idnits 2.17.1 

draft-ietf-ldapbis-models-06.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** The document seems to lack a 1id_guidelines paragraph about 6 months
     document validity -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     current Internet-Drafts -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     Shadow Directories. 


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 36 instances of lines with non-RFC6890-compliant IPv4
     addresses in the document.  If these are example addresses, they should
     be changed.

  == The 'Obsoletes: ' line in the draft header should list only the
     _numbers_ of the RFCs which will be obsoleted by this document (if
     approved); it should not include the word 'RFC' in the list.

  -- The draft header indicates that this document obsoletes RFC2251, but the
     abstract doesn't seem to directly say this.  It does mention RFC2251
     though, so this could be OK.

  -- The draft header indicates that this document obsoletes RFC2252, but the
     abstract doesn't seem to directly say this.  It does mention RFC2252
     though, so this could be OK.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == Line 2170 has weird spacing: '...for the  purpo...'

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords -- however, there's a paragraph with
     a matching beginning. Boilerplate error?

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).
  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (16 December 2002) is 7795 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC2222' is mentioned on line 1732, but not defined

  ** Obsolete undefined reference: RFC 2222 (Obsoleted by RFC 4422, RFC 4752)

  == Missing Reference: 'RFC3383bis' is mentioned on line 1787, but not
     defined

  ** Obsolete undefined reference: RFC 3383 (Obsoleted by RFC 4520)

  == Unused Reference: 'LDAPURL' is defined on line 1968, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2279 (Obsoleted by RFC 3629)

  ** Obsolete normative reference: RFC 2234 (Obsoleted by RFC 4234)

  ** Obsolete normative reference: RFC 3383 (Obsoleted by RFC 4520)

  -- No information found for draft-ietf-ldapbis-roadmap-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Roadmap' 

  -- No information found for draft-ietf-ldapbis-protocol-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Protocol' 

  -- No information found for draft-ietf-ldapbis-authmeth-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'AuthMeth' 

  -- No information found for draft-ietf-ldapbis-dn-xx - is the name correct?

  -- Possible downref: Normative reference to a draft: ref. 'LDAPDN' 

  -- No information found for draft-ietf-ldapbis-filter-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Filters' 

  -- No information found for draft-ietf-ldapbis-url-xx - is the name correct?

  -- Possible downref: Normative reference to a draft: ref. 'LDAPURL' 

  -- No information found for draft-ietf-ldapbis-syntaxes-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Syntaxes' 

  -- No information found for draft-ietf-ldapbis-user-schema-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Schema' 

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ISO10646'


     Summary: 9 errors (**), 0 flaws (~~), 7 warnings (==), 21 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	INTERNET-DRAFT                              Editor: Kurt D. Zeilenga
3	Intended Category: Standard Track                OpenLDAP Foundation
4	Expires in six months                               16 December 2002
5	Obsoletes: RFC 2251, RFC 2252, RFC 2256

7	                    LDAP: Directory Information Models
8	                    <draft-ietf-ldapbis-models-06.txt>

10	Status of this Memo

12	  This document is an Internet-Draft and is in full conformance with all
13	  provisions of Section 10 of RFC2026.

15	  This document is intended to be published as a Standard Track RFC.
16	  Distribution of this memo is unlimited.  Technical discussion of this
17	  document will take place on the IETF LDAP Revision Working Group
18	  mailing list <ietf-ldapbis@openldap.org>.  Please send editorial
19	  comments directly to the author <Kurt@OpenLDAP.org>.

21	  Internet-Drafts are working documents of the Internet Engineering Task
22	  Force (IETF), its areas, and its working groups.  Note that other
23	  groups may also distribute working documents as Internet-Drafts.
24	  Internet-Drafts are draft documents valid for a maximum of six months
25	  and may be updated, replaced, or obsoleted by other documents at any
26	  time.  It is inappropriate to use Internet-Drafts as reference
27	  material or to cite them other than as ``work in progress.''

29	  The list of current Internet-Drafts can be accessed at
30	  <http://www.ietf.org/ietf/1id-abstracts.txt>. The list of
31	  Internet-Draft Shadow Directories can be accessed at
32	  <http://www.ietf.org/shadow.html>.

34	  Copyright 2002, The Internet Society.  All Rights Reserved.  Please
35	  see the Copyright section near the end of this document for more
36	  information.

38	Abstract

40	  The Lightweight Directory Access Protocol (LDAP) is an Internet
41	  protocol for accessing distributed directory services which act in
42	  accordance with X.500 data and service models.  This document
43	  describes the X.500 Directory Information Models, as used in LDAP.

45	Table of Contents

47	  Status of this Memo                                             1
48	  Abstract
49	  Table of Contents                                               2
50	  1.       Introduction                                           3
51	  1.1.     Relationship to Other LDAP Specifications
52	  1.2.     Conventions                                            4
53	  1.3.     Common ABNF Productions
54	  2.       Model of Directory User Information                    6
55	  2.1.     The Directory Information Tree
56	  2.2.     Naming of Entries                                      7
57	  2.3.     Structure of an Entry                                  8
58	  2.4.     Object Classes
59	  2.5.     Attribute Descriptions                                11
60	  2.6.     Alias Entries                                         15
61	  3.       Directory Administrative and Operational Information  16
62	  3.1.     Subtrees
63	  3.2.     Subentries                                            17
64	  3.3.     The 'objectClass' attribute
65	  3.4.     Operational attributes                                18
66	  4.       Directory Schema                                      20
67	  4.1.     Schema Definitions                                    21
68	  4.2.     Subschema Subentries                                  30
69	  4.3.     'extensibleObject'                                    34
70	  4.4.     Subschema Discovery
71	  5.       DSA (Server) Informational Model
72	  5.1.     Server-specific Data Requirements                    35
73	  6.       Other Considerations                                  38
74	  6.1.     Preservation of User Information
75	  6.2.     Short Names
76	  6.3.     Cache and Shadowing                                   39
77	  7.       Implementation Guidelines                             40
78	  7.1.     Server Guidelines
79	  7.2.     Client Guidelines
80	  8.       Security Considerations                               41
81	  9.       IANA Considerations
82	  10.      Acknowledgments                                       42
83	  11.      Author's Address
84	  12.      References
85	  12.1.    Normative References
86	  12.2.    Informative References                                43
87	  Appendix A.  Changes
88	  A.1      Changes to RFC 2251                                   44
89	  A.2      Changes to RFC 2252                                   46
90	  A.3      Changes to RFC 2256                                   47
91	  Copyright

93	1. Introduction

95	  This document discusses the X.500 Directory Information Models
96	  [X.501], as used by the Lightweight Directory Access Protocol (LDAP)
97	  [Roadmap].

99	  The Directory is "a collection of open systems cooperating to provide
100	  directory services" [X.500].  The information held in the Directory is
101	  collectively known as the Directory Information Base (DIB).  A
102	  Directory user, which may be a human or other entity, accesses the
103	  Directory through a client (or Directory User Agent (DUA)).  The
104	  client, on behalf of the directory user, interacts with one or more
105	  servers (or Directory System Agents (DSA)).  A server holds a fragment
106	  of the DIB.

108	  The DIB contains two classes of information:

110	      1) user information (e.g., information provided and administrated
111	         by users).  Section 2 describes the Model of User Information.

113	      2) administrative and operational information (e.g., information
114	         used to administer and/or operate the directory).  Section 3
115	         describes the model of Directory Administrative and Operational
116	         Information.

118	  These two models, referred to as the generic Directory Information
119	  Models, describe how information is represented in the Directory.
120	  These generic models provide a framework for other information models.
121	  Section 4 discusses the subschema information model and subschema
122	  discovery.  Section 5 discusses the DSA (Server) Informational Model.

124	  Other X.500 information models, such as access control, collective
125	  attribute, distribution knowledge, and replication knowledge
126	  information models, may be adapted for use in LDAP.  Specification of
127	  how these models are to be used in LDAP is left to future documents.

129	1.1. Relationship to Other LDAP Specifications

131	  This document is a integral part of the LDAP technical specification
132	  [Roadmap] which obsoletes the previously defined LDAP technical
133	  specification, RFC 3377, in its entirety.

135	  This document obsoletes RFC 2251 sections 3.2 and 3.4, as well as
136	  portions of sections 4 and 6.  Appendix A.1 summaries changes to these
137	  sections.  The remainder of RFC 2251 is obsoleted by the [Protocol],
138	  [AuthMeth], and [Roadmap] documents.

140	  This document obsoletes RFC 2252 sections 4, 5 and 7.  Appendix A.2
141	  summaries changes to these sections.  The remainder of RFC 2252 is
142	  obsoleted by [Syntaxes] and [Schema].

144	  This document obsoletes RFC 2256 sections 5.1, 5.2, 7.1 and 7.2.
145	  Appendix A.3 summarizes changes to these sections.  The remainder of
146	  RFC 2256 is obsoleted by [Schema] and [Syntaxes].

148	1.2. Conventions

150	  The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
151	  "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
152	  document are to be interpreted as described in BCP 14 [RFC2119].

154	  Schema definitions are provided using LDAP description formats (as
155	  defined in Section 4.1).  Definitions provided here are formatted
156	  (line wrapped) for readability.  Matching rules and LDAP syntaxes
157	  referenced in these definitions are specified in [Syntaxes].

159	1.3. Common ABNF Productions

161	  A number of syntaxes in this document are described using Augmented
162	  Backus-Naur Form (ABNF) [RFC2234].  These syntaxes (as well as a
163	  number of syntaxes defined in other documents) rely on the following
164	  common productions:

166	      keystring = leadkeychar *keychar
167	      leadkeychar = ALPHA
168	      keychar = ALPHA / DIGIT / HYPHEN

170	      number = DIGIT / ( LDIGIT 1*DIGIT )

172	      ALPHA  = %x41-5A / %x61-7A   ; "A"-"Z" / "a"-"z"
173	      DIGIT  = %x30 / LDIGIT       ; "0"-"9"
174	      LDIGIT = %x31-39             ; "1"-"9"

176	      HEX     = DIGIT / %x41-46 / %x61-66 ; 0-9 / A-F / a-f

178	      SP     = 1*SPACE  ; one or more " "
179	      WSP    = 0*SPACE  ; zero or more " "

181	      NULL   = %x00 ; null (0)
182	      SPACE  = %x20 ; space (" ")
183	      DQUOTE = %x22 ; quote (""")
184	      SHARP  = %x23 ; octothorpe (or sharp sign) ("#")
185	      DOLLAR = %x24 ; dollar sign ("$")
186	      SQUOTE = %x27 ; single quote ("'")
187	      LPAREN = %x28 ; left paren ("(")
188	      RPAREN = %x29 ; right paren (")")
189	      PLUS   = %x2B ; plus sign ("+")
190	      COMMA  = %x2C ; comma (",")
191	      HYPHEN = %x2D ; hyphen ("-")
192	      DOT    = %x2E ; period (".")
193	      SEMI   = %x3B ; semicolon (";")
194	      LANGLE = %x3C ; left angle bracket ("<")
195	      EQUALS = %x3D ; equals sign ("=")
196	      RANGLE = %x3E ; right angle bracket (">")
197	      X      = %x58 ; uppercase x ("X")
198	      ESC    = %x5C ; backslash ("\")
199	      USCORE = %x5F ; underscore ("_")
200	      LCURLY = %x7B ; left curly brace "{"
201	      RCURLY = %x7D ; right curly brace "}"

203	      ; Any UTF-8 character
204	      UTF8    = UTF1 / UTFMB
205	      UTFMB   = UTF2 / UTF3 / UTF4 / UTF5 / UTF6
206	      UTF0    = %x80-BF
207	      UTF1    = %x00-7F
208	      UTF2    = %xC0-DF 1(UTF0)
209	      UTF3    = %xE0-EF 2(UTF0)
210	      UTF4    = %xF0-F7 3(UTF0)
211	      UTF5    = %xF8-FB 4(UTF0)
212	      UTF6    = %xFC-FD 5(UTF0)

214	      ; Any octet
215	      OCTET   = %x00-FF

217	  Object identifiers are represented in LDAP using a dot-decimal format
218	  conforming to the ABNF:

220	      numericoid = number *( DOT number )

222	  Short names, also known as descriptors, are used as more readable
223	  aliases for object identifiers.  Short names are case insensitive and
224	  conform to the ABNF:

226	      descr = keystring

228	  Where either an object identifier or a short name may be specified,
229	  the following production is used:

231	      oid = descr / numericoid

233	  The <descr> form is preferred.  When a production <oid> is encoded (in
234	  a protocol field, attribute value, assertion value, or elsewhere), the
235	  <descr> encoding option SHOULD be used instead of the <numericoid>
236	  encoding option.

238	2. Model of Directory User Information

240	  As [X.501] states:

242	      The purpose of the Directory is to hold, and provide access to,
243	      information about objects of interest (objects) in some 'world'.
244	      An object can be anything which is identifiable (can be named).

246	      An object class is an identified family of objects, or conceivable
247	      objects, which share certain characteristics. Every object belongs
248	      to at least one class.  An object class may be a subclass of other
249	      object classes, in which case the members of the former class, the
250	      subclass, are also considered to be members of the latter classes,
251	      the superclasses.  There may be subclasses of subclasses, etc., to
252	      an arbitrary depth.

254	  A directory entry, a named collection of information, is the basic
255	  unit of information held in the Directory.  There are multiple kinds
256	  of directory entries.

258	  An object entry represents a particular object.  An alias entry
259	  provides alternative naming.  A subentry holds administrative and/or
260	  operational information.

262	  The set of entries representing the DIB are organized hierarchically
263	  in a tree structure known as the Directory Information Tree (DIT).

265	  Section 2.1 describes the Directory Information Tree
266	  Section 2.2 discusses naming of entries.
267	  Section 2.3 discusses the structure of entries.
268	  Section 2.4 discusses object classes.
269	  Section 2.5 discusses attribute descriptions.
270	  Section 2.6 discusses alias entries.

272	2.1. The Directory Information Tree

274	  As noted above, the DIB is composed of a set of entries organized
275	  hierarchically in a tree structure known as the Directory Information
276	  Tree (DIT).  Specifically, a tree where vertices are the entries.

278	  The arcs between vertices define relations between entries.  If an arc
279	  exists from X to Y, then the entry at X is the immediate superior of Y
280	  and Y is the immediate subordinate of X.  An entry's superiors are the
281	  entry's immediate superior and its superiors.  An entry's subordinates
282	  are all of its immediate subordinates and their subordinates.

284	  Similarly, the superior/subordinate relationship between object
285	  entries can be used to derive a relation between the objects they
286	  represent.  DIT structure rules can be used to govern relationships
287	  between objects.

289	  Note: An entry's immediate superior is also known as the entry's
290	        parent and an entry's immediate subordinate is also known as the
291	        entry's child.

293	2.2. Naming of Entries

295	2.2.1.  Relative Distinguished Names

297	  Each entry is named relative to its immediate superior.  This relative
298	  name, known as its Relative Distinguished Name (RDN) [X.501], is
299	  composed of an unordered set of one or more attribute value assertions
300	  (AVA) consisting of an attribute description with zero options and an
301	  attribute value.  These AVAs are chosen from the attributes of the
302	  entry.

304	  An entry's relative distinguished name must be unique among all
305	  immediate subordinates of the entry's immediate superior (i.e., all
306	  siblings).

308	  The following are example string representations of RDNs [LDAPDN]:

310	      UID=12345
311	      OU=Engineering
312	      CN=Kurt Zeilenga+L=Redwood Shores

314	  The last is an example of a multi-valued RDN.  That is, an RDN
315	  composed of multiple AVAs.

317	2.2.2. Distinguished Names

319	  An entry's fully qualified name, known as its Distinguished Name (DN)
320	  [X.501], is the concatenation of its RDN and its immediate superior's
321	  DN.  A Distinguished Name unambiguously refers to an entry in the
322	  tree.  The following are example string representations of DNs
323	  [LDAPDN]:

325	      UID=nobody@example.com,DC=example,DC=com
326	      CN=John Smith,OU=Sales,O=ACME Limited,L=Moab,ST=Utah,C=US

328	2.2.3. Alias Names

330	  An alias, or alias name, is "an name for an object, provided by the
331	  use of alias entries" [X.501].  Alias entries are described in Section
332	  2.6.

334	2.3. Structure of an Entry

336	  An entry consists of a set of attributes which hold information about
337	  the object which entry represents.  Some attributes represent user
338	  information and are called user attributes.  Other attributes
339	  represent operational and/or administrative information and are called
340	  operational attributes.

342	  An attribute is an attribute description (a type and zero or more
343	  options) with one or more associated values.  An attribute is often
344	  referred to by its attribute description.  For example, the
345	  'givenName' attribute is the attribute which consists of the attribute
346	  description 'givenName' (the 'givenName' attribute type [Schema] and
347	  zero options) and one or more associated values.

349	  The attribute type governs whether the attribute can have multiple
350	  values, the syntax and matching rules used to construct and compare
351	  values of that attribute, and other functions.  Options indicate
352	  subtypes and other functions.  No two values of an attribute may be
353	  equivalent.

355	  Two values are considered equivalent if they would match according to
356	  the equality matching rule of the attribute type.  If the attribute
357	  type is defined with no equality matching rule, two values are
358	  equivalent if and only if they are identical.

360	  For example, the 'givenName' attribute can have can have more than one
361	  value, they must be Directory Strings, and they are case insensitive.
362	  The 'givenName' attribute cannot hold both "John" and "JOHN" as these
363	  are equivalent values per the equality matching rule of the attribute
364	  type.

366	2.4. Object Classes

368	  An object class is "an identified family of objects (or conceivable
369	  objects) which share certain characteristics" [X.501].

371	  As defined in [X.501]:

373	      Object classes are used in the Directory for a number of purposes:

375	        - describing and categorising objects and the entries that
376	          correspond to these objects;

378	        - where appropriate, controlling the operation of the Directory;

380	        - regulating, in conjunction with DIT structure rule
381	          specifications, the position of entries in the DIT;

383	        - regulating, in conjunction with DIT content rule
384	          specifications, the attributes that are contained in entries;

386	        - identifying classes of entry that are to be associated with a
387	          particular policy by the appropriate administrative authority.

389	      An object class (a subclass) may be derived from an object class
390	      (its direct superclass) which is itself derived from an even more
391	      generic object class.  For structural object classes, this process
392	      stops at the most generic object class, 'top' (defined in Section
393	      2.4.1).  An ordered set of superclasses up to the most superior
394	      object class of an object class is its superclass chain.

396	      An object class may be derived from two or more direct
397	      superclasses (superclasses not part of the same superclass chain).
398	      This feature of subclassing is termed multiple inheritance.

400	  Each object class identifies the set of attributes required to be
401	  present in entries belonging to the class and the set of attributes
402	  allowed to be present in entries belonging to the class.  As an entry
403	  of a class must meet the requirements of each class it belongs to, it
404	  can be said that an object class inherits the sets of allowed and
405	  required attributes from its superclasses.  A subclass can identify an
406	  attribute allowed by a subclass as being required.  If an attribute is
407	  a member of both sets, it is required to be present.

409	  Each object class is defined to be one of three kinds of object
410	  classes: Abstract, Structural, and Auxiliary.

412	  Each object class is identified by an object identifier (OID) and,
413	  optionally, one or more short names (descriptors).

415	2.4.1. Abstract Object Classes

417	  An abstract object class, as the name implies, provides a base of
418	  characteristics from which other object classes can be defined to
419	  inherit from.  An entry cannot belong to an abstract object class
420	  unless it belongs to a structural or auxiliary class which inherits
421	  from that abstract class.

423	  Abstract object classes can not derive from structural nor auxiliary
424	  object classes.

426	  All structural object classes derive (directly or indirectly) from the
427	  'top' abstract object class.  Auxiliary object classes do not
428	  necessarily derive from 'top'.

430	      ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )

432	  All entries belong to the 'top' abstract object class.

434	2.4.2. Structural Object Classes

436	  As stated in [X.501]:

438	      An object class defined for use in the structural specification of
439	      the DIT is termed a structural object class.  Structural object
440	      classes are used in the definition of the structure of the names
441	      of the objects for compliant entries.

443	      An object or alias entry is characterised by precisely one
444	      structural object class superclass chain which has a single
445	      structural object class as the most subordinate object class.
446	      This structural object class is referred to as the structural
447	      object class of the entry.

449	      Structural object classes are related to associated entries:

451	        - an entry conforming to a structural object class shall
452	          represent the real-world object constrained by the object
453	          class;

455	        - DIT structure rules only refer to structural object classes;
456	          the structural object class of an entry is used to specify the
457	          position of the entry in the DIT;

459	        - the structural object class of an entry is used, along with an
460	          associated DIT content rule, to control the content of an
461	          entry.

463	        The structural object class of an entry shall not be changed.

465	  Each structural object class is a (direct or indirect) subclass of the
466	  'top' abstract object class.

468	  Structural object classes cannot subclass auxiliary object classes.

470	  Each entry is said to belong to its structural object class as well as
471	  all classes in its structural object class's superclass chain, which
472	  always includes 'top'.

474	2.4.3. Auxiliary Object Classes

476	  Auxiliary object classes are used augment the characteristics of
477	  entries.  They are commonly used to augment the sets of attributes
478	  required and allowed attributes to be present in an entry.  They can
479	  be used to describe entries or classes of entries.

481	  Auxiliary object classes cannot subclass structural object classes.

483	  Each entry can belong to any number of auxiliary object classes.  The
484	  set of auxiliary object classes which an entry belongs to can change
485	  over time.

487	2.5. Attribute Descriptions

489	  An attribute description is composed of an attribute type (see Section
490	  2.5.1) and a set of zero or more attribute options (see Section
491	  2.5.2).

493	  An attribute description is represented by the ABNF:

495	      attributedescription = attributetype options

497	      attributetype = oid

499	      options = *( SEMI option )

501	      option = 1*keychar

503	  where <attributetype> identifies the attribute type and each <option>
504	  identifies an attribute option.  Both <attributetype> and <option>
505	  productions are case insensitive.  The order in which <option>s appear
506	  is irrelevant.  That is, any two <attributedescription>s which consist
507	  of the same <attributetype> and same set of <option>s are equivalent.

509	  Examples of valid attribute descriptions:

511	      2.5.4.0
512	      cn;lang-de;lang-en
513	      owner

515	  An attribute description which consisting of an unrecognized attribute
516	  type is to be treated as unrecognized.  Servers SHALL treat an
517	  attribute description with an unrecognized attribute option as
518	  unrecognized.  Clients MAY treat an unrecognized attribute option as a
519	  tagging option (see Section 2.5.2.1).

521	  All attributes of an entry must have distinct attribute descriptions.

523	2.5.1. Attribute Types

525	  An attribute type governs whether the attribute can have multiple
526	  values, the syntax and matching rules used to construct and compare
527	  values of that attribute, and other functions.

529	  The attribute type indicates whether the attribute is a user attribute
530	  or an operational attribute.  If operational, the attribute type
531	  indicates the operational usage and whether the attribute can
532	  modifiable by users or not.  Operational attributes discussed in
533	  Section 3.4.

535	  An attribute type (a subtype) may derive from another attribute type
536	  (a direct supertype).   The subtype inherits the matching rules and
537	  syntax of its supertype.  An attribute type cannot be a subtype of an
538	  attribute of different usage.

540	  An attribute description consisting of a subtype and no options is
541	  said to the direct description subtype of the attribute description
542	  consisting of the subtype's direct supertype and no options.

544	  Each attribute type is identified by an object identifier (OID) and,
545	  optionally, one or more short names (descriptors).

547	2.5.2. Attribute Options

549	  There are multiple kinds of attribute description options.  The LDAP
550	  technical specification details one kind: tagging options.

552	  Not all options can be associated with attributes held in the
553	  directory.  Tagging options can be.

555	  Not all options can be use in conjunction with all attribute types.
556	  In such cases, the attribute description is to be treated as
557	  unrecognized.

559	  An attribute description that contains mutually exclusive options
560	  shall be treated as unrecognized.  That is, "cn;x-bar;x-foo", where
561	  "x-foo" and "x-bar" are mutually exclusive, is to be treated as
562	  unrecognized.

564	  Other kinds of options may be specified in future documents.  These
565	  documents must detail how new kinds of options they define relate to
566	  tagging options.  In particular, these documents must detail whether
567	  or not new kinds of options can be associated with attributes held in
568	  the directory, how new kinds of options affect transfer of attribute
569	  values, and how new kinds of options are treated in attribute
570	  description hierarchies.

572	  Options are represented as short case insensitive textual strings
573	  conforming to the <option> production defined in Section 2.5 of this
574	  document.

576	  Procedures for registering options are detailed in BCP 64 [RFC3383].

578	2.5.2.1. Tagging Options

580	  Attributes held in the directory can have attribute descriptions with
581	  any number of tagging options.  Tagging options are never mutually
582	  exclusive.

584	  An attribute description with N tagging options is considered a direct
585	  (description) subtype of all attribute descriptions of the same
586	  attribute type and all but one of the N options.  If the attribute
587	  type has a supertype, then the attribute description is also
588	  considered a direct (description) subtype of the attribute description
589	  of the supertype and the N tagging options.  That is,
590	  'cn;lang-de;lang-en' is considered a direct subtype of 'cn;lang-de',
591	  'cn;lang-en', and 'name;lang-de;lang-en' ('cn' is a subtype of 'name',
592	  both are defined in [Schema]).

594	2.5.3. Attribute Description Hierarchies

596	  An attribute description can be the direct subtype of zero or more
597	  other attribute descriptions as indicated by attribute type subtyping
598	  (as described in Section 2.5.1) or attribute tagging option subtyping
599	  (as described in Section 2.5.2.1).  These subtyping relationships are
600	  used to form hierarchies of attribute descriptions and attributes.

602	  As adapted from [X.501]:

604	      Attribute hierarchies allow access to the DIB with varying degrees
605	      of granularity.  This is achieved by allowing the value components
606	      of attributes to be accessed by using either their specific
607	      attribute description (a direct reference to the attribute) or by
608	      a more generic attribute description (an indirect reference).

610	      Semantically related attributes may be placed in a hierarchical
611	      relationship, the more specialized being placed subordinate to the
612	      more generalized.  Searching for, or retrieving attributes and
613	      their values is made easier by quoting the more generalized
614	      attribute description; a filter item so specified is evaluated for
615	      the more specialized descriptions as well as for the quoted
616	      description.

618	      Where subordinate specialized descriptions are selected to be
619	      returned as part of a search result these descriptions shall be
620	      returned if available.  Where the more general descriptions are
621	      selected to be returned as part of a search result both the
622	      general and the specialized descriptions shall be returned, if
623	      available.  An attribute value shall always be returned as a value
624	      of its own attribute description.

626	      All of the attribute descriptions in an attribute hierarchy are
627	      treated as distinct and unrelated descriptions for user
628	      modification of entry content.

630	      An attribute value stored in a object or alias entry is of
631	      precisely one attribute description.  The description is indicated
632	      when the value is originally added to the entry.

634	  For the purpose of subschema administration of the entry, a required
635	  attribute specification is fulfilled if the entry contains a value of
636	  an attribute description belonging to an attribute hierarchy if the
637	  attribute type of that description is the same as the required
638	  attribute's type.  That is, a "MUST name" specification is fulfilled
639	  by 'name' or 'name;x-tag-option', but is not fulfilled by 'CN' nor by
640	  'CN;x-tag-option'.  Likewise, an entry may contain a value of an
641	  attribute description belonging to an attribute hierarchy if the
642	  attribute type of that description is either explicitly included in
643	  the definition of an object class to which the entry belongs or
644	  allowed by the DIT content rule applicable to that entry.  That is,
645	  'name' and 'name;x-tag-option' are allowed by "MAY name" (or by "MUST
646	  name"), but 'CN' and 'CN;x-tag-option' are not allowed by "MAY name"
647	  (nor by "MUST name").

649	  For the purposes of other policy administration, unless stated
650	  otherwise in the specification of the particular administrative model,
651	  all of the attribute descriptions in an attribute hierarchy are
652	  treated as distinct and unrelated descriptions.

654	2.5.4. Attribute Values

656	  Attribute values conform to the defined syntax of the attribute.

658	  When an attribute is used for naming of the entry, one and only one
659	  value of the attribute is selected to appear in the Relative
660	  Distinguished Name.  This value is known as a distinguished value.

662	  Only attributes whose descriptions have no options can be used for
663	  naming.

665	2.6. Alias Entries

667	  As adapted from [X.501]:

669	      An alias, or an alias name, for an object is a an alternative name
670	      for an object or object entry which is provided by the use of
671	      alias entries.

673	      Each alias entry contains, within the 'aliasedObjectName'
674	      attribute (known as the 'aliasedEntryName' attribute in X.500]), a
675	      name of some object.  The distinguished name of the alias entry is
676	      thus also a name for this object.

678	          NOTE - The name within the 'aliasedObjectName' is said to be
679	                 pointed to by the alias.  It does not have to be the
680	                 distinguished name of any entry.

682	      The conversion of an alias name to an object name is termed
683	      (alias) dereferencing and comprises the systematic replacement of
684	      alias names, where found within a purported name, by the value of
685	      the corresponding 'aliasedObjectName' attribute.  The process may
686	      require the examination of more than one alias entry.

688	      Any particular entry in the DIT may have zero or more alias names.
689	      It therefore follows that several alias entries may point to the
690	      same entry.  An alias entry may point to an entry that is not a
691	      leaf entry and may point to another alias entry.

693	      An alias entry shall have no subordinates, so that an alias entry
694	      is always a leaf entry.

696	      Every alias entry shall belong to the 'alias' object class.

698	2.6.1. 'alias' object class

700	  Alias entries belong to the 'alias' object class.

702	     ( 2.5.6.1 NAME 'alias'
703	       SUP top STRUCTURAL
704	       MUST aliasedObjectName )

706	2.6.2. 'aliasedObjectName' attribute type

708	  The 'aliasedObjectName' attribute holds the name of the entry an alias
709	  points to.  The 'aliasedObjectName' attribute is known as the
710	  'aliasedEntryName' attribute in X.500.

712	      ( 2.5.4.1 NAME 'aliasedObjectName'
713	        EQUALITY distinguishedNameMatch
714	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
715	        SINGLE-VALUE )

717	  The 'distinguishedNameMatch' matching rule and the DistinguishedName
718	  (1.3.6.1.4.1.1466.115.121.1.12) syntax is defined in [Syntaxes].

720	3. Directory Administrative and Operational Information

722	  This section discusses select aspects of the X.500 Directory
723	  Administrative and Operational Information model [X.501].  LDAP
724	  implementations MAY support other aspects of this model.

726	3.1. Subtrees

728	  As defined in [X.501]:

730	      A subtree is a collection of object and alias entries situated at
731	      the vertices of a tree.  Subtrees do not contain subentries.  The
732	      prefix sub, in subtree, emphasizes that the base (or root) vertex
733	      of this tree is usually subordinate to the root of the DIT.

735	      A subtree begins at some vertex and extends to some identifiable
736	      lower boundary, possibly extending to leaves.  A subtree is always
737	      defined within a context which implicitly bounds the subtree.  For
738	      example, the vertex and lower boundaries of a subtree defining a
739	      replicated area are bounded by a naming context.  Similarly, the
740	      scope of a subtree defining a specific administrative area is
741	      limited to the context of an enclosing autonomous administrative
742	      area.

744	3.2. Subentries

746	  A subentry is a "special sort of entry, known by the Directory, used
747	  to hold information associated with a subtree or subtree refinement"
748	  [X.501].  Subentries are used in Directory to hold for administrative
749	  and operational purposes as defined in [X.501].  Their use in LDAP is
750	  not detailed in this technical specification, but may be detailed in
751	  future documents.

753	  The term "(sub)entry" in this specification indicates that servers
754	  implementing X.500(93) models are, in accordance with X.500(93), to
755	  use a subentry and that other servers are to use an object entry
756	  belonging to the appropriate auxiliary class normally used with the
757	  subentry (e.g., 'subschema' for subschema subentries) to mimic the
758	  subentry.  This object entry's RDN SHALL be formed from a value of the
759	  'cn' (commonName) attribute [Schema].

761	3.3. The 'objectClass' attribute

763	  Each entry in the DIT has an 'objectClass' attribute.

765	      ( 2.5.4.0 NAME 'objectClass'
766	        EQUALITY objectIdentifierMatch
767	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

769	  The 'objectIdentifierMatch' matching rule and OBJECT IDENTIFIER
770	  (1.3.6.1.4.1.1466.115.121.1.38) syntax is defined in [Syntaxes].

772	  The 'objectClass' attribute specifies the object classes of an entry,
773	  which (among other things) is used in conjunction with user and system
774	  schema to determine the permitted attributes of an entry.  Values of
775	  this attribute can be modified by clients, but the 'objectClass'
776	  attribute cannot be removed.

778	  Servers which follow X.500(93) models SHALL restrict modifications of
779	  this attribute to prevent the basic structural class of the entry from
780	  being changed.  That is, one cannot change a 'person' into a
781	  'country'.

783	  When creating an entry or adding an 'objectClass' value to an entry,
784	  all superclasses of the named classes SHALL be implicitly added as
785	  well if not already present.  That is, if the auxiliary class 'x-a' is
786	  a subclass of the class 'x-b', adding 'x-a' to 'objectClass' causes
787	  'x-b' to added (if is not already present).

789	  Servers SHALL restrict modifications of this attribute to to prevent a
790	  superclasses of remaining 'objectClass' values from being deleted.
791	  That is, if the auxiliary class 'x-a' is a subclass of the class 'x-b'
792	  and the 'objectClass' attribute contains 'x-a', an attempt to delete
793	  'x-b' from the 'objectClass' attribute is an error.

795	3.4. Operational attributes

797	  Some attributes, termed operational attributes, are used or maintained
798	  by servers for administrative and operational purposes.  As stated in
799	  [X.501]: "There are three varieties of operational attributes:
800	  Directory operational attributes, DSA-shared operational attributes,
801	  and DSA-specific operational attributes."

803	  A directory operational attribute is used to represent operational
804	  and/or administrative information in the Directory Information Model.
805	  This includes operational attributes maintained by the server (e.g.
806	  'subschemaSubentry') as well as operational attributes which hold
807	  values administrated by the user (e.g. 'matchingRuleUse').

809	  A DSA-shared operational attribute is used to represent information of
810	  the DSA Information Model.  Its values, if shared between DSAs
811	  (servers) are identical (except during periods of transient
812	  inconsistency).

814	  A DSA-specific operational attribute is used to represent information
815	  of the DSA Information Model.  Its values, if shared between DSAs
816	  (servers), need not be identical.

818	  The DSA Information Model operational attributes are detailed in
819	  [X.501].

821	  Operational attributes are not normally visible.  They are not
822	  returned in search results unless explicitly requested by name.

824	  Not all operational attributes are user modifiable.

826	  Entries may contain, among others, the following operational
827	  attributes.

829	    - creatorsName: the Distinguished Name of the user who added this
830	      entry to the directory.

832	    - createTimestamp: the time this entry was added to the directory.

834	    - modifiersName: the Distinguished Name of the user who last
835	      modified this entry.

837	    - modifyTimestamp: the time this entry was last modified.

839	  Servers SHOULD maintain the 'creatorsName', 'createTimestamp',
840	  'modifiersName', and 'modifyTimestamp' for all entries of the DIT.

842	3.4.1. 'creatorsName'

844	  This attribute appears in entries which were added using the protocol
845	  (e.g., using the Add operation).  The value is the distinguished name
846	  of the creator.

848	      ( 2.5.18.3 NAME 'creatorsName'
849	        EQUALITY distinguishedNameMatch
850	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
851	        SINGLE-VALUE NO-USER-MODIFICATION
852	        USAGE directoryOperation )

854	  The 'distinguishedNameMatch' matching rule and the DistinguishedName
855	  (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [Syntaxes].

857	3.4.2. 'createTimestamp'

859	  This attribute appears in entries which were added using the protocol
860	  (e.g., using the Add operation).  The value is the time the entry was
861	  added.

863	      ( 2.5.18.1 NAME 'createTimestamp'
864	        EQUALITY generalizedTimeMatch
865	        ORDERING generalizedTimeOrderingMatch
866	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
867	        SINGLE-VALUE NO-USER-MODIFICATION
868	        USAGE directoryOperation )

870	  The 'generalizedTimeMatch' and 'generalizedTimeOrderingMatch' matching
871	  rules and the GeneralizedTime (1.3.6.1.4.1.1466.115.121.1.24) syntax
872	  are defined in [Syntaxes].

874	3.4.3. 'modifiersName'

876	  This attribute appears in entries which have been modified using the
877	  protocol (e.g., using Modify operation).  The value is the
878	  distinguished name of the last modifier.

880	      ( 2.5.18.4 NAME 'modifiersName'
881	        EQUALITY distinguishedNameMatch
882	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
883	        SINGLE-VALUE NO-USER-MODIFICATION
884	        USAGE directoryOperation )

886	  The 'distinguishedNameMatch' matching rule and the DistinguishedName
887	  (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [Syntaxes].

889	3.4.4. 'modifyTimestamp'

891	  This attribute appears in entries which have been modified using the
892	  protocol (e.g., using the Modify operation).  The value is the time
893	  the entry was last modified.

895	      ( 2.5.18.2 NAME 'modifyTimestamp'
896	        EQUALITY generalizedTimeMatch
897	        ORDERING generalizedTimeOrderingMatch
898	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
899	        SINGLE-VALUE NO-USER-MODIFICATION
900	        USAGE directoryOperation )

902	  The 'generalizedTimeMatch' and 'generalizedTimeOrderingMatch' matching
903	  rules and the GeneralizedTime (1.3.6.1.4.1.1466.115.121.1.24) syntax
904	  are defined in [Syntaxes].

906	4. Directory Schema

908	  As defined in [X.501]:

910	      The Directory Schema is a set of definitions and constraints
911	      concerning the structure of the DIT, the possible ways entries are
912	      named, the information that can be held in an entry, the
913	      attributes used to represent that information and their
914	      organization into hierarchies to facilitate search and retrieval
915	      of the information and the ways in which values of attributes may
916	      be matched in attribute value and matching rule assertions.

918	      NOTE 1 - The schema enables the Directory system to, for example:

920	      - prevent the creation of subordinate entries of the wrong
921	        object-class (e.g. a country as a subordinate of a person);

923	      - prevent the addition of attribute-types to an entry
924	        inappropriate to the object-class (e.g. a serial number to a
925	        person's entry);

927	      - prevent the addition of an attribute value of a syntax not
928	        matching that defined for the attribute-type (e.g. a printable
929	        string to a bit string).

931	        Formally, the Directory Schema comprises a set of:

933	      a) Name Form definitions that define primitive naming relations
934	         for structural object classes;

936	      b) DIT Structure Rule definitions that define the names that
937	         entries may have and the ways in which the entries may be
938	         related to one another in the DIT;

940	      c) DIT Content Rule definitions that extend the specification of
941	         allowable attributes for entries beyond those indicated by the
942	         structural object classes of the entries;

944	      d) Object Class definitions that define the basic set of mandatory
945	         and optional attributes that shall be present, and may be
946	         present, respectively, in an entry of a given class, and which
947	         indicate the kind of object class that is being defined;

949	      e) Attribute Type definitions that identify the object identifier
950	         by which an attribute is known, its syntax, associated matching
951	         rules, whether it is an operational attribute and if so its
952	         type, whether it is a collective attribute, whether it is
953	         permitted to have multiple values and whether or not it is
954	         derived from another attribute type;

956	      f) Matching Rule definitions that define matching rules.

958	  And in LDAP:

960	      g) LDAP Syntaxes definitions that define encodings used in LDAP.

962	4.1. Schema Definitions

964	  Schema definitions in this section are described using ABNF and rely
965	  on the common productions specified in Section 1.2 as well as these:

967	      noidlen = numericoid [ LCURLY len RCURLY ]

969	      len = number

971	      oids = oid / ( LPAREN WSP oidlist WSP RPAREN )

973	      oidlist = oid *( WSP DOLLAR WSP oid )
974	      extensions = *( SP xstring SP qdstrings )

976	      xstring = X HYPHEN 1*( ALPHA / HYPHEN / USCORE )

978	      qdescrs = qdescr / ( LPAREN WSP qdescrlist WSP RPAREN )

980	      qdescrlist = [ qdescr *( SP qdescr ) ]

982	      qdescr = SQUOTE descr SQUOTE

984	      qdstrings = qdstring / ( LPAREN WSP qdstringlist WSP RPAREN )

986	      qdstringlist = [ qdstring *( SP qdstring ) ]

988	      qdstring = SQUOTE dstring SQUOTE

990	      dstring = 1*( QS / QQ / QUTF8 )   ; escaped UTF8 string

992	      QQ =  ESC %x32 %x37 ; "\27"

994	      QS =  ESC %x35 ( %x43 / %x63 ) ; "\5C" / "\5c"

996	      ; Any UTF-8 encoded UCS character
997	      ; except %x27 ("'") and %x5C ("\")
998	      QUTF8    = QUTF1 / UTFMB

1000	      ; Any ASCII character except %x27 ("'") and %x5C ("\")
1001	      QUTF1    = %x00-26 / %x28-5B / %x5D-7F

1003	  Schema definitions in this section also share a number of common
1004	  terms.

1006	  The NAME field provides a set of short names (descriptors) which are
1007	  be used as aliases for the OID.

1009	  The DESC field optionally allows a descriptive string to be provided
1010	  by the directory administrator and/or implementor.  While
1011	  specifications may suggest a descriptive string, there is no
1012	  requirement that the suggested (or any) descriptive string be used.

1014	  The OBSOLETE field, if present, indicates the element is not active.

1016	  Implementors should note that future versions of this document may
1017	  expand these definitions to include additional terms.  Terms whose
1018	  identifier begins with "X-" are reserved for private experiments, and
1019	  MUST be followed by <SP> and <qdstrings> tokens.

1021	4.1.1. Object Class Definitions

1023	  Object Class definitions are written according to the ABNF:

1025	    ObjectClassDescription = LPAREN WSP
1026	        numericoid                 ; object identifier
1027	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1028	        [ SP "DESC" SP qdstring ]  ; description
1029	        [ SP "OBSOLETE" ]          ; not active
1030	        [ SP "SUP" SP oids ]       ; superior object classes
1031	        [ SP kind ]                ; kind of class
1032	        [ SP "MUST" SP oids ]      ; attribute types
1033	        [ SP "MAY" SP oids ]       ; attribute types
1034	        extensions WSP RPAREN

1036	    kind = "ABSTRACT" / "STRUCTURAL" / "AUXILIARY"

1038	  where:
1039	    <numericoid> is object identifier assigned to this object class;
1040	    NAME <qdescrs> are short names (descriptors) identifying this object
1041	        class;
1042	    DESC <qdstring> is a short descriptive string;
1043	    OBSOLETE indicates this object class is not active;
1044	    SUP <oids> specifies the direct superclasses of this object class;
1045	    the kind of object class is indicated by one of ABSTRACT,
1046	        STRUCTURAL, or AUXILIARY, default is STRUCTURAL;
1047	    MUST and MAY specify the sets of required and allowed attribute
1048	        types, respectively; and
1049	    <extensions> describe extensions.

1051	4.1.2. Attribute Types

1053	  Attribute Type definitions are written according to the ABNF:

1055	    AttributeTypeDescription = LPAREN WSP
1056	        numericoid                    ; object identifier
1057	        [ SP "NAME" SP qdescrs ]      ; short names (descriptors)
1058	        [ SP "DESC" SP qdstring ]     ; description
1059	        [ SP "OBSOLETE" ]             ; not active
1060	        [ SP "SUP" SP oid ]           ; subtype
1061	        [ SP "EQUALITY" SP oid ]      ; equality matching rule
1062	        [ SP "ORDERING" SP oid ]      ; ordering matching rule
1063	        [ SP "SUBSTR" SP oid ]        ; substrings matching rule
1064	        [ SP "SYNTAX" SP noidlen ]    ; value syntax
1065	        [ SP "SINGLE-VALUE" ]         ; single-value
1066	        [ SP "COLLECTIVE" ]           ; collective
1067	        [ SP "NO-USER-MODIFICATION" ] ; not user modifiable

1069	        [ SP "USAGE" SP usage ]       ; usage
1070	        extensions WSP RPAREN         ; extensions

1072	    usage = "userApplications"     /  ; user
1073	            "directoryOperation"   /  ; directory operational
1074	            "distributedOperation" /  ; DSA-shared operational
1075	            "dSAOperation"            ; DSA-specific operational

1077	  where:
1078	    <numericoid> is object identifier assigned to this attribute type;
1079	    NAME <qdescrs> are short names (descriptors) identifying this
1080	        attribute type;
1081	    DESC <qdstring> is a short descriptive string;
1082	    OBSOLETE indicates this attribute type is not active;
1083	    SUP oid specifies the direct supertype of this type;
1084	    EQUALITY, ORDERING, SUBSTRING provide the oid of the equality,
1085	        ordering, and substrings matching rules, respectively;
1086	    SYNTAX identifies value syntax by object identifier and may suggest
1087	        a minimum upper bound;
1088	    COLLECTIVE indicates this attribute type is collective [X.501];
1089	    NO-USER-MODIFICATION indicates this attribute type is not user
1090	        modifiable;
1091	    USAGE indicates the application of this attribute type; and
1092	    <extensions> describe extensions.

1094	  Each attribute type description must contain at least one of the SUP
1095	  or SYNTAX fields.

1097	  Usage of userApplications, the default, indicates that attributes of
1098	  this type represent user information.  That is, they are user
1099	  attributes.

1101	  COLLECTIVE requires usage userApplications.  Use of collective
1102	  attribute types in LDAP is not discussed in this technical
1103	  specification.

1105	  A usage of directoryOperation, distributedOperation, or dSAOperation
1106	  indicates that attributes of this type represent operational and/or
1107	  administrative information.  That is, they are operational attributes.

1109	  directoryOperation usage indicates that the attribute of this type is
1110	  a directory operational attribute.  distributedOperation usage
1111	  indicates that the attribute of this DSA-shared usage operational
1112	  attribute.  dSAOperation usage indicates that the attribute of this
1113	  type is a DSA-specific operational attribute.

1115	  NO-USER-MODIFICATION requires an operational usage.

1117	  Note that the <AttributeTypeDescription> does not list the matching
1118	  rules which can can be used with that attribute type in an
1119	  extensibleMatch search filter.  This is done using the
1120	  'matchingRuleUse' attribute described in Section 4.1.4.

1122	  This document refines the schema description of X.501 by requiring
1123	  that the SYNTAX field in an <AttributeTypeDescription> be a string
1124	  representation of an object identifier for the LDAP string syntax
1125	  definition with an optional indication of the suggested minimum bound
1126	  of a value of this attribute.

1128	  A suggested minimum upper bound on the number of characters in a value
1129	  with a string-based syntax, or the number of bytes in a value for all
1130	  other syntaxes, may be indicated by appending this bound count inside
1131	  of curly braces following the syntax's OBJECT IDENTIFIER in an
1132	  Attribute Type Description.  This bound is not part of the syntax name
1133	  itself.  For instance, "1.3.6.4.1.1466.0{64}" suggests that server
1134	  implementations should allow a string to be 64 characters long,
1135	  although they may allow longer strings.  Note that a single character
1136	  of the Directory String syntax may be encoded in more than one octet
1137	  since UTF-8 is a variable-length encoding.

1139	4.1.3. Matching Rules

1141	  Matching rules are used by servers to compare attribute values against
1142	  assertion values when performing Search and Compare operations.  They
1143	  are also used to identify the value to be added or deleted when
1144	  modifying entries, and are used when comparing a purported
1145	  distinguished name with the name of an entry.

1147	  A matching rule specifies the syntax of the assertion value.

1149	  Each matching rule is identified by an object identifier (OID) and,
1150	  optionally, one or more short names (descriptors).

1152	  Matching rule definitions are written according to the ABNF:

1154	    MatchingRuleDescription = LPAREN WSP
1155	        numericoid                 ; object identifier
1156	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1157	        [ SP "DESC" SP qdstring ]  ; description
1158	        [ SP "OBSOLETE" ]          ; not active
1159	        SP "SYNTAX" SP numericoid  ; assertion syntax
1160	        extensions WSP RPAREN      ; extensions

1162	  where:
1163	    <numericoid> is object identifier assigned to this matching rule;
1164	    NAME <qdescrs> are short names (descriptors) identifying this
1165	        matching rule;
1166	    DESC <qdstring> is a short descriptive string;
1167	    OBSOLETE indicates this matching rule is not active;
1168	    SYNTAX identifies the assertion syntax by object identifier; and
1169	    <extensions> describe extensions.

1171	4.1.4. Matching Rule Uses

1173	  A matching rule use lists the attributes which are suitable for use
1174	  with an extensible matching rule.

1176	  Matching rule use descriptions are written according to the following
1177	  ABNF:

1179	    MatchingRuleUseDescription = LPAREN WSP
1180	        numericoid                 ; object identifier
1181	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1182	        [ SP "DESC" SP qdstring ]  ; description
1183	        [ SP "OBSOLETE" ]          ; not active
1184	        SP "APPLIES" SP oids       ; attribute types
1185	        extensions WSP RPAREN      ; extensions

1187	  where:
1188	    <numericoid> is the object identifier of the matching rule
1189	        associated with this matching rule use description;
1190	    NAME <qdescrs> are short names (descriptors) identifying this
1191	        matching rule use;
1192	    DESC <qdstring> is a short descriptive string;
1193	    OBSOLETE indicates this matching rule use is not active;
1194	    APPLIES provides a list of attribute types the matching rule applies
1195	        to; and
1196	    <extensions> describe extensions.

1198	4.1.5. LDAP Syntaxes

1200	  LDAP Syntaxes of (attribute and assertion) values are described in
1201	  terms of ASN.1 [X.680] and, optionally, have an octet string encoding
1202	  known as the LDAP-specific encoding.  Commonly, the LDAP-specific
1203	  encoding is constrained to string of Universal Character Set (UCS)
1204	  [ISO10646] characters in UTF-8 [RFC2279] form.

1206	  Each LDAP syntax is identified by an object identifier (OID).

1208	  LDAP syntax definitions are written according to the ABNF:

1210	    SyntaxDescription = LPAREN WSP
1211	        numericoid                 ; object identifier
1212	        [ SP "DESC" SP qdstring ]  ; description
1213	        extensions WSP RPAREN      ; extensions

1215	  where:
1216	    <numericoid> is object identifier assigned to this LDAP syntax;
1217	    DESC <qdstring> is a short descriptive string; and
1218	    <extensions> describe extensions.

1220	4.1.6. DIT Content Rules

1222	  A DIT content rule is a "rule governing the content of entries of a
1223	  particular structural object class" [X.501].

1225	  For DIT entries of a particular structural object class, a DIT content
1226	  rule specifies which auxiliary object classes the entries are allowed
1227	  to belong to and which additional attributes (by type) are required,
1228	  allowed or not allowed to appear in the entries.

1230	  The list of precluded attributes cannot include any attribute listed
1231	  as mandatory in rule, the structural object class, or any of the
1232	  allowed auxiliary object classes.

1234	  Each content rule is identified by the object identifier, as well as
1235	  any short names (descriptors), of the structural object class it
1236	  applies to.

1238	  An entry may only belong to auxiliary object classes listed in the
1239	  governing content rule.

1241	  An entry must contain all attributes required by the object classes
1242	  the entry belongs to as well as all attributed required by the
1243	  governing content rule.

1245	  An entry may contain any non-precluded attributes allowed by the
1246	  object classes the entry belongs to as well as all attributes allowed
1247	  by the governing content rule.

1249	  An entry cannot include any attribute precluded by the governing
1250	  content rule.

1252	  An entry is governed by (if present and active in the subschema) the
1253	  DIT content rule which applies to the structural object class of the
1254	  entry (see Section 2.4.2).  If no active rule is present for the
1255	  entry's structural object class, the entry's content is governed by
1256	  the structural object class (and possibly other aspects of user and
1257	  system schema).

1259	  DIT content rule descriptions are written according to the ABNF:

1261	    DITContentRuleDescription = LPAREN WSP
1262	        numericoid                 ; object identifier
1263	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1264	        [ SP "DESC" SP qdstring ]  ; description
1265	        [ SP "OBSOLETE" ]          ; not active
1266	        [ SP "AUX" SP oids ]       ; auxiliary object classes
1267	        [ SP "MUST" SP oids ]      ; attribute types
1268	        [ SP "MAY" SP oids ]       ; attribute types
1269	        [ SP "NOT" SP oids ]       ; attribute types
1270	        extensions WSP RPAREN      ; extensions

1272	  where:
1273	    <numericoid> is the object identifier of the structural object class
1274	        associated with this DIT content rule;
1275	    NAME <qdescrs> are short names (descriptors) identifying this DIT
1276	        content rule;
1277	    DESC <qdstring> is a short descriptive string;
1278	    OBSOLETE indicates this DIT content rule use is not active;
1279	    AUX specifies a list of auxiliary object classes which entries
1280	        subject to this DIT content rule may belong to;
1281	    MUST, MAY, and NOT specify lists of attribute types which are
1282	        required, allowed, or precluded, respectively, from appearing in
1283	        entries subject to this DIT content rule; and
1284	    <extensions> describe extensions.

1286	4.1.7. DIT Structure Rules and Name Forms

1288	  It is sometimes desirable to regulate where object entries can be
1289	  placed in the DIT and how they can be named based upon their
1290	  structural object class.

1292	4.1.7.1. DIT Structure Rules

1294	  A DIT structure rule is a "rule governing the structure of the DIT by
1295	  specifying a permitted superior to subordinate entry relationship.  A
1296	  structure rule relates a name form, and therefore a structural object
1297	  class, to superior structure rules.  This permits entries of the
1298	  structural object class identified by the name form to exist in the
1299	  DIT as subordinates to entries governed by the indicated superior
1300	  structure rules" [X.501].

1302	  DIT structure rule descriptions are written according to the ABNF:

1304	    DITStructureRuleDescription = LPAREN WSP
1305	        ruleid                     ; rule identifier
1306	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1307	        [ SP "DESC" SP qdstring ]  ; description
1308	        [ SP "OBSOLETE" ]          ; not active
1309	        SP "FORM" SP oid           ; NameForm
1310	        [ SP "SUP" ruleids ]       ; superior rules
1311	        extensions WSP RPAREN      ; extensions

1313	    ruleids = ruleid / ( LPAREN WSP ruleidlist WSP RPAREN )

1315	    ruleidlist = ruleid *( SP ruleid )

1317	    ruleid = number

1319	  where:
1320	    <ruleid> is the rule identifier of this DIT structure rule;
1321	    NAME <qdescrs> are short names (descriptors) identifying this DIT
1322	        structure rule;
1323	    DESC <qdstring> is a short descriptive string;
1324	    OBSOLETE indicates this DIT structure rule use is not active;
1325	    FORM is specifies the name form associated with this DIT structure
1326	        rule;
1327	    SUP identifies superior rules (by rule id); and
1328	    <extensions> describe extensions.

1330	  If no superior rules are identified, the DIT structure rule applies
1331	  to an autonomous administrative point (e.g. the root vertex of the
1332	  subtree controlled by the subschema) [X.501].

1334	4.1.7.2. Name Forms

1336	  A name form "specifies a permissible RDN for entries of a particular
1337	  structural object class.  A name form identifies a named object
1338	  class and one or more attribute types to be used for naming (i.e.
1339	  for the RDN).  Name forms are primitive pieces of specification
1340	  used in the definition of DIT structure rules" [X.501].

1342	  Each name form indicates the structural object class to be named,
1343	  a set of required attribute types, and a set of allowed attributes
1344	  types.  A particular attribute type cannot be listed in both sets.

1346	  Entries governed by the form must be named using a value from each
1347	  required attribute type and zero or more values from the allowed
1348	  attribute types.

1350	  Each name form is identified by an object identifier (OID) and,
1351	  optionally, one or more short names (descriptors).

1353	  Name form descriptions are written according to the ABNF:

1355	    NameFormDescription = LPAREN WSP
1356	        numericoid                 ; object identifier
1357	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1358	        [ SP "DESC" SP qdstring ]  ; description
1359	        [ SP "OBSOLETE" ]          ; not active
1360	        SP "OC" SP oid             ; structural object class
1361	        SP "MUST" SP oids          ; attribute types
1362	        [ SP "MAY" SP oids ]       ; attribute types
1363	        extensions WSP RPAREN      ; extensions

1365	  where:
1366	    <numericoid> is object identifier which identifies this name form;
1367	    NAME <qdescrs> are short names (descriptors) identifying this name
1368	        form;
1369	    DESC <qdstring> is a short descriptive string;
1370	    OBSOLETE indicates this name form is not active;
1371	    OC identifies the structural object class this rule applies to,
1372	    MUST and MAY specify the sets of required and allowed, respectively,
1373	        naming attributes for this name form; and
1374	    <extensions> describe extensions.

1376	  All attribute types in the required ("MUST") and allowed ("MAY") lists
1377	  shall be different.

1379	4.2. Subschema Subentries

1381	  Subschema (sub)entries are used for administering information about
1382	  the directory schema.  A single subschema (sub)entry contains all
1383	  schema definitions (see Section 4.1) used by entries in a particular
1384	  part of the directory tree.

1386	  Servers which follow X.500(93) models SHOULD implement subschema using
1387	  the X.500 subschema mechanisms (as detailed in Section 12 of [X.501]),
1388	  and so these are not ordinary object entries but subentries (see
1389	  Section 3.2).  LDAP clients SHOULD NOT assume that servers implement
1390	  any of the other aspects of X.500 subschema.

1392	  Servers MAY allow subschema modification.  Procedures for subschema
1393	  modification are discussed in Section 14.5 of [X.501].

1395	  A server which masters entries and permits clients to modify these
1396	  entries MUST implement and provide access to these subschema
1397	  (sub)entries including providing a 'subschemaSubentry' attribute in
1398	  each modifiable entry.  This so clients may discover the attributes
1399	  and object classes which are permitted to be present.  It is strongly
1400	  RECOMMENDED that all other servers implement this as well.

1402	  The value of the 'subschemaSubentry' attribute is the name of the
1403	  subschema (sub)entry holding the subschema controlling the entry.

1405	      ( 2.5.18.10 NAME 'subschemaSubentry'
1406	        EQUALITY distinguishedNameMatch
1407	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
1408	        NO-USER-MODIFICATION SINGLE-VALUE
1409	        USAGE directoryOperation )

1411	  The 'distinguishedNameMatch' matching rule and the DistinguishedName
1412	  (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [Syntaxes].

1414	  Subschema is held in (sub)entries belonging to the subschema auxiliary
1415	  object class.

1417	      ( 2.5.20.1 NAME 'subschema' AUXILIARY
1418	        MAY ( dITStructureRules $ nameForms $ ditContentRules $
1419	          objectClasses $ attributeTypes $ matchingRules $
1420	          matchingRuleUse ) )

1422	  The 'ldapSyntaxes' operational attribute may also be present in
1423	  subschema entries.

1425	  Servers MAY provide additional attributes (described in other
1426	  documents) in subschema (sub)entries.

1428	  Servers SHOULD provide the attributes 'createTimestamp' and
1429	  'modifyTimestamp' in subschema (sub)entries, in order to allow clients
1430	  to maintain their caches of schema information.

1432	  The following subsections provide attribute type definitions for each
1433	  of schema definition attribute types.

1435	4.2.1. 'objectClasses'

1437	  This attribute holds definitions of object classes supported in the
1438	  subschema.

1440	      ( 2.5.21.6 NAME 'objectClasses'
1441	        EQUALITY objectIdentifierFirstComponentMatch
1442	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.37
1443	        USAGE directoryOperation )

1445	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1446	  ObjectClassDescription (1.3.6.1.4.1.1466.115.121.1.37) syntax are
1447	  defined in [Syntaxes].

1449	4.2.2. 'attributeTypes'

1451	  This attribute holds definitions of attribute types supported in the
1452	  subschema.

1454	      ( 2.5.21.5 NAME 'attributeTypes'
1455	        EQUALITY objectIdentifierFirstComponentMatch
1456	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.3
1457	        USAGE directoryOperation )

1459	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1460	  AttributeTypeDescription (1.3.6.1.4.1.1466.115.121.1.3) syntax are
1461	  defined in [Syntaxes].

1463	4.2.3. 'matchingRules'

1465	  This attribute holds definitions of matching rules supported in the
1466	  subschema.

1468	      ( 2.5.21.4 NAME 'matchingRules'
1469	        EQUALITY objectIdentifierFirstComponentMatch
1470	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.30
1471	        USAGE directoryOperation )

1473	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1474	  MatchingRuleDescription (1.3.6.1.4.1.1466.115.121.1.30) syntax are
1475	  defined in [Syntaxes].

1477	4.2.4 'matchingRuleUse'

1479	  This attribute holds definitions of matching rule uses supported in
1480	  the subschema.

1482	      ( 2.5.21.8 NAME 'matchingRuleUse'
1483	        EQUALITY objectIdentifierFirstComponentMatch
1484	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.31
1485	        USAGE directoryOperation )

1487	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1488	  MatchingRuleUseDescription (1.3.6.1.4.1.1466.115.121.1.31) syntax are
1489	  defined in [Syntaxes].

1491	4.2.5. 'ldapSyntaxes'

1493	  This attribute holds definitions of LDAP syntaxes supported in the
1494	  subschema.

1496	      ( 1.3.6.1.4.1.1466.101.120.16 NAME 'ldapSyntaxes'
1497	        EQUALITY objectIdentifierFirstComponentMatch
1498	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.54
1499	        USAGE directoryOperation )

1501	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1502	  SyntaxDescription (1.3.6.1.4.1.1466.115.121.1.54) syntax are defined
1503	  in [Syntaxes].

1505	4.2.6. 'dITContentRules'

1507	  This attribute lists DIT Content Rules which are in force.

1509	      ( 2.5.21.2 NAME 'dITContentRules'
1510	        EQUALITY objectIdentifierFirstComponentMatch
1511	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.16
1512	        USAGE directoryOperation )

1514	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1515	  DITContentRuleDescription (1.3.6.1.4.1.1466.115.121.1.16) syntax are
1516	  defined in [Syntaxes].

1518	4.2.7. 'dITStructureRules'

1520	  This attribute lists DIT Structure Rules which are in force.

1522	      ( 2.5.21.1 NAME 'dITStructureRules'
1523	        EQUALITY integerFirstComponentMatch
1524	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.17
1525	        USAGE directoryOperation )

1527	  The 'integerFirstComponentMatch' matching rule and the
1528	  DITStructureRuleDescription (1.3.6.1.4.1.1466.115.121.1.17) syntax are
1529	  defined in [Syntaxes].

1531	4.2.8 'nameForms'

1533	  This attribute lists Name Forms which are in force.

1535	      ( 2.5.21.7 NAME 'nameForms'
1536	        EQUALITY objectIdentifierFirstComponentMatch
1537	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.35
1538	        USAGE directoryOperation )

1540	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1541	  NameFormDescription (1.3.6.1.4.1.1466.115.121.1.35) syntax are defined
1542	  in [Syntaxes].

1544	4.3. 'extensibleObject' object class

1546	  The 'extensibleObject auxiliary object class allows entries belong to
1547	  it to hold any attribute type.  The set of allowed attributes of this
1548	  class is implicitly the set of all user attributes.

1550	      ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject'
1551	        SUP top AUXILIARY )

1553	  The mandatory attributes of the other object classes of this entry are
1554	  still required to be present and any precluded attributes are still
1555	  not allowed to be present.

1557	  Note that not all servers will implement this object class, and those
1558	  which do not will reject requests to add entries which contain this
1559	  object class, or modify an entry to add this object class.

1561	4.4. Subschema Discovery

1563	  To discover the DN of the subschema (sub)entry holding the subschema
1564	  controlling a particular entry, a client reads that entry's
1565	  'subschemaSubentry' operational attribute.  To read schema attributes
1566	  from the subschema (sub)entry, clients MUST issue a base object search
1567	  where the filter is "(objectClass=subschema)" [Filters] and the list
1568	  of attributes includes the names of the desired schema attributes (as
1569	  they are operational).  This filter allows LDAP servers which gateway
1570	  to X.500 to detect that subentry information is being requested.

1572	5. DSA (Server) Informational Model

1574	  The LDAP protocol assumes there are one or more servers which jointly
1575	  provide access to a Directory Information Tree (DIT).

1577	  As defined in [X.501]:

1579	      context prefix: The sequence of RDNs leading from the Root of the
1580	          DIT to the initial vertex of a naming context; corresponds to
1581	          the distinguished name of that vertex.

1583	      DIB fragment: The portion of the DIB that is held by one master
1584	          DSA, comprising one or more naming contexts.

1586	      naming context: A subtree of entries held in a single master DSA.

1588	  That is, a naming context is the largest collection of entries,
1589	  starting at an entry that is mastered by a particular server, and
1590	  including all its subordinates and their subordinates, down to the
1591	  entries which are mastered by different servers.  The context prefix
1592	  is the name of the initial entry.

1594	  The root of the DIT is a DSA-specific Entry (DSE) and not part of any
1595	  naming context (or any subtree); each server has different attribute
1596	  values in the root DSE.

1598	5.1. Server-specific Data Requirements

1600	  An LDAP server MUST provide information about itself and other
1601	  information that is specific to each server.  This is represented as a
1602	  group of attributes located in the root DSE (DSA-Specific Entry),
1603	  which is named with the zero-length LDAPDN.  These attributes are
1604	  retrievable, subject to access control and other restrictions, if a
1605	  client performs a base object search of the root with the filter
1606	  "(objectClass=*)" [Filters] requesting the desired attributes.  It is
1607	  noted that root DSE attributes are operational, and like other
1608	  operational attributes, are not returned in search requests unless
1609	  requested by name.

1611	  The root DSE SHALL NOT be included if the client performs a subtree
1612	  search starting from the root.

1614	  Servers may allow clients to modify attributes of the root DSE where
1615	  appropriate.

1617	  The following attributes of the root DSE are defined in [Syntaxes].
1618	  Additional attributes may be defined in other documents.

1620	    - altServer: alternative servers;

1622	    - namingContexts: naming contexts;

1624	    - supportedControl: recognized LDAP controls;

1626	    - supportedExtension: recognized LDAP extended operations;
1627	    - supportedLDAPVersion: LDAP versions supported; and

1629	    - supportedSASLMechanisms: recognized SASL mechnanisms.

1631	  The values of these attributes provided may depend on session specific
1632	  and other factors.  For example, a server supporting the SASL EXTERNAL
1633	  mechanism might only list "EXTERNAL" when the client's identity has
1634	  been established by a lower level.  See [AuthMeth].

1636	  The root DSE may also include a 'subschemaSubentry' attribute.  If so,
1637	  it refers to the subschema (sub)entry holding schema controlling
1638	  attributes of the root DSE.  Client SHOULD NOT assume that the
1639	  subschema (sub)entry controlling the root DSE controls any entry held
1640	  by the server.  General subschema discovery procedures are provided in
1641	  Section 4.4.

1643	5.1.1. 'altServer'

1645	  The 'altServer' attribute lists URLs referring to alternative servers
1646	  which may be contacted when this server becomes unavailable.  If the
1647	  server does not know of any other servers which could be used this
1648	  attribute will be absent.  Clients may cache this information in case
1649	  their preferred LDAP server later becomes unavailable.

1651	      ( 1.3.6.1.4.1.1466.101.120.6 NAME 'altServer'
1652	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
1653	        USAGE dSAOperation )

1655	  The IA5String (1.3.6.1.4.1.1466.115.121.1.26) syntax is defined in
1656	  [Syntaxes].

1658	5.1.2. 'namingContexts'

1660	  The 'namingContexts' attribute lists the context prefixes of the
1661	  naming contexts the server masters or shadows (in part or in whole).
1662	  If the server does not master or shadow any information (e.g. it is an
1663	  LDAP gateway to a public X.500 directory) this attribute will be
1664	  absent.  If the server believes it masters or shadows the entire
1665	  directory, the attribute will have a single value, and that value will
1666	  be the empty string (indicating the null DN of the root).  This
1667	  attribute allows a client to choose suitable base objects for
1668	  searching when it has contacted a server.

1670	      ( 1.3.6.1.4.1.1466.101.120.5 NAME 'namingContexts'
1671	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
1672	        USAGE dSAOperation )

1674	  The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax is
1675	  defined in [Syntaxes].

1677	5.1.3. 'supportedControl'

1679	  The 'supportedControl' attribute lists object identifiers identifying
1680	  the request controls the server supports.  If the server does not
1681	  support any request controls, this attribute will be absent.

1683	  Object identifiers identifying response controls need not be listed.

1685	  Procedures for registering object identifiers used to discovery of
1686	  protocol mechanisms are detailed in BCP 64 [RFC3383].

1688	      ( 1.3.6.1.4.1.1466.101.120.13 NAME 'supportedControl'
1689	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
1690	        USAGE dSAOperation )

1692	  The OBJECT IDENTIFIER (1.3.6.1.4.1.1466.115.121.1.38) syntax is
1693	  defined in [Syntaxes].

1695	5.1.4. 'supportedExtension'

1697	  The 'supportedExtension' attribute lists object identifiers
1698	  identifying the extended operations which the server supports.  If the
1699	  server does not support any extended operations, this attribute will
1700	  be absent.

1702	  An extended operation comprises a ExtendedRequest, possibly other PDUs
1703	  defined by extension, and an ExtendedResponse [Protocol].  The object
1704	  identifier assigned to the ExtendedRequest is used to identify the
1705	  extended operation.  Other object identifiers associated with the
1706	  extended operation need not be listed.

1708	  Procedures for registering object identifiers used to discovery of
1709	  protocol mechanisms are detailed in BCP 64 [RFC3383].

1711	      ( 1.3.6.1.4.1.1466.101.120.7 NAME 'supportedExtension'
1712	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
1713	        USAGE dSAOperation )

1715	  The OBJECT IDENTIFIER (1.3.6.1.4.1.1466.115.121.1.38) syntax is
1716	  defined in [Syntaxes].

1718	5.1.5. 'supportedLDAPVersion'
1719	  The 'supportedLDAPVersion' attribute lists the versions of LDAP which
1720	  the server supports.

1722	      ( 1.3.6.1.4.1.1466.101.120.15 NAME 'supportedLDAPVersion'
1723	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
1724	        USAGE dSAOperation )

1726	  The INTEGER (1.3.6.1.4.1.1466.115.121.1.27) syntax are defined in
1727	  [Syntaxes].

1729	5.1.6. 'supportedSASLMechanisms'

1731	  The 'supportedSASLMechanisms' attribute lists the SASL mechanisms
1732	  [RFC2222] which the server recognizes.  The contents of this attribute
1733	  may depend on the current session state.  If the server does not
1734	  support any SASL mechanisms this attribute will not be present.

1736	      ( 1.3.6.1.4.1.1466.101.120.14 NAME 'supportedSASLMechanisms'
1737	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
1738	        USAGE dSAOperation )

1740	  The Directory String (1.3.6.1.4.1.1466.115.121.1.15) syntax is defined
1741	  in [Syntaxes].

1743	6. Other Considerations

1745	6.1. Preservation of User Information

1747	  Syntaxes may be defined which have specific value and/or value form
1748	  (representation) preservation requirements.  For example, a syntax
1749	  containing digitally signed data can mandate the server preserve both
1750	  the value and form of value presented to ensure signature is not
1751	  invalidated.

1753	  Where such requirements have not be explicitly stated, servers SHOULD
1754	  preserve the value of user information but MAY return the value in a
1755	  different form.  And where a server is unable (or unwilling) to
1756	  preserve the value of user information, the server SHALL ensure that
1757	  an equivalent value (per Section 2.3) is returned.

1759	6.2. Short Names

1761	  Short names, also known as descriptors, are used as more readable
1762	  aliases for object identifiers and are used to identify various schema
1763	  elements.  However, it is not expected that LDAP implementations with
1764	  human user interface would display these short names (nor the object
1765	  identifiers they refer to) to the user, but would most likely be
1766	  performing translations (such as expressing the short name in one of
1767	  the local national languages).  For example, the short name "st"
1768	  (stateOrProvinceName) might be displayed to a German-speaking user as
1769	  "Land".

1771	  The same short name might have different meaning in different
1772	  subschemas and, within a particular subschema, the same short name
1773	  might refer to different object identifiers each identifying a
1774	  different kind of schema element.

1776	  Implementations MUST be prepared that the same short name might be
1777	  used in a subschema to refer to the different kinds of schema
1778	  elements.  That is, there might be an object class 'x-fubar' and an
1779	  attribute type 'x-fubar' in a subschema.

1781	  Implementations MUST be prepared that the same short name might be
1782	  used in the different subschemas to refer to the different schema
1783	  elements.  That is, there might be two matching rules 'x-fubar', each
1784	  in different subschemas.

1786	  Procedures for registering short names (descriptors) are detailed in
1787	  BCP 64 [RFC3383bis].

1789	  [[The remainder of this subsection will be included a subsequent
1790	  revision of RFC 3383.]]

1792	  To avoid interoperability problems, the following additional
1793	  considerations are stated:

1795	      Descriptors used to identify various schema SHOULD be registered
1796	      unless in private-use name space (e.g., they begin with "x-").
1797	      Descriptors defined in RFCs MUST be registered.

1799	      While the protocol allows the same descriptor to refer to
1800	      different object identifiers in certain cases and the registry
1801	      supports multiple registrations of the same descriptor (each
1802	      indicating a different kind of schema element and different object
1803	      identifier), multiple registrations of the same descriptor are to
1804	      be avoided.  All such registration requests require Expert Review.

1806	6.3. Cache and Shadowing

1808	  Some servers may hold cache or shadow copies of entries, which can be
1809	  used to answer search and comparison queries, but will return
1810	  referrals or contact other servers if modification operations are
1811	  requested.  Servers that perform shadowing or caching MUST ensure that
1812	  they do not violate any access control constraints placed on the data
1813	  by the originating server.

1815	7. Implementation Guidelines

1817	7.1 Server Guidelines

1819	  Servers MUST recognize all attribute types and object classes names
1820	  defined in this document but, unless stated otherwise, need not
1821	  support the associated functionality.  Servers SHOULD recognize all
1822	  the names of attribute types and object classes defined in Section 3
1823	  and 4, respectively, of [Schema].

1825	  Servers MUST ensure that entries conform to user and system schema
1826	  rules or other data model constraints.

1828	  Servers MAY support the 'extensibleObject' object class.

1830	  Servers MAY support DIT Content Rules.  Servers MAY support DIT
1831	  Structure Rules, and Name Forms.

1833	  Servers MAY support alias entries.

1835	  Servers MAY support subentries.  If so, they MUST do so in accordance
1836	  with [X.501].  Servers which do not support subentries SHOULD use
1837	  object entries to mimic subentries as detailed in Section 3.2.

1839	  Servers MAY implement additional schema elements.  Servers SHOULD
1840	  provide definitions of all schema elements they support in subschema
1841	  (sub)entries.

1843	7.2 Client Guidelines

1845	  Clients MUST NOT display nor attempt to decode as ASN.1, a value if
1846	  its syntax is not known.  The implementation may attempt to discover
1847	  the subschema of the source entry, and retrieve the values of
1848	  'attributeTypes' from the subschema (sub)entry.

1850	  Clients MUST NOT assume the LDAP-specific string encoding is
1851	  restricted to a UTF-8 encoded string of UCS characters or any
1852	  particular subset of particular subset of UCS (such as a printable
1853	  subset) unless such restriction is explicitly stated.

1855	  Clients MUST NOT send attribute values in a request that are not valid
1856	  according to the syntax defined for the attributes.

1858	8. Security Considerations

1860	  Attributes of directory entries are used to provide descriptive
1861	  information about the real-world objects they represent, which can be
1862	  people, organizations or devices.  Most countries have privacy laws
1863	  regarding the publication of information about people.

1865	  General security considerations for accessing directory information
1866	  with LDAP are discussed in [Protocol] and [AuthMeth].

1868	9. IANA Considerations

1870	  It is requested that the Internet Assigned Numbers Authority (IANA)
1871	  update the LDAP descriptors registry as indicated the following
1872	  template:

1874	      Subject: Request for LDAP Descriptor Registration Update
1875	      Descriptor (short name): see comment
1876	      Object Identifier: see comment
1877	      Person & email address to contact for further information:
1878	          Kurt Zeilenga <kurt@OpenLDAP.org>
1879	      Usage: see comment
1880	      Specification: RFC XXXX
1881	      Author/Change Controller: IESG
1882	      Comments:

1884	      The following descriptors (short names) should be updated to refer
1885	      to RFC XXXX.

1887	        NAME                         Type OID
1888	        ------------------------     ---- -----------------
1889	        alias                           O 2.5.6.1
1890	        aliasedEntryName                A 2.5.4.1
1891	        aliasedObjectName               A 2.5.4.1
1892	        altServer                       A 1.3.6.1.4.1.1466.101.120.6
1893	        attributeTypes                  A 2.5.21.5
1894	        createTimestamp                 A 2.5.18.1
1895	        creatorsName                    A 2.5.18.3
1896	        dITContentRules                 A 2.5.21.2
1897	        dITStructureRules               A 2.5.21.1
1898	        extensibleObject                O 1.3.6.1.4.1.1466.101.120.111
1899	        ldapSyntaxes                    A 1.3.6.1.4.1.1466.101.120.16
1900	        matchingRuleUse                 A 2.5.21.8
1901	        matchingRules                   A 2.5.21.4
1902	        modifiersName                   A 2.5.18.4
1903	        modifyTimestamp                 A 2.5.18.2
1904	        nameForms                       A 2.5.21.7
1905	        namingContexts                  A 1.3.6.1.4.1.1466.101.120.5
1906	        objectClass                     A 2.5.4.0
1907	        objectClasses                   A 2.5.21.6
1908	        subschema                       O 2.5.20.1
1909	        subschemaSubentry               A 2.5.18.10
1910	        supportedControl                A 1.3.6.1.4.1.1466.101.120.13
1911	        supportedExtension              A 1.3.6.1.4.1.1466.101.120.7
1912	        supportedLDAPVersion            A 1.3.6.1.4.1.1466.101.120.15
1913	        supportedSASLMechanisms         A 1.3.6.1.4.1.1466.101.120.14
1914	        top                             O 2.5.6.0

1916	10. Acknowledgments

1918	  This document is based in part on RFC 2251 by M. Wahl, T.  Howes, and
1919	  S. Kille; RFC 2252 by M. Wahl, A. Coulbeck, T. Howes, S.  Kille; and
1920	  RFC 2556 by M. Wahl, all products of the IETF Access, Searching and
1921	  Indexing of Directories (ASID) Working Group.  This document is also
1922	  based in part on "The Directory: Models" [X.501], a product of the
1923	  International Telephone Union (ITU).  Additional text was borrowed
1924	  from RFC 2253 by Mark Wahl, Tim Howes, and Steve Kille.

1926	  This document is a product of the IETF LDAPBIS Working Group.

1928	11. Author's Address

1930	  Kurt Zeilenga
1931	  E-mail: <kurt@openldap.org>

1933	12. References

1935	12.1. Normative References

1937	  [RFC2279]  Yergeau, F., "UTF-8, a transformation format of ISO 10646",
1938	             RFC 2279, January 1998.

1940	  [RFC2119]  S. Bradner, "Key words for use in RFCs to Indicate
1941	             Requirement Levels", BCP 14 (also RFC 2119), March 1997.

1943	  [RFC2234]  Crocker, D., and P. Overell, "Augmented BNF for Syntax
1944	             Specifications: ABNF", RFC 2234, November 1997.

1946	  [RFC3383]  K. Zeilenga, "IANA Considerations for LDAP", BCP 64 (also
1947	             RFC 3383), September 2002.

1949	  [Roadmap]  K. Zeilenga (editor), "LDAP: Technical Specification Road
1950	             Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in
1951	             progress.

1953	  [Protocol] J. Sermersheim (editor), "LDAP: The Protocol",
1954	             draft-ietf-ldapbis-protocol-xx.txt, a work in progress.

1956	  [AuthMeth] R. Harrison (editor), "LDAP: Authentication Methods and
1957	             Connection Level Security Mechanisms",
1958	             draft-ietf-ldapbis-authmeth-xx.txt, a work in progress.

1960	  [LDAPDN]   K. Zeilenga (editor), "LDAP: String Representation of
1961	             Distinguished Names", draft-ietf-ldapbis-dn-xx.txt, a work
1962	             in progress.

1964	  [Filters]  M. Smith (editor), LDAPbis WG, "LDAP: String Representation
1965	             of Search Filters", draft-ietf-ldapbis-filter-xx.txt, a
1966	             work in progress.

1968	  [LDAPURL]  M. Smith (editor), "LDAP: Uniform Resource Locator",
1969	             draft-ietf-ldapbis-url-xx.txt, a work in progress.

1971	  [Syntaxes] S. Legg (editor), "LDAP: Syntaxes",
1972	             draft-ietf-ldapbis-syntaxes-xx.txt, a work in progress.

1974	  [Schema]   K. Dally (editor), "LDAP: User Schema",
1975	             draft-ietf-ldapbis-user-schema-xx.txt, a work in progress.

1977	  [ISO10646] Universal Multiple-Octet Coded Character Set (UCS) -
1978	             Architecture and Basic Multilingual Plane, ISO/IEC 10646-1
1979	             : 1993.

1981	  [X.500]    ITU-T Rec. X.500, "The Directory: Overview of Concepts,
1982	             Models and Service", 1993.

1984	  [X.501]    ITU-T Rec. X.501, "The Directory: Models", 1993.

1986	  [X.680]    ITU-T Rec. X.680, "Abstract Syntax Notation One (ASN.1) -
1987	             Specification of Basic Notation", 1994.

1989	12.2. Informative References

1991	  None.

1993	Appendix A.  Changes

1995	  This appendix is non-normative.

1997	  This document amounts to nearly a complete rewrite of portions of RFC
1998	  2251, RFC 2252, and RFC 2256.  This rewrite was undertaken to improve
1999	  overall clarity of technical specification.  This appendix provides a
2000	  summary of substantive changes made to the portions of these documents
2001	  incorporated into this document.  Readers should consult [Roadmap],
2002	  [Protocol], [Syntaxes], and [Schema] for summaries of remaining
2003	  portions of these documents.

2005	A.1 Changes to RFC 2251

2007	  This document incorporates from RFC 2251 sections 3.2 and 3.4,
2008	  portions of Section 4 and 6 as summarized below.

2010	A.1.1 Section 3.2 of RFC 2251

2012	  Section 3.2 of RFC 2251 provided a brief introduction to the X.500
2013	  data model, as used by LDAP.  The previous specification relied on
2014	  [X.501] but lacked clarity in how X.500 models are adapted for use by
2015	  LDAP.  This document describes the X.500 data models, as used by LDAP
2016	  in greater detail, especially in areas where the models require
2017	  adaptation is needed.

2019	  Section 3.2.1 of RFC 2251 described an attribute as "a type with one
2020	  or more associated values."  In LDAP, an attribute is better described
2021	  as an attribute description, a type with zero or more options, and one
2022	  or more associated values.

2024	  Section 3.2.2 of RFC 2251 mandated that subschema subentries contain
2025	  objectClasses and attributeTypes attributes, yet X.500(93) treats
2026	  these attributes as optional.  While generally all implementations
2027	  that support X.500(93) subschema mechanisms will provide both of these
2028	  attributes, it is not absolutely required for interoperability that
2029	  all servers do.  The mandate was removed for consistency with
2030	  X.500(93).   The subschema discovery mechanism was also clarified to
2031	  indicate that subschema controlling an entry is obtained by reading
2032	  the (sub)entry referred to by that entry's 'subschemaSubentry'
2033	  attribute.

2035	A.1.2 Section 3.4 of RFC 2251

2037	  Section 3.4 of RFC 2251 provided "Server-specific Data Requirements".
2038	  This material, with changes, was incorporated in Section 5.1 of this
2039	  document.

2041	  Changes:

2043	  - Clarify that attributes of the root DSE are subject to "other
2044	    restrictions" in addition to acccess controls.

2046	  - Clarify that only recognized extended requests need to be enumerated
2047	    'supportedExtension'.

2049	  - Clarify that only recognized request controls need to be enumerated
2050	    'supportedControl'.

2052	  - Clarify that root DSE attributes are operational and, like other
2053	    operational attributes, will not be returned in search requests
2054	    unless requested by name.

2056	  - Clarify that not all root DSE attributes are user modifiable.

2058	  - Remove inconsistent text regarding handling of the
2059	    'subschemaSubentry' attribute within the root DSE.  The previous
2060	    specification stated that the 'subschemaSubentry' attribute held in
2061	    the root DSE referred to "subschema entries (or subentries) known by
2062	    this server."  This is inconsistent with the attribute intended use
2063	    as well as its formal definition as a single valued attribute
2064	    [X.501].  It is also noted that a simple (possibly incomplete) list
2065	    of subschema (sub)entries is not terrible useful.  This document (in
2066	    section 5.1) specifies that the 'subschemaSubentry' attribute of the
2067	    root DSE refers to the subschema controlling the root DSE.  It is
2068	    noted that the general subschema discovery mechanism remains
2069	    available (see Section 4.4 of this document).

2071	A.1.2 Section 4 of RFC 2251

2073	  Portions of Section 4 of RFC 2251 detailing aspects of the information
2074	  model used by LDAP were incorporated in this document, including:

2076	  - Restriction of distinguished values to attributes whose descriptions
2077	    have no options (from Section 4.1.3).

2079	  - Data model aspects of Attribute Types (from Section 4.1.4),
2080	    Attribute Descriptions (from 4.1.4), Attribute (from 4.1.8),
2081	    Matching Rule Identifier (from 4.1.9).

2083	  - User schema requirements (from Section 4.1.6, 4.5.1, and 4.7).

2085	A.1.3 Section 6 of RFC 2251

2087	    The Section 6.1 and the second paragraph of Section 6.2 of RFC 2251
2088	    where incorporated into this document.

2090	A.2 Changes to RFC 2252

2092	    This document incorporates Sections 4, 5 and 7 from RFC 2252.

2094	A.2.1 Section 4 of RFC 2252

2096	    The specification was updated to use Augmented BNF [RFC2234].  The
2097	    string representation of an OBJECT IDENTIFIER was tighten to
2098	    disallow leading zeros as described in RFC 2252 text.

2100	    The <descr> syntax was changed to disallow semicolon (U+0003B)
2101	    characters to appear to be consistent its natural language
2102	    specification "descr is the syntactic representation of an object
2103	    descriptor, which consists of letters and digits, starting with a
2104	    letter."  In a related change, the statement "an
2105	    AttributeDescription can be used as the value in a NAME part of an
2106	    AttributeTypeDescription" was deleted.  RFC 2252 provided no
2107	    specification as to the semantics of attribute options appearing in
2108	    NAME fields.

2110	    The ABNF for a quoted string (qdstring) was updated to reflect
2111	    support for the escaping mechanism described in 4.3 of RFC 2252.

2113	A.2.2 Section 5 of RFC 2252

2115	    Definitions of operational attributes provided in Section 5 of RFC
2116	    2252 where incorporated into this document.

2118	    The 'supportedExtension' description was clarified.  A server need
2119	    only list the OBJECT IDENTIFIERs associated with the extended
2120	    requests of the extended operations it recognizes.

2122	    The 'supportedControl' description was clarified.  A server need
2123	    only list the OBJECT IDENTIFIERs associated with the request
2124	    controls it recognizes.

2126	A.2.3 Section 7 of RFC 2252

2128	    Section 7 of RFC 2252 provides definitions of the 'subschema' and
2129	    'extensibleObject' object classes.  These definitions where
2130	    integrated into Section 4.2 and Section 4.3 of this document,
2131	    respectively.  Section 7 of RFC 2252 also contained the object class
2132	    implementation requirement.  This was incorporated into Section 7 of
2133	    this document.

2135	    The specification of 'extensibleObject' was clarified of how it
2136	    interacts with precluded attributes.

2138	A.3 Changes to RFC 2256

2140	    This document incorporates Sections 5.1, 5.2, 7.1, and 7.2 of RFC
2141	    2256.

2143	    Section 5.1 of RFC 2256 provided the definition of the 'objectClass'
2144	    attribute type.  This was integrated into Section 2.4.1 of this
2145	    document.  The statement "One of the values is either 'top' or
2146	    'alias'" was replaced with statement that one of the values is 'top'
2147	    as entries belonging to 'alias' also belong to 'top'.

2149	    Section 5.2 of RFC 2256 provided the definition of the
2150	    'aliasedObjectName' attribute type.  This was integrated into
2151	    Section 2.6.2 of this document.

2153	    Section 7.1 of RFC 2256 provided the definition of the 'top' object
2154	    class.  This was integrated into Section 2.4.1 of this document.

2156	    Section 7.2 of RFC 2256 provided the definition of the 'alias'
2157	    object class.  This was integrated into Section 2.6.1 of this
2158	    document.

2160	Copyright 2002, The Internet Society.  All Rights Reserved.

2162	  This document and translations of it may be copied and furnished to
2163	  others, and derivative works that comment on or otherwise explain it
2164	  or assist in its implementation may be prepared, copied, published and
2165	  distributed, in whole or in part, without restriction of any kind,
2166	  provided that the above copyright notice and this paragraph are
2167	  included on all such copies and derivative works.  However, this
2168	  document itself may not be modified in any way, such as by removing
2169	  the copyright notice or references to the Internet Society or other
2170	  Internet organizations, except as needed for the  purpose of
2171	  developing Internet standards in which case the procedures for
2172	  copyrights defined in the Internet Standards process must be followed,
2173	  or as required to translate it into languages other than English.

2175	  The limited permissions granted above are perpetual and will not be
2176	  revoked by the Internet Society or its successors or assigns.

2178	  This document and the information contained herein is provided on an
2179	  "AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
2180	  ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
2181	  INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
2182	  INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
2183	  WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.