draft-ietf-ldapbis-models-01.txt   draft-ietf-ldapbis-models-02.txt 
INTERNET-DRAFT Editor: Kurt D. Zeilenga INTERNET-DRAFT Editor: Kurt D. Zeilenga
Intended Category: Standard Track OpenLDAP Foundation Intended Category: Standard Track OpenLDAP Foundation
Expires in six months 28 May 2002 Expires in six months 12 August 2002
Obsoletes: RFC 2251, RFC 2252, RFC 2256 Obsoletes: RFC 2251, RFC 2252, RFC 2256
LDAP: Directory Information Models LDAP: Directory Information Models
<draft-ietf-ldapbis-models-01.txt> <draft-ietf-ldapbis-models-02.txt>
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with all This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026. provisions of Section 10 of RFC2026.
This document is intended to be published as a Standard Track RFC. This document is intended to be published as a Standard Track RFC.
Distribution of this memo is unlimited. Technical discussion of this Distribution of this memo is unlimited. Technical discussion of this
document will take place on the IETF LDAP Revision Working Group document will take place on the IETF LDAP Revision Working Group
mailing list <ietf-ldapbis@openldap.org>. Please send editorial mailing list <ietf-ldapbis@openldap.org>. Please send editorial
skipping to change at page 1, line 35 skipping to change at page 1, line 35
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.'' material or to cite them other than as ``work in progress.''
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
<http://www.ietf.org/ietf/1id-abstracts.txt>. The list of <http://www.ietf.org/ietf/1id-abstracts.txt>. The list of
Internet-Draft Shadow Directories can be accessed at Internet-Draft Shadow Directories can be accessed at
<http://www.ietf.org/shadow.html>. <http://www.ietf.org/shadow.html>.
Copyright 2002, The Internet Society. All Rights Reserved. Copyright 2002, The Internet Society. All Rights Reserved. Please
see the Copyright section near the end of this document for more
Please see the Copyright section near the end of this document for information.
more information.
Abstract Abstract
The Lightweight Directory Access Protocol (LDAP) is an Internet The Lightweight Directory Access Protocol (LDAP) is an Internet
protocol for accessing distributed directory services which act in protocol for accessing distributed directory services which act in
accordance with X.500 data and service models. This document accordance with X.500 data and service models. This document
describes the X.500 Directory Information Models, as used in LDAP. describes the X.500 Directory Information Models, as used in LDAP.
Table of Contents Table of Contents
skipping to change at page 2, line 37 skipping to change at page 2, line 37
2.5.2. Attribute Options 13 2.5.2. Attribute Options 13
2.5.2.1. Tagging Options 2.5.2.1. Tagging Options
2.5.3. Attribute Description Hierarchies 14 2.5.3. Attribute Description Hierarchies 14
2.5.4. Attribute Values 15 2.5.4. Attribute Values 15
2.6. Alias Entries 2.6. Alias Entries
2.6.1. 'alias' 16 2.6.1. 'alias' 16
2.6.2. 'aliasObjectName' 2.6.2. 'aliasObjectName'
3. Directory Administrative and Operational Information 3. Directory Administrative and Operational Information
3.1. Subtrees 3.1. Subtrees
3.2. Subentries 17 3.2. Subentries 17
3.3. The ObjectClass attribute 3.3. The 'objectClass' attribute
3.4. Operational attributes 3.4. Operational attributes 18
3.4.1. 'createTimestamp' 18 3.4.1. 'creatorsName'
3.4.2. 'modifyTimestamp' 3.4.2. 'createTimestamp' 19
3.4.3. 'creatorsName' 19 3.4.3. 'modifiersName'
3.4.4. 'modifiersName' 3.4.4. 'modifyTimestamp'
4. Directory Schema 4. Directory Schema 20
4.1. Schema Definitions 21 4.1. Schema Definitions 21
4.1.1. Object Class Definitions 22 4.1.1. Object Class Definitions 22
4.1.2. Attribute Types 4.1.2. Attribute Types 23
4.1.3. Matching Rules 24 4.1.3. Matching Rules 24
4.1.4. LDAP Syntaxes 25 4.1.4. LDAP Syntaxes 25
4.1.5. DIT Content Rules 26 4.1.5. DIT Content Rules 26
4.1.6. DIT Structural Rules and Name Forms 27 4.1.6. DIT Structural Rules and Name Forms 27
4.2. Subschema Subentries 29 4.2. Subschema Subentries 29
4.2.1. 'objectClasses' 30 4.2.1. 'objectClasses' 30
4.2.2. 'attributeTypes' 4.2.2. 'attributeTypes'
4.2.3. 'matchingRules' 4.2.3. 'matchingRules' 31
4.2.4. 'matchingRuleUse' 31 4.2.4. 'matchingRuleUse'
4.2.5. 'ldapSyntaxes' 4.2.5. 'ldapSyntaxes'
4.2.6. 'dITContentRules' 4.2.6. 'dITContentRules' 32
4.2.7. 'dITStructureRules' 32 4.2.7. 'dITStructureRules'
4.2.8. 'nameForms' 4.2.8. 'nameForms'
4.3. 'extensibleObject' 4.3. 'extensibleObject'
4.4. Subschema Discovery 33 4.4. Subschema Discovery 33
5. DSA (Server) Informational Model 5. DSA (Server) Informational Model
5.1. Server-specific Data Requirements 34 5.1. Server-specific Data Requirements 34
5.1.1. 'altServer' 5.1.1. 'altServer' 35
5.1.2. 'namingContexts' 35 5.1.2. 'namingContexts'
5.1.3. 'supportedControl' 5.1.3. 'supportedControl'
5.1.4. 'supportedExtension' 36 5.1.4. 'supportedExtension' 36
5.1.5. 'supportedLDAPVersion' 5.1.5. 'supportedLDAPVersion'
5.1.6. 'supportedSASLMechanisms' 5.1.6. 'supportedSASLMechanisms'
6. Other Considerations 6. Other Considerations 37
6.1. Preservation of User Information 37 6.1. Preservation of User Information
6.2. Short Names 6.2. Short Names
6.3. Cache and Shadowing 6.3. Cache and Shadowing
7. Implementation Guidelines 7. Implementation Guidelines 38
7.1. Server Guidelines 7.1. Server Guidelines
7.2. Client Guidelines 38 7.2. Client Guidelines
8. Security Considerations 8. Security Considerations 39
9. IANA Considerations 39 9. IANA Considerations
10. Acknowledgments 40 10. Acknowledgments 40
11. Author's Address 11. Author's Address
12. References 12. References
12.1. Normative References 12.1. Normative References
12.2. Informative References 41 12.2. Informative References 41
Appendix A. Changes Appendix A. Changes 42
A.1 Changes to RFC 2251 42 A.1 Changes to RFC 2251
A.1.1 Section 3.2 of RFC 2251 A.1.1 Section 3.2 of RFC 2251
A.1.2 Section 3.4 of RFC 2251 A.1.2 Section 3.4 of RFC 2251 43
A.1.2 Section 4 of RFC 2251 43 A.1.2 Section 4 of RFC 2251
A.1.3 Section 6 of RFC 2251 A.1.3 Section 6 of RFC 2251 44
A.2 Changes to RFC 2252 44 A.2 Changes to RFC 2252
A.2.1 Section 4 of RFC 2252 A.2.1 Section 4 of RFC 2252
A.2.2 Section 5 of RFC 2252 A.2.2 Section 5 of RFC 2252
A.2.2 Section 7 of RFC 2252 A.2.3 Section 7 of RFC 2252 45
A.3 Changes to RFC 2256 45 A.3 Changes to RFC 2256
Copyright Copyright
1. Introduction 1. Introduction
This document discusses the X.500 Directory Information Models This document discusses the X.500 Directory Information Models
[X.501], as used by LDAP. [X.501], as used by the Lightweight Directory Access Protocol (LDAP)
[Roadmap].
The Directory is "a collection of open systems cooperating to provide The Directory is "a collection of open systems cooperating to provide
directory services" [X.500]. The information held in the Directory is directory services" [X.500]. The information held in the Directory is
collectively known as the Directory Information Base (DIB). A collectively known as the Directory Information Base (DIB). A
Directory user, which may be a human or other entity, accesses the Directory user, which may be a human or other entity, accesses the
Directory through a client (or Directory User Agent (DUA)). The Directory through a client (or Directory User Agent (DUA)). The
client, on behalf of the directory user, interacts with one or more client, on behalf of the directory user, interacts with one or more
servers (or Directory System Agents (DSA)). A server holds a fragment servers (or Directory System Agents (DSA)). A server holds a fragment
of the DIB. of the DIB.
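Review bot: Appendix A.1 is numbered inconsistently in the table of contents: both "A.1.2 Section 3.4 of RFC 2251" and "A.1.2 Section 4 of RFC 2251" carry A.1.2, so "A.1.3 Section 6 of RFC 2251" should become A.1.4 and the four entries be renumbered A.1.1 through A.1.4. The -02 revision fixes the equivalent duplicate in A.2 ("A.2.2 Section 7 of RFC 2252" is now A.2.3) but leaves the A.1 duplicate in place. The renamed 3.3 entry ("The 'objectClass' attribute") and the reordered 3.4.1 to 3.4.4 entries do match the body headings later in the diff.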
skipping to change at page 4, line 48 skipping to change at page 4, line 49
how these models are to be used in LDAP is left to future documents. how these models are to be used in LDAP is left to future documents.
1.1. Relationship to Other LDAP Specifications 1.1. Relationship to Other LDAP Specifications
This document is a integral part of the LDAP technical specification This document is a integral part of the LDAP technical specification
[Roadmap] which obsoletes entirely the previously defined LDAP [Roadmap] which obsoletes entirely the previously defined LDAP
technical specification [LDAPTS]. technical specification [LDAPTS].
This document obsoletes RFC 2251 sections 3.2 and 3.4, as well as This document obsoletes RFC 2251 sections 3.2 and 3.4, as well as
portions of sections 4 and 6. Appendix A.1 summaries changes to these portions of sections 4 and 6. Appendix A.1 summaries changes to these
sections. sections. The remainder of RFC 2251 is obsoleted by the [Protocol],
[AuthMeth], and [Roadmap] documents.
This document obsoletes RFC 2252 sections 4, 5 and 7 of RFC 2252.
Appendix A.2 summaries changes to these sections.
This document obsoletes RFC 2256 Sections 5.1 and portions of Section This document obsoletes RFC 2252 sections 4, 5 and 7. Appendix A.2
7 including all of 7.1. Appendix A.3 summarizes changes to these summaries changes to these sections. The remainder of RFC 2252 is
sections. obsoleted by [Syntaxes] and [Schema].
The remainder of RFC 2251 is obsoleted by the [Protocol], [AuthMeth], This document obsoletes RFC 2256 sections 5.1, 5.2, 7.1 and 7.2.
and [Roadmap] documents. The remainder of RFC 2252 is obsoleted by Appendix A.3 summarizes changes to these sections. The remainder of
[Syntaxes] and [Schema]. The remainder of RFC 2256 is obsoleted by RFC 2256 is obsoleted by [Schema] and [Syntaxes].
[Schema] and [Syntaxes].
1.2. Conventions 1.2. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 [RFC2119]. document are to be interpreted as described in BCP 14 [RFC2119].
Schema definitions are provided using LDAP description formats (as Schema definitions are provided using LDAP description formats (as
defined in Section 4.1). Definitions provided here are formatted defined in Section 4.1). Definitions provided here are formatted
(line wrapped) for readability. Matching rules and LDAP syntaxes (line wrapped) for readability. Matching rules and LDAP syntaxes
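Review bot: the -02 text widens the stated scope for RFC 2256 to "sections 5.1, 5.2, 7.1 and 7.2", where -01 read "Sections 5.1 and portions of Section 7 including all of 7.1"; Appendix A.3 should then describe the changes to 5.2 and 7.2 as well, or the sentence should keep the narrower scope. Two wording slips survive unchanged into -02: "This document is a integral part" should read "an integral part", and "Appendix A.1 summaries changes" and "Appendix A.2 summaries changes" should read "summarizes", as the A.3 sentence already does.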
skipping to change at page 6, line 32 skipping to change at page 6, line 31
UTF8 = UTF1 / UTFMB UTF8 = UTF1 / UTFMB
UTFMB = UTF2 / UTF3 / UTF4 / UTF5 / UTF6 UTFMB = UTF2 / UTF3 / UTF4 / UTF5 / UTF6
UTF0 = %x80-BF UTF0 = %x80-BF
UTF1 = %x00-7F UTF1 = %x00-7F
UTF2 = %xC0-DF 1(UTF0) UTF2 = %xC0-DF 1(UTF0)
UTF3 = %xE0-EF 2(UTF0) UTF3 = %xE0-EF 2(UTF0)
UTF4 = %xF0-F7 3(UTF0) UTF4 = %xF0-F7 3(UTF0)
UTF5 = %xF8-FB 4(UTF0) UTF5 = %xF8-FB 4(UTF0)
UTF6 = %xFC-FD 5(UTF0) UTF6 = %xFC-FD 5(UTF0)
; Any octet
OCTET = %x00-FF
Object identifiers are represented in LDAP using a dot-decimal format Object identifiers are represented in LDAP using a dot-decimal format
conforming to the ABNF: conforming to the ABNF:
numericoid = number *( DOT number ) numericoid = number *( DOT number )
Short names, known as descriptors, are used as a more readable aliases Short names, known as descriptors, are used as a more readable aliases
for object identifiers. Descriptors are case insensitive and conform for object identifiers. Descriptors are case insensitive and conform
to the the ABNF: to the the ABNF:
descr = keystring descr = keystring
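Review bot: the UTF8 production accepts non-shortest-form and out-of-range sequences. "UTF2 = %xC0-DF 1(UTF0)" admits the lead octets C0 and C1, which can only yield two-octet encodings of values already representable in one octet, the UTF3 and UTF4 ranges likewise allow overlong forms with E0 and F0 lead octets and low continuation octets, and UTF5 and UTF6 admit 5- and 6-octet forms beyond the Unicode range. Because this ABNF is what LDAP strings are validated against, two different octet strings can denote the same character and comparisons become ambiguous; consider restricting UTF2 to %xC2-DF, dropping UTF5 and UTF6, and stating that implementations reject sequences that are not the shortest encoding of their value. Minor: "used as a more readable aliases" should read "used as more readable aliases", and "to the the ABNF" has a doubled "the". The OCTET production added in -02 is fine.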
skipping to change at page 12, line 14 skipping to change at page 12, line 21
option = 1*keychar option = 1*keychar
where <attributetype> identifies the attribute type and each <option> where <attributetype> identifies the attribute type and each <option>
identifies an attribute option. Both <attributetype> and <option> identifies an attribute option. Both <attributetype> and <option>
productions are case insensitive. The order in which <option>s appear productions are case insensitive. The order in which <option>s appear
is irrelevant. That is, any two <attributedescription>s which consist is irrelevant. That is, any two <attributedescription>s which consist
of the same <attributetype> and same set of <option>s are equivalent. of the same <attributetype> and same set of <option>s are equivalent.
Examples of valid attribute descriptions: Examples of valid attribute descriptions:
2.5.4.0 cn;lang-de;lang-en owner 2.5.4.0
cn;lang-de;lang-en
owner
An attribute description which consisting of an unrecognized attribute An attribute description which consisting of an unrecognized attribute
type is to be treated as unrecongized. Servers SHALL treat an type is to be treated as unrecongized. Servers SHALL treat an
attribute description with an unrecognized attribute option as attribute description with an unrecognized attribute option as
unrecongized. Client MAY treat an unrecongized attribute option as unrecongized. Client MAY treat an unrecongized attribute option as a
tagging option (see Section 2.5.2.1). tagging option (see Section 2.5.2.1).
All attributes of an entry must have distinct attribute descriptions. All attributes of an entry must have distinct attribute descriptions.
2.5.1. Attribute Types 2.5.1. Attribute Types
An attribute type governs whether the attribute can have multiple An attribute type governs whether the attribute can have multiple
values, the syntax and matching rules used to construct and compare values, the syntax and matching rules used to construct and compare
values of that attribute, and other functions. values of that attribute, and other functions.
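Review bot: "unrecongized" is misspelled three times in the paragraph after the examples while the same sentence spells "unrecognized" correctly; "An attribute description which consisting of an unrecognized attribute type" should read "An attribute description consisting of"; and "Client MAY treat" should read "Clients MAY treat". "All attributes of an entry must have distinct attribute descriptions" uses lowercase "must" where the surrounding text uses RFC 2119 keywords; if this is a normative requirement, write MUST. Putting each example on its own line in -02 is an improvement, since the -01 line "2.5.4.0 cn;lang-de;lang-en owner" read as one description.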
skipping to change at page 13, line 5 skipping to change at page 13, line 12
(a direct supertype). The subtype inherits the matching rules and (a direct supertype). The subtype inherits the matching rules and
syntax of its supertype. syntax of its supertype.
An attribute description consisting of a subtype and no options is An attribute description consisting of a subtype and no options is
said to the direct description subtype of the attribute description said to the direct description subtype of the attribute description
consisting of the subtype's direct supertype and no options. consisting of the subtype's direct supertype and no options.
Each attribute type is identified by an object identifier (OID) and, Each attribute type is identified by an object identifier (OID) and,
optionally, one or more short names known as descriptors. optionally, one or more short names known as descriptors.
Procedures for registering descriptors are detailed in [LDAPIANA].
2.5.2. Attribute Options 2.5.2. Attribute Options
There are multiple kinds of attribute description options. The LDAP There are multiple kinds of attribute description options. The LDAP
technical specification details one kind: tagging options. technical specification details one kind: tagging options.
Not all options can be associated with attributes held in the Not all options can be associated with attributes held in the
directory. Tagging options can be. directory. Tagging options can be.
Not all options can be use in conjunction with all attribute types. Not all options can be use in conjunction with all attribute types.
In such cases, the attribute description is to be treated as In such cases, the attribute description is to be treated as
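Review bot: "said to the direct description subtype of the attribute description" is missing its verb and should read "said to be the direct description subtype"; "Not all options can be use in conjunction with all attribute types" should read "can be used". Both slips are present in -01 and -02. The sentence added in -02 pointing registration of descriptors to [LDAPIANA] is consistent with the equivalent sentence for options later in 2.5.2.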
skipping to change at page 13, line 35 skipping to change at page 13, line 44
detail whether or not new kinds of options can be associated with detail whether or not new kinds of options can be associated with
attributes held in the directory, how new kinds of options affect attributes held in the directory, how new kinds of options affect
transfer of attribute values, and how new kinds of options are treated transfer of attribute values, and how new kinds of options are treated
in attribute description hierarchies. in attribute description hierarchies.
Options are represented as short case insensitive textual strings Options are represented as short case insensitive textual strings
conforming to the <option> production defined in Section 2.5 of this conforming to the <option> production defined in Section 2.5 of this
document. document.
Procedures for registering options are detailed in [LDAPIANA]. Procedures for registering options are detailed in [LDAPIANA].
Specifications of options should use registered short names to avoid
conflicts.
2.5.2.1. Tagging Options 2.5.2.1. Tagging Options
Attributes held in the directory can have attribute descriptions with Attributes held in the directory can have attribute descriptions with
one or more tagging options. Tagging options are never mutually one or more tagging options. Tagging options are never mutually
exclusive. exclusive.
An attribute description with N tagging options is consider a direct An attribute description with N tagging options is consider a direct
(description) subtype of all attribute descriptions of the same (description) subtype of all attribute descriptions of the same
attribute type and all but one of the N options. If the attribute attribute type and all but one of the N options. If the attribute
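Review bot: "An attribute description with N tagging options is consider a direct (description) subtype" should read "is considered". The sentence added in -02, "Specifications of options should use registered short names to avoid conflicts", uses lowercase "should"; if a normative recommendation is intended, write SHOULD as elsewhere in the document, otherwise the sentence reads as advisory only.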
skipping to change at page 17, line 18 skipping to change at page 17, line 25
to hold information associated with a subtree or subtree refinement" to hold information associated with a subtree or subtree refinement"
[X.501]. Subentries are used in Directory to hold for administrative [X.501]. Subentries are used in Directory to hold for administrative
and operational purposes as defined in [X.501]. Their use in LDAP is and operational purposes as defined in [X.501]. Their use in LDAP is
not detailed in this technical specification, but may be detailed in not detailed in this technical specification, but may be detailed in
future documents. future documents.
The term "(sub)entry" in this specification indicates that servers The term "(sub)entry" in this specification indicates that servers
implementing X.500(93) models are to use a subentry and other servers implementing X.500(93) models are to use a subentry and other servers
use an object entry belonging to the appropriate auxiliary class use an object entry belonging to the appropriate auxiliary class
normally used with the subentry (e.g., 'subschema' for subschema normally used with the subentry (e.g., 'subschema' for subschema
subentries) to mimic the subentry. This object entry's RDN shall be subentries) to mimic the subentry. This object entry's RDN SHALL be
formed from a value of the 'cn' (commonName) attribute [Schema]. formed from a value of the 'cn' (commonName) attribute [Schema].
3.3. The ObjectClass attribute 3.3. The 'objectClass' attribute
Each entry in the DIT has an 'objectClass' attribute. Each entry in the DIT has an 'objectClass' attribute.
( 2.5.4.0 NAME 'objectClass' ( 2.5.4.0 NAME 'objectClass'
EQUALITY objectIdentifierMatch EQUALITY objectIdentifierMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
The 'objectIdentifierMatch' matching rule and OBJECT IDENTIFIER The 'objectIdentifierMatch' matching rule and OBJECT IDENTIFIER
(1.3.6.1.4.1.1466.115.121.1.38) syntax is defined in [Syntaxes]. (1.3.6.1.4.1.1466.115.121.1.38) syntax is defined in [Syntaxes].
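Review bot: "Subentries are used in Directory to hold for administrative and operational purposes" is missing its object and should read "to hold information for administrative and operational purposes". In the closing paragraph, "The 'objectIdentifierMatch' matching rule and OBJECT IDENTIFIER (1.3.6.1.4.1.1466.115.121.1.38) syntax is defined in [Syntaxes]" has a compound subject and should use "are defined", matching the wording used for the other attribute definitions. The -02 change from "shall" to "SHALL" for the RDN requirement is right, and the quoted 3.3 heading now matches the table of contents.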
skipping to change at page 18, line 23 skipping to change at page 18, line 33
- creatorsName: the Distinguished Name of the user who added this - creatorsName: the Distinguished Name of the user who added this
entry to the directory. entry to the directory.
- createTimestamp: the time this entry was added to the directory. - createTimestamp: the time this entry was added to the directory.
- modifiersName: the Distinguished Name of the user who last - modifiersName: the Distinguished Name of the user who last
modified this entry. modified this entry.
- modifyTimestamp: the time this entry was last modified. - modifyTimestamp: the time this entry was last modified.
Servers SHOULD maintain these attributes for all entries of the DIT. Servers SHOULD maintain the 'creatorsName', 'createTimestamp',
'modifiersName', and 'modifyTimestamp' for all entries of the DIT.
3.4.1. 'createTimestamp' 3.4.1. 'creatorsName'
This attribute appears in entries which were added using the protocol This attribute appears in entries which were added using the protocol
(e.g., using the Add operation). The value is the time the entry was (e.g., using the Add operation). The value is the distinguised name
added. of the creator.
( 2.5.18.1 NAME 'createTimestamp' ( 2.5.18.3 NAME 'creatorsName'
EQUALITY generalizedTimeMatch EQUALITY distinguishedNameMatch
ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE NO-USER-MODIFICATION SINGLE-VALUE NO-USER-MODIFICATION
USAGE directoryOperation ) USAGE directoryOperation )
The 'generalizedTimeMatch' and 'generalizedTimeOrderingMatch' matching The 'distinguishedNameMatch' matching rule and the DistinguishedName
rules and the GeneralizedTime (1.3.6.1.4.1.1466.115.121.1.24) syntax (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [Syntaxes].
are defined in [Syntaxes].
3.4.2. 'modifyTimestamp' 3.4.2. 'createTimestamp'
This attribute appears in entries which have been modified using the This attribute appears in entries which were added using the protocol
protocol (e.g., using the Modify operation). The value is the time (e.g., using the Add operation). The value is the time the entry was
the entry was last modified. added.
( 2.5.18.2 NAME 'modifyTimestamp' ( 2.5.18.1 NAME 'createTimestamp'
EQUALITY generalizedTimeMatch EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE NO-USER-MODIFICATION SINGLE-VALUE NO-USER-MODIFICATION
USAGE directoryOperation ) USAGE directoryOperation )
The 'generalizedTimeMatch' and 'generalizedTimeOrderingMatch' matching The 'generalizedTimeMatch' and 'generalizedTimeOrderingMatch' matching
rules and the GeneralizedTime (1.3.6.1.4.1.1466.115.121.1.24) syntax rules and the GeneralizedTime (1.3.6.1.4.1.1466.115.121.1.24) syntax
are defined in [Syntaxes]. are defined in [Syntaxes].
3.4.3. 'creatorsName' 3.4.3. 'modifiersName'
This attribute appears in entries which were added using the protocol This attribute appears in entries which have been modified using the
(e.g., using the Add operation). The value is the distinguised name protocol (e.g., using Modify operation). The value is the
of the creator. distinguised name of the last modifier.
( 2.5.18.3 NAME 'creatorsName' ( 2.5.18.4 NAME 'modifiersName'
EQUALITY distinguishedNameMatch EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE NO-USER-MODIFICATION SINGLE-VALUE NO-USER-MODIFICATION
USAGE directoryOperation ) USAGE directoryOperation )
The 'distinguishedNameMatch' matching rule and the DistinguishedName The 'distinguishedNameMatch' matching rule and the DistinguishedName
(1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [Syntaxes]. (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [Syntaxes].
3.4.4. 'modifiersName' 3.4.4. 'modifyTimestamp'
This attribute appears in entries which have been modified using the This attribute appears in entries which have been modified using the
protocol (e.g., using the Modify operation). The value is the protocol (e.g., using the Modify operation). The value is the time
distinguised name of the last modifier. the entry was last modified.
( 2.5.18.4 NAME 'modifiersName' ( 2.5.18.2 NAME 'modifyTimestamp'
EQUALITY distinguishedNameMatch EQUALITY generalizedTimeMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE NO-USER-MODIFICATION SINGLE-VALUE NO-USER-MODIFICATION
USAGE directoryOperation ) USAGE directoryOperation )
The 'distinguishedNameMatch' matching rule and the DistinguishedName The 'generalizedTimeMatch' and 'generalizedTimeOrderingMatch' matching
(1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [Syntaxes]. rules and the GeneralizedTime (1.3.6.1.4.1.1466.115.121.1.24) syntax
are defined in [Syntaxes].
4. Directory Schema 4. Directory Schema
As defined in [X.501]: As defined in [X.501]:
The Directory Schema is a set of definitions and constraints The Directory Schema is a set of definitions and constraints
concerning the structure of the DIT, the possible ways entries are concerning the structure of the DIT, the possible ways entries are
named, the information that can be held in an entry, the named, the information that can be held in an entry, the
attributes used to represent that information and their attributes used to represent that information and their
organization into hierarchies to facilitate search and retrieval organization into hierarchies to facilitate search and retrieval
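Review bot: the introductory sentence now says servers SHOULD maintain 'creatorsName', 'createTimestamp', 'modifiersName' and 'modifyTimestamp' "for all entries of the DIT", but each per-attribute paragraph still says the attribute "appears in entries which were added using the protocol" or "modified using the protocol"; entries created or changed by other means are left unaddressed, so the two statements should be reconciled (for example by saying what a server does for entries it did not add via the protocol). That sentence should also end with "attributes" after the list. "distinguised name" is misspelled in both the 'creatorsName' and 'modifiersName' descriptions (compare the 'distinguishedNameMatch' rule named directly below), and in 3.4.3 "(e.g., using Modify operation)" dropped the article used in the other three sections; read "using the Modify operation". The reordering of 3.4.1 to 3.4.4 is consistent with the -02 table of contents.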
skipping to change at page 28, line 27 skipping to change at page 28, line 34
ruleidlist = [ ruleid *( SP ruleid ) ] ruleidlist = [ ruleid *( SP ruleid ) ]
ruleid = number ruleid = number
where: where:
<ruleid> is the rule identifier of this DIT structure rule; <ruleid> is the rule identifier of this DIT structure rule;
NAME <qdescrs> are short names identifying this DIT structure rule; NAME <qdescrs> are short names identifying this DIT structure rule;
DESC <qdstring> is a store descriptive string; DESC <qdstring> is a store descriptive string;
OBSOLETE indicates this DIT structure rule use is not active; OBSOLETE indicates this DIT structure rule use is not active;
FORM is specifies the name form associated with this DIT strucure rule; FORM is specifies the name form associated with this DIT strucure
rule;
SUP identifies superior rules (by rule id); and SUP identifies superior rules (by rule id); and
<extensions> describe extensions. <extensions> describe extensions.
Name form descriptions are written according to the ABNF: Name form descriptions are written according to the ABNF:
NameFormDescription = LPAREN WSP NameFormDescription = LPAREN WSP
numericoid ; object identifer numericoid ; object identifer
[ SP "NAME" SP qdescrs ] ; short names [ SP "NAME" SP qdescrs ] ; short names
[ SP "DESC" SP qdstring ] ; description [ SP "DESC" SP qdstring ] ; description
[ SP "OBSOLETE" ] ; not active [ SP "OBSOLETE" ] ; not active
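Review bot: in the list following "where:", "DESC <qdstring> is a store descriptive string" should read "short descriptive string", "FORM is specifies the name form" should read "FORM specifies the name form", and "DIT strucure rule" should be "DIT structure rule"; in the NameFormDescription ABNF the comment "; object identifer" should read "; object identifier". None of these were corrected in -02, which only rewrapped the FORM line.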
skipping to change at page 31, line 42 skipping to change at page 32, line 5
( 1.3.6.1.4.1.1466.101.120.16 NAME 'ldapSyntaxes' ( 1.3.6.1.4.1.1466.101.120.16 NAME 'ldapSyntaxes'
EQUALITY objectIdentifierFirstComponentMatch EQUALITY objectIdentifierFirstComponentMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.54 SYNTAX 1.3.6.1.4.1.1466.115.121.1.54
USAGE directoryOperation ) USAGE directoryOperation )
The 'objectIdentifierFirstComponentMatch' matching rule and the The 'objectIdentifierFirstComponentMatch' matching rule and the
SyntaxDescription (1.3.6.1.4.1.1466.115.121.1.54) syntax are defined SyntaxDescription (1.3.6.1.4.1.1466.115.121.1.54) syntax are defined
in [Syntaxes]. in [Syntaxes].
4.2.4. 'dITContentRules' 4.2.6. 'dITContentRules'
This attribute lists DIT Content Rules which are in force. This attribute lists DIT Content Rules which are in force.
( 2.5.21.2 NAME 'dITContentRules' ( 2.5.21.2 NAME 'dITContentRules'
EQUALITY objectIdentifierFirstComponentMatch EQUALITY objectIdentifierFirstComponentMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.16 SYNTAX 1.3.6.1.4.1.1466.115.121.1.16
USAGE directoryOperation ) USAGE directoryOperation )
The 'objectIdentifierFirstComponentMatch' matching rule and the The 'objectIdentifierFirstComponentMatch' matching rule and the
DITContentRuleDescription (1.3.6.1.4.1.1466.115.121.1.16) syntax are DITContentRuleDescription (1.3.6.1.4.1.1466.115.121.1.16) syntax are
defined in [Syntaxes]. defined in [Syntaxes].
4.2.5. 'dITStructureRules' 4.2.7. 'dITStructureRules'
This attribute lists DIT Structure Rules which are in force. This attribute lists DIT Structure Rules which are in force.
( 2.5.21.1 NAME 'dITStructureRules' ( 2.5.21.1 NAME 'dITStructureRules'
EQUALITY integerFirstComponentMatch EQUALITY integerFirstComponentMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.17 SYNTAX 1.3.6.1.4.1.1466.115.121.1.17
USAGE directoryOperation ) USAGE directoryOperation )
The 'integerFirstComponentMatch' matching rule and the The 'integerFirstComponentMatch' matching rule and the
DITStructureRuleDescription (1.3.6.1.4.1.1466.115.121.1.17) syntax are DITStructureRuleDescription (1.3.6.1.4.1.1466.115.121.1.17) syntax are
defined in [Syntaxes]. defined in [Syntaxes].
4.2.6 'nameForms' 4.2.8 'nameForms'
This attribute lists Name Forms which are in force. This attribute lists Name Forms which are in force.
( 2.5.21.7 NAME 'nameForms' ( 2.5.21.7 NAME 'nameForms'
EQUALITY objectIdentifierFirstComponentMatch EQUALITY objectIdentifierFirstComponentMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.35 SYNTAX 1.3.6.1.4.1.1466.115.121.1.35
USAGE directoryOperation ) USAGE directoryOperation )
The 'objectIdentifierFirstComponentMatch' matching rule and the The 'objectIdentifierFirstComponentMatch' matching rule and the
NameFormDescription (1.3.6.1.4.1.1466.115.121.1.35) syntax are defined NameFormDescription (1.3.6.1.4.1.1466.115.121.1.35) syntax are defined
in [Syntaxes]. in [Syntaxes].
4.3. 'extensibleObject' object class 4.3. 'extensibleObject' object class
The 'extensibleObject auxiliary object class allows entries belong to The 'extensibleObject auxiliary object class allows entries belong to
it to hold any attribute type. The set of allowed attributes of this it to hold any attribute type. The set of allowed attributes of this
class is implicitly the set of all user attribute types. class is implicitly the set of all user attributes.
( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject'
SUP top AUXILIARY ) SUP top AUXILIARY )
The mandatory attributes of the other object classes of this entry are The mandatory attributes of the other object classes of this entry are
still required to be present and any precluded attributes are still still required to be present and any precluded attributes are still
not allowed to be present. not allowed to be present.
Note that not all servers will implement this object class, and those Note that not all servers will implement this object class, and those
which do not will reject requests to add entries which contain this which do not will reject requests to add entries which contain this
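Review bot: renumbering 'dITContentRules', 'dITStructureRules' and 'nameForms' to 4.2.6, 4.2.7 and 4.2.8 brings the body in line with the -02 table of contents (the -01 body had two sections numbered 4.2.4), but "4.2.8 'nameForms'" still lacks the period after the section number that every other heading has. In 4.3, "'extensibleObject auxiliary object class" is missing its closing quote, and "allows entries belong to it" should read "allows entries belonging to it". Since this class implicitly permits every user attribute, the following sentence about mandatory and precluded attributes is the only constraint left stated; it would help readers to say explicitly whether DIT content rules continue to apply to entries of this class.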
skipping to change at page 35, line 18 skipping to change at page 35, line 28
their preferred LDAP server later becomes unavailable. their preferred LDAP server later becomes unavailable.
( 1.3.6.1.4.1.1466.101.120.6 NAME 'altServer' ( 1.3.6.1.4.1.1466.101.120.6 NAME 'altServer'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 USAGE dSAOperation ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 USAGE dSAOperation )
The IA5String (1.3.6.1.4.1.1466.115.121.1.26) syntax is defined in The IA5String (1.3.6.1.4.1.1466.115.121.1.26) syntax is defined in
[Syntaxes]. [Syntaxes].
5.1.2. 'namingContexts'

The 'namingContexts' attribute lists the context prefixes of the
naming contexts the server masters or shadows (in part or in whole).
If the server does not master or shadow any information (e.g. it is an
LDAP gateway to a public X.500 directory) this attribute will be
absent. If the server believes it masters or shadows the entire
directory, the attribute will have a single value, and that value will
be the empty string (indicating the null DN of the root). This
attribute allows a client to choose suitable base objects for
searching when it has contacted a server.

      ( 1.3.6.1.4.1.1466.101.120.5 NAME 'namingContexts'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 USAGE dSAOperation )

The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax is
defined in [Syntaxes].
5.1.3. 'supportedControl'

The 'supportedControl' attribute lists object identifiers identifying
the request controls the server supports. If the server does not
support any request controls, this attribute will be absent.

Object identifiers identifying response controls need not be listed.

Procedures for registering object identifiers used in the discovery of
protocol mechanisms are detailed in [LDAPIANA].

      ( 1.3.6.1.4.1.1466.101.120.13 NAME 'supportedControl'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation )

The OBJECT IDENTIFIER (1.3.6.1.4.1.1466.115.121.1.38) syntax is
defined in [Syntaxes].
5.1.4. 'supportedExtension'

The 'supportedExtension' attribute lists object identifiers
identifying the extended operations which the server supports. If the
server does not support any extended operations, this attribute will
be absent.

An extended operation comprises an ExtendedRequest, possibly other
PDUs defined by the extension, and an ExtendedResponse [Protocol].
The object identifier assigned to the ExtendedRequest is used to
identify the extended operation. Other object identifiers associated
with the extended operation need not be listed.

Procedures for registering object identifiers used in the discovery of
protocol mechanisms are detailed in [LDAPIANA].

      ( 1.3.6.1.4.1.1466.101.120.7 NAME 'supportedExtension'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation )

The OBJECT IDENTIFIER (1.3.6.1.4.1.1466.115.121.1.38) syntax is
defined in [Syntaxes].
5.1.5. 'supportedLDAPVersion'

The 'supportedLDAPVersion' attribute lists the versions of LDAP which
the server supports.
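The following Python program is an added example; it is not part of this draft nor of any LDAP implementation. It parses the four attribute type descriptions quoted in Section 5.1 (handling only the OID, NAME, SYNTAX and USAGE elements those descriptions use) and shows how a client should read a root DSE: the absent versus single-empty-value cases of 'namingContexts', the lookup of a request control or ExtendedRequest OID before relying on it, the LDAP version check, and the 'altServer' fallback list. The root DSE contents, the host name and the function names are assumptions made for the example; the control and extension OIDs used as sample values are the well-known ones for the paged results control and StartTLS.

```python
"""Added example, not part of the draft: reading the root DSE attributes
of Section 5.1.  The attribute type descriptions are quoted from the
draft; the root DSE, the host name and the helper names are assumed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Attribute type descriptions as given in Sections 5.1.1 to 5.1.4.
ROOT_DSE_ATTRIBUTE_TYPES = [
    "( 1.3.6.1.4.1.1466.101.120.6 NAME 'altServer' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 USAGE dSAOperation )",
    "( 1.3.6.1.4.1.1466.101.120.5 NAME 'namingContexts' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 USAGE dSAOperation )",
    "( 1.3.6.1.4.1.1466.101.120.13 NAME 'supportedControl' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation )",
    "( 1.3.6.1.4.1.1466.101.120.7 NAME 'supportedExtension' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation )",
]


@dataclass(frozen=True)
class AttributeType:
    oid: str
    name: str
    syntax: str
    usage: str


# Covers only the elements used above (OID, NAME, SYNTAX, USAGE), not the
# full AttributeTypeDescription grammar (no DESC, EQUALITY, SINGLE-VALUE ...).
_ATTR_TYPE_RE = re.compile(
    r"\(\s*(?P<oid>\d+(?:\.\d+)+)\s+NAME\s+'(?P<name>[A-Za-z][A-Za-z0-9-]*)'"
    r"\s+SYNTAX\s+(?P<syntax>\d+(?:\.\d+)+)\s+USAGE\s+(?P<usage>[A-Za-z]+)\s*\)\Z"
)


def parse_attribute_type(desc: str) -> AttributeType:
    m = _ATTR_TYPE_RE.match(desc.strip())
    if m is None:
        raise ValueError(f"unsupported attribute type description: {desc!r}")
    return AttributeType(**m.groupdict())


def load_schema(descs) -> dict[str, AttributeType]:
    """Index the parsed descriptions by NAME."""
    return {at.name: at for at in map(parse_attribute_type, descs)}


# A root DSE as returned by a base-scope search with an empty base DN
# (constructed).  The control and extension OIDs are the well-known ones for
# the paged results control and StartTLS, used here only as sample values.
SAMPLE_ROOT_DSE = {
    "namingContexts": ["dc=example,dc=com", "o=example"],
    "supportedControl": ["1.2.840.113556.1.4.319"],
    "supportedExtension": ["1.3.6.1.4.1.1466.20037"],
    "supportedLDAPVersion": ["3"],
    "altServer": ["ldap://ldap2.example.com/"],
}


def search_bases(root_dse: dict):
    """Base objects the client may search, following Section 5.1.2.

    None means 'namingContexts' is absent: the server masters or shadows
    nothing (e.g. an LDAP gateway to X.500).  [''] means the server claims
    the entire directory, so the null DN of the root is a usable base.
    """
    values = root_dse.get("namingContexts")
    return None if values is None else list(values)


def claims_entire_directory(root_dse: dict) -> bool:
    return root_dse.get("namingContexts") == [""]


def supports_control(root_dse: dict, control_oid: str) -> bool:
    """Only request controls are advertised (Section 5.1.3); consult this
    before sending a control with criticality set."""
    return control_oid in root_dse.get("supportedControl", [])


def supports_extension(root_dse: dict, request_oid: str) -> bool:
    """Look up the ExtendedRequest's OID; other OIDs an extension defines
    are not listed (Section 5.1.4)."""
    return request_oid in root_dse.get("supportedExtension", [])


def speaks_ldapv3(root_dse: dict) -> bool:
    return "3" in root_dse.get("supportedLDAPVersion", [])


def fallback_servers(root_dse: dict) -> list[str]:
    """'altServer' URLs (IA5String) to try if this server becomes unavailable."""
    return list(root_dse.get("altServer", []))


if __name__ == "__main__":
    schema = load_schema(ROOT_DSE_ATTRIBUTE_TYPES)
    for name, at in schema.items():
        print(f"{name}: syntax {at.syntax}, usage {at.usage}")
    print("search bases:", search_bases(SAMPLE_ROOT_DSE))
    print("paged results supported:",
          supports_control(SAMPLE_ROOT_DSE, "1.2.840.113556.1.4.319"))
```

The distinction search_bases() makes matters in practice: a client that treats an absent 'namingContexts' as "search from the null DN" will issue searches a gateway cannot serve, while a client that treats the single empty string as "no bases" will never search a server that in fact holds everything.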
skipping to change at page 38, line 17

requested. Servers that perform shadowing or caching MUST ensure that
they do not violate any access control constraints placed on the data
by the originating server.
7. Implementation Guidelines

7.1 Server Guidelines

Servers MUST recognize all attribute types and object classes defined
in this document but, unless stated otherwise, need not support the
associated functionality. Servers SHOULD recognize all the names of
object classes defined in Section 7 of [Schema].

Servers MUST ensure that entries conform to user and system schema
rules or other data model constraints.

Servers MAY support the DIT Content Rules, DIT Structural Rules, and/or
Name Forms features. To indicate support, servers SHOULD provide in
the subschema the definitions of attribute types associated with the
features they support.

Servers MAY support alias entries. To indicate support for alias
entries, servers SHOULD provide definitions for 'alias' and
'aliasedObjectName' in subschema (sub)entries.

Servers MAY support subentries. If so, they MUST do so in accordance
with [X.501]. Servers which do not support subentries SHOULD use
object entries to mimic subentries as detailed in Section 3.2.
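The following Python program is an added example and not the draft's own code. It applies the rules stated for 'extensibleObject' in Section 4.3 together with the conformance requirement of Section 7.1 to a single entry: the mandatory attributes of the entry's other object classes stay required, precluded attributes stay forbidden, and 'extensibleObject' admits user attribute types only. The toy schema, the set of user attribute types and the 'precluded' parameter (standing in for the NOT list of an applicable DIT content rule) are assumptions made for the example.

```python
"""Added example, not the draft's own code: check an entry against object
class MUST/MAY lists, the 'extensibleObject' rule and precluded attributes.
The schema, the user attribute set and the attribute names are constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ObjectClass:
    name: str
    sup: tuple = ()
    must: frozenset = frozenset()
    may: frozenset = frozenset()


# Toy schema (constructed).  'extensibleObject' follows Section 4.3: no
# MUST/MAY of its own, its allowed set being all user attribute types.
SCHEMA = {
    "top": ObjectClass("top", must=frozenset({"objectClass"})),
    "person": ObjectClass("person", sup=("top",),
                          must=frozenset({"sn", "cn"}),
                          may=frozenset({"userPassword", "telephoneNumber"})),
    "extensibleObject": ObjectClass("extensibleObject", sup=("top",)),
}

# User attribute types this server knows (constructed).  Operational
# attributes such as 'modifiersName' are deliberately absent because
# 'extensibleObject' admits user attributes only.
USER_ATTRIBUTE_TYPES = frozenset({
    "objectClass", "cn", "sn", "userPassword", "telephoneNumber",
    "description", "mail",
})


def expand_classes(names) -> set:
    """Close the entry's object classes over SUP so inherited MUST/MAY apply."""
    seen, stack = set(), list(names)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(SCHEMA[name].sup)
    return seen


def check_entry(entry: dict, precluded: frozenset = frozenset()) -> list:
    """Return a list of schema violations (empty when the entry conforms).

    'precluded' is the set of attribute types an applicable DIT content
    rule forbids; it wins even when 'extensibleObject' is present.
    """
    classes = list(entry.get("objectClass", []))
    unknown = [c for c in classes if c not in SCHEMA]
    if unknown:
        return [f"unknown object class '{c}'" for c in unknown]

    all_classes = expand_classes(classes)
    required = set().union(*(SCHEMA[c].must for c in all_classes))
    allowed = required.union(*(SCHEMA[c].may for c in all_classes))
    extensible = "extensibleObject" in all_classes

    problems = []
    # Mandatory attributes of the other classes are still required.
    for attr in sorted(required - set(entry)):
        problems.append(f"mandatory attribute '{attr}' missing")
    for attr in entry:
        if attr in precluded:
            problems.append(f"precluded attribute '{attr}' present")
        elif attr in allowed:
            continue
        elif extensible and attr in USER_ATTRIBUTE_TYPES:
            continue  # admitted by 'extensibleObject'
        elif extensible:
            problems.append(f"attribute '{attr}' is not a user attribute type, "
                            "so 'extensibleObject' does not admit it")
        else:
            problems.append(f"attribute '{attr}' is not allowed by the entry's "
                            "object classes")
    return problems


if __name__ == "__main__":
    entry = {"objectClass": ["person", "extensibleObject"],
             "cn": ["Ann"], "description": ["added via extensibleObject"]}
    for problem in check_entry(entry, precluded=frozenset({"telephoneNumber"})):
        print("violation:", problem)
```

A server that accepted the entry above (missing 'sn') because 'extensibleObject' is present would be violating Section 4.3; the same applies to a precluded attribute, which no object class, 'extensibleObject' included, can re-admit.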
skipping to change at page 39, line 14

Clients MUST NOT assume the LDAP-specific string encoding is
restricted to a UTF-8 encoded string of UCS characters or any
particular subset of UCS (such as a printable subset) unless such
restriction is explicitly stated.

Clients MUST NOT send attribute values in a request that are not valid
according to the syntax defined for the attributes.
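The following Python program is an added example, not code from the draft. It shows a client checking attribute values against their declared syntax before placing them in a request, as the client guideline above requires, while handling every value as octets so that no syntax is assumed to be UTF-8 unless its definition says so. The IA5String and OBJECT IDENTIFIER syntax OIDs are the ones quoted in Section 5.1; the Integer, Boolean, Directory String and Octet String OIDs and the checks follow the ABNF of [Syntaxes] and of this document as published in RFC 4517 and RFC 4512. DistinguishedName is left out because it needs a full DN parser. The function names are assumptions.

```python
"""Added example, not from the draft: validate attribute values against
their syntax before they go into a request.  Values are bytes throughout;
only syntaxes defined as UTF-8 are ever decoded."""
import re

# Syntax OIDs; the first two are quoted in Section 5.1, the rest are from
# [Syntaxes] (RFC 4517).
IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"
OBJECT_IDENTIFIER = "1.3.6.1.4.1.1466.115.121.1.38"
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"
INTEGER = "1.3.6.1.4.1.1466.115.121.1.27"
BOOLEAN = "1.3.6.1.4.1.1466.115.121.1.7"
OCTET_STRING = "1.3.6.1.4.1.1466.115.121.1.40"

# ABNF from RFC 4512/4517: a number has no leading zeros and a keystring
# starts with a letter.
_NUMERICOID = re.compile(rb"(?:0|[1-9][0-9]*)(?:\.(?:0|[1-9][0-9]*))+\Z")
_KEYSTRING = re.compile(rb"[A-Za-z][A-Za-z0-9-]*\Z")
_INTEGER = re.compile(rb"(?:-?[1-9][0-9]*|0)\Z")


def is_ia5_string(value: bytes) -> bool:
    """IA5: every octet in 0x00..0x7F; the value is never decoded as UTF-8."""
    return all(b < 0x80 for b in value)


def is_object_identifier(value: bytes) -> bool:
    """Either a numeric OID or a descriptor such as 'supportedControl'."""
    return bool(_NUMERICOID.match(value) or _KEYSTRING.match(value))


def is_directory_string(value: bytes) -> bool:
    """Directory String is defined as non-empty UTF-8, so decoding is allowed."""
    if not value:
        return False
    try:
        value.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def is_integer(value: bytes) -> bool:
    return _INTEGER.match(value) is not None


def is_boolean(value: bytes) -> bool:
    return value in (b"TRUE", b"FALSE")


def is_octet_string(value: bytes) -> bool:
    """Any octets at all; the client must not impose a character set here."""
    return True


_VALIDATORS = {
    IA5_STRING: is_ia5_string,
    OBJECT_IDENTIFIER: is_object_identifier,
    DIRECTORY_STRING: is_directory_string,
    INTEGER: is_integer,
    BOOLEAN: is_boolean,
    OCTET_STRING: is_octet_string,
}


def has_local_validator(syntax_oid: str) -> bool:
    return syntax_oid in _VALIDATORS


def validate_value(syntax_oid: str, value: bytes) -> bool:
    """True if value is valid for the syntax.  Raises for syntaxes not
    implemented here so that nothing is silently sent unchecked."""
    try:
        check = _VALIDATORS[syntax_oid]
    except KeyError:
        raise ValueError(f"no local validator for syntax {syntax_oid}") from None
    return check(value)


def prepare_attribute(name: str, syntax_oid: str, values):
    """Return (name, values) ready for a request, or raise if any value is
    invalid for the declared syntax."""
    bad = [v for v in values if not validate_value(syntax_oid, v)]
    if bad:
        raise ValueError(f"{name}: value(s) not valid for syntax {syntax_oid}: {bad!r}")
    return name, list(values)


if __name__ == "__main__":
    print(prepare_attribute("altServer", IA5_STRING, [b"ldap://ldap2.example.com/"]))
    try:
        prepare_attribute("altServer", IA5_STRING,
                          ["ldap://ldap.ex\u00e4mple.com/".encode("utf-8")])
    except ValueError as exc:
        print("rejected:", exc)
```

Keeping the values as bytes is the point of the first guideline: an Octet String value containing 0xFF is legitimate and must pass untouched, whereas the same octets are invalid for Directory String, whose definition does state UTF-8.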
8. Security Considerations

Attributes of directory entries are used to provide descriptive
information about the real-world objects they represent, which can be
people, organizations or devices. Most countries have privacy laws
regarding the publication of information about people.

General security considerations for accessing directory information
with LDAP are discussed in [Protocol] and [AuthMeth].
9. IANA Considerations

It is requested that IANA update the LDAP descriptors registry as
indicated in the following template:

      Subject: Request for LDAP Descriptor Registration Update
      Descriptor (short name): see comment
      Object Identifier: see comment
      Person & email address to contact for further information:
          Kurt Zeilenga <kurt@OpenLDAP.org>
skipping to change at page 45, line 13

2252 were incorporated into this document.

The 'supportedExtension' description was clarified. A server need
only list the OBJECT IDENTIFIERs associated with the extended
requests of the extended operations it recognizes.

The 'supportedControl' description was clarified. A server need
only list the OBJECT IDENTIFIERs associated with the request
controls it recognizes.

A.2.3 Section 7 of RFC 2252

Section 7 of RFC 2252 provides definitions of the 'subschema' and
'extensibleObject' object classes. These definitions were
integrated into Section 4.2 and Section 4.3 of this document,
respectively. Section 7 of RFC 2252 also contained the object class
implementation requirement. This was incorporated into Section 7 of
this document.

The specification of 'extensibleObject' was clarified as to how it
interacts with precluded attributes.

A.3 Changes to RFC 2256

This document incorporates Sections 5.1, 5.2, 7.1, and 7.2 of RFC
2256.

Section 5.1 of RFC 2256 provided the definition of the 'objectClass'
attribute type. This was integrated into Section 2.4.1 of this
document. The statement "One of the values is either 'top' or
'alias'" was replaced with the statement that one of the values is 'top'
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/