draft-ietf-ldapbis-user-schema-01.txt / draft-ietf-ldapbis-user-schema-02.txt

(This page is a side-by-side comparison of the two drafts. The text below
follows -02; material present only in -01 is marked as such.)

INTERNET-DRAFT                                          K. Dally, Editor
Intended Category: Standard Track                        The MITRE Corp.
Expires 27 August 2002                                  27 February 2002
Obsoletes: RFC 2256
(-01: Expires 20 May 2001, 20 November 2001)

A Summary of the X.500(2nd edition) User Schema for use with LDAPv3
<draft-ietf-ldapbis-user-schema-02>

[Editor's note:
This Internet-Draft (I-D) is a modified version of the text of
RFC 2256, in order to bring it up to date. This action is part of
the maintenance activity that is needed in order to progress
LDAP (v3) to Draft Standard. The changes are described in Annex A
of this document.
End of Editor's note]

Status of this Memo

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.

This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor as a Standard Track document.
Distribution of this memo is unlimited. Technical discussion of
[...]

[...] classes defined by the ISO/IEC JTC1 and ITU-T committees in the
ISO/IEC 9594 and X.500 documents, in particular those intended for
use by directory clients. This is the most widely used schema for
LDAP/X.500 directories, and many other schema definitions for white
pages objects use it as a basis. This document does not cover
attributes used for the administration of X.500 directory servers,
nor does it include attributes defined by other ISO/ITU-T documents.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [KEYWD].
Table of Contents

Status of this Memo
Abstract
1. General Issues
2. Source
3. Attribute Types
   3.1  aliasedObjectName
   3.2  businessCategory
   3.3  c
   3.4  cn
   3.5  description
   3.6  destinationIndicator
   3.7  distinguishedName
   3.8  dnQualifier
   3.9  enhancedSearchGuide
   3.10 facsimileTelephoneNumber
   3.11 generationQualifier
   3.12 givenName
   3.13 houseIdentifier
   3.14 initials
   3.15 internationalISDNNumber
   3.16 knowledgeInformation
   3.17 l
   3.18 member
   3.19 name
   3.20 o
   3.21 objectClass
   3.22 ou
   3.23 owner
   3.24 physicalDeliveryOfficeName
   3.25 postalAddress
   3.26 postalCode
   3.27 postOfficeBox
   3.28 preferredDeliveryMethod
   3.29 presentationAddress
   3.30 protocolInformation
   3.31 registeredAddress
   3.32 roleOccupant
   3.33 searchGuide
   3.34 seeAlso
   3.35 serialNumber
   3.36 sn
   3.37 st
   3.38 street
   3.39 supportedApplicationContext
   3.40 telephoneNumber
   3.41 teletexTerminalIdentifier
   3.42 telexNumber
   3.43 title
   3.44 uniqueMember
   3.45 userPassword
   3.46 x121Address
   3.47 x500UniqueIdentifier
4. Object Classes
   4.1  alias
   4.2  applicationEntity
   4.3  applicationProcess
   4.4  country
   4.5  device
   4.6  dSA
   4.7  groupOfNames
   4.8  groupOfUniqueNames
   4.9  locality
   4.10 organization
   4.11 organizationalPerson
   4.12 organizationalRole
   4.13 organizationalUnit
   4.14 person
   4.15 residentialPerson
   4.16 top
5. Security Considerations
6. Acknowledgements
7. References
   7.1 Normative
   7.2 Informative
8. Author's Address
Annex A Change Log

[-01 only: the -01 table of contents additionally listed the items
dropped in -02: the attribute types authorityRevocationList (3.2),
cACertificate (3.5), certificateRevocationList (3.6),
crossCertificatePair (3.8), deltaRevocationList (3.9), dmdName (3.13),
supportedAlgorithms (3.45) and userCertificate (3.52), and the object
classes certificationAuthority (4.4), certificationAuthority-V2 (4.5),
cRLDistributionPoint (4.7), dmd (4.9), strongAuthenticationUser (4.20)
and userSecurityInformation (4.22).]
1. General Issues

This document references Syntaxes given in Section 3 of [SYNTAX] and
Matching Rules specified in Section 4 of [SYNTAX].

The Attribute Type and Object Class definitions are written using the
ABNF form of AttributeTypeDescription and ObjectClassDescription
given in [SYNTAX]. Lines have been folded for readability.

2. Source

The schema definitions in this document are based on those found in
X.500 [X501], [X509], [X520], and [X521], specifically:

   Sections       Source
   ============   ============
   3.1            X.501 [X501]
   3.2 - 3.20     X.520 [X520]
   3.21           X.501 [X501]
   3.22 - 3.44    X.520 [X520]
   3.45           X.509 [X509]
   3.46 - 3.47    X.520 [X520]
   4.1            X.501 [X501]
   4.2 - 4.15     X.521 [X521]
   4.16           X.501 [X501]

[-01 only; removed in -02:
Three new attributes: supportedAlgorithms, deltaRevocationList and
dmdName, and the new objectClass dmd, which were not specified in
X.500 edition 2 (1993), are defined in the X.500 edition 3 (1997)
[2, 3, 4, 5] documents.

Editor's note: Should these items be removed so that they are not
bringing in a second set of X.500 references? Perhaps they could be
put into a non-normative annex with reference to the later X.500
edition. End editor's note.]
3. Attribute Types

The Attribute Types contained in this section hold user information.

An LDAP server implementation MUST recognize the objectClass
Attribute Type.

There is no requirement that servers implement the following
Attribute Types:

   knowledgeInformation
   searchGuide
   teletexTerminalIdentifier

In fact, their use is greatly discouraged.

An LDAP server implementation SHOULD recognize the rest of the
Attribute Types described in this section.

3.1 aliasedObjectName

The aliasedObjectName Attribute Type is used by the directory
service if the entry containing this attribute is an alias. In
X.501 [X501], this Attribute Type is called aliasedEntryName.

   ( 2.5.4.1 NAME 'aliasedObjectName'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     SINGLE-VALUE )

The SYNTAX oid indicates the DN syntax.

authorityRevocationList (-01 section 3.2; removed in -02)

A value of this attribute is a list of CA certificates that are no
longer valid. This attribute is to be stored and requested in the
binary form, as 'authorityRevocationList;binary'.

   ( 2.5.4.38 NAME 'authorityRevocationList'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) ; CertificateList

3.2 businessCategory

This Attribute Type describes the kind of business performed by
an organization.

   ( 2.5.4.15 NAME 'businessCategory'
     EQUALITY caseIgnoreMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

The SYNTAX oid indicates the Directory String syntax.

3.3 c

This is the X.520 [X520] countryName Attribute Type, which contains
a two-letter ISO 3166 [Codes] country code.

   ( 2.5.4.6 NAME 'c'
     SUP name
     SINGLE-VALUE )

cACertificate (-01 section 3.5; removed in -02)

A value of this attribute is a set of information that is used to
establish a traceable chain of authority for issuing user
certificates. This attribute is to be stored and requested in the
binary form, as 'cACertificate;binary'.

   ( 2.5.4.37 NAME 'cACertificate'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 ) ; Certificate

certificateRevocationList (-01 section 3.6; removed in -02)

A value of this attribute is a list of user certificates that are no
longer valid. This attribute is to be stored and requested in the
binary form, as 'certificateRevocationList;binary'.

   ( 2.5.4.39 NAME 'certificateRevocationList'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) ; CertificateList

3.4 cn

This is the X.520 [X520] commonName Attribute Type, which contains
a name of an object. If the object corresponds to a person, it is
typically the person's full name.

   ( 2.5.4.3 NAME 'cn'
     SUP name )

crossCertificatePair (-01 section 3.8; removed in -02)

A value of this attribute is a set of two certificates that are used
to enable the certificates issued in two security domains to be
usable in both domains. This attribute is to be stored and requested
in the binary form, as 'crossCertificatePair;binary'.

   ( 2.5.4.40 NAME 'crossCertificatePair'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 ) ; CertificatePair

deltaRevocationList (-01 section 3.9; removed in -02)

This attribute contains a list of revoked user certificates that is
an addition to a previous certificate revocation list. This
attribute is to be stored and requested in the binary form, as
'deltaRevocationList;binary'.

   ( 2.5.4.53 NAME 'deltaRevocationList'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) ; CertificateList

3.5 description

This Attribute Type contains a human-readable description of
the object.

   ( 2.5.4.13 NAME 'description'
     EQUALITY caseIgnoreMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

The SYNTAX oid indicates the Directory String syntax.

3.6 destinationIndicator

This attribute is used for the telegram service.

   ( 2.5.4.27 NAME 'destinationIndicator'
     EQUALITY caseIgnoreMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )

The SYNTAX oid indicates the Printable String syntax.

3.7 distinguishedName

This Attribute Type is not used as the name of the object itself,
but it is instead a base type from which attributes with DN syntax
inherit.

It is unlikely that values of this type itself will occur in an
entry. LDAP server implementations which do not support attribute
subtyping need not recognize this attribute in requests. Client
implementations MUST NOT assume that LDAP servers are capable of
performing attribute subtyping.

   ( 2.5.4.49 NAME 'distinguishedName'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

The SYNTAX oid indicates the DN syntax.

dmdName (-01 section 3.13; removed in -02)

The value of this attribute specifies a directory management domain
(DMD), the administrative authority which operates the directory
server.

   ( 2.5.4.54 NAME 'dmdName'
     SUP name )

3.8 dnQualifier

The dnQualifier Attribute Type specifies disambiguating information
to add to the relative distinguished name of an entry. It is
intended for use when merging data from multiple sources in order to
prevent conflicts between entries which would otherwise have the same
name. It is recommended that the value of the dnQualifier attribute
be the same for all entries from a particular source.

   ( 2.5.4.46 NAME 'dnQualifier'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )

The SYNTAX oid indicates the Printable String syntax.

3.9 enhancedSearchGuide

This attribute is for use by X.500 clients in constructing search
filters.

   ( 2.5.4.47 NAME 'enhancedSearchGuide'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )

The SYNTAX oid indicates the Enhanced Guide syntax.

3.10 facsimileTelephoneNumber

A value of this Attribute Type is a telephone number for a facsimile
terminal (and, optionally, its parameters).

   ( 2.5.4.23 NAME 'facsimileTelephoneNumber'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )

The SYNTAX oid indicates the Facsimile Telephone Number syntax.

3.11 generationQualifier

The generationQualifier Attribute Type contains the part of a
person's name which typically is the suffix, as in "IIIrd".

   ( 2.5.4.44 NAME 'generationQualifier'
     SUP name )

3.12 givenName

The givenName Attribute Type is used to hold the part of a person's
name which is not their surname nor middle name.

   ( 2.5.4.42 NAME 'givenName'
     SUP name )

3.13 houseIdentifier

This Attribute Type is used to identify a building within a location.

   ( 2.5.4.51 NAME 'houseIdentifier'
     EQUALITY caseIgnoreMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

The SYNTAX oid indicates the Directory String syntax.

3.14 initials

The initials Attribute Type contains the initials of some or all of
an individual's names, except the surname(s).

   ( 2.5.4.43 NAME 'initials'
     SUP name )

3.15 internationalISDNNumber

A value of this Attribute Type is an ISDN address, as defined in
ITU Recommendation E.164 [ISDN].

   ( 2.5.4.25 NAME 'internationalISDNNumber'
     EQUALITY numericStringMatch
     SUBSTR numericStringSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} )

The SYNTAX oid indicates the Numeric String syntax.

3.16 knowledgeInformation

This attribute is superseded by the system schema attributes which
hold the pointers to other LDAP servers.

   ( 2.5.4.2 NAME 'knowledgeInformation'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

The SYNTAX oid indicates the Directory String syntax.

3.17 l

This is the X.520 [X520] localityName Attribute Type, which contains
the name of a locality or place, such as a city, county or other
geographic region.

   ( 2.5.4.7 NAME 'l'
     SUP name )

3.18 member

A value of this Attribute Type is the Distinguished Name of an
object that is on a list or in a group.

   ( 2.5.4.31 NAME 'member'
     SUP distinguishedName )

3.19 name

The name Attribute Type is the attribute supertype from which string
Attribute Types typically used for naming may be formed. It is
unlikely that values of this type itself will occur in an entry.
LDAP server implementations which do not support attribute subtyping
need not recognize this attribute in requests. Client
implementations MUST NOT assume that LDAP servers are capable of
performing attribute subtyping.

   ( 2.5.4.41 NAME 'name'
     EQUALITY caseIgnoreMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

The SYNTAX oid indicates the Directory String syntax.
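Sections 1, 3.7 and 3.19 above say that the definitions are written as
AttributeTypeDescription strings and that subtypes such as c, cn and
member inherit their syntax and matching rules from name or
distinguishedName, while a client MUST NOT assume the server performs
that subtyping. The following Python is an added example, not part of
the draft or of any LDAP implementation: it parses the descriptions as
this page prints them, resolves the SUP chain so the inherited EQUALITY,
SUBSTR and SYNTAX become visible, expands a supertype into the concrete
attributes a client has to request by name, and checks candidate values
against SINGLE-VALUE and the {len} bound. The sample schema text is
constructed from the definitions in 3.2, 3.3, 3.4, 3.7, 3.18 and 3.19;
the function and class names are the example's own.

```python
"""Schema registry for the AttributeTypeDescription strings printed in
this document, with X.501-style attribute subtyping resolved on the
client side.  Added example, not part of the draft.  Handles only the
subset of the ABNF this page uses: a single quoted NAME, one SUP,
EQUALITY/SUBSTR, SYNTAX with an optional {len}, and SINGLE-VALUE."""
from __future__ import annotations
import re
from dataclasses import dataclass, replace
from typing import Optional

# Constructed sample: the definitions from sections 3.2, 3.3, 3.4, 3.7,
# 3.18 and 3.19 above, copied as the draft prints them.
SAMPLE_SCHEMA = """
( 2.5.4.41 NAME 'name'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
( 2.5.4.6 NAME 'c' SUP name SINGLE-VALUE )
( 2.5.4.3 NAME 'cn' SUP name )
( 2.5.4.49 NAME 'distinguishedName'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
( 2.5.4.31 NAME 'member' SUP distinguishedName )
( 2.5.4.15 NAME 'businessCategory'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
"""

_DESC = re.compile(r"\(\s*([0-9.]+)\s+(.*?)\s*\)", re.S)        # one '( oid ... )'
_KV = re.compile(r"\b(NAME|SUP|EQUALITY|SUBSTR|SYNTAX)\s+'?([^\s')]+)'?")

@dataclass
class AttributeType:
    oid: str
    name: str
    sup: Optional[str] = None
    equality: Optional[str] = None
    substr: Optional[str] = None
    syntax: Optional[str] = None     # syntax OID without the {len} part
    max_len: Optional[int] = None    # the {len} bound, if one was given
    single_value: bool = False

def parse_schema(text: str) -> dict[str, AttributeType]:
    """Parse every description in `text`; keys are lower-cased NAMEs."""
    types: dict[str, AttributeType] = {}
    for m in _DESC.finditer(text):
        oid, body = m.group(1), m.group(2)
        f = {k.lower(): v for k, v in _KV.findall(body)}
        syntax, max_len = f.get("syntax"), None
        if syntax and "{" in syntax:                   # e.g. ...1.15{128}
            syntax, bound = syntax.rstrip("}").split("{")
            max_len = int(bound)
        at = AttributeType(oid, f["name"], f.get("sup"), f.get("equality"),
                           f.get("substr"), syntax, max_len, "SINGLE-VALUE" in body)
        types[at.name.lower()] = at
    return types

def resolve(types: dict[str, AttributeType], name: str) -> AttributeType:
    """Walk the SUP chain: a subtype inherits the syntax and matching rules
    it does not state itself (sections 1, 3.7 and 3.19)."""
    out = replace(types[name.lower()])
    seen, cur = {out.name.lower()}, out
    while cur.sup:
        if cur.sup.lower() in seen:
            raise ValueError(f"SUP cycle at {cur.sup}")
        seen.add(cur.sup.lower())
        cur = types[cur.sup.lower()]
        out.equality = out.equality or cur.equality
        out.substr = out.substr or cur.substr
        if out.syntax is None:
            out.syntax, out.max_len = cur.syntax, cur.max_len
    return out

def subtypes_of(types: dict[str, AttributeType], name: str) -> list[str]:
    """The concrete attributes a client must request by name when it wants
    everything under a supertype, since it MUST NOT assume the server
    performs subtyping (sections 3.7 and 3.19)."""
    wanted, grown = {name.lower()}, True
    while grown:
        grown = False
        for at in types.values():
            if at.sup and at.sup.lower() in wanted and at.name.lower() not in wanted:
                wanted.add(at.name.lower())
                grown = True
    return sorted(types[n].name for n in wanted)

def check_values(types: dict[str, AttributeType], name: str, values: list[str]) -> list[str]:
    """Problems an entry carrying `values` would have under the resolved
    definition.  {len} is the minimum upper bound a server must support, so
    longer values are flagged as ones a conforming server may refuse."""
    at = resolve(types, name)
    problems = []
    if at.single_value and len(values) > 1:
        problems.append(f"{at.name}: SINGLE-VALUE but {len(values)} values")
    for v in values:
        if at.max_len is not None and len(v) > at.max_len:
            problems.append(f"{at.name}: value of {len(v)} chars exceeds {{{at.max_len}}}")
    return problems

if __name__ == "__main__":
    schema = parse_schema(SAMPLE_SCHEMA)
    print(resolve(schema, "c"))          # caseIgnoreMatch and DirectoryString
                                         # inherited from name
    print(subtypes_of(schema, "name"))   # ['c', 'cn', 'name']
    print(check_values(schema, "c", ["US", "GB"]))
```

The practical consequence of subtypes_of is that a client wanting "all
naming attributes" lists cn, sn, o, ou and the rest explicitly in its
search request; asking for name alone works only on servers that happen
to implement subtyping, which the draft says cannot be assumed.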
3.20 o

This is the X.520 [X520] organizationName Attribute Type, which
contains the name of an organization.

   ( 2.5.4.10 NAME 'o'
     SUP name )

3.21 objectClass

The values of the objectClass Attribute Type describe the kind of
object which an entry represents. The objectClass attribute is
present in every entry.

   ( 2.5.4.0 NAME 'objectClass'
     EQUALITY objectIdentifierMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

The SYNTAX oid indicates the OID syntax.

3.22 ou

This is the X.520 [X520] organizationalUnitName Attribute Type,
which contains the name of an organizational unit.

   ( 2.5.4.11 NAME 'ou'
     SUP name )

3.23 owner

A value of this Attribute Type is the Distinguished Name of an
object that has an ownership responsibility for the object that
is owned.

   ( 2.5.4.32 NAME 'owner'
     SUP distinguishedName )

3.24 physicalDeliveryOfficeName

This attribute contains the name that a Postal Service uses to
identify a post office.

   ( 2.5.4.19 NAME 'physicalDeliveryOfficeName'
     EQUALITY caseIgnoreMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

The SYNTAX oid indicates the Directory String syntax.

3.25 postalAddress

This attribute contains an address used by a Postal Service to
perform services for the object.

   ( 2.5.4.16 NAME 'postalAddress'
     EQUALITY caseIgnoreListMatch
     SUBSTR caseIgnoreListSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

The SYNTAX oid indicates the Postal Address syntax.

3.26 postalCode

This attribute contains a code used by a Postal Service to identify
a postal service zone, such as the southern quadrant of a city.

   ( 2.5.4.17 NAME 'postalCode'
     EQUALITY caseIgnoreMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )

The SYNTAX oid indicates the Directory String syntax.

3.27 postOfficeBox

This attribute contains the number that a Postal Service uses when a
customer arranges to receive mail at a box on premises of the Postal
Service.

   ( 2.5.4.18 NAME 'postOfficeBox'
     EQUALITY caseIgnoreMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )

The SYNTAX oid indicates the Directory String syntax.

3.28 preferredDeliveryMethod

This attribute contains an indication of the preferred method of
getting a message to the object.

   ( 2.5.4.28 NAME 'preferredDeliveryMethod'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
     SINGLE-VALUE )

The SYNTAX oid indicates the Delivery Method syntax.

3.29 presentationAddress

This attribute contains an OSI presentation layer address.

   ( 2.5.4.29 NAME 'presentationAddress'
     EQUALITY presentationAddressMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.43
     SINGLE-VALUE )

The SYNTAX oid indicates the Presentation Address syntax.

3.30 protocolInformation

This Attribute Type is used in conjunction with the
presentationAddress Attribute Type, to provide additional
information to the OSI network service.

   ( 2.5.4.48 NAME 'protocolInformation'
     EQUALITY protocolInformationMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 )

The SYNTAX oid indicates the Protocol Information syntax.

3.31 registeredAddress

This attribute holds a postal address suitable for reception of
telegrams or expedited documents, where it is necessary to have the
recipient accept delivery.

   ( 2.5.4.26 NAME 'registeredAddress'
     SUP postalAddress
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

The SYNTAX oid indicates the Postal Address syntax.

3.32 roleOccupant

A value of this Attribute Type is the Distinguished Name of an
object (normally a person) that fulfills the responsibilities of a
role object.

   ( 2.5.4.33 NAME 'roleOccupant'
     SUP distinguishedName )

3.33 searchGuide

This Attribute Type is for use by clients in constructing search
filters. It is superseded by enhancedSearchGuide, described above
in section 3.9.

   ( 2.5.4.14 NAME 'searchGuide'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )

The SYNTAX oid indicates the Guide syntax.

3.34 seeAlso

A value of this Attribute Type is the Distinguished Name of an
object that is related to the subject object.

   ( 2.5.4.34 NAME 'seeAlso'
     SUP distinguishedName )
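member, owner, roleOccupant and seeAlso (3.18, 3.23, 3.32, 3.34) are
DN-valued subtypes of distinguishedName, so their values compare under
distinguishedNameMatch rather than as byte strings: attribute types in
the DN are case-insensitive, the values of name-family attributes match
under caseIgnoreMatch, and a multi-valued RDN is an unordered set. A
client that decides group membership by comparing member values as plain
strings therefore gets false negatives (and, with a substring test,
false positives). The following Python is an added example, not code
from the draft or from any directory server: a small DN normaliser that
assumes the LDAP string form of a DN (RDNs separated by ',', attribute
values within an RDN by '+', backslash escapes for special characters
and \XX hex escapes) and applies the case-ignore rule to the attributes
this page defines with it, with a membership check built on top. The
group entry is constructed sample data, the function names are the
example's own, and \XX is decoded as a single code point, which is
adequate for ASCII only.

```python
"""DN comparison under distinguishedNameMatch for the DN-valued attributes
on this page (member, owner, roleOccupant, seeAlso).  Added example, not
code from the draft or any directory server.  Assumes the LDAP DN string
form: RDNs separated by ',', attribute values in an RDN by '+', and
backslash escapes (\\x for a special character, \\XX for a hex byte)."""
from __future__ import annotations
import re

# Attributes whose EQUALITY on this page is caseIgnoreMatch, directly or
# inherited through SUP name (3.2, 3.5, 3.8, 3.13, 3.19 and the name subtypes).
CASE_IGNORE = {"name", "c", "cn", "sn", "o", "ou", "l", "st", "givenname",
               "initials", "generationqualifier", "businesscategory",
               "description", "dnqualifier", "houseidentifier"}

# Constructed sample group entry: member values written by two different
# clients (upper/lower case types, extra spaces, an escaped comma, a hex
# escaped space).
GROUP_ENTRY = {
    "cn": ["admins"],
    "member": [
        "CN=Alice Example,OU=Ops,O=Example\\, Inc.",
        "cn=bob\\20smith, ou=ops, o=Example\\, Inc.",
    ],
}

def _split_unescaped(s: str, sep: str) -> list[str]:
    """Split on `sep` unless it is preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2]); i += 2; continue
        if s[i] == sep:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts

def _unescape(v: str) -> str:
    """Drop unescaped surrounding spaces, then resolve \\x and \\XX escapes."""
    v = v.lstrip(" ")
    while v.endswith(" ") and not v.endswith("\\ "):
        v = v[:-1]
    out, i = [], 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            if re.fullmatch(r"[0-9A-Fa-f]{2}", v[i + 1:i + 3]):
                out.append(chr(int(v[i + 1:i + 3], 16))); i += 3   # ASCII only
                continue
            out.append(v[i + 1]); i += 2
            continue
        out.append(v[i]); i += 1
    return "".join(out)

def _normalize(attr: str, value: str) -> str:
    """Apply the attribute's equality rule: caseIgnoreMatch folds case and
    collapses runs of spaces; anything else is compared exactly."""
    return " ".join(value.casefold().split()) if attr in CASE_IGNORE else value

def parse_dn(dn: str) -> tuple:
    """DN -> tuple of RDNs, each an unordered set of (type, normalised value)."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = set()
        for ava in _split_unescaped(rdn, "+"):
            t, _, v = ava.partition("=")      # first '=' separates type and value
            t = t.strip().casefold()
            avas.add((t, _normalize(t, _unescape(v))))
        rdns.append(frozenset(avas))
    return tuple(rdns)

def dn_match(a: str, b: str) -> bool:
    """distinguishedNameMatch: same RDN sequence, RDN by RDN."""
    return parse_dn(a) == parse_dn(b)

def is_member(entry: dict, candidate_dn: str, attr: str = "member") -> bool:
    """Membership decided the way the schema says: by distinguishedNameMatch."""
    return any(dn_match(v, candidate_dn) for v in entry.get(attr, []))

if __name__ == "__main__":
    who = "cn=alice example, ou=ops, o=Example\\, Inc."
    print(who in GROUP_ENTRY["member"])   # False: plain string comparison
    print(is_member(GROUP_ENTRY, who))    # True: distinguishedNameMatch
```

The same comparison applies when an owner or roleOccupant value is used
to grant a right: the DN the server reports as the bound identity and the
DN stored in the attribute are only guaranteed to match under
distinguishedNameMatch, not character for character.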
3.35 serialNumber

This attribute contains the serial number of a device.

   ( 2.5.4.5 NAME 'serialNumber'
     EQUALITY caseIgnoreMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )

The SYNTAX oid indicates the Printable String syntax.

3.36 sn

This is the X.520 [X520] surname Attribute Type, which contains the
family name of a person.

   ( 2.5.4.4 NAME 'sn'
     SUP name )

3.37 st

This is the X.520 [X520] stateOrProvinceName attribute, which
contains the full name of a state or province.

   ( 2.5.4.8 NAME 'st'
     SUP name )

3.38 street

This is the X.520 [X520] streetAddress attribute, which contains the
physical address of the object to which the entry corresponds, such
as an address for package delivery.

   ( 2.5.4.9 NAME 'street'
     EQUALITY caseIgnoreMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

The SYNTAX oid indicates the Directory String syntax.

supportedAlgorithms (-01 section 3.45; removed in -02)

This attribute contains the identifiers of cryptographic algorithms
that the object implements. This attribute is to be stored and
requested in the binary form, as 'supportedAlgorithms;binary'.

   ( 2.5.4.52 NAME 'supportedAlgorithms'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 ) ; SupportedAlgorithm

3.39 supportedApplicationContext

This attribute contains the identifiers of OSI application
contexts.

   ( 2.5.4.30 NAME 'supportedApplicationContext'
     EQUALITY objectIdentifierMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

The SYNTAX oid indicates the OID syntax.

3.40 telephoneNumber

A value of this Attribute Type is a telephone number complying with
ITU Recommendation E.123 [E123].

   ( 2.5.4.20 NAME 'telephoneNumber'
     EQUALITY telephoneNumberMatch
     SUBSTR telephoneNumberSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )

The SYNTAX oid indicates the Telephone Number syntax.

3.41 teletexTerminalIdentifier

The withdrawal of Rec. F.200 has resulted in the withdrawal of this
attribute.

   ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )

The SYNTAX oid indicates the Teletex Terminal Identifier syntax.

3.42 telexNumber

A value of this Attribute Type is a telex number, country code, and
answerback code of a telex terminal.

   ( 2.5.4.21 NAME 'telexNumber'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )

The SYNTAX oid indicates the Telex Number syntax.

3.43 title

This attribute contains the title, such as "Vice President", of a
person in their organizational context. The "personalTitle" person in their organizational context. The "personalTitle"
attribute would be used for a person's title independent of their job attribute would be used for a person's title independent of their
function. job function.
( 2.5.4.12 NAME 'title' ( 2.5.4.12 NAME 'title'
SUP name ) SUP name )
3.51 uniqueMember 3.44 uniqueMember
A value of this attribute is the Distinguished Name of an object A value of this Attribute Type is the Distinguished Name of an
that is on a list or in a group, where the Relative Distinguished object that is on a list or in a group, where the Relative
Name of the object includes a value that distinguishs between Distinguished Name of the object includes a value that distinguishs
objects when a distinguished name has been reused. between objects when a distinguished name has been reused.
( 2.5.4.50 NAME 'uniqueMember' ( 2.5.4.50 NAME 'uniqueMember'
EQUALITY uniqueMemberMatch EQUALITY uniqueMemberMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 ) ; NameAndOptionalUID SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )
3.52 userCertificate
A value of this attribute is a set of information that is used to
protect business systems, including the directory system and its
contents, from a number of threats. The protection is realized by
verifying the object is authorized to use the business system for
certain purposes. This attribute is to be stored and requested in
the binary form, as 'userCertificate;binary'.
( 2.5.4.36 NAME 'userCertificate' The SYNTAX oid indicates the Name and Optional UID syntax.
SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 ) ; Certificate
3.53 userPassword 3.45 userPassword
A value of this attribute is a character string that is known only A value of this Attribute Type is a character string that is known
to the user and the system to which the user has access. only to the user and the system to which the user has access.
( 2.5.4.35 NAME 'userPassword' ( 2.5.4.35 NAME 'userPassword'
EQUALITY octetStringMatch EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} ) ; OctetString SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
The SYNTAX oid indicates the Octet String syntax.
Passwords are stored using an Octet String syntax and are not Passwords are stored using an Octet String syntax and are not
encrypted. Transfer of cleartext passwords is strongly discouraged encrypted. Transfer of cleartext passwords is strongly discouraged
where the underlying transport service cannot guarantee where the underlying transport service cannot guarantee
confidentiality and may result in disclosure of the password to confidentiality and may result in disclosure of the password to
unauthorized parties. unauthorized parties.
3.54 x121Address 3.46 x121Address
A value of this attribute is a data network address as defined by A value of this Attribute Type is a data network address as defined
CCITT Recommendation X.121. by ITU Recommendation X.121 [X121].
( 2.5.4.24 NAME 'x121Address' ( 2.5.4.24 NAME 'x121Address'
EQUALITY numericStringMatch EQUALITY numericStringMatch
SUBSTR numericStringSubstringsMatch SUBSTR numericStringSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} ) ; NumericString SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} )
The SYNTAX oid indicates the Numeric String syntax.
3.55 x500UniqueIdentifier 3.55 x500UniqueIdentifier
The x500UniqueIdentifier attribute is used to distinguish between The x500UniqueIdentifier Attribute Type is used to distinguish
objects when a distinguished name has been reused. In X.500, this between objects when a distinguished name has been reused. In X.520
attribute is called uniqueIdentifier. This is a different attribute [X520], this Attribute Type is called uniqueIdentifier. This is a
type from both the "uid" and "uniqueIdentifier" (defined in ??) different Attribute Type from both the "uid" and "uniqueIdentifier"
types. Attribute Types.
( 2.5.4.45 NAME 'x500UniqueIdentifier' ( 2.5.4.45 NAME 'x500UniqueIdentifier'
EQUALITY bitStringMatch EQUALITY bitStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 ) ; BitString SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )
The SYNTAX oid indicates the Bit String syntax.
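The definitions above pair each Attribute Type with a SYNTAX oid, an optional length bound in braces, and an EQUALITY rule. The following is an added example, not text or code from the draft: it extracts those three pieces from a handful of definitions copied from this section and uses them to bound-check values and to compare them the way the named matching rule does. The character sets for Printable String and Numeric String follow the syntax definitions the draft references ([SYNTAX]) rather than restates; treating Telephone Number values as Printable String is an assumption of this example, as are the sample values.

```python
"""Added example: value checks driven by the SYNTAX{len} and EQUALITY
clauses of the Attribute Type definitions in Section 3."""
import re

# Copied from Section 3 of the draft (comments after ')' dropped).
ATTRIBUTE_DEFINITIONS = """
( 2.5.4.5 NAME 'serialNumber'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )
( 2.5.4.20 NAME 'telephoneNumber'
  EQUALITY telephoneNumberMatch
  SUBSTR telephoneNumberSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )
( 2.5.4.35 NAME 'userPassword'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
( 2.5.4.24 NAME 'x121Address'
  EQUALITY numericStringMatch
  SUBSTR numericStringSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} )
"""

# Character sets of the referenced syntaxes (X.680 PrintableString and
# NumericString).  Telephone Number is treated as PrintableString here;
# that is an assumption of this example, not a statement of the draft.
_PRINTABLE = re.compile(r"^[A-Za-z0-9 '()+,\-./:=?]*$")
_NUMERIC = re.compile(r"^[0-9 ]*$")
SYNTAXES = {
    "1.3.6.1.4.1.1466.115.121.1.44": ("Printable String", _PRINTABLE),
    "1.3.6.1.4.1.1466.115.121.1.50": ("Telephone Number", _PRINTABLE),
    "1.3.6.1.4.1.1466.115.121.1.40": ("Octet String", None),  # any bytes
    "1.3.6.1.4.1.1466.115.121.1.36": ("Numeric String", _NUMERIC),
}

# One definition: "( oid NAME 'name' [EQUALITY r] [SUBSTR r] SYNTAX oid{n} )"
_DEF = re.compile(
    r"\(\s*(?P<oid>[\d.]+)\s+NAME\s+'(?P<name>[^']+)'"
    r"(?:\s+EQUALITY\s+(?P<eq>\S+))?"
    r"(?:\s+SUBSTR\s+(?P<substr>\S+))?"
    r"\s+SYNTAX\s+(?P<syntax>[\d.]+)(?:\{(?P<max>\d+)\})?\s*\)", re.S)


def load_attribute_types(text):
    """Map attribute name -> {oid, equality, syntax, max_len}."""
    types = {}
    for m in _DEF.finditer(text):
        types[m["name"]] = {
            "oid": m["oid"], "equality": m["eq"], "syntax": m["syntax"],
            "max_len": int(m["max"]) if m["max"] else None,
        }
    return types


def check_value(types, attr, value):
    """Return None if the value fits the attribute's SYNTAX and length
    bound, otherwise a short reason.  Length is counted in octets, which
    is what the {n} bound in the definition constrains."""
    t = types[attr]
    syntax_name, charset = SYNTAXES[t["syntax"]]
    raw = value if isinstance(value, bytes) else value.encode("utf-8")
    if t["max_len"] is not None and len(raw) > t["max_len"]:
        return f"{attr}: exceeds {syntax_name}{{{t['max_len']}}} bound"
    if charset is not None and not charset.match(raw.decode("utf-8", "replace")):
        return f"{attr}: not a valid {syntax_name}"
    return None


def values_match(types, attr, a, b):
    """Compare two values under the attribute's EQUALITY rule:
    caseIgnoreMatch folds case and collapses runs of spaces,
    numericStringMatch ignores spaces, telephoneNumberMatch ignores
    spaces and hyphens, octetStringMatch compares exactly."""
    rule = types[attr]["equality"]
    if rule == "caseIgnoreMatch":
        return " ".join(a.split()).lower() == " ".join(b.split()).lower()
    if rule == "numericStringMatch":
        return a.replace(" ", "") == b.replace(" ", "")
    if rule == "telephoneNumberMatch":
        def strip(s):
            return s.replace(" ", "").replace("-", "")
        return strip(a) == strip(b)
    return a == b  # octetStringMatch and any unknown rule: exact comparison


if __name__ == "__main__":
    T = load_attribute_types(ATTRIBUTE_DEFINITIONS)
    # Constructed sample values, not from the draft.
    for attr, val in [("x121Address", "3110 123456789"), ("x121Address", "31-10"),
                      ("serialNumber", "SN#1234"), ("userPassword", b"x" * 129)]:
        print(attr, repr(val), "->", check_value(T, attr, val) or "ok")
```

The octet-count bound matters for userPassword in particular: the {128} limit applies to the stored octets, so a client that encodes a long passphrase in a multi-byte character set can exceed the bound with far fewer than 128 characters. Note also that octetStringMatch is the only exact rule here; the case-folding and space-ignoring rules on the other attributes must not be applied to password comparison.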
4. Object Classes

LDAP servers MUST recognize the Object Class "top". LDAP servers
SHOULD recognize all the other Object Classes listed here as values
of the objectClass attribute.

4.1 alias

The alias Object Class enables more than one Distinguished Name to
designate an entry by providing an alias entry. The alias entry
contains a pointer to the other entry. The pointer is automatically
followed when the alias entry is found in the process of locating
the target entry(s) of an operation.

( 2.5.6.1 NAME 'alias'
  SUP top
  STRUCTURAL
  MUST aliasedObjectName )

4.2 applicationEntity

The applicationEntity Object Class definition is the basis of an
entry which represents the interconnection aspects of an application
process in a distributed environment.

( 2.5.6.12 NAME 'applicationEntity'
  SUP top
  STRUCTURAL
  MUST ( presentationAddress $ cn )
  MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $
        description ) )

4.3 applicationProcess

The applicationProcess Object Class definition is the basis of an
entry which represents an application executing in a computer system.

( 2.5.6.11 NAME 'applicationProcess'
  SUP top
  STRUCTURAL
  MUST cn
  MAY ( seeAlso $ ou $ l $ description ) )

[Text present in draft-01 only (its Sections 4.4 and 4.5); removed in
draft-02:]

4.4 certificationAuthority

The certificationAuthority object class is the collection of
attributes that are needed in an entry which represents an issuer of
certificates in a security system.

( 2.5.6.16 NAME 'certificationAuthority'
  SUP top
  AUXILIARY
  MUST ( authorityRevocationList $ certificateRevocationList $
         cACertificate )
  MAY crossCertificatePair )

4.5 certificationAuthority-V2

The certificationAuthority-V2 object class adds the
deltaRevocationList attribute to the collection in the
certificationAuthority object class, as an option.

( 2.5.6.16.2 NAME 'certificationAuthority-V2'
  SUP certificationAuthority
  AUXILIARY
  MAY ( deltaRevocationList ) )

[End of draft-01 only text]

4.4 country

The country Object Class definition is the basis of an entry which
represents a country.

( 2.5.6.2 NAME 'country'
  SUP top
  STRUCTURAL
  MUST c
  MAY ( searchGuide $ description ) )

[Text present in draft-01 only (its Section 4.7); removed in draft-02:]

4.7 cRLDistributionPoint

The cRLDistributionPoint object class is the basis of an entry which
represents a source of certificate revocation lists in a security
system.

( 2.5.6.19 NAME 'cRLDistributionPoint'
  SUP top
  STRUCTURAL
  MUST ( cn )
  MAY ( certificateRevocationList $ authorityRevocationList $
        deltaRevocationList ) )

[End of draft-01 only text]

4.5 device

The device Object Class is the basis of an entry which represents
an appliance or computer or network element.

( 2.5.6.14 NAME 'device'
  SUP top
  STRUCTURAL
  MUST cn
  MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )

[Text present in draft-01 only (its Section 4.9); removed in draft-02:]

4.9 dmd

The dmd object class is the basis of an entry which represents the
set of one or more DSAs and zero or more DUAs managed by a single
organization, i.e., a Directory Management Domain.

( 2.5.6.20 NAME 'dmd'
  SUP top
  STRUCTURAL
  MUST ( dmdName )
  MAY ( userPassword $ searchGuide $ seeAlso $
        businessCategory $ x121Address $ registeredAddress $
        destinationIndicator $ preferredDeliveryMethod $ telexNumber $
        teletexTerminalIdentifier $ telephoneNumber $
        internationaliSDNNumber $ facsimileTelephoneNumber $ street $
        postOfficeBox $ postalCode $ postalAddress $
        physicalDeliveryOfficeName $ st $ l $
        description ) )

[End of draft-01 only text]

4.6 dSA

The dSA (Directory System Agent) Object Class is the basis of an
entry which represents a server in a directory system.

( 2.5.6.13 NAME 'dSA'
  SUP applicationEntity
  STRUCTURAL
  MAY knowledgeInformation )

4.7 groupOfNames

The groupOfNames Object Class is the basis of an entry which
represents a set of named objects including information related to
the purpose or maintenance of the set.

( 2.5.6.9 NAME 'groupOfNames'
  SUP top
  STRUCTURAL
  MUST ( member $ cn )
  MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )

4.8 groupOfUniqueNames

The groupOfUniqueNames Object Class is the same as the groupOfNames
object class except that the object names are not repeated or
reassigned within a set scope.

( 2.5.6.17 NAME 'groupOfUniqueNames'
  SUP top
  STRUCTURAL
  MUST ( uniqueMember $ cn )
  MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )

4.9 locality

The locality Object Class is the basis of an entry which
represents a place in the physical world.

( 2.5.6.3 NAME 'locality'
  SUP top
  STRUCTURAL
  MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) )

4.10 organization

The organization Object Class is the basis of an entry which
represents a structured group of people.

( 2.5.6.4 NAME 'organization'
  SUP top
  STRUCTURAL
  MUST o
  MAY ( userPassword $ searchGuide $ seeAlso $
        businessCategory $ x121Address $ registeredAddress $
        destinationIndicator $ preferredDeliveryMethod $
        telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
        internationaliSDNNumber $ facsimileTelephoneNumber $
        street $ postOfficeBox $ postalCode $
        postalAddress $ physicalDeliveryOfficeName $ st $
        l $ description ) )

4.11 organizationalPerson

The organizationalPerson Object Class is the basis of an entry which
represents a person in relation to an organization.

( 2.5.6.7 NAME 'organizationalPerson'
  SUP person
  STRUCTURAL
  MAY ( title $ x121Address $ registeredAddress $
        destinationIndicator $ preferredDeliveryMethod $
        telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
        internationaliSDNNumber $ facsimileTelephoneNumber $
        street $ postOfficeBox $ postalCode $ postalAddress $
        physicalDeliveryOfficeName $ ou $ st $ l ) )

4.12 organizationalRole

The organizationalRole Object Class is the basis of an entry which
represents a job or function or position in an organization.

( 2.5.6.8 NAME 'organizationalRole'
  SUP top
  STRUCTURAL
  MUST cn
  MAY ( x121Address $ registeredAddress $ destinationIndicator $
        preferredDeliveryMethod $ telexNumber $
        teletexTerminalIdentifier $ telephoneNumber $
        internationaliSDNNumber $ facsimileTelephoneNumber $
        seeAlso $ roleOccupant $ preferredDeliveryMethod $
        street $ postOfficeBox $ postalCode $ postalAddress $
        physicalDeliveryOfficeName $ ou $ st $ l $ description ) )

4.13 organizationalUnit

The organizationalUnit Object Class is the basis of an entry which
represents a piece of an organization.

( 2.5.6.5 NAME 'organizationalUnit'
  SUP top
  STRUCTURAL
  MUST ou
  MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
        x121Address $ registeredAddress $ destinationIndicator $
        preferredDeliveryMethod $ telexNumber $
        teletexTerminalIdentifier $ telephoneNumber $
        internationaliSDNNumber $ facsimileTelephoneNumber $
        street $ postOfficeBox $ postalCode $ postalAddress $
        physicalDeliveryOfficeName $ st $ l $ description ) )

4.14 person

The person Object Class is the basis of an entry which represents a
human being.

( 2.5.6.6 NAME 'person'
  SUP top
  STRUCTURAL
  MUST ( sn $ cn )
  MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )

4.15 residentialPerson

The residentialPerson Object Class is the basis of an entry which
includes a person's residence in the representation of the person.

( 2.5.6.10 NAME 'residentialPerson'
  SUP person
  STRUCTURAL
  MUST l
  MAY ( businessCategory $ x121Address $ registeredAddress $
        destinationIndicator $ preferredDeliveryMethod $
        telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
        internationaliSDNNumber $ facsimileTelephoneNumber $
        preferredDeliveryMethod $ street $ postOfficeBox $
        postalCode $ postalAddress $ physicalDeliveryOfficeName $
        st $ l ) )

[Text present in draft-01 only (its Section 4.20); removed in draft-02:]

4.20 strongAuthenticationUser

The strongAuthenticationUser object class adds the userCertificate
attribute, as a mandatory attribute, to the collection of attributes
in an entry.

( 2.5.6.15 NAME 'strongAuthenticationUser'
  SUP top
  AUXILIARY
  MUST userCertificate )

[End of draft-01 only text]

4.16 top

The top Object Class is the conceptual beginning of the inheritance
hierarchy of object classes. Top guarantees that every entry has
the objectClass attribute, which identifies the type of the entry.

( 2.5.6.0 NAME 'top'
  ABSTRACT
  MUST objectClass )

[Text present in draft-01 only (its Section 4.22); removed in draft-02:]

4.22 userSecurityInformation

The userSecurityInformation object class adds the supportedAlgorithms
attribute, as an optional attribute, to the collection of attributes
in an entry.

( 2.5.6.18 NAME 'userSecurityInformation'
  SUP top
  AUXILIARY
  MAY ( supportedAlgorithms ) )

[End of draft-01 only text]
5. Security Considerations

Attributes of directory entries are used to provide descriptive
information about the real-world objects they represent, which can be
people, organizations or devices. Most countries have privacy laws
regarding the publication of information about people.

Transfer of cleartext passwords is strongly discouraged where the
underlying transport service cannot guarantee confidentiality and may
result in disclosure of the password to unauthorized parties.

It is required that strong authentication be performed in order to
modify directory entries using LDAP.

Several X.500 Attribute Types and Object Classes, such as the
userCertificate Attribute Type or the certificationAuthority Object
Class, are used to include key-based security information in
directory entries. The Attribute Types are:

  authorityRevocationList
  cACertificate
  certificateRevocationList
  crossCertificatePair
  deltaRevocationList
  supportedAlgorithms
  userCertificate

The Object Classes are:

  certificationAuthority
  certificationAuthority-V2
  cRLDistributionPoint
  strongAuthenticationUser
  userSecurityInformation

These Attribute Types and Object Classes are specified for LDAP by
the PKIX Working Group, and so are not included in this document.
The BNF notation in RFC 1778 [Syn String] for User Certificate,
Authority Revocation List, and Certificate Pair is not recommended
for use.
6. Acknowledgements

The definitions, on which this document is based, have been developed
by committees for telecommunications and international standards.
No new attribute definitions have been added.

This document is an update of RFC 2256 by Mark Wahl. RFC 2256 was a
product of the IETF ASID Working Group.

This document is based upon input of the IETF LDAPBIS working group.
The author wishes to thank S. Legg and K. Zeilenga for their
significant contribution to this update.
7. References

7.1 Normative

[Codes]      ISO 3166, "Codes for the representation of names of
             countries".

[E123]       Notation for national and international telephone
             numbers, ITU-T Recommendation E.123, 1988.

[ISDN]       The international public telecommunication numbering
             plan, ITU-T Recommendation E.164, 1997.

[KEYWD]      Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", RFC 2119, March 1997.

[SYNTAX]     replacement (draft-ietf-ldapbis-syntaxes-02) for Wahl, M.,
             Coulbeck, A., Howes, T., and S. Kille, "Lightweight X.500
             Directory Access Protocol (v3): Attribute Syntax
             Definitions", RFC 2252, December 1997.

[X121]       International numbering plan for public data networks,
             ITU-T Recommendation X.121, 1996.

[X501]       The Directory: Models, ITU-T Recommendation X.501, 1995.

[X509]       The Directory: Authentication Framework, ITU-T
             Recommendation X.509, 1995.

[X520]       The Directory: Selected Attribute Types, ITU-T
             Recommendation X.520, 1995.

[X521]       The Directory: Selected Object Classes, ITU-T
             Recommendation X.521, 1995.

7.2 Informative

[Syn String] Howes, T., Kille, S., Yeong, W., and C. Robbins, "The
             String Representation of Standard Attribute Syntaxes",
             RFC 1778, March 1995.
8. Author's Address

Kathy Dally
The MITRE Corp.
1575 Colshire Dr., ms-W650
McLean VA 22102
USA

Phone: +1 703 883 6058
skipping to change at page 26, line 12

10. Add text to mark the "teletexTerminalIdentifier" attribute
    type as obsolete.

11. Add a security consideration requiring strong authentication
    in order to modify directory entries.

Changes to draft-ietf-ldapbis-user-schema-00.txt, resulting in
draft-ietf-ldapbis-user-schema-01.txt:

12. Delete the conformance requirement for subschema object
    classes in favor of a statement in [SYNTAX].

13. Add a Table of Contents.

14. Replace the term "obsolete" with "superseded or withdrawn".

15. Added explanations to many attributes.

16. In the title, correct the X.500 reference to have the second
    edition as the basis.

skipping to change at page 26, line 35

18. Removed Section 4, Syntaxes, and Section 6, Matching Rules
    (moved to draft-ietf-ldapbis-syntaxes-01.txt).

19. Reorganized Section 3, Attributes, to eliminate grouping
    attributes according to conformance requirements. Reordered
    Section 3, Attributes, and Section 4, Object Classes,
    alphabetically.

20. Added an explanation for each object class.

Changes to draft-ietf-ldapbis-user-schema-01.txt, resulting in
draft-ietf-ldapbis-user-schema-02.txt:

21. Removed the certificate-related Attribute Types:
      authorityRevocationList,
      cACertificate,
      certificateRevocationList,
      crossCertificatePair,
      deltaRevocationList,
      supportedAlgorithms, and
      userCertificate.
    Removed the certificate-related Object Classes:
      certificationAuthority,
      certificationAuthority-V2,
      cRLDistributionPoint,
      strongAuthenticationUser, and
      userSecurityInformation.
    Noted in the Security Considerations (Section 5) that they
    are covered in PKIX WG documents.

22. Removed the dmdName Attribute Type and dmd Object Class
    because they are not in the version of X.500 which
    is referenced.

23. Removed embedded comments from the ABNF productions
    throughout the document.

24. Cleaned up the references; adopted word instead of number
    tags; split Section 7 into normative and informative
    subsections.