INTERNET-DRAFT                                   Editor: A. Sciberras
Intended Category: Standard Track                            eB2Bcom
Updates: RFC 2247, RFC 2798, RFC 2377                January 30, 2006

                  LDAP: Schema for User Applications
                  draft-ietf-ldapbis-user-schema-11.txt

Copyright (C) The Internet Society (2006). All Rights Reserved.

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

By submitting this Internet-Draft, I accept the provisions of Section

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress".

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html

This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor as a Standard Track document.
Distribution of this document is unlimited. Technical discussion of
this document should take place on the IETF LDAP Revision Working
Group (LDAPbis) mailing list <ietf-ldapbis@openldap.org>. Please
send editorial comments directly to the editor
<andrew.sciberras@eb2bcom.com>.

This Internet-Draft expires on 30 July 2006.

Sciberras                Expires 30 July 2006                 [Page 1]

INTERNET-DRAFT     LDAP: Schema for User Applications  January 30, 2006
Abstract

This document is an integral part of the Lightweight Directory Access
Protocol (LDAP) technical specification [Roadmap]. It provides a
technical specification of attribute types and object classes
intended for use by LDAP directory clients for many directory
services, such as White Pages. These objects are widely used as a
basis for the schema in many LDAP directories. This document does
not cover attributes used for the administration of directory
servers, nor does it include directory objects defined for specific
uses in other documents.
Table of Contents

Status of this Memo . . . . . . . . . . . . . . . . . . . . . . . 1
Copyright Notice. . . . . . . . . . . . . . . . . . . . . . . . . 1
Abstract. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Table of Contents . . . . . . . . . . . . . . . . . . . . . . . . 3
1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . 5
   1.1 Relationship with other specifications . . . . . . . . . 5
   1.2 Conventions. . . . . . . . . . . . . . . . . . . . . . . 5
   1.3 General Issues . . . . . . . . . . . . . . . . . . . . . 5

2. Attribute Types . . . . . . . . . . . . . . . . . . . . . . . 6
   2.1 'businessCategory' . . . . . . . . . . . . . . . . . . . 6
   2.2 'c'. . . . . . . . . . . . . . . . . . . . . . . . . . . 6
   2.3 'cn' . . . . . . . . . . . . . . . . . . . . . . . . . . 7
   2.4 'dc' . . . . . . . . . . . . . . . . . . . . . . . . . . 7
   2.5 'description'. . . . . . . . . . . . . . . . . . . . . . 8
   2.6 'destinationIndicator' . . . . . . . . . . . . . . . . . 8
   2.7 'distinguishedName'. . . . . . . . . . . . . . . . . . . 8
   2.8 'dnQualifier'. . . . . . . . . . . . . . . . . . . . . . 9
   2.9 'enhancedSearchGuide'. . . . . . . . . . . . . . . . . . 9
   2.10 'facsimileTelephoneNumber' . . . . . . . . . . . . . . . 10
   2.11 'generationQualifier'. . . . . . . . . . . . . . . . . . 10
   2.12 'givenName'. . . . . . . . . . . . . . . . . . . . . . . 10
   2.13 'houseIdentifier'. . . . . . . . . . . . . . . . . . . . 11
   2.14 'initials' . . . . . . . . . . . . . . . . . . . . . . . 11
   2.15 'internationalISDNNumber'. . . . . . . . . . . . . . . . 11
   2.16 'l'. . . . . . . . . . . . . . . . . . . . . . . . . . . 12
   2.17 'member' . . . . . . . . . . . . . . . . . . . . . . . . 12
   2.18 'name' . . . . . . . . . . . . . . . . . . . . . . . . . 12
   2.19 'o'. . . . . . . . . . . . . . . . . . . . . . . . . . . 13
   2.20 'ou' . . . . . . . . . . . . . . . . . . . . . . . . . . 13
   2.21 'owner'. . . . . . . . . . . . . . . . . . . . . . . . . 13
   2.22 'physicalDeliveryOfficeName' . . . . . . . . . . . . . . 13
   2.23 'postalAddress'. . . . . . . . . . . . . . . . . . . . . 14
   2.24 'postalCode' . . . . . . . . . . . . . . . . . . . . . . 14
   2.25 'postOfficeBox'. . . . . . . . . . . . . . . . . . . . . 14
   2.26 'preferredDeliveryMethod'. . . . . . . . . . . . . . . . 15
   2.27 'registeredAddress'. . . . . . . . . . . . . . . . . . . 15
   2.28 'roleOccupant' . . . . . . . . . . . . . . . . . . . . . 16
   2.29 'searchGuide'. . . . . . . . . . . . . . . . . . . . . . 16
   2.30 'seeAlso'. . . . . . . . . . . . . . . . . . . . . . . . 16
   2.31 'serialNumber' . . . . . . . . . . . . . . . . . . . . . 17
   2.32 'sn' . . . . . . . . . . . . . . . . . . . . . . . . . . 17
   2.33 'st' . . . . . . . . . . . . . . . . . . . . . . . . . . 17
   2.34 'street' . . . . . . . . . . . . . . . . . . . . . . . . 18
   2.35 'telephoneNumber'. . . . . . . . . . . . . . . . . . . . 18
   2.36 'teletexTerminalIdentifier'. . . . . . . . . . . . . . . 18
   2.37 'telexNumber'. . . . . . . . . . . . . . . . . . . . . . 19
   2.38 'title'. . . . . . . . . . . . . . . . . . . . . . . . . 19
   2.39 'uid'. . . . . . . . . . . . . . . . . . . . . . . . . . 19
   2.40 'uniqueMember' . . . . . . . . . . . . . . . . . . . . . 19
   2.41 'userPassword' . . . . . . . . . . . . . . . . . . . . . 20
   2.42 'x121Address'. . . . . . . . . . . . . . . . . . . . . . 21
   2.43 'x500UniqueIdentifier' . . . . . . . . . . . . . . . . . 21

3. Object Classes. . . . . . . . . . . . . . . . . . . . . . . . 22
   3.1 'applicationProcess' . . . . . . . . . . . . . . . . . . 22
   3.2 'country'. . . . . . . . . . . . . . . . . . . . . . . . 22
   3.3 'dcObject' . . . . . . . . . . . . . . . . . . . . . . . 22
   3.4 'device' . . . . . . . . . . . . . . . . . . . . . . . . 23
   3.5 'groupOfNames' . . . . . . . . . . . . . . . . . . . . . 23
   3.6 'groupOfUniqueNames' . . . . . . . . . . . . . . . . . . 23
   3.7 'locality' . . . . . . . . . . . . . . . . . . . . . . . 24
   3.8 'organization' . . . . . . . . . . . . . . . . . . . . . 24
   3.9 'organizationalPerson' . . . . . . . . . . . . . . . . . 24
   3.10 'organizationalRole' . . . . . . . . . . . . . . . . . . 25
   3.11 'organizationalUnit' . . . . . . . . . . . . . . . . . . 25
   3.12 'person' . . . . . . . . . . . . . . . . . . . . . . . . 26
   3.13 'residentialPerson'. . . . . . . . . . . . . . . . . . . 26
   3.14 'uidObject'. . . . . . . . . . . . . . . . . . . . . . . 26

4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27

5. Security Considerations . . . . . . . . . . . . . . . . . . . 28

6. Acknowledgements. . . . . . . . . . . . . . . . . . . . . . . 29

7. References. . . . . . . . . . . . . . . . . . . . . . . . . . 30
   7.1 Normative. . . . . . . . . . . . . . . . . . . . . . . . 30
   7.2 Informative. . . . . . . . . . . . . . . . . . . . . . . 31

8. Author's Address. . . . . . . . . . . . . . . . . . . . . . . 31

9. Intellectual Property Statement . . . . . . . . . . . . . . . 32

10. Full Copyright Statement. . . . . . . . . . . . . . . . . . . 32
1. Introduction

This document provides an overview of attribute types and object
classes intended for use by Lightweight Directory Access Protocol
(LDAP) directory clients for many directory services, such as White
Pages. Originally specified in the X.500 [X.500] documents, these
objects are widely used as a basis for the schema in many LDAP
directories. This document does not cover attributes used for the
administration of directory servers, nor does it include directory
objects defined for specific uses in other documents.
1.1 Relationship with other specifications

This document is an integral part of the LDAP technical specification
[Roadmap] which obsoletes the previously defined LDAP technical
specification, RFC 3377, in its entirety. In terms of RFC 2256,
Sections 6 and 8 of RFC 2256 are obsoleted by [Syntaxes]. Sections
5.1, 5.2, 7.1 and 7.2 of RFC 2256 are obsoleted by [Models]. The
remainder of RFC 2256 is obsoleted by this document. Section 2.4 of
this document supersedes the technical specification for the 'dc'
attribute type and 'dcObject' object class found in RFC 2247. The
remainder of RFC 2247 remains in force.

This document updates RFC 2798 by replacing the informative
description of the 'uid' attribute type, with the definitive
description provided in Section 2.39 of this document.

A number of schema elements which were included in the previous
revision of the LDAP Technical Specification are not included in this
revision of LDAP. PKI-related schema elements are now specified in
[LDAP-PKI]. Unless reintroduced in future technical specifications,
the remainder are to be considered Historic.

The descriptions in this document SHALL be considered definitive for
1.2 Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].

1.3 General Issues

This document references Syntaxes defined in Section 3 of [Syntaxes]
and Matching Rules defined in Section 4 of [Syntaxes].

The definitions of Attribute Types and Object Classes are written
using the Augmented Backus-Naur Form (ABNF) [RFC4234] of
AttributeTypeDescription and ObjectClassDescription given in
[Models]. Lines have been folded for readability. When such values
are transferred as attribute values in the LDAP Protocol the values
will not contain line breaks.
2. Attribute Types

The Attribute Types contained in this section hold user information.

There is no requirement that servers implement the 'searchGuide' and
'teletexTerminalIdentifier' attribute types. In fact, their use is

An LDAP server implementation SHOULD recognize the rest of the
attribute types described in this section.
2.1 'businessCategory'

The 'businessCategory' attribute type describes the kinds of business
performed by an organization. Each kind is one value of this
multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.15 NAME 'businessCategory'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax

Examples: "banking", "transportation" and "real estate".
2.2 'c'

The 'c' ('countryName' in X.500) attribute type contains a two-letter
ISO 3166 [ISO3166] country code.
(Source: X.520 [X.520])

  SYNTAX 1.3.6.1.4.1.1466.115.121.1.11

1.3.6.1.4.1.1466.115.121.1.11 refers to the Country String syntax

Examples: "DE", "AU" and "FR".
2.3 'cn'

The 'cn' ('commonName' in X.500) attribute type contains names of an
object. Each name is one value of this multi-valued attribute. If
the object corresponds to a person, it is typically the person's full
(Source: X.520 [X.520])

Examples: "Martin K Smith", "Marty Smith" and "printer12".
2.4 'dc'

The 'dc' ('domainComponent' in RFC 2247) attribute type is a string
holding one component, a label, of a DNS domain name [RFC1034]. The
encoding of IA5String for use in LDAP is simply the characters of the
ASCII label. The equality matching rule is case insensitive, as is
(Source: RFC 2247 [RFC2247])

( 0.9.2342.19200300.100.1.25 NAME 'dc'
  EQUALITY caseIgnoreIA5Match
  SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

1.3.6.1.4.1.1466.115.121.1.26 refers to the IA5 String syntax

Examples: Valid values include "example" and "com". The value
"example.com" is invalid, because it contains two label

Directory applications supporting International Domain Names SHALL
use the ToASCII method [RFC3490] to produce the domain name component
label. The special considerations discussed in section 4 of RFC 3490
[RFC3490] should be taken, depending on whether the domain component
is used for "stored" or "query" purposes.
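The single-label rule and the ToASCII step described above, worked as an added Python example that is not part of this draft: the standard 'idna' codec is used for ToASCII [RFC3490], the label shape check follows RFC 1034, and the domain-to-RDN helper at the end is this example's own reading of RFC 2247 usage.

```python
"""Validate values for the 'dc' attribute type (Section 2.4).

Added example; not from the draft. A 'dc' value is exactly one DNS label
in ASCII form. Internationalised labels are converted with ToASCII
[RFC3490]; Python's standard 'idna' codec implements that RFC 3490
algorithm (IDNA 2003), which is what the draft references.
"""
import re
from typing import List

# Preferred name syntax of RFC 1034: letters, digits and hyphens, no
# leading or trailing hyphen, at most 63 octets.
_LDH_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
# Dot separators recognised by ToASCII (RFC 3490 section 3.1). Any of them
# would split the value into two labels, which a 'dc' value must not hold.
_DOTS = ".\u3002\uff0e\uff61"


def to_dc_label(label: str) -> str:
    """Return the ASCII form of one label, or raise ValueError."""
    if not label:
        raise ValueError("empty label")
    if any(ch in _DOTS for ch in label):
        raise ValueError("a 'dc' value holds one label, not a dotted name")
    try:
        # ToASCII: nameprep + punycode for non-ASCII input; ASCII input is
        # passed through unchanged (case preserved).
        ascii_label = label.encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise ValueError("ToASCII failed: %s" % exc) from None
    if not _LDH_LABEL.fullmatch(ascii_label):
        raise ValueError("not a valid LDH label: %r" % ascii_label)
    return ascii_label


def is_valid_dc(label: str) -> bool:
    """True when `label` may be stored as a single 'dc' value."""
    try:
        to_dc_label(label)
        return True
    except ValueError:
        return False


def dc_equal(a: str, b: str) -> bool:
    """caseIgnoreIA5Match on two 'dc' values: ASCII case is insignificant."""
    return to_dc_label(a).lower() == to_dc_label(b).lower()


def domain_to_dc_rdns(domain: str) -> List[str]:
    """Map a domain name to the 'dc' RDN sequence of its directory entry,
    one label per RDN (RFC 2247 style): "example.com" -> ["dc=example",
    "dc=com"]. Every label goes through to_dc_label, so a dotted or
    malformed label is rejected rather than silently stored."""
    return ["dc=" + to_dc_label(part)
            for part in domain.rstrip(".").split(".")]
```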
2.5 'description'

The 'description' attribute type contains human-readable descriptive
phrases about the object. Each description is one value of this
multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.13 NAME 'description'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax

Examples: "a color printer", "Maintenance is done every Monday, at
1pm." and "distribution list for all technical staff".
2.6 'destinationIndicator'

The 'destinationIndicator' attribute type contains country and city
strings, associated with the object (the addressee), needed to
provide the Public Telegram Service. The strings are composed in
accordance with CCITT Recommendations F.1 [F.1] and F.31 [F.31].
Each string is one value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.27 NAME 'destinationIndicator'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )

1.3.6.1.4.1.1466.115.121.1.44 refers to the Printable String syntax

Examples: "AASD" as a destination indicator for Sydney, Australia.
"GBLD" as a destination indicator for London, United

It is noted that the directory will not ensure that values of this
attribute conform to the F.1 and F.31 CCITT Recommendations. It is
the application's responsibility to ensure destination indicators
that it stores in this attribute are appropriately constructed.
2.7 'distinguishedName'

The 'distinguishedName' attribute type is not used as the name of the
object itself, but it is instead a base type from which some user
attribute types with a DN syntax can inherit.

It is unlikely that values of this type itself will occur in an
entry. LDAP server implementations which do not support attribute
subtyping need not recognize this attribute in requests. Client
implementations MUST NOT assume that LDAP servers are capable of
performing attribute subtyping.
(Source: X.520 [X.520])

( 2.5.4.49 NAME 'distinguishedName'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

1.3.6.1.4.1.1466.115.121.1.12 refers to the DN syntax [Syntaxes].
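The AttributeTypeDescription form from Section 1.3 and the attribute subtyping described above, worked as an added Python example that is not part of this draft or of any LDAP implementation: a parser for the subset of the [Models] ABNF that this document's definitions use, plus SUP resolution, run over the 'businessCategory', 'distinguishedName' and 'member' definitions copied from Sections 2.1, 2.7 and 2.17.

```python
"""Parse the AttributeTypeDescription values printed in this document.

Added example; not part of the draft. It covers the subset of the [Models]
ABNF that the definitions in Section 2 use: numericoid, NAME, SUP,
EQUALITY, ORDERING, SUBSTR, SYNTAX and SINGLE-VALUE.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AttributeType:
    oid: str
    names: List[str] = field(default_factory=list)
    sup: Optional[str] = None
    equality: Optional[str] = None
    ordering: Optional[str] = None
    substr: Optional[str] = None
    syntax: Optional[str] = None
    single_value: bool = False


# Tokens: a parenthesis, a quoted descriptor, or a bare word (OID/keyword).
_TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()']+")
_NUMERICOID = re.compile(r"\d+(?:\.\d+)+")


def parse_attribute_type(text: str) -> AttributeType:
    """Parse one AttributeTypeDescription, folded or not."""
    # Section 1.3: folded lines carry no line breaks on the wire, so all
    # whitespace is collapsed before tokenising.
    toks = _TOKEN.findall(" ".join(text.split()))
    if len(toks) < 3 or toks[0] != "(" or toks[-1] != ")":
        raise ValueError("description must be enclosed in parentheses")
    body = toks[1:-1]
    if not _NUMERICOID.fullmatch(body[0]):
        raise ValueError("expected a numericoid, got %r" % body[0])
    at = AttributeType(oid=body[0])
    i = 1
    try:
        while i < len(body):
            kw = body[i]
            i += 1
            if kw == "NAME":
                # qdescrs: either 'one' or ( 'one' 'two' ... )
                if body[i] == "(":
                    i += 1
                    while body[i] != ")":
                        at.names.append(body[i].strip("'"))
                        i += 1
                    i += 1
                else:
                    at.names.append(body[i].strip("'"))
                    i += 1
            elif kw in ("SUP", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX"):
                setattr(at, kw.lower(), body[i])
                i += 1
            elif kw == "SINGLE-VALUE":
                at.single_value = True
            else:
                raise ValueError("unsupported keyword %r" % kw)
    except IndexError:
        raise ValueError("truncated description") from None
    return at


def resolve(at: AttributeType, schema: Dict[str, AttributeType]) -> AttributeType:
    """Attribute subtyping: fill missing matching rules and syntax from the
    SUP chain, as a server that supports subtyping does for 'member'
    (SUP distinguishedName). Clients MUST NOT assume servers do this."""
    seen = set()
    cur = at
    while cur.sup is not None:
        key = cur.sup.lower()
        if key in seen:
            raise ValueError("SUP cycle at %r" % cur.sup)
        seen.add(key)
        parent = schema.get(key)
        if parent is None:
            raise ValueError("unknown supertype %r" % cur.sup)
        for fld in ("equality", "ordering", "substr", "syntax"):
            if getattr(at, fld) is None:
                setattr(at, fld, getattr(parent, fld))
        cur = parent
    return at


# Sample definitions copied from Sections 2.1, 2.7 and 2.17 of this document.
DEFINITIONS = [
    """( 2.5.4.15 NAME 'businessCategory'
         EQUALITY caseIgnoreMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )""",
    """( 2.5.4.49 NAME 'distinguishedName'
         EQUALITY distinguishedNameMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )""",
    """( 2.5.4.31 NAME 'member'
         SUP distinguishedName )""",
]


def load_schema(definitions: List[str]) -> Dict[str, AttributeType]:
    """Parse definitions, index them by NAME (case-insensitive), resolve SUP."""
    parsed = [parse_attribute_type(t) for t in definitions]
    schema = {n.lower(): at for at in parsed for n in at.names}
    for at in parsed:
        resolve(at, schema)
    return schema
```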
2.8 'dnQualifier'

The 'dnQualifier' attribute type contains disambiguating information
strings to add to the relative distinguished name of an entry. The
information is intended for use when merging data from multiple
sources in order to prevent conflicts between entries which would
otherwise have the same name. Each string is one value of this
multi-valued attribute. It is recommended that a value of the
'dnQualifier' attribute be the same for all entries from a particular
(Source: X.520 [X.520])

( 2.5.4.46 NAME 'dnQualifier'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )

1.3.6.1.4.1.1466.115.121.1.44 refers to the Printable String syntax

Examples: "20050322123345Z" - timestamps can be used to disambiguate
          "123456A" - serial numbers can be used to disambiguate
2.9 'enhancedSearchGuide'

The 'enhancedSearchGuide' attribute type contains sets of information
for use by directory clients in constructing search filters. Each
set is one value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.47 NAME 'enhancedSearchGuide'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )

1.3.6.1.4.1.1466.115.121.1.21 refers to the Enhanced Guide syntax

Examples: "person#(sn$APPROX)#wholeSubtree" and
"organizationalUnit#(ou$SUBSTR)#oneLevel".
2.10 'facsimileTelephoneNumber'

The 'facsimileTelephoneNumber' attribute type contains telephone
numbers (and, optionally, the parameters) for facsimile terminals.
Each telephone number is one value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.23 NAME 'facsimileTelephoneNumber'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )

1.3.6.1.4.1.1466.115.121.1.22 refers to the Facsimile Telephone
Number syntax [Syntaxes].

Examples: "+61 3 9896 7801" and "+81 3 347 7418$fineResolution".
2.11 'generationQualifier'

The 'generationQualifier' attribute type contains name strings that
are the part of a person's name which typically is the suffix. Each
string is one value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.44 NAME 'generationQualifier'

Examples: "III", "3rd" and "Jr.".
2.12 'givenName'

The 'givenName' attribute type contains name strings that are the
part of a person's name which is not their surname. Each string is
one value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.42 NAME 'givenName'

Examples: "Andrew", "Charles" and "Joanne".
2.13 'houseIdentifier'

The 'houseIdentifier' attribute type contains identifiers for a
building within a location. Each identifier is one value of this
multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.51 NAME 'houseIdentifier'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax

Examples: "20" to represent the house number 20.
2.14 'initials'

The 'initials' attribute type contains strings of initials of some or
all of an individual's names, except the surname(s). Each string is
one value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.43 NAME 'initials'

Examples: "K. A." and "K".
2.15 'internationalISDNNumber'

The 'internationalISDNNumber' attribute type contains Integrated
Services Digital Network (ISDN) addresses, as defined in the
International Telecommunication Union (ITU) Recommendation E.164
[E.164]. Each address is one value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.25 NAME 'internationalISDNNumber'
  EQUALITY numericStringMatch
  SUBSTR numericStringSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )

1.3.6.1.4.1.1466.115.121.1.36 refers to the Numeric String syntax

Example: "0198 333 333".
2.16 'l'

The 'l' ('localityName' in X.500) attribute type contains names of a
locality or place, such as a city, county or other geographic region.
Each name is one value of this multi-valued attribute.
(Source: X.520 [X.520])

Examples: "Geneva", "Paris" and "Edinburgh".
2.17 'member'

The 'member' attribute type contains the Distinguished Names of
objects that are on a list or in a group. Each name is one value of
this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.31 NAME 'member'
  SUP distinguishedName )

Examples: "cn=James Clarke,ou=Finance,o=Widget\, Inc." and
          "cn=John Xerri,ou=Finance,o=Widget\, Inc." may
          be two members of the financial team (group) at Widget,
          Inc., in which case both of these distinguished names would
          be present as individual values of the member attribute.
2.18 'name'

The 'name' attribute type is the attribute supertype from which user
attribute types with the name syntax inherit. Such attribute types
are typically used for naming. The attribute type is multi-valued.

It is unlikely that values of this type itself will occur in an
entry. LDAP server implementations which do not support attribute
subtyping need not recognize this attribute in requests. Client
implementations MUST NOT assume that LDAP servers are capable of
performing attribute subtyping.
(Source: X.520 [X.520])

( 2.5.4.41 NAME 'name'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
2.19 'o'

The 'o' ('organizationName' in X.500) attribute type contains the
names of an organization. Each name is one value of this
multi-valued attribute.
(Source: X.520 [X.520])

Examples: "Widget", "Widget, Inc." and "Widget, Incorporated.".
2.20 'ou'

The 'ou' ('organizationalUnitName' in X.500) attribute type contains
the names of an organizational unit. Each name is one value of this
multi-valued attribute.
(Source: X.520 [X.520])

Examples: "Finance", "Human Resources" and "Research and
2.21 'owner'

The 'owner' attribute type contains the Distinguished Names of
objects that have an ownership responsibility for the object that is
owned. Each owner's name is one value of this multi-valued
(Source: X.520 [X.520])

( 2.5.4.32 NAME 'owner'
  SUP distinguishedName )

Example: The mailing list object, whose DN is "cn=All Employees,
         ou=Mailing List,o=Widget\, Inc.", is owned by the Human
         Therefore, the value of the 'owner' attribute within the
         mailing list object, would be the DN of the director (role):
         "cn=Human Resources Director,ou=employee,o=Widget\, Inc.".
2.22 'physicalDeliveryOfficeName'

The 'physicalDeliveryOfficeName' attribute type contains names that a
Postal Service uses to identify a post office.
(Source: X.520 [X.520])

( 2.5.4.19 NAME 'physicalDeliveryOfficeName'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax

Examples: "Bremerhaven, Main" and "Bremerhaven, Bonnstrasse".
2.23 'postalAddress'

The 'postalAddress' attribute type contains addresses used by a
Postal Service to perform services for the object. Each address is
one value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.16 NAME 'postalAddress'
  EQUALITY caseIgnoreListMatch
  SUBSTR caseIgnoreListSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

1.3.6.1.4.1.1466.115.121.1.41 refers to the Postal Address syntax

Example: "15 Main St.$Ottawa$Canada".
2.24 'postalCode'

The 'postalCode' attribute type contains codes used by a Postal
Service to identify postal service zones. Each code is one value of
this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.17 NAME 'postalCode'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax

Example: "22180", to identify Vienna, VA in the USA.
2.25 'postOfficeBox'

The 'postOfficeBox' attribute type contains postal box identifiers
that a Postal Service uses when a customer arranges to receive mail
at a box on premises of the Postal Service. Each postal box
identifier is a single value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.18 NAME 'postOfficeBox'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
2.26 'preferredDeliveryMethod'

The 'preferredDeliveryMethod' attribute type contains an indication
of the preferred method of getting a message to the object.
(Source: X.520 [X.520])

( 2.5.4.28 NAME 'preferredDeliveryMethod'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.14

1.3.6.1.4.1.1466.115.121.1.14 refers to the Delivery Method syntax

Example: If the mhs-delivery Delivery Method is preferred over
         telephone-delivery, which is preferred over all other
         methods, the value would be: "mhs $ telephone".
2.27 'registeredAddress'

The 'registeredAddress' attribute type contains postal addresses
suitable for reception of telegrams or expedited documents, where it
is necessary to have the recipient accept delivery. Each address is
one value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.26 NAME 'registeredAddress'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

1.3.6.1.4.1.1466.115.121.1.41 refers to the Postal Address syntax

Example: "Receptionist$Widget, Inc.$15 Main St.$Ottawa$Canada".
2.28 'roleOccupant'

The 'roleOccupant' attribute type contains the Distinguished Names of
objects (normally people) that fulfill the responsibilities of a role
object. Each distinguished name is one value of this multi-valued
(Source: X.520 [X.520])

( 2.5.4.33 NAME 'roleOccupant'
  SUP distinguishedName )

Example: The role object, "cn=Human Resources
         Director,ou=Position,o=Widget\, Inc.", is fulfilled by two
         people whose object names are "cn=Mary
         Smith,ou=employee,o=Widget\, Inc." and "cn=James
         Brown,ou=employee,o=Widget\, Inc.". The 'roleOccupant'
         attribute will contain both of these distinguished names,
         since they are the occupants of this role.
2.29 'searchGuide'

The 'searchGuide' attribute type contains sets of information for use
by clients in constructing search filters. It is superseded by
'enhancedSearchGuide', described above in section 2.9. Each set is
one value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.14 NAME 'searchGuide'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )

1.3.6.1.4.1.1466.115.121.1.25 refers to the Guide syntax [Syntaxes].

Example: "person#sn$EQ".
2.30 'seeAlso'

The 'seeAlso' attribute type contains Distinguished Names of objects
that are related to the subject object. Each related object name is
one value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.34 NAME 'seeAlso'
  SUP distinguishedName )

Example: The person object, "cn=James Brown,ou=employee,o=Widget\,
         Inc." is related to the role objects, "cn=Football Team
         Captain,ou=sponsored activities,o=Widget\, Inc." and
         "cn=Chess Team,ou=sponsored activities,o=Widget\, Inc.".
         Since the role objects are related to the person object, the
         'seeAlso' attribute will contain the distinguished name of
         each role object as separate values.
2.31 'serialNumber'

The 'serialNumber' attribute type contains the serial numbers of
devices. Each serial number is one value of this multi-valued
(Source: X.520 [X.520])

( 2.5.4.5 NAME 'serialNumber'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )

1.3.6.1.4.1.1466.115.121.1.44 refers to the Printable String syntax

Examples: "WI-3005" and "XF551426".
2.32 'sn'

The 'sn' ('surname' in X.500) attribute type contains name strings
for the family names of a person. Each string is one value of this
multi-valued attribute.
(Source: X.520 [X.520])
2.33 'st'

The 'st' ('stateOrProvinceName' in X.500) attribute type contains the
full names of states or provinces. Each name is one value of this
multi-valued attribute.
(Source: X.520 [X.520])

Example: "California".
2.34 'street'

The 'street' ('streetAddress' in X.500) attribute type contains site
information from a postal address (i.e., the street name, place,
avenue, and the house number). Each street is one value of this
multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.9 NAME 'street'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax

Example: "15 Main St.".
2.35 'telephoneNumber'

The 'telephoneNumber' attribute type contains telephone numbers that
comply with the ITU Recommendation E.123 [E.123]. Each number is one
value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.20 NAME 'telephoneNumber'
  EQUALITY telephoneNumberMatch
  SUBSTR telephoneNumberSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )

1.3.6.1.4.1.1466.115.121.1.50 refers to the Telephone Number syntax

Example: "+1 234 567 8901".
2.36 'teletexTerminalIdentifier'

The withdrawal of Rec. F.200 has resulted in the withdrawal of this
(Source: X.520 [X.520])

( 2.5.4.22 NAME 'teletexTerminalIdentifier'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )

1.3.6.1.4.1.1466.115.121.1.51 refers to the Teletex Terminal
Identifier syntax [Syntaxes].
2.37 'telexNumber'

The 'telexNumber' attribute type contains sets of strings which are a
telex number, country code, and answerback code of a telex terminal.
Each set is one value of this multi-valued attribute.
(Source: X.520 [X.520])

( 2.5.4.21 NAME 'telexNumber'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )

1.3.6.1.4.1.1466.115.121.1.52 refers to the Telex Number syntax

Example: "12345$023$ABCDE".
2.38 'title'

The 'title' attribute type contains the title of a person in their
organizational context. Each title is one value of this multi-valued
(Source: X.520 [X.520])

( 2.5.4.12 NAME 'title'

Examples: "Vice President", "Software Engineer" and "CEO".
2.39 'uid'

The 'uid' ('userid' in RFC 1274) attribute type contains computer
system login names associated with the object. Each name is one
value of this multi-valued attribute.
(Source: RFC 2798 [RFC2798] and RFC 1274 [RFC1274])

( 0.9.2342.19200300.100.1.1 NAME 'uid'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax

Examples: "s9709015", "admin" and "Administrator".
2.40 'uniqueMember'

The 'uniqueMember' attribute type contains the Distinguished Names of
an object that is on a list or in a group, where the Relative
Distinguished Names of the object include a value that distinguishes
between objects when a distinguished name has been reused. Each
distinguished name is one value of this multi-valued attribute.
1073 (Source: X.520 [X.520])
1075 ( 2.5.4.50 NAME 'uniqueMember'
1076 EQUALITY uniqueMemberMatch
1077 SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )
1079 1.3.6.1.4.1.1466.115.121.1.34 refers to the Name and Optional UID
1082 Example: If "ou=1st Battalion,o=Defense,c=US" is a battalion that was
1083 disbanded, establishing a new battalion with the "same" name
1084 would have a unique identifier value added, resulting in
1085 "ou=1st Battalion, o=Defense,c=US#'010101'B".
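The Name and Optional UID form is what lets a group tell the current
holder of a distinguished name apart from a previous one: a plain DN
in a group silently carries its membership over to whatever object
later reuses that name, whereas a 'uniqueMember' value that carries a
bit string does not match the newcomer. The following Python is an
added worked example, not text or code from this specification. It
splits a value into its DN and bit-string parts and evaluates
uniqueMemberMatch as RFC 4517 defines it; the DN comparison is a
deliberately simplified distinguishedNameMatch, and the battalion
values are the draft's own example plus constructed variants.

```python
"""Name and Optional UID values and uniqueMemberMatch (RFC 4517).

Added worked example; not part of the draft.  The DN comparison is a
deliberate simplification of distinguishedNameMatch (attribute types and
values compared case-insensitively, whitespace around separators ignored);
a real server applies the equality rule of each attribute type in the RDN.
"""
import re
from typing import List, Optional, Tuple

# Trailing "#'<bits>'B" as the Name and Optional UID grammar spells it.
BIT_STRING_SUFFIX = re.compile(r"#'([01]*)'B$")


def split_name_and_uid(value: str) -> Tuple[str, Optional[str]]:
    """Split "<dn>#'<bits>'B" into (dn, bits); bits is None when no UID."""
    m = BIT_STRING_SUFFIX.search(value)
    if m is None:
        return value, None
    dn = value[: m.start()]
    # A '#' preceded by an odd run of backslashes is an escaped character
    # inside the last RDN value, not the UID separator.
    if (len(dn) - len(dn.rstrip("\\"))) % 2 == 1:
        return value, None
    return dn, m.group(1)


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on sep, ignoring occurrences escaped with a backslash."""
    parts: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in text:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def normalize_dn(dn: str) -> Tuple[Tuple[Tuple[str, str], ...], ...]:
    """Canonical form for the simplified DN comparison: a tuple of RDNs,
    each a sorted tuple of (type, value) pairs."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr_type, _, attr_value = ava.partition("=")
            avas.append((attr_type.strip().lower(),
                         " ".join(attr_value.split()).lower()))
        rdns.append(tuple(sorted(avas)))
    return tuple(rdns)


def unique_member_match(attribute_value: str, assertion_value: str) -> bool:
    """uniqueMemberMatch: the DN components must match, and the bit string
    must be absent from both values or present in both and identical
    (bitStringMatch compares the length and every bit)."""
    dn_a, uid_a = split_name_and_uid(attribute_value)
    dn_b, uid_b = split_name_and_uid(assertion_value)
    if normalize_dn(dn_a) != normalize_dn(dn_b):
        return False
    return uid_a == uid_b


if __name__ == "__main__":
    # The draft's example value, plus a constructed value for a newly
    # raised battalion that reuses the same DN with a different UID.
    old = "ou=1st Battalion,o=Defense,c=US#'010101'B"
    new = "ou=1st Battalion,o=Defense,c=US#'010110'B"
    print(split_name_and_uid(old))
    print(unique_member_match(old, new))  # False: UIDs differ
    print(unique_member_match(old, "ou=1st Battalion,o=Defense,c=US"))  # False
```

The same bit string is what 'x500UniqueIdentifier' stores on the
entry itself, so a group value can be checked against the entry's
current identifier before membership is honoured.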
2.41 'userPassword'

The 'userPassword' attribute contains octet strings that are known
only to the user and the system to which the user has access. Each
string is one value of this multi-valued attribute.
1093 The application SHOULD prepare textual strings used as passwords by
1094 transcoding them to Unicode, applying SASLprep [RFC4013], and
1095 encoding as UTF-8. The determination of whether a password is
1096 textual is a local client matter.
1097 (Source: X.509 [X.509])
1099 ( 2.5.4.35 NAME 'userPassword'
1100 EQUALITY octetStringMatch
1101 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
1103 1.3.6.1.4.1.1466.115.121.1.40 refers to the Octet String syntax
1106 Passwords are stored using an Octet String syntax and are not
1107 encrypted. Transfer of cleartext passwords is strongly discouraged
1108 where the underlying transport service cannot guarantee
1109 confidentiality and may result in disclosure of the password to
1110 unauthorized parties.
1112 An example of a need for multiple values in the 'userPassword'
1113 attribute is an environment where every month the user was expected
1114 to use a different password generated by some automated system.
1115 During transitional periods, like the last and first day of the
1116 periods, it may be necessary to allow two passwords for the two
1117 consecutive periods to be valid in the system.
2.42 'x121Address'
1129 The 'x121Address' attribute type contains data network addresses as
1130 defined by ITU Recommendation X.121 [X.121]. Each address is one
1131 value of this multi-valued attribute.
1132 (Source: X.520 [X.520])
1134 ( 2.5.4.24 NAME 'x121Address'
1135 EQUALITY numericStringMatch
1136 SUBSTR numericStringSubstringsMatch
1137 SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )
1139 1.3.6.1.4.1.1466.115.121.1.36 refers to the Numeric String syntax
1142 Example: "36111222333444555".
1144 2.43 'x500UniqueIdentifier'
1146 The 'x500UniqueIdentifier' attribute type contains binary strings
1147 that are used to distinguish between objects when a distinguished
1148 name has been reused. Each string is one value of this multi-valued
1150 In X.520 [X.520], this attribute type is called 'uniqueIdentifier'.
1151 This is a different attribute type from both the 'uid' and
1152 'uniqueIdentifier' LDAP attribute types. The 'uniqueIdentifier'
1153 attribute type is defined in [RFC1274].
1154 (Source: X.520 [X.520])
1156 ( 2.5.4.45 NAME 'x500UniqueIdentifier'
1157 EQUALITY bitStringMatch
1158 SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )
1160 1.3.6.1.4.1.1466.115.121.1.6 refers to the Bit String syntax
3. Object Classes
1185 LDAP servers SHOULD recognize all the Object Classes listed here as
1186 values of the 'objectClass' attribute (see [Models]).
1188 3.1 'applicationProcess'
1190 The 'applicationProcess' object class definition is the basis of an
1191 entry which represents an application executing in a computer system.
1192 (Source: X.521 [X.521])
1194 ( 2.5.6.11 NAME 'applicationProcess'
3.2 'country'

The 'country' object class definition is the basis of an entry which
represents a country.
1207 (Source: X.521 [X.521])
1209 ( 2.5.6.2 NAME 'country'
3.3 'dcObject'

The 'dcObject' object class permits an entry to contain domain
component information. This object class is defined as auxiliary,
because it will be used in conjunction with an existing structural
1222 (Source: RFC 2247 [RFC2247])
1224 ( 1.3.6.1.4.1.1466.344 NAME 'dcObject'
3.4 'device'
1241 The 'device' object class is the basis of an entry which represents
1242 an appliance, computer or network element.
1243 (Source: X.521 [X.521])
1245 ( 2.5.6.14 NAME 'device'
1249 MAY ( serialNumber $
3.5 'groupOfNames'

The 'groupOfNames' object class is the basis of an entry which
represents a set of named objects including information related to
the purpose or maintenance of the set.
1262 (Source: X.521 [X.521])
1264 ( 2.5.6.9 NAME 'groupOfNames'
1269 MAY ( businessCategory $
1276 3.6 'groupOfUniqueNames'
1278 The 'groupOfUniqueNames' object class is the same as the
1279 'groupOfNames' object class except that the object names are not
1280 repeated or reassigned within a set scope.
1281 (Source: X.521 [X.521])
1283 ( 2.5.6.17 NAME 'groupOfUniqueNames'
1286 MUST ( uniqueMember $
1296 MAY ( businessCategory $
3.7 'locality'

The 'locality' object class is the basis of an entry which represents
a place in the physical world.
1307 (Source: X.521 [X.521])
1309 ( 2.5.6.3 NAME 'locality'
3.8 'organization'

The 'organization' object class is the basis of an entry which
represents a structured group of people.
1323 (Source: X.521 [X.521])
1325 ( 2.5.6.4 NAME 'organization'
1329 MAY ( userPassword $ searchGuide $ seeAlso $
1330 businessCategory $ x121Address $ registeredAddress $
1331 destinationIndicator $ preferredDeliveryMethod $
1332 telexNumber $ teletexTerminalIdentifier $
      telephoneNumber $ internationalISDNNumber $
1334 facsimileTelephoneNumber $ street $ postOfficeBox $
1335 postalCode $ postalAddress $ physicalDeliveryOfficeName $
1336 st $ l $ description ) )
1338 3.9 'organizationalPerson'
1340 The 'organizationalPerson' object class is the basis of an entry
1341 which represents a person in relation to an organization.
1342 (Source: X.521 [X.521])
1351 ( 2.5.6.7 NAME 'organizationalPerson'
1354 MAY ( title $ x121Address $ registeredAddress $
1355 destinationIndicator $ preferredDeliveryMethod $
1356 telexNumber $ teletexTerminalIdentifier $
      telephoneNumber $ internationalISDNNumber $
1358 facsimileTelephoneNumber $ street $ postOfficeBox $
1359 postalCode $ postalAddress $ physicalDeliveryOfficeName $
1362 3.10 'organizationalRole'
1364 The 'organizationalRole' object class is the basis of an entry which
1365 represents a job, function or position in an organization.
1366 (Source: X.521 [X.521])
1368 ( 2.5.6.8 NAME 'organizationalRole'
MAY ( x121Address $ registeredAddress $ destinationIndicator $
      preferredDeliveryMethod $ telexNumber $
      teletexTerminalIdentifier $ telephoneNumber $
      internationalISDNNumber $ facsimileTelephoneNumber $
      seeAlso $ roleOccupant $
      street $ postOfficeBox $ postalCode $ postalAddress $
      physicalDeliveryOfficeName $ ou $ st $ l $
1381 3.11 'organizationalUnit'
1383 The 'organizationalUnit' object class is the basis of an entry which
1384 represents a piece of an organization.
1385 (Source: X.521 [X.521])
1387 ( 2.5.6.5 NAME 'organizationalUnit'
1391 MAY ( businessCategory $ description $ destinationIndicator $
1392 facsimileTelephoneNumber $ internationaliSDNNumber $ l $
1393 physicalDeliveryOfficeName $ postalAddress $ postalCode $
1394 postOfficeBox $ preferredDeliveryMethod $
1395 registeredAddress $ searchGuide $ seeAlso $ st $ street $
1396 telephoneNumber $ teletexTerminalIdentifier $
1397 telexNumber $ userPassword $ x121Address ) )
3.12 'person'

The 'person' object class is the basis of an entry which represents a
1411 (Source: X.521 [X.521])
1413 ( 2.5.6.6 NAME 'person'
1418 MAY ( userPassword $
1420 seeAlso $ description ) )
1422 3.13 'residentialPerson'
1424 The 'residentialPerson' object class is the basis of an entry which
1425 includes a person's residence in the representation of the person.
1426 (Source: X.521 [X.521])
1428 ( 2.5.6.10 NAME 'residentialPerson'
MAY ( businessCategory $ x121Address $ registeredAddress $
      destinationIndicator $ preferredDeliveryMethod $
      telexNumber $ teletexTerminalIdentifier $
      telephoneNumber $ internationalISDNNumber $
      facsimileTelephoneNumber $
      street $ postOfficeBox $ postalCode $ postalAddress $
      physicalDeliveryOfficeName $ st $ l ) )
3.14 'uidObject'

The 'uidObject' object class permits an entry to contain user
identification information. This object class is defined as
1444 auxiliary, because it will be used in conjunction with an existing
1445 structural object class.
1446 (Source: RFC 2377 [RFC2377])
1448 ( 1.3.6.1.1.3.1 NAME 'uidObject'
1463 4. IANA Considerations
1465 It is requested that the Internet Assigned Numbers Authority (IANA)
1466 update the LDAP descriptors registry as indicated in the following
1469 Subject: Request for LDAP Descriptor Registration Update
1470 Descriptor (short name): see comment
1471 Object Identifier: see comment
1472 Person & email address to contact for further information:
1473 Andrew Sciberras <andrew.sciberras@eb2bcom.com>
1474 Usage: (A = attribute type, O = Object Class) see comment
1475 Specification: RFC XXXX [editor's note: The RFC number will be
1476 the one assigned to this document.]
1477 Author/Change Controller: IESG
1479 In the LDAP descriptors registry, the following descriptors (short
1480 names) should be updated to refer to RFC XXXX [editor's note: This
1481 document]. Names that need to be reserved, rather than assigned to
1482 an Object Identifier, will contain an Object Identifier value of
1486 ------------------------ ---- ----------------------------
1487 applicationProcess O 2.5.6.11
1488 businessCategory A 2.5.4.15
1491 commonName A 2.5.4.3
1493 countryName A 2.5.4.6
1494 DC A 0.9.2342.19200300.100.1.25
1495 dcObject O 1.3.6.1.4.1.1466.344
1496 description A 2.5.4.13
1497 destinationIndicator A 2.5.4.27
1499 distinguishedName A 2.5.4.49
1500 dnQualifier A 2.5.4.46
1501 domainComponent A 0.9.2342.19200300.100.1.25
1502 enhancedSearchGuide A 2.5.4.47
1503 facsimileTelephoneNumber A 2.5.4.23
1504 generationQualifier A 2.5.4.44
1505 givenName A 2.5.4.42
1507 groupOfNames O 2.5.6.9
1508 groupOfUniqueNames O 2.5.6.17
1509 houseIdentifier A 2.5.4.51
1519 internationalISDNNumber A 2.5.4.25
1522 localityName A 2.5.4.7
1526 organization O 2.5.6.4
1527 organizationName A 2.5.4.10
1528 organizationalPerson O 2.5.6.7
1529 organizationalRole O 2.5.6.8
1530 organizationalUnit O 2.5.6.5
1531 organizationalUnitName A 2.5.4.11
1535 physicalDeliveryOfficeName A 2.5.4.19
1536 postalAddress A 2.5.4.16
1537 postalCode A 2.5.4.17
1538 postOfficeBox A 2.5.4.18
1539 preferredDeliveryMethod A 2.5.4.28
1540 registeredAddress A 2.5.4.26
1541 residentialPerson O 2.5.6.10
1542 roleOccupant A 2.5.4.33
1543 searchGuide A 2.5.4.14
1545 serialNumber A 2.5.4.5
1550 telephoneNumber A 2.5.4.20
1551 teletexTerminalIdentifier A 2.5.4.22
1552 telexNumber A 2.5.4.21
1554 uid A 0.9.2342.19200300.100.1.1
1555 uidObject O 1.3.6.1.1.3.1
1556 uniqueMember A 2.5.4.50
1557 userId A 0.9.2342.19200300.100.1.1
1558 userPassword A 2.5.4.35
1559 x121Address A 2.5.4.24
1560 x500UniqueIdentifier A 2.5.4.45
1562 5. Security Considerations
1564 Attributes of directory entries are used to provide descriptive
1565 information about the real-world objects they represent, which can be
people, organizations or devices. Most countries have privacy laws
regarding the publication of information about people.
1577 Transfer of cleartext passwords is strongly discouraged where the
1578 underlying transport service cannot guarantee confidentiality and
1579 integrity, since this may result in disclosure of the password to
1580 unauthorized parties.
Multiple attribute values for the 'userPassword' attribute need to be
used with care. In particular, reset or deletion of a password by an
administrator who does not know the old user password becomes awkward
or impossible when multiple values for different applications are
present.
1587 Certainly, applications which intend to replace the 'userPassword'
1588 value(s) with new value(s) should use modify/replaceValues (or
1589 modify/deleteAttribute+addAttribute). Additionally, server
1590 implementations are encouraged to provide administrative controls
1591 which, if enabled, restrict the 'userPassword' attribute to one
1594 Note that when used for authentication purposes [AuthMeth], the user
1595 need only prove knowledge of one of the values, not all of the
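The client-side preparation that Section 2.41 asks for (transcode to
Unicode, apply SASLprep, encode as UTF-8) and the preference stated
above for modify/replace over adding a further value are shown
together in the following worked example. It is added here and is not
text or code from this specification. It relies only on the Python
standard library, whose stringprep module carries the RFC 3454 tables
that SASLprep selects; the DN and the sample passwords are constructed.

```python
"""Prepare a textual userPassword value per SASLprep (RFC 4013) and emit
the modify/replace LDIF that swaps the stored value(s) for it.

Added worked example; not part of the draft.  Standard library only.
"""
import base64
import stringprep
import unicodedata


def saslprep(text: str, stored: bool = True) -> str:
    """Apply the SASLprep profile (RFC 4013) to a Unicode string.

    stored=True applies the stricter rule for values that will be kept in
    the directory: unassigned code points (table A.1) are rejected.  A
    query string, such as a password typed at a bind prompt, may pass
    stored=False.
    """
    # Step 1, mapping: non-ASCII spaces (C.1.2) become U+0020; characters
    # "commonly mapped to nothing" (B.1, e.g. SOFT HYPHEN) are dropped.
    mapped = []
    for ch in text:
        if stringprep.in_table_c12(ch):
            mapped.append(" ")
        elif stringprep.in_table_b1(ch):
            continue
        else:
            mapped.append(ch)

    # Step 2, normalization: NFKC, so FULLWIDTH LATIN CAPITAL LETTER A
    # (U+FF21) and "A" yield the same prepared string.
    out = unicodedata.normalize("NFKC", "".join(mapped))

    # Step 3, prohibited output: non-ASCII spaces, control characters,
    # private use, non-characters, surrogates, inappropriate and tagging
    # characters (tables C.1.2 and C.2.1 through C.9).
    prohibited = (
        stringprep.in_table_c12, stringprep.in_table_c21_c22,
        stringprep.in_table_c3, stringprep.in_table_c4,
        stringprep.in_table_c5, stringprep.in_table_c6,
        stringprep.in_table_c7, stringprep.in_table_c8,
        stringprep.in_table_c9,
    )
    for ch in out:
        if any(check(ch) for check in prohibited):
            raise ValueError(f"prohibited code point U+{ord(ch):04X}")
        if stored and stringprep.in_table_a1(ch):
            raise ValueError(f"unassigned code point U+{ord(ch):04X}")

    # Step 4, bidirectional check (RFC 3454 section 6): text containing a
    # right-to-left character (D.1) must contain no left-to-right character
    # (D.2) and must both start and end with a right-to-left character.
    if any(stringprep.in_table_d1(ch) for ch in out):
        if any(stringprep.in_table_d2(ch) for ch in out):
            raise ValueError("mixed right-to-left and left-to-right text")
        if not (stringprep.in_table_d1(out[0])
                and stringprep.in_table_d1(out[-1])):
            raise ValueError("right-to-left text must start and end RandAL")
    return out


def prepare_password(text: str) -> bytes:
    """The draft's SHOULD for textual passwords: Unicode, SASLprep, UTF-8."""
    return saslprep(text, stored=True).encode("utf-8")


def replace_password_ldif(dn: str, password: bytes) -> str:
    """Modify/replace LDIF that leaves exactly one userPassword value.

    replace, not add, is what the security considerations call for: it
    removes every existing value, so no stale password remains valid.
    The value is base64-encoded (the "::" form) because userPassword is an
    Octet String and may hold bytes LDIF cannot carry in cleartext.
    """
    encoded = base64.b64encode(password).decode("ascii")
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        f"userPassword:: {encoded}\n"
        "-\n"
    )


if __name__ == "__main__":
    # Constructed sample: NO-BREAK SPACE, SOFT HYPHEN and a fullwidth "A".
    pw = prepare_password("p\u00e4ss\u00a0w\u00adord\uff21")
    print(pw)  # b'p\xc3\xa4ss wordA'
    print(replace_password_ldif("uid=s9709015,ou=People,dc=example,dc=com", pw))
```

The LDIF still moves the password in cleartext inside the Modify
request, so it belongs on a transport that provides confidentiality,
as the text above requires. Whether the server stores the octets as
received or in a hashed form is a server matter; the preparation step
is the client's, which is why it is done before the request is built.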
6. Acknowledgements

The definitions, on which this document is based, have been developed
by committees for telecommunications and international standards.
1604 This document is an update of RFC 2256 by Mark Wahl. RFC 2256 was a
1605 product of the IETF ASID Working Group.
1607 The 'dc' attribute type definition and the 'dcObject' object class
1608 definition in this document supersede the specification in RFC 2247
1609 by S. Kille, M. Wahl, A. Grimstad, R. Huber, and S. Sataluri.
1611 The 'uid' attribute type definition in this document supersedes the
1612 specification of the 'userid' in RFC 1274 by P. Barker and S. Kille
1613 and of the uid in RFC 2798 by M. Smith.
1615 The 'uidObject' object class definition in this document supersedes
1616 the specification of the 'uidObject' in RFC 2377 by A. Grimstad, R.
1617 Huber, S. Sataluri and M. Smith.
1619 This document is based upon input of the IETF LDAPBIS working group.
1620 The author wishes to thank S. Legg and K. Zeilenga for their
1621 significant contribution to this update. The author would also like
1622 to thank Kathy Dally who edited early drafts of this document.
7. References

7.1 Normative References
1635 [E.123] Notation for national and international telephone
1636 numbers, ITU-T Recommendation E.123, 1988
1638 [E.164] The international public telecommunication numbering
1639 plan, ITU-T Recommendation E.164, 1997
1641 [F.1] Operational Provisions For The International Public
1642 Telegram Service Transmission System, CCITT
1643 Recommendation F.1, 1992
1645 [F.31] Telegram Retransmission System, CCITT Recommendation
1648 [ISO3166] ISO 3166, "Codes for the representation of names of
[Models] Zeilenga, K., "LDAP: The Models", draft-ietf-ldapbis-
models-xx (a work in progress)
[RFC1034] Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND
FACILITIES", RFC 1034, November 1987
1657 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1658 Requirement Levels", RFC 2119, March 1997
[RFC3490] Faltstrom, P., Hoffman, P., and A. Costello,
"Internationalizing Domain Names in Applications
(IDNA)", RFC 3490, March 2003
[RFC4013] Zeilenga, K., "SASLprep: Stringprep Profile for User
Names and Passwords", RFC 4013, February 2005
[RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 4234, October 2005
1670 [Roadmap] Zeilenga, K., "LDAP: Technical Specification Road
1671 Map", draft-ietf-ldapbis-roadmap-xx (a work in
[Syntaxes] Legg, S., Ed., "LDAP: Syntaxes", draft-ietf-ldapbis-
syntaxes-xx (a work in progress)
1677 [X.121] International numbering plan for public data networks,
1678 ITU-T Recommendation X.121, 1996
1687 [X.509] The Directory: Authentication Framework, ITU-T
1688 Recommendation X.509, 1993
1690 [X.520] The Directory: Selected Attribute Types, ITU-T
1691 Recommendation X.520, 1993
1693 [X.521] The Directory: Selected Object Classes. ITU-T
1694 Recommendation X.521, 1993
7.2 Informative References

[AuthMeth] Harrison, R., "LDAP: Authentication Methods and
Connection Level Security Mechanisms", draft-ietf-
ldapbis-authmeth-xx (a work in progress)
1702 [LDAP-PKI] Zeilenga, K., "Lightweight Directory Access Protocol
1703 (LDAP) schema definitions for X.509 Certificates",
1704 draft-zeilenga-ldap-x509-xx (a work in progress)
1706 [RFC1274] Barker, P., Kille, S.,"The COSINE and Internet X.500
1707 Schema", RFC 1274, November 1991
1709 [RFC2247] Kille, S., Wahl, M., Grimstad, A., Huber, R., and
1710 Sataluri, S., "Using Domains in LDAP/X.500
1711 Distinguished Names", RFC 2247, January 1998
1713 [RFC2377] Grimstad, A., Huber, R., Sataluri, S., and Wahl, M.,
1714 "Naming Plan for Internet-Enabled Applications", RFC
1715 2377, September 1998.
1717 [RFC2798] Smith, M., "Definition of the inetOrgPerson LDAP Object
1718 Class", RFC 2798, April 2000
1720 [X.500] ITU-T Recommendations X.500 (1993) | ISO/IEC
1721 9594-1:1994, Information Technology - Open Systems
1722 Interconnection - The Directory: Overview of concepts,
1723 models and services.
8. Editor's Address

Suite 3, Woodhouse Corporate Centre,
1731 Box Hill North, Victoria 3129
1734 Phone: +61 3 9896 7833
1743 Email: andrew.sciberras@eb2bcom.com
1745 9. Intellectual Property Statement
1747 The IETF takes no position regarding the validity or scope of any
1748 Intellectual Property Rights or other rights that might be claimed to
1749 pertain to the implementation or use of the technology described in
1750 this document or the extent to which any license under such rights
1751 might or might not be available; nor does it represent that it has
1752 made any independent effort to identify any such rights. Information
1753 on the procedures with respect to rights in RFC documents can be
1754 found in BCP 78 and BCP 79.
1756 Copies of IPR disclosures made to the IETF Secretariat and any
1757 assurances of licenses to be made available, or the result of an
1758 attempt made to obtain a general license or permission for the use of
1759 such proprietary rights by implementers or users of this
1760 specification can be obtained from the IETF on-line IPR repository at
1761 http://www.ietf.org/ipr.
1763 The IETF invites any interested party to bring to its attention any
1764 copyrights, patents or patent applications, or other proprietary
1765 rights that may cover technology that may be required to implement
1766 this standard. Please address the information to the IETF at
1769 10. Full Copyright Statement
1771 Copyright (C) The Internet Society (2006).
1773 This document is subject to the rights, licenses and restrictions
1774 contained in BCP 78, and except as set forth therein, the authors
1775 retain all their rights.
1777 This document and the information contained herein are provided on an
1778 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1779 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
1780 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
1781 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
1782 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1783 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
1799 Appendix A Changes Made Since RFC 2256
1801 This appendix lists the changes that have been made from RFC 2256 to
1804 This appendix is not a normative part of this specification, which
1805 has been provided for informational purposes only.
1807 1. Replaced the document title.
1809 2. Removed the IESG Note.
1811 3. Dependencies on RFC 1274 have been eliminated.
1813 4. Added a Security Considerations section and an IANA
1814 considerations section.
1816 5. Deleted the conformance requirement for subschema object
1817 classes in favor of a statement in [Syntaxes].
1819 6. Added explanation to attribute types and to each object class.
1821 7. Removed Section 4, Syntaxes, and Section 6, Matching Rules,
1822 (moved to [Syntaxes]).
1824 8. Removed the certificate-related attribute types:
1825 authorityRevocationList, cACertificate,
1826 certificateRevocationList, crossCertificatePair,
1827 deltaRevocationList, supportedAlgorithms, and userCertificate.
1829 Removed the certificate-related Object Classes:
1830 certificationAuthority, certificationAuthority-V2,
1831 cRLDistributionPoint, strongAuthenticationUser, and
1832 userSecurityInformation
1834 LDAP PKI is now discussed in [LDAP-CRL] and [LDAP-CERT].
1836 9. Removed the dmdName, knowledgeInformation,
1837 presentationAddress, protocolInformation, and
1838 supportedApplicationContext attribute types and the dmd,
1839 applicationEntity, and dSA object classes.
1841 10. Deleted the aliasedObjectName and objectClass attribute type
1842 definitions. Deleted the alias and top object class
1843 definitions. They are included in [Models].
1845 11. Added the 'dc' attribute type from RFC 2247.
12. Numerous editorial changes.
1857 13. Removed upper bound after the SYNTAX oid in all attribute
1858 definitions where it appeared.
1860 14. Added text about Unicode, SASLprep and UTF-8 for userPassword.
1864 15. Corrected examples in preferredDeliveryMethod, uniqueMember,
1865 postalAddress, and registeredAddress attribute types.
1867 16. Clarified and corrected examples in owner and roleOccupant
1870 17. Added RFC 2234 to normative references.
1872 18. Added RFC 1274 and RFC 2798 to informative references.
1874 19. Removed the statement about RFC 2026 conformance.
1876 20. Added the IPR Disclosure and Notice
1878 21. Updated the Copyright text.
1882 22. Included RFC 2377 into Updates header and Informative
1885 23. Changed Editor information to Andrew Sciberras.
1887 24. Updated I-D Template information.
1889 25. References made consistent with other LDAPbis ID's. [ROADMAP]
1890 -> [RoadMap] and [AUTHMETH] -> [AuthMeth].
1892 26. Changed Introduction to include an (LDAP) acronym after the
1895 27. Renamed section 1.1 to "Relationship with other
1896 specifications" from "Situation".
1898 28. Included definitions, comments and references for 'dcObject'
1901 29. Replaced PKI schema references to use draft-zeilenga-ldap-
1911 30. Spelt out and referenced ABNF on first usage.
1913 31. Removed Section 2.4 (Source). Replaced the source table with
1914 explicit references for each definition.
1916 32. All references to an attribute type or object class are
1917 enclosed in single quotes.
1919 33. The layout of attribute type definitions has been changed to
1920 provide consistency throughout the document:
1922 > Description of Attribute type
1923 > Multivalued description
1924 > Source Information
1927 > Additional Comments
1929 Adding this consistent output included the addition of
1930 examples to some definitions.
1932 34. References to alternate names for attributes types are
1933 provided with a reference to where they were originally
1936 35. Clarification of the description of 'distinguishedName' and
1937 'name', in regards to these attribute types being supertypes.
1939 36. Spelt out ISDN on first usage.
1941 37. Inserted a reference to [Syntaxes] for the
1942 'teletexTerminalIdentifier' definition's SYNTAX OID.
1944 38. Additional names were added to the IANA Considerations. Names
1945 include 'commonName', 'dcObject', 'domainComponent', 'GN',
'localityName', 'organizationName', 'organizationalUnitName',
1947 'surname', 'uidObject' and 'userid'.
1949 39. Renamed all instances of supercede to supersede.
1951 40. Moved [F.1], [F.30] and [SASLprep] from informative to
1952 normative references.
1954 41. Changed the 'c' definition to be consistent with X.500.
1956 42. Added text to 'dc', making the distinction between 'stored'
1957 and 'query' values when preparing IDN strings.