INTERNET-DRAFT                                   Editor: Kurt D. Zeilenga
Intended Category: Standard Track                      OpenLDAP Foundation
Expires in six months                                       18 August 2002

                       Collective Attributes in LDAP
                   <draft-zeilenga-ldap-collective-08.txt>
This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026.

This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor as a Standard Track document.
Distribution of this memo is unlimited. Technical discussion of this
document will take place on the IETF LDAP Extension Working Group
mailing list <ldapext@ietf.org>. Please send editorial comments
directly to the author <Kurt@OpenLDAP.org>.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.''

The list of current Internet-Drafts can be accessed at
<http://www.ietf.org/ietf/1id-abstracts.txt>. The list of
Internet-Draft Shadow Directories can be accessed at
<http://www.ietf.org/shadow.html>.

Copyright 2002, The Internet Society. All Rights Reserved.

Please see the Copyright section near the end of this document for
X.500 collective attributes allow common characteristics to be shared
between collections of entries. This document summarizes the X.500
information model for collective attributes and describes use of
collective attributes in LDAP (Lightweight Directory Access Protocol).
This document provides schema definitions for collective attributes
Zeilenga             draft-zeilenga-ldap-collective-08            [Page 1]

INTERNET-DRAFT          LDAP Collective Attributes          18 August 2002
Schema definitions are provided using LDAPv3 description formats
[RFC2252]. Definitions provided here are formatted (line wrapped) for

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 [RFC2119].
In X.500, a collective attribute is "a user attribute whose values are
the same for each member of an entry collection" [X.501]. This
document details their use in the Lightweight Directory Access
Protocol (LDAP) [LDAPTS].
1.1. Entry Collections

A collection of entries is a grouping of object and alias entries
based upon common properties or a shared relationship between the
corresponding entries, which share certain attributes. An entry
collection consists of all entries within the scope of a collective
attributes subentry [SUBENTRY]. An entry can belong to several entry
1.2. Collective Attributes

Attributes shared by the entries comprising an entry collection are
called collective attributes. Values of collective attributes are
visible to, but not updateable by, clients accessing entries within the
collection. Collective attributes are updated (i.e., modified) via
their associated collective attributes subentry.

When an entry belongs to multiple entry collections, the entry's
values of each collective attribute are combined such that the independent
sources of these values are not manifested to clients.

Entries can specifically exclude a particular collective attribute by
listing the attribute as a value of the collectiveExclusions
attribute. Like other user attributes, collective attributes are
subject to a variety of controls including access, administrative, and
2. System Schema for Collective Attributes

The following operational attributes are used to manage Collective
Attributes. LDAP servers [LDAPTS] MUST act in accordance with the
X.500 Directory Models [X.501] when providing this service.

2.1. collectiveAttributeSubentry

Subentries of this object class are used to administer collective
attributes and are referred to as collective attribute subentries.

    ( 2.5.20.2 NAME 'collectiveAttributeSubentry' AUXILIARY )

A collective attribute subentry SHOULD contain at least one collective
attribute. The collective attributes contained within a collective
attribute subentry are available for finding, searching, and
comparison at every entry within the scope of the subentry. The
collective attributes, however, are administered (e.g. modified) via

Implementations of this specification SHOULD support collective
attribute subentries in both collectiveAttributeSpecificArea
(2.5.23.5) and collectiveAttributeInnerArea (2.5.23.6) administrative
areas [SUBENTRY][X.501].
2.2. collectiveAttributeSubentries

The collectiveAttributeSubentries operational attribute identifies all
collective attribute subentries that affect the entry.

    ( 2.5.18.12 NAME 'collectiveAttributeSubentries'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
        USAGE directoryOperation NO-USER-MODIFICATION )

2.3. collectiveExclusions

The collectiveExclusions operational attribute allows particular
collective attributes to be excluded from an entry. It MAY appear in
any entry and MAY have multiple values.

    ( 2.5.18.7 NAME 'collectiveExclusions'
        EQUALITY objectIdentifierMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
        USAGE directoryOperation )
The descriptor excludeAllCollectiveAttributes is associated with the
OID 2.5.18.0. When this descriptor or OID is present as a value of
the collectiveExclusions attribute, all collective attributes are
excluded from an entry.
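The following Python is an added illustration, not code from this draft or from any LDAP server, of the read-time behaviour sections 1.2, 2.2 and 2.3 describe: a server merges the values of each collective attribute from every collective attribute subentry named in the entry's collectiveAttributeSubentries, hides which subentry supplied which value, honours collectiveExclusions given either by descriptor or by OID (including excludeAllCollectiveAttributes, 2.5.18.0), and refuses client modification of a collective attribute through the entry. The entries, subentry DNs, values and the descriptor-to-OID map (which stands in for a real server's schema) are constructed sample data.

```python
"""Server-side view of an entry that lies in one or more entry collections.

Added example, not code from this draft or from any LDAP implementation.
All directory content below is constructed sample data."""

EXCLUDE_ALL_OID = "2.5.18.0"                      # excludeAllCollectiveAttributes
EXCLUDE_ALL_DESCRIPTOR = "excludeallcollectiveattributes"

# Descriptor -> OID for the collective types used in the sample (OIDs as
# listed in section 3 of the draft).  A real server takes this from its schema.
COLLECTIVE_OIDS = {
    "c-telephonenumber": "2.5.4.20.1",
    "c-postalcode": "2.5.4.17.1",
    "c-o": "2.5.4.10.1",
}


def _lower_keys(attrs):
    """Attribute descriptors are case-insensitive; normalise them to lower case."""
    return {k.lower(): list(v) for k, v in attrs.items()}


def _exclusion_set(values):
    """Map collectiveExclusions values (descriptor or OID form) to a set of OIDs."""
    oids = set()
    for raw in values:
        v = raw.strip().lower()
        if v in (EXCLUDE_ALL_OID, EXCLUDE_ALL_DESCRIPTOR):
            oids.add(EXCLUDE_ALL_OID)
        else:
            oids.add(COLLECTIVE_OIDS.get(v, v))
    return oids


def effective_attributes(entry_attrs, subentries):
    """Return the attribute view a client reading the entry sees.

    entry_attrs: stored attributes of the entry, {descriptor: [values]},
                 including the server-maintained operational attributes
                 collectiveAttributeSubentries and collectiveExclusions.
    subentries:  {subentry DN: {collective descriptor: [values]}}.
    """
    view = _lower_keys(entry_attrs)
    excluded = _exclusion_set(view.get("collectiveexclusions", []))
    if EXCLUDE_ALL_OID in excluded:
        return view                       # entry opted out of every collection
    for dn in view.get("collectiveattributesubentries", []):
        for attr, values in subentries.get(dn, {}).items():
            name = attr.lower()
            if name in excluded or COLLECTIVE_OIDS.get(name) in excluded:
                continue
            # Union the values: the client cannot tell which subentry
            # contributed which value (section 1.2).
            merged = view.setdefault(name, [])
            for v in values:
                if v not in merged:
                    merged.append(v)
    return view


def client_modify_allowed(attr):
    """Collective attributes are read-only at the entry and are modified only
    through their subentry (section 1.2).  Returns (allowed, reason)."""
    if attr.lower() in COLLECTIVE_OIDS:
        return False, f"{attr} is collective; modify it via its collective attribute subentry"
    return True, "ok"


# Constructed sample directory content.
SUBENTRIES = {
    "cn=eng-collective,ou=Engineering,o=Example": {
        "c-TelephoneNumber": ["+1 555 0100"],
        "c-PostalCode": ["12345"],
        "c-o": ["Example Corp"],
    },
    "cn=site-collective,o=Example": {
        "c-TelephoneNumber": ["+1 555 0200"],
        "c-o": ["Example Corp"],          # same value from a second collection
    },
}

ALICE = {
    "cn": ["Alice"],
    "telephoneNumber": ["+1 555 0199"],
    "collectiveAttributeSubentries": list(SUBENTRIES),   # both subentries apply
    "collectiveExclusions": ["c-PostalCode"],            # opt out of one type
}

if __name__ == "__main__":
    for attr, values in sorted(effective_attributes(ALICE, SUBENTRIES).items()):
        print(f"{attr}: {values}")
    print(client_modify_allowed("c-TelephoneNumber"))
```

Running the block shows Alice's own telephoneNumber beside a c-TelephoneNumber holding both collections' values in one list, no c-PostalCode at all, and a single deduplicated c-o value; the modification check reports that c-TelephoneNumber can only be changed through its subentry. Note that the scope computation itself (which subentries affect which entries) is left to the server that maintains collectiveAttributeSubentries, as section 2.2 describes.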
3. Collective Attribute Types

A userApplications attribute type can be defined to be COLLECTIVE
[RFC2252]. This indicates that the same attribute values will appear
in the entries of an entry collection, subject to the use of the
collectiveExclusions attribute and other administrative controls.
These administrative controls MAY include DIT Content Rules, if

Collective attribute types are commonly defined as subtypes of
non-collective attribute types. By convention, collective attributes are
named by prefixing the name of their non-collective supertype with
"c-". For example, the collective telephone number attribute is named
c-TelephoneNumber after its non-collective supertype telephoneNumber.

Non-collective attribute types SHALL NOT subtype collective

Collective attributes SHALL NOT be SINGLE-VALUED. Collective
attribute types SHALL NOT appear in the attribute types of an object

Operational attributes SHALL NOT be defined to be collective.
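As an added example (not code from this draft or from OpenLDAP), the Python below parses attribute type descriptions in the RFC 2252 line form this document uses and checks a schema against the rules just stated: a COLLECTIVE type must not be SINGLE-VALUE, a non-collective type must not subtype a collective one, an operational (non-userApplications) type must not be collective, and, as a convention check only, a collective subtype should carry the "c-" prefix. The good definitions are taken from this draft and from RFC 2256 (telephoneNumber); the three bad definitions and their OIDs under 1.3.6.1.4.1.99999 are constructed placeholders.

```python
"""Parse LDAPv3 attribute type descriptions (RFC 2252 form) and check the
collective-attribute rules of section 3 of the draft.

Added example; not code from the draft or from OpenLDAP.  The parser only
understands the keywords that occur in this document."""
import re

_TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()']+")
_FLAGS = {"SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION", "OBSOLETE"}
_VALUED = {"DESC", "SUP", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "USAGE"}


def parse_attribute_type(text):
    """Turn one description into a dict; flags become booleans and USAGE
    defaults to userApplications as RFC 2252 specifies."""
    tokens = _TOKEN.findall(text)
    if not tokens or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("description must be enclosed in parentheses")
    body = tokens[1:-1]
    desc = {"oid": body[0], "names": [], "usage": "userApplications"}
    i = 1
    while i < len(body):
        key = body[i]
        if key in _FLAGS:
            desc[key.lower().replace("-", "_")] = True
            i += 1
        elif key == "NAME":                      # 'x'  or  ( 'x' 'y' )
            i += 1
            if body[i] == "(":
                i += 1
                while body[i] != ")":
                    desc["names"].append(body[i].strip("'"))
                    i += 1
                i += 1
            else:
                desc["names"].append(body[i].strip("'"))
                i += 1
        elif key in _VALUED:
            desc[key.lower()] = body[i + 1].strip("'")
            i += 2
        else:
            raise ValueError(f"unsupported keyword {key!r}")
    return desc


def check_collective_rules(descs):
    """Apply section 3 to a list of parsed types; returns violation strings
    (an empty list means the schema respects the rules)."""
    by_key = {}
    for d in descs:
        by_key[d["oid"]] = d
        for n in d["names"]:
            by_key[n.lower()] = d
    problems = []
    for d in descs:
        name = d["names"][0] if d["names"] else d["oid"]
        collective = d.get("collective", False)
        sup = by_key.get(d.get("sup", "").lower())
        if collective and d.get("single_value"):
            problems.append(f"{name}: collective attributes SHALL NOT be SINGLE-VALUE")
        if collective and d["usage"] != "userApplications":
            problems.append(f"{name}: operational attributes SHALL NOT be collective")
        if sup is not None and sup.get("collective") and not collective:
            problems.append(f"{name}: a non-collective type SHALL NOT subtype a collective type")
        if collective and sup is not None and not name.lower().startswith("c-"):
            problems.append(f"{name}: convention names collective subtypes 'c-' + supertype")
    return problems


# Definitions taken from this draft and from RFC 2256 (telephoneNumber).
GOOD_SCHEMA = [
    "( 2.5.4.20 NAME 'telephoneNumber' EQUALITY telephoneNumberMatch "
    "SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )",
    "( 2.5.4.20.1 NAME 'c-TelephoneNumber' SUP telephoneNumber COLLECTIVE )",
    "( 2.5.18.7 NAME 'collectiveExclusions' EQUALITY objectIdentifierMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE directoryOperation )",
    "( 2.5.18.12 NAME 'collectiveAttributeSubentries' EQUALITY distinguishedNameMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 USAGE directoryOperation NO-USER-MODIFICATION )",
]

# Constructed definitions (placeholder OIDs), each breaking one or more rules.
BAD_SCHEMA = [
    "( 1.3.6.1.4.1.99999.1 NAME 'x-opCollective' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 "
    "COLLECTIVE USAGE directoryOperation )",
    "( 1.3.6.1.4.1.99999.2 NAME 'x-singleCollective' SUP telephoneNumber SINGLE-VALUE COLLECTIVE )",
    "( 1.3.6.1.4.1.99999.3 NAME 'x-plainPhone' SUP c-TelephoneNumber )",
]


def audit(definitions):
    """Parse and check a list of description strings."""
    return check_collective_rules([parse_attribute_type(s) for s in definitions])


if __name__ == "__main__":
    print("good schema:", audit(GOOD_SCHEMA) or "no violations")
    for p in audit(GOOD_SCHEMA + BAD_SCHEMA):
        print("violation:", p)
```

The supertype lookup is done across the whole schema being audited, so the SUP chain of a definition is only checked when its supertype is present in the list; feeding the bad definitions alone would therefore report fewer violations than feeding them together with the types they build on.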
The remainder of this section provides a summary of collective attributes
derived from those defined in [X.520]. The SUPerior attribute types
are described in [RFC2256] for use with LDAP.

Implementations of this specification SHOULD support the following
collective attributes and MAY support additional collective
3.1. Collective Locality Name

The c-l attribute type specifies a locality name for a collection of

    ( 2.5.4.7.1 NAME 'c-l'
3.2. Collective State or Province Name

The c-st attribute type specifies a state or province name for a
collection of entries.

    ( 2.5.4.8.1 NAME 'c-st'

3.3. Collective Street Address

The c-street attribute type specifies a street address for a
collection of entries.

    ( 2.5.4.9.1 NAME 'c-street'
        SUP street COLLECTIVE )

3.4. Collective Organization Name

The c-o attribute type specifies an organization name for a collection

    ( 2.5.4.10.1 NAME 'c-o'

3.5. Collective Organizational Unit Name

The c-ou attribute type specifies an organizational unit name for a
collection of entries.

    ( 2.5.4.11.1 NAME 'c-ou'

3.6. Collective Postal Address

The c-PostalAddress attribute type specifies a postal address for a
collection of entries.

    ( 2.5.4.16.1 NAME 'c-PostalAddress'
        SUP postalAddress COLLECTIVE )

3.7. Collective Postal Code

The c-PostalCode attribute type specifies a postal code for a
collection of entries.

    ( 2.5.4.17.1 NAME 'c-PostalCode'
        SUP postalCode COLLECTIVE )

3.8. Collective Post Office Box

The c-PostOfficeBox attribute type specifies a post office box for a
collection of entries.

    ( 2.5.4.18.1 NAME 'c-PostOfficeBox'
        SUP postOfficeBox COLLECTIVE )

3.9. Collective Physical Delivery Office Name

The c-PhysicalDeliveryOfficeName attribute type specifies a physical
delivery office name for a collection of entries.

    ( 2.5.4.19.1 NAME 'c-PhysicalDeliveryOfficeName'
        SUP physicalDeliveryOfficeName COLLECTIVE )

3.10. Collective Telephone Number

The c-TelephoneNumber attribute type specifies a telephone number for
a collection of entries.

    ( 2.5.4.20.1 NAME 'c-TelephoneNumber'
        SUP telephoneNumber COLLECTIVE )

3.11. Collective Telex Number

The c-TelexNumber attribute type specifies a telex number for a
collection of entries.

    ( 2.5.4.21.1 NAME 'c-TelexNumber'
        SUP telexNumber COLLECTIVE )

3.13. Collective Facsimile Telephone Number

The c-FacsimileTelephoneNumber attribute type specifies a facsimile
telephone number for a collection of entries.

    ( 2.5.4.23.1 NAME 'c-FacsimileTelephoneNumber'
        SUP facsimileTelephoneNumber COLLECTIVE )

3.14. Collective International ISDN Number

The c-InternationalISDNNumber attribute type specifies an
international ISDN number for a collection of entries.

    ( 2.5.4.25.1 NAME 'c-InternationalISDNNumber'
        SUP internationalISDNNumber COLLECTIVE )
4. Security Considerations

Collective attributes, like other attributes, are subject to access
control restrictions and other administrative policy. Generally
speaking, collective attributes accessed via an entry in a collection
are governed by rules restricting access to attributes of that entry,
and collective attributes accessed via a subentry are governed by rules
restricting access to attributes of that subentry. However, as LDAP
does not have a standard access control model, the particulars of each
server's access control system may differ.

General LDAP security considerations [LDAPTS] also apply.
5. IANA Considerations

It is requested that IANA register upon Standards Action the LDAP
descriptors [LDAPIANA] defined in this technical specification. The
following registration template is suggested:

    Subject: Request for LDAP Descriptor Registration
    Descriptor: see comments
    Object Identifier: see comments
    Person & email address to contact for further information:
        Kurt Zeilenga <kurt@OpenLDAP.org>
    Specification: RFCXXXX
    Author/Change Controller: IESG
    ------------------------------  ----  -----------------
    c-FacsimileTelephoneNumber      A     2.5.4.23.1
    c-InternationalISDNNumber       A     2.5.4.25.1
    c-PhysicalDeliveryOffice        A     2.5.4.19.1
    c-PostOfficeBox                 A     2.5.4.18.1
    c-PostalAddress                 A     2.5.4.16.1
    c-PostalCode                    A     2.5.4.17.1
    c-TelephoneNumber               A     2.5.4.20.1
    c-TelexNumber                   A     2.5.4.21.1
    collectiveAttributeSubentries   A     2.5.18.12
    collectiveAttributeSubentry     O     2.5.20.2
    collectiveExclusions            A     2.5.18.7

where Type A is Attribute and Type O is ObjectClass.
The Object Identifiers used in this document were assigned by the
ISO/IEC Joint Technical Committee 1 - Subcommittee 6 to identify
elements of X.500 schema [X.520]. This document makes no OID
assignments; it only provides LDAP schema descriptions with existing
elements of X.500 schema.
This document is based upon the ITU Recommendations for the Directory

8. Normative References

[RFC2119]  S. Bradner, "Key words for use in RFCs to Indicate
           Requirement Levels", BCP 14 (also RFC 2119), March 1997.

[RFC2251]  M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
           Protocol (v3)", RFC 2251, December 1997.

[RFC2252]  M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight
           Directory Access Protocol (v3): Attribute Syntax
           Definitions", RFC 2252, December 1997.
[RFC2256]  M. Wahl, "A Summary of the X.500(96) User Schema for use
           with LDAPv3", RFC 2256, December 1997.

[LDAPTS]   J. Hodges, R.L. Morgan, "Lightweight Directory Access
           Protocol (v3): Technical Specification",
           draft-ietf-ldapbis-ldapv3-ts-xx.txt.

[SUBENTRY] K. Zeilenga, S. Legg, "Subentries in LDAP",
           draft-zeilenga-ldap-subentry-xx.txt, a work in progress.

[X.501]    "The Directory: Models", ITU-T Recommendation X.501, 1993.

9. Informative References

[X.500]    "The Directory: Overview of Concepts, Models", ITU-T
           Recommendation X.500, 1993.

[X.520]    "The Directory: Selected Attribute Types", ITU-T
           Recommendation X.520, 1993.
Copyright 2002, The Internet Society. All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be followed,
or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an
"AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.