INTERNET-DRAFT                                          K. Dally, Editor
Intended Category: Standard Track                       The MITRE Corp.
Expires 04 October 2001                                   04 April 2001
Obsoletes: 2256


     A Summary of the X.500(3rd edition) User Schema for use with LDAPv3


   [Editor's note:
   This Internet-Draft (I-D) is a modified version of the text of
   RFC 2256, in order to bring it up to date.  This action is part of
   the maintenance activity that is needed in order to progress LDAPv3
   to Draft Standard.  The changes are described in Annex A of this
   document.
   End of Editor's note]

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   This document is intended to be, after appropriate review and
   revision, submitted to the RFC Editor as a Standard Track document.
   Distribution of this memo is unlimited.
   Technical discussion of this document will take place on the IETF
   LDAP Revision Working Group (LDAPbis) mailing list.  Please send
   editorial comments directly to the author.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.  Internet-Drafts are draft documents valid for a
   maximum of six months and may be updated, replaced, or obsoleted by
   other documents at any time.  It is inappropriate to use
   Internet-Drafts as reference material or to cite them other than as
   "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.  The list of
   Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   Copyright 2000, The Internet Society.  All Rights Reserved.

   Please see the Copyright section near the end of this document for
   more information.

Abstract

   This document provides an overview of the attribute types and object
   classes defined by the ISO/IEC JTC1 and ITU-T committees in the
   ISO/IEC 9594 and X.500 documents, in particular those intended for
   use by directory clients.  This is the most widely used schema for
   LDAP/X.500 directories, and many other schema definitions for white
   pages objects use it as a basis.  This document does not cover
   attributes used for the administration of X.500 directory servers,
   nor does it include attributes defined by other ISO/ITU-T documents.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [6].

Table of Contents

   Status of this Memo
   Abstract
   1.  General Issues
   2.  Source
   3.  Attribute Types
   3.1  "MUST" Attribute Types
   3.1.1  objectClass
   3.2  "SHOULD" Attribute Types
   3.2.1  aliasedObjectName
   3.2.2  cn
   3.2.3  sn
   3.2.4  serialNumber
   3.2.5  c
   3.2.6  l
   3.2.7  st
   3.2.8  street
   3.2.9  o
   3.2.10  ou
   3.2.11  title
   3.2.12  description
   3.2.13  businessCategory
   3.2.14  postalAddress
   3.2.15  postalCode
   3.2.16  postOfficeBox
   3.2.17  physicalDeliveryOfficeName
   3.2.18  telephoneNumber
   3.2.19  telexNumber
   3.2.20  facsimileTelephoneNumber
   3.2.21  x121Address
   3.2.22  internationalISDNNumber
   3.2.23  registeredAddress
   3.2.24  destinationIndicator
   3.2.25  preferredDeliveryMethod
   3.2.26  presentationAddress
   3.2.27  supportedApplicationContext
   3.2.28  member
   3.2.29  owner
   3.2.30  roleOccupant
   3.2.31  seeAlso
   3.2.32  userPassword
   3.2.33  userCertificate
   3.2.34  cACertificate
   3.2.35  authorityRevocationList
   3.2.36  certificateRevocationList
   3.2.37  crossCertificatePair
   3.2.38  name
   3.2.39  givenName
   3.2.40  initials
   3.2.41  generationQualifier
   3.2.42  x500UniqueIdentifier
   3.2.43  dnQualifier
   3.2.44  enhancedSearchGuide
   3.2.45  protocolInformation
   3.2.46  distinguishedName
   3.2.47  uniqueMember
   3.2.48  houseIdentifier
   3.2.49  supportedAlgorithms
   3.2.50  deltaRevocationList
   3.2.51  dmdName
   3.3  Superseded and Withdrawn Attribute Types
   3.3.1  knowledgeInformation
   3.3.2  searchGuide
   3.3.3  teletexTerminalIdentifier
   4.  Syntaxes
   4.1  Delivery Method
   4.2  Enhanced Guide
   4.3  Guide
   4.4  Octet String
   4.5  Teletex Terminal Identifier
   4.6  Telex Number
   4.7  Supported Algorithm
   5.  Object Classes
   5.1  top
   5.2  alias
   5.3  country
   5.4  locality
   5.5  organization
   5.6  organizationalUnit
   5.7  person
   5.8  organizationalPerson
   5.9  organizationalRole
   5.10  groupOfNames
   5.11  residentialPerson
   5.12  applicationProcess
   5.13  applicationEntity
   5.14  dSA
   5.15  device
   5.16  strongAuthenticationUser
   5.17  certificationAuthority
   5.18  groupOfUniqueNames
   5.19  userSecurityInformation
   5.20  certificationAuthority-V2
   5.21  cRLDistributionPoint
   5.22  dmd
   6.  Matching Rules
   6.1  octetStringMatch
   7.  Security Considerations
   8.  Acknowledgements
   9.  Bibliography
   10.  Author's Address
   Annex A  Change Log

1. General Issues

   This document references syntaxes given in section 4 of this
   document and section 6 of [1].  Matching rules are listed in
   section 6 of this document and section 8 of [1].

   The attribute type and object class definitions are written using the
   BNF form of AttributeTypeDescription and ObjectClassDescription given
   in [1].  Lines have been folded for readability.

2. Source

   The schema definitions in this document are based on those found in
   X.500 [2], [3], [4], and [5], specifically:

      Sections       Source
      ============   ============
      3.1 - 3.2      X.501 [2]
      3.3 - 3.36     X.520 [4]
      3.37 - 3.41    X.509 [3]
      3.42 - 3.52    X.520 [4]
      3.53 - 3.54    X.509 [3]
      3.55           X.520 [4]
      4.1 - 4.6      X.520 [4]
      4.7            X.509 [3]
      5.1 - 5.2      X.501 [2]
      5.3 - 5.18     X.521 [5]
      5.19 - 5.21    X.509 [3]
      5.22           X.521 [5]
      6.1            X.520 [4]

   Three new attributes: supportedAlgorithms, deltaRevocationList and
   dmdName, and the objectClass dmd, which were not specified in X.500
   edition 2 (1993), are defined in the X.500 edition 3 (1997) [2, 3, 4,
   5] documents.

3. Attribute Types

   Two kinds of attribute types are contained in this section: ones
   for holding user information and others which have been superseded
   or withdrawn.

3.1 "MUST" Attribute Types

   An LDAP server implementation MUST recognize the attribute types
   described in this section.

3.1.1 objectClass

   The values of the objectClass attribute describe the kind of object
   which an entry represents.  The objectClass attribute is present in
   every entry.

      ( 2.5.4.0 NAME 'objectClass'
        EQUALITY objectIdentifierMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

3.2 "SHOULD" Attribute Types

   An LDAP server implementation SHOULD recognize the attribute types
   described in this section.

3.2.1 aliasedObjectName

   The aliasedObjectName attribute is used by the directory service if
   the entry containing this attribute is an alias.  In X.500, this
   attribute is called aliasedEntryName.

      ( 2.5.4.1 NAME 'aliasedObjectName'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )

3.2.2 cn

   This is the X.500 commonName attribute, which contains a name of an
   object.  If the object corresponds to a person, it is typically the
   person's full name.

      ( 2.5.4.3 NAME 'cn' SUP name )

3.2.3 sn

   This is the X.500 surname attribute, which contains the family name
   of a person.

      ( 2.5.4.4 NAME 'sn' SUP name )

3.2.4 serialNumber

   This attribute contains the serial number of a device.

      ( 2.5.4.5 NAME 'serialNumber'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )

3.2.5 c

   This is the X.500 countryName attribute, which contains a two-letter
   ISO 3166 country code.

      ( 2.5.4.6 NAME 'c' SUP name SINGLE-VALUE )

3.2.6 l

   This is the X.500 localityName attribute, which contains the name of
   a locality, such as a city, county or other geographic region.

      ( 2.5.4.7 NAME 'l' SUP name )

3.2.7 st

   This is the X.500 stateOrProvinceName attribute, which contains the
   full name of a state or province.

      ( 2.5.4.8 NAME 'st' SUP name )

3.2.8 street

   This is the X.500 streetAddress attribute, which contains the
   physical address of the object to which the entry corresponds, such
   as an address for package delivery.

      ( 2.5.4.9 NAME 'street'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

3.2.9 o

   This is the X.500 organizationName attribute, which contains the
   name of an organization.

      ( 2.5.4.10 NAME 'o' SUP name )

3.2.10 ou

   This is the X.500 organizationalUnitName attribute, which contains
   the name of an organizational unit.

      ( 2.5.4.11 NAME 'ou' SUP name )

3.2.11 title

   This attribute contains the title, such as "Vice President", of a
   person in their organizational context.  The "personalTitle"
   attribute would be used for a person's title independent of their job
   function.

      ( 2.5.4.12 NAME 'title' SUP name )

3.2.12 description

   This attribute contains a human-readable description of the object.

      ( 2.5.4.13 NAME 'description'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

3.2.13 businessCategory

   This attribute describes the kind of business performed by an
   organization.

      ( 2.5.4.15 NAME 'businessCategory'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

3.2.14 postalAddress

   This attribute contains an address used by a Postal Service to
   perform services for the object.

      ( 2.5.4.16 NAME 'postalAddress'
        EQUALITY caseIgnoreListMatch
        SUBSTR caseIgnoreListSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

3.2.15 postalCode

   This attribute contains a code used by a Postal Service to identify
   a postal service zone, such as the southern quadrant of a city.

      ( 2.5.4.17 NAME 'postalCode'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )

3.2.16 postOfficeBox

   This attribute contains the number that a Postal Service uses when a
   customer arranges to receive mail at a box on premises of the Postal
   Service.

      ( 2.5.4.18 NAME 'postOfficeBox'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )

3.2.17 physicalDeliveryOfficeName

   This attribute contains the name that a Postal Service uses to
   identify a post office.

      ( 2.5.4.19 NAME 'physicalDeliveryOfficeName'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

3.2.18 telephoneNumber

   A value of this attribute is a telephone number complying with CCITT
   Rec. E.123.

      ( 2.5.4.20 NAME 'telephoneNumber'
        EQUALITY telephoneNumberMatch
        SUBSTR telephoneNumberSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )

3.2.19 telexNumber

   A value of this attribute is a telex number, country code, and
   answerback code of a telex terminal.

      ( 2.5.4.21 NAME 'telexNumber'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )

3.2.20 facsimileTelephoneNumber

   A value of this attribute is a telephone number for a facsimile
   terminal (and, optionally, its parameters).

      ( 2.5.4.23 NAME 'facsimileTelephoneNumber'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )

3.2.21 x121Address

   A value of this attribute is a data network address as defined by
   CCITT Recommendation X.121.

      ( 2.5.4.24 NAME 'x121Address'
        EQUALITY numericStringMatch
        SUBSTR numericStringSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} )

3.2.22 internationalISDNNumber

   A value of this attribute is an ISDN address, as defined in CCITT
   Recommendation E.164.

      ( 2.5.4.25 NAME 'internationalISDNNumber'
        EQUALITY numericStringMatch
        SUBSTR numericStringSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} )

3.2.23 registeredAddress

   This attribute holds a postal address suitable for reception of
   telegrams or expedited documents, where it is necessary to have the
   recipient accept delivery.

      ( 2.5.4.26 NAME 'registeredAddress'
        SUP postalAddress
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

3.2.24 destinationIndicator

   This attribute is used for the telegram service.

      ( 2.5.4.27 NAME 'destinationIndicator'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )

3.2.25 preferredDeliveryMethod

   This attribute contains an indication of the preferred method of
   getting a message to the object.

      ( 2.5.4.28 NAME 'preferredDeliveryMethod'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
        SINGLE-VALUE )

3.2.26 presentationAddress

   This attribute contains an OSI presentation address.

      ( 2.5.4.29 NAME 'presentationAddress'
        EQUALITY presentationAddressMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.43
        SINGLE-VALUE )

3.2.27 supportedApplicationContext

   This attribute contains the identifiers of OSI application contexts.

      ( 2.5.4.30 NAME 'supportedApplicationContext'
        EQUALITY objectIdentifierMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

3.2.28 member

   A value of this attribute is the Distinguished Name of an object
   that is on a list or in a group.

      ( 2.5.4.31 NAME 'member' SUP distinguishedName )

3.2.29 owner

   A value of this attribute is the Distinguished Name of an object
   that has an ownership responsibility for the object that is owned.

      ( 2.5.4.32 NAME 'owner' SUP distinguishedName )

3.2.30 roleOccupant

   A value of this attribute is the Distinguished Name of an object
   (normally a person) that fulfills the responsibilities of a role
   object.

      ( 2.5.4.33 NAME 'roleOccupant' SUP distinguishedName )

3.2.31 seeAlso

   A value of this attribute is the Distinguished Name of an object
   that is related to the subject object.

      ( 2.5.4.34 NAME 'seeAlso' SUP distinguishedName )

3.2.32 userPassword

   A value of this attribute is a character string that is known only
   to the user and the system to which the user has access.

      ( 2.5.4.35 NAME 'userPassword'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

   Passwords are stored using an Octet String syntax and are not
   encrypted.  Transfer of cleartext passwords is strongly discouraged
   where the underlying transport service cannot guarantee
   confidentiality and may result in disclosure of the password to
   unauthorized parties.

3.2.33 userCertificate

   A value of this attribute is a set of information that is used to
   protect business systems, including the directory system and its
   contents, from a number of threats.  The protection is realized by
   verifying the object is authorized to use the business system for
   certain purposes.  This attribute is to be stored and requested in
   the binary form, as 'userCertificate;binary'.

      ( 2.5.4.36 NAME 'userCertificate'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )

3.2.34 cACertificate

   A value of this attribute is a set of information that is used to
   establish a traceable chain of authority for issuing user
   certificates.  This attribute is to be stored and requested in the
   binary form, as 'cACertificate;binary'.

      ( 2.5.4.37 NAME 'cACertificate'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )

3.2.35 authorityRevocationList

   A value of this attribute is a list of CA certificates that are no
   longer valid.  This attribute is to be stored and requested in the
   binary form, as 'authorityRevocationList;binary'.

      ( 2.5.4.38 NAME 'authorityRevocationList'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )

3.2.36 certificateRevocationList

   A value of this attribute is a list of user certificates that are no
   longer valid.  This attribute is to be stored and requested in the
   binary form, as 'certificateRevocationList;binary'.

      ( 2.5.4.39 NAME 'certificateRevocationList'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )

3.2.37 crossCertificatePair

   A value of this attribute is a set of two certificates that are used
   to enable the certificates issued in two security domains to be
   usable in both domains.  This attribute is to be stored and requested
   in the binary form, as 'crossCertificatePair;binary'.

      ( 2.5.4.40 NAME 'crossCertificatePair'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 )

3.2.38 name

   The name attribute type is the attribute supertype from which string
   attribute types typically used for naming may be formed.  It is
   unlikely that values of this type itself will occur in an entry.  LDAP
   server implementations which do not support attribute subtyping need
   not recognize this attribute in requests.  Client implementations
   MUST NOT assume that LDAP servers are capable of performing attribute
   subtyping.

      ( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

3.2.39 givenName

   The givenName attribute is used to hold the part of a person's name
   which is not their surname nor middle name.

      ( 2.5.4.42 NAME 'givenName' SUP name )

3.2.40 initials

   The initials attribute contains the initials of some or all of an
   individual's names, but not the surname(s).

      ( 2.5.4.43 NAME 'initials' SUP name )

3.2.41 generationQualifier

   The generationQualifier attribute contains the part of the name which
   typically is the suffix, as in "IIIrd".

      ( 2.5.4.44 NAME 'generationQualifier' SUP name )

3.2.42 x500UniqueIdentifier

   The x500UniqueIdentifier attribute is used to distinguish between
   objects when a distinguished name has been reused.  In X.500, this
   attribute is called uniqueIdentifier.  This is a different attribute
   type from both the "uid" and "uniqueIdentifier" (defined in ??)
   types.

      ( 2.5.4.45 NAME 'x500UniqueIdentifier'
        EQUALITY bitStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )

3.2.43 dnQualifier

   The dnQualifier attribute type specifies disambiguating information
   to add to the relative distinguished name of an entry.  It is
   intended for use when merging data from multiple sources in order to
   prevent conflicts between entries which would otherwise have the same
   name.  It is recommended that the value of the dnQualifier attribute
   be the same for all entries from a particular source.

      ( 2.5.4.46 NAME 'dnQualifier'
        EQUALITY caseIgnoreMatch
        ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )

3.2.44 enhancedSearchGuide

   This attribute is for use by X.500 clients in constructing search
   filters.

      ( 2.5.4.47 NAME 'enhancedSearchGuide'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )

3.2.45 protocolInformation

   This attribute is used in conjunction with the presentationAddress
   attribute, to provide additional information to the OSI network
   service.

      ( 2.5.4.48 NAME 'protocolInformation'
        EQUALITY protocolInformationMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 )

3.2.46 distinguishedName

   This attribute type is not used as the name of the object itself, but
   it is instead a base type from which attributes with DN syntax
   inherit.

   It is unlikely that values of this type itself will occur in an
   entry.  LDAP server implementations which do not support attribute
   subtyping need not recognize this attribute in requests.  Client
   implementations MUST NOT assume that LDAP servers are capable of
   performing attribute subtyping.

      ( 2.5.4.49 NAME 'distinguishedName'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

3.2.47 uniqueMember

   A value of this attribute is the Distinguished Name of an object
   that is on a list or in a group, where the Relative Distinguished
   Name of the object includes a value that distinguishes between
   objects when a distinguished name has been reused.

      ( 2.5.4.50 NAME 'uniqueMember'
        EQUALITY uniqueMemberMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )

3.2.48 houseIdentifier

   This attribute is used to identify a building within a location.

      ( 2.5.4.51 NAME 'houseIdentifier'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

3.2.49 supportedAlgorithms

   This attribute contains the identifiers of cryptographic algorithms
   that the object implements.  This attribute is to be stored and
   requested in the binary form, as 'supportedAlgorithms;binary'.

      ( 2.5.4.52 NAME 'supportedAlgorithms'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 )

3.2.50 deltaRevocationList

   This attribute contains a list of revoked user certificates that is
   an addition to a previous certificate revocation list.  This
   attribute is to be stored and requested in the binary form, as
   'deltaRevocationList;binary'.

      ( 2.5.4.53 NAME 'deltaRevocationList'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )

3.2.51 dmdName

   The value of this attribute specifies a directory management domain
   (DMD), the administrative authority which operates the directory
   server.

      ( 2.5.4.54 NAME 'dmdName' SUP name )

3.3 Superseded and Withdrawn Attribute Types

   There is no requirement that servers implement the attribute types
   in this section.  In fact, their use is greatly discouraged.

3.3.1 knowledgeInformation

   This attribute is superseded by some system schema attributes.

      ( 2.5.4.2 NAME 'knowledgeInformation' EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

3.3.2 searchGuide

   This attribute is for use by clients in constructing search filters.
   It is superseded by enhancedSearchGuide, described above in 3.2.44.

      ( 2.5.4.14 NAME 'searchGuide'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )

3.3.3 teletexTerminalIdentifier

   The withdrawal of Rec. F.200 has resulted in the withdrawal of this
   attribute.

      ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )

4. Syntaxes

   Servers SHOULD recognize the syntaxes defined in this section.  Each
   syntax begins with a sample value of the ldapSyntaxes attribute
   which defines the OBJECT IDENTIFIER of the syntax.  The descriptions
   of syntax names are not carried in protocol, and are not guaranteed
   to be unique.

4.1 Delivery Method

      ( 1.3.6.1.4.1.1466.115.121.1.14 DESC 'Delivery Method' )

   Values in this syntax are encoded according to the following BNF:

      delivery-value = pdm / ( pdm whsp "$" whsp delivery-value )

      pdm = "any" / "mhs" / "physical" / "telex" / "teletex" /
            "g3fax" / "g4fax" / "ia5" / "videotex" / "telephone"

   Example:

      telephone

4.2 Enhanced Guide

      ( 1.3.6.1.4.1.1466.115.121.1.21 DESC 'Enhanced Guide' )

   Values in this syntax are encoded according to the following BNF:

      EnhancedGuide = woid whsp "#" whsp criteria whsp "#" whsp subset

      subset = "baseobject" / "oneLevel" / "wholeSubtree"

   The criteria production is defined in the Guide syntax below.  This
   syntax has been added subsequent to RFC 1778.

   Example:

      person#(sn$EQ)#oneLevel

4.3 Guide

      ( 1.3.6.1.4.1.1466.115.121.1.25 DESC 'Guide' )

   Values in this syntax are encoded according to the following BNF:

      guide-value = [ object-class "#" ] criteria

      object-class = woid

      criteria = criteria-item / criteria-set / ( "!" criteria )

      criteria-set = ( [ "(" ] criteria "&" criteria-set [ ")" ] ) /
                     ( [ "(" ] criteria "|" criteria-set [ ")" ] )

      criteria-item = [ "(" ] attributetype "$" match-type [ ")" ]

      match-type = "EQ" / "SUBSTR" / "GE" / "LE" / "APPROX"

   This syntax should not be used for defining new attributes.

4.4 Octet String

      ( 1.3.6.1.4.1.1466.115.121.1.40 DESC 'Octet String' )

   Values in this syntax are encoded as octet strings.

   Example:

      secret

4.5 Teletex Terminal Identifier

      ( 1.3.6.1.4.1.1466.115.121.1.51 DESC 'Teletex Terminal Identifier' )

   Values in this syntax are encoded according to the following BNF:

      teletex-id = ttx-term 0*("$" ttx-param)

      ttx-term = printablestring

      ttx-param = ttx-key ":" ttx-value

      ttx-key = "graphic" / "control" / "misc" / "page" / "private"

      ttx-value = octetstring

   In the above, the first printablestring is the encoding of the first
   portion of the teletex terminal identifier to be encoded, and the
   subsequent 0 or more octetstrings are subsequent portions of the
   teletex terminal identifier.

4.6 Telex Number

      ( 1.3.6.1.4.1.1466.115.121.1.52 DESC 'Telex Number' )

   Values in this syntax are encoded according to the following BNF:

      telex-number = actual-number "$" country "$" answerback

      actual-number = printablestring

      country = printablestring

      answerback = printablestring

   In the above, actual-number is the syntactic representation of the
   number portion of the TELEX number being encoded, country is the
   TELEX country code, and answerback is the answerback code of a TELEX
   terminal.

4.7 Supported Algorithm

      ( 1.3.6.1.4.1.1466.115.121.1.49 DESC 'Supported Algorithm' )

   No printable representation of values of the supportedAlgorithms
   attribute is defined in this document.  Clients which wish to store
   and retrieve this attribute MUST use "supportedAlgorithms;binary",
   in which the value is transferred as a binary encoding.

5. Object Classes

   LDAP servers MUST recognize the object class "top".  LDAP servers
   SHOULD recognize all the other object classes listed here as values
   of the objectClass attribute.
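   The Delivery Method, Enhanced Guide, Guide and Telex Number values of
   section 4 above are specified only by their BNF.  The following Python
   parsers are an added example, not part of this draft or of any LDAP
   implementation; they assume the X.680 PrintableString alphabet for
   "printablestring", and every value they are run on is constructed:

```python
"""Parsers for the string syntaxes of section 4 (added example, not part of the draft).
Grammars: 4.1 Delivery Method, 4.2/4.3 Enhanced Guide and Guide, 4.6 Telex Number.
PrintableString is taken as the X.680 alphabet; the values parsed here are constructed."""
import re

PDM = {"any", "mhs", "physical", "telex", "teletex", "g3fax", "g4fax",
       "ia5", "videotex", "telephone"}                     # 4.1 pdm keywords
SUBSETS = {"baseobject", "oneLevel", "wholeSubtree"}       # 4.2 subset
MATCH_TYPES = {"EQ", "SUBSTR", "GE", "LE", "APPROX"}       # 4.3 match-type
PRINTABLE = re.compile(r"^[A-Za-z0-9 '()+,\-./:=?]+$")     # X.680 PrintableString
TOKEN = re.compile(r"\s*(?:([()&|!$])|([A-Za-z0-9.-]+))")  # criteria tokens

def parse_delivery_method(value):
    """delivery-value = pdm / ( pdm whsp "$" whsp delivery-value ); most preferred first."""
    methods = [part.strip() for part in value.split("$")]
    bad = [m for m in methods if m not in PDM]
    if bad:
        raise ValueError("unknown pdm keyword(s): %s" % ", ".join(bad))
    return methods

def parse_telex_number(value):
    """telex-number = actual-number "$" country "$" answerback, each a printablestring."""
    parts = value.split("$")
    if len(parts) != 3 or not all(PRINTABLE.match(p) for p in parts):
        raise ValueError("malformed Telex Number: %r" % value)
    return dict(zip(("actual-number", "country", "answerback"), parts))

class _Criteria:
    """Recursive-descent parser for the 'criteria' production of 4.3.  Trees are
    ("item", attributetype, match-type), ("not", c), ("and", c1, c2) or ("or", c1, c2)."""

    def __init__(self, text):
        self.tokens = [a or b for a, b in TOKEN.findall(text)]
        if "".join(self.tokens) != re.sub(r"\s+", "", text):   # a character no rule allows
            raise ValueError("unexpected characters in criteria %r" % text)

    def peek(self):
        return self.tokens[0] if self.tokens else None

    def take(self, expected=None):
        if not self.tokens or (expected is not None and self.tokens[0] != expected):
            raise ValueError("expected %r, found %r" % (expected or "a token", self.peek()))
        return self.tokens.pop(0)

    def criteria(self):
        # criteria = criteria-item / criteria-set / ( "!" criteria )
        if self.peek() == "!":
            self.take("!")
            left = ("not", self.criteria())      # "!" negates the whole criteria after it
        else:
            left = self.primary()
        # criteria-set = criteria ("&" / "|") criteria-set, i.e. right-associative
        if self.peek() in ("&", "|"):
            return ("and" if self.take() == "&" else "or", left, self.criteria())
        return left

    def primary(self):
        # a parenthesised criteria, or criteria-item = attributetype "$" match-type
        if self.peek() == "(":
            self.take("(")
            inner = self.criteria()
            self.take(")")
            return inner
        attr = self.take()
        if not re.match(r"^([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)+)$", attr):
            raise ValueError("bad attributetype %r" % attr)
        self.take("$")
        match_type = self.take()
        if match_type not in MATCH_TYPES:
            raise ValueError("bad match-type %r" % match_type)
        return ("item", attr, match_type)

def parse_criteria(text):
    parser = _Criteria(text)
    tree = parser.criteria()
    if parser.peek() is not None:
        raise ValueError("trailing tokens after criteria: %r" % parser.tokens)
    return tree

def parse_enhanced_guide(value):
    """EnhancedGuide = woid whsp "#" whsp criteria whsp "#" whsp subset."""
    parts = [p.strip() for p in value.split("#")]
    if len(parts) != 3:
        raise ValueError("Enhanced Guide needs exactly two '#' separators")
    if parts[2] not in SUBSETS:
        raise ValueError("bad subset %r" % parts[2])
    return {"object-class": parts[0], "criteria": parse_criteria(parts[1]), "subset": parts[2]}

def parse_guide(value):
    """guide-value = [ object-class "#" ] criteria  (the older Guide syntax of 4.3)."""
    object_class, _, criteria = value.rpartition("#")
    return {"object-class": object_class.strip() or None, "criteria": parse_criteria(criteria)}

def is_valid_enhanced_guide(value):
    try:
        parse_enhanced_guide(value)
        return True
    except ValueError:
        return False
```

   A value such as person#(sn)#oneLevel, with no "$" match-type in its
   criteria-item, is rejected, which is the check a server would apply
   before storing an enhancedSearchGuide value.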

5.1 top

      ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )

5.2 alias

      ( 2.5.6.1 NAME 'alias' SUP top STRUCTURAL MUST aliasedObjectName )

5.3 country

      ( 2.5.6.2 NAME 'country' SUP top STRUCTURAL MUST c
        MAY ( searchGuide $ description ) )

5.4 locality

      ( 2.5.6.3 NAME 'locality' SUP top STRUCTURAL
        MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) )

5.5 organization

      ( 2.5.6.4 NAME 'organization' SUP top STRUCTURAL MUST o
        MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
        x121Address $ registeredAddress $ destinationIndicator $
        preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
        telephoneNumber $ internationaliSDNNumber $
        facsimileTelephoneNumber $
        street $ postOfficeBox $ postalCode $ postalAddress $
        physicalDeliveryOfficeName $ st $ l $ description ) )

5.6 organizationalUnit

      ( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL MUST ou
        MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
        x121Address $ registeredAddress $ destinationIndicator $
        preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
        telephoneNumber $ internationaliSDNNumber $
        facsimileTelephoneNumber $
        street $ postOfficeBox $ postalCode $ postalAddress $
        physicalDeliveryOfficeName $ st $ l $ description ) )

5.7 person

      ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn )
        MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )

5.8 organizationalPerson

      ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL
        MAY ( title $ x121Address $ registeredAddress $
        destinationIndicator $
        preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
        telephoneNumber $ internationaliSDNNumber $
        facsimileTelephoneNumber $
        street $ postOfficeBox $ postalCode $ postalAddress $
        physicalDeliveryOfficeName $ ou $ st $ l ) )

5.9 organizationalRole

      ( 2.5.6.8 NAME 'organizationalRole' SUP top STRUCTURAL MUST cn
        MAY ( x121Address $ registeredAddress $ destinationIndicator $
        preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
        telephoneNumber $ internationaliSDNNumber $
        facsimileTelephoneNumber $
        seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $
        postOfficeBox $ postalCode $ postalAddress $
        physicalDeliveryOfficeName $ ou $ st $ l $ description ) )

5.10 groupOfNames

      ( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( member $ cn )
        MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )

5.11 residentialPerson

      ( 2.5.6.10 NAME 'residentialPerson' SUP person STRUCTURAL MUST l
        MAY ( businessCategory $ x121Address $ registeredAddress $
        destinationIndicator $ preferredDeliveryMethod $ telexNumber $
        teletexTerminalIdentifier $ telephoneNumber $
        internationaliSDNNumber $
        facsimileTelephoneNumber $ preferredDeliveryMethod $ street $
        postOfficeBox $ postalCode $ postalAddress $
        physicalDeliveryOfficeName $ st $ l ) )

5.12 applicationProcess

      ( 2.5.6.11 NAME 'applicationProcess' SUP top STRUCTURAL MUST cn
        MAY ( seeAlso $ ou $ l $ description ) )

5.13 applicationEntity

      ( 2.5.6.12 NAME 'applicationEntity' SUP top STRUCTURAL
        MUST ( presentationAddress $ cn )
        MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $
        description ) )

5.14 dSA

      ( 2.5.6.13 NAME 'dSA' SUP applicationEntity STRUCTURAL
        MAY knowledgeInformation )

5.15 device

      ( 2.5.6.14 NAME 'device' SUP top STRUCTURAL MUST cn
        MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )

5.16 strongAuthenticationUser

      ( 2.5.6.15 NAME 'strongAuthenticationUser' SUP top AUXILIARY
        MUST userCertificate )

5.17 certificationAuthority

      ( 2.5.6.16 NAME 'certificationAuthority' SUP top AUXILIARY
        MUST ( authorityRevocationList $ certificateRevocationList $
        cACertificate ) MAY crossCertificatePair )

5.18 groupOfUniqueNames

      ( 2.5.6.17 NAME 'groupOfUniqueNames' SUP top STRUCTURAL
        MUST ( uniqueMember $ cn )
        MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )

5.19 userSecurityInformation

      ( 2.5.6.18 NAME 'userSecurityInformation' SUP top AUXILIARY
        MAY ( supportedAlgorithms ) )

5.20 certificationAuthority-V2

      ( 2.5.6.16.2 NAME 'certificationAuthority-V2' SUP
        certificationAuthority
        AUXILIARY MAY ( deltaRevocationList ) )

5.21 cRLDistributionPoint

      ( 2.5.6.19 NAME 'cRLDistributionPoint' SUP top STRUCTURAL
        MUST ( cn ) MAY ( certificateRevocationList $
        authorityRevocationList $
        deltaRevocationList ) )

5.22 dmd

      ( 2.5.6.20 NAME 'dmd' SUP top STRUCTURAL MUST ( dmdName )
        MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
        x121Address $ registeredAddress $ destinationIndicator $
        preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
        telephoneNumber $ internationaliSDNNumber $
        facsimileTelephoneNumber $
        street $ postOfficeBox $ postalCode $ postalAddress $
        physicalDeliveryOfficeName $ st $ l $ description ) )

6. Matching Rules

   Servers MAY implement additional matching rules.

6.1 octetStringMatch

   Servers which implement the extensibleMatch filter SHOULD allow the
   matching rule listed in this section to be used in the
   extensibleMatch.  In general these servers SHOULD allow matching
   rules to be used with all attribute types known to the server, when
   the assertion syntax of the matching rule is the same as the value
   syntax of the attribute.

   The Octet String Match rule compares for equality an asserted octet
   string with an attribute value of type OCTET STRING.

   The strings match if they are the same length and corresponding
   octets are identical.

      ( 2.5.13.17 NAME 'octetStringMatch'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

Security Considerations 1032 Attributes of directory entries are used to provide descriptive 1033 information about the real-world objects they represent, which can be 1034 people, organizations or devices. Most countries have privacy laws 1035 regarding the publication of information about people. 1037 Transfer of cleartext passwords is strongly discouraged where the 1038 underlying transport service cannot guarantee confidentiality and may 1039 result in disclosure of the password to unauthorized parties. 1041 It is required that strong authentication be performed in order to 1042 modify directory entries using LDAP. 1044 8. Acknowledgements 1046 The definitions, on which this document is based, have been developed 1047 by committees for telecommunications and international standards. 1048 No new attribute definitions have been added. 1050 This document is an update of RFC 2256 by Mark Wahl. RFC 2256 was a 1051 product of the IETF LDAPBIS Working Group. 1053 This document is based upon input of the IETF LDAPBIS working group. 1054 The authors wish to thank ___ for their significant contribution to 1055 this update. 1057 9. Bibliography 1059 [1] replacement (draft-hinckley-ldapbis-rfc2252-nn) for Wahl, M., 1060 Coulbeck, A., Howes, T., and S. Kille, "Lightweight X.500 1061 Directory Access Protocol(v3): Attribute Syntax Definitions", 1062 RFC 2252, December 1997 1064 [2] The Directory: Models, ITU-T Recommendation X.501, 1997 1066 [3] The Directory: Authentication Framework, ITU-T Recommendation 1067 X.509, 1997 1069 [4] The Directory: Selected Attribute Types, ITU-T Recommendation 1070 X.520, 1997 1072 [5] The Directory: Selected Object Classes. ITU-T Recommendation 1073 X.521, 1997 1075 [6] Bradner, S., "Key words for use in RFCs to Indicate Requirement 1076 Levels", RFC 2119, March 1997 1078 10. Author's Address 1080 Kathy Dally 1081 The MITRE Corp. 
1082 1820 Dolley Madison Blvd., ms-W650 1083 McLean VA 22102 1084 USA 1086 Phone: +1 703 883 6058 1087 Email: kdally@mitre.org 1088 Annex A Change Log 1090 This annex lists the changes that have been made from RFC 2256 to 1091 this I-D. The changes made in this latest version are items 12 - 15. 1093 1. Revision of the Status of this Memo. 1095 2. Dependencies on RFC 1274 have been eliminated. 1097 3. The references to X.500(96) have been expressed in terms of 1098 the "edition", rather than the standard date. Note that the 1099 version of X.500 which is the basis for this document, is the 1100 third edition, which was finalized in 1996, but approved in 1101 1997. 1103 4. The "teletexTerminalNumber" attribute and syntax are marked 1104 as obsolete. 1106 5. Removed "The syntax definitions are based on the ISODE "QUIPU" 1107 implementation of X.500." from section 6. 1109 6. Added text to 6.1, the octetString syntax, in accordance 1110 with X.520. 1112 7. Some of the attribute types MUST be recognized by servers. 1113 Also, several attributes are obsolete. Therefore, the various 1114 kinds of attribute types have been placed in separate sections: 1116 - necessary for the directory to operate (section 3.1) 1118 - for holding user information (section 3.2) 1120 - superseded or withdrawn (section 3.3). 1122 8. Since "top" may be implicitly specified and "alias" is not 1123 abstract, the last sentence in the description of the 1124 "objectClass" attribute type, section 3.1.1, has been deleted. 1125 The clause that preceded the deleted sentence has been 1126 removed, also. 1128 9. Add a description to the definition of the "telephoneNumber" 1129 attribute type, section 3.2.17. 1131 10. Add text to mark the "teletexTerminalIdentifier" attribute 1132 type as obsolete. 1134 11. Add a security consideration requiring strong authentication 1135 in order to modify directory entries. 1137 12. 
Delete the conformance requirement for subschema object 1138 classes in favor of a statement in [1]. 1140 13. Add a Table of Contents 1141 14. Replace the term "obsolete" with "superseded or withdrawn" 1143 15. Add explanations to many attributes.
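As an added example (not part of this draft or of any LDAP implementation), the following Python parses a constructed, trimmed subset of the section 5 object class definitions written in the RFC 2252 description syntax, resolves MUST and MAY attribute sets through the SUP chain (top, person, organizationalPerson), and reports why an entry does or does not conform; the function names and the entry values are assumptions made for the example.

```python
import re

# Constructed, trimmed subset of the section 5 definitions (RFC 2252 syntax).
SCHEMA_TEXT = """
( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn )
  MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL
  MAY ( title $ ou $ st $ l ) )
( 2.5.6.15 NAME 'strongAuthenticationUser' SUP top AUXILIARY
  MUST userCertificate )
"""

def _attrs(text, keyword):
    # "MUST objectClass" (single name) or "MAY ( a $ b )" (parenthesised list)
    m = re.search(r"\b" + keyword + r"\s+(?:\(([^)]*)\)|(\S+))", text)
    body = (m.group(1) or m.group(2)) if m else ""
    return {a.strip() for a in body.split("$") if a.strip()}

def parse_schema(text):
    schema = {}
    for piece in filter(str.strip, re.split(r"(?m)^\(", text)):
        name = re.search(r"NAME '([^']+)'", piece).group(1)
        sup = re.search(r"\bSUP\s+(\S+)", piece)
        kind = re.search(r"\b(ABSTRACT|STRUCTURAL|AUXILIARY)\b", piece).group(1)
        schema[name] = {"sup": sup.group(1) if sup else None, "kind": kind,
                        "must": _attrs(piece, "MUST"), "may": _attrs(piece, "MAY")}
    return schema

def effective(schema, name):
    # Walk the SUP chain, so organizationalPerson also requires sn and cn.
    must, may = set(), set()
    while name:
        must, may = must | schema[name]["must"], may | schema[name]["may"]
        name = schema[name]["sup"]
    return must, may

def check_entry(schema, entry):
    # Sorted violations for an entry (attribute -> values); [] means it conforms.
    classes = entry.get("objectClass", [])
    problems = ["unknown objectClass " + oc for oc in classes if oc not in schema]
    known = [oc for oc in classes if oc in schema]
    if not any(schema[oc]["kind"] == "STRUCTURAL" for oc in known):
        problems.append("no STRUCTURAL object class")
    must, may = set(), set()
    for m, a in (effective(schema, oc) for oc in known):
        must, may = must | m, may | a
    attrs = set(entry)
    problems += ["missing MUST attribute " + x for x in sorted(must - attrs)]
    problems += ["attribute not allowed " + x for x in sorted(attrs - must - may)]
    return problems
```

Running check_entry over an entry before it is written is the server-side schema check that keeps an AUXILIARY class such as strongAuthenticationUser from being used without a STRUCTURAL one, and rejects attributes that no listed class permits.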