idnits 2.17.1 

draft-ietf-ldapbis-models-09.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** The document seems to lack a 1id_guidelines paragraph about 6 months
     document validity -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     current Internet-Drafts -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     Shadow Directories. 


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 36 instances of lines with non-RFC6890-compliant IPv4
     addresses in the document.  If these are example addresses, they should
     be changed.

  == The 'Obsoletes: ' line in the draft header should list only the
     _numbers_ of the RFCs which will be obsoleted by this document (if
     approved); it should not include the word 'RFC' in the list.

  -- The draft header indicates that this document obsoletes RFC2251, but the
     abstract doesn't seem to directly say this.  It does mention RFC2251
     though, so this could be OK.

  -- The draft header indicates that this document obsoletes RFC2252, but the
     abstract doesn't seem to directly say this.  It does mention RFC2252
     though, so this could be OK.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == Line 2247 has weird spacing: '...for the  purpo...'

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords -- however, there's a paragraph with
     a matching beginning. Boilerplate error?

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).
  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (27 October 2003) is 7477 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC2222' is mentioned on line 1773, but not defined

  ** Obsolete undefined reference: RFC 2222 (Obsoleted by RFC 4422, RFC 4752)

  == Unused Reference: 'LDAPURL' is defined on line 1990, but no explicit
     reference was found in the text

  == Unused Reference: 'ASCII' is defined on line 2013, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2234 (Obsoleted by RFC 4234)

  -- No information found for draft-ietf-ldapbis-bcp64-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'BCP64bis' 

  -- No information found for draft-ietf-ldapbis-roadmap-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Roadmap' 

  -- No information found for draft-ietf-ldapbis-protocol-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Protocol' 

  -- No information found for draft-ietf-ldapbis-authmeth-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'AuthMeth' 

  -- No information found for draft-ietf-ldapbis-dn-xx - is the name correct?

  -- Possible downref: Normative reference to a draft: ref. 'LDAPDN' 

  -- No information found for draft-ietf-ldapbis-filter-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Filters' 

  -- No information found for draft-ietf-ldapbis-url-xx - is the name correct?

  -- Possible downref: Normative reference to a draft: ref. 'LDAPURL' 

  -- No information found for draft-ietf-sasl-rfc2222bis-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'SASL' 

  -- No information found for draft-ietf-ldapbis-syntaxes-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Syntaxes' 

  -- No information found for draft-ietf-ldapbis-user-schema-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Schema' 

  -- No information found for draft-yergeau-rfc2279bis-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'UTF-8' 

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ISO10646'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ASCII'


     Summary: 6 errors (**), 0 flaws (~~), 8 warnings (==), 28 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	INTERNET-DRAFT                              Editor: Kurt D. Zeilenga
3	Intended Category: Standard Track                OpenLDAP Foundation
4	Expires in six months                                27 October 2003
5	Obsoletes: RFC 2251, RFC 2252, RFC 2256

7	                    LDAP: Directory Information Models
8	                    <draft-ietf-ldapbis-models-09.txt>

10	Status of this Memo

12	  This document is an Internet-Draft and is in full conformance with all
13	  provisions of Section 10 of RFC2026.

15	  This document is intended to be published as a Standard Track RFC.
16	  Distribution of this memo is unlimited.  Technical discussion of this
17	  document will take place on the IETF LDAP Revision Working Group
18	  mailing list <ietf-ldapbis@openldap.org>.  Please send editorial
19	  comments directly to the author <Kurt@OpenLDAP.org>.

21	  Internet-Drafts are working documents of the Internet Engineering Task
22	  Force (IETF), its areas, and its working groups.  Note that other
23	  groups may also distribute working documents as Internet-Drafts.
24	  Internet-Drafts are draft documents valid for a maximum of six months
25	  and may be updated, replaced, or obsoleted by other documents at any
26	  time.  It is inappropriate to use Internet-Drafts as reference
27	  material or to cite them other than as ``work in progress.''

29	  The list of current Internet-Drafts can be accessed at
30	  <http://www.ietf.org/ietf/1id-abstracts.txt>. The list of
31	  Internet-Draft Shadow Directories can be accessed at
32	  <http://www.ietf.org/shadow.html>.

34	  Copyright (C) The Internet Society (2003).  All Rights Reserved.

36	  Please see the Full Copyright section near the end of this document
37	  for more information.

39	Abstract

41	  The Lightweight Directory Access Protocol (LDAP) is an Internet
42	  protocol for accessing distributed directory services which act in
43	  accordance with X.500 data and service models.  This document
44	  describes the X.500 Directory Information Models, as used in LDAP.

46	Table of Contents

48	  Status of this Memo                                             1
49	  Abstract
50	  Table of Contents                                               2
51	  1.       Introduction                                           3
52	  1.1.     Relationship to Other LDAP Specifications
53	  1.2.     Relationship to X.501                                  4
54	  1.3.     Conventions
55	  1.4.     Common ABNF Productions
56	  2.       Model of Directory User Information                    6
57	  2.1.     The Directory Information Tree                         7
58	  2.2.     Naming of Entries
59	  2.3.     Structure of an Entry                                  8
60	  2.4.     Object Classes                                         9
61	  2.5.     Attribute Descriptions                                11
62	  2.6.     Alias Entries                                         15
63	  3.       Directory Administrative and Operational Information  17
64	  3.1.     Subtrees
65	  3.2.     Subentries
66	  3.3.     The 'objectClass' attribute                           18
67	  3.4.     Operational attributes
68	  4.       Directory Schema                                      21
69	  4.1.     Schema Definitions                                    22
70	  4.2.     Subschema Subentries                                  31
71	  4.3.     'extensibleObject'                                    34
72	  4.4.     Subschema Discovery                                   35
73	  5.       DSA (Server) Informational Model
74	  5.1.     Server-specific Data Requirements                     36
75	  6.       Other Considerations                                  39
76	  6.1.     Preservation of User Information
77	  6.2.     Short Names
78	  6.3.     Cache and Shadowing                                   40
79	  7.       Implementation Guidelines
80	  7.1.     Server Guidelines
81	  7.2.     Client Guidelines                                     41
82	  8.       Security Considerations
83	  9.       IANA Considerations
84	  10.      Acknowledgments                                       42
85	  11.      Author's Address
86	  12.      References                                            43
87	  12.1.    Normative References
88	  12.2.    Informative References                                44
89	  Appendix A.  Changes
90	  A.1      Changes to RFC 2251                                   44
91	  A.2      Changes to RFC 2252                                   46
92	  A.3      Changes to RFC 2256                                   48
93	  Intellectual Property Rights
94	  Full Copyright                                                 49

96	1. Introduction

98	  This document discusses the X.500 Directory Information Models
99	  [X.501], as used by the Lightweight Directory Access Protocol (LDAP)
100	  [Roadmap].

102	  The Directory is "a collection of open systems cooperating to provide
103	  directory services" [X.500].  The information held in the Directory is
104	  collectively known as the Directory Information Base (DIB).  A
105	  Directory user, which may be a human or other entity, accesses the
106	  Directory through a client (or Directory User Agent (DUA)).  The
107	  client, on behalf of the directory user, interacts with one or more
108	  servers (or Directory System Agents (DSA)).  A server holds a fragment
109	  of the DIB.

111	  The DIB contains two classes of information:

113	      1) user information (e.g., information provided and administrated
114	         by users).  Section 2 describes the Model of User Information.

116	      2) administrative and operational information (e.g., information
117	         used to administer and/or operate the directory).  Section 3
118	         describes the model of Directory Administrative and Operational
119	         Information.

121	  These two models, referred to as the generic Directory Information
122	  Models, describe how information is represented in the Directory.
123	  These generic models provide a framework for other information models.
124	  Section 4 discusses the subschema information model and subschema
125	  discovery.  Section 5 discusses the DSA (Server) Informational Model.

127	  Other X.500 information models, such as access control, collective
128	  attribute, distribution knowledge, and replication knowledge
129	  information models, may be adapted for use in LDAP.  Specification of
130	  how these models apply to LDAP is left to future documents.

132	1.1. Relationship to Other LDAP Specifications

134	  This document is a integral part of the LDAP technical specification
135	  [Roadmap] which obsoletes the previously defined LDAP technical
136	  specification, RFC 3377, in its entirety.

138	  This document obsoletes RFC 2251 sections 3.2 and 3.4, as well as
139	  portions of sections 4 and 6.  Appendix A.1 summaries changes to these
140	  sections.  The remainder of RFC 2251 is obsoleted by the [Protocol],
141	  [AuthMeth], and [Roadmap] documents.

143	  This document obsoletes RFC 2252 sections 4, 5 and 7.  Appendix A.2
144	  summaries changes to these sections.  The remainder of RFC 2252 is
145	  obsoleted by [Syntaxes].

147	  This document obsoletes RFC 2256 sections 5.1, 5.2, 7.1 and 7.2.
148	  Appendix A.3 summarizes changes to these sections.  The remainder of
149	  RFC 2256 is obsoleted by [Schema] and [Syntaxes].

151	1.2. Relationship to X.501

153	  This document includes material, with and without adaptation, from the
154	  [X.501].  The material in this document takes precedence over that in
155	  [X.501].

157	1.3. Conventions

159	  The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
160	  "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
161	  document are to be interpreted as described in BCP 14 [RFC2119].

163	  Schema definitions are provided using LDAP description formats (as
164	  defined in Section 4.1).  Definitions provided here are formatted
165	  (line wrapped) for readability.  Matching rules and LDAP syntaxes
166	  referenced in these definitions are specified in [Syntaxes].

168	1.4. Common ABNF Productions

170	  A number of syntaxes in this document are described using Augmented
171	  Backus-Naur Form (ABNF) [RFC2234].  These syntaxes (as well as a
172	  number of syntaxes defined in other documents) rely on the following
173	  common productions:

175	      keystring = leadkeychar *keychar
176	      leadkeychar = ALPHA
177	      keychar = ALPHA / DIGIT / HYPHEN

179	      number = DIGIT / ( LDIGIT 1*DIGIT )

181	      ALPHA  = %x41-5A / %x61-7A   ; "A"-"Z" / "a"-"z"
182	      DIGIT  = %x30 / LDIGIT       ; "0"-"9"
183	      LDIGIT = %x31-39             ; "1"-"9"
184	      HEX     = DIGIT / %x41-46 / %x61-66 ; 0-9 / A-F / a-f

186	      SP     = 1*SPACE  ; one or more " "
187	      WSP    = 0*SPACE  ; zero or more " "

189	      NULL   = %x00 ; null (0)
190	      SPACE  = %x20 ; space (" ")
191	      DQUOTE = %x22 ; quote (""")
192	      SHARP  = %x23 ; octothorpe (or sharp sign) ("#")
193	      DOLLAR = %x24 ; dollar sign ("$")
194	      SQUOTE = %x27 ; single quote ("'")
195	      LPAREN = %x28 ; left paren ("(")
196	      RPAREN = %x29 ; right paren (")")
197	      PLUS   = %x2B ; plus sign ("+")
198	      COMMA  = %x2C ; comma (",")
199	      HYPHEN = %x2D ; hyphen ("-")
200	      DOT    = %x2E ; period (".")
201	      SEMI   = %x3B ; semicolon (";")
202	      LANGLE = %x3C ; left angle bracket ("<")
203	      EQUALS = %x3D ; equals sign ("=")
204	      RANGLE = %x3E ; right angle bracket (">")
205	      X      = %x58 ; uppercase x ("X")
206	      ESC    = %x5C ; backslash ("\")
207	      USCORE = %x5F ; underscore ("_")
208	      LCURLY = %x7B ; left curly brace "{"
209	      RCURLY = %x7D ; right curly brace "}"

211	      ; Any UTF-8 character
212	      UTF8    = UTF1 / UTFMB
213	      UTFMB   = UTF2 / UTF3 / UTF4
214	      UTF0    = %x80-BF
215	      UTF1    = %x00-7F
216	      UTF2    = %xC2-DF UTF0
217	      UTF3    = %xE0 %xA0-BF UTF0 / %xE1-EC 2(UTF0) /
218	                %xED %x80-9F UTF0 / %xEE-EF 2(UTF0)
219	      UTF4    = %xF0 %x90-BF 2(UTF0) / %xF1-F3 3(UTF0) /
220	                %xF4 %x80-8F 2(UTF0)

222	      ; Any octet
223	      OCTET   = %x00-FF

225	  Object identifiers (OIDs) [X.680] are represented in LDAP using a dot-
226	  decimal format conforming to the ABNF:

228	      numericoid = number *( DOT number )

230	  Short names, also known as descriptors, are used as more readable
231	  aliases for object identifiers.  Short names are case insensitive and
232	  conform to the ABNF:

234	      descr = keystring

236	  Where either an object identifier or a short name may be specified,
237	  the following production is used:

239	      oid = descr / numericoid

241	  While the <descr> form is generally preferred when the usage is
242	  restricted to short names referring to object identifiers which
243	  identify like kinds of objects (e.g., attribute type descriptions,
244	  matching rule descriptions, object class descriptions), the
245	  <numericoid> form should be used when the object identifiers may
246	  identify multiple kinds of objects or when an unambiguous short name
247	  (descriptor) is not available.

249	  When the <descr> form is used, the representation SHALL be considered
250	  invalid if the usage is not restricted as discussed above or the
251	  implementation cannot determine unambiguously which object identifier
252	  the <descr> refers to.

254	  Short Names (descriptors) are discussed further in Section 6.2.

256	2. Model of Directory User Information

258	  As [X.501] states:

260	      The purpose of the Directory is to hold, and provide access to,
261	      information about objects of interest (objects) in some 'world'.
262	      An object can be anything which is identifiable (can be named).

264	      An object class is an identified family of objects, or conceivable
265	      objects, which share certain characteristics. Every object belongs
266	      to at least one class.  An object class may be a subclass of other
267	      object classes, in which case the members of the former class, the
268	      subclass, are also considered to be members of the latter classes,
269	      the superclasses.  There may be subclasses of subclasses, etc., to
270	      an arbitrary depth.

272	  A directory entry, a named collection of information, is the basic
273	  unit of information held in the Directory.  There are multiple kinds
274	  of directory entries.

276	  An object entry represents a particular object.  An alias entry
277	  provides alternative naming.  A subentry holds administrative and/or
278	  operational information.

280	  The set of entries representing the DIB are organized hierarchically
281	  in a tree structure known as the Directory Information Tree (DIT).

283	  Section 2.1 describes the Directory Information Tree
284	  Section 2.2 discusses naming of entries.
285	  Section 2.3 discusses the structure of entries.
286	  Section 2.4 discusses object classes.
287	  Section 2.5 discusses attribute descriptions.
288	  Section 2.6 discusses alias entries.

290	2.1. The Directory Information Tree

292	  As noted above, the DIB is composed of a set of entries organized
293	  hierarchically in a tree structure known as the Directory Information
294	  Tree (DIT).  Specifically, a tree where vertices are the entries.

296	  The arcs between vertices define relations between entries.  If an arc
297	  exists from X to Y, then the entry at X is the immediate superior of Y
298	  and Y is the immediate subordinate of X.  An entry's superiors are the
299	  entry's immediate superior and its superiors.  An entry's subordinates
300	  are all of its immediate subordinates and their subordinates.

302	  Similarly, the superior/subordinate relationship between object
303	  entries can be used to derive a relation between the objects they
304	  represent.  DIT structure rules can be used to govern relationships
305	  between objects.

307	  Note: An entry's immediate superior is also known as the entry's
308	        parent and an entry's immediate subordinate is also known as the
309	        entry's child.  Entries which have the same parent are known as
310	        siblings.

312	2.2. Naming of Entries

314	2.2.1.  Relative Distinguished Names

316	  Each entry is named relative to its immediate superior.  This relative
317	  name, known as its Relative Distinguished Name (RDN) [X.501], is
318	  composed of an unordered set of one or more attribute value assertions
319	  (AVA) consisting of an attribute description with zero options and an
320	  attribute value.  These AVAs are chosen from the attributes of the
321	  entry.

323	  An entry's relative distinguished name must be unique among all
324	  immediate subordinates of the entry's immediate superior (i.e., all
325	  siblings).

327	  The following are example string representations of RDNs [LDAPDN]:
328	      UID=12345
329	      OU=Engineering
330	      CN=Kurt Zeilenga+L=Redwood Shores

332	  The last is an example of a multi-valued RDN.  That is, an RDN
333	  composed of multiple AVAs.

335	2.2.2. Distinguished Names

337	  An entry's fully qualified name, known as its Distinguished Name (DN)
338	  [X.501], is the concatenation of its RDN and its immediate superior's
339	  DN.  A Distinguished Name unambiguously refers to an entry in the
340	  tree.  The following are example string representations of DNs
341	  [LDAPDN]:

343	      UID=nobody@example.com,DC=example,DC=com
344	      CN=John Smith,OU=Sales,O=ACME Limited,L=Moab,ST=Utah,C=US

346	2.2.3. Alias Names

348	  An alias, or alias name, is "an name for an object, provided by the
349	  use of alias entries" [X.501].  Alias entries are described in Section
350	  2.6.

352	2.3. Structure of an Entry

354	  An entry consists of a set of attributes which hold information about
355	  the object which entry represents.  Some attributes represent user
356	  information and are called user attributes.  Other attributes
357	  represent operational and/or administrative information and are called
358	  operational attributes.

360	  An attribute is an attribute description (a type and zero or more
361	  options) with one or more associated values.  An attribute is often
362	  referred to by its attribute description.  For example, the
363	  'givenName' attribute is the attribute which consists of the attribute
364	  description 'givenName' (the 'givenName' attribute type [Schema] and
365	  zero options) and one or more associated values.

367	  The attribute type governs whether the attribute can have multiple
368	  values, the syntax and matching rules used to construct and compare
369	  values of that attribute, and other functions.  Options indicate
370	  subtypes and other functions.  No two values of an attribute may be
371	  equivalent.

373	  Two values are considered equivalent if they would match according to
374	  the equality matching rule of the attribute type.  If the attribute
375	  type is defined with no equality matching rule, two values are
376	  equivalent if and only if they are identical.

378	  For example, the 'givenName' attribute can have can have more than one
379	  value, they must be Directory Strings, and they are case insensitive.
380	  The 'givenName' attribute cannot hold both "John" and "JOHN" as these
381	  are equivalent values per the equality matching rule of the attribute
382	  type.

384	2.4. Object Classes

386	  An object class is "an identified family of objects (or conceivable
387	  objects) which share certain characteristics" [X.501].

389	  As defined in [X.501]:

391	      Object classes are used in the Directory for a number of purposes:

393	        - describing and categorising objects and the entries that
394	          correspond to these objects;

396	        - where appropriate, controlling the operation of the Directory;

398	        - regulating, in conjunction with DIT structure rule
399	          specifications, the position of entries in the DIT;

401	        - regulating, in conjunction with DIT content rule
402	          specifications, the attributes that are contained in entries;

404	        - identifying classes of entry that are to be associated with a
405	          particular policy by the appropriate administrative authority.

407	      An object class (a subclass) may be derived from an object class
408	      (its direct superclass) which is itself derived from an even more
409	      generic object class.  For structural object classes, this process
410	      stops at the most generic object class, 'top' (defined in Section
411	      2.4.1).  An ordered set of superclasses up to the most superior
412	      object class of an object class is its superclass chain.

414	      An object class may be derived from two or more direct
415	      superclasses (superclasses not part of the same superclass chain).
416	      This feature of subclassing is termed multiple inheritance.

418	  Each object class identifies the set of attributes required to be
419	  present in entries belonging to the class and the set of attributes
420	  allowed to be present in entries belonging to the class.  As an entry
421	  of a class must meet the requirements of each class it belongs to, it
422	  can be said that an object class inherits the sets of allowed and
423	  required attributes from its superclasses.  A subclass can identify an
424	  attribute allowed by its superclass as being required.  If an
425	  attribute is a member of both sets, it is required to be present.

427	  Each object class is defined to be one of three kinds of object
428	  classes: Abstract, Structural, or Auxiliary.

430	  Each object class is identified by an object identifier (OID) and,
431	  optionally, one or more short names (descriptors).

433	2.4.1. Abstract Object Classes

435	  An abstract object class, as the name implies, provides a base of
436	  characteristics from which other object classes can be defined to
437	  inherit from.  An entry cannot belong to an abstract object class
438	  unless it belongs to a structural or auxiliary class which inherits
439	  from that abstract class.

441	  Abstract object classes can not derive from structural nor auxiliary
442	  object classes.

444	  All structural object classes derive (directly or indirectly) from the
445	  'top' abstract object class.  Auxiliary object classes do not
446	  necessarily derive from 'top'.

448	      ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )

450	  All entries belong to the 'top' abstract object class.

452	2.4.2. Structural Object Classes

454	  As stated in [X.501]:

456	      An object class defined for use in the structural specification of
457	      the DIT is termed a structural object class.  Structural object
458	      classes are used in the definition of the structure of the names
459	      of the objects for compliant entries.

461	      An object or alias entry is characterised by precisely one
462	      structural object class superclass chain which has a single
463	      structural object class as the most subordinate object class.
464	      This structural object class is referred to as the structural
465	      object class of the entry.

467	      Structural object classes are related to associated entries:

469	        - an entry conforming to a structural object class shall
470	          represent the real-world object constrained by the object
471	          class;

473	        - DIT structure rules only refer to structural object classes;
474	          the structural object class of an entry is used to specify the
475	          position of the entry in the DIT;

477	        - the structural object class of an entry is used, along with an
478	          associated DIT content rule, to control the content of an
479	          entry.

481	        The structural object class of an entry shall not be changed.

483	  Each structural object class is a (direct or indirect) subclass of the
484	  'top' abstract object class.

486	  Structural object classes cannot subclass auxiliary object classes.

488	  Each entry is said to belong to its structural object class as well as
489	  all classes in its structural object class's superclass chain, which
490	  always includes 'top'.

492	2.4.3. Auxiliary Object Classes

494	  Auxiliary object classes are used augment the characteristics of
495	  entries.  They are commonly used to augment the sets of attributes
496	  required and allowed attributes to be present in an entry.  They can
497	  be used to describe entries or classes of entries.

499	  Auxiliary object classes cannot subclass structural object classes.

501	  An entry can belong to any subset of the set of auxiliary object
502	  classes allowed by the DIT content rule associated with structural
503	  object class of the entry.  If no DIT content rule is associated with
504	  the structural object class of the entry, the entry cannot belong to
505	  any auxiliary object class.

507	  The set of auxiliary object classes which an entry belongs to can
508	  change over time.

510	2.5. Attribute Descriptions

512	  An attribute description is composed of an attribute type (see Section
513	  2.5.1) and a set of zero or more attribute options (see Section
514	  2.5.2).

516	  An attribute description is represented by the ABNF:

518	      attributedescription = attributetype options

520	      attributetype = oid

522	      options = *( SEMI option )

524	      option = 1*keychar

526	  where <attributetype> identifies the attribute type and each <option>
527	  identifies an attribute option.  Both <attributetype> and <option>
528	  productions are case insensitive.  The order in which <option>s appear
529	  is irrelevant.  That is, any two <attributedescription>s which consist
530	  of the same <attributetype> and same set of <option>s are equivalent.

532	  Examples of valid attribute descriptions:

534	      2.5.4.0
535	      cn;lang-de;lang-en
536	      owner

538	  An attribute description which consisting of an unrecognized attribute
539	  type is to be treated as unrecognized.  Servers SHALL treat an
540	  attribute description with an unrecognized attribute option as
541	  unrecognized.  Clients MAY treat an unrecognized attribute option as a
542	  tagging option (see Section 2.5.2.1).

544	  All attributes of an entry must have distinct attribute descriptions.

546	2.5.1. Attribute Types

548	  An attribute type governs whether the attribute can have multiple
549	  values, the syntax and matching rules used to construct and compare
550	  values of that attribute, and other functions.

552	  The attribute type indicates whether the attribute is a user attribute
553	  or an operational attribute.  If operational, the attribute type
554	  indicates the operational usage and whether the attribute can
555	  modifiable by users or not.  Operational attributes discussed in
556	  Section 3.4.

558	  An attribute type (a subtype) may derive from another attribute type
559	  (a direct supertype).   The subtype inherits the matching rules and
560	  syntax of its supertype.  An attribute type cannot be a subtype of an
561	  attribute of different usage.

563	  An attribute description consisting of a subtype and no options is
564	  said to the direct description subtype of the attribute description
565	  consisting of the subtype's direct supertype and no options.

567	  Each attribute type is identified by an object identifier (OID) and,
568	  optionally, one or more short names (descriptors).

570	2.5.2. Attribute Options

572	  There are multiple kinds of attribute description options.  The LDAP
573	  technical specification details one kind: tagging options.

575	  Not all options can be associated with attributes held in the
576	  directory.  Tagging options can be.

578	  Not all options can be used in conjunction with all attribute types.
579	  In such cases, the attribute description is to be treated as
580	  unrecognized.

582	  An attribute description that contains mutually exclusive options
583	  shall be treated as unrecognized.  That is, "cn;x-bar;x-foo", where
584	  "x-foo" and "x-bar" are mutually exclusive, is to be treated as
585	  unrecognized.

587	  Other kinds of options may be specified in future documents.  These
588	  documents must detail how new kinds of options they define relate to
589	  tagging options.  In particular, these documents must detail whether
590	  or not new kinds of options can be associated with attributes held in
591	  the directory, how new kinds of options affect transfer of attribute
592	  values, and how new kinds of options are treated in attribute
593	  description hierarchies.

595	  Options are represented as short case insensitive textual strings
596	  conforming to the <option> production defined in Section 2.5 of this
597	  document.

599	  Procedures for registering options are detailed in BCP 64 [BCP64bis].

601	2.5.2.1. Tagging Options

603	  Attributes held in the directory can have attribute descriptions with
604	  any number of tagging options.  Tagging options are never mutually
605	  exclusive.

607	  An attribute description with N tagging options is considered a direct
608	  (description) subtype of all attribute descriptions of the same
609	  attribute type and all but one of the N options.  If the attribute
610	  type has a supertype, then the attribute description is also
611	  considered a direct (description) subtype of the attribute description
612	  of the supertype and the N tagging options.  That is,
613	  'cn;lang-de;lang-en' is considered a direct subtype of 'cn;lang-de',
614	  'cn;lang-en', and 'name;lang-de;lang-en' ('cn' is a subtype of 'name',
615	  both are defined in [Schema]).

617	2.5.3. Attribute Description Hierarchies

619	  An attribute description can be the direct subtype of zero or more
620	  other attribute descriptions as indicated by attribute type subtyping
621	  (as described in Section 2.5.1) or attribute tagging option subtyping
622	  (as described in Section 2.5.2.1).  These subtyping relationships are
623	  used to form hierarchies of attribute descriptions and attributes.

625	  As adapted from [X.501]:

627	      Attribute hierarchies allow access to the DIB with varying degrees
628	      of granularity.  This is achieved by allowing the value components
629	      of attributes to be accessed by using either their specific
630	      attribute description (a direct reference to the attribute) or by
631	      a more generic attribute description (an indirect reference).

633	      Semantically related attributes may be placed in a hierarchical
634	      relationship, the more specialized being placed subordinate to the
635	      more generalized.  Searching for, or retrieving attributes and
636	      their values is made easier by quoting the more generalized
637	      attribute description; a filter item so specified is evaluated for
638	      the more specialized descriptions as well as for the quoted
639	      description.

641	      Where subordinate specialized descriptions are selected to be
642	      returned as part of a search result these descriptions shall be
643	      returned if available.  Where the more general descriptions are
644	      selected to be returned as part of a search result both the
645	      general and the specialized descriptions shall be returned, if
646	      available.  An attribute value shall always be returned as a value
647	      of its own attribute description.

649	      All of the attribute descriptions in an attribute hierarchy are
650	      treated as distinct and unrelated descriptions for user
651	      modification of entry content.

653	      An attribute value stored in a object or alias entry is of
654	      precisely one attribute description.  The description is indicated
655	      when the value is originally added to the entry.

657	  For the purpose of subschema administration of the entry, a required
658	  attribute specification is fulfilled if the entry contains a value of
659	  an attribute description belonging to an attribute hierarchy if the
660	  attribute type of that description is the same as the required
661	  attribute's type.  That is, a "MUST name" specification is fulfilled
662	  by 'name' or 'name;x-tag-option', but is not fulfilled by 'CN' nor by
663	  'CN;x-tag-option'.  Likewise, an entry may contain a value of an
664	  attribute description belonging to an attribute hierarchy if the
665	  attribute type of that description is either explicitly included in
666	  the definition of an object class to which the entry belongs or
667	  allowed by the DIT content rule applicable to that entry.  That is,
668	  'name' and 'name;x-tag-option' are allowed by "MAY name" (or by "MUST
669	  name"), but 'CN' and 'CN;x-tag-option' are not allowed by "MAY name"
670	  (nor by "MUST name").

672	  For the purposes of other policy administration, unless stated
673	  otherwise in the specification of the particular administrative model,
674	  all of the attribute descriptions in an attribute hierarchy are
675	  treated as distinct and unrelated descriptions.

677	2.5.4. Attribute Values

679	  Attribute values conform to the defined syntax of the attribute.

681	  When an attribute is used for naming of the entry, one and only one
682	  value of the attribute is selected to appear in the Relative
683	  Distinguished Name.  This value is known as a distinguished value.

685	  Only attributes whose descriptions have no options can be used for
686	  naming.

688	2.6. Alias Entries

690	  As adapted from [X.501]:

692	      An alias, or an alias name, for an object is a an alternative name
693	      for an object or object entry which is provided by the use of
694	      alias entries.

696	      Each alias entry contains, within the 'aliasedObjectName'
697	      attribute (known as the 'aliasedEntryName' attribute in X.500]), a
698	      name of some object.  The distinguished name of the alias entry is
699	      thus also a name for this object.

701	          NOTE - The name within the 'aliasedObjectName' is said to be
702	                 pointed to by the alias.  It does not have to be the
703	                 distinguished name of any entry.

705	      The conversion of an alias name to an object name is termed
706	      (alias) dereferencing and comprises the systematic replacement of
707	      alias names, where found within a purported name, by the value of
708	      the corresponding 'aliasedObjectName' attribute.  The process may
709	      require the examination of more than one alias entry.

711	      Any particular entry in the DIT may have zero or more alias names.
712	      It therefore follows that several alias entries may point to the
713	      same entry.  An alias entry may point to an entry that is not a
714	      leaf entry and may point to another alias entry.

716	      An alias entry shall have no subordinates, so that an alias entry
717	      is always a leaf entry.

719	      Every alias entry shall belong to the 'alias' object class.

721	  An entry with the 'alias' object class must also belong to an object
722	  class (or classes), or be governed by a DIT content rule, which allows
723	  suitable naming attributes to be present.

725	  Example:
726	      dn: cn=bar,dc=example,dc=com
727	      objectClass: top
728	      objectClass: alias
729	      objectClass: extensibleObject
730	      cn: bar
731	      aliasedObjectName: cn=foo,dc=example,dc=com

733	2.6.1. 'alias' object class

735	  Alias entries belong to the 'alias' object class.

737	     ( 2.5.6.1 NAME 'alias'
738	       SUP top STRUCTURAL
739	       MUST aliasedObjectName )

741	2.6.2. 'aliasedObjectName' attribute type

743	  The 'aliasedObjectName' attribute holds the name of the entry an alias
744	  points to.  The 'aliasedObjectName' attribute is known as the
745	  'aliasedEntryName' attribute in X.500.

747	      ( 2.5.4.1 NAME 'aliasedObjectName'
748	        EQUALITY distinguishedNameMatch
749	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
750	        SINGLE-VALUE )

752	  The 'distinguishedNameMatch' matching rule and the DistinguishedName
753	  (1.3.6.1.4.1.1466.115.121.1.12) syntax is defined in [Syntaxes].

755	3. Directory Administrative and Operational Information

757	  This section discusses select aspects of the X.500 Directory
758	  Administrative and Operational Information model [X.501].  LDAP
759	  implementations MAY support other aspects of this model.

761	3.1. Subtrees

763	  As defined in [X.501]:

765	      A subtree is a collection of object and alias entries situated at
766	      the vertices of a tree.  Subtrees do not contain subentries.  The
767	      prefix sub, in subtree, emphasizes that the base (or root) vertex
768	      of this tree is usually subordinate to the root of the DIT.

770	      A subtree begins at some vertex and extends to some identifiable
771	      lower boundary, possibly extending to leaves.  A subtree is always
772	      defined within a context which implicitly bounds the subtree.  For
773	      example, the vertex and lower boundaries of a subtree defining a
774	      replicated area are bounded by a naming context.  Similarly, the
775	      scope of a subtree defining a specific administrative area is
776	      limited to the context of an enclosing autonomous administrative
777	      area.

779	3.2. Subentries

781	  A subentry is a "special sort of entry, known by the Directory, used
782	  to hold information associated with a subtree or subtree refinement"
783	  [X.501].  Subentries are used in Directory to hold for administrative
784	  and operational purposes as defined in [X.501].  Their use in LDAP is
785	  not detailed in this technical specification, but may be detailed in
786	  future documents.

788	  The term "(sub)entry" in this specification indicates that servers
789	  implementing X.500(93) models are, in accordance with X.500(93), to
790	  use a subentry and that other servers are to use an object entry
791	  belonging to the appropriate auxiliary class normally used with the
792	  subentry (e.g., 'subschema' for subschema subentries) to mimic the
793	  subentry.  This object entry's RDN SHALL be formed from a value of the
794	  'cn' (commonName) attribute [Schema].

796	3.3. The 'objectClass' attribute

798	  Each entry in the DIT has an 'objectClass' attribute.

800	      ( 2.5.4.0 NAME 'objectClass'
801	        EQUALITY objectIdentifierMatch
802	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

804	  The 'objectIdentifierMatch' matching rule and OBJECT IDENTIFIER
805	  (1.3.6.1.4.1.1466.115.121.1.38) syntax is defined in [Syntaxes].

807	  The 'objectClass' attribute specifies the object classes of an entry,
808	  which (among other things) is used in conjunction with user and system
809	  schema to determine the permitted attributes of an entry.  Values of
810	  this attribute can be modified by clients, but the 'objectClass'
811	  attribute cannot be removed.

813	  Servers which follow X.500(93) models SHALL restrict modifications of
814	  this attribute to prevent the basic structural class of the entry from
815	  being changed.  That is, one cannot change a 'person' into a
816	  'country'.

818	  When creating an entry or adding an 'objectClass' value to an entry,
819	  all superclasses of the named classes SHALL be implicitly added as
820	  well if not already present.  That is, if the auxiliary class 'x-a' is
821	  a subclass of the class 'x-b', adding 'x-a' to 'objectClass' causes
822	  'x-b' to be implicitly added (if is not already present).

824	  Servers SHALL restrict modifications of this attribute to prevent a
825	  superclasses of remaining 'objectClass' values from being deleted.
826	  That is, if the auxiliary class 'x-a' is a subclass of the auxiliary
827	  class 'x-b' and the 'objectClass' attribute contains 'x-a' and 'x-b',
828	  an attempt to delete only 'x-b' from the 'objectClass' attribute is an
829	  error.

831	3.4. Operational attributes

833	  Some attributes, termed operational attributes, are used or maintained
834	  by servers for administrative and operational purposes.  As stated in
835	  [X.501]: "There are three varieties of operational attributes:
836	  Directory operational attributes, DSA-shared operational attributes,
837	  and DSA-specific operational attributes."
838	  A directory operational attribute is used to represent operational
839	  and/or administrative information in the Directory Information Model.
840	  This includes operational attributes maintained by the server (e.g.
841	  'createTimestamp') as well as operational attributes which hold values
842	  administrated by the user (e.g. 'ditContentRules').

844	  A DSA-shared operational attribute is used to represent information of
845	  the DSA Information Model.  Its values, if shared between DSAs
846	  (servers) are identical (except during periods of transient
847	  inconsistency).

849	  A DSA-specific operational attribute is used to represent information
850	  of the DSA Information Model.  Its values, if shared between DSAs
851	  (servers), need not be identical.

853	  The DSA Information Model operational attributes are detailed in
854	  [X.501].

856	  Operational attributes are not normally visible.  They are not
857	  returned in search results unless explicitly requested by name.

859	  Not all operational attributes are user modifiable.

861	  Entries may contain, among others, the following operational
862	  attributes.

864	    - creatorsName: the Distinguished Name of the user who added this
865	      entry to the directory.

867	    - createTimestamp: the time this entry was added to the directory.

869	    - modifiersName: the Distinguished Name of the user who last
870	      modified this entry.

872	    - modifyTimestamp: the time this entry was last modified.

874	  Servers SHOULD maintain the 'creatorsName', 'createTimestamp',
875	  'modifiersName', and 'modifyTimestamp' for all entries of the DIT.

877	3.4.1. 'creatorsName'

879	  This attribute appears in entries which were added using the protocol
880	  (e.g., using the Add operation).  The value is the distinguished name
881	  of the creator.

883	      ( 2.5.18.3 NAME 'creatorsName'
884	        EQUALITY distinguishedNameMatch
885	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
886	        SINGLE-VALUE NO-USER-MODIFICATION
887	        USAGE directoryOperation )

889	  The 'distinguishedNameMatch' matching rule and the DistinguishedName
890	  (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [Syntaxes].

892	3.4.2. 'createTimestamp'

894	  This attribute appears in entries which were added using the protocol
895	  (e.g., using the Add operation).  The value is the time the entry was
896	  added.

898	      ( 2.5.18.1 NAME 'createTimestamp'
899	        EQUALITY generalizedTimeMatch
900	        ORDERING generalizedTimeOrderingMatch
901	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
902	        SINGLE-VALUE NO-USER-MODIFICATION
903	        USAGE directoryOperation )

905	  The 'generalizedTimeMatch' and 'generalizedTimeOrderingMatch' matching
906	  rules and the GeneralizedTime (1.3.6.1.4.1.1466.115.121.1.24) syntax
907	  are defined in [Syntaxes].

909	3.4.3. 'modifiersName'

911	  This attribute appears in entries which have been modified using the
912	  protocol (e.g., using Modify operation).  The value is the
913	  distinguished name of the last modifier.

915	      ( 2.5.18.4 NAME 'modifiersName'
916	        EQUALITY distinguishedNameMatch
917	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
918	        SINGLE-VALUE NO-USER-MODIFICATION
919	        USAGE directoryOperation )

921	  The 'distinguishedNameMatch' matching rule and the DistinguishedName
922	  (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [Syntaxes].

924	3.4.4. 'modifyTimestamp'

926	  This attribute appears in entries which have been modified using the
927	  protocol (e.g., using the Modify operation).  The value is the time
928	  the entry was last modified.

930	      ( 2.5.18.2 NAME 'modifyTimestamp'
931	        EQUALITY generalizedTimeMatch
932	        ORDERING generalizedTimeOrderingMatch
933	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
934	        SINGLE-VALUE NO-USER-MODIFICATION
935	        USAGE directoryOperation )

937	  The 'generalizedTimeMatch' and 'generalizedTimeOrderingMatch' matching
938	  rules and the GeneralizedTime (1.3.6.1.4.1.1466.115.121.1.24) syntax
939	  are defined in [Syntaxes].

941	4. Directory Schema

943	  As defined in [X.501]:

945	      The Directory Schema is a set of definitions and constraints
946	      concerning the structure of the DIT, the possible ways entries are
947	      named, the information that can be held in an entry, the
948	      attributes used to represent that information and their
949	      organization into hierarchies to facilitate search and retrieval
950	      of the information and the ways in which values of attributes may
951	      be matched in attribute value and matching rule assertions.

953	      NOTE 1 - The schema enables the Directory system to, for example:

955	      - prevent the creation of subordinate entries of the wrong
956	        object-class (e.g. a country as a subordinate of a person);

958	      - prevent the addition of attribute-types to an entry
959	        inappropriate to the object-class (e.g. a serial number to a
960	        person's entry);

962	      - prevent the addition of an attribute value of a syntax not
963	        matching that defined for the attribute-type (e.g. a printable
964	        string to a bit string).

966	        Formally, the Directory Schema comprises a set of:

968	      a) Name Form definitions that define primitive naming relations
969	         for structural object classes;

971	      b) DIT Structure Rule definitions that define the names that
972	         entries may have and the ways in which the entries may be
973	         related to one another in the DIT;

975	      c) DIT Content Rule definitions that extend the specification of
976	         allowable attributes for entries beyond those indicated by the
977	         structural object classes of the entries;

979	      d) Object Class definitions that define the basic set of mandatory
980	         and optional attributes that shall be present, and may be
981	         present, respectively, in an entry of a given class, and which
982	         indicate the kind of object class that is being defined;

984	      e) Attribute Type definitions that identify the object identifier
985	         by which an attribute is known, its syntax, associated matching
986	         rules, whether it is an operational attribute and if so its
987	         type, whether it is a collective attribute, whether it is
988	         permitted to have multiple values and whether or not it is
989	         derived from another attribute type;

991	      f) Matching Rule definitions that define matching rules.

993	  And in LDAP:

995	      g) LDAP Syntaxes definitions that define encodings used in LDAP.

997	4.1. Schema Definitions

999	  Schema definitions in this section are described using ABNF and rely
1000	  on the common productions specified in Section 1.2 as well as these:

1002	      noidlen = numericoid [ LCURLY len RCURLY ]

1004	      len = number

1006	      oids = oid / ( LPAREN WSP oidlist WSP RPAREN )

1008	      oidlist = oid *( WSP DOLLAR WSP oid )

1010	      extensions = *( SP xstring SP qdstrings )

1012	      xstring = X HYPHEN 1*( ALPHA / HYPHEN / USCORE )

1014	      qdescrs = qdescr / ( LPAREN WSP qdescrlist WSP RPAREN )

1016	      qdescrlist = [ qdescr *( SP qdescr ) ]

1018	      qdescr = SQUOTE descr SQUOTE

1020	      qdstrings = qdstring / ( LPAREN WSP qdstringlist WSP RPAREN )

1022	      qdstringlist = [ qdstring *( SP qdstring ) ]
1023	      qdstring = SQUOTE dstring SQUOTE

1025	      dstring = 1*( QS / QQ / QUTF8 )   ; escaped UTF8 string

1027	      QQ =  ESC %x32 %x37 ; "\27"

1029	      QS =  ESC %x35 ( %x43 / %x63 ) ; "\5C" / "\5c"

1031	      ; Any UTF-8 encoded UCS character
1032	      ; except %x27 ("'") and %x5C ("\")
1033	      QUTF8    = QUTF1 / UTFMB

1035	      ; Any ASCII character except %x27 ("'") and %x5C ("\")
1036	      QUTF1    = %x00-26 / %x28-5B / %x5D-7F

1038	  Schema definitions in this section also share a number of common
1039	  terms.

1041	  The NAME field provides a set of short names (descriptors) which are
1042	  be used as aliases for the OID.

1044	  The DESC field optionally allows a descriptive string to be provided
1045	  by the directory administrator and/or implementor.  While
1046	  specifications may suggest a descriptive string, there is no
1047	  requirement that the suggested (or any) descriptive string be used.

1049	  The OBSOLETE field, if present, indicates the element is not active.

1051	  Implementors should note that future versions of this document may
1052	  expand these definitions to include additional terms.  Terms whose
1053	  identifier begins with "X-" are reserved for private experiments, and
1054	  are followed by <SP> and <qdstrings> tokens.

1056	4.1.1. Object Class Definitions

1058	  Object Class definitions are written according to the ABNF:

1060	    ObjectClassDescription = LPAREN WSP
1061	        numericoid                 ; object identifier
1062	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1063	        [ SP "DESC" SP qdstring ]  ; description
1064	        [ SP "OBSOLETE" ]          ; not active
1065	        [ SP "SUP" SP oids ]       ; superior object classes
1066	        [ SP kind ]                ; kind of class
1067	        [ SP "MUST" SP oids ]      ; attribute types
1068	        [ SP "MAY" SP oids ]       ; attribute types
1069	        extensions WSP RPAREN

1071	    kind = "ABSTRACT" / "STRUCTURAL" / "AUXILIARY"

1073	  where:
1074	    <numericoid> is object identifier assigned to this object class;
1075	    NAME <qdescrs> are short names (descriptors) identifying this object
1076	        class;
1077	    DESC <qdstring> is a short descriptive string;
1078	    OBSOLETE indicates this object class is not active;
1079	    SUP <oids> specifies the direct superclasses of this object class;
1080	    the kind of object class is indicated by one of ABSTRACT,
1081	        STRUCTURAL, or AUXILIARY, default is STRUCTURAL;
1082	    MUST and MAY specify the sets of required and allowed attribute
1083	        types, respectively; and
1084	    <extensions> describe extensions.

1086	4.1.2. Attribute Types

1088	  Attribute Type definitions are written according to the ABNF:

1090	    AttributeTypeDescription = LPAREN WSP
1091	        numericoid                    ; object identifier
1092	        [ SP "NAME" SP qdescrs ]      ; short names (descriptors)
1093	        [ SP "DESC" SP qdstring ]     ; description
1094	        [ SP "OBSOLETE" ]             ; not active
1095	        [ SP "SUP" SP oid ]           ; supertype
1096	        [ SP "EQUALITY" SP oid ]      ; equality matching rule
1097	        [ SP "ORDERING" SP oid ]      ; ordering matching rule
1098	        [ SP "SUBSTR" SP oid ]        ; substrings matching rule
1099	        [ SP "SYNTAX" SP noidlen ]    ; value syntax
1100	        [ SP "SINGLE-VALUE" ]         ; single-value
1101	        [ SP "COLLECTIVE" ]           ; collective
1102	        [ SP "NO-USER-MODIFICATION" ] ; not user modifiable
1103	        [ SP "USAGE" SP usage ]       ; usage
1104	        extensions WSP RPAREN         ; extensions

1106	    usage = "userApplications"     /  ; user
1107	            "directoryOperation"   /  ; directory operational
1108	            "distributedOperation" /  ; DSA-shared operational
1109	            "dSAOperation"            ; DSA-specific operational

1111	  where:
1112	    <numericoid> is object identifier assigned to this attribute type;
1113	    NAME <qdescrs> are short names (descriptors) identifying this
1114	        attribute type;
1115	    DESC <qdstring> is a short descriptive string;
1116	    OBSOLETE indicates this attribute type is not active;
1117	    SUP oid specifies the direct supertype of this type;
1118	    EQUALITY, ORDERING, SUBSTRING provide the oid of the equality,
1119	        ordering, and substrings matching rules, respectively;
1120	    SYNTAX identifies value syntax by object identifier and may suggest
1121	        a minimum upper bound;
1122	    COLLECTIVE indicates this attribute type is collective [X.501];
1123	    NO-USER-MODIFICATION indicates this attribute type is not user
1124	        modifiable;
1125	    USAGE indicates the application of this attribute type; and
1126	    <extensions> describe extensions.

1128	  Each attribute type description must contain at least one of the SUP
1129	  or SYNTAX fields.

1131	  Usage of userApplications, the default, indicates that attributes of
1132	  this type represent user information.  That is, they are user
1133	  attributes.

1135	  COLLECTIVE requires usage userApplications.  Use of collective
1136	  attribute types in LDAP is not discussed in this technical
1137	  specification.

1139	  A usage of directoryOperation, distributedOperation, or dSAOperation
1140	  indicates that attributes of this type represent operational and/or
1141	  administrative information.  That is, they are operational attributes.

1143	  directoryOperation usage indicates that the attribute of this type is
1144	  a directory operational attribute.  distributedOperation usage
1145	  indicates that the attribute of this DSA-shared usage operational
1146	  attribute.  dSAOperation usage indicates that the attribute of this
1147	  type is a DSA-specific operational attribute.

1149	  NO-USER-MODIFICATION requires an operational usage.

1151	  Note that the <AttributeTypeDescription> does not list the matching
1152	  rules which can be used with that attribute type in an extensibleMatch
1153	  search filter.  This is done using the 'matchingRuleUse' attribute
1154	  described in Section 4.1.4.

1156	  This document refines the schema description of X.501 by requiring
1157	  that the SYNTAX field in an <AttributeTypeDescription> be a string
1158	  representation of an object identifier for the LDAP string syntax
1159	  definition with an optional indication of the suggested minimum bound
1160	  of a value of this attribute.

1162	  A suggested minimum upper bound on the number of characters in a value
1163	  with a string-based syntax, or the number of bytes in a value for all
1164	  other syntaxes, may be indicated by appending this bound count inside
1165	  of curly braces following the syntax's OBJECT IDENTIFIER in an
1166	  Attribute Type Description.  This bound is not part of the syntax name
1167	  itself.  For instance, "1.3.6.4.1.1466.0{64}" suggests that server
1168	  implementations should allow a string to be 64 characters long,
1169	  although they may allow longer strings.  Note that a single character
1170	  of the Directory String syntax may be encoded in more than one octet
1171	  since UTF-8 is a variable-length encoding.

1173	4.1.3. Matching Rules

1175	  Matching rules are used by servers to compare attribute values against
1176	  assertion values when performing Search and Compare operations.  They
1177	  are also used to identify the value to be added or deleted when
1178	  modifying entries, and are used when comparing a purported
1179	  distinguished name with the name of an entry.

1181	  A matching rule specifies the syntax of the assertion value.

1183	  Each matching rule is identified by an object identifier (OID) and,
1184	  optionally, one or more short names (descriptors).

1186	  Matching rule definitions are written according to the ABNF:

1188	    MatchingRuleDescription = LPAREN WSP
1189	        numericoid                 ; object identifier
1190	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1191	        [ SP "DESC" SP qdstring ]  ; description
1192	        [ SP "OBSOLETE" ]          ; not active
1193	        SP "SYNTAX" SP numericoid  ; assertion syntax
1194	        extensions WSP RPAREN      ; extensions

1196	  where:
1197	    <numericoid> is object identifier assigned to this matching rule;
1198	    NAME <qdescrs> are short names (descriptors) identifying this
1199	        matching rule;
1200	    DESC <qdstring> is a short descriptive string;
1201	    OBSOLETE indicates this matching rule is not active;
1202	    SYNTAX identifies the assertion syntax by object identifier; and
1203	    <extensions> describe extensions.

1205	4.1.4. Matching Rule Uses

1207	  A matching rule use lists the attributes which are suitable for use
1208	  with an extensibleMatch search filter.

1210	  Matching rule use descriptions are written according to the following
1211	  ABNF:

1213	    MatchingRuleUseDescription = LPAREN WSP
1214	        numericoid                 ; object identifier
1215	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1216	        [ SP "DESC" SP qdstring ]  ; description
1217	        [ SP "OBSOLETE" ]          ; not active
1218	        SP "APPLIES" SP oids       ; attribute types
1219	        extensions WSP RPAREN      ; extensions

1221	  where:
1222	    <numericoid> is the object identifier of the matching rule
1223	        associated with this matching rule use description;
1224	    NAME <qdescrs> are short names (descriptors) identifying this
1225	        matching rule use;
1226	    DESC <qdstring> is a short descriptive string;
1227	    OBSOLETE indicates this matching rule use is not active;
1228	    APPLIES provides a list of attribute types the matching rule applies
1229	        to; and
1230	    <extensions> describe extensions.

1232	4.1.5. LDAP Syntaxes

1234	  LDAP Syntaxes of (attribute and assertion) values are described in
1235	  terms of ASN.1 [X.680] and, optionally, have an octet string encoding
1236	  known as the LDAP-specific encoding.  Commonly, the LDAP-specific
1237	  encoding is constrained to string of Universal Character Set (UCS)
1238	  [ISO10646] characters in UTF-8 [UTF-8] form.

1240	  Each LDAP syntax is identified by an object identifier (OID).

1242	  LDAP syntax definitions are written according to the ABNF:

1244	    SyntaxDescription = LPAREN WSP
1245	        numericoid                 ; object identifier
1246	        [ SP "DESC" SP qdstring ]  ; description
1247	        extensions WSP RPAREN      ; extensions

1249	  where:
1250	    <numericoid> is object identifier assigned to this LDAP syntax;
1251	    DESC <qdstring> is a short descriptive string; and
1252	    <extensions> describe extensions.

1254	4.1.6. DIT Content Rules

1256	  A DIT content rule is a "rule governing the content of entries of a
1257	  particular structural object class" [X.501].

1259	  For DIT entries of a particular structural object class, a DIT content
1260	  rule specifies which auxiliary object classes the entries are allowed
1261	  to belong to and which additional attributes (by type) are required,
1262	  allowed or not allowed to appear in the entries.

1264	  The list of precluded attributes cannot include any attribute listed
1265	  as mandatory in rule, the structural object class, or any of the
1266	  allowed auxiliary object classes.

1268	  Each content rule is identified by the object identifier, as well as
1269	  any short names (descriptors), of the structural object class it
1270	  applies to.

1272	  An entry may only belong to auxiliary object classes listed in the
1273	  governing content rule.

1275	  An entry must contain all attributes required by the object classes
1276	  the entry belongs to as well as all attributed required by the
1277	  governing content rule.

1279	  An entry may contain any non-precluded attributes allowed by the
1280	  object classes the entry belongs to as well as all attributes allowed
1281	  by the governing content rule.

1283	  An entry cannot include any attribute precluded by the governing
1284	  content rule.

1286	  An entry is governed by (if present and active in the subschema) the
1287	  DIT content rule which applies to the structural object class of the
1288	  entry (see Section 2.4.2).  If no active rule is present for the
1289	  entry's structural object class, the entry's content is governed by
1290	  the structural object class (and possibly other aspects of user and
1291	  system schema).

1293	  DIT content rule descriptions are written according to the ABNF:

1295	    DITContentRuleDescription = LPAREN WSP
1296	        numericoid                 ; object identifier
1297	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1298	        [ SP "DESC" SP qdstring ]  ; description
1299	        [ SP "OBSOLETE" ]          ; not active
1300	        [ SP "AUX" SP oids ]       ; auxiliary object classes
1301	        [ SP "MUST" SP oids ]      ; attribute types
1302	        [ SP "MAY" SP oids ]       ; attribute types
1303	        [ SP "NOT" SP oids ]       ; attribute types
1304	        extensions WSP RPAREN      ; extensions

1306	  where:

1308	    <numericoid> is the object identifier of the structural object class
1309	        associated with this DIT content rule;
1310	    NAME <qdescrs> are short names (descriptors) identifying this DIT
1311	        content rule;
1312	    DESC <qdstring> is a short descriptive string;
1313	    OBSOLETE indicates this DIT content rule use is not active;
1314	    AUX specifies a list of auxiliary object classes which entries
1315	        subject to this DIT content rule may belong to;
1316	    MUST, MAY, and NOT specify lists of attribute types which are
1317	        required, allowed, or precluded, respectively, from appearing in
1318	        entries subject to this DIT content rule; and
1319	    <extensions> describe extensions.

1321	4.1.7. DIT Structure Rules and Name Forms

1323	  It is sometimes desirable to regulate where object entries can be
1324	  placed in the DIT and how they can be named based upon their
1325	  structural object class.

1327	4.1.7.1. DIT Structure Rules

1329	  A DIT structure rule is a "rule governing the structure of the DIT by
1330	  specifying a permitted superior to subordinate entry relationship.  A
1331	  structure rule relates a name form, and therefore a structural object
1332	  class, to superior structure rules.  This permits entries of the
1333	  structural object class identified by the name form to exist in the
1334	  DIT as subordinates to entries governed by the indicated superior
1335	  structure rules" [X.501].

1337	  DIT structure rule descriptions are written according to the ABNF:

1339	    DITStructureRuleDescription = LPAREN WSP
1340	        ruleid                     ; rule identifier
1341	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1342	        [ SP "DESC" SP qdstring ]  ; description
1343	        [ SP "OBSOLETE" ]          ; not active
1344	        SP "FORM" SP oid           ; NameForm
1345	        [ SP "SUP" ruleids ]       ; superior rules
1346	        extensions WSP RPAREN      ; extensions

1348	    ruleids = ruleid / ( LPAREN WSP ruleidlist WSP RPAREN )

1350	    ruleidlist = ruleid *( SP ruleid )

1352	    ruleid = number

1354	  where:
1355	    <ruleid> is the rule identifier of this DIT structure rule;
1356	    NAME <qdescrs> are short names (descriptors) identifying this DIT
1357	        structure rule;
1358	    DESC <qdstring> is a short descriptive string;
1359	    OBSOLETE indicates this DIT structure rule use is not active;
1360	    FORM is specifies the name form associated with this DIT structure
1361	        rule;
1362	    SUP identifies superior rules (by rule id); and
1363	    <extensions> describe extensions.

1365	  If no superior rules are identified, the DIT structure rule applies
1366	  to an autonomous administrative point (e.g. the root vertex of the
1367	  subtree controlled by the subschema) [X.501].

1369	4.1.7.2. Name Forms

1371	  A name form "specifies a permissible RDN for entries of a particular
1372	  structural object class.  A name form identifies a named object
1373	  class and one or more attribute types to be used for naming (i.e.
1374	  for the RDN).  Name forms are primitive pieces of specification
1375	  used in the definition of DIT structure rules" [X.501].

1377	  Each name form indicates the structural object class to be named,
1378	  a set of required attribute types, and a set of allowed attributes
1379	  types.  A particular attribute type cannot be listed in both sets.

1381	  Entries governed by the form must be named using a value from each
1382	  required attribute type and zero or more values from the allowed
1383	  attribute types.

1385	  Each name form is identified by an object identifier (OID) and,
1386	  optionally, one or more short names (descriptors).

1388	  Name form descriptions are written according to the ABNF:

1390	    NameFormDescription = LPAREN WSP
1391	        numericoid                 ; object identifier
1392	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1393	        [ SP "DESC" SP qdstring ]  ; description
1394	        [ SP "OBSOLETE" ]          ; not active
1395	        SP "OC" SP oid             ; structural object class
1396	        SP "MUST" SP oids          ; attribute types
1397	        [ SP "MAY" SP oids ]       ; attribute types
1398	        extensions WSP RPAREN      ; extensions

1400	  where:

1402	    <numericoid> is object identifier which identifies this name form;
1403	    NAME <qdescrs> are short names (descriptors) identifying this name
1404	        form;
1405	    DESC <qdstring> is a short descriptive string;
1406	    OBSOLETE indicates this name form is not active;
1407	    OC identifies the structural object class this rule applies to,
1408	    MUST and MAY specify the sets of required and allowed, respectively,
1409	        naming attributes for this name form; and
1410	    <extensions> describe extensions.

1412	  All attribute types in the required ("MUST") and allowed ("MAY") lists
1413	  shall be different.

1415	4.2. Subschema Subentries

1417	  Subschema (sub)entries are used for administering information about
1418	  the directory schema.  A single subschema (sub)entry contains all
1419	  schema definitions (see Section 4.1) used by entries in a particular
1420	  part of the directory tree.

1422	  Servers which follow X.500(93) models SHOULD implement subschema using
1423	  the X.500 subschema mechanisms (as detailed in Section 12 of [X.501]),
1424	  and so these are not ordinary object entries but subentries (see
1425	  Section 3.2).  LDAP clients SHOULD NOT assume that servers implement
1426	  any of the other aspects of X.500 subschema.

1428	  Servers MAY allow subschema modification.  Procedures for subschema
1429	  modification are discussed in Section 14.5 of [X.501].

1431	  A server which masters entries and permits clients to modify these
1432	  entries SHALL implement and provide access to these subschema
1433	  (sub)entries including providing a 'subschemaSubentry' attribute in
1434	  each modifiable entry.  This so clients may discover the attributes
1435	  and object classes which are permitted to be present.  It is strongly
1436	  RECOMMENDED that all other servers implement this as well.

1438	  The value of the 'subschemaSubentry' attribute is the name of the
1439	  subschema (sub)entry holding the subschema controlling the entry.

1441	      ( 2.5.18.10 NAME 'subschemaSubentry'
1442	        EQUALITY distinguishedNameMatch
1443	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
1444	        NO-USER-MODIFICATION SINGLE-VALUE
1445	        USAGE directoryOperation )

1447	  The 'distinguishedNameMatch' matching rule and the DistinguishedName
1448	  (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [Syntaxes].

1450	  Subschema is held in (sub)entries belonging to the subschema auxiliary
1451	  object class.

1453	      ( 2.5.20.1 NAME 'subschema' AUXILIARY
1454	        MAY ( dITStructureRules $ nameForms $ ditContentRules $
1455	          objectClasses $ attributeTypes $ matchingRules $
1456	          matchingRuleUse ) )

1458	  The 'ldapSyntaxes' operational attribute may also be present in
1459	  subschema entries.

1461	  Servers MAY provide additional attributes (described in other
1462	  documents) in subschema (sub)entries.

1464	  Servers SHOULD provide the attributes 'createTimestamp' and
1465	  'modifyTimestamp' in subschema (sub)entries, in order to allow clients
1466	  to maintain their caches of schema information.

1468	  The following subsections provide attribute type definitions for each
1469	  of schema definition attribute types.

1471	4.2.1. 'objectClasses'

1473	  This attribute holds definitions of object classes.

1475	      ( 2.5.21.6 NAME 'objectClasses'
1476	        EQUALITY objectIdentifierFirstComponentMatch
1477	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.37
1478	        USAGE directoryOperation )

1480	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1481	  ObjectClassDescription (1.3.6.1.4.1.1466.115.121.1.37) syntax are
1482	  defined in [Syntaxes].

1484	4.2.2. 'attributeTypes'

1486	  This attribute holds definitions of attribute types.

1488	      ( 2.5.21.5 NAME 'attributeTypes'
1489	        EQUALITY objectIdentifierFirstComponentMatch
1490	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.3
1491	        USAGE directoryOperation )

1493	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1494	  AttributeTypeDescription (1.3.6.1.4.1.1466.115.121.1.3) syntax are
1495	  defined in [Syntaxes].

1497	4.2.3. 'matchingRules'

1499	  This attribute holds definitions of matching rules.

1501	      ( 2.5.21.4 NAME 'matchingRules'
1502	        EQUALITY objectIdentifierFirstComponentMatch
1503	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.30
1504	        USAGE directoryOperation )

1506	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1507	  MatchingRuleDescription (1.3.6.1.4.1.1466.115.121.1.30) syntax are
1508	  defined in [Syntaxes].

1510	4.2.4 'matchingRuleUse'

1512	  This attribute holds definitions of matching rule uses.

1514	      ( 2.5.21.8 NAME 'matchingRuleUse'
1515	        EQUALITY objectIdentifierFirstComponentMatch
1516	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.31
1517	        USAGE directoryOperation )

1519	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1520	  MatchingRuleUseDescription (1.3.6.1.4.1.1466.115.121.1.31) syntax are
1521	  defined in [Syntaxes].

1523	4.2.5. 'ldapSyntaxes'

1525	  This attribute holds definitions of LDAP syntaxes.

1527	      ( 1.3.6.1.4.1.1466.101.120.16 NAME 'ldapSyntaxes'
1528	        EQUALITY objectIdentifierFirstComponentMatch
1529	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.54
1530	        USAGE directoryOperation )

1532	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1533	  SyntaxDescription (1.3.6.1.4.1.1466.115.121.1.54) syntax are defined
1534	  in [Syntaxes].

1536	4.2.6. 'dITContentRules'

1538	  This attribute lists DIT Content Rules which are in force.

1540	      ( 2.5.21.2 NAME 'dITContentRules'
1541	        EQUALITY objectIdentifierFirstComponentMatch
1542	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.16
1543	        USAGE directoryOperation )

1545	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1546	  DITContentRuleDescription (1.3.6.1.4.1.1466.115.121.1.16) syntax are
1547	  defined in [Syntaxes].

1549	4.2.7. 'dITStructureRules'

1551	  This attribute lists DIT Structure Rules which are in force.

1553	      ( 2.5.21.1 NAME 'dITStructureRules'
1554	        EQUALITY integerFirstComponentMatch
1555	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.17
1556	        USAGE directoryOperation )

1558	  The 'integerFirstComponentMatch' matching rule and the
1559	  DITStructureRuleDescription (1.3.6.1.4.1.1466.115.121.1.17) syntax are
1560	  defined in [Syntaxes].

1562	4.2.8 'nameForms'

1564	  This attribute lists Name Forms which are in force.

1566	      ( 2.5.21.7 NAME 'nameForms'
1567	        EQUALITY objectIdentifierFirstComponentMatch
1568	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.35
1569	        USAGE directoryOperation )

1571	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1572	  NameFormDescription (1.3.6.1.4.1.1466.115.121.1.35) syntax are defined
1573	  in [Syntaxes].

1575	4.3. 'extensibleObject' object class

1577	  The 'extensibleObject auxiliary object class allows entries belong to
1578	  it to hold any attribute type.  The set of allowed attributes of this
1579	  class is implicitly the set of all user attributes.

1581	      ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject'
1582	        SUP top AUXILIARY )

1584	  The mandatory attributes of the other object classes of this entry are
1585	  still required to be present and any precluded attributes are still
1586	  not allowed to be present.

1588	  Note that not all servers will implement this object class, and those
1589	  which do not will reject requests to add entries which contain this
1590	  object class, or modify an entry to add this object class.

1592	4.4. Subschema Discovery

1594	  To discover the DN of the subschema (sub)entry holding the subschema
1595	  controlling a particular entry, a client reads that entry's
1596	  'subschemaSubentry' operational attribute.  To read schema attributes
1597	  from the subschema (sub)entry, clients MUST issue a base object search
1598	  where the filter is "(objectClass=subschema)" [Filters] and the list
1599	  of attributes includes the names of the desired schema attributes (as
1600	  they are operational).  This filter allows LDAP servers which gateway
1601	  to X.500 to detect that subentry information is being requested.

1603	  Clients SHOULD NOT assume a published subschema is complete nor assume
1604	  the server supports all of the schema elements it publishes nor assume
1605	  the server does not support an unpublished element.

1607	5. DSA (Server) Informational Model

1609	  The LDAP protocol assumes there are one or more servers which jointly
1610	  provide access to a Directory Information Tree (DIT).

1612	  As defined in [X.501]:

1614	      context prefix: The sequence of RDNs leading from the Root of the
1615	          DIT to the initial vertex of a naming context; corresponds to
1616	          the distinguished name of that vertex.

1618	      DIB fragment: The portion of the DIB that is held by one master
1619	          DSA, comprising one or more naming contexts.

1621	      naming context: A subtree of entries held in a single master DSA.

1623	  That is, a naming context is the largest collection of entries,
1624	  starting at an entry that is mastered by a particular server, and
1625	  including all its subordinates and their subordinates, down to the
1626	  entries which are mastered by different servers.  The context prefix
1627	  is the name of the initial entry.

1629	  The root of the DIT is a DSA-specific Entry (DSE) and not part of any
1630	  naming context (or any subtree); each server has different attribute
1631	  values in the root DSE.

1633	5.1. Server-specific Data Requirements

1635	  An LDAP server SHALL provide information about itself and other
1636	  information that is specific to each server.  This is represented as a
1637	  group of attributes located in the root DSE (DSA-Specific Entry),
1638	  which is named with the zero-length LDAPDN.  These attributes are
1639	  retrievable, subject to access control and other restrictions, if a
1640	  client performs a base object search of the root with the filter
1641	  "(objectClass=*)" [Filters] requesting the desired attributes.  It is
1642	  noted that root DSE attributes are operational, and like other
1643	  operational attributes, are not returned in search requests unless
1644	  requested by name.

1646	  The root DSE SHALL NOT be included if the client performs a subtree
1647	  search starting from the root.

1649	  Servers may allow clients to modify attributes of the root DSE where
1650	  appropriate.

1652	  The following attributes of the root DSE are defined in [Syntaxes].
1653	  Additional attributes may be defined in other documents.

1655	    - altServer: alternative servers;

1657	    - namingContexts: naming contexts;

1659	    - supportedControl: recognized LDAP controls;

1661	    - supportedExtension: recognized LDAP extended operations;

1663	    - supportedLDAPVersion: LDAP versions supported; and

1665	    - supportedSASLMechanisms: recognized Simple Authentication and
1666	      Security Layers (SASL) [SASL] mechanisms.

1668	  The values of these attributes provided may depend on session specific
1669	  and other factors.  For example, a server supporting the SASL EXTERNAL
1670	  mechanism might only list "EXTERNAL" when the client's identity has
1671	  been established by a lower level.  See [AuthMeth].

1673	  The root DSE may also include a 'subschemaSubentry' attribute.  If so,
1674	  it refers to the subschema (sub)entry holding schema controlling
1675	  attributes of the root DSE.  Client SHOULD NOT assume that the
1676	  subschema (sub)entry controlling the root DSE controls any entry held
1677	  by the server.  General subschema discovery procedures are provided in
1678	  Section 4.4.

1680	5.1.1. 'altServer'

1682	  The 'altServer' attribute lists URLs referring to alternative servers
1683	  which may be contacted when this server becomes unavailable.  If the
1684	  server does not know of any other servers which could be used this
1685	  attribute will be absent.  Clients may cache this information in case
1686	  their preferred server later becomes unavailable.

1688	      ( 1.3.6.1.4.1.1466.101.120.6 NAME 'altServer'
1689	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
1690	        USAGE dSAOperation )

1692	  The IA5String (1.3.6.1.4.1.1466.115.121.1.26) syntax is defined in
1693	  [Syntaxes].

1695	5.1.2. 'namingContexts'

1697	  The 'namingContexts' attribute lists the context prefixes of the
1698	  naming contexts the server masters or shadows (in part or in whole).
1699	  If the server is a first-level DSA [X.501], it should list (in
1700	  addition) an empty string (indicating the root of the DIT).  If the
1701	  server does not master or shadow any information (e.g. it is an LDAP
1702	  gateway to a public X.500 directory) this attribute will be absent.
1703	  If the server believes it masters or shadows the entire directory, the
1704	  attribute will have a single value, and that value will be the empty
1705	  string (indicating the root of the DIT).  This attribute allows a
1706	  client to choose suitable base objects for searching when it has
1707	  contacted a server.

1709	      ( 1.3.6.1.4.1.1466.101.120.5 NAME 'namingContexts'
1710	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
1711	        USAGE dSAOperation )

1713	  The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax is
1714	  defined in [Syntaxes].

1716	5.1.3. 'supportedControl'

1718	  The 'supportedControl' attribute lists object identifiers identifying
1719	  the request controls the server supports.  If the server does not
1720	  support any request controls, this attribute will be absent.

1722	  Object identifiers identifying response controls need not be listed.

1724	  Procedures for registering object identifiers used to discovery of
1725	  protocol mechanisms are detailed in BCP 64 [BCP64bis].

1727	      ( 1.3.6.1.4.1.1466.101.120.13 NAME 'supportedControl'
1728	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
1729	        USAGE dSAOperation )

1731	  The OBJECT IDENTIFIER (1.3.6.1.4.1.1466.115.121.1.38) syntax is
1732	  defined in [Syntaxes].

1734	5.1.4. 'supportedExtension'

1736	  The 'supportedExtension' attribute lists object identifiers
1737	  identifying the extended operations which the server supports.  If the
1738	  server does not support any extended operations, this attribute will
1739	  be absent.

1741	  An extended operation comprises a ExtendedRequest, possibly other PDUs
1742	  defined by extension, and an ExtendedResponse [Protocol].  The object
1743	  identifier assigned to the ExtendedRequest is used to identify the
1744	  extended operation.  Other object identifiers associated with the
1745	  extended operation need not be listed.

1747	  Procedures for registering object identifiers used to discovery of
1748	  protocol mechanisms are detailed in BCP 64 [BCP64bis].

1750	      ( 1.3.6.1.4.1.1466.101.120.7 NAME 'supportedExtension'
1751	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
1752	        USAGE dSAOperation )

1754	  The OBJECT IDENTIFIER (1.3.6.1.4.1.1466.115.121.1.38) syntax is
1755	  defined in [Syntaxes].

1757	5.1.5. 'supportedLDAPVersion'

1759	  The 'supportedLDAPVersion' attribute lists the versions of LDAP which
1760	  the server supports.

1762	      ( 1.3.6.1.4.1.1466.101.120.15 NAME 'supportedLDAPVersion'
1763	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
1764	        USAGE dSAOperation )

1766	  The INTEGER (1.3.6.1.4.1.1466.115.121.1.27) syntax are defined in
1767	  [Syntaxes].

1769	5.1.6. 'supportedSASLMechanisms'

1771	  The 'supportedSASLMechanisms' attribute lists the SASL mechanisms

1773	  [RFC2222] which the server recognizes.  The contents of this attribute
1774	  may depend on the current session state.  If the server does not
1775	  support any SASL mechanisms this attribute will not be present.

1777	      ( 1.3.6.1.4.1.1466.101.120.14 NAME 'supportedSASLMechanisms'
1778	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
1779	        USAGE dSAOperation )

1781	  The Directory String (1.3.6.1.4.1.1466.115.121.1.15) syntax is defined
1782	  in [Syntaxes].

1784	6. Other Considerations

1786	6.1. Preservation of User Information

1788	  Syntaxes may be defined which have specific value and/or value form
1789	  (representation) preservation requirements.  For example, a syntax
1790	  containing digitally signed data can mandate the server preserve both
1791	  the value and form of value presented to ensure signature is not
1792	  invalidated.

1794	  Where such requirements have not be explicitly stated, servers SHOULD
1795	  preserve the value of user information but MAY return the value in a
1796	  different form.  And where a server is unable (or unwilling) to
1797	  preserve the value of user information, the server SHALL ensure that
1798	  an equivalent value (per Section 2.3) is returned.

1800	6.2. Short Names

1802	  Short names, also known as descriptors, are used as more readable
1803	  aliases for object identifiers and are used to identify various schema
1804	  elements.  However, it is not expected that LDAP implementations with
1805	  human user interface would display these short names (nor the object
1806	  identifiers they refer to) to the user, but would most likely be
1807	  performing translations (such as expressing the short name in one of
1808	  the local national languages).  For example, the short name "st"
1809	  (stateOrProvinceName) might be displayed to a German-speaking user as
1810	  "Land".

1812	  The same short name might have different meaning in different
1813	  subschemas and, within a particular subschema, the same short name
1814	  might refer to different object identifiers each identifying a
1815	  different kind of schema element.

1817	  Implementations MUST be prepared that the same short name might be
1818	  used in a subschema to refer to the different kinds of schema
1819	  elements.  That is, there might be an object class 'x-fubar' and an
1820	  attribute type 'x-fubar' in a subschema.

1822	  Implementations MUST be prepared that the same short name might be
1823	  used in the different subschemas to refer to the different schema
1824	  elements.  That is, there might be two matching rules 'x-fubar', each
1825	  in different subschemas.

1827	  Procedures for registering short names (descriptors) are detailed in
1828	  BCP 64 [BCP64bis].

1830	6.3. Cache and Shadowing

1832	  Some servers may hold cache or shadow copies of entries, which can be
1833	  used to answer search and comparison queries, but will return
1834	  referrals or contact other servers if modification operations are
1835	  requested.  Servers that perform shadowing or caching MUST ensure that
1836	  they do not violate any access control constraints placed on the data
1837	  by the originating server.

1839	7. Implementation Guidelines

1841	7.1 Server Guidelines

1843	  Servers MUST recognize all attribute types and object classes names
1844	  defined in this document but, unless stated otherwise, need not
1845	  support the associated functionality.  Servers SHOULD recognize all
1846	  the names of attribute types and object classes defined in Section 3
1847	  and 4, respectively, of [Schema].

1849	  Servers MUST ensure that entries conform to user and system schema
1850	  rules or other data model constraints.

1852	  Servers MAY support the 'extensibleObject' object class.

1854	  Servers MAY support DIT Content Rules.  Servers MAY support DIT
1855	  Structure Rules and Name Forms.

1857	  Servers MAY support alias entries.

1859	  Servers MAY support subentries.  If so, they MUST do so in accordance
1860	  with [X.501].  Servers which do not support subentries SHOULD use
1861	  object entries to mimic subentries as detailed in Section 3.2.

1863	  Servers MAY implement additional schema elements.  Servers SHOULD
1864	  provide definitions of all schema elements they support in subschema
1865	  (sub)entries.

1867	7.2 Client Guidelines

1869	  Clients MUST NOT display nor attempt to decode as ASN.1, a value if
1870	  its syntax is not known.  The implementation may attempt to discover
1871	  the subschema of the source entry, and retrieve the values of
1872	  'attributeTypes' from the subschema (sub)entry.

1874	  Clients MUST NOT assume the LDAP-specific string encoding is
1875	  restricted to a UTF-8 encoded string of UCS characters or any
1876	  particular subset of particular subset of UCS (such as a printable
1877	  subset) unless such restriction is explicitly stated.

1879	  Clients MUST NOT send attribute values in a request that are not valid
1880	  according to the syntax defined for the attributes.

1882	8. Security Considerations

1884	  Attributes of directory entries are used to provide descriptive
1885	  information about the real-world objects they represent, which can be
1886	  people, organizations or devices.  Most countries have privacy laws
1887	  regarding the publication of information about people.

1889	  General security considerations for accessing directory information
1890	  with LDAP are discussed in [Protocol] and [AuthMeth].

1892	9. IANA Considerations

1894	  It is requested that the Internet Assigned Numbers Authority (IANA)
1895	  update the LDAP descriptors registry as indicated the following
1896	  template:

1898	      Subject: Request for LDAP Descriptor Registration Update
1899	      Descriptor (short name): see comment
1900	      Object Identifier: see comment
1901	      Person & email address to contact for further information:
1902	          Kurt Zeilenga <kurt@OpenLDAP.org>
1903	      Usage: see comment
1904	      Specification: RFC XXXX
1905	      Author/Change Controller: IESG
1906	      Comments:

1908	      The following descriptors (short names) should be updated to refer
1909	      to RFC XXXX.

1911	        NAME                         Type OID
1912	        ------------------------     ---- -----------------
1913	        alias                           O 2.5.6.1
1914	        aliasedEntryName                A 2.5.4.1
1915	        aliasedObjectName               A 2.5.4.1
1916	        altServer                       A 1.3.6.1.4.1.1466.101.120.6
1917	        attributeTypes                  A 2.5.21.5
1918	        createTimestamp                 A 2.5.18.1
1919	        creatorsName                    A 2.5.18.3
1920	        dITContentRules                 A 2.5.21.2
1921	        dITStructureRules               A 2.5.21.1
1922	        extensibleObject                O 1.3.6.1.4.1.1466.101.120.111
1923	        ldapSyntaxes                    A 1.3.6.1.4.1.1466.101.120.16
1924	        matchingRuleUse                 A 2.5.21.8
1925	        matchingRules                   A 2.5.21.4
1926	        modifiersName                   A 2.5.18.4
1927	        modifyTimestamp                 A 2.5.18.2
1928	        nameForms                       A 2.5.21.7
1929	        namingContexts                  A 1.3.6.1.4.1.1466.101.120.5
1930	        objectClass                     A 2.5.4.0
1931	        objectClasses                   A 2.5.21.6
1932	        subschema                       O 2.5.20.1
1933	        subschemaSubentry               A 2.5.18.10
1934	        supportedControl                A 1.3.6.1.4.1.1466.101.120.13
1935	        supportedExtension              A 1.3.6.1.4.1.1466.101.120.7
1936	        supportedLDAPVersion            A 1.3.6.1.4.1.1466.101.120.15
1937	        supportedSASLMechanisms         A 1.3.6.1.4.1.1466.101.120.14
1938	        top                             O 2.5.6.0

1940	10. Acknowledgments

1942	  This document is based in part on RFC 2251 by M. Wahl, T.  Howes, and
1943	  S. Kille; RFC 2252 by M. Wahl, A. Coulbeck, T. Howes, S.  Kille; and
1944	  RFC 2556 by M. Wahl, all products of the IETF Access, Searching and
1945	  Indexing of Directories (ASID) Working Group.  This document is also
1946	  based in part on "The Directory: Models" [X.501], a product of the
1947	  International Telephone Union (ITU).  Additional text was borrowed
1948	  from RFC 2253 by Mark Wahl, Tim Howes, and Steve Kille.

1950	  This document is a product of the IETF LDAP Revison (LDAPBIS) Working
1951	  Group.

1953	11. Author's Address

1955	  Kurt Zeilenga
1956	  E-mail: <kurt@openldap.org>

1958	12. References

1960	12.1. Normative References

1962	  [RFC2119]     Bradner, S., "Key words for use in RFCs to Indicate
1963	                Requirement Levels", BCP 14 (also RFC 2119), March 1997.

1965	  [RFC2234]     Crocker, D. and P. Overell, "Augmented BNF for Syntax
1966	                Specifications: ABNF", RFC 2234, November 1997.

1968	  [BCP64bis]    Zeilenga, K., "IANA Considerations for LDAP", draft-
1969	                ietf-ldapbis-bcp64-xx.txt, a work in progress.

1971	  [Roadmap]     Zeilenga, K. (editor), "LDAP: Technical Specification
1972	                Road Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in
1973	                progress.

1975	  [Protocol]    Sermersheim, J. (editor), "LDAP: The Protocol",
1976	                draft-ietf-ldapbis-protocol-xx.txt, a work in progress.

1978	  [AuthMeth]    Harrison, R. (editor), "LDAP: Authentication Methods and
1979	                Connection Level Security Mechanisms",
1980	                draft-ietf-ldapbis-authmeth-xx.txt, a work in progress.

1982	  [LDAPDN]      Zeilenga, K. (editor), "LDAP: String Representation of
1983	                Distinguished Names", draft-ietf-ldapbis-dn-xx.txt, a
1984	                work in progress.

1986	  [Filters]     Smith, M. (editor), LDAPbis WG, "LDAP: String
1987	                Representation of Search Filters",
1988	                draft-ietf-ldapbis-filter-xx.txt, a work in progress.

1990	  [LDAPURL]     Smith, M. (editor), "LDAP: Uniform Resource Locator",
1991	                draft-ietf-ldapbis-url-xx.txt, a work in progress.

1993	  [SASL]        Melnikov, A. (Editor), "Simple Authentication and
1994	                Security Layer (SASL)",
1995	                draft-ietf-sasl-rfc2222bis-xx.txt, a work in progress.

1997	  [Syntaxes]    Legg, S. (editor), "LDAP: Syntaxes and Matching Rules",
1998	                draft-ietf-ldapbis-syntaxes-xx.txt, a work in progress.

2000	  [Schema]      Dally, K. (editor), "LDAP: User Schema",
2001	                draft-ietf-ldapbis-user-schema-xx.txt, a work in
2002	                progress.

2004	  [UTF-8]       Yergeau, F., "UTF-8, a transformation format of ISO
2005	                10646", draft-yergeau-rfc2279bis-xx.txt, a work in
2006	                progress.

2008	  [ISO10646]    International Organization for Standardization,
2009	                "Universal Multiple-Octet Coded Character Set (UCS) -
2010	                Architecture and Basic Multilingual Plane", ISO/IEC
2011	                10646-1 : 1993.

2013	  [ASCII]       Coded Character Set--7-bit American Standard Code for
2014	                Information Interchange, ANSI X3.4-1986.

2016	  [X.500]       International Telecommunication Union -
2017	                Telecommunication Standardization Sector, "The Directory
2018	                -- Overview of concepts, models and services,"
2019	                X.500(1993) (also ISO/IEC 9594-1:1994).

2021	  [X.501]       International Telecommunication Union -
2022	                Telecommunication Standardization Sector, "The Directory
2023	                -- Models," X.501(1993) (also ISO/IEC 9594-2:1994).

2025	  [X.680]       International Telecommunication Union -
2026	                Telecommunication Standardization Sector, "Abstract
2027	                Syntax Notation One (ASN.1) - Specification of Basic
2028	                Notation", X.680(1997) (also ISO/IEC 8824-1:1998).

2030	12.2. Informative References

2032	  None.

2034	Appendix A.  Changes

2036	  This appendix is non-normative.

2038	  This document amounts to nearly a complete rewrite of portions of RFC
2039	  2251, RFC 2252, and RFC 2256.  This rewrite was undertaken to improve
2040	  overall clarity of technical specification.  This appendix provides a
2041	  summary of substantive changes made to the portions of these documents
2042	  incorporated into this document.  Readers should consult [Roadmap],
2043	  [Protocol], [Syntaxes], and [Schema] for summaries of remaining
2044	  portions of these documents.

2046	A.1 Changes to RFC 2251

2048	  This document incorporates from RFC 2251 sections 3.2 and 3.4,
2049	  portions of Section 4 and 6 as summarized below.

2051	A.1.1 Section 3.2 of RFC 2251

2053	  Section 3.2 of RFC 2251 provided a brief introduction to the X.500
2054	  data model, as used by LDAP.  The previous specification relied on
2055	  [X.501] but lacked clarity in how X.500 models are adapted for use by
2056	  LDAP.  This document describes the X.500 data models, as used by LDAP
2057	  in greater detail, especially in areas where the models require
2058	  adaptation is needed.

2060	  Section 3.2.1 of RFC 2251 described an attribute as "a type with one
2061	  or more associated values."  In LDAP, an attribute is better described
2062	  as an attribute description, a type with zero or more options, and one
2063	  or more associated values.

2065	  Section 3.2.2 of RFC 2251 mandated that subschema subentries contain
2066	  objectClasses and attributeTypes attributes, yet X.500(93) treats
2067	  these attributes as optional.  While generally all implementations
2068	  that support X.500(93) subschema mechanisms will provide both of these
2069	  attributes, it is not absolutely required for interoperability that
2070	  all servers do.  The mandate was removed for consistency with
2071	  X.500(93).   The subschema discovery mechanism was also clarified to
2072	  indicate that subschema controlling an entry is obtained by reading
2073	  the (sub)entry referred to by that entry's 'subschemaSubentry'
2074	  attribute.

2076	A.1.2 Section 3.4 of RFC 2251

2078	  Section 3.4 of RFC 2251 provided "Server-specific Data Requirements".
2079	  This material, with changes, was incorporated in Section 5.1 of this
2080	  document.

2082	  Changes:

2084	  - Clarify that attributes of the root DSE are subject to "other
2085	    restrictions" in addition to access controls.

2087	  - Clarify that only recognized extended requests need to be enumerated
2088	    'supportedExtension'.

2090	  - Clarify that only recognized request controls need to be enumerated
2091	    'supportedControl'.

2093	  - Clarify that root DSE attributes are operational and, like other
2094	    operational attributes, will not be returned in search requests
2095	    unless requested by name.

2097	  - Clarify that not all root DSE attributes are user modifiable.

2099	  - Remove inconsistent text regarding handling of the
2100	    'subschemaSubentry' attribute within the root DSE.  The previous
2101	    specification stated that the 'subschemaSubentry' attribute held in
2102	    the root DSE referred to "subschema entries (or subentries) known by
2103	    this server."  This is inconsistent with the attribute intended use
2104	    as well as its formal definition as a single valued attribute
2105	    [X.501].  It is also noted that a simple (possibly incomplete) list
2106	    of subschema (sub)entries is not terrible useful.  This document (in
2107	    section 5.1) specifies that the 'subschemaSubentry' attribute of the
2108	    root DSE refers to the subschema controlling the root DSE.  It is
2109	    noted that the general subschema discovery mechanism remains
2110	    available (see Section 4.4 of this document).

2112	A.1.2 Section 4 of RFC 2251

2114	  Portions of Section 4 of RFC 2251 detailing aspects of the information
2115	  model used by LDAP were incorporated in this document, including:

2117	  - Restriction of distinguished values to attributes whose descriptions
2118	    have no options (from Section 4.1.3).

2120	  - Data model aspects of Attribute Types (from Section 4.1.4),
2121	    Attribute Descriptions (from 4.1.4), Attribute (from 4.1.8),
2122	    Matching Rule Identifier (from 4.1.9).

2124	  - User schema requirements (from Section 4.1.6, 4.5.1, and 4.7).

2126	A.1.3 Section 6 of RFC 2251

2128	    The Section 6.1 and the second paragraph of Section 6.2 of RFC 2251
2129	    where incorporated into this document.

2131	A.2 Changes to RFC 2252

2133	    This document incorporates Sections 4, 5 and 7 from RFC 2252.

2135	A.2.1 Section 4 of RFC 2252

2137	    The specification was updated to use Augmented BNF [RFC2234].  The
2138	    string representation of an OBJECT IDENTIFIER was tighten to
2139	    disallow leading zeros as described in RFC 2252 text.

2141	    The <descr> syntax was changed to disallow semicolon (U+003B)
2142	    characters to appear to be consistent its natural language
2143	    specification "descr is the syntactic representation of an object
2144	    descriptor, which consists of letters and digits, starting with a
2145	    letter."  In a related change, the statement "an
2146	    AttributeDescription can be used as the value in a NAME part of an
2147	    AttributeTypeDescription" was deleted.  RFC 2252 provided no
2148	    specification as to the semantics of attribute options appearing in
2149	    NAME fields.

2151	    RFC 2252 stated that the <descr> form of <oid> SHOULD be preferred
2152	    over the <numericoid> form.  However, <descr> form can be ambiguous.
2153	    To address this issue, the imperative was replaced with a statement
2154	    (in Section 1.4) that while the <descr> form is generally preferred,
2155	    <numericoid> should be used where an unambiguous <descr> is not
2156	    available.  Additionally, an expanded discussion of descriptor
2157	    issues is discussed in Section 6.2 (Short Names).

2159	    The ABNF for a quoted string (qdstring) was updated to reflect
2160	    support for the escaping mechanism described in 4.3 of RFC 2252.

2162	A.2.2 Section 5 of RFC 2252

2164	    Definitions of operational attributes provided in Section 5 of RFC
2165	    2252 where incorporated into this document.

2167	    The 'namingContexts' description was clarified.  A first-level DSA
2168	    should publish, in addition to other values, "" indicating the root
2169	    of the DIT.

2171	    The 'supportedExtension' description was clarified.  A server need
2172	    only list the OBJECT IDENTIFIERs associated with the extended
2173	    requests of the extended operations it recognizes.

2175	    The 'supportedControl' description was clarified.  A server need
2176	    only list the OBJECT IDENTIFIERs associated with the request
2177	    controls it recognizes.

2179	A.2.3 Section 7 of RFC 2252

2181	    Section 7 of RFC 2252 provides definitions of the 'subschema' and
2182	    'extensibleObject' object classes.  These definitions where
2183	    integrated into Section 4.2 and Section 4.3 of this document,
2184	    respectively.  Section 7 of RFC 2252 also contained the object class
2185	    implementation requirement.  This was incorporated into Section 7 of
2186	    this document.

2188	    The specification of 'extensibleObject' was clarified of how it
2189	    interacts with precluded attributes.

2191	A.3 Changes to RFC 2256

2193	    This document incorporates Sections 5.1, 5.2, 7.1, and 7.2 of RFC
2194	    2256.

2196	    Section 5.1 of RFC 2256 provided the definition of the 'objectClass'
2197	    attribute type.  This was integrated into Section 2.4.1 of this
2198	    document.  The statement "One of the values is either 'top' or
2199	    'alias'" was replaced with statement that one of the values is 'top'
2200	    as entries belonging to 'alias' also belong to 'top'.

2202	    Section 5.2 of RFC 2256 provided the definition of the
2203	    'aliasedObjectName' attribute type.  This was integrated into
2204	    Section 2.6.2 of this document.

2206	    Section 7.1 of RFC 2256 provided the definition of the 'top' object
2207	    class.  This was integrated into Section 2.4.1 of this document.

2209	    Section 7.2 of RFC 2256 provided the definition of the 'alias'
2210	    object class.  This was integrated into Section 2.6.1 of this
2211	    document.

2213	Intellectual Property Rights

2215	  The IETF takes no position regarding the validity or scope of any
2216	  intellectual property or other rights that might be claimed to pertain
2217	  to the implementation or use of the technology described in this
2218	  document or the extent to which any license under such rights might or
2219	  might not be available; neither does it represent that it has made any
2220	  effort to identify any such rights.  Information on the IETF's
2221	  procedures with respect to rights in standards-track and
2222	  standards-related documentation can be found in BCP-11.  Copies of
2223	  claims of rights made available for publication and any assurances of
2224	  licenses to be made available, or the result of an attempt made to
2225	  obtain a general license or permission for the use of such proprietary
2226	  rights by implementors or users of this specification can be obtained
2227	  from the IETF Secretariat.

2229	  The IETF invites any interested party to bring to its attention any
2230	  copyrights, patents or patent applications, or other proprietary
2231	  rights which may cover technology that may be required to practice
2232	  this standard.  Please address the information to the IETF Executive
2233	  Director.

2235	Full Copyright

2237	  Copyright (C) The Internet Society (2003). All Rights Reserved.

2239	  This document and translations of it may be copied and furnished to
2240	  others, and derivative works that comment on or otherwise explain it
2241	  or assist in its implmentation may be prepared, copied, published and
2242	  distributed, in whole or in part, without restriction of any kind,
2243	  provided that the above copyright notice and this paragraph are
2244	  included on all such copies and derivative works.  However, this
2245	  document itself may not be modified in any way, such as by removing
2246	  the copyright notice or references to the Internet Society or other
2247	  Internet organizations, except as needed for the  purpose of
2248	  developing Internet standards in which case the procedures for
2249	  copyrights defined in the Internet Standards process must be followed,
2250	  or as required to translate it into languages other than English.