mirror of https://git.openldap.org/openldap/openldap.git (synced 2024-12-21 03:10:25 +08:00)

INTERNET-DRAFT                                    Editor: Kurt D. Zeilenga
Intended Category: Standard Track                       OpenLDAP Foundation
Expires in six months                                           17 May 2002


                      Collective Attributes in LDAP
                  <draft-zeilenga-ldap-collective-07.txt>


Status of this Memo

   This document is an Internet-Draft and is in full conformance with all
   provisions of Section 10 of RFC2026.

   This document is intended to be, after appropriate review and
   revision, submitted to the RFC Editor as a Standard Track document.
   Distribution of this memo is unlimited. Technical discussion of this
   document will take place on the IETF LDAP Extension Working Group
   mailing list <ietf-ldapext@netscape.com>. Please send editorial
   comments directly to the author <Kurt@OpenLDAP.org>.

   Internet-Drafts are working documents of the Internet Engineering Task
   Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.
   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   The list of current Internet-Drafts can be accessed at
   <http://www.ietf.org/ietf/1id-abstracts.txt>. The list of
   Internet-Draft Shadow Directories can be accessed at
   <http://www.ietf.org/shadow.html>.

   Copyright 2002, The Internet Society. All Rights Reserved.

   Please see the Copyright section near the end of this document for
   more information.


Abstract

   X.500 collective attributes allow common characteristics to be shared
   between collections of entries. This document summarizes the X.500
   information model for collective attributes and describes use of
   collective attributes in LDAP (Lightweight Directory Access Protocol).
   This document provides schema definitions for collective attributes
   for use in LDAP.



Zeilenga                draft-zeilenga-ldap-collective-07          [Page 1]
INTERNET-DRAFT          LDAP Collective Attributes           17 May 2002


Conventions

   Schema definitions are provided using LDAPv3 description formats
   [RFC2252]. Definitions provided here are formatted (line wrapped) for
   readability.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14 [RFC2119].


1. Introduction

   In X.500, a collective attribute is "a user attribute whose values are
   the same for each member of an entry collection" [X.501]. This
   document details their use in the Lightweight Directory Access
   Protocol (LDAP) [LDAPTS].


1.1. Entry Collections

   A collection of entries is a grouping of object and alias entries
   based upon common properties or a shared relationship between the
   corresponding entries, which share certain attributes. An entry
   collection consists of all entries within the scope of a collective
   attributes subentry [SUBENTRY]. An entry can belong to several entry
   collections.


1.2. Collective Attributes

   Attributes shared by the entries comprising an entry collection are
   called collective attributes. Values of collective attributes are
   visible to, but not updateable by, clients accessing entries within
   the collection. Collective attributes are updated (i.e. modified) via
   their associated collective attributes subentry.

   When an entry belongs to multiple entry collections, the entry's
   values of each collective attribute are combined such that the
   independent sources of these values are not manifested to clients.

   Entries can specifically exclude a particular collective attribute by
   listing the attribute as a value of the collectiveExclusions
   attribute. Like other user attributes, collective attributes are
   subject to a variety of controls including access, administrative, and
   content controls.


2. System Schema for Collective Attributes

   The following operational attributes are used to manage collective
   attributes. LDAP servers [LDAPTS] MUST act in accordance with the
   X.500 Directory Models [X.501] when providing this service.


2.1. collectiveAttributeSubentry

   Subentries of this object class are used to administer collective
   attributes and are referred to as collective attribute subentries.

      ( 2.5.20.2 NAME 'collectiveAttributeSubentry' AUXILIARY )

   A collective attribute subentry SHOULD contain at least one collective
   attribute. The collective attributes contained within a collective
   attribute subentry are available for finding, searching, and
   comparison at every entry within the scope of the subentry. The
   collective attributes, however, are administered (e.g. modified) via
   the subentry.

   Implementations of this specification SHOULD support collective
   attribute subentries in both collectiveAttributeSpecificArea
   (2.5.23.5) and collectiveAttributeInnerArea (2.5.23.6) administrative
   areas [SUBENTRY][X.501].


2.2. collectiveAttributeSubentries

   The collectiveAttributeSubentries operational attribute identifies all
   collective attribute subentries that affect the entry.

      ( 2.5.18.12 NAME 'collectiveAttributeSubentries'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
        USAGE directoryOperation NO-USER-MODIFICATION )


2.3. collectiveExclusions

   The collectiveExclusions operational attribute allows particular
   collective attributes to be excluded from an entry. It MAY appear in
   any entry and MAY have multiple values.

      ( 2.5.18.7 NAME 'collectiveExclusions'
        EQUALITY objectIdentifierMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
        USAGE directoryOperation )

   The descriptor excludeAllCollectiveAttributes is associated with the
   OID 2.5.18.0. When this descriptor or OID is present as a value of
   the collectiveExclusions attribute, all collective attributes are
   excluded from an entry.
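   The behaviour that sections 1.2 and 2.1 through 2.3 describe, worked
   through as an added Python model. This is example code written for
   this page; it is not part of the draft and not OpenLDAP's
   implementation. It shows an entry as a client reads it: collective
   values are contributed by every collective attribute subentry whose
   scope covers the entry, merged so the client cannot tell which subentry
   supplied which value, suppressed per entry by collectiveExclusions
   (by descriptor, by OID, or all at once via excludeAllCollectiveAttributes
   / 2.5.18.0), and refused when a client tries to modify them at the
   entry. Subentry scoping is simplified to "the subtree under an
   administrative point" (the real subtree specification is in
   [SUBENTRY]); the DNs, telephone values and the descriptor-to-OID table
   are constructed sample data.

```python
"""Effective-attribute resolution for collective attributes (added example)."""
from dataclasses import dataclass, field

# Section 2.3: comparing descriptors case-insensitively, as LDAP does.
EXCLUDE_ALL_DESCRIPTOR = "excludeallcollectiveattributes"
EXCLUDE_ALL_OID = "2.5.18.0"

# Descriptor -> OID for the collective types used in the sample (section 3 OIDs).
COLLECTIVE_OIDS = {
    "c-l": "2.5.4.7.1",
    "c-o": "2.5.4.10.1",
    "c-telephonenumber": "2.5.4.20.1",
}


@dataclass
class Subentry:
    dn: str
    admin_point: str     # subtree this subentry covers (simplified scope)
    collective: dict     # collective attribute descriptor -> set of values


@dataclass
class Entry:
    dn: str
    attrs: dict          # the entry's own (non-collective) attributes
    collective_exclusions: set = field(default_factory=set)


class CollectiveModifyError(Exception):
    """Raised when a client tries to update a collective attribute at an entry."""


def _norm(descriptor):
    return descriptor.strip().lower()


def in_scope(entry_dn, subentry):
    """True when the entry lies in the subtree rooted at the subentry's
    administrative point (simplified: DN suffix match on an RDN boundary)."""
    e, ap = _norm(entry_dn), _norm(subentry.admin_point)
    return e == ap or e.endswith("," + ap)


def is_excluded(entry, descriptor):
    """Apply collectiveExclusions: a value may name the attribute by descriptor
    or OID, or exclude everything with excludeAllCollectiveAttributes / 2.5.18.0."""
    exclusions = {_norm(x) for x in entry.collective_exclusions}
    if EXCLUDE_ALL_DESCRIPTOR in exclusions or EXCLUDE_ALL_OID in exclusions:
        return True
    d = _norm(descriptor)
    return d in exclusions or COLLECTIVE_OIDS.get(d) in exclusions


def effective_attributes(entry, subentries):
    """The entry as a reading client sees it (sections 1.2, 2.1, 2.2)."""
    result = {k: set(v) for k, v in entry.attrs.items()}
    applicable = [s for s in subentries if in_scope(entry.dn, s)]
    # 2.2: collectiveAttributeSubentries names the subentries affecting the entry.
    result["collectiveAttributeSubentries"] = {s.dn for s in applicable}
    for s in applicable:
        for descriptor, values in s.collective.items():
            if is_excluded(entry, descriptor):
                continue
            # 1.2: values from several collections are combined into one value set.
            result.setdefault(descriptor, set()).update(values)
    return result


def modify_entry(entry, descriptor, values):
    """Client modification of an entry: collective attributes are rejected
    because they are administered only via their subentry (1.2, 2.1)."""
    if _norm(descriptor) in COLLECTIVE_OIDS:
        raise CollectiveModifyError(
            f"{descriptor} is collective; modify the collective attribute subentry instead")
    entry.attrs[descriptor] = set(values)
    return entry


def modification_rejected(entry, descriptor, values):
    """True if the server would refuse this client modification."""
    try:
        modify_entry(entry, descriptor, values)
        return False
    except CollectiveModifyError:
        return True


# Constructed sample directory: an organization-wide subentry and a site one.
SUBENTRIES = [
    Subentry("cn=org collective,o=example", "o=example",
             {"c-o": {"Example Org"}, "c-TelephoneNumber": {"+1 555 0100"}}),
    Subentry("cn=site collective,ou=berlin,o=example", "ou=berlin,o=example",
             {"c-l": {"Berlin"}, "c-TelephoneNumber": {"+1 555 0199"}}),
]

ENTRIES = {
    "alice": Entry("cn=alice,ou=berlin,o=example", {"cn": {"alice"}}),
    "bob": Entry("cn=bob,ou=berlin,o=example", {"cn": {"bob"}}, {"c-TelephoneNumber"}),
    "carol": Entry("cn=carol,ou=berlin,o=example", {"cn": {"carol"}}, {"2.5.18.0"}),
    "dave": Entry("cn=dave,ou=paris,o=example", {"cn": {"dave"}}),
}

if __name__ == "__main__":
    for name, entry in ENTRIES.items():
        print(name, effective_attributes(entry, SUBENTRIES))
    print("c-l modify rejected:", modification_rejected(ENTRIES["alice"], "c-l", {"Munich"}))
```

   Running the block prints alice with both telephone values in one set,
   bob without c-TelephoneNumber, carol with no collective attributes at
   all (excluded by OID), and dave with only the organization-wide
   values; the attempted modification of c-l at alice's entry is refused.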


3. Collective Attribute Types

   A userApplications attribute type can be defined to be COLLECTIVE
   [RFC2252]. This indicates that the same attribute values will appear
   in the entries of an entry collection, subject to the use of the
   collectiveExclusions attribute and other administrative controls.
   These administrative controls MAY include DIT Content Rules, if
   implemented.

   Collective attribute types are commonly defined as subtypes of non-
   collective attribute types. By convention, collective attributes are
   named by prefixing the name of their non-collective supertype with
   "c-". For example, the collective telephone attribute is named
   c-TelephoneNumber after its non-collective supertype telephoneNumber.

   Non-collective attribute types SHALL NOT subtype collective
   attributes.

   Collective attributes SHALL NOT be SINGLE-VALUED. Collective
   attribute types SHALL NOT appear in the attribute types of an object
   class definition.

   Operational attributes SHALL NOT be defined to be collective.

   The remainder of this section provides a summary of collective
   attributes derived from those defined in [X.520]. The SUPerior
   attribute types are described in [RFC2256] for use with LDAP.

   Implementations of this specification SHOULD support the following
   collective attributes and MAY support additional collective
   attributes.
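   The definition format and the SHALL NOT rules of this section, as an
   added Python example that is not part of the draft and not OpenLDAP's
   schema code: a small parser for the RFC 2252 attribute type
   description syntax used throughout this document, followed by a
   checker that a schema loader could run to reject a COLLECTIVE type
   that is SINGLE-VALUE, a COLLECTIVE type with operational USAGE, or a
   non-collective type whose SUP is collective. The supertype
   definitions are abbreviated reconstructions in the style of RFC 2256
   (real OIDs, shortened bodies), the collective definitions are the ones
   from this document, and the three deliberately broken types use the
   placeholder arc 1.3.6.1.4.1.99999, which is not an assignment.

```python
"""RFC 2252 attribute type description parser and section 3 rule checker (added example)."""
import re

# Tokens: quoted strings, parentheses, or bare words (OIDs, keywords, noidlen).
_TOKEN = re.compile(r"'[^']*'|\(|\)|[^\s()']+")
_FLAGS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}
_ONE_ARG = {"DESC", "SUP", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "USAGE"}


def parse_attribute_type(text):
    """Parse one AttributeTypeDescription into a dict with lower-cased keys.
    USAGE defaults to userApplications, as in RFC 2252."""
    toks = _TOKEN.findall(text)
    if len(toks) < 3 or toks[0] != "(" or toks[-1] != ")":
        raise ValueError("attribute type description must be '( oid ... )'")
    at = {"oid": toks[1], "names": [], "usage": "userApplications"}
    i = 2
    while i < len(toks) - 1:
        kw = toks[i]
        i += 1
        if kw == "NAME":                       # 'x' or ( 'x' 'y' )
            if toks[i] == "(":
                i += 1
                while toks[i] != ")":
                    at["names"].append(toks[i].strip("'"))
                    i += 1
                i += 1
            else:
                at["names"].append(toks[i].strip("'"))
                i += 1
        elif kw in _FLAGS:
            at[kw.lower()] = True
        elif kw in _ONE_ARG:
            at[kw.lower()] = toks[i].strip("'")
            i += 1
        else:
            raise ValueError(f"unsupported keyword {kw!r} in {at['oid']}")
    return at


def check_collective_rules(descriptions):
    """Parse a whole schema and return the section 3 violations as strings."""
    types = [parse_attribute_type(d) for d in descriptions]
    index = {}                                 # oid or lower-cased name -> type
    for at in types:
        index[at["oid"]] = at
        for n in at["names"]:
            index[n.lower()] = at
    problems = []
    for at in types:
        name = at["names"][0] if at["names"] else at["oid"]
        sup = index.get(at.get("sup", "").lower())
        if at.get("collective"):
            if at.get("single-value"):
                problems.append(f"{name}: collective attributes SHALL NOT be SINGLE-VALUED")
            if at["usage"].lower() != "userapplications":
                problems.append(f"{name}: operational attributes SHALL NOT be collective "
                                f"(USAGE {at['usage']})")
        elif sup is not None and sup.get("collective"):
            problems.append(f"{name}: non-collective types SHALL NOT subtype "
                            f"collective attribute {sup['names'][0]}")
    return problems


# Abbreviated supertypes in the style of RFC 2256, plus definitions from this document.
SCHEMA_OK = [
    "( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )",
    "( 2.5.4.7 NAME ( 'l' 'localityName' ) SUP name )",
    "( 2.5.4.20 NAME 'telephoneNumber' EQUALITY telephoneNumberMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )",
    "( 2.5.4.7.1 NAME 'c-l' SUP l COLLECTIVE )",
    "( 2.5.4.20.1 NAME 'c-TelephoneNumber' SUP telephoneNumber COLLECTIVE )",
    "( 2.5.18.12 NAME 'collectiveAttributeSubentries' EQUALITY distinguishedNameMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 USAGE directoryOperation NO-USER-MODIFICATION )",
]

# Constructed violations; 1.3.6.1.4.1.99999 is a placeholder arc, not an assignment.
SCHEMA_BAD = SCHEMA_OK + [
    "( 1.3.6.1.4.1.99999.1 NAME 'c-singleLocality' SUP l COLLECTIVE SINGLE-VALUE )",
    "( 1.3.6.1.4.1.99999.2 NAME 'c-opPhone' SUP telephoneNumber COLLECTIVE USAGE directoryOperation )",
    "( 1.3.6.1.4.1.99999.3 NAME 'siteLocality' SUP c-l )",
]

if __name__ == "__main__":
    print("valid schema problems:", check_collective_rules(SCHEMA_OK))
    for p in check_collective_rules(SCHEMA_BAD):
        print("violation:", p)
```

   The rule "collective attribute types SHALL NOT appear in the attribute
   types of an object class definition" is not checked here because the
   block parses only attribute type descriptions; an object class loader
   would apply the same index lookup to each MUST and MAY member.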


3.1. Collective Locality Name

   The c-l attribute type specifies a locality name for a collection of
   entries.

      ( 2.5.4.7.1 NAME 'c-l'
        SUP l COLLECTIVE )


3.2. Collective State or Province Name

   The c-st attribute type specifies a state or province name for a
   collection of entries.

      ( 2.5.4.8.1 NAME 'c-st'
        SUP st COLLECTIVE )


3.3. Collective Street Address

   The c-street attribute type specifies a street address for a
   collection of entries.

      ( 2.5.4.9.1 NAME 'c-street'
        SUP street COLLECTIVE )


3.4. Collective Organization Name

   The c-o attribute type specifies an organization name for a collection
   of entries.

      ( 2.5.4.10.1 NAME 'c-o'
        SUP o COLLECTIVE )


3.5. Collective Organizational Unit Name

   The c-ou attribute type specifies an organizational unit name for a
   collection of entries.

      ( 2.5.4.11.1 NAME 'c-ou'
        SUP ou COLLECTIVE )


3.6. Collective Postal Address

   The c-PostalAddress attribute type specifies a postal address for a
   collection of entries.

      ( 2.5.4.16.1 NAME 'c-PostalAddress'
        SUP postalAddress COLLECTIVE )


3.7. Collective Postal Code

   The c-PostalCode attribute type specifies a postal code for a
   collection of entries.

      ( 2.5.4.17.1 NAME 'c-PostalCode'
        SUP postalCode COLLECTIVE )


3.8. Collective Post Office Box

   The c-PostOfficeBox attribute type specifies a post office box for a
   collection of entries.

      ( 2.5.4.18.1 NAME 'c-PostOfficeBox'
        SUP postOfficeBox COLLECTIVE )


3.9. Collective Physical Delivery Office Name

   The c-PhysicalDeliveryOfficeName attribute type specifies a physical
   delivery office name for a collection of entries.

      ( 2.5.4.19.1 NAME 'c-PhysicalDeliveryOfficeName'
        SUP physicalDeliveryOfficeName COLLECTIVE )


3.10. Collective Telephone Number

   The c-TelephoneNumber attribute type specifies a telephone number for
   a collection of entries.

      ( 2.5.4.20.1 NAME 'c-TelephoneNumber'
        SUP telephoneNumber COLLECTIVE )


3.11. Collective Telex Number

   The c-TelexNumber attribute type specifies a telex number for a
   collection of entries.

      ( 2.5.4.21.1 NAME 'c-TelexNumber'
        SUP telexNumber COLLECTIVE )


3.13. Collective Facsimile Telephone Number

   The c-FacsimileTelephoneNumber attribute type specifies a facsimile
   telephone number for a collection of entries.

      ( 2.5.4.23.1 NAME 'c-FacsimileTelephoneNumber'
        SUP facsimileTelephoneNumber COLLECTIVE )


3.14. Collective International ISDN Number

   The c-InternationalISDNNumber attribute type specifies an
   international ISDN number for a collection of entries.

      ( 2.5.4.25.1 NAME 'c-InternationalISDNNumber'
        SUP internationalISDNNumber COLLECTIVE )


4. Security Considerations

   Collective attributes are not believed to introduce any additional
   security considerations to LDAP [LDAPTS].


5. IANA Considerations

   It is requested that IANA register the LDAP descriptors used in this
   document per the following registration template:

      Subject: Request for LDAP Descriptor Registration
      Descriptor (short name): see comment
      Object Identifier: see comment
      Person & email address to contact for further information:
         Kurt Zeilenga <kurt@OpenLDAP.org>
      Usage: see comment
      Specification: RFCXXXX
      Author/Change Controller: IESG
      Comments:

         NAME                            Type   OID
         ------------------------------  ----   -----------------
         c-FacsimileTelephoneNumber      A      2.5.4.23.1
         c-InternationalISDNNumber       A      2.5.4.25.1
         c-PhysicalDeliveryOffice        A      2.5.4.19.1
         c-PostOfficeBox                 A      2.5.4.18.1
         c-PostalAddress                 A      2.5.4.16.1
         c-PostalCode                    A      2.5.4.17.1
         c-TelephoneNumber               A      2.5.4.20.1
         c-TelexNumber                   A      2.5.4.21.1
         c-l                             A      2.5.4.7.1
         c-o                             A      2.5.4.10.1
         c-ou                            A      2.5.4.11.1
         c-st                            A      2.5.4.8.1
         c-street                        A      2.5.4.9.1
         collectiveAttributeSubentries   A      2.5.18.12
         collectiveAttributeSubentry     O      2.5.20.2
         collectiveExclusions            A      2.5.18.7

         where Type A is Attribute and Type O is ObjectClass.

   The OIDs used in this document were assigned by the ISO/IEC Joint
   Technical Committee 1 - Subcommittee 6 to identify elements of X.500
   schema. This document makes no OID assignments; it only associates
   LDAP schema descriptions with existing elements of X.500 schema.


6. Acknowledgments

   This document is based upon the ITU Recommendations for the Directory
   [X.501][X.520].


7. Author's Address

   Kurt D. Zeilenga
   OpenLDAP Foundation
   <Kurt@OpenLDAP.org>


8. Normative References

   [RFC2119]  S. Bradner, "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14 (also RFC 2119), March 1997.

   [RFC2251]  M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
              Protocol (v3)", RFC 2251, December 1997.

   [RFC2252]  M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight
              Directory Access Protocol (v3): Attribute Syntax
              Definitions", RFC 2252, December 1997.

   [RFC2256]  M. Wahl, "A Summary of the X.500(96) User Schema for use
              with LDAPv3", RFC 2256, December 1997.

   [LDAPTS]   J. Hodges, R.L. Morgan, "Lightweight Directory Access
              Protocol (v3): Technical Specification",
              draft-ietf-ldapbis-ldapv3-ts-xx.txt, a work in progress.

   [SUBENTRY] K. Zeilenga, S. Legg, "Subentries in LDAP",
              draft-zeilenga-ldap-subentry-xx.txt, a work in progress.

   [X.501]    "The Directory: Models", ITU-T Recommendation X.501, 1993.


9. Informative References

   [X.500]    "The Directory: Overview of Concepts, Models", ITU-T
              Recommendation X.500, 1993.

   [X.520]    "The Directory: Selected Attribute Types", ITU-T
              Recommendation X.520, 1993.


Copyright 2002, The Internet Society. All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published and
   distributed, in whole or in part, without restriction of any kind,
   provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be followed,
   or as required to translate it into languages other than English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.