7 INTERNET-DRAFT Editor: Kurt D. Zeilenga
8 Intended Category: Standard Track OpenLDAP Foundation
9 Expires: 22 April 2002 22 October 2001
15 LDAPv3: A Collection of User Schema
16 <draft-zeilenga-ldap-user-schema-03.txt>
21 This document is an Internet-Draft and is in full conformance with all
22 provisions of Section 10 of RFC2026.
24 This document is intended to be, after appropriate review and
25 revision, submitted to the RFC Editor as a Standard Track document.
26 Distribution of this memo is unlimited. Technical discussion of this
27 document will take place on the IETF Directory Interest mailing list
28 <directory@apps.ietf.org>. Please send editorial comments directly to
29 the author <Kurt@OpenLDAP.org>.
31 Internet-Drafts are working documents of the Internet Engineering Task
32 Force (IETF), its areas, and its working groups. Note that other
33 groups may also distribute working documents as Internet-Drafts.
34 Internet-Drafts are draft documents valid for a maximum of six months
35 and may be updated, replaced, or obsoleted by other documents at any
36 time. It is inappropriate to use Internet-Drafts as reference
37 material or to cite them other than as ``work in progress.''
39 The list of current Internet-Drafts can be accessed at
40 <http://www.ietf.org/ietf/1id-abstracts.txt>. The list of
41 Internet-Draft Shadow Directories can be accessed at
42 <http://www.ietf.org/shadow.html>.
44 Copyright 2001, The Internet Society. All Rights Reserved.
46 Please see the Copyright section near the end of this document for
52 This document provides a collection of user schema elements for use
53 with LDAP collected from numerous sources including RFC 1274, X.501,
58 Zeilenga draft-zeilenga-ldap-user-schema-03 [Page 1]
60 INTERNET-DRAFT LDAPv3: A Collection of User Schema 20 October 2001
65 Schema definitions are provided using LDAPv3 description formats
66 [RFC2252]. Definitions provided here are formatted (line wrapped) for
69 The key words "SHALL", "SHALL NOT", "MUST", "MUST NOT", "SHOULD",
70 "SHOULD NOT", "MAY" and "MAY NOT" used in this document are to be
71 interpreted as described in [RFC2119].
74 Table of Contents (to be expanded by editor)
80 1. Background and Intended Use 3
84 2.3. caseExactOrderingMatch
85 2.4. caseExactSubstringsMatch
86 2.5. caseIgnoreListSubstringsMatch
87 2.6. directoryStringFirstComponentMatch 5
88 2.7. integerOrderingMatch
90 2.9. numericStringOrderingMatch 6
91 2.10. octetStringOrderingMatch
92 2.11. storedPrefixMatch
99 3.4. destinationIndicator
101 3.6. documentIdentifier 9
102 3.7. documentLocation
103 3.8. documentPublisher
105 3.10. documentVersion
107 3.12. houseIdentifier
109 3.14. homePostalAddress
114 Zeilenga draft-zeilenga-ldap-user-schema-03 [Page 2]
116 INTERNET-DRAFT LDAPv3: A Collection of User Schema 20 October 2001
123 3.20. organizationalStatus
130 3.27. uniqueIdentifier
136 4.4. domainRelatedObject 16
140 4.8. simpleSecurityObject
141 5. Security Considerations
148 1. Background and Intended Use
150 This document provides descriptions [RFC2252] of user schema for use
151 with LDAP [LDAPTS] collected from numerous sources.
153 This document includes a summary of select schema introduced for the
154 COSINE and Internet X.500 pilot projects [RFC1274]. This document
157 This document contains a summary of X.500 user schema [X.520] not
158 included in LDAPv3 [RFC2252][RFC2256]. Some of these items were
159 described in the inetOrgPerson [RFC2798] schema. This document
160 supercedes these descriptions, replacing sections 9.1.3 and 9.3.3 of
166 This section introduces LDAP matching rules based upon descriptions of
170 Zeilenga draft-zeilenga-ldap-user-schema-03 [Page 3]
172 INTERNET-DRAFT LDAPv3: A Collection of User Schema 20 October 2001
175 their X.500 counterparts.
180 BooleanMatch compares for equality a asserted Boolean value with an
181 attribute value of BOOLEAN syntax. The rule returns TRUE if and only
182 if the values are the same, i.e. both are TRUE or both are FALSE.
185 ( 2.5.13.13 NAME 'booleanMatch'
186 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
191 CaseExactMatch compares for equality the asserted value with an
192 attribute value of DirectoryString syntax. The rule is identical to
193 the caseIgnoreMatch [RFC2252] rule except that case is not ignored.
196 ( 2.5.13.5 NAME 'caseExactMatch'
197 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
200 2.3. caseExactOrderingMatch
202 CaseExactOrderingMatch compares the collation order of the asserted
203 string with an attribute value of DirectoryString syntax. The rule is
204 identical to the caseIgnoreOrderingMatch [RFC2252] rule except that
205 letters are not folded. (Source: X.520)
207 ( 2.5.13.6 NAME 'caseExactOrderingMatch'
208 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
211 2.3. caseExactSubstringsMatch
213 CaseExactSubstringsMatch determines whether the asserted value are
214 substrings of an attribute value of DirectoryString syntax. The rule
215 is identical to the caseIgnoreSubstringsMatch [RFC2252] rule except
216 that case is not ignored. (Source: X.520)
218 ( 2.5.13.7 NAME 'caseExactSubstringsMatch'
219 SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )
222 2.4. caseIgnoreListSubstringsMatch
226 Zeilenga draft-zeilenga-ldap-user-schema-03 [Page 4]
228 INTERNET-DRAFT LDAPv3: A Collection of User Schema 20 October 2001
231 CaseIgnoreListSubstringMatch compares the asserted substring with an
232 attribute value which is a sequence of DirectoryStrings, but where the
233 case (upper or lower) is not significant for comparison purposes. The
234 asserted value matches a stored value if and only if the asserted
235 value matches the string formed by concatenating the strings of the
236 stored value. This matching is done according to the
237 caseIgnoreSubstringsMatch [RFC2252] rule; however, none of the
238 initial, any, or final values of the asserted value are considered to
239 match a substring of the concatenated string which spans more than one
240 of the strings of the stored value. (Source: X.520)
242 ( 2.5.13.12 NAME 'caseIgnoreListSubstringsMatch'
243 SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )
246 2.5. directoryStringFirstComponentMatch
248 DirectoryStringFirstComponentMatch compares for equality the asserted
249 DirectoryString value with an attribute value of type SEQUENCE whose
250 first component is mandatory and of type DirectoryString. The rule
251 returns TRUE if and only if the attribute value has a first component
252 whose value matches the asserted DirectoryString using the rules of
253 caseIgnoreMatch [RFC2252]. A value of the assertion syntax is derived
254 from a value of the attribute syntax by using the value of the first
255 component of the SEQUENCE. (Source: X.520)
257 ( 2.5.13.31 NAME 'directoryStringFirstComponentMatch'
258 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
261 2.6. integerOrderingMatch
263 The integerOrderingMatch rule compares the ordering of the asserted
264 integer with an attribute value of Integer syntax. The rule returns
265 True if the attribute value is less than the asserted value. (Source:
268 ( 2.5.13.15 NAME 'integerOrderingMatch'
269 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
274 The keywordMatch rule compares the asserted string with keywords in an
275 attribute value of DirectoryString syntax. The rule returns TRUE if
276 and only if the asserted value matches any keyword in the attribute
277 value. The identification of keywords in an attribute value and of
278 the exactness of match are both implementation specific. (Source:
282 Zeilenga draft-zeilenga-ldap-user-schema-03 [Page 5]
284 INTERNET-DRAFT LDAPv3: A Collection of User Schema 20 October 2001
289 ( 2.5.13.32 NAME 'keywordMatch'
290 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
293 2.8. numericStringOrderingMatch
295 NumericStringOrderingMatch compares the collation order of the
296 asserted string with an attribute value of NumericString syntax. The
297 rule is identical to the caseIgnoreOrderingMatch [RFC2252] rule except
298 that all space characters are skipped during comparison (case is
299 irrelevant as characters are numeric). (Source: X.520)
301 ( 2.5.13.9 NAME 'NumericStringOrderingMatch'
302 SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )
305 2.9. octetStringOrderingMatch
307 OctetStringOrderingMatch compares the collation order of the asserted
308 octet string with an attribute value of OCTET STRING syntax. The rule
309 compares octet strings from first octet to last octet, and from the
310 most significant bit to the least significant bit within the octet.
311 The first occurrence of a different bit determines the ordering of the
312 strings. A zero bit precedes a one bit. If the strings are identical
313 but contain different numbers of octets, the shorter string precedes
314 the longer string. (Source: X.520)
316 ( 2.5.13.18 NAME 'octetStringOrderingMatch'
317 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
320 2.10. storedPrefixMatch
322 StoredPrefixMatch determines whether an attribute value, whose syntax
323 is DirectoryString, is a prefix (i.e. initial substring) of the
324 asserted value, without regard to the case (upper or lower) of the
325 strings. The rule returns TRUE if and only if the attribute value is
326 an initial substring of the asserted value with corresponding
327 characters identical except possibly with regard to case. (Source:
330 ( 2.5.13.41 NAME 'storedPrefixMatch'
331 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
333 Note: This rule can be used, for example, to compare values in the
334 Directory which are telephone area codes with a purported value
338 Zeilenga draft-zeilenga-ldap-user-schema-03 [Page 6]
340 INTERNET-DRAFT LDAPv3: A Collection of User Schema 20 October 2001
343 which is a telephone number.
348 The wordMatch rule compares the asserted string with words in an
349 attribute value of DirectoryString syntax. The rule returns TRUE if
350 and only if the asserted word matches any word in the attribute value.
351 Individual word matching is as for the caseIgnoreMatch [RFC2252]
352 matching rule. The precise definition of a "word" is implementation
353 specific. (Source: X.520)
355 ( 2.5.13.32 NAME 'wordMatch'
356 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
361 This section details attribute types for use in LDAP based upon their
365 3.1. associatedDomain
367 The associatedDomain attribute type specifies a DNS domain [RFC1034]
368 which is associated with an object. For example, the entry in the DIT
369 with a distinguished name "DC=example,DC=com" might have an associated
370 domain of "example.com". (Source: RFC 1274)
372 ( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain'
373 EQUALITY caseIgnoreIA5Match
374 SUBSTR caseIgnoreIA5SubstringsMatch
375 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
380 The associatedName attribute type specifies an entry in the
381 organizational DIT associated with a DNS domain [RFC1034]. (Source:
384 ( 0.9.2342.19200300.100.1.38 NAME 'associatedName'
385 EQUALITY distinguishedNameMatch
386 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
394 Zeilenga draft-zeilenga-ldap-user-schema-03 [Page 7]
396 INTERNET-DRAFT LDAPv3: A Collection of User Schema 20 October 2001
399 The buildingName attribute type specifies the name of the building
400 where an organization or organizational unit is based. (Source: RFC
403 ( 0.9.2342.19200300.100.1.48 NAME 'buildingName'
404 EQUALITY caseIgnoreMatch
405 SUBSTR caseIgnoreSubstringsMatch
406 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
411 The co (Friendly Country Name) attribute type specifies names of
412 countries in human readable format. The standard attribute country
413 name must be one of the two-letter codes defined in [ISO 3166].
416 ( 0.9.2342.19200300.100.1.43
417 NAME ( 'co' 'friendlyCountryName' )
418 EQUALITY caseIgnoreMatch
419 SUBSTR caseIgnoreSubstringsMatch
420 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
423 3.4. destinationIndicator
425 The destinationIndicator attribute type specifies (according to CCITT
426 Recommendation F.1 and CCITT Recommendation F.31) the country and city
427 associated with the object (the addressee) needed to provide the
428 Public Telegram Service. An attribute value for Destination Indicator
429 is a printable string containing only alphabetical characters.
432 ( 2.5.4.27 NAME 'destinationIndicator'
433 EQUALITY caseIgnoreMatch
434 SUBSTR caseIgnoreSubstringsMatch
435 SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )
440 The documentAuthor attribute type specifies the distinguished name of
441 the author of a document. (Source: RFC 1274)
443 ( 0.9.2342.19200300.100.1.14 NAME 'documentAuthor'
444 EQUALITY distinguishedNameMatch
445 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
450 Zeilenga draft-zeilenga-ldap-user-schema-03 [Page 8]
452 INTERNET-DRAFT LDAPv3: A Collection of User Schema 20 October 2001
455 3.6. documentIdentifier
457 The documentIdentifier attribute type specifies a unique identifier
458 for a document. (Source: RFC 1274)
460 ( 0.9.2342.19200300.100.1.11 NAME 'documentIdentifier'
461 EQUALITY caseIgnoreMatch
462 SUBSTR caseIgnoreSubstringsMatch
463 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
466 3.7. documentLocation
468 The documentLocation attribute type specifies the location of the
469 document original. (Source: RFC 1274)
471 ( 0.9.2342.19200300.100.1.15 NAME 'documentLocation'
472 EQUALITY caseIgnoreMatch
473 SUBSTR caseIgnoreSubstringsMatch
474 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
477 3.8. documentPublisher
479 The documentPublisher attribute is the person and/or organization that
480 published a document. (Source: RFC 1274)
482 ( 0.9.2342.19200300.100.1.56 NAME 'documentPublisher'
483 EQUALITY caseIgnoreMatch
484 SUBSTR caseIgnoreSubstringsMatch
485 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
490 The documentTitle attribute type specifies the title of a document.
493 ( 0.9.2342.19200300.100.1.12 NAME 'documentTitle'
494 EQUALITY caseIgnoreMatch
495 SUBSTR caseIgnoreSubstringsMatch
496 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
499 3.10. documentVersion
501 The documentVersion attribute type specifies the version number of a
502 document. (Source: RFC 1274)
506 Zeilenga draft-zeilenga-ldap-user-schema-03 [Page 9]
508 INTERNET-DRAFT LDAPv3: A Collection of User Schema 20 October 2001
511 ( 0.9.2342.19200300.100.1.13 NAME 'documentVersion'
512 EQUALITY caseIgnoreMatch
513 SUBSTR caseIgnoreSubstringsMatch
514 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
519 The drink (Favourite Drink) attribute type specifies the favorite
520 drink of an object (or person). (Source: RFC 1274)
522 ( 0.9.2342.19200300.100.1.5 NAME ( 'drink' 'favouriteDrink' )
523 EQUALITY caseIgnoreMatch
524 SUBSTR caseIgnoreSubstringsMatch
525 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
528 3.12. houseIdentifier
530 The houseIdentifier attribute type specifies a linguistic construct
531 used to identify a particular building, for example a house number or
532 house name relative to a street, avenue, town or city, etc. An
533 attribute value for houseIdentifier is a string, e.g. "14". (Source:
536 ( 2.5.4.51 NAME 'houseIdentifier'
537 EQUALITY caseIgnoreMatch
538 SUBSTR caseIgnoreSubstringsMatch
539 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
544 The homePhone (Home Telephone Number) attribute type specifies a home
545 telephone number (e.g., "+44 71 123 4567") associated with a person.
548 ( 0.9.2342.19200300.100.1.20
549 NAME ( 'homePhone' 'homeTelephoneNumber' )
550 EQUALITY telephoneNumberMatch
551 SUBSTR telephoneNumberSubstringsMatch
552 SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
555 3.14. homePostalAddress
557 The homePostalAddress attribute type specifies a home postal address
558 for an object. This should be limited to up to 6 lines of 30
562 Zeilenga draft-zeilenga-ldap-user-schema-03 [Page 10]
564 INTERNET-DRAFT LDAPv3: A Collection of User Schema 20 October 2001
567 characters each. (Source: RFC 1274)
569 ( 0.9.2342.19200300.100.1.39
570 NAME 'homePostalAddress'
571 EQUALITY caseIgnoreListMatch
572 SUBSTR caseIgnoreListSubstringsMatch
573 SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
578 The host attribute type specifies a host computer. (Source: RFC 1274)
580 ( 0.9.2342.19200300.100.1.9
582 EQUALITY caseIgnoreMatch
583 SUBSTR caseIgnoreSubstringsMatch
584 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
589 The info (Information) attribute type specifies any general
590 information pertinent to an object. It is RECOMMENDED that specific
591 usage of this attribute type is avoided, and that specific
592 requirements are met by other (possibly additional) attribute types.
593 It is noted the description attribute [RFC2256] for specifying
594 descriptive information pertinent to an object. (Source: RFC 1274)
596 ( 0.9.2342.19200300.100.1.4
598 EQUALITY caseIgnoreMatch
599 SUBSTR caseIgnoreSubstringsMatch
600 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{2048} )
605 The mail (rfc822mailbox) attribute type holds an the electronic mail
606 address in RFC822 form (e.g.: user@example.com). Note that this
607 attribute SHOULD NOT be used to hold non-Internet addresses. (Source:
611 ( 0.9.2342.19200300.100.1.3
612 NAME ( 'mail' 'rfc822Mailbox' )
613 EQUALITY caseIgnoreIA5Match
614 SUBSTR caseIgnoreIA5SubstringsMatch
618 Zeilenga draft-zeilenga-ldap-user-schema-03 [Page 11]
620 INTERNET-DRAFT LDAPv3: A Collection of User Schema 20 October 2001
623 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
628 The Manager attribute type specifies the manager of an object
629 represented by an entry. (Source: RFC 1274)
631 ( 0.9.2342.19200300.100.1.10
633 EQUALITY distinguishedNameMatch
634 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
639 The mobile (Mobile Telephone Number) attribute type specifies a mobile
640 telephone number (e.g., "+44 71 123 4567") associated with a person.
643 ( 0.9.2342.19200300.100.1.41
644 NAME ( 'mobile' 'mobileTelephoneNumber' )
645 EQUALITY telephoneNumberMatch
646 SUBSTR telephoneNumberSubstringsMatch
647 SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
650 3.20. organizationalStatus
652 The organizationalStatus attribute type specifies a category by which
653 a person is often referred to in an organization. Examples of usage
654 in academia might include undergraduate student, researcher, lecturer,
657 A Directory administrator should probably consider carefully the
658 distinctions between this and the title and userClass attributes.
661 ( 0.9.2342.19200300.100.1.45
662 NAME 'organizationalStatus'
663 EQUALITY caseIgnoreMatch
664 SUBSTR caseIgnoreSubstringsMatch
665 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
670 The otherMailbox attribute type specifies values for electronic
674 Zeilenga draft-zeilenga-ldap-user-schema-03 [Page 12]
676 INTERNET-DRAFT LDAPv3: A Collection of User Schema 20 October 2001
679 mailbox types other than X.400 and RFC822. (Source: RFC 1274)
681 ( 0.9.2342.19200300.100.1.22
683 SYNTAX 1.3.6.1.4.1.1466.115.121.1.39 )
688 The pager (Pager Telephone Number) attribute type specifies a pager
689 telephone number (e.g., "+44 71 123 4567") for an object. (Source:
692 ( 0.9.2342.19200300.100.1.42
693 NAME ( 'pager' 'pagerTelephoneNumber' )
694 EQUALITY telephoneNumberMatch
695 SUBSTR telephoneNumberSubstringsMatch
696 SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
701 The personalTitle attribute type specifies a personal title for a
702 person. Examples of personal titles are "Frau", "Dr", "Herr", and
703 "Prof". (Source: RFC 1274)
705 ( 0.9.2342.19200300.100.1.40
707 EQUALITY caseIgnoreMatch
708 SUBSTR caseIgnoreSubstringsMatch
709 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
714 The roomNumber attribute type specifies the room number of an object.
715 Note that the cn (commonName) attribute should be used for naming room
716 objects. (Source: RFC 1274)
718 ( 0.9.2342.19200300.100.1.6
720 EQUALITY caseIgnoreMatch
721 SUBSTR caseIgnoreSubstringsMatch
722 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
730 Zeilenga draft-zeilenga-ldap-user-schema-03 [Page 13]
732 INTERNET-DRAFT LDAPv3: A Collection of User Schema 20 October 2001
735 The secretary attribute type specifies the secretary of a person. The
736 attribute value for Secretary is a distinguished name. (Source: RFC
739 ( 0.9.2342.19200300.100.1.21
741 EQUALITY distinguishedNameMatch
742 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
747 The uid (userid) attribute type specifies a computer system login
748 name. (Source: RFC 1274)
750 ( 0.9.2342.19200300.100.1.1
751 NAME ( 'uid' 'userid' )
752 EQUALITY caseIgnoreMatch
753 SUBSTR caseIgnoreSubstringsMatch
754 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
757 3.27. uniqueIdentifier
759 The Unique Identifier attribute type specifies a "unique identifier"
760 for an object represented in the Directory. The domain within which
761 the identifier is unique, and the exact semantics of the identifier,
762 are for local definition. For a person, this might be an institution-
763 wide payroll number. For an organizational unit, it might be a
764 department code. An attribute value for uniqueIdentifier is a
765 directoryString. (Source: RFC 1274)
767 ( 2.5.4.45 NAME 'uniqueIdentifier'
768 EQUALITY caseIgnoreMatch
769 SUBSTR caseIgnoreSubstringsMatch
770 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
772 Note: X.520 describes an attribute also called 'uniqueIdentifier'
773 (2.5.4.45) which is called 'x500UniqueIdentifier' in LDAP
774 [RFC2256]. The attribute detailed here ought not be confused
775 with x500UniqueIdentifier.
780 The userClass attribute type specifies a category of computer user.
781 The semantics placed on this attribute are for local interpretation.
782 Examples of current usage od this attribute in academia are
786 Zeilenga draft-zeilenga-ldap-user-schema-03 [Page 14]
788 INTERNET-DRAFT LDAPv3: A Collection of User Schema 20 October 2001
791 undergraduate student, researcher, lecturer, etc. Note that the
792 organizationalStatus attribute may now often be preferred as it makes
793 no distinction between computer users and others. (Source: RFC 1274)
795 ( 0.9.2342.19200300.100.1.8 NAME 'userClass'
796 EQUALITY caseIgnoreMatch
797 SUBSTR caseIgnoreSubstringsMatch
798 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
803 This section details attribute types for use in LDAP based upon their
808 The account object class is used to define entries representing
809 computer accounts. The uid (userid) attribute should be used for
810 naming entries of this object class. (Source: RFC 1274)
812 ( 0.9.2342.19200300.100.4.5
816 MAY ( description $ seeAlso $ l $ o $ ou $ host ) )
821 The document object class is used to define entries which represent
822 documents. (Source: RFC 1274)
824 ( 0.9.2342.19200300.100.4.6
827 MUST documentIdentifier
828 MAY ( cn $ description $ seeAlso $ l $ o $ ou $
829 documentTitle $ documentVersion $ documentAuthor $
830 documentLocation $ documentPublisher ) )
835 The documentSeries object class is used to define an entry which
836 represents a series of documents (e.g., The Request For Comments
837 memos). (Source: RFC 1274)
842 Zeilenga draft-zeilenga-ldap-user-schema-03 [Page 15]
844 INTERNET-DRAFT LDAPv3: A Collection of User Schema 20 October 2001
847 ( 0.9.2342.19200300.100.4.9
848 NAME 'documentSeries'
851 MAY ( description $ l $ o $ ou $ seeAlso $
855 4.4. domainRelatedObject
857 The domainRelatedObject object class is used to define entries which
858 represent DNS domains which are "equivalent" to an X.500 domain: e.g.,
859 an organization or organizational unit. (Source: RFC 1274)
861 ( 0.9.2342.19200300.100.4.17
862 NAME 'domainRelatedObject'
864 MUST associatedDomain )
869 The friendlyCountry object class is used to define country entries in
870 the DIT. The object class is used to allow friendlier naming of
871 countries than that allowed by the object class country. The naming
872 attribute of object class country, c (countryName), has to be a 2
873 letter string defined in [ISO3166]. (Source: RFC 1274)
875 ( 0.9.2342.19200300.100.4.18
876 NAME 'friendlyCountry'
877 SUP country STRUCTURAL
883 The rFC822LocalPart object class is used to define entries which
884 represent the local part of RFC822 mail addresses. This treats this
885 part of an RFC822 address as a domain [RFC2247]. (Source: RFC 1274)
887 ( 0.9.2342.19200300.100.4.14
888 NAME 'rFC822localPart'
889 SUP domain STRUCTURAL
890 MAY ( cn $ description $ destinationIndicator $
891 facsimileTelephoneNumber $ internationaliSDNNumber $
892 physicalDeliveryOfficeName $ postalAddress $
893 postalCode $ postOfficeBox $ preferredDeliveryMethod $
894 registeredAddress $ seeAlso $ sn $ street $
898 Zeilenga draft-zeilenga-ldap-user-schema-03 [Page 16]
900 INTERNET-DRAFT LDAPv3: A Collection of User Schema 20 October 2001
903 telephoneNumber $ teletexTerminalIdentifier $
904 telexNumber $ x121Address ) )
909 The room object class is used to define entries representing rooms.
910 The cn (commonName) attribute should be used for naming entries of
911 this object class. (Source: RFC 1274)
913 ( 0.9.2342.19200300.100.4.7 NAME 'room'
916 MAY ( roomNumber $ description $
917 seeAlso $ telephoneNumber ) )
920 4.8. simpleSecurityObject
922 The simpleSecurityObject object class is used to allow an entry to
923 have a userPassword attribute when an entry's principal object classes
924 do not allow userPassword as an attribute type. (Source: RFC 1274)
926 ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject'
930 Note: Security considerations related to the use of simple
931 authentication mechanisms in LDAP are discussed in RFC 2829
935 5. Security Considerations
937 General LDAP security considerations [LDAPTS] is applicable to the use
938 of this schema. Additional considerations are noted above where
944 This document borrows from a number of IETF documents including RFC
945 1274 by Paul Barker and Steve Kille. This document also borrows from
946 a number of ITU documents including X.520.
954 Zeilenga draft-zeilenga-ldap-user-schema-03 [Page 17]
956 INTERNET-DRAFT LDAPv3: A Collection of User Schema 20 October 2001
966 [ISO3166] International Standards Organization, "Codes for the
967 representation of names of countries", ISO 3166.
969 [RFC822] D. Crocker, "Standard for the format of ARPA Internet text
970 messages", August 1982.
972 [RFC1034] P.V. Mockapetris, "Domain names - concepts and facilities",
975 [RFC1274] P. Barker, S. Kille, "The COSINE and Internet X.500 Schema",
978 [RFC2219] S. Bradner, "Key words for use in RFCs to Indicate
979 Requirement Levels", RFC 2119 (also BCP 14), March 1997.
981 [RFC2247] S. Kille, M. Wahl, A. Grimstad, R. Huber, S. Sataluri,
982 "Using Domains in LDAP/X.500 Distinguished Names", January
985 [RFC2252] M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight
986 Directory Access Protocol (v3): Attribute Syntax
987 Definitions", RFC 2252, December 1997.
989 [RFC2256] M. Wahl, "A Summary of the X.500(96) User Schema for use
990 with LDAPv3", RFC 2256, December 1997.
992 [RFC2798] M. Smith, "The LDAP inetOrgPerson Object Class", RFC 2798,
995 [RFC2829] M. Wahl, H. Alvestrand, J. Hodges, R. Morgan,
996 "Authentication Methods for LDAP", RFC 2829, May 2000.
998 [LDAPTS] J. Hodges, R. Morgan, "Lightweight Directory Access Protocol
999 (v3): Technical Specification", draft-ietf-ldapbis-
1002 [X.520] "The Directory: Selected Attribute Types", ITU
1003 Recommendation X.520, 1997.
1010 Zeilenga draft-zeilenga-ldap-user-schema-03 [Page 18]
1012 INTERNET-DRAFT LDAPv3: A Collection of User Schema 20 October 2001
1017 Copyright 2001, The Internet Society. All Rights Reserved.
1019 This document and translations of it may be copied and furnished to
1020 others, and derivative works that comment on or otherwise explain it
1021 or assist in its implementation may be prepared, copied, published and
1022 distributed, in whole or in part, without restriction of any kind,
1023 provided that the above copyright notice and this paragraph are
1024 included on all such copies and derivative works. However, this
1025 document itself may not be modified in any way, such as by removing
1026 the copyright notice or references to the Internet Society or other
1027 Internet organizations, except as needed for the purpose of
1028 developing Internet standards in which case the procedures for
1029 copyrights defined in the Internet Standards process must be followed,
1030 or as required to translate it into languages other than English.
1032 The limited permissions granted above are perpetual and will not be
1033 revoked by the Internet Society or its successors or assigns.
1035 This document and the information contained herein is provided on an
1036 "AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
1037 ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
1038 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
1039 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1040 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
1066 Zeilenga draft-zeilenga-ldap-user-schema-03 [Page 19]