draft-ietf-asid-nis-schema-01.txt   draft-ietf-asid-nis-schema-02.txt 
Application Working Group L. Howard Application Working Group L. Howard
INTERNET-DRAFT Independent Consultant INTERNET-DRAFT Independent Consultant
Intended Category: Experimental Intended Category: Experimental
An Approach for Using LDAP as a Network Information Service An Approach for Using LDAP as a Network Information Service
<draft-ietf-asid-nis-schema-01.txt> <draft-ietf-asid-nis-schema-02.txt>
Status of this Memo Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts. working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six Internet-Drafts are draft documents valid for a maximum of six
months. Internet-Drafts may be updated, replaced, or made obsolete by months. Internet-Drafts may be updated, replaced, or made obsolete by
skipping to change at page 1, line 34 skipping to change at page 1, line 34
To learn the current status of any Internet-Draft, please check the To learn the current status of any Internet-Draft, please check the
1id-abstracts.txt listing contained in the Internet-Drafts Shadow 1id-abstracts.txt listing contained in the Internet-Drafts Shadow
Directories on ds.internic.net (US East Coast), nic.nordu.net Directories on ds.internic.net (US East Coast), nic.nordu.net
(Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
Rim). Rim).
Distribution of this document is unlimited. Distribution of this document is unlimited.
Abstract Abstract
This document describes an experimental mechanism for mapping POSIX This document describes an experimental mechanism for mapping
[13] and TCP/IP network-related entities into X.500 entries so that entities related to TCP/IP and the UNIX system into X.500 entries so
they may be resolved with the Lightweight Directory Access Protocol that they may be resolved with the Lightweight Directory Access
[1]. A set of attribute types and object classes are proposed, along Protocol [1]. A set of attribute types and object classes are
with specific guidelines for interpreting them. proposed, along with specific guidelines for interpreting them.
The intention is to assist the deployment of LDAP as an The intention is to assist the deployment of LDAP as an
organizational nameservice. No proposed solutions are intended as organizational nameservice. No proposed solutions are intended as
standards for the Internet. Rather, it is hoped that a general standards for the Internet. Rather, it is hoped that a general
consensus will emerge as to the appropriate solution to such consensus will emerge as to the appropriate solution to such
problems, leading eventually to the adoption of standards. The problems, leading eventually to the adoption of standards. The
proposed mechanism has already been implemented with some success. proposed mechanism has already been implemented with some success.
1. Background and Motivation 1. Background and Motivation
The Unix operating system, and its derivatives (specifically, those The UNIX (R) operating system, and its derivatives (specifically,
which support TCP/IP and conform to the POSIX XPG.4 specification) those which support TCP/IP and conform to the X/Open Single UNIX
require a means of looking up entities, by matching them against specification [13]) require a means of looking up entities, by
search criteria or by enumeration. (Other operating systems that matching them against search criteria or by enumeration. (Other
support TCP/IP may provide some means of resolving some of these operating systems that support TCP/IP may provide some means of
entities. This schema applies to those environments also.) resolving some of these entities. This schema is applicable to those
environments also.)
These entities include users, groups, IP services (which map names to These entities include users, groups, IP services (which map names to
IP ports and protocols, and vice versa), IP protocols (which map IP ports and protocols, and vice versa), IP protocols (which map
names to IP protocol numbers and vice versa), RPCs (which map names names to IP protocol numbers and vice versa), RPCs (which map names
to ONC Remote Procedure Call [12] numbers and vice versa), NIS to ONC Remote Procedure Call [12] numbers and vice versa), NIS
netgroups, booting information (boot parameters and MAC address netgroups, booting information (boot parameters and MAC address
mappings), filesystem mounts, IP hosts and networks, and RFC822 mail mappings), filesystem mounts, IP hosts and networks, and RFC822 mail
aliases. aliases.
Resolution requests are made through a set of C functions, provided Resolution requests are made through a set of C functions, provided
in the Unix C library. For example, the Unix command line tool 'ls', in the UNIX system's C library. For example, the UNIX system utility
which enumerates the contents of a filesystem directory, uses the C 'ls', which enumerates the contents of a filesystem directory, uses
library function getpwuid(3c) in order to map user IDs to login the C library function getpwuid(3c) in order to map user IDs to login
names. Once the request is made, it is resolved using a 'nameservice' names. Once the request is made, it is resolved using a 'nameservice'
which is supported by the client library. The nameservice may be, at which is supported by the client library. The nameservice may be, at
its simplest, a collection of files in the local filesystem which are its simplest, a collection of files in the local filesystem which are
opened and searched by the C library. Other common nameservices opened and searched by the C library. Other common nameservices
include the Network Information Service (NIS) and the Domain Name include the Network Information Service (NIS) and the Domain Name
System (DNS). (The latter is typically only used for resolving hosts System (DNS). (The latter is typically only used for resolving hosts,
and networks.) Both these nameservices have the advantage of being services and networks.) Both these nameservices have the advantage of
distributed and thus permitting a common set of entities to be shared being distributed and thus permitting a common set of entities to be
amongst many clients. shared amongst many clients.
LDAP is a distributed, hierarchical directory service access protocol LDAP is a distributed, hierarchical directory service access protocol
which is used to access repositories of users and other network- which is used to access repositories of users and other network-
related entities. Because LDAP is usually not tightly integrated with related entities. Because LDAP is usually not tightly integrated with
the operating system, information such as users needs to be kept both the operating system, information such as users needs to be kept both
in LDAP and in an operating system supported nameservice such as NIS. in LDAP and in an operating system supported nameservice such as NIS.
By using LDAP as the the primary means of resolving these entities, By using LDAP as the the primary means of resolving these entities,
these redundancy issues are minimized and the scalability of LDAP can these redundancy issues are minimized and the scalability of LDAP can
be exploited. (By comparison, NIS services based on flat files do not be exploited. (By comparison, NIS services based on flat files do not
have the scalability or extensibility of LDAP or X.500.) have the scalability or extensibility of LDAP or X.500.)
skipping to change at page 3, line 17 skipping to change at page 3, line 19
deemed to be authoritative, it is considered desirable to have a deemed to be authoritative, it is considered desirable to have a
single, open schema rather than the proliferation of multiple single, open schema rather than the proliferation of multiple
proprietary schema. This document is one step towards such a schema. proprietary schema. This document is one step towards such a schema.
2. General Issues 2. General Issues
2.1. Terminology 2.1. Terminology
In this document, the term 'NIS-related entities' is used rather In this document, the term 'NIS-related entities' is used rather
loosely to refer to those entities (described in the previous loosely to refer to those entities (described in the previous
section) which are typically repesented in the Network Information section) which are typically represented in the Network Information
Service. (NIS was previously known as Yellow Pages, or YP.) It should Service. (NIS was previously known as Yellow Pages, or YP.) It should
not be inferred from this that deploying LDAP for resolving such not be inferred from this that deploying LDAP for resolving such
entities requires NIS to be used (as a gateway or otherwise). The entities (nisObject excluded) requires NIS to be used, as a gateway
host and network classes are generically applicable, and may be or otherwise. The host and network classes are generically
implemented on operating systems other than Unix that wish to use applicable, and may be implemented on operating systems other than
LDAP to resolve these entities. the UNIX system that wish to use LDAP to resolve these entities.
The 'DUA' (directory user agent) refers to the LDAP client querying The 'DUA' (directory user agent) refers to the LDAP client querying
these entities, such as an LDAP to NIS gateway or the C library. The these entities, such as an LDAP to NIS gateway or the C library. The
'client' refers to the application which ultimately makes use of the 'client' refers to the application which ultimately makes use of the
information returned by the resolution. It is irrelevant whether the information returned by the resolution. It is irrelevant whether the
DUA and the client reside within the same address space. The act of DUA and the client reside within the same address space. The act of
the DUA making this information to the client is termed the DUA making this information to the client is termed
'republishing'. 'republishing'.
To avoid confusion, the term 'login name' refers to the user's login To avoid confusion, the term 'login name' refers to the user's login
name (being the value of the uid attribute) and the term 'user ID' name (being the value of the uid attribute) and the term 'user ID'
refers to he user's integer identification number (being the value of refers to he user's integer identification number (being the value of
the posixUidNumber attribute). The term 'principal' is used to the uidNumber attribute). The term 'principal' is used to
distinguish accounts that may be used for authentication from those distinguish accounts that may be used for authentication from those
that are not. that are not.
The term 'nameservice' refers to a service, such as NIS or flat The term 'nameservice' refers to a service, such as NIS or flat
files, that is used by the operating system to resolve entities files, that is used by the operating system to resolve entities
within a single, local naming context. Contrast this with a within a single, local naming context. Contrast this with a
'directory service' such as LDAP, which support extensible schema and 'directory service' such as LDAP, which support extensible schema and
multiple naming contexts. multiple naming contexts.
The phrase 'resolving an entity' or 'resolution of entities' refers The phrase 'resolving an entity' or 'resolution of entities' refers
to enumerating NIS-related entities of a given type, or matching them to enumerating NIS-related entities of a given type, or matching them
against a given search criterion. One or more entities are returned against a given search criterion. One or more entities are returned
as a result of successful 'resolutions' (a 'match' operation will as a result of successful 'resolutions' (a 'match' operation will
only return one entity). only return one entity).
Note that the use of the attribute and class prefix 'posix' does not The use of the term UNIX does not confer upon this schema the
confer any endorsement of this schema by the POSIX standards body. endorsement of owners of the UNIX trademark. Where necessary, the
The prefix was chosen as a more appropriate prefix than 'unix', the term 'TCP/IP entity' is used to refer to protocols, services, hosts,
other suitable candidate. Where necessary, the term 'POSIX entity' and networks, and the term 'UNIX entity' to its complement. (The
is used to refer to users and groups; the term 'TCP/IP entity' is former category does not mandate the host operating system supporting
used to refer to protocols, services, hosts, and networks. (The the interfaces required for resolving UNIX entities.)
latter category does not mandate the host operating system supporting
the interfaces required for resolving POSIX entities.) NIS netgroups, The OIDs used by this schema are rooted at nisSchema, canonically
ONC RPC binding information, and mounts fall outside these iso.org.dod.internet.directory.nisSchema (OID 1.3.6.1.1.1).
categories.
2.2. Attributes 2.2. Attributes
The attributes and classes defined in this document are summarized The attributes and classes defined in this document are summarized
below. The reader is referred to [2] for the BFN for attribute type below. The reader is referred to [2] for the BFN for attribute type
definitions. definitions.
The following attributes are defined in this document: The following attributes are defined in this document:
posixUidNumber uidNumber
posixPrimaryGidNumber gidNumber
posixGidNumber gecos
posixGecos homeDirectory
posixHomeDirectory loginShell
posixShell
shadowLastChange shadowLastChange
shadowMin shadowMin
shadowMax shadowMax
shadowWarn shadowWarning
shadowInactive shadowInactive
shadowExpire shadowExpire
shadowFlag shadowFlag
memberUid memberUid
memberNISNetgroup memberNisNetgroup
memberHost nisNetgroupTriple
ipServicePort ipServicePort
ipServiceProtocol ipServiceProtocol
ipProtocolNumber ipProtocolNumber
oNCRPCNumber oncRpcNumber
mountOption
mountType
mountDirectory
mountDumpFrequency
mountPassNo
ipHostNumber ipHostNumber
ipNetworkNumber ipNetworkNumber
ipNetmaskNumber ipNetmaskNumber
macAddress macAddress
bootParameter bootParameter
bootFile bootFile
nISDomain automountInformation
nisMapName
Additionally, the attributes defined in [2] and [9] are imported. nisValue
Additionally, the attributes defined in [2], [9] and [16] are
imported.
2.3. Object classes 2.3. Object classes
The reader is referred to [2] for the BFN for object class The reader is referred to [2] for the BFN for object class
definition. definition.
The following object classes are defined in this document: The following object classes are defined in this document:
posixAccount posixAccount
shadowAccount
posixGroup posixGroup
ipService ipService
ipProtocol ipProtocol
oNCRPC oncRpc
mount
ipHost ipHost
ipNetwork ipNetwork
nISNetgroup nisNetgroup
automount
nisObject
Additionally, the classes defined in [2] and [9] are imported. Additionally, the classes defined in [2] and [9] are imported.
2.4. Syntax definitions
The following syntax definition [2] is used in representing NIS
netgroup triples.
( nisSchema.0.0 NAME 'nisNetgroupTripleSyntax'
DESC 'NIS netgroup triple' )
Values in this syntax are encoded according to the following BNF:
nisnetgrouptriple = "(" hostname "," username "," domainname ")"
hostname = "" / "-" / keystring
username = "" / "-" / keystring
domainname = "" / "-" / keystring
3. Attribute definitions 3. Attribute definitions
This section contains attribute definitions which must be implemented This section contains attribute definitions which must be implemented
by DUAs supporting the schema. by DUAs supporting the schema.
( TBD.0.0 NAME 'posixUidNumber' ( nisSchema.1.0 NAME 'uidNumber'
DESC 'An integer uniquely identifying a user in an DESC 'An integer uniquely identifying a user in an
administrative domain' administrative domain'
EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.1 NAME 'posixPrimaryGidNumber' ( nisSchema.1.1 NAME 'gidNumber'
DESC 'An integer uniquely identifying a group in an
administrative domain'
EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.2 NAME 'posixGidNumber'
DESC 'An integer uniquely identifying a group in an DESC 'An integer uniquely identifying a group in an
administrative domain' administrative domain'
EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.3 NAME 'posixGecos' ( nisSchema.1.2 NAME 'gecos'
DESC 'The GECOS field (the user's full name et al)' DESC 'The GECOS field, including the user's common name'
EQUALITY caseIgnoreIA5Match EQUALITY caseIgnoreIA5Match
SUBSTRINGS caseIgnoreIA5SubstringsMatch SUBSTRINGS caseIgnoreIA5SubstringsMatch
SYNTAX 'IA5String' SINGLE-VALUE ) SYNTAX 'IA5String' SINGLE-VALUE )
( TBD.0.4 NAME 'posixHomeDirectory' ( nisSchema.1.3 NAME 'homeDirectory'
DESC 'The absolute path of the user's home directory' DESC 'The absolute path of the user's home directory'
EQUALITY caseExactIA5Match EQUALITY caseExactIA5Match
SYNTAX 'IA5String' SINGLE-VALUE ) SYNTAX 'IA5String' SINGLE-VALUE )
( TBD.0.5 NAME 'posixShell' ( nisSchema.1.4 NAME 'loginShell'
DESC 'The absolute path of the user's shell' DESC 'The absolute path of the user's shell'
EQUALITY caseExactIA5Match EQUALITY caseExactIA5Match
SYNTAX 'IA5String' SINGLE-VALUE ) SYNTAX 'IA5String' SINGLE-VALUE )
( TBD.0.6 NAME 'shadowLastChange' EQUALITY integerMatch ( nisSchema.1.5 NAME 'shadowLastChange' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE ) SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.7 NAME 'shadowMin' EQUALITY integerMatch ( nisSchema.1.6 NAME 'shadowMin' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE ) SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.8 NAME 'shadowMax' EQUALITY integerMatch ( nisSchema.1.7 NAME 'shadowMax' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE ) SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.9 NAME 'shadowWarn' EQUALITY integerMatch ( nisSchema.1.8 NAME 'shadowWarning' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE ) SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.10 NAME 'shadowInactive' EQUALITY integerMatch ( nisSchema.1.9 NAME 'shadowInactive' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE ) SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.11 NAME 'shadowExpire' EQUALITY integerMatch ( nisSchema.1.10 NAME 'shadowExpire' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE ) SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.12 NAME 'shadowFlag' EQUALITY integerMatch ( nisSchema.1.11 NAME 'shadowFlag' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE ) SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.13 NAME 'memberUid' EQUALITY caseIgnoreIA5Match ( nisSchema.1.12 NAME 'memberUid' EQUALITY caseExactIA5Match
SUBSTRINGS caseIgnoreIA5SubstringsMatch SUBSTRINGS caseExactIA5SubstringsMatch
SYNTAX 'IA5String{128}' ) SYNTAX 'IA5String{128}' )
( nisSchema.1.13 NAME 'memberNisNetgroup' EQUALITY caseExactIA5Match
( TBD.0.14 NAME 'memberNISNetgroup' EQUALITY caseIgnoreIA5Match SUBSTRINGS caseExactIA5SubstringsMatch
SUBSTRINGS caseIgnoreIA5SubstringsMatch
SYNTAX 'IA5String' )
( TBD.0.15 NAME 'memberHost' EQUALITY caseIgnoreIA5Match
SUBSTRINGS caseIgnoreIA5SubstringsMatch
SYNTAX 'IA5String' )
( TBD.0.16 NAME 'ipServicePort' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.17 NAME 'ipServiceProtocol' EQUALITY caseIgnoreIA5Match
SYNTAX 'IA5String' ) SYNTAX 'IA5String' )
( TBD.0.18 NAME 'ipProtocolNumber' EQUALITY integerMatch ( nisSchema.1.14 NAME 'nisNetgroupTriple'
SYNTAX 'INTEGER' SINGLE-VALUE ) DESC 'Netgroup triple' SYNTAX 'nisNetgroupTripleSyntax' )
( TBD.0.19 NAME 'oNCRPCNumber' EQUALITY integerMatch ( nisSchema.1.15 NAME 'ipServicePort' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE ) SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.20 NAME 'mountOption' EQUALITY caseIgnoreIA5Match ( nisSchema.1.16 NAME 'ipServiceProtocol' EQUALITY caseIgnoreIA5Match
SYNTAX 'IA5String' ) SYNTAX 'IA5String' )
( TBD.0.21 NAME 'mountType' EQUALITY caseIgnoreIA5Match ( nisSchema.1.17 NAME 'ipProtocolNumber' EQUALITY integerMatch
SYNTAX 'IA5String' SINGLE-VALUE )
( TBD.0.22 NAME 'mountDirectory' EQUALITY caseExactIA5Match
SYNTAX 'IA5String' SINGLE-VALUE )
( TBD.0.23 NAME 'mountDumpFrequency' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE ) SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.24 NAME 'mountPassNo' EQUALITY integerMatch ( nisSchema.1.18 NAME 'oncRpcNumber' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE ) SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.25 NAME 'ipHostNumber' ( nisSchema.1.19 NAME 'ipHostNumber'
DESC 'IP address in dotted decimal notation, eg. 192.168.1.1' DESC 'IP address in dotted decimal notation, eg. 192.168.1.1'
EQUALITY caseIgnoreIA5Match EQUALITY caseIgnoreIA5Match
SYNTAX 'IA5String{128}' ) SYNTAX 'IA5String{128}' )
( TBD.0.26 NAME 'ipNetworkNumber' ( nisSchema.1.20 NAME 'ipNetworkNumber'
DESC 'IP address in dotted decimal notation, eg. 192.168' DESC 'IP address in dotted decimal notation, eg. 192.168'
EQUALITY caseIgnoreIA5Match EQUALITY caseIgnoreIA5Match
SYNTAX 'IA5String{128}' ) SYNTAX 'IA5String{128}' )
( TBD.0.27 NAME 'ipNetmaskNumber' ( nisSchema.1.21 NAME 'ipNetmaskNumber'
DESC 'IP address in dotted decimal notation, eg. 255.255.255.0' DESC 'IP address in dotted decimal notation, eg. 255.255.255.0'
EQUALITY caseIgnoreIA5Match EQUALITY caseIgnoreIA5Match
SYNTAX 'IA5String{128}' ) SYNTAX 'IA5String{128}' )
( TBD.0.28 NAME 'macAddress' ( nisSchema.1.22 NAME 'macAddress'
DESC 'MAC address in colon-separated hex notation, for DESC 'MAC address in colon-separated hex notation, for
example 0:0:92:90:ee:e2' example 0:0:92:90:ee:e2'
EQUALITY caseIgnoreIA5Match EQUALITY caseIgnoreIA5Match
SYNTAX 'IA5String{128}' ) SYNTAX 'IA5String{128}' )
( TBD.0.29 NAME 'bootParameter' ( nisSchema.1.23 NAME 'bootParameter'
DESC 'rpc.bootparamd parameter; informal syntax is key=value' DESC 'rpc.bootparamd parameter; informal syntax is key=value'
EQUALITY caseExactIA5Match EQUALITY caseExactIA5Match
SYNTAX 'IA5String' ) SYNTAX 'IA5String' )
( TBD.0.30 NAME 'bootFile' EQUALITY caseExactIA5Match ( nisSchema.1.24 NAME 'bootFile'
STRINGS caseExactSubstringsIA5Match SYNTAX 'IA5String' ) DESC 'name of the boot image, which may be used by bootpd.
Alternatively, this may specified as a value of
bootParameter.'
EQUALITY caseExactIA5Match
SYNTAX 'IA5String' )
( TBD.0.31 NAME 'nISDomain' EQUALITY caseIgnoreIA5Match ( nisSchema.1.25 NAME 'automountInformation'
SUBSTRINGS caseIgnoreIA5SubstringsMatch DESC 'An entry in an automount map.'
EQUALITY caseExactIA5Match
SUBSTRINGS caseExactIA5SubstringsMatch
SYNTAX 'IA5String' ) SYNTAX 'IA5String' )
( nisSchema.1.26 NAME 'nisMapName'
EQUALITY caseExactIA5Match
SUBSTRINGS caseExactIA5SubstringsMatch
SYNTAX 'IA5String{1024}' SINGLE-VALUE )
( nisSchema.1.27 NAME 'nisValue'
EQUALITY caseExactIA5Match
SUBSTRINGS caseExactIA5SubstringsMatch
SYNTAX 'IA5String{1024}' SINGLE-VALUE )
4. Class definitions 4. Class definitions
This section contains class definitions which must be implemented by This section contains class definitions which must be implemented by
DUAs supporting the schema. DUAs supporting the schema.
The definitions under the OID 2.5.6 are imported. The rfc822MailGroup The definitions under the OID 2.5.6 are imported. The rfc822MailGroup
object class may used to represent a mail group for the purpose of object class may used to represent a mail group for the purpose of
alias expansion. (Several alternative schemes for mail routing and alias expansion. (Several alternative schemes for mail routing and
delivery using LDAP directories have been proposed [4]; these issues delivery using LDAP directories have been proposed [4]; these issues
will not be considered in detail here.) will not be considered in detail here.)
( TBD.1.0 NAME 'posixAccount' SUP top STRUCTURAL ( nisSchema.2.0 NAME 'posixAccount' SUP top STRUCTURAL
DESC 'Abstraction of an account. DESC 'Abstraction of an account with POSIX attributes.'
The uid attribute is the account's login name.' MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
MUST ( cn $ uid $ posixUidNumber $ MAY ( userPassword $ loginShell $ gecos $ description ) )
posixPrimaryGidNumber $ posixHomeDirectory )
MAY ( userPassword $ posixShell $ posixGecos $
shadowLastChange $ shadowMin $ shadowMax $
shadowWarn $ shadowInactive $ shadowExpire $
shadowFlag ) )
( TBD.1.1 NAME 'posixGroup' SUP top STRUCTURAL ( nisSchema.2.1 NAME 'shadowAccount' SUP top AUXILIARY
DESC 'Abstraction of a group of accounts.' DESC 'Additional attributes for shadow passwords.'
MUST ( cn $ posixGidNumber ) MAY ( groupPassword $ memberUid ) ) MUST uid
MAY ( userPassword $ shadowLastChange $ shadowMin
shadowMax $ shadowWarning $ shadowInactive $
shadowExpire $ shadowFlag $ description ) )
( TBD.1.2 NAME 'ipService' SUP top STRUCTURAL ( nisSchema.2.2 NAME 'posixGroup' SUP top STRUCTURAL
DESC 'Abstraction of a group of posixAccounts.'
MUST ( cn $ gidNumber )
MAY ( groupPassword $ memberUid $ description ) )
( nisSchema.2.3 NAME 'ipService' SUP top STRUCTURAL
DESC 'Abstraction an Internet Protocol service. Maps an IP DESC 'Abstraction an Internet Protocol service. Maps an IP
port and protocol (eg. tcp or udp) to one or more names. port and protocol (eg. tcp or udp) to one or more names.
The distinguished value of the cn attribute denotes the The distinguished value of the cn attribute denotes the
service's canonical name.' service's canonical name.'
MUST ( cn $ ipServicePort $ ipServiceProtocol ) ) MUST ( cn $ ipServicePort $ ipServiceProtocol )
MAY description )
( TBD.1.3 NAME 'ipProtocol' SUP top STRUCTURAL ( nisSchema.2.4 NAME 'ipProtocol' SUP top STRUCTURAL
DESC 'Abstraction of an IP protocol. Maps a protocol number to DESC 'Abstraction of an IP protocol. Maps a protocol number to
one or more names. The distinguished value of the cn one or more names. The distinguished value of the cn
attribute denotes the protocol's canonical name.' attribute denotes the protocol's canonical name.'
MUST ( cn $ ipProtocolNumber ) ) MUST ( cn $ ipProtocolNumber $ description )
( TBD.1.4 NAME 'oNCRPC' SUP top STRUCTURAL MAY description )
( nisSchema.2.5 NAME 'oncRpc' SUP top STRUCTURAL
DESC 'Abstraction of an Open Network Computing (ONC) [12] DESC 'Abstraction of an Open Network Computing (ONC) [12]
Remote Procedure Call (RPC) binding. Maps an ONC RPC Remote Procedure Call (RPC) binding. Maps an ONC RPC
number to a name. The distinguished value of the cn number to a name. The distinguished value of the cn
attribute denotes the RPC service's canonical name.' attribute denotes the RPC service's canonical name.'
MUST ( cn $ oNCRPCNumber ) ) MUST ( cn $ oncRpcNumber $ description )
MAY description )
( TBD.1.5 NAME 'mount' SUP top STRUCTURAL
DESC 'Abstraction of a filesystem mount.'
MUST ( cn $ mountDirectory $ mountType )
MAY ( mountOption $ mountDumpFrequency $ mountPassNo ) )
( TBD.1.6 NAME 'ipHost' SUP domainRelatedObject STRUCTURAL ( nisSchema.2.6 NAME 'ipHost' SUP top STRUCTURAL
DESC 'Abstraction of a host. The schema defined in [3] is used DESC 'Abstraction of a host. The schema defined in [3] is used
to denote the canonical hostname, by mapping the to denote the canonical hostname, by mapping the
distinguished name into a DNS domain name. distinguished name into a DNS domain name.
The associatedDomain attribute is used for The associatedDomain attribute is used for interrogating
interrogating the DIT, and as such must contain values the DIT, and as such must contain values for the host's
for the host's canonical name and its aliases.' canonical name and its aliases.'
MUST ( dc $ ipHostNumber ) MUST ( dc $ ipHostNumber $ associatedDomain )
MAY ( macAddress $ bootParameter $ bootFile $ MAY ( macAddress $ bootParameter $ bootFile $
l $ description $ manager ) ) l $ description $ manager $ serialNumber ) )
( TBD.1.7 NAME 'ipNetwork' SUP domainRelatedObject ( nisSchema.2.7 NAME 'ipNetwork' SUP top
STRUCTURAL STRUCTURAL
DESC 'Abstraction of a network.' DESC 'Abstraction of a network.'
MUST ( dc $ ipNetworkNumber ) MUST ( dc $ ipNetworkNumber $ associatedDomain )
MAY ( ipNetmaskNumber $ l $ description $ manager ) ) MAY ( ipNetmaskNumber $ l $ description $ manager ) )
( TBD.1.8 NAME 'nISNetgroup' SUP top STRUCTURAL ( nisSchema.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL
DESC 'Abstraction of a netgroup. May refer to other netgroups.' DESC 'Abstraction of a netgroup. May refer to other netgroups.'
MUST cn MUST cn
MAY ( memberUid $ memberHost $ memberNISNetgroup $ nISDomain ) ) MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )
( nisSchema.2.9 NAME 'automount' SUP top STRUCTURAL
DESC 'Abstraction of an automount map; each entry in the map
is represented by a value of the automountInformation
attribute. The map name is given by the cn attribute.
Each value of the automountInformation attribute
constitutes a mount entry.'
MUST cn
MAY ( automountInformation $ description ) )
( nisSchema.2.10 NAME 'nisObject' SUP top STRUCTURAL
DESC 'Abstraction of a generic NIS map or entry.'
MUST nisMapName
MAY ( cn $ nisValue $ description ) )
5. Implementation details 5. Implementation details
5.1. Resolution methods 5.1. Resolution methods
The ideal means of directing a client application (one using the The ideal means of directing a client application (one using the
shared services of the C library) to use LDAP as its information shared services of the C library) to use LDAP as its information
source for the functions listed in 5.2 is to modify the source code source for the functions listed in 5.2 is to modify the source code
to directly query LDAP. As the source code to commercial C libraries to directly query LDAP. As the source code to commercial C libraries
and applications is rarely available to the end-user, it is and applications is rarely available to the end-user, it is
acceptable to emulate a supported nameservice (such as NIS) and acceptable to emulate a supported nameservice (such as NIS) and
modify the resolution code to use LDAP. (This is also an appropriate modify the resolution code to use LDAP. (This is also an appropriate
opportunity to perform caching of entries across client address opportunity to perform caching of entries across client address
spaces.) In the case of NIS, reference implementations are widely spaces.) In the case of NIS, reference implementations are widely
available and the client-server RPC interface is well known. Some available and the client-server RPC interface is well known.
operating systems and C libraries support end-user extensible
There exists no standard mechanism, other than NIS, for resolving
automount and nisObject entries. The former may be supported by the
automounter itself; both classes should be supported by an LDAP to
NIS gateway. However, an implementation which claims to conform to
this specification is not required to support these classes. (To
mandate otherwise would exclude implementations integrated with the C
library.)
Some operating systems and C libraries support end-user extensible
resolvers using dynamically loadable libraries and a nameservice resolvers using dynamically loadable libraries and a nameservice
"switch". In any case, the precise means by which the operating "switch". Others allow end-user defined symbols to be substituted at
system is directed to use LDAP is not at issue; this is left to the runtime. Regardless, the means by which the operating system is
implementor to decide. directed to use LDAP is implementation dependent, as is the means by
which the DUA locates LDAP servers. (It is anticipated that the
Dynamic Host Configuration Protocol (DHCP) may be used for the latter
[16].)
5.2. Affected resolver calls 5.2. Affected resolver calls
The following entry points are found in the C libraries of most UNIX
The following entry points are found in the C libraries of most Unix
and POSIX compliant systems. An LDAP search filter [5] which may be and POSIX compliant systems. An LDAP search filter [5] which may be
used to satisfy the function call is included alongside each function used to satisfy the function call is included alongside each function
name, with printf(3s) format notation used to denote the function name, with printf(3s) format notation used to denote the function
parameter(s), if any. Note that the POSIX specification does not parameter(s), if any. Generally, those functions in section 3n of the
define the enumeration routines (such as getpwent(3c)); however, the UNIX system's manual pages refer to TCP/IP entries, and those in
filters are included here for completeness. With the exception of section 3c refer to the remainder. Long lines are broken with the '\'
getmntent(3c), those functions in section 3c of Unix manual pages character.
relate to POSIX entities, and those in section 3n relate to TCP/IP
entities. Long lines are broken with the '\' character.
getpwnam(3c) (&(objectClass=posixAccount)(uid=%s)) getpwnam(3c) (&(objectClass=posixAccount)(uid=%s))
getpwuid(3c) (&(objectClass=posixAccount)\ getpwuid(3c) (&(objectClass=posixAccount)\
(posixUidNumber=%d)) (uidNumber=%d))
getpwent(3c) (objectClass=posixAccount) getpwent(3c) (objectClass=posixAccount)
getspnam(3c) (&(objectClass=shadowAccount)(uid=%s))
getspent(3c) (objectclass=shadowAccount)
getgrnam(3c) (&(objectClass=posixGroup)(cn=%s)) getgrnam(3c) (&(objectClass=posixGroup)(cn=%s))
getgrgid(3c) (&(objectClass=posixGroup)\ getgrgid(3c) (&(objectClass=posixGroup)\
(posixGidNumber=%d)) (gidNumber=%d))
getgrent(3c) (objectClass=posixGroup) getgrent(3c) (objectClass=posixGroup)
getservbyname(3n) (&(objectClass=ipService)\ getservbyname(3n) (&(objectClass=ipService)\
(&(cn=%s)(ipServiceProtocol=%s))) (cn=%s)(ipServiceProtocol=%s))
getservbyport(3n) (&(objectClass=ipService)\ getservbyport(3n) (&(objectClass=ipService)\
(&(ipServicePort=%d)\ (ipServicePort=%d)\
(ipServiceProtocol=%s))) (ipServiceProtocol=%s))
getservent(3n) (objectClass=ipService) getservent(3n) (objectClass=ipService)
getrpcbyname(3n) (&(objectClass=oNCRPC)(cn=%s)) getrpcbyname(3n) (&(objectClass=oncRpc)(cn=%s))
getrpcbynumber(3n) (&(objectClass=oNCRPC)(oNCRPCNumber=%d)) getrpcbynumber(3n) (&(objectClass=oncRpc)(oncRpcNumber=%d))
getrpcent(3n) (objectClass=oNCRPC) getrpcent(3n) (objectClass=oncRpc)
getprotobyname(3n) (&(objectClass=ipProtocol)(cn=%s)) getprotobyname(3n) (&(objectClass=ipProtocol)(cn=%s))
getprotobynumber(3n) (&(objectClass=ipProtocol)\ getprotobynumber(3n) (&(objectClass=ipProtocol)\
(ipProtocolNumber=%d)) (ipProtocolNumber=%d))
getprotoent(3n) (objectClass=ipProtocol) getprotoent(3n) (objectClass=ipProtocol)
gethostbyname(3n) (&(objectClass=ipHost)\ gethostbyname(3n) (&(objectClass=ipHost)\
(associatedDomain=%s)) (associatedDomain=%s))
gethostbyaddr(3n) (&(objectClass=ipHost)(ipHostNumber=%s)) gethostbyaddr(3n) (&(objectClass=ipHost)(ipHostNumber=%s))
gethostent(3n) (objectClass=ipHost) gethostent(3n) (objectClass=ipHost)
getnetbyname(3n) (&(objectClass=ipNetwork)\ getnetbyname(3n) (&(objectClass=ipNetwork)\
(associatedDomain=%s)) (associatedDomain=%s))
getnetbyaddr(3n) (&(objectClass=ipNetwork)\ getnetbyaddr(3n) (&(objectClass=ipNetwork)\
(ipNetworkNumber=%s)) (ipNetworkNumber=%s))
getnetent(3n) (objectClass=ipNetwork) getnetent(3n) (objectClass=ipNetwork)
setnetgrent(3n) (&(objectClass=nisNetgroup)(cn=%s))
getnetgrent(3n) (objectClass=nISNetgroup)
getaliasbyname(3n) (&(objectClass=rfc822MailGroup)(cn=%s)) getaliasbyname(3n) (&(objectClass=rfc822MailGroup)(cn=%s))
getaliasent(3n) (objectClass=rfc822MailGroup) getaliasent(3n) (objectClass=rfc822MailGroup)
getmntent(3c) (objectClass=mount)
5.3. Interpreting user and group entries 5.3. Interpreting user and group entries
User and group resolution is initiated by the functions prefixed by User and group resolution is initiated by the functions prefixed by
getpw and getgr respectively. A user's login name is denoted by the getpw and getgr respectively. A user's login name is denoted by the
value of the uid attribute (which will typically be used as a value of the uid attribute (which will typically be used as a
relative distinguished name); a group's name is denoted by a value of relative distinguished name); a group's name is denoted by a value of
the cn attribute. the cn attribute.
An account's GECOS field is preferably determined by a value of the An account's GECOS field is preferably determined by a value of the
posixGecos attribute. If no posixGecos attribute exists, the value of gecos attribute. If no gecos attribute exists, the value of the cn
the cn attribute must be used. (The existence of the posixGecos attribute must be used. (The existence of the gecos attribute allows
attribute allows attributes embedded in the GECOS field, such as a attributes embedded in the GECOS field, such as a user's telephone
user's telephone number, to be returned to the client without number, to be returned to the client without overloading the cn
overloading the cn attribute.) attribute.)
An entry of class posixAccount without a userPassword attribute must An entry of class posixAccount or shadowAccount without a
be denied the opportunity to authenticate. For example, the client userPassword attribute must be denied the opportunity to
may be returned a non-matchable password such as "*" by the DUA. authenticate. For example, the client may be returned a non-matchable
password such as "*" by the DUA.
A user which is a member of a posixGroup which has no groupPassword A user which is a member of a posixGroup which has no groupPassword
attribute must not be allowed to authenticate themself as a member of attribute must not be allowed to authenticate themself as a member of
that group, unless the user's posixPrimaryGidNumber attribute implies that group, unless the user's gidNumber attribute implies a user has
a user has the same group ID (in which case the operating system may the same group ID (in which case the operating system may determine
determine this implicitly). this implicitly).
userPassword and groupPassword values must be represented by userPassword and groupPassword values must be represented by
following BNF syntax: following BNF syntax:
<passwordValue> ::= <encryptionSchemePrefix> <encryptedPassword> passwordvalue = schemeprefix encryptedpassword
<encryptionSchemePrefix> ::= '{' <encryptionScheme> '}' schemeprefix = "{" scheme "}"
<encryptionScheme> ::= 'crypt' scheme = "crypt" / "md5" / "sha" / altscheme
<encryptedPassword> ::= encrypted password altscheme = keystring
encryptedpassword = encrypted password
(where the encrypted password consists of a plaintext key encrypted (where the encrypted password consists of a plaintext key encrypted
using crypt(3) with a two-character random salt) using appropriate encoding algorithm; for example, crypt(3) with a
two-character random salt for "crypt")
Operating systems which support different one way encoding functions
may choose a different encryptionScheme; crypt(3) is only considered
here.
userPassword and groupPassword values which do not adhere to the BNF userPassword and groupPassword values which do not adhere to the BNF
above must not be used for authentication. (The DUA must iterate above must not be used for authentication. (The DUA must iterate
through the values of the attribute until a value matching the above through the values of the attribute until a value matching the above
BNF is found.) Only if encryptedPassword is an empty string does the BNF is found.) Only if encryptedPassword is an empty string does the
user have no password. user have no password. DUAs are not required to consider encryption
schemes which the client will not recognise; in many cases, it may be
sufficient to consider only "crypt".
A DUA may make use of the attributes prefixed by shadow in order to A DUA may make use of the attributes in the shadowAccount class to
provide shadow password service (getspnam(3c) and getspent(3c)). In provide shadow password service (getspnam(3c) and getspent(3c)). In
such cases, the DUA must not make use of the userPassword attribute such cases, the DUA must not make use of the userPassword attribute
for getpwnam(3c) et al, and must return a non-matchable password for getpwnam(3c) et al, and must return a non-matchable password
(such as "x") to the client instead. (such as "x") to the client instead.
5.4. Interpreting hosts and networks 5.4. Interpreting hosts and networks
The means for representing DNS [6] domains in LDAP distinguished The means for representing DNS [6] domains in LDAP distinguished
names described in [3] and [9] is used in part to represent TCP/IP names described in [3] and [9] is used in part to represent TCP/IP
hosts and networks in LDAP. hosts and networks in LDAP.
Potentially contentious is the use of the ipHostNumber attribute Note the use of the ipHostNumber attribute instead of the dNSRecord
instead of the dNSRecord attribute. The rationale is that, in order attribute. The rationale is that, in order to minimize the
to minimize the responsibility placed on the DUA, attribute values responsibility placed on the DUA, attribute values ought to directly
ought to directly contain the information they seek to represent. contain the information they seek to represent. This contrasts with,
This contrasts with, for example, a dNSRecord value which expresses a for example, a dNSRecord value which expresses a complete DNS
complete DNS resource record including time to live and class data. resource record including time to live and class data. It is
considered that this information is extraneous to using LDAP as a
While dNSRecords are suitable for building a DNS gateway to LDAP direct means to resolve hosts and networks. Additionally, it is
(which may ultimately fulfill the purpose of resolving hosts), this considered more appropriate for an entity, and all its aliases, to be
information is extraneous to performing host lookups directly with represented by a single entry in the DIT, which is not always
LDAP. possible when a DNS resource record is mapped directly to an LDAP
entry.
Additionally, it is considered more appropriate for an entity, and
all its aliases, to be represented by a single entry in the DIT,
which is not always possible when a DNS resource record is mapped
directly to an LDAP entry.
This document redefines (although not to the extent of excluding the This document redefines (although not to the extent of excluding the
existing definition) the ipNetwork class defined in [3], for naming existing definition) the ipNetwork class defined in [3], for naming
consistency with ipHost. The ipNetworkNumber attribute is also used consistency with ipHost. The ipNetworkNumber attribute is also used
in the siteContact object class [14]. (The trailing zeros in a in the siteContact object class [14]. (The trailing zeros in a
network address should be omitted.) network address should be omitted.) CIDR-style network addresses (eg.
192.168.1/24) can be used but this is not required.
If an entry of class ipHost or ipNetwork belongs to a naming context If an entry of class ipHost or ipNetwork belongs to a naming context
denoted by relative distinguished names (RDNs) [10] of attribute type denoted by relative distinguished names (RDNs) [10] of attribute type
dc (domainComponent), then the distinguished name (DN) is transformed dc (domainComponent), then the distinguished name (DN) is transformed
into a domain name system (DNS) suffix by concatenating each RDN into a domain name system (DNS) suffix by concatenating each RDN
value with a period ('.'). value with a period ('.').
For example, an entry of class ipHost with a DN of dc=foo, dc=bar, For example, an entry of class ipHost with a DN of dc=foo, dc=bar,
dc=edu or dc=foo, dc=bar, dc=edu, o=Internet is parsed into the host dc=edu or dc=foo, dc=bar, dc=edu, o=Internet is parsed into the host
name foo.bar.edu. If the naming context is does not contain 'dc' name foo.bar.edu. If the naming context is does not contain 'dc'
values, a non-qualified host name is returned. For organizations values, a non-qualified host name is returned. For organizations
which wish to use existing X.500 container classes to form their which wish to use existing X.500 container classes to form their
context (ie. organization and organizationalUnit) the RDN components context (ie. organization and organizationalUnit) the RDN values of
of incorrect type are skipped by the DUA in determining the domain unrequired type are skipped by the DUA in determining the domain
name. As such, a DN of dc=foo, dc=bar, dc=edu, o=Ace Industry, c=US name. As such, a DN of dc=foo, dc=bar, dc=edu, o=Ace Industry, c=US
may be parsed as foo.bar.edu. As this may be considered a naming may be parsed as foo.bar.edu. As this may be considered a naming
violation, this document does not specifically endorse this. violation, this document does not specifically endorse this.
Hosts with IPv6 addresses should be written in their "preferred" form
as defined in section 2.2.1 of [15], such that all components of the
address are indicated and leading zeros are omitted. This is to
provide a consistent means of resolving ipHosts by address.
5.5. Interpreting other entities 5.5. Interpreting other entities
In general, a one-to-one mapping between entities and LDAP entries is In general, a one-to-one mapping between entities and LDAP entries is
proposed, in that each entity has exactly one representation in the proposed, in that each entity has exactly one representation in the
DIT. In some cases this is not feasible; for example, a service which DIT. In some cases this is not feasible; for example, a service which
is represented in more than one protocol domain. Consider the is represented in more than one protocol domain. Consider the
following entry: following entry:
dn: cn=domain, dc=aceindustry, dc=com dn: cn=domain, dc=aceindustry, dc=com
cn: domain cn: domain
skipping to change at page 13, line 50 skipping to change at page 14, line 41
This entry would map to the following two (2) services entities: This entry would map to the following two (2) services entities:
domain 53/tcp nameserver domain 53/tcp nameserver
domain 53/udp nameserver domain 53/udp nameserver
While the above two entities could have been equally represented as While the above two entities could have been equally represented as
separate LDAP entities, with different distinguished names (such as separate LDAP entities, with different distinguished names (such as
cn=domain+ipServiceProtocol=tcp, ... and cn=domain+ipServiceProtocol=tcp, ... and
cn=domain+ipServiceProtocol=udp, ...) it is considered that cn=domain+ipServiceProtocol=udp, ...) it is considered that
representing them as a single entry is more convenient. representing them as a single entry is more convenient. (If a service
is represented in multiple protocol domains with different respective
ports, then multiple entries are mandatory, with multivalued RDNs
being used to distinguish between them.)
The mount class represents mount entities as they would be found Entries of class automount inherently represent more than one entity:
directly in /etc/fstab. Granted, this information is used primarily each value of the automountInformation attribute is a NIS record.
at boot time when access to non-local nameservices may be restricted.
It may be considered useful to use LDAP to represent the
configuration data for automount daemons; such a schema is outside
the scope of this document. (However, the DUA may hint to the client
that certain information is to be used by the automounter using the
mountOption attribute.)
With the exception of userPassword and groupPassword values, which With the exception of userPassword and groupPassword values, which
must be parsed according to the BNF considered in section 5.2, any must be parsed according to the BNF considered in section 5.2, any
empty values (those that consist of a zero length string) are empty values (those that consist of a zero length string) are
returned by the DUA to the client. The client may not make sense of returned by the DUA to the client. The client may not make sense of
them, but this situation is no different to parsing files which them, but this situation is no different to parsing files which
contain empty fields. (By contrast, the DUA must reject any entries contain empty fields. (By contrast, the DUA must reject any entries
which do not conform to the schema, ie. are missing certain mandatory which do not conform to the schema, ie. are missing certain mandatory
attributes.) attributes. Non-conforming entries should be ignored while
enumerating entries; whether the enumeration is terminated at such an
entry is implementation dependent, although it is strongly suggested
that the offending entry be treated as if it were not present.)
The nisObject object class is provided as a generic means of
representing NIS entities. Its use is not encouraged; where support
for entities not described in this schema is desired, an appropriate
schema should be devised. Implementors are strongly advised to
support end-user extensible mappings between NIS entities and object
classes. The nisObject class may be useful were one to use LDAP to
query a NIS server, although it is anticipated that the converse will
be more common. (Where the nisObject class is used, the nisMapName
attribute may establish part of the DN, to assist the DUA in locating
entries belonging to a particular map.)
Entries which inherit also from the cacheObject object class (and
thus contain the 'ttl' attribute) may be used by DUAs to perform
cache validation. [17]
5.6. Canonicalizing entries with multi-valued naming attributes 5.6. Canonicalizing entries with multi-valued naming attributes
For entities such as services, protocols, and RPCs, where there may For entities such as services, protocols, and RPCs, where there may
be one or more aliases, the respective entry's relative distinguished be one or more aliases, the respective entry's relative distinguished
name is used to form the canonical name. Any other values for the name is used to form the canonical name. Any other values for the
same attribute are used as aliases. For example, the service same attribute are used as aliases. For example, the service
described in section 5.5 has the canonical name 'domain' and exactly described in section 5.5 has the canonical name 'domain' and exactly
one alias, 'nameserver'. one alias, 'nameserver'.
skipping to change at page 15, line 10 skipping to change at page 16, line 16
canonical name. Because the directory server guarantees no ordering canonical name. Because the directory server guarantees no ordering
of attribute values, attempting to distinguish an entry in a of attribute values, attempting to distinguish an entry in a
deterministic fashion may require the DUA to maintain a mapping deterministic fashion may require the DUA to maintain a mapping
between entries' DNs and their canonical names as considered by the between entries' DNs and their canonical names as considered by the
DUA. This document does not require this, nor does it advocate that DUA. This document does not require this, nor does it advocate that
such situations be resolved by mapping one DIT entry into multiple such situations be resolved by mapping one DIT entry into multiple
entities. entities.
6. Implementation focus 6. Implementation focus
A NIS to LDAP gateway daemon has been developed which supports the A NIS daemon which uses LDAP instead of local files has been
schema defined in this document. A set of extensions to a particular developed which supports the schema defined in this document. A set
implementation of the Mach operating system has also been developed, of extensions to a particular implementation of the Mach operating
which sidesteps NIS and uses LDAP directly. system has also been developed, which sidesteps NIS and uses LDAP
directly.
Work is underway to develop a freely available (under the GNU General Work is underway to develop a freely available (under the GNU General
Library Public License) reference implementation of the C library Library Public License) reference implementation of the C library
resolution code that supports LDAP using the draft schema. The code resolution code that supports LDAP using the draft schema. The code
will be compatible with the Free Software Foundation's GNU C library will be compatible with the Free Software Foundation's GNU C library
and other C libraries which support the Name Service Switch (NSS). and other C libraries which support the Name Service Switch (NSS) or
Information Retrieval Service (IRS).
The alias lookup functions referred to in section 5.2 are presently The alias lookup functions referred to in section 5.2 are presently
available only in the GNU C library, and (albeit with different available only in the GNU C library, and (albeit with different
names) in the C library of one commercial Unix vendor. It is names) in the C library of one commercial UNIX system vendor. It is
anticipated that the mail transport agent (MTA) will typically anticipated that the mail transport agent (MTA) will typically
consult LDAP or NIS directly instead of using the C library; however, consult LDAP or NIS directly instead of using the C library; however,
support for the suggested library calls is encouraged. support for the suggested library calls is encouraged.
The author has made available a freely distributable set of Perl The author has made available a freely distributable set of Perl
scripts for parsing configuration files such as /etc/passwd and scripts for parsing configuration files such as /etc/passwd and
/etc/hosts and generating LDIF data suitable for preparing an LDIF /etc/hosts and generating LDIF data suitable for preparing an LDIF
database. It would be a relatively trivial effort to write utilities database. It would be a relatively trivial effort to write utilities
to export LDIF data to flat files, such that information stored in an to export LDIF data to flat files, such that information stored in an
LDAP-compatible directory service could be regularly dumped into NIS LDAP-compatible directory service could be regularly dumped into NIS
maps or flat files. maps or flat files.
7. Security considerations 7. Security considerations
The entirety of related security considerations are outside the scope The entirety of related security considerations are outside the scope
of this document. However, it should be noted that making passwords of this document. However, it should be noted that making passwords
encrypted with a widely understood one way function (such as encrypted with a widely understood one way function (such as
crypt(3)) available to non-privileged users is potentially dangerous crypt(3)) available to non-privileged users is potentially dangerous
because it exposes them to dictionary and brute-force attacks. It is because it exposes them to dictionary and brute-force attacks. It is
proposed only for compatibility with existing Unix implementations. proposed only for compatibility with existing UNIX system
Sites where security is critical may consider using Kerberos or implementations. Sites where security is critical may consider using
another authentication service for logins. A variation on this is to Kerberos or another authentication service for logins. A variation on
authenticate to an LDAP server by binding over an encrypted this is to authenticate to an LDAP server by binding over an
connection (such as SSL [8]). encrypted connection (such as SSL [8]).
Alternatively, the encrypted password could be made available only to Alternatively, the encrypted password could be made available only to
a subset of privileged DUAs, which would provide 'shadow' password a subset of privileged DUAs, which would provide 'shadow' password
service to client applications. service to client applications.
Because the schema represents operating system-level entities, access Because the schema represents operating system-level entities, access
to these entities should be granted on a discretionary basis. (That to these entities should be granted on a discretionary basis. (That
said, there is little point in restricting access to data which will said, there is little point in restricting access to data which will
be republished without restriction, eg. by a NIS server.) It is be republished without restriction, eg. by a NIS server.) It is
particularly important that only administrators can modify entries particularly important that only administrators can modify entries
defined in this schema, with the exception of allowing a principal to defined in this schema, with the exception of allowing a principal to
change their password (which may be done on behalf of the user by a change their password (which may be done on behalf of the user by a
client bound as a superior principal, such that password restrictions client bound as a superior principal, such that password restrictions
may be enforced). For example, if a user were allowed to change the may be enforced). For example, if a user were allowed to change the
value of their posixUidNumber attribute, they could subvert security value of their uidNumber attribute, they could subvert security by
by equivalencing their account with the root account. equivalencing their account with the root account.
A subtree of the DIT which is to be republished by a DUA (such as a A subtree of the DIT which is to be republished by a DUA (such as a
NIS gateway) should be within the same administrative domain that the NIS gateway) should be within the same administrative domain that the
republishing DUA represents. (For example, principals outside an republishing DUA represents. (For example, principals outside an
organization, while conceivably part of the DIT, should not be organization, while conceivably part of the DIT, should not be
considered with the same degree of authority as those within the considered with the same degree of authority as those within the
organization.) organization.)
Finally, care should be exercised with integer attributes of a
sensitive nature (particularly the uidNumber and gidNumber
attributes) which contain zero-length values. It may be wiser to
treat such values as corresponding to the "nobody" or "nogroup" user
and group, respectively.
8. Acknowledgements 8. Acknowledgements
Thanks to Leif Hedstrom of Netscape Communications Corporation and Thanks to Leif Hedstrom of Netscape Communications Corporation,
Mark Wahl of Critical Angle Inc. for their contributions to the Rosanna Lee of Sun Microsystems Inc., and Mark Wahl of Critical Angle
development of this schema. Inc. for their valuable contributions to the development of this
schema. Thanks to Andrew Josey of The Open Group for clarifying the
use of the UNIX trademark.
UNIX is a registered trademark of The Open Group.
9. References 9. References
[1] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access [1] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
Protocol (Version 3)", INTERNET-DRAFT <draft-ietf-asid-ldapv3- Protocol (Version 3)", INTERNET-DRAFT <draft-ietf-asid-ldapv3-
protocol-03.txt>, October 1996. protocol-06.txt>, June 1997.
[2] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access [2] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
Protocol: Standard and Pilot Attribute Definitions", INTERNET- Protocol: Standard and Pilot Attribute Definitions", INTERNET-
DRAFT <draft-ietf-asid-ldapv3-attributes-03.txt>, October 1996. DRAFT <draft-ietf-asid-ldapv3-attributes-06.txt>, June 1997.
[3] S. Kille, "X.500 and Domains", RFC 1279, November 1991. [3] S. Kille, "X.500 and Domains", RFC 1279, November 1991.
[4] H. Lachman, "LDAP-based Routing of SMTP Messages: Approach Used [4] H. Lachman, "LDAP-based Routing of SMTP Messages: Approach Used
by Netscape", INTERNET-DRAFT <draft-ietf-asid-email-routing-ns- by Netscape", INTERNET-DRAFT <draft-ietf-asid-email-routing-ns-
00.txt>, March 1997. 00.txt>, March 1997.
[5] T. Howes, "A String Representation of LDAP Search Filters", [5] T. Howes, "A String Representation of LDAP Search Filters",
INTERNET-DRAFT <draft-ietf-asid-ldapv3-filter-00.txt>, March INTERNET-DRAFT <draft-ietf-asid-ldapv3-filter-00.txt>, March
1997. See also [10]. 1997. See also [10].
skipping to change at page 17, line 34 skipping to change at page 19, line 5
Specification Version 2", RFC 1057, June 1988. Specification Version 2", RFC 1057, June 1988.
[13] ISO/IEC 9945-1:1990, Information Technology - Portable Operating [13] ISO/IEC 9945-1:1990, Information Technology - Portable Operating
Systems Interface (POSIX) - Part 1: Systems Application Systems Interface (POSIX) - Part 1: Systems Application
Programming Interface (API) [C Language] Programming Interface (API) [C Language]
[14] M. T. Rose, "The Little Black Book: Mail Bonding with OSI [14] M. T. Rose, "The Little Black Book: Mail Bonding with OSI
Directory Services", ISBN 0-13-683210-5, Prentice-Hall, Inc., Directory Services", ISBN 0-13-683210-5, Prentice-Hall, Inc.,
1992. 1992.
[15] R. Hinden, S. Deering, "IP Version 6 Addressing Architecture",
RFC 1884, December 1995.
[16] L. Hedstrom, L. Howard, "DHCP Options for LDAP", INTERNET-DRAFT
<draft-hedstrom-dhcp-ldap-00.txt>, July 1997.
[17] T. Howes, L. Howard, "A Simple Caching Scheme for LDAP and X.500
Directories", INTERNET-DRAFT <draft-ietf-asid-ldap-cache-
01.txt>, July 1997.
10. Author's Address 10. Author's Address
Luke Howard Luke Howard
PO Box 59 PO Box 59
Central Park Vic 3145 Central Park Vic 3145
Australia Australia
Email: lukeh@xedoc.com Email: lukeh@xedoc.com
A. Example entries A. Example entries
The examples described in this section are provided to illustrate the The examples described in this section are provided to illustrate the
schema described in this draft. They do not purport to be a schema described in this draft. They are not an authoritative
authoritative reference. Entries are presented in LDIF notation [11]. reference. Entries are presented in LDIF notation [11].
The following entry is an example of the posixAccount class: The following entry is an example of the posixAccount class:
dn: uid=lukeh, dc=aceindustry, dc=com dn: uid=lukeh, dc=aceindustry, dc=com
cn: Luke Howard cn: Luke Howard
objectClass: top objectClass: top
objectClass: person objectClass: person
objectClass: posixAccount objectClass: posixAccount
sn: Howard sn: Howard
telephoneNumber: +61 3 9428 0788 telephoneNumber: +61 3 9428 0788
uid: lukeh uid: lukeh
userPassword: {crypt}X5/DBrWPOQQaI userPassword: {crypt}X5/DBrWPOQQaI
posixGecos: Luke Howard gecos: Luke Howard
posixShell: /bin/csh loginShell: /bin/csh
posixUidNumber: 10 uidNumber: 10
posixPrimaryGidNumber: 10 gidNumber: 10
posixHomeDirectory: /home/lukeh homeDirectory: /home/lukeh
This corresponds the Unix password file entry: This corresponds the UNIX system password file entry:
lukeh:X5/DBrWPOQQaI:10:10:Luke Howard:/home/lukeh:/bin/sh lukeh:X5/DBrWPOQQaI:10:10:Luke Howard:/home/lukeh:/bin/sh
Note that the userPassword value is parsed into a password suitable Note that the userPassword value is parsed into a password suitable
for matching with crypt(3). Attributes such as telephoneNumber and sn for matching with crypt(3). Attributes such as telephoneNumber and sn
(which belong to classes other than posixAccount), are not used in (which belong to classes other than posixAccount), are not used in
determining the corresponding password file entry but may be useful determining the corresponding password file entry but may be useful
to other LDAP clients. (In most cases, entries of class posixAccount to other LDAP clients. (In most cases, entries of class posixAccount
will also inherit from person or organizationalPerson.) will also inherit from person or organizationalPerson.)
skipping to change at page 18, line 39 skipping to change at page 20, line 21
dn: dc=yoyo, dc=aceindustry, dc=com dn: dc=yoyo, dc=aceindustry, dc=com
dc: yoyo dc: yoyo
objectClass: top objectClass: top
objectClass: ipHost objectClass: ipHost
objectClass: domainRelatedObject objectClass: domainRelatedObject
associatedDomain: yoyo.aceindustry.com associatedDomain: yoyo.aceindustry.com
associatedDomain: www.aceindustry.com associatedDomain: www.aceindustry.com
ipHostNumber: 10.0.0.1 ipHostNumber: 10.0.0.1
macAddress: 0:0:92:90:ee:e2 macAddress: 0:0:92:90:ee:e2
bootFile: unix bootParameter: bootfile=mach
bootParameter: root=fs:/nfsroot/yoyo bootParameter: root=fs:/nfsroot/yoyo
bootParameter: swap=fs:/nfsswap/yoyo bootParameter: swap=fs:/nfsswap/yoyo
bootParameter: dump=fs:/nfsdump/yoyo bootParameter: dump=fs:/nfsdump/yoyo
This entry represents the host yoyo.aceindustry.com, also known as This entry represents the host yoyo.aceindustry.com, also known as
www.aceindustry.com. Note that the associatedDomain values are used www.aceindustry.com. Note that the associatedDomain values are used
in searching for the entry, but the distinguished name is parsed to in searching for the entry, but the distinguished name is parsed to
determine the host's canonical name. The MAC address, boot image, and determine the host's canonical name. The MAC address, boot image, and
two boot parameters are also specified in this entry. (Thus, the NIS two boot parameters are also specified in this entry. The auxilary
maps prefixed by 'hosts', 'ethers', and 'bootparams' could all be class domainRelatedObject is not mandatory. (Thus, the NIS maps
derived from similar entries.) prefixed by 'hosts', 'ethers', and 'bootparams' could all be derived
An example of the nISNetgroup class: from similar entries.)
An example of the nisNetgroup class:
dn: cn=nightfly, dc=aceindustry, dc=com dn: cn=nightfly, dc=aceindustry, dc=com
cn: nightfly cn: nightfly
objectClass: top objectClass: top
objectClass: nISNetgroup objectClass: nisNetgroup
memberUid: lukeh nisNetgroupTriple: (fagen,peg,dunes.aceindustry.com)
memberUid: fagen nisNetgroupTriple: (becker,-,)
memberHost: yoyo.aceindustry.com memberNisNetgroup: kamakiriad
nISDomain: yp.aceindustry.com
This entry represents the netgroup 'nightfly' which contains the This entry represents the netgroup nightfly, which contains two
users lukeh and fagen, and the host yoyo.aceindustry.com; and which triples (the user fagen, the host peg, and the domain
belongs to the NIS domain yp.aceindustry.com. dunes.aceindustry.com; and, the user becker, no host, and any domain)
and one netgroup (kamakiriad).
Finally, an example of the ipProtocol class: Finally, an example of the nisObject class:
dn: cn=tcp, dc=aceindustry, dc=com dn: nisMapName=quote.byname, dc=dunes, dc=aceindustry, dc=com
objectClass: top objectClass: top
objectClass: ipProtocol objectClass: nisObject
cn: tcp nisMapName: quote.byname
cn: TCP
ipProtocolNumber: 6
This entry represents the protocol named 'tcp' whose protocol number dn: cn=foobar, nisMapName=quote.byname, dc=dunes, dc=aceindustry, dc=com
is 6. objectClass: top
objectClass: nisObject
objectClass: cacheObject
ttl: 86400
cn: foobar
nisMapName: quote.byname
nisValue: 75.00
This entry represents the NIS map quote.byname, and a constitutent
entry, with the key of foobar and a value of 75.00. The latter entry
has a time-to-live of 24 hours.
 End of changes. 106 change blocks. 
263 lines changed or deleted 336 lines changed or added

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/