MatchingRuleUseDescription (1.3.6.1.4.1.1466.115.121.1.31) syntax are
1423	  defined in [Syntaxes].

1425	4.2.5. 'ldapSyntaxes'

1427	  This attribute holds definitions of LDAP syntaxes supported in the
1428	  subschema.

1430	      ( 1.3.6.1.4.1.1466.101.120.16 NAME 'ldapSyntaxes'
1431	        EQUALITY objectIdentifierFirstComponentMatch
1432	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.54
1433	        USAGE directoryOperation )

1435	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1436	  SyntaxDescription (1.3.6.1.4.1.1466.115.121.1.54) syntax are defined
1437	  in [Syntaxes].

1439	4.2.6. 'dITContentRules'

1441	  This attribute lists DIT Content Rules which are in force.

1443	      ( 2.5.21.2 NAME 'dITContentRules'
1444	        EQUALITY objectIdentifierFirstComponentMatch
1445	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.16
1446	        USAGE directoryOperation )

1448	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1449	  DITContentRuleDescription (1.3.6.1.4.1.1466.115.121.1.16) syntax are
1450	  defined in [Syntaxes].

1452	4.2.7. 'dITStructureRules'

1454	  This attribute lists DIT Structure Rules which are in force.

1456	      ( 2.5.21.1 NAME 'dITStructureRules'
1457	        EQUALITY integerFirstComponentMatch
1458	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.17
1459	        USAGE directoryOperation )

1461	  The 'integerFirstComponentMatch' matching rule and the
1462	  DITStructureRuleDescription (1.3.6.1.4.1.1466.115.121.1.17) syntax are
1463	  defined in [Syntaxes].

1465	4.2.8 'nameForms'

1467	  This attribute lists Name Forms which are in force.

1469	      ( 2.5.21.7 NAME 'nameForms'
1470	        EQUALITY objectIdentifierFirstComponentMatch
1471	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.35
1472	        USAGE directoryOperation )

1474	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1475	  NameFormDescription (1.3.6.1.4.1.1466.115.121.1.35) syntax are defined
1476	  in [Syntaxes].

1478	4.3. 'extensibleObject' object class

1480	  The 'extensibleObject auxiliary object class allows entries belong to
1481	  it to hold any attribute type.  The set of allowed attributes of this
1482	  class is implicitly the set of all user attributes.

1484	      ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject'
1485	        SUP top AUXILIARY )

1487	  The mandatory attributes of the other object classes of this entry are
1488	  still required to be present and any precluded attributes are still
1489	  not allowed to be present.

1491	  Note that not all servers will implement this object class, and those
1492	  which do not will reject requests to add entries which contain this
1493	  object class, or modify an entry to add this object class.

1495	4.4. Subschema Discovery

1497	  To discover the DN of the subschema (sub)entry holding the subschema
1498	  controlling a particular entry (or subentry), a client reads that
1499	  entry's 'subschemaSubentry' operational attribute.  To read schema
1500	  attributes from the subschema (sub)entry, clients MUST issue a base
1501	  object search where the filter is "(objectClass=subschema)" and the
1502	  list of attributes includes the names of the desired schema attributes
1503	  (as they are operational).  This filter allows LDAP servers which
1504	  gateway to X.500 to detect that subentry information is being
1505	  requested.

1507	  Clients SHOULD NOT assume that server supports all referenced elements
1508	  of a particular definition.  For example, a client is not to assume
1509	  the server supports the EQUALITY matching rule of a listed attribute
1510	  unless the server publishes a definition for that matching rule.

1512	5. DSA (Server) Informational Model

1514	  The LDAP protocol assumes there are one or more servers which jointly
1515	  provide access to a Directory Information Tree (DIT).

1517	  As defined in [X.501]:

1519	      context prefix: The sequence of RDNs leading from the Root of the
1520	          DIT to the initial vertex of a naming context; corresponds to
1521	          the distinguished name of that vertex.

1523	      DIB fragment: The portion of the DIB that is held by one master
1524	          DSA, comprising one or more naming contexts.

1526	      naming context: A subtree of entries held in a single master DSA.

1528	  That is, a naming context is the largest collection of entries,
1529	  starting at an entry that is mastered by a particular server, and
1530	  including all its subordinates and their subordinates, down to the
1531	  entries which are mastered by different servers.  And the context
1532	  prefix is the name of the initial entry.

1534	  The root of the DIT is a DSA-specific Entry (DSE) and not part of any
1535	  naming context (or any subtree); each server has different attribute
1536	  values in the root DSE.

1538	5.1. Server-specific Data Requirements

1540	  An LDAP server MUST provide information about itself and other
1541	  information that is specific to each server.  This is represented as a
1542	  group of attributes located in the root DSE (DSA-Specific Entry),
1543	  which is named with the zero-length LDAPDN.  These attributes are
1544	  retrievable, subject to access control and other restrictions, if a
1545	  client performs a base object search of the root with filter
1546	  "(objectClass=*)" requesting the desired attributes.  It is noted that
1547	  root DSE attributes are operational, and like other operational
1548	  attributes, are not returned in search requests unless requested by
1549	  name.

1551	  The root DSE SHALL NOT be included if the client performs a subtree
1552	  search starting from the root.

1554	  Servers may allow clients to modify attributes of the root DSE where
1555	  appropriate.

1557	  The following attributes of the root DSE are defined in [Syntaxes].
1558	  Additional attributes may be defined in other documents.

1560	    - altServer: alternative servers;

1562	    - namingContexts: naming contexts;

1564	    - supportedControl: recognized LDAP controls;

1566	    - supportedExtension: recognized LDAP extended operations;

1568	    - supportedLDAPVersion: LDAP versions supported; and

1570	    - supportedSASLMechanisms: recognized SASL mechnanisms.

1572	  The values of these attributes provided may depend on a session
1573	  specific and other factors.  For example, a server supporting the SASL
1574	  EXTERNAL mechanism may only list "EXTERNAL" when the client's identity
1575	  has been established by a lower level.  See [AuthMeth].

1577	  The root DSE may also include a 'subschemaSubentry' attribute.  If so,
1578	  it refers to the subschema (sub)entry holding schema controlling
1579	  attributes of the root DSE.  Client SHOULD NOT assume that the
1580	  subschema (sub)entry controlling the root DSE controls any entry held
1581	  by the server.  General subschema discovery procedures are provided in
1582	  Section 4.4.

1584	5.1.1. 'altServer'

1586	  The 'altServer' attribute lists URLs referring to alternative servers
1587	  which may be contacted when this server becomes unavailable.  If the
1588	  server does not know of any other servers which could be used this
1589	  attribute will be absent.  Clients may cache this information in case
1590	  their preferred LDAP server later becomes unavailable.

1592	      ( 1.3.6.1.4.1.1466.101.120.6 NAME 'altServer'
1593	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 USAGE dSAOperation )

1595	  The IA5String (1.3.6.1.4.1.1466.115.121.1.26) syntax is defined in
1596	  [Syntaxes].

1598	5.1.2. 'namingContexts'

1600	  The 'namingContexts' attribute lists the context prefixes of the
1601	  naming contexts the server masters or shadows (in part or in whole).
1602	  If the server does not master or shadow any information (e.g. it is an
1603	  LDAP gateway to a public X.500 directory) this attribute will be
1604	  absent.  If the server believes it masters or shadows the entire
1605	  directory, the attribute will have a single value, and that value will
1606	  be the empty string (indicating the null DN of the root).  This
1607	  attribute allows a client to choose suitable base objects for
1608	  searching when it has contacted a server.

1610	      ( 1.3.6.1.4.1.1466.101.120.5 NAME 'namingContexts'
1611	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 USAGE dSAOperation )

1613	  The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax is
1614	  defined in [Syntaxes].

1616	5.1.3. 'supportedControl'

1618	  The 'supportedControl' attribute lists object identifiers identifying
1619	  the request controls the server supports.  If the server does not
1620	  support any request controls, this attribute will be absent.

1622	  Object identifiers identifying response controls need not be listed.

1624	  Procedures for registering object identifiers used to discovery of
1625	  protocol mechanisms are detailed in [LDAPIANA].

1627	      ( 1.3.6.1.4.1.1466.101.120.13 NAME 'supportedControl'
1628	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation )

1630	  The OBJECT IDENTIFIER (1.3.6.1.4.1.1466.115.121.1.38) syntax is
1631	  defined in [Syntaxes].

1633	5.1.4. 'supportedExtension'

1635	  The 'supportedExtension' attribute lists object identifiers
1636	  identifying the extended operations which the server supports.  If the
1637	  server does not support any extended operations, this attribute will
1638	  be absent.

1640	  An extended operation comprises a ExtendedRequest, possibly other PDUs
1641	  defined by extension, and an ExtendedResponse [Protocol].  The object
1642	  identifier assigned to the ExtendedRequest is used to identify the
1643	  extended operation.  Other object identifiers associated with the
1644	  extended operation need not be listed.

1646	  Procedures for registering object identifiers used to discovery of
1647	  protocol mechanisms are detailed in [LDAPIANA].

1649	      ( 1.3.6.1.4.1.1466.101.120.7 NAME 'supportedExtension'
1650	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation )

1652	  The OBJECT IDENTIFIER (1.3.6.1.4.1.1466.115.121.1.38) syntax is
1653	  defined in [Syntaxes].

1655	5.1.5. 'supportedLDAPVersion'

1657	  The 'supportedLDAPVersion' attribute lists the versions of LDAP which
1658	  the server supports.

1660	      ( 1.3.6.1.4.1.1466.101.120.15 NAME 'supportedLDAPVersion'
1661	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 USAGE dSAOperation )

1663	  The INTEGER (1.3.6.1.4.1.1466.115.121.1.27) syntax are defined in
1664	  [Syntaxes].

1666	5.1.6. 'supportedSASLMechanisms'
1667	  The 'supportedSASLMechanisms' attribute lists the SASL mechanisms
1668	  [RFC2222] which the server recognizes.  The contents of this attribute
1669	  may depend on the current session state.  If the server does not
1670	  support any SASL mechanisms this attribute will not be present.

1672	      ( 1.3.6.1.4.1.1466.101.120.14 NAME 'supportedSASLMechanisms'
1673	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE dSAOperation )

1675	  The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is defined
1676	  in [Syntaxes].

1678	6. Other Considerations

1680	6.1. Preservation of User Information

1682	  Syntaxes may be defined which have specific value and/or value form
1683	  (representation) preservation requirements.  For example, a syntax
1684	  containing digitally signed data can mandate the server preserve both
1685	  the value and form of value presented to ensure signature is not
1686	  invalidated.

1688	  Where such requirements have not be explicitly stated, servers SHOULD
1689	  preserve the value of user information but MAY return the value in a
1690	  different form.  Where a server is unable (or unwilling) to preserve
1691	  the value of user information, the server SHALL ensure that an
1692	  equivalent value is returned.  Two values are considered equivalent if
1693	  they would match according to the equality matching rule of the
1694	  associated attribute as evaluated (within variances allowed by the
1695	  rule's specification) on that server.  If the attribute is defined
1696	  with no equality matching rule, two values are equivalent only if and
1697	  only if they are identical.

1699	6.2. Short Names

1701	  Short names (descriptors) used to identify various schema elements are
1702	  non-unique, as two different specifications (neither in Standards
1703	  Track RFCs) may choose the same name.  The client can retrieve the
1704	  subschema (as described above) to determine the element identified (in
1705	  that subschema) by a particular short name.

1707	  Procedures for registering short names are detailed in [LDAPIANA].
1708	  Specifications of schema elements should use registered short names to
1709	  avoid conflicts.

1711	6.3. Cache and Shadowing
1712	  Some servers may hold cache or shadow copies of entries, which can be
1713	  used to answer search and comparison queries, but will return
1714	  referrals or contact other servers if modification operations are
1715	  requested.  Servers that perform shadowing or caching MUST ensure that
1716	  they do not violate any access control constraints placed on the data
1717	  by the originating server.

1719	7. Implementation Guidelines

1721	7.1 Server Guidelines

1723	  Servers MUST recognize all attribute types and object classes defined
1724	  in this document but, unless stated otherwise, need not support the
1725	  associated functionality.  Servers SHOULD recognize all the names of
1726	  object classes defined in Section 7 of [Schema].

1728	  Servers MUST ensure that entries conform to user and system schema
1729	  rules or other data model constraints.

1731	  Servers MAY support DIT Content Rules, DIT Structural Rules, and/or
1732	  Name Forms features.  To indicate support, servers SHOULD provide in
1733	  the subschema the definitions of attribute types associated with the
1734	  features they support.

1736	  Servers MAY support alias entries.  To indicate support for alias
1737	  entries, servers SHOULD provide definitions for 'alias' and
1738	  'aliasedObjectName' in subschema (sub)entries.

1740	  Servers MAY support subentries.  If so, they MUST do so in accordance
1741	  with [X.501].  Servers which do not support subenties SHOULD use
1742	  object entries to mimic subentries as detailed in Section 3.2.

1744	  Servers MAY support the 'extensibleObject' object class.  To indicate
1745	  support for 'extensibleObject', servers SHOULD provide the
1746	  'extensibleObject' definition in subschema (sub)entries.

1748	  Servers MAY implement additional object classes.  Servers SHOULD
1749	  provide the definitions of all object classes they support in
1750	  subschema (sub)entries.

1752	7.2 Client Guidelines

1754	  Clients MUST NOT display nor attempt to decode as ASN.1, a value if
1755	  its syntax is not known.  The implementation may attempt to discover
1756	  the subschema of the source entry, and retrieve the values of
1757	  'attributeTypes' from the subschema (sub)entry.

1759	  Clients MUST NOT assume the LDAP-specific string encoding is
1760	  restricted to a UTF-8 encoded string of UCS characters or any
1761	  particular subset of particular subset of UCS (such as a printable
1762	  subset) unless such restriction is explicitly stated.

1764	  Clients MUST NOT send attribute values in a request that are not valid
1765	  according to the syntax defined for the attributes.

1767	8. Security Considerations

1769	  Attributes of directory entries are used to provide descriptive
1770	  information about the real-world objects they represent, which can be
1771	  people, organizations or devices.  Most countries have privacy laws
1772	  regarding the publication of information about people.

1774	  General security considerations for accessing directory information
1775	  with LDAP are discussed in [Protocol] and [AuthMeth].

1777	9. IANA Considerations

1779	  It is requested that IANA update the LDAP descriptors registry as
1780	  indicated the following template:

1782	      Subject: Request for LDAP Descriptor Registration Update
1783	      Descriptor (short name): see comment
1784	      Object Identifier: see comment
1785	      Person & email address to contact for further information:
1786	          Kurt Zeilenga <kurt@OpenLDAP.org>
1787	      Usage: see comment
1788	      Specification: RFC XXXX
1789	      Author/Change Controller: IESG
1790	      Comments:

1792	      The following descriptors should be updated to refer to RFC XXXX.

1794	        NAME                         Type OID
1795	        ------------------------     ---- -----------------
1796	        alias                           O 2.5.6.1
1797	        aliasedEntryName                A 2.5.4.1
1798	        aliasedObjectName               A 2.5.4.1
1799	        altServer                       A 1.3.6.1.4.1.1466.101.120.6
1800	        attributeTypes                  A 2.5.21.5
1801	        createTimestamp                 A 2.5.18.1
1802	        creatorsName                    A 2.5.18.3
1803	        dITContentRules                 A 2.5.21.2
1804	        dITStructureRules               A 2.5.21.1
1805	        extensibleObject                O 1.3.6.1.4.1.1466.101.120.111
1806	        ldapSyntaxes                    A 1.3.6.1.4.1.1466.101.120.16
1807	        matchingRuleUse                 A 2.5.21.8
1808	        matchingRules                   A 2.5.21.4
1809	        modifiersName                   A 2.5.18.4
1810	        modifyTimestamp                 A 2.5.18.2
1811	        nameForms                       A 2.5.21.7
1812	        namingContexts                  A 1.3.6.1.4.1.1466.101.120.5
1813	        objectClass                     A 2.5.4.0
1814	        objectClasses                   A 2.5.21.6
1815	        subschema                       O 2.5.20.1
1816	        subschemaSubentry               A 2.5.18.10
1817	        supportedControl                A 1.3.6.1.4.1.1466.101.120.13
1818	        supportedExtension              A 1.3.6.1.4.1.1466.101.120.7
1819	        supportedLDAPVersion            A 1.3.6.1.4.1.1466.101.120.15
1820	        supportedSASLMechanisms         A 1.3.6.1.4.1.1466.101.120.14
1821	        top                             O 2.5.6.0

1823	10. Acknowledgments

1825	  This document is based, in part, on [RFC2251] by M. Wahl, T.  Howes,
1826	  and S. Kille and [RFC2252] by M. Wahl, A. Coulbeck, T. Howes, S.
1827	  Kille, both products of the IETF Access, Searching and Indexing of
1828	  Directories (ASID) Working Group.  This document is also based, in
1829	  part, on "The Directory: Models" [X.501], a product of the
1830	  International Telephone Union (ITU).

1832	11. Author's Address

1834	  Kurt Zeilenga
1835	  E-mail: <kurt@openldap.org>

1837	12. References

1839	12.1. Normative References

1841	  [RFC2279]  Yergeau, F., "UTF-8, a transformation format of ISO 10646",
1842	             RFC 2279, January 1998.

1844	  [RFC2119]  S. Bradner, "Key words for use in RFCs to Indicate
1845	             Requirement Levels", BCP 14 (also RFC 2119), March 1997.

1847	  [RFC2234]    Crocker, D., and P. Overell, "Augmented BNF for Syntax
1848	             Specifications: ABNF", RFC 2234, November 1997.

1850	  [Roadmap]  K. Zeilenga (editor), "LDAP: Technical Specification Road
1851	             Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in
1852	             progress.

1854	  [Protocol] J. Sermersheim (editor), "LDAP: The Protocol",
1855	             draft-ietf-ldapbis-protocol-xx.txt, a work in progress.

1857	  [AuthMeth] R. Harrison (editor), "LDAP: Authentication Methods and
1858	             Connection Level Security Mechanisms",
1859	             draft-ietf-ldapbis-authmeth-xx.txt, a work in progress.

1861	  [LDAPDN]   K. Zeilenga (editor), "LDAP: String Representation of
1862	             Distinguished Names", draft-ietf-ldapbis-dn-xx.txt, a work
1863	             in progress.

1865	  [Filters]  M. Smith (editor), LDAPbis WG, "LDAP: String Representation
1866	             of Search Filters", draft-ietf-ldapbis-filter-xx.txt, a
1867	             work in progress.

1869	  [LDAPURL]  M. Smith (editor), "LDAP: Uniform Resource Locator",
1870	             draft-ietf-ldapbis-url-xx.txt, a work in progress.

1872	  [Syntaxes] K. Dally (editor), "LDAP: Syntaxes",
1873	             draft-ietf-ldapbis-syntaxes-xx.txt, a work in progress.

1875	  [Schema]   K. Dally (editor), "LDAP: User Schema",
1876	             draft-ietf-ldapbis-user-schema-xx.txt, a work in progress.

1878	  [LDAPIANA] K. Zeilenga, "IANA Considerations for LDAP",
1879	             draft-ietf-ldapbis-xx.txt (a work in progress).

1881	  [ISO10646] Universal Multiple-Octet Coded Character Set (UCS) -
1882	             Architecture and Basic Multilingual Plane, ISO/IEC 10646-1
1883	             : 1993.

1885	  [X.500]    ITU-T Rec. X.500, "The Directory: Overview of Concepts,
1886	             Models and Service", 1993.

1888	  [X.501]    ITU-T Rec. X.501, "The Directory: Models", 1993.

1890	  [X.511]    ITU-T Rec. X.511, "The Directory: Abstract Service
1891	             Definition", 1993.

1893	  [X.680]    ITU-T Rec. X.680, "Abstract Syntax Notation One (ASN.1) -
1894	             Specification of Basic Notation", 1994.

1896	12.2. Informative References

1898	  [RFC2251]  M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
1899	             Protocol (v3)", RFC 2251, December 1997.

1901	  [RFC2252]  M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight
1902	             Directory Access Protocol (v3):  Attribute Syntax
1903	             Definitions", RFC 2252, December 1997.

1905	  [LDAPTS]   J. Hodges, R.L. Morgan, "Lightweight Directory Access
1906	             Protocol (v3): Technical Specification",
1907	             draft-ietf-ldapbis-ldapv3-ts-xx.txt.

1909	Appendix A.  Changes

1911	  This appendix is non-normative.

1913	  This document amounts to nearly a complete rewrite of portions of RFC
1914	  2251, RFC 2252, and RFC 2256.  This rewrite was undertaken to improve
1915	  overall clarity of technical specification.  This appendix provides a
1916	  summary of substantive changes made to the portions of these documents
1917	  incorporated into this document.  Readers should consult [Roadmap],
1918	  [Protocol], [Syntaxes], and [Schema] for summaries of remaining
1919	  portions of these documents.

1921	A.1 Changes to RFC 2251

1923	  This document incorporates from RFC 2251 sections 3.2 and 3.4,
1924	  portions of Section 4 and 6 as summarized below.

1926	A.1.1 Section 3.2 of RFC 2251

1928	  Section 3.2 of RFC 2251 provided a brief introduction to the X.500
1929	  data model, as used by LDAP.  The previous specification relied on
1930	  [X.501] but lacked clarity in how X.500 models are adapted for use by
1931	  LDAP.  This document describes the X.500 data models, as used by LDAP
1932	  in greater detail, especially in areas where the models require
1933	  adaptation is needed.

1935	  Section 3.2.1 of RFC 2251 described an attribute as "a type with one
1936	  or more associated values."  In LDAP, an attribute is better described
1937	  as an attribute description, a type with zero or options, and one or
1938	  more associated values.

1940	  Section 3.2.2 of RFC 2251 mandated that subschema subentries contain
1941	  objectClasses and attributeTypes attributes, yet X.500(93) treats
1942	  these attributes as optional.  While generally all implementations
1943	  support X.500(93) subschema mechanisms will provide both of these
1944	  attributes, it is not absolutely required for interoperability that
1945	  all servers do.  The mandate was removed for consistency with
1946	  X.500(93).   The subschema discovery mechanism was also clarified to
1947	  indicate that subschema controlling an entry is obtained by reading
1948	  the (sub)entry referred to by that entry's 'subschemaSubentry'
1949	  attribute.

1951	A.1.2 Section 3.4 of RFC 2251

1953	  Section 3.4 of RFC 2251 provided "Server-specific Data Requirements".
1954	  This material, with changes, was incorporated in Section 5.1 of this
1955	  document.

1957	  Changes:

1959	  - Clarify that attributes of the root DSE are subject to "other
1960	    restrictions" in addition to acccess controls.

1962	  - Clarify that only recognized extended requests need to be enumerated
1963	    'supportedExtension'.

1965	  - Clarify that only recognized request controls need to be enumerated
1966	    'supportedControl'.

1968	  - Clarify that root DSE attributes are operational and, like other
1969	    operational attributes, will not be returned in search requests
1970	    unless requested by name.

1972	  - Clarify that not all root DSE attributes are user modifiable.

1974	  - Remove inconsistent text regarding handling of the
1975	    'subschemaSubentry' attribute within the root DSE.  The previous
1976	    specification stated that the 'subschemaSubentry' attribute held in
1977	    the root DSE referred to "subschema entries (or subentries) known by
1978	    this server."  This is inconsistent with the attribute intended use
1979	    as well as its formal definition as a single valued attribute
1980	    [X.501].  It is also noted that a simple (possibly incomplete) list
1981	    of subschema (sub)entries is not terrible useful.  This document (in
1982	    section 5.1) specifies that the 'subschemaSubentry' attribute of the
1983	    root DSE refers to the subschema controlling the root DSE.  It is
1984	    noted that the general subschema discovery mechanism remains
1985	    available (see Section 4.4 of this document).

1987	A.1.2 Section 4 of RFC 2251
1988	  Portions of Section 4 of RFC 2251 detailing aspects of the information
1989	  model used by LDAP were incorporated in this document, including:

1991	  - Restriction of distinguished values to attributes whose descriptions
1992	    have no options (from Section 4.1.3).

1994	  - Data model aspects of Attribute Types (from Section 4.1.4),
1995	    Attribute Descriptions (from 4.1.4), Attribute (from 4.1.8),
1996	    Matching Rule Identifer (from 4.1.9).

1998	  - User schema requirements (from Section 4.1.6, 4.5.1, and 4.7).

2000	A.1.3 Section 6 of RFC 2251

2002	    The Section 6.1 and the second paragraph of Section 6.2 of RFC 2251
2003	    where incorporated into this document.

2005	A.2 Changes to RFC 2252

2007	    This document incorporates Sections 4, 5 and 7 from RFC 2252.

2009	A.2.1 Section 4 of RFC 2252

2011	    The specification was updated to use Augmented BNF [RFC2234].  The
2012	    string representation of an OBJECT IDENTIFIER was tighten to
2013	    disallow leading zeros as described in RFC 2252 text.

2015	    The <descr> syntax was changed to disallow semicolon (U+0003B)
2016	    characters to appear to be consistent its natural language
2017	    specification "descr is the syntactic representation of an object
2018	    descriptor, which consists of letters and digits, starting with a
2019	    letter."  In a related change, the statement "an
2020	    AttributeDescription can be used as the value in a NAME part of an
2021	    AttributeTypeDescription" was deleted.  RFC 2252 provided no
2022	    specification as to the semantics of attribute options appearing in
2023	    NAME fields.

2025	    The ABNF for a quoted string (qdstring) was updated to reflect
2026	    support for the eescaping mechanism described in 4.3 of RFC 2252.

2028	A.2.2 Section 5 of RFC 2252

2030	    Definitions of operational attributes provided in Section 5 of RFC
2031	    2252 where incorporated into this document.

2033	    The 'supportedExtension' description was clarified.  A server need
2034	    only list the OBJECT IDENTIFIERs associated with the extended
2035	    requests of the extended operations it recognizes.

2037	    The 'supportedControl' description was clarified.  A server need
2038	    only list the OBJECT IDENTIFIERs associated with the request
2039	    controls it recognizes.

2041	A.2.3 Section 7 of RFC 2252

2043	    Section 7 of RFC 2252 provides definitions of the 'subschema' and
2044	    'extensibleObject' object classes.  These definitions where
2045	    integrated into Section 4.2 and Section 4.3 of this document,
2046	    respectively.  Section 7 of RFC 2252 also contained the object class
2047	    implementation requirement.  This was incorporated into Section 7 of
2048	    this document.

2050	    The specification of 'extensibleObject' was clarified of how it
2051	    interacts with precluded attributes.

2053	A.3 Changes to RFC 2256

2055	    This document incorporates Sections 5.1, 5.2, 7.1, and 7.2 of RFC
2056	    2256.

2058	    Section 5.1 of RFC 2256 provided the definition of the 'objectClass'
2059	    attribute type.  This was integrated into Section 2.4.1 of this
2060	    document.  The statement "One of the values is either 'top' or
2061	    'alias'" was replaced with statement that one of the values is 'top'
2062	    as entries belonging to 'alias' also belong to 'top'.

2064	    Section 5.2 of RFC 2256 provided the definition of the
2065	    'aliasedObjectName' attribute type.  This was integrated into
2066	    Section 2.6.2 of this document.

2068	    Section 7.1 of RFC 2256 provided the definition of the 'top' object
2069	    class.  This was integrated into Section 2.4.1 of this document.

2071	    Section 7.2 of RFC 2256 provided the definition of the 'alias'
2072	    object class.  This was integrated into Section 2.6.1 of this
2073	    document.

2075	Copyright 2002, The Internet Society.  All Rights Reserved.

2077	  This document and translations of it may be copied and furnished to
2078	  others, and derivative works that comment on or otherwise explain it
2079	  or assist in its implementation may be prepared, copied, published and
2080	  distributed, in whole or in part, without restriction of any kind,
2081	  provided that the above copyright notice and this paragraph are
2082	  included on all such copies and derivative works.  However, this
2083	  document itself may not be modified in any way, such as by removing
2084	  the copyright notice or references to the Internet Society or other
2085	  Internet organizations, except as needed for the  purpose of
2086	  developing Internet standards in which case the procedures for
2087	  copyrights defined in the Internet Standards process must be followed,
2088	  or as required to translate it into languages other than English.

2090	  The limited permissions granted above are perpetual and will not be
2091	  revoked by the Internet Society or its successors or assigns.

2093	  This document and the information contained herein is provided on an
2094	  "AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
2095	  ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
2096	  INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
2097	  INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
2098	  WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.