draft-ietf-ldapbis-models-11.txt   draft-ietf-ldapbis-models-12.txt 
INTERNET-DRAFT Editor: Kurt D. Zeilenga INTERNET-DRAFT Editor: Kurt D. Zeilenga
Intended Category: Standard Track OpenLDAP Foundation Intended Category: Standard Track OpenLDAP Foundation
Expires in six months 4 June 2004 Expires in six months 24 October 2004
Obsoletes: RFC 2251, RFC 2252, RFC 2256 Obsoletes: RFC 2251, RFC 2252, RFC 2256
LDAP: Directory Information Models LDAP: Directory Information Models
<draft-ietf-ldapbis-models-11.txt> <draft-ietf-ldapbis-models-12.txt>
Status of this Memo Status of this Memo
This document is intended to be published as a Standard Track RFC. This document is intended to be published as a Standard Track RFC.
Distribution of this memo is unlimited. Technical discussion of this Distribution of this memo is unlimited. Technical discussion of this
document will take place on the IETF LDAP Revision Working Group document will take place on the IETF LDAP Revision Working Group
mailing list <ietf-ldapbis@openldap.org>. Please send editorial mailing list <ietf-ldapbis@openldap.org>. Please send editorial
comments directly to the editor <Kurt@OpenLDAP.org>. comments directly to the editor <Kurt@OpenLDAP.org>.
By submitting this Internet-Draft, I accept the provisions of Section By submitting this Internet-Draft, I accept the provisions of Section
4 of RFC 3667. By submitting this Internet-Draft, I certify that any 4 of RFC 3667. By submitting this Internet-Draft, I certify that any
applicable patent or other IPR claims of which I am aware have been applicable patent or other IPR claims of which I am aware have been
disclosed, and any of which I become aware will be disclosed, in disclosed, or will be disclosed, and any of which I become aware will
accordance with RFC 3668. be disclosed, in accordance with RFC 3668.
Internet-Drafts are working documents of the Internet Engineering Task Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts. groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress." or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. The list of <http://www.ietf.org/ietf/1id-abstracts.txt>. The list of
Internet-Draft Shadow Directories can be accessed at Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. <http://www.ietf.org/shadow.html>.
Copyright (C) The Internet Society (2004). All Rights Reserved. Copyright (C) The Internet Society (2004). All Rights Reserved.
Please see the Full Copyright section near the end of this document Please see the Full Copyright section near the end of this document
for more information. for more information.
Abstract Abstract
The Lightweight Directory Access Protocol (LDAP) is an Internet The Lightweight Directory Access Protocol (LDAP) is an Internet
protocol for accessing distributed directory services which act in protocol for accessing distributed directory services which act in
skipping to change at page 8, line 16 skipping to change at page 8, line 16
values, the syntax and matching rules used to construct and compare values, the syntax and matching rules used to construct and compare
values of that attribute, and other functions. Options indicate values of that attribute, and other functions. Options indicate
subtypes and other functions. subtypes and other functions.
Attribute values conform to the defined syntax of the attribute type. Attribute values conform to the defined syntax of the attribute type.
No two values of an attribute may be equivalent. Two values are No two values of an attribute may be equivalent. Two values are
considered equivalent only if they would match according to the considered equivalent only if they would match according to the
equality matching rule of the attribute type. If the attribute type equality matching rule of the attribute type. If the attribute type
is defined with no equality matching rule, two values are equivalent is defined with no equality matching rule, two values are equivalent
if and only if they are identical. if and only if they are identical. (See 2.5.1 for other
restrictions.)
For example, a 'givenName' attribute can have more than one value, For example, a 'givenName' attribute can have more than one value,
they must be Directory Strings, and they are case insensitive. A they must be Directory Strings, and they are case insensitive. A
'givenName' attribute cannot hold both "John" and "JOHN" as these are 'givenName' attribute cannot hold both "John" and "JOHN" as these are
equivalent values per the equality matching rule of the attribute equivalent values per the equality matching rule of the attribute
type. type.
When an attribute is used for naming of the entry, one and only one When an attribute is used for naming of the entry, one and only one
value of the attribute is used in forming the Relative Distinguished value of the attribute is used in forming the Relative Distinguished
Name. This value is known as a distinguished value. Name. This value is known as a distinguished value.
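Review bot: the new cross-reference "(See 2.5.1 for other restrictions.)" in 2.2 and the new 2.5.1 bullet "no two values may be equivalent (see 2.2)" now point at each other; pick one place (2.2 is the natural one, since it already states "No two values of an attribute may be equivalent") as the normative statement and have the other defer to it, so implementers enforcing duplicate-value rejection do not have two slightly different phrasings to reconcile. The section also says what a server must not store ('givenName' "cannot hold both "John" and "JOHN"") but not what a client sees when it tries; if the resulting error is specified in [Protocol], a pointer to it here would help.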
skipping to change at page 11, line 40 skipping to change at page 11, line 40
Each structural object class is a (direct or indirect) subclass of the Each structural object class is a (direct or indirect) subclass of the
'top' abstract object class. 'top' abstract object class.
Structural object classes cannot subclass auxiliary object classes. Structural object classes cannot subclass auxiliary object classes.
Each entry is said to belong to its structural object class as well as Each entry is said to belong to its structural object class as well as
all classes in its structural object class's superclass chain. all classes in its structural object class's superclass chain.
2.4.3. Auxiliary Object Classes 2.4.3. Auxiliary Object Classes
Auxiliary object classes are used augment the characteristics of Auxiliary object classes are used to augment the characteristics of
entries. They are commonly used to augment the sets of attributes entries. They are commonly used to augment the sets of attributes
required and allowed to be present in an entry. They can be used to required and allowed to be present in an entry. They can be used to
describe entries or classes of entries. describe entries or classes of entries.
Auxiliary object classes cannot subclass structural object classes. Auxiliary object classes cannot subclass structural object classes.
An entry can belong to any subset of the set of auxiliary object An entry can belong to any subset of the set of auxiliary object
classes allowed by the DIT content rule associated with the structural classes allowed by the DIT content rule associated with the structural
object class of the entry. If no DIT content rule is associated with object class of the entry. If no DIT content rule is associated with
the structural object class of the entry, the entry cannot belong to the structural object class of the entry, the entry cannot belong to
skipping to change at page 13, line 4 skipping to change at page 13, line 4
All attributes of an entry must have distinct attribute descriptions. All attributes of an entry must have distinct attribute descriptions.
2.5.1. Attribute Types 2.5.1. Attribute Types
An attribute type governs whether the attribute can have multiple An attribute type governs whether the attribute can have multiple
values, the syntax and matching rules used to construct and compare values, the syntax and matching rules used to construct and compare
values of that attribute, and other functions. values of that attribute, and other functions.
If no equality matching is specified for the attribute type: If no equality matching is specified for the attribute type:
- the attribute (of the type) cannot be used for naming; - the attribute (of the type) cannot be used for naming;
- individual values of a multi-valued attribute attribute to be - when adding the attribute (or replacing all values), no two values
added or deleted; may be equivalent (see 2.2);
- individual values of a multi-valued attribute are not to be
independently added or deleted;
- attribute value assertions (such as matching in search filters and - attribute value assertions (such as matching in search filters and
comparisons) using values of such a type cannot be performed. comparisons) using values of such a type cannot be performed.
Otherwise, the equality matching rule is to be used for the purposes Otherwise, the equality matching rule is to be used for the purposes
of evaluating attribute value assertions concerning the attribute of evaluating attribute value assertions concerning the attribute
type. type.
The attribute type indicates whether the attribute is a user attribute The attribute type indicates whether the attribute is a user attribute
or an operational attribute. If operational, the attribute type or an operational attribute. If operational, the attribute type
indicates the operational usage and whether the attribute is indicates the operational usage and whether the attribute is
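Review bot: in the restriction list of 2.5.1, the lead-in "If no equality matching is specified for the attribute type" should read "If no equality matching rule is specified", matching "equality matching rule" as used in 2.2 and in the sentence that follows the list ("Otherwise, the equality matching rule is to be used"). The second new bullet ("individual values of a multi-valued attribute are not to be independently added or deleted") is what lets a server keep the no-equivalent-values invariant when it has no rule with which to compare values; it would help to say so explicitly, since the first bullet only constrains the add and replace-all cases and a reader may otherwise take the two bullets as unrelated restrictions.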
skipping to change at page 15, line 25 skipping to change at page 15, line 27
returned if available. Where the more general descriptions are returned if available. Where the more general descriptions are
selected to be returned as part of a search result both the selected to be returned as part of a search result both the
general and the specialized descriptions shall be returned, if general and the specialized descriptions shall be returned, if
available. An attribute value shall always be returned as a value available. An attribute value shall always be returned as a value
of its own attribute description. of its own attribute description.
All of the attribute descriptions in an attribute hierarchy are All of the attribute descriptions in an attribute hierarchy are
treated as distinct and unrelated descriptions for user treated as distinct and unrelated descriptions for user
modification of entry content. modification of entry content.
An attribute value stored in a object or alias entry is of An attribute value stored in an object or alias entry is of
precisely one attribute description. The description is indicated precisely one attribute description. The description is indicated
when the value is originally added to the entry. when the value is originally added to the entry.
For the purpose of subschema administration of the entry, a For the purpose of subschema administration of the entry, a
specification that an attribute is required is fulfilled if the entry specification that an attribute is required is fulfilled if the entry
contains a value of an attribute description belonging to an attribute contains a value of an attribute description belonging to an attribute
hierarchy where the attribute type of that description is the same as hierarchy where the attribute type of that description is the same as
the required attribute's type. That is, a "MUST name" specification the required attribute's type. That is, a "MUST name" specification
is fulfilled by 'name' or 'name;x-tag-option', but is not fulfilled by is fulfilled by 'name' or 'name;x-tag-option', but is not fulfilled by
'CN' nor by 'CN;x-tag-option' (even though 'CN' is a subtype of 'CN' nor by 'CN;x-tag-option' (even though 'CN' is a subtype of
skipping to change at page 16, line 4 skipping to change at page 16, line 6
'name;x-tag-option' are allowed by "MAY name" (or by "MUST name"), but 'name;x-tag-option' are allowed by "MAY name" (or by "MUST name"), but
'CN' and 'CN;x-tag-option' are not allowed by "MAY name" (nor by "MUST 'CN' and 'CN;x-tag-option' are not allowed by "MAY name" (nor by "MUST
name"). name").
For the purposes of other policy administration, unless stated For the purposes of other policy administration, unless stated
otherwise in the specification of the particular administrative model, otherwise in the specification of the particular administrative model,
all of the attribute descriptions in an attribute hierarchy are all of the attribute descriptions in an attribute hierarchy are
treated as distinct and unrelated descriptions. treated as distinct and unrelated descriptions.
2.6. Alias Entries 2.6. Alias Entries
As adapted from [X.501]: As adapted from [X.501]:
An alias, or an alias name, for an object is a an alternative name An alias, or an alias name, for an object is an alternative name
for an object or object entry which is provided by the use of for an object or object entry which is provided by the use of
alias entries. alias entries.
Each alias entry contains, within the 'aliasedObjectName' Each alias entry contains, within the 'aliasedObjectName'
attribute (known as the 'aliasedEntryName' attribute in X.500]), a attribute (known as the 'aliasedEntryName' attribute in X.500]), a
name of some object. The distinguished name of the alias entry is name of some object. The distinguished name of the alias entry is
thus also a name for this object. thus also a name for this object.
NOTE - The name within the 'aliasedObjectName' is said to be NOTE - The name within the 'aliasedObjectName' is said to be
pointed to by the alias. It does not have to be the pointed to by the alias. It does not have to be the
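Review bot: in the text adapted from [X.501], "(known as the 'aliasedEntryName' attribute in X.500])" has an unmatched closing bracket; the reference should presumably be written "[X.500]" in the style of the "[X.501]" citation a few lines above. The typo is present in both columns, so the "a an alternative name" fix in the same paragraph did not catch it.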
skipping to change at page 23, line 47 skipping to change at page 23, line 49
; except %x27 ("'") and %x5C ("\") ; except %x27 ("'") and %x5C ("\")
QUTF8 = QUTF1 / UTFMB QUTF8 = QUTF1 / UTFMB
; Any ASCII character except %x27 ("'") and %x5C ("\") ; Any ASCII character except %x27 ("'") and %x5C ("\")
QUTF1 = %x00-26 / %x28-5B / %x5D-7F QUTF1 = %x00-26 / %x28-5B / %x5D-7F
Schema definitions in this section also share a number of common Schema definitions in this section also share a number of common
terms. terms.
The NAME field provides a set of short names (descriptors) which are The NAME field provides a set of short names (descriptors) which are
be used as aliases for the OID. to be used as aliases for the OID.
The DESC field optionally allows a descriptive string to be provided The DESC field optionally allows a descriptive string to be provided
by the directory administrator and/or implementor. While by the directory administrator and/or implementor. While
specifications may suggest a descriptive string, there is no specifications may suggest a descriptive string, there is no
requirement that the suggested (or any) descriptive string be used. requirement that the suggested (or any) descriptive string be used.
The OBSOLETE field, if present, indicates the element is not active. The OBSOLETE field, if present, indicates the element is not active.
Implementors should note that future versions of this document may Implementors should note that future versions of this document may
expand these definitions to include additional terms. Terms whose expand these definitions to include additional terms. Terms whose
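Review bot: the QUTF1 production "%x00-26 / %x28-5B / %x5D-7F" admits NUL and the other C0 control characters inside qdstring values, since only %x27 ("'") and %x5C ("\") are excluded. If that is intended, a sentence noting it would help implementers, because schema-description parsers that hand qdstring values to NUL-terminated string APIs will silently truncate them; if it is not intended, the first range should start at %x01 or exclude the control characters. The "which are to be used as aliases for the OID" fix in the NAME paragraph reads correctly.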
skipping to change at page 28, line 12 skipping to change at page 28, line 14
OBSOLETE indicates this matching rule use is not active; OBSOLETE indicates this matching rule use is not active;
APPLIES provides a list of attribute types the matching rule applies APPLIES provides a list of attribute types the matching rule applies
to; and to; and
<extensions> describe extensions. <extensions> describe extensions.
4.1.5. LDAP Syntaxes 4.1.5. LDAP Syntaxes
LDAP Syntaxes of (attribute and assertion) values are described in LDAP Syntaxes of (attribute and assertion) values are described in
terms of ASN.1 [X.680] and, optionally, have an octet string encoding terms of ASN.1 [X.680] and, optionally, have an octet string encoding
known as the LDAP-specific encoding. Commonly, the LDAP-specific known as the LDAP-specific encoding. Commonly, the LDAP-specific
encoding is constrained to string of Unicode [Unicode] characters in encoding is constrained to a string of Unicode [Unicode] characters in
UTF-8 [RFC3629] form. UTF-8 [RFC3629] form.
Each LDAP syntax is identified by an object identifier (OID). Each LDAP syntax is identified by an object identifier (OID).
LDAP syntax definitions are written according to the ABNF: LDAP syntax definitions are written according to the ABNF:
SyntaxDescription = LPAREN WSP SyntaxDescription = LPAREN WSP
numericoid ; object identifier numericoid ; object identifier
[ SP "DESC" SP qdstring ] ; description [ SP "DESC" SP qdstring ] ; description
extensions WSP RPAREN ; extensions extensions WSP RPAREN ; extensions
where: where:
<numericoid> is object identifier assigned to this LDAP syntax; <numericoid> is the object identifier assigned to this LDAP syntax;
DESC <qdstring> is a short descriptive string; and DESC <qdstring> is a short descriptive string; and
<extensions> describe extensions. <extensions> describe extensions.
4.1.6. DIT Content Rules 4.1.6. DIT Content Rules
A DIT content rule is a "rule governing the content of entries of a A DIT content rule is a "rule governing the content of entries of a
particular structural object class" [X.501]. particular structural object class" [X.501].
For DIT entries of a particular structural object class, a DIT content For DIT entries of a particular structural object class, a DIT content
rule specifies which auxiliary object classes the entries are allowed rule specifies which auxiliary object classes the entries are allowed
to belong to and which additional attributes (by type) are required, to belong to and which additional attributes (by type) are required,
allowed or not allowed to appear in the entries. allowed or not allowed to appear in the entries.
The list of precluded attributes cannot include any attribute listed The list of precluded attributes cannot include any attribute listed
as mandatory in rule, the structural object class, or any of the as mandatory in the rule, the structural object class, or any of the
allowed auxiliary object classes. allowed auxiliary object classes.
Each content rule is identified by the object identifier, as well as Each content rule is identified by the object identifier, as well as
any short names (descriptors), of the structural object class it any short names (descriptors), of the structural object class it
applies to. applies to.
An entry may only belong to auxiliary object classes listed in the An entry may only belong to auxiliary object classes listed in the
governing content rule. governing content rule.
An entry must contain all attributes required by the object classes An entry must contain all attributes required by the object classes
the entry belongs to as well as all attributed required by the the entry belongs to as well as all attributes required by the
governing content rule. governing content rule.
An entry may contain any non-precluded attributes allowed by the An entry may contain any non-precluded attributes allowed by the
object classes the entry belongs to as well as all attributes allowed object classes the entry belongs to as well as all attributes allowed
by the governing content rule. by the governing content rule.
An entry cannot include any attribute precluded by the governing An entry cannot include any attribute precluded by the governing
content rule. content rule.
An entry is governed by (if present and active in the subschema) the An entry is governed by (if present and active in the subschema) the
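Review bot: in 4.1.6, "An entry may contain any non-precluded attributes allowed by the object classes the entry belongs to as well as all attributes allowed by the governing content rule" should say "any attributes allowed by the governing content rule" to parallel "any non-precluded attributes"; "all" belongs in the preceding sentence ("An entry must contain all attributes required ..."), where the new "attributes required" wording fixes the old "attributed required". In 4.1.5, "constrained to a string of Unicode [Unicode] characters" and "is the object identifier assigned to this LDAP syntax" are the right fixes.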
skipping to change at page 32, line 19 skipping to change at page 32, line 21
and so these are not ordinary object entries but subentries (see and so these are not ordinary object entries but subentries (see
Section 3.2). LDAP clients SHOULD NOT assume that servers implement Section 3.2). LDAP clients SHOULD NOT assume that servers implement
any of the other aspects of X.500 subschema. any of the other aspects of X.500 subschema.
Servers MAY allow subschema modification. Procedures for subschema Servers MAY allow subschema modification. Procedures for subschema
modification are discussed in Section 14.5 of [X.501]. modification are discussed in Section 14.5 of [X.501].
A server which masters entries and permits clients to modify these A server which masters entries and permits clients to modify these
entries SHALL implement and provide access to these subschema entries SHALL implement and provide access to these subschema
(sub)entries including providing a 'subschemaSubentry' attribute in (sub)entries including providing a 'subschemaSubentry' attribute in
each modifiable entry. This so clients may discover the attributes each modifiable entry. This is so clients may discover the attributes
and object classes which are permitted to be present. It is strongly and object classes which are permitted to be present. It is strongly
RECOMMENDED that all other servers implement this as well. RECOMMENDED that all other servers implement this as well.
The value of the 'subschemaSubentry' attribute is the name of the The value of the 'subschemaSubentry' attribute is the name of the
subschema (sub)entry holding the subschema controlling the entry. subschema (sub)entry holding the subschema controlling the entry.
( 2.5.18.10 NAME 'subschemaSubentry' ( 2.5.18.10 NAME 'subschemaSubentry'
EQUALITY distinguishedNameMatch EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
NO-USER-MODIFICATION SINGLE-VALUE NO-USER-MODIFICATION SINGLE-VALUE
skipping to change at page 34, line 44 skipping to change at page 34, line 47
EQUALITY objectIdentifierFirstComponentMatch EQUALITY objectIdentifierFirstComponentMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.16 SYNTAX 1.3.6.1.4.1.1466.115.121.1.16
USAGE directoryOperation ) USAGE directoryOperation )
The 'objectIdentifierFirstComponentMatch' matching rule and the The 'objectIdentifierFirstComponentMatch' matching rule and the
DITContentRuleDescription (1.3.6.1.4.1.1466.115.121.1.16) syntax are DITContentRuleDescription (1.3.6.1.4.1.1466.115.121.1.16) syntax are
defined in [Syntaxes]. defined in [Syntaxes].
4.2.7. 'dITStructureRules' 4.2.7. 'dITStructureRules'
This attribute lists DIT Structure Rules which present in the This attribute lists DIT Structure Rules which are present in the
subschema. subschema.
( 2.5.21.1 NAME 'dITStructureRules' ( 2.5.21.1 NAME 'dITStructureRules'
EQUALITY integerFirstComponentMatch EQUALITY integerFirstComponentMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.17 SYNTAX 1.3.6.1.4.1.1466.115.121.1.17
USAGE directoryOperation ) USAGE directoryOperation )
The 'integerFirstComponentMatch' matching rule and the The 'integerFirstComponentMatch' matching rule and the
DITStructureRuleDescription (1.3.6.1.4.1.1466.115.121.1.17) syntax are DITStructureRuleDescription (1.3.6.1.4.1.1466.115.121.1.17) syntax are
defined in [Syntaxes]. defined in [Syntaxes].
skipping to change at page 42, line 30 skipping to change at page 42, line 33
information about the real-world objects they represent, which can be information about the real-world objects they represent, which can be
people, organizations or devices. Most countries have privacy laws people, organizations or devices. Most countries have privacy laws
regarding the publication of information about people. regarding the publication of information about people.
General security considerations for accessing directory information General security considerations for accessing directory information
with LDAP are discussed in [Protocol] and [AuthMeth]. with LDAP are discussed in [Protocol] and [AuthMeth].
9. IANA Considerations 9. IANA Considerations
It is requested that the Internet Assigned Numbers Authority (IANA) It is requested that the Internet Assigned Numbers Authority (IANA)
update the LDAP descriptors registry as indicated the following update the LDAP descriptors registry as indicated in the following
template: template:
Subject: Request for LDAP Descriptor Registration Update Subject: Request for LDAP Descriptor Registration Update
Descriptor (short name): see comment Descriptor (short name): see comment
Object Identifier: see comment Object Identifier: see comment
Person & email address to contact for further information: Person & email address to contact for further information:
Kurt Zeilenga <kurt@OpenLDAP.org> Kurt Zeilenga <kurt@OpenLDAP.org>
Usage: see comment Usage: see comment
Specification: RFC XXXX Specification: RFC XXXX
Author/Change Controller: IESG Author/Change Controller: IESG
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/