idnits 2.17.1 

draft-ietf-ldapbis-models-12.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3667, Section 5.1 on line 21.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 2306.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 2279.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 2286.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 2292.

  ** Found boilerplate matching RFC 3978, Section 5.4, paragraph 1 (on line
     2298), which is fine, but *also* found old RFC 2026, Section 10.4C,
     paragraph 1 text on line 37.

  ** The document seems to lack an RFC 3978 Section 5.1 IPR Disclosure
     Acknowledgement -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead
     of the newer disclaimer which includes the IETF Trust according to RFC
     4748.

  ** The document uses RFC 3667 boilerplate or RFC 3978-like boilerplate
     instead of verbatim RFC 3978 boilerplate.  After 6 May 2005, submission
     of drafts without verbatim RFC 3978 boilerplate is not accepted.

     The following non-3978 patterns matched text found in the document. 
     That text should be removed or replaced:

        By submitting this Internet-Draft, I certify that any applicable patent
        or other IPR claims of which I am aware have been disclosed, or
        will be disclosed, and any of which I become aware will be
        disclosed, in accordance with RFC 3668.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     current Internet-Drafts -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     Shadow Directories. 

  == It seems as if not all pages are separated by form feeds - found 0 form
     feeds but 50 pages


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 39 instances of lines with non-RFC6890-compliant IPv4
     addresses in the document.  If these are example addresses, they should
     be changed.

  == The 'Obsoletes: ' line in the draft header should list only the
     _numbers_ of the RFCs which will be obsoleted by this document (if
     approved); it should not include the word 'RFC' in the list.

  -- The draft header indicates that this document obsoletes RFC2251, but the
     abstract doesn't seem to mention this, which it should.

  -- The draft header indicates that this document obsoletes RFC2252, but the
     abstract doesn't seem to mention this, which it should.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords -- however, there's a paragraph with
     a matching beginning. Boilerplate error?

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).
  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (24 October 2004) is 7124 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'UTF-8' is mentioned on line 209, but not defined

  ** Obsolete normative reference: RFC 2234 (Obsoleted by RFC 4234)

  -- No information found for draft-ietf-ldapbis-bcp64-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'BCP64bis' 

  -- No information found for draft-ietf-ldapbis-roadmap-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Roadmap' 

  -- No information found for draft-ietf-ldapbis-protocol-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Protocol' 

  -- No information found for draft-ietf-ldapbis-authmeth-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'AuthMeth' 

  -- No information found for draft-ietf-ldapbis-filter-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Filters' 

  -- No information found for draft-ietf-ldapbis-dn-xx - is the name correct?

  -- Possible downref: Normative reference to a draft: ref. 'LDAPDN' 

  -- No information found for draft-ietf-ldapbis-url-xx - is the name correct?

  -- Possible downref: Normative reference to a draft: ref. 'LDAPURL' 

  -- No information found for draft-ietf-sasl-rfc2222bis-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'SASL' 

  -- No information found for draft-ietf-ldapbis-syntaxes-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Syntaxes' 

  -- No information found for draft-ietf-ldapbis-user-schema-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Schema' 

  -- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode'


     Summary: 9 errors (**), 0 flaws (~~), 6 warnings (==), 30 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

1	INTERNET-DRAFT                              Editor: Kurt D. Zeilenga
2	Intended Category: Standard Track                OpenLDAP Foundation
3	Expires in six months                                24 October 2004
4	Obsoletes: RFC 2251, RFC 2252, RFC 2256

6	                    LDAP: Directory Information Models
7	                    <draft-ietf-ldapbis-models-12.txt>

9	Status of this Memo

11	  This document is intended to be published as a Standard Track RFC.
12	  Distribution of this memo is unlimited.  Technical discussion of this
13	  document will take place on the IETF LDAP Revision Working Group
14	  mailing list <ietf-ldapbis@openldap.org>.  Please send editorial
15	  comments directly to the editor <Kurt@OpenLDAP.org>.

17	  By submitting this Internet-Draft, I accept the provisions of Section
18	  4 of RFC 3667.  By submitting this Internet-Draft, I certify that any
19	  applicable patent or other IPR claims of which I am aware have been
20	  disclosed, or will be disclosed, and any of which I become aware will
21	  be disclosed, in accordance with RFC 3668.

23	  Internet-Drafts are working documents of the Internet Engineering Task
24	  Force (IETF), its areas, and its working groups. Note that other
25	  groups may also distribute working documents as Internet-Drafts.

27	  Internet-Drafts are draft documents valid for a maximum of six months
28	  and may be updated, replaced, or obsoleted by other documents at any
29	  time. It is inappropriate to use Internet-Drafts as reference material
30	  or to cite them other than as "work in progress."

32	  The list of current Internet-Drafts can be accessed at
33	  <http://www.ietf.org/ietf/1id-abstracts.txt>.  The list of
34	  Internet-Draft Shadow Directories can be accessed at
35	  <http://www.ietf.org/shadow.html>.

37	  Copyright (C) The Internet Society (2004).  All Rights Reserved.

39	  Please see the Full Copyright section near the end of this document
40	  for more information.

42	Abstract

44	  The Lightweight Directory Access Protocol (LDAP) is an Internet
45	  protocol for accessing distributed directory services which act in
46	  accordance with X.500 data and service models.  This document
47	  describes the X.500 Directory Information Models, as used in LDAP.

49	Table of Contents

51	  Status of this Memo                                             1
52	  Abstract                                                        2
53	  Table of Contents
54	  1.       Introduction                                           3
55	  1.1.     Relationship to Other LDAP Specifications
56	  1.2.     Relationship to X.501                                  4
57	  1.3.     Conventions
58	  1.4.     Common ABNF Productions
59	  2.       Model of Directory User Information                    6
60	  2.1.     The Directory Information Tree                         7
61	  2.2.     Structure of an Entry
62	  2.3.     Naming of Entries                                      8
63	  2.4.     Object Classes                                         9
64	  2.5.     Attribute Descriptions                                12
65	  2.6.     Alias Entries                                         15
66	  3.       Directory Administrative and Operational Information  17
67	  3.1.     Subtrees
68	  3.2.     Subentries
69	  3.3.     The 'objectClass' attribute                           18
70	  3.4.     Operational attributes                                19
71	  4.       Directory Schema                                      20
72	  4.1.     Schema Definitions                                    23
73	  4.2.     Subschema Subentries                                  30
74	  4.3.     'extensibleObject'                                    35
75	  4.4.     Subschema Discovery
76	  5.       DSA (Server) Informational Model                      36
77	  5.1.     Server-specific Data Requirements
78	  6.       Other Considerations                                  39
79	  6.1.     Preservation of User Information                      40
80	  6.2.     Short Names
81	  6.3.     Cache and Shadowing                                   41
82	  7.       Implementation Guidelines
83	  7.1.     Server Guidelines
84	  7.2.     Client Guidelines
85	  8.       Security Considerations                               42
86	  9.       IANA Considerations
87	  10.      Acknowledgments                                       43
88	  11.      Editor's Address
89	  12.      References                                            44
90	  12.1.    Normative References
91	  12.2.    Informative References                                45
92	  Appendix A.  Changes
93	  Intellectual Property Rights                                   50
94	  Full Copyright

96	1. Introduction

98	  This document discusses the X.500 Directory Information Models
99	  [X.501], as used by the Lightweight Directory Access Protocol (LDAP)
100	  [Roadmap].

102	  The Directory is "a collection of open systems cooperating to provide
103	  directory services" [X.500].  The information held in the Directory is
104	  collectively known as the Directory Information Base (DIB).  A
105	  Directory user, which may be a human or other entity, accesses the
106	  Directory through a client (or Directory User Agent (DUA)).  The
107	  client, on behalf of the directory user, interacts with one or more
108	  servers (or Directory System Agents (DSA)).  A server holds a fragment
109	  of the DIB.

111	  The DIB contains two classes of information:

113	      1) user information (e.g., information provided and administrated
114	         by users).  Section 2 describes the Model of User Information.

116	      2) administrative and operational information (e.g., information
117	         used to administer and/or operate the directory).  Section 3
118	         describes the model of Directory Administrative and Operational
119	         Information.

121	  These two models, referred to as the generic Directory Information
122	  Models, describe how information is represented in the Directory.
123	  These generic models provide a framework for other information models.
124	  Section 4 discusses the subschema information model and subschema
125	  discovery.  Section 5 discusses the DSA (Server) Informational Model.

127	  Other X.500 information models, such as access control distribution
128	  knowledge, and replication knowledge information models, may be
129	  adapted for use in LDAP.  Specification of how these models apply to
130	  LDAP is left to future documents.

132	1.1. Relationship to Other LDAP Specifications

134	  This document is a integral part of the LDAP technical specification
135	  [Roadmap] which obsoletes the previously defined LDAP technical
136	  specification, RFC 3377, in its entirety.

138	  This document obsoletes RFC 2251 sections 3.2 and 3.4, as well as
139	  portions of sections 4 and 6.  Appendix A.1 summaries changes to these
140	  sections.  The remainder of RFC 2251 is obsoleted by the [Protocol],
141	  [AuthMeth], and [Roadmap] documents.

143	  This document obsoletes RFC 2252 sections 4, 5 and 7.  Appendix A.2
144	  summaries changes to these sections.  The remainder of RFC 2252 is
145	  obsoleted by [Syntaxes].

147	  This document obsoletes RFC 2256 sections 5.1, 5.2, 7.1 and 7.2.
148	  Appendix A.3 summarizes changes to these sections.  The remainder of
149	  RFC 2256 is obsoleted by [Schema] and [Syntaxes].

151	1.2. Relationship to X.501

153	  This document includes material, with and without adaptation, from
154	  [X.501].  The material in this document takes precedence over that in
155	  [X.501].

157	1.3. Conventions

159	  The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
160	  "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
161	  document are to be interpreted as described in BCP 14 [RFC2119].

163	  Schema definitions are provided using LDAP description formats (as
164	  defined in Section 4.1).  Definitions provided here are formatted
165	  (line wrapped) for readability.  Matching rules and LDAP syntaxes
166	  referenced in these definitions are specified in [Syntaxes].

168	1.4. Common ABNF Productions

170	  A number of syntaxes in this document are described using Augmented
171	  Backus-Naur Form (ABNF) [RFC2234].  These syntaxes (as well as a
172	  number of syntaxes defined in other documents) rely on the following
173	  common productions:

175	      keystring = leadkeychar *keychar
176	      leadkeychar = ALPHA
177	      keychar = ALPHA / DIGIT / HYPHEN
178	      number  = DIGIT / ( LDIGIT 1*DIGIT )

180	      ALPHA   = %x41-5A / %x61-7A   ; "A"-"Z" / "a"-"z"
181	      DIGIT   = %x30 / LDIGIT       ; "0"-"9"
182	      LDIGIT  = %x31-39             ; "1"-"9"
183	      HEX     = DIGIT / %x41-46 / %x61-66 ; "0"-"9" / "A"-"F" / "a"-"f"

185	      SP      = 1*SPACE  ; one or more " "
186	      WSP     = 0*SPACE  ; zero or more " "

188	      NULL    = %x00 ; null (0)
189	      SPACE   = %x20 ; space (" ")
190	      DQUOTE  = %x22 ; quote (""")
191	      SHARP   = %x23 ; octothorpe (or sharp sign) ("#")
192	      DOLLAR  = %x24 ; dollar sign ("$")
193	      SQUOTE  = %x27 ; single quote ("'")
194	      LPAREN  = %x28 ; left paren ("(")
195	      RPAREN  = %x29 ; right paren (")")
196	      PLUS    = %x2B ; plus sign ("+")
197	      COMMA   = %x2C ; comma (",")
198	      HYPHEN  = %x2D ; hyphen ("-")
199	      DOT     = %x2E ; period (".")
200	      SEMI    = %x3B ; semicolon (";")
201	      LANGLE  = %x3C ; left angle bracket ("<")
202	      EQUALS  = %x3D ; equals sign ("=")
203	      RANGLE  = %x3E ; right angle bracket (">")
204	      ESC     = %x5C ; backslash ("\")
205	      USCORE  = %x5F ; underscore ("_")
206	      LCURLY  = %x7B ; left curly brace "{"
207	      RCURLY  = %x7D ; right curly brace "}"

209	      ; Any UTF-8 [UTF-8] encoded Unicode [Unicode] character
210	      UTF8    = UTF1 / UTFMB
211	      UTFMB   = UTF2 / UTF3 / UTF4
212	      UTF0    = %x80-BF
213	      UTF1    = %x00-7F
214	      UTF2    = %xC2-DF UTF0
215	      UTF3    = %xE0 %xA0-BF UTF0 / %xE1-EC 2(UTF0) /
216	                %xED %x80-9F UTF0 / %xEE-EF 2(UTF0)
217	      UTF4    = %xF0 %x90-BF 2(UTF0) / %xF1-F3 3(UTF0) /
218	                %xF4 %x80-8F 2(UTF0)

220	      OCTET   = %x00-FF ; Any octet (8-bit data unit)

222	  Object identifiers (OIDs) [X.680] are represented in LDAP using a
223	  dot-decimal format conforming to the ABNF:

225	      numericoid = number 1*( DOT number )

227	  Short names, also known as descriptors, are used as more readable
228	  aliases for object identifiers.  Short names are case insensitive and
229	  conform to the ABNF:

231	      descr = keystring

233	  Where either an object identifier or a short name may be specified,
234	  the following production is used:

236	      oid = descr / numericoid

238	  While the <descr> form is generally preferred when the usage is
239	  restricted to short names referring to object identifiers which
240	  identify like kinds of objects (e.g., attribute type descriptions,
241	  matching rule descriptions, object class descriptions), the
242	  <numericoid> form should be used when the object identifiers may
243	  identify multiple kinds of objects or when an unambiguous short name
244	  (descriptor) is not available.

246	  Implementations SHOULD treat short names (descriptors) used in an
247	  ambiguous manner (as discussed above) as unrecognized.

249	  Short Names (descriptors) are discussed further in Section 6.2.

251	2. Model of Directory User Information

253	  As [X.501] states:

255	      The purpose of the Directory is to hold, and provide access to,
256	      information about objects of interest (objects) in some 'world'.
257	      An object can be anything which is identifiable (can be named).

259	      An object class is an identified family of objects, or conceivable
260	      objects, which share certain characteristics. Every object belongs
261	      to at least one class.  An object class may be a subclass of other
262	      object classes, in which case the members of the former class, the
263	      subclass, are also considered to be members of the latter classes,
264	      the superclasses.  There may be subclasses of subclasses, etc., to
265	      an arbitrary depth.

267	  A directory entry, a named collection of information, is the basic
268	  unit of information held in the Directory.  There are multiple kinds
269	  of directory entries.

271	  An object entry represents a particular object.  An alias entry
272	  provides alternative naming.  A subentry holds administrative and/or
273	  operational information.

275	  The set of entries representing the DIB are organized hierarchically
276	  in a tree structure known as the Directory Information Tree (DIT).

278	  Section 2.1 describes the Directory Information Tree
279	  Section 2.2 discusses the structure of entries.
280	  Section 2.3 discusses naming of entries.
281	  Section 2.4 discusses object classes.
282	  Section 2.5 discusses attribute descriptions.
283	  Section 2.6 discusses alias entries.

285	2.1. The Directory Information Tree

287	  As noted above, the DIB is composed of a set of entries organized
288	  hierarchically in a tree structure known as the Directory Information
289	  Tree (DIT).  Specifically, a tree where vertices are the entries.

291	  The arcs between vertices define relations between entries.  If an arc
292	  exists from X to Y, then the entry at X is the immediate superior of Y
293	  and Y is the immediate subordinate of X.  An entry's superiors are the
294	  entry's immediate superior and its superiors.  An entry's subordinates
295	  are all of its immediate subordinates and their subordinates.

297	  Similarly, the superior/subordinate relationship between object
298	  entries can be used to derive a relation between the objects they
299	  represent.  DIT structure rules can be used to govern relationships
300	  between objects.

302	  Note: An entry's immediate superior is also known as the entry's
303	        parent and an entry's immediate subordinate is also known as the
304	        entry's child.  Entries which have the same parent are known as
305	        siblings.

307	2.2. Structure of an Entry

309	  An entry consists of a set of attributes which hold information about
310	  the object which the entry represents.  Some attributes represent user
311	  information and are called user attributes.  Other attributes
312	  represent operational and/or administrative information and are called
313	  operational attributes.

315	  An attribute is an attribute description (a type and zero or more
316	  options) with one or more associated values.  An attribute is often
317	  referred to by its attribute description.  For example, the
318	  'givenName' attribute is the attribute which consists of the attribute
319	  description 'givenName' (the 'givenName' attribute type [Schema] and
320	  zero options) and one or more associated values.

322	  The attribute type governs whether the attribute can have multiple
323	  values, the syntax and matching rules used to construct and compare
324	  values of that attribute, and other functions.  Options indicate
325	  subtypes and other functions.

327	  Attribute values conform to the defined syntax of the attribute type.

329	  No two values of an attribute may be equivalent.  Two values are
330	  considered equivalent only if they would match according to the
331	  equality matching rule of the attribute type.  If the attribute type
332	  is defined with no equality matching rule, two values are equivalent
333	  if and only if they are identical.  (See 2.5.1 for other
334	  restrictions.)

336	  For example, a 'givenName' attribute can have more than one value,
337	  they must be Directory Strings, and they are case insensitive.  A
338	  'givenName' attribute cannot hold both "John" and "JOHN" as these are
339	  equivalent values per the equality matching rule of the attribute
340	  type.

342	  When an attribute is used for naming of the entry, one and only one
343	  value of the attribute is used in forming the Relative Distinguished
344	  Name.  This value is known as a distinguished value.

346	2.3. Naming of Entries

348	2.3.1.  Relative Distinguished Names

350	  Each entry is named relative to its immediate superior.  This relative
351	  name, known as its Relative Distinguished Name (RDN) [X.501], is
352	  composed of an unordered set of one or more attribute value assertions
353	  (AVA) consisting of an attribute description with zero options and an
354	  attribute value.  These AVAs are chosen to match attribute values
355	  (each a distinguished value) of the entry.

357	  An entry's relative distinguished name must be unique among all
358	  immediate subordinates of the entry's immediate superior (i.e., all
359	  siblings).

361	  The following are examples of string representations of RDNs [LDAPDN]:

363	      UID=12345
364	      OU=Engineering
365	      CN=Kurt Zeilenga+L=Redwood Shores

367	  The last is an example of a multi-valued RDN.  That is, an RDN
368	  composed of multiple AVAs.

370	2.3.2. Distinguished Names

372	  An entry's fully qualified name, known as its Distinguished Name (DN)
373	  [X.501], is the concatenation of its RDN and its immediate superior's
374	  DN.  A Distinguished Name unambiguously refers to an entry in the
375	  tree.  The following are examples of string representations of DNs
376	  [LDAPDN]:

378	      UID=nobody@example.com,DC=example,DC=com
379	      CN=John Smith,OU=Sales,O=ACME Limited,L=Moab,ST=Utah,C=US

381	2.3.3. Alias Names

383	  An alias, or alias name, is "an name for an object, provided by the
384	  use of alias entries" [X.501].  Alias entries are described in Section
385	  2.6.

387	2.4. Object Classes

389	  An object class is "an identified family of objects (or conceivable
390	  objects) which share certain characteristics" [X.501].

392	  As defined in [X.501]:

394	      Object classes are used in the Directory for a number of purposes:

396	        - describing and categorising objects and the entries that
397	          correspond to these objects;

399	        - where appropriate, controlling the operation of the Directory;

401	        - regulating, in conjunction with DIT structure rule
402	          specifications, the position of entries in the DIT;

404	        - regulating, in conjunction with DIT content rule
405	          specifications, the attributes that are contained in entries;

407	        - identifying classes of entry that are to be associated with a
408	          particular policy by the appropriate administrative authority.

410	      An object class (a subclass) may be derived from an object class
411	      (its direct superclass) which is itself derived from an even more
412	      generic object class.  For structural object classes, this process
413	      stops at the most generic object class, 'top' (defined in Section
414	      2.4.1).  An ordered set of superclasses up to the most superior
415	      object class of an object class is its superclass chain.

417	      An object class may be derived from two or more direct
418	      superclasses (superclasses not part of the same superclass chain).
419	      This feature of subclassing is termed multiple inheritance.

421	  Each object class identifies the set of attributes required to be
422	  present in entries belonging to the class and the set of attributes
423	  allowed to be present in entries belonging to the class.  As an entry
424	  of a class must meet the requirements of each class it belongs to, it
425	  can be said that an object class inherits the sets of allowed and
426	  required attributes from its superclasses.  A subclass can identify an
427	  attribute allowed by its superclass as being required.  If an
428	  attribute is a member of both sets, it is required to be present.

430	  Each object class is defined to be one of three kinds of object
431	  classes: Abstract, Structural, or Auxiliary.

433	  Each object class is identified by an object identifier (OID) and,
434	  optionally, one or more short names (descriptors).

436	2.4.1. Abstract Object Classes

438	  An abstract object class, as the name implies, provides a base of
439	  characteristics from which other object classes can be defined to
440	  inherit from.  An entry cannot belong to an abstract object class
441	  unless it belongs to a structural or auxiliary class which inherits
442	  from that abstract class.

444	  Abstract object classes can not derive from structural nor auxiliary
445	  object classes.

447	  All structural object classes derive (directly or indirectly) from the
448	  'top' abstract object class.  Auxiliary object classes do not
449	  necessarily derive from 'top'.

451	  The following is the object class definition (see Section 4.1.1) for
452	  the 'top' object class:

454	      ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )

456	  All entries belong to the 'top' abstract object class.

458	2.4.2. Structural Object Classes

460	  As stated in [X.501]:

462	      An object class defined for use in the structural specification of
463	      the DIT is termed a structural object class.  Structural object
464	      classes are used in the definition of the structure of the names
465	      of the objects for compliant entries.

467	      An object or alias entry is characterised by precisely one
468	      structural object class superclass chain which has a single
469	      structural object class as the most subordinate object class.
470	      This structural object class is referred to as the structural
471	      object class of the entry.

473	      Structural object classes are related to associated entries:

475	        - an entry conforming to a structural object class shall
476	          represent the real-world object constrained by the object
477	          class;

479	        - DIT structure rules only refer to structural object classes;
480	          the structural object class of an entry is used to specify the
481	          position of the entry in the DIT;

483	        - the structural object class of an entry is used, along with an
484	          associated DIT content rule, to control the content of an
485	          entry.

487	        The structural object class of an entry shall not be changed.

489	  Each structural object class is a (direct or indirect) subclass of the
490	  'top' abstract object class.

492	  Structural object classes cannot subclass auxiliary object classes.

494	  Each entry is said to belong to its structural object class as well as
495	  all classes in its structural object class's superclass chain.

497	2.4.3. Auxiliary Object Classes

499	  Auxiliary object classes are used to augment the characteristics of
500	  entries.  They are commonly used to augment the sets of attributes
501	  required and allowed to be present in an entry.  They can be used to
502	  describe entries or classes of entries.

504	  Auxiliary object classes cannot subclass structural object classes.

506	  An entry can belong to any subset of the set of auxiliary object
507	  classes allowed by the DIT content rule associated with the structural
508	  object class of the entry.  If no DIT content rule is associated with
509	  the structural object class of the entry, the entry cannot belong to
510	  any auxiliary object class.

512	  The set of auxiliary object classes which an entry belongs to can
513	  change over time.

515	2.5. Attribute Descriptions

517	  An attribute description is composed of an attribute type (see Section
518	  2.5.1) and a set of zero or more attribute options (see Section
519	  2.5.2).

521	  An attribute description is represented by the ABNF:

523	      attributedescription = attributetype options
524	      attributetype = oid
525	      options = *( SEMI option )
526	      option = 1*keychar

528	  where <attributetype> identifies the attribute type and each <option>
529	  identifies an attribute option.  Both <attributetype> and <option>
530	  productions are case insensitive.  The order in which <option>s appear
531	  is irrelevant.  That is, any two <attributedescription>s which consist
532	  of the same <attributetype> and same set of <option>s are equivalent.

534	  Examples of valid attribute descriptions:

536	      2.5.4.0
537	      cn;lang-de;lang-en
538	      owner

540	  An attribute description with an unrecognized attribute type is to be
541	  treated as unrecognized.  Servers SHALL treat an attribute description
542	  with an unrecognized attribute option as unrecognized.  Clients MAY
543	  treat an unrecognized attribute option as a tagging option (see
544	  Section 2.5.2.1).

546	  All attributes of an entry must have distinct attribute descriptions.

548	2.5.1. Attribute Types

550	  An attribute type governs whether the attribute can have multiple
551	  values, the syntax and matching rules used to construct and compare
552	  values of that attribute, and other functions.

554	  If no equality matching is specified for the attribute type:
555	    - the attribute (of the type) cannot be used for naming;
556	    - when adding the attribute (or replacing all values), no two values
557	      may be equivalent (see 2.2);
558	    - individual values of a multi-valued attribute are not to be
559	      independently added or deleted;
560	    - attribute value assertions (such as matching in search filters and
561	      comparisons) using values of such a type cannot be performed.

563	  Otherwise, the equality matching rule is to be used for the purposes
564	  of evaluating attribute value assertions concerning the attribute
565	  type.

567	  The attribute type indicates whether the attribute is a user attribute
568	  or an operational attribute.  If operational, the attribute type
569	  indicates the operational usage and whether the attribute is
570	  modifiable by users or not.  Operational attributes are discussed in
571	  Section 3.4.

573	  An attribute type (a subtype) may derive from a more generic attribute
574	  type (a direct supertype).  The following restrictions apply to
575	  subtyping:
576	    - a subtype must have the same usage as its direct supertype,
577	    - a subtype's syntax must be the same, or a refinement of, its
578	      supertype's syntax, and
579	    - a subtype must be collective [RFC3671] if its supertype is
580	      collective.

582	  An attribute description consisting of a subtype and no options is
583	  said to be the direct description subtype of the attribute description
584	  consisting of the subtype's direct supertype and no options.

586	  Each attribute type is identified by an object identifier (OID) and,
587	  optionally, one or more short names (descriptors).

589	2.5.2. Attribute Options

591	  There are multiple kinds of attribute description options.  The LDAP
592	  technical specification details one kind: tagging options.

594	  Not all options can be associated with attributes held in the
595	  directory.  Tagging options can be.

597	  Not all options can be used in conjunction with all attribute types.
598	  In such cases, the attribute description is to be treated as
599	  unrecognized.

601	  An attribute description that contains mutually exclusive options
602	  shall be treated as unrecognized.  That is, "cn;x-bar;x-foo", where
603	  "x-foo" and "x-bar" are mutually exclusive, is to be treated as
604	  unrecognized.

606	  Other kinds of options may be specified in future documents.  These
607	  documents must detail how new kinds of options they define relate to
608	  tagging options.  In particular, these documents must detail whether
609	  or not new kinds of options can be associated with attributes held in
610	  the directory, how new kinds of options affect transfer of attribute
611	  values, and how new kinds of options are treated in attribute
612	  description hierarchies.

614	  Options are represented as short case insensitive textual strings
615	  conforming to the <option> production defined in Section 2.5 of this
616	  document.

618	  Procedures for registering options are detailed in BCP 64 [BCP64bis].

620	2.5.2.1. Tagging Options

622	  Attributes held in the directory can have attribute descriptions with
623	  any number of tagging options.  Tagging options are never mutually
624	  exclusive.

626	  An attribute description with N tagging options is a direct
627	  (description) subtype of all attribute descriptions of the same
628	  attribute type and all but one of the N options.  If the attribute
629	  type has a supertype, then the attribute description is also a direct
630	  (description) subtype of the attribute description of the supertype
631	  and the N tagging options.  That is, 'cn;lang-de;lang-en' is a direct
632	  (description) subtype of 'cn;lang-de', 'cn;lang-en', and
633	  'name;lang-de;lang-en' ('cn' is a subtype of 'name', both are defined
634	  in [Schema]).

636	2.5.3. Attribute Description Hierarchies

638	  An attribute description can be the direct subtype of zero or more
639	  other attribute descriptions as indicated by attribute type subtyping
640	  (as described in Section 2.5.1) or attribute tagging option subtyping
641	  (as described in Section 2.5.2.1).  These subtyping relationships are
642	  used to form hierarchies of attribute descriptions and attributes.

644	  As adapted from [X.501]:

646	      Attribute hierarchies allow access to the DIB with varying degrees
647	      of granularity.  This is achieved by allowing the value components
648	      of attributes to be accessed by using either their specific
649	      attribute description (a direct reference to the attribute) or by
650	      a more generic attribute description (an indirect reference).

652	      Semantically related attributes may be placed in a hierarchical
653	      relationship, the more specialized being placed subordinate to the
654	      more generalized.  Searching for, or retrieving attributes and
655	      their values is made easier by quoting the more generalized
656	      attribute description; a filter item so specified is evaluated for
657	      the more specialized descriptions as well as for the quoted
658	      description.

660	      Where subordinate specialized descriptions are selected to be
661	      returned as part of a search result these descriptions shall be
662	      returned if available.  Where the more general descriptions are
663	      selected to be returned as part of a search result both the
664	      general and the specialized descriptions shall be returned, if
665	      available.  An attribute value shall always be returned as a value
666	      of its own attribute description.

668	      All of the attribute descriptions in an attribute hierarchy are
669	      treated as distinct and unrelated descriptions for user
670	      modification of entry content.

672	      An attribute value stored in an object or alias entry is of
673	      precisely one attribute description.  The description is indicated
674	      when the value is originally added to the entry.

676	  For the purpose of subschema administration of the entry, a
677	  specification that an attribute is required is fulfilled if the entry
678	  contains a value of an attribute description belonging to an attribute
679	  hierarchy where the attribute type of that description is the same as
680	  the required attribute's type.  That is, a "MUST name" specification
681	  is fulfilled by 'name' or 'name;x-tag-option', but is not fulfilled by
682	  'CN' nor by 'CN;x-tag-option' (even though 'CN' is a subtype of
683	  'name').  Likewise, an entry may contain a value of an attribute
684	  description belonging to an attribute hierarchy where the attribute
685	  type of that description is either explicitly included in the
686	  definition of an object class to which the entry belongs or allowed by
687	  the DIT content rule applicable to that entry.  That is, 'name' and
688	  'name;x-tag-option' are allowed by "MAY name" (or by "MUST name"), but
689	  'CN' and 'CN;x-tag-option' are not allowed by "MAY name" (nor by "MUST
690	  name").

692	  For the purposes of other policy administration, unless stated
693	  otherwise in the specification of the particular administrative model,
694	  all of the attribute descriptions in an attribute hierarchy are
695	  treated as distinct and unrelated descriptions.

697	2.6. Alias Entries

699	  As adapted from [X.501]:

701	      An alias, or an alias name, for an object is an alternative name
702	      for an object or object entry which is provided by the use of
703	      alias entries.

705	      Each alias entry contains, within the 'aliasedObjectName'
706	      attribute (known as the 'aliasedEntryName' attribute in X.500]), a
707	      name of some object.  The distinguished name of the alias entry is
708	      thus also a name for this object.

710	          NOTE - The name within the 'aliasedObjectName' is said to be
711	                 pointed to by the alias.  It does not have to be the
712	                 distinguished name of any entry.

714	      The conversion of an alias name to an object name is termed
715	      (alias) dereferencing and comprises the systematic replacement of
716	      alias names, where found within a purported name, by the value of
717	      the corresponding 'aliasedObjectName' attribute.  The process may
718	      require the examination of more than one alias entry.

720	      Any particular entry in the DIT may have zero or more alias names.
721	      It therefore follows that several alias entries may point to the
722	      same entry.  An alias entry may point to an entry that is not a
723	      leaf entry and may point to another alias entry.

725	      An alias entry shall have no subordinates, so that an alias entry
726	      is always a leaf entry.

728	      Every alias entry shall belong to the 'alias' object class.

730	  An entry with the 'alias' object class must also belong to an object
731	  class (or classes), or be governed by a DIT content rule, which allows
732	  suitable naming attributes to be present.

734	  Example:
735	      dn: cn=bar,dc=example,dc=com
736	      objectClass: top
737	      objectClass: alias
738	      objectClass: extensibleObject
739	      cn: bar
740	      aliasedObjectName: cn=foo,dc=example,dc=com

742	2.6.1. 'alias' object class
743	  Alias entries belong to the 'alias' object class.

745	     ( 2.5.6.1 NAME 'alias'
746	       SUP top STRUCTURAL
747	       MUST aliasedObjectName )

749	2.6.2. 'aliasedObjectName' attribute type

751	  The 'aliasedObjectName' attribute holds the name of the entry an alias
752	  points to.  The 'aliasedObjectName' attribute is known as the
753	  'aliasedEntryName' attribute in X.500.

755	      ( 2.5.4.1 NAME 'aliasedObjectName'
756	        EQUALITY distinguishedNameMatch
757	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
758	        SINGLE-VALUE )

760	  The 'distinguishedNameMatch' matching rule and the DistinguishedName
761	  (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [Syntaxes].

763	3. Directory Administrative and Operational Information

765	  This section discusses select aspects of the X.500 Directory
766	  Administrative and Operational Information model [X.501].  LDAP
767	  implementations MAY support other aspects of this model.

769	3.1. Subtrees

771	  As defined in [X.501]:

773	      A subtree is a collection of object and alias entries situated at
774	      the vertices of a tree.  Subtrees do not contain subentries.  The
775	      prefix sub, in subtree, emphasizes that the base (or root) vertex
776	      of this tree is usually subordinate to the root of the DIT.

778	      A subtree begins at some vertex and extends to some identifiable
779	      lower boundary, possibly extending to leaves.  A subtree is always
780	      defined within a context which implicitly bounds the subtree.  For
781	      example, the vertex and lower boundaries of a subtree defining a
782	      replicated area are bounded by a naming context.

784	3.2. Subentries

786	  A subentry is a "special sort of entry, known by the Directory, used
787	  to hold information associated with a subtree or subtree refinement"
788	  [X.501].  Subentries are used in Directory to hold for administrative
789	  and operational purposes as defined in [X.501].  Their use in LDAP is
790	  detailed in [RFC3672].

792	  The term "(sub)entry" in this specification indicates that servers
793	  implementing X.500(93) models are, in accordance with X.500(93) as
794	  described in [RFC3672], to use a subentry and that other servers are
795	  to use an object entry belonging to the appropriate auxiliary class
796	  normally used with the subentry (e.g., 'subschema' for subschema
797	  subentries) to mimic the subentry.  This object entry's RDN SHALL be
798	  formed from a value of the 'cn' (commonName) attribute [Schema] (as
799	  all subentries are named with 'cn').

801	3.3. The 'objectClass' attribute

803	  Each entry in the DIT has an 'objectClass' attribute.

805	      ( 2.5.4.0 NAME 'objectClass'
806	        EQUALITY objectIdentifierMatch
807	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

809	  The 'objectIdentifierMatch' matching rule and the OBJECT IDENTIFIER
810	  (1.3.6.1.4.1.1466.115.121.1.38) syntax are defined in [Syntaxes].

812	  The 'objectClass' attribute specifies the object classes of an entry,
813	  which (among other things) is used in conjunction with the controlling
814	  schema to determine the permitted attributes of an entry.  Values of
815	  this attribute can be modified by clients, but the 'objectClass'
816	  attribute cannot be removed.

818	  Servers which follow X.500(93) models SHALL restrict modifications of
819	  this attribute to prevent the basic structural class of the entry from
820	  being changed.  That is, one cannot change a 'person' into a
821	  'country'.

823	  When creating an entry or adding an 'objectClass' value to an entry,
824	  all superclasses of the named classes SHALL be implicitly added as
825	  well if not already present.  That is, if the auxiliary class 'x-a' is
826	  a subclass of the class 'x-b', adding 'x-a' to 'objectClass' causes
827	  'x-b' to be implicitly added (if is not already present).

829	  Servers SHALL restrict modifications of this attribute to prevent
830	  superclasses of remaining 'objectClass' values from being deleted.
831	  That is, if the auxiliary class 'x-a' is a subclass of the auxiliary
832	  class 'x-b' and the 'objectClass' attribute contains 'x-a' and 'x-b',
833	  an attempt to delete only 'x-b' from the 'objectClass' attribute is an
834	  error.

836	3.4. Operational attributes

838	  Some attributes, termed operational attributes, are used or maintained
839	  by servers for administrative and operational purposes.  As stated in
840	  [X.501]: "There are three varieties of operational attributes:
841	  Directory operational attributes, DSA-shared operational attributes,
842	  and DSA-specific operational attributes."

844	  A directory operational attribute is used to represent operational
845	  and/or administrative information in the Directory Information Model.
846	  This includes operational attributes maintained by the server (e.g.
847	  'createTimestamp') as well as operational attributes which hold values
848	  administrated by the user (e.g. 'ditContentRules').

850	  A DSA-shared operational attribute is used to represent information of
851	  the DSA Information Model which is shared between DSAs.

853	  A DSA-specific operational attribute is used to represent information
854	  of the DSA Information Model which is specific to the DSA (though, in
855	  some cases, may be derived from information shared between DSAs)
856	  (e.g., 'namingContexts').

858	  The DSA Information Model operational attributes are detailed in
859	  [X.501].

861	  Operational attributes are not normally visible.  They are not
862	  returned in search results unless explicitly requested by name.

864	  Not all operational attributes are user modifiable.

866	  Entries may contain, among others, the following operational
867	  attributes:

869	    - creatorsName: the Distinguished Name of the user who added this
870	      entry to the directory,

872	    - createTimestamp: the time this entry was added to the directory,

874	    - modifiersName: the Distinguished Name of the user who last
875	      modified this entry, and

877	    - modifyTimestamp: the time this entry was last modified.

879	  Servers SHOULD maintain the 'creatorsName', 'createTimestamp',
880	  'modifiersName', and 'modifyTimestamp' attributes for all entries of
881	  the DIT.

883	3.4.1. 'creatorsName'

885	  This attribute appears in entries which were added using the protocol
886	  (e.g., using the Add operation).  The value is the distinguished name
887	  of the creator.

889	      ( 2.5.18.3 NAME 'creatorsName'
890	        EQUALITY distinguishedNameMatch
891	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
892	        SINGLE-VALUE NO-USER-MODIFICATION
893	        USAGE directoryOperation )

895	  The 'distinguishedNameMatch' matching rule and the DistinguishedName
896	  (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [Syntaxes].

898	3.4.2. 'createTimestamp'

900	  This attribute appears in entries which were added using the protocol
901	  (e.g., using the Add operation).  The value is the time the entry was
902	  added.

904	      ( 2.5.18.1 NAME 'createTimestamp'
905	        EQUALITY generalizedTimeMatch
906	        ORDERING generalizedTimeOrderingMatch
907	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
908	        SINGLE-VALUE NO-USER-MODIFICATION
909	        USAGE directoryOperation )

911	  The 'generalizedTimeMatch' and 'generalizedTimeOrderingMatch' matching
912	  rules and the GeneralizedTime (1.3.6.1.4.1.1466.115.121.1.24) syntax
913	  are defined in [Syntaxes].

915	3.4.3. 'modifiersName'

917	  This attribute appears in entries which have been modified using the
918	  protocol (e.g., using Modify operation).  The value is the
919	  distinguished name of the last modifier.

921	      ( 2.5.18.4 NAME 'modifiersName'
922	        EQUALITY distinguishedNameMatch
923	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
924	        SINGLE-VALUE NO-USER-MODIFICATION
925	        USAGE directoryOperation )

927	  The 'distinguishedNameMatch' matching rule and the DistinguishedName
928	  (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [Syntaxes].

930	3.4.4. 'modifyTimestamp'

932	  This attribute appears in entries which have been modified using the
933	  protocol (e.g., using the Modify operation).  The value is the time
934	  the entry was last modified.

936	      ( 2.5.18.2 NAME 'modifyTimestamp'
937	        EQUALITY generalizedTimeMatch
938	        ORDERING generalizedTimeOrderingMatch
939	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
940	        SINGLE-VALUE NO-USER-MODIFICATION
941	        USAGE directoryOperation )

943	  The 'generalizedTimeMatch' and 'generalizedTimeOrderingMatch' matching
944	  rules and the GeneralizedTime (1.3.6.1.4.1.1466.115.121.1.24) syntax
945	  are defined in [Syntaxes].

947	3.4.5. 'structuralObjectClass'

949	  This attribute indicates the structural object class of the entry.

951	      ( 2.5.21.9 NAME 'structuralObjectClass'
952	        EQUALITY objectIdentifierMatch
953	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
954	        SINGLE-VALUE NO-USER-MODIFICATION
955	        USAGE directoryOperation )

957	  The 'objectIdentifierMatch' matching rule and OBJECT IDENTIFIER
958	  (1.3.6.1.4.1.1466.115.121.1.38) syntax is defined in [Syntaxes].

960	3.4.6. 'governingStructureRule'

962	  This attribute indicates the structure rule governing the entry.

964	      ( 2.5.21.10 NAME 'governingStructureRule'
965	        EQUALITY integerMatch
966	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
967	        SINGLE-VALUE NO-USER-MODIFICATION
968	        USAGE directoryOperation )

970	  The 'integerMatch' matching rule and INTEGER
971	  (1.3.6.1.4.1.1466.115.121.1.27) syntax is defined in [Syntaxes].

973	4. Directory Schema

975	  As defined in [X.501]:

977	      The Directory Schema is a set of definitions and constraints
978	      concerning the structure of the DIT, the possible ways entries are
979	      named, the information that can be held in an entry, the
980	      attributes used to represent that information and their
981	      organization into hierarchies to facilitate search and retrieval
982	      of the information and the ways in which values of attributes may
983	      be matched in attribute value and matching rule assertions.

985	      NOTE 1 - The schema enables the Directory system to, for example:

987	      - prevent the creation of subordinate entries of the wrong
988	        object-class (e.g. a country as a subordinate of a person);

990	      - prevent the addition of attribute-types to an entry
991	        inappropriate to the object-class (e.g. a serial number to a
992	        person's entry);

994	      - prevent the addition of an attribute value of a syntax not
995	        matching that defined for the attribute-type (e.g. a printable
996	        string to a bit string).

998	        Formally, the Directory Schema comprises a set of:

1000	      a) Name Form definitions that define primitive naming relations
1001	         for structural object classes;

1003	      b) DIT Structure Rule definitions that define the names that
1004	         entries may have and the ways in which the entries may be
1005	         related to one another in the DIT;

1007	      c) DIT Content Rule definitions that extend the specification of
1008	         allowable attributes for entries beyond those indicated by the
1009	         structural object classes of the entries;

1011	      d) Object Class definitions that define the basic set of mandatory
1012	         and optional attributes that shall be present, and may be
1013	         present, respectively, in an entry of a given class, and which
1014	         indicate the kind of object class that is being defined;

1016	      e) Attribute Type definitions that identify the object identifier
1017	         by which an attribute is known, its syntax, associated matching
1018	         rules, whether it is an operational attribute and if so its
1019	         type, whether it is a collective attribute, whether it is
1020	         permitted to have multiple values and whether or not it is
1021	         derived from another attribute type;

1023	      f) Matching Rule definitions that define matching rules.

1025	  And in LDAP:

1027	      g) LDAP Syntax definitions that define encodings used in LDAP.

1029	4.1. Schema Definitions

1031	  Schema definitions in this section are described using ABNF and rely
1032	  on the common productions specified in Section 1.2 as well as these:

1034	      noidlen = numericoid [ LCURLY len RCURLY ]
1035	      len = number

1037	      oids = oid / ( LPAREN WSP oidlist WSP RPAREN )
1038	      oidlist = oid *( WSP DOLLAR WSP oid )

1040	      extensions = *( SP xstring SP qdstrings )
1041	      xstring = "X" HYPHEN 1*( ALPHA / HYPHEN / USCORE )

1043	      qdescrs = qdescr / ( LPAREN WSP qdescrlist WSP RPAREN )
1044	      qdescrlist = [ qdescr *( SP qdescr ) ]
1045	      qdescr = SQUOTE descr SQUOTE

1047	      qdstrings = qdstring / ( LPAREN WSP qdstringlist WSP RPAREN )
1048	      qdstringlist = [ qdstring *( SP qdstring ) ]
1049	      qdstring = SQUOTE dstring SQUOTE
1050	      dstring = 1*( QS / QQ / QUTF8 )   ; escaped UTF-8 string

1052	      QQ =  ESC %x32 %x37 ; "\27"
1053	      QS =  ESC %x35 ( %x43 / %x63 ) ; "\5C" / "\5c"

1055	      ; Any UTF-8 encoded Unicode character
1056	      ; except %x27 ("'") and %x5C ("\")
1057	      QUTF8    = QUTF1 / UTFMB

1059	      ; Any ASCII character except %x27 ("'") and %x5C ("\")
1060	      QUTF1    = %x00-26 / %x28-5B / %x5D-7F

1062	  Schema definitions in this section also share a number of common
1063	  terms.

1065	  The NAME field provides a set of short names (descriptors) which are
1066	  to be used as aliases for the OID.

1068	  The DESC field optionally allows a descriptive string to be provided
1069	  by the directory administrator and/or implementor.  While
1070	  specifications may suggest a descriptive string, there is no
1071	  requirement that the suggested (or any) descriptive string be used.

1073	  The OBSOLETE field, if present, indicates the element is not active.

1075	  Implementors should note that future versions of this document may
1076	  expand these definitions to include additional terms.  Terms whose
1077	  identifier begins with "X-" are reserved for private experiments, and
1078	  are followed by <SP> and <qdstrings> tokens.

1080	4.1.1. Object Class Definitions

1082	  Object Class definitions are written according to the ABNF:

1084	    ObjectClassDescription = LPAREN WSP
1085	        numericoid                 ; object identifier
1086	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1087	        [ SP "DESC" SP qdstring ]  ; description
1088	        [ SP "OBSOLETE" ]          ; not active
1089	        [ SP "SUP" SP oids ]       ; superior object classes
1090	        [ SP kind ]                ; kind of class
1091	        [ SP "MUST" SP oids ]      ; attribute types
1092	        [ SP "MAY" SP oids ]       ; attribute types
1093	        extensions WSP RPAREN

1095	    kind = "ABSTRACT" / "STRUCTURAL" / "AUXILIARY"

1097	  where:
1098	    <numericoid> is object identifier assigned to this object class;
1099	    NAME <qdescrs> are short names (descriptors) identifying this object
1100	        class;
1101	    DESC <qdstring> is a short descriptive string;
1102	    OBSOLETE indicates this object class is not active;
1103	    SUP <oids> specifies the direct superclasses of this object class;
1104	    the kind of object class is indicated by one of ABSTRACT,
1105	        STRUCTURAL, or AUXILIARY, default is STRUCTURAL;
1106	    MUST and MAY specify the sets of required and allowed attribute
1107	        types, respectively; and
1108	    <extensions> describe extensions.

1110	4.1.2. Attribute Types

1112	  Attribute Type definitions are written according to the ABNF:

1114	    AttributeTypeDescription = LPAREN WSP
1115	        numericoid                    ; object identifier
1116	        [ SP "NAME" SP qdescrs ]      ; short names (descriptors)
1117	        [ SP "DESC" SP qdstring ]     ; description
1118	        [ SP "OBSOLETE" ]             ; not active
1119	        [ SP "SUP" SP oid ]           ; supertype
1120	        [ SP "EQUALITY" SP oid ]      ; equality matching rule
1121	        [ SP "ORDERING" SP oid ]      ; ordering matching rule
1122	        [ SP "SUBSTR" SP oid ]        ; substrings matching rule
1123	        [ SP "SYNTAX" SP noidlen ]    ; value syntax
1124	        [ SP "SINGLE-VALUE" ]         ; single-value
1125	        [ SP "COLLECTIVE" ]           ; collective
1126	        [ SP "NO-USER-MODIFICATION" ] ; not user modifiable
1127	        [ SP "USAGE" SP usage ]       ; usage
1128	        extensions WSP RPAREN         ; extensions

1130	    usage = "userApplications"     /  ; user
1131	            "directoryOperation"   /  ; directory operational
1132	            "distributedOperation" /  ; DSA-shared operational
1133	            "dSAOperation"            ; DSA-specific operational

1135	  where:
1136	    <numericoid> is object identifier assigned to this attribute type;
1137	    NAME <qdescrs> are short names (descriptors) identifying this
1138	        attribute type;
1139	    DESC <qdstring> is a short descriptive string;
1140	    OBSOLETE indicates this attribute type is not active;
1141	    SUP oid specifies the direct supertype of this type;
1142	    EQUALITY, ORDERING, SUBSTR provide the oid of the equality,
1143	        ordering, and substrings matching rules, respectively;
1144	    SYNTAX identifies value syntax by object identifier and may suggest
1145	        a minimum upper bound;
1146	    SINGLE-VALUE indicates attributes of this type are restricted to a
1147	        single value;
1148	    COLLECTIVE indicates this attribute type is collective
1149	        [X.501][RFC3671];
1150	    NO-USER-MODIFICATION indicates this attribute type is not user
1151	        modifiable;
1152	    USAGE indicates the application of this attribute type; and
1153	    <extensions> describe extensions.

1155	  Each attribute type description must contain at least one of the SUP
1156	  or SYNTAX fields.  If no SYNTAX field is provided, the attribute type
1157	  description takes its value from the supertype.

1159	  If SUP field is provided, the EQUALITY, ORDERING, and SUBSTRING
1160	  fields, if not specified, take their value from the supertype.

1162	  Usage of userApplications, the default, indicates that attributes of
1163	  this type represent user information.  That is, they are user
1164	  attributes.

1166	  A usage of directoryOperation, distributedOperation, or dSAOperation
1167	  indicates that attributes of this type represent operational and/or
1168	  administrative information.  That is, they are operational attributes.

1170	  directoryOperation usage indicates that the attribute of this type is
1171	  a directory operational attribute.  distributedOperation usage
1172	  indicates that the attribute of this DSA-shared usage operational
1173	  attribute.  dSAOperation usage indicates that the attribute of this
1174	  type is a DSA-specific operational attribute.

1176	  COLLECTIVE requires usage userApplications.  Use of collective
1177	  attribute types in LDAP is discussed in [RFC3671].

1179	  NO-USER-MODIFICATION requires an operational usage.

1181	  Note that the <AttributeTypeDescription> does not list the matching
1182	  rules which can be used with that attribute type in an extensibleMatch
1183	  search filter [Protocol].  This is done using the 'matchingRuleUse'
1184	  attribute described in Section 4.1.4.

1186	  This document refines the schema description of X.501 by requiring
1187	  that the SYNTAX field in an <AttributeTypeDescription> be a string
1188	  representation of an object identifier for the LDAP string syntax
1189	  definition with an optional indication of the suggested minimum bound
1190	  of a value of this attribute.

1192	  A suggested minimum upper bound on the number of characters in a value
1193	  with a string-based syntax, or the number of bytes in a value for all
1194	  other syntaxes, may be indicated by appending this bound count inside
1195	  of curly braces following the syntax's OBJECT IDENTIFIER in an
1196	  Attribute Type Description.  This bound is not part of the syntax name
1197	  itself.  For instance, "1.3.6.4.1.1466.0{64}" suggests that server
1198	  implementations should allow a string to be 64 characters long,
1199	  although they may allow longer strings.  Note that a single character
1200	  of the Directory String syntax may be encoded in more than one octet
1201	  since UTF-8 [RFC3629] is a variable-length encoding.

1203	4.1.3. Matching Rules

1205	  Matching rules are used in performance of attribute value assertions,
1206	  such as in performance of a Compare operation.  They are also used in
1207	  evaluation of a Search filters, in determining which individual values
1208	  are be added or deleted during performance of a Modify operation, and
1209	  used in comparison of distinguished names.

1211	  Each matching rule is identified by an object identifier (OID) and,
1212	  optionally, one or more short names (descriptors).

1214	  Matching rule definitions are written according to the ABNF:

1216	    MatchingRuleDescription = LPAREN WSP
1217	        numericoid                 ; object identifier
1218	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1219	        [ SP "DESC" SP qdstring ]  ; description
1220	        [ SP "OBSOLETE" ]          ; not active
1221	        SP "SYNTAX" SP numericoid  ; assertion syntax
1222	        extensions WSP RPAREN      ; extensions

1224	  where:
1225	    <numericoid> is object identifier assigned to this matching rule;
1226	    NAME <qdescrs> are short names (descriptors) identifying this
1227	        matching rule;
1228	    DESC <qdstring> is a short descriptive string;
1229	    OBSOLETE indicates this matching rule is not active;
1230	    SYNTAX identifies the assertion syntax (the syntax of the assertion
1231	        value) by object identifier; and
1232	    <extensions> describe extensions.

1234	4.1.4. Matching Rule Uses

1236	  A matching rule use lists the attributes which are suitable for use
1237	  with an extensibleMatch search filter.

1239	  Matching rule use descriptions are written according to the following
1240	  ABNF:

1242	    MatchingRuleUseDescription = LPAREN WSP
1243	        numericoid                 ; object identifier
1244	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1245	        [ SP "DESC" SP qdstring ]  ; description
1246	        [ SP "OBSOLETE" ]          ; not active
1247	        SP "APPLIES" SP oids       ; attribute types
1248	        extensions WSP RPAREN      ; extensions

1250	  where:
1251	    <numericoid> is the object identifier of the matching rule
1252	        associated with this matching rule use description;
1253	    NAME <qdescrs> are short names (descriptors) identifying this
1254	        matching rule use;
1255	    DESC <qdstring> is a short descriptive string;
1256	    OBSOLETE indicates this matching rule use is not active;
1257	    APPLIES provides a list of attribute types the matching rule applies
1258	        to; and
1259	    <extensions> describe extensions.

1261	4.1.5. LDAP Syntaxes

1263	  LDAP Syntaxes of (attribute and assertion) values are described in
1264	  terms of ASN.1 [X.680] and, optionally, have an octet string encoding
1265	  known as the LDAP-specific encoding.  Commonly, the LDAP-specific
1266	  encoding is constrained to a string of Unicode [Unicode] characters in
1267	  UTF-8 [RFC3629] form.

1269	  Each LDAP syntax is identified by an object identifier (OID).

1271	  LDAP syntax definitions are written according to the ABNF:

1273	    SyntaxDescription = LPAREN WSP
1274	        numericoid                 ; object identifier
1275	        [ SP "DESC" SP qdstring ]  ; description
1276	        extensions WSP RPAREN      ; extensions

1278	  where:
1279	    <numericoid> is the object identifier assigned to this LDAP syntax;
1280	    DESC <qdstring> is a short descriptive string; and
1281	    <extensions> describe extensions.

1283	4.1.6. DIT Content Rules

1285	  A DIT content rule is a "rule governing the content of entries of a
1286	  particular structural object class" [X.501].

1288	  For DIT entries of a particular structural object class, a DIT content
1289	  rule specifies which auxiliary object classes the entries are allowed
1290	  to belong to and which additional attributes (by type) are required,
1291	  allowed or not allowed to appear in the entries.

1293	  The list of precluded attributes cannot include any attribute listed
1294	  as mandatory in the rule, the structural object class, or any of the
1295	  allowed auxiliary object classes.

1297	  Each content rule is identified by the object identifier, as well as
1298	  any short names (descriptors), of the structural object class it
1299	  applies to.

1301	  An entry may only belong to auxiliary object classes listed in the
1302	  governing content rule.

1304	  An entry must contain all attributes required by the object classes
1305	  the entry belongs to as well as all attributes required by the
1306	  governing content rule.

1308	  An entry may contain any non-precluded attributes allowed by the
1309	  object classes the entry belongs to as well as all attributes allowed
1310	  by the governing content rule.

1312	  An entry cannot include any attribute precluded by the governing
1313	  content rule.

1315	  An entry is governed by (if present and active in the subschema) the
1316	  DIT content rule which applies to the structural object class of the
1317	  entry (see Section 2.4.2).  If no active rule is present for the
1318	  entry's structural object class, the entry's content is governed by
1319	  the structural object class (and possibly other aspects of user and
1320	  system schema).  DIT content rules for superclasses of the structural
1321	  object class of an entry are not applicable to that entry.

1323	  DIT content rule descriptions are written according to the ABNF:

1325	    DITContentRuleDescription = LPAREN WSP
1326	        numericoid                 ; object identifier
1327	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1328	        [ SP "DESC" SP qdstring ]  ; description
1329	        [ SP "OBSOLETE" ]          ; not active
1330	        [ SP "AUX" SP oids ]       ; auxiliary object classes
1331	        [ SP "MUST" SP oids ]      ; attribute types
1332	        [ SP "MAY" SP oids ]       ; attribute types
1333	        [ SP "NOT" SP oids ]       ; attribute types
1334	        extensions WSP RPAREN      ; extensions

1336	  where:
1337	    <numericoid> is the object identifier of the structural object class
1338	        associated with this DIT content rule;
1339	    NAME <qdescrs> are short names (descriptors) identifying this DIT
1340	        content rule;
1341	    DESC <qdstring> is a short descriptive string;
1342	    OBSOLETE indicates this DIT content rule use is not active;
1343	    AUX specifies a list of auxiliary object classes which entries
1344	        subject to this DIT content rule may belong to;
1345	    MUST, MAY, and NOT specify lists of attribute types which are
1346	        required, allowed, or precluded, respectively, from appearing in
1347	        entries subject to this DIT content rule; and
1348	    <extensions> describe extensions.

1350	4.1.7. DIT Structure Rules and Name Forms

1352	  It is sometimes desirable to regulate where object and alias entries
1353	  can be placed in the DIT and how they can be named based upon their
1354	  structural object class.

1356	4.1.7.1. DIT Structure Rules

1358	  A DIT structure rule is a "rule governing the structure of the DIT by
1359	  specifying a permitted superior to subordinate entry relationship.  A
1360	  structure rule relates a name form, and therefore a structural object
1361	  class, to superior structure rules.  This permits entries of the
1362	  structural object class identified by the name form to exist in the
1363	  DIT as subordinates to entries governed by the indicated superior
1364	  structure rules" [X.501].

1366	  DIT structure rule descriptions are written according to the ABNF:

1368	    DITStructureRuleDescription = LPAREN WSP
1369	        ruleid                     ; rule identifier
1370	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1371	        [ SP "DESC" SP qdstring ]  ; description
1372	        [ SP "OBSOLETE" ]          ; not active
1373	        SP "FORM" SP oid           ; NameForm
1374	        [ SP "SUP" ruleids ]       ; superior rules
1375	        extensions WSP RPAREN      ; extensions

1377	    ruleids = ruleid / ( LPAREN WSP ruleidlist WSP RPAREN )
1378	    ruleidlist = ruleid *( SP ruleid )
1379	    ruleid = number

1381	  where:
1382	    <ruleid> is the rule identifier of this DIT structure rule;
1383	    NAME <qdescrs> are short names (descriptors) identifying this DIT
1384	        structure rule;
1385	    DESC <qdstring> is a short descriptive string;
1386	    OBSOLETE indicates this DIT structure rule use is not active;
1387	    FORM is specifies the name form associated with this DIT structure
1388	        rule;
1389	    SUP identifies superior rules (by rule id); and
1390	    <extensions> describe extensions.

1392	  If no superior rules are identified, the DIT structure rule applies
1393	  to an autonomous administrative point (e.g. the root vertex of the
1394	  subtree controlled by the subschema) [X.501].

1396	4.1.7.2. Name Forms

1398	  A name form "specifies a permissible RDN for entries of a particular
1399	  structural object class.  A name form identifies a named object
1400	  class and one or more attribute types to be used for naming (i.e.
1401	  for the RDN).  Name forms are primitive pieces of specification
1402	  used in the definition of DIT structure rules" [X.501].

1404	  Each name form indicates the structural object class to be named,
1405	  a set of required attribute types, and a set of allowed attribute
1406	  types.  A particular attribute type cannot be in both sets.

1408	  Entries governed by the form must be named using a value from each
1409	  required attribute type and zero or more values from the allowed
1410	  attribute types.

1412	  Each name form is identified by an object identifier (OID) and,
1413	  optionally, one or more short names (descriptors).

1415	  Name form descriptions are written according to the ABNF:

1417	    NameFormDescription = LPAREN WSP
1418	        numericoid                 ; object identifier
1419	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1420	        [ SP "DESC" SP qdstring ]  ; description
1421	        [ SP "OBSOLETE" ]          ; not active
1422	        SP "OC" SP oid             ; structural object class
1423	        SP "MUST" SP oids          ; attribute types
1424	        [ SP "MAY" SP oids ]       ; attribute types
1425	        extensions WSP RPAREN      ; extensions

1427	  where:
1428	    <numericoid> is object identifier which identifies this name form;
1429	    NAME <qdescrs> are short names (descriptors) identifying this name
1430	        form;
1431	    DESC <qdstring> is a short descriptive string;
1432	    OBSOLETE indicates this name form is not active;
1433	    OC identifies the structural object class this rule applies to,
1434	    MUST and MAY specify the sets of required and allowed, respectively,
1435	        naming attributes for this name form; and
1436	    <extensions> describe extensions.

1438	  All attribute types in the required ("MUST") and allowed ("MAY") lists
1439	  shall be different.

1441	4.2. Subschema Subentries
1442	  Subschema (sub)entries are used for administering information about
1443	  the directory schema.  A single subschema (sub)entry contains all
1444	  schema definitions (see Section 4.1) used by entries in a particular
1445	  part of the directory tree.

1447	  Servers which follow X.500(93) models SHOULD implement subschema using
1448	  the X.500 subschema mechanisms (as detailed in Section 12 of [X.501]),
1449	  and so these are not ordinary object entries but subentries (see
1450	  Section 3.2).  LDAP clients SHOULD NOT assume that servers implement
1451	  any of the other aspects of X.500 subschema.

1453	  Servers MAY allow subschema modification.  Procedures for subschema
1454	  modification are discussed in Section 14.5 of [X.501].

1456	  A server which masters entries and permits clients to modify these
1457	  entries SHALL implement and provide access to these subschema
1458	  (sub)entries including providing a 'subschemaSubentry' attribute in
1459	  each modifiable entry.  This is so clients may discover the attributes
1460	  and object classes which are permitted to be present.  It is strongly
1461	  RECOMMENDED that all other servers implement this as well.

1463	  The value of the 'subschemaSubentry' attribute is the name of the
1464	  subschema (sub)entry holding the subschema controlling the entry.

1466	      ( 2.5.18.10 NAME 'subschemaSubentry'
1467	        EQUALITY distinguishedNameMatch
1468	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
1469	        NO-USER-MODIFICATION SINGLE-VALUE
1470	        USAGE directoryOperation )

1472	  The 'distinguishedNameMatch' matching rule and the DistinguishedName
1473	  (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [Syntaxes].

1475	  Subschema is held in (sub)entries belonging to the subschema auxiliary
1476	  object class.

1478	      ( 2.5.20.1 NAME 'subschema' AUXILIARY
1479	        MAY ( dITStructureRules $ nameForms $ ditContentRules $
1480	          objectClasses $ attributeTypes $ matchingRules $
1481	          matchingRuleUse ) )

1483	  The 'ldapSyntaxes' operational attribute may also be present in
1484	  subschema entries.

1486	  Servers MAY provide additional attributes (described in other
1487	  documents) in subschema (sub)entries.

1489	  Servers SHOULD provide the attributes 'createTimestamp' and
1490	  'modifyTimestamp' in subschema (sub)entries, in order to allow clients
1491	  to maintain their caches of schema information.

1493	  The following subsections provide attribute type definitions for each
1494	  of schema definition attribute types.

1496	4.2.1. 'objectClasses'

1498	  This attribute holds definitions of object classes.

1500	      ( 2.5.21.6 NAME 'objectClasses'
1501	        EQUALITY objectIdentifierFirstComponentMatch
1502	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.37
1503	        USAGE directoryOperation )

1505	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1506	  ObjectClassDescription (1.3.6.1.4.1.1466.115.121.1.37) syntax are
1507	  defined in [Syntaxes].

1509	4.2.2. 'attributeTypes'

1511	  This attribute holds definitions of attribute types.

1513	      ( 2.5.21.5 NAME 'attributeTypes'
1514	        EQUALITY objectIdentifierFirstComponentMatch
1515	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.3
1516	        USAGE directoryOperation )

1518	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1519	  AttributeTypeDescription (1.3.6.1.4.1.1466.115.121.1.3) syntax are
1520	  defined in [Syntaxes].

1522	4.2.3. 'matchingRules'

1524	  This attribute holds definitions of matching rules.

1526	      ( 2.5.21.4 NAME 'matchingRules'
1527	        EQUALITY objectIdentifierFirstComponentMatch
1528	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.30
1529	        USAGE directoryOperation )

1531	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1532	  MatchingRuleDescription (1.3.6.1.4.1.1466.115.121.1.30) syntax are
1533	  defined in [Syntaxes].

1535	4.2.4 'matchingRuleUse'

1537	  This attribute holds definitions of matching rule uses.

1539	      ( 2.5.21.8 NAME 'matchingRuleUse'
1540	        EQUALITY objectIdentifierFirstComponentMatch
1541	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.31
1542	        USAGE directoryOperation )

1544	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1545	  MatchingRuleUseDescription (1.3.6.1.4.1.1466.115.121.1.31) syntax are
1546	  defined in [Syntaxes].

1548	4.2.5. 'ldapSyntaxes'

1550	  This attribute holds definitions of LDAP syntaxes.

1552	      ( 1.3.6.1.4.1.1466.101.120.16 NAME 'ldapSyntaxes'
1553	        EQUALITY objectIdentifierFirstComponentMatch
1554	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.54
1555	        USAGE directoryOperation )

1557	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1558	  SyntaxDescription (1.3.6.1.4.1.1466.115.121.1.54) syntax are defined
1559	  in [Syntaxes].

1561	4.2.6. 'dITContentRules'

1563	  This attribute lists DIT Content Rules which are present in the
1564	  subschema.

1566	      ( 2.5.21.2 NAME 'dITContentRules'
1567	        EQUALITY objectIdentifierFirstComponentMatch
1568	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.16
1569	        USAGE directoryOperation )

1571	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1572	  DITContentRuleDescription (1.3.6.1.4.1.1466.115.121.1.16) syntax are
1573	  defined in [Syntaxes].

1575	4.2.7. 'dITStructureRules'

1577	  This attribute lists DIT Structure Rules which are present in the
1578	  subschema.

1580	      ( 2.5.21.1 NAME 'dITStructureRules'
1581	        EQUALITY integerFirstComponentMatch
1582	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.17
1583	        USAGE directoryOperation )

1585	  The 'integerFirstComponentMatch' matching rule and the
1586	  DITStructureRuleDescription (1.3.6.1.4.1.1466.115.121.1.17) syntax are
1587	  defined in [Syntaxes].

1589	4.2.8 'nameForms'

1591	  This attribute lists Name Forms which are in force.

1593	      ( 2.5.21.7 NAME 'nameForms'
1594	        EQUALITY objectIdentifierFirstComponentMatch
1595	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.35
1596	        USAGE directoryOperation )

1598	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1599	  NameFormDescription (1.3.6.1.4.1.1466.115.121.1.35) syntax are defined
1600	  in [Syntaxes].

1602	4.3. 'extensibleObject' object class

1604	  The 'extensibleObject' auxiliary object class allows entries that
1605	  belong to it to hold any user attribute.  The set of allowed attribute
1606	  types of this object class is implicitly the set of all attribute
1607	  types of userApplications usage.

1609	      ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject'
1610	        SUP top AUXILIARY )

1612	  The mandatory attributes of the other object classes of this entry are
1613	  still required to be present and any precluded attributes are still
1614	  not allowed to be present.

1616	4.4. Subschema Discovery

1618	  To discover the DN of the subschema (sub)entry holding the subschema
1619	  controlling a particular entry, a client reads that entry's
1620	  'subschemaSubentry' operational attribute.  To read schema attributes
1621	  from the subschema (sub)entry, clients MUST issue a Search operation
1622	  [Protocol] where baseObject is the DN of the subschema (sub)entry,
1623	  scope is baseObject, filter is "(objectClass=subschema)" [Filters],
1624	  and attributes field lists the names of the desired schema attributes
1625	  (as they are operational).  Note: the "(objectClass=subschema)" filter
1626	  allows LDAP servers which gateway to X.500 to detect that subentry
1627	  information is being requested.

1629	  Clients SHOULD NOT assume a published subschema is complete nor assume
1630	  the server supports all of the schema elements it publishes nor assume
1631	  the server does not support an unpublished element.

1633	5. DSA (Server) Informational Model

1635	  The LDAP protocol assumes there are one or more servers which jointly
1636	  provide access to a Directory Information Tree (DIT).  The server
1637	  holding the original information is called the "master" (for that
1638	  information).  Servers which hold copies of the original information
1639	  are referred to as "shadowing" or "caching" servers.

1641	  As defined in [X.501]:

1643	      context prefix: The sequence of RDNs leading from the Root of the
1644	          DIT to the initial vertex of a naming context; corresponds to
1645	          the distinguished name of that vertex.

1647	  and:

1649	      naming context: A subtree of entries held in a single master DSA.

1651	  That is, a naming context is the largest collection of entries,
1652	  starting at an entry that is mastered by a particular server, and
1653	  including all its subordinates and their subordinates, down to the
1654	  entries which are mastered by different servers.  The context prefix
1655	  is the name of the initial entry.

1657	  The root of the DIT is a DSA-specific Entry (DSE) and not part of any
1658	  naming context (or any subtree); each server has different attribute
1659	  values in the root DSE.

1661	5.1. Server-specific Data Requirements

1663	  An LDAP server SHALL provide information about itself and other
1664	  information that is specific to each server.  This is represented as a
1665	  group of attributes located in the root DSE, which is named with the
1666	  DN with zero RDNs (whose [LDAPDN] representation is as the zero-length
1667	  string).

1669	  These attributes are retrievable, subject to access control and other
1670	  restrictions, if a client performs a Search operation [Protocol] with
1671	  an empty baseObject, scope of baseObject, the filter "(objectClass=*)"
1672	  [Filters], and with the attributes field listing the names of the
1673	  desired attributes.  It is noted that root DSE attributes are
1674	  operational, and like other operational attributes, are not returned
1675	  in search requests unless requested by name.

1677	  The root DSE SHALL NOT be included if the client performs a subtree
1678	  search starting from the root.

1680	  Servers may allow clients to modify attributes of the root DSE where
1681	  appropriate.

1683	  The following attributes of the root DSE are defined in [Syntaxes].
1684	  Additional attributes may be defined in other documents.

1686	    - altServer: alternative servers;

1688	    - namingContexts: naming contexts;

1690	    - supportedControl: recognized LDAP controls;

1692	    - supportedExtension: recognized LDAP extended operations;

1694	    - supportedLDAPVersion: LDAP versions supported; and

1696	    - supportedSASLMechanisms: recognized Simple Authentication and
1697	      Security Layers (SASL) [SASL] mechanisms.

1699	  The values provided for these attributes may depend on
1700	  session-specific and other factors.  For example, a server supporting
1701	  the SASL EXTERNAL mechanism might only list "EXTERNAL" when the
1702	  client's identity has been established by a lower level.  See
1703	  [AuthMeth].

1705	  The root DSE may also include a 'subschemaSubentry' attribute.  If so,
1706	  it refers to the subschema (sub)entry holding the schema controlling
1707	  the root DSE.  Clients SHOULD NOT assume that this subschema
1708	  (sub)entry controls other entries held by the server.  General
1709	  subschema discovery procedures are provided in Section 4.4.

1711	5.1.1. 'altServer'

1713	  The 'altServer' attribute lists URIs referring to alternative servers
1714	  which may be contacted when this server becomes unavailable.  URIs for
1715	  servers implementing the LDAP are written according to [LDAPURL].
1716	  Other kinds of URIs may be provided.  If the server does not know of
1717	  any other servers which could be used this attribute will be absent.
1718	  Clients may cache this information in case their preferred server
1719	  later becomes unavailable.

1721	      ( 1.3.6.1.4.1.1466.101.120.6 NAME 'altServer'
1722	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
1723	        USAGE dSAOperation )

1725	  The IA5String (1.3.6.1.4.1.1466.115.121.1.26) syntax is defined in
1726	  [Syntaxes].

1728	5.1.2. 'namingContexts'

1730	  The 'namingContexts' attribute lists the context prefixes of the
1731	  naming contexts the server masters or shadows (in part or in whole).
1732	  If the server is a first-level DSA [X.501], it should list (in
1733	  addition) an empty string (indicating the root of the DIT).  If the
1734	  server does not master or shadow any information (e.g. it is an LDAP
1735	  gateway to a public X.500 directory) this attribute will be absent.
1736	  If the server believes it masters or shadows the entire directory, the
1737	  attribute will have a single value, and that value will be the empty
1738	  string (indicating the root of the DIT).

1740	  This attribute may be used, for example, to select a suitable entry
1741	  name for subsequent operations with this server.

1743	      ( 1.3.6.1.4.1.1466.101.120.5 NAME 'namingContexts'
1744	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
1745	        USAGE dSAOperation )

1747	  The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax is
1748	  defined in [Syntaxes].

1750	5.1.3. 'supportedControl'

1752	  The 'supportedControl' attribute lists object identifiers identifying
1753	  the request controls [Protocol] the server supports.  If the server
1754	  does not support any request controls, this attribute will be absent.
1755	  Object identifiers identifying response controls need not be listed.

1757	  Procedures for registering object identifiers used to discovery of
1758	  protocol mechanisms are detailed in BCP 64 [BCP64bis].

1760	      ( 1.3.6.1.4.1.1466.101.120.13 NAME 'supportedControl'
1761	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
1762	        USAGE dSAOperation )

1764	  The OBJECT IDENTIFIER (1.3.6.1.4.1.1466.115.121.1.38) syntax is
1765	  defined in [Syntaxes].

1767	5.1.4. 'supportedExtension'

1769	  The 'supportedExtension' attribute lists object identifiers
1770	  identifying the extended operations [Protocol] which the server
1771	  supports.  If the server does not support any extended operations,
1772	  this attribute will be absent.

1774	  An extended operation generally consists of an extended request and an
1775	  extended response but may also include other protocol data units (such
1776	  as intermediate responses).  The object identifier assigned to the
1777	  extended request is used to identify the extended operation.  Other
1778	  object identifiers used in the extended operation need not be listed
1779	  as values of this attribute.

1781	  Procedures for registering object identifiers used to discovery of
1782	  protocol mechanisms are detailed in BCP 64 [BCP64bis].

1784	      ( 1.3.6.1.4.1.1466.101.120.7 NAME 'supportedExtension'
1785	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
1786	        USAGE dSAOperation )

1788	  The OBJECT IDENTIFIER (1.3.6.1.4.1.1466.115.121.1.38) syntax is
1789	  defined in [Syntaxes].

1791	5.1.5. 'supportedLDAPVersion'

1793	  The 'supportedLDAPVersion' attribute lists the versions of LDAP which
1794	  the server supports.

1796	      ( 1.3.6.1.4.1.1466.101.120.15 NAME 'supportedLDAPVersion'
1797	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
1798	        USAGE dSAOperation )

1800	  The INTEGER (1.3.6.1.4.1.1466.115.121.1.27) syntax are defined in
1801	  [Syntaxes].

1803	5.1.6. 'supportedSASLMechanisms'

1805	  The 'supportedSASLMechanisms' attribute lists the SASL mechanisms
1806	  [SASL] which the server recognizes and/or supports [AuthMeth].  The
1807	  contents of this attribute may depend on the current session state.
1808	  If the server does not support any SASL mechanisms this attribute will
1809	  not be present.

1811	      ( 1.3.6.1.4.1.1466.101.120.14 NAME 'supportedSASLMechanisms'
1812	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
1813	        USAGE dSAOperation )

1815	  The Directory String (1.3.6.1.4.1.1466.115.121.1.15) syntax is defined
1816	  in [Syntaxes].

1818	6. Other Considerations

1820	6.1. Preservation of User Information

1822	  Syntaxes may be defined which have specific value and/or value form
1823	  (representation) preservation requirements.  For example, a syntax
1824	  containing digitally signed data can mandate the server preserve both
1825	  the value and form of value presented to ensure signature is not
1826	  invalidated.

1828	  Where such requirements have not been explicitly stated, servers
1829	  SHOULD preserve the value of user information but MAY return the value
1830	  in a different form.  And where a server is unable (or unwilling) to
1831	  preserve the value of user information, the server SHALL ensure that
1832	  an equivalent value (per Section 2.3) is returned.

1834	6.2. Short Names

1836	  Short names, also known as descriptors, are used as more readable
1837	  aliases for object identifiers and are used to identify various schema
1838	  elements.  However, it is not expected that LDAP implementations with
1839	  human user interface would display these short names (nor the object
1840	  identifiers they refer to) to the user, but would most likely be
1841	  performing translations (such as expressing the short name in one of
1842	  the local national languages).  For example, the short name "st"
1843	  (stateOrProvinceName) might be displayed to a German-speaking user as
1844	  "Land".

1846	  The same short name might have different meaning in different
1847	  subschemas and, within a particular subschema, the same short name
1848	  might refer to different object identifiers each identifying a
1849	  different kind of schema element.

1851	  Implementations MUST be prepared that the same short name might be
1852	  used in a subschema to refer to the different kinds of schema
1853	  elements.  That is, there might be an object class 'x-fubar' and an
1854	  attribute type 'x-fubar' in a subschema.

1856	  Implementations MUST be prepared that the same short name might be
1857	  used in the different subschemas to refer to the different schema
1858	  elements.  That is, there might be two matching rules 'x-fubar', each
1859	  in different subschemas.

1861	  Procedures for registering short names (descriptors) are detailed in
1862	  BCP 64 [BCP64bis].

1864	6.3. Cache and Shadowing

1866	  Some servers may hold cache or shadow copies of entries, which can be
1867	  used to answer search and comparison queries, but will return
1868	  referrals or contact other servers if modification operations are
1869	  requested.  Servers that perform shadowing or caching MUST ensure that
1870	  they do not violate any access control constraints placed on the data
1871	  by the originating server.

1873	7. Implementation Guidelines

1875	7.1 Server Guidelines

1877	  Servers MUST recognize all names of attribute types and object classes
1878	  defined in this document but, unless stated otherwise, need not
1879	  support the associated functionality.  Servers SHOULD recognize all
1880	  the names of attribute types and object classes defined in Section 3
1881	  and 4, respectively, of [Schema].

1883	  Servers MUST ensure that entries conform to user and system schema
1884	  rules or other data model constraints.

1886	  Servers MAY support DIT Content Rules.  Servers MAY support DIT
1887	  Structure Rules and Name Forms.

1889	  Servers MAY support alias entries.

1891	  Servers MAY support the 'extensibleObject' object class.

1893	  Servers MAY support subentries.  If so, they MUST do so in accordance
1894	  with [RFC3672].  Servers which do not support subentries SHOULD use
1895	  object entries to mimic subentries as detailed in Section 3.2.

1897	  Servers MAY implement additional schema elements.  Servers SHOULD
1898	  provide definitions of all schema elements they support in subschema
1899	  (sub)entries.

1901	7.2 Client Guidelines

1903	  In the absence of prior agreements with servers, clients SHOULD NOT
1904	  assume that servers support any particular schema elements beyond
1905	  those referenced in Section 7.1.  The client can retrieve subschema
1906	  information as described in Section 4.4.

1908	  Clients MUST NOT display nor attempt to decode as ASN.1, a value if
1909	  its syntax is not known.   Clients MUST NOT assume the LDAP-specific
1910	  string encoding is restricted to a UTF-8 encoded string of Unicode
1911	  characters or any particular subset of Unicode (such as a printable
1912	  subset) unless such restriction is explicitly stated.  Clients SHOULD
1913	  NOT send attribute values in a request that are not valid according to
1914	  the syntax defined for the attributes.

1916	8. Security Considerations

1918	  Attributes of directory entries are used to provide descriptive
1919	  information about the real-world objects they represent, which can be
1920	  people, organizations or devices.  Most countries have privacy laws
1921	  regarding the publication of information about people.

1923	  General security considerations for accessing directory information
1924	  with LDAP are discussed in [Protocol] and [AuthMeth].

1926	9. IANA Considerations

1928	  It is requested that the Internet Assigned Numbers Authority (IANA)
1929	  update the LDAP descriptors registry as indicated in the following
1930	  template:

1932	      Subject: Request for LDAP Descriptor Registration Update
1933	      Descriptor (short name): see comment
1934	      Object Identifier: see comment
1935	      Person & email address to contact for further information:
1936	          Kurt Zeilenga <kurt@OpenLDAP.org>
1937	      Usage: see comment
1938	      Specification: RFC XXXX
1939	      Author/Change Controller: IESG
1940	      Comments:

1942	      The following descriptors (short names) should be added to
1943	      the registry.

1945	        NAME                         Type OID
1946	        ------------------------     ---- -----------------
1947	        governingStructureRule          A 2.5.21.10
1948	        structuralObjectClass           A 2.5.21.9

1950	      The following descriptors (short names) should be updated to
1951	      refer to this RFC.

1953	        NAME                         Type OID
1954	        ------------------------     ---- -----------------
1955	        alias                           O 2.5.6.1
1956	        aliasedObjectName               A 2.5.4.1
1957	        altServer                       A 1.3.6.1.4.1.1466.101.120.6
1958	        attributeTypes                  A 2.5.21.5
1959	        createTimestamp                 A 2.5.18.1
1960	        creatorsName                    A 2.5.18.3
1961	        dITContentRules                 A 2.5.21.2
1962	        dITStructureRules               A 2.5.21.1
1963	        extensibleObject                O 1.3.6.1.4.1.1466.101.120.111
1964	        ldapSyntaxes                    A 1.3.6.1.4.1.1466.101.120.16
1965	        matchingRuleUse                 A 2.5.21.8
1966	        matchingRules                   A 2.5.21.4
1967	        modifiersName                   A 2.5.18.4
1968	        modifyTimestamp                 A 2.5.18.2
1969	        nameForms                       A 2.5.21.7
1970	        namingContexts                  A 1.3.6.1.4.1.1466.101.120.5
1971	        objectClass                     A 2.5.4.0
1972	        objectClasses                   A 2.5.21.6
1973	        subschema                       O 2.5.20.1
1974	        subschemaSubentry               A 2.5.18.10
1975	        supportedControl                A 1.3.6.1.4.1.1466.101.120.13
1976	        supportedExtension              A 1.3.6.1.4.1.1466.101.120.7
1977	        supportedLDAPVersion            A 1.3.6.1.4.1.1466.101.120.15
1978	        supportedSASLMechanisms         A 1.3.6.1.4.1.1466.101.120.14
1979	        top                             O 2.5.6.0

1981	10. Acknowledgments

1983	  This document is based in part on RFC 2251 by M. Wahl, T.  Howes, and
1984	  S. Kille; RFC 2252 by M. Wahl, A. Coulbeck, T. Howes, S.  Kille; and
1985	  RFC 2556 by M. Wahl, all products of the IETF Access, Searching and
1986	  Indexing of Directories (ASID) Working Group.  This document is also
1987	  based in part on "The Directory: Models" [X.501], a product of the
1988	  International Telephone Union (ITU).  Additional text was borrowed
1989	  from RFC 2253 by M. Wahl, T. Howes, and S. Kille.

1991	  This document is a product of the IETF LDAP Revision (LDAPBIS) Working
1992	  Group.

1994	11. Editor's Address

1996	  Kurt Zeilenga
1997	  E-mail: <kurt@openldap.org>

1999	12. References

2001	  [[Note to the RFC Editor: please replace the citation tags used in
2002	  referencing Internet-Drafts with tags of the form RFCnnnn.]]

2004	12.1. Normative References

2006	  [RFC2119]     Bradner, S., "Key words for use in RFCs to Indicate
2007	                Requirement Levels", BCP 14 (also RFC 2119), March 1997.

2009	  [RFC2234]     Crocker, D. and P. Overell, "Augmented BNF for Syntax
2010	                Specifications: ABNF", RFC 2234, November 1997.

2012	  [RFC3629]     Yergeau, F., "UTF-8, a transformation format of ISO
2013	                10646", RFC 3629 (also STD 63), November 2003.

2015	  [RFC3671]     Zeilenga, K., "Collective Attributes in LDAP", RFC 3671,
2016	                December 2003.

2018	  [RFC3672]     Zeilenga, K. and S. Legg, "Subentries in LDAP", RFC
2019	                3672, December 2003.

2021	  [BCP64bis]    Zeilenga, K., "IANA Considerations for LDAP",
2022	                draft-ietf-ldapbis-bcp64-xx.txt, a work in progress.

2024	  [Roadmap]     Zeilenga, K. (editor), "LDAP: Technical Specification
2025	                Road Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in
2026	                progress.

2028	  [Protocol]    Sermersheim, J. (editor), "LDAP: The Protocol",
2029	                draft-ietf-ldapbis-protocol-xx.txt, a work in progress.

2031	  [AuthMeth]    Harrison, R. (editor), "LDAP: Authentication Methods and
2032	                Connection Level Security Mechanisms",
2033	                draft-ietf-ldapbis-authmeth-xx.txt, a work in progress.

2035	  [Filters]     Smith, M. (editor), LDAPbis WG, "LDAP: String
2036	                Representation of Search Filters",
2037	                draft-ietf-ldapbis-filter-xx.txt, a work in progress.

2039	  [LDAPDN]      Zeilenga, K. (editor), "LDAP: String Representation of
2040	                Distinguished Names", draft-ietf-ldapbis-dn-xx.txt, a
2041	                work in progress.

2043	  [LDAPURL]     Smith, M. (editor), "LDAP: Uniform Resource Locator",
2044	                draft-ietf-ldapbis-url-xx.txt, a work in progress.

2046	  [SASL]        Melnikov, A. (Editor), "Simple Authentication and
2047	                Security Layer (SASL)",
2048	                draft-ietf-sasl-rfc2222bis-xx.txt, a work in progress.

2050	  [Syntaxes]    Legg, S. (editor), "LDAP: Syntaxes and Matching Rules",
2051	                draft-ietf-ldapbis-syntaxes-xx.txt, a work in progress.

2053	  [Schema]      Dally, K. (editor), "LDAP: User Schema",
2054	                draft-ietf-ldapbis-user-schema-xx.txt, a work in
2055	                progress.

2057	  [Unicode]     The Unicode Consortium, "The Unicode Standard, Version
2058	                3.2.0" is defined by "The Unicode Standard, Version 3.0"
2059	                (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5),
2060	                as amended by the "Unicode Standard Annex #27: Unicode
2061	                3.1" (http://www.unicode.org/reports/tr27/) and by the
2062	                "Unicode Standard Annex #28: Unicode 3.2"
2063	                (http://www.unicode.org/reports/tr28/).

2065	  [X.500]       International Telecommunication Union -
2066	                Telecommunication Standardization Sector, "The Directory
2067	                -- Overview of concepts, models and services,"
2068	                X.500(1993) (also ISO/IEC 9594-1:1994).

2070	  [X.501]       International Telecommunication Union -
2071	                Telecommunication Standardization Sector, "The Directory
2072	                -- Models," X.501(1993) (also ISO/IEC 9594-2:1994).

2074	  [X.680]       International Telecommunication Union -
2075	                Telecommunication Standardization Sector, "Abstract
2076	                Syntax Notation One (ASN.1) - Specification of Basic
2077	                Notation", X.680(1997) (also ISO/IEC 8824-1:1998).

2079	12.2. Informative References

2081	  None.

2083	Appendix A.  Changes

2085	  This appendix is non-normative.

2087	  This document amounts to nearly a complete rewrite of portions of RFC
2088	  2251, RFC 2252, and RFC 2256.  This rewrite was undertaken to improve
2089	  overall clarity of technical specification.  This appendix provides a
2090	  summary of substantive changes made to the portions of these documents
2091	  incorporated into this document.  Readers should consult [Roadmap],
2092	  [Protocol], [Syntaxes], and [Schema] for summaries of remaining
2093	  portions of these documents.

2095	A.1 Changes to RFC 2251

2097	  This document incorporates from RFC 2251 sections 3.2 and 3.4,
2098	  portions of Section 4 and 6 as summarized below.

2100	A.1.1 Section 3.2 of RFC 2251

2102	  Section 3.2 of RFC 2251 provided a brief introduction to the X.500
2103	  data model, as used by LDAP.  The previous specification relied on
2104	  [X.501] but lacked clarity in how X.500 models are adapted for use by
2105	  LDAP.  This document describes the X.500 data models, as used by LDAP
2106	  in greater detail, especially in areas where adaptation is needed.

2108	  Section 3.2.1 of RFC 2251 described an attribute as "a type with one
2109	  or more associated values."  In LDAP, an attribute is better described
2110	  as an attribute description, a type with zero or more options, and one
2111	  or more associated values.

2113	  Section 3.2.2 of RFC 2251 mandated that subschema subentries contain
2114	  objectClasses and attributeTypes attributes, yet X.500(93) treats
2115	  these attributes as optional.  While generally all implementations
2116	  that support X.500(93) subschema mechanisms will provide both of these
2117	  attributes, it is not absolutely required for interoperability that
2118	  all servers do.  The mandate was removed for consistency with
2119	  X.500(93).   The subschema discovery mechanism was also clarified to
2120	  indicate that subschema controlling an entry is obtained by reading
2121	  the (sub)entry referred to by that entry's 'subschemaSubentry'
2122	  attribute.

2124	A.1.2 Section 3.4 of RFC 2251

2126	  Section 3.4 of RFC 2251 provided "Server-specific Data Requirements".
2127	  This material, with changes, was incorporated in Section 5.1 of this
2128	  document.

2130	  Changes:

2132	  - Clarify that attributes of the root DSE are subject to "other
2133	    restrictions" in addition to access controls.

2135	  - Clarify that only recognized extended requests need to be enumerated
2136	    'supportedExtension'.

2138	  - Clarify that only recognized request controls need to be enumerated
2139	    'supportedControl'.

2141	  - Clarify that root DSE attributes are operational and, like other
2142	    operational attributes, will not be returned in search requests
2143	    unless requested by name.

2145	  - Clarify that not all root DSE attributes are user modifiable.

2147	  - Remove inconsistent text regarding handling of the
2148	    'subschemaSubentry' attribute within the root DSE.  The previous
2149	    specification stated that the 'subschemaSubentry' attribute held in
2150	    the root DSE referred to "subschema entries (or subentries) known by
2151	    this server."  This is inconsistent with the attribute intended use
2152	    as well as its formal definition as a single valued attribute
2153	    [X.501].  It is also noted that a simple (possibly incomplete) list
2154	    of subschema (sub)entries is not terrible useful.  This document (in
2155	    section 5.1) specifies that the 'subschemaSubentry' attribute of the
2156	    root DSE refers to the subschema controlling the root DSE.  It is
2157	    noted that the general subschema discovery mechanism remains
2158	    available (see Section 4.4 of this document).

2160	A.1.2 Section 4 of RFC 2251

2162	  Portions of Section 4 of RFC 2251 detailing aspects of the information
2163	  model used by LDAP were incorporated in this document, including:

2165	  - Restriction of distinguished values to attributes whose descriptions
2166	    have no options (from Section 4.1.3);

2168	  - Data model aspects of Attribute Types (from Section 4.1.4),
2169	    Attribute Descriptions (from 4.1.5), Attribute (from 4.1.8),
2170	    Matching Rule Identifier (from 4.1.9); and

2172	  - User schema requirements (from Section 4.1.6, 4.5.1, and 4.7).

2174	Clarifications to these portions include:

2176	  - Subtyping and AttributeDescriptions with options.

2178	A.1.3 Section 6 of RFC 2251

2180	    The Section 6.1 and the second paragraph of Section 6.2 of RFC 2251
2181	    where incorporated into this document.

2183	A.2 Changes to RFC 2252

2185	    This document incorporates Sections 4, 5 and 7 from RFC 2252.

2187	A.2.1 Section 4 of RFC 2252

2189	    The specification was updated to use Augmented BNF [RFC2234].  The
2190	    string representation of an OBJECT IDENTIFIER was tighten to
2191	    disallow leading zeros as described in RFC 2252 text.

2193	    The <descr> syntax was changed to disallow semicolon (U+003B)
2194	    characters to appear to be consistent its natural language
2195	    specification "descr is the syntactic representation of an object
2196	    descriptor, which consists of letters and digits, starting with a
2197	    letter."  In a related change, the statement "an
2198	    AttributeDescription can be used as the value in a NAME part of an
2199	    AttributeTypeDescription" was deleted.  RFC 2252 provided no
2200	    specification of the semantics of attribute options appearing in
2201	    NAME fields.

2203	    RFC 2252 stated that the <descr> form of <oid> SHOULD be preferred
2204	    over the <numericoid> form.  However, <descr> form can be ambiguous.
2205	    To address this issue, the imperative was replaced with a statement
2206	    (in Section 1.4) that while the <descr> form is generally preferred,
2207	    <numericoid> should be used where an unambiguous <descr> is not
2208	    available.  Additionally, an expanded discussion of descriptor
2209	    issues is discussed in Section 6.2 (Short Names).

2211	    The ABNF for a quoted string (qdstring) was updated to reflect
2212	    support for the escaping mechanism described in 4.3 of RFC 2252.

2214	A.2.2 Section 5 of RFC 2252

2216	    Definitions of operational attributes provided in Section 5 of RFC
2217	    2252 where incorporated into this document.

2219	    The 'namingContexts' description was clarified.  A first-level DSA
2220	    should publish, in addition to other values, "" indicating the root
2221	    of the DIT.

2223	    The 'altServer' description was clarified.  It may hold any URI.

2225	    The 'supportedExtension' description was clarified.  A server need
2226	    only list the OBJECT IDENTIFIERs associated with the extended
2227	    requests of the extended operations it recognizes.

2229	    The 'supportedControl' description was clarified.  A server need
2230	    only list the OBJECT IDENTIFIERs associated with the request
2231	    controls it recognizes.

2233	    Descriptions for the 'structuralObjectClass' and
2234	    'governingStructureRule' operational attribute types were added.

2236	A.2.3 Section 7 of RFC 2252

2238	    Section 7 of RFC 2252 provides definitions of the 'subschema' and
2239	    'extensibleObject' object classes.  These definitions where
2240	    integrated into Section 4.2 and Section 4.3 of this document,
2241	    respectively.  Section 7 of RFC 2252 also contained the object class
2242	    implementation requirement.  This was incorporated into Section 7 of
2243	    this document.

2245	    The specification of 'extensibleObject' was clarified of how it
2246	    interacts with precluded attributes.

2248	A.3 Changes to RFC 2256

2250	    This document incorporates Sections 5.1, 5.2, 7.1, and 7.2 of RFC
2251	    2256.

2253	    Section 5.1 of RFC 2256 provided the definition of the 'objectClass'
2254	    attribute type.  This was integrated into Section 2.4.1 of this
2255	    document.  The statement "One of the values is either 'top' or
2256	    'alias'" was replaced with statement that one of the values is 'top'
2257	    as entries belonging to 'alias' also belong to 'top'.

2259	    Section 5.2 of RFC 2256 provided the definition of the
2260	    'aliasedObjectName' attribute type.  This was integrated into
2261	    Section 2.6.2 of this document.

2263	    Section 7.1 of RFC 2256 provided the definition of the 'top' object
2264	    class.  This was integrated into Section 2.4.1 of this document.

2266	    Section 7.2 of RFC 2256 provided the definition of the 'alias'
2267	    object class.  This was integrated into Section 2.6.1 of this
2268	    document.

2270	Intellectual Property Rights

2272	  The IETF takes no position regarding the validity or scope of any
2273	  Intellectual Property Rights or other rights that might be claimed to
2274	  pertain to the implementation or use of the technology described in
2275	  this document or the extent to which any license under such rights
2276	  might or might not be available; nor does it represent that it has
2277	  made any independent effort to identify any such rights.  Information
2278	  on the procedures with respect to rights in RFC documents can be found
2279	  in BCP 78 and BCP 79.

2281	  Copies of IPR disclosures made to the IETF Secretariat and any
2282	  assurances of licenses to be made available, or the result of an
2283	  attempt made to obtain a general license or permission for the use of
2284	  such proprietary rights by implementers or users of this specification
2285	  can be obtained from the IETF on-line IPR repository at
2286	  http://www.ietf.org/ipr.

2288	  The IETF invites any interested party to bring to its attention any
2289	  copyrights, patents or patent applications, or other proprietary
2290	  rights that may cover technology that may be required to implement
2291	  this standard.  Please address the information to the IETF at
2292	  ietf-ipr@ietf.org.

2294	Full Copyright

2296	  Copyright (C) The Internet Society (2004).  This document is subject
2297	  to the rights, licenses and restrictions contained in BCP 78, and
2298	  except as set forth therein, the authors retain all their rights.

2300	  This document and the information contained herein are provided on an
2301	  "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
2302	  OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
2303	  ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
2304	  INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
2305	  INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
2306	  WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.