import drafts

[openldap] / doc / drafts / draft-ietf-ldapbis-user-schema-xx.txt

INTERNET-DRAFT                                          K. Dally, Editor
Intended Category:  Standard Track                       The MITRE Corp.
Expires:  October 2003                                        April 2003
Updates:  RFC 2247
Obsoletes:  RFC 2256


                           LDAP:  User Schema
                  <draft-ietf-ldapbis-user-schema-05>


Status of this Memo

   This document is an Internet-Draft and is in full conformance with 
   all provisions of Section 10 of RFC 2026.

   This document is intended to be, after appropriate review and
   revision, submitted to the RFC Editor as a Standard Track document.
   Distribution of this memo is unlimited.  Technical discussion of 
   this document will take place on the IETF LDAP Revision Working 
   Group (LDAPbis) mailing list <ietf-ldapbis@openldap.org>.  Please 
   send editorial comments directly to the author <kdally@mitre.org>.

   Internet-Drafts are working documents of the Internet Engineering 
   Task Force (IETF), its areas, and its working groups.  Note that 
   other groups may also distribute working documents as 
   Internet-Drafts.  Internet-Drafts are draft documents valid for a 
   maximum of six months and may be updated, replaced, or obsoleted by 
   other documents at any time.  It is inappropriate to use 
   Internet-Drafts as reference material or to cite them other than as 
   "work in progress."

   The list of current Internet-Drafts can be accessed at 
   http://www.ietf.org/ietf/1id-abstracts.txt.  

   The list of Internet-Draft Shadow Directories can be accessed at 
   http://www.ietf.org/shadow.html.


Copyright Notice

   Copyright 2003, The Internet Society.  All Rights Reserved.


Abstract

   This document is a integral part of the LDAP technical specification 
   [ROADMAP].  It provides an overview of attribute types and object 
   classes intended for use by LDAP directory clients for many 
   directory services, such as, White Pages.  Originally specified the 
   ISO/IEC 9594 and X.500 documents, these objects are widely used as a 
   basis for the schema in many LDAP directories.  This document does 
   not cover attributes used for the administration of directory 
   servers, nor does it include directory objects defined for specific 
   uses in other documents.  


Dally                    Expires October 2003                   [Page 1]
INTERNET-DRAFT     draft-ietf-ldapbis-user-schema-05          April 2003


                           Table of Contents

Status of this Memo                                                    1

Copyright Notice                                                       1

Abstract                                                               1

Table of Contents                                                      2

1.  Introduction                                                       4
    1.1  Situation                                                     4
    1.2  Conventions                                                   4
    1.3  General Issues                                                4
    1.4  Source                                                        5

2.  Attribute Types                                                    5
    2.1  businessCategory                                              5
    2.2  c                                                             5
    2.3  cn                                                            6
    2.4  dc                                                            6
    2.5  description                                                   6
    2.6  destinationIndicator                                          6
    2.7  distinguishedName                                             7
    2.8  dnQualifier                                                   7
    2.9  enhancedSearchGuide                                           7
    2.10 facsimileTelephoneNumber                                      7
    2.11 generationQualifier                                           8
    2.12 givenName                                                     8
    2.13 houseIdentifier                                               8
    2.14 initials                                                      8
    2.15 internationalISDNNumber                                       8
    2.16 l                                                             9
    2.17 member                                                        9
    2.18 name                                                          9
    2.19 o                                                             9
    2.20 ou                                                            9
    2.21 owner                                                        10
    2.22 physicalDeliveryOfficeName                                   10
    2.23 postalAddress                                                10
    2.24 postalCode                                                   10
    2.25 postOfficeBox                                                10
    2.26 preferredDeliveryMethod                                      11
    2.27 registeredAddress                                            11
    2.28 roleOccupant                                                 11
    2.29 searchGuide                                                  11
    2.30 seeAlso                                                      12
    2.31 serialNumber                                                 12
    2.32 sn                                                           12
    2.33 st                                                           12
    2.34 street                                                       12
    2.35 telephoneNumber                                              12


Dally                    Expires October 2003                   [Page 2]
INTERNET-DRAFT     draft-ietf-ldapbis-user-schema-05          April 2003


    2.36 teletexTerminalIdentifier                                    13
    2.37 telexNumber                                                  13
    2.38 title                                                        13
    2.39 uniqueMember                                                 13
    2.40 userPassword                                                 14
    2.41 x121Address                                                  14
    2.42 x500UniqueIdentifier                                         14

3.  Object Classes                                                    15
    3.1  applicationProcess                                           15
    3.2  country                                                      15
    3.3  device                                                       15
    3.4  domain                                                       15
    3.5  groupOfNames                                                 16
    3.6  groupOfUniqueNames                                           16
    3.7  locality                                                     17
    3.8  organization                                                 17
    3.9  organizationalPerson                                         17
    3.10 organizationalRole                                           18
    3.11 organizationalUnit                                           18
    3.12 person                                                       18
    3.13 residentialPerson                                            19

4.  IANA Considerations                                               19

5.  Security Considerations                                           19

6.  Acknowledgements                                                  19

7.  References                                                        20
    7.1  Normative                                                    20
    7.2  Informative                                                  20

8.  Author's Address                                                  21

9.  Full Copyright Statement                                          21


















Dally                    Expires October 2003                   [Page 3]
INTERNET-DRAFT     draft-ietf-ldapbis-user-schema-05          April 2002


1.  Introduction

   This document provides an overview of attribute types and object 
   classes intended for use by LDAP directory clients for many 
   directory services, such as, White Pages.  Originally specified in 
   the ISO/IEC 9594 and X.500 documents, these objects are widely used 
   as a basis for the schema in many LDAP directories.  This document 
   does not cover attributes used for the administration of directory 
   servers, nor does it include directory objects defined for specific 
   uses in other documents.

1.1  Situation

   This document is a integral part of the LDAP technical specification 
   [ROADMAP] which obsoletes the previously defined LDAP technical 
   specification [RFC3377] in its entirety.  In terms of RFC 2256, 
   Sections 6 and 8 of RFC 2256 are obsoleted by [Syntaxes].  
   Sections 5.1, 5.2, 7.1 and 7.2 of RFC 2256 are obsoleted by [Models].
   The remainder of RFC 2256 is obsoleted by this document.  Sections 
   3.4 and 4.4 of this document supercede the technical specifications 
   for the 'dc' attribute type and 'domain' object class found in 
   RFC 2247.  The remainder of RFC 2247 remains in force.

   A number of schema elements which were included in the previous 
   revision of the LDAP Technical Specification are not included in this
   revision of LDAP.  PKI-related schema elements are now specified in 
   [LDAP-PKI].  Unless reintroduced in future technical specifications, 
   the remainder are to be considered Historic.

1.2  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

1.3  General Issues

   This document references Syntaxes given in Section 3 of [Syntaxes] 
   and Matching Rules specified in Section 4 of [Syntaxes].

   The definitions of Attribute Types and Object Classes are written 
   using the ABNF form of AttributeTypeDescription and 
   ObjectClassDescription given in [Models].  Lines have been folded 
   for readability.










Dally                    Expires October 2003                   [Page 4]
INTERNET-DRAFT     draft-ietf-ldapbis-user-schema-05          April 2003


1.4  Source

   The schema definitions in this document are based on those found in 
   the X.500-series [X.520] and [X.521] and RFC 2247 [RFC2247], 
   specifically:

        Sections             Source
        ============         ==================
        2.1 - 2.3            X.520 [X.520]
        2.4                  RFC 2247 [RFC2247]
        2.5 - 2.42           X.520 [X.520]
        3.1  - 3.3           X.521 [X.521]
        3.4                  RFC 2247 [RFC2247]
        3.5 - 3.13           X.521 [X.521]


2. Attribute Types

   The Attribute Types contained in this section hold user information.

   There is no requirement that servers implement the following 
   Attribute Types: 

       searchGuide
       teletexTerminalIdentifier

   In fact, their use is greatly discouraged.

   An LDAP server implementation SHOULD recognize the rest of the 
   Attribute Types described in this section.

2.1  businessCategory

   This Attribute Type describes the kind of business performed by 
   an organization.

   ( 2.5.4.15 NAME 'businessCategory' 
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) 

   The SYNTAX oid indicates the Directory String syntax.

2.2  c

   This is the X.520 [X.520] countryName Attribute Type, which contains 
   a two-letter ISO 3166 [ISO3166]country code.

   ( 2.5.4.6 NAME 'c' 
      SUP name 
      SINGLE-VALUE )



Dally                    Expires October 2003                   [Page 5]
INTERNET-DRAFT     draft-ietf-ldapbis-user-schema-05          April 2003


2.3  cn

   This is the X.520 [X.520] commonName Attribute Type, which contains 
   a name of an object.  If the object corresponds to a person, it is 
   typically the person's full name.

   ( 2.5.4.3 NAME 'cn' 
      SUP name )

2.4  dc

   The dc (short for domainComponent) attribute type is defined as 
   follows:

   ( 0.9.2342.19200300.100.1.25 NAME 'dc' 
      EQUALITY caseIgnoreIA5Match
      SUBSTR caseIgnoreIA5SubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 
      SINGLE-VALUE )

   The value of this attribute is a string holding one component of a 
   DNS domain name.  The encoding of IA5String for use in LDAP is simply
   the characters of the string itself.  The equality matching rule is 
   case insensitive, as is today's DNS.

2.5  description

   This Attribute Type contains a human-readable description of 
   the object. 

   ( 2.5.4.13 NAME 'description' 
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} ) 

   The SYNTAX oid indicates the Directory String syntax.

2.6  destinationIndicator

   This attribute is used for the telegram service.

   ( 2.5.4.27 NAME 'destinationIndicator' 
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} ) 

   The SYNTAX oid indicates the Printable String syntax.







Dally                    Expires October 2003                   [Page 6]
INTERNET-DRAFT     draft-ietf-ldapbis-user-schema-05          April 2003


2.7  distinguishedName

   This Attribute Type is not used as the name of the object itself, 
   but it is instead a base type from which attributes with DN syntax 
   inherit.

   It is unlikely that values of this type itself will occur in an 
   entry.  LDAP server implementations which do not support attribute 
   subtyping need not recognize this attribute in requests.  Client 
   implementations MUST NOT assume that LDAP servers are capable of 
   performing attribute subtyping.

   ( 2.5.4.49 NAME 'distinguishedName' 
      EQUALITY distinguishedNameMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

   The SYNTAX oid indicates the DN syntax.

2.8  dnQualifier

   The dnQualifier Attribute Type specifies disambiguating information 
   to add to the relative distinguished name of an entry.  It is 
   intended for use when merging data from multiple sources in order to 
   prevent conflicts between entries which would otherwise have the same
   name.  It is recommended that the value of the dnQualifier attribute 
   be the same for all entries from a particular source.

   ( 2.5.4.46 NAME 'dnQualifier' 
      EQUALITY caseIgnoreMatch
      ORDERING caseIgnoreOrderingMatch 
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 ) 

   The SYNTAX oid indicates the Printable String syntax.

2.9  enhancedSearchGuide

   This attribute is for use by X.500 clients in constructing search 
   filters.

   ( 2.5.4.47 NAME 'enhancedSearchGuide'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 ) 

   The SYNTAX oid indicates the Enhanced Guide syntax.

2.10  facsimileTelephoneNumber

   A value of this Attribute Type is a telephone number for a facsimile 
   terminal (and, optionally, its parameters).

   ( 2.5.4.23 NAME 'facsimileTelephoneNumber'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 ) 


Dally                    Expires October 2003                   [Page 7]
INTERNET-DRAFT     draft-ietf-ldapbis-user-schema-05          April 2003


   The SYNTAX oid indicates the Facsimile Telephone Number syntax.

2.11  generationQualifier

   The generationQualifier Attribute Type contains the part of a 
   person's name which typically is the suffix, as in "IIIrd".

   ( 2.5.4.44 NAME 'generationQualifier' 
      SUP name )

2.12  givenName

   The givenName Attribute Type is used to hold the part of a person's 
   name which is not their surname nor middle name.

   ( 2.5.4.42 NAME 'givenName' 
      SUP name )

2.13  houseIdentifier

   This Attribute Type is used to identify a building within a location.

   ( 2.5.4.51 NAME 'houseIdentifier' 
      EQUALITY caseIgnoreMatch 
      SUBSTR caseIgnoreSubstringsMatch 
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) 

   The SYNTAX oid indicates the Directory String syntax.

2.14  initials

   The initials Attribute Type contains the initials of some or all of 
   an individuals names, except the surname(s).

    ( 2.5.4.43 NAME 'initials' 
      SUP name )

2.15  internationalISDNNumber

   A value of this Attribute Type is an ISDN address, as defined in 
   ITU Recommendation E.164 [E.164].

   ( 2.5.4.25 NAME 'internationalISDNNumber' 
      EQUALITY numericStringMatch 
      SUBSTR numericStringSubstringsMatch 
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} ) i

   The SYNTAX oid indicates the Numeric String syntax.






Dally                    Expires October 2003                   [Page 8]
INTERNET-DRAFT     draft-ietf-ldapbis-user-schema-05          April 2003


2.16  l

   This is the X.520 [X.520] localityName Attribute Type, which 
   contains the name of a locality or place, such as a city, county or 
   other geographic region.

    ( 2.5.4.7 NAME 'l' 
      SUP name )

2.17  member

   A value of this Attribute Type is the Distinguished Name of an 
   object that is on a list or in a group.

   ( 2.5.4.31 NAME 'member' 
      SUP distinguishedName )

2.18  name

   The name Attribute Type is the attribute supertype from which string 
   Attribute Types typically used for naming may be formed.  It is 
   unlikely that values of this type itself will occur in an entry.  
   LDAP server implementations which do not support attribute subtyping 
   need not recognize this attribute in requests.  Client 
   implementations MUST NOT assume that LDAP servers are capable of 
   performing attribute subtyping.

   ( 2.5.4.41 NAME 'name' 
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) 

   The SYNTAX oid indicates the Directory String syntax.

2.19  o

   This is the X.520 [X.520] organizationName Attribute Type, which 
   contains the name of an organization.

   ( 2.5.4.10 NAME 'o' 
      SUP name )

2.20  ou

   This is the X.520 [X.520] organizationalUnitName Attribute Type, 
   which contains the name of an organizational unit.

    ( 2.5.4.11 NAME 'ou' 
      SUP name )





Dally                    Expires October 2003                   [Page 9]
INTERNET-DRAFT     draft-ietf-ldapbis-user-schema-05          April 2003


2.21  owner

   A value of this Attribute Type is the Distinguished Name of an 
   object that has an ownership responsibility for the object that 
   is owned.

    ( 2.5.4.32 NAME 'owner' 
      SUP distinguishedName )

2.22  physicalDeliveryOfficeName

   This attribute contains the name that a Postal Service uses to 
   identify a post office.

   ( 2.5.4.19 NAME 'physicalDeliveryOfficeName' 
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) 

   The SYNTAX oid indicates the Directory String syntax.

2.23  postalAddress

   This attribute contains an address used by a Postal Service to 
   perform services for the object.

   ( 2.5.4.16 NAME 'postalAddress' 
      EQUALITY caseIgnoreListMatch
      SUBSTR caseIgnoreListSubstringsMatch
      SYNTAX 1.5.6.1.4.1.1466.115.121.1.41 ) 

   The SYNTAX oid indicates the Postal Address syntax.

2.24  postalCode

   This attribute contains a code used by a Postal Service to identify 
   a postal service zone, such as the southern quadrant of a city.

   ( 2.5.4.17 NAME 'postalCode' 
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.5.6.1.4.1.1466.115.121.1.15{40} ) 

   The SYNTAX oid indicates the Directory String syntax.

2.25  postOfficeBox

   This attribute contains the number that a Postal Service uses when a 
   customer arranges to receive mail at a box on premises of the Postal 
   Service.




Dally                   Expires October 2003                   [Page 10]
INTERNET-DRAFT     draft-ietf-ldapbis-user-schema-05          April 2003


   ( 2.5.4.18 NAME 'postOfficeBox' 
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.5.6.1.4.1.1466.115.121.1.15{40} ) 

   The SYNTAX oid indicates the Directory String syntax.

2.26  preferredDeliveryMethod

   This attribute contains an indication of the preferred method of 
   getting a message to the object.

   ( 2.5.4.28 NAME 'preferredDeliveryMethod'
      SYNTAX 1.5.6.1.4.1.1466.115.121.1.14 
      SINGLE-VALUE )

   The SYNTAX oid indicates the Delivery Method syntax.

2.27  registeredAddress

   This attribute holds a postal address suitable for reception of 
   telegrams or expedited documents, where it is necessary to have the 
   recipient accept delivery.

   ( 2.5.4.26 NAME 'registeredAddress' 
      SUP postalAddress
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 ) 

   The SYNTAX oid indicates the Postal Address syntax.

2.28  roleOccupant

   A value of this Attribute Type is the Distinguished Name of an 
   object (normally a person) that fulfills the responsibilities of a 
   role object.

   ( 2.5.4.33 NAME 'roleOccupant' 
      SUP distinguishedName )

2.29  searchGuide

   This Attribute Type is for use by clients in constructing search 
   filters.  It is superseded by enhancedSearchGuide, described above 
   in section 2.9.

   ( 2.5.4.14 NAME 'searchGuide'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )  ; Guide

The SYNTAX oid indicates the Guide syntax.





Dally                   Expires October 2003                   [Page 11]
INTERNET-DRAFT     draft-ietf-ldapbis-user-schema-05          April 2003


2.30  seeAlso

   A value of this Attribute Type is the Distinguished Name of an 
   object that is related to the subject object.

    ( 2.5.4.34 NAME 'seeAlso' 
      SUP distinguishedName )

2.31  serialNumber

   This attribute contains the serial number of a device.

    ( 2.5.4.5 NAME 'serialNumber' 
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} ) 

   The SYNTAX oid indicates the Printable String syntax.

2.32  sn

   This is the X.520 [X.520] surname Attribute Type, which contains the 
   family name of a person.

   ( 2.5.4.4 NAME 'sn' 
      SUP name )

2.33  st

   This is the X.520 [X.520] stateOrProvinceName attribute, which 
   contains the full name of a state or province.

   ( 2.5.4.8 NAME 'st' 
      SUP name )

2.34  street

   This is the X.520 [X.520] streetAddress attribute, which contains the
   physical address of the object to which the entry corresponds, such 
   as an address for package delivery.

   ( 2.5.4.9 NAME 'street' 
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) 

   The SYNTAX oid indicates the Directory String syntax.

2.35  telephoneNumber

   A value of this Attribute Type is a telephone number complying with 
   ITU Recommendation E.123 [E.123].


Dally                   Expires October 2003                   [Page 12]
INTERNET-DRAFT     draft-ietf-ldapbis-user-schema-05          April 2003


   ( 2.5.4.20 NAME 'telephoneNumber' 
     EQUALITY telephoneNumberMatch
     SUBSTR telephoneNumberSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} ) 

   The SYNTAX oid indicates the Telephone Number syntax.

2.36  teletexTerminalIdentifier

   The withdrawal of Rec. F.200 has resulted in the withdrawal of this 
   attribute. 

   ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 ) 

   The SYNTAX oid indicates the Teletex Terminal Identifier syntax.

2.37  telexNumber

   A value of this Attribute Type is a telex number, country code, and 
   answerback code of a telex terminal.

   ( 2.5.4.21 NAME 'telexNumber'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 ) 

   The SYNTAX oid indicates the Telex Number syntax.

2.38  title

   This attribute contains the title, such as "Vice President", of a 
   person in their organizational context.  The "personalTitle"
   attribute would be used for a person's title independent of their 
   job function.

   ( 2.5.4.12 NAME 'title' 
      SUP name )

2.39  uniqueMember

   A value of this Attribute Type is the Distinguished Name of an 
   object that is on a list or in a group, where the Relative 
   Distinguished Name of the object includes a value that distinguishs 
   between objects when a distinguished name has been reused.

   ( 2.5.4.50 NAME 'uniqueMember' 
      EQUALITY uniqueMemberMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 ) 

The SYNTAX oid indicates the Name and Optional UID syntax.





Dally                   Expires October 2003                   [Page 13]
INTERNET-DRAFT     draft-ietf-ldapbis-user-schema-05          April 2003


2.40  userPassword

   A value of this Attribute Type is a character string that is known 
   only to the user and the system to which the user has access.

   ( 2.5.4.35 NAME 'userPassword' 
      EQUALITY octetStringMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} ) 

   The SYNTAX oid indicates the Octet String syntax.

   Passwords are stored using an Octet String syntax and are not 
   encrypted.  Transfer of cleartext passwords is strongly discouraged 
   where the underlying transport service cannot guarantee 
   confidentiality and may result in disclosure of the password to 
   unauthorized parties.

2.41  x121Address

   A value of this Attribute Type is a data network address as defined 
   by ITU Recommendation X.121 [X.121].

   ( 2.5.4.24 NAME 'x121Address' 
      EQUALITY numericStringMatch
      SUBSTR numericStringSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} ) 

   The SYNTAX oid indicates the Numeric String syntax.

2.42  x500UniqueIdentifier

   The x500UniqueIdentifier Attribute Type is used to distinguish 
   between objects when a distinguished name has been reused.  In X.520 
   [X.520], this Attribute Type is called uniqueIdentifier.  This is a 
   different Attribute Type from both the "uid" and "uniqueIdentifier" 
   Attribute Types.

   ( 2.5.4.45 NAME 'x500UniqueIdentifier' 
      EQUALITY bitStringMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 ) 

   The SYNTAX oid indicates the Bit String syntax.












Dally                   Expires October 2003                   [Page 14]
INTERNET-DRAFT     draft-ietf-ldapbis-user-schema-05          April 2003


3.  Object Classes

   LDAP servers SHOULD recognize all the Object Classes listed here as 
   values of the objectClass attribute.

3.1  applicationProcess

   The applicationProcess Object Class definition is the basis of an 
   entry which represents an application executing in a computer system.

   ( 2.5.6.11 NAME 'applicationProcess' 
      SUP top 
      STRUCTURAL 
      MUST cn
      MAY ( seeAlso $ 
            ou $ 
            l $ 
            description ) ) 

3.2  country

   The country Object Class definition is the basis of an entry which 
   represents a country.

   ( 2.5.6.2 NAME 'country' 
      SUP top 
      STRUCTURAL 
      MUST c
      MAY ( searchGuide $ 
            description ) )

3.3  device

   The device Object Class is the basis of an entry which represents 
   an appliance or computer or network element.

   ( 2.5.6.14 NAME 'device' 
      SUP top 
      STRUCTURAL 
      MUST cn
      MAY ( serialNumber $ 
            seeAlso $ 
            owner $ 
            ou $ 
            o $ 
            l $ 
            description ) )

3.4  domain

   The domain Object Class is the basis of an entry which represents a 
   portion of a network, as organized by DNS.  


Dally                   Expires October 2003                   [Page 15]
INTERNET-DRAFT     draft-ietf-ldapbis-user-schema-05          April 2003


   ( 0.9.2342.19200300.100.4.13 NAME 'domain' 
      SUP top 
      STRUCTURAL
      MUST dc
      MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
          x121Address $ registeredAddress $ destinationIndicator $
          preferredDeliveryMethod $ telexNumber $
          teletexTerminalIdentifier $ telephoneNumber $
          internationaliSDNNumber $  facsimileTelephoneNumber $ street $
          postOfficeBox $ postalCode $ postalAddress $
          physicalDeliveryOfficeName $ st $ l $ description $ o $
          associatedName ) )

   An example entry would be:

   dn: dc=tcp,dc=critical-angle,dc=com
   objectClass: top
   objectClass: domain
   dc: tcp
   description: a placeholder entry used with SRV records

3.5  groupOfNames

   The groupOfNames Object Class is the basis of an entry which 
   represents a set of named objects including information related to 
   the purpose or maintenance of the set.

   ( 2.5.6.9 NAME 'groupOfNames' 
      SUP top 
      STRUCTURAL 
      MUST ( member $ 
             cn )
      MAY ( businessCategory $ 
            seeAlso $ 
            owner $ 
            ou $ 
            o $ 
            description ) )

3.6  groupOfUniqueNames

   The groupOfUniqueNames Object Class is the same as the groupOfNames 
   object class except that the object names are not repeated or 
   reassigned within a set scope.

   ( 2.5.6.17 NAME 'groupOfUniqueNames' 
      SUP top 
      STRUCTURAL
      MUST ( uniqueMember $ 
             cn )
      MAY ( businessCategory $ 
            seeAlso $ 


Dally                   Expires October 2003                   [Page 16]
INTERNET-DRAFT     draft-ietf-ldapbis-user-schema-05          April 2003


            owner $ 
            ou $ 
            o $ 
            description ) ) 

3.7  locality

   The locality Object Class is the basis of an entry which 
   represents a place in the physical world.

   ( 2.5.6.3 NAME 'locality' 
      SUP top 
      STRUCTURAL
      MAY ( street $ 
            seeAlso $ 
            searchGuide $ 
            st $ 
            l $ 
            description ) )

3.8  organization

   The organization Object Class is the basis of an entry which 
   represents a structured group of people.

   ( 2.5.6.4 NAME 'organization' 
      SUP top 
      STRUCTURAL 
      MUST o
      MAY ( userPassword $ searchGuide $ seeAlso $ 
            businessCategory $ x121Address $ registeredAddress $ 
            destinationIndicator $ preferredDeliveryMethod $ 
            telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ 
            internationaliSDNNumber $ facsimileTelephoneNumber $ 
            street $ postOfficeBox $ postalCode $ 
            postalAddress $ physicalDeliveryOfficeName $ st $ 
            l $ description ) )

3.9  organizationalPerson

   The organizationalPerson Object Class is the basis of an entry which 
   represents a person in relation to an organization.  

   ( 2.5.6.7 NAME 'organizationalPerson' 
      SUP person 
      STRUCTURAL
      MAY ( title $ x121Address $ registeredAddress $ 
            destinationIndicator $ preferredDeliveryMethod $ 
            telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ 
            internationaliSDNNumber $ facsimileTelephoneNumber $ 
            street $ postOfficeBox $ postalCode $ postalAddress $ 
            physicalDeliveryOfficeName $ ou $ st $ l ) )


Dally                   Expires October 2003                   [Page 17]
INTERNET-DRAFT     draft-ietf-ldapbis-user-schema-05          April 2003


3.10  organizationalRole

   The organizationalRole Object Class is the basis of an entry which 
   represents a job or function or position in an organization.

   ( 2.5.6.8 NAME 'organizationalRole' 
      SUP top 
      STRUCTURAL 
      MUST cn
      MAY ( x121Address $ registeredAddress $ destinationIndicator $ 
            preferredDeliveryMethod $ telexNumber $ 
            teletexTerminalIdentifier $ telephoneNumber $ 
            internationaliSDNNumber $ facsimileTelephoneNumber $ 
            seeAlso $ roleOccupant $ preferredDeliveryMethod $ 
            street $ postOfficeBox $ postalCode $ postalAddress $ 
            physicalDeliveryOfficeName $ ou $ st $ l $ description ) )

3.11  organizationalUnit

   The organizationalUnit Object Class is the basis of an entry which 
   represents a piece of an organization.

   ( 2.5.6.5 NAME 'organizationalUnit' 
      SUP top 
      STRUCTURAL 
      MUST ou
      MAY ( businessCategory $ description $ destinationIndicator $ 
            facsimileTelephoneNumber $ internationaliSDNNumber $ l $ 
            physicalDeliveryOfficeName $ postalAddress $ postalCode $ 
            postOfficeBox $ preferredDeliveryMethod $ 
            registeredAddress $ searchGuide $ seeAlso $ st $ street $ 
            telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ 
            userPassword $ x121Address ) )

3.12  person

   The person Object Class is the basis of an entry which represents a 
   human being.

   ( 2.5.6.6 NAME 'person' 
      SUP top 
      STRUCTURAL 
      MUST ( sn $ 
             cn )
      MAY ( userPassword $ 
            telephoneNumber $ 
            seeAlso $ 
            description ) ) 






Dally                   Expires October 2003                   [Page 18]
INTERNET-DRAFT     draft-ietf-ldapbis-user-schema-05          April 2003


3.13  residentialPerson

   The residentialPerson Object Class is the basis of an entry which 
   includes a person's residence in the representation of the person. 

   ( 2.5.6.10 NAME 'residentialPerson' 
      SUP person 
      STRUCTURAL 
      MUST l
      MAY ( businessCategory $ x121Address $ registeredAddress $ 
           destinationIndicator $ preferredDeliveryMethod $ 
           telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ 
           internationaliSDNNumber $ facsimileTelephoneNumber $ 
           preferredDeliveryMethod $ street $ postOfficeBox $ 
           postalCode $ postalAddress $ physicalDeliveryOfficeName $ 
           st $ l ) )


4.  IANA Considerations

   It is requested that the Internet Assigned Numbers Authority (IANA)
   update the LDAP descriptors registry as indicated in the following
   template:

      Subject: Request for LDAP Descriptor Registration Update
      Descriptor (short name): see comment
      Object Identifier: see comment
      Person & email address to contact for further information:
          Kathy Dally <kdally@mitre.org>
      Usage: (A = Attribute Type, O = Object Class) see comment
      Specification: RFC XXXX
      Author/Change Controller: IESG



Dally                   Expires October 2003                   [Page 19]
INTERNET-DRAFT     draft-ietf-ldapbis-user-schema-05          April 2003


      Comments:
         The following descriptors (short names) should be updated to 
         refer to RFC XXXX.

        NAME                         Type OID
        ------------------------     ---- ----------------------------
         applicationProcess           O    2.5.6.11
         businessCategory             A    2.5.4.15
         c                            A    2.5.4.6
         cn                           A    2.5.4.3
         country                      O    2.5.6.2
         dc                           A    0.9.2342.19200300.100.1.25
         description                  A    2.5.4.13
         destinationIndicator         A    2.5.4.27
         device                       O    2.5.6.14
         distinguishedName            A    2.5.4.49
         dnQualifier                  A    2.5.4.46
         domain                       O    0.9.2342.19200300.100.4.13
         enhancedSearchGuide          A    2.5.4.47
         facsimileTelephoneNumber     A    2.5.4.23
         generationQualifier          A    2.5.4.44
         givenName                    A    2.5.4.42
         groupOfNames                 O    2.5.6.9
         groupOfUniqueNames           O    2.5.6.17
         houseIdentifier              A    2.5.4.51
         initials                     A    2.5.4.43
         internationalISDNNumber      A    2.5.4.25
         l                            A    2.5.4.7
         locality                     O    2.5.6.3
         member                       A    2.5.4.31
         name                         A    2.5.4.41
         o                            A    2.5.4.10
         organization                 O    2.5.6.4
         organizationalPerson         O    2.5.6.7
         organizationalRole           O    2.5.6.8
         organizationalUnit           O    2.5.6.5
         ou                           A    2.5.4.11
         owner                        A    2.5.4.32
         person                       O    2.5.6.6
         physicalDeliveryOfficeName   A    2.5.4.19
         postalAddress                A    2.5.4.16
         postalCode                   A    2.5.4.17
         postOfficeBox                A    2.5.4.18
         preferredDeliveryMethod      A    2.5.4.28
         registeredAddress            A    2.5.4.26
         residentialPerson            O    2.5.6.10
         roleOccupant                 A    2.5.4.33
         searchGuide                  A    2.5.4.14
         seeAlso                      A    2.5.4.34
         serialNumber                 A    2.5.4.5
         sn                           A    2.5.4.4


Dally                   Expires October 2003                   [Page 20]
INTERNET-DRAFT     draft-ietf-ldapbis-user-schema-05          April 2003


         st                           A    2.5.4.8
         street                       A    2.5.4.9
         telephoneNumber              A    2.5.4.20
         teletexTerminalIdentifier    A    2.5.4.22
         telexNumber                  A    2.5.4.21
         title                        A    2.5.4.12
         uniqueMember                 A    2.5.4.50
         userPassword                 A    2.5.4.35
         x121Address                  A    2.5.4.24
         x500UniqueIdentifier         A    2.5.4.45


5.  Security Considerations

   Attributes of directory entries are used to provide descriptive 
   information about the real-world objects they represent, which can be
   people, organizations or devices.  Most countries have privacy laws 
   regarding the publication of information about people.

   Transfer of cleartext passwords is strongly discouraged where the 
   underlying transport service cannot guarantee confidentiality and may
   result in disclosure of the password to unauthorized parties.

   It is required that strong authentication be performed in order to 
   modify directory entries using LDAP.


6.  Acknowledgements

   The definitions, on which this document is based, have been developed
   by committees for telecommunications and international standards.  
   No new attribute definitions have been added.  

   This document is an update of RFC 2256 by Mark Wahl.  RFC 2256 was a
   product of the IETF ASID Working Group.

   This document is based upon input of the IETF LDAPBIS working group.
   The author wishes to thank S. Legg and K. Zeilenga for their 
   significant contribution to this update.


7.  References

7.1  Normative

   [E.123]  Notation for national and international telephone numbers, 
            ITU-T Recommendation E.123, 1988

   [E.164]  The international public telecommunication numbering plan, 
            ITU-T Recommendation E.164, 1997



Dally                   Expires October 2003                   [Page 21]
INTERNET-DRAFT     draft-ietf-ldapbis-user-schema-05          April 2003


   [ISO3166]  ISO 3166, "Codes for the representation of names of 
              countries".

   [LDAP-PKI]  Chadwick, D. W., Legg S., "LDAP Schema and Syntaxes for 
               PKIs", draft-ietf-pkix-ldap-pki-schema-xx (a work in 
               progress)

   [Models]  K. Zeilenga, "LDAP: The Models", draft-ietf-ldapbis-
             models-xx (a work in progress) 

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate 
              Requirement Levels", RFC 2119, March 1997

   [RFC3377]  Hodges, J., Morgan, R., "Lightweight Directory Access 
              Protocol (v3):  Technical Specification", RFC 3377, 
              September 2002

...[ROADMAP]  Zeilenga, K., "LDAP:  Technical Specification Road Map", 
              draft-ietf-ldapbis-roadmap-xx (a work in progress)

   [Syntaxes]  S. Legg (editor), "LDAP: Syntaxes",
               draft-ietf-ldapbis-syntaxes-xx (a work in progress)

   [X.121]  International numbering plan for public data networks, 
            ITU-T Recommendation X.121, 1996

   [X.509]  The Directory:  Authentication Framework, ITU-T 
            Recommendation X.509, 1993

   [X.520]  The Directory: Selected Attribute Types, ITU-T 
            Recommendation X.520, 1993

   [X.521]  The Directory: Selected Object Classes.  ITU-T 
            Recommendation X.521, 1993

7.2  Informative

   [RFC2247]  Kille, S., Wahl, M., Grimstad, A., Huber, R., and 
      Sataluri, S., "Using Domains in LDAP/X.500 Distinguished Names", 
      RFC 2247, January 1998













Dally                   Expires October 2003                   [Page 22]
INTERNET-DRAFT     draft-ietf-ldapbis-user-schema-05          April 2003


8.  Author's Address

   Kathy Dally
   The MITRE Corp.
   1575 Colshire Dr., H300
   McLean VA 22102
   USA
   
   Phone:  +1 703 883 6058
   Email:  kdally@mitre.org


9.  Full Copyright Statement

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.














Dally                   Expires October 2003                   [Page 23]
INTERNET-DRAFT     draft-ietf-ldapbis-user-schema-05          April 2003


                          Appendix A  Changes RFC 2256

   This appendix lists the changes that have been made from RFC 2256 to 
   this I-D.  

      1.  Revised the Status of this Memo.

      2.  Removed the IESG Note.

      3.  Dependencies on RFC 1274 have been eliminated.

      4.  Added a Security Considerations section, requiring strong 
          authentication in order to modify directory entries.

      5.  Deleted the conformance requirement for subschema object 
          classes in favor of a statement in [Syntaxes].

      6.  Added a Table of Contents.

      7.  Added explanations to many attributes.

      8.  Removed Section 4, Syntaxes, and Section 6, Matching Rules, 
          (moved to [Syntaxes]).

      9.  Reordered Section 3, Attributes, and Section 4, Object 
          Classes, alphabetically.

      10. Added an explanation for each object class.

      11. Removed the certificate-related Attribute Types:  
             authorityRevocationList, 
             cACertificate, 
             certificateRevocationList, 
             crossCertificatePair, 
             deltaRevocationList, 
             supportedAlgorithms, and 
             userCertificate.

          Removed the certificate-related Object Classes:  
             certificationAuthority,
             certificationAuthority-V2,
             cRLDistributionPoint,
             strongAuthenticationUser, and
             userSecurityInformation

          Noted that they are covered in PKIX WG documents.

      12. Removed the dmdName Attribute Type and dmd Object Class 
          because they are not in the version of X.500 which 
          is referenced.



Dally                   Expires October 2003                   [Page 24]
INTERNET-DRAFT     draft-ietf-ldapbis-user-schema-05          April 2003


......13. Deleted the 'aliasedObjectName' and 'objectClass' attribute 
          type definitions.  They are included in [Models].

      14. Deleted the 'alias' and 'top' object class definitions.  They 
          are included in [Models].

      15. Replaced the document title.

      16. Added the 'dc' attribute and the 'domain' object class from 
          RFC 2247.

      17. Deleted the 'knowledgeInformation', 'presentationAddress', 
          'protocolInformation', and 'supportedApplicationContext' 
          attributes.

      18. Deleted the 'applicationEntity' and 'dSA' object classes.

      19. Added an IANA Considerations section.



































Dally                   Expires October 2003                   [Page 25]