idnits 2.17.1 draft-ietf-ldapbis-user-schema-05.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust
(see https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate. This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------

  ** The document is more than 15 pages and seems to lack a Table of
     Contents.

  == It seems as if not all pages are separated by form feeds - found 0 form
     feeds but 25 pages

Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------

  ** The abstract seems to contain references ([ROADMAP]), which it
     shouldn't. Please replace those with straight textual mentions of the
     documents in question.

  == There are 106 instances of lines with non-RFC6890-compliant IPv4
     addresses in the document. If these are example addresses, they should
     be changed.

  == The 'Obsoletes: ' line in the draft header should list only the
     _numbers_ of the RFCs which will be obsoleted by this document (if
     approved); it should not include the word 'RFC' in the list.

  == The 'Updates: ' line in the draft header should list only the _numbers_
     of the RFCs which will be updated by this document (if approved); it
     should not include the word 'RFC' in the list.

Miscellaneous warnings:
----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to
     grant the BCP78 rights to the IETF Trust, then this is fine, and you
     can ignore this comment. If not, you may need to add the pre-RFC5378
     disclaimer. (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (April 2003) is 7654 days in the past. Is this
     intentional?

Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------

  (See RFCs 3967 and 4897 for information about using normative references
  to lower-maturity documents in RFCs)

  == Unused Reference: 'ISO3166' is defined on line 1021, but no explicit
     reference was found in the text

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ISO3166'

  -- No information found for draft-ietf-pkix-ldap-pki-schema-xx - is the
     name correct?

  -- Possible downref: Normative reference to a draft: ref. 'LDAP-PKI'

  -- No information found for draft-ietf-ldapbis-models-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Models'

  ** Obsolete normative reference: RFC 3377 (Obsoleted by RFC 4510)

  -- No information found for draft-ietf-ldapbis-roadmap-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'ROADMAP'

  -- No information found for draft-ietf-ldapbis-syntaxes-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Syntaxes'

     Summary: 4 errors (**), 0 flaws (~~), 6 warnings (==), 11 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

INTERNET-DRAFT                                          K. Dally, Editor
Intended Category: Standard Track                        The MITRE Corp.
Expires: October 2003                                        April 2003
Updates: RFC 2247
Obsoletes: RFC 2256

                            LDAP: User Schema

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC 2026.

   This document is intended to be, after appropriate review and
   revision, submitted to the RFC Editor as a Standard Track document.
   Distribution of this memo is unlimited.  Technical discussion of
   this document will take place on the IETF LDAP Revision Working
   Group (LDAPbis) mailing list.  Please send editorial comments
   directly to the author.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.  Internet-Drafts are draft documents valid for a
   maximum of six months and may be updated, replaced, or obsoleted by
   other documents at any time.  It is inappropriate to use
   Internet-Drafts as reference material or to cite them other than as
   "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Copyright Notice

   Copyright 2003, The Internet Society.  All Rights Reserved.

Abstract

   This document is an integral part of the LDAP technical specification
   [ROADMAP].  It provides an overview of attribute types and object
   classes intended for use by LDAP directory clients for many
   directory services, such as White Pages.  Originally specified in
   the ISO/IEC 9594 and X.500 documents, these objects are widely used
   as a basis for the schema in many LDAP directories.  This document
   does not cover attributes used for the administration of directory
   servers, nor does it include directory objects defined for specific
   uses in other documents.
Table of Contents

   Status of this Memo
   Copyright Notice
   Abstract
   Table of Contents
   1. Introduction
      1.1 Situation
      1.2 Conventions
      1.3 General Issues
      1.4 Source
   2. Attribute Types
      2.1 businessCategory
      2.2 c
      2.3 cn
      2.4 dc
      2.5 description
      2.6 destinationIndicator
      2.7 distinguishedName
      2.8 dnQualifier
      2.9 enhancedSearchGuide
      2.10 facsimileTelephoneNumber
      2.11 generationQualifier
      2.12 givenName
      2.13 houseIdentifier
      2.14 initials
      2.15 internationalISDNNumber
      2.16 l
      2.17 member
      2.18 name
      2.19 o
      2.20 ou
      2.21 owner
      2.22 physicalDeliveryOfficeName
      2.23 postalAddress
      2.24 postalCode
      2.25 postOfficeBox
      2.26 preferredDeliveryMethod
      2.27 registeredAddress
      2.28 roleOccupant
      2.29 searchGuide
      2.30 seeAlso
      2.31 serialNumber
      2.32 sn
      2.33 st
      2.34 street
      2.35 telephoneNumber
      2.36 teletexTerminalIdentifier
      2.37 telexNumber
      2.38 title
      2.39 uniqueMember
      2.40 userPassword
      2.41 x121Address
      2.42 x500UniqueIdentifier
   3. Object Classes
      3.1 applicationProcess
      3.2 country
      3.3 device
      3.4 domain
      3.5 groupOfNames
      3.6 groupOfUniqueNames
      3.7 locality
      3.8 organization
      3.9 organizationalPerson
      3.10 organizationalRole
      3.11 organizationalUnit
      3.12 person
      3.13 residentialPerson
   4. IANA Considerations
   5. Security Considerations
   6. Acknowledgements
   7. References
      7.1 Normative
      7.2 Informative
   8. Author's Address
   9. Full Copyright Statement

1. Introduction

   This document provides an overview of attribute types and object
   classes intended for use by LDAP directory clients for many
   directory services, such as White Pages.
   Originally specified in the ISO/IEC 9594 and X.500 documents, these
   objects are widely used as a basis for the schema in many LDAP
   directories.  This document does not cover attributes used for the
   administration of directory servers, nor does it include directory
   objects defined for specific uses in other documents.

1.1 Situation

   This document is an integral part of the LDAP technical specification
   [ROADMAP] which obsoletes the previously defined LDAP technical
   specification [RFC3377] in its entirety.  In terms of RFC 2256,
   Sections 6 and 8 of RFC 2256 are obsoleted by [Syntaxes].
   Sections 5.1, 5.2, 7.1 and 7.2 of RFC 2256 are obsoleted by [Models].
   The remainder of RFC 2256 is obsoleted by this document.  Sections
   3.4 and 4.4 of this document supersede the technical specifications
   for the 'dc' attribute type and 'domain' object class found in
   RFC 2247.  The remainder of RFC 2247 remains in force.

   A number of schema elements which were included in the previous
   revision of the LDAP Technical Specification are not included in this
   revision of LDAP.  PKI-related schema elements are now specified in
   [LDAP-PKI].  Unless reintroduced in future technical specifications,
   the remainder are to be considered Historic.

1.2 Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

1.3 General Issues

   This document references Syntaxes given in Section 3 of [Syntaxes]
   and Matching Rules specified in Section 4 of [Syntaxes].

   The definitions of Attribute Types and Object Classes are written
   using the ABNF form of AttributeTypeDescription and
   ObjectClassDescription given in [Models].  Lines have been folded
   for readability.
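   The following Python program is an added example; it is not part of
   this document nor of any LDAP specification.  It joins definitions
   folded in the manner just described back onto one line, parses the
   AttributeTypeDescription and ObjectClassDescription fields used in
   Sections 2 and 3, resolves SUP inheritance so that a subtype such as
   'cn' picks up the matching rules and syntax of 'name', and checks an
   entry against an object class's MUST and MAY lists, including the
   SINGLE-VALUE flag and the {len} upper bound on a syntax.  The
   definitions embedded in it are copied from Sections 2 and 3 of this
   document; the sample entry and the names Schema, parse_definition
   and check_entry are constructed for the example.

```python
import re

# Definitions copied from Sections 2 and 3 of this document, folded as printed there.
SCHEMA_TEXT = """
( 2.5.4.41 NAME 'name'
   EQUALITY caseIgnoreMatch
   SUBSTR caseIgnoreSubstringsMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
( 2.5.4.3 NAME 'cn'
   SUP name )
( 2.5.4.4 NAME 'sn'
   SUP name )
( 2.5.4.6 NAME 'c'
   SUP name
   SINGLE-VALUE )
( 2.5.6.6 NAME 'person'
   SUP top
   STRUCTURAL
   MUST ( sn $ cn )
   MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
( 2.5.6.2 NAME 'country'
   SUP top
   STRUCTURAL
   MUST c
   MAY ( searchGuide $ description ) )
"""
TOKEN = re.compile(r"'[^']*'|[()$]|[^\s()$']+")    # quoted names, punctuation, bare words
DEFN = re.compile(r"\((?:[^()]|\([^()]*\))*\)")     # one '( ... )' with one level of nested lists
KINDS = {"STRUCTURAL", "AUXILIARY", "ABSTRACT"}     # appear only in ObjectClassDescriptions

def split_definitions(text):
    """Each top-level definition in text, with its folded lines joined onto one line."""
    return [" ".join(m.group().split()) for m in DEFN.finditer(text)]

def _values(tokens, i):
    """One value, or a '( a $ b )' list, starting at tokens[i]; returns (list, next index)."""
    if tokens[i] != "(":
        return [tokens[i].strip("'")], i + 1
    j = tokens.index(")", i)
    return [t.strip("'") for t in tokens[i + 1:j] if t != "$"], j + 1

def parse_definition(defn):
    """Parse one AttributeTypeDescription or ObjectClassDescription into a dict."""
    tokens = TOKEN.findall(defn)
    d = {"oid": tokens[1], "name": [], "sup": [], "must": [], "may": [], "flags": set()}
    i = 2
    while i < len(tokens) - 1:                       # tokens[-1] is the closing ')'
        key = tokens[i]
        if key in ("NAME", "SUP", "MUST", "MAY"):
            d[key.lower()], i = _values(tokens, i + 1)
        elif key == "SINGLE-VALUE" or key in KINDS:
            d["flags"].add(key)
            i += 1
        else:                                        # EQUALITY, SUBSTR, ORDERING, SYNTAX
            d[key.lower()], i = tokens[i + 1], i + 2
    if "syntax" in d:                                # 'oid{len}' -> syntax OID plus upper bound
        m = re.fullmatch(r"([\d.]+)(?:\{(\d+)\})?", d["syntax"])
        d["syntax"], d["maxlen"] = m.group(1), int(m.group(2)) if m.group(2) else None
    return d

class Schema:
    def __init__(self, text):
        self.attrs, self.classes = {}, {}
        for d in map(parse_definition, split_definitions(text)):
            table = self.classes if d["flags"] & KINDS else self.attrs
            for n in d["name"]:
                table[n.lower()] = d                 # descriptors compare case-insensitively

    def resolve(self, attr):
        """Attribute type with matching rules and syntax inherited through its SUP chain."""
        d = dict(self.attrs[attr.lower()])
        if d["sup"]:
            parent = self.resolve(d["sup"][0])
            for k in ("equality", "substr", "ordering", "syntax", "maxlen"):
                d.setdefault(k, parent.get(k))
        return d

    def check_entry(self, entry, oc):
        """List the ways an entry (attribute -> list of values) violates object class oc."""
        must, may, cur = set(), set(), oc.lower()
        while cur in self.classes:                   # walk SUP; stops at 'top', not defined here
            c = self.classes[cur]
            must |= {a.lower() for a in c["must"]}
            may |= {a.lower() for a in c["may"]}
            cur = c["sup"][0].lower() if c["sup"] else None
        present = {a.lower(): v for a, v in entry.items() if a.lower() != "objectclass"}
        problems = ["missing required attribute %s" % a for a in sorted(must - present.keys())]
        for a, values in present.items():
            if a not in must and a not in may:
                problems.append("attribute %s not permitted by %s" % (a, oc))
            elif a in self.attrs:                    # only types defined above can be checked further
                d = self.resolve(a)
                if "SINGLE-VALUE" in d["flags"] and len(values) > 1:
                    problems.append("%s is SINGLE-VALUE but has %d values" % (a, len(values)))
                if d.get("maxlen") and any(len(v) > d["maxlen"] for v in values):
                    problems.append("%s exceeds the %d upper bound of its syntax" % (a, d["maxlen"]))
        return problems

SCHEMA = Schema(SCHEMA_TEXT)
ENTRY = {"objectClass": ["top", "person"], "cn": ["Jane Example"], "sn": ["Example"]}  # constructed
```

   The SUP walk for object classes stops at 'top' because this document
   does not define it, and attributes named in a MAY list but not
   defined in SCHEMA_TEXT (telephoneNumber, for instance) are accepted
   without further checks; a directory server would additionally
   validate each value against its syntax and verify that exactly one
   structural object class chain is present.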
1.4 Source

   The schema definitions in this document are based on those found in
   the X.500-series [X.520] and [X.521] and RFC 2247 [RFC2247],
   specifically:

      Sections       Source
      ============   ==================
      2.1 - 2.3      X.520 [X.520]
      2.4            RFC 2247 [RFC2247]
      2.5 - 2.42     X.520 [X.520]
      3.1 - 3.3      X.521 [X.521]
      3.4            RFC 2247 [RFC2247]
      3.5 - 3.13     X.521 [X.521]

2. Attribute Types

   The Attribute Types contained in this section hold user information.

   There is no requirement that servers implement the following
   Attribute Types:

      searchGuide
      teletexTerminalIdentifier

   In fact, their use is greatly discouraged.

   An LDAP server implementation SHOULD recognize the rest of the
   Attribute Types described in this section.

2.1 businessCategory

   This Attribute Type describes the kind of business performed by
   an organization.

      ( 2.5.4.15 NAME 'businessCategory'
         EQUALITY caseIgnoreMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

   The SYNTAX oid indicates the Directory String syntax.

2.2 c

   This is the X.520 [X.520] countryName Attribute Type, which contains
   a two-letter ISO 3166 [ISO3166] country code.

      ( 2.5.4.6 NAME 'c'
         SUP name
         SINGLE-VALUE )

2.3 cn

   This is the X.520 [X.520] commonName Attribute Type, which contains
   a name of an object.  If the object corresponds to a person, it is
   typically the person's full name.

      ( 2.5.4.3 NAME 'cn'
         SUP name )

2.4 dc

   The dc (short for domainComponent) attribute type is defined as
   follows:

      ( 0.9.2342.19200300.100.1.25 NAME 'dc'
         EQUALITY caseIgnoreIA5Match
         SUBSTR caseIgnoreIA5SubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
         SINGLE-VALUE )

   The value of this attribute is a string holding one component of a
   DNS domain name.  The encoding of IA5String for use in LDAP is simply
   the characters of the string itself.
   The equality matching rule is case insensitive, as is today's DNS.

2.5 description

   This Attribute Type contains a human-readable description of
   the object.

      ( 2.5.4.13 NAME 'description'
         EQUALITY caseIgnoreMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

   The SYNTAX oid indicates the Directory String syntax.

2.6 destinationIndicator

   This attribute is used for the telegram service.

      ( 2.5.4.27 NAME 'destinationIndicator'
         EQUALITY caseIgnoreMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )

   The SYNTAX oid indicates the Printable String syntax.

2.7 distinguishedName

   This Attribute Type is not used as the name of the object itself,
   but it is instead a base type from which attributes with DN syntax
   inherit.

   It is unlikely that values of this type itself will occur in an
   entry.  LDAP server implementations which do not support attribute
   subtyping need not recognize this attribute in requests.  Client
   implementations MUST NOT assume that LDAP servers are capable of
   performing attribute subtyping.

      ( 2.5.4.49 NAME 'distinguishedName'
         EQUALITY distinguishedNameMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

   The SYNTAX oid indicates the DN syntax.

2.8 dnQualifier

   The dnQualifier Attribute Type specifies disambiguating information
   to add to the relative distinguished name of an entry.  It is
   intended for use when merging data from multiple sources in order to
   prevent conflicts between entries which would otherwise have the same
   name.  It is recommended that the value of the dnQualifier attribute
   be the same for all entries from a particular source.
      ( 2.5.4.46 NAME 'dnQualifier'
         EQUALITY caseIgnoreMatch
         ORDERING caseIgnoreOrderingMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )

   The SYNTAX oid indicates the Printable String syntax.

2.9 enhancedSearchGuide

   This attribute is for use by X.500 clients in constructing search
   filters.

      ( 2.5.4.47 NAME 'enhancedSearchGuide'
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )

   The SYNTAX oid indicates the Enhanced Guide syntax.

2.10 facsimileTelephoneNumber

   A value of this Attribute Type is a telephone number for a facsimile
   terminal (and, optionally, its parameters).

      ( 2.5.4.23 NAME 'facsimileTelephoneNumber'
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )

   The SYNTAX oid indicates the Facsimile Telephone Number syntax.

2.11 generationQualifier

   The generationQualifier Attribute Type contains the part of a
   person's name which typically is the suffix, as in "IIIrd".

      ( 2.5.4.44 NAME 'generationQualifier'
         SUP name )

2.12 givenName

   The givenName Attribute Type is used to hold the part of a person's
   name which is not their surname nor middle name.

      ( 2.5.4.42 NAME 'givenName'
         SUP name )

2.13 houseIdentifier

   This Attribute Type is used to identify a building within a location.

      ( 2.5.4.51 NAME 'houseIdentifier'
         EQUALITY caseIgnoreMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

   The SYNTAX oid indicates the Directory String syntax.

2.14 initials

   The initials Attribute Type contains the initials of some or all of
   an individual's names, except the surname(s).

      ( 2.5.4.43 NAME 'initials'
         SUP name )

2.15 internationalISDNNumber

   A value of this Attribute Type is an ISDN address, as defined in
   ITU Recommendation E.164 [E.164].
      ( 2.5.4.25 NAME 'internationalISDNNumber'
         EQUALITY numericStringMatch
         SUBSTR numericStringSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} )

   The SYNTAX oid indicates the Numeric String syntax.

2.16 l

   This is the X.520 [X.520] localityName Attribute Type, which
   contains the name of a locality or place, such as a city, county or
   other geographic region.

      ( 2.5.4.7 NAME 'l'
         SUP name )

2.17 member

   A value of this Attribute Type is the Distinguished Name of an
   object that is on a list or in a group.

      ( 2.5.4.31 NAME 'member'
         SUP distinguishedName )

2.18 name

   The name Attribute Type is the attribute supertype from which string
   Attribute Types typically used for naming may be formed.  It is
   unlikely that values of this type itself will occur in an entry.
   LDAP server implementations which do not support attribute subtyping
   need not recognize this attribute in requests.  Client
   implementations MUST NOT assume that LDAP servers are capable of
   performing attribute subtyping.

      ( 2.5.4.41 NAME 'name'
         EQUALITY caseIgnoreMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

   The SYNTAX oid indicates the Directory String syntax.

2.19 o

   This is the X.520 [X.520] organizationName Attribute Type, which
   contains the name of an organization.

      ( 2.5.4.10 NAME 'o'
         SUP name )

2.20 ou

   This is the X.520 [X.520] organizationalUnitName Attribute Type,
   which contains the name of an organizational unit.

      ( 2.5.4.11 NAME 'ou'
         SUP name )

2.21 owner

   A value of this Attribute Type is the Distinguished Name of an
   object that has an ownership responsibility for the object that
   is owned.

      ( 2.5.4.32 NAME 'owner'
         SUP distinguishedName )

2.22 physicalDeliveryOfficeName

   This attribute contains the name that a Postal Service uses to
   identify a post office.
      ( 2.5.4.19 NAME 'physicalDeliveryOfficeName'
         EQUALITY caseIgnoreMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

   The SYNTAX oid indicates the Directory String syntax.

2.23 postalAddress

   This attribute contains an address used by a Postal Service to
   perform services for the object.

      ( 2.5.4.16 NAME 'postalAddress'
         EQUALITY caseIgnoreListMatch
         SUBSTR caseIgnoreListSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

   The SYNTAX oid indicates the Postal Address syntax.

2.24 postalCode

   This attribute contains a code used by a Postal Service to identify
   a postal service zone, such as the southern quadrant of a city.

      ( 2.5.4.17 NAME 'postalCode'
         EQUALITY caseIgnoreMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )

   The SYNTAX oid indicates the Directory String syntax.

2.25 postOfficeBox

   This attribute contains the number that a Postal Service uses when a
   customer arranges to receive mail at a box on premises of the Postal
   Service.

      ( 2.5.4.18 NAME 'postOfficeBox'
         EQUALITY caseIgnoreMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )

   The SYNTAX oid indicates the Directory String syntax.

2.26 preferredDeliveryMethod

   This attribute contains an indication of the preferred method of
   getting a message to the object.

      ( 2.5.4.28 NAME 'preferredDeliveryMethod'
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
         SINGLE-VALUE )

   The SYNTAX oid indicates the Delivery Method syntax.

2.27 registeredAddress

   This attribute holds a postal address suitable for reception of
   telegrams or expedited documents, where it is necessary to have the
   recipient accept delivery.

      ( 2.5.4.26 NAME 'registeredAddress'
         SUP postalAddress
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

   The SYNTAX oid indicates the Postal Address syntax.
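   Sections 2.7 and 2.18 above state that client implementations MUST
   NOT assume a server performs attribute subtyping.  The following
   Python code is an added example, not part of this document: it
   carries the SUP relations from Section 2 as a table and uses them to
   widen a search on a supertype ('name' or 'distinguishedName') into
   one on its concrete subtypes, so the search returns the same entries
   whether or not the server subtypes.  The assertion value is escaped
   as RFC 4515 requires (a rule outside this document) so that
   caller-supplied text cannot change the structure of the filter.  The
   function names are constructed for the example.

```python
# Subtype -> supertype, copied from the SUP clauses in Section 2 of this document.
# 'name' and 'distinguishedName' have no SUP: they are the roots of the two hierarchies.
SUPERTYPE = {
    "c": "name", "cn": "name", "generationQualifier": "name", "givenName": "name",
    "initials": "name", "l": "name", "o": "name", "ou": "name", "sn": "name",
    "st": "name", "title": "name",
    "member": "distinguishedName", "owner": "distinguishedName",
    "roleOccupant": "distinguishedName", "seeAlso": "distinguishedName",
}

def subtypes(attr):
    """All attribute types below attr in the SUP hierarchy (transitively), in table order."""
    children = {}
    for sub, sup in SUPERTYPE.items():
        children.setdefault(sup.lower(), []).append(sub)
    out, queue = [], [attr]
    while queue:
        cur = queue.pop(0)
        for sub in children.get(cur.lower(), []):
            if sub not in out:
                out.append(sub)
                queue.append(sub)
    return out

def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 so caller-supplied text cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)

def equality_filter(attr, value):
    """(attr=value), widened to an OR over attr and its subtypes when attr is a supertype.

    A server that subtypes would match (name=v) against cn, sn, ... by itself; one that
    does not only matches explicit 'name' values, so the client spells the subtypes out
    and gets the same result either way."""
    v = escape_filter_value(value)
    subs = subtypes(attr)
    if not subs:
        return "(%s=%s)" % (attr, v)
    return "(|" + "".join("(%s=%s)" % (a, v) for a in [attr] + subs) + ")"

def requested_attributes(attrs):
    """Expand a search's requested-attribute list the same way, preserving order."""
    out = []
    for a in attrs:
        for x in [a] + subtypes(a):
            if x not in out:
                out.append(x)
    return out
```

   The supertype itself is kept in the OR and in the attribute list
   because, although values of 'name' or 'distinguishedName' are
   unlikely in an entry, they are permitted, and a client that left them
   out would miss them on a server that does not subtype.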
2.28 roleOccupant

   A value of this Attribute Type is the Distinguished Name of an
   object (normally a person) that fulfills the responsibilities of a
   role object.

      ( 2.5.4.33 NAME 'roleOccupant'
         SUP distinguishedName )

2.29 searchGuide

   This Attribute Type is for use by clients in constructing search
   filters.  It is superseded by enhancedSearchGuide, described above
   in section 2.9.

      ( 2.5.4.14 NAME 'searchGuide'
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )

   The SYNTAX oid indicates the Guide syntax.

2.30 seeAlso

   A value of this Attribute Type is the Distinguished Name of an
   object that is related to the subject object.

      ( 2.5.4.34 NAME 'seeAlso'
         SUP distinguishedName )

2.31 serialNumber

   This attribute contains the serial number of a device.

      ( 2.5.4.5 NAME 'serialNumber'
         EQUALITY caseIgnoreMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )

   The SYNTAX oid indicates the Printable String syntax.

2.32 sn

   This is the X.520 [X.520] surname Attribute Type, which contains the
   family name of a person.

      ( 2.5.4.4 NAME 'sn'
         SUP name )

2.33 st

   This is the X.520 [X.520] stateOrProvinceName attribute, which
   contains the full name of a state or province.

      ( 2.5.4.8 NAME 'st'
         SUP name )

2.34 street

   This is the X.520 [X.520] streetAddress attribute, which contains the
   physical address of the object to which the entry corresponds, such
   as an address for package delivery.

      ( 2.5.4.9 NAME 'street'
         EQUALITY caseIgnoreMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

   The SYNTAX oid indicates the Directory String syntax.

2.35 telephoneNumber

   A value of this Attribute Type is a telephone number complying with
   ITU Recommendation E.123 [E.123].
      ( 2.5.4.20 NAME 'telephoneNumber'
         EQUALITY telephoneNumberMatch
         SUBSTR telephoneNumberSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )

   The SYNTAX oid indicates the Telephone Number syntax.

2.36 teletexTerminalIdentifier

   The withdrawal of Rec. F.200 has resulted in the withdrawal of this
   attribute.

      ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )

   The SYNTAX oid indicates the Teletex Terminal Identifier syntax.

2.37 telexNumber

   A value of this Attribute Type is a telex number, country code, and
   answerback code of a telex terminal.

      ( 2.5.4.21 NAME 'telexNumber'
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )

   The SYNTAX oid indicates the Telex Number syntax.

2.38 title

   This attribute contains the title, such as "Vice President", of a
   person in their organizational context.  The "personalTitle"
   attribute would be used for a person's title independent of their
   job function.

      ( 2.5.4.12 NAME 'title'
         SUP name )

2.39 uniqueMember

   A value of this Attribute Type is the Distinguished Name of an
   object that is on a list or in a group, where the Relative
   Distinguished Name of the object includes a value that distinguishes
   between objects when a distinguished name has been reused.

      ( 2.5.4.50 NAME 'uniqueMember'
         EQUALITY uniqueMemberMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )

   The SYNTAX oid indicates the Name and Optional UID syntax.

2.40 userPassword

   A value of this Attribute Type is a character string that is known
   only to the user and the system to which the user has access.

      ( 2.5.4.35 NAME 'userPassword'
         EQUALITY octetStringMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

   The SYNTAX oid indicates the Octet String syntax.

   Passwords are stored using an Octet String syntax and are not
   encrypted.
   Transfer of cleartext passwords is strongly discouraged
   where the underlying transport service cannot guarantee
   confidentiality and may result in disclosure of the password to
   unauthorized parties.

2.41 x121Address

   A value of this Attribute Type is a data network address as defined
   by ITU Recommendation X.121 [X.121].

      ( 2.5.4.24 NAME 'x121Address'
         EQUALITY numericStringMatch
         SUBSTR numericStringSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} )

   The SYNTAX oid indicates the Numeric String syntax.

2.42 x500UniqueIdentifier

   The x500UniqueIdentifier Attribute Type is used to distinguish
   between objects when a distinguished name has been reused.  In X.520
   [X.520], this Attribute Type is called uniqueIdentifier.  This is a
   different Attribute Type from both the "uid" and "uniqueIdentifier"
   Attribute Types.

      ( 2.5.4.45 NAME 'x500UniqueIdentifier'
         EQUALITY bitStringMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )

   The SYNTAX oid indicates the Bit String syntax.

3. Object Classes

   LDAP servers SHOULD recognize all the Object Classes listed here as
   values of the objectClass attribute.

3.1 applicationProcess

   The applicationProcess Object Class definition is the basis of an
   entry which represents an application executing in a computer system.

      ( 2.5.6.11 NAME 'applicationProcess'
         SUP top
         STRUCTURAL
         MUST cn
         MAY ( seeAlso $
               ou $
               l $
               description ) )

3.2 country

   The country Object Class definition is the basis of an entry which
   represents a country.

      ( 2.5.6.2 NAME 'country'
         SUP top
         STRUCTURAL
         MUST c
         MAY ( searchGuide $
               description ) )

3.3 device

   The device Object Class is the basis of an entry which represents
   an appliance or computer or network element.
      ( 2.5.6.14 NAME 'device'
         SUP top
         STRUCTURAL
         MUST cn
         MAY ( serialNumber $
               seeAlso $
               owner $
               ou $
               o $
               l $
               description ) )

3.4 domain

   The domain Object Class is the basis of an entry which represents a
   portion of a network, as organized by DNS.

      ( 0.9.2342.19200300.100.4.13 NAME 'domain'
         SUP top
         STRUCTURAL
         MUST dc
         MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
               x121Address $ registeredAddress $ destinationIndicator $
               preferredDeliveryMethod $ telexNumber $
               teletexTerminalIdentifier $ telephoneNumber $
               internationalISDNNumber $ facsimileTelephoneNumber $ street $
               postOfficeBox $ postalCode $ postalAddress $
               physicalDeliveryOfficeName $ st $ l $ description $ o $
               associatedName ) )

   An example entry would be:

      dn: dc=tcp,dc=critical-angle,dc=com
      objectClass: top
      objectClass: domain
      dc: tcp
      description: a placeholder entry used with SRV records

3.5 groupOfNames

   The groupOfNames Object Class is the basis of an entry which
   represents a set of named objects including information related to
   the purpose or maintenance of the set.

      ( 2.5.6.9 NAME 'groupOfNames'
         SUP top
         STRUCTURAL
         MUST ( member $
                cn )
         MAY ( businessCategory $
               seeAlso $
               owner $
               ou $
               o $
               description ) )

3.6 groupOfUniqueNames

   The groupOfUniqueNames Object Class is the same as the groupOfNames
   object class except that the object names are not repeated or
   reassigned within a set scope.

      ( 2.5.6.17 NAME 'groupOfUniqueNames'
         SUP top
         STRUCTURAL
         MUST ( uniqueMember $
                cn )
         MAY ( businessCategory $
               seeAlso $
               owner $
               ou $
               o $
               description ) )

3.7 locality

   The locality Object Class is the basis of an entry which
   represents a place in the physical world.
      ( 2.5.6.3 NAME 'locality'
         SUP top
         STRUCTURAL
         MAY ( street $
               seeAlso $
               searchGuide $
               st $
               l $
               description ) )

3.8 organization

   The organization Object Class is the basis of an entry which
   represents a structured group of people.

      ( 2.5.6.4 NAME 'organization'
         SUP top
         STRUCTURAL
         MUST o
         MAY ( userPassword $ searchGuide $ seeAlso $
               businessCategory $ x121Address $ registeredAddress $
               destinationIndicator $ preferredDeliveryMethod $
               telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
               internationalISDNNumber $ facsimileTelephoneNumber $
               street $ postOfficeBox $ postalCode $
               postalAddress $ physicalDeliveryOfficeName $ st $
               l $ description ) )

3.9 organizationalPerson

   The organizationalPerson Object Class is the basis of an entry which
   represents a person in relation to an organization.

      ( 2.5.6.7 NAME 'organizationalPerson'
         SUP person
         STRUCTURAL
         MAY ( title $ x121Address $ registeredAddress $
               destinationIndicator $ preferredDeliveryMethod $
               telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
               internationalISDNNumber $ facsimileTelephoneNumber $
               street $ postOfficeBox $ postalCode $ postalAddress $
               physicalDeliveryOfficeName $ ou $ st $ l ) )

3.10 organizationalRole

   The organizationalRole Object Class is the basis of an entry which
   represents a job or function or position in an organization.
      ( 2.5.6.8 NAME 'organizationalRole'
         SUP top
         STRUCTURAL
         MUST cn
         MAY ( x121Address $ registeredAddress $ destinationIndicator $
               preferredDeliveryMethod $ telexNumber $
               teletexTerminalIdentifier $ telephoneNumber $
               internationalISDNNumber $ facsimileTelephoneNumber $
               seeAlso $ roleOccupant $
               street $ postOfficeBox $ postalCode $ postalAddress $
               physicalDeliveryOfficeName $ ou $ st $ l $ description ) )

3.11 organizationalUnit

   The organizationalUnit Object Class is the basis of an entry which
   represents a piece of an organization.

      ( 2.5.6.5 NAME 'organizationalUnit'
         SUP top
         STRUCTURAL
         MUST ou
         MAY ( businessCategory $ description $ destinationIndicator $
               facsimileTelephoneNumber $ internationalISDNNumber $ l $
               physicalDeliveryOfficeName $ postalAddress $ postalCode $
               postOfficeBox $ preferredDeliveryMethod $
               registeredAddress $ searchGuide $ seeAlso $ st $ street $
               telephoneNumber $ teletexTerminalIdentifier $ telexNumber $
               userPassword $ x121Address ) )

3.12 person

   The person Object Class is the basis of an entry which represents a
   human being.

      ( 2.5.6.6 NAME 'person'
         SUP top
         STRUCTURAL
         MUST ( sn $
                cn )
         MAY ( userPassword $
               telephoneNumber $
               seeAlso $
               description ) )

3.13 residentialPerson

   The residentialPerson Object Class is the basis of an entry which
   includes a person's residence in the representation of the person.

      ( 2.5.6.10 NAME 'residentialPerson'
         SUP person
         STRUCTURAL
         MUST l
         MAY ( businessCategory $ x121Address $ registeredAddress $
               destinationIndicator $ preferredDeliveryMethod $
               telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
               internationalISDNNumber $ facsimileTelephoneNumber $
               street $ postOfficeBox $
               postalCode $ postalAddress $ physicalDeliveryOfficeName $
               st $ l ) )

4. IANA Considerations

   It is requested that the Internet Assigned Numbers Authority (IANA)
   update the LDAP descriptors registry as indicated in the following
   template:

      Subject: Request for LDAP Descriptor Registration Update
      Descriptor (short name): see comment
      Object Identifier: see comment
      Person & email address to contact for further information:
         Kathy Dally
      Usage: (A = Attribute Type, O = Object Class) see comment
      Specification: RFC XXXX
      Author/Change Controller: IESG
      Comments:

      The following descriptors (short names) should be updated to
      refer to RFC XXXX.

      NAME                        Type   OID
      ------------------------    ----   ----------------------------
      applicationProcess          O      2.5.6.11
      businessCategory            A      2.5.4.15
      c                           A      2.5.4.6
      cn                          A      2.5.4.3
      country                     O      2.5.6.2
      dc                          A      0.9.2342.19200300.100.1.25
      description                 A      2.5.4.13
      destinationIndicator        A      2.5.4.27
      device                      O      2.5.6.14
      distinguishedName           A      2.5.4.49
      dnQualifier                 A      2.5.4.46
      domain                      O      0.9.2342.19200300.100.4.13
      enhancedSearchGuide         A      2.5.4.47
      facsimileTelephoneNumber    A      2.5.4.23
      generationQualifier         A      2.5.4.44
      givenName                   A      2.5.4.42
      groupOfNames                O      2.5.6.9
      groupOfUniqueNames          O      2.5.6.17
      houseIdentifier             A      2.5.4.51
      initials                    A      2.5.4.43
      internationalISDNNumber     A      2.5.4.25
      l                           A      2.5.4.7
      locality                    O      2.5.6.3
      member                      A      2.5.4.31
      name                        A      2.5.4.41
      o                           A      2.5.4.10
      organization                O      2.5.6.4
      organizationalPerson        O      2.5.6.7
      organizationalRole          O      2.5.6.8
      organizationalUnit          O      2.5.6.5
      ou                          A      2.5.4.11
      owner                       A      2.5.4.32
      person                      O      2.5.6.6
      physicalDeliveryOfficeName  A      2.5.4.19
      postalAddress               A      2.5.4.16
      postalCode                  A      2.5.4.17
      postOfficeBox               A      2.5.4.18
      preferredDeliveryMethod     A      2.5.4.28
      registeredAddress           A      2.5.4.26
      residentialPerson           O      2.5.6.10
      roleOccupant                A      2.5.4.33
      searchGuide                 A      2.5.4.14
      seeAlso                     A      2.5.4.34
      serialNumber                A      2.5.4.5
      sn                          A      2.5.4.4
      st                          A      2.5.4.8
      street                      A      2.5.4.9
      telephoneNumber             A      2.5.4.20
      teletexTerminalIdentifier   A      2.5.4.22
      telexNumber                 A      2.5.4.21
      title                       A      2.5.4.12
      uniqueMember                A      2.5.4.50
      userPassword                A      2.5.4.35
      x121Address                 A      2.5.4.24
      x500UniqueIdentifier        A      2.5.4.45

5. Security Considerations

   Attributes of directory entries are used to provide descriptive
   information about the real-world objects they represent, which can be
   people, organizations or devices.  Most countries have privacy laws
   regarding the publication of information about people.

   Transfer of cleartext passwords is strongly discouraged where the
   underlying transport service cannot guarantee confidentiality and may
   result in disclosure of the password to unauthorized parties.

   It is required that strong authentication be performed in order to
   modify directory entries using LDAP.

6. Acknowledgements

   The definitions, on which this document is based, have been developed
   by committees for telecommunications and international standards.
   No new attribute definitions have been added.

   This document is an update of RFC 2256 by Mark Wahl.  RFC 2256 was a
   product of the IETF ASID Working Group.

   This document is based upon input of the IETF LDAPBIS working group.
   The author wishes to thank S. Legg and K. Zeilenga for their
   significant contribution to this update.

7. References

7.1 Normative

   [E.123]     Notation for national and international telephone numbers,
               ITU-T Recommendation E.123, 1988

   [E.164]     The international public telecommunication numbering plan,
               ITU-T Recommendation E.164, 1997

   [ISO3166]   ISO 3166, "Codes for the representation of names of
               countries".

   [LDAP-PKI]  Chadwick, D. W., Legg, S., "LDAP Schema and Syntaxes for
               PKIs", draft-ietf-pkix-ldap-pki-schema-xx (a work in
               progress)

   [Models]    Zeilenga, K., "LDAP: The Models",
               draft-ietf-ldapbis-models-xx (a work in progress)

   [RFC2119]   Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", RFC 2119, March 1997

   [RFC3377]   Hodges, J., Morgan, R., "Lightweight Directory Access
               Protocol (v3): Technical Specification", RFC 3377,
               September 2002

   [ROADMAP]   Zeilenga, K., "LDAP: Technical Specification Road Map",
               draft-ietf-ldapbis-roadmap-xx (a work in progress)

   [Syntaxes]  Legg, S. (editor), "LDAP: Syntaxes",
               draft-ietf-ldapbis-syntaxes-xx (a work in progress)

   [X.121]     International numbering plan for public data networks,
               ITU-T Recommendation X.121, 1996

   [X.509]     The Directory: Authentication Framework, ITU-T
               Recommendation X.509, 1993

   [X.520]     The Directory: Selected Attribute Types, ITU-T
               Recommendation X.520, 1993

   [X.521]     The Directory: Selected Object Classes, ITU-T
               Recommendation X.521, 1993

7.2 Informative

   [RFC2247]   Kille, S., Wahl, M., Grimstad, A., Huber, R., and
               Sataluri, S., "Using Domains in LDAP/X.500 Distinguished
               Names", RFC 2247, January 1998

8. Author's Address

   Kathy Dally
   The MITRE Corp.
   1575 Colshire Dr., H300
   McLean VA 22102
   USA

   Phone: +1 703 883 6058
   Email: kdally@mitre.org

9. Full Copyright Statement

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.
However, this 1083 document itself may not be modified in any way, such as by removing 1084 the copyright notice or references to the Internet Society or other 1085 Internet organizations, except as needed for the purpose of 1086 developing Internet standards in which case the procedures for 1087 copyrights defined in the Internet Standards process must be 1088 followed, or as required to translate it into languages other than 1089 English. 1091 The limited permissions granted above are perpetual and will not be 1092 revoked by the Internet Society or its successors or assigns. 1094 This document and the information contained herein is provided on an 1095 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 1096 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 1097 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 1098 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 1099 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 1101 Appendix A Changes RFC 2256 1103 This appendix lists the changes that have been made from RFC 2256 to 1104 this I-D. 1106 1. Revised the Status of this Memo. 1108 2. Removed the IESG Note. 1110 3. Dependencies on RFC 1274 have been eliminated. 1112 4. Added a Security Considerations section, requiring strong 1113 authentication in order to modify directory entries. 1115 5. Deleted the conformance requirement for subschema object 1116 classes in favor of a statement in [Syntaxes]. 1118 6. Added a Table of Contents. 1120 7. Added explanations to many attributes. 1122 8. Removed Section 4, Syntaxes, and Section 6, Matching Rules, 1123 (moved to [Syntaxes]). 1125 9. Reordered Section 3, Attributes, and Section 4, Object 1126 Classes, alphabetically. 1128 10. Added an explanation for each object class. 1130 11. 
Removed the certificate-related Attribute Types: 1131 authorityRevocationList, 1132 cACertificate, 1133 certificateRevocationList, 1134 crossCertificatePair, 1135 deltaRevocationList, 1136 supportedAlgorithms, and 1137 userCertificate. 1139 Removed the certificate-related Object Classes: 1140 certificationAuthority, 1141 certificationAuthority-V2, 1142 cRLDistributionPoint, 1143 strongAuthenticationUser, and 1144 userSecurityInformation 1146 Noted that they are covered in PKIX WG documents. 1148 12. Removed the dmdName Attribute Type and dmd Object Class 1149 because they are not in the version of X.500 which 1150 is referenced. 1152 ......13. Deleted the 'aliasedObjectName' and 'objectClass' attribute 1153 type definitions. They are included in [Models]. 1155 14. Deleted the 'alias' and 'top' object class definitions. They 1156 are included in [Models]. 1158 15. Replaced the document title. 1160 16. Added the 'dc' attribute and the 'domain' object class from 1161 RFC 2247. 1163 17. Deleted the 'knowledgeInformation', 'presentationAddress', 1164 'protocolInformation', and 'supportedApplicationContext' 1165 attributes. 1167 18. Deleted the 'applicationEntity' and 'dSA' object classes. 1169 19. Added an IANA Considerations section.
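The two requirements stated in the Security Considerations section (no cleartext password transfer over a transport that cannot guarantee confidentiality, and strong authentication before a directory entry is modified) as an added server-side policy check in Python; this is example code, not part of this draft or any LDAP implementation. The Session fields, the list of mechanisms treated as strong authentication, and the partial descriptor map (a subset of the IANA table above, chosen so that 'userPassword' can also be matched when a client sends its OID 2.5.4.35) are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed subset of the descriptor -> OID table registered in this draft.
DESCRIPTOR_OID = {"cn": "2.5.4.3", "sn": "2.5.4.4", "userPassword": "2.5.4.35"}
USER_PASSWORD_OID = DESCRIPTOR_OID["userPassword"]
# LDAP descriptors are case-insensitive, so index them lowercased.
_BY_LOWER = {k.lower(): v for k, v in DESCRIPTOR_OID.items()}

# Mechanisms this example treats as "strong authentication" (assumption of
# the example; the draft does not enumerate them).
STRONG_MECHS = {"EXTERNAL", "GSSAPI", "SCRAM-SHA-256"}


@dataclass
class Session:
    tls: bool                         # ldaps or StartTLS established
    sasl_mech: Optional[str] = None   # None means simple bind (cleartext password)
    sasl_confidential: bool = False   # SASL security layer gives confidentiality

    def confidential(self) -> bool:
        return self.tls or self.sasl_confidential

    def strongly_authenticated(self) -> bool:
        return self.sasl_mech in STRONG_MECHS


def attribute_oid(attr_desc: str) -> str:
    """Reduce an attribute description (descriptor or numeric OID, optional
    ';options') to its OID, so 'userPassword', 'USERPASSWORD;binary' and
    '2.5.4.35' all resolve to the same attribute type."""
    base = attr_desc.split(";", 1)[0].strip()
    return _BY_LOWER.get(base.lower(), base)


def check_bind(session: Session) -> Optional[str]:
    """Refuse a simple bind whose password would cross a non-confidential link."""
    if session.sasl_mech is None and not session.confidential():
        return "simple bind refused: transport is not confidential"
    return None


def check_modify(session: Session, attrs: Iterable[str]) -> List[str]:
    """Return policy violations for a Modify touching the given attributes."""
    problems = []
    if not session.strongly_authenticated():
        problems.append("modify refused: strong authentication required")
    if USER_PASSWORD_OID in {attribute_oid(a) for a in attrs} and not session.confidential():
        problems.append("userPassword refused: transport is not confidential")
    return problems
```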