Application Working Group                                      L. Howard
INTERNET-DRAFT                                    Independent Consultant

Intended Category: Experimental

      An Approach for Using LDAP as a Network Information Service

Status of this Memo

   This document is an Internet-Draft. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months. Internet-Drafts may be updated, replaced, or made obsolete by
   other documents at any time. It is not appropriate to use Internet-
   Drafts as reference material or to cite them other than as a "working
   draft" or "work in progress".

   To learn the current status of any Internet-Draft, please check the
   1id-abstracts.txt listing contained in the Internet-Drafts Shadow
   Directories on (US East Coast),
   (Europe), (US West Coast), or (Pacific

   Distribution of this document is unlimited.


   This document describes an experimental mechanism for mapping POSIX
   [13] and TCP/IP network-related
   entities related to TCP/IP and the UNIX system into X.500 entries so
   that they may be resolved with the Lightweight Directory Access
   Protocol [1]. A set of attribute types and object classes are
   proposed, along with specific guidelines for interpreting them.

   The intention is to assist the deployment of LDAP as an
   organizational nameservice. No proposed solutions are intended as
   standards for the Internet. Rather, it is hoped that a general
   consensus will emerge as to the appropriate solution to such
   problems, leading eventually to the adoption of standards. The
   proposed mechanism has already been implemented with some success.

1. Background and Motivation

   The Unix UNIX (R) operating system, and its derivatives (specifically,
   those which support TCP/IP and conform to the POSIX XPG.4 specification) X/Open Single UNIX
   specification [13]) require a means of looking up entities, by
   matching them against search criteria or by enumeration. (Other
   operating systems that support TCP/IP may provide some means of
   resolving some of these entities. This schema applies is applicable to those
   environments also.)

   These entities include users, groups, IP services (which map names to
   IP ports and protocols, and vice versa), IP protocols (which map
   names to IP protocol numbers and vice versa), RPCs (which map names
   to ONC Remote Procedure Call [12] numbers and vice versa), NIS
   netgroups, booting information (boot parameters and MAC address
   mappings), filesystem mounts, IP hosts and networks, and RFC822 mail

   Resolution requests are made through a set of C functions, provided
   in the Unix UNIX system's C library. For example, the Unix command line tool UNIX system utility
   'ls', which enumerates the contents of a filesystem directory, uses
   the C library function getpwuid(3c) in order to map user IDs to login
   names. Once the request is made, it is resolved using a 'nameservice'
   which is supported by the client library. The nameservice may be, at
   its simplest, a collection of files in the local filesystem which are
   opened and searched by the C library. Other common nameservices
   include the Network Information Service (NIS) and the Domain Name
   System (DNS). (The latter is typically only used for resolving hosts hosts,
   services and networks.) Both these nameservices have the advantage of
   being distributed and thus permitting a common set of entities to be
   shared amongst many clients.

   LDAP is a distributed, hierarchical directory service access protocol
   which is used to access repositories of users and other network-
   related entities. Because LDAP is usually not tightly integrated with
   the operating system, information such as users needs to be kept both
   in LDAP and in an operating system supported nameservice such as NIS.
   By using LDAP as the the primary means of resolving these entities,
   these redundancy issues are minimized and the scalability of LDAP can
   be exploited. (By comparison, NIS services based on flat files do not
   have the scalability or extensibility of LDAP or X.500.)

        "In general, it is advantageous for different network
        applications and services to refer to the directory for
        user account information, rather than each service keeping
        its own collection of user account records, which requires
        the network administrator to separately create or destroy
        user entities, passwords, etc., in many different systems
        each time a user joins or leaves the organization." [4]

   The object classes and attributes defined below are suitable for
   representing the aforementioned entities in a form compatible with
   LDAP and X.500 directory services. While the schema is by no means
   deemed to be authoritative, it is considered desirable to have a
   single, open schema rather than the proliferation of multiple
   proprietary schema. This document is one step towards such a schema.

2. General Issues

2.1. Terminology

   In this document, the term 'NIS-related entities' is used rather
   loosely to refer to those entities (described in the previous
   section) which are typically repesented represented in the Network Information
   Service. (NIS was previously known as Yellow Pages, or YP.) It should
   not be inferred from this that deploying LDAP for resolving such
   entities (nisObject excluded) requires NIS to be used (as used, as a gateway
   or otherwise). otherwise. The host and network classes are generically
   applicable, and may be implemented on operating systems other than Unix
   the UNIX system that wish to use LDAP to resolve these entities.

   The 'DUA' (directory user agent) refers to the LDAP client querying
   these entities, such as an LDAP to NIS gateway or the C library.  The
   'client' refers to the application which ultimately makes use of the
   information returned by the resolution. It is irrelevant whether the
   DUA and the client reside within the same address space. The act of
   the DUA making this information to the client is termed

   To avoid confusion, the term 'login name' refers to the user's login
   name (being the value of the uid attribute) and the term 'user ID'
   refers to he user's integer identification number (being the value of
   the posixUidNumber uidNumber attribute).  The term 'principal' is used to
   distinguish accounts that may be used for authentication from those
   that are not.

   The term 'nameservice' refers to a service, such as NIS or flat
   files, that is used by the operating system to resolve entities
   within a single, local naming context. Contrast this with a
   'directory service' such as LDAP, which support extensible schema and
   multiple naming contexts.

   The phrase 'resolving an entity' or 'resolution of entities' refers
   to enumerating NIS-related entities of a given type, or matching them
   against a given search criterion. One or more entities are returned
   as a result of successful 'resolutions' (a 'match' operation will
   only return one entity).

   Note that the

   The use of the attribute and class prefix 'posix' term UNIX does not confer any endorsement of upon this schema by the POSIX standards body.
   The prefix was chosen as a more appropriate prefix than 'unix',
   endorsement of owners of the
   other suitable candidate. UNIX trademark. Where necessary, the
   term 'POSIX entity'
   is used to refer to users and groups; the term 'TCP/IP entity' is used to refer to protocols, services, hosts,
   and networks. networks, and the term 'UNIX entity' to its complement. (The
   former category does not mandate the host operating system supporting
   the interfaces required for resolving POSIX UNIX entities.) NIS netgroups,
   ONC RPC binding information, and mounts fall outside these

   The OIDs used by this schema are rooted at nisSchema, canonically (OID

2.2. Attributes

   The attributes and classes defined in this document are summarized
   below.  The reader is referred to [2] for the BFN for attribute type

   The following attributes are defined in this document:


   Additionally, the attributes defined in [2] and [2], [9] and [16] are

2.3. Object classes

   The reader is referred to [2] for the BFN for object class

   The following object classes are defined in this document:


   Additionally, the classes defined in [2] and [9] are imported.

2.4. Syntax definitions

   The following syntax definition [2] is used in representing NIS
   netgroup triples.

           ( nisSchema.0.0 NAME 'nisNetgroupTripleSyntax'
             DESC 'NIS netgroup triple' )

   Values in this syntax are encoded according to the following BNF:

        nisnetgrouptriple = "(" hostname "," username "," domainname ")"
        hostname          = "" / "-" / keystring
        username          = "" / "-" / keystring
        domainname        = "" / "-" / keystring

3. Attribute definitions

   This section contains attribute definitions which must be implemented
   by DUAs supporting the schema.

        ( TBD.0.0 nisSchema.1.0 NAME 'posixUidNumber' 'uidNumber'
          DESC 'An integer uniquely identifying a user in an
                administrative domain'

        ( TBD.0.1 NAME 'posixPrimaryGidNumber'
          DESC 'An integer uniquely identifying a group in an
                administrative domain'

        ( TBD.0.2 nisSchema.1.1 NAME 'posixGidNumber' 'gidNumber'
          DESC 'An integer uniquely identifying a group in an
                administrative domain'

        ( TBD.0.3 nisSchema.1.2 NAME 'posixGecos' 'gecos'
          DESC 'The GECOS field (the field, including the user's full name et al)' common name'
          EQUALITY caseIgnoreIA5Match
          SUBSTRINGS caseIgnoreIA5SubstringsMatch
          SYNTAX 'IA5String' SINGLE-VALUE )

        ( TBD.0.4 nisSchema.1.3 NAME 'posixHomeDirectory' 'homeDirectory'
          DESC 'The absolute path of the user's home directory'
          EQUALITY caseExactIA5Match
          SYNTAX 'IA5String' SINGLE-VALUE )

        ( TBD.0.5 nisSchema.1.4 NAME 'posixShell' 'loginShell'
          DESC 'The absolute path of the user's shell'
          EQUALITY caseExactIA5Match
          SYNTAX 'IA5String' SINGLE-VALUE )

        ( TBD.0.6 nisSchema.1.5 NAME 'shadowLastChange' EQUALITY integerMatch

        ( TBD.0.7 nisSchema.1.6 NAME 'shadowMin' EQUALITY integerMatch

        ( TBD.0.8 nisSchema.1.7 NAME 'shadowMax' EQUALITY integerMatch

        ( TBD.0.9 nisSchema.1.8 NAME 'shadowWarn' 'shadowWarning' EQUALITY integerMatch

        ( TBD.0.10 nisSchema.1.9 NAME 'shadowInactive' EQUALITY integerMatch

        ( TBD.0.11 nisSchema.1.10 NAME 'shadowExpire' EQUALITY integerMatch

        ( TBD.0.12 nisSchema.1.11 NAME 'shadowFlag' EQUALITY integerMatch

        ( TBD.0.13 nisSchema.1.12 NAME 'memberUid' EQUALITY caseIgnoreIA5Match caseExactIA5Match
          SUBSTRINGS caseIgnoreIA5SubstringsMatch caseExactIA5SubstringsMatch
          SYNTAX 'IA5String{128}' )
        ( TBD.0.14 nisSchema.1.13 NAME 'memberNISNetgroup' 'memberNisNetgroup' EQUALITY caseIgnoreIA5Match caseExactIA5Match
          SUBSTRINGS caseIgnoreIA5SubstringsMatch caseExactIA5SubstringsMatch
          SYNTAX 'IA5String' )

        ( TBD.0.15 nisSchema.1.14 NAME 'memberHost' EQUALITY caseIgnoreIA5Match
          SUBSTRINGS caseIgnoreIA5SubstringsMatch 'nisNetgroupTriple'
          DESC 'Netgroup triple' SYNTAX 'IA5String' 'nisNetgroupTripleSyntax' )

        ( TBD.0.16 nisSchema.1.15 NAME 'ipServicePort' EQUALITY integerMatch

        ( TBD.0.17 nisSchema.1.16 NAME 'ipServiceProtocol' EQUALITY caseIgnoreIA5Match
          SYNTAX 'IA5String' )

        ( TBD.0.18 nisSchema.1.17 NAME 'ipProtocolNumber' EQUALITY integerMatch

        ( TBD.0.19 NAME 'oNCRPCNumber' EQUALITY integerMatch

        ( TBD.0.20 NAME 'mountOption' EQUALITY caseIgnoreIA5Match
          SYNTAX 'IA5String' )

        ( TBD.0.21 NAME 'mountType' EQUALITY caseIgnoreIA5Match
          SYNTAX 'IA5String' SINGLE-VALUE )

        ( TBD.0.22 NAME 'mountDirectory' EQUALITY caseExactIA5Match
          SYNTAX 'IA5String' SINGLE-VALUE )

        ( TBD.0.23 NAME 'mountDumpFrequency' EQUALITY integerMatch

        ( TBD.0.24 nisSchema.1.18 NAME 'mountPassNo' 'oncRpcNumber' EQUALITY integerMatch

        ( TBD.0.25 nisSchema.1.19 NAME 'ipHostNumber'
          DESC 'IP address in dotted decimal notation, eg.'
          EQUALITY caseIgnoreIA5Match
          SYNTAX 'IA5String{128}' )

        ( TBD.0.26 nisSchema.1.20 NAME 'ipNetworkNumber'
          DESC 'IP address in dotted decimal notation, eg. 192.168'
          EQUALITY caseIgnoreIA5Match
          SYNTAX 'IA5String{128}' )

        ( TBD.0.27 nisSchema.1.21 NAME 'ipNetmaskNumber'
          DESC 'IP address in dotted decimal notation, eg.'
          EQUALITY caseIgnoreIA5Match
          SYNTAX 'IA5String{128}' )

        ( TBD.0.28 nisSchema.1.22 NAME 'macAddress'
          DESC 'MAC address in colon-separated hex notation, for
                example 0:0:92:90:ee:e2'
          EQUALITY caseIgnoreIA5Match
          SYNTAX 'IA5String{128}' )

        ( TBD.0.29 nisSchema.1.23 NAME 'bootParameter'
          DESC 'rpc.bootparamd parameter; informal syntax is key=value'
          EQUALITY caseExactIA5Match
          SYNTAX 'IA5String' )

        ( TBD.0.30 nisSchema.1.24 NAME 'bootFile'
          DESC 'name of the boot image, which may be used by bootpd.
                Alternatively, this may specified as a value of
          EQUALITY caseExactIA5Match
          STRINGS caseExactSubstringsIA5Match
          SYNTAX 'IA5String' )

        ( TBD.0.31 nisSchema.1.25 NAME 'nISDomain' 'automountInformation'
          DESC 'An entry in an automount map.'
          EQUALITY caseIgnoreIA5Match caseExactIA5Match
          SUBSTRINGS caseIgnoreIA5SubstringsMatch caseExactIA5SubstringsMatch
          SYNTAX 'IA5String' )

        ( nisSchema.1.26 NAME 'nisMapName'
          EQUALITY caseExactIA5Match
          SUBSTRINGS caseExactIA5SubstringsMatch
          SYNTAX 'IA5String{1024}' SINGLE-VALUE )

        ( nisSchema.1.27 NAME 'nisValue'
          EQUALITY caseExactIA5Match
          SUBSTRINGS caseExactIA5SubstringsMatch
          SYNTAX 'IA5String{1024}' SINGLE-VALUE )

4. Class definitions

   This section contains class definitions which must be implemented by
   DUAs supporting the schema.

   The definitions under the OID 2.5.6 are imported. The rfc822MailGroup
   object class may used to represent a mail group for the purpose of
   alias expansion. (Several alternative schemes for mail routing and
   delivery using LDAP directories have been proposed [4]; these issues
   will not be considered in detail here.)

        ( TBD.1.0 nisSchema.2.0 NAME 'posixAccount' SUP top STRUCTURAL
          DESC 'Abstraction of an account.
                The uid attribute is the account's login name.' account with POSIX attributes.'
          MUST ( cn $ uid $ posixUidNumber uidNumber $
                 posixPrimaryGidNumber gidNumber $ posixHomeDirectory homeDirectory )
          MAY ( userPassword $ posixShell $ posixGecos loginShell $
                shadowLastChange $ shadowMin $ shadowMax $
                shadowWarn $ shadowInactive gecos $ description ) )

        ( nisSchema.2.1 NAME 'shadowAccount' SUP top AUXILIARY
          DESC 'Additional attributes for shadow passwords.'
          MUST uid
          MAY ( userPassword $ shadowLastChange $ shadowMin
                shadowMax $ shadowWarning $ shadowInactive $
                shadowExpire $ shadowFlag $ description ) )

        ( TBD.1.1 nisSchema.2.2 NAME 'posixGroup' SUP top STRUCTURAL
          DESC 'Abstraction of a group of accounts.' posixAccounts.'
          MUST ( cn $ posixGidNumber gidNumber )
          MAY ( groupPassword $ memberUid $ description ) )

        ( TBD.1.2 nisSchema.2.3 NAME 'ipService' SUP top STRUCTURAL
          DESC 'Abstraction an Internet Protocol service. Maps an IP
                port and protocol (eg. tcp or udp) to one or more names.
                The distinguished value of the cn attribute denotes the
                service's canonical name.'
          MUST ( cn $ ipServicePort $ ipServiceProtocol )
          MAY description )

        ( TBD.1.3 nisSchema.2.4 NAME 'ipProtocol' SUP top STRUCTURAL
          DESC 'Abstraction of an IP protocol. Maps a protocol number to
                one or more names. The distinguished value of the cn
                attribute denotes the protocol's canonical name.'
          MUST ( cn $ ipProtocolNumber $ description )
          MAY description )

        ( TBD.1.4 nisSchema.2.5 NAME 'oNCRPC' 'oncRpc' SUP top STRUCTURAL
          DESC 'Abstraction of an Open Network Computing (ONC) [12]
                Remote Procedure Call (RPC) binding. Maps an ONC RPC
                number to a name. The distinguished value of the cn
                attribute denotes the RPC service's canonical name.'
          MUST ( cn $ oNCRPCNumber ) )

        ( TBD.1.5 NAME 'mount' SUP top STRUCTURAL
          DESC 'Abstraction of a filesystem mount.'
          MUST ( cn $ mountDirectory oncRpcNumber $ mountType description )
          MAY ( mountOption $ mountDumpFrequency $ mountPassNo ) description )

        ( TBD.1.6 nisSchema.2.6 NAME 'ipHost' SUP domainRelatedObject top STRUCTURAL
          DESC 'Abstraction of a host. The schema defined in [3] is used
                to denote the canonical hostname, by mapping the
                distinguished name into a DNS domain name.
                The associatedDomain attribute is used for interrogating
                the DIT, and as such must contain values for the host's
                canonical name and its aliases.'
          MUST ( dc $ ipHostNumber $ associatedDomain )
          MAY ( macAddress $ bootParameter $ bootFile $
                l $ description $ manager $ serialNumber ) )

        ( TBD.1.7 nisSchema.2.7 NAME 'ipNetwork' SUP domainRelatedObject top
          DESC 'Abstraction of a network.'
          MUST ( dc $ ipNetworkNumber $ associatedDomain )
          MAY ( ipNetmaskNumber $ l $ description $ manager ) )

        ( TBD.1.8 nisSchema.2.8 NAME 'nISNetgroup' 'nisNetgroup' SUP top STRUCTURAL
          DESC 'Abstraction of a netgroup. May refer to other netgroups.'
          MUST cn
          MAY ( memberUid nisNetgroupTriple $ memberNisNetgroup $ description ) )

        ( nisSchema.2.9 NAME 'automount' SUP top STRUCTURAL
          DESC 'Abstraction of an automount map; each entry in the map
                is represented by a value of the automountInformation
                attribute. The map name is given by the cn attribute.
                Each value of the automountInformation attribute
                constitutes a mount entry.'
          MUST cn
          MAY ( automountInformation $ memberHost description ) )

        ( nisSchema.2.10 NAME 'nisObject' SUP top STRUCTURAL
          DESC 'Abstraction of a generic NIS map or entry.'
          MUST nisMapName
          MAY ( cn $ memberNISNetgroup nisValue $ nISDomain description ) )

5. Implementation details

5.1. Resolution methods

   The ideal means of directing a client application (one using the
   shared services of the C library) to use LDAP as its information
   source for the functions listed in 5.2 is to modify the source code
   to directly query LDAP. As the source code to commercial C libraries
   and applications is rarely available to the end-user, it is
   acceptable to emulate a supported nameservice (such as NIS) and
   modify the resolution code to use LDAP. (This is also an appropriate
   opportunity to perform caching of entries across client address
   spaces.) In the case of NIS, reference implementations are widely
   available and the client-server RPC interface is well known.

   There exists no standard mechanism, other than NIS, for resolving
   automount and nisObject entries.  The former may be supported by the
   automounter itself; both classes should be supported by an LDAP to
   NIS gateway. However, an implementation which claims to conform to
   this specification is not required to support these classes. (To
   mandate otherwise would exclude implementations integrated with the C

   Some operating systems and C libraries support end-user extensible
   resolvers using dynamically loadable libraries and a nameservice
   "switch". In any case, Others allow end-user defined symbols to be substituted at
   runtime. Regardless, the precise means by which the operating system is
   directed to use LDAP is not at issue; this implementation dependent, as is left to the
   implementor to decide. means by
   which the DUA locates LDAP servers. (It is anticipated that the
   Dynamic Host Configuration Protocol (DHCP) may be used for the latter

5.2. Affected resolver calls
   The following entry points are found in the C libraries of most Unix UNIX
   and POSIX compliant systems. An LDAP search filter [5] which may be
   used to satisfy the function call is included alongside each function
   name, with printf(3s) format notation used to denote the function
   parameter(s), if any. Note that the POSIX specification does not
   define the enumeration routines (such as getpwent(3c)); however, the
   filters are included here for completeness. With the exception of
   getmntent(3c), Generally, those functions in section 3c 3n of Unix the
   UNIX system's manual pages
   relate refer to POSIX entities, TCP/IP entries, and those in
   section 3n relate 3c refer to TCP/IP
   entities. the remainder. Long lines are broken with the '\'

        getpwnam(3c)            (&(objectClass=posixAccount)(uid=%s))
        getpwuid(3c)            (&(objectClass=posixAccount)\
        getpwent(3c)            (objectClass=posixAccount)

        getspnam(3c)            (&(objectClass=shadowAccount)(uid=%s))
        getspent(3c)            (objectclass=shadowAccount)

        getgrnam(3c)            (&(objectClass=posixGroup)(cn=%s))
        getgrgid(3c)            (&(objectClass=posixGroup)\
        getgrent(3c)            (objectClass=posixGroup)

        getservbyname(3n)       (&(objectClass=ipService)\
        getservbyport(3n)       (&(objectClass=ipService)\
        getservent(3n)          (objectClass=ipService)

        getrpcbyname(3n)        (&(objectClass=oNCRPC)(cn=%s))        (&(objectClass=oncRpc)(cn=%s))
        getrpcbynumber(3n)      (&(objectClass=oNCRPC)(oNCRPCNumber=%d))      (&(objectClass=oncRpc)(oncRpcNumber=%d))
        getrpcent(3n)           (objectClass=oNCRPC)           (objectClass=oncRpc)

        getprotobyname(3n)      (&(objectClass=ipProtocol)(cn=%s))
        getprotobynumber(3n)    (&(objectClass=ipProtocol)\
        getprotoent(3n)         (objectClass=ipProtocol)

        gethostbyname(3n)       (&(objectClass=ipHost)\
        gethostbyaddr(3n)       (&(objectClass=ipHost)(ipHostNumber=%s))
        gethostent(3n)          (objectClass=ipHost)

        getnetbyname(3n)        (&(objectClass=ipNetwork)\
        getnetbyaddr(3n)        (&(objectClass=ipNetwork)\
        getnetent(3n)           (objectClass=ipNetwork)

        getnetgrent(3n)         (objectClass=nISNetgroup)
        setnetgrent(3n)         (&(objectClass=nisNetgroup)(cn=%s))

        getaliasbyname(3n)      (&(objectClass=rfc822MailGroup)(cn=%s))
        getaliasent(3n)         (objectClass=rfc822MailGroup)

        getmntent(3c)           (objectClass=mount)

5.3. Interpreting user and group entries

   User and group resolution is initiated by the functions prefixed by
   getpw and getgr respectively. A user's login name is denoted by the
   value of the uid attribute (which will typically be used as a
   relative distinguished name); a group's name is denoted by a value of
   the cn attribute.

   An account's GECOS field is preferably determined by a value of the
   gecos attribute. If no posixGecos gecos attribute exists, the value of the cn
   attribute must be used. (The existence of the posixGecos gecos attribute allows
   attributes embedded in the GECOS field, such as a user's telephone
   number, to be returned to the client without overloading the cn

   An entry of class posixAccount or shadowAccount without a
   userPassword attribute must be denied the opportunity to
   authenticate. For example, the client may be returned a non-matchable
   password such as "*" by the DUA.

   A user which is a member of a posixGroup which has no groupPassword
   attribute must not be allowed to authenticate themself as a member of
   that group, unless the user's posixPrimaryGidNumber gidNumber attribute implies a user has
   the same group ID (in which case the operating system may determine
   this implicitly).

   userPassword and groupPassword values must be represented by
   following BNF syntax:

        <passwordValue> ::= <encryptionSchemePrefix> <encryptedPassword>
        <encryptionSchemePrefix> ::= '{' <encryptionScheme> '}'
        <encryptionScheme> ::= 'crypt'
        <encryptedPassword> ::=

        passwordvalue          = schemeprefix encryptedpassword
        schemeprefix           = "{" scheme "}"
        scheme                 = "crypt" / "md5" / "sha" / altscheme
        altscheme              = keystring
        encryptedpassword      = encrypted password

   (where the encrypted password consists of a plaintext key encrypted
   using appropriate encoding algorithm; for example, crypt(3) with a
   two-character random salt)

   Operating systems which support different one way encoding functions
   may choose a different encryptionScheme; crypt(3) is only considered
   here. salt for "crypt")

   userPassword and groupPassword values which do not adhere to the BNF
   above must not be used for authentication. (The DUA must iterate
   through the values of the attribute until a value matching the above
   BNF is found.) Only if encryptedPassword is an empty string does the
   user have no password. DUAs are not required to consider encryption
   schemes which the client will not recognise; in many cases, it may be
   sufficient to consider only "crypt".

   A DUA may make use of the attributes prefixed by shadow in order the shadowAccount class to
   provide shadow password service (getspnam(3c) and getspent(3c)). In
   such cases, the DUA must not make use of the userPassword attribute
   for getpwnam(3c) et al, and must return a non-matchable password
   (such as "x") to the client instead.

5.4. Interpreting hosts and networks

   The means for representing DNS [6] domains in LDAP distinguished
   names described in [3] and [9] is used in part to represent TCP/IP
   hosts and networks in LDAP.

   Potentially contentious is

   Note the use of the ipHostNumber attribute instead of the dNSRecord
   attribute.  The rationale is that, in order to minimize the
   responsibility placed on the DUA, attribute values ought to directly
   contain the information they seek to represent. This contrasts with,
   for example, a dNSRecord value which expresses a complete DNS
   resource record including time to live and class data.

   While dNSRecords are suitable for building a DNS gateway to LDAP
   (which may ultimately fulfill the purpose of resolving hosts), It is
   considered that this information is extraneous to performing host lookups directly with
   LDAP. using LDAP as a
   direct means to resolve hosts and networks. Additionally, it is
   considered more appropriate for an entity, and all its aliases, to be
   represented by a single entry in the DIT, which is not always
   possible when a DNS resource record is mapped directly to an LDAP

   This document redefines (although not to the extent of excluding the
   existing definition) the ipNetwork class defined in [3], for naming
   consistency with ipHost. The ipNetworkNumber attribute is also used
   in the siteContact object class [14]. (The trailing zeros in a
   network address should be omitted.) CIDR-style network addresses (eg.
   192.168.1/24) can be used but this is not required.

   If an entry of class ipHost or ipNetwork belongs to a naming context
   denoted by relative distinguished names (RDNs) [10] of attribute type
   dc (domainComponent), then the distinguished name (DN) is transformed
   into a domain name system (DNS) suffix by concatenating each RDN
   value with a period ('.').

   For example, an entry of class ipHost with a DN of dc=foo, dc=bar,
   dc=edu or dc=foo, dc=bar, dc=edu, o=Internet is parsed into the host
   name If the naming context is does not contain 'dc'
   values, a non-qualified host name is returned. For organizations
   which wish to use existing X.500 container classes to form their
   context (ie. organization and organizationalUnit) the RDN components values of incorrect
   unrequired type are skipped by the DUA in determining the domain
   name. As such, a DN of dc=foo, dc=bar, dc=edu, o=Ace Industry, c=US
   may be parsed as As this may be considered a naming
   violation, this document does not specifically endorse this.

   Hosts with IPv6 addresses should be written in their "preferred" form
   as defined in section 2.2.1 of [15], such that all components of the
   address are indicated and leading zeros are omitted. This is to
   provide a consistent means of resolving ipHosts by address.

5.5. Interpreting other entities

   In general, a one-to-one mapping between entities and LDAP entries is
   proposed, in that each entity has exactly one representation in the
   DIT. In some cases this is not feasible; for example, a service which
   is represented in more than one protocol domain. Consider the
   following entry:

           dn: cn=domain, dc=aceindustry, dc=com
           cn: domain
           cn: nameserver
           objectClass: top
           objectClass: ipService
           ipServicePort: 53
           ipServiceProtocol: tcp
           ipServiceProtocol: udp

   This entry would map to the following two (2) services entities:

           domain  53/tcp  nameserver
           domain  53/udp  nameserver

   While the above two entities could have been equally represented as
   separate LDAP entities, with different distinguished names (such as
   cn=domain+ipServiceProtocol=tcp, ... and
   cn=domain+ipServiceProtocol=udp, ...) it is considered that
   representing them as a single entry is more convenient.

   The mount class represents mount entities as they would be found
   directly in /etc/fstab. Granted, this information (If a service
   is represented in multiple protocol domains with different respective
   ports, then multiple entries are mandatory, with multivalued RDNs
   being used primarily
   at boot time when access to non-local nameservices may be restricted.
   It may be considered useful to use LDAP to distinguish between them.)

   Entries of class automount inherently represent more than one entity:
   each value of the
   configuration data for automount daemons; such a schema automountInformation attribute is outside a NIS record.

   With the scope exception of this document. (However, userPassword and groupPassword values, which
   must be parsed according to the BNF considered in section 5.2, any
   empty values (those that consist of a zero length string) are
   returned by the DUA may hint to the client. The client
   that certain information may not make sense of
   them, but this situation is no different to be used by parsing files which
   contain empty fields. (By contrast, the automounter using DUA must reject any entries
   which do not conform to the
   mountOption attribute.)

   With schema, ie. are missing certain mandatory
   attributes. Non-conforming entries should be ignored while
   enumerating entries; whether the exception enumeration is terminated at such an
   entry is implementation dependent, although it is strongly suggested
   that the offending entry be treated as if it were not present.)

   The nisObject object class is provided as a generic means of userPassword
   representing NIS entities. Its use is not encouraged; where support
   for entities not described in this schema is desired, an appropriate
   schema should be devised. Implementors are strongly advised to
   support end-user extensible mappings between NIS entities and groupPassword values, which
   must object
   classes. The nisObject class may be parsed according useful were one to the BNF considered in section 5.2, any
   empty values (those that consist of use LDAP to
   query a zero length string) are
   returned by NIS server, although it is anticipated that the DUA to converse will
   be more common. (Where the client. The client nisObject class is used, the nisMapName
   attribute may not make sense establish part of
   them, but this situation is no different the DN, to parsing files which
   contain empty fields. (By contrast, assist the DUA must reject any in locating
   which do not conform belonging to a particular map.)

   Entries which inherit also from the schema, ie. are missing certain mandatory
   attributes.) cacheObject object class (and
   thus contain the 'ttl' attribute) may be used by DUAs to perform
   cache validation. [17]

5.6. Canonicalizing entries with multi-valued naming attributes

   For entities such as services, protocols, and RPCs, where there may
   be one or more aliases, the respective entry's relative distinguished
   name is used to form the canonical name.  Any other values for the
   same attribute are used as aliases. For example, the service
   described in section 5.5 has the canonical name 'domain' and exactly
   one alias, 'nameserver'.

   The schema in this document generally only defines one attribute per
   class which is suitable for distinguishing an entity (excluding any
   attributes with integer syntax; it is assumed that entries will be
   distinguished based on name). Usually, this is the common name (cn)
   attribute.  (For users, either the cn or uid attributes may be used
   to canonicalize an entry. For hosts and networks, the entire
   distinguished name is considered, as per section 5.4.) This fact aids
   the DUA in determining the canonical name of an entity: it can simply
   examine the value of the relative distinguished name. Aliases are
   thus any values of the distinguishing attribute (such as cn) which do
   not match the canonical name of the entity.

   In the event that a different attribute is used to distinguish the
   entry, as may be the case with conforming entries that belong to
   additional object classes, it is possible that the entity's canonical
   name cannot be deduced from the RDN. In this situation, the DUA must
   choose one of the non-distinguished values to represent the entity's
   canonical name. Because the directory server guarantees no ordering
   of attribute values, attempting to distinguish an entry in a
   deterministic fashion may require the DUA to maintain a mapping
   between entries' DNs and their canonical names as considered by the
   DUA. This document does not require this, nor does it advocate that
   such situations be resolved by mapping one DIT entry into multiple

6. Implementation focus

   A NIS to LDAP gateway daemon which uses LDAP instead of local files has been
   developed which supports the schema defined in this document. A set
   of extensions to a particular implementation of the Mach operating
   system has also been developed, which sidesteps NIS and uses LDAP

   Work is underway to develop a freely available (under the GNU General
   Library Public License) reference implementation of the C library
   resolution code that supports LDAP using the draft schema. The code
   will be compatible with the Free Software Foundation's GNU C library
   and other C libraries which support the Name Service Switch (NSS). (NSS) or
   Information Retrieval Service (IRS).

   The alias lookup functions referred to in section 5.2 are presently
   available only in the GNU C library, and (albeit with different
   names) in the C library of one commercial Unix UNIX system vendor. It is
   anticipated that the mail transport agent (MTA) will typically
   consult LDAP or NIS directly instead of using the C library; however,
   support for the suggested library calls is encouraged.

   The author has made available a freely distributable set of Perl
   scripts for parsing configuration files such as /etc/passwd and
   /etc/hosts and generating LDIF data suitable for preparing an LDIF
   database. It would be a relatively trivial effort to write utilities
   to export LDIF data to flat files, such that information stored in an
   LDAP-compatible directory service could be regularly dumped into NIS
   maps or flat files.

7. Security considerations

   The entirety of related security considerations are outside the scope
   of this document. However, it should be noted that making passwords
   encrypted with a widely understood one way function (such as
   crypt(3)) available to non-privileged users is potentially dangerous
   because it exposes them to dictionary and brute-force attacks.  It is
   proposed only for compatibility with existing Unix UNIX system
   implementations. Sites where security is critical may consider using
   Kerberos or another authentication service for logins. A variation on
   this is to authenticate to an LDAP server by binding over an
   encrypted connection (such as SSL [8]).

   Alternatively, the encrypted password could be made available only to
   a subset of privileged DUAs, which would provide 'shadow' password
   service to client applications.

   Because the schema represents operating system-level entities, access
   to these entities should be granted on a discretionary basis. (That
   said, there is little point in restricting access to data which will
   be republished without restriction, eg. by a NIS server.) It is
   particularly important that only administrators can modify entries
   defined in this schema, with the exception of allowing a principal to
   change their password (which may be done on behalf of the user by a
   client bound as a superior principal, such that password restrictions
   may be enforced). For example, if a user were allowed to change the
   value of their posixUidNumber uidNumber attribute, they could subvert security by
   equivalencing their account with the root account.

   A subtree of the DIT which is to be republished by a DUA (such as a
   NIS gateway) should be within the same administrative domain that the
   republishing DUA represents. (For example, principals outside an
   organization, while conceivably part of the DIT, should not be
   considered with the same degree of authority as those within the

   Finally, care should be exercised with integer attributes of a
   sensitive nature (particularly the uidNumber and gidNumber
   attributes) which contain zero-length values. It may be wiser to
   treat such values as corresponding to the "nobody" or "nogroup" user
   and group, respectively.

8. Acknowledgements

   Thanks to Leif Hedstrom of Netscape Communications Corporation Corporation,
   Rosanna Lee of Sun Microsystems Inc., and Mark Wahl of Critical Angle
   Inc. for their valuable contributions to the development of this
   schema. Thanks to Andrew Josey of The Open Group for clarifying the
   use of the UNIX trademark.

   UNIX is a registered trademark of The Open Group.

9. References

   [1]  M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
        Protocol (Version 3)", INTERNET-DRAFT <draft-ietf-asid-ldapv3-
        protocol-03.txt>, October 1996.
        protocol-06.txt>, June 1997.

   [2]  M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
        Protocol: Standard and Pilot Attribute Definitions", INTERNET-
        DRAFT <draft-ietf-asid-ldapv3-attributes-03.txt>, October 1996. <draft-ietf-asid-ldapv3-attributes-06.txt>, June 1997.

   [3]  S. Kille, "X.500 and Domains", RFC 1279, November 1991.

   [4]  H. Lachman, "LDAP-based Routing of SMTP Messages: Approach Used
        by Netscape", INTERNET-DRAFT <draft-ietf-asid-email-routing-ns-
        00.txt>, March 1997.

   [5]  T. Howes, "A String Representation of LDAP Search Filters",
        INTERNET-DRAFT <draft-ietf-asid-ldapv3-filter-00.txt>, March
        1997. See also [10].

   [6]  P. Mockapetris, "Domain names - concepts and facilities", RFC
        1034, November 1987.

   [7]  "Information Processing Systems - Open Systems Interconnection -
        The Directory: Overview of Concepts, Models and Service",
        ISO/IEC JTC 1/SC21, International Standard 9594-1, 1988.

   [8]  A. O. Freier, P. Karlton, P. Kocher, "The SSL Protocol, Version
        3.0", INTERNET-DRAFT <draft-ietf-tls-ssl-version3-00.txt>
        November 1996.

   [9]  S. Kille, M. Wahl, "An Approach for Using Domains in LDAP
        Distinguished Names", INTERNET-DRAFT <draft-ietf-asid-ldap-
        domains-00.txt>, July 1996.

   [10] S. Kille, "A String Representation of Distinguished Names", RFC
        1779, March 1995.

   [11] G. Good, "The LDAP Data Interchange Format (LDIF)", INTERNET-
        DRAFT <draft-ietf-asid-ldif-00.txt>, November 1996.

   [12] Sun Microsystems, Inc., "RPC: Remote Procedure Call: Protocol
        Specification Version 2", RFC 1057, June 1988.

   [13] ISO/IEC 9945-1:1990, Information Technology - Portable Operating
        Systems Interface (POSIX) - Part 1: Systems Application
        Programming Interface (API) [C Language]

   [14] M. T. Rose, "The Little Black Book: Mail Bonding with OSI
        Directory Services", ISBN 0-13-683210-5, Prentice-Hall, Inc.,

   [15] R. Hinden, S. Deering, "IP Version 6 Addressing Architecture",
        RFC 1884, December 1995.

   [16] L. Hedstrom, L. Howard, "DHCP Options for LDAP", INTERNET-DRAFT
        <draft-hedstrom-dhcp-ldap-00.txt>, July 1997.

   [17] T. Howes, L. Howard, "A Simple Caching Scheme for LDAP and X.500
        Directories", INTERNET-DRAFT <draft-ietf-asid-ldap-cache-
        01.txt>, July 1997.

10. Author's Address

   Luke Howard
   PO Box 59
   Central Park Vic 3145

A. Example entries

   The examples described in this section are provided to illustrate the
   schema described in this draft. They do are not purport to be a an authoritative
   reference. Entries are presented in LDIF notation [11].

   The following entry is an example of the posixAccount class:

           dn: uid=lukeh, dc=aceindustry, dc=com
           cn: Luke Howard
           objectClass: top
           objectClass: person
           objectClass: posixAccount
           sn: Howard
           telephoneNumber: +61 3 9428 0788
           uid: lukeh
           userPassword: {crypt}X5/DBrWPOQQaI
           gecos: Luke Howard
           loginShell: /bin/csh
           uidNumber: 10
           gidNumber: 10
           homeDirectory: /home/lukeh

   This corresponds the Unix UNIX system password file entry:

        lukeh:X5/DBrWPOQQaI:10:10:Luke Howard:/home/lukeh:/bin/sh

   Note that the userPassword value is parsed into a password suitable
   for matching with crypt(3). Attributes such as telephoneNumber and sn
   (which belong to classes other than posixAccount), are not used in
   determining the corresponding password file entry but may be useful
   to other LDAP clients. (In most cases, entries of class posixAccount
   will also inherit from person or organizationalPerson.)

   The following entry is an example of the ipHost class:

           dn: dc=yoyo, dc=aceindustry, dc=com
           dc: yoyo
           objectClass: top
           objectClass: ipHost
           objectClass: domainRelatedObject
           macAddress: 0:0:92:90:ee:e2
           bootFile: unix
           bootParameter: bootfile=mach
           bootParameter: root=fs:/nfsroot/yoyo
           bootParameter: swap=fs:/nfsswap/yoyo
           bootParameter: dump=fs:/nfsdump/yoyo

   This entry represents the host, also known as Note that the associatedDomain values are used
   in searching for the entry, but the distinguished name is parsed to
   determine the host's canonical name. The MAC address, boot image, and
   two boot parameters are also specified in this entry. The auxilary
   class domainRelatedObject is not mandatory. (Thus, the NIS maps
   prefixed by 'hosts', 'ethers', and 'bootparams' could all be derived
   from similar entries.)

   An example of the nISNetgroup nisNetgroup class:

           dn: cn=nightfly, dc=aceindustry, dc=com
           cn: nightfly
           objectClass: top
           objectClass: nISNetgroup
           memberUid: lukeh
           memberUid: fagen
           nISDomain: nisNetgroup
           nisNetgroupTriple: (fagen,peg,
           nisNetgroupTriple: (becker,-,)
           memberNisNetgroup: kamakiriad

   This entry represents the netgroup 'nightfly' nightfly, which contains the
   users lukeh and two
   triples (the user fagen, and the host; peg, and which
   belongs to the NIS domain; and, the user becker, no host, and any domain)
   and one netgroup (kamakiriad).

   Finally, an example of the ipProtocol nisObject class:

           dn: cn=tcp, nisMapName=quote.byname, dc=dunes, dc=aceindustry, dc=com
           objectClass: top
           objectClass: ipProtocol
           cn: tcp nisObject
           nisMapName: quote.byname

           dn: cn=foobar, nisMapName=quote.byname, dc=dunes, dc=aceindustry, dc=com
           objectClass: top
           objectClass: nisObject
           objectClass: cacheObject
           ttl: 86400
           cn: TCP
           ipProtocolNumber: 6 foobar
           nisMapName: quote.byname
           nisValue: 75.00

   This entry represents the protocol named 'tcp' whose protocol number
   is 6. NIS map quote.byname, and a constitutent
   entry, with the key of foobar and a value of 75.00. The latter entry
   has a time-to-live of 24 hours.