Network Working Group                                            M. Wahl
Request for Comments: 2256                           Critical Angle Inc.
Category: Standards Track                                  December 1997

A Summary of the X.500(96) User Schema for use with LDAPv3

1. Status of this Memo

This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.

Copyright (C) The Internet Society (1997). All Rights Reserved.

This document describes a directory access protocol that provides
both read and update access. Update access requires secure
authentication, but this document does not mandate implementation of
any satisfactory authentication mechanisms.

In accordance with RFC 2026, section 4.4.1, this specification is
being approved by IESG as a Proposed Standard despite this
limitation, for the following reasons:

a. to encourage implementation and interoperability testing of
   these protocols (with or without update access) before they

b. to encourage deployment and use of these protocols in read-only
   applications (e.g. applications where LDAPv3 is used as
   a query language for directories which are updated by some
   secure mechanism other than LDAP), and

c. to avoid delaying the advancement and deployment of other Internet
   standards-track protocols which require the ability to query, but
   not update, LDAPv3 directory servers.

Readers are hereby warned that until mandatory authentication
mechanisms are standardized, clients and servers written according to
this specification which make use of update functionality are
UNLIKELY TO INTEROPERATE, or MAY INTEROPERATE ONLY IF AUTHENTICATION
IS REDUCED TO AN UNACCEPTABLY WEAK LEVEL.

Wahl                        Standards Track                     [Page 1]

RFC 2256                    LDAPv3 Schema                  December 1997
Implementors are hereby discouraged from deploying LDAPv3 clients or
servers which implement the update functionality, until a Proposed
Standard for mandatory authentication in LDAPv3 has been approved and

This document provides an overview of the attribute types and object
classes defined by the ISO and ITU-T committees in the X.500
documents, in particular those intended for use by directory clients.
This is the most widely used schema for LDAP/X.500 directories, and
many other schema definitions for white pages objects use it as a
basis. This document does not cover attributes used for the
administration of X.500 directory servers, nor does it include
attributes defined by other ISO/ITU-T documents.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [6].

This document references syntaxes given in section 6 of this document
and section 6 of [1]. Matching rules are listed in section 8 of this
document and section 8 of [1].

The attribute type and object class definitions are written using the
BNF form of AttributeTypeDescription and ObjectClassDescription given
in [1]. Lines have been folded for readability.

The schema definitions in this document are based on those found in
X.500 [2],[3],[4],[5], and updates to these documents, specifically:

  Sections       Source
  ============   ============
  5.37 - 5.41    X.509(93)
  5.42 - 5.52    X.520(93)
  5.53 - 5.54    X.509(96)
  7.19 - 7.21    X.509(96)

Some attribute names are different from those found in X.520(93).

Three new attributes supportedAlgorithms, deltaRevocationList and
dmdName, and the objectClass dmd, are defined in the X.500(96)

An LDAP server implementation SHOULD recognize the attribute types
described in this section.

The values of the objectClass attribute describe the kind of object
which an entry represents. The objectClass attribute is present in
every entry, with at least two values. One of the values is either

( 2.5.4.0 NAME 'objectClass' EQUALITY objectIdentifierMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

5.2. aliasedObjectName

The aliasedObjectName attribute is used by the directory service if
the entry containing this attribute is an alias.

( 2.5.4.1 NAME 'aliasedObjectName' EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )

5.3. knowledgeInformation

This attribute is no longer used.

( 2.5.4.2 NAME 'knowledgeInformation' EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

This is the X.500 commonName attribute, which contains a name of an
object. If the object corresponds to a person, it is typically the

( 2.5.4.3 NAME 'cn' SUP name )
This is the X.500 surname attribute, which contains the family name

( 2.5.4.4 NAME 'sn' SUP name )

This attribute contains the serial number of a device.

( 2.5.4.5 NAME 'serialNumber' EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )

This attribute contains a two-letter ISO 3166 country code

( 2.5.4.6 NAME 'c' SUP name SINGLE-VALUE )

This attribute contains the name of a locality, such as a city,
county or other geographic region (localityName).

( 2.5.4.7 NAME 'l' SUP name )

This attribute contains the full name of a state or province
(stateOrProvinceName).

( 2.5.4.8 NAME 'st' SUP name )

This attribute contains the physical address of the object to which
the entry corresponds, such as an address for package delivery

( 2.5.4.9 NAME 'street' EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
This attribute contains the name of an organization

( 2.5.4.10 NAME 'o' SUP name )

This attribute contains the name of an organizational unit
(organizationalUnitName).

( 2.5.4.11 NAME 'ou' SUP name )

This attribute contains the title, such as "Vice President", of a
person in their organizational context. The "personalTitle"
attribute would be used for a person's title independent of their job

( 2.5.4.12 NAME 'title' SUP name )

This attribute contains a human-readable description of the object.

( 2.5.4.13 NAME 'description' EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

This attribute is for use by X.500 clients in constructing search
filters. It is obsoleted by enhancedSearchGuide, described below in

( 2.5.4.14 NAME 'searchGuide'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )

5.16. businessCategory

This attribute describes the kind of business performed by an

( 2.5.4.15 NAME 'businessCategory' EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
( 2.5.4.16 NAME 'postalAddress' EQUALITY caseIgnoreListMatch
  SUBSTR caseIgnoreListSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

( 2.5.4.17 NAME 'postalCode' EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )

( 2.5.4.18 NAME 'postOfficeBox' EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )

5.20. physicalDeliveryOfficeName

( 2.5.4.19 NAME 'physicalDeliveryOfficeName' EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

5.21. telephoneNumber

( 2.5.4.20 NAME 'telephoneNumber' EQUALITY telephoneNumberMatch
  SUBSTR telephoneNumberSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )

( 2.5.4.21 NAME 'telexNumber'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )

5.23. teletexTerminalIdentifier

( 2.5.4.22 NAME 'teletexTerminalIdentifier'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )

5.24. facsimileTelephoneNumber

( 2.5.4.23 NAME 'facsimileTelephoneNumber'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )
( 2.5.4.24 NAME 'x121Address' EQUALITY numericStringMatch
  SUBSTR numericStringSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} )

5.26. internationaliSDNNumber

( 2.5.4.25 NAME 'internationaliSDNNumber' EQUALITY numericStringMatch
  SUBSTR numericStringSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} )

5.27. registeredAddress

This attribute holds a postal address suitable for reception of
telegrams or expedited documents, where it is necessary to have the
recipient accept delivery.

( 2.5.4.26 NAME 'registeredAddress' SUP postalAddress
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

5.28. destinationIndicator

This attribute is used for the telegram service.

( 2.5.4.27 NAME 'destinationIndicator' EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )

5.29. preferredDeliveryMethod

( 2.5.4.28 NAME 'preferredDeliveryMethod'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.14 )

5.30. presentationAddress

This attribute contains an OSI presentation address.

( 2.5.4.29 NAME 'presentationAddress'
  EQUALITY presentationAddressMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.43 )
5.31. supportedApplicationContext

This attribute contains the identifiers of OSI application contexts.

( 2.5.4.30 NAME 'supportedApplicationContext'
  EQUALITY objectIdentifierMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

( 2.5.4.31 NAME 'member' SUP distinguishedName )

( 2.5.4.32 NAME 'owner' SUP distinguishedName )

( 2.5.4.33 NAME 'roleOccupant' SUP distinguishedName )

( 2.5.4.34 NAME 'seeAlso' SUP distinguishedName )

( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

Passwords are stored using an Octet String syntax and are not
encrypted. Transfer of cleartext passwords is strongly discouraged
where the underlying transport service cannot guarantee
confidentiality, as it may result in disclosure of the password to
unauthorized parties.

5.37. userCertificate

This attribute is to be stored and requested in the binary form, as
'userCertificate;binary'.

( 2.5.4.36 NAME 'userCertificate'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )

This attribute is to be stored and requested in the binary form, as
'cACertificate;binary'.
( 2.5.4.37 NAME 'cACertificate'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )

5.39. authorityRevocationList

This attribute is to be stored and requested in the binary form, as
'authorityRevocationList;binary'.

( 2.5.4.38 NAME 'authorityRevocationList'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )

5.40. certificateRevocationList

This attribute is to be stored and requested in the binary form, as
'certificateRevocationList;binary'.

( 2.5.4.39 NAME 'certificateRevocationList'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )

5.41. crossCertificatePair

This attribute is to be stored and requested in the binary form, as
'crossCertificatePair;binary'.

( 2.5.4.40 NAME 'crossCertificatePair'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 )

The name attribute type is the attribute supertype from which string
attribute types typically used for naming may be formed. It is
unlikely that values of this type itself will occur in an entry. LDAP
server implementations which do not support attribute subtyping need
not recognize this attribute in requests. Client implementations
MUST NOT assume that LDAP servers are capable of performing attribute

( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

The givenName attribute is used to hold the part of a person's name
which is not their surname nor middle name.

( 2.5.4.42 NAME 'givenName' SUP name )
The initials attribute contains the initials of some or all of an
individual's names, but not the surname(s).

( 2.5.4.43 NAME 'initials' SUP name )

5.45. generationQualifier

The generationQualifier attribute contains the part of the name which
typically is the suffix, as in "IIIrd".

( 2.5.4.44 NAME 'generationQualifier' SUP name )

5.46. x500UniqueIdentifier

The x500UniqueIdentifier attribute is used to distinguish between
objects when a distinguished name has been reused. This is a
different attribute type from both the "uid" and "uniqueIdentifier"

( 2.5.4.45 NAME 'x500UniqueIdentifier' EQUALITY bitStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )

The dnQualifier attribute type specifies disambiguating information
to add to the relative distinguished name of an entry. It is
intended for use when merging data from multiple sources in order to
prevent conflicts between entries which would otherwise have the same
name. It is recommended that the value of the dnQualifier attribute
be the same for all entries from a particular source.

( 2.5.4.46 NAME 'dnQualifier' EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )

5.48. enhancedSearchGuide

This attribute is for use by X.500 clients in constructing search

( 2.5.4.47 NAME 'enhancedSearchGuide'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )
5.49. protocolInformation

This attribute is used in conjunction with the presentationAddress
attribute, to provide additional information to the OSI network

( 2.5.4.48 NAME 'protocolInformation'
  EQUALITY protocolInformationMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 )

5.50. distinguishedName

This attribute type is not used as the name of the object itself, but
it is instead a base type from which attributes with DN syntax

It is unlikely that values of this type itself will occur in an
entry. LDAP server implementations which do not support attribute
subtyping need not recognize this attribute in requests. Client
implementations MUST NOT assume that LDAP servers are capable of
performing attribute subtyping.

( 2.5.4.49 NAME 'distinguishedName' EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

( 2.5.4.50 NAME 'uniqueMember' EQUALITY uniqueMemberMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )

5.52. houseIdentifier

This attribute is used to identify a building within a location.

( 2.5.4.51 NAME 'houseIdentifier' EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

5.53. supportedAlgorithms

This attribute is to be stored and requested in the binary form, as
'supportedAlgorithms;binary'.

( 2.5.4.52 NAME 'supportedAlgorithms'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 )
5.54. deltaRevocationList

This attribute is to be stored and requested in the binary form, as
'deltaRevocationList;binary'.

( 2.5.4.53 NAME 'deltaRevocationList'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )

The value of this attribute specifies a directory management domain
(DMD), the administrative authority which operates the directory

( 2.5.4.54 NAME 'dmdName' SUP name )

Servers SHOULD recognize the syntaxes defined in this section. Each
syntax begins with a sample value of the ldapSyntaxes attribute which
defines the OBJECT IDENTIFIER of the syntax. The descriptions of
syntax names are not carried in protocol, and are not guaranteed to

( 1.3.6.1.4.1.1466.115.121.1.14 DESC 'Delivery Method' )

Values in this syntax are encoded according to the following BNF:

  delivery-value = pdm / ( pdm whsp "$" whsp delivery-value )

  pdm = "any" / "mhs" / "physical" / "telex" / "teletex" /
        "g3fax" / "g4fax" / "ia5" / "videotex" / "telephone"

( 1.3.6.1.4.1.1466.115.121.1.21 DESC 'Enhanced Guide' )

Values in this syntax are encoded according to the following BNF:

  EnhancedGuide = woid whsp "#" whsp criteria whsp "#" whsp subset

  subset = "baseobject" / "oneLevel" / "wholeSubtree"
The criteria production is defined in the Guide syntax below. This
syntax has been added subsequent to RFC 1778.

( 1.3.6.1.4.1.1466.115.121.1.25 DESC 'Guide' )

Values in this syntax are encoded according to the following BNF:

  guide-value = [ object-class "#" ] criteria

  criteria = criteria-item / criteria-set / ( "!" criteria )

  criteria-set = ( [ "(" ] criteria "&" criteria-set [ ")" ] ) /
                 ( [ "(" ] criteria "|" criteria-set [ ")" ] )

  criteria-item = [ "(" ] attributetype "$" match-type [ ")" ]

  match-type = "EQ" / "SUBSTR" / "GE" / "LE" / "APPROX"

This syntax should not be used for defining new attributes.
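The Guide and Enhanced Guide grammars above are small enough to parse directly, and a client that builds search filters from searchGuide or enhancedSearchGuide values needs to do exactly that. The following Python is an added example, not part of RFC 2256 or of any directory implementation: a recursive-descent parser for the criteria production that returns a nested tuple, with the optional object-class prefix of guide-value and the oid/subset framing of EnhancedGuide handled around it. It follows the BNF as written, so criteria-set is right-recursive and no precedence is assumed between "&" and "|" because the BNF defines none. The sample values in the usage section are constructed.

```python
import re

# Tokens of the Guide / Enhanced Guide syntaxes: the structural characters
# and runs of anything else (attribute type names, OIDs, keywords).
_TOK = re.compile(r"[()&|!$#]|[^\s()&|!$#]+")
_ATTR = re.compile(r"[A-Za-z][\w-]*|\d+(?:\.\d+)*")   # descriptor or numeric OID
MATCH_TYPES = {"EQ", "SUBSTR", "GE", "LE", "APPROX"}
SUBSETS = {"baseobject", "oneLevel", "wholeSubtree"}


class _Parser:
    """Recursive-descent parser for the `criteria` production of the Guide syntax."""

    def __init__(self, text):
        self.toks = _TOK.findall(text)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError("expected %r at token %d, got %r" % (expected, self.pos, tok))
        self.pos += 1
        return tok

    def criteria(self):
        # criteria = criteria-item / criteria-set / ( "!" criteria )
        if self.peek() == "!":
            self.take("!")
            left = ("!", self.criteria())          # "!" applies to the whole following criteria
        elif self.peek() == "(":
            self.take("(")                          # the optional "(" ... ")" of item or set
            left = self.criteria()
            self.take(")")
        else:
            left = self.item()
        # criteria-set = criteria "&" criteria-set / criteria "|" criteria-set
        # (right-recursive, so  a & b | c  parses as  (& a (| b c)))
        if self.peek() in ("&", "|"):
            op = self.take()
            return (op, left, self.criteria())
        return left

    def item(self):
        # criteria-item = attributetype "$" match-type
        attr = self.take()
        if not _ATTR.fullmatch(attr):
            raise ValueError("bad attribute type %r" % attr)
        self.take("$")
        match = self.take()
        if match not in MATCH_TYPES:
            raise ValueError("unknown match-type %r" % match)
        return (attr, match)


def parse_guide(text):
    """guide-value = [ object-class "#" ] criteria  ->  (object_class or None, tree)."""
    p = _Parser(text)
    object_class = None
    if len(p.toks) > 1 and p.toks[1] == "#":
        object_class = p.take()
        p.take("#")
    tree = p.criteria()
    if p.peek() is not None:
        raise ValueError("trailing tokens after criteria: %r" % p.toks[p.pos:])
    return object_class, tree


def parse_enhanced_guide(text):
    """EnhancedGuide = woid "#" criteria "#" subset  ->  (oid, tree, subset)."""
    p = _Parser(text)
    oid = p.take()
    p.take("#")
    tree = p.criteria()
    p.take("#")
    subset = p.take()
    if subset not in SUBSETS:
        raise ValueError("unknown subset %r" % subset)
    if p.peek() is not None:
        raise ValueError("trailing tokens after subset: %r" % p.toks[p.pos:])
    return oid, tree, subset


def attributes_used(tree):
    """Attribute types referenced anywhere in a criteria tree, so a client can
    check them against the server's schema before building a filter."""
    if tree[0] == "!":
        return attributes_used(tree[1])
    if tree[0] in ("&", "|"):
        return attributes_used(tree[1]) | attributes_used(tree[2])
    return {tree[0]}


if __name__ == "__main__":
    # Constructed sample values, not taken from any directory.
    print(parse_guide("person#cn$EQ&(sn$SUBSTR|!description$APPROX)"))
    print(parse_enhanced_guide("2.5.6.6 # cn$EQ # oneLevel"))
```

The tree uses `("!", x)`, `("&", l, r)`, `("|", l, r)` and `(attribute, match-type)` leaves; a filter builder can walk it directly. Values that violate the grammar (an unknown match-type, a subset outside the three listed, unbalanced parentheses, trailing text) raise `ValueError` rather than being silently accepted.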
( 1.3.6.1.4.1.1466.115.121.1.40 DESC 'Octet String' )

Values in this syntax are encoded as octet strings.

6.5. Teletex Terminal Identifier

( 1.3.6.1.4.1.1466.115.121.1.51 DESC 'Teletex Terminal Identifier' )

Values in this syntax are encoded according to the following BNF:

  teletex-id = ttx-term 0*("$" ttx-param)

  ttx-term = printablestring
  ttx-param = ttx-key ":" ttx-value

  ttx-key = "graphic" / "control" / "misc" / "page" / "private"

  ttx-value = octetstring

In the above, the first printablestring is the encoding of the first
portion of the teletex terminal identifier to be encoded, and the
subsequent 0 or more octetstrings are subsequent portions of the
teletex terminal identifier.

( 1.3.6.1.4.1.1466.115.121.1.52 DESC 'Telex Number' )

Values in this syntax are encoded according to the following BNF:

  telex-number = actual-number "$" country "$" answerback

  actual-number = printablestring

  country = printablestring

  answerback = printablestring

In the above, actual-number is the syntactic representation of the
number portion of the TELEX number being encoded, country is the
TELEX country code, and answerback is the answerback code of a TELEX
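The Delivery Method (6.1), Teletex Terminal Identifier (6.5) and Telex Number (6.6) syntaxes are all "$"-separated, and a server or LDIF importer has to validate them before accepting a value. The Python below is an added example, not taken from the RFC or from any directory product: one parser per syntax, each splitting exactly where its BNF puts the separator, checking the enumerated keywords, and rejecting fields that are not printablestrings. The PrintableString character set used here is the X.680 one (letters, digits, space and ' ( ) + , - . / : = ?), which is an assumption this example makes about what `printablestring` in the BNF means; the sample values are constructed.

```python
import re

# X.680 PrintableString character set (assumed meaning of `printablestring`).
_PRINTABLE = re.compile(r"[A-Za-z0-9 '()+,\-./:=?]*")
PDM_VALUES = {"any", "mhs", "physical", "telex", "teletex",
              "g3fax", "g4fax", "ia5", "videotex", "telephone"}
TTX_KEYS = {"graphic", "control", "misc", "page", "private"}


def _printable(s, what):
    """Reject a field that is not a printablestring."""
    if not _PRINTABLE.fullmatch(s):
        raise ValueError("%s is not a printablestring: %r" % (what, s))
    return s


def parse_delivery_method(value):
    """delivery-value = pdm / ( pdm whsp "$" whsp delivery-value ) -> ordered list of pdm."""
    methods = [m.strip() for m in value.split("$")]
    bad = [m for m in methods if m not in PDM_VALUES]
    if bad:
        raise ValueError("unknown delivery method(s): %r" % bad)
    return methods


def parse_teletex_terminal_identifier(value):
    """teletex-id = ttx-term 0*("$" ttx-param); ttx-param = ttx-key ":" ttx-value.

    Returns (ttx-term, [(ttx-key, ttx-value), ...]). The BNF gives no escaping
    rule, so this splits on every "$"; a ttx-value cannot itself contain one."""
    term, *params = value.split("$")
    _printable(term, "ttx-term")
    parsed = []
    for p in params:
        key, sep, val = p.partition(":")
        if not sep or key not in TTX_KEYS:
            raise ValueError("bad ttx-param: %r" % p)
        parsed.append((key, val))      # ttx-value is an octetstring: kept as-is
    return term, parsed


def parse_telex_number(value):
    """telex-number = actual-number "$" country "$" answerback, each a printablestring."""
    parts = value.split("$")
    if len(parts) != 3:
        raise ValueError("telex-number needs exactly three '$'-separated fields")
    names = ("actual-number", "country", "answerback")
    return {n: _printable(p, n) for n, p in zip(names, parts)}


if __name__ == "__main__":
    # Constructed sample values.
    print(parse_delivery_method("mhs $ telephone $ any"))
    print(parse_teletex_terminal_identifier("TTX1$graphic:g1$page:2"))
    print(parse_telex_number("12345$GB$ANSWER"))
```

Delivery Method values are returned in order because the BNF's nesting records a preference order; the other two return their named fields so a caller can check, for instance, that the telex country field is present before storing the value.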
6.7. Supported Algorithm

( 1.3.6.1.4.1.1466.115.121.1.49 DESC 'Supported Algorithm' )

No printable representation of values of the supportedAlgorithms
attribute is defined in this document. Clients which wish to store
and retrieve this attribute MUST use "supportedAlgorithms;binary", in
which the value is transferred as a binary encoding.

LDAP servers MUST recognize the object classes "top" and "subschema".
LDAP servers SHOULD recognize all the other object classes listed
here as values of the objectClass attribute.

( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
( 2.5.6.1 NAME 'alias' SUP top STRUCTURAL MUST aliasedObjectName )

( 2.5.6.2 NAME 'country' SUP top STRUCTURAL MUST c
  MAY ( searchGuide $ description ) )

( 2.5.6.3 NAME 'locality' SUP top STRUCTURAL
  MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) )

( 2.5.6.4 NAME 'organization' SUP top STRUCTURAL MUST o
  MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
  x121Address $ registeredAddress $ destinationIndicator $
  preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
  telephoneNumber $ internationaliSDNNumber $
  facsimileTelephoneNumber $
  street $ postOfficeBox $ postalCode $ postalAddress $
  physicalDeliveryOfficeName $ st $ l $ description ) )

7.6. organizationalUnit

( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL MUST ou
  MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
  x121Address $ registeredAddress $ destinationIndicator $
  preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
  telephoneNumber $ internationaliSDNNumber $
  facsimileTelephoneNumber $
  street $ postOfficeBox $ postalCode $ postalAddress $
  physicalDeliveryOfficeName $ st $ l $ description ) )

( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn )
  MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )

7.8. organizationalPerson

( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL
  MAY ( title $ x121Address $ registeredAddress $
  destinationIndicator $
  preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
  telephoneNumber $ internationaliSDNNumber $
  facsimileTelephoneNumber $
  street $ postOfficeBox $ postalCode $ postalAddress $
  physicalDeliveryOfficeName $ ou $ st $ l ) )

7.9. organizationalRole

( 2.5.6.8 NAME 'organizationalRole' SUP top STRUCTURAL MUST cn
  MAY ( x121Address $ registeredAddress $ destinationIndicator $
  preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
  telephoneNumber $ internationaliSDNNumber $
  facsimileTelephoneNumber $
  seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $
  postOfficeBox $ postalCode $ postalAddress $
  physicalDeliveryOfficeName $ ou $ st $ l $ description ) )

( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( member $ cn )
  MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )

7.11. residentialPerson

( 2.5.6.10 NAME 'residentialPerson' SUP person STRUCTURAL MUST l
  MAY ( businessCategory $ x121Address $ registeredAddress $
  destinationIndicator $ preferredDeliveryMethod $ telexNumber $
  teletexTerminalIdentifier $ telephoneNumber $
  internationaliSDNNumber $
  facsimileTelephoneNumber $ preferredDeliveryMethod $ street $
  postOfficeBox $ postalCode $ postalAddress $
  physicalDeliveryOfficeName $ st $ l ) )

7.12. applicationProcess

( 2.5.6.11 NAME 'applicationProcess' SUP top STRUCTURAL MUST cn
  MAY ( seeAlso $ ou $ l $ description ) )

7.13. applicationEntity

( 2.5.6.12 NAME 'applicationEntity' SUP top STRUCTURAL
  MUST ( presentationAddress $ cn )
  MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $

( 2.5.6.13 NAME 'dSA' SUP applicationEntity STRUCTURAL
  MAY knowledgeInformation )
( 2.5.6.14 NAME 'device' SUP top STRUCTURAL MUST cn
  MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )

7.16. strongAuthenticationUser

( 2.5.6.15 NAME 'strongAuthenticationUser' SUP top AUXILIARY
  MUST userCertificate )

7.17. certificationAuthority

( 2.5.6.16 NAME 'certificationAuthority' SUP top AUXILIARY
  MUST ( authorityRevocationList $ certificateRevocationList $
  cACertificate ) MAY crossCertificatePair )

7.18. groupOfUniqueNames

( 2.5.6.17 NAME 'groupOfUniqueNames' SUP top STRUCTURAL
  MUST ( uniqueMember $ cn )
  MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )

7.19. userSecurityInformation

( 2.5.6.18 NAME 'userSecurityInformation' SUP top AUXILIARY
  MAY ( supportedAlgorithms ) )

7.20. certificationAuthority-V2

( 2.5.6.16.2 NAME 'certificationAuthority-V2' SUP
  certificationAuthority
  AUXILIARY MAY ( deltaRevocationList ) )

7.21. cRLDistributionPoint

( 2.5.6.19 NAME 'cRLDistributionPoint' SUP top STRUCTURAL
  MUST ( cn ) MAY ( certificateRevocationList $
  authorityRevocationList $
  deltaRevocationList ) )

( 2.5.6.20 NAME 'dmd' SUP top STRUCTURAL MUST ( dmdName )
  MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
  x121Address $ registeredAddress $ destinationIndicator $
  preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
  telephoneNumber $ internationaliSDNNumber $
  facsimileTelephoneNumber $
  street $ postOfficeBox $ postalCode $ postalAddress $
  physicalDeliveryOfficeName $ st $ l $ description ) )
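The attribute type definitions of section 5 and the object class definitions of section 7 are written in the RFC 2252 description form, and what a client or a server does with them is resolve the SUP chains and check entries against the result. The Python below is an added example, not code from the RFC or from any directory server: it parses a handful of the definitions quoted above (copied verbatim from sections 5 and 7), derives each attribute's effective SYNTAX and {bound} through its SUP chain (so cn inherits the syntax of name), lists the subtypes of a supertype, which is what a client must enumerate itself when it cannot assume the server performs attribute subtyping (the note under the name and distinguishedName types), and validates an entry against the MUST/MAY lists of its object classes and their superclasses. The objectClass check follows section 5.1 (at least two values), with top required because every class on the page chains to it. RFC 2252 describes the {n} figure as a suggested upper bound; treating it as a hard limit is a choice made by this example. The two sample entries are constructed.

```python
import re

# Definitions copied verbatim from RFC 2256 sections 5 and 7 (a real server
# publishes these in its subschema entry; a client would read them from there).
ATTRIBUTE_TYPES = """\
( 2.5.4.0 NAME 'objectClass' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
( 2.5.4.3 NAME 'cn' SUP name )
( 2.5.4.4 NAME 'sn' SUP name )
( 2.5.4.6 NAME 'c' SUP name SINGLE-VALUE )
( 2.5.4.13 NAME 'description' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
( 2.5.4.20 NAME 'telephoneNumber' EQUALITY telephoneNumberMatch SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )
( 2.5.4.34 NAME 'seeAlso' SUP distinguishedName )
( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
( 2.5.4.36 NAME 'userCertificate' SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
( 2.5.4.42 NAME 'givenName' SUP name )
( 2.5.4.49 NAME 'distinguishedName' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
"""
OBJECT_CLASSES = """\
( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
( 2.5.6.15 NAME 'strongAuthenticationUser' SUP top AUXILIARY MUST userCertificate )
"""
_TOKEN = re.compile(r"'[^']*'|[()$]|[^\s()$']+")
_FLAGS = {"SINGLE-VALUE", "ABSTRACT", "STRUCTURAL", "AUXILIARY", "OBSOLETE"}


def parse_description(text):
    """Parse one AttributeTypeDescription or ObjectClassDescription into a dict:
    'oid', then each keyword -> string or list, and each flag -> True."""
    toks = _TOKEN.findall(text)
    if not toks or toks[0] != "(" or toks[-1] != ")":
        raise ValueError("description must be parenthesised: %r" % text)
    desc, i = {"oid": toks[1]}, 2
    while i < len(toks) - 1:
        key, i = toks[i], i + 1
        if key in _FLAGS:
            desc[key] = True
        elif toks[i] == "(":                     # ( a $ b )  or  ( 'n1' 'n2' )
            j = toks.index(")", i)
            desc[key] = [t.strip("'") for t in toks[i + 1:j] if t != "$"]
            i = j + 1
        else:
            desc[key], i = toks[i].strip("'"), i + 1
    return desc


def _aslist(v):
    return [] if v is None else (v if isinstance(v, list) else [v])


def load_schema(block):
    """One description per line -> {first NAME: parsed description}."""
    return {_aslist(d["NAME"])[0]: d for d in map(parse_description, block.strip().splitlines())}


ATTRS = load_schema(ATTRIBUTE_TYPES)
CLASSES = load_schema(OBJECT_CLASSES)


def effective_syntax(attrs, name):
    """Follow SUP until a SYNTAX appears -> (syntax OID, {bound} or None)."""
    seen = set()
    while name not in seen:
        seen.add(name)
        d = attrs[name]
        if "SYNTAX" in d:
            m = re.fullmatch(r"([\d.]+)(?:\{(\d+)\})?", d["SYNTAX"])
            return m.group(1), (int(m.group(2)) if m.group(2) else None)
        name = d.get("SUP")
        if name is None:
            raise ValueError("no SYNTAX reachable from %s" % "/".join(seen))
    raise ValueError("SUP cycle at %s" % name)


def subtypes_of(attrs, name):
    """Attribute types whose SUP chain reaches `name`; a client that cannot rely
    on server-side subtyping must name each of these in its own filters."""
    out = set()
    for a, d in attrs.items():
        cur = d.get("SUP")
        while cur is not None and cur != name:
            cur = attrs[cur].get("SUP")
        if cur == name:
            out.add(a)
    return out


def class_chain(classes, name):
    """The class followed by its superclasses, e.g. person -> top."""
    chain = []
    while name is not None:
        chain.append(name)
        name = classes[name].get("SUP")
    return chain


def validate_entry(attrs, classes, entry):
    """Schema problems for an entry given as {attribute: [values]}; [] means it fits."""
    problems, ocs = [], entry.get("objectClass", [])
    if len(ocs) < 2 or "top" not in ocs:           # section 5.1
        problems.append("objectClass must carry at least two values, one of them 'top'")
    must, may = set(), set()
    for oc in ocs:
        if oc not in classes:
            problems.append("unknown object class %s" % oc)
            continue
        for c in class_chain(classes, oc):          # MUST/MAY are inherited
            must |= set(_aslist(classes[c].get("MUST")))
            may |= set(_aslist(classes[c].get("MAY")))
    problems += ["missing MUST attribute %s" % a for a in sorted(must - set(entry))]
    for a, values in entry.items():
        if a not in must and a not in may:
            problems.append("attribute %s not permitted by the entry's object classes" % a)
        elif a in attrs:
            _, bound = effective_syntax(attrs, a)
            if attrs[a].get("SINGLE-VALUE") and len(values) > 1:
                problems.append("%s is SINGLE-VALUE" % a)
            if bound is not None and any(len(v) > bound for v in values):
                problems.append("%s value longer than the %d-character bound" % (a, bound))
    return problems


# Constructed sample entries (placeholder certificate, not real DER).
ENTRY_OK = {"objectClass": ["top", "person", "strongAuthenticationUser"],
            "cn": ["Example User"], "sn": ["User"],
            "userCertificate": ["<DER bytes placeholder>"]}
ENTRY_BAD = {"objectClass": ["person"], "cn": ["Example User"],
             "userCertificate": ["<DER bytes placeholder>"], "telephoneNumber": ["9" * 40]}
```

Running `validate_entry(ATTRS, CLASSES, ENTRY_BAD)` reports four problems: a single-valued objectClass, the missing MUST attribute sn, userCertificate not permitted because strongAuthenticationUser is not among the entry's classes, and a telephoneNumber longer than its {32} bound. `subtypes_of(ATTRS, "name")` returns cn, sn, c and givenName, which is the set a client would have to OR together in place of a filter on name against a server that does not subtype.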
Servers MAY implement additional matching rules.

8.1. octetStringMatch

Servers which implement the extensibleMatch filter SHOULD allow the
matching rule listed in this section to be used in the
extensibleMatch. In general these servers SHOULD allow matching
rules to be used with all attribute types known to the server, when
the assertion syntax of the matching rule is the same as the value
syntax of the attribute.

( 2.5.13.17 NAME 'octetStringMatch'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

9. Security Considerations

Attributes of directory entries are used to provide descriptive
information about the real-world objects they represent, which can be
people, organizations or devices. Most countries have privacy laws
regarding the publication of information about people.

Transfer of cleartext passwords is strongly discouraged where the
underlying transport service cannot guarantee confidentiality, as it
may result in disclosure of the password to unauthorized parties.

The definitions on which this document is based have been developed by
committees for telecommunications and international standards. No
new attribute definitions have been added. The syntax definitions
are based on the ISODE "QUIPU" implementation of X.500.

[1] Wahl, M., Coulbeck, A., Howes, T., and S. Kille,
    "Lightweight X.500 Directory Access Protocol (v3): Attribute
    Syntax Definitions", RFC 2252, December 1997.

[2] The Directory: Models. ITU-T Recommendation X.501, 1996.

[3] The Directory: Authentication Framework. ITU-T Recommendation
[4] The Directory: Selected Attribute Types. ITU-T Recommendation

[5] The Directory: Selected Object Classes. ITU-T Recommendation

[6] Bradner, S., "Key words for use in RFCs to Indicate Requirement
    Levels", RFC 2119, March 1997.

12. Author's Address

4815 West Braker Lane #502-385

Phone: +1 512 372 3160
EMail: M.Wahl@critical-angle.com
13. Full Copyright Statement

Copyright (C) The Internet Society (1997). All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than

The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.