mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-15 03:01:09 +08:00
1180 lines
40 KiB
Plaintext
1180 lines
40 KiB
Plaintext
|
||
|
||
|
||
|
||
|
||
|
||
Network Working Group L. Howard
|
||
Request for Comments: 2307 Independent Consultant
|
||
Category: Experimental March 1998
|
||
|
||
|
||
An Approach for Using LDAP as a Network Information Service
|
||
|
||
Status of this Memo
|
||
|
||
This memo defines an Experimental Protocol for the Internet
|
||
community. It does not specify an Internet standard of any kind.
|
||
Discussion and suggestions for improvement are requested.
|
||
Distribution of this memo is unlimited.
|
||
|
||
Copyright Notice
|
||
|
||
Copyright (C) The Internet Society (1998). All Rights Reserved.
|
||
|
||
Abstract
|
||
|
||
This document describes an experimental mechanism for mapping
|
||
entities related to TCP/IP and the UNIX system into X.500 [X500]
|
||
entries so that they may be resolved with the Lightweight Directory
|
||
Access Protocol [RFC2251]. A set of attribute types and object
|
||
classes are proposed, along with specific guidelines for interpreting
|
||
them.
|
||
|
||
The intention is to assist the deployment of LDAP as an
|
||
organizational nameservice. No proposed solutions are intended as
|
||
standards for the Internet. Rather, it is hoped that a general
|
||
consensus will emerge as to the appropriate solution to such
|
||
problems, leading eventually to the adoption of standards. The
|
||
proposed mechanism has already been implemented with some success.
|
||
|
||
1. Background and Motivation
|
||
|
||
The UNIX (R) operating system, and its derivatives (specifically,
|
||
those which support TCP/IP and conform to the X/Open Single UNIX
|
||
specification [XOPEN]) require a means of looking up entities, by
|
||
matching them against search criteria or by enumeration. (Other
|
||
operating systems that support TCP/IP may provide some means of
|
||
resolving some of these entities. This schema is applicable to those
|
||
environments also.)
|
||
|
||
These entities include users, groups, IP services (which map names to
|
||
IP ports and protocols, and vice versa), IP protocols (which map
|
||
names to IP protocol numbers and vice versa), RPCs (which map names
|
||
to ONC Remote Procedure Call [RFC1057] numbers and vice versa), NIS
|
||
|
||
|
||
|
||
Howard Experimental [Page 1]
|
||
|
||
RFC 2307 Using LDAP as a Network Information Service March 1998
|
||
|
||
|
||
netgroups, booting information (boot parameters and MAC address
|
||
mappings), filesystem mounts, IP hosts and networks, and RFC822 mail
|
||
aliases.
|
||
|
||
Resolution requests are made through a set of C functions, provided
|
||
in the UNIX system's C library. For example, the UNIX system utility
|
||
"ls", which enumerates the contents of a filesystem directory, uses
|
||
the C library function getpwuid() in order to map user IDs to login
|
||
names. Once the request is made, it is resolved using a "nameservice"
|
||
which is supported by the client library. The nameservice may be, at
|
||
its simplest, a collection of files in the local filesystem which are
|
||
opened and searched by the C library. Other common nameservices
|
||
include the Network Information Service (NIS) and the Domain Name
|
||
System (DNS). (The latter is typically used for resolving hosts,
|
||
services and networks.) Both these nameservices have the advantage of
|
||
being distributed and thus permitting a common set of entities to be
|
||
shared amongst many clients.
|
||
|
||
LDAP is a distributed, hierarchical directory service access protocol
|
||
which is used to access repositories of users and other network-
|
||
related entities. Because LDAP is often not tightly integrated with
|
||
the host operating system, information such as users may need to be
|
||
kept both in LDAP and in an operating system supported nameservice
|
||
such as NIS. By using LDAP as the the primary means of resolving
|
||
these entities, these redundancy issues are minimized and the
|
||
scalability of LDAP can be exploited. (By comparison, NIS services
|
||
based on flat files do not have the scalability or extensibility of
|
||
LDAP or X.500.)
|
||
|
||
The object classes and attributes defined below are suitable for
|
||
representing the aforementioned entities in a form compatible with
|
||
LDAP and X.500 directory services.
|
||
|
||
2. General Issues
|
||
|
||
2.1. Terminology
|
||
|
||
The key words "MUST", "SHOULD", and "MAY" used in this document are
|
||
to be interpreted as described in [RFC2119].
|
||
|
||
For the purposes of this document, the term "nameservice" refers to a
|
||
service, such as NIS or flat files, that is used by the operating
|
||
system to resolve entities within a single, local naming context.
|
||
Contrast this with a "directory service" such as LDAP, which supports
|
||
extensible schema and multiple naming contexts.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Howard Experimental [Page 2]
|
||
|
||
RFC 2307 Using LDAP as a Network Information Service March 1998
|
||
|
||
|
||
The term "NIS-related entities" broadly refers to entities which are
|
||
typically resolved using the Network Information Service. (NIS was
|
||
previously known as YP.) Deploying LDAP for resolving these entities
|
||
does not imply that NIS be used, as a gateway or otherwise. In
|
||
particular, the host and network classes are generically applicable,
|
||
and may be implemented on any system that wishes to use LDAP or X.500
|
||
for host and network resolution.
|
||
|
||
The "DUA" (directory user agent) refers to the LDAP client querying
|
||
these entities, such as an LDAP to NIS gateway or the C library. The
|
||
"client" refers to the application which ultimately makes use of the
|
||
information returned by the resolution. It is irrelevant whether the
|
||
DUA and the client reside within the same address space. The act of
|
||
the DUA making this information to the client is termed
|
||
"republishing".
|
||
|
||
To avoid confusion, the term "login name" refers to the user's login
|
||
name (being the value of the uid attribute) and the term "user ID"
|
||
refers to he user's integer identification number (being the value of
|
||
the uidNumber attribute).
|
||
|
||
The phrases "resolving an entity" and "resolution of entities" refer
|
||
respectively to enumerating NIS-related entities of a given type, and
|
||
matching them against a given search criterion. One or more entities
|
||
are returned as a result of successful "resolutions" (a "match"
|
||
operation will only return one entity).
|
||
|
||
The use of the term UNIX does not confer upon this schema the
|
||
endorsement of owners of the UNIX trademark. Where necessary, the
|
||
term "TCP/IP entity" is used to refer to protocols, services, hosts,
|
||
and networks, and the term "UNIX entity" to its complement. (The
|
||
former category does not mandate the host operating system supporting
|
||
the interfaces required for resolving UNIX entities.)
|
||
|
||
The OIDs defined below are derived from iso(1) org(3) dod(6)
|
||
internet(1) directory(1) nisSchema(1).
|
||
|
||
2.2. Attributes
|
||
|
||
The attributes and classes defined in this document are summarized
|
||
below.
|
||
|
||
The following attributes are defined in this document:
|
||
|
||
uidNumber
|
||
gidNumber
|
||
gecos
|
||
homeDirectory
|
||
|
||
|
||
|
||
Howard Experimental [Page 3]
|
||
|
||
RFC 2307 Using LDAP as a Network Information Service March 1998
|
||
|
||
|
||
loginShell
|
||
shadowLastChange
|
||
shadowMin
|
||
shadowMax
|
||
shadowWarning
|
||
shadowInactive
|
||
shadowExpire
|
||
shadowFlag
|
||
memberUid
|
||
memberNisNetgroup
|
||
nisNetgroupTriple
|
||
ipServicePort
|
||
ipServiceProtocol
|
||
ipProtocolNumber
|
||
oncRpcNumber
|
||
ipHostNumber
|
||
ipNetworkNumber
|
||
ipNetmaskNumber
|
||
macAddress
|
||
bootParameter
|
||
bootFile
|
||
nisMapName
|
||
nisMapEntry
|
||
|
||
Additionally, some of the attributes defined in [RFC2256] are
|
||
required.
|
||
|
||
2.3. Object classes
|
||
|
||
The following object classes are defined in this document:
|
||
|
||
posixAccount
|
||
shadowAccount
|
||
posixGroup
|
||
ipService
|
||
ipProtocol
|
||
oncRpc
|
||
ipHost
|
||
ipNetwork
|
||
nisNetgroup
|
||
nisMap
|
||
nisObject
|
||
ieee802Device
|
||
bootableDevice
|
||
|
||
Additionally, some of the classes defined in [RFC2256] are required.
|
||
|
||
|
||
|
||
|
||
|
||
Howard Experimental [Page 4]
|
||
|
||
RFC 2307 Using LDAP as a Network Information Service March 1998
|
||
|
||
|
||
2.4. Syntax definitions
|
||
|
||
The following syntax definitions [RFC2252] are used by this schema.
|
||
The nisNetgroupTripleSyntax represents NIS netgroup triples:
|
||
|
||
( nisSchema.0.0 NAME 'nisNetgroupTripleSyntax'
|
||
DESC 'NIS netgroup triple' )
|
||
|
||
Values in this syntax are represented by the following:
|
||
|
||
nisnetgrouptriple = "(" hostname "," username "," domainname ")"
|
||
hostname = "" / "-" / keystring
|
||
username = "" / "-" / keystring
|
||
domainname = "" / "-" / keystring
|
||
|
||
X.500 servers may use the following representation of the above
|
||
syntax:
|
||
|
||
nisNetgroupTripleSyntax ::= SEQUENCE {
|
||
hostname [0] IA5String OPTIONAL,
|
||
username [1] IA5String OPTIONAL,
|
||
domainname [2] IA5String OPTIONAL
|
||
}
|
||
|
||
The bootParameterSyntax syntax represents boot parameters:
|
||
|
||
( nisSchema.0.1 NAME 'bootParameterSyntax'
|
||
DESC 'Boot parameter' )
|
||
|
||
where:
|
||
|
||
bootparameter = key "=" server ":" path
|
||
key = keystring
|
||
server = keystring
|
||
path = keystring
|
||
|
||
X.500 servers may use the following representation of the above
|
||
syntax:
|
||
|
||
bootParameterSyntax ::= SEQUENCE {
|
||
key IA5String,
|
||
server IA5String,
|
||
path IA5String
|
||
}
|
||
|
||
Values adhering to these syntaxes are encoded as strings by LDAP
|
||
servers.
|
||
|
||
|
||
|
||
|
||
Howard Experimental [Page 5]
|
||
|
||
RFC 2307 Using LDAP as a Network Information Service March 1998
|
||
|
||
|
||
3. Attribute definitions
|
||
|
||
This section contains attribute definitions to be implemented by DUAs
|
||
supporting this schema.
|
||
|
||
( nisSchema.1.0 NAME 'uidNumber'
|
||
DESC 'An integer uniquely identifying a user in an
|
||
administrative domain'
|
||
EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )
|
||
|
||
( nisSchema.1.1 NAME 'gidNumber'
|
||
DESC 'An integer uniquely identifying a group in an
|
||
administrative domain'
|
||
EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )
|
||
|
||
( nisSchema.1.2 NAME 'gecos'
|
||
DESC 'The GECOS field; the common name'
|
||
EQUALITY caseIgnoreIA5Match
|
||
SUBSTRINGS caseIgnoreIA5SubstringsMatch
|
||
SYNTAX 'IA5String' SINGLE-VALUE )
|
||
|
||
( nisSchema.1.3 NAME 'homeDirectory'
|
||
DESC 'The absolute path to the home directory'
|
||
EQUALITY caseExactIA5Match
|
||
SYNTAX 'IA5String' SINGLE-VALUE )
|
||
|
||
( nisSchema.1.4 NAME 'loginShell'
|
||
DESC 'The path to the login shell'
|
||
EQUALITY caseExactIA5Match
|
||
SYNTAX 'IA5String' SINGLE-VALUE )
|
||
|
||
( nisSchema.1.5 NAME 'shadowLastChange'
|
||
EQUALITY integerMatch
|
||
SYNTAX 'INTEGER' SINGLE-VALUE )
|
||
|
||
( nisSchema.1.6 NAME 'shadowMin'
|
||
EQUALITY integerMatch
|
||
SYNTAX 'INTEGER' SINGLE-VALUE )
|
||
|
||
( nisSchema.1.7 NAME 'shadowMax'
|
||
EQUALITY integerMatch
|
||
SYNTAX 'INTEGER' SINGLE-VALUE )
|
||
|
||
( nisSchema.1.8 NAME 'shadowWarning'
|
||
EQUALITY integerMatch
|
||
SYNTAX 'INTEGER' SINGLE-VALUE )
|
||
|
||
( nisSchema.1.9 NAME 'shadowInactive'
|
||
|
||
|
||
|
||
Howard Experimental [Page 6]
|
||
|
||
RFC 2307 Using LDAP as a Network Information Service March 1998
|
||
|
||
|
||
EQUALITY integerMatch
|
||
SYNTAX 'INTEGER' SINGLE-VALUE )
|
||
|
||
( nisSchema.1.10 NAME 'shadowExpire'
|
||
EQUALITY integerMatch
|
||
SYNTAX 'INTEGER' SINGLE-VALUE )
|
||
|
||
( nisSchema.1.11 NAME 'shadowFlag'
|
||
EQUALITY integerMatch
|
||
SYNTAX 'INTEGER' SINGLE-VALUE )
|
||
|
||
( nisSchema.1.12 NAME 'memberUid'
|
||
EQUALITY caseExactIA5Match
|
||
SUBSTRINGS caseExactIA5SubstringsMatch
|
||
SYNTAX 'IA5String' )
|
||
|
||
( nisSchema.1.13 NAME 'memberNisNetgroup'
|
||
EQUALITY caseExactIA5Match
|
||
SUBSTRINGS caseExactIA5SubstringsMatch
|
||
SYNTAX 'IA5String' )
|
||
|
||
( nisSchema.1.14 NAME 'nisNetgroupTriple'
|
||
DESC 'Netgroup triple'
|
||
SYNTAX 'nisNetgroupTripleSyntax' )
|
||
|
||
( nisSchema.1.15 NAME 'ipServicePort'
|
||
EQUALITY integerMatch
|
||
SYNTAX 'INTEGER' SINGLE-VALUE )
|
||
|
||
( nisSchema.1.16 NAME 'ipServiceProtocol'
|
||
SUP name )
|
||
|
||
( nisSchema.1.17 NAME 'ipProtocolNumber'
|
||
EQUALITY integerMatch
|
||
SYNTAX 'INTEGER' SINGLE-VALUE )
|
||
|
||
( nisSchema.1.18 NAME 'oncRpcNumber'
|
||
EQUALITY integerMatch
|
||
SYNTAX 'INTEGER' SINGLE-VALUE )
|
||
|
||
( nisSchema.1.19 NAME 'ipHostNumber'
|
||
DESC 'IP address as a dotted decimal, eg. 192.168.1.1,
|
||
omitting leading zeros'
|
||
EQUALITY caseIgnoreIA5Match
|
||
SYNTAX 'IA5String{128}' )
|
||
|
||
( nisSchema.1.20 NAME 'ipNetworkNumber'
|
||
DESC 'IP network as a dotted decimal, eg. 192.168,
|
||
|
||
|
||
|
||
Howard Experimental [Page 7]
|
||
|
||
RFC 2307 Using LDAP as a Network Information Service March 1998
|
||
|
||
|
||
omitting leading zeros'
|
||
EQUALITY caseIgnoreIA5Match
|
||
SYNTAX 'IA5String{128}' SINGLE-VALUE )
|
||
|
||
( nisSchema.1.21 NAME 'ipNetmaskNumber'
|
||
DESC 'IP netmask as a dotted decimal, eg. 255.255.255.0,
|
||
omitting leading zeros'
|
||
EQUALITY caseIgnoreIA5Match
|
||
SYNTAX 'IA5String{128}' SINGLE-VALUE )
|
||
|
||
( nisSchema.1.22 NAME 'macAddress'
|
||
DESC 'MAC address in maximal, colon separated hex
|
||
notation, eg. 00:00:92:90:ee:e2'
|
||
EQUALITY caseIgnoreIA5Match
|
||
SYNTAX 'IA5String{128}' )
|
||
|
||
( nisSchema.1.23 NAME 'bootParameter'
|
||
DESC 'rpc.bootparamd parameter'
|
||
SYNTAX 'bootParameterSyntax' )
|
||
|
||
( nisSchema.1.24 NAME 'bootFile'
|
||
DESC 'Boot image name'
|
||
EQUALITY caseExactIA5Match
|
||
SYNTAX 'IA5String' )
|
||
|
||
( nisSchema.1.26 NAME 'nisMapName'
|
||
SUP name )
|
||
|
||
( nisSchema.1.27 NAME 'nisMapEntry'
|
||
EQUALITY caseExactIA5Match
|
||
SUBSTRINGS caseExactIA5SubstringsMatch
|
||
SYNTAX 'IA5String{1024}' SINGLE-VALUE )
|
||
|
||
4. Class definitions
|
||
|
||
This section contains class definitions to be implemented by DUAs
|
||
supporting the schema.
|
||
|
||
The rfc822MailGroup object class MAY be used to represent a mail
|
||
group for the purpose of alias expansion. Several alternative schemes
|
||
for mail routing and delivery using LDAP directories, which are
|
||
outside the scope of this document.
|
||
|
||
( nisSchema.2.0 NAME 'posixAccount' SUP top AUXILIARY
|
||
DESC 'Abstraction of an account with POSIX attributes'
|
||
MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
|
||
MAY ( userPassword $ loginShell $ gecos $ description ) )
|
||
|
||
|
||
|
||
|
||
Howard Experimental [Page 8]
|
||
|
||
RFC 2307 Using LDAP as a Network Information Service March 1998
|
||
|
||
|
||
( nisSchema.2.1 NAME 'shadowAccount' SUP top AUXILIARY
|
||
DESC 'Additional attributes for shadow passwords'
|
||
MUST uid
|
||
MAY ( userPassword $ shadowLastChange $ shadowMin
|
||
shadowMax $ shadowWarning $ shadowInactive $
|
||
shadowExpire $ shadowFlag $ description ) )
|
||
|
||
( nisSchema.2.2 NAME 'posixGroup' SUP top STRUCTURAL
|
||
DESC 'Abstraction of a group of accounts'
|
||
MUST ( cn $ gidNumber )
|
||
MAY ( userPassword $ memberUid $ description ) )
|
||
|
||
( nisSchema.2.3 NAME 'ipService' SUP top STRUCTURAL
|
||
DESC 'Abstraction an Internet Protocol service.
|
||
Maps an IP port and protocol (such as tcp or udp)
|
||
to one or more names; the distinguished value of
|
||
the cn attribute denotes the service's canonical
|
||
name'
|
||
MUST ( cn $ ipServicePort $ ipServiceProtocol )
|
||
MAY ( description ) )
|
||
|
||
( nisSchema.2.4 NAME 'ipProtocol' SUP top STRUCTURAL
|
||
DESC 'Abstraction of an IP protocol. Maps a protocol number
|
||
to one or more names. The distinguished value of the cn
|
||
attribute denotes the protocol's canonical name'
|
||
MUST ( cn $ ipProtocolNumber $ description )
|
||
MAY description )
|
||
|
||
( nisSchema.2.5 NAME 'oncRpc' SUP top STRUCTURAL
|
||
DESC 'Abstraction of an Open Network Computing (ONC)
|
||
[RFC1057] Remote Procedure Call (RPC) binding.
|
||
This class maps an ONC RPC number to a name.
|
||
The distinguished value of the cn attribute denotes
|
||
the RPC service's canonical name'
|
||
MUST ( cn $ oncRpcNumber $ description )
|
||
MAY description )
|
||
|
||
( nisSchema.2.6 NAME 'ipHost' SUP top AUXILIARY
|
||
|
||
DESC 'Abstraction of a host, an IP device. The distinguished
|
||
value of the cn attribute denotes the host's canonical
|
||
name. Device SHOULD be used as a structural class'
|
||
MUST ( cn $ ipHostNumber )
|
||
MAY ( l $ description $ manager ) )
|
||
|
||
( nisSchema.2.7 NAME 'ipNetwork' SUP top STRUCTURAL
|
||
DESC 'Abstraction of a network. The distinguished value of
|
||
the cn attribute denotes the network's canonical name'
|
||
|
||
|
||
|
||
Howard Experimental [Page 9]
|
||
|
||
RFC 2307 Using LDAP as a Network Information Service March 1998
|
||
|
||
|
||
MUST ( cn $ ipNetworkNumber )
|
||
MAY ( ipNetmaskNumber $ l $ description $ manager ) )
|
||
|
||
( nisSchema.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL
|
||
DESC 'Abstraction of a netgroup. May refer to other netgroups'
|
||
MUST cn
|
||
MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )
|
||
|
||
( nisSchema.2.09 NAME 'nisMap' SUP top STRUCTURAL
|
||
DESC 'A generic abstraction of a NIS map'
|
||
MUST nisMapName
|
||
MAY description )
|
||
|
||
( nisSchema.2.10 NAME 'nisObject' SUP top STRUCTURAL
|
||
DESC 'An entry in a NIS map'
|
||
MUST ( cn $ nisMapEntry $ nisMapName )
|
||
MAY description )
|
||
|
||
( nisSchema.2.11 NAME 'ieee802Device' SUP top AUXILIARY
|
||
DESC 'A device with a MAC address; device SHOULD be
|
||
used as a structural class'
|
||
MAY macAddress )
|
||
|
||
( nisSchema.2.12 NAME 'bootableDevice' SUP top AUXILIARY
|
||
DESC 'A device with boot parameters; device SHOULD be
|
||
used as a structural class'
|
||
MAY ( bootFile $ bootParameter ) )
|
||
|
||
5. Implementation details
|
||
|
||
5.1. Suggested resolution methods
|
||
|
||
The preferred means of directing a client application (one using the
|
||
shared services of the C library) to use LDAP as its information
|
||
source for the functions listed in 5.2 is to modify the source code
|
||
to directly query LDAP. As the source to commercial C libraries and
|
||
applications is rarely available to the end-user, one could emulate a
|
||
supported nameservice (such as NIS). (This is also an appropriate
|
||
opportunity to perform caching of entries across process address
|
||
spaces.) In the case of NIS, reference implementations are widely
|
||
available and the RPC interface is well known.
|
||
|
||
The means by which the operating system is directed to use LDAP is
|
||
implementation dependent. For example, some operating systems and C
|
||
libraries support end-user extensible resolvers using dynamically
|
||
loadable libraries and a nameservice "switch". The means in which the
|
||
DUA locates LDAP servers is also implementation dependent.
|
||
|
||
|
||
|
||
|
||
Howard Experimental [Page 10]
|
||
|
||
RFC 2307 Using LDAP as a Network Information Service March 1998
|
||
|
||
|
||
5.2. Affected library functions
|
||
|
||
The following functions are typically found in the C libraries of
|
||
most UNIX and POSIX compliant systems. An LDAP search filter
|
||
[RFC2254] which may be used to satisfy the function call is included
|
||
alongside each function name. Parameters are denoted by %s and %d for
|
||
string and integer arguments, respectively. Long lines are broken.
|
||
|
||
getpwnam() (&(objectClass=posixAccount)(uid=%s))
|
||
getpwuid() (&(objectClass=posixAccount)
|
||
(uidNumber=%d))
|
||
getpwent() (objectClass=posixAccount)
|
||
|
||
getspnam() (&(objectClass=shadowAccount)(uid=%s))
|
||
getspent() (objectClass=shadowAccount)
|
||
|
||
getgrnam() (&(objectClass=posixGroup)(cn=%s))
|
||
getgrgid() (&(objectClass=posixGroup)
|
||
(gidNumber=%d))
|
||
getgrent() (objectClass=posixGroup)
|
||
|
||
getservbyname() (&(objectClass=ipService)
|
||
(cn=%s)(ipServiceProtocol=%s))
|
||
getservbyport() (&(objectClass=ipService)
|
||
(ipServicePort=%d)
|
||
(ipServiceProtocol=%s))
|
||
getservent() (objectClass=ipService)
|
||
|
||
getrpcbyname() (&(objectClass=oncRpc)(cn=%s))
|
||
getrpcbynumber() (&(objectClass=oncRpc)(oncRpcNumber=%d))
|
||
getrpcent() (objectClass=oncRpc)
|
||
|
||
getprotobyname() (&(objectClass=ipProtocol)(cn=%s))
|
||
getprotobynumber() (&(objectClass=ipProtocol)
|
||
(ipProtocolNumber=%d))
|
||
getprotoent() (objectClass=ipProtocol)
|
||
|
||
gethostbyname() (&(objectClass=ipHost)(cn=%s))
|
||
gethostbyaddr() (&(objectClass=ipHost)(ipHostNumber=%s))
|
||
gethostent() (objectClass=ipHost)
|
||
|
||
getnetbyname() (&(objectClass=ipNetwork)(cn=%s))
|
||
getnetbyaddr() (&(objectClass=ipNetwork)
|
||
(ipNetworkNumber=%s))
|
||
getnetent() (objectClass=ipNetwork)
|
||
|
||
setnetgrent() (&(objectClass=nisNetgroup)(cn=%s))
|
||
|
||
|
||
|
||
|
||
Howard Experimental [Page 11]
|
||
|
||
RFC 2307 Using LDAP as a Network Information Service March 1998
|
||
|
||
|
||
5.3. Interpreting user and group entries
|
||
|
||
User and group resolution is initiated by the functions prefixed by
|
||
getpw and getgr respectively. The uid attribute contains the user's
|
||
login name. The cn attribute, in posixGroup entries, contains the
|
||
group's name.
|
||
|
||
The account object class provides a convenient structural class for
|
||
posixAccount, and SHOULD be used where additional attributes are not
|
||
required.
|
||
|
||
It is suggested that uid and cn are used as the RDN attribute type
|
||
for posixAccount and posixGroup entries, respectively.
|
||
|
||
An account's GECOS field is preferably determined by a value of the
|
||
gecos attribute. If no gecos attribute exists, the value of the cn
|
||
attribute MUST be used. (The existence of the gecos attribute allows
|
||
information embedded in the GECOS field, such as a user's telephone
|
||
number, to be returned to the client without overloading the cn
|
||
attribute. It also accommodates directories where the common name
|
||
does not contain the user's full name.)
|
||
|
||
An entry of class posixAccount, posixGroup, or shadowAccount without
|
||
a userPassword attribute MUST NOT be used for authentication. The
|
||
client should be returned a non-matchable password such as "x".
|
||
|
||
userPassword values MUST be represented by following syntax:
|
||
|
||
passwordvalue = schemeprefix encryptedpassword
|
||
schemeprefix = "{" scheme "}"
|
||
scheme = "crypt" / "md5" / "sha" / altscheme
|
||
altscheme = "x-" keystring
|
||
encryptedpassword = encrypted password
|
||
|
||
The encrypted password contains of a plaintext key hashed using the
|
||
algorithm scheme.
|
||
|
||
userPassword values which do not adhere to this syntax MUST NOT be
|
||
used for authentication. The DUA MUST iterate through the values of
|
||
the attribute until a value matching the above syntax is found. Only
|
||
if encryptedpassword is an empty string does the user have no
|
||
password. DUAs are not required to consider encryption schemes which
|
||
the client will not recognize; in most cases, it may be sufficient to
|
||
consider only "crypt".
|
||
|
||
Below is an example of a userPassword attribute:
|
||
|
||
userPassword: {crypt}X5/DBrWPOQQaI
|
||
|
||
|
||
|
||
Howard Experimental [Page 12]
|
||
|
||
RFC 2307 Using LDAP as a Network Information Service March 1998
|
||
|
||
|
||
A future standard may specify LDAP v3 attribute descriptions to
|
||
represent hashed userPasswords, as noted below. This schema MUST NOT
|
||
be used with LDAP v2 DUAs and DSAs.
|
||
|
||
attributetype = attributename sep attributeoption
|
||
attributename = "userPassword"
|
||
sep = ";"
|
||
attributeoption = schemeclass "-" scheme
|
||
schemeclass = "hash" / altschemeclass
|
||
scheme = "crypt" / "md5" / "sha" / altscheme
|
||
altschemeclass = "x-" keystring
|
||
altscheme = keystring
|
||
|
||
|
||
Below is an example of a userPassword attribute, represented with an
|
||
LDAP v3 attribute description:
|
||
|
||
userPassword;hash-crypt: X5/DBrWPOQQaI
|
||
|
||
|
||
A DUA MAY utilise the attributes in the shadowAccount class to
|
||
provide shadow password service (getspnam() and getspent()). In such
|
||
cases, the DUA MUST NOT make use of the userPassword attribute for
|
||
getpwnam() et al, and MUST return a non-matchable password (such as
|
||
"x") to the client instead.
|
||
|
||
5.4. Interpreting hosts and networks
|
||
|
||
The ipHostNumber and ipNetworkNumber attributes are defined in
|
||
preference to dNSRecord (defined in [RFC1279]), in order to simplify
|
||
the DUA's role in interpreting entries in the directory. A dNSRecord
|
||
expresses a complete resource record, including time to live and
|
||
class data, which is extraneous to this schema.
|
||
|
||
Additionally, the ipHost and ipNetwork classes permit a host or
|
||
network (respectively) and all its aliases to be represented by a
|
||
single entry in the directory. This is not necessarily possible if a
|
||
DNS resource record is mapped directly to an LDAP entry.
|
||
Implementations that wish to use LDAP to master DNS zone information
|
||
are not precluded from doing so, and may simply avoid the ipHost and
|
||
ipNetwork classes.
|
||
|
||
This document redefines, although not exclusively, the ipNetwork
|
||
class defined in [RFC1279], in order to achieve consistent naming
|
||
with ipHost. The ipNetworkNumber attribute is also used in the
|
||
siteContact object class [ROSE].
|
||
|
||
|
||
|
||
|
||
|
||
Howard Experimental [Page 13]
|
||
|
||
RFC 2307 Using LDAP as a Network Information Service March 1998
|
||
|
||
|
||
The trailing zeros in a network address MUST be omitted. CIDR-style
|
||
network addresses (eg. 192.168.1/24) MAY be used.
|
||
|
||
Hosts with IPv6 addresses MUST be written in their "preferred" form
|
||
as defined in section 2.2.1 of [RFC1884], such that all components of
|
||
the address are indicated and leading zeros are omitted. This
|
||
provides a consistent means of resolving ipHosts by address.
|
||
|
||
5.5. Interpreting other entities
|
||
|
||
In general, a one-to-one mapping between entities and LDAP entries is
|
||
proposed, in that each entity has exactly one representation in the
|
||
DIT. In some cases this is not feasible; for example, a service which
|
||
is represented in more than one protocol domain. Consider the
|
||
following entry:
|
||
|
||
dn: cn=domain, dc=aja, dc=com
|
||
cn: domain
|
||
cn: nameserver
|
||
objectClass: top
|
||
objectClass: ipService
|
||
ipServicePort: 53
|
||
ipServiceProtocol: tcp
|
||
ipServiceProtocol: udp
|
||
|
||
This entry MUST map to the following two (2) services entities:
|
||
|
||
domain 53/tcp nameserver
|
||
domain 53/udp nameserver
|
||
|
||
While the above two entities may be represented as separate LDAP
|
||
entities, with different distinguished names (such as
|
||
cn=domain+ipServiceProtocol=tcp, ... and
|
||
cn=domain+ipServiceProtocol=udp, ...) it is convenient to represent
|
||
them as a single entry. (If a service is represented in multiple
|
||
protocol domains with different ports, then multiple entries are
|
||
required; multivalued RDNs may be used to distinguish them.)
|
||
|
||
With the exception of userPassword values, which are parsed according
|
||
to the syntax considered in section 5.2, any empty values (consisting
|
||
of a zero length string) are returned by the DUA to the client. The
|
||
DUA MUST reject any entries which do not conform to the schema
|
||
(missing mandatory attributes). Non-conforming entries SHOULD be
|
||
ignored while enumerating entries.
|
||
|
||
The nisObject object class MAY be used as a generic means of
|
||
representing NIS entities. Its use is not encouraged; where support
|
||
for entities not described in this schema is desired, an appropriate
|
||
|
||
|
||
|
||
Howard Experimental [Page 14]
|
||
|
||
RFC 2307 Using LDAP as a Network Information Service March 1998
|
||
|
||
|
||
schema should be devised. Implementors are strongly advised to
|
||
support end-user extensible mappings between NIS entities and object
|
||
classes. (Where the nisObject class is used, the nisMapName attribute
|
||
may be used as a RDN.)
|
||
|
||
5.6. Canonicalizing entries with multi-valued naming attributes
|
||
|
||
For entities such as hosts, services, networks, protocols, and RPCs,
|
||
where there may be one or more aliases, the respective entry's
|
||
relative distinguished name SHOULD be used to determine the canonical
|
||
name. Any other values for the same attribute are used as aliases.
|
||
For example, the service described in section 5.5 has the canonical
|
||
name "domain" and exactly one alias, "nameserver".
|
||
|
||
The schema in this document generally only defines one attribute per
|
||
class which is suitable for distinguishing an entity (excluding any
|
||
attributes with integer syntax; it is assumed that entries will be
|
||
distinguished on name). Usually, this is the common name (cn)
|
||
attribute. This aids the DUA in determining the canonical name of an
|
||
entity, as it can examine the value of the relative distinguished
|
||
name. Aliases are thus any values of the distinguishing attribute
|
||
(such as cn) which do not match the canonical name of the entity.
|
||
|
||
In the event that a different attribute is used to distinguish the
|
||
entry, as may be the case where these object classes are used as
|
||
auxiliary classes, the entry's canonical name may not be present in
|
||
the RDN. In this case, the DUA MUST choose one of the non-
|
||
distinguished values to represent the entity's canonical name. As the
|
||
directory server guarantees no ordering of attribute values, it may
|
||
not be possible to distinguish an entry deterministically. This
|
||
ambiguity SHOULD NOT be resolved by mapping one directory entry into
|
||
multiple entities.
|
||
|
||
6. Implementation focus
|
||
|
||
A NIS server which uses LDAP instead of local files has been
|
||
developed which supports the schema defined in this document.
|
||
|
||
A reference implementation of the C library resolution code has been
|
||
written for the Free Software Foundation. It may support other C
|
||
libraries which support the Name Service Switch (NSS) or the
|
||
Information Retrieval Service (IRS).
|
||
|
||
The author has made available a freely distributable set of scripts
|
||
which parses local databases such as /etc/passwd and /etc/hosts into
|
||
a form suitable for loading into an LDAP server.
|
||
|
||
|
||
|
||
|
||
|
||
Howard Experimental [Page 15]
|
||
|
||
RFC 2307 Using LDAP as a Network Information Service March 1998
|
||
|
||
|
||
7. Security Considerations
|
||
|
||
The entirety of related security considerations are outside the scope
|
||
of this document. It is noted that making passwords encrypted with a
|
||
widely understood hash function (such as crypt()) available to non-
|
||
privileged users is dangerous because it exposes them to dictionary
|
||
and brute-force attacks. This is proposed only for compatibility
|
||
with existing UNIX system implementations. Sites where security is
|
||
critical SHOULD consider using a strong authentication service for
|
||
user authentication.
|
||
|
||
Alternatively, the encrypted password could be made available only to
|
||
a subset of privileged DUAs, which would provide "shadow" password
|
||
service to client applications. This may be difficult to enforce.
|
||
|
||
Because the schema represents operating system-level entities, access
|
||
to these entities SHOULD be granted on a discretionary basis. (There
|
||
is little point in restricting access to data which will be
|
||
republished without restriction, however.) It is particularly
|
||
important that only administrators can modify entries defined in this
|
||
schema, with the exception of allowing a principal to change their
|
||
password (which may be done on behalf of the user by a client bound
|
||
as a superior principal, such that password restrictions may be
|
||
enforced). For example, if a user were allowed to change the value of
|
||
their uidNumber attribute, they could subvert security by
|
||
equivalencing their account with the superuser account.
|
||
|
||
A subtree of the DIT which is to be republished by a DUA (such as a
|
||
NIS gateway) SHOULD be within the same administrative domain that the
|
||
republishing DUA represents. (For example, principals outside an
|
||
organization, while conceivably part of the DIT, should not be
|
||
considered with the same degree of authority as those within the
|
||
organization.)
|
||
|
||
Finally, care should be exercised with integer attributes of a
|
||
sensitive nature (particularly the uidNumber and gidNumber
|
||
attributes) which contain zero-length values. DUAs MAY treat such
|
||
values as corresponding to the "nobody" or "nogroup" user and group,
|
||
respectively.
|
||
|
||
8. Acknowledgements
|
||
|
||
Thanks to Leif Hedstrom of Netscape Communications Corporation,
|
||
Michael Grant and Rosanna Lee of Sun Microsystems Inc., Ed Reed of
|
||
Novell Inc., and Mark Wahl of Critical Angle Inc. for their valuable
|
||
contributions to the development of this schema. Thanks to Andrew
|
||
Josey of The Open Group for clarifying the use of the UNIX trademark,
|
||
and to Tim Howes and Peter J. Cherny for their support.
|
||
|
||
|
||
|
||
Howard Experimental [Page 16]
|
||
|
||
RFC 2307 Using LDAP as a Network Information Service March 1998
|
||
|
||
|
||
UNIX is a registered trademark of The Open Group.
|
||
|
||
9. References
|
||
|
||
[RFC1057]
|
||
Sun Microsystems, Inc., "RPC: Remote Procedure Call: Protocol
|
||
Specification Version 2", RFC 1057, June 1988.
|
||
|
||
[RFC1279]
|
||
Kille, S., "X.500 and Domains", RFC 1279, November 1991.
|
||
|
||
[RFC1884]
|
||
Hinden, R., and S. Deering, "IP Version 6 Addressing
|
||
Architecture", RFC 1884, December 1995.
|
||
|
||
[RFC2119]
|
||
Bradner, S., "Key Words for use in RFCs to Indicate Requirement
|
||
Levels", BCP 14, RFC 2119, March 1997.
|
||
|
||
[RFC2251]
|
||
Wahl, M., Howes, T., and S. Kille, "Lightweight Directory Access
|
||
Protocol (v3)", RFC 2251, December 1997.
|
||
|
||
[RFC2252]
|
||
Wahl, M., Coulbeck, A., Howes, T., and S. Kille, "Lightweight
|
||
Directory Access Protocol (v3): Attribute Syntax Definitions",
|
||
RFC 2252, December 1997.
|
||
|
||
[RFC2254]
|
||
Howes, T., "The String Representation of LDAP Search Filters",
|
||
RFC 2254, December 1997.
|
||
|
||
[RFC2256]
|
||
Wahl, M., "A Summary of the X.500(96) User Schema for use with
|
||
LDAPv3", RFC 2256, December 1997.
|
||
|
||
[ROSE]
|
||
M. T. Rose, "The Little Black Book: Mail Bonding with OSI
|
||
Directory Services", ISBN 0-13-683210-5, Prentice-Hall, Inc.,
|
||
1992.
|
||
|
||
[X500]
|
||
"Information Processing Systems - Open Systems Interconnection -
|
||
The Directory: Overview of Concepts, Models and Service",
|
||
ISO/IEC JTC 1/SC21, International Standard 9594-1, 1988.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Howard Experimental [Page 17]
|
||
|
||
RFC 2307 Using LDAP as a Network Information Service March 1998
|
||
|
||
|
||
[XOPEN]
|
||
ISO/IEC 9945-1:1990, Information Technology - Portable Operating
|
||
Systems Interface (POSIX) - Part 1: Systems Application
|
||
Programming Interface (API) [C Language]
|
||
|
||
10. Author's Address
|
||
|
||
Luke Howard
|
||
PO Box 59
|
||
Central Park Vic 3145
|
||
Australia
|
||
|
||
EMail: lukeh@xedoc.com
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Howard Experimental [Page 18]
|
||
|
||
RFC 2307 Using LDAP as a Network Information Service March 1998
|
||
|
||
|
||
A. Example entries
|
||
|
||
The examples described in this section are provided to illustrate the
|
||
schema described in this memo. They are not meant to be exhaustive.
|
||
|
||
The following entry is an example of the posixAccount class:
|
||
|
||
dn: uid=lester, dc=aja, dc=com
|
||
objectClass: top
|
||
objectClass: account
|
||
objectClass: posixAccount
|
||
uid: lester
|
||
cn: Lester the Nightfly
|
||
userPassword: {crypt}X5/DBrWPOQQaI
|
||
gecos: Lester
|
||
loginShell: /bin/csh
|
||
uidNumber: 10
|
||
gidNumber: 10
|
||
homeDirectory: /home/lester
|
||
|
||
|
||
This corresponds the UNIX system password file entry:
|
||
|
||
lester:X5/DBrWPOQQaI:10:10:Lester:/home/lester:/bin/sh
|
||
|
||
The following entry is an example of the ipHost class:
|
||
|
||
dn: cn=peg.aja.com, dc=aja, dc=com
|
||
objectClass: top
|
||
objectClass: device
|
||
objectClass: ipHost
|
||
objectClass: bootableDevice
|
||
objectClass: ieee802Device
|
||
cn: peg.aja.com
|
||
cn: www.aja.com
|
||
ipHostNumber: 10.0.0.1
|
||
macAddress: 00:00:92:90:ee:e2
|
||
bootFile: mach
|
||
bootParameter: root=fs:/nfsroot/peg
|
||
bootParameter: swap=fs:/nfsswap/peg
|
||
bootParameter: dump=fs:/nfsdump/peg
|
||
|
||
This entry represents the host canonically peg.aja.com, also known as
|
||
www.aja.com. The Ethernet address and four boot parameters are also
|
||
specified.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Howard Experimental [Page 19]
|
||
|
||
RFC 2307 Using LDAP as a Network Information Service March 1998
|
||
|
||
|
||
An example of the nisNetgroup class:
|
||
|
||
dn: cn=nightfly, dc=aja, dc=com
|
||
objectClass: top
|
||
objectClass: nisNetgroup
|
||
cn: nightfly
|
||
nisNetgroupTriple: (charlemagne,peg,dunes.aja.com)
|
||
nisNetgroupTriple: (lester,-,)
|
||
memberNisNetgroup: kamakiriad
|
||
|
||
This entry represents the netgroup nightfly, which contains two
|
||
triples (the user charlemagne, the host peg, and the domain
|
||
dunes.aja.com; and, the user lester, no host, and any domain) and one
|
||
netgroup (kamakiriad).
|
||
|
||
Finally, an example of the nisObject class:
|
||
|
||
dn: nisMapName=tracks, dc=dunes, dc=aja, dc=com
|
||
objectClass: top
|
||
objectClass: nisMap
|
||
nisMapName: tracks
|
||
|
||
dn: cn=Maxine, nisMapName=tracks, dc=dunes, dc=aja, dc=com
|
||
objectClass: top
|
||
objectClass: nisObject
|
||
cn: Maxine
|
||
nisMapName: tracks
|
||
nisMapEntry: Nightfly$4
|
||
|
||
This entry represents the NIS map tracks, and a single map entry.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Howard Experimental [Page 20]
|
||
|
||
RFC 2307 Using LDAP as a Network Information Service March 1998
|
||
|
||
|
||
Full Copyright Statement
|
||
|
||
Copyright (C) The Internet Society (1998). All Rights Reserved.
|
||
|
||
This document and translations of it may be copied and furnished to
|
||
others, and derivative works that comment on or otherwise explain it
|
||
or assist in its implementation may be prepared, copied, published
|
||
and distributed, in whole or in part, without restriction of any
|
||
kind, provided that the above copyright notice and this paragraph are
|
||
included on all such copies and derivative works. However, this
|
||
document itself may not be modified in any way, such as by removing
|
||
the copyright notice or references to the Internet Society or other
|
||
Internet organizations, except as needed for the purpose of
|
||
developing Internet standards in which case the procedures for
|
||
copyrights defined in the Internet Standards process must be
|
||
followed, or as required to translate it into languages other than
|
||
English.
|
||
|
||
The limited permissions granted above are perpetual and will not be
|
||
revoked by the Internet Society or its successors or assigns.
|
||
|
||
This document and the information contained herein is provided on an
|
||
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
|
||
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
|
||
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
|
||
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
|
||
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Howard Experimental [Page 21]
|
||
|