idnits 2.17.1 

draft-ietf-ldapbis-models-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** The document seems to lack a 1id_guidelines paragraph about 6 months
     document validity -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     current Internet-Drafts -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     Shadow Directories. 


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 36 instances of lines with non-RFC6890-compliant IPv4
     addresses in the document.  If these are example addresses, they should
     be changed.

  == The 'Obsoletes: ' line in the draft header should list only the
     _numbers_ of the RFCs which will be obsoleted by this document (if
     approved); it should not include the word 'RFC' in the list.

  -- The draft header indicates that this document obsoletes RFC2251, but the
     abstract doesn't seem to directly say this.  It does mention RFC2251
     though, so this could be OK.

  -- The draft header indicates that this document obsoletes RFC2252, but the
     abstract doesn't seem to directly say this.  It does mention RFC2252
     though, so this could be OK.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == Line 2077 has weird spacing: '...for the  purpo...'

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords -- however, there's a paragraph with
     a matching beginning. Boilerplate error?

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).
  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (3 December 2002) is 7807 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC2222' is mentioned on line 1654, but not defined

  ** Obsolete undefined reference: RFC 2222 (Obsoleted by RFC 4422, RFC 4752)

  == Missing Reference: 'RFC3383bis' is mentioned on line 1701, but not
     defined

  ** Obsolete undefined reference: RFC 3383 (Obsoleted by RFC 4520)

  == Unused Reference: 'LDAPURL' is defined on line 1877, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2279 (Obsoleted by RFC 3629)

  ** Obsolete normative reference: RFC 2234 (Obsoleted by RFC 4234)

  ** Obsolete normative reference: RFC 3383 (Obsoleted by RFC 4520)

  -- No information found for draft-ietf-ldapbis-roadmap-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Roadmap' 

  -- No information found for draft-ietf-ldapbis-protocol-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Protocol' 

  -- No information found for draft-ietf-ldapbis-authmeth-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'AuthMeth' 

  -- No information found for draft-ietf-ldapbis-dn-xx - is the name correct?

  -- Possible downref: Normative reference to a draft: ref. 'LDAPDN' 

  -- No information found for draft-ietf-ldapbis-filter-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Filters' 

  -- No information found for draft-ietf-ldapbis-url-xx - is the name correct?

  -- Possible downref: Normative reference to a draft: ref. 'LDAPURL' 

  -- No information found for draft-ietf-ldapbis-syntaxes-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Syntaxes' 

  -- No information found for draft-ietf-ldapbis-user-schema-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Schema' 

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ISO10646'


     Summary: 9 errors (**), 0 flaws (~~), 7 warnings (==), 21 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	INTERNET-DRAFT                              Editor: Kurt D. Zeilenga
3	Intended Category: Standard Track                OpenLDAP Foundation
4	Expires in six months                                3 December 2002
5	Obsoletes: RFC 2251, RFC 2252, RFC 2256

7	                    LDAP: Directory Information Models
8	                    <draft-ietf-ldapbis-models-04.txt>

10	Status of this Memo

12	  This document is an Internet-Draft and is in full conformance with all
13	  provisions of Section 10 of RFC2026.

15	  This document is intended to be published as a Standard Track RFC.
16	  Distribution of this memo is unlimited.  Technical discussion of this
17	  document will take place on the IETF LDAP Revision Working Group
18	  mailing list <ietf-ldapbis@openldap.org>.  Please send editorial
19	  comments directly to the author <Kurt@OpenLDAP.org>.

21	  Internet-Drafts are working documents of the Internet Engineering Task
22	  Force (IETF), its areas, and its working groups.  Note that other
23	  groups may also distribute working documents as Internet-Drafts.
24	  Internet-Drafts are draft documents valid for a maximum of six months
25	  and may be updated, replaced, or obsoleted by other documents at any
26	  time.  It is inappropriate to use Internet-Drafts as reference
27	  material or to cite them other than as ``work in progress.''

29	  The list of current Internet-Drafts can be accessed at
30	  <http://www.ietf.org/ietf/1id-abstracts.txt>. The list of
31	  Internet-Draft Shadow Directories can be accessed at
32	  <http://www.ietf.org/shadow.html>.

34	  Copyright 2002, The Internet Society.  All Rights Reserved.  Please
35	  see the Copyright section near the end of this document for more
36	  information.

38	Abstract

40	  The Lightweight Directory Access Protocol (LDAP) is an Internet
41	  protocol for accessing distributed directory services which act in
42	  accordance with X.500 data and service models.  This document
43	  describes the X.500 Directory Information Models, as used in LDAP.

45	Table of Contents

47	  Status of this Memo                                             1
48	  Abstract
49	  Table of Contents                                               2
50	  1.       Introduction                                           3
51	  1.1.     Relationship to Other LDAP Specifications
52	  1.2.     Conventions                                            4
53	  1.3.     Common ABNF Productions
54	  2.       Model of Directory User Information                    6
55	  2.1.     The Directory Information Tree
56	  2.2.     Naming of Entries                                      7
57	  2.3.     Structure of an Entry
58	  2.4.     Object Classes                                         8
59	  2.5.     Attribute Descriptions                                10
60	  2.6.     Alias Entries                                         14
61	  3.       Directory Administrative and Operational Information  15
62	  3.1.     Subtrees
63	  3.2.     Subentries
64	  3.3.     The 'objectClass' attribute
65	  3.4.     Operational attributes                                17
66	  4.       Directory Schema                                      19
67	  4.1.     Schema Definitions                                    20
68	  4.2.     Subschema Subentries                                  28
69	  4.3.     'extensibleObject'                                    32
70	  4.4.     Subschema Discovery
71	  5.       DSA (Server) Informational Model                      33
72	  5.1.     Server-specific Data Requirements
73	  6.       Other Considerations                                  36
74	  6.1.     Preservation of User Information
75	  6.2.     Short Names                                           37
76	  6.3.     Cache and Shadowing
77	  7.       Implementation Guidelines                             38
78	  7.1.     Server Guidelines
79	  7.2.     Client Guidelines
80	  8.       Security Considerations                               39
81	  9.       IANA Considerations
82	  10.      Acknowledgments                                       40
83	  11.      Author's Address
84	  12.      References
85	  12.1.    Normative References
86	  12.2.    Informative References                                41
87	  Appendix A.  Changes
88	  A.1      Changes to RFC 2251                                   42
89	  A.2      Changes to RFC 2252                                   44
90	  A.3      Changes to RFC 2256                                   45
91	  Copyright

93	1. Introduction

95	  This document discusses the X.500 Directory Information Models
96	  [X.501], as used by the Lightweight Directory Access Protocol (LDAP)
97	  [Roadmap].

99	  The Directory is "a collection of open systems cooperating to provide
100	  directory services" [X.500].  The information held in the Directory is
101	  collectively known as the Directory Information Base (DIB).  A
102	  Directory user, which may be a human or other entity, accesses the
103	  Directory through a client (or Directory User Agent (DUA)).  The
104	  client, on behalf of the directory user, interacts with one or more
105	  servers (or Directory System Agents (DSA)).  A server holds a fragment
106	  of the DIB.

108	  The DIB contains two classes of information:

110	      1) user information (e.g., information provided and administrated
111	         by users).  Section 2 describes the Model of User Information.

113	      2) administrative and operational information (e.g., information
114	         used to administer and/or operate the directory).  Section 3
115	         describes the model of Directory Administrative and Operational
116	         Information.

118	  These two models, referred to as the generic Directory Information
119	  Models, describe how information is represented in the Directory.
120	  These generic models provide a framework for other information models.
121	  Section 4 discusses the subschema information model and subschema
122	  discovery.  Section 5 discusses the DSA (Server) Informational Model.

124	  Other X.500 information models, such as access control, collective
125	  attribute, distribution knowledge, and replication knowledge
126	  information models, may be adapted for use in LDAP.  Specification of
127	  how these models are to be used in LDAP is left to future documents.

129	1.1. Relationship to Other LDAP Specifications

131	  This document is a integral part of the LDAP technical specification
132	  [Roadmap] which obsoletes the previously defined LDAP technical
133	  specification, RFC 3377, in its entirety.

135	  This document obsoletes RFC 2251 sections 3.2 and 3.4, as well as
136	  portions of sections 4 and 6.  Appendix A.1 summaries changes to these
137	  sections.  The remainder of RFC 2251 is obsoleted by the [Protocol],
138	  [AuthMeth], and [Roadmap] documents.

140	  This document obsoletes RFC 2252 sections 4, 5 and 7.  Appendix A.2
141	  summaries changes to these sections.  The remainder of RFC 2252 is
142	  obsoleted by [Syntaxes] and [Schema].

144	  This document obsoletes RFC 2256 sections 5.1, 5.2, 7.1 and 7.2.
145	  Appendix A.3 summarizes changes to these sections.  The remainder of
146	  RFC 2256 is obsoleted by [Schema] and [Syntaxes].

148	1.2. Conventions

150	  The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
151	  "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
152	  document are to be interpreted as described in BCP 14 [RFC2119].

154	  Schema definitions are provided using LDAP description formats (as
155	  defined in Section 4.1).  Definitions provided here are formatted
156	  (line wrapped) for readability.  Matching rules and LDAP syntaxes
157	  referenced in these definitions are specified in [Syntaxes].

159	1.3. Common ABNF Productions

161	  A number of syntaxes in this document are described using Augmented
162	  Backus-Naur Form (ABNF) [RFC2234].  These syntaxes (as well as a
163	  number of syntaxes defined in other documents) rely on the following
164	  common productions:

166	      keystring = leadkeychar *keychar
167	      leadkeychar = ALPHA
168	      keychar = ALPHA / DIGIT / HYPHEN

170	      number = DIGIT / ( LDIGIT 1*DIGIT )

172	      ALPHA  = %x41-5A / %x61-7A   ; "A"-"Z" / "a"-"z"
173	      DIGIT  = %x30 / LDIGIT       ; "0"-"9"
174	      LDIGIT = %x31-39             ; "1"-"9"

176	      HEX     = DIGIT / %x41-46 / %x61-66 ; 0-9 / A-F / a-f

178	      SP     = 1*SPACE  ; one or more " "
179	      WSP    = 0*SPACE  ; zero or more " "

181	      NULL   = %x00 ; null (0)
182	      SPACE  = %x20 ; space (" ")
183	      DQUOTE = %x22 ; quote (""")
184	      SHARP  = %x23 ; octothorpe (or sharp sign) ("#")
185	      DOLLAR = %x24 ; dollar sign ("$")
186	      SQUOTE = %x27 ; single quote ("'")
187	      LPAREN = %x28 ; left paren ("(")
188	      RPAREN = %x29 ; right paren (")")
189	      PLUS   = %x2B ; plus sign ("+")
190	      COMMA  = %x2C ; comma (",")
191	      HYPHEN = %x2D ; hyphen ("-")
192	      DOT    = %x2E ; period (".")
193	      SEMI   = %x3B ; semicolon (";")
194	      LANGLE = %x3C ; left angle bracket ("<")
195	      EQUALS = %x3D ; equals sign ("=")
196	      RANGLE = %x3E ; right angle bracket (">")
197	      X      = %x58 ; uppercase x ("X")
198	      ESC    = %x5C ; backslash ("\")
199	      USCORE = %x5F ; underscore ("_")
200	      LCURLY = %x7B ; left curly brace "{"
201	      RCURLY = %x7D ; right curly brace "}"

203	      ; Any UTF-8 character
204	      UTF8    = UTF1 / UTFMB
205	      UTFMB   = UTF2 / UTF3 / UTF4 / UTF5 / UTF6
206	      UTF0    = %x80-BF
207	      UTF1    = %x00-7F
208	      UTF2    = %xC0-DF 1(UTF0)
209	      UTF3    = %xE0-EF 2(UTF0)
210	      UTF4    = %xF0-F7 3(UTF0)
211	      UTF5    = %xF8-FB 4(UTF0)
212	      UTF6    = %xFC-FD 5(UTF0)

214	      ; Any octet
215	      OCTET   = %x00-FF

217	  Object identifiers are represented in LDAP using a dot-decimal format
218	  conforming to the ABNF:

220	      numericoid = number *( DOT number )

222	  Short names, known as descriptors, are used as more readable aliases
223	  for object identifiers.  Descriptors are case insensitive and conform
224	  to the ABNF:

226	      descr = keystring

228	  Where either an object identifier or a short name may be specified,
229	  the following production is used:

231	      oid = descr / numericoid

233	  The <descr> form is preferred.  When a production <oid> is encoded in
234	  a value, the <descr> encoding option SHOULD be used instead of the
235	  <numericoid> encoding option.

237	2. Model of Directory User Information

239	  As [X.501] states:

241	      The purpose of the Directory is to hold, and provide access to,
242	      information about objects of interest (objects) in some 'world'.
243	      An object can be anything which is identifiable (can be named).

245	      An object class is an identified family of objects, or conceivable
246	      objects, which share certain characteristics. Every object belongs
247	      to at least one class.  An object class may be a subclass of other
248	      object classes, in which case the members of the former class, the
249	      subclass, are also considered to be members of the latter classes,
250	      the superclasses.  There may be subclasses of subclasses, etc., to
251	      an arbitrary depth.

253	  A directory entry, a named collection of information, is the basic
254	  unit of information held in the Directory.  An object entry represents
255	  a particular object.  An alias entry provides alternative naming.  A
256	  subentry holds administrative and/or operational information.

258	  The set of entries representing the DIB are organized hierarchically
259	  in a tree structure known as the Directory Information Tree (DIT).

261	  Section 2.1 describes the Directory Information Tree
262	  Section 2.2 discusses naming of entries.
263	  Section 2.3 discusses the structure of entries.
264	  Section 2.4 discusses object classes.
265	  Section 2.5 discusses attribute descriptions.
266	  Section 2.6 discusses alias entries.

268	2.1. The Directory Information Tree

270	  As noted above, the DIB is composed of a set of entries organized
271	  hierarchically in a tree structure known as the Directory Information
272	  Tree (DIT).  Specifically, a tree where vertices are the entries.

274	  The arcs between vertices define relations between entries.  If an arc
275	  exists from X to Y, then the entry at X is the immediate superior of Y
276	  and Y is the immediate subordinate of X.  An entry's superiors is the
277	  entry's immediate superior and its superiors.  An entry's subordinates
278	  is all of its immediate subordinates and their subordinates.

280	  Similarly, the superior/subordinate relationship between object
281	  entries can be used to derive a relation between the objects they
282	  represent.  DIT structural rules can be used to govern relationships
283	  between objects.

285	2.2. Naming of Entries

287	2.2.1.  Relative Distinguished Names

289	  Each entry is named relative to its immediate superior.  This relative
290	  name, known as its Relative Distinguished Name (RDN) [X.501], is
291	  composed of one or more attribute value assertions (AVA) consisting of
292	  an attribute description with zero options and an attribute value.  An
293	  entry's relative distinguished name must be unique among all its
294	  siblings.

296	  The following are example string representations of RDNs [LDAPDN]:

298	      UID=12345
299	      OU=Engineering
300	      CN=Kurt Zeilenga+L=Redwood Shores

302	  The last is an example of a multi-valued RDN.

304	2.2.2. Distinguished Names

306	  An entry's fully qualified name, known as its Distinguished Name (DN)
307	  [X.501], is the concatenation of its RDN and its immediate superior's
308	  DN.  A Distinguished Name unambiguously refers to an entry in the
309	  tree.  The following are example string representations of DNs
310	  [LDAPDN]:

312	      UID=nobody@example.com,DC=example,DC=com
313	      CN=John Smith,OU=Sales,O=ACME Limited,L=Moab,ST=Utah,C=US

315	2.2.3. Alias Names

317	  An alias, or alias name, is "an name for an object, provided by the
318	  use of alias entries" [X.501].  Alias entries are described in Section
319	  2.6.

321	2.3. Structure of an Entry

323	  An entry consist of a set of attributes which hold information about
324	  the object which entry represents.

326	  An attribute is an attribute description, a type and one or more
327	  options, with one or more associated values.  The attribute type
328	  governs whether the attribute can have multiple values, the syntax and
329	  matching rules used to construct and compare values of that attribute,
330	  and other functions.  Options indicate subtypes and other functions.
331	  No two values of an attribute may be equivalent.

333	  Two values are considered equivalent if they would match according to
334	  the equality matching rule of the associated attribute type.  If the
335	  attribute type is defined with no equality matching rule, two values
336	  are equivalent if and only if they are identical.

338	  An example of an attribute is 'givenName'.  As described in [Schema]
339	  and [Syntaxes], there can be one or more values of this attribute,
340	  they must be Directory Strings, and they are case insensitive (e.g.
341	  "John" will match "JOHN").

343	2.4. Object Classes

345	  An object class is "an identified family of objects (or conceivable
346	  objects) which share certain characteristics" [X.501].

348	  As defined in [X.501]:

350	      Object classes are used in the Directory for a number of purposes:

352	        - describing and categorising objects and the entries that
353	          correspond to these objects;

355	        - where appropriate, controlling the operation of the Directory;

357	        - regulating, in conjunction with DIT structure rule
358	          specifications, the position of entries in the DIT;

360	        - regulating, in conjunction with DIT content rule
361	          specifications, the attributes that are contained in entries;

363	        - identifying classes of entry that are to be associated with a
364	          particular policy by the appropriate administrative authority.

366	      An object class (a subclass) may be derived from an object class
367	      (its direct superclass) which is itself derived from an even more
368	      generic object class.  For structural object classes, this process
369	      stops at the most generic object class, 'top' (defined in Section
370	      2.4.1).  An ordered set of superclasses up to the most superior
371	      object class of an object class is its superclass chain.

373	      An object class may be derived from two or more direct
374	      superclasses (superclasses not part of the same superclass chain).
375	      This feature of subclassing is termed multiple inheritance.

377	  Each object class identifies the set of attributes required to be
378	  present in entries belonging to the class and the set of attributes
379	  allowed to be present in entries belonging to the class.  As an entry
380	  of a class must meet the requirements of each class it belongs to, it
381	  can be said that an object class inherits the sets of allowed and
382	  required attributes from its superclasses.  A subclass can identify an
383	  attribute allowed by a subclass as being required.  If an attribute is
384	  a member of both sets, it is required to be present.

386	  Each object class is defined to be one of three kinds of object
387	  classes: Abstract, Structural, and Auxiliary.

389	  Each object is identified by an object identifier (OID) and,
390	  optionally, one or more short names known as descriptors.

392	2.4.1. Abstract Object Classes

394	  An abstract object class, as the name implies, provides a base of
395	  characteristics from which other object classes can be defined to
396	  inherit from.  An entry cannot belong to only abstract object classes.

398	  Abstract object classes can not derive from structural nor auxiliary
399	  object classes.

401	  All structural object classes derive (directly or indirectly) from the
402	  'top' abstract object class.  Auxiliary object classes do not
403	  necessarily derive from 'top'.

405	      ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )

407	  All entries belong to the 'top' abstract class.

409	2.4.2. Structural Object Classes

411	  As stated in [X.501]:

413	      An object class defined for use in the structural specification of
414	      the DIT is termed a structural object class.  Structural object
415	      classes are used in the definition of the structure of the names
416	      of the objects for compliant entries.

418	      An object or alias entry is characterised by precisely one
419	      structural object class superclass chain which has a single
420	      structural object class as the most subordinate object class.
421	      This structural object class is referred to as the structural
422	      object class of the entry.

424	      Structural object classes are related to associated entries:

426	        - an entry conforming to a structural object class shall
427	          represent the real-world object constrained by the object
428	          class;

430	        - DIT structure rules only refer to structural object classes;
431	          the structural object class of an entry is used to specify the
432	          position of the entry in the DIT;

434	        - the structural object class of an entry is used, along with an
435	          associated DIT content rule, to control the content of an
436	          entry.

438	        The structural object class of an entry shall not be changed.

440	  Each structural object class is a (direct or indirect) subclass of the
441	  'top' abstract object class.

443	  Structural object classes cannot subclass auxiliary object classes.

445	  Each entry is said to belong to its structural object class as well as
446	  all classes in its structural object class's superclass chain, which
447	  always includes 'top'.

449	2.4.3. Auxiliary Object Classes

451	  Auxiliary object classes are used augment the characteristics of
452	  entries.  They are commonly used to augment the sets of attributes
453	  required and allowed attributes to be present in an entry.  They can
454	  be used to describe entries or classes of entries.

456	  Auxiliary object classes cannot subclass structural object classes.

458	  Each entry can belong to any number of auxiliary object classes.  The
459	  set of auxiliary object classes which an entry belongs to can change
460	  over time.

462	2.5. Attribute Descriptions
463	  An attribute description is composed of an attribute type (see Section
464	  2.5.1) and a set of zero or more attribute options (see Section
465	  2.5.2).

467	  An attribute description is represented by the ABNF:

469	      attributedescription = attributetype options

471	      attributetype = oid

473	      options = *( SEMI option )

475	      option = 1*keychar

477	  where <attributetype> identifies the attribute type and each <option>
478	  identifies an attribute option.  Both <attributetype> and <option>
479	  productions are case insensitive.  The order in which <option>s appear
480	  is irrelevant.  That is, any two <attributedescription>s which consist
481	  of the same <attributetype> and same set of <option>s are equivalent.

483	  Examples of valid attribute descriptions:

485	      2.5.4.0
486	      cn;lang-de;lang-en
487	      owner

489	  An attribute description which consisting of an unrecognized attribute
490	  type is to be treated as unrecognized.  Servers SHALL treat an
491	  attribute description with an unrecognized attribute option as
492	  unrecognized.  Clients MAY treat an unrecognized attribute option as a
493	  tagging option (see Section 2.5.2.1).

495	  All attributes of an entry must have distinct attribute descriptions.

497	2.5.1. Attribute Types

499	  An attribute type governs whether the attribute can have multiple
500	  values, the syntax and matching rules used to construct and compare
501	  values of that attribute, and other functions.

503	  A user attribute type has userApplications usage.  An operational
504	  attribute type has one of three usages: directoryOperation,
505	  distributedOperation, or dSAOperation which mean the attribute type is
506	  a directory, distributed, or DSA operational, respectively.

508	  An operational attribute type may be defined as not modifiable by
509	  users.

511	  An attribute type (a subtype) may derive from another attribute type
512	  (a direct supertype).   The subtype inherits the matching rules and
513	  syntax of its supertype.  An attribute type cannot be a subtype of an
514	  attribute of different usage.

516	  An attribute description consisting of a subtype and no options is
517	  said to the direct description subtype of the attribute description
518	  consisting of the subtype's direct supertype and no options.

520	  Each attribute type is identified by an object identifier (OID) and,
521	  optionally, one or more short names known as descriptors.

523	2.5.2. Attribute Options

525	  There are multiple kinds of attribute description options.  The LDAP
526	  technical specification details one kind: tagging options.

528	  Not all options can be associated with attributes held in the
529	  directory.  Tagging options can be.

531	  Not all options can be use in conjunction with all attribute types.
532	  In such cases, the attribute description is to be treated as
533	  unrecognized.

535	  An attribute description that contains mutually exclusive options
536	  shall be treated as unrecognized.  That is, "cn;x-bar;x-foo", where
537	  "x-foo" and "x-bar" are mutually exclusive, is to be treated as
538	  unrecognized.

540	  Other kinds of options may be specified in future documents.  These
541	  documents must detail how new kinds of options they define relate to
542	  tagging options.  In particular, these documents must detail whether
543	  or not new kinds of options can be associated with attributes held in
544	  the directory, how new kinds of options affect transfer of attribute
545	  values, and how new kinds of options are treated in attribute
546	  description hierarchies.

548	  Options are represented as short case insensitive textual strings
549	  conforming to the <option> production defined in Section 2.5 of this
550	  document.

552	  Procedures for registering options are detailed in BCP 64 [RFC3383].

554	2.5.2.1. Tagging Options

556	  Attributes held in the directory can have attribute descriptions with
557	  one or more tagging options.  Tagging options are never mutually
558	  exclusive.

560	  An attribute description with N tagging options is consider a direct
561	  (description) subtype of all attribute descriptions of the same
562	  attribute type and all but one of the N options.  If the attribute
563	  type has a supertype, then the attribute description is also
564	  considered a direct (description) subtype of the attribute description
565	  of the supertype and the N tagging options.  That is,
566	  'cn;lang-de;lang-en' is considered a direct subtype of 'cn;lang-de',
567	  'cn;lang-en', and 'name;lang-de;lang-en' ('cn' is a subtype of 'name',
568	  both are defined in [Schema]).

570	2.5.3. Attribute Description Hierarchies

572	  An attribute description can be the direct subtype of zero or more
573	  other attribute descriptions as indicated by attribute type subtyping
574	  (as described in Section 2.5.1) or attribute tagging option subtyping
575	  (as described in Section 2.5.2.1).  These subtyping relationships are
576	  used to form hierarchies of attribute descriptions and attributes.

578	  As adapted from [X.501]:

580	      Attribute hierarchies allow access to the DIB with varying degrees
581	      of granularity.  This is achieved by allowing the value components
582	      of attributes to be accessed by using either their specific
583	      attribute description (a direct reference to the attribute) or by
584	      a more generic attribute description (an indirect reference).

586	      Semantically related attributes may be placed in a hierarchical
587	      relationship, the more specialized being placed subordinate to the
588	      more generalized.  Searching for, or retrieving attributes and
589	      their values is made easier by quoting the more generalized
590	      attribute description; a filter item so specified is evaluated for
591	      the more specialized descriptions as well as for the quoted
592	      description.

594	      Where subordinate specialized descriptions are selected to be
595	      returned as part of a search result these descriptions shall be
596	      returned if available.  Where the more general descriptions are
597	      selected to be returned as part of a search result both the
598	      general and the specialized descriptions shall be returned, if
599	      available.  An attribute value shall always be returned as a value
600	      of its own attribute description.

602	      All of the attribute descriptions in an attribute hierarchy are
603	      treated as distinct and unrelated descriptions for user
604	      modification of entry content.

606	      An attribute value stored in a object or alias entry is of
607	      precisely one attribute description.  The description is indicated
608	      when the value is originally added to the entry.

610	  For the purpose of subschema administration of the entry, a required
611	  attribute specification is fulfilled if the entry contains a value of
612	  an attribute description belonging to an attribute hierarchy if the
613	  attribute type of that description is the same as the required
614	  attribute's type.  That is, a "MUST name" specification is fulfilled
615	  by 'name' or 'name;x-tag-option', but is not fulfilled by 'CN' nor by
616	  'CN;x-tag-option'.  Likewise, an entry may contain a value of an
617	  attribute description belonging to an attribute hierarchy if the
618	  attribute type of that description is either explicitly included in
619	  the definition of an object class to which the entry belongs or
620	  allowed by the DIT content rule applicable to that entry.  That is,
621	  'name' and 'name;x-tag-option' are allowed by "MAY name" (or by "MUST
622	  name"), but 'CN' and 'CN;x-tag-option' are not allowed by "MAY name"
623	  (nor by "MUST name").

625	  For the purposes of other policy administration, unless stated
626	  otherwise in the specification of the particular administrative model,
627	  all of the attribute descriptions in an attribute hierarchy are
628	  treated as distinct and unrelated descriptions.

630	2.5.4. Attribute Values

632	  Attribute values conform to the defined syntax of the attribute.

634	  When an attribute is used for naming of the entry, one and only one
635	  value of the attribute is selected to appear in the Relative
636	  Distinguished Name.  This value is known as a distinguished value.

638	  Only attributes whose descriptions have no options can be used for
639	  naming.

641	2.6. Alias Entries

643	  As adapted from [X.501]:

645	      An alias, or an alias name, for an object is a an alternative name
646	      for an object or object entry which is provided by the use of
647	      alias entries.

649	      Each alias entry contains, within the 'aliasedObjectName'
650	      attribute (known as the 'aliasedEntryName' attribute in X.500]), a
651	      name of some object.  The distinguished name of the alias entry is
652	      thus also a name for this object.

654	          NOTE - The name within the 'aliasedObjectName' is said to be
655	                 pointed to by the alias.  It does not have to be the
656	                 distinguished name of any entry.

658	      The conversion of an alias name to an object name is termed
659	      (alias) dereferencing and comprises the systematic replacement of
660	      alias names, where found within a purported name, by the value of
661	      the corresponding 'aliasedObjectName' attribute.  The process may
662	      require the examination of more than one alias entry.

664	      Any particular entry in the DIT may have zero or more alias names.
665	      It therefore follows that several alias entries may point to the
666	      same entry.  An alias entry may point to an entry that is not a
667	      leaf entry and may point to another alias entry.

669	      An alias entry shall have no subordinates, so that an alias entry
670	      is always a leaf entry.

672	      Every alias entry shall belong to the 'alias' object class.

674	2.6.1. 'alias' object class

676	  Alias entries belong to the 'alias' object class.

678	     ( 2.5.6.1 NAME 'alias'
679	       SUP top STRUCTURAL
680	       MUST aliasedObjectName )

682	2.6.2. 'aliasedObjectName' attribute type

684	  The 'aliasedObjectName' attribute holds the name of the entry an alias
685	  points to.  The 'aliasedObjectName' attribute is known as the
686	  'aliasedEntryName' attribute in X.500.

688	      ( 2.5.4.1 NAME 'aliasedObjectName'
689	        EQUALITY distinguishedNameMatch
690	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
691	        SINGLE-VALUE )

693	  The 'distinguishedNameMatch' matching rule and the DistinguishedName
694	  (1.3.6.1.4.1.1466.115.121.1.12) syntax is defined in [Syntaxes].

696	3. Directory Administrative and Operational Information

698	  This section discusses select aspects of the X.500 Directory
699	  Administrative and Operational Information model [X.501].  LDAP
700	  implementations MAY support other aspects of this model.

702	3.1. Subtrees

704	  As defined in [X.501]:

706	      A subtree is a collection of object and alias entries situated at
707	      the vertices of a tree.  Subtrees do not contain subentries.  The
708	      prefix sub, in subtree, emphasizes that the base (or root) vertex
709	      of this tree is usually subordinate to the root of the DIT.

711	      A subtree begins at some vertex and extends to some identifiable
712	      lower boundary, possibly extending to leaves.  A subtree is always
713	      defined within a context which implicitly bounds the subtree.  For
714	      example, the vertex and lower boundaries of a subtree defining a
715	      replicated area are bounded by a naming context.  Similarly, the
716	      scope of a subtree defining a specific administrative area is
717	      limited to the context of an enclosing autonomous administrative
718	      area.

720	3.2. Subentries

722	  A subentry is a "special sort of entry, known by the Directory, used
723	  to hold information associated with a subtree or subtree refinement"
724	  [X.501].  Subentries are used in Directory to hold for administrative
725	  and operational purposes as defined in [X.501].  Their use in LDAP is
726	  not detailed in this technical specification, but may be detailed in
727	  future documents.

729	  The term "(sub)entry" in this specification indicates that servers
730	  implementing X.500(93) models are to use a subentry and that other
731	  servers use an object entry belonging to the appropriate auxiliary
732	  class normally used with the subentry (e.g., 'subschema' for subschema
733	  subentries) to mimic the subentry.  This object entry's RDN SHALL be
734	  formed from a value of the 'cn' (commonName) attribute [Schema].

736	3.3. The 'objectClass' attribute

738	  Each entry in the DIT has an 'objectClass' attribute.

740	      ( 2.5.4.0 NAME 'objectClass'
741	        EQUALITY objectIdentifierMatch
742	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

744	  The 'objectIdentifierMatch' matching rule and OBJECT IDENTIFIER
745	  (1.3.6.1.4.1.1466.115.121.1.38) syntax is defined in [Syntaxes].

747	  The 'objectClass' attribute specifies the object classes of an entry,
748	  which (among other things) is used in conjunction with user and system
749	  schema to determine the permitted attributes of an entry.  Values of
750	  this attribute can be modified by clients, but the 'objectClass'
751	  attribute cannot be removed.

753	  Servers which follow X.500(93) models SHALL restrict modifications of
754	  this attribute to prevent the basic structural class of the entry from
755	  being changed.  That is, one cannot change a 'person' into a
756	  'country'.

758	  When creating an entry or adding an 'objectClass' value to an entry,
759	  all superclasses of the named classes SHALL be implicitly added as
760	  well if not already present, and the client must supply values for any
761	  mandatory attributes of new superclasses.  That is, if the auxiliary
762	  class 'x-a' is a subclass of the class 'x-b', adding 'x-a' to
763	  'objectClass' causes 'x-b' to added (if is not already present).

765	  Servers SHALL restrict modifications of this attribute to to prevent a
766	  superclasses of remaining 'objectClass' values from being deleted.
767	  That is, if the auxiliary class 'x-a' is a subclass of the class 'x-
768	  b', attempting to deleting 'x-b' to 'objectClass' is an error.

770	3.4. Operational attributes

772	  Some attributes, termed operational attributes (as defined in Section
773	  12.4.1 of [X.501]), are used or maintained by servers for
774	  administrative and operational purposes.  Not all operational
775	  attributes are user modifiable.

777	  Operational attributes are not normally visible.  They are not
778	  returned in search results unless explicitly requested by name.

780	  Entries may contain, among others, the following operational
781	  attributes.

783	    - creatorsName: the Distinguished Name of the user who added this
784	      entry to the directory.

786	    - createTimestamp: the time this entry was added to the directory.

788	    - modifiersName: the Distinguished Name of the user who last
789	      modified this entry.

791	    - modifyTimestamp: the time this entry was last modified.

793	  Servers SHOULD maintain the 'creatorsName', 'createTimestamp',
794	  'modifiersName', and 'modifyTimestamp' for all entries of the DIT.

796	3.4.1. 'creatorsName'

798	  This attribute appears in entries which were added using the protocol
799	  (e.g., using the Add operation).  The value is the distinguished name
800	  of the creator.

802	      ( 2.5.18.3 NAME 'creatorsName'
803	        EQUALITY distinguishedNameMatch
804	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
805	        SINGLE-VALUE NO-USER-MODIFICATION
806	        USAGE directoryOperation )

808	  The 'distinguishedNameMatch' matching rule and the DistinguishedName
809	  (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [Syntaxes].

811	3.4.2. 'createTimestamp'

813	  This attribute appears in entries which were added using the protocol
814	  (e.g., using the Add operation).  The value is the time the entry was
815	  added.

817	      ( 2.5.18.1 NAME 'createTimestamp'
818	        EQUALITY generalizedTimeMatch
819	        ORDERING generalizedTimeOrderingMatch
820	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
821	        SINGLE-VALUE NO-USER-MODIFICATION
822	        USAGE directoryOperation )

824	  The 'generalizedTimeMatch' and 'generalizedTimeOrderingMatch' matching
825	  rules and the GeneralizedTime (1.3.6.1.4.1.1466.115.121.1.24) syntax
826	  are defined in [Syntaxes].

828	3.4.3. 'modifiersName'

830	  This attribute appears in entries which have been modified using the
831	  protocol (e.g., using Modify operation).  The value is the
832	  distinguished name of the last modifier.

834	      ( 2.5.18.4 NAME 'modifiersName'
835	        EQUALITY distinguishedNameMatch
836	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
837	        SINGLE-VALUE NO-USER-MODIFICATION
838	        USAGE directoryOperation )

840	  The 'distinguishedNameMatch' matching rule and the DistinguishedName
841	  (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [Syntaxes].

843	3.4.4. 'modifyTimestamp'

845	  This attribute appears in entries which have been modified using the
846	  protocol (e.g., using the Modify operation).  The value is the time
847	  the entry was last modified.

849	      ( 2.5.18.2 NAME 'modifyTimestamp'
850	        EQUALITY generalizedTimeMatch
851	        ORDERING generalizedTimeOrderingMatch
852	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
853	        SINGLE-VALUE NO-USER-MODIFICATION
854	        USAGE directoryOperation )

856	  The 'generalizedTimeMatch' and 'generalizedTimeOrderingMatch' matching
857	  rules and the GeneralizedTime (1.3.6.1.4.1.1466.115.121.1.24) syntax
858	  are defined in [Syntaxes].

860	4. Directory Schema

862	  As defined in [X.501]:

864	      The Directory Schema is a set of definitions and constraints
865	      concerning the structure of the DIT, the possible ways entries are
866	      named, the information that can be held in an entry, the
867	      attributes used to represent that information and their
868	      organization into hierarchies to facilitate search and retrieval
869	      of the information and the ways in which values of attributes may
870	      be matched in attribute value and matching rule assertions.

872	      NOTE 1 - The schema enables the Directory system to, for example:

874	      - prevent the creation of subordinate entries of the wrong
875	        object-class (e.g. a country as a subordinate of a person);

877	      - prevent the addition of attribute-types to an entry
878	        inappropriate to the object-class (e.g. a serial number to a
879	        person's entry);

881	      - prevent the addition of an attribute value of a syntax not
882	        matching that defined for the attribute-type (e.g. a printable
883	        string to a bit string).

885	        Formally, the Directory Schema comprises a set of:

887	      a) Name Form definitions that define primitive naming relations
888	         for structural object classes;

890	      b) DIT Structure Rule definitions that define the names that
891	         entries may have and the ways in which the entries may be
892	         related to one another in the DIT;

894	      c) DIT Content Rule definitions that extend the specification of
895	         allowable attributes for entries beyond those indicated by the
896	         structural object classes of the entries;

898	      d) Object Class definitions that define the basic set of mandatory
899	         and optional attributes that shall be present, and may be
900	         present, respectively, in an entry of a given class, and which
901	         indicate the kind of object class that is being defined;

903	      e) Attribute Type definitions that identify the object identifier
904	         by which an attribute is known, its syntax, associated matching
905	         rules, whether it is an operational attribute and if so its
906	         type, whether it is a collective attribute, whether it is
907	         permitted to have multiple values and whether or not it is
908	         derived from another attribute type;

910	      f) Matching Rule definitions that define matching rules.

912	  And in LDAP:

914	      g) LDAP Syntaxes definitions that define encodings used in LDAP.

916	4.1. Schema Definitions

918	  Schema definitions in this section are described using ABNF and rely
919	  on the common productions specified in Section 1.2 as well as these:

921	      noidlen = numericoid [ LCURLY len RCURLY ]

923	      len = number

925	      oids = oid / ( LPAREN WSP oidlist WSP RPAREN )

927	      oidlist = oid *( WSP DOLLAR WSP oid )
928	      extensions = *( SP xstring SP qdstrings )

930	      xstring = X HYPHEN 1*( ALPHA / HYPHEN / USCORE )

932	      qdescrs = qdescr / ( LPAREN WSP qdescrlist WSP RPAREN )

934	      qdescrlist = [ qdescr *( SP qdescr ) ]

936	      qdescr = SQUOTE descr SQUOTE

938	      qdstrings = qdstring / ( LPAREN WSP qdstringlist WSP RPAREN )

940	      qdstringlist = [ qdstring *( SP qdstring ) ]

942	      qdstring = SQUOTE dstring SQUOTE

944	      dstring = 1*( QS / QQ / QUTF8 )   ; escaped UTF8 string

946	      QQ =  ESC %x32 %x37 ; "\27"

948	      QS =  ESC %x35 ( %x43 / %x63 ) ; "\5C" / "\5c"

950	      ; Any UTF-8 encoded UCS character
951	      ; except %x27 ("'") and %x5C ("\")
952	      QUTF8    = QUTF1 / UTFMB

954	      ; Any ASCII character except %x27 ("'") and %x5C ("\")
955	      QUTF1    = %x00-26 / %x28-5B / %x5D-7F

957	  Schema definitions in this section also share a number of common
958	  terms.

960	  The NAME field provides a set of short names (descriptors) which are
961	  be used as aliases for the OID.

963	  The DESC field optionally allows a descriptive string to be provided
964	  by the directory administrator and/or implementor.  While
965	  specifications may suggest a descriptive string, there is no
966	  requirement that the suggested (or any) descriptive string be used.

968	  Implementors should note that future versions of this document may
969	  expand these definitions to include additional terms.  Terms whose
970	  identifier begins with "X-" are reserved for private experiments, and
971	  MUST be followed by <space> and <qdstrings> tokens.

973	4.1.1. Object Class Definitions
974	  Object Class definitions are written according to the ABNF:

976	    ObjectClassDescription = LPAREN WSP
977	        numericoid                 ; object identifier
978	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
979	        [ SP "DESC" SP qdstring ]  ; description
980	        [ SP "OBSOLETE" ]          ; not active
981	        [ SP "SUP" SP oids ]       ; superior object classes
982	        [ SP kind ]                ; kind of class
983	        [ SP "MUST" SP oids ]      ; attribute types
984	        [ SP "MAY" SP oids ]       ; attribute types
985	        extensions WSP RPAREN

987	    kind = "ABSTRACT" / "STRUCTURAL" / "AUXILIARY"

989	  where:
990	    <numericoid> is object identifier assigned to this object class;
991	    NAME <qdescrs> are short names (descriptors) identifying this object
992	        class;
993	    DESC <qdstring> is a short descriptive string;
994	    OBSOLETE indicates this object class is not active;
995	    SUP <oids> specifies the direct superclasses of this object class;
996	    the kind of object class is indicated by one of ABSTRACT,
997	        STRUCTURAL, or AUXILIARY, default is STRUCTURAL;
998	    MUST and MAY specify the sets of required and allowed attribute
999	        types, respectively; and
1000	    <extensions> describe extensions.

1002	4.1.2. Attribute Types

1004	  Attribute Type definitions are written according to the ABNF:

1006	    AttributeTypeDescription = LPAREN WSP
1007	        numericoid                 ; object identifier
1008	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1009	        [ SP "DESC" SP qdstring ]  ; description
1010	        [ SP "OBSOLETE" ]          ; not active
1011	        [ SP "SUP" SP oid ]        ; subtype
1012	        [ SP "EQUALITY" SP oid ]   ; equality matching rule
1013	        [ SP "ORDERING" SP oid ]   ; ordering matching rule
1014	        [ SP "SUBSTR" SP oid ]     ; substrings matching rule
1015	        [ SP "SYNTAX" SP noidlen ] ; value syntax
1016	        [ SP "SINGLE-VALUE" ]      ; single-value
1017	        [ SP "COLLECTIVE" ]        ; collective
1018	        [ SP "NO-USER-MODIFICATION" ] ; not user modifiable
1019	        [ SP "USAGE" SP usage ]    ; usage
1020	        extensions WSP RPAREN      ; extensions

1022	    usage = "userApplications"     /
1023	            "directoryOperation"   /
1024	            "distributedOperation" /    ; DSA-shared
1025	            "dSAOperation"              ; DSA-specific

1027	  where:
1028	    <numericoid> is object identifier assigned to this attribute type;
1029	    NAME <qdescrs> are short names (descriptors) identifying this
1030	        attribute type;
1031	    DESC <qdstring> is a short descriptive string;
1032	    OBSOLETE indicates this attribute type is not active;
1033	    SUP oid specifies the direct subtype of this type;
1034	    EQUALITY, ORDERING, SUBSTRING provide the oid of the equality,
1035	        ordering, and substrings matching rules, respectively;
1036	    SYNTAX identifies value syntax by object identifier and suggests a
1037	        minimum upper bound;
1038	    COLLECTIVE indicates this attribute type is collective;
1039	    NO-USER-MODIFICATION indicates this attribute type is not user
1040	        modifiable;
1041	    USAGE indicates the application of this attribute type; and
1042	    <extensions> describe extensions.

1044	  Each attribute type description must contain at least one of the SUP
1045	  or SYNTAX fields.

1047	  The default USAGE is userApplications.  COLLECTIVE requires USAGE
1048	  userApplications.  NO-USER-MODIFICATION requires usage other than
1049	  userApplications.

1051	  Note that the <AttributeTypeDescription> does not list the matching
1052	  rules which can can be used with that attribute type in an
1053	  extensibleMatch search filter.  This is done using the
1054	  'matchingRuleUse' attribute described in Section 4.1.3.

1056	  This document refines the schema description of X.501 by requiring
1057	  that the SYNTAX field in an <AttributeTypeDescription> be a string
1058	  representation of an object identifier for the LDAP string syntax
1059	  definition with an optional indication of the suggested minimum bound
1060	  of a value of this attribute.

1062	  A suggested minimum upper bound on the number of characters in a value
1063	  with a string-based syntax, or the number of bytes in a value for all
1064	  other syntaxes, may be indicated by appending this bound count inside
1065	  of curly braces following the syntax's OBJECT IDENTIFIER in an
1066	  Attribute Type Description.  This bound is not part of the syntax name
1067	  itself.  For instance, "1.3.6.4.1.1466.0{64}" suggests that server
1068	  implementations should allow a string to be 64 characters long,
1069	  although they may allow longer strings.  Note that a single character
1070	  of the Directory String syntax may be encoded in more than one octet
1071	  since UTF-8 is a variable-length encoding.

1073	4.1.3. Matching Rules

1075	  Matching rules are used by servers to compare attribute values against
1076	  assertion values when performing Search and Compare operations.  They
1077	  are also used to identify the value to be added or deleted when
1078	  modifying entries, and are used when comparing a purported
1079	  distinguished name with the name of an entry.

1081	  A matching rule specifies the syntax of the assertion value.

1083	  Each matching rule is identified by an object identifier (OID) and,
1084	  optionally, one or more short names known as descriptors.

1086	  Matching rule definitions are written according to the ABNF:

1088	    MatchingRuleDescription = LPAREN WSP
1089	        numericoid                 ; object identifier
1090	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1091	        [ SP "DESC" SP qdstring ]  ; description
1092	        [ SP "OBSOLETE" ]          ; not active
1093	        SP "SYNTAX" SP numericoid  ; oid corrected to numericoid
1094	        extensions WSP RPAREN      ; extensions

1096	  where:
1097	    <numericoid> is object identifier assigned to this matching rule;
1098	    NAME <qdescrs> are short names (descriptors) identifying this
1099	        matching rule;
1100	    DESC <qdstring> is a short descriptive string;
1101	    OBSOLETE indicates this matching rule is not active;
1102	    SYNTAX identifies the assertion syntax by object identifier; and
1103	    <extensions> describe extensions.

1105	  A matching rule use lists the attributes which are suitable for use
1106	  with an extensible matching rule.

1108	  Matching rule use descriptions (see Section 4.1.3) are written
1109	  according to the following ABNF:

1111	    MatchingRuleUseDescription = LPAREN WSP
1112	        numericoid                 ; object identifier
1113	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1114	        [ SP "DESC" SP qdstring ]  ; description
1115	        [ SP "OBSOLETE" ]          ; not active
1116	        SP "APPLIES" SP oids       ; attribute types
1117	        extensions WSP RPAREN      ; extensions

1119	  where:
1120	    <numericoid> is the object identifier of the matching rule
1121	        associated with this matching rule use description;
1122	    NAME <qdescrs> are short names (descriptors) identifying this
1123	        matching rule use;
1124	    DESC <qdstring> is a short descriptive string;
1125	    OBSOLETE indicates this matching rule use is not active;
1126	    APPLIES provides a list of attribute types the matching rule applies
1127	        to; and
1128	    <extensions> describe extensions.

1130	4.1.4. LDAP Syntaxes

1132	  LDAP Syntaxes of (attribute and assertion) values are described in
1133	  terms of ASN.1 [X.680] and, optionally, have an octet string encoding
1134	  known as the LDAP-specific encoding.  Commonly, the LDAP-specific
1135	  encoding is constrained to string of Universal Character Set (UCS)
1136	  [ISO10646] characters in UTF-8 [RFC2279] form.

1138	  Each LDAP syntax is identified by an object identifier (OID).  These
1139	  are not intended to be displayed to users.

1141	  LDAP syntax definitions are written according to the ABNF:

1143	    SyntaxDescription = LPAREN WSP
1144	        numericoid                 ; object identifier
1145	        [ SP "DESC" SP qdstring ]  ; description
1146	        extensions WSP RPAREN      ; extensions

1148	  where:
1149	    <numericoid> is object identifier assigned to this LDAP syntax;
1150	    DESC <qdstring> is a short descriptive string; and
1151	    <extensions> describe extensions.

1153	4.1.5. DIT Content Rules

1155	  A DIT content rule is a "rule governing the content of entries of a
1156	  particular structural object class" [X.501].

1158	  A DIT content rule specifies for DIT entries of a particular
1159	  structural object class, which auxiliary object classes the entries
1160	  are allowed to belong to and which additional attributes (by type) are
1161	  required, allowed or not allowed to appear in the entries.

1163	  The list of precluded attributes cannot include any attribute listed
1164	  as mandatory in rule, the structural object class, or any of the
1165	  allowed auxiliary object classes.

1167	  Each content rule is identified by the object identifier, as well as
1168	  any short names (descriptors), of the structural rule it applies to.

1170	  An entry may only belong to auxiliary object classes listed in the
1171	  governing content rule.

1173	  An entry must contain all attributes required by the object classes
1174	  the entry belongs to as well as all attributed required by the
1175	  governing content rule.

1177	  An entry may contain any non-precluded attributes allowed by the
1178	  object classes the entry belongs to as well as all attributes allowed
1179	  by the governing content rule.

1181	  An entry cannot include any attribute precluded by the governing
1182	  content rule.

1184	  An entry is governed by (if present and active in the subschema) the
1185	  DIT content rule which applies to the structural object class of the
1186	  entry (see Section 2.4.2).  If no active rule is present for the
1187	  entry's structural object class, the entry's content is governed by
1188	  the structural object class (and possibly other aspects of user and
1189	  system schema).

1191	  DIT content rule descriptions are written according to the ABNF:

1193	    DITContentRuleDescription = LPAREN WSP
1194	        numericoid                 ; object identifier
1195	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1196	        [ SP "DESC" SP qdstring ]  ; description
1197	        [ SP "OBSOLETE" ]          ; not active
1198	        [ SP "AUX" SP oids ]       ; auxiliary object classes
1199	        [ SP "MUST" SP oids ]      ; attribute types
1200	        [ SP "MAY" SP oids ]       ; attribute types
1201	        [ SP "NOT" SP oids ]       ; attribute types
1202	        extensions WSP RPAREN      ; extensions

1204	  where:
1205	    <numericoid> is the object identifier of the structural object class
1206	        associated with this DIT content rule;
1207	    NAME <qdescrs> are short names (descriptors) identifying this DIT
1208	        content rule;
1209	    DESC <qdstring> is a short descriptive string;
1210	    OBSOLETE indicates this DIT content rule use is not active;
1211	    AUX specifies a list of auxiliary object classes which entries
1212	        subject to this DIT content rule may belong to;
1213	    MUST, MAY, and NOT specify lists of attribute types which are
1214	        required, allowed, or precluded, respectively, from appearing in
1215	        entries subject to this DIT content rule; and
1216	    <extensions> describe extensions.

1218	4.1.6. DIT Structural Rules and Name Forms

1220	  It is sometimes desirable to regulate where object entries can be
1221	  placed in the DIT and how they can be named based upon their
1222	  structural object class.

1224	  A DIT structural rule is a "rule governing the structure of the DIT by
1225	  specifying a permitted superior to subordinate entry relationship.  A
1226	  structure rule relates a name form, and therefore a structural object
1227	  class, to superior structure rules.  This permits entries of the
1228	  structural object class identified by the name form to exist in the
1229	  DIT as subordinates to entries governed by the indicated superior
1230	  structure rules" [X.501].

1232	  A name form "specifies a permissible RDN for entries of a particular
1233	  structural object class.  A name form identifies a named object class
1234	  and one or more attribute types to be used for naming (i.e.  for the
1235	  RDN).  Name forms are primitive pieces of specification used in the
1236	  definition of DIT structure rules" [X.501].

1238	  Each name form indicates the structural object class to be named, a
1239	  set of required attribute types, and a set of allowed attributes
1240	  types.  A particular attribute type cannot be listed in both sets.

1242	  Entries governed by the form must be named using a value from each
1243	  required attribute type and zero or more values from the allowed
1244	  attribute types.

1246	  Each name form is identified by an object identifier (OID) and,
1247	  optionally, one or more short names known as descriptors.

1249	  DIT structure rule descriptions are written according to the ABNF:

1251	    DITStructureRuleDescription = LPAREN WSP
1252	        ruleid                     ; rule identifier
1253	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1254	        [ SP "DESC" SP qdstring ]  ; description
1255	        [ SP "OBSOLETE" ]          ; not active
1256	        SP "FORM" SP oid           ; NameForm
1257	        [ SP "SUP" ruleids ]       ; superior rules
1258	        extensions WSP RPAREN      ; extensions

1260	    ruleids = ruleid / ( LPAREN WSP ruleidlist WSP RPAREN )

1262	    ruleidlist = ruleid *( SP ruleid )

1264	    ruleid = number

1266	  where:
1267	    <ruleid> is the rule identifier of this DIT structure rule;
1268	    NAME <qdescrs> are short names (descriptors) identifying this DIT
1269	        structure rule;
1270	    DESC <qdstring> is a short descriptive string;
1271	    OBSOLETE indicates this DIT structure rule use is not active;
1272	    FORM is specifies the name form associated with this DIT structure
1273	        rule;
1274	    SUP identifies superior rules (by rule id); and
1275	    <extensions> describe extensions.

1277	  Name form descriptions are written according to the ABNF:

1279	    NameFormDescription = LPAREN WSP
1280	        numericoid                 ; object identifier
1281	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1282	        [ SP "DESC" SP qdstring ]  ; description
1283	        [ SP "OBSOLETE" ]          ; not active
1284	        SP "OC" SP oid             ; structural object class
1285	        SP "MUST" SP oids          ; attribute types
1286	        [ SP "MAY" SP oids ]       ; attribute types
1287	        extensions WSP RPAREN      ; extensions

1289	  where:
1290	    <numericoid> is object identifier assigned to this name form;
1291	    NAME <qdescrs> are short names (descriptors) identifying this name
1292	        form;
1293	    DESC <qdstring> is a short descriptive string;
1294	    OBSOLETE indicates this name form is not active;
1295	    OC identifies the structural object class this rule applies to,
1296	    MUST and MAY specify the sets of required and allowed, respectively,
1297	        naming attributes for this name form; and
1298	    <extensions> describe extensions.

1300	4.2. Subschema Subentries

1302	  Subschema (sub)entries are used for administering information about
1303	  the directory schema.  A single subschema (sub)entry contains all
1304	  schema definitions (see Section 4.1) used by entries in a particular
1305	  part of the directory tree.

1307	  Servers which follow X.500(93) models SHOULD implement subschema using
1308	  the X.500 subschema mechanisms (as detailed in Section 12 of [X.501]),
1309	  and so these are not ordinary object entries but subentries (see
1310	  Section 3.2).  LDAP clients SHOULD NOT assume that servers implement
1311	  any of the other aspects of X.500 subschema.

1313	  Servers MAY allow subschema modification.  Procedures for subschema
1314	  modification are discussed in Section 14.5 of [X.501].

1316	  A server which masters entries and permits clients to modify these
1317	  entries MUST implement and provide access to these subschema
1318	  (sub)entries including providing a 'subschemaSubentry' attribute in
1319	  each modifiable entry.  This so clients may discover the attributes
1320	  and object classes which are permitted to be present.  It is strongly
1321	  RECOMMENDED that all other servers implement this as well.

1323	  The value of the 'subschemaSubentry' attribute is the name of the
1324	  subschema (sub)entry holding the subschema controlling the entry.

1326	      ( 2.5.18.10 NAME 'subschemaSubentry'
1327	        EQUALITY distinguishedNameMatch
1328	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
1329	        NO-USER-MODIFICATION SINGLE-VALUE
1330	        USAGE directoryOperation )

1332	  The 'distinguishedNameMatch' matching rule and the DistinguishedName
1333	  (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [Syntaxes].

1335	  Subschema is held in (sub)entries belonging to the subschema auxiliary
1336	  object class.

1338	      ( 2.5.20.1 NAME 'subschema' AUXILIARY
1339	        MAY ( dITStructureRules $ nameForms $ ditContentRules $
1340	          objectClasses $ attributeTypes $ matchingRules $
1341	          matchingRuleUse ) )

1343	  The 'ldapSyntaxes' operational attribute may also be present in
1344	  subschema entries.

1346	  Servers MAY provide additional attributes (described in other
1347	  documents) in subschema (sub)entries.

1349	  Servers SHOULD provide the attributes 'createTimestamp' and
1350	  'modifyTimestamp' in subschema (sub)entries, in order to allow clients
1351	  to maintain their caches of schema information.

1353	  The following subsections provide attribute type definitions for each
1354	  of schema definition attribute types.

1356	4.2.1. 'objectClasses'

1358	  This attribute holds definitions of object classes supported in the
1359	  subschema.

1361	      ( 2.5.21.6 NAME 'objectClasses'
1362	        EQUALITY objectIdentifierFirstComponentMatch
1363	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.37
1364	        USAGE directoryOperation )

1366	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1367	  ObjectClassDescription (1.3.6.1.4.1.1466.115.121.1.37) syntax are
1368	  defined in [Syntaxes].

1370	4.2.2. 'attributeTypes'

1372	  This attribute holds definitions of attribute types supported in the
1373	  subschema.

1375	      ( 2.5.21.5 NAME 'attributeTypes'
1376	        EQUALITY objectIdentifierFirstComponentMatch
1377	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.3
1378	        USAGE directoryOperation )

1380	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1381	  AttributeTypeDescription (1.3.6.1.4.1.1466.115.121.1.3) syntax are
1382	  defined in [Syntaxes].

1384	4.2.3. 'matchingRules'

1386	  This attribute holds definitions of matching rules supported in the
1387	  subschema.

1389	      ( 2.5.21.4 NAME 'matchingRules'
1390	        EQUALITY objectIdentifierFirstComponentMatch
1391	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.30
1392	        USAGE directoryOperation )

1394	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1395	  MatchingRuleDescription (1.3.6.1.4.1.1466.115.121.1.30) syntax are
1396	  defined in [Syntaxes].

1398	4.2.4 'matchingRuleUse'

1400	  This attribute holds definitions of matching rule uses supported in
1401	  the subschema.

1403	      ( 2.5.21.8 NAME 'matchingRuleUse'
1404	        EQUALITY objectIdentifierFirstComponentMatch
1405	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.31
1406	        USAGE directoryOperation )

1408	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1409	  MatchingRuleUseDescription (1.3.6.1.4.1.1466.115.121.1.31) syntax are
1410	  defined in [Syntaxes].

1412	4.2.5. 'ldapSyntaxes'

1414	  This attribute holds definitions of LDAP syntaxes supported in the
1415	  subschema.

1417	      ( 1.3.6.1.4.1.1466.101.120.16 NAME 'ldapSyntaxes'
1418	        EQUALITY objectIdentifierFirstComponentMatch
1419	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.54
1420	        USAGE directoryOperation )

1422	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1423	  SyntaxDescription (1.3.6.1.4.1.1466.115.121.1.54) syntax are defined
1424	  in [Syntaxes].

1426	4.2.6. 'dITContentRules'

1428	  This attribute lists DIT Content Rules which are in force.

1430	      ( 2.5.21.2 NAME 'dITContentRules'
1431	        EQUALITY objectIdentifierFirstComponentMatch
1432	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.16
1433	        USAGE directoryOperation )

1435	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1436	  DITContentRuleDescription (1.3.6.1.4.1.1466.115.121.1.16) syntax are
1437	  defined in [Syntaxes].

1439	4.2.7. 'dITStructureRules'

1441	  This attribute lists DIT Structure Rules which are in force.

1443	      ( 2.5.21.1 NAME 'dITStructureRules'
1444	        EQUALITY integerFirstComponentMatch
1445	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.17
1446	        USAGE directoryOperation )

1448	  The 'integerFirstComponentMatch' matching rule and the
1449	  DITStructureRuleDescription (1.3.6.1.4.1.1466.115.121.1.17) syntax are
1450	  defined in [Syntaxes].

1452	4.2.8 'nameForms'

1454	  This attribute lists Name Forms which are in force.

1456	      ( 2.5.21.7 NAME 'nameForms'
1457	        EQUALITY objectIdentifierFirstComponentMatch
1458	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.35
1459	        USAGE directoryOperation )

1461	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1462	  NameFormDescription (1.3.6.1.4.1.1466.115.121.1.35) syntax are defined
1463	  in [Syntaxes].

1465	4.3. 'extensibleObject' object class

1467	  The 'extensibleObject auxiliary object class allows entries belong to
1468	  it to hold any attribute type.  The set of allowed attributes of this
1469	  class is implicitly the set of all user attributes.

1471	      ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject'
1472	        SUP top AUXILIARY )

1474	  The mandatory attributes of the other object classes of this entry are
1475	  still required to be present and any precluded attributes are still
1476	  not allowed to be present.

1478	  Note that not all servers will implement this object class, and those
1479	  which do not will reject requests to add entries which contain this
1480	  object class, or modify an entry to add this object class.

1482	4.4. Subschema Discovery

1484	  To discover the DN of the subschema (sub)entry holding the subschema
1485	  controlling a particular entry, a client reads that entry's
1486	  'subschemaSubentry' operational attribute.  To read schema attributes
1487	  from the subschema (sub)entry, clients MUST issue a base object search
1488	  where the filter is "(objectClass=subschema)" [Filters] and the list
1489	  of attributes includes the names of the desired schema attributes (as
1490	  they are operational).  This filter allows LDAP servers which gateway
1491	  to X.500 to detect that subentry information is being requested.

1493	5. DSA (Server) Informational Model

1495	  The LDAP protocol assumes there are one or more servers which jointly
1496	  provide access to a Directory Information Tree (DIT).

1498	  As defined in [X.501]:

1500	      context prefix: The sequence of RDNs leading from the Root of the
1501	          DIT to the initial vertex of a naming context; corresponds to
1502	          the distinguished name of that vertex.

1504	      DIB fragment: The portion of the DIB that is held by one master
1505	          DSA, comprising one or more naming contexts.

1507	      naming context: A subtree of entries held in a single master DSA.

1509	  That is, a naming context is the largest collection of entries,
1510	  starting at an entry that is mastered by a particular server, and
1511	  including all its subordinates and their subordinates, down to the
1512	  entries which are mastered by different servers.  The context prefix
1513	  is the name of the initial entry.

1515	  The root of the DIT is a DSA-specific Entry (DSE) and not part of any
1516	  naming context (or any subtree); each server has different attribute
1517	  values in the root DSE.

1519	5.1. Server-specific Data Requirements

1521	  An LDAP server MUST provide information about itself and other
1522	  information that is specific to each server.  This is represented as a
1523	  group of attributes located in the root DSE (DSA-Specific Entry),
1524	  which is named with the zero-length LDAPDN.  These attributes are
1525	  retrievable, subject to access control and other restrictions, if a
1526	  client performs a base object search of the root with the filter
1527	  "(objectClass=*)" [Filters] requesting the desired attributes.  It is
1528	  noted that root DSE attributes are operational, and like other
1529	  operational attributes, are not returned in search requests unless
1530	  requested by name.

1532	  The root DSE SHALL NOT be included if the client performs a subtree
1533	  search starting from the root.

1535	  Servers may allow clients to modify attributes of the root DSE where
1536	  appropriate.

1538	  The following attributes of the root DSE are defined in [Syntaxes].
1539	  Additional attributes may be defined in other documents.

1541	    - altServer: alternative servers;

1543	    - namingContexts: naming contexts;

1545	    - supportedControl: recognized LDAP controls;

1547	    - supportedExtension: recognized LDAP extended operations;

1549	    - supportedLDAPVersion: LDAP versions supported; and

1551	    - supportedSASLMechanisms: recognized SASL mechnanisms.

1553	  The values of these attributes provided may depend on session specific
1554	  and other factors.  For example, a server supporting the SASL EXTERNAL
1555	  mechanism may only list "EXTERNAL" when the client's identity has been
1556	  established by a lower level.  See [AuthMeth].

1558	  The root DSE may also include a 'subschemaSubentry' attribute.  If so,
1559	  it refers to the subschema (sub)entry holding schema controlling
1560	  attributes of the root DSE.  Client SHOULD NOT assume that the
1561	  subschema (sub)entry controlling the root DSE controls any entry held
1562	  by the server.  General subschema discovery procedures are provided in
1563	  Section 4.4.

1565	5.1.1. 'altServer'

1567	  The 'altServer' attribute lists URLs referring to alternative servers
1568	  which may be contacted when this server becomes unavailable.  If the
1569	  server does not know of any other servers which could be used this
1570	  attribute will be absent.  Clients may cache this information in case
1571	  their preferred LDAP server later becomes unavailable.

1573	      ( 1.3.6.1.4.1.1466.101.120.6 NAME 'altServer'
1574	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
1575	        USAGE dSAOperation )

1577	  The IA5String (1.3.6.1.4.1.1466.115.121.1.26) syntax is defined in
1578	  [Syntaxes].

1580	5.1.2. 'namingContexts'
1581	  The 'namingContexts' attribute lists the context prefixes of the
1582	  naming contexts the server masters or shadows (in part or in whole).
1583	  If the server does not master or shadow any information (e.g. it is an
1584	  LDAP gateway to a public X.500 directory) this attribute will be
1585	  absent.  If the server believes it masters or shadows the entire
1586	  directory, the attribute will have a single value, and that value will
1587	  be the empty string (indicating the null DN of the root).  This
1588	  attribute allows a client to choose suitable base objects for
1589	  searching when it has contacted a server.

1591	      ( 1.3.6.1.4.1.1466.101.120.5 NAME 'namingContexts'
1592	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
1593	        USAGE dSAOperation )

1595	  The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax is
1596	  defined in [Syntaxes].

1598	5.1.3. 'supportedControl'

1600	  The 'supportedControl' attribute lists object identifiers identifying
1601	  the request controls the server supports.  If the server does not
1602	  support any request controls, this attribute will be absent.

1604	  Object identifiers identifying response controls need not be listed.

1606	  Procedures for registering object identifiers used to discovery of
1607	  protocol mechanisms are detailed in BCP 64 [RFC3383].

1609	      ( 1.3.6.1.4.1.1466.101.120.13 NAME 'supportedControl'
1610	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
1611	        USAGE dSAOperation )

1613	  The OBJECT IDENTIFIER (1.3.6.1.4.1.1466.115.121.1.38) syntax is
1614	  defined in [Syntaxes].

1616	5.1.4. 'supportedExtension'

1618	  The 'supportedExtension' attribute lists object identifiers
1619	  identifying the extended operations which the server supports.  If the
1620	  server does not support any extended operations, this attribute will
1621	  be absent.

1623	  An extended operation comprises a ExtendedRequest, possibly other PDUs
1624	  defined by extension, and an ExtendedResponse [Protocol].  The object
1625	  identifier assigned to the ExtendedRequest is used to identify the
1626	  extended operation.  Other object identifiers associated with the
1627	  extended operation need not be listed.

1629	  Procedures for registering object identifiers used to discovery of
1630	  protocol mechanisms are detailed in BCP 64 [RFC3383].

1632	      ( 1.3.6.1.4.1.1466.101.120.7 NAME 'supportedExtension'
1633	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
1634	        USAGE dSAOperation )

1636	  The OBJECT IDENTIFIER (1.3.6.1.4.1.1466.115.121.1.38) syntax is
1637	  defined in [Syntaxes].

1639	5.1.5. 'supportedLDAPVersion'

1641	  The 'supportedLDAPVersion' attribute lists the versions of LDAP which
1642	  the server supports.

1644	      ( 1.3.6.1.4.1.1466.101.120.15 NAME 'supportedLDAPVersion'
1645	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
1646	        USAGE dSAOperation )

1648	  The INTEGER (1.3.6.1.4.1.1466.115.121.1.27) syntax are defined in
1649	  [Syntaxes].

1651	5.1.6. 'supportedSASLMechanisms'

1653	  The 'supportedSASLMechanisms' attribute lists the SASL mechanisms
1654	  [RFC2222] which the server recognizes.  The contents of this attribute
1655	  may depend on the current session state.  If the server does not
1656	  support any SASL mechanisms this attribute will not be present.

1658	      ( 1.3.6.1.4.1.1466.101.120.14 NAME 'supportedSASLMechanisms'
1659	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
1660	        USAGE dSAOperation )

1662	  The Directory String (1.3.6.1.4.1.1466.115.121.1.15) syntax is defined
1663	  in [Syntaxes].

1665	6. Other Considerations

1667	6.1. Preservation of User Information

1669	  Syntaxes may be defined which have specific value and/or value form
1670	  (representation) preservation requirements.  For example, a syntax
1671	  containing digitally signed data can mandate the server preserve both
1672	  the value and form of value presented to ensure signature is not
1673	  invalidated.

1675	  Where such requirements have not be explicitly stated, servers SHOULD
1676	  preserve the value of user information but MAY return the value in a
1677	  different form.  And where a server is unable (or unwilling) to
1678	  preserve the value of user information, the server SHALL ensure that
1679	  an equivalent value (per Section 2.3) is returned.

1681	6.2. Short Names

1683	  Short names, also known as descriptors, are used as more readable
1684	  aliases for object identifiers and are used to identify various schema
1685	  elements.  The same short name might have different meaning in
1686	  different subschemas and, within a particular subschema, the same
1687	  short name might refer to different object identifiers each
1688	  identifying a different kind of schema element.

1690	  Implementations MUST be prepared that the same short name might be
1691	  used in a subschema to refer to the different kinds of schema
1692	  elements.  That is, there might be an object class 'x-fubar' and an
1693	  attribute type 'x-fubar' in a subschema.

1695	  Implementations MUST be prepared that the same short name might be
1696	  used in the different subschemas to refer to the different schema
1697	  elements.  That is, there might be two matching rules 'x-fubar', each
1698	  in different subschemas.

1700	  Procedures for registering short names (descriptors) are detailed in
1701	  BCP 64 [RFC3383bis].

1703	  [[The remainder of this subsection will be included a subsequent
1704	  revision of RFC 3383.]]

1706	  To avoid interoperability problems, the following additional
1707	  considerations are stated:

1709	      Descriptors used to identify various schema SHOULD be registered
1710	      unless in private-use name space (e.g., they begin with "x-").
1711	      Descriptors defined in RFCs MUST be registered.

1713	      While the protocol allows the same descriptor to refer to
1714	      different object identifiers in certain cases and the registry
1715	      supports multiple registrations of the same descriptor (each
1716	      indicating a different kind of schema element and different object
1717	      identifier), multiple registrations of the same descriptor are to
1718	      be avoided.  All such registration requests require Expert Review.

1720	6.3. Cache and Shadowing

1722	  Some servers may hold cache or shadow copies of entries, which can be
1723	  used to answer search and comparison queries, but will return
1724	  referrals or contact other servers if modification operations are
1725	  requested.  Servers that perform shadowing or caching MUST ensure that
1726	  they do not violate any access control constraints placed on the data
1727	  by the originating server.

1729	7. Implementation Guidelines

1731	7.1 Server Guidelines

1733	  Servers MUST recognize all attribute types and object classes defined
1734	  in this document but, unless stated otherwise, need not support the
1735	  associated functionality.  Servers SHOULD recognize all the names of
1736	  object classes defined in Section 7 of [Schema].

1738	  Servers MUST ensure that entries conform to user and system schema
1739	  rules or other data model constraints.

1741	  Servers MAY support DIT Content Rules, DIT Structural Rules, and/or
1742	  Name Forms features.

1744	  Servers MAY support alias entries.

1746	  Servers MAY support subentries.  If so, they MUST do so in accordance
1747	  with [X.501].  Servers which do not support subentries SHOULD use
1748	  object entries to mimic subentries as detailed in Section 3.2.

1750	  Servers MAY support the 'extensibleObject' object class.

1752	  Servers MAY implement additional object classes.  Servers SHOULD
1753	  provide the definitions of all object classes they support in
1754	  subschema (sub)entries.

1756	7.2 Client Guidelines

1758	  Clients MUST NOT display nor attempt to decode as ASN.1, a value if
1759	  its syntax is not known.  The implementation may attempt to discover
1760	  the subschema of the source entry, and retrieve the values of
1761	  'attributeTypes' from the subschema (sub)entry.

1763	  Clients MUST NOT assume the LDAP-specific string encoding is
1764	  restricted to a UTF-8 encoded string of UCS characters or any
1765	  particular subset of particular subset of UCS (such as a printable
1766	  subset) unless such restriction is explicitly stated.

1768	  Clients MUST NOT send attribute values in a request that are not valid
1769	  according to the syntax defined for the attributes.

1771	8. Security Considerations

1773	  Attributes of directory entries are used to provide descriptive
1774	  information about the real-world objects they represent, which can be
1775	  people, organizations or devices.  Most countries have privacy laws
1776	  regarding the publication of information about people.

1778	  General security considerations for accessing directory information
1779	  with LDAP are discussed in [Protocol] and [AuthMeth].

1781	9. IANA Considerations

1783	  It is requested that the Internet Assigned Numbers Authority (IANA)
1784	  update the LDAP descriptors registry as indicated the following
1785	  template:

1787	      Subject: Request for LDAP Descriptor Registration Update
1788	      Descriptor (short name): see comment
1789	      Object Identifier: see comment
1790	      Person & email address to contact for further information:
1791	          Kurt Zeilenga <kurt@OpenLDAP.org>
1792	      Usage: see comment
1793	      Specification: RFC XXXX
1794	      Author/Change Controller: IESG
1795	      Comments:

1797	      The following descriptors should be updated to refer to RFC XXXX.

1799	        NAME                         Type OID
1800	        ------------------------     ---- -----------------
1801	        alias                           O 2.5.6.1
1802	        aliasedEntryName                A 2.5.4.1
1803	        aliasedObjectName               A 2.5.4.1
1804	        altServer                       A 1.3.6.1.4.1.1466.101.120.6
1805	        attributeTypes                  A 2.5.21.5
1806	        createTimestamp                 A 2.5.18.1
1807	        creatorsName                    A 2.5.18.3
1808	        dITContentRules                 A 2.5.21.2
1809	        dITStructureRules               A 2.5.21.1
1810	        extensibleObject                O 1.3.6.1.4.1.1466.101.120.111
1811	        ldapSyntaxes                    A 1.3.6.1.4.1.1466.101.120.16
1812	        matchingRuleUse                 A 2.5.21.8
1813	        matchingRules                   A 2.5.21.4
1814	        modifiersName                   A 2.5.18.4
1815	        modifyTimestamp                 A 2.5.18.2
1816	        nameForms                       A 2.5.21.7
1817	        namingContexts                  A 1.3.6.1.4.1.1466.101.120.5
1818	        objectClass                     A 2.5.4.0
1819	        objectClasses                   A 2.5.21.6
1820	        subschema                       O 2.5.20.1
1821	        subschemaSubentry               A 2.5.18.10
1822	        supportedControl                A 1.3.6.1.4.1.1466.101.120.13
1823	        supportedExtension              A 1.3.6.1.4.1.1466.101.120.7
1824	        supportedLDAPVersion            A 1.3.6.1.4.1.1466.101.120.15
1825	        supportedSASLMechanisms         A 1.3.6.1.4.1.1466.101.120.14
1826	        top                             O 2.5.6.0

1828	10. Acknowledgments

1830	  This document is based in part on RFC 2251 by M. Wahl, T.  Howes, and
1831	  S. Kille; RFC 2252 by M. Wahl, A. Coulbeck, T. Howes, S.  Kille; and
1832	  RFC 2556 by M. Wahl, all products of the IETF Access, Searching and
1833	  Indexing of Directories (ASID) Working Group.  This document is also
1834	  based in part on "The Directory: Models" [X.501], a product of the
1835	  International Telephone Union (ITU).

1837	11. Author's Address

1839	  Kurt Zeilenga
1840	  E-mail: <kurt@openldap.org>

1842	12. References

1844	12.1. Normative References

1846	  [RFC2279]  Yergeau, F., "UTF-8, a transformation format of ISO 10646",
1847	             RFC 2279, January 1998.

1849	  [RFC2119]  S. Bradner, "Key words for use in RFCs to Indicate
1850	             Requirement Levels", BCP 14 (also RFC 2119), March 1997.

1852	  [RFC2234]  Crocker, D., and P. Overell, "Augmented BNF for Syntax
1853	             Specifications: ABNF", RFC 2234, November 1997.

1855	  [RFC3383]  K. Zeilenga, "IANA Considerations for LDAP", BCP 64 (also
1856	             RFC 3383), September 2002.

1858	  [Roadmap]  K. Zeilenga (editor), "LDAP: Technical Specification Road
1859	             Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in
1860	             progress.

1862	  [Protocol] J. Sermersheim (editor), "LDAP: The Protocol",
1863	             draft-ietf-ldapbis-protocol-xx.txt, a work in progress.

1865	  [AuthMeth] R. Harrison (editor), "LDAP: Authentication Methods and
1866	             Connection Level Security Mechanisms",
1867	             draft-ietf-ldapbis-authmeth-xx.txt, a work in progress.

1869	  [LDAPDN]   K. Zeilenga (editor), "LDAP: String Representation of
1870	             Distinguished Names", draft-ietf-ldapbis-dn-xx.txt, a work
1871	             in progress.

1873	  [Filters]  M. Smith (editor), LDAPbis WG, "LDAP: String Representation
1874	             of Search Filters", draft-ietf-ldapbis-filter-xx.txt, a
1875	             work in progress.

1877	  [LDAPURL]  M. Smith (editor), "LDAP: Uniform Resource Locator",
1878	             draft-ietf-ldapbis-url-xx.txt, a work in progress.

1880	  [Syntaxes] S. Legg (editor), "LDAP: Syntaxes",
1881	             draft-ietf-ldapbis-syntaxes-xx.txt, a work in progress.

1883	  [Schema]   K. Dally (editor), "LDAP: User Schema",
1884	             draft-ietf-ldapbis-user-schema-xx.txt, a work in progress.

1886	  [ISO10646] Universal Multiple-Octet Coded Character Set (UCS) -
1887	             Architecture and Basic Multilingual Plane, ISO/IEC 10646-1
1888	             : 1993.

1890	  [X.500]    ITU-T Rec. X.500, "The Directory: Overview of Concepts,
1891	             Models and Service", 1993.

1893	  [X.501]    ITU-T Rec. X.501, "The Directory: Models", 1993.

1895	  [X.680]    ITU-T Rec. X.680, "Abstract Syntax Notation One (ASN.1) -
1896	             Specification of Basic Notation", 1994.

1898	12.2. Informative References

1900	  None.

1902	Appendix A.  Changes
1903	  This appendix is non-normative.

1905	  This document amounts to nearly a complete rewrite of portions of RFC
1906	  2251, RFC 2252, and RFC 2256.  This rewrite was undertaken to improve
1907	  overall clarity of technical specification.  This appendix provides a
1908	  summary of substantive changes made to the portions of these documents
1909	  incorporated into this document.  Readers should consult [Roadmap],
1910	  [Protocol], [Syntaxes], and [Schema] for summaries of remaining
1911	  portions of these documents.

1913	A.1 Changes to RFC 2251

1915	  This document incorporates from RFC 2251 sections 3.2 and 3.4,
1916	  portions of Section 4 and 6 as summarized below.

1918	A.1.1 Section 3.2 of RFC 2251

1920	  Section 3.2 of RFC 2251 provided a brief introduction to the X.500
1921	  data model, as used by LDAP.  The previous specification relied on
1922	  [X.501] but lacked clarity in how X.500 models are adapted for use by
1923	  LDAP.  This document describes the X.500 data models, as used by LDAP
1924	  in greater detail, especially in areas where the models require
1925	  adaptation is needed.

1927	  Section 3.2.1 of RFC 2251 described an attribute as "a type with one
1928	  or more associated values."  In LDAP, an attribute is better described
1929	  as an attribute description, a type with zero or more options, and one
1930	  or more associated values.

1932	  Section 3.2.2 of RFC 2251 mandated that subschema subentries contain
1933	  objectClasses and attributeTypes attributes, yet X.500(93) treats
1934	  these attributes as optional.  While generally all implementations
1935	  that support X.500(93) subschema mechanisms will provide both of these
1936	  attributes, it is not absolutely required for interoperability that
1937	  all servers do.  The mandate was removed for consistency with
1938	  X.500(93).   The subschema discovery mechanism was also clarified to
1939	  indicate that subschema controlling an entry is obtained by reading
1940	  the (sub)entry referred to by that entry's 'subschemaSubentry'
1941	  attribute.

1943	A.1.2 Section 3.4 of RFC 2251

1945	  Section 3.4 of RFC 2251 provided "Server-specific Data Requirements".
1946	  This material, with changes, was incorporated in Section 5.1 of this
1947	  document.

1949	  Changes:

1951	  - Clarify that attributes of the root DSE are subject to "other
1952	    restrictions" in addition to acccess controls.

1954	  - Clarify that only recognized extended requests need to be enumerated
1955	    'supportedExtension'.

1957	  - Clarify that only recognized request controls need to be enumerated
1958	    'supportedControl'.

1960	  - Clarify that root DSE attributes are operational and, like other
1961	    operational attributes, will not be returned in search requests
1962	    unless requested by name.

1964	  - Clarify that not all root DSE attributes are user modifiable.

1966	  - Remove inconsistent text regarding handling of the
1967	    'subschemaSubentry' attribute within the root DSE.  The previous
1968	    specification stated that the 'subschemaSubentry' attribute held in
1969	    the root DSE referred to "subschema entries (or subentries) known by
1970	    this server."  This is inconsistent with the attribute intended use
1971	    as well as its formal definition as a single valued attribute
1972	    [X.501].  It is also noted that a simple (possibly incomplete) list
1973	    of subschema (sub)entries is not terrible useful.  This document (in
1974	    section 5.1) specifies that the 'subschemaSubentry' attribute of the
1975	    root DSE refers to the subschema controlling the root DSE.  It is
1976	    noted that the general subschema discovery mechanism remains
1977	    available (see Section 4.4 of this document).

1979	A.1.2 Section 4 of RFC 2251

1981	  Portions of Section 4 of RFC 2251 detailing aspects of the information
1982	  model used by LDAP were incorporated in this document, including:

1984	  - Restriction of distinguished values to attributes whose descriptions
1985	    have no options (from Section 4.1.3).

1987	  - Data model aspects of Attribute Types (from Section 4.1.4),
1988	    Attribute Descriptions (from 4.1.4), Attribute (from 4.1.8),
1989	    Matching Rule Identifier (from 4.1.9).

1991	  - User schema requirements (from Section 4.1.6, 4.5.1, and 4.7).

1993	A.1.3 Section 6 of RFC 2251
1994	    The Section 6.1 and the second paragraph of Section 6.2 of RFC 2251
1995	    where incorporated into this document.

1997	A.2 Changes to RFC 2252

1999	    This document incorporates Sections 4, 5 and 7 from RFC 2252.

2001	A.2.1 Section 4 of RFC 2252

2003	    The specification was updated to use Augmented BNF [RFC2234].  The
2004	    string representation of an OBJECT IDENTIFIER was tighten to
2005	    disallow leading zeros as described in RFC 2252 text.

2007	    The <descr> syntax was changed to disallow semicolon (U+0003B)
2008	    characters to appear to be consistent its natural language
2009	    specification "descr is the syntactic representation of an object
2010	    descriptor, which consists of letters and digits, starting with a
2011	    letter."  In a related change, the statement "an
2012	    AttributeDescription can be used as the value in a NAME part of an
2013	    AttributeTypeDescription" was deleted.  RFC 2252 provided no
2014	    specification as to the semantics of attribute options appearing in
2015	    NAME fields.

2017	    The ABNF for a quoted string (qdstring) was updated to reflect
2018	    support for the escaping mechanism described in 4.3 of RFC 2252.

2020	A.2.2 Section 5 of RFC 2252

2022	    Definitions of operational attributes provided in Section 5 of RFC
2023	    2252 where incorporated into this document.

2025	    The 'supportedExtension' description was clarified.  A server need
2026	    only list the OBJECT IDENTIFIERs associated with the extended
2027	    requests of the extended operations it recognizes.

2029	    The 'supportedControl' description was clarified.  A server need
2030	    only list the OBJECT IDENTIFIERs associated with the request
2031	    controls it recognizes.

2033	A.2.3 Section 7 of RFC 2252

2035	    Section 7 of RFC 2252 provides definitions of the 'subschema' and
2036	    'extensibleObject' object classes.  These definitions where
2037	    integrated into Section 4.2 and Section 4.3 of this document,
2038	    respectively.  Section 7 of RFC 2252 also contained the object class
2039	    implementation requirement.  This was incorporated into Section 7 of
2040	    this document.

2042	    The specification of 'extensibleObject' was clarified of how it
2043	    interacts with precluded attributes.

2045	A.3 Changes to RFC 2256

2047	    This document incorporates Sections 5.1, 5.2, 7.1, and 7.2 of RFC
2048	    2256.

2050	    Section 5.1 of RFC 2256 provided the definition of the 'objectClass'
2051	    attribute type.  This was integrated into Section 2.4.1 of this
2052	    document.  The statement "One of the values is either 'top' or
2053	    'alias'" was replaced with statement that one of the values is 'top'
2054	    as entries belonging to 'alias' also belong to 'top'.

2056	    Section 5.2 of RFC 2256 provided the definition of the
2057	    'aliasedObjectName' attribute type.  This was integrated into
2058	    Section 2.6.2 of this document.

2060	    Section 7.1 of RFC 2256 provided the definition of the 'top' object
2061	    class.  This was integrated into Section 2.4.1 of this document.

2063	    Section 7.2 of RFC 2256 provided the definition of the 'alias'
2064	    object class.  This was integrated into Section 2.6.1 of this
2065	    document.

2067	Copyright 2002, The Internet Society.  All Rights Reserved.

2069	  This document and translations of it may be copied and furnished to
2070	  others, and derivative works that comment on or otherwise explain it
2071	  or assist in its implementation may be prepared, copied, published and
2072	  distributed, in whole or in part, without restriction of any kind,
2073	  provided that the above copyright notice and this paragraph are
2074	  included on all such copies and derivative works.  However, this
2075	  document itself may not be modified in any way, such as by removing
2076	  the copyright notice or references to the Internet Society or other
2077	  Internet organizations, except as needed for the  purpose of
2078	  developing Internet standards in which case the procedures for
2079	  copyrights defined in the Internet Standards process must be followed,
2080	  or as required to translate it into languages other than English.

2082	  The limited permissions granted above are perpetual and will not be
2083	  revoked by the Internet Society or its successors or assigns.

2085	  This document and the information contained herein is provided on an
2086	  "AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
2087	  ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
2088	  INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
2089	  INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
2090	  WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.