INTERNET-DRAFT                                          K. Dally, Editor
Intended Category: Standard Track                       The MITRE Corp.
Expires 25 August 2003                                 25 February 2003
Obsoletes: RFC 2256, RFC 2252

                           LDAP: User Schema

   [Editor's note:
   This Internet-Draft (I-D) is an updated version of text from
   RFC 2256 and RFC 2252.
   This action is part of the maintenance activity that is needed in
   order to progress LDAP (v3) to Draft Standard.  The changes are
   described in Annex A of this document.
   End of Editor's note]

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC 2026 [RFC2026].

   This document is intended to be, after appropriate review and
   revision, submitted to the RFC Editor as a Standard Track document.
   Distribution of this memo is unlimited.  Technical discussion of
   this document will take place on the IETF LDAP Revision Working
   Group (LDAPbis) mailing list.  Please send editorial comments
   directly to the author.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.  Internet-Drafts are draft documents valid for a
   maximum of six months and may be updated, replaced, or obsoleted by
   other documents at any time.  It is inappropriate to use
   Internet-Drafts as reference material or to cite them other than as
   "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.  The list of
   Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   Copyright 2003, The Internet Society.  All Rights Reserved.

   Please see the Copyright section near the end of this document for
   more information.

Abstract

   This document provides an overview of attribute types and object
   classes defined by the ISO/IEC JTC1 and ITU-T committees in the
   ISO/IEC 9594 and X.500 documents, in particular those intended for
   use by directory clients.  This is the most widely used schema for
   LDAP/X.500 directories.  It is used as a basis for many other white
   pages objects schema definitions.
   This document does not cover attributes used for the administration
   of X.500 directory servers, nor does it include attributes defined
   by other ISO/ITU-T documents.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

Table of Contents

   Status of this Memo
   Abstract
   1.  General Issues
   2.  Source
   3.  Attribute Types
       3.1   businessCategory
       3.2   c
       3.3   cn
       3.4   dc
       3.5   description
       3.6   destinationIndicator
       3.7   distinguishedName
       3.8   dnQualifier
       3.9   enhancedSearchGuide
       3.10  facsimileTelephoneNumber
       3.11  generationQualifier
       3.12  givenName
       3.13  houseIdentifier
       3.14  initials
       3.15  internationalISDNNumber
       3.16  l
       3.17  member
       3.18  name
       3.19  o
       3.20  ou
       3.21  owner
       3.22  physicalDeliveryOfficeName
       3.23  postalAddress
       3.24  postalCode
       3.25  postOfficeBox
       3.26  preferredDeliveryMethod
       3.27  registeredAddress
       3.28  roleOccupant
       3.29  searchGuide
       3.30  seeAlso
       3.31  serialNumber
       3.32  sn
       3.33  st
       3.34  street
       3.35  telephoneNumber
       3.36  teletexTerminalIdentifier
       3.37  telexNumber
       3.38  title
       3.39  uniqueMember
       3.40  userPassword
       3.41  x121Address
       3.42  x500UniqueIdentifier
   4.  Object Classes
       4.1   applicationProcess
       4.2   country
       4.3   device
       4.4   domain
       4.5   groupOfNames
       4.6   groupOfUniqueNames
       4.7   locality
       4.8   organization
       4.9   organizationalPerson
       4.10  organizationalRole
       4.11  organizationalUnit
       4.12  person
       4.13  residentialPerson
   5.  Security Considerations
   6.  Acknowledgements
   7.  References
       7.1   Normative
       7.2   Informative
   8.
       Author's Address
   Annex A  Change Log

1. General Issues

   This document references Syntaxes given in Section 3 of [Syntaxes]
   and Matching Rules specified in Section 4 of [Syntaxes].

   The definitions of Attribute Types and Object Classes are written
   using the ABNF form of AttributeTypeDescription and
   ObjectClassDescription given in [Models].  Lines have been folded
   for readability.

2. Source

   The schema definitions in this document are based on those found in
   the X.500-series [X.520] and [X.521] and RFC 2247 [RFC2247],
   specifically:

      Sections       Source
      ============   ==================
      3.1 - 3.3      X.520 [X.520]
      3.4            RFC 2247 [RFC2247]
      3.5 - 3.42     X.520 [X.520]
      4.1 - 4.3      X.521 [X.521]
      4.4            RFC 2247 [RFC2247]
      4.5 - 4.13     X.521 [X.521]

3. Attribute Types

   The Attribute Types contained in this section hold user information.

   There is no requirement that servers implement the following
   Attribute Types:

      searchGuide
      teletexTerminalIdentifier

   In fact, their use is greatly discouraged.

   An LDAP server implementation SHOULD recognize the rest of the
   Attribute Types described in this section.

3.1 businessCategory

   This Attribute Type describes the kind of business performed by
   an organization.

      ( 2.5.4.15 NAME 'businessCategory'
         EQUALITY caseIgnoreMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

   The SYNTAX oid indicates the Directory String syntax.

3.2 c

   This is the X.520 [X.520] countryName Attribute Type, which contains
   a two-letter ISO 3166 [ISO3166] country code.

      ( 2.5.4.6 NAME 'c'
         SUP name
         SINGLE-VALUE )

3.3 cn

   This is the X.520 [X.520] commonName Attribute Type, which contains
   a name of an object.  If the object corresponds to a person, it is
   typically the person's full name.
      ( 2.5.4.3 NAME 'cn'
         SUP name )

3.4 dc

   The dc (short for domainComponent) attribute type is defined as
   follows:

      ( 0.9.2342.19200300.100.1.25 NAME 'dc'
         EQUALITY caseIgnoreIA5Match
         SUBSTR caseIgnoreIA5SubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
         SINGLE-VALUE )

   The value of this attribute is a string holding one component of a
   DNS domain name.  The encoding of IA5String for use in LDAP is simply
   the characters of the string itself.  The equality matching rule is
   case insensitive, as is today's DNS.

3.5 description

   This Attribute Type contains a human-readable description of
   the object.

      ( 2.5.4.13 NAME 'description'
         EQUALITY caseIgnoreMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

   The SYNTAX oid indicates the Directory String syntax.

3.6 destinationIndicator

   This attribute is used for the telegram service.

      ( 2.5.4.27 NAME 'destinationIndicator'
         EQUALITY caseIgnoreMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )

   The SYNTAX oid indicates the Printable String syntax.

3.7 distinguishedName

   This Attribute Type is not used as the name of the object itself,
   but it is instead a base type from which attributes with DN syntax
   inherit.

   It is unlikely that values of this type itself will occur in an
   entry.  LDAP server implementations which do not support attribute
   subtyping need not recognize this attribute in requests.  Client
   implementations MUST NOT assume that LDAP servers are capable of
   performing attribute subtyping.

      ( 2.5.4.49 NAME 'distinguishedName'
         EQUALITY distinguishedNameMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

   The SYNTAX oid indicates the DN syntax.

3.8 dnQualifier

   The dnQualifier Attribute Type specifies disambiguating information
   to add to the relative distinguished name of an entry.
   It is intended for use when merging data from multiple sources in
   order to prevent conflicts between entries which would otherwise have
   the same name.  It is recommended that the value of the dnQualifier
   attribute be the same for all entries from a particular source.

      ( 2.5.4.46 NAME 'dnQualifier'
         EQUALITY caseIgnoreMatch
         ORDERING caseIgnoreOrderingMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )

   The SYNTAX oid indicates the Printable String syntax.

3.9 enhancedSearchGuide

   This attribute is for use by X.500 clients in constructing search
   filters.

      ( 2.5.4.47 NAME 'enhancedSearchGuide'
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )

   The SYNTAX oid indicates the Enhanced Guide syntax.

3.10 facsimileTelephoneNumber

   A value of this Attribute Type is a telephone number for a facsimile
   terminal (and, optionally, its parameters).

      ( 2.5.4.23 NAME 'facsimileTelephoneNumber'
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )

   The SYNTAX oid indicates the Facsimile Telephone Number syntax.

3.11 generationQualifier

   The generationQualifier Attribute Type contains the part of a
   person's name which typically is the suffix, as in "IIIrd".

      ( 2.5.4.44 NAME 'generationQualifier'
         SUP name )

3.12 givenName

   The givenName Attribute Type is used to hold the part of a person's
   name which is not their surname nor middle name.

      ( 2.5.4.42 NAME 'givenName'
         SUP name )

3.13 houseIdentifier

   This Attribute Type is used to identify a building within a location.

      ( 2.5.4.51 NAME 'houseIdentifier'
         EQUALITY caseIgnoreMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

   The SYNTAX oid indicates the Directory String syntax.

3.14 initials

   The initials Attribute Type contains the initials of some or all of
   an individual's names, except the surname(s).
      ( 2.5.4.43 NAME 'initials'
         SUP name )

3.15 internationalISDNNumber

   A value of this Attribute Type is an ISDN address, as defined in
   ITU Recommendation E.164 [E.164].

      ( 2.5.4.25 NAME 'internationalISDNNumber'
         EQUALITY numericStringMatch
         SUBSTR numericStringSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} )

   The SYNTAX oid indicates the Numeric String syntax.

3.16 l

   This is the X.520 [X.520] localityName Attribute Type, which
   contains the name of a locality or place, such as a city, county or
   other geographic region.

      ( 2.5.4.7 NAME 'l'
         SUP name )

3.17 member

   A value of this Attribute Type is the Distinguished Name of an
   object that is on a list or in a group.

      ( 2.5.4.31 NAME 'member'
         SUP distinguishedName )

3.18 name

   The name Attribute Type is the attribute supertype from which string
   Attribute Types typically used for naming may be formed.  It is
   unlikely that values of this type itself will occur in an entry.
   LDAP server implementations which do not support attribute subtyping
   need not recognize this attribute in requests.  Client
   implementations MUST NOT assume that LDAP servers are capable of
   performing attribute subtyping.

      ( 2.5.4.41 NAME 'name'
         EQUALITY caseIgnoreMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

   The SYNTAX oid indicates the Directory String syntax.

3.19 o

   This is the X.520 [X.520] organizationName Attribute Type, which
   contains the name of an organization.

      ( 2.5.4.10 NAME 'o'
         SUP name )

3.20 ou

   This is the X.520 [X.520] organizationalUnitName Attribute Type,
   which contains the name of an organizational unit.

      ( 2.5.4.11 NAME 'ou'
         SUP name )

3.21 owner

   A value of this Attribute Type is the Distinguished Name of an
   object that has an ownership responsibility for the object that
   is owned.
      ( 2.5.4.32 NAME 'owner'
         SUP distinguishedName )

3.22 physicalDeliveryOfficeName

   This attribute contains the name that a Postal Service uses to
   identify a post office.

      ( 2.5.4.19 NAME 'physicalDeliveryOfficeName'
         EQUALITY caseIgnoreMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

   The SYNTAX oid indicates the Directory String syntax.

3.23 postalAddress

   This attribute contains an address used by a Postal Service to
   perform services for the object.

      ( 2.5.4.16 NAME 'postalAddress'
         EQUALITY caseIgnoreListMatch
         SUBSTR caseIgnoreListSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

   The SYNTAX oid indicates the Postal Address syntax.

3.24 postalCode

   This attribute contains a code used by a Postal Service to identify
   a postal service zone, such as the southern quadrant of a city.

      ( 2.5.4.17 NAME 'postalCode'
         EQUALITY caseIgnoreMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )

   The SYNTAX oid indicates the Directory String syntax.

3.25 postOfficeBox

   This attribute contains the number that a Postal Service uses when a
   customer arranges to receive mail at a box on premises of the Postal
   Service.

      ( 2.5.4.18 NAME 'postOfficeBox'
         EQUALITY caseIgnoreMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )

   The SYNTAX oid indicates the Directory String syntax.

3.26 preferredDeliveryMethod

   This attribute contains an indication of the preferred method of
   getting a message to the object.

      ( 2.5.4.28 NAME 'preferredDeliveryMethod'
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
         SINGLE-VALUE )

   The SYNTAX oid indicates the Delivery Method syntax.

3.27 registeredAddress

   This attribute holds a postal address suitable for reception of
   telegrams or expedited documents, where it is necessary to have the
   recipient accept delivery.
      ( 2.5.4.26 NAME 'registeredAddress'
         SUP postalAddress
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

   The SYNTAX oid indicates the Postal Address syntax.

3.28 roleOccupant

   A value of this Attribute Type is the Distinguished Name of an
   object (normally a person) that fulfills the responsibilities of a
   role object.

      ( 2.5.4.33 NAME 'roleOccupant'
         SUP distinguishedName )

3.29 searchGuide

   This Attribute Type is for use by clients in constructing search
   filters.  It is superseded by enhancedSearchGuide, described above
   in section 3.9.

      ( 2.5.4.14 NAME 'searchGuide'
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )

   The SYNTAX oid indicates the Guide syntax.

3.30 seeAlso

   A value of this Attribute Type is the Distinguished Name of an
   object that is related to the subject object.

      ( 2.5.4.34 NAME 'seeAlso'
         SUP distinguishedName )

3.31 serialNumber

   This attribute contains the serial number of a device.

      ( 2.5.4.5 NAME 'serialNumber'
         EQUALITY caseIgnoreMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )

   The SYNTAX oid indicates the Printable String syntax.

3.32 sn

   This is the X.520 [X.520] surname Attribute Type, which contains the
   family name of a person.

      ( 2.5.4.4 NAME 'sn'
         SUP name )

3.33 st

   This is the X.520 [X.520] stateOrProvinceName attribute, which
   contains the full name of a state or province.

      ( 2.5.4.8 NAME 'st'
         SUP name )

3.34 street

   This is the X.520 [X.520] streetAddress attribute, which contains the
   physical address of the object to which the entry corresponds, such
   as an address for package delivery.

      ( 2.5.4.9 NAME 'street'
         EQUALITY caseIgnoreMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

   The SYNTAX oid indicates the Directory String syntax.
3.35 telephoneNumber

   A value of this Attribute Type is a telephone number complying with
   ITU Recommendation E.123 [E.123].

      ( 2.5.4.20 NAME 'telephoneNumber'
         EQUALITY telephoneNumberMatch
         SUBSTR telephoneNumberSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )

   The SYNTAX oid indicates the Telephone Number syntax.

3.36 teletexTerminalIdentifier

   The withdrawal of Rec. F.200 has resulted in the withdrawal of this
   attribute.

      ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )

   The SYNTAX oid indicates the Teletex Terminal Identifier syntax.

3.37 telexNumber

   A value of this Attribute Type is a telex number, country code, and
   answerback code of a telex terminal.

      ( 2.5.4.21 NAME 'telexNumber'
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )

   The SYNTAX oid indicates the Telex Number syntax.

3.38 title

   This attribute contains the title, such as "Vice President", of a
   person in their organizational context.  The "personalTitle"
   attribute would be used for a person's title independent of their
   job function.

      ( 2.5.4.12 NAME 'title'
         SUP name )

3.39 uniqueMember

   A value of this Attribute Type is the Distinguished Name of an
   object that is on a list or in a group, where the Relative
   Distinguished Name of the object includes a value that distinguishes
   between objects when a distinguished name has been reused.

      ( 2.5.4.50 NAME 'uniqueMember'
         EQUALITY uniqueMemberMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )

   The SYNTAX oid indicates the Name and Optional UID syntax.

3.40 userPassword

   A value of this Attribute Type is a character string that is known
   only to the user and the system to which the user has access.

      ( 2.5.4.35 NAME 'userPassword'
         EQUALITY octetStringMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

   The SYNTAX oid indicates the Octet String syntax.
   Passwords are stored using an Octet String syntax and are not
   encrypted.  Transfer of cleartext passwords is strongly discouraged
   where the underlying transport service cannot guarantee
   confidentiality and may result in disclosure of the password to
   unauthorized parties.

3.41 x121Address

   A value of this Attribute Type is a data network address as defined
   by ITU Recommendation X.121 [X.121].

      ( 2.5.4.24 NAME 'x121Address'
         EQUALITY numericStringMatch
         SUBSTR numericStringSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} )

   The SYNTAX oid indicates the Numeric String syntax.

3.42 x500UniqueIdentifier

   The x500UniqueIdentifier Attribute Type is used to distinguish
   between objects when a distinguished name has been reused.  In X.520
   [X.520], this Attribute Type is called uniqueIdentifier.  This is a
   different Attribute Type from both the "uid" and "uniqueIdentifier"
   Attribute Types.

      ( 2.5.4.45 NAME 'x500UniqueIdentifier'
         EQUALITY bitStringMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )

   The SYNTAX oid indicates the Bit String syntax.

4. Object Classes

   LDAP servers SHOULD recognize all the Object Classes listed here as
   values of the objectClass attribute.

4.1 applicationProcess

   The applicationProcess Object Class definition is the basis of an
   entry which represents an application executing in a computer system.

      ( 2.5.6.11 NAME 'applicationProcess'
         SUP top
         STRUCTURAL
         MUST cn
         MAY ( seeAlso $
               ou $
               l $
               description ) )

4.2 country

   The country Object Class definition is the basis of an entry which
   represents a country.

      ( 2.5.6.2 NAME 'country'
         SUP top
         STRUCTURAL
         MUST c
         MAY ( searchGuide $
               description ) )

4.3 device

   The device Object Class is the basis of an entry which represents
   an appliance or computer or network element.
      ( 2.5.6.14 NAME 'device'
         SUP top
         STRUCTURAL
         MUST cn
         MAY ( serialNumber $
               seeAlso $
               owner $
               ou $
               o $
               l $
               description ) )

4.4 domain

   The domain Object Class is the basis of an entry which represents a
   portion of a network, as organized by DNS.

      ( 0.9.2342.19200300.100.4.13 NAME 'domain'
         SUP top
         STRUCTURAL
         MUST dc
         MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
               x121Address $ registeredAddress $ destinationIndicator $
               preferredDeliveryMethod $ telexNumber $
               teletexTerminalIdentifier $ telephoneNumber $
               internationaliSDNNumber $ facsimileTelephoneNumber $ street $
               postOfficeBox $ postalCode $ postalAddress $
               physicalDeliveryOfficeName $ st $ l $ description $ o $
               associatedName ) )

   An example entry would be:

      dn: dc=tcp,dc=critical-angle,dc=com
      objectClass: top
      objectClass: domain
      dc: tcp
      description: a placeholder entry used with SRV records

4.5 groupOfNames

   The groupOfNames Object Class is the basis of an entry which
   represents a set of named objects including information related to
   the purpose or maintenance of the set.

      ( 2.5.6.9 NAME 'groupOfNames'
         SUP top
         STRUCTURAL
         MUST ( member $
                cn )
         MAY ( businessCategory $
               seeAlso $
               owner $
               ou $
               o $
               description ) )

4.6 groupOfUniqueNames

   The groupOfUniqueNames Object Class is the same as the groupOfNames
   object class except that the object names are not repeated or
   reassigned within a set scope.

      ( 2.5.6.17 NAME 'groupOfUniqueNames'
         SUP top
         STRUCTURAL
         MUST ( uniqueMember $
                cn )
         MAY ( businessCategory $
               seeAlso $
               owner $
               ou $
               o $
               description ) )

4.7 locality

   The locality Object Class is the basis of an entry which
   represents a place in the physical world.
      ( 2.5.6.3 NAME 'locality'
         SUP top
         STRUCTURAL
         MAY ( street $
               seeAlso $
               searchGuide $
               st $
               l $
               description ) )

4.8 organization

   The organization Object Class is the basis of an entry which
   represents a structured group of people.

      ( 2.5.6.4 NAME 'organization'
         SUP top
         STRUCTURAL
         MUST o
         MAY ( userPassword $ searchGuide $ seeAlso $
               businessCategory $ x121Address $ registeredAddress $
               destinationIndicator $ preferredDeliveryMethod $
               telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
               internationaliSDNNumber $ facsimileTelephoneNumber $
               street $ postOfficeBox $ postalCode $
               postalAddress $ physicalDeliveryOfficeName $ st $
               l $ description ) )

4.9 organizationalPerson

   The organizationalPerson Object Class is the basis of an entry which
   represents a person in relation to an organization.

      ( 2.5.6.7 NAME 'organizationalPerson'
         SUP person
         STRUCTURAL
         MAY ( title $ x121Address $ registeredAddress $
               destinationIndicator $ preferredDeliveryMethod $
               telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
               internationaliSDNNumber $ facsimileTelephoneNumber $
               street $ postOfficeBox $ postalCode $ postalAddress $
               physicalDeliveryOfficeName $ ou $ st $ l ) )

4.10 organizationalRole

   The organizationalRole Object Class is the basis of an entry which
   represents a job or function or position in an organization.
      ( 2.5.6.8 NAME 'organizationalRole'
         SUP top
         STRUCTURAL
         MUST cn
         MAY ( x121Address $ registeredAddress $ destinationIndicator $
               preferredDeliveryMethod $ telexNumber $
               teletexTerminalIdentifier $ telephoneNumber $
               internationaliSDNNumber $ facsimileTelephoneNumber $
               seeAlso $ roleOccupant $ preferredDeliveryMethod $
               street $ postOfficeBox $ postalCode $ postalAddress $
               physicalDeliveryOfficeName $ ou $ st $ l $ description ) )

4.11 organizationalUnit

   The organizationalUnit Object Class is the basis of an entry which
   represents a piece of an organization.

      ( 2.5.6.5 NAME 'organizationalUnit'
         SUP top
         STRUCTURAL
         MUST ou
         MAY ( businessCategory $ description $ destinationIndicator $
               facsimileTelephoneNumber $ internationaliSDNNumber $ l $
               physicalDeliveryOfficeName $ postalAddress $ postalCode $
               postOfficeBox $ preferredDeliveryMethod $
               registeredAddress $ searchGuide $ seeAlso $ st $ street $
               telephoneNumber $ teletexTerminalIdentifier $ telexNumber $
               userPassword $ x121Address ) )

4.12 person

   The person Object Class is the basis of an entry which represents a
   human being.

      ( 2.5.6.6 NAME 'person'
         SUP top
         STRUCTURAL
         MUST ( sn $
                cn )
         MAY ( userPassword $
               telephoneNumber $
               seeAlso $
               description ) )

4.13 residentialPerson

   The residentialPerson Object Class is the basis of an entry which
   includes a person's residence in the representation of the person.

      ( 2.5.6.10 NAME 'residentialPerson'
         SUP person
         STRUCTURAL
         MUST l
         MAY ( businessCategory $ x121Address $ registeredAddress $
               destinationIndicator $ preferredDeliveryMethod $
               telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
               internationaliSDNNumber $ facsimileTelephoneNumber $
               preferredDeliveryMethod $ street $ postOfficeBox $
               postalCode $ postalAddress $ physicalDeliveryOfficeName $
               st $ l ) )
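   The attribute subtyping of 3.7 and 3.18 (on a server that supports
   it, 'cn' takes its matching rules and syntax from 'name', and
   'member' from 'distinguishedName') and the MUST/MAY lists of Section
   4 are what a schema-aware client, or a proxy that checks entries
   before accepting them, has to evaluate.  The Python below is an added
   example; it is not code from this draft, from RFC 2256, or from any
   LDAP server.  It parses description strings in the form used in
   Sections 3 and 4 with a small tokenizer, resolves the SUP chain for
   attribute types and for object classes, and reports an entry's
   violations: a missing MUST attribute, an attribute outside MUST and
   MAY, a SINGLE-VALUE attribute carrying several values, and a value
   longer than the {n} attached to the inherited SYNTAX.  The schema
   text embedded in it is a constructed subset of this document with
   shortened MAY lists, and treating {n} as a hard maximum on the
   character count is a choice of this example, not something the draft
   states.  The entries it checks are the draft's own domain example
   from 4.4 and a constructed bad entry.

```python
# Added example, not from the draft: parse the Section 3 and 4 description
# strings, resolve SUP inheritance, and check an entry against MUST/MAY,
# SINGLE-VALUE and the SYNTAX {n} bound.  Constructed schema subset below.
import re

ATTRIBUTE_TYPES = """
( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
( 2.5.4.3 NAME 'cn' SUP name )
( 2.5.4.4 NAME 'sn' SUP name )
( 2.5.4.6 NAME 'c' SUP name SINGLE-VALUE )
( 2.5.4.49 NAME 'distinguishedName' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
( 2.5.4.31 NAME 'member' SUP distinguishedName )
( 2.5.4.13 NAME 'description' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
( 0.9.2342.19200300.100.1.25 NAME 'dc' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
"""
OBJECT_CLASSES = """
( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ ou $ st $ l ) )
( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( member $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCTURAL MUST dc MAY ( userPassword $ seeAlso $ description $ o ) )
"""

TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")
FLAGS = {"SINGLE-VALUE", "STRUCTURAL", "AUXILIARY", "ABSTRACT", "OBSOLETE"}
LIST_KEYS = {"NAME", "SUP", "MUST", "MAY"}      # value may be a '$'-separated list

def parse_description(text):
    """'( oid KEY value ... )' -> {'oid': ..., 'flags': {...}, KEY: value, ...}."""
    toks = TOKEN.findall(text)
    desc, i = {"oid": toks[1], "flags": set()}, 2
    while i < len(toks) - 1:                    # toks[-1] is the closing ')'
        key, i = toks[i], i + 1
        if key in FLAGS:
            desc["flags"].add(key)
            continue
        if toks[i] == "(":                      # e.g. MUST ( sn $ cn )
            end = toks.index(")", i)
            vals, i = [t for t in toks[i + 1:end] if t != "$"], end + 1
        else:
            vals, i = [toks[i]], i + 1
        vals = [v.strip("'") for v in vals]
        desc[key] = vals if key in LIST_KEYS else vals[0]
    return desc

def load(text):
    descs = [parse_description(line) for line in text.strip().splitlines()]
    return {n.lower(): d for d in descs for n in d["NAME"]}   # names are case-insensitive

ATTRS, CLASSES = load(ATTRIBUTE_TYPES), load(OBJECT_CLASSES)

def resolve_attribute(name):
    """Subtyping (3.7, 3.18): 'cn' inherits EQUALITY/SUBSTR/SYNTAX from 'name'."""
    chain, cur = [], ATTRS[name.lower()]
    while cur is not None:
        chain.append(cur)
        cur = ATTRS[cur["SUP"][0].lower()] if "SUP" in cur else None
    merged = {"flags": set().union(*(d["flags"] for d in chain))}
    for d in reversed(chain):                   # supertype first, subtype overrides
        merged.update({k: v for k, v in d.items() if k not in ("oid", "NAME", "SUP", "flags")})
    return merged

def class_requirements(name):
    """MUST and MAY over the SUP chain (4.9: organizationalPerson SUP person)."""
    must, may, cur = set(), set(), CLASSES.get(name.lower())
    while cur is not None:                      # 'top' is not in the table: chain ends
        must |= {a.lower() for a in cur.get("MUST", [])}
        may |= {a.lower() for a in cur.get("MAY", [])}
        cur = CLASSES.get(cur["SUP"][0].lower())
    return must, may

def check_entry(entry):
    """Violations for {attribute: [values]}: unknown class, missing MUST, attribute
    outside MUST/MAY, SINGLE-VALUE with several values, value over the {n} bound."""
    problems, must, may = [], set(), set()
    for oc in entry.get("objectClass", []):
        if oc.lower() in CLASSES:
            m, o = class_requirements(oc)
            must, may = must | m, may | o
        elif oc.lower() != "top":
            problems.append(f"unknown objectClass {oc}")
    present = {a.lower() for a in entry if a.lower() != "objectclass"}
    problems += [f"missing MUST attribute {a}" for a in sorted(must - present)]
    problems += [f"attribute {a} not allowed by objectClass" for a in sorted(present - must - may)]
    for attr, values in entry.items():
        if attr.lower() == "objectclass" or attr.lower() not in ATTRS:
            continue
        r = resolve_attribute(attr)
        if "SINGLE-VALUE" in r["flags"] and len(values) > 1:
            problems.append(f"{attr} is SINGLE-VALUE but has {len(values)} values")
        bound = re.search(r"\{(\d+)\}$", r["SYNTAX"])   # {n} treated as a hard maximum
        if bound and any(len(v) > int(bound.group(1)) for v in values):
            problems.append(f"{attr} value exceeds declared length {bound.group(1)}")
    return problems

if __name__ == "__main__":      # the draft's domain example (4.4), then a bad entry
    print(check_entry({"objectClass": ["top", "domain"], "dc": ["tcp"]}))
    print(check_entry({"objectClass": ["organizationalPerson"], "cn": ["Jane Doe"],
                       "c": ["US", "GB"], "userPassword": ["x" * 129]}))
```

   Two things worth noticing when running it.  resolve_attribute('cn')
   comes back with caseIgnoreMatch while userPassword keeps
   octetStringMatch, so a comparison that is case-insensitive for names
   must not be reused for passwords.  And because the domain,
   organization and organizationalUnit classes list userPassword in
   MAY, an entry that is not a person can still carry a credential; a
   schema check alone will not flag that, so a review of which entries
   hold userPassword is a separate step.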
5. Security Considerations

   Attributes of directory entries are used to provide descriptive
   information about the real-world objects they represent, which can be
   people, organizations or devices.  Most countries have privacy laws
   regarding the publication of information about people.

   Transfer of cleartext passwords is strongly discouraged where the
   underlying transport service cannot guarantee confidentiality and may
   result in disclosure of the password to unauthorized parties.

   It is required that strong authentication be performed in order to
   modify directory entries using LDAP.

   Several X.500 Attribute Types and Object Classes, such as the
   userCertificate Attribute Type or the certificationAuthority Object
   Class, are used to include key-based security information in
   directory entries.  The Attribute Types are:

      authorityRevocationList
      cACertificate
      certificateRevocationList
      crossCertificatePair
      deltaRevocationList
      supportedAlgorithms
      userCertificate

   The Object Classes are:

      certificationAuthority
      certificationAuthority-V2
      cRLDistributionPoint
      strongAuthenticationUser
      userSecurityInformation

   These Attribute Types and Object Classes are specified for LDAP by
   the PKIX Working Group, and so are not included in this document.

   It is recommended that the BNF notation in RFC 1778 [RFC1778] not
   be used for User Certificate, Authority Revocation List, and
   Certificate Pair.

6. Acknowledgements

   The definitions, on which this document is based, have been developed
   by committees for telecommunications and international standards.
   No new attribute definitions have been added.

   This document is an update of RFC 2256 by Mark Wahl.  RFC 2256 was a
   product of the IETF ASID Working Group.

   This document is based upon input of the IETF LDAPBIS working group.
   The author wishes to thank S. Legg and K.
   Zeilenga for their significant contribution to this update.

7. References

7.1 Normative

   [E.123]    Notation for national and international telephone numbers,
              ITU-T Recommendation E.123, 1988.

   [E.164]    The international public telecommunication numbering plan,
              ITU-T Recommendation E.164, 1997.

   [ISO3166]  ISO 3166, "Codes for the representation of names of
              countries".

   [Models]   K. Zeilenga, "LDAP: The Models",
              draft-ietf-ldapbis-models-xx.txt (a work in progress).

   [RFC2026]  Bradner, S., "The Internet Standards Process --
              Revision 3", RFC 2026, October 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [Syntaxes] S. Legg (editor), "LDAP: Syntaxes",
              draft-ietf-ldapbis-syntaxes-xx (a work in progress).

   [X.121]    International numbering plan for public data networks,
              ITU-T Recommendation X.121, 1996.

   [X.509]    The Directory: Authentication Framework, ITU-T
              Recommendation X.509, 1993.

   [X.520]    The Directory: Selected Attribute Types, ITU-T
              Recommendation X.520, 1993.

   [X.521]    The Directory: Selected Object Classes, ITU-T
              Recommendation X.521, 1993.

7.2 Informative

   [RFC1778]  Howes, T., Kille, S., Yeong, W., Robbins, C., "The
              String Representation of Standard Attribute Syntaxes",
              RFC 1778, March 1995.

   [RFC2247]  Kille, S., Wahl, M., Grimstad, A., Huber, R., and
              Sataluri, S., "Using Domains in LDAP/X.500 Distinguished
              Names", RFC 2247, January 1998.

   [RFC2252]  Wahl, M., Coulbeck, A., Howes, T., and S. Kille,
              "Lightweight Directory Access Protocol (v3): Attribute
              Syntax Definitions", RFC 2252, December 1997.

8. Author's Address

   Kathy Dally
   The MITRE Corp.
   1575 Colshire Dr., H300
   McLean VA 22102
   USA

   Phone: +1 703 883 6058
   Email: kdally@mitre.org

Annex A  Change Log

   This annex lists the changes that have been made from RFC 2256 to
   this I-D.
995 Changes to RFC 2256 resulting in 996 draft-ietf-ldapbis-user-schema-00.txt: 998 1. Revision of the Status of this Memo. 1000 2. Dependencies on RFC 1274 have been eliminated. 1002 3. The references to X.500(96) have been expressed in terms of 1003 the "edition", rather than the standard date. Note that the 1004 version of X.500 which is the basis for this document, is the 1005 third edition, which was finalized in 1996, but approved in 1006 1997. 1008 4. The "teletexTerminalNumber" attribute and syntax are marked 1009 as obsolete. 1011 5. Removed "The syntax definitions are based on the ISODE "QUIPU" 1012 implementation of X.500." from section 6. 1014 6. Added text to 6.1, the octetString syntax, in accordance 1015 with X.520. 1017 7. Some of the attribute types MUST be recognized by servers. 1018 Also, several attributes are obsolete. Therefore, the 1019 various kinds of attribute types have been placed in separate 1020 sections: 1022 - necessary for the directory to operate (section 3.1) 1024 - for holding user information (section 3.2) 1026 - superseded or withdrawn (section 3.3). 1028 8. Since "top" may be implicitly specified and "alias" is not 1029 abstract, the last sentence in the description of the 1030 "objectClass" attribute type, section 3.1.1, has been deleted. 1031 The clause that preceded the deleted sentence has been 1032 removed, also. 1034 9. Add a description to the definition of the "telephoneNumber" 1035 attribute type, section 3.2.17. 1037 10. Add text to mark the "teletexTerminalIdentifier" attribute 1038 type as obsolete. 1040 11. Add a security consideration requiring strong authentication 1041 in order to modify directory entries. 1043 Changes to draft-ietf-ldapbis-user-schema-00.txt, resulting in draft- 1044 ietf-ldapbis-user-schema-01.txt: 1046 12. Delete the conformance requirement for subschema object 1047 classes in favor of a statement in [SYNTAX]. 1049 13. Add a Table of Contents 1051 14. 
Replace the term "obsolete" with "superseded or withdrawn" 1053 15. Added explanations to many attributes. 1055 16. In the title, correct the X.500 reference to have the second 1056 edition as the basis. 1058 17. Throughout this I-D, cleaned up whitespace in the BNF 1059 definitions. 1061 18. Removed Section 4, Syntaxes, and Section 6, Matching Rules, 1062 (moved to draft-ietf-ldapbis-syntaxes-01.txt). 1064 19. Reorganized Section 3, Attributes, to eliminate grouping 1065 attributes according to conformance requirements. Reordered 1066 Section 3, Attributes, and Section 4, Object Classes, 1067 alphabetically. 1069 20. Added an explanation for each object class. 1071 Changes to draft-ietf-ldapbis-user-schema-01.txt, resulting in draft- 1072 ietf-ldapbis-user-schema-02.txt: 1074 21. Removed the certificate-related Attribute Types: 1075 authorityRevocationList, 1076 cACertificate, 1077 certificateRevocationList, 1078 crossCertificatePair, 1079 deltaRevocationList, 1080 supportedAlgorithms, and 1081 userCertificate. 1083 Removed the certificate-related Object Classes: 1084 certificationAuthority, 1085 certificationAuthority-V2, 1086 cRLDistributionPoint, 1087 strongAuthenticationUser, and 1088 userSecurityInformation 1090 Noted in the Security Considerations (Section 7) that they 1091 are covered in PKIX WG documents. 1093 22. Removed the dmdName Attribute Type and dmd Object Class 1094 because they are not in the version of X.500 which 1095 is referenced. 1097 23. Removed embedded comments from the ABNF productions 1098 throughout the document. 1100 24. Cleaned up the references; adopted word instead of number 1101 tags; split Section 7 into normative and informative 1102 subsections. 1104 Changes to draft-ietf-ldapbis-user-schema-02.txt, resulting in draft- 1105 ietf-ldapbis-user-schema-03.txt: 1107 ......25. Deleted the 'aliasedObjectName' and 'objectClass' attribute 1108 type definitions. They are included in [Models]. 1110 26. 
Deleted the 'alias' and 'top' object class definitions. They 1111 are included in [Models]. 1113 27. Replaced the document title. 1115 28. Changed reference citations to be consistent with the rest of 1116 the LDAPbis documents. 1118 Changes to draft-ietf-ldapbis-user-schema-03.txt, resulting in draft- 1119 ietf-ldapbis-user-schema-04.txt: 1121 29. Added references for RFC 2026 and RFC 2247. 1123 30. Corrected the copyright year. 1125 31. Added the 'dc' attribute and the 'domain' object class from 1126 RFC 2247. 1128 32. Deleted the 'knowledgeInformation', 'presentationAddress', 1129 'protocolInformation', and 'supportedApplicationContext' 1130 attributes. 1132 33. Deleted the 'applicationEntity' and 'dSA' object classes.