draft-ietf-asid-nis-schema-00.txt   draft-ietf-asid-nis-schema-01.txt 
Application Working Group L. Howard Application Working Group L. Howard
INTERNET-DRAFT Xedoc Software Development INTERNET-DRAFT Independent Consultant
Expires in six months
Intended Category: Experimental
An Approach for Using LDAP as a Network Information Service An Approach for Using LDAP as a Network Information Service
<draft-ietf-asid-nis-schema-00.txt> <draft-ietf-asid-nis-schema-01.txt>
Status of this Memo Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts. working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six Internet-Drafts are draft documents valid for a maximum of six
months. Internet-Drafts may be updated, replaced, or made obsolete by months. Internet-Drafts may be updated, replaced, or made obsolete by
skipping to change at page 2, line 7 skipping to change at page 2, line 7
The intention is to assist the deployment of LDAP as an The intention is to assist the deployment of LDAP as an
organizational nameservice. No proposed solutions are intended as organizational nameservice. No proposed solutions are intended as
standards for the Internet. Rather, it is hoped that a general standards for the Internet. Rather, it is hoped that a general
consensus will emerge as to the appropriate solution to such consensus will emerge as to the appropriate solution to such
problems, leading eventually to the adoption of standards. The problems, leading eventually to the adoption of standards. The
proposed mechanism has already been implemented with some success. proposed mechanism has already been implemented with some success.
1. Background and Motivation 1. Background and Motivation
The UNIX operating system, and its derivatives (in this context, The Unix operating system, and its derivatives (specifically, those
those which support TCP/IP and conform to the POSIX XPG.4 which support TCP/IP and conform to the POSIX XPG.4 specification)
specification) require a means of resolving entities, by matching require a means of looking up entities, by matching them against
them against search criteria or by enumeration. search criteria or by enumeration. (Other operating systems that
support TCP/IP may provide some means of resolving some of these
entities. This schema applies to those environments also.)
These entities include users, groups, IP services, (which map names These entities include users, groups, IP services (which map names to
to IP ports and protocols, and vice versa) IP protocols, (which map IP ports and protocols, and vice versa), IP protocols (which map
names to IP protocol numbers and vice versa) RPCs, (which map names names to IP protocol numbers and vice versa), RPCs (which map names
to ONC Remote Procedure Call [12] numbers and vice versa) NIS to ONC Remote Procedure Call [12] numbers and vice versa), NIS
netgroups, booting information (boot parameters and MAC address netgroups, booting information (boot parameters and MAC address
mappings), filesystem mounts, IP hosts and networks, and RFC822 mail mappings), filesystem mounts, IP hosts and networks, and RFC822 mail
aliases. aliases.
Resolution requests are made through a set of C functions, provided Resolution requests are made through a set of C functions, provided
in the Unix C library. For example, the Unix command line tool 'ls', in the Unix C library. For example, the Unix command line tool 'ls',
which enumerates the contents of a filesystem directory, uses the C which enumerates the contents of a filesystem directory, uses the C
library function getpwuid(3c) in order to map user IDs to login library function getpwuid(3c) in order to map user IDs to login
names. Once the request is made, it is resolved using a 'nameservice' names. Once the request is made, it is resolved using a 'nameservice'
which is supported by the client library. The nameservice may be, at which is supported by the client library. The nameservice may be, at
skipping to change at page 3, line 19 skipping to change at page 3, line 20
2. General Issues 2. General Issues
2.1. Terminology 2.1. Terminology
In this document, the term 'NIS-related entities' is used rather In this document, the term 'NIS-related entities' is used rather
loosely to refer to those entities (described in the previous loosely to refer to those entities (described in the previous
section) which are typically repesented in the Network Information section) which are typically repesented in the Network Information
Service. (NIS was previously known as Yellow Pages, or YP.) It should Service. (NIS was previously known as Yellow Pages, or YP.) It should
not be inferred from this that deploying LDAP for resolving such not be inferred from this that deploying LDAP for resolving such
entities requires NIS to be used (as a gateway or otherwise). entities requires NIS to be used (as a gateway or otherwise). The
host and network classes are generically applicable, and may be
implemented on operating systems other than Unix that wish to use
LDAP to resolve these entities.
The 'DUA' (directory user agent) refers to the LDAP client querying The 'DUA' (directory user agent) refers to the LDAP client querying
these entities, such as an LDAP to NIS gateway or the C library. The these entities, such as an LDAP to NIS gateway or the C library. The
'client' refers to the application which ultimately makes use of the 'client' refers to the application which ultimately makes use of the
information returned by the resolution. It is irrelevant whether the information returned by the resolution. It is irrelevant whether the
DUA and the client reside within the same address space. The act of DUA and the client reside within the same address space. The act of
the DUA making this information to the client is termed the DUA making this information to the client is termed
'republishing'. 'republishing'.
To avoid confusion, the term 'login name' refers to the user's login To avoid confusion, the term 'login name' refers to the user's login
skipping to change at page 4, line 4 skipping to change at page 4, line 9
The phrase 'resolving an entity' or 'resolution of entities' refers The phrase 'resolving an entity' or 'resolution of entities' refers
to enumerating NIS-related entities of a given type, or matching them to enumerating NIS-related entities of a given type, or matching them
against a given search criterion. One or more entities are returned against a given search criterion. One or more entities are returned
as a result of successful 'resolutions' (a 'match' operation will as a result of successful 'resolutions' (a 'match' operation will
only return one entity). only return one entity).
Note that the use of the attribute and class prefix 'posix' does not Note that the use of the attribute and class prefix 'posix' does not
confer any endorsement of this schema by the POSIX standards body. confer any endorsement of this schema by the POSIX standards body.
The prefix was chosen as a more appropriate prefix than 'unix', the The prefix was chosen as a more appropriate prefix than 'unix', the
other suitable candidate. Where necessary, the term 'POSIX entity' other suitable candidate. Where necessary, the term 'POSIX entity'
is used to refer to users and groups and the term 'TCP/IP entity' is is used to refer to users and groups; the term 'TCP/IP entity' is
used to refer to protocols, services, hosts, networks, NIS netgroups, used to refer to protocols, services, hosts, and networks. (The
and RPCs. (Hence the set of 'NIS-related entities' is the union of latter category does not mandate the host operating system supporting
the former two categories.) It is acknowledged that shadow passwords the interfaces required for resolving POSIX entities.) NIS netgroups,
are not defined in POSIX. ONC RPC binding information, and mounts fall outside these
categories.
2.2. Attributes 2.2. Attributes
The attributes and classes defined in this document are summarized The attributes and classes defined in this document are summarized
below. The reader is referred to [2] for the BFN for attribute type below. The reader is referred to [2] for the BFN for attribute type
definitions. definitions.
The following attributes are defined in this document: The following attributes are defined in this document:
posixUidNumber posixUidNumber
posixPrimaryGidNumber posixPrimaryGidNumber
posixGidNumber posixGidNumber
posixGecos posixGecos
posixHomeDirectory posixHomeDirectory
posixShell posixShell
posixShadowLastChange shadowLastChange
posixShadowMin shadowMin
posixShadowMax shadowMax
posixShadowWarn shadowWarn
posixShadowInactive shadowInactive
posixShadowExpire shadowExpire
posixShadowFlag shadowFlag
memberUid memberUid
memberNISNetgroup memberNISNetgroup
memberHost memberHost
ipServicePort ipServicePort
ipServiceProtocol ipServiceProtocol
ipProtocolNumber ipProtocolNumber
oNCRPCNumber oNCRPCNumber
mountOption mountOption
mountType mountType
mountDirectory mountDirectory
mountDumpFrequency mountDumpFrequency
mountPassNo mountPassNo
ipHostNumber ipHostNumber
ipNetworkNumber ipNetworkNumber
ipNetmaskNumber ipNetmaskNumber
macAddress macAddress
bootParameter bootParameter
bootFile bootFile
hostVendor
hostModel
hostOS
hostFunction
nISDomain nISDomain
Additionally, the attributes defined in [2] and [9] are imported. Additionally, the attributes defined in [2] and [9] are imported.
2.3. Object classes 2.3. Object classes
The reader is referred to [2] for the BFN for object class The reader is referred to [2] for the BFN for object class
definition. definition.
The following object classes are defined in this document: The following object classes are defined in this document:
skipping to change at page 5, line 49 skipping to change at page 5, line 50
DESC 'An integer uniquely identifying a group in an DESC 'An integer uniquely identifying a group in an
administrative domain' administrative domain'
EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.2 NAME 'posixGidNumber' ( TBD.0.2 NAME 'posixGidNumber'
DESC 'An integer uniquely identifying a group in an DESC 'An integer uniquely identifying a group in an
administrative domain' administrative domain'
EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.3 NAME 'posixGecos' ( TBD.0.3 NAME 'posixGecos'
DESC 'GECOS password field' DESC 'The GECOS field (the user's full name et al)'
EQUALITY caseIgnoreIA5Match EQUALITY caseIgnoreIA5Match
SUBSTRINGS caseIgnoreIA5SubstringsMatch
SYNTAX 'IA5String' SINGLE-VALUE ) SYNTAX 'IA5String' SINGLE-VALUE )
( TBD.0.4 NAME 'posixHomeDirectory' ( TBD.0.4 NAME 'posixHomeDirectory'
DESC 'The absolute path of the user's home directory' DESC 'The absolute path of the user's home directory'
EQUALITY caseExactIA5Match EQUALITY caseExactIA5Match
SYNTAX 'IA5String' SINGLE-VALUE ) SYNTAX 'IA5String' SINGLE-VALUE )
( TBD.0.5 NAME 'posixShell' ( TBD.0.5 NAME 'posixShell'
DESC 'The absolute path of the user's shell' DESC 'The absolute path of the user's shell'
EQUALITY caseExactIA5Match EQUALITY caseExactIA5Match
SYNTAX 'IA5String' SINGLE-VALUE ) SYNTAX 'IA5String' SINGLE-VALUE )
skipping to change at page 6, line 14 skipping to change at page 6, line 17
( TBD.0.4 NAME 'posixHomeDirectory' ( TBD.0.4 NAME 'posixHomeDirectory'
DESC 'The absolute path of the user's home directory' DESC 'The absolute path of the user's home directory'
EQUALITY caseExactIA5Match EQUALITY caseExactIA5Match
SYNTAX 'IA5String' SINGLE-VALUE ) SYNTAX 'IA5String' SINGLE-VALUE )
( TBD.0.5 NAME 'posixShell' ( TBD.0.5 NAME 'posixShell'
DESC 'The absolute path of the user's shell' DESC 'The absolute path of the user's shell'
EQUALITY caseExactIA5Match EQUALITY caseExactIA5Match
SYNTAX 'IA5String' SINGLE-VALUE ) SYNTAX 'IA5String' SINGLE-VALUE )
( TBD.0.6 NAME 'posixShadowLastChange' EQUALITY integerMatch ( TBD.0.6 NAME 'shadowLastChange' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE ) SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.7 NAME 'posixShadowMin' EQUALITY integerMatch ( TBD.0.7 NAME 'shadowMin' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE ) SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.8 NAME 'posixShadowMax' EQUALITY integerMatch ( TBD.0.8 NAME 'shadowMax' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE ) SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.9 NAME 'posixShadowWarn' EQUALITY integerMatch ( TBD.0.9 NAME 'shadowWarn' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE ) SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.10 NAME 'posixShadowInactive' EQUALITY integerMatch ( TBD.0.10 NAME 'shadowInactive' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE ) SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.11 NAME 'posixShadowExpire' EQUALITY integerMatch ( TBD.0.11 NAME 'shadowExpire' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE ) SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.12 NAME 'posixShadowFlag' EQUALITY integerMatch ( TBD.0.12 NAME 'shadowFlag' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE ) SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.13 NAME 'memberUid' EQUALITY caseIgnoreIA5Match ( TBD.0.13 NAME 'memberUid' EQUALITY caseIgnoreIA5Match
SUBSTRINGS caseIgnoreIA5SubstringsMatch
SYNTAX 'IA5String{128}' ) SYNTAX 'IA5String{128}' )
( TBD.0.14 NAME 'memberNISNetgroup' EQUALITY caseIgnoreIA5Match ( TBD.0.14 NAME 'memberNISNetgroup' EQUALITY caseIgnoreIA5Match
SUBSTRINGS caseIgnoreIA5SubstringsMatch
SYNTAX 'IA5String' ) SYNTAX 'IA5String' )
( TBD.0.15 NAME 'memberHost' EQUALITY caseIgnoreIA5Match ( TBD.0.15 NAME 'memberHost' EQUALITY caseIgnoreIA5Match
SUBSTRINGS caseIgnoreIA5SubstringsMatch
SYNTAX 'IA5String' ) SYNTAX 'IA5String' )
( TBD.0.16 NAME 'ipServicePort' EQUALITY integerMatch ( TBD.0.16 NAME 'ipServicePort' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE ) SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.17 NAME 'ipServiceProtocol' EQUALITY caseIgnoreIA5Match ( TBD.0.17 NAME 'ipServiceProtocol' EQUALITY caseIgnoreIA5Match
SYNTAX 'IA5String' ) SYNTAX 'IA5String' )
( TBD.0.18 NAME 'ipProtocolNumber' EQUALITY integerMatch ( TBD.0.18 NAME 'ipProtocolNumber' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE ) SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.19 NAME 'oNCRPCNumber' EQUALITY integerMatch ( TBD.0.19 NAME 'oNCRPCNumber' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE ) SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.20 NAME 'mountOption' EQUALITY caseIgnoreIA5Match ( TBD.0.20 NAME 'mountOption' EQUALITY caseIgnoreIA5Match
SYNTAX 'IA5String' ) SYNTAX 'IA5String' )
( TBD.0.21 NAME 'mountType' EQUALITY caseIgnoreIA5Match ( TBD.0.21 NAME 'mountType' EQUALITY caseIgnoreIA5Match
SYNTAX 'IA5String' SINGLE-VALUE ) SYNTAX 'IA5String' SINGLE-VALUE )
( TBD.0.22 NAME 'mountDirectory' EQUALITY caseExactIA5Match ( TBD.0.22 NAME 'mountDirectory' EQUALITY caseExactIA5Match
skipping to change at page 7, line 51 skipping to change at page 8, line 9
SYNTAX 'IA5String{128}' ) SYNTAX 'IA5String{128}' )
( TBD.0.29 NAME 'bootParameter' ( TBD.0.29 NAME 'bootParameter'
DESC 'rpc.bootparamd parameter; informal syntax is key=value' DESC 'rpc.bootparamd parameter; informal syntax is key=value'
EQUALITY caseExactIA5Match EQUALITY caseExactIA5Match
SYNTAX 'IA5String' ) SYNTAX 'IA5String' )
( TBD.0.30 NAME 'bootFile' EQUALITY caseExactIA5Match ( TBD.0.30 NAME 'bootFile' EQUALITY caseExactIA5Match
STRINGS caseExactSubstringsIA5Match SYNTAX 'IA5String' ) STRINGS caseExactSubstringsIA5Match SYNTAX 'IA5String' )
( TBD.0.31 NAME 'hostVendor' EQUALITY caseIgnoreIA5Match ( TBD.0.31 NAME 'nISDomain' EQUALITY caseIgnoreIA5Match
SYNTAX 'IA5String' ) SUBSTRINGS caseIgnoreIA5SubstringsMatch
( TBD.0.32 NAME 'hostModel' EQUALITY caseIgnoreIA5Match
SYNTAX 'IA5String' )
( TBD.0.33 NAME 'hostOS' EQUALITY caseIgnoreIA5Match
SYNTAX 'IA5String' )
( TBD.0.34 NAME 'hostFunction' EQUALITY caseIgnoreIA5Match
SYNTAX 'IA5String' )
( TBD.0.35 NAME 'nISDomain' EQUALITY caseIgnoreIA5Match
SYNTAX 'IA5String' ) SYNTAX 'IA5String' )
4. Class definitions 4. Class definitions
This section contains class definitions which must be implemented by This section contains class definitions which must be implemented by
DUAs supporting the schema. DUAs supporting the schema.
The definitions under the OID 2.5.6 are imported. The rfc822MailGroup The definitions under the OID 2.5.6 are imported. The rfc822MailGroup
object class is used to represent a mail group for the purpose of object class may used to represent a mail group for the purpose of
alias expansion. (An alternative schema for aliases, proposed in [4], alias expansion. (Several alternative schemes for mail routing and
is not considered here.) delivery using LDAP directories have been proposed [4]; these issues
will not be considered in detail here.)
( TBD.1.0 NAME 'posixAccount' SUP top STRUCTURAL ( TBD.1.0 NAME 'posixAccount' SUP top STRUCTURAL
DESC 'Abstraction of an account. DESC 'Abstraction of an account.
The uid attribute represents the account's login name.' The uid attribute is the account's login name.'
MUST ( cn $ uid $ posixUidNumber $ MUST ( cn $ uid $ posixUidNumber $
posixPrimaryGidNumber $ posixHomeDirectory ) posixPrimaryGidNumber $ posixHomeDirectory )
MAY ( userPassword $ posixShell $ posixGecos $ MAY ( userPassword $ posixShell $ posixGecos $
posixShadowLastChange $ posixShadowMin $ shadowLastChange $ shadowMin $ shadowMax $
posixShadowMax $ posixShadowWarn $ shadowWarn $ shadowInactive $ shadowExpire $
posixShadowInactive $ posixShadowExpire $ shadowFlag ) )
posixShadowFlag ) )
( TBD.1.1 NAME 'posixGroup' SUP top STRUCTURAL ( TBD.1.1 NAME 'posixGroup' SUP top STRUCTURAL
DESC 'Abstraction of a group of accounts.' DESC 'Abstraction of a group of accounts.'
MUST ( cn $ posixGidNumber ) MAY ( groupPassword $ memberUid ) ) MUST ( cn $ posixGidNumber ) MAY ( groupPassword $ memberUid ) )
( TBD.1.2 NAME 'ipService' SUP top STRUCTURAL ( TBD.1.2 NAME 'ipService' SUP top STRUCTURAL
DESC 'Abstraction an Internet Protocol service. Maps an IP DESC 'Abstraction an Internet Protocol service. Maps an IP
port and protocol (eg. tcp or udp) to one or more names. port and protocol (eg. tcp or udp) to one or more names.
The distinguished value of the cn attribute denotes the The distinguished value of the cn attribute denotes the
service's canonical name.' service's canonical name.'
skipping to change at page 9, line 4 skipping to change at page 8, line 44
( TBD.1.1 NAME 'posixGroup' SUP top STRUCTURAL ( TBD.1.1 NAME 'posixGroup' SUP top STRUCTURAL
DESC 'Abstraction of a group of accounts.' DESC 'Abstraction of a group of accounts.'
MUST ( cn $ posixGidNumber ) MAY ( groupPassword $ memberUid ) ) MUST ( cn $ posixGidNumber ) MAY ( groupPassword $ memberUid ) )
( TBD.1.2 NAME 'ipService' SUP top STRUCTURAL ( TBD.1.2 NAME 'ipService' SUP top STRUCTURAL
DESC 'Abstraction an Internet Protocol service. Maps an IP DESC 'Abstraction an Internet Protocol service. Maps an IP
port and protocol (eg. tcp or udp) to one or more names. port and protocol (eg. tcp or udp) to one or more names.
The distinguished value of the cn attribute denotes the The distinguished value of the cn attribute denotes the
service's canonical name.' service's canonical name.'
MUST ( cn $ ipServicePort $ ipServiceProtocol ) ) MUST ( cn $ ipServicePort $ ipServiceProtocol ) )
( TBD.1.3 NAME 'ipProtocol' SUP top STRUCTURAL ( TBD.1.3 NAME 'ipProtocol' SUP top STRUCTURAL
DESC 'Abstraction of an IP protocol. Maps a protocol number to DESC 'Abstraction of an IP protocol. Maps a protocol number to
one or more names. The distinguished value of the cn one or more names. The distinguished value of the cn
attribute denotes the protocol's canonical name.' attribute denotes the protocol's canonical name.'
MUST ( cn $ ipProtocolNumber ) ) MUST ( cn $ ipProtocolNumber ) )
( TBD.1.4 NAME 'oNCRPC' SUP top STRUCTURAL ( TBD.1.4 NAME 'oNCRPC' SUP top STRUCTURAL
DESC 'Abstraction of an Open Network Computing (ONC) [12] DESC 'Abstraction of an Open Network Computing (ONC) [12]
Remote Procedure Call (RPC) service. Maps an ONC RPC Remote Procedure Call (RPC) binding. Maps an ONC RPC
number to a name. The distinguished value of the cn number to a name. The distinguished value of the cn
attribute denotes the RPC service's canonical name.' attribute denotes the RPC service's canonical name.'
MUST ( cn $ oNCRPCNumber ) ) MUST ( cn $ oNCRPCNumber ) )
( TBD.1.5 NAME 'mount' SUP top STRUCTURAL ( TBD.1.5 NAME 'mount' SUP top STRUCTURAL
DESC 'Abstraction of a filesystem mount.' DESC 'Abstraction of a filesystem mount.'
MUST ( cn $ mountDirectory $ mountType ) MUST ( cn $ mountDirectory $ mountType )
MAY ( mountOption $ mountDumpFrequency $ mountPassNo ) ) MAY ( mountOption $ mountDumpFrequency $ mountPassNo ) )
( TBD.1.6 NAME 'ipHost' SUP domainRelatedObject STRUCTURAL ( TBD.1.6 NAME 'ipHost' SUP domainRelatedObject STRUCTURAL
DESC 'Abstraction of a host. The schema defined in [3] is used DESC 'Abstraction of a host. The schema defined in [3] is used
to denote the canonical hostname, by mapping the to denote the canonical hostname, by mapping the
distinguished name into a DNS domain name. distinguished name into a DNS domain name.
The associatedDomain attribute is used for The associatedDomain attribute is used for
interrogating the DIT, and as such must contain values interrogating the DIT, and as such must contain values
for the host's canonical name and its aliases.' for the host's canonical name and its aliases.'
MUST ( dc $ ipHostNumber ) MUST ( dc $ ipHostNumber )
MAY ( macAddress $ bootParameter $ bootFile $ MAY ( macAddress $ bootParameter $ bootFile $
hostVendor $ hostModel $ hostOS $ hostFunction ) ) l $ description $ manager ) )
( TBD.1.7 NAME 'ipNetwork' SUP domainRelatedObject ( TBD.1.7 NAME 'ipNetwork' SUP domainRelatedObject
STRUCTURAL STRUCTURAL
DESC 'Abstraction of a network.' DESC 'Abstraction of a network.'
MUST ( dc $ ipNetworkNumber ) MUST ( dc $ ipNetworkNumber )
MAY ( ipNetmaskNumber $ manager $ locality $ description ) ) MAY ( ipNetmaskNumber $ l $ description $ manager ) )
( TBD.1.8 NAME 'nISNetgroup' SUP top STRUCTURAL ( TBD.1.8 NAME 'nISNetgroup' SUP top STRUCTURAL
DESC 'Abstraction of a netgroup. May reference other netgroups.' DESC 'Abstraction of a netgroup. May refer to other netgroups.'
MUST cn MUST cn
MAY ( memberUid $ memberHost $ memberNISNetgroup $ nISDomain ) ) MAY ( memberUid $ memberHost $ memberNISNetgroup $ nISDomain ) )
5. Implementation details 5. Implementation details
5.1. Resolution methods 5.1. Resolution methods
The ideal means of directing a client application (one using the The ideal means of directing a client application (one using the
shared services of the C library) to use LDAP as its information shared services of the C library) to use LDAP as its information
source for the functions listed in 5.2 is to modify the source code source for the functions listed in 5.2 is to modify the source code
skipping to change at page 11, line 35 skipping to change at page 11, line 29
getmntent(3c) (objectClass=mount) getmntent(3c) (objectClass=mount)
5.3. Interpreting user and group entries 5.3. Interpreting user and group entries
User and group resolution is initiated by the functions prefixed by User and group resolution is initiated by the functions prefixed by
getpw and getgr respectively. A user's login name is denoted by the getpw and getgr respectively. A user's login name is denoted by the
value of the uid attribute (which will typically be used as a value of the uid attribute (which will typically be used as a
relative distinguished name); a group's name is denoted by a value of relative distinguished name); a group's name is denoted by a value of
the cn attribute. the cn attribute.
A user's GECOS field is preferentially determined by a value of the An account's GECOS field is preferably determined by a value of the
posixGecos attribute. If no posixGecos attribute exists, the value of posixGecos attribute. If no posixGecos attribute exists, the value of
the cn attribute must be used. (The existence of the posixGecos the cn attribute must be used. (The existence of the posixGecos
attribute allows attributes embedded in the GECOS field, such as a attribute allows attributes embedded in the GECOS field, such as a
user's telephone number, to be returned to the client without user's telephone number, to be returned to the client without
overloading the cn attribute.) overloading the cn attribute.)
An entry of class posixAccount without a userPassword attribute must An entry of class posixAccount without a userPassword attribute must
be denied the opportunity to authenticate. For example, the client be denied the opportunity to authenticate. For example, the client
may be returned a non-matchable password such as "*" by the DUA. may be returned a non-matchable password such as "*" by the DUA.
skipping to change at page 12, line 17 skipping to change at page 12, line 11
<passwordValue> ::= <encryptionSchemePrefix> <encryptedPassword> <passwordValue> ::= <encryptionSchemePrefix> <encryptedPassword>
<encryptionSchemePrefix> ::= '{' <encryptionScheme> '}' <encryptionSchemePrefix> ::= '{' <encryptionScheme> '}'
<encryptionScheme> ::= 'crypt' <encryptionScheme> ::= 'crypt'
<encryptedPassword> ::= encrypted password <encryptedPassword> ::= encrypted password
(where the encrypted password consists of a plaintext key encrypted (where the encrypted password consists of a plaintext key encrypted
using crypt(3) with a two-character random salt) using crypt(3) with a two-character random salt)
Operating systems which support different one way encoding functions Operating systems which support different one way encoding functions
may choose a different encryptionScheme, such as 'md5'; crypt(3) is may choose a different encryptionScheme; crypt(3) is only considered
only considered here. here.
userPassword and groupPassword values which do not adhere to the BNF userPassword and groupPassword values which do not adhere to the BNF
above must not be used for authentication. (The DUA must iterate above must not be used for authentication. (The DUA must iterate
through the values of the attribute until a value matching the above through the values of the attribute until a value matching the above
BNF is found.) Only if encryptedPassword is an empty string does the BNF is found.) Only if encryptedPassword is an empty string does the
user have no password. user have no password.
A DUA may make use of the attributes prefixed by posixShadow in order A DUA may make use of the attributes prefixed by shadow in order to
to provide shadow password service (getspnam(3c) and getspent(3c)). provide shadow password service (getspnam(3c) and getspent(3c)). In
In such cases, the DUA must not make use of the userPassword such cases, the DUA must not make use of the userPassword attribute
attribute for getpwnam(3c) et al, and must return a non-matchable for getpwnam(3c) et al, and must return a non-matchable password
password (such as "x") to the client instead. (such as "x") to the client instead.
5.4. Interpreting hosts and networks 5.4. Interpreting hosts and networks
The means for representing DNS [6] domains in LDAP distinguished The means for representing DNS [6] domains in LDAP distinguished
names described in [3] and [9] is used in part to represent NIS hosts names described in [3] and [9] is used in part to represent TCP/IP
and networks in LDAP. hosts and networks in LDAP.
A potential point of contention is the use of the ipHostNumber Potentially contentious is the use of the ipHostNumber attribute
attribute instead of the aRecord or dNSRecord attributes. The instead of the dNSRecord attribute. The rationale is that, in order
rationale is that, in order to minimize the responsibility placed on to minimize the responsibility placed on the DUA, attribute values
the DUA, attribute values ought to directly contain the information ought to directly contain the information they seek to represent.
they seek to represent. This contrasts with, for example, a dNSRecord This contrasts with, for example, a dNSRecord value which expresses a
value which expresses a complete DNS resource record including time complete DNS resource record including time to live and class data.
to live and class data.
While dNSRecords, aRecords, etc may be suitable for building a DNS While dNSRecords are suitable for building a DNS gateway to LDAP
gateway to LDAP, (which may ultimately fulfill the purpose of (which may ultimately fulfill the purpose of resolving hosts), this
resolving hosts) this information is extraneous to performing host information is extraneous to performing host lookups directly with
lookups directly with LDAP. LDAP.
Additionally, it is considered more appropriate for an entity, and Additionally, it is considered more appropriate for an entity, and
all its aliases, to be represented by a single entry in the DIT, all its aliases, to be represented by a single entry in the DIT,
which is not always possible when a DNS resource record is mapped which is not always possible when a DNS resource record is mapped
directly to an LDAP entry. directly to an LDAP entry.
This document redefines (although not to the extent of excluding the This document redefines (although not to the extent of excluding the
existing definition) the ipNetwork class defined in [3], for naming existing definition) the ipNetwork class defined in [3], for naming
consistency with ipHost. consistency with ipHost. The ipNetworkNumber attribute is also used
in the siteContact object class [14]. (The trailing zeros in a
network address should be omitted.)
If an entry of class ipHost or ipNetwork belongs to a naming context If an entry of class ipHost or ipNetwork belongs to a naming context
denoted by relative distinguished names (RDNs) [10] of attribute type denoted by relative distinguished names (RDNs) [10] of attribute type
dc (domainComponent), then the distinguished name (DN) is transformed dc (domainComponent), then the distinguished name (DN) is transformed
into a domain name system (DNS) suffix by concatenating each RDN into a domain name system (DNS) suffix by concatenating each RDN
value with a period ('.'). value with a period ('.').
For example, an entry of class ipHost with a DN of dc=foo, dc=bar, For example, an entry of class ipHost with a DN of dc=foo, dc=bar,
dc=edu or dc=foo, dc=bar, dc=edu, o=Internet is parsed into the host dc=edu or dc=foo, dc=bar, dc=edu, o=Internet is parsed into the host
name foo.bar.edu. If the naming context is does not contain 'dc' name foo.bar.edu. If the naming context is does not contain 'dc'
values, a non-qualified host name is returned. For organizations values, a non-qualified host name is returned. For organizations
which wish to use existing X.500 container classes to form their which wish to use existing X.500 container classes to form their
context (ie. organization and organizationalUnit) the RDN components context (ie. organization and organizationalUnit) the RDN components
of incorrect type are skipped by the DUA in determining the domain of incorrect type are skipped by the DUA in determining the domain
name. As such, a DN of dc=foo, dc=bar, dc=edu, o=Xedoc Software name. As such, a DN of dc=foo, dc=bar, dc=edu, o=Ace Industry, c=US
Development, c=US may be parsed as foo.bar.edu. As this may be may be parsed as foo.bar.edu. As this may be considered a naming
considered a naming violation, this document does not specifically violation, this document does not specifically endorse this.
endorse this.
5.5. Interpreting other entities 5.5. Interpreting other entities
In general, a one-to-one mapping between entities and LDAP entries is In general, a one-to-one mapping between entities and LDAP entries is
proposed, in that each entity has exactly one representation in the proposed, in that each entity has exactly one representation in the
DIT. In some cases this is not feasible; for example, a service which DIT. In some cases this is not feasible; for example, a service which
is represented in more than one protocol domain. Consider the is represented in more than one protocol domain. Consider the
following entry: following entry:
dn: cn=domain, o=Xedoc Software Development, c=US dn: cn=domain, dc=aceindustry, dc=com
cn: domain cn: domain
cn: nameserver cn: nameserver
objectClass: top objectClass: top
objectClass: ipService objectClass: ipService
ipServicePort: 53 ipServicePort: 53
ipServiceProtocol: tcp ipServiceProtocol: tcp
ipServiceProtocol: udp ipServiceProtocol: udp
This entry would map to the following two (2) services entities: This entry would map to the following two (2) services entities:
domain 53/tcp nameserver domain 53/tcp nameserver
domain 53/udp nameserver domain 53/udp nameserver
While the above two entities could have been equally represented as While the above two entities could have been equally represented as
separate LDAP entities, with different distinguished names (such as separate LDAP entities, with different distinguished names (such as
cn=domain, ou=tcp, ... and cn=domain, ou=udp, ...) it is considered cn=domain+ipServiceProtocol=tcp, ... and
that representing them as a single entry is more convenient. cn=domain+ipServiceProtocol=udp, ...) it is considered that
representing them as a single entry is more convenient.
The mount class represents mount entities as they would be found The mount class represents mount entities as they would be found
directly in /etc/fstab. Granted, this information is used primarily directly in /etc/fstab. Granted, this information is used primarily
at boot time when access to non-local nameservices may be restricted. at boot time when access to non-local nameservices may be restricted.
It may be considered useful to use LDAP to represent the It may be considered useful to use LDAP to represent the
configuration data for automount daemons; such a schema is outside configuration data for automount daemons; such a schema is outside
the scope of this document. (However, the DUA may hint to the client the scope of this document. (However, the DUA may hint to the client
that certain information is to be used by the automounter using the that certain information is to be used by the automounter using the
mountOption attribute.) mountOption attribute.)
With the exception of userPassword and groupPassword values, which With the exception of userPassword and groupPassword values, which
must be parsed according to the BNF considered in section 5.2, any must be parsed according to the BNF considered in section 5.2, any
empty values (those that consist of a zero length string) are empty values (those that consist of a zero length string) are
returned by the DUA to the client. The client may not make sense of returned by the DUA to the client. The client may not make sense of
them, but this situation is no different to parsing files which them, but this situation is no different to parsing files which
contain empty fields. (By contrast, the DUA must reject any entries contain empty fields. (By contrast, the DUA must reject any entries
which do not conform to the schema, ie. are missing certain required which do not conform to the schema, ie. are missing certain mandatory
attributes.) attributes.)
5.6. Canonicalizing entries with multi-valued naming attributes 5.6. Canonicalizing entries with multi-valued naming attributes
For entities such as services, protocols, and RPCs, where there may For entities such as services, protocols, and RPCs, where there may
be one or more aliases, the respective entry's relative distinguished be one or more aliases, the respective entry's relative distinguished
name is used to form the canonical name. Any other values for the name is used to form the canonical name. Any other values for the
same attribute are used as aliases. For example, the service same attribute are used as aliases. For example, the service
described in section 5.5 has the canonical name 'domain' and exactly described in section 5.5 has the canonical name 'domain' and exactly
one alias, 'nameserver'. one alias, 'nameserver'.
skipping to change at page 15, line 16 skipping to change at page 15, line 12
deterministic fashion may require the DUA to maintain a mapping deterministic fashion may require the DUA to maintain a mapping
between entries' DNs and their canonical names as considered by the between entries' DNs and their canonical names as considered by the
DUA. This document does not require this, nor does it advocate that DUA. This document does not require this, nor does it advocate that
such situations be resolved by mapping one DIT entry into multiple such situations be resolved by mapping one DIT entry into multiple
entities. entities.
6. Implementation focus 6. Implementation focus
A NIS to LDAP gateway daemon has been developed which supports the A NIS to LDAP gateway daemon has been developed which supports the
schema defined in this document. A set of extensions to a particular schema defined in this document. A set of extensions to a particular
implementation of the BSD operating system has also been developed, implementation of the Mach operating system has also been developed,
which sidesteps NIS and uses LDAP directly. which sidesteps NIS and uses LDAP directly.
Work is underway to develop a freely available (under the GNU General Work is underway to develop a freely available (under the GNU General
Library Public License) reference implementation of the C library Library Public License) reference implementation of the C library
resolution code that supports LDAP using the draft schema. The code resolution code that supports LDAP using the draft schema. The code
will be compatible with the Free Software Foundation's GNU C library will be compatible with the Free Software Foundation's GNU C library
and other C libraries which support the Name Service Switch (NSS). and other C libraries which support the Name Service Switch (NSS).
The alias lookup functions referred to in section 5.2 are presently The alias lookup functions referred to in section 5.2 are presently
available only in the GNU C library, and (albeit with different available only in the GNU C library, and (albeit with different
skipping to change at page 15, line 50 skipping to change at page 15, line 46
7. Security considerations 7. Security considerations
The entirety of related security considerations are outside the scope The entirety of related security considerations are outside the scope
of this document. However, it should be noted that making passwords of this document. However, it should be noted that making passwords
encrypted with a widely understood one way function (such as encrypted with a widely understood one way function (such as
crypt(3)) available to non-privileged users is potentially dangerous crypt(3)) available to non-privileged users is potentially dangerous
because it exposes them to dictionary and brute-force attacks. It is because it exposes them to dictionary and brute-force attacks. It is
proposed only for compatibility with existing Unix implementations. proposed only for compatibility with existing Unix implementations.
Sites where security is critical may consider using Kerberos or Sites where security is critical may consider using Kerberos or
another authentication service for logins. A variation on this is to another authentication service for logins. A variation on this is to
authenticate to an LDAP server over an encrypted connection (such as authenticate to an LDAP server by binding over an encrypted
SSL [8]) without performing a search. connection (such as SSL [8]).
Alternatively, the encrypted password could be made available only to Alternatively, the encrypted password could be made available only to
a subset of privileged DUAs, which would provide 'shadow' password a subset of privileged DUAs, which would provide 'shadow' password
service to client applications. service to client applications.
Because the schema represents operating system-level entities, access Because the schema represents operating system-level entities, access
to these entities should be granted on a discretionary basis. (That to these entities should be granted on a discretionary basis. (That
said, there is little point in restricting access to data which will said, there is little point in restricting access to data which will
be republished without restriction, eg. by a NIS server.) It is be republished without restriction, eg. by a NIS server.) It is
particularly important that only administrators can modify entries particularly important that only administrators can modify entries
defined in this schema, with the exception of allowing a principal to defined in this schema, with the exception of allowing a principal to
change their password (which may be done on behalf of the user by a change their password (which may be done on behalf of the user by a
client bound as a superior principal, such that password restrictions client bound as a superior principal, such that password restrictions
may be enforced). For example, if a user were allowed to change the may be enforced). For example, if a user were allowed to change the
value of their posixUidNumber attribute, they could subvert security value of their posixUidNumber attribute, they could subvert security
by equivalencing their account with the root account. by equivalencing their account with the root account.
A subtree of the DIT which is to be republished by a DUA (such as a A subtree of the DIT which is to be republished by a DUA (such as a
NIS gateway) should be within the same administrative domain that the NIS gateway) should be within the same administrative domain that the
republishing DUA represents. (For example, principals outside an republishing DUA represents. (For example, principals outside an
organisation, while conceivably part of the DIT, should not be organization, while conceivably part of the DIT, should not be
considered with the same degree of authority as those within the considered with the same degree of authority as those within the
organisation.) organization.)
8. References 8. Acknowledgements
Thanks to Leif Hedstrom of Netscape Communications Corporation and
Mark Wahl of Critical Angle Inc. for their contributions to the
development of this schema.
9. References
[1] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access [1] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
Protocol (Version 3)", INTERNET-DRAFT <draft-ietf-asid-ldapv3- Protocol (Version 3)", INTERNET-DRAFT <draft-ietf-asid-ldapv3-
protocol-03.txt>, October 1996. protocol-03.txt>, October 1996.
[2] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access [2] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
Protocol: Standard and Pilot Attribute Definitions", INTERNET- Protocol: Standard and Pilot Attribute Definitions", INTERNET-
DRAFT <draft-ietf-asid-ldapv3-attributes-03.txt>, October 1996. DRAFT <draft-ietf-asid-ldapv3-attributes-03.txt>, October 1996.
[3] S. Kille, "X.500 and Domains", RFC 1279, November 1991. [3] S. Kille, "X.500 and Domains", RFC 1279, November 1991.
skipping to change at page 17, line 27 skipping to change at page 17, line 30
[11] G. Good, "The LDAP Data Interchange Format (LDIF)", INTERNET- [11] G. Good, "The LDAP Data Interchange Format (LDIF)", INTERNET-
DRAFT <draft-ietf-asid-ldif-00.txt>, November 1996. DRAFT <draft-ietf-asid-ldif-00.txt>, November 1996.
[12] Sun Microsystems, Inc., "RPC: Remote Procedure Call: Protocol [12] Sun Microsystems, Inc., "RPC: Remote Procedure Call: Protocol
Specification Version 2", RFC 1057, June 1988. Specification Version 2", RFC 1057, June 1988.
[13] ISO/IEC 9945-1:1990, Information Technology - Portable Operating [13] ISO/IEC 9945-1:1990, Information Technology - Portable Operating
Systems Interface (POSIX) - Part 1: Systems Application Systems Interface (POSIX) - Part 1: Systems Application
Programming Interface (API) [C Language] Programming Interface (API) [C Language]
9. Author's Address [14] M. T. Rose, "The Little Black Book: Mail Bonding with OSI
Directory Services", ISBN 0-13-683210-5, Prentice-Hall, Inc.,
1992.
10. Author's Address
Luke Howard Luke Howard
Xedoc Software Development Inc PO Box 59
PO Box 33015 Central Park Vic 3145
Los Gatos, CA 95031 Australia
USA
Phone: +61-3-9428-0788
Fax: +61-3-9428-0786
Email: lukeh@xedoc.com Email: lukeh@xedoc.com
A. Example entries A. Example entries
The examples described in this section are provided to illustrate the The examples described in this section are provided to illustrate the
schema described in this draft. They do not purport to be a schema described in this draft. They do not purport to be a
authoritative reference. Entries are presented in LDIF notation [11]. authoritative reference. Entries are presented in LDIF notation [11].
The following entry is an example of the posixAccount class: The following entry is an example of the posixAccount class:
dn: uid=lukeh, o=Xedoc Software Development, c=US dn: uid=lukeh, dc=aceindustry, dc=com
cn: Luke Howard cn: Luke Howard
objectClass: top objectClass: top
objectClass: person objectClass: person
objectClass: posixAccount objectClass: posixAccount
sn: Howard sn: Howard
telephoneNumber: +61 3 9428 0788 telephoneNumber: +61 3 9428 0788
uid: lukeh uid: lukeh
userPassword: {crypt}X5/DBrWPOQQaI userPassword: {crypt}X5/DBrWPOQQaI
posixGecos: Luke Howard posixGecos: Luke Howard
posixShell: /bin/csh posixShell: /bin/csh
skipping to change at page 18, line 27 skipping to change at page 18, line 30
Note that the userPassword value is parsed into a password suitable Note that the userPassword value is parsed into a password suitable
for matching with crypt(3). Attributes such as telephoneNumber and sn for matching with crypt(3). Attributes such as telephoneNumber and sn
(which belong to classes other than posixAccount), are not used in (which belong to classes other than posixAccount), are not used in
determining the corresponding password file entry but may be useful determining the corresponding password file entry but may be useful
to other LDAP clients. (In most cases, entries of class posixAccount to other LDAP clients. (In most cases, entries of class posixAccount
will also inherit from person or organizationalPerson.) will also inherit from person or organizationalPerson.)
The following entry is an example of the ipHost class: The following entry is an example of the ipHost class:
dn: dc=grualdo, dc=xedoc, dc=com, o=Internet dn: dc=yoyo, dc=aceindustry, dc=com
dc: grualdo dc: yoyo
objectClass: top objectClass: top
objectClass: ipHost objectClass: ipHost
objectClass: domainRelatedObject objectClass: domainRelatedObject
associatedDomain: grualdo.xedoc.com associatedDomain: yoyo.aceindustry.com
associatedDomain: www.xedoc.com associatedDomain: www.aceindustry.com
ipHostNumber: 10.0.0.1 ipHostNumber: 10.0.0.1
macAddress: 0:0:92:90:ee:e2 macAddress: 0:0:92:90:ee:e2
bootFile: unix bootFile: unix
bootParameter: root=fs:/nfsroot/grualdo bootParameter: root=fs:/nfsroot/yoyo
bootParameter: swap=fs:/nfsswap/grualdo bootParameter: swap=fs:/nfsswap/yoyo
bootParameter: dump=fs:/nfsdump/grualdo bootParameter: dump=fs:/nfsdump/yoyo
This entry represents the host grualdo.xedoc.com, also known as This entry represents the host yoyo.aceindustry.com, also known as
www.xedoc.com. Note that the associatedDomain values are used in www.aceindustry.com. Note that the associatedDomain values are used
searching for the entry, but the distinguished name is parsed to in searching for the entry, but the distinguished name is parsed to
determine the host's canonical name. The MAC address, boot image, and determine the host's canonical name. The MAC address, boot image, and
two boot parameters are also specified in this entry. (Thus, the NIS two boot parameters are also specified in this entry. (Thus, the NIS
maps prefixed by 'hosts', 'ethers', and 'bootparams' could all be maps prefixed by 'hosts', 'ethers', and 'bootparams' could all be
derived from similar entries.) derived from similar entries.)
An example of the nISNetgroup class: An example of the nISNetgroup class:
dn: cn=nightfly, o=Xedoc Software Development, c=US dn: cn=nightfly, dc=aceindustry, dc=com
cn: nightfly cn: nightfly
objectClass: top objectClass: top
objectClass: nISNetgroup objectClass: nISNetgroup
memberUid: lukeh memberUid: lukeh
memberUid: fagen memberUid: fagen
memberHost: grualdo.xedoc.com memberHost: yoyo.aceindustry.com
nISDomain: nis.xedoc.com nISDomain: yp.aceindustry.com
This entry represents the netgroup 'nightfly' which contains the This entry represents the netgroup 'nightfly' which contains the
users lukeh and fagen, and the host grualdo.xedoc.com; and which users lukeh and fagen, and the host yoyo.aceindustry.com; and which
belongs to the NIS domain nis.xedoc.com. belongs to the NIS domain yp.aceindustry.com.
Finally, an example of the ipProtocol class: Finally, an example of the ipProtocol class:
dn: cn=tcp, o=Xedoc Software Development, c=US dn: cn=tcp, dc=aceindustry, dc=com
objectClass: top objectClass: top
objectClass: ipProtocol objectClass: ipProtocol
cn: tcp cn: tcp
cn: TCP cn: TCP
ipProtocolNumber: 6 ipProtocolNumber: 6
This entry represents the protocol named 'tcp' whose protocol number This entry represents the protocol named 'tcp' whose protocol number
is 6. is 6.
 End of changes. 61 change blocks. 
124 lines changed or deleted 129 lines changed or added

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/