idnits 2.17.1 

draft-ietf-ldapbis-user-schema-08.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3667, Section 5.1 on line 1249.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 1289.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1260.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1267.

  ** The document seems to lack an RFC 3978 Section 5.1 IPR Disclosure
     Acknowledgement -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead
     of the newer disclaimer which includes the IETF Trust according to RFC
     4748.

  ** The document seems to lack an RFC 3979 Section 5, para. 3 IPR Disclosure
     Invitation -- however, there's a paragraph with a matching beginning.
     Boilerplate error?

  ** The document uses RFC 3667 boilerplate or RFC 3978-like boilerplate
     instead of verbatim RFC 3978 boilerplate.  After 6 May 2005, submission
     of drafts without verbatim RFC 3978 boilerplate is not accepted.

     The following non-3978 patterns matched text found in the document. 
     That text should be removed or replaced:

        By submitting this Internet-Draft, I certify that any applicable patent
        or other IPR claims of which I am aware have been disclosed, or
        will be disclosed, and any of which I become aware will be
        disclosed, in accordance with RFC 3668.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** The document is more than 15 pages and seems to lack a Table of Contents.

  == The page length should not exceed 58 lines per page, but there was 2
     longer pages, the longest (page 5) being 62 lines

  == It seems as if not all pages are separated by form feeds - found 0 form
     feeds but 29 pages


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The abstract seems to contain references ([ROADMAP]), which it
     shouldn't.  Please replace those with straight textual mentions of the
     documents in question.

  == There are 106 instances of lines with non-RFC6890-compliant IPv4
     addresses in the document.  If these are example addresses, they should
     be changed.

  == The 'Obsoletes: ' line in the draft header should list only the
     _numbers_ of the RFCs which will be obsoleted by this document (if
     approved); it should not include the word 'RFC' in the list.

  == The 'Updates: ' line in the draft header should list only the _numbers_
     of the RFCs which will be updated by this document (if approved); it
     should not include the word 'RFC' in the list.

  -- The draft header indicates that this document updates RFC2247, but the
     abstract doesn't seem to mention this, which it should.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

     (Using the creation date from RFC2247, updated by this document, for
     RFC5378 checks: 1996-08-01)

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (July 2004) is 7224 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: '2798' on line 202

  == Missing Reference: 'AuthMeth' is mentioned on line 1121, but not defined

  == Unused Reference: 'RFC2234' is defined on line 1167, but no explicit
     reference was found in the text

  == Unused Reference: 'AUTHMETH' is defined on line 1194, but no explicit
     reference was found in the text

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ISO3166'

  -- No information found for draft-ietf-ldapbis-models-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Models' 

  ** Obsolete normative reference: RFC 2234 (Obsoleted by RFC 4234)

  ** Obsolete normative reference: RFC 3490 (Obsoleted by RFC 5890, RFC 5891)

  -- No information found for draft-ietf-ldapbis-roadmap-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'ROADMAP' 

  -- No information found for draft-ietf-ldapbis-syntaxes-xx - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'Syntaxes' 

  -- No information found for draft-ietf-ldapbis-authmeth-xx - is the name
     correct?

  -- No information found for draft-klasen-ldap-x509certificate-schema-xx -
     is the name correct?

  -- No information found for draft-ietf-pkix-ldap-crl-schema-xx - is the
     name correct?

  -- Obsolete informational reference (is this intentional?): RFC 1274
     (Obsoleted by RFC 4524)

  -- Obsolete informational reference (is this intentional?): RFC 3377
     (Obsoleted by RFC 4510)

  -- No information found for draft-ietf-sasl-saslprep-xx - is the name
     correct?


     Summary: 10 errors (**), 0 flaws (~~), 9 warnings (==), 21 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

1	INTERNET-DRAFT                                          K. Dally, Editor
2	Intended Category:  Standard Track                       The MITRE Corp.
3	Expires:  January 2005                                         July 2004
4	Updates:  RFC 2247, RFC 2798
5	Obsoletes:  RFC 2256

7	                   LDAP:  Schema for User Applications
8	                  <draft-ietf-ldapbis-user-schema-08>

10	Status of this Memo

12	   This document is intended to be, after appropriate review and
13	   revision, submitted to the RFC Editor as a Standard Track document.
14	   Distribution of this memo is unlimited.  Technical discussion of
15	   this document will take place on the IETF LDAP Revision Working
16	   Group (LDAPbis) mailing list <ietf-ldapbis@openldap.org>.  Please
17	   send editorial comments directly to the author <kdally@mitre.org>.

19	   Internet-Drafts are working documents of the Internet Engineering
20	   Task Force (IETF), its areas, and its working groups.  Note that
21	   other groups may also distribute working documents as
22	   Internet-Drafts.

24	   Internet-Drafts are draft documents valid for a maximum of six
25	   months and may be updated, replaced, or obsoleted by other documents
26	   at any time.  It is inappropriate to use Internet-Drafts as reference
27	   material or to cite them other than as "work in progress."

29	   The list of current Internet-Drafts can be accessed at
30	   http://www.ietf.org/ietf/1id-abstracts.html.

32	   The list of Internet-Draft Shadow Directories can be accessed at
33	   http://www.ietf.org/shadow.html.

35	Copyright Notice
36	   Copyright 2004, The Internet Society.  All Rights Reserved.

38	Abstract

40	   This document is a integral part of the Lightweight Directory Access
41	   Protocol (LDAP) technical specification [ROADMAP].  It provides a
42	   technical specification of attribute types and object classes
43	   intended for use by LDAP directory clients for many directory
44	   services, such as, White Pages.  These objects are widely used as a
45	   basis for the schema in many LDAP directories.  This document does
46	   not cover attributes used for the administration of directory
47	   servers, nor does it include directory objects defined for specific
48	   uses in other documents.

50	                            Table of Contents

52	Status of this Memo                                                    1

54	Copyright Notice                                                       1

56	Abstract                                                               1

58	Table of Contents                                                      2

60	1.  Introduction                                                       4
61	    1.1  Situation                                                     4
62	    1.2  Conventions                                                   4
63	    1.3  General Issues                                                4
64	    1.4  Source                                                        5

66	2.  Attribute Types                                                    5
67	    2.1  businessCategory                                              5
68	    2.2  c                                                             6
69	    2.3  cn                                                            6
70	    2.4  dc                                                            6
71	    2.5  description                                                   7
72	    2.6  destinationIndicator                                          7
73	    2.7  distinguishedName                                             7
74	    2.8  dnQualifier                                                   8
75	    2.9  enhancedSearchGuide                                           8
76	    2.10 facsimileTelephoneNumber                                      8
77	    2.11 generationQualifier                                           8
78	    2.12 givenName                                                     9
79	    2.13 houseIdentifier                                               9
80	    2.14 initials                                                      9
81	    2.15 internationalISDNNumber                                       9
82	    2.16 l                                                            10
83	    2.17 member                                                       10
84	    2.18 name                                                         10
85	    2.19 o                                                            10
86	    2.20 ou                                                           11
87	    2.21 owner                                                        11
88	    2.22 physicalDeliveryOfficeName                                   11
89	    2.23 postalAddress                                                11
90	    2.24 postalCode                                                   12
91	    2.25 postOfficeBox                                                12
92	    2.26 preferredDeliveryMethod                                      12
93	    2.27 registeredAddress                                            13
94	    2.28 roleOccupant                                                 13
95	    2.29 searchGuide                                                  13
96	    2.30 seeAlso                                                      13
97	    2.31 serialNumber                                                 14
98	    2.32 sn                                                           14
99	    2.33 st                                                           14
100	    2.34 street                                                       14
101	    2.35 telephoneNumber                                              15
102	    2.36 teletexTerminalIdentifier                                    15
103	    2.37 telexNumber                                                  15
104	    2.38 title                                                        15
105	    2.39 uid                                                          15
106	    2.40 uniqueMember                                                 16
107	    2.41 userPassword                                                 16
108	    2.42 x121Address                                                  17
109	    2.43 x500UniqueIdentifier                                         17

111	3.  Object Classes                                                    18
112	    3.1  applicationProcess                                           18
113	    3.2  country                                                      18
114	    3.3  device                                                       18
115	    3.4  groupOfNames                                                 19
116	    3.5  groupOfUniqueNames                                           19
117	    3.6  locality                                                     19
118	    3.7  organization                                                 20
119	    3.8  organizationalPerson                                         20
120	    3.9 organizationalRole                                            20
121	    3.10 organizationalUnit                                           21
122	    3.11 person                                                       21
123	    3.12 residentialPerson                                            21

125	4.  IANA Considerations                                               22

127	5.  Security Considerations                                           23

129	6.  Acknowledgements                                                  24

131	7.  References                                                        24
132	    7.1  Normative                                                    24
133	    7.2  Informative                                                  25

135	8.  Author's Address                                                  26

137	9.  Intellectual Property Rights (IPR) Disclosure                     26

139	10. IPR Notice                                                        26

141	11. Copyright Notice and Disclaimer                                   27
142	1.  Introduction

144	   This document provides an overview of attribute types and object
145	   classes intended for use by Lightweight Directory Access Protocol
146	   directory clients for many directory services, such as, White Pages.
147	   Originally specified in the X.500 [X.500] documents, these objects
148	   are widely used as a basis for the schema in many LDAP directories.
149	   This document does not cover attributes used for the administration
150	   of directory servers, nor does it include directory objects defined
151	   for specific uses in other documents.

153	1.1  Situation

155	   This document is a integral part of the LDAP technical specification
156	   [ROADMAP] which obsoletes the previously defined LDAP technical
157	   specification [RFC3377] in its entirety.  In terms of RFC 2256,
158	   Sections 6 and 8 of RFC 2256 are obsoleted by [Syntaxes].  Sections
159	   5.1, 5.2, 7.1 and 7.2 of RFC 2256 are obsoleted by [Models].  The
160	   remainder of RFC 2256 is obsoleted by this document.  Section 2.4 of
161	   this document supercedes the technical specification for the 'dc'
162	   attribute type found in RFC 2247.  The remainder of RFC 2247 remains
163	   in force.

165	   This document updates RFC 2798 by replacing the informative
166	   description of the 'uid' attribute type, with the definitive
167	   description provided in Section 2.39 of this document.

169	   A number of schema elements which were included in the previous
170	   revision of the LDAP Technical Specification are not included in this
171	   revision of LDAP.  PKI-related schema elements are now specified in
172	   [LDAP-CERT] and [LDAP-CRL].  Unless reintroduced in future technical
173	   specifications, the remainder are to be considered Historic.

175	1.2  Conventions

177	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
178	   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
179	   document are to be interpreted as described in RFC 2119 [RFC2119].

181	1.3  General Issues

183	   This document references Syntaxes given in Section 3 of [Syntaxes]
184	   and Matching Rules specified in Section 4 of [Syntaxes].

186	   The definitions of Attribute Types and Object Classes are written
187	   using the ABNF form of AttributeTypeDescription and
188	   ObjectClassDescription given in [Models].  Lines have been folded
189	   for readability.

191	1.4  Source

193	   The schema definitions in this document are based on those found in
194	   the X.500-series [X.520] and [X.521], RFC 2798 [RFC2798] and
195	   RFC 2247 [RFC2247], specifically:

197	      Sections             Source
198	      ============         ==================
199	      2.1 - 2.3            X.520 [X.520]
200	      2.4                  RFC 2247 [RFC2247]
201	      2.5 - 2.38           X.520 [X.520]
202	      2.39                 RFC 2798 [2798]
203	      2.40 - 2.43          X.520 [X.520]
204	      3.1  - 3.12          X.521 [X.521]

206	   However, the descriptions in this document SHALL be considered
207	   definitive for use in LDAP.

209	2.  Attribute Types

211	   The Attribute Types contained in this section hold user information.

213	   There is no requirement that servers implement the following
214	   attribute types:

216	      searchGuide
217	      teletexTerminalIdentifier

219	   In fact, their use is greatly discouraged.

221	   An LDAP server implementation SHOULD recognize the rest of the
222	   attribute types described in this section.

224	2.1  businessCategory

226	   The businessCategory attribute type describes the kinds of business
227	   performed by an organization (e.g., "banking", "transportation").
228	   Each kind is one value of this multi-valued attribute.

230	   ( 2.5.4.15 NAME 'businessCategory'
231	      EQUALITY caseIgnoreMatch
232	      SUBSTR caseIgnoreSubstringsMatch
233	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

235	   1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
236	   syntax [Syntaxes].

238	2.2  c

240	   The c (countryName) attribute type contains a two-letter ISO 3166
241	   [ISO3166] country code (e.g., "DE").  (Source:  X.520)

243	   ( 2.5.4.6 NAME 'c'
244	      SUP name
245	      SINGLE-VALUE )

247	2.3  cn

249	   The cn (commonName) attribute type contains names of an object
250	   (e.g., "Martin K Smith", "Marty Smith", "printer12").  Each name is
251	   one value of this multi-valued attribute.  If the object corresponds
252	   to a person, it is typically the person's full name.
253	   (Source:  X.520)

255	   ( 2.5.4.3 NAME 'cn'
256	      SUP name )

258	2.4  dc

260	   The dc (short for domainComponent) attribute type is a string
261	   holding one component, a <label> [RFC1034}, of a DNS domain name
262	   (e.g., "example" or "com", but not "example.com").  The encoding of
263	   IA5String for use in LDAP is simply the characters of the string
264	   itself.  The equality matching rule is case insensitive, as is
265	   today's DNS.

267	   ( 0.9.2342.19200300.100.1.25 NAME 'dc'
268	      EQUALITY caseIgnoreIA5Match
269	      SUBSTR caseIgnoreIA5SubstringsMatch
270	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
271	      SINGLE-VALUE )

273	   1.3.6.1.4.1.1466.115.121.1.26 refers to the IA5 String
274	   syntax [Syntaxes].

276	   It is noted that the directory will not ensure that values of this
277	   attribute conform to the label production [RFC1034].  It is the
278	   application responsibility to ensure domains it stores in this
279	   attribute are appropriately represented.

281	   It is also noted that applications supporting Internationalized
282	   Domain Names SHALL use the ToASCII method [RFC3490] to produce
283	   <label> components of the <domain> production.

285	2.5  description

287	   The description attribute type contains human-readable descriptive
288	   phrases about the object (e.g., "a color printer", "Maintenance is
289	   done every Monday, at 1pm.").  Each description is one value of this
290	   multi-valued attribute.

292	   ( 2.5.4.13 NAME 'description'
293	      EQUALITY caseIgnoreMatch
294	      SUBSTR caseIgnoreSubstringsMatch
295	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

297	   1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
298	   syntax [Syntaxes].

300	2.6  destinationIndicator

302	   The destinationIndicator attribute type contains country and city
303	   strings, associated with the object (the addressee), needed to
304	   provide the Public Telegram Service.  Each string is one value of
305	   this multi-valued attribute.  The strings are composed in accordance
306	   with CCITT Recommendations F.1 [F.1] and F.31 [F.31].

308	   ( 2.5.4.27 NAME 'destinationIndicator'
309	      EQUALITY caseIgnoreMatch
310	      SUBSTR caseIgnoreSubstringsMatch
311	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )

313	   1.3.6.1.4.1.1466.115.121.1.44 refers to the Printable String
314	   syntax [Syntaxes].

316	2.7  distinguishedName

318	   The distinguishedName attribute type is the attribute supertype from
319	   which attribute types with DN syntax inherit, instead of containing
320	   values which name the object itself.  The attribute type is
321	   multi-valued.

323	   It is unlikely that values of this type itself will occur in an
324	   entry.  LDAP server implementations which do not support attribute
325	   subtyping need not recognize this attribute in requests.  Client
326	   implementations MUST NOT assume that LDAP servers are capable of
327	   performing attribute subtyping.

329	   ( 2.5.4.49 NAME 'distinguishedName'
330	      EQUALITY distinguishedNameMatch
331	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

333	   1.3.6.1.4.1.1466.115.121.1.12 refers to the DN syntax [Syntaxes].

335	2.8  dnQualifier

337	   The dnQualifier attribute type contains disambiguating information
338	   strings to add to the relative distinguished name of an entry.  The
339	   information is intended for use when merging data from multiple

341	   sources in order to prevent conflicts between entries which would
342	   otherwise have the same name.  Each string is one value of this
343	   multi-valued attribute.  It is recommended that a value of the
344	   dnQualifier attribute be the same for all entries from a
345	   particular source.

347	   ( 2.5.4.46 NAME 'dnQualifier'
348	      EQUALITY caseIgnoreMatch
349	      ORDERING caseIgnoreOrderingMatch
350	      SUBSTR caseIgnoreSubstringsMatch
351	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )

353	   1.3.6.1.4.1.1466.115.121.1.44 refers to the Printable String
354	   syntax [Syntaxes].

356	2.9  enhancedSearchGuide

358	   The enhancedSearchGuide attribute type contains sets of information
359	   for use by directory clients in constructing search filters.  Each
360	   set is one value of this multi-valued attribute.

362	   ( 2.5.4.47 NAME 'enhancedSearchGuide'
363	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )

365	   1.3.6.1.4.1.1466.115.121.1.21 refers to the Enhanced Guide
366	   syntax [Syntaxes].

368	2.10  facsimileTelephoneNumber

370	   The facsimileTelephoneNumber attribute type contains telephone
371	   numbers (and, optionally, the parameters) for facsimile terminals.
372	   Each telephone number is one value of this multi-valued attribute.

374	   ( 2.5.4.23 NAME 'facsimileTelephoneNumber'
375	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )

377	   1.3.6.1.4.1.1466.115.121.1.22 refers to the Facsimile Telephone
378	   Number syntax [Syntaxes].

380	2.11  generationQualifier

382	   The generationQualifier attribute type contains name strings that
383	   are the part of a person's name which typically is the suffix, as in
384	   "IIIrd" or "3rd".  Each string is one value of this multi-valued
385	   attribute.

387	   ( 2.5.4.44 NAME 'generationQualifier'
388	      SUP name )

390	2.12  givenName

392	   The givenName attribute type contains name strings that are the part
393	   of a person's name which is not their surname.  Each string is one
394	   value of this multi-valued attribute.

396	   ( 2.5.4.42 NAME 'givenName'
397	      SUP name )

399	2.13  houseIdentifier

401	   The houseIdentifier attribute type contains identifiers for a
402	   building within a location.  Each identifier is one value of this
403	   multi-valued attribute.

405	   ( 2.5.4.51 NAME 'houseIdentifier'
406	      EQUALITY caseIgnoreMatch
407	      SUBSTR caseIgnoreSubstringsMatch
408	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

410	   1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
411	   syntax [Syntaxes].

413	2.14  initials

415	   The initials attribute type contains strings of initials of some or
416	   all of an individual's names, except the surname(s)
417	   (e.g., "K. A.", "K").  Each string is one value of this multi-valued
418	   attribute.

420	   ( 2.5.4.43 NAME 'initials'
421	      SUP name )

423	2.15  internationalISDNNumber

425	   The internationalISDNNumber attribute type contains ISDN addresses,
426	   as defined in ITU Recommendation E.164 [E.164].  Each address is one
427	   value of this multi-valued attribute.

429	   ( 2.5.4.25 NAME 'internationalISDNNumber'
430	      EQUALITY numericStringMatch
431	      SUBSTR numericStringSubstringsMatch
432	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )

434	   1.3.6.1.4.1.1466.115.121.1.36 refers to the Numeric String
435	   syntax [Syntaxes].

437	2.16  l

439	   The l (localityName) attribute type contains names of a locality or
440	   place, such as a city, county or other geographic region (e.g.,
441	   "Geneva").  Each name is one value of this multi-valued attribute.
442	   (Source:  X.520)

444	   ( 2.5.4.7 NAME 'l'
445	      SUP name )

447	2.17  member

449	   The member attribute type contains the Distinguished Names of
450	   objects that are on a list or in a group.  Each name is one value of
451	   this multi-valued attribute.

453	   ( 2.5.4.31 NAME 'member'
454	      SUP distinguishedName )

456	2.18  name

458	   The name attribute type is the attribute supertype from which
459	   attributes with the name syntax inherit.  Such attributes are
460	   typically used for naming.  The attribute type is multi-valued.

462	   It is unlikely that values of this type itself will occur in an
463	   entry.  LDAP server implementations which do not support attribute
464	   subtyping need not recognize this attribute in requests.  Client
465	   implementations MUST NOT assume that LDAP servers are capable of
466	   performing attribute subtyping.

468	   ( 2.5.4.41 NAME 'name'
469	      EQUALITY caseIgnoreMatch
470	      SUBSTR caseIgnoreSubstringsMatch
471	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

473	   1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
474	   syntax [Syntaxes].

476	2.19  o

478	   The o (organizationName) attribute type contains the names of an
479	   organization (e.g., "IETF", "Internet Engineering Task Force").
480	   Each name is one value of this multi-valued attribute.
481	   (Source:  X.520)

483	   ( 2.5.4.10 NAME 'o'
484	      SUP name )

486	2.20  ou

488	   The ou (organizationalUnitName) attribute type contains the names of
489	   an organizational unit (e.g., "Application Area", "LDAPbis WG").
490	   Each name is one value of this multi-valued attribute.
491	   (Source:  X.520)

493	   ( 2.5.4.11 NAME 'ou'
494	      SUP name )

496	2.21  owner

498	   The owner attribute type contains the Distinguished Names of objects
499	   that have an ownership responsibility for the object that is owned.
500	   Each owner's name is one value of this multi-valued attribute.
501	   (e.g., The list object which has DN:  "cn=All Employees,
502	   ou=Mailing List,o=Widget\, Inc.", is owned by the Human Resources
503	   Director.  Therefore, the DN of the director (role) would be a value
504	   of the owner attribute:  "cn=Human Resources Director,
505	   ou=employee,o=Widget\, Inc.")

507	   ( 2.5.4.32 NAME 'owner'
508	      SUP distinguishedName )

510	2.22  physicalDeliveryOfficeName

512	   The physicalDeliveryOfficeName attribute type contains names that a
513	   Postal Service uses to identify a post office (e.g., "Bremerhaven,
514	   Main", "Bremerhaven, Bonnstrasse").

516	   ( 2.5.4.19 NAME 'physicalDeliveryOfficeName'
517	      EQUALITY caseIgnoreMatch
518	      SUBSTR caseIgnoreSubstringsMatch
519	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

521	   1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
522	   syntax [Syntaxes].

524	2.23  postalAddress

526	   The postalAddress attribute type contains addresses used by a Postal
527	   Service to perform services for the object.  Each address is one
528	   value of this multi-valued attribute.(e.g., one value is "15 Main
529	   St.$Ottawa$Canada").

531	   ( 2.5.4.16 NAME 'postalAddress'
532	      EQUALITY caseIgnoreListMatch
533	      SUBSTR caseIgnoreListSubstringsMatch
534	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

536	   1.3.6.1.4.1.1466.115.121.1.41 refers to the Postal Address
537	   syntax [Syntaxes].

539	2.24  postalCode

541	   The postalCode attribute type contains codes used by a Postal
542	   Service to identify a postal service zones, such as the southern
543	   quadrant of a city (e.g., "22180").  Each code is one value of this
544	   multi-valued attribute.

546	   ( 2.5.4.17 NAME 'postalCode'
547	      EQUALITY caseIgnoreMatch
548	      SUBSTR caseIgnoreSubstringsMatch
549	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

551	   1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
552	   syntax [Syntaxes].

554	2.25  postOfficeBox

556	   The postOfficeBox attribute type contains numbers that a Postal
557	   Service uses when a customer arranges to receive mail at a box on
558	   premises of the Postal Service (e.g., "Box 45").  Each number is one
559	   value of this multi-valued attribute.

561	   ( 2.5.4.18 NAME 'postOfficeBox'
562	      EQUALITY caseIgnoreMatch
563	      SUBSTR caseIgnoreSubstringsMatch
564	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

566	   1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
567	   syntax [Syntaxes].

569	2.26  preferredDeliveryMethod

571	   The preferredDeliveryMethod attribute type contains an indication of
572	   the preferred method of getting a message to the object.  For
573	   example, if mhs-delivery is preferred over telephone-delivery, which
574	   is preferred over all other methods, the value would be:
575	      mhs $ telephone

577	   ( 2.5.4.28 NAME 'preferredDeliveryMethod'
578	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
579	      SINGLE-VALUE )

581	   1.3.6.1.4.1.1466.115.121.1.14 refers to the Delivery Method
582	   syntax [Syntaxes].

584	2.27  registeredAddress

586	   The registeredAddress attribute type contains postal addresses
587	   suitable for reception of telegrams or expedited documents, where it
588	   is necessary to have the recipient accept delivery.  Each address is
589	   one value of this multi-valued attribute.   (e.g., one value is
590	   "Receptionist\, Widget Inc.\, 15 Main St.\, Ottawa\, Canada")

592	   ( 2.5.4.26 NAME 'registeredAddress'
593	      SUP postalAddress
594	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

596	   1.3.6.1.4.1.1466.115.121.1.41 refers to the Postal Address
597	   syntax [Syntaxes].

599	2.28  roleOccupant

601	   The roleOccupant attribute type contains the Distinguished Names of
602	   objects (normally people) that fulfill the responsibilities of a
603	   role object.  For example, the role object, "cn=Human Resources
604	   Director,ou=Position,o=Widget\, Inc.", is fulfilled by two people
605	   whose object names are "cn=Mary Smith,ou=employee,o=Widget\, Inc."
606	   and "cn=James Brown,ou=employee,o=Widget\, Inc."  The roleOccupant
607	   attribute would have two values, one for each occupant.

609	   ( 2.5.4.33 NAME 'roleOccupant'
610	      SUP distinguishedName )

612	2.29  searchGuide

614	   The searchGuide attribute type contains sets of information for use
615	   by clients in constructing search filters.  It is superseded by
616	   enhancedSearchGuide, described above in section 2.9.

618	   ( 2.5.4.14 NAME 'searchGuide'
619	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )

621	   1.3.6.1.4.1.1466.115.121.1.25 refers to the Guide syntax [Syntaxes].

623	2.30  seeAlso

625	   The seeAlso attribute type contains Distinguished Names of objects
626	   that are related to the subject object.  For example, the person
627	   object, "cn=James Brown,ou=employee,o=Widget Inc." is related to
628	   the role objects, "cn=Football Team Captain,ou=sponsored activities,
629	   o=Widget Inc." and "cn=Chess Team,ou=sponsored activities,o=Widget
630	   Inc.".  Each related object name is one value of this multi-valued
631	   attribute.

633	   ( 2.5.4.34 NAME 'seeAlso'
634	      SUP distinguishedName )

636	2.31  serialNumber

638	   The serialNumber attribute type contains the serial numbers of
639	   devices (e.g., "WI-3005".  Each number is one value of this
640	   multi-valued attribute.

642	   ( 2.5.4.5 NAME 'serialNumber'
643	      EQUALITY caseIgnoreMatch
644	      SUBSTR caseIgnoreSubstringsMatch
645	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )

647	   1.3.6.1.4.1.1466.115.121.1.44 refers to the Printable String
648	   syntax [Syntaxes].

650	2.32  sn

652	   The sn (surname)attribute type contains name strings for the family
653	   names of a person (e.g., "Smith").  Each string is one value of this
654	   multi-valued attribute.  (Source:  X.520)

656	   ( 2.5.4.4 NAME 'sn'
657	      SUP name )

659	2.33  st

661	   The st (stateOrProvinceName) attribute type contains the full names
662	   of states or provinces, (e.g. "California").  Each name is one value
663	   of this multi-valued attribute.

665	   ( 2.5.4.8 NAME 'st'
666	      SUP name )

668	2.34  street

670	   The street (streetAddress) attribute type contains physical
671	   addresses of the object to which the entry corresponds, such as an
672	   address for package delivery.  Each address is one value of this
673	   multi-valued attribute.

675	   ( 2.5.4.9 NAME 'street'
676	      EQUALITY caseIgnoreMatch
677	      SUBSTR caseIgnoreSubstringsMatch
678	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

680	   1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String
681	   syntax [Syntaxes].

683	2.35  telephoneNumber

685	   The telephoneNumber attribute type contains telephone numbers
686	   complying with ITU Recommendation E.123 [E.123] (e.g.,
687	   +1 234 567 8901)  Each number is one value of this multi-valued
688	   attribute.

690	   ( 2.5.4.20 NAME 'telephoneNumber'
691	      EQUALITY telephoneNumberMatch
692	      SUBSTR telephoneNumberSubstringsMatch
693	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )

695	   1.3.6.1.4.1.1466.115.121.1.50 refers to the Telephone Number
696	   syntax [Syntaxes].

698	2.36  teletexTerminalIdentifier

700	   The withdrawal of Rec. F.200 has resulted in the withdrawal of this
701	   attribute.

703	   ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
704	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )

706	2.37  telexNumber

708	   The telexNumber attribute type contains sets of strings which are a
709	   telex number, country code, and answerback code of a telex terminal.
710	   Each set is one value of this multi-valued attribute.

712	   ( 2.5.4.21 NAME 'telexNumber'
713	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )

715	   1.3.6.1.4.1.1466.115.121.1.52 refers to the Telex Number
716	   syntax [Syntaxes].

718	2.38  title

720	   This attribute contains the title, such as "Vice President", of a
721	   person in their organizational context.

723	   ( 2.5.4.12 NAME 'title'
724	      SUP name )

726	2.39  uid

728	   The uid attribute type contains computer system login names
729	   associated with the object.  (Source: RFC 1274).  Each name is one
730	   value of this multi-valued attribute.

732	   ( 0.9.2342.19200300.100.1.1
733	      NAME 'uid'
734	      EQUALITY caseIgnoreMatch
735	      SUBSTR caseIgnoreSubstringsMatch
736	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

738	   1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String

740	   syntax [Syntaxes].

742	2.40  uniqueMember

744	   The uniqueMember attribute type contains the Distinguished Names of
745	   an object that is on a list or in a group, where the Relative
746	   Distinguished Names of the object include a value that distinguishes
747	   between objects when a distinguished name has been reused.  For
748	   example, if "ou=1st Battalion,o=Defense,c=US" is a battalion that
749	   was disbanded, establishing a new battalion with the "same" name
750	   would have a uid value added, resulting in "ou=1st Battalion,
751	   o=Defense,c=US#'010101'B".

753	   ( 2.5.4.50 NAME 'uniqueMember'
754	      EQUALITY uniqueMemberMatch
755	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )

757	   1.3.6.1.4.1.1466.115.121.1.34 refers to the Name and Optional UID
758	   syntax [Syntaxes].

760	2.41  userPassword

762	   The userPassword attribute contains octet strings that are known
763	   only to the user and the system to which the user has access.  Each
764	   string is one value of this multi-valued attribute.

766	   The application SHOULD prepare textual strings used as passwords by
767	   transcoding them to Unicode, applying SASLprep [SASLprep], and
768	   encoding as UTF-8.

770	   ( 2.5.4.35 NAME 'userPassword'
771	      EQUALITY octetStringMatch
772	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

774	   1.3.6.1.4.1.1466.115.121.1.40 refers to the Octet String
775	   syntax [Syntaxes].

777	   Passwords are stored using an Octet String syntax and are not
778	   encrypted.  Transfer of cleartext passwords is strongly discouraged
779	   where the underlying transport service cannot guarantee
780	   confidentiality and may result in disclosure of the password to
781	   unauthorized parties.

783	   An example of a need for multiple values in the userPassword
784	   attribute is an environment where every month the user was expected
785	   to use a different password generated by some automated system.
786	   During transitional periods, like say the last and first day of the
787	   periods, it may be necessary to allow two passwords for the two
788	   consecutive periods to be valid in the system.

790	2.42  x121Address

792	   The x121Address attribute type contains data network addresses
793	   (e.g., 36111222333444555) as defined by ITU Recommendation X.121
794	   [X.121].  Each address is one value of this multi-valued attribute.

796	   ( 2.5.4.24 NAME 'x121Address'
797	      EQUALITY numericStringMatch
798	      SUBSTR numericStringSubstringsMatch
799	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )

801	   1.3.6.1.4.1.1466.115.121.1.36 refers to the Numeric String
802	   syntax [Syntaxes].

804	2.43  x500UniqueIdentifier

806	   The x500UniqueIdentifier attribute type contains binary strings that
807	   are used to distinguish between objects when a distinguished name
808	   has been reused.  Each string is one value of this multi-valued
809	   attribute.  In X.520 [X.520], this attribute type is called
810	   uniqueIdentifier.  This is a different attribute type from both the
811	   "uid" and "uniqueIdentifier" LDAP attribute types.  The
812	   uniqueIdentifier attribute type is defined in [RFC1274].

814	   ( 2.5.4.45 NAME 'x500UniqueIdentifier'
815	      EQUALITY bitStringMatch
816	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )

818	   1.3.6.1.4.1.1466.115.121.1.6 refers to the Bit String
819	   syntax [Syntaxes].

821	3.  Object Classes

823	   LDAP servers SHOULD recognize all the Object Classes listed here as
824	   values of the objectClass attribute (see [Models]).

826	3.1  applicationProcess

828	   The applicationProcess object class definition is the basis of an
829	   entry which represents an application executing in a computer system.

831	   ( 2.5.6.11 NAME 'applicationProcess'
832	      SUP top
833	      STRUCTURAL
834	      MUST cn
835	      MAY ( seeAlso $
836	            ou $
837	            l $
838	            description ) )

840	3.2  country

842	   The country object class definition is the basis of an entry which
843	   represents a country.

845	   ( 2.5.6.2 NAME 'country'
846	      SUP top
847	      STRUCTURAL
848	      MUST c
849	      MAY ( searchGuide $
850	            description ) )

852	3.3  device

854	   The device object class is the basis of an entry which represents an
855	   appliance or computer or network element.

857	   ( 2.5.6.14 NAME 'device'
858	      SUP top
859	      STRUCTURAL
860	      MUST cn
861	      MAY ( serialNumber $
862	            seeAlso $
863	            owner $
864	            ou $
865	            o $
866	            l $
867	            description ) )

869	3.4  groupOfNames

871	   The groupOfNames object class is the basis of an entry which
872	   represents a set of named objects including information related to
873	   the purpose or maintenance of the set.

875	   ( 2.5.6.9 NAME 'groupOfNames'
876	      SUP top
877	      STRUCTURAL
878	      MUST ( member $
879	            cn )
880	      MAY ( businessCategory $
881	            seeAlso $
882	            owner $
883	            ou $
884	            o $
885	            description ) )

887	3.5  groupOfUniqueNames

889	   The groupOfUniqueNames object class is the same as the groupOfNames
890	   object class except that the object names are not repeated or
891	   reassigned within a set scope.

893	   ( 2.5.6.17 NAME 'groupOfUniqueNames'
894	      SUP top
895	      STRUCTURAL
896	      MUST ( uniqueMember $
897	            cn )
898	      MAY ( businessCategory $
899	            seeAlso $
900	            owner $
901	            ou $
902	            o $
903	            description ) )

905	3.6  locality

907	   The locality object class is the basis of an entry which represents
908	   a place in the physical world.

910	   ( 2.5.6.3 NAME 'locality'
911	      SUP top
912	      STRUCTURAL
913	      MAY ( street $
914	            seeAlso $
915	            searchGuide $
916	            st $
917	            l $
918	            description ) )

920	3.7  organization

922	   The organization object class is the basis of an entry which
923	   represents a structured group of people.

925	   ( 2.5.6.4 NAME 'organization'

927	      SUP top
928	      STRUCTURAL
929	      MUST o
930	      MAY ( userPassword $ searchGuide $ seeAlso $
931	            businessCategory $ x121Address $ registeredAddress $
932	            destinationIndicator $ preferredDeliveryMethod $
933	            telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
934	            internationaliSDNNumber $ facsimileTelephoneNumber $
935	            street $ postOfficeBox $ postalCode $
936	            postalAddress $ physicalDeliveryOfficeName $ st $
937	            l $ description ) )

939	3.8  organizationalPerson

941	   The organizationalPerson object class is the basis of an entry which
942	   represents a person in relation to an organization.

944	   ( 2.5.6.7 NAME 'organizationalPerson'
945	      SUP person
946	      STRUCTURAL
947	      MAY ( title $ x121Address $ registeredAddress $
948	            destinationIndicator $ preferredDeliveryMethod $
949	            telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
950	            internationaliSDNNumber $ facsimileTelephoneNumber $
951	            street $ postOfficeBox $ postalCode $ postalAddress $
952	            physicalDeliveryOfficeName $ ou $ st $ l ) )

954	3.9  organizationalRole

956	   The organizationalRole object class is the basis of an entry which
957	   represents a job or function or position in an organization.

959	   ( 2.5.6.8 NAME 'organizationalRole'
960	      SUP top
961	      STRUCTURAL
962	      MUST cn
963	      MAY ( x121Address $ registeredAddress $ destinationIndicator $
964	            preferredDeliveryMethod $ telexNumber $
965	            teletexTerminalIdentifier $ telephoneNumber $
966	            internationaliSDNNumber $ facsimileTelephoneNumber $
967	            seeAlso $ roleOccupant $ preferredDeliveryMethod $
968	            street $ postOfficeBox $ postalCode $ postalAddress $
969	            physicalDeliveryOfficeName $ ou $ st $ l $ description ) )

971	3.10  organizationalUnit

973	   The organizationalUnit object class is the basis of an entry which
974	   represents a piece of an organization.

976	   ( 2.5.6.5 NAME 'organizationalUnit'
977	      SUP top
978	      STRUCTURAL
979	      MUST ou
980	      MAY ( businessCategory $ description $ destinationIndicator $
981	            facsimileTelephoneNumber $ internationaliSDNNumber $ l $
982	            physicalDeliveryOfficeName $ postalAddress $ postalCode $
983	            postOfficeBox $ preferredDeliveryMethod $
984	            registeredAddress $ searchGuide $ seeAlso $ st $ street $
985	            telephoneNumber $ teletexTerminalIdentifier $ telexNumber $
986	            userPassword $ x121Address ) )

988	3.11  person

990	   The person object class is the basis of an entry which represents a
991	   human being.

993	   ( 2.5.6.6 NAME 'person'
994	      SUP top
995	      STRUCTURAL
996	      MUST ( sn $
997	            cn )
998	      MAY ( userPassword $
999	            telephoneNumber $
1000	            seeAlso $ description ) )

1002	3.12  residentialPerson

1004	   The residentialPerson object class is the basis of an entry which
1005	   includes a person's residence in the representation of the person.

1007	   ( 2.5.6.10 NAME 'residentialPerson'
1008	      SUP person
1009	      STRUCTURAL
1010	      MUST l
1011	      MAY ( businessCategory $ x121Address $ registeredAddress $
1012	            destinationIndicator $ preferredDeliveryMethod $
1013	            telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
1014	            internationaliSDNNumber $ facsimileTelephoneNumber $
1015	            preferredDeliveryMethod $ street $ postOfficeBox $
1016	            postalCode $ postalAddress $ physicalDeliveryOfficeName $
1017	            st $ l ) )

1019	4.  IANA Considerations

1021	   It is requested that the Internet Assigned Numbers Authority (IANA)
1022	   update the LDAP descriptors registry as indicated in the following
1023	   template:

1025	      Subject: Request for LDAP Descriptor Registration Update
1026	      Descriptor (short name): see comment
1027	      Object Identifier: see comment
1028	      Person & email address to contact for further information:
1029	            Kathy Dally <kdally@mitre.org>
1030	      Usage: (A = attribute type, O = Object Class) see comment
1031	      Specification: RFC XXXX [editor's note:  The RFC number will be
1032	            the one assigned to this document.]
1033	      Author/Change Controller: IESG

1035	   Comments
1036	   In the LDAP descriptors registry, the following descriptors (short
1037	   names) should be updated to refer to RFC XXXX [editor's note:  This
1038	   document].

1040	      NAME                         Type OID
1041	      ------------------------     ---- ----------------------------
1042	      applicationProcess           O    2.5.6.11
1043	      businessCategory             A    2.5.4.15
1044	      c                            A    2.5.4.6
1045	      cn                           A    2.5.4.3
1046	      country                      O    2.5.6.2
1047	      dc                           A    0.9.2342.19200300.100.1.25
1048	      description                  A    2.5.4.13
1049	      destinationIndicator         A    2.5.4.27
1050	      device                       O    2.5.6.14
1051	      distinguishedName            A    2.5.4.49
1052	      dnQualifier                  A    2.5.4.46
1053	      enhancedSearchGuide          A    2.5.4.47
1054	      facsimileTelephoneNumber     A    2.5.4.23
1055	      generationQualifier          A    2.5.4.44
1056	      givenName                    A    2.5.4.42
1057	      groupOfNames                 O    2.5.6.9
1058	      groupOfUniqueNames           O    2.5.6.17
1059	      houseIdentifier              A    2.5.4.51
1060	      initials                     A    2.5.4.43
1061	      internationalISDNNumber      A    2.5.4.25
1062	      l                            A    2.5.4.7
1063	      locality                     O    2.5.6.3
1064	      member                       A    2.5.4.31
1065	      name                         A    2.5.4.41
1066	      o                            A    2.5.4.10
1067	      organization                 O    2.5.6.4
1068	      organizationalPerson         O    2.5.6.7
1069	      organizationalRole           O    2.5.6.8
1070	      organizationalUnit           O    2.5.6.5
1071	      ou                           A    2.5.4.11
1072	      owner                        A    2.5.4.32
1073	      person                       O    2.5.6.6
1074	      physicalDeliveryOfficeName   A    2.5.4.19
1075	      postalAddress                A    2.5.4.16
1076	      postalCode                   A    2.5.4.17
1077	      postOfficeBox                A    2.5.4.18

1079	      preferredDeliveryMethod      A    2.5.4.28
1080	      registeredAddress            A    2.5.4.26
1081	      residentialPerson            O    2.5.6.10
1082	      roleOccupant                 A    2.5.4.33
1083	      searchGuide                  A    2.5.4.14
1084	      seeAlso                      A    2.5.4.34
1085	      serialNumber                 A    2.5.4.5
1086	      sn                           A    2.5.4.4
1087	      st                           A    2.5.4.8
1088	      street                       A    2.5.4.9
1089	      telephoneNumber              A    2.5.4.20
1090	      teletexTerminalIdentifier    A    2.5.4.22
1091	      telexNumber                  A    2.5.4.21
1092	      title                        A    2.5.4.12
1093	      uid                          A    0.9.2342.19200300.100.1.1
1094	      uniqueMember                 A    2.5.4.50
1095	      userPassword                 A    2.5.4.35
1096	      x121Address                  A    2.5.4.24
1097	      x500UniqueIdentifier         A    2.5.4.45

1099	5.  Security Considerations

1101	   Attributes of directory entries are used to provide descriptive
1102	   information about the real-world objects they represent, which can be
1103	   people, organizations or devices.  Most countries have privacy laws
1104	   regarding the publication of information about people.

1106	   Transfer of cleartext passwords is strongly discouraged where the
1107	   underlying transport service cannot guarantee confidentiality and may
1108	   result in disclosure of the password to unauthorized parties.

1110	   Multiple attribute values for the userPassword needs to be used with
1111	   care. Especially reset/deletion of a password by an admin without
1112	   knowing the old user password gets tricky or impossible if multiple
1113	   values for different applications are present.

1115	   Certainly, applications which intend to replace the userPassword
1116	   value(s) with new value(s) should use modify/replaceValues (or
1117	   modify/deleteAttribute+addAttribute).  Additionally, server
1118	   implementations are encouraged to provide administrative controls
1119	   which, if enabled, restrict the userPassword attributer to one value.

1121	   Note that when used for authentication purposes [AuthMeth], the user
1122	   need only prove knowledge of one of the values, not all of
1123	   the values.

1125	6.  Acknowledgements

1127	   The definitions, on which this document is based, have been developed
1128	   by committees for telecommunications and international standards.

1130	   This document is an update of RFC 2256 by Mark Wahl.  RFC 2256 was a
1131	   product of the IETF ASID Working Group.

1133	   The dc attribute type definition in this document supercedes the
1134	   specification in RFC 2247 by S. Kille, M. Wahl, A. Grimstad,
1135	   R. Huber, and S. Sataluri.

1137	   The uid attribute type definition in this document supercedes the
1138	   specification of the userid in RFC 1274 by P. Barker and S. Kille
1139	   and of the uid in RFC 2798 by M. Smith.

1141	   This document is based upon input of the IETF LDAPBIS working group.
1142	   The author wishes to thank S. Legg and K. Zeilenga for their
1143	   significant contribution to this update.

1145	7.  References

1147	7.1  Normative

1149	   [E.123]  Notation for national and international telephone numbers,
1150	            ITU-T Recommendation E.123, 1988

1152	   [E.164]  The international public telecommunication numbering plan,
1153	            ITU-T Recommendation E.164, 1997

1155	   [ISO3166]  ISO 3166, "Codes for the representation of names of
1156	              countries".

1158	   [Models]  K. Zeilenga, "LDAP: The Models", draft-ietf-ldapbis-
1159	             models-xx (a work in progress)

1161	   [RFC1034]  P. Mockapetris, " DOMAIN NAMES - CONCEPTS AND
1162	              FACILITIES", RFC 1034,  January 1987

1164	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
1165	              Requirement Levels", RFC 2119, March 1997

1167	   [RFC2234]  Crocker, D., Overell P., "Augmented BNF for Syntax
1168	              Specifications: ABNF", RFC 2234, November 1997

1170	   [RFC3490]  Faltstrom P., Hoffman P., Costello A.,
1171	              "Internationalizing Domain Names in Applications (IDNA)",
1172	              RFC 3490, March 2003

1174	   [ROADMAP]  Zeilenga, K., "LDAP:  Technical Specification Road Map",
1175	              draft-ietf-ldapbis-roadmap-xx (a work in progress)

1177	   [Syntaxes]  S. Legg (editor), "LDAP: Syntaxes", draft-ietf-ldapbis-
1178	               syntaxes-xx (a work in progress)

1180	   [X.121]  International numbering plan for public data networks,
1181	            ITU-T Recommendation X.121, 1996

1183	   [X.509]  The Directory:  Authentication Framework, ITU-T
1184	            Recommendation X.509, 1993

1186	   [X.520]  The Directory: Selected Attribute Types, ITU-T
1187	            Recommendation X.520, 1993

1189	   [X.521]  The Directory: Selected Object Classes.  ITU-T
1190	            Recommendation X.521, 1993

1192	7.2  Informative

1194	   [AUTHMETH]  Harrison R., "LDAP: Authentication Methods and
1195	               Connection Level Security Mechanisms", draft-ietf-
1196	               ldapbis-authmeth-xx (a work in progress)

1198	   [F.1]  Operational Provisions For The International Public Telegram
1199	          Service Transmission System, CCITT Recommmendation F.1, 1992

1201	   [F.31]  Telegram Retransmission System, CCITT Recommendation
1202	           F.31, 1988

1204	   [LDAP-CERT]  Klasen, N., Gietz, P. "An LDAPv3 Schema for X.509
1205	                Certificates", Internet Draft draft-klasen-ldap-
1206	                x509certificate-schema-xx (a work in progress)

1208	   [LDAP-CRL]  Chadwick, D. W. and M. V. Sahalayev, "Internet X.509
1209	               Public Key Infrastructure - LDAP Schema for X.509 CRLs",
1210	               Internet Draft  draft-ietf-pkix-ldap-crl-schema-xx (a
1211	               work in progress)

1213	   [RFC1274]  Barker, P, Kille, S.,"The COSINE and Internet X.500
1214	              Schema", RFC 1274, November 1991

1216	   [RFC2247]  Kille, S., Wahl, M., Grimstad, A., Huber, R., and
1217	              Sataluri, S., "Using Domains in LDAP/X.500 Distinguished
1218	              Names", RFC 2247, January 1998

1220	   [RFC2798]  Smith, M., "Definition of the inetOrgPerson LDAP Object
1221	              Class", RFC 2798, April 2000

1223	   [RFC3377]  Hodges, J., Morgan, R., "Lightweight Directory Access
1224	              Protocol (v3):  Technical Specification", RFC 3377,
1225	              September 2002

1227	   [SASLprep]  Zeilenga K., "SASLprep: Stringprep profile for user
1228	               names and passwords", draft-ietf-sasl-saslprep-xx (a
1229	               work in progress)

1231	   [X.500]  The Directory, ITU-T Recommendations X.501-X.525, 1993

1233	8.  Author's Address

1235	   Kathy Dally
1236	   The MITRE Corp.
1237	   7515 Colshire Dr., H300
1238	   McLean VA 22102
1239	   USA

1241	   Phone:  +1 703 883 6058
1242	   Email:  kdally@mitre.org

1244	9.  Intellectual Property Rights (IPR) Disclosure

1246	   By submitting this Internet-Draft, I certify that any applicable
1247	   patent or other IPR claims of which I am aware have been disclosed,
1248	   or will be disclosed, and any of which I become aware will be
1249	   disclosed, in accordance with RFC 3668.

1251	10. IPR Notice

1253	   The IETF takes no position regarding the validity or scope of any
1254	   Intellectual Property Rights or other rights that might be claimed
1255	   to pertain to the implementation or use of the technology
1256	   described in this document or the extent to which any license
1257	   under such rights might or might not be available; nor does it
1258	   represent that it has made any independent effort to identify any
1259	   such rights.  Information on the procedures with respect to rights
1260	   in RFC documents can be found in BCP 78 and BCP 79.

1262	   Copies of IPR disclosures made to the IETF Secretariat and any
1263	   assurances of licenses to be made available, or the result of an
1264	   attempt made to obtain a general license or permission for the use
1265	   of such proprietary rights by implementers or users of this
1266	   specification can be obtained from the IETF on-line IPR repository
1267	   at http://www.ietf.org/ipr.

1269	   The IETF invites any interested party to bring to its attention any
1270	   copyrights, patents or patent applications, or otherproprietary
1271	   rights that may cover technology that may be required to implement
1272	   this standard.  Please address the information to the IETF at:
1273	   ietf-ipr@ietf.org.

1275	11.  Copyright Notice and Disclaimer

1277	   Copyright (C) The Internet Society (2004).  This document is
1278	   subject to the rights, licenses and restrictions contained in BCP
1279	   78, and except as set forth therein, the authors retain all their
1280	   rights.

1282	   This document and the information contained herein are provided on
1283	   an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
1284	   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND
1285	   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
1286	   EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
1287	   THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
1288	   ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
1289	   PARTICULAR PURPOSE.

1291	                    Appendix A  Changes Made Since RFC 2256

1293	   This appendix lists the changes that have been made from RFC 2256 to
1294	   this I-D.

1296	      1.  Replaced the document title.

1298	      2.  Removed the IESG Note.

1300	      3.  Dependencies on RFC 1274 have been eliminated.

1302	      4.  Added a Security Considerations section and an IANA
1303	          considerations section.

1305	      5.  Deleted the conformance requirement for subschema object
1306	          classes in favor of a statement in [Syntaxes].

1308	      6.  Added explanation to attribute types and to each object class.

1310	      7.  Removed Section 4, Syntaxes, and Section 6, Matching Rules,
1311	          (moved to [Syntaxes]).

1313	      8.  Removed the certificate-related attribute types:
1314	             authorityRevocationList,
1315	             cACertificate,
1316	             certificateRevocationList,
1317	             crossCertificatePair,
1318	             deltaRevocationList,
1319	             supportedAlgorithms, and
1320	             userCertificate.

1322	          Removed the certificate-related Object Classes:
1323	             certificationAuthority,
1324	             certificationAuthority-V2,
1325	             cRLDistributionPoint,
1326	             strongAuthenticationUser, and
1327	             userSecurityInformation

1329	          LDAP PKI is now discussed in [LDAP-CRL] and {LDAP-CERT].

1331	      9.  Removed the dmdName, knowledgeInformation,
1332	          presentationAddress, protocolInformation, and
1333	          supportedApplicationContext attribute types and the dmd,
1334	          applicationEntity, and dSA object classes.

1336	      10. Deleted the aliasedObjectName and objectClass attribute
1337	          type definitions.  Deleted the alias and top object class
1338	          definitions.  They are included in [Models].

1340	      11. Added the 'dc' attribute type from RFC 2247.

1342	      12. Numerous edititorial changes.

1344	      13. Removed upper bound after the SYNTAX oid in all attribute
1345	          definitions where it appeared.

1347	      14. Added text about Unicode, SASLprep and UTF-8 for userPassword.

1349	changes since 07:

1351	      15. Corrected examples in preferredDeliveryMethod, uniqueMember,
1352	          postalAddress, and registeredAddress attribute types.

1354	      16. Clarified and corrected examples in owner and roleOccupant
1355	          attribute types.

1357	      17. Added RFC 2234 to normative references.

1359	      18. Added RFC 1274 and RFC 2798 to informative references.

1361	      19. Removed the statement about RFC 2026 conformance.

1363	      20. Added the IPR Disclosure and Notice

1365	      21. Updated the Copyright text.