# $OpenLDAP$ ## This work is part of OpenLDAP Software <http://www.openldap.org/>. ## ## Copyright 1998-2005 The OpenLDAP Foundation. ## All rights reserved. ## ## Redistribution and use in source and binary forms, with or without ## modification, are permitted only as authorized by the OpenLDAP ## Public License. ## ## A copy of this license is available in the file LICENSE in the ## top-level directory of the distribution or, alternatively, at ## <http://www.OpenLDAP.org/license.html>. # DUA schema from draft-joslin-config-schema (a work in progress) # Contents of this file are subject to change (including deletion) # without notice. # # Not recommended for production use! # Use with extreme caution! ## Notes: ## - The matching rule for attributes followReferrals and dereferenceAliases ## has been changed to booleanMatch since their syntax is boolean ## - There was a typo in the name of the dereferenceAliases attributeType ## in the DUAConfigProfile objectClass definition ## - Credit goes to the original Authors # # Application Working Group M. Ansari # INTERNET-DRAFT Sun Microsystems, Inc. # Expires Febuary 2003 L. Howard # PADL Software Pty. Ltd. # B. Joslin [ed.] # Hewlett-Packard Company # # September 15th, 2003 # Intended Category: Informational # # # A Configuration Schema for LDAP Based # Directory User Agents # <draft-joslin-config-schema-07.txt> # #Status of this Memo # # This memo provides information for the Internet community. This # memo does not specify an Internet standard of any kind. Distribu- # tion of this memo is unlimited. # # This document is an Internet-Draft and is in full conformance with # all provisions of Section 10 of RFC2026. # # This document is an Internet-Draft. Internet-Drafts are working # documents of the Internet Engineering Task Force (IETF), its areas, # and its working groups. Note that other groups may also distribute # working documents as Internet-Drafts. # # Internet-Drafts are draft documents valid for a maximum of six # months. Internet-Drafts may be updated, replaced, or made obsolete # by other documents at any time. It is not appropriate to use # Internet-Drafts as reference material or to cite them other than as # a "working draft" or "work in progress". # # To learn the current status of any Internet-Draft, please check the # 1id-abstracts.txt listing contained in the Internet-Drafts Shadow # Directories on ds.internic.net (US East Coast), nic.nordu.net # (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific # Rim). # # Distribution of this document is unlimited. # # # Abstract # # This document describes a mechanism for global configuration of # similar directory user agents. This document defines a schema for # configuration of these DUAs that may be discovered using the Light- # weight Directory Access Protocol in RFC 2251[17]. A set of attri- # bute types and an objectclass are proposed, along with specific # guidelines for interpreting them. A significant feature of the # global configuration policy for DUAs is a mechanism that allows # DUAs to re-configure their schema to that of the end user's # environment. This configuration is achieved through attribute and # objectclass mapping. This document is intended to be a skeleton # for future documents that describe configuration of specific DUA # services. # # # [trimmed] # # # 2. General Issues # # The schema defined by this document is defined under the "DUA Con- # figuration Schema." This schema is derived from the OID: iso (1) # org (3) dod (6) internet (1) private (4) enterprises (1) Hewlett- # Packard Company (11) directory (1) LDAP-UX Integration Project (3) # DUA Configuration Schema (1). This OID is represented in this # document by the keystring "DUAConfSchemaOID" # (1.3.6.1.4.1.11.1.3.1). objectidentifier DUAConfSchemaOID 1.3.6.1.4.1.11.1.3.1 # # 2.2 Attributes # # The attributes and classes defined in this document are summarized # below. # # The following attributes are defined in this document: # # preferredServerList # defaultServerList # defaultSearchBase # defaultSearchScope # authenticationMethod # credentialLevel # serviceSearchDescriptor # # # # Joslin [Page 3] # Internet-Draft DUA Configuration Schema October 2002 # # # serviceCredentialLevel # serviceAuthenticationMethod # attributeMap # objectclassMap # searchTimeLimit # bindTimeLimit # followReferrals # dereferenceAliases # profileTTL # # 2.3 Object Classes # # The following object class is defined in this document: # # DUAConfigProfile # # attributeType ( DUAConfSchemaOID:1.0 NAME 'defaultServerList' DESC 'Default LDAP server host address used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeType ( DUAConfSchemaOID:1.1 NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) attributeType ( DUAConfSchemaOID:1.2 NAME 'preferredServerList' DESC 'Preferred LDAP server host addresses to be used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeType ( DUAConfSchemaOID:1.3 NAME 'searchTimeLimit' DESC 'Maximum time in seconds a DUA should allow for a search to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeType ( DUAConfSchemaOID:1.4 NAME 'bindTimeLimit' DESC 'Maximum time in seconds a DUA should allow for the bind operation to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeType ( DUAConfSchemaOID:1.5 NAME 'followReferrals' DESC 'Tells DUA if it should follow referrals returned by a DSA search result' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) attributeType ( DUAConfSchemaOID:1.16 NAME 'dereferenceAliases' DESC 'Tells DUA if it should dereference aliases' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) attributeType ( DUAConfSchemaOID:1.6 NAME 'authenticationMethod' DESC 'A keystring which identifies the type of authentication method used to contact the DSA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeType ( DUAConfSchemaOID:1.7 NAME 'profileTTL' DESC 'Time to live, in seconds, before a client DUA should re-read this configuration profile' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeType ( DUAConfSchemaOID:1.14 NAME 'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by a DUA' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeType ( DUAConfSchemaOID:1.9 NAME 'attributeMap' DESC 'Attribute mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributeType ( DUAConfSchemaOID:1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) attributeType ( DUAConfSchemaOID:1.11 NAME 'objectclassMap' DESC 'Objectclass mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributeType ( DUAConfSchemaOID:1.12 NAME 'defaultSearchScope' DESC 'Default search scope used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) attributeType ( DUAConfSchemaOID:1.13 NAME 'serviceCredentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server for a specific service' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributeType ( DUAConfSchemaOID:1.15 NAME 'serviceAuthenticationMethod' DESC 'Authentication method used by a service of the DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) # # 4. Class Definition # # The objectclass below is constructed from the attributes defined in # 3, with the exception of the cn attribute, which is defined in RFC # 2256 [8]. cn is used to represent the name of the DUA configura- # tion profile. # objectClass ( DUAConfSchemaOID:2.5 NAME 'DUAConfigProfile' SUP top STRUCTURAL DESC 'Abstraction of a base configuration for a DUA' MUST ( cn ) MAY ( defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ dereferenceAliases $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL ) )