draft-ietf-ldapbis-user-schema-04.txt   draft-ietf-ldapbis-user-schema-05.txt 
INTERNET-DRAFT                                       K. Dally, Editor
Intended Category: Standard Track                    The MITRE Corp.
Expires: October 2003                                     April 2003
Updates: RFC 2247
Obsoletes: RFC 2256

                          LDAP: User Schema
                  <draft-ietf-ldapbis-user-schema-05>
Status of this Memo

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC 2026.

This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor as a Standard Track document.
Distribution of this memo is unlimited. Technical discussion of
this document will take place on the IETF LDAP Revision Working
Group (LDAPbis) mailing list <ietf-ldapbis@openldap.org>. Please
send editorial comments directly to the author <kdally@mitre.org>.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts. Internet-Drafts are draft documents valid for a
maximum of six months and may be updated, replaced, or obsoleted by
other documents at any time. It is inappropriate to use
Internet-Drafts as reference material or to cite them other than as
"work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

Copyright Notice

Copyright 2003, The Internet Society. All Rights Reserved.
Abstract

This document is an integral part of the LDAP technical specification
[ROADMAP]. It provides an overview of attribute types and object
classes intended for use by LDAP directory clients for many
directory services, such as White Pages. Originally specified in the
ISO/IEC 9594 and X.500 documents, these objects are widely used as a
basis for the schema in many LDAP directories. This document does
not cover attributes used for the administration of directory
servers, nor does it include directory objects defined for specific
uses in other documents.
Table of Contents

Status of this Memo
Copyright Notice
Abstract
Table of Contents
1. Introduction
1.1 Situation
1.2 Conventions
1.3 General Issues
1.4 Source
2. Attribute Types
2.1 businessCategory
2.2 c
2.3 cn
2.4 dc
2.5 description
2.6 destinationIndicator
2.7 distinguishedName
2.8 dnQualifier
2.9 enhancedSearchGuide
2.10 facsimileTelephoneNumber
2.11 generationQualifier
2.12 givenName
2.13 houseIdentifier
2.14 initials
2.15 internationalISDNNumber
2.16 l
2.17 member
2.18 name
2.19 o
2.20 ou
2.21 owner
2.22 physicalDeliveryOfficeName
2.23 postalAddress
2.24 postalCode
2.25 postOfficeBox
2.26 preferredDeliveryMethod
2.27 registeredAddress
2.28 roleOccupant
2.29 searchGuide
2.30 seeAlso
2.31 serialNumber
2.32 sn
2.33 st
2.34 street
2.35 telephoneNumber
2.36 teletexTerminalIdentifier
2.37 telexNumber
2.38 title
2.39 uniqueMember
2.40 userPassword
2.41 x121Address
2.42 x500UniqueIdentifier
3. Object Classes
3.1 applicationProcess
3.2 country
3.3 device
3.4 domain
3.5 groupOfNames
3.6 groupOfUniqueNames
3.7 locality
3.8 organization
3.9 organizationalPerson
3.10 organizationalRole
3.11 organizationalUnit
3.12 person
3.13 residentialPerson
4. IANA Considerations
5. Security Considerations
6. Acknowledgements
7. References
7.1 Normative
7.2 Informative
8. Author's Address
9. Full Copyright Statement
1. Introduction

This document provides an overview of attribute types and object
classes intended for use by LDAP directory clients for many
directory services, such as White Pages. Originally specified in
the ISO/IEC 9594 and X.500 documents, these objects are widely used
as a basis for the schema in many LDAP directories. This document
does not cover attributes used for the administration of directory
servers, nor does it include directory objects defined for specific
uses in other documents.

1.1 Situation

This document is an integral part of the LDAP technical specification
[ROADMAP] which obsoletes the previously defined LDAP technical
specification [RFC3377] in its entirety. In terms of RFC 2256,
Sections 6 and 8 of RFC 2256 are obsoleted by [Syntaxes].
Sections 5.1, 5.2, 7.1 and 7.2 of RFC 2256 are obsoleted by [Models].
The remainder of RFC 2256 is obsoleted by this document. Sections
2.4 and 3.4 of this document supersede the technical specifications
for the 'dc' attribute type and 'domain' object class found in
RFC 2247. The remainder of RFC 2247 remains in force.

A number of schema elements which were included in the previous
revision of the LDAP Technical Specification are not included in this
revision of LDAP. PKI-related schema elements are now specified in
[LDAP-PKI]. Unless reintroduced in future technical specifications,
the remainder are to be considered Historic.

1.2 Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].

1.3 General Issues

This document references Syntaxes given in Section 3 of [Syntaxes]
and Matching Rules specified in Section 4 of [Syntaxes].

The definitions of Attribute Types and Object Classes are written
using the ABNF form of AttributeTypeDescription and
ObjectClassDescription given in [Models]. Lines have been folded
for readability.

1.4 Source

The schema definitions in this document are based on those found in
the X.500-series [X.520] and [X.521] and RFC 2247 [RFC2247],
specifically:

      Sections       Source
      ============   ==================
      2.1 - 2.3      X.520 [X.520]
      2.4            RFC 2247 [RFC2247]
      2.5 - 2.42     X.520 [X.520]
      3.1 - 3.3      X.521 [X.521]
      3.4            RFC 2247 [RFC2247]
      3.5 - 3.13     X.521 [X.521]

2. Attribute Types

The Attribute Types contained in this section hold user information.
There is no requirement that servers implement the following
Attribute Types:

      searchGuide
      teletexTerminalIdentifier

In fact, their use is greatly discouraged.

An LDAP server implementation SHOULD recognize the rest of the
Attribute Types described in this section.
2.1 businessCategory

This Attribute Type describes the kind of business performed by
an organization.

      ( 2.5.4.15 NAME 'businessCategory'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

The SYNTAX oid indicates the Directory String syntax.

2.2 c

This is the X.520 [X.520] countryName Attribute Type, which contains
a two-letter ISO 3166 [ISO3166] country code.

      ( 2.5.4.6 NAME 'c'
        SUP name
        SINGLE-VALUE )

2.3 cn

This is the X.520 [X.520] commonName Attribute Type, which contains
a name of an object. If the object corresponds to a person, it is
typically the person's full name.

      ( 2.5.4.3 NAME 'cn'
        SUP name )

2.4 dc

The dc (short for domainComponent) attribute type is defined as
follows:

      ( 0.9.2342.19200300.100.1.25 NAME 'dc'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
        SINGLE-VALUE )

The value of this attribute is a string holding one component of a
DNS domain name. The encoding of IA5String for use in LDAP is simply
the characters of the string itself. The equality matching rule is
case insensitive, as is today's DNS.
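The following is an added example, not text or code from the draft, showing what the dc definition above implies for a client: a value must be IA5 (7-bit ASCII), must be exactly one DNS component, and two values are compared under caseIgnoreIA5Match (ASCII case folding). The label syntax (letters, digits, hyphen, no leading or trailing hyphen) and the least-significant-label-first ordering of dc RDNs are conventions assumed here from RFC 1035 and RFC 2247 respectively; the draft itself only states "one component of a DNS domain name". DN escaping is not needed because the accepted label characters never require it.

```python
import re

# One DNS label (RFC 1035 hostname convention, an assumption beyond the draft's
# "one component of a DNS domain name"): letters, digits and hyphen, 1..63 chars,
# no leading or trailing hyphen. Dots and whitespace are therefore rejected.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_ia5(value: str) -> bool:
    """IA5 String syntax (1.3.6.1.4.1.1466.115.121.1.26): 7-bit ASCII only."""
    return all(ord(ch) < 128 for ch in value)


def is_valid_dc(value: str) -> bool:
    """A dc value is IA5 and exactly one DNS label."""
    return is_ia5(value) and _LABEL.match(value) is not None


def dc_equal(a: str, b: str) -> bool:
    """caseIgnoreIA5Match: equal after ASCII case folding; non-IA5 input never matches."""
    return is_ia5(a) and is_ia5(b) and a.lower() == b.lower()


def domain_to_dn(domain: str) -> str:
    """Map a DNS name to a DN of dc RDNs, leftmost label first (RFC 2247 convention, assumed)."""
    labels = domain.rstrip(".").split(".")
    bad = [label for label in labels if not is_valid_dc(label)]
    if bad:
        raise ValueError(f"not a valid dc component: {bad}")
    return ",".join(f"dc={label}" for label in labels)


def dn_to_domain(dn: str) -> str:
    """Inverse mapping; rejects any RDN that is not a single dc= component."""
    labels = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or attr.strip().lower() != "dc" or not is_valid_dc(value):
            raise ValueError(f"not a dc RDN: {rdn!r}")
        labels.append(value)
    return ".".join(labels)


def dn_equal(dn1: str, dn2: str) -> bool:
    """Two all-dc DNs name the same domain iff each component matches under caseIgnoreIA5Match."""
    try:
        l1, l2 = dn_to_domain(dn1).split("."), dn_to_domain(dn2).split(".")
    except ValueError:
        return False
    return len(l1) == len(l2) and all(dc_equal(a, b) for a, b in zip(l1, l2))


if __name__ == "__main__":
    print(domain_to_dn("Example.COM."))                              # dc=Example,dc=COM
    print(dn_equal("dc=Example,dc=COM", "dc=example,dc=com"))         # True
    print(is_valid_dc("exam.ple"), is_valid_dc("b\u00fccher"))        # False False
```

The IA5 check matters for the case-insensitive comparison: Unicode case folding is not what caseIgnoreIA5Match specifies, so a non-ASCII value is rejected rather than compared.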
2.5 description

This Attribute Type contains a human-readable description of
the object.

      ( 2.5.4.13 NAME 'description'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

The SYNTAX oid indicates the Directory String syntax.

2.6 destinationIndicator

This attribute is used for the telegram service.

      ( 2.5.4.27 NAME 'destinationIndicator'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )

The SYNTAX oid indicates the Printable String syntax.

2.7 distinguishedName

This Attribute Type is not used as the name of the object itself,
but it is instead a base type from which attributes with DN syntax
inherit.

It is unlikely that values of this type itself will occur in an
entry. LDAP server implementations which do not support attribute
subtyping need not recognize this attribute in requests. Client
implementations MUST NOT assume that LDAP servers are capable of
performing attribute subtyping.

      ( 2.5.4.49 NAME 'distinguishedName'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

The SYNTAX oid indicates the DN syntax.

2.8 dnQualifier

The dnQualifier Attribute Type specifies disambiguating information
to add to the relative distinguished name of an entry. It is
intended for use when merging data from multiple sources in order to
prevent conflicts between entries which would otherwise have the same
name. It is recommended that the value of the dnQualifier attribute
be the same for all entries from a particular source.

      ( 2.5.4.46 NAME 'dnQualifier'
        EQUALITY caseIgnoreMatch
        ORDERING caseIgnoreOrderingMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )

The SYNTAX oid indicates the Printable String syntax.

2.9 enhancedSearchGuide

This attribute is for use by X.500 clients in constructing search
filters.

      ( 2.5.4.47 NAME 'enhancedSearchGuide'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )

The SYNTAX oid indicates the Enhanced Guide syntax.

2.10 facsimileTelephoneNumber

A value of this Attribute Type is a telephone number for a facsimile
terminal (and, optionally, its parameters).

      ( 2.5.4.23 NAME 'facsimileTelephoneNumber'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )

The SYNTAX oid indicates the Facsimile Telephone Number syntax.

2.11 generationQualifier

The generationQualifier Attribute Type contains the part of a
person's name which typically is the suffix, as in "IIIrd".

      ( 2.5.4.44 NAME 'generationQualifier'
        SUP name )

2.12 givenName

The givenName Attribute Type is used to hold the part of a person's
name which is not their surname nor middle name.

      ( 2.5.4.42 NAME 'givenName'
        SUP name )

2.13 houseIdentifier

This Attribute Type is used to identify a building within a location.

      ( 2.5.4.51 NAME 'houseIdentifier'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

The SYNTAX oid indicates the Directory String syntax.

2.14 initials

The initials Attribute Type contains the initials of some or all of
an individual's names, except the surname(s).

      ( 2.5.4.43 NAME 'initials'
        SUP name )

2.15 internationalISDNNumber

A value of this Attribute Type is an ISDN address, as defined in
ITU Recommendation E.164 [E.164].

      ( 2.5.4.25 NAME 'internationalISDNNumber'
        EQUALITY numericStringMatch
        SUBSTR numericStringSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} )

The SYNTAX oid indicates the Numeric String syntax.

2.16 l

This is the X.520 [X.520] localityName Attribute Type, which
contains the name of a locality or place, such as a city, county or
other geographic region.

      ( 2.5.4.7 NAME 'l'
        SUP name )

2.17 member

A value of this Attribute Type is the Distinguished Name of an
object that is on a list or in a group.

      ( 2.5.4.31 NAME 'member'
        SUP distinguishedName )

2.18 name

The name Attribute Type is the attribute supertype from which string
Attribute Types typically used for naming may be formed. It is
unlikely that values of this type itself will occur in an entry.
LDAP server implementations which do not support attribute subtyping
need not recognize this attribute in requests. Client
implementations MUST NOT assume that LDAP servers are capable of
performing attribute subtyping.

      ( 2.5.4.41 NAME 'name'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

The SYNTAX oid indicates the Directory String syntax.
2.19 o

This is the X.520 [X.520] organizationName Attribute Type, which
contains the name of an organization.

      ( 2.5.4.10 NAME 'o'
        SUP name )

2.20 ou

This is the X.520 [X.520] organizationalUnitName Attribute Type,
which contains the name of an organizational unit.

      ( 2.5.4.11 NAME 'ou'
        SUP name )

2.21 owner

A value of this Attribute Type is the Distinguished Name of an
object that has an ownership responsibility for the object that
is owned.

      ( 2.5.4.32 NAME 'owner'
        SUP distinguishedName )

2.22 physicalDeliveryOfficeName

This attribute contains the name that a Postal Service uses to
identify a post office.

      ( 2.5.4.19 NAME 'physicalDeliveryOfficeName'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

The SYNTAX oid indicates the Directory String syntax.

2.23 postalAddress

This attribute contains an address used by a Postal Service to
perform services for the object.

      ( 2.5.4.16 NAME 'postalAddress'
        EQUALITY caseIgnoreListMatch
        SUBSTR caseIgnoreListSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

The SYNTAX oid indicates the Postal Address syntax.

2.24 postalCode

This attribute contains a code used by a Postal Service to identify
a postal service zone, such as the southern quadrant of a city.

      ( 2.5.4.17 NAME 'postalCode'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )

The SYNTAX oid indicates the Directory String syntax.

2.25 postOfficeBox

This attribute contains the number that a Postal Service uses when a
customer arranges to receive mail at a box on premises of the Postal
Service.

      ( 2.5.4.18 NAME 'postOfficeBox'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )

The SYNTAX oid indicates the Directory String syntax.

2.26 preferredDeliveryMethod

This attribute contains an indication of the preferred method of
getting a message to the object.

      ( 2.5.4.28 NAME 'preferredDeliveryMethod'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
        SINGLE-VALUE )

The SYNTAX oid indicates the Delivery Method syntax.

2.27 registeredAddress

This attribute holds a postal address suitable for reception of
telegrams or expedited documents, where it is necessary to have the
recipient accept delivery.

      ( 2.5.4.26 NAME 'registeredAddress'
        SUP postalAddress
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

The SYNTAX oid indicates the Postal Address syntax.

2.28 roleOccupant

A value of this Attribute Type is the Distinguished Name of an
object (normally a person) that fulfills the responsibilities of a
role object.

      ( 2.5.4.33 NAME 'roleOccupant'
        SUP distinguishedName )

2.29 searchGuide

This Attribute Type is for use by clients in constructing search
filters. It is superseded by enhancedSearchGuide, described above
in section 2.9.

      ( 2.5.4.14 NAME 'searchGuide'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )

The SYNTAX oid indicates the Guide syntax.

2.30 seeAlso

A value of this Attribute Type is the Distinguished Name of an
object that is related to the subject object.

      ( 2.5.4.34 NAME 'seeAlso'
        SUP distinguishedName )

2.31 serialNumber

This attribute contains the serial number of a device.

      ( 2.5.4.5 NAME 'serialNumber'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )

The SYNTAX oid indicates the Printable String syntax.

2.32 sn

This is the X.520 [X.520] surname Attribute Type, which contains the
family name of a person.

      ( 2.5.4.4 NAME 'sn'
        SUP name )

2.33 st

This is the X.520 [X.520] stateOrProvinceName attribute, which
contains the full name of a state or province.

      ( 2.5.4.8 NAME 'st'
        SUP name )

2.34 street

This is the X.520 [X.520] streetAddress attribute, which contains the
physical address of the object to which the entry corresponds, such
as an address for package delivery.

      ( 2.5.4.9 NAME 'street'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

The SYNTAX oid indicates the Directory String syntax.

2.35 telephoneNumber

A value of this Attribute Type is a telephone number complying with
ITU Recommendation E.123 [E.123].

      ( 2.5.4.20 NAME 'telephoneNumber'
        EQUALITY telephoneNumberMatch
        SUBSTR telephoneNumberSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )

The SYNTAX oid indicates the Telephone Number syntax.

2.36 teletexTerminalIdentifier

The withdrawal of Rec. F.200 has resulted in the withdrawal of this
attribute.

      ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )

The SYNTAX oid indicates the Teletex Terminal Identifier syntax.

2.37 telexNumber

A value of this Attribute Type is a telex number, country code, and
answerback code of a telex terminal.

      ( 2.5.4.21 NAME 'telexNumber'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )

The SYNTAX oid indicates the Telex Number syntax.

2.38 title

This attribute contains the title, such as "Vice President", of a
person in their organizational context. The "personalTitle"
attribute would be used for a person's title independent of their
job function.

      ( 2.5.4.12 NAME 'title'
        SUP name )

2.39 uniqueMember

A value of this Attribute Type is the Distinguished Name of an
object that is on a list or in a group, where the Relative
Distinguished Name of the object includes a value that distinguishes
between objects when a distinguished name has been reused.

      ( 2.5.4.50 NAME 'uniqueMember'
        EQUALITY uniqueMemberMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )

The SYNTAX oid indicates the Name and Optional UID syntax.

2.40 userPassword

A value of this Attribute Type is a character string that is known
only to the user and the system to which the user has access.

      ( 2.5.4.35 NAME 'userPassword'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

The SYNTAX oid indicates the Octet String syntax.
Passwords are stored using an Octet String syntax and are not Passwords are stored using an Octet String syntax and are not
encrypted. Transfer of cleartext passwords is strongly discouraged encrypted. Transfer of cleartext passwords is strongly discouraged
where the underlying transport service cannot guarantee where the underlying transport service cannot guarantee
confidentiality and may result in disclosure of the password to confidentiality and may result in disclosure of the password to
unauthorized parties. unauthorized parties.
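The wording above covers storage and transport; a practitioner also wants a way to find values that are still raw octet strings in a directory export. The following audit is an added example and not text from the draft: it reads a constructed LDIF export, folds continuation lines, decodes the LDIF "::" base64 form (which is encoding, not protection), and reports userPassword values that carry no "{scheme}" prefix or exceed the {128} bound given in the SYNTAX. The "{scheme}" convention (for instance {SSHA}) comes from RFC 2307 and common server implementations, not from this schema; the LDIF, DNs and hash value are constructed for the example.

```python
"""Audit an LDIF export for userPassword values held as raw octet strings.

Added example, not text from the draft. The draft only says the value is
an Octet String (suggested upper bound 128 octets) and is not encrypted;
the '{scheme}' prefix marking a hashed value (for instance {SSHA}) is a
convention from RFC 2307 and common servers, not part of this schema.
"""
import base64
import re
from typing import Dict, List, Tuple

SCHEME_PREFIX = re.compile(rb"^\{[A-Za-z0-9-]+\}")
MAX_OCTETS = 128   # the {128} bound on the userPassword SYNTAX

# Constructed sample export (not from the draft). Bob's value is written
# in LDIF's '::' base64 form, which is encoding and NOT protection.
SAMPLE_LDIF = """\
dn: cn=Alice Example,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
cn: Alice Example
sn: Example
userPassword: {SSHA}MTIzNDU2Nzg5MDEyMzQ1Njc4OTAx
 MjM0c2FsdA==

dn: cn=Bob Example,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
cn: Bob Example
sn: Example
userPassword:: c3VwZXJzZWNyZXQ=
"""


def _fold(lines: List[str]) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the previous line."""
    out: List[str] = []
    for raw in lines:
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def parse_ldif(text: str) -> List[Dict[str, List[bytes]]]:
    """Minimal LDIF reader: one dict per entry, attribute names lower-cased,
    values kept as raw octets ('::' values are base64-decoded)."""
    entries: List[Dict[str, List[bytes]]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry: Dict[str, List[bytes]] = {}
        for line in _fold(block.splitlines()):
            if not line or line.startswith("#"):
                continue
            name, sep, rest = line.partition(":")
            if not sep:
                raise ValueError(f"not an LDIF attrval line: {line!r}")
            if rest.startswith(":"):
                octets = base64.b64decode(rest[1:].strip())
            else:
                octets = rest.strip().encode("utf-8")
            entry.setdefault(name.strip().lower(), []).append(octets)
        entries.append(entry)
    return entries


def classify_password(octets: bytes) -> str:
    """'hashed' if a {scheme} prefix is present, 'over-length' if the value
    exceeds the {128} bound, otherwise 'cleartext'."""
    if len(octets) > MAX_OCTETS:
        return "over-length"
    return "hashed" if SCHEME_PREFIX.match(octets) else "cleartext"


def audit(ldif_text: str) -> List[Tuple[str, str]]:
    """Return (dn, finding) for every userPassword value that is not hashed."""
    findings: List[Tuple[str, str]] = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [b"<no dn>"])[0].decode("utf-8", "replace")
        for value in entry.get("userpassword", []):
            kind = classify_password(value)
            if kind != "hashed":
                findings.append((dn, kind))
    return findings


if __name__ == "__main__":
    for dn, finding in audit(SAMPLE_LDIF):
        print(f"{finding}: {dn}")
```

Run against a real export (`ldapsearch -LLL ... userPassword`), the script needs a bind that is allowed to read the attribute; that it can read the attribute at all is itself a finding worth recording, since the draft's model is that the value is known only to the user and the system.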
2.41 x121Address

A value of this Attribute Type is a data network address as defined
by ITU Recommendation X.121 [X.121].

( 2.5.4.24 NAME 'x121Address'
  EQUALITY numericStringMatch
  SUBSTR numericStringSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} )

The SYNTAX oid indicates the Numeric String syntax.

2.42 x500UniqueIdentifier

The x500UniqueIdentifier Attribute Type is used to distinguish
between objects when a distinguished name has been reused. In X.520
[X.520], this Attribute Type is called uniqueIdentifier. This is a
different Attribute Type from both the "uid" and "uniqueIdentifier"
Attribute Types.

( 2.5.4.45 NAME 'x500UniqueIdentifier'
  EQUALITY bitStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )

The SYNTAX oid indicates the Bit String syntax.

3. Object Classes

LDAP servers SHOULD recognize all the Object Classes listed here as
values of the objectClass attribute.

3.1 applicationProcess

The applicationProcess Object Class definition is the basis of an
entry which represents an application executing in a computer system.

( 2.5.6.11 NAME 'applicationProcess'
  SUP top
  STRUCTURAL
  MUST cn
  MAY ( seeAlso $
        ou $
        l $
        description ) )

3.2 country

The country Object Class definition is the basis of an entry which
represents a country.

( 2.5.6.2 NAME 'country'
  SUP top
  STRUCTURAL
  MUST c
  MAY ( searchGuide $
        description ) )

3.3 device

The device Object Class is the basis of an entry which represents
an appliance or computer or network element.

( 2.5.6.14 NAME 'device'
  SUP top
  STRUCTURAL
  MUST cn
  MAY ( serialNumber $
        seeAlso $
        owner $
        ou $
        o $
        l $
        description ) )

3.4 domain

The domain Object Class is the basis of an entry which represents a
portion of a network, as organized by DNS.

( 0.9.2342.19200300.100.4.13 NAME 'domain'
  SUP top
  STRUCTURAL
  MUST dc
  MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
        x121Address $ registeredAddress $ destinationIndicator $
        ...
        associatedName ) )

An example entry would be:

dn: dc=tcp,dc=critical-angle,dc=com
objectClass: top
objectClass: domain
dc: tcp
description: a placeholder entry used with SRV records

3.5 groupOfNames

The groupOfNames Object Class is the basis of an entry which
represents a set of named objects including information related to
the purpose or maintenance of the set.

( 2.5.6.9 NAME 'groupOfNames'
  SUP top
  STRUCTURAL
  MUST ( member $
         cn )
  MAY ( businessCategory $
        seeAlso $
        owner $
        ou $
        o $
        description ) )

3.6 groupOfUniqueNames

The groupOfUniqueNames Object Class is the same as the groupOfNames
object class except that the object names are not repeated or
reassigned within a set scope.

( 2.5.6.17 NAME 'groupOfUniqueNames'
  SUP top
  STRUCTURAL
  MUST ( uniqueMember $
         cn )
  MAY ( businessCategory $
        seeAlso $
        owner $
        ou $
        o $
        description ) )
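The Name and Optional UID syntax of uniqueMember (2.39 above) is what lets a groupOfUniqueNames tell a reused DN apart from its original holder. The following membership check is an added example, not code from the draft, and serves both the uniqueMember and groupOfUniqueNames definitions. It assumes the value form DistinguishedName [ '#' bitstring ] with bitstring = "'" *("0"/"1") "'B", which is how RFC 2252 and X.520 define this syntax; it approximates distinguishedNameMatch (attribute types and string values compared case-insensitively with whitespace collapsed) rather than applying the full matching rules; and it follows uniqueMemberMatch as later written down in RFC 4517, where the DNs must match and the UID must be absent from both values or present and equal in both. The group entry and DNs are constructed.

```python
"""Membership check for groupOfUniqueNames using the Name and Optional UID
syntax of uniqueMember.

Added example, not text from the draft. Assumes the value form
DistinguishedName [ '#' bitstring ] (RFC 2252 / X.520) and approximates
distinguishedNameMatch; a real server applies the full matching rules.
"""
import re
from typing import List, NamedTuple, Optional


class NameAndOptionalUID(NamedTuple):
    dn: str              # normalised DN, used as the comparison key
    uid: Optional[str]   # bits between the quotes, or None if absent


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on sep unless it is preceded by a backslash (DN escaping)."""
    return re.split(r"(?<!\\)" + re.escape(sep), text)


def normalise_dn(dn: str) -> str:
    """Lower-case attribute types, collapse whitespace in values and
    lower-case them (approximates caseIgnoreMatch), sort multi-valued RDNs."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
            atype, value = ava.split("=", 1)
            value = " ".join(value.split()).lower()
            avas.append(f"{atype.strip().lower()}={value}")
        rdns.append("+".join(sorted(avas)))
    return ",".join(rdns)


def parse_name_and_optional_uid(value: str) -> NameAndOptionalUID:
    """Take an optional '#' bit-string suffix; a '#' that is escaped or not
    followed by a well-formed bit string is part of the DN, not a UID."""
    idx = value.rfind("#")
    if idx > 0 and value[idx - 1] != "\\":
        m = re.fullmatch(r"'([01]*)'B", value[idx + 1:])
        if m:
            return NameAndOptionalUID(normalise_dn(value[:idx]), m.group(1))
    return NameAndOptionalUID(normalise_dn(value), None)


def unique_member_match(attribute_value: str, assertion_value: str) -> bool:
    """uniqueMemberMatch (RFC 4517 wording): DNs must match and the UID must
    be absent from both or present and equal in both. bitStringMatch also
    compares length, so '0101'B and '101'B are different UIDs."""
    a = parse_name_and_optional_uid(attribute_value)
    b = parse_name_and_optional_uid(assertion_value)
    return a.dn == b.dn and a.uid == b.uid


def is_unique_member(group_entry: dict, candidate: str) -> bool:
    """True if candidate is listed in the group's uniqueMember values. A
    reused DN carrying a different UID is a different object and is NOT a
    member, which is the point of this syntax."""
    return any(unique_member_match(v, candidate)
               for v in group_entry.get("uniqueMember", []))


# Constructed sample group entry (LDIF-like dict), not from the draft.
GROUP = {
    "objectClass": ["top", "groupOfUniqueNames"],
    "cn": ["admins"],
    "uniqueMember": [
        "cn=Alice Example,ou=People,dc=example,dc=com#'0101'B",
        "cn=Bob Example, ou=People, dc=example, dc=com",
    ],
}

if __name__ == "__main__":
    print(is_unique_member(GROUP, "CN=alice example,OU=people,DC=example,DC=com#'0101'B"))
    print(is_unique_member(GROUP, "cn=Alice Example,ou=People,dc=example,dc=com#'0110'B"))
```

The check that matters for access control is the third case in the test: a value without a UID does not match an assertion carrying one, so a newly created entry that reuses Alice's DN but has a different (or no) unique identifier does not inherit her group membership.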
3.7 locality

The locality Object Class is the basis of an entry which
represents a place in the physical world.

( 2.5.6.3 NAME 'locality'
  SUP top
  STRUCTURAL
  MAY ( street $
        seeAlso $
        searchGuide $
        st $
        l $
        description ) )

3.8 organization

The organization Object Class is the basis of an entry which
represents a structured group of people.

( 2.5.6.4 NAME 'organization'
  SUP top
  STRUCTURAL
  MUST o
  MAY ( userPassword $ searchGuide $ seeAlso $
        businessCategory $ x121Address $ registeredAddress $
        destinationIndicator $ preferredDeliveryMethod $
        telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
        internationaliSDNNumber $ facsimileTelephoneNumber $
        street $ postOfficeBox $ postalCode $
        postalAddress $ physicalDeliveryOfficeName $ st $
        l $ description ) )

3.9 organizationalPerson

The organizationalPerson Object Class is the basis of an entry which
represents a person in relation to an organization.

( 2.5.6.7 NAME 'organizationalPerson'
  SUP person
  STRUCTURAL
  MAY ( title $ x121Address $ registeredAddress $
        destinationIndicator $ preferredDeliveryMethod $
        telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
        internationaliSDNNumber $ facsimileTelephoneNumber $
        street $ postOfficeBox $ postalCode $ postalAddress $
        physicalDeliveryOfficeName $ ou $ st $ l ) )

3.10 organizationalRole

The organizationalRole Object Class is the basis of an entry which
represents a job or function or position in an organization.

( 2.5.6.8 NAME 'organizationalRole'
  SUP top
  STRUCTURAL
  MUST cn
  MAY ( x121Address $ registeredAddress $ destinationIndicator $
        preferredDeliveryMethod $ telexNumber $
        teletexTerminalIdentifier $ telephoneNumber $
        internationaliSDNNumber $ facsimileTelephoneNumber $
        seeAlso $ roleOccupant $ preferredDeliveryMethod $
        street $ postOfficeBox $ postalCode $ postalAddress $
        physicalDeliveryOfficeName $ ou $ st $ l $ description ) )

3.11 organizationalUnit

The organizationalUnit Object Class is the basis of an entry which
represents a piece of an organization.

( 2.5.6.5 NAME 'organizationalUnit'
  SUP top
  STRUCTURAL
  MUST ou
  MAY ( businessCategory $ description $ destinationIndicator $
        facsimileTelephoneNumber $ internationaliSDNNumber $ l $
        physicalDeliveryOfficeName $ postalAddress $ postalCode $
        postOfficeBox $ preferredDeliveryMethod $
        registeredAddress $ searchGuide $ seeAlso $ st $ street $
        telephoneNumber $ teletexTerminalIdentifier $ telexNumber $
        userPassword $ x121Address ) )

3.12 person

The person Object Class is the basis of an entry which represents a
human being.

( 2.5.6.6 NAME 'person'
  SUP top
  STRUCTURAL
  MUST ( sn $
         cn )
  MAY ( userPassword $
        telephoneNumber $
        seeAlso $
        description ) )

3.13 residentialPerson

The residentialPerson Object Class is the basis of an entry which
includes a person's residence in the representation of the person.

( 2.5.6.10 NAME 'residentialPerson'
  SUP person
  STRUCTURAL
  MUST l
  MAY ( businessCategory $ x121Address $ registeredAddress $
        destinationIndicator $ preferredDeliveryMethod $
        telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
        internationaliSDNNumber $ facsimileTelephoneNumber $
        preferredDeliveryMethod $ street $ postOfficeBox $
        postalCode $ postalAddress $ physicalDeliveryOfficeName $
        st $ l ) )
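A server that recognizes these Object Classes also has to enforce them on every add and modify: each MUST attribute present, no attribute outside the union of MUST and MAY along the SUP chain, and all structural classes of an entry on a single chain. The following validator is an added example, not code from the draft. It parses definitions in the layout used on this page (person, organizationalPerson and groupOfNames are copied from above); 'top' is deferred to [Models] by the draft, so its RFC 2256 form is assumed here, and the entries it is exercised with are constructed.

```python
"""Validate entries against the object class definitions above.

Added example, not code from the draft. SCHEMA_TEXT copies this page's
person, organizationalPerson and groupOfNames definitions; 'top' is
deferred to [Models] by the draft, so its RFC 2256 form is assumed here.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set

SCHEMA_TEXT = """
( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
( 2.5.6.6 NAME 'person' SUP top STRUCTURAL
  MUST ( sn $ cn )
  MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL
  MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $
        preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
        telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
        street $ postOfficeBox $ postalCode $ postalAddress $
        physicalDeliveryOfficeName $ ou $ st $ l ) )
( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL
  MUST ( member $ cn )
  MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
"""
_TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")


@dataclass
class ObjectClass:
    oid: str
    name: str = ""
    sup: Optional[str] = None
    kind: str = "STRUCTURAL"          # ABSTRACT, STRUCTURAL or AUXILIARY
    must: Set[str] = field(default_factory=set)
    may: Set[str] = field(default_factory=set)


def _definitions(text: str) -> Iterator[List[str]]:
    """Yield the tokens inside each top-level '( ... )' definition."""
    depth, current = 0, []
    for tok in _TOKEN.findall(text):
        if tok == "(" and depth == 0:
            depth, current = 1, []
            continue
        depth += {"(": 1, ")": -1}.get(tok, 0)
        if depth == 0:
            yield current
        else:
            current.append(tok)


def _oids(tokens: List[str], i: int):
    """One descriptor, or '( a $ b )', at position i -> (lower-cased set, next i)."""
    if tokens[i] == "(":
        j = tokens.index(")", i)
        return {t.strip("'").lower() for t in tokens[i + 1:j] if t != "$"}, j + 1
    return {tokens[i].strip("'").lower()}, i + 1


def parse_object_classes(text: str) -> Dict[str, ObjectClass]:
    """Parse definitions in the layout used on this page, keyed by lower-cased NAME."""
    schema: Dict[str, ObjectClass] = {}
    for tokens in _definitions(text):
        oc, i = ObjectClass(oid=tokens[0]), 1
        while i < len(tokens):
            kw = tokens[i].upper()
            if kw in ("NAME", "SUP"):
                values, i = _oids(tokens, i + 1)
                setattr(oc, kw.lower(), sorted(values)[0])
            elif kw in ("ABSTRACT", "STRUCTURAL", "AUXILIARY"):
                oc.kind, i = kw, i + 1
            elif kw in ("MUST", "MAY"):
                values, i = _oids(tokens, i + 1)
                setattr(oc, kw.lower(), values)
            else:
                raise ValueError(f"unexpected token {tokens[i]!r} in {oc.oid}")
        schema[oc.name] = oc
    return schema


def _chain(schema: Dict[str, ObjectClass], name: str) -> List[ObjectClass]:
    """The class and its superclasses, most specific first."""
    out, oc = [], schema.get(name)
    while oc is not None:
        out.append(oc)
        oc = schema.get(oc.sup) if oc.sup else None
    return out


def validate(entry: Dict[str, List[str]], schema: Dict[str, ObjectClass]) -> List[str]:
    """Schema violations of an entry; an empty list means the entry conforms."""
    attrs = {a.lower() for a in entry if a.lower() != "dn"}
    classes = [c.lower() for k, v in entry.items() if k.lower() == "objectclass" for c in v]
    problems: List[str] = [] if classes else ["entry has no objectClass values"]
    required, allowed, structural = set(), set(), []
    for name in classes:
        if name not in schema:
            problems.append(f"unknown object class '{name}'")
            continue
        if schema[name].kind == "STRUCTURAL":
            structural.append(name)
        for oc in _chain(schema, name):      # inherit MUST/MAY up the SUP chain
            required |= oc.must
            allowed |= oc.must | oc.may
    # All structural classes must lie on one SUP chain (person <- organizationalPerson).
    if structural and not any(set(structural) <= {oc.name for oc in _chain(schema, s)}
                              for s in structural):
        problems.append("structural object classes not in a single chain: "
                        + ", ".join(sorted(structural)))
    problems += [f"missing MUST attribute '{a}'" for a in sorted(required - attrs)]
    problems += [f"attribute '{a}' not permitted by the object classes"
                 for a in sorted(attrs - allowed)]
    return problems


SCHEMA = parse_object_classes(SCHEMA_TEXT)
```

The "not permitted" check is the one with security value: without it a client can attach attributes such as title or userPassword to entries whose classes never declared them, and downstream consumers that trust the directory have no way to tell.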
4. IANA Considerations
It is requested that the Internet Assigned Numbers Authority (IANA)
update the LDAP descriptors registry as indicated in the following
template:
Subject: Request for LDAP Descriptor Registration Update
Descriptor (short name): see comment
Object Identifier: see comment
Person & email address to contact for further information:
Kathy Dally <kdally@mitre.org>
Usage: (A = Attribute Type, O = Object Class) see comment
Specification: RFC XXXX
Author/Change Controller: IESG
Comments:
The following descriptors (short names) should be updated to
refer to RFC XXXX.
NAME Type OID
------------------------ ---- ----------------------------
applicationProcess O 2.5.6.11
businessCategory A 2.5.4.15
c A 2.5.4.6
cn A 2.5.4.3
country O 2.5.6.2
dc A 0.9.2342.19200300.100.1.25
description A 2.5.4.13
destinationIndicator A 2.5.4.27
device O 2.5.6.14
distinguishedName A 2.5.4.49
dnQualifier A 2.5.4.46
domain O 0.9.2342.19200300.100.4.13
enhancedSearchGuide A 2.5.4.47
facsimileTelephoneNumber A 2.5.4.23
generationQualifier A 2.5.4.44
givenName A 2.5.4.42
groupOfNames O 2.5.6.9
groupOfUniqueNames O 2.5.6.17
houseIdentifier A 2.5.4.51
initials A 2.5.4.43
internationalISDNNumber A 2.5.4.25
l A 2.5.4.7
locality O 2.5.6.3
member A 2.5.4.31
name A 2.5.4.41
o A 2.5.4.10
organization O 2.5.6.4
organizationalPerson O 2.5.6.7
organizationalRole O 2.5.6.8
organizationalUnit O 2.5.6.5
ou A 2.5.4.11
owner A 2.5.4.32
person O 2.5.6.6
physicalDeliveryOfficeName A 2.5.4.19
postalAddress A 2.5.4.16
postalCode A 2.5.4.17
postOfficeBox A 2.5.4.18
preferredDeliveryMethod A 2.5.4.28
registeredAddress A 2.5.4.26
residentialPerson O 2.5.6.10
roleOccupant A 2.5.4.33
searchGuide A 2.5.4.14
seeAlso A 2.5.4.34
serialNumber A 2.5.4.5
sn A 2.5.4.4
st A 2.5.4.8
street A 2.5.4.9
telephoneNumber A 2.5.4.20
teletexTerminalIdentifier A 2.5.4.22
telexNumber A 2.5.4.21
title A 2.5.4.12
uniqueMember A 2.5.4.50
userPassword A 2.5.4.35
x121Address A 2.5.4.24
x500UniqueIdentifier A 2.5.4.45
5. Security Considerations

Attributes of directory entries are used to provide descriptive
information about the real-world objects they represent, which can be
people, organizations or devices. Most countries have privacy laws
regarding the publication of information about people.

Transfer of cleartext passwords is strongly discouraged where the
underlying transport service cannot guarantee confidentiality and may
result in disclosure of the password to unauthorized parties.

It is required that strong authentication be performed in order to
modify directory entries using LDAP.
Several X.500 Attribute Types and Object Classes, such as, the
userCertificate Attribute Type or the certificationAuthority Object
Class, are used to include key-based security information in
directory entries. The Attribute Types are:
authorityRevocationList
cACertificate
certificateRevocationList
crossCertificatePair
deltaRevocationList
supportedAlgorithms
userCertificate
The Object Classes are:
certificationAuthority
certificationAuthority-V2
cRLDistributionPoint
strongAuthenticationUser
userSecurityInformation
These Attribute Types and Object Classes are specified for LDAP by
the PKIX Working Group, and so, are not included in this document.
It is recommended that the BNF notation in RFC 1778 [RFC1778] not
be used for User Certificate, Authority Revocation List, and
Certificate Pair.
6. Acknowledgements

The definitions, on which this document is based, have been developed
by committees for telecommunications and international standards.
No new attribute definitions have been added.

This document is an update of RFC 2256 by Mark Wahl. RFC 2256 was a
product of the IETF ASID Working Group.

This document is based upon input of the IETF LDAPBIS working group.

...

7. References

7.1 Normative

[E.123] Notation for national and international telephone numbers,
ITU-T Recommendation E.123, 1988

[E.164] The international public telecommunication numbering plan,
ITU-T Recommendation E.164, 1997

[ISO3166] ISO 3166, "Codes for the representation of names of
countries".

[LDAP-PKI] Chadwick, D. W., Legg, S., "LDAP Schema and Syntaxes for
PKIs", draft-ietf-pkix-ldap-pki-schema-xx (a work in progress)

[Models] Zeilenga, K., "LDAP: The Models",
draft-ietf-ldapbis-models-xx (a work in progress)

[RFC2026] Bradner, S., "The Internet Standards Process --
Revision 3", RFC 2026, October 1996

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997

[RFC3377] Hodges, J., Morgan, R., "Lightweight Directory Access
Protocol (v3): Technical Specification", RFC 3377,
September 2002

[ROADMAP] Zeilenga, K., "LDAP: Technical Specification Road Map",
draft-ietf-ldapbis-roadmap-xx (a work in progress)

[Syntaxes] Legg, S. (editor), "LDAP: Syntaxes",
draft-ietf-ldapbis-syntaxes-xx (a work in progress)

[X.121] International numbering plan for public data networks,
ITU-T Recommendation X.121, 1996

[X.509] The Directory: Authentication Framework, ITU-T
Recommendation X.509, 1993

[X.520] The Directory: Selected Attribute Types, ITU-T
Recommendation X.520, 1993

[X.521] The Directory: Selected Object Classes, ITU-T
Recommendation X.521, 1993

7.2 Informative

[RFC1778] Howes, T., Kille, S., Yeong, W., Robbins, C., "The
String Representation of Standard Attribute Syntaxes", RFC 1778,
March 1995

[RFC2247] Kille, S., Wahl, M., Grimstad, A., Huber, R., and
Sataluri, S., "Using Domains in LDAP/X.500 Distinguished Names",
RFC 2247, January 1998

[RFC2252] Wahl, M., Coulbeck, A., Howes, T., and Kille, S.,
"Lightweight Directory Access Protocol (v3): Attribute Syntax
Definitions", RFC 2252, December 1997

8. Author's Address

Kathy Dally
The MITRE Corp.
1575 Colshire Dr., H300
McLean VA 22102
USA

Phone: +1 703 883 6058
Email: kdally@mitre.org
9. Full Copyright Statement

Copyright (C) The Internet Society (2002). All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.

The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Appendix A Changes RFC 2256

This appendix lists the changes that have been made from RFC 2256 to
this I-D.

1. Revised the Status of this Memo.

2. Removed the IESG Note.

3. Dependencies on RFC 1274 have been eliminated.

4. Added a Security Considerations section, requiring strong
authentication in order to modify directory entries.

5. Deleted the conformance requirement for subschema object
classes in favor of a statement in [Syntaxes].

6. Added a Table of Contents.

7. Added explanations to many attributes.

8. Removed Section 4, Syntaxes, and Section 6, Matching Rules,
(moved to [Syntaxes]).

9. Reordered Section 3, Attributes, and Section 4, Object
Classes, alphabetically.

10. Added an explanation for each object class.

11. Removed the certificate-related Attribute Types:
authorityRevocationList,
cACertificate,
certificateRevocationList,
crossCertificatePair,
deltaRevocationList,
supportedAlgorithms, and
userCertificate.
Removed the certificate-related Object Classes:
certificationAuthority,
certificationAuthority-V2,
cRLDistributionPoint,
strongAuthenticationUser, and
userSecurityInformation
Noted that they are covered in PKIX WG documents.

12. Removed the dmdName Attribute Type and dmd Object Class
because they are not in the version of X.500 which
is referenced.

13. Deleted the 'aliasedObjectName' and 'objectClass' attribute
type definitions. They are included in [Models].

14. Deleted the 'alias' and 'top' object class definitions. They
are included in [Models].

15. Replaced the document title.

16. Added the 'dc' attribute and the 'domain' object class from
RFC 2247.

17. Deleted the 'knowledgeInformation', 'presentationAddress',
'protocolInformation', and 'supportedApplicationContext'
attributes.

18. Deleted the 'applicationEntity' and 'dSA' object classes.

19. Added an IANA Considerations section.

Annex A Change Log (as given in draft-ietf-ldapbis-user-schema-04)

This annex lists the changes that have been made from RFC 2256 to
this I-D.

Changes to RFC 2256 resulting in
draft-ietf-ldapbis-user-schema-00.txt:

1. Revision of the Status of this Memo.

2. Dependencies on RFC 1274 have been eliminated.

3. The references to X.500(96) have been expressed in terms of
the "edition", rather than the standard date. Note that the
version of X.500 which is the basis for this document, is the
third edition, which was finalized in 1996, but approved in
1997.

4. The "teletexTerminalNumber" attribute and syntax are marked
as obsolete.

5. Removed "The syntax definitions are based on the ISODE "QUIPU"
implementation of X.500." from section 6.

6. Added text to 6.1, the octetString syntax, in accordance
with X.520.

7. Some of the attribute types MUST be recognized by servers.
Also, several attributes are obsolete. Therefore, the
various kinds of attribute types have been placed in separate
sections:
- necessary for the directory to operate (section 3.1)
- for holding user information (section 3.2)
- superseded or withdrawn (section 3.3).

8. Since "top" may be implicitly specified and "alias" is not
abstract, the last sentence in the description of the
"objectClass" attribute type, section 3.1.1, has been deleted.
The clause that preceded the deleted sentence has been
removed, also.

9. Add a description to the definition of the "telephoneNumber"
attribute type, section 3.2.17.

10. Add text to mark the "teletexTerminalIdentifier" attribute
type as obsolete.

11. Add a security consideration requiring strong authentication
in order to modify directory entries.

Changes to draft-ietf-ldapbis-user-schema-00.txt, resulting in
draft-ietf-ldapbis-user-schema-01.txt:

12. Delete the conformance requirement for subschema object
classes in favor of a statement in [SYNTAX].

13. Add a Table of Contents.

14. Replace the term "obsolete" with "superseded or withdrawn".

15. Added explanations to many attributes.

16. In the title, correct the X.500 reference to have the second
edition as the basis.

17. Throughout this I-D, cleaned up whitespace in the BNF
definitions.

18. Removed Section 4, Syntaxes, and Section 6, Matching Rules,
(moved to draft-ietf-ldapbis-syntaxes-01.txt).

19. Reorganized Section 3, Attributes, to eliminate grouping
attributes according to conformance requirements. Reordered
Section 3, Attributes, and Section 4, Object Classes,
alphabetically.

20. Added an explanation for each object class.

Changes to draft-ietf-ldapbis-user-schema-01.txt, resulting in
draft-ietf-ldapbis-user-schema-02.txt:

21. Removed the certificate-related Attribute Types:
authorityRevocationList,
cACertificate,
certificateRevocationList,
crossCertificatePair,
deltaRevocationList,
supportedAlgorithms, and
userCertificate.
Removed the certificate-related Object Classes:
certificationAuthority,
certificationAuthority-V2,
cRLDistributionPoint,
strongAuthenticationUser, and
userSecurityInformation
Noted in the Security Considerations (Section 7) that they
are covered in PKIX WG documents.

22. Removed the dmdName Attribute Type and dmd Object Class
because they are not in the version of X.500 which
is referenced.

23. Removed embedded comments from the ABNF productions
throughout the document.

24. Cleaned up the references; adopted word instead of number
tags; split Section 7 into normative and informative
subsections.

Changes to draft-ietf-ldapbis-user-schema-02.txt, resulting in
draft-ietf-ldapbis-user-schema-03.txt:

25. Deleted the 'aliasedObjectName' and 'objectClass' attribute
type definitions. They are included in [Models].

26. Deleted the 'alias' and 'top' object class definitions. They
are included in [Models].

27. Replaced the document title.

28. Changed reference citations to be consistent with the rest of
the LDAPbis documents.

Changes to draft-ietf-ldapbis-user-schema-03.txt, resulting in
draft-ietf-ldapbis-user-schema-04.txt:

29. Added references for RFC 2026 and RFC 2247.

30. Corrected the copyright year.

31. Added the 'dc' attribute and the 'domain' object class from
RFC 2247.

32. Deleted the 'knowledgeInformation', 'presentationAddress',
'protocolInformation', and 'supportedApplicationContext'
attributes.

33. Deleted the 'applicationEntity' and 'dSA' object classes.

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/