INTERNET-DRAFT                                   Editor: Kurt D. Zeilenga
Intended Category: Standard Track                      OpenLDAP Foundation
Expires in six months                                       18 August 2002


                      Collective Attributes in LDAP
                   <draft-zeilenga-ldap-collective-08.txt>


Status of this Memo

This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026.

This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor as a Standard Track document.
Distribution of this memo is unlimited. Technical discussion of this
document will take place on the IETF LDAP Extension Working Group
mailing list <ldapext@ietf.org>. Please send editorial comments
directly to the author <Kurt@OpenLDAP.org>.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.''

The list of current Internet-Drafts can be accessed at
<http://www.ietf.org/ietf/1id-abstracts.txt>. The list of
Internet-Draft Shadow Directories can be accessed at
<http://www.ietf.org/shadow.html>.

Copyright 2002, The Internet Society. All Rights Reserved.

Please see the Copyright section near the end of this document for
more information.


Abstract

X.500 collective attributes allow common characteristics to be shared
between collections of entries. This document summarizes the X.500
information model for collective attributes and describes use of
collective attributes in LDAP (Lightweight Directory Access Protocol).
This document provides schema definitions for collective attributes
for use in LDAP.



Zeilenga draft-zeilenga-ldap-collective-08 [Page 1]

INTERNET-DRAFT LDAP Collective Attributes 18 August 2002


Conventions

Schema definitions are provided using LDAPv3 description formats
[RFC2252]. Definitions provided here are formatted (line wrapped) for
readability.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 [RFC2119].


1. Introduction

In X.500, a collective attribute is "a user attribute whose values are
the same for each member of an entry collection" [X.501]. This
document details their use in the Lightweight Directory Access
Protocol (LDAP) [LDAPTS].


1.1. Entry Collections

A collection of entries is a grouping of object and alias entries
based upon common properties or a shared relationship between the
corresponding entries, which share certain attributes. An entry
collection consists of all entries within the scope of a collective
attributes subentry [SUBENTRY]. An entry can belong to several entry
collections.


1.2. Collective Attributes

Attributes shared by the entries comprising an entry collection are
called collective attributes. Values of collective attributes are
visible to, but not updateable by, clients accessing entries within
the collection. Collective attributes are updated (i.e. modified) via
their associated collective attributes subentry.

When an entry belongs to multiple entry collections, the entry's
values of each collective attribute are combined such that the
independent sources of these values are not manifested to clients.

Entries can specifically exclude a particular collective attribute by
listing the attribute as a value of the collectiveExclusions
attribute. Like other user attributes, collective attributes are
subject to a variety of controls including access, administrative, and
content controls.


2. System Schema for Collective Attributes

The following operational attributes are used to manage Collective
Attributes. LDAP servers [LDAPTS] MUST act in accordance with the
X.500 Directory Models [X.501] when providing this service.


2.1. collectiveAttributeSubentry

Subentries of this object class are used to administer collective
attributes and are referred to as collective attribute subentries.

    ( 2.5.20.2 NAME 'collectiveAttributeSubentry' AUXILIARY )

A collective attribute subentry SHOULD contain at least one collective
attribute. The collective attributes contained within a collective
attribute subentry are available for finding, searching, and
comparison at every entry within the scope of the subentry. The
collective attributes, however, are administered (e.g. modified) via
the subentry.

Implementations of this specification SHOULD support collective
attribute subentries in both collectiveAttributeSpecificArea
(2.5.23.5) and collectiveAttributeInnerArea (2.5.23.6) administrative
areas [SUBENTRY][X.501].


2.2. collectiveAttributeSubentries

The collectiveAttributeSubentries operational attribute identifies all
collective attribute subentries that affect the entry.

    ( 2.5.18.12 NAME 'collectiveAttributeSubentries'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
        USAGE directoryOperation NO-USER-MODIFICATION )


2.3. collectiveExclusions

The collectiveExclusions operational attribute allows particular
collective attributes to be excluded from an entry. It MAY appear in
any entry and MAY have multiple values.

    ( 2.5.18.7 NAME 'collectiveExclusions'
        EQUALITY objectIdentifierMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
        USAGE directoryOperation )

The descriptor excludeAllCollectiveAttributes is associated with the
OID 2.5.18.0. When this descriptor or OID is present as a value of
the collectiveExclusions attribute, all collective attributes are
excluded from an entry.


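The client-side view that Sections 1.2, 2.2 and 2.3 describe (values
contributed by every subentry in scope, merged so that their source is
not manifested, minus whatever collectiveExclusions removes, and with
writes to collective attributes refused at the entry), as an added
Python example that is not part of this draft or of OpenLDAP. It
assumes a simplified scoping rule, "a subentry applies to every entry
below its parent", where a real server evaluates the subentry's
subtreeSpecification [SUBENTRY]; the subentries and entries it operates
on are constructed sample data.

```python
"""Fold collective attributes into the view of an entry, following the
draft: values come from every collectiveAttributeSubentry whose scope
covers the entry (1.1, 2.1, 2.2); values from several subentries are
merged so the client cannot tell which subentry supplied them (1.2);
collectiveExclusions drops named collective attributes, and
excludeAllCollectiveAttributes / 2.5.18.0 drops all of them (2.3);
collective attributes are readable through the entry but only
modifiable through the subentry (1.2). Added example, not OpenLDAP
code: scoping is simplified to "every entry below the subentry's
parent"; a real server evaluates the subentry's subtreeSpecification."""
from __future__ import annotations

EXCLUDE_ALL = {"excludeallcollectiveattributes", "2.5.18.0"}

# Descriptor (lower-cased) -> OID for the collective types in Section 3.
COLLECTIVE_OIDS = {
    "c-l": "2.5.4.7.1", "c-st": "2.5.4.8.1", "c-street": "2.5.4.9.1",
    "c-o": "2.5.4.10.1", "c-ou": "2.5.4.11.1",
    "c-postaladdress": "2.5.4.16.1", "c-postalcode": "2.5.4.17.1",
    "c-postofficebox": "2.5.4.18.1",
    "c-physicaldeliveryofficename": "2.5.4.19.1",
    "c-telephonenumber": "2.5.4.20.1", "c-telexnumber": "2.5.4.21.1",
    "c-facsimiletelephonenumber": "2.5.4.23.1",
    "c-internationalisdnnumber": "2.5.4.25.1",
}


def _norm(s: str) -> str:
    return s.strip().lower()


def _excluded(attr: str, exclusions: list[str]) -> bool:
    """True if the collectiveExclusions values name `attr` by descriptor
    or OID, or exclude all collective attributes."""
    ex = {_norm(v) for v in exclusions}
    if ex & EXCLUDE_ALL:
        return True
    return _norm(attr) in ex or COLLECTIVE_OIDS.get(_norm(attr)) in ex


def subentries_in_scope(entry_dn: str, subentries: list[dict]) -> list[dict]:
    """Subentries whose administrative point (the subentry's parent) is an
    ancestor of the entry. Simplified scoping, see the module docstring."""
    dn = _norm(entry_dn)
    hits = []
    for se in subentries:
        parts = se["dn"].split(",", 1)
        if len(parts) == 2 and dn.endswith("," + _norm(parts[1])):
            hits.append(se)
    return hits


def effective_entry(entry: dict, subentries: list[dict]) -> dict[str, set[str]]:
    """Attribute -> values as a client reading `entry` sees them. Entries and
    subentries are dicts with "dn" plus lower-cased attribute descriptors."""
    view = {k: set(v) for k, v in entry.items() if k != "dn"}
    in_scope = subentries_in_scope(entry["dn"], subentries)
    view["collectiveattributesubentries"] = {se["dn"] for se in in_scope}
    exclusions = entry.get("collectiveexclusions", [])
    for se in in_scope:
        for attr, values in se.items():
            if attr == "dn" or _norm(attr) not in COLLECTIVE_OIDS:
                continue  # only COLLECTIVE types propagate to the collection
            if _excluded(attr, exclusions):
                continue
            # One merged set per attribute: sources are not manifested.
            view.setdefault(_norm(attr), set()).update(values)
    return view


def modify_entry(entry: dict, attr: str, values: list[str]) -> None:
    """Refuse writes to collective attributes through an ordinary entry;
    they are administered via the collective attribute subentry."""
    if _norm(attr) in COLLECTIVE_OIDS:
        raise PermissionError(f"{attr} is COLLECTIVE; modify its subentry instead")
    entry[_norm(attr)] = list(values)


# Constructed sample directory (not from the draft).
SUBENTRIES = [
    {"dn": "cn=HQ,o=Example", "c-o": ["Example Corp"],
     "c-telephonenumber": ["+1 555 0100"]},
    {"dn": "cn=Sales,ou=Sales,o=Example", "c-l": ["Springfield"],
     "c-telephonenumber": ["+1 555 0200"]},
]
ALICE = {"dn": "uid=alice,ou=Sales,o=Example", "cn": ["Alice"]}
BOB = {"dn": "uid=bob,ou=Sales,o=Example", "cn": ["Bob"],
       "collectiveexclusions": ["c-TelephoneNumber"]}
CAROL = {"dn": "uid=carol,o=Example", "cn": ["Carol"],
         "collectiveexclusions": ["excludeAllCollectiveAttributes"]}

if __name__ == "__main__":
    for e in (ALICE, BOB, CAROL):
        print(e["dn"], effective_entry(e, SUBENTRIES))
```

Alice sits under both subentries and sees one merged set of telephone
numbers; Bob excludes c-TelephoneNumber by descriptor and keeps c-o and
c-l; Carol's excludeAllCollectiveAttributes leaves her with no
collective values while collectiveAttributeSubentries still lists the
subentry that covers her.

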
3. Collective Attribute Types

A userApplications attribute type can be defined to be COLLECTIVE
[RFC2252]. This indicates that the same attribute values will appear
in the entries of an entry collection subject to the use of the
collectiveExclusions attribute and other administrative controls.
These administrative controls MAY include DIT Content Rules, if
implemented.

Collective attribute types are commonly defined as subtypes of non-
collective attribute types. By convention, collective attributes are
named by prefixing the name of their non-collective supertype with
"c-". For example, the collective telephone attribute is named
c-TelephoneNumber after its non-collective supertype telephoneNumber.

Non-collective attribute types SHALL NOT subtype collective
attributes.

Collective attributes SHALL NOT be SINGLE-VALUED. Collective
attribute types SHALL NOT appear in the attribute types of an object
class definition.

Operational attributes SHALL NOT be defined to be collective.

The remainder of this section provides a summary of collective
attributes derived from those defined in [X.520]. The SUPerior
attribute types are described in [RFC2256] for use with LDAP.

Implementations of this specification SHOULD support the following
collective attributes and MAY support additional collective
attributes.


3.1. Collective Locality Name

The c-l attribute type specifies a locality name for a collection of
entries.

    ( 2.5.4.7.1 NAME 'c-l'
        SUP l COLLECTIVE )


3.2. Collective State or Province Name

The c-st attribute type specifies a state or province name for a
collection of entries.

    ( 2.5.4.8.1 NAME 'c-st'
        SUP st COLLECTIVE )


3.3. Collective Street Address

The c-street attribute type specifies a street address for a
collection of entries.

    ( 2.5.4.9.1 NAME 'c-street'
        SUP street COLLECTIVE )


3.4. Collective Organization Name

The c-o attribute type specifies an organization name for a collection
of entries.

    ( 2.5.4.10.1 NAME 'c-o'
        SUP o COLLECTIVE )


3.5. Collective Organizational Unit Name

The c-ou attribute type specifies an organizational unit name for a
collection of entries.

    ( 2.5.4.11.1 NAME 'c-ou'
        SUP ou COLLECTIVE )


3.6. Collective Postal Address

The c-PostalAddress attribute type specifies a postal address for a
collection of entries.

    ( 2.5.4.16.1 NAME 'c-PostalAddress'
        SUP postalAddress COLLECTIVE )


3.7. Collective Postal Code

The c-PostalCode attribute type specifies a postal code for a
collection of entries.

    ( 2.5.4.17.1 NAME 'c-PostalCode'
        SUP postalCode COLLECTIVE )


3.8. Collective Post Office Box

The c-PostOfficeBox attribute type specifies a post office box for a
collection of entries.

    ( 2.5.4.18.1 NAME 'c-PostOfficeBox'
        SUP postOfficeBox COLLECTIVE )


3.9. Collective Physical Delivery Office Name

The c-PhysicalDeliveryOfficeName attribute type specifies a physical
delivery office name for a collection of entries.

    ( 2.5.4.19.1 NAME 'c-PhysicalDeliveryOfficeName'
        SUP physicalDeliveryOfficeName COLLECTIVE )


3.10. Collective Telephone Number

The c-TelephoneNumber attribute type specifies a telephone number for
a collection of entries.

    ( 2.5.4.20.1 NAME 'c-TelephoneNumber'
        SUP telephoneNumber COLLECTIVE )


3.11. Collective Telex Number

The c-TelexNumber attribute type specifies a telex number for a
collection of entries.

    ( 2.5.4.21.1 NAME 'c-TelexNumber'
        SUP telexNumber COLLECTIVE )


3.13. Collective Facsimile Telephone Number

The c-FacsimileTelephoneNumber attribute type specifies a facsimile
telephone number for a collection of entries.

    ( 2.5.4.23.1 NAME 'c-FacsimileTelephoneNumber'
        SUP facsimileTelephoneNumber COLLECTIVE )


3.14. Collective International ISDN Number

The c-InternationalISDNNumber attribute type specifies an
international ISDN number for a collection of entries.

    ( 2.5.4.25.1 NAME 'c-InternationalISDNNumber'
        SUP internationalISDNNumber COLLECTIVE )


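A schema lint for the rules stated at the start of Section 3 (a
COLLECTIVE type SHALL NOT be SINGLE-VALUED, operational attributes
SHALL NOT be collective, non-collective types SHALL NOT subtype
collective ones, and the "c-" naming convention), run over the
attribute type descriptions of 3.1 through 3.14. This is an added
Python example, not code from the draft or from OpenLDAP: the parser
covers only the [RFC2252] keywords that the draft's own definitions
use, and the three rejected definitions under the 2.999 example OID
arc are constructed for the demonstration.

```python
"""Lint LDAPv3 attribute type descriptions ([RFC2252] syntax) against the
rules in Section 3 of the draft: a COLLECTIVE type SHALL NOT be
SINGLE-VALUE, operational attributes SHALL NOT be collective, a
non-collective type SHALL NOT subtype a collective one, and by convention
a collective type is named "c-" + its supertype's name. Added example;
the parser handles only the RFC 2252 keywords the draft's definitions use."""
from __future__ import annotations
import re

KEYWORDS = {"DESC", "SUP", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "USAGE"}
FLAGS = {"SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION", "OBSOLETE"}


def parse_attribute_type(text: str) -> dict:
    """Parse one description into {"oid", "names", "flags", "props"}."""
    body = text.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("attribute type description must be parenthesised")
    tokens = re.findall(r"'[^']*'|\S+", body[1:-1])
    at = {"oid": tokens[0], "names": [], "flags": set(), "props": {}}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in FLAGS:
            at["flags"].add(tok)
            i += 1
        elif tok == "NAME":  # NAME 'x'  or  NAME ( 'x' 'y' )
            i += 1
            if tokens[i] == "(":
                i += 1
                while tokens[i] != ")":
                    at["names"].append(tokens[i].strip("'"))
                    i += 1
                i += 1
            else:
                at["names"].append(tokens[i].strip("'"))
                i += 1
        elif tok in KEYWORDS:
            at["props"][tok] = tokens[i + 1].strip("'")
            i += 2
        else:
            raise ValueError(f"unexpected token {tok!r} in {at['oid']}")
    return at


def lint(definitions: list[str]) -> dict[str, list[str]]:
    """Map each offending type's first NAME to the Section 3 rules it breaks."""
    types = [parse_attribute_type(d) for d in definitions]
    by_name = {n.lower(): t for t in types for n in t["names"]}
    problems: dict[str, list[str]] = {}
    for t in types:
        name = t["names"][0] if t["names"] else t["oid"]
        sup_name = t["props"].get("SUP")
        usage = t["props"].get("USAGE", "userApplications")  # RFC 2252 default
        collective = "COLLECTIVE" in t["flags"]
        errs = []
        if collective and "SINGLE-VALUE" in t["flags"]:
            errs.append("collective attributes SHALL NOT be SINGLE-VALUED")
        if collective and usage != "userApplications":
            errs.append("operational attributes SHALL NOT be collective")
        sup = by_name.get((sup_name or "").lower())
        if sup is not None and not collective and "COLLECTIVE" in sup["flags"]:
            errs.append("non-collective type SHALL NOT subtype a collective one")
        if collective and sup_name and name.lower() != "c-" + sup_name.lower():
            errs.append(f"{name!r} does not follow the c-<supertype> naming convention")
        if errs:
            problems[name] = errs
    return problems


# The collective attribute types defined in Sections 3.1 to 3.14 of the draft.
DRAFT_DEFINITIONS = [
    "( 2.5.4.7.1 NAME 'c-l' SUP l COLLECTIVE )",
    "( 2.5.4.8.1 NAME 'c-st' SUP st COLLECTIVE )",
    "( 2.5.4.9.1 NAME 'c-street' SUP street COLLECTIVE )",
    "( 2.5.4.10.1 NAME 'c-o' SUP o COLLECTIVE )",
    "( 2.5.4.11.1 NAME 'c-ou' SUP ou COLLECTIVE )",
    "( 2.5.4.16.1 NAME 'c-PostalAddress' SUP postalAddress COLLECTIVE )",
    "( 2.5.4.17.1 NAME 'c-PostalCode' SUP postalCode COLLECTIVE )",
    "( 2.5.4.18.1 NAME 'c-PostOfficeBox' SUP postOfficeBox COLLECTIVE )",
    "( 2.5.4.19.1 NAME 'c-PhysicalDeliveryOfficeName' SUP physicalDeliveryOfficeName COLLECTIVE )",
    "( 2.5.4.20.1 NAME 'c-TelephoneNumber' SUP telephoneNumber COLLECTIVE )",
    "( 2.5.4.21.1 NAME 'c-TelexNumber' SUP telexNumber COLLECTIVE )",
    "( 2.5.4.23.1 NAME 'c-FacsimileTelephoneNumber' SUP facsimileTelephoneNumber COLLECTIVE )",
    "( 2.5.4.25.1 NAME 'c-InternationalISDNNumber' SUP internationalISDNNumber COLLECTIVE )",
]

# Constructed definitions that break the rules; 2.999 is the ITU-T example OID arc.
BAD_DEFINITIONS = [
    "( 2.999.1 NAME 'c-l-single' SUP l COLLECTIVE SINGLE-VALUE )",
    "( 2.999.2 NAME 'c-lastLogin' EQUALITY generalizedTimeMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 USAGE directoryOperation COLLECTIVE )",
    "( 2.999.3 NAME 'localityAlias' SUP c-l )",
]

if __name__ == "__main__":
    print(lint(DRAFT_DEFINITIONS))  # {}
    for name, errs in lint(DRAFT_DEFINITIONS + BAD_DEFINITIONS).items():
        print(name, errs)
```

The draft's own thirteen definitions pass cleanly; the subtype check
only fires when the supertype is among the definitions being linted,
which is why 'localityAlias' is caught (its SUP c-l is defined above)
while the ordinary X.520 supertypes such as l or telephoneNumber are
simply left unchecked.

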
4. Security Considerations

Collective attributes, like other attributes, are subject to access
control restrictions and other administrative policy. Generally
speaking, collective attributes accessed via an entry in a collection
are governed by rules restricting access to attributes of that entry,
and collective attributes accessed via a subentry are governed by
rules restricting access to attributes of that subentry. However, as
LDAP does not have a standard access model, the particulars of each
server's access control system may differ.

General LDAP security considerations [LDAPTS] also apply.


5. IANA Considerations

It is requested that IANA register upon Standards Action the LDAP
descriptors [LDAPIANA] defined in this technical specification. The
following registration template is suggested:

    Subject: Request for LDAP Descriptor Registration
    Descriptor: see comments
    Object Identifier: see comments
    Person & email address to contact for further information:
        Kurt Zeilenga <kurt@OpenLDAP.org>
    Usage: see comments
    Specification: RFCXXXX
    Author/Change Controller: IESG
    Comments:

    NAME                            Type  OID
    ------------------------------  ----  -----------------
    c-FacsimileTelephoneNumber      A     2.5.4.23.1
    c-InternationalISDNNumber       A     2.5.4.25.1
    c-PhysicalDeliveryOfficeName    A     2.5.4.19.1
    c-PostOfficeBox                 A     2.5.4.18.1
    c-PostalAddress                 A     2.5.4.16.1
    c-PostalCode                    A     2.5.4.17.1
    c-TelephoneNumber               A     2.5.4.20.1
    c-TelexNumber                   A     2.5.4.21.1
    c-l                             A     2.5.4.7.1
    c-o                             A     2.5.4.10.1
    c-ou                            A     2.5.4.11.1
    c-st                            A     2.5.4.8.1
    c-street                        A     2.5.4.9.1
    collectiveAttributeSubentries   A     2.5.18.12
    collectiveAttributeSubentry     O     2.5.20.2
    collectiveExclusions            A     2.5.18.7

    where Type A is Attribute and Type O is ObjectClass.

The Object Identifiers used in this document were assigned by the
ISO/IEC Joint Technical Committee 1, Subcommittee 6 to identify
elements of X.500 schema [X.520]. This document makes no OID
assignments; it only provides LDAP schema descriptions for existing
elements of X.500 schema.


6. Acknowledgments

This document is based upon the ITU Recommendations for the Directory
[X.501][X.520].


7. Author's Address

Kurt D. Zeilenga
OpenLDAP Foundation
<Kurt@OpenLDAP.org>


8. Normative References

[RFC2119]  S. Bradner, "Key words for use in RFCs to Indicate
           Requirement Levels", BCP 14 (also RFC 2119), March 1997.

[RFC2251]  M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
           Protocol (v3)", RFC 2251, December 1997.

[RFC2252]  M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight
           Directory Access Protocol (v3): Attribute Syntax
           Definitions", RFC 2252, December 1997.

[RFC2256]  M. Wahl, "A Summary of the X.500(96) User Schema for use
           with LDAPv3", RFC 2256, December 1997.

[LDAPTS]   J. Hodges, R.L. Morgan, "Lightweight Directory Access
           Protocol (v3): Technical Specification",
           draft-ietf-ldapbis-ldapv3-ts-xx.txt, a work in progress.

[SUBENTRY] K. Zeilenga, S. Legg, "Subentries in LDAP",
           draft-zeilenga-ldap-subentry-xx.txt, a work in progress.

[X.501]    "The Directory: Models", ITU-T Recommendation X.501, 1993.


9. Informative References

[X.500]    "The Directory: Overview of Concepts, Models", ITU-T
           Recommendation X.500, 1993.

[X.520]    "The Directory: Selected Attribute Types", ITU-T
           Recommendation X.520, 1993.


Copyright 2002, The Internet Society. All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be followed,
or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an
"AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.