INTERNET-DRAFT Editor: Kurt D. Zeilenga
Intended Category: Standard Track OpenLDAP Foundation
Expires in six months 23 October 2005
Obsoletes: RFC 1274, RFC 2247

COSINE LDAP/X.500 Schema
<draft-zeilenga-ldap-cosine-01.txt>
This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor as a Standard Track document.
Distribution of this memo is unlimited. Technical discussion of this
document will take place on the IETF LDAPEXT mailing list
<ldapext@ietf.org>. Please send editorial comments directly to the
author <Kurt@OpenLDAP.org>.

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware have
been or will be disclosed, and any of which he or she becomes aware
will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html

Copyright (C) The Internet Society (2005). All Rights Reserved.

Please see the Full Copyright section near the end of this document
Zeilenga draft-zeilenga-ldap-cosine-01 [Page 1]

INTERNET-DRAFT COSINE Schema 23 October 2005
This document provides a collection of schema elements for use with
the Lightweight Directory Access Protocol (LDAP) from the COSINE and
Internet X.500 pilot projects.

This document obsoletes RFC 1274 and RFC 2247.
1. Background and Intended Use 3
1.1. Relationship with Other Documents
1.2. Terminology and Conventions
2. COSINE Attribute Types 4
2.6. documentIdentifier
2.8. documentPublisher
2.13. homePostalAddress
2.20. organizationalStatus
2.26. uniqueIdentifier
3. COSINE Object Classes 14
3.5. domainRelatedObject
3.9. simpleSecurityObject
4. Security Considerations 19
5. IANA Considerations 20
6. Acknowledgments 21
A. Changes Since RFC 1274 23
Intellectual Property Rights 24
1. Background and Intended Use

In the late 1980s, X.500 Directory Services were standardised by the
CCITT (Comité Consultatif International Télégraphique et
Téléphonique), now a part of the ITU (International Telephone Union).
This led to Directory Service piloting activities in the early 1990s,
including the COSINE (Co-operation and Open Systems Interconnection in
Europe) PARADISE Project pilot [COSINEpilot] in Europe. Motivated by
the needs of large-scale directory pilots, RFC 1274 was published to
standardize directory schema and naming architecture for use in the
COSINE and other Internet X.500 pilots [RFC1274].

In the years that followed, X.500 Directory Services have evolved to
incorporate new capabilities and even new protocols. In particular,
the Lightweight Directory Access Protocol (LDAP) [Roadmap] was
introduced in the early 1990s [RFC1487], with Version 3 of LDAP
introduced in the late 1990s [RFC2251] and subsequently revised in the

While much of the material in RFC 1274 has been superseded by
subsequently published ITU-T Recommendations and IETF RFCs, many of
the schema elements lack standardized schema descriptions for use in
modern X.500 and LDAP directory services despite the fact that these
schema elements are in wide use today. As the old schema descriptions
cannot be used without adaptation, interoperability issues may arise
due to the lack of standardized modern schema descriptions.

This document addresses these issues by offering standardized schema
descriptions, where needed, for widely-used COSINE schema elements.
1.1. Relationship to Other Documents

This document, together with [Schema] and [Syntaxes], obsoletes RFC
1274 in its entirety. [Schema] replaces Section 9.3.1 (Userid) and
Section 9.3.21 (Domain Component) of RFC 1274. [Syntaxes] replaces
Section 9.4 (Generally useful syntaxes) of RFC 1274.

This document replaces the remainder of RFC 1274. Appendix A
discusses changes since RFC 1274, as well as why certain schema
elements were not brought forward in this revision of the COSINE
schema. All elements not brought forward are to be regarded as
Historic.

This document, together with [NamingPlan] and [Schema], obsoletes RFC
2247 in its entirety. [Schema] replaces Section 4 (Attribute Type
Definition) and Section 5.1 (The dcObject object class) of RFC 2247.
This document replaces Section 5.2 (The domain object class) of RFC
2247. The remainder of RFC 2247 is replaced by [NamingPlan].

Some of these items were described in RFC 2798 (inetOrgPerson schema).
This document supersedes those descriptions. This document, together
with [Schema], replaces Section 9.1.3 of RFC 2798.
1.2. Terminology and Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 [RFC2119].

DIT stands for Directory Information Tree.
DN stands for Distinguished Name.
DSA stands for Directory System Agent, a server.
DSE stands for DSA-Specific Entry.
DUA stands for Directory User Agent, a client.

These terms are discussed in [Models].

Schema definitions are provided using LDAP description formats
[Models]. Definitions provided here are formatted (line wrapped) for

2. COSINE Attribute Types

This section details COSINE attribute types for use in LDAP.
2.1. associatedDomain

The 'associatedDomain' attribute specifies DNS domains [RFC1034] which
are associated with an object. For example, the entry in the DIT with
a DN <DC=example,DC=com> might have an associated domain of

( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

The IA5String (1.3.6.1.4.1.1466.115.121.1.26) syntax and the
'caseIgnoreIA5Match' and 'caseIgnoreIA5SubstringsMatch' rules are
described in [Syntaxes].

It is noted that the directory will not ensure that values of this
attribute conform to the <domain> production [RFC1034]. It is the
application's responsibility to ensure that domains it stores in this
attribute are appropriately represented.

It is also noted that applications supporting Internationalized Domain
Names SHALL use the ToASCII method [RFC3490] to produce <label>
components of the <domain> production.
The 'associatedName' attribute specifies names of entries in the
organizational DIT associated with a DNS domain [RFC1034].

( 0.9.2342.19200300.100.1.38 NAME 'associatedName'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax and the
'distinguishedNameMatch' rule are described in [Syntaxes].

The 'buildingName' attribute specifies names of the buildings where an
organization or organizational unit is based. For example, "The White

( 0.9.2342.19200300.100.1.48 NAME 'buildingName'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
The 'co' (Friendly Country Name) attribute specifies names of
countries in human-readable format. For example, "Germany" and
"Federal Republic of Germany". It is commonly used in conjunction
with the 'c' (Country Name) [Schema] attribute (whose values are
restricted to the two-letter codes defined in [ISO3166]).

( 0.9.2342.19200300.100.1.43 NAME 'co'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
The 'documentAuthor' attribute specifies the distinguished name of
authors (or editors) of a document. For example,

( 0.9.2342.19200300.100.1.14 NAME 'documentAuthor'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax and the
'distinguishedNameMatch' rule are described in [Syntaxes].

2.6. documentIdentifier

The 'documentIdentifier' attribute specifies unique identifiers for a
document. A document may be identified by more than one unique
identifier. For example, RFC 3383 and BCP 64 are unique identifiers
which (presently) refer to the same document.

( 0.9.2342.19200300.100.1.11 NAME 'documentIdentifier'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
2.7. documentLocation

The 'documentLocation' attribute specifies locations of the document

( 0.9.2342.19200300.100.1.15 NAME 'documentLocation'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described

2.8. documentPublisher

The 'documentPublisher' attribute is the persons and/or organizations
that published the document. Documents which are jointly published
have one value for each publisher.

( 0.9.2342.19200300.100.1.56 NAME 'documentPublisher'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described

The 'documentTitle' attribute specifies the titles of a document.
Multiple values are allowed to accommodate both long and short titles,
or other situations where a document has multiple titles. For
example, "The Lightweight Directory Access Protocol Technical
Specification" and "The LDAP Technical Specification".

( 0.9.2342.19200300.100.1.12 NAME 'documentTitle'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
2.10. documentVersion

The 'documentVersion' attribute specifies the version information of a

( 0.9.2342.19200300.100.1.13 NAME 'documentVersion'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described

The 'drink' (favoriteDrink) attribute specifies favorite drinks of an
object (or person). For instance, "cola" and "beer".

( 0.9.2342.19200300.100.1.5 NAME 'drink'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described

The 'homePhone' (Home Telephone Number) attribute specifies home
telephone numbers (e.g., "+1 775 555 1234") associated with a person.

( 0.9.2342.19200300.100.1.20 NAME 'homePhone'
    EQUALITY telephoneNumberMatch
    SUBSTR telephoneNumberSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )

The telephoneNumber (1.3.6.1.4.1.1466.115.121.1.50) syntax and the
'telephoneNumberMatch' and 'telephoneNumberSubstringsMatch' rules are
described in [Syntaxes].
2.13. homePostalAddress

The 'homePostalAddress' attribute specifies home postal addresses for
an object. Each value should be limited to up to 6 directory strings
of 30 characters each. (Note: it is not intended that the directory
service enforce these limits.)

( 0.9.2342.19200300.100.1.39 NAME 'homePostalAddress'
    EQUALITY caseIgnoreListMatch
    SUBSTR caseIgnoreListSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

The PostalAddress (1.3.6.1.4.1.1466.115.121.1.41) syntax and the
'caseIgnoreListMatch' and 'caseIgnoreListSubstringsMatch' rules are
described in [Syntaxes].
The 'host' attribute specifies host computers, generally by their
primary fully-qualified domain name (e.g., my-host.example.com).

( 0.9.2342.19200300.100.1.9 NAME 'host'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described

The 'info' attribute specifies any general information pertinent to an
object. This information is not necessarily descriptive of the

Applications should not attach specific semantics to values of this
attribute. The 'description' attribute [Schema] is available for
specifying descriptive information pertinent to an object.

( 0.9.2342.19200300.100.1.4 NAME 'info'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{2048} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
The 'mail' (rfc822mailbox) attribute type holds Internet mail
addresses in Mailbox [RFC2821] form (e.g., user@example.com).

( 0.9.2342.19200300.100.1.3 NAME 'mail'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

The IA5String (1.3.6.1.4.1.1466.115.121.1.26) syntax and the
'caseIgnoreIA5Match' and 'caseIgnoreIA5SubstringsMatch' rules are
described in [Syntaxes].

It is noted that the directory will not ensure that values of this
attribute conform to the <Mailbox> production [RFC2821]. It is the
application's responsibility to ensure that addresses it stores in this
attribute are appropriately represented.

Additionally, the directory will compare values per the matching rules
named in the above attribute type description. As these rules differ
from the rules which normally apply to <Mailbox> comparisons,
operational issues may arise. For example, the assertion
(mail=joe@example.com) will match "JOE@example.com" even though the
<local-part>s differ. Also, where a user has two <Mailbox>es whose
addresses differ only by case of the <local-part>, both cannot be
listed as values of the user's 'mail' attribute (as they are considered
by the 'caseIgnoreIA5Match' rule to be equal).

It is also noted that applications supporting internationalized domain
names SHALL use the ToASCII method [RFC3490] to produce <sub-domain>
components of the <Mailbox> production.
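The two checks this draft leaves to the application, the <domain> production for 'associatedDomain' (Section 2.1) and the <Mailbox> production for 'mail', together with the case-folding behaviour of 'caseIgnoreIA5Match' just described, are shown below in Python. This is an added example, not code from the draft or from OpenLDAP. The function names are this example's own; the <domain> check follows RFC 1034 as the page cites it (RFC 1123's later allowance for digit-initial labels is deliberately not applied), the Dot-string-only local part is a simplification of RFC 2821, and the 'caseIgnoreIA5Match' key is a simplified form of the RFC 4518 string preparation steps.

```python
import re

# <domain> production of RFC 1034, Section 3.5, as the page cites it: a label
# starts with a letter, may contain letters, digits and hyphens, may not end
# with a hyphen and is at most 63 characters; the whole name is at most 255.
LABEL = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# atext of RFC 2821's Dot-string local part (concatenated rather than written
# as an f-string so the braces are not taken for a format field).
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
DOT_STRING = re.compile("^" + ATEXT + r"(?:\." + ATEXT + r")*$")


def is_rfc1034_domain(name: str) -> bool:
    """True if every dot-separated label satisfies the <label> rule above."""
    if not name or len(name) > 255:
        return False
    return all(LABEL.match(label) for label in name.split("."))


def to_ascii_domain(name: str) -> str:
    """ToASCII (RFC 3490) on every label.  Python's 'idna' codec implements it
    and raises UnicodeError for input it cannot convert."""
    return name.encode("idna").decode("ascii")


def prepare_associated_domain(name: str):
    """The value an application should store in 'associatedDomain': the ToASCII
    form when it is a valid <domain>, otherwise None.  The directory itself
    accepts any IA5 string, so this check must happen before the write."""
    try:
        ascii_name = to_ascii_domain(name)
    except UnicodeError:
        return None
    return ascii_name if is_rfc1034_domain(ascii_name) else None


def is_rfc2821_mailbox(value: str) -> bool:
    """Local-part '@' Domain with a Dot-string local part of at most 64
    characters.  Quoted-string local parts and address literals are rejected;
    that is a simplification made by this example, not a rule of RFC 2821."""
    local, at, domain = value.rpartition("@")
    if not at or not local or len(local) > 64:
        return False
    return bool(DOT_STRING.match(local)) and is_rfc1034_domain(domain)


def case_ignore_ia5_key(value: str) -> str:
    """Comparison key approximating 'caseIgnoreIA5Match': the value must be IA5
    (ASCII), case is folded, and leading, trailing and repeated spaces are
    insignificant (a simplified form of the RFC 4518 preparation steps)."""
    if not value.isascii():
        raise ValueError("caseIgnoreIA5Match is defined only for IA5 strings")
    return " ".join(value.split()).lower()


def mail_values_equal(assertion: str, stored: str) -> bool:
    """What the directory answers for (mail=assertion) against a stored value."""
    return case_ignore_ia5_key(assertion) == case_ignore_ia5_key(stored)


def distinct_mail_values(values):
    """The values a 'mail' attribute can actually hold: a later value that the
    equality rule considers equal to an earlier one is dropped, so two mailboxes
    differing only in local-part case collapse to one."""
    seen, kept = set(), []
    for value in values:
        key = case_ignore_ia5_key(value)
        if key not in seen:
            seen.add(key)
            kept.append(value)
    return kept


if __name__ == "__main__":
    print(prepare_associated_domain("bücher.example"))      # xn--bcher-kva.example
    print(mail_values_equal("joe@example.com", "JOE@example.com"))   # True
    print(distinct_mail_values(["joe@example.com", "JOE@example.com"]))
```

Run before writing to the directory: a None from prepare_associated_domain or a False from is_rfc2821_mailbox is the application's signal to reject the value, since the server will store anything that is an IA5 string. distinct_mail_values shows the second consequence the draft notes: the collision is not an error on the server side, the second value simply cannot coexist with the first.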
The 'manager' attribute specifies managers, by distinguished name, of
the person (or entity).

( 0.9.2342.19200300.100.1.10 NAME 'manager'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax and the
'distinguishedNameMatch' rule are described in [Syntaxes].

The 'mobile' (mobileTelephoneNumber) attribute specifies mobile
telephone numbers (e.g., "+1 775 555 6789") associated with a person

( 0.9.2342.19200300.100.1.41 NAME 'mobile'
    EQUALITY telephoneNumberMatch
    SUBSTR telephoneNumberSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )

The telephoneNumber (1.3.6.1.4.1.1466.115.121.1.50) syntax and the
'telephoneNumberMatch' and 'telephoneNumberSubstringsMatch' rules are
described in [Syntaxes].
2.20. organizationalStatus

The 'organizationalStatus' attribute specifies categories by which a
person is often referred to in an organization. Examples of usage in
academia might include "undergraduate student", "researcher",
"professor", "staff", etc. Multiple values are allowed where the
person is in multiple categories.

Directory administrators and application designers SHOULD consider
carefully the distinctions between this and the 'title' and
'userClass' attributes.

( 0.9.2342.19200300.100.1.45 NAME 'organizationalStatus'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
The 'pager' (pagerTelephoneNumber) attribute specifies pager telephone
numbers (e.g., "+1 775 555 5555") for an object.

( 0.9.2342.19200300.100.1.42 NAME 'pager'
    EQUALITY telephoneNumberMatch
    SUBSTR telephoneNumberSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )

The telephoneNumber (1.3.6.1.4.1.1466.115.121.1.50) syntax and the
'telephoneNumberMatch' and 'telephoneNumberSubstringsMatch' rules are
described in [Syntaxes].
The 'personalTitle' attribute specifies personal titles for a person.
Examples of personal titles are "Frau", "Dr.", "Herr", and

( 0.9.2342.19200300.100.1.40 NAME 'personalTitle'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described

The 'roomNumber' attribute specifies the room number of an object.
During periods of renumbering or in other circumstances where a room
has multiple valid room numbers associated with it, multiple values
may be provided. Note that the 'cn' (commonName) attribute type
SHOULD be used for naming room objects.

( 0.9.2342.19200300.100.1.6 NAME 'roomNumber'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described

The 'secretary' attribute specifies secretaries and/or administrative
assistants, by distinguished name, of a person.

( 0.9.2342.19200300.100.1.21 NAME 'secretary'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax and the
'distinguishedNameMatch' rule are described in [Syntaxes].
2.26. uniqueIdentifier

The 'uniqueIdentifier' attribute specifies a unique identifier for an
object represented in the Directory. The domain within which the
identifier is unique, and the exact semantics of the identifier, are
for local definition. For a person, this might be an institution-wide
payroll number. For an organizational unit, it might be a department

( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described

Note: X.520 also describes an attribute called 'uniqueIdentifier'
(2.5.4.45) which is called 'x500UniqueIdentifier' in LDAP
[Schema]. The attribute detailed here ought not be confused
with 'x500UniqueIdentifier'.

The 'userClass' attribute specifies categories of computer or
application user. The semantics placed on this attribute are for
local interpretation. Examples of current usage of this attribute in
academia are "student", "staff", "faculty", etc. Note that the
'organizationalStatus' attribute type is now often preferred as it
makes no distinction between persons as opposed to users.

( 0.9.2342.19200300.100.1.8 NAME 'userClass'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
3. COSINE Object Classes

This section details COSINE object classes for use in LDAP.
The 'account' object class is used to define entries representing
computer accounts. The 'uid' attribute SHOULD be used for naming
entries of this object class.

( 0.9.2342.19200300.100.4.5 NAME 'account'
    MAY ( description $ seeAlso $ l $ o $ ou $ host ) )

The 'top' object class is described in [Models]. The 'description',
'seeAlso', 'l', 'o', 'ou', and 'uid' attribute types are described in
[Schema]. The 'host' attribute type is described in Section 2 of this

dn: uid=kdz,cn=Accounts,dc=Example,dc=COM
seeAlso: cn=Kurt D. Zeilenga,cn=Persons,dc=Example,dc=COM

The 'document' object class is used to define entries which represent

( 0.9.2342.19200300.100.4.6 NAME 'document'
    MUST documentIdentifier
    MAY ( cn $ description $ seeAlso $ l $ o $ ou $
        documentTitle $ documentVersion $ documentAuthor $
        documentLocation $ documentPublisher ) )

The 'top' object class is described in [Models]. The 'cn',
'description', 'seeAlso', 'l', 'o', and 'ou' attribute types are
described in [Schema]. The 'documentIdentifier', 'documentTitle',
'documentVersion', 'documentAuthor', 'documentLocation', and
'documentPublisher' attribute types are described in Section 2 of this

dn: documentIdentifier=RFCXXXX,cn=RFC,dc=Example,dc=COM
objectClass: document
documentIdentifier: RFC XXXXX
documentTitle: COSINE LDAP/X.500 Schema
documentAuthor: cn=Kurt D. Zeilenga,cn=Persons,dc=Example,dc=COM
documentLocation: http://www.rfc-editor.org/rfc/rfcXXXX.txt
documentPublisher: Internet Engineering Task Force
description: A collection of schema elements for use in LDAP
description: Obsoletes RFC 1274
seeAlso: documentIdentifier=[Roadmap],cn=RFC,dc=Example,dc=COM
seeAlso: documentIdentifier=RFC 1274,cn=RFC,dc=Example,dc=COM
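The attribute type and object class descriptions throughout Sections 2 and 3 share one textual format, and the MUST/MAY lists and the {len} suffix on a SYNTAX encode exactly what an application can check before it submits an entry such as the 'document' example above. The following Python is an added example, not code from the draft or from OpenLDAP: it parses the 'documentIdentifier' attribute type (Section 2.6) and the 'document' object class as given on this page, then validates the example entry against them. The line "SUP top STRUCTURAL" in the 'document' class is not on this copy of the page and is assumed here from the published RFC text; the function names are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the 'documentIdentifier' attribute type and the 'document'
# object class as written on the page.  "SUP top STRUCTURAL" is an assumption
# taken from the published RFC text; this copy of the page omits that line.
DOCUMENT_IDENTIFIER = """( 0.9.2342.19200300.100.1.11 NAME 'documentIdentifier'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )"""

DOCUMENT_CLASS = """( 0.9.2342.19200300.100.4.6 NAME 'document'
    SUP top STRUCTURAL
    MUST documentIdentifier
    MAY ( cn $ description $ seeAlso $ l $ o $ ou $
        documentTitle $ documentVersion $ documentAuthor $
        documentLocation $ documentPublisher ) )"""

# Tokens of the description format: quoted strings, parentheses, '$', and bare
# words (OIDs, names, SYNTAX values such as 1.3.6.1.4.1.1466.115.121.1.15{256}).
TOKEN = re.compile(r"'[^']*'|\(|\)|\$|[^\s()$']+")
LIST_KEYWORDS = {"NAME", "SUP", "MUST", "MAY"}
VALUE_KEYWORDS = {"DESC", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX"}
FLAG_KEYWORDS = {"STRUCTURAL", "AUXILIARY", "ABSTRACT", "SINGLE-VALUE", "OBSOLETE"}
SYNTAX_RE = re.compile(r"^([0-9.]+)(?:\{(\d+)\})?$")


def parse_description(text: str) -> Dict:
    """Parse one attribute type or object class description into a dict keyed
    by keyword.  'oid' holds the numeric OID; NAME/SUP/MUST/MAY become lists,
    flag keywords become True, the rest keep their single value."""
    tokens = TOKEN.findall(text)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("description must be '( oid ... )'")
    result: Dict = {"oid": tokens[1]}
    i = 2
    while i < len(tokens) - 1:
        key = tokens[i]
        i += 1
        if key in FLAG_KEYWORDS:
            result[key] = True
        elif key in LIST_KEYWORDS or key in VALUE_KEYWORDS:
            if tokens[i] == "(":                       # parenthesised list
                end = tokens.index(")", i)
                values = [t.strip("'") for t in tokens[i + 1:end] if t != "$"]
                i = end + 1
            else:                                      # single item
                values = [tokens[i].strip("'")]
                i += 1
            result[key] = values if key in LIST_KEYWORDS else values[0]
        else:
            raise ValueError(f"unexpected token {key!r}")
    return result


def syntax_bound(attr_type: Dict) -> Tuple[str, Optional[int]]:
    """Split a SYNTAX value into (syntax OID, length bound or None).  RFC 4512
    calls the {len} suffix a suggested upper bound; enforcing it as a hard
    limit, as validate_entry does, is an application-side policy choice."""
    match = SYNTAX_RE.match(attr_type["SYNTAX"])
    if match is None:
        raise ValueError(f"malformed SYNTAX {attr_type['SYNTAX']!r}")
    return match.group(1), (int(match.group(2)) if match.group(2) else None)


def validate_entry(entry: Dict[str, List[str]], object_class: Dict,
                   attr_types: Dict[str, Dict]) -> List[str]:
    """Check an entry (attribute name -> values) against one object class:
    every MUST attribute is present, every attribute is in MUST or MAY
    (objectClass is always allowed, it comes from 'top'), and each value fits
    the length bound of its attribute's syntax.  attr_types is keyed by
    lower-cased attribute name.  Returns the list of problems found."""
    problems: List[str] = []
    must = set(object_class.get("MUST", []))
    may = set(object_class.get("MAY", []))
    present = {name.lower() for name in entry}
    for name in sorted(must):
        if name.lower() not in present:
            problems.append(f"missing required attribute {name}")
    allowed = {name.lower() for name in must | may} | {"objectclass"}
    class_name = object_class["NAME"][0]
    for name, values in entry.items():
        if name.lower() not in allowed:
            problems.append(f"attribute {name} not permitted by {class_name}")
        attr_type = attr_types.get(name.lower())
        if attr_type is None:
            continue
        _, bound = syntax_bound(attr_type)
        for value in values:
            if bound is not None and len(value) > bound:
                problems.append(f"value of {name} exceeds {bound} characters")
    return problems


# The page's 'document' example entry, reduced to the attributes checked here.
SAMPLE_ENTRY = {
    "objectClass": ["document"],
    "documentIdentifier": ["RFC XXXXX"],
    "documentTitle": ["COSINE LDAP/X.500 Schema"],
    "documentAuthor": ["cn=Kurt D. Zeilenga,cn=Persons,dc=Example,dc=COM"],
}

if __name__ == "__main__":
    doc_class = parse_description(DOCUMENT_CLASS)
    types = {"documentidentifier": parse_description(DOCUMENT_IDENTIFIER)}
    print(validate_entry(SAMPLE_ENTRY, doc_class, types))   # []
```

The parser accepts any description written in the page's format, so the same code can be pointed at the other classes in Section 3 once their MUST and SUP lines are available. Inheritance is not followed: a subclass such as 'rFC822localPart' (SUP domain) would need its superclass's MUST/MAY merged in before validation, which this example leaves out.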
The 'documentSeries' object class is used to define an entry which
represents a series of documents (e.g., The Request For Comments

( 0.9.2342.19200300.100.4.9 NAME 'documentSeries'
    MAY ( description $ l $ o $ ou $ seeAlso $

The 'top' object class is described in [Models]. The 'description',
'l', 'o', 'ou', 'seeAlso', and 'telephoneNumber' attribute types are
described in [Schema].

dn: cn=RFC,dc=Example,dc=COM
objectClass: documentSeries
cn: Request for Comments
description: a series of memos about the Internet

The 'domain' object class is used to define entries which represent
DNS domains for objects which are not organizations, organizational
units, or other kinds of objects more appropriately defined using an
object class specific to the kind of object being defined (e.g.,
'organization', 'organizationalUnit', etc.).

The 'dc' attribute should be used for naming entries of 'domain'

( 0.9.2342.19200300.100.4.13 NAME 'domain'
    MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
        x121Address $ registeredAddress $ destinationIndicator $
        preferredDeliveryMethod $ telexNumber $
        teletexTerminalIdentifier $ telephoneNumber $
        internationaliSDNNumber $ facsimileTelephoneNumber $ street $
        postOfficeBox $ postalCode $ postalAddress $
        physicalDeliveryOfficeName $ st $ l $ description $ o $

The 'top' object class and the 'dc', 'userPassword', 'searchGuide',
'seeAlso', 'businessCategory', 'x121Address', 'registeredAddress',
'destinationIndicator', 'preferredDeliveryMethod', 'telexNumber',
'teletexTerminalIdentifier', 'telephoneNumber',
'internationaliSDNNumber', 'facsimileTelephoneNumber', 'street',
'postOfficeBox', 'postalCode', 'postalAddress',
'physicalDeliveryOfficeName', 'st', 'l', 'description', and 'o'
attribute types are described in [Schema]. The 'associatedName'
attribute type is described in Section 2 of this document.
description: the .COM TLD

3.5. domainRelatedObject

The 'domainRelatedObject' object class is used to define entries which
represent DNS domains which are "equivalent" to an X.500 domain: e.g.,
an organization or organizational unit.

( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject'
    MUST associatedDomain )

The 'top' object class is described in [Models]. The
'associatedDomain' attribute type is described in Section 2 of this

dn: dc=example,dc=com
objectClass: organization
objectClass: dcObject
objectClass: domainRelatedObject
associatedDomain: example.com
o: Example Organization

The 'organization' and 'dcObject' object classes and the 'dc' and 'o'
attribute types are described in [Schema].
The 'friendlyCountry' object class is used to define entries
representing countries in the DIT. The object class is used to allow
friendlier naming of countries than that allowed by the object class

( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry'
    SUP country STRUCTURAL

The 'country' object class is described in [Schema]. The 'co'
attribute type is described in Section 2 of this document.

objectClass: friendlyCountry
co: Federal Republic of Germany

The 'c' attribute type is described in [Schema].

The 'rFC822LocalPart' object class is used to define entries which
represent the local part of Internet mail addresses [RFC2822]. This
treats the local part of the address as a 'domain' object.

( 0.9.2342.19200300.100.4.14 NAME 'rFC822localPart'
    SUP domain STRUCTURAL
    MAY ( cn $ description $ destinationIndicator $
        facsimileTelephoneNumber $ internationaliSDNNumber $
        physicalDeliveryOfficeName $ postalAddress $ postalCode $
        postOfficeBox $ preferredDeliveryMethod $ registeredAddress $
        seeAlso $ sn $ street $ telephoneNumber $
        teletexTerminalIdentifier $ telexNumber $ x121Address ) )

The 'domain' object class is described in Section 3.4 of this
document. The 'cn', 'description', 'destinationIndicator',
'facsimileTelephoneNumber', 'internationaliSDNNumber',
'physicalDeliveryOfficeName', 'postalAddress', 'postalCode',
'postOfficeBox', 'preferredDeliveryMethod', 'registeredAddress',
'seeAlso', 'sn', 'street', 'telephoneNumber',
'teletexTerminalIdentifier', 'telexNumber', and 'x121Address' attribute
types are described in [Schema].

dn: dc=kdz,dc=example,dc=com
objectClass: rFC822LocalPart
associatedName: cn=Kurt D. Zeilenga,cn=Persons,dc=Example,dc=COM

The 'dc' attribute type is described in [Schema].
The 'room' object class is used to define entries representing rooms.
The 'cn' (commonName) attribute SHOULD be used for naming entries of

( 0.9.2342.19200300.100.4.7 NAME 'room'
    MAY ( roomNumber $ description $ seeAlso $ telephoneNumber ) )

The 'top' object class is described in [Models]. The 'cn',
'description', 'seeAlso', and 'telephoneNumber' attribute types are
described in [Schema]. The 'roomNumber' attribute type is described
in Section 2 of this document.

dn: cn=conference room,dc=example,dc=com
telephoneNumber: +1 755 555 1111

3.8. simpleSecurityObject

The 'simpleSecurityObject' object class is used to require an entry to
have a 'userPassword' attribute when the entry's structural object
class does not require (or allow) the 'userPassword' attribute.

( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject'

The 'top' object class is described in [Models]. The 'userPassword'
attribute type is described in [Schema].

dn: dc=kdz,dc=Example,dc=COM
objectClass: account
objectClass: simpleSecurityObject
userPassword: My Password
seeAlso: cn=Kurt D. Zeilenga,cn=Persons,dc=Example,dc=COM
4. Security Considerations

General LDAP security considerations [Roadmap] are applicable to the
use of this schema. Additional considerations are noted above where

Directory administrators should ensure that access to sensitive
information is restricted to authorized entities, and ensure that
appropriate data security services, including data integrity and data
confidentiality, are used to protect against eavesdropping.

Simple authentication mechanisms (e.g., plain text passwords) should
only be used when adequate data security services are in place. LDAP
offers reasonably strong authentication and data security services
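The 'simpleSecurityObject' example in Section 3.8 stores its 'userPassword' literally ("My Password"), which is the situation the paragraphs above warn about: such a value is recoverable by anyone who can read the entry or an export of it. An administrator reviewing an LDIF export can find these values mechanically. The Python below is an added example, not code from the draft or from OpenLDAP: it reads a constructed LDIF export (the first entry is the page's own example, the other two are made up) and reports every 'userPassword' value that has no '{scheme}' prefix or that uses the {CLEARTEXT} scheme. The '{scheme}' prefix convention is the one defined in RFC 2307 and {CLEARTEXT} is a scheme name used by some servers; neither is discussed on this page, and which schemes a given server treats as hashed is a deployment question this example does not answer.

```python
import base64
import re
from typing import Dict, List, Tuple

# Constructed LDIF export (not from the page).  The first entry mirrors the
# page's simpleSecurityObject example; the other two are made up for this
# illustration.  "attr:: value" carries a base64-encoded value (LDIF, RFC 2849).
SAMPLE_LDIF = """\
dn: dc=kdz,dc=Example,dc=COM
objectClass: account
objectClass: simpleSecurityObject
uid: kdz
userPassword: My Password
seeAlso: cn=Kurt D. Zeilenga,cn=Persons,dc=Example,dc=COM

dn: uid=alice,cn=Accounts,dc=Example,dc=COM
objectClass: account
objectClass: simpleSecurityObject
uid: alice
userPassword:: e1NTSEF9YWJj

dn: uid=bob,cn=Accounts,dc=Example,dc=COM
objectClass: account
objectClass: simpleSecurityObject
uid: bob
userPassword:: aHVudGVyMg==
"""

Entry = Tuple[str, Dict[str, List[str]]]
SCHEME = re.compile(r"^\{([A-Za-z0-9-]+)\}")   # the RFC 2307 '{scheme}' prefix


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: entries are separated by blank lines, a line that
    starts with one space continues the previous line, 'attr: value' is a
    literal value and 'attr:: value' is base64.  Comment lines are skipped and
    attribute names are lower-cased as dictionary keys."""
    entries: List[Entry] = []
    block: List[str] = []

    def flush() -> None:
        dn, attrs = "", {}
        for line in block:
            if line.startswith("#"):
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn:
            entries.append((dn, attrs))
        block.clear()

    for raw in text.splitlines():
        if raw == "":
            flush()
        elif raw.startswith(" ") and block:
            block[-1] += raw[1:]
        else:
            block.append(raw)
    flush()
    return entries


def audit_user_passwords(entries: List[Entry]) -> List[Tuple[str, str]]:
    """One finding per 'userPassword' value stored in recoverable form: no
    '{scheme}' prefix at all (a plain-text value, like the page's example) or
    the {CLEARTEXT} scheme.  Values with any other scheme are left alone here,
    since which schemes count as hashed is deployment-specific."""
    findings = []
    for dn, attrs in entries:
        for value in attrs.get("userpassword", []):
            match = SCHEME.match(value)
            if match is None:
                findings.append((dn, "userPassword has no scheme prefix: plain text"))
            elif match.group(1).upper() == "CLEARTEXT":
                findings.append((dn, "userPassword uses {CLEARTEXT}: plain text"))
    return findings


if __name__ == "__main__":
    for dn, reason in audit_user_passwords(parse_ldif(SAMPLE_LDIF)):
        print(dn, "-", reason)
```

Base64 in an export hides nothing: the third entry's value decodes to an ordinary password and is reported alongside the first. The second entry carries a scheme tag and is passed over, which is the limit of what an export alone can tell you; whether that scheme is actually a salted hash on the server in question has to be confirmed against its configuration.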
1051 5. IANA Considerations
1053 It is requested that the Internet Assigned Numbers Authority (IANA)
1054 update upon Standard Action the LDAP descriptors registry [BCP64bis]
1055 as indicated the following template:
1057 Subject: Request for LDAP Descriptor Registration Update
1058 Descriptor (short name): see comment
1059 Object Identifier: see comments
1060 Person & email address to contact for further information:
1061 Kurt Zeilenga <kurt@OpenLDAP.org>
1066 Zeilenga draft-zeilenga-ldap-cosine-01 [Page 19]
1068 INTERNET-DRAFT COSINE Schema 23 October 2005
1071 Specification: RFC XXXX
1072 Author/Change Controller: IESG
1075 The following descriptors should be updated to refer to RFC XXXX.
NAME                     Type OID
------------------------ ---- --------------------------
account                  O    0.9.2342.19200300.100.4.5
associatedDomain         A    0.9.2342.19200300.100.1.37
associatedName           A    0.9.2342.19200300.100.1.38
buildingName             A    0.9.2342.19200300.100.1.48
co                       A    0.9.2342.19200300.100.1.43
document                 O    0.9.2342.19200300.100.4.6
documentAuthor           A    0.9.2342.19200300.100.1.14
documentIdentifier       A    0.9.2342.19200300.100.1.11
documentLocation         A    0.9.2342.19200300.100.1.15
documentPublisher        A    0.9.2342.19200300.100.1.56
documentSeries           O    0.9.2342.19200300.100.4.8
documentTitle            A    0.9.2342.19200300.100.1.12
documentVersion          A    0.9.2342.19200300.100.1.13
domain                   O    0.9.2342.19200300.100.4.13
domainRelatedObject      O    0.9.2342.19200300.100.4.17
drink                    A    0.9.2342.19200300.100.1.5
favouriteDrink           A*   0.9.2342.19200300.100.1.5
friendlyCountry          O    0.9.2342.19200300.100.4.18
friendlyCountryName      A*   0.9.2342.19200300.100.1.43
homePhone                A    0.9.2342.19200300.100.1.20
homePostalAddress        A    0.9.2342.19200300.100.1.39
homeTelephone            A*   0.9.2342.19200300.100.1.20
host                     A    0.9.2342.19200300.100.1.9
info                     A    0.9.2342.19200300.100.1.4
mail                     A    0.9.2342.19200300.100.1.3
manager                  A    0.9.2342.19200300.100.1.10
mobile                   A    0.9.2342.19200300.100.1.41
mobileTelephoneNumber    A*   0.9.2342.19200300.100.1.41
organizationalStatus     A    0.9.2342.19200300.100.1.45
pager                    A    0.9.2342.19200300.100.1.42
pagerTelephoneNumber     A*   0.9.2342.19200300.100.1.42
personalTitle            A    0.9.2342.19200300.100.1.40
rFC822LocalPart          O    0.9.2342.19200300.100.4.14
rfc822Mailbox            A*   0.9.2342.19200300.100.1.3
room                     O    0.9.2342.19200300.100.4.7
roomNumber               A    0.9.2342.19200300.100.1.6
secretary                A    0.9.2342.19200300.100.1.21
simpleSecurityObject     O    0.9.2342.19200300.100.4.19
singleLevelQuality       A    0.9.2342.19200300.100.1.50
uniqueIdentifier         A    0.9.2342.19200300.100.1.44
userClass                A    0.9.2342.19200300.100.1.8

where Type A is Attribute and Type O is ObjectClass, and * indicates
the registration is historic in nature.
This document is based upon RFC 1274 by Paul Barker and Steve Kille,
as well as RFC 2247 by Steve Kille, Mark Wahl, Al Grimstad, Rick Huber,

Email: Kurt@OpenLDAP.org

[[Note to the RFC Editor: please replace the citation tags used in
referencing Internet-Drafts with tags of the form RFCnnnn where
8.1. Normative References

[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13 (also RFC 1034), November 1987.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14 (also RFC 2119), March 1997.

[RFC2247] Kille, S., M. Wahl, A. Grimstad, R. Huber and S. Sataluri, "Using Domains in LDAP/X.500 Distinguished Names", January 1998.

[RFC2821] Klensin, J. (editor), "Simple Mail Transfer Protocol", RFC 2821, April 2001.

[RFC3490] Faltstrom, P., P. Hoffman, and A. Costello, "Internationalizing Domain Names in Applications (IDNA)", RFC 3490, March 2003.

[Roadmap] Zeilenga, K. (editor), "LDAP: Technical Specification Road Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in progress.
[Models] Zeilenga, K. (editor), "LDAP: Directory Information Models", draft-ietf-ldapbis-models-xx.txt, a work in progress.

[Syntaxes] Legg, S. (editor), "LDAP: Syntaxes and Matching Rules", draft-ietf-ldapbis-syntaxes-xx.txt, a work in progress.

[Schema] Dally, K. (editor), "LDAP: User Schema", draft-ietf-ldapbis-user-schema-xx.txt, a work in progress.

[AuthMeth] Harrison, R. (editor), "LDAP: Authentication Methods and Connection Level Security Mechanisms", draft-ietf-ldapbis-authmeth-xx.txt, a work in progress.

8.2. Informative References

[NamingPlan] Zeilenga, K., "The Internet Naming Plan for LDAP/X.500 Directories", draft-zeilenga-ldap-namingplan-xx.txt, a work in progress.

[ISO3166] International Organization for Standardization, "Codes for the representation of names of countries", ISO 3166.

[RFC1274] Barker, P. and S. Kille, "The COSINE and Internet X.500 Schema", November 1991.

[RFC2798] Smith, M., "The LDAP inetOrgPerson Object Class", RFC 2798.

[BCP64bis] Zeilenga, K., "IANA Considerations for LDAP", draft-ietf-ldapbis-bcp64-xx.txt, a work in progress.
Appendix A. Changes since RFC 1274

This document represents a substantial rewrite of RFC 1274. The
following sections summarize the substantive changes.

A.1. LDAP Short Names

A number of COSINE attribute types have short names in LDAP.
X.500 Name             LDAP Short Name
---------------------  ---------------
friendlyCountryName    co
homeTelephoneNumber    homePhone
mobileTelephoneNumber  mobile
pagerTelephoneNumber   pager

While the LDAP short names are generally used in LDAP, some
implementations may (for legacy reasons [Historic]) recognize the
attribute type by its X.500 name. Hence, the X.500 names have been
reserved solely for this purpose.

Note: 'uid' and 'dc' are described in [Schema].
The 'pilotObject' object class was not brought forward as its function
is largely replaced by operational attributes introduced in X.500(93)
[X.501] and version 3 of LDAP [Models]. For instance, the function of
the 'lastModifiedBy' and 'lastModifiedTime' attribute types is now
served by the 'creatorsName', 'createTimestamp', 'modifiersName', and
'modifyTimestamp' operational attributes [Models].

The 'pilotPerson' object class was not brought forward as its function
is largely replaced by the 'organizationalPerson' [Models] object
class and its subclasses, such as 'inetOrgPerson' [RFC2798].

Most of the related attribute types (e.g., 'mail', 'manager', etc.)
were brought forward as they are used in other object classes.

The 'dNSDomain' object class and related attribute types were not
brought forward as their use is primarily experimental [RFC1279].
A.5. pilotDSA and qualityLabelledData

The 'pilotDSA' and 'qualityLabelledData' object classes, as well as
related attribute types, were not brought forward as their use is
primarily experimental [QoS].
A.6. Attribute syntaxes

RFC 1274 defined and used the caseIgnoreIA5StringSyntax attribute
syntax. This has been replaced with the IA5String syntax and
appropriate matching rules in 'mail' and 'associatedDomain'.

RFC 1274 restricted 'mail' to have non-zero length values. This
restriction is not reflected in the IA5String syntax used in the
definitions provided in this specification. However, as values are
to conform to the <Mailbox> production, 'mail' should not contain
zero-length values. Unfortunately, the directory service will not
enforce this restriction.
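As an added example (not part of the draft or of any OpenLDAP code), the following Python resolves attribute descriptors to their canonical LDAP short names by OID, using the historic alias pairs from the IANA table and Appendix A.1, and then runs two checks the directory will not perform for a relying application: it flags 'userPassword' values stored without a '{scheme}' hash prefix (an assumed storage convention this draft does not define, relevant to the plain-text password caution in Section 4) and the zero-length 'mail' values that the IA5String syntax permits, as Appendix A.6 notes. The entry is the draft's own 'simpleSecurityObject' example with one constructed, empty 'rfc822Mailbox' line added.

```python
import re
# (descriptor, OID, historic) rows copied from the draft's IANA template; a
# historic X.500 name shares its OID with the current LDAP short name.
REGISTRY = [
    ("drink", "0.9.2342.19200300.100.1.5", False),
    ("favouriteDrink", "0.9.2342.19200300.100.1.5", True),
    ("co", "0.9.2342.19200300.100.1.43", False),
    ("friendlyCountryName", "0.9.2342.19200300.100.1.43", True),
    ("homePhone", "0.9.2342.19200300.100.1.20", False),
    ("homeTelephone", "0.9.2342.19200300.100.1.20", True),
    ("mail", "0.9.2342.19200300.100.1.3", False),
    ("rfc822Mailbox", "0.9.2342.19200300.100.1.3", True),
    ("mobile", "0.9.2342.19200300.100.1.41", False),
    ("mobileTelephoneNumber", "0.9.2342.19200300.100.1.41", True),
]
# Descriptors are case-insensitive: name -> OID, and OID -> its one non-historic name.
NAME_TO_OID = {n.lower(): oid for n, oid, _ in REGISTRY}
CANONICAL = {oid: n for n, oid, hist in REGISTRY if not hist}
# Assumed convention (not from this draft): hashed values carry a '{scheme}' prefix.
HASHED = re.compile(r"^\{[A-Za-z0-9-]+\}")

# The draft's own example entry plus one constructed, empty 'rfc822Mailbox' line.
EXAMPLE_LDIF = """\
dn: dc=kdz,dc=Example,dc=COM
objectClass: account
objectClass: simpleSecurityObject
userPassword: My Password
rfc822Mailbox:
seeAlso: cn=Kurt D. Zeilenga,cn=Persons,dc=Example,dc=COM
"""

def canonical_name(desc):
    """Map a descriptor (any case, historic alias or not) to its LDAP short name."""
    oid = NAME_TO_OID.get(desc.lower())
    return CANONICAL[oid] if oid else desc  # unknown descriptors pass through

def parse_ldif(text):
    """Parse one LDIF entry into {canonical name: [values]} (no base64, no folding)."""
    entry = {}
    for line in text.strip().splitlines():
        attr, _, value = line.partition(":")
        entry.setdefault(canonical_name(attr.strip()), []).append(value.strip())
    return entry

def lint(entry):
    """Findings the directory will not raise itself: cleartext passwords, empty 'mail'."""
    findings = [f"userPassword value {i} is stored in cleartext"
                for i, v in enumerate(entry.get("userPassword", [])) if not HASHED.match(v)]
    findings += ["mail has a zero-length value" for v in entry.get("mail", []) if v == ""]
    return findings
```

Because canonicalisation goes through the OID, an access control or audit rule written against 'mail' also covers values presented under the historic 'rfc822Mailbox' name.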
Appendix B. Changes since RFC 2247

The 'domainNameForm' name form was not brought forward as
specification of name forms used in LDAP is left to a future
Intellectual Property Rights

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be found
in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this specification
can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
Copyright (C) The Internet Society (2005).

This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.