1 INTERNET-DRAFT                                        K. Dally, Editor
2 Intended Category: Standard Track                      The MITRE Corp.
3 Expires: October 2003                                        April 2003
9 <draft-ietf-ldapbis-user-schema-05>
14 This document is an Internet-Draft and is in full conformance with
15 all provisions of Section 10 of RFC 2026.
17 This document is intended to be, after appropriate review and
18 revision, submitted to the RFC Editor as a Standard Track document.
19 Distribution of this memo is unlimited. Technical discussion of
20 this document will take place on the IETF LDAP Revision Working
21 Group (LDAPbis) mailing list <ietf-ldapbis@openldap.org>. Please
22 send editorial comments directly to the author <kdally@mitre.org>.
24 Internet-Drafts are working documents of the Internet Engineering
25 Task Force (IETF), its areas, and its working groups. Note that
26 other groups may also distribute working documents as
27 Internet-Drafts. Internet-Drafts are draft documents valid for a
28 maximum of six months and may be updated, replaced, or obsoleted by
29 other documents at any time. It is inappropriate to use
30 Internet-Drafts as reference material or to cite them other than as
33 The list of current Internet-Drafts can be accessed at
34 http://www.ietf.org/ietf/1id-abstracts.txt.
36 The list of Internet-Draft Shadow Directories can be accessed at
37 http://www.ietf.org/shadow.html.
42 Copyright 2003, The Internet Society. All Rights Reserved.
47 This document is an integral part of the LDAP technical specification
48 [ROADMAP]. It provides an overview of attribute types and object
49 classes intended for use by LDAP directory clients for many
50 directory services, such as White Pages. Originally specified in
51 the ISO/IEC 9594 and X.500 documents, these objects are widely used
52 as a basis for the schema in many LDAP directories. This document
53 does not cover attributes used for the administration of directory
54 servers, nor does it include directory objects defined for specific
55 uses in other documents.
58 Dally Expires October 2003 [Page 1]
59 INTERNET-DRAFT draft-ietf-ldapbis-user-schema-05 April 2003
79 2.1 businessCategory 5
84 2.6 destinationIndicator 6
85 2.7 distinguishedName 7
87 2.9 enhancedSearchGuide 7
88 2.10 facsimileTelephoneNumber 7
89 2.11 generationQualifier 8
91 2.13 houseIdentifier 8
93 2.15 internationalISDNNumber 8
100 2.22 physicalDeliveryOfficeName 10
101 2.23 postalAddress 10
103 2.25 postOfficeBox 10
104 2.26 preferredDeliveryMethod 11
105 2.27 registeredAddress 11
113 2.35 telephoneNumber 12
120 2.36 teletexTerminalIdentifier 13
126 2.42 x500UniqueIdentifier 14
129 3.1 applicationProcess 15
134 3.6 groupOfUniqueNames 16
137 3.9 organizationalPerson 17
138 3.10 organizationalRole 18
139 3.11 organizationalUnit 18
141 3.13 residentialPerson 19
143 4. IANA Considerations 19
145 5. Security Considerations 19
147 6. Acknowledgements 19
153 8. Author's Address 21
155 9. Full Copyright Statement 21
180 This document provides an overview of attribute types and object
181 classes intended for use by LDAP directory clients for many
182 directory services, such as White Pages. Originally specified in
183 the ISO/IEC 9594 and X.500 documents, these objects are widely used
184 as a basis for the schema in many LDAP directories. This document
185 does not cover attributes used for the administration of directory
186 servers, nor does it include directory objects defined for specific
187 uses in other documents.
191 This document is an integral part of the LDAP technical specification
192 [ROADMAP] which obsoletes the previously defined LDAP technical
193 specification [RFC3377] in its entirety. In terms of RFC 2256,
194 Sections 6 and 8 of RFC 2256 are obsoleted by [Syntaxes].
195 Sections 5.1, 5.2, 7.1 and 7.2 of RFC 2256 are obsoleted by [Models].
196 The remainder of RFC 2256 is obsoleted by this document. Sections
197 2.4 and 3.4 of this document supersede the technical specifications
198 for the 'dc' attribute type and 'domain' object class found in
199 RFC 2247. The remainder of RFC 2247 remains in force.
201 A number of schema elements which were included in the previous
202 revision of the LDAP Technical Specification are not included in this
203 revision of LDAP. PKI-related schema elements are now specified in
204 [LDAP-PKI]. Unless reintroduced in future technical specifications,
205 the remainder are to be considered Historic.
209 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
210 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
211 document are to be interpreted as described in RFC 2119 [RFC2119].
215 This document references Syntaxes given in Section 3 of [Syntaxes]
216 and Matching Rules specified in Section 4 of [Syntaxes].
218 The definitions of Attribute Types and Object Classes are written
219 using the ABNF form of AttributeTypeDescription and
220 ObjectClassDescription given in [Models]. Lines have been folded
238 The schema definitions in this document are based on those found in
239 the X.500-series [X.520] and [X.521] and RFC 2247 [RFC2247],
243 ============ ==================
244 2.1 - 2.3 X.520 [X.520]
245 2.4 RFC 2247 [RFC2247]
246 2.5 - 2.42 X.520 [X.520]
247 3.1 - 3.3 X.521 [X.521]
248 3.4 RFC 2247 [RFC2247]
249 3.5 - 3.13 X.521 [X.521]
254 The Attribute Types contained in this section hold user information.
256 There is no requirement that servers implement the following
260 teletexTerminalIdentifier
262 In fact, their use is greatly discouraged.
264 An LDAP server implementation SHOULD recognize the rest of the
265 Attribute Types described in this section.
269 This Attribute Type describes the kind of business performed by
272 ( 2.5.4.15 NAME 'businessCategory'
273 EQUALITY caseIgnoreMatch
274 SUBSTR caseIgnoreSubstringsMatch
275 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
277 The SYNTAX oid indicates the Directory String syntax.
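Every definition in this section follows the AttributeTypeDescription form
of [Models]: an OID, one or more NAMEs, optional matching rules, and either
a SYNTAX (with an optional length bound in braces) or a SUP. The following
Python program is an added example, not part of this draft or of any LDAP
implementation. It parses such descriptions and flags any whose SYNTAX OID
falls outside the 1.3.6.1.4.1.1466.115.121.1 arc under which [Syntaxes]
registers the LDAP syntaxes, which is the kind of check a schema loader
should run before trusting hand-transcribed definitions. The sample
definitions are constructed for the example: two copied from this section
and one with a deliberately mistyped OID.

```python
import re

# Every LDAP syntax referenced by the Section 2 definitions lives under this
# arc, registered in [Syntaxes]; a SYNTAX OID outside it is almost certainly
# a transcription error.
SYNTAX_OID_PREFIX = "1.3.6.1.4.1.1466.115.121.1."

# One token per quoted name, parenthesis, '$' separator, or bare word.
_TOKEN = re.compile(r"'[^']*'|\(|\)|\$|[^\s()$']+")


def parse_attribute_type(text):
    """Parse one AttributeTypeDescription such as
    ( 2.5.4.15 NAME 'businessCategory' EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
    into a dict with keys oid, names, equality/substr/ordering (when given),
    sup, syntax, max_len and single_value."""
    toks = _TOKEN.findall(text)
    if len(toks) < 3 or toks[0] != "(" or toks[-1] != ")":
        raise ValueError("description must be enclosed in '(' ... ')'")
    toks = toks[1:-1]
    desc = {"oid": toks[0], "names": [], "syntax": None, "max_len": None,
            "sup": None, "single_value": False}
    i = 1
    while i < len(toks):
        kw = toks[i]
        if kw == "NAME":
            i += 1
            if toks[i] == "(":            # NAME ( 'a' 'b' ) form
                i += 1
                while toks[i] != ")":
                    desc["names"].append(toks[i].strip("'"))
                    i += 1
            else:
                desc["names"].append(toks[i].strip("'"))
        elif kw in ("EQUALITY", "SUBSTR", "ORDERING", "SUP"):
            i += 1
            desc[kw.lower()] = toks[i]
        elif kw == "SYNTAX":
            i += 1
            m = re.fullmatch(r"([0-9.]+)(?:\{(\d+)\})?", toks[i])
            if m is None:
                raise ValueError("malformed SYNTAX %r" % toks[i])
            desc["syntax"] = m.group(1)
            desc["max_len"] = int(m.group(2)) if m.group(2) else None
        elif kw == "SINGLE-VALUE":
            desc["single_value"] = True
        else:
            raise ValueError("unexpected keyword %r" % kw)
        i += 1
    return desc


def lint_attribute_type(desc):
    """Return a list of problems with a parsed description (empty if clean)."""
    problems = []
    if not desc["names"]:
        problems.append("no NAME")
    if desc["syntax"] is None and desc["sup"] is None:
        problems.append("neither SYNTAX nor SUP given")
    if desc["syntax"] is not None and not desc["syntax"].startswith(SYNTAX_OID_PREFIX):
        problems.append("SYNTAX %s is outside the LDAP syntax arc" % desc["syntax"])
    return problems


# Constructed input for the example: two definitions copied from Section 2
# and one with a deliberately mistyped OID (1.5.6... instead of 1.3.6...).
SAMPLE_DEFINITIONS = [
    """( 2.5.4.15 NAME 'businessCategory'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )""",
    "( 2.5.4.31 NAME 'member' SUP distinguishedName )",
    """( 2.5.4.16 NAME 'postalAddress'
        EQUALITY caseIgnoreListMatch
        SUBSTR caseIgnoreListSubstringsMatch
        SYNTAX 1.5.6.1.4.1.1466.115.121.1.41 )""",
]


def lint_all(definitions=SAMPLE_DEFINITIONS):
    """Map each attribute's first NAME to its lint findings."""
    report = {}
    for text in definitions:
        desc = parse_attribute_type(text)
        report[desc["names"][0]] = lint_attribute_type(desc)
    return report


if __name__ == "__main__":
    for name, problems in lint_all().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Running the program reports businessCategory and member as clean and
rejects the constructed postalAddress definition because its SYNTAX OID is
not under the LDAP syntax arc.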
281 This is the X.520 [X.520] countryName Attribute Type, which contains
282 a two-letter ISO 3166 [ISO3166] country code.
296 This is the X.520 [X.520] commonName Attribute Type, which contains
297 a name of an object. If the object corresponds to a person, it is
298 typically the person's full name.
305 The dc (short for domainComponent) attribute type is defined as
308 ( 0.9.2342.19200300.100.1.25 NAME 'dc'
309 EQUALITY caseIgnoreIA5Match
310 SUBSTR caseIgnoreIA5SubstringsMatch
311 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
314 The value of this attribute is a string holding one component of a
315 DNS domain name. The encoding of IA5String for use in LDAP is simply
316 the characters of the string itself. The equality matching rule is
317 case insensitive, as is today's DNS.
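As an added example (not from this draft or from RFC 2247), the following
Python code maps between a DNS name and a DN built from dc components, and
applies the case-insensitive IA5 matching described above when comparing
two such DNs. The label alphabet it accepts (letters, digits, hyphen and,
for SRV-style names, underscore) and the rejection of anything else are
assumptions of the example, chosen so that no dc value ever needs DN
escaping and the DN can be split safely on commas.

```python
import re

# DNS labels as they appear in dc values: letters, digits, hyphen and, as an
# assumption of this example, underscore. Anything else would need DN
# escaping and is rejected rather than silently mangled.
_LABEL = re.compile(r"^[A-Za-z0-9_-]+$")


def _check_label(label):
    if not _LABEL.match(label):
        raise ValueError("invalid domain component %r" % label)
    return label


def dns_to_dn(domain):
    """'tcp.critical-angle.com' -> 'dc=tcp,dc=critical-angle,dc=com'."""
    labels = [l for l in domain.strip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + _check_label(l) for l in labels)


def dn_to_dns(dn):
    """Inverse mapping; every RDN must be a single dc= component."""
    labels = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or attr.strip().lower() != "dc":
            raise ValueError("not a dc-only DN: %r" % rdn)
        labels.append(_check_label(value.strip()))
    return ".".join(labels)


def dc_match(a, b):
    """caseIgnoreIA5Match on one dc value: ASCII only, case folded."""
    if not (a.isascii() and b.isascii()):
        raise ValueError("dc values are IA5String (ASCII only)")
    return a.lower() == b.lower()


def dc_dn_match(dn1, dn2):
    """Two dc-style DNs name the same entry iff every component matches."""
    l1 = dn_to_dns(dn1).split(".")
    l2 = dn_to_dns(dn2).split(".")
    return len(l1) == len(l2) and all(dc_match(x, y) for x, y in zip(l1, l2))
```

Because the equality rule is caseIgnoreIA5Match, "DC=Example,DC=COM" and
"dc=example,dc=com" name the same entry; a client that compares such DNs
byte-for-byte will wrongly treat them as distinct.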
321 This Attribute Type contains a human-readable description of
324 ( 2.5.4.13 NAME 'description'
325 EQUALITY caseIgnoreMatch
326 SUBSTR caseIgnoreSubstringsMatch
327 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
329 The SYNTAX oid indicates the Directory String syntax.
331 2.6 destinationIndicator
333 This attribute is used for the telegram service.
335 ( 2.5.4.27 NAME 'destinationIndicator'
336 EQUALITY caseIgnoreMatch
337 SUBSTR caseIgnoreSubstringsMatch
338 SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )
340 The SYNTAX oid indicates the Printable String syntax.
352 2.7 distinguishedName
354 This Attribute Type is not used as the name of the object itself,
355 but it is instead a base type from which attributes with DN syntax
358 It is unlikely that values of this type itself will occur in an
359 entry. LDAP server implementations which do not support attribute
360 subtyping need not recognize this attribute in requests. Client
361 implementations MUST NOT assume that LDAP servers are capable of
362 performing attribute subtyping.
364 ( 2.5.4.49 NAME 'distinguishedName'
365 EQUALITY distinguishedNameMatch
366 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
368 The SYNTAX oid indicates the DN syntax.
372 The dnQualifier Attribute Type specifies disambiguating information
373 to add to the relative distinguished name of an entry. It is
374 intended for use when merging data from multiple sources in order to
375 prevent conflicts between entries which would otherwise have the same
376 name. It is recommended that the value of the dnQualifier attribute
377 be the same for all entries from a particular source.
379 ( 2.5.4.46 NAME 'dnQualifier'
380 EQUALITY caseIgnoreMatch
381 ORDERING caseIgnoreOrderingMatch
382 SUBSTR caseIgnoreSubstringsMatch
383 SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
385 The SYNTAX oid indicates the Printable String syntax.
387 2.9 enhancedSearchGuide
389 This attribute is for use by X.500 clients in constructing search
392 ( 2.5.4.47 NAME 'enhancedSearchGuide'
393 SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )
395 The SYNTAX oid indicates the Enhanced Guide syntax.
397 2.10 facsimileTelephoneNumber
399 A value of this Attribute Type is a telephone number for a facsimile
400 terminal (and, optionally, its parameters).
402 ( 2.5.4.23 NAME 'facsimileTelephoneNumber'
403 SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )
410 The SYNTAX oid indicates the Facsimile Telephone Number syntax.
412 2.11 generationQualifier
414 The generationQualifier Attribute Type contains the part of a
415 person's name which typically is the suffix, as in "IIIrd".
417 ( 2.5.4.44 NAME 'generationQualifier'
422 The givenName Attribute Type is used to hold the part of a person's
423 name which is neither their surname nor their middle name.
425 ( 2.5.4.42 NAME 'givenName'
430 This Attribute Type is used to identify a building within a location.
432 ( 2.5.4.51 NAME 'houseIdentifier'
433 EQUALITY caseIgnoreMatch
434 SUBSTR caseIgnoreSubstringsMatch
435 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
437 The SYNTAX oid indicates the Directory String syntax.
441 The initials Attribute Type contains the initials of some or all of
442 an individual's names, except the surname(s).
444 ( 2.5.4.43 NAME 'initials'
447 2.15 internationalISDNNumber
449 A value of this Attribute Type is an ISDN address, as defined in
450 ITU Recommendation E.164 [E.164].
452 ( 2.5.4.25 NAME 'internationalISDNNumber'
453 EQUALITY numericStringMatch
454 SUBSTR numericStringSubstringsMatch
455 SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} )
457 The SYNTAX oid indicates the Numeric String syntax.
470 This is the X.520 [X.520] localityName Attribute Type, which
471 contains the name of a locality or place, such as a city, county or
472 other geographic region.
479 A value of this Attribute Type is the Distinguished Name of an
480 object that is on a list or in a group.
482 ( 2.5.4.31 NAME 'member'
483 SUP distinguishedName )
487 The name Attribute Type is the attribute supertype from which string
488 Attribute Types typically used for naming may be formed. It is
489 unlikely that values of this type itself will occur in an entry.
490 LDAP server implementations which do not support attribute subtyping
491 need not recognize this attribute in requests. Client
492 implementations MUST NOT assume that LDAP servers are capable of
493 performing attribute subtyping.
495 ( 2.5.4.41 NAME 'name'
496 EQUALITY caseIgnoreMatch
497 SUBSTR caseIgnoreSubstringsMatch
498 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
500 The SYNTAX oid indicates the Directory String syntax.
504 This is the X.520 [X.520] organizationName Attribute Type, which
505 contains the name of an organization.
512 This is the X.520 [X.520] organizationalUnitName Attribute Type,
513 which contains the name of an organizational unit.
528 A value of this Attribute Type is the Distinguished Name of an
529 object that has an ownership responsibility for the object that
532 ( 2.5.4.32 NAME 'owner'
533 SUP distinguishedName )
535 2.22 physicalDeliveryOfficeName
537 This attribute contains the name that a Postal Service uses to
538 identify a post office.
540 ( 2.5.4.19 NAME 'physicalDeliveryOfficeName'
541 EQUALITY caseIgnoreMatch
542 SUBSTR caseIgnoreSubstringsMatch
543 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
545 The SYNTAX oid indicates the Directory String syntax.
549 This attribute contains an address used by a Postal Service to
550 perform services for the object.
552 ( 2.5.4.16 NAME 'postalAddress'
553 EQUALITY caseIgnoreListMatch
554 SUBSTR caseIgnoreListSubstringsMatch
555 SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
557 The SYNTAX oid indicates the Postal Address syntax.
561 This attribute contains a code used by a Postal Service to identify
562 a postal service zone, such as the southern quadrant of a city.
564 ( 2.5.4.17 NAME 'postalCode'
565 EQUALITY caseIgnoreMatch
566 SUBSTR caseIgnoreSubstringsMatch
567 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )
569 The SYNTAX oid indicates the Directory String syntax.
573 This attribute contains the number that a Postal Service uses when a
574 customer arranges to receive mail at a box on premises of the Postal
584 ( 2.5.4.18 NAME 'postOfficeBox'
585 EQUALITY caseIgnoreMatch
586 SUBSTR caseIgnoreSubstringsMatch
587 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )
589 The SYNTAX oid indicates the Directory String syntax.
591 2.26 preferredDeliveryMethod
593 This attribute contains an indication of the preferred method of
594 getting a message to the object.
596 ( 2.5.4.28 NAME 'preferredDeliveryMethod'
597 SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
600 The SYNTAX oid indicates the Delivery Method syntax.
602 2.27 registeredAddress
604 This attribute holds a postal address suitable for reception of
605 telegrams or expedited documents, where it is necessary to have the
606 recipient accept delivery.
608 ( 2.5.4.26 NAME 'registeredAddress'
610 SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
612 The SYNTAX oid indicates the Postal Address syntax.
616 A value of this Attribute Type is the Distinguished Name of an
617 object (normally a person) that fulfills the responsibilities of a
620 ( 2.5.4.33 NAME 'roleOccupant'
621 SUP distinguishedName )
625 This Attribute Type is for use by clients in constructing search
626 filters. It is superseded by enhancedSearchGuide, described above
629 ( 2.5.4.14 NAME 'searchGuide'
630 SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )
632 The SYNTAX oid indicates the Guide syntax.
644 A value of this Attribute Type is the Distinguished Name of an
645 object that is related to the subject object.
647 ( 2.5.4.34 NAME 'seeAlso'
648 SUP distinguishedName )
652 This attribute contains the serial number of a device.
654 ( 2.5.4.5 NAME 'serialNumber'
655 EQUALITY caseIgnoreMatch
656 SUBSTR caseIgnoreSubstringsMatch
657 SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )
659 The SYNTAX oid indicates the Printable String syntax.
663 This is the X.520 [X.520] surname Attribute Type, which contains the
664 family name of a person.
671 This is the X.520 [X.520] stateOrProvinceName attribute, which
672 contains the full name of a state or province.
679 This is the X.520 [X.520] streetAddress attribute, which contains the
680 physical address of the object to which the entry corresponds, such
681 as an address for package delivery.
683 ( 2.5.4.9 NAME 'street'
684 EQUALITY caseIgnoreMatch
685 SUBSTR caseIgnoreSubstringsMatch
686 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
688 The SYNTAX oid indicates the Directory String syntax.
692 A value of this Attribute Type is a telephone number complying with
693 ITU Recommendation E.123 [E.123].
700 ( 2.5.4.20 NAME 'telephoneNumber'
701 EQUALITY telephoneNumberMatch
702 SUBSTR telephoneNumberSubstringsMatch
703 SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )
705 The SYNTAX oid indicates the Telephone Number syntax.
707 2.36 teletexTerminalIdentifier
709 The withdrawal of Rec. F.200 has resulted in the withdrawal of this
712 ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
713 SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )
715 The SYNTAX oid indicates the Teletex Terminal Identifier syntax.
719 A value of this Attribute Type is a telex number, country code, and
720 answerback code of a telex terminal.
722 ( 2.5.4.21 NAME 'telexNumber'
723 SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )
725 The SYNTAX oid indicates the Telex Number syntax.
729 This attribute contains the title, such as "Vice President", of a
730 person in their organizational context. The "personalTitle"
731 attribute would be used for a person's title independent of their
734 ( 2.5.4.12 NAME 'title'
739 A value of this Attribute Type is the Distinguished Name of an
740 object that is on a list or in a group, where the Relative
741 Distinguished Name of the object includes a value that distinguishes
742 between objects when a distinguished name has been reused.
744 ( 2.5.4.50 NAME 'uniqueMember'
745 EQUALITY uniqueMemberMatch
746 SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )
748 The SYNTAX oid indicates the Name and Optional UID syntax.
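The following Python code is an added example, not taken from this draft,
showing how a value of the Name and Optional UID syntax is split into its
DN and optional bit string, and how a groupOfNames (member) or
groupOfUniqueNames (uniqueMember) entry is consulted for membership. The
uniqueMemberMatch semantics it implements (the DNs match and the uid
components are either both absent or both present and equal) are taken
from the companion [Syntaxes] specification rather than from this page,
and the DN comparison is a simplified distinguishedNameMatch that assumes
caseIgnore matching for every attribute and no escaped commas. The group
entries are constructed for the example.

```python
import re

# BitString as written in LDAP values: '0101'B
_BITSTRING = re.compile(r"^'([01]*)'B$")


def parse_name_and_optional_uid(value):
    """Split a Name and Optional UID value into (dn, uid_bits or None).
    The uid, when present, follows the last '#' of the value."""
    dn, sep, tail = value.rpartition("#")
    if sep:
        m = _BITSTRING.match(tail.strip())
        if m:
            return dn.strip(), m.group(1)
    return value.strip(), None


def _normalize_dn(dn):
    """Simplified distinguishedNameMatch key: attribute types lower-cased,
    values whitespace-collapsed and lower-cased. Assumes values contain no
    escaped commas and that every attribute uses caseIgnore matching."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(attr.strip().lower() + "=" + " ".join(value.split()).lower())
    return ",".join(parts)


def dn_match(a, b):
    return _normalize_dn(a) == _normalize_dn(b)


def unique_member_match(asserted, stored):
    """uniqueMemberMatch: DNs match and the uid components are either both
    absent or both present and bit-for-bit equal. A reused DN carrying a
    different uid is therefore a different object."""
    dn_a, uid_a = parse_name_and_optional_uid(asserted)
    dn_s, uid_s = parse_name_and_optional_uid(stored)
    if not dn_match(dn_a, dn_s):
        return False
    if (uid_a is None) != (uid_s is None):
        return False
    return uid_a == uid_s


def is_member(group, subject):
    """Decide whether `subject` is listed in a groupOfNames (member) or
    groupOfUniqueNames (uniqueMember) entry given as a dict mapping
    attribute name -> list of values."""
    classes = {c.lower() for c in group.get("objectClass", [])}
    if "groupofuniquenames" in classes:
        return any(unique_member_match(subject, v)
                   for v in group.get("uniqueMember", []))
    if "groupofnames" in classes:
        # member is a plain DN (SUP distinguishedName): any uid on the
        # subject is ignored, as distinguishedNameMatch has no uid.
        dn, _ = parse_name_and_optional_uid(subject)
        return any(dn_match(dn, v) for v in group.get("member", []))
    raise ValueError("entry is not a groupOfNames or groupOfUniqueNames")


# Constructed sample entries (not from the original page).
ADMINS = {
    "objectClass": ["top", "groupOfUniqueNames"],
    "cn": ["admins"],
    "uniqueMember": [
        "cn=Alice Example,ou=People,o=Example Org#'0101'B",
        "cn=Bob Example,ou=People,o=Example Org",
    ],
}
STAFF = {
    "objectClass": ["top", "groupOfNames"],
    "cn": ["staff"],
    "member": ["cn=Alice Example,ou=People,o=Example Org"],
}
```

A DN that has been reused for a new object with a different
x500UniqueIdentifier does not inherit the old object's place in a
groupOfUniqueNames: the uid components differ, so the match fails. A
groupOfNames offers no such protection, since member values are plain DNs.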
760 A value of this Attribute Type is a character string that is known
761 only to the user and the system to which the user has access.
763 ( 2.5.4.35 NAME 'userPassword'
764 EQUALITY octetStringMatch
765 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
767 The SYNTAX oid indicates the Octet String syntax.
769 Passwords are stored using an Octet String syntax and are not
770 encrypted. Transfer of cleartext passwords is strongly discouraged
771 where the underlying transport service cannot guarantee
772 confidentiality and may result in disclosure of the password to
773 unauthorized parties.
777 A value of this Attribute Type is a data network address as defined
778 by ITU Recommendation X.121 [X.121].
780 ( 2.5.4.24 NAME 'x121Address'
781 EQUALITY numericStringMatch
782 SUBSTR numericStringSubstringsMatch
783 SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} )
785 The SYNTAX oid indicates the Numeric String syntax.
787 2.42 x500UniqueIdentifier
789 The x500UniqueIdentifier Attribute Type is used to distinguish
790 between objects when a distinguished name has been reused. In X.520
791 [X.520], this Attribute Type is called uniqueIdentifier. This is a
792 different Attribute Type from both the "uid" and "uniqueIdentifier"
795 ( 2.5.4.45 NAME 'x500UniqueIdentifier'
796 EQUALITY bitStringMatch
797 SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )
799 The SYNTAX oid indicates the Bit String syntax.
818 LDAP servers SHOULD recognize all the Object Classes listed here as
819 values of the objectClass attribute.
821 3.1 applicationProcess
823 The applicationProcess Object Class definition is the basis of an
824 entry which represents an application executing in a computer system.
826 ( 2.5.6.11 NAME 'applicationProcess'
837 The country Object Class definition is the basis of an entry which
838 represents a country.
840 ( 2.5.6.2 NAME 'country'
849 The device Object Class is the basis of an entry which represents
850 an appliance or computer or network element.
852 ( 2.5.6.14 NAME 'device'
866 The domain Object Class is the basis of an entry which represents a
867 portion of a network, as organized by DNS.
874 ( 0.9.2342.19200300.100.4.13 NAME 'domain'
878 MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
879 x121Address $ registeredAddress $ destinationIndicator $
880 preferredDeliveryMethod $ telexNumber $
881 teletexTerminalIdentifier $ telephoneNumber $
882 internationaliSDNNumber $ facsimileTelephoneNumber $ street $
883 postOfficeBox $ postalCode $ postalAddress $
884 physicalDeliveryOfficeName $ st $ l $ description $ o $
887 An example entry would be:
889 dn: dc=tcp,dc=critical-angle,dc=com
893 description: a placeholder entry used with SRV records
897 The groupOfNames Object Class is the basis of an entry which
898 represents a set of named objects including information related to
899 the purpose or maintenance of the set.
901 ( 2.5.6.9 NAME 'groupOfNames'
906 MAY ( businessCategory $
913 3.6 groupOfUniqueNames
915 The groupOfUniqueNames Object Class is the same as the groupOfNames
916 object class except that the object names are not repeated or
917 reassigned within a set scope.
919 ( 2.5.6.17 NAME 'groupOfUniqueNames'
922 MUST ( uniqueMember $
924 MAY ( businessCategory $
939 The locality Object Class is the basis of an entry which
940 represents a place in the physical world.
942 ( 2.5.6.3 NAME 'locality'
954 The organization Object Class is the basis of an entry which
955 represents a structured group of people.
957 ( 2.5.6.4 NAME 'organization'
961 MAY ( userPassword $ searchGuide $ seeAlso $
962 businessCategory $ x121Address $ registeredAddress $
963 destinationIndicator $ preferredDeliveryMethod $
964 telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
965 internationaliSDNNumber $ facsimileTelephoneNumber $
966 street $ postOfficeBox $ postalCode $
967 postalAddress $ physicalDeliveryOfficeName $ st $
970 3.9 organizationalPerson
972 The organizationalPerson Object Class is the basis of an entry which
973 represents a person in relation to an organization.
975 ( 2.5.6.7 NAME 'organizationalPerson'
978 MAY ( title $ x121Address $ registeredAddress $
979 destinationIndicator $ preferredDeliveryMethod $
980 telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
981 internationaliSDNNumber $ facsimileTelephoneNumber $
982 street $ postOfficeBox $ postalCode $ postalAddress $
983 physicalDeliveryOfficeName $ ou $ st $ l ) )
990 3.10 organizationalRole
992 The organizationalRole Object Class is the basis of an entry which
993 represents a job or function or position in an organization.
995 ( 2.5.6.8 NAME 'organizationalRole'
999 MAY ( x121Address $ registeredAddress $ destinationIndicator $
1000 preferredDeliveryMethod $ telexNumber $
1001 teletexTerminalIdentifier $ telephoneNumber $
1002 internationaliSDNNumber $ facsimileTelephoneNumber $
1003 seeAlso $ roleOccupant $
1004 street $ postOfficeBox $ postalCode $ postalAddress $
1005 physicalDeliveryOfficeName $ ou $ st $ l $ description ) )
1007 3.11 organizationalUnit
1009 The organizationalUnit Object Class is the basis of an entry which
1010 represents a piece of an organization.
1012 ( 2.5.6.5 NAME 'organizationalUnit'
1016 MAY ( businessCategory $ description $ destinationIndicator $
1017 facsimileTelephoneNumber $ internationaliSDNNumber $ l $
1018 physicalDeliveryOfficeName $ postalAddress $ postalCode $
1019 postOfficeBox $ preferredDeliveryMethod $
1020 registeredAddress $ searchGuide $ seeAlso $ st $ street $
1021 telephoneNumber $ teletexTerminalIdentifier $ telexNumber $
1022 userPassword $ x121Address ) )
1026 The person Object Class is the basis of an entry which represents a
1029 ( 2.5.6.6 NAME 'person'
1034 MAY ( userPassword $
1048 3.13 residentialPerson
1050 The residentialPerson Object Class is the basis of an entry which
1051 includes a person's residence in the representation of the person.
1053 ( 2.5.6.10 NAME 'residentialPerson'
1057 MAY ( businessCategory $ x121Address $ registeredAddress $
1058 destinationIndicator $ preferredDeliveryMethod $
1059 telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
1060 internationaliSDNNumber $ facsimileTelephoneNumber $
1061 street $ postOfficeBox $
1062 postalCode $ postalAddress $ physicalDeliveryOfficeName $
1066 4. IANA Considerations
1068 It is requested that the Internet Assigned Numbers Authority (IANA)
1069 update the LDAP descriptors registry as indicated in the following
1072 Subject: Request for LDAP Descriptor Registration Update
1073 Descriptor (short name): see comment
1074 Object Identifier: see comment
1075 Person & email address to contact for further information:
1076 Kathy Dally <kdally@mitre.org>
1077 Usage: (A = Attribute Type, O = Object Class) see comment
1078 Specification: RFC XXXX
1079 Author/Change Controller: IESG
1088 The following descriptors (short names) should be updated to
1092 ------------------------ ---- ----------------------------
1093 applicationProcess O 2.5.6.11
1094 businessCategory A 2.5.4.15
1098 dc A 0.9.2342.19200300.100.1.25
1099 description A 2.5.4.13
1100 destinationIndicator A 2.5.4.27
1102 distinguishedName A 2.5.4.49
1103 dnQualifier A 2.5.4.46
1104 domain O 0.9.2342.19200300.100.4.13
1105 enhancedSearchGuide A 2.5.4.47
1106 facsimileTelephoneNumber A 2.5.4.23
1107 generationQualifier A 2.5.4.44
1108 givenName A 2.5.4.42
1109 groupOfNames O 2.5.6.9
1110 groupOfUniqueNames O 2.5.6.17
1111 houseIdentifier A 2.5.4.51
1113 internationalISDNNumber A 2.5.4.25
1119 organization O 2.5.6.4
1120 organizationalPerson O 2.5.6.7
1121 organizationalRole O 2.5.6.8
1122 organizationalUnit O 2.5.6.5
1126 physicalDeliveryOfficeName A 2.5.4.19
1127 postalAddress A 2.5.4.16
1128 postalCode A 2.5.4.17
1129 postOfficeBox A 2.5.4.18
1130 preferredDeliveryMethod A 2.5.4.28
1131 registeredAddress A 2.5.4.26
1132 residentialPerson O 2.5.6.10
1133 roleOccupant A 2.5.4.33
1134 searchGuide A 2.5.4.14
1136 serialNumber A 2.5.4.5
1146 telephoneNumber A 2.5.4.20
1147 teletexTerminalIdentifier A 2.5.4.22
1148 telexNumber A 2.5.4.21
1150 uniqueMember A 2.5.4.50
1151 userPassword A 2.5.4.35
1152 x121Address A 2.5.4.24
1153 x500UniqueIdentifier A 2.5.4.45
1156 5. Security Considerations
1158 Attributes of directory entries are used to provide descriptive
1159 information about the real-world objects they represent, which can be
1160 people, organizations or devices. Most countries have privacy laws
1161 regarding the publication of information about people.
1163 Transfer of cleartext passwords is strongly discouraged where the
1164 underlying transport service cannot guarantee confidentiality and may
1165 result in disclosure of the password to unauthorized parties.
1167 It is required that strong authentication be performed in order to
1168 modify directory entries using LDAP.
1173 The definitions, on which this document is based, have been developed
1174 by committees for telecommunications and international standards.
1175 No new attribute definitions have been added.
1177 This document is an update of RFC 2256 by Mark Wahl. RFC 2256 was a
1178 product of the IETF ASID Working Group.
1180 This document is based upon input of the IETF LDAPBIS working group.
1181 The author wishes to thank S. Legg and K. Zeilenga for their
1182 significant contribution to this update.
1189 [E.123] Notation for national and international telephone numbers,
1190 ITU-T Recommendation E.123, 1988
1192 [E.164] The international public telecommunication numbering plan,
1193 ITU-T Recommendation E.164, 1997
1201 [ISO3166] ISO 3166, "Codes for the representation of names of
1204 [LDAP-PKI] Chadwick, D. W., Legg S., "LDAP Schema and Syntaxes for
1205 PKIs", draft-ietf-pkix-ldap-pki-schema-xx (a work in
1208 [Models] K. Zeilenga, "LDAP: The Models", draft-ietf-ldapbis-
1209 models-xx (a work in progress)
1211 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1212 Requirement Levels", RFC 2119, March 1997
1214 [RFC3377] Hodges, J., Morgan, R., "Lightweight Directory Access
1215 Protocol (v3): Technical Specification", RFC 3377,
1218 [ROADMAP] Zeilenga, K., "LDAP: Technical Specification Road Map",
1219 draft-ietf-ldapbis-roadmap-xx (a work in progress)
1221 [Syntaxes] S. Legg (editor), "LDAP: Syntaxes",
1222 draft-ietf-ldapbis-syntaxes-xx (a work in progress)
1224 [X.121] International numbering plan for public data networks,
1225 ITU-T Recommendation X.121, 1996
1227 [X.509] The Directory: Authentication Framework, ITU-T
1228 Recommendation X.509, 1993
1230 [X.520] The Directory: Selected Attribute Types, ITU-T
1231 Recommendation X.520, 1993
1233 [X.521] The Directory: Selected Object Classes, ITU-T
1234 Recommendation X.521, 1993
1238 [RFC2247] Kille, S., Wahl, M., Grimstad, A., Huber, R., and
1239 Sataluri, S., "Using Domains in LDAP/X.500 Distinguished Names",
1240 RFC 2247, January 1998
1262 1575 Colshire Dr., H300
1266 Phone: +1 703 883 6058
1267 Email: kdally@mitre.org
1270 9. Full Copyright Statement
1272 Copyright (C) The Internet Society (2003). All Rights Reserved.
1274 This document and translations of it may be copied and furnished to
1275 others, and derivative works that comment on or otherwise explain it
1276 or assist in its implementation may be prepared, copied, published
1277 and distributed, in whole or in part, without restriction of any
1278 kind, provided that the above copyright notice and this paragraph are
1279 included on all such copies and derivative works. However, this
1280 document itself may not be modified in any way, such as by removing
1281 the copyright notice or references to the Internet Society or other
1282 Internet organizations, except as needed for the purpose of
1283 developing Internet standards in which case the procedures for
1284 copyrights defined in the Internet Standards process must be
1285 followed, or as required to translate it into languages other than
1288 The limited permissions granted above are perpetual and will not be
1289 revoked by the Internet Society or its successors or assigns.
1291 This document and the information contained herein is provided on an
1292 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
1293 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
1294 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
1295 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
1296 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
1315 Appendix A Changes RFC 2256
1317 This appendix lists the changes that have been made from RFC 2256 to
1320 1. Revised the Status of this Memo.
1322 2. Removed the IESG Note.
1324 3. Dependencies on RFC 1274 have been eliminated.
1326 4. Added a Security Considerations section, requiring strong
1327 authentication in order to modify directory entries.
1329 5. Deleted the conformance requirement for subschema object
1330 classes in favor of a statement in [Syntaxes].
1332 6. Added a Table of Contents.
1334 7. Added explanations to many attributes.
1336 8. Removed Section 4, Syntaxes, and Section 6, Matching Rules,
1337 (moved to [Syntaxes]).
1339 9. Reordered Section 3, Attributes, and Section 4, Object
1340 Classes, alphabetically.
1342 10. Added an explanation for each object class.
1344 11. Removed the certificate-related Attribute Types:
1345 authorityRevocationList,
1347 certificateRevocationList,
1348 crossCertificatePair,
1349 deltaRevocationList,
1350 supportedAlgorithms, and
1353 Removed the certificate-related Object Classes:
1354 certificationAuthority,
1355 certificationAuthority-V2,
1356 cRLDistributionPoint,
1357 strongAuthenticationUser, and
1358 userSecurityInformation
1360 Noted that they are covered in PKIX WG documents.
1362 12. Removed the dmdName Attribute Type and dmd Object Class
1363 because they are not in the version of X.500 which
1372 13. Deleted the 'aliasedObjectName' and 'objectClass' attribute
1373 type definitions. They are included in [Models].
1375 14. Deleted the 'alias' and 'top' object class definitions. They
1376 are included in [Models].
1378 15. Replaced the document title.
1380 16. Added the 'dc' attribute and the 'domain' object class from
1383 17. Deleted the 'knowledgeInformation', 'presentationAddress',
1384 'protocolInformation', and 'supportedApplicationContext'
1387 18. Deleted the 'applicationEntity' and 'dSA' object classes.
1389 19. Added an IANA Considerations section.