idnits 2.17.1 

draft-ietf-ldapbis-models-13.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3667, Section 5.1 on line 22.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 2310.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 2283.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 2290.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 2296.

  ** Found boilerplate matching RFC 3978, Section 5.4, paragraph 1 (on line
     2302), which is fine, but *also* found old RFC 2026, Section 10.4C,
     paragraph 1 text on line 39.

  ** The document seems to lack an RFC 3978 Section 5.1 IPR Disclosure
     Acknowledgement -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead
     of the newer disclaimer which includes the IETF Trust according to RFC
     4748.

  ** The document uses RFC 3667 boilerplate or RFC 3978-like boilerplate
     instead of verbatim RFC 3978 boilerplate.  After 6 May 2005, submission
     of drafts without verbatim RFC 3978 boilerplate is not accepted.

     The following non-3978 patterns matched text found in the document. 
     That text should be removed or replaced:

        By submitting this Internet-Draft, I certify that any applicable patent
        or other IPR claims of which I am aware have been disclosed, or
        will be disclosed, and any of which I become aware will be
        disclosed, in accordance with RFC 3668.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 39 instances of lines with non-RFC6890-compliant IPv4
     addresses in the document.  If these are example addresses, they should
     be changed.

  == The 'Obsoletes: ' line in the draft header should list only the
     _numbers_ of the RFCs which will be obsoleted by this document (if
     approved); it should not include the word 'RFC' in the list.

  -- The draft header indicates that this document obsoletes RFC2251, but the
     abstract doesn't seem to mention this, which it should.

  -- The draft header indicates that this document obsoletes RFC2252, but the
     abstract doesn't seem to mention this, which it should.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords -- however, there's a paragraph with
     a matching beginning. Boilerplate error?

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).
  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (9 February 2005) is 7016 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'UTF-8' is mentioned on line 211, but not defined

  ** Obsolete normative reference: RFC 2234 (Obsoleted by RFC 4234)

  -- No information found for draft-ietf-ldapbis-bcp64-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'BCP64bis' 

  -- No information found for draft-ietf-ldapbis-roadmap-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Roadmap' 

  -- No information found for draft-ietf-ldapbis-protocol-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Protocol' 

  -- No information found for draft-ietf-ldapbis-authmeth-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'AuthMeth' 

  -- No information found for draft-ietf-ldapbis-filter-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Filters' 

  -- No information found for draft-ietf-ldapbis-dn-xx - is the name correct?

  -- Possible downref: Normative reference to a draft: ref. 'LDAPDN' 

  -- No information found for draft-ietf-ldapbis-url-xx - is the name correct?

  -- Possible downref: Normative reference to a draft: ref. 'LDAPURL' 

  -- No information found for draft-ietf-sasl-rfc2222bis-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'SASL' 

  -- No information found for draft-ietf-ldapbis-syntaxes-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Syntaxes' 

  -- No information found for draft-ietf-ldapbis-user-schema-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Schema' 

  -- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode'


     Summary: 7 errors (**), 0 flaws (~~), 5 warnings (==), 30 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	INTERNET-DRAFT                              Editor: Kurt D. Zeilenga
3	Intended Category: Standard Track                OpenLDAP Foundation
4	Expires in six months                                9 February 2005
5	Obsoletes: RFC 2251, RFC 2252, RFC 2256

7	                    LDAP: Directory Information Models
8	                    <draft-ietf-ldapbis-models-13.txt>

10	Status of this Memo

12	  This document is intended to be published as a Standard Track RFC.
13	  Distribution of this memo is unlimited.  Technical discussion of this
14	  document will take place on the IETF LDAP Revision Working Group
15	  mailing list <ietf-ldapbis@openldap.org>.  Please send editorial
16	  comments directly to the editor <Kurt@OpenLDAP.org>.

18	  By submitting this Internet-Draft, I accept the provisions of Section
19	  4 of RFC 3667.  By submitting this Internet-Draft, I certify that any
20	  applicable patent or other IPR claims of which I am aware have been
21	  disclosed, or will be disclosed, and any of which I become aware will
22	  be disclosed, in accordance with RFC 3668.

24	  Internet-Drafts are working documents of the Internet Engineering Task
25	  Force (IETF), its areas, and its working groups. Note that other
26	  groups may also distribute working documents as Internet-Drafts.

28	  Internet-Drafts are draft documents valid for a maximum of six months
29	  and may be updated, replaced, or obsoleted by other documents at any
30	  time. It is inappropriate to use Internet-Drafts as reference material
31	  or to cite them other than as "work in progress."

33	  The list of current Internet-Drafts can be accessed at
34	  http://www.ietf.org/1id-abstracts.html

36	  The list of Internet-Draft Shadow Directories can be accessed at
37	  http://www.ietf.org/shadow.html

39	  Copyright (C) The Internet Society (2005).  All Rights Reserved.

41	  Please see the Full Copyright section near the end of this document
42	  for more information.

44	Abstract

46	  The Lightweight Directory Access Protocol (LDAP) is an Internet
47	  protocol for accessing distributed directory services which act in
48	  accordance with X.500 data and service models.  This document
49	  describes the X.500 Directory Information Models, as used in LDAP.

51	Table of Contents

53	  Status of this Memo                                             1
54	  Abstract                                                        2
55	  Table of Contents
56	  1.       Introduction                                           3
57	  1.1.     Relationship to Other LDAP Specifications
58	  1.2.     Relationship to X.501                                  4
59	  1.3.     Conventions
60	  1.4.     Common ABNF Productions
61	  2.       Model of Directory User Information                    6
62	  2.1.     The Directory Information Tree                         7
63	  2.2.     Structure of an Entry
64	  2.3.     Naming of Entries                                      8
65	  2.4.     Object Classes                                         9
66	  2.5.     Attribute Descriptions                                12
67	  2.6.     Alias Entries                                         15
68	  3.       Directory Administrative and Operational Information  17
69	  3.1.     Subtrees
70	  3.2.     Subentries
71	  3.3.     The 'objectClass' attribute                           18
72	  3.4.     Operational attributes                                19
73	  4.       Directory Schema                                      20
74	  4.1.     Schema Definitions                                    23
75	  4.2.     Subschema Subentries                                  30
76	  4.3.     'extensibleObject'                                    35
77	  4.4.     Subschema Discovery
78	  5.       DSA (Server) Informational Model                      36
79	  5.1.     Server-specific Data Requirements
80	  6.       Other Considerations                                  39
81	  6.1.     Preservation of User Information                      40
82	  6.2.     Short Names
83	  6.3.     Cache and Shadowing                                   41
84	  7.       Implementation Guidelines
85	  7.1.     Server Guidelines
86	  7.2.     Client Guidelines
87	  8.       Security Considerations                               42
88	  9.       IANA Considerations
89	  10.      Acknowledgments                                       43
90	  11.      Editor's Address
91	  12.      References                                            44
92	  12.1.    Normative References
93	  12.2.    Informative References                                45
94	  Appendix A.  Changes
95	  Intellectual Property Rights                                   50
96	  Full Copyright

98	1. Introduction

100	  This document discusses the X.500 Directory Information Models
101	  [X.501], as used by the Lightweight Directory Access Protocol (LDAP)
102	  [Roadmap].

104	  The Directory is "a collection of open systems cooperating to provide
105	  directory services" [X.500].  The information held in the Directory is
106	  collectively known as the Directory Information Base (DIB).  A
107	  Directory user, which may be a human or other entity, accesses the
108	  Directory through a client (or Directory User Agent (DUA)).  The
109	  client, on behalf of the directory user, interacts with one or more
110	  servers (or Directory System Agents (DSA)).  A server holds a fragment
111	  of the DIB.

113	  The DIB contains two classes of information:

115	      1) user information (e.g., information provided and administrated
116	         by users).  Section 2 describes the Model of User Information.

118	      2) administrative and operational information (e.g., information
119	         used to administer and/or operate the directory).  Section 3
120	         describes the model of Directory Administrative and Operational
121	         Information.

123	  These two models, referred to as the generic Directory Information
124	  Models, describe how information is represented in the Directory.
125	  These generic models provide a framework for other information models.
126	  Section 4 discusses the subschema information model and subschema
127	  discovery.  Section 5 discusses the DSA (Server) Informational Model.

129	  Other X.500 information models, such as access control distribution
130	  knowledge, and replication knowledge information models, may be
131	  adapted for use in LDAP.  Specification of how these models apply to
132	  LDAP is left to future documents.

134	1.1. Relationship to Other LDAP Specifications

136	  This document is a integral part of the LDAP technical specification
137	  [Roadmap] which obsoletes the previously defined LDAP technical
138	  specification, RFC 3377, in its entirety.

140	  This document obsoletes RFC 2251 sections 3.2 and 3.4, as well as
141	  portions of sections 4 and 6.  Appendix A.1 summaries changes to these
142	  sections.  The remainder of RFC 2251 is obsoleted by the [Protocol],
143	  [AuthMeth], and [Roadmap] documents.

145	  This document obsoletes RFC 2252 sections 4, 5 and 7.  Appendix A.2
146	  summaries changes to these sections.  The remainder of RFC 2252 is
147	  obsoleted by [Syntaxes].

149	  This document obsoletes RFC 2256 sections 5.1, 5.2, 7.1 and 7.2.
150	  Appendix A.3 summarizes changes to these sections.  The remainder of
151	  RFC 2256 is obsoleted by [Schema] and [Syntaxes].

153	1.2. Relationship to X.501

155	  This document includes material, with and without adaptation, from
156	  [X.501] as necessary to describe this protocol.  These adaptations
157	  (and any other differences herein) apply to this protocol, and only
158	  this protocol.

160	1.3. Conventions

162	  The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
163	  "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
164	  document are to be interpreted as described in BCP 14 [RFC2119].

166	  Schema definitions are provided using LDAP description formats (as
167	  defined in Section 4.1).  Definitions provided here are formatted
168	  (line wrapped) for readability.  Matching rules and LDAP syntaxes
169	  referenced in these definitions are specified in [Syntaxes].

171	1.4. Common ABNF Productions

173	  A number of syntaxes in this document are described using Augmented
174	  Backus-Naur Form (ABNF) [RFC2234].  These syntaxes (as well as a
175	  number of syntaxes defined in other documents) rely on the following
176	  common productions:

178	      keystring = leadkeychar *keychar
179	      leadkeychar = ALPHA
180	      keychar = ALPHA / DIGIT / HYPHEN
181	      number  = DIGIT / ( LDIGIT 1*DIGIT )
182	      ALPHA   = %x41-5A / %x61-7A   ; "A"-"Z" / "a"-"z"
183	      DIGIT   = %x30 / LDIGIT       ; "0"-"9"
184	      LDIGIT  = %x31-39             ; "1"-"9"
185	      HEX     = DIGIT / %x41-46 / %x61-66 ; "0"-"9" / "A"-"F" / "a"-"f"

187	      SP      = 1*SPACE  ; one or more " "
188	      WSP     = 0*SPACE  ; zero or more " "

190	      NULL    = %x00 ; null (0)
191	      SPACE   = %x20 ; space (" ")
192	      DQUOTE  = %x22 ; quote (""")
193	      SHARP   = %x23 ; octothorpe (or sharp sign) ("#")
194	      DOLLAR  = %x24 ; dollar sign ("$")
195	      SQUOTE  = %x27 ; single quote ("'")
196	      LPAREN  = %x28 ; left paren ("(")
197	      RPAREN  = %x29 ; right paren (")")
198	      PLUS    = %x2B ; plus sign ("+")
199	      COMMA   = %x2C ; comma (",")
200	      HYPHEN  = %x2D ; hyphen ("-")
201	      DOT     = %x2E ; period (".")
202	      SEMI    = %x3B ; semicolon (";")
203	      LANGLE  = %x3C ; left angle bracket ("<")
204	      EQUALS  = %x3D ; equals sign ("=")
205	      RANGLE  = %x3E ; right angle bracket (">")
206	      ESC     = %x5C ; backslash ("\")
207	      USCORE  = %x5F ; underscore ("_")
208	      LCURLY  = %x7B ; left curly brace "{"
209	      RCURLY  = %x7D ; right curly brace "}"

211	      ; Any UTF-8 [UTF-8] encoded Unicode [Unicode] character
212	      UTF8    = UTF1 / UTFMB
213	      UTFMB   = UTF2 / UTF3 / UTF4
214	      UTF0    = %x80-BF
215	      UTF1    = %x00-7F
216	      UTF2    = %xC2-DF UTF0
217	      UTF3    = %xE0 %xA0-BF UTF0 / %xE1-EC 2(UTF0) /
218	                %xED %x80-9F UTF0 / %xEE-EF 2(UTF0)
219	      UTF4    = %xF0 %x90-BF 2(UTF0) / %xF1-F3 3(UTF0) /
220	                %xF4 %x80-8F 2(UTF0)

222	      OCTET   = %x00-FF ; Any octet (8-bit data unit)

224	  Object identifiers (OIDs) [X.680] are represented in LDAP using a
225	  dot-decimal format conforming to the ABNF:

227	      numericoid = number 1*( DOT number )

229	  Short names, also known as descriptors, are used as more readable
230	  aliases for object identifiers.  Short names are case insensitive and
231	  conform to the ABNF:

233	      descr = keystring

235	  Where either an object identifier or a short name may be specified,
236	  the following production is used:

238	      oid = descr / numericoid

240	  While the <descr> form is generally preferred when the usage is
241	  restricted to short names referring to object identifiers which
242	  identify like kinds of objects (e.g., attribute type descriptions,
243	  matching rule descriptions, object class descriptions), the
244	  <numericoid> form should be used when the object identifiers may
245	  identify multiple kinds of objects or when an unambiguous short name
246	  (descriptor) is not available.

248	  Implementations SHOULD treat short names (descriptors) used in an
249	  ambiguous manner (as discussed above) as unrecognized.

251	  Short Names (descriptors) are discussed further in Section 6.2.

253	2. Model of Directory User Information

255	  As [X.501] states:

257	      The purpose of the Directory is to hold, and provide access to,
258	      information about objects of interest (objects) in some 'world'.
259	      An object can be anything which is identifiable (can be named).

261	      An object class is an identified family of objects, or conceivable
262	      objects, which share certain characteristics. Every object belongs
263	      to at least one class.  An object class may be a subclass of other
264	      object classes, in which case the members of the former class, the
265	      subclass, are also considered to be members of the latter classes,
266	      the superclasses.  There may be subclasses of subclasses, etc., to
267	      an arbitrary depth.

269	  A directory entry, a named collection of information, is the basic
270	  unit of information held in the Directory.  There are multiple kinds
271	  of directory entries.

273	  An object entry represents a particular object.  An alias entry
274	  provides alternative naming.  A subentry holds administrative and/or
275	  operational information.

277	  The set of entries representing the DIB are organized hierarchically
278	  in a tree structure known as the Directory Information Tree (DIT).

280	  Section 2.1 describes the Directory Information Tree
281	  Section 2.2 discusses the structure of entries.
282	  Section 2.3 discusses naming of entries.
283	  Section 2.4 discusses object classes.
284	  Section 2.5 discusses attribute descriptions.
285	  Section 2.6 discusses alias entries.

287	2.1. The Directory Information Tree

289	  As noted above, the DIB is composed of a set of entries organized
290	  hierarchically in a tree structure known as the Directory Information
291	  Tree (DIT).  Specifically, a tree where vertices are the entries.

293	  The arcs between vertices define relations between entries.  If an arc
294	  exists from X to Y, then the entry at X is the immediate superior of Y
295	  and Y is the immediate subordinate of X.  An entry's superiors are the
296	  entry's immediate superior and its superiors.  An entry's subordinates
297	  are all of its immediate subordinates and their subordinates.

299	  Similarly, the superior/subordinate relationship between object
300	  entries can be used to derive a relation between the objects they
301	  represent.  DIT structure rules can be used to govern relationships
302	  between objects.

304	  Note: An entry's immediate superior is also known as the entry's
305	        parent and an entry's immediate subordinate is also known as the
306	        entry's child.  Entries which have the same parent are known as
307	        siblings.

309	2.2. Structure of an Entry

311	  An entry consists of a set of attributes which hold information about
312	  the object which the entry represents.  Some attributes represent user
313	  information and are called user attributes.  Other attributes
314	  represent operational and/or administrative information and are called
315	  operational attributes.

317	  An attribute is an attribute description (a type and zero or more
318	  options) with one or more associated values.  An attribute is often
319	  referred to by its attribute description.  For example, the
320	  'givenName' attribute is the attribute which consists of the attribute
321	  description 'givenName' (the 'givenName' attribute type [Schema] and
322	  zero options) and one or more associated values.

324	  The attribute type governs whether the attribute can have multiple
325	  values, the syntax and matching rules used to construct and compare
326	  values of that attribute, and other functions.  Options indicate
327	  subtypes and other functions.

329	  Attribute values conform to the defined syntax of the attribute type.

331	  No two values of an attribute may be equivalent.  Two values are
332	  considered equivalent only if they would match according to the
333	  equality matching rule of the attribute type.  If the attribute type
334	  is defined with no equality matching rule, two values are equivalent
335	  if and only if they are identical.  (See 2.5.1 for other
336	  restrictions.)

338	  For example, a 'givenName' attribute can have more than one value,
339	  they must be Directory Strings, and they are case insensitive.  A
340	  'givenName' attribute cannot hold both "John" and "JOHN" as these are
341	  equivalent values per the equality matching rule of the attribute
342	  type.

344	  When an attribute is used for naming of the entry, one and only one
345	  value of the attribute is used in forming the Relative Distinguished
346	  Name.  This value is known as a distinguished value.

348	2.3. Naming of Entries

350	2.3.1.  Relative Distinguished Names

352	  Each entry is named relative to its immediate superior.  This relative
353	  name, known as its Relative Distinguished Name (RDN) [X.501], is
354	  composed of an unordered set of one or more attribute value assertions
355	  (AVA) consisting of an attribute description with zero options and an
356	  attribute value.  These AVAs are chosen to match attribute values
357	  (each a distinguished value) of the entry.

359	  An entry's relative distinguished name must be unique among all
360	  immediate subordinates of the entry's immediate superior (i.e., all
361	  siblings).

363	  The following are examples of string representations of RDNs [LDAPDN]:

365	      UID=12345
366	      OU=Engineering
367	      CN=Kurt Zeilenga+L=Redwood Shores

369	  The last is an example of a multi-valued RDN.  That is, an RDN
370	  composed of multiple AVAs.

372	2.3.2. Distinguished Names

374	  An entry's fully qualified name, known as its Distinguished Name (DN)
375	  [X.501], is the concatenation of its RDN and its immediate superior's
376	  DN.  A Distinguished Name unambiguously refers to an entry in the
377	  tree.  The following are examples of string representations of DNs
378	  [LDAPDN]:

380	      UID=nobody@example.com,DC=example,DC=com
381	      CN=John Smith,OU=Sales,O=ACME Limited,L=Moab,ST=Utah,C=US

383	2.3.3. Alias Names

385	  An alias, or alias name, is "an name for an object, provided by the
386	  use of alias entries" [X.501].  Alias entries are described in Section
387	  2.6.

389	2.4. Object Classes

391	  An object class is "an identified family of objects (or conceivable
392	  objects) which share certain characteristics" [X.501].

394	  As defined in [X.501]:

396	      Object classes are used in the Directory for a number of purposes:

398	        - describing and categorising objects and the entries that
399	          correspond to these objects;

401	        - where appropriate, controlling the operation of the Directory;

403	        - regulating, in conjunction with DIT structure rule
404	          specifications, the position of entries in the DIT;

406	        - regulating, in conjunction with DIT content rule
407	          specifications, the attributes that are contained in entries;

409	        - identifying classes of entry that are to be associated with a
410	          particular policy by the appropriate administrative authority.

412	      An object class (a subclass) may be derived from an object class
413	      (its direct superclass) which is itself derived from an even more
414	      generic object class.  For structural object classes, this process
415	      stops at the most generic object class, 'top' (defined in Section
416	      2.4.1).  An ordered set of superclasses up to the most superior
417	      object class of an object class is its superclass chain.

419	      An object class may be derived from two or more direct
420	      superclasses (superclasses not part of the same superclass chain).
421	      This feature of subclassing is termed multiple inheritance.

423	  Each object class identifies the set of attributes required to be
424	  present in entries belonging to the class and the set of attributes
425	  allowed to be present in entries belonging to the class.  As an entry
426	  of a class must meet the requirements of each class it belongs to, it
427	  can be said that an object class inherits the sets of allowed and
428	  required attributes from its superclasses.  A subclass can identify an
429	  attribute allowed by its superclass as being required.  If an
430	  attribute is a member of both sets, it is required to be present.

432	  Each object class is defined to be one of three kinds of object
433	  classes: Abstract, Structural, or Auxiliary.

435	  Each object class is identified by an object identifier (OID) and,
436	  optionally, one or more short names (descriptors).

438	2.4.1. Abstract Object Classes

440	  An abstract object class, as the name implies, provides a base of
441	  characteristics from which other object classes can be defined to
442	  inherit from.  An entry cannot belong to an abstract object class
443	  unless it belongs to a structural or auxiliary class which inherits
444	  from that abstract class.

446	  Abstract object classes can not derive from structural nor auxiliary
447	  object classes.

449	  All structural object classes derive (directly or indirectly) from the
450	  'top' abstract object class.  Auxiliary object classes do not
451	  necessarily derive from 'top'.

453	  The following is the object class definition (see Section 4.1.1) for
454	  the 'top' object class:

456	      ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )

458	  All entries belong to the 'top' abstract object class.

460	2.4.2. Structural Object Classes

462	  As stated in [X.501]:

464	      An object class defined for use in the structural specification of
465	      the DIT is termed a structural object class.  Structural object
466	      classes are used in the definition of the structure of the names
467	      of the objects for compliant entries.

469	      An object or alias entry is characterised by precisely one
470	      structural object class superclass chain which has a single
471	      structural object class as the most subordinate object class.
472	      This structural object class is referred to as the structural
473	      object class of the entry.

475	      Structural object classes are related to associated entries:

477	        - an entry conforming to a structural object class shall
478	          represent the real-world object constrained by the object
479	          class;

481	        - DIT structure rules only refer to structural object classes;
482	          the structural object class of an entry is used to specify the
483	          position of the entry in the DIT;

485	        - the structural object class of an entry is used, along with an
486	          associated DIT content rule, to control the content of an
487	          entry.

489	        The structural object class of an entry shall not be changed.

491	  Each structural object class is a (direct or indirect) subclass of the
492	  'top' abstract object class.

494	  Structural object classes cannot subclass auxiliary object classes.

496	  Each entry is said to belong to its structural object class as well as
497	  all classes in its structural object class's superclass chain.

499	2.4.3. Auxiliary Object Classes

501	  Auxiliary object classes are used to augment the characteristics of
502	  entries.  They are commonly used to augment the sets of attributes
503	  required and allowed to be present in an entry.  They can be used to
504	  describe entries or classes of entries.

506	  Auxiliary object classes cannot subclass structural object classes.

508	  An entry can belong to any subset of the set of auxiliary object
509	  classes allowed by the DIT content rule associated with the structural
510	  object class of the entry.  If no DIT content rule is associated with
511	  the structural object class of the entry, the entry cannot belong to
512	  any auxiliary object class.

514	  The set of auxiliary object classes which an entry belongs to can
515	  change over time.

517	2.5. Attribute Descriptions

519	  An attribute description is composed of an attribute type (see Section
520	  2.5.1) and a set of zero or more attribute options (see Section
521	  2.5.2).

523	  An attribute description is represented by the ABNF:

525	      attributedescription = attributetype options
526	      attributetype = oid
527	      options = *( SEMI option )
528	      option = 1*keychar

530	  where <attributetype> identifies the attribute type and each <option>
531	  identifies an attribute option.  Both <attributetype> and <option>
532	  productions are case insensitive.  The order in which <option>s appear
533	  is irrelevant.  That is, any two <attributedescription>s which consist
534	  of the same <attributetype> and same set of <option>s are equivalent.

536	  Examples of valid attribute descriptions:

538	      2.5.4.0
539	      cn;lang-de;lang-en
540	      owner

542	  An attribute description with an unrecognized attribute type is to be
543	  treated as unrecognized.  Servers SHALL treat an attribute description
544	  with an unrecognized attribute option as unrecognized.  Clients MAY
545	  treat an unrecognized attribute option as a tagging option (see
546	  Section 2.5.2.1).

548	  All attributes of an entry must have distinct attribute descriptions.

550	2.5.1. Attribute Types

552	  An attribute type governs whether the attribute can have multiple
553	  values, the syntax and matching rules used to construct and compare
554	  values of that attribute, and other functions.

556	  If no equality matching is specified for the attribute type:
557	    - the attribute (of the type) cannot be used for naming;
558	    - when adding the attribute (or replacing all values), no two values
559	      may be equivalent (see 2.2);
560	    - individual values of a multi-valued attribute are not to be
561	      independently added or deleted;
562	    - attribute value assertions (such as matching in search filters and
563	      comparisons) using values of such a type cannot be performed.

565	  Otherwise, the equality matching rule is to be used for the purposes
566	  of evaluating attribute value assertions concerning the attribute
567	  type.

569	  The attribute type indicates whether the attribute is a user attribute
570	  or an operational attribute.  If operational, the attribute type
571	  indicates the operational usage and whether the attribute is
572	  modifiable by users or not.  Operational attributes are discussed in
573	  Section 3.4.

575	  An attribute type (a subtype) may derive from a more generic attribute
576	  type (a direct supertype).  The following restrictions apply to
577	  subtyping:
578	    - a subtype must have the same usage as its direct supertype,
579	    - a subtype's syntax must be the same, or a refinement of, its
580	      supertype's syntax, and
581	    - a subtype must be collective [RFC3671] if its supertype is
582	      collective.

584	  An attribute description consisting of a subtype and no options is
585	  said to be the direct description subtype of the attribute description
586	  consisting of the subtype's direct supertype and no options.

588	  Each attribute type is identified by an object identifier (OID) and,
589	  optionally, one or more short names (descriptors).

591	2.5.2. Attribute Options

593	  There are multiple kinds of attribute description options.  The LDAP
594	  technical specification details one kind: tagging options.

596	  Not all options can be associated with attributes held in the
597	  directory.  Tagging options can be.

599	  Not all options can be used in conjunction with all attribute types.
600	  In such cases, the attribute description is to be treated as
601	  unrecognized.

603	  An attribute description that contains mutually exclusive options
604	  shall be treated as unrecognized.  That is, "cn;x-bar;x-foo", where
605	  "x-foo" and "x-bar" are mutually exclusive, is to be treated as
606	  unrecognized.

608	  Other kinds of options may be specified in future documents.  These
609	  documents must detail how new kinds of options they define relate to
610	  tagging options.  In particular, these documents must detail whether
611	  or not new kinds of options can be associated with attributes held in
612	  the directory, how new kinds of options affect transfer of attribute
613	  values, and how new kinds of options are treated in attribute
614	  description hierarchies.

616	  Options are represented as short case insensitive textual strings
617	  conforming to the <option> production defined in Section 2.5 of this
618	  document.

620	  Procedures for registering options are detailed in BCP 64 [BCP64bis].

622	2.5.2.1. Tagging Options

624	  Attributes held in the directory can have attribute descriptions with
625	  any number of tagging options.  Tagging options are never mutually
626	  exclusive.

628	  An attribute description with N tagging options is a direct
629	  (description) subtype of all attribute descriptions of the same
630	  attribute type and all but one of the N options.  If the attribute
631	  type has a supertype, then the attribute description is also a direct
632	  (description) subtype of the attribute description of the supertype
633	  and the N tagging options.  That is, 'cn;lang-de;lang-en' is a direct
634	  (description) subtype of 'cn;lang-de', 'cn;lang-en', and
635	  'name;lang-de;lang-en' ('cn' is a subtype of 'name', both are defined
636	  in [Schema]).

638	2.5.3. Attribute Description Hierarchies

640	  An attribute description can be the direct subtype of zero or more
641	  other attribute descriptions as indicated by attribute type subtyping
642	  (as described in Section 2.5.1) or attribute tagging option subtyping
643	  (as described in Section 2.5.2.1).  These subtyping relationships are
644	  used to form hierarchies of attribute descriptions and attributes.

646	  As adapted from [X.501]:

648	      Attribute hierarchies allow access to the DIB with varying degrees
649	      of granularity.  This is achieved by allowing the value components
650	      of attributes to be accessed by using either their specific
651	      attribute description (a direct reference to the attribute) or by
652	      a more generic attribute description (an indirect reference).

654	      Semantically related attributes may be placed in a hierarchical
655	      relationship, the more specialized being placed subordinate to the
656	      more generalized.  Searching for, or retrieving attributes and
657	      their values is made easier by quoting the more generalized
658	      attribute description; a filter item so specified is evaluated for
659	      the more specialized descriptions as well as for the quoted
660	      description.

662	      Where subordinate specialized descriptions are selected to be
663	      returned as part of a search result these descriptions shall be
664	      returned if available.  Where the more general descriptions are
665	      selected to be returned as part of a search result both the
666	      general and the specialized descriptions shall be returned, if
667	      available.  An attribute value shall always be returned as a value
668	      of its own attribute description.

670	      All of the attribute descriptions in an attribute hierarchy are
671	      treated as distinct and unrelated descriptions for user
672	      modification of entry content.

674	      An attribute value stored in an object or alias entry is of
675	      precisely one attribute description.  The description is indicated
676	      when the value is originally added to the entry.

678	  For the purpose of subschema administration of the entry, a
679	  specification that an attribute is required is fulfilled if the entry
680	  contains a value of an attribute description belonging to an attribute
681	  hierarchy where the attribute type of that description is the same as
682	  the required attribute's type.  That is, a "MUST name" specification
683	  is fulfilled by 'name' or 'name;x-tag-option', but is not fulfilled by
684	  'CN' nor by 'CN;x-tag-option' (even though 'CN' is a subtype of
685	  'name').  Likewise, an entry may contain a value of an attribute
686	  description belonging to an attribute hierarchy where the attribute
687	  type of that description is either explicitly included in the
688	  definition of an object class to which the entry belongs or allowed by
689	  the DIT content rule applicable to that entry.  That is, 'name' and
690	  'name;x-tag-option' are allowed by "MAY name" (or by "MUST name"), but
691	  'CN' and 'CN;x-tag-option' are not allowed by "MAY name" (nor by "MUST
692	  name").

694	  For the purposes of other policy administration, unless stated
695	  otherwise in the specification of the particular administrative model,
696	  all of the attribute descriptions in an attribute hierarchy are
697	  treated as distinct and unrelated descriptions.

699	2.6. Alias Entries

701	  As adapted from [X.501]:

703	      An alias, or an alias name, for an object is an alternative name
704	      for an object or object entry which is provided by the use of
705	      alias entries.

707	      Each alias entry contains, within the 'aliasedObjectName'
708	      attribute (known as the 'aliasedEntryName' attribute in X.500]), a
709	      name of some object.  The distinguished name of the alias entry is
710	      thus also a name for this object.

712	          NOTE - The name within the 'aliasedObjectName' is said to be
713	                 pointed to by the alias.  It does not have to be the
714	                 distinguished name of any entry.

716	      The conversion of an alias name to an object name is termed
717	      (alias) dereferencing and comprises the systematic replacement of
718	      alias names, where found within a purported name, by the value of
719	      the corresponding 'aliasedObjectName' attribute.  The process may
720	      require the examination of more than one alias entry.

722	      Any particular entry in the DIT may have zero or more alias names.
723	      It therefore follows that several alias entries may point to the
724	      same entry.  An alias entry may point to an entry that is not a
725	      leaf entry and may point to another alias entry.

727	      An alias entry shall have no subordinates, so that an alias entry
728	      is always a leaf entry.

730	      Every alias entry shall belong to the 'alias' object class.

732	  An entry with the 'alias' object class must also belong to an object
733	  class (or classes), or be governed by a DIT content rule, which allows
734	  suitable naming attributes to be present.

736	  Example:
737	      dn: cn=bar,dc=example,dc=com
738	      objectClass: top
739	      objectClass: alias
740	      objectClass: extensibleObject
741	      cn: bar
742	      aliasedObjectName: cn=foo,dc=example,dc=com

744	2.6.1. 'alias' object class
745	  Alias entries belong to the 'alias' object class.

747	     ( 2.5.6.1 NAME 'alias'
748	       SUP top STRUCTURAL
749	       MUST aliasedObjectName )

751	2.6.2. 'aliasedObjectName' attribute type

753	  The 'aliasedObjectName' attribute holds the name of the entry an alias
754	  points to.  The 'aliasedObjectName' attribute is known as the
755	  'aliasedEntryName' attribute in X.500.

757	      ( 2.5.4.1 NAME 'aliasedObjectName'
758	        EQUALITY distinguishedNameMatch
759	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
760	        SINGLE-VALUE )

762	  The 'distinguishedNameMatch' matching rule and the DistinguishedName
763	  (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [Syntaxes].

765	3. Directory Administrative and Operational Information

767	  This section discusses select aspects of the X.500 Directory
768	  Administrative and Operational Information model [X.501].  LDAP
769	  implementations MAY support other aspects of this model.

771	3.1. Subtrees

773	  As defined in [X.501]:

775	      A subtree is a collection of object and alias entries situated at
776	      the vertices of a tree.  Subtrees do not contain subentries.  The
777	      prefix sub, in subtree, emphasizes that the base (or root) vertex
778	      of this tree is usually subordinate to the root of the DIT.

780	      A subtree begins at some vertex and extends to some identifiable
781	      lower boundary, possibly extending to leaves.  A subtree is always
782	      defined within a context which implicitly bounds the subtree.  For
783	      example, the vertex and lower boundaries of a subtree defining a
784	      replicated area are bounded by a naming context.

786	3.2. Subentries

788	  A subentry is a "special sort of entry, known by the Directory, used
789	  to hold information associated with a subtree or subtree refinement"
790	  [X.501].  Subentries are used in Directory to hold for administrative
791	  and operational purposes as defined in [X.501].  Their use in LDAP is
792	  detailed in [RFC3672].

794	  The term "(sub)entry" in this specification indicates that servers
795	  implementing X.500(93) models are, in accordance with X.500(93) as
796	  described in [RFC3672], to use a subentry and that other servers are
797	  to use an object entry belonging to the appropriate auxiliary class
798	  normally used with the subentry (e.g., 'subschema' for subschema
799	  subentries) to mimic the subentry.  This object entry's RDN SHALL be
800	  formed from a value of the 'cn' (commonName) attribute [Schema] (as
801	  all subentries are named with 'cn').

803	3.3. The 'objectClass' attribute

805	  Each entry in the DIT has an 'objectClass' attribute.

807	      ( 2.5.4.0 NAME 'objectClass'
808	        EQUALITY objectIdentifierMatch
809	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

811	  The 'objectIdentifierMatch' matching rule and the OBJECT IDENTIFIER
812	  (1.3.6.1.4.1.1466.115.121.1.38) syntax are defined in [Syntaxes].

814	  The 'objectClass' attribute specifies the object classes of an entry,
815	  which (among other things) is used in conjunction with the controlling
816	  schema to determine the permitted attributes of an entry.  Values of
817	  this attribute can be modified by clients, but the 'objectClass'
818	  attribute cannot be removed.

820	  Servers which follow X.500(93) models SHALL restrict modifications of
821	  this attribute to prevent the basic structural class of the entry from
822	  being changed.  That is, one cannot change a 'person' into a
823	  'country'.

825	  When creating an entry or adding an 'objectClass' value to an entry,
826	  all superclasses of the named classes SHALL be implicitly added as
827	  well if not already present.  That is, if the auxiliary class 'x-a' is
828	  a subclass of the class 'x-b', adding 'x-a' to 'objectClass' causes
829	  'x-b' to be implicitly added (if is not already present).

831	  Servers SHALL restrict modifications of this attribute to prevent
832	  superclasses of remaining 'objectClass' values from being deleted.
833	  That is, if the auxiliary class 'x-a' is a subclass of the auxiliary
834	  class 'x-b' and the 'objectClass' attribute contains 'x-a' and 'x-b',
835	  an attempt to delete only 'x-b' from the 'objectClass' attribute is an
836	  error.

838	3.4. Operational attributes

840	  Some attributes, termed operational attributes, are used or maintained
841	  by servers for administrative and operational purposes.  As stated in
842	  [X.501]: "There are three varieties of operational attributes:
843	  Directory operational attributes, DSA-shared operational attributes,
844	  and DSA-specific operational attributes."

846	  A directory operational attribute is used to represent operational
847	  and/or administrative information in the Directory Information Model.
848	  This includes operational attributes maintained by the server (e.g.
849	  'createTimestamp') as well as operational attributes which hold values
850	  administrated by the user (e.g. 'ditContentRules').

852	  A DSA-shared operational attribute is used to represent information of
853	  the DSA Information Model which is shared between DSAs.

855	  A DSA-specific operational attribute is used to represent information
856	  of the DSA Information Model which is specific to the DSA (though, in
857	  some cases, may be derived from information shared between DSAs)
858	  (e.g., 'namingContexts').

860	  The DSA Information Model operational attributes are detailed in
861	  [X.501].

863	  Operational attributes are not normally visible.  They are not
864	  returned in search results unless explicitly requested by name.

866	  Not all operational attributes are user modifiable.

868	  Entries may contain, among others, the following operational
869	  attributes:

871	    - creatorsName: the Distinguished Name of the user who added this
872	      entry to the directory,

874	    - createTimestamp: the time this entry was added to the directory,

876	    - modifiersName: the Distinguished Name of the user who last
877	      modified this entry, and

879	    - modifyTimestamp: the time this entry was last modified.

881	  Servers SHOULD maintain the 'creatorsName', 'createTimestamp',
882	  'modifiersName', and 'modifyTimestamp' attributes for all entries of
883	  the DIT.

885	3.4.1. 'creatorsName'

887	  This attribute appears in entries which were added using the protocol
888	  (e.g., using the Add operation).  The value is the distinguished name
889	  of the creator.

891	      ( 2.5.18.3 NAME 'creatorsName'
892	        EQUALITY distinguishedNameMatch
893	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
894	        SINGLE-VALUE NO-USER-MODIFICATION
895	        USAGE directoryOperation )

897	  The 'distinguishedNameMatch' matching rule and the DistinguishedName
898	  (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [Syntaxes].

900	3.4.2. 'createTimestamp'

902	  This attribute appears in entries which were added using the protocol
903	  (e.g., using the Add operation).  The value is the time the entry was
904	  added.

906	      ( 2.5.18.1 NAME 'createTimestamp'
907	        EQUALITY generalizedTimeMatch
908	        ORDERING generalizedTimeOrderingMatch
909	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
910	        SINGLE-VALUE NO-USER-MODIFICATION
911	        USAGE directoryOperation )

913	  The 'generalizedTimeMatch' and 'generalizedTimeOrderingMatch' matching
914	  rules and the GeneralizedTime (1.3.6.1.4.1.1466.115.121.1.24) syntax
915	  are defined in [Syntaxes].

917	3.4.3. 'modifiersName'

919	  This attribute appears in entries which have been modified using the
920	  protocol (e.g., using Modify operation).  The value is the
921	  distinguished name of the last modifier.

923	      ( 2.5.18.4 NAME 'modifiersName'
924	        EQUALITY distinguishedNameMatch
925	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
926	        SINGLE-VALUE NO-USER-MODIFICATION
927	        USAGE directoryOperation )

929	  The 'distinguishedNameMatch' matching rule and the DistinguishedName
930	  (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [Syntaxes].

932	3.4.4. 'modifyTimestamp'

934	  This attribute appears in entries which have been modified using the
935	  protocol (e.g., using the Modify operation).  The value is the time
936	  the entry was last modified.

938	      ( 2.5.18.2 NAME 'modifyTimestamp'
939	        EQUALITY generalizedTimeMatch
940	        ORDERING generalizedTimeOrderingMatch
941	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
942	        SINGLE-VALUE NO-USER-MODIFICATION
943	        USAGE directoryOperation )

945	  The 'generalizedTimeMatch' and 'generalizedTimeOrderingMatch' matching
946	  rules and the GeneralizedTime (1.3.6.1.4.1.1466.115.121.1.24) syntax
947	  are defined in [Syntaxes].

949	3.4.5. 'structuralObjectClass'

951	  This attribute indicates the structural object class of the entry.

953	      ( 2.5.21.9 NAME 'structuralObjectClass'
954	        EQUALITY objectIdentifierMatch
955	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
956	        SINGLE-VALUE NO-USER-MODIFICATION
957	        USAGE directoryOperation )

959	  The 'objectIdentifierMatch' matching rule and OBJECT IDENTIFIER
960	  (1.3.6.1.4.1.1466.115.121.1.38) syntax is defined in [Syntaxes].

962	3.4.6. 'governingStructureRule'

964	  This attribute indicates the structure rule governing the entry.

966	      ( 2.5.21.10 NAME 'governingStructureRule'
967	        EQUALITY integerMatch
968	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
969	        SINGLE-VALUE NO-USER-MODIFICATION
970	        USAGE directoryOperation )

972	  The 'integerMatch' matching rule and INTEGER
973	  (1.3.6.1.4.1.1466.115.121.1.27) syntax is defined in [Syntaxes].

975	4. Directory Schema

977	  As defined in [X.501]:

979	      The Directory Schema is a set of definitions and constraints
980	      concerning the structure of the DIT, the possible ways entries are
981	      named, the information that can be held in an entry, the
982	      attributes used to represent that information and their
983	      organization into hierarchies to facilitate search and retrieval
984	      of the information and the ways in which values of attributes may
985	      be matched in attribute value and matching rule assertions.

987	      NOTE 1 - The schema enables the Directory system to, for example:

989	      - prevent the creation of subordinate entries of the wrong
990	        object-class (e.g. a country as a subordinate of a person);

992	      - prevent the addition of attribute-types to an entry
993	        inappropriate to the object-class (e.g. a serial number to a
994	        person's entry);

996	      - prevent the addition of an attribute value of a syntax not
997	        matching that defined for the attribute-type (e.g. a printable
998	        string to a bit string).

1000	        Formally, the Directory Schema comprises a set of:

1002	      a) Name Form definitions that define primitive naming relations
1003	         for structural object classes;

1005	      b) DIT Structure Rule definitions that define the names that
1006	         entries may have and the ways in which the entries may be
1007	         related to one another in the DIT;

1009	      c) DIT Content Rule definitions that extend the specification of
1010	         allowable attributes for entries beyond those indicated by the
1011	         structural object classes of the entries;

1013	      d) Object Class definitions that define the basic set of mandatory
1014	         and optional attributes that shall be present, and may be
1015	         present, respectively, in an entry of a given class, and which
1016	         indicate the kind of object class that is being defined;

1018	      e) Attribute Type definitions that identify the object identifier
1019	         by which an attribute is known, its syntax, associated matching
1020	         rules, whether it is an operational attribute and if so its
1021	         type, whether it is a collective attribute, whether it is
1022	         permitted to have multiple values and whether or not it is
1023	         derived from another attribute type;

1025	      f) Matching Rule definitions that define matching rules.

1027	  And in LDAP:

1029	      g) LDAP Syntax definitions that define encodings used in LDAP.

1031	4.1. Schema Definitions

1033	  Schema definitions in this section are described using ABNF and rely
1034	  on the common productions specified in Section 1.2 as well as these:

1036	      noidlen = numericoid [ LCURLY len RCURLY ]
1037	      len = number

1039	      oids = oid / ( LPAREN WSP oidlist WSP RPAREN )
1040	      oidlist = oid *( WSP DOLLAR WSP oid )

1042	      extensions = *( SP xstring SP qdstrings )
1043	      xstring = "X" HYPHEN 1*( ALPHA / HYPHEN / USCORE )

1045	      qdescrs = qdescr / ( LPAREN WSP qdescrlist WSP RPAREN )
1046	      qdescrlist = [ qdescr *( SP qdescr ) ]
1047	      qdescr = SQUOTE descr SQUOTE

1049	      qdstrings = qdstring / ( LPAREN WSP qdstringlist WSP RPAREN )
1050	      qdstringlist = [ qdstring *( SP qdstring ) ]
1051	      qdstring = SQUOTE dstring SQUOTE
1052	      dstring = 1*( QS / QQ / QUTF8 )   ; escaped UTF-8 string

1054	      QQ =  ESC %x32 %x37 ; "\27"
1055	      QS =  ESC %x35 ( %x43 / %x63 ) ; "\5C" / "\5c"

1057	      ; Any UTF-8 encoded Unicode character
1058	      ; except %x27 ("'") and %x5C ("\")
1059	      QUTF8    = QUTF1 / UTFMB

1061	      ; Any ASCII character except %x27 ("'") and %x5C ("\")
1062	      QUTF1    = %x00-26 / %x28-5B / %x5D-7F

1064	  Schema definitions in this section also share a number of common
1065	  terms.

1067	  The NAME field provides a set of short names (descriptors) which are
1068	  to be used as aliases for the OID.

1070	  The DESC field optionally allows a descriptive string to be provided
1071	  by the directory administrator and/or implementor.  While
1072	  specifications may suggest a descriptive string, there is no
1073	  requirement that the suggested (or any) descriptive string be used.

1075	  The OBSOLETE field, if present, indicates the element is not active.

1077	  Implementors should note that future versions of this document may
1078	  expand these definitions to include additional terms.  Terms whose
1079	  identifier begins with "X-" are reserved for private experiments, and
1080	  are followed by <SP> and <qdstrings> tokens.

1082	4.1.1. Object Class Definitions

1084	  Object Class definitions are written according to the ABNF:

1086	    ObjectClassDescription = LPAREN WSP
1087	        numericoid                 ; object identifier
1088	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1089	        [ SP "DESC" SP qdstring ]  ; description
1090	        [ SP "OBSOLETE" ]          ; not active
1091	        [ SP "SUP" SP oids ]       ; superior object classes
1092	        [ SP kind ]                ; kind of class
1093	        [ SP "MUST" SP oids ]      ; attribute types
1094	        [ SP "MAY" SP oids ]       ; attribute types
1095	        extensions WSP RPAREN

1097	    kind = "ABSTRACT" / "STRUCTURAL" / "AUXILIARY"

1099	  where:
1100	    <numericoid> is object identifier assigned to this object class;
1101	    NAME <qdescrs> are short names (descriptors) identifying this object
1102	        class;
1103	    DESC <qdstring> is a short descriptive string;
1104	    OBSOLETE indicates this object class is not active;
1105	    SUP <oids> specifies the direct superclasses of this object class;
1106	    the kind of object class is indicated by one of ABSTRACT,
1107	        STRUCTURAL, or AUXILIARY, default is STRUCTURAL;
1108	    MUST and MAY specify the sets of required and allowed attribute
1109	        types, respectively; and
1110	    <extensions> describe extensions.

1112	4.1.2. Attribute Types

1114	  Attribute Type definitions are written according to the ABNF:

1116	    AttributeTypeDescription = LPAREN WSP
1117	        numericoid                    ; object identifier
1118	        [ SP "NAME" SP qdescrs ]      ; short names (descriptors)
1119	        [ SP "DESC" SP qdstring ]     ; description
1120	        [ SP "OBSOLETE" ]             ; not active
1121	        [ SP "SUP" SP oid ]           ; supertype
1122	        [ SP "EQUALITY" SP oid ]      ; equality matching rule
1123	        [ SP "ORDERING" SP oid ]      ; ordering matching rule
1124	        [ SP "SUBSTR" SP oid ]        ; substrings matching rule
1125	        [ SP "SYNTAX" SP noidlen ]    ; value syntax
1126	        [ SP "SINGLE-VALUE" ]         ; single-value
1127	        [ SP "COLLECTIVE" ]           ; collective
1128	        [ SP "NO-USER-MODIFICATION" ] ; not user modifiable
1129	        [ SP "USAGE" SP usage ]       ; usage
1130	        extensions WSP RPAREN         ; extensions

1132	    usage = "userApplications"     /  ; user
1133	            "directoryOperation"   /  ; directory operational
1134	            "distributedOperation" /  ; DSA-shared operational
1135	            "dSAOperation"            ; DSA-specific operational

1137	  where:
1138	    <numericoid> is object identifier assigned to this attribute type;
1139	    NAME <qdescrs> are short names (descriptors) identifying this
1140	        attribute type;
1141	    DESC <qdstring> is a short descriptive string;
1142	    OBSOLETE indicates this attribute type is not active;
1143	    SUP oid specifies the direct supertype of this type;
1144	    EQUALITY, ORDERING, SUBSTR provide the oid of the equality,
1145	        ordering, and substrings matching rules, respectively;
1146	    SYNTAX identifies value syntax by object identifier and may suggest
1147	        a minimum upper bound;
1148	    SINGLE-VALUE indicates attributes of this type are restricted to a
1149	        single value;
1150	    COLLECTIVE indicates this attribute type is collective
1151	        [X.501][RFC3671];
1152	    NO-USER-MODIFICATION indicates this attribute type is not user
1153	        modifiable;
1154	    USAGE indicates the application of this attribute type; and
1155	    <extensions> describe extensions.

1157	  Each attribute type description must contain at least one of the SUP
1158	  or SYNTAX fields.  If no SYNTAX field is provided, the attribute type
1159	  description takes its value from the supertype.

1161	  If SUP field is provided, the EQUALITY, ORDERING, and SUBSTRING
1162	  fields, if not specified, take their value from the supertype.

1164	  Usage of userApplications, the default, indicates that attributes of
1165	  this type represent user information.  That is, they are user
1166	  attributes.

1168	  A usage of directoryOperation, distributedOperation, or dSAOperation
1169	  indicates that attributes of this type represent operational and/or
1170	  administrative information.  That is, they are operational attributes.

1172	  directoryOperation usage indicates that the attribute of this type is
1173	  a directory operational attribute.  distributedOperation usage
1174	  indicates that the attribute of this DSA-shared usage operational
1175	  attribute.  dSAOperation usage indicates that the attribute of this
1176	  type is a DSA-specific operational attribute.

1178	  COLLECTIVE requires usage userApplications.  Use of collective
1179	  attribute types in LDAP is discussed in [RFC3671].

1181	  NO-USER-MODIFICATION requires an operational usage.

1183	  Note that the <AttributeTypeDescription> does not list the matching
1184	  rules which can be used with that attribute type in an extensibleMatch
1185	  search filter [Protocol].  This is done using the 'matchingRuleUse'
1186	  attribute described in Section 4.1.4.

1188	  This document refines the schema description of X.501 by requiring
1189	  that the SYNTAX field in an <AttributeTypeDescription> be a string
1190	  representation of an object identifier for the LDAP string syntax
1191	  definition with an optional indication of the suggested minimum bound
1192	  of a value of this attribute.

1194	  A suggested minimum upper bound on the number of characters in a value
1195	  with a string-based syntax, or the number of bytes in a value for all
1196	  other syntaxes, may be indicated by appending this bound count inside
1197	  of curly braces following the syntax's OBJECT IDENTIFIER in an
1198	  Attribute Type Description.  This bound is not part of the syntax name
1199	  itself.  For instance, "1.3.6.4.1.1466.0{64}" suggests that server
1200	  implementations should allow a string to be 64 characters long,
1201	  although they may allow longer strings.  Note that a single character
1202	  of the Directory String syntax may be encoded in more than one octet
1203	  since UTF-8 [RFC3629] is a variable-length encoding.

1205	4.1.3. Matching Rules

1207	  Matching rules are used in performance of attribute value assertions,
1208	  such as in performance of a Compare operation.  They are also used in
1209	  evaluation of a Search filters, in determining which individual values
1210	  are be added or deleted during performance of a Modify operation, and
1211	  used in comparison of distinguished names.

1213	  Each matching rule is identified by an object identifier (OID) and,
1214	  optionally, one or more short names (descriptors).

1216	  Matching rule definitions are written according to the ABNF:

1218	    MatchingRuleDescription = LPAREN WSP
1219	        numericoid                 ; object identifier
1220	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1221	        [ SP "DESC" SP qdstring ]  ; description
1222	        [ SP "OBSOLETE" ]          ; not active
1223	        SP "SYNTAX" SP numericoid  ; assertion syntax
1224	        extensions WSP RPAREN      ; extensions

1226	  where:
1227	    <numericoid> is object identifier assigned to this matching rule;
1228	    NAME <qdescrs> are short names (descriptors) identifying this
1229	        matching rule;
1230	    DESC <qdstring> is a short descriptive string;
1231	    OBSOLETE indicates this matching rule is not active;
1232	    SYNTAX identifies the assertion syntax (the syntax of the assertion
1233	        value) by object identifier; and
1234	    <extensions> describe extensions.

1236	4.1.4. Matching Rule Uses

1238	  A matching rule use lists the attributes which are suitable for use
1239	  with an extensibleMatch search filter.

1241	  Matching rule use descriptions are written according to the following
1242	  ABNF:

1244	    MatchingRuleUseDescription = LPAREN WSP
1245	        numericoid                 ; object identifier
1246	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1247	        [ SP "DESC" SP qdstring ]  ; description
1248	        [ SP "OBSOLETE" ]          ; not active
1249	        SP "APPLIES" SP oids       ; attribute types
1250	        extensions WSP RPAREN      ; extensions

1252	  where:
1253	    <numericoid> is the object identifier of the matching rule
1254	        associated with this matching rule use description;
1255	    NAME <qdescrs> are short names (descriptors) identifying this
1256	        matching rule use;
1257	    DESC <qdstring> is a short descriptive string;
1258	    OBSOLETE indicates this matching rule use is not active;
1259	    APPLIES provides a list of attribute types the matching rule applies
1260	        to; and
1261	    <extensions> describe extensions.

1263	4.1.5. LDAP Syntaxes

1265	  LDAP Syntaxes of (attribute and assertion) values are described in
1266	  terms of ASN.1 [X.680] and, optionally, have an octet string encoding
1267	  known as the LDAP-specific encoding.  Commonly, the LDAP-specific
1268	  encoding is constrained to a string of Unicode [Unicode] characters in
1269	  UTF-8 [RFC3629] form.

1271	  Each LDAP syntax is identified by an object identifier (OID).

1273	  LDAP syntax definitions are written according to the ABNF:

1275	    SyntaxDescription = LPAREN WSP
1276	        numericoid                 ; object identifier
1277	        [ SP "DESC" SP qdstring ]  ; description
1278	        extensions WSP RPAREN      ; extensions

1280	  where:
1281	    <numericoid> is the object identifier assigned to this LDAP syntax;
1282	    DESC <qdstring> is a short descriptive string; and
1283	    <extensions> describe extensions.

1285	4.1.6. DIT Content Rules

1287	  A DIT content rule is a "rule governing the content of entries of a
1288	  particular structural object class" [X.501].

1290	  For DIT entries of a particular structural object class, a DIT content
1291	  rule specifies which auxiliary object classes the entries are allowed
1292	  to belong to and which additional attributes (by type) are required,
1293	  allowed or not allowed to appear in the entries.

1295	  The list of precluded attributes cannot include any attribute listed
1296	  as mandatory in the rule, the structural object class, or any of the
1297	  allowed auxiliary object classes.

1299	  Each content rule is identified by the object identifier, as well as
1300	  any short names (descriptors), of the structural object class it
1301	  applies to.

1303	  An entry may only belong to auxiliary object classes listed in the
1304	  governing content rule.

1306	  An entry must contain all attributes required by the object classes
1307	  the entry belongs to as well as all attributes required by the
1308	  governing content rule.

1310	  An entry may contain any non-precluded attributes allowed by the
1311	  object classes the entry belongs to as well as all attributes allowed
1312	  by the governing content rule.

1314	  An entry cannot include any attribute precluded by the governing
1315	  content rule.

1317	  An entry is governed by (if present and active in the subschema) the
1318	  DIT content rule which applies to the structural object class of the
1319	  entry (see Section 2.4.2).  If no active rule is present for the
1320	  entry's structural object class, the entry's content is governed by
1321	  the structural object class (and possibly other aspects of user and
1322	  system schema).  DIT content rules for superclasses of the structural
1323	  object class of an entry are not applicable to that entry.

1325	  DIT content rule descriptions are written according to the ABNF:

1327	    DITContentRuleDescription = LPAREN WSP
1328	        numericoid                 ; object identifier
1329	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1330	        [ SP "DESC" SP qdstring ]  ; description
1331	        [ SP "OBSOLETE" ]          ; not active
1332	        [ SP "AUX" SP oids ]       ; auxiliary object classes
1333	        [ SP "MUST" SP oids ]      ; attribute types
1334	        [ SP "MAY" SP oids ]       ; attribute types
1335	        [ SP "NOT" SP oids ]       ; attribute types
1336	        extensions WSP RPAREN      ; extensions

1338	  where:
1339	    <numericoid> is the object identifier of the structural object class
1340	        associated with this DIT content rule;
1341	    NAME <qdescrs> are short names (descriptors) identifying this DIT
1342	        content rule;
1343	    DESC <qdstring> is a short descriptive string;
1344	    OBSOLETE indicates this DIT content rule use is not active;
1345	    AUX specifies a list of auxiliary object classes which entries
1346	        subject to this DIT content rule may belong to;
1347	    MUST, MAY, and NOT specify lists of attribute types which are
1348	        required, allowed, or precluded, respectively, from appearing in
1349	        entries subject to this DIT content rule; and
1350	    <extensions> describe extensions.

1352	4.1.7. DIT Structure Rules and Name Forms

1354	  It is sometimes desirable to regulate where object and alias entries
1355	  can be placed in the DIT and how they can be named based upon their
1356	  structural object class.

1358	4.1.7.1. DIT Structure Rules

1360	  A DIT structure rule is a "rule governing the structure of the DIT by
1361	  specifying a permitted superior to subordinate entry relationship.  A
1362	  structure rule relates a name form, and therefore a structural object
1363	  class, to superior structure rules.  This permits entries of the
1364	  structural object class identified by the name form to exist in the
1365	  DIT as subordinates to entries governed by the indicated superior
1366	  structure rules" [X.501].

1368	  DIT structure rule descriptions are written according to the ABNF:

1370	    DITStructureRuleDescription = LPAREN WSP
1371	        ruleid                     ; rule identifier
1372	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1373	        [ SP "DESC" SP qdstring ]  ; description
1374	        [ SP "OBSOLETE" ]          ; not active
1375	        SP "FORM" SP oid           ; NameForm
1376	        [ SP "SUP" ruleids ]       ; superior rules
1377	        extensions WSP RPAREN      ; extensions

1379	    ruleids = ruleid / ( LPAREN WSP ruleidlist WSP RPAREN )
1380	    ruleidlist = ruleid *( SP ruleid )
1381	    ruleid = number

1383	  where:
1384	    <ruleid> is the rule identifier of this DIT structure rule;
1385	    NAME <qdescrs> are short names (descriptors) identifying this DIT
1386	        structure rule;
1387	    DESC <qdstring> is a short descriptive string;
1388	    OBSOLETE indicates this DIT structure rule use is not active;
1389	    FORM is specifies the name form associated with this DIT structure
1390	        rule;
1391	    SUP identifies superior rules (by rule id); and
1392	    <extensions> describe extensions.

1394	  If no superior rules are identified, the DIT structure rule applies
1395	  to an autonomous administrative point (e.g. the root vertex of the
1396	  subtree controlled by the subschema) [X.501].

1398	4.1.7.2. Name Forms

1400	  A name form "specifies a permissible RDN for entries of a particular
1401	  structural object class.  A name form identifies a named object
1402	  class and one or more attribute types to be used for naming (i.e.
1403	  for the RDN).  Name forms are primitive pieces of specification
1404	  used in the definition of DIT structure rules" [X.501].

1406	  Each name form indicates the structural object class to be named,
1407	  a set of required attribute types, and a set of allowed attribute
1408	  types.  A particular attribute type cannot be in both sets.

1410	  Entries governed by the form must be named using a value from each
1411	  required attribute type and zero or more values from the allowed
1412	  attribute types.

1414	  Each name form is identified by an object identifier (OID) and,
1415	  optionally, one or more short names (descriptors).

1417	  Name form descriptions are written according to the ABNF:

1419	    NameFormDescription = LPAREN WSP
1420	        numericoid                 ; object identifier
1421	        [ SP "NAME" SP qdescrs ]   ; short names (descriptors)
1422	        [ SP "DESC" SP qdstring ]  ; description
1423	        [ SP "OBSOLETE" ]          ; not active
1424	        SP "OC" SP oid             ; structural object class
1425	        SP "MUST" SP oids          ; attribute types
1426	        [ SP "MAY" SP oids ]       ; attribute types
1427	        extensions WSP RPAREN      ; extensions

1429	  where:
1430	    <numericoid> is object identifier which identifies this name form;
1431	    NAME <qdescrs> are short names (descriptors) identifying this name
1432	        form;
1433	    DESC <qdstring> is a short descriptive string;
1434	    OBSOLETE indicates this name form is not active;
1435	    OC identifies the structural object class this rule applies to,
1436	    MUST and MAY specify the sets of required and allowed, respectively,
1437	        naming attributes for this name form; and
1438	    <extensions> describe extensions.

1440	  All attribute types in the required ("MUST") and allowed ("MAY") lists
1441	  shall be different.

1443	4.2. Subschema Subentries
1444	  Subschema (sub)entries are used for administering information about
1445	  the directory schema.  A single subschema (sub)entry contains all
1446	  schema definitions (see Section 4.1) used by entries in a particular
1447	  part of the directory tree.

1449	  Servers which follow X.500(93) models SHOULD implement subschema using
1450	  the X.500 subschema mechanisms (as detailed in Section 12 of [X.501]),
1451	  and so these are not ordinary object entries but subentries (see
1452	  Section 3.2).  LDAP clients SHOULD NOT assume that servers implement
1453	  any of the other aspects of X.500 subschema.

1455	  Servers MAY allow subschema modification.  Procedures for subschema
1456	  modification are discussed in Section 14.5 of [X.501].

1458	  A server which masters entries and permits clients to modify these
1459	  entries SHALL implement and provide access to these subschema
1460	  (sub)entries including providing a 'subschemaSubentry' attribute in
1461	  each modifiable entry.  This is so clients may discover the attributes
1462	  and object classes which are permitted to be present.  It is strongly
1463	  RECOMMENDED that all other servers implement this as well.

1465	  The value of the 'subschemaSubentry' attribute is the name of the
1466	  subschema (sub)entry holding the subschema controlling the entry.

1468	      ( 2.5.18.10 NAME 'subschemaSubentry'
1469	        EQUALITY distinguishedNameMatch
1470	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
1471	        NO-USER-MODIFICATION SINGLE-VALUE
1472	        USAGE directoryOperation )

1474	  The 'distinguishedNameMatch' matching rule and the DistinguishedName
1475	  (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [Syntaxes].

1477	  Subschema is held in (sub)entries belonging to the subschema auxiliary
1478	  object class.

1480	      ( 2.5.20.1 NAME 'subschema' AUXILIARY
1481	        MAY ( dITStructureRules $ nameForms $ ditContentRules $
1482	          objectClasses $ attributeTypes $ matchingRules $
1483	          matchingRuleUse ) )

1485	  The 'ldapSyntaxes' operational attribute may also be present in
1486	  subschema entries.

1488	  Servers MAY provide additional attributes (described in other
1489	  documents) in subschema (sub)entries.

1491	  Servers SHOULD provide the attributes 'createTimestamp' and
1492	  'modifyTimestamp' in subschema (sub)entries, in order to allow clients
1493	  to maintain their caches of schema information.

1495	  The following subsections provide attribute type definitions for each
1496	  of schema definition attribute types.

1498	4.2.1. 'objectClasses'

1500	  This attribute holds definitions of object classes.

1502	      ( 2.5.21.6 NAME 'objectClasses'
1503	        EQUALITY objectIdentifierFirstComponentMatch
1504	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.37
1505	        USAGE directoryOperation )

1507	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1508	  ObjectClassDescription (1.3.6.1.4.1.1466.115.121.1.37) syntax are
1509	  defined in [Syntaxes].

1511	4.2.2. 'attributeTypes'

1513	  This attribute holds definitions of attribute types.

1515	      ( 2.5.21.5 NAME 'attributeTypes'
1516	        EQUALITY objectIdentifierFirstComponentMatch
1517	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.3
1518	        USAGE directoryOperation )

1520	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1521	  AttributeTypeDescription (1.3.6.1.4.1.1466.115.121.1.3) syntax are
1522	  defined in [Syntaxes].

1524	4.2.3. 'matchingRules'

1526	  This attribute holds definitions of matching rules.

1528	      ( 2.5.21.4 NAME 'matchingRules'
1529	        EQUALITY objectIdentifierFirstComponentMatch
1530	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.30
1531	        USAGE directoryOperation )

1533	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1534	  MatchingRuleDescription (1.3.6.1.4.1.1466.115.121.1.30) syntax are
1535	  defined in [Syntaxes].

1537	4.2.4 'matchingRuleUse'

1539	  This attribute holds definitions of matching rule uses.

1541	      ( 2.5.21.8 NAME 'matchingRuleUse'
1542	        EQUALITY objectIdentifierFirstComponentMatch
1543	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.31
1544	        USAGE directoryOperation )

1546	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1547	  MatchingRuleUseDescription (1.3.6.1.4.1.1466.115.121.1.31) syntax are
1548	  defined in [Syntaxes].

1550	4.2.5. 'ldapSyntaxes'

1552	  This attribute holds definitions of LDAP syntaxes.

1554	      ( 1.3.6.1.4.1.1466.101.120.16 NAME 'ldapSyntaxes'
1555	        EQUALITY objectIdentifierFirstComponentMatch
1556	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.54
1557	        USAGE directoryOperation )

1559	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1560	  SyntaxDescription (1.3.6.1.4.1.1466.115.121.1.54) syntax are defined
1561	  in [Syntaxes].

1563	4.2.6. 'dITContentRules'

1565	  This attribute lists DIT Content Rules which are present in the
1566	  subschema.

1568	      ( 2.5.21.2 NAME 'dITContentRules'
1569	        EQUALITY objectIdentifierFirstComponentMatch
1570	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.16
1571	        USAGE directoryOperation )

1573	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1574	  DITContentRuleDescription (1.3.6.1.4.1.1466.115.121.1.16) syntax are
1575	  defined in [Syntaxes].

1577	4.2.7. 'dITStructureRules'

1579	  This attribute lists DIT Structure Rules which are present in the
1580	  subschema.

1582	      ( 2.5.21.1 NAME 'dITStructureRules'
1583	        EQUALITY integerFirstComponentMatch
1584	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.17
1585	        USAGE directoryOperation )

1587	  The 'integerFirstComponentMatch' matching rule and the
1588	  DITStructureRuleDescription (1.3.6.1.4.1.1466.115.121.1.17) syntax are
1589	  defined in [Syntaxes].

1591	4.2.8 'nameForms'

1593	  This attribute lists Name Forms which are in force.

1595	      ( 2.5.21.7 NAME 'nameForms'
1596	        EQUALITY objectIdentifierFirstComponentMatch
1597	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.35
1598	        USAGE directoryOperation )

1600	  The 'objectIdentifierFirstComponentMatch' matching rule and the
1601	  NameFormDescription (1.3.6.1.4.1.1466.115.121.1.35) syntax are defined
1602	  in [Syntaxes].

1604	4.3. 'extensibleObject' object class

1606	  The 'extensibleObject' auxiliary object class allows entries that
1607	  belong to it to hold any user attribute.  The set of allowed attribute
1608	  types of this object class is implicitly the set of all attribute
1609	  types of userApplications usage.

1611	      ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject'
1612	        SUP top AUXILIARY )

1614	  The mandatory attributes of the other object classes of this entry are
1615	  still required to be present and any precluded attributes are still
1616	  not allowed to be present.

1618	4.4. Subschema Discovery

1620	  To discover the DN of the subschema (sub)entry holding the subschema
1621	  controlling a particular entry, a client reads that entry's
1622	  'subschemaSubentry' operational attribute.  To read schema attributes
1623	  from the subschema (sub)entry, clients MUST issue a Search operation
1624	  [Protocol] where baseObject is the DN of the subschema (sub)entry,
1625	  scope is baseObject, filter is "(objectClass=subschema)" [Filters],
1626	  and attributes field lists the names of the desired schema attributes
1627	  (as they are operational).  Note: the "(objectClass=subschema)" filter
1628	  allows LDAP servers which gateway to X.500 to detect that subentry
1629	  information is being requested.

1631	  Clients SHOULD NOT assume a published subschema is complete nor assume
1632	  the server supports all of the schema elements it publishes nor assume
1633	  the server does not support an unpublished element.

1635	5. DSA (Server) Informational Model

1637	  The LDAP protocol assumes there are one or more servers which jointly
1638	  provide access to a Directory Information Tree (DIT).  The server
1639	  holding the original information is called the "master" (for that
1640	  information).  Servers which hold copies of the original information
1641	  are referred to as "shadowing" or "caching" servers.

1643	  As defined in [X.501]:

1645	      context prefix: The sequence of RDNs leading from the Root of the
1646	          DIT to the initial vertex of a naming context; corresponds to
1647	          the distinguished name of that vertex.

1649	  and:

1651	      naming context: A subtree of entries held in a single master DSA.

1653	  That is, a naming context is the largest collection of entries,
1654	  starting at an entry that is mastered by a particular server, and
1655	  including all its subordinates and their subordinates, down to the
1656	  entries which are mastered by different servers.  The context prefix
1657	  is the name of the initial entry.

1659	  The root of the DIT is a DSA-specific Entry (DSE) and not part of any
1660	  naming context (or any subtree); each server has different attribute
1661	  values in the root DSE.

1663	5.1. Server-specific Data Requirements

1665	  An LDAP server SHALL provide information about itself and other
1666	  information that is specific to each server.  This is represented as a
1667	  group of attributes located in the root DSE, which is named with the
1668	  DN with zero RDNs (whose [LDAPDN] representation is as the zero-length
1669	  string).

1671	  These attributes are retrievable, subject to access control and other
1672	  restrictions, if a client performs a Search operation [Protocol] with
1673	  an empty baseObject, scope of baseObject, the filter "(objectClass=*)"
1674	  [Filters], and with the attributes field listing the names of the
1675	  desired attributes.  It is noted that root DSE attributes are
1676	  operational, and like other operational attributes, are not returned
1677	  in search requests unless requested by name.

1679	  The root DSE SHALL NOT be included if the client performs a subtree
1680	  search starting from the root.

1682	  Servers may allow clients to modify attributes of the root DSE where
1683	  appropriate.

1685	  The following attributes of the root DSE are defined in [Syntaxes].
1686	  Additional attributes may be defined in other documents.

1688	    - altServer: alternative servers;

1690	    - namingContexts: naming contexts;

1692	    - supportedControl: recognized LDAP controls;

1694	    - supportedExtension: recognized LDAP extended operations;

1696	    - supportedLDAPVersion: LDAP versions supported; and

1698	    - supportedSASLMechanisms: recognized Simple Authentication and
1699	      Security Layers (SASL) [SASL] mechanisms.

1701	  The values provided for these attributes may depend on
1702	  session-specific and other factors.  For example, a server supporting
1703	  the SASL EXTERNAL mechanism might only list "EXTERNAL" when the
1704	  client's identity has been established by a lower level.  See
1705	  [AuthMeth].

1707	  The root DSE may also include a 'subschemaSubentry' attribute.  If so,
1708	  it refers to the subschema (sub)entry holding the schema controlling
1709	  the root DSE.  Clients SHOULD NOT assume that this subschema
1710	  (sub)entry controls other entries held by the server.  General
1711	  subschema discovery procedures are provided in Section 4.4.

1713	5.1.1. 'altServer'

1715	  The 'altServer' attribute lists URIs referring to alternative servers
1716	  which may be contacted when this server becomes unavailable.  URIs for
1717	  servers implementing the LDAP are written according to [LDAPURL].
1718	  Other kinds of URIs may be provided.  If the server does not know of
1719	  any other servers which could be used this attribute will be absent.
1720	  Clients may cache this information in case their preferred server
1721	  later becomes unavailable.

1723	      ( 1.3.6.1.4.1.1466.101.120.6 NAME 'altServer'
1724	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
1725	        USAGE dSAOperation )

1727	  The IA5String (1.3.6.1.4.1.1466.115.121.1.26) syntax is defined in
1728	  [Syntaxes].

1730	5.1.2. 'namingContexts'

1732	  The 'namingContexts' attribute lists the context prefixes of the
1733	  naming contexts the server masters or shadows (in part or in whole).
1734	  If the server is a first-level DSA [X.501], it should list (in
1735	  addition) an empty string (indicating the root of the DIT).  If the
1736	  server does not master or shadow any information (e.g. it is an LDAP
1737	  gateway to a public X.500 directory) this attribute will be absent.
1738	  If the server believes it masters or shadows the entire directory, the
1739	  attribute will have a single value, and that value will be the empty
1740	  string (indicating the root of the DIT).

1742	  This attribute may be used, for example, to select a suitable entry
1743	  name for subsequent operations with this server.

1745	      ( 1.3.6.1.4.1.1466.101.120.5 NAME 'namingContexts'
1746	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
1747	        USAGE dSAOperation )

1749	  The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax is
1750	  defined in [Syntaxes].

1752	5.1.3. 'supportedControl'

1754	  The 'supportedControl' attribute lists object identifiers identifying
1755	  the request controls [Protocol] the server supports.  If the server
1756	  does not support any request controls, this attribute will be absent.
1757	  Object identifiers identifying response controls need not be listed.

1759	  Procedures for registering object identifiers used to discovery of
1760	  protocol mechanisms are detailed in BCP 64 [BCP64bis].

1762	      ( 1.3.6.1.4.1.1466.101.120.13 NAME 'supportedControl'
1763	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
1764	        USAGE dSAOperation )

1766	  The OBJECT IDENTIFIER (1.3.6.1.4.1.1466.115.121.1.38) syntax is
1767	  defined in [Syntaxes].

1769	5.1.4. 'supportedExtension'

1771	  The 'supportedExtension' attribute lists object identifiers
1772	  identifying the extended operations [Protocol] which the server
1773	  supports.  If the server does not support any extended operations,
1774	  this attribute will be absent.

1776	  An extended operation generally consists of an extended request and an
1777	  extended response but may also include other protocol data units (such
1778	  as intermediate responses).  The object identifier assigned to the
1779	  extended request is used to identify the extended operation.  Other
1780	  object identifiers used in the extended operation need not be listed
1781	  as values of this attribute.

1783	  Procedures for registering object identifiers used to discovery of
1784	  protocol mechanisms are detailed in BCP 64 [BCP64bis].

1786	      ( 1.3.6.1.4.1.1466.101.120.7 NAME 'supportedExtension'
1787	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
1788	        USAGE dSAOperation )

1790	  The OBJECT IDENTIFIER (1.3.6.1.4.1.1466.115.121.1.38) syntax is
1791	  defined in [Syntaxes].

1793	5.1.5. 'supportedLDAPVersion'

1795	  The 'supportedLDAPVersion' attribute lists the versions of LDAP which
1796	  the server supports.

1798	      ( 1.3.6.1.4.1.1466.101.120.15 NAME 'supportedLDAPVersion'
1799	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
1800	        USAGE dSAOperation )

1802	  The INTEGER (1.3.6.1.4.1.1466.115.121.1.27) syntax are defined in
1803	  [Syntaxes].

1805	5.1.6. 'supportedSASLMechanisms'

1807	  The 'supportedSASLMechanisms' attribute lists the SASL mechanisms
1808	  [SASL] which the server recognizes and/or supports [AuthMeth].  The
1809	  contents of this attribute may depend on the current session state.
1810	  If the server does not support any SASL mechanisms this attribute will
1811	  not be present.

1813	      ( 1.3.6.1.4.1.1466.101.120.14 NAME 'supportedSASLMechanisms'
1814	        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
1815	        USAGE dSAOperation )

1817	  The Directory String (1.3.6.1.4.1.1466.115.121.1.15) syntax is defined
1818	  in [Syntaxes].

1820	6. Other Considerations

1822	6.1. Preservation of User Information

1824	  Syntaxes may be defined which have specific value and/or value form
1825	  (representation) preservation requirements.  For example, a syntax
1826	  containing digitally signed data can mandate the server preserve both
1827	  the value and form of value presented to ensure signature is not
1828	  invalidated.

1830	  Where such requirements have not been explicitly stated, servers
1831	  SHOULD preserve the value of user information but MAY return the value
1832	  in a different form.  And where a server is unable (or unwilling) to
1833	  preserve the value of user information, the server SHALL ensure that
1834	  an equivalent value (per Section 2.3) is returned.

1836	6.2. Short Names

1838	  Short names, also known as descriptors, are used as more readable
1839	  aliases for object identifiers and are used to identify various schema
1840	  elements.  However, it is not expected that LDAP implementations with
1841	  human user interface would display these short names (nor the object
1842	  identifiers they refer to) to the user, but would most likely be
1843	  performing translations (such as expressing the short name in one of
1844	  the local national languages).  For example, the short name "st"
1845	  (stateOrProvinceName) might be displayed to a German-speaking user as
1846	  "Land".

1848	  The same short name might have different meaning in different
1849	  subschemas and, within a particular subschema, the same short name
1850	  might refer to different object identifiers each identifying a
1851	  different kind of schema element.

1853	  Implementations MUST be prepared that the same short name might be
1854	  used in a subschema to refer to the different kinds of schema
1855	  elements.  That is, there might be an object class 'x-fubar' and an
1856	  attribute type 'x-fubar' in a subschema.

1858	  Implementations MUST be prepared that the same short name might be
1859	  used in the different subschemas to refer to the different schema
1860	  elements.  That is, there might be two matching rules 'x-fubar', each
1861	  in different subschemas.

1863	  Procedures for registering short names (descriptors) are detailed in
1864	  BCP 64 [BCP64bis].

1866	6.3. Cache and Shadowing

1868	  Some servers may hold cache or shadow copies of entries, which can be
1869	  used to answer search and comparison queries, but will return
1870	  referrals or contact other servers if modification operations are
1871	  requested.  Servers that perform shadowing or caching MUST ensure that
1872	  they do not violate any access control constraints placed on the data
1873	  by the originating server.

1875	7. Implementation Guidelines

1877	7.1 Server Guidelines

1879	  Servers MUST recognize all names of attribute types and object classes
1880	  defined in this document but, unless stated otherwise, need not
1881	  support the associated functionality.  Servers SHOULD recognize all
1882	  the names of attribute types and object classes defined in Section 3
1883	  and 4, respectively, of [Schema].

1885	  Servers MUST ensure that entries conform to user and system schema
1886	  rules or other data model constraints.

1888	  Servers MAY support DIT Content Rules.  Servers MAY support DIT
1889	  Structure Rules and Name Forms.

1891	  Servers MAY support alias entries.

1893	  Servers MAY support the 'extensibleObject' object class.

1895	  Servers MAY support subentries.  If so, they MUST do so in accordance
1896	  with [RFC3672].  Servers which do not support subentries SHOULD use
1897	  object entries to mimic subentries as detailed in Section 3.2.

1899	  Servers MAY implement additional schema elements.  Servers SHOULD
1900	  provide definitions of all schema elements they support in subschema
1901	  (sub)entries.

1903	7.2 Client Guidelines

1905	  In the absence of prior agreements with servers, clients SHOULD NOT
1906	  assume that servers support any particular schema elements beyond
1907	  those referenced in Section 7.1.  The client can retrieve subschema
1908	  information as described in Section 4.4.

1910	  Clients MUST NOT display nor attempt to decode as ASN.1, a value if
1911	  its syntax is not known.   Clients MUST NOT assume the LDAP-specific
1912	  string encoding is restricted to a UTF-8 encoded string of Unicode
1913	  characters or any particular subset of Unicode (such as a printable
1914	  subset) unless such restriction is explicitly stated.  Clients SHOULD
1915	  NOT send attribute values in a request that are not valid according to
1916	  the syntax defined for the attributes.

1918	8. Security Considerations

1920	  Attributes of directory entries are used to provide descriptive
1921	  information about the real-world objects they represent, which can be
1922	  people, organizations or devices.  Most countries have privacy laws
1923	  regarding the publication of information about people.

1925	  General security considerations for accessing directory information
1926	  with LDAP are discussed in [Protocol] and [AuthMeth].

1928	9. IANA Considerations

1930	  It is requested that the Internet Assigned Numbers Authority (IANA)
1931	  update the LDAP descriptors registry as indicated in the following
1932	  template:

1934	      Subject: Request for LDAP Descriptor Registration Update
1935	      Descriptor (short name): see comment
1936	      Object Identifier: see comment
1937	      Person & email address to contact for further information:
1938	          Kurt Zeilenga <kurt@OpenLDAP.org>
1939	      Usage: see comment
1940	      Specification: RFC XXXX
1941	      Author/Change Controller: IESG
1942	      Comments:

1944	      The following descriptors (short names) should be added to
1945	      the registry.

1947	        NAME                         Type OID
1948	        ------------------------     ---- -----------------
1949	        governingStructureRule          A 2.5.21.10
1950	        structuralObjectClass           A 2.5.21.9

1952	      The following descriptors (short names) should be updated to
1953	      refer to this RFC.

1955	        NAME                         Type OID
1956	        ------------------------     ---- -----------------
1957	        alias                           O 2.5.6.1
1958	        aliasedObjectName               A 2.5.4.1
1959	        altServer                       A 1.3.6.1.4.1.1466.101.120.6
1960	        attributeTypes                  A 2.5.21.5
1961	        createTimestamp                 A 2.5.18.1
1962	        creatorsName                    A 2.5.18.3
1963	        dITContentRules                 A 2.5.21.2
1964	        dITStructureRules               A 2.5.21.1
1965	        extensibleObject                O 1.3.6.1.4.1.1466.101.120.111
1966	        ldapSyntaxes                    A 1.3.6.1.4.1.1466.101.120.16
1967	        matchingRuleUse                 A 2.5.21.8
1968	        matchingRules                   A 2.5.21.4
1969	        modifiersName                   A 2.5.18.4
1970	        modifyTimestamp                 A 2.5.18.2
1971	        nameForms                       A 2.5.21.7
1972	        namingContexts                  A 1.3.6.1.4.1.1466.101.120.5
1973	        objectClass                     A 2.5.4.0
1974	        objectClasses                   A 2.5.21.6
1975	        subschema                       O 2.5.20.1
1976	        subschemaSubentry               A 2.5.18.10
1977	        supportedControl                A 1.3.6.1.4.1.1466.101.120.13
1978	        supportedExtension              A 1.3.6.1.4.1.1466.101.120.7
1979	        supportedLDAPVersion            A 1.3.6.1.4.1.1466.101.120.15
1980	        supportedSASLMechanisms         A 1.3.6.1.4.1.1466.101.120.14
1981	        top                             O 2.5.6.0

1983	10. Acknowledgments

1985	  This document is based in part on RFC 2251 by M. Wahl, T.  Howes, and
1986	  S. Kille; RFC 2252 by M. Wahl, A. Coulbeck, T. Howes, S.  Kille; and
1987	  RFC 2556 by M. Wahl, all products of the IETF Access, Searching and
1988	  Indexing of Directories (ASID) Working Group.  This document is also
1989	  based in part on "The Directory: Models" [X.501], a product of the
1990	  International Telephone Union (ITU).  Additional text was borrowed
1991	  from RFC 2253 by M. Wahl, T. Howes, and S. Kille.

1993	  This document is a product of the IETF LDAP Revision (LDAPBIS) Working
1994	  Group.

1996	11. Editor's Address

1998	  Kurt D. Zeilenga
1999	  OpenLDAP Foundation

2001	  Email: Kurt@OpenLDAP.org

2003	12. References

2005	  [[Note to the RFC Editor: please replace the citation tags used in
2006	  referencing Internet-Drafts with tags of the form RFCnnnn where
2007	  possible.]]

2009	12.1. Normative References

2011	  [RFC2119]     Bradner, S., "Key words for use in RFCs to Indicate
2012	                Requirement Levels", BCP 14 (also RFC 2119), March 1997.

2014	  [RFC2234]     Crocker, D. and P. Overell, "Augmented BNF for Syntax
2015	                Specifications: ABNF", RFC 2234, November 1997.

2017	  [RFC3629]     Yergeau, F., "UTF-8, a transformation format of ISO
2018	                10646", RFC 3629 (also STD 63), November 2003.

2020	  [RFC3671]     Zeilenga, K., "Collective Attributes in LDAP", RFC 3671,
2021	                December 2003.

2023	  [RFC3672]     Zeilenga, K. and S. Legg, "Subentries in LDAP", RFC
2024	                3672, December 2003.

2026	  [BCP64bis]    Zeilenga, K., "IANA Considerations for LDAP",
2027	                draft-ietf-ldapbis-bcp64-xx.txt, a work in progress.

2029	  [Roadmap]     Zeilenga, K. (editor), "LDAP: Technical Specification
2030	                Road Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in
2031	                progress.

2033	  [Protocol]    Sermersheim, J. (editor), "LDAP: The Protocol",
2034	                draft-ietf-ldapbis-protocol-xx.txt, a work in progress.

2036	  [AuthMeth]    Harrison, R. (editor), "LDAP: Authentication Methods and
2037	                Connection Level Security Mechanisms",
2038	                draft-ietf-ldapbis-authmeth-xx.txt, a work in progress.

2040	  [Filters]     Smith, M. (editor), LDAPbis WG, "LDAP: String
2041	                Representation of Search Filters",
2042	                draft-ietf-ldapbis-filter-xx.txt, a work in progress.

2044	  [LDAPDN]      Zeilenga, K. (editor), "LDAP: String Representation of
2045	                Distinguished Names", draft-ietf-ldapbis-dn-xx.txt, a
2046	                work in progress.

2048	  [LDAPURL]     Smith, M. (editor), "LDAP: Uniform Resource Locator",
2049	                draft-ietf-ldapbis-url-xx.txt, a work in progress.

2051	  [SASL]        Melnikov, A. (Editor), "Simple Authentication and
2052	                Security Layer (SASL)",
2053	                draft-ietf-sasl-rfc2222bis-xx.txt, a work in progress.

2055	  [Syntaxes]    Legg, S. (editor), "LDAP: Syntaxes and Matching Rules",
2056	                draft-ietf-ldapbis-syntaxes-xx.txt, a work in progress.

2058	  [Schema]      Dally, K. (editor), "LDAP: User Schema",
2059	                draft-ietf-ldapbis-user-schema-xx.txt, a work in
2060	                progress.

2062	  [Unicode]     The Unicode Consortium, "The Unicode Standard, Version
2063	                3.2.0" is defined by "The Unicode Standard, Version 3.0"
2064	                (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5),
2065	                as amended by the "Unicode Standard Annex #27: Unicode
2066	                3.1" (http://www.unicode.org/reports/tr27/) and by the
2067	                "Unicode Standard Annex #28: Unicode 3.2"
2068	                (http://www.unicode.org/reports/tr28/).

2070	  [X.500]       International Telecommunication Union -
2071	                Telecommunication Standardization Sector, "The Directory
2072	                -- Overview of concepts, models and services,"
2073	                X.500(1993) (also ISO/IEC 9594-1:1994).

2075	  [X.501]       International Telecommunication Union -
2076	                Telecommunication Standardization Sector, "The Directory
2077	                -- Models," X.501(1993) (also ISO/IEC 9594-2:1994).

2079	  [X.680]       International Telecommunication Union -
2080	                Telecommunication Standardization Sector, "Abstract
2081	                Syntax Notation One (ASN.1) - Specification of Basic
2082	                Notation", X.680(1997) (also ISO/IEC 8824-1:1998).

2084	12.2. Informative References

2086	  None.

2088	Appendix A.  Changes

2090	  This appendix is non-normative.

2092	  This document amounts to nearly a complete rewrite of portions of RFC
2093	  2251, RFC 2252, and RFC 2256.  This rewrite was undertaken to improve
2094	  overall clarity of technical specification.  This appendix provides a
2095	  summary of substantive changes made to the portions of these documents
2096	  incorporated into this document.  Readers should consult [Roadmap],
2097	  [Protocol], [Syntaxes], and [Schema] for summaries of remaining
2098	  portions of these documents.

2100	A.1 Changes to RFC 2251

2102	  This document incorporates from RFC 2251 sections 3.2 and 3.4,
2103	  portions of Section 4 and 6 as summarized below.

2105	A.1.1 Section 3.2 of RFC 2251

2107	  Section 3.2 of RFC 2251 provided a brief introduction to the X.500
2108	  data model, as used by LDAP.  The previous specification relied on
2109	  [X.501] but lacked clarity in how X.500 models are adapted for use by
2110	  LDAP.  This document describes the X.500 data models, as used by LDAP
2111	  in greater detail, especially in areas where adaptation is needed.

2113	  Section 3.2.1 of RFC 2251 described an attribute as "a type with one
2114	  or more associated values."  In LDAP, an attribute is better described
2115	  as an attribute description, a type with zero or more options, and one
2116	  or more associated values.

2118	  Section 3.2.2 of RFC 2251 mandated that subschema subentries contain
2119	  objectClasses and attributeTypes attributes, yet X.500(93) treats
2120	  these attributes as optional.  While generally all implementations
2121	  that support X.500(93) subschema mechanisms will provide both of these
2122	  attributes, it is not absolutely required for interoperability that
2123	  all servers do.  The mandate was removed for consistency with
2124	  X.500(93).   The subschema discovery mechanism was also clarified to
2125	  indicate that subschema controlling an entry is obtained by reading
2126	  the (sub)entry referred to by that entry's 'subschemaSubentry'
2127	  attribute.

2129	A.1.2 Section 3.4 of RFC 2251

2131	  Section 3.4 of RFC 2251 provided "Server-specific Data Requirements".
2132	  This material, with changes, was incorporated in Section 5.1 of this
2133	  document.

2135	  Changes:

2137	  - Clarify that attributes of the root DSE are subject to "other
2138	    restrictions" in addition to access controls.

2140	  - Clarify that only recognized extended requests need to be enumerated
2141	    'supportedExtension'.

2143	  - Clarify that only recognized request controls need to be enumerated
2144	    'supportedControl'.

2146	  - Clarify that root DSE attributes are operational and, like other
2147	    operational attributes, will not be returned in search requests
2148	    unless requested by name.

2150	  - Clarify that not all root DSE attributes are user modifiable.

2152	  - Remove inconsistent text regarding handling of the
2153	    'subschemaSubentry' attribute within the root DSE.  The previous
2154	    specification stated that the 'subschemaSubentry' attribute held in
2155	    the root DSE referred to "subschema entries (or subentries) known by
2156	    this server."  This is inconsistent with the attribute intended use
2157	    as well as its formal definition as a single valued attribute
2158	    [X.501].  It is also noted that a simple (possibly incomplete) list
2159	    of subschema (sub)entries is not terrible useful.  This document (in
2160	    section 5.1) specifies that the 'subschemaSubentry' attribute of the
2161	    root DSE refers to the subschema controlling the root DSE.  It is
2162	    noted that the general subschema discovery mechanism remains
2163	    available (see Section 4.4 of this document).

2165	A.1.2 Section 4 of RFC 2251

2167	  Portions of Section 4 of RFC 2251 detailing aspects of the information
2168	  model used by LDAP were incorporated in this document, including:

2170	  - Restriction of distinguished values to attributes whose descriptions
2171	    have no options (from Section 4.1.3);

2173	  - Data model aspects of Attribute Types (from Section 4.1.4),
2174	    Attribute Descriptions (from 4.1.5), Attribute (from 4.1.8),
2175	    Matching Rule Identifier (from 4.1.9); and

2177	  - User schema requirements (from Section 4.1.6, 4.5.1, and 4.7).

2179	Clarifications to these portions include:

2181	  - Subtyping and AttributeDescriptions with options.

2183	A.1.3 Section 6 of RFC 2251

2185	    The Section 6.1 and the second paragraph of Section 6.2 of RFC 2251
2186	    where incorporated into this document.

2188	A.2 Changes to RFC 2252

2190	    This document incorporates Sections 4, 5 and 7 from RFC 2252.

2192	A.2.1 Section 4 of RFC 2252

2194	    The specification was updated to use Augmented BNF [RFC2234].  The
2195	    string representation of an OBJECT IDENTIFIER was tighten to
2196	    disallow leading zeros as described in RFC 2252 text.

2198	    The <descr> syntax was changed to disallow semicolon (U+003B)
2199	    characters to appear to be consistent its natural language
2200	    specification "descr is the syntactic representation of an object
2201	    descriptor, which consists of letters and digits, starting with a
2202	    letter."  In a related change, the statement "an
2203	    AttributeDescription can be used as the value in a NAME part of an
2204	    AttributeTypeDescription" was deleted.  RFC 2252 provided no
2205	    specification of the semantics of attribute options appearing in
2206	    NAME fields.

2208	    RFC 2252 stated that the <descr> form of <oid> SHOULD be preferred
2209	    over the <numericoid> form.  However, <descr> form can be ambiguous.
2210	    To address this issue, the imperative was replaced with a statement
2211	    (in Section 1.4) that while the <descr> form is generally preferred,
2212	    <numericoid> should be used where an unambiguous <descr> is not
2213	    available.  Additionally, an expanded discussion of descriptor
2214	    issues is discussed in Section 6.2 (Short Names).

2216	    The ABNF for a quoted string (qdstring) was updated to reflect
2217	    support for the escaping mechanism described in 4.3 of RFC 2252.

2219	A.2.2 Section 5 of RFC 2252
2220	    Definitions of operational attributes provided in Section 5 of RFC
2221	    2252 where incorporated into this document.

2223	    The 'namingContexts' description was clarified.  A first-level DSA
2224	    should publish, in addition to other values, "" indicating the root
2225	    of the DIT.

2227	    The 'altServer' description was clarified.  It may hold any URI.

2229	    The 'supportedExtension' description was clarified.  A server need
2230	    only list the OBJECT IDENTIFIERs associated with the extended
2231	    requests of the extended operations it recognizes.

2233	    The 'supportedControl' description was clarified.  A server need
2234	    only list the OBJECT IDENTIFIERs associated with the request
2235	    controls it recognizes.

2237	    Descriptions for the 'structuralObjectClass' and
2238	    'governingStructureRule' operational attribute types were added.

2240	A.2.3 Section 7 of RFC 2252

2242	    Section 7 of RFC 2252 provides definitions of the 'subschema' and
2243	    'extensibleObject' object classes.  These definitions where
2244	    integrated into Section 4.2 and Section 4.3 of this document,
2245	    respectively.  Section 7 of RFC 2252 also contained the object class
2246	    implementation requirement.  This was incorporated into Section 7 of
2247	    this document.

2249	    The specification of 'extensibleObject' was clarified of how it
2250	    interacts with precluded attributes.

2252	A.3 Changes to RFC 2256

2254	    This document incorporates Sections 5.1, 5.2, 7.1, and 7.2 of RFC
2255	    2256.

2257	    Section 5.1 of RFC 2256 provided the definition of the 'objectClass'
2258	    attribute type.  This was integrated into Section 2.4.1 of this
2259	    document.  The statement "One of the values is either 'top' or
2260	    'alias'" was replaced with statement that one of the values is 'top'
2261	    as entries belonging to 'alias' also belong to 'top'.

2263	    Section 5.2 of RFC 2256 provided the definition of the
2264	    'aliasedObjectName' attribute type.  This was integrated into
2265	    Section 2.6.2 of this document.

2267	    Section 7.1 of RFC 2256 provided the definition of the 'top' object
2268	    class.  This was integrated into Section 2.4.1 of this document.

2270	    Section 7.2 of RFC 2256 provided the definition of the 'alias'
2271	    object class.  This was integrated into Section 2.6.1 of this
2272	    document.

2274	Intellectual Property Rights

2276	  The IETF takes no position regarding the validity or scope of any
2277	  Intellectual Property Rights or other rights that might be claimed to
2278	  pertain to the implementation or use of the technology described in
2279	  this document or the extent to which any license under such rights
2280	  might or might not be available; nor does it represent that it has
2281	  made any independent effort to identify any such rights.  Information
2282	  on the procedures with respect to rights in RFC documents can be found
2283	  in BCP 78 and BCP 79.

2285	  Copies of IPR disclosures made to the IETF Secretariat and any
2286	  assurances of licenses to be made available, or the result of an
2287	  attempt made to obtain a general license or permission for the use of
2288	  such proprietary rights by implementers or users of this specification
2289	  can be obtained from the IETF on-line IPR repository at
2290	  http://www.ietf.org/ipr.

2292	  The IETF invites any interested party to bring to its attention any
2293	  copyrights, patents or patent applications, or other proprietary
2294	  rights that may cover technology that may be required to implement
2295	  this standard.  Please address the information to the IETF at
2296	  ietf-ipr@ietf.org.

2298	Full Copyright

2300	  Copyright (C) The Internet Society (2005).  This document is subject
2301	  to the rights, licenses and restrictions contained in BCP 78, and
2302	  except as set forth therein, the authors retain all their rights.

2304	  This document and the information contained herein are provided on an
2305	  "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
2306	  OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
2307	  ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
2308	  INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
2309	  INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
2310	  WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.