INTERNET-DRAFT Editor: A. Sciberras
Intended Category: Standard Track eB2Bcom
Updates: RFC 2247, RFC 2798, RFC 2377 April 4, 2005

LDAP: Schema for User Applications
draft-ietf-ldapbis-user-schema-09.txt

Copyright (C) The Internet Society (2005). All Rights Reserved.

Status of this Memo

This document is an Internet-Draft and is subject to all provisions
of Section 3 of RFC 3978. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of
which he or she becomes aware will be disclosed, in accordance with

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress".

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html

This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor as a Standard Track document.
Distribution of this memo is unlimited. Technical discussion of this
document will take place on the IETF LDAP Revision Working Group
(LDAPbis) mailing list <ietf-ldapbis@openldap.org>. Please send
editorial comments directly to the editor
<andrew.sciberras@eb2bcom.com>.

This Internet-Draft expires on 4 October 2005.

Copyright Notice

Copyright (C) The Internet Society 2005. All Rights Reserved.

Sciberras Expires 4 October 2005 [Page 1]

INTERNET-DRAFT LDAP: Schema for User Applications April 4, 2005
Abstract

This document is an integral part of the Lightweight Directory Access
Protocol (LDAP) technical specification [Roadmap]. It provides a
technical specification of attribute types and object classes
intended for use by LDAP directory clients for many directory
services, such as White Pages. These objects are widely used as a
basis for the schema in many LDAP directories. This document does
not cover attributes used for the administration of directory
servers, nor does it include directory objects defined for specific
uses in other documents.

Table of Contents
Status of this Memo
Copyright Notice
Abstract
Table of Contents
1. Introduction
   1.1 Relationship with other specifications
   1.2 Conventions
   1.3 General Issues
2. Attribute Types
   2.1 'businessCategory'
   2.2 'c'
   2.3 'cn'
   2.4 'dc'
   2.5 'description'
   2.6 'destinationIndicator'
   2.7 'distinguishedName'
   2.8 'dnQualifier'
   2.9 'enhancedSearchGuide'
   2.10 'facsimileTelephoneNumber'
   2.11 'generationQualifier'
   2.12 'givenName'
   2.13 'houseIdentifier'
   2.14 'initials'
   2.15 'internationalISDNNumber'
   2.16 'l'
   2.17 'member'
   2.18 'name'
   2.19 'o'
   2.20 'ou'
   2.21 'owner'
   2.22 'physicalDeliveryOfficeName'
   2.23 'postalAddress'
   2.24 'postalCode'
   2.25 'postOfficeBox'
   2.26 'preferredDeliveryMethod'
   2.27 'registeredAddress'
   2.28 'roleOccupant'
   2.29 'searchGuide'
   2.30 'seeAlso'
   2.31 'serialNumber'
   2.32 'sn'
   2.33 'st'
   2.34 'street'
   2.35 'telephoneNumber'
   2.36 'teletexTerminalIdentifier'
   2.37 'telexNumber'
   2.38 'title'
   2.39 'uid'
   2.40 'uniqueMember'
   2.41 'userPassword'
   2.42 'x121Address'
   2.43 'x500UniqueIdentifier'
3. Object Classes
   3.1 'applicationProcess'
   3.2 'country'
   3.3 'dcObject'
   3.4 'device'
   3.5 'groupOfNames'
   3.6 'groupOfUniqueNames'
   3.7 'locality'
   3.8 'organization'
   3.9 'organizationalPerson'
   3.10 'organizationalRole'
   3.11 'organizationalUnit'
   3.12 'person'
   3.13 'residentialPerson'
   3.14 'uidObject'
4. IANA Considerations
5. Security Considerations
6. Acknowledgements
7. References
   7.1 Normative
   7.2 Informative
8. Author's Address
9. Intellectual Property Statement
10. Disclaimer of Validity
1. Introduction

This document provides an overview of attribute types and object
classes intended for use by Lightweight Directory Access Protocol
(LDAP) directory clients for many directory services, such as White
Pages. Originally specified in the X.500 [X.500] documents, these
objects are widely used as a basis for the schema in many LDAP
directories. This document does not cover attributes used for the
administration of directory servers, nor does it include directory
objects defined for specific uses in other documents.

1.1 Relationship with other specifications

This document is an integral part of the LDAP technical specification
[Roadmap] which obsoletes the previously defined LDAP technical
specification, RFC 3377, in its entirety. In terms of RFC 2256,
Sections 6 and 8 of RFC 2256 are obsoleted by [Syntaxes]. Sections
5.1, 5.2, 7.1 and 7.2 of RFC 2256 are obsoleted by [Models]. The
remainder of RFC 2256 is obsoleted by this document. Section 2.4 of
this document supersedes the technical specification for the 'dc'
attribute type and 'dcObject' object class found in RFC 2247. The
remainder of RFC 2247 remains in force.

This document updates RFC 2798 by replacing the informative
description of the 'uid' attribute type with the definitive
description provided in Section 2.39 of this document.

A number of schema elements which were included in the previous
revision of the LDAP Technical Specification are not included in this
revision of LDAP. PKI-related schema elements are now specified in
[LDAP-PKI]. Unless reintroduced in future technical specifications,
the remainder are to be considered Historic.

The descriptions in this document SHALL be considered definitive for

1.2 Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].

1.3 General Issues

This document references Syntaxes defined in Section 3 of [Syntaxes]
and Matching Rules defined in Section 4 of [Syntaxes].

The definitions of Attribute Types and Object Classes are written
using the Augmented Backus-Naur Form (ABNF) [RFC2234] of
AttributeTypeDescription and ObjectClassDescription given in
[Models]. Lines have been folded for readability. When such values
are transferred as attribute values in the LDAP Protocol the values
will not contain line breaks.
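The following Python program is an added illustration, not part of this draft or of any LDAP implementation, of how a client can consume definitions written in the AttributeTypeDescription form described above: it unfolds the folded lines back into the single-line value that is carried in the protocol, tokenizes that value, and extracts the OID, names, SUP, matching rules, SYNTAX (with any {len} bound) and flags. The 'businessCategory' and 'member' definitions are the ones given in Sections 2.1 and 2.17 of this document; the third definition, with OID 1.1.1.1 and the name 'exampleAttr', is a constructed placeholder used only to exercise the NAME list, SUP, SINGLE-VALUE and X- extension branches. The keys of the returned dictionary are this example's own choice.

```python
"""Parse LDAP AttributeTypeDescription values (the ABNF form of [Models]).

Example code written for this page; not part of the draft or of any
LDAP implementation.
"""
import re

# Keywords that take exactly one following value (an OID, descr or qdstring).
ONE_ARG = {"DESC", "SUP", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "USAGE"}
# Bare keywords with no argument.
FLAGS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}

# A token is a quoted string, a parenthesis, or a run of other characters.
TOKEN_RE = re.compile(r"'[^']*'|\(|\)|[^\s()']+")


def unfold(text: str) -> str:
    """Join the folded lines of a definition into the single line that is
    actually transferred in the protocol (Section 1.3)."""
    return " ".join(line.strip() for line in text.splitlines() if line.strip())


def _unquote(tok: str) -> str:
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == "'" else tok


def _read_list(tokens: list, i: int) -> tuple:
    """Read a single quoted token or a parenthesised list of them starting
    at tokens[i]; return (values, index_of_next_token)."""
    if tokens[i] == "(":
        close = tokens.index(")", i)
        return [_unquote(t) for t in tokens[i + 1:close]], close + 1
    return [_unquote(tokens[i])], i + 1


def parse_attribute_type(text: str) -> dict:
    """Return a dict describing one attribute type definition."""
    tokens = TOKEN_RE.findall(unfold(text))
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("definition must be enclosed in parentheses")
    body = tokens[1:-1]
    desc = {
        "oid": body[0], "names": [], "desc": None, "sup": None,
        "equality": None, "ordering": None, "substr": None,
        "syntax": None, "syntax_max_len": None, "usage": "userApplications",
        "obsolete": False, "single_value": False, "collective": False,
        "no_user_modification": False, "extensions": {},
    }
    i = 1
    while i < len(body):
        tok = body[i]
        if tok == "NAME":
            desc["names"], i = _read_list(body, i + 1)
        elif tok == "SYNTAX":
            # noidlen: a numeric OID optionally followed by {len}
            oid, _, length = _unquote(body[i + 1]).partition("{")
            desc["syntax"] = oid
            desc["syntax_max_len"] = int(length.rstrip("}")) if length else None
            i += 2
        elif tok in ONE_ARG:
            desc[tok.lower()] = _unquote(body[i + 1])
            i += 2
        elif tok in FLAGS:
            desc[tok.lower().replace("-", "_")] = True
            i += 1
        elif tok.startswith("X-"):
            desc["extensions"][tok], i = _read_list(body, i + 1)
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return desc


# The 'businessCategory' definition from Section 2.1 of the draft.
BUSINESS_CATEGORY = """( 2.5.4.15 NAME 'businessCategory'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )"""

# The 'member' definition from Section 2.17: SUP instead of its own syntax.
MEMBER = """( 2.5.4.31 NAME 'member'
    SUP distinguishedName )"""

# Constructed placeholder (OID 1.1.1.1 and 'exampleAttr' are NOT real).
CONSTRUCTED = """( 1.1.1.1 NAME ( 'exampleAttr' 'exampleAttribute' )
    DESC 'constructed for this example' SUP name
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} SINGLE-VALUE
    X-ORIGIN 'this page' )"""

if __name__ == "__main__":
    for raw in (BUSINESS_CATEGORY, MEMBER, CONSTRUCTED):
        print(parse_attribute_type(raw))
```

A schema checker can use the same parser to confirm that the SYNTAX an attribute type declares, or inherits through SUP, matches what a client is about to write; a definition that does not parse should be rejected rather than guessed at.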
2. Attribute Types

The Attribute Types contained in this section hold user information.

There is no requirement that servers implement the 'searchGuide' and
'teletexTerminalIdentifier' attribute types. In fact, their use is

An LDAP server implementation SHOULD recognize the rest of the
attribute types described in this section.

2.1 'businessCategory'

The 'businessCategory' attribute type describes the kinds of business
performed by an organization. Each kind is one value of this
multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.15 NAME 'businessCategory'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax

Examples: "banking", "transportation" and "real estate".

2.2 'c'

The 'c' ('countryName' in X.500) attribute type contains a two-letter
ISO 3166 [ISO3166] country code.
(Source: X.520 [X.520])

    SYNTAX 1.3.6.1.4.1.1466.115.121.1.11

1.3.6.1.4.1.1466.115.121.1.11 refers to the Country String syntax

Examples: "DE", "AU" and "FR".

2.3 'cn'

The 'cn' ('commonName' in X.500) attribute type contains names of an
object. Each name is one value of this multi-valued attribute. If
the object corresponds to a person, it is typically the person's full
(Source: X.520 [X.520])

Examples: "Martin K Smith", "Marty Smith" and "printer12".

2.4 'dc'

The 'dc' ('domainComponent' in RFC 2247) attribute type is a string
holding one component, a <label> [RFC1034], of a DNS domain name.
The encoding of IA5String for use in LDAP is simply the characters of
the string itself. The equality matching rule is case insensitive,
(Source: RFC 2247 [RFC2247])

( 0.9.2342.19200300.100.1.25 NAME 'dc'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

1.3.6.1.4.1.1466.115.121.1.26 refers to the IA5 String syntax

Examples: Valid values include "example" and "com". The value
"example.com" is invalid, because it contains two <label>

It is noted that the directory will not ensure that values of this
attribute conform to the label production [RFC1034]. It is the
application's responsibility to ensure domains it stores in this
attribute are appropriately represented.

It is also noted that applications supporting Internationalized
Domain Names SHALL use the ToASCII method [RFC3490] to produce
<label> components of the <domain> [RFC1034] production. The special
considerations discussed in section 4 of RFC 3490 [RFC3490] should be
taken, depending on whether the domain component is used for "stored"
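As an added example (not code from this draft or from RFC 2247), the Python below implements the two obligations this section places on the application: it checks that a 'dc' value is exactly one RFC 1034 <label>, since the directory itself will not, and it maps an internationalized label through ToASCII before storing it, using the Python standard library's "idna" codec as the RFC 3490 implementation. It also shows the case-insensitive comparison that caseIgnoreIA5Match implies for this attribute. The helper names and the 'dc=...,dc=...' DN construction are this example's own.

```python
"""Validate and construct 'dc' values (Section 2.4).

Example code written for this page; not part of the draft or of any
LDAP implementation. Only the Python standard library is used; its
"idna" codec implements the RFC 3490 ToASCII operation.
"""
import re

# One <label> per RFC 1034: starts with a letter, ends with a letter or
# digit, interior letters/digits/hyphens, at most 63 characters.
LABEL_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_dc(value: str) -> bool:
    """True if value is exactly one RFC 1034 label, so "example.com"
    (two labels) is rejected. The directory will not enforce this, so
    the application has to."""
    return value.isascii() and LABEL_RE.fullmatch(value) is not None


def to_dc_value(label: str) -> str:
    """Map one, possibly internationalized, label to the 'dc' value to
    store: ToASCII per RFC 3490, then the RFC 1034 label check."""
    if not label:
        raise ValueError("empty label")
    ascii_label = label.encode("idna").decode("ascii")   # ToASCII
    if not is_valid_dc(ascii_label):
        raise ValueError(f"{label!r} is not a single valid label: {ascii_label!r}")
    return ascii_label


def domain_to_dn(domain: str) -> str:
    """Build the RFC 2247 style DN "dc=...,dc=..." for a domain name,
    one 'dc' RDN per label, most specific label first."""
    labels = domain.rstrip(".").split(".")
    return ",".join(f"dc={to_dc_value(label)}" for label in labels)


def dc_equal(a: str, b: str) -> bool:
    """caseIgnoreIA5Match as declared for 'dc': case-insensitive
    comparison of IA5 (ASCII) strings."""
    return a.lower() == b.lower()


if __name__ == "__main__":
    print(domain_to_dn("Example.COM"))       # dc=Example,dc=COM
    print(domain_to_dn("bücher.example"))    # dc=xn--bcher-kva,dc=example
    print(is_valid_dc("example.com"))        # False
```

Note that ToASCII leaves an all-ASCII label unchanged, including its case; equality is still decided case-insensitively, so "Example" and "EXAMPLE" are the same 'dc' value.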
2.5 'description'

The 'description' attribute type contains human-readable descriptive
phrases about the object. Each description is one value of this
multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.13 NAME 'description'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax

Examples: "a color printer", "Maintenance is done every Monday, at
1pm." and "distribution list for all technical staff".

2.6 'destinationIndicator'

The 'destinationIndicator' attribute type contains country and city
strings, associated with the object (the addressee), needed to
provide the Public Telegram Service. The strings are composed in
accordance with CCITT Recommendations F.1 [F.1] and F.31 [F.31].
Each string is one value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.27 NAME 'destinationIndicator'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )

1.3.6.1.4.1.1466.115.121.1.44 refers to the Printable String syntax

Examples: "AASD" as a destination indicator for Sydney, Australia.
"GBLD" as a destination indicator for London, United

It is noted that the directory will not ensure that values of this
attribute conform to the F.1 and F.31 CCITT Recommendations. It is
the application's responsibility to ensure destination indicators
that it stores in this attribute are appropriately constructed.
2.7 'distinguishedName'

The 'distinguishedName' attribute type is not used as the name of the
object itself, but it is instead a base type from which some user
attribute types with a DN syntax can inherit.

It is unlikely that values of this type itself will occur in an
entry. LDAP server implementations which do not support attribute
subtyping need not recognize this attribute in requests. Client
implementations MUST NOT assume that LDAP servers are capable of
performing attribute subtyping.
(Source: X.520 [X.520])

( 2.5.4.49 NAME 'distinguishedName'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

1.3.6.1.4.1.1466.115.121.1.12 refers to the DN syntax [Syntaxes].

2.8 'dnQualifier'

The 'dnQualifier' attribute type contains disambiguating information
strings to add to the relative distinguished name of an entry. The
information is intended for use when merging data from multiple
sources in order to prevent conflicts between entries which would
otherwise have the same name. Each string is one value of this
multi-valued attribute. It is recommended that a value of the
'dnQualifier' attribute be the same for all entries from a particular
(Source: X.520 [X.520])

( 2.5.4.46 NAME 'dnQualifier'
    EQUALITY caseIgnoreMatch
    ORDERING caseIgnoreOrderingMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )

1.3.6.1.4.1.1466.115.121.1.44 refers to the Printable String syntax

Examples: "20050322123345Z" - timestamps can be used to disambiguate
"123456A" - serial numbers can be used to disambiguate

2.9 'enhancedSearchGuide'

The 'enhancedSearchGuide' attribute type contains sets of information
for use by directory clients in constructing search filters. Each
set is one value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.47 NAME 'enhancedSearchGuide'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )

1.3.6.1.4.1.1466.115.121.1.21 refers to the Enhanced Guide syntax

Examples: "person#(sn$APPROX)#wholeSubtree"
"organizationalUnit#(ou$SUBSTR)#oneLevel"

2.10 'facsimileTelephoneNumber'

The 'facsimileTelephoneNumber' attribute type contains telephone
numbers (and, optionally, the parameters) for facsimile terminals.
Each telephone number is one value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.23 NAME 'facsimileTelephoneNumber'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )

1.3.6.1.4.1.1466.115.121.1.22 refers to the Facsimile Telephone
Number syntax [Syntaxes].

Examples: "+61 3 9896 7801" and "+81 3 347 7418$fineResolution"

2.11 'generationQualifier'

The 'generationQualifier' attribute type contains name strings that
are the part of a person's name which typically is the suffix. Each
string is one value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.44 NAME 'generationQualifier'

Examples: "III", "3rd" and "Jr.".

2.12 'givenName'

The 'givenName' attribute type contains name strings that are the
part of a person's name which is not their surname. Each string is
one value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.42 NAME 'givenName'

Examples: "Andrew", "Charles" and "Joanne"

2.13 'houseIdentifier'

The 'houseIdentifier' attribute type contains identifiers for a
building within a location. Each identifier is one value of this
multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.51 NAME 'houseIdentifier'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
Examples: "20" to represent the house number 20.
2.14 'initials'

The 'initials' attribute type contains strings of initials of some or
all of an individual's names, except the surname(s). Each string is
one value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.43 NAME 'initials'

Examples: "K. A." and "K".

2.15 'internationalISDNNumber'

The 'internationalISDNNumber' attribute type contains Integrated
Services Digital Network (ISDN) addresses, as defined in the
International Telecommunication Union (ITU) Recommendation E.164
[E.164]. Each address is one value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.25 NAME 'internationalISDNNumber'
    EQUALITY numericStringMatch
    SUBSTR numericStringSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )

1.3.6.1.4.1.1466.115.121.1.36 refers to the Numeric String syntax

Example: "0198 333 333"

2.16 'l'

The 'l' ('localityName' in X.500) attribute type contains names of a
locality or place, such as a city, county or other geographic region.
Each name is one value of this multi-valued attribute.
(Source: X.520 [X.520])

Examples: "Geneva", "Paris" and "Edinburgh".

2.17 'member'

The 'member' attribute type contains the Distinguished Names of
objects that are on a list or in a group. Each name is one value of
this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.31 NAME 'member'
    SUP distinguishedName )
Examples: "cn=James Clarke,ou=Finance,o=Widget\, Inc." and
"cn=John Xerri,ou=Finance,o=Widget\, Inc" may be two members of the
financial team (group) at Widget, Inc., in which case both of these
distinguished names would be present as individual values of the
member attribute.
2.18 'name'

The 'name' attribute type is the attribute supertype from which user
attribute types with the name syntax inherit. Such attribute types
are typically used for naming. The attribute type is multi-valued.

It is unlikely that values of this type itself will occur in an
entry. LDAP server implementations which do not support attribute
subtyping need not recognize this attribute in requests. Client
implementations MUST NOT assume that LDAP servers are capable of
performing attribute subtyping.
(Source: X.520 [X.520])

( 2.5.4.41 NAME 'name'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax

2.19 'o'

The 'o' ('organizationName' in X.500) attribute type contains the
names of an organization. Each name is one value of this
multi-valued attribute.
(Source: X.520 [X.520])

Examples: "Widget", "Widget, Inc." and "Widget, Incorporated.".

2.20 'ou'

The 'ou' ('organizationalUnitName' in X.500) attribute type contains
the names of an organizational unit. Each name is one value of this
multi-valued attribute.
(Source: X.520 [X.520])

Examples: "Finance", "Human Resources" and "Research and

2.21 'owner'

The 'owner' attribute type contains the Distinguished Names of
objects that have an ownership responsibility for the object that is
owned. Each owner's name is one value of this multi-valued
(Source: X.520 [X.520])

( 2.5.4.32 NAME 'owner'
    SUP distinguishedName )
Example: The mailing list object, whose DN is
"cn=All Employees,ou=Mailing List,o=Widget\, Inc.", is owned by the Human
Therefore, the value of the owner attribute within the mailing list
object would be the DN of the director (role):
"cn=Human Resources Director,ou=employee,o=Widget\, Inc.".
2.22 'physicalDeliveryOfficeName'

The 'physicalDeliveryOfficeName' attribute type contains names that a
Postal Service uses to identify a post office.
(Source: X.520 [X.520])

( 2.5.4.19 NAME 'physicalDeliveryOfficeName'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax

Examples: "Bremerhaven, Main" and "Bremerhaven, Bonnstrasse".

2.23 'postalAddress'

The 'postalAddress' attribute type contains addresses used by a
Postal Service to perform services for the object. Each address is
one value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.16 NAME 'postalAddress'
    EQUALITY caseIgnoreListMatch
    SUBSTR caseIgnoreListSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

1.3.6.1.4.1.1466.115.121.1.41 refers to the Postal Address syntax

Example: "15 Main St.$Ottawa$Canada".

2.24 'postalCode'

The 'postalCode' attribute type contains codes used by a Postal
Service to identify postal service zones. Each code is one value of
this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.17 NAME 'postalCode'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax

Example: "22180", to identify Vienna, VA in the USA.

2.25 'postOfficeBox'

The 'postOfficeBox' attribute type contains postal box identifiers
that a Postal Service uses when a customer arranges to receive mail
at a box on premises of the Postal Service. Each postal box
identifier is a single value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.18 NAME 'postOfficeBox'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax

2.26 'preferredDeliveryMethod'

The 'preferredDeliveryMethod' attribute type contains an indication
of the preferred method of getting a message to the object.
(Source: X.520 [X.520])

( 2.5.4.28 NAME 'preferredDeliveryMethod'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.14

1.3.6.1.4.1.1466.115.121.1.14 refers to the Delivery Method syntax

Example: If the mhs-delivery Delivery Method is preferred over
telephone-delivery, which is preferred over all other
methods, the value would be: "mhs $ telephone"

2.27 'registeredAddress'

The 'registeredAddress' attribute type contains postal addresses
suitable for reception of telegrams or expedited documents, where it
is necessary to have the recipient accept delivery. Each address is
one value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.26 NAME 'registeredAddress'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

1.3.6.1.4.1.1466.115.121.1.41 refers to the Postal Address syntax

Example: "Receptionist$Widget, Inc.$15 Main St.$Ottawa$Canada".
2.28 'roleOccupant'

The 'roleOccupant' attribute type contains the Distinguished Names of
objects (normally people) that fulfill the responsibilities of a role
object. Each distinguished name is one value of this multi-valued
(Source: X.520 [X.520])

( 2.5.4.33 NAME 'roleOccupant'
    SUP distinguishedName )

Example: The role object,
"cn=Human Resources Director,ou=Position,o=Widget\, Inc.", is
fulfilled by two people whose object names are
"cn=Mary Smith,ou=employee,o=Widget\, Inc." and
"cn=James Brown,ou=employee,o=Widget\, Inc.". The 'roleOccupant'
attribute will contain both of these distinguished names, since they
are the occupants of this role.

2.29 'searchGuide'

The 'searchGuide' attribute type contains sets of information for use
by clients in constructing search filters. It is superseded by
'enhancedSearchGuide', described above in section 2.9. Each set is
one value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.14 NAME 'searchGuide'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )

1.3.6.1.4.1.1466.115.121.1.25 refers to the Guide syntax [Syntaxes].

Example: "person#sn$EQ"

2.30 'seeAlso'

The 'seeAlso' attribute type contains Distinguished Names of objects
that are related to the subject object. Each related object name is
one value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.34 NAME 'seeAlso'
    SUP distinguishedName )

Example: The person object, "cn=James Brown,ou=employee,o=Widget\, Inc."
is related to the role objects,
"cn=Football Team Captain,ou=sponsored activities,o=Widget\, Inc." and
"cn=Chess Team,ou=sponsored activities,o=Widget\, Inc.".
Since the role objects are related to the person object, the
'seeAlso' attribute will contain the distinguished name of
each role object as separate values.

2.31 'serialNumber'

The 'serialNumber' attribute type contains the serial numbers of
devices. Each serial number is one value of this multi-valued
(Source: X.520 [X.520])

( 2.5.4.5 NAME 'serialNumber'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )

1.3.6.1.4.1.1466.115.121.1.44 refers to the Printable String syntax

Examples: "WI-3005" and "XF551426".

2.32 'sn'

The 'sn' ('surname' in X.500) attribute type contains name strings
for the family names of a person. Each string is one value of this
multi-valued attribute.
(Source: X.520 [X.520])

2.33 'st'

The 'st' ('stateOrProvinceName' in X.500) attribute type contains the
full names of states or provinces. Each name is one value of this
multi-valued attribute.
(Source: X.520 [X.520])

Example: "California".
2.34 'street'

The 'street' ('streetAddress' in X.500) attribute type contains site
information from a postal address (i.e., the street name, place,
avenue, and the house number). Each street is one value of this
multi-valued attribute.
(Source: X.520 [X.520])
963 ( 2.5.4.9 NAME 'street'
964 EQUALITY caseIgnoreMatch
965 SUBSTR caseIgnoreSubstringsMatch
966 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
968 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
Example: "15 Main St."

2.35 'telephoneNumber'

The 'telephoneNumber' attribute type contains telephone numbers that
comply with the ITU Recommendation E.123 [E.123]. Each number is one
value of this multi-valued attribute.
(Source: X.520 [X.520])

      ( 2.5.4.20 NAME 'telephoneNumber'
        EQUALITY telephoneNumberMatch
        SUBSTR telephoneNumberSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )

1.3.6.1.4.1.1466.115.121.1.50 refers to the Telephone Number syntax

Example: "+1 234 567 8901".

2.36 'teletexTerminalIdentifier'

The withdrawal of Rec. F.200 has resulted in the withdrawal of this
(Source: X.520 [X.520])

      ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )

1.3.6.1.4.1.1466.115.121.1.51 refers to the Teletex Terminal
Identifier syntax [Syntaxes].

2.37 'telexNumber'

The 'telexNumber' attribute type contains sets of strings which are a
telex number, country code, and answerback code of a telex terminal.
Each set is one value of this multi-valued attribute.
(Source: X.520 [X.520])

      ( 2.5.4.21 NAME 'telexNumber'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )

1.3.6.1.4.1.1466.115.121.1.52 refers to the Telex Number syntax

Example: "12345$023$ABCDE"

2.38 'title'

The 'title' attribute type contains the title of a person in their
organizational context. Each title is one value of this multi-valued
(Source: X.520 [X.520])

      ( 2.5.4.12 NAME 'title'

Examples: "Vice President", "Software Engineer" and "CEO".

2.39 'uid'

The 'uid' ('userid' in RFC 1274) attribute type contains computer
system login names associated with the object. Each name is one
value of this multi-valued attribute.
(Source: RFC 2798 [RFC2798] and RFC 1274 [RFC1274])

      ( 0.9.2342.19200300.100.1.1 NAME 'uid'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax

Examples: "s9709015", "admin" and "Administrator".

Note that the EQUALITY rule is caseIgnoreMatch: "admin" and "ADMIN"
are the same value for an equality filter and for value uniqueness
checks, so a system that treats login names as case-sensitive cannot
rely on a 'uid' equality search to tell them apart.

2.40 'uniqueMember'

The 'uniqueMember' attribute type contains the Distinguished Names of
an object that is on a list or in a group, where the Relative
Distinguished Names of the object include a value that distinguishes
between objects when a distinguished name has been reused. Each
distinguished name is one value of this multi-valued attribute.
(Source: X.520 [X.520])

      ( 2.5.4.50 NAME 'uniqueMember'
        EQUALITY uniqueMemberMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )

1.3.6.1.4.1.1466.115.121.1.34 refers to the Name and Optional UID

Example: If "ou=1st Battalion,o=Defense,c=US" is a battalion that was
disbanded, establishing a new battalion with the "same" name
would have a unique identifier value added, resulting in
"ou=1st Battalion, o=Defense,c=US#'010101'B".
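Worked example, added by the editor and not part of this specification or of any directory product: parsing a Name and Optional UID value and evaluating uniqueMemberMatch on it, using the battalion example above. The distinguished name comparison is a deliberately simplified stand-in for distinguishedNameMatch (whitespace around RDN separators ignored, case folded), and the uniqueMemberMatch semantics follow the LDAP definition as I read it (DNs match, and the bit strings are either absent from both values or present in both and identical); function names and the constructed group are assumptions.

```python
import re
from typing import Iterable, NamedTuple, Optional


class NameAndOptionalUID(NamedTuple):
    dn: str
    uid: Optional[str]  # bit string digits, e.g. "010101", or None


# The optional uid is a '#' followed by a bit string of the form '0101'B
# and is always the tail of the value, so anchor on the end of the string.
_UID_TAIL = re.compile(r"^(?P<dn>.*)#'(?P<bits>[01]*)'B$", re.DOTALL)


def parse_unique_member(value: str) -> NameAndOptionalUID:
    """Split a Name and Optional UID value into its DN and bit string."""
    m = _UID_TAIL.match(value)
    if m:
        return NameAndOptionalUID(m.group("dn"), m.group("bits"))
    return NameAndOptionalUID(value, None)


def normalize_dn(dn: str) -> str:
    """Simplified stand-in for distinguishedNameMatch (assumption, not
    from the document): split on unescaped commas, strip whitespace
    around each RDN and case-fold.  A real implementation must apply each
    attribute type's own equality rule and handle multi-valued RDNs,
    escaped characters and hex-encoded values."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(rdn.strip().casefold() for rdn in rdns)


def unique_member_match(attribute_value: str, assertion_value: str) -> bool:
    """uniqueMemberMatch: the DNs must match, and the bit strings must be
    either absent from both values or present in both and identical
    (bitStringMatch: same length, same bits)."""
    stored = parse_unique_member(attribute_value)
    asserted = parse_unique_member(assertion_value)
    if normalize_dn(stored.dn) != normalize_dn(asserted.dn):
        return False
    if stored.uid is None and asserted.uid is None:
        return True
    return stored.uid is not None and stored.uid == asserted.uid


def is_unique_member(group_values: Iterable[str], candidate: str) -> bool:
    """Membership test over the values of a 'uniqueMember' attribute."""
    return any(unique_member_match(v, candidate) for v in group_values)


if __name__ == "__main__":
    # Constructed group: the disbanded battalion was a member, and the new
    # battalion with the "same" name carries a unique identifier.
    members = ["ou=1st Battalion,o=Defense,c=US",
               "ou=1st Battalion, o=Defense,c=US#'010101'B"]
    print(parse_unique_member(members[1]))
    # A plain DN only matches the old entry's value, never the new one.
    print(is_unique_member(members, "ou=1st Battalion,o=Defense,c=US"))
    print(is_unique_member(members, "ou=1st Battalion,o=Defense,c=US#'010101'B"))
    print(is_unique_member(members, "ou=1st Battalion,o=Defense,c=US#'010110'B"))
```

The security point of the rule is the asymmetry in the last two comparisons: a value carrying a bit string never matches an assertion without one, so an entry that reuses a disbanded object's name does not inherit that object's group memberships.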
2.41 'userPassword'

The 'userPassword' attribute contains octet strings that are known
only to the user and the system to which the user has access. Each
string is one value of this multi-valued attribute.

The application SHOULD prepare textual strings used as passwords by
transcoding them to Unicode, applying SASLprep [SASLprep], and
encoding as UTF-8. The determination of whether a password is
textual is a local client matter.
(Source: X.509 [X.509])

      ( 2.5.4.35 NAME 'userPassword'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

1.3.6.1.4.1.1466.115.121.1.40 refers to the Octet String syntax

Passwords are stored using an Octet String syntax and are not
encrypted; the syntax itself provides no protection for the value.
Transfer of cleartext passwords is strongly discouraged where the
underlying transport service cannot guarantee confidentiality, and
may result in disclosure of the password to unauthorized parties.

Because the EQUALITY rule is octetStringMatch, a value matches only
if the octets are identical. A client that prepares a non-ASCII
password as described above and one that does not will therefore
produce different octet strings for the same text, and only one of
them will match the stored value.

An example of a need for multiple values in the 'userPassword'
attribute is an environment where every month the user is expected
to use a different password generated by some automated system.
During transitional periods, such as the last and first day of the
periods, it may be necessary to allow two passwords for the two
consecutive periods to be valid in the system.
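The preparation step above, worked through as an added example (editor's code, not from this document or from any LDAP implementation): SASLprep built on the RFC 3454 tables shipped in Python's standard stringprep module, followed by UTF-8 encoding to produce the octet string that is stored in, or asserted against, 'userPassword'. The sample strings at the bottom are the ones given in the SASLprep specification; function and exception names are my own.

```python
import stringprep
import unicodedata


class SASLprepError(ValueError):
    """Raised when a string cannot be prepared: prohibited character,
    unassigned code point, or a failed bidirectional check."""


# Prohibited-output tables of the SASLprep profile.  Python's stringprep
# module carries the RFC 3454 tables, so no data is embedded here.
_PROHIBITED = (
    stringprep.in_table_c12,  # non-ASCII space characters
    stringprep.in_table_c21,  # ASCII control characters
    stringprep.in_table_c22,  # non-ASCII control characters
    stringprep.in_table_c3,   # private use
    stringprep.in_table_c4,   # non-character code points
    stringprep.in_table_c5,   # surrogate codes
    stringprep.in_table_c6,   # inappropriate for plain text
    stringprep.in_table_c7,   # inappropriate for canonical representation
    stringprep.in_table_c8,   # change display properties or deprecated
    stringprep.in_table_c9,   # tagging characters
)


def saslprep(text: str, stored: bool = True) -> str:
    """Apply the SASLprep profile to a textual password.

    stored=True is the strict form for values that will be kept in the
    directory: unassigned code points are rejected.  A bind assertion
    (query) may pass stored=False and let them through.
    """
    # Step 1, mapping: non-ASCII spaces become SPACE; characters that are
    # "commonly mapped to nothing" (soft hyphen, zero-width joiners, ...)
    # are dropped.
    mapped = []
    for ch in text:
        if stringprep.in_table_c12(ch):
            mapped.append(" ")
        elif stringprep.in_table_b1(ch):
            continue
        else:
            mapped.append(ch)

    # Step 2, normalisation with NFKC, so that e.g. ROMAN NUMERAL NINE
    # (U+2168) becomes the two letters "IX".
    prepared = unicodedata.normalize("NFKC", "".join(mapped))

    # Step 3, prohibited output.
    for ch in prepared:
        if any(table(ch) for table in _PROHIBITED):
            raise SASLprepError(f"prohibited character U+{ord(ch):04X}")
        if stored and stringprep.in_table_a1(ch):
            raise SASLprepError(f"unassigned code point U+{ord(ch):04X}")

    # Step 4, bidirectional check: a string containing right-to-left
    # characters may not also contain left-to-right ones, and must both
    # start and end with a right-to-left character.
    if any(stringprep.in_table_d1(ch) for ch in prepared):
        if any(stringprep.in_table_d2(ch) for ch in prepared):
            raise SASLprepError("mixed RandALCat and LCat characters")
        if not (stringprep.in_table_d1(prepared[0])
                and stringprep.in_table_d1(prepared[-1])):
            raise SASLprepError("RandALCat string must start and end "
                                "with a RandALCat character")
    return prepared


def prepare_password(text: str, stored: bool = True) -> bytes:
    """Turn a textual password into the octet string carried in
    'userPassword': SASLprep, then UTF-8."""
    return saslprep(text, stored=stored).encode("utf-8")


if __name__ == "__main__":
    # Sample strings from the SASLprep specification; the last two fail.
    for sample in ["I\u00adX", "user", "USER", "\u00aa", "\u2168"]:
        print(repr(sample), "->", prepare_password(sample))
    for sample in ["\u0007", "\u0627\u0031"]:
        try:
            prepare_password(sample)
        except SASLprepError as exc:
            print(repr(sample), "-> rejected:", exc)
```

Run it and the soft hyphen in "I\u00adX" disappears, "\u2168" becomes "IX", the BEL character is rejected as prohibited, and "\u0627\u0031" (an Arabic letter followed by a digit) fails the bidirectional check; those are exactly the cases where an unprepared client and a prepared one would disagree about the stored octets.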
2.42 'x121Address'

The 'x121Address' attribute type contains data network addresses as
defined by ITU Recommendation X.121 [X.121]. Each address is one
value of this multi-valued attribute.
(Source: X.520 [X.520])

      ( 2.5.4.24 NAME 'x121Address'
        EQUALITY numericStringMatch
        SUBSTR numericStringSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )

1.3.6.1.4.1.1466.115.121.1.36 refers to the Numeric String syntax

Example: "36111222333444555".

2.43 'x500UniqueIdentifier'

The 'x500UniqueIdentifier' attribute type contains binary strings
that are used to distinguish between objects when a distinguished
name has been reused. Each string is one value of this multi-valued
In X.520 [X.520], this attribute type is called 'uniqueIdentifier'.
This is a different attribute type from both the 'uid' and
'uniqueIdentifier' LDAP attribute types. The 'uniqueIdentifier'
attribute type is defined in [RFC1274].
(Source: X.520 [X.520])

      ( 2.5.4.45 NAME 'x500UniqueIdentifier'
        EQUALITY bitStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )

1.3.6.1.4.1.1466.115.121.1.6 refers to the Bit String syntax

3. Object Classes

LDAP servers SHOULD recognize all the Object Classes listed here as
values of the 'objectClass' attribute (see [Models]).

3.1 'applicationProcess'

The 'applicationProcess' object class definition is the basis of an
entry which represents an application executing in a computer system.
(Source: X.521 [X.521])

      ( 2.5.6.11 NAME 'applicationProcess'

3.2 'country'

The 'country' object class definition is the basis of an entry which
represents a country.
(Source: X.521 [X.521])

      ( 2.5.6.2 NAME 'country'

3.3 'dcObject'

The 'dcObject' object class permits an entry to contain domain
component information. This object class is defined as auxiliary,
because it will be used in conjunction with an existing structural
(Source: RFC 2247 [RFC2247])

      ( 1.3.6.1.4.1.1466.344 NAME 'dcObject'

3.4 'device'

The 'device' object class is the basis of an entry which represents
an appliance, computer or network element.
(Source: X.521 [X.521])

      ( 2.5.6.14 NAME 'device'
        MAY ( serialNumber $

3.5 'groupOfNames'

The 'groupOfNames' object class is the basis of an entry which
represents a set of named objects including information related to
the purpose or maintenance of the set.
(Source: X.521 [X.521])

      ( 2.5.6.9 NAME 'groupOfNames'
        MAY ( businessCategory $

3.6 'groupOfUniqueNames'

The 'groupOfUniqueNames' object class is the same as the
'groupOfNames' object class except that the object names are not
repeated or reassigned within a set scope.
(Source: X.521 [X.521])

      ( 2.5.6.17 NAME 'groupOfUniqueNames'
        MUST ( uniqueMember $
        MAY ( businessCategory $

3.7 'locality'

The 'locality' object class is the basis of an entry which represents
a place in the physical world.
(Source: X.521 [X.521])

      ( 2.5.6.3 NAME 'locality'

3.8 'organization'

The 'organization' object class is the basis of an entry which
represents a structured group of people.
(Source: X.521 [X.521])

      ( 2.5.6.4 NAME 'organization'
        MAY ( userPassword $ searchGuide $ seeAlso $
              businessCategory $ x121Address $ registeredAddress $
              destinationIndicator $ preferredDeliveryMethod $
              telexNumber $ teletexTerminalIdentifier $
              telephoneNumber $ internationaliSDNNumber $
              facsimileTelephoneNumber $ street $ postOfficeBox $
              postalCode $ postalAddress $ physicalDeliveryOfficeName $
              st $ l $ description ) )

3.9 'organizationalPerson'

The 'organizationalPerson' object class is the basis of an entry
which represents a person in relation to an organization.
(Source: X.521 [X.521])
      ( 2.5.6.7 NAME 'organizationalPerson'
        MAY ( title $ x121Address $ registeredAddress $
              destinationIndicator $ preferredDeliveryMethod $
              telexNumber $ teletexTerminalIdentifier $
              telephoneNumber $ internationaliSDNNumber $
              facsimileTelephoneNumber $ street $ postOfficeBox $
              postalCode $ postalAddress $ physicalDeliveryOfficeName $

3.10 'organizationalRole'

The 'organizationalRole' object class is the basis of an entry which
represents a job, function or position in an organization.
(Source: X.521 [X.521])

      ( 2.5.6.8 NAME 'organizationalRole'
        MAY ( x121Address $ registeredAddress $ destinationIndicator $
              preferredDeliveryMethod $ telexNumber $
              teletexTerminalIdentifier $ telephoneNumber $
              internationaliSDNNumber $ facsimileTelephoneNumber $
              seeAlso $ roleOccupant $ preferredDeliveryMethod $
              street $ postOfficeBox $ postalCode $ postalAddress $
              physicalDeliveryOfficeName $ ou $ st $ l $

3.11 'organizationalUnit'

The 'organizationalUnit' object class is the basis of an entry which
represents a piece of an organization.
(Source: X.521 [X.521])

      ( 2.5.6.5 NAME 'organizationalUnit'
        MAY ( businessCategory $ description $ destinationIndicator $
              facsimileTelephoneNumber $ internationaliSDNNumber $ l $
              physicalDeliveryOfficeName $ postalAddress $ postalCode $
              postOfficeBox $ preferredDeliveryMethod $
              registeredAddress $ searchGuide $ seeAlso $ st $ street $
              telephoneNumber $ teletexTerminalIdentifier $
              telexNumber $ userPassword $ x121Address ) )

3.12 'person'

The 'person' object class is the basis of an entry which represents a
(Source: X.521 [X.521])

      ( 2.5.6.6 NAME 'person'
        MAY ( userPassword $
              seeAlso $ description ) )

3.13 'residentialPerson'

The 'residentialPerson' object class is the basis of an entry which
includes a person's residence in the representation of the person.
(Source: X.521 [X.521])

      ( 2.5.6.10 NAME 'residentialPerson'
        MAY ( businessCategory $ x121Address $ registeredAddress $
              destinationIndicator $ preferredDeliveryMethod $
              telexNumber $ teletexTerminalIdentifier $
              telephoneNumber $ internationaliSDNNumber $
              facsimileTelephoneNumber $ preferredDeliveryMethod $
              street $ postOfficeBox $ postalCode $ postalAddress $
              physicalDeliveryOfficeName $ st $ l ) )

3.14 'uidObject'

The 'uidObject' object class permits an entry to contain user
identification information. This object class is defined as
auxiliary, because it will be used in conjunction with an existing
structural object class.
(Source: RFC 2377 [RFC2377])

      ( 1.3.6.1.1.3.1 NAME 'uidObject'
4. IANA Considerations

It is requested that the Internet Assigned Numbers Authority (IANA)
update the LDAP descriptors registry as indicated in the following

      Subject: Request for LDAP Descriptor Registration Update
      Descriptor (short name): see comment
      Object Identifier: see comment
      Person & email address to contact for further information:
          Andrew Sciberras <andrew.sciberras@eb2bcom.com>
      Usage: (A = attribute type, O = Object Class) see comment
      Specification: RFC XXXX [editor's note: The RFC number will be
          the one assigned to this document.]
      Author/Change Controller: IESG

In the LDAP descriptors registry, the following descriptors (short
names) should be updated to refer to RFC XXXX [editor's note: This
document]. Names that need to be reserved, rather than assigned to
an Object Identifier, will contain an Object Identifier value of

      ------------------------    ----   ----------------------------
      applicationProcess          O      2.5.6.11
      businessCategory            A      2.5.4.15
      commonName                  A      2.5.4.3
      countryName                 A      2.5.4.6
      DC                          A      0.9.2342.19200300.100.1.25
      dcObject                    O      1.3.6.1.4.1.1466.344
      description                 A      2.5.4.13
      destinationIndicator        A      2.5.4.27
      distinguishedName           A      2.5.4.49
      dnQualifier                 A      2.5.4.46
      domainComponent             A      0.9.2342.19200300.100.1.25
      enhancedSearchGuide         A      2.5.4.47
      facsimileTelephoneNumber    A      2.5.4.23
      generationQualifier         A      2.5.4.44
      givenName                   A      2.5.4.42
      groupOfNames                O      2.5.6.9
      groupOfUniqueNames          O      2.5.6.17
      houseIdentifier             A      2.5.4.51
      internationalISDNNumber     A      2.5.4.25
      localityName                A      2.5.4.7
      organization                O      2.5.6.4
      organizationName            A      2.5.4.10
      organizationalPerson        O      2.5.6.7
      organizationalRole          O      2.5.6.8
      organizationalUnit          O      2.5.6.5
      organizationalUnitName      A      2.5.4.11
      physicalDeliveryOfficeName  A      2.5.4.19
      postalAddress               A      2.5.4.16
      postalCode                  A      2.5.4.17
      postOfficeBox               A      2.5.4.18
      preferredDeliveryMethod     A      2.5.4.28
      registeredAddress           A      2.5.4.26
      residentialPerson           O      2.5.6.10
      roleOccupant                A      2.5.4.33
      searchGuide                 A      2.5.4.14
      serialNumber                A      2.5.4.5
      telephoneNumber             A      2.5.4.20
      teletexTerminalIdentifier   A      2.5.4.22
      telexNumber                 A      2.5.4.21
      uid                         A      0.9.2342.19200300.100.1.1
      uidObject                   O      1.3.6.1.1.3.1
      uniqueMember                A      2.5.4.50
      userId                      A      0.9.2342.19200300.100.1.1
      userPassword                A      2.5.4.35
      x121Address                 A      2.5.4.24
      x500UniqueIdentifier        A      2.5.4.45
5. Security Considerations

Attributes of directory entries are used to provide descriptive
information about the real-world objects they represent, which can be
people, organizations or devices. Most countries have privacy laws
regarding the publication of information about people.

Transfer of cleartext passwords is strongly discouraged where the
underlying transport service cannot guarantee confidentiality, and
may result in disclosure of the password to unauthorized parties.

Multiple attribute values for 'userPassword' need to be used with
care. In particular, reset or deletion of a password by an
administrator who does not know the old user password becomes tricky
or impossible if multiple values for different applications are
present.

Certainly, applications which intend to replace the 'userPassword'
value(s) with new value(s) should use modify/replaceValues (or
modify/deleteAttribute+addAttribute). A modify/add that merely
appends a new value leaves every previous value accepted for
authentication. Additionally, server implementations are encouraged
to provide administrative controls which, if enabled, restrict the
'userPassword' attribute to one

Note that when used for authentication purposes [AuthMeth], the user
need only prove knowledge of one of the values, not all of the
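The two paragraphs above, as an added example (editor's code, not the document's, and modelled on an in-memory entry rather than a real server): LDAP Modify 'add', 'delete' and 'replace' applied to a multi-valued 'userPassword', with a bind check that accepts any one stored value. It shows why appending a value with 'add' leaves the old one usable, why a user can only retire a value they know, why 'replace' is the operation for an administrative reset, and why that reset also discards every other application's value. Entry layout, function names and the constructed sample passwords are assumptions.

```python
import hmac
from typing import Dict, List

# Constructed stand-in for a directory entry: attribute type -> values.
Entry = Dict[str, List[bytes]]


def bind_ok(entry: Entry, candidate: bytes) -> bool:
    """Simple bind as the text describes it: the candidate must equal
    ONE of the stored 'userPassword' values (octetStringMatch, i.e. the
    exact octets).  Every stored value is compared, in constant time for
    equal-length values, so timing does not reveal which value matched."""
    matched = False
    for stored in entry.get("userPassword", []):
        if hmac.compare_digest(stored, candidate):
            matched = True
    return matched


def modify(entry: Entry, operation: str, attribute: str,
           values: List[bytes]) -> None:
    """One LDAP Modify change.  'add' appends values and leaves the
    existing ones in place; 'delete' removes the named values (the whole
    attribute when no values are given) and so requires knowing them;
    'replace' discards whatever was there and installs exactly 'values'."""
    current = entry.get(attribute, [])
    if operation == "add":
        for v in values:
            if v in current:
                raise ValueError("attributeOrValueExists")
        entry[attribute] = current + list(values)
    elif operation == "delete":
        if not values:
            entry.pop(attribute, None)
            return
        for v in values:
            if v not in current:
                raise ValueError("noSuchAttribute")
        remaining = [v for v in current if v not in values]
        if remaining:
            entry[attribute] = remaining
        else:
            entry.pop(attribute, None)
    elif operation == "replace":
        if values:
            entry[attribute] = list(values)
        else:
            entry.pop(attribute, None)
    else:
        raise ValueError(f"unknown modify operation {operation!r}")


def user_change_password(entry: Entry, old: bytes, new: bytes) -> None:
    """Change by the user: delete the value they know, add the new one.
    Fails with noSuchAttribute, touching nothing, when 'old' is absent."""
    modify(entry, "delete", "userPassword", [old])
    modify(entry, "add", "userPassword", [new])


def admin_reset_password(entry: Entry, new: bytes) -> None:
    """Reset by an administrator who knows none of the old values:
    modify/replace, which necessarily drops every existing value."""
    modify(entry, "replace", "userPassword", [new])


def demonstrate() -> Dict[str, bool]:
    """Walk through the scenarios in the text; every result is True."""
    monthly, app_b, new = b"winter-2005", b"app-b-secret", b"spring-2005"
    entry: Entry = {"uid": [b"s9709015"], "userPassword": [monthly, app_b]}
    result = {}

    # Monthly rotation done with modify/add: the old value still binds.
    modify(entry, "add", "userPassword", [new])
    result["add_keeps_old_valid"] = bind_ok(entry, monthly)

    # The user retires the old value; possible only because they know it.
    user_change_password(entry, monthly, b"summer-2005")
    result["user_change_drops_old"] = not bind_ok(entry, monthly)
    result["user_change_keeps_app_b"] = bind_ok(entry, app_b)

    # Administrative reset via modify/replace: everything else is gone,
    # including the value the other application depended on.
    admin_reset_password(entry, b"reset-by-helpdesk")
    result["reset_new_binds"] = bind_ok(entry, b"reset-by-helpdesk")
    result["reset_drops_app_b"] = not bind_ok(entry, app_b)
    result["reset_drops_new"] = not bind_ok(entry, new)
    return result


if __name__ == "__main__":
    for name, ok in demonstrate().items():
        print(f"{name}: {ok}")
```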
6. Acknowledgements

The definitions, on which this document is based, have been developed
by committees for telecommunications and international standards.

This document is an update of RFC 2256 by Mark Wahl. RFC 2256 was a
product of the IETF ASID Working Group.

The 'dc' attribute type definition and the 'dcObject' object class
definition in this document supersede the specification in RFC 2247
by S. Kille, M. Wahl, A. Grimstad, R. Huber, and S. Sataluri.

The 'uid' attribute type definition in this document supersedes the
specification of the 'userid' in RFC 1274 by P. Barker and S. Kille
and of the 'uid' in RFC 2798 by M. Smith.

The 'uidObject' object class definition in this document supersedes
the specification of the 'uidObject' in RFC 2377 by A. Grimstad, R.
Huber, S. Sataluri and M. Smith.

This document is based upon input of the IETF LDAPBIS working group.
The author wishes to thank S. Legg and K. Zeilenga for their
significant contribution to this update. The author would also like
to thank Kathy Dally who edited early drafts of this document.
7. References

7.1 Normative References

[E.123]    Notation for national and international telephone
           numbers, ITU-T Recommendation E.123, 1988

[E.164]    The international public telecommunication numbering
           plan, ITU-T Recommendation E.164, 1997

[F.1]      Operational Provisions For The International Public
           Telegram Service Transmission System, CCITT
           Recommendation F.1, 1992

[F.31]     Telegram Retransmission System, CCITT Recommendation

[ISO3166]  ISO 3166, "Codes for the representation of names of

[Models]   K. Zeilenga, "LDAP: The Models", draft-ietf-ldapbis-
           models-xx (a work in progress)

[RFC1034]  P. Mockapetris, "DOMAIN NAMES - CONCEPTS AND
           FACILITIES", RFC 1034, January 1987

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
           Requirement Levels", RFC 2119, March 1997

[RFC2234]  Crocker, D., Overell P., "Augmented BNF for Syntax
           Specifications: ABNF", RFC 2234, November 1997

[RFC3490]  Faltstrom P., Hoffman P., Costello A.,
           "Internationalizing Domain Names in Applications
           (IDNA)", RFC 3490, March 2003

[Roadmap]  Zeilenga, K., "LDAP: Technical Specification Road
           Map", draft-ietf-ldapbis-roadmap-xx (a work in

[SASLprep] Zeilenga K., "SASLprep: Stringprep profile for user
           names and passwords", draft-ietf-sasl-saslprep-xx (a

[Syntaxes] S. Legg (editor), "LDAP: Syntaxes", draft-ietf-ldapbis-
           syntaxes-xx (a work in progress)

[X.121]    International numbering plan for public data networks,
           ITU-T Recommendation X.121, 1996

[X.509]    The Directory: Authentication Framework, ITU-T
           Recommendation X.509, 1993

[X.520]    The Directory: Selected Attribute Types, ITU-T
           Recommendation X.520, 1993

[X.521]    The Directory: Selected Object Classes, ITU-T
           Recommendation X.521, 1993

7.2 Informative References

[AuthMeth] Harrison R., "LDAP: Authentication Methods and
           Connection Level Security Mechanisms", draft-ietf-
           ldapbis-authmeth-xx (a work in progress)

[LDAP-PKI] Zeilenga, K., "Lightweight Directory Access Protocol
           (LDAP) schema definitions for X.509 Certificates",
           draft-zeilenga-ldap-x509-xx (a work in progress)

[RFC1274]  Barker, P., Kille, S., "The COSINE and Internet X.500
           Schema", RFC 1274, November 1991

[RFC2247]  Kille, S., Wahl, M., Grimstad, A., Huber, R., and
           Sataluri, S., "Using Domains in LDAP/X.500
           Distinguished Names", RFC 2247, January 1998

[RFC2377]  Grimstad, A., Huber, R., Sataluri, S., and Wahl, M.,
           "Naming Plan for Internet-Enabled Applications", RFC
           2377, September 1998

[RFC2798]  Smith, M., "Definition of the inetOrgPerson LDAP Object
           Class", RFC 2798, April 2000

[X.500]    The Directory, ITU-T Recommendations X.501-X.525, 1993

8. Editor's Address

Suite 3, Woodhouse Corporate Centre,
Box Hill North, Victoria 3129

Phone: +61 3 9896 7833
Email: andrew.sciberras@eb2bcom.com
9. Intellectual Property Statement

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at

10. Disclaimer of Validity

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

Copyright (C) The Internet Society (2005). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Appendix A Changes Made Since RFC 2256

This appendix lists the changes that have been made from RFC 2256 to

This appendix is not a normative part of this specification, which
has been provided for informational purposes only.

1. Replaced the document title.

2. Removed the IESG Note.

3. Dependencies on RFC 1274 have been eliminated.

4. Added a Security Considerations section and an IANA
   Considerations section.

5. Deleted the conformance requirement for subschema object
   classes in favor of a statement in [Syntaxes].

6. Added explanation to attribute types and to each object class.

7. Removed Section 4, Syntaxes, and Section 6, Matching Rules,
   (moved to [Syntaxes]).

8. Removed the certificate-related attribute types:
   authorityRevocationList, cACertificate,
   certificateRevocationList, crossCertificatePair,
   deltaRevocationList, supportedAlgorithms, and userCertificate.

   Removed the certificate-related Object Classes:
   certificationAuthority, certificationAuthority-V2,
   cRLDistributionPoint, strongAuthenticationUser, and
   userSecurityInformation

   LDAP PKI is now discussed in [LDAP-CRL] and [LDAP-CERT].

9. Removed the dmdName, knowledgeInformation,
   presentationAddress, protocolInformation, and
   supportedApplicationContext attribute types and the dmd,
   applicationEntity, and dSA object classes.

10. Deleted the aliasedObjectName and objectClass attribute type
    definitions. Deleted the alias and top object class
    definitions. They are included in [Models].

11. Added the 'dc' attribute type from RFC 2247.

12. Numerous editorial changes.

13. Removed upper bound after the SYNTAX oid in all attribute
    definitions where it appeared.

14. Added text about Unicode, SASLprep and UTF-8 for userPassword.

15. Corrected examples in preferredDeliveryMethod, uniqueMember,
    postalAddress, and registeredAddress attribute types.

16. Clarified and corrected examples in owner and roleOccupant

17. Added RFC 2234 to normative references.

18. Added RFC 1274 and RFC 2798 to informative references.

19. Removed the statement about RFC 2026 conformance.

20. Added the IPR Disclosure and Notice

21. Updated the Copyright text.

22. Included RFC 2377 into Updates header and Informative

23. Changed Editor information to Andrew Sciberras.

24. Updated I-D Template information.

25. References made consistent with other LDAPbis IDs. [ROADMAP]
    -> [RoadMap] and [AUTHMETH] -> [AuthMeth].

26. Changed Introduction to include an (LDAP) acronym after the

27. Renamed section 1.1 to "Relationship with other
    specifications" from "Situation".

28. Included definitions, comments and references for 'dcObject'

29. Replaced PKI schema references to use draft-zeilenga-ldap-

30. Spelt out and referenced ABNF on first usage.

31. Removed Section 2.4 (Source). Replaced the source table with
    explicit references for each definition.

32. All references to an attribute type or object class are
    enclosed in single quotes.

33. The layout of attribute type definitions has been changed to
    provide consistency throughout the document:

    > Description of Attribute type
    > Multivalued description
    > Source Information
    > Additional Comments

    Adding this consistent output included the addition of
    examples to some definitions.

34. References to alternate names for attribute types are
    provided with a reference to where they were originally

35. Clarification of the description of 'distinguishedName' and
    'name', in regards to these attribute types being supertypes.

36. Spelt out ISDN on first usage.

37. Inserted a reference to [Syntaxes] for the
    'teletexTerminalIdentifier' definition's SYNTAX OID.

38. Additional names were added to the IANA Considerations. Names
    include 'commonName', 'dcObject', 'domainComponent', 'GN',
    'localityName', 'organizationName', 'organizationalUnitName',
    'surname', 'uidObject' and 'userid'.

39. Renamed all instances of supercede to supersede.

40. Moved [F.1], [F.30] and [SASLprep] from informative to
    normative references.

41. Changed the 'c' definition to be consistent with X.500.

42. Added text to 'dc', making the distinction between 'stored'
    and 'query' values when preparing IDN strings.