Application Working Group                                      L. Howard
INTERNET-DRAFT                                Xedoc Software Development
Expires in six months                                    Independent Consultant

Intended Category: Experimental

      An Approach for Using LDAP as a Network Information Service

Status of this Memo

   This document is an Internet-Draft. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months. Internet-Drafts may be updated, replaced, or made obsolete by
   other documents at any time. It is not appropriate to use Internet-
   Drafts as reference material or to cite them other than as a "working
   draft" or "work in progress".

   To learn the current status of any Internet-Draft, please check the
   1id-abstracts.txt listing contained in the Internet-Drafts Shadow
   Directories on (US East Coast),
   (Europe), (US West Coast), or (Pacific

   Distribution of this document is unlimited.


   This document describes an experimental mechanism for mapping POSIX
   [13] and TCP/IP network-related entities into X.500 entries so that
   they may be resolved with the Lightweight Directory Access Protocol
   [1]. A set of attribute types and object classes are proposed, along
   with specific guidelines for interpreting them.

   The intention is to assist the deployment of LDAP as an
   organizational nameservice. No proposed solutions are intended as
   standards for the Internet. Rather, it is hoped that a general
   consensus will emerge as to the appropriate solution to such
   problems, leading eventually to the adoption of standards. The
   proposed mechanism has already been implemented with some success.

1. Background and Motivation

   The UNIX Unix operating system, and its derivatives (in this context, (specifically, those
   which support TCP/IP and conform to the POSIX XPG.4 specification)
   require a means of resolving looking up entities, by matching them against
   search criteria or by enumeration. (Other operating systems that
   support TCP/IP may provide some means of resolving some of these
   entities. This schema applies to those environments also.)

   These entities include users, groups, IP services, services (which map names to
   IP ports and protocols, and vice versa) versa), IP protocols, protocols (which map
   names to IP protocol numbers and vice versa) RPCs, versa), RPCs (which map names
   to ONC Remote Procedure Call [12] numbers and vice versa) versa), NIS
   netgroups, booting information (boot parameters and MAC address
   mappings), filesystem mounts, IP hosts and networks, and RFC822 mail

   Resolution requests are made through a set of C functions, provided
   in the Unix C library. For example, the Unix command line tool 'ls',
   which enumerates the contents of a filesystem directory, uses the C
   library function getpwuid(3c) in order to map user IDs to login
   names. Once the request is made, it is resolved using a 'nameservice'
   which is supported by the client library. The nameservice may be, at
   its simplest, a collection of files in the local filesystem which are
   opened and searched by the C library. Other common nameservices
   include the Network Information Service (NIS) and the Domain Name
   System (DNS). (The latter is typically only used for resolving hosts
   and networks.) Both these nameservices have the advantage of being
   distributed and thus permitting a common set of entities to be shared
   amongst many clients.

   LDAP is a distributed, hierarchical directory service access protocol
   which is used to access repositories of users and other network-
   related entities. Because LDAP is usually not tightly integrated with
   the operating system, information such as users needs to be kept both
   in LDAP and in an operating system supported nameservice such as NIS.
   By using LDAP as the the primary means of resolving these entities,
   these redundancy issues are minimized and the scalability of LDAP can
   be exploited. (By comparison, NIS services based on flat files do not
   have the scalability or extensibility of LDAP or X.500.)

        "In general, it is advantageous for different network
        applications and services to refer to the directory for
        user account information, rather than each service keeping
        its own collection of user account records, which requires
        the network administrator to separately create or destroy
        user entities, passwords, etc., in many different systems
        each time a user joins or leaves the organization." [4]
   The object classes and attributes defined below are suitable for
   representing the aforementioned entities in a form compatible with
   LDAP and X.500 directory services. While the schema is by no means
   deemed to be authoritative, it is considered desirable to have a
   single, open schema rather than the proliferation of multiple
   proprietary schema.  This document is one step towards such a schema.

2. General Issues

2.1. Terminology

   In this document, the term 'NIS-related entities' is used rather
   loosely to refer to those entities (described in the previous
   section) which are typically repesented in the Network Information
   Service. (NIS was previously known as Yellow Pages, or YP.) It should
   not be inferred from this that deploying LDAP for resolving such
   entities requires NIS to be used (as a gateway or otherwise). The
   host and network classes are generically applicable, and may be
   implemented on operating systems other than Unix that wish to use
   LDAP to resolve these entities.

   The 'DUA' (directory user agent) refers to the LDAP client querying
   these entities, such as an LDAP to NIS gateway or the C library.  The
   'client' refers to the application which ultimately makes use of the
   information returned by the resolution. It is irrelevant whether the
   DUA and the client reside within the same address space. The act of
   the DUA making this information to the client is termed

   To avoid confusion, the term 'login name' refers to the user's login
   name (being the value of the uid attribute) and the term 'user ID'
   refers to he user's integer identification number (being the value of
   the posixUidNumber attribute).  The term 'principal' is used to
   distinguish accounts that may be used for authentication from those
   that are not.

   The term 'nameservice' refers to a service, such as NIS or flat
   files, that is used by the operating system to resolve entities
   within a single, local naming context. Contrast this with a
   'directory service' such as LDAP, which support extensible schema and
   multiple naming contexts.

   The phrase 'resolving an entity' or 'resolution of entities' refers
   to enumerating NIS-related entities of a given type, or matching them
   against a given search criterion. One or more entities are returned
   as a result of successful 'resolutions' (a 'match' operation will
   only return one entity).

   Note that the use of the attribute and class prefix 'posix' does not
   confer any endorsement of this schema by the POSIX standards body.
   The prefix was chosen as a more appropriate prefix than 'unix', the
   other suitable candidate.  Where necessary, the term 'POSIX entity'
   is used to refer to users and groups and groups; the term 'TCP/IP entity' is
   used to refer to protocols, services, hosts, networks, NIS netgroups, and RPCs. (Hence the set of 'NIS-related entities' is networks. (The
   latter category does not mandate the union of host operating system supporting
   the former two categories.) It is acknowledged that shadow passwords
   are not defined in POSIX. interfaces required for resolving POSIX entities.) NIS netgroups,
   ONC RPC binding information, and mounts fall outside these

2.2. Attributes

   The attributes and classes defined in this document are summarized
   below.  The reader is referred to [2] for the BFN for attribute type

   The following attributes are defined in this document:


   Additionally, the attributes defined in [2] and [9] are imported.

2.3. Object classes

   The reader is referred to [2] for the BFN for object class

   The following object classes are defined in this document:


   Additionally, the classes defined in [2] and [9] are imported.

3. Attribute definitions

   This section contains attribute definitions which must be implemented
   by DUAs supporting the schema.

        ( TBD.0.0 NAME 'posixUidNumber'
          DESC 'An integer uniquely identifying a user in an
                administrative domain'

        ( TBD.0.1 NAME 'posixPrimaryGidNumber'
          DESC 'An integer uniquely identifying a group in an
                administrative domain'

        ( TBD.0.2 NAME 'posixGidNumber'
          DESC 'An integer uniquely identifying a group in an
                administrative domain'

        ( TBD.0.3 NAME 'posixGecos'
          DESC 'GECOS password field' 'The GECOS field (the user's full name et al)'
          EQUALITY caseIgnoreIA5Match
          SUBSTRINGS caseIgnoreIA5SubstringsMatch
          SYNTAX 'IA5String' SINGLE-VALUE )

        ( TBD.0.4 NAME 'posixHomeDirectory'
          DESC 'The absolute path of the user's home directory'
          EQUALITY caseExactIA5Match
          SYNTAX 'IA5String' SINGLE-VALUE )

        ( TBD.0.5 NAME 'posixShell'
          DESC 'The absolute path of the user's shell'
          EQUALITY caseExactIA5Match
          SYNTAX 'IA5String' SINGLE-VALUE )

        ( TBD.0.6 NAME 'posixShadowLastChange' 'shadowLastChange' EQUALITY integerMatch

        ( TBD.0.7 NAME 'posixShadowMin' 'shadowMin' EQUALITY integerMatch

        ( TBD.0.8 NAME 'posixShadowMax' 'shadowMax' EQUALITY integerMatch

        ( TBD.0.9 NAME 'posixShadowWarn' 'shadowWarn' EQUALITY integerMatch

        ( TBD.0.10 NAME 'posixShadowInactive' 'shadowInactive' EQUALITY integerMatch

        ( TBD.0.11 NAME 'posixShadowExpire' 'shadowExpire' EQUALITY integerMatch

        ( TBD.0.12 NAME 'posixShadowFlag' 'shadowFlag' EQUALITY integerMatch

        ( TBD.0.13 NAME 'memberUid' EQUALITY caseIgnoreIA5Match
          SUBSTRINGS caseIgnoreIA5SubstringsMatch
          SYNTAX 'IA5String{128}' )

        ( TBD.0.14 NAME 'memberNISNetgroup' EQUALITY caseIgnoreIA5Match
          SUBSTRINGS caseIgnoreIA5SubstringsMatch
          SYNTAX 'IA5String' )

        ( TBD.0.15 NAME 'memberHost' EQUALITY caseIgnoreIA5Match
          SUBSTRINGS caseIgnoreIA5SubstringsMatch
          SYNTAX 'IA5String' )

        ( TBD.0.16 NAME 'ipServicePort' EQUALITY integerMatch
        ( TBD.0.17 NAME 'ipServiceProtocol' EQUALITY caseIgnoreIA5Match
          SYNTAX 'IA5String' )

        ( TBD.0.18 NAME 'ipProtocolNumber' EQUALITY integerMatch

        ( TBD.0.19 NAME 'oNCRPCNumber' EQUALITY integerMatch

        ( TBD.0.20 NAME 'mountOption' EQUALITY caseIgnoreIA5Match
          SYNTAX 'IA5String' )

        ( TBD.0.21 NAME 'mountType' EQUALITY caseIgnoreIA5Match
          SYNTAX 'IA5String' SINGLE-VALUE )

        ( TBD.0.22 NAME 'mountDirectory' EQUALITY caseExactIA5Match
          SYNTAX 'IA5String' SINGLE-VALUE )

        ( TBD.0.23 NAME 'mountDumpFrequency' EQUALITY integerMatch

        ( TBD.0.24 NAME 'mountPassNo' EQUALITY integerMatch

        ( TBD.0.25 NAME 'ipHostNumber'
          DESC 'IP address in dotted decimal notation, eg.'
          EQUALITY caseIgnoreIA5Match
          SYNTAX 'IA5String{128}' )

        ( TBD.0.26 NAME 'ipNetworkNumber'
          DESC 'IP address in dotted decimal notation, eg. 192.168'
          EQUALITY caseIgnoreIA5Match
          SYNTAX 'IA5String{128}' )

        ( TBD.0.27 NAME 'ipNetmaskNumber'
          DESC 'IP address in dotted decimal notation, eg.'
          EQUALITY caseIgnoreIA5Match
          SYNTAX 'IA5String{128}' )

        ( TBD.0.28 NAME 'macAddress'
          DESC 'MAC address in colon-separated hex notation, for
                example 0:0:92:90:ee:e2'
          EQUALITY caseIgnoreIA5Match
          SYNTAX 'IA5String{128}' )

        ( TBD.0.29 NAME 'bootParameter'
          DESC 'rpc.bootparamd parameter; informal syntax is key=value'
          EQUALITY caseExactIA5Match
          SYNTAX 'IA5String' )

        ( TBD.0.30 NAME 'bootFile' EQUALITY caseExactIA5Match
          STRINGS caseExactSubstringsIA5Match SYNTAX 'IA5String' )

        ( TBD.0.31 NAME 'hostVendor' EQUALITY caseIgnoreIA5Match
          SYNTAX 'IA5String' )

        ( TBD.0.32 NAME 'hostModel' EQUALITY caseIgnoreIA5Match
          SYNTAX 'IA5String' )

        ( TBD.0.33 NAME 'hostOS' EQUALITY caseIgnoreIA5Match
          SYNTAX 'IA5String' )

        ( TBD.0.34 NAME 'hostFunction' EQUALITY caseIgnoreIA5Match
          SYNTAX 'IA5String' )

        ( TBD.0.35 NAME 'nISDomain' EQUALITY caseIgnoreIA5Match
          SUBSTRINGS caseIgnoreIA5SubstringsMatch
          SYNTAX 'IA5String' )

4. Class definitions

   This section contains class definitions which must be implemented by
   DUAs supporting the schema.

   The definitions under the OID 2.5.6 are imported. The rfc822MailGroup
   object class is may used to represent a mail group for the purpose of
   alias expansion. (An (Several alternative schema schemes for aliases, mail routing and
   delivery using LDAP directories have been proposed in [4],
   is [4]; these issues
   will not be considered in detail here.)

        ( TBD.1.0 NAME 'posixAccount' SUP top STRUCTURAL
          DESC 'Abstraction of an account.
                The uid attribute represents is the account's login name.'
          MUST ( cn $ uid $ posixUidNumber $
                 posixPrimaryGidNumber $ posixHomeDirectory )
          MAY ( userPassword $ posixShell $ posixGecos $
                shadowLastChange $ posixShadowMin shadowMin $
                posixShadowMax shadowMax $ posixShadowWarn
                shadowWarn $
                posixShadowInactive shadowInactive $ posixShadowExpire shadowExpire $
                shadowFlag ) )

        ( TBD.1.1 NAME 'posixGroup' SUP top STRUCTURAL
          DESC 'Abstraction of a group of accounts.'
          MUST ( cn $ posixGidNumber ) MAY ( groupPassword $ memberUid ) )

        ( TBD.1.2 NAME 'ipService' SUP top STRUCTURAL
          DESC 'Abstraction an Internet Protocol service. Maps an IP
                port and protocol (eg. tcp or udp) to one or more names.
                The distinguished value of the cn attribute denotes the
                service's canonical name.'
          MUST ( cn $ ipServicePort $ ipServiceProtocol ) )

        ( TBD.1.3 NAME 'ipProtocol' SUP top STRUCTURAL
          DESC 'Abstraction of an IP protocol. Maps a protocol number to
                one or more names. The distinguished value of the cn
                attribute denotes the protocol's canonical name.'
          MUST ( cn $ ipProtocolNumber ) )
        ( TBD.1.4 NAME 'oNCRPC' SUP top STRUCTURAL
          DESC 'Abstraction of an Open Network Computing (ONC) [12]
                Remote Procedure Call (RPC) service. binding. Maps an ONC RPC
                number to a name. The distinguished value of the cn
                attribute denotes the RPC service's canonical name.'
          MUST ( cn $ oNCRPCNumber ) )

        ( TBD.1.5 NAME 'mount' SUP top STRUCTURAL
          DESC 'Abstraction of a filesystem mount.'
          MUST ( cn $ mountDirectory $ mountType )
          MAY ( mountOption $ mountDumpFrequency $ mountPassNo ) )

        ( TBD.1.6 NAME 'ipHost' SUP domainRelatedObject STRUCTURAL
          DESC 'Abstraction of a host. The schema defined in [3] is used
                to denote the canonical hostname, by mapping the
                distinguished name into a DNS domain name.
                The associatedDomain attribute is used for
                interrogating the DIT, and as such must contain values
                for the host's canonical name and its aliases.'
          MUST ( dc $ ipHostNumber )
          MAY ( macAddress $ bootParameter $ bootFile $
                l $ hostModel $ hostOS description $ hostFunction manager ) )

        ( TBD.1.7 NAME 'ipNetwork' SUP domainRelatedObject
          DESC 'Abstraction of a network.'
          MUST ( dc $ ipNetworkNumber )
          MAY ( ipNetmaskNumber $ manager $ locality l $ description $ manager ) )

        ( TBD.1.8 NAME 'nISNetgroup' SUP top STRUCTURAL
          DESC 'Abstraction of a netgroup. May reference refer to other netgroups.'
          MUST cn
          MAY ( memberUid $ memberHost $ memberNISNetgroup $ nISDomain ) )

5. Implementation details

5.1. Resolution methods

   The ideal means of directing a client application (one using the
   shared services of the C library) to use LDAP as its information
   source for the functions listed in 5.2 is to modify the source code
   to directly query LDAP. As the source code to commercial C libraries
   and applications is rarely available to the end-user, it is
   acceptable to emulate a supported nameservice (such as NIS) and
   modify the resolution code to use LDAP.  (This is also an appropriate
   opportunity to perform caching of entries across client address
   spaces.) In the case of NIS, reference implementations are widely
   available and the client-server RPC interface is well known.  Some
   operating systems and C libraries support end-user extensible
   resolvers using dynamically loadable libraries and a nameservice
   "switch". In any case, the precise means by which the operating
   system is directed to use LDAP is not at issue; this is left to the
   implementor to decide.

5.2. Affected resolver calls

   The following entry points are found in the C libraries of most Unix
   and POSIX compliant systems. An LDAP search filter [5] which may be
   used to satisfy the function call is included alongside each function
   name, with printf(3s) format notation used to denote the function
   parameter(s), if any. Note that the POSIX specification does not
   define the enumeration routines (such as getpwent(3c)); however, the
   filters are included here for completeness. With the exception of
   getmntent(3c), those functions in section 3c of Unix manual pages
   relate to POSIX entities, and those in section 3n relate to TCP/IP
   entities. Long lines are broken with the '\' character.

        getpwnam(3c)            (&(objectClass=posixAccount)(uid=%s))
        getpwuid(3c)            (&(objectClass=posixAccount)\
        getpwent(3c)            (objectClass=posixAccount)

        getgrnam(3c)            (&(objectClass=posixGroup)(cn=%s))
        getgrgid(3c)            (&(objectClass=posixGroup)\
        getgrent(3c)            (objectClass=posixGroup)

        getservbyname(3n)       (&(objectClass=ipService)\
        getservbyport(3n)       (&(objectClass=ipService)\
        getservent(3n)          (objectClass=ipService)

        getrpcbyname(3n)        (&(objectClass=oNCRPC)(cn=%s))
        getrpcbynumber(3n)      (&(objectClass=oNCRPC)(oNCRPCNumber=%d))
        getrpcent(3n)           (objectClass=oNCRPC)

        getprotobyname(3n)      (&(objectClass=ipProtocol)(cn=%s))
        getprotobynumber(3n)    (&(objectClass=ipProtocol)\
        getprotoent(3n)         (objectClass=ipProtocol)

        gethostbyname(3n)       (&(objectClass=ipHost)\
        gethostbyaddr(3n)       (&(objectClass=ipHost)(ipHostNumber=%s))
        gethostent(3n)          (objectClass=ipHost)

        getnetbyname(3n)        (&(objectClass=ipNetwork)\
        getnetbyaddr(3n)        (&(objectClass=ipNetwork)\
        getnetent(3n)           (objectClass=ipNetwork)

        getnetgrent(3n)         (objectClass=nISNetgroup)

        getaliasbyname(3n)      (&(objectClass=rfc822MailGroup)(cn=%s))
        getaliasent(3n)         (objectClass=rfc822MailGroup)

        getmntent(3c)           (objectClass=mount)

5.3. Interpreting user and group entries

   User and group resolution is initiated by the functions prefixed by
   getpw and getgr respectively. A user's login name is denoted by the
   value of the uid attribute (which will typically be used as a
   relative distinguished name); a group's name is denoted by a value of
   the cn attribute.

   A user's

   An account's GECOS field is preferentially preferably determined by a value of the
   posixGecos attribute. If no posixGecos attribute exists, the value of
   the cn attribute must be used. (The existence of the posixGecos
   attribute allows attributes embedded in the GECOS field, such as a
   user's telephone number, to be returned to the client without
   overloading the cn attribute.)

   An entry of class posixAccount without a userPassword attribute must
   be denied the opportunity to authenticate. For example, the client
   may be returned a non-matchable password such as "*" by the DUA.

   A user which is a member of a posixGroup which has no groupPassword
   attribute must not be allowed to authenticate themself as a member of
   that group, unless the user's posixPrimaryGidNumber attribute implies
   a user has the same group ID (in which case the operating system may
   determine this implicitly).

   userPassword and groupPassword values must be represented by
   following BNF syntax:

        <passwordValue> ::= <encryptionSchemePrefix> <encryptedPassword>
        <encryptionSchemePrefix> ::= '{' <encryptionScheme> '}'
        <encryptionScheme> ::= 'crypt'
        <encryptedPassword> ::= encrypted password

   (where the encrypted password consists of a plaintext key encrypted
   using crypt(3) with a two-character random salt)

   Operating systems which support different one way encoding functions
   may choose a different encryptionScheme, such as 'md5'; encryptionScheme; crypt(3) is only considered

   userPassword and groupPassword values which do not adhere to the BNF
   above must not be used for authentication. (The DUA must iterate
   through the values of the attribute until a value matching the above
   BNF is found.) Only if encryptedPassword is an empty string does the
   user have no password.

   A DUA may make use of the attributes prefixed by posixShadow shadow in order to
   provide shadow password service (getspnam(3c) and getspent(3c)). In
   such cases, the DUA must not make use of the userPassword attribute
   for getpwnam(3c) et al, and must return a non-matchable password
   (such as "x") to the client instead.

5.4. Interpreting hosts and networks

   The means for representing DNS [6] domains in LDAP distinguished
   names described in [3] and [9] is used in part to represent NIS TCP/IP
   hosts and networks in LDAP.

   A potential point of contention

   Potentially contentious is the use of the ipHostNumber attribute
   instead of the aRecord or dNSRecord attributes. attribute.  The rationale is that, in order
   to minimize the responsibility placed on the DUA, attribute values
   ought to directly contain the information they seek to represent.
   This contrasts with, for example, a dNSRecord value which expresses a
   complete DNS resource record including time to live and class data.

   While dNSRecords, aRecords, etc may be dNSRecords are suitable for building a DNS gateway to LDAP, LDAP
   (which may ultimately fulfill the purpose of resolving hosts) hosts), this
   information is extraneous to performing host lookups directly with

   Additionally, it is considered more appropriate for an entity, and
   all its aliases, to be represented by a single entry in the DIT,
   which is not always possible when a DNS resource record is mapped
   directly to an LDAP entry.

   This document redefines (although not to the extent of excluding the
   existing definition) the ipNetwork class defined in [3], for naming
   consistency with ipHost.  The ipNetworkNumber attribute is also used
   in the siteContact object class [14].  (The trailing zeros in a
   network address should be omitted.)

   If an entry of class ipHost or ipNetwork belongs to a naming context
   denoted by relative distinguished names (RDNs) [10] of attribute type
   dc (domainComponent), then the distinguished name (DN) is transformed
   into a domain name system (DNS) suffix by concatenating each RDN
   value with a period ('.').

   For example, an entry of class ipHost with a DN of dc=foo, dc=bar,
   dc=edu or dc=foo, dc=bar, dc=edu, o=Internet is parsed into the host
   name If the naming context is does not contain 'dc'
   values, a non-qualified host name is returned. For organizations
   which wish to use existing X.500 container classes to form their
   context (ie. organization and organizationalUnit) the RDN components
   of incorrect type are skipped by the DUA in determining the domain
   name. As such, a DN of dc=foo, dc=bar, dc=edu, o=Xedoc Software
   Development, o=Ace Industry, c=US
   may be parsed as As this may be considered a naming
   violation, this document does not specifically endorse this.

5.5. Interpreting other entities

   In general, a one-to-one mapping between entities and LDAP entries is
   proposed, in that each entity has exactly one representation in the
   DIT. In some cases this is not feasible; for example, a service which
   is represented in more than one protocol domain. Consider the
   following entry:

           dn: cn=domain, o=Xedoc Software Development, c=US dc=aceindustry, dc=com
           cn: domain
           cn: nameserver
           objectClass: top
           objectClass: ipService
           ipServicePort: 53
           ipServiceProtocol: tcp
           ipServiceProtocol: udp

   This entry would map to the following two (2) services entities:

           domain  53/tcp  nameserver
           domain  53/udp  nameserver

   While the above two entities could have been equally represented as
   separate LDAP entities, with different distinguished names (such as
   cn=domain, ou=tcp,
   cn=domain+ipServiceProtocol=tcp, ... and cn=domain, ou=udp,
   cn=domain+ipServiceProtocol=udp, ...) it is considered that
   representing them as a single entry is more convenient.

   The mount class represents mount entities as they would be found
   directly in /etc/fstab. Granted, this information is used primarily
   at boot time when access to non-local nameservices may be restricted.
   It may be considered useful to use LDAP to represent the
   configuration data for automount daemons; such a schema is outside
   the scope of this document. (However, the DUA may hint to the client
   that certain information is to be used by the automounter using the
   mountOption attribute.)

   With the exception of userPassword and groupPassword values, which
   must be parsed according to the BNF considered in section 5.2, any
   empty values (those that consist of a zero length string) are
   returned by the DUA to the client. The client may not make sense of
   them, but this situation is no different to parsing files which
   contain empty fields. (By contrast, the DUA must reject any entries
   which do not conform to the schema, ie. are missing certain required mandatory

5.6. Canonicalizing entries with multi-valued naming attributes

   For entities such as services, protocols, and RPCs, where there may
   be one or more aliases, the respective entry's relative distinguished
   name is used to form the canonical name.  Any other values for the
   same attribute are used as aliases. For example, the service
   described in section 5.5 has the canonical name 'domain' and exactly
   one alias, 'nameserver'.

   The schema in this document generally only defines one attribute per
   class which is suitable for distinguishing an entity (excluding any
   attributes with integer syntax; it is assumed that entries will be
   distinguished based on name). Usually, this is the common name (cn)
   attribute.  (For users, either the cn or uid attributes may be used
   to canonicalize an entry. For hosts and networks, the entire
   distinguished name is considered, as per section 5.4.) This fact aids
   the DUA in determining the canonical name of an entity: it can simply
   examine the value of the relative distinguished name. Aliases are
   thus any values of the distinguishing attribute (such as cn) which do
   not match the canonical name of the entity.

   In the event that a different attribute is used to distinguish the
   entry, as may be the case with conforming entries that belong to
   additional object classes, it is possible that the entity's canonical
   name cannot be deduced from the RDN. In this situation, the DUA must
   choose one of the non-distinguished values to represent the entity's
   canonical name. Because the directory server guarantees no ordering
   of attribute values, attempting to distinguish an entry in a
   deterministic fashion may require the DUA to maintain a mapping
   between entries' DNs and their canonical names as considered by the
   DUA. This document does not require this, nor does it advocate that
   such situations be resolved by mapping one DIT entry into multiple

6. Implementation focus

   A NIS to LDAP gateway daemon has been developed which supports the
   schema defined in this document. A set of extensions to a particular
   implementation of the BSD Mach operating system has also been developed,
   which sidesteps NIS and uses LDAP directly.

   Work is underway to develop a freely available (under the GNU General
   Library Public License) reference implementation of the C library
   resolution code that supports LDAP using the draft schema. The code
   will be compatible with the Free Software Foundation's GNU C library
   and other C libraries which support the Name Service Switch (NSS).

   The alias lookup functions referred to in section 5.2 are presently
   available only in the GNU C library, and (albeit with different
   names) in the C library of one commercial Unix vendor. It is
   anticipated that the mail transport agent (MTA) will typically
   consult LDAP or NIS directly instead of using the C library; however,
   support for the suggested library calls is encouraged.

   The author has made available a freely distributable set of Perl
   scripts for parsing configuration files such as /etc/passwd and
   /etc/hosts and generating LDIF data suitable for preparing an LDIF
   database. It would be a relatively trivial effort to write utilities
   to export LDIF data to flat files, such that information stored in an
   LDAP-compatible directory service could be regularly dumped into NIS
   maps or flat files.

7. Security considerations

   The entirety of related security considerations are outside the scope
   of this document. However, it should be noted that making passwords
   encrypted with a widely understood one way function (such as
   crypt(3)) available to non-privileged users is potentially dangerous
   because it exposes them to dictionary and brute-force attacks.  It is
   proposed only for compatibility with existing Unix implementations.
   Sites where security is critical may consider using Kerberos or
   another authentication service for logins. A variation on this is to
   authenticate to an LDAP server by binding over an encrypted
   connection (such as SSL [8]) without performing a search. [8]).

   Alternatively, the encrypted password could be made available only to
   a subset of privileged DUAs, which would provide 'shadow' password
   service to client applications.

   Because the schema represents operating system-level entities, access
   to these entities should be granted on a discretionary basis.  (That
   said, there is little point in restricting access to data which will
   be republished without restriction, eg. by a NIS server.) It is
   particularly important that only administrators can modify entries
   defined in this schema, with the exception of allowing a principal to
   change their password (which may be done on behalf of the user by a
   client bound as a superior principal, such that password restrictions
   may be enforced). For example, if a user were allowed to change the
   value of their posixUidNumber attribute, they could subvert security
   by equivalencing their account with the root account.

   A subtree of the DIT which is to be republished by a DUA (such as a
   NIS gateway) should be within the same administrative domain that the
   republishing DUA represents. (For example, principals outside an
   organization, while conceivably part of the DIT, should not be
   considered with the same degree of authority as those within the

8. Acknowledgements

   Thanks to Leif Hedstrom of Netscape Communications Corporation and
   Mark Wahl of Critical Angle Inc. for their contributions to the
   development of this schema.

9. References

   [1]  M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
        Protocol (Version 3)", INTERNET-DRAFT <draft-ietf-asid-ldapv3-
        protocol-03.txt>, October 1996.

   [2]  M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
        Protocol: Standard and Pilot Attribute Definitions", INTERNET-
        DRAFT <draft-ietf-asid-ldapv3-attributes-03.txt>, October 1996.

   [3]  S. Kille, "X.500 and Domains", RFC 1279, November 1991.

   [4]  H. Lachman, "LDAP-based Routing of SMTP Messages: Approach Used
        by Netscape", INTERNET-DRAFT <draft-ietf-asid-email-routing-ns-
        00.txt>, March 1997.

   [5]  T. Howes, "A String Representation of LDAP Search Filters",
        INTERNET-DRAFT <draft-ietf-asid-ldapv3-filter-00.txt>, March
        1997. See also [10].

   [6]  P. Mockapetris, "Domain names - concepts and facilities", RFC
        1034, November 1987.

   [7]  "Information Processing Systems - Open Systems Interconnection -
        The Directory: Overview of Concepts, Models and Service",
        ISO/IEC JTC 1/SC21, International Standard 9594-1, 1988.

   [8]  A. O. Freier, P. Karlton, P. Kocher, "The SSL Protocol, Version
        3.0", INTERNET-DRAFT <draft-ietf-tls-ssl-version3-00.txt>
        November 1996.

   [9]  S. Kille, M. Wahl, "An Approach for Using Domains in LDAP
        Distinguished Names", INTERNET-DRAFT <draft-ietf-asid-ldap-
        domains-00.txt>, July 1996.

   [10] S. Kille, "A String Representation of Distinguished Names", RFC
        1779, March 1995.

   [11] G. Good, "The LDAP Data Interchange Format (LDIF)", INTERNET-
        DRAFT <draft-ietf-asid-ldif-00.txt>, November 1996.

   [12] Sun Microsystems, Inc., "RPC: Remote Procedure Call: Protocol
        Specification Version 2", RFC 1057, June 1988.

   [13] ISO/IEC 9945-1:1990, Information Technology - Portable Operating
        Systems Interface (POSIX) - Part 1: Systems Application
        Programming Interface (API) [C Language]


   [14] M. T. Rose, "The Little Black Book: Mail Bonding with OSI
        Directory Services", ISBN 0-13-683210-5, Prentice-Hall, Inc.,

10. Author's Address

   Luke Howard
   Xedoc Software Development Inc
   PO Box 33015
   Los Gatos, CA 95031
   Phone: +61-3-9428-0788
   Fax: +61-3-9428-0786 59
   Central Park Vic 3145

A. Example entries

   The examples described in this section are provided to illustrate the
   schema described in this draft. They do not purport to be a
   authoritative reference. Entries are presented in LDIF notation [11].

   The following entry is an example of the posixAccount class:

           dn: uid=lukeh, o=Xedoc Software Development, c=US dc=aceindustry, dc=com
           cn: Luke Howard
           objectClass: top
           objectClass: person
           objectClass: posixAccount
           sn: Howard
           telephoneNumber: +61 3 9428 0788
           uid: lukeh
           userPassword: {crypt}X5/DBrWPOQQaI
           posixGecos: Luke Howard
           posixShell: /bin/csh
           posixUidNumber: 10
           posixPrimaryGidNumber: 10
           posixHomeDirectory: /home/lukeh

   This corresponds the Unix password file entry:

        lukeh:X5/DBrWPOQQaI:10:10:Luke Howard:/home/lukeh:/bin/sh

   Note that the userPassword value is parsed into a password suitable
   for matching with crypt(3). Attributes such as telephoneNumber and sn
   (which belong to classes other than posixAccount), are not used in
   determining the corresponding password file entry but may be useful
   to other LDAP clients. (In most cases, entries of class posixAccount
   will also inherit from person or organizationalPerson.)

   The following entry is an example of the ipHost class:

           dn: dc=grualdo, dc=xedoc, dc=com, o=Internet dc=yoyo, dc=aceindustry, dc=com
           dc: grualdo yoyo
           objectClass: top
           objectClass: ipHost
           objectClass: domainRelatedObject
           macAddress: 0:0:92:90:ee:e2
           bootFile: unix
           bootParameter: root=fs:/nfsroot/grualdo root=fs:/nfsroot/yoyo
           bootParameter: swap=fs:/nfsswap/grualdo swap=fs:/nfsswap/yoyo
           bootParameter: dump=fs:/nfsdump/grualdo dump=fs:/nfsdump/yoyo

   This entry represents the host,, also known as Note that the associatedDomain values are used
   in searching for the entry, but the distinguished name is parsed to
   determine the host's canonical name. The MAC address, boot image, and
   two boot parameters are also specified in this entry.  (Thus, the NIS
   maps prefixed by 'hosts', 'ethers', and 'bootparams' could all be
   derived from similar entries.)
   An example of the nISNetgroup class:

           dn: cn=nightfly, o=Xedoc Software Development, c=US dc=aceindustry, dc=com
           cn: nightfly
           objectClass: top
           objectClass: nISNetgroup
           memberUid: lukeh
           memberUid: fagen

   This entry represents the netgroup 'nightfly' which contains the
   users lukeh and fagen, and the host;; and which
   belongs to the NIS domain

   Finally, an example of the ipProtocol class:

           dn: cn=tcp, o=Xedoc Software Development, c=US dc=aceindustry, dc=com
           objectClass: top
           objectClass: ipProtocol
           cn: tcp
           cn: TCP
           ipProtocolNumber: 6

   This entry represents the protocol named 'tcp' whose protocol number
   is 6.