Side-by-side comparison of draft-ietf-ldapbis-user-schema-00.txt and draft-ietf-ldapbis-user-schema-01.txt

[draft -00]
INTERNET-DRAFT                                          K. Dally, Editor
Intended Category: Standard Track                        The MITRE Corp.
Expires 04 October 2001                                    04 April 2001
Obsoletes: 2256

A Summary of the X.500(3rd edition) User Schema for use with LDAPv3
<draft-ietf-ldapbis-user-schema-00>

[draft -01]
INTERNET-DRAFT                                          K. Dally, Editor
Intended Category: Standard Track                        The MITRE Corp.
Expires 20 May 2001                                     20 November 2001
Obsoletes: RFC 2256

A Summary of the X.500(2nd edition) User Schema for use with LDAPv3
<draft-ietf-ldapbis-user-schema-01>
[Editor's note:
This Internet-Draft (I-D) is a modified version of the text of RFC 2256, in order to bring it up to date. This action is part of the maintenance activity that is needed in order to progress LDAPv3 to Draft Standard. The changes are described in Annex A of this document.
End of Editor's note]

Status of this Memo
nor does it include attributes defined by other ISO/ITU-T documents.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [6].
Table of Contents

[draft -00]
Status of this Memo 1
Abstract 2
1. General Issues 5
2. Source 5
3. Attribute Types 5
3.1 "MUST" Attribute Types 5
3.1.1 objectClass 5
3.2 "SHOULD" Attribute Types 6
3.2.1 aliasedObjectName 6
3.2.2 cn 6
3.2.3 sn 6
3.2.4 serialNumber 6
3.2.5 c 6
3.2.6 l 6
3.2.7 st 7
3.2.8 street 7
3.2.9 o 7
3.2.10 ou 7
3.2.11 title 7
3.2.12 description 7
3.2.13 businessCategory 8
3.2.14 postalAddress 8
3.2.15 postalCode 8
3.2.16 postOfficeBox 8
3.2.17 physicalDeliveryOfficeName 8
3.2.18 telephoneNumber 9
3.2.19 telexNumber 9
3.2.20 facsimileTelephoneNumber 9
3.2.21 x121Address 9
3.2.22 internationalISDNNumber 9
3.2.23 registeredAddress 9
3.2.24 destinationIndicator 10
3.2.25 preferredDeliveryMethod 10
3.2.26 presentationAddress 10
3.2.27 supportedApplicationContext 10
3.2.28 member 10
3.2.29 owner 10
3.2.30 roleOccupant 11
3.2.31 seeAlso 11
3.2.32 userPassword 11
3.2.33 userCertificate 11
3.2.34 cACertificate 11
3.2.35 authorityRevocationList 12
3.2.36 certificateRevocationList 12
3.2.37 crossCertificatePair 12
3.2.38 name 12
3.2.39 givenName 12
3.2.40 initials 12
3.2.41 generationQualifier 13
3.2.42 x500UniqueIdentifier 13
3.2.43 dnQualifier 13
3.2.44 enhancedSearchGuide 13
3.2.45 protocolInformation 13
3.2.46 distinguishedName 14
3.2.47 uniqueMember 14
3.2.48 houseIdentifier 14
3.2.49 supportedAlgorithms 14
3.2.50 deltaRevocationList 14
3.2.51 dmdName 15
3.3 Superseded and Withdrawn Attribute Types 15
3.3.1 knowledgeInformation 15
3.3.2 searchGuide 15
3.3.3 teletexTerminalIdentifier 15
4. Syntaxes 15
4.1 Delivery Method 15
4.2 Enhanced Guide 16
4.3 Guide 16
4.4 Octet String 16
4.5 Teletex Terminal Identifier 17
4.6 Telex Number 17
4.7 Supported Algorithm 17
5. Object Classes 18
5.1 top 18
5.2 alias 18
5.3 country 18
5.4 locality 18
5.5 organization 18
5.6 organizationalUnit 18
5.7 person 18
5.8 organizationalPerson 19
5.9 organizationalRole 19
5.10 groupOfNames 19
5.11 residentialPerson 19
5.12 applicationProcess 19
5.13 applicationEntity 19
5.14 dSA 19
5.15 device 20
5.16 strongAuthenticationUser 20
5.17 certificationAuthority 20
5.18 groupOfUniqueNames 20
5.19 userSecurityInformation 20
5.20 certificationAuthority-V2 20
5.21 cRLDistributionPoint 20
5.22 dmd 20
6. Matching Rules 21
6.1 octetStringMatch 21
7. Security Considerations 21
8. Acknowledgements 21
9. Bibliography 22
10. Author's Address 22
Annex A Change Log 23

[draft -01]
Status of this Memo 1
Abstract 2
1. General Issues 5
2. Source 5
3. Attribute Types 6
3.1 aliasedObjectName 6
3.2 authorityRevocationList 6
3.3 businessCategory 6
3.4 c 7
3.5 cACertificate 7
3.6 certificateRevocationList 7
3.7 cn 7
3.8 crossCertificatePair 7
3.9 deltaRevocationList 8
3.10 description 8
3.11 destinationIndicator 8
3.12 distinguishedName 8
3.13 dmdName 8
3.14 dnQualifier 9
3.15 enhancedSearchGuide 9
3.16 facsimileTelephoneNumber 9
3.17 generationQualifier 9
3.18 givenName 9
3.19 houseIdentifier 10
3.20 initials 10
3.21 internationalISDNNumber 10
3.22 knowledgeInformation 10
3.23 l 10
3.24 member 10
3.25 name 11
3.26 o 11
3.27 objectClass 11
3.28 ou 11
3.29 owner 11
3.30 physicalDeliveryOfficeName 12
3.31 postalAddress 12
3.32 postalCode 12
3.33 postOfficeBox 12
3.34 preferredDeliveryMethod 12
3.35 presentationAddress 13
3.36 protocolInformation 13
3.37 registeredAddress 13
3.38 roleOccupant 13
3.39 searchGuide 13
3.40 seeAlso 14
3.41 serialNumber 14
3.42 sn 14
3.43 st 14
3.44 street 14
3.45 supportedAlgorithms 14
3.46 supportedApplicationContext 15
3.47 telephoneNumber 15
3.48 teletexTerminalIdentifier 15
3.49 telexNumber 15
3.50 title 15
3.51 uniqueMember 16
3.52 userCertificate 16
3.53 userPassword 16
3.54 x121Address 16
3.55 x500UniqueIdentifier 17
4. Object Classes 18
4.1 alias 18
4.2 applicationEntity 18
4.3 applicationProcess 18
4.4 certificationAuthority 18
4.5 certificationAuthority-V2 19
4.6 country 19
4.7 cRLDistributionPoint 19
4.8 device 19
4.9 dmd 20
4.10 dSA 20
4.11 groupOfNames 20
4.12 groupOfUniqueNames 21
4.13 locality 21
4.14 organization 21
4.15 organizationalPerson 21
4.16 organizationalRole 22
4.17 organizationalUnit 22
4.18 person 23
4.19 residentialPerson 23
4.20 strongAuthenticationUser 23
4.21 top 23
4.22 userSecurityInformation 24
5. Security Considerations 24
6. Acknowledgements 24
7. References 25
8. Author's Address 25
Annex A Change Log 26
1. General Issues

[draft -00]
This document references syntaxes given in section 4 of this document and section 6 of [1]. Matching rules are listed in section 6 of this document and section 8 of [1].

[draft -01]
This document references syntaxes given in section 3 of [1]. Matching rules are listed in section 4 of [1].

[both drafts]
The attribute type and object class definitions are written using the BNF form of AttributeTypeDescription and ObjectClassDescription given in [1]. Lines have been folded for readability.

2. Source

The schema definitions in this document are based on those found in X.500 [2], [3], [4], and [5], specifically:

[draft -00]
Sections        Source
============    ============
3.1 - 3.2       X.501 [2]
3.3 - 3.36      X.520 [4]
3.37 - 3.41     X.509 [3]
3.42 - 3.52     X.520 [4]
3.53 - 3.54     X.509 [3]
3.55            X.520 [4]
4.1 - 4.6       X.520 [4]
4.7             X.509 [4]
5.1 - 5.2       X.501 [2]
5.3 - 5.18      X.521 [5]
5.19 - 5.21     X.509 [3]
5.22            X.521 [5]
6.1             X.520 [4]

[draft -01]
Sections        Source
============    ============
3.1             X.501 [2]
3.2             X.509 [3]
3.3 - 3.4       X.520 [4]
3.5 - 3.6       X.509 [3]
3.7             X.520 [4]
3.8 - 3.9       X.509 [3]
3.10 - 3.44     X.520 [4]
3.45            X.509 [3]
3.46 - 3.51     X.520 [4]
3.52 - 3.53     X.509 [3]
3.54 - 3.55     X.520 [4]
4.1             X.501 [2]
4.2 - 4.3       X.521 [5]
4.4 - 4.5       X.509 [3]
4.6             X.521 [5]
4.7             X.509 [3]
4.8 - 4.19      X.521 [5]
4.20            X.509 [3]
4.21            X.501 [2]
4.22            X.509 [3]

[draft -00]
Three new attributes: supportedAlgorithms, deltaRevocationList and dmdName, and the objectClass dmd, which were not specified in X.500 edition 2 (1993), are defined in the X.500 edition 3 (1997) [2, 3, 4, 5] documents.

[draft -01]
Three new attributes: supportedAlgorithms, deltaRevocationList and dmdName, and the new objectClass dmd, which were not specified in X.500 edition 2 (1993), are defined in the X.500 edition 3 (1997) [2, 3, 4, 5] documents.

[Editor's note: Should these items be removed so that they are not bringing in a second set of X.500 references? Perhaps they could be put into a non-normative annex with reference to the later X.500 edition. End editor's note.]
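Section 1 states that the definitions below follow the AttributeTypeDescription BNF of [1]. As an added example, not code from either draft or from the IETF, the following Python parses a handful of the section 3 definitions written in that form (copied into the block as constructed input), resolves SUP inheritance so that subtypes such as cn and c pick up the matching rules and syntax of name, and checks candidate values against the SINGLE-VALUE flag, the {len} bound, and the ';binary' transfer rule the text states for the Certificate, CertificateList and CertificatePair attributes. The BINARY_SYNTAXES set and the check_values helper are this example's own naming.

```python
"""Parser for the AttributeTypeDescription form used in the draft, plus a
small value validator. Added example; not the draft's or the IETF's code."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: definitions copied from section 3 of the drafts.
SCHEMA_TEXT = """
( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
( 2.5.4.3 NAME 'cn' SUP name )
( 2.5.4.6 NAME 'c' SUP name SINGLE-VALUE )
( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
( 2.5.4.37 NAME 'cACertificate' SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
"""

# Syntaxes the draft says are stored and requested as '<attr>;binary':
# Certificate (.8), CertificateList (.9), CertificatePair (.10).
# (Name chosen for this example.)
BINARY_SYNTAXES = {
    "1.3.6.1.4.1.1466.115.121.1.8",
    "1.3.6.1.4.1.1466.115.121.1.9",
    "1.3.6.1.4.1.1466.115.121.1.10",
}


@dataclass
class AttributeType:
    oid: str
    name: str
    sup: Optional[str] = None
    equality: Optional[str] = None
    ordering: Optional[str] = None
    substr: Optional[str] = None
    syntax: Optional[str] = None
    max_len: Optional[int] = None   # the {len} bound, if any
    single_value: bool = False


DEF_RE = re.compile(r"\(\s*([\d.]+)\s+(.*?)\s*\)", re.S)
SYNTAX_RE = re.compile(r"([\d.]+)(?:\{(\d+)\})?")


def parse_schema(text):
    """Return {name: AttributeType} for every '( oid ... )' definition."""
    types = {}
    for oid, body in DEF_RE.findall(text):
        tokens = body.split()          # names on this page contain no spaces
        at = AttributeType(oid=oid, name="")
        i = 0
        while i < len(tokens):
            key = tokens[i]
            if key == "SINGLE-VALUE":  # flag keyword, takes no value
                at.single_value = True
                i += 1
                continue
            if i + 1 >= len(tokens):
                break
            val = tokens[i + 1]
            if key == "NAME":
                at.name = val.strip("'")
            elif key == "SUP":
                at.sup = val
            elif key == "EQUALITY":
                at.equality = val
            elif key == "ORDERING":
                at.ordering = val
            elif key == "SUBSTR":
                at.substr = val
            elif key == "SYNTAX":
                m = SYNTAX_RE.fullmatch(val)
                at.syntax = m.group(1)
                at.max_len = int(m.group(2)) if m.group(2) else None
            i += 2
        types[at.name] = at
    return types


def effective(types, name):
    """Resolve matching rules and syntax through the SUP chain (cn -> name)."""
    at = types[name]
    resolved = AttributeType(oid=at.oid, name=at.name, sup=at.sup,
                             single_value=at.single_value)
    chain, seen, cur = [], set(), at
    while cur is not None and cur.name not in seen:   # guard against cycles
        seen.add(cur.name)
        chain.append(cur)
        cur = types.get(cur.sup) if cur.sup else None
    for fld in ("equality", "ordering", "substr", "syntax", "max_len"):
        for c in chain:                 # nearest definition in the chain wins
            v = getattr(c, fld)
            if v is not None:
                setattr(resolved, fld, v)
                break
    return resolved


def check_values(types, attr_desc, values):
    """Validate values for an attribute description like 'cACertificate;binary'.
    Returns a list of problems; an empty list means the values are acceptable."""
    name, _, option = attr_desc.partition(";")
    if name not in types:
        return [f"unknown attribute type '{name}'"]
    at = effective(types, name)
    problems = []
    if at.syntax in BINARY_SYNTAXES and option != "binary":
        problems.append(f"{name} must be requested as '{name};binary'")
    if at.single_value and len(values) > 1:
        problems.append(f"{name} is SINGLE-VALUE but {len(values)} values given")
    for v in values:                     # len() works for both str and bytes
        if at.max_len is not None and len(v) > at.max_len:
            problems.append(f"{name} value exceeds {{{at.max_len}}} bound")
    return problems
```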
3. Attribute Types

[draft -00]

Two kinds of attribute types are contained in this section: ones for holding user information and others which have been superseded or withdrawn.

3.1 "MUST" Attribute Types

An LDAP server implementation MUST recognize the attribute types described in this section.

3.1.1 objectClass

The values of the objectClass attribute describe the kind of object which an entry represents. The objectClass attribute is present in every entry.

( 2.5.4.0 NAME 'objectClass'
  EQUALITY objectIdentifierMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

3.2 "SHOULD" Attribute Types

An LDAP server implementation SHOULD recognize the attribute types described in this section.

3.2.1 aliasedObjectName

The aliasedObjectName attribute is used by the directory service if the entry containing this attribute is an alias. In X.500, this attribute is called aliasedEntryName.

( 2.5.4.1 NAME 'aliasedObjectName'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )

3.2.2 cn

This is the X.500 commonName attribute, which contains a name of an object. If the object corresponds to a person, it is typically the person's full name.

( 2.5.4.3 NAME 'cn' SUP name )

3.2.3 sn

This is the X.500 surname attribute, which contains the family name of a person.

( 2.5.4.4 NAME 'sn' SUP name )

3.2.4 serialNumber

This attribute contains the serial number of a device.

( 2.5.4.5 NAME 'serialNumber'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )

3.2.5 c

This is the X.500 countryName attribute, which contains a two-letter ISO 3166 country code.

( 2.5.4.6 NAME 'c' SUP name SINGLE-VALUE )

3.2.6 l

This is the X.500 localityName attribute, which contains the name of a locality, such as a city, county or other geographic region.

( 2.5.4.7 NAME 'l' SUP name )

3.2.7 st

This is the X.500 stateOrProvinceName attribute, which contains the full name of a state or province.

( 2.5.4.8 NAME 'st' SUP name )

3.2.8 street

This is the X.500 streetAddress attribute, which contains the physical address of the object to which the entry corresponds, such as an address for package delivery.

( 2.5.4.9 NAME 'street'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

3.2.9 o

This is the X.500 organizationName attribute, which contains the name of an organization.

( 2.5.4.10 NAME 'o' SUP name )

3.2.10 ou

This is the X.500 organizationalUnitName attribute, which contains the name of an organizational unit.

( 2.5.4.11 NAME 'ou' SUP name )

3.2.11 title

This attribute contains the title, such as "Vice President", of a person in their organizational context. The "personalTitle" attribute would be used for a person's title independent of their job function.

( 2.5.4.12 NAME 'title' SUP name )

3.2.12 description

This attribute contains a human-readable description of the object.

( 2.5.4.13 NAME 'description'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

3.2.13 businessCategory

This attribute describes the kind of business performed by an organization.

( 2.5.4.15 NAME 'businessCategory'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

3.2.14 postalAddress

This attribute contains an address used by a Postal Service to perform services for the object.

( 2.5.4.16 NAME 'postalAddress'
  EQUALITY caseIgnoreListMatch
  SUBSTR caseIgnoreListSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

3.2.15 postalCode

This attribute contains a code used by a Postal Service to identify a postal service zone, such as the southern quadrant of a city.

( 2.5.4.17 NAME 'postalCode'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )

3.2.16 postOfficeBox

This attribute contains the number that a Postal Service uses when a customer arranges to receive mail at a box on premises of the Postal Service.

( 2.5.4.18 NAME 'postOfficeBox'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )

3.2.17 physicalDeliveryOfficeName

This attribute contains the name that a Postal Service uses to identify a post office.

( 2.5.4.19 NAME 'physicalDeliveryOfficeName'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

3.2.18 telephoneNumber

A value of this attribute is a telephone number complying with CCITT Rec. E.123.

( 2.5.4.20 NAME 'telephoneNumber'
  EQUALITY telephoneNumberMatch
  SUBSTR telephoneNumberSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )

3.2.19 telexNumber

A value of this attribute is a telex number, country code, and answerback code of a telex terminal.

( 2.5.4.21 NAME 'telexNumber'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )

3.2.20 facsimileTelephoneNumber

A value of this attribute is a telephone number for a facsimile terminal (and, optionally, its parameters).

( 2.5.4.23 NAME 'facsimileTelephoneNumber'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )

3.2.21 x121Address

A value of this attribute is a data network address as defined by CCITT Recommendation X.121.

( 2.5.4.24 NAME 'x121Address'
  EQUALITY numericStringMatch
  SUBSTR numericStringSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} )

3.2.22 internationalISDNNumber

A value of this attribute is an ISDN address, as defined in CCITT Recommendation E.164.

( 2.5.4.25 NAME 'internationalISDNNumber'
  EQUALITY numericStringMatch
  SUBSTR numericStringSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} )

3.2.23 registeredAddress

This attribute holds a postal address suitable for reception of telegrams or expedited documents, where it is necessary to have the recipient accept delivery.

( 2.5.4.26 NAME 'registeredAddress'
  SUP postalAddress
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

3.2.24 destinationIndicator

This attribute is used for the telegram service.

( 2.5.4.27 NAME 'destinationIndicator'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )

3.2.25 preferredDeliveryMethod

This attribute contains an indication of the preferred method of getting a message to the object.

( 2.5.4.28 NAME 'preferredDeliveryMethod'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
  SINGLE-VALUE )

3.2.26 presentationAddress

This attribute contains an OSI presentation address.

( 2.5.4.29 NAME 'presentationAddress'
  EQUALITY presentationAddressMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.43
  SINGLE-VALUE )

3.2.27 supportedApplicationContext

This attribute contains the identifiers of OSI application contexts.

( 2.5.4.30 NAME 'supportedApplicationContext'
  EQUALITY objectIdentifierMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

3.2.28 member

A value of this attribute is the Distinguished Name of an object that is on a list or in a group.

( 2.5.4.31 NAME 'member' SUP distinguishedName )

3.2.29 owner

A value of this attribute is the Distinguished Name of an object that has an ownership responsibility for the object that is owned.

( 2.5.4.32 NAME 'owner' SUP distinguishedName )

3.2.30 roleOccupant

A value of this attribute is the Distinguished Name of an object (normally a person) that fulfills the responsibilities of a role object.

( 2.5.4.33 NAME 'roleOccupant' SUP distinguishedName )

3.2.31 seeAlso

A value of this attribute is the Distinguished Name of an object that is related to the subject object.

( 2.5.4.34 NAME 'seeAlso' SUP distinguishedName )

3.2.32 userPassword

A value of this attribute is a character string that is known only to the user and the system to which the user has access.

( 2.5.4.35 NAME 'userPassword'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

Passwords are stored using an Octet String syntax and are not encrypted. Transfer of cleartext passwords is strongly discouraged where the underlying transport service cannot guarantee confidentiality and may result in disclosure of the password to unauthorized parties.

3.2.33 userCertificate

A value of this attribute is a set of information that is used to protect business systems, including the directory system and its contents, from a number of threats. The protection is realized by verifying the object is authorized to use the business system for certain purposes. This attribute is to be stored and requested in the binary form, as 'userCertificate;binary'.

( 2.5.4.36 NAME 'userCertificate'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )

3.2.34 cACertificate

A value of this attribute is a set of information that is used to establish a traceable chain of authority for issuing user certificates. This attribute is to be stored and requested in the binary form, as 'cACertificate;binary'.

( 2.5.4.37 NAME 'cACertificate'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )

3.2.35 authorityRevocationList

A value of this attribute is a list of CA certificates that are no longer valid. This attribute is to be stored and requested in the binary form, as 'authorityRevocationList;binary'.

( 2.5.4.38 NAME 'authorityRevocationList'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )

3.2.36 certificateRevocationList

A value of this attribute is a list of user certificates that are no longer valid. This attribute is to be stored and requested in the binary form, as 'certificateRevocationList;binary'.

( 2.5.4.39 NAME 'certificateRevocationList'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )

3.2.37 crossCertificatePair

A value of this attribute is a set of two certificates that are used to enable the certificates issued in two security domains to be usable in both domains. This attribute is to be stored and requested in the binary form, as 'crossCertificatePair;binary'.

( 2.5.4.40 NAME 'crossCertificatePair'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 )

3.2.38 name

The name attribute type is the attribute supertype from which string attribute types typically used for naming may be formed. It is unlikely that values of this type itself will occur in an entry. LDAP server implementations which do not support attribute subtyping need not recognize this attribute in requests. Client implementations MUST NOT assume that LDAP servers are capable of performing attribute subtyping.

( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

3.2.39 givenName

The givenName attribute is used to hold the part of a person's name which is not their surname nor middle name.

( 2.5.4.42 NAME 'givenName' SUP name )

3.2.40 initials

The initials attribute contains the initials of some or all of an individual's names, but not the surname(s).

( 2.5.4.43 NAME 'initials' SUP name )

3.2.41 generationQualifier

The generationQualifier attribute contains the part of the name which typically is the suffix, as in "IIIrd".

( 2.5.4.44 NAME 'generationQualifier' SUP name )

3.2.42 x500UniqueIdentifier

The x500UniqueIdentifier attribute is used to distinguish between objects when a distinguished name has been reused. In X.500, this attribute is called uniqueIdentifier. This is a different attribute type from both the "uid" and "uniqueIdentifier" (defined in ??) types.

( 2.5.4.45 NAME 'x500UniqueIdentifier'
  EQUALITY bitStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )

3.2.43 dnQualifier

The dnQualifier attribute type specifies disambiguating information to add to the relative distinguished name of an entry. It is intended for use when merging data from multiple sources in order to prevent conflicts between entries which would otherwise have the same name. It is recommended that the value of the dnQualifier attribute be the same for all entries from a particular source.

( 2.5.4.46 NAME 'dnQualifier'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )

3.2.44 enhancedSearchGuide

This attribute is for use by X.500 clients in constructing search filters.

( 2.5.4.47 NAME 'enhancedSearchGuide'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )

3.2.45 protocolInformation

This attribute is used in conjunction with the presentationAddress attribute, to provide additional information to the OSI network service.

( 2.5.4.48 NAME 'protocolInformation'
  EQUALITY protocolInformationMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 )

3.2.46 distinguishedName

This attribute type is not used as the name of the object itself, but it is instead a base type from which attributes with DN syntax inherit.

It is unlikely that values of this type itself will occur in an entry. LDAP server implementations which do not support attribute subtyping need not recognize this attribute in requests. Client implementations MUST NOT assume that LDAP servers are capable of performing attribute subtyping.

( 2.5.4.49 NAME 'distinguishedName'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

3.2.47 uniqueMember

A value of this attribute is the Distinguished Name of an object that is on a list or in a group, where the Relative Distinguished Name of the object includes a value that distinguishes between objects when a distinguished name has been reused.

( 2.5.4.50 NAME 'uniqueMember'
  EQUALITY uniqueMemberMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )

3.2.48 houseIdentifier

This attribute is used to identify a building within a location.

( 2.5.4.51 NAME 'houseIdentifier'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

3.2.49 supportedAlgorithms

This attribute contains the identifiers of cryptographic algorithms that the object implements. This attribute is to be stored and requested in the binary form, as 'supportedAlgorithms;binary'.

( 2.5.4.52 NAME 'supportedAlgorithms'

[draft -01]

The attribute types contained in this section hold user information.

An LDAP server implementation MUST recognize the objectClass attribute type.

There is no requirement that servers implement the following attribute types:

  knowledgeInformation
  searchGuide
  teletexTerminalIdentifier

In fact, their use is greatly discouraged.

An LDAP server implementation SHOULD recognize the rest of the attribute types described in this section.

3.1 aliasedObjectName

The aliasedObjectName attribute is used by the directory service if the entry containing this attribute is an alias. In X.500, this attribute is called aliasedEntryName.

( 2.5.4.1 NAME 'aliasedObjectName'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ; DN
  SINGLE-VALUE )

3.2 authorityRevocationList

A value of this attribute is a list of CA certificates that are no longer valid. This attribute is to be stored and requested in the binary form, as 'authorityRevocationList;binary'.

( 2.5.4.38 NAME 'authorityRevocationList'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) ; CertificateList

3.3 businessCategory

This attribute describes the kind of business performed by an organization.

( 2.5.4.15 NAME 'businessCategory'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) ; DirectoryString

3.4 c

This is the X.500 countryName attribute, which contains a two-letter ISO 3166 country code.

( 2.5.4.6 NAME 'c'
  SUP name
  SINGLE-VALUE )

3.5 cACertificate

A value of this attribute is a set of information that is used to establish a traceable chain of authority for issuing user certificates. This attribute is to be stored and requested in the binary form, as 'cACertificate;binary'.

( 2.5.4.37 NAME 'cACertificate'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 ) ; Certificate

3.6 certificateRevocationList

A value of this attribute is a list of user certificates that are no longer valid. This attribute is to be stored and requested in the binary form, as 'certificateRevocationList;binary'.

( 2.5.4.39 NAME 'certificateRevocationList'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) ; CertificateList

3.7 cn

This is the X.500 commonName attribute, which contains a name of an object. If the object corresponds to a person, it is typically the person's full name.

( 2.5.4.3 NAME 'cn' SUP name )

3.8 crossCertificatePair

A value of this attribute is a set of two certificates that are used to enable the certificates issued in two security domains to be usable in both domains. This attribute is to be stored and requested in the binary form, as 'crossCertificatePair;binary'.

( 2.5.4.40 NAME 'crossCertificatePair'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 ) ; CertificatePair

3.9 deltaRevocationList

This attribute contains a list of revoked user certificates that is an addition to a previous certificate revocation list. This attribute is to be stored and requested in the binary form, as 'deltaRevocationList;binary'.

( 2.5.4.53 NAME 'deltaRevocationList'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) ; CertificateList

3.10 description

This attribute contains a human-readable description of the object.

( 2.5.4.13 NAME 'description'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} ) ; DirectoryString

3.11 destinationIndicator

This attribute is used for the telegram service.

( 2.5.4.27 NAME 'destinationIndicator'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} ) ; PrintableString

3.12 distinguishedName

This attribute type is not used as the name of the object itself, but it is instead a base type from which attributes with DN syntax inherit.

It is unlikely that values of this type itself will occur in an entry. LDAP server implementations which do not support attribute subtyping need not recognize this attribute in requests. Client implementations MUST NOT assume that LDAP servers are capable of performing attribute subtyping.

( 2.5.4.49 NAME 'distinguishedName'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

3.13 dmdName

The value of this attribute specifies a directory management domain (DMD), the administrative authority which operates the directory server.

( 2.5.4.54 NAME 'dmdName'
  SUP name )

3.14 dnQualifier

The dnQualifier attribute type specifies disambiguating information to add to the relative distinguished name of an entry. It is intended for use when merging data from multiple sources in order to prevent conflicts between entries which would otherwise have the same name. It is recommended that the value of the dnQualifier attribute be the same for all entries from a particular source.

( 2.5.4.46 NAME 'dnQualifier'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 ) ; PrintableString

3.15 enhancedSearchGuide

This attribute is for use by X.500 clients in constructing search filters.

( 2.5.4.47 NAME 'enhancedSearchGuide'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 ) ; EnhancedGuide

3.16 facsimileTelephoneNumber

A value of this attribute is a telephone number for a facsimile terminal (and, optionally, its parameters).

( 2.5.4.23 NAME 'facsimileTelephoneNumber'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 ) ; FacsimileTelephoneNumber

3.17 generationQualifier

The generationQualifier attribute contains the part of the name which typically is the suffix, as in "IIIrd".

( 2.5.4.44 NAME 'generationQualifier'
  SUP name )

3.18 givenName

The givenName attribute is used to hold the part of a person's name which is not their surname nor middle name.

( 2.5.4.42 NAME 'givenName'
  SUP name )

3.19 houseIdentifier

This attribute is used to identify a building within a location.

( 2.5.4.51 NAME 'houseIdentifier'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) ; DirectoryString

3.20 initials

The initials attribute contains the initials of some or all of an individual's names, but not the surname(s).

( 2.5.4.43 NAME 'initials'
  SUP name )

3.21 internationalISDNNumber

A value of this attribute is an ISDN address, as defined in CCITT Recommendation E.164.

( 2.5.4.25 NAME 'internationalISDNNumber'
  EQUALITY numericStringMatch
  SUBSTR numericStringSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} ) ; NumericString

3.22 knowledgeInformation

This attribute is superseded by the system schema attributes which hold the pointers to other LDAP servers.

( 2.5.4.2 NAME 'knowledgeInformation'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) ; DirectoryString

3.23 l

This is the X.500 localityName attribute, which contains the name of a locality, such as a city, county or other geographic region.

( 2.5.4.7 NAME 'l'
  SUP name )

3.24 member

A value of this attribute is the Distinguished Name of an object that is on a list or in a group.

( 2.5.4.31 NAME 'member'
  SUP distinguishedName )

3.25 name

The name attribute type is the attribute supertype from which string attribute types typically used for naming may be formed. It is unlikely that values of this type itself will occur in an entry. LDAP server implementations which do not support attribute subtyping need not recognize this attribute in requests. Client implementations MUST NOT assume that LDAP servers are capable of performing attribute subtyping.

( 2.5.4.41 NAME 'name'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) ; DirectoryString

3.26 o

This is the X.500 organizationName attribute, which contains the name of an organization.

( 2.5.4.10 NAME 'o'
  SUP name )

3.27 objectClass

The values of the objectClass attribute describe the kind of object which an entry represents. The objectClass attribute is present in every entry.

( 2.5.4.0 NAME 'objectClass'
  EQUALITY objectIdentifierMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) ; OID

3.28 ou

This is the X.500 organizationalUnitName attribute, which contains the name of an organizational unit.

( 2.5.4.11 NAME 'ou'
  SUP name )

3.29 owner

A value of this attribute is the Distinguished Name of an object that has an ownership responsibility for the object that is owned.

( 2.5.4.32 NAME 'owner'
  SUP distinguishedName )

3.30 physicalDeliveryOfficeName

This attribute contains the name that a Postal Service uses to identify a post office.

( 2.5.4.19 NAME 'physicalDeliveryOfficeName'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) ; DirectoryString

3.31 postalAddress

This attribute contains an address used by a Postal Service to perform services for the object.

( 2.5.4.16 NAME 'postalAddress'
  EQUALITY caseIgnoreListMatch
  SUBSTR caseIgnoreListSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 ) ; PostalAddress

3.32 postalCode

This attribute contains a code used by a Postal Service to identify a postal service zone, such as the southern quadrant of a city.

( 2.5.4.17 NAME 'postalCode'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} ) ; DirectoryString

3.33 postOfficeBox

This attribute contains the number that a Postal Service uses when a customer arranges to receive mail at a box on premises of the Postal Service.

( 2.5.4.18 NAME 'postOfficeBox'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} ) ; DirectoryString

3.34 preferredDeliveryMethod

This attribute contains an indication of the preferred method of getting a message to the object.

( 2.5.4.28 NAME 'preferredDeliveryMethod'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.14 ; DeliveryMethod
  SINGLE-VALUE )

3.35 presentationAddress

This attribute contains an OSI presentation address.

( 2.5.4.29 NAME 'presentationAddress'
  EQUALITY presentationAddressMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.43 ; PresentationAddress
  SINGLE-VALUE )

3.36 protocolInformation

This attribute is used in conjunction with the presentationAddress attribute, to provide additional information to the OSI network service.

( 2.5.4.48 NAME 'protocolInformation'
  EQUALITY protocolInformationMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 ) ; ProtocolInformation

3.37 registeredAddress

This attribute holds a postal address suitable for reception of telegrams or expedited documents, where it is necessary to have the recipient accept delivery.

( 2.5.4.26 NAME 'registeredAddress'
  SUP postalAddress
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 ) ; PostalAddress

3.38 roleOccupant

A value of this attribute is the Distinguished Name of an object (normally a person) that fulfills the responsibilities of a role object.

( 2.5.4.33 NAME 'roleOccupant'
  SUP distinguishedName )

3.39 searchGuide

This attribute is for use by clients in constructing search filters. It is superseded by enhancedSearchGuide, described above in 3.15.

( 2.5.4.14 NAME 'searchGuide'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 ) ; Guide

3.40 seeAlso

A value of this attribute is the Distinguished Name of an object that is related to the subject object.

( 2.5.4.34 NAME 'seeAlso'
  SUP distinguishedName )

3.41 serialNumber

This attribute contains the serial number of a device.

( 2.5.4.5 NAME 'serialNumber'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} ) ; PrintableString

3.42 sn

This is the X.500 surname attribute, which contains the family name of a person.

( 2.5.4.4 NAME 'sn'
  SUP name )

3.43 st

This is the X.500 stateOrProvinceName attribute, which contains the full name of a state or province.

( 2.5.4.8 NAME 'st' SUP name )

3.44 street

This is the X.500 streetAddress attribute, which contains the physical address of the object to which the entry corresponds, such as an address for package delivery.

( 2.5.4.9 NAME 'street'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) ; DirectoryString

3.45 supportedAlgorithms

This attribute contains the identifiers of cryptographic algorithms that the object implements. This attribute is to be stored and requested in the binary form, as 'supportedAlgorithms;binary'.

( 2.5.4.52 NAME 'supportedAlgorithms'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 ) ; SupportedAlgorithm
3.2.50 deltaRevocationList
This attribute contains a list of revoked user certificates that is
an addition to a previous certificate revocation list. This
attribute is to be stored and requested in the binary form, as
'deltaRevocationList;binary'.
( 2.5.4.53 NAME 'deltaRevocationList'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
3.2.51 dmdName
The value of this attribute specifies a directory management domain
(DMD), the administrative authority which operates the directory
server.
( 2.5.4.54 NAME 'dmdName' SUP name )
3.3 Superseded and Withdrawn Attribute Types
There is no requirement that servers implement the attribute types
in this section. In fact, their use is greatly discouraged.
3.3.1 knowledgeInformation 3.46 supportedApplicationContext
This attribute is superseded by some system schema attributes. This attribute contains the identifiers of OSI application contexts.
( 2.5.4.2 NAME 'knowledgeInformation' EQUALITY caseIgnoreMatch ( 2.5.4.30 NAME 'supportedApplicationContext'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) EQUALITY objectIdentifierMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) ; OID
3.3.2 searchGuide 3.47 telephoneNumber
This attribute is for use by clients in constructing search filters. A value of this attribute is a telephone number complying with CCITT
It is superseded by enhancedSearchGuide, described above in 3.2.43. Rec. E.123.
( 2.5.4.14 NAME 'searchGuide' ( 2.5.4.20 NAME 'telephoneNumber'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 ) EQUALITY telephoneNumberMatch
SUBSTR telephoneNumberSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} ) ; TelephoneNumber
3.3.3 teletexTerminalIdentifier 3.48 teletexTerminalIdentifier
The withdrawal of Rec. F.200 has resulted in the withdrawal of this The withdrawal of Rec. F.200 has resulted in the withdrawal of this
attribute. attribute.
( 2.5.4.22 NAME 'teletexTerminalIdentifier' ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 ) ; TeletexTerminalIdentifier
4. Syntaxes 3.49 telexNumber
Servers SHOULD recognize the syntaxes defined in this section. Each A value of this attribute is a telex number , country code, and
syntax begins with a sample value of the ldapSyntaxes attribute answerback code of a telex terminal.
which defines the OBJECT IDENTIFIER of the syntax. The descriptions
of syntax names are not carried in protocol, and are not guaranteed
to be unique.
4.1 Delivery Method ( 2.5.4.21 NAME 'telexNumber'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 ) ; TelexNumber
( 1.3.6.1.4.1.1466.115.121.1.14 DESC 'Delivery Method' ) 3.50 title
Values in this syntax are encoded according to the following BNF: This attribute contains the title, such as "Vice President", of a
person in their organizational context. The "personalTitle"
attribute would be used for a person's title independent of their job
function.
delivery-value = pdm / ( pdm whsp "$" whsp delivery-value ) ( 2.5.4.12 NAME 'title'
pdm = "any" / "mhs" / "physical" / "telex" / "teletex" / SUP name )
"g3fax" / "g4fax" / "ia5" / "videotex" / "telephone"
Example: 3.51 uniqueMember
telephone A value of this attribute is the Distinguished Name of an object
that is on a list or in a group, where the Relative Distinguished
Name of the object includes a value that distinguishs between
objects when a distinguished name has been reused.
4.2 Enhanced Guide ( 2.5.4.50 NAME 'uniqueMember'
EQUALITY uniqueMemberMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 ) ; NameAndOptionalUID
( 1.3.6.1.4.1.1466.115.121.1.21 DESC 'Enhanced Guide' ) 3.52 userCertificate
Values in this syntax are encoded according to the following BNF: A value of this attribute is a set of information that is used to
protect business systems, including the directory system and its
contents, from a number of threats. The protection is realized by
verifying the object is authorized to use the business system for
certain purposes. This attribute is to be stored and requested in
the binary form, as 'userCertificate;binary'.
EnhancedGuide = woid whsp "#" whsp criteria whsp "#" whsp subset ( 2.5.4.36 NAME 'userCertificate'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 ) ; Certificate
subset = "baseobject" / "oneLevel" / "wholeSubtree" 3.53 userPassword
The criteria production is defined in the Guide syntax below. This A value of this attribute is a character string that is known only
syntax has been added subsequent to RFC 1778. to the user and the system to which the user has access.
Example: ( 2.5.4.35 NAME 'userPassword'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} ) ; OctetString
person#(sn)#oneLevel Passwords are stored using an Octet String syntax and are not
encrypted. Transfer of cleartext passwords is strongly discouraged
where the underlying transport service cannot guarantee
confidentiality and may result in disclosure of the password to
unauthorized parties.
4.3 Guide 3.54 x121Address
( 1.3.6.1.4.1.1466.115.121.1.25 DESC 'Guide' ) A value of this attribute is a data network address as defined by
CCITT Recommendation X.121.
Values in this syntax are encoded according to the following BNF: ( 2.5.4.24 NAME 'x121Address'
EQUALITY numericStringMatch
SUBSTR numericStringSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} ) ; NumericString
guide-value = [ object-class "#" ] criteria 3.55 x500UniqueIdentifier
object-class = woid The x500UniqueIdentifier attribute is used to distinguish between
objects when a distinguished name has been reused. In X.500, this
attribute is called uniqueIdentifier. This is a different attribute
type from both the "uid" and "uniqueIdentifier" (defined in ??)
types.
criteria = criteria-item / criteria-set / ( "!" criteria ) ( 2.5.4.45 NAME 'x500UniqueIdentifier'
EQUALITY bitStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 ) ; BitString
criteria-set = ( [ "(" ] criteria "&" criteria-set [ ")" ] ) / 4. Object Classes
( [ "(" ] criteria "|" criteria-set [ ")" ] )
criteria-item = [ "(" ] attributetype "$" match-type [ ")" ] LDAP servers MUST recognize the object class "top". LDAP servers
SHOULD recognize all the other object classes listed here as values
of the objectClass attribute.
match-type = "EQ" / "SUBSTR" / "GE" / "LE" / "APPROX" 4.1 alias
This syntax should not be used for defining new attributes. The alias object class enables more than one Distinguished Name to
designate an entry by providing an alias entry. The alias entry
contains a pointer to the other entry. The pointer is automatically
followed when the alias entry is found in the process of locating
the target entry(s) of an operation.
4.4 Octet String ( 2.5.6.1 NAME 'alias'
SUP top
STRUCTURAL
MUST aliasedObjectName )
( 1.3.6.1.4.1.1466.115.121.1.40 DESC 'Octet String' ) 4.2 applicationEntity
Values in this syntax are encoded as octet strings. The applicationEntity object class definition is the basis of an
entry which represents the interconnection aspects of an application
process in a distributed environment.
Example: ( 2.5.6.12 NAME 'applicationEntity'
SUP top
STRUCTURAL
MUST ( presentationAddress $ cn )
MAY ( supportedApplicationContext $ seeAlso $ ou $
o $ l $ description ) )
secret 4.3 applicationProcess
4.5 Teletex Terminal Identifier The applicationProcess object class definition is the basis of an
entry which represents an application executing in a computer system.
( 1.3.6.1.4.1.1466.115.121.1.51 DESC 'Teletex Terminal Identifier' ) ( 2.5.6.11 NAME 'applicationProcess'
SUP top
STRUCTURAL
MUST cn
MAY ( seeAlso $ ou $ l $ description ) )
Values in this syntax are encoded according to the following BNF: 4.4 certificationAuthority
teletex-id = ttx-term 0*("$" ttx-param) The certificationAuthority object class is the collection of
attributes that are needed in an entry which represents an issuer of
certificates in a security system.
ttx-term = printablestring ( 2.5.6.16 NAME 'certificationAuthority'
SUP top
AUXILIARY
MUST ( authorityRevocationList $ certificateRevocationList $
cACertificate )
MAY crossCertificatePair )
ttx-param = ttx-key ":" ttx-value 4.5 certificationAuthority-V2
ttx-key = "graphic" / "control" / "misc" / "page" / "private" The certificationAuthority-V2 object class adds the
deltaRevocationList attribute to the collection in the
certificationAuthority object class, as an option.
ttx-value = octetstring ( 2.5.6.16.2 NAME 'certificationAuthority-V2'
SUP certificationAuthority
AUXILIARY
MAY ( deltaRevocationList ) )
In the above, the first printablestring is the encoding of the first 4.6 country
portion of the teletex terminal identifier to be encoded, and the
subsequent 0 or more octetstrings are subsequent portions of the
teletex terminal identifier.
4.6 Telex Number The country object class definition is the basis of an entry which
represents a country.
( 1.3.6.1.4.1.1466.115.121.1.52 DESC 'Telex Number' ) ( 2.5.6.2 NAME 'country'
SUP top
STRUCTURAL
MUST c
MAY ( searchGuide $ description ) )
Values in this syntax are encoded according to the following BNF: 4.7 cRLDistributionPoint
telex-number = actual-number "$" country "$" answerback The cRLDistributionPoint object class is the basis of an entry which
represents a source of certificate revocation lists in a security
system.
actual-number = printablestring ( 2.5.6.19 NAME 'cRLDistributionPoint'
SUP top
STRUCTURAL
MUST ( cn )
MAY ( certificateRevocationList $ authorityRevocationList $
deltaRevocationList ) )
country = printablestring 4.8 device
answerback = printablestring The device object class is the basis of an entry which represents
an appliance or computer or network element.
In the above, actual-number is the syntactic representation of the ( 2.5.6.14 NAME 'device'
number portion of the TELEX number being encoded, country is the SUP top
TELEX country code, and answerback is the answerback code of a TELEX STRUCTURAL
terminal. MUST cn
MAY ( serialNumber $ seeAlso $ owner $
ou $ o $ l $ description ) )
4.7 Supported Algorithm 4.9 dmd
( 1.3.6.1.4.1.1466.115.121.1.49 DESC 'Supported Algorithm' ) The dmd object class is the basis of an entry which represents the
set of one or more DSAs and zero or more DUAs managed by a single
organization, i.e., a Directory Management Domain.
No printable representation of values of the supportedAlgorithms ( 2.5.6.20 NAME 'dmd'
attribute is defined in this document. Clients which wish to store SUP top
and retrieve this attribute MUST use "supportedAlgorithms;binary", STRUCTURAL
in which the value is transferred as a binary encoding. MUST ( dmdName )
MAY ( userPassword $ searchGuide $ seeAlso $
businessCategory $ x121Address $ registeredAddress $
destinationIndicator $ preferredDeliveryMethod $ telexNumber $
teletexTerminalIdentifier $ telephoneNumber $
internationaliSDNNumber $ facsimileTelephoneNumber $ street $
postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ st $ l $
description ) )
5. Object Classes 4.10 dSA
LDAP servers MUST recognize the object class "top". LDAP servers The dSA (Directory System Agent) object class is the basis of an
SHOULD recognize all the other object classes listed here as values entry which represents a server in a directory system.
of the objectClass attribute.
5.1 top ( 2.5.6.13 NAME 'dSA'
SUP applicationEntity
STRUCTURAL
MAY knowledgeInformation )
( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass ) 4.11 groupOfNames
5.2 alias The groupOfNames object class is the basis of an entry which
represents a set of named objects including information related to
the purpose or maintenance of the set.
( 2.5.6.1 NAME 'alias' SUP top STRUCTURAL MUST aliasedObjectName ) ( 2.5.6.9 NAME 'groupOfNames'
SUP top
STRUCTURAL
MUST ( member $ cn )
MAY ( businessCategory $ seeAlso $ owner $
ou $ o $ description ) )
5.3 country 4.12 groupOfUniqueNames
( 2.5.6.2 NAME 'country' SUP top STRUCTURAL MUST c The groupOfUniqueNames object class is the same as the groupOfNames
MAY ( searchGuide $ description ) ) object class except that the object names are not repeated or
reassigned within a set scope.
5.4 locality ( 2.5.6.17 NAME 'groupOfUniqueNames'
SUP top
STRUCTURAL
MUST ( uniqueMember $ cn )
MAY ( businessCategory $ seeAlso $ owner $
ou $ o $ description ) )
( 2.5.6.3 NAME 'locality' SUP top STRUCTURAL 4.13 locality
MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) )
5.5 organization The locality object class is the basis of an entry which
represents a place in the physical world.
( 2.5.6.4 NAME 'organization' SUP top STRUCTURAL MUST o ( 2.5.6.3 NAME 'locality'
MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ SUP top
x121Address $ registeredAddress $ destinationIndicator $ STRUCTURAL
preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ MAY ( street $ seeAlso $ searchGuide $
telephoneNumber $ internationaliSDNNumber $ st $ l $ description ) )
facsimileTelephoneNumber $
street $ postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ st $ l $ description ) )
5.6 organizationalUnit 4.14 organization
( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL MUST ou The organization object class is the basis of an entry which
MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ represents a structured group of people.
x121Address $ registeredAddress $ destinationIndicator $
preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
telephoneNumber $ internationaliSDNNumber $
facsimileTelephoneNumber $
street $ postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ st $ l $ description ) )
5.7 person ( 2.5.6.4 NAME 'organization'
SUP top
STRUCTURAL
MUST o
MAY ( userPassword $ searchGuide $ seeAlso $
businessCategory $ x121Address $ registeredAddress $
destinationIndicator $ preferredDeliveryMethod $
telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
internationaliSDNNumber $ facsimileTelephoneNumber $
street $ postOfficeBox $ postalCode $
postalAddress $ physicalDeliveryOfficeName $ st $
l $ description ) )
( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) 4.15 organizationalPerson
MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
5.8 organizationalPerson The organizationalPerson object class is the basis of an entry which
represents a person in relation to an organization.
( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL ( 2.5.6.7 NAME 'organizationalPerson'
SUP person
STRUCTURAL
MAY ( title $ x121Address $ registeredAddress $ MAY ( title $ x121Address $ registeredAddress $
destinationIndicator $ destinationIndicator $ preferredDeliveryMethod $
preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
telephoneNumber $ internationaliSDNNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
facsimileTelephoneNumber $
street $ postOfficeBox $ postalCode $ postalAddress $ street $ postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ ou $ st $ l ) ) physicalDeliveryOfficeName $ ou $ st $ l ) )
5.9 organizationalRole 4.16 organizationalRole
( 2.5.6.8 NAME 'organizationalRole' SUP top STRUCTURAL MUST cn
MAY ( x121Address $ registeredAddress $ destinationIndicator $
preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
telephoneNumber $ internationaliSDNNumber $
facsimileTelephoneNumber $
seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $
postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ ou $ st $ l $ description ) )
5.10 groupOfNames The organizationalRole object class is the basis of an entry which
represents a job or function or position in an organization.
( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( member $ cn ) ( 2.5.6.8 NAME 'organizationalRole'
MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) SUP top
STRUCTURAL
MUST cn
MAY ( x121Address $ registeredAddress $ destinationIndicator $
preferredDeliveryMethod $ telexNumber $
teletexTerminalIdentifier $ telephoneNumber $
internationaliSDNNumber $ facsimileTelephoneNumber $
seeAlso $ roleOccupant $ preferredDeliveryMethod $
street $ postOfficeBox $ postalCode $
postalAddress $ physicalDeliveryOfficeName $ ou $
st $ l $ description ) )
5.11 residentialPerson 4.17 organizationalUnit
( 2.5.6.10 NAME 'residentialPerson' SUP person STRUCTURAL MUST l The organizationalUnit object class is the basis of an entry which
MAY ( businessCategory $ x121Address $ registeredAddress $ represents a piece of an organization.
destinationIndicator $ preferredDeliveryMethod $ telexNumber $
teletexTerminalIdentifier $ telephoneNumber $
internationaliSDNNumber $
facsimileTelephoneNumber $ preferredDeliveryMethod $ street $
postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ st $ l ) )
5.12 applicationProcess ( 2.5.6.5 NAME 'organizationalUnit'
SUP top
STRUCTURAL
MUST ou
MAY ( userPassword $ searchGuide $ seeAlso $
businessCategory $ x121Address $ registeredAddress $
destinationIndicator $ preferredDeliveryMethod $
telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
internationaliSDNNumber $ facsimileTelephoneNumber $
street $ postOfficeBox $ postalCode $
postalAddress $ physicalDeliveryOfficeName $ st $
l $ description ) )
( 2.5.6.11 NAME 'applicationProcess' SUP top STRUCTURAL MUST cn 4.18 person
MAY ( seeAlso $ ou $ l $ description ) )
5.13 applicationEntity The person object class is the basis of an entry which represents a
human being.
( 2.5.6.12 NAME 'applicationEntity' SUP top STRUCTURAL ( 2.5.6.6 NAME 'person'
MUST ( presentationAddress $ cn ) SUP top
MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $ STRUCTURAL
description ) ) MUST ( sn $ cn )
MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
5.14 dSA 4.19 residentialPerson
( 2.5.6.13 NAME 'dSA' SUP applicationEntity STRUCTURAL The residentialPerson object class is the basis of an entry which
MAY knowledgeInformation ) includes a person's residence in the representation of the person.
5.15 device ( 2.5.6.10 NAME 'residentialPerson'
SUP person
STRUCTURAL
MUST l
MAY ( businessCategory $ x121Address $ registeredAddress $
destinationIndicator $ preferredDeliveryMethod $
telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
internationaliSDNNumber $ facsimileTelephoneNumber $
preferredDeliveryMethod $ street $ postOfficeBox $
postalCode $ postalAddress $ physicalDeliveryOfficeName $
st $ l ) )
( 2.5.6.14 NAME 'device' SUP top STRUCTURAL MUST cn 4.20 strongAuthenticationUser
MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )
5.16 strongAuthenticationUser The strongAuthenticationUser object class adds the userCertificate
attribute, as a mandatory attribute, to the collection of attributes
in an entry.
( 2.5.6.15 NAME 'strongAuthenticationUser' SUP top AUXILIARY ( 2.5.6.15 NAME 'strongAuthenticationUser'
SUP top
AUXILIARY
MUST userCertificate ) MUST userCertificate )
5.17 certificationAuthority 4.21 top
( 2.5.6.16 NAME 'certificationAuthority' SUP top AUXILIARY The top object class is the conceptual beginning of the inheritance
MUST ( authorityRevocationList $ certificateRevocationList $ hierarchy of object classes. Top guarantees that every entry has
cACertificate ) MAY crossCertificatePair ) the objectClass attribute, which identifies the type of the entry.
5.18 groupOfUniqueNames ( 2.5.6.0 NAME 'top'
ABSTRACT
MUST objectClass )
( 2.5.6.17 NAME 'groupOfUniqueNames' SUP top STRUCTURAL 4.22 userSecurityInformation
MUST ( uniqueMember $ cn )
MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
5.19 userSecurityInformation The userSecurityInformation object class adds the supportedAlgorithms
attribute, as an optional attribute, to the collection of attributes
in an entry.
( 2.5.6.18 NAME 'userSecurityInformation' SUP top AUXILIARY ( 2.5.6.18 NAME 'userSecurityInformation'
SUP top
AUXILIARY
MAY ( supportedAlgorithms ) ) MAY ( supportedAlgorithms ) )
5.20 certificationAuthority-V2 5. Security Considerations
( 2.5.6.16.2 NAME 'certificationAuthority-V2' SUP
certificationAuthority
AUXILIARY MAY ( deltaRevocationList ) )
5.21 cRLDistributionPoint
( 2.5.6.19 NAME 'cRLDistributionPoint' SUP top STRUCTURAL
MUST ( cn ) MAY ( certificateRevocationList $
authorityRevocationList $
deltaRevocationList ) )
5.22 dmd
( 2.5.6.20 NAME 'dmd' SUP top STRUCTURAL MUST ( dmdName )
MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
x121Address $ registeredAddress $ destinationIndicator $
preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
telephoneNumber $ internationaliSDNNumber $
facsimileTelephoneNumber $
street $ postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ st $ l $ description ) )
6. Matching Rules
Servers MAY implement additional matching rules.
6.1 octetStringMatch
Servers which implement the extensibleMatch filter SHOULD allow the
matching rule listed in this section to be used in the
extensibleMatch. In general these servers SHOULD allow matching
rules to be used with all attribute types known to the server, when
the assertion syntax of the matching rule is the same as the value
syntax of the attribute.
The Octet String Match rule compares for equality an asserted octet
string with an attribute value of type OCTET STRING.
The strings match if they are the same length and corresponding
octets are identical.
( 2.5.13.17 NAME 'octetStringMatch'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
7. Security Considerations
Attributes of directory entries are used to provide descriptive Attributes of directory entries are used to provide descriptive
information about the real-world objects they represent, which can be information about the real-world objects they represent, which can be
people, organizations or devices. Most countries have privacy laws people, organizations or devices. Most countries have privacy laws
regarding the publication of information about people. regarding the publication of information about people.
Transfer of cleartext passwords is strongly discouraged where the Transfer of cleartext passwords is strongly discouraged where the
underlying transport service cannot guarantee confidentiality and may underlying transport service cannot guarantee confidentiality and may
result in disclosure of the password to unauthorized parties. result in disclosure of the password to unauthorized parties.
It is required that strong authentication be performed in order to It is required that strong authentication be performed in order to
modify directory entries using LDAP. modify directory entries using LDAP.
8. Acknowledgements 6. Acknowledgements
The definitions, on which this document is based, have been developed The definitions, on which this document is based, have been developed
by committees for telecommunications and international standards. by committees for telecommunications and international standards.
No new attribute definitions have been added. No new attribute definitions have been added.
This document is an update of RFC 2256 by Mark Wahl. RFC 2256 was a This document is an update of RFC 2256 by Mark Wahl. RFC 2256 was a
product of the IETF LDAPBIS Working Group. product of the IETF ASID Working Group.
This document is based upon input of the IETF LDAPBIS working group. This document is based upon input of the IETF LDAPBIS working group.
The authors wish to thank ___ for their significant contribution to The authors wish to thank ___ for their significant contribution to
this update. this update.
9. Bibliography 7. References
[1] replacement (draft-hinckley-ldapbis-rfc2252-nn) for Wahl, M., [1] replacement (draft-ietf-ldapbis-syntaxes-01) for Wahl, M.,
Coulbeck, A., Howes, T., and S. Kille, "Lightweight X.500 Coulbeck, A., Howes, T., and S. Kille, "Lightweight X.500
Directory Access Protocol(v3): Attribute Syntax Definitions", Directory Access Protocol(v3): Attribute Syntax Definitions",
RFC 2252, December 1997 RFC 2252, December 1997
[2] The Directory: Models, ITU-T Recommendation X.501, 1997 [2] The Directory: Models, ITU-T Recommendation X.501, 1995
[3] The Directory: Authentication Framework, ITU-T Recommendation [3] The Directory: Authentication Framework, ITU-T Recommendation
X.509, 1997 X.509, 1995
[4] The Directory: Selected Attribute Types, ITU-T Recommendation [4] The Directory: Selected Attribute Types, ITU-T Recommendation
X.520, 1997 X.520, 1995
[5] The Directory: Selected Object Classes. ITU-T Recommendation [5] The Directory: Selected Object Classes. ITU-T Recommendation
X.521, 1997 X.521, 1995
[6] Bradner, S., "Key words for use in RFCs to Indicate Requirement [6] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", RFC 2119, March 1997 Levels", RFC 2119, March 1997
10. Author's Address 8. Author's Address
Kathy Dally Kathy Dally
The MITRE Corp. The MITRE Corp.
1820 Dolley Madison Blvd., ms-W650 1575 Colshire Dr., ms-W650
McLean VA 22102 McLean VA 22102
USA USA
Phone: +1 703 883 6058 Phone: +1 703 883 6058
Email: kdally@mitre.org Email: kdally@mitre.org
Annex A Change Log Annex A Change Log
This annex lists the changes that have been made from RFC 2256 to This annex lists the changes that have been made from RFC 2256 to
this I-D. The changes made in this latest version are items 12 - 15. this I-D.
Changes to RFC 2256 resulting in
draft-ietf-ldapbis-user-schema-00.txt:
1. Revision of the Status of this Memo. 1. Revision of the Status of this Memo.
2. Dependencies on RFC 1274 have been eliminated. 2. Dependencies on RFC 1274 have been eliminated.
3. The references to X.500(96) have been expressed in terms of 3. The references to X.500(96) have been expressed in terms of
the "edition", rather than the standard date. Note that the the "edition", rather than the standard date. Note that the
version of X.500 which is the basis for this document, is the version of X.500 which is the basis for this document, is the
third edition, which was finalized in 1996, but approved in third edition, which was finalized in 1996, but approved in
1997. 1997.
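Review bot: the organizationalRole and residentialPerson object class definitions list preferredDeliveryMethod twice in their MAY lists, in both the draft-00 and draft-01 columns (organizationalRole: "preferredDeliveryMethod $ telexNumber $" and again "seeAlso $ roleOccupant $ preferredDeliveryMethod $"; residentialPerson: "destinationIndicator $ preferredDeliveryMethod $" and again "preferredDeliveryMethod $ street $ postOfficeBox $"); the repeat is redundant and the second occurrence should be dropped in each definition. Two smaller items in the same region: the new x500UniqueIdentifier text in draft-01 still carries the placeholder '"uniqueIdentifier" (defined in ??)', which needs a real reference or should be cut before publication, and the draft-00 searchGuide description says "described above in 3.2.43" while enhancedSearchGuide is headed "3.2.44"; draft-01 replaces this pointer with "3.15", which cannot be checked from this region because enhancedSearchGuide does not appear in the draft-01 column. Also, "distinguishs" in the uniqueMember description (both columns) should read "distinguishes", and the telexNumber description has a stray space in "telex number , country code".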
skipping to change at page 23, line 29 skipping to change at page 26, line 32
4. The "teletexTerminalNumber" attribute and syntax are marked 4. The "teletexTerminalNumber" attribute and syntax are marked
as obsolete. as obsolete.
5. Removed "The syntax definitions are based on the ISODE "QUIPU" 5. Removed "The syntax definitions are based on the ISODE "QUIPU"
implementation of X.500." from section 6. implementation of X.500." from section 6.
6. Added text to 6.1, the octetString syntax, in accordance 6. Added text to 6.1, the octetString syntax, in accordance
with X.520. with X.520.
7. Some of the attribute types MUST be recognized by servers. 7. Some of the attribute types MUST be recognized by servers.
Also, several attributes are obsolete. Therefore, the various Also, several attributes are obsolete. Therefore, the
kinds of attribute types have been placed in separate sections: various kinds of attribute types have been placed in separate
sections:
- necessary for the directory to operate (section 3.1) - necessary for the directory to operate (section 3.1)
- for holding user information (section 3.2) - for holding user information (section 3.2)
- superseded or withdrawn (section 3.3). - superseded or withdrawn (section 3.3).
8. Since "top" may be implicitly specified and "alias" is not 8. Since "top" may be implicitly specified and "alias" is not
abstract, the last sentence in the description of the abstract, the last sentence in the description of the
"objectClass" attribute type, section 3.1.1, has been deleted. "objectClass" attribute type, section 3.1.1, has been deleted.
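Review bot: item 4 names the attribute "teletexTerminalNumber", but the attribute marked withdrawn in the body is teletexTerminalIdentifier (section 3.48 in draft-01, and item 10 later in this log uses that name), so item 4 should use the correct name or be merged with item 10. Items 5 and 6 cite "section 6" and "6.1, the octetString syntax" for the syntax text, whereas in draft-00 the syntaxes are Section 4 (Octet String is 4.4) and 6.1 is the octetStringMatch matching rule; the section numbers should be corrected so the log can be followed. Item 7 describes the attribute types as split into sections 3.1, 3.2 and 3.3, a structure draft-01 no longer has, so this entry should be marked as describing draft-00 only.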
skipping to change at page 23, line 53 skipping to change at page 27, line 8
9. Add a description to the definition of the "telephoneNumber" 9. Add a description to the definition of the "telephoneNumber"
attribute type, section 3.2.17. attribute type, section 3.2.17.
10. Add text to mark the "teletexTerminalIdentifier" attribute 10. Add text to mark the "teletexTerminalIdentifier" attribute
type as obsolete. type as obsolete.
11. Add a security consideration requiring strong authentication 11. Add a security consideration requiring strong authentication
in order to modify directory entries. in order to modify directory entries.
Changes to draft-ietf-ldapbis-user-schema-00.txt, resulting in draft-
ietf-ldapbis-user-schema-01.txt:
12. Delete the conformance requirement for subschema object 12. Delete the conformance requirement for subschema object
classes in favor of a statement in [1]. classes in favor of a statement in [1].
13. Add a Table of Contents 13. Add a Table of Contents
14. Replace the term "obsolete" with "superseded or withdrawn" 14. Replace the term "obsolete" with "superseded or withdrawn"
15. Add explanations to many attributes. 15. Added explanations to many attributes.
16. In the title, correct the X.500 reference to have the second
edition as the basis.
17. Throughout this I-D, cleaned up whitespace in the BNF
definitions.
18. Removed Section 4, Syntaxes, and Section 6, Matching Rules,
(moved to draft-ietf-ldapbis-syntaxes-01.txt).
19. Reorganized Section 3, Attributes, to eliminate grouping
attributes according to conformance requirements. Reordered
Section 3, Attributes, and Section 4, Object Classes,
alphabetically.
20. Added an explanation for each object class.
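Review bot: the section references in this log are stale after the reordering described in item 19: item 9 cites "section 3.2.17" for telephoneNumber, but in draft-01 telephoneNumber is section 3.47; either update the numbers or state that the log uses draft-00 numbering. Item 16, "correct the X.500 reference to have the second edition as the basis", also contradicts item 3, which says the basis is the third edition finalized in 1996 and approved in 1997; one of the two entries needs revising so the log is internally consistent. Minor: items 13 and 14 lack terminating periods, and item 15 was changed from "Add" to "Added" while items 12 to 14 remain imperative; the list should use one form throughout.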
This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/