INTERNET-DRAFT                                       K. Dally, Editor
Intended Category: Standard Track                    The MITRE Corp.
Expires 27 August 2002                              27 February 2002
Obsoletes: RFC 2256

    A Summary of the X.500(2nd edition) User Schema for use with LDAPv3

[Editor's note:
This Internet-Draft (I-D) is a modified version of the text of
RFC 2256, in order to bring it up to date.  This action is part of
the maintenance activity that is needed in order to progress
LDAP (v3) to Draft Standard.  The changes are described in Annex A
of this document.
End of Editor's note]

Status of this Memo

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC 2026.
This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor as a Standard Track document.
Distribution of this memo is unlimited.  Technical discussion of
this document will take place on the IETF LDAP Revision Working
Group (LDAPbis) mailing list.  Please send editorial comments
directly to the author.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups.  Note that
other groups may also distribute working documents as
Internet-Drafts.  Internet-Drafts are draft documents valid for a
maximum of six months and may be updated, replaced, or obsoleted by
other documents at any time.  It is inappropriate to use
Internet-Drafts as reference material or to cite them other than as
"work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.  The list of
Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

Copyright 2000, The Internet Society.  All Rights Reserved.

Please see the Copyright section near the end of this document for
more information.

Abstract

This document provides an overview of the attribute types and object
classes defined by the ISO/IEC JTC1 and ITU-T committees in the
ISO/IEC 9594 and X.500 documents, in particular those intended for
use by directory clients.  This is the most widely used schema for
LDAP/X.500 directories, and many other schema definitions for white
pages objects use it as a basis.  This document does not cover
attributes used for the administration of X.500 directory servers,
nor does it include attributes defined by other ISO/ITU-T documents.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [KEYWD].
Table of Contents

Status of this Memo
Abstract
1. General Issues
2. Source
3. Attribute Types
   3.1  aliasedObjectName
   3.2  businessCategory
   3.3  c
   3.4  cn
   3.5  description
   3.6  destinationIndicator
   3.7  distinguishedName
   3.8  dnQualifier
   3.9  enhancedSearchGuide
   3.10 facsimileTelephoneNumber
   3.11 generationQualifier
   3.12 givenName
   3.13 houseIdentifier
   3.14 initials
   3.15 internationalISDNNumber
   3.16 knowledgeInformation
   3.17 l
   3.18 member
   3.19 name
   3.20 o
   3.21 objectClass
   3.22 ou
   3.23 owner
   3.24 physicalDeliveryOfficeName
   3.25 postalAddress
   3.26 postalCode
   3.27 postOfficeBox
   3.28 preferredDeliveryMethod
   3.29 presentationAddress
   3.30 protocolInformation
   3.31 registeredAddress
   3.32 roleOccupant
   3.33 searchGuide
   3.34 seeAlso
   3.35 serialNumber
   3.36 sn
   3.37 st
   3.38 street
   3.39 supportedApplicationContext
   3.40 telephoneNumber
   3.41 teletexTerminalIdentifier
   3.42 telexNumber
   3.43 title
   3.44 uniqueMember
   3.45 userPassword
   3.46 x121Address
   3.47 x500UniqueIdentifier
4. Object Classes
   4.1  alias
   4.2  applicationEntity
   4.3  applicationProcess
   4.4  country
   4.5  device
   4.6  dSA
   4.7  groupOfNames
   4.8  groupOfUniqueNames
   4.9  locality
   4.10 organization
   4.11 organizationalPerson
   4.12 organizationalRole
   4.13 organizationalUnit
   4.14 person
   4.15 residentialPerson
   4.16 top
5. Security Considerations
6. Acknowledgements
7. References
   7.1 Normative
   7.2 Informative
8. Author's Address
Annex A Change Log

1. General Issues

This document references Syntaxes given in Section 3 of [SYNTAX] and
Matching Rules specified in Section 4 of [SYNTAX].

The Attribute Type and Object Class definitions are written using the
ABNF form of AttributeTypeDescription and ObjectClassDescription
given in [SYNTAX].  Lines have been folded for readability.

2. Source

The schema definitions in this document are based on those found in
X.500 [X501], [X509], [X520], and [X521], specifically:

    Sections        Source
    ============    ============
    3.1             X.501 [X501]
    3.2 - 3.20      X.520 [X520]
    3.21            X.501 [X501]
    3.22 - 3.44     X.520 [X520]
    3.45            X.509 [X509]
    3.46 - 3.47     X.520 [X520]
    4.1             X.501 [X501]
    4.2 - 4.15      X.521 [X521]
    4.16            X.501 [X501]

3. Attribute Types

The Attribute Types contained in this section hold user information.

An LDAP server implementation MUST recognize the objectClass
Attribute Type.

There is no requirement that servers implement the following
Attribute Types:

    knowledgeInformation
    searchGuide
    teletexTerminalIdentifier

In fact, their use is greatly discouraged.

An LDAP server implementation SHOULD recognize the rest of the
Attribute Types described in this section.

3.1 aliasedObjectName

The aliasedObjectName Attribute Type is used by the directory
service if the entry containing this attribute is an alias.  In
X.501 [X501], this Attribute Type is called aliasedEntryName.

    ( 2.5.4.1 NAME 'aliasedObjectName'
      EQUALITY distinguishedNameMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
      SINGLE-VALUE )

The SYNTAX oid indicates the DN syntax.

3.2 businessCategory

This Attribute Type describes the kind of business performed by
an organization.

    ( 2.5.4.15 NAME 'businessCategory'
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

The SYNTAX oid indicates the Directory String syntax.
3.3 c

This is the X.520 [X520] countryName Attribute Type, which contains
a two-letter ISO 3166 [Codes] country code.

    ( 2.5.4.6 NAME 'c'
      SUP name
      SINGLE-VALUE )

3.4 cn

This is the X.520 [X520] commonName Attribute Type, which contains
a name of an object.  If the object corresponds to a person, it is
typically the person's full name.

    ( 2.5.4.3 NAME 'cn'
      SUP name )

3.5 description

This Attribute Type contains a human-readable description of
the object.

    ( 2.5.4.13 NAME 'description'
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

The SYNTAX oid indicates the Directory String syntax.

3.6 destinationIndicator

This attribute is used for the telegram service.

    ( 2.5.4.27 NAME 'destinationIndicator'
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )

The SYNTAX oid indicates the Printable String syntax.

3.7 distinguishedName

This Attribute Type is not used as the name of the object itself,
but it is instead a base type from which attributes with DN syntax
inherit.

It is unlikely that values of this type itself will occur in an
entry.  LDAP server implementations which do not support attribute
subtyping need not recognize this attribute in requests.  Client
implementations MUST NOT assume that LDAP servers are capable of
performing attribute subtyping.

    ( 2.5.4.49 NAME 'distinguishedName'
      EQUALITY distinguishedNameMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

The SYNTAX oid indicates the DN syntax.

3.8 dnQualifier

The dnQualifier Attribute Type specifies disambiguating information
to add to the relative distinguished name of an entry.  It is
intended for use when merging data from multiple sources in order to
prevent conflicts between entries which would otherwise have the same
name.
It is recommended that the value of the dnQualifier attribute
be the same for all entries from a particular source.

    ( 2.5.4.46 NAME 'dnQualifier'
      EQUALITY caseIgnoreMatch
      ORDERING caseIgnoreOrderingMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )

The SYNTAX oid indicates the Printable String syntax.

3.9 enhancedSearchGuide

This attribute is for use by X.500 clients in constructing search
filters.

    ( 2.5.4.47 NAME 'enhancedSearchGuide'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )

The SYNTAX oid indicates the Enhanced Guide syntax.

3.10 facsimileTelephoneNumber

A value of this Attribute Type is a telephone number for a facsimile
terminal (and, optionally, its parameters).

    ( 2.5.4.23 NAME 'facsimileTelephoneNumber'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )

The SYNTAX oid indicates the Facsimile Telephone Number syntax.

3.11 generationQualifier

The generationQualifier Attribute Type contains the part of a
person's name which typically is the suffix, as in "IIIrd".

    ( 2.5.4.44 NAME 'generationQualifier'
      SUP name )

3.12 givenName

The givenName Attribute Type is used to hold the part of a person's
name which is not their surname nor middle name.

    ( 2.5.4.42 NAME 'givenName'
      SUP name )

3.13 houseIdentifier

This Attribute Type is used to identify a building within a location.

    ( 2.5.4.51 NAME 'houseIdentifier'
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

The SYNTAX oid indicates the Directory String syntax.

3.14 initials

The initials Attribute Type contains the initials of some or all of
an individual's names, except the surname(s).

    ( 2.5.4.43 NAME 'initials'
      SUP name )

3.15 internationalISDNNumber

A value of this Attribute Type is an ISDN address, as defined in
ITU Recommendation E.164 [ISDN].
    ( 2.5.4.25 NAME 'internationalISDNNumber'
      EQUALITY numericStringMatch
      SUBSTR numericStringSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} )

The SYNTAX oid indicates the Numeric String syntax.

3.16 knowledgeInformation

This attribute is superseded by the system schema attributes which
hold the pointers to other LDAP servers.

    ( 2.5.4.2 NAME 'knowledgeInformation'
      EQUALITY caseIgnoreMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

The SYNTAX oid indicates the Directory String syntax.

3.17 l

This is the X.520 [X520] localityName Attribute Type, which contains
the name of a locality or place, such as a city, county or other
geographic region.

    ( 2.5.4.7 NAME 'l'
      SUP name )

3.18 member

A value of this Attribute Type is the Distinguished Name of an
object that is on a list or in a group.

    ( 2.5.4.31 NAME 'member'
      SUP distinguishedName )

3.19 name

The name Attribute Type is the attribute supertype from which string
Attribute Types typically used for naming may be formed.  It is
unlikely that values of this type itself will occur in an entry.
LDAP server implementations which do not support attribute subtyping
need not recognize this attribute in requests.  Client
implementations MUST NOT assume that LDAP servers are capable of
performing attribute subtyping.

    ( 2.5.4.41 NAME 'name'
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

The SYNTAX oid indicates the Directory String syntax.

3.20 o

This is the X.520 [X520] organizationName Attribute Type, which
contains the name of an organization.

    ( 2.5.4.10 NAME 'o'
      SUP name )

3.21 objectClass

The values of the objectClass Attribute Type describe the kind of
object which an entry represents.  The objectClass attribute is
present in every entry.
    ( 2.5.4.0 NAME 'objectClass'
      EQUALITY objectIdentifierMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

The SYNTAX oid indicates the OID syntax.

3.22 ou

This is the X.520 [X520] organizationalUnitName Attribute Type,
which contains the name of an organizational unit.

    ( 2.5.4.11 NAME 'ou'
      SUP name )

3.23 owner

A value of this Attribute Type is the Distinguished Name of an
object that has an ownership responsibility for the object that
is owned.

    ( 2.5.4.32 NAME 'owner'
      SUP distinguishedName )

3.24 physicalDeliveryOfficeName

This attribute contains the name that a Postal Service uses to
identify a post office.

    ( 2.5.4.19 NAME 'physicalDeliveryOfficeName'
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

The SYNTAX oid indicates the Directory String syntax.

3.25 postalAddress

This attribute contains an address used by a Postal Service to
perform services for the object.

    ( 2.5.4.16 NAME 'postalAddress'
      EQUALITY caseIgnoreListMatch
      SUBSTR caseIgnoreListSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

The SYNTAX oid indicates the Postal Address syntax.

3.26 postalCode

This attribute contains a code used by a Postal Service to identify
a postal service zone, such as the southern quadrant of a city.

    ( 2.5.4.17 NAME 'postalCode'
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )

The SYNTAX oid indicates the Directory String syntax.

3.27 postOfficeBox

This attribute contains the number that a Postal Service uses when a
customer arranges to receive mail at a box on premises of the Postal
Service.

    ( 2.5.4.18 NAME 'postOfficeBox'
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )

The SYNTAX oid indicates the Directory String syntax.
3.28 preferredDeliveryMethod

This attribute contains an indication of the preferred method of
getting a message to the object.

    ( 2.5.4.28 NAME 'preferredDeliveryMethod'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
      SINGLE-VALUE )

The SYNTAX oid indicates the Delivery Method syntax.

3.29 presentationAddress

This attribute contains an OSI presentation layer address.

    ( 2.5.4.29 NAME 'presentationAddress'
      EQUALITY presentationAddressMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.43
      SINGLE-VALUE )

The SYNTAX oid indicates the Presentation Address syntax.

3.30 protocolInformation

This Attribute Type is used in conjunction with the
presentationAddress Attribute Type, to provide additional
information to the OSI network service.

    ( 2.5.4.48 NAME 'protocolInformation'
      EQUALITY protocolInformationMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 )

The SYNTAX oid indicates the Protocol Information syntax.

3.31 registeredAddress

This attribute holds a postal address suitable for reception of
telegrams or expedited documents, where it is necessary to have the
recipient accept delivery.

    ( 2.5.4.26 NAME 'registeredAddress'
      SUP postalAddress
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

The SYNTAX oid indicates the Postal Address syntax.

3.32 roleOccupant

A value of this Attribute Type is the Distinguished Name of an
object (normally a person) that fulfills the responsibilities of a
role object.

    ( 2.5.4.33 NAME 'roleOccupant'
      SUP distinguishedName )

3.33 searchGuide

This Attribute Type is for use by clients in constructing search
filters.  It is superseded by enhancedSearchGuide, described above
in section 3.9.

    ( 2.5.4.14 NAME 'searchGuide'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )

The SYNTAX oid indicates the Guide syntax.
3.34 seeAlso

A value of this Attribute Type is the Distinguished Name of an
object that is related to the subject object.

    ( 2.5.4.34 NAME 'seeAlso'
      SUP distinguishedName )

3.35 serialNumber

This attribute contains the serial number of a device.

    ( 2.5.4.5 NAME 'serialNumber'
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )

The SYNTAX oid indicates the Printable String syntax.

3.36 sn

This is the X.520 [X520] surname Attribute Type, which contains the
family name of a person.

    ( 2.5.4.4 NAME 'sn'
      SUP name )

3.37 st

This is the X.520 [X520] stateOrProvinceName attribute, which
contains the full name of a state or province.

    ( 2.5.4.8 NAME 'st'
      SUP name )

3.38 street

This is the X.520 [X520] streetAddress attribute, which contains the
physical address of the object to which the entry corresponds, such
as an address for package delivery.

    ( 2.5.4.9 NAME 'street'
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

The SYNTAX oid indicates the Directory String syntax.

3.39 supportedApplicationContext

This attribute contains the identifiers of OSI application
contexts.

    ( 2.5.4.30 NAME 'supportedApplicationContext'
      EQUALITY objectIdentifierMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

The SYNTAX oid indicates the OID syntax.

3.40 telephoneNumber

A value of this Attribute Type is a telephone number complying with
ITU Recommendation E.123 [E123].

    ( 2.5.4.20 NAME 'telephoneNumber'
      EQUALITY telephoneNumberMatch
      SUBSTR telephoneNumberSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )

The SYNTAX oid indicates the Telephone Number syntax.

3.41 teletexTerminalIdentifier

The withdrawal of Rec. F.200 has resulted in the withdrawal of this
attribute.
    ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )

The SYNTAX oid indicates the Teletex Terminal Identifier syntax.

3.42 telexNumber

A value of this Attribute Type is a telex number, country code, and
answerback code of a telex terminal.

    ( 2.5.4.21 NAME 'telexNumber'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )

The SYNTAX oid indicates the Telex Number syntax.

3.43 title

This attribute contains the title, such as "Vice President", of a
person in their organizational context.  The "personalTitle"
attribute would be used for a person's title independent of their
job function.

    ( 2.5.4.12 NAME 'title'
      SUP name )

3.44 uniqueMember

A value of this Attribute Type is the Distinguished Name of an
object that is on a list or in a group, where the Relative
Distinguished Name of the object includes a value that distinguishes
between objects when a distinguished name has been reused.

    ( 2.5.4.50 NAME 'uniqueMember'
      EQUALITY uniqueMemberMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )

The SYNTAX oid indicates the Name and Optional UID syntax.

3.45 userPassword

A value of this Attribute Type is a character string that is known
only to the user and the system to which the user has access.

    ( 2.5.4.35 NAME 'userPassword'
      EQUALITY octetStringMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

The SYNTAX oid indicates the Octet String syntax.

Passwords are stored using an Octet String syntax and are not
encrypted.  Transfer of cleartext passwords is strongly discouraged
where the underlying transport service cannot guarantee
confidentiality and may result in disclosure of the password to
unauthorized parties.

3.46 x121Address

A value of this Attribute Type is a data network address as defined
by ITU Recommendation X.121 [X121].
    ( 2.5.4.24 NAME 'x121Address'
      EQUALITY numericStringMatch
      SUBSTR numericStringSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} )

The SYNTAX oid indicates the Numeric String syntax.

3.47 x500UniqueIdentifier

The x500UniqueIdentifier Attribute Type is used to distinguish
between objects when a distinguished name has been reused.  In X.520
[X520], this Attribute Type is called uniqueIdentifier.  This is a
different Attribute Type from both the "uid" and "uniqueIdentifier"
Attribute Types.

    ( 2.5.4.45 NAME 'x500UniqueIdentifier'
      EQUALITY bitStringMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )

The SYNTAX oid indicates the Bit String syntax.

4. Object Classes

LDAP servers MUST recognize the Object Class "top".  LDAP servers
SHOULD recognize all the other Object Classes listed here as values
of the objectClass attribute.

4.1 alias

The alias Object Class enables more than one Distinguished Name to
designate an entry by providing an alias entry.  The alias entry
contains a pointer to the other entry.  The pointer is automatically
followed when the alias entry is found in the process of locating
the target entry or entries of an operation.

    ( 2.5.6.1 NAME 'alias'
      SUP top
      STRUCTURAL
      MUST aliasedObjectName )

4.2 applicationEntity

The applicationEntity Object Class definition is the basis of an
entry which represents the interconnection aspects of an application
process in a distributed environment.

    ( 2.5.6.12 NAME 'applicationEntity'
      SUP top
      STRUCTURAL
      MUST ( presentationAddress $
             cn )
      MAY ( supportedApplicationContext $
            seeAlso $
            ou $
            o $
            l $
            description ) )

4.3 applicationProcess

The applicationProcess Object Class definition is the basis of an
entry which represents an application executing in a computer system.
    ( 2.5.6.11 NAME 'applicationProcess'
      SUP top
      STRUCTURAL
      MUST cn
      MAY ( seeAlso $
            ou $
            l $
            description ) )

4.4 country

The country Object Class definition is the basis of an entry which
represents a country.

    ( 2.5.6.2 NAME 'country'
      SUP top
      STRUCTURAL
      MUST c
      MAY ( searchGuide $
            description ) )

4.5 device

The device Object Class is the basis of an entry which represents
an appliance or computer or network element.

    ( 2.5.6.14 NAME 'device'
      SUP top
      STRUCTURAL
      MUST cn
      MAY ( serialNumber $
            seeAlso $
            owner $
            ou $
            o $
            l $
            description ) )

4.6 dSA

The dSA (Directory System Agent) Object Class is the basis of an
entry which represents a server in a directory system.

    ( 2.5.6.13 NAME 'dSA'
      SUP applicationEntity
      STRUCTURAL
      MAY knowledgeInformation )

4.7 groupOfNames

The groupOfNames Object Class is the basis of an entry which
represents a set of named objects including information related to
the purpose or maintenance of the set.

    ( 2.5.6.9 NAME 'groupOfNames'
      SUP top
      STRUCTURAL
      MUST ( member $
             cn )
      MAY ( businessCategory $
            seeAlso $
            owner $
            ou $
            o $
            description ) )

4.8 groupOfUniqueNames

The groupOfUniqueNames Object Class is the same as the groupOfNames
object class except that the object names are not repeated or
reassigned within a set scope.

    ( 2.5.6.17 NAME 'groupOfUniqueNames'
      SUP top
      STRUCTURAL
      MUST ( uniqueMember $
             cn )
      MAY ( businessCategory $
            seeAlso $
            owner $
            ou $
            o $
            description ) )

4.9 locality

The locality Object Class is the basis of an entry which
represents a place in the physical world.
    ( 2.5.6.3 NAME 'locality'
      SUP top
      STRUCTURAL
      MAY ( street $
            seeAlso $
            searchGuide $
            st $
            l $
            description ) )

4.10 organization

The organization Object Class is the basis of an entry which
represents a structured group of people.

    ( 2.5.6.4 NAME 'organization'
      SUP top
      STRUCTURAL
      MUST o
      MAY ( userPassword $ searchGuide $ seeAlso $
            businessCategory $ x121Address $ registeredAddress $
            destinationIndicator $ preferredDeliveryMethod $
            telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
            internationalISDNNumber $ facsimileTelephoneNumber $
            street $ postOfficeBox $ postalCode $
            postalAddress $ physicalDeliveryOfficeName $ st $
            l $ description ) )

4.11 organizationalPerson

The organizationalPerson Object Class is the basis of an entry which
represents a person in relation to an organization.

    ( 2.5.6.7 NAME 'organizationalPerson'
      SUP person
      STRUCTURAL
      MAY ( title $ x121Address $ registeredAddress $
            destinationIndicator $ preferredDeliveryMethod $
            telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
            internationalISDNNumber $ facsimileTelephoneNumber $
            street $ postOfficeBox $ postalCode $ postalAddress $
            physicalDeliveryOfficeName $ ou $ st $ l ) )

4.12 organizationalRole

The organizationalRole Object Class is the basis of an entry which
represents a job or function or position in an organization.
    ( 2.5.6.8 NAME 'organizationalRole'
      SUP top
      STRUCTURAL
      MUST cn
      MAY ( x121Address $ registeredAddress $ destinationIndicator $
            preferredDeliveryMethod $ telexNumber $
            teletexTerminalIdentifier $ telephoneNumber $
            internationalISDNNumber $ facsimileTelephoneNumber $
            seeAlso $ roleOccupant $
            street $ postOfficeBox $ postalCode $ postalAddress $
            physicalDeliveryOfficeName $ ou $ st $ l $ description ) )

4.13 organizationalUnit

The organizationalUnit Object Class is the basis of an entry which
represents a piece of an organization.

    ( 2.5.6.5 NAME 'organizationalUnit'
      SUP top
      STRUCTURAL
      MUST ou
      MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
            x121Address $ registeredAddress $ destinationIndicator $
            preferredDeliveryMethod $ telexNumber $
            teletexTerminalIdentifier $ telephoneNumber $
            internationalISDNNumber $ facsimileTelephoneNumber $
            street $ postOfficeBox $ postalCode $ postalAddress $
            physicalDeliveryOfficeName $ st $ l $ description ) )

4.14 person

The person Object Class is the basis of an entry which represents a
human being.

    ( 2.5.6.6 NAME 'person'
      SUP top
      STRUCTURAL
      MUST ( sn $
             cn )
      MAY ( userPassword $
            telephoneNumber $
            seeAlso $
            description ) )

4.15 residentialPerson

The residentialPerson Object Class is the basis of an entry which
includes a person's residence in the representation of the person.
    ( 2.5.6.10 NAME 'residentialPerson'
      SUP person
      STRUCTURAL
      MUST l
      MAY ( businessCategory $ x121Address $ registeredAddress $
            destinationIndicator $ preferredDeliveryMethod $
            telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
            internationalISDNNumber $ facsimileTelephoneNumber $
            street $ postOfficeBox $
            postalCode $ postalAddress $ physicalDeliveryOfficeName $
            st $ l ) )

4.16 top

The top Object Class is the conceptual beginning of the inheritance
hierarchy of object classes.  Top guarantees that every entry has
the objectClass attribute, which identifies the type of the entry.

    ( 2.5.6.0 NAME 'top'
      ABSTRACT
      MUST objectClass )

5. Security Considerations

Attributes of directory entries are used to provide descriptive
information about the real-world objects they represent, which can be
people, organizations or devices.  Most countries have privacy laws
regarding the publication of information about people.

Transfer of cleartext passwords is strongly discouraged where the
underlying transport service cannot guarantee confidentiality and may
result in disclosure of the password to unauthorized parties.

It is required that strong authentication be performed in order to
modify directory entries using LDAP.

Several X.500 Attribute Types and Object Classes, such as the
userCertificate Attribute Type or the certificationAuthority Object
Class, are used to include key-based security information in
directory entries.
The Attribute Types are: 987 authorityRevocationList 988 cACertificate 989 certificateRevocationList 990 crossCertificatePair 991 deltaRevocationList 992 supportedAlgorithms 993 userCertificate 995 The Object Classes are: 997 certificationAuthority 998 certificationAuthority-V2 999 cRLDistributionPoint 1000 strongAuthenticationUser 1001 userSecurityInformation 1003 These Attribute Types and Object Classes are specified for LDAP by 1004 the PKIX Working Group, and so, are not included in this document. 1006 The BNF notation in RFC 1778 [Syn String] for User Certificate, 1007 Authority Revocation List, and Certificate Pair are not recommended 1008 to be used. 1010 6. Acknowledgements 1012 The definitions, on which this document is based, have been developed 1013 by committees for telecommunications and international standards. 1014 No new attribute definitions have been added. 1016 This document is an update of RFC 2256 by Mark Wahl. RFC 2256 was a 1017 product of the IETF ASID Working Group. 1019 This document is based upon input of the IETF LDAPBIS working group. 1020 The author wishes to thank S. Legg and K. Zeilenga for their 1021 significant contribution to this update. 1023 7. References 1025 7.1 Normative 1027 [Codes] ISO 3166, "Codes for the representation of names 1028 of countries". 1030 [E123] Notation for national and international telephone numbers, 1031 ITU-T Recommendation E.123, 1988 1033 [ISDN] The international public telecommunication numbering plan, 1034 ITU-T Recommendation E.164, 1997 1036 [KEYWD] Bradner, S., "Key words for use in RFCs to Indicate 1037 Requirement Levels", RFC 2119, March 1997 1039 [SYNTAX] replacement (draft-ietf-ldapbis-syntaxes-02) for Wahl, M., 1040 Coulbeck, A., Howes, T., and S. 
             Kille, "Lightweight X.500 Directory Access Protocol (v3):
             Attribute Syntax Definitions", RFC 2252, December 1997.

   [X121]    International numbering plan for public data networks,
             ITU-T Recommendation X.121, 1996.

   [X501]    The Directory: Models, ITU-T Recommendation X.501, 1995.

   [X509]    The Directory: Authentication Framework, ITU-T
             Recommendation X.509, 1995.

   [X520]    The Directory: Selected Attribute Types, ITU-T
             Recommendation X.520, 1995.

   [X521]    The Directory: Selected Object Classes, ITU-T
             Recommendation X.521, 1995.

7.2 Informative

   [Syn String]  Howes, T., Kille, S., Yeong, W., Robbins, C., "The
             String Representation of Standard Attribute Syntaxes",
             RFC 1778, March 1995.

8. Author's Address

   Kathy Dally
   The MITRE Corp.
   1575 Colshire Dr., ms-W650
   McLean VA 22102
   USA

   Phone: +1 703 883 6058
   Email: kdally@mitre.org

Annex A  Change Log

   This annex lists the changes that have been made from RFC 2256 to
   this I-D.

   Changes to RFC 2256 resulting in
   draft-ietf-ldapbis-user-schema-00.txt:

   1. Revision of the Status of this Memo.

   2. Dependencies on RFC 1274 have been eliminated.

   3. The references to X.500(96) have been expressed in terms of the
      "edition", rather than the standard date. Note that the version
      of X.500 which is the basis for this document is the third
      edition, which was finalized in 1996, but approved in 1997.

   4. The "teletexTerminalNumber" attribute and syntax are marked as
      obsolete.

   5. Removed "The syntax definitions are based on the ISODE "QUIPU"
      implementation of X.500." from section 6.

   6. Added text to 6.1, the octetString syntax, in accordance with
      X.520.

   7. Some of the attribute types MUST be recognized by servers.
      Also, several attributes are obsolete.
      Therefore, the various kinds of attribute types have been placed
      in separate sections:

      - necessary for the directory to operate (section 3.1)

      - for holding user information (section 3.2)

      - superseded or withdrawn (section 3.3).

   8. Since "top" may be implicitly specified and "alias" is not
      abstract, the last sentence in the description of the
      "objectClass" attribute type, section 3.1.1, has been deleted.
      The clause that preceded the deleted sentence has been removed,
      also.

   9. Add a description to the definition of the "telephoneNumber"
      attribute type, section 3.2.17.

   10. Add text to mark the "teletexTerminalIdentifier" attribute type
       as obsolete.

   11. Add a security consideration requiring strong authentication in
       order to modify directory entries.

   Changes to draft-ietf-ldapbis-user-schema-00.txt, resulting in
   draft-ietf-ldapbis-user-schema-01.txt:

   12. Delete the conformance requirement for subschema object classes
       in favor of a statement in [SYNTAX].

   13. Add a Table of Contents.

   14. Replace the term "obsolete" with "superseded or withdrawn".

   15. Added explanations to many attributes.

   16. In the title, correct the X.500 reference to have the second
       edition as the basis.

   17. Throughout this I-D, cleaned up whitespace in the BNF
       definitions.

   18. Removed Section 4, Syntaxes, and Section 6, Matching Rules
       (moved to draft-ietf-ldapbis-syntaxes-01.txt).

   19. Reorganized Section 3, Attributes, to eliminate grouping
       attributes according to conformance requirements. Reordered
       Section 3, Attributes, and Section 4, Object Classes,
       alphabetically.

   20. Added an explanation for each object class.

   Changes to draft-ietf-ldapbis-user-schema-01.txt, resulting in
   draft-ietf-ldapbis-user-schema-02.txt:

   21.
       Removed the certificate-related Attribute Types:
          authorityRevocationList,
          cACertificate,
          certificateRevocationList,
          crossCertificatePair,
          deltaRevocationList,
          supportedAlgorithms, and
          userCertificate.

       Removed the certificate-related Object Classes:
          certificationAuthority,
          certificationAuthority-V2,
          cRLDistributionPoint,
          strongAuthenticationUser, and
          userSecurityInformation.

       Noted in the Security Considerations (Section 7) that they are
       covered in PKIX WG documents.

   22. Removed the dmdName Attribute Type and dmd Object Class because
       they are not in the version of X.500 which is referenced.

   23. Removed embedded comments from the ABNF productions throughout
       the document.

   24. Cleaned up the references; adopted word instead of number tags;
       split Section 7 into normative and informative subsections.
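As an added example that is not part of this draft, the following Python parses object class descriptions in the form used in Section 4 (top and residentialPerson are taken from this page; the person definition is not on this page and is assumed to be RFC 2256's), resolves MUST and MAY through the SUP chain, and checks an entry against the result. The constructed sample entry in the test carries userCertificate, which Section 5 says is specified by PKIX rather than here, so no class on this page permits it.

```python
import re

# Constructed input: top and residentialPerson are this page's definitions; person is RFC 2256's.
SCHEMA_TEXT = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )",
    "( 2.5.6.10 NAME 'residentialPerson' SUP person STRUCTURAL MUST l "
    "MAY ( businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ "
    "preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ "
    "internationaliSDNNumber $ facsimileTelephoneNumber $ preferredDeliveryMethod $ street $ "
    "postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l ) )",
]

def parse_objectclass(desc):
    """Parse an RFC 2252-style ObjectClassDescription (the subset used on this page)."""
    head = re.fullmatch(r"\(\s*(\S+)\s+NAME\s+'([^']+)'(.*)\)", desc.strip(), re.S)
    if head is None:
        raise ValueError("not a parenthesised '( oid NAME ... )' description")
    oid, name, rest = head.groups()
    oc = {"oid": oid, "name": name, "sup": set(), "must": set(), "may": set()}
    for kw, lst, single in re.findall(r"\b(SUP|MUST|MAY)\s+(?:\(([^)]*)\)|(\S+))", rest):
        # One name or a "( a $ b )" list; sets absorb the duplicate preferredDeliveryMethod
        oc[kw.lower()] = {t.strip().lower() for t in (lst.split("$") if lst else [single])}
    kind = re.search(r"\b(ABSTRACT|STRUCTURAL|AUXILIARY)\b", rest)
    oc["kind"] = kind.group(1) if kind else "STRUCTURAL"   # RFC 2252 default when omitted
    return oc

SCHEMA = {oc["name"].lower(): oc for oc in map(parse_objectclass, SCHEMA_TEXT)}

def requirements(name, schema=SCHEMA):
    """MUST and MAY attribute sets, including everything inherited through SUP."""
    must, may, todo = set(), set(), [name.lower()]
    while todo:
        oc = schema[todo.pop()]
        must |= oc["must"]
        may |= oc["may"]
        todo.extend(oc["sup"])
    return must, may - must   # l is MUST for residentialPerson, so it is not also MAY

def check_entry(entry, schema=SCHEMA):
    """Return (missing MUST attributes, attributes no listed object class allows)."""
    present = {a.lower() for a in entry}
    must, may = set(), set()
    for oc in entry["objectClass"]:
        m, o = requirements(oc, schema)
        must |= m
        may |= o
    return sorted(must - present), sorted(present - must - may)
```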