draft-ietf-ldapbis-user-schema-03.txt (4 November 2002, expires 4 May 2003) compared with draft-ietf-ldapbis-user-schema-04.txt (25 February 2003, expires 25 August 2003). The text below is that of draft-04; passages present only in draft-03 are kept in bracketed notes.

INTERNET-DRAFT                                        K. Dally, Editor
Intended Category: Standard Track                      The MITRE Corp.
Expires 25 August 2003                                25 February 2003
Obsoletes: RFC 2256, RFC 2252

                           LDAP: User Schema
                  <draft-ietf-ldapbis-user-schema-04>
[Editor's note:
This Internet-Draft (I-D) is an updated version of text from
RFC 2256 and RFC 2252. This action is part of the maintenance
activity that is needed in order to progress LDAP (v3) to Draft
Standard. The changes are described in Annex A of this document.
End of Editor's note]
Status of this Memo

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC 2026 [RFC2026].

This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor as a Standard Track document.
Distribution of this memo is unlimited. Technical discussion of
this document will take place on the IETF LDAP Revision Working
Group (LDAPbis) mailing list <ietf-ldapbis@openldap.org>. Please
send editorial comments directly to the author <kdally@mitre.org>.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
[...]
maximum of six months and may be updated, replaced, or obsoleted by
other documents at any time. It is inappropriate to use
Internet-Drafts as reference material or to cite them other than as
"work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. The list of
Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

Copyright 2003, The Internet Society. All Rights Reserved.

Please see the Copyright section near the end of this document for
more information.
Abstract

This document provides an overview of attribute types and object
classes defined by the ISO/IEC JTC1 and ITU-T committees in the
ISO/IEC 9594 and X.500 documents, in particular those intended for
use by directory clients. This is the most widely used schema for
[...]
Abstract                                                             2
1.  General Issues                                                   5
2.  Source                                                           5
3.  Attribute Types                                                  5
3.1   businessCategory                                               5
3.2   c                                                              6
3.3   cn                                                             6
3.4   dc
3.5   description                                                    6
3.6   destinationIndicator                                           6
3.7   distinguishedName                                              6
3.8   dnQualifier                                                    7
3.9   enhancedSearchGuide                                            7
3.10  facsimileTelephoneNumber                                       7
3.11  generationQualifier                                            7
3.12  givenName                                                      8
3.13  houseIdentifier                                                8
3.14  initials                                                       8
3.15  internationalISDNNumber                                        8
3.16  l                                                              9
3.17  member                                                         9
3.18  name                                                           9
3.19  o                                                              9
3.20  ou                                                             9
3.21  owner                                                         10
3.22  physicalDeliveryOfficeName                                    10
3.23  postalAddress                                                 10
3.24  postalCode                                                    10
3.25  postOfficeBox                                                 10
3.26  preferredDeliveryMethod                                       11
3.27  registeredAddress                                             11
3.28  roleOccupant                                                  12
3.29  searchGuide                                                   12
3.30  seeAlso                                                       12
3.31  serialNumber                                                  12
3.32  sn                                                            12
3.33  st                                                            12
3.34  street                                                        13
3.35  telephoneNumber                                               13
3.36  teletexTerminalIdentifier                                     13
3.37  telexNumber                                                   13
3.38  title                                                         14
3.39  uniqueMember                                                  14
3.40  userPassword                                                  14
3.41  x121Address                                                   14
3.42  x500UniqueIdentifier                                          15
4.  Object Classes                                                  15
4.1   applicationProcess                                            15
4.2   country                                                       16
4.3   device                                                        16
4.4   domain                                                        16
4.5   groupOfNames                                                  16
4.6   groupOfUniqueNames                                            17
4.7   locality                                                      17
4.8   organization                                                  17
4.9   organizationalPerson                                          18
4.10  organizationalRole                                            18
4.11  organizationalUnit                                            18
4.12  person                                                        19
4.13  residentialPerson                                             19
5.  Security Considerations                                         19
6.  Acknowledgements                                                20
7.  References                                                      21
7.1   Normative                                                     21
7.2   Informative                                                   21
8.  Author's Address                                                21
[...]
and Matching Rules specified in Section 4 of [Syntaxes].

The definitions of Attribute Types and Object Classes are written
using the ABNF form of AttributeTypeDescription and
ObjectClassDescription given in [Models]. Lines have been folded
for readability.
2. Source

The schema definitions in this document are based on those found in
the X.500-series [X.520] and [X.521] and RFC 2247 [RFC2247],
specifically:

    Sections       Source
    ============   ==================
    3.1 - 3.3      X.520 [X.520]
    3.4            RFC 2247 [RFC2247]
    3.5 - 3.42     X.520 [X.520]
    4.1 - 4.3      X.521 [X.521]
    4.4            RFC 2247 [RFC2247]
    4.5 - 4.13     X.521 [X.521]
3. Attribute Types

The Attribute Types contained in this section hold user information.
There is no requirement that servers implement the following
Attribute Types:

    searchGuide
    teletexTerminalIdentifier

In fact, their use is greatly discouraged.

[Draft-03 also listed knowledgeInformation here; draft-04 drops it.]

An LDAP server implementation SHOULD recognize the rest of the
Attribute Types described in this section.

3.1 businessCategory

[...]
3.3 cn

This is the X.520 [X.520] commonName Attribute Type, which contains
a name of an object. If the object corresponds to a person, it is
typically the person's full name.

    ( 2.5.4.3 NAME 'cn'
      SUP name )

3.4 dc

The dc (short for domainComponent) attribute type is defined as
follows:

    ( 0.9.2342.19200300.100.1.25 NAME 'dc'
      EQUALITY caseIgnoreIA5Match
      SUBSTR caseIgnoreIA5SubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
      SINGLE-VALUE )

The value of this attribute is a string holding one component of a
DNS domain name. The encoding of IA5String for use in LDAP is simply
the characters of the string itself. The equality matching rule is
case insensitive, as is today's DNS.

3.5 description
This Attribute Type contains a human-readable description of
the object.

    ( 2.5.4.13 NAME 'description'
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

The SYNTAX oid indicates the Directory String syntax.

3.6 destinationIndicator

This attribute is used for the telegram service.

    ( 2.5.4.27 NAME 'destinationIndicator'
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )

The SYNTAX oid indicates the Printable String syntax.

3.7 distinguishedName

This Attribute Type is not used as the name of the object itself,
but it is instead a base type from which attributes with DN syntax
inherit.

It is unlikely that values of this type itself will occur in an
entry. LDAP server implementations which do not support attribute
subtyping need not recognize this attribute in requests. Client
implementations MUST NOT assume that LDAP servers are capable of
performing attribute subtyping.

    ( 2.5.4.49 NAME 'distinguishedName'
      EQUALITY distinguishedNameMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

The SYNTAX oid indicates the DN syntax.

3.8 dnQualifier

The dnQualifier Attribute Type specifies disambiguating information
to add to the relative distinguished name of an entry. It is
intended for use when merging data from multiple sources in order to
prevent conflicts between entries which would otherwise have the same
name. It is recommended that the value of the dnQualifier attribute
be the same for all entries from a particular source.

    ( 2.5.4.46 NAME 'dnQualifier'
      EQUALITY caseIgnoreMatch
      ORDERING caseIgnoreOrderingMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )

The SYNTAX oid indicates the Printable String syntax.

3.9 enhancedSearchGuide

This attribute is for use by X.500 clients in constructing search
filters.

    ( 2.5.4.47 NAME 'enhancedSearchGuide'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )

The SYNTAX oid indicates the Enhanced Guide syntax.

3.10 facsimileTelephoneNumber

A value of this Attribute Type is a telephone number for a facsimile
terminal (and, optionally, its parameters).

    ( 2.5.4.23 NAME 'facsimileTelephoneNumber'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )

The SYNTAX oid indicates the Facsimile Telephone Number syntax.

3.11 generationQualifier

The generationQualifier Attribute Type contains the part of a
person's name which typically is the suffix, as in "IIIrd".

    ( 2.5.4.44 NAME 'generationQualifier'
      SUP name )

3.12 givenName

The givenName Attribute Type is used to hold the part of a person's
name which is not their surname nor middle name.

    ( 2.5.4.42 NAME 'givenName'
      SUP name )

3.13 houseIdentifier

This Attribute Type is used to identify a building within a location.

    ( 2.5.4.51 NAME 'houseIdentifier'
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

The SYNTAX oid indicates the Directory String syntax.

3.14 initials

The initials Attribute Type contains the initials of some or all of
an individual's names, except the surname(s).

    ( 2.5.4.43 NAME 'initials'
      SUP name )

3.15 internationalISDNNumber

A value of this Attribute Type is an ISDN address, as defined in
ITU Recommendation E.164 [E.164].

    ( 2.5.4.25 NAME 'internationalISDNNumber'
      EQUALITY numericStringMatch
      SUBSTR numericStringSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} )

The SYNTAX oid indicates the Numeric String syntax.
[Draft-03 section 3.15 knowledgeInformation, removed in draft-04:

This attribute is superseded by the system schema attributes which
hold the pointers to other LDAP servers.

    ( 2.5.4.2 NAME 'knowledgeInformation'
      EQUALITY caseIgnoreMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

The SYNTAX oid indicates the Directory String syntax.]

3.16 l

This is the X.520 [X.520] localityName Attribute Type, which
contains the name of a locality or place, such as a city, county or
other geographic region.

    ( 2.5.4.7 NAME 'l'
      SUP name )
3.17 member

[...]

3.26 preferredDeliveryMethod

This attribute contains an indication of the preferred method of
getting a message to the object.

    ( 2.5.4.28 NAME 'preferredDeliveryMethod'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
      SINGLE-VALUE )

The SYNTAX oid indicates the Delivery Method syntax.
[Draft-03 sections 3.27 presentationAddress and 3.28
protocolInformation, removed in draft-04:

3.27 presentationAddress

This attribute contains an OSI presentation layer address.

    ( 2.5.4.29 NAME 'presentationAddress'
      EQUALITY presentationAddressMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.43
      SINGLE-VALUE )

The SYNTAX oid indicates the Presentation Address syntax.

3.28 protocolInformation

This Attribute Type is used in conjunction with the
presentationAddress Attribute Type, to provide additional
information to the OSI network service.

    ( 2.5.4.48 NAME 'protocolInformation'
      EQUALITY protocolInformationMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 )

The SYNTAX oid indicates the Protocol Information syntax.]

3.27 registeredAddress

This attribute holds a postal address suitable for reception of
telegrams or expedited documents, where it is necessary to have the
recipient accept delivery.

    ( 2.5.4.26 NAME 'registeredAddress'
      SUP postalAddress
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

The SYNTAX oid indicates the Postal Address syntax.
3.28 roleOccupant

A value of this Attribute Type is the Distinguished Name of an
object (normally a person) that fulfills the responsibilities of a
role object.

    ( 2.5.4.33 NAME 'roleOccupant'
      SUP distinguishedName )

3.29 searchGuide

This Attribute Type is for use by clients in constructing search
filters. It is superseded by enhancedSearchGuide, described above
in section 3.9.

    ( 2.5.4.14 NAME 'searchGuide'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 ) ; Guide

The SYNTAX oid indicates the Guide syntax.

3.30 seeAlso

A value of this Attribute Type is the Distinguished Name of an
object that is related to the subject object.

    ( 2.5.4.34 NAME 'seeAlso'
      SUP distinguishedName )

3.31 serialNumber

This attribute contains the serial number of a device.

    ( 2.5.4.5 NAME 'serialNumber'
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )

The SYNTAX oid indicates the Printable String syntax.

3.32 sn

This is the X.520 [X.520] surname Attribute Type, which contains the
family name of a person.

    ( 2.5.4.4 NAME 'sn'
      SUP name )

3.33 st

This is the X.520 [X.520] stateOrProvinceName attribute, which
contains the full name of a state or province.

    ( 2.5.4.8 NAME 'st'
      SUP name )

3.34 street

This is the X.520 [X.520] streetAddress attribute, which contains the
physical address of the object to which the entry corresponds, such
as an address for package delivery.

    ( 2.5.4.9 NAME 'street'
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

The SYNTAX oid indicates the Directory String syntax.
[Draft-03 section 3.37 supportedApplicationContext, removed in
draft-04:

This attribute contains the identifiers of OSI application
contexts.

    ( 2.5.4.30 NAME 'supportedApplicationContext'
      EQUALITY objectIdentifierMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

The SYNTAX oid indicates the OID syntax.]

3.35 telephoneNumber

A value of this Attribute Type is a telephone number complying with
ITU Recommendation E.123 [E.123].

    ( 2.5.4.20 NAME 'telephoneNumber'
      EQUALITY telephoneNumberMatch
      SUBSTR telephoneNumberSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} ) ; TelephoneNumber

The SYNTAX oid indicates the Telephone Number syntax.
3.36 teletexTerminalIdentifier

The withdrawal of Rec. F.200 has resulted in the withdrawal of this
attribute.

    ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )

The SYNTAX oid indicates the Teletex Terminal Identifier syntax.

3.37 telexNumber

A value of this Attribute Type is a telex number, country code, and
answerback code of a telex terminal.

    ( 2.5.4.21 NAME 'telexNumber'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )

The SYNTAX oid indicates the Telex Number syntax.

3.38 title

This attribute contains the title, such as "Vice President", of a
person in their organizational context. The "personalTitle"
attribute would be used for a person's title independent of their
job function.

    ( 2.5.4.12 NAME 'title'
      SUP name )

3.39 uniqueMember

A value of this Attribute Type is the Distinguished Name of an
object that is on a list or in a group, where the Relative
Distinguished Name of the object includes a value that distinguishes
between objects when a distinguished name has been reused.

    ( 2.5.4.50 NAME 'uniqueMember'
      EQUALITY uniqueMemberMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )

The SYNTAX oid indicates the Name and Optional UID syntax.
3.40 userPassword

A value of this Attribute Type is a character string that is known
only to the user and the system to which the user has access.

    ( 2.5.4.35 NAME 'userPassword'
      EQUALITY octetStringMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

The SYNTAX oid indicates the Octet String syntax.

Passwords are stored using an Octet String syntax and are not
encrypted. Transfer of cleartext passwords is strongly discouraged
where the underlying transport service cannot guarantee
confidentiality and may result in disclosure of the password to
unauthorized parties.
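The two points this section makes, that userPassword is an Octet String bounded at {128} and that its values are stored without protection, lend themselves to a check a directory administrator can run over an export. The Python below is an added example and not part of the draft. It parses the userPassword lines of a constructed LDIF fragment, flags values that exceed the length bound, flags values that carry no "{scheme}" prefix (an assumption: the RFC 2307 password-scheme convention, which this draft does not define), and offers a helper that says whether a bind over a given LDAP URL would carry the password on a confidential transport.

```python
"""Added example, not from the draft: audit userPassword values against
the {128} bound of section 3.40 and the draft's warning that values are
stored in the clear.  The '{scheme}' prefix test assumes the RFC 2307
password-scheme convention ({SSHA}, {CRYPT}, ...), which this draft does
not define.  The LDIF below is constructed for the example."""
import base64
import re

MAX_LEN = 128                                     # the {128} bound on userPassword
SCHEME_RE = re.compile(rb"^\{[A-Za-z0-9-]+\}")   # RFC 2307-style prefix (assumption)


def parse_ldif_passwords(ldif):
    """Return [(dn, userPassword bytes)] from an LDIF text.

    Handles both the plain 'attr: value' and the base64 'attr:: value' forms.
    """
    dn, out = None, []
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):
            out.append((dn, base64.b64decode(line[15:])))
        elif line.startswith("userPassword: "):
            out.append((dn, line[14:].encode()))
    return out


def audit_password_value(value):
    """Findings for one userPassword value; an empty list means nothing to flag."""
    findings = []
    if len(value) > MAX_LEN:
        findings.append(f"exceeds {{{MAX_LEN}}} length bound")
    if not SCHEME_RE.match(value):
        findings.append("no {scheme} prefix: stored in cleartext")
    return findings


def audit_ldif(ldif):
    """Map each DN with a flagged userPassword to its findings."""
    report = {}
    for dn, value in parse_ldif_passwords(ldif):
        findings = audit_password_value(value)
        if findings:
            report[dn] = findings
    return report


def transport_protects_password(url, starttls=False):
    """True when a simple bind over this URL keeps the password confidential:
    either an ldaps:// URL or a plain ldap:// connection upgraded with StartTLS."""
    return url.lower().startswith("ldaps://") or starttls


# Constructed sample: one hashed value (SSHA prefix), one cleartext value
# stored base64-encoded ("aHVudGVyMg==" decodes to "hunter2").
SAMPLE_LDIF = """\
dn: cn=alice,ou=people,dc=example,dc=com
userPassword: {SSHA}Y2xlYXJseS1ub3QtYS1yZWFsLWhhc2g=
dn: cn=bob,ou=people,dc=example,dc=com
userPassword:: aHVudGVyMg==
"""

if __name__ == "__main__":
    for dn, findings in audit_ldif(SAMPLE_LDIF).items():
        print(dn, findings)
    print(transport_protects_password("ldap://ds.example.com"))
```

Base64 decoding matters here because an LDIF exporter writes any value that is not safe ASCII in the "::" form, so a cleartext password can hide behind what looks like an opaque blob.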
3.41 x121Address

A value of this Attribute Type is a data network address as defined
by ITU Recommendation X.121 [X.121].

    ( 2.5.4.24 NAME 'x121Address'
      EQUALITY numericStringMatch
      SUBSTR numericStringSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} )

The SYNTAX oid indicates the Numeric String syntax.

3.42 x500UniqueIdentifier

The x500UniqueIdentifier Attribute Type is used to distinguish
between objects when a distinguished name has been reused. In X.520
[X.520], this Attribute Type is called uniqueIdentifier. This is a
different Attribute Type from both the "uid" and "uniqueIdentifier"
Attribute Types.

    ( 2.5.4.45 NAME 'x500UniqueIdentifier'
      EQUALITY bitStringMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )

The SYNTAX oid indicates the Bit String syntax.
4. Object Classes

LDAP servers SHOULD recognize all the Object Classes listed here as
values of the objectClass attribute.

[Draft-03 section 4.1 applicationEntity, removed in draft-04:

The applicationEntity Object Class definition is the basis of an
entry which represents the interconnection aspects of an application
process in a distributed environment.

    ( 2.5.6.12 NAME 'applicationEntity'
      SUP top
      STRUCTURAL
      MUST ( presentationAddress $
             cn )
      MAY ( supportedApplicationContext $
            seeAlso $
            ou $
            o $
            l $
            description ) )]
4.1 applicationProcess

The applicationProcess Object Class definition is the basis of an
entry which represents an application executing in a computer system.

    ( 2.5.6.11 NAME 'applicationProcess'
      SUP top
      STRUCTURAL
      MUST cn
      MAY ( seeAlso $
            ou $
            l $
            description ) )

4.2 country

The country Object Class definition is the basis of an entry which
represents a country.

    ( 2.5.6.2 NAME 'country'
      SUP top
      STRUCTURAL
      MUST c
      MAY ( searchGuide $
            description ) )

4.3 device

The device Object Class is the basis of an entry which represents
an appliance or computer or network element.

    ( 2.5.6.14 NAME 'device'
      SUP top
      STRUCTURAL
      MUST cn
      MAY ( serialNumber $
            seeAlso $
            owner $
            ou $
            o $
            l $
            description ) )
[Draft-03 section 4.5 dSA, removed in draft-04:

The dSA (Directory System Agent) Object Class is the basis of an
entry which represents a server in a directory system.

    ( 2.5.6.13 NAME 'dSA'
      SUP applicationEntity
      STRUCTURAL
      MAY knowledgeInformation )]

4.4 domain

The domain Object Class is the basis of an entry which represents a
portion of a network, as organized by DNS.

    ( 0.9.2342.19200300.100.4.13 NAME 'domain'
      SUP top
      STRUCTURAL
      MUST dc
      MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
            x121Address $ registeredAddress $ destinationIndicator $
            preferredDeliveryMethod $ telexNumber $
            teletexTerminalIdentifier $ telephoneNumber $
            internationaliSDNNumber $ facsimileTelephoneNumber $ street $
            postOfficeBox $ postalCode $ postalAddress $
            physicalDeliveryOfficeName $ st $ l $ description $ o $
            associatedName ) )

An example entry would be:

    dn: dc=tcp,dc=critical-angle,dc=com
    objectClass: top
    objectClass: domain
    dc: tcp
    description: a placeholder entry used with SRV records
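The definitions in sections 3 and 4 follow the AttributeTypeDescription and ObjectClassDescription forms of [Models], and the example entry above is only valid if it satisfies the MUST and MAY lists of its object classes and the syntax of each attribute. The Python below is an added example, not code from the draft: it parses a subset of the definitions copied from this document, copies EQUALITY, SUBSTR and SYNTAX down SUP chains as the attribute subtyping of section 3.7 describes, and validates the domain entry from section 4.4. It assumes the definition of 'name' from RFC 2256 (section 3.18 is outside this excerpt), abbreviates the domain MAY list to the attributes it defines, and uses simplified value checks in place of the real syntaxes of [Syntaxes].

```python
"""Added example, not part of the draft: parse AttributeTypeDescription /
ObjectClassDescription forms (section 1), resolve SUP inheritance
(section 3.7) and check an entry against its object classes (section 4.4).
Only keywords that occur on the page are handled; the per-syntax value
checks are this example's own simplifications of [Syntaxes]."""
import re

# Definitions copied from the draft.  'name' (section 3.18) is outside this
# excerpt; its text is taken from RFC 2256, which the draft revises.  The
# 'domain' MAY list is abbreviated to the attributes defined here.
ATTRIBUTE_TYPES = """
( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
( 2.5.4.3 NAME 'cn' SUP name )
( 0.9.2342.19200300.100.1.25 NAME 'dc' EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE )
( 2.5.4.13 NAME 'description' EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
( 2.5.4.49 NAME 'distinguishedName' EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
( 2.5.4.34 NAME 'seeAlso' SUP distinguishedName )
"""
OBJECT_CLASSES = """
( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCTURAL
    MUST dc MAY ( description $ seeAlso ) )
"""
FLAGS = {"SINGLE-VALUE", "STRUCTURAL", "AUXILIARY", "ABSTRACT"}


def tokenize(text):
    # quoted strings, parentheses, '$' separators, and bare words
    return re.findall(r"'[^']*'|[()$]|[^\s()$']+", text)


def parse_descriptions(text):
    """Return {name: dict} for every '( oid KEY value ... )' in text."""
    tokens, out, i = tokenize(text), {}, 0
    while i < len(tokens):
        assert tokens[i] == "(", "description must open with '('"
        desc, i = {"OID": tokens[i + 1]}, i + 2
        while tokens[i] != ")":
            key, i = tokens[i], i + 1
            if key in FLAGS:                  # bare keyword, no value
                desc[key] = True
            elif tokens[i] == "(":            # oidlist: ( a $ b $ c )
                j = tokens.index(")", i)
                desc[key] = [t.strip("'") for t in tokens[i + 1:j] if t != "$"]
                i = j + 1
            else:                             # single value, quoted or bare
                value = tokens[i].strip("'")
                desc[key] = [value] if key in ("MUST", "MAY") else value
                i += 1
        out[desc["NAME"]] = desc
        i += 1                                # step past the closing ')'
    return out


def resolve(attrs):
    """Copy matching rules and syntax down SUP chains (attribute subtyping)."""
    def fill(name):
        a = attrs[name]
        if "SUP" in a:
            parent = fill(a["SUP"])
            for k in ("EQUALITY", "ORDERING", "SUBSTR", "SYNTAX"):
                a.setdefault(k, parent.get(k))
        return a
    return {n: fill(n) for n in attrs}


def split_syntax(syntax):
    """'oid{len}' -> (oid, len or None)."""
    m = re.fullmatch(r"([\d.]+)(?:\{(\d+)\})?", syntax)
    return m.group(1), (int(m.group(2)) if m.group(2) else None)


# Simplified value checks, keyed by syntax OID (the real rules are in [Syntaxes]).
SYNTAX_CHECKS = {
    "1.3.6.1.4.1.1466.115.121.1.26": lambda v: v != "" and v.isascii(),  # IA5 String
    "1.3.6.1.4.1.1466.115.121.1.15": lambda v: v != "",                  # Directory String
    "1.3.6.1.4.1.1466.115.121.1.12":                                     # DN, crude shape only
        lambda v: re.fullmatch(r"[^,=]+=[^,]+(,[^,=]+=[^,]+)*", v) is not None,
}


def validate_entry(entry, attrs, classes):
    """Return a list of problems; an empty list means the entry conforms."""
    problems, must, may = [], set(), {"objectClass"}
    for oc in entry.get("objectClass", []):
        if oc == "top":
            continue
        if oc not in classes:
            problems.append(f"unknown objectClass {oc}")
            continue
        must |= set(classes[oc].get("MUST", []))
        may |= set(classes[oc].get("MAY", []))
    for name in sorted(must - set(entry)):
        problems.append(f"missing MUST attribute {name}")
    for name, values in entry.items():
        if name == "objectClass":
            continue
        if name not in must | may:
            problems.append(f"attribute {name} not allowed by object classes")
            continue
        a = attrs[name]
        if a.get("SINGLE-VALUE") and len(values) > 1:
            problems.append(f"{name} is SINGLE-VALUE but has {len(values)} values")
        oid, maxlen = split_syntax(a["SYNTAX"])
        for v in values:
            if maxlen is not None and len(v) > maxlen:
                problems.append(f"{name} value exceeds {{{maxlen}}} bound")
            if not SYNTAX_CHECKS.get(oid, lambda _: True)(v):
                problems.append(f"{name} value {v!r} violates syntax {oid}")
    return problems


ATTRS = resolve(parse_descriptions(ATTRIBUTE_TYPES))
CLASSES = parse_descriptions(OBJECT_CLASSES)

# The example entry from section 4.4 of the draft, as attribute -> values.
DOMAIN_ENTRY = {
    "objectClass": ["top", "domain"],
    "dc": ["tcp"],
    "description": ["a placeholder entry used with SRV records"],
}

if __name__ == "__main__":
    print("seeAlso inherits:", ATTRS["seeAlso"]["SYNTAX"], ATTRS["seeAlso"]["EQUALITY"])
    print("domain example problems:", validate_entry(DOMAIN_ENTRY, ATTRS, CLASSES))
```

Because seeAlso is defined only as SUP distinguishedName, a client that does not resolve the chain has no syntax or matching rule for it; that is the situation section 3.7 warns about when it says clients MUST NOT assume servers perform subtyping.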
4.5 groupOfNames
The groupOfNames Object Class is the basis of an entry which The groupOfNames Object Class is the basis of an entry which
represents a set of named objects including information related to represents a set of named objects including information related to
the purpose or maintenance of the set. the purpose or maintenance of the set.
( 2.5.6.9 NAME 'groupOfNames' ( 2.5.6.9 NAME 'groupOfNames'
SUP top SUP top
STRUCTURAL STRUCTURAL
MUST ( member $ MUST ( member $
cn ) cn )
MAY ( businessCategory $ MAY ( businessCategory $
seeAlso $ seeAlso $
owner $ owner $
ou $ ou $
o $ o $
description ) ) description ) )
   4.6 groupOfUniqueNames

   The groupOfUniqueNames Object Class is the same as the groupOfNames
   object class except that the object names are not repeated or
   reassigned within a set scope.

      ( 2.5.6.17 NAME 'groupOfUniqueNames'
         SUP top
         STRUCTURAL
         MUST ( uniqueMember $
                cn )
         MAY ( businessCategory $
               seeAlso $
               owner $
               ou $
               o $
               description ) )
   4.7 locality

   The locality Object Class is the basis of an entry which
   represents a place in the physical world.

      ( 2.5.6.3 NAME 'locality'
         SUP top
         STRUCTURAL
         MAY ( street $
               seeAlso $
               searchGuide $
               st $
               l $
               description ) )
   4.8 organization

   The organization Object Class is the basis of an entry which
   represents a structured group of people.

      ( 2.5.6.4 NAME 'organization'
         SUP top
         STRUCTURAL
         MUST o
         MAY ( userPassword $ searchGuide $ seeAlso $
               businessCategory $ x121Address $ registeredAddress $
               destinationIndicator $ preferredDeliveryMethod $
               telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
               internationaliSDNNumber $ facsimileTelephoneNumber $
               street $ postOfficeBox $ postalCode $
               postalAddress $ physicalDeliveryOfficeName $ st $
               l $ description ) )
   4.9 organizationalPerson

   The organizationalPerson Object Class is the basis of an entry which
   represents a person in relation to an organization.

      ( 2.5.6.7 NAME 'organizationalPerson'
         SUP person
         STRUCTURAL
         MAY ( title $ x121Address $ registeredAddress $
               destinationIndicator $ preferredDeliveryMethod $
               telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
               internationaliSDNNumber $ facsimileTelephoneNumber $
               street $ postOfficeBox $ postalCode $ postalAddress $
               physicalDeliveryOfficeName $ ou $ st $ l ) )
   4.10 organizationalRole

   The organizationalRole Object Class is the basis of an entry which
   represents a job or function or position in an organization.

      ( 2.5.6.8 NAME 'organizationalRole'
         SUP top
         STRUCTURAL
         MUST cn
         MAY ( x121Address $ registeredAddress $ destinationIndicator $
               preferredDeliveryMethod $ telexNumber $
               teletexTerminalIdentifier $ telephoneNumber $
               internationaliSDNNumber $ facsimileTelephoneNumber $
               seeAlso $ roleOccupant $ preferredDeliveryMethod $
               street $ postOfficeBox $ postalCode $ postalAddress $
               physicalDeliveryOfficeName $ ou $ st $ l $ description ) )
   4.11 organizationalUnit

   The organizationalUnit Object Class is the basis of an entry which
   represents a piece of an organization.

      ( 2.5.6.5 NAME 'organizationalUnit'
         SUP top
         STRUCTURAL
         MUST ou
         MAY ( businessCategory $ description $ destinationIndicator $
               facsimileTelephoneNumber $ internationaliSDNNumber $ l $
               physicalDeliveryOfficeName $ postalAddress $ postalCode $
               postOfficeBox $ preferredDeliveryMethod $
               registeredAddress $ searchGuide $ seeAlso $ st $ street $
               telephoneNumber $ teletexTerminalIdentifier $ telexNumber $
               userPassword $ x121Address ) )
   4.12 person

   The person Object Class is the basis of an entry which represents a
   human being.

      ( 2.5.6.6 NAME 'person'
         SUP top
         STRUCTURAL
         MUST ( sn $
                cn )
         MAY ( userPassword $
               telephoneNumber $
               seeAlso $
               description ) )
   4.13 residentialPerson

   The residentialPerson Object Class is the basis of an entry which
   includes a person's residence in the representation of the person.

      ( 2.5.6.10 NAME 'residentialPerson'
         SUP person
         STRUCTURAL
         MUST l
         MAY ( businessCategory $ x121Address $ registeredAddress $
               destinationIndicator $ preferredDeliveryMethod $

   [skipping to change at page 20, line 36 (-03) / page 20, line 43 (-04)]
      certificationAuthority
      certificationAuthority-V2
      cRLDistributionPoint
      strongAuthenticationUser
      userSecurityInformation

   These Attribute Types and Object Classes are specified for LDAP by
   the PKIX Working Group and so are not included in this document.

   It is recommended that the BNF notation in RFC 1778 [RFC1778] (cited
   as [Syn String] in -03) not be used for User Certificate, Authority
   Revocation List, and Certificate Pair.
   6. Acknowledgements

   The definitions on which this document is based have been developed
   by committees for telecommunications and international standards.
   No new attribute definitions have been added.

   This document is an update of RFC 2256 by Mark Wahl. RFC 2256 was a

   [skipping to change at page 21, line 20 (-03) / page 21, line 28 (-04)]
   [E.164]    The international public telecommunication numbering plan,
              ITU-T Recommendation E.164, 1997

   [ISO3166]  ISO 3166, "Codes for the representation of names of
              countries".

   [Models]   K. Zeilenga, "LDAP: The Models", draft-ietf-ldapbis-
              models-xx.txt (a work in progress).

   [RFC2026]  Bradner, S., "The Internet Standards Process --
              Revision 3", RFC 2026, October 1996 (not in -03)

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997

   [Syntaxes] S. Legg (editor), "LDAP: Syntaxes",
              draft-ietf-ldapbis-syntaxes-xx, a work in progress
              (-03: K. Dally (editor))

   [X.121]    International numbering plan for public data networks,
              ITU-T Recommendation X.121, 1996

   [X.509]    The Directory: Authentication Framework, ITU-T
              Recommendation X.509, 1993 (-03: 1995)

   [X.520]    The Directory: Selected Attribute Types, ITU-T
              Recommendation X.520, 1993 (-03: 1995)

   [X.521]    The Directory: Selected Object Classes, ITU-T
              Recommendation X.521, 1993 (-03: 1995)

   7.2 Informative

   [RFC1778]  Howes, T., Kille, S., Yeong, W., Robbins, C., "The
              String Representation of Standard Attribute Syntaxes",
              RFC 1778, March 1995. (-03: cited as [Syn String])

   [RFC2247]  Kille, S., Wahl, M., Grimstad, A., Huber, R., and
              Sataluri, S., "Using Domains in LDAP/X.500 Distinguished
              Names", RFC 2247, January 1998 (not in -03)

   [RFC2252]  Wahl, M., Coulbeck, A., Howes, T., and S. Kille,
              "Lightweight X.500 Directory Access Protocol (v3): Attribute
              Syntax Definitions", RFC 2252, December 1997
   8. Author's Address

   Kathy Dally
   The MITRE Corp.
   1575 Colshire Dr., H300 (-03: ms-W650)
   McLean VA 22102
   USA

   Phone: +1 703 883 6058
   Email: kdally@mitre.org

   Annex A Change Log

   This annex lists the changes that have been made from RFC 2256 to
   this I-D.

   [skipping to change at line 1146 (-03) / page 25, line 31 (-04)]
   25. Deleted the 'aliasedObjectName' and 'objectClass' attribute
       type definitions. They are included in [Models].

   26. Deleted the 'alias' and 'top' object class definitions. They
       are included in [Models].

   27. Replaced the document title.

   28. Changed reference citations to be consistent with the rest of
       the LDAPbis documents.

   Changes to draft-ietf-ldapbis-user-schema-03.txt, resulting in
   draft-ietf-ldapbis-user-schema-04.txt:

   29. Added references for RFC 2026 and RFC 2247.

   30. Corrected the copyright year.

   31. Added the 'dc' attribute and the 'domain' object class from
       RFC 2247.

   32. Deleted the 'knowledgeInformation', 'presentationAddress',
       'protocolInformation', and 'supportedApplicationContext'
       attributes.

   33. Deleted the 'applicationEntity' and 'dSA' object classes.
This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/