mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-12 10:54:48 +08:00
1012 lines
37 KiB
Plaintext
1012 lines
37 KiB
Plaintext
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Network Working Group A. Grimstad
|
|||
|
Request for Comments: 2377 R. Huber
|
|||
|
Category: Informational AT&T
|
|||
|
S. Sataluri
|
|||
|
Lucent Technologies
|
|||
|
M. Wahl
|
|||
|
Critical Angle Inc.
|
|||
|
September 1998
|
|||
|
|
|||
|
|
|||
|
Naming Plan for Internet Directory-Enabled Applications
|
|||
|
|
|||
|
Status of this Memo
|
|||
|
|
|||
|
This memo provides information for the Internet community. It does
|
|||
|
not specify an Internet standard of any kind. Distribution of this
|
|||
|
memo is unlimited.
|
|||
|
|
|||
|
Copyright Notice
|
|||
|
|
|||
|
Copyright (C) The Internet Society (1998). All Rights Reserved.
|
|||
|
|
|||
|
Abstract
|
|||
|
|
|||
|
Application of the conventional X.500 approach to naming has
|
|||
|
heretofore, in the experience of the authors, proven to be an
|
|||
|
obstacle to the wide deployment of directory-enabled applications on
|
|||
|
the Internet. We propose a new directory naming plan that leverages
|
|||
|
the strengths of the most popular and successful Internet naming
|
|||
|
schemes for naming objects in a hierarchical directory. This plan
|
|||
|
can, we believe, by extending the X.500 approach to naming,
|
|||
|
facilitate the creation of an Internet White Pages Service (IWPS) and
|
|||
|
other directory-enabled applications by overcoming the problems
|
|||
|
encountered by those using the conventional X.500 approach.
|
|||
|
|
|||
|
1.0 Executive Summary
|
|||
|
|
|||
|
Application of the conventional X.500 approach to naming has
|
|||
|
heretofore, in the experience of the authors, proven to be an
|
|||
|
obstacle to the wide deployment of directory-enabled applications on
|
|||
|
the Internet. The required registration infrastructure is either
|
|||
|
non-existent or largely ignored. The infrastructure that does exist
|
|||
|
is cumbersome to use and tends to produce counterproductive results.
|
|||
|
The attributes used for naming have been confusing for users and
|
|||
|
inflexible to managers and operators of directory servers.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Grimstad, et. al. Informational [Page 1]
|
|||
|
|
|||
|
RFC 2377 A Directory Naming Plan September 1998
|
|||
|
|
|||
|
|
|||
|
This paper describes a directory naming plan for the construction of
|
|||
|
an Internet directory infrastructure to support directory-enabled
|
|||
|
applications that can serve as an alternative (or extension) to the
|
|||
|
conventional X.500 approach.
|
|||
|
|
|||
|
The plan has the following two main features. First, it bases the
|
|||
|
root and upper portions of the name hierarchy on the existing
|
|||
|
infrastructure of names from the Domain Name System (DNS). This
|
|||
|
component of the plan makes use of the ideas described in the
|
|||
|
companion paper to this plan, "Using Domains in LDAP Distinguished
|
|||
|
Names" [1]. And second, it provides a number of options for the
|
|||
|
assignment of names to directory leaf objects such as person objects,
|
|||
|
including an option that allows the reuse of existing Internet
|
|||
|
identifiers for people.
|
|||
|
|
|||
|
Just as the conventional X.500 style of naming is not a formal
|
|||
|
standard, use of the naming plan described here is not obligatory for
|
|||
|
directory-enabled applications on the Internet. Other approaches are
|
|||
|
permissible. However, we believe widespread use of this plan will
|
|||
|
largely eliminate naming as a typically thorny issue when
|
|||
|
administrators set up an LDAP-based directory service. Further, we
|
|||
|
strongly encourage developers of directory-enabled products,
|
|||
|
especially LDAP clients and user interfaces, to assume that this
|
|||
|
naming plan will see widespread use and design their products
|
|||
|
accordingly.
|
|||
|
|
|||
|
Here, in summary, is our proposal.
|
|||
|
|
|||
|
The upper portions of the hierarchical directory tree should be
|
|||
|
constructed using the components of registered DNS names using the
|
|||
|
domain component attribute "dc". The directory name for the
|
|||
|
organization having the domain name "acme.com" will then be, e.g.,
|
|||
|
|
|||
|
dc=acme, dc=com
|
|||
|
|
|||
|
Organizations can add additional directory structure, for example to
|
|||
|
support implementation of access control lists or partitioning of
|
|||
|
their directory information, by using registered subdomains of DNS
|
|||
|
names, e.g., the subdomain "corporate.acme.com" can be used as the
|
|||
|
basis for the directory name
|
|||
|
|
|||
|
dc=corporate, dc=acme, dc=com
|
|||
|
|
|||
|
For naming directory leaf objects such as persons, groups, server
|
|||
|
applications and certification authorities in a hierarchical
|
|||
|
directory, we propose the use of either the "uid" (user identifier)
|
|||
|
or the "cn" (common name) attribute for the relative distinguished
|
|||
|
name. This plan does not constrain how these two attributes are used.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Grimstad, et. al. Informational [Page 2]
|
|||
|
|
|||
|
RFC 2377 A Directory Naming Plan September 1998
|
|||
|
|
|||
|
|
|||
|
One approach to their use, for example, is to employ the uid
|
|||
|
attribute as the RDN when reusing an existing store of identifiers
|
|||
|
and the cn attribute as the RDN when creating new identifiers
|
|||
|
specifically for the directory. A convenient existing identification
|
|||
|
scheme for person objects is the RFC822 mailbox identifier. So an RDN
|
|||
|
for person employing this store of identifiers would be, e.g.,
|
|||
|
|
|||
|
uid=John.Smith@acme.com
|
|||
|
|
|||
|
For leaf objects not conveniently identified with such a scheme, the
|
|||
|
"cn" attribute is used, e.g.,
|
|||
|
|
|||
|
cn=Reading Room
|
|||
|
|
|||
|
Directory distinguished names will thus have the following structure,
|
|||
|
e.g.,
|
|||
|
|
|||
|
uid=John.Smith@acme.com, dc=acme, dc=com
|
|||
|
uid=Mary.Jones@acme.com, dc=corporate, dc=acme, dc=com
|
|||
|
uid=J.Smith@worldnet.att.net, dc=legal, dc=acme, dc=com
|
|||
|
cn=Reading Room, dc=physics, dc=national-lab, dc=edu
|
|||
|
|
|||
|
2.0 The Problem
|
|||
|
|
|||
|
The X.500 Directory model [2] can be used to create a world-wide
|
|||
|
distributed directory. The Internet X.500 Directory Pilot has been
|
|||
|
operational for several years and has grown to a size of about 1.5
|
|||
|
million entries of varying quality. The rate of growth of the pilot
|
|||
|
is far lower than the rate of growth of the Internet during the pilot
|
|||
|
period.
|
|||
|
|
|||
|
There are a substantial number of contributing factors that have
|
|||
|
inhibited the growth of this pilot. The common X.500 approach to
|
|||
|
naming, while not the preponderant problem, has contributed in
|
|||
|
several ways to limit the growth of an Internet White Pages Service
|
|||
|
based on X.500.
|
|||
|
|
|||
|
The conventional way to construct names in the X.500 community is
|
|||
|
documented as an informative (i.e., not officially standardized)
|
|||
|
Annex B to X.521. The relative distinguished name (RDN) of a user
|
|||
|
consists of a common name (cn) attribute. This is meant to be what --
|
|||
|
in the user's particular society -- is customarily understood to be
|
|||
|
the name of that user. The distinguished name of a user is the
|
|||
|
combination of the name of some general object, such as an
|
|||
|
organization or a geographical unit, with the common name. There are
|
|||
|
two main problems with this style of name construction.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Grimstad, et. al. Informational [Page 3]
|
|||
|
|
|||
|
RFC 2377 A Directory Naming Plan September 1998
|
|||
|
|
|||
|
|
|||
|
First, the common name attribute, while seeming to be user-friendly,
|
|||
|
cannot be used generally as an RDN in practice. In any significant
|
|||
|
set of users to be named under the same Directory Information Tree
|
|||
|
(DIT) node there will be collisions on common name. There is no way
|
|||
|
to overcome this other than either by forcing uniqueness on common
|
|||
|
names, something they do not possess, or by using an additional
|
|||
|
attribute to prevent collisions. This additional attribute normally
|
|||
|
needs to be unique in a much larger context to have any practical
|
|||
|
value. The end result is a RDN that is very long and unpopular with
|
|||
|
users.
|
|||
|
|
|||
|
Second, and more serious, X.500 has not been able to use any
|
|||
|
significant number of pre-existing names. Since X.500 naming models
|
|||
|
typically use organization names as part of the hierarchy [2, 3],
|
|||
|
organization names must be registered. As organization names are
|
|||
|
frequently tied to trademarks and are used in sales and promotions,
|
|||
|
registration can be a difficult and acrimonious process.
|
|||
|
|
|||
|
The North American Directory Forum (NADF, now the North Atlantic
|
|||
|
Directory Forum but still the NADF) proposed to avoid the problem of
|
|||
|
registration by using names that were already registered in the
|
|||
|
"civil naming infrastructure" [4][5]. Directory distinguished names
|
|||
|
would be based on an organization's legal name as recognized by some
|
|||
|
governmental agency (county clerk, state secretary of state, etc.) or
|
|||
|
other registering entity such as ANSI.
|
|||
|
|
|||
|
This scheme has the significant advantage of keeping directory
|
|||
|
service providers out of disputes about the right to use a particular
|
|||
|
name, but it leads to rather obscure names. Among these obscurities,
|
|||
|
the legal name almost invariably takes a form that is less familiar
|
|||
|
and longer than what users typically associate with the organization.
|
|||
|
For example, in the US a large proportion of legal organization names
|
|||
|
end with the text ", Inc." as in "Acme, Inc." Moreover, in the case
|
|||
|
of the US, the civil naming infrastructure does not operate
|
|||
|
nationally, so the organization names it provides must be located
|
|||
|
under state and regional DIT nodes, making them difficult to find
|
|||
|
while browsing the directory. NADF proposes a way to algorithmically
|
|||
|
derive multi-attribute RDNs which would allow placement of entries or
|
|||
|
aliases in more convenient places in the DIT, but these derived names
|
|||
|
are cumbersome and unpopular. For example, suppose Nadir is an
|
|||
|
organization that is registered in New Jersey civil naming
|
|||
|
infrastructure under the name "Nadir Networks, Inc." Its civil
|
|||
|
distinguished name (DN) would then be
|
|||
|
|
|||
|
o="Nadir Networks, Inc.", st=New Jersey, c=US
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Grimstad, et. al. Informational [Page 4]
|
|||
|
|
|||
|
RFC 2377 A Directory Naming Plan September 1998
|
|||
|
|
|||
|
|
|||
|
while its derived name which is unambiguous under c=US directly is
|
|||
|
|
|||
|
o="Nadir Networks, Inc." + st=New Jersey, c=US
|
|||
|
|
|||
|
More generally, the requirement for registration of organizations in
|
|||
|
X.500 naming has led to the establishment of national registration
|
|||
|
authorities whose function is mainly limited to assignment of X.500
|
|||
|
organization names. Because of the very limited attraction of X.500,
|
|||
|
interest in registering an organization with one of these national
|
|||
|
authorities has been minimal. Finally, multi-national organizations
|
|||
|
are frustrated by a lack of an international registration authority.
|
|||
|
|
|||
|
3.0 Requirements
|
|||
|
|
|||
|
A directory naming plan must provide a guide for the construction of
|
|||
|
names (identifiers, labels) for directory objects that are
|
|||
|
unambiguous (identify only one directory object) within some context
|
|||
|
(namespace), at a minimum within one isolated directory server.
|
|||
|
|
|||
|
A directory object is simply a set of attribute values. The
|
|||
|
association between a real-world object and a directory object is
|
|||
|
made by directory-enabled applications and is, in the general case,
|
|||
|
one to many.
|
|||
|
|
|||
|
The following additional naming characteristics are requirements that
|
|||
|
this naming plan seeks to satisfy:
|
|||
|
|
|||
|
a) hierarchical
|
|||
|
|
|||
|
The Internet, consisting of a very large number of objects and
|
|||
|
management domains, requires hierarchical names. Such names permit
|
|||
|
delegation in the name assignment process and partitioning of
|
|||
|
directory information among directory servers.
|
|||
|
|
|||
|
b) friendly to loose coupling of directory servers
|
|||
|
|
|||
|
One purpose of this naming plan is to define a naming pattern that
|
|||
|
will facilitate one form or another of loose coupling of potentially
|
|||
|
autonomous directory servers into a larger system.
|
|||
|
|
|||
|
A name in such a loosely-coupled system should unambiguously identify
|
|||
|
one real-world object. The real-world object may, however, be
|
|||
|
represented differently (i.e. by different directory objects having
|
|||
|
different attributes but the same DN) in different (e.g.
|
|||
|
independently managed) servers in the loosely-coupled system. The
|
|||
|
plan does not attempt to produce names to overcome this likely
|
|||
|
scenario. That is, it does not attempt to produce a single namespace
|
|||
|
for all directory objects. (This issue is considered in more detail
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Grimstad, et. al. Informational [Page 5]
|
|||
|
|
|||
|
RFC 2377 A Directory Naming Plan September 1998
|
|||
|
|
|||
|
|
|||
|
in Section 5.1.)
|
|||
|
|
|||
|
c) readily usable by LDAP clients and servers
|
|||
|
|
|||
|
As of this writing, a substantial number of the Lightweight Directory
|
|||
|
Access Protocol (LDAP) [6][7] implementations are currently available
|
|||
|
or soon will be. The names specified by this naming plan should be
|
|||
|
readily usable by these implementations and applications based on
|
|||
|
them.
|
|||
|
|
|||
|
d) friendly to re-use of existing Internet name registries
|
|||
|
|
|||
|
As described in Section 2 above, creation of new global name
|
|||
|
registries has been highly problematic. Therefore, a fundamental
|
|||
|
requirement this plan addresses is to enable the reuse of existing
|
|||
|
Internet name registries such as DNS names and RFC822 mailbox
|
|||
|
identifiers when constructing directory names.
|
|||
|
|
|||
|
e) minimally user-friendly
|
|||
|
|
|||
|
Although we expect that user interfaces of directory-enabled
|
|||
|
applications will avoid exposing users to DNs, it is unlikely that
|
|||
|
users can be totally insulated from them. For this reason, the
|
|||
|
naming plan should permit use of familiar information in name
|
|||
|
construction. Minimally, a user should be capable of recognizing the
|
|||
|
information encoded in his/her own DN. Names that are totally opaque
|
|||
|
to users cannot meet this requirement.
|
|||
|
|
|||
|
4.0 Name Construction
|
|||
|
|
|||
|
The paper assumes familiarity with the terminology and concepts
|
|||
|
behind the terms distinguished name (DN) and relative distinguished
|
|||
|
name (RDN) [2][8][9].
|
|||
|
|
|||
|
We describe how DNs can be constructed using three attribute types,
|
|||
|
domainComponent (dc), userID (uid) and commonName (cn). They are
|
|||
|
each described in turn.
|
|||
|
|
|||
|
4.1 Domain Component (dc)
|
|||
|
|
|||
|
The domain component attribute is defined and registered in RFC1274
|
|||
|
[3][10]. It is used in the construction of a DN from a domain name.
|
|||
|
Details of the construction algorithm is described in "Using Domains
|
|||
|
in LDAP Distinguished Names" [1].
|
|||
|
|
|||
|
An organization wishing to deploy a directory following this naming
|
|||
|
plan would proceed as follows. Consider an organization, for example
|
|||
|
"Acme, Inc.", having the registered domain name "acme.com". It would
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Grimstad, et. al. Informational [Page 6]
|
|||
|
|
|||
|
RFC 2377 A Directory Naming Plan September 1998
|
|||
|
|
|||
|
|
|||
|
construct the DN
|
|||
|
|
|||
|
dc=acme, dc=com
|
|||
|
|
|||
|
from its domain name. It would then use this DN as the root of its
|
|||
|
subtree of directory information.
|
|||
|
|
|||
|
The DN itself can be used to identify a directory organization object
|
|||
|
that represents information about the organization. The directory
|
|||
|
schema required to enable this is described below in section 5.2.
|
|||
|
|
|||
|
The subordinates of the DN will be directory objects related to the
|
|||
|
organization. The domain component attribute can be used to name
|
|||
|
subdivisions of the organization such as organizational units and
|
|||
|
localities. Acme, for example, might use the domain names
|
|||
|
"corporate.acme.com" and "richmond.acme.com" to construct the names
|
|||
|
|
|||
|
dc=corporate, dc=acme, dc=com
|
|||
|
dc=richmond, dc=acme, dc=com
|
|||
|
|
|||
|
under which to place its directory objects. The directory schema
|
|||
|
required to name organizationalUnit and locality objects in this way
|
|||
|
is described below in section 5.2.
|
|||
|
|
|||
|
Note that subdivisions of the organization such as organizational
|
|||
|
units and localities could also be assigned RDNs using the
|
|||
|
conventional X.500 naming attributes, e.g.
|
|||
|
|
|||
|
ou=corporate, dc=acme, dc=com
|
|||
|
l=richmond, dc=acme, dc=com.
|
|||
|
|
|||
|
Use of the dc attribute for the RDN of directory objects of class
|
|||
|
"domain" is also possible [1].
|
|||
|
|
|||
|
4.2 User ID (uid)
|
|||
|
|
|||
|
The userid (uid) attribute is defined and registered in RFC1274
|
|||
|
[3][10].
|
|||
|
|
|||
|
This attribute may be used to construct the RDN for directory objects
|
|||
|
subordinate to objects named according to the procedure described in
|
|||
|
Section 4.1. This plan does not constrain how this attribute is
|
|||
|
used.
|
|||
|
|
|||
|
4.3 Common Name (cn)
|
|||
|
|
|||
|
The commonName (cn) attribute is defined and registered in X.500
|
|||
|
[3][11].
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Grimstad, et. al. Informational [Page 7]
|
|||
|
|
|||
|
RFC 2377 A Directory Naming Plan September 1998
|
|||
|
|
|||
|
|
|||
|
This attribute may be used to construct the RDN for directory objects
|
|||
|
subordinate to objects named according to the procedure described in
|
|||
|
Section 4.1. This plan does not constrain how this attribute is
|
|||
|
used.
|
|||
|
|
|||
|
4.4 Examples of uid and cn Usage
|
|||
|
|
|||
|
Although this plan places no constraints on the use of the uid and cn
|
|||
|
attributes for name construction, we would like to offer some
|
|||
|
suggestions by way of examples.
|
|||
|
|
|||
|
In practice, we have used uid for the RDN for person objects were we
|
|||
|
could make use of an existing registry of names and cn for other
|
|||
|
objects.
|
|||
|
|
|||
|
Examples of existing registries of identifiers for person objects are
|
|||
|
RFC822 mailbox identifiers, employee numbers and employee "handles".
|
|||
|
Aside from the convenience to administrators of re-use of an existing
|
|||
|
store of identifiers, if it is ever necessary to display to a user
|
|||
|
his/her DN, there is some hope that it will be recognizable when such
|
|||
|
identifiers are used.
|
|||
|
|
|||
|
We have found RFC822 mailbox identifiers a particularly convenient
|
|||
|
source for name construction. When a person has several e-mail
|
|||
|
addresses, one will be selected for the purpose of user
|
|||
|
identification. We call this the "distinguished" e-mail address or
|
|||
|
the "distinguished" RFC822 mailbox identifier for the user.
|
|||
|
|
|||
|
For example, if there is a user affiliated with the organization Acme
|
|||
|
having distinguished e-mail address J.Smith@acme.com, the uid
|
|||
|
attribute will be:
|
|||
|
|
|||
|
uid=J.Smith@acme.com
|
|||
|
|
|||
|
The domain component attributes of a user's DN will normally be
|
|||
|
constructed from the domain name of his/her distinguished e-mail
|
|||
|
address. That is, for the user uid=J.Smith@acme.com the domain
|
|||
|
component attributes would typically be:
|
|||
|
|
|||
|
dc=acme, dc=com
|
|||
|
|
|||
|
The full LDAP DN for this user would then be:
|
|||
|
|
|||
|
uid=J.Smith@acme.com, dc=acme, dc=com
|
|||
|
|
|||
|
Directory administrators having several RFC822 identifiers to choose
|
|||
|
from when constructing a DN for a user should consider the following
|
|||
|
factors:
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Grimstad, et. al. Informational [Page 8]
|
|||
|
|
|||
|
RFC 2377 A Directory Naming Plan September 1998
|
|||
|
|
|||
|
|
|||
|
o Machine-independent addresses are likely to be more stable,
|
|||
|
resulting in directory names that change less. Thus an
|
|||
|
identifier such as:
|
|||
|
|
|||
|
js@acme.com
|
|||
|
|
|||
|
may well be preferable to one such as:
|
|||
|
|
|||
|
js@blaster.third-floor.acme.com.
|
|||
|
|
|||
|
o Use of some form of "handle" for the "local" part that is
|
|||
|
distinct from a user's real name may result in fewer collisions
|
|||
|
and thereby lessen user pain and suffering. Thus the
|
|||
|
identifier:
|
|||
|
|
|||
|
js@acme.com
|
|||
|
|
|||
|
may well be preferable to one such as:
|
|||
|
|
|||
|
J.Smith@acme.com
|
|||
|
|
|||
|
Practical experience with use of the RFC822 mailbox identifier scheme
|
|||
|
described here has shown that there are situations where it is
|
|||
|
convenient to use such identifies for all users in a particular
|
|||
|
population, although a few users do not, in fact, possess working
|
|||
|
mailboxes. For example, an organization may have a existing unique
|
|||
|
identification scheme for all employees that is used as a alias to
|
|||
|
the employees' real mailboxes -- which may be quite heterogeneous in
|
|||
|
structure. The identification scheme works for all employees to
|
|||
|
identify unambiguously each employee; it only works as an e-mail
|
|||
|
alias for those employees having real mailboxes. For this reason it
|
|||
|
would be a bad assumption for directory-enabled applications to
|
|||
|
assume the uid to be a valid mailbox; the value(s) of the mail
|
|||
|
attribute should always be checked.
|
|||
|
|
|||
|
It is important to emphasize that the elements of the domain name of
|
|||
|
an RFC822 identifier may, BUT NEED NOT, be the same as the domain
|
|||
|
components of the DN. This means that the domain components provide
|
|||
|
a degree of freedom to support access control or other directory
|
|||
|
structuring requirements that need not be mechanically reflected in
|
|||
|
the user's e-mail address. We do not want under any condition to
|
|||
|
force the user's e-mail address to change just to facilitate a new
|
|||
|
system requirement such as a modification in an access control
|
|||
|
structure. It should also be noted that while we do not require that
|
|||
|
the domain components match the RFC822 identifier, we DO require that
|
|||
|
the concatenated domain components form a registered domain name,
|
|||
|
that is, one that is represented in the DNS. This automatically
|
|||
|
avoids name conflicts in the directory hierarchy.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Grimstad, et. al. Informational [Page 9]
|
|||
|
|
|||
|
RFC 2377 A Directory Naming Plan September 1998
|
|||
|
|
|||
|
|
|||
|
To provide an example of a DN which deviates from what might be
|
|||
|
considered the default structure, consider the following scenario.
|
|||
|
|
|||
|
Suppose that J.Smith needs to be granted special permissions to
|
|||
|
information in the dc=acme, dc=com part of the LDAP DIT. Since it
|
|||
|
will be, in general, easier to organize special users by their name
|
|||
|
structure than via groups (an arbitrary collection of DNs), we use
|
|||
|
subdomains for this purpose. Suppose the special permissions were
|
|||
|
required by users in the MIS organizational unit. A subdomain
|
|||
|
"mis.acme.com" is established, if it does not already exist,
|
|||
|
according to normal DNS procedures. The special permissions will be
|
|||
|
granted to users with the name structure:
|
|||
|
|
|||
|
uid=*, dc=mis, dc=acme, dc=com
|
|||
|
|
|||
|
The DN of J.Smith in this case will be:
|
|||
|
|
|||
|
uid=J.Smith@acme.com, dc=mis, dc=acme, dc=com
|
|||
|
|
|||
|
In principal, there is nothing to prevent the domain name elements of
|
|||
|
the RFC822 identifier from being completely different from the domain
|
|||
|
components of the DN. For instance, the DN for a J.Smith could be:
|
|||
|
|
|||
|
uid=J.Smith@worldnet.att.net, dc=mis, dc=acme, dc=com
|
|||
|
|
|||
|
While we do not REQUIRE that the domain name part of the uid match
|
|||
|
the dc components of the directory distinguished name, we suggest
|
|||
|
that this be done where possible. At a minimum, if the most
|
|||
|
significant pieces of the DN and the uid are the same (i.e.,
|
|||
|
"dc=acme, dc=com" and "acme.com") the likelihood, based on a
|
|||
|
knowledge of a user's e-mail address, of discovering an appropriate
|
|||
|
directory system to contact to find information about the user is
|
|||
|
greatly enhanced.
|
|||
|
|
|||
|
The example above represents a situation where this suggestion isn't
|
|||
|
possible because some of the users in a population have mailbox
|
|||
|
identifiers that differ from the pattern of the rest of the users,
|
|||
|
e.g., most mailboxes are of the form local@acme.com, but a
|
|||
|
subpopulation have mailboxes from an ISP and therefore mailboxes of
|
|||
|
the form local@worldnet.att.net.
|
|||
|
|
|||
|
5.0 Naming Plan and Directories
|
|||
|
|
|||
|
5.1 Directory Services Considerations
|
|||
|
|
|||
|
We envision the deployment of LDAP-based directory services on the
|
|||
|
Internet to take the form of loosely coupled LDAP servers. This
|
|||
|
coupling will occur at two levels.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Grimstad, et. al. Informational [Page 10]
|
|||
|
|
|||
|
RFC 2377 A Directory Naming Plan September 1998
|
|||
|
|
|||
|
|
|||
|
Firstly, LDAP servers will be loosely connected into islands (i.e. a
|
|||
|
set of servers sharing a single DN namespace). The glue connecting
|
|||
|
the islands will be LDAP referral [12] information configured into
|
|||
|
the LDAP servers. An LDAP search directed to any server in such an
|
|||
|
island can be answered, if the information is not available to that
|
|||
|
server, by an LDAP referral to another, more appropriate server
|
|||
|
within the same island.
|
|||
|
|
|||
|
Secondly, various techniques will be used span LDAP islands. The
|
|||
|
concept that enables such techniques is the LDAP URL [13]. By
|
|||
|
combining a DNS host name and port (corresponding to one or more LDAP
|
|||
|
servers) with a DN, the LDAP URL provides unified high-level
|
|||
|
identification scheme (an LDAP URL namespace) for directory objects.
|
|||
|
|
|||
|
Because an LDAP referral is expressed as one or more LDAP URL, these
|
|||
|
two levels of coupling may not sharply distinguished in practice.
|
|||
|
|
|||
|
We do not envision the X.500 model of a single DIT (i.e. a single DN
|
|||
|
namespace) to be viable in an environment of competing service
|
|||
|
providers. This naming plan does not attempt to produce DNs to hide
|
|||
|
the possibility that a given real-world object may have independently
|
|||
|
managed directory objects with the same DN associated with it.
|
|||
|
|
|||
|
5.2 Directory Schema Implications of the Naming Plan
|
|||
|
|
|||
|
The traditional directory schema(s) developed for the X.500 standard
|
|||
|
and its application to the Internet [4] require extension to be used
|
|||
|
with the naming plan developed here. The extensions described below
|
|||
|
attempt to reuse existing schema elements as much as possible. The
|
|||
|
directory objects for which extensions are required are:
|
|||
|
organization, organizational unit, and various classes of leaf
|
|||
|
objects. We describe the schema modifications below for organization,
|
|||
|
organizationalUnit and selected leaf classes.
|
|||
|
|
|||
|
So as to continue to use existing structural object classes to the
|
|||
|
extent possible, we propose supplementing entries based on these
|
|||
|
classes with additional information from two new auxiliary object
|
|||
|
classes, dcObject and uidObject. They are specified using the
|
|||
|
notation in Section 4 of [14].
|
|||
|
|
|||
|
The auxiliary object class dcObject is defined in "Using Domains in
|
|||
|
LDAP Distinguished Names" [1].
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Grimstad, et. al. Informational [Page 11]
|
|||
|
|
|||
|
RFC 2377 A Directory Naming Plan September 1998
|
|||
|
|
|||
|
|
|||
|
The auxiliary object class uidObject is defined as:
|
|||
|
|
|||
|
( 1.3.6.1.1.3.1
|
|||
|
NAME uidObject
|
|||
|
SUP top
|
|||
|
AUXILIARY
|
|||
|
MUST uid )
|
|||
|
|
|||
|
5.2.1 Organization Schema
|
|||
|
|
|||
|
The dc attribute is employed to construct the RDN of an organization
|
|||
|
object. This is enabled by adding the auxiliary class dcObject to
|
|||
|
the organization's objectClass attribute.
|
|||
|
|
|||
|
5.2.2 Organizational Unit Schema
|
|||
|
|
|||
|
The dc attribute is employed to construct the RDN of an
|
|||
|
organizationalUnit object (which is subordinate in the DIT to either
|
|||
|
an organization or an organizationalUnit object). This is enabled by
|
|||
|
adding the auxiliary class dcObject to the organizational unit's
|
|||
|
objectClass attribute.
|
|||
|
|
|||
|
5.2.3 Person Schema
|
|||
|
|
|||
|
No schema extensions are required for person objects if either the
|
|||
|
inetOrgPerson [15] (preferred) or the newPilotPerson object classes
|
|||
|
are used. The attribute uid is permissible in each class. For
|
|||
|
consistency, the uidObject could be added to person entry objectClass
|
|||
|
attributes to assist applications filtering on this object class
|
|||
|
attribute value. Use of other classes for person objects with RDN
|
|||
|
constructed with the uid attribute such as organizationalPerson
|
|||
|
requires the use of the uidObject class.
|
|||
|
|
|||
|
It has been traditional in X.500 and LDAP directory services to
|
|||
|
employ the common name (cn) attribute in naming. While this naming
|
|||
|
plan doesn't require use of the cn attribute in naming, it should be
|
|||
|
stressed that it is a required attribute in any class derived from
|
|||
|
the person class and is still quite important. It will play a
|
|||
|
significant role in enabling searches to find user entries of
|
|||
|
interest.
|
|||
|
|
|||
|
5.2.4 Certification Authority Schema
|
|||
|
|
|||
|
The certification authority (CA) object class is an auxiliary class,
|
|||
|
meaning it is essentially a set of additional attributes for a base
|
|||
|
class such as organizationalRole, organization, organizationalUnit or
|
|||
|
person. Except in the case where the base structural class is
|
|||
|
inetOrgPerson, use of the uid attribute to construct the RDN of a CA
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Grimstad, et. al. Informational [Page 12]
|
|||
|
|
|||
|
RFC 2377 A Directory Naming Plan September 1998
|
|||
|
|
|||
|
|
|||
|
will require the auxiliary class uidObject to permit the uid
|
|||
|
attribute to be used. In the cases where organizationalUnit or
|
|||
|
organization is the base class for a CA, use of the auxiliary class
|
|||
|
dcObject will permit the RDN of the CA to be a domain component.
|
|||
|
|
|||
|
5.2.5 Server and Server Application Schema
|
|||
|
|
|||
|
Servers and server applications are typically represented, for want
|
|||
|
of anything better, by entries of the object class applicationProcess
|
|||
|
(or a class derived from it). Sometimes the class applicationEntity
|
|||
|
is used. In either case, the uid attribute should probably not be
|
|||
|
employed to construct the RDN of a server or server application
|
|||
|
object. The standard schema uses the attribute cn for such RDNs.
|
|||
|
|
|||
|
Suppose one wants to use this naming plan both in the construction of
|
|||
|
DNs for SSL server certificates and for their storage in a directory.
|
|||
|
It is customary for clients connecting via SSL to compare the
|
|||
|
server's domain name (e.g. from the URL used to contact the server)
|
|||
|
with the value of the cn attribute in the subject field (i.e.
|
|||
|
subject's DN) of the server's certificate. For this reason, it is
|
|||
|
common practice to set the cn attribute to the server's domain name.
|
|||
|
|
|||
|
The naming and schema to handle this situation is best explained by
|
|||
|
an example. Consider the server "host.acme.com". Following the
|
|||
|
algorithm in "Using Domains in LDAP Distinguished Names" [1], the DN
|
|||
|
dc=host, dc=acme, dc=com is constructed. To conform to the existing
|
|||
|
practices just described, the server's subject DN for the SSL server
|
|||
|
certificate should be cn=host.acme.com, dc=host, dc=acme, dc=com and
|
|||
|
the server's certificate should be stored in a directory entry with
|
|||
|
this name. This entry should use application process or application
|
|||
|
entity as its structural object class and strong authentication user
|
|||
|
as is auxiliary class.
|
|||
|
|
|||
|
5.2.6 Name Forms
|
|||
|
|
|||
|
For X.500 servers or LDAP servers following the X.500 model, our
|
|||
|
schema requires the definition of new name forms, structure rules,
|
|||
|
and DIT content rules. Structure rules and DIT content rules are
|
|||
|
locally defined, and do not involve a globally significant object
|
|||
|
identifier.
|
|||
|
|
|||
|
The following name forms are defined using the syntax of section 6.22
|
|||
|
of [14] for the convenience of those using such servers.
|
|||
|
|
|||
|
Note that since the structural object classes organization,
|
|||
|
organizationalUnit, locality and organizationalPerson do not permit
|
|||
|
inclusion of the dc attribute, an auxiliary object class such as
|
|||
|
dcObject [1] must be used for instances of these classes.)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Grimstad, et. al. Informational [Page 13]
|
|||
|
|
|||
|
RFC 2377 A Directory Naming Plan September 1998
|
|||
|
|
|||
|
|
|||
|
5.2.6.1 Name Form for Domain Objects
|
|||
|
|
|||
|
The OIDs in this group are under the
|
|||
|
iso.org.dod.internet.directory.NameForm branch of the OID tree
|
|||
|
(1.3.6.1.1.2).
|
|||
|
|
|||
|
( 1.3.6.1.1.2.1
|
|||
|
NAME domainNameForm
|
|||
|
OC domain
|
|||
|
MUST dc )
|
|||
|
|
|||
|
The domainNameForm name form indicates that objects of structural
|
|||
|
object class domain have their RDN constructed from a value of the
|
|||
|
attribute dc.
|
|||
|
|
|||
|
5.2.6.2 Name Form for Organization Objects
|
|||
|
|
|||
|
( 1.3.6.1.1.2.2
|
|||
|
NAME dcOrganizationNameForm
|
|||
|
OC organization
|
|||
|
MUST dc )
|
|||
|
|
|||
|
The dcOrganizationNameForm name form indicates that objects of
|
|||
|
structural object class organization have their RDN constructed from
|
|||
|
a value of the attribute dc.
|
|||
|
|
|||
|
5.2.6.3 Name Form for Organizational Unit Objects
|
|||
|
|
|||
|
( 1.3.6.1.1.2.3
|
|||
|
NAME dcOrganizationalUnitNameForm
|
|||
|
OC organizationalUnit
|
|||
|
MUST dc )
|
|||
|
|
|||
|
The dcOrganizationalUnitNameForm name form indicates that objects of
|
|||
|
structural object class organizationalUnit have their RDN constructed
|
|||
|
from a value of the attribute dc.
|
|||
|
|
|||
|
5.2.6.4 Name Form for Locality Objects
|
|||
|
|
|||
|
( 1.3.6.1.1.2.4
|
|||
|
NAME dcLocalityNameForm
|
|||
|
OC locality
|
|||
|
MUST dc )
|
|||
|
|
|||
|
The dcLocalityNameForm name form indicates that objects of structural
|
|||
|
object class locality have their RDN constructed from a value of the
|
|||
|
attribute dc.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Grimstad, et. al. Informational [Page 14]
|
|||
|
|
|||
|
RFC 2377 A Directory Naming Plan September 1998
|
|||
|
|
|||
|
|
|||
|
5.2.6.5 Name Form for Organizational Person Objects
|
|||
|
|
|||
|
( 1.3.6.1.1.2.5
|
|||
|
NAME uidOrganizationalPersonNameForm
|
|||
|
OC organizationalPerson
|
|||
|
MUST uid )
|
|||
|
|
|||
|
The uidOrganizationalPersonNameForm name form indicates that objects
|
|||
|
of structural object class organizationalPerson have their RDN
|
|||
|
constructed from a value of the attribute uid.
|
|||
|
|
|||
|
6.0 Security Considerations
|
|||
|
|
|||
|
Although access controls may be placed on portions of the DIT to deny
|
|||
|
browse access to unauthorized clients, it may be possible to infer
|
|||
|
directory names and DIT structure in such sensitive portions of the
|
|||
|
DIT from the results of DNS queries. Providing public visibility to
|
|||
|
some portions of the DIT may assist those make such inferences.
|
|||
|
|
|||
|
7.0 Acknowledgments
|
|||
|
|
|||
|
This plan has emerged in the course of a number of fruitful
|
|||
|
discussions, especially with David Chadwick, John Dale, Joe Gajewski,
|
|||
|
Mark Jackson, Ryan Moats, Tom Spencer and Chris Tzu.
|
|||
|
|
|||
|
8.0 References
|
|||
|
|
|||
|
[1] Kille, S., Wahl, M., Grimstad, A., Huber, R., and S.
|
|||
|
Sataluri, "Using Domains in LDAP Distinguished Names", RFC
|
|||
|
2247, January 1998.
|
|||
|
|
|||
|
[2] X.500: The Directory -- Overview of Concepts, Models, and
|
|||
|
Service, CCITT Recommendation X.500, December, 1988.
|
|||
|
|
|||
|
[3] Barker, P., and S. Kille, "The COSINE and Internet X.500
|
|||
|
Schema", RFC 1274, November 1991.
|
|||
|
|
|||
|
[4] The North American Directory Forum, "A Naming Scheme for
|
|||
|
c=US", RFC 1255, September 1991.
|
|||
|
|
|||
|
[5] The North American Directory Forum, "NADF Standing Documents:
|
|||
|
A Brief Overview", RFC 1417, February 1993.
|
|||
|
|
|||
|
[6] Yeong, W., Howes, T., and S. Kille, "Lightweight Directory
|
|||
|
Access Protocol", RFC 1777, March 1995.
|
|||
|
|
|||
|
[7] Wahl, M., Howes, T., and S. Kille, "Lightweight Directory
|
|||
|
Access Protocol (v3)", RFC 2251, December 1997.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Grimstad, et. al. Informational [Page 15]
|
|||
|
|
|||
|
RFC 2377 A Directory Naming Plan September 1998
|
|||
|
|
|||
|
|
|||
|
[8] Kille, S., "A String Representation of Distinguished Names",
|
|||
|
RFC 1779, March 1995.
|
|||
|
|
|||
|
[9] Wahl, M., Kille, S., and T. Howes, "Lightweight Directory
|
|||
|
Access Protocol (v3): UTF-8 String Representation of
|
|||
|
Distinguished Names", RFC 2253, December 1997.
|
|||
|
|
|||
|
[10] Wahl, M., "A Summary of the Pilot X.500 Schema for use
|
|||
|
in LDAPv3", Work in Progress.
|
|||
|
|
|||
|
[11] Wahl, M., "A Summary of the X.500 User Schema for use with
|
|||
|
LDAPv3", RFC 2256, December 1997.
|
|||
|
|
|||
|
[12] Howes, T., and M. Wahl, "Referrals and Knowledge References
|
|||
|
in LDAP Directories", Work in Progress.
|
|||
|
|
|||
|
[13] Howes, T., and M. Smith, "The LDAP URL Format", RFC 2255,
|
|||
|
December 1997.
|
|||
|
|
|||
|
[14] Wahl, M., Coulbeck, A., Howes, T., and S. Kille,
|
|||
|
"Lightweight Directory Access Protocol (v3): Attribute Syntax
|
|||
|
Definitions", RFC 2252, December 1997.
|
|||
|
|
|||
|
[15] Smith, M., "Definition of the inetOrgPerson Object Class",
|
|||
|
Work in Progress.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Grimstad, et. al. Informational [Page 16]
|
|||
|
|
|||
|
RFC 2377 A Directory Naming Plan September 1998
|
|||
|
|
|||
|
|
|||
|
12. Authors' Addresses
|
|||
|
|
|||
|
Al Grimstad
|
|||
|
AT&T
|
|||
|
Room 1C-429, 101 Crawfords Corner Road
|
|||
|
Holmdel, NJ 07733-3030
|
|||
|
USA
|
|||
|
|
|||
|
EMail: alg@att.com
|
|||
|
|
|||
|
|
|||
|
Rick Huber
|
|||
|
AT&T
|
|||
|
Room 1B-433, 101 Crawfords Corner Road
|
|||
|
Holmdel, NJ 07733-3030
|
|||
|
USA
|
|||
|
|
|||
|
EMail: rvh@att.com
|
|||
|
|
|||
|
|
|||
|
Sri Sataluri
|
|||
|
Lucent Technologies
|
|||
|
Room 4D-335, 101 Crawfords Corner Road
|
|||
|
Holmdel, NJ 07733-3030
|
|||
|
USA
|
|||
|
|
|||
|
EMail: srs@lucent.com
|
|||
|
|
|||
|
|
|||
|
Mark Wahl
|
|||
|
Critical Angle Inc.
|
|||
|
4815 W Braker Lane #502-385
|
|||
|
Austin, TX 78759
|
|||
|
USA
|
|||
|
|
|||
|
EMail: M.Wahl@critical-angle.com
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Grimstad, et. al. Informational [Page 17]
|
|||
|
|
|||
|
RFC 2377 A Directory Naming Plan September 1998
|
|||
|
|
|||
|
|
|||
|
13. Full Copyright Statement
|
|||
|
|
|||
|
Copyright (C) The Internet Society (1998). All Rights Reserved.
|
|||
|
|
|||
|
This document and translations of it may be copied and furnished to
|
|||
|
others, and derivative works that comment on or otherwise explain it
|
|||
|
or assist in its implementation may be prepared, copied, published
|
|||
|
and distributed, in whole or in part, without restriction of any
|
|||
|
kind, provided that the above copyright notice and this paragraph are
|
|||
|
included on all such copies and derivative works. However, this
|
|||
|
document itself may not be modified in any way, such as by removing
|
|||
|
the copyright notice or references to the Internet Society or other
|
|||
|
Internet organizations, except as needed for the purpose of
|
|||
|
developing Internet standards in which case the procedures for
|
|||
|
copyrights defined in the Internet Standards process must be
|
|||
|
followed, or as required to translate it into languages other than
|
|||
|
English.
|
|||
|
|
|||
|
The limited permissions granted above are perpetual and will not be
|
|||
|
revoked by the Internet Society or its successors or assigns.
|
|||
|
|
|||
|
This document and the information contained herein is provided on an
|
|||
|
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
|
|||
|
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
|
|||
|
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
|
|||
|
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
|
|||
|
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Grimstad, et. al. Informational [Page 18]
|
|||
|
|