sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-27 03:21:53 +03:00
Code
61589085c4
samba-mirror/source4/ldap_server/devdocs/rfc4524.txt

1404 lines
50 KiB
Plaintext
Raw Normal View History

r17189: Add the new LDAP rfc series (This used to be commit d3f8b813b33d1338e62f099017a1d4a32745e7a2)
2006-07-22 23:26:52 +04:00
Network Working Group K. Zeilenga, Ed.
Request for Comments: 4524 OpenLDAP Foundation
Obsoletes: 1274 June 2006
Updates: 2247, 2798
Category: Standards Track
COSINE LDAP/X.500 Schema
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document provides a collection of schema elements for use with
the Lightweight Directory Access Protocol (LDAP) from the COSINE and
Internet X.500 pilot projects.
This document obsoletes RFC 1274 and updates RFCs 2247 and 2798.
Table of Contents
1. Introduction ....................................................3
1.1. Relationship to Other Documents ............................3
1.2. Terminology and Conventions ................................4
2. COSINE Attribute Types ..........................................4
2.1. associatedDomain ...........................................4
2.2. associatedName .............................................5
2.3. buildingName ...............................................5
2.4. co .........................................................5
2.5. documentAuthor .............................................6
2.6. documentIdentifier .........................................6
2.7. documentLocation ...........................................6
2.8. documentPublisher ..........................................7
2.9. documentTitle ..............................................7
2.10. documentVersion ...........................................7
2.11. drink .....................................................8
2.12. homePhone .................................................8
2.13. homePostalAddress .........................................8
Zeilenga Standards Track [Page 1]
RFC 4524 COSINE LDAP/X.500 Schema June 2006
2.14. host ......................................................9
2.15. info ......................................................9
2.16. mail ......................................................9
2.17. manager ..................................................10
2.18. mobile ...................................................10
2.19. organizationalStatus .....................................11
2.20. pager ....................................................11
2.21. personalTitle ............................................11
2.22. roomNumber ...............................................12
2.23. secretary ................................................12
2.24. uniqueIdentifier .........................................12
2.25. userClass ................................................13
3. COSINE Object Classes ..........................................13
3.1. account ...................................................13
3.2. document ..................................................14
3.3. documentSeries ............................................14
3.4. domain ....................................................15
3.5. domainRelatedObject .......................................16
3.6. friendlyCountry ...........................................16
3.7. rFC822LocalPart ...........................................17
3.8. room ......................................................18
3.9. simpleSecurityObject ......................................18
4. Security Considerations ........................................18
5. IANA Considerations ............................................19
6. Acknowledgements ...............................................20
7. References .....................................................20
7.1. Normative References ......................................20
7.2. Informative References ....................................21
Appendix A. Changes since RFC 1274 ...............................23
A.1. LDAP Short Names .........................................23
A.2. pilotObject ..............................................23
A.3. pilotPerson ..............................................23
A.4. dNSDomain ................................................24
A.5. pilotDSA and qualityLabelledData .........................24
A.6. Attribute Syntaxes .......................................24
Appendix B. Changes since RFC 2247 ...............................24
Zeilenga Standards Track [Page 2]
RFC 4524 COSINE LDAP/X.500 Schema June 2006
1. Introduction
In the late 1980s, X.500 Directory Services were standardized by the
CCITT (Commite' Consultatif International de Telegraphique et
Telephonique), now a part of the ITU (International Telephone Union).
This lead to Directory Service piloting activities in the early
1990s, including the COSINE (Co-operation and Open Systems
Interconnection in Europe) PARADISE Project pilot [COSINEpilot] in
Europe. Motivated by needs for large-scale directory pilots, RFC
1274 was published to standardize the directory schema and naming
architecture for use in the COSINE and other Internet X.500 pilots
[RFC1274].
In the years that followed, X.500 Directory Services have evolved to
incorporate new capabilities and even new protocols. In particular,
the Lightweight Directory Access Protocol (LDAP) [RFC4510] was
introduced in the early 1990s [RFC1487], with Version 3 of LDAP
introduced in the late 1990s [RFC2251] and subsequently revised in
2005 [RFC4510].
While much of the material in RFC 1274 has been superceded by
subsequently published ITU-T Recommendations and IETF RFCs, many of
the schema elements lack standardized schema descriptions for use in
modern X.500 and LDAP directory services despite the fact that these
schema elements are in wide use today. As the old schema
descriptions cannot be used without adaptation, interoperability
issues may arise due to lack of standardized modern schema
descriptions.
This document addresses these issues by offering standardized schema
descriptions, where needed, for widely used COSINE schema elements.
1.1. Relationship to Other Documents
This document, together with [RFC4519] and [RFC4517], obsoletes RFC
1274 in its entirety. [RFC4519] replaces Sections 9.3.1 (Userid) and
9.3.21 (Domain Component) of RFC 1274. [RFC4517] replaces Section
9.4 (Generally useful syntaxes) of RFC 1274.
This document replaces the remainder of RFC 1274. Appendix A
discusses changes since RFC 1274, as well as why certain schema
elements were not brought forward in this revision of the COSINE
schema. All elements not brought are to be regarded as Historic.
The description of the 'domain' object class provided in this
document supercedes that found in RFC 2247. That is, Section 3.4 of
this document replaces Section 5.2 of [RFC2247].
Zeilenga Standards Track [Page 3]
RFC 4524 COSINE LDAP/X.500 Schema June 2006
Some of the schema elements specified here were described in RFC 2798
(inetOrgPerson schema). This document supersedes these descriptions.
This document, together with [RFC4519], replaces Section 9.1.3 of RFC
2798.
1.2. Terminology and Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 [RFC2119].
DIT stands for Directory Information Tree.
DN stands for Distinguished Name.
DSA stands for Directory System Agent, a server.
DSE stands for DSA-Specific Entry.
DUA stands for Directory User Agent, a client.
These terms are discussed in [RFC4512].
Schema definitions are provided using LDAP description formats
[RFC4512]. Definitions provided here are formatted (line wrapped)
for readability.
2. COSINE Attribute Types
This section details COSINE attribute types for use in LDAP.
2.1. associatedDomain
The 'associatedDomain' attribute specifies DNS [RFC1034][RFC2181]
host names [RFC1123] that are associated with an object. That is,
values of this attribute should conform to the following ABNF:
domain = root / label *( DOT label )
root = SPACE
label = LETDIG [ *61( LETDIG / HYPHEN ) LETDIG ]
LETDIG = %x30-39 / %x41-5A / %x61-7A ; "0" - "9" / "A"-"Z" / "a"-"z"
SPACE = %x20 ; space (" ")
HYPHEN = %x2D ; hyphen ("-")
DOT = %x2E ; period (".")
For example, the entry in the DIT with a DN <DC=example,DC=com> might
have an associated domain of "example.com".
( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
Zeilenga Standards Track [Page 4]
RFC 4524 COSINE LDAP/X.500 Schema June 2006
The IA5String (1.3.6.1.4.1.1466.115.121.1.26) syntax and the
'caseIgnoreIA5Match' and 'caseIgnoreIA5SubstringsMatch' rules are
described in [RFC4517].
Note that the directory will not ensure that values of this attribute
conform to the <domain> production provided above. It is the
application's responsibility to ensure that domains it stores in this
attribute are appropriately represented.
Also note that applications supporting Internationalized Domain Names
SHALL use the ToASCII method [RFC3490] to produce <label> components
of the <domain> production.
2.2. associatedName
The 'associatedName' attribute specifies names of entries in the
organizational DIT associated with a DNS domain [RFC1034][RFC2181].
( 0.9.2342.19200300.100.1.38 NAME 'associatedName'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax and the
'distinguishedNameMatch' rule are described in [RFC4517].
2.3. buildingName
The 'buildingName' attribute specifies names of the buildings where
an organization or organizational unit is based, for example, "The
White House".
( 0.9.2342.19200300.100.1.48 NAME 'buildingName'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
in [RFC4517].
2.4. co
The 'co' (Friendly Country Name) attribute specifies names of
countries in human-readable format, for example, "Germany" and
"Federal Republic of Germany". It is commonly used in conjunction
with the 'c' (Country Name) [RFC4519] attribute (whose values are
restricted to the two-letter codes defined in [ISO3166]).
Zeilenga Standards Track [Page 5]
RFC 4524 COSINE LDAP/X.500 Schema June 2006
( 0.9.2342.19200300.100.1.43 NAME 'co'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
in [RFC4517].
2.5. documentAuthor
The 'documentAuthor' attribute specifies the distinguished names of
authors (or editors) of a document. For example,
( 0.9.2342.19200300.100.1.14 NAME 'documentAuthor'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax and the
'distinguishedNameMatch' rule are described in [RFC4517].
2.6. documentIdentifier
The 'documentIdentifier' attribute specifies unique identifiers for a
document. A document may be identified by more than one unique
identifier. For example, RFC 3383 and BCP 64 are unique identifiers
that (presently) refer to the same document.
( 0.9.2342.19200300.100.1.11 NAME 'documentIdentifier'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
in [RFC4517].
2.7. documentLocation
The 'documentLocation' attribute specifies locations of the document
original.
( 0.9.2342.19200300.100.1.15 NAME 'documentLocation'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
Zeilenga Standards Track [Page 6]
RFC 4524 COSINE LDAP/X.500 Schema June 2006
The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
in [RFC4517].
2.8. documentPublisher
The 'documentPublisher' attribute is the persons and/or organizations
that published the document. Documents that are jointly published
have one value for each publisher.
( 0.9.2342.19200300.100.1.56 NAME 'documentPublisher'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
in [RFC4517].
2.9. documentTitle
The 'documentTitle' attribute specifies the titles of a document.
Multiple values are allowed to accommodate both long and short
titles, or other situations where a document has multiple titles, for
example, "The Lightweight Directory Access Protocol Technical
Specification" and "The LDAP Technical Specification".
( 0.9.2342.19200300.100.1.12 NAME 'documentTitle'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
in [RFC4517].
2.10. documentVersion
The 'documentVersion' attribute specifies the version information of
a document.
( 0.9.2342.19200300.100.1.13 NAME 'documentVersion'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
Zeilenga Standards Track [Page 7]
RFC 4524 COSINE LDAP/X.500 Schema June 2006
The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
in [RFC4517].
2.11. drink
The 'drink' (favoriteDrink) attribute specifies the favorite drinks
of an object (or person), for instance, "cola" and "beer".
( 0.9.2342.19200300.100.1.5 NAME 'drink'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
in [RFC4517].
2.12. homePhone
The 'homePhone' (Home Telephone Number) attribute specifies home
telephone numbers (e.g., "+1 775 555 1234") associated with a person.
( 0.9.2342.19200300.100.1.20 NAME 'homePhone'
EQUALITY telephoneNumberMatch
SUBSTR telephoneNumberSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
The telephoneNumber (1.3.6.1.4.1.1466.115.121.1.50) syntax and the
'telephoneNumberMatch' and 'telephoneNumberSubstringsMatch' rules are
described in [RFC4517].
2.13. homePostalAddress
The 'homePostalAddress' attribute specifies home postal addresses for
an object. Each value should be limited to up to 6 directory strings
of 30 characters each. (Note: It is not intended that the directory
service enforce these limits.)
( 0.9.2342.19200300.100.1.39 NAME 'homePostalAddress'
EQUALITY caseIgnoreListMatch
SUBSTR caseIgnoreListSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
The PostalAddress (1.3.6.1.4.1.1466.115.121.1.41) syntax and the
'caseIgnoreListMatch' and 'caseIgnoreListSubstringsMatch' rules are
described in [RFC4517].
Zeilenga Standards Track [Page 8]
RFC 4524 COSINE LDAP/X.500 Schema June 2006
2.14. host
The 'host' attribute specifies host computers, generally by their
primary fully qualified domain name (e.g., my-host.example.com).
( 0.9.2342.19200300.100.1.9 NAME 'host'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
in [RFC4517].
2.15. info
The 'info' attribute specifies any general information pertinent to
an object. This information is not necessarily descriptive of the
object.
Applications should not attach specific semantics to values of this
attribute. The 'description' attribute [RFC4519] is available for
specifying descriptive information pertinent to an object.
( 0.9.2342.19200300.100.1.4 NAME 'info'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{2048} )
The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
in [RFC4517].
2.16. mail
The 'mail' (rfc822mailbox) attribute type holds Internet mail
addresses in Mailbox [RFC2821] form (e.g., user@example.com).
( 0.9.2342.19200300.100.1.3 NAME 'mail'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
The IA5String (1.3.6.1.4.1.1466.115.121.1.26) syntax and the
'caseIgnoreIA5Match' and 'caseIgnoreIA5SubstringsMatch' rules are
described in [RFC4517].
Zeilenga Standards Track [Page 9]
RFC 4524 COSINE LDAP/X.500 Schema June 2006
Note that the directory will not ensure that values of this attribute
conform to the <Mailbox> production [RFC2821]. It is the
application's responsibility to ensure that domains it stores in this
attribute are appropriately represented.
Additionally, the directory will compare values per the matching
rules named in the above attribute type description. As these rules
differ from rules that normally apply to <Mailbox> comparisons,
operational issues may arise. For example, the assertion
(mail=joe@example.com) will match "JOE@example.com" even though the
<local-parts> differ. Also, where a user has two <Mailbox>es whose
addresses differ only by case of the <local-part>, both cannot be
listed as values of the user's mail attribute (as they are considered
equal by the 'caseIgnoreIA5Match' rule).
Also note that applications supporting internationalized domain names
SHALL use the ToASCII method [RFC3490] to produce <sub-domain>
components of the <Mailbox> production.
2.17. manager
The 'manager' attribute specifies managers, by distinguished name, of
the person (or entity).
( 0.9.2342.19200300.100.1.10 NAME 'manager'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax and the
'distinguishedNameMatch' rule are described in [RFC4517].
2.18. mobile
The 'mobile' (mobileTelephoneNumber) attribute specifies mobile
telephone numbers (e.g., "+1 775 555 6789") associated with a person
(or entity).
( 0.9.2342.19200300.100.1.41 NAME 'mobile'
EQUALITY telephoneNumberMatch
SUBSTR telephoneNumberSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
The telephoneNumber (1.3.6.1.4.1.1466.115.121.1.50) syntax and the
'telephoneNumberMatch' and 'telephoneNumberSubstringsMatch' rules are
described in [RFC4517].
Zeilenga Standards Track [Page 10]
RFC 4524 COSINE LDAP/X.500 Schema June 2006
2.19. organizationalStatus
The 'organizationalStatus' attribute specifies categories by which a
person is often referred to in an organization. Examples of usage in
academia might include "undergraduate student", "researcher",
"professor", and "staff". Multiple values are allowed where the
person is in multiple categories.
Directory administrators and application designers SHOULD consider
carefully the distinctions between this and the 'title' and
'userClass' attributes.
( 0.9.2342.19200300.100.1.45 NAME 'organizationalStatus'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
in [RFC4517].
2.20. pager
The 'pager' (pagerTelephoneNumber) attribute specifies pager
telephone numbers (e.g., "+1 775 555 5555") for an object.
( 0.9.2342.19200300.100.1.42 NAME 'pager'
EQUALITY telephoneNumberMatch
SUBSTR telephoneNumberSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
The telephoneNumber (1.3.6.1.4.1.1466.115.121.1.50) syntax and the
'telephoneNumberMatch' and 'telephoneNumberSubstringsMatch' rules are
described in [RFC4517].
2.21. personalTitle
The 'personalTitle' attribute specifies personal titles for a person.
Examples of personal titles are "Frau", "Dr.", "Herr", and
"Professor".
( 0.9.2342.19200300.100.1.40 NAME 'personalTitle'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
Zeilenga Standards Track [Page 11]
RFC 4524 COSINE LDAP/X.500 Schema June 2006
The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
in [RFC4517].
2.22. roomNumber
The 'roomNumber' attribute specifies the room number of an object.
During periods of renumbering, or in other circumstances where a room
has multiple valid room numbers associated with it, multiple values
may be provided. Note that the 'cn' (commonName) attribute type
SHOULD be used for naming room objects.
( 0.9.2342.19200300.100.1.6 NAME 'roomNumber'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
in [RFC4517].
2.23. secretary
The 'secretary' attribute specifies secretaries and/or administrative
assistants, by distinguished name.
( 0.9.2342.19200300.100.1.21 NAME 'secretary'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax and the
'distinguishedNameMatch' rule are described in [RFC4517].
2.24. uniqueIdentifier
The 'uniqueIdentifier' attribute specifies a unique identifier for an
object represented in the Directory. The domain within which the
identifier is unique and the exact semantics of the identifier are
for local definition. For a person, this might be an institution-
wide payroll number. For an organizational unit, it might be a
department code.
( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
Zeilenga Standards Track [Page 12]
RFC 4524 COSINE LDAP/X.500 Schema June 2006
The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
in [RFC4517].
Note: X.520 also describes an attribute called 'uniqueIdentifier'
(2.5.4.45), which is called 'x500UniqueIdentifier' in LDAP
[RFC4519]. The attribute detailed here ought not be confused
with 'x500UniqueIdentifier'.
2.25. userClass
The 'userClass' attribute specifies categories of computer or
application user. The semantics placed on this attribute are for
local interpretation. Examples of current usage of this attribute in
academia are "student", "staff", and "faculty". Note that the
'organizationalStatus' attribute type is now often preferred, as it
makes no distinction between persons as opposed to users.
( 0.9.2342.19200300.100.1.8 NAME 'userClass'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
in [RFC4517].
3. COSINE Object Classes
This section details COSINE object classes for use in LDAP.
3.1. account
The 'account' object class is used to define entries representing
computer accounts. The 'uid' attribute SHOULD be used for naming
entries of this object class.
( 0.9.2342.19200300.100.4.5 NAME 'account'
SUP top STRUCTURAL
MUST uid
MAY ( description $ seeAlso $ l $ o $ ou $ host ) )
The 'top' object class is described in [RFC4512]. The 'description',
'seeAlso', 'l', 'o', 'ou', and 'uid' attribute types are described in
[RFC4519]. The 'host' attribute type is described in Section 2 of
this document.
Zeilenga Standards Track [Page 13]
RFC 4524 COSINE LDAP/X.500 Schema June 2006
3.3. documentSeriesExample:
dn: uid=kdz,cn=Accounts,dc=Example,dc=COM
objectClass: account
uid: kdz
seeAlso: cn=Kurt D. Zeilenga,cn=Persons,dc=Example,dc=COM
3.2. document
The 'document' object class is used to define entries that represent
documents.
( 0.9.2342.19200300.100.4.6 NAME 'document'
SUP top STRUCTURAL
MUST documentIdentifier
MAY ( cn $ description $ seeAlso $ l $ o $ ou $
documentTitle $ documentVersion $ documentAuthor $
documentLocation $ documentPublisher ) )
The 'top' object class is described in [RFC4512]. The 'cn',
'description', 'seeAlso', 'l', 'o', and 'ou' attribute types are
described in [RFC4519]. The 'documentIdentifier', 'documentTitle',
'documentVersion', 'documentAuthor', 'documentLocation', and
'documentPublisher' attribute types are described in Section 2 of
this document.
Example:
dn: documentIdentifier=RFC 4524,cn=RFC,dc=Example,dc=COM
objectClass: document
documentIdentifier: RFC 4524
documentTitle: COSINE LDAP/X.500 Schema
documentAuthor: cn=Kurt D. Zeilenga,cn=Persons,dc=Example,dc=COM
documentLocation: http://www.rfc-editor.org/rfc/rfc4524.txt
documentPublisher: Internet Engineering Task Force
description: A collection of schema elements for use in LDAP
description: Obsoletes RFC 1274
seeAlso: documentIdentifier=RFC 4510,cn=RFC,dc=Example,dc=COM
seeAlso: documentIdentifier=RFC 1274,cn=RFC,dc=Example,dc=COM
3.3. documentSeries
The 'documentSeries' object class is used to define an entry that
represents a series of documents (e.g., The Request For Comments
memos).
Zeilenga Standards Track [Page 14]
RFC 4524 COSINE LDAP/X.500 Schema June 2006
( 0.9.2342.19200300.100.4.9 NAME 'documentSeries'
SUP top STRUCTURAL
MUST cn
MAY ( description $ l $ o $ ou $ seeAlso $
telephonenumber ) )
The 'top' object class is described in [RFC4512]. The 'description',
'l', 'o', 'ou', 'seeAlso', and 'telephoneNumber' attribute types are
described in [RFC4519].
Example:
dn: cn=RFC,dc=Example,dc=COM
objectClass: documentSeries
cn: Request for Comments
cn: RFC
description: a series of memos about the Internet
3.4. domain
The 'domain' object class is used to define entries that represent
DNS domains for objects that are not organizations, organizational
units, or other kinds of objects more appropriately defined using an
object class specific to the kind of object being defined (e.g.,
'organization', 'organizationUnit').
The 'dc' attribute should be used for naming entries of the 'domain'
object class.
( 0.9.2342.19200300.100.4.13 NAME 'domain'
SUP top STRUCTURAL
MUST dc
MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
x121Address $ registeredAddress $ destinationIndicator $
preferredDeliveryMethod $ telexNumber $
teletexTerminalIdentifier $ telephoneNumber $
internationaliSDNNumber $ facsimileTelephoneNumber $ street $
postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ st $ l $ description $ o $
associatedName ) )
The 'top' object class and the 'dc', 'userPassword', 'searchGuide',
'seeAlso', 'businessCategory', 'x121Address', 'registeredAddress',
'destinationIndicator', 'preferredDeliveryMethod', 'telexNumber',
'teletexTerminalIdentifier', 'telephoneNumber',
'internationaliSDNNumber', 'facsimileTelephoneNumber', 'street',
'postOfficeBox', 'postalCode', 'postalAddress',
'physicalDeliveryOfficeName', 'st', 'l', 'description', and 'o' types
Zeilenga Standards Track [Page 15]
RFC 4524 COSINE LDAP/X.500 Schema June 2006
are described in [RFC4519]. The 'associatedName' attribute type is
described in Section 2 of this document.
Example:
dn: dc=com
objectClass: domain
dc: com
description: the .COM TLD
3.5. domainRelatedObject
The 'domainRelatedObject' object class is used to define entries that
represent DNS domains that are "equivalent" to an X.500 domain, e.g.,
an organization or organizational unit.
( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject'
SUP top AUXILIARY
MUST associatedDomain )
The 'top' object class is described in [RFC4512]. The
'associatedDomain' attribute type is described in Section 2 of this
document.
Example:
dn: dc=example,dc=com
objectClass: organization
objectClass: dcObject
objectClass: domainRelatedObject
dc: example
associatedDomain: example.com
o: Example Organization
The 'organization' and 'dcObject' object classes and the 'dc' and 'o'
attribute types are described in [RFC4519].
3.6. friendlyCountry
The 'friendlyCountry' object class is used to define entries
representing countries in the DIT. The object class is used to allow
friendlier naming of countries than that allowed by the object class
'country' [RFC4519].
( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry'
SUP country STRUCTURAL
MUST co )
Zeilenga Standards Track [Page 16]
RFC 4524 COSINE LDAP/X.500 Schema June 2006
The 'country' object class is described in [RFC4519]. The 'co'
attribute type is described in Section 2 of this document.
Example:
dn: c=DE
objectClass: country
objectClass: friendlyCountry
c: DE
co: Deutschland
co: Germany
co: Federal Republic of Germany
co: FRG
The 'c' attribute type is described in [RFC4519].
3.7. rFC822LocalPart
The 'rFC822LocalPart' object class is used to define entries that
represent the local part of Internet mail addresses [RFC2822]. This
treats the local part of the address as a 'domain' object.
( 0.9.2342.19200300.100.4.14 NAME 'rFC822localPart'
SUP domain STRUCTURAL
MAY ( cn $ description $ destinationIndicator $
facsimileTelephoneNumber $ internationaliSDNNumber $
physicalDeliveryOfficeName $ postalAddress $ postalCode $
postOfficeBox $ preferredDeliveryMethod $ registeredAddress $
seeAlso $ sn $ street $ telephoneNumber $
teletexTerminalIdentifier $ telexNumber $ x121Address ) )
The 'domain' object class is described in Section 3.4 of this
document. The 'cn', 'description', 'destinationIndicator',
'facsimileTelephoneNumber', 'internationaliSDNNumber,
'physicalDeliveryOfficeName', 'postalAddress', 'postalCode',
'postOfficeBox', 'preferredDeliveryMethod', 'registeredAddress',
'seeAlso', 'sn, 'street', 'telephoneNumber',
'teletexTerminalIdentifier', 'telexNumber', and 'x121Address'
attribute types are described in [RFC4519].
Example:
dn: dc=kdz,dc=example,dc=com
objectClass: domain
objectClass: rFC822LocalPart
dc: kdz
associatedName: cn=Kurt D. Zeilenga,cn=Persons,dc=Example,dc=COM
Zeilenga Standards Track [Page 17]
RFC 4524 COSINE LDAP/X.500 Schema June 2006
The 'dc' attribute type is described in [RFC4519].
3.8. room
The 'room' object class is used to define entries representing rooms.
The 'cn' (commonName) attribute SHOULD be used for naming entries of
this object class.
( 0.9.2342.19200300.100.4.7 NAME 'room'
SUP top STRUCTURAL
MUST cn
MAY ( roomNumber $ description $ seeAlso $ telephoneNumber ) )
The 'top' object class is described in [RFC4512]. The 'cn',
'description', 'seeAlso', and 'telephoneNumber' attribute types are
described in [RFC4519]. The 'roomNumber' attribute type is described
in Section 2 of this document.
dn: cn=conference room,dc=example,dc=com
objectClass: room
cn: conference room
telephoneNumber: +1 755 555 1111
3.9. simpleSecurityObject
The 'simpleSecurityObject' object class is used to require an entry
to have a 'userPassword' attribute when the entry's structural object
class does not require (or allow) the 'userPassword attribute'.
( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject'
SUP top AUXILIARY
MUST userPassword )
The 'top' object class is described in [RFC4512]. The 'userPassword'
attribute type is described in [RFC4519].
dn: dc=kdz,dc=Example,dc=COM
objectClass: account
objectClass: simpleSecurityObject
uid: kdz
userPassword: My Password
seeAlso: cn=Kurt D. Zeilenga,cn=Persons,dc=Example,dc=COM
4. Security Considerations
General LDAP security considerations [RFC4510] are applicable to the
use of this schema. Additional considerations are noted above where
appropriate.
Zeilenga Standards Track [Page 18]
RFC 4524 COSINE LDAP/X.500 Schema June 2006
Directories administrators should ensure that access to sensitive
information be restricted to authorized entities and that appropriate
data security services, including data integrity and data
confidentiality, are used to protect against eavesdropping.
Simple authentication (e.g., plain text passwords) mechanisms should
only be used when adequate data security services are in place. LDAP
offers reasonably strong authentication and data security services
[RFC4513].
5. IANA Considerations
The Internet Assigned Numbers Authority (IANA) has updated the LDAP
descriptors registry [RFC4520] as indicated in the following
template:
Subject: Request for LDAP Descriptor Registration Update
Descriptor (short name): see comment
Object Identifier: see comments
Person & email address to contact for further information:
Kurt Zeilenga <kurt@OpenLDAP.org>
Usage: see comments
Specification: RFC 4524
Author/Change Controller: IESG
Comments:
The following descriptors have been updated to refer to RFC 4524.
NAME Type OID
------------------------ ---- --------------------------
account O 0.9.2342.19200300.100.4.5
associatedDomain A 0.9.2342.19200300.100.1.37
associatedName A 0.9.2342.19200300.100.1.38
buildingName A 0.9.2342.19200300.100.1.48
co A 0.9.2342.19200300.100.1.43
document O 0.9.2342.19200300.100.4.6
documentAuthor A 0.9.2342.19200300.100.1.14
documentIdentifier A 0.9.2342.19200300.100.1.11
documentLocation A 0.9.2342.19200300.100.1.15
documentPublisher A 0.9.2342.19200300.100.1.56
documentSeries O 0.9.2342.19200300.100.4.8
documentTitle A 0.9.2342.19200300.100.1.12
documentVersion A 0.9.2342.19200300.100.1.13
domain O 0.9.2342.19200300.100.4.13
domainRelatedObject O 0.9.2342.19200300.100.4.17
drink A 0.9.2342.19200300.100.1.5
favouriteDrink A* 0.9.2342.19200300.100.1.5
friendlyCountry O 0.9.2342.19200300.100.4.18
Zeilenga Standards Track [Page 19]
RFC 4524 COSINE LDAP/X.500 Schema June 2006
friendlyCountryName A* 0.9.2342.19200300.100.1.43
homePhone A 0.9.2342.19200300.100.1.20
homePostalAddress A 0.9.2342.19200300.100.1.39
homeTelephone A* 0.9.2342.19200300.100.1.20
host A 0.9.2342.19200300.100.1.9
info A 0.9.2342.19200300.100.1.4
mail A 0.9.2342.19200300.100.1.3
manager A 0.9.2342.19200300.100.1.10
mobile A 0.9.2342.19200300.100.1.41
mobileTelephoneNumber A* 0.9.2342.19200300.100.1.41
organizationalStatus A 0.9.2342.19200300.100.1.45
pager A 0.9.2342.19200300.100.1.42
pagerTelephoneNumber A* 0.9.2342.19200300.100.1.42
personalTitle A 0.9.2342.19200300.100.1.40
rFC822LocalPart O 0.9.2342.19200300.100.4.14
rfc822Mailbox A* 0.9.2342.19200300.100.1.3
room O 0.9.2342.19200300.100.4.7
roomNumber A 0.9.2342.19200300.100.1.6
secretary A 0.9.2342.19200300.100.1.21
simpleSecurityObject O 0.9.2342.19200300.100.4.19
singleLevelQuality A 0.9.2342.19200300.100.1.50
uniqueIdentifier A 0.9.2342.19200300.100.1.44
userClass A 0.9.2342.19200300.100.1.8
where Type A is Attribute, Type O is ObjectClass, and *
indicates that the registration is historic in nature.
6. Acknowledgements
This document is based on RFC 1274, by Paul Barker and Steve Kille,
as well as on RFC 2247, by Steve Kill, Mark Wahl, Al Grimstad, Rick
Huber, and Sri Satulari.
7. References
7.1. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and
facilities", STD 13, RFC 1034, November 1987.
[RFC1123] Braden, R., "Requirements for Internet Hosts -
Application and Support", STD 3, RFC 1123, October
1989.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
Zeilenga Standards Track [Page 20]
RFC 4524 COSINE LDAP/X.500 Schema June 2006
[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
Specification", RFC 2181, July 1997.
[RFC2247] Kille, S., Wahl, M., Grimstad, A., Huber, R., and S.
Sataluri, "Using Domains in LDAP/X.500 Distinguished
Names", RFC 2247, January 1998.
[RFC2821] Klensin, J., Ed., "Simple Mail Transfer Protocol", RFC
2821, April 2001.
[RFC2822] Resnick, P., "Internet Message Format", RFC 2822, April
2001.
[RFC3490] Faltstrom, P., Hoffman, P., and A. Costello,
"Internationalizing Domain Names in Applications
(IDNA)", RFC 3490, March 2003.
[RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access
Protocol (LDAP): Technical Specification Road Map", RFC
4510, June 2006.
[RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
(LDAP): Directory Information Models", RFC 4512, June
2006.
[RFC4513] Harrison, R., "Lightweight Directory Access Protocol
(LDAP): Authentication Methods and Security
Mechanisms", RFC 4513, June 2006.
[RFC4517] Legg, S., Ed., "Lightweight Directory Access Protocol
(LDAP): Syntaxes and Matching Rules", RC 4517, June
2006.
[RFC4519] Sciberras, A., Ed., "Lightweight Directory Access
Protocol (LDAP): Schema for User Applications", RFC
4519, June 2006.
[X.501] International Telecommunication Union -
Telecommunication Standardization Sector, "The
Directory -- Models," X.501(1993) (also ISO/IEC 9594-
2:1994).
7.2. Informative References
[COSINEpilot] Goodman, D., "PARADISE" section of the March 1991
INTERNET MONTHLY REPORTS (p. 28-29),
http://www.iana.org/periodic-reports/imr-mar91.txt
Zeilenga Standards Track [Page 21]
RFC 4524 COSINE LDAP/X.500 Schema June 2006
[ISO3166] International Organization for Standardization, "Codes
for the representation of names of countries", ISO
3166.
[RFC1274] Barker, P. and S. Kille, "The COSINE and Internet X.500
Schema", RFC 1274, November 1991.
[RFC1279] Hardcastle-Kille, S., "X.500 and Domains", RFC 1279,
November 1991.
[RFC1487] Yeong, W., Howes, T., and S. Kille, "X.500 Lightweight
Directory Access Protocol", RFC 1487, July 1993.
[RFC2251] Wahl, M., Howes, T., and S. Kille, "Lightweight
Directory Access Protocol (v3)", RFC 2251, December
1997.
[RFC2798] Smith, M., "Definition of the inetOrgPerson LDAP Object
Class", RFC 2798, April 2000.
[RFC3494] Zeilenga, K., "Lightweight Directory Access Protocol
version 2 (LDAPv2) to Historic Status", RFC 3494, March
2003.
[RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority
(IANA) Considerations for the Lightweight Directory
Access Protocol (LDAP)", BCP 64, RFC 4520.
Zeilenga Standards Track [Page 22]
RFC 4524 COSINE LDAP/X.500 Schema June 2006
Appendix A. Changes since RFC 1274
This document represents a substantial rewrite of RFC 1274. The
following sections summarize the substantive changes.
A.1. LDAP Short Names
A number of COSINE attribute types have short names in LDAP.
X.500 Name LDAP Short Name
------------- ---------------
domainComponent dc
favoriteDrink drink
friendCountryName co
homeTelephoneNumber homePhone
mobileTelephoneNumber mobile
pagerTelephoneNumber pager
rfc822Mailbox mail
userid uid
While the LDAP short names are generally used in LDAP, some
implementations may (for legacy reasons [RFC3494]) recognize the
attribute type by its X.500 name. Hence, the X.500 names have been
reserved solely for this purpose.
Note: 'uid' and 'dc' are described in [RFC4519].
A.2. pilotObject
The 'pilotObject' object class was not brought forward as its
function is largely replaced by operational attributes introduced in
X.500(93) [X.501] and version 3 of LDAP [RFC4512]. For instance, the
function of the 'lastModifiedBy' and 'lastModifiedTime' attribute
types is now served by the 'creatorsName', 'createTimestamp',
'modifiersName', and 'modifyTimestamp' operational attributes
[RFC4512].
A.3. pilotPerson
The 'pilotPerson' object class was not brought forward as its
function is largely replaced by the 'organizationalPerson' [RFC4512]
object class and its subclasses, such as 'inetOrgPerson' [RFC2798].
Most of the related attribute types (e.g., 'mail', 'manager') were
brought forward as they are used in other object classes.
Zeilenga Standards Track [Page 23]
RFC 4524 COSINE LDAP/X.500 Schema June 2006
A.4. dNSDomain
The 'dNSDomain' object class and related attribute types were not
brought forward as its use is primarily experimental [RFC1279].
A.5. pilotDSA and qualityLabelledData
The 'pilotDSA' and 'qualityLabelledData' object classes, as well as
related attribute types, were not brought forward as its use is
primarily experimental [QoS].
A.6. Attribute Syntaxes
RFC 1274 defined and used caseIgnoreIA5StringSyntax attribute syntax.
This has been replaced with the IA5String syntax and appropriate
matching rules in 'mail' and 'associatedDomain'.
RFC 1274 restricted 'mail' to have non-zero length values. This
restriction is not reflected in the IA5String syntax used in the
definitions provided in this specification. However, as values are
to conform to the <Mailbox> production, the 'mail' should not contain
zero-length values. Unfortunately, the directory service will not
enforce this restriction.
Appendix B. Changes since RFC 2247
The 'domainNameForm' name form was not brought forward as
specification of name forms used in LDAP is left to a future
specification.
Editor's Address
Kurt D. Zeilenga
OpenLDAP Foundation
EMail: Kurt@OpenLDAP.org
Zeilenga Standards Track [Page 24]
RFC 4524 COSINE LDAP/X.500 Schema June 2006
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Zeilenga Standards Track [Page 25]
Copy Permalink