openldap/doc/drafts/draft-ietf-ldapbis-user-schema-xx.txt

1426 lines
45 KiB
Plaintext
Raw Normal View History

2003-06-01 06:47:07 +08:00
INTERNET-DRAFT K. Dally, Editor
Intended Category: Standard Track The MITRE Corp.
Expires: October 2003 April 2003
Updates: RFC 2247
Obsoletes: RFC 2256
LDAP: User Schema
<draft-ietf-ldapbis-user-schema-05>
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC 2026.
This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor as a Standard Track document.
Distribution of this memo is unlimited. Technical discussion of
this document will take place on the IETF LDAP Revision Working
Group (LDAPbis) mailing list <ietf-ldapbis@openldap.org>. Please
send editorial comments directly to the author <kdally@mitre.org>.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts. Internet-Drafts are draft documents valid for a
maximum of six months and may be updated, replaced, or obsoleted by
other documents at any time. It is inappropriate to use
Internet-Drafts as reference material or to cite them other than as
"work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Copyright Notice
Copyright 2003, The Internet Society. All Rights Reserved.
Abstract
This document is a integral part of the LDAP technical specification
[ROADMAP]. It provides an overview of attribute types and object
classes intended for use by LDAP directory clients for many
directory services, such as, White Pages. Originally specified the
ISO/IEC 9594 and X.500 documents, these objects are widely used as a
basis for the schema in many LDAP directories. This document does
not cover attributes used for the administration of directory
servers, nor does it include directory objects defined for specific
uses in other documents.
Dally Expires October 2003 [Page 1]
INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
Table of Contents
Status of this Memo 1
Copyright Notice 1
Abstract 1
Table of Contents 2
1. Introduction 4
1.1 Situation 4
1.2 Conventions 4
1.3 General Issues 4
1.4 Source 5
2. Attribute Types 5
2.1 businessCategory 5
2.2 c 5
2.3 cn 6
2.4 dc 6
2.5 description 6
2.6 destinationIndicator 6
2.7 distinguishedName 7
2.8 dnQualifier 7
2.9 enhancedSearchGuide 7
2.10 facsimileTelephoneNumber 7
2.11 generationQualifier 8
2.12 givenName 8
2.13 houseIdentifier 8
2.14 initials 8
2.15 internationalISDNNumber 8
2.16 l 9
2.17 member 9
2.18 name 9
2.19 o 9
2.20 ou 9
2.21 owner 10
2.22 physicalDeliveryOfficeName 10
2.23 postalAddress 10
2.24 postalCode 10
2.25 postOfficeBox 10
2.26 preferredDeliveryMethod 11
2.27 registeredAddress 11
2.28 roleOccupant 11
2.29 searchGuide 11
2.30 seeAlso 12
2.31 serialNumber 12
2.32 sn 12
2.33 st 12
2.34 street 12
2.35 telephoneNumber 12
Dally Expires October 2003 [Page 2]
INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
2.36 teletexTerminalIdentifier 13
2.37 telexNumber 13
2.38 title 13
2.39 uniqueMember 13
2.40 userPassword 14
2.41 x121Address 14
2.42 x500UniqueIdentifier 14
3. Object Classes 15
3.1 applicationProcess 15
3.2 country 15
3.3 device 15
3.4 domain 15
3.5 groupOfNames 16
3.6 groupOfUniqueNames 16
3.7 locality 17
3.8 organization 17
3.9 organizationalPerson 17
3.10 organizationalRole 18
3.11 organizationalUnit 18
3.12 person 18
3.13 residentialPerson 19
4. IANA Considerations 19
5. Security Considerations 19
6. Acknowledgements 19
7. References 20
7.1 Normative 20
7.2 Informative 20
8. Author's Address 21
9. Full Copyright Statement 21
Dally Expires October 2003 [Page 3]
INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2002
1. Introduction
This document provides an overview of attribute types and object
classes intended for use by LDAP directory clients for many
directory services, such as, White Pages. Originally specified in
the ISO/IEC 9594 and X.500 documents, these objects are widely used
as a basis for the schema in many LDAP directories. This document
does not cover attributes used for the administration of directory
servers, nor does it include directory objects defined for specific
uses in other documents.
1.1 Situation
This document is a integral part of the LDAP technical specification
[ROADMAP] which obsoletes the previously defined LDAP technical
specification [RFC3377] in its entirety. In terms of RFC 2256,
Sections 6 and 8 of RFC 2256 are obsoleted by [Syntaxes].
Sections 5.1, 5.2, 7.1 and 7.2 of RFC 2256 are obsoleted by [Models].
The remainder of RFC 2256 is obsoleted by this document. Sections
3.4 and 4.4 of this document supercede the technical specifications
for the 'dc' attribute type and 'domain' object class found in
RFC 2247. The remainder of RFC 2247 remains in force.
A number of schema elements which were included in the previous
revision of the LDAP Technical Specification are not included in this
revision of LDAP. PKI-related schema elements are now specified in
[LDAP-PKI]. Unless reintroduced in future technical specifications,
the remainder are to be considered Historic.
1.2 Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
1.3 General Issues
This document references Syntaxes given in Section 3 of [Syntaxes]
and Matching Rules specified in Section 4 of [Syntaxes].
The definitions of Attribute Types and Object Classes are written
using the ABNF form of AttributeTypeDescription and
ObjectClassDescription given in [Models]. Lines have been folded
for readability.
Dally Expires October 2003 [Page 4]
INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
1.4 Source
The schema definitions in this document are based on those found in
the X.500-series [X.520] and [X.521] and RFC 2247 [RFC2247],
specifically:
Sections Source
============ ==================
2.1 - 2.3 X.520 [X.520]
2.4 RFC 2247 [RFC2247]
2.5 - 2.42 X.520 [X.520]
3.1 - 3.3 X.521 [X.521]
3.4 RFC 2247 [RFC2247]
3.5 - 3.13 X.521 [X.521]
2. Attribute Types
The Attribute Types contained in this section hold user information.
There is no requirement that servers implement the following
Attribute Types:
searchGuide
teletexTerminalIdentifier
In fact, their use is greatly discouraged.
An LDAP server implementation SHOULD recognize the rest of the
Attribute Types described in this section.
2.1 businessCategory
This Attribute Type describes the kind of business performed by
an organization.
( 2.5.4.15 NAME 'businessCategory'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
The SYNTAX oid indicates the Directory String syntax.
2.2 c
This is the X.520 [X.520] countryName Attribute Type, which contains
a two-letter ISO 3166 [ISO3166]country code.
( 2.5.4.6 NAME 'c'
SUP name
SINGLE-VALUE )
Dally Expires October 2003 [Page 5]
INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
2.3 cn
This is the X.520 [X.520] commonName Attribute Type, which contains
a name of an object. If the object corresponds to a person, it is
typically the person's full name.
( 2.5.4.3 NAME 'cn'
SUP name )
2.4 dc
The dc (short for domainComponent) attribute type is defined as
follows:
( 0.9.2342.19200300.100.1.25 NAME 'dc'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
The value of this attribute is a string holding one component of a
DNS domain name. The encoding of IA5String for use in LDAP is simply
the characters of the string itself. The equality matching rule is
case insensitive, as is today's DNS.
2.5 description
This Attribute Type contains a human-readable description of
the object.
( 2.5.4.13 NAME 'description'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
The SYNTAX oid indicates the Directory String syntax.
2.6 destinationIndicator
This attribute is used for the telegram service.
( 2.5.4.27 NAME 'destinationIndicator'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )
The SYNTAX oid indicates the Printable String syntax.
Dally Expires October 2003 [Page 6]
INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
2.7 distinguishedName
This Attribute Type is not used as the name of the object itself,
but it is instead a base type from which attributes with DN syntax
inherit.
It is unlikely that values of this type itself will occur in an
entry. LDAP server implementations which do not support attribute
subtyping need not recognize this attribute in requests. Client
implementations MUST NOT assume that LDAP servers are capable of
performing attribute subtyping.
( 2.5.4.49 NAME 'distinguishedName'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
The SYNTAX oid indicates the DN syntax.
2.8 dnQualifier
The dnQualifier Attribute Type specifies disambiguating information
to add to the relative distinguished name of an entry. It is
intended for use when merging data from multiple sources in order to
prevent conflicts between entries which would otherwise have the same
name. It is recommended that the value of the dnQualifier attribute
be the same for all entries from a particular source.
( 2.5.4.46 NAME 'dnQualifier'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
The SYNTAX oid indicates the Printable String syntax.
2.9 enhancedSearchGuide
This attribute is for use by X.500 clients in constructing search
filters.
( 2.5.4.47 NAME 'enhancedSearchGuide'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )
The SYNTAX oid indicates the Enhanced Guide syntax.
2.10 facsimileTelephoneNumber
A value of this Attribute Type is a telephone number for a facsimile
terminal (and, optionally, its parameters).
( 2.5.4.23 NAME 'facsimileTelephoneNumber'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )
Dally Expires October 2003 [Page 7]
INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
The SYNTAX oid indicates the Facsimile Telephone Number syntax.
2.11 generationQualifier
The generationQualifier Attribute Type contains the part of a
person's name which typically is the suffix, as in "IIIrd".
( 2.5.4.44 NAME 'generationQualifier'
SUP name )
2.12 givenName
The givenName Attribute Type is used to hold the part of a person's
name which is not their surname nor middle name.
( 2.5.4.42 NAME 'givenName'
SUP name )
2.13 houseIdentifier
This Attribute Type is used to identify a building within a location.
( 2.5.4.51 NAME 'houseIdentifier'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
The SYNTAX oid indicates the Directory String syntax.
2.14 initials
The initials Attribute Type contains the initials of some or all of
an individuals names, except the surname(s).
( 2.5.4.43 NAME 'initials'
SUP name )
2.15 internationalISDNNumber
A value of this Attribute Type is an ISDN address, as defined in
ITU Recommendation E.164 [E.164].
( 2.5.4.25 NAME 'internationalISDNNumber'
EQUALITY numericStringMatch
SUBSTR numericStringSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} ) i
The SYNTAX oid indicates the Numeric String syntax.
Dally Expires October 2003 [Page 8]
INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
2.16 l
This is the X.520 [X.520] localityName Attribute Type, which
contains the name of a locality or place, such as a city, county or
other geographic region.
( 2.5.4.7 NAME 'l'
SUP name )
2.17 member
A value of this Attribute Type is the Distinguished Name of an
object that is on a list or in a group.
( 2.5.4.31 NAME 'member'
SUP distinguishedName )
2.18 name
The name Attribute Type is the attribute supertype from which string
Attribute Types typically used for naming may be formed. It is
unlikely that values of this type itself will occur in an entry.
LDAP server implementations which do not support attribute subtyping
need not recognize this attribute in requests. Client
implementations MUST NOT assume that LDAP servers are capable of
performing attribute subtyping.
( 2.5.4.41 NAME 'name'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
The SYNTAX oid indicates the Directory String syntax.
2.19 o
This is the X.520 [X.520] organizationName Attribute Type, which
contains the name of an organization.
( 2.5.4.10 NAME 'o'
SUP name )
2.20 ou
This is the X.520 [X.520] organizationalUnitName Attribute Type,
which contains the name of an organizational unit.
( 2.5.4.11 NAME 'ou'
SUP name )
Dally Expires October 2003 [Page 9]
INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
2.21 owner
A value of this Attribute Type is the Distinguished Name of an
object that has an ownership responsibility for the object that
is owned.
( 2.5.4.32 NAME 'owner'
SUP distinguishedName )
2.22 physicalDeliveryOfficeName
This attribute contains the name that a Postal Service uses to
identify a post office.
( 2.5.4.19 NAME 'physicalDeliveryOfficeName'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
The SYNTAX oid indicates the Directory String syntax.
2.23 postalAddress
This attribute contains an address used by a Postal Service to
perform services for the object.
( 2.5.4.16 NAME 'postalAddress'
EQUALITY caseIgnoreListMatch
SUBSTR caseIgnoreListSubstringsMatch
SYNTAX 1.5.6.1.4.1.1466.115.121.1.41 )
The SYNTAX oid indicates the Postal Address syntax.
2.24 postalCode
This attribute contains a code used by a Postal Service to identify
a postal service zone, such as the southern quadrant of a city.
( 2.5.4.17 NAME 'postalCode'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.5.6.1.4.1.1466.115.121.1.15{40} )
The SYNTAX oid indicates the Directory String syntax.
2.25 postOfficeBox
This attribute contains the number that a Postal Service uses when a
customer arranges to receive mail at a box on premises of the Postal
Service.
Dally Expires October 2003 [Page 10]
INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
( 2.5.4.18 NAME 'postOfficeBox'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.5.6.1.4.1.1466.115.121.1.15{40} )
The SYNTAX oid indicates the Directory String syntax.
2.26 preferredDeliveryMethod
This attribute contains an indication of the preferred method of
getting a message to the object.
( 2.5.4.28 NAME 'preferredDeliveryMethod'
SYNTAX 1.5.6.1.4.1.1466.115.121.1.14
SINGLE-VALUE )
The SYNTAX oid indicates the Delivery Method syntax.
2.27 registeredAddress
This attribute holds a postal address suitable for reception of
telegrams or expedited documents, where it is necessary to have the
recipient accept delivery.
( 2.5.4.26 NAME 'registeredAddress'
SUP postalAddress
SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
The SYNTAX oid indicates the Postal Address syntax.
2.28 roleOccupant
A value of this Attribute Type is the Distinguished Name of an
object (normally a person) that fulfills the responsibilities of a
role object.
( 2.5.4.33 NAME 'roleOccupant'
SUP distinguishedName )
2.29 searchGuide
This Attribute Type is for use by clients in constructing search
filters. It is superseded by enhancedSearchGuide, described above
in section 2.9.
( 2.5.4.14 NAME 'searchGuide'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 ) ; Guide
The SYNTAX oid indicates the Guide syntax.
Dally Expires October 2003 [Page 11]
INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
2.30 seeAlso
A value of this Attribute Type is the Distinguished Name of an
object that is related to the subject object.
( 2.5.4.34 NAME 'seeAlso'
SUP distinguishedName )
2.31 serialNumber
This attribute contains the serial number of a device.
( 2.5.4.5 NAME 'serialNumber'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )
The SYNTAX oid indicates the Printable String syntax.
2.32 sn
This is the X.520 [X.520] surname Attribute Type, which contains the
family name of a person.
( 2.5.4.4 NAME 'sn'
SUP name )
2.33 st
This is the X.520 [X.520] stateOrProvinceName attribute, which
contains the full name of a state or province.
( 2.5.4.8 NAME 'st'
SUP name )
2.34 street
This is the X.520 [X.520] streetAddress attribute, which contains the
physical address of the object to which the entry corresponds, such
as an address for package delivery.
( 2.5.4.9 NAME 'street'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
The SYNTAX oid indicates the Directory String syntax.
2.35 telephoneNumber
A value of this Attribute Type is a telephone number complying with
ITU Recommendation E.123 [E.123].
Dally Expires October 2003 [Page 12]
INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
( 2.5.4.20 NAME 'telephoneNumber'
EQUALITY telephoneNumberMatch
SUBSTR telephoneNumberSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )
The SYNTAX oid indicates the Telephone Number syntax.
2.36 teletexTerminalIdentifier
The withdrawal of Rec. F.200 has resulted in the withdrawal of this
attribute.
( 2.5.4.22 NAME 'teletexTerminalIdentifier'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )
The SYNTAX oid indicates the Teletex Terminal Identifier syntax.
2.37 telexNumber
A value of this Attribute Type is a telex number, country code, and
answerback code of a telex terminal.
( 2.5.4.21 NAME 'telexNumber'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )
The SYNTAX oid indicates the Telex Number syntax.
2.38 title
This attribute contains the title, such as "Vice President", of a
person in their organizational context. The "personalTitle"
attribute would be used for a person's title independent of their
job function.
( 2.5.4.12 NAME 'title'
SUP name )
2.39 uniqueMember
A value of this Attribute Type is the Distinguished Name of an
object that is on a list or in a group, where the Relative
Distinguished Name of the object includes a value that distinguishs
between objects when a distinguished name has been reused.
( 2.5.4.50 NAME 'uniqueMember'
EQUALITY uniqueMemberMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )
The SYNTAX oid indicates the Name and Optional UID syntax.
Dally Expires October 2003 [Page 13]
INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
2.40 userPassword
A value of this Attribute Type is a character string that is known
only to the user and the system to which the user has access.
( 2.5.4.35 NAME 'userPassword'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
The SYNTAX oid indicates the Octet String syntax.
Passwords are stored using an Octet String syntax and are not
encrypted. Transfer of cleartext passwords is strongly discouraged
where the underlying transport service cannot guarantee
confidentiality and may result in disclosure of the password to
unauthorized parties.
2.41 x121Address
A value of this Attribute Type is a data network address as defined
by ITU Recommendation X.121 [X.121].
( 2.5.4.24 NAME 'x121Address'
EQUALITY numericStringMatch
SUBSTR numericStringSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} )
The SYNTAX oid indicates the Numeric String syntax.
2.42 x500UniqueIdentifier
The x500UniqueIdentifier Attribute Type is used to distinguish
between objects when a distinguished name has been reused. In X.520
[X.520], this Attribute Type is called uniqueIdentifier. This is a
different Attribute Type from both the "uid" and "uniqueIdentifier"
Attribute Types.
( 2.5.4.45 NAME 'x500UniqueIdentifier'
EQUALITY bitStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )
The SYNTAX oid indicates the Bit String syntax.
Dally Expires October 2003 [Page 14]
INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
3. Object Classes
LDAP servers SHOULD recognize all the Object Classes listed here as
values of the objectClass attribute.
3.1 applicationProcess
The applicationProcess Object Class definition is the basis of an
entry which represents an application executing in a computer system.
( 2.5.6.11 NAME 'applicationProcess'
SUP top
STRUCTURAL
MUST cn
MAY ( seeAlso $
ou $
l $
description ) )
3.2 country
The country Object Class definition is the basis of an entry which
represents a country.
( 2.5.6.2 NAME 'country'
SUP top
STRUCTURAL
MUST c
MAY ( searchGuide $
description ) )
3.3 device
The device Object Class is the basis of an entry which represents
an appliance or computer or network element.
( 2.5.6.14 NAME 'device'
SUP top
STRUCTURAL
MUST cn
MAY ( serialNumber $
seeAlso $
owner $
ou $
o $
l $
description ) )
3.4 domain
The domain Object Class is the basis of an entry which represents a
portion of a network, as organized by DNS.
Dally Expires October 2003 [Page 15]
INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
( 0.9.2342.19200300.100.4.13 NAME 'domain'
SUP top
STRUCTURAL
MUST dc
MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
x121Address $ registeredAddress $ destinationIndicator $
preferredDeliveryMethod $ telexNumber $
teletexTerminalIdentifier $ telephoneNumber $
internationaliSDNNumber $ facsimileTelephoneNumber $ street $
postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ st $ l $ description $ o $
associatedName ) )
An example entry would be:
dn: dc=tcp,dc=critical-angle,dc=com
objectClass: top
objectClass: domain
dc: tcp
description: a placeholder entry used with SRV records
3.5 groupOfNames
The groupOfNames Object Class is the basis of an entry which
represents a set of named objects including information related to
the purpose or maintenance of the set.
( 2.5.6.9 NAME 'groupOfNames'
SUP top
STRUCTURAL
MUST ( member $
cn )
MAY ( businessCategory $
seeAlso $
owner $
ou $
o $
description ) )
3.6 groupOfUniqueNames
The groupOfUniqueNames Object Class is the same as the groupOfNames
object class except that the object names are not repeated or
reassigned within a set scope.
( 2.5.6.17 NAME 'groupOfUniqueNames'
SUP top
STRUCTURAL
MUST ( uniqueMember $
cn )
MAY ( businessCategory $
seeAlso $
Dally Expires October 2003 [Page 16]
INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
owner $
ou $
o $
description ) )
3.7 locality
The locality Object Class is the basis of an entry which
represents a place in the physical world.
( 2.5.6.3 NAME 'locality'
SUP top
STRUCTURAL
MAY ( street $
seeAlso $
searchGuide $
st $
l $
description ) )
3.8 organization
The organization Object Class is the basis of an entry which
represents a structured group of people.
( 2.5.6.4 NAME 'organization'
SUP top
STRUCTURAL
MUST o
MAY ( userPassword $ searchGuide $ seeAlso $
businessCategory $ x121Address $ registeredAddress $
destinationIndicator $ preferredDeliveryMethod $
telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
internationaliSDNNumber $ facsimileTelephoneNumber $
street $ postOfficeBox $ postalCode $
postalAddress $ physicalDeliveryOfficeName $ st $
l $ description ) )
3.9 organizationalPerson
The organizationalPerson Object Class is the basis of an entry which
represents a person in relation to an organization.
( 2.5.6.7 NAME 'organizationalPerson'
SUP person
STRUCTURAL
MAY ( title $ x121Address $ registeredAddress $
destinationIndicator $ preferredDeliveryMethod $
telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
internationaliSDNNumber $ facsimileTelephoneNumber $
street $ postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ ou $ st $ l ) )
Dally Expires October 2003 [Page 17]
INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
3.10 organizationalRole
The organizationalRole Object Class is the basis of an entry which
represents a job or function or position in an organization.
( 2.5.6.8 NAME 'organizationalRole'
SUP top
STRUCTURAL
MUST cn
MAY ( x121Address $ registeredAddress $ destinationIndicator $
preferredDeliveryMethod $ telexNumber $
teletexTerminalIdentifier $ telephoneNumber $
internationaliSDNNumber $ facsimileTelephoneNumber $
seeAlso $ roleOccupant $ preferredDeliveryMethod $
street $ postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ ou $ st $ l $ description ) )
3.11 organizationalUnit
The organizationalUnit Object Class is the basis of an entry which
represents a piece of an organization.
( 2.5.6.5 NAME 'organizationalUnit'
SUP top
STRUCTURAL
MUST ou
MAY ( businessCategory $ description $ destinationIndicator $
facsimileTelephoneNumber $ internationaliSDNNumber $ l $
physicalDeliveryOfficeName $ postalAddress $ postalCode $
postOfficeBox $ preferredDeliveryMethod $
registeredAddress $ searchGuide $ seeAlso $ st $ street $
telephoneNumber $ teletexTerminalIdentifier $ telexNumber $
userPassword $ x121Address ) )
3.12 person
The person Object Class is the basis of an entry which represents a
human being.
( 2.5.6.6 NAME 'person'
SUP top
STRUCTURAL
MUST ( sn $
cn )
MAY ( userPassword $
telephoneNumber $
seeAlso $
description ) )
Dally Expires October 2003 [Page 18]
INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
3.13 residentialPerson
The residentialPerson Object Class is the basis of an entry which
includes a person's residence in the representation of the person.
( 2.5.6.10 NAME 'residentialPerson'
SUP person
STRUCTURAL
MUST l
MAY ( businessCategory $ x121Address $ registeredAddress $
destinationIndicator $ preferredDeliveryMethod $
telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
internationaliSDNNumber $ facsimileTelephoneNumber $
preferredDeliveryMethod $ street $ postOfficeBox $
postalCode $ postalAddress $ physicalDeliveryOfficeName $
st $ l ) )
4. IANA Considerations
It is requested that the Internet Assigned Numbers Authority (IANA)
update the LDAP descriptors registry as indicated in the following
template:
Subject: Request for LDAP Descriptor Registration Update
Descriptor (short name): see comment
Object Identifier: see comment
Person & email address to contact for further information:
Kathy Dally <kdally@mitre.org>
Usage: (A = Attribute Type, O = Object Class) see comment
Specification: RFC XXXX
Author/Change Controller: IESG
Dally Expires October 2003 [Page 19]
INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
Comments:
The following descriptors (short names) should be updated to
refer to RFC XXXX.
NAME Type OID
------------------------ ---- ----------------------------
applicationProcess O 2.5.6.11
businessCategory A 2.5.4.15
c A 2.5.4.6
cn A 2.5.4.3
country O 2.5.6.2
dc A 0.9.2342.19200300.100.1.25
description A 2.5.4.13
destinationIndicator A 2.5.4.27
device O 2.5.6.14
distinguishedName A 2.5.4.49
dnQualifier A 2.5.4.46
domain O 0.9.2342.19200300.100.4.13
enhancedSearchGuide A 2.5.4.47
facsimileTelephoneNumber A 2.5.4.23
generationQualifier A 2.5.4.44
givenName A 2.5.4.42
groupOfNames O 2.5.6.9
groupOfUniqueNames O 2.5.6.17
houseIdentifier A 2.5.4.51
initials A 2.5.4.43
internationalISDNNumber A 2.5.4.25
l A 2.5.4.7
locality O 2.5.6.3
member A 2.5.4.31
name A 2.5.4.41
o A 2.5.4.10
organization O 2.5.6.4
organizationalPerson O 2.5.6.7
organizationalRole O 2.5.6.8
organizationalUnit O 2.5.6.5
ou A 2.5.4.11
owner A 2.5.4.32
person O 2.5.6.6
physicalDeliveryOfficeName A 2.5.4.19
postalAddress A 2.5.4.16
postalCode A 2.5.4.17
postOfficeBox A 2.5.4.18
preferredDeliveryMethod A 2.5.4.28
registeredAddress A 2.5.4.26
residentialPerson O 2.5.6.10
roleOccupant A 2.5.4.33
searchGuide A 2.5.4.14
seeAlso A 2.5.4.34
serialNumber A 2.5.4.5
sn A 2.5.4.4
Dally Expires October 2003 [Page 20]
INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
st A 2.5.4.8
street A 2.5.4.9
telephoneNumber A 2.5.4.20
teletexTerminalIdentifier A 2.5.4.22
telexNumber A 2.5.4.21
title A 2.5.4.12
uniqueMember A 2.5.4.50
userPassword A 2.5.4.35
x121Address A 2.5.4.24
x500UniqueIdentifier A 2.5.4.45
5. Security Considerations
Attributes of directory entries are used to provide descriptive
information about the real-world objects they represent, which can be
people, organizations or devices. Most countries have privacy laws
regarding the publication of information about people.
Transfer of cleartext passwords is strongly discouraged where the
underlying transport service cannot guarantee confidentiality and may
result in disclosure of the password to unauthorized parties.
It is required that strong authentication be performed in order to
modify directory entries using LDAP.
6. Acknowledgements
The definitions, on which this document is based, have been developed
by committees for telecommunications and international standards.
No new attribute definitions have been added.
This document is an update of RFC 2256 by Mark Wahl. RFC 2256 was a
product of the IETF ASID Working Group.
This document is based upon input of the IETF LDAPBIS working group.
The author wishes to thank S. Legg and K. Zeilenga for their
significant contribution to this update.
7. References
7.1 Normative
[E.123] Notation for national and international telephone numbers,
ITU-T Recommendation E.123, 1988
[E.164] The international public telecommunication numbering plan,
ITU-T Recommendation E.164, 1997
Dally Expires October 2003 [Page 21]
INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
[ISO3166] ISO 3166, "Codes for the representation of names of
countries".
[LDAP-PKI] Chadwick, D. W., Legg S., "LDAP Schema and Syntaxes for
PKIs", draft-ietf-pkix-ldap-pki-schema-xx (a work in
progress)
[Models] K. Zeilenga, "LDAP: The Models", draft-ietf-ldapbis-
models-xx (a work in progress)
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997
[RFC3377] Hodges, J., Morgan, R., "Lightweight Directory Access
Protocol (v3): Technical Specification", RFC 3377,
September 2002
...[ROADMAP] Zeilenga, K., "LDAP: Technical Specification Road Map",
draft-ietf-ldapbis-roadmap-xx (a work in progress)
[Syntaxes] S. Legg (editor), "LDAP: Syntaxes",
draft-ietf-ldapbis-syntaxes-xx (a work in progress)
[X.121] International numbering plan for public data networks,
ITU-T Recommendation X.121, 1996
[X.509] The Directory: Authentication Framework, ITU-T
Recommendation X.509, 1993
[X.520] The Directory: Selected Attribute Types, ITU-T
Recommendation X.520, 1993
[X.521] The Directory: Selected Object Classes. ITU-T
Recommendation X.521, 1993
7.2 Informative
[RFC2247] Kille, S., Wahl, M., Grimstad, A., Huber, R., and
Sataluri, S., "Using Domains in LDAP/X.500 Distinguished Names",
RFC 2247, January 1998
Dally Expires October 2003 [Page 22]
INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
8. Author's Address
Kathy Dally
The MITRE Corp.
1575 Colshire Dr., H300
McLean VA 22102
USA
Phone: +1 703 883 6058
Email: kdally@mitre.org
9. Full Copyright Statement
Copyright (C) The Internet Society (2002). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Dally Expires October 2003 [Page 23]
INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
Appendix A Changes RFC 2256
This appendix lists the changes that have been made from RFC 2256 to
this I-D.
1. Revised the Status of this Memo.
2. Removed the IESG Note.
3. Dependencies on RFC 1274 have been eliminated.
4. Added a Security Considerations section, requiring strong
authentication in order to modify directory entries.
5. Deleted the conformance requirement for subschema object
classes in favor of a statement in [Syntaxes].
6. Added a Table of Contents.
7. Added explanations to many attributes.
8. Removed Section 4, Syntaxes, and Section 6, Matching Rules,
(moved to [Syntaxes]).
9. Reordered Section 3, Attributes, and Section 4, Object
Classes, alphabetically.
10. Added an explanation for each object class.
11. Removed the certificate-related Attribute Types:
authorityRevocationList,
cACertificate,
certificateRevocationList,
crossCertificatePair,
deltaRevocationList,
supportedAlgorithms, and
userCertificate.
Removed the certificate-related Object Classes:
certificationAuthority,
certificationAuthority-V2,
cRLDistributionPoint,
strongAuthenticationUser, and
userSecurityInformation
Noted that they are covered in PKIX WG documents.
12. Removed the dmdName Attribute Type and dmd Object Class
because they are not in the version of X.500 which
is referenced.
Dally Expires October 2003 [Page 24]
INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
......13. Deleted the 'aliasedObjectName' and 'objectClass' attribute
type definitions. They are included in [Models].
14. Deleted the 'alias' and 'top' object class definitions. They
are included in [Models].
15. Replaced the document title.
16. Added the 'dc' attribute and the 'domain' object class from
RFC 2247.
17. Deleted the 'knowledgeInformation', 'presentationAddress',
'protocolInformation', and 'supportedApplicationContext'
attributes.
18. Deleted the 'applicationEntity' and 'dSA' object classes.
19. Added an IANA Considerations section.
Dally Expires October 2003 [Page 25]