idnits 2.17.1 

draft-ietf-ldapbis-user-schema-07.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** The document is more than 15 pages and seems to lack a Table of Contents.

  == The page length should not exceed 58 lines per page, but there was 11
     longer pages, the longest (page 6) being 62 lines

  == It seems as if not all pages are separated by form feeds - found 0 form
     feeds but 26 pages


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The abstract seems to contain references ([ROADMAP]), which it
     shouldn't.  Please replace those with straight textual mentions of the
     documents in question.

  == There are 106 instances of lines with non-RFC6890-compliant IPv4
     addresses in the document.  If these are example addresses, they should
     be changed.

  == The 'Obsoletes: ' line in the draft header should list only the
     _numbers_ of the RFCs which will be obsoleted by this document (if
     approved); it should not include the word 'RFC' in the list.

  == The 'Updates: ' line in the draft header should list only the _numbers_
     of the RFCs which will be updated by this document (if approved); it
     should not include the word 'RFC' in the list.

  -- The draft header indicates that this document updates RFC2247, but the
     abstract doesn't seem to mention this, which it should.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

     (Using the creation date from RFC2247, updated by this document, for
     RFC5378 checks: 1996-08-01)

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (May 2004) is 7285 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'LDAP-PKI' is mentioned on line 172, but not defined

  == Missing Reference: 'RFC2798' is mentioned on line 194, but not defined

  -- Looks like a reference, but probably isn't: '2798' on line 203

  == Missing Reference: 'AuthMeth' is mentioned on line 1125, but not defined

  == Unused Reference: 'AUTHMETH' is defined on line 1196, but no explicit
     reference was found in the text

  == Unused Reference: 'LDAP-CERT' is defined on line 1206, but no explicit
     reference was found in the text

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ISO3166'

  -- No information found for draft-ietf-ldapbis-models-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Models' 

  ** Obsolete normative reference: RFC 3490 (Obsoleted by RFC 5890, RFC 5891)

  -- No information found for draft-ietf-ldapbis-roadmap-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'ROADMAP' 

  -- No information found for draft-ietf-ldapbis-syntaxes-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Syntaxes' 

  -- No information found for draft-ietf-ldapbis-authmeth-xx - is the name
     correct?

  -- No information found for draft-klasen-ldap-x509certificate-schema-xx -
     is the name correct?

  -- No information found for draft-ietf-pkix-ldap-crl-schema-xx - is the
     name correct?

  -- Obsolete informational reference (is this intentional?): RFC 3377
     (Obsoleted by RFC 4510)

  -- No information found for draft-ietf-sasl-saslprep-xx - is the name
     correct?


     Summary: 4 errors (**), 0 flaws (~~), 11 warnings (==), 16 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

1	INTERNET-DRAFT                                          K. Dally, Editor
2	Intended Category:  Standard Track                       The MITRE Corp.
3	Expires:  November 2004                                         May 2004
4	Updates:  RFC 2247, RFC 2798
5	Obsoletes:  RFC 2256

7	                   LDAP:  Schema for User Applications
8	                  <draft-ietf-ldapbis-user-schema-07>

10	Status of this Memo

12	   This document is an Internet-Draft and is in full conformance with
13	   all provisions of Section 10 of RFC 2026.

15	   This document is intended to be, after appropriate review and
16	   revision, submitted to the RFC Editor as a Standard Track document.
17	   Distribution of this memo is unlimited.  Technical discussion of
18	   this document will take place on the IETF LDAP Revision Working
19	   Group (LDAPbis) mailing list <ietf-ldapbis@openldap.org>.  Please
20	   send editorial comments directly to the author <kdally@mitre.org>.

22	   Internet-Drafts are working documents of the Internet Engineering
23	   Task Force (IETF), its areas, and its working groups.  Note that
24	   other groups may also distribute working documents as
25	   Internet-Drafts.  Internet-Drafts are draft documents valid for a
26	   maximum of six months and may be updated, replaced, or obsoleted by
27	   other documents at any time.  It is inappropriate to use
28	   Internet-Drafts as reference material or to cite them other than as
29	   "work in progress."

31	   The list of current Internet-Drafts can be accessed at
32	   http://www.ietf.org/ietf/1id-abstracts.txt.

34	   The list of Internet-Draft Shadow Directories can be accessed at
35	   http://www.ietf.org/shadow.html.

37	Copyright Notice

39	   Copyright 2003, The Internet Society.  All Rights Reserved.

41	Abstract

43	   This document is a integral part of the Lightweight Directory Access
44	   Protocol (LDAP) technical specification [ROADMAP].  It provides a
45	   technical specification of attribute types and object classes
46	   intended for use by LDAP directory clients for many directory
47	   services, such as, White Pages.  These objects are widely used as a
48	   basis for the schema in many LDAP directories.  This document does
49	   not cover attributes used for the administration of directory
50	   servers, nor does it include directory objects defined for specific
51	   uses in other documents.

53	                            Table of Contents

55	Status of this Memo                                                    1

57	Copyright Notice                                                       1

59	Abstract                                                               1

61	Table of Contents                                                      2

63	1.  Introduction                                                       4
64	    1.1  Situation                                                     4
65	    1.2  Conventions                                                   4
66	    1.3  General Issues                                                4
67	    1.4  Source                                                        5

69	2.  Attribute Types                                                    5
70	    2.1  businessCategory                                              5
71	    2.2  c                                                             5
72	    2.3  cn                                                            6
73	    2.4  dc                                                            6
74	    2.5  description                                                   6
75	    2.6  destinationIndicator                                          7
76	    2.7  distinguishedName                                             7
77	    2.8  dnQualifier                                                   7
78	    2.9  enhancedSearchGuide                                           8
79	    2.10 facsimileTelephoneNumber                                      8
80	    2.11 generationQualifier                                           8
81	    2.12 givenName                                                     8
82	    2.13 houseIdentifier                                               9
83	    2.14 initials                                                      9
84	    2.15 internationalISDNNumber                                       9
85	    2.16 l                                                             9
86	    2.17 member                                                       10
87	    2.18 name                                                         10
88	    2.19 o                                                            10
89	    2.20 ou                                                           10
90	    2.21 owner                                                        11
91	    2.22 physicalDeliveryOfficeName                                   11
92	    2.23 postalAddress                                                11
93	    2.24 postalCode                                                   11
94	    2.25 postOfficeBox                                                12
95	    2.26 preferredDeliveryMethod                                      12
96	    2.27 registeredAddress                                            12
97	    2.28 roleOccupant                                                 12
98	    2.29 searchGuide                                                  13
99	    2.30 seeAlso                                                      13
100	    2.31 serialNumber                                                 13
101	    2.32 sn                                                           13
102	    2.33 st                                                           14
103	    2.34 street                                                       14
104	    2.35 telephoneNumber                                              14
105	    2.36 teletexTerminalIdentifier                                    14
106	    2.37 telexNumber                                                  15
107	    2.38 title                                                        15
108	    2.39 uid                                                          15
109	    2.40 uniqueMember                                                 15
110	    2.41 userPassword                                                 16
111	    2.42 x121Address                                                  16
112	    2.43 x500UniqueIdentifier                                         16

114	3.  Object Classes                                                    17
115	    3.1  applicationProcess                                           17
116	    3.2  country                                                      17
117	    3.3  device                                                       17
118	    3.4  groupOfNames                                                 18
119	    3.5  groupOfUniqueNames                                           18
120	    3.6  locality                                                     18
121	    3.7  organization                                                 19
122	    3.8  organizationalPerson                                         19
123	    3.9 organizationalRole                                            19
124	    3.10 organizationalUnit                                           20
125	    3.11 person                                                       20
126	    3.12 residentialPerson                                            20

128	4.  IANA Considerations                                               21

130	5.  Security Considerations                                           22

132	6.  Acknowledgements                                                  23

134	7.  References                                                        23
135	    7.1  Normative                                                    23
136	    7.2  Informative                                                  24

138	8.  Author's Address                                                  25

140	9.  Full Copyright Statement                                          25
141	1.  Introduction

143	   This document provides an overview of attribute types and object
144	   classes intended for use by Lightweight Directory Access Protocol
145	   directory clients for many directory services, such as, White Pages.
146	   Originally specified in the X.500 [X.500] documents, these objects
147	   are widely used as a basis for the schema in many LDAP
148	   directories.  This document does not cover attributes used for the
149	   administration of directory servers, nor does it include directory
150	   objects defined for specific uses in other documents.

152	1.1  Situation

154	   This document is a integral part of the LDAP technical specification
155	   [ROADMAP] which obsoletes the previously defined LDAP technical
156	   specification [RFC3377] in its entirety.  In terms of RFC 2256,
157	   Sections 6 and 8 of RFC 2256 are obsoleted by [Syntaxes].  Sections
158	   5.1, 5.2, 7.1 and 7.2 of RFC 2256 are obsoleted by [Models].  The
159	   remainder of RFC 2256 is obsoleted by this document.  Section 3.4 of
160	   this document supercedes the technical specification for the 'dc'
161	   attribute type found in RFC 2247.[editor's note:  Substitute
162	   replacement RFC at time of publication.]   The remainder of RFC 2247
163	   remains in force.

165	   This document updates RFC 2798 by replacing the informative
166	   description of the 'uid' attribute type, with the definitive
167	   description provided in Section 2.39 of this document.

169	   A number of schema elements which were included in the previous
170	   revision of the LDAP Technical Specification are not included in this
171	   revision of LDAP.  PKI-related schema elements are now specified in
172	   [LDAP-PKI].  Unless reintroduced in future technical specifications,
173	   the remainder are to be considered Historic.

175	1.2  Conventions

177	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
178	   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
179	   document are to be interpreted as described in RFC 2119 [RFC2119].

181	1.3  General Issues

183	   This document references Syntaxes given in Section 3 of [Syntaxes]
184	   and Matching Rules specified in Section 4 of [Syntaxes].

186	   The definitions of Attribute Types and Object Classes are written
187	   using the ABNF form of AttributeTypeDescription and
188	   ObjectClassDescription given in [Models].  Lines have been folded
189	   for readability.

191	1.4  Source

193	   The schema definitions in this document are based on those found in
194	   the X.500-series [X.520] and [X.521], RFC 2798 [RFC2798] and
195	   RFC 2247 [RFC2247], specifically:

197	   Sections             Source
198	   ============
199	==================
200	   2.1 - 2.3            X.520 [X.520]
201	   2.4                  RFC 2247 [RFC2247]
202	   2.5 - 2.38           X.520 [X.520]
203	   2.39                 RFC 2798 [2798]
204	   2.40 - 2.43          X.520 [X.520]
205	   3.1  - 3.12          X.521 [X.521]

207	   However, the descriptions in this document SHALL be considered
208	   definitive for use in LDAP.

210	2.  Attribute Types

212	   The Attribute Types contained in this section hold user information.

214	   There is no requirement that servers implement the following
215	   attribute types:

217	      searchGuide
218	      teletexTerminalIdentifier

220	   In fact, their use is greatly discouraged.

222	   An LDAP server implementation SHOULD recognize the rest of the
223	   attribute types described in this section.

225	2.1  businessCategory

227	   The businessCategory attribute type describes the kinds of business
228	   performed by an organization (e.g., "banking", "transportation").
229	   Each kind is one value of this multi-valued attribute.

231	   ( 2.5.4.15 NAME 'businessCategory'
232	      EQUALITY caseIgnoreMatch
233	      SUBSTR caseIgnoreSubstringsMatch
234	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

236	   1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
237	   syntax [Syntaxes].

239	2.2  c

241	   The c (countryName) attribute type contains a two-letter ISO 3166
242	   [ISO3166] country code (e.g., "DE").  (Source:  X.520)
243	   ( 2.5.4.6 NAME 'c'
244	      SUP name
245	      SINGLE-VALUE )

247	2.3  cn

249	   The cn (commonName) attribute type contains names of an object
250	   (e.g., "Martin K Smith", "Marty Smith", "printer12").  Each name is
251	   one value of this multi-valued attribute.  If the object corresponds
252	   to a person, it is typically the person's full name.
253	   (Source:  X.520)

255	   ( 2.5.4.3 NAME 'cn'
256	      SUP name )

258	2.4  dc

260	   The dc (short for domainComponent) attribute type is a string
261	   holding one component, a <label> [RFC1034}, of a DNS domain name
262	   (e.g., "example" or "com", but not "example.com").  The encoding of
263	   IA5String for use in LDAP is simply the characters of the string

265	   itself.  The equality matching rule is case insensitive, as is
266	   today's DNS.

268	   ( 0.9.2342.19200300.100.1.25 NAME 'dc'
269	      EQUALITY caseIgnoreIA5Match
270	      SUBSTR caseIgnoreIA5SubstringsMatch
271	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

273	      SINGLE-VALUE )

275	   1.3.6.1.4.1.1466.115.121.1.26 refers to the IA5 String
276	   syntax [Syntaxes].

278	   It is noted that the directory will not ensure that values of this
279	   attribute conform to the label production [RFC1034].  It is the
280	   application responsibility to ensure domains it stores in this
281	   attribute are appropriately represented.

283	   It is also noted that applications supporting Internationalized
284	   Domain Names SHALL use the ToASCII method [RFC3490] to produce
285	   <label> components of the <domain> production.

287	2.5  description

289	   The description attribute type contains human-readable descriptive
290	   phrases about the object (e.g., "a color printer", "Maintenance is
291	   done every Monday, at 1pm.").  Each description is one value of this
292	   multi-valued attribute.

294	   ( 2.5.4.13 NAME 'description'
295	      EQUALITY caseIgnoreMatch
296	      SUBSTR caseIgnoreSubstringsMatch
297	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

299	   1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
300	   syntax [Syntaxes].

302	2.6  destinationIndicator

304	   The destinationIndicator attribute type contains country and city
305	   strings, associated with the object (the addressee), needed to
306	   provide the Public Telegram Service.  Each string is one value of
307	   this multi-valued attribute.  The strings are composed in accordance
308	   with CCITT Recommendations F.1 [F.1] and F.31 [F.31].

310	   ( 2.5.4.27 NAME 'destinationIndicator'
311	      EQUALITY caseIgnoreMatch
312	      SUBSTR caseIgnoreSubstringsMatch
313	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )

315	   1.3.6.1.4.1.1466.115.121.1.44 refers to the Printable String
316	   syntax [Syntaxes].

318	2.7  distinguishedName

320	   The distinguishedName attribute type is the attribute supertype from
321	   which attribute types with DN syntax inherit, instead of containing
322	   values which name the object itself.  The attribute type is
323	   multi-valued.

325	   It is unlikely that values of this type itself will occur in an
326	   entry.  LDAP server implementations which do not support attribute
327	   subtyping need not recognize this attribute in requests.  Client
328	   implementations MUST NOT assume that LDAP servers are capable of
329	   performing attribute subtyping.

331	   ( 2.5.4.49 NAME 'distinguishedName'
332	      EQUALITY distinguishedNameMatch
333	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

335	   1.3.6.1.4.1.1466.115.121.1.12 refers to the DN syntax [Syntaxes].

337	2.8  dnQualifier

339	   The dnQualifier attribute type contains disambiguating information
340	   strings to add to the relative distinguished name of an entry.  The
341	   information is intended for use when merging data from multiple
342	   sources in order to prevent conflicts between entries which would
343	   otherwise have the same name.  Each string is one value of this
344	   multi-valued attribute.  It is recommended that a value of the
345	   dnQualifier attribute be the same for all entries from a
346	   particular source.

348	   ( 2.5.4.46 NAME 'dnQualifier'
349	      EQUALITY caseIgnoreMatch
350	      ORDERING caseIgnoreOrderingMatch
351	      SUBSTR caseIgnoreSubstringsMatch
352	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )

354	   1.3.6.1.4.1.1466.115.121.1.44 refers to the Printable String
355	   syntax [Syntaxes].

357	2.9  enhancedSearchGuide

359	   The enhancedSearchGuide attribute type contains sets of information
360	   for use by directory clients in constructing search filters.  Each
361	   set is one value of this multi-valued attribute.

363	   ( 2.5.4.47 NAME 'enhancedSearchGuide'
364	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )

366	   1.3.6.1.4.1.1466.115.121.1.21 refers to the Enhanced Guide

368	   syntax [Syntaxes].

370	2.10  facsimileTelephoneNumber

372	   The facsimileTelephoneNumber attribute type contains telephone
373	   numbers (and, optionally, the parameters) for facsimile terrminals.
374	   Each telephone number is one value of this multi-valued attribute.

376	   ( 2.5.4.23 NAME 'facsimileTelephoneNumber'
377	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )

379	   1.3.6.1.4.1.1466.115.121.1.22 refers to the Facsimile Telephone
380	   Number syntax [Syntaxes].

382	2.11  generationQualifier

384	   The generationQualifier attribute type contains name strings that
385	   are the part of a person's name which typically is the suffix, as in
386	   "IIIrd" or "3rd".  Each string is one value of this multi-valued
387	   attribute.

389	   ( 2.5.4.44 NAME 'generationQualifier'
390	      SUP name )

392	2.12  givenName

394	   The givenName attribute type contains name strings that are the part
395	   of a person's name which is not their surname.  Each string is one
396	   value of this multi-valued attribute.

398	   ( 2.5.4.42 NAME 'givenName'
399	      SUP name )

401	2.13  houseIdentifier

403	   The houseIdentifier attribute type contains identifiers for a
404	   building within a location.  Each identifier is one value of this
405	   multi-valued attribute.

407	   ( 2.5.4.51 NAME 'houseIdentifier'
408	      EQUALITY caseIgnoreMatch
409	      SUBSTR caseIgnoreSubstringsMatch
410	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

412	   1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
413	   syntax [Syntaxes].

415	2.14  initials

417	   The initials attribute type contains strings of initials of some or
418	   all of an individual's names, except the surname(s)
419	   (e.g., "K. A.", "K").  Each string is one value of this multi-valued
420	   attribute.

422	   ( 2.5.4.43 NAME 'initials'
423	      SUP name )

425	2.15  internationalISDNNumber

427	   The internationalISDNNumber attribute type contains ISDN addresses,
428	   as defined in ITU Recommendation E.164 [E.164].  Each address is one
429	   value of this multi-valued attribute.

431	   ( 2.5.4.25 NAME 'internationalISDNNumber'
432	      EQUALITY numericStringMatch
433	      SUBSTR numericStringSubstringsMatch
434	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )

436	   1.3.6.1.4.1.1466.115.121.1.36 refers to the Numeric String
437	   syntax [Syntaxes].

439	2.16  l

441	   The l (localityName) attribute type contains names of a locality or
442	   place, such as a city, county or other geographic region (e.g.,
443	   "Geneva").  Each name is one value of this multi-valued attribute.
444	   (Source:  X.520)

446	   ( 2.5.4.7 NAME 'l'
447	      SUP name )

449	2.17  member

451	   The member attribute type contains the Distinguished Names of
452	   objects that are on a list or in a group.  Each name is one value of
453	   this multi-valued attribute.

455	   ( 2.5.4.31 NAME 'member'
456	      SUP distinguishedName )

458	2.18  name

460	   The name attribute type is the attribute supertype from which
461	   attributes with the name syntax inherit.  Such attributes are
462	   typically used for naming.  The attribute type is multi-valued.

464	   It is unlikely that values of this type itself will occur in an
465	   entry.  LDAP server implementations which do not support attribute
466	   subtyping need not recognize this attribute in requests.  Client
467	   implementations MUST NOT assume that LDAP servers are capable of
468	   performing attribute subtyping.

470	   ( 2.5.4.41 NAME 'name'
471	      EQUALITY caseIgnoreMatch
472	      SUBSTR caseIgnoreSubstringsMatch
473	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

475	   1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
476	   syntax [Syntaxes].

478	2.19  o

480	   The o (organizationName) attribute type contains the names of an
481	   organization (e.g., "IETF", "Internet Engineering Task Force").
482	   Each name is one value of this multi-valued attribute.
483	   (Source:  X.520)

485	   ( 2.5.4.10 NAME 'o'
486	      SUP name )

488	2.20  ou

490	   The ou (organizationalUnitName) attribute type contains the names of
491	   an organizational unit (e.g., "Application Area", "LDAPbis WG").
492	   Each name is one value of this multi-valued attribute.
493	   (Source:  X.520)

495	   ( 2.5.4.11 NAME 'ou'
496	      SUP name )

498	2.21  owner

500	   The owner attribute type contains the Distinguished Names of objects
501	   that have an ownership responsibility for the object that is owned.
502	   (e.g., The list object, "cn=All Employees, ou=Mailing List,
503	   o=Widget',' Inc.", is owned by the role object, "cn=ou=Human
504	Resources
505	   Director, ou=employee, o=Widget',' Inc.")  Each name is one value
506	of
507	   this multi-valued attribute.

509	   ( 2.5.4.32 NAME 'owner'
510	      SUP distinguishedName )

512	2.22  physicalDeliveryOfficeName

514	   The physicalDeliveryOfficeName attribute type contains names that a
515	   Postal Service uses to identify a post office (e.g., "Bremerhaven,
516	   Main", "Bremerhaven, Bonnstrasse").

518	   ( 2.5.4.19 NAME 'physicalDeliveryOfficeName'
519	      EQUALITY caseIgnoreMatch
520	      SUBSTR caseIgnoreSubstringsMatch
521	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

523	   1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
524	   syntax [Syntaxes].

526	2.23  postalAddress

528	   The postalAddress attribute type contains addresses used by a Postal
529	   Service to perform services for the object (e.g., "15 Main St.,
530	   Ottawa, Canada").  Each address is one value of this multi-valued
531	   attribute.

533	   ( 2.5.4.16 NAME 'postalAddress'
534	      EQUALITY caseIgnoreListMatch
535	      SUBSTR caseIgnoreListSubstringsMatch
536	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

538	   1.3.6.1.4.1.1466.115.121.1.41 refers to the Postal Address
539	   syntax [Syntaxes].

541	2.24  postalCode

543	   The postalCode attribute type contains codes used by a Postal
544	   Service to identify a postal service zones, such as the southern
545	   quadrant of a city (e.g., "22180").  Each code is one value of this
546	   multi-valued attribute.

548	   ( 2.5.4.17 NAME 'postalCode'
549	      EQUALITY caseIgnoreMatch
550	      SUBSTR caseIgnoreSubstringsMatch
551	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

553	   1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
554	   syntax [Syntaxes].

556	2.25  postOfficeBox

558	   The postOfficeBox attribute type contains numbers that a Postal
559	   Service uses when a customer arranges to receive mail at a box on
560	   premises of the Postal Service (e.g., "Box 45").  Each number is one
561	   value of this multi-valued attribute.

563	   ( 2.5.4.18 NAME 'postOfficeBox'
564	      EQUALITY caseIgnoreMatch
565	      SUBSTR caseIgnoreSubstringsMatch
566	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

568	   1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
569	   syntax [Syntaxes].

571	2.26  preferredDeliveryMethod

573	   The preferredDeliveryMethod attribute type contains an indication of
574	   the preferred method of getting a message to the object.  For
575	example,
576	   if mhs-delivery is preferred over telephone-delivery, which is
577	   preferred over all other methods, the value of the value would
578	   be {1, 9}.

580	   ( 2.5.4.28 NAME 'preferredDeliveryMethod'
581	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
582	      SINGLE-VALUE )

584	   1.3.6.1.4.1.1466.115.121.1.14 refers to the Delivery Method
585	   syntax [Syntaxes].

587	2.27  registeredAddress

589	   The registeredAddress attribute type contains postal addresses
590	   suitable for reception of telegrams or expedited documents, where it
591	   is necessary to have the recipient accept delivery (e.g.,
592	   "Receptionist, Widget Inc., 15 Main St., Ottawa, Canada").  Each
593	   address is one value of this multi-valued attribute.

595	   ( 2.5.4.26 NAME 'registeredAddress'
596	      SUP postalAddress
597	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

599	   1.3.6.1.4.1.1466.115.121.1.41 refers to the Postal Address
600	   syntax [Syntaxes].

602	2.28  roleOccupant

604	   The roleOccupant attribute type contains the Distinguished Names of
605	   objects(normally people) that fulfill the responsibilities of a role
606	   object.  For example, the role object, "cn=Human Resources
607	Director,
608	   ou=Position, o=Widget',' Inc.", is fulfilled by two people whose
609	   object names are "cn=Mary Smith, ou=employee, Widget',' Inc." and

611	   "cn=James Brown, ou=employee, o=Widget',' Inc."  Each name is
612	one
613	   value of this multi-valued attribute.

615	   ( 2.5.4.33 NAME 'roleOccupant'
616	      SUP distinguishedName )

618	2.29  searchGuide

620	   The searchGuide attribute type contains sets of information for use
621	   by clients in constructing search filters.  It is superseded by
622	   enhancedSearchGuide, described above in section 2.9.

624	   ( 2.5.4.14 NAME 'searchGuide'
625	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )

627	   1.3.6.1.4.1.1466.115.121.1.25 refers to the Guide syntax [Syntaxes].

629	2.30  seeAlso

631	   The seeAlso attribute type contains Distinguished Names of objects
632	   that are related to the subject object.  For example, the person
633	   object, "cn=James Brown, ou=employee, o=Widget Inc." is related
634	to
635	   the role objects, "cn=Football Team Captain, ou=sponsored
636	   activities, o=Widget Inc." and "cn=Chess Team, ou=sponsored
637	   activities, o=Widget Inc.".  Each name is one value of this
638	   multi-valued attribute.

640	   ( 2.5.4.34 NAME 'seeAlso'
641	      SUP distinguishedName )

643	2.31  serialNumber

645	   The serialNumber attribute type contains the serial numbers of
646	   devices (e.g., "WI-3005".  Each number is one value of this
647	   multi-valued attribute.

649	   ( 2.5.4.5 NAME 'serialNumber'
650	      EQUALITY caseIgnoreMatch
651	      SUBSTR caseIgnoreSubstringsMatch
652	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )

654	   1.3.6.1.4.1.1466.115.121.1.44 refers to the Printable String
655	   syntax [Syntaxes].

657	2.32  sn

659	   The sn (surname)attribute type contains name strings for the family
660	   names of a person (e.g., "Smith").  Each string is one value of this
661	   multi-valued attribute.  (Source:  X.520)

663	   ( 2.5.4.4 NAME 'sn'
664	      SUP name )

666	2.33  st

668	   The st (stateOrProvinceName) attribute type contains the full names
669	   of states or provinces, (e.g. "California").  Each name is one value
670	   of this multi-valued attribute.

672	   ( 2.5.4.8 NAME 'st'
673	      SUP name )

675	2.34  street

677	   The street (streetAddress) attribute type contains physical
678	   addresses of the object to which the entry corresponds, such as an
679	   address for package delivery.  Each address is one value of this
680	   multi-valued attribute.

682	   ( 2.5.4.9 NAME 'street'
683	      EQUALITY caseIgnoreMatch
684	      SUBSTR caseIgnoreSubstringsMatch
685	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

687	   1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
688	   syntax [Syntaxes].

690	2.35  telephoneNumber

692	   The telephoneNumber attribute type contains telephone numbers
693	   complying with ITU Recommendation E.123 [E.123]
694	   (e.g., 1 234 567 8901)  Each number is one value of this
695	   multi-valued attribute.
696	   ( 2.5.4.20 NAME 'telephoneNumber'
697	      EQUALITY telephoneNumberMatch
698	      SUBSTR telephoneNumberSubstringsMatch
699	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )

701	   1.3.6.1.4.1.1466.115.121.1.50 refers to the Telephone Number
702	   syntax [Syntaxes].

704	2.36  teletexTerminalIdentifier

706	   The withdrawal of Rec. F.200 has resulted in the withdrawal of this
707	   attribute.

709	   ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
710	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )

712	2.37  telexNumber

714	   The telexNumber attribute type contains sets of strings which are a
715	   telex number, country code, and answerback code of a telex
716	   terminal.  Each set is one value of this multi-valued attribute.

718	   ( 2.5.4.21 NAME 'telexNumber'
719	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )

721	   1.3.6.1.4.1.1466.115.121.1.52 refers to the Telex Number
722	   syntax [Syntaxes].

724	2.38  title

726	   This attribute contains the title, such as "Vice President", of a
727	   person in their organizational context.

729	   ( 2.5.4.12 NAME 'title'
730	      SUP name )

732	2.39  uid

734	   The uid attribute type contains computer system login names
735	   associated with the object.  (Source: RFC 1274,
736	   RFC 2798).  Each name is one value of this multi-valued attribute.

738	   ( 0.9.2342.19200300.100.1.1
739	      NAME 'uid'
740	      EQUALITY caseIgnoreMatch
741	      SUBSTR caseIgnoreSubstringsMatch
742	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

744	   1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
745	   syntax [Syntaxes].

747	2.40  uniqueMember

749	   The uniqueMember attribute type contains the Distinguished Names of
750	   an object that is on a list or in a group, where the Relative
751	   Distinguished Names of the object include a value that distinguishs
752	   between objects when a distinguished name has been reused.  For
753	   example, if "ou=1st Battalion, o=Defense, c=US" is a battalion
754	that
755	   was disbanded, establishing a new battalion with the "same" name
756	   would have a uid value added, resulting in
757	   "ou=1st Battalion#'010101', o=Defense, c=US".

759	   ( 2.5.4.50 NAME 'uniqueMember'
760	      EQUALITY uniqueMemberMatch
761	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )

763	   1.3.6.1.4.1.1466.115.121.1.34 refers to the Name and Optional UID
764	   syntax [Syntaxes].

766	2.41  userPassword

768	   The userPassword attribute type contains character strings that are
769	   known only to the user and the system to which the user has access.
770	   Each string is one value of this multi-valued attribute.

772	   The application SHOULD prepare textual strings used as passwords by
773	   transcoding them to Unicode, applying SASLprep [SASLprep], and
774	   encoding as UTF-8.

776	   ( 2.5.4.35 NAME 'userPassword'
777	      EQUALITY octetStringMatch
778	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

780	   1.3.6.1.4.1.1466.115.121.1.40 refers to the Octet String
781	   syntax [Syntaxes].

783	   Passwords are stored using an Octet String syntax and are not
784	   encrypted.  Transfer of cleartext passwords is strongly discouraged
785	   where the underlying transport service cannot guarantee
786	   confidentiality and may result in disclosure of the password to
787	   unauthorized parties.

789	   An example of a need for multiple values in the userPassword
790	   attribute is an environment where every month the user was expected
791	   to use a different password generated by some automated system.
792	   During transitional periods, like say the last and first day of the
793	   periods, it may be necessary to allow two passwords for the two
794	   consecutive periods to be valid in the system.

796	2.42  x121Address

798	   The x121Address attribute type contains data network addresses
799	   (e.g., 36111222333444555) as defined by ITU Recommendation X.121

801	   [X.121].  Each address is one value of this multi-valued attribute.

803	   ( 2.5.4.24 NAME 'x121Address'
804	      EQUALITY numericStringMatch
805	      SUBSTR numericStringSubstringsMatch
806	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )

808	   1.3.6.1.4.1.1466.115.121.1.36 refers to the Numeric String
809	   syntax [Syntaxes].

811	2.43  x500UniqueIdentifier

813	   The x500UniqueIdentifier attribute type contains binary strings that
814	   are used to distinguish between objects when a distinguished name
815	   has been reused.  Each string is one value of this multi-valued
816	   attribute.  In X.520 [X.520], this attribute type is called
817	   uniqueIdentifier.  This is a different attribute type from both the
818	   "uid" and "uniqueIdentifier" attribute types.

820	   ( 2.5.4.45 NAME 'x500UniqueIdentifier'
821	      EQUALITY bitStringMatch
822	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )

824	   1.3.6.1.4.1.1466.115.121.1.6 refers to the Bit String
825	   syntax [Syntaxes].

827	3.  Object Classes

829	   LDAP servers SHOULD recognize all the Object Classes listed here as
830	   values of the objectClass attribute (see [Models]).

832	3.1  applicationProcess

834	   The applicationProcess object class definition is the basis of an
835	   entry which represents an application executing in a computer system.

837	   ( 2.5.6.11 NAME 'applicationProcess'
838	      SUP top
839	      STRUCTURAL
840	      MUST cn
841	      MAY ( seeAlso $
842	            ou $
843	            l $
844	            description ) )

846	3.2  country

848	   The country object class definition is the basis of an entry which
849	   represents a country.

851	   ( 2.5.6.2 NAME 'country'
852	      SUP top
853	      STRUCTURAL
854	      MUST c
855	      MAY ( searchGuide $
856	            description ) )

858	3.3  device

860	   The device object class is the basis of an entry which represents an
861	   appliance or computer or network element.

863	   ( 2.5.6.14 NAME 'device'
864	      SUP top
865	      STRUCTURAL
866	      MUST cn
867	      MAY ( serialNumber $
868	            seeAlso $
869	            owner $
870	            ou $
871	            o $
872	            l $
873	            description ) )

875	3.4  groupOfNames

877	   The groupOfNames object class is the basis of an entry which
878	   represents a set of named objects including information related to
879	   the purpose or maintenance of the set.

881	   ( 2.5.6.9 NAME 'groupOfNames'
882	      SUP top
883	      STRUCTURAL
884	      MUST ( member $
885	            cn )
886	      MAY ( businessCategory $
887	            seeAlso $
888	            owner $
889	            ou $
890	            o $
891	            description ) )

893	3.5  groupOfUniqueNames

895	   The groupOfUniqueNames object class is the same as the groupOfNames
896	   object class except that the object names are not repeated or
897	   reassigned within a set scope.

899	   ( 2.5.6.17 NAME 'groupOfUniqueNames'
900	      SUP top
901	      STRUCTURAL
902	      MUST ( uniqueMember $
903	            cn )
904	      MAY ( businessCategory $
905	            seeAlso $
906	            owner $
907	            ou $
908	            o $
909	            description ) )

911	3.6  locality

913	   The locality object class is the basis of an entry which represents
914	   a place in the physical world.

916	   ( 2.5.6.3 NAME 'locality'
917	      SUP top
918	      STRUCTURAL
919	      MAY ( street $
920	            seeAlso $
921	            searchGuide $
922	            st $
923	            l $
924	            description ) )

926	3.7  organization

928	   The organization object class is the basis of an entry which
929	   represents a structured group of people.

931	   ( 2.5.6.4 NAME 'organization'
932	      SUP top
933	      STRUCTURAL
934	      MUST o
935	      MAY ( userPassword $ searchGuide $ seeAlso $
936	            businessCategory $ x121Address $ registeredAddress $
937	            destinationIndicator $ preferredDeliveryMethod $
938	            telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
939	            internationaliSDNNumber $ facsimileTelephoneNumber $
940	            street $ postOfficeBox $ postalCode $
941	            postalAddress $ physicalDeliveryOfficeName $ st $
942	            l $ description ) )

944	3.8  organizationalPerson

946	   The organizationalPerson object class is the basis of an entry which
947	   represents a person in relation to an organization.

949	   ( 2.5.6.7 NAME 'organizationalPerson'
950	      SUP person
951	      STRUCTURAL
952	      MAY ( title $ x121Address $ registeredAddress $
953	            destinationIndicator $ preferredDeliveryMethod $
954	            telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
955	            internationaliSDNNumber $ facsimileTelephoneNumber $
956	            street $ postOfficeBox $ postalCode $ postalAddress $
957	            physicalDeliveryOfficeName $ ou $ st $ l ) )

959	3.9  organizationalRole

961	   The organizationalRole object class is the basis of an entry which
962	   represents a job or function or position in an organization.

964	   ( 2.5.6.8 NAME 'organizationalRole'
965	      SUP top
966	      STRUCTURAL
967	      MUST cn
968	      MAY ( x121Address $ registeredAddress $ destinationIndicator $
969	            preferredDeliveryMethod $ telexNumber $
970	            teletexTerminalIdentifier $ telephoneNumber $
971	            internationaliSDNNumber $ facsimileTelephoneNumber $
972	            seeAlso $ roleOccupant $ preferredDeliveryMethod $
973	            street $ postOfficeBox $ postalCode $ postalAddress $
974	            physicalDeliveryOfficeName $ ou $ st $ l $ description ) )

976	3.10  organizationalUnit

978	   The organizationalUnit object class is the basis of an entry which
979	   represents a piece of an organization.

981	   ( 2.5.6.5 NAME 'organizationalUnit'
982	      SUP top
983	      STRUCTURAL
984	      MUST ou
985	      MAY ( businessCategory $ description $ destinationIndicator $
986	            facsimileTelephoneNumber $ internationaliSDNNumber $ l $
987	            physicalDeliveryOfficeName $ postalAddress $ postalCode $
988	            postOfficeBox $ preferredDeliveryMethod $
989	            registeredAddress $ searchGuide $ seeAlso $ st $ street $
990	            telephoneNumber $ teletexTerminalIdentifier $ telexNumber $
991	            userPassword $ x121Address ) )

993	3.11  person

995	   The person object class is the basis of an entry which represents a
996	   human being.

998	   ( 2.5.6.6 NAME 'person'
999	      SUP top
1000	      STRUCTURAL
1001	      MUST ( sn $
1002	            cn )
1003	      MAY ( userPassword $
1004	            telephoneNumber $
1005	            seeAlso $ description ) )

1007	3.12  residentialPerson

1009	   The residentialPerson object class is the basis of an entry which
1010	   includes a person's residence in the representation of the person.

1012	   ( 2.5.6.10 NAME 'residentialPerson'
1013	      SUP person
1014	      STRUCTURAL
1015	      MUST l
1016	      MAY ( businessCategory $ x121Address $ registeredAddress $
1017	            destinationIndicator $ preferredDeliveryMethod $
1018	            telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
1019	            internationaliSDNNumber $ facsimileTelephoneNumber $
1020	            preferredDeliveryMethod $ street $ postOfficeBox $
1021	            postalCode $ postalAddress $ physicalDeliveryOfficeName $
1022	            st $ l ) )

1024	4.  IANA Considerations

1026	   It is requested that the Internet Assigned Numbers Authority (IANA)
1027	   update the LDAP descriptors registry as indicated in the following
1028	   template:

1030	      Subject: Request for LDAP Descriptor Registration Update
1031	      Descriptor (short name): see comment
1032	      Object Identifier: see comment
1033	      Person & email address to contact for further information:
1034	            Kathy Dally <kdally@mitre.org>
1035	      Usage: (A = attribute type, O = Object Class) see comment
1036	      Specification: RFC XXXX [editor's note:  The RFC number will be
1037	            the one assigned to this document.
1038	      Author/Change Controller: IESG

1040	   Comments
1041	   In the LDAP descriptors registry, the following descriptors (short
1042	   names) should be updated to refer to RFC XXXX [editor's note:  This
1043	   document].

1045	      NAME                         Type OID
1046	      ------------------------     ---- ----------------------------
1047	      applicationProcess           O    2.5.6.11
1048	      businessCategory             A    2.5.4.15
1049	      c                            A    2.5.4.6
1050	      cn                           A    2.5.4.3
1051	      country                      O    2.5.6.2
1052	      dc                           A    0.9.2342.19200300.100.1.25
1053	      description                  A    2.5.4.13
1054	      destinationIndicator         A    2.5.4.27
1055	      device                       O    2.5.6.14
1056	      distinguishedName            A    2.5.4.49
1057	      dnQualifier                  A    2.5.4.46
1058	      enhancedSearchGuide          A    2.5.4.47
1059	      facsimileTelephoneNumber     A    2.5.4.23
1060	      generationQualifier          A    2.5.4.44
1061	      givenName                    A    2.5.4.42
1062	      groupOfNames                 O    2.5.6.9
1063	      groupOfUniqueNames           O    2.5.6.17
1064	      houseIdentifier              A    2.5.4.51
1065	      initials                     A    2.5.4.43
1066	      internationalISDNNumber      A    2.5.4.25
1067	      l                            A    2.5.4.7
1068	      locality                     O    2.5.6.3
1069	      member                       A    2.5.4.31
1070	      name                         A    2.5.4.41
1071	      o                            A    2.5.4.10
1072	      organization                 O    2.5.6.4
1073	      organizationalPerson         O    2.5.6.7
1074	      organizationalRole           O    2.5.6.8
1075	      organizationalUnit           O    2.5.6.5
1076	      ou                           A    2.5.4.11
1077	      owner                        A    2.5.4.32
1078	      person                       O    2.5.6.6
1079	      physicalDeliveryOfficeName   A    2.5.4.19
1080	      postalAddress                A    2.5.4.16
1081	      postalCode                   A    2.5.4.17
1082	      postOfficeBox                A    2.5.4.18
1083	      preferredDeliveryMethod      A    2.5.4.28
1084	      registeredAddress            A    2.5.4.26
1085	      residentialPerson            O    2.5.6.10
1086	      roleOccupant                 A    2.5.4.33
1087	      searchGuide                  A    2.5.4.14
1088	      seeAlso                      A    2.5.4.34
1089	      serialNumber                 A    2.5.4.5
1090	      sn                           A    2.5.4.4
1091	      st                           A    2.5.4.8
1092	      street                       A    2.5.4.9
1093	      telephoneNumber              A    2.5.4.20
1094	      teletexTerminalIdentifier    A    2.5.4.22
1095	      telexNumber                  A    2.5.4.21
1096	      title                        A    2.5.4.12
1097	      uid                          A    0.9.2342.19200300.100.1.1
1098	      uniqueMember                 A    2.5.4.50
1099	      userPassword                 A    2.5.4.35
1100	      x121Address                  A    2.5.4.24
1101	      x500UniqueIdentifier         A    2.5.4.45

1103	5.  Security Considerations

1105	   Attributes of directory entries are used to provide descriptive
1106	   information about the real-world objects they represent, which can be
1107	   people, organizations or devices.  Most countries have privacy laws
1108	   regarding the publication of information about people.

1110	   Transfer of cleartext passwords is strongly discouraged where the
1111	   underlying transport service cannot guarantee confidentiality and may
1112	   result in disclosure of the password to unauthorized parties.

1114	   Multiple attribute values for the userPassword needs to be used with
1115	   care. Especially reset/deletion of a password by an admin without
1116	   knowing the old user password gets tricky or impossible if multiple
1117	   values for different applications are present.

1119	   Certainly, applications which intend to replace the userPassword
1120	   value(s) with new value(s) should use modify/replaceValues (or
1121	   modify/deleteAttribute+addAttribute).  Additionally, server
1122	   implementations are encouraged to provide administrative controls
1123	   which, if enabled, restrict the userPassword attributer to one value.

1125	   Note that when used for authentication purposes [AuthMeth], the user
1126	   need only prove knowledge of one of the values, not all of
1127	   the values.

1129	6.  Acknowledgements

1131	   The definitions, on which this document is based, have been developed
1132	   by committees for telecommunications and international standards.

1134	   This document is an update of RFC 2256 by Mark Wahl.  RFC 2256 was a
1135	   product of the IETF ASID Working Group.

1137	   The dc attribute type definition in this document supercedes the

1139	   specification in RFC 2247 by S. Kille, M. Wahl, A. Grimstad,
1140	   R. Huber, and S. Sataluri.

1142	   The uid attribute type definition in this document supercedes the
1143	   specification of the userid in RFC 1274 by P. Barker and S. Kille
1144	   and of the uid in RFC 2798 by M. Smith.

1146	   This document is based upon input of the IETF LDAPBIS working group.
1147	   The author wishes to thank S. Legg and K. Zeilenga for their
1148	   significant contribution to this update.

1150	7.  References

1152	7.1  Normative

1154	   [E.123]  Notation for national and international telephone numbers,
1155	            ITU-T Recommendation E.123, 1988

1157	   [E.164]  The international public telecommunication numbering plan,
1158	            ITU-T Recommendation E.164, 1997

1160	   [ISO3166]  ISO 3166, "Codes for the representation of names of
1161	              countries".

1163	   [Models]  K. Zeilenga, "LDAP: The Models", draft-ietf-ldapbis-
1164	             models-xx (a work in progress)

1166	   [RFC1034]  P. Mockapetris, " DOMAIN NAMES - CONCEPTS AND
1167	              FACILITIES", RFC 1034, November 1987

1169	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
1170	              Requirement Levels", RFC 2119, March 1997

1172	   [RFC3490]   Faltstrom P., Hoffman P., Costello A.,
1173	               "Internationalizing Domain Names in Applications (IDNA)",
1174	               RFC 3490, March 2003

1176	...[ROADMAP]  Zeilenga, K., "LDAP:  Technical Specification Road Map",
1177	              draft-ietf-ldapbis-roadmap-xx (a work in progress)

1179	   [Syntaxes]  S. Legg (editor), "LDAP: Syntaxes", draft-ietf-ldapbis-
1180	               syntaxes-xx (a work in progress)

1182	   [X.121]  International numbering plan for public data networks,
1183	            ITU-T Recommendation X.121, 1996

1185	   [X.509]  The Directory:  Authentication Framework, ITU-T
1186	            Recommendation X.509, 1993

1188	   [X.520]  The Directory: Selected Attribute Types, ITU-T
1189	            Recommendation X.520, 1993

1191	   [X.521]  The Directory: Selected Object Classes.  ITU-T
1192	            Recommendation X.521, 1993

1194	7.2  Informative

1196	   [AUTHMETH]  Harrison R., "LDAP: Authentication Methods and
1197	               Connection Level Security Mechanisms", draft-ietf-
1198	               ldapbis-authmeth-xx (a work in progress)

1200	   [F.1]  Operational Provisions For The International Public Telegram
1201	   Service Transmission System, CCITT Recommmendation F.1, 1992

1203	   [F.31]  Telegram Retransmission System, CCITT Recommendation
1204	           F.31, 1988

1206	   [LDAP-CERT]  Klasen, N., Gietz, P. "An LDAPv3 Schema for X.509
1207	                Certificates", Internet Draft draft-klasen-ldap-
1208	                x509certificate-schema-xx (a work in progress)

1210	   [LDAP-CRL]  Chadwick, D. W. and M. V. Sahalayev, "Internet X.509
1211	               Public Key Infrastructure - LDAP Schema for X.509 CRLs",
1212	               Internet Draft  draft-ietf-pkix-ldap-crl-schema-xx (a
1213	               work in progress)

1215	   [RFC2247]  Kille, S., Wahl, M., Grimstad, A., Huber, R., and
1216	              Sataluri, S., "Using Domains in LDAP/X.500 Distinguished
1217	              Names", RFC 2247, January 1998

1219	   [RFC3377]  Hodges, J., Morgan, R., "Lightweight Directory Access
1220	              Protocol (v3):  Technical Specification", RFC 3377,
1221	              September 2002

1223	   [SASLprep]  Zeilenga K., "SASLprep: Stringprep profile for user
1224	               names and passwords", draft-ietf-sasl-saslprep-xx (a
1225	               work in progress)

1227	   [X.500]  The Directory, ITU-T Recommendations X.501-X.525, 1993

1229	8.  Author's Address

1231	   Kathy Dally
1232	   The MITRE Corp.
1233	   7515 Colshire Dr., H300
1234	   McLean VA 22102
1235	   USA

1237	   Phone:  +1 703 883 6058
1238	   Email:  kdally@mitre.org

1240	9.  Full Copyright Statement

1242	   Copyright (C) The Internet Society (2002).  All Rights Reserved.

1244	   This document and translations of it may be copied and furnished to
1245	   others, and derivative works that comment on or otherwise explain it
1246	   or assist in its implementation may be prepared, copied, published
1247	   and distributed, in whole or in part, without restriction of any
1248	   kind, provided that the above copyright notice and this paragraph are
1249	   included on all such copies and derivative works.  However, this
1250	   document itself may not be modified in any way, such as by removing
1251	   the copyright notice or references to the Internet Society or other
1252	   Internet organizations, except as needed for the purpose of
1253	   developing Internet standards in which case the procedures for
1254	   copyrights defined in the Internet Standards process must be
1255	   followed, or as required to translate it into languages other than
1256	   English.

1258	   The limited permissions granted above are perpetual and will not be
1259	   revoked by the Internet Society or its successors or assigns.

1261	   This document and the information contained herein is provided on an
1262	   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
1263	   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
1264	   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
1265	   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
1266	   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

1268	                          Appendix A  Changes RFC 2256

1270	   This appendix lists the changes that have been made from RFC 2256 to
1271	   this I-D.

1273	      1.  Replaced the document title.

1275	      2.  Removed the IESG Note.

1277	      3.  Dependencies on RFC 1274 have been eliminated.

1279	      4.  Added a Security Considerations section and an IANA
1280	          considerations section.

1282	      5.  Deleted the conformance requirement for subschema object
1283	          classes in favor of a statement in [Syntaxes].

1285	      6.  Added explanation to attribute types and to each object class.

1287	      7.  Removed Section 4, Syntaxes, and Section 6, Matching Rules,
1288	          (moved to [Syntaxes]).

1290	      8.  Removed the certificate-related attribute types:
1291	             authorityRevocationList,
1292	             cACertificate,
1293	             certificateRevocationList,
1294	             crossCertificatePair,
1295	             deltaRevocationList,
1296	             supportedAlgorithms, and
1297	             userCertificate.

1299	          Removed the certificate-related Object Classes:
1300	             certificationAuthority,
1301	             certificationAuthority-V2,
1302	             cRLDistributionPoint,
1303	             strongAuthenticationUser, and
1304	             userSecurityInformation

1306	          LDAP PKI is now discussed in [LDAP-CRL] and {LDAP-CERT].

1308	      9.  Removed the dmdName, knowledgeInformation,
1309	          presentationAddress, protocolInformation, and
1310	          supportedApplicationContext attribute types and the dmd,
1311	          applicationEntity, and dSA object classes.

1313	      10. Deleted the aliasedObjectName and objectClass attribute
1314	          type definitions.  Deleted the alias and top object class
1315	          definitions.  They are included in [Models].

1317	      11. Added the 'dc' attribute type from RFC 2247.

1319	      12. Numerous edititorial changes.