Network Working Group                                           M. Wahl
INTERNET-DRAFT                                       Critical Angle Inc.
Obsoletes: RFC 1778                                         A. Coulbeck
                                          Netscape Communications Corp.
Intended Category: Standards Track                     October 22, 1996

                  Lightweight Directory Access Protocol:
                Standard and Pilot Attribute Definitions
               <draft-ietf-asid-ldapv3-attributes-03.txt>

1. Status of this Memo

This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, and
its working groups. Note that other groups may also distribute working
documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."

To learn the current status of any Internet-Draft, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe),
ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

The Lightweight Directory Access Protocol (LDAP) [1] requires that the
contents of AttributeValue fields in protocol elements be octet
strings. This document defines the requirements that must be
satisfied by encoding rules used to render directory attribute
syntaxes into a form suitable for use in the LDAP, then goes on to
define the encoding rules for the standard set of attribute syntaxes
of [2], [3] and [4]. It also identifies all the attribute types, object
classes and matching rules for LDAP version 3.

Section 4 states the general requirements and notations for attribute
types, object classes, syntax and matching rule definitions.

The core definitions are given in section 5, those which are based on
X.500(1993) in section 6, and other optional definitions in section 7.

Wahl, Coulbeck, Howes & Kille                                   [Page 1]

INTERNET-DRAFT  LDAP Standard and Pilot Attributes          October 1996

The attribute types are described by sample values for the subschema
"attributeTypes" attribute, which is written in the
AttributeTypeDescription syntax. While lines have been folded for
readability, the values transferred in protocol would not contain
The AttributeTypeDescription is encoded according to the following BNF,
and the productions for <oid>, <DirectoryStrings> and <DirectoryString>
are given in section 4.2.1.
    <AttributeTypeDescription> ::= "("
        <oid>                            -- AttributeType identifier
        [ "NAME" <DirectoryStrings> ]    -- name used in AttributeType
        [ "DESC" <DirectoryString> ]
        [ "SUP" <oid> ]                  -- derived from this other AttributeType
        [ "EQUALITY" <oid> ]             -- Matching Rule name
        [ "ORDERING" <oid> ]             -- Matching Rule name
        [ "SUBSTR" <oid> ]               -- Matching Rule name
        [ "SYNTAX" <DirectoryString> ]   -- see section 4.2
        [ "SINGLE-VALUE" ]               -- default multi-valued
        [ "COLLECTIVE" ]                 -- default not collective
        [ "NO-USER-MODIFICATION" ]       -- default user modifiable
        [ "USAGE" <AttributeUsage> ]     -- default user applications

                       | "directoryOperation"
                       | "distributedOperation"   -- DSA-shared
                       | "dSAOperation"           -- DSA-specific, value depends on server

Servers are not required to provide the same or any text
in the description part of the subschema values they maintain.

Servers must implement all the attribute types in section 5.1, and
may also implement the types listed in sections 6.1 and 7.1. Servers must
be able to perform equality matching of values, but need not perform
any additional validity checks on attribute values.

Servers may recognize additional names and attributes not listed in this
document. Later documents may define additional types.

Servers may implement additional attribute types not listed in this
document, and if they do so, must publish the definitions of the types
in the attributeTypes attribute of their subschema subentries.

AttributeDescriptions may be used as the value in a NAME part of an
AttributeTypeDescription. Note that these are case insensitive.
This section defines general requirements for LDAP attribute value
syntax encodings. All documents defining attribute syntax encodings for
use with LDAP are expected to conform to these requirements.

The encoding rules defined for a given attribute syntax must produce
octet strings. To the greatest extent possible, encoded octet
strings should be usable in their native encoded form for display
purposes. In particular, encoding rules for attribute syntaxes
defining non-binary values should produce strings that can be
displayed with little or no translation by clients implementing
LDAP. There are a few cases (e.g. Audio) however, when it is not sensible
to produce a printable representation, and clients must not assume that
an unrecognized syntax is a string representation.

4.2.1. Common Encoding Aspects

In these encodings where an arbitrary string is used as part of a larger
production (other than a Distinguished Name), a backslash quoting mechanism
is used to encode the following separator symbol character (such as ''',
'$' or '#') if it should occur in that string. The backslash is followed
by a pair of hexadecimal digits representing the next character. A
backslash itself in the string which forms part of a larger syntax is
always transmitted as '\5C' or '\5c'.

For the purposes of defining the encoding rules for attribute syntaxes,
the following auxiliary BNF definitions will be used:

    <a> ::= 'a' | 'b' | 'c' | 'd' | 'e' | 'f' | 'g' | 'h' | 'i' |
            'j' | 'k' | 'l' | 'm' | 'n' | 'o' | 'p' | 'q' | 'r' |
            's' | 't' | 'u' | 'v' | 'w' | 'x' | 'y' | 'z' | 'A' |
            'B' | 'C' | 'D' | 'E' | 'F' | 'G' | 'H' | 'I' | 'J' |
            'K' | 'L' | 'M' | 'N' | 'O' | 'P' | 'Q' | 'R' | 'S' |
            'T' | 'U' | 'V' | 'W' | 'X' | 'Y' | 'Z'

    <d> ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9'

    <hex-digit> ::= <d> | 'a' | 'b' | 'c' | 'd' | 'e' | 'f' |
                    'A' | 'B' | 'C' | 'D' | 'E' | 'F'

    <k> ::= <a> | <d> | '-'

    <p> ::= <a> | <d> | ''' | '(' | ')' | '+' | ',' | '-' | '.' |
            '/' | ':' | '?' | ' '

    <letterstring> ::= <a> | <a> <letterstring>

    <numericstring> ::= <d> | <d> <numericstring>

    <keystring> ::= <a> | <a> <anhstring>

    <anhstring> ::= <k> | <k> <anhstring>
    <printablestring> ::= <p> | <p> <printablestring>

    <space> ::= ' ' | ' ' <space>

    <whsp> ::= <space> | empty

    <utf8> ::= any sequence of octets formed from the UTF-8 [11]
               transformation of a character from ISO 10646 [12]

    <dstring> ::= <utf8> | <utf8> <dstring>

    <DirectoryStrings> ::= <DirectoryString> | '(' <DirectoryStringList> ')'

    <DirectoryStringList> ::= <DirectoryStringList> <DirectoryString> | ""

    <DirectoryString> ::= ''' <dstring> '''

    <oids> ::= <oid> | '(' <oidlist> ')'

    <oidlist> ::= <oidlist> '$' <oid> | <oid>

    -- <oid> is defined in 5.2.1.15

4.2.2. Binary Transfer of Values

This encoding format is used if the binary encoding is requested by the
client for an attribute, or if the attribute syntax name is 'Binary'. The
value, an instance of the ASN.1 AttributeValue type, is BER-encoded,
subject to the restrictions of section 5.1 of [1], and this sequence of
octets is used as the value.
All servers must implement this form for both generating Search responses
and parsing Add, Compare and Modify requests. Clients must be prepared to
receive values in binary (e.g. userCertificate or audio), and must not
simply display binary or unrecognized values to users.

Names of syntaxes for use with LDAP are ASCII strings which begin with a
letter and contain only letters or digits. The names are case
insensitive. Historically, since syntaxes correspond to ASN.1 types,
they have been named starting with a capital letter. A suggested upper
bound on the number of characters in a value with a DirectoryString or
IA5String syntax, or on the number of bytes in a value for all other
syntaxes, may be indicated by appending this bound count inside curly
braces, e.g. "DirectoryString{64}". Note that a single character of the
DirectoryString may be encoded in more than one byte since UTF-8 is a
variable-length

Syntax names do not have global scope: two clients or servers may
know of different syntaxes with the same name.
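As an added example (not code from the draft), the following Python parses AttributeTypeDescription values written in the BNF above, reverses the section 4.2.1 backslash quoting inside quoted strings, splits a SYNTAX name from its {bound}, and applies the rule that a bound counts characters for DirectoryString and IA5String but octets for every other syntax. The sample values are copied from this draft's section 5.1 definitions; since the BNF spells the substring keyword SUBSTR while the sample values write SUBSTRINGS, both spellings are accepted.

```python
import re

# Sample subschema values constructed from this draft's own section 5.1
# definitions, unfolded onto one line each as they would travel in protocol.
SAMPLE_DESCRIPTIONS = [
    "( 2.5.4.5 NAME 'serialNumber' EQUALITY caseIgnoreMatch "
    "SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'PrintableString{64}' )",
    "( 2.5.18.1 NAME 'createTimestamp' EQUALITY generalizedTimeMatch "
    "ORDERING generalizedTimeOrderingMatch SYNTAX 'GeneralizedTime' "
    "SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
    "( 1.3.6.1.4.1.1466.101.120.3 NAME 'serverName' "
    "DESC 'This attribute\\27s value is the server\\27s Distinguished Name.' "
    "SYNTAX 'DN' USAGE dSAOperation )",
]

# Section 4.2.1 quoting: backslash + two hex digits stands for that octet.
_QUOTED_OCTET = re.compile(r"\\([0-9A-Fa-f]{2})")
# A token is a parenthesis, a quoted <DirectoryString>, or a bare word
# (an <oid>, a keyword, a matching rule name or a usage name).
_TOKEN = re.compile(r"\(|\)|'((?:[^'\\]|\\[0-9A-Fa-f]{2})*)'|[^\s()']+")
# Syntax name: a letter, then letters or digits, with an optional {bound}.
_SYNTAX = re.compile(r"^([A-Za-z][A-Za-z0-9]*)(?:\{(\d+)\})?$")
# Syntaxes whose bound counts characters; every other bound counts octets.
CHARACTER_BOUNDED = {"directorystring", "ia5string"}
FLAGS = {"SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}
# The BNF spells the keyword SUBSTR; the draft's sample values write SUBSTRINGS.
ONE_OID = {"SUP", "EQUALITY", "ORDERING", "SUBSTR", "SUBSTRINGS"}


def unquote(s: str) -> str:
    """Replace each \\XX by octet XX, then decode the octets as UTF-8."""
    out, pos = bytearray(), 0
    for m in _QUOTED_OCTET.finditer(s):
        out += s[pos:m.start()].encode("utf-8")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += s[pos:].encode("utf-8")
    return out.decode("utf-8")


def parse_syntax(s: str):
    """'DirectoryString{64}' -> ('DirectoryString', 64); the bound may be None."""
    m = _SYNTAX.match(s)
    if not m:
        raise ValueError(f"malformed syntax name {s!r}")
    return m.group(1), (int(m.group(2)) if m.group(2) else None)


def exceeds_bound(syntax: str, bound, value: bytes) -> bool:
    """Apply the suggested bound: characters for DirectoryString/IA5String
    (UTF-8 is variable-length), octets for all other syntaxes."""
    if bound is None:
        return False
    if syntax.lower() in CHARACTER_BOUNDED:
        return len(value.decode("utf-8")) > bound
    return len(value) > bound


def _expect(body, i, kind):
    if i >= len(body) or body[i][0] != kind:
        raise ValueError(f"expected a {kind} token at position {i}")
    return body[i][1]


def parse_attribute_type(text: str) -> dict:
    """Parse one AttributeTypeDescription value into a dict of its parts;
    absent flags are simply missing from the dict, USAGE defaults as in the BNF."""
    tokens = [("str", unquote(m.group(1))) if m.group(1) is not None
              else ("word", m.group(0)) for m in _TOKEN.finditer(text)]
    if len(tokens) < 3 or tokens[0] != ("word", "(") or tokens[-1] != ("word", ")"):
        raise ValueError("description must be '(' ... ')'")
    body = tokens[1:-1]
    at = {"oid": _expect(body, 0, "word"), "names": [], "usage": "userApplications"}
    i = 1
    while i < len(body):
        kind, tok = body[i]
        if kind != "word":
            raise ValueError(f"unexpected quoted string {tok!r}")
        key = tok.upper()
        if key in FLAGS:
            at[key.lower().replace("-", "_")] = True
            i += 1
        elif key == "NAME" and body[i + 1:i + 2] == [("word", "(")]:
            j = i + 2                      # NAME ( 'name' 'name' ... )
            while j < len(body) and body[j] != ("word", ")"):
                at["names"].append(_expect(body, j, "str")); j += 1
            _expect(body, j, "word")       # the closing ')'
            i = j + 1
        elif key == "NAME":
            at["names"].append(_expect(body, i + 1, "str")); i += 2
        elif key == "DESC":
            at["desc"] = _expect(body, i + 1, "str"); i += 2
        elif key == "SYNTAX":
            at["syntax"], at["bound"] = parse_syntax(_expect(body, i + 1, "str")); i += 2
        elif key == "USAGE":
            at["usage"] = _expect(body, i + 1, "word"); i += 2
        elif key in ONE_OID:
            field = "substr" if key.startswith("SUBSTR") else key.lower()
            at[field] = _expect(body, i + 1, "word"); i += 2
        else:
            raise ValueError(f"unknown keyword {tok!r}")
    return at
```

A server that enforces the bound must count characters, not octets, for DirectoryString values, or it will reject legal multi-byte names that fit the advertised limit.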
The definition of additional arbitrary syntaxes is strongly deprecated
since it will hinder interoperability: today's client and server
implementations generally do not have the ability to dynamically recognize
new syntaxes. In most cases attributes will be defined with the
DirectoryString syntax.

The following syntax names are used for attributes in this document.
Servers are only required to implement the syntaxes in section 5.2.
    AttributeTypeDescription        Audio
    Certificate                     CertificateList
    CertificatePair                 DataQualitySyntax
    DeliveryMethod                  DirectoryString
    DITContentRuleDescription       DN
    DSAQualitySyntax                DSEType
    EnhancedGuide                   FacsimileTelephoneNumber
    MailPreference                  MasterAndShadowAccessPoints
    MatchingRuleDescription         MatchingRuleUseDescription
    ModifyRight                     NameAndOptionalUID
    NameFormDescription             NumericString
    ObjectClassDescription          OID
    OtherMailbox                    Password
    PostalAddress                   PresentationAddress
    PrintableString                 ProtocolInformation
    SubtreeSpecification            SupplierAndConsumers
    SupplierInformation             SupplierOrConsumer
    TelephoneNumber                 TeletexTerminalIdentifier
These are described as sample values for the subschema "objectClasses"
attribute for a server which implements the LDAP schema.
While lines have been folded for readability, the values transferred in
protocol would not contain newlines.

Object class descriptions are written according to the following BNF:

    <ObjectClassDescription> ::= "("
        <oid>                                          -- ObjectClass identifier
        [ "NAME" <DirectoryStrings> ]
        [ "DESC" <DirectoryString> ]
        [ "SUP" <oids> ]                               -- Superior ObjectClasses
        [ ( "ABSTRACT" | "STRUCTURAL" | "AUXILIARY" ) ] -- default structural
        [ "MUST" <oids> ]                              -- AttributeTypes
        [ "MAY" <oids> ]                               -- AttributeTypes
Servers must implement all the object classes in section 5.3:

    applicationEntity               applicationProcess
    certificationAuthority          country
    documentSeries                  domain
    domainRelatedObject             friendlyCountry
    groupOfNames                    groupOfUniqueNames
    locality                        newPilotPerson
    organization                    organizationalPerson
    organizationalRole              organizationalUnit
    pilotObject                     pilotOrganization
    qualityLabelledData             rFC822localPart
    residentialPerson               room
    simpleSecurityObject            strongAuthenticationUser

and may also implement the object classes of 6.3 and 7.3.

Servers may implement additional object classes not listed in this
document, and if they do so, must publish the definitions of the classes
in the objectClasses attribute of their subschema subentries. Later
documents may define additional object classes.

Matching rules are used by servers to compare attribute values against
assertion values when performing Search and Compare operations.

Most of the attributes given in this document will have an equality
matching rule defined.

Matching rule descriptions are written according to the following BNF:

    <MatchingRuleDescription> ::= "("
        <oid>                            -- MatchingRule identifier
        [ "NAME" <DirectoryStrings> ]
        [ "DESC" <DirectoryString> ]
        "SYNTAX" <DirectoryString>

Servers must implement all the matching rules in section 5.4:

    bitStringMatch                  caseExactIA5Match
    caseIgnoreIA5Match              caseIgnoreListMatch
    caseIgnoreMatch                 distinguishedNameMatch
    generalizedTimeMatch            integerMatch
    numericStringMatch              objectIdentifierMatch
    octetStringMatch                telephoneNumberMatch

and may also implement the matching rules of 6.4 and 7.4.
Servers may implement additional matching rules not listed in this
document, and if they do so, must publish the definitions of the
matching rules in the matchingRules attribute of their
subschema subentries.

5. Mandatory Definitions

Section 5 contains definitions which must be implemented by all servers.

Servers must recognize all the attributes of this section (5.1.1 - 5.1.5).

5.1.1. Standard User Attributes

The attributes listed in this section are those defined in X.520(1993),
likely to be present in user entries. Servers must recognize all the
attributes of this section. The semantics of attributes 2.5.4.0 through
2.5.4.40 are summarized in RFC 1274.

    ( 2.5.4.0 NAME 'objectClass' EQUALITY objectIdentifierMatch SYNTAX 'OID' )

    ( 2.5.4.1 NAME 'aliasedObjectName' EQUALITY distinguishedNameMatch
      SYNTAX 'DN' SINGLE-VALUE )

    ( 2.5.4.2 NAME 'knowledgeInformation' EQUALITY caseIgnoreMatch
      SYNTAX 'DirectoryString{32768}' )

    ( 2.5.4.3 NAME 'cn' SUP name )

    ( 2.5.4.4 NAME 'sn' SUP name )

    ( 2.5.4.5 NAME 'serialNumber' EQUALITY caseIgnoreMatch
      SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'PrintableString{64}' )

    ( 2.5.4.6 NAME 'c' SUP name SINGLE-VALUE )

    ( 2.5.4.7 NAME 'l' SUP name )

    ( 2.5.4.8 NAME 'st' SUP name )

    ( 2.5.4.9 NAME 'street' EQUALITY caseIgnoreMatch
      SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{128}' )

    ( 2.5.4.10 NAME 'o' SUP name )

    ( 2.5.4.11 NAME 'ou' SUP name )

    ( 2.5.4.12 NAME 'title' SUP name )

    ( 2.5.4.13 NAME 'description' EQUALITY caseIgnoreMatch
      SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{1024}' )
    ( 2.5.4.14 NAME 'searchGuide' SYNTAX 'Guide' )

    ( 2.5.4.15 NAME 'businessCategory' EQUALITY caseIgnoreMatch
      SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{128}' )

    ( 2.5.4.16 NAME 'postalAddress' EQUALITY caseIgnoreListMatch
      SUBSTRINGS caseIgnoreListSubstringsMatch SYNTAX 'PostalAddress' )

    ( 2.5.4.17 NAME 'postalCode' EQUALITY caseIgnoreMatch
      SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{40}' )

    ( 2.5.4.18 NAME 'postOfficeBox' EQUALITY caseIgnoreMatch
      SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{40}' )

    ( 2.5.4.19 NAME 'physicalDeliveryOfficeName' EQUALITY caseIgnoreMatch
      SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{128}' )

    ( 2.5.4.20 NAME 'telephoneNumber' EQUALITY telephoneNumberMatch
      SUBSTRINGS telephoneNumberSubstringsMatch SYNTAX 'TelephoneNumber{32}' )

    ( 2.5.4.21 NAME 'telexNumber' SYNTAX 'TelexNumber' )

    ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
      SYNTAX 'TeletexTerminalIdentifier' )

    ( 2.5.4.23 NAME 'facsimileTelephoneNumber'
      SYNTAX 'FacsimileTelephoneNumber' )

    ( 2.5.4.24 NAME 'x121Address' EQUALITY numericStringMatch
      SUBSTRINGS numericStringSubstringsMatch SYNTAX 'NumericString{15}' )

    ( 2.5.4.25 NAME 'internationaliSDNNumber' EQUALITY numericStringMatch
      SUBSTRINGS numericStringSubstringsMatch SYNTAX 'NumericString{16}' )

    ( 2.5.4.26 NAME 'registeredAddress' SUP postalAddress
      SYNTAX 'PostalAddress' )

    ( 2.5.4.27 NAME 'destinationIndicator' EQUALITY caseIgnoreMatch
      SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'PrintableString{128}' )

    ( 2.5.4.28 NAME 'preferredDeliveryMethod' SYNTAX 'DeliveryMethod'

    ( 2.5.4.29 NAME 'presentationAddress' EQUALITY presentationAddressMatch
      SYNTAX 'PresentationAddress' SINGLE-VALUE )

    ( 2.5.4.30 NAME 'supportedApplicationContext'
      EQUALITY objectIdentifierMatch SYNTAX 'OID' )

    ( 2.5.4.31 NAME 'member' SUP distinguishedName )

    ( 2.5.4.32 NAME 'owner' SUP distinguishedName )
    ( 2.5.4.33 NAME 'roleOccupant' SUP distinguishedName )

    ( 2.5.4.34 NAME 'seeAlso' SUP distinguishedName )

    ( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch
      SYNTAX 'Password{128}' )

    ( 2.5.4.36 NAME 'userCertificate' SYNTAX 'Certificate' )

    ( 2.5.4.37 NAME 'cACertificate' SYNTAX 'Certificate' )

    ( 2.5.4.38 NAME 'authorityRevocationList' SYNTAX 'CertificateList' )

    ( 2.5.4.39 NAME 'certificateRevocationList' SYNTAX 'CertificateList' )

    ( 2.5.4.40 NAME 'crossCertificatePair' SYNTAX 'CertificatePair' )

    ( 2.5.4.41 NAME 'name'
      DESC 'The name attribute type is the attribute supertype from which
      string attribute types typically used for naming may be formed.'
      EQUALITY caseIgnoreMatch
      SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{32768}' )

    ( 2.5.4.42 NAME 'givenName' SUP name )

    ( 2.5.4.43 NAME 'initials'
      DESC 'The initials attribute type contains the initials of some or all
      of an individuals names, but not the surname(s).'

    ( 2.5.4.44 NAME 'generationQualifier'
      DESC 'e.g. Jr or II.'

    ( 2.5.4.45 NAME 'x500UniqueIdentifier'
      DESC 'used to distinguish between objects when a distinguished name has
      EQUALITY bitStringMatch SYNTAX 'BitString' )

    ( 2.5.4.46 NAME 'dnQualifier'
      DESC 'The dnQualifier attribute type specifies disambiguating
      information to add to the relative distinguished name of an
      entry. It is intended to be used for entries held in multiple
      DSAs which would otherwise have the same name, and that its
      value be the same in a given DSA for all entries to which this
      information has been added.'
      EQUALITY caseIgnoreMatch
      ORDERING caseIgnoreOrderingMatch SUBSTRINGS caseIgnoreSubstringsMatch
      SYNTAX 'PrintableString' )

    ( 2.5.4.47 NAME 'enhancedSearchGuide' SYNTAX 'EnhancedGuide' )
    ( 2.5.4.48 NAME 'protocolInformation' EQUALITY protocolInformationMatch
      SYNTAX 'ProtocolInformation' )

    ( 2.5.4.49 NAME 'distinguishedName'
      DESC 'This is not the name of the object itself, but a base type
      from which attributes with DN syntax inherit.'
      EQUALITY distinguishedNameMatch

    ( 2.5.4.50 NAME 'uniqueMember' EQUALITY uniqueMemberMatch
      SYNTAX 'NameAndOptionalUID' )

    ( 2.5.4.51 NAME 'houseIdentifier' EQUALITY caseIgnoreMatch
      SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{32768}' )

5.1.2. Pilot User Attributes

These attributes are defined in RFC 1274. Servers must recognize all the
attributes of this section.

    ( 0.9.2342.19200300.100.1.1 NAME 'uid' EQUALITY caseIgnoreMatch
      SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{256}' )

    ( 0.9.2342.19200300.100.1.2 NAME 'textEncodedORaddress'
      EQUALITY caseIgnoreMatch SUBSTRINGS caseIgnoreSubstringsMatch
      SYNTAX 'DirectoryString{256}' )

    ( 0.9.2342.19200300.100.1.3 NAME 'mail' EQUALITY caseIgnoreIA5Match
      SUBSTRINGS caseIgnoreIA5SubstringsMatch SYNTAX 'IA5String{256}' )

    ( 0.9.2342.19200300.100.1.4 NAME 'info' EQUALITY caseIgnoreMatch
      SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{2048}' )

    ( 0.9.2342.19200300.100.1.5 NAME 'drink' EQUALITY caseIgnoreMatch
      SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{256}' )

    ( 0.9.2342.19200300.100.1.6 NAME 'roomNumber' EQUALITY caseIgnoreMatch
      SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{256}' )

    ( 0.9.2342.19200300.100.1.7 NAME 'photo' SYNTAX 'Fax{250000}' )

    ( 0.9.2342.19200300.100.1.8 NAME 'userClass' EQUALITY caseIgnoreMatch
      SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{256}' )

    ( 0.9.2342.19200300.100.1.9 NAME 'host' EQUALITY caseIgnoreMatch
      SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{256}' )

    ( 0.9.2342.19200300.100.1.10 NAME 'manager'
      EQUALITY distinguishedNameMatch SYNTAX 'DN' )

    ( 0.9.2342.19200300.100.1.11 NAME 'documentIdentifier'
      EQUALITY caseIgnoreMatch SUBSTRINGS caseIgnoreSubstringsMatch
      SYNTAX 'DirectoryString{256}' )
    ( 0.9.2342.19200300.100.1.12 NAME 'documentTitle' EQUALITY caseIgnoreMatch
      SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString{256}' )

    ( 0.9.2342.19200300.100.1.13 NAME 'documentVersion'
      EQUALITY caseIgnoreMatch SUBSTRINGS caseIgnoreSubstringsMatch
      SYNTAX 'DirectoryString{256}' )

    ( 0.9.2342.19200300.100.1.14 NAME 'documentAuthor'
      EQUALITY distinguishedNameMatch SYNTAX 'DN' )

    ( 0.9.2342.19200300.100.1.15 NAME 'documentLocation'
      EQUALITY caseIgnoreMatch SUBSTRINGS caseIgnoreSubstringsMatch
      SYNTAX 'DirectoryString{256}' )

    ( 0.9.2342.19200300.100.1.20 NAME 'homePhone' EQUALITY telephoneNumberMatch
      SUBSTRINGS telephoneNumberSubstringsMatch SYNTAX 'TelephoneNumber{32}' )

    ( 0.9.2342.19200300.100.1.21 NAME 'secretary'
      EQUALITY distinguishedNameMatch SYNTAX 'DN' )

    ( 0.9.2342.19200300.100.1.22 NAME 'otherMailbox' SYNTAX 'OtherMailbox' )

    ( 0.9.2342.19200300.100.1.25 NAME 'dc' EQUALITY caseIgnoreIA5Match
      SUBSTRINGS caseIgnoreIA5SubstringsMatch SYNTAX 'IA5String' )

    ( 0.9.2342.19200300.100.1.26 NAME 'dNSRecord'
      EQUALITY caseExactIA5Match SYNTAX 'IA5String' )

    ( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain'
      EQUALITY caseIgnoreIA5Match SUBSTRINGS caseIgnoreIA5SubstringsMatch

    ( 0.9.2342.19200300.100.1.38 NAME 'associatedName'
      EQUALITY distinguishedNameMatch SYNTAX 'DN' )

    ( 0.9.2342.19200300.100.1.39 NAME 'homePostalAddress'
      EQUALITY caseIgnoreListMatch
      SUBSTRINGS caseIgnoreListSubstringsMatch SYNTAX 'PostalAddress' )

    ( 0.9.2342.19200300.100.1.40 NAME 'personalTitle'
      EQUALITY caseIgnoreMatch SUBSTRINGS caseIgnoreSubstringsMatch
      SYNTAX 'DirectoryString' )

    ( 0.9.2342.19200300.100.1.41 NAME 'mobile' EQUALITY telephoneNumberMatch
      SUBSTRINGS telephoneNumberSubstringsMatch SYNTAX 'TelephoneNumber{32}' )

    ( 0.9.2342.19200300.100.1.42 NAME 'pager' EQUALITY telephoneNumberMatch
      SUBSTRINGS telephoneNumberSubstringsMatch SYNTAX 'TelephoneNumber{32}' )

    ( 0.9.2342.19200300.100.1.43 NAME 'co' EQUALITY caseIgnoreMatch
      SUBSTRINGS caseIgnoreSubstringsMatch SYNTAX 'DirectoryString' )
    ( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier'
      EQUALITY caseIgnoreMatch SUBSTRINGS caseIgnoreSubstringsMatch
      SYNTAX 'DirectoryString' )

    ( 0.9.2342.19200300.100.1.45 NAME 'organizationalStatus'
      EQUALITY caseIgnoreMatch SUBSTRINGS caseIgnoreSubstringsMatch
      SYNTAX 'DirectoryString{256}' )

    ( 0.9.2342.19200300.100.1.46 NAME 'janetMailbox'
      EQUALITY caseIgnoreIA5Match SUBSTRINGS caseIgnoreIA5SubstringsMatch
      SYNTAX 'IA5String{256}' )

    ( 0.9.2342.19200300.100.1.47 NAME 'mailPreferenceOption'
      SYNTAX 'INTEGER' SINGLE-VALUE )

    ( 0.9.2342.19200300.100.1.48 NAME 'buildingName'
      EQUALITY caseIgnoreMatch SUBSTRINGS caseIgnoreSubstringsMatch
      SYNTAX 'DirectoryString{256}' )

    ( 0.9.2342.19200300.100.1.49 NAME 'dSAQuality'
      SYNTAX 'DSAQualitySyntax' SINGLE-VALUE )

    ( 0.9.2342.19200300.100.1.50 NAME 'singleLevelQuality'
      SYNTAX 'DataQualitySyntax' SINGLE-VALUE )

    ( 0.9.2342.19200300.100.1.51 NAME 'subtreeMinimumQuality'
      SYNTAX 'DataQualitySyntax' SINGLE-VALUE )

    ( 0.9.2342.19200300.100.1.52 NAME 'subtreeMaximumQuality'
      SYNTAX 'DataQualitySyntax' SINGLE-VALUE )

    ( 0.9.2342.19200300.100.1.53 NAME 'personalSignature'
      SYNTAX 'Fax{50000}' )

    ( 0.9.2342.19200300.100.1.54 NAME 'dITRedirect'
      EQUALITY distinguishedNameMatch SYNTAX 'DN' )

    ( 0.9.2342.19200300.100.1.55 NAME 'audio' SYNTAX 'Audio{250000}' )

    ( 0.9.2342.19200300.100.1.56 NAME 'documentPublisher'
      EQUALITY caseIgnoreMatch SUBSTRINGS caseIgnoreSubstringsMatch
      SYNTAX 'DirectoryString' )

    ( 0.9.2342.19200300.100.1.60 NAME 'jpegPhoto' SYNTAX 'JPEG' )
5.1.3. Standard Operational Attributes

All servers must recognize the attribute types defined in this

    ( 2.5.18.1 NAME 'createTimestamp' EQUALITY generalizedTimeMatch
      ORDERING generalizedTimeOrderingMatch SYNTAX 'GeneralizedTime'
      SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )

    ( 2.5.18.2 NAME 'modifyTimestamp' EQUALITY generalizedTimeMatch
      ORDERING generalizedTimeOrderingMatch SYNTAX 'GeneralizedTime'
      SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )

    ( 2.5.18.3 NAME 'creatorsName' EQUALITY distinguishedNameMatch SYNTAX 'DN'
      SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )

    ( 2.5.18.4 NAME 'modifiersName' EQUALITY distinguishedNameMatch SYNTAX 'DN'
      SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )

    ( 2.5.18.10 NAME 'subschemaSubentry'
      DESC 'The value of this attribute is the name of a subschema subentry,
      an entry in which the server makes available attributes specifying
      EQUALITY distinguishedNameMatch SYNTAX 'DN' NO-USER-MODIFICATION
      SINGLE-VALUE USAGE directoryOperation )

    ( 2.5.21.5 NAME 'attributeTypes'
      EQUALITY objectIdentifierFirstComponentMatch
      SYNTAX 'AttributeTypeDescription' USAGE directoryOperation )

    ( 2.5.21.6 NAME 'objectClasses'
      EQUALITY objectIdentifierFirstComponentMatch
      SYNTAX 'ObjectClassDescription' USAGE directoryOperation )

5.1.4. LDAP Operational Attributes

All servers must recognize the attribute types defined in this section.
(Of course, it is not required that the server provide values for these
attributes, when the attribute corresponds to a feature which the server

    ( 1.3.6.1.4.1.1466.101.120.1 NAME 'administratorsAddress'
      DESC 'This attribute\27s values are strings containing the addresses of
      the LDAP server\27s human administrator. This information may
      be of use when tracking down problems in an Internet distributed
      directory. For simplicity the syntax of the values are limited to
      being URLs of the mailto form with an RFC 822 address:
      "mailto:user@domain". Future versions of this protocol may permit
      other forms of addresses.'
      SYNTAX 'IA5String' USAGE dSAOperation )
    ( 1.3.6.1.4.1.1466.101.120.2 NAME 'currentTime'
      DESC 'This attribute has a single value, a string containing a
      GeneralizedTime character string. This attribute need only
      be present if the server supports LDAP strong or protected
      simple authentication. Otherwise if the server does not know
      the current time, or does not choose to present it to clients,
      this attribute need not be present. The client may wish to
      use this value to detect whether a strong or protected bind
      is failing because the client and server clocks are not
      sufficiently synchronized. Clients must not use this time
      field for setting their own system clock.'
      SYNTAX 'GeneralizedTime' SINGLE-VALUE USAGE dSAOperation )

    ( 1.3.6.1.4.1.1466.101.120.3 NAME 'serverName'
      DESC 'This attribute\27s value is the server\27s Distinguished Name.
      If the server does not have a Distinguished Name it will not
      be able to accept X.509-style strong authentication, and this
      attribute must be absent. However the presence of this
      attribute does not guarantee that the server will be able to
      perform strong authentication. If the server acts as a
      gateway to more than one X.500 DSA capable of strong
      authentication, there may be multiple values of this
      attribute, one per DSA. (Note: this attribute is distinct
      from myAccessPoint, for it is not required that a server
      have a presentation address in order to perform strong
      authentication.) (Note: it is likely that clients will
      retrieve this attribute in binary.)'
      SYNTAX 'DN' USAGE dSAOperation )

    ( 1.3.6.1.4.1.1466.101.120.4 NAME 'certificationPath'
      DESC 'This attribute contains a binary DER encoding of an
      AF.CertificatePath data type, which is the certificate
      path for a server. If the server does not have a certificate
      path this attribute must be absent. (Note: this attribute
      may only be retrieved in binary.)'
      SYNTAX 'CertificatePath' USAGE dSAOperation )

    ( 1.3.6.1.4.1.1466.101.120.5 NAME 'namingContexts'
      DESC 'The values of this attribute correspond to naming contexts
      which this server masters or shadows. If the server does
      not master any information (e.g. it is an LDAP gateway to a
      public X.500 directory) this attribute must be absent. If
      the server believes it contains the entire directory, the
      attribute must have a single value, and that value must
      be the empty string (indicating the null DN of the root).
      This attribute will allow clients to choose suitable base
      objects for searching when it has contacted a server.'
      SYNTAX 'DN' USAGE dSAOperation )
    ( 1.3.6.1.4.1.1466.101.120.6 NAME 'altServer'
      DESC 'The values of this attribute are URLs of other servers which
      may be contacted when this server becomes unavailable. If
      the server does not know of any other servers which could be
      used this attribute must be absent. Clients may cache this
      information in case their preferred LDAP server later becomes
      SYNTAX 'IA5String' USAGE dSAOperation )

    ( 1.3.6.1.4.1.1466.101.120.7 NAME 'supportedExtension'
      DESC 'The values of this attribute are OBJECT IDENTIFIERs,
      the names of supported extended operations
      which the server supports. If the server does not support
      any extensions this attribute must be absent.'
      SYNTAX 'OID' USAGE dSAOperation )

    ( 1.3.6.1.4.1.1466.101.120.13 NAME 'supportedControl'
      DESC 'The values of this attribute are the names of supported session
      controls which the server supports. If the server does not
      support any controls this attribute must be absent.'
      SYNTAX 'LDAPString' USAGE dSAOperation )

    ( 1.3.6.1.4.1.1466.101.120.14 NAME 'supportedSASLMechanisms'
      DESC 'The values of this attribute are the names of supported SASL
      mechanisms which the server supports. If the server does not
      support any mechanisms this attribute must be absent.'
      SYNTAX 'LDAPString' USAGE dSAOperation )

    ( 1.3.6.1.4.1.1466.101.120.8 NAME 'entryName'
      SYNTAX 'DN' SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )

    ( 1.3.6.1.4.1.1466.101.120.9 NAME 'modifyRights'
      SYNTAX 'ModifyRight' NO-USER-MODIFICATION USAGE dSAOperation )

    ( 1.3.6.1.4.1.1466.101.120.10 NAME 'incompleteEntry'
      SYNTAX 'BOOLEAN' NO-USER-MODIFICATION USAGE dSAOperation )

    ( 1.3.6.1.4.1.1466.101.120.11 NAME 'fromEntry'
      SYNTAX 'BOOLEAN' NO-USER-MODIFICATION USAGE dSAOperation )

5.1.5. LDAP User Attributes

The following attributes may be of use in naming entries, or as
descriptive attributes in entries.

    ( 1.3.6.1.4.1.1466.101.121.1 NAME 'url'
      DESC 'Uniform Resource Locator'
      EQUALITY caseExactIA5Match SYNTAX 'IA5String' )

Note that the associatedDomain attribute may be used to hold a DNS name.
875 5.2.1. Standard User Syntaxes
877 Servers must recognize all the syntaxes described in this section.
881 The encoding of a value with BitString syntax is according to the
<bitstring> ::= ''' <binary-digits> '''B
886 <binary-digits> ::= '0' <binary-digits> | '1' <binary-digits> |
890 5.2.1.2. PrintableString
892 The encoding of a value with PrintableString syntax is the string
893 value itself. PrintableString is limited to the characters in
894 production <p> of section 4.1.
896 5.2.1.3. DirectoryString
898 A string with DirectoryString syntax is encoded in the UTF-8 form of
899 ISO 10646 (a superset of Unicode). Servers and clients must be prepared to
900 receive arbitrary Unicode characters in values.
902 For characters in the PrintableString form, the value is encoded as the
905 If it is of the TeletexString form, then the characters are transliterated
906 to their equivalents in UniversalString, and encoded in UTF-8 [11].
908 If it is of the UniversalString or BMPString forms [12], UTF-8 is used to
911 Note: the form of DirectoryString is not indicated in protocol unless the
912 attribute value is carried in binary. Servers which convert to DAP must
913 choose an appropriate form. Servers must not reject values merely because
914 they contain legal Unicode characters outside of the range of printable
919 Because of the changes from X.509(1988) and X.509(1993) and additional
920 changes to the ASN.1 definition to support certificate extensions, no
921 string representation is defined, and values with Certificate syntax
922 must only be transferred using the binary encoding, by requesting or
923 returning the attributes with descriptions "userCertificate;binary" or
924 "caCertificate;binary". The BNF notation in RFC 1778 for
925 "User Certificate" is not recommended to be used.
931 5.2.1.5. CertificateList
933 Because of the incompatibility of the X.509(1988) and X.509(1993)
934 definitions of revocation lists, values with CertificateList syntax
935 must only be transferred using a binary encoding, by requesting or
936 returning the attributes with descriptions
937 "certificateRevocationList;binary" or "authorityRevocationList;binary".
938 The BNF notation in RFC 1778 for "Authority Revocation List" is not
939 recommended to be used.
941 5.2.1.6. CertificatePair
943 Because the Certificate is being carried in binary, values with
944 CertificatePair syntax must only be transferred using a binary encoding,
945 by requesting or returning the attribute description
946 "crossCertificatePair;binary". The BNF notation in RFC 1778 for
947 "Certificate Pair" is not recommended to be used.
949 5.2.1.7. CountryString
951 A value of CountryString syntax is encoded the same as a value of
952 DirectoryString syntax. Note that this syntax is limited to values of
953 exactly two printable string characters.
955 <CountryString> ::= <p> <p>
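Validators for the string syntaxes defined so far in this section (BitString, PrintableString, DirectoryString and CountryString), as an added example rather than code from the draft. The draft's production <p> (section 4.1) is not reproduced on this page; the character set below is assumed from the published RFC 2252 <p> production, and the "form" chooser is a simplification of the four DirectoryString forms the text describes.

```python
import re

# Assumed <p> character set (RFC 2252 section 4.1): letters, digits, the
# punctuation ' ( ) + , - . / : ? and space.  The draft's own section 4.1
# is not reproduced here.
_PRINTABLE = re.compile(r"[A-Za-z0-9'()+,\-./:? ]*")
# <bitstring> ::= ''' <binary-digits> '''B   e.g. '0101'B
_BITSTRING = re.compile(r"'[01]*'B")


def is_printable_string(value: str) -> bool:
    """True if every character is in <p>; such values are sent as-is."""
    return _PRINTABLE.fullmatch(value) is not None


def is_bitstring(value: str) -> bool:
    return _BITSTRING.fullmatch(value) is not None


def is_country_string(value: str) -> bool:
    """CountryString is exactly two <p> characters, e.g. 'US'."""
    return len(value) == 2 and is_printable_string(value)


def decode_directory_string(raw: bytes) -> str:
    """Decode a DirectoryString received on the wire.

    UTF-8 is mandatory and any Unicode character is legal, but malformed
    byte sequences are not: strict decoding rejects overlong encodings,
    lone surrogates and truncated sequences instead of guessing, so later
    code sees exactly the value that was sent.
    """
    return raw.decode("utf-8", errors="strict")


def is_valid_directory_string(raw: bytes) -> bool:
    try:
        decode_directory_string(raw)
        return True
    except UnicodeDecodeError:
        return False


def encode_directory_string(value: str) -> bytes:
    """Encode any Unicode string as UTF-8; characters outside <p> are legal."""
    return value.encode("utf-8", errors="strict")


def directory_string_form(value: str) -> str:
    """Form a DAP gateway could choose for the value: PrintableString when
    every character is in <p>, otherwise UniversalString (simplification:
    the draft also allows the TeletexString and BMPString forms)."""
    return "PrintableString" if is_printable_string(value) else "UniversalString"
```

Rejecting malformed UTF-8 at the boundary is the check a server wants before a value reaches matching rules or access-control evaluation, since two different byte strings that decode leniently to the same text would otherwise compare equal.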
959 Values with DN (Distinguished Name) syntax are encoded to have the
960 representation defined in [5]. Note that this representation is not
961 reversible to the original ASN.1 encoding as the CHOICE of any
962 DirectoryString element in an RDN is no longer known.
964 5.2.1.9. DeliveryMethod
966 Values with DeliveryMethod syntax are encoded according to the
969 <delivery-value> ::= <pdm> | <pdm> '$' <delivery-value>
971 <pdm> ::= 'any' | 'mhs' | 'physical' | 'telex' | 'teletex' |
972 'g3fax' | 'g4fax' | 'ia5' | 'videotex' | 'telephone'
974 5.2.1.10. EnhancedGuide
976 Values with the EnhancedGuide syntax are encoded according to the
979 <EnhancedGuide> ::= <objectclass> '#' <criteria> '#' <subset>
981 <subset> ::= "baseobject" | "oneLevel" | "wholeSubtree"
989 The <criteria> production is defined in the Guide syntax below.
990 This syntax has been added subsequent to RFC 1778.
992 5.2.1.11. FacsimileTelephoneNumber
994 Values with the FacsimileTelephoneNumber syntax are encoded according
995 to the following BNF:
997 <fax-number> ::= <printablestring> [ '$' <faxparameters> ]
999 <faxparameters> ::= <faxparm> | <faxparm> '$' <faxparameters>
1001 <faxparm> ::= 'twoDimensional' | 'fineResolution' | 'unlimitedLength' |
1002 'b4Length' | 'a3Width' | 'b4Width' | 'uncompressed'
1004 In the above, the first <printablestring> is the actual fax number,
1005 and the <faxparm> tokens represent fax parameters.
1009 Values with the Guide syntax are encoded according to the following
1012 <guide-value> ::= [ <object-class> '#' ] <criteria>
1014 <object-class> ::= an encoded value with OID syntax
1016 <criteria> ::= <criteria-item> | <criteria-set> | '!' <criteria>
1018 <criteria-set> ::= [ '(' ] <criteria> '&' <criteria-set> [ ')' ] |
1019 [ '(' ] <criteria> '|' <criteria-set> [ ')' ]
1021 <criteria-item> ::= [ '(' ] <attributetype> '$' <match-type> [ ')' ]
1023 <match-type> ::= "EQ" | "SUBSTR" | "GE" | "LE" | "APPROX"
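A parser for the Guide and EnhancedGuide syntaxes above, added here as an example and not part of the draft. The criteria BNF is right-recursive, so "a$EQ&b$EQ&c$EQ" groups to the right; the parser builds its tree the same way and, as a design choice not spelled out by the BNF, takes '!' to apply to the next item or parenthesised group. The tuple shapes ("item", attr, match), (op, left, right) and ("!", sub) are this example's own representation.

```python
import re

MATCH_TYPES = {"EQ", "SUBSTR", "GE", "LE", "APPROX"}
SUBSETS = {"baseobject", "oneLevel", "wholeSubtree"}
# Tokens: one of ( ) & | ! $, or an attribute type / match type / OID.
_TOKEN = re.compile(r"\s*(?:([()&|!$])|([A-Za-z0-9.\-]+))")
# <attributetype> or <object-class>: a descriptor or a numeric OID.
_OID = re.compile(r"[A-Za-z][A-Za-z0-9\-]*|\d+(?:\.\d+)*")


def _tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected character at offset {pos}: {text[pos]!r}")
        tokens.append(m.group(1) or m.group(2))
        pos = m.end()
    return tokens


class _Criteria:
    """Recursive-descent parser for the <criteria> production."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def criteria(self):
        # <criteria> '&' <criteria-set> | <criteria> '|' <criteria-set>
        left = self.unary()
        if self.peek() in ("&", "|"):
            op = self.take()
            return (op, left, self.criteria())
        return left

    def unary(self):
        tok = self.peek()
        if tok == "!":
            self.take()
            return ("!", self.unary())
        if tok == "(":
            self.take()
            node = self.criteria()
            self.take(")")
            return node
        # <criteria-item> ::= <attributetype> '$' <match-type>
        attr = self.take()
        if _OID.fullmatch(attr) is None:
            raise ValueError(f"bad attribute type {attr!r}")
        self.take("$")
        match_type = self.take()
        if match_type not in MATCH_TYPES:
            raise ValueError(f"bad match type {match_type!r}")
        return ("item", attr, match_type)


def parse_criteria(text):
    parser = _Criteria(_tokenize(text))
    tree = parser.criteria()
    if parser.peek() is not None:
        raise ValueError(f"trailing input: {parser.peek()!r}")
    return tree


def parse_guide(value):
    """<guide-value> ::= [ <object-class> '#' ] <criteria>"""
    object_class, sep, rest = value.partition("#")
    if not sep:
        return None, parse_criteria(value)
    object_class = object_class.strip()
    if _OID.fullmatch(object_class) is None:
        raise ValueError(f"bad object class {object_class!r}")
    return object_class, parse_criteria(rest)


def parse_enhanced_guide(value):
    """<EnhancedGuide> ::= <objectclass> '#' <criteria> '#' <subset>"""
    parts = value.split("#")
    if len(parts) != 3:
        raise ValueError("EnhancedGuide needs exactly three '#'-separated fields")
    object_class, criteria, subset = (p.strip() for p in parts)
    if _OID.fullmatch(object_class) is None:
        raise ValueError(f"bad object class {object_class!r}")
    if subset not in SUBSETS:
        raise ValueError(f"bad subset {subset!r}")
    return object_class, parse_criteria(criteria), subset


def is_guide(value) -> bool:
    try:
        parse_guide(value)
        return True
    except ValueError:
        return False
```

Because '#' never appears inside <criteria>, the object class and subset fields can be split off before tokenising; an unknown match type or a stray character raises rather than being skipped, which is the behaviour a server should have before it stores the value.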
1025 5.2.1.13. NameAndOptionalUID
1027 The encoding of a value with the NameAndOptionalUID syntax is according
1028 to the following BNF:
1030 <NameAndOptionalUID> ::=
1031 <DistinguishedName> [ '#' <BitString> ]
1033 Although the '#' character may occur in a string representation of a
1034 distinguished name, no additional special quoting is done in the
1035 distinguished name other than that of [5].
1037 This syntax has been added subsequent to RFC 1778.
1047 5.2.1.14. NumericString
1049 The encoding of a string with the NumericString syntax is the string
1054 Values with OID (Object Identifier) syntax are encoded according to the
1057 <oid> ::= <descr> | <numericoid>
1059 <descr> ::= <keystring>
1061 <numericoid> ::= <numericstring> | <numericstring> '.' <numericoid>
1063 In the above BNF, <descr> is the syntactic representation of an
1064 object descriptor, which must consist of letters and digits, starting
1065 with a letter. When encoding values with OID syntax, the first encoding
1066 option must be used in preference to the second. That is, in encoding
1067 object identifiers, object descriptors (where assigned and known by
1068 the implementation) must be used in preference to numeric oids to
1069 the greatest extent possible. All permitted object descriptors for use
1070 in LDAP are given in this document. No other object descriptors may be
1071 used. (Note that clients must expect that LDAPv2 implementations
1072 will return object descriptors other than those listed.)
1076 Values with Password syntax are encoded as octet strings.
1078 5.2.1.17. PostalAddress
1080 Values with the PostalAddress syntax are encoded according to the
1083 <postal-address> ::= <dstring> | <dstring> '$' <postal-address>
1085 In the above, each <dstring> component of a postal address value is
1086 encoded as a value of type DirectoryString syntax. Backslashes and
1087 dollar characters, if they occur in the component, are quoted as
1088 described in section 4.2.
1090 5.2.1.18. PresentationAddress
1092 Values with the PresentationAddress syntax are encoded to have the
1093 representation described in [6].
1095 5.2.1.20. TelephoneNumber
1097 Values with the TelephoneNumber syntax are encoded as if they were
1098 Printable String types. Telephone numbers are recommended in X.520 to
1099 be in international form, e.g. "+1 512 305 0280".
1105 5.2.1.21. TeletexTerminalIdentifier
1107 Values with the TeletexTerminalIdentifier syntax are encoded according
1108 to the following BNF:
1110 <teletex-id> ::= <ttx-term> 0*('$' <ttx-param>)
1112 <ttx-term> ::= <printablestring>
1114 <ttx-param> ::= <ttx-key> ':' <ttx-value>
1116 <ttx-key> ::= 'graphic' | 'control' | 'misc' | 'page' | 'private'
1118 <ttx-value> ::= <octetstring>
1120 In the above, the first <printablestring> is the encoding of the
1121 first portion of the teletex terminal identifier to be encoded, and
1122 the subsequent 0 or more <octetstrings> are subsequent portions
1123 of the teletex terminal identifier.
1125 5.2.1.22. TelexNumber
1127 Values with the TelexNumber syntax are encoded according to the
1130 <telex-number> ::= <actual-number> '$' <country> '$' <answerback>
1132 <actual-number> ::= <printablestring>
1134 <country> ::= <printablestring>
1136 <answerback> ::= <printablestring>
1138 In the above, <actual-number> is the syntactic representation of the
1139 number portion of the TELEX number being encoded, <country> is the
1140 TELEX country code, and <answerback> is the answerback code of a
1145 Values with UTCTime syntax are encoded as if they were printable
1146 strings with the strings containing a UTCTime value. This is historical;
1147 new attribute definitions must use GeneralizedTime instead.
1151 Values with Boolean syntax are encoded according to the following
1154 <boolean> ::= "TRUE" | "FALSE"
1156 Boolean values have an encoding of "TRUE" if they are logically true,
1157 and have an encoding of "FALSE" otherwise.
1163 5.2.2. Pilot Syntaxes
1165 Servers must recognize all the syntaxes described in this section.
1169 The encoding of a value with Audio syntax is the octets of the value
1170 itself, an 8KHz uncompressed encoding compatible with the SunOS
1171 4.1.3 'play' utility.
1173 5.2.2.2. DSAQualitySyntax
1175 Values with this syntax are encoded according to the following BNF:
1177 <DsaQualitySyntax> ::= <DSAKeyword> [ '#' <description> ]
1179 <DSAKeyword> ::= 'DEFUNCT' | 'EXPERIMENTAL' | 'BEST-EFFORT' |
1180 'PILOT-SERVICE' | 'FULL-SERVICE'
1182 <description> ::= encoded as a PrintableString
1184 5.2.2.3. DataQualitySyntax
1186 Values with this syntax are encoded according to the following BNF:
1188 <DataQualitySyntax> ::= <compKeyword> '#' <attrQuality> '#'
1189 <listQuality> [ '#' <description> ]
1191 <attrQuality> ::= <levelKeyword> '+' <compKeyword>
1193 <listQuality> ::= <list> '$' <list><listQuality>
1195 <list> ::= <attribute> '+' <attrQuality>
1197 <compKeyword> ::= 'NONE' | 'SAMPLE' | 'SELECTED' |
1198 'SUBSTANTIAL' | 'FULL'
1200 <levelKeyword> ::= 'UNKNOWN' | 'EXTERNAL' | 'SYSTEM-MAINTAINED' |
1205 The encoding of a value with IA5String syntax is the string value
1210 Values with JPEG syntax are encoded as if they were octet strings
1211 containing JPEG images in the JPEG File Interchange Format (JFIF), as
1221 5.2.2.6. MailPreference
1223 Values with MailPreference syntax are encoded according to the
1226 <mail-preference> ::= "NO-LISTS" | "ANY-LIST" | "PROFESSIONAL-LISTS"
1228 5.2.2.7. OtherMailbox
1230 Values of the OtherMailbox syntax are encoded according to the
1233 <otherMailbox> ::= <mailbox-type> '$' <mailbox>
1235 <mailbox-type> ::= an encoded Printable String
1237 <mailbox> ::= an encoded IA5 String
1239 In the above, <mailbox-type> represents the type of mail system in
1240 which the mailbox resides, for example "MCIMail"; and <mailbox> is the
1241 actual mailbox in the mail system defined by <mailbox-type>.
1245 Values with Fax syntax are encoded as if they were octet strings
1246 containing Group 3 Fax images as defined in [7].
1248 5.2.3. Operational Syntaxes
1250 Servers must recognize all the syntaxes described in this section.
1252 5.2.3.1. AttributeTypeDescription
1254 Values with this syntax are encoded according to the BNF given at the
1255 start of section 4.1. For example,
1257 ( 2.5.4.0 NAME 'objectClass' SYNTAX 'OID' )
1259 5.2.3.2. GeneralizedTime
1261 Values of this syntax are encoded as printable strings, represented
1262 as specified in X.208. Note that the time zone must be specified.
1263 It is strongly recommended that Zulu time zone be used. For example,
1269 Values with INTEGER syntax are encoded as the decimal representation
of their values, with each decimal digit represented by its
1271 character equivalent. So the number 1321 is represented by the character
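Encoders and decoders for the Boolean, INTEGER and GeneralizedTime syntaxes above, added as an example and not taken from the draft. The GeneralizedTime layout is the X.208 one (YYYYMMDDHH, optional MM, SS and a fraction, then a zone designator); the parser enforces the draft's rule that the zone must be present, and the encoder always emits Zulu time as the draft recommends. Restricting the fractional part to follow the seconds field is a simplification of X.208 made here.

```python
import re
from datetime import datetime, timedelta, timezone

# YYYYMMDDHH[MM[SS[.fff]]] followed by 'Z' or +HHMM / -HHMM.  The zone group
# is optional in the regex only so that its absence can be reported clearly.
_GT = re.compile(
    r"(\d{4})(\d{2})(\d{2})(\d{2})"
    r"(?:(\d{2})(?:(\d{2})(?:[.,](\d+))?)?)?"
    r"(Z|[+-]\d{2}(?:\d{2})?)?"
)
# INTEGER: decimal digits with an optional leading minus.  Validated with a
# regex because int() would also accept '1_000' and non-ASCII digits.
_INT = re.compile(r"-?[0-9]+")


def parse_generalized_time(value: str) -> datetime:
    m = _GT.fullmatch(value)
    if m is None:
        raise ValueError(f"not a GeneralizedTime: {value!r}")
    y, mo, d, h, mi, s, frac, zone = m.groups()
    if zone is None:
        raise ValueError("GeneralizedTime must carry a time zone")
    if zone == "Z":
        tz = timezone.utc
    else:
        sign = 1 if zone[0] == "+" else -1
        tz = timezone(sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5] or 0)))
    micro = int(frac[:6].ljust(6, "0")) if frac else 0
    # datetime() rejects out-of-range fields such as month 13 for us.
    return datetime(int(y), int(mo), int(d), int(h), int(mi or 0), int(s or 0), micro, tzinfo=tz)


def is_valid_generalized_time(value: str) -> bool:
    try:
        parse_generalized_time(value)
        return True
    except ValueError:
        return False


def encode_generalized_time(dt: datetime) -> str:
    """Emit the value in Zulu time; a naive datetime has no zone to emit."""
    if dt.tzinfo is None:
        raise ValueError("datetime must be timezone-aware")
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + "Z"


def decode_integer(value: str) -> int:
    if _INT.fullmatch(value) is None:
        raise ValueError(f"not an INTEGER: {value!r}")
    return int(value)


def encode_integer(n: int) -> str:
    return str(int(n))


def decode_boolean(value: str) -> bool:
    # Exactly "TRUE" or "FALSE"; case variants are not in the BNF.
    if value == "TRUE":
        return True
    if value == "FALSE":
        return False
    raise ValueError(f"not a Boolean: {value!r}")


def encode_boolean(flag: bool) -> str:
    return "TRUE" if flag else "FALSE"
```

A value without a zone designator is the failure mode the draft warns about: two servers reading the same local-time string would disagree about the instant it names, so the parser refuses it instead of assuming a zone.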
1279 5.2.3.4. ObjectClassDescription
1281 Values of this syntax are encoded according to the BNF in section 4.3.
1285 5.3.1. Standard Classes
1287 Servers must recognize the object classes listed here as values of
1288 the objectClass attribute. With the exception of groupOfUniqueNames,
1289 they are described in RFC 1274.
1291 ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
1293 ( 2.5.6.1 NAME 'alias' SUP top STRUCTURAL MUST aliasedObjectName )
1295 ( 2.5.6.2 NAME 'country' SUP top STRUCTURAL MUST c
1296 MAY ( searchGuide $ description ) )
1298 ( 2.5.6.3 NAME 'locality' SUP top STRUCTURAL
1299 MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) )
1301 ( 2.5.6.4 NAME 'organization' SUP top STRUCTURAL MUST o
1302 MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
1303 x121Address $ registeredAddress $ destinationIndicator $
1304 preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
1305 telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
1306 street $ postOfficeBox $ postalCode $ postalAddress $
1307 physicalDeliveryOfficeName $ st $ l $ description ) )
1309 ( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL MUST ou
1310 MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
1311 x121Address $ registeredAddress $ destinationIndicator $
1312 preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
1313 telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
1314 street $ postOfficeBox $ postalCode $ postalAddress $
1315 physicalDeliveryOfficeName $ st $ l $ description ) )
1317 ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn )
1318 MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
1320 ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL
1321 MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $
1322 preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
1323 telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
1324 street $ postOfficeBox $ postalCode $ postalAddress $
1325 physicalDeliveryOfficeName $ ou $ st $ l ) )
1337 ( 2.5.6.8 NAME 'organizationalRole' SUP top STRUCTURAL MUST cn
1338 MAY ( x121Address $ registeredAddress $ destinationIndicator $
1339 preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
1340 telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
1341 seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $
1342 postOfficeBox $ postalCode $ postalAddress $
1343 physicalDeliveryOfficeName $ ou $ st $ l $ description ) )
1345 ( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( member $ cn )
1346 MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
1348 ( 2.5.6.10 NAME 'residentialPerson' SUP person STRUCTURAL MUST l
1349 MAY ( businessCategory $ x121Address $ registeredAddress $
1350 destinationIndicator $ preferredDeliveryMethod $ telexNumber $
1351 teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $
1352 facsimileTelephoneNumber $ preferredDeliveryMethod $ street $
1353 postOfficeBox $ postalCode $ postalAddress $
1354 physicalDeliveryOfficeName $ st $ l ) )
1356 ( 2.5.6.11 NAME 'applicationProcess' SUP top STRUCTURAL MUST cn
1357 MAY ( seeAlso $ ou $ l $ description ) )
1359 ( 2.5.6.12 NAME 'applicationEntity' SUP top STRUCTURAL
1360 MUST ( presentationAddress $ cn )
1361 MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $
1364 ( 2.5.6.13 NAME 'dSA' SUP applicationEntity STRUCTURAL
1365 MAY knowledgeInformation )
1367 ( 2.5.6.14 NAME 'device' SUP top STRUCTURAL MUST cn
1368 MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )
1370 ( 2.5.6.15 NAME 'strongAuthenticationUser' SUP top STRUCTURAL
1371 MUST userCertificate )
1373 ( 2.5.6.16 NAME 'certificationAuthority' SUP top STRUCTURAL
1374 MUST ( authorityRevocationList $ certificateRevocationList $
1375 cACertificate ) MAY crossCertificatePair )
1377 ( 2.5.6.17 NAME 'groupOfUniqueNames' SUP top STRUCTURAL
1378 MUST ( uniqueMember $ cn )
1379 MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
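A parser for the parenthesised description format used for the OID syntax (5.2.1.15), AttributeTypeDescription (5.2.3.1), ObjectClassDescription (5.2.3.4) and the class definitions listed above, followed by a check of an entry's attributes against the MUST and MAY lists of its object classes. This is an added example, not code from the draft; the keyword sets are those appearing in the definitions on this page, the SAMPLE_CLASSES are copied from section 5.3.1 as constructed input, and attribute names are compared exactly rather than case-insensitively for brevity.

```python
import re

# <oid> ::= <descr> | <numericoid>: letters and digits starting with a
# letter, or dotted decimal components.
_OID = re.compile(r"[A-Za-z][A-Za-z0-9]*|\d+(?:\.\d+)*")
# A parenthesis, a quoted string (may span lines, no escapes) or a word.
_TOKEN = re.compile(r"\s*(?:([()])|'([^']*)'|([^\s()']+))")

FLAGS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION",
         "ABSTRACT", "STRUCTURAL", "AUXILIARY"}
SINGLE = {"DESC", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "USAGE"}
LISTS = {"NAME", "SUP", "MUST", "MAY"}  # one value or a '(' ... ')' list


def is_oid(text: str) -> bool:
    return _OID.fullmatch(text) is not None


def _tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"bad schema text at offset {pos}")
        if m.group(1):
            tokens.append(("paren", m.group(1)))
        elif m.group(2) is not None:
            tokens.append(("qstr", m.group(2)))
        else:
            tokens.append(("word", m.group(3)))
        pos = m.end()
    return tokens


def _read_list(body, i):
    """(items, next index) for one value or a '(' ... ')' list; '$' dropped."""
    if i >= len(body):
        raise ValueError("missing value")
    if body[i] != ("paren", "("):
        return [body[i][1]], i + 1
    items, i = [], i + 1
    while i < len(body) and body[i] != ("paren", ")"):
        if body[i] != ("word", "$"):
            items.append(body[i][1])
        i += 1
    if i >= len(body):
        raise ValueError("unterminated list")
    return items, i + 1


def parse_description(text: str) -> dict:
    toks = _tokenize(text)
    if len(toks) < 3 or toks[0] != ("paren", "(") or toks[-1] != ("paren", ")"):
        raise ValueError("description must be enclosed in parentheses")
    body = toks[1:-1]
    kind, oid = body[0]
    if kind != "word" or not is_oid(oid):
        raise ValueError(f"invalid OID {oid!r}")
    desc, i = {"oid": oid}, 1
    while i < len(body):
        kind, kw = body[i]
        if kind != "word":
            raise ValueError(f"expected a keyword, got {kw!r}")
        if kw in FLAGS:
            desc[kw], i = True, i + 1
        elif kw in SINGLE:
            if i + 1 >= len(body) or body[i + 1][0] == "paren":
                raise ValueError(f"{kw} needs a value")
            desc[kw], i = body[i + 1][1], i + 2
        elif kw in LISTS:
            desc[kw], i = _read_list(body, i + 1)
        else:
            raise ValueError(f"unknown keyword {kw!r}")
    return desc


def load_classes(texts) -> dict:
    return {d["NAME"][0]: d for d in map(parse_description, texts)}


def check_entry(entry: dict, classes: dict) -> list:
    """Problems with `entry` (attribute -> values): unknown classes, missing
    MUST attributes, attributes outside MUST/MAY.  SUP lists are inherited."""
    problems, allowed, required, seen = [], {"objectClass"}, set(), set()
    pending = list(entry.get("objectClass", []))
    while pending:
        name = pending.pop()
        if name in seen:
            continue
        seen.add(name)
        oc = classes.get(name)
        if oc is None:
            problems.append(f"unknown object class {name}")
            continue
        required.update(oc.get("MUST", []))
        allowed.update(oc.get("MAY", []))
        pending.extend(oc.get("SUP", []))
    allowed |= required
    problems += [f"missing required attribute {a}" for a in required - entry.keys()]
    problems += [f"attribute {a} not permitted by object classes" for a in entry.keys() - allowed]
    return sorted(problems)


# Constructed sample: two definitions copied from section 5.3.1.
SAMPLE_CLASSES = load_classes([
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn )\n"
    "  MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )",
])
```

Rejecting attributes outside the MUST/MAY closure is the server-side check that keeps an add or modify from smuggling in an attribute no class permits; the same tokenizer accepts the multi-line DESC strings and '$'-separated lists exactly as they are written in this draft.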
1381 5.3.2. Pilot Classes
1383 These object classes are defined in RFC 1274. All servers must recognize
1384 these object class names.
1386 ( 0.9.2342.19200300.100.4.3 NAME 'pilotObject' SUP top STRUCTURAL
1387 MAY ( jpegPhoto $ audio $ dITRedirect $ lastModifiedBy $
1388 lastModifiedTime $ uniqueIdentifier $ manager $ photo $ info ) )
1395 ( 0.9.2342.19200300.100.4.4 NAME 'newPilotPerson' SUP person
1396 STRUCTURAL MAY ( personalSignature $ mailPreferenceOption $
1397 organizationalStatus $ pagerTelephoneNumber $ mobileTelephoneNumber $
1398 otherMailbox $ janetMailbox $ businessCategory $
1399 preferredDeliveryMethod $ personalTitle $ secretary $
1400 homePostalAddress $ homePhone $ userClass $ roomNumber $
1401 favouriteDrink $ rfc822Mailbox $ textEncodedORaddress $ userid ) )
1403 ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCTURAL
1404 MUST userid MAY ( host $ ou $ o $ l $ seeAlso $ description ) )
1406 ( 0.9.2342.19200300.100.4.6 NAME 'document' SUP ( top $ pilotObject )
1407 STRUCTURAL MUST documentIdentifier
1408 MAY ( documentPublisher $ documentStore $ documentAuthorSurName $
1409 documentAuthorCommonName $ abstract $ subject $ keywords $
1410 updatedByDocument $ updatesDocument $ obsoletedByDocument $
1411 obsoletesDocument $ documentLocation $ documentAuthor $
1412 documentVersion $ documentTitle $ ou $ o $ l $ seeAlso $ description $
1415 ( 0.9.2342.19200300.100.4.7 NAME 'room' SUP top STRUCTURAL MUST cn
1416 MAY ( telephoneNumber $ seeAlso $ description $ roomNumber ) )
1418 ( 0.9.2342.19200300.100.4.9 NAME 'documentSeries' SUP top STRUCTURAL
1419 MUST cn MAY ( ou $ o $ l $ telephoneNumber $ seeAlso $ description ) )
1421 ( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCTURAL
1423 MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
1424 x121Address $ registeredAddress $ destinationIndicator $
1425 preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
1426 telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
1427 street $ postOfficeBox $ postalCode $ postalAddress $
1428 physicalDeliveryOfficeName $ st $ l $ description $ o $
1431 ( 0.9.2342.19200300.100.4.14 NAME 'rFC822localPart' SUP domain
1433 MAY ( x121Address $ registeredAddress $ destinationIndicator $
1434 preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
1435 telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
1436 streetAddress $ postOfficeBox $ postalCode $ postalAddress $
1437 physicalDeliveryOfficeName $ telephoneNumber $ seeAlso $ description $
1440 ( 0.9.2342.19200300.100.4.15 NAME 'dNSDomain' SUP domain STRUCTURAL
1443 ( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject' SUP top
1444 STRUCTURAL MUST associatedDomain )
1446 ( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry' SUP country
1447 STRUCTURAL MUST co )
1453 ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' SUP top
1454 STRUCTURAL MUST userPassword )
1456 ( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization'
1457 SUP ( organization $ organizationalUnit ) STRUCTURAL
1460 ( 0.9.2342.19200300.100.4.21 NAME 'pilotDSA' SUP dSA STRUCTURAL
1463 ( 0.9.2342.19200300.100.4.23 NAME 'qualityLabelledData' SUP top
1464 STRUCTURAL MUST singleLevelQuality
1465 MAY ( subtreeMaximumQuality $ subtreeMinimumQuality ) )
1469 Servers must recognize the following matching rules, used for equality
1470 matching, and must be capable of performing the matching rules.
1471 For all these rules, the assertion syntax is the same as the value syntax.
1473 ( 2.5.13.0 NAME 'objectIdentifierMatch' SYNTAX 'OID' )
1474 ( 2.5.13.1 NAME 'distinguishedNameMatch' SYNTAX 'DN' )
1475 ( 2.5.13.2 NAME 'caseIgnoreMatch' SYNTAX 'DirectoryString' )
1476 ( 2.5.13.8 NAME 'numericStringMatch' SYNTAX 'NumericString' )
1477 ( 2.5.13.11 NAME 'caseIgnoreListMatch' SYNTAX 'PostalAddress' )
1478 ( 2.5.13.14 NAME 'integerMatch' SYNTAX 'INTEGER' )
1479 ( 2.5.13.16 NAME 'bitStringMatch' SYNTAX 'BitString' )
1480 ( 2.5.13.17 NAME 'octetStringMatch' SYNTAX 'Password' )
1481 ( 2.5.13.20 NAME 'telephoneNumberMatch' SYNTAX 'TelephoneNumber' )
1482 ( 2.5.13.27 NAME 'generalizedTimeMatch' SYNTAX 'GeneralizedTime' )
1483 ( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' SYNTAX 'IA5String' )
1484 ( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' SYNTAX 'IA5String' )
1486 When performing the caseIgnoreMatch, caseIgnoreListMatch,
1487 telephoneNumberMatch, caseExactIA5Match and caseIgnoreIA5Match,
1488 multiple adjoining whitespace characters are treated the same as
1489 an individual space, and leading and trailing whitespace is ignored.
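The equality matching rules above, implemented as an added example (not code from the draft). Whitespace is handled as the paragraph above requires for caseIgnoreMatch, caseIgnoreListMatch, telephoneNumberMatch, caseExactIA5Match and caseIgnoreIA5Match; using Unicode case folding for caseIgnoreMatch and a constant-time comparison for octetStringMatch are this example's own choices, since the draft does not specify either.

```python
import hmac
import re

_WS = re.compile(r"\s+")
_INT = re.compile(r"-?[0-9]+")
_BITSTRING = re.compile(r"'[01]*'B")


def _normalize(value: str) -> str:
    """Runs of whitespace become one space; leading/trailing whitespace is dropped."""
    return _WS.sub(" ", value).strip()


def _require_ia5(value: str) -> str:
    # IA5String is the 7-bit set.  Anything else is a syntax error, not a
    # non-match, so it is reported rather than silently compared.
    if not value.isascii():
        raise ValueError("value is not an IA5String")
    return value


def case_ignore_match(a: str, b: str) -> bool:
    return _normalize(a).casefold() == _normalize(b).casefold()


def case_exact_ia5_match(a: str, b: str) -> bool:
    return _normalize(_require_ia5(a)) == _normalize(_require_ia5(b))


def case_ignore_ia5_match(a: str, b: str) -> bool:
    return _normalize(_require_ia5(a)).lower() == _normalize(_require_ia5(b)).lower()


def case_ignore_list_match(a: str, b: str) -> bool:
    """PostalAddress values: same number of '$' components, each compared
    with caseIgnoreMatch."""
    la, lb = a.split("$"), b.split("$")
    return len(la) == len(lb) and all(case_ignore_match(x, y) for x, y in zip(la, lb))


def telephone_number_match(a: str, b: str) -> bool:
    # The draft specifies only the whitespace treatment for this rule.
    return _normalize(a) == _normalize(b)


def integer_match(a: str, b: str) -> bool:
    if _INT.fullmatch(a) is None or _INT.fullmatch(b) is None:
        raise ValueError("not an INTEGER")
    return int(a) == int(b)


def bit_string_match(a: str, b: str) -> bool:
    if _BITSTRING.fullmatch(a) is None or _BITSTRING.fullmatch(b) is None:
        raise ValueError("not a BitString")
    return a == b


def octet_string_match(a: bytes, b: bytes) -> bool:
    """Password syntax is compared as raw octets.  compare_digest takes time
    independent of where the first differing byte is, so a stored secret
    cannot be recovered byte by byte from timing."""
    return hmac.compare_digest(a, b)


def is_ia5_string(value: str) -> bool:
    return value.isascii()
```

The normalisation step matters for more than convenience: an equality assertion in a search filter or an access-control subject is compared with these rules, so "cn=Alice  Smith" and "cn=alice smith" name the same value under caseIgnoreMatch and must be treated as such by any policy keyed on it.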
1491 6. X.500 Definitions
1493 Servers which implement the X.500(1993) protocols are required to recognize
these attribute types, syntaxes, object classes and matching rules, where
1495 they correspond to X.500 features implemented by that server. No other
1496 servers are required to implement any definitions in section 6, although
1499 Clients must not assume these definitions are recognized by all servers.
1501 6.1. Attribute Types
1503 6.1.1. User Attributes
1505 All user attributes of X.500 are listed in section 5.1.1.
1511 6.1.2. Collective Attributes
1513 These attributes are stored in collective attribute subentries, but may
1514 be visible in user entries if requested.
1516 Each of these collective attributes is a subtype of the attribute which
1517 has the OID without the final ".1", e.g. "collectivePostalCode" is a
1518 subtype of "postalCode".
1520 ( 2.5.4.7.1 NAME 'collectiveLocalityName' SUP l COLLECTIVE )
1522 ( 2.5.4.8.1 NAME 'collectiveStateOrProvinceName' SUP st COLLECTIVE )
1524 ( 2.5.4.9.1 NAME 'collectiveStreetAddress' SUP street COLLECTIVE )
1526 ( 2.5.4.10.1 NAME 'collectiveOrganizationName' SUP o COLLECTIVE )
1528 ( 2.5.4.11.1 NAME 'collectiveOrganizationalUnitName' SUP ou COLLECTIVE )
1530 ( 2.5.4.16.1 NAME 'collectivePostalAddress' SUP postalAddress COLLECTIVE )
1532 ( 2.5.4.17.1 NAME 'collectivePostalCode' SUP postalCode COLLECTIVE )
1534 ( 2.5.4.18.1 NAME 'collectivePostOfficeBox' SUP postOfficeBox COLLECTIVE )
1536 ( 2.5.4.19.1 NAME 'collectivePhysicalDeliveryOfficeName'
1537 SUP physicalDeliveryOfficeName COLLECTIVE )
1539 ( 2.5.4.20.1 NAME 'collectiveTelephoneNumber' SUP telephoneNumber
( 2.5.4.21.1 NAME 'collectiveTelexNumber' SUP telexNumber COLLECTIVE )
1544 ( 2.5.4.22.1 NAME 'collectiveTeletexTerminalIdentifier'
1545 SUP teletexTerminalIdentifier COLLECTIVE )
1547 ( 2.5.4.23.1 NAME 'collectiveFacsimileTelephoneNumber'
1548 SUP facsimileTelephoneNumber COLLECTIVE )
1550 ( 2.5.4.25.1 NAME 'collectiveInternationaliSDNNumber'
1551 SUP internationaliSDNNumber COLLECTIVE )
1553 6.1.3. Standard Operational Attributes
1555 These attributes are defined in X.501(1993) Annexes B through E.
1557 ( 2.5.18.5 NAME 'administrativeRole' EQUALITY objectIdentifierMatch
1558 SYNTAX 'OID' USAGE directoryOperation )
1560 ( 2.5.18.6 NAME 'subtreeSpecification' SYNTAX 'SubtreeSpecification'
1561 SINGLE-VALUE USAGE directoryOperation )
1569 ( 2.5.18.7 NAME 'collectiveExclusions' EQUALITY objectIdentifierMatch
1570 SYNTAX 'OID' USAGE directoryOperation )
1572 ( 2.5.21.1 NAME 'dITStructureRules' EQUALITY integerFirstComponentMatch
1573 SYNTAX 'DITStructureRuleDescription' USAGE directoryOperation )
1575 ( 2.5.21.2 NAME 'dITContentRules'
1576 EQUALITY objectIdentifierFirstComponentMatch
1577 SYNTAX 'DITContentRuleDescription' USAGE directoryOperation )
1579 ( 2.5.21.4 NAME 'matchingRules'
1580 EQUALITY objectIdentifierFirstComponentMatch
1581 SYNTAX 'MatchingRuleDescription' USAGE directoryOperation )
1583 ( 2.5.21.7 NAME 'nameForms'
1584 EQUALITY objectIdentifierFirstComponentMatch
1585 SYNTAX 'NameFormDescription' USAGE directoryOperation )
1587 ( 2.5.21.8 NAME 'matchingRuleUse'
1588 EQUALITY objectIdentifierFirstComponentMatch
1589 SYNTAX 'MatchingRuleUseDescription' USAGE directoryOperation )
1591 ( 2.5.21.9 NAME 'structuralObjectClass' EQUALITY objectIdentifierMatch
1592 SYNTAX 'OID' SINGLE-VALUE NO-USER-MODIFICATION
1593 USAGE directoryOperation )
1595 ( 2.5.21.10 NAME 'governingStructuralRule' EQUALITY integerMatch
1596 SYNTAX 'INTEGER' SINGLE-VALUE NO-USER-MODIFICATION
1597 USAGE directoryOperation )
1599 ( 2.5.24.1 NAME 'accessControlScheme' EQUALITY objectIdentifierMatch
1600 SYNTAX 'OID' SINGLE-VALUE USAGE directoryOperation )
1602 ( 2.5.24.4 NAME 'prescriptiveACI'
1603 EQUALITY directoryStringFirstComponentMatch SYNTAX 'ACIItem'
1604 USAGE directoryOperation )
1606 ( 2.5.24.5 NAME 'entryACI'
1607 EQUALITY directoryStringFirstComponentMatch SYNTAX 'ACIItem'
1608 USAGE directoryOperation )
1610 ( 2.5.24.6 NAME 'subentryACI'
1611 EQUALITY directoryStringFirstComponentMatch SYNTAX 'ACIItem'
1612 USAGE directoryOperation )
1614 ( 2.5.12.0 NAME 'dseType' EQUALITY bitStringMatch SYNTAX 'DSEType'
1615 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )
1617 ( 2.5.12.1 NAME 'myAccessPoint' EQUALITY accessPointMatch
1618 SYNTAX 'AccessPoint' SINGLE-VALUE NO-USER-MODIFICATION
1619 USAGE dSAOperation )
1627 ( 2.5.12.2 NAME 'superiorKnowledge' EQUALITY accessPointMatch
1628 SYNTAX 'AccessPoint' SINGLE-VALUE NO-USER-MODIFICATION
1629 USAGE dSAOperation )
1631 ( 2.5.12.3 NAME 'specificKnowledge'
1632 EQUALITY masterAndShadowAccessPointsMatch
1633 SYNTAX 'MasterAndShadowAccessPoints'
1634 SINGLE-VALUE NO-USER-MODIFICATION USAGE distributedOperation )
1636 ( 2.5.12.4 NAME 'nonSpecificKnowledge'
1637 EQUALITY masterAndShadowAccessPointsMatch
1638 SYNTAX 'MasterAndShadowAccessPoints' NO-USER-MODIFICATION
1639 USAGE distributedOperation )
1641 ( 2.5.12.5 NAME 'supplierKnowledge'
1642 EQUALITY supplierOrConsumerInformationMatch
1643 SYNTAX 'SupplierInformation'
1644 NO-USER-MODIFICATION USAGE dSAOperation )
1646 ( 2.5.12.6 NAME 'consumerKnowledge'
1647 EQUALITY supplierOrConsumerInformationMatch
1648 SYNTAX 'SupplierOrConsumer'
1649 NO-USER-MODIFICATION USAGE dSAOperation )
1651 ( 2.5.12.7 NAME 'secondaryShadows'
1652 EQUALITY supplierAndConsumersMatch
1653 SYNTAX 'SupplierAndConsumers'
1654 NO-USER-MODIFICATION USAGE dSAOperation )
1656 6.1.4. LDAP-defined Operational Attributes
1658 6.1.4.1. targetSystem
1660 ( 1.3.6.1.4.1.1466.101.120.12 NAME 'targetSystem'
1661 SYNTAX 'AccessPoint' SINGLE-VALUE NO-USER-MODIFICATION
1662 USAGE distributedOperation )
1664 The value of this attribute may be supplied in an AddEntry operation
1665 to inform the Directory of the target server on which the entry is to
1666 be held. This is used to create a new naming context in the directory
1667 tree. A server which does not permit the use of this attribute must
1668 return an appropriate error code if it is present in the attribute list.
1669 This attribute will generally not be present in the entry after the add
1687 6.2.1. Standard Syntaxes
1691 This syntax appears too complicated for a compact string representation
1692 to be useful. Clients must only request and servers must only return
values which use the binary encoding of the value, e.g.
1696 It is recommended that clients that wish to only determine whether they
1697 have been granted permission to modify an entry use the "modifyRights"
1698 attribute rather than attempt to parse this syntax.
1700 6.2.1.2. AccessPoint
1702 Values with AccessPoint syntax are encoded according to the
1705 <AccessPoint> ::= ( '(' <DistinguishedName> '#'
1706 <PresentationAddress> ')' ) |
1707 -- Optional protocol info absent, parenthesis required
1708 ( '(' <DistinguishedName> '#'
1709 <PresentationAddress> '#'
<SetOfProtocolInformation> ')' )
1712 <SetOfProtocolInformation> ::= <ProtocolInformation> |
1713 '(' <ProtocolInformationList> ')'
1715 <ProtocolInformationList> ::= <ProtocolInformation> |
1716 <ProtocolInformation> '$'
1717 <ProtocolInformationList>
1719 6.2.1.3. DITContentRuleDescription
1721 Values with this syntax are encoded according to the following BNF:
1723 <DITContentRuleDescription> ::= "("
1724 <oid> -- Structural ObjectClass identifier
1725 [ "NAME" <DirectoryStrings> ]
1726 [ "DESC" <DirectoryString> ]
1728 [ "AUX" <oids> ] -- Auxiliary ObjectClasses
1729 [ "MUST" <oids> ] -- AttributeType identifiers
1730 [ "MAY" <oids> ] -- AttributeType identifiers
1731 [ "NOT" <oids> ] -- AttributeType identifiers
1743 6.2.1.4. DITStructureRuleDescription
1745 Values with this syntax are encoded according to the following BNF:
1747 <DITStructureRuleDescription> ::= "("
1748 <RuleIdentifier> -- DITStructureRule identifier
1749 [ "NAME" <DirectoryStrings> ]
1750 [ "DESC" <DirectoryString> ]
1752 "FORM" <oid> -- NameForm
1753 [ "SUP" <RuleIdentifiers> ] -- superior DITStructureRules
1756 <RuleIdentifier> ::= <integer>
1758 <RuleIdentifiers> ::=
1760 "(" <RuleIdentifierList> ")"
1762 <RuleIdentifierList> ::=
1763 <RuleIdentifierList> <RuleIdentifier>
1769 Values with DSEType syntax are encoded according to the following BNF:
1771 <DSEType> ::= '(' <DSEBitList> ')'
1773 <DSEBitList> ::= <DSEBit> | <DSEBit> '$' <DSEBitList>
1775 <DSEBit> ::= 'root' | 'glue' | 'cp' | 'entry' | 'alias' | 'subr' |
1776 'nssr' | 'supr' | 'xr' | 'admPoint' | 'subentry' |
1777 'shadow' | 'zombie' | 'immSupr' | 'rhob' | 'sa'
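A parser and encoder for the DSEType syntax above, added as an example that is not part of the draft. The bit names are exactly the <DSEBit> alternatives listed; the encoder emits bits in that order so two equivalent values compare equal as strings, which the BNF itself does not guarantee.

```python
# <DSEBit> alternatives, in the order the BNF lists them.
DSE_BITS = ("root", "glue", "cp", "entry", "alias", "subr", "nssr", "supr",
            "xr", "admPoint", "subentry", "shadow", "zombie", "immSupr",
            "rhob", "sa")


def parse_dse_type(value: str) -> frozenset:
    """'(' <DSEBitList> ')' with '$' separators; at least one bit, no
    unknown or repeated bits."""
    text = value.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("DSEType value must be parenthesised")
    inner = text[1:-1].strip()
    if not inner:
        raise ValueError("DSEType needs at least one bit")
    seen = set()
    for bit in (b.strip() for b in inner.split("$")):
        if bit not in DSE_BITS:
            raise ValueError(f"unknown DSE bit {bit!r}")
        if bit in seen:
            raise ValueError(f"duplicate DSE bit {bit!r}")
        seen.add(bit)
    return frozenset(seen)


def encode_dse_type(bits) -> str:
    """Canonical encoding: known bits only, in BNF order, no whitespace."""
    bits = set(bits)
    unknown = bits - set(DSE_BITS)
    if unknown or not bits:
        raise ValueError(f"cannot encode DSE bits {sorted(unknown) or '(none)'}")
    return "(" + "$".join(b for b in DSE_BITS if b in bits) + ")"


def is_dse_type(value: str) -> bool:
    try:
        parse_dse_type(value)
        return True
    except ValueError:
        return False
```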
1779 6.2.1.6. MasterAndShadowAccessPoints
1781 Values of this syntax are encoded according to the following BNF:
1783 <MasterAndShadowAccessPoints> ::= <MasterOrShadowAccessPoint> |
'(' <MasterAndShadowAccessPointList> ')'
1786 <MasterAndShadowAccessPointList> ::= <MasterOrShadowAccessPoint> |
1787 <MasterOrShadowAccessPoint> '$' <MasterAndShadowAccessPointList>
1789 <MasterOrShadowAccessPoint> ::= <category> '#' <AccessPoint>
1791 <category> ::= 'master' | 'shadow'
1793 6.2.1.7. MatchingRuleDescription
1795 Values of this syntax are encoded according to the BNF of section 4.4.
6.2.1.8. MatchingRuleUseDescription

Values of this syntax are encoded according to the following BNF:

<MatchingRuleUseDescription> ::= "("
    <oid> -- MatchingRule identifier
    [ "NAME" <DirectoryStrings> ]
    [ "DESC" <DirectoryString> ]
    "APPLIES" <oids> -- AttributeType identifiers
    ")"

6.2.1.9. NameFormDescription

Values of this syntax are encoded according to the following BNF:

<NameFormDescription> ::= "("
    <oid> -- NameForm identifier
    [ "NAME" <DirectoryStrings> ]
    [ "DESC" <DirectoryString> ]
    "OC" <oid> -- Structural ObjectClass
    "MUST" <oids> -- AttributeTypes
    [ "MAY" <oids> ] -- AttributeTypes
    ")"
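The two description syntaxes above share one shape: a parenthesised numeric OID followed by keyword/value pairs. The following Python is an added example, not code from the draft or from any LDAP implementation: a tokenizer and parser that validates a MatchingRuleUseDescription or NameFormDescription against that shape, rejects characters the BNF does not allow, and reports a missing required keyword (APPLIES, or OC and MUST). It assumes that a <DirectoryStrings> or <oids> list is either a single item or a parenthesised, '$'-separated list, as in the object class definitions later in this document; the sample descriptions are constructed for the example.

```python
import re

# Added example, not from the draft. Parses the MatchingRuleUseDescription
# and NameFormDescription string forms. Assumption: a <DirectoryStrings> or
# <oids> list is a single item or a parenthesised, '$'-separated list.

_TOKEN = re.compile(
    r"\s+|(?P<paren>[()])|(?P<dollar>\$)|'(?P<qstr>(?:[^'\\]|\\.)*)'"
    r"|(?P<word>[^\s()'$]+)"
)

# keyword -> value shape: one quoted string, a list of quoted strings,
# one oid, or a list of oids
KINDS = {
    "MatchingRuleUse": {"NAME": "strings", "DESC": "string", "APPLIES": "oids"},
    "NameForm": {"NAME": "strings", "DESC": "string", "OC": "oid",
                 "MUST": "oids", "MAY": "oids"},
}
REQUIRED = {"MatchingRuleUse": ("APPLIES",), "NameForm": ("OC", "MUST")}


def _tokens(text):
    """Tokenise into (type, value) pairs; any character the BNF does not
    allow is an error rather than silently skipped."""
    out, pos = [], 0
    for m in _TOKEN.finditer(text):
        if m.start() != pos:
            raise ValueError(f"illegal character at offset {pos}: {text[pos]!r}")
        pos = m.end()
        if m.lastgroup is not None:          # None means whitespace
            out.append((m.lastgroup, m.group(m.lastgroup)))
    if pos != len(text):
        raise ValueError(f"illegal character at offset {pos}: {text[pos]!r}")
    return out


def _list(body, i, want):
    """<item> | '(' <item> [ '$' <item> ]... ')'; returns (items, next index)."""
    if i < len(body) and body[i] == ("paren", "("):
        items, expect_item, i = [], True, i + 1
        while i < len(body) and body[i] != ("paren", ")"):
            typ, val = body[i]
            if expect_item:
                if typ != want:
                    raise ValueError(f"expected {want}, got {val!r}")
                items.append(val)
            elif typ != "dollar":
                raise ValueError(f"expected '$' before {val!r}")
            expect_item, i = not expect_item, i + 1
        if i >= len(body) or not items or expect_item:
            raise ValueError("unterminated, empty or '$'-dangling list")
        return items, i + 1
    if i < len(body) and body[i][0] == want:
        return [body[i][1]], i + 1
    raise ValueError(f"expected {want} or parenthesised list")


def parse_description(text, kind):
    """Parse one description into a dict keyed by 'oid' and its keywords."""
    spec = KINDS[kind]
    toks = _tokens(text)
    if len(toks) < 3 or toks[0] != ("paren", "(") or toks[-1] != ("paren", ")"):
        raise ValueError("description must be '(' ... ')'")
    body = toks[1:-1]
    if body[0][0] != "word":
        raise ValueError("description must start with its numeric OID")
    result, i = {"oid": body[0][1]}, 1
    while i < len(body):
        typ, kw = body[i]
        if typ != "word" or kw not in spec:
            raise ValueError(f"unexpected token {kw!r} in {kind}")
        if kw in result:
            raise ValueError(f"duplicate keyword {kw}")
        shape, i = spec[kw], i + 1
        if shape in ("string", "oid"):
            want = "qstr" if shape == "string" else "word"
            if i >= len(body) or body[i][0] != want:
                raise ValueError(f"{kw} requires a {want}")
            result[kw], i = body[i][1], i + 1
        else:
            result[kw], i = _list(body, i, "qstr" if shape == "strings" else "word")
    missing = [k for k in REQUIRED[kind] if k not in result]
    if missing:
        raise ValueError(f"{kind} is missing required {missing}")
    return result


# Constructed samples (not from the draft); 1.2.3.4.5 is the document's
# own throwaway example OID
NAME_FORM = "( 1.2.3.4.5 NAME 'exampleNameForm' OC person MUST cn MAY ( sn $ ou ) )"
RULE_USE = "( 2.5.13.2 NAME 'caseIgnoreMatch' APPLIES ( cn $ sn $ ou ) )"

if __name__ == "__main__":
    print(parse_description(NAME_FORM, "NameForm"))
    print(parse_description(RULE_USE, "MatchingRuleUse"))
```

The tokenizer is deliberately strict about coverage: a stray quote or control character anywhere in the value raises instead of being skipped, which is the behaviour you want before a description from an untrusted client is stored into a subschema entry.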
6.2.1.10. SubtreeSpecification

Values of this syntax are encoded according to the following BNF:

<SubtreeSpecification> ::= '(' [<localname>] '#'
    [<exclusionlist>] '#'
    [<minimum>] '#' [<maximum>] '#'
    [<refinement>] ')'

<localname> ::= <DistinguishedName>

<exclusionlist> ::= '(' <exclusions> ')'

<exclusions> ::= <exclusion> | <exclusion> '$' <exclusions>

<exclusion> ::= ( 'before ' <DistinguishedName> ) |
    ( 'after ' <DistinguishedName> )

<minimum> ::= <numericstring>

<maximum> ::= <numericstring>

<refinement> ::= <oid> | '!' <refinement> |
    '( &' <refinements> ')' |
    '( |' <refinements> ')'

<refinements> ::= <refinement> | <refinement> '$' <refinements>
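A subtree specification is what an access control or collective attribute subentry uses to say which entries it governs, so a server has to parse it exactly and then evaluate it per entry. The following Python is an added example, not code from the draft or from any directory implementation: it parses the string form above, including the recursive <refinement> grammar, and decides whether an entry at a given depth with a given set of object classes is inside the subtree. Assumptions, beyond what the BNF states: distinguished names in the exclusion list contain no unescaped '#' or '$'; the caller supplies the entry's depth below the subtree base as an integer; exclusions are parsed but not applied, since that requires full DN comparison; the sample specification is constructed.

```python
import re

# Added example, not from the draft: parse the SubtreeSpecification string
# form and decide whether an entry is within the specified subtree.
# Assumptions: DNs in the exclusion list contain no unescaped '#' or '$';
# chop (minimum/maximum) is checked from a caller-supplied depth below the
# base; exclusions are parsed but not applied (that needs DN comparison).


def _split_fields(body):
    """Split on '#' characters that are not inside parentheses."""
    fields, cur, depth = [], [], 0
    for ch in body:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')'")
        if ch == "#" and depth == 0:
            fields.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if depth != 0:
        raise ValueError("unbalanced '('")
    fields.append("".join(cur).strip())
    return fields


def _parse_exclusions(text):
    """'(' ('before '|'after ') dn [ '$' ... ] ')' -> [(kind, dn), ...]"""
    if not text:
        return []
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("exclusion list must be parenthesised")
    out = []
    for item in text[1:-1].split("$"):
        kind, _, dn = item.strip().partition(" ")
        if kind not in ("before", "after") or not dn.strip():
            raise ValueError(f"bad exclusion {item.strip()!r}")
        out.append((kind, dn.strip()))
    return out


def _parse_refinement(tokens, pos):
    """Recursive descent over <refinement>; returns (tree, next position)."""
    if pos >= len(tokens):
        raise ValueError("unexpected end of refinement")
    tok = tokens[pos]
    if tok == "!":
        sub, pos = _parse_refinement(tokens, pos + 1)
        return ("not", sub), pos
    if tok == "(":
        if pos + 1 >= len(tokens) or tokens[pos + 1] not in ("&", "|"):
            raise ValueError("expected '&' or '|' after '('")
        op, pos, subs = ("and" if tokens[pos + 1] == "&" else "or"), pos + 2, []
        while True:
            sub, pos = _parse_refinement(tokens, pos)
            subs.append(sub)
            if pos < len(tokens) and tokens[pos] == "$":
                pos += 1
            else:
                break
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("expected ')' to close refinement")
        return (op, subs), pos + 1
    if tok in (")", "&", "|", "$"):
        raise ValueError(f"unexpected {tok!r} in refinement")
    return ("oc", tok), pos + 1          # an object class name or OID


def parse_refinement(text):
    if not re.fullmatch(r"[\s()&|!$A-Za-z0-9.\-]*", text):
        raise ValueError("illegal character in refinement")
    tokens = re.findall(r"[()&|!$]|[A-Za-z0-9.\-]+", text)
    tree, pos = _parse_refinement(tokens, 0)
    if pos != len(tokens):
        raise ValueError("trailing tokens in refinement")
    return tree


def eval_refinement(tree, object_classes):
    """True if an entry carrying the given object classes is selected."""
    kind, arg = tree
    if kind == "oc":
        return arg in object_classes
    if kind == "not":
        return not eval_refinement(arg, object_classes)
    if kind == "and":
        return all(eval_refinement(s, object_classes) for s in arg)
    return any(eval_refinement(s, object_classes) for s in arg)


def parse_subtree_specification(text):
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("SubtreeSpecification must be parenthesised")
    fields = _split_fields(text[1:-1])
    if len(fields) != 5:
        raise ValueError(f"expected 5 '#'-separated fields, got {len(fields)}")
    local, excl, minimum, maximum, refinement = fields
    for n in (minimum, maximum):
        if n and not n.isdigit():
            raise ValueError("minimum and maximum must be numeric strings")
    return {
        "localname": local or None,
        "exclusions": _parse_exclusions(excl),
        "minimum": int(minimum) if minimum else 0,
        "maximum": int(maximum) if maximum else None,
        "refinement": parse_refinement(refinement) if refinement else None,
    }


def entry_in_scope(spec, depth, object_classes):
    """depth = number of RDNs between the subtree base and the entry (0 = base)."""
    if depth < spec["minimum"]:
        return False
    if spec["maximum"] is not None and depth > spec["maximum"]:
        return False
    if spec["refinement"] is None:
        return True
    return eval_refinement(spec["refinement"], object_classes)


# Constructed sample (not from the draft): subtree under ou=people, chopped to
# depths 1..3, two branches excluded, persons that are not organizationalPersons
SAMPLE = ("( ou=people # ( before cn=old,ou=people $ after cn=new,ou=people )"
          " # 1 # 3 # ( & person $ ! organizationalPerson ) )")

if __name__ == "__main__":
    spec = parse_subtree_specification(SAMPLE)
    print(spec)
    print(entry_in_scope(spec, 2, {"top", "person"}))
```

Note that an empty specification, "( # # # # )", selects every entry below the base at any depth: a subentry carrying it with no refinement applies to the whole subtree, which is the reading a reviewer of an access control subentry should assume.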
6.2.1.11. SupplierInformation

Values of this syntax are encoded according to the following BNF:

<SupplierInformation> ::=
    -- supplier is master --
    '(' 'master' '#' <SupplierOrConsumer> ')' |
    -- supplier is not master, master unspecified --
    '(' 'shadow' '#' <SupplierOrConsumer> ')' |
    -- supplier is not master, master specified --
    ['('] 'shadow' '#' <SupplierOrConsumer> '#' <AccessPoint> [')']

6.2.1.12. SupplierOrConsumer

Values of this syntax are encoded according to the following BNF:

<SupplierOrConsumer> ::= <Agreement> '#' <AccessPoint>

<Agreement> ::= <bindingid> '.' <bindingversion>

<bindingid> ::= <numericstring>

<bindingversion> ::= <numericstring>

6.2.1.13. SupplierAndConsumers

Values of this syntax are encoded according to the following BNF:

<SupplierAndConsumers> ::= <Supplier> '#' <Consumers>

<Supplier> ::= <AccessPoint>

<Consumers> ::= <AccessPoint> | '(' <AccessPointList> ')'

<AccessPointList> ::= <AccessPoint> |
    <AccessPoint> '$' <AccessPointList>

6.2.1.14. ProtocolInformation

A value with the ProtocolInformation syntax is encoded according to the

<ProtocolInformation> ::= <NetworkAddress> <space> '#'
    <SetOfProtocolIdentifiers>

<NetworkAddress> ::= As appears in PresentationAddress

<SetOfProtocolIdentifiers> ::= <ProtocolIdentifier> |
    '(' <ProtocolIdentifiers> ')'
<ProtocolIdentifiers> ::= <ProtocolIdentifier> |
    <ProtocolIdentifier> '$' <ProtocolIdentifiers>

<ProtocolIdentifier> ::= <oid>

For example:

NS+12345678 # 1.2.3.4.5

6.2.2. LDAP-defined Syntaxes

There is currently one syntax defined here.

This syntax is a printable encoding of the following ASN.1 data type:

ModifyRight ::= SEQUENCE {
    item CHOICE {
        entry [0] NULL,
        attribute [1] AttributeType,
        value [2] AttributeValueAssertion },
    permission [3] BIT STRING { add(0), remove(1), rename(2), move(3) } }

The syntax is encoded according to the following BNF:

<ModifyRight> ::= [<perm-list>] <octo> <item>
-- perm-list is absent when none of the bits in permission are set

<item> ::= <entry> | <attribute> | <value>

<entry> ::= 'entry'

<attribute> ::= 'attribute' <dollar> <attributetype>

<value> ::= 'value' <dollar> <attributetype> <dollar> <strvalue>
-- <strvalue> is the string encoding of the value

<perm-list> ::= <perm> | <perm> <dollar> <perm-list>
-- one or more of the bits in permission, if set

<perm> ::= 'add' | 'remove' | 'rename' | 'move'

<octo> ::= [ <whsp> ] '#' [ <whsp> ]

<dollar> ::= [ <whsp> ] '$' [ <whsp> ]
Examples:

add $ remove # attribute $ cn
add $ remove # attribute $ sn
remove # value $ memberName $ CN=Babs, O=Michigan, C=US
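Because ModifyRight values describe what a client is permitted to change, a client that misparses them will either over-report or under-report its own rights. The following Python is an added example, not code from the draft or from any LDAP implementation: it decodes the string form above (using the draft's own example values as input), re-encodes it canonically, and produces the DER encoding of the ASN.1 permission BIT STRING. It assumes that the first '#' in the value separates the permission list from the item, since neither a <perm> nor an <attributetype> can contain '#', and that <strvalue> is taken verbatim after the second <dollar>, so a value may itself contain '$' or '#'. The DER rule applied, that trailing zero bits of a named bit list are dropped, is from X.690.

```python
# Added example, not from the draft: decode and re-encode the ModifyRight
# string form, and DER-encode the ASN.1 'permission' BIT STRING.
# Assumptions: the first '#' separates permissions from the item (no <perm>
# or <attributetype> contains '#'); <strvalue> is taken verbatim, so it may
# contain '$' or '#'.

PERMISSION_NAMES = ("add", "remove", "rename", "move")   # named bits 0..3


def parse_modify_right(text):
    """Return {'permissions': set of names, 'item': tuple}; ValueError if malformed."""
    if "#" not in text:
        raise ValueError("missing '#' between permission list and item")
    perm_part, _, item_part = text.partition("#")
    perms = set()
    if perm_part.strip():
        for p in (x.strip() for x in perm_part.split("$")):
            if p not in PERMISSION_NAMES:
                raise ValueError(f"unknown permission {p!r}")
            if p in perms:
                raise ValueError(f"duplicate permission {p!r}")
            perms.add(p)
    # at most three '$'-separated parts; any further '$' belongs to <strvalue>
    parts = [x.strip() for x in item_part.split("$", 2)]
    kind = parts[0]
    if kind == "entry" and len(parts) == 1:
        item = ("entry",)
    elif kind == "attribute" and len(parts) == 2 and parts[1]:
        item = ("attribute", parts[1])
    elif kind == "value" and len(parts) == 3 and parts[1]:
        item = ("value", parts[1], parts[2])
    else:
        raise ValueError(f"malformed item {item_part.strip()!r}")
    return {"permissions": perms, "item": item}


def format_modify_right(right):
    """Canonical string form: permissions in bit order, single spaces."""
    perms = " $ ".join(n for n in PERMISSION_NAMES if n in right["permissions"])
    item = " $ ".join(right["item"])
    return f"{perms} # {item}" if perms else f"# {item}"


def permission_der(perms):
    """DER encoding of the permission BIT STRING. DER drops the trailing
    zero bits of a named bit list (X.690 11.2.2), so {add, remove} encodes
    as 03 02 06 C0 and an empty set as 03 01 00."""
    bits = [1 if n in perms else 0 for n in PERMISSION_NAMES]
    while bits and bits[-1] == 0:
        bits.pop()
    padded = bits + [0] * (-len(bits) % 8)
    body = bytes(int("".join(map(str, padded[i:i + 8])), 2)
                 for i in range(0, len(padded), 8))
    content = bytes([len(padded) - len(bits)]) + body   # unused-bits octet first
    return b"\x03" + bytes([len(content)]) + content


EXAMPLES = [  # the draft's own example values
    "add $ remove # attribute $ cn",
    "add $ remove # attribute $ sn",
    "remove # value $ memberName $ CN=Babs, O=Michigan, C=US",
]

if __name__ == "__main__":
    for s in EXAMPLES:
        r = parse_modify_right(s)
        print(format_modify_right(r), permission_der(r["permissions"]).hex())
```

A value with no permission list ("# entry") parses to an empty permission set, which is the encoding the BNF comment prescribes when no bit is set; treating it as an error would make a client believe it has rights it does not.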
The following object classes may be recognized.

( 2.5.17.0 NAME 'subentry' SUP top STRUCTURAL
    MUST ( cn $ subtreeSpecification ) )

( 2.5.17.1 NAME 'accessControlSubentry' AUXILIARY )

( 2.5.17.2 NAME 'collectiveAttributeSubentry' AUXILIARY )

( 2.5.20.1 NAME 'subschema' AUXILIARY
    MAY ( dITStructureRules $ nameForms $ ditContentRules $
    objectClasses $ attributeTypes $ matchingRules $ matchingRuleUse ) )

Only servers which implement the attribute types which reference these
matching rules in their definition are required to implement these rules.

The definitions of the rules can be found in [2] and [3].

Matching rule name                    OID
===================================== ===========
caseIgnoreOrderingMatch               2.5.13.3
caseIgnoreSubstringsMatch             2.5.13.4
caseExactMatch                        2.5.13.5
caseExactOrderingMatch                2.5.13.6
caseExactSubstringsMatch              2.5.13.7
numericStringOrderingMatch            2.5.13.9
numericStringSubstringsMatch          2.5.13.10
caseIgnoreListSubstringsMatch         2.5.13.12
booleanMatch                          2.5.13.13
integerOrderingMatch                  2.5.13.15
octetStringOrderingMatch              2.5.13.18
octetStringSubstringsMatch            2.5.13.19
telephoneNumberSubstringsMatch        2.5.13.21
presentationAddressMatch              2.5.13.22
uniqueMemberMatch                     2.5.13.23
protocolInformationMatch              2.5.13.24
uTCTimeMatch                          2.5.13.25
uTCTimeOrderingMatch                  2.5.13.26
generalizedTimeOrderingMatch          2.5.13.28
integerFirstComponentMatch            2.5.13.29
objectIdentifierFirstComponentMatch   2.5.13.30
directoryStringFirstComponentMatch    2.5.13.31
keywordMatch                          2.5.13.33
accessPointMatch                      2.5.14.0
masterAndShadowAccessPointsMatch      2.5.14.1
supplierOrConsumerInformationMatch    2.5.14.2
supplierAndConsumersMatch             2.5.14.3

The string 'excludeAllCollectiveAttributes' is defined as a synonym
for the OID 2.5.18.0. It would typically be used as a value of the
collectiveExclusions attribute.

7. Other Optional Definitions

7.1. Attribute Types

7.1.1. Obsolete Attributes

Implementors must use modifyTimestamp and modifiersName instead.

( 0.9.2342.19200300.100.1.23 NAME 'lastModifiedTime' OBSOLETE

( 0.9.2342.19200300.100.1.24 NAME 'lastModifiedBy' OBSOLETE
    EQUALITY distinguishedNameMatch SYNTAX 'DN' )

Values of type MHSORAddress are encoded as strings, according to
the format defined in [10].

7.2.2 DLSubmitPermission

Values of type DLSubmitPermission are encoded as strings, according
to the following BNF:

<dlsubmit-perm> ::= <dlgroup-label> ':' <dlgroup-value>
    | <dl-label> ':' <dl-value>

<dlgroup-label> ::= 'group_member'

<dlgroup-value> ::= <name>

<name> ::= an encoded Distinguished Name

<dl-label> ::= 'individual' | 'dl_member' | 'pattern'

<dl-value> ::= <orname>
<orname> ::= <address> '#' <dn>

<address> ::= <add-label> ':' <oraddress>

<dn> ::= <dn-label> ':' <name>

<add-label> ::= 'X400'

where <oraddress> is as defined in RFC 1327.

7.3.1. Obsolete Classes

( 0.9.2342.19200300.100.4.22 NAME 'oldQualityLabelledData' SUP top
    STRUCTURAL MUST dSAQuality
    MAY ( subtreeMaximumQuality $ subtreeMinimumQuality ) )

The oldQualityLabelledData object class is historical and must not be
used for defining new objects.

7.3.2. extensibleObject

( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject'
    SUP top AUXILIARY )

This class, if present in an entry, permits that entry to optionally
hold any attribute. The MAY attribute list of this class is implicitly
the set of all attributes known to the server. The mandatory attributes
of the other object classes of this entry are still required to be

Note that not all servers will implement this object class, and those
which do not will reject requests to add entries which contain this
object class, or modify an entry to add this object class. Servers which
do implement it should note that, for such an entry, the object class
check no longer bounds which attribute types a client may add, so it
cannot be relied on to keep unexpected attributes out of the entry.

7.4.1. caseIgnoreIA5SubstringsMatch

( 1.3.6.1.4.1.1466.109.114.3
    NAME 'caseIgnoreIA5SubstringsMatch' SYNTAX 'IA5String' )

This matching rule may be used to compare components of an IA5 string
against an attribute whose values have IA5 string syntax.

8. Security Considerations

Security issues are not discussed in this memo.
This document is based substantially on RFC 1778, written by Tim Howes,
Steve Kille, Wengyik Yeong and Colin Robbins.

Many of the attribute syntax encodings defined in this document are
adapted from those used in the QUIPU and the IC R3 X.500
implementations. The contributions of the authors of both these
implementations in the specification of syntaxes in this document are
gratefully acknowledged.

10. Authors Addresses

4815 West Braker Lane #502-385

EMail: M.Wahl@critical-angle.com

The Dome, The Square

Phone: +44 181-332-9091
EMail: A.Coulbeck@isode.com

Netscape Communications Corp.
501 E. Middlefield Rd
Mountain View, CA 94043

Phone: +1 415 254-1900
EMail: howes@netscape.com

The Dome, The Square

Phone: +44 181-332-9091
EMail: S.Kille@isode.com
[1] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access Protocol
(Version 3)", INTERNET-DRAFT <draft-ietf-asid-ldapv3-protocol-03.txt>.

[2] The Directory: Selected Attribute Types. ITU-T Recommendation
X.520, 1993.

[3] The Directory: Models. ITU-T Recommendation X.501, 1993.

[4] P. Barker, S. Kille, "The COSINE and Internet X.500 Schema", RFC
1274, November 1991.

[5] M. Wahl, S. Kille, "A UTF-8 String Representation of Distinguished
Names", INTERNET-DRAFT <draft-ietf-asid-ldapv3-dn-00.txt>, August 1996.

[6] S. Kille, "A String Representation for Presentation Addresses",
RFC 1278, University College London, November 1991.

[7] Terminal Equipment and Protocols for Telematic Services -
Standardization of Group 3 facsimile apparatus for document
transmission. CCITT, Recommendation T.4.

[8] JPEG File Interchange Format (Version 1.02). Eric Hamilton,
C-Cube Microsystems, Milpitas, CA, September 1, 1992.

[9] The Directory: Selected Object Classes. ITU-T Recommendation
X.521, 1993.

[10] H. Alvestrand, S. Kille, R. Miles, M. Rose, S. Thompson,
"Mapping between X.400 and RFC-822 Message Bodies", RFC 1495,
August 1993.

[11] M. Davis, UTF-8, (WG2 N1036) DAM for ISO/IEC 10646-1.

[12] Universal Multiple-Octet Coded Character Set (UCS) - Architecture
and Basic Multilingual Plane, ISO/IEC 10646-1 : 1993.

[13] The Directory: Authentication Framework. ITU-T Recommendation
X.509, 1993.

[14] Abstract Syntax Notation One (ASN.1) - Specification of Basic
Notation. ITU-T Recommendation X.680, 1994.