draft-ietf-ldapbis-user-schema-03.txt
INTERNET-DRAFT                                          K. Dally, Editor
Intended Category: Standard Track                       The MITRE Corp.
Expires 4 May 2003                                      4 November 2002
Obsoletes: RFC 2256, RFC 2252

                           LDAP: User Schema

[Editor's note:
   This Internet-Draft (I-D) is a modified version of the text of
   RFC 2256, in order to bring it up to date.  This action is part of
   the maintenance activity that is needed in order to progress
   LDAP (v3) to Draft Standard.  The changes are described in Annex A
   of this document.
End of Editor's note]

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC 2026.

   This document is intended to be, after appropriate review and
   revision, submitted to the RFC Editor as a Standard Track document.
   Distribution of this memo is unlimited.  Technical discussion of
   this document will take place on the IETF LDAP Revision Working
   Group (LDAPbis) mailing list.  Please send editorial comments
   directly to the author.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.  Internet-Drafts are draft documents valid for a
   maximum of six months and may be updated, replaced, or obsoleted by
   other documents at any time.  It is inappropriate to use
   Internet-Drafts as reference material or to cite them other than as
   "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.  The list of
   Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   Copyright 2002, The Internet Society.  All Rights Reserved.

   Please see the Copyright section near the end of this document for
   more information.

Abstract

   This document provides an overview of attribute types and object
   classes defined by the ISO/IEC JTC1 and ITU-T committees in the
   ISO/IEC 9594 and X.500 documents, in particular those intended for
   use by directory clients.  This is the most widely used schema for
   LDAP/X.500 directories.  It is used as a basis for many other
   white-pages object schema definitions.  This document does not cover
   attributes used for the administration of X.500 directory servers,
   nor does it include attributes defined by other ISO/ITU-T documents.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

Table of Contents

   Status of this Memo
   Abstract
   1.  General Issues
   2.  Source
   3.  Attribute Types
       3.1   businessCategory
       3.2   c
       3.3   cn
       3.4   description
       3.5   destinationIndicator
       3.6   distinguishedName
       3.7   dnQualifier
       3.8   enhancedSearchGuide
       3.9   facsimileTelephoneNumber
       3.10  generationQualifier
       3.11  givenName
       3.12  houseIdentifier
       3.13  initials
       3.14  internationalISDNNumber
       3.15  knowledgeInformation
       3.16  l
       3.17  member
       3.18  name
       3.19  o
       3.20  ou
       3.21  owner
       3.22  physicalDeliveryOfficeName
       3.23  postalAddress
       3.24  postalCode
       3.25  postOfficeBox
       3.26  preferredDeliveryMethod
       3.27  presentationAddress
       3.28  protocolInformation
       3.29  registeredAddress
       3.30  roleOccupant
       3.31  searchGuide
       3.32  seeAlso
       3.33  serialNumber
       3.34  sn
       3.35  st
       3.36  street
       3.37  supportedApplicationContext
       3.38  telephoneNumber
       3.39  teletexTerminalIdentifier
       3.40  telexNumber
       3.41  title
       3.42  uniqueMember
       3.43  userPassword
       3.44  x121Address
       3.45  x500UniqueIdentifier
   4.  Object Classes
       4.1   applicationEntity
       4.2   applicationProcess
       4.3   country
       4.4   device
       4.5   dSA
       4.6   groupOfNames
       4.7   groupOfUniqueNames
       4.8   locality
       4.9   organization
       4.10  organizationalPerson
       4.11  organizationalRole
       4.12  organizationalUnit
       4.13  person
       4.14  residentialPerson
   5.  Security Considerations
   6.  Acknowledgements
   7.  References
       7.1   Normative
       7.2   Informative
   8.  Author's Address
   Annex A  Change Log

1. General Issues

   This document references Syntaxes given in Section 3 of [Syntaxes]
   and Matching Rules specified in Section 4 of [Syntaxes].

   The definitions of Attribute Types and Object Classes are written
   using the ABNF form of AttributeTypeDescription and
   ObjectClassDescription given in [Models].  Lines have been folded
   for readability.

2. Source

   The schema definitions in this document are based on those found in
   the X.500-series [X.509], [X.520], and [X.521], specifically:

      Sections        Source
      ============    =============
      3.1 - 3.42      X.520 [X.520]
      3.43            X.509 [X.509]
      3.44 - 3.45     X.520 [X.520]
      4.1 - 4.14      X.521 [X.521]

3. Attribute Types

   The Attribute Types contained in this section hold user information.

   There is no requirement that servers implement the following
   Attribute Types:

      knowledgeInformation
      searchGuide
      teletexTerminalIdentifier

   In fact, their use is greatly discouraged.

   An LDAP server implementation SHOULD recognize the rest of the
   Attribute Types described in this section.

3.1 businessCategory

   This Attribute Type describes the kind of business performed by an
   organization.

      ( 2.5.4.15 NAME 'businessCategory'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

   The SYNTAX oid indicates the Directory String syntax.

3.2 c

   This is the X.520 [X.520] countryName Attribute Type, which contains
   a two-letter ISO 3166 [ISO3166] country code.

      ( 2.5.4.6 NAME 'c'
        SUP name
        SINGLE-VALUE )

3.3 cn

   This is the X.520 [X.520] commonName Attribute Type, which contains
   a name of an object.  If the object corresponds to a person, it is
   typically the person's full name.
      ( 2.5.4.3 NAME 'cn'
        SUP name )

3.4 description

   This Attribute Type contains a human-readable description of the
   object.

      ( 2.5.4.13 NAME 'description'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

   The SYNTAX oid indicates the Directory String syntax.

3.5 destinationIndicator

   This attribute is used for the telegram service.

      ( 2.5.4.27 NAME 'destinationIndicator'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )

   The SYNTAX oid indicates the Printable String syntax.

3.6 distinguishedName

   This Attribute Type is not used as the name of the object itself,
   but it is instead a base type from which attributes with DN syntax
   inherit.

   It is unlikely that values of this type itself will occur in an
   entry.  LDAP server implementations which do not support attribute
   subtyping need not recognize this attribute in requests.  Client
   implementations MUST NOT assume that LDAP servers are capable of
   performing attribute subtyping.

      ( 2.5.4.49 NAME 'distinguishedName'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

   The SYNTAX oid indicates the DN syntax.

3.7 dnQualifier

   The dnQualifier Attribute Type specifies disambiguating information
   to add to the relative distinguished name of an entry.  It is
   intended for use when merging data from multiple sources in order to
   prevent conflicts between entries which would otherwise have the same
   name.  It is recommended that the value of the dnQualifier attribute
   be the same for all entries from a particular source.

      ( 2.5.4.46 NAME 'dnQualifier'
        EQUALITY caseIgnoreMatch
        ORDERING caseIgnoreOrderingMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )

   The SYNTAX oid indicates the Printable String syntax.

3.8 enhancedSearchGuide

   This attribute is for use by X.500 clients in constructing search
   filters.

      ( 2.5.4.47 NAME 'enhancedSearchGuide'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )

   The SYNTAX oid indicates the Enhanced Guide syntax.

3.9 facsimileTelephoneNumber

   A value of this Attribute Type is a telephone number for a facsimile
   terminal (and, optionally, its parameters).

      ( 2.5.4.23 NAME 'facsimileTelephoneNumber'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )

   The SYNTAX oid indicates the Facsimile Telephone Number syntax.

3.10 generationQualifier

   The generationQualifier Attribute Type contains the part of a
   person's name which typically is the suffix, as in "IIIrd".

      ( 2.5.4.44 NAME 'generationQualifier'
        SUP name )

3.11 givenName

   The givenName Attribute Type is used to hold the part of a person's
   name which is not their surname nor middle name.

      ( 2.5.4.42 NAME 'givenName'
        SUP name )

3.12 houseIdentifier

   This Attribute Type is used to identify a building within a location.

      ( 2.5.4.51 NAME 'houseIdentifier'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

   The SYNTAX oid indicates the Directory String syntax.

3.13 initials

   The initials Attribute Type contains the initials of some or all of
   an individual's names, except the surname(s).

      ( 2.5.4.43 NAME 'initials'
        SUP name )

3.14 internationalISDNNumber

   A value of this Attribute Type is an ISDN address, as defined in
   ITU Recommendation E.164 [E.164].

      ( 2.5.4.25 NAME 'internationalISDNNumber'
        EQUALITY numericStringMatch
        SUBSTR numericStringSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} )

   The SYNTAX oid indicates the Numeric String syntax.

3.15 knowledgeInformation

   This attribute is superseded by the system schema attributes which
   hold the pointers to other LDAP servers.

      ( 2.5.4.2 NAME 'knowledgeInformation'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

   The SYNTAX oid indicates the Directory String syntax.

3.16 l

   This is the X.520 [X.520] localityName Attribute Type, which
   contains the name of a locality or place, such as a city, county or
   other geographic region.

      ( 2.5.4.7 NAME 'l'
        SUP name )

3.17 member

   A value of this Attribute Type is the Distinguished Name of an
   object that is on a list or in a group.

      ( 2.5.4.31 NAME 'member'
        SUP distinguishedName )

3.18 name

   The name Attribute Type is the attribute supertype from which string
   Attribute Types typically used for naming may be formed.  It is
   unlikely that values of this type itself will occur in an entry.
   LDAP server implementations which do not support attribute subtyping
   need not recognize this attribute in requests.  Client
   implementations MUST NOT assume that LDAP servers are capable of
   performing attribute subtyping.

      ( 2.5.4.41 NAME 'name'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

   The SYNTAX oid indicates the Directory String syntax.

3.19 o

   This is the X.520 [X.520] organizationName Attribute Type, which
   contains the name of an organization.

      ( 2.5.4.10 NAME 'o'
        SUP name )

3.20 ou

   This is the X.520 [X.520] organizationalUnitName Attribute Type,
   which contains the name of an organizational unit.

      ( 2.5.4.11 NAME 'ou'
        SUP name )

3.21 owner

   A value of this Attribute Type is the Distinguished Name of an
   object that has an ownership responsibility for the object that
   is owned.

      ( 2.5.4.32 NAME 'owner'
        SUP distinguishedName )

3.22 physicalDeliveryOfficeName

   This attribute contains the name that a Postal Service uses to
   identify a post office.

      ( 2.5.4.19 NAME 'physicalDeliveryOfficeName'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

   The SYNTAX oid indicates the Directory String syntax.

3.23 postalAddress

   This attribute contains an address used by a Postal Service to
   perform services for the object.

      ( 2.5.4.16 NAME 'postalAddress'
        EQUALITY caseIgnoreListMatch
        SUBSTR caseIgnoreListSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

   The SYNTAX oid indicates the Postal Address syntax.

3.24 postalCode

   This attribute contains a code used by a Postal Service to identify
   a postal service zone, such as the southern quadrant of a city.

      ( 2.5.4.17 NAME 'postalCode'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )

   The SYNTAX oid indicates the Directory String syntax.

3.25 postOfficeBox

   This attribute contains the number that a Postal Service uses when a
   customer arranges to receive mail at a box on premises of the Postal
   Service.

      ( 2.5.4.18 NAME 'postOfficeBox'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )

   The SYNTAX oid indicates the Directory String syntax.

3.26 preferredDeliveryMethod

   This attribute contains an indication of the preferred method of
   getting a message to the object.

      ( 2.5.4.28 NAME 'preferredDeliveryMethod'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
        SINGLE-VALUE )

   The SYNTAX oid indicates the Delivery Method syntax.

3.27 presentationAddress

   This attribute contains an OSI presentation layer address.

      ( 2.5.4.29 NAME 'presentationAddress'
        EQUALITY presentationAddressMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.43
        SINGLE-VALUE )

   The SYNTAX oid indicates the Presentation Address syntax.
3.28 protocolInformation

   This Attribute Type is used in conjunction with the
   presentationAddress Attribute Type, to provide additional
   information to the OSI network service.

      ( 2.5.4.48 NAME 'protocolInformation'
        EQUALITY protocolInformationMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 )

   The SYNTAX oid indicates the Protocol Information syntax.

3.29 registeredAddress

   This attribute holds a postal address suitable for reception of
   telegrams or expedited documents, where it is necessary to have the
   recipient accept delivery.

      ( 2.5.4.26 NAME 'registeredAddress'
        SUP postalAddress
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

   The SYNTAX oid indicates the Postal Address syntax.

3.30 roleOccupant

   A value of this Attribute Type is the Distinguished Name of an
   object (normally a person) that fulfills the responsibilities of a
   role object.

      ( 2.5.4.33 NAME 'roleOccupant'
        SUP distinguishedName )

3.31 searchGuide

   This Attribute Type is for use by clients in constructing search
   filters.  It is superseded by enhancedSearchGuide, described above
   in section 3.8.

      ( 2.5.4.14 NAME 'searchGuide'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )

   The SYNTAX oid indicates the Guide syntax.

3.32 seeAlso

   A value of this Attribute Type is the Distinguished Name of an
   object that is related to the subject object.

      ( 2.5.4.34 NAME 'seeAlso'
        SUP distinguishedName )

3.33 serialNumber

   This attribute contains the serial number of a device.

      ( 2.5.4.5 NAME 'serialNumber'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )

   The SYNTAX oid indicates the Printable String syntax.

3.34 sn

   This is the X.520 [X.520] surname Attribute Type, which contains the
   family name of a person.

      ( 2.5.4.4 NAME 'sn'
        SUP name )

3.35 st

   This is the X.520 [X.520] stateOrProvinceName attribute, which
   contains the full name of a state or province.

      ( 2.5.4.8 NAME 'st'
        SUP name )

3.36 street

   This is the X.520 [X.520] streetAddress attribute, which contains the
   physical address of the object to which the entry corresponds, such
   as an address for package delivery.

      ( 2.5.4.9 NAME 'street'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

   The SYNTAX oid indicates the Directory String syntax.

3.37 supportedApplicationContext

   This attribute contains the identifiers of OSI application
   contexts.

      ( 2.5.4.30 NAME 'supportedApplicationContext'
        EQUALITY objectIdentifierMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

   The SYNTAX oid indicates the OID syntax.

3.38 telephoneNumber

   A value of this Attribute Type is a telephone number complying with
   ITU Recommendation E.123 [E.123].

      ( 2.5.4.20 NAME 'telephoneNumber'
        EQUALITY telephoneNumberMatch
        SUBSTR telephoneNumberSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )

   The SYNTAX oid indicates the Telephone Number syntax.

3.39 teletexTerminalIdentifier

   The withdrawal of Rec. F.200 has resulted in the withdrawal of this
   attribute.

      ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )

   The SYNTAX oid indicates the Teletex Terminal Identifier syntax.

3.40 telexNumber

   A value of this Attribute Type is a telex number, country code, and
   answerback code of a telex terminal.

      ( 2.5.4.21 NAME 'telexNumber'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )

   The SYNTAX oid indicates the Telex Number syntax.

3.41 title

   This attribute contains the title, such as "Vice President", of a
   person in their organizational context.  The "personalTitle"
   attribute would be used for a person's title independent of their
   job function.

      ( 2.5.4.12 NAME 'title'
        SUP name )

3.42 uniqueMember

   A value of this Attribute Type is the Distinguished Name of an
   object that is on a list or in a group, where the Relative
   Distinguished Name of the object includes a value that distinguishes
   between objects when a distinguished name has been reused.

      ( 2.5.4.50 NAME 'uniqueMember'
        EQUALITY uniqueMemberMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )

   The SYNTAX oid indicates the Name and Optional UID syntax.

3.43 userPassword

   A value of this Attribute Type is a character string that is known
   only to the user and the system to which the user has access.

      ( 2.5.4.35 NAME 'userPassword'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

   The SYNTAX oid indicates the Octet String syntax.

   Passwords are stored using an Octet String syntax and are not
   encrypted.  Transfer of cleartext passwords is strongly discouraged
   where the underlying transport service cannot guarantee
   confidentiality and may result in disclosure of the password to
   unauthorized parties.

3.44 x121Address

   A value of this Attribute Type is a data network address as defined
   by ITU Recommendation X.121 [X.121].

      ( 2.5.4.24 NAME 'x121Address'
        EQUALITY numericStringMatch
        SUBSTR numericStringSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} )

   The SYNTAX oid indicates the Numeric String syntax.

3.45 x500UniqueIdentifier

   The x500UniqueIdentifier Attribute Type is used to distinguish
   between objects when a distinguished name has been reused.  In X.520
   [X.520], this Attribute Type is called uniqueIdentifier.  This is a
   different Attribute Type from both the "uid" and "uniqueIdentifier"
   Attribute Types.
      ( 2.5.4.45 NAME 'x500UniqueIdentifier'
        EQUALITY bitStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )

   The SYNTAX oid indicates the Bit String syntax.

4. Object Classes

   LDAP servers SHOULD recognize all the Object Classes listed here as
   values of the objectClass attribute.

4.1 applicationEntity

   The applicationEntity Object Class definition is the basis of an
   entry which represents the interconnection aspects of an application
   process in a distributed environment.

      ( 2.5.6.12 NAME 'applicationEntity'
        SUP top
        STRUCTURAL
        MUST ( presentationAddress $
               cn )
        MAY ( supportedApplicationContext $
              seeAlso $
              ou $
              o $
              l $
              description ) )

4.2 applicationProcess

   The applicationProcess Object Class definition is the basis of an
   entry which represents an application executing in a computer system.

      ( 2.5.6.11 NAME 'applicationProcess'
        SUP top
        STRUCTURAL
        MUST cn
        MAY ( seeAlso $
              ou $
              l $
              description ) )

4.3 country

   The country Object Class definition is the basis of an entry which
   represents a country.

      ( 2.5.6.2 NAME 'country'
        SUP top
        STRUCTURAL
        MUST c
        MAY ( searchGuide $
              description ) )

4.4 device

   The device Object Class is the basis of an entry which represents
   an appliance or computer or network element.

      ( 2.5.6.14 NAME 'device'
        SUP top
        STRUCTURAL
        MUST cn
        MAY ( serialNumber $
              seeAlso $
              owner $
              ou $
              o $
              l $
              description ) )

4.5 dSA

   The dSA (Directory System Agent) Object Class is the basis of an
   entry which represents a server in a directory system.

      ( 2.5.6.13 NAME 'dSA'
        SUP applicationEntity
        STRUCTURAL
        MAY knowledgeInformation )

4.6 groupOfNames

   The groupOfNames Object Class is the basis of an entry which
   represents a set of named objects including information related to
   the purpose or maintenance of the set.

      ( 2.5.6.9 NAME 'groupOfNames'
        SUP top
        STRUCTURAL
        MUST ( member $
               cn )
        MAY ( businessCategory $
              seeAlso $
              owner $
              ou $
              o $
              description ) )

4.7 groupOfUniqueNames

   The groupOfUniqueNames Object Class is the same as the groupOfNames
   object class except that the object names are not repeated or
   reassigned within a set scope.

      ( 2.5.6.17 NAME 'groupOfUniqueNames'
        SUP top
        STRUCTURAL
        MUST ( uniqueMember $
               cn )
        MAY ( businessCategory $
              seeAlso $
              owner $
              ou $
              o $
              description ) )

4.8 locality

   The locality Object Class is the basis of an entry which
   represents a place in the physical world.

      ( 2.5.6.3 NAME 'locality'
        SUP top
        STRUCTURAL
        MAY ( street $
              seeAlso $
              searchGuide $
              st $
              l $
              description ) )

4.9 organization

   The organization Object Class is the basis of an entry which
   represents a structured group of people.

      ( 2.5.6.4 NAME 'organization'
        SUP top
        STRUCTURAL
        MUST o
        MAY ( userPassword $ searchGuide $ seeAlso $
              businessCategory $ x121Address $ registeredAddress $
              destinationIndicator $ preferredDeliveryMethod $
              telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
              internationaliSDNNumber $ facsimileTelephoneNumber $
              street $ postOfficeBox $ postalCode $
              postalAddress $ physicalDeliveryOfficeName $ st $
              l $ description ) )

4.10 organizationalPerson

   The organizationalPerson Object Class is the basis of an entry which
   represents a person in relation to an organization.

      ( 2.5.6.7 NAME 'organizationalPerson'
        SUP person
        STRUCTURAL
        MAY ( title $ x121Address $ registeredAddress $
              destinationIndicator $ preferredDeliveryMethod $
              telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
              internationaliSDNNumber $ facsimileTelephoneNumber $
              street $ postOfficeBox $ postalCode $ postalAddress $
              physicalDeliveryOfficeName $ ou $ st $ l ) )

4.11 organizationalRole

   The organizationalRole Object Class is the basis of an entry which
   represents a job or function or position in an organization.

      ( 2.5.6.8 NAME 'organizationalRole'
        SUP top
        STRUCTURAL
        MUST cn
        MAY ( x121Address $ registeredAddress $ destinationIndicator $
              preferredDeliveryMethod $ telexNumber $
              teletexTerminalIdentifier $ telephoneNumber $
              internationaliSDNNumber $ facsimileTelephoneNumber $
              seeAlso $ roleOccupant $ preferredDeliveryMethod $
              street $ postOfficeBox $ postalCode $ postalAddress $
              physicalDeliveryOfficeName $ ou $ st $ l $ description ) )

4.12 organizationalUnit

   The organizationalUnit Object Class is the basis of an entry which
   represents a piece of an organization.

      ( 2.5.6.5 NAME 'organizationalUnit'
        SUP top
        STRUCTURAL
        MUST ou
        MAY ( businessCategory $ description $ destinationIndicator $
              facsimileTelephoneNumber $ internationaliSDNNumber $ l $
              physicalDeliveryOfficeName $ postalAddress $ postalCode $
              postOfficeBox $ preferredDeliveryMethod $
              registeredAddress $ searchGuide $ seeAlso $ st $ street $
              telephoneNumber $ teletexTerminalIdentifier $ telexNumber $
              userPassword $ x121Address ) )

4.13 person

   The person Object Class is the basis of an entry which represents a
   human being.

      ( 2.5.6.6 NAME 'person'
        SUP top
        STRUCTURAL
        MUST ( sn $
               cn )
        MAY ( userPassword $
              telephoneNumber $
              seeAlso $
              description ) )

4.14 residentialPerson

   The residentialPerson Object Class is the basis of an entry which
   includes a person's residence in the representation of the person.

      ( 2.5.6.10 NAME 'residentialPerson'
        SUP person
        STRUCTURAL
        MUST l
        MAY ( businessCategory $ x121Address $ registeredAddress $
              destinationIndicator $ preferredDeliveryMethod $
              telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
              internationaliSDNNumber $ facsimileTelephoneNumber $
              preferredDeliveryMethod $ street $ postOfficeBox $
              postalCode $ postalAddress $ physicalDeliveryOfficeName $
              st $ l ) )

5. Security Considerations

   Attributes of directory entries are used to provide descriptive
   information about the real-world objects they represent, which can be
   people, organizations or devices.  Most countries have privacy laws
   regarding the publication of information about people.

   Transfer of cleartext passwords is strongly discouraged where the
   underlying transport service cannot guarantee confidentiality and may
   result in disclosure of the password to unauthorized parties.

   It is required that strong authentication be performed in order to
   modify directory entries using LDAP.

   Several X.500 Attribute Types and Object Classes, such as the
   userCertificate Attribute Type or the certificationAuthority Object
   Class, are used to include key-based security information in
   directory entries.
   The Attribute Types are:

      authorityRevocationList
      cACertificate
      certificateRevocationList
      crossCertificatePair
      deltaRevocationList
      supportedAlgorithms
      userCertificate

   The Object Classes are:

      certificationAuthority
      certificationAuthority-V2
      cRLDistributionPoint
      strongAuthenticationUser
      userSecurityInformation

   These Attribute Types and Object Classes are specified for LDAP by
   the PKIX Working Group, and so are not included in this document.

   It is recommended that the BNF notation in RFC 1778 [Syn String] not
   be used for User Certificate, Authority Revocation List, and
   Certificate Pair.

6. Acknowledgements

   The definitions on which this document is based have been developed
   by committees for telecommunications and international standards.
   No new attribute definitions have been added.

   This document is an update of RFC 2256 by Mark Wahl.  RFC 2256 was a
   product of the IETF ASID Working Group.

   This document is based upon input of the IETF LDAPBIS working group.
   The author wishes to thank S. Legg and K. Zeilenga for their
   significant contribution to this update.

7. References

7.1 Normative

   [E.123]    Notation for national and international telephone numbers,
              ITU-T Recommendation E.123, 1988.

   [E.164]    The international public telecommunication numbering plan,
              ITU-T Recommendation E.164, 1997.

   [ISO3166]  ISO 3166, "Codes for the representation of names of
              countries".

   [Models]   K. Zeilenga, "LDAP: The Models",
              draft-ietf-ldapbis-models-xx.txt (a work in progress).

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [Syntaxes] K. Dally (editor), "LDAP: Syntaxes",
              draft-ietf-ldapbis-syntaxes-xx (a work in progress).

   [X.121]    International numbering plan for public data networks,
              ITU-T Recommendation X.121, 1996.

   [X.509]    The Directory: Authentication Framework, ITU-T
              Recommendation X.509, 1995.

   [X.520]    The Directory: Selected Attribute Types, ITU-T
              Recommendation X.520, 1995.

   [X.521]    The Directory: Selected Object Classes, ITU-T
              Recommendation X.521, 1995.

7.2 Informative

   [Syn String] Howes, T., Kille, S., Yeong, W., Robbins, C., "The
              String Representation of Standard Attribute Syntaxes",
              RFC 1778, March 1995.

   [RFC2252]  Wahl, M., Coulbeck, A., Howes, T., and S. Kille,
              "Lightweight X.500 Directory Access Protocol (v3):
              Attribute Syntax Definitions", RFC 2252, December 1997.

8. Author's Address

   Kathy Dally
   The MITRE Corp.
   1575 Colshire Dr., ms-W650
   McLean VA 22102
   USA

   Phone: +1 703 883 6058
   Email: kdally@mitre.org

Annex A  Change Log

   This annex lists the changes that have been made from RFC 2256 to
   this I-D.

   Changes to RFC 2256 resulting in
   draft-ietf-ldapbis-user-schema-00.txt:

   1.  Revision of the Status of this Memo.

   2.  Dependencies on RFC 1274 have been eliminated.

   3.  The references to X.500(96) have been expressed in terms of
       the "edition", rather than the standard date.  Note that the
       version of X.500 which is the basis for this document is the
       third edition, which was finalized in 1996, but approved in
       1997.

   4.  The "teletexTerminalNumber" attribute and syntax are marked
       as obsolete.

   5.  Removed "The syntax definitions are based on the ISODE "QUIPU"
       implementation of X.500." from section 6.

   6.  Added text to 6.1, the octetString syntax, in accordance
       with X.520.

   7.  Some of the attribute types MUST be recognized by servers.
       Also, several attributes are obsolete.
       Therefore, the various kinds of attribute types have been placed
       in separate sections:

       - necessary for the directory to operate (section 3.1)

       - for holding user information (section 3.2)

       - superseded or withdrawn (section 3.3).

   8.  Since "top" may be implicitly specified and "alias" is not
       abstract, the last sentence in the description of the
       "objectClass" attribute type, section 3.1.1, has been deleted.
       The clause that preceded the deleted sentence has also been
       removed.

   9.  Add a description to the definition of the "telephoneNumber"
       attribute type, section 3.2.17.

   10. Add text to mark the "teletexTerminalIdentifier" attribute
       type as obsolete.

   11. Add a security consideration requiring strong authentication
       in order to modify directory entries.

   Changes to draft-ietf-ldapbis-user-schema-00.txt, resulting in
   draft-ietf-ldapbis-user-schema-01.txt:

   12. Delete the conformance requirement for subschema object
       classes in favor of a statement in [SYNTAX].

   13. Add a Table of Contents.

   14. Replace the term "obsolete" with "superseded or withdrawn".

   15. Added explanations to many attributes.

   16. In the title, correct the X.500 reference to have the second
       edition as the basis.

   17. Throughout this I-D, cleaned up whitespace in the BNF
       definitions.

   18. Removed Section 4, Syntaxes, and Section 6, Matching Rules
       (moved to draft-ietf-ldapbis-syntaxes-01.txt).

   19. Reorganized Section 3, Attributes, to eliminate grouping
       attributes according to conformance requirements.  Reordered
       Section 3, Attributes, and Section 4, Object Classes,
       alphabetically.

   20. Added an explanation for each object class.

   Changes to draft-ietf-ldapbis-user-schema-01.txt, resulting in
   draft-ietf-ldapbis-user-schema-02.txt:

   21. Removed the certificate-related Attribute Types:
          authorityRevocationList,
          cACertificate,
          certificateRevocationList,
          crossCertificatePair,
          deltaRevocationList,
          supportedAlgorithms, and
          userCertificate.

       Removed the certificate-related Object Classes:
          certificationAuthority,
          certificationAuthority-V2,
          cRLDistributionPoint,
          strongAuthenticationUser, and
          userSecurityInformation.

       Noted in the Security Considerations (Section 7) that they
       are covered in PKIX WG documents.

   22. Removed the dmdName Attribute Type and dmd Object Class
       because they are not in the version of X.500 which
       is referenced.

   23. Removed embedded comments from the ABNF productions
       throughout the document.

   24. Cleaned up the references; adopted word instead of number
       tags; split Section 7 into normative and informative
       subsections.

   Changes to draft-ietf-ldapbis-user-schema-02.txt, resulting in
   draft-ietf-ldapbis-user-schema-03.txt:

   25. Deleted the 'aliasedObjectName' and 'objectClass' attribute
       type definitions.  They are included in [Models].

   26. Deleted the 'alias' and 'top' object class definitions.  They
       are included in [Models].

   27. Replaced the document title.

   28. Changed reference citations to be consistent with the rest of
       the LDAPbis documents.
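   The following is an added worked example and is not part of this
   draft or of any LDAPBIS implementation.  It takes the 'person' and
   'residentialPerson' object class descriptions from Section 4 above
   exactly as written, parses them with a small tokenizer for the
   general description form (not only these two classes), resolves the
   SUP chain, and checks a candidate entry the way a schema-aware
   server or an import filter would: it reports missing MUST
   attributes, attributes outside the combined MUST and MAY lists, and
   an entry that does not declare exactly one structural object class.
   Attribute names are compared case-insensitively, and the MUST and
   MAY lists are held as sets, so the repeated preferredDeliveryMethod
   in residentialPerson is tolerated rather than rejected.  The
   definition of 'top' is an assumption (it is given in [Models], not
   on this page), and the two sample entries are constructed.

```python
"""Check entries against the 'person' and 'residentialPerson' object classes
copied below from Section 4 of the draft.  Added example, not the draft's own code."""
import re

PERSON = """( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn )
    MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )"""
RESIDENTIAL_PERSON = """( 2.5.6.10 NAME 'residentialPerson' SUP person STRUCTURAL
    MUST l MAY ( businessCategory $ x121Address $ registeredAddress $
    destinationIndicator $ preferredDeliveryMethod $ telexNumber $
    teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $
    facsimileTelephoneNumber $ preferredDeliveryMethod $ street $ postOfficeBox $
    postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l ) )"""
# 'top' is defined in [Models], not on this page; assumed here so SUP resolves.
TOP = "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )"
# Tokens: parentheses, '$', quoted descriptors, bare descriptors or OIDs.
_TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")

def _read_list(tokens, i):
    """A single descriptor or '( a $ b ... )' at tokens[i]; returns (items, next i)."""
    if tokens[i] != "(":
        return [tokens[i].strip("'")], i + 1
    end = tokens.index(")", i)
    return [t.strip("'") for t in tokens[i + 1:end] if t != "$"], end + 1

def parse_object_class(text):
    """Parse one description into a dict.  NAME is kept as written; SUP, MUST
    and MAY are lower-cased because LDAP descriptors are case-insensitive."""
    tokens = _TOKEN.findall(text)       # tokens[0] is '(' and tokens[-1] is ')'
    oc = {"oid": tokens[1], "names": [], "sup": set(), "kind": "STRUCTURAL",
          "must": set(), "may": set()}
    i = 2
    while i < len(tokens) - 1:
        tok = tokens[i]
        if tok == "NAME":
            oc["names"], i = _read_list(tokens, i + 1)
        elif tok == "SUP":
            sup, i = _read_list(tokens, i + 1)
            oc["sup"] = {s.lower() for s in sup}
        elif tok in ("ABSTRACT", "STRUCTURAL", "AUXILIARY"):
            oc["kind"], i = tok, i + 1
        elif tok in ("MUST", "MAY"):
            attrs, i = _read_list(tokens, i + 1)
            # Sets: residentialPerson's repeated preferredDeliveryMethod is tolerated.
            oc[tok.lower()].update(a.lower() for a in attrs)
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return oc

class Schema:
    def __init__(self, descriptions):
        self.classes = {}                   # lower-cased name -> parsed class
        for text in descriptions:
            oc = parse_object_class(text)
            for n in oc["names"]:
                self.classes[n.lower()] = oc

    def ancestors(self, name):
        """All superclasses of a class, transitively (lower-cased names)."""
        out = set()
        for p in self.classes[name.lower()]["sup"]:
            if p in self.classes:
                out |= {p} | self.ancestors(p)
        return out

    def effective(self, *names):
        """(MUST, MAY) for the given classes, including everything inherited."""
        chain = {n.lower() for n in names}
        chain |= set().union(*(self.ancestors(n) for n in chain))
        return (set().union(*(self.classes[c]["must"] for c in chain)),
                set().union(*(self.classes[c]["may"] for c in chain)))

    def check_entry(self, entry):
        """entry: dict attribute type -> list of values; returns a list of problems."""
        attrs = {k.lower(): v for k, v in entry.items()}
        declared = [c.lower() for c in attrs.get("objectclass", [])]
        if not declared:
            return ["entry has no objectClass attribute"]
        known = [c for c in declared if c in self.classes]
        problems = [f"unknown object class '{c}'" for c in declared if c not in known]
        # Exactly one structural chain: an ancestor of another declared class
        # does not count as a second structural class.
        structural = [c for c in known if self.classes[c]["kind"] == "STRUCTURAL"]
        leaves = [c for c in structural
                  if not any(c in self.ancestors(o) for o in structural if o != c)]
        if len(leaves) != 1:
            problems.append(f"expected one structural object class, found {leaves}")
        must, may = self.effective(*known)
        problems += [f"missing MUST attribute '{n}'" for n in sorted(must)
                     if not attrs.get(n)]
        problems += [f"attribute '{n}' not permitted by declared object classes"
                     for n in sorted(attrs) if n not in must and n not in may]
        return problems

SAMPLE_RESIDENT = {"objectClass": ["top", "person", "residentialPerson"],  # constructed
                   "cn": ["Jane Example"], "sn": ["Example"],
                   "l": ["Example City"], "street": ["1 Example Street"]}
SAMPLE_BROKEN = {"objectClass": ["person"],   # constructed: sn missing, street not allowed
                 "cn": ["Jane Example"], "street": ["1 Example Street"]}
```

   Schema([TOP, PERSON, RESIDENTIAL_PERSON]).check_entry(SAMPLE_RESIDENT)
   returns an empty list, while the same call on SAMPLE_BROKEN reports
   the missing 'sn' and the 'street' attribute that a plain 'person'
   entry may not carry.  Rejecting such entries before they are written
   keeps the directory consistent with the schema it advertises, which
   is what downstream consumers (address books, certificate lookups,
   authentication backends) rely on.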